Configuring MAC Address Notification Traps
September 30, 2008 at 11:06 am | In IOS services, Switching
MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
It looks like MAC address logging cannot be sent to a syslog server!
DOC CD Navigation
- Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEE
- Administering the Switch
- Managing the MAC Address Table
- Configuring MAC Address Notification Traps
Example:
Switch(config)# snmp-server host 172.20.10.10 traps private
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
Switch(config)# interface fastethernet0/4
Switch(config-if)# snmp trap mac-notification added
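To make use of these traps on the NMS side, here is an added Python example (not from this post and not Cisco code) that decodes the bundled MAC-change records one trap carries and flags a MAC address that reappears on a different port, which is the kind of event a defender wants surfaced. The 11-byte record layout is taken from the cmnHistMacChangedMsg definition in CISCO-MAC-NOTIFICATION-MIB as I read it; treat it as this example's assumption and verify it against the MIB shipped with your IOS release. The sample payload is constructed, not captured from a switch.

```python
import struct

# One cmnHistMacChangedMsg record, layout assumed from CISCO-MAC-NOTIFICATION-MIB:
#   1 byte operation (1 = learnt, 2 = removed, 0 = other), 2 bytes VLAN id,
#   6 bytes MAC address, 2 bytes dot1dBasePort, all big-endian (11 bytes total).
RECORD = struct.Struct("!BH6sH")
OPERATIONS = {0: "other", 1: "learnt", 2: "removed"}


def decode_records(payload: bytes) -> list:
    """Split a trap's MAC-change octet string into per-record dicts.

    With 'mac address-table notification interval 60' the switch bundles many
    records into one trap, so a valid payload is a multiple of RECORD.size
    bytes; anything else is a truncated or malformed varbind.
    """
    if len(payload) % RECORD.size:
        raise ValueError(f"payload of {len(payload)} bytes is not a multiple of {RECORD.size}")
    records = []
    for op, vlan, mac, port in RECORD.iter_unpack(payload):
        records.append({
            "op": OPERATIONS.get(op, f"unknown({op})"),
            "vlan": vlan,
            "mac": ":".join(f"{b:02x}" for b in mac),
            "port": port,   # dot1dBasePort; map it to an ifIndex via BRIDGE-MIB on the NMS
        })
    return records


def apply_records(table: dict, records: list) -> list:
    """Replay records into a (vlan, mac) -> port table.

    Returns findings worth reviewing: a MAC that is learnt on a port different
    from the one it was last seen on (a move, or a spoofed/duplicate address).
    """
    findings = []
    for rec in records:
        key = (rec["vlan"], rec["mac"])
        if rec["op"] == "learnt":
            previous = table.get(key)
            if previous is not None and previous != rec["port"]:
                findings.append(f"{rec['mac']} in VLAN {rec['vlan']} moved "
                                f"from port {previous} to port {rec['port']}")
            table[key] = rec["port"]
        elif rec["op"] == "removed":
            table.pop(key, None)
    return findings


# Constructed sample payload (three records, not from a real switch):
# learnt on port 4, learnt again on port 7, then removed from port 7.
SAMPLE_PAYLOAD = b"".join(
    RECORD.pack(op, 10, bytes.fromhex("001122334455"), port)
    for op, port in ((1, 4), (1, 7), (2, 7))
)

if __name__ == "__main__":
    mac_table = {}
    for finding in apply_records(mac_table, decode_records(SAMPLE_PAYLOAD)):
        print(finding)
```

The decoder deliberately rejects a payload whose length is not a whole number of records rather than silently parsing a prefix, so a truncated trap shows up as an error instead of a missing event.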
OSPF capability transit
September 29, 2008 at 1:00 pm | In OSPF, Routing | Leave a Comment
OSPF area capability transit is enabled by default, allowing the OSPF Area Border Router to install better-cost routes to the backbone area through the transit area instead of the virtual links.
If you want to retain a traffic pattern through the virtual-link path, you can disable capability transit by entering the no capability transit command. If paths through the transit area are discovered, they are most likely more optimal than, or at least equal to, the virtual-link path. To re-enable capability transit, enter the capability transit command.
If you need to verify whether OSPF area capability transit is enabled for a specific routing process, enter the show ip ospf command.
DOC CD Navigation
- Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4
- Part 5: OSPF
- OSPF Area Transit Capability
The capability transit command can also be looked up in the Command Reference.
DHCP For PPP Link
September 25, 2008 at 6:06 pm | In IP Services
I came across a weird issue today when practising Vol2 Lab 13, Task 2.3: the R4 Serial interface was not able to get an IP address via DHCP until I changed R5's Serial0/1 to use ip unnumbered off Loopback1 instead of a manually configured IP.
This could be because routing for the subnet 139.1.45.0/24 is not available until the interface is fully up, by which time IPCP is no longer negotiating an IP address for the Serial interface. The loopback interface works around this issue. It may also be due to some other hidden issue I am not aware of. Anyway, this issue is a good candidate for an IOS bug, or a weird caveat that needs to be remembered by heart.
[21 Oct 2008] Also see other related issue found at http://enotepad.wordpress.com/2008/10/21/dhcp-for-ppp-link-revisited/
[22 Oct 2008]
This issue has been confirmed in IEWB Vol1 ver5. We either need to use ip unnumbered off a loopback, or static routing for that Serial PPP interface. This is needed because the Serial link isn’t in the UP/UP state until IP is actually negotiated. This means that when the proxy request is received at the server, the server does not have a route back to the relay in order to send the reply back.
This can be observed by turning on “debug ip packet detail” on the server, where we can see that the DHCP reply packets (UDP src=67, dst=67) are unroutable.
RSRack1R5#sh run int s0/1
interface Serial0/1
ip address 139.1.45.5 255.255.255.0
encapsulation ppp
peer default ip address dhcp
ip dhcp-server 139.1.15.1
RSRack1R4#sh ip int s0/1
Serial0/1 is up, line protocol is up
Internet address will be negotiated using IPCP
Broadcast address is 255.255.255.255
Peer address is 139.1.45.5
MTU is 1500 bytes
RSRack1R4#sh ip int brief | in Serial0/1
Serial0/1 unassigned YES IPCP up up
After changing R5 to use ip unnumbered:
RSRack1R4#sh run int s0/1
interface Serial0/1
ip address negotiated
ip rip advertise 3
encapsulation ppp
RSRack1R5#sh run
!
interface Serial0/1
ip unnumbered Loopback1
encapsulation ppp
peer default ip address dhcp
interface Loopback1
ip address 139.1.45.5 255.255.255.0
ip dhcp-server 139.1.15.1
RSRack1R4#sh ip int s0/1
Serial0/1 is up, line protocol is up
Internet address is 139.1.45.4/32
Broadcast address is 255.255.255.255
Address determined by IPCP
Peer address is 139.1.45.5
RSRack1R4#sh ip int brief | in Serial0/1
Serial0/1 139.1.45.4 YES IPCP up up
ACL usage: Direction of traffic
September 24, 2008 at 1:53 pm | In Blogroll
Lab13, Task 7.1
I sometimes make stupid mistakes, e.g. when doing this task, where I overlooked the direction of the ACLs.
Tips to avoid stupid mistakes
- Read questions carefully
- Use common sense. DoS attacks usually rely on ICMP echo requests sent from OUTSIDE, while the other ICMP messages (e.g. port unreachable, time exceeded) are responses generated from INSIDE.
Task requirement:
Configure R3’s interface E0/1 and R4’s interface E0/0 to reflect the following policy:
- Deny inbound all ICMP echo (type 8) packets.
- Deny outbound all ICMP time exceeded and port unreachable packets to stop traceroute ‘replies’.
- Silently discard packets that are denied.
- Log all denied packets.
Solution:
interface Ethernet0/1
ip access-group FILTER_IN in
ip access-group FILTER_OUT out
no ip unreachables
!
ip access-list extended FILTER_IN
deny icmp any any echo log
permit ip any any
!
ip access-list extended FILTER_OUT
deny icmp any any time-exceeded log
deny icmp any any port-unreachable log
permit ip any any
Where is GRE located in DOC CD?
September 24, 2008 at 10:55 am | In Lab tips
It’s located under
- Configuration Guide
- System Management
- Cisco IOS Interface and Hardware Component Configuration Guide, Release 12.4
- Part 4: Tunnels
Some common features are “easy to navigate” to, like Virtual Link, where you know exactly that it’s under Routing -> OSPF, or DHCP, which is under IP Addressing Scheme.
The GRE location is not obvious. My first thought was that it might be under Routing -> Protocol Independent, or IP Addressing, but neither is correct. For uncommon features like this, I usually stop “searching around” after two or three tries. My approach is to go back to the Master Index and search for a keyword relating to the feature. More specifically:
Cisco IOS Master Command List, Release 12.4
Look for one of these commands:
- tunnel source
- tunnel destination
- or tunnel mode
All these commands are located in the
Cisco IOS Interface and Hardware Component Command Reference
Now we know the main topic GRE is located under, and we can go back to the configuration guide and navigate under that topic for GRE, as listed at the beginning of this post. Here it is again:
- Configuration Guide
- System Management
- Cisco IOS Interface and Hardware Component Configuration Guide, Release 12.4
- Part 4: Tunnels
802.1P
September 13, 2008 at 4:36 pm | In Switching
RSRack1SW1(config-if)#switchport voice vlan ?
<1-4094> Vlan for voice traffic
dot1p Priority tagged on PVID
none Don't tell telephone about voice vlan
untagged Untagged on PVID
RSRack1SW1(config-if)#switchport voice vlan dot1p
This command configures the telephone to use IEEE 802.1p priority tagging and uses VLAN 0 (the native VLAN). By default, the Cisco IP phone forwards the voice traffic with an IEEE 802.1p priority of 5.
Doc CD Navigation
- Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)SE
- Configuring Voice VLAN
- Voice VLAN Configuration Guidelines
VTP Pruning Caveat in a mixed VTP mode topology
September 13, 2008 at 4:18 pm | In Switching
Server   Client   Trans     Client
 SW1 ---- SW2 ---- SW3 ----- SW4
                    |         |
                    |VLAN25   |
                    |         |
                    R5      VLAN25
A switch in transparent mode does not take part in VTP, so it does not originate pruning messages; it only relays the messages it receives from switches in VTP server/client mode.
Therefore, if we enable pruning on SW1, SW2 and SW4, and SW1 and SW2 do not have any interfaces in VLAN 25, VLAN 25 will be pruned on the trunk link between SW3 and SW4, even though SW3 may have an interface in VLAN 25. Because of this behavior, VLAN 25 reachability between SW3 and SW4 will be broken.
To prevent VLAN25 from being pruned, we need to remove it from the Prune Eligible List.
RSRack1SW4#sh int trunk | b prune
Port Vlans in spanning tree forwarding state and not pruned
Fa0/19 1-2,11,32,43,367
RSRack1SW4(config)#interface FastEthernet0/19
RSRack1SW4(config-if)# switchport trunk pruning vlan remove 25
RSRack1SW4#sh run int fa0/19
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport trunk native vlan 11
switchport trunk pruning vlan 2-24,26-1001
switchport mode dynamic desirable
end
RSRack1SW4#sh int trunk | b prune
Port Vlans in spanning tree forwarding state and not pruned
Fa0/19 1-2,11,25,32,43,367
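As an added illustration (not part of the original post), the following Python model computes the VTP join message that reaches SW4 through the transparent SW3 and the resulting “not pruned” list on SW4’s trunk, before and after VLAN 25 is removed from the prune-eligible list. Switch modes, VLAN membership and the set of active VLANs are constructed to mirror the diagram and the output above; the join-message logic is a simplification of VTP pruning written for this page, not a capture from a switch.

```python
# Added example (not from the blog): why a transparent switch in the middle of
# a pruning domain gets a VLAN pruned on its trunk, and what editing the
# prune-eligible list changes. Names, modes and VLANs below are constructed.

DEFAULT_ELIGIBLE = "2-1001"   # IOS default prune-eligible list on a trunk


def parse_vlan_list(spec: str) -> set:
    """'2-24,26-1001' -> set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """Set of VLAN ids -> '1-2,11,25' in the range notation IOS prints."""
    ids, out, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


def prune_eligible_remove(spec: str, vlans) -> str:
    """Effect of 'switchport trunk pruning vlan remove <vlans>' on the list."""
    return format_vlan_list(parse_vlan_list(spec) - set(vlans))


def join_message(chain, switches, sender, receiver) -> set:
    """VLANs `sender` advertises to `receiver` as needed (a VTP join).

    Server/client switches include their own active VLANs plus whatever their
    other neighbours asked for; a transparent switch does not add its own
    VLANs, it only relays the joins it received on its other trunks.
    """
    idx = chain.index(sender)
    needed = set()
    if switches[sender]["mode"] != "transparent":
        needed |= switches[sender]["vlans"]
    for nb_idx in (idx - 1, idx + 1):
        if 0 <= nb_idx < len(chain) and chain[nb_idx] != receiver:
            needed |= join_message(chain, switches, chain[nb_idx], sender)
    return needed


def not_pruned(chain, switches, switch, neighbor, active, eligible=DEFAULT_ELIGIBLE) -> str:
    """VLANs `switch` keeps flooding toward `neighbor` ('not pruned' in show int trunk)."""
    pruned = set()
    if switches[switch]["pruning"]:
        pruned = parse_vlan_list(eligible) - join_message(chain, switches, neighbor, switch)
    return format_vlan_list(set(active) - pruned)


# Constructed topology from the post: SW1 server, SW2 client, SW3 transparent,
# SW4 client; VLAN 25 has access ports only on SW3 (R5) and SW4.
CHAIN = ["SW1", "SW2", "SW3", "SW4"]
SWITCHES = {
    "SW1": {"mode": "server", "pruning": True, "vlans": {1, 2, 11, 32, 43, 367}},
    "SW2": {"mode": "client", "pruning": True, "vlans": {1, 11}},
    "SW3": {"mode": "transparent", "pruning": False, "vlans": {1, 11, 25}},
    "SW4": {"mode": "client", "pruning": True, "vlans": {1, 11, 25}},
}
ACTIVE_ON_TRUNK = {1, 2, 11, 25, 32, 43, 367}   # STP-forwarding VLANs on SW4 Fa0/19

if __name__ == "__main__":
    print("default list:", not_pruned(CHAIN, SWITCHES, "SW4", "SW3", ACTIVE_ON_TRUNK))
    fixed = prune_eligible_remove(DEFAULT_ELIGIBLE, [25])
    print("after remove 25 (", fixed, "):", not_pruned(CHAIN, SWITCHES, "SW4", "SW3", ACTIVE_ON_TRUNK, fixed))
```

Run stand-alone it prints the two lists from the output above; the interesting check is join_message(CHAIN, SWITCHES, "SW3", "SW4"), which contains SW1's and SW2's VLANs but not SW3's own VLAN 25, because SW3 only relays.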
Catalyst QoS: VLAN Access-map for IP traffic filtering
September 12, 2008 at 3:31 pm | In QoS, Switching
Task: Configure a VLAN access-map to only allow Telnet, ping and routing (OSPF) traffic within VLAN145.
If the default action of the VLAN access-map is drop, then we need to explicitly permit ARP frames as well; otherwise, two PC hosts within VLAN145 won’t be able to ARP for each other’s MAC address, and connectivity between them will fail.
Configuration
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
!
mac access-list extended ARP
permit any any 0x806 0x0
!
vlan access-map VLAN145_FILTER 10
action forward
match ip address 100
vlan access-map VLAN145_FILTER 15
action forward
match mac address ARP
vlan access-map VLAN145_FILTER 20
action drop
!
vlan filter VLAN145_FILTER vlan-list 145
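To check both pitfalls against sample packets, the ACL direction from the “ACL usage: Direction of traffic” post and the missing ARP entry in this VLAN access-map, here is an added Python model of how IOS evaluates an extended ACL and a VLAN access-map. It is illustration code written for this page, not anything from the blog or from Cisco: the ACL and access-map text is the posts’ own, the packets are constructed, and the fallback used when no map entry matches follows the Catalyst VLAN-map guideline as I recall it (drop if the map has a match clause for that packet type, otherwise forward), which I state as an assumption.

```python
# Added example (not from the blog): a model of how IOS evaluates an extended
# ACL applied in a direction and a VLAN access-map. ACL text is the posts' own;
# packets are constructed dicts.
ICMP_KEYWORDS = {"echo": (8, None), "echo-reply": (0, None),
                 "time-exceeded": (11, None), "port-unreachable": (3, 3)}
PORT_NAMES = {"telnet": 23}


def parse_ace(line):
    """<permit|deny> <proto> <any|host A> [eq p] <any|host B> [eq p] [icmp-type] [log]"""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "src": None, "dst": None,
           "sport": None, "dport": None, "icmp": None, "log": False}
    i = 2
    for side, port in (("src", "sport"), ("dst", "dport")):
        if t[i] == "host":
            ace[side], i = t[i + 1], i + 2
        else:                                   # "any" is the only other form the posts use
            i += 1
        if i < len(t) and t[i] == "eq":
            ace[port], i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    for tok in t[i:]:
        if tok == "log":
            ace["log"] = True
        elif tok in ICMP_KEYWORDS:
            ace["icmp"] = ICMP_KEYWORDS[tok]
    return ace


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for field in ("src", "dst", "sport", "dport"):
        if ace[field] is not None and pkt.get(field) != ace[field]:
            return False
    if ace["icmp"] is not None:
        typ, code = ace["icmp"]
        if pkt.get("icmp_type") != typ or (code is not None and pkt.get("icmp_code") != code):
            return False
    return True


def eval_acl(aces, pkt):
    """First matching ACE wins; the implicit deny at the end does not log."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"], ace["log"]
    return "deny", False


def parse_acls(text):
    """Read 'ip access-list extended NAME' blocks and numbered 'access-list N ...' lines."""
    acls, current = {}, None
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(parse_ace(" ".join(t[2:])))
        else:
            current.append(parse_ace(" ".join(t)))
    return acls


ROUTER_ACLS = parse_acls("""
ip access-list extended FILTER_IN
 deny icmp any any echo log
 permit ip any any
ip access-list extended FILTER_OUT
 deny icmp any any time-exceeded log
 deny icmp any any port-unreachable log
 permit ip any any
""")
ACCESS_GROUPS = {"in": "FILTER_IN", "out": "FILTER_OUT"}   # ip access-group ... in/out on E0/1


def router_filter(pkt, direction):
    """(action, logged) for a packet entering ('in') or leaving ('out') the interface."""
    return eval_acl(ROUTER_ACLS[ACCESS_GROUPS[direction]], pkt)


IP_ACLS = parse_acls("""
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
""")
MAC_ACLS = {"ARP": [("permit", 0x806, 0x0)]}     # permit any any 0x806 0x0 -> (ethertype, mask)
VLAN145_FILTER = [(10, "forward", "ip", "100"),
                  (15, "forward", "mac", "ARP"),
                  (20, "drop", None, None)]


def eval_vacl(access_map, frame):
    """Walk the map by sequence; an entry with no match clause matches everything.
    Fallback when nothing matches (assumed from the Catalyst VLAN-map guideline):
    drop if the map has a clause for this frame's type, otherwise forward."""
    is_ip = frame["proto"] != "arp"
    for _seq, action, kind, name in sorted(access_map):
        if kind is None:
            return action
        if kind == "ip" and is_ip and eval_acl(IP_ACLS[name], frame)[0] == "permit":
            return action
        if kind == "mac" and not is_ip and any(
                act == "permit" and (frame["ethertype"] & ~mask) == (etype & ~mask)
                for act, etype, mask in MAC_ACLS[name]):
            return action
    wanted = "ip" if is_ip else "mac"
    return "drop" if any(kind == wanted for _, _, kind, _ in access_map) else "forward"
```

Feeding an ICMP echo (type 8) to router_filter in the "in" direction returns a logged deny while the same packet in the "out" direction is permitted, and removing sequence 15 from VLAN145_FILTER turns an ARP frame from forward into drop, which is the two mistakes the posts describe.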
Catalyst QoS – Using Hierarchical Policy-Maps for Policing Markdown on 3560
September 12, 2008 at 11:44 am | In QoS, Switching
Configuration
SW2#
class-map match-all IP_TRAFFIC
match access-group 100
class-map match-all INPUT_INTERFACES
match input-interface FastEthernet0/13 - FastEthernet0/15
!
!
policy-map POLICE_32K
class INPUT_INTERFACES
police 32000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_64K
class INPUT_INTERFACES
police 64000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_VLAN200
class IP_TRAFFIC
set ip precedence 5
service-policy POLICE_64K
policy-map POLICE_VLAN100
class IP_TRAFFIC
set ip precedence 4
service-policy POLICE_32K
mls qos map policed-dscp 32 to 24
mls qos map policed-dscp 40 to 32
mls qos
interface range fa0/13-15
mls qos vlan-based
interface Vlan100
service-policy input POLICE_VLAN100
!
interface Vlan200
service-policy input POLICE_VLAN200
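As an added example (not from the post), here is a Python token-bucket model of what this hierarchical policy does to a packet stream: the parent class sets the precedence, the child class polices at 32 or 64 kbit/s with an 8000-byte burst, and out-of-profile packets are re-marked through the policed-DSCP map (32 to 24, 40 to 32) from the configuration above. The packet stream is constructed, so the in/out-of-profile split it produces is the model's, not the switch counters shown in the verification below.

```python
# Added example (not from the blog): a single-rate token-bucket model of the
# 3560 policer with 'exceed-action policed-dscp-transmit'. Rate, burst and
# the policed-DSCP map come from the post's configuration; the packet stream
# is constructed.

# mls qos map policed-dscp 32 to 24 / 40 to 32; every other value maps to itself
POLICED_DSCP_MAP = {32: 24, 40: 32}


def precedence_to_dscp(precedence: int) -> int:
    """'set ip precedence N' writes N into the top three bits of the DSCP field."""
    return precedence << 3


def police(packets, rate_bps, burst_bytes, set_precedence, policed_map=POLICED_DSCP_MAP):
    """Mark each packet, then police it with one token bucket.

    packets: iterable of (timestamp_us, size_bytes). The bucket holds at most
    burst_bytes tokens and refills at rate_bps/8 bytes per second. A packet
    conforms when the bucket holds at least its size and consumes that many
    tokens; otherwise it is transmitted with the marked-down DSCP and consumes
    nothing. Returns a dict of egress DSCP -> packet count.
    """
    marked = precedence_to_dscp(set_precedence)      # e.g. precedence 4 -> DSCP 32
    tokens, last_us = float(burst_bytes), None
    counts = {}
    for ts_us, size in packets:
        if last_us is not None:
            tokens = min(burst_bytes, tokens + rate_bps * (ts_us - last_us) / 8_000_000)
        last_us = ts_us
        if size <= tokens:                           # in profile: keep the parent's marking
            tokens -= size
            dscp = marked
        else:                                        # out of profile: policed-dscp markdown
            dscp = policed_map.get(marked, marked)
        counts[dscp] = counts.get(dscp, 0) + 1
    return counts


# Constructed stream: 100 packets of 100 bytes, one per millisecond (800 kbit/s),
# the same shape as the post's 'ping ... rep 100' but with fixed pacing.
PING_STREAM = [(k * 1000, 100) for k in range(100)]

if __name__ == "__main__":
    print("VLAN100 (prec 4, 32 kbit/s):", police(PING_STREAM, 32000, 8000, 4))
    print("VLAN200 (prec 5, 64 kbit/s):", police(PING_STREAM, 64000, 8000, 5))
```

With this stream the 8000-byte burst lets the first 83 packets through at DSCP 32 before the 32 kbit/s bucket runs dry and the remaining 17 leave as DSCP 24; at 64 kbit/s the bucket recovers once mid-stream, so the split is 87 at DSCP 40 and 13 marked down to 32. Doubling the rate does not halve the markdowns because most of the stream is absorbed by the burst, which is why the burst value matters as much as the rate when you read the policed counters.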
Verification
SW1#ping 200.0.0.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 200.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/9 ms
SW2#sh mls qos interface fa0/4 statistics
FastEthernet0/4 (All statistics are in packets)
dscp: incoming
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 18 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 82 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 18 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 82 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 102 0 0 0 0
5 - 7 : 0 0 0
cos: outgoing
-------------------------------
0 - 4 : 0 0 0 0 18
5 - 7 : 82 0 0
Policer: Inprofile: 0 OutofProfile: 0
SW2#clear mls qos int statistic
SW1#ping 100.0.0.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 100.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/9 ms
SW2#sh mls qos interface fa0/4 statistics
FastEthernet0/4 (All statistics are in packets)
dscp: incoming
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 26
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 74 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 0 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 26
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 74 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 0 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 109 0 0 0 0
5 - 7 : 0 0 0
cos: outgoing
-------------------------------
0 - 4 : 0 0 0 26 74
5 - 7 : 0 0 0
Policer: Inprofile: 0 OutofProfile: 0
SW2#show mls qos maps policed-dscp
Policed-dscp map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 24 33 34 35 36 37 38 39
4 : 32 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
Doc CD Navigation
- Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)S
- Configuring QoS
- Configuring Standard QoS
- Configuring a QoS Policy
- Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
- Configuring DSCP Maps
- Configuring the Policed-DSCP Map
- Configuring a QoS Policy
Catalyst QoS – Per port, Per VLAN classification
September 11, 2008 at 5:26 pm | In QoS, Switching
Configure SW3 to mark traffic coming in on the trunk interface Fa0/16 from VLAN201 with IP Precedence 1, and from VLAN 202 with IP Precedence 2.
Topology:
VLAN201          VLAN201
   |                |
   |                |
   |                |
  SW2 ------------- SW3
   |                |
   |                |
   |                |
VLAN202          VLAN202
Configuration
SW3#
!
class-map match-all VLAN202
match vlan 202
class-map match-all VLAN201
match vlan 201
!
!
policy-map MARK_PREC
class VLAN201
set ip precedence 1
class VLAN202
set ip precedence 2
!
Note that within a class-map, match vlan has to be followed by a match class-map (nested configuration). The configuration above is the wrong one, without match class-map; this is the error message when the service policy is applied to the interface:
SW3(config)#int fa0/16
SW3(config-if)#service-policy input MARK_PREC
QoS: match class-map must follow match vlan in class-map VLAN201.
QoS: Policy map MARK_PREC failed vlan check
Service Policy attachment failed
*Mar 1 05:45:32.418: %QM-4-MATCH_NOT_SUPPORTED: Match type is not supported in classmap VLAN201
SW3(config)#class-map match-all VLAN202
SW3(config-cmap)#match vlan 202
SW3(config-cmap)#match class-map IP_TRAFFIC
SW3(config)#class-map match-all VLAN201
SW3(config-cmap)#match vlan 201
SW3(config-cmap)#match class-map IP_TRAFFIC
SW3(config-cmap)#int fa0/16
SW3(config-if)#service-policy input MARK_PREC
Verification
SW3(config)#int vlan 201
SW3(config-if)#ip accounting precedence input
SW3#
SW3#sh int vlan 201 precedence
Vlan201
Input
(none)
SW2#ping 201.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
SW3#sh int vlan 201 precedence
Vlan201
Input
Precedence 0: 5 packets, 590 bytes
SW3#sh mls qos
QoS is disabled
SW3#c
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#mls qos
QoS: ensure flow-control on all interfaces are OFF for proper operation.
SW3(config)#
SW3#
SW3#sh mls qos
QoS is enabled
SW2#ping 201.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
SW3#sh int vlan 201 precedence
Vlan201
Input
Precedence 0: 5 packets, 590 bytes
Precedence 1: 5 packets, 590 bytes
SW2#ping 202.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
SW3#sh int vlan 202 precedence
Vlan202
Input
Precedence 2: 5 packets, 590 bytes
Alternatively, on a C3550 we can use “mls qos monitor dscp” on a physical interface to count the number of packets with particular IP Precedence or DSCP values.
SW3#c
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int fa0/16
SW3(config-if)#mls qos
SW3(config-if)#mls qos mo
SW3(config-if)#mls qos monitor ?
bytes Collect byte statistics
dscp Collect DSCP statistics
packets Collect packet statistics
SW3(config-if)#mls qos monitor ds
SW3(config-if)#mls qos monitor dscp ?
<0-63> DSCP values separated by spaces (up to 8 values total)
SW3(config-if)#mls qos monitor dscp 0 ?
<0-63> DSCP values separated by spaces (up to 8 values total)
<cr>
SW3(config-if)#mls qos monitor dscp 0 8 16
SW3(config-if)#
SW3#
*Mar 1 06:00:28.574: %SYS-5-CONFIG_I: Configured from console by console
SW3#c
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int fa0/16
SW3(config-if)#mls qos monitor packets
QoS: This command is only applicable on a master port.
On a 24 ports switch:
-port 1 controls interface 1 to 12
-port 13 controls interface 13 to 24
On a 48 ports switch:
-port 25 controls interface 25 to 36
-port 37 controls interface 37 to 48
SW3(config-if)#
SW3(config-if)#int fa0/13
SW3(config-if)#mls qos monitor packets
SW3(config-if)#
SW2#ping 201.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW2#ping 202.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
SW3#sh mls qos int fa0/16 statistics
FastEthernet0/16
Ingress
dscp: incoming no_change classified policed dropped (in pkts)
0 : 14 4 0 0 0
8 : 0 0 5 0 0
16: 0 0 5 0 0
Others: 0 0 0 0 0
Egress
dscp: incoming no_change classified policed dropped (in pkts)
0 : 5 n/a n/a 0 0
8 : 5 n/a n/a 0 0
16: 5 n/a n/a 0 0
Others: 69 n/a n/a 0 0
SW3#