Archive for September, 2010

Native VLAN – why you should change it

September 27, 2010 1 comment

The native VLAN (assuming 802.1Q) is the VLAN that is sent untagged by default. The default on Cisco switches is that all ports are in VLAN 1, and if trunking is used VLAN 1 will be sent untagged. VLAN 1 is also used for other things like DTP, VTP and CDP frames, and also BPDUs. Using VLAN 1 as a management VLAN is a bad idea – unless all access ports are removed from it, of course.

A better idea is to create a VLAN which is used as a dummy native VLAN. Set this VLAN to native with switchport trunk native vlan x, where x is the number you chose for the dummy native VLAN. Choose a different VLAN to use for your management traffic. The advantages of doing this are:

  • All VLANs will be tagged
  • No risk of leaking traffic from access ports to trunk ports unless configured to do so
  • Dedicated VLAN for management, separated from clients who will not be able to access it
  • Requires more thought which will lead to a better design than trusting defaults
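As an added example (not from the original post), a small Python audit over a constructed Catalyst-style config that flags the conditions described above: a trunk left on native VLAN 1, a native VLAN that also carries the management SVI, and an access port sitting in a trunk's native VLAN. The interface names, the SVI address and the dummy VLAN number 999 are constructed.

```python
"""Audit a Catalyst-style running config for the native-VLAN problems the post
describes. Added example; the sample config is constructed: Gi0/1 is a trunk left
at defaults, Gi0/2 uses a dummy native VLAN, Gi0/3 is an access port in VLAN 1."""
import re

SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 1
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def vlan_of(lines, prefix):
    """VLAN number following 'prefix' in a block, else 1 (the 802.1Q default)."""
    m = [re.fullmatch(prefix + r" (\d+)", l) for l in lines]
    return next((int(x.group(1)) for x in m if x), 1)

def audit_native_vlan(config):
    """Return (interface, finding) tuples for trunks and access ports."""
    blocks = parse_interfaces(config)
    mgmt = {int(n[4:]) for n, l in blocks.items()  # SVIs with an IP = management VLANs
            if n.startswith("Vlan") and any(x.startswith("ip address") for x in l)}
    trunks = {n: vlan_of(l, "switchport trunk native vlan")
              for n, l in blocks.items() if "switchport mode trunk" in l}
    findings = [(n, "trunk uses default native VLAN 1") for n, v in trunks.items() if v == 1]
    findings += [(n, f"native VLAN {v} carries the management SVI")
                 for n, v in trunks.items() if v in mgmt]
    for name, lines in blocks.items():
        access = vlan_of(lines, "switchport access vlan")
        if "switchport mode access" in lines and access in trunks.values():
            findings.append((name, f"access port in native VLAN {access}"))
    return findings
```

An access port placed in the dummy native VLAN is flagged as well, which matches the advice above that the dummy VLAN should carry no access ports.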
Categories: Layer 2

Spanning tree

September 22, 2010 2 comments

Been really busy lately with a big migration at work, so studying is tough, but I have been studying some spanning tree. I have used the IEEE 802.1D-1998 and 802.1D-2004 documents for 802.1D and 802.1w, but these documents are almost too detailed; they even go into some of the source code. I have also been looking at blog posts from INE and Cisco documents, and also the CCNP SWITCH book.

Categories: CCIE

CCNA scholarship

September 17, 2010 Leave a comment

Steve over at networking-forum is hosting a CCNA scholarship. The person who gets picked for it will get free books from Cisco Press and also the exam paid for. The requirement to get selected is to write an essay on why you should be picked. The person who gets picked will then blog about his progress in his studies. For more information go to CCNA scholarship. If you have never heard of networking-forum before, it’s a forum for mostly Cisco with a lot of very talented people with certifications ranging from CCNA to CCIE. I highly recommend you visit it.

Categories: Announcement

50 hours done

September 15, 2010 Leave a comment

I have passed my first 50 hours of reading, maybe not as fast as I would have wanted, but I am still happy to have passed it. I will try to step up the pace from now on, but work and other commitments are keeping me from going at full pace right now. Hopefully I can reach 100 within a month.

Categories: Announcement

Back on track

September 13, 2010 Leave a comment

I’m back from vacation; nice to do something different for a while, but also nice to be back home 🙂 Have got a lot of stuff going at work right now. I’m resuming my CCIE studies and I’m starting with the blueprint, taking one topic at a time. First out is spanning tree; I will do some reading from the CCNP SWITCH track and blog posts on INE and IPexpert, and at Cisco’s site of course. I will keep you posted with my progress.

Categories: Announcement

Going on vacation – back in a week

September 3, 2010 Leave a comment

I’m going to Croatia to hopefully get some sun and recharge the batteries. It’s going to be nice to spend some time with my family. I will be back in a week, so no posting until then.

Categories: Announcement

Cisco ASA – Efficient access-lists with object-groups

September 2, 2010 Leave a comment

I am currently migrating some PIX firewalls to ASA and I have been rewriting the access-lists to be more efficient and easier to read. This is done by using objects and object-groups. Let’s first talk about objects. An object can only have one entry; it is useful if we want to reference a single host or a single subnet. This is the syntax:

object network WEBSERVER
host 1.1.1.1

This means that when we write our ACL, let’s call it OUTSIDE_IN, we can reference this object. So instead of access-list OUTSIDE_IN permit tcp any host 1.1.1.1 eq http we get access-list OUTSIDE_IN permit tcp any object WEBSERVER eq http. This makes our ACLs a little easier to read. For something on port 80 it is quite easy to say what it does anyway, but we can use the same technique for all servers or objects that we want to reference by name. I could also have done this with a subnet:

object network GUEST-SUBNET
subnet 192.168.33.0 255.255.255.0

I could then use this in my ACL instead of 192.168.33.0 255.255.255.0, and I would immediately know what this subnet is for if I need to read the ACL.

I can also do more complex things using object-groups. Let’s say that we have a company with a lot of webservers and we want to permit HTTP from the outside in. We might not want to permit HTTP to the whole subnet but only to the hosts; with five hosts this would mean five lines of ACL. A different approach is to use object-groups:

object-group network WEBSERVERS
network-object host 1.1.1.1
network-object host 1.1.1.2
network-object host 1.1.1.3
network-object host 1.1.1.4
network-object host 1.1.1.5

The ACL line would then be access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS eq http. This means one line instead of five, and our ACL will be much more readable when doing a show run. If we do a show access-list, the access-list will be expanded to show the individual host entries.

We can also use object-groups to group ports. Let’s say that the webservers should also be accessible over HTTPS (443) and SSH (22). We can group these together and do:

object-group service WWW-HTTPS-SSH tcp
port-object eq www
port-object eq ssh
port-object eq https

Then my ACL will be access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS object-group WWW-HTTPS-SSH. This will save us a lot of lines and also make our ACLs more readable. This is a powerful feature and I suggest you start using it.
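As an added example (not from the original post), a small Python expander that does what show access-list does on the ASA: it parses the object, object-group network and object-group service definitions used above and flattens each access-list line that references them into one entry per member combination, which is a handy way to review what a compact object-based ACL actually permits. The config it reads is constructed from the snippets above.

```python
"""Expand ASA object / object-group references in an access-list into the flat
entries that 'show access-list' displays. Added example; the config is constructed."""
from itertools import product

SAMPLE_CONFIG = """\
object network WEBSERVER
 host 1.1.1.1
object-group network WEBSERVERS
 network-object host 1.1.1.1
 network-object host 1.1.1.2
object-group service WWW-HTTPS-SSH tcp
 port-object eq www
 port-object eq ssh
 port-object eq https
access-list OUTSIDE_IN permit tcp any object WEBSERVER eq http
access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS object-group WWW-HTTPS-SSH
"""

def parse(config):
    """Return (objects, acls): objects maps each object/group name to its members."""
    objects, acls, current = {}, [], None
    for words in map(str.split, config.splitlines()):
        if not words:
            continue
        if words[0] in ("object", "object-group"):
            current = words[2]  # the name follows the kind (network / service)
            objects[current] = []
        elif words[0] == "access-list":
            acls.append(words[1:])
            current = None
        elif current is not None:
            # 'host 1.1.1.1', 'network-object host 1.1.1.2', 'port-object eq www':
            # the last two words are exactly what the expanded entry carries
            objects[current].append(" ".join(words[-2:]))
    return objects, acls

def expand(config):
    objects, acls = parse(config)
    expanded = []
    for ace in acls:
        parts, i = [], 0
        while i < len(ace):  # 'object X' / 'object-group X' becomes its member list
            if ace[i] in ("object", "object-group"):
                parts.append(objects[ace[i + 1]])
                i += 2
            else:
                parts.append([ace[i]])
                i += 1
        expanded += ["access-list " + " ".join(c) for c in product(*parts)]
    return expanded
```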

Categories: Security