Posts from ‘Layer 2 Technologies’
Catalyst switch port security is so often recommended. This is because of a couple of important points:
- There are many attacks that are simple to carry out at Layer 2
- There tends to be a gross lack of security at Layer 2
- Port Security can guard against so many different types of attacks such as MAC flooding, MAC spoofing, and rouge DHCP and APs, just to name a few
I find when it comes to port security, however, many students cannot seem to remember two main points:
- What in the world is Sticky Learning and how does it work?
- What is the difference between the different violation modes and how can I remember them?
Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the port security feature itself, for example:
switchport port-security maximum 2 switchport port-security mac-address sticky switchport port-security
Let’s say you get a bunch of inexpensive (but a bit outdated) routers (36XX or 72Xx) and some really nice (maybe not so cheap) Cisco switches (e.g. 3550/3560) and you would like to provide a VPLS-like service to your customers. Since VPLS is a service available only on more powerful Cisco platforms, we have to figure a way to simulate Multipoint Ethernet L2 VPN over a packet switching network (PSN) using only “convenient” point-to-point L2 VPN services.
Let model a situation where we have a number of routers connected over (PSN), with an ethernet switch connected to router at every location:
What we can do, is connect ethernet ports using pseudowires to form a virtual ring topology over PSN. That is, refeferring to our picture, xconnect routers’ ethernet ports counter-clockwise, say xconnect E0/0 of R3 with E0/1 of R4, then E0/0 of R4 with E0/1 of R5 and finally E0/0 of R5 with E0/1 of R3. Effectively, we will form an ethernet ring, partially connected over convenient switches, and partially using L2VPN pseudowires. Router configurations look pretty much similar, for example at R3 we would have something like this
R3: pseudowire-class PW_CLASS encapsulation l2tpv3 ip local interface Loopback0 ! interface Loopback0 ip address 220.127.116.11 255.255.255.255 ! ! Xconnecting E0/0 of R3 with E0/1 of R4 ! interface Ethernet0/0 no ip address xconnect 18.104.22.168 34 encapsulation l2tpv3 pw-class PW_CLASS ! ! Xconnecting E0/1 of R3 with E0/0 of R5 ! interface Ethernet0/1 no ip address xconnect 22.214.171.124 35 pw-class PW_CLASS ! ! Frame-Relay is used to connect to other routers (PSN network) ! interface Serial1/0 no ip address encapsulation frame-relay ! interface Serial1/0.34 point-to-point ip address 126.96.36.199 255.255.255.0 frame-relay interface-dlci 304 ! interface Serial1/0.35 point-to-point ip address 188.8.131.52 255.255.255.0 frame-relay interface-dlci 305 ! ! OSPF is used as a sample IGP ! router ospf 1 router-id 184.108.40.206 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0
Speaking honestly, it’s not “classic” VPLS in true sense:
Firstly, STP should be running over ring topology, in order to block redundant ports. One can use star topology and disable STP, but this will introduce a single point of failure into the network. Classic VPLS does not run STP over packet core, only a full-mesh of pseudowires.
Secondly, there is no MAC-address learning for pseudowires, since they are point-to-point in essense. MAC addresses are learned by switches, and this impose a usual scalability restriction (though cisco switches may allow you to scale to a few thousands of MAC addresses in their tables).
However, this is funny and simple example of how you can use a simple concept to come up with a more complicated solution.
Below are a couple example configurations for PPPoE. Note that you can run into MTU issues when trying to use OSPF over PPPoE. This can easily be resolved by using the “ip ospf mtu-ignore” command as the dialer interface’s MTU is 1492 while the virtual-template’s (virtual-access) MTU is 1500.
*** Client *** interface Ethernet0/0 pppoe enable pppoe-client dial-pool-number 1 ! interface Dialer1 ip address 220.127.116.11 255.255.255.0 encapsulation ppp dialer-pool 1 dialer persistent *** Server *** vpdn enable ! vpdn-group CISCO accept-dialin protocol pppoe virtual-template 1 ! interface Ethernet0/0 pppoe enable ! interface Virtual-Template1 ip address 18.104.22.168 255.255.255.0
The next example is using DHCP to assign the client their IP address:
*** Client *** interface Ethernet0/1 pppoe enable pppoe-client dial-pool-number 1 ! interface Dialer1 ip address dhcp encapsulation ppp dialer pool 1 dialer persistent *** Server *** ip dhcp excluded-address 22.214.171.124 126.96.36.199 ! ip dhcp pool MYPOOL network 188.8.131.52 255.255.255.0 ! vpdn enable ! vpdn-group CISCO accept-dialin protocol pppoe virtual-template 1 ! interface Ethernet0/0 pppoe enable ! interface Virtual-Template1 ip address 184.108.40.206 255.255.255.0 peer default ip address dhcp-pool MYPOOL