CISCO SDM why oh why oh why!

You would think a company like Cisco would be able to produce a management tool that works.

Now I know SDM has issues with different Java versions in Windows, and that in itself seems to be pot luck whether it works or not.

But getting it running under Linux, oh my god! Everything seems to be against me here. And the worst thing about it all is how close I can get. I'm sure it's doing this just to tease me.

I have tried old and new Firefox, about six versions of Java, and still no joy. It's time to go home now, and with no remote access to the firewall it will have to wait till Tuesday for my next play. So email is still not working.

Ah well, the weekend ahead: walks with the dogs, and some nice food to look forward to. Oh, and of course lots of studying. 😉

Have a great one.

Java versions in Linux.

I am still quite a newbie when it comes to Linux, and have a long way to go yet before I could be considered an expert. But slowly I am getting there.

Today, to help with setting up the firewall to allow email, I thought it was time I finally got around to installing Java on this PC, and because Cisco SDM Express requires an old version this means setting up multiple versions.

Installing the first one is simple enough:

$sudo apt-get install java….

(You can do a
$sudo apt-get update
followed by
$apt-cache search java
and this will show you what versions are available for download.)

And after a bit of poking around the second one was simple enough as well: download the bin file from www.JAVA.com and extract it to a directory (this can be anywhere you want, although /opt/ seems to be a common choice) as below. If you want more instructions just click on the instruction link on the site.

$sudo sh ./java-5-4…..

Then cheat and open the Java desktop control panel, open up the runtime environment settings and add in your new version. (If any Linux masters want to post the guru way to do this, please do 🙂 )

And there you have it, multiple Java installs.

Only one issue now though: Firefox does not support Java below version 6-10, and SDM still does not work! So it's on to the next method to get SDM working on Linux.

I will get this email working soon…

Take care all.

Filtering the VLAN Traffic

So it ended up I decided to do a recap on VLAN access control lists (ACLs) before I got back into Spanning Tree. I also covered Private VLANs tonight but will come back to them some other time for the blog.

Over the years I have had lots of dealings with port and router based ACLs, but VLAN based ACLs I only came across when I started studying for my CCNP. And I already have plans to use them to limit the traffic on some of our more sensitive network segments.

Now if you know your VACL setup, here is the point to stop reading; what follows is a run-through of the config, with some description of the steps.

Still with me? OK, let's get to it.

The first step in creating a VACL is in fact to create some "standard" ACLs first; these will be used to classify what traffic is filtered once the VACL is applied. The VACL will accept two types of access lists as arguments, IP and MAC, so let's set some up.

(config)#access-list 100 permit ip host 172.168.5.5 any

(config)#mac access-list extended MAC-ACL
(config-ext-mac)#permit any host b7d4.5f6d.8e31

So, two simple ACLs created. You can also use the ip access-list command to create named access lists if you wish.

So now we need to create the VACL and add these lists to it.

(config)#vlan access-map <name> 10
(config-map)#match ip address 100
(config-map)#action drop
(config-map)#vlan access-map <name> 20
(config-map)#match mac address MAC-ACL
(config-map)#action drop
(config-map)#vlan access-map <name> 30
(config-map)#action forward

Notice that by default, if a VACL is configured on a VLAN and a packet does not match any sequence in the VACL, it will be dropped. As we can see, each sequence in the VACL has a sequence number, a match statement (there can be more than one) and an action to take. In this setup any traffic that matches the two ACLs we set up will be dropped. By adding a sequence without any match statement and only an action, we have set up a "catch all" situation, just like you may do with a standard ACL when you enter "permit any any".

So there we have it, the VACL all set up and ready to go; now it's just a case of applying it to a VLAN or two.

(config)#vlan filter <name> vlan-list 10

And there you have it: now any traffic passing across the switch on the configured VLANs will be subject to the statements in your VACL. I think they're great for adding that extra layer of security to your network, and keeping traffic where it should be.
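As an added illustration (my own, not code from the original post or from Cisco), here is a small Python model of how the access map above is evaluated: sequences are tried in order, the first one whose match clause selects the packet decides the action, and a packet that reaches the end of the map without matching is dropped. The ACLs and packet fields are constructed to mirror the config above; treating several match clauses in one sequence as alternatives is an assumption of the model, since the config above only has one clause per sequence.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """The few header fields a VACL clause looks at (constructed, not a real frame)."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None


# ACLs mirroring the post: entries are (action, source spec, destination spec).
# A spec is "any", "host <addr>" or, for IP only, "<network>/<prefixlen>".
ACLS = {
    "100": [("permit", "host 172.168.5.5", "any")],
    "MAC-ACL": [("permit", "any", "host b7d4.5f6d.8e31")],
}

# The access map: (sequence, match clauses, action). A clause is ("ip"|"mac", ACL name);
# sequence 30 has no clause, so it matches everything that reaches it.
VACL = [
    (10, [("ip", "100")], "drop"),
    (20, [("mac", "MAC-ACL")], "drop"),
    (30, [], "forward"),
]


def _spec_matches(spec: str, addr: Optional[str]) -> bool:
    if spec == "any":
        return True
    if addr is None:
        return False
    if spec.startswith("host "):
        return spec.split()[1].lower() == addr.lower()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_selects(acl, src, dst) -> bool:
    """Walk an ACL top-down; the first entry that matches decides. A 'permit' entry
    selects the packet for the VACL action; a 'deny' entry, or no hit at all (the
    implicit deny at the end of every ACL), means this clause does not match."""
    for action, src_spec, dst_spec in acl:
        if _spec_matches(src_spec, src) and _spec_matches(dst_spec, dst):
            return action == "permit"
    return False


def clause_matches(clause, acls, pkt: Packet) -> bool:
    kind, name = clause
    if kind == "ip":
        return acl_selects(acls[name], pkt.src_ip, pkt.dst_ip)
    return acl_selects(acls[name], pkt.src_mac, pkt.dst_mac)


def vacl_action(vacl, acls, pkt: Packet):
    """Return (sequence, action) for the first sequence that matches, or (None, 'drop')
    for the implicit drop at the end of the map. A sequence with no clauses matches
    unconditionally; several clauses in one sequence are treated as alternatives
    (an assumption of this model)."""
    for seq, clauses, action in sorted(vacl, key=lambda s: s[0]):
        if not clauses or any(clause_matches(c, acls, pkt) for c in clauses):
            return seq, action
    return None, "drop"


if __name__ == "__main__":
    samples = [
        Packet("172.168.5.5", "10.0.0.1", "0000.1111.2222", "0000.3333.4444"),
        Packet("10.0.0.2", "10.0.0.1", "0000.1111.2222", "b7d4.5f6d.8e31"),
        Packet("10.0.0.2", "10.0.0.1", "0000.1111.2222", "0000.3333.4444"),
    ]
    for p in samples:
        print(p, "->", vacl_action(VACL, ACLS, p))
    # Without the catch-all sequence 30, ordinary traffic hits the implicit drop:
    print("no catch-all ->", vacl_action(VACL[:2], ACLS, samples[2]))
```

Running it with the third packet and `VACL[:2]` is the quickest way to see why the empty "forward" sequence matters: drop the catch-all and every host on the VLAN that is not in the two ACLs loses connectivity.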

OK, so not an exciting post tonight, but I will get back to STP tomorrow, and I can tell you from past experience how not to configure it.

Night all and take care.

DHCP snooping and Option 82

OK, time to get on with it. And seeing as I have just been brushing up on switch security, what better place to start.

Not going to tell you how to configure DHCP snooping or show you my lab setup; there are plenty of great documents on the net you can find for that, www.cisco.com/dhcp-cconfig for instance. But I suppose there's no harm in a quick recap about what DHCP snooping is and why it is used.

Really the hint is in the name: when enabled on a switch, the switch listens in on any DHCP packets (both requests and replies) and can filter them and in some cases alter them. The main function is of course to prevent rogue DHCP servers from being placed on the network, so in its most basic setup you simply enable it on a switch and mark all ports on the uplink path to the DHCP server as trusted; this will allow DHCP response packets to be sent down this path, while server responses arriving on untrusted ports are dropped. Easy, hey!? You can add in limits on how many request packets an untrusted port can send to the DHCP server to prevent DoS attacks on the DHCP servers, and there are other options of course (there always are in IT), but prevention of DoS attacks and prevention of rogue DHCP servers are the two biggies.

What DHCP snooping also does, of course, as it reads the DHCP packets passing through its ports, is build up a database of which IP address and MAC address have been assigned by DHCP to which switch port. This can then be used for IP Source Guard, which works by applying an ACL on a per-port basis that restricts the source IP address in packets to the IP stored in the DHCP snooping database, and for Dynamic ARP Inspection, where ARP packets are filtered by the switch to ensure the information contained in them matches the information gained from DHCP snooping.

So by combining DHCP snooping with IP Source Guard, Dynamic ARP Inspection and port security, you can mitigate many of the Layer 2 switch-based attacks.

The one thing that really interested me when I was going through DHCP snooping was the setting to enable option 82. It was kind of mentioned in passing in the CCNP course material, so I had a little look up about what it was. Well, this seemed simple enough: when the switch receives an incoming DHCP request packet from a client it adds in some information, namely the switch port the client is connected on, the VLAN it is assigned to and the ID of the switch adding the information. This document sums it up nicely. And then you read that this information can be used by the DHCP server to decide how it assigns addresses, and can be stored by the DHCP agent. I thought, hey... cool. So I enable this option, turn on support on the Windows 2003 DHCP servers, and BING!! I would have a list of DNS name, IP address, MAC address, and switch and port location. But sadly it seems Windows 2003 does not support this option. Poor form if you ask me.
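To make that "some information" concrete, here is an added Python example (my own, not from the post or from Cisco) that builds a constructed DHCPDISCOVER, inserts an option 82 in the layout this example assumes for a Cisco switch's default format (a circuit ID sub-option carrying VLAN, module and port, and a remote ID sub-option carrying the switch MAC), and parses it back out. The last function models the snooping rule that a packet arriving on an untrusted, client-facing port must not already carry option 82, since only the switch itself should be adding it. All MAC addresses and the transaction ID are constructed sample values.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_PAD, OPT_END = 53, 82, 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPDISCOVER = 1


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Encode the relay agent information option in the layout this example assumes
    for a Cisco switch's default format: circuit ID = type 0, len 4, VLAN(2), module(1),
    port(1); remote ID = type 0, len 6, the switch's base MAC."""
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote = struct.pack("!BB", 0, 6) + switch_mac
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)


def build_discover(client_mac: bytes, option82: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER: 236-byte fixed header, magic cookie, then options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x3903F326, 0, 0x8000,  # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if option82:
        options += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


def _parse_tlvs(data: bytes, stop_at_end: bool) -> dict:
    """Generic code/length/value walk used for both options and option 82 sub-options.
    Truncated entries raise rather than being silently accepted."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for code %d" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_options(packet: bytes) -> dict:
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    return _parse_tlvs(packet[240:], stop_at_end=True)


def relay_agent_info(packet: bytes):
    """Return {'vlan', 'module', 'port', 'switch_mac'} from option 82, or None if absent."""
    opts = parse_options(packet)
    if OPT_RELAY_AGENT not in opts:
        return None
    subs = _parse_tlvs(opts[OPT_RELAY_AGENT], stop_at_end=False)
    info = {}
    circuit = subs.get(SUB_CIRCUIT_ID, b"")
    if len(circuit) == 6 and circuit[:2] == b"\x00\x04":
        _, _, info["vlan"], info["module"], info["port"] = struct.unpack("!BBHBB", circuit)
    remote = subs.get(SUB_REMOTE_ID, b"")
    if len(remote) == 8 and remote[:2] == b"\x00\x06":
        info["switch_mac"] = remote[2:].hex(":")
    return info


def accept_on_untrusted_port(packet: bytes) -> bool:
    """Snooping rule modelled here: a client-facing (untrusted) port must not receive a
    DHCP packet that already carries option 82; only the switch itself inserts it."""
    return OPT_RELAY_AGENT not in parse_options(packet)


if __name__ == "__main__":
    switch_mac = bytes.fromhex("001a2b3c4d5e")  # constructed sample values
    client_mac = bytes.fromhex("b7d45f6d8e31")
    plain = build_discover(client_mac)
    tagged = build_discover(client_mac, build_option82(10, 0, 3, switch_mac))
    print(relay_agent_info(plain))   # None
    print(relay_agent_info(tagged))  # {'vlan': 10, 'module': 0, 'port': 3, 'switch_mac': '00:1a:2b:3c:4d:5e'}
    print(accept_on_untrusted_port(plain), accept_on_untrusted_port(tagged))  # True False
```

The parsed `vlan`/`port`/`switch_mac` triple is exactly the location data the post wanted the DHCP server to store; a DHCP server that understands the option can log it per lease, and a switch that is doing the snooping should never see it arrive from the client side.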

It got me thinking, though, about ways to trace a client device to a physical location: not just what area of a building, but down to the switch port it is connected to. This can be very useful for tracing PCs with problems on the network, or tracing back where strange traffic is coming from, and the quicker you can do it the better.

There's the manual way, of course: use the CAM tables and show commands to trace a MAC address back to its switch port. You first have to resolve the DNS name back to the MAC. Then at the other end you could enable 802.1X port-based authentication and run a Cisco ACS server to do the authentication. Run a report on the ACS server and it will give you all the information you need.

My personal solution was to use Kiwi CatTools to run an audit on all the switch devices and build up a database of MAC addresses to switch ports. I already have a database of DNS names to MAC addresses from our auditing software, and it was a 5 minute job to set up the link between them.
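As an added example (mine, not the post's, and not Kiwi CatTools output), here is a Python sketch of the link the post describes: parse a constructed `show mac address-table` capture from one switch, normalise the different MAC spellings that auditing tools and switches use, and join it against a constructed hostname-to-MAC inventory so that a hostname resolves straight to switch, VLAN and port. Entries learnt on an uplink are skipped, since a MAC seen on an uplink belongs to a host behind another switch, not to that port. The switch name, port names and inventory records are all assumed sample data.

```python
import re

# Constructed sample of `show mac address-table` output from a switch called sw1.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    b7d4.5f6d.8e31    DYNAMIC     Fa0/3
  10    0011.2233.4455    DYNAMIC     Fa0/7
  20    0011.2233.6677    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 4
"""

# Constructed hostname-to-MAC records, in the mixed spellings auditing tools export.
SAMPLE_INVENTORY = {
    "pc-finance-01": "B7:D4:5F:6D:8E:31",
    "pc-hr-03": "00-11-22-33-44-55",
    "printer-01": "00:11:22:33:66:77",
}

# Ports that lead to other switches rather than end hosts (assumed for the sample).
UPLINKS = {"sw1": {"Gi0/1"}}

ROW = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac: str) -> str:
    """Reduce any common spelling (colons, dashes, dots, upper case) to Cisco's
    aabb.ccdd.eeff form so the two databases can be joined on it."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(switch: str, text: str) -> dict:
    """Map normalised MAC -> {switch, vlan, port} for the dynamically learnt entries;
    static/CPU rows and the header and footer lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, kind, port = m.groups()
        if kind.upper() != "DYNAMIC":
            continue
        table[normalize_mac(mac)] = {"switch": switch, "vlan": vlan, "port": port}
    return table


def trace_host(hostname: str, inventory: dict, mac_tables, uplinks: dict):
    """Resolve hostname -> MAC via the inventory, then find the edge port that learnt
    it. Returns {switch, vlan, port, mac} or None if only seen on uplinks / not seen."""
    mac = normalize_mac(inventory[hostname])
    for table in mac_tables:
        hit = table.get(mac)
        if hit and hit["port"] not in uplinks.get(hit["switch"], set()):
            return dict(hit, mac=mac)
    return None


if __name__ == "__main__":
    tables = [parse_mac_table("sw1", SAMPLE_MAC_TABLE)]
    for host in SAMPLE_INVENTORY:
        print(host, "->", trace_host(host, SAMPLE_INVENTORY, tables, UPLINKS))
```

With several switches, pass one parsed table per switch in `mac_tables`; the uplink filter is what stops the trace stopping at the distribution switch where the MAC is also learnt.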

So from looking at DHCP snooping to ways to monitor the network. All in a day's studying :). Now one more run-through of the config for this on my lab and then it's on to practising MSTP.

Well, there you have it, first real post; now to see what the general public think.

Take care all.