NetworkJutsu

Networking & Security Services | San Francisco Bay Area

Cisco

PHB (Per-Hop Behavior)

10/28/2011 By Andrew Roderos Leave a Comment

According to the End-To-End QoS Network Design: Quality of Service in LANs, WANs, and VPNs book, there are four standard PHBs (Per-Hop Behaviors), listed below:

  • Expedited Forwarding (EF) – Provides a strict-priority service. This is similar to the Express Mail service of USPS.
  • Assured Forwarding (AF) – Provides a qualified delivery guarantee and makes provision for oversubscription of this service (specifically, markdown and dropping schemes for excess traffic). This is similar to the Registered Mail service of USPS.
  • Class Selectors (CS) – Provides code points that can be used for backward compatibility with IP Precedence models.
  • Default PHB (Best-Effort Service) – Provides a “delivery when possible” or best effort service. This is similar to Regular Mail service of USPS.
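As an added example (not code from the post or from the book it cites), the following Python decoder maps a DSCP codepoint, or the TOS byte of an IPv4 header, onto the four PHB families listed above. It goes one step beyond the list by using the standard codepoint layout: EF is DSCP 46, CSx is 8x, AFxy is 8x + 2y, and 0 is the default PHB. The IPv4 header it builds is a constructed sample with documentation-range addresses.

```python
"""Map DSCP codepoints onto the four standard PHBs (added example, not from
the post or the book it cites).

Codepoint layout used here (RFC 2474 / RFC 2597 / RFC 3246):
  Default PHB ............ DSCP 0
  Class Selector CSx ..... DSCP = 8*x, x in 1..7 (low three bits zero)
  Assured Forwarding AFxy  DSCP = 8*x + 2*y, class x in 1..4, drop precedence y in 1..3
  Expedited Forwarding EF  DSCP 46 (binary 101110)
"""

import struct


def phb_for_dscp(dscp: int) -> str:
    """Return the PHB name for a 6-bit DSCP value, or 'unassigned'."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    if dscp == 0:
        return "Default"
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111      # high 3 bits / low 3 bits
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):  # AF: low bits are 010, 100, 110
        return f"AF{cls}{low // 2}"
    return "unassigned"


def phb_for_tos_byte(tos: int) -> str:
    """The IPv4 TOS / IPv6 Traffic Class byte carries DSCP in its top 6 bits
    and ECN in the bottom 2; strip ECN before decoding."""
    return phb_for_dscp((tos & 0xFF) >> 2)


def phb_for_ipv4_header(header: bytes) -> str:
    """Read the TOS byte (offset 1) of an IPv4 header and decode its PHB."""
    if len(header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    return phb_for_tos_byte(header[1])


def build_ipv4_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header carrying the given DSCP (checksum left 0).
    Addresses are from documentation ranges, not real hosts."""
    tos = (dscp << 2) | (ecn & 0b11)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]),
    )


if __name__ == "__main__":
    for d in (0, 8, 10, 26, 34, 46, 47):
        print(f"DSCP {d:2d} -> {phb_for_dscp(d)}")
    print("EF header ->", phb_for_ipv4_header(build_ipv4_header(46)))
```

Because a DSCP value that is not 0, 46, a CS codepoint or a valid AF codepoint is reported as unassigned, the decoder is also a quick sanity check for markings seen in captures or policy maps.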

Click here for more information.

Reference

End-To-End QoS Network Design: Quality of Service in LANs, WANs, and VPNs

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Layer 3 Link Load Balancing

10/27/2011 By Andrew Roderos Leave a Comment

The CCDP ARCH book states that, to avoid CEF (Cisco Express Forwarding) polarization, the recommended approach is to use alternating input hashes in the core and distribution layers. In the core, use the default hash, which is based on Layer 3 information only. In the distribution layer, use Layer 3 and Layer 4 information as the input to the CEF hash algorithm.

To enable the Layer 3 and Layer 4 CEF hashing algorithm, issue this command:

Switch (config)# mls ip cef load-sharing full


Recommended EtherChannel Load Balancing

10/26/2011 By Andrew Roderos Leave a Comment

The CCDP ARCH book states that the recommended way to load balance an EtherChannel is to use Layer 4 load balancing.

How to enable Layer 4 load balancing on an EtherChannel:

Switch (config)# port-channel load-balance src-dst-port


Cisco STP Toolkit

10/23/2011 By Andrew Roderos Leave a Comment

STP (Spanning Tree Protocol) is a great invention by Radia Perlman. The protocol was designed to ensure that a Layer 2 Ethernet network is loop-free. “Algorhyme” is a poem by Radia Perlman that pretty much summarizes what STP is. While this is a great invention, it needed some improvements. Say hello to Cisco’s STP Toolkit.

The Cisco STP Toolkit is a collection of STP extensions that improve the performance of the original IEEE 802.1D STP algorithm. Here are the extensions included in the STP Toolkit:

  • PortFast – Mostly used on access ports, but can be used on trunk ports. If you choose to enable PortFast on trunk ports, make sure you’re not creating a loop. This extension causes an access or trunk port to go to the STP Forwarding state immediately, skipping the Listening and Learning states.
  • UplinkFast – Used on uplink ports to speed up STP convergence after a direct link failure.
  • BackboneFast – Speeds up STP convergence after an indirect link failure. This extension needs to be enabled on all network devices to take advantage of the feature.
  • Loop Guard – Helps prevent a Layer 2 loop when there is a unidirectional link failure. It prevents an alternate or root port from becoming a designated port if it stops receiving BPDUs; instead, the port transitions to the loop-inconsistent state.
  • Root Guard – Prevents external switches from becoming the root. It is normally enabled on ports connecting to downstream switches. When a superior BPDU is received on an interface where Root Guard is enabled, the switch port transitions to the root-inconsistent state.
  • BPDU Guard – When PortFast is enabled on a port, this STP extension helps prevent bridging loops by transitioning the switch port to err-disabled upon receiving a BPDU.
  • BPDU Filter – This STP extension prevents PortFast-enabled ports from sending and receiving BPDUs, effectively disabling STP at the edge, which can lead to bridging loops. This is not a recommended configuration per the authors of the CCDP ARCH Self-Study Guide.
  • UDLD (Unidirectional Link Detection) – This STP extension prevents bridging loops by monitoring fiber-optic and/or twisted-pair links and detecting whether one-way (unidirectional) communication exists. If it detects unidirectional communication, it shuts down the interface and raises a system alert.

Some Cisco documentation includes UDLD and BPDU Filter in the toolkit and some does not. For the sake of completeness, I included them both here.

I hope this has been helpful and thank you for reading!


How to enable SSH on Cisco Routers and Switches

10/18/2011 By Andrew Roderos Leave a Comment

UPDATE: Please read my updated post regarding SSH on Cisco IOS.

In my previous blog post, I talked about one of the things a Network Engineer must do to harden Cisco routers and switches. Today, I am adding another item to the list. I will keep adding to this list to raise awareness of the importance of security.

As the title says, I am going to show you how to enable SSH on Cisco IOS devices. The commands are largely the same across IOS versions. If the commands listed here don’t work, use the IOS help menu.

The majority, if not all, of the people know that Telnet sends data in clear text. That means usernames and passwords are up for grabs. Imagine an unauthorized user logging into the company’s Cisco IOS devices, deleting the configuration and rebooting them. When that happens, someone would be let go pretty soon.

To enable SSH on Cisco IOS, you need an IOS image with the crypto feature. If your IOS image does not support crypto, then you’re out of luck. If you have a SMARTnet contract, I suggest you upgrade the IOS. For legacy hardware, the only choice is to upgrade it to a newer version. Check Cisco Feature Navigator to see whether your IOS image supports the crypto feature.

Enabling SSH on Cisco IOS

Without further delay, below are the commands to enable SSH on Cisco IOS. With this method, Cisco IOS requires you to specify the host name and domain name.

Router(config)#host R1
R1(config)#ip domain name domain.com
R1(config)#crypto key generate rsa general-keys modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 15
R1(config-line)#transport input ssh

Alternatively, a Cisco IOS user can enable SSH without specifying the domain name, as shown below. In this case, I am using a 4096-bit key size for the RSA keys.

R1(config)#crypto key gen rsa modulus 4096 label SSH_KEY
The name for the keys will be: SSH_KEY
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 103 seconds)
R1(config)#
*Dec 15 20:38:36.581: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh rsa keypair-name SSH_KEY
R1(config)#
*Dec 15 20:39:38.227: %SSH-5-DISABLED: SSH 1.99 has been disabled
*Dec 15 20:39:38.228: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh ver 2
R1(config)#line vty 0 15
R1(config-line)#transport input ssh

While you don’t need to use the transport input ssh command, it is recommended to disable Telnet altogether. By default, line vty 0 to 15 has the command transport input all configured, but it is not shown in the running configuration or startup configuration. That means, by default, either SSH or Telnet can be used.
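The checks in this post (SSH version 2 set, every vty line restricted to SSH, no reliance on the hidden transport input all default) and in the STP Toolkit post above (PortFast ports protected by BPDU Guard, BPDU Filter absent, PortFast on trunk ports reviewed) can be verified against a saved running-config. The Python audit below is an added example, not code from this blog, from the CCDP ARCH book or from Cisco; it assumes the usual IOS running-config layout (section bodies indented by one space) and the standard IOS commands named in the comments, and the configuration it parses is a constructed sample, not a real device's output.

```python
"""Audit a Cisco IOS running-config for the hardening points discussed above
(added example, not code from the blog, from the CCDP ARCH book or from Cisco).

Checks performed:
  management plane  - 'ip ssh version 2' is set
                    - every 'line vty' restricts 'transport input' to ssh
                      (no 'transport input' at all means the default 'all',
                      which still allows Telnet)
  STP edge ports    - a PortFast port has BPDU Guard (per-port, or the global
                      'spanning-tree portfast bpduguard default')
                    - BPDU Filter is not enabled on any port
                    - PortFast on a trunk port is flagged for review
The running-config below is a constructed sample, not a real device's output.
"""

SAMPLE_CONFIG = """\
hostname R1
ip domain name domain.com
ip ssh version 2
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Group a running-config into (top-level line, [indented sub-lines]).
    IOS prints section bodies indented by one space, so a line starting in
    column 0 opens a new block and indented lines belong to the one before."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config: str) -> list[str]:
    """Return one finding string per hardening gap; an empty list means clean."""
    blocks = parse_blocks(config)
    top_level = {header for header, _ in blocks}
    findings: list[str] = []

    if "ip ssh version 2" not in top_level:
        findings.append("global: 'ip ssh version 2' not configured")
    global_bpduguard = "spanning-tree portfast bpduguard default" in top_level

    for header, body in blocks:
        if header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport:
                findings.append(f"{header}: no 'transport input' configured (default allows Telnet)")
            else:
                protos = transport[-1].split()[2:]   # the last occurrence wins in IOS
                if protos != ["ssh"]:
                    findings.append(f"{header}: 'transport input {' '.join(protos)}' is not restricted to ssh")
        elif header.startswith("interface"):
            portfast = any(b.startswith("spanning-tree portfast") for b in body)
            if portfast and not (global_bpduguard or "spanning-tree bpduguard enable" in body):
                findings.append(f"{header}: PortFast enabled without BPDU Guard")
            if portfast and "switchport mode trunk" in body:
                findings.append(f"{header}: PortFast on a trunk port, verify no loop is introduced")
            if any(b.startswith("spanning-tree bpdufilter enable") for b in body):
                findings.append(f"{header}: BPDU Filter enabled (disables STP at the edge, not recommended)")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```

A vty line with no transport input at all is reported deliberately: as noted above, the implicit transport input all never appears in the running configuration, so an audit that only greps for the word telnet would miss it.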

Final Words

Hopefully, this will be included in your standard configuration for all the Cisco routers and switches that you have. Telnet is considered a security risk, so enabling SSH will mitigate that risk on your network.

I hope this has been helpful and thank you for reading!

