802.1x

By daxm (June 3rd, 2013)

Supplicant <—–> Switch <—–> Server

Supplicant <-> Switch            Switch <-> Server
---------------------            -----------------
EAPoL-Start ->
<- EAP-Request-ID
EAP-Response-ID ->
                                 Access-Request ->
                                 <- Access-Challenge
<- EAP-Request
EAP-Request ->
                                 Access-Request ->
                                 <- Access-Accept
<- EAP-Success

 

Command Tasks:

!
! Enable AAA and send dot1x authentication to the RADIUS server group.
! (The server entry also needs the shared secret: radius-server host <ip> key <secret>)
aaa new-model
aaa authentication dot1x default group radius
radius-server host <ip>
!
! Enable 802.1x globally; without this the per-port commands have no effect.
dot1x system-auth-control
!
! Per port (802.1x runs on access ports only):
!   auto               = run EAP, open the port only after EAP-Success
!   force-authorized   = port always open, no EAP exchange
!   force-unauthorized = port always closed, no EAP exchange
int f0/0
switchport mode access
dot1x port-control <auto/force-authorized/force-unauthorized>
!
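The exchange in the diagram, modelled from the switch (authenticator) side, as an added example that is not code from the original post. It builds and parses real EAPoL/EAP headers (IEEE 802.1X, RFC 3748), relays EAP inside a RADIUS Access-Request, and only marks the port authorized on Access-Accept; the three port-control modes from the config above drive the behaviour. The RADIUS messages are plain dictionaries and the MD5 challenge bytes are constructed, not a real RADIUS encoding. The supplicant's reply to the server's challenge is an EAP-Response (code 2), which the diagram labels EAP-Request.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
EAP_NAMES = {EAP_REQUEST: "EAP-Request", EAP_RESPONSE: "EAP-Response",
             EAP_SUCCESS: "EAP-Success", EAP_FAILURE: "EAP-Failure"}

def build_eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) body-length(2), then the body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header: code(1) identifier(1) length(2) [type(1) type-data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL frame")
    return ptype, frame[4:4 + length]

def parse_eap(body):
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or len(body) < length:
        raise ValueError("bad EAP length")
    eap_type = body[4] if length > 4 else None
    return code, ident, eap_type, body[5:length]

class Authenticator:
    """Switch side of one access port, per 'dot1x port-control <mode>'."""
    def __init__(self, port_control="auto"):
        self.port_control = port_control
        self.authorized = port_control == "force-authorized"
        self.expected_id = 1        # identifier of the EAP request last sent to the supplicant
        self.identity = None

    def from_supplicant(self, frame):
        """Returns ("supplicant", eapol_frame), ("radius", dict) or None."""
        if self.port_control != "auto":
            return None             # forced modes never run EAP; the port state is fixed
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            req = build_eap(EAP_REQUEST, self.expected_id, EAP_TYPE_IDENTITY)
            return ("supplicant", build_eapol(EAPOL_EAP_PACKET, req))
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return None
        if ptype == EAPOL_EAP_PACKET:
            code, ident, eap_type, data = parse_eap(body)
            if code == EAP_RESPONSE and ident == self.expected_id:
                if eap_type == EAP_TYPE_IDENTITY:
                    self.identity = data.decode("utf-8", "replace")
                # The switch never interprets the EAP method; it relays EAP inside RADIUS.
                return ("radius", {"code": "Access-Request", "User-Name": self.identity,
                                   "EAP-Message": body})
        return None                 # stale identifier or unexpected code: ignored

    def from_server(self, msg):
        """RADIUS result: Challenge relays the server's EAP-Request; Accept/Reject decide the port."""
        if msg["code"] == "Access-Challenge":
            _, self.expected_id, _, _ = parse_eap(msg["EAP-Message"])
            return ("supplicant", build_eapol(EAPOL_EAP_PACKET, msg["EAP-Message"]))
        self.authorized = msg["code"] == "Access-Accept"
        code = EAP_SUCCESS if self.authorized else EAP_FAILURE
        return ("supplicant", build_eapol(EAPOL_EAP_PACKET, build_eap(code, self.expected_id)))

def run_exchange(port_control="auto", server_accepts=True, identity=b"alice"):
    """Drives the exchange with a scripted supplicant and server (constructed inputs)."""
    sw = Authenticator(port_control)
    trace = []
    out = sw.from_supplicant(build_eapol(EAPOL_START))
    if out is None:
        return trace, sw.authorized
    trace += ["EAPoL-Start ->", "<- EAP-Request-ID"]
    _, ident, _, _ = parse_eap(parse_eapol(out[1])[1])
    sw.from_supplicant(build_eapol(EAPOL_EAP_PACKET,
                                   build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)))
    trace += ["EAP-Response-ID ->", "Access-Request ->"]
    # Server challenges with its own EAP-Request (MD5-Challenge, constructed challenge bytes).
    challenge = build_eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, b"\x10" + b"\x00" * 16)
    sw.from_server({"code": "Access-Challenge", "EAP-Message": challenge})
    trace += ["<- Access-Challenge", "<- EAP-Request"]
    sw.from_supplicant(build_eapol(EAPOL_EAP_PACKET,
                                   build_eap(EAP_RESPONSE, ident + 1, EAP_TYPE_MD5, b"\x10" + b"\x11" * 16)))
    trace += ["EAP-Response ->", "Access-Request ->"]
    out = sw.from_server({"code": "Access-Accept" if server_accepts else "Access-Reject"})
    final_code = parse_eap(parse_eapol(out[1])[1])[0]
    trace += ["<- Access-Accept" if server_accepts else "<- Access-Reject", "<- " + EAP_NAMES[final_code]]
    return trace, sw.authorized

if __name__ == "__main__":
    for mode in ("auto", "force-authorized", "force-unauthorized"):
        print(mode, run_exchange(mode))
```

The thing to notice is that the switch stays a pure relay: it tracks only the EAP identifier it expects and the RADIUS verdict, which is why the RADIUS shared secret and the link to the server matter as much as the EAP method for the security of the port.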

 


VLAN ACCESS MAPS

By daxm (June 3rd, 2013)

Using VLAN Access Maps.

3 Steps:
!
! 1. An ACL names the traffic. Inside a VLAN access-map a "permit" means "this clause matches";
!    a deny (explicit or the ACL's implicit one) means "not this clause", not "drop".
ip access-list ext <ACL-NAME>
permit icmp any any
permit eigrp any any
!
! 2. The access-map pairs that match with an action. Sequences are tried in order;
!    a packet that matches no sequence is dropped by the map's implicit deny.
vlan access-map <VAM> seq <num>
match ip address <ACL-NAME>
action <forward/drop>
!
! 3. Apply the map to one or more VLANs.
vlan filter <VAM> vlan-list <num>
!

In other words, a vlan filter binds a vlan access-map to a VLAN. The vlan access-map matches on IP addresses and/or MAC addresses, using an ip access-list or a mac access-list respectively.
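An evaluator for the match/action semantics of the three steps above, as an added example that is not code from the original post. It models the ACL from the post (permit icmp, permit eigrp) inside an access-map and shows the consequence that bites people: with only that one sequence and action forward, everything that is not ICMP or EIGRP is dropped by the map's implicit deny, so a catch-all forward sequence is needed for the rest of the traffic. The packets, ACL names and map names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "eigrp", "tcp", "udp", ...
    src: str
    dst: str

@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str   # "ip" matches every IP protocol
    src: str     # CIDR prefix or "any"
    dst: str

@dataclass(frozen=True)
class MapSeq:
    seq: int
    acl: str     # ACL named in "match ip address"
    action: str  # "forward" or "drop"

def _in(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def ace_matches(ace, pkt):
    return ace.proto in ("ip", pkt.proto) and _in(ace.src, pkt.src) and _in(ace.dst, pkt.dst)

def acl_permits(acl, pkt):
    """First matching entry decides; no matching entry is the ACL's implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.permit
    return False

def vacl_action(access_map, acls, pkt):
    """Sequences are tried in order. A sequence matches only when its ACL permits the packet;
    a deny means 'try the next sequence'. A packet matching no sequence is dropped."""
    for clause in sorted(access_map, key=lambda c: c.seq):
        if acl_permits(acls[clause.acl], pkt):
            return clause.action
    return "drop"

# Constructed sample configuration mirroring the post's three steps.
ACLS = {
    "CTRL-ONLY": [Ace(True, "icmp", "any", "any"), Ace(True, "eigrp", "any", "any")],
    "ALL-IP": [Ace(True, "ip", "any", "any")],
}
MAP_AS_POSTED = [MapSeq(10, "CTRL-ONLY", "forward")]
MAP_WITH_CATCH_ALL = MAP_AS_POSTED + [MapSeq(20, "ALL-IP", "forward")]
MAP_BLOCK_CTRL = [MapSeq(10, "CTRL-ONLY", "drop"), MapSeq(20, "ALL-IP", "forward")]

# Constructed sample packets on the filtered VLAN.
SAMPLE = {
    "ping":  Packet("icmp", "10.1.1.10", "10.1.1.1"),
    "eigrp": Packet("eigrp", "10.1.1.1", "224.0.0.10"),
    "ssh":   Packet("tcp", "10.1.1.10", "10.1.1.20"),
}

def evaluate(access_map):
    """Action taken for each sample packet under the given access-map."""
    return {name: vacl_action(access_map, ACLS, pkt) for name, pkt in SAMPLE.items()}

if __name__ == "__main__":
    print("as posted:      ", evaluate(MAP_AS_POSTED))       # ssh dropped by the implicit deny
    print("with catch-all: ", evaluate(MAP_WITH_CATCH_ALL))
    print("block control:  ", evaluate(MAP_BLOCK_CTRL))
```

The same evaluator shows the other direction: to drop ICMP and EIGRP while passing the rest, the drop clause still needs a later permit-ip sequence, because the map itself never forwards by default.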


FHRP — GLBP

By daxm (February 9th, 2010)

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol to provide redundancy to LAN clients with only a “default gateway” as their routing option (so is HSRP but that is for a different post).

  • GLBP uses the multicast address of 224.0.0.102 to communicate with GLBP enabled routers in the LAN.  A hello message is sent every 3 seconds, by default, on UDP port 3222 (both source and destination port).
  • The AVG (Active Virtual Gateway) is “the man” for the GLBP group: it is the router that assigns virtual MAC addresses to the other members of the GLBP group.  The AVG is also responsible for responding to ARP requests for the virtual IP address used by the GLBP group.  The AVG selects one of the virtual MAC addresses assigned to a GLBP group member to use in the ARP response.  (Thus the load of being the “default gateway” for the LAN is spread across the whole GLBP group.)
  • Though multiple routers can be part of the GLBP group, only 4 virtual MAC addresses are used.  (Given that, I’m assuming only 4 routers in a group are considered “active” at any one moment?)  The router (virtual forwarder) that is assigned a virtual MAC is the primary virtual forwarder for it, and other routers that have learned that MAC are considered secondary virtual forwarders.  Should the primary virtual forwarder fail, one of the secondary virtual forwarders for that MAC will assume responsibility for responding to that MAC for a period of time (until the AVG expires the use of that MAC).
  • If the AVG fails, the router with the highest priority value (1-255) is selected; if there is a tie, the router with the highest IP address wins.
  • Preemption of the AVG role is disabled by default.  However, preemption of the primary virtual forwarder role is enabled with a 30-second delay.
  • The AVG for a GLBP group can be enabled to store a “client cache” database of all the LAN clients using the group.  The maximum number of entries is 2000, but under “normal” circumstances it should never exceed 1000.  Use the ‘show glbp detail’ command on the AVG to view this cache, and the ‘glbp client-cache’ command to enable this feature.
  • GLBP supports ISSU (In Service Software Upgrade) and SSO (Stateful Switchover), but that is beyond what I need to know for now.
  • GLBP supports up to 1024 virtual routers per interface.
  • Authentication for the GLBP group can be configured using an MD5 hashed password.
  • GLBP supports weighting and tracking.
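A small model of the AVG election, the 4-forwarder limit, round-robin ARP replies and the preemption defaults described in the bullets above, as an added example that is not code from the original post. Router names, IPs and priorities are constructed; the virtual MAC labels are placeholders rather than GLBP's real virtual MAC format, and the choice of which secondary forwarder takes over a failed primary's MAC is simplified to "the first other live router" (real GLBP uses weighting for that).

```python
from dataclasses import dataclass
from itertools import cycle

MAX_FORWARDERS = 4        # only 4 virtual MACs are handed out per group
DEFAULT_PRIORITY = 100    # IOS default GLBP priority

@dataclass
class Router:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    alive: bool = True

def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))

def elect_avg(routers, current=None, preempt=False):
    """Highest priority wins; ties go to the highest IP. With preemption disabled (the default)
    a live AVG keeps the role even when a better candidate is present."""
    if current is not None and current.alive and not preempt:
        return current
    live = [r for r in routers if r.alive]
    return max(live, key=lambda r: (r.priority, _ip_key(r.ip)))

class GlbpGroup:
    def __init__(self, group, routers):
        self.routers = routers
        self.avg = elect_avg(routers)
        # Placeholder virtual MAC labels, one per primary virtual forwarder (at most 4).
        self.primary = {f"vmac-{group}-{i}": r
                        for i, r in enumerate(routers[:MAX_FORWARDERS], 1)}
        self._rr = cycle(list(self.primary))   # round-robin is GLBP's default balancing

    def forwarder_for(self, vmac):
        """The primary AVF answers for its MAC; if it is down, a live secondary takes it over
        (simplified here to the first other live router)."""
        owner = self.primary[vmac]
        if owner.alive:
            return owner
        return next((r for r in self.routers if r.alive and r is not owner), None)

    def arp_reply(self):
        """The AVG answers ARP for the virtual IP, rotating through the virtual MACs."""
        return next(self._rr)

    def tick(self, preempt=False):
        """Re-run the AVG election after a router fails or returns."""
        self.avg = elect_avg(self.routers, self.avg, preempt)
        return self.avg.name

def demo():
    """Constructed three-router group: R2 and R3 tie on priority, R3 has the higher IP."""
    r1, r2, r3 = Router("R1", "10.0.0.1"), Router("R2", "10.0.0.2", 150), Router("R3", "10.0.0.3", 150)
    g = GlbpGroup(1, [r1, r2, r3])
    out = {"initial_avg": g.avg.name}
    out["arp_macs"] = [g.arp_reply() for _ in range(4)]      # 3 AVFs, so the 4th reply wraps
    r3.alive = False
    out["avg_after_r3_fails"] = g.tick()                     # R2 takes over
    out["vmac3_served_by"] = g.forwarder_for("vmac-1-3").name  # R3's MAC answered by a secondary
    r3.alive = True
    out["avg_after_r3_returns"] = g.tick()                   # still R2: AVG preemption is off
    out["avg_with_preempt"] = g.tick(preempt=True)           # R3 reclaims the role
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
</```

The preemption default is the operational point worth remembering: after an outage the AVG role stays with whichever router picked it up, regardless of priority, until preemption is configured or the current AVG goes away.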
