Copo de Leite
January 29, 2010

Cisco Curiosities and Tips
November 16, 2009

exec-timeout 0 0
exec-timeout 0 0 is used so that the session in use (whether on a vty line or on the console) never expires.
ALS2(config)#line vty 0 15
ALS2(config-line)#exec-timeout 0 0
ALS2(config-line)#line conso 0
ALS2(config-line)#exec-timeout 0 0
ALS2(config-line)#^Z
Enable secret or enable password?
This question usually comes up when we run into these two options on the command line. So which one?
Well, the encryption used by enable password, Type 7, has already been "broken": it is reversible and is considered an easy algorithm to crack. On the other hand, there is also Type 5, which is much more robust and almost impossible to crack. enable secret uses Type 5.
When both are configured, enable secret takes precedence over enable password.
- One curiosity: the service password-encryption command encodes the local passwords with Type 7. This type is needed because some authentication mechanisms (for example, CHAP) require the password to be recoverable in clear text. The command is still useful so that a casual observer reading the configuration file does not see the password "with the naked eye".
Source: http://blog.ioshints.info/2007/11/enable-password-or-enable-secret.html
Logging synchronous
This is a nice tip: when operating Cisco equipment, both routers and switches generate alert messages on the console or on the telnet/ssh session (when terminal monitor has been run).
These messages get in the way while you are typing a command line on the device, because they "scramble" your command.
To avoid this inconvenience, use the "logging synchronous" feature, configured as follows:
conf t
line con 0
logging synchronous
line vty 0 4
logging synchronous
line vty 5 15
logging synchronous
The last one (vty 5 15) is not present on every device, so it is "optional".
Fonte: http://www.fabiosilva.eti.br/site/page/2/
Testing network cables with Cisco switches
Cisco Catalyst 2960, 3560, 2750, 6500... series switches have a feature that diagnoses the length of the network cable connected to one of their ports and, if there is a problem, reports roughly at what distance the problem is.
All of this is possible thanks to TDR (Time Domain Reflectometer), an electronic mechanism for identifying problems in copper cables.
This diagnostic can be run on 10/100/1000 copper ports, but not on 10 Gigabit modules or on SFP modules.
On ports that can take either a GBIC or a UTP cable, the interface configuration must state that the media is RJ45:
interface g0/1
media-type rj45
Running the diagnostic is simple, but be careful: the port may go down while the diagnostic runs.
test cable-diagnostic tdr interface fastethernet 0/1
To check the finished diagnostic, the command is:
show cable-diagnostic tdr interface fastethernet 0/1
The command output should look roughly like this:
Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Fa0/1     100M  Pair A     61   +/- 15 meters Pair A      Normal
                Pair B     61   +/- 15 meters Pair B      Normal
                Pair C     N/A                Pair C      Not Supported
                Pair D     N/A                Pair D      Not Supported
Fonte: http://www.fabiosilva.eti.br/site/page/2/
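Parsing the TDR table programmatically, as an added example that is not part of the original post: the sample output is constructed (Fa0/1 mirrors the healthy table above, Gi0/2 is a made-up cable with pairs A and B open 23 m from the port), and the set of statuses treated as faults is an assumption.

```python
import re
from dataclasses import dataclass
# Constructed sample (not from the post): Fa0/1 is the healthy case above,
# Gi0/2 is a made-up cable with pairs A/B open 23 m from the switch port.
SAMPLE_TDR = """\
Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Fa0/1     100M  Pair A     61   +/- 15 meters Pair A      Normal
                Pair B     61   +/- 15 meters Pair B      Normal
                Pair C     N/A                Pair C      Not Supported
                Pair D     N/A                Pair D      Not Supported
Gi0/2     1000M Pair A     23   +/- 1  meters Pair B      Open
                Pair B     23   +/- 1  meters Pair A      Open
                Pair C     23   +/- 1  meters Pair D      Normal
                Pair D     23   +/- 1  meters Pair C      Normal
"""
@dataclass
class PairResult:
    interface: str
    local_pair: str
    length_m: "int | None"   # None when the switch reports N/A
    remote_pair: str
    status: str

# Interface and speed appear only on the first of the four pair lines.
LINE_RE = re.compile(
    r"^\s*(?:(?P<iface>\S+)\s+(?P<speed>\S+)\s+)?Pair (?P<local>[A-D])\s+"
    r"(?:(?P<len>\d+)\s+\+/-\s+\d+\s+meters|N/A)\s+"
    r"Pair (?P<remote>[A-D])\s+(?P<status>.+?)\s*$"
)

def parse_tdr(output):
    """One PairResult per pair line of the show cable-diagnostics tdr table."""
    results, iface = [], None
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, separator and blank lines
        iface = m["iface"] or iface       # continuation lines inherit it
        length = int(m["len"]) if m["len"] else None
        results.append(PairResult(iface, m["local"], length, m["remote"], m["status"]))
    return results

FAULT_STATUSES = {"Open", "Short"}   # assumption; "Not Supported" is not a fault
def faults(output):
    # Map each faulty interface to (status, distance in m) of its first bad pair.
    found = {}
    for r in parse_tdr(output):
        if r.status in FAULT_STATUSES and r.interface not in found:
            found[r.interface] = (r.status, r.length_m)
    return found
```

The distance reported for a faulty pair is how far along the cable the reflection came from, which is what you would hand to whoever goes to fix the run.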
Port-Security
It is a security feature to be enabled on user-facing (end device) ports. It is capable of limiting the number of MAC addresses learned on a particular port.
To enable it on an access port:
switchport port-security
To limit the number of devices attached to it:
switchport port-security maximum 1
It is important to remember that a port with a VoIP phone on it should have the maximum set to 2, since two different MACs will be learned on that port.
We can also pre-determine the mac address (addresses) to be allowed on that port:
switchport port-security mac-address 0200.5455.4E01
However, as the network grows, it gets harder to keep control of its ports. For this reason there is a feature named sticky.
With it you set the maximum number of allowed MAC addresses and the switch learns them automatically, placing them in the port configuration just as we did when setting the MAC address manually. They are not saved to the startup-config unless you do it manually. If the switch reloads, it relearns the MAC addresses, which can be considered a security issue:
switchport port-security mac-address sticky
switchport port-security maximum 2
Configuring Dot1x AAA
Global config:
conf t
aaa new-model
aaa authentication dot1x default local
dot1x system-auth-control
username fatima password franca
On the interfaces to be authenticated:
dot1x port-control auto
"auto" makes the port start in the unauthenticated state, where only EAP packets are allowed. Once the EAP exchange reaches the server and authentication is granted, the port is enabled.
Root Guard
Root guard needs to be configured on ports that are not trunking or that are access ports.
To prevent a newly installed switch from accidentally becoming the new STP root bridge for the network, the following commands need to be configured:
conf t
int range f0/13 - 15
spanning-tree guard root
end
UDLD
UDLD prevents unidirectional links from causing an STP loop. Ports need to be configured as:
udld port aggressive
udld reset -> brings ports moved to err-disabled back to active.
show udld -> shows the status of the port configuration. Can be filtered by port.
udld enable -> the global command that configures gigabit Ethernet ports with the UDLD protection feature.
In an EtherChannel configuration, UDLD detects the problematic interface in the bundle and shuts down just that specific port; the port aggregation link keeps working as usual.
LOOP GUARD
Loop guard works similarly to UDLD, protecting STP from loops due to unidirectional links.
It must be enabled on root and alternate ports.
"The loop guard feature is enabled on a per-port basis. However, as long as it blocks the port on the STP level, loop guard blocks inconsistent ports on a per-VLAN basis (because of per-VLAN STP). That is, if BPDUs are not received on the trunk port for only one particular VLAN, only that VLAN is blocked (moved to loop-inconsistent STP state). For the same reason, if enabled on an EtherChannel interface, the entire channel is blocked for a particular VLAN, not just one link (because EtherChannel is regarded as one logical port from the STP point of view)."
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
"BPDU skew detection is a diagnostic feature that generates syslog messages when BPDUs are not received in time. The BPDU skew detection feature is not supported in Catalyst switches running Cisco IOS system software."
To enable it:
CatOS
set spantree guard loop <mod/port>
Cisco IOS
Router(config)#interface gigabitEthernet 1/1
Router(config-if)#spanning-tree guard loop
Issue this command in order to enable loop guard globally:
CatOS
Console> (enable) set spantree global-default loopguard enable
Cisco IOS
Router(config)#spanning-tree loopguard default
Issue this command in order to disable loop guard:
CatOS
Console> (enable) set spantree guard none <mod/port>
Cisco IOS
Router(config-if)#no spanning-tree guard loop
Issue this command in order to globally disable loop guard:
CatOS
Console> (enable) set spantree global-default loopguard disable
Cisco IOS
Router(config)#no spanning-tree loopguard default
Issue this command in order to verify loop guard status:
CatOS
show spantree guard <mod/port>
Console> (enable) show spantree guard 3/13
Port                     VLAN  Port-State    Guard Type
------------------------ ----  ------------- ----------
 3/13                    2     forwarding    loop
Console> (enable)
Cisco IOS
show spanning-tree
Router#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is disabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                  0        0         0        0          0
"Based on the various design considerations, you can choose either UDLD or the loop guard feature. In regards to STP, the most noticeable difference between the two features is the absence of protection in UDLD against STP failures caused by problems in software. As a result, the designated switch does not send BPDUs. However, this type of failure is (by an order of magnitude) more rare than failures caused by unidirectional links. In return, UDLD might be more flexible in the case of unidirectional links on EtherChannel. In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain. In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel.
Additionally, loop guard does not work on shared links or in situations where the link has been unidirectional since the link-up. In the last case, the port never receives BPDU and becomes designated. Because this behaviour could be normal, this particular case is not covered by loop guard. UDLD provides protection against such a scenario.
As described, the highest level of protection is provided when you enable UDLD and loop guard."
SPANNING-TREE PORTFAST
Spanning-tree portfast is used on ports not meant to become trunks or to receive BPDUs, that is, server/user access ports.
It eliminates the spanning-tree port state transitions before the port starts forwarding. With this configuration, the STP port goes from blocking straight to forwarding.
BPDU GUARD
BPDU guard is a feature to prevent BPDUs from being accepted on an unexpected port. A port set to spanning-tree portfast is intended for end-user devices, where no BPDU is expected. To prevent malicious or accidental connections, BPDU guard puts this interface into error-disabled state to avoid further issues:
To enable it globally: spanning-tree portfast bpduguard default
To enable it per interface:
spanning-tree portfast
spanning-tree bpduguard enable
DHCP SNOOPING
DHCP snooping is a feature that ensures only the authorized DHCP servers hand out addresses in a dynamic addressing setup.
To globally enable the config:
conf t
ip dhcp snooping
Ports in which DHCP server resides must be configured to have the command:
ip dhcp snooping trust
The same config needs to be applied to the trunk port leading to the switch the server is attached to.
Ports where only DHCP requests are expected (access ports) need to be configured as:
ip dhcp snooping limit rate 20 <- where 20 is the maximum number of DHCP packets per second.
Last but not least, we need to enable DHCP snooping on the participating VLANs:
conf t
ip dhcp snooping vlan 100,200
To verify: sh ip dhcp snooping
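To check a running-config against the enable secret, port-security, BPDU guard and DHCP snooping recommendations in the sections above, here is an added Python audit that is not from the original post: the config excerpt is constructed, and the checks encode this post's recommendations rather than any vendor baseline.

```python
# Constructed running-config excerpt (not from the post): Fa0/1 is hardened the
# way the sections above describe, Fa0/2 is an access port that is not.
SAMPLE_CONFIG = """\
enable password cisco123
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping trust
!
"""

def parse_config(text):
    # Returns (global lines, {interface name: [its indented lines]}).
    glob, ifaces = [], {}
    for block in text.split("\n!\n"):       # IOS separates sections with "!"
        lines = [l for l in block.splitlines() if l]
        if lines and lines[0].startswith("interface "):
            ifaces[lines[0].split(None, 1)[1]] = [l.strip() for l in lines[1:]]
        else:
            glob += lines
    return glob, ifaces
has = lambda lines, prefix: any(l.startswith(prefix) for l in lines)

# (message, predicate); p = the access port's lines, g = the global lines.
ACCESS_PORT_CHECKS = [
    ("no port-security", lambda p, g: "switchport port-security" not in p),
    ("portfast without BPDU guard", lambda p, g: "spanning-tree portfast" in p
        and "spanning-tree bpduguard enable" not in p
        and "spanning-tree portfast bpduguard default" not in g),
    ("no DHCP snooping rate limit", lambda p, g: not has(p, "ip dhcp snooping limit rate")),
    ("DHCP trust on an access port", lambda p, g: "ip dhcp snooping trust" in p),
]

def audit(text):
    # Findings as (scope, message) for the settings the post describes.
    glob, ifaces = parse_config(text)
    out = []
    if has(glob, "enable password") and not has(glob, "enable secret"):
        out.append(("global", "enable password (reversible type 7) without enable secret"))
    for name, lines in ifaces.items():
        if "switchport mode access" in lines:   # trunks are judged differently
            out += [(name, msg) for msg, bad in ACCESS_PORT_CHECKS if bad(lines, glob)]
    return out
```

Feed it the output of show running-config from a real switch and each finding names the interface (or "global") and which of the settings above is missing.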
Installing Dynamips / Dynagen on Windows Vista
http://blog.ccna.com.br/2009/07/06/instalacao-do-dynamips-dynagen-no-windows-vista/
Abstrato
November 14, 2009

Tango na Rua
November 14, 2009

O Pocotó!
November 14, 2009

Pintando o 7
November 14, 2009