about Networks!

Overview of ISMS

This post is my snippet of Wikipedia article about ISMS.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

PDCA (ISO/IEC 27001:2005):

The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
The Do phase involves implementing and operating the controls.
The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

Continue reading “Overview of ISMS”

Share this!

Private VLAN

Members of an isolated VLAN can only communicate with the promiscuous ports mapped
Members of a community VLAN can communicate with members of the same community and the promiscuous ports.

A two-way community acts like a regular community but has the additional aspect of allowing access control lists to check traffic going to and from (two ways) the VLAN and provides enhanced security within a private VLAN.

To configure PVLAN, VTP should be in transparent mode.

Create primary private-vlan
Create isolated/community VLAN
Associating isolated/community VLANs to primary
Configure spanning-tree mode and associating ports to PVLANs
Mapping PVLANs under the primary VLAN interface
To verify: show interface [primary PVLAN] private-vlan mapping

IPExpert, Vol.1, 2.28

You must configure VTP to transparent mode before you can create a private VLAN.
Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.

Configuration

SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan primary
SWITCH(config)# vlan secondary_number
SWITCH(vlan-config)# private-vlan [isolated | community]
SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan association secondary_number_list [add secondary_number_list]
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan host
SWITCH(config-if)# switchport mode private-vlan host-association primary_number secondary_number
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan promiscuous
SWITCH(config-if)# switchport mode private-vlan mapping primary_number secondary_number
SWITCH(config)# interface primary_number
SWITCH(config-if)# ip address address mask
SWITCH(config-if)# private-vlan mapping primary_number secondary_number

show vlan private-vlan type
show interface private-vlan mapping
show interface type mod/port switchport

Share this!

QoS Misc. 1 Q/A

How to block cisco.com/go/support using QoS matching DNS name, while allowing the web access to the host like cisco.com:

class-map match-all TEST
 match protocol http host "*cisco.com\/support*"
!
policy-map NBAR
 class TEST
  drop
!
interface FastEthernet0/1
 service-policy output NBAR

How to read the output of CoS-DSCP map

Switch# show mls qos maps dscp-cos
  Dscp-cos map:
    d1 :  d2                   9
    ---------------------------------------
     0 :    00 00 00 00 00 00 00 00 01 01
     1 :    01 01 01 01 01 01 02 02 02 02
     2 :    02 02 02 02 03 03 03 03 03 03
     3 :    03 03 04 04 04 04 04 04 04 04
     4 :    05 05 05 05 05 05 05 05 06 06
     5 :    06 06 06 06 06 06 07 07 07 07
     6 :    07 07 07 07

d1 is digit-one of the dscp, d2 is digit-two of the dscp. The intersection of the two digits gives the cos value for that particular dscp value.
e.g. for dscp 46, we can see the cos value is 05, while dscp 48 has cos 06 and dscp 64 is not shown as it is invalid.

Priority Queuing

Q: When I set priority-list 1 queue-limit 5 45 66 80 (I am setting the priority queue to 5 packets) I would think I would want this to be my highest #. In short I don’t think I understand this concept. If I set the priority queue to 80, then my priority traffic could accept 80 packets before it moves to the next queue. I would think this would be a good thing. I am sure I am not seeing this the right way. Can somebody explain please?

A: The queue-limit is simply how many packets each queue will hold. That is, the size of the queue.
With priority queuing, the scheduler will always try to empty the higher queues first before moving to the next-highest.
Ex. empty the high queue first, then medium queue, then normal queue and then finally low queue.
That’s why texts often mention the possibility of queue starvation.
When you have congestion on the interface, (which is the only situation you would engage the software queues) you would want your high priority traffic sent first.
You can set the limit (size) to whatever you want, but if you classify your traffic incorrectly, or rather too “loose”, putting too much into the high priority queue, you would end up servicing this queue all the time.
Tail drop should occur when you can’t “buffer” any more data, yes.
PQ is a double edged sword in my opinion.

Share this!

SVI Policy Configuration

Here are the main points to keep in mind:

The configuration requires a nested policy-map
The policy-map applied to the SVI references another policy map that actually does the policing
Do not forget to enable vlan-based QoS on the appropriate range of ports
In the parent policy-map, you must perform some action (besides calling another policy map)

In order to configure policing on a Switched Virtual Interface (SVI or VLAN interface), here is a sample configuration:

CAT2(config)#int range fa0/1 – 5
CAT2(config-if-range)#mls qos vlan-based
CAT2(config-if-range)#exit
!
CAT2(config)#access-list 100 permit udp any any range 16384 32767
!
CAT2(config)#class-map RTP
CAT2(config-cmap)#match access-group 100
CAT2(config-cmap)#exit
!
CAT2(config)#class-map PORTS
CAT2(config-cmap)#match input-interface fa0/1 - fa0/5
CAT2(config-cmap)#exit
!
CAT2(config)#policy-map PORT
CAT2(config-pmap)#class PORTS
CAT2(config-pmap-c)#police 256000 8000 exceed-action drop
CAT2(config-pmap-c)#exit
CAT2(config-pmap)#exit
!
CAT2(config)#policy-map VLAN
CAT2(config-pmap)#class RTP
CAT2(config-pmap-c)#set dscp 46
CAT2(config-pmap-c)#service-policy PORT
CAT2(config-pmap-c)#exit
CAT2(config-pmap)#exit
!
CAT2(config)#int vlan 100
CAT2(config-if)#service-policy input VLAN
CAT2(config-if)#end

Notice we set the DSCP value in the parent policy map in order to meet the requirement of “performing some action!” Also remember, both of the sample configurations above require mls qos configured globally on the device.

Share this!

Switching Misc. 1

To authenticate 802.1x clients:

SW1(config)# dot1x system-auth-control
SW1(config)# aaa new-model
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# radius-server host 150.100.220.100 key ipexpert

When a PC doesn’t support EAP, it can be placed in a guest-vlan:
dot1x guest-vlan 200
When the authentication is failed:
dot1x auth-fail vlan 100

Port-security table won’t survive a reload unless using “sticky” parameter.

switchport protected: The ports cannot communicate even with other ports in the same VLAN

Assign a static switching table entry

SW1(config)# mac-address-table {dynamic | static | secure} mac-addr {vlan vlan-id} {interface int1 [int2 … int15] [protocol {ip | ipx | assigned}]

If the destination port is a trunk, you must also specify the destination VLAN number vlan-id.

Set the switching table aging time:

SW1(config)# mac-address-table aging-time seconds [vlan vlan-id]

For VLAN number vlan-id (2 to 1001), entries are aged out of the switching table after seconds (0, 10 to 1,000,000 seconds; default 300 seconds). A value of 0 disables the aging process. The VLAN number is optional. If not specified, the aging time is modified for all VLANs.

Optimize the port as a connection to a single host

SW1(config-if)# switchport host

Several options are set for the port: STP PortFast is enabled, trunk mode is disabled, EtherChannel is disabled, and no dot1q trunking is allowed.

Share this!