Showing posts with label Cisco IOS.

Thursday, April 22, 2010

Port-security on shared hub and err-disable auto recovery

 ----------           ----------
| switch 1 |---------| switch 2 |
 ----------  Fa0/16   ----------
   |  |  |
  PC1 PC2 PC3   (Fa0/1, Fa0/2, Fa0/3)

PC1 = 00-0C-F1-xx-xx-xx
PC2 = 00-1D-09-yy-yy-yy

Step 1: (Base configuration)

Switch 2 (edge switch):

Uplink interface: Fa0/16

Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast disable


Switch 1 (mobile switch):

Uplink interface: Fa0/16
Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full


User interface for PC: Fa0/1, Fa0/2, Fa0/3
Config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable

Step 2: (Added port-security on uplink interface of Switch 2)

Added command below on Fa0/16
(config-if)#sw port-security
(config-if)#sw port-security violation shut
(config-if)#sw port-security mac-address sticky
(config-if)#sw port-security maximum 2

Switch 2(Edge switch):

Fa0/16 config:
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast disable

Step 3: (Connect PC1 to Fa0/1 of Switch1)

PC1----------Fa0/1 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/1 of Switch1 changed status to up
2. sh int status fa0/1 shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 000c.f1xx.xxxx
4. sh port-security address
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -

5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 000c.f1xx.xxxx
Security Violation Count   : 0

Step 4: (Connect PC1 and PC2 on Fa0/1 and Fa0/2 respectively)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/2 of Switch1 changed status to up
2. sh int status fa0/2 - shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 001d.09yy.yyyy
4. sh port-security address
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -
10    001d.09yy.yyyy    SecureSticky        Fa0/16       -
5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 001d.09yy.yyyy
Security Violation Count   : 0


Step 5: (Connect a rogue PC with MAC = 00-1D-09-zz-zz-zz to Fa0/3 of Switch1)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1
PC3----------Fa0/3 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to up
2. Log shows that int Fa0/16 of Switch1 changed status to down
3. sh int status fa0/3 - shows that the PC is connected
Switch2:
4. Log shows:
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.09zz.zzzz on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down

5. sh int fa0/16 status - Uplink interface goes to err-disabled state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       err-disabled 10           full    100 10/100BaseTX


Step 6: (Add errdisable auto recovery on switch2 then remove PC3)

(config)#errdisable recovery cause psecure-violation
(config)#errdisable recovery interval 30

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to down
2. Log shows that int Fa0/16 of Switch1 changed status to up
3. sh int status fa0/16 - shows the uplink as connected
Switch2:
4. Log shows:
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up

5. sh int fa0/16 status - Uplink interface goes to connected state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       connected    10           full    100 10/100BaseTX
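The log lines in steps 5 and 6 are exactly what a SOC would want to alert on, so here is an added example (not part of the original post) that turns them into detections. The Python below parses the three IOS message formats seen above (%PM-4-ERR_DISABLE, %PORT_SECURITY-2-PSECURE_VIOLATION, %PM-4-ERR_RECOVER), normalizes MAC notation so the violating address can be compared with the sticky list from "show run", and flags two things: a violating MAC that is not in the allow list, and a port that has been err-disabled more than once. The second check matters once "errdisable recovery" is on: if the rogue host is still attached when the 30-second timer recovers the port, the uplink goes straight back into err-disable, and everyone behind Switch 1 loses connectivity every 30 seconds. The sample log, the MAC addresses and the second violation are constructed for this example; the message formats are real.

```python
"""Parse Cisco IOS port-security / err-disable syslog lines and flag rogues.

Added example, not from the original post. Message formats are the ones IOS
logs; timestamps, MAC addresses and the second violation are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: violation, err-disable, auto-recovery ten minutes later,
# then a second violation because the rogue host is still plugged in.
SAMPLE_LOG = """\
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.0912.3456 on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:15: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.0912.3456 on  port FastEthernet0/16.
02:29:15: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
"""

# Sticky addresses as "show run" would list them after the two legitimate PCs
# were learned (constructed values).
STICKY_ALLOWED: dict[str, set[str]] = {
    "Fa0/16": {"000c.f1aa.bbcc", "001d.0901.0203"},
}

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9A-Fa-f.:-]+) on\s+port\s+(?P<port>[A-Za-z-]+\d+(?:/\d+)*)"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>[^,]+),"
)
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) "
    r"err-disable state on (?P<port>\S+)"
)
_IF_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi",
              "TenGigabitEthernet": "Te", "Port-channel": "Po"}


def norm_mac(mac: str) -> str:
    """Canonicalise 00-1D-09-.., 00:1d:09:.. or 001d.0912.3456 to IOS dotted form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def short_ifname(name: str) -> str:
    """FastEthernet0/16 -> Fa0/16 so log names and 'show run' names compare equal."""
    m = re.match(r"^([A-Za-z-]+?)(\d.*)$", name)
    if not m:
        return name
    kind, number = m.groups()
    return _IF_ABBREV.get(kind, kind) + number


@dataclass
class PortState:
    port: str
    violating_macs: list[str] = field(default_factory=list)
    disabled: int = 0    # psecure-violation err-disable events seen
    recovered: int = 0   # errdisable auto-recovery attempts seen


def analyse(log_text: str) -> dict[str, PortState]:
    """Fold the syslog stream into a per-port state table."""
    states: dict[str, PortState] = {}

    def state(port: str) -> PortState:
        port = short_ifname(port)
        return states.setdefault(port, PortState(port))

    for line in log_text.splitlines():
        if m := VIOLATION_RE.search(line):
            state(m["port"]).violating_macs.append(norm_mac(m["mac"]))
        elif (m := ERRDISABLE_RE.search(line)) and m["cause"] == "psecure-violation":
            state(m["port"]).disabled += 1
        elif (m := RECOVER_RE.search(line)) and m["cause"] == "psecure-violation":
            state(m["port"]).recovered += 1
    return states


def unexpected_macs(states: dict[str, PortState],
                    allowed: dict[str, set[str]]) -> dict[str, list[str]]:
    """Violating MACs that are not in the port's sticky allow list."""
    out: dict[str, list[str]] = {}
    for port, st in states.items():
        permitted = {norm_mac(m) for m in allowed.get(port, ())}
        rogue = sorted(set(st.violating_macs) - permitted)
        if rogue:
            out[port] = rogue
    return out


def flapping_ports(states: dict[str, PortState], threshold: int = 2) -> list[str]:
    """Ports err-disabled `threshold` times or more: with errdisable recovery on,
    the offending host is still attached and the uplink bounces every interval."""
    return sorted(p for p, st in states.items() if st.disabled >= threshold)


if __name__ == "__main__":
    st = analyse(SAMPLE_LOG)
    for port, macs in unexpected_macs(st, STICKY_ALLOWED).items():
        print(f"{port}: violation by unknown MAC(s) {', '.join(macs)}")
    for port in flapping_ports(st):
        print(f"{port}: err-disabled {st[port].disabled}x, recovered "
              f"{st[port].recovered}x; rogue host probably still attached")
```

Feed it the switch's syslog export instead of SAMPLE_LOG and the sticky list from each uplink's running config; the interface-name normalization is what lets the two sources be joined.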

Tuesday, March 9, 2010

Change STP VLAN priorities and implement STP root Guard

I created the change below to correct our STP load balancing between the primary core switch and the secondary core switch. The previous implementation set the VLAN STP priorities incorrectly, and we have to fix this before we can add STP root guard on all uplink ports going to the edge switches. Root guard protects our core switches from losing the root role to anyone who connects a switch at the edge with a lower priority: an edge-facing port that receives a superior BPDU is put into the root-inconsistent (blocking) state and is released automatically once the superior BPDUs stop.

With this implementation only the two core switches (primary and secondary) can be elected as the root bridge, as long as every VLAN gets its priority set on both cores.

-----------+------------+------------
           | CoreSW1001 | CoreSW1002
-----------+------------+------------
Odd VLANs  | 8192       | 16384
Even VLANs | 16384      | 8192
-----------+------------+------------

CoreSW1001:

conf t
spanning-tree vlan 215 priority 8192
spanning-tree vlan 202 priority 16384

CoreSW1002:

conf t
spanning-tree vlan 215 priority 16384
spanning-tree vlan 202 priority 8192

-------------------------
Enabling STP root guard
-------------------------

Apply it only on the ports facing the edge switches, not on the link between the two cores: for the VLANs where the other core is root, a root-guarded inter-core port would receive superior BPDUs and be blocked.

CoreSW1001:

conf t
interface range <all uplink interfaces to the edge switches>
spanning-tree guard root
end
wr mem

CoreSW1002:

conf t
interface range <all uplink interfaces to the edge switches>
spanning-tree guard root
end
wr mem

Friday, March 5, 2010

Enabling Cisco device to authenticate locally to VTY/Con line

My wife called me yesterday asking how to enable authentication on the VTY lines using a created local account. I tried to walk her through it and asked her for some details about the username command, which is the command that creates the local account and its password. She said they had already done that part, but when they tried to remote into the device the account and password were not accepted. So the next thing I asked was to check what configuration they had put inside the VTY line. To cut the story short, we ended the call without resolving the issue, and I told her that I would simulate this when I arrived at the office.

At around 6 PM, when I was already free, I decided to go ahead with the simulation using the two Catalyst Cisco switches in my cubicle. I set up a switch with the power cable and a console cable connection to my PC. I started configuring the switch with "username deviceadmin privilege 15 secret 0 MyPasswd"; then, instead of using the VTY line, I decided to use the con line since I was already connected to it. I entered the con line and searched the list of available commands; the only command I found relevant to my problem was the login command with the parameter local. I used the command, saved my config, then reloaded the switch.

After the reload I was asked for a user and password, so I entered the username information that I had just created, and it was a success. My newly created local account was used to authenticate access to my console. I went further and created another account with lesser privilege, and again it was accepted, with the limitation of not being able to enter configure terminal. For the complete commands please check below.

Commands:

SW01#conf t
SW01(config)#username deviceadmin privilege 15 secret 0 MyPasswd
SW01(config)#line con 0
SW01(config-line)#login local

Thursday, March 4, 2010

STP VLAN root primary|secondary 2nd post

I just found out today from my lead that we are not really using the command above as part of our VLAN creation steps; instead we statically set the VLAN priority to 8192 for the root bridge and 16384 for the secondary root bridge.
We only tried to use the Cisco macro commands root primary and root secondary because our boss insisted on using them. Now we know that these commands set the priority values 24576 and 28372 on the root and the secondary root bridge respectively.
I don't really see any problem in using the macro command or setting the priority value yourself, as long as you are consistent and don't mix the two commands in a single setup.

Tuesday, March 2, 2010

STP VLAN root primary|secondary

I was just testing this on a live network. We were trying to find out how this Cisco macro command sets the STP priority. We expected to get a priority of 8192 for the primary root bridge and 16384 for the secondary root bridge, but after we created a new VLAN and ran the commands on our primary core switch as the primary root and on the secondary core as the secondary root, we got the settings below:

Core1:

Core1#sh run | i span

Spanning-tree vlan 999 priority 24576

Core2:

Core2#sh run | i span

Spanning-tree vlan 999 priority 28372

We really don't know why this priority setting is different from the previous VLAN STP implementations done on the same core switches.

I’ll be posting the answers if I can find out the explanation behind this.