Switching Misc. 1

To authenticate 802.1x clients:
SW1(config)# dot1x system-auth-control
SW1(config)# aaa new-model
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# radius-server host 150.100.220.100 key ipexpert
  • When a PC doesn’t support EAP, it can be placed in a guest-vlan:
    dot1x guest-vlan 200
  • When authentication fails, the port can be placed in an auth-fail VLAN:
    dot1x auth-fail vlan 100

The port-security MAC address table won't survive a reload unless the "sticky" parameter is used.


switchport protected: protected ports on the same switch cannot exchange traffic with each other, even when they are in the same VLAN.


Assign a static switching table entry
SW1(config)# mac-address-table {dynamic | static | secure} mac-addr {vlan vlan-id} {interface int1 [int2 … int15] [protocol {ip | ipx | assigned}]

If the destination port is a trunk, you must also specify the destination VLAN number vlan-id.

Set the switching table aging time:
SW1(config)# mac-address-table aging-time seconds [vlan vlan-id]

For VLAN number vlan-id (2 to 1001), entries are aged out of the switching table after seconds (0, 10 to 1,000,000 seconds; default 300 seconds). A value of 0 disables the aging process. The VLAN number is optional. If not specified, the aging time is modified for all VLANs.

Optimize the port as a connection to a single host
SW1(config-if)# switchport host

Several options are set for the port at once: STP PortFast is enabled, trunk mode is disabled, EtherChannel is disabled, and no dot1q trunking is allowed.


VTP

CDP v2 advertises the VTP domain name too. To disable this, use: no cdp advertise-v2

VTP version can’t be changed on Client mode.

VTP Pruning is only implemented on VTP Server nodes.

VTP Pruning eligible-list is configured on TRUNK interfaces (switchport trunk pruning … )

VLANs that are not in the pruning-eligible list are never pruned.

VTP pruning can be only modified in server mode.

VTP pruning is propagated to clients too.

VTP mode can't be set to server while existing VLANs exist.

Version-dependent transparent mode

In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because only one domain is supported in the Supervisor engine software, VTP version 2 forwards VTP messages in transparent mode without checking the version.


802.1Q Tunneling (Q-in-Q)

interface FastEthernet0/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 no cdp enable

The access VLAN which is here called Tunnel-Tag, must exist in the transit path.

In a scenario where EtherChannel is implemented between two 802.1Q customer sites, there is more than one switch in the transit path, and each CE switch has, for example, three different links towards the remote CE node, each PE-to-CE link should be assigned to a different tunnel VLAN.

Also, the transit path should consist of TRUNK links that carry the Tunnel-Tag VLANs.


OSPF Design: 3 – Fundamentals

OSPF benefits
  • Fast convergence
  • Variable-length subnet masking (VLSM)
  • Authentication
  • Hierarchical segmentation
  • Route summarization
  • Aggregation

Routing Summarization is a major factor in the success of designing your network. To ensure that your network can scale properly, route summarization is the biggest factor against which to measure your success. Without summarization, you have a flat address design with specific route information for every subnet being transmitted across the network—a bad thing in large networks.

The six time-proven steps to designing a network are as follows:

  1. Analyze the requirements.
  2. Develop the network topology.
  3. Determine the addressing and naming conventions.
  4. Provision the hardware.
  5. Deploy protocol and Cisco IOS Software features.
  6. Implement, monitor, and maintain the network.

Consider the following issues when working through the network design process:


Tuning BGP Capabilities

OSPF external routes are automatically blocked from being redistributed in BGP by default.

A solution to minimize Internet route instability is using Aggregation. Fluctuation of any single route covered by an Aggregate does not cause fluctuation of the Aggregate itself.

Backdoor routes offer an alternative IGP path instead of the external BGP path. Using the backdoor option for specific routes causes their administrative distance to equal that of BGP Local (200), so the IGP route with the lower AD is preferred.

By default, MED is not compared when routes are learned from different ASs. This behavior can be changed using the bgp always-compare-med command. When the bgp deterministic-med command is enabled, routes from the same autonomous system are grouped together, and the best entries of each group are compared. An example BGP table looks like this:

entry1: AS(PATH) 100, med 200, external, rid 1.1.1.1
entry2: AS(PATH) 500, med 100, internal, rid 172.16.8.4
entry3: AS(PATH) 500, med 150, external, rid 172.16.13.1

bgp deterministic-med Enabled, bgp always-compare-med Disabled: There is a group for AS 100 and a group for AS 500. The best entries for each group are compared. Entry1 is the best of its group because it is the only route from AS 100. Entry2 is the best for AS 500 because it has the lowest MED. Next, entry1 is compared to entry2. Since the two entries are not from the same neighbor autonomous system, the MED is not considered in the comparison. The external BGP route wins over the internal BGP route, making entry1 the best route.
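The grouping and comparison described above, written out as a small Python model so the effect of the two knobs can be checked against the page's three-entry table. This is an added example, not code from the original post or from Cisco IOS; it models only the decision-process steps the example needs (MED when comparable, eBGP over iBGP, lowest router ID) and assumes weight, LOCAL_PREF, AS_PATH length and origin are equal for all entries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    """One entry of the constructed BGP table for a single prefix."""
    name: str
    neighbor_as: int    # first AS in AS_PATH, i.e. the neighbouring AS
    med: int
    external: bool      # True = learned via eBGP, False = via iBGP
    router_id: str      # router ID of the advertising router (final tie-breaker here)


def _rid_key(router_id: str) -> tuple:
    """Numeric sort key so '1.1.1.1' < '172.16.8.4' is decided octet by octet."""
    return tuple(int(octet) for octet in router_id.split("."))


def prefer(a: BgpPath, b: BgpPath, med_comparable: bool) -> BgpPath:
    """Return the preferred of two paths.

    Only the decision-process steps needed for the page's example are
    modelled: MED (when comparable), eBGP over iBGP, lowest router ID.
    """
    if med_comparable and a.med != b.med:
        return a if a.med < b.med else b
    if a.external != b.external:
        return a if a.external else b
    return a if _rid_key(a.router_id) <= _rid_key(b.router_id) else b


def best_path(paths, deterministic_med=True, always_compare_med=False) -> BgpPath:
    """Select the best path, mimicking the two IOS knobs.

    With deterministic-med, paths are first grouped by neighbouring AS and
    the best of each group is chosen (MED is always comparable inside a
    group).  The group winners are then compared against each other, where
    MED counts only if always-compare-med is on.  Without deterministic-med
    the paths are simply compared in table order.
    """
    if deterministic_med:
        groups = {}
        for p in paths:
            groups.setdefault(p.neighbor_as, []).append(p)
        candidates = []
        for group in groups.values():
            winner = group[0]
            for p in group[1:]:
                winner = prefer(winner, p, med_comparable=True)
            candidates.append(winner)
    else:
        candidates = list(paths)

    winner = candidates[0]
    for p in candidates[1:]:
        comparable = always_compare_med or p.neighbor_as == winner.neighbor_as
        winner = prefer(winner, p, comparable)
    return winner


# Constructed table, copied from the three entries shown on the page.
TABLE = [
    BgpPath("entry1", 100, 200, True, "1.1.1.1"),
    BgpPath("entry2", 500, 100, False, "172.16.8.4"),
    BgpPath("entry3", 500, 150, True, "172.16.13.1"),
]

if __name__ == "__main__":
    print("deterministic-med only :", best_path(TABLE).name)                          # entry1
    print("plus always-compare-med:", best_path(TABLE, always_compare_med=True).name)  # entry2
```

With deterministic-med alone the result is entry1, exactly as the text walks through; turning on always-compare-med as well makes MED count between the group winners, so entry2 (MED 100) beats entry1 (MED 200). The model keeps a deterministic_med=False path so the table-order comparison can be tried with the entries shuffled.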

When passing an eBGP route to an iBGP neighbor, the next hop stays set to the eBGP neighbor's address.

In NBMA partial-mesh networks, the next-hop-self command is sometimes required.

When connecting to an Internet eBGP neighbor, private AS numbers should be stripped from the AS_PATH.

An AS that advertises an Aggregate considers itself the originator of that route, irrespective of where the component routes came from. This can cause a loop, so the solution is to use the as-set option of the aggregate-address command.

Sometimes customers prepend extra copies of their own AS to avoid becoming a transit AS for providers.

Combine route injection in BGP with static Routes (with distance 254, for example) to Null0 if you want to prevent route fluctuation even if your IGP routing is not stable.

In most situations, METRIC (MED) is used to influence inbound traffic and LOCAL_PREFERENCE is used to influence outbound traffic.

BGP multipath can be used to install multiple paths in the IP routing table if the paths are learned via the same neighboring AS. The maximum-paths command can be used to install up to six paths to a single destination. The following attributes of parallel paths have to match with the best path:

  • Weight
  • Local Pref
  • Origin
  • AS-Path Length
  • MED
  • Neighbor AS or sub-AS match (for eBGP multipath)
  • AS-PATH match (for eiBGP multipath)
  • IGP metric to BGP next hop
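The eligibility rule in the list above, as an added Python example (not code from the original post or from Cisco IOS): a candidate path is checked attribute by attribute against the best path, with the neighbour-AS rule for eBGP multipath and the full AS_PATH rule for eiBGP multipath, and the installed set is capped at the six-path maximum the text mentions. All path values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    """Attributes of one BGP path that matter for multipath eligibility."""
    next_hop: str
    weight: int
    local_pref: int
    origin: str          # "i" (IGP), "e" (EGP) or "?" (incomplete)
    as_path: tuple       # AS_PATH as a tuple of AS numbers, leftmost = neighbouring AS
    med: int
    igp_metric: int      # IGP metric to the BGP next hop


def multipath_eligible(best: BgpPath, candidate: BgpPath, eibgp: bool = False):
    """Return (eligible, failed_checks) for a candidate against the best path.

    Mirrors the attribute list on the page: weight, LOCAL_PREF, origin,
    AS_PATH length, MED and IGP metric must match; eBGP multipath also
    requires the same neighbouring AS, eiBGP multipath the identical AS_PATH.
    """
    checks = [
        ("weight", best.weight == candidate.weight),
        ("local_pref", best.local_pref == candidate.local_pref),
        ("origin", best.origin == candidate.origin),
        ("as_path_length", len(best.as_path) == len(candidate.as_path)),
        ("med", best.med == candidate.med),
        ("igp_metric", best.igp_metric == candidate.igp_metric),
    ]
    if eibgp:
        checks.append(("as_path", best.as_path == candidate.as_path))
    else:
        # as_path[:1] copes with an empty AS_PATH (locally originated prefix)
        checks.append(("neighbor_as", best.as_path[:1] == candidate.as_path[:1]))
    failed = [name for name, ok in checks if not ok]
    return (not failed, failed)


def select_multipaths(best, candidates, max_paths=6, eibgp=False):
    """Return the paths that would be installed: the best path plus the
    eligible candidates, capped at max_paths (IOS allows up to six)."""
    installed = [best]
    for c in candidates:
        if len(installed) >= max_paths:
            break
        eligible, _ = multipath_eligible(best, c, eibgp)
        if eligible:
            installed.append(c)
    return installed


# Constructed paths for one prefix (assumed values, not from the page).
BEST = BgpPath("10.0.0.1", 0, 100, "i", (65001, 65100), 0, 10)
SAME_AS = BgpPath("10.0.0.2", 0, 100, "i", (65001, 65100), 0, 10)   # second link to AS 65001
OTHER_AS = BgpPath("10.0.1.1", 0, 100, "i", (65002, 65100), 0, 10)  # same length, different neighbour
LOW_PREF = BgpPath("10.0.0.3", 0, 90, "i", (65001, 65100), 0, 10)   # LOCAL_PREF differs
FAR_HOP = BgpPath("10.0.0.4", 0, 100, "i", (65001, 65100), 0, 20)   # worse IGP metric to next hop

CANDIDATES = [SAME_AS, OTHER_AS, LOW_PREF, FAR_HOP]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c.next_hop, multipath_eligible(BEST, c))
    print([p.next_hop for p in select_multipaths(BEST, CANDIDATES)])
```

Only the second link into the same neighbouring AS qualifies; the path via AS 65002 has an AS_PATH of equal length but fails the neighbour-AS check (and the AS_PATH check under eiBGP rules), and the other two fail on LOCAL_PREF and IGP metric respectively. Returning the list of failed checks rather than a bare boolean is what makes this useful when troubleshooting why a path did not get installed.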