LTLnetworker | IT hálózatok, biztonság, Cisco

               IT networks, security, Cisco

Archive for the ‘switch’ Category

Management network topology and asymmetric routing

Posted by ltlnetworker on August 16, 2015

We all want a management network or at least a management VLAN. Regarding those who say they have none, actually they do have a VLAN for management, it is probably just shared with ordinary users (i. e. it is not dedicated). But most IT people prefer a dedicated VLAN that is not used for other kind of traffic and preferably not reachable for users.

In this article we use this definition:
a management VLAN or management network is a dedicated segment for network management traffic which can be used for:

  • administering your network devices (aka device access: switches, routers, firewalls via telnet, ssh, https etc.)
  • collecting monitoring information (syslog, SNMP etc.)
  • hosting syslog, monitoring and management servers (Nagios, Tivoli, Cisco Prime etc.)
  • AAA traffic (RADIUS or TACACS+ to Cisco ACS/ISE)

Read the rest of this entry »

Posted in ASA, Check Point, Cisco, F5, Fortinet, routing, switch | Tagged: , , , , , | 3 Comments »

Why is this huge traffic appearing here? Unknown unicast flood

Posted by ltlnetworker on October 5, 2014

Switches usually forward unicast frames to the necessary direction only. Selecting the egress port depends on the MAC address table that is populated by MAC learning. The switch has a chance to learn an address and keep it in the table only if frames are sent from that address regularly. Cisco switches’ default aging time is 300 s, a MAC address is dropped from the table if no frames arrive for 5 minutes.

Unknown unicast flood occurs if traffic is sent to a MAC address which was
a) never learned
b) already aged out
from the MAC address table. In this case, the frame is flooded out on all ports belonging to the VLAN just like a broadcast.
Read the rest of this entry »

Posted in Cisco, switch | Tagged: , | Leave a Comment »

Using Cisco ISE as a generic RADIUS server

Posted by ltlnetworker on August 31, 2014

Cisco ISE is an identity-based policy server featuring a wide range of functions from RADIUS CLI authentication to workstation posturing. With just a base license it includes a full-featured RADIUS server and it is capable of performing trivial RADIUS tasks which would not require such a sophisticated product themselves. For the functions described in this article Cisco Secure ACS could have been commonly chosen some years earlier. ISE’s policy logic and web interface is quite different.

The following use cases are described:

Posted in AAA, ASA, Cisco, IPsec, ISE, remote access, router IOS, switch | Tagged: , , , | 8 Comments »

Interesting MST troubleshooting

Posted by ltlnetworker on January 23, 2011

I’ve experienced a strange problem on my desk with two switches. I disconnected the uplink to the company network then the two switches lost connectivity with each other. Even if it was December 31th I felt I must find out what was happening.
Read the rest of this entry »

Posted in Cisco, switch | Tagged: , , | Leave a Comment »