Saturday, February 15, 2014

802.1x configuration

Why use dot1x authentication? 802.1x authentication secures access to the network: a client must authenticate before the switchport forwards its traffic.
Enable AAA on the switch: “aaa new-model”
Define the external RADIUS servers:
radius-server host {hostname | ip-address} key string
Define the authentication method for 802.1x:
aaa authentication dot1x default group radius
Enable 802.1x globally: “dot1x system-auth-control”
Configure each switchport that uses 802.1x:
Switch(config-if)#dot1x port-control {force-authorized | force-unauthorized | auto}
force-authorized: the port always authorizes any connected client (default state)
force-unauthorized: the port never authorizes any connected client (the client must disconnect/reconnect)
auto: the port uses the 802.1x exchange to move from the unauthorized to the authorized state
Allow multiple hosts on a switchport:
dot1x host-mode multi-host

Verify with “show dot1x all”
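The following is an added example, not code from the post or from Cisco: a small Python model of how a port decides whether to forward a client's frames under the three port-control modes above, plus the effect of multi-host mode. The class name, the MAC strings and the RADIUS outcomes are constructed for the illustration. One point worth seeing in code: in multi-host mode, once any one client has authenticated, every other MAC on that port is forwarded without authenticating, which is why that mode deserves careful use.

```python
"""Model of dot1x port-control and host-mode behaviour (added example)."""
from dataclasses import dataclass, field

FORCE_AUTHORIZED = "force-authorized"    # IOS default port-control
FORCE_UNAUTHORIZED = "force-unauthorized"
AUTO = "auto"


@dataclass
class Dot1xPort:
    """One switchport; `authenticated` holds MACs that passed the EAP exchange."""
    port_control: str = FORCE_AUTHORIZED
    multi_host: bool = False                 # "dot1x host-mode multi-host"
    authenticated: set = field(default_factory=set)

    def eap_result(self, mac, radius_accept):
        """Record the RADIUS decision for one client's 802.1x exchange."""
        if radius_accept:
            self.authenticated.add(mac)
        else:
            self.authenticated.discard(mac)

    def forwards(self, mac):
        """True if a frame from `mac` is forwarded by this port."""
        if self.port_control == FORCE_AUTHORIZED:
            return True                      # no authentication ever required
        if self.port_control == FORCE_UNAUTHORIZED:
            return False                     # never authorized, whatever EAP says
        # auto: only a successful 802.1x exchange moves the port to authorized
        if mac in self.authenticated:
            return True
        # multi-host: the first successful client opens the port for all MACs
        return self.multi_host and bool(self.authenticated)


def demo():
    """Constructed scenario: a second, unauthenticated MAC behind an IP phone/hub."""
    single = Dot1xPort(port_control=AUTO)
    multi = Dot1xPort(port_control=AUTO, multi_host=True)
    for port in (single, multi):
        port.eap_result("0001.0001.0001", radius_accept=True)
    return {
        "single-host, other MAC": single.forwards("0002.0002.0002"),
        "multi-host, other MAC": multi.forwards("0002.0002.0002"),
    }


if __name__ == "__main__":
    print(demo())
```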


Switch port-security


Port-security controls port access based on MAC addresses. To configure it:
Enable port-security on an interface: “switchport port-security”
Specify the maximum number of MAC addresses that will be allowed: “switchport port-security maximum mac-address-number” (1-1024). By default port-security allows only one MAC address on each switchport.
MAC addresses can be specified for a switchport statically or learned dynamically: the switch learns the MAC addresses of the hosts connected to the switchport (up to the configured maximum). Learned MAC addresses can be aged out if the hosts stay silent for a period of time (by default there is no aging). If a new host connects to the switchport after the maximum has been reached, a violation occurs and, with the shutdown mode, the port goes err-disabled.
switchport port-security maximum 2
switchport port-security mac-address xxxx.xxxx.xxxx
switchport port-security mac-address sticky
Define how the interface reacts to a port-security violation:
switchport port-security violation {shutdown | restrict | protect}
shutdown: the port is put in the err-disabled state (re-enable it manually or through err-disable recovery)
restrict: the port stays up, but all packets from the violating MAC address are dropped; an SNMP trap or syslog message is sent
protect: the port stays up and packets from violating addresses are dropped, but no record of the violation is kept
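As an added example (not code from the post or from Cisco), here is a Python simulation of the port-security rules described above: a maximum MAC count, static and sticky entries, inactivity aging of dynamically learned addresses, and the three violation modes. The class, method names and the MAC addresses are constructed; `frame()` returns what the port does with one frame so that the difference between shutdown, restrict and protect can be observed directly.

```python
"""Port-security decision model (added example)."""
from collections import OrderedDict

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


class PortSecurity:
    def __init__(self, maximum=1, violation=SHUTDOWN, static=(), sticky=False,
                 aging_time=0):
        self.maximum = maximum            # "switchport port-security maximum N"
        self.violation = violation        # "switchport port-security violation ..."
        self.sticky = sticky              # learned MACs become configured entries
        self.aging_time = aging_time      # minutes of silence before a dynamic MAC ages out; 0 = no aging
        self.secure = OrderedDict()       # mac -> (kind, last_seen)
        for mac in static:                # "switchport port-security mac-address xxxx.xxxx.xxxx"
            self.secure[mac] = ("static", None)
        self.err_disabled = False
        self.violations = []              # MACs that were recorded (shutdown/restrict only)

    def frame(self, mac, now=0):
        """Process one frame from `mac` at minute `now`.
        Returns 'forward', 'drop' or 'errdisable'."""
        if self.err_disabled:
            return "errdisable"           # port stays down until recovered
        self._age_out(now)
        if mac in self.secure:
            kind, _ = self.secure[mac]
            if kind == "dynamic":
                self.secure[mac] = (kind, now)   # refresh inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[mac] = (kind, now)       # learn a new address
            return "forward"
        # Maximum reached and the MAC is unknown: this is a violation.
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.violations.append(mac)
            return "errdisable"
        if self.violation == RESTRICT:
            self.violations.append(mac)          # logged / SNMP trap sent
        return "drop"                            # protect: dropped, nothing recorded

    def _age_out(self, now):
        """Inactivity aging removes only dynamically learned entries."""
        if not self.aging_time:
            return
        for mac, (kind, last_seen) in list(self.secure.items()):
            if kind == "dynamic" and now - last_seen >= self.aging_time:
                del self.secure[mac]


def compare_modes():
    """Constructed scenario: two allowed hosts, then a third MAC appears."""
    results = {}
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        port = PortSecurity(maximum=2, violation=mode)
        port.frame("0000.1111.aaaa")
        port.frame("0000.1111.bbbb")
        third = port.frame("0000.1111.cccc")
        # Does a legitimate host still get through after the violation?
        again = port.frame("0000.1111.aaaa")
        results[mode] = (third, again, len(port.violations))
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(f"{mode:9s} third MAC -> {outcome[0]}, known host after -> {outcome[1]}, recorded={outcome[2]}")
```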


OSPF metric

OSPF uses the metric cost = 100,000,000 / bandwidth, with both values in bits per second.
The default reference bandwidth is 100,000,000 and it can be changed.
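As an added example (not from the post), the formula carried through in Python the way IOS applies it: the division is integer, the result is clamped to a minimum of 1 and a maximum of 65535, and the reference bandwidth is a parameter (on IOS it is changed per OSPF process with `auto-cost reference-bandwidth`, given in Mbps). The interface speeds in the table are constructed sample values; the table makes visible why the default reference bandwidth gives Fast, Gigabit and 10-Gigabit Ethernet the same cost of 1.

```python
"""OSPF interface cost from reference and interface bandwidth (added example)."""

DEFAULT_REFERENCE_BW_BPS = 100_000_000   # 100 Mbps, the default named in the post
MAX_COST = 65_535                        # 16-bit metric field in the router LSA


def ospf_cost(interface_bw_bps, reference_bw_bps=DEFAULT_REFERENCE_BW_BPS):
    """cost = reference bandwidth / interface bandwidth, truncated, clamped to 1..65535."""
    if interface_bw_bps <= 0 or reference_bw_bps <= 0:
        raise ValueError("bandwidths must be positive bits per second")
    return max(1, min(MAX_COST, reference_bw_bps // interface_bw_bps))


def cost_table(reference_mbps=100):
    """Costs for a few constructed link speeds under a given reference bandwidth (Mbps)."""
    links = {
        "T1 (1.544 Mbps)": 1_544_000,
        "Ethernet 10M": 10_000_000,
        "FastEthernet": 100_000_000,
        "GigabitEthernet": 1_000_000_000,
        "TenGigabitEthernet": 10_000_000_000,
    }
    ref_bps = reference_mbps * 1_000_000
    return {name: ospf_cost(bw, ref_bps) for name, bw in links.items()}


if __name__ == "__main__":
    for ref in (100, 10_000):
        print(f"auto-cost reference-bandwidth {ref}:")
        for name, cost in cost_table(ref).items():
            print(f"  {name:22s} cost {cost}")
```

With the default reference bandwidth every link of 100 Mbps or faster costs 1, so OSPF cannot prefer a 10-Gigabit path over a Fast Ethernet one; raising the reference bandwidth (to the same value on every router in the domain, or path costs become inconsistent) restores the distinction.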

OSPF router type

There are these types of routers:
Internal router: all networks (interfaces) connected directly to this router belong to the same area. An internal router has a single link-state database.
Area Border Router (ABR): has at least two connected networks (interfaces) in two different areas. An ABR has more than one link-state database, one per area. Its responsibility is to exchange topology information between areas.
Backbone router: has at least one connected network in area 0 (it can be an internal router or an ABR).

Autonomous System Boundary Router (ASBR): has at least one network participating in OSPF and one network in another routing domain. Its role is to exchange information between OSPF and external routes.
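The definitions above can be applied mechanically from a router's interface-to-area assignment and whether it redistributes routes from another routing domain. The following is an added example, not from the post: a small classifier that takes those two inputs (the interface names and area numbers are constructed) and returns the roles a router holds at the same time, along with the number of link-state databases it maintains (one per attached area).

```python
"""Classify an OSPF router from its interface areas (added example)."""


def classify_router(interface_areas, redistributes_external=False):
    """interface_areas: mapping of interface name -> OSPF area id for OSPF-enabled interfaces.
    redistributes_external: True if the router injects routes from another routing domain.
    Returns (roles, number_of_link_state_databases)."""
    areas = set(interface_areas.values())
    if not areas:
        return set(), 0                    # not running OSPF on any interface
    roles = set()
    if len(areas) == 1:
        roles.add("internal")              # every interface in the same area
    else:
        roles.add("ABR")                   # interfaces in two or more areas
    if 0 in areas:
        roles.add("backbone")              # at least one interface in area 0
    if redistributes_external:
        roles.add("ASBR")                  # OSPF plus another routing domain
    return roles, len(areas)               # one link-state database per area


if __name__ == "__main__":
    # Constructed sample topology
    routers = {
        "core1": ({"Gi0/0": 0, "Gi0/1": 0}, False),
        "dist1": ({"Gi0/0": 0, "Gi0/1": 10, "Gi0/2": 20}, False),
        "access1": ({"Gi0/0": 10, "Gi0/1": 10}, False),
        "edge1": ({"Gi0/0": 0}, True),       # also redistributes BGP/static routes
    }
    for name, (ifaces, ext) in routers.items():
        roles, lsdbs = classify_router(ifaces, ext)
        print(f"{name}: {sorted(roles)} ({lsdbs} link-state database(s))")
```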