Month: June 2015
In this article I am going to show you the effect of port-security on switch ports. The topology is very simple and I am using only one switch with a number of PCs.
You use port-security:
- When you want to limit the number of devices that can connect to a port on your switch
- When you want to explicitly tell your switch which devices can connect (based on the MAC addresses of those devices)
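Both uses in one Catalyst IOS configuration, as an added example (not the article's own config): a user port that accepts at most two devices and learns them as sticky addresses, and a printer port pinned to a single known MAC. Interface names, the VLAN and the MAC address are assumptions for illustration.

```text
! User-facing port: at most 2 devices, learned dynamically and kept ("sticky")
interface GigabitEthernet0/1
 description User desk - max 2 devices
 switchport mode access                ! port-security is rejected on a "dynamic" port
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict   ! drop offenders, log, count; port stays up
 switchport port-security mac-address sticky   ! learned MACs are written to running-config
!
! Printer port: exactly one permitted MAC, hard-coded; anything else err-disables the port
interface GigabitEthernet0/2
 description Printer - fixed MAC only
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
!
! Let an err-disabled port recover on its own after 5 minutes instead of waiting for a "shut / no shut"
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The three violation modes differ in what you see: `protect` silently drops frames from unknown MACs, `restrict` drops them and raises a syslog/SNMP trap and a violation counter, `shutdown` puts the port in err-disabled state. Sticky addresses only survive a reload if you save the configuration, so `write memory` after the expected devices have been learned. Verify with `show port-security interface GigabitEthernet0/1` and `show port-security address`.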
VRF-Lite is part of the CCNP outline! OK, I know there is very little to say about it, but the configuration work for MPLS VPNs and VRF-Lite is the same at this point: both need the VRFs to be configured before you move on to the feature itself.
Here I show you the configuration of VRFs in detail.
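The VRF part on its own, as an added example (not the article's own config): two VRFs on one router, each bound to a sub-interface, with deliberately overlapping addressing to show that the routing tables really are separate. VRF names, RDs, VLAN IDs and addresses are assumptions for illustration.

```text
ip vrf CUSTOMER_A
 rd 65000:1        ! locally significant here; required once you move to MPLS VPN
!
ip vrf CUSTOMER_B
 rd 65000:2
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding CUSTOMER_A   ! assign the VRF first: this command wipes any IP address on the interface
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding CUSTOMER_B
 ip address 10.1.1.1 255.255.255.0   ! same subnet as CUSTOMER_A - no conflict, different table
!
! Static routes (and routing protocols, pings, etc.) must name the VRF explicitly
ip route vrf CUSTOMER_A 0.0.0.0 0.0.0.0 10.1.1.254
ip route vrf CUSTOMER_B 0.0.0.0 0.0.0.0 10.1.1.254
```

Check with `show ip vrf`, `show ip route vrf CUSTOMER_A` and `ping vrf CUSTOMER_A 10.1.1.254`; a plain `ping 10.1.1.254` goes out through the global table and will fail, which is exactly the isolation you wanted. Newer IOS releases prefer the `vrf definition NAME` / `address-family ipv4` form over `ip vrf`, but the interface binding and the `vrf` keyword on everything else work the same way.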
In this article I discuss Zone-Based Firewall (ZBF), a relatively new way to draw lines between different areas of the network and control traffic to and from each of them. My scenario defines three zones: Internet (public network), DMZ (servers that are open to the Internet go here) and Intranet (my LAN).
Previously, if I needed to implement such a concept I would have had to create some access-lists and apply them to interfaces. For me, managing access-lists is a pain, so I love this approach.
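A ZBF configuration for the three zones described above, as an added example (not the article's own config): the Intranet may initiate web and DNS traffic to the Internet, the Internet may reach only HTTP/HTTPS on the DMZ, and everything else between zones is dropped. Interface assignments, class/policy names and the protocol list are assumptions for illustration.

```text
! 1. Zones: an interface in no zone cannot talk to an interface in any zone
zone security INTERNET
zone security DMZ
zone security INTRANET
!
! 2. What to allow, per direction
class-map type inspect match-any CM-INTRANET-TO-INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
class-map type inspect match-any CM-INTERNET-TO-DMZ
 match protocol http
 match protocol https
!
! 3. "inspect" = allow and track the session so the return traffic is let back in
policy-map type inspect PM-INTRANET-TO-INTERNET
 class type inspect CM-INTRANET-TO-INTERNET
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-INTERNET-TO-DMZ
 class type inspect CM-INTERNET-TO-DMZ
  inspect
 class class-default
  drop log
!
! 4. Zone-pairs are one-directional; a pair with no policy, or no pair at all, means drop
zone-pair security INTRANET-INTERNET source INTRANET destination INTERNET
 service-policy type inspect PM-INTRANET-TO-INTERNET
zone-pair security INTERNET-DMZ source INTERNET destination DMZ
 service-policy type inspect PM-INTERNET-TO-DMZ
!
! 5. Put the interfaces in their zones
interface GigabitEthernet0/0
 description Internet
 zone-member security INTERNET
interface GigabitEthernet0/1
 description DMZ
 zone-member security DMZ
interface GigabitEthernet0/2
 description Intranet
 zone-member security INTRANET
```

Two things bite people on first use: Intranet to DMZ is also blocked until you add a zone-pair for it (nothing is implied from the other pairs), and traffic to or from the router itself belongs to the built-in `self` zone, which is permitted by default unless you write a zone-pair for it. `show policy-map type inspect zone-pair sessions` shows the sessions the `inspect` action is tracking.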
In this article I want to show you when and how to enable sparse mode for your multicast scenario.
Dense mode is less complicated to configure: you just enable it under interface configuration on every router on the path to the subnets where the receivers sit. Dense mode is the choice when you assume that a large percentage of your devices need to receive the multicast traffic a large percentage of the time.
Sparse mode, on the other hand (as the name implies), assumes that any device on some or all subnets may decide to receive the multicast traffic: receivers do not receive the traffic very often and they are not concentrated in one or a few particular subnets.
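Sparse-mode configuration for one router, as an added example (not the article's own config). The practical difference from dense mode is the extra line: sparse mode needs a Rendezvous Point that every router agrees on, so a loopback on this router is declared as a static RP for the group range. Addresses, interface names and the group range are assumptions for illustration.

```text
ip multicast-routing        ! "ip multicast-routing distributed" on some platforms
!
! The RP address must itself be a PIM interface, so the loopback runs sparse-mode too
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip pim sparse-mode
!
interface GigabitEthernet0/0
 description toward the rest of the multicast network
 ip address 10.0.12.1 255.255.255.0
 ip pim sparse-mode       ! dense mode would be "ip pim dense-mode" here and nothing else
!
interface GigabitEthernet0/1
 description receiver subnet
 ip address 10.0.10.1 255.255.255.0
 ip pim sparse-mode
!
! Static RP for the groups in the ACL; repeat this exact line on every router in the domain
ip pim rp-address 10.255.255.1 ACL-MCAST-GROUPS
!
ip access-list standard ACL-MCAST-GROUPS
 permit 239.1.0.0 0.0.255.255
```

Every other router needs `ip multicast-routing`, `ip pim sparse-mode` on its interfaces and the same `ip pim rp-address` line (or Auto-RP/BSR to distribute it instead). `show ip pim rp mapping` confirms the RP is known, and `show ip mroute` shows the (*,G) entry pointing toward the RP once a receiver joins; with dense mode you would see (S,G) entries everywhere and no RP at all.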
In this sample I am going to show a scenario in which you will most likely use an OSPF totally NSSA area.
As you can see in the topology, the routers in area 46 have only one link to the other areas in my network. This is a typical scenario for enabling one of the stub area types, since all routes have the same exit interface and a default route is enough to send all traffic to the other areas.
In this case area 46 is a stub of the OSPF network, but it also has a connection to another autonomous system, EIGRP 67, so it is not so stubby! My OSPF network may need reachability to the EIGRP AS, which means I need redistribution, and an NSSA area supports redistribution. The result of redistribution is Type-7 LSAs inside the NSSA area (the ABR translates them to Type-5 LSAs for the rest of the OSPF domain).
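The two routers that matter, as an added example (not the article's own config): the ABR that joins area 46 to area 0 and makes it a totally NSSA, and the router inside area 46 that redistributes EIGRP 67. Router IDs, process numbers and addresses are assumptions for illustration; the area and AS numbers follow the article.

```text
! ABR between area 0 and area 46
router ospf 1
 router-id 4.4.4.4
 network 10.0.4.0 0.0.0.255 area 0
 network 10.0.46.0 0.0.0.255 area 46
 area 46 nssa no-summary     ! "no-summary" = totally NSSA: block Type-3/4/5, send a Type-3 default
!
! ASBR inside area 46, also speaking EIGRP 67
router eigrp 67
 network 10.0.67.0 0.0.0.255
 redistribute ospf 1 metric 100000 10 255 1 1500   ! EIGRP needs a seed metric or nothing is redistributed
!
router ospf 1
 router-id 6.6.6.6
 network 10.0.46.0 0.0.0.255 area 46
 area 46 nssa                ! every router in the area must agree on the NSSA flag (N-bit in hellos)
 redistribute eigrp 67 subnets
```

The `no-summary` keyword goes only on the ABR; the internal routers just need `area 46 nssa`, and a mismatch breaks adjacencies rather than just routing. On the internal routers `show ip route ospf` should show an `O*IA 0.0.0.0/0` default from the ABR and the EIGRP prefixes as `O N2`; `show ip ospf database nssa-external` lists the Type-7 LSAs, and the same prefixes appear as Type-5 (`O E2`) in area 0 after the ABR's translation.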
You have a router and no plan to buy a firewall? Your Cisco router has some advanced features that let it act as a firewall, and a good one actually!
It is possible if you use Context-Based Access Control (CBAC) to inspect all outbound connections and deny any inbound connection.
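The whole idea in a few lines, as an added example (not the article's own config): an inbound ACL on the Internet interface denies everything, and an inspect rule applied outbound on the same interface opens temporary holes in that ACL for the return traffic of sessions the inside started. The inspect rule name and interface are assumptions for illustration.

```text
! What to track: generic TCP and UDP sessions plus ICMP (echo request / reply pairs)
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Static inbound policy: nothing initiated from the Internet gets in
ip access-list extended ACL-FROM-INTERNET
 remark CBAC inserts dynamic permit entries ahead of this ACL for return traffic
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip access-group ACL-FROM-INTERNET in   ! blocks everything ...
 ip inspect OUTBOUND out                ! ... except replies to sessions leaving this way
```

The pairing is what matters: the inspect rule must be on the same interface as the ACL, in the opposite direction, or the return traffic never gets a hole punched for it. `show ip inspect sessions` lists the sessions currently open. CBAC (the "classic firewall") has been superseded by the Zone-Based Firewall on recent IOS, which does the same stateful inspection with zones instead of per-interface ACL pairs, so for a new deployment that is the better choice.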
First of all, I want to make this clear for those of you who are still in doubt about where to use shaping and where to use policing.
- Shaping is outbound. Policing is inbound and outbound, so if you are limiting input rate, you need to use policing (e.g. when you want to limit download speed).
- Shaping is a traffic softener! If more data arrives than can be sent in a time slot, the shaper buffers it and sends it later; a policer never buffers, it only enforces the rate limit and drops (or re-marks) whatever exceeds it. The following picture illustrates the difference.
- Policing can be used for marking (as shown in this article) while shaping cannot.
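All three points on one WAN interface, as an added example (not the article's own config): an inbound policer that limits download and uses its exceed action to re-mark bulk traffic, and an outbound shaper that smooths the upload to the carrier's committed rate and queues the excess. Rates, class names, the bulk ACL and the interface are assumptions for illustration.

```text
class-map match-all CM-VOICE
 match dscp ef
class-map match-all CM-BULK
 match access-group name ACL-BULK
!
ip access-list extended ACL-BULK
 permit tcp any any eq 21
 permit tcp any eq 21 any
!
! POLICING (inbound): limit download and mark - drops happen, nothing is queued
policy-map PM-WAN-IN
 class CM-BULK
  police cir 2000000 bc 62500 be 62500
   conform-action transmit
   exceed-action set-dscp-transmit cs1   ! marking: demote bursts to scavenger instead of dropping
   violate-action drop
 class class-default
  police cir 8000000
   conform-action transmit
   exceed-action drop
!
! SHAPING (outbound only): delay to fit the CIR; the child policy decides what waits and what goes first
policy-map PM-WAN-OUT-CHILD
 class CM-VOICE
  priority percent 20          ! 20% of the shaped 10 Mb/s, not of the 100 Mb/s port
 class class-default
  fair-queue
!
policy-map PM-WAN-OUT
 class class-default
  shape average 10000000       ! carrier CIR is 10 Mb/s on a 100 Mb/s physical port
  service-policy PM-WAN-OUT-CHILD
!
interface GigabitEthernet0/0
 description WAN
 service-policy input PM-WAN-IN
 service-policy output PM-WAN-OUT
```

Note what the inbound policer does and does not achieve: the dropped packets have already crossed the WAN link, so it limits what the LAN receives and slows TCP senders down, but it does not free bandwidth on the link itself. `show policy-map interface GigabitEthernet0/0` shows conform/exceed/violate counters for the policer and the queue depth for the shaper, which is the quickest way to see buffering versus dropping in practice.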