Monday, June 26, 2017

Block Connectivity Between Hosts in a VLAN by Protected Port Config of a Switch

This is a simpler variation of PVLANs. With a single command you can stop communication between 2 hosts in the same VLAN.

The topology is simple: the Server and the 2 PCs are in one VLAN (one broadcast domain) and have IP addresses assigned from the same range.

The requirement is to block PC-A from accessing PC-B, but both PCs must be able to access the Server. This can be achieved by configuring the two PC ports as protected ports.

Note:- This config is local to the switch..

The concept is that you can configure switch ports to be protected; protected ports cannot communicate with each other, but a protected port can still communicate with any unprotected port..

SW(config)#int e0/1
SW(config-if)#switchport protected

SW(config)#int e0/2
SW(config-if)#switchport protected

Now data traffic will not be forwarded between ports e0/1 and e0/2.

Now let's look at trunk port scenarios..
All ports are in one VLAN..

Scenario 1
If e0/3 of SW is a protected port;
traffic from SW-2 cannot access PC-A, but it can access the Server..
Reason:- e0/1 and e0/3 are both protected ports..

Scenario 2
If e0/3 of SW is an unprotected port & 
If e0/0 of SW-2 is a protected port; 
all the traffic from SW-2 can access any port of SW..
Reason:- protected port configuration is local to the switch..

Scenario 3
If e0/0 of SW-2 is a protected port &
If e0/1 of SW-2 is a protected port;
PC-B cannot access any port of SW..
Reason:- PC-B and the trunk to SW are protected ports..
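To make the locality rule concrete, here is an added example (not part of the original post) that models the protected-port forwarding decision in Python and replays the three trunk scenarios. The topology it assumes is not stated explicitly above: Server on SW e0/0, PC-A on SW e0/1, the trunk between SW e0/3 and SW-2 e0/0, and PC-B on SW-2 e0/1.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    protected: bool = False

def same_switch_hop(ingress: Port, egress: Port) -> bool:
    """Forwarding decision inside one switch: traffic is never forwarded from
    a protected port to another protected port; every other pairing is fine."""
    return not (ingress.protected and egress.protected)

def can_reach(path: list) -> bool:
    """`path` lists the ports a frame passes through in order. The protected
    check applies only between two ports of the same switch; the trunk link
    between switches carries no 'protected' marking, which is why the
    configuration is local to each switch."""
    return all(same_switch_hop(a, b)
               for a, b in zip(path, path[1:]) if a.switch == b.switch)

# Assumed topology (the post's diagram is not reproduced here): Server on
# SW e0/0, PC-A on SW e0/1 (protected), trunk SW e0/3 <-> SW-2 e0/0,
# PC-B on SW-2 e0/1.
def trunk_scenario(sw_e03: bool, sw2_e00: bool, sw2_e01: bool) -> dict:
    """The flags say which of SW e0/3, SW-2 e0/0 and SW-2 e0/1 are protected."""
    server = Port("SW", "e0/0")
    pc_a = Port("SW", "e0/1", protected=True)
    sw_trunk = Port("SW", "e0/3", sw_e03)
    sw2_trunk = Port("SW-2", "e0/0", sw2_e00)
    pc_b = Port("SW-2", "e0/1", sw2_e01)
    return {
        "pc_b_to_pc_a": can_reach([pc_b, sw2_trunk, sw_trunk, pc_a]),
        "pc_b_to_server": can_reach([pc_b, sw2_trunk, sw_trunk, server]),
    }

if __name__ == "__main__":
    print("Scenario 1", trunk_scenario(True, False, False))
    print("Scenario 2", trunk_scenario(False, True, False))
    print("Scenario 3", trunk_scenario(False, True, True))
```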

Tuesday, June 20, 2017

How to Partition Layer 2 Broadcast Domain of a VLAN by Configuring PVLANs

PVLAN (Private VLAN) partitions the layer 2 broadcast domain of a VLAN into sub-domains. This is useful when you need your devices to be in the same VLAN (IP range) but need to control which of them can access each other.

There are 3 types of VLANs involved when we configure PVLANs..

1) Primary VLANs
2) Isolated VLANs
3) Community VLANs

The Primary VLAN is the normal VLAN we create. It is the parent broadcast domain, which we later partition using the Isolated & Community VLANs; these are called Secondary / Sub VLANs..

There are 3 types of ports, according to the type of VLAN we assign to them..

1) Promiscuous ports - Primary VLAN is assigned
2) Isolated ports - Isolated VLANs are assigned
3) Community ports - Community VLANs are assigned

The concept is simple;
The Promiscuous port can communicate with any other port (Isolated or Community)..
An Isolated port can only communicate with the Promiscuous port; it cannot communicate even with other Isolated ports of the same Isolated VLAN.
The Community ports can communicate with the Promiscuous port & only with the other Community ports which are in the same Community VLAN..

Let's see the configuration..

Here I am going to create;
Primary VLAN (100)
Isolated VLAN (200)
Community VLANs
- Community-A (VLAN 300)
- Community-B (VLAN 400)

Note:- In VTPv1 & VTPv2 the VTP mode should be changed to transparent to configure PVLANs, as those versions do not support PVLAN configurations. Only VTPv3 supports them..

Also note that not every Cisco switch supports PVLANs..

Configuration of the Community VLANs
SW(config)#vlan 400
SW(config-vlan)#private-vlan community
SW(config)#vlan 300
SW(config-vlan)#private-vlan community

Configuration of the Isolated VLANs
SW(config)#vlan 200
SW(config-vlan)#private-vlan isolated

Configuration of the Primary VLAN
SW(config)#vlan 100
SW(config-vlan)#private-vlan primary
SW(config-vlan)#private-vlan association 200,300,400

Configuration of the Promiscuous port
SW(config)#int e0/0
SW(config-if)#switchport mode private-vlan promiscuous
SW(config-if)#switchport private-vlan mapping 100 200,300,400

Configuration of the Isolated ports
SW(config)#int range e0/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 200

Configuration of the Community-A ports
SW(config)#int range e1/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 300

Configuration of the Community-B ports
SW(config)#int range e2/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 400

Show Commands to verify the PVLAN configurations..
SW#show vlan private-vlan
SW#show int e0/0 switchport

Now you can test the connectivity after assigning IP addresses from the same range to the PCs..

The Default Gateway (a router) should always be connected to the Promiscuous port, which all the PCs can reach. But when a router is connected to that interface, hair-pin routing can occur, which bends the rules of PVLANs.
This means that all the PCs will be able to communicate with each other through the default gateway router, like in router-on-a-stick inter-VLAN routing..
You can stop this by putting an ACL on the router interface that blocks traffic from the subnet to the same subnet..
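As an added example (not from the original post), the port rules above written as a small Python model of this configuration: the declared type of the secondary VLAN decides how a host port behaves, a host-association to a VLAN that was never associated with the primary is rejected, and the resulting layer 2 reachability is listed per port. It models only the switch; the hair-pinning through the gateway described above is outside it.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

# From the configuration above: primary VLAN 100 with
# "private-vlan association 200,300,400". The type declared on each
# secondary VLAN decides how a host port placed in it behaves.
PRIMARY = 100
SECONDARIES = {200: ISOLATED, 300: COMMUNITY, 400: COMMUNITY}

@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str
    secondary: Optional[int] = None   # None for the promiscuous port

def host_port(name: str, secondary: int) -> PvlanPort:
    """Model 'switchport private-vlan host-association 100 <secondary>'."""
    if secondary not in SECONDARIES:
        raise ValueError(f"VLAN {secondary} is not associated with primary VLAN {PRIMARY}")
    return PvlanPort(name, SECONDARIES[secondary], secondary)

def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 forwarding rule between two ports of the same private VLAN."""
    if PROMISCUOUS in (a.role, b.role):
        return True                      # promiscuous talks to every port
    if ISOLATED in (a.role, b.role):
        return False                     # isolated ports reach only promiscuous
    return a.secondary == b.secondary    # community: same community VLAN only

# The ports configured above
PORTS = {p.name: p for p in [
    PvlanPort("e0/0", PROMISCUOUS),
    host_port("e0/1", 200), host_port("e0/2", 200),   # isolated
    host_port("e1/1", 300), host_port("e1/2", 300),   # Community-A
    host_port("e2/1", 400), host_port("e2/2", 400),   # Community-B
]}

def reachable_from(name: str) -> list:
    """Names of the other ports a frame from `name` may be forwarded to."""
    src = PORTS[name]
    return sorted(p.name for p in PORTS.values() if p.name != name and can_talk(src, p))

if __name__ == "__main__":
    for n in PORTS:
        print(f"{n}: {reachable_from(n)}")
```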

Sunday, June 18, 2017

A Note on Syslog Logging System of Cisco IOS Devices

Network devices generate messages when something happens. The system that logs these messages is called "Syslog". The messages help to identify what is happening during troubleshooting, or what has happened in the network device, for later root cause analysis.

You can view Syslog messages on the Cisco CLI using the following commands

On Console Line;
R(config)#logging console

On Terminal VTY (SSH, Telnet);
R#terminal monitor

The full Syslog message format in Cisco IOS is as follows..

seq no:timestamp: %facility-severity-MNEMONIC: event

Seq No:
A sequence number that identifies the order of the messages.
This is useful because sometimes the output can appear out of order on the screen.
You will not see it often because it is disabled by default.
The following command enables the Seq no,
R(config)#service sequence-numbers

Timestamp:
Date and time of the message or event.
Timestamps are also disabled by default, but you will see them enabled on almost all systems because it is very important to know the time at which the events were triggered.
The following command enables the Timestamp,
R(config)#service timestamps log datetime

Facility:
This tells the protocol, module, or process that generated the message.
The following are common facilities you may encounter.
SYS for the operating system
IF for an interface
LINK for physical links
LINEPROTO for line protocol

Severity:
A number from 0 to 7 designating the importance of the action reported.
The levels are:

Levels 0 through 4 are for events that could seriously impact the device, whereas levels 5 through 7 are for less-important events.
By default, Syslog servers receive informational messages (level 6).

To change the minimum severity level that is shown on the console, use the following command.
R(config)#logging console <severity level>

To change the minimum severity level that is shown on the terminal, use the following command.
R(config)#logging monitor <severity level>

If you specify a level, that level and all the more severe levels will be displayed.
For example, with the logging console warnings command, all emergencies, alerts, critical, errors and warnings messages will be displayed.

MNEMONIC:
A short string that describes the message.

Event:
A plain-text description of the event that triggered the Syslog message.

Now let's analyze a typical Syslog message
*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

Seq No: none (not configured)
Timestamp: Jun 16 16:41:14.958
Facility: LINK
Severity level: 3 (errors)
MNEMONIC: UPDOWN
Event: Interface Ethernet0/0, changed state to up
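As an added example (not from the original post), a small Python parser for the IOS message format above, plus a filter that behaves like the logging console <level> command. The sample lines are constructed, the first being the message analysed above; the severity names and the meaning of a leading "*" on the timestamp are standard IOS behaviour not stated in the post.

```python
import re
from typing import Optional

# Cisco IOS syslog severities, 0 being the most severe. The names are the
# keywords IOS accepts in "logging console <level>" and "logging trap <level>".
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Format discussed above: seq no:timestamp: %facility-severity-MNEMONIC: event
# Seq no and timestamp are optional because both are disabled by default.
# A leading "*" on the timestamp means the clock is not authoritative (e.g. not
# synchronised by NTP); a leading "." means it was synchronised but lost sync.
_MSG = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<sync>[*.]?)(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<event>.+)$"
)

def parse_syslog(line: str) -> Optional[dict]:
    """Split one IOS log line into its fields; None if it is not a syslog message."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],                                   # None if disabled
        "clock_authoritative": (m["sync"] == "") if m["ts"] else None,
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "mnemonic": m["mnemonic"],
        "event": m["event"],
    }

def at_or_above(lines, level: str) -> list:
    """Mimic 'logging console <level>': keep that severity and anything more severe."""
    threshold = {name: num for num, name in SEVERITY.items()}[level]
    return [p for p in map(parse_syslog, lines) if p and p["severity"] <= threshold]

# Constructed sample lines; the first is the message analysed above.
SAMPLE = [
    "*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
    "000042: Jun 16 16:41:15.961: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "Jun 16 16:42:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 port 514 started - CLI initiated",
]
```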

Storing Syslog Data

By default any Cisco IOS device stores its Syslog messages in its internal buffer of 4 Mb.
You can increase the buffer size with the following command.
R(config)#logging buffered <size>

Or you can configure a dedicated Syslog server to store the Syslog data and give its IP with the following command;
Router(config)#logging <ip address of the syslog server>

To change the minimum severity level that is sent to the server, use the following command.
Router(config)#logging trap <severity level>

The server must run Syslog software to capture the Syslog messages sent to it.

Tuesday, June 13, 2017

Active Directory Domain Services (ADDS) Structure Essentials

Cisco equipment is what makes the internet work, while Windows Active Directory Domain Services (ADDS) is what makes businesses work.

So network engineers should have at least a basic understanding of the way it is structured to serve an enterprise environment.

This post is just about the basic architecture concepts of ADDS.. Not an in-depth explanation..

Domain Controllers

Like the Exchange servers which control email services, the Domain Controllers are the servers which control ADDS, which sets security permissions in a Windows environment. Basically it is the server which the System Administrators configure to allow or block certain users or computers from accessing certain resources (emails, VPNs, applications, file servers, printers etc.) in a network.


There are 2 types of accounts in AD
1) User Accounts
2) Computer Accounts

You can set permissions / apply policies to individual Accounts or Groups.


The information about User Accounts or Computer Accounts is stored in a structured way, which is called a "Schema"..

Ex:- Schema for a User Account
email address:

In Windows AD, this Schema is extensible / can be modified (fields can be added)..


Groups are used to apply security..
Administrators create Groups, assign User Accounts / Computer Accounts to them, and set policies on the Groups which affect all members of that Group.

There are 2 types of Groups.
1) Security Groups
2) Distribution Groups

Security Groups are normal Groups you will see day to day.. They are used to apply security policies.
Distribution Groups are primarily used by email applications..

Groups can also be bundled and assigned into other Groups..

Ex:- We have a Sales group and an HR group in our company. These Groups are called Global Groups, and those Global Groups can be inserted into a Local Group, so that a security policy can be applied at once to all members of both Groups..

Note that the same user can be in several Groups, & individual Accounts can also be bundled together with Groups..

Local & Global are 2 scopes of Groups. Actually there are 3 scopes.
1) Global Groups
2) Local Groups
3) Universal Groups

Scopes are determined by 3 characteristics..

Replication - Where Group is created and where it is replicated..
Membership - What members the Group can have..
Availability - Where can the Group be used..

If you need more info about Group Scopes you can find them here.

Organizational Units (OU)

Organizational Units are Groups used to apply policy..
They are the Groups which are created for administrative purposes,
which means there can be a delegated Administrator for that OU.

Domain & Sub Domains / Child Domains

A Domain is all the users and all the computers which are tied to the Domain Controller's ADDS..
Sub Domains / Child Domains are subsets of the parent Domain. Actually a Sub Domain is a separate Domain in the same network, with its own Domain Controllers but the same Schema. Sub Domains can also have their own Sub Domains..

Ex:- and it's sub domains like & can have sub domains like &


When you create Sub Domains under a Domain, a 2-Way Trust is created automatically.
And between those 2 Sub Domains a 2-Way Transitive Trust exists.

Which means; trusts and vice versa trusts and vice versa

Then trusts and vice versa which we call "Transitive Trust"

Trust simply means that the Admin of can give permissions to a user account from to access resources of and vice versa..

In a Transitive Trust the Admin of can give permissions to a user account from to access resources of and vice versa..

A user can access resources of another Domain using his username and password if the Admin of that Domain permits..


Because all Sub Domains share the same namespace, we say they are in the same Tree.
So a Tree is the entity you get when you add Sub Domains to a Domain.


A Forest is the entity you get when you join 2 or more Domains together with a Trust..
The difference between the Domains is the difference in their Schemas..

Ex:- When buys there is a Forest..

When 2 Domains are trusted, 2-Way Trusts do not happen automatically like between Domains and Sub Domains. Admins can only create a One-Way Trust. So if a 2-Way Trust is required, Admins should create 2 One-Way Trusts..

Sunday, June 11, 2017

Basic Installation of Microsoft Windows Server 2012 R2 in VMware Workstation

Download the ISO file; you can get it from the official Microsoft site as an evaluation copy too.
Next go to VMware and go to File > New Virtual Machine > Typical > I will install the operating system later, select Windows Server 2012, and specify the name of the server and the location where it will be installed.
60 GB will be enough hard disk space for my labs and I will store it as a single file.
It is better if you can give at least 4 GB of RAM and all the CPU cores available.
Don't forget to select the ISO image file in the CD ROM settings of the VM and make sure it is ticked to connect at power on before you begin.

Now let's start installing it by powering on the VM..

It will take some time to pop this up.
Select your preferences and hit Next..


I am selecting the standard server with a GUI..

From this step onward, it is like installing a normal Windows PC operating system.. Just choose your preferences and hit Next..

After the installation, it will reboot and ask for the password of the Administrator account..

After the settings are finalized, you will be able to log in with the Administrator password you gave..
You will see the following Dashboard..

Now it's better to install the VMware Tools for smoother operation..
Go to VM > Install VMware Tools
Now go to the Start Menu of Server 2012 > This PC and double click on the CD ROM, which will lead you to the VMware Tools installer.. Just a few Nexts and it will be done, and it will reboot the machine..

The first thing you will need to do is change the IP address to a static IP. You will also need to turn off the Firewall of the Server, or add some exceptions, to allow pings from your routers to check the connectivity.. Both of those activities are just like in your Windows PC..

By default it will assign itself a hostname .. You can change it from the Properties of This PC, just like you do in your Windows PC. It will ask for a reboot..