802.1x

By daxm (June 3rd, 2013)

Supplicant <---> Switch <---> Server

Supplicant -> Switch : EAPoL-Start
Switch -> Supplicant : EAP-Request-ID
Supplicant -> Switch : EAP-Response-ID
Switch -> Server     : Access-Request
Server -> Switch     : Access-Challenge
Switch -> Supplicant : EAP-Request
Supplicant -> Switch : EAP-Response
Switch -> Server     : Access-Request
Server -> Switch     : Access-Accept
Switch -> Supplicant : EAP-Success

 

Command Tasks:

!
aaa new-model
aaa authentication dot1x default group radius
radius-server host <ip>
!
dot1x system-auth-control
!
int f0/0
switchport mode access
dot1x port-control <auto/force/force-unauthorized>
!
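As an added example (not from the post), here is a small Python model of the exchange above: the switch is the authenticator that relays EAP from the supplicant to the RADIUS server inside Access-Request packets and only flips the port to authorized on Access-Accept/EAP-Success. The three dot1x port-control modes from the command tasks are modelled too (the post's "force" is taken to mean force-authorized). The credential table, the names alice/mallory and the Access-Reject/EAP-Failure branch are assumptions; the post only draws the success path.

```python
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


@dataclass
class Msg:
    kind: str                 # EAPoL-Start, EAP-Request-ID, Access-Request, ...
    body: dict = field(default_factory=dict)


class Supplicant:
    """Host on the port; answers the identity and credential requests."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def start(self):
        return Msg("EAPoL-Start")

    def handle(self, msg):
        if msg.kind == "EAP-Request-ID":
            return Msg("EAP-Response-ID", {"identity": self.identity})
        if msg.kind == "EAP-Request":
            return Msg("EAP-Response", {"identity": self.identity, "secret": self.secret})
        return None   # EAP-Success / EAP-Failure end the conversation


class RadiusServer:
    """Constructed credential table; EAP travels inside RADIUS Access-* packets."""
    def __init__(self, users):
        self.users = users
        self.seen_identity = set()

    def handle(self, req):
        eap = req.body["eap"]
        if eap.kind == "EAP-Response-ID":
            self.seen_identity.add(eap.body["identity"])
            return Msg("Access-Challenge", {"eap": Msg("EAP-Request", {"challenge": "prove-it"})})
        ident = eap.body.get("identity")
        if ident in self.seen_identity and self.users.get(ident) == eap.body.get("secret"):
            return Msg("Access-Accept", {"eap": Msg("EAP-Success")})
        # Failure branch (assumed; not drawn in the post)
        return Msg("Access-Reject", {"eap": Msg("EAP-Failure")})


class Switch:
    """Authenticator: dot1x port-control auto | force-authorized | force-unauthorized."""
    def __init__(self, server, port_control="auto"):
        self.server, self.port_control = server, port_control
        self.state = AUTHORIZED if port_control == "force-authorized" else UNAUTHORIZED
        self.log = []          # (from->to, message kind) in wire order

    def authenticate(self, supplicant):
        if self.port_control != "auto":
            return self.state  # forced modes never consult the server
        self.log.append(("supplicant->switch", supplicant.start().kind))
        to_supplicant = Msg("EAP-Request-ID")   # the switch answers EAPoL-Start itself
        while True:
            self.log.append(("switch->supplicant", to_supplicant.kind))
            reply = supplicant.handle(to_supplicant)
            if reply is None:
                return self.state
            self.log.append(("supplicant->switch", reply.kind))
            # Relay the EAP message to the server inside a RADIUS Access-Request
            self.log.append(("switch->server", "Access-Request"))
            verdict = self.server.handle(Msg("Access-Request", {"eap": reply}))
            self.log.append(("server->switch", verdict.kind))
            if verdict.kind == "Access-Accept":
                self.state = AUTHORIZED      # the port opens only now
            elif verdict.kind == "Access-Reject":
                self.state = UNAUTHORIZED
            to_supplicant = verdict.body["eap"]


def run_exchange(identity, secret, users, port_control="auto"):
    """Run one authentication; returns (final port state, ordered message kinds)."""
    sw = Switch(RadiusServer(users), port_control)
    state = sw.authenticate(Supplicant(identity, secret))
    return state, [kind for _, kind in sw.log]


if __name__ == "__main__":
    for kind in run_exchange("alice", "s3cret", {"alice": "s3cret"})[1]:
        print(kind)
```

The trace returned for a good credential is exactly the ten messages in the diagram; with force-authorized the port is open before any EAPoL frame is seen, which is why that mode is only appropriate where the port is trusted for other reasons.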

 


VLAN ACCESS MAPS

By daxm (June 3rd, 2013)

Using VLAN Access Maps.

3 Steps:
!
ip access-list ext <ACL-NAME>
permit icmp any any
permit eigrp any any
!
vlan access-map <VAM> seq <num>
match ip address <ACL-NAME>
action <forward/drop>
!
vlan filter <VAM> vlan-list <num>
!

In other words… a vlan filter maps a vlan access-map to a vlan.  The vlan access-map matches IP address and/or MAC address using either an ip access-list or mac access-list.
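To make the three-step evaluation concrete, here is an added Python model (not from the post) of how a VLAN access map is applied: sequences are tried in numeric order, the first sequence whose match ACL permits the packet decides the action, a deny entry in the ACL means "this sequence does not match" rather than "drop", and a packet that matches no sequence is dropped. The ACL names, the access-map name USER-VAM, the VLAN numbers and the packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed ACLs: each ACE is (action, protocol, source, destination).
# "ip" matches every protocol and "any" matches every address.
ACLS = {
    "ALLOW-CTRL": [("permit", "icmp", "any", "any"),
                   ("permit", "eigrp", "any", "any")],
    "USER-TCP": [("deny", "tcp", "10.0.0.0/24", "any"),
                 ("permit", "tcp", "any", "any")],
}
# vlan access-map USER-VAM 10: match ALLOW-CTRL, action forward
# vlan access-map USER-VAM 20: match USER-TCP,  action forward
ACCESS_MAPS = {"USER-VAM": {10: ("ALLOW-CTRL", "forward"),
                            20: ("USER-TCP", "forward")}}
# vlan filter USER-VAM vlan-list 10
VLAN_FILTERS = {10: "USER-VAM"}


def ace_matches(ace, pkt):
    """Does one access-list entry cover this packet (ignoring its permit/deny)?"""
    _action, proto, src, dst = ace
    return (proto in ("ip", pkt["proto"])
            and (src == "any" or ip_address(pkt["src"]) in ip_network(src))
            and (dst == "any" or ip_address(pkt["dst"]) in ip_network(dst)))


def acl_permits(acl, pkt):
    """First matching ACE wins. For VACL purposes a deny ACE, or the implicit
    deny at the end, means the ACL does NOT match the packet."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


def access_map_action(amap, pkt):
    """Walk sequences in order; a packet no sequence matches is dropped."""
    for seq in sorted(amap):
        acl_name, action = amap[seq]
        if acl_permits(ACLS[acl_name], pkt):
            return action
    return "drop"


def vlan_filter(vlan, pkt):
    """Apply whatever access map is bound to the VLAN; unfiltered VLANs forward."""
    name = VLAN_FILTERS.get(vlan)
    return "forward" if name is None else access_map_action(ACCESS_MAPS[name], pkt)


if __name__ == "__main__":
    for pkt in ({"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.1"},
                {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1"},
                {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1"}):
        print(pkt["proto"], pkt["src"], "->", vlan_filter(10, pkt))
```

The implicit drop at the end is the part people forget: a map that only lists the traffic you want dropped will drop everything else on the VLAN as well, so a final sequence that forwards the remaining traffic is usually needed.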


IP Source Guard

By daxm (June 3rd, 2013)

IP Source Guard requires DHCP snooping (enabled and applied to the VLAN).

Source Guard checks inbound IP traffic on an interface against the DHCP snooping database: the packet's source IP (and optionally its source MAC) must match the binding entry associated with that interface.

To match only on source IP:

!
int f0/0
ip verify source
!
To match on source IP and MAC:

!
int f0/0
ip verify source port-security
switchport port-security
!

To manually bind a source-guard entry:

!
(router-config)# ip source bind <mac> vlan <num> <ip> int <interface>
!

 


Frame Relay

By daxm (February 14th, 2010)

… What is Frame Relay …

Devices that “speak” Frame Relay fall into 1 of 2 categories:  data terminal equipment (DTE) or data circuit-terminating equipment (DCE).

  • DTE equipment is at the customer premises and is usually the “user” end of the connection.  Think of terminals, PCs, routers.
  • DCE equipment is the service provider end of the connection and provides the clocking and switching services in the FR network.

Frame Relay is a connection-oriented protocol. This means that before data is sent across the FR network an end-to-end (DTE to DTE) path must be established.  This end-to-end path is known as a virtual circuit (VC). NOTE:  Multiple VCs can travel down the same physical wire(s).  Through the use of TDM (time division multiplexing) each VC gets its share of the wire’s available bandwidth.


FHRP — GLBP

By daxm (February 9th, 2010)

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol to provide redundancy to LAN clients with only a “default gateway” as their routing option (so is HSRP but that is for a different post).

  • GLBP uses the multicast address 224.0.0.102 to communicate with GLBP-enabled routers in the LAN.  A hello message is sent every 3 seconds, by default, on UDP port 3222 (both source and destination port).
  • The AVG (Active Virtual Gateway) is “the man” for the GLBP group and is the router that assigns virtual MAC addresses to the other members of the GLBP group.  The AVG is also responsible for responding to ARP requests for the virtual IP address used by the GLBP group.  The AVG selects one of the virtual MAC addresses assigned to a GLBP group member to use in the ARP response.  (Thus the load of being the “default gateway” for the LAN is spread across the whole GLBP group.)
  • Though multiple routers can be a part of the GLBP group, only 4 virtual MAC addresses are used.  (Given that, I’m assuming only 4 routers in a group are considered “active” at any one moment?)  Thus the router (virtual forwarder) that is assigned a virtual MAC is the primary virtual forwarder, and other routers that have learned that MAC are considered secondary virtual forwarders.  Should the primary virtual forwarder fail, one of the secondary virtual forwarders for that MAC will assume responsibility for responding to that MAC for a period of time (until the AVG expires the use of that MAC).
  • If the AVG fails, the router with the highest priority value (1-255) is selected; if there is a tie, the router with the highest IP address wins.
  • Preemption of the AVG role is disabled by default.  However, preemption of the primary virtual forwarder role is enabled, with a 30 second delay.
  • The AVG for a GLBP group can be enabled to store a “client cache” database of all the LAN clients using this group.  The maximum number of entries is 2000, but under “normal” circumstances it should never exceed 1000.  Use the ‘show glbp detail’ command on the AVG to view this cache.  Use the ‘glbp client-cache’ command to enable this feature.
  • GLBP supports ISSU (In Service Software Upgrade) and SSO (Stateful Switchover), but that is beyond what I need to know for now.
  • GLBP supports up to 1024 virtual routers per interface.
  • Authentication for the GLBP group can be configured using an MD5 hashed password.
  • GLBP supports weighting and tracking.
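The AVG election and the virtual-MAC hand-out described above, as an added Python model (not from the post): highest priority wins the AVG role with the highest IP as tie-breaker, at most four virtual MACs are assigned, the AVG rotates through them when answering ARP for the virtual IP, and when a forwarder dies another member answers for its MAC. The router IPs and priorities are constructed. Two things are assumptions rather than statements in the post: the Cisco vMAC layout 0007.b4xx.xxyy (group number, then forwarder number) and round-robin as the ARP reply policy; which secondary takes over a failed forwarder's MAC is simplified to the remaining router with the highest (priority, IP).

```python
from dataclasses import dataclass
from ipaddress import ip_address
from itertools import cycle

MAX_FORWARDERS = 4   # only four virtual MACs exist per group


@dataclass
class Router:
    ip: str
    priority: int = 100   # 1-255; 100 assumed as the default


def elect_avg(routers):
    """Highest priority wins; ties go to the highest IP address."""
    return max(routers, key=lambda r: (r.priority, ip_address(r.ip)))


def virtual_mac(group, forwarder):
    """GLBP vMAC layout 0007.b4xx.xxyy: xxxx = group, yy = forwarder (assumed)."""
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


class GlbpGroup:
    def __init__(self, group, routers):
        self.group = group
        self.routers = list(routers)
        self.avg = elect_avg(self.routers)
        # The AVG hands out up to four vMACs; each owner is that MAC's primary forwarder.
        self.primary = {virtual_mac(group, n): r.ip
                        for n, r in enumerate(self.routers[:MAX_FORWARDERS], start=1)}
        self._rr = cycle(list(self.primary))

    def arp_reply(self):
        """The AVG answers an ARP request for the virtual IP with the next vMAC
        (round-robin, assumed here as the default policy)."""
        return next(self._rr)

    def router_failed(self, ip):
        """Drop a member: re-elect the AVG if it was the one that died, and hand
        its vMAC(s) to a secondary forwarder, which answers for that MAC until the
        AVG expires it."""
        self.routers = [r for r in self.routers if r.ip != ip]
        if not self.routers:
            raise RuntimeError("group has no members left")
        if self.avg.ip == ip:
            self.avg = elect_avg(self.routers)
        backup = elect_avg(self.routers).ip   # simplification: best remaining router
        for vmac, owner in self.primary.items():
            if owner == ip:
                self.primary[vmac] = backup


if __name__ == "__main__":
    g = GlbpGroup(1, [Router("10.0.0.1"), Router("10.0.0.2"), Router("10.0.0.3", priority=150)])
    print("AVG:", g.avg.ip)
    print("ARP replies:", [g.arp_reply() for _ in range(4)])
    g.router_failed("10.0.0.2")
    print("after failure:", g.primary)
```

Running this with five members shows the point the post makes about the limit: five routers, four vMACs, so one member is a secondary forwarder only and carries no load until another forwarder fails.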


Switchport Protected Command

By daxm (February 8th, 2010)

Similar to the Private VLAN concept of an isolated VLAN is a command called Switchport Protected.  It is similar in that interfaces in the same VLAN that are in “switchport protected” mode cannot see each other, but they can see other ports in the same VLAN that are NOT in switchport protected mode.  This feature ONLY works on a per-switch basis, so protected interfaces on different switches can communicate with each other as if the protected command wasn’t there.

Here is my graphic to display this:


Private VLANs

By daxm (February 1st, 2010)

To help myself better understand private VLANs I created the following picture:

Private VLAN Diagram


Dynamic ARP Inspection (DAI)

By daxm (January 31st, 2010)

As mentioned in my previous post, here are my notes on DAI.

To enable DAI all that is needed is one command:  (config)#ip arp inspection vlan <num>  HOWEVER, there is so much behind this simple command it is scary.

Unless additional parameters are configured DAI uses the DHCP snooping bindings table to know what IP-to-MAC-to-Interface mappings are permitted.  Here is a copy of my DHCP snooping table on my home switch:

daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2747        dhcp-snooping   1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     3528        dhcp-snooping   1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     3003        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 3

daxm-home-switch#
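Both the IP Source Guard post above and this DAI post lean on the same DHCP snooping binding table, so here is one added Python example (not from the posts) that parses the `show ip dhcp snooping binding` output shown here and then applies both checks to it: `verify_source` models `ip verify source` (IP only) and `ip verify source port-security` (IP plus MAC), `arp_inspect` models DAI on an untrusted port, and `add_static_binding` models the manual `ip source bind` entry. Following the DAI post's wording the checks key on IP, MAC, VLAN and interface together. The sample packets, the static binding and the rule that DHCP itself (source 0.0.0.0) is let through by Source Guard are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    source: str   # "dhcp-snooping" or "static"


# Constructed from the show output in the DAI post
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2747        dhcp-snooping   1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     3528        dhcp-snooping   1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     3003        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 3
"""


def parse_bindings(text):
    """Turn the show output into Binding records; header and footer lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] in ("dhcp-snooping", "static"):
            mac, ip, _lease, typ, vlan, intf = parts
            out.append(Binding(mac.lower(), ip, int(vlan), intf, typ))
    return out


def add_static_binding(bindings, mac, vlan, ip, interface):
    """Equivalent of 'ip source bind <mac> vlan <num> <ip> int <interface>'."""
    return bindings + [Binding(mac.lower(), ip, vlan, interface, "static")]


def verify_source(bindings, interface, vlan, src_ip, src_mac, port_security=False):
    """IP Source Guard: the source IP must belong to a binding on this interface/VLAN;
    with port-security the source MAC must match that binding as well."""
    if src_ip == "0.0.0.0":
        return "permit"   # DHCP discovery has no address yet (assumed behaviour)
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            if not port_security or b.mac == src_mac.lower():
                return "permit"
    return "drop"


def arp_inspect(bindings, interface, vlan, sender_mac, sender_ip, trusted=False):
    """DAI: ARP on an untrusted port must carry a sender IP/MAC pair that the snooping
    table learned on this VLAN and interface; trusted ports are not inspected."""
    if trusted:
        return "permit"
    ok = any(b.interface == interface and b.vlan == vlan
             and b.ip == sender_ip and b.mac == sender_mac.lower() for b in bindings)
    return "permit" if ok else "drop"


if __name__ == "__main__":
    table = parse_bindings(SHOW_BINDING)
    print(len(table), "bindings loaded")
    # a host on Fa1/0/1 claiming the address the table learned on Fa1/0/4
    print(verify_source(table, "FastEthernet1/0/1", 1, "192.168.1.18", "00:1e:90:ec:61:7a"))
    print(arp_inspect(table, "FastEthernet1/0/1", 1, "00:1e:90:ec:61:7a", "192.168.1.18"))
```

Note the difference between the two Source Guard modes on the third binding: `00:50:56:00:00:01` and `00:1E:90:EC:61:7A` share FastEthernet1/0/1, so in IP-only mode either MAC may send from 192.168.1.39, while port-security mode ties the address to the one MAC that leased it.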


DHCP Snooping

By daxm (January 31st, 2010)

DHCP snooping seems to me to be a strange security enhancement. Though I do agree that securing against a rogue DHCP server is important the way Cisco implements it is odd.

In order for DHCP snooping to work at least 3 configurations are needed:

1) Enable DHCP snooping on the switch — (config)#ip dhcp snooping

2) All ports are “untrusted” by default.  Specify which ports are “trusted”.  Trusted interfaces are the interfaces along the path to the DHCP server, so trunk ports and the actual port connecting to the DHCP server need to be configured as trusted ports.  — (config-if)#ip dhcp snooping trust

3) Identify which VLANs DHCP snooping will monitor. — (config)#ip dhcp snooping vlan <num>

4) (Optional?)  After configuring the above commands in my local (home) network I noticed that my DHCP requests were not being answered.  A buddy of mine (thanks Walt!) showed me that the DHCP snooping process was adding Option 82 to my DHCP requests by default.  Apparently my DHCP server didn’t like that option, because as soon as I disabled Option 82 from being sent my DHCP requests were being answered. — (config)#no ip dhcp snooping information option
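Steps 1-4 as one added Python model (not from the post) of what the switch does with each DHCP message: server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, which is the rogue-server protection; client messages on untrusted ports get Option 82 inserted unless the information option is turned off; and bindings are learned from the ACK so that Source Guard and DAI have something to check against. The port names, MACs and the `strict_server_accepts` function are constructed; that function models the symptom in step 4 (a server that ignores requests carrying Option 82 with no relay address) as an assumption about why the requests went unanswered, since the post does not say which server it was. The chaddr-versus-source-MAC check is also an assumption.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    """One switch's snooping state: the post's steps 1-3 plus the Option 82 toggle."""
    def __init__(self, vlans, trusted_ports, information_option=True):
        self.vlans = set(vlans)                        # ip dhcp snooping vlan <num>
        self.trusted = set(trusted_ports)              # ip dhcp snooping trust
        self.information_option = information_option   # [no] ip dhcp snooping information option
        self.pending = {}    # (chaddr, vlan) -> client port seen on DISCOVER/REQUEST
        self.bindings = {}   # (chaddr, vlan) -> (ip, port), learned from the ACK

    def process(self, port, vlan, msg):
        """Return ("forward", possibly modified msg) or ("drop", reason)."""
        if vlan not in self.vlans:
            return "forward", msg          # not a snooped VLAN: passed through untouched
        trusted = port in self.trusted
        kind = msg["type"]
        if kind in SERVER_MESSAGES and not trusted:
            return "drop", f"{kind} from a DHCP server on untrusted port {port}"
        if kind in CLIENT_MESSAGES and not trusted:
            if msg["chaddr"] != msg["src_mac"]:   # client MAC must match the frame (assumed)
                return "drop", "chaddr does not match source MAC"
            self.pending[(msg["chaddr"], vlan)] = port
            if self.information_option:
                msg = {**msg, "option82": {"circuit_id": f"vlan {vlan} port {port}"}}
        if kind == "ACK":
            client_port = self.pending.pop((msg["chaddr"], vlan), None)
            if client_port is not None:
                self.bindings[(msg["chaddr"], vlan)] = (msg["yiaddr"], client_port)
        return "forward", msg


def strict_server_accepts(msg):
    """Constructed model of the author's server: requests that carry Option 82
    but have no relay address (giaddr 0.0.0.0) are ignored."""
    return not ("option82" in msg and msg.get("giaddr", "0.0.0.0") == "0.0.0.0")


if __name__ == "__main__":
    sw = DhcpSnooping(vlans=[1], trusted_ports={"Gi1/0/24"})
    disc = {"type": "DISCOVER", "chaddr": "00:1e:90:ec:61:7a", "src_mac": "00:1e:90:ec:61:7a"}
    verdict, out = sw.process("Fa1/0/1", 1, disc)
    print(verdict, "option82" in out, "server answers:", strict_server_accepts(out))
```

With the default insertion the forwarded DISCOVER carries Option 82 and the strict server stays silent; the same switch built with `information_option=False` forwards the request untouched and the server answers, which is step 4 of the post. Either way an OFFER that shows up on an access port is dropped.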


Spanning-tree Timers

By daxm (December 8th, 2009)

Quick note about STP timers:
— STP timers are inherited from the root bridge. Therefore you only need to configure the timers on the root bridge and backup root bridge.
— STP timers are configured per VLAN. Therefore if you want to configure the timers for all the vlans you’ll need to use the ‘vlan 1-4094’ option.

So, the timers associated with the path to the root bridge are the ones that are honored, not the timers configured on the current bridge.

SW04(config)#do sh spann vlan 1

VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority    4097
Address     001e.bd01.5400
Cost        8
Port        21 (GigabitEthernet1/0/21)
Hello Time   3 sec  Max Age 10 sec  Forward Delay 10 sec

Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
Address     001d.e665.f200
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time  300 sec

Check out http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094954.shtml for more information.
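As an added example (not from the post), here is a Python parser for the `show spanning-tree vlan` output above that pulls the Root ID and Bridge ID timer lines apart, reports the root's timers as the ones in effect, flags the local configuration as ignored when this switch is not the root, and checks a timer set against the 802.1D relationship 2*(forward delay - 1) >= max age >= 2*(hello + 1). The sample text is the post's own output; the "This bridge is the root" marker is the one IOS prints in the Root ID section when the local switch is root.

```python
import re

# The output from the post, used as sample input
SHOW_SPANNING_TREE = """\
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority    4097
Address     001e.bd01.5400
Cost        8
Port        21 (GigabitEthernet1/0/21)
Hello Time   3 sec  Max Age 10 sec  Forward Delay 10 sec

Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
Address     001d.e665.f200
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time  300 sec
"""

TIMER_RE = re.compile(
    r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")


def parse_stp_timers(text):
    """Return {'root': {...}, 'bridge': {...}, 'is_root': bool} from show output."""
    timers, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Root ID"):
            section = "root"
        elif s.startswith("Bridge ID"):
            section = "bridge"
        m = TIMER_RE.search(s)
        if m and section:
            timers[section] = dict(zip(("hello", "max_age", "forward_delay"),
                                       map(int, m.groups())))
    if "root" not in timers or "bridge" not in timers:
        raise ValueError("could not find both Root ID and Bridge ID timer lines")
    return {"root": timers["root"], "bridge": timers["bridge"],
            "is_root": "This bridge is the root" in text}


def effective_timers(parsed):
    """The timers actually running on this VLAN: the root's (the post's point)."""
    return parsed["root"]


def local_timers_ignored(parsed):
    """True when this bridge has its own timers but is not root, so they do nothing."""
    return not parsed["is_root"] and parsed["root"] != parsed["bridge"]


def timers_consistent(t):
    """802.1D constraint between the three timers."""
    return 2 * (t["forward_delay"] - 1) >= t["max_age"] >= 2 * (t["hello"] + 1)


if __name__ == "__main__":
    p = parse_stp_timers(SHOW_SPANNING_TREE)
    print("in effect:", effective_timers(p))
    print("local config ignored:", local_timers_ignored(p))
    print("root timers consistent:", timers_consistent(p["root"]))
```

On the output above the parser reports hello 3 / max age 10 / forward delay 10 in effect (inherited from the root) while the locally configured 2 / 20 / 15 is ignored, which is exactly the mismatch the post describes; the consistency check is the thing to run before tuning timers on the root, since a set that violates the relationship is rejected or misbehaves.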
