Sunday, 5 January 2025

What is uplinkfast?

 

Spanning tree UplinkFast is a Cisco-specific enhancement to the Spanning Tree Protocol (STP). It's designed to improve the convergence time in the event of a direct link failure, especially in access-layer switches with redundant links to the distribution layer.




Here's how it works:

Quick Recovery: When the primary uplink fails, UplinkFast allows the switch to quickly transition the blocked port to forwarding, bypassing the usual listening and learning states.

Preventing Loops: It modifies the Bridge Protocol Data Units (BPDUs) to prevent loops by increasing the path cost and setting the local bridge priority.

Immediate Restoration: This feature ensures that connectivity is restored almost immediately, reducing downtime significantly.

UplinkFast is typically used in access-layer switches and should be deployed carefully to avoid potential issues with MAC address tables. 

Key points:-






  • legacy/cisco proprietary feature
  • uplinkfast is for speeding convergence when a direct link to an upstream switch fails. 
  • when uplinkfast is enabled, it is enabled for the entire switch and all VLANs.

  • this feature is not allowed on the root bridge switch. 
  • when uplinkfast is configured, the bridge priority is changed to 49,152 so that this switch will not be selected as root.



We have three switches. Switch-1 is our Root, and two others are non-root switches. Switch-1's ports are Desg FWD because it's a root. Switch-2's gig0/0 port is a Root FWD, and gig 0/1 is a Desg FWD. Switch-3's gig0/0 is Root FWD, and gig1/0 is an Altn BLK state port. so that's what we have, now switch-3 uses gig0/0 to reach the root bridge, what if the port shuts down? how long does it take for switch-3 to make a transition? let's see. 


switch-1#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c58.a85e.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0c58.a85e.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 4         128.1    Shr
Gi0/1               Desg FWD 4         128.2    Shr





switch-2#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c58.a85e.0000
             Cost        4
             Port        1 (GigabitEthernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0c2e.adf7.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    Shr
Gi0/1               Desg FWD 4         128.2    Shr



switch-3#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c58.a85e.0000
             Cost        4
             Port        1 (GigabitEthernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0c33.c353.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    Shr
Gi0/1               Altn BLK 4         128.2    Shr


switch-3#debug spanning-tree events
Spanning Tree event debugging is on
switch-3(config)#interface gigabitEthernet 0/0
switch-3(config-if)#shutdown


*Jan  5 08:15:36.684: STP: VLAN0001 new root port Gi0/1, cost 8
*Jan  5 08:15:36.684: STP: VLAN0001 Gi0/1 -> listening
*Jan  5 08:15:36.684: STP[1]: Generating TC trap for port GigabitEthernet0/0
*Jan  5 08:15:36.685: STP: VLAN0100 we are the spanning tree root

*Jan  5 08:15:38.685: STP: VLAN0001 sent Topology Change Notice on Gi0/1
*Jan  5 08:15:51.686: STP: VLAN0001 Gi0/1 -> learning
*Jan  5 08:16:06.686: STP[1]: Generating TC trap for port GigabitEthernet0/1
*Jan  5 08:16:06.686: STP: VLAN0001 Gi0/1 -> forwarding


switch-3#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c58.a85e.0000
             Cost        8
             Port        2 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0c33.c353.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.2    Shr

after a long time of listening and learning forwarding. our previous  Gig0/1 Altn BLK port is now Root FWD. This process takes time. now we have configure the Cisco Uplinkfast feature.  

switch-3(config)#interface gigabitEthernet 0/0
switch-3(config-if)#no shutdown
switch-3(config-if)#exit

switch-3(config)#do show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c58.a85e.0000
             Cost        4
             Port        1 (GigabitEthernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0c33.c353.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    Shr
Gi0/1               Altn BLK 4         128.2    Shr

switch-3(config)#spanning-tree uplinkfast
switch-3(config)#end

switch-3#debug spanning-tree events
Spanning Tree event debugging is on

*Jan  5 08:22:15.071: STP: VLAN0001 new root port Gi0/1, cost 3008
*Jan  5 08:22:15.071: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0001 GigabitEthernet0/1 moved to Forwarding (UplinkFast).

wooo no listening no learning direct forwarding) this is Uplinkfast....

switch-3#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c58.a85e.0000
             Cost        3008
             Port        2 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
             Address     0c33.c353.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
  Uplinkfast enabled
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 3004      128.2    Shr

you see after we configure the Uplinkfast feature this switch means switch-3 bridge ID priority is changed. now this switch will never be a root bridge. unless we disable uplink fast. so never configure Uplink fast on the root switch. 
By at No comments:
Labels:

Saturday, 7 September 2024

What is layer 3 etherchannel? How to configure layer 3 etherchannel?

