Configuring MAC Address Notification Traps

September 30, 2008 at 11:06 am | Posted in IOS services, Switching

MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.

It looks like MAC address logging can NOT be sent to a Syslog server!

DOC CD Navigation

  • Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEE
  • Administering the Switch
  • Managing the MAC Address Table
  • Configuring MAC Address Notification Traps

Example (from the configuration guide; note that it sends SNMPv1 traps with the plaintext community string private, acceptable in a lab but in production use an SNMPv3 user with authentication and privacy, and that only added addresses are trapped on the port, so add snmp trap mac-notification removed if you also want removals):

Switch(config)# snmp-server host 172.20.10.10 traps private
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
Switch(config)# interface fastethernet0/4
Switch(config-if)# snmp trap mac-notification added
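As an added example (my own code, not from the post or the Cisco guide), here is a decoder for what the NMS actually receives: the cmnHistMacChangedMsg varbind of the CISCO-MAC-NOTIFICATION-MIB trap, which packs the bundled events as 11-byte entries (operation, VLAN, MAC, dot1dBasePort). That layout is taken from the MIB description as I remember it and should be checked against the MIB file; the sample payloads are constructed, and the dot1dBasePort to interface-name mapping is left out because it is switch specific. It also shows the check a SOC would bolt on top of these traps: flag a MAC that gets learnt on a different port than before.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One entry of the cmnHistMacChangedMsg octet string (CISCO-MAC-NOTIFICATION-MIB),
# as described in the MIB: operation (1 byte: 1 = learnt, 2 = removed, 0 = end of
# list), VLAN (2 bytes), MAC address (6 bytes), dot1dBasePort (2 bytes), big-endian.
# This layout is an assumption taken from the MIB description; verify it against
# your MIB file before relying on it.
ENTRY = struct.Struct("!BH6sH")
OPS = {1: "learnt", 2: "removed"}


@dataclass(frozen=True)
class MacEvent:
    op: str      # "learnt" or "removed"
    vlan: int
    mac: str     # colon-separated lower-case hex
    port: int    # dot1dBasePort; map it to an ifName via BRIDGE-MIB yourself


def decode_mac_changed_msg(payload: bytes) -> List[MacEvent]:
    """Decode the trap varbind into events. Rejects odd lengths and unknown op codes."""
    if len(payload) % ENTRY.size:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {ENTRY.size}")
    events: List[MacEvent] = []
    for off in range(0, len(payload), ENTRY.size):
        op, vlan, mac, port = ENTRY.unpack_from(payload, off)
        if op == 0:            # end-of-list marker / zero padding
            break
        if op not in OPS:
            raise ValueError(f"unknown operation {op} at offset {off}")
        events.append(MacEvent(OPS[op], vlan, ":".join(f"{b:02x}" for b in mac), port))
    return events


def mac_port_moves(events: List[MacEvent]) -> List[Tuple[str, int, int]]:
    """Return (mac, old_port, new_port) whenever a MAC is learnt on a different port
    than it was last learnt on: a station moving, or someone spoofing that MAC."""
    last_port: Dict[str, int] = {}
    moves: List[Tuple[str, int, int]] = []
    for ev in events:
        if ev.op != "learnt":
            continue
        if ev.mac in last_port and last_port[ev.mac] != ev.port:
            moves.append((ev.mac, last_port[ev.mac], ev.port))
        last_port[ev.mac] = ev.port
    return moves


# Constructed sample payloads (not real captures), built with the same struct.
MAC = bytes.fromhex("001122334455")
SAMPLE = ENTRY.pack(1, 10, MAC, 4) + ENTRY.pack(2, 10, MAC, 4)        # learnt, then removed
MOVE_SAMPLE = ENTRY.pack(1, 10, MAC, 4) + ENTRY.pack(1, 10, MAC, 7)   # same MAC on two ports

if __name__ == "__main__":
    for ev in decode_mac_changed_msg(SAMPLE):
        print(ev)
    print("moves:", mac_port_moves(decode_mac_changed_msg(MOVE_SAMPLE)))
```

Feed decode_mac_changed_msg the raw octets of the varbind from your trap receiver; with a trap interval configured the switch bundles several entries into one string, which is why the decoder loops.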

OSPF capability transit

September 29, 2008 at 1:00 pm | Posted in OSPF, Routing

OSPF area capability transit is enabled by default, allowing the OSPF Area Border Router to install better-cost routes to the backbone area through the transit area instead of the virtual links.

If you want to keep the traffic on the virtual-link path, you can disable capability transit by entering the no capability transit command. Paths discovered through the transit area are normally better than, or at least equal to, the virtual-link path. To re-enable capability transit, enter the capability transit command.

If you need to verify whether OSPF area capability transit is enabled for a specific routing process, enter the show ip ospf command.

DOC CD Navigation

  • Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4
  • Part 5: OSPF
  • OSPF Area Transit Capability

The capability transit command can also be looked up in the Command Reference.

DHCP For PPP Link

September 25, 2008 at 6:06 pm | Posted in IP Services

I came across a weird issue today when practicing Vol2 Lab 13, Task 2.3: the R4 Serial interface was not able to get an IP address via DHCP until I changed the R5 Serial0/1 to use ip unnumbered off Loopback1 instead of a manual IP.

This could be because routing for the subnet 139.1.45.0/24 is not available until the interface is fully up, by which time IPCP is no longer negotiating an IP address for the Serial interface. The loopback interface works around this issue. It may also be because of some other hidden issue I am not aware of. Anyway, this issue is a good candidate for an IOS bug, or a weird caveat that needs to be remembered by heart.

[21 Oct 2008] Also see other related issue found at https://enotepad.wordpress.com/2008/10/21/dhcp-for-ppp-link-revisited/

[22 Oct 2008]

This issue has been confirmed in the IEWB Vol1 ver5. We either need to use ip unnumbered off a loopback, or static routing for that Serial PPP interface. This is needed because on a PPP link the Serial interface is not UP/UP for IP until the address has actually been negotiated, so the connected route for the link is not yet installed or advertised. When the relayed DHCP request arrives at the server, the server therefore has no route back to the relay and cannot send the reply.

This can be observed by turning on debug ip packet detail on the server, where the DHCP reply packets (UDP src=67, dst=67) show up as unroutable.

RSRack1R5#sh run int s0/1
interface Serial0/1
ip address 139.1.45.5 255.255.255.0
encapsulation ppp
peer default ip address dhcp

ip dhcp-server 139.1.15.1

RSRack1R4#sh ip int s0/1
Serial0/1 is up, line protocol is up
Internet address will be negotiated using IPCP
Broadcast address is 255.255.255.255
Peer address is 139.1.45.5
MTU is 1500 bytes

RSRack1R4#sh ip int brief | in Serial0/1
Serial0/1                  unassigned YES IPCP   up                    up

Change to use IP unnumbered on R5

RSRack1R4#sh run int s0/1
interface Serial0/1
ip address negotiated
ip rip advertise 3
encapsulation ppp

RSRack1R5#sh run
!
interface Serial0/1
ip unnumbered Loopback1
encapsulation ppp
peer default ip address dhcp

interface Loopback1
ip address 139.1.45.5 255.255.255.0

ip dhcp-server 139.1.15.1

RSRack1R4#sh ip int s0/1
Serial0/1 is up, line protocol is up
Internet address is 139.1.45.4/32
Broadcast address is 255.255.255.255
Address determined by IPCP
Peer address is 139.1.45.5

RSRack1R4#sh ip int brief | in Serial0/1
Serial0/1                  139.1.45.4 YES IPCP up                    up

ACL usage: Direction of traffic

September 24, 2008 at 1:53 pm | Posted in Blogroll

Lab13, Task 7.1

I sometimes make stupid mistakes, e.g. when doing this task, where I overlooked the direction of the ACLs.
</gr_replreplace>

<gr_replace lines="120" cat="clarify" orig="– Use common">
– Use common sense. ICMP-based DoS and reconnaissance (floods, ping sweeps) arrive as ICMP echo from OUTSIDE, while the ICMP responses that give traceroute its answers (port unreachable, time exceeded) are generated from INSIDE.

Tips to avoid stupid mistakes

– Read questions carefully

– Use common sense. DoS are usually exploited by sending ICMP echo from OUTSIDE, and other ICMP responses (e.g. port unreachables, time-exceeded) generated from INSIDE.

Task requirement:

Configure R3’s interface E0/1 and R4’s interface E0/0 to reflect the following policy:

  • Deny inbound all ICMP echo (type 8) packets.
  • Deny outbound all ICMP time exceeded and port unreachable packets to stop traceroute ‘replies’.
  • Silently discard packets that are denied.
  • Log all denied packets.

Solution (shown for R3's Ethernet0/1; the task asks for the same policy on R4's Ethernet0/0). The no ip unreachables line is what makes the discard silent: without it the router answers every ACL-denied packet with an ICMP administratively-prohibited unreachable, which both defeats the filter's purpose and tells the sender a filter is there.
interface Ethernet0/1
ip access-group FILTER_IN in
ip access-group FILTER_OUT out
no ip unreachables
!
ip access-list extended FILTER_IN
deny icmp any any echo log
permit ip any any
!
ip access-list extended FILTER_OUT
deny icmp any any time-exceeded log
deny icmp any any port-unreachable log
permit ip any any

Where is GRE located in DOC CD?

September 24, 2008 at 10:55 am | Posted in Lab tips

It’s located under

  • Configuration Guide
  • System Management
  • Cisco IOS Interface and Hardware Component Configuration Guide, Release 12.4
  • Part 4: Tunnels

Some common features are easy to navigate to, like virtual links, which you know are under Routing -> OSPF, or DHCP, which is under IP Addressing.

The GRE location is not obvious. My first thought was that it might be under Routing -> Protocol Independent, or IP Addressing, but neither is correct. For uncommon features like this, I usually stop searching around after two or three tries. My approach is to go back to the Master Index and search for a keyword relating to the feature. More specifically:

Cisco IOS Master Command List, Release 12.4
Look for one of these commands:
  • tunnel source
  • tunnel destination
  • tunnel mode

All three commands are located in the
Cisco IOS Interface and Hardware Component Command Reference

Now we know which main topic GRE belongs to, and we can go back to the configuration guide and navigate under this topic to GRE, as listed at the beginning of this post. Here it is again:

  • Configuration Guide
  • System Management
  • Cisco IOS Interface and Hardware Component Configuration Guide, Release 12.4
  • Part 4: Tunnels

802.1P

September 13, 2008 at 4:36 pm | Posted in Switching
RSRack1SW1(config-if)#switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don't tell telephone about voice vlan
  untagged  Untagged on PVID

RSRack1SW1(config-if)#switchport voice vlan dot1p

This command configures the phone to use IEEE 802.1p priority tagging for its voice traffic and to send it with VLAN ID 0, i.e. priority-tagged frames that carry a CoS value but no VLAN, which the switch places in the port's native VLAN (the PVID, as the help text above says). By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5.

Doc CD Navigation

  • Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)SE
  • Configuring Voice VLAN
  • Voice VLAN Configuration Guidelines

VTP Pruning Caveat in a mixed VTP mode topology

September 13, 2008 at 4:18 pm | Posted in Switching
Server  Client   Trans     Client
SW1 ---- SW2 ---- SW3 ----- SW4
                   |         |
                   |VLAN25   |
                   |         |
                   R5       VLAN25

A switch in VTP transparent mode does not take part in VTP pruning: it originates no pruning (join) messages for the VLANs it has ports in, and only relays the VTP messages it receives from switches in server or client mode.

Therefore, if we enable pruning on SW1, SW2 and SW4, and SW1 and SW2 have no ports in VLAN 25, SW4 never receives a join for VLAN 25 on its trunk to SW3 (SW3 does not send one, and the joins it relays from SW2 do not list VLAN 25), so SW4 prunes VLAN 25 from the SW3-SW4 trunk even though SW3 has a port (R5) in VLAN 25. As a result, reachability in VLAN 25 between SW3 and SW4 is broken.

To prevent VLAN 25 from being pruned, we need to remove it from the prune-eligible list on SW4's trunk:

RSRack1SW4#sh int trunk | b prune
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1-2,11,32,43,367

RSRack1SW4(config)#interface FastEthernet0/19
RSRack1SW4(config-if)# switchport trunk pruning vlan remove 25 

RSRack1SW4#sh run int fa0/19
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk pruning vlan 2-24,26-1001
 switchport mode dynamic desirable
end

RSRack1SW4#sh int trunk | b prune
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1-2,11,25,32,43,367
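A small added model (my own code, not from the post or Cisco) of the join-message behaviour this caveat depends on: server and client switches advertise, on each trunk, the VLANs they have ports in plus the VLANs they heard joins for on their other trunks; a transparent switch originates nothing and only relays what it hears; a pruning switch removes a prune-eligible VLAN from a trunk on which no join for it arrived. It reproduces the four-switch topology above and shows that VLAN 25 is pruned by SW4 toward SW3 until it is taken off the prune-eligible list on that trunk. The switch names, modes and per-switch VLANs are taken from the diagram; VTP timers, versions, domain checks and the STP side of pruning are ignored.

```python
from typing import Dict, Optional, Set, Tuple

# Topology from the post (trunks are undirected; joins are modelled per direction).
TRUNKS = {("SW1", "SW2"), ("SW2", "SW3"), ("SW3", "SW4")}
MODE = {"SW1": "server", "SW2": "client", "SW3": "transparent", "SW4": "client"}
# VLANs with local (access) ports: R5 hangs off SW3 in VLAN 25, SW4 has a VLAN 25 port too.
LOCAL_VLANS: Dict[str, Set[int]] = {"SW1": {1}, "SW2": {1}, "SW3": {25}, "SW4": {25}}
PRUNE_ELIGIBLE: Set[int] = set(range(2, 1002))   # default prune-eligible list: VLANs 2-1001

Trunk = Tuple[str, str]


def neighbours(sw: str) -> Set[str]:
    return {b if a == sw else a for a, b in TRUNKS if sw in (a, b)}


def joins() -> Dict[Trunk, Set[int]]:
    """Fixed point of 'VLANs that A advertises as needed on trunk A->B'.
    Server/client switches advertise their local VLANs plus whatever they heard on
    their other trunks; a transparent switch relays what it hears and adds nothing."""
    adv: Dict[Trunk, Set[int]] = {(a, b): set() for a in MODE for b in neighbours(a)}
    changed = True
    while changed:
        changed = False
        for a, b in list(adv):
            heard = set().union(*(adv[(c, a)] for c in neighbours(a) if c != b))
            want = heard if MODE[a] == "transparent" else LOCAL_VLANS[a] | heard
            if want != adv[(a, b)]:
                adv[(a, b)] = want
                changed = True
    return adv


def pruned(adv: Dict[Trunk, Set[int]],
           eligible: Optional[Dict[Trunk, Set[int]]] = None) -> Dict[Trunk, Set[int]]:
    """VLANs that A prunes on trunk A->B: prune-eligible VLANs for which B sent no join.
    Transparent switches do not prune. 'eligible' overrides the default list per trunk,
    which is what 'switchport trunk pruning vlan remove 25' does on one interface."""
    out: Dict[Trunk, Set[int]] = {}
    for a, b in adv:
        if MODE[a] == "transparent":
            continue
        out[(a, b)] = (eligible or {}).get((a, b), PRUNE_ELIGIBLE) - adv[(b, a)]
    return out


def vlan_pruned_on(vlan: int, a: str, b: str,
                   eligible: Optional[Dict[Trunk, Set[int]]] = None) -> bool:
    return vlan in pruned(joins(), eligible).get((a, b), set())


if __name__ == "__main__":
    print("VLAN 25 pruned by SW4 on its trunk to SW3:", vlan_pruned_on(25, "SW4", "SW3"))
    print("VLAN 25 pruned by SW2 on its trunk to SW3:", vlan_pruned_on(25, "SW2", "SW3"))
    fix = {("SW4", "SW3"): PRUNE_ELIGIBLE - {25}}
    print("after 'pruning vlan remove 25' on SW4 Fa0/19:", vlan_pruned_on(25, "SW4", "SW3", fix))
```

The asymmetry is the whole caveat: SW2 keeps VLAN 25 on its trunk because SW3 relays SW4's join, but SW4 hears only SW2's relayed joins, which never mention VLAN 25.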

Catalyst QoS: VLAN Access-map for IP traffic filtering

September 12, 2008 at 3:31 pm | Posted in QoS, Switching

Task: Configuring VLAN access-map to only allow Telnet and Ping and routing (OSPF) traffic within VLAN145.

Because the access-map ends with a drop, ARP frames must be explicitly permitted as well: ARP is not IP, so the IP access-list 100 never matches it, and without the MAC ACL entry two hosts in VLAN 145 cannot resolve each other's MAC address and connectivity between them fails, even though Telnet and ICMP themselves are permitted.

Configuration

access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any

!
mac access-list extended ARP
 permit any any 0x806 0x0
!
vlan access-map VLAN145_FILTER 10
 action forward
 match ip address 100
vlan access-map VLAN145_FILTER 15
 action forward
 match mac address ARP
vlan access-map VLAN145_FILTER 20
 action drop
!
vlan filter VLAN145_FILTER vlan-list 145
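To see why the ARP entry is needed, here is an added example (my own code, not configuration from the post) that models how the switch walks the access-map: sequences are tried in order, an entry matches only if its ACL is of the frame's kind (an IP ACL can never match an ARP frame, which has no IP header), and the final sequence without a match clause is the catch-all. The ACL 100 entries, the ARP MAC ACL and the two maps are transcribed from the post; the frames are constructed, and treating a frame that matches no sequence at all as dropped is my assumption (the post's maps never get there).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806


@dataclass(frozen=True)
class Frame:
    ethertype: int
    proto: str = ""        # for IP frames: "tcp", "udp", "icmp", "ospf"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""    # for ICMP: "echo", "echo-reply", ...


# access-list 100 from the post, entry by entry, as predicates over an IP frame.
ACL_100: List[Callable[[Frame], bool]] = [
    lambda f: f.proto == "tcp" and f.dport == 23,                 # permit tcp any any eq telnet
    lambda f: f.proto == "tcp" and f.sport == 23,                 # permit tcp any eq telnet any
    lambda f: f.proto == "icmp" and f.icmp_type == "echo",        # permit icmp any any echo
    lambda f: f.proto == "icmp" and f.icmp_type == "echo-reply",  # permit icmp any any echo-reply
    lambda f: f.proto == "ospf",                                  # permit ospf any any
]


def match_ip_acl(frame: Frame) -> bool:
    """'match ip address 100': an IP ACL is only evaluated against IP frames, so an
    ARP frame (no IP header) can never match it, whatever the ACL says."""
    return frame.ethertype == ETHERTYPE_IP and any(rule(frame) for rule in ACL_100)


def match_mac_acl_arp(frame: Frame) -> bool:
    """'match mac address ARP' with 'permit any any 0x806 0x0': matches on EtherType only."""
    return frame.ethertype == ETHERTYPE_ARP


@dataclass(frozen=True)
class MapEntry:
    seq: int
    action: str                                      # "forward" or "drop"
    match: Optional[Callable[[Frame], bool]] = None  # None: no match clause, matches everything


def vacl_action(access_map: List[MapEntry], frame: Frame) -> str:
    """Walk the access-map in sequence order; the first matching entry decides."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.match is None or entry.match(frame):
            return entry.action
    return "drop"   # assumption for a frame matching no sequence; unreachable with the maps below


WITHOUT_ARP = [MapEntry(10, "forward", match_ip_acl), MapEntry(20, "drop")]
WITH_ARP = [MapEntry(10, "forward", match_ip_acl), MapEntry(15, "forward", match_mac_acl_arp),
            MapEntry(20, "drop")]

# Constructed test frames: what two hosts and a router in VLAN 145 would actually send.
FRAMES: Dict[str, Frame] = {
    "arp-request": Frame(ETHERTYPE_ARP),
    "telnet-syn": Frame(ETHERTYPE_IP, "tcp", sport=51000, dport=23),
    "telnet-reply": Frame(ETHERTYPE_IP, "tcp", sport=23, dport=51000),
    "ping": Frame(ETHERTYPE_IP, "icmp", icmp_type="echo"),
    "ospf-hello": Frame(ETHERTYPE_IP, "ospf"),
    "http": Frame(ETHERTYPE_IP, "tcp", sport=51001, dport=80),
    "dns": Frame(ETHERTYPE_IP, "udp", sport=51002, dport=53),
}


def evaluate(access_map: List[MapEntry]) -> Dict[str, str]:
    return {name: vacl_action(access_map, frame) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate(WITHOUT_ARP).items():
        print(f"without ARP entry: {name:13s} -> {verdict}")
    for name, verdict in evaluate(WITH_ARP).items():
        print(f"with ARP entry:    {name:13s} -> {verdict}")
```

The same reasoning applies to anything else that is not IP inside the VLAN (a non-IP protocol, or any frame the platform classifies outside the IP path); with a default-drop map, each such type needs its own MAC ACL entry.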

Catalyst QoS – Using Hierarchical Policy-Maps for Policing Markdown on 3560

September 12, 2008 at 11:44 am | Posted in QoS, Switching

Configuration

SW2#
class-map match-all IP_TRAFFIC
 match access-group 100
class-map match-all INPUT_INTERFACES
 match input-interface  FastEthernet0/13 - FastEthernet0/15
!
!
policy-map POLICE_32K
 class INPUT_INTERFACES
  police 32000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_64K
 class INPUT_INTERFACES
  police 64000 8000 exceed-action policed-dscp-transmit
policy-map POLICE_VLAN200
 class IP_TRAFFIC
  set ip precedence 5
  service-policy POLICE_64K
policy-map POLICE_VLAN100
 class IP_TRAFFIC
  set ip precedence 4
  service-policy POLICE_32K

mls qos map policed-dscp  32 to 24
mls qos map policed-dscp  40 to 32
mls qos

interface range fa0/13-15
 mls qos vlan-based

interface Vlan100
 service-policy input POLICE_VLAN100
!
interface Vlan200
 service-policy input POLICE_VLAN200

Verification

What to look for: each VLAN's traffic first gets the parent marking (precedence 5 = DSCP 40 on VLAN 200, precedence 4 = DSCP 32 on VLAN 100) and then hits the child policer; packets that exceed the rate are not dropped but rewritten through the policed-DSCP map, so the egress port shows two DSCP values per test: 40 and 32 (CoS 5 and 4) for the 64 kbps VLAN 200 policy, 32 and 24 (CoS 4 and 3) for the 32 kbps VLAN 100 policy. The policer counters on Fa0/4 stay at zero because Fa0/4 is the egress port; the policing is applied to traffic entering on Fa0/13-15.
SW1#ping 200.0.0.4 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 200.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/9 ms

SW2#sh mls qos interface fa0/4 statistics
FastEthernet0/4 (All statistics are in packets)

  dscp: incoming 
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0            0 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           18            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :          82            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  dscp: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0            0 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           18            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :          82            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  cos: incoming 
-------------------------------

  0 -  4 :         102            0            0            0            0 
  5 -  7 :           0            0            0 
  cos: outgoing
-------------------------------

  0 -  4 :           0            0            0            0           18 
  5 -  7 :          82            0            0 
Policer: Inprofile:            0 OutofProfile:            0 

SW2#clear mls qos int statistic

SW1#ping 100.0.0.4 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 100.0.0.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/9 ms

SW2#sh mls qos interface fa0/4 statistics          
FastEthernet0/4 (All statistics are in packets)

  dscp: incoming 
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0           26 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           74            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :           0            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  dscp: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0 
  5 -  9 :           0            0            0            0            0 
 10 - 14 :           0            0            0            0            0 
 15 - 19 :           0            0            0            0            0 
 20 - 24 :           0            0            0            0           26 
 25 - 29 :           0            0            0            0            0 
 30 - 34 :           0            0           74            0            0 
 35 - 39 :           0            0            0            0            0 
 40 - 44 :           0            0            0            0            0 
 45 - 49 :           0            0            0            0            0 
 50 - 54 :           0            0            0            0            0 
 55 - 59 :           0            0            0            0            0 
 60 - 64 :           0            0            0            0 
  cos: incoming 
-------------------------------

  0 -  4 :         109            0            0            0            0 
  5 -  7 :           0            0            0 
  cos: outgoing
-------------------------------

  0 -  4 :           0            0            0           26           74 
  5 -  7 :           0            0            0 
Policer: Inprofile:            0 OutofProfile:            0

SW2#show mls qos maps policed-dscp 
   Policed-dscp map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9 
     ---------------------------------------
      0 :    00 01 02 03 04 05 06 07 08 09 
      1 :    10 11 12 13 14 15 16 17 18 19 
      2 :    20 21 22 23 24 25 26 27 28 29 
      3 :    30 31 24 33 34 35 36 37 38 39 
      4 :    32 41 42 43 44 45 46 47 48 49 
      5 :    50 51 52 53 54 55 56 57 58 59 
      6 :    60 61 62 63
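What the markdown does, as an added example (my own code, not the switch's): a single-rate policer modelled as a token bucket with the post's rate and burst values, and the policed-DSCP map applied to the packets that exceed it. The offered load is constructed, so the counts differ from the ping test above, but the mechanism that produced two DSCP values per VLAN is the same: the parent class marks (DSCP 40 for precedence 5, DSCP 32 for precedence 4) and exceeding packets are then rewritten through the map (40 to 32, 32 to 24) and transmitted rather than dropped. Time is simulated in milliseconds, and the 3560 hardware policer's details (rate granularity, burst rounding) are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# 'mls qos map policed-dscp 32 to 24' and '40 to 32'; every other DSCP maps to itself,
# exactly as 'show mls qos maps policed-dscp' displays it.
POLICED_DSCP: Dict[int, int] = {32: 24, 40: 32}


def policed_dscp(dscp: int) -> int:
    return POLICED_DSCP.get(dscp, dscp)


@dataclass
class Policer:
    """Single-rate token bucket for 'police <rate-bps> <burst-bytes>'. Integer time in
    milliseconds keeps the arithmetic exact (64000 bps is 8 bytes per ms)."""
    rate_bps: int
    burst_bytes: int
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes          # bucket starts full

    def conforms(self, size: int, now_ms: int) -> bool:
        refill = (now_ms - self.last_ms) * self.rate_bps // 8000
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police_vlan(packets: List[Tuple[int, int]], precedence: int,
                rate_bps: int, burst: int) -> List[int]:
    """The hierarchical policy for one VLAN: the parent class marks every IP packet
    ('set ip precedence N' gives DSCP 8*N), the child class polices, and packets that
    exceed the rate are marked down through the policed-DSCP map but still sent
    ('exceed-action policed-dscp-transmit'). Returns the DSCP each packet leaves with."""
    marked = precedence << 3
    bucket = Policer(rate_bps, burst)
    return [marked if bucket.conforms(size, t) else policed_dscp(marked)
            for t, size in packets]


def dscp_counts(dscps: List[int]) -> Dict[int, int]:
    """Roughly what 'show mls qos interface statistics' tallies per DSCP on the egress port."""
    counts: Dict[int, int] = {}
    for d in dscps:
        counts[d] = counts.get(d, 0) + 1
    return counts


# Constructed offered load (not the ping test from the post): 100 packets of 1000 bytes,
# one every 10 ms, i.e. 800 kbps against a 64 kbps or 32 kbps policer.
OFFERED = [(i * 10, 1000) for i in range(100)]

if __name__ == "__main__":
    print("VLAN 200 (prec 5, 64k):", dscp_counts(police_vlan(OFFERED, 5, 64000, 8000)))
    print("VLAN 100 (prec 4, 32k):", dscp_counts(police_vlan(OFFERED, 4, 32000, 8000)))
```

With the 8000-byte burst the first eight packets conform regardless of rate; after that only a trickle conforms and everything else carries the marked-down DSCP, which is the pattern behind the two columns of counters in the output above.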

Doc CD Navigation

  • Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)SE
  • Configuring QoS
  • Configuring Standard QoS
    • Configuring a QoS Policy
      • Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
    • Configuring DSCP Maps
      • Configuring the Policed-DSCP Map

Catalyst QoS – Per port, Per VLAN classification

September 11, 2008 at 5:26 pm | Posted in QoS, Switching

Configure SW3 to mark traffic coming in on the trunk interface Fa0/16 from VLAN 201 with IP Precedence 1, and from VLAN 202 with IP Precedence 2.

Topology:

VLAN201          VLAN201
  |                 |
  |                 |
  |                 |
SW2 ------------- SW3
  |                 |
  |                 |
  |                 |
VLAN202          VLAN202

Configuration

SW3#

!
class-map match-all VLAN202
match vlan  202
class-map match-all VLAN201
match vlan  201
!
!
policy-map MARK_PREC
 class VLAN201
  set ip precedence 1
 class VLAN202
  set ip precedence 2

!

Note that on this platform a class-map that uses match vlan must also contain a match class-map line naming a nested class-map (here IP_TRAFFIC; its definition is not shown in this post). The per-port per-VLAN classification only works in that nested form. The configuration above lacks the match class-map line, and the switch rejects it when the service policy is attached to the interface:

SW3(config)#int fa0/16
SW3(config-if)#service-policy input MARK_PREC
QoS: match class-map must follow match vlan in class-map VLAN201.
QoS: Policy map MARK_PREC failed vlan check
Service Policy attachment failed
*Mar  1 05:45:32.418: %QM-4-MATCH_NOT_SUPPORTED: Match type is not supported in classmap VLAN201
SW3(config)#class-map match-all VLAN202
SW3(config-cmap)#match vlan  202
SW3(config-cmap)#match class-map IP_TRAFFIC
SW3(config)#class-map match-all VLAN201
SW3(config-cmap)#match vlan  201
SW3(config-cmap)#match class-map IP_TRAFFIC
SW3(config-cmap)#int fa0/16
SW3(config-if)#service-policy input MARK_PREC

Verification

SW3(config)#int vlan 201
SW3(config-if)#ip accounting precedence input
SW3#
SW3#
SW3#sh int vlan 201 precedence
Vlan201
  Input
    (none)

SW2#ping 201.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

SW3#sh int vlan 201 precedence
Vlan201
  Input
    Precedence 0:  5 packets, 590 bytes
SW3#sh mls qos
QoS is disabled

SW3#c
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#mls qos
QoS: ensure flow-control on all interfaces are OFF for proper operation.
SW3(config)#
SW3#
SW3#

SW3#sh mls qos
QoS is enabled

SW2#ping 201.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

SW3#sh int vlan 201 precedence
Vlan201
  Input
    Precedence 0:  5 packets, 590 bytes
    Precedence 1:  5 packets, 590 bytes

SW2#ping 202.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

SW3#sh int vlan 202 precedence
Vlan202
  Input
    Precedence 2:  5 packets, 590 bytes

Alternatively, on a C3550 we can use mls qos monitor dscp on a physical interface to count the packets carrying particular DSCP values. IP Precedence N corresponds to DSCP 8N, so precedence 1 and 2 show up as DSCP 8 and 16, which is what the monitor list below selects.

SW3#c
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int fa0/16
SW3(config-if)#mls qos
SW3(config-if)#mls qos mo
SW3(config-if)#mls qos monitor ?
  bytes    Collect byte statistics
  dscp     Collect DSCP statistics
  packets  Collect packet statistics

SW3(config-if)#mls qos monitor ds
SW3(config-if)#mls qos monitor dscp ?
  <0-63>  DSCP values separated by spaces (up to 8 values total)

SW3(config-if)#mls qos monitor dscp 0 ?
  <0-63>  DSCP values separated by spaces (up to 8 values total)
  <cr>

SW3(config-if)#mls qos monitor dscp 0 8 16
SW3(config-if)#
SW3#
*Mar  1 06:00:28.574: %SYS-5-CONFIG_I: Configured from console by console
SW3#c
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int fa0/16
SW3(config-if)#mls qos monitor packets
QoS: This command is only applicable on a master port.
 On a 24 ports switch:
  -port 1 controls interface 1 to 12
  -port 13 controls interface 13 to 24
 On a 48 ports switch:
  -port 25 controls interface 25 to 36
  -port 37 controls interface 37 to 48
SW3(config-if)#
SW3(config-if)#
SW3(config-if)#int fa0/13
SW3(config-if)#mls qos monitor packets
SW3(config-if)#

SW2#ping 201.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW2#ping 202.0.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

SW3#sh mls qos int fa0/16 statistics
FastEthernet0/16
Ingress
  dscp: incoming   no_change  classified policed    dropped (in pkts)
    0 : 14         4          0          0          0        
    8 : 0          0          5          0          0        
    16: 0          0          5          0          0        
Others: 0          0          0          0          0        
Egress
  dscp: incoming   no_change  classified policed    dropped (in pkts)
    0 : 5             n/a       n/a      0          0        
    8 : 5             n/a       n/a      0          0        
    16: 5             n/a       n/a      0          0        
Others: 69            n/a       n/a      0          0         

SW3#