Vlan Numbers

Posted by fanie on Wednesday, June 19, 2013

2950:
Standard image: up to 64 VLANs; VLAN IDs 1-4094 can be used.
Enhanced image: up to 250 VLANs; VLAN IDs 1-4094 can be used.
2960:
LAN Base image: up to 255 VLANs; VLAN IDs 1-4094 can be used.
LAN Lite image: up to 64 VLANs; VLAN IDs 1-4094 can be used.
3550, 3560, 3750:
Up to 1005 active VLANs; VLAN IDs 1-4094 can be used.
4500, 6500:
Up to 4094 VLANs; VLAN IDs 1-4094 can be used.

source: http://cyruslab.net/2010/09/12/number-of-vlans-that-can-be-created-for-each-cisco-switch-models/

  • 0 and 4095: reserved
  • 1: default VLAN; every port starts in it and it is the default management VLAN, so move management and user traffic off it
  • 2-1001: normal range, available for Ethernet VLANs
  • 1002-1005: defaults for FDDI and Token Ring VLANs (cannot be deleted)
  • 1006-4094: extended range, available for Ethernet VLANs (802.1Q only; VTP v1/v2 do not propagate them)

source : http://www.certmag.com/read.php?in=2692

3 way handshake

Posted by fanie on Friday, March 29, 2013

The best 3-way handshake illustration (image) :

source : http://jvmblog.tistory.com/180
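Because the linked picture is not reproduced here, the exchange it shows, as an added example that is not part of the original post: the three segments of a TCP handshake and the sequence/acknowledgement arithmetic that ties them together. The initial sequence numbers (1000 and 5000) are constructed values, not captured ones.

```python
# Added example, not from the original post: a minimal model of the TCP three-way
# handshake (SYN, SYN-ACK, ACK) with the sequence/acknowledgement arithmetic.
# ISNs are constructed, not captured values.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    seq: int
    ack: int = 0

    def name(self) -> str:
        return {SYN: "SYN", SYN | ACK: "SYN-ACK", ACK: "ACK"}.get(self.flags, hex(self.flags))


@dataclass
class Endpoint:
    name: str
    isn: int                 # initial sequence number chosen by this side
    state: str = "CLOSED"
    snd_nxt: int = 0         # next sequence number we will send
    rcv_nxt: int = 0         # next sequence number we expect (= what we acknowledge)


def three_way_handshake(client: Endpoint, server: Endpoint) -> list:
    """Run the exchange and return the segments in order."""
    trace = []
    # 1. client -> server: SYN; the SYN flag consumes one sequence number
    client.state = "SYN-SENT"
    syn = Segment(client.name, server.name, SYN, seq=client.isn)
    client.snd_nxt = client.isn + 1
    trace.append(syn)
    # 2. server -> client: SYN-ACK; ack = client ISN + 1
    server.state, server.rcv_nxt = "SYN-RECEIVED", syn.seq + 1
    synack = Segment(server.name, client.name, SYN | ACK, seq=server.isn, ack=server.rcv_nxt)
    server.snd_nxt = server.isn + 1
    trace.append(synack)
    # 3. client -> server: ACK; ack = server ISN + 1; client is now ESTABLISHED
    if synack.ack != client.snd_nxt:
        raise ValueError("server acknowledged a sequence number we never sent")
    client.rcv_nxt = synack.seq + 1
    ack = Segment(client.name, server.name, ACK, seq=client.snd_nxt, ack=client.rcv_nxt)
    client.state = "ESTABLISHED"
    trace.append(ack)
    # server validates the final ACK and completes the connection
    if ack.ack != server.snd_nxt:
        raise ValueError("client acknowledged a sequence number we never sent")
    server.state = "ESTABLISHED"
    return trace


def run_demo():
    """Constructed endpoints; returns (client, server, trace) for inspection."""
    client, server = Endpoint("client", isn=1000), Endpoint("server", isn=5000)
    trace = three_way_handshake(client, server)
    return client, server, trace


if __name__ == "__main__":
    c, s, segs = run_demo()
    for seg in segs:
        print(f"{seg.src} -> {seg.dst}: {seg.name()} seq={seg.seq} ack={seg.ack}")
    print(c.state, s.state)
```

Until the third segment arrives the server sits in SYN-RECEIVED holding state for a connection the client may never complete, which is why the ack value of every segment is checked against what the peer actually sent rather than trusted.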

Privilege Router Switch Mode

Posted by fanie on Saturday, March 23, 2013

Router>            (user EXEC mode -> privilege level 1)
Router#            (privileged EXEC mode, entered with "enable" -> privilege level 15)
Router(config)#    (global configuration mode, entered with "configure terminal")

show history   (lists the commands typed in this session)
The history buffer holds up to 256 commands.


command (per session) :
Router#terminal history size 256

To make it permanent for a line, use "history size 256" under "line console 0" or "line vty 0 4" instead.



HSRP version Multicast Switch Settings

Posted by fanie on Saturday, January 26, 2013

A minimal HSRP configuration looks like this :

int fa0/0
ip add 34.34.115.1 255.255.255.0
standby 0 ip 34.34.115.8

To see the multicast address and port the routers use for HSRP hellos, run this (it prints every IP packet the router sends or receives, so use it on a lab box, not on a busy production router) :

debug ip packet detail

*Mar  1 00:54:07.423: IP: s=34.34.115.8 (local), d=224.0.0.2 (Vlan123), len 48, sending broad/multicast
*Mar  1 00:54:07.427:     UDP src=1985, dst=1985

The multicast address and port number :
IP=224.0.0.2, UDP source port=1985, destination port=1985

That is HSRP version 1. HSRP version 2 ("standby 0 version 2") sends to 224.0.0.102, still UDP port 1985. Hellos are unauthenticated by default (the authentication field carries the string "cisco" in clear text), so any host on the segment that can send hellos with a higher priority can take over the virtual IP; configure "standby 0 authentication md5 key-string <key>" on every router in the group.
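The 20-byte HSRP version 1 packet that travels inside those UDP 1985 -> 224.0.0.2 datagrams, as an added example that is not part of the original post: a parser and builder for the RFC 2281 layout, and a small audit that flags what a captured hello reveals (default plaintext authentication, a priority above the expected active router, a Coup). The packets are constructed here, not taken from the router above; the expected priority of 100 is an assumption.

```python
# Added example, not from the original post: parser/builder for the HSRP v1 packet
# (RFC 2281) and an audit of a single hello. Packets and priorities are constructed.
import struct
from dataclasses import dataclass

HSRP_V1_GROUP, HSRP_V2_GROUP, HSRP_PORT = "224.0.0.2", "224.0.0.102", 1985
# version (0 on the wire for HSRP v1), opcode, state, hellotime, holdtime,
# priority, group, reserved, authentication data (8 bytes), virtual IP (4 bytes)
HSRP_V1_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco".ljust(8, b"\x00")   # factory default, sent in clear text


@dataclass
class HsrpV1:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode the UDP payload of an HSRP v1 packet."""
    if len(payload) < struct.calcsize(HSRP_V1_FMT):
        raise ValueError("short HSRP payload")
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = struct.unpack(
        HSRP_V1_FMT, payload[:20])
    if ver != 0:
        raise ValueError(f"version field {ver}: not HSRP v1")
    return HsrpV1(OPCODES.get(op, str(op)), STATES.get(state, str(state)),
                  hello, hold, prio, group, auth, ".".join(map(str, vip)))


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int, virtual_ip: str,
                  auth: bytes = DEFAULT_AUTH, hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Encode an HSRP v1 packet (for constructing test traffic)."""
    vip = bytes(int(o) for o in virtual_ip.split("."))
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth, vip)


def audit(pkt: HsrpV1, expected_priority: int) -> list:
    """Findings for one packet, given the priority the real active router is configured with."""
    findings = []
    if pkt.auth == DEFAULT_AUTH:
        findings.append("default plaintext authentication 'cisco'")
    if pkt.priority > expected_priority:
        findings.append(f"priority {pkt.priority} exceeds the configured active router's {expected_priority}")
    if pkt.opcode == "Coup":
        findings.append("coup: a router is claiming the active role")
    return findings


if __name__ == "__main__":
    # constructed: the legitimate active router's hello for the group configured above
    hello = parse_hsrp_v1(build_hsrp_v1(0, 16, 100, 0, "34.34.115.8"))
    print(hello, audit(hello, expected_priority=100))
    # constructed: a rogue station sending a Coup with priority 255 and its own key
    rogue = parse_hsrp_v1(build_hsrp_v1(1, 4, 255, 0, "34.34.115.8", auth=b"s3cret\x00\x00"))
    print(rogue, audit(rogue, expected_priority=100))
```

Feed the UDP payload of any packet to 224.0.0.2 port 1985 into parse_hsrp_v1; a Coup or a priority above your configured active router from an unexpected source MAC is the signature of an HSRP takeover, and the plaintext "cisco" default is the reason to configure MD5 authentication.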

Auto RP Multicast Router Settings

Posted by fanie

Finding the Auto-RP multicast groups without memorizing them: once Auto-RP is running they appear in the mroute table.

sh ip mroute

Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.39), 00:04:18/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan123, Forward/Sparse-Dense, 00:03:07/00:00:00
    Loopback0, Forward/Sparse-Dense, 00:04:18/00:00:00

(*, 224.0.1.40), 00:04:20/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback0, Forward/Sparse-Dense, 00:04:20/00:00:00

224.0.1.39 rp-announce (sent by candidate RPs, "ip pim send-rp-announce")
224.0.1.40 rp-discovery (sent by the mapping agent, "ip pim send-rp-discovery")

Both groups are flooded dense-mode, which is why the interfaces above are in Sparse-Dense mode; with plain sparse mode you need "ip pim autorp listener" instead.


IP DHCP Snooping Switch Settings

Posted by fanie on Sunday, January 20, 2013

ip dhcp snooping

DHCP snooping stops rogue DHCP servers: server messages (OFFER/ACK/NAK) are accepted only from "trusted" ports, and client messages arriving on untrusted ports are checked before they are forwarded. The switch also records every lease it sees in a binding table (MAC, IP, lease, VLAN, port) that IP source guard and DAI use later.

ip dhcp snooping                        -> enable globally (VLAN and interface settings do nothing without it)
ip dhcp snooping vlan 100               -> inspect DHCP messages in VLAN 100
ip dhcp snooping trust                  -> interface command on the port facing the DHCP server (or the uplink towards it); every other port stays untrusted
ip dhcp snooping limit rate 10          -> interface command, optional; caps DHCP packets per second on an untrusted port so a host cannot flood the binding table
ip dhcp snooping information option     -> insert option 82 (relay agent information); on Cisco this is on by default as soon as snooping is enabled
ip dhcp snooping database flash:data.txt -> persist the binding table so it survives a reload
ip dhcp snooping binding abcd.abcd.abcd vlan 100 1.1.1.2 interface f0/5 expiry 5000 -> static binding (privileged EXEC command, see below)

The switch inserts option 82 but leaves giaddr at 0.0.0.0, and a router acting as DHCP relay or server drops packets that carry option 82 with giaddr 0.0.0.0 by default. Either of these fixes that :
switch
no ip dhcp snooping information option
router
ip dhcp relay information trust-all   (accept option 82 with giaddr 0.0.0.0 on all interfaces; "ip dhcp relay information trusted" does the same per interface)

Verification


switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is operational on following VLANs:   
100
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/8              yes         unlimited

switch#sh ip dhcp snooping binding vlan 100
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0A:BC:1F:41:31   10.10.10.3         56371       dhcp-snooping   100    FastEthernet0/8
Total number of bindings: 1

Adding a static DHCP snooping binding (privileged EXEC, not config mode) :
switch#ip dhcp snooping binding abcd.abcd.abcd vlan 100 10.10.10.2 interface f0/5 expiry 5000
Cat2#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0A:BC:1F:41:31   10.10.10.3         56371       dhcp-snooping   100    FastEthernet0/8
ab:cd:ab:cd:ab:cd   10.10.10.2          4995       dhcp-snooping   100    FastEthernet0/5
Total number of bindings: 2

IP source guard (interface commands on untrusted ports; the snooping binding table is the allow-list) :
ip verify source                -> drop IP packets whose source IP is not bound to this port and VLAN (stops IP spoofing)
ip verify source port-security  -> also require the source MAC to match the binding (needs option 82 when the DHCP server is not on this switch, so the switch can learn the MAC binding through the relay path)

DAI (dynamic ARP inspection) uses the same binding table for ARP; see the IP ARP Inspection note below.
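The checks listed by "show ip dhcp snooping" above (server messages on untrusted ports, hwaddr and giaddr verification, option 82 on untrusted ports) and the option 82 value the switch inserts in its default format (circuit-id = vlan-mod-port, remote-id = switch MAC), as an added example that models them in Python. This is not Cisco code; the frames, MAC addresses, port names and binding table are constructed test data.

```python
# Added example, not from the original post: a model of the checks Cisco DHCP
# snooping applies to DHCP messages on untrusted ports, plus the option 82 value the
# switch inserts. Frames, MACs, ports and bindings are constructed test data.
from dataclasses import dataclass
import struct

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_GIADDR = b"\x00\x00\x00\x00"


def parse_options(raw: bytes) -> dict:
    """Parse the DHCP options field (magic cookie followed by TLVs) into {code: value}."""
    if raw[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Option 82 value as the switch inserts it: sub-option 1 (circuit-id) carrying
    type 0 / length 4 / vlan(2) module(1) port(1); sub-option 2 (remote-id) carrying
    type 0 / length 6 / switch MAC."""
    circuit_id = b"\x00\x04" + struct.pack("!HBB", vlan, module, port)
    remote_id = b"\x00\x06" + switch_mac
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)


@dataclass
class DhcpFrame:
    ingress_port: str
    trusted: bool
    src_mac: bytes    # Ethernet source address
    chaddr: bytes     # client hardware address in the DHCP header
    giaddr: bytes     # relay agent IP in the DHCP header, 4 bytes
    options: bytes    # DHCP options field including the magic cookie


def snoop(frame: DhcpFrame, bindings: dict) -> tuple:
    """Return (action, reason). `bindings` maps client MAC -> the port that holds
    the lease, i.e. the DHCP snooping binding database."""
    opts = parse_options(frame.options)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if frame.trusted:
        return "forward", "trusted port, no checks"
    if msg_type in SERVER_MESSAGES:
        return "drop", "server message (OFFER/ACK/NAK) on untrusted port: rogue DHCP server"
    if frame.chaddr != frame.src_mac:
        return "drop", "hwaddr verification: chaddr does not match source MAC"
    if frame.giaddr != ZERO_GIADDR:
        return "drop", "giaddr verification: non-zero relay address on untrusted port"
    if OPT_RELAY_AGENT in opts:
        return "drop", "option 82 on untrusted port is not allowed"
    owner = bindings.get(frame.chaddr)
    if msg_type in (RELEASE, DECLINE) and owner is not None and owner != frame.ingress_port:
        return "drop", "RELEASE/DECLINE from a port that does not hold the binding"
    return "forward", "client message passed all checks"


def options(*tlvs: bytes) -> bytes:
    """Assemble an options field from raw TLVs (for the constructed frames below)."""
    return MAGIC_COOKIE + b"".join(tlvs) + bytes([OPT_END])


CLIENT_MAC = bytes.fromhex("000abc1f4131")
ROGUE_MAC = bytes.fromhex("deadbeef0001")
SWITCH_MAC = bytes.fromhex("001122334455")
BINDINGS = {CLIENT_MAC: "FastEthernet0/8"}          # constructed binding table
OPT82 = build_option82(100, 0, 5, SWITCH_MAC)

# constructed frames
CLIENT_DISCOVER = DhcpFrame("FastEthernet0/8", False, CLIENT_MAC, CLIENT_MAC, ZERO_GIADDR,
                            options(bytes([OPT_MSG_TYPE, 1, DISCOVER])))
ROGUE_OFFER = DhcpFrame("FastEthernet0/5", False, ROGUE_MAC, CLIENT_MAC, ZERO_GIADDR,
                        options(bytes([OPT_MSG_TYPE, 1, OFFER])))
OPT82_FROM_HOST = DhcpFrame("FastEthernet0/5", False, ROGUE_MAC, ROGUE_MAC, ZERO_GIADDR,
                            options(bytes([OPT_MSG_TYPE, 1, DISCOVER]),
                                    bytes([OPT_RELAY_AGENT, len(OPT82)]) + OPT82))
FORGED_RELEASE = DhcpFrame("FastEthernet0/5", False, CLIENT_MAC, CLIENT_MAC, ZERO_GIADDR,
                           options(bytes([OPT_MSG_TYPE, 1, RELEASE])))

if __name__ == "__main__":
    for name, f in [("client DISCOVER", CLIENT_DISCOVER), ("rogue OFFER", ROGUE_OFFER),
                    ("option 82 from host", OPT82_FROM_HOST), ("forged RELEASE", FORGED_RELEASE)]:
        print(f"{name}: {snoop(f, BINDINGS)}")
```

The order of the checks matters: a rogue server's OFFER is dropped on the message type alone, before any of the client-side verifications run, and a RELEASE forged by a neighbour for someone else's lease is caught only because the binding table remembers which port obtained it.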


Syslog Priority Router Settings

Posted by fanie on Thursday, January 17, 2013

Syslog Priority (highest to lowest):
0.  Emergency (highest)
1.  Alert
2.  Critical
3.  Error
4.  Warning
5.  Notice
6.  Informational
7.  Debug (lowest)

Quick tip to remember :
Eat Asian Cuisine Early With Ninja In Dubai


A configured logging level (for example "logging trap 6" or "logging console 6") shows that level and everything more severe, so level 6 shows messages of levels 0-6 and only 7 (debugging) is suppressed. A lower number is more severe, so a lower level setting means fewer messages.
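How a syslog collector applies the same levels, as an added example that is not part of the original post: the <PRI> prefix of a syslog line encodes facility * 8 + severity, so the severity is PRI & 7, and a level filter keeps every line whose severity number is at or below the configured level. The three log lines are constructed in Cisco style using the default facility local7 (23).

```python
# Added example, not from the original post: decode the <PRI> prefix of syslog lines
# and filter by severity the way "logging trap <level>" does. Sample lines are constructed.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]


def split_pri(line: str):
    """Return (facility, severity, rest_of_line) for a line starting with <PRI>."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("no PRI field")
    end = line.index(">")
    pri = int(line[1:end])
    return pri >> 3, pri & 7, line[end + 1:]


def filter_by_level(lines, level: int):
    """Keep lines whose severity number is <= level (0 is the most severe)."""
    return [line for line in lines if split_pri(line)[1] <= level]


# constructed Cisco-style lines; facility local7 (23) so PRI = 184 + severity
SAMPLE = [
    "<187>12: *Jan 17 10:00:01: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<189>13: *Jan 17 10:00:02: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.10.3)",
    "<190>14: *Jan 17 10:00:03: %SYS-6-LOGOUT: User admin has exited tty session 1(10.10.10.3)",
]

if __name__ == "__main__":
    for line in filter_by_level(SAMPLE, 5):   # same effect as "logging trap 5"
        facility, severity, rest = split_pri(line)
        print(f"local{facility - 16} {SEVERITIES[severity]}:{rest}")
```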


OSPF State

Posted by fanie on Saturday, January 12, 2013


On a broadcast segment a non-DR/non-BDR router (DROther) shows FULL/DR and FULL/BDR for the DR and BDR and stays at 2WAY/DROTHER with the other DROthers: full adjacencies, and therefore LSA flooding, are only formed with the DR and BDR, which reduces the number of adjacencies on the segment. 2WAY/DROTHER is normal, not a stuck neighbour.


AAA Authentication Router Settings

Posted by fanie

aaa authentication login default local
aaa authentication login default local-case

(both need "aaa new-model" first, and only one of the two can be the default method list)

local: usernames are matched case-insensitively (passwords are always case sensitive)
local-case: usernames are matched case-sensitively

Routing and Forwarding Information Base Definition

Posted by fanie on Friday, January 11, 2013

CEF (Cisco Express Forwarding) builds the Forwarding Information Base (FIB) from the routing table, plus an adjacency table from ARP/layer 2 information. CEF offers the following benefit :
  • Better performance than fast switching and less CPU for the same work, because every packet is switched from the precomputed FIB instead of being process-switched or cache-switched

Enabling ip cef

Router(config)#ip cef

Verifying ip cef :

Router#show ip cef

%CEF not running

(that is the output while CEF is disabled; with CEF enabled the FIB is listed :)

Router# show ip cef
 Prefix              Next Hop             Interface
 0.0.0.0/0           192.168.4.5          FastEthernet0/0
 192.168.0.0/24      195.168.11.1         Serial0/0

RIB, FIB, LIB, and LFIB definitions

RIB (Routing Information Base) -> control plane, built by the routing protocols
sh ip route

FIB (Forwarding Information Base) -> data plane, derived from the RIB
sh ip cef

LIB (Label Information Base) -> control plane, every label learned through LDP, whether used or not
sh mpls ldp bindings

LFIB (Label Forwarding Information Base) -> data plane, the labels actually used to forward labeled packets in MPLS
sh mpls forwarding-table


The FIB is derived from the RIB and is what forwards packets; the LFIB is derived from the LIB (and the FIB) and is what forwards labeled packets in MPLS.

Data Plane and Control Plane

Data plane / forwarding plane is where transit traffic is forwarded. The traffic flows through the
router and not to the router.

The control plane builds the tables the data plane forwards with. Protocols such as STP, EIGRP, OSPF and LDP live there; management sessions to the router (telnet, SSH) are likewise handled by the CPU rather than by the forwarding path.
 
 

Filter Trafic Within Vlan Switch

Posted by fanie

The best way is a VLAN access-map (VACL): it filters traffic bridged inside the VLAN, which a router ACL never sees.

We want to block ping (ICMP) between R1 and R2, both in VLAN 25 on SW1 :

SW1
ip access-list extended ICMP
 permit icmp any any

vlan access-map block-icmp 10
 match ip address ICMP
 action drop
vlan access-map block-icmp 20
 action forward

Then apply the map to VLAN 25 :

vlan filter block-icmp vlan-list 25

Note that "permit" in the ACL only selects the traffic that sequence 10 matches; the drop comes from "action drop". Sequence 20 with no match clause forwards everything else; without it the map ends with an implicit drop for all other traffic in the VLAN.

Unicast And Multicast Packet RIP

Posted by fanie

router rip
 neighbor 1.1.1.2

With only "neighbor", the router sends unicast updates to 1.1.1.2 and still sends multicast (v2) or broadcast (v1) updates out of the interface. To send only the unicast updates, make the interface passive as well :

 passive-interface fa0/0

(A passive interface under RIP still receives and processes updates; it only stops sending them, except to configured neighbors.)

Useful debug command :

Router#debug ip rip

version 1 sends updates as broadcast to 255.255.255.255
version 2 sends updates as multicast to 224.0.0.9

Verification :

sh ip protocols

Port Channel Load Balance Switch Settings

Posted by fanie on Sunday, January 6, 2013

Port-channel load balancing ("port-channel load-balance <method>") hashes one or more header fields of each frame to pick a member link, so one flow always uses the same link. The methods :

  1. dst-ip (layer 3)
    • many sources -> same destination IP (all go through the same link)
  2. dst-mac (layer 2)
    • many sources -> same destination MAC (all go through the same link)
  3. dst-port (layer 4)
    • many sources -> same destination port (all go through the same link)
  4. src-dst-ip
    • A src - C dst (link 1), B src - C dst (link 2), D src - F dst (link 3)
  5. src-dst-mac
    • A src - C dst (link 1), B src - C dst (link 2), D src - F dst (link 3)
  6. src-dst-port
    • A src - C tcp 25 (link 1), B src - C tcp 80 (link 2), D src - F ftp (link 3)

Pick the method that actually varies across your traffic: with dst-ip every host talking to one server lands on one link, so a server-facing channel should use src-dst-ip or src-dst-port. Verify with "show etherchannel load-balance".

Switchport nonegotiate Switch Settings

Posted by fanie

Switchport nonegotiate characteristics :
  • Disables DTP (Dynamic Trunking Protocol) on the port
  • No automatic trunk formation; the port is whatever "switchport mode" says (the default DTP mode is platform dependent: dynamic desirable on older Catalysts such as the 2950/3550, dynamic auto on the 2960/3560)
  • Stops the DTP frames that are otherwise sent every 30 seconds
  • Needs a static mode first: "switchport mode trunk" (or "switchport mode access") and then "switchport nonegotiate"; the command is rejected on a dynamic port
 Desirable mode forms a trunk automatically as long as the VTP domain matches (or one side has none), which is why user-facing ports should be "switchport mode access" plus "switchport nonegotiate" so a host cannot negotiate a trunk to itself.



Vlan dot1q Tag untag Native Switch Settings

Posted by fanie

Brief tutorial on VLAN tagging behaviour in different conditions :

access (vlan 10) - access (vlan 10)
Frames are forwarded in the same VLAN, untagged.

access (vlan 10) - trunk (tag vlan 10)
Frames leave the trunk with an 802.1Q tag for VLAN 10 (VLAN 10 is not the trunk's native VLAN).

access (vlan 10) - trunk native (vlan 10)
Frames leave the trunk untagged, because VLAN 10 is the trunk's native VLAN and the native VLAN is sent untagged.

vlan dot1q tag native
Global command that makes the switch tag native VLAN frames on all trunks too; untagged frames received on a trunk are then dropped instead of being placed in the native VLAN.

(access vlan 10) SW1 (access vlan 10 ) ~ (vlan 10 access) SW2 (trunk tag vlan 10) ~ (trunk tag vlan 10) SW3 (access vlan 10) ~ (access vlan 10) SW4 (access vlan 10)

The frame crosses the SW2-SW3 trunk tagged with VLAN ID 10; SW3 strips the tag and delivers it into access VLAN 10.

(access vlan 10) SW1 (access vlan 10 ) ~ (vlan 10 access) SW2 (trunk native vlan 10) ~ (trunk native vlan 10) SW3 (access vlan 10) ~ (access vlan 10) SW4 (access vlan 10)

The frame crosses the trunk untagged; SW3 assigns untagged frames to its native VLAN, 10, so it still arrives in the right VLAN. If the native VLANs on the two ends do not match, untagged frames land in the wrong VLAN on the far side.

Same topology with "vlan dot1q tag native" on SW2 and SW3 :

Now the native VLAN 10 frame is also sent with tag 10; SW3 strips the tag and delivers it to access VLAN 10. Tagging the native VLAN removes the dependency on both ends agreeing on the native VLAN ID.
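The tag itself and the trunk rules described above, as an added example that is not part of the original post: an 802.1Q tag is a 16-bit TPID (0x8100) followed by a 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID) inserted between the source MAC and the EtherType; native VLAN frames leave untagged unless "vlan dot1q tag native" is set, and untagged frames arriving on a trunk are placed in that trunk's native VLAN. The Ethernet frame and MAC addresses are constructed.

```python
# Added example, not from the original post: build/strip an 802.1Q tag and apply the
# native VLAN egress/ingress rules with and without "vlan dot1q tag native".
# The frame and MAC addresses below are constructed.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def add_dot1q(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert TPID + TCI between the MAC addresses and the EtherType."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vlan            # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_dot1q(frame: bytes):
    """Return (vlan, untagged_frame); vlan is None when the frame carries no 802.1Q tag."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool = False) -> bytes:
    """Native VLAN frames leave untagged unless vlan dot1q tag native is configured."""
    if vlan == native_vlan and not tag_native:
        return frame
    return add_dot1q(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int, tag_native: bool = False):
    """Return (vlan, untagged_frame); (None, None) means the trunk drops the frame."""
    vlan, inner = strip_dot1q(frame)
    if vlan is None:
        if tag_native:
            return None, None            # untagged frames dropped when native tagging is enforced
        return native_vlan, inner        # untagged frames belong to the native VLAN
    return vlan, inner


def cross_trunk(frame: bytes, vlan: int, native_a: int, native_b: int, tag_native: bool = False):
    """Send a VLAN `vlan` frame from switch A (native_a) over a trunk to switch B
    (native_b) and return the VLAN it lands in on B (None if dropped)."""
    on_wire = trunk_egress(frame, vlan, native_a, tag_native)
    return trunk_ingress(on_wire, native_b, tag_native)[0]


# constructed untagged frame: dst MAC, src MAC, EtherType, payload
FRAME = (bytes.fromhex("000abc1f4131") + bytes.fromhex("0019f5d54256")
         + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed payload")

if __name__ == "__main__":
    print("tagged VLAN 10 header:", add_dot1q(FRAME, 10)[12:16].hex())
    print("native 10 -> native 10:", cross_trunk(FRAME, 10, 10, 10))
    print("native 10 -> native 20:", cross_trunk(FRAME, 10, 10, 20))
    print("native 10 -> native 20, tag native:", cross_trunk(FRAME, 10, 10, 20, tag_native=True))
```

The native VLAN mismatch case is the one to watch: a frame sent untagged as VLAN 10 on one end is accepted into whatever the other end calls native, and only tagging the native VLAN (or matching it on both ends) keeps frames in the VLAN they started in.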



Spanning-tree Interoperability Switch Settings

Posted by fanie on Saturday, January 5, 2013

Spanning tree is used to avoid loops in a layer 2 switched network.

Common (802.1D) spanning tree characteristics :
  • Long convergence time (up to 50 seconds before a port forwards)
  • Blocking (20 seconds -> max-age, waiting for BPDUs to stop arriving)
  • Listening (15 seconds -> forward delay, electing root and port roles)
  • Learning (15 seconds -> forward delay, building the MAC table)
  • Forwarding -> passing traffic
  • Disabled
Spanning tree timers :
  • Blocking -> Listening 20 seconds (max age)
  • Listening -> Learning 15 seconds (forward delay)
  • Learning -> Forwarding 15 seconds (forward delay)

For an immediate forwarding state on ports that connect to a workstation/PC, use spanning-tree portfast.

Spanning tree portfast characteristics :
  • Only for ports connecting to end hosts, not to switches, or a loop can form
  • Skips listening and learning, so the port forwards as soon as it comes up
  • No TCN (topology change notification) when the port flaps, so MAC tables elsewhere are not flushed

If you connect a switch to a portfast port there is a window for a loop: STP still runs on the port and will block it once BPDUs are exchanged, but until then the port forwards and a broadcast storm can overwhelm the network. Pair portfast with BPDU guard ("spanning-tree bpduguard enable" on the port, or "spanning-tree portfast bpduguard default" globally) so the port is err-disabled the moment a BPDU arrives.

Common spanning-tree result :

W1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0019.f5d5.4256
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0019.f5d5.4256
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Fa0/1               Desg FWD 19        128.3    P2p 


Interface config (per access port)

interface fa0/0
 shutdown

interface fa0/0
 spanning-tree portfast

interface fa0/0
 no shutdown
 
SW1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0019.f5d5.4256
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0019.f5d5.4256
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ---------------------------
Fa0/1               Desg FWD 19        128.3    P2p Edge 
 

The Type column now shows Edge. The port goes straight to forwarding without passing through the listening and learning states.


Configuring Spanning Tree for all access ports (GLOBAL)

Global Config
spanning-tree portfast default

SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          1          1

Spanning-tree Portfast & Spanning-tree Portfast Trunk Difference

Access port
spanning-tree portfast and spanning-tree portfast trunk both make the port PortFast-enabled (an edge port). The port goes to forwarding as soon as it comes up.

Trunk port
spanning-tree portfast has no effect on a trunk port. To bring a trunk straight to forwarding, use spanning-tree portfast trunk. Never use it on a link to another switch: the port forwards before STP has had a chance to detect a loop. It is only suitable for links to layer 3 devices, for example a router-on-a-stick with 802.1Q subinterfaces, or a server that tags VLANs itself.


Spanning-tree Rapid (802.1w) RSTP

Forward delay is not used for the transition on point-to-point links; RSTP uses a proposal/agreement handshake (the sync process) instead.
Faster failure detection: a neighbour is declared lost after three missed hellos in a row (3 x 2 s = 6 s) instead of waiting for max age (20 s).

RSTP bridge port roles:
  1. Root port – the port with the lowest path cost to the root bridge (forwarding)
  2. Designated port – the forwarding port on each segment
  3. Alternate port – the best alternate path to the root bridge (discarding; takes over if the root port fails)
  4. Backup port – a second port of the same switch on one shared segment (hub); backs up the designated port and forwards if it fails
  5. Disabled port

Spanning-tree States :

  1. Discarding
  2. Learning
  3. Forwarding

Spanning-tree Compatibility
RSTP - STP: the RSTP switch falls back to 802.1D behaviour and timers on the port where it hears legacy BPDUs
Rapid PVST+ - RSTP: VLAN 1 interoperates with the single-instance 802.1w switch; the other per-VLAN instances are tunneled through it in Cisco SSTP BPDUs without the RSTP switch taking part
MSTP - RSTP, Rapid PVST+, PVST+: interoperate through MST instance 0 (the IST), which is the common spanning tree (CST) outside the region

RSTP, Rapid PVST+ and PVST+ see an MST region as a single switch.

MSTP - pre-standard MSTP (Cisco's implementation from before 802.1s was ratified): set "spanning-tree mst pre-standard" on the standard MST switch's port facing the pre-standard switch


Table 17-2 PVST+, MSTP, and Rapid-PVST+ Interoperability

              PVST+                     MSTP                      Rapid PVST+
PVST+         Yes                       Yes (with restrictions)   Yes (reverts to PVST+)
MSTP          Yes (with restrictions)   Yes                       Yes (reverts to PVST+)
Rapid PVST+   Yes (reverts to PVST+)    Yes (reverts to PVST+)    Yes

MST instance 0 is the IST inside the region and is presented as the CST outside it.

At an MST-to-PVST+ boundary the switch replicates the IST BPDU into one PVST+ BPDU per VLAN, so the PVST+ neighbour sees what looks like another PVST+ switch.

IP ARP Inspection Switch Settings

Posted by fanie

IP ARP inspection (dynamic ARP inspection, DAI) validates the IP-to-MAC binding of every ARP packet that enters an untrusted port before the switch and the hosts update their ARP caches. It stops ARP-spoofing man-in-the-middle attacks, where an attacker answers ARP requests (or sends gratuitous replies) mapping the gateway's IP to the attacker's MAC. The reference is the DHCP snooping binding database, plus static "arp access-list" entries for hosts with fixed addresses. Trusted ports (uplinks to other switches) forward ARP without checks; on untrusted ports (hosts) every ARP packet is checked and invalid ones are dropped.

Characteristics of ip arp inspection :
Validates the IP-to-MAC binding before the local ARP cache is updated
Intercepts ARP on untrusted ports only; trusted ports ("ip arp inspection trust") are not inspected
Drops invalid ARP packets and rate-limits ARP per untrusted port (default 15 pps, then err-disable)
Configured per VLAN
Optional extra checks: "ip arp inspection validate src-mac dst-mac ip" (shown Disabled in the output below)

Example :

SW1(config)#ip arp inspection vlan 11
SW1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   11     Enabled          Active

Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   11     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   11              0              0              0              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   11              0              0              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   11                   0                        0                       0
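The decisions behind the counters in that output, as an added example that is not part of the original post: parse the "show ip dhcp snooping binding" text from the DHCP snooping note above into a binding table, run ARP packets through the DAI checks (src-mac, dst-mac and ip validation, then the binding lookup) and also apply the IP source guard rule from the same note ("ip verify source" matches IP, "ip verify source port-security" matches IP and MAC). This is a model, not Cisco code; the binding text is copied from the post, the ARP packets, gateway address and attacker MAC are constructed.

```python
# Added example, not from the original post: DAI and IP Source Guard decisions against
# the DHCP snooping binding table. Binding text is from the post; packets are constructed.
from dataclasses import dataclass
import ipaddress
import re

SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0A:BC:1F:41:31   10.10.10.3         56371       dhcp-snooping   100    FastEthernet0/8
ab:cd:ab:cd:ab:cd   10.10.10.2          4995       dhcp-snooping   100    FastEthernet0/5
Total number of bindings: 2
"""

BINDING_RE = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)", re.I)


def parse_bindings(text: str) -> dict:
    """{(vlan, mac): (ip, interface)} from show ip dhcp snooping binding output."""
    db = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            mac, ip, vlan, intf = m.groups()
            db[(int(vlan), mac.lower())] = (ip, intf)
    return db


@dataclass
class ArpPacket:
    ingress: str
    vlan: int
    trusted: bool
    eth_src: str
    eth_dst: str
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(ip: str) -> bool:
    """The addresses the 'ip' validation rejects."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def arp_inspect(pkt: ArpPacket, db: dict, validate=("src-mac", "dst-mac", "ip")) -> tuple:
    """Return (verdict, counter) where counter names the show ip arp inspection column."""
    if pkt.trusted:
        return "permit", "trusted"
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "Source MAC Failures"
    if "dst-mac" in validate and pkt.opcode == 2 and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop", "Dest MAC Failures"
    if "ip" in validate and (_bad_ip(pkt.sender_ip) or (pkt.opcode == 2 and _bad_ip(pkt.target_ip))):
        return "drop", "IP Validation Failures"
    bound = db.get((pkt.vlan, pkt.sender_mac.lower()))   # binding is per MAC/IP/VLAN
    if bound is None or bound[0] != pkt.sender_ip:
        return "drop", "DHCP Drops"
    return "permit", "DHCP Permits"


def ip_source_guard(ingress: str, vlan: int, src_mac: str, src_ip: str, db: dict,
                    port_security: bool = False) -> bool:
    """ip verify source checks the source IP against this port's bindings;
    ip verify source port-security also requires the source MAC to match."""
    for (v, mac), (ip, intf) in db.items():
        if v == vlan and intf == ingress and ip == src_ip:
            if not port_security or mac == src_mac.lower():
                return True
    return False


DB = parse_bindings(SHOW_BINDING)
GATEWAY_IP = "10.10.10.1"                      # constructed
VICTIM_MAC, ATTACKER_MAC = "00:0a:bc:1f:41:31", "ab:cd:ab:cd:ab:cd"

# constructed: host on Fa0/8 asks for the gateway (legitimate request)
LEGIT = ArpPacket("FastEthernet0/8", 100, False, VICTIM_MAC, "ff:ff:ff:ff:ff:ff", 1,
                  VICTIM_MAC, "10.10.10.3", "00:00:00:00:00:00", GATEWAY_IP)
# constructed: attacker on Fa0/5 replies claiming the gateway IP (ARP poisoning)
SPOOF = ArpPacket("FastEthernet0/5", 100, False, ATTACKER_MAC, VICTIM_MAC, 2,
                  ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "10.10.10.3")

if __name__ == "__main__":
    print("legit:", arp_inspect(LEGIT, DB))
    print("spoof:", arp_inspect(SPOOF, DB))
    print("IPSG attacker using 10.10.10.3:", ip_source_guard("FastEthernet0/5", 100, ATTACKER_MAC, "10.10.10.3", DB))
```

The poisoned reply is well-formed (its Ethernet and ARP addresses agree, its IPs are valid), so only the binding lookup catches it: the attacker's MAC is bound to 10.10.10.2, not to the gateway address it claims. Hosts with static addresses have no binding and would be dropped the same way, which is what the ARP ACL option is for.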



IP DHCP Snooping Switch Settings

Posted by fanie

The ip dhcp snooping command makes the switch inspect DHCP messages from untrusted ports and accept server replies only on the trusted port towards the DHCP server. It is enabled per VLAN :

ip dhcp snooping vlan 17

With that, DHCP messages in the VLAN are inspected and the leases seen are recorded in the snooping binding database, which is what later validates clients (IP source guard, DAI).

verification :

show ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------

Note the difference between "configured" and "operational": here VLAN 10 is configured but not operational (snooping only runs in VLANs that exist and are active on the switch), and no interface is trusted yet, so even a legitimate DHCP server's OFFERs would be dropped until its port gets "ip dhcp snooping trust".


Switch Root Guard Advantages

Posted by fanie

Root guard is a very useful spanning-tree protection. It is set on designated ports, the ports facing parts of the network where the root bridge must never appear (access ports and links towards access-layer or customer switches), never on the root port or the uplinks towards the real root.

Advantages and characteristics of using root guard :
Prevents a switch behind that port from becoming root: the port is kept as a designated port and is never allowed to become a root port
When a superior BPDU (a better root bridge ID) arrives, the port moves to the root-inconsistent state (listening, no traffic) and is listed by "show spanning-tree inconsistentports"
Recovers automatically once the superior BPDUs stop (after max age); no manual intervention is needed


Command :
int fa0/0
spanning-tree guard root
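What "superior BPDU" means and how root guard reacts to one, as an added example that is not part of this or the spanning-tree interoperability post above: BPDUs are compared the way 802.1D/802.1w do it (lowest root bridge ID wins, then root path cost, then sender bridge ID, then port ID), and a root-guarded designated port that hears a BPDU better than its current root goes root-inconsistent, recovering once no superior BPDU has been heard for max age. The bridge ID uses the priority and MAC from the show spanning-tree output above; the rogue bridge, the timing and the port names are constructed.

```python
# Added example, not from the original post: 802.1D BPDU comparison and a root guard
# state machine. Root bridge ID taken from the post's show output; rogue is constructed.
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int     # priority + sys-id-ext, e.g. 24576 + VLAN 1 = 24577
    mac: str          # dotted hex as IOS prints it; same format sorts correctly as text


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    port_id: int

    def key(self):
        """Lower tuple wins: root ID, then cost to root, then sender ID, then port ID."""
        return (self.root, self.root_path_cost, self.sender, self.port_id)


def is_superior(candidate: Bpdu, current: Bpdu) -> bool:
    return candidate.key() < current.key()


class RootGuardPort:
    """A designated port with 'spanning-tree guard root' applied."""
    MAX_AGE = 20   # seconds, the default max age from the show output

    def __init__(self, name: str, root_bpdu: Bpdu):
        self.name = name
        self.root_bpdu = root_bpdu          # best BPDU this switch currently knows
        self.state = "forwarding"
        self.inconsistent_since = None

    def receive(self, bpdu: Bpdu, now: float) -> str:
        """A superior BPDU would make this port a root port; root guard refuses."""
        if is_superior(bpdu, self.root_bpdu):
            self.state = "root-inconsistent"
            self.inconsistent_since = now   # refreshed on every superior BPDU
        return self.state

    def tick(self, now: float) -> str:
        """Automatic recovery once the superior BPDUs have stopped for max age."""
        if (self.state == "root-inconsistent"
                and now - self.inconsistent_since >= self.MAX_AGE):
            self.state = "forwarding"
            self.inconsistent_since = None
        return self.state


ROOT = BridgeId(24577, "0019.f5d5.4256")          # from the show spanning-tree output
ROOT_BPDU = Bpdu(ROOT, 0, ROOT, 0x8003)           # the root's own BPDU (cost 0)
ROGUE = BridgeId(1, "0000.0000.0001")             # constructed: priority 0 + VLAN 1

if __name__ == "__main__":
    port = RootGuardPort("Fa0/1", ROOT_BPDU)
    print("rogue BPDU at t=0:", port.receive(Bpdu(ROGUE, 0, ROGUE, 0x8001), now=0))
    print("t=10:", port.tick(now=10))
    print("t=20:", port.tick(now=20))
```

Note that priority is compared before the MAC address, so a rogue with priority 0 beats the configured root regardless of MAC; root guard is what keeps that rogue from winning the election, and the port recovers on its own once it stops talking.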