EtherChannel technology allows us to bundle multiple physical links into one logical link. It is used to increase the bandwidth and provide redundancy between multiple layer 2 / layer 3 interfaces. Layer 2 EtherChannel operates on the data link layer, but layer 3 EtherChannel operates at the network layer, allowing it to route traffic.  Ether-channel load balances traffic over all the links in the bundle. We can use a maximum 8 physical interfaces to configure the bundle into a single logical link.

Note:- when we configure the port channel (layer 3) we must configure No switchport command before using the command port-channel. if we do not configure no switchport command. the port channel will be the default layer 2 channel and we can not change it. To avoid this, configure no switchport command. 


let's see the configuration of layer 3 EtherChannel:-

Topology:-




Goal: configure layer 3 port-channel verify with show commands and configure routing verify with ping.

  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure portchannel
  • verify port-channel
  • configure routing EIGRP 
  • configure IP on VLAN 1
  • verify with show commands. 
  • ping 



IOU1(config)#interface range ethernet 0/0-3
IOU1(config-if-range)#no switchport

IOU1(config-if-range)#channel-group 10 mode on
Creating a port-channel interface Port-channel 10
IOU1(config-if-range)#exit

IOU1(config)#interface port-channel 10
IOU1(config-if)#ip address 192.168.10.1 255.255.255.0
IOU1(config-if)#no shutdown
IOU1(config-if)#exit

 %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel10, changed state to up


IOU2(config)#interface range ethernet 0/0-3
IOU2(config-if-range)#no switchport
IOU2(config-if-range)#channel-group 10 mode on
Creating a port-channel interface Port-channel 10
IOU2(config-if-range)#exit

IOU2(config)#interface port-channel 10
IOU2(config-if)#ip address 192.168.10.2 255.255.255.0
IOU2(config-if)#no shutdown
IOU2(config-if)#exit

%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel10, changed state to up




IOU1#show etherchannel port-channel
                Channel-group listing:
                ----------------------
 
Group: 10
----------
                Port-channels in the group:
                ---------------------------
 
Port-channel: Po10
------------
 
Age of the Port-channel   = 0d:00h:29m:12s
Logical slot/port   = 16/0          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Passive port list   = Et0/0 Et0/1 Et0/2 Et0/3
Port state          = Port-channel L3-Ag Ag-Inuse
Protocol            =    -
Port security       = Disabled
 
Ports in the Port-channel:
 
Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Et0/0    On                 0
  0     00     Et0/1    On                 0
  0     00     Et0/2    On                 0
  0     00     Et0/3    On                 0
 
Time since last port bundled:    0d:00h:29m:12s    Et0/3


IOU2#show etherchannel
                Channel-group listing:
                ----------------------
 
Group: 10
----------
Group state = L3
Ports: 4   Maxports = 4
Port-channels: 1 Max Port-channels = 1
Protocol:    -
Minimum Links: 0

IOU1(config)#ip routing

IOU1(config)#router eigrp 100
IOU1(config-router)#network 10.0.0.0
IOU1(config-router)#network 192.168.10.0
IOU1(config-router)#no auto-summary
IOU1(config-router)#exit


IOU2(config)#ip routing

IOU2(config)#router eigrp 100
IOU2(config-router)#network 20.0.0.0
IOU2(config-router)#network 192.168.10.0
IOU2(config-router)#no auto-summary
IOU2(config-router)#exit

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.10.1 (Port-channel10) is up: new adjacency

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.10.2 (Port-channel10) is up: new adjacency

IOU1(config)#interface ethernet 1/0
IOU1(config-if)#switchport
IOU1(config-if)#switchport mode access
IOU1(config-if)#switchport access vlan 1
IOU1(config-if)#exit

IOU1(config)#interface vlan 1
IOU1(config-if)#ip address 10.1.1.1 255.0.0.0
IOU1(config-if)#no shutdown
IOU1(config-if)#exit

%LINK-3-UPDOWN: Interface Vlan1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up


IOU2(config)#interface ethernet 1/0
IOU2(config-if)#switchport
IOU2(config-if)#switchport mode access
IOU2(config-if)#switchport access vlan 1
IOU2(config-if)#exit

IOU2(config)#interface vlan 1
IOU2(config-if)#ip address 20.1.1.1 255.0.0.0
IOU2(config-if)#no shutdown
IOU2(config-if)#exit

%LINK-3-UPDOWN: Interface Vlan1, changed state to up
\%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up


IOU2#ping 10.1.1.1 source 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms


IOU2#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.1 1 msec 5 msec 0 msec


By at No comments:
Labels:

Thursday, 29 August 2024

What is PPP PAP and CHAP? How to configure PPP PAP CHAP authentication?

 WAN Protocols


 Higher level Data Link Control Protocol HDLC is a Cisco proprietary WAN protocol that provides reliable delivery of data frames over a network or communication link. HDLC does not support authentication like PPP. HDLC is the default protocol on serial links.

PPP Point-to-Point Protocol is used in serial links, ethernet, frame Relay, atm, etc. PPP is a standard protocol that supports authentication, compression & error correction. PPP is not enabled by default we need to configure this on the serial link. 




Password Authentication Protocol PAP provides a simple and easiest method for a remote node simply to establish and develop its identity. PAP is done only upon initial link establishment. PAP is not a strong authentication protocol because the username and password are sent across the link in clear text. PPP PAP supports almost all the network products in the market today and on different systems. but PAP has some disadvantages like a security risk because username are sent in clear text meaning that they can be easily accessed. PPP PAP offers no protection against replay attacks.

Challenge Handshake Authentication Protocol CHAP is an encrypted authentication method that is required to verify the identity of the peer. Once the PPP link establishment phase is complete. the local router sends a unique "challenge" message to the remote node. the remote node responds with a value (MD5) the local router checks the response against its own calculation of the expected hash value. clear text username MD5 hashed password and also CHAP has the replay protection. 

lets see the configuration of PAP and CHAP:-https://youtu.be/ZXOXJLSXCG4?si=9qrXCMT8GRDlX8pJ

Topology:



Goal: first we configure CHAP authentication between router-1 and router-2, second we configure PAP between router-2 and router-3. in extra, we configure routing between routers. 

  • Configure the topology as per the diagram 
  • Configure the IP addresses as per the topology 
  • make sure interfaces and the default line protocol are UP
  • Configure PPP on serial 5/0
  • Configure CHAP authentication between router-1 and router-2 Serial link 5/0 
  • verify with show commands before and after applying CHAP
  • Configure PAP authentication between router-2 and router-3
  • verify with show commands before and after results.







Site-A-R-(config)#interface serial 5/0
Site-A-R-(config-if)#ip address 192.168.1.1 255.255.255.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#exit
 
Site-A-R-(config)#interface fastethernet 0/0
Site-A-R-(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#exit

 

Headoffice-R-(config)#interface serial 5/0
Headoffice-R-(config-if)#ip address 192.168.1.2 255.255.255.0
Headoffice-R-(config-if)#no shutdown
Headoffice-R-(config-if)#exit
 
Headoffice-R-(config)#interface serial 5/1
Headoffice-R-(config-if)#ip address 192.168.2.1 255.255.255.0
Headoffice-R-(config-if)#no shutdown
Headoffice-R-(config-if)#exit

 

Site-B-R-(config)#interface serial 5/1
Site-B-R-(config-if)#ip address 192.168.2.2 255.255.255.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#exit
 
 
Site-B-R-(config)#interface fastethernet 0/0
Site-B-R-(config-if)#ip address 30.1.1.1 255.0.0.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#no keepalive
Site-B-R-(config-if)#exit

 

Site-A-R-(config)#router eigrp 1
Site-A-R-(config-router)#network 10.0.0.0
Site-A-R-(config-router)#network 192.168.1.0
Site-A-R-(config-router)#no auto-summary
Site-A-R-(config-router)#exit

Site-B-R-(config)#router eigrp 1
Site-B-R-(config-router)#network 30.0.0.0
Site-B-R-(config-router)#network 192.168.2.0
Site-B-R-(config-router)#no auto-summary
Site-B-R-(config-router)#exit

*Aug 28 17:44:41.883: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial5/1) is up: new adjacency

 

Site-A-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial5/0                  192.168.1.1     YES manual up                    up

 

Headoffice-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial5/0                  192.168.1.2     YES manual up                    up
Serial5/1                  192.168.2.1     YES manual up                    up

 

Site-A-R-#show interfaces serial 5/0

Serial5/0 is up, line protocol is up

  Hardware is M4T

  Internet address is 192.168.1.1/24

  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation HDLC, crc 16, loopback not set

  Keepalive set (10 sec)

  Restart-Delay is 0 secs

  Last input 00:00:04, output 00:00:01, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: weighted fair

  Output queue: 0/1000/64/0 (size/max total/threshold/drops)

     Conversations  0/1/256 (active/max active/max total)

     Reserved Conversations 0/0 (allocated/max allocated)

     Available Bandwidth 1158 kilobits/sec

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     212 packets input, 14595 bytes, 0 no buffer

     Received 140 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     242 packets output, 16267 bytes, 0 underruns

     0 output errors, 0 collisions, 2 interface resets

     0 output buffer failures, 0 output buffers swapped out

     3 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 




Site-A-R-(config)#interface serial 5/0
Site-A-R-(config-if)#encapsulation PPP

Site-A-R-(config-if)#PPP authentication ?
  chap        Challenge Handshake Authentication Protocol (CHAP)
  eap         Extensible Authentication Protocol (EAP)
  ms-chap     Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  ms-chap-v2  Microsoft CHAP Version 2 (MS-CHAP-V2)
  pap         Password Authentication Protocol (PAP)
 
Site-A-R-(config-if)#PPP authentication chap
Site-A-R-(config-if)#exit


Site-A-R-(config)#username Headoffice-R- password internetworks
Site-A-R-(config)#end

 *Aug 28 17:52:18.371: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial5/0) is down: interface down
*Aug 28 17:52:21.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to down
*Aug 28 17:54:43.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to up
*Aug 28 17:54:44.035: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial5/0) is up: new adjacency


 

Headoffice-R-(config)#interface serial 5/0
Headoffice-R-(config-if)#encapsulation PPP
Headoffice-R-(config-if)#PPP authentication chap
Headoffice-R-(config-if)#exit

Headoffice-R-(config)#username Site-A-R- password internetworks

*Aug 28 17:53:15.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to up
*Aug 28 17:53:16.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial5/0) is up: new adjacency


 

 

Site-A-R-# show interface serial 5/0
Serial5/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:02:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     179 packets input, 5542 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     177 packets output, 4729 bytes, 0 underruns
     0 output errors, 0 collisions, 30 interface resets
     0 output buffer failures, 0 output buffers swapped out
     30 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 

Read more »
By at No comments:
Labels:

Wednesday, 10 July 2024

How to configure the DHCP server on a Cisco ASA device?

How to configure the DHCP server on a Cisco ASA device?  



DHCP (Dynamic Host Configuration Protocol) servers provide all the basic information the client wants to operate on the network, including DNS address, Default Gateway, IP addresses, and subnet. masks and many more.

In this blog, we configure the Cisco ASA firewall to act as a DHCP (Dynamic Host Configuration Protocol) server. DHCP simplifies the process of IP address assignment in your network. In this scenario, we’ll set up the ASA to provide IP addresses to internal LANs using different DHCP scopes.

let's see the configuration: 

Topology:-




  • configure the topology as per the diagram 
  • configure the IP addresses on ASA and configure security
  • configure DHCP server on ASA 
  • verify the configuration with show commands and ping. 










ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.240 inside
ciscoasa(config)# dhcpd dns 8.8.8.8
ciscoasa(config)# dhcpd domain internetworks
ciscoasa(config)# dhcpd option 3 ip 192.168.1.1
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# exit

ciscoasa# show dhcpd binding

IP address       Client Identifier        Lease expiration        Type

    192.168.1.2    0100.5079.6668.00            2399 seconds    Automatic
    192.168.1.3    0100.5079.6668.01            2941 seconds    Automatic
    192.168.1.4    0100.5079.6668.02            2949 seconds    Automatic
    192.168.1.5    0100.5079.6668.03            2956 seconds    Automatic
    192.168.1.6    0100.5079.6668.04            2963 seconds    Automatic
    192.168.1.7    0100.5079.6668.05            2970 seconds    Automatic
    192.168.1.8    0100.5079.6668.06            2977 seconds    Automatic


ciscoasa# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools        1
Automatic bindings   7
Expired bindings     0
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          14
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            7
DHCPACK              14
DHCPNAK              0

ciscoasa# show dhcpd state
Context  Configured as DHCP Server
Interface inside, Configured for DHCP SERVER



PC2> ip dhcp
DORA IP 192.168.1.3/24 GW 192.168.1.1

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 192.168.1.3/24
GATEWAY     : 192.168.1.1
DNS         : 8.8.8.8
DHCP SERVER : 192.168.1.1
DHCP LEASE  : 2565, 3000/1500/2625
DOMAIN NAME : internetworks
MAC         : 00:50:79:66:68:01
LPORT       : 10017
RHOST:PORT  : 127.0.0.1:10018
MTU:        : 1500


By at No comments:
Labels:

Sunday, 30 June 2024

What is Cisco Management VLAN? How to configure VLAN management? | CCNA Security

 

What is a Management VLAN?

Management VLAN is a VLAN that is used for Managing and monitoring network devices like routers, switches, and other devices from a remote location by using protocols such as telnet, SSH, SNMP,syslog, etc.  The purpose of the management VLAN is to configure designated the VLAN for configuration purposes. Cisco recommends not to use VLAN 1 and not to use any VLAN that carries user data traffic as management VLAN. Normally the Management VLAN is VLAN1, but you can use any VLAN as a management VLAN. Once you configure the Management VLAN for administration, the data plane traffic and management traffic will be isolated this reduces the interference, and also with this VLAN security will be enhanced for management traffic.  

Let’s see the configuration for better understanding.

Topology:-





Read more »
By at No comments:
Labels:

Thursday, 27 June 2024

Cisco ASA access management with ASDM, SSH, telnet and dedicated management interface.

 

A Cisco ASA firewall is a barrier between LAN and WAN networks (trusted and untrusted networks), we configure the firewall in the forwarding path of the network so each packet has to be checked by our firewall. Cisco ASA firewall offers several ways to connect and interact. The Administrative user can access the ASA using Telnet, Secure Shell SSH, and ASDM.   




Cisco ASA supports In-band management and Out-band management.

In-band management ASA uses the same data network that carries regular user traffic and protocols like Telnet, SSH, or HTTPS over the same network interfaces that handle user traffic. Inband management uses the same transit path as user traffic. (data plane  management plane)




you can see the data plane traffic (normal traffic) and management plane ( Telnet, SSH, and ASDM traffic) using the same transit path. it can be any interface fast ethernet, gigabyte ethernet serial interface, or loopback but not a dedicated management interface. 

Now this kind of topology has advantages and disadvantages.  It's easy to configure because of the existing network infrastructure and no need for separate dedicated management interfaces. Disadvantages are a security risk, dependent on network availability and shared resources. 


Out-band management  

Out-band management Cisco ASA offers a dedicated management interface separate from regular data interfaces.  The administrator uses a dedicated management physical port on the ASA to access the device and this interface is only used for outbound management purposes. 





Out-band management isolates management traffic from normal data traffic. The console port and management physical port both are out-band management.  


let's see the configuration of all the methods to access the ASA firewall, 

  1. in the first lab, we are going to configure the Talent
  2. in the second lab, we are going to configure the Secure Shell
  3. in the third lab, we are going to configure a dedicated management interface
  4. in the fourth  lab, we are going to configure the ASDM


 First lab topology:-



  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology 
  • configure the zone inside and outside 
  • enable telnet because by default telnet is disabled on ASA 
  • configure router-1 to act as a PC for verification. 

