Network technologies and trends


November 26, 2008  5:59 AM

What is Dynamic ARP Inspection (DAI)?



Posted by: Yasir Irfan
ARP, Cisco, Cisco Learning, Cisco Tips, DAI, DHCP, DHCP Snooping, Dynamic ARP Inspection, IP to MAC, Network Security, Security Features, Switches, Switching

Dynamic ARP inspection is a security feature which validates ARP packets in a network. It validates each packet by checking its IP-to-MAC address binding against a trusted database (the DHCP snooping binding database) before forwarding the packet. Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed.

The switch performs these activities:

  • Intercepts all ARP requests and responses on untrusted ports
  • Verifies that each intercepted packet has a valid IP-to-MAC address binding before it updates the local ARP cache or forwards the packet to the appropriate destination
  • Drops invalid ARP packets
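The check described above, modelled in a few lines of Python as an added illustration (this is not Cisco's implementation or code from the post): ARP packets from untrusted ports are looked up in a DHCP snooping binding table keyed by VLAN and sender IP, and anything that does not match the lease is logged and dropped. The port names, MACs and addresses are constructed.

```python
"""Model of Dynamic ARP Inspection: ARP packets arriving on untrusted ports are
checked against the DHCP snooping binding table and dropped, with a log entry,
when the sender IP/MAC pair on that VLAN has no matching binding. Added
illustration only; not Cisco's implementation. All addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    op: str = "reply"          # "request" or "reply"


@dataclass
class DaiSwitch:
    trusted_ports: set
    bindings: dict             # (vlan, ip) -> MAC learned from DHCP snooping
    log: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True when the ARP packet is forwarded, False when dropped."""
        if pkt.port in self.trusted_ports:
            return True        # trunks/uplinks are trusted; DAI does not inspect them
        bound_mac = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if bound_mac is not None and bound_mac.lower() == pkt.sender_mac.lower():
            return True        # sender IP/MAC matches the DHCP lease on this VLAN
        # No binding, or the MAC differs from the one that leased this IP:
        # log it and drop it instead of letting it poison ARP caches downstream.
        self.log.append(f"DAI deny: ARP {pkt.op} on {pkt.port} vlan {pkt.vlan} "
                        f"{pkt.sender_ip} from {pkt.sender_mac} (bound: {bound_mac})")
        return False


def build_demo_switch() -> DaiSwitch:
    """Constructed scenario: Gi0/49 is a trusted trunk; one host holds a lease."""
    return DaiSwitch(trusted_ports={"Gi0/49"},
                     bindings={(101, "10.0.101.10"): "0011.2233.4455"})


if __name__ == "__main__":
    sw = build_demo_switch()
    for pkt in (ArpPacket("Gi0/1", 101, "0011.2233.4455", "10.0.101.10"),
                ArpPacket("Gi0/2", 101, "00aa.bbcc.ddee", "10.0.101.1"),
                ArpPacket("Gi0/49", 101, "00aa.bbcc.ddee", "10.0.101.1")):
        print(pkt.port, "forwarded" if sw.inspect(pkt) else "dropped")
    print(*sw.log, sep="\n")
```

The third packet shows why uplinks are trusted: the gateway's own ARP never appears in the binding table, so it must arrive on a trusted port to be accepted.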

November 22, 2008  12:56 PM

How to configure DHCP Snooping on Cisco Catalyst Switches



Posted by: Yasir Irfan
802.1 Q, CCNP, Cisco, Cisco 2950, Cisco 2960, Cisco 3560, Cisco 3560-E, Cisco 3750-E, Cisco 6500, Cisco 6500 Series Catalyst Switch, Cisco 6503, Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6513 Switch, Cisco IOS, Cisco Learning, Cisco Systems, Cisco Tips, Configuring DHCP Snooping, DHCP, DHCP Snooping, HSRP, IOS commands, Networking, Routing and Switching, Server Security, Switches, Switching, Trunk Ports

So here we go with the configuration of DHCP snooping on a Cisco switch. This feature protects the network by allowing the Cisco switches to accept DHCP response messages only from the authorized servers connected to trusted interfaces on the switch.

[Diagram: DHCP snooping scenario topology]

All switch-to-switch connections are configured as 802.1Q trunk ports.

[Table: IP address and HSRP details for the core switches]

From the above scenario we have two Cisco 6513 Series Switches as the core/distribution layer with three VLANs: VLAN 50 for management of the switches, VLAN 100 for all the servers and VLAN 101 for clients; two Cisco 3560 Series Switches as server farm switches; and a Cisco 3560 Series Switch as an access switch. There are two DHCP servers, with IP addresses 10.0.1.100 and 10.0.1.101, connected to the server farm switches with HP NIC teaming. We configure DHCP snooping based on this scenario.

The first step in configuring DHCP snooping is to turn on DHCP snooping on all Cisco switches using the "ip dhcp snooping" command.

All Cisco Switches(config)#ip dhcp snooping

The second step is to configure the trusted interfaces. From the above scenario, all trunk ports are configured as trusted ports, as well as interfaces G0/7 and G0/17 on ITKESF01 (50.0.0.6) and G0/9 and G0/18 on ITKESF02 (50.0.0.7), which connect to the DHCP servers 10.0.1.100 and 10.0.1.101. Let's configure all trunk ports in ITKEBB01:

ITKEBB01(config)#interface range gigabitEthernet 3/21 - 23
ITKEBB01(config-if)#ip dhcp snooping trust

Now let's configure all trunk ports in ITKEBB02:

ITKEBB02(config)#interface range gigabitEthernet 3/21 - 23
ITKEBB02(config-if)#ip dhcp snooping trust
ITKEBB02(config)#interface gigabitEthernet 3/16
ITKEBB02(config-if)#ip dhcp snooping trust

Now let's configure the trusted ports for the DHCP servers:

ITKESF01(config)#interface gigabitEthernet 0/7
ITKESF01(config-if)#ip dhcp snooping trust
ITKESF01(config)#interface gigabitEthernet 0/17
ITKESF01(config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/9
ITKESF02(config-if)#ip dhcp snooping trust
ITKESF02(config)#interface gigabitEthernet 0/18
ITKESF02(config-if)#ip dhcp snooping trust

Now let's configure the trunk ports on the access switch ITKEAS01:

ITKEAS01(config)#interface range gigabitEthernet 0/49 - 52
ITKEAS01(config-if)#ip dhcp snooping trust

Finally we are going to enable DHCP snooping on the VLANs. DHCP snooping will be used on all the VLANs (VLAN 100 and 101) except the management VLAN 50. We will also limit the rate of DHCP requests received on the access switch (ITKEAS01).

ALL SWITCHES(config)#ip dhcp snooping vlan 100,101

ITKEAS01(config)#interface range gigabitEthernet 0/1 - 48
ITKEAS01(config-if)#ip dhcp snooping limit rate 20

Displaying the DHCP snooping status:

[Screenshot: DHCP snooping display output]

For further reference please do check this article from Cisco about DHCP snooping.
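To make the policy above concrete, here is an added Python model of what the access switch ITKEAS01 ends up enforcing (this is an illustration written for this post, not Cisco IOS code): snooping only on VLANs 100 and 101, trunk ports trusted, server-side DHCP messages refused on untrusted ports, a 20 packet/second limit per untrusted port that err-disables the port when exceeded, and a binding table built from the ACK that completes a client's lease. The message fields, port names and addresses are constructed, and the way the client port is remembered is a simplification.

```python
"""Model of the DHCP snooping policy configured above: snooping is enabled only
on VLANs 100 and 101, trunk and DHCP server ports are trusted, untrusted access
ports may not source server-side messages and are limited to 20 DHCP packets
per second. Added illustration, not Cisco IOS; all messages are constructed."""
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # only a real DHCP server should send these


class DhcpSnoopingSwitch:
    def __init__(self, snoop_vlans, trusted_ports, rate_limit=20):
        self.snoop_vlans = set(snoop_vlans)
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit
        self.errdisabled = set()
        self.bindings = {}                  # (vlan, ip) -> (client MAC, client port)
        self.pending = {}                   # client MAC -> untrusted port it asked on
        self.counts = defaultdict(int)      # (port, second) -> DHCP packets seen

    def process(self, port, vlan, msg, client_mac, second, yiaddr=None):
        """Return 'forward', or a 'drop: ...' reason for a discarded message."""
        if vlan not in self.snoop_vlans:
            return "forward"                # e.g. management VLAN 50 is not snooped
        if port in self.errdisabled:
            return "drop: port is err-disabled"
        if port not in self.trusted:
            self.counts[(port, second)] += 1
            if self.counts[(port, second)] > self.rate_limit:
                self.errdisabled.add(port)  # over the limit: port goes err-disabled
                return "drop: rate limit exceeded, port err-disabled"
            if msg in SERVER_MSGS:
                return f"drop: {msg} from unauthorized server on {port}"
            self.pending[client_mac] = port  # remember which port the client is on
            return "forward"
        # Trusted port (trunk or DHCP server): an ACK completes a lease, so record
        # the binding that DAI will later check ARP packets against.
        if msg == "ACK" and yiaddr and client_mac in self.pending:
            self.bindings[(vlan, yiaddr)] = (client_mac, self.pending.pop(client_mac))
        return "forward"


def build_access_switch() -> DhcpSnoopingSwitch:
    """ITKEAS01 from the scenario: Gi0/49-52 are trusted trunks, Gi0/1-48 are not."""
    trunks = {f"Gi0/{n}" for n in range(49, 53)}
    return DhcpSnoopingSwitch(snoop_vlans={100, 101}, trusted_ports=trunks, rate_limit=20)
```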


November 22, 2008  7:22 AM

Why should we consider implementing DHCP Snooping?



Posted by: Yasir Irfan
Cisco, Cisco 2950, Cisco 2960, Cisco 3560, Cisco 3560-E, Cisco 3750-E, Cisco 6500, Cisco 6500 Series Catalyst Switch, Cisco 6503, Cisco Systems, Cisco Tips, DHCP, DHCP Snooping, Err-disable, Networking, Security, Switches, Switching

Dear Friends, in my previous post I was discussing DHCP snooping; it may be hard to believe that a DHCP server can lead to a lot of trouble in your network. Consider a host that sends out DHCP discover packets: it listens for DHCP offer packets and accepts the first available offer from a DHCP server. Guess what happens if the host gets a DHCP offer from a rogue DHCP server? The host could end up using the rogue DHCP server's IP address and default gateway. The host cannot access any of the resources in your network.

Yes, we can prevent this with DHCP snooping, thanks to Cisco. DHCP snooping classifies interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces are permitted to pass through the Cisco switch, but DHCP messages received on an untrusted interface of a Cisco switch result in the interface being put into the error-disabled state. Configuring DHCP snooping in a network is quite a troublesome job, but I will try to make things easier for you by using a scenario, which hopefully I am going to post soon.


November 20, 2008  7:54 AM

What is Dynamic Host Configuration Protocol (DHCP) Snooping?



Posted by: Yasir Irfan
Cisco, Cisco 2960, Cisco 3560, Cisco 3745, Cisco 6500, Cisco 6500 Series Catalyst Switch, Cisco 6503, Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6513 Switch, Cisco Systems, Cisco Tips, DHCP, DHCP Snooping, Network Security, Security, Switches, Switching

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature which filters untrusted DHCP messages; it protects the devices on the network from associating with an unauthorized DHCP server. When the DHCP snooping feature is enabled on a Cisco switch, the switch builds a table of MAC address, IP address, lease time, binding type and interface information. In coming posts I will try to explain how to enable and configure the DHCP snooping security feature on a Cisco switch.


November 17, 2008  5:16 AM

In which slot shall we install the Supervisor Engine in Cisco 6500 Series Catalyst Switches - Series 2



Posted by: Yasir Irfan
Cisco, Cisco 6500, Cisco 6500 Series Catalyst Switch, Cisco Catalyst 6506-E Switch, Cisco Systems, Cisco Tips, Network Troubleshooting, Routing and Switching, SUP720, Supervisor Engine, Switches, Switching

Dear Friends, in one of my previous posts I explained in which slot the Supervisor Engine SUP720 is to be installed in a Cisco 6500 Series Switch. Now let's proceed further and look at the Cisco Catalyst 6506-E Switch: in a Cisco Catalyst 6506-E Switch the Supervisor Engine SUP720 is installed in either slot 5 or slot 6.

[Image: Cisco Catalyst 6506-E Switch]


November 12, 2008  12:56 PM

Solution for %IP-4-DUPADDR: Duplicate address error log in your Cisco 6500 Switches running HSRP



Posted by: Yasir Irfan
Cisco, Cisco 6500, Cisco 6500 Series Catalyst Switch, Cisco Catalyst 6513 Switch, Cisco IOS, Cisco Learning, Cisco Support, Cisco Systems, Cisco Tips, Hot Standby Router Protocol, HSRP, Network Troubleshooting, Routing and Switching, Switches, Switching, TAC, WebEx

Dear Friends, in my previous post I was talking about the HSRP error generated in Cisco 6513 Switches with a duplicate IP address. I opened a TAC case with Cisco Systems. I should first of all salute Cisco for the great support in solving this issue. Cisco TAC Engineer Mr. Pradeep was in constant touch with me on this case to resolve the issue. The best part of their support is the use of technology. Mr. Pradeep initiated a WebEx meeting with me and spent more than an hour checking step by step. He helped me a lot and I learned a lot of things from the Cisco TAC team, like how to approach a problem and what measures should be taken to troubleshoot any problem. Finally we came to the conclusion that there are no bugs or errors in the IOS we are using. There are no problems either in the hardware or in the current configuration. I would like to quote the solution provided by Mr. Pradeep, TAC Engineer, Cisco Systems:

"Let me summarize this issue. You told me that there is one Trojan-affected PC/host, which is connected to your access switch. Further, you got some duplicate IP address messages on your core switch. During troubleshooting, I have checked and verified that the Cisco switches are working fine. Their configurations were correct. Generally duplicate IP addresses can be impounded by "broken HSRP links" or "incorrect DHCP pool configuration", or by misconfiguration of switches or STP. I found that this entire setup is configured correctly. Furthermore, I would like to inform you that Cisco's IOS cannot resolve a Trojan issue on any PC. A PC has got its own operating system, and IOS can work only and only on Cisco's devices."

So now it's quite clear: if you face this kind of problem, make sure the infected PC is removed from the network and make sure it is free from any sort of Trojans or viruses.


November 12, 2008  5:27 AM

Cisco IT Security Forum: An Interactive Online Conference



Posted by: Yasir Irfan
Cisco, Cisco Events, Cisco Learning, Cisco News, IT Security, On Line Conference

Dear Friends,

[Image: IT Security Forum]

Today from 9 a.m. to 5 p.m. Eastern Time there is an IT Security Forum. It's an online interactive conference. Cisco is committed to sharing information you will find indispensable in managing threats.


The following speakers are expected to take part in this online conference:

  • Bob Bragdon: Publisher, CSO Magazine
  • Chris Christiansen: Program VP, IDC - Security Products and Services Group
  • Michael Hall: Chief Information Security Officer, DriveSavers Data Recovery, Inc.
  • Mike Helinsky: Director of Information Technology Operations, Brooks Rehabilitation
  • Mark Hogan: Chief Information Officer, Cleveland Airport System
  • Bob Russo: General Manager, PCI Security Standards Council
  • John Stewart: Vice President and Chief Security Officer, Cisco
  • Marie Hattar: Vice President of Network Systems and Security Solutions, Cisco
  • Christopher Burgess: Director, Senior Security Advisor, Corporate Security Programs Organization, Cisco
  • Dave Goddard: Vice President, Technical Support, Cisco
  • Patrick Peterson: Vice President of Technology, IronPort Systems, a Cisco Business Unit
  • Fred Kost: Director, Security Solutions Marketing, Cisco

The IT Security Forum will feature:

  • Cisco executives John Stewart, Chief Security Officer, and Marie Hattar, VP, Network Systems and Security Solutions, on virtualization and collaboration
  • A review of PCI Data Security Standard v 1.2
  • Exclusive data leakage survey results
  • 2008 Cisco Annual Security Report preview
  • Panel discussions with industry leaders
  • Virtual exhibit floor where you can interact with Cisco experts

Please do register for this online conference and make use of this opportunity.


November 12, 2008  5:18 AM

Cisco Gifts Mega Router – Cisco Aggregation Services Router 9000 (ASR 9000)



Posted by: Yasir Irfan
Aggregation Services Router, ASR 9000, Cisco News, Mega Router, Routers, Routing

Today, Cisco announced a little something to help clear the way. The world’s largest maker of networking equipment unveiled a new member to its growing family of routers custom-made for the Information Age. Known as the Cisco Aggregation Services Router 9000 (ASR 9000), the company says the machine has six times more capacity and is four times faster than any other router in its class. In fact, the company says, the brawny router is more powerful than any other competing router, period.

[Image: Cisco ASR 9000. Pic Courtesy: Cisco]

The ASR 9000 also includes new technologies for proactively managing notoriously challenging video signals. It makes corrections and ensures picture quality for ultra-clear high-definition TV and other video services, Cisco executives say.

For more details check the press release from Cisco.


November 9, 2008  6:51 AM

Don’t panic whenever you see %IP-4-DUPADDR: Duplicate address error log in your Cisco 6500 Switches running HSRP



Posted by: Yasir Irfan
Cisco, Cisco 6500, Cisco 6500 Series Catalyst Switch, Cisco 6503, Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6513 Switch, Cisco Systems, Cisco Tips, Hot Standby Router Protocol, HSRP, Network Troubleshooting, Networking, Routing and Switching, Switches, Switching, Trojan

If you are running HSRP and one of your VLANs is down and the following errors are generated in your switch, don't panic. All this happens due to Trojans in the network.

MBGF-DAC-6500-BB01#sho log

Nov  9 07:54:21: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:54:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:55:22: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:55:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:56:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.1 256 packets
Nov  9 07:56:22: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:56:52: %IP-4-DUPADDR: Duplicate address 10.12.0.1 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:57:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.2 263 packets
Nov  9 07:57:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.7 200 packets
Nov  9 07:57:22: %IP-4-DUPADDR: Duplicate address 10.12.0.1 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:57:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
MBGF-DAC-6500-BB01#

Last week at 3 A.M. I received a call from our Help Desk, stating that our applications were not running in one of our departments. I logged in remotely to our network and tried to figure out what the problem was. Upon carefully looking at the logs in our Cisco 6513 core switches I figured out that a duplicate IP address had been created, which happens to be the standby IP address for the core switch for HSRP.

I figured out the PC by looking at the MAC address in the log and closed the network connection for that particular PC, and the problem was solved.

If you face similar problems it's better to change the HSRP standby IP address in the core switches and then try to figure out the infected PC. Once the PC is identified, close its network connection and make sure the Trojans are removed. Upon cleaning the infected PC you can reconfigure the HSRP standby IP address to the previous one.
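The step of reading the source MAC out of the log is easy to script, which helps when the messages are buried among other syslog output. The following is an added Python example (not from the post): it parses the %IP-4-DUPADDR lines, groups them by VLAN and source MAC, and flags the MAC whose claimed addresses collide with the HSRP address. It assumes only that 10.12.0.2 is the HSRP standby address, as stated above; the sample lines are copied from the log shown in this post.

```python
"""Triage helper for %IP-4-DUPADDR messages: pulls the conflicting IP, VLAN and
source MAC out of each log line and reports which MAC is claiming an HSRP
address, so the offending host can be located by MAC. Added example, not from
the original post; the HSRP address set passed in is the caller's assumption."""
import re
from collections import defaultdict

DUPADDR_RE = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"on (?P<vlan>Vlan\d+), sourced by (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

# Sample lines copied from the switch log shown in the post above.
SAMPLE_LOG = """\
Nov  9 07:54:21: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:56:11: %SEC-6-IPACCESSLOGS: list 12 permitted 10.0.0.1 256 packets
Nov  9 07:56:52: %IP-4-DUPADDR: Duplicate address 10.12.0.1 on Vlan106, sourced by 000f.fe0a.1fbc
Nov  9 07:57:52: %IP-4-DUPADDR: Duplicate address 10.12.0.2 on Vlan106, sourced by 000f.fe0a.1fbc
"""


def summarize_dupaddr(log_text, hsrp_addresses):
    """Group DUPADDR events by (vlan, mac) and mark MACs colliding with HSRP IPs."""
    events = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in log_text.splitlines():
        m = DUPADDR_RE.search(line)
        if not m:
            continue          # unrelated messages such as %SEC-6-IPACCESSLOGS
        key = (m["vlan"], m["mac"])
        events[key]["count"] += 1
        events[key]["ips"].add(m["ip"])
    report = {}
    for (vlan, mac), data in events.items():
        report[mac] = {"vlan": vlan, "count": data["count"],
                       "ips": sorted(data["ips"]),
                       "hsrp_conflict": sorted(data["ips"] & set(hsrp_addresses))}
    return report


if __name__ == "__main__":
    for mac, info in summarize_dupaddr(SAMPLE_LOG, {"10.12.0.2"}).items():
        print(mac, info)   # the MAC to look up in the access switch's CAM table
```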

Once I get the complete solution to fix this problem I will post it.


November 8, 2008  5:25 AM

CCNA Certification/Popular TCP/IP Applications port numbers



Posted by: Yasir Irfan
CCNA, Certifications, Cisco, Cisco Certifications, Cisco Learning, Cisco Tips, TCP/IP, TCP/IP Well known ports, UDP

Dear Friends, if you are preparing for the CCNA 640-802 certification it would be great to remember the popular applications as well as their TCP/UDP ports.

You should at least be aware of some of the applications used to manage and control the network.

[Table: popular TCP/IP applications and their port numbers]

