It is recommended to implement the separation of management and data/customer traffic in your datacenter switches running Cisco IOS and IOS-XE (e.g. ASR1000). Traffic passing through the management plane should be used exclusively for management or administrative access, such as SSH, SNMP, NTP and AAA. Here are the recommended configurations and practices for these management services. Configure Authentication, Authorization and Accounting (AAA), preferably by setting up centralized TACACS+ to manage all your devices; some use Cisco® Identity Services Engine (ISE) for central…
Category: Cisco
It is recommended to implement the separation of management and data/customer traffic in your datacenter switches running Cisco IOS-XR (e.g. ASR 9000, CRS). Traffic passing through the management plane should be used exclusively for management or administrative access, such as SSH, SNMP, NTP and AAA. Here are the recommended configurations and practices for these management services. Configure Authentication, Authorization and Accounting (AAA), preferably by setting up centralized TACACS+ to manage all your devices; some use Cisco® Identity Services Engine (ISE) for…
Dynamic Host Configuration Protocol, or DHCP, is a network protocol used (via a DHCP server) to dynamically or automatically assign an IP address and other information (e.g. gateway, DNS) to each host in the network. Here's a sample configuration for running a DHCP server on a Layer 3 switch.
Host Setup:
Gateway: 192.168.10.1
Netmask: 255.255.255.0
DNS Server: 192.168.20.254, 8.8.8.8
Layer 3 Switch (tested on Cisco 49xx)
VLAN ID: 888
IP Block: 192.168.10.0/24
Fig.A. Hosts connected to switch
Configure the respective interfaces for the access VLAN
L3-Switch#conf t…
As mentioned in the previous post, bogon prefixes or routes should never appear in the Internet routing table. Network engineers should implement "Best Practices" in their network, which includes filtering of bogons, as they may be used in DDoS attacks or spam. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list for more info. "Martian" bogons may change occasionally, so at least make sure the private addresses mentioned in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so they won't leak out into the Internet. Here are sample steps and configuration. 1. Create the Ingress…
For the number of addresses, I always used this formula:
32 – (CIDR) = X, then 2^X = number of addresses
To get the number of hosts, subtract 2 (network and subnet mask).
Example (to get the number of addresses and hosts of a /24):
32 – 24 = 8
2^8 = 256 (total number of addresses)
256 – 2 = 254 (total number of hosts)

CIDR  Addresses  Netmask          Wildcard
/32   1          255.255.255.255  0.0.0.0
/31   2          255.255.255.254  0.0.0.1
/30   4          255.255.255.252  0.0.0.3
/29   8          255.255.255.248  0.0.0.7
/28   16         255.255.255.240  …
Here are the Cisco IOS-XR commands vs. Juniper OS commands.

Cisco IOS-XR                          Juniper OS
BASIC
show                                  show
| include                             | match
..formal                              | display set
configure                             configure/edit
shutdown                              disable
no shutdown                           delete interface <interface> disable
no                                    delete
clear                                 clear
show running-config                   show configuration
show version                          show version
show tech-support                     request support information
show configuration (after change)     show | compare (after change)
clear counters <interface>            clear interface…
An Access List or ACL is a set of rules to filter network traffic that can be applied to routers or switches. In large networks that require hundreds of lines, it's a bit of a pain in the ass to manage and configure them. Another thing: if users keep requesting changes like adding and removing rules, then using object-groups can be the answer. Object-groups can be implemented in extended ACLs, both numbered and named, and can be…
1. Remote access should be via SSH, and telnet is disabled.
IOS-XR:
no telnet ipv4 server
Nexus OS:
no feature telnet
feature ssh
feature tacacs+
2. SSH should be version 2 or higher. Do not run v1.
IOS-XR:
ssh server v2
ssh server vrf management
Nexus OS:
ssh server v2
ssh server vrf management
ssh timeout 60
3. Configure SSH logging.
IOS-XR:
ssh server logging
4. Configure a login banner.
IOS-XR:
banner login ^C
*************************************************************************
UNAUTHORIZED ACCESS TO…
Here are sample IS-IS dynamic routing configurations on different Cisco platforms.
Fig.1
IOS-XR
Configure Loopback
interface Loopback0
 ipv4 address 172.16.2.1 255.255.255.255
 ipv6 address fdfe:abcd:ef12:0:172:16:2:1/128
 ipv6 enable
Configure P2P IP
interface Gi0/0/0/0
 description Connection to IOS Fa0/0
 ipv4 address 172.17.0.1 255.255.255.252
 ipv4 verify unicast source reachable-via any
 ipv4 unreachables disable
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any
 ipv6 address fdfe:ab12:cd34:a00:1::/127
 ipv6 enable
 ipv6 unreachables disable
 load-interval 30
 dampening
interface Gi0/0/0/1
 description Connection to NX-OS E1/1
 ipv4 address 172.18.0.1…