How to Configure Switch Port Security and EtherChannel

In this article I will show you how to:

  • configure the IP address and subnet mask
  • set the IP default gateway
  • enable Telnet sessions to the switch
  • enable EtherChannel
  • enable port security

To perform this activity, download this lab topology and load it in Packet Tracer, or create your own topology as shown in the figure.

Configure IP address, subnet mask and default gateway

The IP address and default gateway are used to manage the switch remotely via Telnet or SSH. Without this essential configuration you have to connect to the switch with a console cable each time, which is tedious because you have to walk to the switch every time.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1

Enable Telnet and password protect the line

You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords can be set on individual lines, such as the console, and on privileged EXEC (enable) mode. Passwords are case sensitive. By default there are five VTY ports on the switch, allowing five simultaneous Telnet sessions; other Cisco devices might have more than five logical VTY ports. The five VTY ports are numbered 0 through 4 and are referred to all at once as line vty 0 4.

S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#

Enable switch port security

This feature set allows you (among several other options) to disable a port if more than one MAC address is detected on it. It is commonly applied to ports that connect security-sensitive devices such as servers. You can use port security to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#

You can verify port security as follows:

  • Click on the red X button on the right-hand portion of the PT window. This allows you to delete a connection in the topology. Place the X over the connection between Server and S2 and click. The connection should disappear.
  • Select the lightning bolt button in the bottom left-hand corner of the PT window to pull up connection types. Click the “copper straight-through” connection. Click the TestPC device and select the FastEthernet port. Next, click on S2 and select port Fa0/1.
  • From the command prompt of TestPC, type the command ping 10.0.0.4. The ping should fail.
  • On S3, enter the command show port-security interface fa0/1.

Port security is enabled, the port status is secure-shutdown, and the security violation count is 1.

Configure EtherChannel

EtherChannel lets you bundle several switch ports into one logical link to gain more bandwidth. If you connect switch ports in parallel without an EtherChannel configuration, the switch’s built-in STP function will shut down one of the ports to avoid a loop. You can download this example topology to practise EtherChannel.

  • To enable EtherChannel on DLS1, enter interface range mode for ports F0/11 and F0/12 with the command interface range f0/11 - 12.
  • Enter the command switchport mode trunk.
  • Enter the command channel-group 1 mode desirable.
  • Repeat the three steps above on DLS2.

DLS1>enable
DLS1#configure terminal
DLS1(config)#interface range fastEthernet 0/11 - 12
DLS1(config-if-range)#switchport mode trunk
DLS1(config-if-range)#channel-group 1 mode desirable
DLS1(config-if-range)#exit
DLS1(config)#exit
DLS1#

Subnet Mask Quick Reference Chart

What Is a Subnet Mask?

A mask used to determine what subnet an IP address belongs to. An IP address has two components, the network address and the host address. For example, consider the IP address 150.215.017.009. Assuming this is part of a Class B network, the first two numbers (150.215) represent the Class B network address, and the second two numbers (017.009) identify a particular host on this network.

Subnetting enables the network administrator to further divide the host part of the address into two or more subnets. In this case, a part of the host address is reserved to identify the particular subnet. This is easier to see if we show the IP address in binary format. The full address is:

10010110.11010111.00010001.00001001

The Class B network part is:

10010110.11010111

and the host address is

00010001.00001001

If this network is divided into 14 subnets, however, then the first 4 bits of the host address (0001) are reserved for identifying the subnet.

The subnet mask is the network address plus the bits reserved for identifying the subnetwork. (By convention, the bits for the network address are all set to 1, though it would also work if the bits were set exactly as in the network address.) In this case, therefore, the subnet mask would be 11111111.11111111.11110000.00000000. It’s called a mask because it can be used to identify the subnet to which an IP address belongs by performing a bitwise AND operation on the mask and the IP address. The result is the subnetwork address:

Subnet Mask     255.255.240.000   11111111.11111111.11110000.00000000
IP Address      150.215.017.009   10010110.11010111.00010001.00001001
Subnet Address  150.215.016.000   10010110.11010111.00010000.00000000

The subnet address, therefore, is 150.215.016.000.
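The arithmetic above, carried out with explicit bitwise operations so the mask-and-AND step is visible. This is an added example, not part of the original page; it reproduces the 150.215.17.9 case and also reports the broadcast address, usable host range and the value of the borrowed subnet bits, which the text does not work out.

```python
# Added example (not from the original page): classful subnetting by hand.
# subnet_info() borrows `subnet_bits` from the classful host part, builds the
# mask, and ANDs it with the address exactly as the text describes.

def dotted_to_int(addr: str) -> int:
    """Parse a dotted-quad IPv4 address into a 32-bit integer, rejecting bad octets."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value

def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Render a 32-bit value as four dotted 8-bit groups, like the page does."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def classful_prefix(addr: str) -> int:
    """Natural network length of a classful address (the page assumes Class B)."""
    first = dotted_to_int(addr) >> 24
    if first < 128:
        return 8      # Class A
    if first < 192:
        return 16     # Class B
    if first < 224:
        return 24     # Class C
    raise ValueError("Class D/E addresses have no classful host part")

def subnet_info(addr: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the classful host part and describe the resulting subnet."""
    prefix = classful_prefix(addr) + subnet_bits
    if prefix > 30:
        raise ValueError("too many subnet bits: no room left for hosts")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    ip = dotted_to_int(addr)
    subnet = ip & mask                          # the bitwise AND from the text
    broadcast = subnet | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    return {
        "prefix": prefix,
        "mask": int_to_dotted(mask),
        "mask_binary": to_binary(mask),
        "subnet": int_to_dotted(subnet),
        # value of the borrowed bits, e.g. 0001 -> 1 in the page's example
        "subnet_number": (ip >> host_bits) & ((1 << subnet_bits) - 1),
        # 2**subnet_bits values exist; the page's "14" follows the old rule of
        # not using the all-zeros and all-ones subnets
        "subnet_values": 1 << subnet_bits,
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(subnet + 1),
        "last_host": int_to_dotted(broadcast - 1),
        "usable_hosts": (1 << host_bits) - 2,
    }

if __name__ == "__main__":
    for key, val in subnet_info("150.215.17.9", 4).items():
        print(f"{key:14} {val}")
```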

Cisco UCS Leads the Industry in Server Performance and Productivity

On April 5th, 2011, Cisco participated in the Intel® Xeon® Processor E7 Product Family Announcement with NINE new world record performance benchmark results highlighting the Cisco Unified Computing System’s outstanding performance and IT productivity across key data center workloads. Cisco also announced the broadening of its server portfolio with the introduction of the Cisco UCS C260 enterprise server, an Intel Xeon processor E7 family based platform designed for most data demanding business critical IT challenges. The Cisco Unified Computing System’s outstanding performance benchmark results are highlighted in the Intel® Xeon® processor E7 Family-based Platform Performance Highlights (April 5, 2011) announcement.

Fundamentally, this record setting performance further reinforces the Cisco Unified Computing System’s ability to deliver next generation compute across bare-metal, high performance computing (HPC) and in the most complex virtualization and cloud computing environments in the data center. Check out the Performance Brief for additional information on the nine new Cisco UCS world record benchmarks. The detailed benchmark disclosure reports are available here.

So the momentum continues. In two short years, the Cisco UCS has captured over 40 world records for performance and IT productivity, taking its place among the most trusted server vendors on the market. Check out the Cisco Unified Computing System™ Performance Leadership Presentation.

The Royal Router

While it’s clear not all routers have a sense of humor, the Cisco ASR 9000 seems to be the exception. Ever since its launch, it has positioned itself as the perfect gift for Valentine’s Day and Father’s Day. (I’ll note that on those occasions, even when I had the ASR 9000 at the top of my wish list, I only received a Whitman’s Sampler and a neck tie, but no carrier class hardware. Come on, what’s a guy to do to get up to 6.4 Tbps around here?)

I’m not sure if being the life of the party has helped the ASR 9000 become the industry’s leading Edge router, but its popular personality and unmatched capabilities I’ll bet have helped it get an invite to the royal wedding this Friday. Or, at least be the router invited to connect the video of the wedding to the TV network for a broadcast to an estimated 2.3 billion people.

iPads on Your Network? Take Control with Unified Policy and Management

Users are increasingly carrying their iPads, iPhones and Android smartphones into the workplace. These mobile devices and tablets introduce new security threats and IT management challenges.

Join us for the third in our series of webinars to learn about new Cisco innovations that will help you identify the devices, apply policies and enable user management across wired and wireless networks. The webinar features special guest speaker Dan Larkin, Director of Strategic Operations for the National Cyber-Forensics and Training Alliance (NCFTA), who will share the new threat vectors introduced by the influx of mobile devices. Take control of your network now.

Frame Relay Network Operation

A Frame Relay (FR) network is shown in the figure below. An FR network may be considered as an FR cloud consisting of FR switches and customer nodes. An FR switch acts as the DCE and the customer equipment works as the DTE. A virtual circuit is established between the DTE and the corresponding DCE. As mentioned earlier, a virtual circuit is identified by a DLCI (Data Link Connection Identifier) number. DLCIs have local significance: on a given physical channel there cannot be two identical DLCIs.

Frame Relay is essentially a packet-switched network and can be compared with an X.25 network. Though both Frame Relay and X.25 use the same basic protocol, HDLC, there are several differences between the two. Some of the important differences between a Frame Relay network and an X.25 network are given below:

Feature                                   X.25             Frame Relay
Basic frame protocol used                 HDLC             HDLC
Typical speed (bandwidth)                 Low              High
Interactive sessions                      Barely suitable  Suitable
LAN connectivity for fast file transfers  Not suitable     Suitable
Protocol overhead                         High             Minimal
Protocol complexity                       High             Low
Voice support                             Poor             Good
Error correction                          Very good        Not supported

Comments on X.25:

  1. X.25 is a very old protocol and is widely implemented. However, it is hard to find any new implementations.
  2. X.25 implements node-to-node error correction and is very suitable for noisy circuits. A severe drawback is its high overhead and transmission delays.

Comments on Frame Relay:

  1. Frame Relay is widely implemented these days. Frame Relay does not support any node-to-node error correction. With the advent of highly reliable physical channels, node-to-node error correction (offered by X.25) is considered out-of-date and not essential.
  2. Revised specifications for Frame Relay networks support LMI extensions. These include global addressing, virtual circuit status messages, and multicasting.

Frame Relay Protocols Overview

Before going ahead with the Frame Relay protocol and its operation, we discuss virtual circuits. Remember that a circuit provides a connection between end nodes by means of an electrical connection. In data circuits, the term virtual circuit is used in a similar sense: a virtual circuit provides a logical connection between end nodes for the flow of information. There are two types of virtual circuits:

  • Permanent Virtual Circuit (PVC), and
  • Switched Virtual Circuits (SVC)

Permanent Virtual Circuit (PVC): A PVC is a permanent connection between the end nodes (DTEs) within a Frame Relay network. The virtual circuit is always available, whether or not any data is being transmitted. This type of connection is used when data must be transferred consistently between the end nodes. A PVC can have two operational states:

  • Data transfer state: Data is transmitted between the end nodes over the virtual circuit.
  • Idle state: No data is transferred between the end nodes. Note that a PVC is not torn down even when no data is being transferred between the end nodes.

Switched Virtual Circuit (SVC): An SVC provides a temporary connection between end nodes (DTEs) across a Frame Relay network. An SVC communication session has four states:

  • Call setup: The virtual circuit between two Frame Relay end nodes is established.
  • Data transfer: Data is transmitted between the end nodes over the virtual circuit.
  • Idle: The connection between end nodes is still active, but no data is transferred. An SVC call is terminated after a certain period of idle time.
  • Call termination: The virtual circuit between end nodes is terminated.

If there is more data to be transmitted later, an SVC is negotiated again. SVCs are advantageous when you have bursty traffic and don’t want to reserve network bandwidth for a given virtual circuit 24 hours a day.

Unlike an SVC, a PVC has no call setup and call termination procedures. This results in simpler link management and more efficient data transfer.

Frame Relay Protocol: Frame Relay is an HDLC-based protocol. We have discussed HDLC in earlier sections, and the HDLC frame is given below. Other protocols that use HDLC frames include SDLC, Frame Relay, and X.25. They differ primarily in how the address and control bits of the HDLC frame are used.

The different fields are explained below with respect to Frame Relay:

Flag (both opening and closing flags): 8 bits (01111110 or 7E hex)
Address (also known as the Frame Relay header): a 16-bit field, as given below.

Data Link Connection Identifier (DLCI): The DLCI is 10 bits wide. It identifies the virtual connection between the end node (a DTE device) and the switch (a DCE device).

C/R: The C/R bit indicates whether the frame is a command or a response.

Forward Explicit Congestion Notification (FECN): This is a single-bit field that can be set to either 0 or 1 by a switch. Normally, FECN is zero. A value of 1 indicates network congestion in the direction of source to destination, known as Forward Explicit Congestion Notification.

Backward Explicit Congestion Notification (BECN): This is a single-bit field that can be set to either 0 or 1 by a switch in the FR network. Normally, BECN is zero. A value of 1 indicates that the FR network has experienced congestion in the direction of destination to source.

By using FECN and BECN, upper layer protocols can control the communication for efficient utilization of FR network.

Discard Eligibility (DE): This is set by the DTE device to indicate that the marked frame may be discarded in the event of network congestion. When the network is congested, Discard Eligible frames are dropped before frames that do not have the DE bit set.

Note that FECN, BECN, and DE together enable Frame Relay congestion control by regulating communication and prioritizing traffic.

Extended Address (EA): The eighth bit of each byte of the Address field (header) is the EA bit. If EA is 1, the current byte is the last octet of the DLCI.
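The header fields above, packed and unpacked as a two-octet Frame Relay address field. This is an added example, not code from the original page; the bit positions follow the standard Q.922 layout (octet 1: six high DLCI bits, C/R, EA=0; octet 2: four low DLCI bits, FECN, BECN, DE, EA=1), and the sample bytes are constructed.

```python
# Added example (not from the original page): encode/decode the 16-bit
# Frame Relay address field described in the text.
#   octet 1: DLCI bits 9..4 | C/R | EA=0
#   octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
from dataclasses import dataclass

@dataclass(frozen=True)
class FrameRelayHeader:
    dlci: int          # 10-bit Data Link Connection Identifier (0..1023)
    command: bool      # C/R bit
    fecn: bool         # Forward Explicit Congestion Notification
    becn: bool         # Backward Explicit Congestion Notification
    de: bool           # Discard Eligibility

def build_fr_header(dlci: int, command=False, fecn=False, becn=False, de=False) -> bytes:
    """Pack the fields; the EA bits mark octet 2 as the last header octet."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    octet1 = ((dlci >> 4) << 2) | (0x02 if command else 0)           # EA = 0
    octet2 = (((dlci & 0x0F) << 4) | (0x08 if fecn else 0)
              | (0x04 if becn else 0) | (0x02 if de else 0) | 0x01)   # EA = 1
    return bytes([octet1, octet2])

def parse_fr_header(frame: bytes) -> FrameRelayHeader:
    """Decode the header at the start of a frame (flags already stripped)."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Relay header")
    octet1, octet2 = frame[0], frame[1]
    if octet1 & 0x01:
        raise ValueError("EA set in octet 1: header ends before the DLCI low bits")
    if not octet2 & 0x01:
        raise ValueError("EA clear in octet 2: 3/4-octet extended headers not handled")
    dlci = ((octet1 >> 2) << 4) | (octet2 >> 4)
    return FrameRelayHeader(
        dlci=dlci,
        command=bool(octet1 & 0x02),
        fecn=bool(octet2 & 0x08),
        becn=bool(octet2 & 0x04),
        de=bool(octet2 & 0x02),
    )

def congestion_action(hdr: FrameRelayHeader) -> str:
    """How a receiving DTE reads the congestion bits (FECN/BECN semantics from the text)."""
    if hdr.becn:
        return "slow down: congestion on the path this node transmits into"
    if hdr.fecn:
        return "notify peer: congestion on the path toward this node"
    return "no congestion signalled"

if __name__ == "__main__":
    # Constructed sample: DLCI 100 with FECN and BECN set (header bytes 0x18 0x4D)
    hdr = parse_fr_header(bytes([0x18, 0x4D]) + b"payload")
    print(hdr, congestion_action(hdr))
```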

Data: This field contains encapsulated upper-layer protocol data. It is of variable length, up to 16,000 octets.

FCS (Frame Check Sequence) or CRC (Cyclic Redundancy Code): It is either 16 bits, or 32 bits wide. Frame Check Sequence is used to verify the data integrity. If the FCS fails, the frame is discarded.

ISDN Protocols Overview

Integrated Services Digital Network (ISDN), as the name implies, provides integrated services that consist of telephony, data, and video transmission over ISDN.

ISDN is of two types:

  • Basic Rate ISDN (BRI), and
  • Primary Rate ISDN (PRI)

Basic Rate ISDN consists of two 64 kbps B-channels (B for Bearer) and one D-channel (2B+1D). B-channels are used for transmitting user information (voice, data, or video), and the D-channel is used for transmitting control information. A B-channel offers a bandwidth of 64 kbps, and the D-channel has a bandwidth of 16 kbps. With 2B channels, BRI provides up to 128 kbps uncompressed bandwidth. Note that the total bandwidth used by ISDN BRI is 192 kbps. The remaining bandwidth [192 - (2B+D)], or 48 kbps, is used for framing.

Primary Rate ISDN consists of 23 B-channels and one D-channel (23B+1D) for the US, or 30 B-channels and one D-channel (30B+1D) for Europe, Australia, India, and some other countries. The ISDN standard followed by Europe is also known as Euro ISDN and is standardized by ETSI (European Telecommunications Standards Institute). The PRI D-channel offers 64 kbps bandwidth.

There are several constituent standards that define ISDN.

I.430 Standard: It describes the Physical layer and part of the Data Link layer for BRI.

Q.920 and Q.921 Standards: Together, they provide the Data Link protocol used over the D channel.

Q.930 and Q.931 Standards: Together they document the Network layer user-to-user and user-to-network interface. The functionality offered includes call setup and teardown, channel allocation, and other optional services.

G.711 Standard: It describes the standard 64 kbps audio encoding used by telcos.

ISDN Reference Points:

ISDN standards specify several reference points that functionally separate the ISDN network. ISDN devices need to comply with the applicable reference point specifications. For example, a TE1 device such as an ISDN phone or a computer needs to comply with the reference point ‘S’ specifications. The various reference points specified in ISDN are given in the figure below:

R: This is the reference point between non-ISDN equipment and a Terminal Adapter (TA).

S: This is the reference point between user terminals and Network Termination Type 2 (NT2).

T: This is the reference point between NT1 and NT2 devices.

U: This is the reference point between NT1 devices and the line termination equipment of the Telco.

PPP and SLIP Protocols Overview

Serial Line Internet Protocol (SLIP):

This is a packet-framing protocol and defines a sequence of bytes that frame IP packets on a serial line. It is commonly used for point-to-point serial connections running TCP/IP.

Point-to-Point Protocol (PPP):

PPP is basically an encapsulation protocol that is used to transport datagrams over serial point-to-point links. Network address assignment, link configuration management, error detection and multi-protocol support are some of the most prominent features of PPP. PPP supports these features by using LCP (Link Control Protocol) and NCP (Network Control Protocol).

LCP is responsible for initiating, negotiating, configuring, maintaining, and terminating the serial point-to-point link.

You can transport multiple protocols, such as IP, IPX and DECnet, using PPP.

Protocol frame configuration: As mentioned earlier, the PPP frame is a variant of the HDLC frame. It contains six fields as shown in the diagram.

Flag (both opening and closing flags): 8 bits (01111110 or 7E hex)
Address: PPP does not use node addresses. It is a single byte of 11111111, representing the broadcast (all-stations) address.
Control: The field is 8 bits wide and indicates whether the frame is a control or data frame.
Protocol: 16 bits wide; identifies the protocol encapsulated in the Data field of the frame.
Data (Payload): This is the information carried from node to node. The default maximum length of the Data field is 1500 bytes.
FCS (Frame Check Sequence): It is either 16 or 32 bits wide. The Frame Check Sequence is used to verify data integrity. If the FCS check fails, the frame is discarded. The FCS is implemented using a Cyclic Redundancy Code (CRC).
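The PPP frame layout above, built and checked with the 16-bit FCS that RFC 1662 specifies for PPP, so the "if the FCS fails, the frame is discarded" rule can be exercised on a corrupted frame. This is an added example, not code from the original page; the flag octets and byte stuffing are left out, and the payload is a constructed string.

```python
# Added example (not from the original page): PPP frame with FCS-16 (RFC 1662).
PPP_ADDRESS = 0xFF        # all-stations: PPP uses no node addresses
PPP_CONTROL = 0x03        # Unnumbered Information
PPP_INIT_FCS16 = 0xFFFF   # initial FCS register value
PPP_GOOD_FCS16 = 0xF0B8   # register value after a frame whose FCS is correct
DEFAULT_MRU = 1500        # default maximum Data field length

def ppp_fcs16(data: bytes, fcs: int = PPP_INIT_FCS16) -> int:
    """Run the FCS-16 register (reflected CRC-16/CCITT, polynomial 0x8408) over data."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """Address | Control | Protocol | Data | FCS, with the FCS sent low octet first."""
    if len(payload) > DEFAULT_MRU:
        raise ValueError("payload exceeds the default 1500-byte Data field")
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF                 # ones-complement before sending
    return body + bytes([fcs & 0xFF, fcs >> 8])

def parse_ppp_frame(frame: bytes):
    """Return the decoded fields, or None when the FCS check fails (frame discarded)."""
    if len(frame) < 6:
        return None
    # Running the register over data plus the received FCS must yield the
    # constant 0xF0B8; anything else means the frame was corrupted in transit.
    if ppp_fcs16(frame) != PPP_GOOD_FCS16:
        return None
    return {
        "address": frame[0],
        "control": frame[1],
        "protocol": int.from_bytes(frame[2:4], "big"),
        "data": frame[4:-2],
    }

if __name__ == "__main__":
    # Constructed sample: protocol 0x0021 (IPv4) carrying a dummy payload
    frame = build_ppp_frame(0x0021, b"constructed payload")
    print(frame.hex(), parse_ppp_frame(frame))
    damaged = bytearray(frame)
    damaged[6] ^= 0x01                             # flip one payload bit
    print(parse_ppp_frame(bytes(damaged)))         # None: frame is discarded
```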

Operation of PPP:

PPP operates over different phases consisting of

  • Link establishment and configuration negotiation
  • Link quality determination phase (Optional)
  • Network layer protocol configuration negotiation
  • Link termination

Initially, PPP negotiates a link between the two point-to-point interfaces. These are normally DTE and DCE interfaces such as RS-232C, V.35, RS-422, and RS-423. PPP by itself does not impose any limit on achievable speed; the physical interfaces and the media normally limit the available link speed.

The second phase is link quality determination. This phase is optional.

Once the link-level configuration is made and the link is established, the network-level configuration is made.

The link is terminated by LCP as and when required.

Advantages of PPP over SLIP:

1. Address notification: It enables a server machine to inform a dial-up client of its IP address for that link. SLIP requires that the user manually configure this information.

2. Authentication: PPP supports the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). PAP transmits the password in plain text, whereas CHAP uses encryption for authentication.

3. Multiple Protocol Support: PPP can support multiple protocols operating on the same link. For example, both IP and IPX traffic can use the same PPP link.

4. Link Monitoring: Offers link monitoring to help diagnose any link failures.