CONTROL Plane Policy

CBAC and Zone-Based FW are both DATA Plane policies. Another type of security policy is a CONTROL Plane Policy. It is quite similar to Cisco's MQC used for QoS traffic shaping and policing, and you use the same MQC-style commands to limit (POLICE) the CONTROL traffic.

You can use STANDARD CLASS-MAPS like in MQC to match a PROTOCOL or an ACL (access-group), but you can also use, for example, the LOGGING TYPE CLASS-MAPS:
(config)#class-map type logging match-any LOGGING
(config-cmap)#match packets ?
  dropped    Packets dropped by control-plane protection features <-IN ORDER TO VIEW THE CONTROL PLANE
  error      Error packets dropped by control-plane protection features
  permitted  Packets permitted by control-plane protection features

(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop

The trick is to APPLY the Policy Map to the CONTROL PLANE:
(config)#control-plane
(config-cp)#service-policy input POLICE_50KBPS
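A complete CoPP policy that ties the three pieces together (ACL, class-map, police under the control-plane), as an added example that is not from the original post. It assumes 10.0.0.0/24 is the management subnet; the ACL, class-map and policy-map names are placeholders chosen for this example.

```cisco
! Added example, not from the original post: a complete CoPP policy that
! classifies control-plane traffic with ACLs and polices each class.
! ASSUMPTION: 10.0.0.0/24 is the management subnet; all ACL, class-map
! and policy-map names are placeholders chosen for this example.
!
! Management sessions (SSH, SNMP) accepted only from trusted hosts
ip access-list extended COPP_MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
!
! ICMP echo/echo-reply policed in its own class so a ping flood
! cannot starve the management class
ip access-list extended COPP_ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all COPP_MGMT_CLASS
 match access-group name COPP_MGMT
class-map match-all COPP_ICMP_CLASS
 match access-group name COPP_ICMP
!
policy-map COPP
 class COPP_MGMT_CLASS
  police 128000 conform-action transmit exceed-action drop violate-action drop
 class COPP_ICMP_CLASS
  police 8000 conform-action transmit exceed-action drop
 class class-default
  ! Everything else punted to the CPU (routing protocols, ARP, etc.)
  ! gets a conservative rate; check the counters before tightening it
  police 50000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

After applying it, verify with "show policy-map control-plane" that the class-default drop counters stay at zero under normal load, since that class also carries routing-protocol and ARP packets.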

BANNER and MENU Configuration

If you need to define a BANNER to display the user restrictions, keep in mind that you can use the variables:
$(hostname) $(line) $(domain)

You also have the option of creating DYNAMIC ENTRIES (a MENU) displayed like a banner, and letting the user respond by choosing one of the entries:
Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T>Banner Configuration

Step 1: Define the MENU TITLE
(config)#menu MYMENU title & This is the AXA menu

Step 2: Define the TEXT ITEMS:
(config)#menu MYMENU text 1  Display all interfaces with their IPs
(config)#menu MYMENU text 2  Display the configuration of Fa1/0/1
(config)#menu MYMENU text 3  Logout
(config)#menu MYMENU text 4  Exit the Menu

Step 3: Specify the UNDERLYING COMMAND of each item in the MENU:
(config)#menu MYMENU command 1 sh ip int br
(config)#menu MYMENU command 2 sh run int fa1/0/1
(config)#menu MYMENU command 9 menu-exit

Step 4: Define the DEFAULT action:
(config)#menu MYMENU default 9

Step 5: Define the GLOBAL commands, for example to clear the screen when the MENU starts:
(config)#menu MYMENU clear-screen

Etherchannel L2 vs L3

PAgP (Port Aggregation Protocol) - Cisco Prop. - DESIRABLE or AUTO or NONEGOTIATE*
* in case the link is configured as ACCESS, or with the "switchport nonegotiate" command
- Protocol Value: 0x0104
- Same multicast group MAC as CDP

LACP (Link Aggregation Control Protocol) - 802.3ad - ACTIVE or PASSIVE
- Multicast MAC: 01-80-C2-00-00-02
- During detection, transmits LACPDUs every second

LACP>
Check the DEFAULT PARAMETERS:
2#show lacp 1 internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi3/0/19  SA      bndl      32768         0x1       0x1     0x7F        0x3D
Gi3/0/20  SA      bndl      32768         0x1       0x1     0x80        0x3D

"ON" - Doesn't use LACP or PAgP. BOTH sides MUST BE ON!!!
#do show etherch protocol
                Channel-group listing:
                ----------------------

Group: 13
----------
Protocol:   -  (Mode ON)


You can configure a MAX of 16 PORTS, out of which a MAXIMUM of 8 are ACTIVE PORTS and the others are HOT STANDBY (activated if one of the first 8 fails). Which ones belong to the ACTIVE group depends on the LACP PORT PRIORITY, which can be configured:
(config-if)#lacp port-priority 1 <--- LOWER IS BETTER!!! (default is 32768)

L3 ETHERCHANNEL: Configure the Port-Channel interface statically, and all L3 configuration under it
Summary: 32     Po32(RU)         -        Gi1/0/23(P) Gi1/0/24(P)

L2 ETHERCHANNEL: LOGICAL INTERFACE CREATED AUTOMATICALLY. Best Practice (CONFIGURATION):
- Default Interface
- Channel Protocol and Group on physical interface (this creates Port Channel)
- Configure TRUNKING ENCAPSULATION under the PORT CHANNEL directly
- SHUT -> NO SHUT on PHYSICAL INTERFACES
Summary: 24     Po24(SU)        PAgP      Gi1/0/21(P) Gi1/0/22(P)

* "show interface trunk" will show only the Port Channel, but "show interface XX switchport" on the physical interface will show that the INT IS a TRUNK


LOAD BALANCE the Etherchannel>
*CONFIGURED in the Global Config mode:
 (config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

 #show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination MAC address
