Switching – Expert Network Consultant
https://www.expertnetworkconsultant.com
Networking | Cloud | DevOps | IaC
Feed last built Wed, 29 Mar 2023 20:29:06 +0000

Building a Resilient Enterprise Network: A Step-by-Step Guide to Implementing a Three-Tier Design with Cisco Commands
https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/building-a-resilient-enterprise-network-a-step-by-step-guide-to-implementing-a-three-tier-design-with-cisco-commands/
Fri, 31 Mar 2023 23:08:22 +0000

The Three-Tier design is a network architecture commonly used in enterprise environments. It consists of a Core layer, a Distribution layer, and an Access layer. The Core layer provides high-speed connectivity and acts as the backbone of the network; the Distribution layer provides access to the Core layer and aggregates traffic from the Access layer; and the Access layer connects end devices such as servers, workstations, and printers. This design is also known as the Collapsed Core design because the Core layer and the Distribution layer are combined into a single layer.

To configure a Three-Tier design using Cisco commands, follow the steps below:

Configure the Core layer:

Configure the Core layer switches with high-speed links to provide the backbone of the network.
Configure the switchports connected to the Distribution layer switches as trunk ports.
Configure VLANs on the Core layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

Configure the Distribution layer:

Configure the Distribution layer switches with uplinks to the Core layer switches and downlinks to the Access layer switches.
Configure the switchports connected to the Core layer switches as trunk ports and the switchports connected to the Access layer switches as access ports.
Configure VLANs on the Distribution layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 10

Configure the Access layer:

Configure the Access layer switches with uplinks to the Distribution layer switches.
Configure the switchports connected to end devices as access ports.
Configure VLANs on the Access layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20

Configure Spanning Tree Protocol (STP):

Configure STP to prevent loops in the network.
Configure the Core layer switches as the root bridges for each VLAN.

Sample Cisco commands:

spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 root primary

Configure Link Aggregation Control Protocol (LACP):

Configure LACP to provide link redundancy and load balancing between switches.

Sample Cisco commands:

interface GigabitEthernet0/1
channel-group 1 mode active

Configure VLANs:

Configure VLANs on the Core, Distribution, and Access layer switches to segment the network.
Assign ports to VLANs based on the device type and location.

Sample Cisco commands:

vlan 10
name Sales
vlan 20
name Engineering
vlan 30
name Marketing

Verify the configuration:

Verify the configuration by checking the switchport settings, VLAN configuration, and STP status.

Sample Cisco commands:

show interfaces GigabitEthernet0/1 switchport
show vlan brief
show spanning-tree vlan 10,20,30

By following these steps, you can configure a Three-Tier design using Cisco commands.
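The verification step above is done by eye with show commands. The following script is an added example, not code from the article, that performs the same consistency check offline against a saved running-config excerpt: it parses the `vlan`, `interface`, `switchport mode`, `switchport access vlan` and `switchport trunk allowed vlan` commands used in the steps and reports access ports that reference a VLAN missing from the VLAN database, and trunks with no explicit allowed-VLAN list (which carry every VLAN and widen the blast radius of any one segment). The sample configuration, including its two deliberate defects, is constructed for the example.

```python
"""Audit a Cisco IOS switch configuration excerpt for VLAN/trunk consistency.

Added example (not from the original article). Only the plain-list form of
'switchport trunk allowed vlan' is parsed; 'add'/'remove'/'all' variants
are treated as not pruned.
"""
import re

# Constructed sample: a Distribution-layer switch as the article describes it,
# with one access port in a VLAN that is never defined (Gi0/3) and one trunk
# that carries every VLAN because it has no allowed list (Gi0/4).
SAMPLE_CONFIG = """\
vlan 10
 name Sales
vlan 20
 name Engineering
vlan 30
 name Marketing
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 40
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return (defined_vlans, interfaces) from a running-config excerpt.

    interfaces maps an interface name to a dict with keys mode, access_vlan
    and allowed (a set of VLAN ids, or None when the trunk is not pruned).
    """
    defined = set()
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # '!' ends a configuration section
            continue
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            defined.add(int(m.group(1)))
            current = None
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": None, "access_vlan": None, "allowed": None}
            continue
        if current is None:
            continue                            # e.g. 'name Sales' under a vlan
        cfg = interfaces[current]
        m = re.fullmatch(r"switchport mode (access|trunk)", line)
        if m:
            cfg["mode"] = m.group(1)
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            cfg["access_vlan"] = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line)
        if m:
            cfg["allowed"] = expand_vlan_list(m.group(1))
    return defined, interfaces


def audit(text):
    """Return a list of human-readable findings, one per problem found."""
    defined, interfaces = parse_config(text)
    findings = []
    for name, cfg in sorted(interfaces.items()):
        if cfg["mode"] == "access":
            vid = cfg["access_vlan"]
            if vid is None:
                findings.append(f"{name}: access port with no VLAN assigned (defaults to VLAN 1)")
            elif vid not in defined:
                findings.append(f"{name}: access VLAN {vid} is not defined in the VLAN database")
        elif cfg["mode"] == "trunk":
            if cfg["allowed"] is None:
                findings.append(f"{name}: trunk carries all VLANs; add 'switchport trunk allowed vlan'")
            else:
                missing = sorted(cfg["allowed"] - defined)
                if missing:
                    findings.append(f"{name}: trunk allows undefined VLAN(s) {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file and it flags the two defects in the sample; a clean three-tier configuration should produce no findings at any of the three layers.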

See the previous article on building a two-tier campus network:
Design and Build a Two-Tier Campus Network Architecture

Follow this Cisco Validated Design for Inspiration.

Cisco Meraki has some good validated design ideas here.

Enhancing Network Reliability with Spanning Tree Protection for Core Switching
https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/enhancing-network-reliability-with-spanning-tree-protection-for-core-switching/
Sun, 26 Mar 2023 13:52:04 +0000

As networks continue to grow in size and complexity, the need for efficient and reliable data transmission becomes increasingly important. One crucial aspect of this is the prevention of network loops, which can cause data to be transmitted in an endless loop and ultimately bring down the entire network. This is where Spanning Tree Protocol (STP) comes in.

Spanning Tree Protocol is a network protocol that provides redundancy while preventing loops in a network. It accomplishes this by creating a loop-free logical topology of a network, while still allowing redundant paths for traffic. It does this by electing one switch in the network as the root bridge, and then blocking redundant links to ensure that there is only one active path between any two switches.

However, while STP provides a solid foundation for network redundancy and loop prevention, it has its limitations. For example, in the event that the root bridge fails, it can take a significant amount of time for the network to converge and find a new root bridge. This downtime can be unacceptable for certain networks, particularly those with critical applications or high availability requirements.

This is where Spanning Tree Protection (STP) comes into play. STP enhances the functionality of STP by providing a faster failover mechanism in the event of a root bridge failure. This mechanism ensures that the network can quickly recover from a failure and continue to function with minimal downtime.

STP accomplishes this by creating multiple active paths between switches while still preventing network loops. This allows for a faster failover in the event of a root bridge failure because the network already has alternate paths available to use. Additionally, STP includes a mechanism for detecting and preventing loops in the network, ensuring that data is always transmitted efficiently and without interruption.

In a core switching environment, STP protection is especially critical. Core switches are the backbone of the network, responsible for routing and transmitting data across the entire network. Any downtime or failure of a core switch can have a significant impact on the network’s performance and availability.

By implementing STP protection on core switches, network administrators can ensure that their networks remain available and reliable even in the face of hardware failures or other issues. Additionally, by leveraging the redundancy provided by STP protection, core switches can be upgraded or replaced without causing downtime or interrupting network traffic.

Root Guard is an extension of the STP protocol that provides additional security by protecting the root bridge from unauthorized access. The root bridge is the switch that has the lowest bridge ID and is responsible for initiating the STP algorithm. An attacker can potentially change the bridge ID of a switch and force it to become the root bridge, allowing them to manipulate network traffic and access sensitive information.

To prevent this, Root Guard is implemented on switches that are not intended to be the root bridge. When Root Guard is enabled, the switch will block any port that receives a superior BPDU (Bridge Protocol Data Unit), that is, one advertising a bridge ID lower, and therefore better, than that of the current root bridge. This prevents any unauthorized switch from becoming the root bridge and ensures that the network topology remains stable.

Root Guard can be particularly useful in environments where network security is a high priority, such as in financial institutions, healthcare facilities, and government agencies. By enhancing the STP protocol with Root Guard, network administrators can prevent unauthorized access to critical network resources and improve overall network reliability.

Root Guard is an essential tool for enhancing the reliability and security of Spanning Tree Protocol in network environments. It provides an additional layer of protection against the Root Bridge Attack and ensures that the network topology remains stable and secure. Network administrators should consider implementing Root Guard in their network infrastructure to prevent potential attacks and improve overall network performance.

In conclusion, Spanning Tree Protection is a critical technology for ensuring the reliability and availability of network traffic. By enhancing the capabilities of STP and providing faster failover mechanisms, STP protection is particularly well-suited for core switching environments. Network administrators should carefully consider the benefits of STP protection when designing and implementing their network infrastructure, to ensure that their networks remain available and reliable at all times.

Here are the Cisco IOS commands to secure STP and enable Root Guard:

Enable STP:

switch(config)# spanning-tree mode rapid-pvst

Enable PortFast on access ports:

switch(config)# spanning-tree portfast default
switch(config)# interface interface-id
switch(config-if)# spanning-tree portfast

Enable BPDU Guard on all access ports:

switch(config)# spanning-tree portfast bpduguard default

Enable Root Guard on all non-root bridge ports (this is an interface-level command):

switch(config)# interface interface-id
switch(config-if)# spanning-tree guard root

Verify that Root Guard is enabled:

switch# show spanning-tree interface interface-id detail

The detailed output should include a line stating that Root guard is enabled on the port.

By implementing these Cisco IOS commands, you can secure STP and enable Root Guard to protect against unauthorized access and maintain network stability. It is important to regularly monitor and review the STP configuration to ensure that it is properly secured and optimized for your network environment.
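The rule behind Root Guard depends on how bridge IDs compare: in 802.1D the lower priority wins, and the lower MAC address breaks ties, so a "superior" BPDU is one carrying a numerically lower root ID. The following Python model is an added example, not code from the article or from Cisco. It encodes that comparison, the priority that `spanning-tree vlan N root primary` selects on IOS (24576 if that already beats the current root, otherwise 4096 below the current root's priority), and the two reactions the commands above configure: BPDU Guard err-disabling a PortFast port on any BPDU, and Root Guard putting a port into the root-inconsistent state on a superior BPDU. All bridge IDs, MAC addresses, port names and priorities are constructed.

```python
"""Model of the STP decisions behind Root Guard and BPDU Guard.

Added example, not from the original article and not Cisco's implementation.
Bridge ID comparison follows IEEE 802.1D; Rapid PVST+ adds the VLAN id to
the configured priority (extended system ID), which the demo reproduces.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """Bridge identifier: priority (plus extended system ID) and MAC address."""
    priority: int
    mac: str            # dotted hex as IOS prints it, e.g. "0011.2233.4455"

    def key(self):
        # Lower tuple wins the root election; the MAC only breaks priority ties.
        return (self.priority, int(self.mac.replace(".", ""), 16))

    def is_better_than(self, other):
        return self.key() < other.key()


def root_primary_priority(current_root_priority):
    """Base priority chosen by 'spanning-tree vlan N root primary' on IOS:
    24576 when that beats the current root, otherwise 4096 below the
    current root's priority (clamped at 0)."""
    if 24576 < current_root_priority:
        return 24576
    return max(current_root_priority - 4096, 0)


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"


def apply_bpduguard_default(ports):
    """'spanning-tree portfast bpduguard default': guard every PortFast port."""
    for p in ports:
        if p.portfast:
            p.bpdu_guard = True


def receive_bpdu(port, advertised_root, configured_root):
    """Decide what a guarded port does when a BPDU arrives; return the new state.

    Simplification: a port returns to forwarding as soon as a non-superior
    BPDU arrives, whereas real Root Guard waits for superior BPDUs to age out.
    """
    if port.bpdu_guard:
        # Any BPDU on a guarded edge port means a switch (or a bridging host)
        # was plugged into an access port: shut the port down.
        port.state = "err-disabled"
    elif port.root_guard and advertised_root.is_better_than(configured_root):
        # A superior BPDU would move the root; keep the designated topology
        # and block the port instead.
        port.state = "root-inconsistent"
    else:
        port.state = "forwarding"
    return port.state


def demo():
    """Constructed VLAN 10 scenario on a Distribution switch; returns port states."""
    vlan = 10
    # Core switch made root with 'root primary' against a default (32768) root.
    core_root = BridgeId(root_primary_priority(32768) + vlan, "0011.2233.4455")
    downlink = Port("Gi0/1", root_guard=True)   # towards an Access switch
    edge = Port("Gi0/2", portfast=True)         # end-device port
    apply_bpduguard_default([downlink, edge])
    results = {}
    # Legitimate Access switch at default priority: inferior BPDU, port stays up.
    results["access-switch"] = receive_bpdu(
        downlink, BridgeId(32768 + vlan, "0022.3344.5566"), core_root)
    # A switch advertising priority 4096 would win the election: Root Guard blocks it.
    results["superior-bpdu"] = receive_bpdu(
        downlink, BridgeId(4096 + vlan, "0033.4455.6677"), core_root)
    # Any BPDU on the PortFast/BPDU Guard port err-disables it.
    results["edge-port"] = receive_bpdu(
        edge, BridgeId(32768 + vlan, "0044.5566.7788"), core_root)
    return results


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port}: {state}")
```

The model makes the operational point explicit: Root Guard only reacts to BPDUs that are better than the configured root, so it belongs on downlinks and never on the uplink that genuinely leads to the root, while BPDU Guard reacts to any BPDU at all and is only safe on ports where a switch should never appear.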

Cisco has some good recommendations – https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

How to Connect GNS3 to a Physical Network | A Step by Step Guide
https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/how-to-connect-gns3-to-a-physical-network-a-step-by-step-guide/
Tue, 21 Mar 2023 08:35:54 +0000

This article, How to Connect GNS3 to a Physical Network, is a no-nonsense, step-by-step guide to setting up a full hands-on GNS3 lab for the serious network engineer or student. The lab does what it says on the tin: routing, switching, firewall security, infrastructure, virtualisation and internet access, all made possible by an advanced lab created by some of the smartest network engineers of today.

How to Connect GNS3 to a Physical Network | Connecting Switch Uplink Interfaces (Introduction)

Trust me, we understand your frustration. You really want a hands-on lab, but GNS3 has some gotchas, and it is no longer economically efficient to own a lot of kit, so what do you do? Thank God, we have the answer in the steps below. It will cost you next to nothing but is guaranteed to give you the full-blown hands-on experience without any compromises.

You will be able to create a myriad of labs and change network topologies without much effort or extra configuration. This lab is suitable for a business, a university or an individual. It is vendor agnostic and so can support your Next-Generation ASA Firewall, SonicWall, Juniper, Palo Alto, HP Aruba switches, Cisco Catalyst switches, Windows Servers and, to make it even more interesting, anything else: if it has an interface, you can lab it.

The advantage here is that you can practise full switching and routing protocols such as HSRP | GLBP | VRRP, STP, OSPF and EIGRP, to name but a few.

Let us put together our kit list (some of these you may already have at your disposal).

Hardware Kit

  • 1 x Desktop Computer or Workstation with Expansion Slots (if you own a laptop you will need USB-C to Ethernet adapters, which are not truly reliable; hence the workstation preference)
  • 2 x 4 Port PCI-E 1Gbps Network Interface Card | 2 Access Buildings
  • 2 x Access Switches | Cisco Catalyst Switches or HPE Aruba Switches | Vendor Agnostic

Software and Operating System

Figure 1.0 – Connect Network Device to Ethernet Adapter

Figure 1.1 – 4 Port Ethernet Adapter

Figure 1.2 – Connect Switch Uplink Interfaces

Interfaces 47 and 48 are the uplinks to core routers R1 and R2 respectively. To make them layer 3 (routed) interfaces, the following configuration converts them from switchports to routed interfaces.

Example of Configuration

switch(config)# interface Fa0/47
switch(config-if)# no switchport
switch(config)# interface Fa0/48
switch(config-if)# no switchport

Figure 1.3 – Uplinks of Switches 1 and 2

Access Switch 1

switch(config)# interface 47
switch(config-if)# untagged vlan 1008
switch(config-if)# ip address 172.16.254.10
switch(config)# interface 48
switch(config-if)# untagged vlan 1012
switch(config-if)# ip address 172.16.254.14

Access Switch 2

switch(config)# interface 47
switch(config-if)# untagged vlan 1016
switch(config-if)# ip address 172.16.254.18
switch(config)# interface 48
switch(config-if)# untagged vlan 1020
switch(config-if)# ip address 172.16.254.22

Figure 1.4 – Switches Uplinks at back of Desktop connected to Physical Interfaces

Step 1 – Connect Ethernet Interfaces to Desktop Network Adapters

How to Connect GNS3 to a Physical Network | Configuring Physical Network Interfaces (Part 1)

Identify Interfaces on your computer

Command: nmcli dev status

# nmcli dev status
DEVICE  TYPE      STATE         CONNECTION
eth1    ethernet  connected     eth1
eth0    ethernet  connected     eth0
eth2    ethernet  disconnected  --
lo      loopback  unmanaged     --

Command: ifconfig

eno1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 40:a8:f0:49:7b:0a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7c00000-f7c20000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 24697  bytes 24138502 (24.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24697  bytes 24138502 (24.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 2 – Configure IP Addresses for Uplink Interfaces

How to Connect GNS3 to a Physical Network | Configuring IP Addresses for Network Interfaces (Part 2)

Step 3 – Connect Uplinks to Core Routers

How to Connect GNS3 to a Physical Network | Connecting Switch Uplinks to Core Routers (Part 3)

Step 4 – Test Connectivity with Pings

How to Connect GNS3 to a Physical Network | Test Connectivity with ICMP Pings (Part 4)
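Steps 2 to 4 are covered by video in the original, so the addressing for the desktop side of each uplink is never written down. The script below is an added example, not part of the article, that derives it from the switch-side addresses shown above. It assumes each uplink is a /30 point-to-point link (the article gives no masks; the .10/.14/.18/.22 pattern is consistent with /30 but this is an assumption), computes the single remaining host address for the desktop NIC, checks that no two uplinks overlap, and emits the nmcli commands that assign the address. The desktop interface names eth0 to eth3 are assumed.

```python
"""Derive desktop-side addressing for the GNS3 lab's switch uplinks.

Added example, not from the original article. Masks are assumed to be /30;
interface names on the desktop are assumed.
"""
import ipaddress

# Constructed from the article's Access Switch 1 and 2 uplink configuration;
# the desktop NIC names are assumptions.
UPLINKS = [
    {"switch": "Access Switch 1", "port": 47, "vlan": 1008, "switch_ip": "172.16.254.10", "nic": "eth0"},
    {"switch": "Access Switch 1", "port": 48, "vlan": 1012, "switch_ip": "172.16.254.14", "nic": "eth1"},
    {"switch": "Access Switch 2", "port": 47, "vlan": 1016, "switch_ip": "172.16.254.18", "nic": "eth2"},
    {"switch": "Access Switch 2", "port": 48, "vlan": 1020, "switch_ip": "172.16.254.22", "nic": "eth3"},
]


def peer_address(switch_ip, prefix=30):
    """Return the one other usable host address on the switch's link."""
    iface = ipaddress.ip_interface(f"{switch_ip}/{prefix}")
    others = [h for h in iface.network.hosts() if h != iface.ip]
    if len(others) != 1:
        raise ValueError(f"/{prefix} does not leave exactly one peer address")
    return str(others[0])


def plan_uplinks(uplinks, prefix=30):
    """Attach the link subnet and the desktop-side address to each uplink."""
    plan = []
    for u in uplinks:
        network = ipaddress.ip_interface(f"{u['switch_ip']}/{prefix}").network
        plan.append({**u, "network": str(network),
                     "host_ip": peer_address(u["switch_ip"], prefix)})
    return plan


def overlapping_links(plan):
    """Sanity check: two uplinks in one subnet leave the desktop with an
    ambiguous route, so the check returns every overlapping pair."""
    nets = [ipaddress.ip_network(p["network"]) for p in plan]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def nmcli_commands(nic, host_ip, prefix=30):
    """NetworkManager commands that give a desktop NIC its static address.

    The connection is assumed to carry the same name as the device, as the
    'nmcli dev status' output in the article shows.
    """
    return [
        f"nmcli connection modify {nic} ipv4.method manual ipv4.addresses {host_ip}/{prefix}",
        f"nmcli connection up {nic}",
    ]


if __name__ == "__main__":
    plan = plan_uplinks(UPLINKS)
    for p in plan:
        print(f"{p['switch']} port {p['port']} (VLAN {p['vlan']}): "
              f"switch {p['switch_ip']}  desktop {p['nic']} {p['host_ip']}  link {p['network']}")
        for cmd in nmcli_commands(p["nic"], p["host_ip"]):
            print("   ", cmd)
    if overlapping_links(plan):
        print("WARNING: overlapping uplink subnets:", overlapping_links(plan))
```

Once the addresses are applied, Step 4's ping from the desktop to each switch-side address confirms the physical path before any GNS3 router is bound to the NIC.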

Download the full lab here: Connecting GNS3 to Physical Network – Multilayer Network Access Design

Related post: How to Connect GNS3 to Internet

Top 5 Network Access Control (NAC) Solutions
https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/top-5-network-access-control-nac-solutions/
Fri, 17 Mar 2023 10:32:46 +0000

As businesses continue to rely on technology for their daily operations, network security becomes increasingly important. Network Access Control (NAC) solutions are designed to help organizations monitor and control access to their networks, ensuring that only authorized users and devices can connect. In this article, we will explore the top 5 Network Access Control solutions available in the market.

Cisco Identity Services Engine (ISE)
Cisco ISE is a comprehensive NAC solution that provides centralized policy control and enforcement. It integrates with a wide range of third-party security solutions and can be deployed on-premise or in the cloud. With its extensive policy management capabilities and real-time monitoring and reporting features, Cisco ISE is an excellent choice for organizations of all sizes.

Fortinet FortiNAC
FortiNAC is a powerful NAC solution that offers granular visibility and control over network access. It can be integrated with a variety of endpoints, including IoT devices, and can be deployed in cloud, on-premise, or hybrid environments. With features such as automated threat response and continuous compliance monitoring, FortiNAC is an excellent option for businesses that need advanced network security.

Aruba ClearPass
Aruba ClearPass is a user-friendly NAC solution that provides policy-based access control for wired and wireless networks. It integrates with a variety of security solutions and can be deployed in cloud, on-premise, or hybrid environments. With features such as self-service onboarding and advanced threat detection, Aruba ClearPass is an ideal solution for businesses that need a comprehensive yet easy-to-use NAC solution.

Pulse Secure Pulse Policy Secure
Pulse Policy Secure is a comprehensive NAC solution that provides real-time visibility and control over network access. It can be deployed on-premise or in the cloud and integrates with a variety of endpoints and security solutions. With its advanced threat detection and remediation capabilities, Pulse Policy Secure is an excellent choice for businesses that require high levels of network security.

ForeScout CounterACT
ForeScout CounterACT is a powerful NAC solution that provides real-time visibility and control over network access. It can be integrated with a wide range of security solutions and can be deployed on-premise or in the cloud. With features such as automated threat response and continuous compliance monitoring, ForeScout CounterACT is an excellent choice for businesses that need advanced network security.

In conclusion, Network Access Control solutions are critical for protecting the integrity of an organization’s network infrastructure. The above-mentioned solutions are some of the best available in the market, each offering unique features and capabilities. Organizations should carefully evaluate their requirements and choose the NAC solution that best fits their needs. By doing so, they can ensure that their network remains secure and their business operations continue to run smoothly.

Best Practices for Network Access Control
https://www.expertnetworkconsultant.com/configuring/best-practices-for-network-access-control/
Wed, 15 Mar 2023 10:29:06 +0000

As technology continues to advance, the threat landscape for networks is constantly evolving. The rise of mobile and remote workers, cloud computing, and the Internet of Things (IoT) has made network security more complex than ever. One of the key components in securing a network is implementing effective network access control (NAC). In this article, we will discuss best practices for NAC and how to implement them in your organization.

Develop a NAC Policy
The first step in implementing effective NAC is to develop a policy that outlines the rules and procedures for granting network access. This policy should be tailored to your organization’s specific needs and take into account factors such as user roles, devices, and applications. It should also include clear guidelines on how to enforce the policy, such as the use of firewalls and intrusion detection systems.

Identify and Authenticate Users
To ensure that only authorized users have access to your network, it is important to implement strong authentication methods. This can include usernames and passwords, two-factor authentication, or biometric authentication. In addition, it is important to regularly review and update user access privileges to ensure that they align with current job responsibilities.

Segment Your Network
Segmenting your network can help to limit the spread of malware and other security threats. By dividing your network into smaller subnets, you can control which users and devices have access to different areas of the network. This can help to prevent lateral movement by attackers and limit the impact of any security breaches.

Monitor and Enforce NAC Policies
Monitoring and enforcing your NAC policies is critical to maintaining the security of your network. This can include monitoring user activity, network traffic, and device usage. By analyzing this data, you can identify any suspicious activity and take appropriate action to mitigate any potential threats.

Regularly Update Your NAC Solution
Network security threats are constantly evolving, which means that your NAC solution needs to be updated regularly to stay effective. This can include updating software and firmware, adding new security features, and patching any vulnerabilities that are identified. Regular testing and validation of your NAC solution can help to ensure that it is functioning as intended and providing adequate protection for your network.

In conclusion, implementing effective network access control is critical to maintaining the security of your organization’s network. By following these best practices, you can help to prevent unauthorized access, limit the spread of malware, and protect sensitive data. Remember to regularly review and update your NAC policies and solutions to stay ahead of the evolving threat landscape.

SANS Institute has a great paper on the above subject.

Understanding Network Access Control (NAC)
https://www.expertnetworkconsultant.com/configuring/understanding-network-access-control-nac/
Tue, 14 Mar 2023 13:10:42 +0000

What is Network Access Control (NAC) and How Does it Work?

Network Access Control (NAC) is a crucial component of modern-day network security that allows organizations to restrict access to their networks and systems to authorized users and devices. NAC helps to ensure that only trusted devices and users can access sensitive information, preventing potential security breaches and protecting critical data. In this article, we’ll take a closer look at what NAC is, how it works, and why it’s essential for organizations to implement it as part of their overall cybersecurity strategy.

What is Network Access Control (NAC)?

Network Access Control (NAC) is a security technology that controls access to network resources based on predefined policies. NAC systems are designed to verify the identity of devices and users attempting to access a network, ensuring that only authorized users and devices are granted access. NAC systems are typically deployed at the network’s edge, such as firewalls or switches, and are used to enforce security policies and restrict access to network resources.

How Does NAC Work?

NAC works by controlling access to network resources based on predefined policies. Before a device or user is granted access to a network, they must be authenticated and authorized. NAC systems use a variety of methods to verify the identity of devices and users, including digital certificates, biometric authentication, and two-factor authentication.

Once a device or user has been authenticated, the NAC system checks their compliance with security policies, such as antivirus software updates and patch management. If the device or user is compliant, they are granted access to the network. If not, they are denied access or placed in a quarantine zone until they can be brought into compliance.

Why is NAC Important for Organizations?

NAC is essential for organizations because it helps to ensure that only authorized users and devices can access their networks and systems. This is particularly important for organizations that handle sensitive data, such as healthcare providers, financial institutions, and government agencies.

NAC helps to prevent security breaches by ensuring that only trusted devices and users can access sensitive information. It also helps to enforce security policies and ensure that devices are up to date with the latest security patches and antivirus software updates.

Furthermore, NAC helps organizations to comply with regulatory requirements, such as HIPAA and PCI DSS. Compliance with these regulations is essential for organizations that handle sensitive data, and failure to comply can result in severe financial penalties and reputational damage.

Implementing NAC in Your Organization

If you’re considering implementing NAC in your organization, there are several factors to consider. First, you’ll need to assess your organization’s security needs and determine which NAC solution is best suited to your needs. There are several NAC solutions available, ranging from basic solutions to more advanced systems that integrate with other security technologies.

You’ll also need to consider your budget and the resources required to deploy and maintain your NAC solution. NAC solutions can be complex, and you’ll need to ensure that you have the necessary expertise and resources to manage your solution effectively.

In Conclusion

Network Access Control (NAC) is a critical component of modern-day network security that helps organizations to restrict access to their networks and systems to authorized users and devices. NAC helps to prevent security breaches, enforce security policies, and ensure compliance with regulatory requirements. Implementing NAC in your organization can be complex, but it’s essential for organizations that handle sensitive data and want to ensure that their networks and systems are secure.

Juniper has a very interesting article on the above subject.

What is Network Access Control (NAC) and How Does it Work?
https://www.expertnetworkconsultant.com/configuring/what-is-network-access-control-nac-and-how-does-it-work/
Tue, 14 Mar 2023 09:48:35 +0000

Network Access Control (NAC) is a critical component of network security, designed to prevent unauthorized access to your network resources. NAC solutions provide a range of features, including identity and access management, policy enforcement, and endpoint compliance checks, to ensure that only authorized users and devices can access your network.

In this article, we will explore the basics of NAC, including how it works, why it is important, and the key components of a NAC solution.

What is Network Access Control (NAC)?

Network Access Control (NAC) is a security solution that enables organizations to control access to their networks. It provides a way to authenticate users and devices, enforce access policies, and monitor network activity to identify potential security threats.

NAC solutions use a range of techniques to ensure that only authorized users and devices can access the network. These include identity and access management, endpoint compliance checks, and policy enforcement.

How Does NAC Work?

NAC solutions typically include several key components, including:

Endpoint Identification: NAC solutions use various techniques to identify the devices that are attempting to access the network, such as MAC addresses, IP addresses, and user credentials.

Authentication and Authorization: Once an endpoint is identified, the NAC solution will authenticate the user and/or device and verify that it is authorized to access the network.

Policy Enforcement: NAC solutions enforce access policies to ensure that only authorized users and devices can access the network. Policies can be based on a range of factors, such as user identity, device type, and location.

Endpoint Compliance: NAC solutions also check endpoints for compliance with security policies, such as the presence of antivirus software or the latest operating system patches.

Monitoring and Reporting: NAC solutions monitor network activity to detect potential security threats, such as unauthorized access attempts or suspicious network activity.
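The five components above, and the authenticate-then-posture-check-then-quarantine flow described in the preceding article, compose into a single decision pipeline. The following Python is an added example, not code from the article and not any vendor's product logic. It identifies an endpoint by credentials or, for devices that cannot authenticate, by a MAC allow-list; authenticates with a salted PBKDF2 hash compared in constant time (and hashes even for unknown usernames so response timing does not reveal which usernames exist); checks posture; and returns allow, quarantine or deny with the VLAN to place the endpoint in. Users, passwords, MAC addresses, roles, VLAN numbers and the patch baseline are all constructed.

```python
"""Minimal NAC policy-decision pipeline: identify, authenticate/authorize,
posture-check, then place the endpoint (allow / quarantine / deny).

Added example, not from the original article and not any vendor's logic.
Every identity, credential, MAC address and VLAN number below is constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

QUARANTINE_VLAN = 999                               # remediation VLAN (constructed)
ROLE_VLAN = {"sales": 10, "engineering": 20, "printer": 30}
POSTURE_EXEMPT_ROLES = {"printer"}                  # MAC-identified devices cannot report posture
MIN_PATCH_LEVEL = 5                                 # constructed baseline build number


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "role": role}


# Constructed identity store; a real deployment fronts AD/LDAP via RADIUS.
USERS = {
    "alice": _make_user("correct horse", "sales"),
    "bob": _make_user("battery staple", "engineering"),
}
# Dummy record so unknown usernames cost the same hashing time as known ones.
_DUMMY = _make_user("", "none")
# Constructed allow-list for devices that cannot do 802.1X, MAB-style.
KNOWN_MACS = {"0011.2233.4455": "printer"}


@dataclass
class Endpoint:
    mac: str
    username: Optional[str] = None
    password: Optional[str] = None
    av_running: bool = False
    patch_level: int = 0


@dataclass
class Decision:
    action: str                  # "allow" | "quarantine" | "deny"
    vlan: Optional[int]
    reasons: List[str] = field(default_factory=list)


def authenticate(ep):
    """Identify and authenticate the endpoint; return its role or None."""
    if ep.username is not None:
        rec = USERS.get(ep.username, _DUMMY)
        ok = hmac.compare_digest(_pbkdf2(ep.password or "", rec["salt"]), rec["hash"])
        return rec["role"] if ok and ep.username in USERS else None
    # No credentials presented: fall back to the MAC allow-list.
    return KNOWN_MACS.get(ep.mac.lower())


def posture(ep):
    """Endpoint compliance checks; return the list of failures (empty = compliant)."""
    failures = []
    if not ep.av_running:
        failures.append("antivirus not running")
    if ep.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {ep.patch_level} below baseline {MIN_PATCH_LEVEL}")
    return failures


def decide(ep):
    """Run the full pipeline and return where the endpoint is placed."""
    role = authenticate(ep)
    if role is None:
        return Decision("deny", None, ["authentication failed"])
    failures = [] if role in POSTURE_EXEMPT_ROLES else posture(ep)
    if failures:
        return Decision("quarantine", QUARANTINE_VLAN, failures)
    return Decision("allow", ROLE_VLAN[role], [f"role {role}"])


if __name__ == "__main__":
    for ep in [
        Endpoint("aabb.ccdd.0001", "alice", "correct horse", av_running=True, patch_level=5),
        Endpoint("aabb.ccdd.0002", "bob", "battery staple", av_running=False, patch_level=5),
        Endpoint("aabb.ccdd.0003", "alice", "wrong"),
        Endpoint("0011.2233.4455"),
        Endpoint("aabb.ccdd.0004"),
    ]:
        d = decide(ep)
        print(f"{ep.mac}: {d.action} vlan={d.vlan} ({'; '.join(d.reasons)})")
```

The decision record is what the Monitoring and Reporting component consumes: a denied endpoint or a run of quarantines from one switch port is the signal worth alerting on, and the reasons list gives the help desk what it needs to remediate.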

Why is NAC Important?

Network Access Control (NAC) is critical for maintaining the security and integrity of your network. By controlling access to your network resources, you can prevent unauthorized access and protect sensitive data from theft or loss.

NAC solutions also provide a way to enforce security policies and ensure that all devices on your network are up-to-date with the latest security patches and antivirus software. This reduces the risk of malware infections and other security threats that could compromise your network.

Cisco provides various commands and tools that can be used for Network Access Control (NAC) solutions, endpoint compliance, policy enforcement, network security, authentication and authorization, and identity and access management. Some of the common commands and tools include:

Cisco Identity Services Engine (ISE): This is a comprehensive NAC solution that provides identity and access management, policy enforcement, and endpoint compliance features. It can be managed using various CLI (Command Line Interface) commands, such as “show” commands to display configuration details and “configure” commands to modify the configuration.

Cisco TrustSec: This is a network security solution that provides secure segmentation and policy-based access control. It can be configured using various CLI commands, such as “device-tracking” to enable device tracking and “policy” commands to configure access policies.

Cisco Secure Access Control System (ACS): This is a centralized access control solution that provides authentication and authorization for network devices and users. It can be managed using various CLI commands, such as “aaa” commands to configure authentication, authorization, and accounting policies.

Cisco AnyConnect: This is a VPN solution that provides secure remote access to network resources. It can be configured using various CLI commands, such as “vpn” commands to configure VPN policies and “webvpn” commands to configure web-based VPN access.

Cisco Adaptive Security Appliance (ASA): This is a firewall solution that provides network security and access control. It can be managed using various CLI commands, such as “access-list” commands to configure access control lists and “vpn-filter” commands to configure VPN access policies.

Overall, Cisco provides a wide range of CLI commands and tools that can be used to configure and manage NAC solutions, endpoint compliance, policy enforcement, network security, authentication and authorization, and identity and access management.

Conclusion

Network Access Control (NAC) is a critical component of network security, designed to prevent unauthorized access to your network resources. NAC solutions provide a range of features, including identity and access management, policy enforcement, and endpoint compliance checks, to ensure that only authorized users and devices can access your network.

By implementing a NAC solution, you can reduce the risk of security threats, protect sensitive data, and ensure the integrity of your network. So if you haven’t already implemented NAC in your organization, now is the time to do so.

Understanding First Hop Redundancy Protocols (FHRP) https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/understanding-first-hop-redundancy-protocols-fhrp/ Sat, 31 Aug 2019 23:00:10 +0000

Modern network design requires careful consideration of how the network deals with failure. With that in mind, the network must be built with as much redundancy as possible. In fact, the design must have proper financial backing for that redundancy, as many enterprises rely heavily on internet access and cannot afford to lose money to a network design that gives little thought to handling a crisis.

From the client’s perspective, outside of their local network, the next important piece they deal with is the default gateway. Should the gateway go down, the entire subnet loses access to everything beyond it.

To deal with gateway redundancy, we implement a first hop redundancy protocol. There are a number of these technologies on the market; today we shall start with Cisco’s Hot Standby Router Protocol (HSRP). The others are the Virtual Router Redundancy Protocol (VRRP) and the Gateway Load Balancing Protocol (GLBP). Most modern Cisco equipment supports all three.

Understanding First Hop Redundancy Protocols (FHRP)

You connect a computer to your network; it boots up and automatically receives IP address information from the DHCP server. One piece of that information is the Default Gateway.
The Default Gateway is the router that gets us off our local subnet. Now imagine that the router acting as the default gateway fails: suddenly we are unable to send traffic off the local subnet. The good news is that we can add redundancy to this scenario through a first hop redundancy protocol, and that is the focus of this article, Understanding First Hop Redundancy Protocols (FHRP). Specifically, we shall look at three FHRP protocols: HSRP, VRRP and GLBP.

These protocols allow our devices to use a backup router to get off the local subnet while still pointing at the same Default Gateway IP address that they learned via DHCP.

Let’s have a look at Cisco’s Hot Standby Router Protocol.

Note: HSRP sends its hello messages to the multicast destination 224.0.0.2 (“all routers”) using UDP port 1985.

Equipment Used

  • Router 1 (Active) : 10.1.1.2
  • Router 2 (Standby) : 10.1.1.3
  • Access Switch
  • Workstation

    Gateway Design and Configuration

    Virtual Gateway 1: 10.1.1.1
    Virtual Gateway 2: 10.1.1.10

    Figure A.1 – Workstation Default Gateway Configured as : 10.1.1.1

    Figure A.2 – Workstation Default Gateway Configured as : 10.1.1.10

    Figure 1.0 – Understanding First Hop Redundancy Protocols (HSRP)
    In this high availability architecture diagram, we have the two routers in active and standby modes, with the access switch and workstation configured as per the setup in Figure A.1.

    Operation of HSRP

    The Hot Standby Router Protocol is considered a first hop redundancy protocol. What does this mean? Look at the PC above in Figure 1.0: it has an IP address of 10.1.1.120 and a Default Gateway of 10.1.1.1. What is that default gateway? It is typically the IP address of the router that gets the PC off its local subnet to another network, perhaps the internet, and it is information the PC may have learned via DHCP when it joined the network. The router acting as its default gateway is a single point of failure for the PC: when that router fails, the PC is limited to communicating on its local subnet and cannot go beyond it. HSRP helps us out with this issue. HSRP is a Cisco proprietary protocol, as is GLBP; the industry standard is VRRP.

    The Default Gateway cannot be seen in Figure 1.0 on Switch 1 or Switch 2: Switch 1 has a Layer 3 IP address of 10.1.1.2 and Switch 2 has a Layer 3 IP address of 10.1.1.3. So who is servicing packets sent to 10.1.1.10? Notice the greyed-out router in the middle of the diagram; this is normally called the phantom router or logical router, and it is the router the PC is logically using.

    HSRP allows one router to serve as the active router, accepting packets destined for 10.1.1.10 and routing them on to where they need to go.

    In today’s networks you will find that most of our networking is done with Layer 3 switches, which support FHRP. It is common practice to see machines point to the switches as their default gateways; these are multilayer switches acting as routers for our FHRP deployment. The IP 10.1.1.1 has a corresponding MAC address, which the PC has learned using ARP. If Switch 1 went Kaboom!, Switch 2 is able to carry on serving devices their gateway and access to resources without downtime.


    Configuration Time – Configuring an HSRP Group on Router or Layer 3 Switch

    In this configuration, we have created HSRP group 1 on both routers (or Layer 3 switches) participating in the HSRP gateway redundancy.

    Router A or Layer 3 Switch Network Device

    Router-A(config)# interface vlan 20
    Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
    Router-A(config-if)# standby 1 priority 200
    Router-A(config-if)# standby 1 preempt
    Router-A(config-if)# standby 1 ip 10.1.1.1
    Router-A(config-if)# no shutdown
    

    Router B or Layer 3 Switch Network Device

    Router-B(config)# interface vlan 20
    Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
    Router-B(config-if)# standby 1 priority 100
    Router-B(config-if)# standby 1 preempt
    Router-B(config-if)# standby 1 ip 10.1.1.1
    Router-B(config-if)# no shutdown
    

    Perform Load Balancing –
    In the previous configuration, Router-A becomes the Active router, serving all users as the gateway for their traffic over its uplink, while Router-B sits there as the Standby HSRP router with its uplink idle, waiting for a day of failure that may or may not ever come.

    Load balancing traffic across two uplinks to two HSRP routers with that single HSRP group 1 is not possible. There is, however, a way to achieve this design, and that is to use two HSRP groups.

    HSRP Group One : Assigns an active router to one router or layer 3 switch
    HSRP Group Two: Assigns another active router to the other router or layer 3 switch

    With this setup, two different virtual router or gateway addresses can be used simultaneously. The rest of this setup is to make each router or layer 3 switch function as the standby router for its partner’s HSRP Group.

    Simply put, each router is the active HSRP router for one group but standby for the other group.

    Using a DHCP server, the clients can be configured with one of the two HSRP group addresses as their default gateway.

    Look at the diagram below – Figure 1.1.

    Router A is not only the active HSRP router for HSRP Group 1 (10.1.1.1) but also the standby router for HSRP Group 2 (10.1.1.10).

    Load Balancing

    Router-A as Active HSRP Router for HSRP Group 1

    Router-A(config)# interface vlan 20
    Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
    Router-A(config-if)# standby 1 priority 200
    Router-A(config-if)# standby 1 preempt
    Router-A(config-if)# standby 1 ip 10.1.1.1
    

    Configure Authentication for HSRP Peers

    Router-A(config-if)# standby 1 authentication K3y1h4v3Ch05en!
    

    The above configures plain-text HSRP authentication: HSRP messages carry a plain-text key string (up to 8 characters) as a simple way to authenticate HSRP peers. The keys have to match on both routers or the peering is not accepted.

    Because a plain-text key is visible to anything that can see the hellos on the segment, MD5 authentication is preferable. The commands below achieve this with a key chain:

    Router(config)# key chain chain-name
    Router(config-keychain)# key key-number
    Router(config-keychain-key)# key-string [0 | 7] string
    Router(config)# interface type mod/num
    Router(config-if)# standby group authentication md5 key-chain chain-name
    

    This configuration makes Router-A the Standby HSRP router for HSRP Group 2

    Router-A(config-if)# standby 2 priority 100
    Router-A(config-if)# standby 2 preempt
    Router-A(config-if)# standby 2 ip 10.1.1.10
    Router-A(config-if)# standby 2 authentication K3y1h4v3Ch05en!
    

    Router-B as Standby HSRP Router for HSRP Group 1

    Router-B(config)# interface vlan 20
    Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
    Router-B(config-if)# standby 1 priority 100
    Router-B(config-if)# standby 1 preempt
    Router-B(config-if)# standby 1 ip 10.1.1.1
    Router-B(config-if)# standby 1 authentication K3y1h4v3Ch05en!
    

    This configuration makes Router-B Active HSRP Router for HSRP Group 2

    Router-B(config-if)# standby 2 priority 200
    Router-B(config-if)# standby 2 preempt
    Router-B(config-if)# standby 2 ip 10.1.1.10
    Router-B(config-if)# standby 2 authentication K3y1h4v3Ch05en!
    

    Use the following command to display the status of either HSRP group:

    Router#show standby [brief] [vlan vlan-id | type mod/num]
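    As an added example (not code from the original article), here is a small Python model of what the HSRP configurations above put on the wire and decide: an HSRPv1 hello encoder/decoder following the RFC 2281 layout (the fixed 8-byte authentication field is why the plain-text key is limited to 8 characters), a peer check that reports hellos whose key, group or virtual IP does not match, and the active/standby election (highest priority wins, ties go to the highest interface IP, and preempt decides whether a recovered router takes Active back). The router names, addresses and packet bytes are constructed from the article's values.

```python
"""HSRPv1 hello encoding and active/standby election, modelled on the configs above.
Added example, not the article's code; packet layout per RFC 2281, sample values constructed."""
import socket
import struct

HSRP_V1_MCAST, HSRP_PORT = "224.0.0.2", 1985   # HSRPv2 uses 224.0.0.102 on the same UDP port
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth[8], virtual IP
HDR = "!8B8s4s"

def build_hello(group, priority, vip, auth, state=16, hellotime=3, holdtime=10):
    """Encode a 20-byte HSRPv1 packet. The auth field is a fixed 8 bytes, which is why
    IOS only carries the first 8 characters of a plain-text key."""
    auth_bytes = auth.encode()[:8].ljust(8, b"\x00")
    return struct.pack(HDR, 0, 0, state, hellotime, holdtime, priority, group, 0,
                       auth_bytes, socket.inet_aton(vip))

def parse_hello(data):
    if len(data) < 20:
        raise ValueError("truncated HSRP packet")
    ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(HDR, data[:20])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": socket.inet_ntoa(vip)}

def check_peer_hello(data, expected_key, expected_group, expected_vip):
    """Reasons a receiving router would not accept this hello (empty list = accepted).
    A key mismatch makes each router ignore the other's hellos, so both go Active for
    the same virtual IP; that is the failure mode worth alerting on."""
    msg = parse_hello(data)
    findings = []
    if msg["group"] != expected_group:
        findings.append(f"group {msg['group']} is not ours ({expected_group})")
    if msg["auth"] != expected_key[:8]:
        findings.append("authentication string does not match the configured key")
    if msg["vip"] != expected_vip:
        findings.append(f"virtual IP {msg['vip']} differs from ours ({expected_vip})")
    return findings

def elect(routers, current_active=None):
    """HSRP election for one group: highest priority wins, ties go to the highest interface IP.
    Without preempt, an already Active router keeps the role even if a better one appears."""
    ranked = sorted(routers, key=lambda r: (r["priority"], socket.inet_aton(r["ip"])), reverse=True)
    best = ranked[0]
    if current_active and best["name"] != current_active and not best.get("preempt", False):
        active = current_active
    else:
        active = best["name"]
    standby = next(r["name"] for r in ranked if r["name"] != active)
    return active, standby

def load_balanced_groups(router_a, router_b):
    """The two-group design from the article: each router is Active for one group and
    Standby for the other, so both uplinks carry traffic."""
    groups = {1: [dict(router_a, priority=200), dict(router_b, priority=100)],
              2: [dict(router_a, priority=100), dict(router_b, priority=200)]}
    return {g: elect(members) for g, members in groups.items()}
```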
    

    Virtual Router Redundancy Protocol (VRRP)

    You can never talk about VRRP without mentioning HSRP, the proprietary original that Cisco created many years ago; since then, the open standard VRRP has become the preferred version for many vendors. It is supported by major vendors, including Cisco, which ships support for it in its IOS platforms.

    Like with HSRP, VRRP has a configured group that contains a number of routers also known as gateways. In the network design process, an engineer will configure one of the gateways as the master and the other the backup or standby. These terms could be used interchangeably.

    In the example we had with the HSRP, the Active Router had an IP address of 10.1.1.2 and the Standby 10.1.1.3. The Virtual Router’s IP address was 10.1.1.1 which was served to clients as the default gateway. In VRRP, the Master Router’s physical IP address of the interface connecting the subnet is used by the clients as a default gateway.

    In this example, the Master IP address is : 10.1.1.1 and the Backup or Standby IP address is: 10.1.1.10.

    There is no separate logical IP address for a virtual router, as VRRP handles this quite differently. Behind the scenes, the backup router in the VRRP group communicates with the master gateway and assumes the duty of forwarding traffic should the master router fail for any reason. The IP address used for VRRP always belongs to the master router, which is referred to as the IP address owner. When the master router recovers, it takes back the routing duties for that IP address.

    It is possible to have multiple VRRP groups on a single subnet, which can be used to spread the load of the traffic coming off of a subnet. However, this must be done manually at the client’s location, by changing their default gateway addresses.

    Figure 1.1 – Understanding First Hop Redundancy Protocols (VRRP)

    VRRP Router A Load Balancing Configuration
    VRRP Group 1

    Router-A(config)# interface vlan 20
    Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
    Router-A(config-if)# vrrp 1 priority 200
    Router-A(config-if)# vrrp 1 ip 10.1.1.1
    

    VRRP Group 2

    Router-A(config-if)# vrrp 2 priority 100
    Router-A(config-if)# no vrrp 2 preempt
    Router-A(config-if)# vrrp 2 ip 10.1.1.10
    

    Let’s head over to Router B to perform a similar configuration as per below;

    VRRP Router B Load Balancing Configuration

    VRRP Group 1

    Router-B(config)# interface vlan 20
    Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
    Router-B(config-if)# vrrp 1 priority 100
    Router-B(config-if)# no vrrp 1 preempt
    Router-B(config-if)# vrrp 1 ip 10.1.1.1
    

    VRRP Group 2

    Router-B(config-if)# vrrp 2 priority 200
    Router-B(config-if)# vrrp 2 ip 10.1.1.10
    

    Gateway Load Balancing Protocol (GLBP)
    In this article on Understanding First Hop Redundancy Protocols (FHRP), we have looked at the most popular first hop redundancy protocols, HSRP and VRRP. Are you wondering what GLBP has to offer?

    GLBP is another, you guessed it, Cisco proprietary protocol that can be used for first hop redundancy. The key feature GLBP offers which the first two do not is dynamic load balancing.

    With GLBP, unlike HSRP or VRRP, all routers within the GLBP group are active and forwarding traffic. I prefer this, as it only makes economic sense to use all of these routers to achieve greater throughput and resource balancing. When a GLBP group is configured, one of the routers in the group is elected as the Active Virtual Gateway (AVG); each of the other routers backs up the AVG, should it fail due to hardware or any other unforeseeable cause.

    The AVG is responsible for assigning a virtual MAC address to each member of the GLBP group; each of these members is referred to as an Active Virtual Forwarder (AVF). The AVG is also responsible for responding to ARP requests from devices on the subnet, and so for selecting which router in the group handles each device’s traffic. The IP address of the default gateway is the same across all of the subnet devices; this IP address is virtual. Because load balancing is inherent to this protocol, you do not need to employ multiple groups or instances to balance gateway load. When a device ARPs for the gateway’s MAC address, the AVG responds with one of the virtual MAC addresses, since it is responsible for creating and assigning those MAC addresses to begin with. In this way, the AVG controls which router handles the load of each individual subnet device.

    There is a great deal more to this protocol, but it is not an open standard and so can only be enjoyed by Cisco customers. Cisco has excellent documentation on its proprietary Gateway Load Balancing Protocol.

    How to Configure OSPF Step by Step
    The Ultimate Guide to Understanding and Configuring OSPF

    Configuring the Routed Enterprise Campus Network https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/configuring-the-routed-enterprise-campus-network/ Fri, 26 Jul 2019 08:56:18 +0000

    Configuring the Routed Enterprise Campus Network

    Figure 1.0 – Routed Network Design Firewall and Core Switch Configuration Setup

    Say no to something at least once in your life; for us, that is a no to end-to-end VLANs, in favour of configuring the routed enterprise campus network that so much has been said about. The Routed Enterprise Campus Network is the glorious loop-free, Layer 3 routed campus design that keeps legacy Layer 2 controls at bay: Spanning Tree Protocol no longer has to be relied on to keep your network topology loop free. Routed networks are the answer to secure networking, with far more control and segmentation capability. Let us dive into today’s article on Configuring the Routed Enterprise Campus Network. Let’s begin!

    In this design, I have the following network devices:

  • Cisco ASA 5506X
  • 2 x Core Switches
  • 2 x Access Switches

    The idea is to create a local VLAN unique to each building, with no reference to that VLAN on the Core Switches, allowing them to purely perform routing and keeping the core at Layer 3.

    VLAN = Subnet = Closet

    In the following configuration, I am on a Cisco Catalyst switch at interface FastEthernet 1/1.

    To configure a switchport as a routed port, use the “no switchport” command. It converts the switchport to a routed port, which in turn enables IP addressing on the interface. See the configuration example below:

    SW1(config)# interface fastethernet 1/1
    SW1(config-if)# no switchport
    SW1(config-if)# ip address 1.1.1.6 255.255.255.252
    SW1(config-if)# no shut
    

    If you are on an HP platform, you cannot convert a switchport to a routed port, so instead you create a VLAN with an SVI for the uplinks, as in the following example:


    Core Switch Configuration

    The following configuration gives the Core Switch its side of the 1.1.1.8/30 interlink, over which the Building 20 subnet is reached.

    
    vlan 2
       name "Downlink to Building 20"
       untagged 48
       ip address 1.1.1.9 255.255.255.252
       exit
    

    Access Switch Configuration
    This configuration tells the Access Switch to reach the Core Switch over the 1.1.1.8/30 subnet. Because HPE Aruba does not support routed switchports, the interfaces participating in this interlink are placed in a dedicated VLAN.

    
    vlan 2
       name "Uplink to Core Switch A"
       untagged 48
       ip address 1.1.1.10 255.255.255.252
       exit
    

    Figure 1.1 – Routed Network Design Access Switch to Core Switch Configuration Setup

    Figure 1.2 – Routed Network Design Access Switch Local VLANS to Core Switch Configuration Setup

    Join Me in this Lab as I completely configure a Routed Enterprise Campus Network
    Let’s begin by configuring the firewall’s interfaces facing the following Inside and Outside security zones.

    A quick breakdown of the interfaces and how they connect to their relevant uplinks:

    • interface GigabitEthernet1/8 – Outside Zone (ISP)
    • interface GigabitEthernet1/1 – Primary Core Switch
    • interface GigabitEthernet1/2 – Secondary Core Switch

    Cisco ASA 5506-X Firewall Configuration Steps

    Step 1: Configure Edge Firewall – Cisco ASA 5506-X interfaces as laid out above

    Configure interface GigabitEthernet1/8 – Outbound Uplink to ISP

    !
    interface GigabitEthernet1/8
     description "Outside Interface to BT ISP"
     nameif outside
     security-level 0
     ip address 192.168.1.100 255.255.255.0
    !
    

    Configure interface GigabitEthernet1/1 – Downlink Interface to Core Switch A

    !
    interface GigabitEthernet1/1
     description "Downlink Interface to Core Switch-A  Interface"
     nameif primary-uplink
     security-level 100
     ip address 10.100.100.1 255.255.255.252
    !
    

    Configure interface GigabitEthernet1/2 – Downlink Interface to Core Switch B

    !
    interface GigabitEthernet1/2
     description "Downlink Interface to Core Switch-B  Interface"
     nameif secondary-uplink
     security-level 100
     ip address 10.200.200.1 255.255.255.252
    

    Let’s enable SSH access from our private network. The username and password below are lab placeholders; replace them with a strong, unique credential before this configuration goes anywhere near production.

    crypto key generate rsa general-keys modulus 2048
    username cisco password cisco
    aaa authentication ssh console LOCAL
    ssh version 2
    ssh 172.0.0.0 255.0.0.0 primary-uplink
    

    Configure Routes to the Internet and Internal Core Network Infrastructure

    route outside 0.0.0.0 0.0.0.0 192.168.1.254 
    route primary-uplink 172.16.0.0 255.255.0.0 10.100.100.2  1 <--[Metric 1]
    route secondary-uplink 172.16.0.0 255.255.0.0 10.200.200.2 2 <--[Metric 2]
    

    The above configuration lines address routing to and from the subnets behind the core switch infrastructure. Access Switch A has the local VLAN subnet 172.16.20.0/24, whereas Access Switch B has the local VLAN subnet 172.16.30.0/24.

    Remember that in a routed design, VLAN = Subnet = Closet

    Network Object Group and NAT

    !
    object network primary-uplink
     subnet 10.100.100.0 255.255.255.252
    
    object network secondary-uplink
     subnet 10.200.200.0 255.255.255.252
    

    Configure Network Address Translation

    nat (primary-uplink,outside) after-auto source dynamic any interface
    nat (secondary-uplink,outside) after-auto source dynamic any interface
    

    Core Switch A Configuration

    Core-Switch-A# show vlans
    
     Status and Counters - VLAN Information
    
      Maximum VLANs to support : 256
      Primary VLAN : DEFAULT_VLAN
      Management VLAN :
    
      VLAN ID Name                             | Status     Voice Jumbo
      ------- -------------------------------- + ---------- ----- -----
      1       DEFAULT_VLAN                     | Port-based No    No
      2       Downlink to Building 20          | Port-based No    No
      3       Downlink to Building 30          | Port-based No    No
      100     Data Center Infrastructure       | Port-based No    No
      111     Uplink to Edge Firewall for WAN  | Port-based No    No
     
    
    

    Data Centre VLAN Configuration

    vlan 100
       name "Data Center Infrastructure"
       untagged 37
       ip address 10.10.10.1 255.255.255.0
       exit
    

    Uplink to Firewall

    Core-Switch-A# show run vlan 111
    Running configuration:
    vlan 111
       name "Uplink to Edge Firewall for WAN"
       untagged 47
       ip address 10.100.100.2 255.255.255.252
       exit
    

    Down-links to Access Switches

    vlan 2
       name "Downlink to Building 20"
       untagged 48
       ip address 1.1.1.9 255.255.255.252
       exit
    vlan 3
       name "Downlink to Building 30"
       untagged 46
       ip address 1.1.1.5 255.255.255.252
       exit
    

    Configuring Default Routing to the Firewall

    ip route 0.0.0.0 0.0.0.0 10.100.100.1
    

    Configuring Layer 3 Routing to Local VLANS

    Core-Switch-A# show run | inc ip rout
    ip route 172.16.20.0 255.255.255.0 1.1.1.10 metric 2
    ip route 172.16.30.0 255.255.255.0 1.1.1.6
    ip routing
    Core-Switch-A#
    
    

    Core Switch B Configuration

    Core-Switch-B# show vlans
    
     Status and Counters - VLAN Information
    
      Maximum VLANs to support : 256
      Primary VLAN : DEFAULT_VLAN
      Management VLAN :
    
     VLAN ID Name                             | Status     Voice Jumbo
      ------- -------------------------------- + ---------- ----- -----
      1       DEFAULT_VLAN                     | Port-based No    No
      12      Uplink to Building 20            | Port-based No    No
      13      Uplink to Building 30            | Port-based No    No
      100     Data Center Infrastructure       | Port-based No    No
      101     Uplink to Firewall               | Port-based No    No
      121     Interlink Connection to Switch B | Port-based No    No
    
     
    
    

    Uplink to Firewall

    vlan 101
       name "Uplink to Firewall"
       untagged 35
       ip address 10.200.200.2 255.255.255.252
       exit
    

    Downlinks to Access Switches

    vlan 12
       name "Uplink to Building 20"
       untagged 40
       ip address 2.2.2.9 255.255.255.252
       exit
    
    vlan 13
       name "Uplink to Building 30"
       untagged 39
       ip address 2.2.2.5 255.255.255.252
       exit
    

    Configuring Default Routing to the Firewall

    ip route 0.0.0.0 0.0.0.0 10.200.200.1
    

    Configuring Layer 3 Routing to Local VLANS

    ip route 172.16.20.0 255.255.255.0 2.2.2.10 metric 2
    ip route 172.16.30.0 255.255.255.0 2.2.2.6
    ip routing
    

    Building 20 Access Switch Configuration

    Building-20(config)# show vlans
    
     Status and Counters - VLAN Information
    
      Maximum VLANs to support : 256
      Primary VLAN : DEFAULT_VLAN
      Management VLAN :
    
     VLAN ID Name                             | Status     Voice Jumbo
      ------- -------------------------------- + ---------- ----- -----
      1       DEFAULT_VLAN                     | Port-based No    No
      2       Uplink to Core Switch A          | Port-based No    No
      12      Uplink to Core Switch B          | Port-based No    No
      20      Building 20 Data Network         | Port-based No    No
    
    
    
    Building-20(config)#
    
    

    Enable IP Routing and Default Route

    ip route 0.0.0.0 0.0.0.0 1.1.1.9
    ip route 0.0.0.0 0.0.0.0 2.2.2.9 metric 2
    ip routing
    

    VLAN Infrastructure Design Configuration

    
    vlan 2
       name "Uplink to Core Switch A"
       untagged 48
       ip address 1.1.1.10 255.255.255.252
       exit
    
    vlan 12
       name "Uplink to Core Switch B"
       untagged 40
       ip address 2.2.2.10 255.255.255.252
       exit
    
    vlan 20
       name "Building 20 Data Network"
       tagged 47
       untagged 1-12
       ip helper-address 10.10.10.100
       ip address 172.16.20.254 255.255.255.0
       exit
    
    

    Building 30 Access Switch Configuration

    Building-30(config)# show vlans
    
     Status and Counters - VLAN Information
    
      Maximum VLANs to support : 256
      Primary VLAN : DEFAULT_VLAN
      Management VLAN :
    
      VLAN ID Name                             | Status     Voice Jumbo
      ------- -------------------------------- + ---------- ----- -----
      1       DEFAULT_VLAN                     | Port-based No    No
      3       Building 30 Uplink to Core A     | Port-based No    No
      13      Building 30 Uplink to Core B     | Port-based No    No
      30      Building 30 Data Network         | Port-based No    No
    
    

    Enable IP Routing and Default Route

    ip route 0.0.0.0 0.0.0.0 1.1.1.5
    ip route 0.0.0.0 0.0.0.0 2.2.2.5 metric 2
    ip routing
    
    

    Show Local VLAN Brief

    
    vlan 3
       name "Building 30 Uplink to Core A"
       untagged 46
       ip address 1.1.1.6 255.255.255.252
       exit
    
    vlan 13
       name "Building 30 Uplink to Core B"
       untagged 39
       ip address 2.2.2.6 255.255.255.252
       exit
    
    vlan 30
       name "Building 30 Data Network"
       untagged 1-12
       ip helper-address 10.10.10.100
       ip address 172.16.30.254 255.255.255.0
       exit
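    As an added check, not part of the article or its downloadable configurations, the Python below transcribes the addresses and static routes from the configurations above and audits the routed design before a workstation test: every static next hop must be on a directly connected subnet, every /30 interlink must have a device holding its far-end address, and a packet traced hop by hop from one building to the other must arrive. The floating “metric 2” routes via Core Switch B are honoured by preferring the lower metric when prefix lengths tie.

```python
import ipaddress

# Transcribed from the article's configurations: the "ip address" line of each SVI or
# firewall interface, plus the static routes (HP/Aruba "ip route", ASA "route <ifname>").
CONFIGS = {
    "Firewall": """ip address 192.168.1.100 255.255.255.0
ip address 10.100.100.1 255.255.255.252
ip address 10.200.200.1 255.255.255.252
route outside 0.0.0.0 0.0.0.0 192.168.1.254
route primary-uplink 172.16.0.0 255.255.0.0 10.100.100.2 1
route secondary-uplink 172.16.0.0 255.255.0.0 10.200.200.2 2""",
    "Core-Switch-A": """ip address 10.10.10.1 255.255.255.0
ip address 10.100.100.2 255.255.255.252
ip address 1.1.1.9 255.255.255.252
ip address 1.1.1.5 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.100.100.1
ip route 172.16.20.0 255.255.255.0 1.1.1.10 metric 2
ip route 172.16.30.0 255.255.255.0 1.1.1.6""",
    "Core-Switch-B": """ip address 10.200.200.2 255.255.255.252
ip address 2.2.2.9 255.255.255.252
ip address 2.2.2.5 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.200.200.1
ip route 172.16.20.0 255.255.255.0 2.2.2.10 metric 2
ip route 172.16.30.0 255.255.255.0 2.2.2.6""",
    "Building-20": """ip address 1.1.1.10 255.255.255.252
ip address 2.2.2.10 255.255.255.252
ip address 172.16.20.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.9
ip route 0.0.0.0 0.0.0.0 2.2.2.9 metric 2""",
    "Building-30": """ip address 1.1.1.6 255.255.255.252
ip address 2.2.2.6 255.255.255.252
ip address 172.16.30.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.5
ip route 0.0.0.0 0.0.0.0 2.2.2.5 metric 2""",
}

def parse_device(name, text):
    """Pull connected interfaces and static routes out of the two config dialects."""
    dev = {"name": name, "connected": [], "routes": []}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            dev["connected"].append(ipaddress.ip_interface(f"{t[2]}/{t[3]}"))
        elif t[:2] == ["ip", "route"]:      # HP/Aruba: ip route NET MASK NEXTHOP [metric N]
            metric = int(t[6]) if len(t) > 6 and t[5] == "metric" else 1
            dev["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}"), ipaddress.ip_address(t[4]), metric))
        elif t[:1] == ["route"]:            # ASA: route IFNAME NET MASK GATEWAY [metric]
            metric = int(t[5]) if len(t) > 5 else 1
            dev["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}"), ipaddress.ip_address(t[4]), metric))
    return dev

def owner_of(addr, devices):
    """The device that has addr configured on one of its interfaces, or None."""
    return next((d for d in devices if any(c.ip == addr for c in d["connected"])), None)

def check_next_hops(dev):
    """Every static next hop must sit on a directly connected subnet and not be our own address."""
    return [f"{dev['name']}: next hop {nh} for {net} is not on a connected subnet"
            for net, nh, _ in dev["routes"]
            if not any(nh in c.network and nh != c.ip for c in dev["connected"])]

def check_p2p_links(devices):
    """For each /30 interlink, the other usable address must exist on some other device."""
    problems = []
    for d in devices:
        for c in d["connected"]:
            if c.network.prefixlen == 30:
                peer_ip = next(h for h in c.network.hosts() if h != c.ip)
                if owner_of(peer_ip, devices) is None:
                    problems.append(f"{d['name']}: no device holds {peer_ip}, the far end of {c}")
    return problems

def best_next_hop(dev, dst):
    """Longest prefix match, then lowest metric (what the 'metric 2' floating routes rely on)."""
    cands = [(net.prefixlen, -metric, nh) for net, nh, metric in dev["routes"] if dst in net]
    return max(cands)[2] if cands else None

def trace(src, dst, devices, max_hops=8):
    """Follow the static routing tables hop by hop; returns (path, delivered)."""
    dst, dev, path = ipaddress.ip_address(dst), src, [src["name"]]
    for _ in range(max_hops):
        if any(dst in c.network for c in dev["connected"]):
            return path, True
        nh = best_next_hop(dev, dst)
        dev = owner_of(nh, devices) if nh is not None else None
        if dev is None:
            return path, False
        path.append(dev["name"])
    return path, False

def audit(configs=CONFIGS):
    """Parse every device and return (devices, list of problems); an empty list is a pass."""
    devices = [parse_device(n, c) for n, c in configs.items()]
    problems = [p for d in devices for p in check_next_hops(d)] + check_p2p_links(devices)
    return devices, problems
```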
    
    
    

    Perform Tests from Workstation

    Network Configuration for Download

    Download Full Working Configurations

    1. Access Switch Building 20
    2. Access Switch Building 30
    3. Core Switch A
    4. Core Switch B
    5. Firewall

    See what Cisco has to say on the topic Configuring the Routed Enterprise Campus Network.

    Other Related Articles:

    Understanding VLANS for CCNP Switch
    IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius Server

    Network Device Management with RADIUS Authentication using Windows NPS https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/network-device-management-with-radius-authentication-using-windows-nps/ Sun, 24 Mar 2019 23:30:54 +0000

    How do you configure Network Device Management with RADIUS Authentication using Windows NPS to authenticate management SSH connections to network devices?

    The technologies used in our scenario to deploy Network Device Management with RADIUS Authentication using Windows NPS are the following:

  • Microsoft Windows Server 2012 R2: Network Policy Server
  • Network Equipment
    • HP Aruba 2920
    • Cisco Catalyst 2960
    • Cisco ASA 5505 Firewall

    You have heard many say that AAA is the best security model for user access to and management of network devices. It is, and as good professional practice, securing network devices using the Triple A process meets many of the best security practices of our day.

    Authentication

    Authentication is the first process; it provides a way of identifying a user who requires access to a network resource, typically by having the user enter a valid username and password before access is granted. Authentication relies on each user who requires access having a unique set of credentials for gaining the appropriate access. The AAA server, which in our case is the Microsoft Network Policy Server, compares a user’s authentication credentials with the user credentials stored in a database, which in our case is Windows Active Directory. If the credentials match, the user is granted access to the network. If they differ, authentication fails and network access is denied.

    Authorisation

    Now that the user has been successfully authenticated, a user must gain authorisation for doing certain tasks. After logging into a network device for instance, the user may try to issue commands. The authorisation process determines whether the user has the authority to issue such commands. Authorisation simply is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorisation occurs within the context of authentication. Once you have authenticated a user, they may be authorised for different types of access or activity.

    Accounting

    The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

    Authentication, authorisation and accounting services are often provided by a dedicated AAA server, a program that performs these functions. The current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS), for which we have used the Microsoft NPS server in our deployment.


    Network Device Management with RADIUS Authentication using Windows NPS Step by Step Guide.

    Step 1: Configure Active Directory Infrastructure

  • Create a new Security Group in Active Directory
  • Specify a name for the Security Group (in this example, RADIUS Authorised Users)
  • Add the network administrators to the group created

    Step 2: Configure RADIUS Infrastructure

  • Microsoft Windows Server 2012 R2: Network Policy Server
  • RADIUS Clients
  • Connection Request Policies
  • Network Policies

    Create RADIUS Client

  • Create a RADIUS Client for Edge Switch AAA Authentication
  • Create the RADIUS Client and enable RADIUS Standard as the Vendor Name

    Create Network Policy

  • Create Policy – Network Policy Name
  • Create Policy – Conditions

    Then, in the Network Policies section create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group, which members can get authentication (the accounts of the network administrators are in the AD Network Admins group in our example). The second condition, Authentication Type, is to select PAP as the authentication protocol.

    Then in the Configure Authentication Methods window, uncheck all authentication types, but for Unencrypted authentication (PAP. SPAP).


    Create Policy Constraints – Authentication Methods


    Create Policy Constraints – NAS Port Type Virtual(VPN)

    Create Policy Settings – Standard Attributes

    Framed-Protocol: PPP
    Service-Type: Administrative


    In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

    Network Policy – NAP Enforcement and Auto Remediation

    Network Policy Overview

    Network Policy Name for Switch Radius Access

    Network Policy Condition

    Condition             Value
    -------------------   ---------------------
    Windows Groups        Domain\Security Group
    Authentication Type   PAP

    Network Policy Settings

    Create Connection Request Policy


    Connection Request Policy Conditions NAS Port Type Virtual VPN
    Connection Request Policy

    Step 3: Configure Network Devices for RADIUS Authentication

    For Cisco devices, create a Network Policy like the one above, but additionally include the following setting.

    Under Vendor Specific, add a Cisco-AV-Pair attribute that tells the device to place the authenticated user at privilege level 15: enter “shell:priv-lvl=15” as the Cisco-AV-Pair value and select Next.

    shell:priv-lvl=15 
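
    To make concrete what the NPS policy above actually hands to the switch, here is an added Python example (it is not from the original article, nor Microsoft or Cisco code) that encodes and decodes the RADIUS attributes configured in this guide per RFC 2865: Framed-Protocol PPP, Service-Type Administrative and the Cisco vendor-specific cisco-avpair carrying shell:priv-lvl=15. It also shows the RFC 2865 User-Password hiding that PAP relies on, which uses only the shared secret and the request authenticator; that is why the secret (YOUR_SECRET_KEY, the page's placeholder) must be strong and why the RADIUS exchange belongs on the management VLAN. All sample values are constructed.

```python
"""Encode/decode the RADIUS attributes used in this guide (RFC 2865 TLVs and Cisco VSA)."""
import hashlib
import struct

# RFC 2865 attribute types that appear in this guide
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_VENDOR_SPECIFIC = 26

SERVICE_TYPE_ADMINISTRATIVE = 6   # "Service-Type: Administrative"
FRAMED_PROTOCOL_PPP = 1           # "Framed-Protocol: PPP"
VENDOR_CISCO = 9                  # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                  # vendor sub-attribute carrying "shell:priv-lvl=15"


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def hide_pap_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)        # pad to a multiple of 16 bytes
    out, prev = b"", authenticator          # first block is keyed by the Request Authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block                        # later blocks chain on the previous ciphertext block
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of hide_pap_password: anyone holding the shared secret can recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def parse_attributes(data: bytes) -> list:
    """Walk a TLV list; Cisco cisco-avpair VSAs come back as ('cisco-avpair', str)."""
    out, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = struct.unpack("!BB", value[4:6])
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                out.append(("cisco-avpair", value[6:4 + vlen].decode()))
            else:
                out.append(("vsa", vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((t, value))
        pos += length
    return out


def build_accept_attributes() -> bytes:
    """The attribute set the Network Policy in this guide returns in Access-Accept."""
    return (attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
            + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
            + cisco_avpair("shell:priv-lvl=15"))


def privilege_level_from_accept(data: bytes):
    """What a Cisco NAS derives from the Access-Accept: the priv-lvl, or None if absent."""
    for item in parse_attributes(data):
        if item[0] == "cisco-avpair" and item[1].startswith("shell:priv-lvl="):
            return int(item[1].split("=", 1)[1])
    return None


if __name__ == "__main__":
    accept = build_accept_attributes()
    print(parse_attributes(accept))
    print("privilege level:", privilege_level_from_accept(accept))
```

    Note that the `reveal_pap_password` side is exactly what any host holding the shared secret and a packet capture can do, which is the security-relevant reason to treat the RADIUS secret like a credential and to keep the NPS-to-switch path inside the management network.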
    

    Configuring AAA on Cisco IOS

    aaa new-model
    ! RADIUS server and shared secret (replace YOUR_SECRET_KEY with a strong value)
    radius-server host 172.16.4.192 auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY
    ! Authenticate logins and authorise the exec shell via RADIUS, fall back to local users if the server is unreachable
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    ip radius source-interface Vlan124
    ! Apply the default lists to the console and VTY lines
    line con 0
     login authentication default
    line vty 0 4
     login authentication default
     authorization exec default
    line vty 5 15
     login authentication default
     authorization exec default
    

    Configuring AAA for Cisco ASA

    aaa-server RADIUS protocol radius
    aaa-server RADIUS host 172.16.4.192 key YOUR_SECRET_KEY
    radius-common-pw YOUR_SECRET_KEY
    aaa authentication telnet console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication http console RADIUS LOCAL
    

    Configuring AAA on HP Aruba 2920 Switch

    Enable and Specify RADIUS Authentication Server

    radius-server host 172.16.4.192 key "YOUR_SECRET_KEY" acct-port 1646 auth-port 1645
    radius-server retransmit 2
    

    Enable SSH Login via RADIUS

    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    

    Enable Web Login via RADIUS

    aaa authentication web login radius
    aaa authentication web enable radius
    aaa authentication web-based peap-mschapv2
    

    Enable Authentication and Accounting Parameters

    aaa accounting commands interim-update radius
    aaa authentication num-attempts 7
    aaa authentication login privilege-mode
    

    PS: The following command is what gets everything working; without it, you will get the error below:

    Access denied: no user’s authorization info supplied by the RADIUS server


    Golden Command to allow SSH Sessions to Switch

    aaa authorization commands none
    

    Verify and Troubleshoot

    Check Switch RADIUS Authentication

    Aruba-Edge-Switch# show radius authentication
    
     Status and Counters - RADIUS Authentication Information
    
      NAS Identifier           : Aruba-Edge-Switch
      Invalid Server Addresses : 0
                      UDP
      Server IP Addr  Port  Timeouts   Requests   Challenges Accepts    Rejects
      --------------- ----- ---------- ---------- ---------- ---------- ----------
      172.16.4.192    1645  0          66         0          47         19
    

    Check Recent SSH Logins

    Aruba-Edge-Switch# show authentication last-login
    Username             Priv  Last Login           Last Login IP Address    
    --------------------------------------- -----  -------------------
     esmith             Mgr   2019-03-21 13:18:28  172.16.122.120
     jarif              Mgr   2019-03-21 09:56:57  172.16.122.196
     rjenson            Mgr   2019-03-21 13:52:40  172.16.122.109
     dplomar            Mgr   2019-03-21 10:51:28  172.16.122.109
    

    On Microsoft NPS Server 2012 R2 – Launch Event Viewer

    Network Policy and Access Services Event Logs

    Check Authentication Informational Log Reporting

    RADIUS Authentication on Microsoft NPS Event Logs

    Check Event Logs

    
    Network Policy Server granted access to a user.
    
    User:
    	Security ID:			MercuryLabs\soppong
    	Account Name:			soppong
    	Account Domain:			MercuryLabs
    	Fully Qualified Account Name:	MercuryLabs\soppong
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:	-
    	Calling Station Identifier:	172.16.122.109
    
    NAS:
    	NAS IPv4 Address:		172.16.122.19
    	NAS IPv6 Address:		-
    	NAS Identifier:			Aruba-Edge-Switch
    	NAS Port-Type:			Virtual
    	NAS Port:			-
    
    RADIUS Client:
    	Client Friendly Name:		Aruba-Switch-Auth-Corp
    	Client IP Address:		172.16.122.19
    
    Authentication Details:
    	Connection Request Policy Name:	Aruba-Switch-Access
    	Network Policy Name:		Aruba-Switch-Corp-Policy
    	Authentication Provider:	Windows
    	Authentication Server:		NPS-Server.expertnetworkconsultant.com
    	Authentication Type:		PAP
    	EAP Type:			-
    	Account Session Identifier:	-
    	Logging Results:		Accounting information was written to the local log file.
    
    Quarantine Information:
    	Result:				Full Access
    	Session Identifier:		-
    

    I hope you have enjoyed this article on Network Device Management with RADIUS Authentication using Windows NPS.

    Follow these links for a further understanding of the topic:
