Thursday 6 February 2020

CCNA 200-301 Ebooks download



CCNA 200-301 Official Cert Guide - Volume 1 - Download

CCNA 200-301 Official Cert Guide - Volume 2 - Download

CCNA 200-301 Portable Guide Edition 5  - Download



Friday 15 November 2019

CISCO Packet Tracer Download


Here is the link to download Packet Tracer 7.2.2


It is advisable to sign up for the Cisco Packet Tracer course that is offered by Cisco.

Why sign up?

  • It is FREE
  • Use the same login to sign in to packet tracer. This will help to save your packet tracer files


Sunday 20 May 2018

Switch- Port Security

What is covered?
We will look at how to secure a Cisco switch using the port security feature.

Why is port security required?
Port security is a feature in Cisco switches that helps to control which devices get network access through a port.

For example :

In the following switch, Port no 1-5 are configured as VLAN 10 and port no 6-10 are configured as VLAN 20. The other ports are on the default VLAN 1.

VLAN 10 -> it is for the Sales team
VLAN 20 -> It is for the HR team


The reason to have a setup like above is to segregate the network into two. So the users on VLAN 10 cannot access resources on VLAN 20.


Now: A user Jack who belongs to the sales team comes to office and connects his laptop to port no 6 on the switch. At this moment he will not have access to his Sales team network but instead, he will have access to HR team network. This also means that he will have access to all the payslip details stored on the HR server which is connected to the port 10.


Although the above act was unintentional, what if Jack intentionally plugged his laptop into port 6 to access the payslip server?

How to prevent unauthorized access to our network?

We can use the port security feature that is available in the switch. Since switches forward frames based on the MAC address, we can configure a port to allow particular MAC addresses and block the rest.

Example: The HR team consists of 4 members. Each member will have one laptop and then there is the HR server. In total there are five network devices which will be connected to the VLAN 20 (port no 6-10 on the switch). We can assign one port to each user (port no 6-9 for the users ) and port no 10 for the server.

Port no 6 -> Configured to allow MAC address of the user 1
Port no 7 -> Configured to allow MAC address of the user 2
Port no 8 -> Configured to allow MAC address of the user 3
Port no 9 -> Configured to allow MAC address of the user 4
Port no 10 -> Configured to allow MAC address of the HR-SERVER

This configuration will make sure that the team members have access to the network. When someone else accidentally or purposefully tries to connect to their network, they will not be able to access any resource on the network.

To configure port security on the switch, the port has to be configured as an "access" port. Only then can we apply port security.

Syntax:
Switch (config) # interface <interface type> <interface no>
Switch (config-if) # switchport mode access

Example:
Switch-HR (config) # interface fastethernet 0/0
Switch-HR (config-if) # switchport mode access



Need to configure more than one computer to access the same port, can this be done?

Imagine this scenario: there are two users from HR who work on different 12-hour shifts. They sit in the same place and use the same port to access the network. Can we still apply port security on that port?
The answer is yes, we can allow them access. We will configure the switch to allow these two MAC addresses.

Syntax : to allow more than one MAC address
Switch (config-if) # switchport port-security maximum <value>
Example:
Switch-HR (config-if) # switchport port-security maximum 2

How to add the MAC address to the ports?

There are two ways to add the MAC address to the port.
Method 1 : We type the MAC address manually. The switch expects the address in dotted hexadecimal form (H.H.H).
Syntax:
Switch (config-if) # switchport port-security mac-address <mac-address>
Example :
Switch-HR(config-if) # switchport port-security mac-address 1A2B.3C4D.5E6F

Method 2 : The switch learns the MAC address automatically. We use the keyword 'sticky' in place of the MAC address for the switch to learn the MAC address automatically.
Syntax:
Switch (config-if) # switchport port-security mac-address sticky
Example:
Switch-HR(config-if) # switchport port-security mac-address sticky



How the switch should react if an unauthorized user connects to the network?

If a security violation takes place, the switch can be configured to do one of the following:
  1. Shutdown
  2. Restrict
  3. Protect

Shutdown: If the port is configured to shut down during a violation, then the port becomes "Error Disabled" and the LED of the port is turned off. To turn the port back on we need to contact the Administrator.

Restrict: If the port is configured to restrict during the violation, then frames with an unknown source MAC address are dropped. It also gives a notification or creates a log message that a security violation has occurred.

Note: The LED on the switch will be on. The unauthorized user will think that they are connected to the network, but when they try to access the resources on the network then they will not be able to access it.

Protect: If the port is configured to protect during the violation, then frames with an unknown source MAC address are dropped.  It does not notify that a security violation has occurred.

Syntax :
Switch (config-if) # switchport port-security violation {protect|restrict|shutdown}
Example :
Switch-HR(config-if) # switchport port-security violation shutdown

  
CODING:

Configuring port security

Switch (config) # interface <interface type> <interface no>
Switch (config-if) # switchport mode access
Switch (config-if) # switchport port-security maximum <value>
Switch (config-if) # switchport port-security mac-address <mac-address>
Switch (config-if) # switchport port-security violation {protect|restrict|shutdown}
Switch (config-if) # switchport port-security
  
Verification:
Switch# show port-security
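
A configuration audit for the settings described above, as an added example that is not part of the original post. It relies on two IOS behaviours: the bare `switchport port-security` line is what enables the feature, and the violation mode defaults to shutdown. The sample config and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the original page): Fa0/6 follows
# the summary block above, Fa0/7 sets parameters but never enables the
# feature, Fa0/8 uses the silent "protect" mode.
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 switchport port-security
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/8
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
"""

def audit_port_security(config: str) -> dict:
    """Return {interface: [findings]} for access ports in an IOS-style config."""
    findings = {}
    # Split into per-interface stanzas; each one starts with "interface <name>".
    for stanza in re.split(r"(?m)^(?=interface )", config):
        lines = [ln.strip() for ln in stanza.splitlines() if ln.strip() not in ("", "!")]
        if not lines or not lines[0].startswith("interface "):
            continue
        name, body = lines[0].split(None, 1)[1], lines[1:]
        if "switchport mode access" not in body:
            continue  # port security as described here applies to access ports
        issues = []
        # Only the bare command turns the feature on; the other
        # port-security lines just set parameters.
        if "switchport port-security" not in body:
            issues.append("port-security not enabled")
        modes = re.findall(r"(?m)^switchport port-security violation (\w+)$", "\n".join(body))
        mode = modes[-1] if modes else "shutdown"  # shutdown is the default mode
        if mode == "protect":
            issues.append("violation mode protect drops frames without logging")
        findings[name] = issues
    return findings
```
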


Monday 26 March 2018

OSI Model

What is OSI Model? 

According to Wikipedia, Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.

Why OSI? 

Let's imagine a situation where you have a bunch of network equipment from Brand A (it's a top brand and expensive) for your company. After a few years you decide to expand your business and need to set up another office. When you conduct market research you find that there is another brand, Brand B, which is cheaper than Brand A.

Things to note
1. Brand B is cheaper than Brand A
2. Brand B is new in the market and Brand A is the leader in the Market.

However you want to try using Brand B. As a consumer, you have the right to choose which brand you want to use. At this point, you find that you cannot use Brand B as Brand A does not support any other brand in the network. Hence, you are forced to buy Brand A for your new branch so that you can connect both the branches.

To avoid this kind of situation, ISO (International Organization for Standardization) came up with the OSI Model, which standardizes the communication functions of a device irrespective of its technology. This helps in achieving interoperability between two different brands.

Different Layers of OSI Model:


OSI Model Consists of Seven different Layers. They are
7 - Application
6 - Presentation
5 - Session
4 - Transport
3 - Network
2 - Data Link
1 - Physical

The OSI layers are divided into 2 portions, namely Host Layers and Media Layers.
Host Layers consist of layers 7, 6, 5, 4
Media Layers consist of layers 3, 2, 1

Sunday 25 March 2018

NTP - Explanation and Configuration

What is NTP?
  • NTP - Stands for Network Time Protocol. 
  • This allows the network devices to have their clock synchronized with the central Main clock.
  • NTP gets its time from an authoritative time source, usually a radio clock / an atomic clock attached to a time server.
  • This helps to make sure that all the logs have the correct time stamp. 
  • NTP uses UDP on port 123. 


What is NTP Stratum?

  • NTP stratum refers to the distance between the Network device and the authoritative time source. 
  • Stratum has values between 0-16
  • stratum 0 refers to the source clock which has little to no delay and cannot be used on the networks. 
  • Stratum 1 is the primary device that gets the time from stratum 0 using GPS or National time and frequency transmission. 
  • The further the stratum level goes the less the accuracy will be.


Lab: Configuring NTP server

Objective: Configure a Router as NTP client and a Server as NTP server for time synchronization. 

Topology: NTP Lab – Set up the Packet tracer as above




CONFIGURE THE ROUTER:
Router(config)#hostname Router-1
Router-1(config)#interface fastEthernet 0/0
Router-1(config-if)#ip address 192.168.1.1 255.255.255.0
Router-1(config-if)#no shutdown
Router-1(config-if)#exit
Router-1(config)#exit


Configure the Server: 
Assign the IP address on the Server.


Verify the IP address and Ping the Gateway 


Enable the NTP service on the server:
  • Click on the server Icon
  • Click on services
  • Click on NTP on the left side
  • Click 'ON' under NTP and set the date and time




//Configure the Router to get the Time from NTP server
Router-1(config)#NTP server 192.168.1.2
Router-1(config)#exit
//Checking the clock after configuring the NTP server
Router-1#show clock
*11:34:29.882 UTC Sun Mar 25 2018
Router-1#
Router-1#show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.2
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is DE3D2144.00000032 (11:49:24.050 UTC Sun Mar 25 2018)
clock offset is 0.00 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec.
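
A check that could be run over collected `show ntp status` output to confirm that a device's log timestamps can be trusted, as an added example that is not part of the original lab. The first sample is the output shown above; the unsynchronized sample, the function names and the 100 ms offset threshold are assumptions made for illustration.

```python
import re

# Output copied from the lab above.
SYNCED = """\
Clock is synchronized, stratum 2, reference is 192.168.1.2
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is DE3D2144.00000032 (11:49:24.050 UTC Sun Mar 25 2018)
clock offset is 0.00 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec.
"""
# Constructed sample of a device that has lost its time source.
UNSYNCED = """\
Clock is unsynchronized, stratum 16, no reference clock
clock offset is 0.00 msec, root delay is 0.00 msec
"""

def parse_ntp_status(text: str) -> dict:
    """Extract sync state, stratum, reference and offset from the status text."""
    head = re.search(r"Clock is (synchronized|unsynchronized), stratum (\d+)", text)
    if head is None:
        raise ValueError("not 'show ntp status' output")
    ref = re.search(r"reference is (\S+)", text)
    offset = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return {
        "synchronized": head.group(1) == "synchronized",
        "stratum": int(head.group(2)),
        "reference": ref.group(1) if ref else None,
        "offset_ms": float(offset.group(1)) if offset else None,
    }

def ntp_findings(status: dict, expected_server: str, max_offset_ms: float = 100.0) -> list:
    """Return reasons this device's log timestamps should not be trusted."""
    issues = []
    if not status["synchronized"] or status["stratum"] >= 16:
        issues.append("clock not synchronized")
    elif status["reference"] != expected_server:
        # Synchronized, but to a source other than the one we configured.
        issues.append(f"unexpected time source {status['reference']}")
    if status["offset_ms"] is not None and abs(status["offset_ms"]) > max_offset_ms:
        issues.append(f"offset {status['offset_ms']} ms exceeds {max_offset_ms} ms")
    return issues
```
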

Monday 19 March 2018

What is the Subnet Mask?



  • This is used to identify the Network portion and Host portion of the IP address.
  • It has 1's in all the Network portion and 0's in the host portion


Class A: N.H.H.H
11111111.00000000.00000000.00000000
Default Subnet Mask for Class A is 255.0.0.0

Class B: N.N.H.H
11111111.11111111.00000000.00000000
Default Subnet Mask for Class B is 255.255.0.0

Class C: N.N.N.H
11111111.11111111.11111111.00000000
Default Subnet Mask for Class C is 255.255.255.0
  • The subnet mask is also used to find the Network address.
  • An AND operation is performed on the binary version of the IP address and the subnet mask.

IP Address : 10.0.2.3
SM Address : 255.0.0.0

IP : 00001010.00000000.00000010.00000011
SM : 11111111.00000000.00000000.00000000
----------------------------------------
NW : 00001010.00000000.00000000.00000000
   = 10.0.0.0
----------------------------------------

The Network Address is 10.0.0.0

AND Truth table for reference

A    B    Result
1    1    1
1    0    0
0    1    0
0    0    0

What is an IP address?

An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.

An IPv4 address is 32 bits long. It is divided into 4 octets. Each octet is 8 bits. Bits are represented by 0's and 1's.

Example: 192.168.1.1
The binary version of it is: 11000000.10101000.00000001.00000001

Total Range of IPv4 Address:

                 First octet   Second octet   Third octet   Fourth octet
Starting range   00000000      00000000       00000000      00000000
Ending Range     11111111      11111111       11111111      11111111

Converting the above table of binaries into decimal we get the following

                 First octet   Second octet   Third octet   Fourth octet
Starting range   0             0              0             0
Ending Range     255           255            255           255

So the Range of IPv4 address is 0.0.0.0 to 255.255.255.255


The different classes of IPv4 Address
  • Class A
  • Class B
  • Class C
  • Class D
  • Class E

Priority Bit:
This is used for IP address classification. The leftmost bits of the first octet are used as priority bits.

Class A   0
Class B   10
Class C   110
Class D   1110
Class E   1111

Class A: For CLASS A the first bit of the first octet is reserved as the priority bit
0XXXXXXX

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0   Decimal Value
0    0    0    0    0    0    0    0     0
0    0    0    0    0    0    0    1     1
0    0    0    0    0    0    1    0     2
0    0    0    0    0    0    1    1     3
...
0    1    1    1    1    1    1    1     127

The range starts from 0.0.0.0
It ends with 127.255.255.255

Class B: For CLASS B the first 2 bits of the first octet are reserved as the priority bit
10XXXXXX

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0   Decimal Value
1    0    0    0    0    0    0    0     128
1    0    0    0    0    0    0    1     129
1    0    0    0    0    0    1    0     130
1    0    0    0    0    0    1    1     131
...
1    0    1    1    1    1    1    1     191

The range starts from 128.0.0.0
It ends with 191.255.255.255

Class C: For CLASS C the first 3 bits of the first octet are reserved as the priority bit
110XXXXX

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0   Decimal Value
1    1    0    0    0    0    0    0     192
1    1    0    0    0    0    0    1     193
1    1    0    0    0    0    1    0     194
1    1    0    0    0    0    1    1     195
...
1    1    0    1    1    1    1    1     223

The range starts from 192.0.0.0
It ends with 223.255.255.255

Class D: For CLASS D the first 4 bits of the first octet are reserved as the priority bit
1110XXXX

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0   Decimal Value
1    1    1    0    0    0    0    0     224
1    1    1    0    0    0    0    1     225
1    1    1    0    0    0    1    0     226
1    1    1    0    0    0    1    1     227
...
1    1    1    0    1    1    1    1     239

The range starts from 224.0.0.0
It ends with 239.255.255.255

Class E: For CLASS E the first 4 bits of the first octet are reserved as the priority bit
1111XXXX

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0   Decimal Value
1    1    1    1    0    0    0    0     240
1    1    1    1    0    0    0    1     241
1    1    1    1    0    0    1    0     242
1    1    1    1    0    0    1    1     243
...
1    1    1    1    1    1    1    1     255

The range starts from 240.0.0.0
It ends with 255.255.255.255




CLASS     IP address range
Class A   0.0.0.0 - 127.255.255.255
Class B   128.0.0.0 - 191.255.255.255
Class C   192.0.0.0 - 223.255.255.255
Class D   224.0.0.0 - 239.255.255.255
Class E   240.0.0.0 - 255.255.255.255



Octet Format:

Class A : N.H.H.H
Class B : N.N.H.H
Class C : N.N.N.H

N = Refers to the Network Portion
H = Refers to the Host portion

Network address:  IP address with all bits as ZERO in the host portion.
Broadcast address: IP address with all bits as ONES in the host portion. 

Valid IP Addresses lie between the Network Address and the Broadcast Address. 

Calculate the Number of Networks for each Class:

The priority bit that was mentioned above will be used

Class A Octet Format is N.H.H.H
Network bits : 8
No. of Networks = 2^(no. of network bits – priority bits)
                = 2^(8-1)
                = 2^7
                = 128 – 2 (-2 is for the 0 & 127 networks)
                = 126 Networks

Class B Octet Format is N.N.H.H
Network bits : 16
No. of Networks = 2^(no. of network bits – priority bits)
                = 2^(16-2)
                = 2^14
                = 16384 Networks

Class C Octet Format is N.N.N.H
Network bits : 24
No. of Networks = 2^(no. of network bits – priority bits)
                = 2^(24-3)
                = 2^21
                = 2097152 Networks

Calculate the Number of Host for each Class:




Class A Octet Format is N.H.H.H
Host bits : 24
No. of Hosts = 2^(no. of host bits) – 2
             = 2^(24) – 2
             = 16777216 - 2
             = 16777214 Hosts/Network

Class B Octet Format is N.N.H.H
Host bits : 16
No. of Hosts = 2^(no. of host bits) – 2
             = 2^(16) – 2
             = 65536 - 2
             = 65534 Hosts/Network

Class C Octet Format is N.N.N.H
Host bits : 8
No. of Hosts = 2^(no. of host bits) – 2
             = 2^(8) – 2
             = 256 - 2
             = 254 Hosts/Network
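
The rules from this post and from the subnet mask post (priority bits, default mask, the AND operation, and the network and host counts) combined into one function, as an added example that is not part of the original posts. The function and table names are chosen for illustration.

```python
def to_int(dotted: str) -> int:
    """Pack a dotted-decimal IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

# (class, priority bits, number of priority bits, network bits)
# Classes D and E have no N/H octet format in the post, hence None.
CLASSES = [("A", 0b0, 1, 8), ("B", 0b10, 2, 16), ("C", 0b110, 3, 24),
           ("D", 0b1110, 4, None), ("E", 0b1111, 4, None)]

def classful_info(dotted: str) -> dict:
    """Classify an address by its priority bits and derive the classful values."""
    ip = to_int(dotted)
    first_octet = ip >> 24
    for name, prefix, nbits, net_bits in CLASSES:
        # Compare only the leftmost nbits of the first octet.
        if first_octet >> (8 - nbits) == prefix:
            break
    info = {"class": name}
    if net_bits is None:
        return info
    mask = (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF  # 1's in the network portion
    network = ip & mask                                  # AND with the subnet mask
    broadcast = network | (~mask & 0xFFFFFFFF)           # host portion all ones
    networks = 2 ** (net_bits - nbits)
    if name == "A":
        networks -= 2  # the post excludes the 0 and 127 networks
    info.update(mask=to_dotted(mask), network=to_dotted(network),
                broadcast=to_dotted(broadcast),
                hosts=2 ** (32 - net_bits) - 2, networks=networks)
    return info
```
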

