Archives for posts with tag: VLAN

This post will show you how to configure a DHCP scope on your Cisco device.

DHCP uses the transport layer protocol UDP. The DHCP server uses port 67 and the client uses port 68. DHCP itself sits at layer 7, the application layer.

Create your pools just like the ones below and add any options you require. I’ve shown two different option types, one IP and one ASCII; you can add as many options as you need.

ip dhcp pool vlan10
network 10.10.10.0 255.255.255.0
update dns both override
domain-name mydomain.com
dns-server 10.1.1.111 10.2.2.222
netbios-name-server 10.1.1.111 10.2.2.222
default-router 10.10.10.1
option 137 ascii http://myserver.com/update
option 150 ip 192.168.101.1
lease 3
!
ip dhcp pool vlan16
network 10.10.16.0 255.255.255.0
update dns both override
domain-name mydomain.com
dns-server 10.1.1.111 10.2.2.222
netbios-name-server 10.1.1.111 10.2.2.222
default-router 10.10.16.1
option 150 ip 192.168.101.1
option 137 ascii http://myserver.com/update
lease 3
!

To add static DHCP reservations you need to add the MAC address as below. Note that the client-identifier starts with ’01’ and is written in dotted hexadecimal; the ’01’ is the hardware type and means Ethernet.

ip dhcp pool static-user1
host 10.10.10.54 255.255.255.0
client-identifier 01bb.cccc.dddd.ff
!
ip dhcp pool staticuser2
host 10.10.16.53 255.255.255.0
client-identifier 01xx.yyyy.zzzz.aa

The above configuration would be added to the switch that holds your SVIs.
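As an added illustration (not part of the original post), here is a small Python helper that derives the IOS client-identifier from a MAC address in any common notation and reverses it when reading show ip dhcp binding output. The sample MAC is constructed to reproduce the first reservation above.

```python
import re

def cisco_client_identifier(mac: str) -> str:
    """Build the IOS 'client-identifier' value for an Ethernet MAC address.

    IOS expects the hardware type byte 01 (Ethernet) followed by the six MAC
    bytes, written as seven bytes in dotted hex: 01aa.bbcc.ddee.ff
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff.
    """
    if not re.fullmatch(r"[0-9a-fA-F:.\-]+", mac):
        raise ValueError(f"unexpected characters in MAC address: {mac!r}")
    hexdigits = re.sub(r"[:.\-]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    raw = "01" + hexdigits  # 14 hex digits = 7 bytes
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def mac_from_client_identifier(cid: str) -> str:
    """Reverse direction, handy when reading 'show ip dhcp binding' output."""
    hexdigits = cid.replace(".", "").lower()
    if len(hexdigits) != 14 or not hexdigits.startswith("01"):
        raise ValueError(f"not an Ethernet (type 01) client-identifier: {cid!r}")
    body = hexdigits[2:]
    return ":".join(body[i:i + 2] for i in range(0, 12, 2))

def static_pool(name: str, ip: str, mask: str, mac: str) -> str:
    """Render a static reservation pool in the same shape as the post's config."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" host {ip} {mask}",
        f" client-identifier {cisco_client_identifier(mac)}",
        "!",
    ])

if __name__ == "__main__":
    # Constructed sample MAC that reproduces the post's first reservation.
    print(static_pool("static-user1", "10.10.10.54", "255.255.255.0", "bb:cc:cc:dd:dd:ff"))
```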

Confirm your configuration with the commands below.

show ip dhcp binding – shows all assigned IPs and their MAC addresses (client identifiers).
show ip dhcp pool [pool name] – shows information on the pool, including the number of IPs leased.
show ip dhcp conflict – shows any address conflicts detected in your pools.
clear ip dhcp binding {x.x.x.x | *} and clear ip dhcp conflict {x.x.x.x | *} – clear the binding or conflict for the address you specify, or all of them with *.


RH

The last item on our list is the service-policy. This is where we apply our policy-map to an interface and specify the direction in which the policy applies.

To help you visualise how the command is used and in which direction, see the picture below.

[Picture: QOS]

QOS is being applied to traffic coming from inside our network going outbound to the WAN.

Your interface will look something like this.

interface FastEthernet0/0
 description WAN_interface
 bandwidth 20000
 ip address 10.100.100.2 255.255.255.252
 ip nbar protocol-discovery
 service-policy output QOS_Egress

To confirm the QOS is working, use the command “show policy-map interface fastethernet 0/0”. This gives you a whole bunch of information; see below for an example of how it might look.

Service-policy output: QOS_Egress

queue stats for all priority classes:

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 331150787/112001702019

Class-map: voice_traffic (match-all)
266055005 packets, 57655712122 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
Priority: 7% (1400 kbps), burst bytes 35000, b/w exceed drops: 0
QoS Set
dscp ef
Packets marked 266055059

Class-map: voip_signal (match-any)
78149834 packets, 7487646866 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match:  dscp cs3 (24) af31 (26)
78149834 packets, 7487646866 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 78149832/7487645664
bandwidth 3% (600 kbps)
QoS Set
dscp af31
Packets marked 78149834

Class-map: class-default (match-any)
9073254895 packets, 3302249852254 bytes
5 minute offered rate 998000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/16751970/0
(pkts output/bytes output) 569664615/3424829483864
QoS Set
dscp default
Packets marked 9071570170
shape (average) cir 16000000, bc 160000, be 160000
target shape rate 16000000

As you can see, it gives lots of information on how your QOS is performing. The class-default shows some drops, which means it had to drop packets when the link was congested; that is in fact your QOS policy doing its job. If the drops were excessive you would adjust the class values up or down, whichever suits your network.
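An added example, not from the original post: a Python parser for this show policy-map interface output that pulls the per-class packet and drop counters, so excessive drops can be alerted on from a scheduled poll instead of eyeballing the output. The sample text is an abbreviated reconstruction of the counters shown above.

```python
import re

# Abbreviated "show policy-map interface fastethernet 0/0" output, constructed
# here from the counters shown in the post (not a live capture).
SAMPLE = """\
Service-policy output: QOS_Egress
  queue stats for all priority classes:
    (queue depth/total drops/no-buffer drops) 0/0/0
  Class-map: voice_traffic (match-all)
    266055005 packets, 57655712122 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Priority: 7% (1400 kbps), burst bytes 35000, b/w exceed drops: 0
  Class-map: voip_signal (match-any)
    78149834 packets, 7487646866 bytes
    Match:  dscp cs3 (24) af31 (26)
    78149834 packets, 7487646866 bytes
    (queue depth/total drops/no-buffer drops) 0/0/0
  Class-map: class-default (match-any)
    9073254895 packets, 3302249852254 bytes
    5 minute offered rate 998000 bps, drop rate 0 bps
    (queue depth/total drops/no-buffer drops) 0/16751970/0
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-\w+\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")
QUEUE_DROPS_RE = re.compile(r"no-buffer drops\)\s+\d+/(\d+)/\d+")
PRIO_DROPS_RE = re.compile(r"b/w exceed drops:\s+(\d+)")

def parse_policy_map(text: str) -> dict:
    """Return {class name: {"packets", "drops", "drop_pct"}} parsed from the output."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"packets": 0, "drops": 0})
        elif cur is None:
            continue  # summary lines before the first Class-map
        elif (m := PKTS_RE.match(line)) and cur["packets"] == 0:
            cur["packets"] = int(m.group(1))  # first counter line only (voip_signal repeats it)
        elif m := QUEUE_DROPS_RE.search(line):
            cur["drops"] += int(m.group(1))  # CBWFQ queue drops
        elif m := PRIO_DROPS_RE.search(line):
            cur["drops"] += int(m.group(1))  # LLQ policer drops
    for c in classes.values():
        c["drop_pct"] = 100.0 * c["drops"] / c["packets"] if c["packets"] else 0.0
    return classes

def classes_over_threshold(text: str, max_drop_pct: float) -> list:
    """Classes whose drop ratio exceeds the threshold, for alerting from a poll."""
    return [n for n, c in parse_policy_map(text).items() if c["drop_pct"] > max_drop_pct]
```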

If you just want to view an individual class, use the command “show policy-map interface fastethernet 0/0 output class web_traffic”, for example.

If you try “service-policy input QOS_Egress” you will receive an error stating that the policy cannot be applied to the interface. This is because CBWFQ is a queuing mechanism for the outbound direction only, never the inbound direction.

I hope my 3-part blog has gone some way to helping you understand QOS.

RH

A common scenario you might come across is having a device on your network that needs to be restricted, for example a third-party PC that doesn’t meet your security requirements but needs to access a production server.

If your network can support it, segment this part of your network into its own VLAN and route between VLANs on a layer 3 switch or at the router. In my example it’s a layer 3 switch: write the access list, then apply it to the VLAN interface either inbound or outbound.

Below is the basic config for VLAN 10. Anything in this VLAN will only be able to access the production server at 10.50.5.10, which happens to be on VLAN 20; the same approach applies to devices or whole subnets on a different switch or even across the WAN. I’ll make this interesting and allow the clients access only on TCP port 80, and also allow them to look up DNS on the same server, which is UDP port 53.


Create your ACL
————————————-
ip access-list extended 100
permit ip any 192.168.1.0 0.0.0.255
permit tcp any host 10.50.5.10 eq www
permit udp any host 10.50.5.10 eq domain
deny ip any any log

Apply your ACL to the VLAN interface
————————————-
interface vlan 10
ip access-group 100 in

That’s all you have to do to restrict the traffic; it’s very simple. The in and out keywords are hard to understand at first, but just imagine yourself standing on top of the switch and think of the traffic direction: in my case the clients’ traffic is inbound to the switch from VLAN 10. Note that the first permit line also allows full IP access to 192.168.1.0/24; remove it if the production server really is the only thing VLAN 10 should reach.
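To make the first-match semantics concrete, here is an added Python evaluator (not part of the original post) that parses the ACL above, with its wildcard masks and host/any keywords, and walks sample flows through it, including the implicit deny at the end.

```python
import ipaddress

# The post's ACL, embedded here as sample input.
ACL_TEXT = """\
ip access-list extended 100
permit ip any 192.168.1.0 0.0.0.255
permit tcp any host 10.50.5.10 eq www
permit udp any host 10.50.5.10 eq domain
deny ip any any log
"""

PORT_NAMES = {"www": 80, "domain": 53}  # the IOS port keywords used above

def _addr_matcher(tok, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD'); return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        target = ipaddress.ip_address(tok[i + 1])
        return (lambda ip: ip == target), i + 2
    base = int(ipaddress.ip_address(tok[i]))
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    # wildcard bits set to 1 are "don't care", so compare only the fixed bits
    return (lambda ip: (int(ip) | wildcard) == (base | wildcard)), i + 2

def parse_acl(text):
    """Return a list of (action, protocol, src matcher, dst matcher, dst port or None)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended 100' header
        src, i = _addr_matcher(tok, 2)
        dst, i = _addr_matcher(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]
        entries.append((tok[0], tok[1], src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First-match evaluation as IOS does it; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, smatch, dmatch, eport in entries:
        if (eproto in ("ip", proto) and smatch(s) and dmatch(d)
                and (eport is None or eport == dport)):
            return action
    return "deny"
```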

RH

When you receive your new Cisco switch it’s inherently insecure out of the box, so here are a few things you might want to think about before you go ahead and use it in a production environment.

1. Set an enable password with “(config)#enable secret 0 cisco12345”. Using secret hashes your password with MD5 rather than storing it in plain text.

2. Encrypt any plain-text passwords with “(config)#service password-encryption”.

3. Use the interface range command on your access ports and enable spanning-tree portfast and switchport mode access in one go with the handy command “(config-if)#switchport host”; this also disables EtherChannel negotiation on the port.

4. Still inside the range command you can use “(config-if)#spanning-tree bpduguard enable”. This will shut down the port should a bogus switch be plugged into any of the ports and start sending BPDUs. You can also enable this globally for all portfast ports with “(config)#spanning-tree portfast bpduguard default”.

5. A simple yet effective practice: never use VLAN 1 for anything unless you really need to!

6. Use a blackhole VLAN, some obscure unused VLAN such as 999, and put all unused ports in it, so should an attacker plug into an unused port they simply aren’t going to get access to anything; or just shut the unused ports down until needed.

7. Use port-security to limit the number of MAC addresses you expect to see on a port. On a normal data/voice port, for example, you’d expect to see one PC and one VoIP device: set “(config-if)#switchport port-security maximum 2”, then enable it on the port with “(config-if)#switchport port-security”. If more than 2 MAC addresses are seen on the port it will be disabled. There are other, more granular options with this command, so investigate them and use what suits you.

8. Create a local user with “(config)#username admin_cisco privilege 15 secret 0 cisco54321”.

9. Secure your console and VTY lines so they authenticate against that local user database: under line console 0 and line vty 0 15 use “(config-line)#login local”.

These steps are simple and easy, and hopefully you will think about using them to secure your device. This list is not exhaustive, so do some research.
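An added example, not the post’s own material: a Python audit that reads an IOS running-config and reports which of the checklist items above are missing (enable secret, service password-encryption, global BPDU guard, access ports left in VLAN 1, access ports without port-security). The config excerpt is constructed for the demo, and the hash in its enable secret line is a placeholder.

```python
# Constructed running-config excerpt (not from the post) to audit against the list.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvalue
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/4
 switchport mode access
!
"""

def split_interfaces(config: str) -> dict:
    """Map each interface name to its indented sub-commands."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # '!' or a global command ends the interface block
    return ifaces

def audit(config: str) -> list:
    """Findings for the global and per-port items in the checklist (items 1, 2, 4, 5, 6, 7)."""
    findings, lines = [], config.splitlines()
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("global: no 'enable secret' configured")
    if "service password-encryption" not in lines:
        findings.append("global: 'service password-encryption' missing")
    if "spanning-tree portfast bpduguard default" not in lines:
        findings.append("global: BPDU guard not enabled globally")
    for name, cmds in split_interfaces(config).items():
        if "shutdown" in cmds or "switchport mode trunk" in cmds:
            continue  # shut ports are fine (item 6); trunks need their own checks
        vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")), "1")
        if vlan == "1":
            findings.append(f"{name}: access port left in VLAN 1")
        if "switchport port-security" not in cmds:
            findings.append(f"{name}: port-security not enabled")
    return findings
```

Routed ports and trunks are skipped or not modelled here; extend split_interfaces if your access switches carry them.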

RH

Setting up your ASA for guest wireless is easy; you only need the base licence to do this. First of all you need to know that a VLAN sits at layer 2 of the OSI model, and when your clients connect to the Guest Wireless VLAN they will route out of that VLAN via the ASA firewall. So here’s your topology.

[Picture: topology]

I can hear you ask why there are 2 connections to the firewall: one is your inside corporate interface and the second is your guest wireless interface.

You’ve already set up your AP, either as an autonomous AP or connected to your LAN controller. The reason you need to trunk the AP to the switch is so you can have multiple SSIDs, each with its own VLAN assigned. One thing I would mention is to make sure your switch has DTP turned off on unused ports; I don’t think I need to explain that one, do I?

ASA1(config)#interface vlan 3
ASA1(config-if)#nameif Guest
ASA1(config-if)#security-level 50
ASA1(config-if)#ip address 192.168.1.254 255.255.255.0
ASA1(config-if)#no forward interface vlan 1
ASA1(config-if)#exit
ASA1(config)#interface ethernet 0/2
ASA1(config-if)#switchport access vlan 3
ASA1(config-if)#exit

NAT Translation

ASA1(config)#global (outside) 1 interface
ASA1(config)#nat (Guest) 1 0.0.0.0 0.0.0.0

I usually assign DHCP addresses from the ASA when setting up guest wireless this way, but you can do it from the LAN controller or the AP itself. Here’s the config for the ASA; the last argument of dhcpd address and dhcpd enable is the interface nameif, Guest, configured above:

ASA1(config)#dhcpd address 192.168.1.x 192.168.1.x Guest
ASA1(config)#dhcpd dns 8.8.8.8
ASA1(config)#dhcpd enable Guest

That, my friends, is all there is to it. Your ASA already has the rule that states “any to any less secure network”, which means your guest wireless clients will be able to access the internet, and the config line “no forward interface vlan 1” prevents access to your inside corporate network.

“If you can’t see it, it’s not there”

RH