  

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms

ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# security 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# username admin password admin
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside

R1#telnet 192.168.1.1 /source-interface fastEthernet 0/0
Trying 192.168.1.1 ... Open

User Access Verification
Password:

ciscoasa> enable
Password:

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
ciscoasa#
ciscoasa# exit
Logoff

[Connection to 192.168.1.1 closed by foreign host]
R1#
R1#



Read more »
By at No comments:
Labels:

Tuesday, 18 June 2024

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall

ZBF (Zone Based Firewall) is the stateful firewall that is available on Cisco IOS routers, introduced in 2006. ZBF supports deep packet inspection just like an ASA. ZBF works based on the concept of security zones. You can name the zones whatever you want. In ZBF we don’t assign access-list to the interface. We create zones and the interface will be configured to the different zones (one interface can only be a member of one zone) and security policies will be assigned. The default policy is to block all the traffic unless we explicitly allow it.

 

  • Zone-Based Model: Interfaces are assigned to zones, and inspection policy is applied to traffic moving between these zones.
  • Flexible Configuration: Allows for more granular control of traffic based on zones rather than just interfaces.
  • Stateful Inspection: Maintains the state of active sessions and inspects traffic accordingly.
  • Successor to CBAC: ZBF is considered the successor to Context-Based Access Control (CBAC), offering enhanced security features.


let's see the configuration on ZBF:-

Topology:-




Goal:

  • configure the topology as per the topology 
  • assign IP addresses as per the topology 
  • configure EIGRP 100 and advertise all the interfaces 
  • configure router-2 for ZBF. 
  • configure zones INSIDE for LAN and OUTSIDE  zone for internet
  • configure ACL extended 
  • allow PC 2 to ping server 30.1.1.11
  • allow telnet from INSIDE
  • leave rest for the default
  • verify the configurations telnet, ping, and show commands. 








(first, configure the IP addresses on PC-1 and PC-2 inside the zone)

PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1

PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10026
RHOST:PORT  : 127.0.0.1:10027
MTU:        : 1500

PC2> ip 10.1.1.11 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.11 255.0.0.0 gateway 10.1.1.1

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10028
RHOST:PORT  : 127.0.0.1:10029
MTU:        : 1500

PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=0.583 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=0.495 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=0.511 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=0.780 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=0.759 ms

Configure the IP addresses between the routers and LAN interfaces


R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 192.168.2.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

Configure the IP addresses on server-1 and server-2 in the outside zone


server2> ip 30.1.1.10 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.10 255.0.0.0 gateway 30.1.1.1

server2> show ip
NAME        : server2[1]
IP/MASK     : 30.1.1.10/8
GATEWAY     : 30.1.1.1
DNS         :
MAC         : 00:50:79:66:68:04
LPORT       : 10034
RHOST:PORT  : 127.0.0.1:10035
MTU:        : 1500

server> ip 30.1.1.11 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.11 255.0.0.0 gateway 30.1.1.1

server> show ip
NAME        : server[1]
IP/MASK     : 30.1.1.11/8
GATEWAY     : 30.1.1.1
DNS         :
MAC         : 00:50:79:66:68:05
LPORT       : 10036
RHOST:PORT  : 127.0.0.1:10037
MTU:        : 1500


Configure routing between routers and advertise directly connected interfaces


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 192.168.1.0
R2(config-router)#network 192.168.2.1
R2(config-router)#no auto-summary
R2(config-router)#exit

R3(config)#router eigrp 100
R3(config-router)#network 192.168.2.0
R3(config-router)#network 30.0.0.0
R3(config-router)#no auto-summary
R3(config-router)#exit


verify the connectivity with ping from PC-1 to server-1


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1

PC1> ping 30.1.1.10
84 bytes from 30.1.1.10 icmp_seq=1 ttl=61 time=115.597 ms
84 bytes from 30.1.1.10 icmp_seq=2 ttl=61 time=94.468 ms
84 bytes from 30.1.1.10 icmp_seq=3 ttl=61 time=94.519 ms
84 bytes from 30.1.1.10 icmp_seq=4 ttl=61 time=78.793 ms
84 bytes from 30.1.1.10 icmp_seq=5 ttl=61 time=78.209 ms

As you can see the connectivity is good, now configure the telnet config on router-1 and router-2 for testing do not configure the login password. 



