VTP

January 5th, 2010 No comments

• Configure all inter-switch links on SW2, SW3, and SW4 to be in dynamic
auto state.
• Configure all inter-switch links on SW1 to be in dynamic desirable state.
• Configure SW2 as a VTP server in the domain VTP.
• Configure SW1, SW3, and SW4 as VTP clients in the domain VTP.

SW1:
vtp domain VTP
vtp mode client
!
interface range FastEthernet0/13 - 21
switchport mode dynamic desirable
!
interface FastEthernet0/1
switchport access vlan 146
!
interface FastEthernet0/5
switchport access vlan 58

 

SW2:
vtp domain VTP
! server is the default VTP mode; set explicitly so the role is visible in the config
vtp mode server
vlan 5,7,8,9,10,22,43,58,67,79,146
!
interface FastEthernet0/2
switchport access vlan 22
!
interface FastEthernet0/4
switchport access vlan 43
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!

SW3 and SW4 take the same two VTP lines as SW1. Note what this lab does not do: no `vtp password` is set, so any switch that joins domain VTP over one of these dynamic-mode links and advertises a higher configuration revision will replace the VLAN database on every server and client in the domain. Outside a lab, set a VTP password, leave switches in `vtp mode transparent` unless they really need the propagation, and check `show vtp status` for the configuration revision and MD5 digest before connecting a switch that was previously in another domain.

Categories: Uncategorized Tags:

Router-On-A-Stick

January 5th, 2010 No comments

• Configure the link between SW2 and R6 as an 802.1q trunk link.
• Using the subinterfaces listed in the diagram configure R6 to route traffic for both VLANs 67 and 146 on its Ethernet link.

SW2(config)#int Fa 0/6
SW2(config-if)#switchport trunk encapsulation dot1q 
SW2(config-if)#switchport mode  trunk 
SW2(config-if)#end

 

R6(config)#int Fa 1/0.67
R6(config-subif)#encapsulation dot1Q 67
R6(config-subif)#ip address 155.1.67.6 255.255.255.0
R6(config-subif)#exit
R6(config)#int Fa 1/0.146                     
R6(config-subif)#encapsulation dot1Q 146            
R6(config-subif)#ip address 155.1.146.6 255.255.255.0
R6(config-subif)#exit
R6(config)#end

 

• Verify that R6 has reachability to devices both on VLAN 67 and 146.

SW2#sh int fa0/6 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/6       1-4094
Port        Vlans allowed and active in management domain
Fa0/6       1,5,7-10,22,43,58,67,69,79,146
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1,5,7-10,22,43,58,67,69,79,146

The trunk is up, but with two defaults a practitioner would tighten: it carries every VLAN (1-4094) although R6 only needs 67 and 146 (`switchport trunk allowed vlan 67,146`), and its native VLAN is 1, which is where anything R6 sends untagged from the physical interface Fa1/0 lands.

R6#ping 155.1.67.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.67.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R6#ping 155.1.146.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.146.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

The first echo to 155.1.146.4 is lost while ARP is being resolved and the remaining four succeed, which is the normal pattern for a first ping to a new neighbour.

Categories: IT, Networking, Routing, Switching Tags:

Disabling DTP

January 5th, 2010 No comments

Disable Dynamic Trunking Protocol on the trunk links of SW1.

The change is applied on all four switches, not only SW1: `switchport nonegotiate` requires the port to be a static trunk, and a far-end port left in `dynamic auto` only becomes a trunk when it hears DTP, so SW2, SW3, and SW4 would fall back to access mode if they were not also set to `switchport mode trunk`.

SW1(config)#int range Fa0/13 - 21                        
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk               
SW1(config-if-range)#switchport nonegotiate              
SW1(config-if-range)#end                                 
                                                         
SW2(config)#int range Fa0/13 - 21                        
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk               
SW2(config-if-range)#switchport nonegotiate              
SW2(config-if-range)#end                                 
                                                         
SW3(config)#int range Fa0/13 - 21                        
SW3(config-if-range)#switchport trunk encapsulation dot1q
SW3(config-if-range)#switchport mode trunk               
SW3(config-if-range)#switchport nonegotiate              
SW3(config-if-range)#end                                 
                                                         
SW4(config)#int range Fa0/13 - 21                        
SW4(config-if-range)#switchport trunk encapsulation dot1q
SW4(config-if-range)#switchport mode trunk               
SW4(config-if-range)#switchport nonegotiate              
SW4(config-if-range)#end                                 

 

Verify that trunking is still occurring between SW1 & SW2, SW1 & SW3, and SW1 & SW4 without the use of DTP.

SW1#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      146
Fa0/14      on           802.1q         trunking      146
Fa0/15      on           802.1q         trunking      146
Fa0/16      on           802.1q         trunking      146
Fa0/17      on           802.1q         trunking      146
Fa0/18      on           802.1q         trunking      146
Fa0/19      on           802.1q         trunking      146
Fa0/20      on           802.1q         trunking      146
Fa0/21      on           802.1q         trunking      146

 

SW2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1
Fa0/13      on           802.1q         trunking      146
Fa0/14      on           802.1q         trunking      146
Fa0/15      on           802.1q         trunking      146
Fa0/16      on           802.1q         trunking      146
Fa0/17      on           802.1q         trunking      146
Fa0/18      on           802.1q         trunking      146
Fa0/19      on           802.1q         trunking      146
Fa0/20      on           802.1q         trunking      146
Fa0/21      on           802.1q         trunking      146

 

SW3#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      146
Fa0/14      on           802.1q         trunking      146
Fa0/15      on           802.1q         trunking      146
Fa0/16      on           802.1q         trunking      146
Fa0/17      on           802.1q         trunking      146
Fa0/18      on           802.1q         trunking      146
Fa0/19      on           802.1q         trunking      146
Fa0/20      on           802.1q         trunking      146
Fa0/21      on           802.1q         trunking      146

 

SW4#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      146
Fa0/14      on           802.1q         trunking      146
Fa0/15      on           802.1q         trunking      146
Fa0/16      on           802.1q         trunking      146
Fa0/17      on           802.1q         trunking      146
Fa0/18      on           802.1q         trunking      146
Fa0/19      on           802.1q         trunking      146
Fa0/20      on           802.1q         trunking      146
Fa0/21      on           802.1q         trunking      146
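To make the same check repeatable across many switches, here is an added Python audit (example code, not from the original lab) that parses the first table of `show interfaces trunk` and flags ports where DTP is still negotiating, where the encapsulation was negotiated, or where the native VLAN is either the default (1) or a VLAN that carries hosts. `SAMPLE` is constructed from the outputs in this and the neighbouring posts; feed it real output captured from a switch instead.

```python
"""Audit Cisco IOS `show interfaces trunk` output for DTP and native-VLAN weaknesses.

Added example, not part of the original lab. Only the first table of the
command output (Port, Mode, Encapsulation, Status, Native vlan) is parsed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Mode: "on" = static trunk, "desirable"/"auto" = DTP negotiated it.
# Encapsulation: an "n-" prefix means it was negotiated, i.e. DTP is still running.
TRUNK_LINE = re.compile(
    r"^(?P<port>\S+)\s+(?P<mode>on|off|desirable|auto)\s+"
    r"(?P<encap>(?:n-)?(?:802\.1q|isl)|negotiate)\s+"
    r"(?P<status>\S+)\s+(?P<native>\d+)$"
)

@dataclass
class Trunk:
    port: str
    mode: str
    encap: str
    status: str
    native: int

def parse_trunks(output: str) -> list[Trunk]:
    """Return one Trunk per data row of the first table; other lines are ignored."""
    trunks = []
    for line in output.splitlines():
        m = TRUNK_LINE.match(line.strip())
        if m:
            trunks.append(Trunk(m["port"], m["mode"], m["encap"], m["status"], int(m["native"])))
    return trunks

def audit(trunks: list[Trunk], user_vlans: set[int]) -> dict[str, list[str]]:
    """Map port -> findings; ports with nothing to report are omitted."""
    findings: dict[str, list[str]] = {}
    for t in trunks:
        issues = []
        if t.mode in ("desirable", "auto"):
            issues.append(f"DTP negotiating (mode {t.mode}): use 'switchport mode trunk' and 'switchport nonegotiate'")
        if t.encap.startswith("n-"):
            issues.append("encapsulation negotiated: pin it with 'switchport trunk encapsulation dot1q'")
        if t.native == 1:
            issues.append("native VLAN is the default (1): move it to an unused VLAN")
        elif t.native in user_vlans:
            issues.append(f"native VLAN {t.native} carries user traffic: double-tagging risk")
        if issues:
            findings[t.port] = issues
    return findings

# Constructed from the outputs in the posts: one port per state worth flagging.
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1
Fa0/13      desirable    802.1q         trunking      1
Fa0/14      auto         n-802.1q       trunking      146
Fa0/15      on           802.1q         trunking      146
Fa0/16      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/6       1-4094
"""
USER_VLANS = {5, 7, 8, 9, 10, 22, 43, 58, 67, 79, 146}   # VLANs with hosts, from the lab

if __name__ == "__main__":
    for port, issues in audit(parse_trunks(SAMPLE), USER_VLANS).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

One thing this output cannot settle: Mode shows `on` both for a port with a plain `switchport mode trunk`, which still sends DTP frames, and for one that also has `switchport nonegotiate`. To confirm DTP is really off, check `show interfaces <port> switchport` for `Negotiation of Trunking: Off`.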

 

Categories: IT, Networking, Switching Tags:

802.1q Native VLAN

January 5th, 2010 No comments

Modify the native VLAN on the 802.1q trunks of SW1 so that traffic between devices in VLAN 146 is not tagged when sent over the trunk links.

This is what the task asks for, but note the trade-off: VLAN 146 has hosts in it (SW1 Fa0/1 and SW4 Fa0/4), and a host in the native VLAN can send a frame carrying two 802.1Q tags, the outer one for 146 and the inner one for another VLAN. The outer tag is removed on the trunk because 146 is native, and the next switch reads the inner tag and delivers the frame into the other VLAN, one way. In production the native VLAN is an unused VLAN with no access ports, and on platforms that support `vlan dot1q tag native` the native VLAN is tagged as well.

SW1(config)#int range Fa0/13 - 21
SW1(config-if-range)#switchport trunk native vlan 146
SW2(config)#int range Fa0/13 - 21
SW2(config-if-range)#switchport trunk native vlan 146
SW3(config)#int range Fa0/13 - 21
SW3(config-if-range)#switchport trunk native vlan 146
SW4(config)#int range Fa0/13 - 21
SW4(config-if-range)#switchport trunk native vlan 146

 

Verification:

SW1#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      146
Fa0/14      desirable    802.1q         trunking      146
Fa0/15      desirable    802.1q         trunking      146
Fa0/16      desirable    802.1q         trunking      146
Fa0/17      desirable    802.1q         trunking      146
Fa0/18      desirable    802.1q         trunking      146
Fa0/19      desirable    802.1q         trunking      146
Fa0/20      desirable    802.1q         trunking      146
Fa0/21      desirable    802.1q         trunking      146

 

SW2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1
Fa0/13      auto         n-802.1q       trunking      146
Fa0/14      auto         n-802.1q       trunking      146
Fa0/15      auto         n-802.1q       trunking      146

 

SW3#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-802.1q       trunking      146
Fa0/14      auto         n-802.1q       trunking      146
Fa0/15      auto         n-802.1q       trunking      146

 

SW4#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-802.1q       trunking      146
Fa0/14      auto         n-802.1q       trunking      146
Fa0/15      auto         n-802.1q       trunking      146
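The following Python model, added here as an example and not part of the original lab, shows the double-tagging consequence of using a populated VLAN as the native VLAN. It builds raw 802.1Q frames with `struct` and reduces the two switches to three rules: an access port accepts untagged frames or frames tagged with its own VLAN; a trunk sends its native VLAN untagged and tags every other VLAN; a trunk assigns untagged frames it receives to its native VLAN. The MAC addresses, the payload and the use of 999 as an unused native VLAN are constructed for the demonstration.

```python
"""Why a user VLAN as the 802.1Q native VLAN invites double-tagging.

Added example, not part of the original lab. Switch behaviour is reduced to
the three rules described in the lead-in; everything else is ignored.
"""
from __future__ import annotations
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier
HDR = 12               # destination MAC + source MAC

def build_frame(dst: bytes, src: bytes, vids: list[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def outer_vid(frame: bytes) -> int | None:
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, HDR)
    return tci & 0x0FFF if tpid == TPID else None

def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:HDR] + frame[HDR + 4:]

def add_tag(frame: bytes, vid: int) -> bytes:
    return frame[:HDR] + struct.pack("!HH", TPID, vid) + frame[HDR:]

def access_ingress(wire: bytes, access_vlan: int) -> tuple[int | None, bytes]:
    """Classify a frame arriving on an access port; VLAN None means dropped."""
    vid = outer_vid(wire)
    if vid is None:
        return access_vlan, wire
    if vid == access_vlan:                      # a tag for the port's own VLAN is accepted
        return access_vlan, strip_outer_tag(wire)
    return None, wire                           # a tag for any other VLAN is dropped

def trunk_egress(vlan: int, frame: bytes, native: int) -> bytes:
    """The native VLAN leaves the trunk untagged; every other VLAN gets a tag."""
    return frame if vlan == native else add_tag(frame, vlan)

def trunk_ingress(wire: bytes, native: int) -> tuple[int, bytes]:
    """Untagged frames arriving on a trunk belong to the native VLAN."""
    vid = outer_vid(wire)
    if vid is None:
        return native, wire
    return vid, strip_outer_tag(wire)

def landing_vlan(wire: bytes, access_vlan: int, native: int) -> int | None:
    """VLAN in which a frame sent on an access port of switch A is delivered by switch B."""
    vlan, frame = access_ingress(wire, access_vlan)
    if vlan is None:
        return None
    on_trunk = trunk_egress(vlan, frame, native)
    vlan_b, _ = trunk_ingress(on_trunk, native)
    return vlan_b

ATTACKER_MAC = bytes.fromhex("00005e005301")   # constructed
BROADCAST = b"\xff" * 6
PAYLOAD = b"\x00" * 46                         # constructed filler

def demo() -> dict[str, int | None]:
    """Host in VLAN 146 sends three frames; where does each land on the far switch?"""
    double = build_frame(BROADCAST, ATTACKER_MAC, [146, 67], 0x0800, PAYLOAD)
    plain = build_frame(BROADCAST, ATTACKER_MAC, [], 0x0800, PAYLOAD)
    foreign = build_frame(BROADCAST, ATTACKER_MAC, [67], 0x0800, PAYLOAD)
    return {
        "double_tag_native_146": landing_vlan(double, 146, 146),   # hops into VLAN 67
        "double_tag_native_999": landing_vlan(double, 146, 999),   # stays in VLAN 146
        "untagged_native_146": landing_vlan(plain, 146, 146),      # normal traffic
        "single_tag_67": landing_vlan(foreign, 146, 146),          # dropped at the access port
    }

if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case}: {vlan}")
```

With native VLAN 146, a frame tagged [146][67] from a host in VLAN 146 is delivered into VLAN 67 on the far switch; with the native VLAN moved to an unused 999 it stays in 146, inner tag and all. The hop is one-way, since nothing in VLAN 67 can answer by the same trick, which limits it to injection rather than full sessions, and it is defeated by an unused native VLAN or by tagging the native VLAN where the platform supports `vlan dot1q tag native`.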

 

Categories: IT, Networking, Switching, Uncategorized Tags:

802.1q Trunking

January 4th, 2010 No comments

Change the trunking encapsulation on SW1’s inter-switch links from static ISL to static 802.1q.

SW1(config)#int range Fa0/13 - 21
SW1(config-if-range)#switchport trunk encapsulation dot1q 

 

Verify that SW2, SW3, &amp; SW4 are negotiating 802.1q as the trunking encapsulation to SW1 (their encapsulation shows as n-802.1q), and that SW1 is not negotiating 802.1q to SW2, SW3, and SW4 (its encapsulation is statically 802.1q).

SW1#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1
Fa0/14      desirable    802.1q         trunking      1
Fa0/15      desirable    802.1q         trunking      1
Fa0/16      desirable    802.1q         trunking      1
Fa0/17      desirable    802.1q         trunking      1
Fa0/18      desirable    802.1q         trunking      1
Fa0/19      desirable    802.1q         trunking      1
Fa0/20      desirable    802.1q         trunking      1
Fa0/21      desirable    802.1q         trunking      1

 

SW2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1
Fa0/13      auto         n-802.1q       trunking      1
Fa0/14      auto         n-802.1q       trunking      1
Fa0/15      auto         n-802.1q       trunking      1

 

SW3#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-802.1q       trunking      1
Fa0/14      auto         n-802.1q       trunking      1
Fa0/15      auto         n-802.1q       trunking      1

 

SW4#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-802.1q       trunking      1
Fa0/14      auto         n-802.1q       trunking      1
Fa0/15      auto         n-802.1q       trunking      1

 

Categories: IT, Networking, Switching Tags:

ISL Trunking

January 4th, 2010 No comments

Statically set the trunking encapsulation of SW1’s inter-switch links to ISL.

SW1(config)#int ra fa 0/13 - 21
SW1(config-if-range)#switchport trunk encapsulation isl 

 

Verify that SW2, SW3, & SW4 are negotiating ISL as the trunking encapsulation to SW1, and that SW1 is not negotiating ISL to SW2, SW3,and SW4.

SW1#sh int trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    isl            trunking      1
Fa0/14      desirable    isl            trunking      1
Fa0/15      desirable    isl            trunking      1
Fa0/16      desirable    isl            trunking      1
Fa0/17      desirable    isl            trunking      1
Fa0/18      desirable    isl            trunking      1
Fa0/19      desirable    isl            trunking      1
Fa0/20      desirable    isl            trunking      1
Fa0/21      desirable    isl            trunking      1

 

SW2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1
Fa0/13      auto         n-isl          trunking      1
Fa0/14      auto         n-isl          trunking      1
Fa0/15      auto         n-isl          trunking      1

SW3#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-isl          trunking      1
Fa0/14      auto         n-isl          trunking      1
Fa0/15      auto         n-isl          trunking      1

SW4#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-isl          trunking      1
Fa0/14      auto         n-isl          trunking      1
Fa0/15      auto         n-isl          trunking      1

 

Categories: Uncategorized Tags:

Layer 2 Dynamic Switchports

January 4th, 2010 No comments

Configure all inter-switch links on SW2, SW3, and SW4 to be in dynamic auto state and configure all inter-switch links on SW1 to be in dynamic desirable state.

SW1:
interface range FastEthernet0/13 - 21
switchport mode dynamic desirable
SW2:
interface range FastEthernet0/13 - 21
switchport mode dynamic auto
SW3:
interface range FastEthernet0/13 - 21
switchport mode dynamic auto
SW4:
interface range FastEthernet0/13 - 21
switchport mode dynamic auto

 

Verification: using the CAM table, verify that all layer 2 traffic between devices in the same VLAN, but not attached to the same switch, transits SW1.

R4#ping 155.1.146.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.146.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#sh arp          
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  155.1.146.1            85   0025.84e8.6381  ARPA   FastEthernet1/1
Internet  155.1.146.4             -   001b.2ad6.f9d2  ARPA   FastEthernet1/1
Internet  155.1.146.6             0   0007.0e45.7f01  ARPA   FastEthernet1/1
Internet  204.12.1.4              -   001b.2ad6.f9d1  ARPA   FastEthernet1/0
Internet  204.12.1.254            0   001b.2ae2.c9c1  ARPA   FastEthernet1/0

 

SW2#sh mac addr dynamic address 0007.0e45.7f01
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.0e45.7f01    DYNAMIC     Fa0/6
 146    0007.0e45.7f01    DYNAMIC     Fa0/6
Total Mac Addresses for this criterion: 2

The ping proves connectivity between R4 (VLAN 146 via SW4 Fa0/4, the only access port in that VLAN besides SW1 Fa0/1) and R6, and SW2's table shows R6's MAC learned on Fa0/6, in VLAN 146 for the tagged subinterface traffic and in VLAN 1 for whatever R6 sends untagged from the physical interface. That lookup alone does not show the path through SW1: the same MAC looked up on SW4 and on SW1 should point at one of the Fa0/13-21 trunk ports, which is how the inter-switch path appears in the CAM table.

Categories: IT, Networking, Switching Tags:

Layer 2 Access Switchports

January 4th, 2010 No comments

VLAN assignments on SW1, SW2, SW3, and SW4 to obtain basic connectivity.

!SW1:
vlan 7,58,67,79,146
!
interface FastEthernet0/1
switchport access vlan 146
!
interface FastEthernet0/5
switchport access vlan 58
!SW2:
vlan 8,22,43,58
!
interface FastEthernet0/2
switchport access vlan 22
!
interface FastEthernet0/4
switchport access vlan 43
!
interface FastEthernet0/24
switchport access vlan 22
!SW3:
vlan 5,9,43,79
!
interface FastEthernet0/5
switchport access vlan 5
!
interface FastEthernet0/24
switchport access vlan 43
!SW4:
vlan 10,146
!
interface FastEthernet0/4
switchport access vlan 146

These access ports are configured with `switchport access vlan` only. On a 3560 the default port mode is `dynamic auto`, so each of them still answers DTP and will form a trunk if the attached device negotiates one; outside a lab, add `switchport mode access` (which turns DTP off on the port) to every port that faces an end host.

Verification:

SW1#sh int status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    146        a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        connected    routed     a-full  a-100 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        connected    58         a-full  a-100 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8                        notconnect   1            auto   auto 10/100BaseTX
Fa0/9                        notconnect   1            auto   auto 10/100BaseTX
Fa0/10                       notconnect   1            auto   auto 10/100BaseTX
Fa0/11                       notconnect   1            auto   auto 10/100BaseTX
Fa0/12                       notconnect   1            auto   auto 10/100BaseTX
Fa0/13                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/14                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/15                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/16                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/17                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/18                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/19                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/20                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/21                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/22                       notconnect   1            auto   auto 10/100BaseTX
Fa0/23                       notconnect   1            auto   auto 10/100BaseTX
Fa0/24                       notconnect   1            auto   auto 10/100BaseTX

 

Categories: IT, Networking, Switching Tags:

ASA – Botnet Configuration

December 10th, 2010 No comments

Documentation
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.htm
Overview
Malware is malicious software installed on a host without its owner's knowledge. When such malware starts a connection to a known bad address, for example to send out passwords, credit card numbers, key strokes, or proprietary data, the Botnet Traffic Filter can detect it: it checks incoming and outgoing connections against a dynamically updated database of known bad domain names and IP addresses (the blacklist) and logs the match. On the 8.2(1) code shown below the feature classifies and logs only; dropping blacklisted traffic (`dynamic-filter drop blacklist`) was added in 8.2(2).
Prerequisite
The ASA must be running at least 8.2(1) and have the Botnet Traffic Filter license installed; `show version` confirms both:

ASA-5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)
.......
Botnet Traffic Filter        : Enabled

 

Once the license expires, filtering stops until the license is renewed.
Limitations
The Botnet Traffic Filter does not share any information between failover pairs.
A failover or a reboot requires the dynamic database to be downloaded again.
There is currently no IPv6 support.
Step by Step Configuration

1. Enable the DNS client on the ASA
This is required so the ASA can resolve the address of Cisco SIO's update service, from which the updater client fetches the dynamic database.

 
ASA(config)# dns domain-lookup outside
ASA(config)#dns server-group DefaultDNS
ASA(config-dns-server-group)#name-server 4.2.2.2

 

2. Enable the updater client, which downloads the dynamic database from the Cisco update server.

ASA(config)#dynamic-filter updater-client enable

 

3. Enable use of the downloaded dynamic database for traffic classification.

ASA(config)#dynamic-filter use-database

 

4. Classify the traffic: a `deny` entry in the classify-list exempts traffic from the Botnet Traffic Filter, a `permit` entry subjects it.

ASA(config)#access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0  ---> exempted traffic
ASA(config)#access-list botnet-exclude extended permit ip any any  ---> subjected traffic

 

5. Enable dynamic-filter classification on outside interface

ASA(config)#dynamic-filter enable interface outside classify-list botnet-exclude

 

6. Configure a class map that matches only DNS traffic

ASA(config)#class-map botnet-DNS
ASA(config-cmap)# match port udp eq domain

 

7. Enable DNS snooping on the outside interface, where the replies from external resolvers arrive

ASA(config)# policy-map botnet-policy
ASA(config-pmap)# class botnet-DNS
ASA(config-pmap-c)# inspect dns dynamic-filter-snoop
ASA(config)# service-policy botnet-policy interface outside

 

Alternatively, you can also choose to apply this to the existing global policy that is already configured on the ASA.

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
  inspect dns dynamic-filter-snoop
  ...
service-policy global_policy global
 

 

8. Define a local whitelist and/or blacklist if needed.
Never block addresses (whitelist):
Traffic to or from an address on the administrator-configured whitelist is reported as whitelisted even if the address also appears on the dynamic blacklist; the whitelist takes precedence.

 
ASA(config)# dynamic-filter whitelist
ASA(config-llist)# name www.google.com
ASA(config-llist)# name www.cisco.com

 

Manual blacklist:
This is traffic to or from an IP address that is considered to be malicious. This IP address can be either an IP address/network entry in the dynamic blacklist or administrator configured blacklist, or it can be a snooped IP address that was found in a DNS reply for a blacklisted domain.

ASA(config)# dynamic-filter blacklist
ASA(config-llist)# name www.crackhell.com
ASA(config-llist)# name www.megaport.hu
ASA(config-llist)# address 164.109.48.46 255.255.255.255

 

Final Configuration Section:

dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
!
dynamic-filter updater-client enable
dynamic-filter use-database
!
access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0 
access-list botnet-exclude extended permit ip any any
!
dynamic-filter enable interface outside classify-list botnet-exclude
!
class-map botnet-DNS
match port udp eq domain
!
policy-map botnet-policy
class botnet-DNS
  inspect dns dynamic-filter-snoop 
!
service-policy botnet-policy interface outside
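The configuration above wires four things together: the classify-list (deny = exempt, permit = monitored), the DNS snooping that fills the DNS reverse cache (DNSRC) with the addresses of listed names, the static lists, and the verdict for each new connection. The Python below is an added model of that decision flow (example code, not the ASA's implementation and not from the original post); it builds a minimal DNS reply with `struct` so it runs offline. The blacklist and whitelist names and the static address come from the configuration above; the 203.0.113.x/198.51.100.x addresses, the 10.1.1.45 client and the `make_filter` and `demo` helpers are constructed.

```python
"""Model of the Botnet Traffic Filter decision flow (added example, not ASA code)."""
from __future__ import annotations
import ipaddress
import struct

def build_dns_reply(name: str, addresses: list[str], txid: int = 0x1234) -> bytes:
    """Minimal DNS response: one question and one A record per address, no name compression."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)   # QR, RD, RA set
    question = qname + struct.pack("!HH", 1, 1)                               # QTYPE A, QCLASS IN
    answers = b"".join(qname + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(a).packed for a in addresses)
    return header + question + answers

def parse_name(data: bytes, off: int) -> tuple[str, int]:
    """Read a DNS name at `off`, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        n = data[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                                 # pointer to an earlier name
            target = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            labels.append(parse_name(data, target)[0])
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n

def snoop_a_records(reply: bytes):
    """Yield (name, ip) for every A record in a DNS response; this is what snooping reads."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", reply, 0)
    if not flags & 0x8000:                                   # QR clear: a query, not a reply
        return
    off = 12
    for _ in range(qd):
        off = parse_name(reply, off)[1] + 4                  # skip QTYPE/QCLASS
    for _ in range(an):
        name, off = parse_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield name, str(ipaddress.IPv4Address(reply[off:off + 4]))
        off += rdlen

class BotnetFilter:
    def __init__(self, blacklist_names, blacklist_nets, whitelist_names, classify_acl):
        self.blacklist_names = set(blacklist_names)    # dynamic database + `dynamic-filter blacklist` names
        self.blacklist_nets = [ipaddress.ip_network(n) for n in blacklist_nets]   # `address` entries
        self.whitelist_names = set(whitelist_names)    # `dynamic-filter whitelist` names
        # classify-list as (action, src, dst): first match wins; deny = exempt, no match = exempt
        self.classify_acl = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in classify_acl]
        self.dnsrc: dict[str, str] = {}                # DNS reverse cache: ip -> listed name

    def snoop(self, reply: bytes) -> None:
        """`inspect dns dynamic-filter-snoop`: remember the addresses of listed names."""
        for name, ip in snoop_a_records(reply):
            if name in self.blacklist_names or name in self.whitelist_names:
                self.dnsrc[ip] = name

    def _monitored(self, src, dst) -> bool:
        for action, s, d in self.classify_acl:
            if src in s and dst in d:
                return action == "permit"
        return False

    def verdict(self, src_ip: str, dst_ip: str) -> str:
        """Classification of a new connection: exempt, whitelisted, blacklisted or allow."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if not self._monitored(src, dst):
            return "exempt"
        if any(self.dnsrc.get(str(ip)) in self.whitelist_names for ip in (src, dst)):
            return "whitelisted"                       # whitelist takes precedence over the blacklist
        for ip in (src, dst):
            if self.dnsrc.get(str(ip)) in self.blacklist_names or any(ip in n for n in self.blacklist_nets):
                return "blacklisted"
        return "allow"

def make_filter() -> BotnetFilter:
    """Filter matching the post's configuration (names and address from the post, ACL from botnet-exclude)."""
    return BotnetFilter(
        blacklist_names=["www.crackhell.com", "www.megaport.hu"],
        blacklist_nets=["164.109.48.46/32"],
        whitelist_names=["www.google.com", "www.cisco.com"],
        classify_acl=[("deny", "0.0.0.0/0", "192.168.0.0/16"), ("permit", "0.0.0.0/0", "0.0.0.0/0")],
    )

def demo() -> dict:
    """Snoop three constructed replies, then classify five connections from a constructed client."""
    f = make_filter()
    f.snoop(build_dns_reply("www.crackhell.com", ["203.0.113.7"]))
    f.snoop(build_dns_reply("www.cisco.com", ["198.51.100.10"]))
    f.snoop(build_dns_reply("www.example.com", ["198.51.100.20"]))   # on neither list: not cached
    return {
        "dnsrc": dict(f.dnsrc),
        "blacklisted_name": f.verdict("10.1.1.45", "203.0.113.7"),
        "blacklisted_address": f.verdict("10.1.1.45", "164.109.48.46"),
        "whitelisted_name": f.verdict("10.1.1.45", "198.51.100.10"),
        "exempt_by_acl": f.verdict("10.1.1.45", "192.168.5.5"),
        "clean": f.verdict("10.1.1.45", "198.51.100.20"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes one operational point visible: name-based entries only match through the DNSRC, and the DNSRC holds only what the ASA has seen in replies crossing the interface where snooping is applied. After a reboot or failover (see Limitations above) it starts empty, so a host that still has the answer cached resolves nothing new and is matched only by address entries until the name is looked up again.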
 

 

Logging

The Botnet Traffic Filter reports through syslog messages in the following ID ranges; the text and severity of each message is in the system messages guide linked below.

338001 – 338004
338101 – 338104
338201 – 338204
338301 – 338310

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5787165
Show commands

show dynamic-filter data
dynamic-filter database find <string>
show dynamic-filter reports top botnet-sites
show dynamic-filter reports top infected-hosts
show dynamic-filter reports top botnet-ports

 

clear dynamic-filter statistics
Clears the Botnet Traffic Filter statistics at any time; add the optional `interface <nameif>` keyword to clear them for a single interface.

clear dynamic-filter reports top [botnet-sites | botnet-ports | infected-hosts]
Resets the top-N report counters to 0 and removes all entries from the reports.

clear dynamic-filter dns-snoop
Deletes all entries from the DNS reverse cache (DNSRC), the table of IP addresses learned from snooped DNS replies; until the cache is repopulated, only address-based entries can match.

Categories: Networking, Security Tags:

Cisco 3560 IOS Upgrade

August 25th, 2007 No comments

All-in-one command (`archive download-sw` extracts the .tar image onto flash, `/overwrite` replaces the image already there, and `/reload` reloads the switch once the download is complete):

Switch# archive download-sw /overwrite /reload tftp://10.10.1.27/c3560-ipservicesk9-mz.122-55.SE3.tar

 

Step-by-step breakdown (copy the .bin image, point the boot variable at it, save, reload). Before changing the boot variable, compare the image's MD5 with the value published for it on cisco.com using `verify /md5 flash:c3560-ipservicesk9-mz.122-55.SE3.bin`: a truncated or tampered image is cheaper to catch here than after the reload. Keep the old image on flash until the new one has booted, so the boot variable can be pointed back at it if needed. `boot system` is a global configuration command, so it is entered from configure terminal, and the boot variable must name the image that was just copied:

Switch# copy tftp://10.10.1.27/c3560-ipservicesk9-mz.122-55.SE3.bin flash:c3560-ipservicesk9-mz.122-55.SE3.bin
Switch# configure terminal
Switch(config)# boot system flash:c3560-ipservicesk9-mz.122-55.SE3.bin
Switch(config)# end
Switch# copy running-config startup-config
Building configuration...
[OK]
Switch# show boot
BOOT path-list      : flash:c3560-ipservicesk9-mz.122-55.SE3.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : no
Manual Boot         : no
HELPER path-list    :
Auto upgrade        : yes
Auto upgrade path   :
Timeout for Config
          Download:    0 seconds
Config Download
       via DHCP:       disabled (next boot: disabled)
Switch# reload

 

Categories: IT, Networking, Switching Tags: