DK

Troubleshooting and Port Security Notes

Network Troubleshooting and Configuration

Initial Problem: Ping Failure

  • A network setup issue where the second switch cannot be pinged.

  • Importance of labeling network devices with their IPs.

IP Configuration Errors

  • Incorrect IP addresses assigned (e.g., 198 instead of 192.168).

  • Example: PC 16 was incorrectly assigned an IP address starting with 198.

  • Consistent IP errors throughout the network configuration.

Router Interface Issues

  • Router interfaces showing as “red,” indicating a problem.

  • The importance of IP address configuration on router fast Ethernet interfaces.

  • Incorrect default gateway configuration.

Ping Testing Strategy

  • Initial focus on pinging within the same VLAN before attempting inter-VLAN communication.

  • Testing intra-VLAN communication to isolate issues.

  • Example: Ping PC 15 to PC 16 (within VLAN) first.

  • Verification of intra-VLAN communication before proceeding.

Inter-VLAN Verification

  • Verifying that intra-VLAN communication is functional.

  • Successful pinging from PC 15 to PC 16 confirms intra-VLAN functionality.

  • Ensuring the trunk (802.1Q) is operational for VLAN routing.

Router Reachability

  • Identifying that the router can be reached.

  • Further testing: Ping from PC 15 to PC 18, which involves different VLANs.

  • The problem lies in the inter-router link: the interfaces show red because the interface is down.

Router Interface Configuration

  • Checking IP addresses on Router 4 and Router 5.

  • Configuring Router 5's interface (which was missing configuration).

  • Commands used: int fa0/0, ip address 10.0.0.2 255.255.255.0, no shut.

  • Explanation: no shut command brings the interface up, changing the indicator from red to green.

MLS Configuration

  • Adding IP address to the MLS (Multilayer Switch).

  • Need to configure the MLS interface (FastEthernet 0/5, i.e. fa0/5).

  • Command no switchport is used to make the port behave like a routed port instead of a switch port.

  • Commands: config t, int fa0/5, no switchport, ip address 20.0.0.1 255.255.255.0, no shut.

Verifying Inter-VLAN on MLS

  • Ensuring PC 10 can ping PC 11, and PC 12 can ping PC 13, to confirm MLS inter-VLAN functionality.

  • If the MLS is working correctly, intra-VLAN communication should work.

EIGRP Configuration

  • Configuring EIGRP (Enhanced Interior Gateway Routing Protocol) on the routers and MLS.

  • Commands: router eigrp <AS_number>, network <network_address>. The AS number can be any number from 1 to 65535.

  • Network addresses, not IP addresses, are used in the EIGRP configuration.

  • Example network configurations: network 192.168.0.0, network 192.168.128.0, network 10.0.0.0.

  • Command: no auto-summary is crucial to prevent summarization of routes.

  • Verifying routes: show ip route on all devices to ensure all networks are reachable.

  • Final ping test: from PC 1 to the last PC to confirm end-to-end reachability.
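The interface, routed-port and EIGRP steps above, collected into one configuration walk-through. This is an added example and not the lecture's own configuration: the device prompts, the 10.0.0.1 address on Router 4, the second Router 5 interface (fa0/1, 20.0.0.2) facing the MLS routed port, the placement of the 192.168.0.0 and 192.168.128.0 networks on particular devices, the AS number 100, and the ip routing command on the MLS are all assumptions; only the addresses and commands quoted in the notes come from the page. Comment lines begin with "!" as in IOS.

```text
! Router 5: the interface that was missing its configuration
Router5# configure terminal
Router5(config)# interface fa0/0
Router5(config-if)# ip address 10.0.0.2 255.255.255.0
Router5(config-if)# no shutdown
Router5(config-if)# exit
! Assumed second link from Router 5 toward the MLS routed port (20.0.0.0/24)
Router5(config)# interface fa0/1
Router5(config-if)# ip address 20.0.0.2 255.255.255.0
Router5(config-if)# no shutdown
Router5(config-if)# exit
! EIGRP: AS 100 is an assumption; the AS number must match on every device
Router5(config)# router eigrp 100
Router5(config-router)# network 10.0.0.0
Router5(config-router)# network 20.0.0.0
Router5(config-router)# no auto-summary
Router5(config-router)# end
Router5# show ip interface brief
Router5# show ip route

! Router 4: assumed 10.0.0.1 on fa0/0 and the 192.168.0.0 LAN behind it
Router4# configure terminal
Router4(config)# interface fa0/0
Router4(config-if)# ip address 10.0.0.1 255.255.255.0
Router4(config-if)# no shutdown
Router4(config-if)# exit
Router4(config)# router eigrp 100
Router4(config-router)# network 10.0.0.0
Router4(config-router)# network 192.168.0.0
Router4(config-router)# no auto-summary
Router4(config-router)# end
Router4# show ip route

! MLS: turn fa0/5 into a routed port and run EIGRP for the VLAN subnets
MLS# configure terminal
MLS(config)# ip routing
MLS(config)# interface fa0/5
MLS(config-if)# no switchport
MLS(config-if)# ip address 20.0.0.1 255.255.255.0
MLS(config-if)# no shutdown
MLS(config-if)# exit
MLS(config)# router eigrp 100
MLS(config-router)# network 20.0.0.0
MLS(config-router)# network 192.168.128.0
MLS(config-router)# no auto-summary
MLS(config-router)# end
MLS# show ip eigrp neighbors
MLS# show ip route
```

Two checks worth doing before the final end-to-end ping: show ip eigrp neighbors on each device should list every directly connected EIGRP router (an empty list usually means the AS numbers differ or the link is still down), and show ip route should show the remote networks marked D (EIGRP). A network statement given without a wildcard mask, as in the notes, is interpreted classfully, so 192.168.0.0 and 192.168.128.0 are separate class C networks and each needs its own statement.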

Port Security

The Concept of Port Security

  • Port security is introduced as a method to prevent unauthorized access to the network.

  • Scenario: Computer 'D' (intruder) trying to steal information by replacing an authorized computer ('A').

  • The goal is to prevent 'D' from impersonating 'A' even if 'A' is absent.

MAC Address Binding

  • The key concept is binding a specific MAC address to a switch port.

  • Rationale: MAC addresses are unique and harder to spoof compared to IP addresses.

  • If a packet comes from a computer with an unknown MAC address, the port will block the traffic.

Configuration Steps

  • Enter global configuration mode: en, config t

  • Select the interface: interface fa0/1

  • Set the port mode to access: switchport mode access

  • Enable port security: switchport port-security

  • Set the maximum number of allowed MAC addresses (typically 1 for enhanced security): switchport port-security maximum 1

  • Specify the allowed MAC address: switchport port-security mac-address <MAC_address>

  • Define the violation action (e.g., shutdown the port): switchport port-security violation shutdown

Violation Modes

  • Shutdown: The port is immediately disabled upon violation.

  • Other violation modes exist (not covered in the lecture); shutdown is the one commonly used for security.

Verification

  • Use the command show port-security to verify the configuration and status.

  • This command shows the maximum MAC addresses allowed, the current MAC address, and any violation counts.

Demonstration of Intrusion Detection

  • When an unauthorized device (with a different MAC address) connects, the port is shut down.

  • The show port-security command will show an increased violation count.

Alternative: Sticky MAC Address Learning

  • Instead of manually configuring the MAC address, the switch can automatically learn it.

  • Configure "sticky" learning: switchport port-security mac-address sticky

  • The switch will learn the MAC address of the first device that connects to the port.

  • This simplifies initial configuration but still provides security against unauthorized devices.

Port Security Best Practices

  • Use port security as one layer of a defense-in-depth design.

  • It complements firewalls and VLANs in securing the network.

  • Port security prevents unauthorized access even within a VLAN.

  • A good engineer should always apply device-security measures such as MAC address mapping.

Multiple Devices on One Port

  • A scenario where two authorized laptops need to be used on the same port.

  • Configure the maximum MAC addresses to 2.

  • Allowing multiple MAC addresses reduces security.

Port Security with Sticky MAC Addresses

  • Configure sticky MAC address learning to automatically learn the authorized MAC address.

  • When a device connects, its MAC address is automatically learned.
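The port-security configuration steps, the sticky-learning alternative, and the two-laptops-on-one-port scenario, worked through on one switch. This is an added example rather than the lecture's configuration: the Switch prompt, the second interface fa0/2, the placeholder MAC 0000.1111.AAAA, the show port-security interface and show port-security address commands, and the err-disabled recovery steps are not from the notes.

```text
Switch> enable
Switch# configure terminal
! fa0/1: exactly one statically bound MAC (placeholder value, not from the notes)
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.1111.AAAA
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
! fa0/2: two authorized laptops share the port; their MACs are learned sticky
Switch(config)# interface fa0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
! Verification: summary, per-port detail, and the secured MAC table
Switch# show port-security
Switch# show port-security interface fa0/1
Switch# show port-security address
! Sticky addresses live in running-config; save them or they are lost at reload
Switch# copy running-config startup-config
! After a violation in shutdown mode the port is err-disabled; to re-enable it
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

Sticky learning binds whichever device speaks first on the port, so enable it while the known-good laptops are the ones attached, then save the configuration. With maximum 2 the second learned address is also trusted, which is the reduction in security the notes mention; a third address triggers the violation, and the counter in show port-security interface fa0/2 increments.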

EIGRP Autonomous System Number

  • The EIGRP autonomous system number is an integer that identifies the EIGRP routing domain.

  • 1 ≤ AS ≤ 65535