Computer blocked by Port Security

My colleague was working on an issue where a computer was communicating on the network through a Cisco switch that had port security enabled. As usual, he disabled port security and re-enabled it in an attempt to get the new MAC address registered on the port. The computer (A) was now able to get an IP address from the DHCP server, but unfortunately computer (A) still was not able to communicate with the server. In an effort to identify whether the problem was with computer (A) or the network port, another computer (B) was connected to the port, which was successful. But when computer (A) was reconnected to the same port, there was still no communication. All network settings on computer (A) were verified to be correct, but still no breakthrough. The same computer (A) was taken to another switch in another location and, surprisingly, it worked. So hmmm… what could be the problem? It was escalated to me to investigate further as he could not identify the root of the problem.

I started to ask the question “What is working?”

The responses were:

  1. Other devices were communicating when connected to the port
  2. The computer (A) is getting an IP address from the DHCP server
  3. The computer (A) is able to communicate on other switches

Next question: did they try computer (A) on another port on the same switch? The response was no.

Anyway, everything was connected back the way it was before, and then I started the troubleshooting.

The following observations were made:

  1. Port security was enabled on the entire switch but disabled on this troubled port.
  2. The port duplex and speed were OK (Full/100).
  3. The computer (A) got a dynamic IP address from the DHCP server.
  4. The computer (A) MAC address was not showing on the port when I checked the MAC address table for the problem port (f0/42).
  5. The port security sticky address listing showed that the computer (A) MAC address was tied to port f0/22.

What do you think the root of the problem is?

Computer (A) was not able to communicate with anything on the network because its MAC address was tied to another port, so when devices responded to its packets, the replies were returned to the wrong port. So the solution was to remove the sticky address and allow the switch to relearn it on the newly connected port (f0/42). Another question that resonated in my mind was “How did it get an IP address from the DHCP server?” But if you review how devices acquire an IP address, it is done using broadcast, which the switch floods to every port instead of forwarding by MAC address table lookup. Therefore, the computer will always get an IP address, but it would not be able to communicate with other devices.
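The check below is an added example (not from the original post): it parses constructed `show port-security address` output, modelled on the IOS format, reports when a MAC address is sticky-bound to a port other than the one the host is now plugged into, and prints the IOS commands that clear the stale entry so the switch can relearn it. The MAC addresses, VLAN and port numbers are constructed.

```python
import re

# Constructed sample modelled on the Cisco IOS "show port-security address"
# output format; it is not a capture from the switch in the story.
SECURE_MAC_TABLE = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----      (mins)
  10    0011.2233.4455    SecureSticky                  Fa0/22        -
  10    00aa.bbcc.dd02    SecureSticky                  Fa0/42        -
  10    00aa.bbcc.dd03    SecureDynamic                 Fa0/23        -
"""

# One data row: vlan, dotted MAC, type, port.  Header and separator lines
# never match because their second column is not a MAC address.
ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)", re.I)

def normalise(port):
    """Treat 'f0/42', 'Fa0/42' and 'FastEthernet0/42' as the same port."""
    m = re.match(r"^(?:f|fa|fastethernet)(\d+/\d+)$", port, re.I)
    return "Fa" + m.group(1) if m else port

def parse_secure_table(text):
    """Map each secure MAC (lower-case) to its (type, port)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m["mac"].lower()] = (m["type"], normalise(m["port"]))
    return rows

def stale_sticky_binding(mac, connected_port, text):
    """Port a sticky entry pins `mac` to, if it is not `connected_port`."""
    entry = parse_secure_table(text).get(mac.lower())
    if entry is None:
        return None
    kind, bound_port = entry
    if kind.lower() == "securesticky" and bound_port != normalise(connected_port):
        return bound_port
    return None

def remediation(mac, bound_port):
    """IOS commands that drop the stale sticky entry so it can be relearned."""
    return [f"interface {bound_port}",
            f" no switchport port-security mac-address sticky {mac}"]

if __name__ == "__main__":
    stale = stale_sticky_binding("0011.2233.4455", "f0/42", SECURE_MAC_TABLE)
    if stale:
        print("\n".join(remediation("0011.2233.4455", stale)))
```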

I hope this troubleshooting scenario helps someone with understanding port-security on a Cisco switch.

CIA – Confidentiality, Integrity and Availability

Confidentiality – is the method of ensuring that only authorized persons are able to view the company data.

Integrity – is the method of ensuring that only authorized persons are allowed to modify the company data.

Availability – is the method of ensuring that the authorized persons are able to access the company data when it is needed.

Almost caught by Spam

I received the following spam email, which seemed to come from Paypal:

[Screenshot of the spam email (Paypal, March 13, 2018)]

At first glance it looks very legitimate, but after close inspection it was discovered to be spam. This provides the opportunity to highlight some indications that an email received is spam and how to mitigate against it.

  • Check the email address that it is coming from: not the one that is displayed at first glance, but, when the message is opened, the email address that is between the symbols <>. In the example above, it says it is coming from service@paypal-int.co.uk. (Paypal's correct address is service@intl.paypal.com.)

  • Check where the link that you are asked to click on is pointing to by hovering the mouse pointer over the hyperlink and looking at the bottom of the browser. The spam email said the following:

    If you did not initiate this payment, we recommend that you go to Manage/Cancel Payment

    The Manage/Cancel Payment link was pointing to an unknown URL and not to the Paypal website, so you know that it is a malicious website it is asking you to click on.

  • Usually the greeting will include the email address it is sent to. In this case, I was addressed by my email address (*****@gmail.com) and not by my full name, which Paypal will have on record.

Now, for those who are unsure whether the event the email describes actually happened: verify the transaction by logging on directly to the website or portal (not via the email links), in my case Paypal.com, and check whether any such event has occurred.

I hope this is helpful, and don't be fooled by well-crafted spam emails.
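As an added example (not part of the original post), the script below applies the three checks above to a constructed message: the real sender address inside <>, where each link's href actually points, and whether the greeting uses the recipient's address instead of a name. The sender address is the one quoted above; the recipient and link target are placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: sender is the address quoted above; recipient and link target are placeholders.
RAW_MESSAGE = """\
From: "PayPal" <service@paypal-int.co.uk>
To: victim@gmail.com
Content-Type: text/html

<p>Hello victim@gmail.com,</p>
<p>If you did not initiate this payment, we recommend that you go to
<a href="http://example.invalid/login">Manage/Cancel Payment</a></p>
"""

def same_org(host, domain):
    # The domain itself or a subdomain of it; look-alikes never qualify.
    return host.lower() == domain or host.lower().endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_indicators(raw, domain="paypal.com"):
    """Return the indicators that fired; an empty list means none did."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    # 1. The real sender is the address inside <>, not the display name.
    sender = parseaddr(msg["From"])[1]
    if not same_org(sender.rsplit("@", 1)[-1], domain):
        found.append(f"sender domain mismatch: {sender}")
    # 2. Where a link really goes is its href, not the text you click on.
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        if not same_org(urlparse(href).hostname or "", domain):
            found.append(f"link '{text}' points to {href}")
    # 3. A greeting that uses the recipient's address instead of a name.
    recipient = parseaddr(msg["To"])[1]
    if re.search(r"\b(hello|dear|hi)\s+" + re.escape(recipient), body, re.I):
        found.append("greeting uses the email address instead of a name")
    return found
```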

Keep safe…Keep secure

Simple Computer Security Tips

As computer users, we sometimes take for granted the numerous threats out on the internet that can steal from and even take over our computers without our permission. It is important that we are aware of the threats that can affect us just by browsing the internet.

I would like to share a few simple tips that will help any person to protect themselves from the various threats on the internet.

  1. Install anti-virus software on your computer – this is one of the most important tasks that any person can do to protect their computer from viruses or malware that can cause the computer to behave abnormally or render it unusable. There are a few paid anti-virus products I can recommend, such as Norton Security, Kaspersky Antivirus, ESET Security and McAfee Antivirus. If you don't want to spend money on this, there are also good free antivirus products such as Avast, AVG and Microsoft Security Essentials.
  2. Remove the admin privileges from your default user account – This is a very important task because a lot of persons don't realize that when the user account you use daily has administrator rights, any change can be made to the computer without restriction. That is not good, because if your computer does get infected, the malicious software can make unwanted changes and you will have no control over it. I recommend that you create a separate account with admin rights, then change the user account you use daily to a standard user. See the instructions here on how to do this on Windows 10.
  3. Ensure that the Windows firewall is enabled – This is especially important for persons who connect to any and every open WiFi network that comes their way. Having the firewall enabled reduces the likelihood of an unauthorized person connecting to or accessing your computer from these free open networks. For steps on how to check or enable the Windows firewall on your computer, go here. Note that the latest versions of Windows come with the Windows firewall turned on by default.
  4. Back up documents to a secure cloud space – This tip might seem trivial, but it is one of the most important tasks to do. It not only protects you from hackers wiping out your data but also protects your important information from a device failure or a computer crash. To accomplish this you can use one of the free large cloud spaces such as Google Drive and OneDrive. Note that they also have a desktop sync tool that lets you sync local folders to the cloud whenever you are connected to the internet.
  5. Don't visit any websites that are labelled as unsecure or unsafe – Whether browsing the internet or searching for information to assist in doing a task, we will sometimes get a message from our browser warning us that a site is unsecure. It is best that we don't continue unless we are absolutely sure that it is legitimate or safe. Current reputable browsers such as Google Chrome, Internet Explorer (or Edge) or Firefox have a built-in list of Certification Authorities against which a website's certificate is checked for authenticity. This is important because we could be visiting a website developed by a hacker to get access to our computer or retrieve information from it.

These are the tips in a nutshell, but if there are any more, I will update this list. I just want to remind you to keep safe and do as much as you can to protect your personal data.

Avoid using Fiber Transceivers for Switch Connection

I am dedicating this article to an experience I had with connecting switches using 10/100Base-T to 100Base-FX fiber media converters (transceivers).

It is a pain when a transceiver goes bad, especially if it is not identified as the cause of packet loss or a slow link on the switched network.

I had an experience where a location was complaining of slow connections to server resources, and the IP phones had poor call quality. When a user was on a call, the caller could hear the user very clearly, but the user would constantly hear drops in the conversation.

When a ping test was done, for every 5 or 10 ping responses a packet would drop, even to the uplink switch. When a ping test was done to the same switch, it was successful with no packet loss.

Looking at the interface status, there was no indication of CRC errors or other counters such as runts or interface resets, indicating no problem with the cable.

I connected my laptop directly to the transceiver and did a ping test, with the same result. This is where I concluded that the problem was with the transceiver; lo and behold, when I swapped out the transceiver for a direct fiber connection to the switches, all the connection issues just disappeared.

Conclusion: avoid using transceivers to connect switches over fiber links; as much as possible use SFP modules, because when the transceivers go bad they cause latency to the connected location. I have also noticed that these devices are very unreliable and fragile, hence they are high maintenance and a waste of time, effort and money, which most of us engineers don't have time to waste.

Configuring similar Cisco features on an HP 2530 switch

I had the privilege of learning another vendor's switch configuration, from HP. This article will be about configuring the following parameters on an HP 2530, similar to what you would do on a Cisco access switch:

  • Access port (edge port)
  • Trunk ports (tagged port)
  • Port security (MAC security)
  • EtherChannel (LAG)
  • Spanning tree
  • PortFast
  • Enable secret password
  • SNMP
  • Switch Virtual Interface (SVI)
  • VLAN default gateway
  • Show logging on the console

Before I begin, we need to know that there are two main standards in the networking world: it is either Cisco or IEEE. So vendors like HP will only follow the IEEE standards. With that being said, let us begin:

What I am going to do is show the Cisco way of the commands for the particular feature, followed by HP.

1. Trunk ports: we know that Cisco switches have two protocols used to build a trunk port: ISL and 802.1Q (the IEEE standard), although the newest Cisco switches no longer support ISL as it is being phased out.

CISCO:

SW(config-if)# switchport trunk encapsulation dot1q
SW(config-if)# switchport mode trunk
SW(config-if)# switchport trunk allowed vlan 1-5
SW(config-if)# switchport trunk native vlan 5

HP:

SW(configure)# int 49
SW(eth-49)# tagged vlan 1-4
SW(eth-49)# untagged vlan 5

2. Creating and configuring a voice VLAN on a switch port, which tells the IP phone which VLAN to use for communication.

CISCO:

SW(config)# interface f0/1
SW(config-if)# switchport voice vlan 6

HP:

SW(configure)# vlan 6
SW(vlan-6)# voice
SW(configure)# int 1
SW(eth-1)# tagged vlan 6

3. Configure spanning-tree PortFast to let the port transition into the forwarding state immediately; this also configures the port as an access/edge port.

CISCO:

SW(config)# interface Fa0/1
SW(config-if)# switchport mode access
SW(config-if)# switchport access vlan 2
SW(config-if)# spanning-tree portfast

HP:

SW(configure)# spanning-tree 1 admin-edge-port
SW(configure)# interface 1
SW(eth-1)# untagged vlan 2

4. Configure BPDU Guard to prevent a switch from being connected to an access port, by shutting the port down.

CISCO:

SW(config)# interface range fa0/1 - 24
SW(config-if-range)# spanning-tree bpduguard enable

HP:

SW(configure)# spanning-tree 1-24 bpdu-protection

5. Configure the RSTP protocol to prevent loops in the network.

CISCO:

SW(config)# spanning-tree mode rapid-pvst

HP:

SW(configure)# spanning-tree
SW(configure)# spanning-tree force-version rstp-operation

6. Configure port security using MAC address restriction and limiting the number of devices connected.

CISCO:

SW(config)# interface range f0/1 - 24
SW(config-if-range)# switchport port-security
SW(config-if-range)# switchport port-security maximum 2
SW(config-if-range)# switchport port-security violation restrict

HP:

SW(configure)# port-security 1-24 learn-mode limited-continuous address-limit 2

7. Configuring SNMP on the switch so a monitoring tool can access the switch status.

CISCO:

SW(config)# snmp-server community [string-password] ro

HP:

SW(configure)# no snmp-server community public
SW(configure)# snmp-server community [string-password] restricted

8. Configure a username and password on the switch.

CISCO:

SW(config)# username admin privilege 15 secret [password]

HP:

SW(configure)# password manager user-name [admin] plaintext [networkpassword]

9. Configure an EtherChannel or Link Aggregation (LAG) port to bundle two or more ports together. Remember that LACP is the standard protocol used by vendors other than Cisco.

CISCO:

SW(config)# interface range Fa0/47 - 48
SW(config-if-range)# channel-protocol lacp
SW(config-if-range)# channel-group 1 mode active

HP:

SW(configure)# trunk 47-48 trk1 LACP

10. Configure the Switch Virtual Interface (SVI) IP address and default gateway.

CISCO:

SW(config)# ip default-gateway 10.1.1.1
SW(config)# int vlan 1
SW(config-if)# ip address 10.1.1.10 255.255.255.0
SW(config-if)# no shutdown

HP:

SW(config)# ip default-gateway 10.1.1.1
SW(config)# int vlan 1
SW(vlan-1)# ip address 10.1.1.10 255.255.255.0

11. Show logging on the console (terminal monitor is an exec-mode command, so it is entered at the SW# prompt, not in configuration mode).

Cisco:

SW# terminal monitor

HP:

SW# debug destination session
SW# debug event

Standard configuration of an access layer switch (Cisco)

Over the years I have developed a number of parameters that need to be configured on a Cisco switch. See below the features that you should consider enabling or configuring on the switch:

  1. logging synchronous – this feature keeps your commands from being interrupted by syslog messages, because it is annoying when you are typing a command and, in the middle of it, a syslog message breaks your command line.
  2. service password-encryption – this feature encrypts your system passwords with an MD5 hash; otherwise they are stored in the startup or running configuration file as clear text. This adds another layer of security against on-lookers. Although the MD5 hash password is easily reversible using a Google search, at least it is not readable at a glance. Note: this only encrypts the passwords for the enable password, line vty and console password commands. Enable secret uses an irreversible encryption.
  3. enable secret – it is best to use this privilege mode password command rather than enable password, since it is more secure and the password is encrypted irreversibly, as mentioned in the previous point.
  4. vtp mode transparent – although VLAN Trunking Protocol (VTP) is a great way of managing the VLAN database for multiple switches, it can pose a problem if anything goes wrong through misconfiguration of any switch that is part of the VTP domain. It is also Cisco's best practice to convert all switches to transparent mode and manage the VLANs manually on each switch, which leaves no room for error. Such an error can in fact cause a network outage that takes hours to reconfigure, depending on the scale of your LAN.
  5. transport input ssh – it is good practice to secure your connection to your switches using SSH, as it prevents persons from using tools such as Wireshark to capture password information from protocols (Telnet) that send the username and password in clear text. SSH encrypts the username and password in transit from source to device. This feature is applied on the line vty ports.
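As an added example (not from the original post), the audit below checks a constructed running-config excerpt for the five parameters listed and reports which are still missing or misconfigured. The hostname and password values are constructed placeholders.

```python
import re

# Constructed running-config excerpt (not from a production switch): a
# switch with only some of the parameters above applied.
RUNNING_CONFIG = """\
no service password-encryption
hostname ACCESS-SW1
enable password cisco123
vtp mode server
line con 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
end
"""

def line_blocks(config):
    """Group the indented sub-commands under each 'line ...' stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_access_switch(config):
    """Return one finding per parameter from the list that is not applied."""
    findings, blocks = [], line_blocks(config)
    for name, lines in blocks.items():
        if "logging synchronous" not in lines:
            findings.append(f"{name}: logging synchronous missing")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("service password-encryption not enabled")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("enable secret not set")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password present; replace it with enable secret")
    if not re.search(r"^vtp mode transparent$", config, re.M):
        findings.append("vtp mode transparent not set")
    for name, lines in blocks.items():
        if name.startswith("line vty"):
            inputs = [l for l in lines if l.startswith("transport input")]
            if inputs != ["transport input ssh"]:
                findings.append(f"{name}: transport input must be 'ssh' only")
    return findings

if __name__ == "__main__":
    for finding in audit_access_switch(RUNNING_CONFIG):
        print(finding)
```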

As I go along, I will update this article to reflect more parameters to configure on a network device for the best performance and security.

Setting up a previously configured Cisco Lightweight AP

We had a problem at work where we had to change the IP address of the Cisco Wireless LAN Controller (WLC), and as a result all the APs were orphaned with no way to rejoin the WLC.

In our environment, we did not have the CISCO-CAPWAP-CONTROLLER entry configured in the DNS server, so the APs had no way of getting the new WLC IP address.

I had to connect to each AP via the console port (blue) using a serial cable. When I connected, I used the default login of Cisco/Cisco, which is the factory-default username and password for any AP that joins a Cisco WLC.

After logging in, I went to privileged mode using the command enable. Once in privileged mode, you can use the following AP commands to manually configure the AP's network settings and controller IP address to ensure it rejoins the WLC:

  • AP# capwap ap ip address 192.168.0.5 255.255.255.0
  • AP# capwap ap ip default-gateway 192.168.0.1
  • AP# capwap ap controller ip address 192.168.0.2

These commands set the AP's IP address manually and the controller IP address that the AP should use to register.


CCNA Routing & Switching Preparation Tools

When preparing for my exam, I used the following resources to get started on my journey and to ensure I had all areas covered:

  1. Exam Blueprint (cisco.com)
  2. CCENT/CCNA ICND1 100-105 Official Cert Guide
  3. CCNA Routing and Switching ICND2 200-105 Official Cert Guide
  4. Cisco Packet Tracer (Network Simulator) or GNS3 for ICND2
  5. Practice Test – (when you purchase the premium ebook, you get the exam engine from Pearson IT Certification, or you can use MeasureUp)
  6. Video training (CBTNuggets.com) – they include practice tests depending on the package selected.

Mentor Training

I have started to do mentorship training for the CCNA Routing & Switching certification exams 100-105 and 200-105.
I noticed that when I begin to teach or train others in what I know and understand of Cisco networking skills, I have a better chance of retaining the knowledge and skills I learned and developed over the years while studying for the CCNA exam.

I am now taking things a step further by developing a blog that will allow me to share and impart the knowledge I have about the CCNA certification, so it can better prepare me for studying for the CCNP R&S exam.

I look forward to sharing my knowledge, and for you, my friends, to add to and develop on it.