Port-Security (Mac-Address Filtering)

Port-Security is well worth implementing, especially since the feature supports both static (sticky) and dynamically learned mac-address filtering.

Basic configuration:

##Open Interface##
(config)#int e0/2

##Enable Port-Security##
(config-if)#switchport port-security

##Allow a specific mac-address##
(config-if)#switchport port-security mac-address aabb.ccdd.eeff

##Only Allow a single mac-address##
(config-if)#switchport port-security maximum 1

##If policy is violated, err-disable port##
(config-if)#switchport port-security violation shutdown

Verify configuration on the interface:

#show port-security interface e0/2
Sw1#sh port-security int e0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aabb.ccdd.eeff:10
Security Violation Count   : 0

View from both devices:

Once the Router (R1) changes its mac-address, Sw1 will err-disable the switchport.

R1(config)#interface e0/0
R1(config-if)#mac-address aabb.ccff.eeff
Sw1#
*Jul  6 17:14:56.613: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
Sw1#
*Jul  6 17:14:56.613: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccff.eeff on port Ethernet0/2.
*Jul  6 17:14:57.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Sw1#
*Jul  6 17:14:58.617: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
Sw1#

To clear the err-disable, either put the original mac-address back on R1 or add the new mac-address to the port-security configuration on the interface. Then cycle the switchport (shut/no shut) and verify with a ping.
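The violation above is easy to spot on the console, but on a real network it arrives as syslog. As an added example (my code, not part of the original post), the following Python parses the two IOS messages that matter, %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE, correlates them per port, and compares the offending MAC against the MACs the port is configured to allow. The log text is the console output from this post with the wrapped lines rejoined, and CONFIGURED_MACS is a hypothetical inventory matching the port-security command above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Sw1 console output from this post, with the wrapped
# log lines rejoined. R1 changed its MAC from aabb.ccdd.eeff to aabb.ccff.eeff,
# so the secure port Et0/2 went err-disabled.
SAMPLE_LOG = """\
*Jul  6 17:14:56.613: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
*Jul  6 17:14:56.613: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccff.eeff on port Ethernet0/2.
*Jul  6 17:14:57.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Jul  6 17:14:58.617: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
"""

# Hypothetical inventory: the MAC(s) each secure port is configured to allow
# (mirrors "switchport port-security mac-address aabb.ccdd.eeff" on e0/2).
CONFIGURED_MACS = {"Et0/2": {"aabb.ccdd.eeff"}}

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\."
)
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)


def normalize_ifname(name):
    """Collapse IOS long/short interface names: 'Ethernet0/2' and 'Et0/2' -> 'Et0/2'."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    return m.group(1)[:2].capitalize() + m.group(2)


@dataclass
class Violation:
    port: str
    offending_mac: str
    err_disabled: bool
    allowed_macs: frozenset


def parse_violations(log_text, configured=CONFIGURED_MACS):
    """Extract port-security violations and correlate them with err-disable events."""
    err_disabled = set()
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if m:
            err_disabled.add(normalize_ifname(m.group("port")))

    violations = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue
        port = normalize_ifname(m.group("port"))
        violations.append(Violation(
            port=port,
            offending_mac=m.group("mac"),
            err_disabled=port in err_disabled,
            allowed_macs=frozenset(configured.get(port, ())),
        ))
    return violations


def recovery_commands(v):
    """IOS commands for the second fix the post describes (trust the new MAC,
    then bounce the port). Only apply them once the device behind the port has
    been confirmed as the one you expect; otherwise restore the original MAC."""
    return [
        f"interface {v.port}",
        f"switchport port-security mac-address {v.offending_mac}",
        "shutdown",
        "no shutdown",
    ]


if __name__ == "__main__":
    for v in parse_violations(SAMPLE_LOG):
        state = "err-disabled" if v.err_disabled else "up"
        print(f"{v.port}: {v.offending_mac} violated (allowed: {sorted(v.allowed_macs)}), port {state}")
        print("\n".join(recovery_commands(v)))
```

Feeding the same parser a syslog collector's stream instead of SAMPLE_LOG gives you a per-port record of which MAC tripped port-security and whether the port is still down, which is the information you need before deciding between the two fixes.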


If you want the learned mac-address to survive a reboot, you will need to use sticky learning:

(config)#int e0/2
(config-if)#switchport port-security mac-address sticky aabb.ccdd.eeff
#wr

If you get an error, run this first to remove the previously configured mac-address:

(config-if)#no switchport port-security mac-address aabb.ccdd.eeff 

##followed by: 

(config-if)#switchport port-security mac-address sticky aabb.ccdd.eeff

VLAN & VTP Basics

Creating VLANs is an easy task, but you may run into issues with the VLANs propagating to the other access switches (the VTP clients).

**Option One** (creates the VLAN)
(config)#vlan 10
(config-vlan)#name SALES

&

**Option Two** (creates the VLAN interface)
(config)#interface vlan 10
(config-if)#description SALES
(config-if)#ip address a.b.c.d x.x.x.x

Option two gives the VLAN a switched virtual interface with a static IP address, which is what you need for IP routing.


For EXTENDED VLANs (1006-4096), VTP mode must be Transparent. Server mode should throw an error, although IOL devices probably will not.

(config)#vtp mode transparent

By default, all Cisco Catalyst switches come preconfigured in VTP server mode. You will need to change this on every access switch that is not meant to serve VLANs. First, pick the mode:

(config)#vtp mode Server
or
(config)#vtp mode Transparent
or
(config)#vtp mode Client

then, set the domain

(config)#vtp domain CISCO

With client mode selected, this puts the switch in the same domain as the VTP server, allowing it to accept VLAN configs from the core or firewall. If you run into an MD5 digest checksum mismatch error, you may need to set the same password on all devices in the domain that need VTP configs, like this:

(config)#vtp password cisco

You will then want to issue the below command to show the current status: 

#show vtp status
Sw1>sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.1200
Configuration last modified by 0.0.0.0 at 7-5-19 23:13:37
Local updater ID is 0.0.0.0 (no valid interface found)


Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 0
MD5 digest                        : 0x87 0x6A 0xFA 0xCB 0xD3 0x27 0xDF 0x0C
                                    0x04 0xF4 0x94 0x8E 0x18 0xEA 0xE9 0x84
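When you have more than a handful of access switches, it helps to check the "show vtp status" output mechanically rather than by eye. As an added example (my code, not from the original post), the following Python parses the output into fields and checks the expectations stated above: an access switch should not be in server mode, a switch that needs extended VLANs must be transparent, and the domain must be set so it matches the server. The sample text is the "show vtp status" output from this post; the role names "access" and "server" are my own labels.

```python
import re

# Constructed sample: the "show vtp status" output shown in this post.
SAMPLE_VTP_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.1200
Configuration last modified by 0.0.0.0 at 7-5-19 23:13:37
Local updater ID is 0.0.0.0 (no valid interface found)


Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 0
MD5 digest                        : 0x87 0x6A 0xFA 0xCB 0xD3 0x27 0xDF 0x0C
                                    0x04 0xF4 0x94 0x8E 0x18 0xEA 0xE9 0x84
"""

# Matches "name : value" lines; the colon must be preceded by whitespace, so
# timestamps like "23:13:37" and the "Feature VLAN:" heading are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s+:\s+(?P<value>.*?)\s*$")


def parse_show_vtp_status(text):
    """Turn the 'name : value' lines of show vtp status into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit_vtp(text, role, extended_vlans=False):
    """Return findings against the VTP expectations described in this post.

    role: "server" for the switch that distributes VLANs,
          "access" for switches that should only receive them.
    extended_vlans: True if this switch needs VLANs 1006 and above.
    """
    f = parse_show_vtp_status(text)
    mode = f.get("VTP Operating Mode", "")
    domain = f.get("VTP Domain Name", "")
    findings = []
    if role == "access" and mode == "Server":
        findings.append("access switch is in VTP server mode; set 'vtp mode client' or 'vtp mode transparent'")
    if extended_vlans and mode != "Transparent":
        findings.append("extended VLANs need 'vtp mode transparent'; mode is " + (mode or "unknown"))
    if not domain:
        findings.append("no VTP domain configured; set 'vtp domain <name>' to match the server")
    return findings


if __name__ == "__main__":
    for finding in audit_vtp(SAMPLE_VTP_STATUS, role="access") or ["no findings"]:
        print(finding)
```

Run against the sample with role "access" it reports the one thing this post tells you to fix on access switches: the switch is still in server mode.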

Cisco Certification rebuild!

It’s official! Cisco has finally decided to do a complete rebuild of their certification program.

Check out the famous network blog by Kevin Wallace: https://www.kwtrain.com/blog/certupdate?cid=98b3de66-d267-46fd-b804-d5824a287ea8&fbclid=IwAR1Be9O8nZcTTXMyd6FsH-O30USC09wTzB03rAuDHhKO3HJzv3QSkHGFxfQ

This is all the information we have right now, but stay tuned and keep learning!

Objective Study Partner

Look, there are many areas of life where having a partner is the best, and the worst. When studying, two people setting common objectives and targets makes for a successful partnership.

Just like this blog, it’s a place for us to dump projects, resources, and roadblocks that we identified throughout our journey. Luckily, we have different paths but a similar journey.

Daniel called me one day and asked me if I’d be interested in setting real objective goals. Well… I’m an MBA (humble brag), aspiring Network guru and I know Daniel is amazing at what he does, but he’s gonna have to write about that… With all of this said, what could I lose? It’s obviously in my blood to set goals and achieve them.

Daniel and I both have CCNAs – to date. So, we set our first goal. In two weeks we will jump on a conference call (day 2 of my first real vacation!) to cover EIGRP and OSPF at the NP level. This means that we will both study independently, come together on a call and share what we both learned. Sounds a lot like your mom’s book club, doesn’t it? Cringy…

But it works.

Get the emotions out of your head so that you can maintain peak clarity! This is a long road to travel (we’re coming for you ‘Pan-American Highway’), so find a reliable partner, fuel up and start rolling.

CDP Neighbor – 6.2.2019

Technology: CDP Neighbor

What does this technology do? CDP Neighbor is used to identify directly connected devices on a Cisco system.  

Use case? If you don’t have physical access to an adjacent switch, you can use CDP Neighbor to identify the device on a specific port. 

Basic Command:
#show cdp neighbors

Full Command:
#show cdp neighbors [ interface { ethernet slot/port | mgmt mgt-num}][ detail]
  • interface – Shows CDP neighbor info for that specified interface. 
  • ethernet – Shows CDP neighbor info for an Ethernet interface. 
  • mgmt – Shows CDP neighbor info for management interface. 
  • detail – Shows the detailed information about CDP neighbors. 

My lab: 

How I used it: 

In today’s lab, we will use CDP Neighbor commands to determine which devices are directly connected to the MainDistribution switch, from within the CLI of the MainDistribution. It’s obvious that the AccessLayer switch and the EdgeRouter are directly connected, however, we are not always working in lab environments. In a real world application, the AccessLayer switch may be several hundred feet away. Understanding CDP Neighbor commands will help us determine exactly which devices are adjacently attached in our network.


To start, I booted all of my network devices. Once they were up, I logged in and ran the CDP Neighbor command:

#show cdp neighbors

From here you can see the “Local Intrfce” and the “Port ID” columns. The Local Interface is the port on the switch you are currently working on that is attached to the remote device. The Port ID is the port number on the remote device. So, MainDistribution (Gig 02 from the “Local Intrfce”) is directly connected to the AccessLayer switch (Gig2/1 from the Port ID).


Now, you may be asking, how do you know that the adjacent device is the “AccessLayer”? Well, based on the previous image, you cannot unless you know the environment very well. Let me explain. 


The “Device ID” column shows the adjacent device “Hostname”. If the hostname is configured and you understand the name, then you will be able to identify the adjacent switch. Take a look: 

I changed the hostname of the adjacent device so that you can see the difference between screenshots. In my first image, the Device ID said “Switch”, which is the default hostname. Since I changed it, you can now see “AccessLayer” as the Device ID for the connected device. 


Now that you can identify the adjacent device, the local port number and the adjacent port number, we can spend some time on the “Holdtme” column and on what to do if the CDP command isn’t showing anything.


“Holdtme” means hold time: the length of time the switch keeps a neighbor’s entry before it discards it (think “time to live”). You can set it with the following command (default = 180s):

(config)#cdp holdtime 60

I personally prefer the shorter times, but if you have a ton of management traffic, you can cause CPU/RAM overload… You can always shorten the time while you are troubleshooting and reset it when you’re done.
Finally, if CDP neighbors is not working, you may need to enable it on your devices. This is very easy: CDP is turned on globally with cdp run, and on an individual interface with cdp enable.

(config)#cdp run
(config-if)#cdp enable
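The screenshots in this post show the "show cdp neighbors" table; when you are collecting it from many switches it is worth parsing. As an added example (my code, not from the original post), the following Python parses the IOS column format into records, answers the question asked above (what is on local port Gig 0/2, and on which remote port), and lists neighbors that still advertise a default hostname such as “Switch”, which the Device ID column cannot identify. The table text is a constructed sample in the IOS layout for a lab like the one described; the hostnames and platforms in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show cdp neighbors" output in the IOS column format,
# for a lab like the one above: MainDistribution with an access switch, an
# edge router and one switch still using the default hostname.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
AccessLayer      Gig 0/2           155             S I   WS-C2960  Gig 2/1
EdgeRouter       Gig 0/1           142              R    CISCO2911 Gig 0/0
Switch           Gig 0/3           178             S I   WS-C2960  Gig 1/1

Total cdp entries displayed : 3
"""

# One table row. Interface names are two tokens ("Gig 0/2"); the capability
# column is letters separated by spaces and may be empty; the platform string
# is assumed to contain no spaces.
ROW_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>\S+ \S+)\s+"
    r"(?P<hold>\d+)\s+"
    r"(?P<cap>[A-Za-z ]*?)\s+"
    r"(?P<platform>\S+)\s+"
    r"(?P<port>\S+ \S+)\s*$"
)

# Factory hostnames that tell you nothing about which box you are looking at.
DEFAULT_HOSTNAMES = {"Switch", "Router"}


@dataclass
class Neighbor:
    device_id: str
    local_intf: str
    holdtime: int
    capability: str
    platform: str
    port_id: str


def parse_cdp_neighbors(text):
    """Parse the table rows of show cdp neighbors into Neighbor records."""
    neighbors = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            neighbors.append(Neighbor(
                device_id=m.group("device"),
                local_intf=m.group("local"),
                holdtime=int(m.group("hold")),
                capability=m.group("cap").strip(),
                platform=m.group("platform"),
                port_id=m.group("port"),
            ))
    return neighbors


def neighbor_on(text, local_intf):
    """What is plugged into this local port, and on which of its own ports?"""
    for n in parse_cdp_neighbors(text):
        if n.local_intf == local_intf:
            return n
    return None


def unnamed_neighbors(text):
    """Neighbors still advertising a default hostname, so the Device ID does not identify them."""
    return [n for n in parse_cdp_neighbors(text) if n.device_id in DEFAULT_HOSTNAMES]


if __name__ == "__main__":
    n = neighbor_on(SAMPLE_CDP, "Gig 0/2")
    print(f"Gig 0/2 -> {n.device_id} {n.port_id} (holdtime {n.holdtime}s)")
    for n in unnamed_neighbors(SAMPLE_CDP):
        print(f"rename needed: '{n.device_id}' on {n.local_intf} ({n.platform})")
```

The holdtime field comes back as an integer, so the same records can be used to watch entries count down toward the value you set with cdp holdtime.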

Reference:

Cisco.com

CCNP Ch.1 – 5.19.2019

Today, I’m starting my journey for the CCNP v2 R&S.

I’m learning about the different Routing connections (Building Access, Building Distribution, Campus backbones, etc..). I’m glad to know that my campus is actually set up like their suggestions, with the exception of two buildings.

Knowing more, I now see where I may add a building distribution switch to limit the number of fiber connections running back to the core, but also increase feasibility of troubleshooting fewer switches in the long run.


Topics that I need to remember or work on the most:

  • Routing Protocols
    • RIP – Distance-Vector
    • EIGRP (Advanced) Distance-Vector
    • OSPF – Link-State
    • IS-IS – Link-State
    • BGP – Path-Vector

All routing protocols are currently IGP (Interior Gateway Protocols) except for BGP, which is an EGP (Exterior Gateway Protocol).

The second topic that I need to focus on is Split-Horizon and Poison Reverse.

Split-Horizon is the feature that prevents a route learned on one interface from being advertised through the same interface again. (CH.1)

The Poison Reverse feature causes a route received on the same interface to be advertised back out, however, it uses a metric of “infinite“.

The third important technology emphasized in this chapter was the different network traffic types.

  • Unicast – One to One
  • Broadcast – One to Many
  • Multicast – One to Many, but specific
  • Anycast – IPv6 only, assigned to multiple devices for One to Nearest

Reference:

Official Cert Guide by Kevin Wallace, CCIE No. 7945 for CCNP ROUTE 300-101

Cloud My Lab – 5.19.2019

Okay, I have to say, I’m really enjoying “Cloud my Lab”. They finally got my instance (Pod) up and running about 72 hours after my payment processed.

To get into the server, all I had to do was RDP in using my Windows RDP client and the provided IP and user credentials. Once I was in, I had all of the images pre-loaded and GNS3 configured for my first project.

For $30, I have to say, it’s totally worth it! Sure, it’s a convenience fee, but their technical staff stand ready to help with any trouble that I have.

In addition, I don’t have to worry about finding the best ios files and go through the hassle of uploading them. Also, this environment can be operated from a Chromebook RDP window app… that’s pretty convenient! I’ll create more posts later as I build out my lab environments and test additional features.

Edit:

I found out today that my instance, “Pod”, only has 4GB of RAM, while my subscription is currently set to “Tiny”, which supports 8GB of RAM… I decided to upgrade to a “Small” instance because I noticed a little lag when I launched my text editor, “Atom.io”. After doing so, I checked the CPU and RAM from the system properties and noticed that I was not getting the level of service that I paid for during my original subscription period. I’ve contacted their support and they are working diligently to resolve my issue.

I’m very excited to have the full 8vCPU’s and 16GB of RAM! I may even use this system for remote testing VPNs and ICMP from outside of my network.

Edit #2: This is what matters…

I was completely wrong about the configuration and setup over there at Cloud My Lab. After discovering that my host machine only had 4GB of RAM allocated, I contacted support to get it fixed. With the $30/month “Tiny” package, you should be getting 8GB RAM. Each time I started a text editor or web browser, the CPU and RAM would spike! So I was a little frustrated.

After communicating with support, they explained that the GNS3 hosted instance gets the 8GB RAM remotely and that the Windows Host that you RDP into only gets the 4GB… This made a lot of sense once it was explained. It certainly explained the reason for the Windows Host maxing resources while the GNS3 Host continued to respond perfectly fine.

Ansible (Red Hat) – 5.18.2019

Today, I’m installing Ansible on my Mac…

For Mac, you need to install pip. The instructions provided by Ansible didn’t work for me, so I found an easier command:

$ sudo easy_install pip

With that command, I was able to make it to the next phase… which didn’t work. At this point, I was very frustrated! After deciding to read all of the instructions on Ansible, I found a paragraph regarding MacOS 10.9. Well, I was running 10.14. It obviously inherited its bitchiness from 10.9. So, I ran the command:

$ CFLAGS=-Qunused-arguments CPPFLAGS=-Qunused-arguments pip install --user ansible

All problems were solved. At this point, I’m considering a degree in Linux based systems so that I can actually understand this shit. But no, I’m going to continue my path toward the #CCIE and #CCAr!


Credit: Ansible for making an amazing product that’s openSource, Apple for making amazing hardware with very low specs, and Cisco for being amazing.

Starting Point 2.0 (Eve-NG installation) – 5.3.2019

Umm.. yeah, bro. I had a blog before. I had different priorities at the time, but now I’m back at it. You got beef? Or are you vegan?

Today, I have Eve-NG configured on the Google Cloud Platform… This ended up being a total waste of time. More about this later (See my GNS3 post).

My total cost was roughly $90/month. With me shutting the server down when I didn’t use it, the monthly cost was $20… It became more of a hassle. I deleted my compute instance and moved on.

eve-ng.net

I subscribed to INE’s All Access Pass. This was great, because for me, I paid $300(ish) about three years ago for their CCNA class, and this meant that I would have all of their classes for $99/month. I plan to have my employer pick up the tab in the new year if I end up liking the subscription.


If you’re installing Eve-NG on Google Cloud Platform, you may need to use the following. Note that it fetches the installer over plain HTTP and pipes it straight into bash, so if you want to see what it changes, download the script first and read it before running it:

##Community Edition installation repo command
wget -O - http://www.eve-ng.net/repo/install-eve.sh | bash -i

If you’re like me and pre-installed the Pro version, then you’ll need this:

## To roll back from EVE-NG Pro to the Community Edition, issue the following commands in the CLI of EVE
> apt install eve-ng eve-ng-guacamole
> systemctl disable docker
> systemctl disable docker.service
> systemctl stop docker.service
> systemctl disable udhcpd

## Reboot EVE

Finally, do not forget about the license files!!

https://www.eve-ng.net/documentation/howto-s/62-howto-add-cisco-iou-iol