R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#exit

*Jun 17 11:54:55.771: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

R3>
R3>
R3>
R3>

Our inside router-1 can telnet router-3, same way configure telnet on router-3



R3(config)#line vty 0 4
R3(config-line)#lo
R3(config-line)#no login
R3(config-line)#exit
R3(config)#end
R3#
R3#
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>
R1>
R1>
R1>

Now configure zone name INSIDE for our LAN traffic and OUTSIDE zone 

R2(config)#zone security INSIDE
R2(config-sec-zone)#exit
R2(config)#zone security OUTSIDE
R2(config-sec-zone)#exit

R2(config)#interface serial 4/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#exit

the default policy is to block all the traffic unless we explicitly allow it. so now configure ACL and permit 10.1.1.11 to ping and permit 10.1.1.1 for telnet. 


R2(config)#ip access-list extended 150
R2(config-ext-nacl)#permit icmp host 10.1.1.11 any echo
R2(config-ext-nacl)#permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
R2(config-ext-nacl)#exit

R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)

configure a class map to classify the traffic for inspected


R2(config)#class-map type inspect INSIDE-OUTSIDE-CLASS
R2(config-cmap)#match access-group 150
R2(config-cmap)#exit

configure policy map to define ZBF policies on classified traffic


R2(config)#policy-map type inspect INSIDE-OUTSIDE-POLICY
R2(config-pmap)#class type inspect INSIDE-OUTSIDE-CLASS
R2(config-pmap-c)#inspect
R2(config-pmap-c)#exit
R2(config-pmap)#exit

configure zone pair

R2(config)#zone-security INSIDE-OUTSIDE-PAIR source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect INSIDE-OUTSIDE-POLICY
R2(config-sec-zone-pair)#exit


from router-1 try to access router-3 with telnet


R1#telnet 30.1.1.1 telnet /source-interface fastEthernet 0/0
Trying 30.1.1.1 ... Open
R3>
R3>
R3>
R3>show ip interface br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up


as you can see router-1 can access router-3 remotely with telnet, because we allow it 


R3#telnet 10.1.1.1 /source-interface fastEthernet 0/0
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding


but router-3 can not access router-1 with telnet because we didn't allow it. by default, all the traffic is blocked. 


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1



PC1> ping 30.1.1.11
30.1.1.11 icmp_seq=1 timeout
30.1.1.11 icmp_seq=2 timeout
30.1.1.11 icmp_seq=3 timeout
30.1.1.11 icmp_seq=4 timeout
30.1.1.11 icmp_seq=5 timeout

from the above output, you see that PC-1 can not ping servers because we didn't allow it. we allow PC-2 10.1.1.11 too ping any network

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1

PC2> ping 30.1.1.11
84 bytes from 30.1.1.11 icmp_seq=1 ttl=61 time=127.289 ms
84 bytes from 30.1.1.11 icmp_seq=2 ttl=61 time=94.466 ms
84 bytes from 30.1.1.11 icmp_seq=3 ttl=61 time=94.540 ms
84 bytes from 30.1.1.11 icmp_seq=4 ttl=61 time=93.967 ms
84 bytes from 30.1.1.11 icmp_seq=5 ttl=61 time=94.784 ms


R2#show zone-pair security
Zone-pair name INSIDE-OUTSIDE-PAIR
    Source-Zone INSIDE  Destination-Zone OUTSIDE
    service-policy INSIDE-OUTSIDE-POLICY


R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)

R2#show zone security INSIDE
zone INSIDE
  Member Interfaces:
    Serial4/0

R2#show zone security OUTSIDE
zone OUTSIDE
  Member Interfaces:
    Serial4/1


if you like this blog please visit to our YouTube channel https://www.youtube.com/@internetworkss


By at 2 comments:
Labels:

Saturday, 15 June 2024

What are TACACS+ RADIUS and Diameter protocols? How to configure TACACS+ RADIUS in cisco packet tracer? CCNA security

What are TACACS+ RADIUS and Diameter protocols? 


