Monday, March 17, 2014
Saturday, March 15, 2014
EIGRP Route Filtering
- Why filter routes in EIGRP
- Branch routers do not need to see each other's networks.
- Branch routers might be in the sales division and have no need to reach the manufacturing division's networks.
- Some routers end up with a smaller routing table.
- Propagating the topology table over slow links uses less bandwidth.
- Security: a prefix a router never learns is a prefix it cannot forward to, so route filtering enforces segmentation at the routing layer. It is not a substitute for packet filtering, since a static or default route can still reach the hidden network.
- How to filter routes in EIGRP:
- Filtering routes in EIGRP is done with a distribute-list, applied inbound or outbound under the EIGRP process (optionally per interface). To match the routes to be filtered we can use:
- access-list
- ip prefix-list
- route-map
Filter by an access-list
- Let's say the router has the network 172.16.28.0/24.
- We want this prefix to be filtered from being advertised to other routers.
- Remember that every access-list ends with an implicit deny; a distribute-list that only contains deny entries would therefore suppress every route, so an explicit permit is required.
- A standard ACL compares only the route's network address against the wildcard mask; it cannot test the prefix length, so 172.16.28.0/25 would match the same entry as 172.16.28.0/24.
- Create a standard ACL (named or numbered)
- ip access-list standard 5
- deny 172.16.28.0 0.0.0.255
- permit any
- Attach the access-list to EIGRP with a distribute-list
- router eigrp 10
- distribute-list 5 out
- Without an interface name the filter applies to the updates sent out of every interface; adding one (distribute-list 5 out GigabitEthernet0/1) limits it to that interface, and "in" filters what is accepted from neighbors instead.
Filter by a prefix-list
- Characteristics of prefix-list usage
- Allows matching on the prefix length (subnet mask) as well as the address, which an ACL cannot do
- Faster matching of routes compared to an ACL
- Can only be used for route filtering (and routing policy); it cannot filter packets, so it is not a security ACL
- Each line has a sequence number and a permit/deny statement; like an ACL, the list ends with an implicit deny
- Syntax of a prefix-list entry:
- ip prefix-list list-name [seq seq-num] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
- The route's prefix must fall within the range of addresses implied by prefix/prefix-length
- The route's prefix length must fall within the range implied by prefix-length, ge-value and le-value: with neither ge nor le it must equal prefix-length exactly; with ge it must be at least ge-value; with le it must be at most le-value (prefix-length < ge-value <= le-value <= 32)
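The same filter as the ACL example above, written as a prefix-list, as an added example that is not from the original post. The list name NO-BRANCH and the interface name Serial0/0 are assumptions; EIGRP process 10 is the one used above.

```cisco
! Added example, not from the original post: filter 172.16.28.0/24 (and anything
! more specific inside it) from outgoing EIGRP updates with a prefix-list.
! The list name NO-BRANCH and the interface name Serial0/0 are assumptions.
!
! seq 5: "le 32" widens the match from exactly /24 to /24 through /32, so a
! 172.16.28.128/25 route is filtered too. Without "le 32" only a route whose
! length is exactly 24 would match and the /25 would leak through.
ip prefix-list NO-BRANCH seq 5 deny 172.16.28.0/24 le 32
! seq 10: "ge 32" on 0.0.0.0/0 matches every host route, whatever its address;
! a practical use of ge is to stop /32s from being advertised at all.
ip prefix-list NO-BRANCH seq 10 deny 0.0.0.0/0 ge 32
! seq 20: explicit permit-all; a prefix-list also ends with an implicit deny,
! so without this line every other route would be suppressed.
ip prefix-list NO-BRANCH seq 20 permit 0.0.0.0/0 le 32
!
router eigrp 10
 distribute-list prefix NO-BRANCH out
! To filter only the updates sent towards the branch, name the interface:
! distribute-list prefix NO-BRANCH out Serial0/0
!
! Verify on this router with "show ip prefix-list detail NO-BRANCH" (hit count
! per entry) and on the neighbor with "show ip route eigrp", where
! 172.16.28.0/24 must no longer appear.
```

The order matters: entries are evaluated by sequence number and the first match wins, so the deny lines must sit before the permit-all. Leaving a gap between sequence numbers (5, 10, 20) makes it possible to slot in a later entry without renumbering.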
- You can read our other blogs:
- http://ftpservices.blogspot.com/
- http://dhcpservices.blogspot.com/
Saturday, February 15, 2014
802.1x configuration
Why use dot1x authentication? 802.1X (dot1x) makes the switch authenticate a device, through a RADIUS server, before the port forwards any of its traffic, so network access depends on credentials rather than on reaching a wall jack.
•Enable AAA on the switch: "aaa new-model"
•Define the external RADIUS server(s):
–radius-server host {hostname | ip-address} key string
•Define the authentication method for 802.1x:
–aaa authentication dot1x default group radius
•Enable 802.1x globally: "dot1x system-auth-control"
•Configure each switchport that uses 802.1x:
–Switch(config-if)#dot1x port-control {force-authorized | force-unauthorized | auto}
•force-authorized: the port is always authorized, so any connected client gets access without authenticating (the default state, which means nothing is enforced until a port is set to auto)
•force-unauthorized: the port never authorizes any connected client (a client must disconnect and reconnect after the mode is changed)
•auto: the port uses the 802.1x EAPOL exchange to move from the unauthorized to the authorized state
•Allow multiple hosts on a switchport:
–dot1x host-mode multi-host
•In multi-host mode only the first client is authenticated; every other MAC address seen on the port is then authorized as well, so use it only where the downstream device (a hub or an unmanaged switch) is trusted.
•Verify with "show dot1x all"
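The steps above put together into one complete configuration for a single access port, as an added example that is not from the original post. The RADIUS server address 10.0.0.5, the shared secret, the VLAN number and the interface name are assumptions.

```cisco
! Added example, not from the original post: complete 802.1X setup for one
! access port. Server address, shared secret, VLAN and interface are assumptions.
aaa new-model
!
! Shared secret protects the RADIUS exchange; treat it like a password.
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key S3cr3tSharedKey
! Newer IOS expresses the same server as:
!   radius server ISE
!    address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
!    key S3cr3tSharedKey
!
aaa authentication dot1x default group radius
! Nothing is enforced until the feature is enabled globally.
dot1x system-auth-control
!
interface GigabitEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ! the switch side of the EAPOL exchange is the authenticator
 dot1x pae authenticator
 ! auto: unauthorized until the client authenticates (default is force-authorized)
 dot1x port-control auto
 ! one authenticated client per port; avoid multi-host unless the device is trusted
 dot1x host-mode single-host
! Newer IOS (12.2(50)SE and later) uses "authentication port-control auto" and
! "authentication host-mode single-host" in place of the two dot1x interface
! commands above.
!
! Verify:
!  show dot1x all                                  -> SystemAuthControl Enabled,
!                                                     PortControl AUTO on Gi0/1
!  show dot1x interface gigabitEthernet0/1 details -> authenticator state per port
!  show authentication sessions interface gigabitEthernet0/1   (newer IOS)
```

Roll this out port by port: configure a few ports with auto first, confirm clients reach the authorized state in "show dot1x all", and only then extend it, because a mistyped shared secret or an unreachable RADIUS server leaves every auto port unauthorized.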
Switch port-security
Control port access based on MAC addresses. To configure it:
–Enable port-security on an interface: "switchport port-security". The interface must be a static access or trunk port ("switchport mode access" first); the command is refused on a port in dynamic mode.
–Specify the maximum number of MAC addresses that will be allowed: "switchport port-security maximum mac-address-number" (the upper limit depends on the platform). By default port-security allows only one MAC address on each switchport.
–MAC addresses can be specified for a switchport statically, or learned dynamically by the switch from the hosts connected to it (up to the configured maximum). Learned addresses can be aged out if the hosts are silent for a period of time (by default there is no aging). If a new host connects once the maximum is reached, a violation occurs; with the default violation mode (shutdown) the port goes to errdisabled.
•switchport port-security maximum 2
•switchport port-security mac-address xxxx.xxxx.xxxx
•switchport port-security mac-address sticky (dynamically learned addresses are written into the running configuration, so they survive a link flap and, once saved, a reload)
–Define how the interface will react in case of a port-security violation:
•switchport port-security violation {shutdown | restrict | protect}
•shutdown: put the port in the errdisabled state (re-enable it manually with "shutdown" / "no shutdown", or automatically through errdisable recovery). This is the default.
•restrict: the port stays up, packets from violating MAC addresses are dropped, the violation counter is incremented and an SNMP trap / syslog message is sent.
•protect: the port stays up and packets from violating addresses are dropped, but no record of the violation is kept (no counter, trap or log), so nobody is told that a violation happened.
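A complete port-security configuration covering the options above, as an added example that is not from the original post: one port with two sticky addresses in restrict mode, one hot-desk port with a single dynamically learned address that ages out, and automatic recovery from errdisable. Interface names, VLAN and timer values are assumptions.

```cisco
! Added example, not from the original post. Interface names, VLAN and timer
! values are assumptions.
!
! Port 1: a PC behind a small desk switch; two addresses, learned once and kept.
interface GigabitEthernet0/2
 description desk port: two known devices
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! learned addresses are written into the running-config (save it afterwards)
 switchport port-security mac-address sticky
 ! a third MAC is dropped, counted and logged, but the port stays up
 switchport port-security violation restrict
!
! Port 2: a hot desk; whoever plugs in is learned, and forgotten after 5 minutes
! of silence so the next person can use it. Violation mode is left at the
! default (shutdown), so a second concurrent device errdisables the port.
interface GigabitEthernet0/3
 description hot desk
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Global: bring errdisabled ports back automatically after 5 minutes instead of
! needing a manual "shutdown" / "no shutdown" (relevant to violation shutdown).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify:
!  show port-security interface gigabitEthernet0/2  -> Port Security: Enabled,
!      Violation Mode, Maximum MAC Addresses, Sticky MAC Addresses,
!      Security Violation Count
!  show port-security address   -> the secure MAC address table
!  show errdisable recovery     -> which causes auto-recover and the timer
```

Restrict is the mode to prefer on ports you need to stay up, because it is the only one that both blocks the extra device and leaves a trace (counter, trap, syslog) that someone tried; protect silently drops and tells no one.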
OSPF metric
•OSPF uses a metric called cost, computed per interface as
 cost = reference bandwidth / interface bandwidth = 100,000,000 bps / bandwidth (bps), which is the same as 100,000 / bandwidth (kbps)
•The default reference bandwidth is 100 Mbps (100,000,000 bps). Any interface of 100 Mbps or faster therefore gets cost 1 (a result below 1 is rounded up to 1), so Fast Ethernet, Gigabit Ethernet and 10 Gigabit Ethernet are indistinguishable to OSPF. The reference bandwidth can be changed with "auto-cost reference-bandwidth" (value in Mbps) under the OSPF process; set the same value on every router in the domain, otherwise routers compute different costs for the same links and path selection becomes inconsistent.
OSPF router type
•We have these types of routers (one router can be several of them at once):
–Internal router: all networks (interfaces) directly connected to this router belong to the same area. An internal router has a single link-state database.
–Area Border Router (ABR): it has at least two connected networks (interfaces) in two different areas. An ABR keeps more than one link-state database, one for each area it belongs to. Its responsibility is to exchange topology information between areas.
–Backbone router: at least one connected network in area 0 (it can be an internal router or an ABR).
–Autonomous System Boundary Router (ASBR): at least one network participating in OSPF and one network in another routing domain. Its role is to redistribute routes between OSPF and external sources.