Thursday, November 25, 2010

Wireless Networking

This topic presents basic information about wireless networking: technology standards, configuration, scanning, authentication, and antenna types.

To date, wireless networking has 4 standards, summarised in the table below:

Type         802.11a         802.11b         802.11g         802.11n
Throughput   up to 54 Mbps   up to 11 Mbps   up to 54 Mbps   up to 540 Mbps
Frequency    5 GHz           2.4 GHz         2.4 GHz         5 GHz or 2.4 GHz

There are 2 wireless network configurations: BSS and IBSS.
Basic Service Set (BSS) is the most common configuration, where a wireless AP communicates with its hosts such as PCs. To recognise the AP, the client searches for access points and uses the Service Set Identifier (SSID), which is basically a case-sensitive name of up to 32 characters. The SSID can be configured on the AP to be broadcast publicly or hidden.
Independent Basic Service Set (IBSS) is the second configuration, where the clients communicate with each other independently, i.e. peer-to-peer. This configuration does not need an AP.

In order for the PC to communicate with the AP, a method called scanning must be used. There are 2 types of scanning: active and passive.
In active scanning, the client takes the initiative and sends Probe Requests, asking APs to answer with Probe Responses, and then waits for the Probe Responses.
In passive scanning, the client only listens and waits for Probe Responses from the AP.
If more than 1 Probe Response is received, the user can choose which network to use.

Authentication is also needed for network security. The client authenticates after it hears the Probe Response and the user has selected a network. There are several authentication types. The first one is "Open," where everyone can access the network. The second one is "Shared Key", where only users who know the key can access the network (WEP, EAP, WPA and WPA2).

There are several antenna types for APs. A point-to-point antenna has a very narrow beam and is usually used to create a point-to-point connection with another AP. A directional antenna has limited coverage for serving only a specific area of customers. An omni-directional antenna covers every direction and is used to serve all customers near the AP. However, for the same power its coverage radius is shorter than that of a point-to-point connection.

-- 26 November 2010 --

Wednesday, November 24, 2010

Power over Ethernet (POE)

Power over Ethernet (PoE) allows a device to power another device, i.e. to send electricity over the UTP cable connecting the 2 devices. Some switches also have the capability of running PoE to power up IP phones. By default, a PoE switch's ports attempt to detect whether the peer device needs power. The IEEE standard for PoE is 802.3af, and 802.3at for High-Power PoE.

To configure automatic detection and powering of inline devices, type the command:
(config-if)#power inline auto

To configure the specific amount of power to be given to the inline device, type the command:
(config-if)#power inline consumption

To disable PoE on the port, type the command:
(config-if)#power inline never

-- 25 November 2010 --

CoS, ToS, DiffServ, RTP Header Compression

Class of Service (CoS) is a policy to enable QoS on the network. It uses a 3-bit field in a layer-2 Ethernet frame to define the priority of the traffic. The highest priority is marked with 7 (111) and the lowest priority with 0 (000). Dot1q and ISL can both carry CoS, with some differences:
- ISL uses a 4-bit User field, where the last 3 bits are used for CoS.
- Dot1q uses a 3-bit User field for CoS.

Type of Service (ToS) is a field in the layer-3 IPv4 header allocated to provide QoS. It consists of 8 bits: 3 precedence bits at the beginning, 3 request bits and 2 unused bits. The first 3 bits represent the priority of the packet. As in CoS, 7 means highest priority and 0 means lowest priority. The 3 request bits represent 3 different types of service: request low delay (100), request high throughput (010), or request high reliability (001), which can be memorised as the DTR bits.

The modern version of ToS is used by DiffServ. The DS field in DiffServ consists of 6 Differentiated Services Code Point (DSCP) bits and 2 Explicit Congestion Notification (ECN) bits. The 6 DSCP bits consist of the Class Selector value (3 bits) and the Drop Precedence value (3 bits).

The Class Selector value is divided into 7 classes, which are:

Class 7 (111) - Network Control, used for control traffic such as STP and routing protocols. This is the highest priority class.

Class 6 (110) - Internetwork Control, used for the same purposes as class 7 but for internetwork traffic.

Class 5 (101) - Expedited Forwarding, used for voice traffic and other time-critical data. This traffic requires low delay, low loss and low jitter and is given strict priority queuing above all other traffic classes.

Class 1-4 (001-100) - Assured Forwarding, used for applying QoS to certain traffic, where class 4 has higher priority than 3, which is higher than 2, which in turn is higher than class 1.

Class 0 (000) - Best-effort forwarding, the default for all traffic not configured for QoS.

The Drop Precedence value is used with Assured Forwarding and defines the importance of the packet. There are only 3 values: high (3), medium (2) and low (1). Therefore AF21 means the traffic will be handled as class 2 with a low drop precedence.
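The ToS byte and its DiffServ reading above are easy to get wrong by a bit, so here is an added decoder (not from the original post) that extracts IP precedence and DTR bits, DSCP and ECN, and names the per-hop behaviour (CSx, AFxy, EF) exactly as described, plus the inverse mapping; it goes beyond the AF21 example by covering all AF classes.

```python
# Added example: decode the IPv4 ToS / DS byte described above, both in the
# legacy reading (precedence + DTR request bits) and in the DiffServ reading
# (6-bit DSCP + 2-bit ECN), and name the DSCP as CSx, AFxy or EF.

def decode_legacy_tos(tos_byte: int) -> dict:
    """Legacy view: 3 precedence bits, 3 request (DTR) bits, 2 unused bits."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    precedence = tos_byte >> 5              # top 3 bits, 7 = highest priority
    dtr = (tos_byte >> 2) & 0b111           # D = 100, T = 010, R = 001
    return {
        "precedence": precedence,
        "low_delay": bool(dtr & 0b100),
        "high_throughput": bool(dtr & 0b010),
        "high_reliability": bool(dtr & 0b001),
    }


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP to its name: CSx, AFxy, EF, or DSCPnn if unnamed."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 6 bits")
    class_sel = dscp >> 3                   # upper 3 bits: class selector
    low3 = dscp & 0b111                     # lower 3 bits: drop precedence field
    if low3 == 0:
        return f"CS{class_sel}"              # CS0 (000000) is best effort
    if dscp == 46:                          # 101110: Expedited Forwarding
        return "EF"
    # Assured Forwarding: class 1-4, drop precedence low(1)/medium(2)/high(3)
    # encoded as 010 / 100 / 110, i.e. the lowest DSCP bit is always 0
    drop_prec = low3 >> 1
    if 1 <= class_sel <= 4 and low3 & 1 == 0 and 1 <= drop_prec <= 3:
        return f"AF{class_sel}{drop_prec}"
    return f"DSCP{dscp}"


def decode_ds_field(tos_byte: int) -> dict:
    """DiffServ view of the same byte: DSCP (top 6 bits) and ECN (low 2)."""
    dscp = tos_byte >> 2
    return {
        "dscp": dscp,
        "name": dscp_name(dscp),
        "class_selector": dscp >> 3,
        "drop_precedence": (dscp & 0b111) >> 1,
        "ecn": tos_byte & 0b11,
        # the class selector bits are the old IP precedence bits, which is
        # why CS values stay compatible with ToS-only devices
        "ip_precedence": decode_legacy_tos(tos_byte)["precedence"],
    }


def dscp_from_name(name: str) -> int:
    """Inverse mapping, e.g. 'AF21' -> 18, 'EF' -> 46, 'CS6' -> 48."""
    name = name.upper()
    if name == "EF":
        return 46
    if name.startswith("CS") and name[2:].isdigit():
        return int(name[2:]) << 3
    if name.startswith("AF") and len(name) == 4 and name[2:].isdigit():
        cls, dp = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= dp <= 3:
            return (cls << 3) | (dp << 1)
    raise ValueError(f"unknown PHB name {name!r}")
```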

RTP header compression can also improve VoIP quality. It reduces the IP/UDP/RTP header from 40 bytes to only 2-4 bytes. The command is:
(config-if)#ip rtp header-compression

-- 25 November 2010 --

QOS, IntServ, DiffServ

Providing good Quality of Service (QoS) for IP phones is important. Voice is delay sensitive, and the following factors need to be considered:

1. Jitter, which is the variation in the arrival interval of received packets. For example, the word hel-lo can be heard as h--ello if the jitter is bad.
2. Delay, which is the time the data needs to travel from the moment one party speaks until the other receives the voice signal. Large delays make conversations uncomfortable.
3. Packet loss, which is the amount of packets that may be dropped. Voice traffic tolerates some packet loss, but if packets are dropped too often the receiver is unable to understand what the speaker is saying.

The default QoS for all services is best-effort. In BE, all packets will be forwarded in the same order as they came in.

Another model for QoS is the Integrated Services model (IntServ). IntServ uses the Resource Reservation Protocol (RSVP), which creates and reserves a high-priority end-to-end path, called Guaranteed Rate Service (GRS), before the voice traffic is transmitted. This can be disadvantageous because of the reserved-bandwidth concept it uses: if there is a lot of voice traffic, all the bandwidth will be reserved for voice traffic.

To prevent unused reservations, a more advanced model is available: the Differentiated Services model (DiffServ). DiffServ does not reserve end-to-end bandwidth but prioritises traffic based on per-hop decisions. DiffServ has 2 tasks: marking (tagging data with a value) and classification (deciding how data is queued and transmitted according to its marks).

To implement QoS on a switch's interface put the command:
(config-if)#mls qos

To trust the QoS values of incoming traffic, add the command:
(config-if)#mls qos trust

Trusting CoS, DSCP or IP precedence means the switch reads those frames/packets and trusts the QoS values they carry. However, trusting a device (for example trust device cisco-phone) means that the switch will only accept QoS values from a Cisco phone. QoS values coming from any device other than a Cisco phone are overwritten by the switch with its default configured QoS value.

To see the interface's QoS settings put the command:
SWX#show mls qos interface

We can also modify the QoS values that come from a device behind the IP phone, such as the PC. The command is:
(config-if)#switchport priority extend cos

If we want to trust the PC the command is:
(config-if)#switchport priority extend trust


-- 23 November 2010 --

Tuesday, November 23, 2010

Voice over IP & IP Phone

VoIP is a technology that makes voice conversations possible over internet technology. VoIP can be done using IP phones. An IP phone has 3 ports: one to the switch, one to the phone's own ASIC, and one to the laptop/PC. In this configuration nothing needs to change on the PC compared to being connected directly to the switch, and it can send traffic as before.

The link between the switch and IP Phone can be configured in several ways:

1. Access link. If this is implemented, voice traffic and data traffic are mixed and no priority is given to voice traffic. Frames that arrive first get served first. The advantage is that nothing needs to be done to apply this option (it is the default). The disadvantage is that if there is a lot of data traffic, voice traffic will suffer delays, which should be prevented since voice is delay sensitive.

2. Trunk link and use 802.1p. This option will tag voice traffic as high priority. It will also send traffic through its default voice native VLAN which is VLAN 0. VLAN 0 needs to be created manually, because it is sometimes not automatically created.

3. Trunk link and not tagging voice traffic (untagged). In this way, the IP phone is able to send untagged voice traffic.

4. Trunk link and specify a specific voice VLAN. The IP phone will forward voice traffic tagged with that specific VLAN.

To configure voice traffic on an interface, use the command:
(config-if)#switchport voice vlan /dot1p/none/untagged


-- 24 November 2010 --

Gateway Load Balancing Protocol (GLBP)

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that load balances traffic between different routers. Therefore it uses all the routers instead of letting only one router process all the traffic. GLBP routers must be placed in a router group in order to operate.

When operating with GLBP, the host points its gateway to the virtual IP address of the virtual router. Although the IP address is the same, the MAC address of each physical router is different. When an ARP request is sent by the host, one of the routers gives its MAC address to the host and serves that host. However, the next host that sends an ARP request is given the MAC address of a different router.

One of the routers (the one with the highest priority) acts as the Active Virtual Gateway (AVG). The router with the second highest priority becomes standby, and all other routers are put into the listening state. The AVG assigns a virtual MAC address to each of the other routers and enables them as Active Virtual Forwarders (AVF). Each AVF processes the packets sent to its virtual MAC address according to the load balancing method. If the AVF on a router fails, another router takes over its requests, since the routers communicate with each other using the multicast IP address 224.0.0.102 and UDP port 3222.

GLBP supports 3 load balancing methods for assigning MAC addresses:

1. Round robin, where each router gets a host in turn. If there are 4 hosts (1, 2, 3, 4 arriving in order) and 2 routers (A, B), then host 1 goes to A, host 2 to B, host 3 to A and host 4 to B.
2. Host dependent, which is used if a host always needs to get the same serving router's MAC address.
3. Weighted, where traffic is assigned to routers according to configured weights. For example, if there are 3 routers where one router (A) has twice the capacity of the other two (B, C), the traffic can be weighted 2:1:1. That way, 2 clients are served by router A, 1 client by router B and 1 client by router C.
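The three assignment methods above, and the failover of a forwarder's virtual MAC, as an added model (not code from the original post); router names, host identifiers and the "VMAC-x" strings standing in for virtual MAC addresses are constructed for illustration.

```python
# Added example: a model of how the GLBP AVG answers ARP requests for the
# virtual IP with one of its forwarders' virtual MACs under the round-robin,
# host-dependent and weighted methods described above.
import itertools
import zlib


class GlbpAvg:
    def __init__(self, forwarders, method="round-robin", weights=None):
        """forwarders: [(router_name, virtual_mac), ...] in AVF order.
        method: 'round-robin', 'host-dependent' or 'weighted'.
        weights: {router_name: weight} for the weighted method (default 1)."""
        self.forwarders = list(forwarders)
        self.method = method
        weights = weights or {}
        if method == "weighted":
            # a router with weight 2 appears twice per cycle, so it answers
            # twice as many ARP requests as a weight-1 router (the 2:1:1 case)
            ring = [f for f in self.forwarders
                    for _ in range(weights.get(f[0], 1))]
        else:
            ring = self.forwarders
        self._ring = itertools.cycle(ring)
        self.alive = {name for name, _ in self.forwarders}

    def fail(self, router: str) -> None:
        """The AVF on `router` fails; hosts keep the virtual MAC they were
        given and a surviving router services it."""
        self.alive.discard(router)

    def _serving_router(self, name: str) -> str:
        if name in self.alive:
            return name
        return next(n for n, _ in self.forwarders if n in self.alive)

    def arp_reply(self, host_id: str):
        """Return (serving_router, virtual_mac) handed to the requesting host."""
        if self.method == "host-dependent":
            # the same host always hashes to the same forwarder
            idx = zlib.crc32(host_id.encode()) % len(self.forwarders)
            name, vmac = self.forwarders[idx]
        else:
            name, vmac = next(self._ring)
        return self._serving_router(name), vmac


def assign(avg: GlbpAvg, hosts):
    """Which router serves each host, in the order their ARP requests arrive."""
    return [avg.arp_reply(h)[0] for h in hosts]
```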

To apply GLBP use the command in the interface mode:
(config-if)#glbp ip

To change the GLBP priority use:
(config-if)#glbp priority

To enable preempt:
(config-if)#glbp preempt

Monday, November 22, 2010

Virtual Router Redundancy Protocol (VRRP)

VRRP (Virtual Router Redundancy Protocol), defined in RFC 2338, is a non-proprietary redundancy protocol like Cisco's proprietary HSRP. It can be used in a multi-vendor environment. The operation of VRRP and HSRP is similar.

The differences are:
1. VRRP has a Master router and Backup routers (like Active and Standby in HSRP). The Master router owns the virtual IP address, so the virtual IP address is the router's real address.
2. VRRP advertisements are multicast to 224.0.0.18.
3. The MAC address of the VRRP virtual router is 0000.5e00.01XX, where XX is the number of the router group in hexadecimal.
4. The "preempt" behaviour that HSRP needs a command for is the default on a VRRP router, so the backup router becomes the master router if the priorities of the routers change.
5. VRRP has a feature called Object Tracking, which is similar to HSRP Interface Tracking.

-- 23 November 2010 --

HSRP Tracking

HSRP Interface Tracking is an important feature for providing redundancy within the router group and switching between routers if anything unexpected happens to the active router.

The active router is the router with the highest priority. The active role can move to another router if the current router decreases its priority or another router is set to a higher value. Remember that for immediate switching, the preempt command needs to be enabled.

HSRP tracking is able to decrease a router's priority based on the state of the interfaces it tracks. It can track interfaces and decreases the router's priority if a monitored interface goes down. The commands to track a specific interface are:
(config)#interface // needs to be configured on the port connecting to the hosts.
(config-if)#standby track // the interface argument is the monitored interface, e.g. interface serial 0 going to another router.
The decrement value can be set from 1-255, and this is the amount by which the priority is decreased if the monitored interface goes down. The default value (if not set) is 10.

For example, we have 2 routers (router A and B), where router A is the active router with priority 150 and router B is standby with priority 140. Serial 0 towards another router is monitored with HSRP track on router A, with a decrement value of 20. If the serial 0 interface goes down on router A, its priority is decreased to 150-20 = 130. This value is lower than router B's priority of 140, so router B immediately takes over as the active router. If at some point serial 0 of router A comes up again, the priority value is set back to 150, router A becomes the active router again and router B goes back to standby. Watch out when setting track decrement values: if the decrement value is too low, e.g. only 5 on router A, nothing happens when serial 0 goes down, because router A's decreased priority of 150-5 = 145 is still higher than router B's priority of 140. Decrement values can be changed directly on live networks and take effect immediately (for example changing from 5 to 15).

It is also possible to monitor multiple interfaces. In this case both interfaces are checked: the priority is decremented by that interface's value if one of them goes down, and by the sum of the values set for both interfaces if both of them go down.
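The two-router scenario above, including the "decrement too low" case and the accumulation over multiple tracked interfaces, as an added model of HSRP tracking and election (not code from the original post); router and interface names and priorities are the ones used in the text, and the election model is a simplification constructed for illustration.

```python
# Added example: simulate HSRP interface tracking and the resulting
# active/standby election for the scenario described above.
from dataclasses import dataclass, field

DEFAULT_DECREMENT = 10   # used when "standby track" is given no decrement


@dataclass
class HsrpRouter:
    name: str
    priority: int                                  # configured priority
    tracks: dict = field(default_factory=dict)     # tracked interface -> decrement
    preempt: bool = True                           # "standby preempt" configured

    def effective_priority(self, down_ifaces) -> int:
        """Configured priority minus the decrement of every tracked interface
        that is currently down; decrements accumulate when several are down."""
        total = sum(dec for iface, dec in self.tracks.items()
                    if iface in down_ifaces)
        return max(self.priority - total, 0)


def elect(routers, down_ifaces=(), current_active=None):
    """Return (active, standby) router names.

    The highest effective priority wins if that router has preempt enabled;
    without preempt the current active router keeps the role as long as it is
    still present (it only loses it when it restarts). Ties keep the given
    order here; real HSRP breaks ties on the highest IP address."""
    ranked = sorted(routers, key=lambda r: r.effective_priority(down_ifaces),
                    reverse=True)
    best = ranked[0]
    active = best.name
    if (current_active is not None and not best.preempt
            and any(r.name == current_active for r in routers)):
        active = current_active
    standby = next((r.name for r in ranked if r.name != active), None)
    return active, standby


def page_scenario(decrement: int, serial0_down: bool) -> str:
    """Router A (priority 150, tracking Serial0) and router B (priority 140),
    both with preempt; returns the name of the active router."""
    a = HsrpRouter("A", 150, tracks={"Serial0": decrement})
    b = HsrpRouter("B", 140)
    down = {"Serial0"} if serial0_down else set()
    return elect([a, b], down, current_active="A")[0]
```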

To see and debug HSRP enter "#debug standby" command.

-- 23 November 2010 --


Hot StandBy Routing Protocol

HSRP (Hot Standby Routing Protocol) is a protocol that provides High Availability by making an almost immediate cutover to a secondary router if the primary router fails. It is defined in RFC 281. On an MLS, HSRP can be configured on routed ports, SVIs and EtherChannels that have IP addresses. However, to run HSRP on an L3 switch, it must have the Enhanced Multilayer Software Image (EMI).

HA is achieved because HSRP creates a virtual router, complete with a virtual IP address and MAC address, for the HSRP router group. The host then communicates with the virtual router without knowing the actual physical router behind it. If the primary (hot) router fails, the virtual router switches the traffic to a secondary (standby) router almost instantly. HSRP also has an interface tracking feature, with which it can monitor interfaces on the routers of the group and reduce the priority of a router if one of its interfaces goes down.

HSRP has 7 states:

1. Disabled: The interface is not running HSRP at all.
2. Initial (Init): The state when a router running HSRP comes up.
3. Learn: The router waits for the active router in the group and learns its virtual IP address from it.
4. Listen: The router knows the virtual IP address, but still listens for hello packets from other routers.
5. Speak: The router sends hello messages and participates in the election of the active or standby router.
6. Standby: The router sends hello messages because it is the candidate to become the active router.
7. Active: The router is active and forwards packets sent to the virtual IP address.

To configure a router for HSRP:
(config)#interface fa // to set interface
(config-if)#standby ip // standby command is used to do HSRP configuration, group-number is used to define the router group

To show HSRP configuration type the command:
RX#show standby

The default MAC address of the virtual router is 0000-0C07-ACXX, where XX is the number of the router group in hexadecimal. So if the router group is 26, the hexadecimal number is 1A (16+10) and the default MAC address will be 0000-0C07-AC1A. To change the MAC address of the virtual router use the command:
(config-if)#standby mac-address // mac-address should be noted as XXXX.XXXX.XXXX
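The HSRP virtual MAC derivation above, together with the VRRP one (0000.5e00.01XX) from the earlier post, as added helper code that is not part of the original post; the reverse direction is included so a defender can spot first-hop redundancy virtual MACs in a MAC address table, and the sample table listing, port names and the "virtual MAC on a host port is unexpected" rule are constructed assumptions for illustration.

```python
# Added example: derive HSRP and VRRP virtual MAC addresses from a group
# number, and recognise them in a "show mac address-table" style listing.
import re


def _fmt_cisco(raw12: str) -> str:
    """Render 12 hex digits as XXXX.XXXX.XXXX (the notation IOS expects)."""
    return ".".join(raw12[i:i + 4] for i in range(0, 12, 4))


def normalise_mac(mac: str) -> str:
    """Accept 0000.0c07.ac1a, 00:00:0c:07:ac:1a or 0000-0C07-AC1A."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(raw) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def hsrp_virtual_mac(group: int) -> str:
    """HSRP virtual MAC: 0000.0c07.acXX, XX = group number in hex (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return _fmt_cisco(f"00000c07ac{group:02x}")


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC: 0000.5e00.01XX, XX = virtual router id in hex (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP VRID must be 1-255")
    return _fmt_cisco(f"00005e0001{vrid:02x}")


def identify_virtual_mac(mac: str):
    """Return ('HSRP', group) or ('VRRP', vrid) for a virtual MAC, else None."""
    raw = normalise_mac(mac)
    if raw.startswith("00000c07ac"):
        return ("HSRP", int(raw[10:], 16))
    if raw.startswith("00005e0001"):
        return ("VRRP", int(raw[10:], 16))
    return None


# Constructed sample in the shape of a MAC address table listing
# (vlan, mac, type, port). Virtual MACs should only be learned on the
# ports facing the gateway routers.
SAMPLE_MAC_TABLE = """\
  10    0000.0c07.ac1a    DYNAMIC     Gi0/1
  10    0000.5e00.0105    DYNAMIC     Gi0/2
  10    0011.2233.4455    DYNAMIC     Fa0/7
  10    0000.0c07.ac1a    DYNAMIC     Fa0/9
"""


def find_fhrp_macs(table: str, uplink_ports):
    """List (vlan, mac, protocol, group, port, unexpected) for every virtual
    MAC in the table; unexpected is True when it was learned on a port that
    is not one of the known router-facing uplink ports."""
    hits = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        vlan, mac, _kind, port = parts[:4]
        ident = identify_virtual_mac(mac)
        if ident is None:
            continue
        proto, group = ident
        hits.append((int(vlan), mac, proto, group, port, port not in uplink_ports))
    return hits
```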

To change hello intervals on HSRP type the command:
(config-if)#standby timers

Router with higher priority will be the default servicing router. To change priority of a router:
(config-if)#standby priority
However, this command does not immediately move the active role to the router with the higher priority; the change only applies once the currently active router restarts. To switch the active role to the higher-priority router immediately, the preempt command should be used. A message on the router will indicate the state change.
(config-if)#standby preempt

-- 23 November 2010 --

ICMP Router Discovery Protocol (IRDP)

ICMP Router Discovery Protocol (IRDP) is used to provide High Availability or redundancy between routers and to switch between them quickly. IRDP is defined in RFC 1256.

IRDP generates ICMP Router Advertisements (ICMP message type 9) to all hosts. A host that hears this sets its default gateway to that router. If there is more than 1 router, the host chooses a primary router, saves the other configuration and uses it if it loses the primary router. A host itself can send an ICMP Router Solicitation (ICMP message type 10), asking the IRDP router to send Router Advertisement packets to the host.

IRDP uses the real IP address and MAC address of the L3 switch / router. It does not use any kind of virtual addresses.

To configure put the command "(config-if)#ip irdp" in the interface mode.

-- 23 November 2010 --

Inter VLAN communication using SVI

Hosts on a switch cannot communicate with each other if they are in different VLANs. The traditional way of creating a communication path between different VLANs is to add a router on a stick and create sub-interfaces to connect both VLANs. Although this method works perfectly, router on a stick has its drawbacks, such as loading the router's processor and acting as a single point of failure.

Another way to create inter-VLAN communication is by using a Switch Virtual Interface (SVI), which can be implemented on switches that have an internal route processor, also called a Route Switch Module (RSM). An SVI already exists for VLAN 1 by default.

MLS can be configured for any VLAN on an L3 switch in order to communicate with other VLANs.

Before starting, make sure IP routing is already enabled with the command:
(config)#ip routing

The first thing to do is to create the VLANs and configure the ports into the proper VLANs with the commands:
(config)#int fa
(config-if)#switchport mode access
(config-if)#switchport access vlan // the VLANs will be created

Creating the SVI is simple:
(config)#int vlan // to access the VLAN interface
(config-if)#ip address // to give the VLAN SVI an IP address
Note that the line protocol should be up, and show ip config can be used to show the SVI.

The process above should be repeated for every VLAN on the switch that needs to communicate. #show ip route shows the switch's routing table, where the routes to the different VLANs can be seen.

In order for a host to communicate with hosts in different VLANs, make sure that the gateway of the hosts is the IP address of the SVI.
HOST(config)#ip route 0.0.0.0 0.0.0.0 .

After this, the hosts should be able to communicate with other hosts.

If the L3 switch must reach another router, the switch's port must be changed to a routed port so that it can route traffic. The command is simply "(config-if)#no switchport mode access" on an interface, because as long as the port is in switchport access mode it acts as a switch port. After that, set the IP address of the port with "(config-if)#ip address ".

-- 22 November 2010 --

Sunday, November 21, 2010

Multilayer Switching (MLS)

A Multilayer Switch is a special L3 switch that has the capability to route packets. There are 2 methods of doing MLS: route caching and Cisco Express Forwarding (CEF).

Route caching devices have a routing processor and a switching engine. The first packet will be handled by the routing processor while the switch engine observes how the routing processor forwards the first packet of a flow (a unidirectional stream with the same protocol). After that, the switch takes over the process of forwarding or switching these packets in the same flow.

CEF is another method of MLS and is found on certain hardware only. CEF is easier on the switch's CPU than route caching. CEF is enabled by default because it is hardware based. However, IP routing has to be enabled first in order to run it. If IP routing is not enabled, the message "IPv4 CEF not running" is shown when the "#show ip cef" command is run.

CEF has 2 main components which are:

1. FIB - Forwarding Information Base, which contains L3 routing information such as found in the routing table.
2. AT - Adjacency Table, which contains L2 switching information and a MAC address table of the sender and next hop.

CEF has 2 logical planes:
1. The Control Plane, also known as the Layer 3 Engine, whose job is to build the FIB and AT tables.
2. The Data Plane, also known as the hardware engine or Application-Specific Integrated Circuit (ASIC), which does the work of putting data into memory and forwarding it to the next hop.

-- 22 November 2010 --

Friday, November 19, 2010

Network Attacks

There are several network attacks that can be used against a network. A few of them are MAC address flooding, VLAN hopping and switch spoofing.

A MAC address flooding attack sends numerous frames to the switch using different source MAC addresses. This loads the switch's processing capacity, since it needs to maintain all those MAC addresses in the switching table. It also creates a denial of service (DoS): when the memory for the MAC address table runs out, legitimate hosts are no longer able to access the switch. Bandwidth is also wasted, since the switch then floods the network with broadcasts. From this position the attacker can also intercept packets with a packet sniffer, since its client now receives the broadcast traffic of legitimate hosts. To prevent this, illegitimate hosts should be kept out of the network and blocked when they try to access it. Port-based authentication and port security can be used to implement this prevention.

VLAN hopping spoofs the switch by using double VLAN tags. For this to work, the host must have access to the port, be placed in the native VLAN, and the switch must use dot1q. The attacker uses 2 different VLAN tags, where the outer one is the native VLAN. When the switch sees a frame from the native VLAN, it removes the VLAN tag and sends the frame into the network untagged (dot1q behaviour). What the switch does not know is that the frame carries a second VLAN tag. At this moment the attacker's frame is free to reach other hosts (for phishing, trojans, viruses etc.) in the VLAN that matches the attacker's second tag. To prevent this, simply create a native VLAN with no hosts attached to it. In this way, every frame from a host is inspected.

Switch spoofing uses the behaviour of switches running a port in dynamic desirable mode. In this mode a switch aggressively tries to form a trunk with its peer, without knowing who or what that peer is. The attacker can spoof the switch by acting as a switch and accepting the trunk. From that moment on, the attacker is able to listen to the traffic running through its device and can find out user names, passwords, credit card numbers etc. To prevent this, the switch should only set dynamic desirable or auto mode on ports known to have trusted switches as their peer. All other ports should be set to access mode.

Dynamic ARP Inspection (DAI)

ARP is used to find out the MAC address of a receiver based on its IP address. This is necessary in order to send frames to the correct receiver. However, this process can be manipulated by an attacker, in what is called ARP spoofing or ARP cache poisoning.

This attack uses the moment when an ARP request is sent and the receiver is asked to reply if it owns the corresponding IP address. An attacker replies as if it had that address and sends its own MAC address to the sender. The sender is unaware of this manipulation, accepts the attacker's MAC address as valid, and sends frames to the attacker that actually belong to the receiver. The attacker can forward the received packets to the real destination (as if the normal exchange were taking place between sender and receiver) to deceive both of them. This is dangerous since the attacker is able to monitor, listen to and inspect the frames first (including passwords!). It is also called a "man in the middle attack" because of the attacker's position relaying frames from the sender to the receiver.

This attack can be prevented by using Dynamic ARP Inspection (DAI). The switch builds a database of paired IP-MAC addresses, configured statically or learned automatically from the DHCP Snooping process. DAI uses the concept of trusted and untrusted ports as in DHCP Snooping. However, incoming frames on untrusted ports are not automatically dropped (as happens in DHCP Snooping) but are checked against the IP-MAC address pairs. If the pair is valid, the frames are forwarded; if not, the frames are dropped. Frames arriving on a trusted port are forwarded directly without their IP-MAC pair being checked.

Cisco's recommendations for securing the network are that all ports connected to hosts should be set as untrusted, and ports connected to switches should be set as trusted. Other notes: DAI runs only on a switch's ingress ports, and DAI can run on trunk ports or EtherChannel ports.

To activate DAI:
(config)#ip arp inspection vlan

To trust ports:
(config)#int fa // configure a specific port
(config-if)#ip arp inspection trust // to create a trusted port

To validate:
(config)#ip arp inspection validate // enable additional validation. src-mac checks whether the source of the Ethernet header is the same as the sender of the ARP message. dst-mac checks whether the destination of the Ethernet header is the same as the target of the ARP message. ip compares the IP address of the sender of the ARP request against the destination address of the ARP reply.

To show DAI:
SWx#show ip arp inspection
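The DAI decision described above (trusted port, the optional src-mac / dst-mac / ip validations, then the binding lookup), run over a few constructed ARP frames as an added example that is not code from the original post; the binding table, port names and MAC/IP addresses are made up, and the "ip" check is implemented as rejecting invalid sender addresses such as 0.0.0.0, which is an assumption about that option.

```python
# Added example: Dynamic ARP Inspection logic over constructed ARP frames,
# returning a verdict and the reason for it, the way a switch log would.
from dataclasses import dataclass


@dataclass
class ArpFrame:
    ingress_port: str
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    op: str             # "request" or "reply"
    sender_mac: str     # ARP payload: sender hardware address
    sender_ip: str      # ARP payload: sender protocol address
    target_mac: str     # ARP payload: target hardware address
    target_ip: str      # ARP payload: target protocol address


# IP -> MAC pairs the switch learned through DHCP snooping (constructed)
BINDINGS = {
    "192.0.2.10": "0011.2233.4455",
    "192.0.2.11": "0011.2233.4466",
}
TRUSTED_PORTS = {"Gi0/24"}          # uplink towards the other switches
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


def inspect(frame, bindings=BINDINGS, trusted=TRUSTED_PORTS,
            validate=("src-mac", "dst-mac", "ip")):
    """Return ('forward', reason) or ('drop', reason) for one ARP frame."""
    if frame.ingress_port in trusted:
        return "forward", "trusted port: forwarded without inspection"
    # optional checks enabled with "ip arp inspection validate ..."
    if "src-mac" in validate and frame.eth_src != frame.sender_mac:
        return "drop", "src-mac: Ethernet source != ARP sender MAC"
    if ("dst-mac" in validate and frame.op == "reply"
            and frame.eth_dst != frame.target_mac):
        return "drop", "dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in validate and (frame.sender_ip in INVALID_IPS
                             or frame.sender_ip.startswith("224.")):
        return "drop", "ip: invalid sender IP address"
    # the core DAI check: the sender's IP-MAC pair must exist in the bindings
    if bindings.get(frame.sender_ip) != frame.sender_mac:
        return "drop", f"binding mismatch: {frame.sender_ip} is not {frame.sender_mac}"
    return "forward", "binding matches"


# Constructed traffic: a legitimate reply, a poisoned reply from an untrusted
# port claiming another host's IP, a reply whose Ethernet source was forged,
# and a request arriving on the trusted uplink.
SAMPLE_FRAMES = [
    ArpFrame("Fa0/1", "0011.2233.4455", "0011.2233.4466", "reply",
             "0011.2233.4455", "192.0.2.10", "0011.2233.4466", "192.0.2.11"),
    ArpFrame("Fa0/2", "0000.0000.0bad", "0011.2233.4466", "reply",
             "0000.0000.0bad", "192.0.2.10", "0011.2233.4466", "192.0.2.11"),
    ArpFrame("Fa0/3", "0000.0000.0bad", "0011.2233.4466", "reply",
             "0011.2233.4455", "192.0.2.10", "0011.2233.4466", "192.0.2.11"),
    ArpFrame("Gi0/24", "0000.0000.0bad", "ffff.ffff.ffff", "request",
             "0000.0000.0bad", "192.0.2.99", "0000.0000.0000", "192.0.2.10"),
]


def inspect_all(frames=SAMPLE_FRAMES):
    """Verdict ('forward' / 'drop') per frame, in order."""
    return [inspect(f)[0] for f in frames]
```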

Thursday, November 18, 2010

Address Resolution Protocol

ARP stands for Address Resolution Protocol. It is used to determine the physical address or MAC address belonging to a known IP address. The router or switch broadcasts the incoming request and asks the users "who has this IP address?". If a client does not have that address, it ignores the packet. If the client does use that IP address, it replies with "I have this IP address, and my MAC address is aa:bb:cc:dd:ee:ff".

A simple illustration uses a house's phone number and its street address. The phone number of a house can be changed. The same holds for the IP address of a client: it can be changed easily. A street address, on the other hand, is physically attached to a certain location and will always be there. This is like the MAC or physical address of the client. So when ARP is sent, a request is made to trace a phone number, and the operator (the switch) is asked to find out the street address belonging to that phone number. The operator then knocks on every door at once and asks each resident whether the given phone number is theirs.

There is also RARP, which stands for Reverse ARP. It is used in the reverse direction, when a device wants to know the IP address of another device but only has its MAC address. So basically it asks a certain street address for its telephone number.

DHCP Snooping

DHCP snooping is a feature on Cisco switches to prevent possible attacks from unauthorised users. The attack is possible when a client asks for an IP address by sending a DHCP request. The attacker can exploit the client by giving it a fake DHCP offer, which the client simply accepts if this offer arrives before the offer of the real, trusted DHCP server (since clients accept the first DHCP offer that comes in).

By applying DHCP snooping this problem can be avoided, since the switch examines the port on which a DHCP offer arrives. It then determines whether the port falls into the "trusted" or the "untrusted" category. If it is trusted, the DHCP offer is sent on to the client. If it is untrusted, the DHCP offer is blocked; moreover, the port is put into err-disabled mode. One important thing to remember is that by default the switch considers all ports untrusted, so make sure to configure the trusted ports on the switch when applying DHCP snooping.

To configure dhcp snooping enter the command below:
(config)#ip dhcp snooping vlan // DHCP snooping is applied to every host in the given VLAN

Then configure the port of the trusted DHCP server:
(config)#int fa
(config-if)#ip dhcp snooping trust // trust the port for sending DHCP offers. There are also other options such as limit and vlan

To add the DHCP option82 relay agent information put:
(config)#ip dhcp snooping information option

Finally, to show dhcp snooping information the command "#show ip dhcp snooping" can be used.

Private VLAN

A private VLAN is used to restrict a client so that it can only access a specific port or a limited set of users. Each port can be configured in one of 3 ways:

1. Promiscuous mode, where the client attached to that port can access primary and secondary VLAN clients. Usually this mode is applied to gateway devices such as routers.

2. Isolated mode, where the client can only communicate with the primary VLAN and with devices on promiscuous ports, but not with hosts in the same secondary VLAN (same VLAN) or in a different secondary VLAN (different VLAN). Basically the client only has a one-on-one relationship with the gateway.

3. Community mode, where the client can communicate only with other hosts in the same secondary VLAN and with devices on promiscuous ports, but not with hosts in a different secondary VLAN.


The configuration of the private VLAN is shown below. With VTP version 1 and 2 the switch must be in VTP transparent mode ("vtp mode transparent") before private VLANs can be created, and the primary VLAN must exist before secondary VLANs are associated with it; the association command does not create it.

(config)#vlan <secondary_vlan>
(config-vlan)#private-vlan community // or isolated; the primary VLAN is created the same way with "private-vlan primary"
(config)#vlan <primary_vlan>
(config-vlan)#private-vlan association <secondary_vlan_list> // links the secondary VLAN(s) to this primary VLAN

Then the port needs to be set in private-VLAN mode:

(config)#interface <port> // the port that we want to set
(config-if)#switchport mode private-vlan host // host for a port attached to a client, promiscuous for a port attached to the gateway device
(config-if)#switchport private-vlan host-association <primary_vlan> <secondary_vlan> // on a host port
(config-if)#switchport private-vlan mapping <primary_vlan> <secondary_vlan_list> // on a promiscuous port instead
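As an added example, not the post's own configuration, the following Python function encodes the three port rules and computes the reachability matrix for a constructed topology: primary VLAN 100, isolated VLAN 101, community VLANs 102 and 103, a router on Gi0/1 and hosts on Fa0/2 to Fa0/6. The port names and VLAN numbers are assumptions chosen for the demonstration.

```python
"""Private-VLAN reachability rules (added example, not the post's IOS configuration)."""
from itertools import product

PRIMARY, ISOLATED, COMMUNITY = "primary", "isolated", "community"

# Constructed topology: which secondary VLANs hang off primary VLAN 100
VLAN_TYPES = {100: PRIMARY, 101: ISOLATED, 102: COMMUNITY, 103: COMMUNITY}

# port -> (port mode, primary VLAN, secondary VLAN or None for promiscuous)
PORTS = {
    "Gi0/1": ("promiscuous", 100, None),   # router / gateway
    "Fa0/2": ("host", 100, 101),           # isolated host A
    "Fa0/3": ("host", 100, 101),           # isolated host B
    "Fa0/4": ("host", 100, 102),           # community 102 host
    "Fa0/5": ("host", 100, 102),           # community 102 host
    "Fa0/6": ("host", 100, 103),           # community 103 host
}


def can_talk(a, b, ports=PORTS, vlan_types=VLAN_TYPES):
    """Can frames be switched between ports a and b inside the private VLAN?"""
    mode_a, prim_a, sec_a = ports[a]
    mode_b, prim_b, sec_b = ports[b]
    if prim_a != prim_b:
        return False                          # different private-VLAN domains never bridge
    if "promiscuous" in (mode_a, mode_b):
        return True                           # promiscuous ports reach every port of the domain
    if sec_a != sec_b:
        return False                          # hosts in different secondary VLANs are separated
    return vlan_types[sec_a] == COMMUNITY     # same community: yes; same isolated VLAN: no


def reachability(ports=PORTS):
    """Full matrix {(a, b): bool} for every ordered pair of distinct ports."""
    names = sorted(ports)
    return {(a, b): can_talk(a, b, ports) for a, b in product(names, names) if a != b}


def peers_of(port, ports=PORTS):
    """Sorted list of ports a given port can reach; an isolated host should see only the gateway."""
    return sorted(other for other in ports if other != port and can_talk(port, other, ports))


if __name__ == "__main__":
    for name in sorted(PORTS):
        print(name, "->", ", ".join(peers_of(name)))
```

Use "show vlan private-vlan" and "show interfaces switchport" to compare a real switch against the intended matrix: the most common mistake is a host port whose "host-association" names a secondary VLAN that was never associated with the primary, which leaves the port in the secondary VLAN but unable to reach the promiscuous port.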



VLAN Access Control List

A router ACL applied to an SVI or a routed interface filters traffic between VLANs, but it never sees frames that are switched between two hosts in the same VLAN. To filter that intra-VLAN (bridged) traffic a VLAN ACL (VACL), configured as a VLAN access-map, needs to be implemented. A VACL is checked for all packets entering the VLAN, bridged and routed alike.

For example, we want to block 4 hosts, 172.10.10.0 through 172.10.10.3, from communicating with the other hosts in 172.10.10.0/24.

First we create an extended access-list that identifies the traffic: “(config)#ip access-list extended BLOCK4IP”

“(config-ext-nacl)#permit ip 172.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255” and yes, it is permit, not deny, because the ACL only identifies the traffic; the action is set later in the access-map. Check the wildcard mask carefully: a 1 bit in the mask means "don't care", so 0.0.0.3 covers 172.10.10.0 through 172.10.10.3, whereas 0.0.0.4 (a common mistake when "four hosts" is meant) matches only 172.10.10.0 and 172.10.10.4.

Then we create a VLAN access-map, match the access-list made before, and drop the traffic it identifies:

“(config)#vlan access-map NO_4IP 10” where 10 is the sequence number of this entry. Entries are evaluated in ascending sequence order, so an entry with a lower number, e.g. 5, would be checked first. Then we match the traffic using the ACL generated before:

“(config-access-map)#match ip address BLOCK4IP”

“(config-access-map)#action drop” (drop the packets that match the ACL BLOCK4IP)

Then we need to forward all other traffic, i.e. everything the first entry did not drop:

“(config)#vlan access-map NO_4IP 20”, which is evaluated after entry 10, followed by “(config-access-map)#action forward”. An entry without a match clause matches everything that reaches it. If another rule is needed between the two, it can be added at any time with a sequence number between 10 and 20 and takes effect immediately.

The VACL is not applied to an interface but to the VLAN, from global configuration mode: “(config)#vlan filter NO_4IP vlan-list 100” (suppose that we want to apply it in VLAN 100).

Note that a VACL, like an ACL, ends with an implicit drop, so any traffic that is not explicitly forwarded is dropped. Also, a VLAN can have only one VACL applied, although the same access-map can be applied to several VLANs by listing them in vlan-list. Finally, the map checks every packet in the VLAN regardless of direction, but the ACL above only identifies packets sent by the four hosts: packets sent to them by other hosts still arrive. Their replies are dropped, so TCP sessions cannot be established, but a second ACE with the source and destination swapped is needed to block unsolicited traffic towards them as well.
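Added example, not from the original post: a Python model of how the switch evaluates the VLAN map above, including IOS wildcard-mask matching. It shows why 0.0.0.3 is the right wildcard for four consecutive hosts, what 0.0.0.4 would actually do, and how the implicit drop behaves. The ACL and map names are the ones used above; the sample addresses are constructed.

```python
"""VLAN access-map evaluation with IOS wildcard masks (added example, not IOS code)."""
import socket
import struct


def ip2int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    return ((ip2int(addr) ^ ip2int(base)) & ~ip2int(wildcard) & 0xFFFFFFFF) == 0


def matching_last_octets(base, wildcard):
    """Which hosts of base's /24 an ACE covers; handy for sanity-checking a mask."""
    prefix = base.rsplit(".", 1)[0]
    return [x for x in range(256) if wildcard_match(f"{prefix}.{x}", base, wildcard)]


# ACL entries: (action, src, src_wildcard, dst, dst_wildcard), as typed under 'ip access-list extended'
ACL_CORRECT = {"BLOCK4IP": [("permit", "172.10.10.0", "0.0.0.3", "172.10.10.0", "0.0.0.255")]}
ACL_WRONG_MASK = {"BLOCK4IP": [("permit", "172.10.10.0", "0.0.0.4", "172.10.10.0", "0.0.0.255")]}

# VLAN access-map entries: (sequence, ACL to match or None for 'match everything', action)
NO_4IP = [(20, None, "forward"), (10, "BLOCK4IP", "drop")]   # deliberately listed out of order


def acl_identifies(acl, src, dst):
    """In a VLAN map the ACL only identifies traffic: the first matching ACE decides,
    a permit means 'matched', a deny or no hit means 'not matched' (fall through)."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src, dst):
    """Evaluate the map entries in sequence order; the implicit final action is drop."""
    for _seq, acl_name, action in sorted(access_map, key=lambda entry: entry[0]):
        if acl_name is None or acl_identifies(acls[acl_name], src, dst):
            return action
    return "drop"


if __name__ == "__main__":
    print("0.0.0.3 covers hosts", matching_last_octets("172.10.10.0", "0.0.0.3"))
    print("0.0.0.4 covers hosts", matching_last_octets("172.10.10.0", "0.0.0.4"))
    for src in ("172.10.10.2", "172.10.10.4", "172.10.10.200"):
        print(src, "->", vacl_action(NO_4IP, ACL_CORRECT, src, "172.10.10.200"))
```

The matrix of results is worth keeping in mind when reading "show vlan access-map": with the wrong mask the host .2 would be forwarded and .4 dropped, the opposite of what the operator intended, and nothing in the switch output flags that.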

Tuesday, November 16, 2010

Dot1x Port Based Authentication

The best-known way of controlling which clients may use a switch port is port security, which limits the MAC addresses allowed on the port but does not actually authenticate anyone. A more advanced method is dot1x authentication, based on the IEEE 802.1X standard.

A major difference from port security is that both the client (supplicant) and the switch (authenticator) must be configured for dot1x, and an authentication server is required. On Cisco switches that server is reached with RADIUS (the 802.1X standard also allows Diameter); TACACS/TACACS+ cannot be used, because the EAP messages are carried inside RADIUS attributes. The switch therefore needs AAA enabled and pointed at the server ("aaa new-model", "aaa authentication dot1x default group radius" and a "radius-server host" entry with its shared key) before dot1x is activated with “dot1x system-auth-control” in global configuration mode.

Before the client is authenticated, the port accepts only 3 protocols: Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP) and EAPOL (EAP over LAN). EAPOL carries the EAP exchange between the client and the switch; the switch re-encapsulates each EAP message in RADIUS, relays it to the server, and acts on the Access-Accept or Access-Reject it gets back. Only after a successful authentication does the port pass other traffic.

The next step is to configure the port for dot1x authentication. The port can be in one of 3 control states:

1. Force-authorized, which authorizes every client on the port without any authentication exchange. This is the default, so a port that has not been configured performs no authentication at all.

2. Force-unauthorized, which refuses every client on the port, even one that could authenticate successfully.

3. Auto, which enables dot1x on the port: the client is initially blocked from doing anything besides the EAPOL exchange, and normal traffic is allowed only after the authentication completes.

The commands on the switch port are as follows (on newer IOS releases the second one is also available as “authentication port-control”):

“(config-if)#dot1x pae authenticator” // make the port act as the 802.1X authenticator
“(config-if)#dot1x port-control [auto | force-authorized | force-unauthorized]”
 
The client has to be configured too. On Windows the setting is under Start > Control Panel > Network Connections, in the Authentication tab of the connection: check the “Enable IEEE 802.1x authentication” box and set the EAP type. This setup uses MD5-Challenge; be aware that EAP-MD5 does not authenticate the server and its challenge/response can be attacked offline by anyone who captures the EAPOL frames, so PEAP or EAP-TLS should be preferred when the server supports them.
 
 
In summary, dot1x has to be configured on the switch (AAA and "dot1x system-auth-control"), on the switch port (port-control) and on the client, and the authentication server must be reached over RADIUS (or Diameter), not TACACS/TACACS+.