Network Ninja

The Long Road to Cisco

Tag Archive for 'Cisco Systems'

Update on Cisco Live! – World’s Leading Technologies Together in JHB

Published
by
Deon Botha
on October 10, 2008
in Asides, Cisco Systems and Vine
. 0 Comments

Cisco Live! is Cisco's annual ‘Networkers’ conference. For the first time it will be held in Sandton, Johannesburg, on 1st – 4th December 2008. Cisco Live! will be the place for network engineers from all over Africa to gather for technical training, education and networking. For the past eleven years, the conference has been at the forefront of educating delegates on new technologies.

The Cisco Live! conference will incorporate a new concept ‘Networkers at Cisco Live!’ with a mix of technical and business offerings. This format broadens traditional technical focused meet-ups to include executive tracks that examine the role of technology in driving business value in a challenging economic climate. The theme of this year’s conference is ‘The Power of Collaboration’ and delegates can look forward to thought-provoking keynotes from local and international Cisco executives and industry experts.

Networkers at Cisco Live! will be held at the Sandton Convention Centre and will attract more than 1,500 delegates, making it the largest Networkers conference in South Africa to date. The program will comprise various sessions, ranging from technical trainings to an invitation-only executive symposium. Delegates will also have the opportunity to view the World of Solutions demonstration area, which will showcase collaboration and communication tools and technology, such as TelePresence.

A Word from Steve Midgley the Managing Director of Cisco South Africa

“South Africa is the first country outside the United States to introduce the Cisco Live! brand. With Cisco Live!, we are taking the event to the next level to provide a platform where industry players can learn new technologies, discuss business trends, share ideas and network,” said Steve Midgley, Managing Director, Cisco Systems South Africa. “In recent years, specialization, globalization and new technologies have resulted in more collaborative environments made up of global, virtual networks and communities that improvise and find more productive, innovative and faster ways to do business. Cisco puts communications and collaboration capabilities within the context of a business process to allow workers to increase their productivity, speed and agility,” added Midgley.

Speakers

Rick Hutley, vice president of Global Innovations for Cisco Internet Business Solutions Group, will be a keynote speaker at the event. Hutley, responsible for engaging Cisco’s largest global customers, will discuss the role of collaborative technologies in addressing the key business challenges and opportunities faced by organisations today.

Also speaking at the conference will be World Wide Worx’s Arthur Goldstuck, who will present findings from the Cisco-sponsored Internet Access in South Africa 2008 research report. Goldstuck’s presentation will cover the latest trends in Internet access and will set the scene for a discussion around the future of connectivity in South Africa, which plays a crucial role in collaboration.

For more information on Networkers at Cisco Live! see www.networkersafrica.co.za

Cisco invests $27 Million in South Africa

Published
by
Deon Botha
on September 16, 2008
in Asides, Cisco Systems and Vine
. 0 Comments

So yesterday it became official that Cisco Systems, Inc. is going to be investing ZAR 215,000,000 in South Africa (USD 27,000,000); I love the noughts, they make it look like REAL money. The investment will go to the Cisco Innovation Hub Technology Centre (CIHTC), which will become the home of Information and Communication Technology (ICT) initiatives including an InnovationLab, a global Talent Acquisition Programme, the Cisco Netversity, an Entrepreneur Institute and a Software Development Programme.

This investment is expected to drive a R1bn gross domestic product (GDP) effect over an initial five-year period. The 3000 square metre CIHTC will be based at the Innovation Hub (across from the CSIR) in Pretoria, South Africa.

The CIHTC complex will be an advanced tech incubation centre aimed at fostering and developing local skills, intellectual property, entrepreneurship and solution development capabilities in the ICT sector. The implications of this are 200 direct and 800 indirect employment opportunities and the development of intellectual property, the training and certification of design and network engineers, local software development, state of the art network communication laboratories (maybe even CCIE and practice labs, hold thumbs!!!!), access to business guidance and a showcase for venture capital providers looking to fund solutions or businesses that result from Centre operations.

In the words of Steve Midgley, Managing Director of Cisco South Africa “South Africa is on the brink of entering a broadband boom,” which in turn will “change the way people live and work – giving the public sector and business the opportunity to gain significant efficiencies, to drive productivity enhancements, to achieve cost reductions and to gain access to new market segments within their existing business models. It will also create an enabling platform from which new business models can be created. Cisco is investing in this initiative now to ensure that when the broadband revolution really kicks off, South Africa has enough of the right kind of skills, solutions creation capabilities and intellectual property to leverage the many benefits broadband will bring to the country.”

The Ooh factor in Cisco Telepresence

Published
by
Deon Botha
on July 17, 2008
in Cisco Systems and Vine
. 1 Comment

UPDATED: Got sent some WOW stats!!

For those of us that visit Cisco.com fairly often this video clip (below) will be something that you may have seen before (it was featured a while back on the page). I really love this video clip simply because I lol’ed (laughed out loud) when I saw it the first time. I thought about the clip again after reading this from mybroadband and neither the video nor the article does this Cisco solution justice simply because until I was physically shown this solution at the Cisco offices I couldn’t quite grasp “how” Cisco imagined it was going to “cut back travel” costs with Collaborative Technologies.

So JP sent me some stats on Cisco TelePresence this morning. These are some WOW stats: in December 2007 Cisco announced 100 customer deployments in over 40 countries, at companies like Verizon, BT, Procter & Gamble, SAP, and even in government (Xiamen Municipal Government).

The stats (9th June 2008) for the use of TelePresence inside Cisco look like this: 229 Cisco TelePresence units in 108 cities deployed globally within Cisco Systems. The overall average utilization of these units lies at about 45%, as compared to <1% for video conferencing.

The units are spread globally as follows US/Canada has 145, APAC / Japan has 38, Europe has 38, and Emerging Markets has 8 units. The deployments are mixed CTS 3000/3200/1000 depending on the theatre.

Of these units, 110,627 TelePresence meetings have been scheduled to date at a total of 141,565 hours (an average of 75 minutes per meeting), with 2,576 meetings a week in the past 30 days (May 2008). This technology is not only for in-house use, as there have been 13,361 meetings with customers to discuss Cisco technology using TelePresence.

Now comes the bottom line that I mentioned above about saving money (I didn't know this until today, mind you): 17,339 of the total 110,627 meetings avoided travel, meaning that Cisco saved about $165,080,000 (I like leaving the zeros in when talking about millions; it shows you how much we're really talking about). That to anyone is a fair bit of money to be saving.

I was thinking until now that this could “potentially” save money, having this verified makes my eyes open to the potential of the solution.

Wonder if I can get one of these for demo in my living room :-)

Cisco South Africa Partner Career Day

Published
by
Deon Botha
on July 15, 2008
in Cisco Systems and Vine
. 0 Comments

Cisco Conference key note by deputy minister of education

So I attended the Cisco South Africa Career Day 2008 and it was well worth going to. The event was hosted by Cisco in conjunction with the Cisco Networking Academy and the University of Pretoria.

A way that I have used to gauge the importance of an event has been to look at the “headline” act. In today's case the introduction was done by the General Manager of Cisco Systems, Mr Steve Midgley, and the keynote address was given by the Deputy Minister of Education, Mr Enver Surty.

The drill-down of the presentations was that there is a skills shortage and that there are initiatives already happening and in the pipeline to help address this global problem.

The event took place at the University of Pretoria in the Entertainment Hall and Lecture Room 100 and centred around the development and availability of skills in the Information and Communication Technology (ICT) sector, mainly locally but also touching on it globally (China and India).

The event was held at the University of Pretoria to provide Cisco Networking Academy graduates the opportunity to get some “face time” with Cisco channel partners. The event provided the Cisco partners an opportunity to meet the future talent and interview graduates face-to-face. This exposed Cisco Networking Academy graduates to openings within partner organisations, while allowing partners to assess prospective employees.

From Cisco Systems there was a clear message that they are going to be actively involved in developing and building the skills needed to assist partners and in turn the local economy through various initiatives. They drove this message home by making this the “public” launch of the Cisco Talent Partner Portal that I posted about here 2 weeks ago.

I stole a few business cards myself and talked to some of the bigger partners, one never knows when that might come in handy.

Related: http://it-online.co.za/content/view/353879/97/

Kudos again to JP for organizing the invite.

Cisco Talent of the Future

Published
by
Deon Botha
on July 7, 2008
in Asides, Business, Cisco Systems and Vine
. 0 Comments

As a heads up I’m going to be attending the Cisco South Africa Partner Career Day happening at the University of Pretoria. This event rolls into one many things I am really passionate about (I think most Cisco Certified individuals are passionate about at least some of these things) namely skills, the youth, Information Communication Technology (ICT) and training.

The event sounds similar to the Cisco Global Talent Acceleration Program (GTAP) launch a while back (more at ITWEB). Although that event was not really directly relevant to me (I was a little too late out of uni myself to benefit directly or apply) or my business (we are a Cisco Partner and this was basically a Cisco post-graduate training program with a twist), there was talk about this program's content being extended or made available in some shape or form to the Partner Community (that means everyday businesses that are somehow connected to Cisco Systems in the ecosystem).

What this would in effect mean to me and you (partner based students of the network world that either work for Cisco Partners or are trying to skill up on our lonesome) without the frills is a fast track, hard hitting, quick and to the point series of training provided by an accredited Cisco learning partner and tested by Cisco Systems themselves that gets you to written CCIE level as quickly and efficiently as possible.

Let's see what this event holds in store for us; I will post about it afterwards. Thanks go out to JP for the heads up and for hooking me up with an invite (it's nice and conveniently close to my offices).

BCMSN Layer 3 Routing Lab 6

Published
by
Deon Botha
on June 19, 2008
in BCMSN, Certification and Cisco Systems
. 0 Comments

LAB_2

Layer 3 Switching

PC1 is in VLAN 10 with IP address 192.168.10.200 255.255.255.0 Default Gateway (DG) 192.168.10.1

PC2 is in VLAN 20 with IP Address 192.168.20.250 255.255.255.0 DG 192.168.20.50 (DSW2's VLAN 20 SVI; a gateway in 192.168.10.0/24 would be off-subnet for PC2)

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW1
Set the enable password and the enable secret. Once an enable secret exists only the hashed secret is used; the enable password is stored reversibly in the configuration, so giving both the same value, as this lab does, should never be done outside a lab.
DSW1(config)#enable password cisco
DSW1(config)#enable secret cisco
Setup the console port password
DSW1(config)#line con 0
DSW1(config-line)#password cisco
DSW1(config-line)#login
DSW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password. A line password with plain login is one shared secret for every operator and the lines still accept Telnet; outside the lab use login local with a username secret and transport input ssh.
DSW1(config)#line vty 0 4
DSW1(config-line)#password cisco
DSW1(config-line)#login
DSW1(config-line)#exit
Setup the default VLAN
DSW1(config)#interface vlan 1
DSW1(config-if)#ip address 192.168.1.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit
Setup VLAN 10
DSW1(config)#interface vlan 10
DSW1(config-if)#ip address 192.168.10.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit
Setup VLAN 20
DSW1(config)#interface vlan 20
DSW1(config-if)#ip address 192.168.20.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit
Setup Fastethernet Interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#no shut
DSW1(config-if)#exit
Configure Fe 1 to 4 as 802.1Q trunks carrying VLANs 1, 10 and 20. Caveat for every trunk in this lab: the native VLAN stays at 1, which is also the management SVI, so untagged frames arriving on a trunk land in the management VLAN; in production move the native VLAN to an unused VLAN and add switchport nonegotiate so DTP is not running on the uplinks.
DSW1(config)#interface range fastethernet 0/1 - 4
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport trunk native vlan 1
DSW1(config-if-range)#switchport trunk allowed vlan 1,20,10
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#exit
Associate VLANs with Fe 11 and 12
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport trunk native vlan 1
DSW1(config-if-range)#switchport trunk allowed vlan 1,20,10
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#exit
Administratively shut down all ports not connected
DSW1(config)#interface range fastethernet 0/5 - 10
DSW1(config-if-range)#shut
DSW1(config-if-range)#exit
Enable Spanning Tree Protocol on VLANs
DSW1(config)#spanning-tree vlan 1 root primary
DSW1(config)#spanning-tree vlan 10 root primary
DSW1(config)#spanning-tree vlan 20 root secondary
Enable Routing and a Protocol. The network statement needs a wildcard mask: network 192.168.0.0 on its own is taken as the classful network 192.168.0.0/24, which matches none of the 192.168.1.0, 192.168.10.0 and 192.168.20.0 SVIs, so EIGRP would never come up.
DSW1(config)#ip routing
DSW1(config)#router eigrp 100
DSW1(config-router)#network 192.168.0.0 0.0.255.255
DSW1(config-router)#exit
Exit Global Configuration Mode
DSW1(config)#exit
Check that you named the interfaces correctly, haven't missed a connected interface and that the duplex and speed settings are correct
DSW1#show interfaces status
Check that you configured STP
DSW1#show spanning-tree
Check routing is correct
DSW1#show ip route
Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)… oops, copy start run
DSW1#copy run start

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW2
Set the enable password and the enable secret (only the hashed secret is used once both exist; the enable password is stored reversibly, so matching values are for the lab only)
DSW2(config)#enable password cisco
DSW2(config)#enable secret cisco
Setup the console port password
DSW2(config)#line con 0
DSW2(config-line)#password cisco
DSW2(config-line)#login
DSW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password (a shared line password that still accepts Telnet; use login local and transport input ssh outside the lab)
DSW2(config)#line vty 0 4
DSW2(config-line)#password cisco
DSW2(config-line)#login
DSW2(config-line)#exit
Setup the default VLAN
DSW2(config)#interface vlan 1
DSW2(config-if)#ip address 192.168.1.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit
Setup VLAN 10
DSW2(config)#interface vlan 10
DSW2(config-if)#ip address 192.168.10.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit
Setup VLAN 20
DSW2(config)#interface vlan 20
DSW2(config-if)#ip address 192.168.20.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit
Setup Fastethernet Interfaces
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#no shut
DSW2(config-if)#exit
Associate VLANs with Fe 1 to 4
DSW2(config)#interface range fastethernet 0/1 - 4
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex auto
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport trunk encapsulation dot1q
DSW2(config-if-range)#switchport trunk native vlan 1
DSW2(config-if-range)#switchport trunk allowed vlan 1,20,10
DSW2(config-if-range)#switchport mode trunk
DSW2(config-if-range)#exit
Associate VLANs with Fe 11 and 12
DSW2(config)#interface range fastethernet 0/11 - 12
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex auto
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport trunk encapsulation dot1q
DSW2(config-if-range)#switchport trunk native vlan 1
DSW2(config-if-range)#switchport trunk allowed vlan 1,20,10
DSW2(config-if-range)#switchport mode trunk
DSW2(config-if-range)#exit
Administratively shut down all ports not connected
DSW2(config)#interface range fastethernet 0/5 - 10
DSW2(config-if-range)#shut
DSW2(config-if-range)#exit
Enable Spanning Tree Protocol on VLANs
DSW2(config)#spanning-tree vlan 1 root secondary
DSW2(config)#spanning-tree vlan 10 root secondary
DSW2(config)#spanning-tree vlan 20 root primary
Enable Routing and a Protocol (the wildcard mask is required; a bare network 192.168.0.0 is classful and would match only 192.168.0.0/24)
DSW2(config)#ip routing
DSW2(config)#router eigrp 100
DSW2(config-router)#network 192.168.0.0 0.0.255.255
DSW2(config-router)#exit
Exit Global Configuration Mode
DSW2(config)#exit
Check that you named the interfaces correctly, haven't missed a connected interface and that the duplex and speed settings are correct
DSW2#show interfaces status
Check that you configured STP
DSW2#show spanning-tree
Check routing is correct
DSW2#show ip route
Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)… oops, copy start run
DSW2#copy run start

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW1
Set the enable password and the enable secret (only the hashed secret is used once both exist; the enable password is stored reversibly, so matching values are for the lab only)
ASW1(config)#enable password cisco
ASW1(config)#enable secret cisco
Setup the console port password
ASW1(config)#line con 0
ASW1(config-line)#password cisco
ASW1(config-line)#login
ASW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password (a shared line password that still accepts Telnet; use login local and transport input ssh outside the lab)
ASW1(config)#line vty 0 4
ASW1(config-line)#password cisco
ASW1(config-line)#login
ASW1(config-line)#exit
Default Gateway (a global command, entered after leaving line configuration mode; it is honoured because ip routing is not enabled on the access switch)
ASW1(config)#ip default-gateway 192.168.1.1
Setup the default VLAN
ASW1(config)#interface vlan 1
ASW1(config-if)#ip address 192.168.1.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit
Setup VLAN 10
ASW1(config)#interface vlan 10
ASW1(config-if)#ip address 192.168.10.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit
Setup VLAN 20
ASW1(config)#interface vlan 20
ASW1(config-if)#ip address 192.168.20.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit
Setup Fastethernet Interfaces
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#no shut
ASW1(config-if)#exit
Setup FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW1(config)#interface fastethernet 0/12
ASW1(config-if)#description ASW1 - PC1
ASW1(config-if)#speed 10
ASW1(config-if)#duplex half
ASW1(config-if)#switchport
Make the port as an access port
ASW1(config-if)#switchport mode access
Make the port an access port for VLAN 10
ASW1(config-if)#switchport access vlan 10
Enable PortFast on end-points (pair it with spanning-tree bpduguard enable on access ports so a switch plugged into the port cannot take part in the spanning tree)
ASW1(config-if)#spanning-tree portfast
ASW1(config-if)#no shut
ASW1(config-if)#exit
Associate VLANs with Fe 1 to 4
ASW1(config)#interface range fastethernet 0/1 - 4
ASW1(config-if-range)#speed 100
ASW1(config-if-range)#duplex auto
ASW1(config-if-range)#switchport
ASW1(config-if-range)#switchport trunk encapsulation dot1q
ASW1(config-if-range)#switchport trunk native vlan 1
ASW1(config-if-range)#switchport trunk allowed vlan 1,20,10
ASW1(config-if-range)#switchport mode trunk
ASW1(config-if-range)#exit
Configure UplinkFast (a global command on Catalyst IOS; it is not accepted under an interface)
ASW1(config)#spanning-tree uplinkfast
Administratively shut down all ports not connected
ASW1(config)#interface range fastethernet 0/5 - 11
ASW1(config-if-range)#shut
ASW1(config-if-range)#exit
Enable Spanning Tree Protocol on VLANs
ASW1(config)#spanning-tree vlan 1
ASW1(config)#spanning-tree vlan 10
ASW1(config)#spanning-tree vlan 20
Exit Global Configuration Mode
ASW1(config)#exit
Check that you named the interfaces correctly, haven't missed a connected interface and that the duplex and speed settings are correct
ASW1#show interfaces status
Check that you configured STP
ASW1#show spanning-tree
Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)… oops, copy start run
ASW1#copy run start

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW2
Set the enable password and the enable secret (only the hashed secret is used once both exist; the enable password is stored reversibly, so matching values are for the lab only)
ASW2(config)#enable password cisco
ASW2(config)#enable secret cisco
Setup the console port password
ASW2(config)#line con 0
ASW2(config-line)#password cisco
ASW2(config-line)#login
ASW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password (a shared line password that still accepts Telnet; use login local and transport input ssh outside the lab)
ASW2(config)#line vty 0 4
ASW2(config-line)#password cisco
ASW2(config-line)#login
ASW2(config-line)#exit
Default Gateway (a global command, entered after leaving line configuration mode; it is honoured because ip routing is not enabled on the access switch)
ASW2(config)#ip default-gateway 192.168.1.50
Setup the default VLAN
ASW2(config)#interface vlan 1
ASW2(config-if)#ip address 192.168.1.150 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit
Setup VLAN 10
ASW2(config)#interface vlan 10
ASW2(config-if)#ip address 192.168.10.150 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit
Setup VLAN 20
ASW2(config)#interface vlan 20
ASW2(config-if)#ip address 192.168.20.150 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit
Setup Fastethernet Interfaces
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#no shut
ASW2(config-if)#exit
Setup FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW2(config)#interface fastethernet 0/12
ASW2(config-if)#description ASW2 - PC2
ASW2(config-if)#speed 10
ASW2(config-if)#duplex half
ASW2(config-if)#switchport
Make the port as an access port
ASW2(config-if)#switchport mode access
Make the port an access port for VLAN 20
ASW2(config-if)#switchport access vlan 20
Enable PortFast on end-points (pair it with spanning-tree bpduguard enable on access ports so a switch plugged into the port cannot take part in the spanning tree)
ASW2(config-if)#spanning-tree portfast
ASW2(config-if)#no shut
ASW2(config-if)#exit
Associate VLANs with Fe 1 to 4
ASW2(config)#interface range fastethernet 0/1 - 4
ASW2(config-if-range)#speed 100
ASW2(config-if-range)#duplex auto
ASW2(config-if-range)#switchport
ASW2(config-if-range)#switchport trunk encapsulation dot1q
ASW2(config-if-range)#switchport trunk native vlan 1
ASW2(config-if-range)#switchport trunk allowed vlan 1,20,10
ASW2(config-if-range)#switchport mode trunk
ASW2(config-if-range)#exit
Configure UplinkFast (a global command on Catalyst IOS; it is not accepted under an interface)
ASW2(config)#spanning-tree uplinkfast
Administratively shut down all ports not connected (0/12 is PC2, so 0/5 to 0/11, matching ASW1)
ASW2(config)#interface range fastethernet 0/5 - 11
ASW2(config-if-range)#shut
ASW2(config-if-range)#exit
Enable Spanning Tree Protocol on VLANs
ASW2(config)#spanning-tree vlan 1
ASW2(config)#spanning-tree vlan 10
ASW2(config)#spanning-tree vlan 20
Exit Global Configuration Mode
ASW2(config)#exit
Check that you named the interfaces correctly, haven't missed a connected interface and that the duplex and speed settings are correct
ASW2#show interfaces status
Check that you configured STP
ASW2#show spanning-tree
Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)… oops, copy start run
ASW2#copy run start

The point of this exercise is to get a dynamic routing protocol, in this case EIGRP, working.
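
As an added example (not part of the original post, and not Cisco's or the author's code), the following Python script audits a configuration like the one above for the settings a security reviewer would flag: the reversible enable password, the shared VTY password and open Telnet, trunks left on native VLAN 1 with DTP still running, PortFast without BPDU Guard, and the classful EIGRP network statement. The two embedded configs are constructed from the ASW1 section of this lab, rewritten in running-config layout; VLAN 999 as the native VLAN and the admin account in the hardened version are assumed values, not anything the lab specifies.

```python
"""Audit a Catalyst IOS config for the hardening gaps this lab leaves open.

Constructed example, not a device dump: SAMPLE_CONFIG is the ASW1 config from
the post in running-config layout, HARDENED_CONFIG the same switch with each
gap closed.
"""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
hostname ASW1
enable password cisco
enable secret cisco
!
interface FastEthernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
router eigrp 100
 network 192.168.0.0
line vty 0 4
 password cisco
 login
"""

# Assumed values (not from the post): VLAN 999 as an otherwise unused native
# VLAN and a local 'admin' account for SSH logins.
HARDENED_CONFIG = """\
hostname ASW1
enable secret cisco
username admin secret cisco
interface FastEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
router eigrp 100
 network 192.168.0.0 0.0.255.255
line vty 0 4
 login local
 transport input ssh
"""

Section = Tuple[str, List[str]]
Finding = Tuple[str, str, str]  # (code, where, message)


def parse_config(text: str) -> List[Section]:
    """Split IOS config text into (header, indented child lines) sections.

    An unindented line opens a section and lines indented by a space belong
    to the most recent one; '!' separators and blank lines are ignored.
    """
    sections: List[Section] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text: str) -> List[Finding]:
    """Return one (code, where, message) finding per weak setting, in config order."""
    sections = parse_config(text)
    out: List[Finding] = []
    if any(h.startswith("enable password") for h, _ in sections):
        out.append(("ENABLE_PASSWORD", "global",
                    "enable password is stored reversibly; keep only enable secret"))
    for header, body in sections:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if "switchport mode trunk" in body:
                native = 1  # IOS default when no 'native vlan' line is present
                for line in body:
                    m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
                    if m:
                        native = int(m.group(1))
                if native == 1:
                    out.append(("NATIVE_VLAN_1", name, "trunk native VLAN is 1; use an unused VLAN"))
                if "switchport nonegotiate" not in body:
                    out.append(("DTP_ENABLED", name, "DTP still runs; add switchport nonegotiate"))
            if "spanning-tree portfast" in body and "spanning-tree bpduguard enable" not in body:
                out.append(("PORTFAST_NO_BPDUGUARD", name, "PortFast port without BPDU Guard"))
        elif header.startswith("line vty"):
            # 'transport input ssh' (or 'none') is the only safe setting; absent means all
            inputs = [line.split()[2:] for line in body if line.startswith("transport input")]
            if not inputs or any(set(i) - {"ssh", "none"} for i in inputs):
                out.append(("VTY_TELNET", header, "vty accepts Telnet; set transport input ssh"))
            if "login" in body:  # bare 'login' = one shared line password
                out.append(("VTY_LINE_PASSWORD", header, "shared line password; use login local or AAA"))
        elif header.startswith("router eigrp"):
            for line in body:
                if re.fullmatch(r"network \d+\.\d+\.\d+\.\d+", line):
                    out.append(("EIGRP_CLASSFUL_NETWORK", header, line + " is classful; add a wildcard mask"))
    return out


if __name__ == "__main__":
    for code, where, msg in audit(SAMPLE_CONFIG):
        print(f"{code:23} {where:18} {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it as-is to see the seven findings for the lab config and an empty list for the hardened one; to check a real switch, pass saved `show running-config` output to audit(). Only the checks listed are implemented, and a trunk with no native vlan line is treated as native VLAN 1, which is what IOS does.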

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Certguard and a Blog

Published
by
Deon Botha
on June 16, 2008
in Off-Topic
. 2 Comments

Since late last week there have been some waves in the online networking community about a post by Robert Williams from CertGuard. Since that post many things have happened; I am however not going to talk about the specific situation, how it is probably affecting the mentioned CCIE etc. Some notable comment can be read from members of the networking community like Colin McNamara, Arden Packeer and Greg Ferro.

I have been following the situation and reading responses and trying to figure this out for myself. I am however finding myself with more questions than answers as I try to get information to make an educated decision as to this whole story. My main questions are around CertGuard.

To kick off, why this whole thing is upsetting me and probably many other people. I practice what I do on my good name. If it calls for it I spend extra non-billing hours (working days without sleep) keeping my good name intact with clients who are not happy with a product or service either I or a competitor placed, because my good name and the good name of my vendor of choice are important to me. This extends into daily life, where dressing appropriately for functions, being on time for meetings (early usually) and being affable and amiable in company goes to preserving my good name. I have spent time, been careful and made sure my name is not sullied and not dragged through any mud or tarnished by schoolboy playground antics, because people buy products and services from people. Basic marketing theory says that word of mouth is the best and worst marketing, where one good experience brings maybe one extra customer; one bad experience sends 10 customers away forever. At the end of the day my good name is very important to me because it is my brand and my image. This situation is upsetting because it has to do directly with this concept and the sullying of someone’s good name in a disgraceful, very underhanded way.

CertGuard seems to be a self appointed Information Technology (IT) Watchdog where it concerns test taking and certifications. How this is done around the back-end isn’t so clear to me at this point. I have read that they have no affiliation with Cisco or Pearson Vue (I only care about their links with Cisco I don’t much care whether Microsoft or another vendor uses their products/services). Their website isn’t exactly transparent as to all their specifics but I will outline my thoughts and findings below.

I want to know WHAT they do; they say they keep the industry clean by focusing on braindump websites. For those who don’t know what braindumps are, these are basically compiled documents of test questions that may or may not appear in the exams. A braindump is not certified study material according to the agreement you sign every time you take a Cisco exam. The fact remains to me that they aren’t affiliated with Cisco and they make a leap somewhere from “braindump websites” to “decertifying individuals” that is a bit far fetched and I don’t know how that happens. This leap is more than just bothering me, it's annoying me; I have looked through the CertGuard website, done Google searches and tried asking others, but no one knows WHAT they do other than selling a product type service.

Personally I learnt in grade school that cheating was wrong, I received a degree without trying to write crib notes on various body parts to get them into exams (a girl wrote half the theory on her breasts in one exam thinking it was the only place the invigilator wouldn’t look) and I certainly know that unless I know something outright I am not going to pass any exam (sometime down the line I am going to look stupid if I don’t know how to do something I have written an exam on). The company doesn’t seem to be closing down braindump websites but monitoring them, they don't seem affiliated with Cisco so as to take away certifications from individuals, and they seem to be selling information based products to end-users and not vendors. This whole thing leaves me with more questions than answers.

What CertGuard is doing is great in theory (noble and almost altruistic): protecting the intrinsic value of something like a certification (which is not like a conferred degree) is in the interest of everyone working towards getting that certification. What is rubbing me raw though is what do they actually do? Are they working for a vendor at a higher level or are they trying to create a new economy for validating online 3rd party course content information? Are they trying to become the de facto “trusted authority” for who you can use for content and who you can't? Or are they none of the above and I’m just too stupid to see what they really do and don’t do.

One of the links in the pecking order that’s also bothering me is how CertGuard can share/give/pass information as a “trusted authority” to Cisco/Vue (or others) and how, as a trusted authority, Cisco/Vue acts on the information by stripping someone of a certification (if at all). My concern here is that I have paid a small fortune to get learning material, certifications, hardware and training from Cisco and/or Cisco Partners; I have spent countless hours in front of books, PEC, and at training, losing sleep, weekends and time I could have spent focusing on other activities. If a company who is not affiliated with Cisco, not recognized by Cisco and not given a mandate by Cisco starts to act “as if” they are working on behalf of Cisco, I am going to be a very unhappy camper and would hope Cisco Systems and the community at large cuts them down to size instead of siding with them, because you may be next.

I am unsure of CertGuard’s place in the macro network environment and how they interact with the ecosystem at this point. Is this a fear-based marketing and advertising ploy in very bad taste to drum up traffic and, in the end, sales for their products? Network World seems to rubber-stamp them, if not endorse them fully, by allowing them a place from which to gather an audience. Their website doesn’t clearly state anything substantial about them; I want specifics, facts and concrete information if they are so important to the industry. I want to know that my future as a small fish in a big pond in the network industry isn’t going to be jeopardized when some unknown CEO from a company whom you know but also don’t know what they do (I don’t trust them, nor know anything about them, nor care about them*) turns my world upside down one sunny day.

The modus operandi of using a highly visible public platform in the network industry to blackball a blogger without prior consultation or attempted mediation is uncouth, to say the least. This is something that I don’t think I can agree was/is the correct method or acceptable in the least. As a person who is active online, who writes (in my case notes from various sources) and posts them to a blog, my concern is: am I going to be the next lamb to the slaughter (probably not, but the fear is there)? As rational or irrational as that is, who will be the next target for Mr Williams? If you note their services, they offer Blog & Forum Monitoring (feels like Big Brother is watching).

I certainly don’t get paid for blogging; I also don’t know anyone who does. I am certainly not going to jeopardize my future so that someone can take me out at the knees for something because they feel a need to scratch something that itches.

*An online business without a complete website explaining at least Who they are, What they do, How they do it, Where they come from, How they relate to me, Why I should care, Why they should be there, and with a telephone number and physical address FOR THE REASON I VISITED THE SITE in plain view, without the need to search for it or do a whois on the domain, is in my experience trying to scam me in some way.

In this case: Who is CertGuard to me as a Cisco Networker? What does CertGuard have to do with Cisco? How does CertGuard do what they do in relation to Cisco and Cisco Certification, and what are the mechanics of it? Where is their value proposition in relation to Cisco and Cisco Certification? How does this relate to my studies and certification process with Cisco? Why will or won’t this affect me and my life? Why should CertGuard be there and exist at all and affect my life? And where can I call someone if they make my life hell, and/or buy a plane ticket to come make someone’s life hell if need be?

Finally, I have probably edited this thing a hundred times to get it to say what I want. I am adding links to the Disclaimer and to information about me, and finally, should anyone try and muck me around, thus far all posts fall under the following notice:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Followup: Ethan Banks is back in action, his blog post can be found here.

Followup: Robert Williams public apology to Ethan Banks and the Network Community.

Cisco and DDNS

Published
by
Deon Botha
on June 4, 2008
in Cisco Systems, Concepts and Constructs, DDNS and Support
. 3 Comments

A little off-topic (switching being topic at the moment) but I ran into this today again and wanted to jot it down quick.

WARNINGS: The commands below enable public access to internal resources. This should not be done if you do not understand Access Control Lists (ACLs) and/or do not have a proper firewall (not Windows Firewall) installed; a PIX or ASA, or even ISA Server, would do. I prefer not doing this at all because it creates a rather obvious place for network attacks to happen. You must know that these commands are what I know to work; you may disagree and I would love to hear what you do/use. I take no responsibility whatsoever as to how you use these commands, and you shall be responsible for your losses or your clients’ losses if you do not implement this correctly or data/information is stolen.

Dynamic DNS (DDNS) is a service that keeps a public hostname pointing at a local network whose internet connection has a dynamic (constantly changing) IP address (most ADSL connections): the router reports each new address to the DDNS provider, which updates the DNS record, so anyone on the internet can reach resources on that network by name.

To understand the concept: the Domain Name Service (DNS) maps human-readable hostnames (www.companyweb.org) to IP addresses (192.168.0.1), so that hosts, routers and other network infrastructure can deliver traffic to the right address. The internet uses DNS so that we can go to www.google.co.za and not have to remember the IP address of Google and the million other sites online.

DDNS makes it possible for small and medium businesses (SMBs) to give employees, customers, partners and other stakeholders access to internal resources (mail, intranet, price lists, documents, etc.) without paying for a static IP address. This is not limited to SMBs; some larger companies have dynamic connections and also use the service. There are, of course, security concerns and problems with DDNS.

By enabling DDNS you allow external (untrusted) access to internal (trusted) resources. That brings not just known visitors (employees, customers, partners and other stakeholders) but unknown ones (random hits, hackers, etc.). If you do not implement proper security you may, and probably will, lose information and data without even knowing it.

Cisco routers from the SMB range upward support the DDNS commands, and services like DynDNS can be configured without much hassle. There are some small things to watch out for, though, which I cover below.

Step 1: Open an account with DynDNS (other services also work with Cisco routers; I have only used DynDNS and I am happy with them, so check Cisco’s configuration guide for the commands for the others). Once the DynDNS account is set up, create a free DynDNS hostname (they have many options, like your-option.domain.com) and write it down together with your username and password.

Step 2: Add members.dyndns.org to the router’s host table and statically configure your ISP’s DNS servers. You could skip this, but it works better if you do.

Router(config)#ip host members.dyndns.org 63.208.196.96
Router(config)#ip name-server xxx.xxx.xxx.xxx
Router(config)#ip name-server xxx.xxx.xxx.xxx

Things to change: xxx.xxx.xxx.xxx is your ISP’s DNS server address, primary first, secondary second. Note that the static host entry pins members.dyndns.org to the address shown; if the provider ever moves the service, resolve the name again and update the entry rather than trusting a stale address.

For those with ISPs that love changing their DNS servers regularly (I know some ISPs change their DNS servers monthly; they have a list of servers, and which ones are active in any given month is anyone’s guess), this is great if you charge by the hour and bad for your client, because they will see you every month (i.e. bad for Cisco’s image, because the client thinks his Cisco kit breaks every month).

Via Etherealmind: you can give OpenDNS a try. OpenDNS is DNS with a little extra, as they include phishing protection and spelling correction in their service.

Step 3: This is tricky because the update URL contains a special character; play around with this and see what happens. When you get to the special character in the line, press Ctrl+V first so that IOS accepts it as literal input rather than as a CLI keystroke.

Router(config)#ip ddns update method dyndns
Router(DDNS-update-method)#HTTP
Router(DDNS-HTTP)#add http://DYNDNS-USERNAME:DYNDNS-PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
Router(DDNS-HTTP)#exit
Router(DDNS-update-method)#interval maximum 0 28 0 0

If you missed it, the special character I mentioned is the question mark, which IOS treats as a request for help unless you press Ctrl+V before typing it. Things to change: DYNDNS-USERNAME is your DynDNS username and DYNDNS-PASSWORD is your DynDNS password. Be aware that these credentials sit in the running configuration in plain text and, because the URL is http://, travel unencrypted with every update.

Step 4: Apply the update on the Dialer interface (not the ATM, FastEthernet or GigabitEthernet interfaces). This could also be put on a Serial interface (say for a flapping leased line; but if you have a leased line for internet you would probably have a static IP address, so why you would use DDNS then I don’t know, though it could and probably would work).

Router(config)#interface Dialer1
Router(config-if)#ip ddns update hostname your-option.domain.com
Router(config-if)#ip ddns update dyndns host members.dyndns.org

Things to change: your-option.domain.com is the hostname you chose at DynDNS, like game-server.dyndns.org.

Step 5: We are doing this for a reason, and the reason behind DDNS is to have a private resource available to the public internet. To achieve this in IPv4, NAT or PAT is used when a single internet connection is available: NAT takes multiple internal (private) addresses and lets them all reach the internet at once through the single public address, and PAT (NAT overload) tells the individual translations apart by port number. For this to work you need to mark the NAT inside and NAT outside interfaces.

Router(config)#interface Dialer1
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface vlan VLAN-NUMBER
Router(config-if)#ip nat inside

I use a VLAN and map the VLAN to a FastEthernet or GigabitEthernet interface; you may or may not do it this way.

Step 6: Configure NAT to extend an internal resource to the public. Say I am doing this for Small Business Server 2003 (SBS) for Exchange Outlook Web Access (OWA), which uses HTTP port 80 and HTTPS port 443. Consider only doing this if you have Premium Edition (comes with ISA Server), so that you can exercise some control over what you publish and what you don’t.

Router(config)#access-list 101 permit ip 192.168.16.0 0.0.0.255 any
Router(config)#ip nat inside source list 101 interface Dialer1 overload
Router(config)#ip nat inside source static tcp xxx.xxx.xxx.xxx 80 interface Dialer1 80
Router(config)#ip nat inside source static tcp xxx.xxx.xxx.xxx 443 interface Dialer1 443

Things to change here: xxx.xxx.xxx.xxx is the SBS IP address (default is 192.168.16.2). Access list 101, referenced by the overload line, must exist and should permit only your internal subnet (192.168.16.0/24 if you kept the SBS default), since it selects which inside addresses get translated.

Step 7: Disable the router’s HTTP and HTTPS servers so that you don’t get the router’s login page when you browse to your-option.domain.com, which is annoying, could break the functionality, and is a security risk.

Router(config)#no ip http server
Router(config)#no ip http secure-server

These commands disable the web GUI! If that is a problem, consider not configuring DDNS. The router’s web server breaks the functionality because it also uses HTTP port 80, meaning that when someone types the URL the router may serve its own web GUI instead of OWA. It is a security problem because every time someone comes to the external website on port 80 the router asks for a level 15 login and password (Cisco-specific behaviour, and anyone who knows network kit knows this means Cisco kit lurks yonder), and if you haven’t chosen a secure password they may well get into the router and factory-reset it for you.

Step 8: Configure ACLs (at least) for WAN traffic. Some ISR routers come with a firewall option; consider configuring that too. Disable CDP on external-facing interfaces, etc. (in other words, take due care and diligence in setting up a properly secured router, plus some more, because you are letting the outside world into the private network).

Step 9: Verify DDNS using the show command (from privileged EXEC; from configuration mode prefix it with “do”)

Router#show ip ddns update

Alternatively you can use the debug command

Router#debug ip ddns update

Step 10: I’m not paranoid (all this talk of security); I just don’t like gambling with Lady Luck. Exposing any part of the internal network to the outside world is a security risk that can be mitigated (not totally) but controlled. Consider this, and how to mitigate the risk, before exposing something like SBS (which by all accounts is the business nervous system in an SMB).

Notes and Notices:

Anything free is meant to be taken with a pound of salt. I take no responsibility for loss or damage from implementation of the above commands on routers or networks without proper consultation and documentation done by myself in person with end-users. I do not suggest this configuration; by writing this I do not imply that this is a good idea to implement or configure in all situations.

In good Afrikaans: “Die is als voets-toets” (roughly: all of this is as-is, at your own risk).

Switch Security Layer-2 Attacks – Four

Published
by
Deon Botha
on May 28, 2008
in ACL, BCMSN, CDP, Certification, Cisco Systems, Concepts and Constructs, SSH, Telnet and VTY
. 0 Comments

Switch-Device-Attacks

CDP

Cisco Discovery Protocol (CDP) is a useful and great protocol when you are sitting on the other side of the office/country/planet and don’t know what you are working with on a network, but CDP has some holes for attackers to leverage that can cause problems.

CDP sends information about network topology between network devices in clear text and without authentication. An attacker with a packet sniffer can collect details about the network infrastructure (device platform, software version, addresses, neighbours) that we don’t really want them to have.

CDP isn’t needed on ports where no network management is done (this isn’t the case for Cisco IP Phones, which rely on it). You can also go ballistic and disable CDP totally; that’s up to you. To disable CDP use the following commands.

CDP per-port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#no cdp enable

CDP Globally

switch#configure terminal
switch(config)#no cdp run

Be careful with this: CDP is used in conjunction with, or as support for, other Cisco protocols and features.

Telnet

Telnet has a few problems:

  • All usernames, passwords and data sent over a public network (read: the Internet) are sent in clear text and are thus vulnerable to eavesdropping.
  • A user with an account on the system can gain elevated privileges.
  • A remote attacker could crash the Telnet service, preventing legitimate service rendering.
  • A remote attacker could find an enabled guest account that may be present anywhere in the trusted domain of the server.

In other words: don’t telnet over the internet.

SSH

SSH is a client/server protocol used to log in to another computer over a network. It provides strong authentication and secure communication over a public network. SSH may be “more” secure, but many vendors’ implementations of SSH have been found vulnerable, so keep the software current. Before the vty lines can be restricted to SSH the switch needs a hostname, a domain name and an RSA key pair.

switch#configure terminal
switch(config)#ip domain-name example.com
switch(config)#crypto key generate rsa
switch(config)#line vty 0 15
switch(config-line)#transport input ssh

VTY Access Control Lists (ACL)

One can associate an ACL with the vty lines to permit or deny access to the switch’s vty ports.

The number of VTYs differs between platforms; make sure you get it right and configure the ACL on ALL the VTY lines, and don’t leave one open.

switch#configure terminal
switch(config)#access-list 12 permit 192.168.0.0 0.0.255.255
switch(config)#line vty 0 15
switch(config-line)#access-class 12 in
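
The hardening points of this post (CDP off on access ports, SSH-only vty lines, an access-class on every vty line) and of the DDNS post above (router HTTP/HTTPS server disabled, DDNS update URL carrying credentials) are the kind of thing worth checking mechanically before a device goes live. The script below is an added example, not the blog’s or Cisco’s tooling: it parses a constructed IOS configuration snippet (SAMPLE_CONFIG, not a real device) and reports each point that is missing. The block headers it understands and the 16-line vty count are assumptions; adjust them for your platform.

```python
"""Audit a Cisco IOS configuration for the remote-access and Layer-2
hardening points covered in the notes: HTTP/HTTPS server left on,
vty lines without an access-class or with Telnet allowed, CDP left
running on access ports, and DDNS update URLs carrying credentials.
Added example, not the blog's own tooling.  SAMPLE_CONFIG is a
constructed snippet, not a real device's configuration."""
import re

SAMPLE_CONFIG = """\
hostname edge-sw
!
ip http server
no ip http secure-server
!
ip ddns update method dyndns
 HTTP
  add http://DYNDNS-USERNAME:DYNDNS-PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user port
 switchport mode access
 no cdp enable
!
interface GigabitEthernet0/3
 description user port
 switchport mode access
!
access-list 12 permit 192.168.0.0 0.0.255.255
!
line vty 0 4
 access-class 12 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

# Top-level lines that open an indented block (assumed subset of IOS).
BLOCK_HEADERS = ("interface ", "line ", "ip ddns update method ")


def parse_config(text):
    """Split an IOS config into global commands and indented blocks.
    Returns (globals, blocks); blocks maps a header such as
    'line vty 5 15' to the list of its (stripped) child lines."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith(BLOCK_HEADERS):
            current = raw.strip()
            blocks.setdefault(current, [])
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks


def audit(text, vty_count=16):
    """Return a list of findings (strings); an empty list means clean."""
    findings = []
    globals_, blocks = parse_config(text)

    # The device's own web UI must not answer on the ports being published,
    # and its login prompt advertises a Cisco device to anyone probing.
    for cmd in ("ip http server", "ip http secure-server"):
        if cmd in globals_:
            findings.append(f"{cmd}: enabled, disable with 'no {cmd}'")

    cdp_global_off = "no cdp run" in globals_
    configured_vtys = set()
    for header, body in blocks.items():
        if header.startswith("line vty"):
            nums = [int(n) for n in header.split()[2:]]
            configured_vtys.update(range(nums[0], nums[-1] + 1))
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{header}: no access-class applied")
            transport = [b for b in body if b.startswith("transport input")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append(f"{header}: transport input is not ssh-only")
        elif header.startswith("interface") and not cdp_global_off:
            if "switchport mode access" in body and "no cdp enable" not in body:
                findings.append(f"{header}: CDP still enabled on an access port")
        elif header.startswith("ip ddns update method"):
            for b in body:
                m = re.match(r"add\s+(\w+)://([^:/@]+):([^@]+)@(\S+)", b)
                if m and m.group(1) == "http":
                    host = m.group(4).split("/")[0]
                    findings.append(f"{header}: update URL for {m.group(2)}@{host} "
                                    "sends credentials over plain HTTP and stores them in the config")
    missing = sorted(set(range(vty_count)) - configured_vtys)
    if missing:
        findings.append(f"vty lines {missing[0]}-{missing[-1]} have no explicit configuration")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the audit flags the HTTP server, the second vty range (no access-class, Telnet still permitted), the access port that still speaks CDP, and the plain-HTTP DynDNS credentials, while the correctly configured port and vty range stay silent.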

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Switch Security Layer-2 Attacks – Three

Published
by
Deon Botha
on May 28, 2008
in BCMSN, BPDU Filtering, BPDU Guard, BPDU Root Guard, Certification, Cisco Systems, Concepts and Constructs, DAI, DHCP Snooping, DHCP Spoofing, Dynamic ARP Inspection, IP Source Guard, Loop Guard and Unidirectional Link Detection
. 0 Comments

Spoofing-Attacks

If a feature talks about trusted/untrusted ports, then access ports (facing end-devices or downstream) are untrusted and trunk/other ports (facing distribution/core or upstream) are trusted.

DHCP Spoofing and Starvation

DHCP is a protocol that allows end-devices to get their network configuration from a central server (router, switch, MS server). A DHCP server can be spoofed by an attacker, whereby end-devices receive their network configuration from the attacker’s DHCP server and not the legitimate one.

The reason one would want to spoof a DHCP server is that the intruder can configure end-devices with an IP address, Domain Name Service (DNS) server and default gateway (DG) of their choosing rather than the legitimate information; the attacker then plays man in the middle.

Mitigation: DHCP Snooping

DHCP Snooping is a Cisco Catalyst feature that lets you configure switch ports as either trusted or untrusted, which controls which DHCP messages a port may send into the switch. Trusted ports can source all DHCP messages and can host, or be an uplink to, a DHCP server. Untrusted ports can source client requests only. If a rogue device on an untrusted port attempts to send a DHCP server response, the port is shut down (errdisabled).

Configuration

Step 1: Configure DHCP snooping globally.

switch#configure terminal
switch(config)#ip dhcp snooping

Step 2: Configure Trusted and Untrusted ports.

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#ip dhcp snooping trust

By default all ports are untrusted.

Step 3: Configure DHCP Option 82 insertion.

switch#configure terminal
switch(config)#ip dhcp snooping information option

This is optional; it makes the forwarded DHCP request carry information on the switch port where it originated.

Step 4: Configure rate limiting on untrusted ports (the value is in DHCP packets per second).

switch#configure terminal
switch(config)#interface gigabitethernet 0/2
switch(config-if)#ip dhcp snooping limit rate <pps>

Step 5: Configure DHCP snooping for selected VLANs.

switch#configure terminal
switch(config)#ip dhcp snooping vlan 1,3-6

Step 6: Confirm the configuration

switch#show ip dhcp snooping

STP Compromises – STP Operation Protection

STP has two protection methods for ports where PortFast has been enabled. In proper configs PortFast is only enabled on downstream ports (outward facing) that connect to end-devices. As discussed in previous posts, a Bridge Protocol Data Unit (BPDU) should never arrive on these interfaces; if it does, BPDU Guard and BPDU Filtering provide protection (a BPDU there signals either a config error or an attack).

  • BPDU Guard protects the switched network from problems that may arise from receiving BPDUs on ports they shouldn’t be coming from. This could be an honest mistake or someone trying to add a switch.
  • BPDU Filtering affects how the switch handles BPDUs seen on PortFast-configured ports. The functionality differs depending on whether it is configured globally or per port.
  • BPDU Root Guard protects against a switch outside the designated network attempting to become the root bridge, by blocking the port until its superior BPDUs cease.

STP Operation Protection – Configuration of BPDU Guard

Step 1: Enable BPDU Guard globally (applies to all PortFast ports)

switch#configure terminal
switch(config)#spanning-tree portfast bpduguard default

Step 2: Display BPDU configuration information

switch#show spanning-tree summary totals

STP Operation Protection – Configuration of BPDU Filtering

As mentioned earlier, there are two methods of configuring BPDU Filtering; below are the two methods and the differences in how each implementation behaves.

STP Operation Protection – Configuration of BPDU Filtering – Global

switch#configure terminal
switch(config)#spanning-tree portfast bpduguard default
switch(config)#spanning-tree portfast bpdufilter default

In a valid config, PortFast ports do not receive BPDUs. If a PortFast-enabled port receives a BPDU it signals an invalid config; BPDU Guard puts the port into the errdisabled state, while global BPDU Filtering reacts as follows.

Global BPDU Filtering has these effects:

  • It affects all operational PortFast ports on switches that do not have BPDU filtering configured on the individual ports (i.e. you can have global and port-based filtering active at the same time).
  • If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and STP sends and receives BPDUs on the port as it does on other STP ports of the switch.
  • Upon startup the port transmits 10 BPDUs. If the port receives any BPDUs during that time, PortFast and BPDU filtering are disabled.

STP Operation Protection – Configuration of BPDU Filtering – Port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#spanning-tree bpduguard enable
switch(config-if)#spanning-tree bpdufilter enable

At the interface level (port level) you can enable BPDU Guard without also enabling PortFast. When the port receives a BPDU it is put into the errdisabled state.

Per-port BPDU Filtering has these effects:

  • It ignores all BPDUs received.
  • It sends no BPDUs.

Configure this on ports that connect to known end-points that would/should/will never ever see a BPDU.

EXPLICIT configuration of PortFast BPDU filtering on a port that is not connected to an end-device can create bridging loops: the port ignores BPDUs and changes to the forwarding state. This does not happen when PortFast BPDU Filtering is enabled globally. So if you configure this on a port that may be, or is, connected to another switch and needs to participate in STP in some way or form, that port is always in the forwarding state.

STP Operation Protection – Configuration of BPDU Filtering – Confirmation

switch#show spanning-tree summary totals

Confirming configuration on a specific port

switch#show spanning-tree interface gigabitethernet 0/0 detail

STP Operation Protection – Root Guard

Root Guard is a feature that limits which switch ports the root bridge can be negotiated on. If a root guard-enabled port receives BPDUs that are better than those of the current root bridge, the port transitions into the root-inconsistent state (equivalent to the STP listening state).

Root Guard is configured on a per-port basis, and recovery requires no intervention. A root guard port stays an STP designated port: when root guard is enabled on a port, the switch does not allow that port to become an STP root port.

Root guard should be enabled on all ports where the root bridge is not anticipated and never will be.

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 01. Moved to root-inconsistent state

Configuration

Step 1: Enable Root Guard on an interface

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#spanning-tree guard root

Step 2: Verify Root Guard on an interface

switch#show running-config interface gigabitethernet 0/1

Step 3: Verify whether any port is in the Root Guard inconsistent state

switch#show spanning-tree inconsistentports

STP Forwarding Loops – Unidirectional Link Detection (UDLD)

A unidirectional link occurs when traffic between neighbours flows in only one direction; this can cause spanning-tree loops. UDLD detects when this occurs and shuts down the affected interface.

UDLD is a Layer-2 protocol that works with Layer-1 mechanisms to determine the status of a link. The switch periodically transmits UDLD packets on a UDLD-enabled interface; if the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and shut down (for this to work, the devices on both ends must support UDLD).

UDLD falls outside STP but benefits STP by detecting unidirectional links, which can cause loops. UDLD does one of two things depending on whether it is configured as “Normal” or “Aggressive”.

  • Normal mode UDLD changes the port to an undetermined state when UDLD messages/echoes stop coming back.
  • Aggressive mode UDLD makes 8 attempts to re-establish the relationship and then errdisables the port if UDLD messages/echoes still do not come back.

UDLD uses MAC 0100.0CCC.CCCC (01-00-0c-cc-cc-cc) with Sub-Network Access Protocol (SNAP) High-Level Data Link Control (HDLC) protocol type 0x0111.

Configuration

Step 1: Enable UDLD

Step 1.1: On fiber and non-fiber (copper) interfaces

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#udld enable

Step 1.2: Globally on fiber switch interfaces

switch#configure terminal
switch(config)#udld enable

Step 2: Disable UDLD

Step 2.1: On non-fiber interfaces individually

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#no udld enable

Step 2.2: On fiber interfaces

switch#configure terminal
switch(config)#udld disable

Step 3: Reset all interfaces that have been errdisabled by UDLD

switch#udld reset

Step 4: Verify UDLD

switch#show udld interface gigabitethernet 0/1

STP Forwarding Loops – Loop Guard

Similar to UDLD, Loop Guard protects STP when a link is unidirectional and BPDUs are being sent but not received. Without Loop Guard, a port on a unidirectional link transitions to forwarding when it stops receiving BPDUs. With Loop Guard enabled, a port that stops receiving BPDUs moves into the STP loop-inconsistent (blocking) state.

SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 0/1 in vlan 2. Moved to loop inconsistent state.

When a BPDU is received again on the port, the port will transition to the appropriate state without intervention.

Configuration

Step 5: Enable Loop Guard

Step 5.1: Globally configure Loop Guard

switch#configure terminal
switch(config)#spanning-tree loopguard default

Step 5.2: Per-port Loop Guard

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#spanning-tree guard loop

Step 6: Verify Loop Guard

switch#show spanning-tree interface gigabitethernet 0/1 detail

SPANTREE-2-LOOPGUARDBLOCK: port 0/1 restored in vlan 2

Loop Guard is enabled on ports that participate in spanning tree and are redundant at Layer 2. When a switch stops receiving BPDUs on its root or blocking ports, it transitions those ports to loop-inconsistent, which does not pass traffic. Loop Guard is configured per port, does not work together with Root Guard on the same port, and should not be enabled on PortFast ports.

With Loop Guard and EtherChannel, the first operational port is used for BPDUs; if that link is unidirectional, Loop Guard transitions ALL links of the channel to loop-inconsistent. This is not desirable because the inherent redundancy gained through channelling is lost.
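
To make the three guard behaviours above concrete (BPDU Guard errdisabling a PortFast port, Root Guard holding a port root-inconsistent while superior BPDUs arrive, Loop Guard holding a root or blocking port loop-inconsistent when BPDUs stop), here is a small simulation written as an added example; it is not Cisco code. The bridge IDs, MAC addresses and port names are constructed, the comparison of bridge IDs follows the STP rule (lower priority, then lower MAC, wins), and the log strings reuse the message formats quoted in the notes.

```python
"""Simulate how BPDU Guard, Root Guard and Loop Guard decide what a port
does when a BPDU arrives (or stops arriving), following the behaviour
described in the notes.  Added example, not Cisco code; the bridge IDs,
MACs and port names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: lower priority wins, then lower MAC."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId          # who the sender believes the root bridge is
    root_path_cost: int
    sender_id: BridgeId


@dataclass
class Port:
    name: str
    role: str = "designated"   # designated / root / alternate (blocking)
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    loopguard: bool = False
    state: str = "forwarding"  # forwarding / blocking / errdisabled / root-inconsistent / loop-inconsistent
    log: list = field(default_factory=list)


class Switch:
    def __init__(self, bridge_id, current_root):
        self.bridge_id = bridge_id
        self.current_root = current_root   # root bridge ID the switch currently knows
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port
        if port.role == "alternate":
            port.state = "blocking"
        return port

    def receive_bpdu(self, port_name, bpdu, vlan=1):
        """Apply the guards in order and return the resulting port state."""
        port = self.ports[port_name]
        if port.state == "errdisabled":
            return port.state  # stays down until an admin (or errdisable recovery) clears it

        # BPDU Guard: a PortFast edge port must never see a BPDU at all.
        if port.bpduguard and port.portfast:
            port.state = "errdisabled"
            port.log.append(f"BPDU Guard: BPDU from {bpdu.sender_id.mac} on {port.name}, errdisabled")
            return port.state

        # Root Guard: a superior root ID would pull the root bridge behind this port.
        if port.rootguard and bpdu.root_id < self.current_root:
            port.state = "root-inconsistent"
            port.log.append(f"%SPANTREE-2-ROOTGUARDBLOCK: Port {port.name} tried to become "
                            f"non-designated in VLAN {vlan:02d}. Moved to root-inconsistent state")
            return port.state

        # Normal BPDUs flowing again: both guards recover without intervention.
        if port.state in ("root-inconsistent", "loop-inconsistent"):
            port.state = "blocking" if port.role == "alternate" else "forwarding"
            port.log.append(f"{port.name}: BPDUs normal again, restored to {port.state}")
        return port.state

    def bpdus_stopped(self, port_name, vlan=1):
        """Max-age expired without a BPDU.  Without Loop Guard a root or
        alternate port becomes designated and starts forwarding, which on
        a unidirectional link is exactly how a loop forms."""
        port = self.ports[port_name]
        if port.role not in ("root", "alternate"):
            return port.state
        if port.loopguard:
            port.state = "loop-inconsistent"
            port.log.append(f"%SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port "
                            f"{port.name} in vlan {vlan}. Moved to loop inconsistent state.")
        else:
            port.role, port.state = "designated", "forwarding"
            port.log.append(f"{port.name}: no Loop Guard, now designated and forwarding (loop risk)")
        return port.state
```

Drive it with one edge port, one root-guarded downlink and two blocking uplinks (one with Loop Guard, one without) and the difference shows: the unguarded blocking port silently starts forwarding when BPDUs stop, the guarded one logs and blocks.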

MAC Spoofing – IP Source Guard

Similar to DHCP snooping, IP Source Guard is a feature that can be enabled on an untrusted port to prevent IP address spoofing.

When started, all IP traffic on the port is blocked except DHCP packets captured by the DHCP snooping feature. When an end-device then receives a valid IP address from the DHCP server, or when a static IP address is configured by the user, a per-port and VLAN access control list (PVACL) is installed on the port.

This restricts the end-device to those source IP Addresses configured in the binding; any IP traffic with a different source IP address will be dropped.

Step 1: Configure DHCP snooping globally.

switch#configure terminal
switch(config)#ip dhcp snooping

Step 2: Configure DHCP snooping for selected VLANs.

switch#configure terminal
switch(config)#ip dhcp snooping vlan 1,3-6

Step 3: Configure Trusted and Untrusted ports.

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#ip dhcp snooping trust

By default all ports are untrusted.

Step 4: Configure IP Source Guard, source IP and source MAC address filtering on the port.

switch#configure terminal
switch(config)#interface gigabitethernet 0/2
switch(config-if)#ip verify source vlan dhcp-snooping port-security

Step 5: Configure rate limiting on untrusted ports (the value is in DHCP packets per second).

switch#configure terminal
switch(config)#interface gigabitethernet 0/2
switch(config-if)#ip dhcp snooping limit rate <pps>

Step 6: (Optional, for hosts that are not DHCP end-devices) Configure a static IP binding on the port.

switch#configure terminal
switch(config)#ip source binding mac-address vlan vlan-id ip-address interface interface-name

ARP Spoofing

Address Resolution Protocol (ARP) operation: an end-device (A) sends a broadcast to determine the MAC address of an end-device (B) with a particular IP address. The end-device (B) at that IP address replies with its MAC address. The originating end-device (A) caches the ARP response, uses it to populate the destination Layer-2 header, and then sends the packet.

By spoofing ARP replies, an attacking system plays man in the middle and appears to be the destination sought by senders. All packets sent to the attacker are relayed through the attacking system and then forwarded to the correct end-device.

Dynamic ARP Inspection (DAI)

DAI determines the validity of an ARP packet based on the valid MAC-address-to-IP-address bindings stored in the DHCP snooping database. To ensure validity, these actions are taken:

  • Forwards ARP packets received on trusted interfaces without any checks.
  • Intercepts all ARP packets on untrusted ports.
  • Verifies that each intercepted packet has a valid binding before forwarding it, since a forwarded ARP packet can update a local ARP cache.
  • Drops, logs or drops and logs ARP packets with invalid bindings.

Configuration

Step 0: Enable DHCP snooping (as above).

Step 1: Configure DAI on a VLAN or VLAN range

switch#configure terminal
switch(config)#ip arp inspection vlan 1,2,3,4,5

Step 2: Enable DAI trust on an interface (sets the interface as trusted)

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#ip arp inspection trust

Step 3: Configure DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packet do not match the addresses in the Ethernet header.

switch#configure terminal
switch(config)#ip arp inspection validate src-mac dst-mac ip
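
The DHCP snooping, IP Source Guard and DAI sections above all hinge on one table, the snooping binding database, and on which ports are trusted. The following model is an added example (not Cisco code) that traces those decisions end to end: a DHCP ACK seen on a trusted port creates a binding for the client port, IP Source Guard then admits only packets that match that port’s binding, and DAI applies the src-mac, dst-mac and ip checks of ip arp inspection validate before requiring a binding for the ARP sender. All MAC addresses, IP addresses and port names are constructed, and the multicast test is a crude prefix check.

```python
"""Model the DHCP snooping binding table and the two features built on
it, IP Source Guard and Dynamic ARP Inspection, so the trusted/untrusted
and binding checks described in the notes can be traced step by step.
Added example, not Cisco code; MACs, IPs and port names are constructed."""
from dataclasses import dataclass

DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
INVALID_SENDER_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks and DHCP-server-facing ports
        self.bindings = {}                  # (mac, vlan) -> Binding
        self.errdisabled = set()
        self.log = []

    # --- DHCP snooping ---------------------------------------------------
    def dhcp(self, port, msg_type, client_mac, vlan, assigned_ip=None, client_port=None):
        """Server messages may only enter on trusted ports; an ACK seen on a
        trusted port creates the binding for the client's (untrusted) port."""
        if msg_type in DHCP_SERVER_MESSAGES and port not in self.trusted:
            self.errdisabled.add(port)
            self.log.append(f"DHCP {msg_type} from untrusted {port}: rogue server, port errdisabled")
            return "drop"
        if msg_type == "ACK" and assigned_ip and client_port:
            self.bindings[(client_mac, vlan)] = Binding(client_mac, assigned_ip, vlan, client_port)
        return "forward"

    def add_static_binding(self, mac, vlan, ip, port):
        """What 'ip source binding ...' does for hosts that do not use DHCP."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port)

    def _bound(self, mac, vlan, ip, port=None):
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and (port is None or b.port == port)

    # --- IP Source Guard -------------------------------------------------
    def ip_packet(self, port, vlan, src_mac, src_ip, is_dhcp=False):
        """Trusted ports and DHCP traffic pass; anything else must match the
        binding installed on this port (source IP and, with port-security,
        source MAC)."""
        if port in self.trusted or is_dhcp or self._bound(src_mac, vlan, src_ip, port):
            return "forward"
        self.log.append(f"IPSG: {src_ip}/{src_mac} on {port} has no binding, dropped")
        return "drop"

    # --- Dynamic ARP Inspection ------------------------------------------
    def arp(self, port, vlan, eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
        """Forward untouched from trusted ports; otherwise run the src-mac,
        dst-mac and ip checks of 'ip arp inspection validate', then require
        a snooping binding for the sender MAC/IP pair."""
        if port in self.trusted:
            return "forward"
        if eth_src != sender_mac:
            reason = "src-mac: Ethernet source differs from ARP sender MAC"
        elif op == "reply" and eth_dst != target_mac:
            reason = "dst-mac: Ethernet destination differs from ARP target MAC"
        elif sender_ip in INVALID_SENDER_IPS or sender_ip.startswith("224."):
            reason = f"ip: sender IP {sender_ip} is not a valid unicast address"  # crude multicast test
        elif not self._bound(sender_mac, vlan, sender_ip):
            reason = f"no binding for {sender_mac}/{sender_ip}"
        else:
            return "forward"
        self.log.append(f"DAI: {op} on {port} vlan {vlan} dropped ({reason})")
        return "drop"


def scenario():
    """Constructed walk-through: a valid lease, a rogue DHCP server, a
    spoofed source IP and a reply claiming the gateway's IP address."""
    sw = Switch(trusted_ports={"Gi0/1"})
    host, gw_ip, victim = "0011.2233.4455", "10.0.10.1", "0011.2233.4466"
    r = {}
    r["discover"] = sw.dhcp("Gi0/2", "DISCOVER", host, 10)
    r["lease"] = sw.dhcp("Gi0/1", "ACK", host, 10, assigned_ip="10.0.10.20", client_port="Gi0/2")
    r["rogue_offer"] = sw.dhcp("Gi0/3", "OFFER", host, 10)
    r["good_ip"] = sw.ip_packet("Gi0/2", 10, host, "10.0.10.20")
    r["spoofed_ip"] = sw.ip_packet("Gi0/2", 10, host, gw_ip)
    r["good_arp"] = sw.arp("Gi0/2", 10, host, "ffff.ffff.ffff", "request",
                           host, "10.0.10.20", "0000.0000.0000", gw_ip)
    r["spoofed_gateway"] = sw.arp("Gi0/2", 10, host, victim, "reply",
                                  host, gw_ip, victim, "10.0.10.21")
    r["header_mismatch"] = sw.arp("Gi0/2", 10, host, "ffff.ffff.ffff", "request",
                                  "0011.2233.4499", "10.0.10.20", "0000.0000.0000", gw_ip)
    r["errdisabled"] = sorted(sw.errdisabled)
    return r


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:16} {verdict}")
```

The order of the DAI checks mirrors the order in which the notes list them: header consistency first, then address sanity, then the binding lookup; a packet fails on the first check that does not hold, and the reason is logged so the drop can be correlated with the offending port.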

A post to do with DAI can be found at Richard Bannister’s CCIE Blog.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

