EAP is a client-server authentication. Unlike CHAP, the hostname is not used as the identity by default, so the credentials have to be specified explicitly on the client side.
Client-side:
ppp eap identity R5
ppp eap password CISCO
Server-side, authenticating against a locally stored username (ppp eap local; without it the server would proxy the EAP exchange to a RADIUS server):
username R5 password 0 CISCO
ppp authentication eap
ppp eap local
Sunday, December 6, 2009
Monday, October 12, 2009
Private-VLAN
The different VLAN types:
- Promiscuous/primary: a port/VLAN that can communicate with all the other private VLANs associated with it.
- Community: ports in a community VLAN can communicate with each other and with the associated primary.
- Isolated: ports in an isolated VLAN can communicate with the associated primary only, never with each other.
A primary VLAN can contain one isolated VLAN and multiple community VLANs. The switch has to be in VTP transparent mode, since VTP versions 1 and 2 do not carry private-VLAN configuration.
Configuration
- Create the different VLANs
vlan 10
private-vlan primary
vlan 20
private-vlan community
vlan 30
private-vlan isolated
- Associate the secondary VLANs with the primary VLAN (the association is configured under the primary and lists the secondaries)
vlan 10
private-vlan association 20,30
Configure the interfaces
In the following example:
- ports 21 & 22 can communicate with each other and with port 1
- ports 31 & 32 cannot communicate with each other but can with port 1
- port 1 can communicate with ports 21, 22, 31, 32
int f0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 add 20,30
int range f0/21-22
switchport mode private-vlan host
switchport private-vlan host-association 10 20
int range f0/31-32
switchport mode private-vlan host
switchport private-vlan host-association 10 30
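The forwarding rules above, as an added Python model that is not part of the original post: port names, VLAN numbers and roles are taken from the configuration (primary 10, community 20 on f0/21-22, isolated 30 on f0/31-32, promiscuous f0/1), and the reachability matrix it produces is the one the three bullets describe.

```python
"""Private-VLAN forwarding rules, modelled in Python (added example, not from the post)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

COMMUNITY, ISOLATED = "community", "isolated"

# vlan 20 private-vlan community / vlan 30 private-vlan isolated
VLAN_TYPES = {20: COMMUNITY, 30: ISOLATED}
# vlan 10 / private-vlan association 20,30
ASSOCIATION = {10: {20, 30}}


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                      # "promiscuous" or "host"
    primary: int                   # primary VLAN mapped (promiscuous) or associated (host)
    secondary: Optional[int] = None  # secondary VLAN, host ports only


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering src may be delivered out of dst."""
    if src.primary != dst.primary:
        return False                            # different private-VLAN domains
    if "promiscuous" in (src.mode, dst.mode):
        host = dst if src.mode == "promiscuous" else src
        if host.mode == "promiscuous":
            return True                         # promiscuous <-> promiscuous
        # a host port reaches the promiscuous port iff its secondary VLAN is associated
        return host.secondary in ASSOCIATION[host.primary]
    # host <-> host: same secondary VLAN, and only if that VLAN is a community VLAN.
    # Two isolated ports fail here even though they share VLAN 30.
    return src.secondary == dst.secondary and VLAN_TYPES[src.secondary] == COMMUNITY


# Ports from the post's configuration.
PORTS = [
    Port("f0/1", "promiscuous", 10),
    Port("f0/21", "host", 10, 20), Port("f0/22", "host", 10, 20),
    Port("f0/31", "host", 10, 30), Port("f0/32", "host", 10, 30),
]


def reachability() -> Dict[Tuple[str, str], bool]:
    """Which port can reach which (a port talking to itself is left out)."""
    return {(a.name, b.name): can_forward(a, b) for a in PORTS for b in PORTS if a is not b}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:>6} -> {b:<6} {'allowed' if ok else 'blocked'}")
```

The isolation this enforces is a layer-2 property only: a router sitting on the promiscuous port will happily forward between two isolated hosts at layer 3 unless it is told not to, so the filtering has to be completed on that router.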
Friday, October 9, 2009
Difference between BPDU Guard and BPDU Filtering
Both functions can be enabled globally for all PortFast ports:
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
or per interface (spanning-tree bpduguard enable, spanning-tree bpdufilter enable).
The main difference is:
- BPDU Guard puts the port into err-disabled state if a BPDU is received on a PortFast port.
- BPDU Filter stops the port from sending BPDUs, but in the global (portfast default) form a received BPDU removes the PortFast and filter state from the port, which then behaves as a normal STP port.
The interface-level bpdufilter is different: it drops BPDUs in both directions unconditionally, which is the same as disabling spanning tree on that port, so a loop through it will not be detected.
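The decision the switch makes when a BPDU arrives, written out as an added Python model (not from the original post). It distinguishes the global "portfast ... default" forms of both features from the interface-level forms, and encodes the IOS rule that an interface-level BPDU filter takes precedence over BPDU guard on the same port.

```python
"""BPDU Guard vs BPDU Filter decision model (added example, not from the post)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortCfg:
    name: str
    portfast: bool = False
    bpduguard: Optional[str] = None   # None, "global" (portfast bpduguard default) or "interface"
    bpdufilter: Optional[str] = None  # None, "global" (portfast bpdufilter default) or "interface"


@dataclass(frozen=True)
class Outcome:
    state: str              # "forwarding" or "err-disabled"
    portfast: bool          # operational PortFast after the event
    bpdu_seen_by_stp: bool  # whether the STP process got to see the BPDU


def receive_bpdu(p: PortCfg) -> Outcome:
    """Apply the IOS rules for one BPDU received on port p."""
    # Interface-level BPDU filter drops BPDUs in both directions unconditionally:
    # STP never sees the frame and guard never fires. A loop through such a port is invisible.
    if p.bpdufilter == "interface":
        return Outcome("forwarding", p.portfast, False)

    # Interface-level guard always applies; the global default only while PortFast is operational.
    guard_active = p.bpduguard == "interface" or (p.bpduguard == "global" and p.portfast)
    if guard_active:
        return Outcome("err-disabled", False, True)

    # No guard: the BPDU is processed by STP. A PortFast port that receives a BPDU loses its
    # operational PortFast state (and, with the global filter, its filter state) and becomes an
    # ordinary STP port.
    return Outcome("forwarding", False, True)


SCENARIOS = [
    PortCfg("f0/1", portfast=True, bpduguard="global"),
    PortCfg("f0/2", portfast=True, bpdufilter="global"),
    PortCfg("f0/3", portfast=True, bpdufilter="interface", bpduguard="interface"),
    PortCfg("f0/4", portfast=False, bpduguard="global"),
    PortCfg("f0/5", portfast=False, bpduguard="interface"),
]

if __name__ == "__main__":
    for cfg in SCENARIOS:
        o = receive_bpdu(cfg)
        print(f"{cfg.name}: {o.state:<12} portfast={o.portfast!s:<5} stp_saw_bpdu={o.bpdu_seen_by_stp}")
```

Scenario f0/3 is the one to remember when reviewing a configuration: guard is configured, but because the interface-level filter discards the BPDU first, the port stays up and nothing is logged.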
Thursday, October 8, 2009
MAC address notification
The purpose is to notify an NMS of MAC address changes (a host appearing on or disappearing from a port):
Enable the trap:
snmp-server enable traps mac-notification
Enable MAC notification globally:
mac address-table notification change
Enable the notification on the port:
snmp trap mac-notification change {added | removed}
Limit the traps (changes are batched per interval and kept in a history buffer):
mac address-table notification change interval seconds
mac address-table notification change history-size messages
The traps still need a destination configured with snmp-server host.
Verify:
show mac address-table notification change
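On the receiving side, the trap the commands above generate carries the changes as a packed octet string rather than as readable varbinds. The decoder below is an added example, not from the original post; the record layout (1 byte operation, 1 = added/learnt and 2 = removed, 2 bytes VLAN, 6 bytes MAC, 2 bytes dot1dBasePort, big-endian, 11 bytes per change) is taken from the CISCO-MAC-NOTIFICATION-MIB description of cmnHistMacChangedMsg and should be checked against the MIB version your switches run. The payload bytes are constructed for the example.

```python
"""Decode MAC-change notification payloads and flag unexpected arrivals (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

RECORD = struct.Struct(">BH6sH")       # 11 bytes per MAC change (layout assumed from the MIB)
OPERATIONS = {1: "added", 2: "removed"}


@dataclass(frozen=True)
class MacChange:
    operation: str
    vlan: int
    mac: str
    base_port: int   # dot1dBasePort; map to an ifIndex/ifName via BRIDGE-MIB if needed


def decode_mac_changes(payload: bytes) -> List[MacChange]:
    """Split a cmnHistMacChangedMsg octet string into individual changes."""
    if len(payload) % RECORD.size:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {RECORD.size}")
    changes = []
    for op, vlan, mac, port in RECORD.iter_unpack(payload):
        changes.append(MacChange(OPERATIONS.get(op, f"unknown({op})"), vlan,
                                 ":".join(f"{b:02x}" for b in mac), port))
    return changes


def unexpected_arrivals(changes: Iterable[MacChange], allowlist: Set[str]) -> List[MacChange]:
    """'added' events for MACs not in the allowlist: a device plugged into a port we did not expect."""
    return [c for c in changes if c.operation == "added" and c.mac not in allowlist]


# Constructed sample payload with two records, not captured from a real switch:
# MAC 00:11:22:33:44:55 learnt in VLAN 10 on base port 3, then aa:bb:cc:dd:ee:ff removed from VLAN 20, port 5.
SAMPLE_PAYLOAD = (
    bytes([1]) + (10).to_bytes(2, "big") + bytes.fromhex("001122334455") + (3).to_bytes(2, "big")
    + bytes([2]) + (20).to_bytes(2, "big") + bytes.fromhex("aabbccddeeff") + (5).to_bytes(2, "big")
)

if __name__ == "__main__":
    known = {"00:11:22:33:44:55"}
    for c in decode_mac_changes(SAMPLE_PAYLOAD):
        print(c)
    print("unexpected:", unexpected_arrivals(decode_mac_changes(SAMPLE_PAYLOAD), known - {"00:11:22:33:44:55"}))
```

With the interval and history-size limits from the post in place, one trap can carry several records, which is why the decoder iterates rather than assuming a single change per trap.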
Monday, September 21, 2009
Integrated Routing & Bridging
IRB lets you bridge between two router interfaces (or subinterfaces), create a virtual interface (the BVI) and route through that BVI between the bridged interfaces and the router's other interfaces.
In this lab you want to bridge between 2 VLANs:
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.16
encapsulation dot1Q 16
bridge-group 1
!
interface Ethernet0/0.36
encapsulation dot1Q 36
bridge-group 1
You now need to enable a spanning-tree protocol on the bridge group:
bridge 1 protocol ieee
It is now possible to ping between machines in VLAN 36 and VLAN 16 (they are in the same broadcast domain).
To route between VLANs 16/36 and the other router interfaces, enable IRB, create a virtual interface with an IP address and tell the bridge group to route IP:
bridge irb
interface BVI1
ip address 136.1.136.6 255.255.255.0
bridge 1 route ip
From VLANs 16/36 you can now ping BVI1 and what lies behind it.
Friday, September 4, 2009
Frame-Relay interface types
Physical interface
PVC establishment:
- LMI automatically applies all DLCIs to the interface, or
- frame-relay interface-dlci applies the specified DLCI to the interface
- Needs static mapping (frame-relay map), or
- Needs inverse-ARP enabled on the DLCI
Point-to-point subinterface
PVC establishment:
- frame-relay interface-dlci applies the specified DLCI to the subinterface
- No mapping needed (everything for the subnet is sent through the point-to-point subinterface)
- Inverse-ARP is not needed and is disabled by default
Multipoint subinterface
PVC establishment:
- frame-relay interface-dlci applies the specified DLCI to the subinterface (LMI only assigns DLCIs to the physical interface)
- Needs static mapping, or
- Needs inverse-ARP enabled on the DLCI
PPP CHAP authentication
CHAP authentication is unidirectional: the side configured with ppp authentication chap sends the challenge. A router always answers a challenge, even if ppp authentication chap is not configured on it. So for a one-way authentication, R5 authenticating R4:
On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
ip address 132.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
On R4
interface Serial1/1
ip address 132.1.45.4 255.255.255.0
encapsulation ppp
ppp chap hostname ROUTER4
ppp chap password CISCO
Two-way authentication (each side challenges the other; when answering, a router looks the challenger's name up in its local username database to find the shared secret, so no ppp chap password is needed here):
On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
ip address 132.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER5
On R4
username ROUTER5 password 0 CISCO
interface Serial1/1
ip address 132.1.45.4 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER4
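The two exchanges above, run end to end in an added Python model that is not part of the original post. It uses the post's names and secret (ROUTER4, ROUTER5, CISCO), the RFC 1994 response computation MD5(identifier || secret || challenge), and the IOS rule for choosing the responder's secret: the local username entry matching the challenger's name first, then the interface-level ppp chap password. A third scenario, not in the post, shows what happens when R4 is given ppp authentication chap without a username entry for R5.

```python
"""PPP CHAP one-way and two-way authentication, modelled (added example, not from the post)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def chap_hash(ident: int, secret: str, chal: bytes) -> bytes:
    """RFC 1994 Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + chal).digest()


@dataclass
class Router:
    hostname: str
    usernames: Dict[str, str] = field(default_factory=dict)  # 'username X password Y' entries
    chap_hostname: Optional[str] = None   # ppp chap hostname
    chap_password: Optional[str] = None   # ppp chap password (fallback secret when answering)
    authenticates_peer: bool = False      # ppp authentication chap on the interface

    @property
    def chap_name(self) -> str:
        # Name carried in Challenge/Response packets: ppp chap hostname, else the router hostname.
        return self.chap_hostname or self.hostname

    def challenge(self) -> Tuple[bytes, str]:
        return os.urandom(16), self.chap_name

    def respond(self, ident: int, chal: bytes, challenger_name: str) -> Tuple[bytes, str]:
        # Responder secret: local username entry for the challenger's name, else ppp chap password.
        secret = self.usernames.get(challenger_name, self.chap_password)
        if secret is None:
            raise LookupError(f"{self.hostname}: no CHAP secret for peer {challenger_name}")
        return chap_hash(ident, secret, chal), self.chap_name

    def verify(self, ident: int, chal: bytes, digest: bytes, responder_name: str) -> bool:
        # The challenger only consults its username database, keyed by the name in the Response.
        secret = self.usernames.get(responder_name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_hash(ident, secret, chal), digest)


def ppp_authenticate(a: Router, b: Router) -> Dict[str, Optional[bool]]:
    """Run CHAP in each direction that is configured. Key: challenger hostname;
    value: outcome, or None when that side does not challenge at all."""
    results: Dict[str, Optional[bool]] = {}
    ident = 1  # IOS increments the identifier per challenge; fixed here for readability
    for challenger, responder in ((a, b), (b, a)):
        if not challenger.authenticates_peer:
            results[challenger.hostname] = None
            continue
        chal, cname = challenger.challenge()
        digest, rname = responder.respond(ident, chal, cname)
        results[challenger.hostname] = challenger.verify(ident, chal, digest, rname)
    return results


def one_way() -> Dict[str, Optional[bool]]:
    r5 = Router("R5", usernames={"ROUTER4": "CISCO"}, authenticates_peer=True)
    r4 = Router("R4", chap_hostname="ROUTER4", chap_password="CISCO")
    return ppp_authenticate(r5, r4)


def two_way() -> Dict[str, Optional[bool]]:
    r5 = Router("R5", usernames={"ROUTER4": "CISCO"}, chap_hostname="ROUTER5", authenticates_peer=True)
    r4 = Router("R4", usernames={"ROUTER5": "CISCO"}, chap_hostname="ROUTER4", authenticates_peer=True)
    return ppp_authenticate(r5, r4)


def half_configured_two_way() -> Dict[str, Optional[bool]]:
    # Hypothetical misconfiguration: R4 challenges but has no 'username R5' entry,
    # so it cannot verify R5's answer, while R5 still authenticates R4 successfully.
    r5 = Router("R5", usernames={"ROUTER4": "CISCO"}, authenticates_peer=True)
    r4 = Router("R4", chap_hostname="ROUTER4", chap_password="CISCO", authenticates_peer=True)
    return ppp_authenticate(r5, r4)


if __name__ == "__main__":
    print("one-way :", one_way())
    print("two-way :", two_way())
    print("half    :", half_configured_two_way())
```

The third scenario is the usual cause of a link that authenticates in one direction and flaps in the other. Also worth keeping in mind: anyone who captures a challenge and its response can test candidate secrets offline against the MD5, so the shared secret has to resist guessing.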
Layer 3 EtherChannel
Purpose: an EtherChannel on "no switchport" (routed) interfaces.
The physical interfaces must already be in "no switchport" mode before issuing the "channel-group" command, otherwise the port-channel that gets created is a Layer 2 one.
The IP address is placed on the port-channel interface, not on the member interfaces.
EtherChannel: PAgP or LACP
PAgP or LACP are used to negotiate the EtherChannel bundle automatically:
PAgP (Cisco proprietary):
auto: passive negotiation, the other side needs to be desirable
desirable: active negotiation, the other side needs to be desirable or auto
LACP (802.3ad):
passive: passive negotiation, the other side needs to be active
active: active negotiation, the other side needs to be active or passive
The main difference between the two is that PAgP only works in a Cisco environment whereas LACP works in a mixed-vendor environment. Both sides must run the same protocol; PAgP and LACP do not negotiate with each other.
To force the EtherChannel manually, without any negotiation, both sides have to be in "on" mode.
Verification
Rack1SW2#sh etherchannel 1 sum
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Fa1/7(P) Fa1/8(P) Fa1/9(P)
OR
Rack1SW2#sh etherchannel 1 port
Ports in the group:
-------------------
Port: Fa1/7
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 2
Age of the port in the current state: 00d:03h:17m:20s
Port: Fa1/8
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 1
Age of the port in the current state: 00d:03h:17m:20s
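A small parser for the summary output above, as an added Python example that is not part of the original post. The flag legend and the Po1 line are the ones shown by Rack1SW2; the Po2 line in the sample is constructed to exercise the failure flags (a down bundle with a suspended and a stand-alone member), which is what a monitoring check should catch.

```python
"""Parse 'show etherchannel summary' and check bundle health (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List

FLAG_MEANING = {"D": "down", "P": "in port-channel", "I": "stand-alone", "s": "suspended",
                "R": "Layer3", "S": "Layer2", "U": "in use"}

PO_LINE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(.*)$")
MEMBER = re.compile(r"([A-Za-z]+\d+(?:/\d+)+)\(([A-Za-z]+)\)")


@dataclass
class Bundle:
    group: int
    name: str
    flags: str
    members: Dict[str, str]   # member port -> its flags


def parse_summary(text: str) -> List[Bundle]:
    bundles = []
    for line in text.splitlines():
        m = PO_LINE.match(line)
        if not m:                       # legend, column headers, separators
            continue
        members = {port: flags for port, flags in MEMBER.findall(m.group(4))}
        bundles.append(Bundle(int(m.group(1)), m.group(2), m.group(3), members))
    return bundles


def check_bundle(b: Bundle, expected_members: int) -> List[str]:
    """Return the problems found; an empty list means the bundle is healthy."""
    problems = []
    if "U" not in b.flags:
        problems.append(f"{b.name}: not in use (flags {b.flags})")
    if "D" in b.flags:
        problems.append(f"{b.name}: down")
    for port, flags in b.members.items():
        if "P" not in flags:
            meaning = ", ".join(FLAG_MEANING.get(f, f) for f in flags)
            problems.append(f"{b.name}: member {port} not bundled ({meaning})")
    if len(b.members) != expected_members:
        problems.append(f"{b.name}: {len(b.members)} members, expected {expected_members}")
    return problems


# Legend and group 1 as shown on the page; group 2 is a constructed failure case.
SAMPLE_SUMMARY = """\
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group  Port-channel  Ports
------+-------------+-----------------------------------------------------------
1      Po1(SU)       Fa1/7(P)    Fa1/8(P)    Fa1/9(P)
2      Po2(SD)       Fa1/10(s)   Fa1/11(I)
"""

if __name__ == "__main__":
    for bundle, expected in zip(parse_summary(SAMPLE_SUMMARY), (3, 2)):
        issues = check_bundle(bundle, expected)
        print(bundle.name, "OK" if not issues else "; ".join(issues))
```

A member showing (I) is the case to watch with "on" mode or a negotiation mismatch: the link is up and forwarding as an independent port, outside the bundle, with the loop and load-sharing consequences that implies.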
Friday, August 14, 2009
Frame-Relay Legacy Traffic Shaping
Some reminders:
minCIR = minimum rate guaranteed by the Telco. Configured with frame-relay mincir (bps); by default it is half the CIR. It is the rate the shaper falls back to when BECNs are received (adaptive shaping).
CIR = rate provided by the Telco when there is no congestion. Configured with frame-relay cir (bps); the default is 56000 bps.
Bc = committed burst, the number of bits sent per interval Tc at the CIR: Bc = CIR x Tc. Tc = Bc/CIR and defaults to 125 ms (1/8 of a second), so by default Bc = CIR/8.
Be = excess burst, the extra bits that can be sent on top of Bc in the first interval to reach the access rate: Be = (Access Rate - CIR) x Tc.
Access rate = maximum physical rate of the link (its clock rate); it is not a shaping parameter itself but sets the upper bound for Bc + Be.
Example
32 kbps is guaranteed (minCIR)
64 kbps of CIR
192 kbps of access rate
map-class frame-relay cisco
frame-relay cir 64000
frame-relay mincir 32000
frame-relay adaptive-shaping becn
frame-relay bc 8000
frame-relay be 16000
interface Serial0/0
frame-relay traffic-shaping
frame-relay class cisco
Verification commands:
show traffic-shaping
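The parameters above carried through numerically, plus a token-bucket view of what the shaper then does, as an added Python example that is not part of the original post. The numbers are the post's (CIR 64 kbps, access rate 192 kbps, Tc 125 ms), and the simulation uses the standard Bc/Be bucket model to show why the first interval can burst to the access rate while the steady state is held to the CIR.

```python
"""Legacy FRTS parameters and a token-bucket view of the shaper (added example, not from the post)."""
from typing import List, Optional, Tuple


def frts_parameters(cir_bps: int, access_rate_bps: int, tc_s: float = 0.125,
                    mincir_bps: Optional[int] = None) -> Tuple[int, int, int]:
    """Return (Bc, Be, minCIR) for a map-class: Bc = CIR*Tc, Be = (AR-CIR)*Tc, minCIR defaults to CIR/2."""
    if not 0 < cir_bps <= access_rate_bps:
        raise ValueError("CIR must be positive and no greater than the access rate")
    bc = int(cir_bps * tc_s)
    be = int((access_rate_bps - cir_bps) * tc_s)
    mincir = mincir_bps if mincir_bps is not None else cir_bps // 2
    return bc, be, mincir


def simulate_shaper(bc: int, be: int, offered_bits_per_tc: int, intervals: int) -> List[int]:
    """Bits released per Tc. Each interval credits Bc tokens; the bucket holds at most Bc + Be and
    starts full, so a backlog drains at Bc + Be in the first interval and at Bc afterwards."""
    tokens = bc + be
    sent = []
    for _ in range(intervals):
        out = min(tokens, offered_bits_per_tc)
        sent.append(out)
        tokens = min(bc + be, tokens - out + bc)
    return sent


def average_rate_bps(sent: List[int], tc_s: float = 0.125) -> float:
    return sum(sent) / (len(sent) * tc_s)


if __name__ == "__main__":
    bc, be, mincir = frts_parameters(64000, 192000)
    print(f"frame-relay bc {bc} / frame-relay be {be} / frame-relay mincir {mincir}")
    # A host offering a full 192 kbps (24000 bits per 125 ms interval) for one second:
    sent = simulate_shaper(bc, be, offered_bits_per_tc=24000, intervals=8)
    print("bits per Tc:", sent, "-> average", average_rate_bps(sent), "bps")
```

With the page's values the first interval releases 24000 bits (the full access rate) and every later one 8000, so the one-second average is 80 kbps and converges on the 64 kbps CIR as the burst credit is consumed.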
Frame-Relay DE setting
The purpose of the exercise is to set the DE (discard eligible) bit on Frame-Relay frames depending on their length. There are 2 solutions depending on the constraints:
1) If it applies to all DLCIs of a given interface, you can use a service-policy:
class-map match-all DE1024
match packet length min 1024
!
policy-map DE1024
class DE1024
set fr-de
!
interface Serial0/0
service-policy output DE1024
2) If it applies to a specific DLCI, use the de-list command; here IP packets larger than 1024 bytes are marked on DLCI 501 only:
frame-relay de-list 1 protocol ip gt 1024
!
interface Serial0/0
frame-relay de-group 1 501
To check, connect to the router at the other end of the PVC and look at the "in DE pkts" counter:
R2#sh frame-relay pvc 105
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 105, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial0/0.2
input pkts 25 output pkts 25 in bytes 13600
out bytes 13600 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 7 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:49:33, last time pvc status changed 00:35:02