Friday, March 10, 2017

Customizing the TCAM

Purpose: SDM (Switching Database Manager) templates let you change how the switch divides its TCAM between resource types (unicast MAC addresses, routes, multicast groups, QoS and security ACL entries). If a layer 3 switch does more routing than switching, the sdm prefer commands shift TCAM space away from MAC-address entries and towards routing entries.

Configuration: (below)

This command selects one of the available SDM templates. The number and variety of templates depend on the platform and its capabilities and resources; the switch I used to grab these templates offered only four, and it was not a high-end switch. On that switch the lanbase-routing template shifts memory towards the routing resources and the unicast MAC portion drops from 8K entries to 4K. After entering this command the switch must be reloaded before it starts using the new template; save the running config before the reload, because sdm prefer is an ordinary configuration line and an unsaved change is lost on reboot, leaving the old template in place.
(config)#sdm prefer lanbase-routing

Diagnostic and verification:

This displays the template the switch shipped with. The same command with a template name as the option previews how that template divides the TCAM, so the templates can be compared before one is committed to. The numbers in these tables are entry counts, where K means 1024 entries (so 8K is roughly eight thousand MAC addresses), not the amount of memory in bytes.
#show sdm prefer default

This template gives more space to the various routing resources at the expense of unicast MAC address entries, the table the ASIC forwarding engine uses for layer 2 switching.
#show sdm prefer lanbase-routing

This template reflects the hope that IPv6 will see wide use before IPv8 is released as a way to provide internet connectivity to our android servants so they can learn and grow and later enslave us. Practically, it splits the TCAM between IPv4 and IPv6 resources; the single-stack templates leave the IPv6 counters at zero, so a switch that has to route IPv6 in hardware needs one of the dual-ipv4-and-ipv6 templates.
#show sdm prefer dual-ipv4-and-ipv6 default

This is a great tool for viewing the device's utilization of the current template before choosing another one. Compare the Used column against Max for each region: a region that is at or near its maximum is the one that needs more space, and when it is full new entries (MAC addresses, routes, ACL lines) can no longer be programmed into hardware.
#show platform tcam utilization
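As an added example that is not part of the original post, the script below parses text in the shape of the two show commands above and reports which TCAM regions are close to exhaustion, plus the per-resource difference between two templates. The three sample outputs are constructed to mimic the column layout of those commands on a small Catalyst; they were not captured from a switch and every number in them is made up.

```python
"""Added example (not from the original post): parse 'show sdm prefer
<template>' and 'show platform tcam utilization' style text and report
TCAM regions near exhaustion. The sample outputs below are constructed
to mimic the layout of those commands; the numbers are illustrative."""
import re

# Constructed sample in the shape of "show sdm prefer default".
# The figures are entry counts: "8K" means 8 x 1024 entries, not bytes.
SDM_DEFAULT = """\
 "default" template:
 The selected template optimizes the resources in
 the switch to support this level of features.

  number of unicast mac addresses:                  8K
  number of IPv4 IGMP groups:                       0.25K
  number of IPv4/MAC qos aces:                      0.375K
  number of IPv4/MAC security aces:                 0.375K
"""

# Constructed sample in the shape of "show sdm prefer lanbase-routing".
SDM_LANBASE = """\
 "lanbase-routing" template:
 The selected template optimizes the resources in
 the switch to support this level of features.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    4.25K
    number of directly-connected IPv4 hosts:        4K
    number of indirect IPv4 routes:                 0.25K
  number of IPv4/MAC qos aces:                      0.375K
  number of IPv4/MAC security aces:                 0.375K
"""

# Constructed sample in the shape of "show platform tcam utilization".
TCAM_UTIL = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       1024/8192        120/960
 IPv4 IGMP groups + multicast routes:           32/256            3/12
 IPv4 unicast directly-connected routes:      1024/8192         40/320
 IPv4 unicast indirectly-connected routes:      32/256            2/16
 IPv4 policy based routing aces:                 0/0              0/0
 IPv4 qos aces:                                384/384           21/21
 IPv4 security aces:                           384/384          370/370
"""


def k_to_entries(text):
    """'8K' -> 8192, '0.25K' -> 256, '0' -> 0 (K is 1024 entries)."""
    m = re.fullmatch(r"([\d.]+)(K?)", text.strip())
    if not m:
        raise ValueError("not a count: %r" % text)
    value = float(m.group(1))
    return int(round(value * 1024)) if m.group(2) else int(value)


def parse_sdm_template(text):
    """Map resource name -> entries from 'show sdm prefer' style text."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*number of (.+?):\s+([\d.]+K?)\s*$", line)
        if m:
            table[m.group(1)] = k_to_entries(m.group(2))
    return table


def parse_tcam_utilization(text):
    """Map region name -> (max_values, used_values). The Masks figure is
    the other TCAM dimension and is ignored here."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$", line)
        if m:
            rows[m.group(1)] = (int(m.group(3)), int(m.group(5)))
    return rows


def hot_regions(util, threshold=0.8):
    """Regions whose value usage is at or above the threshold. A full
    region means new MACs, routes or ACL lines cannot be programmed into
    hardware, which is the signal to pick a template that grows it."""
    return [(name, round(used / mx, 3))
            for name, (mx, used) in util.items()
            if mx and used / mx >= threshold]


def template_delta(current, candidate):
    """Entries gained (+) or lost (-) per resource when moving from
    'current' to 'candidate', for resources both templates list."""
    return {k: candidate[k] - current[k] for k in current if k in candidate}


if __name__ == "__main__":
    util = parse_tcam_utilization(TCAM_UTIL)
    for name, ratio in hot_regions(util):
        print("%-45s %.0f%% used" % (name, ratio * 100))
    for name, diff in template_delta(parse_sdm_template(SDM_DEFAULT),
                                     parse_sdm_template(SDM_LANBASE)).items():
        print("%-45s %+d entries" % (name, diff))
```

Paste the real output of your own switch into the two strings to use it; on the constructed sample the security ACE region is at 96% while MAC addresses sit at 12%, which is the situation where moving to a template with more ACL space, not the routing template, is the right call.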


Configuring a switch to use dot1x for secure port access

Purpose: Dot1x (IEEE 802.1X) is an open standard for controlling access to individual switch ports. A port stays blocked until the device connected to it has authenticated against an external authentication server, in the same way administrator logins can be authenticated against TACACS+ or RADIUS; for 802.1X the server is a RADIUS server, which carries the EAP exchange between the switch and the client. Dot1x relies on a supplicant (client software) installed on the connected machine or device to provide credentials when the switch asks for them. Windows ships a supplicant (the Wired AutoConfig service) that can prompt the user for credentials.

Configuration: (below)

This command enables AAA (authentication, authorization and accounting) on the whole switch. It is the same command needed before login authentication can use the local user database, TACACS+ or RADIUS. Caution: as soon as it is entered the default login method for the lines becomes the local database, so make sure a local username exists or a login method list is configured before you log out, or you can lock yourself out of the switch.
(config)#aaa new-model

This command defines the authentication method list for dot1x. The default list applies to every dot1x-enabled port, and group radius means all RADIUS servers configured on the switch, tried in order. 802.1X has to use RADIUS; TACACS+ cannot carry the EAP exchange and is not an option here.
(config)#aaa authentication dot1x default group radius

This command defines the RADIUS server using the host keyword followed by the address of the server. The key is the shared secret the switch and the server use to authenticate and validate each other's RADIUS packets, so it should be long and unique per switch; cisco123 is a lab value only. Unless auth-port and acct-port are given, IOS sends to UDP 1645/1646, so a server listening only on 1812/1813 will silently ignore the switch.
(config)#radius-server host 192.168.1.25 key cisco123

This command enables dot1x globally for the entire switch. It's like the cdp run / no cdp run commands that turn that service on or off for the whole box: without it the per-interface dot1x commands do nothing.
(config)#dot1x system-auth-control

This is just the standard command to enter interface configuration mode for the port.
(config)#interface fast0/1

This is the standard command to put a port into access mode, meaning that this port should be connected to end user devices (for example a phone and/or a PC), never to another switch.
(config-if)#switchport mode access

This command enables dot1x on this interface with the switch acting as the authenticator. The two alternative keywords in place of authenticator are supplicant and both.
(config-if)#dot1x pae authenticator

This command configures how the port reacts to authentication. auto is the normal setting: the port starts unauthorized and is only authorized after a successful authentication. The two alternatives are force-authorized, which puts the port in the authorized state without any authentication (effectively dot1x disabled, all traffic allowed; this is the default on a Cisco switch), and force-unauthorized, which keeps the port unauthorized and ignores all authentication attempts (all traffic blocked).
(config-if)#authentication port-control auto

Details:(possible question topics)
  • 802.1x only allows EAPOL (Extensible Authentication Protocol over LAN, EtherType 0x888E) frames through the port while the port is in the unauthorized state; everything else from the host is dropped until authentication succeeds. The switch still processes its own control protocols such as CDP and STP on the port.
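The port-control modes and the EAPOL-only rule above, as an added example that is not part of the original post: a toy model of one port running as authenticator. It builds and parses the EAPOL and EAP headers (IEEE 802.1X, RFC 3748), drops or forwards a data frame depending on the port state, and walks a supplicant through Start, Request/Identity, Response, Success or Failure, and Logoff. The switch and host MAC addresses and the accepted-identity set are constructed stand-ins; nothing is sent on a NIC or to a RADIUS server.

```python
"""Added example (not from the original post): toy 802.1X authenticator
port for the three 'authentication port-control' modes. EAPOL/EAP frame
layouts follow IEEE 802.1X and RFC 3748; the RADIUS decision and all MAC
addresses are constructed stand-ins."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

# Constructed stand-in for the RADIUS user database (Access-Accept if present).
ACCEPTED_IDENTITIES = {b"alice"}


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def eapol(pkt_type, body=b""):
    """EAPOL header: protocol version(1) packet type(1) body length(2)."""
    return struct.pack("!BBH", 1, pkt_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP header: code(1) identifier(1) length(2), then type(1)+data for
    Request/Response; Success/Failure carry no type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(frame):
    """(eapol_type, eap_code or None) for an EAPOL frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
        return ptype, body[0]
    return ptype, None


def radius_decision(eap_body):
    """Stand-in for relaying the EAP-Response to RADIUS (EAP-Message
    attributes) and getting Access-Accept or Access-Reject back."""
    _code, _ident, length = struct.unpack("!BBH", eap_body[:4])
    if length < 5 or eap_body[4] != EAP_TYPE_IDENTITY:
        return False
    return eap_body[5:length] in ACCEPTED_IDENTITIES


class AuthenticatorPort:
    """One access port; port_control is auto, force-authorized or
    force-unauthorized, as in 'authentication port-control'."""

    def __init__(self, port_control="auto", mac=bytes.fromhex("000c29aabb01")):
        self.port_control = port_control
        self.mac = mac                       # constructed switch MAC
        self.authorized = port_control == "force-authorized"
        self.ident = 0
        self.tx = []                         # frames sent to the supplicant

    def receive(self, frame):
        """Return the port's verdict for one frame arriving from the host."""
        if self.port_control != "auto":      # forced modes: no EAP exchange
            return "forwarded" if self.authorized else "dropped"
        info = parse_eapol(frame)
        if info is None:                     # ordinary data frame
            return "forwarded" if self.authorized else "dropped"
        ptype, code = info
        src = frame[6:12]
        if ptype == EAPOL_START:
            self.ident += 1
            self.tx.append(ethernet(src, self.mac, ETHERTYPE_EAPOL, eapol(
                EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY))))
            return "eap-request-identity"
        if ptype == EAPOL_LOGOFF:            # port falls back to unauthorized
            self.authorized = False
            return "logoff"
        if ptype == EAPOL_EAP_PACKET and code == EAP_RESPONSE:
            self.authorized = radius_decision(frame[18:])
            result = EAP_SUCCESS if self.authorized else EAP_FAILURE
            self.tx.append(ethernet(src, self.mac, ETHERTYPE_EAPOL, eapol(
                EAPOL_EAP_PACKET, eap(result, self.ident))))
            return "authorized" if self.authorized else "failed"
        return "ignored"


def run_session(port_control, identity):
    """Drive a port through ARP, EAPOL-Start, EAP-Response/Identity, ARP,
    EAPOL-Logoff, ARP and return the verdict for each frame."""
    host = bytes.fromhex("000c29112233")     # constructed supplicant MAC
    port = AuthenticatorPort(port_control)
    arp = ethernet(b"\xff" * 6, host, 0x0806, b"\x00" * 28)
    frames = [
        arp,
        ethernet(PAE_GROUP_ADDR, host, ETHERTYPE_EAPOL, eapol(EAPOL_START)),
        ethernet(PAE_GROUP_ADDR, host, ETHERTYPE_EAPOL, eapol(
            EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))),
        arp,
        ethernet(PAE_GROUP_ADDR, host, ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF)),
        arp,
    ]
    return [port.receive(f) for f in frames]


if __name__ == "__main__":
    for mode in ("auto", "force-authorized", "force-unauthorized"):
        print(mode, run_session(mode, b"alice"))
    print("auto, rejected identity", run_session("auto", b"mallory"))
```

Running it shows the ARP frame dropped before authentication and forwarded after it on an auto port, every frame forwarded on force-authorized (which is why that default is worth checking on a switch that is supposed to enforce dot1x), and every frame, EAPOL-Start included, dropped on force-unauthorized.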
Diagnostic and Verification:

#show dot1x all

#show dot1x all summary


External Support:
The following link provides a good example of configuring a Windows machine to act as the supplicant and provide the user's credentials for 802.1X: Configuring dot1x authentication service on windows


Thursday, March 9, 2017

The Purpose of this blog

This blog is an attempt to organize my learning process as I work towards achieving my CCIE. Right now I have the CCNA security and while the CCIE doesn't require the CCNP as a prerequisite I have chosen that path to give myself a better understanding of all the networking technologies involved. My goal with this blog is to present and explore all the topics associated with networking and these exams specifically as if I am teaching these topics to others in the hope that by teaching these topics I will gain a much deeper understanding.

Note: Recently I have taken the CCNP switching exam and it kicked my ass, and looking back I think it was an ass kicking that I was asking for.

So the first topics I will be going over will be the topics from the switching exam.
I don't plan on covering these topics based on this ordered list. I plan to cover them based on which topic I need the most help with.

1.0 Layer 2 Technologies

1.1 Configure and verify switch administration

  • 1.1.a SDM templates 
  • 1.1.b Managing MAC address table 
  • 1.1.c Troubleshoot Err-disable recovery 

1.2 Configure and verify Layer 2 protocols

  • 1.2.a CDP, LLDP 
  • 1.2.b UDLD 

1.3 Configure and verify VLANs

  • 1.3.a Access ports 
  • 1.3.b VLAN database 
  • 1.3.c Normal, extended VLAN, voice VLAN 

1.4 Configure and verify trunking

  • 1.4.a VTPv1, VTPv2, VTPv3, VTP pruning 
  • 1.4.b dot1Q 
  • 1.4.c Native VLAN 
  • 1.4.d Manual pruning 

1.5 Configure and verify EtherChannels

  • 1.5.a LACP, PAgP, manual 
  • 1.5.b Layer 2, Layer 3 
  • 1.5.c Load balancing 
  • 1.5.d EtherChannel misconfiguration guard 

1.6 Configure and verify spanning tree

  • 1.6.a PVST+, RPVST+, MST 
  • 1.6.b Switch priority, port priority, path cost, STP timers 
  • 1.6.c PortFast, BPDUguard, BPDUfilter 
  • 1.6.d Loopguard and Rootguard 

1.7 Configure and verify other LAN switching technologies

  • 1.7.a SPAN, RSPAN 

1.8 Describe chassis virtualization and aggregation technologies

  • 1.8.a Stackwise


2.0 Infrastructure Security

2.1 Configure and verify switch security features

  • 2.1.a DHCP snooping 
  • 2.1.b IP Source Guard 
  • 2.1.c Dynamic ARP inspection 
  • 2.1.d Port security 
  • 2.1.e Private VLAN 
  • 2.1.f Storm control 

2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS

  • 2.2.a AAA with TACACS+ and RADIUS 
  • 2.2.b Local privilege authorization fallback 

3.0 Infrastructure Services

3.1 Configure and verify first-hop redundancy protocols

  • 3.1.a HSRP 
  • 3.1.b VRRP 
  • 3.1.c GLBP