Saturday, 28 October 2017

Port Security in Switch Part 2

Port Security Configuration

Take a switch and connect three PCs and one more switch to its ports Fa0/1 to Fa0/4, as shown below.


Now on interface Fa 0/1, we will perform the following configuration

switch(config)#interface fastethernet 0/1
switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1

On Fa0/1 we have set the maximum number of devices (MAC addresses) that may be connected through this port. If more addresses than this limit appear on the port, the port is disabled, as shown below.

Now on interface fa 0/2, we will perform the following configuration

switch(config)#interface fastethernet 0/2
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1
switch(config-if)#switchport port-security violation shutdown

On Fa0/2 we have set the violation action, which here is shutdown. Whenever port security is breached, the configured violation action is carried out. There are three violation actions:
  • Protect
  • Restrict
  • Shutdown
Now on interface fa 0/3, we will perform the following configuration

switch(config)#interface fastethernet 0/3
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 0001.420C.83EA

On Fa0/3 you can see that we assigned a static MAC address, but the port detected a different MAC address. That is a clear violation, and the port has been shut down as shown below.

Now on interface fa 0/4, we will perform the following configuration

switch(config)#interface fastethernet 0/4
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky
  
On Fa0/4 we have configured the sticky option, which dynamically learns the MAC address of the first device that connects to the port and keeps it as a secure address.

Remember: to re-enable a port that has been disabled by a violation, you must first shut it manually with the "shutdown" command and then bring it back up with "no shutdown".

To see the port-security status of any interface, use "show port-security interface" followed by the interface name (for example "show port-security interface fa 0/1"). The status of Fa0/1 is shown below.

Friday, 27 October 2017

Port Security in Switch Part 1

Port Security

Introduction
Suppose your IT head asks you to allow only a known list of users to connect to a switch in your IT department, so that users from another department cannot come and plug their devices into your switch. This is the problem that port security solves. With port security, an unauthorized device cannot connect through your switch, which makes the switch more secure. Devices are identified by their MAC address, because the switch works with MAC addresses and not with the device's IP address.

Features of Port Security

The features of port security are as follows:

  • The switch keeps a list of the source MAC addresses seen in incoming frames on the port.
  • The switch lets you define the maximum number of MAC addresses that may have access through that port.
  • If the number of MAC addresses goes past the configured maximum, the switch detects a port-security violation.
  • The sticky MAC address option lets port security learn the MAC addresses of connected devices dynamically, so you do not have to type the address of every device by hand.

Here is an important note to keep in mind: once you enable port security on a switch port, the switch no longer keeps any MAC address on that port as a dynamic entry. We know that to see the MAC address entries of a switch you use the command "show mac address-table", but that command will not show the entries of ports that use port security. Two commands let you see the MAC addresses of secure ports:

  • show mac address-table secure: shows the MAC addresses of the ports that use port security.
  • show mac address-table static: shows the MAC addresses that were statically assigned.

In the next post we will learn how to configure port security and also how to use the show commands listed above.
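As an added example (not code from either post, and not Cisco software), here is a small Python model of the behaviour described in the configuration walkthrough of Part 2 above and in the feature list of this post: a per-port secure MAC table with a maximum, static and sticky secure addresses, the three violation actions, and the manual shutdown / no shutdown recovery. Class and method names, the returned strings and the MAC addresses other than the one from Part 2 are this example's own constructions; the keys of show_port_security() are named after the fields printed by "show port-security interface".

```python
"""Model of Cisco-style port security (added example; not code from the posts).

Behaviour follows the two posts: a maximum count of secure addresses, static and
sticky entries, the protect / restrict / shutdown violation actions, and manual
recovery with shutdown / no shutdown.  Names and sample MACs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # switchport port-security mac-address H.H.H
    learned: dict = field(default_factory=dict)  # mac -> "sticky" | "dynamic"
    admin_down: bool = False
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.static = {m.lower() for m in self.static}

    def secure_addresses(self):
        return self.static | set(self.learned)

    def receive(self, src_mac):
        """Handle one ingress frame; returns forwarded / dropped / shutdown / down."""
        src_mac = src_mac.lower()
        if self.admin_down or self.err_disabled:
            return "down"                              # nothing passes until no shutdown
        if src_mac in self.secure_addresses():
            return "forwarded"
        if len(self.secure_addresses()) < self.maximum:
            # Room left under the maximum: learn it.  Sticky entries are the ones IOS
            # also writes to the running config; dynamic ones are lost on link down.
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "dropped"                           # silently discarded, no record
        self.violation_count += 1                      # restrict and shutdown both count
        self.log.append(f"violation on {self.name} from {src_mac}")  # constructed log text
        if self.violation == "restrict":
            return "dropped"                           # discarded, but counted and logged
        self.err_disabled = True                       # shutdown: port goes err-disabled
        return "shutdown"

    def shutdown(self):
        """Manual 'shutdown'; the post notes this is required before re-enabling."""
        self.admin_down, self.err_disabled = True, False

    def no_shutdown(self):
        """'no shutdown': port comes back; dynamic secure addresses must be re-learned."""
        self.admin_down = False
        self.learned = {m: t for m, t in self.learned.items() if t == "sticky"}

    def show_port_security(self):
        """Fields named after the 'show port-security interface' output."""
        status = ("Secure-shutdown" if self.err_disabled
                  else "Secure-down" if self.admin_down else "Secure-up")
        return {
            "Port Status": status,
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_addresses()),
            "Sticky MAC Addresses": sum(t == "sticky" for t in self.learned.values()),
            "Security Violation Count": self.violation_count,
        }


def run_demo():
    """Replay the Part 2 lab on Fa0/2-Fa0/4 and compare the three violation modes."""
    out = {}
    fa2 = SecurePort("Fa0/2", maximum=1, violation="shutdown")
    out["fa2_first"] = fa2.receive("000a.0000.0001")        # learned and forwarded
    out["fa2_second"] = fa2.receive("000a.0000.0002")       # second MAC: violation
    out["fa2_known_after"] = fa2.receive("000a.0000.0001")  # even the known MAC: down
    fa2.shutdown(); fa2.no_shutdown()                       # the manual recovery step
    out["fa2_recovered"] = fa2.receive("000a.0000.0001")
    out["fa2_status"] = fa2.show_port_security()

    fa3 = SecurePort("Fa0/3", static={"0001.420C.83EA"})    # static MAC from Part 2
    out["fa3_static"] = fa3.receive("0001.420c.83ea")
    out["fa3_other"] = fa3.receive("000a.0000.0003")        # default action is shutdown

    fa4 = SecurePort("Fa0/4", sticky=True)
    out["fa4_sticky"] = fa4.receive("000a.0000.0004")
    out["fa4_status"] = fa4.show_port_security()

    for mode in ("protect", "restrict"):
        p = SecurePort(f"Fa0/{mode}", violation=mode)
        p.receive("000a.0000.0010")
        out[f"{mode}_second"] = p.receive("000a.0000.0011")
        out[f"{mode}_count"] = p.violation_count
        out[f"{mode}_status"] = p.show_port_security()["Port Status"]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18s} {value}")
```

Running the file prints one line per step. The point worth noticing is the difference between the modes: protect drops the offending frame and leaves no trace, restrict drops it but increments the violation counter, and shutdown takes the whole port down so that even the legitimately learned address stops working until the shutdown / no shutdown sequence is applied.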

Thursday, 26 October 2017

Switch interface status and duplex/speed synchronization

Troubleshooting is a very important part of a network engineer's career. If the network of the company you work for goes down, you must be able to troubleshoot and fix the problem so that the network comes back online quickly and the company can resume its work. In this post we will talk about troubleshooting on switches. There are many things to analyse on a switch; some of them are listed below:

  • Checking Interface status and statistics
  • Pattern of forwarding frames
  • Synchronization of speed and duplex
  • Examining port security
  • Configuration of VLAN and VLAN trunking

When you use the "show interface status" command on a switch, it reports two types of status: the line status and the protocol status. The line status refers to layer 1 (the physical layer) and the protocol status to layer 2 (the data link layer). Each of them can be in the up state, the down state or the administratively down state (set manually by the user). The combinations of the two statuses, and their causes, are listed below.

Line status             Protocol status   Interface status   Cause
---------------------   ---------------   ----------------   ------------------------------
up                      up                connected          The interface is working
down                    down              disabled           Disabled by port security
up                      down              not connected      Not expected on a switch
down                    down              not connected      Bad cable or wrong pinouts
administratively down   down              disabled           Done by the user manually

Duplex and Speed 
We all know what the speed of a network is, but many people are not familiar with duplex. There are two duplex modes:

  • Full duplex: the switch can send and receive at the same time.
  • Half duplex: the switch cannot send and receive at the same time.

Now remember, the speed and duplex settings of the switch and of the end device must match. Suppose the PC sends at 100 Mbps but the switch port runs at only 10 Mbps: the link won't work, because the speeds must be the same. The same holds for duplex: both devices must use the same duplex mode. A feature called auto-negotiation helps to solve this problem.

If auto-negotiation fails on a switch or on an end device, the device falls back to these default settings:

  • Speed: use the slowest supported speed (usually 10 Mbps).
  • Duplex: at 10 or 100 Mbps use half duplex; otherwise use full duplex.

In the next post we will learn about port security, which is an important part of a switch in terms of both security and troubleshooting.
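As an added example (not code from the post), the following Python script reads the output of "show interfaces status", maps each port's Status column onto the line status / protocol status pair and cause from the table above, and flags the auto-negotiation failure mode just described (a connected port running half duplex, or a port whose speed and duplex were set by hand). The sample output is constructed, and the column layout it assumes (Port, Name, Status, Vlan, Duplex, Speed, Type) is the usual IOS format.

```python
"""Interpret 'show interfaces status' output (added example; not code from the post).

The sample output is constructed.  The mapping to line/protocol status and cause is
the table from the post; the duplex check implements its autonegotiation fallback rule.
"""
import re

SAMPLE_OUTPUT = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     uplink-to-sw1      connected    trunk      a-full  a-100 10/100BaseTX
Fa0/2                        err-disabled 1            auto   auto 10/100BaseTX
Fa0/3     treasury-pc        connected    3            half     10 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        disabled     1            auto   auto 10/100BaseTX
"""

# The Name column may be empty, so the row is matched around the Status keyword.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>\S+)\s*$"
)

# Status column -> (line status, protocol status, cause) per the table in the post.
# IOS shows a port-security shutdown as "err-disabled"; the post's table calls it "disabled".
CAUSES = {
    "connected":    ("up", "up", "The interface is working"),
    "err-disabled": ("down", "down", "Disabled by port security"),
    "notconnect":   ("down", "down", "Bad cable or wrong pinouts"),
    "disabled":     ("administratively down", "down", "Done by the user manually"),
}


def parse_status(text):
    """One dict per data row; the header line matches none of the status keywords."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def diagnose(row):
    """Attach the line/protocol interpretation and speed/duplex warnings to one row."""
    line, proto, cause = CAUSES[row["status"]]
    finding = {"port": row["port"], "line": line, "protocol": proto,
               "cause": cause, "warnings": []}
    if row["status"] == "connected":
        if not row["duplex"].startswith("a-"):
            # Hard-coded speed/duplex: the other end must be set identically.
            finding["warnings"].append("speed/duplex set manually; confirm the peer matches")
        if row["duplex"].endswith("half"):
            # Half duplex usually means one side fell back to the default
            # (10/100 -> half duplex) because autonegotiation did not complete.
            finding["warnings"].append("half duplex: possible autonegotiation failure")
    return finding


def report(text=SAMPLE_OUTPUT):
    """Map each port name to its finding."""
    return {f["port"]: f for f in map(diagnose, parse_status(text))}


if __name__ == "__main__":
    for port, f in report().items():
        flags = "; ".join(f["warnings"]) or "-"
        print(f"{port:6s} {f['line']:22s} {f['protocol']:5s} {f['cause']:28s} {flags}")
```

Paste real output in place of SAMPLE_OUTPUT to use it on a lab switch; the "a-" prefix on Duplex and Speed is what distinguishes negotiated values from ones typed in by hand, which is why the script uses it to decide whether to warn.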

Wednesday, 25 October 2017

Virtual Local Area Network (VLAN) Trunk

Again consider the scenario of being a network engineer at a bank. The Treasury department and the Procurement department are on two different LANs, meaning they are connected to two separate switches. Now your boss wants you to create a single domain that includes both departments. You cannot simply take both switches and start plugging both departments' cables into one of them, which would obviously disrupt the bank's activities. Instead, connect the two switches to each other, assign both departments to a VLAN with the same VLAN number, and use a concept called VLAN trunking, which lets them communicate with each other even though they are on separate switches. I will now show you how to set up VLAN trunking in Cisco Packet Tracer.

Open Cisco Packet Tracer. Take 4 PCs and 2 switches and connect 2 PCs to the first switch with straight-through cables on interfaces 0/3 and 0/5. Do the same for the remaining PCs and the second switch, using interfaces 0/3 and 0/6. Now connect the two switches to each other through interface 0/1 on both, using a crossover cable. Assign an APIPA address to every PC by opening its IP configuration and selecting DHCP. Name the PCs on Fa0/3 Treasury and Procurement, and the remaining PCs Finance and Logistics.

If you have read my previous post you know how to create VLANs and assign them to interfaces; if not, go to my blog and read the post Virtual Local Area Network (VLAN).
On Switch0, create VLAN 3 and VLAN 5 and assign VLAN 3 to interface 0/3 and VLAN 5 to interface 0/5. Then on Switch1, create VLAN 3 and VLAN 6 and assign VLAN 3 to interface 0/3 and VLAN 6 to interface 0/6. Now ping any PC from any other and you will see that no reply comes back, so the VLANs have been created correctly. Our main task now is to enable communication between the Treasury and Procurement departments through VLAN trunking. Go to Switch0 and enter the following configuration in config mode:

switch(config)#interface fastethernet 0/1
switch(config-if)#switchport mode trunk 
switch(config-if)#exit

VLAN trunking is now enabled, and you can send packets from the Treasury to the Procurement department even though they are on separate switches.

To check that trunking is enabled, enter the command "show interface trunk" in privileged mode and you will see the trunk status.

Thursday, 19 October 2017

Virtual Local Area Network (VLAN)

Consider the following scenario. You work at a bank as a network engineer. The bank asks you to create separate domains for the treasury department and the finance department so that they cannot communicate with each other. The treasury department has 10 users and the finance department has 5. To separate their domains you would need to buy one switch per department, which is expensive. Instead of buying a different switch for each department, you can separate the departments' domains on a single switch. The concept of separating LANs within a single switch is called a Virtual Local Area Network (VLAN).

Now open Cisco Packet Tracer and connect 4 workstations to a switch with straight-through cables. Consider 2 PCs of the treasury department on interfaces Fa0/1 and Fa0/2 and 2 PCs of the finance department on interfaces Fa0/3 and Fa0/4. Assign an APIPA address to each PC: click the PC, go to IP configuration and select DHCP.




Now open the command prompt of PC0 in the treasury department and ping the IP address of PC3, which is in the finance department. It replies, because the treasury department and the finance department are in the same domain.




To separate these departments we will use VLANs. Note that one VLAN contains exactly one domain. Go to the switch and create 2 VLANs:

Switch>en
Switch#config t
Switch(config)#vlan 2
Switch(config-vlan)#name Vlan02
Switch(config-vlan)#exit
Switch(config)#vlan 3
Switch(config-vlan)#name Vlan03
Switch(config-vlan)#exit

After creating the VLANs, we go to the interface configuration mode of the ports to which the PCs are connected. The treasury department's ports are Fa0/1 and Fa0/2 and the finance department's ports are Fa0/3 and Fa0/4. Assign VLAN 2 to the treasury department and VLAN 3 to the finance department. When assigning VLANs to multiple ports you do not have to enter each port one at a time; use the "interface range" command to select several ports and apply the same configuration to all of them at once.

Switch>en
Switch#config t
Switch(config)#interface range fastethernet 0/1 - 2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 2
Switch(config-if-range)#exit
Switch(config)#interface range fastethernet 0/3 - 4
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#exit

Now go back to the command prompt of PC0 and ping PC3. This time there is no reply, because the PCs are in separate domains, which means you have configured the VLANs correctly. Remember that all ports of the switch are initially assigned to the default VLAN, which is VLAN 1. To see your VLAN status, use the command "show vlan brief", which displays the VLAN information.
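As an added example (not code from these posts or from Packet Tracer), here is a Python model of what the switches do in the two labs above: the single-switch VLAN isolation from this post and the two-switch trunk from the VLAN Trunk post. Access ports get an implicit VLAN, a trunk port inserts a real IEEE 802.1Q tag (TPID 0x8100 plus a 12-bit VLAN ID) so the far switch knows which VLAN a frame belongs to, and the VLAN boundary is enforced at every access port. The class names, the host MAC addresses and the frame representation are this example's own constructions.

```python
"""VLAN / 802.1Q trunk model (added example; not code from the posts or Packet Tracer).

Rebuilds the trunk lab (Switch0: Treasury VLAN 3, Finance VLAN 5; Switch1: Procurement
VLAN 3, Logistics VLAN 6; Fa0/1 as trunk on both) and the single-switch isolation from
the VLAN post.  Class names, host MACs and the frame layout are constructed here.
"""
import struct

TPID_8021Q = 0x8100


def dot1q_tag(vid, pcp=0):
    """4-byte IEEE 802.1Q tag: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def dot1q_vid(tag):
    """VLAN ID carried in an 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", tag)
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tag")
    return tci & 0x0FFF


class Switch:
    def __init__(self, name):
        self.name = name
        self.ports = {}       # port -> {"mode": "access", "vlan": N} | {"mode": "trunk", "native": N}
        self.mac_table = {}   # (vlan, mac) -> port, learned from source addresses
        self.links = {}       # port -> (neighbour switch, neighbour port)
        self.delivered = []   # (port, frame) handed to the host on an access port

    def access(self, port, vlan):        # switchport mode access + switchport access vlan N
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def trunk(self, port, native=1):     # switchport mode trunk (untagged = native VLAN)
        self.ports[port] = {"mode": "trunk", "native": native}

    def connect(self, port, other, other_port):
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def ingress(self, port, frame):
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            vlan = cfg["vlan"]                         # access port: VLAN is implicit
        else:
            vlan = dot1q_vid(frame["tag"]) if frame["tag"] else cfg["native"]
        self.mac_table[(vlan, frame["src"])] = port   # learn the source, per VLAN
        known = self.mac_table.get((vlan, frame["dst"]))
        if known is None:
            targets = [p for p in self.ports if p != port]   # unknown destination: flood
        elif known == port:
            targets = []                                     # destination is behind this port
        else:
            targets = [known]
        for p in targets:
            self._egress(p, vlan, frame)

    def _egress(self, port, vlan, frame):
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            if cfg["vlan"] != vlan:
                return                                 # the VLAN boundary is enforced here
            out = dict(frame, tag=None)                # hosts never see a tag
        else:
            out = dict(frame, tag=None if vlan == cfg["native"] else dot1q_tag(vlan))
        if port in self.links:
            other, other_port = self.links[port]
            other.ingress(other_port, out)             # the tag tells the far switch the VLAN
        else:
            self.delivered.append((port, out))


MAC = {"treasury": "0001.0000.0003", "finance": "0001.0000.0005",      # constructed
       "procurement": "0002.0000.0003", "logistics": "0002.0000.0006"}


def build_lab():
    """Return {mac: (switch, port)} for the four PCs of the trunk post."""
    sw0, sw1 = Switch("Switch0"), Switch("Switch1")
    sw0.access("Fa0/3", 3); sw0.access("Fa0/5", 5); sw0.trunk("Fa0/1")
    sw1.access("Fa0/3", 3); sw1.access("Fa0/6", 6); sw1.trunk("Fa0/1")
    sw0.connect("Fa0/1", sw1, "Fa0/1")                 # crossover cable between switches
    return {MAC["treasury"]: (sw0, "Fa0/3"), MAC["finance"]: (sw0, "Fa0/5"),
            MAC["procurement"]: (sw1, "Fa0/3"), MAC["logistics"]: (sw1, "Fa0/6")}


def send(hosts, src, dst):
    """Send one frame src -> dst; return the 'Switch/port' set where a host received it."""
    for sw, _ in hosts.values():
        sw.delivered.clear()
    sw, port = hosts[src]
    sw.ingress(port, {"src": src, "dst": dst, "tag": None})
    return {f"{s.name}/{p}" for s, _ in hosts.values() for p, _ in s.delivered}


def run_demo():
    hosts = build_lab()
    return {
        "treasury->procurement": send(hosts, MAC["treasury"], MAC["procurement"]),  # flooded via trunk
        "procurement->treasury": send(hosts, MAC["procurement"], MAC["treasury"]),  # learned: unicast
        "treasury->finance": send(hosts, MAC["treasury"], MAC["finance"]),          # VLAN 3 vs 5
        "finance->logistics": send(hosts, MAC["finance"], MAC["logistics"]),        # VLAN 5 vs 6
    }


if __name__ == "__main__":
    for flow, ports in run_demo().items():
        print(f"{flow:24s} delivered at {sorted(ports) or 'nobody'}")
```

The first flow is flooded because nothing has been learned yet, so it reaches every VLAN 3 port behind the trunk; the reply is switched as unicast straight to Treasury's port because both switches have learned the source. The Finance and Logistics frames reach nobody: they would only leave through an access port in their own VLAN, and the matching VLAN number is what the two Treasury/Procurement ports share.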