Showing posts from June, 2012

CONTROL Plane Policy

CBAC and Zone Based FW are all DATA Plane policies. Another type of Security Policies is a Control Plane Policy. This is quite similar to Cisco's MQC used for the QoS traffic shaping and policing. You can also use the commands like from MQC to limit (POLICE) the Control Traffic.

You can use STANDARD CLASS-MAPS like in MQC to match PROTOCOL or ACLs (access-group), but you can also use, example, the LOGGING TYPE CLASS-MAPS:
(config)#class-map type logging match-any LOGGING
(config-cmap)#match packets ?
dropped    Packets dropped by control-plane protection features <-IN ORDER TO VIEW THE CONTROL PLANE
error      Error packets dropped by control-plane protection features
permitted  Packets permitted by control-plane protection features

(config)#policy-map POLICE_50KBPS
(config-pmap)#class CONTROL_BW
(config-pmap-c)#police 50000 conform-action transmit exceed-action drop violate-action drop

The trick is to APPLY the Policy Map to the CONTROL PLANE:

BANNER and MENU Configuration

If you need to define a BANNNER to display the user restrictions, have in mind that you can use the variables:
$(hostname) $(line) $(domain)

You also have an option of creating the DYNAMIC ENTRIES as a banner, and let user use the VARIABLES as a response:
Cisco Docs: Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T>Banner Configuration

Step 1: Define the MENU TITLE
(config)#menu MYMENU title & This is the AXA menu

Step 2: Define the TEXT ITEMS:
(config)#meny MYMENU text 1  Display all interfaces with their IPs
(config)#meny MYMENU text 2  Display the configuration of Fa1/0/1
(config)#meny MYMENU text 3  Logout
(config)#meny MYMENU text 4  Exit the Menu

Step 3: Specify the UNDERLYING COMMAND of each item in the MENU:
(config)#menu MYMENU command 1 sh ip int br
(config)#menu MYMENU command 2 sh run int fa1/0/1
(config)#menu MYMENU command 9 sh menu-exit

Step 4: Define the DEFAULT action:
(config)#menu MYMENU default 9

Step 5: Define the GLOBAL commands, for example to cle…

Etherchannel L2 vs L3

PAgP (Port Aggregation Protocol) - Cisco Prop. DESIRABLE or AUTO or NONEGOTIATE
*in case the link is configured as ACCESS, or the "switchport nonegotiate" command
- Protocol Value: 0x0104
- Same multicast group MAC like CDP

LACP (Link Aggregation Control Protocol) - 802.3ad - ACTIVE or PASSIVE
- Multicast MAC: 01-80-C2-00-00-02
- During Detection transmits packets every second

2#show lacp 1 internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi3/0/19  SA      bndl      32768         0x1       0x1     0x7F        0x3D
Gi3/0/20  SA      bndl      32768         0x1       0x1     0x80        0x3D

"ON" - Doesnt use LACP or PaGP. BOTH sides MUST …