Blog Just another tech site

5 Oct 2012

Cisco 2960s Ip Source Guard Port-Security Issue

IP Source Guard

Yesterday I had an issue where IP Source Guard with MAC address filtering was applied across a range of switches, including 3560Gs and 2960Ss. The majority of the switches functioned fine, and the change did not affect users. The one problem appeared on a pair of 2960S switches running in series (one trunked to the next), where users could not obtain IP addresses from the DHCP server.

A different building with the same switches, the same IOS version and the same configuration was functioning correctly (as were many others, but on different VLANs).

I then restored the previous working configuration and added the new configuration back one line at a time. The changes being made were the implementation of Dynamic ARP Inspection, port security and IP Source Guard.

If the command ip verify source was applied, all was well (I checked this by shutting down the ports, clearing the IP snooping binding table, adding the command, then re-activating the ports and checking whether IP addresses were obtained).

The command ip verify source port-security was causing the issue. I originally thought this could have been an option 82 problem, but option 82 was allowed in the configuration and the DHCP server had had no issues with it in the past.

I then decided to upgrade the IOS version from 15.0(1)SE1 to 15.0(2)SE. Surprisingly, this fixed the issue and all was well with IP Source Guard once more.
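For context on what ip verify source port-security depends on, here is an added example (not from the original post) of the three features the post applied, on a 2960S access switch. The interface numbers, VLAN 10 and the choice of uplink port are assumptions; the commands themselves are standard IOS.

```cisco
! DHCP snooping builds the binding table (IP, MAC, VLAN, port) that both
! Dynamic ARP Inspection and IP Source Guard consult.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default on these switches; the post's DHCP
! server accepted it.  A server that drops relayed requests carrying option 82
! is a different failure from the one described and shows up as no bindings.
ip dhcp snooping information option
!
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/48
 description Uplink towards the DHCP server (assumed port)
 switchport mode trunk
 ! Trust the uplink, otherwise DHCP offers and ARP replies arriving on it are dropped
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! "ip verify source" filters on source IP only; the port-security keyword adds
 ! the MAC check and requires port security on the interface.  The permitted
 ! MAC comes from the DHCP binding, so a port with no binding passes only DHCP.
 ip verify source port-security
!
! Checks matching the post's test sequence (shut, clear binding, no shut):
! show ip dhcp snooping binding
! show ip verify source interface GigabitEthernet1/0/1
! show ip arp inspection statistics vlan 10
```

If the binding table fills but clients still get no address with the port-security keyword present, the post's experience points at the IOS release rather than the configuration; compare behaviour with plain ip verify source before upgrading.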

Filed under: Cisco, Networking No Comments
3 Aug 2012

Using minicom to interface with serial devices on Linux

I came across a problem recently: I needed to configure a Cisco switch and all I had was an Ubuntu machine with a serial port. Since then I've got a Cisco 2511 with an octal cable, which is very handy when configuring many devices, but that is for another post.

I found a program called 'minicom', which as far as I'm aware is available in all the main repositories. This post is a brief explanation of how to find your serial port and set up / use minicom.

1. First of all, let's start by finding the computer's serial ports. Make sure your device is powered on and connected:

dmesg | grep tty

Listing Linux serial devices

In my example this shows that the physical serial port is at ttyS0, whereas USB-to-serial converters will show as ttyUSB0.

2. Time to open up minicom. I believe the later versions will allow running as an unprivileged user, but this means you cannot save configurations. Better to run as root if you have the option.

Start-up Minicom

Default page after starting Minicom

3. Checking the available options is very easy: to put minicom into command mode, press Control+A, followed by 'z' to show the options. For example, Control+A then 'x' will close minicom.

Minicom Options

4. Now it is time to set up minicom. As you can see from the help page, you need to use Control+A then 'o' (for options). Scroll down to "Serial port setup" and hit enter.

Minicom serial settings.

5. From there it is pretty straightforward to follow the prompts and change to your required settings. Typically Cisco networking equipment uses 9600 Bps/Par/Bits, "8-N-1", Yes to Hardware Flow Control and No to Software Flow Control. Also set your serial device to the one you found in the first step.

Minicom Cisco Settings

6. Now save your configuration for quicker access in the future; personally I save it as "Cisco".

Saving configuration

7. Now close minicom: Control+A then 'x' will prompt you with the option to close the program, or simply scroll to "Exit".

Resetting Minicom

8. If you saved a configuration within minicom, it can be used to open minicom directly with those settings. For example, "minicom cisco".

Initialising Minicom

9. Everything should be ready for using your serial device.

Functioning Minicom
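The steps above, scripted as an added example that is not part of the original post: it finds the serial devices the kernel registered (step 1), checks whether the current user can open them without root, and prints the minicom command line for the post's Cisco settings. The dmesg lines are constructed; the minicom flags -D (device) and -b (baud rate) and the Debian/Ubuntu "dialout" group are real.

```shell
#!/bin/sh
# Added example (not part of the original post).  Automates "dmesg | grep tty",
# checks port permissions, and builds the minicom invocation.

# Constructed sample of `dmesg | grep tty` on a machine with one on-board
# port and one USB-to-serial adapter.
SAMPLE_DMESG='[    0.000000] console [tty0] enabled
[    1.234567] 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[  812.345678] usb 1-1.2: pl2303 converter now attached to ttyUSB0'

# Read dmesg output on stdin and print each serial device node name once,
# in registration order.  tty0 (the console) is deliberately not matched.
serial_devices_from_dmesg() {
    grep -oE 'tty(S|USB|ACM)[0-9]+' | awk '!seen[$0]++'
}

# Print the minicom command for a device: -D selects the port, -b the speed.
# 8N1 is minicom's default framing; flow control lives in the saved profile,
# so an optional profile name ("cisco" in the post) is passed as the last word.
minicom_command() {
    if [ -n "${2:-}" ]; then
        printf 'minicom -D /dev/%s -b 9600 %s\n' "$1" "$2"
    else
        printf 'minicom -D /dev/%s -b 9600\n' "$1"
    fi
}

# Report whether the current user can open a device node.  Membership of the
# group that owns the node (dialout on Debian/Ubuntu) lets minicom write to
# the port without running the whole program as root.
check_port_access() {
    dev="/dev/$1"
    if [ ! -e "$dev" ]; then
        echo "missing"
    elif [ -r "$dev" ] && [ -w "$dev" ]; then
        echo "ok"
    else
        echo "denied (add yourself to the owning group: sudo usermod -aG dialout \$USER)"
    fi
}

# Stand-alone run: walk the constructed dmesg sample.
printf '%s\n' "$SAMPLE_DMESG" | serial_devices_from_dmesg | while read -r dev; do
    echo "$dev: $(check_port_access "$dev") -> $(minicom_command "$dev" cisco)"
done
```

On a live machine replace the sample with `dmesg | serial_devices_from_dmesg`; the command it prints opens the same profile the post saves in step 6.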

1 Aug 2012

Cisco SG 200-08 Trunking

I've had a little struggle getting a Cisco SG 200-08 trunking with several vlans to a Cisco 3560G switch.

I'll quickly explain what was throwing me off, for speed readers, and go into more depth later on. On the proper Cisco switch the standard dot1q encapsulation and trunk mode need to be used; this is similar to the SG 200-08, where the default 'trunk' port setting needs to be used. The only change needed on the smart switch is to create the VLANs beforehand and make them members of the trunk port in "Port VLAN Membership". This gave me strife because I am used to 3560s, where all VLANs are allowed on a trunk by default, whereas on the smart switch's trunk ports they need to be applied specifically.

How to set up a Cisco SG 200-08 with trunking and a non-default management VLAN:

  • First off I would start by giving the SG 200-08 an access port on a VLAN that has DHCP access, so the web interface can be accessed for configuration.

  • The device should now be accessible through the DHCP address; find this by looking it up on the server or doing an nmap scan and looking for Cisco equipment.

  • Now create the VLANs you need and name them under the "Create VLAN" tab.

  • The created VLAN(s) now need to be added to the desired trunk port on the smart switch; this is done through "Port VLAN Membership". Simply select the trunk port, edit the details, select the VLAN that is to be allowed on the trunk, tick Membership and then click the arrow to move it into the selected column.

  • The VLANs that are needed on the trunk should now be showing on the Port VLAN Membership page.

  • Access ports can now be configured, which is straightforward: change the required ports to access ports and define which VLAN is required, through "Interface Settings". This won't actually work until we configure a trunk port on the other switch.

  • Depending on your native VLAN settings, you may have to change the management VLAN setting before changing the port on the other switch to a trunk. Just a reminder: make sure the management VLAN is a member of the trunk port. This can be done through "IPv4 Interface".

  • The smart switch might become unreachable once the management VLAN has been changed, so we need to enable a trunk port on the other switch to regain access.

The switch should now be accessible through the IP entered in the management settings, and trunking should be working correctly.

Just a note: a port setting called "General" can be used, which I believe gives you more options for ingress filtering and for tagging on that port, and so more flexibility for VLAN-capable devices.
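The IOS side that the steps refer to ("a trunk port on the other switch"), as an added example that is not part of the original post. It shows the point the post makes about allowed VLANs: on the 3560G every VLAN rides the trunk unless pruned, so the explicit switchport trunk allowed vlan line mirrors the membership you tick on the SG 200-08. The interface name and the VLAN numbers (10, 20 and management VLAN 99) are assumptions.

```cisco
vlan 10
 name users
vlan 20
 name servers
vlan 99
 name management
!
interface GigabitEthernet0/1
 description Trunk to SG 200-08 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! The smart switch does not negotiate trunks (DTP), so do not try
 switchport nonegotiate
 ! IOS allows all VLANs by default; list only what the SG 200-08 port is a member of
 switchport trunk allowed vlan 10,20,99
 ! Untagged frames on the trunk belong to the native VLAN.  It must equal the
 ! untagged VLAN set on the SG 200-08 trunk port (1 by default on both sides);
 ! a dedicated unused VLAN is the safer choice where both sides can be set.
 switchport trunk native vlan 1
 no shutdown
!
! Verify: the VLAN list here should match the SG 200-08's Port VLAN Membership page.
! show interfaces GigabitEthernet0/1 trunk
! show interfaces GigabitEthernet0/1 switchport
```

If the management VLAN (99 here) is missing from either the allowed list or the SG 200-08 membership, the smart switch drops off the network exactly as the last two steps describe.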

Filed under: Cisco, Networking 14 Comments
20 Jul 2012

Path MTU Discovery

MTU Path Discovery - Fragment Error

Checking the MTU on a path is a very simple and handy thing to know (but I still seem to forget the command line options). The path MTU can be discovered manually using the Windows ping tool.

There are two extra command line options that are used for MTU discovery:

  • -l - sets the number of bytes sent as the payload of the ICMP echo request.
  • -f - sets the Don't Fragment flag, so a networking device will reply with an ICMP message if the packet is too large for the link.

An example use of this would be "ping www.google.com -l 1400 -f".

If the size being sent exceeds the MTU, ping reports "Packet needs to be fragmented but DF set." Starting at a large packet size and lowering it gradually lets you find the path MTU manually.

Path MTU Discovery
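The "start large and lower it" search above, automated as an added example that is not part of the original post. It binary-searches the ICMP payload size and adds the 28 bytes of IPv4 and ICMP headers to get the path MTU. The ping flags are real (Windows `ping -f -l SIZE host` as in the post, Linux iputils `ping -M do -s SIZE host`); the simulated probe and its assumed 1492-byte path are constructed so the search can run offline.

```shell
#!/bin/sh
# Added example (not part of the original post): binary-search path MTU discovery.
# Path MTU = ICMP payload + 20 (IPv4 header) + 8 (ICMP header).

SIM_MTU=1492   # constructed path MTU for the offline probe (typical for PPPoE)

# probe_simulated PAYLOAD: succeeds if a DF-marked packet of that payload fits.
probe_simulated() {
    [ $(( $1 + 28 )) -le "$SIM_MTU" ]
}

# probe_linux PAYLOAD: one real DF-marked echo to $TARGET; a "message too long"
# or frag-needed error makes ping exit non-zero, which is the signal we want.
probe_linux() {
    ping -M do -s "$1" -c 1 -W 1 "${TARGET:?set TARGET to the host}" >/dev/null 2>&1
}

# probe_windows PAYLOAD: the post's flags (-f, -l) plus -n for one echo; a reply
# line contains "TTL=", the fragmentation error does not.
probe_windows() {
    ping -f -l "$1" -n 1 "${TARGET:?set TARGET to the host}" | grep -q 'TTL='
}

# largest_payload PROBE UPPER: binary search for the largest payload PROBE
# accepts, between a payload known to pass (0) and UPPER, normally 1473 (one
# byte more than a 1500-byte MTU carries).  If UPPER itself passes, the path
# is at least that large and UPPER is returned.
largest_payload() {
    probe="$1"; lo=0; hi="$2"
    if "$probe" "$hi"; then echo "$hi"; return 0; fi
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# path_mtu PROBE [UPPER]: the MTU implied by the largest passing payload.
path_mtu() {
    payload=$(largest_payload "$1" "${2:-1473}")
    echo $(( payload + 28 ))
}

# Stand-alone run against the simulated path.  For a real measurement:
#   TARGET=www.google.com; path_mtu probe_linux      (or probe_windows in Git Bash)
echo "simulated path MTU: $(path_mtu probe_simulated)"
```

About eleven probes replace the manual step-down; each probe sends a single packet, so the check is as quiet as the one-off ping in the post.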

Filed under: Networking 1 Comment
7 Jul 2012

Windows – Finding which process is bound to a port

Sometimes I have the issue that a process is already bound to a port, stopping another process from using that port. Other times I just plainly need to find which process is using a particular port.

Usually a simple nmap scan of localhost shows enough information to get by. For beginners, after installing nmap simply run "nmap localhost" for a regular scan. Nmap can be found at http://nmap.org/download.html

If the exact process bound to a port needs to be found, a few steps need to be taken.

  1. Open a command prompt and run "netstat -ao": -a displays all connections and listening ports, -o lists the owning process ID.

    netstat -ao

  2. Find the related port, making sure to differentiate between TCP and UDP ports, and take note of the process's PID.
  3. Open up task manager and select View > Select columns.

    Task Manager - Show columns.

  4. Select the top checkbox for "PID (Process Identifier)".

    Task Manager - Select PID column.

  5. Now simply find the PID from netstat in the Processes tab; that is your related process.

    Task manager PIDs showing.
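The lookup in steps 2 and 5 as a parser over `netstat -ao` output, added as an example that is not part of the original post. The netstat rows are constructed; the column layout (Proto, Local Address, Foreign Address, State, PID) is the real Windows format. UDP rows carry no State column, which the parser allows for by always taking the last field as the PID.

```shell
#!/bin/sh
# Added example (not part of the original post): port -> owning PID from netstat -ao.

# Constructed sample of `netstat -ao` output (addresses from documentation ranges).
SAMPLE_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING       1204
  TCP    192.0.2.10:49731       198.51.100.7:443       ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:123            *:*                                    1488
  UDP    0.0.0.0:3389           *:*                                    1204'

# pid_for_port PROTO PORT: reads netstat output on stdin and prints the PID of
# every row whose local address ends in :PORT for PROTO (TCP or UDP), one per
# line and without duplicates (IPv4 and IPv6 listeners share a PID).
# Exit status is 1 when nothing matched.
pid_for_port() {
    awk -v proto="$1" -v port="$2" '
        toupper($1) == toupper(proto) && $2 ~ (":" port "$") && !seen[$NF]++ {
            print $NF; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed sample.  On a Windows box from Git Bash
# or similar:   netstat -ao | pid_for_port TCP 445
# then name the process without Task Manager:   tasklist /FI "PID eq <pid>"
for spec in "TCP 445" "UDP 123" "TCP 135"; do
    proto=${spec% *}; port=${spec#* }
    echo "$proto/$port -> PID $(printf '%s\n' "$SAMPLE_NETSTAT" | pid_for_port "$proto" "$port")"
done
```

Matching on the trailing ":PORT" rather than the whole address keeps it correct for listeners bound to a specific interface, to 0.0.0.0, or to [::].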

7 Jul 2012

Multiple DNS suffixes in Windows

Working in multiple domains can be a hassle, but there are a few things that make life easier. I have needed to do this recently to allow quicker access to two standard domains containing users, servers and workstations, and a domain dedicated to networking equipment.

Why would you need to do this? In my case, instead of typing a fully qualified domain name to access a device in another domain, the device name alone can be used. For example, if I am in 'domain1.com' and I need to access 'device1' in 'domain2.com', normally the full name 'device1.domain2.com' would have to be used. Once the second DNS suffix has been added to your network interface, only 'device1' needs to be entered to reach 'device1.domain2.com'.

Steps to add other DNS suffixes:

  1. In your desired network adapter's settings, select IPv4's properties.

    Select Ipv4 properties

  2. Select Advanced in the properties dialogue.

    Select Advanced

  3. Select the DNS tab.

    Select the DNS tab.

  4. Select "Append these DNS suffixes (in order):" and add your desired domains.

    Select 'Append' and add the desired DNS suffixes.


Now you should be able to access devices in other domains without the fully qualified domain name. I presume that if exactly the same name exists in both domains, the first matching domain in the list will be used.

7 Jul 2012

Cisco IOS – Logging to a non standard syslog port

Recently I have been setting up a new logging system, but have needed to log to a different port than the usual UDP 514.

This is relatively easy, depending on the version of IOS running. The following command allows it:

logging host <IP> transport udp port <port number>

Non standard port logging

Some versions of IOS will not allow the command:

Alternate IOS version

From my experience, 2960S and 3560E series switches running a Universal-based IOS seem to allow the command, but 3560G series switches running an IP Base IOS don't.

I'm assuming the command is only available in certain feature sets of IOS.

Filed under: Cisco No Comments