Cisco: Layer 2 traffic filtering

Layer 2 traffic filtering is useful when you want to drop packets as close to the
source as possible, because you can do it on the Layer 2 next hop, which is the switch
the devices are connected to. Filtering based on MAC address can be applied using one
of the two most common methods: Port Security and MAC access groups.

Port Security is the more secure method of the two. To use it, bind a switch port to the
specific MAC address of the connected device. It also gives you more options than simply
dropping frames from a particular source: you can cap the number of MAC addresses allowed
on the port, learn them dynamically (sticky), and choose what happens on a violation
(protect, restrict, or shutdown, which err-disables the port), depending on what you want
to achieve on the interface where it is applied.

MAC access groups are generally used for small networks of 20 devices or fewer. Add
a permit statement for each of your devices' interface MAC addresses and apply the access
list to the switch interface. This limits inbound traffic on that interface to only the
MAC addresses on your list. It is not recommended when you have many MAC addresses,
because MAC access lists are handled like IP access lists (on the Catalyst 3750 both are
programmed into the same hardware ACL resources, the TCAM), so a long list consumes a
lot of resources on the switch where it is applied. Keep in mind that a MAC address is
trivial to change on most hosts, so neither method is authentication: they keep out
misconfigured or casual devices, not an attacker who spoofs a permitted address.

For this tutorial we will use a Cisco 3750 with a router (R4) connected to it. To test
Layer 2 traffic filtering, we have a point-to-point Layer 3 connection between them
(10.0.0.0/30), using a physical interface on R4 and a Vlan 4 SVI on the
switch. The port on the switch where R4 is connected is an access port in VLAN 4.
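The two methods from the text on the R4-facing port, written out as an added example (not the page's own tutorial). The port number FastEthernet1/0/4 and R4's MAC address 0011.2233.4455 are assumptions; check the real one with show mac address-table before locking the port to it.

```cisco
! --- Port Security: bind the access port to R4's MAC address ---
! 0011.2233.4455 is an assumed MAC for R4's interface; verify first with
!   show mac address-table interface FastEthernet1/0/4
interface FastEthernet1/0/4
 description Link to R4 (10.0.0.0/30, VLAN 4)
 switchport mode access
 switchport access vlan 4
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! restrict: frames from any other MAC are dropped and counted (SNMP trap/syslog),
! the port stays up. With "violation shutdown" the port is err-disabled instead;
! then also consider automatic recovery:
!   errdisable recovery cause psecure-violation
!   errdisable recovery interval 300
!
! --- MAC access group: the same restriction as an inbound MAC ACL ---
! (alternative to port security on the same port, not in addition to it)
mac access-list extended ALLOWED-R4
 permit host 0011.2233.4455 any
 deny   any any
!
interface FastEthernet1/0/4
 mac access-group ALLOWED-R4 in
!
! --- Verification ---
!   show port-security interface FastEthernet1/0/4   status, violation count, last source MAC
!   show port-security address                        table of secured MAC addresses
!   show mac access-group interface FastEthernet1/0/4 which MAC ACL is applied
!   show access-lists ALLOWED-R4                      hit counters
! Test from R4: set another MAC on its interface (mac-address 0011.2233.4466),
! ping the Vlan 4 SVI and watch the violation counter / ACL counter increase.
```

Run the ping test in both configurations: which frame types a port MAC ACL matches depends on the platform (on several Catalyst models it is documented as filtering non-IP traffic only, IP traffic being the job of an IP port ACL), so confirm that the frames you care about are really dropped before relying on it.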

Please see the tutorial below:

Cisco: Packet sniffing

Cisco's official term for packet sniffing on a switch is SPAN (Switched Port Analyzer), sometimes also called port mirroring or port monitoring. Its purpose is to select traffic from a source (a port or a VLAN) and copy it to a destination port where a network analyzer tool is connected. You will also find terms like RSPAN, PSPAN, VSPAN and ESPAN, but at their core these are nothing more than SPAN with some enhanced features (e.g. ESPAN, Enhanced SPAN) or a name describing their primary function (e.g. VSPAN, VLAN SPAN, used to monitor VLANs; RSPAN, Remote SPAN, which carries the copied traffic over a dedicated VLAN to a destination port on another switch).

Depending on your Cisco platform, some of these xSPAN variants may or may not be supported. A list of them can be found here.
On high-end products like the 6500 you can find another module called NAM (Network Analysis Module), which enhances SPAN by providing a web interface and a local embedded traffic analyzer. Maybe someday, if I have a spare device, I will make a short tutorial about the NAM module.

For basic SPAN configuration I will use a c3750, as this method is supported on many more devices (e.g. 3550, 3560, 2950, 2900XL). One note before we begin: the port where you redirect the SPAN traffic, the one your traffic analyzer is connected to, does not need a Layer 3 address, so leave that port with a plain Layer 2 configuration. Also keep in mind that a SPAN destination port stops forwarding normal traffic while the session is active, and by default drops everything it receives, so the analyzer host cannot use that port for anything else.
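A basic local SPAN session on the 3750, added here as an example (not the tutorial's own configuration). The port numbers are assumptions: Gi1/0/1 is taken as the port to R4 whose traffic we want to see, Gi1/0/24 as the port with the analyzer.

```cisco
! Destination port: plain Layer 2 configuration, no IP address, nothing else on it.
interface GigabitEthernet1/0/24
 description SPAN destination - analyzer
 switchport
 no shutdown
!
! Clear any leftover session before defining the new one, then copy both
! directions of Gi1/0/1 to Gi1/0/24.
no monitor session 1
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Variants:
!   monitor session 1 source interface Gi1/0/1 rx       only frames received on the port
!   monitor session 1 source vlan 4 both                  VSPAN: every port in VLAN 4
!   monitor session 1 filter vlan 4                       trunk source: keep only VLAN 4
!   monitor session 1 destination interface Gi1/0/24 encapsulation replicate
!                                                          keep 802.1Q tags on the copy
!   monitor session 1 destination interface Gi1/0/24 ingress vlan 4
!                                                          also let the analyzer host send
!                                                          traffic (off by default: the
!                                                          destination port drops whatever
!                                                          it receives)
!
! Verify:
!   show monitor session 1
!   show monitor session all
! Remove the session when done, otherwise Gi1/0/24 stays unusable for normal traffic:
!   no monitor session 1
```

The analyzer port receives a copy of everything on the source, credentials and all, so treat it like a console port: leave ingress disabled unless you need it, shut the port when the analyzer is unplugged, and delete the session when the capture is finished.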

Please see the tutorial below:

Cisco: SSH enable | disable | reconfigure tutorial

One of the most used methods for remote access today is the SSH protocol. Even though most network engineers will say there is nothing complicated about enabling, disabling or reconfiguring SSH, my experience has shown me that it can get really complicated if you mess things up.

A situation I see very often: after a network engineer (administrator, beginner...) reconfigures SSH or the hostname / domain-name on a Cisco router, they report that it is not working anymore, with errors like "key missing" or "key not matching" or other errors related to the RSA keys. In almost 90% of the cases this was due to the wrong order of operations during the SSH reconfiguration.

Let's say we have working SSH access and then have to change the hostname and domain-name of the Cisco device. As you know, SSH relies on the RSA key pair for connectivity, and that key pair is labeled with the hostname and domain-name in effect when the keys are generated. The most common sequence is that the person changes the hostname and domain-name, then deletes the keys and generates a new pair. This is the happy case, and on some routers and IOS versions it works. But there is a worse one: the person changes the domain-name and the hostname and then expects SSH to work like before. It does not!

Please check the tutorial below for the correct order of operations when enabling, disabling or reconfiguring SSH on a Cisco device. For this tutorial I will use two point-to-point connected routers, R0 and R1. I will enable SSH on R1 and then connect to it from R0.
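The enable / reconfigure / disable sequence for R1, added here as an example rather than taken from the tutorial. The domain name lab.example, the username, the password and R1's link address 10.0.0.2 are assumptions.

```cisco
! --- Enable SSH on R1: hostname and domain-name FIRST, because the RSA key
!     pair is labeled <hostname>.<domain-name> at the moment it is generated.
hostname R1
ip domain-name lab.example
!
! Local user with a hashed ("secret") password, never a plaintext "password".
username admin privilege 15 secret S0me-Str0ng-Pa55
!
! Generate the key pair; use at least 2048 bits.
crypto key generate rsa modulus 2048
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login local
 transport input ssh
!
! --- Verify ---
!   show ip ssh                    "SSH Enabled - version 2.0"
!   show crypto key mypubkey rsa   key named R1.lab.example
! From R0:
!   ssh -l admin 10.0.0.2
!
! --- Reconfigure (new hostname / domain-name) in the right order ---
!   crypto key zeroize rsa                 1. remove the old pair (SSH stops here)
!   hostname R1-NEW                        2. change hostname and/or domain-name
!   ip domain-name corp.example
!   crypto key generate rsa modulus 2048   3. generate the new pair under the new name
! Any client that pinned the old host key will now warn about a changed key;
! that warning is expected once, right after step 3, and suspicious at any other time.
!
! --- Disable SSH ---
!   line vty 0 4
!    transport input none                  (or "telnet" only if you really must)
!   crypto key zeroize rsa                 only if no other service (HTTPS, IPsec)
!                                           relies on the same key pair
```

Do the reconfiguration from the console, not over the SSH session you are about to break, and remember that zeroizing the key also removes it from every other feature that shares it.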


Cisco: Configuring Compressed Real-Time Protocols

I recently had to configure Compressed Real-Time Protocol (CRTP) over a Frame Relay link,
and thought it would be good to make a tutorial on how to configure it on Serial interfaces (with HDLC or PPP encapsulation) and on a Frame Relay interface. Another interface type that supports it is ISDN, but the configuration there is the same as in the Serial interface case.
If you are wondering why I don't configure this on an Ethernet interface, it is because CRTP is not supported on Ethernet interfaces. The role of CRTP is to improve communication over low-bandwidth links such as Serial, Frame Relay or ISDN by compressing the 40 bytes of IP/UDP/RTP headers on each voice packet down to a few bytes, and that is why it is not supported on Ethernet links (whose speed starts at 10 Mbps).

In the tutorial below I will configure CRTP on a Serial interface with PPP encapsulation (chosen arbitrarily, as the configuration is the same for HDLC and ISDN) and on a Frame Relay interface, limit the number of header-compression connections, and check CRTP with "show..." commands. Since the purpose of this tutorial is CRTP, the connection will not be active.
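The three pieces the tutorial covers (Serial/PPP, Frame Relay, connection limit, show commands), written out as an added example that is not the tutorial's own configuration. Interface numbers, addresses and the DLCI are assumptions; both ends of a link must be configured the same way.

```cisco
! --- Serial interface, PPP encapsulation (HDLC and ISDN are configured identically)
interface Serial0/0
 description PPP link to R2
 ip address 10.1.1.1 255.255.255.252
 encapsulation ppp
 bandwidth 64
 ip rtp header-compression
 ip rtp compression-connections 16
!
! "passive" compresses only after the peer starts sending compressed packets:
!   ip rtp header-compression passive
!
! --- Frame Relay interface, per-DLCI map (DLCI 102 assumed)
interface Serial0/1
 description Frame Relay to R3
 ip address 10.1.2.1 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.2.2 102 broadcast rtp header-compression
 frame-relay ip rtp compression-connections 16
!
! To enable it on every DLCI of the interface instead of per map:
!   frame-relay ip rtp header-compression
!
! --- Verification
!   show ip rtp header-compression Serial0/0
!     sent/received, compressed/decompressed counters and bytes saved
!   show frame-relay ip rtp header-compression interface Serial0/1
!   show frame-relay map        the map shows the "rtp header-compression" flag
! With the link down, as in this tutorial, all counters stay at zero; bring the
! peer up and send RTP (a test call) to see them move.
```

Note that CRTP needs the IP/UDP/RTP headers in the clear on the link: RTP carried inside an IPsec ESP tunnel reaches the Serial interface as ESP, so nothing gets compressed; in that design the compression has to happen before encryption.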

See the tutorial below:

Cisco: How-to limit HTTP traffic on weekdays during working hours

Some time ago someone asked me to limit HTTP traffic to 256 kbit/s on weekdays from 8:00 to 16:00, to limit "the fun" in the office while others are working. In theory I am against this type of policy, because if you have a team of network engineers who all need to access cisco.com at the same time for information and things like IOS downloads, this will cost a lot of time. Of course, if you see productivity going down because 80% of the traffic goes to YouTube (nothing against them, just picked randomly), then such measures are welcome.

Since the discussion above is beyond the scope of this tutorial and represents only a personal opinion, let me tell you what I will show in the tutorial below. On Fa0/0 (the outside connection) we will limit the HTTP responses sent out to 256 kbps from Monday to Friday between 8:00 and 16:00.
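The time-range ACL plus policer that implements this, added here as an example (not the tutorial's own configuration). The ACL, class-map and policy-map names and the NTP server 192.0.2.10 are assumptions, and Fa0/0 is assumed to be the interface out of which the HTTP responses (TCP source port 80) are sent.

```cisco
! 1. Time-ranges are evaluated against the router clock, so it must be correct.
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ntp server 192.0.2.10
!
! 2. Time window: "weekdays" means Monday to Friday.
time-range WORKHOURS
 periodic weekdays 8:00 to 16:00
!
! 3. Match HTTP responses (source port 80) only inside the window;
!    outside it the ACE is inactive and nothing matches.
ip access-list extended HTTP-RESPONSES
 permit tcp any eq www any time-range WORKHOURS
!
class-map match-all HTTP-OUT
 match access-group name HTTP-RESPONSES
!
! 4. Police the class to 256 kbps (8000-byte burst); excess is dropped.
policy-map LIMIT-HTTP
 class HTTP-OUT
  police 256000 8000 conform-action transmit exceed-action drop
 class class-default
!
interface FastEthernet0/0
 service-policy output LIMIT-HTTP
!
! Verify:
!   show clock
!   show time-range WORKHOURS                    "active" or "inactive"
!   show policy-map interface FastEthernet0/0    conformed/exceeded counters for HTTP-OUT
```

Only TCP port 80 is matched: HTTPS (443) and anything running on other ports is untouched, so this limits plain HTTP exactly as requested and nothing more. Policing the response direction is what throttles downloads, since the requests are tiny; if you would rather delay than drop, replace the police line with shape average 256000.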

Please see the tutorial below: