Saturday, October 31, 2009

Security Services

Went through sdm one-touch lockdown, and scanned with nmap. Also used cli's autosecure mechanism. Both actually work pretty nicely. Then did a brief "Services" lab where the portfolio had me disable services globally, and on an interface. Here is the code:


Router(config)#no ip finger
Router(config)#no service udp-small-servers
Router(config)#no service tcp-small-servers
Router(config)#service tcp-keepalives-in
Router(config)#service tcp-keepalives-out
Router(config)#no cdp run
Router(config)#no service pad
Router(config)#no ip bootp server
Router(config)#no ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 07:06:02.235: %SSH-5-ENABLED: SSH 1.99 has been enabled

Router(config)#no ip source-route
Router(config)#no ip gratuitous-arps
Router(config)#int fa0/0
Router(config-if)#no ip redirects
Router(config-if)#no ip proxy-arp
Router(config-if)#no ip unreachables
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip mask-reply
Router(config-if)#no mop enabled


Read about what each of these items was in the book. Hopefully I can use this page as notes later to quiz myself. LAB 5-3 ISCW portfolio
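As an added example (not part of the original post), here is a small Python audit that checks an IOS running-config for the same lockdown settings typed above, so the list can double as a self-check later. It assumes the config was captured with the defaults printed (for example from `show running-config all`); the sample config text is constructed and the interface names in it are illustrative.

```python
"""Audit an IOS running-config against the service-lockdown checklist above.

Added example, not from the original post. The config text is constructed;
the checklist mirrors the commands typed on the router. A real audit should
use 'show running-config all' so that default settings are also printed,
otherwise an absent line may simply be a default that is not displayed."""

# Global settings the lockdown turned on or off (exact lines expected in config)
GLOBAL_REQUIRED = [
    "no ip finger",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no cdp run",
    "no service pad",
    "no ip bootp server",
    "no ip http server",
    "ip http secure-server",
    "no ip source-route",
    "no ip gratuitous-arps",
]

# Per-interface settings expected under every interface that carries an IP address
INTERFACE_REQUIRED = [
    "no ip redirects",
    "no ip proxy-arp",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip mask-reply",
    "no mop enabled",
]


def parse_config(text):
    """Split a config into global lines and {interface name: [indented lines]}."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' separators end an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {'global': [missing cmds], 'interfaces': {name: [missing cmds]}}."""
    global_lines, interfaces = parse_config(text)
    missing_global = [cmd for cmd in GLOBAL_REQUIRED if cmd not in global_lines]
    missing_if = {}
    for name, lines in interfaces.items():
        # Interfaces without an IP address (shut down, L2) are out of scope
        if not any(l.startswith("ip address ") for l in lines):
            continue
        gaps = [cmd for cmd in INTERFACE_REQUIRED if cmd not in lines]
        if gaps:
            missing_if[name] = gaps
    return {"global": missing_global, "interfaces": missing_if}


# Constructed sample: 'no cdp run' is missing globally, Fa0/1 is only half done
SAMPLE_CONFIG = """\
hostname Router
no ip finger
no service udp-small-servers
no service tcp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no ip bootp server
no ip http server
ip http secure-server
no ip source-route
no ip gratuitous-arps
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet1/0
 no ip address
 shutdown
!
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Running it on the sample reports `no cdp run` missing globally and four interface commands missing on FastEthernet0/1, while the shut-down interface is skipped.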

Friday, October 30, 2009

IPSEC VTI (virtual tunnel interface)



So imagine R2 in the middle there is the ISP, and the two bottom routers...we will call them R1 and R2 are the customer.  They both have an internet connection, but they also have a leased line in between them for internal communications.  Basically this IPSEC VTI we are going to use, is an encrypted tunnel over the internet that is used ONLY IF the leased line is down for some reason.  It is a brilliant idea really, and worked quite flawlessly.  Basically just set up a regular isakmp and ipsec profiles/transform-sets.  I then, instead of creating a crypto map, created a crypto profile, and then a modified tunnel interface config.  It went something like this:


R1(config)#crypto ipsec profile myprofile
R1(ipsec-profile)#set transform-set mytrans

R1(config)#int tunnel 0
R1(config-if)#ip address 172.16.113.1 255.255.255.0
R1(config-if)#tunnel source serial 0/0
R1(config-if)#tunnel destination 192.168.23.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile myprofile


So, the preferred path to the loopback off of R3 learned via eigrp, was over the leased line (obviously because of the lower bandwidth and delay value for the ethernet connection).  But when the ethernet interface was severed, eigrp recalculated and inserted the feasible successor into the routing table with the path over the encrypted tunnel.  Brilliant!

Wednesday, October 28, 2009

Securing MGMT Protocols, IPS, Cisco Firewall

Got to be honest, didn't take real good notes here.  I have seen this stuff before, and basically just played along on my home router while watching the videos.  I REALLY need to get caught up on my reading.  I have been slacking on that the past couple of days.  I may hash out some labs to do tomorrow night, and try to read some during the day tomorrow at work.  We will see.  I did learn that there can be in-band and out-of-band management networks.  Out-of-band is completely segregated from the production network.  I personally work in an in-band mgmt network.  It is integrated into our day to day production network.  The differences between the two were pretty interesting, and Jeremy even spoke of putting the different servers into private vlan to segregate them even within their parent vlan.  We spoke about ssh, and how to enable it requires a host and domain name.  You can specify timeout and authentication parameters by saying:
ip ssh timeout [#] //idle logon timeout value
ip ssh authentication-retries [#] //specifies how many times a person can attempt continuous logons

LOGGING
logging buffered [level]
logging [ip]
logging trap [level]
logging origin-id hostname \\specifies a hostname instead of ip address
logging facility [type] \\specifies another virtual log table for organizational efforts

SNMP
snmp-server community [word] [ro/rw] [acl]
snmp-server engineID [word]
snmp-server group [word] v3 [authentication]
snmp-server user [word] [group] v3 ...

NTP
ntp server [ip]
show ntp association
ntp master [stratum number]
ntp authentication-key [#] [word]
ntp peer [ip] key [#]
ntp trusted-key [#]

IP INSPECT
show ip inspect sessions
ip inspect [word] [rule] [option]
(config-if)ip inspect [word] in/out

IPS
Actions of IPS
  1. alarm
  2. drop
  3. reset
Configuring
  1. Download/install sdf file
  2. create ips rule
  3. adjust ips settings
  4. apply to interface
  5. configure logging (SDEE, security device event exchange)
(no) ip ips sdf builtin
ip ips sdf location flash://[file]
ip ips name [word] [acl]
ip ips signature [#]
(config-if)ip ips [name] in/out
ip ips notify [log, sdee]


Sorry so brief.....need the post for notes!

Monday, October 26, 2009

Random Security Measures

security password min-length [0-16] \\sets a minimum password length for all future passwords
no service password-recovery \\very dangerous...you cant recover passwords or ios's after this point
security authentication failure rate [#] log \\locks user out for x seconds if failed login x times
login block-for [seconds] attempts [#] within [seconds] \\blocks a user for x seconds after x attempts within x seconds...
login quiet-mode access-class [name] \\if login is blocked...this sets an acl that still allows groups of users access
login delay [#] \\sets a delay after a failed login
login on-failure log \\logs login failures after # attempts
show login
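As an added example (not from the original post), the following Python model walks through what `login block-for [seconds] attempts [#] within [seconds]` and `login quiet-mode access-class` do together, using constructed timestamps and source addresses. It assumes the simple rule stated in the notes: a burst of failures within the window triggers quiet mode, during which only sources permitted by the quiet-mode access-class may log in.

```python
"""Model IOS login quiet mode as described by the 'login block-for' note above.

Added example, not from the original post. Rule implemented: after <attempts>
failed logins within <within> seconds the device enters quiet mode for
<block_for> seconds; while quiet, logins are refused unless the source is
permitted by the quiet-mode access-class. Every decision is appended to a
log list, in the spirit of 'login on-failure log'. Times are plain seconds."""


class LoginGuard:
    def __init__(self, block_for, attempts, within, quiet_mode_allow=()):
        self.block_for = block_for                     # login block-for <seconds> ...
        self.attempts = attempts                       # ... attempts <#> ...
        self.within = within                           # ... within <seconds>
        self.quiet_mode_allow = set(quiet_mode_allow)  # login quiet-mode access-class (as a set of IPs)
        self.failures = []                             # timestamps of failures inside the window
        self.quiet_until = None                        # time at which quiet mode ends
        self.log = []                                  # constructed log records

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, source, success):
        """Return 'ok', 'fail' or 'blocked' for a login attempt at time `now`."""
        if self.in_quiet_mode(now) and source not in self.quiet_mode_allow:
            self.log.append(f"{now}: {source} refused, quiet mode until {self.quiet_until}")
            return "blocked"
        if success:
            return "ok"
        # Slide the window: keep only failures within the last <within> seconds
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        self.log.append(f"{now}: login failed from {source}")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            self.log.append(f"{now}: entering quiet mode until {self.quiet_until}")
        return "fail"


def demo():
    """login block-for 120 attempts 3 within 60, management host always allowed."""
    guard = LoginGuard(block_for=120, attempts=3, within=60, quiet_mode_allow={"10.1.1.1"})
    events = [
        (0, "10.9.9.9", False),    # three failures inside 60 s ...
        (10, "10.9.9.9", False),
        (20, "10.9.9.9", False),   # ... quiet mode starts here, until t=140
        (30, "10.9.9.9", True),    # correct password, still refused
        (30, "10.1.1.1", True),    # management host permitted by the access-class
        (141, "10.9.9.9", True),   # quiet mode over, login works again
    ]
    return [guard.attempt(t, src, ok) for t, src, ok in events], guard.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print("\n".join(log))
```

Failures spread out beyond the window do not count together: three failures at 0, 10 and 100 seconds never trigger quiet mode with `within 60`, which is the point of the sliding window.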

motd options ( $(line)  $(domain)   $(hostname) )

ENABLING VIEWS
aaa new-model \\enable aaa
enable view (enter secret password at prompt)
parser view [name]
secret [password]
(configure options)

secure boot-image \\locks ios image
secure boot-config \\locks config file
no secure [option] \\requires console access

reload in [minutes]  \\good if entering say access lists on a remote router
reload cancel

ACL TYPES
standard
extended
dynamic
established
time-based
context based

cool command of the day
ip access-list resequence [name/num] [start num] [variance]

time-range [name]
absolute/periodic

Sunday, October 25, 2009

P2P IPSEC CLI Config & Automatic Device Lockdown Methods

Did the point to point ipsec cli config tonight.  I covered it in another post, but had some trouble tonight right off of the bat.  I think it was because I manually deleted yesterday's config instead of wiping my routers clean.  Something must have messed up today's config...but I wr erased, reloaded, and re-config'd and all was well in the world of ipsec tunnels.

I also watched the nuggets regarding cisco's auto secure, sdm one-touch, and step-by-step security audits.  Now, I had known about the sdm's functionality, but the auto secure is pretty neat as well.  Basically just type:
# auto secure
and follow the prompts.  Pretty good stuff!

Saturday, October 24, 2009

GRE Tunnel....Experimenting with different routing instances






This was my diagram.  I started by assigning ip addresses to all links, and loopbacks on the spoke routers.  I ran eigrp as 1 over all the connected links, and did not advertise the loopbacks.  Then configured the GRE tunnels as follows (I give you one...the other is a mirror):

int tunnel 0
tunnel source serial 0/0
tunnel destination 192.168.23.3
ip address 172.16.13.1 255.255.255.0

After configuring the other side I tested with pings to the other tunnel interface....success.

Then I configured eigrp as 2, and advertised those loopbacks, and the tunnel interfaces (which happened to all be covered by the network statement 172.16.0.0).  A show ip eigrp neighbors 2 confirmed the adjacency, and a show ip route eigrp 2 confirmed the updated routes.  I can see how this could be useful over a public link, and especially encrypted within an IPSEC tunnel.

I also did the P2P IPSEC SDM config tonight.  Not as much fun as the CLI....not at all.  But the SPAN setup was cool, and capturing...actually seeing the encrypted data was really neat.

Friday, October 23, 2009

Cisco's EasyVPN Server SDM Setup & KISS

Went through the cert guide's chapter on easy vpn server setup, and IPSEC failover.  Probably need to read the IPSEC failover chapter again, but I got the gist of it.  The easy vpn server stuff in the book was VERY vague, but the nuggets covered it well, and I worked along with my local router and SDM.  Split tunneling was a misunderstood issue for me, but now it makes sense.  Basically allowing a user to split the tunnel; the admin can say WHAT is secured through the tunnel, and what is still accessed via the user's local LAN.  Cool feature that can be supported via ACL's.

Then KISS, or keeping it simply secure....ha Here are the common security vulnerabilities described in the nugs...
  1. Physical
  2. Environmental/Maintenance
  3. Reconnaissance (sniffers, sweepers, scanners)
  4. Access attacks
  5. DOS
  6. Viruses/Worms/Trojans
  7. Management protocol attacks (telnet, ssh, syslog, snmp, tftp, ntp, etc..)
He discussed both the attacks, and mitigation techniques.  I should be able to remember these...we will see!

Thursday, October 22, 2009

IPSEC, SDM, GRE over IPSEC...or vice-versa!

So I actually read about 2 more chapters in the Official Exam Cert Guide today, and watched two nuggets.  I reinforced what I learned last night about IPSEC tunnel CLI configuration on GNS3 at work today.  I actually configured everything from memory, and got it correct the first time!  Again the order is:
  1. Configure ISAKMP SA (P1)
  2. Configure IPSEC SA (P2)
  3. Define interesting traffic via extended ACL
  4. Configure Crypto map
  5. Bind crypto map to interface
  6. (Configure NAT ACL as necessary)
So I was actually pretty proud of that, and everything made perfect sense as I was configuring it.  So today I finished up the IPSEC chapters in the book, and watched the SDM IPSEC Tunnel config, and the GRE/IPSEC videos.  Basic GRE tunnel is as follows:

int tunnel [number]
ip address [ip] [netmask]
tunnel source [int type][num]
tunnel destination [ip]
tunnel mode [type][type] //default is gre ip

So GRE is great in that it can transport routing protocols, which IPSEC cannot do.  However it is inherently insecure, and so IPSEC over GRE is a great option.  GRE adds about 24 bytes to the header, and has an additional 12 bytes it can add as well as optional attributes.  Some of the newer IOS versions do allow the passing of multicast traffic through an IPSEC tunnel.  I will be configuring an IPSEC/GRE tunnel via cli later, but tonight was over the SDM config of the tunnel.  Good stuff, can't wait to dive into the labs for these sections.
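To make the overhead numbers concrete, here is an added Python example (not from the original post) that builds and parses a GRE header with and without its optional fields. It assumes the RFC 2784/2890 layout: a 4-byte fixed header, plus 4 bytes each for checksum, key and sequence number, on top of a 20-byte outer IPv4 header. The payload and field values are constructed.

```python
"""Build and parse a GRE header to see where the 24-byte overhead comes from.

Added example, not from the original post. GRE (RFC 2784/2890) has a 4-byte
fixed header (flags + protocol type); the optional checksum, key and
sequence-number fields add 4 bytes each, which is the 'additional 12 bytes'.
Add the 20-byte outer IPv4 header and the base overhead is 24 bytes. The
payload and field values used below are constructed."""

import struct

FLAG_CHECKSUM = 0x8000
FLAG_KEY = 0x2000
FLAG_SEQUENCE = 0x1000
OUTER_IPV4_HEADER = 20
ETHERTYPE_IPV4 = 0x0800


def ones_complement_checksum(data):
    """Internet checksum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload, protocol=ETHERTYPE_IPV4, checksum=False, key=None, sequence=None):
    """Return GRE header + payload with the requested optional fields present."""
    flags = 0
    flags |= FLAG_CHECKSUM if checksum else 0
    flags |= FLAG_KEY if key is not None else 0
    flags |= FLAG_SEQUENCE if sequence is not None else 0
    header = struct.pack("!HH", flags, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)   # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if sequence is not None:
        header += struct.pack("!I", sequence)
    if checksum:
        # The checksum covers the GRE header (with this field zeroed) and the payload
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet):
    """Decode a GRE packet into its fields; checksum_ok is None when no checksum is present."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    info = {"protocol": protocol, "key": None, "sequence": None, "checksum_ok": None}
    offset = 4
    if flags & FLAG_CHECKSUM:
        stored = struct.unpack("!H", packet[4:6])[0]
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == stored
        offset += 4
    if flags & FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQUENCE:
        info["sequence"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["header_len"] = offset
    info["payload"] = packet[offset:]
    return info


def gre_overhead(**options):
    """Bytes added to an inner packet by GRE over IPv4 with the given options."""
    return OUTER_IPV4_HEADER + len(build_gre(b"", **options))


def max_inner_mtu(link_mtu=1500, **options):
    """Largest inner packet that fits the link without fragmentation."""
    return link_mtu - gre_overhead(**options)


if __name__ == "__main__":
    print("base overhead:", gre_overhead())                                  # 24
    print("all options:", gre_overhead(checksum=True, key=1, sequence=1))    # 36
    print(parse_gre(build_gre(b"inner packet", checksum=True, key=42, sequence=7)))
```

A plain GRE tunnel therefore leaves 1476 bytes for the inner packet on a 1500-byte link; the key and sequence fields are also the ones that matter when tunnels carry identifying or ordering information, which is why a parser should check the flags rather than assume a fixed 4-byte header.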

Wednesday, October 21, 2009

Site 2 Site IPSEC Tunnel CLI Config

Well, IPSEC tunnels tonight guys and gals!  There are five increments that a router goes through in regards to IPSEC tunnels:
  1. Define interesting traffic
  2. IKE Phase 1 ISAKMP SA
  3. IKE Phase 2 IPSEC SA
  4. Data is transmitted through IPSEC tunnel
  5. Tunnel is torn down
The steps to get this thing going in the CLI are as follows:

SET ISAKMP POLICY
crypto isakmp policy [policy number (lowest to highest)]
authentication [pre-share, rsa, etc...]
encryption [aes, des, 3des]
group [1, 2, 5] \\defines DH group
hash [sha, md5]
lifetime [0-86400] \\default is 24 hours or 86400
crypto isakmp key 0 [word] [ address] [ip] [no-xauth]

SET IPSEC TRANSFORM SET
crypto ipsec transform-set [word] [encryption] [authentication]

DEFINE INTERESTING TRAFFIC
ip access-l ext 101
permit ip [source] [destination]

SET CRYPTO MAP
crypto map [word] [sequence num] [ipsec-isakmp]
set peer [ip address]
set transform-set [t-set]
match address [access-list]

APPLY CRYPTO MAP TO INTERFACE
crypto map [name]

IF NATTING!!!!
\\deny source-destination in nat access-list

show crypto isakmp sa
show crypto ipsec sa
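As an added example (not from the original post), the following Python model shows how the policy numbers in the ISAKMP step are used during IKE phase 1. It assumes the documented Cisco rule: the responder walks its own policies from lowest number (highest priority) to highest and accepts the first one that matches any policy the initiator offered on encryption, hash, authentication and DH group, with the initiator's lifetime required to be no longer than the responder's; the shorter lifetime is then used. All policy values are constructed.

```python
"""Simulate IKE phase 1 policy selection for the 'crypto isakmp policy' step.

Added example, not from the original post. Policy attributes mirror the CLI:
encryption, hash, authentication, group (DH) and lifetime, with the policy
number deciding priority (lowest number first). Values are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    number: int            # 'crypto isakmp policy <number>'; lower number = higher priority
    encryption: str        # des, 3des, aes
    hash: str              # sha, md5
    authentication: str    # pre-share, rsa-sig
    group: int             # Diffie-Hellman group 1, 2, 5
    lifetime: int = 86400  # seconds; the default is 24 hours


def matches(offered, local):
    """Four attributes must be identical; the peer's lifetime may not exceed ours."""
    return (offered.encryption == local.encryption
            and offered.hash == local.hash
            and offered.authentication == local.authentication
            and offered.group == local.group
            and offered.lifetime <= local.lifetime)


def negotiate(initiator, responder):
    """Responder checks its policies in priority order against everything
    the initiator offered; the first match wins. Returns
    (initiator_policy, responder_policy, agreed_lifetime) or None."""
    offered = sorted(initiator, key=lambda p: p.number)
    for local in sorted(responder, key=lambda p: p.number):
        for remote in offered:
            if matches(remote, local):
                return remote, local, min(remote.lifetime, local.lifetime)
    return None


# Constructed peers: the strongest policies disagree on the DH group, so the
# negotiation falls through to the weaker 3DES/MD5 policy on both sides.
INITIATOR_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 2),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2, lifetime=3600),
]
RESPONDER_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 5),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2),
]


def describe(result):
    """Human-readable summary, e.g. for a lab write-up."""
    if result is None:
        return "no matching ISAKMP policy: phase 1 fails"
    remote, local, lifetime = result
    return (f"initiator policy {remote.number} <-> responder policy {local.number}: "
            f"{local.encryption}/{local.hash}/{local.authentication}/group {local.group}, "
            f"lifetime {lifetime}s")


if __name__ == "__main__":
    print(describe(negotiate(INITIATOR_POLICIES, RESPONDER_POLICIES)))
```

The fall-through is the practical lesson: a mismatch in one attribute of the preferred policy silently downgrades the SA to whatever weaker policy both peers still share, so low-numbered policies should be the only ones you are willing to accept, and `show crypto isakmp sa` together with `show crypto isakmp policy` is how you confirm which one was actually picked.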

Tuesday, October 20, 2009

MPLS wrap-up & IPSEC Intro.

Well I finished up MPLS today by finishing the rest of my reading, looking over weak areas, and doing shows and debugs from my already constructed labs. Trying to explain everything to another guy on the networking team felt like it helped my understanding out as well. We looked through the MPLS VPN lab, and traced labels throughout the topology, and also verified them against the routes in the routing tables (both the main routing table, and the vrf's). Very much worth the time! Also, by chance, learned that the command show ip protocols vrf [name] had A LOT of pertinent information in it...especially regarding redistributed protocols/AS's as well as neighbors.

Then I watched the nuggets regarding IPSEC introduction.  Much of it a review for me at this point, but still learned some good stuff.  IPSEC attempts to achieve:
  1. Authentication
  2. Data Integrity (SHA1 -{160 bit}, MD5 {128 bit}, etc...)
  3. Confidentiality (DES, 3DES, AES, RSA)
  4. Anti-replay
These are negotiated via IKE (internet key exchange)

There are 2 IPSEC modes:
Transport and Tunnel

Symmetric encryption == both ends have the same keys (DES, 3DES, AES)
Asymmetric encryption == public/private keys (RSA, DH)

IPSEC is a "protocol suite"

Monday, October 19, 2009

MPLS

So...I am trying to MASTER the MPLS portion of the ISCW before moving on to the next topic.  I have spent about 3 days on it thus far, and will probably give it through tomorrow.  I have read all the MPLS chapters in the ISCW Authorized Self Study guide, watched the nuggets, and completed the labs in the portfolio.  Man, I really don't even know where to begin...there is soooo much with MPLS, and only a portion of it is even covered by this exam.  I do however feel that my knowledge on the matter is growing, and it is something that piques my interest.  Let's go over the labs first:

4-1 Frame Mode MPLS
Diagram (sorry!):
[R1]----------[R2]----------[R3]

Easy enough!  Started by configuring loopbacks and serial IP's to the interfaces.  I then ran eigrp on the interfaces and advertised all loopbacks and serials.  Ensured end-to-end connectivity by pinging from R1's loopback to R3's loopback interfaces, checking routing tables, and show ip eigrp commands.  Then configured MPLS as follows:
(config) ip cef  \\enabled cisco express forwarding
(config-if) mpls ip \\enabled mpls on all mpls interfaces
(config-if) mpls label protocol ldp \\set ldp as the label distro. protocol
(config-if) mpls mtu 1512 \\set the mtu to 12 > than 1500 to accommodate 3 X 4 byte labels

Verified with:

show mpls ldp bindings
show mpls forwarding-table
show mpls interfaces [type] [number] [detail]
This was a basic frame mode mpls configuration.  As you can tell this is done over ethernet, thus the "frame" mode.  This is opposed to mpls over atm; which is known as mpls cell mode.

The next lab was a bit more challenging....guess that's why it is called the "challenge" lab.
Lab 4-2 MPLS VPN's
[HQ]-------[SP1]-------[SP2]--------[SP3]---------[Branch]

This is hard to even explain....
  1. Set up interfaces with loopbacks, ip's, etc...
  2. Configured ospf over service provider network
  3. configured MPLS in SP domain
  4. Configured a virtual routing and forwarding table for the "customer"
    1. ip vrf "name"
    2. rd 100:1  \\route distinguisher...unique for each "customer"
    3. route-target both 1:100  \\will help if the customer uses multiple vpn's
    4. (config-if) ip vrf forwarding "name"  \\do this on the customer facing interface
      1. Verify with ping vrf "name" [ip]
  5. Configured eigrp AS 1 on both customer routers advertising networks
  6. Configured eigrp AS 100 on PE routers SP1 and 3 and then set up the ipv4 vrf
    1. address-family ipv4 vrf customer
    2. autonomous-system 1  \\customers as
    3. no auto
    4. network [ip]
      1. Verify with show ip route vrf "name"
  7. BGP setup on PE routers SP1 and SP3
    1. router bgp as
    2. neighbor [ip] remote-as [as]
    3. neighbor [ip] update-source loop0
    4. address-family vpnv4
    5. neighbor [ip] activate
    6. neighbor [ip] send-community both
    7. exit
    8. address-family ipv4 vrf customer
    9. redistribute eigrp 1
  8. Redistribute bgp routes into eigrp
    1. address-family ipv4 vrf customer
    2. redistribute bgp [as] metric 64 1000 255 1 1500

And done....that one was a real brainwasher. Made me re-evaluate everything I thought that I knew about MPLS. Like I said...I will do some re-study tomm. and probably move on to the next topic by Wednesday.

Friday, October 16, 2009

MPLS

LSR - Label Switch Router
LIB - Label Information Base
LFIB (Action table) - Label Forwarding Information Base
PE - Provider Edge
LDP - Label Distribution Protocol
VRF - Virtual Routing and Forwarding

Placing the label = "Pushing" the label
Removing the label = "Popping" the label

Control Plane - L3 routing exists here, label exchanging protocols LDP operates here
Data Plane -  "Forwarding plane", send data at L2/L3, and does the label swapping

I'm tired....


MPLS FRAME MODE CONFIGURATION...
(config) ip cef
(config-if) mpls ip
(config-if) mpls label protocol ldp
(config-if)mpls mtu 1512

show mpls ldp neighbor
show mpls ldp bindings


Route Distinguisher - 64 bit tag prepended to IPv4 address and routes that works to identify a particular customer (i.e. "customer1", "cust23")
Route Target - allows a customer to belong to multiple vpns....need to look more into this...
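As an added example (not from the original post), here is a short Python routine that encodes a route distinguisher and prepends it to an IPv4 prefix, which is what the "64 bit tag" note describes. It assumes the standard RD encodings (type 0 is ASN:nn, type 1 is IPv4-address:nn, both 8 bytes); the customer names, RDs and the overlapping prefix are constructed.

```python
"""Encode a route distinguisher and build the VPNv4 prefix MP-BGP carries.

Added example, not from the original post. A type-0 RD (the 'rd 100:1' form)
is 2 bytes of type, a 2-byte ASN and a 4-byte assigned number: 8 bytes, the
64-bit tag noted above. Prepending it to an IPv4 prefix gives a 96-bit VPNv4
prefix, so two customers advertising the same 10.0.0.0/24 stay distinct in
the provider's BGP table. Customer names, RDs and prefixes are constructed."""

import ipaddress
import struct


def encode_rd(rd):
    """'ASN:nn' -> type 0 (2+2+4 bytes); 'A.B.C.D:nn' -> type 1 (2+4+2 bytes)."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpnv4_prefix(rd, prefix):
    """Return (bytes, prefix_length): RD bytes + network address, length + 64."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen + 64


def build_vpnv4_table(customer_routes):
    """customer_routes: list of (customer, rd, prefix). Returns {vpnv4: customer}.
    Raises if two customers collide, which only happens when an RD is reused."""
    table = {}
    for customer, rd, prefix in customer_routes:
        key = vpnv4_prefix(rd, prefix)
        if key in table and table[key] != customer:
            raise ValueError(f"RD {rd} reused: {customer} collides with {table[key]}")
        table[key] = customer
    return table


# Constructed: both customers use 10.0.0.0/24 but each has its own RD
CUSTOMER_ROUTES = [
    ("customer1", "100:1", "10.0.0.0/24"),
    ("cust23", "100:23", "10.0.0.0/24"),
]

if __name__ == "__main__":
    for (vpnv4, length), customer in build_vpnv4_table(CUSTOMER_ROUTES).items():
        print(f"{customer:10} {vpnv4.hex()}/{length}")
```

The RD only makes the prefix unique; it does not decide which VRF imports the route. That is the job of the route target extended community (`route-target both 1:100` in the lab), which is why a customer can belong to several VPNs by importing more than one target.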

Good night...i'm exhausted from work and study and family

Thursday, October 15, 2009

ISCW Chapters 1, 2, 3

I went with the official exam certification guide again for this exam.  I have officially conquered chapters 1, 2, and 3...which I have to say were boring as shit.  All about SONA, IIN, and  cable/dsl technologies.   I also watched the Nugget vids on the topics as well, which in fact, cheered me up a bit about it all.  Also, went through a basic PPPoE config that went as follows:

int dialer [#] - (1-255) Creates the virtual dialer interface
ip address negotiation (negotiates with carrier for ip address)
encapsulation ppp (designates encap type)
ip mtu 1492 (interestingly enough ethernet is 1500, but dsl adds an 8 byte header...this proves more efficient)
ip nat outside (do it here rather than the physical interface)
ppp authentication [pap/chap] callin (the "callin" ensures that you are not authenticating the ISP)
ppp [pap/chap] sent-username [word] password [word]
dialer pool [#] - assign everything to a pool that you can reference on the physical interface
interface [physical wan connection]
pppoe enable
pppoe dial-pool-name [# from above dial-pool callout]
debug pppoe events
debug ppp authentication
show pppoe session

And that was pretty much it...except for the rest of the internal NAT stuff that remains to be completed.  Showed some good debug output in the videos, and hopefully this stuff will sink in...I will start labbing in about 1 week I think. 

Monday, October 12, 2009

The Great ISCW Race!

Well I started tonight on the adventures of the ISCW.  Due to the pending changes in the CCNP curriculum, looks like I have to finish by March 2010 with the ONT/ISCW combo.  Shouldn't be really difficult..but we will see.  I will post more tomorrow now that my introductory nuggets are done!

Saturday, October 10, 2009

ISCW

Update:  I did pass the BCMSN and am going to start the ISCW on Monday.  More posts to follow...go CCNP!

Wednesday, September 16, 2009

Messing with ether-channels

No Etherchannel, one end isl, the other dot1q:
Results:  Trunk and lines showed up and up, no data would pass over line (could not get pings going)

Etherchanneled two ports, configured one Po interfaces as isl, the other as dot1q
Results: Portchannel went down, the ports on the side I changed to dot1q started trunking as dot1q even though I had hard coded them with isl.....I only changed the Portchannel interface to dot1q and it reprogrammed the individual ports in the channel groups encapsulation values!

I also tested those rules regarding what has to be in place for an etherchannel to form:
  1. Duplex settings must match
  2. speed settings must match
  3. Native Vlans must match
  4. channeling protocol

Tuesday, September 15, 2009

Back in the mix

Well, I am still not 100% healthy, but have been studying nonetheless.  As you can see I have started to add links to the blog.  Most are going to be direct cisco links to whitepages and topic areas for exams.  I pretty much blew away all the transcender tests scoring 100% on all their "compiled mock exams."  They were fairly straightforward and easy...I am not expecting the exam to be that simple.

I did do some labbing tonight, and really wrapped my head around the fairly simple technology that is VTP.  I just needed to verify some things, and I did.  I also went back over DAI in the cisco documentation.  Then I reconfigured VACL's on the rack.  Those seem pretty straightforward as well at this point.  At work I dove pretty deep into STP features, and re-read all of them (they could be of some use to us at work as well!).  Last night I got freaked out about wireless, and did some additional reading on LWAPP.  Again, I think that as long as I recognize that there is both control and data traffic on UDP ports 12222, and 12223, I should be ok.  The technology is not that difficult for me to identify with.

Lastly, I read some really good CCIE stories on IEOC.com.  And another techexam.net member passed his CCIE SP lab recently as well.  Hearing stories like this makes me realize that the goal is obtainable, it just requires a great deal of effort.  I still have hopes of 2011 being my year!  Oh ya, this saturday is my rescheduled BCMSN exam...hopefully this will place me halfway through my CCNP track!

Friday, September 11, 2009

Sick!

Got sick!  Sicker than shit actually.  Had to delay the exam until next Saturday the 19th of Sept.  Bummer, I was extremely ready to knock this bad boy out!  I'll let you all know.  Still killing the Transcender exams.  Got 100% first time through on all the voice topics (28/28).  Happy with that.

Wednesday, September 9, 2009

Transcender

So I bought the BCMSN Transcender exams for the first time.  They are actually pretty good and raising my confidence significantly.  I have not scored below a 90% on any of them, and normally over 95.  So I am feeling relatively prepared right now.  I will dig away at the remaining questions in their bank over the next two nights, and finish up the open-ended questions in the exam study guide.  I did get CCIE LAN Switching the other day.  Looks like a good read, but is all CatOS config stuff.  The theory is there though, which is nice.  So, I will probably post again Friday night, and then let you all know Saturday after the exam on how that went.  Cheers!

Monday, September 7, 2009

Book Time

I finished up looking over all of the Foundation Summaries in the BCMSN Official Exam Certification Guide.  Good little review actually.  I still plan on reading all the question/answers in the back of the book as well to finalize my preparations.  I DID book the test.  Date: Saturday September 12th.   So now I am in overdrive trying to fill in any gaps.  I have done a lot actually over the weekend.  Studying qos again, and hitting the books for some theory review.  I also went to the Cisco Learning network and tried some of their practice exams out.  I found a lot of glaring errors, and some common mistakes.  One however caught my attention, and I had to lab.  The question was something like, if two routers/switches in an HSRP group have the same priority, which one will become active?  The answer was the device with the highest configured IP address in the HSRP interface.  hmmm.... lab time?!?

I think so...

Upon further testing and configurations....this is not completely true.  You see...I set up 2 interfaces on two L3 switches.  Both in vlan 1, both with the default priority of 100.  The only time the higher IP address device took over active, was if it came up before the other.  Meaning I had to shutdown the other interface...and let the higher IP'd router take the active role.  It would not just take the active role over if the lower IP'd device was active and it was standby. (I cleared up my confusion posting a topic to techexams.net//nevermind).  

Saturday, September 5, 2009

Last Week!

Started off tonight with a practice exam.  Got a 96%!  Happy about that.  After a long round of golf today, it was hard to get myself into the office to actually do some studying.  After the practice exam I went back through the voice section in the BCMSN Lab Portfolio.  I think I am actually starting to wrap my head around the auto qos thing.  Here were my main tasks for the lab:

Set up VTP
Set up VLANS
Set up etherchannels
Set up HSRP on 3 VLANS
Set up access layer devices
Configure auto qos on access-layer devices
Configure distribution devices to trust qos/cos information being passed to them from the access-layer

I threw some STP stuff in there to even out the traffic flow (making the active hsrp device the root bridge for that particular vlan).  I am not going to dive into any config stuff tonight...just want to leave myself a note to remember the "mls qos" global command on the distribution switches.  This will configure all ports as "untrusted" in this respect.  We will then need to go through and trust the links to our access-layer devices with the auto qos voip trust command.

Friday, September 4, 2009

Tonight...

I started off tonight by hitting a practice exam.  Got caught off-guard with a few questions and got and 84% on the thing.  I will try again tomorrow.  I then booted up the rack, cleared my configs and vlan.dat files, and started off by configuring vtp, version, domain, mode, and password.....easy enough.  Then I created a couple of vlans on the server...and made sure they were given to the client boxes.  They were....Then I, without a book, configured MST, mapping vlans 10, 100 to instance 1, vlan 200 to instance 2, and vlan 300 to instance 3.  I had to do some research, but found the command to make a different switch the root for a specific instance:

(config)spanning-tree mst [instance #] root primary

as Borat would say.....niooooooccceeeee

Then I did a VACL to block a host from reaching his intended vlan.  He was still allowed access to other vlans, unless the acl read something like
access-list 1 permit 192.168.10.100 0.0.0.0

then he didn't get to shit!

I changed it to:
access-list 101 permit ip host 192.168.10.100 192.168.10.0 0.0.0.255

and it worked as planned.

I also set up some inter-vlan routing using one of my 3550's.  Easy config....just set the default gateway on the other switches....configure routing with "ip routing", and configure the interfaces. Works flawlessly.  Going to go to bed and read some foundation summaries now.

Lab

Thought I would post a few pics of my home lab...nothing special, but enough to get me through the CCNP track:
I have
3 X 2620XM (1 with NM-4AS, NM-1T, and one with 2 X NM-1T)
2 X 2509 (terminal servers...thought 1 was broken, so I bought another...good little 1 serial routers)
1 X 3550-24-PWR
1 X 3550-48-EMI
1 X 2950T
Not shown is an 871 wireless

Good times.


Thursday, September 3, 2009

Almost there....I can feel it!

Did a couple more practice tests tonight.  Downloaded the free Transcender demo for the test as well.  Only had like 20 questions, but they were still insightful.  I also went through the "Foundation Summaries" chapters 1 -8 in the BCMSN Off. Exam Cert Guide.  Got some good review of some things I had already forgotten :(  It's a fucking shame that a man can't just remember everything!  Guess I should stop drinking while studying!  :)  Anywho...will finish up probably one more night of practice tests...then the foundation summaries...then a bit more labbing.  I think that I am going in to sit this beast not this saturday but next.  I also ordered the book Cisco LAN Switching (CCIE Professional Development series).  Hell of a deal at like 15 bucks...I was tired of reading the damn thing under google book previews anyhow.  Bastards..they always take away the pages you want to read the most.  But it will soon be mine, thanks amazon.  Alright, time for bed.  Update again tomorrow.

Tuesday, September 1, 2009

Boson Practice Tests

Well, the last 2 or 3 nights have been dedicated to Boson practice tests.  I am scoring around 85 - 92 % on all of them, so I think that it is going well.  I need to take a couple more nights of practice questions to wrap my mind the topics, and then identify my weaker areas on the blueprint.  So far I should go back and look at:
  1. Basic qos configs (auto qos, etc...)
  2. VRRP, GLBP (protocol specifics, timers, etc..)  I can program these all day, but need to go over their details again.
  3. STP features ( I am pretty good here, but know that they will hit on it)
  4. MST
  5. Wireless (pretty good here too, but hey it's cisco.  They always seem to hit you where you least expect it)
  6. etherchannel gotcha's

Sunday, August 30, 2009

Finished BCMSN Lab Portfolio

Well, I finished up the lab portfolio today!!!! Hooraaahhh
I felt that I finished up pretty strong writing some VACLS on one of my switches.  Basically permitting a host to still use its default gateway, but blocking it from reaching other hosts on the vlan.  Config is as follows:

dsl2(config)#ip access-list extended temp-host
dsl2(config-ext-nacl)#permit ip host 172.16.200.7 172.16.200.0 0.0.0.255 - id what you are identifying
dsl2(config-ext-nacl)#exit

dsl2(config)#vlan access-map block-temp 10 -create "access-map"
dsl2(config-access-map)#match ip address temp-host
dsl2(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
dsl2(config-access-map)#action drop - drop packets from 172.16.200.7
dsl2(config-access-map)#vlan access-map block-temp 20
dsl2(config-access-map)#action forward -permit all others (there is still an implicit deny at the end)
dsl2(config-access-map)#exit

dsl2(config)#vlan filter block-temp vlan-list 200 - identify the access-map with a specific vlan
dsl2(config)#end
dsl2#sh vlan access-map - check your work
Vlan access-map "block-temp"  10
  Match clauses:
    ip  address: temp-host
  Action:
    drop
Vlan access-map "block-temp"  20
  Match clauses:
  Action:
    forward
I did test this with a host in vlan 200 with the ip address of 172.16.200.7.   It worked flawlessly.  The host could not communicate within the vlan, but could still get out to others and the internet.
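As an added example (not from the original post), here is a Python model of how the `block-temp` access-map above is evaluated, which also reproduces the earlier observation that a source-only `permit <host> 0.0.0.0` entry cut the host off completely. It assumes the IOS VACL semantics stated in the notes: sequences are tried in order, a sequence with no match clause matches everything, and anything left over hits the implicit deny. Addresses and packets are constructed.

```python
"""Evaluate a VLAN access-map such as 'block-temp' against sample packets.

Added example, not from the original post. Models the IOS semantics the
note relies on: access-map sequences are tried in order; a packet matching
a sequence's ACL takes that sequence's action; a sequence with no match
clause matches everything; a packet matching no sequence hits the implicit
deny. ACL entries use wildcard masks (0 bits must match, 1 bits are ignored).
Host and destination addresses are constructed."""

import ipaddress


def wildcard_match(address, network, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def acl_matches(acl, src, dst):
    """acl: list of (src, src_wildcard, dst, dst_wildcard); 'host X' is (X, 0.0.0.0)."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def vacl_action(access_map, src, dst):
    """access_map: list of (sequence, acl or None, action). Returns 'drop' or 'forward'."""
    for _seq, acl, action in sorted(access_map, key=lambda entry: entry[0]):
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"  # implicit deny at the end of every VACL


# The 'temp-host' ACL from the note: host 172.16.200.7 to anything in 172.16.200.0/24
TEMP_HOST = [("172.16.200.7", "0.0.0.0", "172.16.200.0", "0.0.0.255")]

# 'block-temp': sequence 10 drops temp-host matches, sequence 20 forwards the rest
BLOCK_TEMP = [(10, TEMP_HOST, "drop"), (20, None, "forward")]

# A standard-ACL style entry looks only at the source, so the destination is 'any'
BROAD_HOST = [("172.16.200.7", "0.0.0.0", "0.0.0.0", "255.255.255.255")]
BLOCK_BROAD = [(10, BROAD_HOST, "drop"), (20, None, "forward")]

# Forgetting sequence 20 leaves only the implicit deny for everyone else
BLOCK_NO_FORWARD = [(10, TEMP_HOST, "drop")]


def walk_through(access_map):
    """Constructed packets: the blocked host to a VLAN neighbour, the blocked
    host to an internet address, and a different host to a VLAN neighbour."""
    return {
        "host->vlan": vacl_action(access_map, "172.16.200.7", "172.16.200.9"),
        "host->internet": vacl_action(access_map, "172.16.200.7", "203.0.113.5"),
        "other->vlan": vacl_action(access_map, "172.16.200.8", "172.16.200.9"),
    }


if __name__ == "__main__":
    for name, amap in (("block-temp", BLOCK_TEMP), ("broad", BLOCK_BROAD),
                       ("no-forward", BLOCK_NO_FORWARD)):
        print(name, walk_through(amap))
```

The routed traffic still works because a packet headed for the internet carries a destination outside 172.16.200.0/24 even though it is physically sent to the gateway, so it never matches the `temp-host` ACL; the broad variant drops it because a source-only match ignores the destination entirely.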

So, now its on to a little review, some practice questions, reinforcement labbing, and then the exam pretty soon!  I will keep everyone posted (the few that may ever see this anyways!).

STP Root Guard

Well, using the same topology as before, I configured DLS 1 to be the root switch for vlans 1 and 100, while being the secondary for vlan 200.
dls1(config)#spanning-tree vlan 1,100 root primary
dls1(config)#spanning-tree vlan 200 root secondary

I essentially did the same thing, except opposite on DLS2, making it the root for 200, and the secondary root for 1 and 100.   This gives some consistency in the network, allowing the admin to really control what is happening with the elections.  This primarily gives each switch a value based on the current roots priority.
When you enter this command, the switch checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN.  If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. --> From Cisco.com
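As an added example (not from the original post), the Python below works the quoted rule through for the DLS1/DLS2 split above with constructed root priorities. It assumes the quoted behaviour for `root primary` (24576, or 4096 below the lowest root priority seen), the documented fixed value 28672 for `root secondary`, and the extended system ID layout in which the 16-bit priority field carried in BPDUs is the configured priority plus the VLAN ID.

```python
"""Work through the 'root primary' / 'root secondary' rule quoted above.

Added example, not from the original post. 'root primary' uses 24576 if that
is enough to win, otherwise 4096 less than the lowest root priority seen for
the VLAN; 'root secondary' sets 28672. With extended system ID the priority
field in BPDUs is the configured priority plus the VLAN ID. Root priorities
used in the plan below are constructed."""

PRIMARY_DEFAULT = 24576
SECONDARY_VALUE = 28672
DEFAULT_PRIORITY = 32768


def root_primary_priority(current_root_priority):
    """Priority a switch configures for a VLAN on 'spanning-tree vlan X root primary'."""
    if current_root_priority > PRIMARY_DEFAULT:
        return PRIMARY_DEFAULT
    new_priority = current_root_priority - 4096
    if new_priority < 0:
        # The macro cannot go lower than 0; the current root already has priority 0
        raise ValueError("current root priority is already 0; set the priority manually")
    return new_priority


def bridge_priority_field(priority, vlan):
    """Extended system ID: 4-bit priority (multiple of 4096) + 12-bit VLAN ID."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return priority + vlan


def plan_switch(primary_vlans, secondary_vlans, current_roots):
    """Return {vlan: (configured_priority, bpdu_priority_field)} for one switch
    made 'root primary' for primary_vlans and 'root secondary' for secondary_vlans.
    current_roots maps vlan -> priority of the root currently seen on that VLAN."""
    plan = {}
    for vlan in primary_vlans:
        p = root_primary_priority(current_roots.get(vlan, DEFAULT_PRIORITY))
        plan[vlan] = (p, bridge_priority_field(p, vlan))
    for vlan in secondary_vlans:
        plan[vlan] = (SECONDARY_VALUE, bridge_priority_field(SECONDARY_VALUE, vlan))
    return plan


if __name__ == "__main__":
    # Constructed: every VLAN still has a default-priority root when DLS1 is configured
    dls1 = plan_switch([1, 100], [200], {1: 32768, 100: 32768, 200: 32768})
    # DLS2 is configured afterwards and now sees DLS1 as root at 24576 on VLANs 1 and 100
    dls2 = plan_switch([200], [1, 100], {1: 24576, 100: 24576, 200: 32768})
    print("DLS1", dls1)
    print("DLS2", dls2)
```

Note what happens if the macro is run a second time on the other switch for the same VLAN: it sees the first switch's 24576 and goes to 20480, which is how two admins can leapfrog each other down to priority 0. Setting explicit priorities avoids that.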

I then, just for fun, was playing with root guard.  This again is a feature to protect from rogue switches being placed on the network, and taking over root bridge responsibilities if they have a lower priority number.  Essentially if a superior bpdu is received on a port with this feature, it will be placed in the root inconsistent state.  Look what happened when I configured it on the port channel connecting DLS1 and DLS2:
dsl2(config-if)#spanning-tree guard root
dsl2(config-if)#
*Mar  1 00:28:31.159: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.
*Mar  1 00:28:31.163: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel1 on VLAN0001.
dsl2(config-if)#
*Mar  1 00:28:40.831: %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
*Mar  1 00:28:40.879: %HSRP-5-STATECHANGE: Vlan1 Grp 1 state Standby -> Active

Whoa!  Blocked the port, and forced an HSRP statechange.  Now, the port stayed blocked, but DLS 1 took its active HSRP priority back over (Remember this was a redundant switching topology!)  It just took a little bit.  Around 1 minute. 

I think that I have talked about this before...but admins can also enable bpdu guard on ports with portfast enabled.  Because bpdu's are NOT expected to be heard on ports with portfast enabled, why not ensure that if bpdu's are received, the switchport is shut down?  Do you really want switches plugged in where you're not expecting them?  Not me!  Enable it globally on all portfast ports by typing:

dsl2(config)#spanning-tree portfast bpduguard default
dsl2(config)#end
dsl2#
*Mar  1 00:44:40.051: %SYS-5-CONFIG_I: Configured from console by console
dsl2#sh spanning summary
Switch is in pvst mode
Root bridge for: VLAN0200
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Saturday, August 29, 2009

BCMSN Lab 8 - Switch Security

Saturday at last!  The kid is napping, the wife is working on her project, and I finally get some "daytime" studying hours.  Today I labbed up the switch security chapter in the BCMSN Lab Portfolio.  I started with a lab topology that looked like so:
 
Just a note:  I did not hook up ALS2.  I ran basically a triangle with dls1, dls2, and als1.  A dhcp server was set up off of fa0/6 on dls1.  This lab also ran these vlans and HSRP gateways:
  • VLAN 1 - 172.16.1.1/24
  • VLAN100 (staff)- 172.16.100.1/24 (USERS WERE ON ALS1 FA0/3 -4)
  • VLAN200 (students)- 172.16.200.1/24 (USERS WERE ON ALS1 FA0/1 -2)
So the first thing I did was get the etherchanneled trunks up between the switches, and set the vlans and hsrp addresses.  I won't post that here because we have been over it already before.  The first thing again was protecting from MAC flooding.  This is done through port-security commands.  Vlan 200 is unique because the mac addresses will change often because of student laptops, etc...However, the staff uses desktops and ip phones that never really change.  So their configurations will appear a bit differently.  Here's the configs on als1:
ALS1(config)#int range fa0/3 - 4
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switchport access vlan 200
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switch port-security max 1
ALS1(config-if-range)#end
ALS1#sh port-security interface fastEthernet 0/3
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

The staff ports were configured as follows:
ALS1(config)#int range fa0/1 - 2
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switch access vlan 100
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switchport port-security maximum 2
ALS1(config-if-range)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address
 

ALS1(config-if-range)#switchport port-security mac-address sticky
ALS1(config-if-range)#end

ALS1#sh port-security int fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

So as you can see, the configured maximum mac addresses to be learned on the ports were different for the two access vlan ports.  The mac-address sticky command allows the first two mac addresses to be learned dynamically, and then added to the running config.  Watch what happens when I plug a switch into that port:
ALS1#sh run int fa0/1
Building configuration...

Current configuration : 312 bytes
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000d.65eb.5e88
 switchport port-security mac-address sticky 0014.692f.7f00
end

The first two addresses learned were added to the config.  Good shit!  Currently there is no aging time set on these ports, so those dynamically learned addresses are it! Notice in the show port-security interface commands, the aging time is 0, essentially disabled.  If we wanted to change this we would use the switchport port-security aging {static | time time | type {absolute | inactivity}} command.
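As an added example (not from the lab portfolio or this post), here is a small model of the port-security behaviour shown above: a maximum address count, sticky learning that lands in the running config, and the shutdown violation mode. The first two MACs are the ones Fa0/1 learned in the post; the third and the student-port MACs are constructed.

```python
# Added example, not from the lab portfolio or the post: a model of
# 'switchport port-security' with maximum, sticky and violation shutdown.
# MAC "aaaa.bbbb.0001" (and the student laptops) are constructed values.


class PortSecurity:
    """One access port with 'switchport port-security' enabled."""

    def __init__(self, name, maximum=1, sticky=False, violation="shutdown"):
        self.name = name
        self.maximum = maximum            # switchport port-security maximum N
        self.sticky = sticky              # ... mac-address sticky
        self.violation = violation        # shutdown | restrict | protect
        self.secure_macs = []             # secure addresses, in learning order
        self.violation_count = 0
        self.err_disabled = False
        self.last_source = "0000.0000.0000"

    def receive_frame(self, src_mac):
        """Handle one ingress frame; returns 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                 # err-disabled: nothing passes
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return "forward"              # a known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learn it (dynamic or sticky)
            return "forward"
        # More source addresses than the configured maximum: a violation.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True      # the whole port goes err-disabled
        return "drop"                     # restrict/protect only drop the frame

    def running_config(self):
        """Lines 'show run interface' would list for this port."""
        lines = ["interface " + self.name,
                 " switchport port-security",
                 " switchport port-security maximum %d" % self.maximum]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            # Only sticky addresses are written into the configuration;
            # plain dynamic secure addresses live in the MAC table alone.
            for mac in self.secure_macs:
                lines.append(" switchport port-security mac-address sticky " + mac)
        return lines


def staff_port_scenario():
    """Fa0/1 as in the post (maximum 2, sticky), then a third MAC shows up."""
    port = PortSecurity("FastEthernet0/1", maximum=2, sticky=True)
    frames = ["000d.65eb.5e88", "0014.692f.7f00",
              "000d.65eb.5e88",            # known address, still forwarded
              "aaaa.bbbb.0001"]            # constructed: the extra switch
    results = [port.receive_frame(mac) for mac in frames]
    return port, results


def student_port_scenario():
    """Fa0/3 as in the post (maximum 1, no sticky): second laptop trips it."""
    port = PortSecurity("FastEthernet0/3", maximum=1)
    results = [port.receive_frame(mac) for mac in
               ["aaaa.bbbb.0002", "aaaa.bbbb.0003"]]   # constructed laptops
    return port, results


if __name__ == "__main__":
    port, results = staff_port_scenario()
    print(results, "err-disabled:", port.err_disabled)
    print("\n".join(port.running_config()))
```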


The next lesson was DHCP spoofing attack mitigation.  This is to protect from rogue DHCP servers being put on your network.  They create what is a man-in-the-middle attack scenario, which we should all try to avoid.  Here is the basic config:

ALS1(config)#ip dhcp snooping - enable it globally
ALS1(config)#ip dhcp snooping vlan 100 200 - enable it for vlans 100 and 200
ALS1(config)#int fa0/24
ALS1(config-if)#ip dhcp snooping trust - Trust all trunk ports!!
ALS1(config-if)#int range fa0/15 - 16
ALS1(config-if-range)#ip dhcp snooping trust - Trust all trunk ports!!
ALS1(config-if-range)#exit




The config was the same on all of the other switches.  However on DLS1 I also trusted fa0/6, which was the port that the DHCP server was connected to.  Here is a show command from ALS1:

ALS1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100-200
Insertion of option 82 is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/15             yes         unlimited - we COULD change this with the ip dhcp snooping limit rate [# in pps command]
FastEthernet0/16             yes         unlimited
FastEthernet0/24             yes         unlimited

Now the port is supposed to shut down if it sees any dhcp server activity, but the only results I got were that of the packets being blocked :) 
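As an added example (not from the lab portfolio or this post), this models the snooping filter configured above: server-only messages are dropped on untrusted ports, client messages get option 82 added, and an untrusted port that exceeds its rate limit is err-disabled. The VLANs and trusted trunks are ALS1's; the packets and the fa0/1 rate limit (standing in for an ip dhcp snooping limit rate value) are constructed.

```python
# Added example, not from the lab portfolio or the post: a model of
# 'ip dhcp snooping' trust, option 82 insertion and per-port rate limiting.
# The packets and the fa0/1 rate limit are constructed for the demo.

# Messages only a DHCP server sends; an untrusted port must never carry them.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limits=None, option82=True):
        self.vlans = set(vlans)                # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)      # ip dhcp snooping trust
        self.rate_limits = rate_limits or {}   # port -> packets per second
        self.option82 = option82
        self.err_disabled = set()
        self._seen = {}                        # (port, second) -> packet count

    def process(self, pkt):
        """Return 'forward' or 'drop' for one DHCP packet (a dict)."""
        port, vlan, msg = pkt["port"], pkt["vlan"], pkt["type"]
        if vlan not in self.vlans:
            return "forward"                   # snooping not enabled on this VLAN
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"                   # trunks and the real server's port
        # Untrusted port: rate limit first, then the server-message check.
        limit = self.rate_limits.get(port)
        if limit is not None:
            key = (port, pkt["second"])
            self._seen[key] = self._seen.get(key, 0) + 1
            if self._seen[key] > limit:
                self.err_disabled.add(port)    # port goes err-disabled
                return "drop"
        if msg in SERVER_MESSAGES:
            return "drop"                      # a rogue DHCP server
        if self.option82:
            # Relay-agent information: tells the real server the ingress port.
            pkt["option82"] = {"circuit_id": "%s:%d" % (port, vlan),
                               "remote_id": "als1"}
        return "forward"


def als1_snooping():
    """ALS1 as configured in the post, plus an assumed limit on fa0/1."""
    return DhcpSnooping(vlans=[100, 200],
                        trusted_ports=["fa0/15", "fa0/16", "fa0/24"],
                        rate_limits={"fa0/1": 2})


def run_scenario():
    snoop = als1_snooping()
    packets = [  # constructed traffic
        {"port": "fa0/3", "vlan": 200, "type": "DHCPDISCOVER", "second": 1},
        {"port": "fa0/3", "vlan": 200, "type": "DHCPOFFER", "second": 1},     # rogue server
        {"port": "fa0/24", "vlan": 200, "type": "DHCPOFFER", "second": 1},    # real server via trunk
        {"port": "fa0/1", "vlan": 100, "type": "DHCPDISCOVER", "second": 2},
        {"port": "fa0/1", "vlan": 100, "type": "DHCPDISCOVER", "second": 2},
        {"port": "fa0/1", "vlan": 100, "type": "DHCPDISCOVER", "second": 2},  # over the limit
    ]
    return snoop, [snoop.process(p) for p in packets], packets


if __name__ == "__main__":
    snoop, results, _ = run_scenario()
    print(results, "err-disabled:", sorted(snoop.err_disabled))
```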

Friday, August 28, 2009

BCMSN Lab 7-1 Configuring Switches for IP Telephony Support

I actually found this to be more HSRP labbing than anything else!  The main point of this lab however was to set up a L3 switched network with AutoQOS enabled on a couple choice interfaces.  Basically you have 2 L3 switches running HSRP on 3 vlans:
  • VLAN 100- Data Vlan
  • VLAN 200- Voice Vlan
  • VLAN 1 - Management Vlan
The HSRP config was simple.  I should be able to do this in my sleep now, including most of the advanced features of it and its associated debugging commands.  These two L3 switches (my distribution layer) had 1 access layer switch connected to them (both with etherchannels configured).  There were supposed to be 2 access switches, but I ran out of crossover cables!  Anywho,  they had me set a VOIP phone off of port fa0/6 on the access switch.  My config was as follows:

int fa0/6
switchport access vlan 100
switchport voice vlan 200
auto qos voip cisco-phone
end

Everything there should be relatively self-explanatory except the fourth line.  Let me tell you what's going on with that auto qos voip cisco-phone command.  First know that the auto qos command is actually a macro that runs when you hit enter.  Multiple lines are sent to the switchport.  Check it out:

2950#sh run int fa0/6
interface FastEthernet0/6
 switchport access vlan 100 - data vlan
 switchport voice vlan 200 -  voice vlan
 mls qos trust device cisco-phone - This sets the cos trust on a dependency that a cisco voip phone will be on the other end. 
 mls qos trust cos - this just says "trust the cos value sent to you from the device"..i.e. the cisco phone which sets a cos value of 5 by default
 auto qos voip cisco-phone - I entered this to generate everything else.
 spanning-tree portfast - cumon!  Good to know it executes this as well though!
end

OK, so you're probably like what the hell do those mean!  To be honest, I was too.  I went out and read about them, and will attempt to give an explanation here (both for your benefit and mine!).  I put the notes above next to the command outputs. 

Not to mention the commands set in the global config:
wrr-queue bandwidth 10 20 70 1 (sets the bandwidth values for queue 1,2,3,4 (10, 20, 70, 1) "The ratio of the weights is the ratio of frequency in which the WRR scheduler dequeues packets from each queue."
wrr-queue cos-map 1 0 1 (cos values of 0 and 1 are mapped to queue 1)
wrr-queue cos-map 2 2 4 (cos values of 2 and 4 are mapped to queue 2)
wrr-queue cos-map 3 3 6 7 (cos values of 3, 6 and 7 are mapped to queue 3)
wrr-queue cos-map 4 5 (cos values of 5 are mapped to queue 4)
mls qos map cos-dscp 0 8 16 26 32 46 48 56 (maps cos values to differentiated service code point values...this is the default mapping enabled by auto qos)
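As an added example (not from the lab portfolio or this post), the following parses the global commands the macro produced (copied from above) into lookup tables and steps a plain weighted round robin over the four queues, so the 10/20/70/1 weights can be seen as dequeue frequency. The scheduler is an assumed model of WRR, not the switch's own code.

```python
# Added example, not from the lab portfolio or the post: parse the auto qos
# macro's global commands and simulate a plain weighted round robin (WRR)
# scheduler over them. The scheduler is an assumed model, not the 2950's.

AUTO_QOS_GLOBAL = """
wrr-queue bandwidth 10 20 70 1
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
mls qos map cos-dscp 0 8 16 26 32 46 48 56
"""


def parse_auto_qos(config_text):
    """Return (weights, cos_to_queue, cos_to_dscp) from the macro's commands."""
    weights, cos_to_queue, cos_to_dscp = [], {}, {}
    for line in config_text.strip().splitlines():
        words = line.split()
        if words[:2] == ["wrr-queue", "bandwidth"]:
            weights = [int(w) for w in words[2:]]            # queues 1..4
        elif words[:2] == ["wrr-queue", "cos-map"]:
            queue = int(words[2])
            for cos in words[3:]:
                cos_to_queue[int(cos)] = queue
        elif words[:4] == ["mls", "qos", "map", "cos-dscp"]:
            # position in the list is the CoS, the value is the DSCP
            cos_to_dscp = {cos: int(d) for cos, d in enumerate(words[4:])}
    return weights, cos_to_queue, cos_to_dscp


def classify(cos, cos_to_queue, cos_to_dscp):
    """(queue, dscp) a trusted frame with this CoS ends up with."""
    return cos_to_queue[cos], cos_to_dscp[cos]


def wrr_round(weights, backlog):
    """One WRR pass: queue i may release up to weights[i] frames in turn.

    backlog holds per-queue frame counts and is decremented in place;
    the return value is how many frames each queue sent this round."""
    sent = []
    for i, weight in enumerate(weights):
        n = min(weight, backlog[i])
        backlog[i] -= n
        sent.append(n)
    return sent


def simulate(weights, backlog, rounds):
    """Frames sent per queue over several rounds (empty queues yield their turn)."""
    totals = [0] * len(weights)
    for _ in range(rounds):
        for i, n in enumerate(wrr_round(weights, backlog)):
            totals[i] += n
    return totals


if __name__ == "__main__":
    weights, cos_to_queue, cos_to_dscp = parse_auto_qos(AUTO_QOS_GLOBAL)
    print("CoS 5 (voice) ->", classify(5, cos_to_queue, cos_to_dscp))
    print("frames per queue, 3 rounds:", simulate(weights, [1000] * 4, 3))
```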


and a little show command:
2950#sh mls qos int fa0/6
FastEthernet0/6
trust state: not trusted - a phone is NOT connected
trust mode: trust cos
COS override: dis
default COS: 0 - default is 0, however the COS of 5 will be accepted from a voip phone
pass-through: none
trust device: cisco-phone



Most of the detailed QOS stuff is outside the scope of the BCMSN exams, but I thought I should touch on it now so that it isn't a total shock when I hit the topics down the road.  Verify your voice vlans and appliance trusts here:
2950#sh int fa0/6 switch
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 100 (100)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 200 (200)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none - I have not extended the trust boundary beyond the cisco phone using the switchport priority extend trust command.  Look after I execute it:
2950#sh int fa0/6 switch
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 100 (100)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 200 (200)
\output omitted\
Appliance trust: trusted

The last thing I did was enable the distribution switches to trust my cos information being sent in the L2 frames using the commands:
(config)mls qos - enable it globally
(config-if)auto qos voip trust - trust the incoming qos values

Wednesday, August 26, 2009

GLBP Lab

Gotta remember...Cisco proprietary
Ran some debugs...saw that the hellos go to 224.0.0.102
*Mar  1 04:36:19.363: IP: s=172.16.10.100 (local), d=172.16.10.4 (FastEthernet0/0), len 100, sending
*Mar  1 04:36:20.075: IP: s=172.16.10.1 (FastEthernet0/0), d=224.0.0.102, len 88, rcvd 2
*Mar  1 04:36:20.995: IP: s=172.16.10.3 (local), d=224.0.0.102 (FastEthernet0/0), len 88, sending broad/multicast

Did a pretty standard config....3 routers connected to one switch.  Gave each fa0/0 interface a unique address on the 172.16.10.x/24 subnet, and applied the following config:
R1
(config-if)glbp 0 ip 172.16.10.100
(config-if)glbp 0 preempt
(config-if)glbp 0 priority 120

R2

(config-if)glbp 0 ip 172.16.10.100
(config-if)glbp 0 preempt
(config-if)glbp 0 priority 110

R3
(config-if)glbp 0 ip 172.16.10.100
(config-if)glbp 0 preempt
(received default priority of 100)

used show glbp [brief]
R3#sh glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       0    -   100 Listen   172.16.10.100   172.16.10.1     172.16.10.2
Fa0/0       0    1   -   Active   0007.b400.0001  local           -
Fa0/0       0    2   -   Listen   0007.b400.0002  172.16.10.1     -
Fa0/0       0    3   -   Listen   0007.b400.0003  172.16.10.2     -


The - in the Fwd column of the first line identifies the AVG, or active virtual gateway.  This is the device that distributes the created glbp mac-addresses to clients within arp replies.  As you can see, there are 3 different AVF's represented by the 3 routers.  172.16.10.1 is the AVG, and 172.16.10.2 is standing by in case it fails.  You can also see which mac-address/ip address is associated with each AVF.  I also learned that the first AVF is actually going to be the first one to receive a client.

Tuesday, August 25, 2009

HSRP LAB

You know what I keep freakin forgetting? Dumbest shit in the world actually.....during my switch configs I ALWAYS forget the stinking ip default-gateway command!?! That's like switching 101...I pick up pretty quickly after something fails to come back from the switch..but I mean damn. This is like the 10th time in 3 weeks I have done it. Need to embed that into my head...so I wrote it here :)

So I did an HSRP lab tonight. It was pretty fun. I see where the BCMSN lab portfolio is going.....type...repeat...type....repeat. That's ok though, I figure that it will be etched into my brain via laser beam once completed. So, basic config:

I know that diagram is juvenile...but I don't have visio installed at home! So, better a paint visio than nothing at all. So quit your bitching and snickering.

Then a couple of nodes hooked up to each on a separate vlan. I had vlans 1, 10, 20, 30, 40 running on all of the switches. I distributed the vlans from switch 1 via vlan trunking protocol version 2. So....switches 1 and 2 are 3550 layer 3 switches. The book had me make sw1 the active hsrp router for 1, 10, and 20. SW2 was the standby for those, and the active router for....dadada, you guessed it 30 and 40. Basic config looked like this under the svi interfaces:

standby 1 ip 172.16.x.x
standby 1 preempt
standby 1 priority 150 (on the active switch, remember that 100 is the default)

So all went as planned. The correct switches became the active router for the proper vlans, the other became the standby. I manipulated the hello and hold timers on vlan 40, on the active router, and noticed that it actually passed these values on to the standby router...cool shit.

Umm, I then went off track and started doing my own thing. I manipulated spanning tree so that switch2 would become the root switch for its vlans (30,40). SW1 was the root switch by default for all vlans because of its low mac address. I used this command...I think:
spanning-tree vlan 30,40 root primary (that's off the top of my head so I think it's accurate)

Then finally I tracked the port channel on SW1 on its active vlan interfaces (1, 10, 20).
(config)int range vlan 1, vlan 10, vlan 20
(config-if-range) standby 1 track port-channel 1 51 (decrement to drop priority below 100 so that SW2 will take over as active router)

Something I noticed was that I had an active/active state for about 45 seconds where both switches were the active switch for all vlans. Finally SW2 took over the active role however. Need to look up some literature on this anomaly. Guess which vlan came out of active/active first?.....the one I lowered the hello and hold timers on! 40

Sunday, August 23, 2009

STP Features

I felt a little weak on certain STP features, and the BCMSN lab manual unfortunately did not touch on any of them. In particular they were:

Root Guard: Protects ports from receiving superior bpdu's. I.E. a root bridge can not be learned on these ports once it is enabled. If superior bpdu's are detected the port will be placed into a root-inconsistent state. This can be verified with the sh span inconsistent-ports command.

BPDU Guard: Use this if you want no bpdu's to be accepted on a port. If bpdu's are found, the port will be placed into err-disabled. Use it where portfast is enabled!

LoopGuard: If you have a port in blocking, root, or maybe any other non-designated role that experiences a sudden loss of bpdu's, you could be in trouble. Once that bpdu max-age timer expires the switch will move that blocking (or whatever) port into the forwarding state because the bpdu's are suddenly gone. This can create a switching loop. Loopguard prevents this...check it out. I had two switches connected, and used bpdu filtering on the port connected to this switch...thus cutting off the bpdu's. Here's what happened:

*Mar 1 00:27:04.387: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/2 on VLAN0001.
3550-48#sh spanning

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.65eb.5e80
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0014.692f.7f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/2               Desg BKN*19        128.2    P2p *LOOP_Inc
Fa0/16              Altn BLK 19        128.16   P2p

3550-48#sh spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             FastEthernet0/2          Loop Inconsistent

Number of inconsistent ports (segments) in the system : 1

Don't forget about udld, and bpdu filtering (which essentially tells the switch to not accept or send bpdu's on certain interfaces).

MST

Set up MST out of the BCMSN lab portfolio tonight.... I did it off of 3 switches though, and they had me run through what I thought was a pretty basic configuration of MST. 3 switches, all interconnected in a triangle fashion. All had vlans 1, 10, 20, 30, 40, 50, 60, 70, 80, 90, 100. With per-vlan stp you basically had an instance running for each, 11 in total. All instances were computing the same stp topology, over the same physical connections. A bit redundant, eh?
So MST lets you "group" these vlans. Here's what I did, with some output omitted of course:

POE(config)#spanning-tree mode ?
mst Multiple spanning tree mode
pvst Per-Vlan spanning tree mode
rapid-pvst Per-Vlan rapid spanning tree mode

POE(config)#spanning-tree mode mst
POE(config)#spanning-tree mst ?
WORD MST instance range, example: 0-3,5,7-9
configuration Enter MST configuration submode
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
max-hops Set the max hops value for the spanning tree

POE(config)#spanning-tree mst config
POE(config)#spanning-tree mst configuration ?


POE(config)#spanning-tree mst configuration
POE(config-mst)#?
abort Exit region configuration mode, aborting changes
exit Exit region configuration mode, applying changes
instance Map vlans to an MST instance
name Set configuration name
no Negate a command or set its defaults
private-vlan Set private-vlan synchronization
revision Set configuration revision number
show Display region configurations

POE(config-mst)#sh current
Current MST configuration
Name []
Revision 0 Instances configured 1

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------
POE(config-mst)#sh pending
Pending MST configuration
Name []
Revision 0 Instances configured 1

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------

POE(config-mst)#name ?
WORD Configuration name

POE(config-mst)#name cisco ?


POE(config-mst)#name cisco
POE(config-mst)#revision ?
<0-65535> Configuration revision number

POE(config-mst)#revision 1

POE(config-mst)#instance 1 ?
vlan Range of vlans to add to the instance mapping

POE(config-mst)#instance 1 vlan ?
LINE vlan range ex: 1-65, 72, 300 -200

POE(config-mst)#instance 1 vlan 20-50
POE(config-mst)#instance 2 vlan 80, 100
POE(config-mst)#sh pending
Pending MST configuration
Name [cisco]
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-19,51-79,81-99,101-4094
1 20-50
2 80,100
-------------------------------------------------------------------------------
POE(config-mst)#exit

POE#sh spanning-tree mst config
Name [cisco]
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-19,51-79,81-99,101-4094
1 20-50
2 80,100
-------------------------------------------------------------------------------

Now when I run a simple show spanning-tree I will basically see 3 instances (i.e. 3 stp calculations) versus the 11 we saw earlier. Brilliant! I also did a bit of unplugging as I went with some different debugs running. The best command I hit was debug spanning mst roles. Great output.
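As an added example (not from the lab portfolio or this post), here is the VLAN-to-instance bookkeeping behind the "sh pending" output above: it parses IOS-style VLAN ranges, moves VLANs between instances the way "instance N vlan ..." does (anything unmapped stays in instance 0), and prints the table back in the same compressed form. The digest in config_id is a stand-in to show why name, revision and mapping must all match, not the 802.1s MD5 digest.

```python
# Added example, not from the lab portfolio or the post: MST region
# configuration bookkeeping. config_id() uses a plain MD5 of the printed
# table as a stand-in for the real 802.1s digest.

import hashlib


def parse_vlan_list(text):
    """'20-50', '80, 100' or '1-19,51-79' -> set of VLAN ids."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        hi = hi or lo                         # a single id has no '-'
        vlans.update(range(int(lo), int(hi) + 1))
    return vlans


def format_vlan_list(vlans):
    """Compress a set of VLAN ids to the '1-19,51-79,...' form IOS prints."""
    out, ids = [], sorted(vlans)
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1                            # extend the run
        out.append(str(ids[i]) if i == j else "%d-%d" % (ids[i], ids[j]))
        i = j + 1
    return ",".join(out)


class MstRegion:
    def __init__(self):
        self.name, self.revision = "", 0
        self.instances = {0: set(range(1, 4095))}   # instance 0 starts with all VLANs

    def instance(self, number, vlan_text):
        """'instance N vlan LIST': pull those VLANs out of whichever instance has them."""
        vlans = parse_vlan_list(vlan_text)
        for members in self.instances.values():
            members -= vlans
        self.instances.setdefault(number, set()).update(vlans)

    def show_pending(self):
        """Lines matching the 'show pending' summary and table."""
        lines = ["Name [%s]" % self.name,
                 "Revision %d Instances configured %d" % (self.revision, len(self.instances))]
        for num in sorted(self.instances):
            lines.append("%d %s" % (num, format_vlan_list(self.instances[num])))
        return lines

    def config_id(self):
        """(name, revision, digest of the mapping): switches whose three values
        differ are in different regions. Stand-in digest, not 802.1s's."""
        table = ";".join("%d:%s" % (n, format_vlan_list(v))
                         for n, v in sorted(self.instances.items()))
        return (self.name, self.revision, hashlib.md5(table.encode()).hexdigest())


def lab_region():
    """The POE switch's region as configured in the post."""
    region = MstRegion()
    region.name, region.revision = "cisco", 1
    region.instance(1, "20-50")
    region.instance(2, "80, 100")
    return region


if __name__ == "__main__":
    print("\n".join(lab_region().show_pending()))
```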

Friday, August 21, 2009

EtherChannel Labs in BCMSN Lab Portfolio

Ran through the labs in the BCMSN portfolio tonight concerning etherchannels. Fun little lab really. Simple, yet to the point. Went over the various modes:
channel-group [#] mode [active (LACP), auto (PAgP), desirable (PAgP), passive (LACP), on]

Actually did not have enough crossovers to do the entire lab with, but made my own little scenario up and used bits and pieces from theirs. Did some layer 2 etherchannels, along with a L3 channel using ip addresses on which to verify connectivity. Used the show commands:

show ether summary
sh ether [#]
sho ether load-balance

And configured different load balancing mechanisms with the command
(config)port-channel load-balance [type]

Lastly, learned a cool interface command that allows you to statically define the protocol to use (either LACP or PAgP)


(config-if)channel-protocol [protocol]

Tuesday, August 18, 2009

Private Vlans

I might have hit this before...but I read about private vlans, vacl's, switch spoofing, and vlan hopping again tonight in the exam study guide. I really feel like I am taking this material in very well. I work within a fully switched environment every day, and have had some good exposure to it throughout my career so this stuff is sitting pretty well in my mind, and even answering some questions I had coming into the exam topics.

Private VLAN's
Primary vlan must be associated with secondary vlans through an association statement. Primary vlans can communicate with secondary vlans. Secondary vlans can communicate with the primary vlan, but not with other secondary vlans unless they are in the same "community." Secondary vlans can be one of these two types:
  1. Isolated- isolated from everything except the primary vlan. CAN NOT communicate with other secondary or isolated secondary vlans.
  2. Community- secondary community hosts can communicate with each other, but not with any other secondary vlans. They can also communicate with the primary vlan, or normal vlan.
Switchports must also be configured for private vlan access. They can be in one of two modes:
  1. Promiscuous- use this for routers/firewalls/gateways. Ports in promiscuous mode bypass the rules of private vlans and can communicate with any secondary or primary vlan of any type (isolated or community).
  2. Host- connected to a regular host...must abide by the private vlan rulesets.
Configuration example:
(config)vlan [vlan-id]
(config-vlan)private-vlan [isolated | primary | community]
(config-vlan)private-vlan association [secondary vlan list] [add|remove] - use this on the primary vlan to associate the secondary vlans ***

Interface config
(config-if)switchport mode private-vlan [host | promiscuous] - set the mode
(config-if)switchport private-vlan host-association [primary vlan id] [secondary vlan id] - if in host mode
(config-if)switchport private-vlan mapping [primary vlan id][secondary vlan list] [add|remove] - this is for promiscous mode and used to apply mappings to SVI's as well.

Look familiar :) It basically replaces these....:

(config-if)switchport mode access
(config-if)switchport access vlan [vlan-id]

Monday, August 17, 2009

All Things Voice...Almost

This is going to be more config stuff than anything. But I read some voice/qos/cos stuff, so I need to offload at least a bit into this blog tonight. My notes f#$#!@ suck though, so this might be a bit more of a mess than some of my other posts. But here we go anyways.

Best effort delivery- No real quality of service (QOS) here. The network devices just deliver packets or frames as they are received.

Integrated Services Model- This model essentially clears a path through the network for priority data to flow through using the resource reservation protocol (RSVP). The application requesting QOS via RSVP sends the protocol its request. RSVP in turn goes out to the network devices along the path to see if they can support the request. If granted, the path is cleared for the priority traffic. Imagine a fire truck going through the city....the cops would have all the intersections cleared for it in advance of its arrival.

Differentiated Services Model (DiffServ)- QOS is handled on a per-hop basis rather than a per-flow basis. As the traffic approaches each network device, QOS decision will be made based on the information contained within the packet header. This frees up that end-to-end traffic tunnel that IntServ created.

TOS or type of service includes:
  • IP precedence value - 3 bits
  • TOS value - 4 bits
  • A Zero - 1 bit
Differentiated Services Code Point (DSCP)
  • Class Selector- 3 bits
Class 7 Network Control (STP, routing protocols, etc...)
Class 6 Internetwork Control
Class 5 Expedited forwarding (voice and other critical data)
Class 1 Assured forwarding (not left to best effort)
Class 0 Best effort delivery
  • Drop precedence- 3 bits
High - 3
Med - 2
Low - 1

Can be displayed as follows: AF (class)(drop prec); AF23 = Assured Forwarding class 2, high
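As an added example (not from the lab portfolio or this post), these encoders and a decoder work the bit layout described above: the precedence / class-selector value in the top 3 bits, the AF drop precedence in the next bits, and EF = 46. The cos-dscp values in the test are the auto qos defaults quoted in the IP telephony lab.

```python
# Added example, not from the lab portfolio or the post: ToS byte and DSCP
# encoding/decoding as described in the notes above.


def tos_byte(precedence, tos_bits=0):
    """Classic ToS byte: 3 precedence bits, 4 ToS bits, then a zero bit."""
    assert 0 <= precedence < 8 and 0 <= tos_bits < 16
    return (precedence << 5) | (tos_bits << 1)


def dscp_from_tos(byte):
    """DiffServ reuses the same byte: its top 6 bits are the DSCP."""
    return byte >> 2


def af_dscp(af_class, drop_precedence):
    """AFxy: class x (1-4) in the top 3 bits, drop precedence y (1 low .. 3 high)."""
    assert 1 <= af_class <= 4 and 1 <= drop_precedence <= 3
    return (af_class << 3) | (drop_precedence << 1)


def phb_name(dscp):
    """Name a DSCP value, e.g. 26 -> 'AF31', 46 -> 'EF', 48 -> 'CS6'."""
    assert 0 <= dscp < 64
    if dscp == 46:
        return "EF"                      # expedited forwarding (voice)
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return "CS%d" % cls              # class selector: precedence-compatible
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return "AF%d%d" % (cls, low >> 1)
    return "DSCP%d" % dscp               # not a standard PHB code point


def decode_cos_dscp_map(values):
    """Name each DSCP in an 'mls qos map cos-dscp' list, indexed by CoS."""
    return {cos: phb_name(d) for cos, d in enumerate(values)}


if __name__ == "__main__":
    print("AF23 =", af_dscp(2, 3), phb_name(af_dscp(2, 3)))
    print(decode_cos_dscp_map([0, 8, 16, 26, 32, 46, 48, 56]))
```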

Basic config:
(config)mls qos (enable globally on device)
(config-if)mls qos trust [cos] - trust cos value unconditionally on port
(config-if)mls qos trust device cisco-phone
(config-if)switchport priority extend trust (extends trust boundary...like beyond cisco phone to pc)

show mls qos [int]

Wireless

Well, we should all know a bit about this stuff already, but here's the gist of it from the CBT videos. I will probably, like most of my other posts, have to post another wireless section as I read about it in the BCMSN Official Exam Certification Guide.
-WLAN (wireless local area network)...no shit sherlock, cummon
-Basic Service Set- one access point with associated access stations comprises a basic service set.
-Ext. Service Set- one or more BSS's that appear as one logical BSS to the link layer of connected devices
Image Source: www.extremetech.com/article2/0,2845,1073,00.asp

The wireless "cell" is essentially the area of coverage that the AP provides, and hosts must form an association with an access point by matching both SSID and authentication measures.

There are essentially 2 types of wireless scanning:
  1. Active- Where the client sends probe request and waits for responses from AP's.
  2. Passive- hmmm, where the client passively listens for beacon frames pushed by AP's...
Security
  1. Open System- essentially a wide open network...no security measures
  2. Shared key- WEP, WPA(2)
  3. MAC authentication- not mentioned but important to remember, though it is easily spoofed.
RFC 3748 describes EAP, or extensible authentication protocol. Cisco's proprietary cousin is LEAP. It provides two-way authentication between the AP and the client station, and uses a RADIUS server to do so. It uses dynamic keys propagated for each unique session.

The WIFI alliance created WPA and WPA2.

802.11a- about 25 Mbps typical throughput, 54 Mbps maximum rate; 100 ft indoors, 5 GHz
802.11b- about 6.5 Mbps typical throughput, 11 Mbps maximum rate; 100 ft indoors, 2.4 GHz
802.11g- about 25 Mbps typical throughput, 54 Mbps maximum rate; 100 ft indoors, 2.4 GHz
802.11n- about 200 Mbps typical throughput, 540 Mbps maximum rate; 160 ft indoors, 2.4 or 5 GHz

IrDA- Infrared Data Association
version 1.0 = 1 meter @ 115 Kbps
version 1.1 = 1 meter @ 4Mbps

Antennas
  1. Yagi-uda - uni-directional or "directional" antennas, for peer to peer
  2. Omni- or all directions or peer to multi-peer
Wireless is half-duplex and uses carrier sense multiple access with collision avoidance

Aironet systems tray utilities color definitions:
red - low signal
yellow - fair signal
green - very good signal
lt gray - not EAP authenticated; connection present though
dark gray - no connection
white - adapter is disabled

Thursday, August 13, 2009

VRRP, GLBP, Server load balancing

Couple of topics in this one!

Virtual Router Redundancy Protocol- RFC 2338
This is an OPEN standard...meaning not Cisco proprietary. You basically have a master and backup router(s) with this config. You still create a "virtual router," but you can actually use a physical interface address of one of your routers as the virtual router IP address. The preempt option is enabled by default, and the protocol advertises to the other routers at multicast IP address 224.0.0.18. The MAC address for VRRP's virtual router is 0000.5e00.01XX (where XX is the group number in hexadecimal). The newer version does support object tracking. Learn more at:
http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html

Gateway Load Balancing Protocol
This IS a Cisco proprietary protocol. You still have your configuration in a "group," and there is still a virtual router. You end up with 1 virtual IP, but there are multiple mac addresses for the virtual router. This is how you end up with your load balancing. Normally the active router, or active virtual gateway, will respond to host queries in a round robin fashion, giving them router 1's mac, router 2's mac, and so on. This way when hosts send to the gateway they are using the virtual ip, and one of many macs. You can fine tune this mac address giving...so to say. It can be in one of 3 modes...round robin, host dependent load balancing, or weighted mac assignment load balancing (i.e. mac 1 (50), mac2 (10), mac 3 (40)).
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
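As an added example (not from the lab portfolio or this post), this models the AVG's side of GLBP from the two GLBP sections above: it answers ARP for the one virtual IP with one of several virtual MACs in each of the three load-balancing modes. The virtual MACs follow the 0007.b400.000x pattern from the GLBP lab output and the weights are the 50/10/40 split quoted above; the client MACs are constructed, and the weighted mode uses a smooth weighted round robin as a stand-in for the router's own algorithm.

```python
# Added example, not from the lab portfolio or the post: the AVG handing out
# AVF virtual MACs in ARP replies under the three GLBP load-balancing modes.
# Client MACs are constructed; weighted mode is a smooth-WRR stand-in.

import hashlib


class ActiveVirtualGateway:
    def __init__(self, virtual_ip, forwarders, mode="round-robin"):
        self.virtual_ip = virtual_ip
        self.forwarders = list(forwarders)     # [(virtual_mac, weight), ...]
        self.mode = mode                       # round-robin | host-dependent | weighted
        self._next = 0
        self._credit = [0] * len(self.forwarders)

    def arp_reply(self, client_mac):
        """Virtual MAC this client is told to use for the gateway IP."""
        macs = [mac for mac, _ in self.forwarders]
        if self.mode == "round-robin":
            mac = macs[self._next % len(macs)]          # next AVF each time
            self._next += 1
        elif self.mode == "host-dependent":
            # The same client always lands on the same AVF (hash of its MAC).
            digest = hashlib.md5(client_mac.encode()).hexdigest()
            mac = macs[int(digest, 16) % len(macs)]
        elif self.mode == "weighted":
            # Smooth WRR: add each weight to its credit, pick the largest,
            # charge it the total; over `total` replies each AVF is picked
            # exactly `weight` times.
            total = sum(w for _, w in self.forwarders)
            for i, (_, w) in enumerate(self.forwarders):
                self._credit[i] += w
            i = max(range(len(macs)), key=lambda k: self._credit[k])
            self._credit[i] -= total
            mac = macs[i]
        else:
            raise ValueError("unknown mode " + self.mode)
        return mac


LAB_FORWARDERS = [("0007.b400.0001", 50),      # MACs from the lab output,
                  ("0007.b400.0002", 10),      # weights from the notes above
                  ("0007.b400.0003", 40)]


def distribution(mode, requests):
    """Count ARP replies per virtual MAC over N distinct client requests."""
    avg = ActiveVirtualGateway("172.16.10.100", LAB_FORWARDERS, mode)
    counts = {}
    for n in range(requests):
        mac = avg.arp_reply("aaaa.bbbb.%04x" % n)      # constructed client MACs
        counts[mac] = counts.get(mac, 0) + 1
    return counts


if __name__ == "__main__":
    for mode in ("round-robin", "host-dependent", "weighted"):
        print(mode, distribution(mode, 100))
```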

Server Load Balancing
Basically you can take a group of servers and configure the router to display them as one entity. More to come...
http://www.ciscopress.com/articles/article.asp?p=1355228

HSRP Interface Tracking

I talked briefly about how you can track interfaces with HSRP during my last posting. Consider the following diagram:
Imagine PE 1 and 2 are in a standard HSRP configuration. PE1 is the active router, and the main route out of the network is out of Ethernet2 to the central router. However, if this interface were to go down for any reason, we want the priority of PE1 to go below that of PE2, so that PE2 takes over and can route to that central router. Interface tracking is a prime solution for this dilemma. The config would be as follows:
PE1
(config-if)standby [group #] track ethernet2 [decrement value] - if PE1 is 120, and PE2 is the default value of 100, then the decrement must be greater than 20. The default is 10.

PE2
(config-if)standby [group #] preempt - most people forget this command, but it must be entered for PE2 to take over when PE1's priority drops below its own.

Verify the decrement and tracking with the show standby command.

To debug HSRP use the debug standby command (go figure...standby again)

Tuesday, August 11, 2009

HSRP: RFC 2281

Studied HSRP, or Hot Standby Router Protocol. It is defined by RFC 2281. It is a Cisco proprietary protocol that gives 2 routers or L3 switches some redundancy if one were to fail. It does this by creating a virtual router that has both a virtual MAC and IP address. The two participating routers will be in one of two modes:

Active or standby

This protocol was not really defined for "load balancing", but more for redundancy. However, load balancing may be achieved by assigning two standby groups to an interface, and assigning two separate virtual IPs. The downside...you have to manually configure your hosts to use one or the other of the gateways in order to load balance (there are other protocols for this!!)

The states for HSRP are as follows:
  1. disabled - the interface is not running HSRP
  2. initial (init) - HSRP is configured but the interface has only just come up
  3. learn - the router has not yet heard from the active router, and so does not know the virtual IP
  4. listen - the router knows the virtual IP, but does not yet know who is active or standby
  5. speak - the routers are sending hellos and holding the election
  6. standby - the router is the candidate to become the active router, and is sending hellos
  7. active - the router is forwarding packets sent to the virtual IP address, and is sending hellos
The virtual IP address is configured with HSRP; the MAC, however, is derived automatically from the following pattern:
  • 0000.0c07.acxx (where xx is the group number in hexadecimal)
It should be noted that you CAN track interfaces with HSRP. If a tracked interface goes down, the router can dynamically lower its priority so that the standby router takes over (if programmed properly with the correct priorities and preempt commands).

Commands to configure and show:
(config-if)standby [group #] ip [ip address] - this is the same on both routers and is the virtual IP
(config-if)standby [group #] priority [0-255] - the highest priority wins the active role
(config-if)standby [group #] preempt - forces the router to take the active role if its priority is higher
(config-if)standby [group #] mac-address [xxxx.xxxx.xxxx]
(config-if)standby [group #] authentication [options] - must match on both routers

show standby
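As an added example (my own code, not from the post), here is a small Python model of the HSRP rules in the two posts above: the virtual MAC derivation for HSRP and VRRP groups, and how a track decrement plus the preempt command decide whether PE2 takes over from PE1. The PE1/PE2 scenario, the priorities, and the "ties keep the incumbent" rule (IOS actually breaks ties by highest IP address) are assumptions of the model, not IOS output.

```python
from dataclasses import dataclass, field

HSRP_MAC_PREFIX = "0000.0c07.ac"   # HSRP virtual MAC base from the post
VRRP_MAC_PREFIX = "0000.5e00.01"   # VRRP virtual MAC base from the post

def virtual_mac(prefix: str, group: int) -> str:
    """Derive the virtual router MAC: prefix + group number as two hex digits."""
    if not 0 <= group <= 255:
        raise ValueError("group number must fit in one byte")
    return f"{prefix}{group:02x}"

@dataclass
class HsrpRouter:
    name: str
    priority: int = 100                           # IOS default priority
    preempt: bool = False                         # IOS default: no preempt
    tracked: dict = field(default_factory=dict)   # interface -> decrement
    down: set = field(default_factory=set)        # interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each tracked interface that is down."""
        lost = sum(dec for ifc, dec in self.tracked.items() if ifc in self.down)
        return max(0, self.priority - lost)

def elect_active(routers, current_active: str) -> str:
    """A router displaces the incumbent only if it has preempt set AND a strictly
    higher effective priority. Ties keep the incumbent (constructed simplification;
    real HSRP also uses the highest IP address as a tiebreaker)."""
    incumbent = next(r for r in routers if r.name == current_active)
    challengers = [r for r in routers if r is not incumbent and r.preempt
                   and r.effective_priority() > incumbent.effective_priority()]
    if not challengers:
        return incumbent.name
    return max(challengers, key=lambda r: r.effective_priority()).name

def pe_scenario(decrement: int, pe2_preempt: bool, ethernet2_up: bool) -> str:
    """The PE1/PE2 case from the post (assumed values): PE1 priority 120 tracks
    Ethernet2, PE2 keeps the default 100. Returns the name of the active router."""
    pe1 = HsrpRouter("PE1", priority=120, tracked={"Ethernet2": decrement})
    pe2 = HsrpRouter("PE2", priority=100, preempt=pe2_preempt)
    if not ethernet2_up:
        pe1.down.add("Ethernet2")
    return elect_active([pe1, pe2], current_active="PE1")

if __name__ == "__main__":
    for dec in (10, 20, 30):    # the default decrement of 10 is not enough here
        print(f"decrement {dec}: active = {pe_scenario(dec, True, False)}")
```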