 TACACS+ RADIUS and Diameter is a protocol to provide a centralized management system for AAA Authentication, Authorization, and Accounting. An ACS (Access Control Server) supports RADIUS and TACACS+ protocols and is commonly used in enterprise environments. TACACS+, RADIUS, and Diameter have some key differences. (if you are not familiar with AAA please click here )


Types of AAA Protocols

  • Terminal access controller access-control system plus (TACACS+)
  • Remote authentication dial-in user service (RADIUS)
  • Diameter

TACACS+ (Terminal Access Controller Access Control System) is an enhancement to TACACS developed by Cisco. Which means TACACS+ is Cisco's proprietary protocol. TACACS+ is mainly used for device administration using ACS (Access Control Server). TACACS+ is used for the communication between the client and the Cisco ACS server. TACACS+ is a reliable protocol because it uses TCP port 49 for communication and the TACACS+ communication is encrypted means all the packets is encrypted. TACACS+ provides more control over accounting and authorization. TACACS+ combines authentication and authorization in one step.


Remote Access Dial-In User Service (RADIUS) is the IEFT standard protocol. The RADIUS protocol is used for communication between any vendor (cisco or non-cisco) AAA client and ACS server. If you are using multiple vendors devices then you can use RADIUS. In RADIUS communication is faster but a bit less reliable uses UDP port 1645/1812 for authentication and 1646/1813 for accounting. In a single process authentication and authorization can be done. RADIUS key with MD5 is used to hide the user password.

 The Diameter protocol is a AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. Diameter is an advanced Authentication, Authorization, and Accounting (AAA) protocol that evolved from the earlier RADIUS protocol. It’s part of the application layer protocols in the Internet protocol suite. 


let's see the configuration of the AAA TACACS+ and RADIUS server:

Topology:-




Goal: TACACS+

  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology
  • configure dynamic routing between the network 
  • configure AAA authentication and key internet same for both (router and server)
  • verify with telnet from PC-1 192.168.10.30
  • configure RADIUS server 
  • verify with telnet from remote PC- 192.168.30.10


ROUTER-1(config)#interface gigabitEthernet 0/1
ROUTER-1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit

ROUTER-1(config)#interface gigabitEthernet 0/0
ROUTER-1(config-if)#ip address 192.168.20.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit
 
ROUTER-2(config)#interface gigabitEthernet 0/0
ROUTER-2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-2(config)#interface gigabitEthernet 0/1
ROUTER-2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-1(config)#router eigrp 100

ROUTER-1(config-router)#network 192.168.10.0

ROUTER-1(config-router)#network 192.168.20.0

ROUTER-1(config-router)#no auto-summary

ROUTER-1(config-router)#exit


%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency




ROUTER-2(config)#router eigrp 100

ROUTER-2(config-router)#network 192.168.20.0

ROUTER-2(config-router)#network 192.168.30.0

ROUTER-2(config-router)#no auto-summary

ROUTER-2(config-router)#exit


%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency




ROUTER-1(config)#username admin password internet
ROUTER-1(config)#tacacs-server host 192.168.10.10
ROUTER-1(config)#tacacs-server key cisco123

ROUTER-1(config)#aaa new-model
ROUTER-1(config)#aaa authentication login cisco123 group tacacs+ local

ROUTER-1(config)#line console 0
ROUTER-1(config-line)#login authentication cisco123
ROUTER-1(config-line)#exit
ROUTER-1(config)#end

User Access Verification


Username: user1

Password:

ROUTER-1>

ROUTER-1>

ROUTER-1>

ROUTER-1>password is user1


C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::2D0:D3FF:FEBA:44B2

IP Address......................: 192.168.10.30

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1





(let's create another user with the name user2 and password user2)





(now verify with telnet from PC- 192.168.10.30)









ROUTER-1#show aaa sessions

Total sessions since last reload: 3

Session Id:4

Unique Id:4

User Name:user2

IP Address:192.168.10.30

Idle Time: 0

CT Call Handle: 0


Read more »
By at No comments:
Labels:
Subscribe to: Posts (Atom)

What is uplinkfast?

  Spanning tree UplinkFast is a Cisco-specific enhancement to the Spanning Tree Protocol (STP). It's designed to improve the convergenc...