Cisco: Layer 2 traffic filtering

Layer 2 traffic filtering is useful when you want to drop packets as close to the source as
possible: you can do it at the Layer 2 next hop, which is the switch the devices are
connected to. Based on the MAC address, Layer 2 filtering can be applied using one of the
two most common methods: Port Security and MAC access groups. Keep in mind that a host can
change its own MAC address trivially, so both methods stop accidental or casual connections
rather than a determined attacker; they are a hygiene control, not authentication.

Port Security is the stronger of the two. To use it, bind a switch port to the specific
MAC address of the connected device (or to a maximum number of learned addresses). It gives
you more options than just dropping packets from a specific source: the violation mode
decides whether the port silently drops offending frames (protect), drops them and logs the
violation (restrict), or err-disables the port (shutdown), depending on what you want to
achieve on the interface where it is applied.

MAC access groups are generally used for small networks of 20 devices or less. Add a permit
statement for the MAC address of every device interface you want to allow and apply the
access list to the switch interface. This limits inbound traffic on that interface to the
MAC addresses on your list. It is not recommended when you have many MAC addresses, because
MAC access lists are handled like IP access lists and consume a lot of hardware ACL
resources on the device where they are applied.

For this tutorial we will use a Cisco 3750 with a router (R4) connected to it. To test
Layer 2 traffic filtering, we have a point-to-point Layer 3 connection between them
(10.0.0.0/30), using a physical interface on R4 and a VLAN 4 interface (SVI) on the
switch. The switch port where R4 is connected is an access port in VLAN 4.
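As an added example (not the configuration from the tutorial video), here is how both methods look on the 3750 described above. The interface names, R4's MAC address (0011.2233.4455) and the second port used for the MAC ACL variant are assumptions for illustration.

```cisco
! Added example, not the page's own config. Assumed: R4 sits on Fa1/0/4,
! R4's MAC is 0011.2233.4455, a second host port Fa1/0/5 gets the MAC ACL.
!
! --- Method 1: Port Security (pin the port to R4's MAC) ---
interface FastEthernet1/0/4
 description R4 - link to router
 switchport mode access          ! port security is rejected on "dynamic" ports
 switchport access vlan 4
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict   ! drop + count + syslog/SNMP trap; "shutdown" err-disables the port
!
! --- Method 2: MAC access group (small static allow-list) ---
mac access-list extended ALLOW-ONLY-R4
 permit host 0011.2233.4455 any
 deny   any any
!
interface FastEthernet1/0/5
 switchport mode access
 switchport access vlan 4
 mac access-group ALLOW-ONLY-R4 in        ! port ACLs are inbound only
!
! --- Verification ---
show port-security interface FastEthernet1/0/4   ! Port Status, Violation Mode, Last Source Address, Security Violation Count
show port-security address
show mac access-group interface FastEthernet1/0/5
show access-lists ALLOW-ONLY-R4                   ! match counters per entry
```

Test each method by connecting a host whose MAC is not on the list and generating both an IP ping and some non-IP traffic. On the 3560/3750 family the configuration guide describes port MAC ACLs as filtering non-IPv4 traffic, with IP packets matched against the port's IP ACL instead, so confirm on your platform and IOS release that the MAC ACL actually drops what you expect before relying on it. Port Security has no such split: it acts on the source MAC of every frame.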

Please see the tutorial below:

Cisco: Packet sniffing

Cisco's official term for packet sniffing is SPAN (Switched Port Analyzer), sometimes also called port mirroring or port monitoring. Its purpose is to select traffic from a source (one or more ports or VLANs) and copy it to a destination port where a network analyzer tool is connected. You will also find terms like RSPAN, PSPAN, VSPAN and ESPAN, but at their core these are nothing more than SPAN with some enhanced features (e.g. ESPAN, Enhanced SPAN) or a name describing their primary use (e.g. VSPAN, VLAN SPAN, used to monitor VLANs; RSPAN, Remote SPAN, which carries the copy across a dedicated VLAN to another switch).

Depending on your Cisco platform, some of these xSPAN variants may or may not be supported; check the feature list for your platform.
On the high-end products, like the 6500, you can also find the NAM (Network Analysis Module), which enhances SPAN by providing a web interface and a local embedded traffic analyzer. Maybe someday, if I have a spare device, I will make a short tutorial about the NAM module.

For basic SPAN configuration I will use a c3750, as this method is supported on many more devices (e.g. 3550, 3560, 2950, 2900XL). One note before we begin: the port to which you redirect the SPAN traffic, and where you connect the device running the traffic analyzer, does not need a Layer 3 address. Leave that port with a plain Layer 2 configuration. Treat it as sensitive, though: whoever plugs into the destination port sees a copy of everything the session mirrors, so document the session and remove it when the capture is done.
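As an added example (not the tutorial's own configuration), this is a local SPAN session on a 3750 that copies one port to an analyzer port, with the VLAN source and tag-preserving variants shown as comments. The interface numbers and the monitored VLAN are assumptions.

```cisco
! Added example, not the tutorial's own config. Assumed: the monitored router
! sits on Fa1/0/4 in VLAN 4, the analyzer PC is on Fa1/0/24.
!
! Destination port: plain Layer 2, no SVI, no IP address.
interface FastEthernet1/0/24
 description SPAN destination - analyzer only
 switchport mode access
!
! Local SPAN: copy Fa1/0/4 in both directions to the analyzer port
monitor session 1 source interface FastEthernet1/0/4 both
monitor session 1 destination interface FastEthernet1/0/24
!
! VSPAN alternative: copy what enters VLAN 4 on any port.
! "rx" only, because "both" on a VLAN source shows intra-VLAN frames twice (once rx, once tx).
! monitor session 1 source vlan 4 rx
!
! If the analyzer must see 802.1Q tags (trunk source), replicate the encapsulation:
! monitor session 1 destination interface FastEthernet1/0/24 encapsulation replicate
!
! --- Verification ---
show monitor session 1
show monitor session 1 detail
!
! Tear down when done; a forgotten session is a permanent copy of the traffic
no monitor session 1
```

By default the destination port does not accept ingress frames, so the analyzer cannot inject traffic into the network from that port; only add the `ingress` keyword to the destination line if the analyzer genuinely needs to talk back, and know that you are opening that isolation.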

Please see the tutorial below:

Cisco: SSH enable | disable | reconfigure tutorial

One of the most used methods for remote access today is the SSH protocol. Even if most network engineers say there is nothing complicated about enabling, disabling or reconfiguring SSH, my experience has shown me that it can get really complicated if you mess things up.

One situation I see very often is that after a network engineer (administrator, beginner…) reconfigures SSH or the hostname / domain-name on a Cisco router, they report that it no longer works, with errors like “key missing” or “key not matching” or other errors relating to the RSA keys. In almost 90% of the cases this was due to the wrong order of operations during the SSH reconfiguration.

Let's say that we have functional SSH access, and then we have to change the hostname and domain-name of the Cisco machine. As you know, SSH relies on RSA keys, and by default the key pair is named after the hostname and domain-name of the machine at the time the keys are created. The most common approach is that the network person changes the hostname and domain-name, then deletes the keys and generates new ones… this is the happy case, and on some routers and IOS platforms it works. But there is the worse one, where the person in charge changes the domain-name and the hostname and then expects SSH to work as before. It does not!

Please check the tutorial below for the correct order of operations for enabling, disabling or reconfiguring SSH on a Cisco device. For this tutorial I will use two point-to-point connected routers, R0 and R1. I will enable SSH on R1 and then connect to it from R0.
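As an added example (not the tutorial's own configuration), this is the enable / reconfigure / disable sequence on R1 in the order that avoids the RSA key errors described above, using a labelled key pair so the server no longer depends on the hostname and domain-name. R1's address (10.0.0.2/30), the domain name, the user name and the new hostname are assumptions; it assumes an IOS release that supports `ip ssh rsa keypair-name`.

```cisco
! Added example, not the tutorial's own config. Assumed: R1 has 10.0.0.2/30 toward R0,
! domain lab.local, local user "admin"; replace the placeholder secret.
!
! --- Enable: order matters because the default key name is <hostname>.<domain-name> ---
hostname R1
ip domain-name lab.local
crypto key generate rsa modulus 2048 label R1-SSH   ! a labelled key no longer depends on hostname/domain
ip ssh rsa keypair-name R1-SSH                       ! tell the SSH server which pair to use
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 secret CHANGE-ME
line vty 0 4
 login local
 transport input ssh          ! no telnet fallback
!
! --- Reconfigure (rename the box): regenerate the key AFTER the rename, then re-point the server ---
hostname R1-CORE
ip domain-name corp.example
crypto key zeroize rsa R1-SSH
crypto key generate rsa modulus 2048 label R1-SSH
ip ssh rsa keypair-name R1-SSH
! Every client now sees a changed host key: clear the stale known_hosts entry deliberately,
! do not train people to accept host-key changes blindly.
!
! --- Disable ---
line vty 0 4
 transport input none
crypto key zeroize rsa R1-SSH
!
! --- Check on R1, then connect from R0 ---
show ip ssh                     ! "SSH Enabled - version 2.0", timeout, retries
show crypto key mypubkey rsa    ! key label, usage and modulus
show ssh                        ! active sessions and their protocol version
! On R0:
ssh -l admin 10.0.0.2
```

If `show ip ssh` reports SSH disabled right after the rename, the server is still pointing at a key pair that no longer exists; generating the key first and only then issuing `ip ssh rsa keypair-name` is what resolves the “key missing” class of errors.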


Cisco: Spoof detection

Spoofing is a kind of network attack against your network's security, usually with the intention of capturing traffic so that the attacker gets access to confidential data. A spoofing attack is most often associated with IP spoofing, which means that the source IP of a packet arriving at your device has been deliberately forged. For example, assume you have a plain HTTP session with a mail server and you want to log in to your mail account. You send the initial TCP connection to the real IP of the mail server. If at this moment an attacker can inject replies to your machine with a forged source IP (pretending to be the mail server), your machine accepts them as coming from the server. If the attacker is also on the path, or has poisoned ARP or routing so that traffic for the server's IP reaches them, the following packets, including the ones carrying your login and password, end up on the attacker's machine.

The spoof detection configuration on Cisco is very simple (at least the methods I know), but I decided to put it here in case somebody needs it. We have two routers connected with a crossover cable, as we need an IP address on the interface and the interface to be up in order to do the “show…” verification.
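The page does not say which method the video uses. As an added example, this is unicast Reverse Path Forwarding (uRPF) on one of the two routers, the standard IOS mechanism for dropping packets whose source address could not legitimately have arrived on that interface, together with the “show…” lines that expose the drop counters. Interface names and addresses are assumptions.

```cisco
! Added example, not the tutorial's own config. Assumed: R1's crosslink to R0 is
! Gi0/0 with 10.0.0.2/30, R0 is 10.0.0.1.
ip cef                               ! uRPF needs CEF
!
interface GigabitEthernet0/0
 description crosslink to R0
 ip address 10.0.0.2 255.255.255.252
 ! strict mode: accept a packet only if the FIB's best path back to its source leaves via this interface
 ip verify unicast source reachable-via rx
 ! on asymmetric paths strict mode drops legitimate traffic; use loose mode instead:
 ! ip verify unicast source reachable-via any
 ! an ACL can be appended to exempt known exceptions from the check, e.g.
 ! ip verify unicast source reachable-via rx RPF-EXCEPTIONS
 no ip unreachables                  ! don't answer the forged sources with ICMP
!
! Belt and braces: never accept our own address or loopback space as a source from the wire
ip access-list extended ANTI-SPOOF-IN
 deny   ip host 10.0.0.2 any         ! our own address arriving from outside = spoofed
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
interface GigabitEthernet0/0
 ip access-group ANTI-SPOOF-IN in
!
! --- Verification (the interface must be up with an address for these to show anything) ---
show ip interface GigabitEthernet0/0 | include verify|drops
show cef interface GigabitEthernet0/0 | include RPF
show ip traffic | include RPF
show access-lists ANTI-SPOOF-IN
```

To test it, send packets from R0 with a source address that is not routable back through the crosslink (a loopback on R0 that R1 has no route to is enough) and watch the "verification drops" counter on R1 increase. Detection in the sense of the page is the counter; for a real deployment you would export it via syslog or SNMP rather than watch it interactively.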

Please see the tutorial below:

Cisco: Configuring Compressed Real-Time Protocols

I recently had to configure Compressed Real-Time Protocol (CRTP) over a Frame Relay link.
I thought it would be good to make a tutorial about how to configure this on Serial interfaces (with HDLC or PPP encapsulation) and on a Frame Relay interface. Another type of interface supporting this is the ISDN interface, but the configuration there is the same as in the Serial interface case.
If you are asking why I don't configure this on an Ethernet interface, it is because CRTP is not supported on Ethernet interfaces. This is just an explanation for those of you who didn't know. The role of CRTP is to reduce the RTP/UDP/IP header overhead on low-bandwidth links like Serial, Frame Relay or ISDN, and that is why it is not supported on Ethernet links (whose speed starts at 10 Mbps).

In the following tutorial I will configure CRTP on a Serial interface with PPP encapsulation (I chose this arbitrarily, as it is the same with HDLC and ISDN) and on a Frame Relay interface, limit the number of header compression connections and check CRTP with “show…” commands. Since the purpose of this tutorial is CRTP, the connection will not be active.
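As an added example (not the tutorial's own configuration), this is CRTP on a PPP serial link and on a Frame Relay point-to-point subinterface, with the connection limit and the verification commands. Interface names, addresses and the DLCI are assumptions; the far-end router needs the mirror-image configuration, because header compression is negotiated per link.

```cisco
! Added example, not the tutorial's own config. Assumed: Serial0/0 is the PPP link
! (192.168.1.1/30), Serial0/1 the Frame Relay link using DLCI 100 (192.168.2.1/30).
!
! --- Serial with PPP (identical for HDLC and ISDN B-channels) ---
interface Serial0/0
 encapsulation ppp
 ip address 192.168.1.1 255.255.255.252
 ip rtp header-compression                 ! active: compress immediately; add "passive" to compress only if the peer does
 ip rtp compression-connections 16         ! cap the per-link context table; one context per RTP flow
!
! --- Frame Relay, point-to-point subinterface ---
interface Serial0/1
 encapsulation frame-relay
 no ip address
!
interface Serial0/1.100 point-to-point
 ip address 192.168.2.1 255.255.255.252
 frame-relay interface-dlci 100
 frame-relay ip rtp header-compression     ! applies to the DLCI(s) of this subinterface
 frame-relay ip rtp compression-connections 16
! On a multipoint interface the same is done per static map instead:
! frame-relay map ip 192.168.2.2 100 broadcast rtp header-compression
!
! --- Verification ---
show ip rtp header-compression Serial0/0
show ip rtp header-compression Serial0/0 detail
show frame-relay ip rtp header-compression
```

With the links down, as in the tutorial, the counters stay at zero; once traffic flows, a side that sends compressed headers to a peer without matching configuration shows up as packets the receiver cannot classify, so check that both ends agree before chasing RTP quality problems elsewhere.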

See the tutorial below: