Cincinnerdi Tech Stuff

A mind-numbing read if ever there was one

Archive for the ‘Cisco Switches’ Category

Port-Security: Devil in the “sticky” details?

with one comment

Cisco’s port-security feature in its switches can restrict a switchport to a single, learned MAC address, potentially preventing such security issues as:

  • A user bringing in their own router, switch or hub to create a rogue network.
  • A user unplugging their corporate PC and plugging in an unauthorized laptop.
  • Unauthorized use of a virtual machine (VM) on a PC which creates a new MAC address

It’s easy to see that the VM – Parallels in this case – uses a separate MAC address for its separate IP in the following screen shot:

We can mitigate problems from normal, non-hacker users; presumably hackers could spoof a laptops MAC address. Shoot, I can even plug in my old Linksys NAT router, have it “clone” my PC’s mac address and it will be able to circumnavigate all of the above listed exploits. But, it does afford some level of protection, so off we go…

Last time the Sticky wasn’t working quite right (thanks to errors in Cisco book!):

“During this practice setup, I found that the 3550 switch DID restrict use of multiple MACs it didn’t learn a “Sticky MAC” address and permitted me to swap out one PC for another. Though I followed Cisco’s instructions (ISBN-10: 1-58720-171-2) where it indicates that Sticky Learning is the default. However, later research on the Cisco web site indicates it’s not (see Note 1 below). I’ll try the switchport
port-security mac-address sticky command next time.”

So this time I used the right IOS, so we get to see some security in action.

Note: The running-config is actually changed to add new “sticky” lines with the actual mac addresses added “…sticky  ####.####.####” 

Also, I’ll note here, I attempted to proceed with DAI (Dynamic ARP Inspection) but the switch’s CLI simply returned an error that the ip arp… command is invalid. Also, the use of ip source binding was also unavailable. Hmmm. Our switches are running IOS Release 12.1Cisco’s web site shows this command supported on a 3550 using Cisco IOS Release 12.2(35) SE (See web page). Administration so far refuses to upgrade the IOS release (sigh!)

Now on to the blow-by-blow account of Port-security: Read the rest of this entry »

Advertisements

Written by scottledyard

2007, April 14th at 9:53 pm

Posted in CCNP, Cisco, Cisco Switches

Pretty severe penalty for excessive DHCP-ing

with one comment

Cisco allows you to monitor any switchport to limit the rate of DHCP client activity. Presumably, someone flooding a network with spurious DISCOVER packets could give a DHCP server headaches.

I figured extra packets would just be dropped, but was in for somewhat of a shock when the port was placed into a permanent ERR-DISABLE status. That means a SysAdmin would need to reset the port manually, unless other provisions were made.

So what’s reasonable number of packets per minute? Maybe 3? I set it to 2 to see what the result. Pretty drastic!

The IOS: Read the rest of this entry »

Written by scottledyard

2007, April 11th at 9:28 am

Firing up a Fresh 3550 Switch using Auto-configuration

leave a comment »

ciscologo.gif

Don’t look here if you’re hoping to actually see a “how-to.” Here’s a link to Cisco page on Switch Auto-Configuration. (I haven’t gone through it, but from what I read I wouldn’t assume it’s going to be easy. Looks like it’s easy on the switch; but you have to configure a ton of stuff!)

So the point of this posting is just to show what displays on your console if you reload or start the switch after erasing the startup-config and a DHCP server happens to be attached. What’s not apparent from the listing is that there will be endless console messages showing attempts to reach a config server.

— System Configuration Dialog — Read the rest of this entry »

Written by scottledyard

2007, April 7th at 10:27 am

Add VTP and a 1760 router

leave a comment »

Net layout 032407

Maintaining a VLAN database is much easier using VTP, but requires some care about adding a new switch, else it might wipe out your carefully configured VLANS.

I presumed the best way was to setup ONE switch, zap the other switches revision numbers to zero, and then hook them up. But I could have hooked them all up first and then configured. Switches after THAT would have needed to have their revision # set back.

I planned to incorporate the router right into the load balanced, fault tolerant MST (Multiple Spanning Tree) switch network, but ran into a glitch when it came to the router switch ports. The switch banks added into a 1760 router are NOT full function switches, lacking any but VTP transparent mode and NO facility for any STP other than standard. Odd since the IEEE has deprecated STP in lieu of Rapid STP.

I was able to configure the router switch port, a vlan (10) to serve as an IP addressable gateway, a finally ping out to another network (4.4.4.0/24). No small feat since this required the config of the PIX 501 firewall appliances with a static route back to my net. I did get into the config of the PIX enough to see that OSPF routing protocol could be configured to make this simpler and more flexible.

Questions I still have:

An IP is listed for “who” updates VTP on the switch (see note marked ** below). Since the switches update themselves (presumably with layer 2 multicasts) I’m not sure why a layer 3 IP would be important.

VTP Setup.

Let’s take a look at the initial state of VPT on the 3550 switch that I chose to be the “leader” Read the rest of this entry »

Written by scottledyard

2007, March 25th at 10:00 am

Posted in CCNP, Cisco, Cisco Switches, MST, RSTP, STP

STP tuning

leave a comment »

After wading through reams of packets shoved out a Cisco 3550 just for STP / PVST+, I have a bit more knowledge about this loop preventing protocol.

A brief aside: Sniffing STP ain’t much fun when you have a bunch of VLANs configured. For some reason, the switches came up with VLANs 1, 2, 3, 4, 5, 6, 7, 8 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 60, 70, 95, 96, 1002, 1003, 1004, 1005. Except for VLAN1, I zapped them with no vlan # and that helped (though Cisco doesn’t allow the deletion of the last 4.) I only had to do this on one of the switches!?

Sw2 was the root bridge. I wanted to make sw1 the root and have sw3 as the backup root bridge. Note that there is no actual status of secondary, there is just the next larger bridge ID.

Last time I changed the bridge priorities manually, but this lab I used the global config commands:

2950sw1(config)#span vlan 1 root primary

3550sw3(config)#span vlan 1 root secondary

These are macro commands which change the priorities of the switches. Now they are:

sw1 is now 24576+1
sw3 is now 28762+1
sw2 is now 32768+1

The +1 is for the vlan number, in this case 1.

BEFORE I executed this command, the switches had setup this STP tree: Read the rest of this entry »

Written by scottledyard

2007, March 3rd at 8:26 pm

Posted in Cisco, Cisco Switches, STP

Easy sniff: Cisco 2900XL Switch in SPAN mode

leave a comment »

Wireshark_logoI’ve wanted to be able to use Wireshark to sniff on my LAN using the Cisco 2900XL Switch instead of an old hub I keep around for LAN sniffing purposes, but I’ve never taken the time to use the port monitoring features of Cisco’s SPAN, until now.

It’s pretty straight forward. Just configure one port to monitor any traffic on another. The IOS:

!
interface FastEthernet0/1
port monitor FastEthernet0/17
port monitor FastEthernet0/18
port monitor FastEthernet0/19
port monitor FastEthernet0/20
port monitor FastEthernet0/22
port monitor FastEthernet0/23
!

I was even able to hook up this PC to the 0/1 monitoring port and use it normally — I’m typing this on that PC that’s on the internet now. Wireshark was able to see all that was happening on those other ports. As an aside, the most persistent traffic were STP BPDUs issued from each of the 6 active switch ports every 2 seconds. FWIW, the packets look like this:

I was reading a manual for the 2950 (not 2900XL) earlier today. Clearly, there is MUCH more in this area of SPAN that can be accomplished on the 2950. Still, this is doing everything I need it to.

BTW, as I was browsing the 2900XL manual, I was distracted for a minute by the section on using CMS, a web browser GUI for switch management. I thought, why not give it a try? I’ve seen Cisco GUI interfaces for PIX and Wireless Access Points and they’re a good way to see the wealth of features at a glance. But, alas, this seems to require having the software loaded on the switch. All I got when I plugged in the patch cable and entered http:192.168.1.192 was a basic screen:

When you click on the first line about CMS or such, I get a 404 error, presumably because I don’t have that GUI software installed on the switch.
There was some merit in the available choices. For example, I received a nicely formatted gob of “shows” when I clicked on the Show tech support option. The 1st, show ver, looks like this:

—————— show version ——————
Cisco Internetwork Operating System Software
IOS ™ C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5.4)WC(1), MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 10-Jul-01 11:52 by devgoyal
Image text-base: 0x00003000, data-base: 0x00333CD8
ROM: Bootstrap program is C2900XL boot loader
Switch uptime is 32 minutes
System returned to ROM by power-on
System image file is “flash:c2900XL-c3h2s-mz.120-5.4.WC.1.bin”

cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID FAB0406T00W, with hardware revision 0x01
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
17 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:B0:64:ED:12:C0
Motherboard assembly number: 73-3382-07
Power supply part number: 34-0834-01
Motherboard serial number: FAB040370MM
Power supply serial number: PHI0341009W
Model revision number: A0
Model number: WS-C2924-XL-EN
System serial number: FAB0406T00W
Configuration register is 0xF

Written by scottledyard

2007, February 26th at 4:47 pm

%d bloggers like this: