Saturday, May 10, 2014

Configuring Port Security

Setting Maximum Number of Secure Addresses
This example shows how to enable port security on the Fast Ethernet interface 0/1 and how to set the maximum number of secure addresses to 3. The violation mode is the default, and no secure MAC addresses are configured.
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address sticky
Setting a Violation Mode
Switch(config-if)# switchport port-security violation restrict
Setting the Aging Timer
Switch(config-if)# switchport port-security aging time 120
Configuring a Secure MAC Address
Switch(config-if)# switchport port-security mac-address 0000.0000.0003 (Static secure MAC)
Configuring Sticky Port Security

Switch(config-if)# switchport port-security mac-address sticky
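The following is an added example, not code from the original post: a small Python model of how a port-security-enabled access port treats incoming source MAC addresses, covering the maximum-address limit, static and sticky addresses, and the three violation modes (the page shows restrict; shutdown is the IOS default and protect is the third mode). The interface name and MAC addresses are constructed sample values.

```python
# Added example, not from the original post: a simulation of how one
# port-security-enabled access port treats incoming source MAC addresses.
# Violation modes: "shutdown" (the default; port goes err-disabled),
# "restrict" (frame dropped, violation counter increments) and
# "protect" (frame dropped silently). Defaults follow Cisco IOS.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class SecurePort:
    maximum: int = 1                 # "switchport port-security maximum N" (default 1)
    violation: str = "shutdown"      # "switchport port-security violation {protect|restrict|shutdown}"
    sticky: bool = False             # "switchport port-security mac-address sticky"
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> "static"|"sticky"|"dynamic"
    err_disabled: bool = False
    violation_count: int = 0

    def add_static(self, mac: str) -> None:
        """Equivalent of "switchport port-security mac-address <mac>"."""
        self.secure[mac] = "static"

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with source MAC src_mac."""
        if self.err_disabled:
            return "dropped-errdisabled"
        if src_mac in self.secure:
            return "forwarded"                       # already a secure address
        if len(self.secure) < self.maximum:
            # Room left: learn the address. Sticky addresses are written to the
            # configuration and survive a reload once saved; dynamic ones do not.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded-learned"
        # Limit reached and this source is unknown: a security violation
        if self.violation == "protect":
            return "dropped-silently"
        self.violation_count += 1                    # counted in restrict and shutdown modes
        if self.violation == "restrict":
            return "dropped-counted"                 # a real switch also logs / sends an SNMP trap
        self.err_disabled = True
        return "dropped-port-shutdown"

    def running_config(self, interface: str = "FastEthernet0/1") -> str:
        """What the switch would record under the interface (simplified: defaults are shown too)."""
        lines = [
            f"interface {interface}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {self.maximum}",
            f" switchport port-security violation {self.violation}",
        ]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in sorted(self.secure.items()):
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            # dynamic addresses are never written to the configuration
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario matching the configuration above: maximum 3, restrict, sticky
    port = SecurePort(maximum=3, violation="restrict", sticky=True)
    port.add_static("0000.0000.0003")
    for mac in ["0000.0000.0001", "0000.0000.0002", "0000.0000.0001", "0000.0000.0009"]:
        print(mac, "->", port.ingress(mac))
    print(port.running_config())
```

The running_config output shows the operational difference that matters for a defender: only static and sticky addresses end up in the configuration, so a port that relies on dynamic learning starts empty again after a reload, while sticky learning keeps the first hosts it saw.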

Private VLAN (PVLAN)

The main purpose of a Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain; by using PVLANs we split that domain into smaller broadcast domains. For example, without PVLANs, if a service provider wants to increase security by isolating customers into separate domains so that they can’t access each other, it has to assign them to different VLANs and use different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs (PVLANs) solve this problem by allowing the isolation of devices at Layer 2 within the same subnet. A PVLAN can be thought of as a “VLAN inside a VLAN”.

There are three types of ports in PVLAN:
1.     Isolated – can only communicate with promiscuous ports. Notice that an isolated port cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
2.     Promiscuous – can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach outside networks.
3.     Community – can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
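As an added example (not part of the original post), the three port-type rules above encoded as a reachability check and applied to a constructed set of ports in one primary VLAN. The port names and the secondary VLAN names are made up for the example; the point is that every host sits in the same subnet, yet only the pairs the rules permit can exchange frames.

```python
# Added example, not from the original post: the PVLAN reachability rules for
# the three port types (isolated, promiscuous, community), applied to a
# constructed set of ports in one primary VLAN.
from itertools import product
from typing import Dict, Optional, Tuple

Port = Tuple[str, Optional[str]]   # (port type, secondary VLAN name; None for promiscuous)

# Constructed example: a gateway, two isolated customer ports, two communities
PORTS: Dict[str, Port] = {
    "Gi0/1": ("promiscuous", None),       # default gateway / router
    "Gi0/2": ("isolated", "iso-vlan"),    # customer A
    "Gi0/3": ("isolated", "iso-vlan"),    # customer B (same isolated VLAN, still separated)
    "Gi0/4": ("community", "comm-c"),     # customer C, server 1
    "Gi0/5": ("community", "comm-c"),     # customer C, server 2
    "Gi0/6": ("community", "comm-d"),     # customer D
}


def pvlan_allows(src: Port, dst: Port) -> bool:
    """True if a frame from src may reach dst inside the same PVLAN."""
    src_type, src_sec = src
    dst_type, dst_sec = dst
    if src_type == "promiscuous" or dst_type == "promiscuous":
        return True                     # promiscuous ports talk to every port
    if src_type == "community" and dst_type == "community":
        return src_sec == dst_sec       # same community only
    return False                        # isolated ports reach nothing but promiscuous ports


def reachability(ports: Dict[str, Port]) -> Dict[Tuple[str, str], bool]:
    """Every ordered (src, dst) pair and whether Layer 2 forwarding is permitted."""
    return {
        (a, b): pvlan_allows(ports[a], ports[b])
        for a, b in product(ports, repeat=2) if a != b
    }


def reachable_pairs(ports: Dict[str, Port]) -> int:
    """Number of permitted ordered pairs (a plain VLAN would permit all of them)."""
    return sum(reachability(ports).values())


if __name__ == "__main__":
    for (a, b), ok in reachability(PORTS).items():
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
    print("pairs allowed:", reachable_pairs(PORTS), "of", len(PORTS) * (len(PORTS) - 1))
```

With six ports, an ordinary VLAN would permit all 30 ordered pairs; the PVLAN rules leave 12 (everything involving the promiscuous gateway plus the two directions between the two community-c servers), which is the isolation the text describes without consuming extra subnets.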

HSRP States

Initial – This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on.
Listen – The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in an HSRP group, the router that is neither active nor standby remains in the listen state.
Speak – The router sends periodic HSRP hellos and participates in the election of the active or standby router.
Standby – In this state, the router monitors hellos from the active router and takes the active state when the current active router fails (no packets heard from the active router).
Active – The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

Hot Standby Router Protocol (HSRP) – Routing Redundancy

1.     It is Cisco proprietary.
2.     It enables a set of router interfaces to present the appearance of a single virtual router or default gateway to the hosts on a LAN.
3.     It provides a virtual Media Access Control (MAC) address and an IP address that are shared among the routers on the LAN.
4.     The virtual router does not physically exist; it represents the common target for routers that are configured to provide backup to each other.
5.     One of the routers is selected to be the active router and another to be the standby router, which takes control of the group MAC address and IP address should the designated active router fail.

The standby ip interface configuration command activates HSRP on a Layer 3 interface. Devices running HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate active and standby routers.
The switch supports HSRP MAC addresses for up to 16 unique HSRP groups. Because each group address can be used on up to 16 Layer 3 interfaces, the maximum number of HSRP interfaces is 256. Cisco recommends using no more than 64 HSRP interfaces due to CPU utilization.

Default HSRP Configuration
HSRP groups – None configured
Standby group number – 0
Standby MAC address – 0000.0c07.acXX, where XX is the HSRP group number
Standby priority – 100
Standby delay – 0
Standby track interface priority – 10
Standby hello time – 3 seconds
Standby holdtime – 10 seconds

HSRP Configuration Guidelines and Limitations
There are three types of interfaces that can be used to configure HSRP:
1.     Routed port – a physical port configured as a Layer 3 port by entering the no switchport interface configuration command.
2.     SVI – a VLAN interface created by using the interface vlan vlan_id global configuration command; it is a Layer 3 interface by default.
3.     EtherChannel port channel in Layer 3 mode – a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interfaces into the channel group.
All Layer 3 interfaces must have IP addresses assigned to them.
An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces.

Follow the steps below to create or enable HSRP on a Layer 3 interface:
1.     Enter global configuration mode.
2.     Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
3.     Create the HSRP group using its number and virtual IP address: standby [group-number] ip [ip-address [secondary]]
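Two of the defaults listed above can be worked through in code. The following is an added example, not from the original post or from Cisco: it derives the default virtual MAC 0000.0c07.acXX from a group number, and models the standby router's hold timer with the default hello time (3 seconds) and holdtime (10 seconds) to show how long after the active router goes silent the standby router moves to the Active state. The failure times are a constructed scenario, and the model deliberately starts the router in the Standby state rather than replaying the full Initial/Listen/Speak election.

```python
# Added example, not from the original post: the default HSRP virtual MAC for
# a group number, and a simplified timer model of the standby router taking
# over when the active router goes silent (default hello 3 s, holdtime 10 s).
from dataclasses import dataclass


def hsrp_virtual_mac(group: int) -> str:
    """Default virtual MAC 0000.0c07.acXX, where XX is the group number in hexadecimal."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP version 1 group numbers are 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class StandbyRouter:
    hello_time: int = 3      # seconds between hellos (default 3)
    hold_time: int = 10      # seconds without a hello before the active router is presumed dead (default 10)
    state: str = "standby"   # assumption: this router already lost the election and sits in Standby
    last_hello_from_active: int = 0

    def hello_received(self, now: int) -> None:
        """A hello from the active router resets the hold timer."""
        self.last_hello_from_active = now

    def tick(self, now: int) -> str:
        """Check the hold timer; move to Active if the active router has gone quiet."""
        if self.state == "standby" and now - self.last_hello_from_active >= self.hold_time:
            self.state = "active"
        return self.state


def simulate_failover(active_fails_at: int, hello_time: int = 3, hold_time: int = 10) -> int:
    """Return the second at which the standby router becomes active.

    Constructed scenario: the active router sends a hello every hello_time
    seconds starting at t=0 and stops at active_fails_at; time advances in
    1-second steps.
    """
    standby = StandbyRouter(hello_time, hold_time)
    for now in range(0, active_fails_at + hold_time + hello_time + 1):
        if now < active_fails_at and now % hello_time == 0:
            standby.hello_received(now)
        if standby.tick(now) == "active":
            return now
    raise RuntimeError("standby never took over")


if __name__ == "__main__":
    print("group 1 virtual MAC:", hsrp_virtual_mac(1))
    t = simulate_failover(active_fails_at=10)
    print(f"active router failed at 10 s; standby became active at {t} s")
```

The takeover happens holdtime seconds after the last hello that was actually received, not after the failure itself, so with the defaults the gateway can be unreachable for up to holdtime plus almost one hello interval (about 13 seconds). Shorter timers reduce that window at the cost of more hello traffic and CPU, which is the trade-off behind the interface-count recommendation above.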

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swhsrp.html

CAM Table Operation

Non-VLAN-Capable Switch CAM Table Operation
A switch uses its CAM (content-addressable memory) table to store MAC addresses and the port on which each MAC address was learned. When the switch receives a frame, it consults its CAM table to determine what to do with the frame.

1.     If the destination MAC address does not appear in the CAM table, the switch sends the frame out all ports except the port on which it arrived. (Flood)
2.     If the destination MAC address appears in the CAM table, the frame is sent out the port recorded for that address. (Forward)
3.     If the destination MAC address is associated with the same port on which the frame was received, the frame is discarded. (Filter)
4.     If the destination MAC address is a broadcast or multicast address, the frame is sent out all ports except the port on which it was received. (Flood)

VLAN-Capable Switch CAM Table Operation
A VLAN-capable switch uses its CAM table to store MAC addresses together with the port and the port's VLAN ID on which each MAC address was learned. When the switch receives a frame, it consults its CAM table to determine which action to take.

1.     If the destination MAC address does not appear in the CAM table for that VLAN, the switch sends the frame out all ports with the matching VLAN ID, except the port on which it was received. (Flood)
2.     If the destination MAC address appears in the CAM table for that VLAN, the frame is sent out the port recorded for that address in the matching VLAN. (Forward)
3.     If the destination MAC address is associated with the same port on which the frame was received, the frame is discarded. (Filter)
4.     If the destination MAC address is a broadcast or multicast address, the frame is sent out all ports with the matching VLAN ID, except the port on which it was received. (Flood)
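As an added example (not from the original post), the following Python model implements the VLAN-aware learning and forwarding decisions above; the non-VLAN-capable switch of the previous section is simply the case where every port is in the same VLAN. The port names, VLAN numbers and MAC addresses are constructed for the example.

```python
# Added example, not from the original post: a VLAN-aware CAM table model that
# applies the four decisions above (flood / forward / filter). A non-VLAN-capable
# switch is the special case where every port belongs to the same VLAN.
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the least significant bit of the first octet is set."""
    return int(mac[:2], 16) & 1 == 1


class Switch:
    def __init__(self, port_vlans: Dict[str, int]):
        self.port_vlans = port_vlans                         # port -> access VLAN
        self.cam: Dict[Tuple[str, int], str] = {}           # (mac, vlan) -> port learned on

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> Tuple[str, List[str]]:
        """Return (action, egress ports) for a frame arriving on in_port."""
        vlan = self.port_vlans[in_port]
        # Learning: associate the source MAC with the ingress port for this VLAN
        self.cam[(src_mac, vlan)] = in_port
        # Candidate flood set: every other port in the same VLAN
        same_vlan = [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]
        if is_group_address(dst_mac):
            return "flood", same_vlan                       # rule 4: broadcast / multicast
        out_port = self.cam.get((dst_mac, vlan))
        if out_port is None:
            return "flood", same_vlan                       # rule 1: unknown unicast
        if out_port == in_port:
            return "filter", []                             # rule 3: destination sits behind the ingress port
        return "forward", [out_port]                        # rule 2: known unicast


if __name__ == "__main__":
    # Constructed topology: Fa0/1, Fa0/2, Fa0/4 in VLAN 10; Fa0/3 in VLAN 20
    sw = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 10})
    print(sw.receive("Fa0/1", "0000.0000.000a", "0000.0000.000b"))  # unknown: flood within VLAN 10
    print(sw.receive("Fa0/2", "0000.0000.000b", "0000.0000.000a"))  # now known: forward to Fa0/1
    print(sw.receive("Fa0/3", "0000.0000.000c", "0000.0000.000a"))  # VLAN 20 has no entry: flood (to nobody)
    print(sw.receive("Fa0/1", "0000.0000.000d", "0000.0000.000a"))  # destination on ingress port: filter
    print(sw.receive("Fa0/4", "0000.0000.000e", BROADCAST))          # broadcast: flood within VLAN 10
```

Two things the model makes visible: a MAC learned in VLAN 10 is unknown in VLAN 20, so the VLAN boundary also bounds flooding, and every frame from an unknown destination is flooded to the whole VLAN. A real CAM table is finite, and when it fills up the switch falls back to flooding for the addresses it cannot store, which is why the port-security maximum in the first section limits how many addresses a single port may contribute.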