Tag Archives: Networking

How to configure an OSPF Totally Stubby Area in Cisco Routers - Series 1?

In this series of posts let's configure an OSPF Totally Stubby Area, but before proceeding further let's summarise the topology below.

[Image: OSPF Totally Stubby Area topology]
  1. Two OSPF areas: Area 0 and Area 5
  2. R1, R2 and R4 are part of Area 0, and OSPF is configured on the directly connected links of each router (R1-R2 link, R1-R4 link)
  3. R4 has four loopback interfaces, loopback 1 (10.0.1.1), loopback 2 (10.0.2.2), loopback 3 (10.0.3.3) and loopback 4 (10.0.4.4); these loopback networks are redistributed into OSPF
  4. R2 and R3 are part of Area 5, so R2 is an ABR
  5. OSPF Area 5 is configured on the interfaces connecting R2 and R3.

Currently Area 5 is a normal area and has not been configured as a totally stubby area, so R2 installs the R4 loopback networks from Type 5 LSAs and forwards the same LSAs into Area 5.

We can see from the snapshot below that R2 received the R4 loopback networks as Type 5 LSAs and the routes are installed as Type 2 external OSPF routes; we can also see that the link connecting R1-R4 is advertised as a Type 3 LSA.

[Image: R2 routing table showing the R4 loopback routes]
[Image: R2 Type 5 LSAs]

R3 sees the R4 loopback networks as Type 5 LSAs and the R1-R4 and R1-R2 link networks 192.168.14.0/29 and 192.168.12.0/29 as Type 3 LSAs.

[Image: R3 LSA table]

In the next post, let's see what impact configuring Area 5 as an OSPF Totally Stubby Area will have on it.
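The baseline configuration implied by the topology above, as an added example written for this post rather than the author's own router configs. The Area 0 link subnets 192.168.12.0/29 and 192.168.14.0/29 and the four loopback addresses come from the post; interface names, host addresses, router IDs, the /32 loopback masks and the R2-R3 subnet 192.168.23.0/29 are assumptions. The last two stanzas go one step beyond this post and show the change the series is working toward: area 5 stub no-summary on the ABR R2 and the matching area 5 stub on R3.

```cisco
! R1: Area 0 backbone router (interface names, host addresses and router IDs are assumed)
hostname R1
interface GigabitEthernet0/0
 description Link to R2 (192.168.12.0/29)
 ip address 192.168.12.1 255.255.255.248
interface GigabitEthernet0/1
 description Link to R4 (192.168.14.0/29)
 ip address 192.168.14.1 255.255.255.248
router ospf 1
 router-id 1.1.1.1
 network 192.168.12.0 0.0.0.7 area 0
 network 192.168.14.0 0.0.0.7 area 0
!
! R4: Area 0 router; its loopbacks are redistributed, so they reach the other routers as Type 5 LSAs
hostname R4
interface GigabitEthernet0/0
 ip address 192.168.14.4 255.255.255.248
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
interface Loopback2
 ip address 10.0.2.2 255.255.255.255
interface Loopback3
 ip address 10.0.3.3 255.255.255.255
interface Loopback4
 ip address 10.0.4.4 255.255.255.255
router ospf 1
 router-id 4.4.4.4
 network 192.168.14.0 0.0.0.7 area 0
! 'subnets' is required, otherwise only classful networks are redistributed;
! interfaces already running OSPF (the R1-R4 link) are not redistributed as connected
 redistribute connected subnets
!
! R2: ABR between Area 0 and Area 5 (the R2-R3 subnet 192.168.23.0/29 is assumed)
hostname R2
interface GigabitEthernet0/0
 ip address 192.168.12.2 255.255.255.248
interface GigabitEthernet0/1
 ip address 192.168.23.2 255.255.255.248
router ospf 1
 router-id 2.2.2.2
 network 192.168.12.0 0.0.0.7 area 0
 network 192.168.23.0 0.0.0.7 area 5
!
! R3: internal router in Area 5
hostname R3
interface GigabitEthernet0/0
 ip address 192.168.23.3 255.255.255.248
router ospf 1
 router-id 3.3.3.3
 network 192.168.23.0 0.0.0.7 area 5
!
! The change the series is working toward. On the ABR, 'no-summary' blocks Type 3 summaries
! as well as Type 5 externals, and R2 originates a single default route into Area 5 instead.
! R2:
router ospf 1
 area 5 stub no-summary
! R3 must carry the matching stub flag in its Hello packets or the R2-R3 adjacency will not form.
! R3:
router ospf 1
 area 5 stub
```

Running show ip ospf database and show ip route ospf on R3 before and after the last two stanzas shows the Type 3 and Type 5 LSAs of the normal area replaced by the single default route injected by R2.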

Introduction to Cisco port security and the reasons to implement

A growing challenge facing network administrators is determining how to control who can access the organization's internal network, and who can't. For example, can anyone walk into a campus LAN, plug in a laptop, and access the network? You might argue that the wall jack has no connection to a switch, but couldn't someone just pull the Ethernet cable from a working PC and connect to the network that way?

You might think this an unlikely scenario, but it does happen. For example, a salesman coming in to demo products might simply pull the Ethernet cable from a PC and connect it to his laptop, hoping to get Internet access.

I turned to switch port security to help solve the problem. Let’s look at how we can use Cisco’s Port Security feature to protect our organization.

Understand the basics
In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution saying that the port has been disabled for security reasons. By using port security we can keep unexpected devices off the network, which increases security.

Benefits of port security
The key benefits of Port Security are:
• Network Availability – Reduce campus-wide network outages caused by broadcast storms by blocking non-standard hubs and switches.
• Network Reliability – Network port bandwidth can be guaranteed if the port is limited to one MAC address. Bandwidth can't be guaranteed if other network devices are sharing the port.
• DHCP Availability – Reduce the risk of over-subscription of DHCP IP addresses per VLAN by limiting each port to one MAC address.
• Network Security – Limiting each switch port to one MAC address is an attack mitigation strategy. It stops CAM table flooding attacks that force the switch into repeater mode. Tools like macof can be used for this type of attack.
• Future Proofing – The implementation of port authentication at the edge of the network (802.1x) will also limit users to one MAC address per port.

Applying Cisco Security Features to Solve Common Problems

Sample Configuration for port security
Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the switchport port-security interface mode command. Here's an example:

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)# ^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.

Know your options
As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses, one for each device. The maximum number of secure MAC addresses per port is 132.
switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port exceeds the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or to allow traffic only from the secure MAC addresses and drop packets from other MAC addresses (i.e., protect).
switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed on this port rather than letting the port learn it dynamically.

Of course, you can also configure port security on a range of ports. Here's an example:
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security
However, you need to be very careful with this option: if you enter this command on an uplink port that carries more than one device, the whole port will shut down as soon as the second device sends a frame.
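Putting the options above together, here is an added example of an access-port configuration; it is not the post's own configuration and not the only valid combination. It assumes port FastEthernet0/18 as in the post, VLAN 10, and a monitoring station at 10.0.0.50 with a placeholder community string. It goes beyond the post in two places: sticky learning writes the learned MAC into the running configuration so it survives a link flap, and errdisable recovery re-enables a port that was shut down by a violation after an interval, so an administrator does not have to visit every port an unknown device was plugged into.

```cisco
! Added example: access port protected with port security (VLAN 10 is assumed)
interface FastEthernet0/18
 description User access port
! Port security is rejected on a dynamic (DTP-negotiated) port, so force access mode first
 switchport mode access
 switchport access vlan 10
 switchport port-security
! One host per port; raise this only for ports that legitimately feed a hub or an IP phone plus PC
 switchport port-security maximum 1
! Sticky: the first MAC seen is learned and written into the running config (save it with 'write memory')
 switchport port-security mac-address sticky
! Restrict drops frames from any other MAC, increments the violation counter and sends a trap,
! but keeps the port up; the default 'shutdown' err-disables the whole port instead
 switchport port-security violation restrict
 spanning-tree portfast
!
! For ports left on the default 'shutdown' action, let the switch bring an err-disabled port back after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Deliver violation traps to the monitoring station (address and community string are placeholders)
snmp-server enable traps port-security
snmp-server host 10.0.0.50 version 2c COMMUNITY-PLACEHOLDER
!
! Checks: the secure MAC, the violation counter and any err-disabled ports
show port-security interface fastEthernet 0/18
show port-security address
show interfaces status err-disabled
```

With restrict, a second device on the port shows up as a rising Security Violation Count in show port-security interface and as a trap on the monitoring station, while the legitimate host keeps working; with the default shutdown action the port appears in show interfaces status err-disabled until it is bounced or the recovery timer expires.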

View the status of port security
Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command’s output:
Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type            Ports     Remaining Age
                                                    (mins)
----    -----------       ----            -----     -------------
   1    0004.00d5.285d    SecureDynamic   Fa0/18    -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0

Switch#

How to configure Cisco VIRL – VMMaestro to use SecureCRT as an external telnet and SSH Client?

Cisco VIRL comes with an internal SSH and Telnet client which is quite good and opens all SSH and Telnet sessions within the VMMaestro GUI, but if someone wants to use SecureCRT on their Mac as an external client, the change is easy to configure in VIRL VMMaestro.

[Image: VMMaestro preferences]

Terminal > Cisco Terminal

Step 1

Change the title format to: %s

Step 2

Select: Use external terminal applications

Step 3

Use the fields shown below

Telnet command: /Applications/SecureCRT.app/contents/MacOS/SecureCRT
Telnet arguments: /T /N %t /TELNET %h %p
SSH Command: /Applications/SecureCRT.app/contents/MacOS/SecureCRT
SSH arguments: /T /N %t /TELNET %h %p

[Image: VMMaestro Cisco Terminal settings]

By making these minor changes you can use SecureCRT to SSH or Telnet to VIRL devices.

[Image: SecureCRT telnet session to a VIRL device]
[Image: VIRL telnet session]

Does CCIE track selection need counselling?

When it comes to choosing a CCIE track, most CCIE aspirants are confused; every day I encounter at least one CCIE aspirant approaching me for advice. Sometimes I pity them, but they are in need of guidance, so I try to support them and guide them to the best of my ability.

[Image: CCIE]

Why are most of them confused in choosing CCIE tracks?

It has been observed that most of them are confused at step 1 of the CCIE: they struggle to choose a CCIE track. Some of them meet instructor after instructor from different tracks to select a track, which only confuses them more. I have even seen some people start with CCIE track A for a few months and then change to track B; this is not a good sign for someone who has already started the CCIE journey.

I believe most of them want to choose a CCIE track for different reasons like

  • Which CCIE track is in more demand?
  • Which CCIE track is easy to pass?
  • Which CCIE track offers me more remuneration?
  • Which CCIE track is easy to simulate?
  • Which CCIE track costs less?

And so on. Well, these are not valid reasons to select a CCIE track. I strongly believe there should be a strong desire and passion towards a particular track, which comes out when you ask the series of questions mentioned in the article "The Journey of CCIE – Series 1". Yet some people may need some sort of pre-CCIE counselling in selecting a CCIE track and planning their journey.

Well, as far as I know no one is offering such a service. If someone wants guidance they can reach out to me and I can assist them in choosing their passion. Yes, CCIE is a passion and can only be achieved when someone gives more than 100%. Please do feel free to reach out to me; I will be more than glad to help you.

How to set up an F5 BIG-IP LTM Virtual lab on VMware Fusion?

After passing the F5 201 – TMOS Administration Exam, some professional friends were keen to know how to build an F5 practice lab on their personal machines.

In this post we will walk through, step by step, how to build a virtual lab for the F5 201 – TMOS Administration Exam on macOS Sierra.

We will be using the following topology to build an F5 virtual lab so that one can practice for the 201 – TMOS Administration Exam. Before starting, please ensure VMware Fusion is installed on macOS Sierra.

Fig 1 – F5 BIG-IP LTM Topology

We will be using four VMware networks for this lab; by default only "vmnet" is created, so we need to create three more VMware networks:

  • vmnet2
  • vmnet3
  • vmnet4

The IP address mapping and functions of the VMware networks are as follows:

[Figure 2: IP address schema]

Step 1: Launch VMware Fusion and then select Preferences

[Figure 3: VMware Fusion preferences]

Step 2: Click the Network icon and click the lock icon to make changes

[Figure 4: Network]

Step 3: Select the + icon to add a custom network named vmnet2 and assign the subnet IP 172.16.1.0 and subnet mask 255.255.255.0. This will be the internal network. Also ensure the following checkboxes are selected:

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP

[Figure 5: Add custom network]
[Figure 6: vmnet2]

Step 4-a: Select the + icon to add a custom network named vmnet3 and assign the subnet IP 172.16.2.0 and subnet mask 255.255.255.0. This will be the HA network. Also ensure the following checkboxes are selected:

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP

[Figure 7: vmnet3]

Step 4-b: Select the + icon to add a custom network named vmnet4 and assign the subnet IP 10.1.0.0 and subnet mask 255.255.255.0. This will be the management network. Also ensure the following checkboxes are selected:

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP

[Figure 8: vmnet4]

Step 5: Log into the F5 website and request a free trial version of BIG-IP Virtual Edition

[Figure 9: Free trial of BIG-IP VE]

Step 6: Once an email with the BIG-IP registration key is received from F5, download the BIG-IP VE System VMware image. Since the F5 201 – TMOS Administration Exam is based on TMOS version 11.4, we will download BIG-IP v11.4 Virtual Edition for our labs. Download the OVA file for VMware ESX/i Server v4.1-5.1, as it is compatible with VMware Fusion.

[Figure 10: BIG-IP VE image]

Step 7-a: Import the BIG-IP VE System VMware image: VMware Fusion > File > Import

[Figure 11: Import BIG-IP]

Step 7-b: Click Choose File

[Figure 12: Choose file]

Step 7-c: Navigate to the folder where the BIG-IP VE System VMware image was downloaded, select the BIGIP-11.4.0.2384.0-scsi.ova image file and then click Open

Click Continue to import the BIG-IP VE System VMware image

[Figure 13: BIG-IP import]

Step 7-d: Name the new virtual machine with the desired name and then click Save

[Figure 14: Save BIG-IP]

Step 7-e: Accept the license agreement

[Figure 15: Accept license]

Step 8: Once the import is complete, click Finish and then click Customize Settings to configure the network settings; if needed, one can also customize the memory, CPU and hard disk settings

[Figure 16: Finish]

Step 9-a: Customize the Network Adapter settings to match the topology you are using.

In our case we will match them to our topology

[Figure 17: Network adapters]

Step 9-b: Map Network Adapter to the vmnet4 network, as this will be assigned to the management interface of the BIG-IP virtual appliance

[Figure 18: Network Adapter]

Step 9-c: Map Network Adapter 2 to the bridged networking interface (in our case Network Adapter 2 will be bridged to the Wi-Fi adapter, which is connected to the external network 192.168.1.0/24)

[Figure 19: Network Adapter 2]

Step 9-d: Map Network Adapter 3 to the vmnet2 network, as this will be assigned to the internal interface of the BIG-IP virtual appliance

[Figure 19: Network Adapter 3]

Step 9-e: Map Network Adapter 4 to the vmnet3 network, as this will be assigned to the HA interface of the BIG-IP virtual appliance

[Figure 19: Network Adapter 4]

By following the above steps one can build an F5 BIG-IP LTM lab on a laptop using VMware Fusion. In the upcoming post we will see how to do the initial configuration on F5 BIG-IP Virtual Edition so that F5 201 – TMOS Administration Exam labs can be run on a laptop.