Cisco & Cisco Network Hardware News and Technology


Cisco ASA 5510 Firewall Basic Configuration Tutorial

April 5 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

This is a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc.) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the Cisco ASA 5510 comes with two license options: the Base license and the Security Plus license. The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.


Next we will see a simple Internet Access scenario which will help us understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected on the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch.

 

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let's see a snippet of the required configuration steps for this basic scenario:

 

Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5510(config)# enable password mysecretpassword

 

Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

 

Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

 

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

 

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

 

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
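As an added example (not part of the tutorial), the Python script below checks a configuration excerpt like the one above for the mistakes that most often break this scenario: a nat ID with no matching global, a default-route next hop that is not on the outside subnet, and a dhcpd pool that does not fit inside the inside interface's subnet. The embedded config is the tutorial's own commands with the prompts removed; parse_asa and audit_asa are names chosen here, not ASA commands.

```python
import ipaddress
import re

# The tutorial's own commands (prompts stripped), embedded as sample input.
ASA_CONFIG = """\
enable password mysecretpassword
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
 no shut
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shut
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
dhcpd dns 200.200.200.10
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
"""


def parse_asa(text):
    """Build a small model of the pieces this scenario depends on."""
    m = {"ifaces": {}, "global_ids": set(), "nat_ids": set(), "routes": [],
         "pools": {}, "enable_password": False}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            cur = {"nameif": None, "level": None, "net": None}
            continue
        if cur is not None and raw[0] in " \t":      # interface sub-command
            if line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
                m["ifaces"][cur["nameif"]] = cur
            elif line.startswith("security-level "):
                cur["level"] = int(line.split()[1])
            elif line.startswith("ip address "):
                _, _, addr, mask = line.split()
                cur["net"] = ipaddress.ip_interface(f"{addr}/{mask}")
            continue
        cur = None                                   # back in global config
        if line.startswith("enable password "):
            m["enable_password"] = True
        elif line.startswith("global ("):
            m["global_ids"].add(line.split()[2])
        elif line.startswith("nat ("):
            m["nat_ids"].add(line.split()[2])
        elif line.startswith("route "):
            p = line.split()                         # route <if> <net> <mask> <gw> [metric]
            m["routes"].append((p[1], p[2], ipaddress.ip_address(p[4])))
        elif line.startswith("dhcpd address "):
            r = re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line)
            m["pools"][r.group(3)] = (ipaddress.ip_address(r.group(1)),
                                      ipaddress.ip_address(r.group(2)))
    return m


def audit_asa(text):
    """Return findings for the excerpt; an empty list means every step lines up."""
    m = parse_asa(text)
    f = []
    if not m["enable_password"]:
        f.append("no enable password: privileged mode is open")
    out, ins = m["ifaces"].get("outside"), m["ifaces"].get("inside")
    if out and out["level"] != 0:
        f.append("outside: security-level should be 0")
    if ins and ins["level"] != 100:
        f.append("inside: security-level should be 100")
    # A nat ID with no matching global means inside hosts are never translated.
    for nat_id in sorted(m["nat_ids"] - m["global_ids"]):
        f.append(f"nat id {nat_id} has no matching global")
    # The default route's next hop has to live on the outside subnet.
    for _iface, dest, gw in m["routes"]:
        if dest == "0.0.0.0" and out and out["net"] and gw not in out["net"].network:
            f.append(f"default gateway {gw} is not in outside subnet {out['net'].network}")
    # The DHCP pool must sit inside the served interface's subnet and must not
    # hand out the interface's own address.
    for ifname, (lo, hi) in m["pools"].items():
        i = m["ifaces"].get(ifname)
        if i is None or i["net"] is None:
            f.append(f"dhcpd pool on unknown interface {ifname}")
        elif lo > hi or lo not in i["net"].network or hi not in i["net"].network:
            f.append(f"dhcpd pool {lo}-{hi} falls outside {ifname} subnet {i['net'].network}")
        elif lo <= i["net"].ip <= hi:
            f.append(f"dhcpd pool on {ifname} includes the interface address {i['net'].ip}")
    return f


if __name__ == "__main__":
    print(audit_asa(ASA_CONFIG) or "config is consistent")
```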

 

More Related: How to Configure Cisco ASA 5505 Firewall?...


How to Select the Right Cisco Switches for Your Local Area Network?

March 23 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Creating network designs for people is not an easy task, for many factors and requirements need considering. The fact is that most organizations do not upgrade their LAN to prepare for the future; most of them don't touch the network as long as it is running properly and supporting the users' applications. Planning to put a secure voice system on the network takes the network requirements to another level.

[Figure: core, distribution and access layers]

There is a lot more to consider than QoS for putting voice on the LAN, although that is what the discussion is usually centered around. The LAN also has to have a number of other attributes:

  1. Secure - with voice on the LAN, the switches must have security features that can prevent them from being attacked with MAC address floods, rogue DHCP servers, gratuitous ARPs changing the default gateway, and other attacks that can be launched by malware.
  2. Fast - If voice goes through multiple switches, each hop can add latency. Instead of store-and-forward of the Ethernet frames, switches should use cut-through to move things along. Server and uplink speeds should be gigabit, while for most organizations 10/100 Mbps to the desktop is just fine.
  3. QoS - As discussed above. This comes into play mostly in uplinks. When remote access layer closets are connected back to the distribution layer, there is a choke point in the LAN. Any choke point requires queuing to prioritize the voice.
  4. Reliable - Long Mean Time Between Failure, well-tested code to limit bugs, good support from the manufacturer in case there is a software or hardware issue.
  5. Manageable - The switches have to be able to be managed remotely, have SNMP information, be able to log, and be configurable. GUI interfaces are OK, but there is nothing like a solid command line interface for rapid configuration, troubleshooting, and repair.
  6. Power Density - Switches have to be able to support the power density of the planned devices. Most switches cannot power all ports at the highest levels.
  7. Power and Cooling - Since IP phones are powered from the switches, all access layer switches will require properly sized UPSs. A basic switch consumes about 60 Watts. A 48 port switch with 15 Watt phones plugged into every port will require at least 600 Watts. Put a few of those switches in the closet and you are looking at not only a much bigger UPS, but also better cooling.
  8. Redundant Design - The only place that there should be a single point of failure is at the access layer in the closets. If a switch fails, only the devices connected to that switch should lose connectivity; all others should work around the issue. In most cases that means dual uplinks from each closet to a redundant distribution layer at the core.

An excellent reference to everything discussed above is the Cisco Campus Network for High Availability Design Guide. This drawing shows both redundant uplinks and the single points of failure that are acceptable:

[Figure: redundant uplinks and the acceptable single points of failure]

When all the requirements for a good LAN that can support voice are evaluated, it turns out that it prepares the network for future requirements as well, like IP security cameras, wireless access points, and other devices that may hang off the LAN.

It is certainly possible to build out a LAN with non-Cisco switches, but there are so many little things that are useful with Cisco switches, and they tend to be price competitive, that it is usually best to go with them. For example, one of the most useful tools is Cisco Discovery Protocol, which lets you see what other CDP devices are connected to an individual switch. I use this all the time to work my way through a network and find out where devices are located.

Having set a baseline for what we are looking for in a LAN switch, we can overview a variety of Cisco switches that are available and largely required by small to large businesses. And most of them serve a useful purpose for different situations.

Cisco Catalyst 2960 Series – a type of useful, versatile switch. It is layer 2 only, so no routing. The 24 port 10/100 POE version is great. It includes two gigabit dual-personality uplink ports, so a stack can be linked together, and then the top and bottom of the stack can be connected by fiber to the distribution switches. This switch is good and popular.

Cisco 3560 Series – Similar to the 2960, but has a few more features. This is a layer 3 switch, and has three different classes of IOS. IP Base includes static routing and EIGRP stub, but no multicast routing. IP Services includes the full routing feature set. IP Advanced Services includes IPv6 on top of everything else. The SFP ports have to be populated with either copper or fiber gig SFPs to uplink.

Cisco 3750 – This is just like the 3560, but with one big difference. The 3750 includes two Stackwise connectors on the back of the switch, allowing up to nine switches to be stacked together using a 32 Gbps backplane speed. The stack is managed as a single switch, and uplink ports on different switches can be connected together with EtherChannel so that multi-gigabit closet uplinks can be obtained. For an inexpensive distribution layer, a small stack of 3750 switches is ideal. The entire stack is limited to 32 Gbps of throughput, so this is not a good server switch for more than about 20 servers.

Cisco 4500 – This is a chassis switch that is designed to be used in the access layer. The internal design is optimized for connecting a bunch of users and uplinking out of the closet, since the internal connections to the different thirds of each blade are limited to 2 Gbps in most of the linecards. The latest version of the blades and supervisor are faster, but are still oversubscribed, so this should not be used for a distribution or server switch. It is a great access layer closet switch for high density (>200 users) gigabit POE to the desktop.

Cisco 3560E Series – The E version of the 3560 switches is gigabit to the desktop with 10 gigabit uplink and aggregation. They also have modular power supplies so that every port on a 48 port switch can be powered to the highest level if required.

Cisco 3750E – gigabit speed, 10 Gbps uplinks, and Stackwise+ for switch interconnection. Stackwise+ is twice the speed of Stackwise at 64 Gbps, but has a much higher effective speed since all traffic that is on one switch can stay on the switch, whereas with Stackwise on the 3750s all traffic traverses the Stackwise link.

Cisco Catalyst 6500 Switches – Excellent switch, very useful as a distribution and server switch. The switch has three backplanes, and it is worthwhile looking at the connection speed of the supervisor engines and blades before making a decision. The legacy backplane is still available using the Sup720; it is a 32 Gbps shared backplane. New blades use either CEF256, which is an 8 Gbps connection, or CEF720, which uses dual 20 Gbps connections.

  • The Cisco 6500 blades can have distributed routing features, or dCEF. These are typically not required except for the most challenging networks.
  • The most cost-effective and reliable method for setting up a 6500 is to use a single 6509 chassis with redundant power supplies, redundant supervisor engines, dual 6748 gigabit blades for server connectivity, and dual 6748 fiber uplink blades for connecting remote wiring closets.
  • The Cisco 6509 has no limitations – any blade can go into any slot. The Catalyst 6513 has more slots, but only the bottom four can accept the CEF720 blades, the top seven slots connect at CEF256 or slower.
  • My preference is to usually use this box as just a switch, and put routing, firewall, wireless control and other functions in dedicated boxes, but there are certain situations where the ability to put services modules like the ACE module, IPS modules, or Firewall services module in the 6500 solve a specific technical problem.

 

So, some examples of good designs:

  1. If there are between 500 and 2000 hosts on a LAN, then single or dual 6500s at the core/distribution layer are appropriate. Stacks of 3750s or 2960s in the closet with gigabit uplinks back to the distribution layer are appropriate.
  2. For between 100 and 500 hosts on a LAN, a stack of 3750E or 3750 switches at the core/distribution layer and a stack of 2960s in the closets would be a good design for most organizations.
  3. For <100 hosts, a good design is dual 3750s at the distribution layer with 2960s for the access layer. If price is the deciding factor then a stack of 2960s is appropriate.

 

Examples of non-optimal designs that I have seen:

  1. Putting a single Cisco 3750 in an access layer closet. There is no reason for this, as the primary benefit of the 3750 is its Stackwise system. If there is only one, then no stacking is required.
  2. Adding dCEF capability to a 6500 when there is very little routing to be done in the system, and the 6500 is nowhere near hitting its performance limit with all routing being done in the supervisor engine.
  3. Having a mismatch between power draw and power supply on the switch. This can happen from having power supplies that are too small, or loading too many POE devices onto an underpowered 48 port switch.

One of the most useful devices to increase reliability of the switching infrastructure is a backup power supply. One of my rules of thumb is that moving parts break first, so the most likely item to fail in the switch is the power supply and/or cooling fans. Every Cisco switch and most of the smaller routers have a DC port in the back. That is for backup power.

The Cisco RPS675 can be used as backup power. It has dual power supplies, and can connect to six different devices. If those devices ever lose their power supply, then the RPS box will provide power via the DC power port, and everything will continue to run. The only tricky thing is ordering the correct cables. There is one set of cables for E versions of switches, and another set for all other devices.

Putting together a LAN upgrade design is a relatively straightforward process. The difference between a good design and a poor one really comes down to the details. No one wants to get a cheap network that will not handle the needs of the organization in the next few years and have to be replaced, and conversely most organizations would not want to pay for an oversized network that is too expensive.

It is best to get a design done by a reseller that regularly sells and deploys the products they are recommending. Good VARs will stay on top of the new products that are out, and will adjust their recommendations based on the customer's needs and budget. I would argue that a good VAR can put together a better design than a sales engineer from a manufacturer. The VAR is responsible for making it work within budget, whereas the manufacturer will not do the installation, and is compensated for selling as much equipment as possible.

 

More Cisco hardware guide and info you can visit: http://www.router-switch.com/Price-cisco-switches-cisco-switch-catalyst-3560_c22?page=3


How to Find the Chassis Temp of a Cisco Catalyst 2960?

March 12 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco Catalyst 2960 switch is a small switch that runs the same Cisco IOS that the larger switches do, and has most of the same features. This article describes several ways you can pull information from the switch, such as the chassis temperature. These methods should work on most Cisco switches. Have a computer with terminal emulation software ready before you start.

[Image: Cisco Catalyst 2960 Series]

 

Command Line Interface (CLI)

1. Establish a terminal console connection by entering the IP address of the switch into the "Host Name (or IP Address)" section of the terminal emulation software. Select "SSH" or "Telnet" as the "Connection Type" and click "Open."

 

2. Verify you are in the "Privilege Exec" mode, which uses a "#" at the end of the prompt. Enter the command "enable" to move out of the "Exec" mode and into the "Privilege Exec" mode. (The "Exec" mode uses a ">" at the end of the prompt.)

 

3. Enter the command "show env all" to see all the environment information. The "Temperature is" section will be at "OK" and the "Temperature State" will be "Green" if the "Temperature Value" is below the "Yellow Threshold" value.

 

4. Modify the "Yellow Threshold" with the command "system env temperature threshold" followed by a number. This command must be issued from the "config" mode, which has "(config)" at the end of the prompt. To move from the "Privilege Exec" mode to the "config" mode, issue the command "configure terminal."
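Added example, not from the article: a Python parser for the "show env all" fields named above that reproduces the threshold comparison and adds a headroom warning, so a monitoring job can alert before the switch itself reports Yellow. The sample output is constructed, and the function names are assumptions made here.

```python
import re

# Constructed "show env all" output in the shape the article describes
# (Temperature Value, Temperature State, Yellow/Red Threshold); the numbers
# are made up for this example, not taken from a real switch.
SHOW_ENV_ALL = """\
FAN is OK
TEMPERATURE is OK
Temperature Value: 41 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 48 Degree Celsius
Red Threshold    : 58 Degree Celsius
POWER is OK
"""

# Each field is "<name> : <value> ..." with variable spacing before the colon.
FIELD_RE = re.compile(
    r"^(Temperature Value|Temperature State|Yellow Threshold|Red Threshold)\s*:\s*(\S+)",
    re.MULTILINE)


def parse_show_env(text):
    """Pull the temperature fields out of 'show env all' output."""
    fields = dict(FIELD_RE.findall(text))
    missing = {"Temperature Value", "Temperature State",
               "Yellow Threshold", "Red Threshold"} - fields.keys()
    if missing:
        raise ValueError(f"fields not found in output: {sorted(missing)}")
    return {
        "value": int(fields["Temperature Value"]),
        "state": fields["Temperature State"].upper(),
        "yellow": int(fields["Yellow Threshold"]),
        "red": int(fields["Red Threshold"]),
    }


def expected_state(value, yellow, red):
    """Colour logic: GREEN while below the yellow threshold (as the article
    says); the YELLOW and RED bands against the red threshold are assumed here
    to follow the same pattern."""
    if value < yellow:
        return "GREEN"
    if value < red:
        return "YELLOW"
    return "RED"


def check_temperature(text, margin=5):
    """Return a small report. 'alert' is True when the switch is already out of
    the green band or within `margin` degrees of leaving it."""
    env = parse_show_env(text)
    headroom = env["yellow"] - env["value"]
    computed = expected_state(env["value"], env["yellow"], env["red"])
    return {
        "value": env["value"],
        "reported_state": env["state"],
        "computed_state": computed,
        "headroom": headroom,
        "alert": computed != "GREEN" or headroom <= margin,
    }


if __name__ == "__main__":
    print(check_temperature(SHOW_ENV_ALL))
```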

 

Web Browser

5. Check if the web service is running on your switch by issuing the command "show ip http server status" from the "Privileged Exec" mode. See the CLI section above for details on how to get there.

 

6. Verify that "HTTP server status" and/or "HTTP secure server status" is set to "Enabled." Issue the command "ip http server" from the "configuration" mode to enable the web services. To disable the HTTP service, issue the command "no ip http server."

 

7. Open a browser, type the IP address of your switch into the address bar and hit enter.

 

8. Check the far right section titled "Temp" for the temperature of the switch.

 

Tips & Warnings

You can also use SNMP traps to monitor the switch temperature, but the process is not very intuitive and requires knowledge of SNMP MIBs, traps and monitoring software.

Enabling the HTTP service on your switch introduces a security risk.


Reference from Cisco.com

Catalyst 2960 Switch Software Configuration Guide

Cisco Catalyst 2960-S and 2960 Series Switches with LAN Base Software

Cisco IOS Commands Master List


How to Upgrade the License on Cisco ASA?

March 7 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The different licensing “levels” available on the Cisco Adaptive Security Appliances allow an organization to buy only what they need while retaining the option to upgrade in the future, if necessary.

For example, a small business with 15 employees may start out with a Cisco ASA 5505 with a 25-user (or, more correctly, 25-host) license. As new employees are hired — or existing employees begin using Wi-Fi on more devices — they may approach the limit and find it necessary to upgrade to a 50- or unlimited-user license.

[Image: Cisco ASA 5510]

Once you have obtained a new “activation key”, upgrading the license on a Cisco ASA is one of the simplest tasks you can perform, although it will often require a reload of the device to take effect.

 

You can see what license you currently have installed using the show activation-key command:

ciscoasa# show activation-key
Serial Number: JMX1316M41H
Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 3, DMZ Restricted
Inside Hosts: 10
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 10
WebVPN Peers: 2
Dual ISPs: Disabled
VLAN Trunk Ports: 0
AnyConnect for Mobile: Disabled
AnyConnect for Linksys phone: Disabled
Advanced Endpoint Assessment: Disabled
UC Proxy Sessions: 2

This platform has a Base license.
The flash activation key is the SAME as the running key.

 

Upgrading to our new license is simply a matter of going into global configuration mode and using the activation-key command to provide the new license key to the ASA:

ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8
Failover is different.
   flash activation key: Restricted(R)
   new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]

 

Our new activation key was accepted. The above output shows that the activation key saved in flash memory is “Restricted” while the new one we’ve just supplied is “Unrestricted”. The ASA asks us to confirm that we want to update the key; go ahead and press ENTER.

Failover is different.
   running activation key: Restricted(R)
   new activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become active after the next reload.
ciscoasa(config)#

 

The ASA tells us that the activation key stored in flash was updated (and will take effect upon the next reload), but the running activation key was not changed. When you see this, the ASA is telling you that you need to perform a reload for the new features to take effect.

 

I’ll go ahead and do that, though you might need to wait for a maintenance window or planned downtime.

ciscoasa(config)# end
ciscoasa# reload
Proceed with reload? [confirm]

Once the ASA has reloaded, we can log back in and verify that our new license — and new features — are active:

ciscoasa# show activation-key
Serial Number:  JMX1316M41H
Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 20, DMZ Unrestricted
Inside Hosts: Unlimited
Failover: Active/Standby
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 25
WebVPN Peers: 2
Dual ISPs: Enabled
VLAN Trunk Ports: 8
AnyConnect for Mobile: Disabled
AnyConnect for Linksys phone: Disabled
Advanced Endpoint Assessment: Disabled
UC Proxy Sessions: 2

This platform has an ASA 5505 Security Plus license.
The flash activation key is the SAME as the running key.
ciscoasa#

 

The ASA is back up and running and you can start using the additional features that your new license provides.

 

More info and tutorials of Cisco and Cisco firewall you can visit: http://blog.router-switch.com/


Cisco ISR G2 - the Best a Branch can Get? —Any Service, Any Branch, Anywhere

March 6 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Transform your branch-office experience with the new Cisco Integrated Services Routers Generation 2 (ISR G2) Family, Cisco’s latest addition to the tremendously successful integrated services router portfolio. The Cisco ISR G2s are part of the Cisco Borderless Network Architecture that enables business innovation and growth across all remote sites. The next-generation architecture delivers a new workspace experience by meeting the performance requirements for the next generation of WAN and network services, enabling the cost-effective delivery of high-definition collaboration at the branch office and providing the secure transition to the next generation of cloud and virtualized network services. Designed for optimal service delivery on a single platform, the new Cisco ISR G2 routers give businesses greater power to deliver a superior customer experience and deploy services “on demand” as business needs dictate—while reducing overall operating costs.

 

What Problems Do Cisco ISR G2s Help Solve?

With the number of employees growing at the branch office, IT teams are challenged to securely and efficiently connect remote locations at minimal cost. The Cisco ISR G2 not only addresses critical branch-office challenges like the first generation, it also introduces revolutionary ways to make the remote office more productive, more collaborative, and more operationally efficient. These new innovations enable branch offices to:

Deliver next-generation WAN and network service requirements

Become more productive through increased video-based collaboration and rich-media services

Securely transition to cloud and virtualized network services

Minimize energy consumption and costs to support corporate sustainability

Enable small IT teams to scale services worldwide

 

Cisco ISR G2 Positioning

The Cisco ISR G2 provides a highly secure and reliable platform for scalable multiservice integration at enterprise and commercial branch offices of all sizes and small-to-medium sized businesses (Figure 1). The excellent service delivery on a single platform, now up to 8x greater performance, offers the ultimate user experience with the architectural scalability and investment protection needed to minimize overall deployment costs.

 

Figure 1 Cisco Integrated Services Routers Generation 2

[Figure 1 image]

 

What’s new on Cisco ISR G2?

Table 1 compares the features of the first and second generations of Cisco Integrated Services Routers.

[Table 1 image: what's new in ISR G2]

 

Why Upgrade Your Existing Access Router to a Cisco ISR G2 Router?

The Cisco ISR G2 portfolio builds upon the market success of the first generation of integrated services routers with new enhancements that deliver greater value to your business with new enhancements for service virtualization, video-ready capabilities, and operational excellence. Our exciting new innovations deliver:

Video-ready branch office for a superior customer experience with new services that transform the branch-office workspace:

Media engines that enable business-grade video applications based on high-density video-ready DSPs that deliver the media net high-definition experience

Bandwidth-optimized and scalable video services, including media-rich video conferencing, video surveillance, video streaming, and digital signage

High-performance (up to 8x), nonstop branch office experience to meet your future WAN and services requirements

TelePresence capability to your midsize branch offices with T1/E1 links

Service virtualization to deliver highly effective business innovation that achieves unparalleled service:

Cloud extensibility and services virtualization for mission-critical application survivability to remote sites

Broadest services offering to all branch-office sites, including security, unified communications, WAN optimization, application integration, and customizable virtual services

A revolutionary “on-demand” services delivery model enabled by the innovative Cisco Services Ready Engine (SRE)

Operational excellence providing the lowest total cost of ownership (TCO) with scalability, operational flexibility, and simplicity based on best-in-class service integration, innovative pay-as-you-grow model, and optimized energy efficiency:

Superior business flexibility for on-demand service delivery with minimal system upgrades

Increased branch-office uptime with enhanced availability features

Greater energy efficiency with slot-based controls to decrease costs and support sustainability

Simplified deployment with a single Cisco IOS Software image

Investment protection with support for most of the prior generation of integrated services router interfaces

 

Cisco Services for the Branch Office

Services from Cisco and our certified partners can help you transform the branch-office experience and accelerate business innovation and growth with Borderless Networks. We have the depth and breadth of expertise to create a clear, replicable, optimized branch office footprint across technologies that will help you:

Increase the accuracy, speed, and efficiency of deployment

Improve operational efficiency, save money, and mitigate risk

Continuously improve performance

 

Why Cisco?

Built on 25 years of innovation and product leadership along with broad market acceptance, the new generation of access routers continues to optimize service integration to transform the branch-office experience with the speed, scale, and flexibility to deliver tomorrow’s services transparently at a low cost of ownership. For more information, please visit: www.cisco.com/go/isrg2.

 

Table 2 compares the models of the Cisco ISR G2 portfolio.

[Table 2 image: ISR G2 model comparison]

More Cisco ISR G2 Files: Cisco ISR G2 Management Overview


Ethernet Switches and Crossover Cables

February 29 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Ethernet Switch

A switch is something that is used to turn various electronic devices on or off. However, in computer networking, a switch is used to connect multiple computers with each other. Since it is an external device it becomes part of the hardware peripherals used in the operation of a computer system. This connection is done within an existing Local Area Network (LAN) only and is identical to an Ethernet hub in terms of appearance, except with more intelligence. These switches not only receive data packets, but also have the ability to inspect them before passing them on to the next computer. That is, they can figure out the source, the contents of the data, and identify the destination as well. As a result of this uniqueness, a switch sends the data to the relevant connected system only, thereby using less bandwidth at high performance rates.

 

Ethernet Switches and Crossover Cables

The wires in a crossover cable are “crossed” so that output signals from the transmitting device are properly sent as input signals to the receiving end. An Ethernet switch can be thought of as a device that makes temporary crossover cable connections between computers that want to communicate. Just like crossover cables, switches do not suffer from collision problems.

However, it should be noted that the actual cables used are “straight through.” The crossover function is done inside of the switch.

 

Since separate wires are used for sending and receiving, switches support operation in full duplex mode. This mode allows devices to send and receive data at the same time.

 

Advantages over Hubs

As mentioned above, switches are intelligent devices that can read the data packets that pass through them. By storing each host’s MAC address and its corresponding port in a table, switches ensure that bandwidth is not wasted by intelligently directing traffic. Hubs are dumb devices that do not do any processing.

 

Unlike hubs, switches are modern, fast, and support full duplex operation. In short, they are much better.

 

...To be continued...

 


Cisco Switch Port Security ---How to Configure Switch Security?

February 27 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Conventional network security often focuses more on routers and blocking traffic from the outside. Switches are internal to the organization and designed to allow ease of connectivity, therefore only limited or no security measures are applied.

 

The following basic security features can be used to secure your switches/Cisco switches and network:

* Physically secure the device
* Use secure passwords
* Enable SSH access
* Enable port security
* Disable http access
* Disable unused ports
* Disable Telnet

 

Let’s look at how to implement and configure some of the above mentioned switch security features.

[Image: Cisco switch port security]


 

1. How to Configure the privileged EXEC password.  

Use the enable secret command to set the password. For this activity, set the password to orbit.

SW1#configure terminal

SW1(config)#enable secret orbit

SW1(config)#

 

2. How to Configure virtual terminal (Telnet) and console passwords and require users to login.

A password should be required to access the console line.  Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.

Use the following commands to secure the console and telnet:

SW1(config)#line console 0

SW1(config-line)#password cisco

SW1(config-line)#login

SW1(config-line)#line vty 0 15

SW1(config-line)#password cisco

SW1(config-line)#login

SW1(config-line)#exit

SW1(config)#

 

3. How to Configure password encryption.

At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode.

SW1(config)#service password-encryption

SW1(config)#

 

4. How to Configure and test the MOTD banner.

Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:

i. The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.

 

ii. Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.

 

iii. After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.

 

SW1(config)#banner motd %Authorized Access Only%

SW1(config)#end

SW1#exit

 

5. How to Configure Port Security

Enter interface configuration mode for FastEthernet 0/11 and enable port security.

Before any other port security commands can be configured on the interface, port security must be enabled.

SW1(config-if)#interface fa0/11

SW1(config-if)#switchport port-security

* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.

 

6. How to configure the maximum number of MAC addresses.

To configure the port to learn only one MAC address, set the maximum to 1:

SW1(config-if)#switchport port-security maximum 1

 

7. How to configure the port to add the MAC address to the running configuration.

The MAC address learned on the port can be added to (“stuck” to) the running configuration for that port.

SW1(config-if)#switchport port-security mac-address sticky 

 

8. How to Configure the port to automatically shut down if port security is violated.

If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.

SW1(config-if)#switchport port-security violation shutdown

Use the show mac-address-table command to confirm that SW1 has learned the MAC address of the intended device, in this case PC1.

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0060.5c4b.cd22    STATIC      Fa0/11

 

You can also use the show port-security interface fa0/11 command to verify that a security violation has occurred:

SW1#show port-security interface fa0/11
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.F7B0.086E:20
Security Violation Count   : 1

 

9. How to Secure Unused Ports

Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. Disabling an unused port stops traffic from flowing through the port(s).

Step 1: Disable interface Fa0/10 on SW1.

Enter interface configuration mode for FastEthernet 0/10 and shut down the port.

SW1(config)#interface fa0/10

SW1(config-if)#shutdown

 

Step 2: Disable interfaces Fa0/1 to Fa0/24 on SW1.

SW1(config)#interface range fa0/1-24

SW1(config-if-range)#shutdown
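The list at the top of this post also names SSH access, disabling Telnet and disabling HTTP access, which the steps above do not show. The following is an added example, not the original tutorial's configuration, that completes those items and repeats the port-security stanza with the access-mode setting a physical Catalyst port requires; the domain name, the local username and password, and VLAN 999 are assumed values.

```cisco
! Added example, not from the original post. Domain name, username,
! password and VLAN 999 are assumed placeholder values.
SW1#configure terminal
! SSH needs a hostname and a domain name before an RSA key can be generated
SW1(config)#hostname SW1
SW1(config)#ip domain-name example.local
SW1(config)#crypto key generate rsa modulus 2048
SW1(config)#ip ssh version 2
! Local account; "secret" stores a hash, unlike the type 7 line passwords
SW1(config)#username admin privilege 15 secret Str0ng-Placeholder-Pw
SW1(config)#line vty 0 15
! login local replaces the line password from step 2 with the local user
SW1(config-line)#login local
! Accept SSH only: this is what "Disable Telnet" means on the VTY lines
SW1(config-line)#transport input ssh
SW1(config-line)#exec-timeout 10 0
SW1(config-line)#exit
! Disable the web management interface (HTTP and HTTPS)
SW1(config)#no ip http server
SW1(config)#no ip http secure-server
! Port security: the port must be a static access port, otherwise
! "switchport port-security" is rejected with "is a dynamic port"
SW1(config)#interface fa0/11
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security mac-address sticky
! shutdown is also the default violation mode; stating it keeps the intent visible
SW1(config-if)#switchport port-security violation shutdown
SW1(config-if)#exit
! Unused ports: shut them down and park them in an unused VLAN
SW1(config)#vlan 999
SW1(config-vlan)#name UNUSED
SW1(config-vlan)#exit
SW1(config)#interface range fa0/12 - 24
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 999
SW1(config-if-range)#shutdown
SW1(config-if-range)#end
! Verify SSH, the VTY transport and the secured ports, then save
SW1#show ip ssh
SW1#show port-security
SW1#copy running-config startup-config
```

Sticky MAC addresses live in the running configuration, so the final copy to startup-config is what makes them survive a reload.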

 

More Cisco switches' tutorials: http://blog.router-switch.com/category/reviews/cisco-switches/


Cisco Ethernet Switches Make Big Leap to 40/100G

February 3 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco unveiled significant extensions to both of its major switching lines with the addition of 40/100G Ethernet capabilities.


The enhancements are intended to address the growth of 10G Ethernet in data centers, which Dell’Oro Group forecasts will be the major revenue contributor to Ethernet switching in the next five years. Growth in 10G necessitates larger pipes between switches to aggregate those links and forward traffic at faster rates to alleviate congestion and keep network operations running optimally, especially with trends like cloud, video and mobility sending more packets in all different directions.

 

Cisco is adding 40G Ethernet to its Catalyst 6500 switching line, and 40/100G Ethernet to its Nexus 7000 switch to aggregate 40G at the core, and interconnect data centers to service providers.

 

Cisco also rolled out two fixed configuration switches for high-density 10G Ethernet in campus aggregation and data center top-of-rack deployments.

 

And in an effort to bring legacy infrastructures into the virtual world, Cisco unveiled network virtualization capabilities for its Catalyst 6500, 4500 and ASR 1000 product lines, as well as a new data center appliance for scalable virtual services.

 

Cisco is offering two modules for the Nexus 7000: a two-port 100G Ethernet board, which would provide the switch with up to 32 non-blocking 100G Ethernet ports; and a six-port 40G Ethernet module which would provide up to 96 non-blocking 40G ports for the switch.

 

Of the major switching vendors, only Brocade is offering 100G Ethernet on a core platform -- its MLX series switching routers. Several other vendors are already offering 40G fixed, modular and uplink ports on their switches.

 

The technology has yet to go gangbusters though.

Notes: More News of Cisco Updates Its High-end Switches

 

"We see sporadic implementation" of 40/100G Ethernet, says Jon Oltsik, an analyst at Enterprise Strategy Group. "Cisco’s one of the first big players to go mainstream with it. It’s good for marketing – they’ll be perceived as a high-performance vendor."

 

Cisco also unveiled the Nexus 3064-X, which had been expected. The 3064-X is aimed at low latency financial services environments and features 48 1/10G Ethernet ports plus four 40G links.
And the company’s Nexus 1000V virtual switch, which resides on blade servers like the Cisco Unified Computing System, now supports the Virtual Extensible LAN (VXLAN) workload scaling capability Cisco announced last summer.

 

VXLAN is also new in Cisco’s Nexus 1010 new virtual services appliance. The VXLAN version is called the Nexus 1010-X and it is a dedicated hardware platform for provisioning and scaling network services in virtualized environments, like data centers and clouds.

 

For the campus environment and the Catalyst line, Cisco unveiled the Catalyst 6900 Series 40 Gigabit Ethernet Interface Module for the flagship Catalyst 6500 switch. It allows the switch to support up to 44 40G ports.

 

Cisco also rolled out the Catalyst 4500-X, a fixed aggregation switch targeted at space-constrained campus networks. It supports up to 40 10G Ethernet ports and 1.6Tbps of switching capacity through Cisco’s Virtual Switching System redundancy technique. It also includes support for Medianet video and NetFlow analysis services.

 

Lastly, Cisco unveiled software for its campus switches and routers designed to simplify network virtualization. Cisco Easy Virtual Network (EVN) runs on the Catalyst 6500 and 4500 switches, and ASR 1000 edge router, and allows operators to more easily create separate logical networks on a single physical infrastructure.

 

And in the data center, Cisco added features to the Nexus NX-OS operating system such as PowerOn Auto-Provisioning and Python scripting to customize network behavior based on events as they happen. These features are now available on Nexus 3000 series platforms, and planned for the Nexus 2000 and 5000 switches.

 

The 40/100G modules for the Nexus 7000 will be available in the second quarter. The 6900 module for the Catalyst 6500 will be available in April. The Nexus 3064-X will be available in March.

---Original News from Networkworld.com


Configuring VTP on a Cisco Switch

January 30 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

During the early days of networking, it was difficult to implement VLANs across networks. Each VLAN was manually configured on each network switch. Managing a large switched network used to be a complicated task; VLAN trunking methods have helped to ease this problem.

 

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol whose basic aim is to manage all configured VLANs across a switched network. VTP helps to propagate VLAN configurations to the other switches on the network and keep them consistent.

 

VTP is a messaging protocol that uses layer 2 trunk frames to add, delete and rename VLANs on a single domain. It helps to centralize changes which are sent to other switches on the network.

 

A switch has to be configured in the role of a VTP server to manage the VLAN configuration on your network. The server(s) will share VLAN information with the other switches on the network, which must use the same domain name.

 

VTP learns only normal-range VLANs (VLAN IDs 1 to 1005).

The primary role of VTP is to maintain VLAN configuration consistency across a network administration domain.

 

VTP stores VLAN configurations in the VLAN database called vlan.dat.

After a trunk is established between switches, VTP advertisements are exchanged between them. Both the server switch and the client exchange and monitor advertisements from one another to ensure each has an accurate record of VLAN information. VTP advertisements will not be exchanged if the trunk between the switches is inactive.

 

 

In the diagram above, a trunk link is configured between switch S1 (the VTP server) and switches S2 and S3 (the VTP clients). After a trunk is established between the switches, VTP summary advertisements are exchanged among them.

 

More Notes:

VTP Configuration Guidelines 

Follow these steps to configure a Cisco Catalyst switch to use VTP successfully:

 

VTP Server Switches 

i. Before you begin configuration, ensure that all of the switches are set to their default settings.

 

ii. Always reset the configuration revision number before installing a previously configured switch into a VTP domain. Not resetting the configuration revision number allows for potential disruption in the VLAN configuration across the rest of the switches in the VTP domain.

iii. Configure at least two VTP server switches in your network. Because only server switches can create, delete, and modify VLANs, you should make sure that you have one backup VTP server in case the primary VTP server becomes disabled. If all the switches in the network are configured in VTP client mode, you cannot create new VLANs on the network.

 

iv. Configure a VTP domain on the VTP server. Configuring the VTP domain on the first switch enables VTP to start advertising VLAN information. Other switches connected through trunk links receive the VTP domain information automatically through VTP advertisements.

 

v. If there is an existing VTP domain, make sure that you match the name exactly. VTP domain names are case-sensitive.

 

vi. If you are configuring a VTP password, ensure that the same password is set on all switches in the domain that need to be able to exchange VTP information. Switches without a password or with the wrong password reject VTP advertisements.

 

vii. Ensure that all switches are configured to use the same VTP protocol version. VTP version 1 is not compatible with VTP version 2. By default, Cisco Catalyst 2960 switches run version 1 but are capable of running version 2. When the VTP version is set to version 2, all version 2 capable switches in the domain auto-configure to use version 2 through the VTP announcement process. Any version 1-only switches cannot participate in the VTP domain after that point.

 

viii. Create the VLAN after you have enabled VTP on the VTP server. VLANs created before you enable VTP are removed. Always ensure that trunk ports are configured to interconnect switches in a VTP domain. VTP information is only exchanged on trunk ports.

 

VTP Client Switches 

i. As on the VTP server switch, confirm that the default settings are present.

ii. Configure VTP client mode. Recall that the switch is not in VTP client mode by default. You have to configure this mode.

iii. Configure trunks. VTP works over trunk links.

iv. Connect to a VTP server. When you connect to a VTP server or another VTP-enabled switch, it takes a few moments for the various advertisements to make their way back and forth to the VTP server.

v. Verify VTP status. Before you begin configuring the access ports, confirm that the revision mode and number of VLANs have been updated.

vi. Configure access ports. When a switch is in VTP client mode, you cannot add new VLANs. You can only assign access ports to existing VLANs.
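The guidelines above, server and client, carried out as commands on two 2960-class switches. This is an added example rather than the post's own configuration; the domain name CCNA-LAB, the VTP password, VLAN 10 and the use of Fa0/1 as the trunk port are assumed values.

```cisco
! Added example, not from the original post. Domain name, password,
! VLAN 10 and the trunk port Fa0/1 are assumed values.
! --- S1: VTP server (server guidelines iii to viii) ---
S1#configure terminal
! Trunk first: VTP is only exchanged on trunk ports (guideline viii)
S1(config)#interface fa0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport nonegotiate
S1(config-if)#exit
! Domain, version and password before creating VLANs (guidelines iv to vii)
S1(config)#vtp mode server
S1(config)#vtp domain CCNA-LAB
S1(config)#vtp version 2
S1(config)#vtp password Vtp-Placeholder-Pw
! Create VLANs only after VTP is enabled, otherwise they are removed (viii)
S1(config)#vlan 10
S1(config-vlan)#name SALES
S1(config-vlan)#end
! --- S2: VTP client (client steps i to vi) ---
! Reset the configuration revision before joining (guideline ii): switching
! the mode to transparent and back, or changing the domain name, sets the
! revision to 0 so a stale higher revision cannot overwrite S1's VLAN database
S2#configure terminal
S2(config)#vtp mode transparent
S2(config)#vtp mode client
S2(config)#vtp domain CCNA-LAB
S2(config)#vtp version 2
S2(config)#vtp password Vtp-Placeholder-Pw
S2(config)#interface fa0/1
S2(config-if)#switchport mode trunk
S2(config-if)#switchport nonegotiate
S2(config-if)#exit
! A client can only assign access ports to VLANs it learned (client step vi)
S2(config)#interface fa0/5
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 10
S2(config-if)#end
! Verify on both switches (client step v): domain, mode, version,
! configuration revision and number of existing VLANs should agree
S2#show vtp status
S2#show vlan brief
```

If show vtp status on S2 still reports revision 0 or does not list VLAN 10 after a few moments, check that the trunk on Fa0/1 is up and that the domain name and password match exactly, including case.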

 


How to Configure DHCP on a Cisco ASA 5505?

January 4 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Dynamic Host Configuration Protocol (DHCP) is a network application protocol used by devices (DHCP clients) to obtain configuration information for operation in an Internet Protocol network. This protocol reduces system administration workload, allowing devices to be added to the network with little or no manual intervention.


 

The diagram shows the network topology. In this network the firewall is the gateway of the 10.16.74.0/24 network. The firewall and the servers will be excluded from the DHCP pool.

The first step is to configure the inside (LAN) interface on the 10.16.74.0/24 network:

FIREWALL(config)#interface Vlan1
FIREWALL(config-if)#nameif inside
FIREWALL(config-if)#security-level 100
FIREWALL(config-if)#ip address 10.16.74.1 255.255.255.0

Next, assign the LAN ports to the correct VLAN; in this case port Ethernet0/1 of the firewall will be on VLAN 1:

FIREWALL(config)#interface Ethernet0/1
FIREWALL(config-if)#switchport access vlan 1
FIREWALL(config-if)#no shut

Lastly, configure the DHCP address range and assign it to an interface. Configure two DNS servers, one internal and one external in case the internal one fails. Then enable DHCP on the inside interface:

FIREWALL(config)#dhcpd address 10.16.74.15-10.16.74.35 inside
FIREWALL(config)#dhcpd dns 10.16.74.10 4.2.2.2
FIREWALL(config)#dhcpd enable inside

To see which devices have received a DHCP lease from the firewall, run the following command:

FIREWALL(config)#sh dhcpd binding

IP address Hardware address Lease expiration Type

 
