Thursday, April 22, 2010

Port-security on shared hub and err-disable auto recovery

---------              ----------
| switch 1|----------| switch 2 |
---------   Fa0/16   ----------
    |
PC1 = 00-0C-F1-xx-xx-xx
PC2 = 00-1D-09-yy-yy-yy

Step 1: (Base configuration)

Switch 2(Edge switch):

Uplink interface: Fa0/16

Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast disable


Switch 1(Mobile switch):

Uplink interface: Fa0/16
Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full


User interface for PC: Fa0/1, Fa0/2, Fa0/3
Config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable

Step 2: (Added port-security on uplink interface of Switch 2)

Commands added on Fa0/16:
(config-if)#sw port-security
(config-if)#sw port-security violation shut
(config-if)#sw port-security mac-address sticky
(config-if)#sw port-security maximum 2

Switch 2(Edge switch):

Fa0/16 config:
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast disable

Step 3: (Connect PC1 to Fa0/1 of Switch1)

PC1----------Fa0/1 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/1 of Switch1 changed status to up
2. sh int status fa0/1 - shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 000c.f1xx.xxxx
4. sh port-security address
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -

5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 000c.f1xx.xxxx
Security Violation Count   : 0

Step 4: (Connect PC1 and PC2 on Fa0/1 and Fa0/2 respectively)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/2 of Switch1 changed status to up
2. sh int status fa0/2 - shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 001d.09yy.yyyy
4. sh port-security address
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -
10    001d.09yy.yyyy    SecureSticky        Fa0/16       -
5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 001d.09yy.yyyy
Security Violation Count   : 0


Step 5: (Connect rogue PC with MAC = 00-1D-09-zz-zz-zz on Fa0/3 of Switch1)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1
PC3----------Fa0/3 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to up
2. Log shows that int Fa0/16 of Switch1 changed status to down
3. sh int status fa0/3 - shows that the PC is connected
Switch2:
4. Log shows:
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.09zz.zzzz on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down

5. sh int fa0/16 status - Uplink interface goes to err-disabled state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       err-disabled 10           full    100 10/100BaseTX


Step 6: (Add errdisable auto recovery on switch2 then remove PC3)

(config)#errdisable recovery cause psecure-violation
(config)#errdisable recovery interval 30

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to down
2. Log shows that int Fa0/16 of Switch1 changed status to up
3. sh int status fa0/16 - shows that the uplink is connected
Switch2:
4. Log shows:
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up

5. sh int fa0/16 status - Uplink interface goes to connected state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       connected    10           full    100 10/100BaseTX
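As an added example (not part of the original post), a small Python tracker for the syslog messages above: it replays the %PM-4-ERR_DISABLE, %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_RECOVER lines, records the offending MAC per port, and flags a port that is err-disabled again right after auto recovery, which is what happens when the rogue host is still attached when the 30-second recovery timer fires. The sample log and the MAC 001d.0900.00c4 are constructed.

```python
"""Track Cisco IOS port-security violations and err-disable auto recovery from syslog.
Added example, not from the original post: parses the %PORT_SECURITY-2-PSECURE_VIOLATION,
%PM-4-ERR_DISABLE and %PM-4-ERR_RECOVER lines shown in the lab above and flags a port that
is disabled again shortly after auto recovery (the rogue host is still attached)."""
import re
from dataclasses import dataclass, field

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on\s+port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<port>\S+),")
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>[\w-]+) "
    r"err-disable state on (?P<port>\S+)")
TIMESTAMP_RE = re.compile(r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):")

@dataclass
class PortState:
    err_disabled: bool = False
    violations: int = 0
    recoveries: int = 0
    offending_macs: list = field(default_factory=list)
    last_recover: int = -1         # seconds since midnight of the last ERR_RECOVER
    repeat_offender: bool = False  # disabled again soon after a recovery

def normalize_port(name):
    """%PM messages say Fa0/16, %PORT_SECURITY says FastEthernet0/16; use the short form."""
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")

def log_seconds(line):
    m = TIMESTAMP_RE.match(line)
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) if m else -1

def track(lines, recovery_interval=30):
    """Replay syslog lines and return {port: PortState}; a second ERR_DISABLE within
    two recovery intervals of an ERR_RECOVER marks the port as a repeat offender."""
    ports = {}
    for line in lines:
        now = log_seconds(line)
        if m := VIOLATION_RE.search(line):
            st = ports.setdefault(normalize_port(m["port"]), PortState())
            st.violations += 1
            if m["mac"] not in st.offending_macs:
                st.offending_macs.append(m["mac"])
        elif (m := ERRDISABLE_RE.search(line)) and m["cause"] == "psecure-violation":
            st = ports.setdefault(normalize_port(m["port"]), PortState())
            st.err_disabled = True
            if st.last_recover >= 0 and 0 <= now - st.last_recover <= 2 * recovery_interval:
                st.repeat_offender = True
        elif (m := RECOVER_RE.search(line)) and m["cause"] == "psecure-violation":
            st = ports.setdefault(normalize_port(m["port"]), PortState())
            st.err_disabled = False
            st.recoveries += 1
            st.last_recover = now
    return ports

# Constructed sample: the lab's step 5 and 6 messages plus one extra disable/recover
# cycle; the rogue MAC 001d.0900.00c4 is constructed in place of the post's placeholder.
SAMPLE_LOG = """\
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.0900.00c4 on  port FastEthernet0/16.
02:20:23: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:20:27: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:20:27: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.0900.00c4 on  port FastEthernet0/16.
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
"""

if __name__ == "__main__":
    for port, st in track(SAMPLE_LOG.splitlines()).items():
        print(port, st)
```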

Tuesday, April 6, 2010

spanning-tree portfast default and spanning-tree portfast bpduguard default

I was trying to simulate these two commands:
  1. spanning-tree portfast default
  2. spanning-tree portfast bpduguard default

Before going into details, let me give you a little background on these two commands:

spanning-tree portfast default – a global command that sets all switch interfaces to STP portfast. When you issue the command you receive a warning to manually disable portfast on interfaces connected to hubs, bridges and switches, because otherwise this can cause a temporary bridging loop.

spanning-tree portfast bpduguard default – a global command that enables STP bpduguard on all interfaces configured with portfast.

Combining the two commands is similar to going to each switch interface and enabling portfast and bpduguard.

Our first problem was how to disable portfast: do we go to the interface and issue “no spanning-tree portfast” or “spanning-tree portfast disable”?

What I did was enable “debug spanning-tree events” and “debug spanning-tree pvst+”; these were the only spanning-tree debug options I found relevant to what I was doing. I first captured the debug output without the portfast default command, second I issued the portfast default command, and lastly I issued “spanning-tree portfast disable” on the trunk interfaces. I then compared the three outputs and couldn’t find any difference.

I then moved forward and issued the “spanning-tree portfast bpduguard default” command. When I tried to connect a switch to one of the access interfaces, the interface moved to err-disabled state. This means the two commands are working. I then issued “spanning-tree portfast disable”, refreshed the node, and the interface moved to connected state.

I then concluded that if you use the two global commands above, they are applied on all interfaces including trunks, and to negate portfast/bpduguard you need to issue “spanning-tree portfast disable” on the interface to avoid a temporary loop on your L2 network.

Monday, March 29, 2010

Interview w/ AT&T Singapore

I was interviewed last Friday by AT&T Singapore. I was able to talk to Renato Gonzales, the Manager, and Avil Pinto, Team Lead.

Renato first asked me how I was doing and how I felt. I cordially replied that I was a little bit nervous. He asked me to rate myself in L2, L3 and security. I said that I would put L2 on top of my list with 9, second would be L3 with 7, and Security with 6.

After that small introduction he introduced me to Avil for the technical interview. He started by asking whether I had just stayed at home to prepare for the interview or had gone to work. I replied that I went to work since my shift is 6AM-3PM, so I was able to work and still have enough time to go home for the interview. Avil threw the following questions at me:
  1. Describe VLANs and why they should be used.
  2. How can you allow traffic to traverse from one VLAN to another?
  3. What firewall policy should you create to allow this traffic?
  4. What are the types of NAT?
  5. How can I clear the NAT table?
  6. What are the types of firewall?
  7. Differentiate between a firewall and an access list.
  8. What are the STP port statuses?
  9. What’s the STP membership process?
  10. What’s the ARP process?
  11. What’s the TCP connection process?
  12. At what layer does DNS operate?
  13. What is the OSPF multicast address?
  14. Describe BGP.
  15. If I have a connectivity problem between my branch office and my central office, how should you troubleshoot this issue?

We spent almost an hour on the entire interview. With the very bad telephone voice quality, I was glad it finished without any major communication issue.

Renato asked me how I felt and I laughed and told him “to tell me how I should feel”; he replied that I was doing okay. He then asked if I had any questions for them. I said that I had done a little digging on the net and found out that they have many Filipino guys on their team, in fact a considerable number of people from the Network Team of Accenture Philippines, and that I was able to find Avil’s Facebook account and browse his friend list. They replied that I was correct, and Avil said that he is also from Accenture, in India.

I hope I get this job… with the money I’ll be getting, and at the same time improving my experience drastically, since I’ll be working for a big telecommunication company. I will be exposed to a lot of technologies and gain a lot of knowledge, and at the same time be able to provide for the needs of my family. Hopefully this job is for me…

Tuesday, March 23, 2010

Configure switch interface for VMPS DOT1X authentication

PC(w/ Cisco Secure Services Client)--------EdgeSwitch----------ACS(TACACS)---------DomainController

Edge switch interface configuration below, depending on the Cisco Catalyst switch model.

For Cisco Catalyst Switch 4500 series:

interface Fa1/1
switchport mode access
switchport voice vlan <Voice VLAN>
speed 100
duplex full
qos trust cos
authentication event no-response action authorize vlan <Guest VLAN>
authentication host-mode multi-host
authentication port-control auto
authentication timer reauthenticate 60
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x max-req 10
storm-control broadcast level 20.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
end

For Cisco Catalyst Switch 6500 series:
interface Fa1/1
switchport
switchport mode access
switchport voice vlan <Voice VLAN>
speed 100
duplex full
mls qos trust cos
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout quiet-period 5
dot1x timeout reauth-period 60
dot1x max-req 10
dot1x guest-vlan <Guest VLAN>
storm-control broadcast level 20.00
spanning-tree portfast
spanning-tree bpduguard enable
end

Monday, March 22, 2010

Change trunk native VLAN from 1 to 2

SwitchB |----------------trunk---------------|SwitchA

Current Trunk Configuration:

SwitchA:

SwitchA#sh int g0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

SwitchB:

SwitchB#sh int g0/1 trun

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

Change Native VLAN on SwitchA:

SwitchA:

SwitchA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchA(config)#int g0/1
SwitchA(config-if)#switchport trunk native vlan 2
SwitchA(config-if)#
23:32:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/1 VLAN2.
23:32:19: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent peer vlan.
23:32:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0002. Inconsistent local vlan.

SwitchB:

SwitchB#
23:32:58: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on GigabitEthernet0/1 VLAN1.
23:32:58: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on VLAN0002. Inconsistent peer vlan.
23:32:58: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent local vlan.

Change Native VLAN on SwitchB:

SwitchA:

23:35:22: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0001. Port consistency restored.
23:35:22: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0002. Port consistency restored.

SwitchB:

SwitchB#conf t
SwitchB(config)#int g0/1
SwitchB(config-if)#switchport trunk native vlan 2
SwitchB(config-if)#
23:36:01: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0002. Port consistency restored.
23:36:01: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0001. Port consistency restored.

Final Trunk Status:

SwitchA:

SwitchA#sh int g0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      2

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

SwitchB:

SwitchB#sh int g0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      2

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

Analysis:

When you change the native VLAN on one end of the trunk, both switches detect the VLAN inconsistency (native VLAN mismatch) and put the interface in blocking state for both VLAN 1 and VLAN 2; I think the other VLANs will continue forwarding data and will not be affected by the configuration. When you then move forward and configure the other end, the switches detect that the native VLANs match and are consistent, then unblock the interface and forward traffic.
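Added example, not from the original post: a Python check that parses the first table of `show interfaces trunk` from both ends of a link and reports a native VLAN mismatch, returning the two VLANs STP blocks (the local and the peer native VLAN) as the %SPANTREE-2-BLOCK_PVID messages above show. The sample outputs are constructed from the SwitchA/SwitchB sessions; the port is assumed to be Gi0/1 on both ends.

```python
"""Check both ends of an 802.1Q trunk for a native VLAN mismatch.
Added example, not from the original post. Parses the first table of
"show interfaces trunk" from each switch; on a mismatch, PVID inconsistency
blocks the port for both the local and the peer native VLAN."""
import re

# Row of the first table: Port  Mode  Encapsulation  Status  Native vlan
TRUNK_ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<mode>\S+)\s+(?P<encap>\S+)\s+(?P<status>\S+)\s+(?P<native>\d+)\s*$")


def parse_trunk_native(output):
    """Return {port: native_vlan} for trunking ports in 'show interfaces trunk' text."""
    natives, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("Port") and "Native vlan" in line:
            in_table = True          # header of the first table
            continue
        if in_table:
            if not line.strip():     # blank line ends the first table
                in_table = False
                continue
            m = TRUNK_ROW_RE.match(line)
            if m and m["status"] == "trunking":
                natives[m["port"]] = int(m["native"])
    return natives


def check_link(a_output, a_port, b_output, b_port):
    """Compare the native VLAN on the two ends of one trunk link.

    Returns (consistent, native_a, native_b, blocked_vlans). When the ends
    differ, STP blocks the port for both native VLANs until they agree.
    """
    native_a = parse_trunk_native(a_output)[a_port]
    native_b = parse_trunk_native(b_output)[b_port]
    if native_a == native_b:
        return True, native_a, native_b, set()
    return False, native_a, native_b, {native_a, native_b}


# Constructed outputs: SwitchA after "switchport trunk native vlan 2",
# SwitchB still on the default native VLAN 1, and SwitchB after the change.
SWITCH_A = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      2

Port        Vlans allowed on trunk
Gi0/1       1-4094
"""
SWITCH_B_BEFORE = SWITCH_A.replace("trunking      2", "trunking      1")
SWITCH_B_AFTER = SWITCH_A

if __name__ == "__main__":
    print(check_link(SWITCH_A, "Gi0/1", SWITCH_B_BEFORE, "Gi0/1"))  # (False, 2, 1, {1, 2})
    print(check_link(SWITCH_A, "Gi0/1", SWITCH_B_AFTER, "Gi0/1"))   # (True, 2, 2, set())
```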

Wednesday, March 10, 2010

Zenoss and Netscreen global policy training.

My teammate Sherwin Hidalgo conducted a training on Zenoss and Netscreen global policy during our weekly meeting. He is about to resign and this is part of the resignation process.

Zenoss is an open source NMS (Network Management System). We are currently moving to this platform to replace our CiscoWorks. Cisco's NMS is just unreliable; it sends a lot of false positive alarms. We wasted a lot of man hours setting it up and a lot of money on the licence.
  1. Search option at the upper right corner of the window. Put in the device hostname and press enter, and the device page will display. Inside the device window you have 7 tabs (Arrow Down, Status, OS, Hardware, Software, Events and Perf):
    1. Arrow – conduct connectivity tests from the Zenoss server to the device, like ping and snmpwalk.
    2. Status – check basic device information like IP address, MAC address etc.
    3. OS – check the device interfaces including the sub-interfaces. Click an interface to see its utilization graph.
    4. Events – check the alerts generated.
    5. Perf – check the CPU and memory utilization.
  2. Location option at the lower left corner of the window. It is one of the options under Browse By. Clicking it lets you browse the devices by location group.

Netscreen global policies are checked last in the firewall's policy lookup. The order is:
  1. Interzone – if the source and destination zones are different (e.g. trust to untrust).
  2. Intrazone – if the source and destination zones are the same, the security device performs a policy lookup in this policy set list. Traffic flows from one interface to another within the same zone.
  3. Global – if the security device does not find a match in the set above, it then checks the global policy list.

Global policies should be configured per Vsys and used for policies that are common to the entire Vsys (e.g. access to mail servers, shared internet access). Place the “Deny Any Any” at the end of the global list and remove it from the interzone and intrazone lists; otherwise the global policy will never be checked.
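Added example, not from the training notes: a toy Python model of the lookup order just described (interzone or intrazone first, then global, then an assumed implicit default deny), showing that a trailing deny-any-any in the interzone set means a global mail-access policy is never reached. The policies, zones and address names are constructed.

```python
"""Simulate the Netscreen (ScreenOS) policy lookup order: interzone or intrazone
first, then global. Added example, not from the post; policies and names are
constructed and the implicit default deny at the very end is assumed."""
from typing import NamedTuple


class Policy(NamedTuple):
    name: str
    src_zone: str   # "any" matches every zone (used by global policies)
    dst_zone: str
    src: str        # exact address name or "any" (no subnet matching in this toy)
    dst: str
    service: str    # service name or "any"
    action: str     # "permit" or "deny"


def matches(p, src_zone, dst_zone, src, dst, service):
    fields = ((p.src_zone, src_zone), (p.dst_zone, dst_zone),
              (p.src, src), (p.dst, dst), (p.service, service))
    return all(want == "any" or want == have for want, have in fields)


def lookup(interzone, intrazone, global_set, src_zone, dst_zone, src, dst, service):
    """Return (action, policy_name, set_name) for the first matching policy.

    Zones differ -> interzone set, zones equal -> intrazone set; the global set
    is only consulted when the first set has no match at all.
    """
    first = ("interzone", interzone) if src_zone != dst_zone else ("intrazone", intrazone)
    for set_name, policies in (first, ("global", global_set)):
        for p in policies:
            if matches(p, src_zone, dst_zone, src, dst, service):
                return p.action, p.name, set_name
    return "deny", "implicit-default", "none"


# Constructed sets: the global list carries the shared mail-access rule and the
# "deny any any" at its end, as recommended above; the interzone list either keeps
# its own trailing deny (SHADOWED) or has it removed (FIXED).
GLOBAL = [Policy("mail-access", "any", "any", "any", "mail-server", "SMTP", "permit"),
          Policy("global-deny-all", "any", "any", "any", "any", "any", "deny")]
INTERZONE_FIXED = [Policy("web-out", "trust", "untrust", "any", "any", "HTTP", "permit")]
INTERZONE_SHADOWED = INTERZONE_FIXED + [
    Policy("deny-all", "trust", "untrust", "any", "any", "any", "deny")]
INTRAZONE = []


def mail_from_trust(interzone):
    """Host pc1 in trust sending SMTP to mail-server in untrust, for the given interzone set."""
    return lookup(interzone, INTRAZONE, GLOBAL, "trust", "untrust", "pc1", "mail-server", "SMTP")


if __name__ == "__main__":
    print(mail_from_trust(INTERZONE_SHADOWED))  # ('deny', 'deny-all', 'interzone')
    print(mail_from_trust(INTERZONE_FIXED))     # ('permit', 'mail-access', 'global')
```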

Tuesday, March 9, 2010

Change STP VLAN priorities and implement STP root Guard

I created the change below to correct our STP load balancing between the primary core switch and the secondary core switch. The previous implementation set the VLAN STP priorities incorrectly, and we had to implement this change before we could add STP root guard on all uplink ports going to the edge switches. This is done to protect our core switches from losing the root of our STP domain to anyone who configures a switch connected to the edge with a lower priority.

With this implementation we can make sure that only the two core switches (primary and secondary) can be elected as the root bridge.

-----------+------------+------------
           | CoreSW1001 | CoreSW1002
-----------+------------+------------
Odd VLAN   | 8192       | 16384
-----------+------------+------------
Even VLAN  | 16384      | 8192
-----------+------------+------------

CoreSW1001:

conf t
spanning-tree vlan 215 priority 8192
spanning-tree vlan 202 priority 16384

CoreSW1002:

conf t
spanning-tree vlan 215 priority 16384
spanning-tree vlan 202 priority 8192

-------------------------
enabling STP Root Guard
-------------------------

CoreSW1001:

conf t
int r "all uplink interface"
spanning-tree guard root
end
wr mem

CoreSW1002:

conf t
int r "all uplink interface"
spanning-tree guard root
end
wr mem