Month: June 2015

Port-Security in Cisco Switches


In this article I am going to show you the effect of port-security on switch ports. The topology is very simple: I am using only one switch with a number of PCs.


You use Port-Security:

  • When you want to limit the number of devices that can connect to a port on your switch
  • When you want to explicitly tell your switch which devices can connect (based on MAC address of those devices)


VRFLite On Cisco Routers


VRFLite is part of the CCNP outline! OK! I know there is very little to say about it, but the VRF part of configuring MPLS and VRFLite is the same: both need the VRFs to be configured before you move on to the feature configuration.
Here I show you the configuration of VRFs in detail.


Zone-Based Firewall


In this article I discuss Zone-Based Firewall (ZBF), a relatively new concept that draws a line between different areas of the network and controls the traffic flowing to and from each of them. My scenario defines three zones: Internet (public network), DMZ (servers exposed to the Internet go here) and Intranet (my LAN).
Previously, if I needed to implement such a concept I would have had to create several access-lists and apply them to interfaces. For me, managing access-lists is a pain, so I love this approach.


PIM Sparse Mode


In this article I want to show you when and how to enable sparse mode for your multicast scenario.
Dense mode is less complicated to configure: you just enable it under interface configuration on every router along the path to the destination subnets where the receivers sit. Dense mode is the right choice when you assume that a large percentage of your devices need to receive the multicast traffic a large percentage of the time.
On the other hand, sparse mode (as the name implies) assumes that any device, on some or all subnets, may decide to receive the multicast traffic. Receivers do not receive the traffic very often and they are not confined to one or more particular subnets.


PPP Authentication on Serial Links


In this article I enable authentication for serial links. I have two serial links on R1; one of them uses PPP encapsulation while the other uses Frame Relay.
Enabling authentication for a PPP link is easy and straightforward. I need an authenticator: a server (RADIUS or TACACS+) or a local username and password. In my scenario I choose the latter. I assume that every connection to R1 is authenticated and that the preferred method is AAA.


Not So Stubby Area (NSSA)


In this sample I am going to show a scenario in which you would most likely use an OSPF totally NSSA area.
As you can see in the topology, the routers in area 46 have only one link to the other areas in my network. This is a typical scenario in which you enable one of the stub area types, since all routes have the same exit interface and a default route is enough to route all traffic to the other areas.
In this case area 46 is a stub area of the OSPF network, but it also has a connection to another autonomous system, EIGRP 67, so it is not so stubby! My OSPF network may need reachability to the EIGRP AS, which means I need redistribution. An NSSA area supports redistribution, and the result of redistribution is Type-7 LSAs inside the NSSA area.


Content-Based Access-List (CBAC)


You have your router and you have no plan to buy a firewall? Your Cisco router has some advanced features that let it act as a firewall, and a good one actually!
This is possible if you use Content-Based Access List (CBAC) to inspect all outbound connections and deny any inbound connection.


Single-Rate and Two-Rate Three-Color Policing


First of all, I want to make this clear for those of you who are still in doubt about where to use shaping and where to use policing.

  • Shaping is outbound only. Policing is inbound and outbound, so if you are limiting the input rate, you need to use policing (e.g. when you want to limit download speed).
  • Shaping is a traffic softener! I mean that if you have more data than can be sent in a time slot, you buffer it and send it later, whereas with policing you only enforce the rate limit policy (excess traffic is dropped or re-marked). The following picture illustrates the difference.
  • Policing can be used for marking (as shown in this article) while shaping cannot.
