CBAC and the Zone-Based Firewall are both DATA PLANE policies. Another type of security policy is the CONTROL PLANE policy (Control Plane Policing). It is quite similar to Cisco's MQC used for QoS traffic shaping and policing, and you can use the same MQC commands to limit (POLICE) the control traffic.
You can use STANDARD CLASS-MAPS as in MQC to match a PROTOCOL or an ACL (access-group), but you can also use, for example, the LOGGING TYPE CLASS-MAPS:
(config)#class-map type logging match-any LOGGING
(config-cmap)#match packets ?
  dropped    Packets dropped by control-plane protection features     <- match these to see what the control plane drops
  error      Error packets dropped by control-plane protection features
  permitted  Packets permitted by control-plane protection features
The policy map below references CONTROL_BW, a standard class-map (defined beforehand) that matches the control traffic you want to police:
(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop
The trick is to APPLY the Policy Map to the CONTROL PLANE:
(config)#control-plane
(config-cp)#service-policy input POLICE_50KBPS
BANNER and MENU Configuration
If you need to define a BANNER that displays the user restrictions, keep in mind that you can use the variables:
$(hostname) $(line) $(domain)
You also have the option of creating DYNAMIC ENTRIES as a banner, and letting the user use the VARIABLES as a response:
Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T > Banner Configuration
Step 1: Define the MENU TITLE (the "&" is the delimiter that opens and closes the title text):
(config)#menu MYMENU title & This is the AXA menu &
Step 2: Define the TEXT ITEMS:
(config)#menu MYMENU text 1 Display all interfaces with their IPs
(config)#menu MYMENU text 2 Display the configuration of Fa1/0/1
(config)#menu MYMENU text 3 Logout
(config)#menu MYMENU text 4 Exit the Menu
Step 3: Specify the UNDERLYING COMMAND of each item in the MENU (an item is only selectable when a text line and a command line share the same number):
(config)#menu MYMENU command 1 sh ip int br
(config)#menu MYMENU command 2 sh run int fa1/0/1
(config)#menu MYMENU command 9 menu-exit
Step 4: Define the DEFAULT action:
(config)#menu MYMENU default 9
Step 5: Define the GLOBAL options, for example to clear the screen when the MENU starts:
(config)#menu MYMENU clear-screen
Etherchannel L2 vs L3
PAgP (Port Aggregation Protocol) - Cisco proprietary - DESIRABLE or AUTO or NONEGOTIATE*
* in case the link is configured as ACCESS, or with the "switchport nonegotiate" command
- Protocol Value: 0x0104
- Same multicast group MAC as CDP (01-00-0C-CC-CC-CC)
LACP (Link Aggregation Control Protocol) - 802.3ad - ACTIVE or PASSIVE
- Multicast MAC: 01-80-C2-00-00-02
- During detection, transmits packets every second
LACP: check the DEFAULT PARAMETERS:
2#show lacp 1 internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode        P - Device is in Passive mode

Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi3/0/19  SA      bndl      32768         0x1       0x1     0x7F        0x3D
Gi3/0/20  SA      bndl      32768         0x1       0x1     0x80        0x3D
"ON" - Does not use LACP or PAgP. BOTH sides MUST BE ON!!!
#do show etherch protocol
Channel-group listing:
----------------------
Group: 13
----------
Protocol: - (Mode ON)
You can configure a MAX of 16 PORTS, of which:
a MAXIMUM of 8 are ACTIVE PORTS, the others being HOT STANDBY (activated if one of the first 8 fails). Which ones belong to
the ACTIVE group depends on the LACP PORT PRIORITY, which can be configured:
(config-if)#lacp port-priority 1 <--- LOWER IS BETTER!!! (default is 32768)
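As an added example (not from the original post), a small Python model of that selection rule: it parses constructed lines in the shape of the "show lacp internal" output above and ranks the members by port-priority, then port-number (lowest wins), to show which eight bundle and which go HOT STANDBY. The sample output, the regex and the ranking function are assumptions, a simplified model rather than the platform's own implementation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of "show lacp 1 internal" (not captured from a device):
# ten members, the last two configured with "lacp port-priority 1".
SHOW_LACP_INTERNAL = """\
Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/1   SA      bndl      32768         0x1       0x1     0x101       0x3D
Gi1/0/2   SA      bndl      32768         0x1       0x1     0x102       0x3D
Gi1/0/3   SA      bndl      32768         0x1       0x1     0x103       0x3D
Gi1/0/4   SA      bndl      32768         0x1       0x1     0x104       0x3D
Gi1/0/5   SA      bndl      32768         0x1       0x1     0x105       0x3D
Gi1/0/6   SA      bndl      32768         0x1       0x1     0x106       0x3D
Gi1/0/7   SA      bndl      32768         0x1       0x1     0x107       0x3D
Gi1/0/8   SA      bndl      32768         0x1       0x1     0x108       0x3D
Gi1/0/9   SA      bndl      1             0x1       0x1     0x109       0x3D
Gi1/0/10  SA      bndl      1             0x1       0x1     0x10A       0x3D
"""

# One member row: port, flags, state, port-priority, admin key, oper key, port number, port state.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<flags>\S+)\s+(?P<state>\S+)\s+(?P<prio>\d+)\s+"
    r"0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+\s+(?P<number>0x[0-9A-Fa-f]+)\s+0x[0-9A-Fa-f]+$"
)

def parse_lacp_internal(text: str) -> List[Dict[str, object]]:
    """Return one dict per member port with its LACP port-priority and port number."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"port": m["port"], "prio": int(m["prio"]),
                         "number": int(m["number"], 16)})
    return rows

def select_active(rows: List[Dict[str, object]], max_active: int = 8) -> Tuple[List[str], List[str]]:
    """Rank members by (port-priority, port-number), lowest first.  The first
    max_active bundle; the rest are hot standby.  Simplified LACP selection model."""
    ranked = sorted(rows, key=lambda r: (r["prio"], r["number"]))
    active = [str(r["port"]) for r in ranked[:max_active]]
    standby = [str(r["port"]) for r in ranked[max_active:]]
    return active, standby

if __name__ == "__main__":
    act, sby = select_active(parse_lacp_internal(SHOW_LACP_INTERNAL))
    print("active :", act)
    print("standby:", sby)
```

With the two priority-1 ports winning, Gi1/0/7 and Gi1/0/8 are the ones left in hot standby; on a real pair of switches the side with the lower LACP system priority is the one whose ranking decides.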
L3 ETHERCHANNEL: Configure the Port-Channel interface statically, with all L3 configuration under it
"show etherchannel summary" line: 32 Po32(RU) - Gi1/0/23(P) Gi1/0/24(P)
L2 ETHERCHANNEL: LOGICAL INTERFACE CREATED AUTOMATICALLY. Best Practice (CONFIGURATION):
- Default Interface
- Channel Protocol and Group on physical interface (this creates Port Channel)
- Configure TRUNKING ENCAPSULATION under the PORT CHANNEL directly
- SHUT -> NO SHUT on PHYSICAL INTERFACES
"show etherchannel summary" line: 24 Po24(SU) PAgP Gi1/0/21(P) Gi1/0/22(P)
* "show interface trunk" will show only the Port Channel, but "show interface XX switchport" will show that the physical INT IS a TRUNK
LOAD BALANCING the Etherchannel:
* CONFIGURED in Global Config mode:
(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr
#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-mac
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination MAC address
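Added example (not from the original post) of why the load-balance method matters: a simplified Python model of the member selection, where the chosen method picks the address fields (XORed for the "Src XOR Dst" keywords) and the low-order bits of the result index the member link (1 bit for 2 links, 2 for 4, 3 for 8). The constructed flows, the helper names and the bit-selection rule are assumptions, not the exact platform hash; it shows how the default dst-mac polarises all traffic towards a single next-hop router onto one link, while src-dst-ip spreads it.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, str]  # (src_ip, dst_ip, src_mac, dst_mac)

def _mac_int(mac: str) -> int:
    """Accept Cisco dotted (0000.0c07.ac01), colon or dash MAC notation."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)

def hash_input(method: str, flow: Flow) -> int:
    """Combine the address fields as the 'port-channel load-balance' keyword names them."""
    src_ip, dst_ip, src_mac, dst_mac = flow
    sip, dip = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    smac, dmac = _mac_int(src_mac), _mac_int(dst_mac)
    return {
        "src-ip": sip, "dst-ip": dip, "src-dst-ip": sip ^ dip,
        "src-mac": smac, "dst-mac": dmac, "src-dst-mac": smac ^ dmac,
    }[method]

def select_member(method: str, flow: Flow, n_links: int) -> int:
    """Member index = low-order bits of the hash input: 1 bit for 2 links, 2 for 4,
    3 for 8.  Simplified model of the Catalyst behaviour, not the exact platform hash."""
    if n_links not in (2, 4, 8):
        raise ValueError("model covers 2, 4 or 8 member links only")
    return hash_input(method, flow) & (n_links - 1)

def distribution(method: str, flows: List[Flow], n_links: int) -> Dict[int, int]:
    """Count how many of the flows land on each member link."""
    return dict(Counter(select_member(method, f, n_links) for f in flows))

# Constructed flows: four hosts behind the switch, all sending to one server via the
# same next-hop router MAC, so every frame carries the same destination MAC.
FLOWS: List[Flow] = [
    (f"10.0.0.{i}", "192.168.1.10", f"0000.0000.000{i}", "0000.0c07.ac01")
    for i in range(1, 5)
]

if __name__ == "__main__":
    print("dst-mac    :", distribution("dst-mac", FLOWS, 2))     # {1: 4}: every flow on one link
    print("src-dst-ip :", distribution("src-dst-ip", FLOWS, 2))  # {1: 2, 0: 2}: spread across both
```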