Port-Security (MAC-Address Filtering)

Port-Security is well worth enabling on every access port. It limits which source MAC addresses a port will forward, and the addresses can be configured statically, learned dynamically, or learned and then pinned to the running configuration (sticky).

Basic configuration (the interface must already be a static access port, i.e. switchport mode access; IOS rejects port-security on a dynamic or trunk port):

##Open Interface##
(config)#int e0/2

##Enable Port-Security##
(config-if)#switchport port-security

##Allow a specific mac-address##
(config-if)#switchport port-security mac-address aabb.ccdd.eeff

##Only Allow a single mac-address##
(config-if)#switchport port-security maximum 1

##If policy is violated, err-disable port##
(config-if)#switchport port-security violation shutdown

Verify configuration on the interface:

#show port-security interface e0/2
Sw1#sh port-security int e0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aabb.ccdd.eeff:10
Security Violation Count   : 0

View from both devices:

Once the router (R1) changes its MAC address, Sw1 sees a frame from an unknown source MAC on e0/2, counts it as a violation and err-disables the port:

R1(config)#interface e0/0
R1(config-if)#mac-address aabb.ccff.eeff
Sw1#
*Jul  6 17:14:56.613: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
Sw1#
*Jul  6 17:14:56.613: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccff.eeff on port Ethernet0/2.
*Jul  6 17:14:57.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Sw1#
*Jul  6 17:14:58.617: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
Sw1#

To recover, either put the original MAC address back on R1 or replace the configured address on Sw1 with the new one (with maximum 1 the old entry has to be removed before a new one is accepted). Then bounce the port (shutdown / no shutdown) to clear the err-disable state and verify with a ping. If you do not want to touch every port by hand, errdisable recovery cause psecure-violation in global configuration re-enables such ports automatically after the recovery interval (300 seconds by default); the port will simply err-disable again if the offending MAC is still there.
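The two syslog lines above carry everything a detection rule needs: the port, the offending MAC and whether the switch actually err-disabled the port. The following Python is an added example (not from the original post) that parses those messages, normalises short and long IOS interface names so the %PM and %PORT_SECURITY events line up on one key, and summarises per port. The log text is the page's own output re-joined onto single lines plus one constructed line for a second port; the regexes assume the standard IOS message formats shown above.

```python
import re
from collections import defaultdict

# Syslog lines from this page (the two wrapped lines re-joined) plus one constructed
# violation on a second port so the per-port grouping is visible.
SAMPLE_LOG = """\
*Jul  6 17:14:56.613: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
*Jul  6 17:14:56.613: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccff.eeff on port Ethernet0/2.
*Jul  6 17:14:57.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Jul  6 17:14:58.617: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
*Jul  6 17:20:01.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port Ethernet0/3.
"""

TIMESTAMP = r"\*?(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
VIOLATION = re.compile(
    TIMESTAMP + r": %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE = re.compile(
    TIMESTAMP + r": %PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+), "
    r"putting \S+ in err-disable state$"
)

# Short and long IOS interface prefixes, so "Et0/2" and "Ethernet0/2" collapse to one key.
_PREFIXES = {"Et": "Ethernet", "Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}


def canonical_interface(name: str) -> str:
    """Expand an abbreviated IOS interface name to its long form (unknown types unchanged)."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    for full in _PREFIXES.values():
        if full.lower().startswith(prefix.lower()):
            return full + rest
    return name


def parse_events(log: str) -> list[dict]:
    """Turn raw syslog text into structured port-security events; other messages are ignored."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        m = VIOLATION.search(line)
        if m:
            events.append({"ts": m["ts"], "kind": "violation",
                           "port": canonical_interface(m["port"]), "mac": m["mac"]})
            continue
        m = ERRDISABLE.search(line)
        if m and m["cause"] == "psecure-violation":
            events.append({"ts": m["ts"], "kind": "errdisable",
                           "port": canonical_interface(m["port"]), "mac": None})
    return events


def correlate(events: list[dict]) -> dict[str, dict]:
    """Per port: offending MACs seen and whether the port actually went err-disabled.

    A violation with no matching err-disable event means the port runs in protect or
    restrict mode: the allowed MAC keeps working and only the rogue frames are dropped,
    so the alert is the only trace you get."""
    summary: dict[str, dict] = defaultdict(lambda: {"macs": [], "errdisabled": False, "first_seen": None})
    for ev in events:
        s = summary[ev["port"]]
        s["first_seen"] = s["first_seen"] or ev["ts"]
        if ev["kind"] == "violation" and ev["mac"] not in s["macs"]:
            s["macs"].append(ev["mac"])
        elif ev["kind"] == "errdisable":
            s["errdisabled"] = True
    return dict(summary)


if __name__ == "__main__":
    for port, s in correlate(parse_events(SAMPLE_LOG)).items():
        state = "ERR-DISABLED" if s["errdisabled"] else "still up (protect/restrict mode?)"
        print(f"{port}: {state}; offending MAC(s) {', '.join(s['macs'])}; first seen {s['first_seen']}")
```

Feed it the switch syslog stream (or a SIEM export) and alert on any port that appears in the summary; the constructed Ethernet0/3 line shows the case where a port violated but never went down.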


Dynamically learned addresses live only in the MAC table and are gone after a reload. Sticky learning converts learned addresses into switchport port-security mac-address sticky entries in the running configuration, and they survive a reload only once you save (wr). Giving an address on the sticky command adds it as a sticky entry straight away:

(config)#int e0/2
(config-if)#switchport port-security mac-address sticky aabb.ccdd.eeff
#wr

If IOS rejects the command (for example because the interface already holds a static address and maximum is 1), remove the previously set MAC address first:

(config-if)#no switchport port-security mac-address aabb.ccdd.eeff 

##followed by: 

(config-if)#switchport port-security mac-address sticky aabb.ccdd.eeff

VLAN & VTP Basics

Creating VLANs is easy; what usually goes wrong is the VLANs not propagating to the other access switches, which is a VTP (client/server) issue.

**Option One** (creates the Layer 2 VLAN in the VLAN database)
(config)#vlan 10
(config-vlan)#name SALES

&

**Option Two** 
(config)#interface vlan 10
(config-if)#description SALES
(config-if)#ip address a.b.c.d x.x.x.x

Option two does not create the VLAN itself; it creates a Switched Virtual Interface (SVI) with an IP address, which is what you need for inter-VLAN routing or to manage the switch inside that VLAN. The SVI only comes up once VLAN 10 exists (option one) and has at least one active port in it.


For EXTENDED VLANs (1006-4094), VTP versions 1 and 2 require transparent mode; a version 1 or 2 server refuses to create them (IOL images may be more lenient). VTP version 3 can carry extended VLANs in server mode.

(config)#vtp mode transparent

By default Cisco Catalyst switches ship in VTP server mode with no domain name, and a switch with no domain adopts the first domain name it hears on a trunk. So decide the mode and domain before you cable the trunks, and change the mode on every access switch that should not be authoritative for VLANs. First,

(config)#vtp mode Server
or
(config)#vtp mode Transparent
or
(config)#vtp mode Client

then, set the domain

(config)#vtp domain CISCO

With client mode and the same domain name, the switch accepts VLAN advertisements from the VTP server (normally the core or distribution switch). Be aware that VTP also accepts updates from any switch in the domain whose configuration revision is higher, even one in client mode, and that switch can wipe the VLAN database of every switch in the domain. So set a VTP password, put switches that do not need VTP in transparent mode, and reset the revision to 0 (change the domain name or the mode) before connecting a switch that has been used elsewhere. If you run into an MD5 digest checksum mismatch error, the password differs; set the same password on all devices in the domain that need VTP configs, like this:

(config)#vtp password cisco

You will then want to issue the below command to show the current status: 

#show vtp status
Sw1>sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.1200
Configuration last modified by 0.0.0.0 at 7-5-19 23:13:37
Local updater ID is 0.0.0.0 (no valid interface found)


Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 0
MD5 digest                        : 0x87 0x6A 0xFA 0xCB 0xD3 0x27 0xDF 0x0C
                                    0x04 0xF4 0x94 0x8E 0x18 0xEA 0xE9 0x84
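Added example, not from the original post: a Python audit that parses several show vtp status outputs (the Sw1 output above plus two constructed ones) and flags the conditions described in this section: domain-name mismatch, a switch whose configuration revision is higher than the server's, more than one server, and VTP version 1. The switch names Sw2 and Sw3 and their values are made up; the parser assumes the "key : value" layout IOS prints, with the MD5 digest continued on an indented second line.

```python
import re

# "show vtp status" from Sw1 as shown on this page, plus two constructed outputs
# (trimmed to the lines the audit reads). Sw2's revision is deliberately higher
# than the server's and Sw3's domain differs only in case.
SHOW_VTP = {
    "Sw1": """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.1200
Configuration last modified by 0.0.0.0 at 7-5-19 23:13:37
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 0
MD5 digest                        : 0x87 0x6A 0xFA 0xCB 0xD3 0x27 0xDF 0x0C
                                    0x04 0xF4 0x94 0x8E 0x18 0xEA 0xE9 0x84
""",
    "Sw2": """\
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Operating Mode                : Client
Configuration Revision            : 17
MD5 digest                        : 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88
                                    0x99 0xAA 0xBB 0xCC 0xDD 0xEE 0xFF 0x00
""",
    "Sw3": """\
VTP version running             : 1
VTP Domain Name                 : cisco
VTP Operating Mode                : Transparent
Configuration Revision            : 0
""",
}

# A "Key : value" line; keys are words and spaces only, so free-text lines such as
# "Configuration last modified by 0.0.0.0 at ..." do not match and are skipped.
KV = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>.*)$")


def parse_vtp_status(text: str) -> dict[str, str]:
    """Parse show vtp status into a dict. Indented continuation lines (the second
    MD5 line) are appended to the previous key so the digest stays one string."""
    fields: dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        m = KV.match(raw)
        if m:
            last_key = m["key"].strip()
            fields[last_key] = m["value"].strip()
        elif raw.startswith(" ") and raw.strip() and last_key:
            fields[last_key] += " " + raw.strip()
    return fields


def audit(outputs: dict[str, str]) -> list[str]:
    """Cross-switch VTP checks. Findings are plain strings, ready for a ticket or syslog."""
    parsed = {sw: parse_vtp_status(txt) for sw, txt in outputs.items()}
    findings = []
    servers = {sw for sw, f in parsed.items() if f.get("VTP Operating Mode") == "Server"}
    domains = {f.get("VTP Domain Name") for f in parsed.values()}
    if len(domains) > 1:
        findings.append(f"domain name mismatch across switches: {sorted(domains)} "
                        "(VTP domain names are case-sensitive)")
    server_rev = max((int(parsed[sw]["Configuration Revision"]) for sw in servers), default=None)
    for sw, f in parsed.items():
        mode = f.get("VTP Operating Mode")
        rev = int(f.get("Configuration Revision", "0"))
        # A transparent switch does not participate, so its revision is harmless.
        if mode != "Transparent" and server_rev is not None and rev > server_rev:
            findings.append(f"{sw}: revision {rev} is higher than the server's {server_rev}; "
                            "trunking it into the domain would overwrite every switch's VLAN database")
        if mode == "Server" and len(servers) > 1:
            findings.append(f"{sw}: one of {len(servers)} servers; access switches should be Client or Transparent")
        if f.get("VTP version running") == "1" and mode != "Transparent":
            findings.append(f"{sw}: VTP version 1; extended VLANs are not propagated and any higher "
                            "revision wins, whereas VTPv3 only accepts updates from the primary server")
    return findings


if __name__ == "__main__":
    for line in audit(SHOW_VTP):
        print(line)
```

Paste each switch's output into the dictionary (or collect it over SSH) and run the audit before a new switch is trunked into the domain; the Sw2 finding is the classic "switch from the lab wipes production" scenario caught ahead of time.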

Cisco Certification rebuild!

It’s official! Cisco has finally decided to do a complete rebuild of their certification program.

Check out the famous network blog by Kevin Wallace: https://www.kwtrain.com/blog/certupdate?cid=98b3de66-d267-46fd-b804-d5824a287ea8&fbclid=IwAR1Be9O8nZcTTXMyd6FsH-O30USC09wTzB03rAuDHhKO3HJzv3QSkHGFxfQ

This is all the information we have right now, but stay tuned and keep learning!

CDP Neighbor – 6.2.2019

Technology: CDP Neighbor

What does this technology do? CDP (Cisco Discovery Protocol) is a Layer 2 protocol with which Cisco devices advertise their hostname, platform, software version, management address and port to whatever is directly connected; show cdp neighbors lists what the local device has heard.  

Use case? If you don’t have physical access to an adjacent switch, you can use CDP Neighbor to identify the device on a specific port. 

Basic Command:
#show cdp neighbors

Full Command:
#show cdp neighbors [ interface { ethernet slot/port | mgmt mgt-num}][ detail]
  • interface – Shows CDP neighbor info for that specified interface. 
  • ethernet – Shows CDP neighbor info for an Ethernet interface. 
  • mgmt – Shows CDP neighbor info for management interface. 
  • detail – Shows the detailed information about CDP neighbors. 

My lab: 

How I used it: 

In today's lab, we will use CDP Neighbor commands to determine which devices are directly connected to the MainDistribution switch from within the CLI of MainDistribution. It is obvious here that the AccessLayer switch and the EdgeRouter are directly connected, but we are not always working in lab environments. In a real-world deployment the AccessLayer switch may be several hundred feet away. Understanding CDP Neighbor commands helps us determine exactly which devices are adjacently attached in our network. 


To start, I booted all of my network devices, logged in and ran the CDP Neighbor command:

#show cdp neighbors

From here you can see the “Local Intrfce” and “Port ID” columns. Local Interface is the port on the switch you are logged into that connects to the remote device; Port ID is the port on the remote device. So MainDistribution (Gig 02 from “Local Intrfce”) is directly connected to the AccessLayer switch (Gig2/1 from “Port ID”). 


Now, you may be asking, how do you know that the adjacent device is the “AccessLayer”? Well, based on the previous image, you cannot unless you know the environment very well. Let me explain. 


The “Device ID” column shows the adjacent device “Hostname”. If the hostname is configured and you understand the name, then you will be able to identify the adjacent switch. Take a look: 

I changed the hostname of the adjacent device so that you can see the difference between screenshots. In my first image, the Device ID said “Switch”, which is the default hostname. Since I changed it, you can now see “AccessLayer” as the Device ID for the connected device. 


Now that you can identify the adjacent device, the local port number and the adjacent port number, we can now spend some time to understand the “Holdtme” column and what to do if the CDP command isn’t showing anything. 


“Holdtme” is the hold time: how long the switch keeps a neighbor entry after the last advertisement before discarding it (think “Time To Live”). The value comes from the neighbor, which by default advertises every 60 seconds (cdp timer) with a hold time of 180 seconds. To change the hold time this device advertises (10 to 255 seconds): 

(config)#cdp holdtime 60

I personally prefer the shorter times, but keep the hold time above the advertisement interval (cdp timer, default 60 seconds); if it is shorter, neighbors drop out of the table between hellos. Shorter timers also mean more CDP traffic and processing, so you can shorten them while troubleshooting and reset them when you're done. 
Finally, if show cdp neighbors shows nothing, CDP may be disabled. It is on by default on most IOS devices; cdp run enables it globally, and on an individual interface it is enabled with: 

(config-if)#cdp enable

Remember that CDP hands the hostname, platform, IOS version and management address in cleartext to whatever is plugged into the port, so keep it enabled only on infrastructure links (and on phone ports that need it) and disable it with no cdp enable on ports facing untrusted hosts and at the network edge.
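Added example, not part of the original post: a Python parser for show cdp neighbors in IOS format and a check that compares the live table with the documented cabling. The output below is constructed to match the lab described here (AccessLayer on Gig 0/2, EdgeRouter on Gig 0/1) and includes a long Device ID that IOS wraps onto its own line, which is where naive column parsers break. The expected-neighbor map, the printer entry and all platform strings are assumptions. CDP is unauthenticated and a Device ID is trivially spoofed, so this catches mispatching and opportunistic devices, not a deliberate attacker.

```python
import re

# Constructed "show cdp neighbors" output in IOS format for the lab on this page.
# The third entry shows IOS printing a long Device ID on its own line with the
# remaining columns on the next line.
SHOW_CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
AccessLayer      Gig 0/2           150             S I   WS-C3750  Gig 2/1
EdgeRouter       Gig 0/1           132              R    ISR4331   Gig 0/0/0
printer-closet-b.corp.example.net
                 Gig 0/7           171              H    LaserJet  eth0

Total cdp entries displayed : 3
"""

# Documented cabling for this switch (assumed): local port -> expected Device ID.
EXPECTED = {"Gig 0/1": "EdgeRouter", "Gig 0/2": "AccessLayer", "Gig 0/3": "LabServer"}

# One table row: Device ID, "Type slot/port" local interface, hold time, one or more
# capability codes, platform, and a Port ID that is one or two tokens ("Gig 2/1", "eth0").
ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+"
    r"(?P<cap>.+?)\s+(?P<platform>\S+)\s+(?P<port>\S+(?: \S+)?)$"
)


def parse_cdp_neighbors(text: str) -> dict[str, dict]:
    """Map each local interface to its CDP neighbor, handling wrapped Device IDs."""
    neighbors: dict[str, dict] = {}
    in_table = False
    pending_device = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Device ID"):
            in_table = True          # column header: rows follow
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("Total cdp entries"):
            break
        if pending_device:
            # Second half of a wrapped row: glue the Device ID back on.
            line = f"{pending_device} {line.strip()}"
            pending_device = None
        elif " " not in line.strip():
            pending_device = line.strip()   # a lone token is a wrapped Device ID
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed CDP row: {line!r}")
        neighbors[m["local"]] = {
            "device": m["device"],
            "holdtime": int(m["hold"]),
            "capability": m["cap"].split(),
            "platform": m["platform"],
            "port": m["port"],
        }
    return neighbors


def unexpected_neighbors(neighbors: dict[str, dict], expected: dict[str, str]) -> list[str]:
    """Report ports whose neighbor differs from the documented cabling, undocumented
    neighbors, and documented links with no neighbor at all."""
    findings = []
    for local, nb in neighbors.items():
        want = expected.get(local)
        if want is None:
            findings.append(f"{local}: undocumented CDP neighbor {nb['device']} "
                            f"({nb['platform']}, caps {' '.join(nb['capability'])})")
        elif want != nb["device"]:
            findings.append(f"{local}: expected {want}, saw {nb['device']} on its {nb['port']}")
    for local in sorted(expected.keys() - neighbors.keys()):
        findings.append(f"{local}: expected {expected[local]} but no CDP neighbor (link down or CDP disabled?)")
    return findings


if __name__ == "__main__":
    table = parse_cdp_neighbors(SHOW_CDP_NEIGHBORS)
    for local, nb in table.items():
        print(f"{local} -> {nb['device']} {nb['port']} (hold {nb['holdtime']}s)")
    for line in unexpected_neighbors(table, EXPECTED):
        print("CHECK:", line)
```

Run it against the output collected from each distribution switch and diff the result against your cabling records; the constructed data produces two findings, the undocumented printer on Gig 0/7 and the silent Gig 0/3.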

Reference:

Cisco.com

Starting Point 2.0 (Eve-NG installation) – 5.3.2019

Umm.. yeah, bro. I had a blog before. I had different priorities at the time, but now I’m back at it. You got beef? Or are you vegan?

Today, I have Eve-NG configured on the Google Cloud Platform… This ended up being a total waste of time. More about this later (See my GNS3 post).

My total cost was roughly $90/month. With me shutting the server down when I didn’t use it, the monthly cost was $20… It became more of a hassle. I deleted my compute instance and moved on.

eve-ng.net

I subscribed to INE’s All Access Pass. This was great, because for me, I paid $300(ish) about three years ago for their CCNA class, and this meant that I would have all of their classes for $99/month. I plan to have my employer pick up the tab in the new year if I end up liking the subscription.


If you’re installing Eve-NG on Google Cloud Platform, you may need to use the following. Note that this fetches an installer over plain HTTP and pipes it straight into a root shell with no integrity check; download it to a file over HTTPS, read it, and only then run it:

##Community Edition installation repo command
wget -O - http://www.eve-ng.net/repo/install-eve.sh | bash -i 

If you’re like me and pre-installed the pro version, then you’ll need this:

## To roll back from EVE-NG Pro to the Community Edition, issue the following commands in the CLI of EVE

> apt install eve-ng eve-ng-guacamole

> systemctl disable docker

> systemctl disable docker.service

> systemctl stop docker.service

> systemctl disable udhcpd

## Reboot EVE

Finally, do not forget about the license files!!

https://www.eve-ng.net/documentation/howto-s/62-howto-add-cisco-iou-iol