PLEASE LEAVE YOUR SUGGESTION AND COMMENTS

Sunday, 30 October 2011

Private VLANs

How to create private VLANs. Below are the steps I follow:

1> Create a map of your network: which interfaces are involved and which port mode each one gets.
2> Create the primary VLAN and the secondary VLANs (isolated and community) and associate the secondary VLANs with the primary VLAN.
3> Add the host interfaces to either the isolated VLAN or a community VLAN.
4> Finally add the promiscuous port and map the private VLANs that are allowed to reach it.

1> Creating the map
Primary vlan: 200
f4/27            Router   --> promiscuous port
f4/26            FTP      --> isolated, vlan 210
f4/24 and f4/25  WWW, SQL --> community, vlan 205

2.a> Creating the primary VLAN and the secondary VLANs
conf t
! private VLANs require the switch to be in VTP transparent mode (VTP v1/v2)
vtp mode transparent
vlan 200
private-vlan primary
exit
vlan 205
private-vlan community
exit
vlan 210
private-vlan isolated
exit
================
2.b> Associating the secondary VLANs with the primary VLAN

Associating 205 and 210 with primary VLAN 200:

vlan 200
private-vlan association 205,210

===============
Verify the VLAN types and the association with:
show vlan private-vlan type
============

Configuring the FastEthernet ports now.

3> Add host ports to the private VLANs and set their mode (the community port for WWW; fa4/25 and the isolated port fa4/26 are done the same way with their own secondary VLAN)

int fa4/24
switchport mode private-vlan host
switchport private-vlan host-association 200 205

4> Creating the promiscuous port and mapping the private VLANs that can reach it

int fa4/27
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205,210
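The full port-side configuration for the map above, as an added example that is not part of the original post: the community ports fa4/24 and fa4/25, the isolated port fa4/26 and the promiscuous port fa4/27, followed by the commands to verify the result. Interface names and VLAN numbers come from the post; the use of `interface range` and the verification commands are my additions.

```cisco
! Added example: complete private-VLAN port configuration for the map in the post.
! Interfaces and VLAN ids follow the post; the layout is an illustration.
conf t
!
! community host ports: WWW and SQL can reach each other and the promiscuous port
interface range fastEthernet 4/24 - 25
 switchport mode private-vlan host
 switchport private-vlan host-association 200 205
!
! isolated host port: FTP can reach only the promiscuous port, nothing else in VLAN 200
interface fastEthernet 4/26
 switchport mode private-vlan host
 switchport private-vlan host-association 200 210
!
! promiscuous port: the router sees every secondary VLAN mapped here
interface fastEthernet 4/27
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 205,210
end
!
! verification: VLAN types, associations and the per-port administrative mode
show vlan private-vlan
show interfaces fastEthernet 4/26 switchport
```

The check worth doing after this is a ping test between the hosts: FTP on fa4/26 must reach the router on fa4/27 but not WWW or SQL, while WWW and SQL reach each other and the router. If FTP can reach WWW, the port is in the wrong secondary VLAN or the association in step 2.b is missing. Note that the isolation is only enforced inside the switch; the router on the promiscuous port can still forward between hosts unless it is told not to (for example with an ACL), so the layer-3 policy has to match the layer-2 design.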



Thursday, 27 October 2011

Securing L2

To use most of the port-level security features of a Cisco L2 switch, first make the port an access port. Port security is rejected on a port that is still in dynamic (DTP) mode.


Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface f0/1
Switch(config-if)#switchport mode access       ---> converts f0/1 to an access port
Switch(config-if)#switchport port-security     ---> enables port security on the interface; the options below are added as further commands


Switch(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)#switchport port-security maximum 1   ---> only 1 MAC address may be learned on this interface


Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode   ---> silently drops frames from any additional MAC address; no syslog message or SNMP trap
  restrict  Security violation restrict mode  ---> drops the frames, logs the violation (syslog/SNMP trap) and increments the violation counter
  shutdown  Security violation shutdown mode  ---> puts the port into err-disabled state (the default)


Switch#show port-security interface f0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0   ---> increments on every violation in restrict or shutdown mode


To bring back a port that port security has put into err-disabled state (violation mode shutdown), either bounce it by hand (shutdown, then no shutdown) or let errdisable recovery re-enable it automatically:
conf t
errdisable recovery cause psecure-violation   ! port-security violations; "security-violation" is the cause for 802.1X violations
errdisable recovery interval <time in seconds>

To learn addresses dynamically but still limit how many are allowed, combine maximum with sticky: sticky addresses are learned from traffic and then written into the running configuration as static secure addresses, so they survive a link flap (and a reload, once the config is saved):

Switch(config)#interface fastEthernet 0/2
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
Switch(config-if)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address
  <cr>
Switch(config-if)#switchport port-security mac-address sticky
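The whole procedure on one port, as an added example that is not from the original post: access mode, port security with a limit of two sticky addresses, the default shutdown violation mode, automatic err-disable recovery and the checks to run afterwards. The interface, VLAN and recovery interval are assumptions chosen for illustration.

```cisco
! Added example: one access port hardened with port security end to end.
! Interface fa0/3, VLAN 10 and the 300 s recovery interval are assumed values.
conf t
!
! global: recover err-disabled ports caused by port security after 300 seconds
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface fastEthernet 0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! shutdown (the default) err-disables the port on the third MAC address seen;
 ! restrict would keep the port up and only log and count the violations
 switchport port-security violation shutdown
 ! learn up to two addresses from traffic and keep them as static secure entries
 switchport port-security mac-address sticky
end
!
! checks: "Port Security: Enabled", the violation mode and the learned addresses
show port-security interface fastEthernet 0/3
show port-security address
show errdisable recovery
!
! sticky addresses are written to the running config; save it or they are lost on reload
show running-config interface fastEthernet 0/3
write memory
```

When reading `show port-security interface`, the two fields to watch are Port Status (Secure-up is normal, Secure-shutdown means a violation err-disabled the port) and Security Violation Count. With violation mode restrict the port never goes to err-disabled, so errdisable recovery does nothing for it; the syslog messages and the counter are then the only signal that an extra device appeared on the port.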


HSRP

My laptop's motherboard failed on me. I lost all my work, but I got it back and am now back on track. I tried to do HSRP on Packet Tracer, but it did not work. I searched some blogs, and Packet Tracer does not support HSRP or any other redundancy protocols. So I either had to use real switches or practice these labs on routers. L3 switches are out of my pocket, so I needed to reconfigure my GNS3. So I did labs on HSRP:

LAB 1> Use simple FastEthernet interfaces as part of standby
LAB 2> Use a VLAN interface as part of standby
LAB 3> Include a port channel
LAB 4> Use priority
LAB 5> Use preempt
LAB 6> Use timers in HSRP
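A minimal two-router HSRP configuration covering labs 1, 4, 5 and 6 above, added here as an example and not taken from the original post: both routers share the virtual address, R1 wins the active role through its higher priority, preempt lets it take the role back after a failure, and the timers are shortened. Addresses, the group number and the interface names are assumptions for illustration.

```cisco
! Added example: HSRP group 1 on two routers (R1 intended active, R2 standby).
! 192.168.10.0/24, group 1 and fa0/0 are assumed lab values.
!
! --- R1 ---
interface fastEthernet 0/0
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 ! higher priority than R2 (default is 100) makes R1 the active router
 standby 1 priority 110
 ! take the active role back when R1 returns after a failure
 standby 1 preempt
 ! hello 1 s, hold 3 s: failover in about 3 s instead of the default 10 s
 standby 1 timers 1 3
 no shutdown
!
! --- R2 ---
interface fastEthernet 0/0
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
 no shutdown
!
! --- verification on either router ---
show standby brief
show standby fastEthernet 0/0
```

For lab 2 the same `standby` lines go under `interface vlan <id>` on an L3 switch, and for lab 3 under a routed port-channel; the group, virtual IP and timers must match on both routers or the two will each think they are alone. `show standby brief` should list R1 as Active and R2 as Standby; shutting down fa0/0 on R1 and watching R2 take over, then bringing R1 back and seeing it preempt, is the test that the priority and preempt settings actually do what they are meant to.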

Done with HSRP...will keep posted

Sunday, 9 October 2011

Port Channel- single vlan- L2

In this scenario, I wanted to check the etherchannel between 2 L2 switches for a single vlan. I am going to paste the config of a single switch as the config of the other switch is not different.

interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 channel-protocol pagp
 channel-group 1 mode desirable
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 channel-protocol pagp
 channel-group 1 mode desirable
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 channel-protocol pagp
 channel-group 1 mode desirable
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
!
interface Port-channel 1
 switchport access vlan 100
!
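The same three-link PAgP bundle written with `interface range` and with the switchport settings applied on the logical Port-channel interface, plus the commands that confirm the bundle actually formed; this is an added example, not the configuration from the post. Interface numbers, VLAN 100 and channel group 1 follow the post; the rest is an assumption for illustration.

```cisco
! Added example: the port-channel from the post, configured via interface range
! and verified. Same VLAN (100) and group (1) as in the post.
conf t
!
interface range fastEthernet 0/1 - 3
 switchport mode access
 switchport access vlan 100
 channel-protocol pagp
 channel-group 1 mode desirable
!
! settings made on the logical interface are pushed to every member port,
! so the members stay identical; a member whose settings differ is suspended
interface Port-channel 1
 switchport mode access
 switchport access vlan 100
end
!
! verification: the bundle should show "SU" (Layer 2, in use) and every member
! "P" (bundled); "s" marks a suspended member and "D" a down link
show etherchannel summary
show pagp neighbor
show interfaces Port-channel 1
```

On the peer switch the members must be in mode desirable or auto (auto on both sides never negotiates a bundle), and their access VLAN and switchport mode must match, otherwise `show etherchannel summary` shows the mismatched link as suspended while the others carry the traffic. FastEthernet0/4 is deliberately left out of the group in the post; it is a plain access port for a host in VLAN 100.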