Posts from ‘Layer 2 Technologies’

Dec
01

Catalyst switch port security is so often recommended. This is because of a couple of important points:

  • There are many attacks that are simple to carry out at Layer 2
  • There tends to be a gross lack of security at Layer 2
  • Port Security can guard against so many different types of attacks such as MAC flooding, MAC spoofing, and rouge DHCP and APs, just to name a few

I find when it comes to port security, however, many students cannot seem to remember two main points:

  1. What in the world is Sticky Learning and how does it work?
  2. What is the difference between the different violation modes and how can I remember them?

Sticky Learning

Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the port security feature itself, for example:

switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security

Continue Reading

Jan
28

Let’s say you get a bunch of inexpensive (but a bit outdated) routers (36XX or 72Xx) and some really nice (maybe not so cheap) Cisco switches (e.g. 3550/3560) and you would like to provide a VPLS-like service to your customers. Since VPLS is a service available only on more powerful Cisco platforms, we have to figure a way to simulate Multipoint Ethernet L2 VPN over a packet switching network (PSN) using only “convenient” point-to-point L2 VPN services.

Let model a situation where we have a number of routers connected over (PSN), with an ethernet switch connected to router at every location:

VPLS with L2TPV3

What we can do, is connect ethernet ports using pseudowires to form a virtual ring topology over PSN. That is, refeferring to our picture, xconnect routers’ ethernet ports counter-clockwise, say xconnect E0/0 of R3 with E0/1 of R4, then E0/0 of R4 with E0/1 of R5 and finally E0/0 of R5 with E0/1 of R3. Effectively, we will form an ethernet ring, partially connected over convenient switches, and partially using L2VPN pseudowires. Router configurations look pretty much similar, for example at R3 we would have something like this


R3:
pseudowire-class PW_CLASS
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.255

!
! Xconnecting E0/0 of R3 with E0/1 of R4
!
interface Ethernet0/0
 no ip address
 xconnect 150.1.4.4 34 encapsulation l2tpv3 pw-class PW_CLASS

!
! Xconnecting E0/1 of R3 with E0/0 of R5
!
interface Ethernet0/1
 no ip address
 xconnect 150.1.5.5 35 pw-class PW_CLASS

!
! Frame-Relay is used to connect to other routers (PSN network)
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.34 point-to-point
 ip address 150.1.34.3 255.255.255.0
 frame-relay interface-dlci 304
!
interface Serial1/0.35 point-to-point
 ip address 150.1.35.3 255.255.255.0
 frame-relay interface-dlci 305 

!
! OSPF is used as a sample IGP
!
router ospf 1
 router-id 150.1.3.3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

Speaking honestly, it’s not “classic” VPLS in true sense:

Firstly, STP should be running over ring topology, in order to block redundant ports. One can use star topology and disable STP, but this will introduce a single point of failure into the network. Classic VPLS does not run STP over packet core, only a full-mesh of pseudowires.

Secondly, there is no MAC-address learning for pseudowires, since they are point-to-point in essense. MAC addresses are learned by switches, and this impose a usual scalability restriction (though cisco switches may allow you to scale to a few thousands of MAC addresses in their tables).

However, this is funny and simple example of how you can use a simple concept to come up with a more complicated solution.

Tags: , , , ,

Jan
20

Below are a couple example configurations for PPPoE. Note that you can run into MTU issues when trying to use OSPF over PPPoE. This can easily be resolved by using the “ip ospf mtu-ignore” command as the dialer interface’s MTU is 1492 while the virtual-template’s (virtual-access) MTU is 1500.

*** Client ***
interface Ethernet0/0
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address 142.1.35.5 255.255.255.0
 encapsulation ppp
 dialer-pool 1
 dialer persistent

*** Server ***

vpdn enable
!
vpdn-group CISCO
 accept-dialin
 protocol pppoe
 virtual-template 1
!
interface Ethernet0/0
 pppoe enable
!
interface Virtual-Template1
 ip address 142.1.35.3 255.255.255.0

The next example is using DHCP to assign the client their IP address:

*** Client ***

interface Ethernet0/1
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 dialer persistent

*** Server ***

ip dhcp excluded-address 191.1.45.1 190.12.45.3
!
ip dhcp pool MYPOOL
 network 191.1.45.0 255.255.255.0
!
vpdn enable
!
vpdn-group CISCO
 accept-dialin
 protocol pppoe
 virtual-template 1
!
interface Ethernet0/0
 pppoe enable
!
interface Virtual-Template1
 ip address 191.1.45.5 255.255.255.0
 peer default ip address dhcp-pool MYPOOL

Tags: , , ,

Categories

CCIE Bloggers