Monday, March 17, 2014
Saturday, March 15, 2014
EIGRP Route Filtering
- Why filter routes in EIGRP
- Branch routers do not need to see each other's networks.
- Branch routers might be in the sales division and do not need to reach the manufacturing division.
- Some routers will have smaller routing tables.
- Propagating the topology database over slow links will use less bandwidth.
- Security reasons.
- How to filter routes in EIGRP:
- Filtering routes in EIGRP is always done with distribute-lists. To match the routes to be filtered we can use:
- access-list
- ip prefix-list
- route-map
Filter by an access-list
- Let's say the router has the network 172.16.28.0/24.
- We want this prefix to be filtered from being propagated to other routers.
- Remember that at the end of each access-list there is an implicit deny statement.
- Create a standard ACL (named or numbered):
- ip access-list standard 5
- deny 172.16.0.0 0.0.255.255
- permit any
- Attach the access-list to EIGRP by using a distribute-list:
- router eigrp 10
- distribute-list 5 out
Filter by a prefix-list
- Characteristics of prefix-list usage
- Allows matching on the prefix length (subnet mask), which an ACL does not.
- Faster matching of routes compared to an ACL.
- Can only be used for route filtering; it cannot be used for packet filtering (security).
- Each line has a sequence number and a permit/deny statement.
- Example of prefix-list filtering:
- ip prefix-list list-name seq seq-num {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
- The route prefix must be within the range of addresses implied by prefix/prefix-length.
- The route's prefix length must fall within the range implied by prefix-length, ge-value and le-value.
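The difference between the two match tools above (the ACL with its wildcard mask, and the prefix-list with its ge/le window) as an added example, not code from the original post. It applies the post's ACL 5 and a prefix-list to a constructed branch routing table; note that the ACL's wildcard 0.0.255.255 removes every 172.16.x.x route, not only the /24 the post wants filtered.

```python
import ipaddress

# Added example, not from the original post: models how a standard ACL
# (wildcard mask, prefix length ignored) and an ip prefix-list (ge/le
# window on the prefix length) decide which routes a distribute-list
# lets through. The routing table below is constructed sample data.

def acl_matches(entry_net, wildcard, route):
    """Standard ACL test: compare only the bits the wildcard mask does
    not cover; the route's own mask length plays no part."""
    net = int(ipaddress.IPv4Address(entry_net))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Network(route).network_address)
    return (net & ~wc) == (addr & ~wc)

def prefix_list_matches(entry, route, ge=None, le=None):
    """ip prefix-list test: the route must lie inside the entry's range
    and its length must fall in the ge/le window (no ge/le = exact)."""
    ent, rt = ipaddress.IPv4Network(entry), ipaddress.IPv4Network(route)
    if not rt.subnet_of(ent):
        return False
    lo = ge if ge is not None else ent.prefixlen
    hi = le if le is not None else (32 if ge is not None else ent.prefixlen)
    return lo <= rt.prefixlen <= hi

def distribute_list_out(rules, routes):
    """First matching (action, test) rule wins; a route that matches
    nothing hits the implicit deny and is not advertised."""
    advertised = []
    for route in routes:
        for action, test in rules:
            if test(route):
                if action == "permit":
                    advertised.append(route)
                break
    return advertised

# Constructed routing table of the branch router in the post.
ROUTES = ["172.16.28.0/24", "172.16.1.0/24", "172.16.0.0/16", "10.1.0.0/16"]

# The post's ACL 5: deny 172.16.0.0 0.0.255.255, then permit any.
ACL5 = [("deny", lambda r: acl_matches("172.16.0.0", "0.0.255.255", r)),
        ("permit", lambda r: True)]

# A prefix-list that removes only the /24 the post wants filtered.
PL = [("deny", lambda r: prefix_list_matches("172.16.28.0/24", r)),
      ("permit", lambda r: prefix_list_matches("0.0.0.0/0", r, le=32))]
def acl_result():
    return distribute_list_out(ACL5, ROUTES)     # only 10.1.0.0/16 survives
def prefix_list_result():
    return distribute_list_out(PL, ROUTES)       # everything but 172.16.28.0/24
```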
Saturday, February 15, 2014
802.1x configuration
Why use dot1x authentication? 802.1x (dot1x) authentication can be used to secure access to the network.
•Enable AAA on the switch: "aaa new-model"
•Define the external RADIUS servers:
–radius-server host {hostname | ip-address} key string
•Define the authentication method for 802.1x:
–aaa authentication dot1x default group radius
•Enable 802.1x globally: "dot1x system-auth-control"
•Configure each switchport that uses 802.1x:
–Switch(config-if)#dot1x port-control {force-authorized | force-unauthorized | auto}
•force-authorized: the port always authorizes any connected client (default state)
•force-unauthorized: the port is forced to never authorize any connected client (the client needs to disconnect/reconnect)
•auto: the port uses the 802.1x exchange to move from the unauthorized to the authorized state
•Allow multiple hosts on a switchport:
–dot1x host-mode multi-host
•Verify with "show dot1x all"
Switch port-security
Control port access based on MAC addresses. To configure it:
–Enable port-security on an interface: "switchport port-security"
–Specify the maximum number of MAC addresses that will be allowed: "switchport port-security maximum mac-address-number" (1-1024). By default port-security makes sure that only one MAC address is allowed access on each switchport.
–You can specify the MAC addresses for a switchport statically or dynamically; in dynamic mode the switch learns the MAC addresses of the hosts connected to the switchport (up to the configured maximum). Learned MAC addresses can be aged out if the hosts are silent for a period of time (by default no aging). If a new host connects to that switchport after the maximum number has been reached, the port goes errdisabled.
•switchport port-security maximum 2
•switchport port-security mac-address xxxx.xxxx.xxxx
•switchport port-security mac-address sticky
–Define how the interface will react in case of a port-security violation:
•switchport port-security violation {shutdown | restrict | protect}
•shutdown: puts the port in the errdisabled state (re-enable it either manually or through errdisable recovery)
•restrict: the port is allowed to stay up, but all packets from the violating MAC address are dropped (an SNMP trap or syslog message is sent)
•protect: the port is allowed to stay up, although packets from violating addresses are dropped. No record of the violation is kept.
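The three violation modes side by side, as an added example that is not the post's own code: a small model of a port-security switchport with a maximum of two MAC addresses, replaying a constructed sequence of frames in which a third MAC appears.

```python
# Added example, not the post's own code: a small model of how a
# port-security switchport treats frames from different source MACs
# under the three violation modes. The frame list is constructed.

class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", static=()):
        self.maximum = maximum        # switchport port-security maximum N
        self.violation = violation    # shutdown | restrict | protect
        self.secure = set(static)     # statically configured secure MACs
        self.errdisabled = False
        self.violations = 0           # counted only by shutdown/restrict
        self.log = []                 # syslog / SNMP trap stand-in

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for one frame from src_mac."""
        if self.errdisabled:
            return "drop"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)  # dynamically learned (sticky would save it)
            return "forward"
        # A new MAC beyond the maximum: a violation.
        if self.violation == "shutdown":
            self.errdisabled = True   # recover manually or via errdisable recovery
            self.violations += 1
            self.log.append(f"PORT_SECURITY: {src_mac} violation, port errdisabled")
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append(f"PORT_SECURITY: {src_mac} violation, frame dropped")
        # protect: drop silently, no record kept
        return "drop"

# Constructed frames: two hosts, then a third MAC on a maximum-2 port.
FRAMES = ["0011.2233.4455", "0011.2233.4455", "66aa.bbcc.ddee",
          "dead.beef.0001", "0011.2233.4455"]

def run(mode, frames=FRAMES, maximum=2):
    """Replay frames on a fresh port; return decisions and final state."""
    port = SecurePort(maximum=maximum, violation=mode)
    decisions = [port.receive(m) for m in frames]
    return decisions, port.errdisabled, port.violations, len(port.log)
```

With shutdown the legitimate host's last frame is also dropped because the whole port is errdisabled; with restrict and protect only the offending MAC is dropped, and only restrict leaves a record.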
OSPF metric
•OSPF uses a metric of cost = 100,000,000 / bandwidth (Kbps)
•The default reference bandwidth is 100,000,000 and it can be changed.
OSPF router type
•We have these types of routers:
–Internal router: all networks (interfaces) connected directly to this router belong to the same area. An internal router has a single link-state database.
–Area Border Router (ABR): it has at least two connected networks (interfaces) that are in two different areas. An ABR has more than one link-state database, one for each area. Its responsibility is to exchange topology information between areas.
–Backbone router: at least one connected network in area 0 (it can be an internal router or an ABR).
–Autonomous System Boundary Router (ASBR): at least one network participating in OSPF, and one network in another routing domain. Its role is to exchange information between OSPF and external routes.
Wednesday, January 8, 2014
Troubleshooting VTP
•If a switch doesn't seem to be receiving updated information from a VTP server:
–Either the switch is in transparent mode. Verify with "show vtp status".
–There might not be a switch configured as VTP server.
–The link between the switch and the other switches is not in trunking mode. VTP can be advertised only over trunk links. To verify whether an interface is trunk or access:
•"show interface type mod/num switchport"
–Make sure the VTP version is compatible with the other switches in the VTP domain.
–Make sure the VTP password matches in the VTP domain.
–Make sure the VTP domain name matches that of the VTP server.
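Most of the checklist above can be run mechanically over "show vtp status" output from each switch. The following is an added example, not code from the post: it parses constructed, trimmed "show vtp status" output (real output has more fields) and flags transparent mode, a version or domain-name mismatch against the server, and a non-zero revision higher than the server's. The password cannot be compared this way because the command shows only a digest.

```python
import re

# Added example, not from the post: parse the output of "show vtp status"
# from several switches and flag the conditions in the checklist above.
# The outputs below are constructed and trimmed to the relevant fields.
SHOW_VTP = {
    "SW1": """VTP version running             : 2
VTP Domain Name                 : CORP
VTP Operating Mode              : Server
Configuration Revision          : 12""",
    "SW2": """VTP version running             : 2
VTP Domain Name                 : CORP
VTP Operating Mode              : Transparent
Configuration Revision          : 0""",
    "SW3": """VTP version running             : 1
VTP Domain Name                 : corp
VTP Operating Mode              : Client
Configuration Revision          : 37""",
}

def parse_vtp_status(text):
    """Turn 'Field : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def vtp_findings(outputs, server="SW1"):
    """Compare every other switch against the VTP server; return issues."""
    parsed = {name: parse_vtp_status(t) for name, t in outputs.items()}
    ref = parsed[server]
    issues = []
    if ref["vtp operating mode"].lower() != "server":
        issues.append(f"{server}: not in server mode, nobody advertises VLANs")
    for name, f in parsed.items():
        if name == server:
            continue
        if f["vtp operating mode"].lower() == "transparent":
            issues.append(f"{name}: transparent mode, ignores server updates")
        if f["vtp version running"] != ref["vtp version running"]:
            issues.append(f"{name}: VTP version {f['vtp version running']} differs from server")
        if f["vtp domain name"] != ref["vtp domain name"]:
            issues.append(f"{name}: domain name mismatch (names are case-sensitive)")
        if int(f["configuration revision"]) > int(ref["configuration revision"]):
            issues.append(f"{name}: revision above the server's, reset to 0 before joining")
    return issues
```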
VTP configuration
•By default the VTP mode is server, the management domain is NULL, and there is no password.
•If a switch receives a VTP summary advertisement on a trunk port from any other switch, it will automatically learn the VTP domain name, the VLANs and the configuration revision number it hears.
•Before you add a switch to the network, verify that the revision number is set to 0: "show vtp status"
•There are two ways to configure VTP:
–Global config mode
–vlan database mode (mostly deprecated)
To join a specific VTP management domain, you have to use "vtp domain domain-name".
Configuring the VTP mode:
–Server mode: multiple VTP servers can coexist in a domain. The servers do not elect a primary or secondary; if one server is configured with a new VLAN or VTP parameter, it advertises the change to the rest of the domain. All other servers synchronize their VTP databases to this advertisement just as any VTP client would.
–Client mode: if you want to configure a switch as a VTP server, start it as a client to learn the latest changes, then configure it in server mode.
–Transparent mode: this mode is used if a switch will not share VLAN information with any other switch in the network. VLANs can still be created, deleted or modified, but they are not advertised; however, VTP advertisements received by a transparent switch are forwarded out trunk links. Keeping switches in transparent mode can eliminate the chance of duplicate, overlapping VLANs in a large network with many network administrators.
–vtp mode {server | client | transparent}
–vtp password password
On some IOS versions you can turn VTP off with the vtp off command. This makes the switch act the same as if it were in VTP transparent mode, with the addition that the switch doesn't forward VTP advertisements on trunk links.