Tuesday, June 20, 2017

How to Partition Layer 2 Broadcast Domain of a VLAN by Configuring PVLANs

A PVLAN (Private VLAN) partitions the layer 2 broadcast domain of a VLAN into sub-domains. This is useful when your devices need to be in the same VLAN (same IP subnet) but you need to control which of them can talk to each other at layer 2, for example hosts of different customers behind one shared gateway.

There are 3 types of VLANs involved when we configure PVLANs..

1) Primary VLANs
2) Isolated VLANs
3) Community VLANs

The Primary VLAN is the normal VLAN we create. It is the parent broadcast domain which we later partition using the Isolated & Community VLANs, which are called Secondary / Sub VLANs.. A Primary VLAN can have only one Isolated VLAN but several Community VLANs.

There are 3 types of ports, depending on the VLAN type we assign to them..

1) Promiscuous ports - belong to the Primary VLAN and are mapped to its Secondary VLANs
2) Isolated ports - the Isolated VLAN is assigned
3) Community ports - a Community VLAN is assigned

The concept is simple;
A Promiscuous port can communicate with any other port (Isolated, Community)..
An Isolated port can only communicate with the Promiscuous port. It cannot communicate with other Isolated ports, even those in the same Isolated VLAN.
A Community port can communicate with the Promiscuous port & with the other Community ports of the same Community VLAN only..

Let's see the configuration..

Here I am going to create;
Primary VLAN (100)
Isolated VLAN (200)
Community VLANs
- Community-A (VLAN 300)
- Community-B (VLAN 400)

Note:- VTP version 1 & 2 do not carry PVLAN configuration, so on those versions the switch has to be put in VTP transparent mode before PVLANs can be configured. VTP version 3 does propagate PVLANs..

Also note that not every Cisco switch supports PVLANs; check the feature support of your platform first..

Configuration of the Community VLANs
SW(config)#vlan 400
SW(config-vlan)#private-vlan community
SW(config)#vlan 300
SW(config-vlan)#private-vlan community

Configuration of the Isolated VLANs
SW(config)#vlan 200
SW(config-vlan)#private-vlan isolated

Configuration of the Primary VLAN
SW(config)#vlan 100
SW(config-vlan)#private-vlan primary
SW(config-vlan)#private-vlan association 200,300,400

Configuration of the Promiscuous port
SW(config)#int e0/0
SW(config-if)#switchport mode private-vlan promiscuous
SW(config-if)#switchport private-vlan mapping 100 200,300,400

Configuration of the Isolated ports
SW(config)#int range e0/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 200

Configuration of the Community-A ports
SW(config)#int range e1/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 300

Configuration of the Community-B ports
SW(config)#int range e2/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 400

Show Commands to verify the PVLAN configurations..
SW#show vlan private-vlan
SW#show int e0/0 switchport

Now you can test the connectivity after assigning IP address to the PCs in the same range..

Note:-
The Default Gateway (a router) should always be connected to the Promiscuous port, which all the PCs can reach. But when a router sits on that interface, Hair-Pinning routing can occur and bend the rules of the PVLAN: if the router answers ARP for addresses in its own subnet (local proxy ARP), a PC that cannot reach its neighbour at layer 2 sends the packet to the router instead, and the router routes it back out the same interface to the neighbour..
That means all the PCs would communicate with each other through the default gateway router, like router-on-a-stick in inter VLAN routing..
You can stop this by putting an inbound ACL on the router interface that denies traffic whose source and destination are both in the PVLAN's subnet and permits everything else..
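Before pinging around, it helps to write down which pairs of ports are supposed to reach each other. The model below is an added example, not part of the original post: it encodes the three PVLAN port rules, builds the expected ping matrix for the exact ports configured above, and also shows what happens when the gateway router hair-pins and when the same-subnet ACL is in place. The hair-pin behaviour (router answering ARP for same-subnet peers and routing back out the same interface) is an assumption of the model, as is every port name and VLAN id taken from this page's configuration.

```python
"""Expected reachability between ports of the PVLAN configured above.

Constructed example; the port list mirrors the configuration on this page.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # one of the three port types
    secondary: Optional[int] = None  # isolated or community VLAN id; None on a promiscuous port


def l2_forwarding_allowed(src: Port, dst: Port) -> bool:
    """PVLAN layer 2 rule for two different ports of the same primary VLAN."""
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                            # promiscuous talks to every port
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.secondary == dst.secondary  # only inside the same community VLAN
    return False                               # isolated<->anything, community<->other community


def expected_reachability(ports: Iterable[Port],
                          gateway_on_promiscuous: bool = False,
                          same_subnet_acl: bool = False) -> Dict[Tuple[str, str], bool]:
    """Map (source port, destination port) -> should a ping succeed?

    gateway_on_promiscuous: ASSUMPTION of this model - the router on the
    promiscuous port answers ARP for same-subnet addresses (local proxy ARP)
    and routes the packet back out the same interface ("hair-pinning").
    same_subnet_acl: an inbound ACL on that router interface drops packets
    whose source and destination are both in the hosts' subnet.
    """
    ports = list(ports)
    result: Dict[Tuple[str, str], bool] = {}
    for src in ports:
        for dst in ports:
            if src is dst:
                continue
            reachable = l2_forwarding_allowed(src, dst)
            if not reachable and gateway_on_promiscuous and not same_subnet_acl:
                # Every port reaches the promiscuous port, so the router can
                # relay between two hosts the switch keeps apart.
                reachable = True
            result[(src.name, dst.name)] = reachable
    return result


def matrix_text(ports: List[Port], reach: Dict[Tuple[str, str], bool]) -> str:
    """Render the matrix as a ping test plan (rows = source, columns = destination)."""
    names = [p.name for p in ports]
    width = max(len(n) for n in names) + 2
    lines = ["".ljust(width) + "".join(n.ljust(width) for n in names)]
    for s in names:
        cells = ["-" if s == d else ("ok" if reach[(s, d)] else "X") for d in names]
        lines.append(s.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


# The ports configured on this page: primary VLAN 100 with secondaries 200/300/400.
PAGE_PORTS = [
    Port("e0/0", PROMISCUOUS),
    Port("e0/1", ISOLATED, 200), Port("e0/2", ISOLATED, 200),
    Port("e1/1", COMMUNITY, 300), Port("e1/2", COMMUNITY, 300),
    Port("e2/1", COMMUNITY, 400), Port("e2/2", COMMUNITY, 400),
]

if __name__ == "__main__":
    print("PVLAN rules only:")
    print(matrix_text(PAGE_PORTS, expected_reachability(PAGE_PORTS)))
    print("\nRouter hair-pinning, no ACL:")
    print(matrix_text(PAGE_PORTS, expected_reachability(PAGE_PORTS, gateway_on_promiscuous=True)))
```

With the PVLAN rules alone only 16 of the 42 ordered pairs should answer a ping (every pair involving e0/0, plus the two pairs inside each community). With a hair-pinning gateway and no ACL every pair answers, which is exactly the symptom that tells you the isolation has been bypassed at layer 3; the ACL flag brings the matrix back to the PVLAN-only result.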

Sunday, June 18, 2017

A Note on Syslog Logging System of Cisco IOS Devices

Network Devices generate messages when something happens. The logging system of these messages is called "Syslog". These messages can help to identify what is happening for troubleshooting or what has happened in the network device for later root cause analysis.

You can control where Syslog messages are displayed on a Cisco device with the following commands.

On the Console line (enabled by default; this is a global configuration command);
R(config)#logging console

On a Terminal VTY session (SSH, Telnet); this is a per-session exec command and is off by default;
R#terminal monitor

Full Syslog message format in Cisco IOS is as following..

seq no:timestamp: %facility-severity-MNEMONIC: event

Seq No:
A sequence number that identifies the order in which the messages were generated.
This is useful because sometimes the output can appear out of order on the screen or at the server.
You will not see it often because it is disabled by default.
The following command enables the Seq no,
R(config)#service sequence-numbers

Timestamp:
Date and time of the message or event.
Timestamps may be disabled by default depending on the release, but you will see them enabled on almost all systems because knowing when an event triggered is essential when correlating logs. Keep the clock correct with NTP, otherwise the timestamps are useless for correlation.
The following command enables the Timestamp (adding msec gives millisecond resolution),
R(config)#service timestamps log datetime msec

Facility: 
This tells the protocol, module, or process that generated the message.
Following are the common facilities you may encounter.
SYS for the operating system
IF for an interface
LINK for physical links
LINEPROTO for line protocol

Severity:
A number from 0 to 7 designating the importance of the action reported. The lower the number, the more severe the event.
The levels are:

0 - emergencies (system unusable)
1 - alerts (immediate action needed)
2 - critical (critical conditions)
3 - errors (error conditions)
4 - warnings (warning conditions)
5 - notifications (normal but significant conditions)
6 - informational (informational messages only)
7 - debugging (debugging messages)

Levels 0 through 4 are for events that could seriously impact the device, whereas levels 5 through 7 are for less-important events.
By default, Syslog servers receive messages up to level 6 (informational).

To change the minimum severity level that is shown on the console, use the following command.
R(config)#logging console <severity level>

To change the minimum severity level that is shown on the terminal, use the following command.
R(config)#logging monitor <severity level>

If you specify a level, that level and all the more severe levels (the lower numbers) will be displayed.
For example, with the logging console warnings command, all the emergencies, alerts, critical, errors and warnings messages will be displayed, while notifications, informational and debugging messages are suppressed.

MNEMONIC
A string that describes the message in short.

Event
A plain-text description of the event that triggered the Syslog message.


Now let's analyze a typical Syslog message
*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

Seq No: none (not configured)
Timestamp: Jun 16 16:41:14.958 (the leading * means the clock is not authoritative, i.e. it has not been set or synced with NTP; a leading . means it was synced but has lost sync)
FACILITY: LINK
SEVERITY level: 3 (errors)
MNEMONIC: UPDOWN
Event: Interface Ethernet0/0, changed state to up
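The breakdown above is easy to do by hand for one line; the parser below is an added example (not from the original post) that does it for a whole buffer and then applies the "that level and everything more severe" rule used by logging console, logging monitor and logging trap. It handles the optional sequence number, the optional timestamp with its * or . clock flag, and a line with neither. The sample lines are constructed for the demonstration; the first is the message analysed above, the others are made-up but follow the real IOS format.

```python
"""Parser for the Cisco IOS Syslog message format described above.

Constructed example, not from the original post.  The sample lines below are
made up for the demonstration (the first one is the message analysed above).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# %FACILITY-SEVERITY-MNEMONIC: event  -- always present
BODY_RE = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<event>.*)$")
# "seq no: " prefix -- only with 'service sequence-numbers'; the space after the
# colon distinguishes it from an uptime timestamp such as "00:01:23:"
SEQ_RE = re.compile(r"^(\d+):(?:\s+(.*))?$")


@dataclass(frozen=True)
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    clock_flag: Optional[str]  # '*' clock never set, '.' clock lost NTP sync, None otherwise
    facility: str
    severity: int
    mnemonic: str
    event: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> SyslogMessage:
    """Split one IOS log line into its fields; raises ValueError if it is not one."""
    line = line.strip()
    pct = line.find("%")
    if pct < 0:
        raise ValueError(f"no %FACILITY-SEVERITY-MNEMONIC in {line!r}")
    body = BODY_RE.match(line[pct:])
    if body is None:
        raise ValueError(f"malformed message body in {line!r}")

    header = line[:pct].strip()          # "seq: timestamp:" - both parts optional
    seq: Optional[int] = None
    m = SEQ_RE.match(header)
    if m:
        seq, header = int(m.group(1)), (m.group(2) or "")

    timestamp: Optional[str] = None
    clock_flag: Optional[str] = None
    header = header.rstrip(":").strip()
    if header:
        if header[0] in "*.":
            clock_flag, header = header[0], header[1:]
        timestamp = header

    return SyslogMessage(seq, timestamp, clock_flag, body["facility"],
                         int(body["severity"]), body["mnemonic"], body["event"])


def filter_by_level(messages: Iterable[SyslogMessage],
                    level: Union[int, str]) -> List[SyslogMessage]:
    """Apply the 'logging console/monitor/trap <level>' rule: keep the given
    level and everything more severe (a lower number)."""
    threshold = SEVERITY_BY_NAME[level] if isinstance(level, str) else level
    return [m for m in messages if m.severity <= threshold]


# Constructed sample lines: '*' unsynced clock, seq + timestamp with timezone, no header at all.
SAMPLE_LINES = [
    "*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
    "000019: Jun 16 16:41:15.960 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up",
    "000020: Jun 16 16:43:02.114 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
]

if __name__ == "__main__":
    for msg in filter_by_level(map(parse_ios_syslog, SAMPLE_LINES), "warnings"):
        print(f"{msg.severity}/{msg.severity_name:<13} {msg.facility}-{msg.mnemonic}: {msg.event}")
```

Running it with "warnings" keeps only the LINK-3 and SEC_LOGIN-4 lines, which is what logging trap warnings would forward. Everything before the first % is treated as the header, so the parser is not thrown by whichever timestamp format (uptime, datetime, with or without timezone) the device is configured for; a line arriving at a syslog server with a <PRI> prefix would need that prefix stripped first.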

Storing Syslog Data

By default any Cisco IOS device keeps its Syslog messages in a small RAM buffer (4096 bytes on many platforms; the exact default depends on the platform). The buffer is lost on reload, so it only holds recent history.
You can increase the buffer size with the following command.
R(config)#logging buffered <size>

Or you can configure a dedicated Syslog server to store Syslog data and give its IP with the following command (newer releases also accept logging host <ip address>);
R(config)#logging <ip address of the syslog server>

To change the minimum severity level that is sent to the server, use the following command.
R(config)#logging trap <severity level>

The server must run Syslog software to receive the messages, which IOS sends as UDP datagrams to port 514 by default. Plain Syslog is neither authenticated nor encrypted, so keep the logging path on a management network.

Tuesday, June 13, 2017

Active Directory Domain Services (ADDS) Structure Essentials

Cisco equipment is what makes the internet work, while Windows Active Directory Domain Services (ADDS) is what makes businesses work.

So network engineers should have at least a basic understanding of the way it is structured to serve an enterprise environment.

This post is just about the basic architecture concepts of ADDS.. Not an in-detail explanation..

Domain Controllers

Like the Exchange servers which provide email services, the Domain Controllers are the servers which host ADDS, the directory that holds the accounts and sets security permissions in a Windows environment. Basically they are the servers which System Administrators configure to allow or block certain users or computers from accessing certain resources (emails, VPNs, applications, file servers, printers etc.) in a network. Every authentication in the domain goes through them, so they are the highest-value targets in the network and should be hardened and monitored accordingly.

Accounts

There are 2 main types of accounts in AD
1) User Accounts
2) Computer Accounts

You can set permissions / apply polices to individual Accounts or Groups.

Schema

The information about User Accounts, Computer Accounts and every other object is stored in a structured way defined by the "Schema".. The Schema defines which classes of object exist (user, computer, group etc.) and which attributes each class can carry.

Ex:- Some attributes of a User Account
username:
email address:
extension:

In Windows AD, this Schema is extensible / can be modified (attributes and classes can be added).. Note that Schema changes are forest-wide and cannot be undone: an attribute or class can later be deactivated but not deleted, so extend it with care..

Groups

Groups are used to apply security..
Administrators create Groups, assign User Accounts / Computer Accounts to them, and set permissions or policies on the Groups, which then affect all members of that Group.

There are 2 types of Groups.
1) Security Groups
2) Distribution Groups

Security Groups are the normal Groups you will see day to day.. They are used to apply permissions and security policies.
Distribution Groups are primarily used by email applications and cannot be used to grant permissions..

Groups can also be nested inside other Groups..

Ex:- We have a Sales group and an HR group in our company. These Groups are Global Groups. Both Global Groups can be put into a Domain Local Group, and a permission set once on that Domain Local Group then applies to all members of both Groups.. (This is the usual AGDLP pattern: Accounts into Global groups, Global groups into Domain Local groups, Permissions on the Domain Local group.)

Note that the same user can be in several Groups & individual Accounts can be members of a Group alongside other Groups..

These Domain Local & Global are 2 scopes of Groups. Actually there are 3 scopes.
1) Global Groups
2) Domain Local Groups
3) Universal Groups

Scopes are determined by 3 characteristics..

Replication - Where the Group is created and where its membership is replicated..
Membership - What members the Group can have..
Availability - Where the Group can be used (in which domains it can be placed on an ACL)..

If you need more info about Group Scopes, Microsoft's documentation on Active Directory security groups covers them in detail.

Organizational Units (OU)

Organizational Units are not Groups; they are containers inside a Domain used to organise Accounts, Computers and Groups for administration..
Group Policy is linked to OUs, so they are the unit at which policy is applied.
They are also the unit of delegation, which means there can be a delegated Administrator for an OU who manages only the objects inside it.

Domain & Sub Domains / Child Domains

A Domain is all the users and all the computers which are tied to one ADDS database, served by that Domain's Domain Controllers..
Sub Domains / Child Domains are subsets of the parent domain's name space. Actually a Sub Domain is a separate Domain in the same network with its own Domain Controllers, but it shares the same Schema because it is in the same Forest. Sub Domains can also have their own Sub Domains..

Ex:- google.com and it's sub domains like asia.google.com & europe.google.com
europe.google.com can have sub domains like east.europe.google.com & west.europe.google.com

Trust

When you create a Sub Domain under a Domain, a 2-Way Transitive Trust is created automatically between the parent and the child.
And because those parent-child trusts are transitive, the 2 Sub Domains also trust each other through the parent.

Which means;
google.com trusts asia.google.com and vice versa
google.com trusts europe.google.com and vice versa

Then asia.google.com trusts europe.google.com and vice versa, which we call "Transitive Trust"

Trust simply means that the Admin of google.com can give permissions to a user account from asia.google.com to access resources of google.com, and vice versa..

In a Transitive Trust the Admin of europe.google.com can give permissions to a user account from asia.google.com to access resources of europe.google.com, and vice versa..

A user can access resources of another Domain using their own username and password if the Admin of that Domain permits.. A Trust only makes the accounts of the other Domain visible; it does not grant any permission by itself.

Tree

Because all the Sub Domains share the google.com name space (a contiguous DNS name space), we say they are in the same Tree.
So a Tree is the entity you get when you add Sub Domains to a Domain.

Forest

A Forest is the entity that holds one or more Trees. All Domains in a Forest share the same Schema, the same configuration and a common Global Catalog; the Forest, not the Domain, is the security boundary.
A second Tree with its own name space can be added to an existing Forest, and it gets an automatic 2-Way Transitive Trust with the Forest root.
The difference between 2 Forests is the difference of the Schema..

Ex:- When google.com buys blogspot.com, the 2 companies already have 2 separate Forests (2 Schemas). They stay as 2 Forests and are connected with a Trust..

When 2 Domains from different Forests are connected with an External Trust, the automatic 2-Way Transitive behaviour of Domains and Sub Domains does not happen. An External Trust is non-transitive (it covers only the 2 Domains named in it) and is created in one direction at a time. So if 2-Way access is required, Admins should create 2 One-Way Trusts, one in each direction.. A Forest Trust between the 2 Forest root Domains, on the other hand, is transitive across every Domain of both Forests, and can be One-Way or 2-Way as well.
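The difference between the automatic transitive trusts inside a Tree and a non-transitive External Trust between Forests is easiest to see when you compute trust paths. The model below is an added example, not from the original post: it uses the page's google.com Tree, adds an assumed External Trust in which google.com accepts accounts from blogspot.com, and answers "can the Admin of this Domain grant a user from that Domain access?" by following trust edges. Forest Trusts, selective authentication and SID filtering are deliberately left out.

```python
"""Which domains accept accounts from which other domains, following the trust
rules described above.  Constructed example, not from the original post; the
domain names are the page's, the external trust to blogspot.com is assumed for
the illustration.  Forest trusts, selective authentication and SID filtering
are deliberately left out of the model."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain whose resources become accessible
    trusted: str       # domain whose accounts are accepted
    transitive: bool


def parent_child(parent: str, child: str) -> List[Trust]:
    """Creating a child domain creates a 2-way transitive trust automatically."""
    return [Trust(parent, child, True), Trust(child, parent, True)]


def external(trusting: str, trusted: str) -> List[Trust]:
    """External trust to a domain in another forest: 1-way and non-transitive."""
    return [Trust(trusting, trusted, False)]


def trust_path(trusts: List[Trust], resource_domain: str, account_domain: str) -> Optional[List[str]]:
    """Chain of domains over which resource_domain can accept account_domain's
    accounts, or None.  A direct trust always works; a multi-hop chain works only
    if every hop on it is transitive."""
    if resource_domain == account_domain:
        return [resource_domain]
    if any(t.trusting == resource_domain and t.trusted == account_domain for t in trusts):
        return [resource_domain, account_domain]
    prev: Dict[str, Optional[str]] = {resource_domain: None}   # BFS over transitive edges only
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for t in trusts:
            if t.trusting != current or not t.transitive or t.trusted in prev:
                continue
            prev[t.trusted] = current
            if t.trusted == account_domain:
                path, node = [], account_domain
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            queue.append(t.trusted)
    return None


def can_grant_access(trusts: List[Trust], account_domain: str, resource_domain: str) -> bool:
    """Can the admin of resource_domain grant a user from account_domain access?"""
    return trust_path(trusts, resource_domain, account_domain) is not None


PAGE_TRUSTS = (
    parent_child("google.com", "asia.google.com")
    + parent_child("google.com", "europe.google.com")
    + parent_child("europe.google.com", "east.europe.google.com")
    + parent_child("europe.google.com", "west.europe.google.com")
    + external("google.com", "blogspot.com")   # assumed: google.com accepts blogspot.com accounts
)

if __name__ == "__main__":
    for acct, res in [("asia.google.com", "east.europe.google.com"),
                      ("blogspot.com", "google.com"),
                      ("google.com", "blogspot.com"),
                      ("blogspot.com", "asia.google.com")]:
        print(f"{acct:>24} -> {res:<24} {trust_path(PAGE_TRUSTS, res, acct)}")
```

An account from asia.google.com reaches east.europe.google.com through google.com and europe.google.com because every hop is a transitive parent-child trust. The External Trust works only in the one direction it was created (google.com accepts blogspot.com, not the reverse) and only between the two Domains named in it, so asia.google.com cannot grant a blogspot.com user anything even though its parent can.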