Friday, August 31, 2012

Cisco Nexus 7000 supported I/O modules (as of August 2012)

As of 2012/8/31, the Cisco Nexus 7000 supports the following I/O modules:
F1-Series 32-port 1- and 10-Gigabit Ethernet I/O modules (N7K-F132XP-15)

F2-Series 48-port 1-/10-Gigabit Ethernet I/O modules with XL (N7K-F248XP-25)


M1-Series 48-port 10/100/1000 I/O modules (N7K-M148GT-11)

M1-Series 48-port 10/100/1000 I/O modules with XL option (N7K-M148GT-11L)

M1-Series 48-port 1-Gigabit Ethernet I/O modules (N7K-M148GS-11)

M1-Series 48-port 1-Gigabit Ethernet I/O modules with XL option (N7K-M148GS-11L)

M1-Series 32-port 10-Gigabit Ethernet I/O modules (N7K-M132XP-12)

M1-Series 32-port 10-Gigabit Ethernet I/O modules with XL option (N7K-M132XP-12L)

M1-Series 8-port 10-Gigabit Ethernet I/O modules with XL option(N7K-M108X2-12L)


M2-Series 24-port 10-Gigabit Ethernet I/O modules with XL option (N7K-M224XP-23L)

M2-Series 6-port 40-Gigabit Ethernet I/O modules with XL option (N7K-M206FQ-23L)

M2-Series 2-port 100-Gigabit Ethernet I/O modules with XL option (N7K-M202CF-22L)


For these modules, port groups matter when configuring VDCs: on some modules, every interface in a port group must be allocated to the same VDC. The port-group layout for each module is as follows:
N7K-M202CF-22L (1 interface x 2 port groups = 2 interfaces 100G modules)—There are no restrictions on the interface allocation between VDCs.


N7K-M206FQ-23L (1 interface x 6 port groups = 6 interfaces 40G modules)—There are no restrictions on the interface allocation between VDCs. 


N7K-M224XP-23L (1 interface x 24 port groups = 24 interfaces 10G modules)—There are no restrictions on the interface allocation between VDCs. 


N7K-M108X2-12L (1 interface x 8 port groups = 8 interfaces)—There are no restrictions on the interface allocation between VDCs. 


N7K-M148GS-11L, N7K-M148GT-11, and N7K-M148GS-11 (12 interfaces x 4 port groups = 48 interfaces)—There are no restrictions on the interface allocation between VDCs, but we recommend that interfaces that belong to the same port group be in a single VDC. 


N7K-M132XP-12 (4 interfaces x 8 port groups = 32 interfaces)—Interfaces belonging to the same port group must belong to the same VDC.


N7K-M148GT-11L (same as non-L M148) (1 interface x 48 port groups = 48 interfaces)—There are no restrictions on the interface allocation between VDCs. 


N7K-M132XP-12L (same as the non-L M132) (4 interfaces x 8 port groups = 32 interfaces)—All M132 cards require allocation in groups of 4 ports, so there are 8 port groups to allocate.
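To make the port-group rule concrete, here is an added example (not Cisco code) that checks a proposed VDC interface allocation against the rules listed above for each module and expands a partial allocation to whole port groups. The per-module layouts are assumptions derived from the list: contiguous groups for the M148 (1-12, 13-24, ...) and interleaved odd/even groups of four for the M132XP (1,3,5,7 / 2,4,6,8 / ...); the slot number and the requested ports are constructed. Confirm the layouts against the VDC configuration guide for your NX-OS release before relying on the output.

```python
"""Check a proposed Nexus 7000 VDC interface allocation against per-module
port-group rules (added example, not Cisco code)."""
from typing import Dict, List, Set, Tuple

Groups = List[Set[int]]


def contiguous(ports: int, size: int) -> Groups:
    """Port groups of `size` consecutive ports: 1-12, 13-24, ... (M148 layout)."""
    return [set(range(start, start + size)) for start in range(1, ports + 1, size)]


def interleaved_quads(ports: int) -> Groups:
    """M132XP layout as assumed here: 1,3,5,7 / 2,4,6,8 / 9,11,13,15 / ...
    Verify against the VDC guide for your NX-OS release."""
    groups: Groups = []
    for base in range(1, ports + 1, 8):
        groups.append({base, base + 2, base + 4, base + 6})
        groups.append({base + 1, base + 3, base + 5, base + 7})
    return groups


# module -> (port groups, rule).  "required": a split group is rejected by NX-OS,
# "recommended": allowed but Cisco advises against it, "none": no restriction.
MODULES: Dict[str, Tuple[Groups, str]] = {
    "N7K-M202CF-22L": (contiguous(2, 1), "none"),
    "N7K-M206FQ-23L": (contiguous(6, 1), "none"),
    "N7K-M224XP-23L": (contiguous(24, 1), "none"),
    "N7K-M108X2-12L": (contiguous(8, 1), "none"),
    "N7K-M148GT-11L": (contiguous(48, 1), "none"),
    "N7K-M148GT-11": (contiguous(48, 12), "recommended"),
    "N7K-M148GS-11": (contiguous(48, 12), "recommended"),
    "N7K-M148GS-11L": (contiguous(48, 12), "recommended"),
    "N7K-M132XP-12": (interleaved_quads(32), "required"),
    "N7K-M132XP-12L": (interleaved_quads(32), "required"),
}


def check_allocation(module: str, slot: int, ports: Set[int]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for allocating `ports` of `module` in `slot` to one VDC."""
    groups, rule = MODULES[module]
    errors: List[str] = []
    warnings: List[str] = []
    unknown = ports - set().union(*groups)
    if unknown:
        errors.append(f"slot {slot}: ports {sorted(unknown)} do not exist on {module}")
    for group in groups:
        inside = ports & group
        if inside and inside != group:  # this port group straddles the VDC boundary
            msg = (f"slot {slot}: port group {sorted(group)} is split, "
                   f"only {sorted(inside)} allocated")
            if rule == "required":
                errors.append(msg)
            elif rule == "recommended":
                warnings.append(msg)
    return errors, warnings


def complete_allocation(module: str, ports: Set[int]) -> List[int]:
    """Expand `ports` so that every touched port group is allocated whole."""
    groups, _ = MODULES[module]
    full: Set[int] = set(ports)
    for group in groups:
        if ports & group:
            full |= group
    return sorted(full)


def allocate_command(slot: int, ports: List[int]) -> str:
    """The 'allocate interface' line to enter under 'vdc <name>' on NX-OS."""
    return "allocate interface " + ", ".join(f"ethernet {slot}/{p}" for p in ports)


if __name__ == "__main__":
    # Constructed request: four consecutive 10G ports of an M132XP-12 in slot 3.
    want = {1, 2, 3, 4}
    errs, warns = check_allocation("N7K-M132XP-12", 3, want)
    for line in errs + warns:
        print(line)
    print(allocate_command(3, complete_allocation("N7K-M132XP-12", want)))
```

Asking for ports 1-4 of an M132XP-12 touches two port groups (1,3,5,7 and 2,4,6,8) and is rejected; the completed allocation is ports 1-8, which is what NX-OS would insist on. On an M148GT-11 the same kind of split only produces a warning, matching Cisco's "recommended" wording.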











Both M-Series and F-Series modules are offered with the XL option.

And the fabric module support matrix is as follows:
Cisco Nexus 7009 chassis uses the Fabric 2 (N7K-C7009-FAB-2) modules.


Cisco Nexus 7010 chassis uses the Fabric 1 (N7K-C7010-FAB-1) or Fabric 2 (N7K-C7010-FAB-2) modules.


Cisco Nexus 7018 chassis uses the Fabric 1 (N7K-C7018-FAB-1) or Fabric 2 (N7K-C7018-FAB-2) modules.
      You can replace a Fabric 1 module with a Fabric 2 module in the Cisco Nexus 7010 and 7018 switches during operations, but while there is a mix of fabric module types, all of the fabric modules perform as Fabric 1 modules.
      In other words, on a running Nexus 7010 or 7018 you can swap Fabric 1 modules for Fabric 2, but you have to swap all of them: as long as the two types are mixed, every fabric module only delivers Fabric 1 performance.

       If you power up a switch with two types of fabric modules installed, only the Fabric 1 modules will power up. To utilize the Fabric 2 module capabilities, all of the installed fabric modules must be Fabric 2 modules.
      And if the switch is powered up with Fabric 1 and Fabric 2 modules mixed, only the Fabric 1 modules come up; the Fabric 2 modules are only used when every installed fabric module is Fabric 2.






Tuesday, August 28, 2012

Basic protection on a switch: Port Security

Port Security on Cisco switches is nothing exotic, but few people know how to use it or what its detailed settings do, so here is a look at how it is applied.
First, what it is used for:

1. Preventing terminal devices that do not belong to the organization from connecting to the network without authorization.

2. Preventing an authorized device from being plugged into an area (switch) it is not authorized to connect to.

3. Preventing unauthorized computers from creating virtual machines at will (each VM brings another MAC address onto the port).

Port security is usually configured in one of the following ways:

Method 1 (static secure MAC address):
(config)#interface gigabitethernet 9/10
(config-if)#switchport mode access
(config-if)#switchport port-security
(config-if)#switchport port-security maximum 1
(config-if)#switchport port-security mac-address 0bdc.1f69.f598
(config-if)#switchport port-security violation shutdown

Method 2 (sticky learning):

(config)#interface gigabitethernet 9/10
(config-if)#switchport mode access
(config-if)#switchport port-security
(config-if)#switchport port-security maximum 1
(config-if)#switchport port-security mac-address sticky
(config-if)#switchport port-security violation shutdown

Where:
   >  switchport port-security enables the port-security feature on the interface. It is only accepted on a port that is
       statically set to access (or trunk) mode, so configure switchport mode access first.

   >  switchport port-security maximum 1 sets how many MAC addresses may appear on this interface at most;
       one more than this value is a violation.

   >  Next comes defining the MAC addresses, of which there are the following kinds:

 
         >> Static: as the name says, a MAC address entered by hand with switchport port-security mac-address H.H.H.
                          Static entries are stored in the secure address table and appear in the running-config. An address
                          can also be entered by hand as a sticky entry with switchport port-security mac-address sticky H.H.H.

         >> Dynamic: the default. As long as the interface has not reached its maximum and has not yet learned the
                              address, the source MAC of an incoming frame is learned as a secure address. Dynamic entries
                              age out, are never written to the configuration, and are lost on a reload.

         >> Sticky: behaves like dynamic, except that learned addresses are converted into sticky entries and written
                           to the running-config. Once you save the configuration to NVRAM (copy running-config startup-config
                           or write memory) they survive a reload and do not need to be relearned.
                           Sticky addresses do not age out.

                           Sticky and dynamic learning are mutually exclusive: enabling sticky turns dynamic learning off,
                           and when sticky is disabled again the sticky entries are converted back to dynamic entries and
                           dynamic learning resumes.

                           Entering switchport port-security mac-address sticky also converts the addresses already learned
                           dynamically into sticky entries in the running-config.

                           Sticky addresses that have been saved to NVRAM can still be cleared by hand:
                           #clear port-security sticky [interface fax/y]

   > Aging time: the aging parameters are:

                        Static: also apply aging to static secure addresses (switchport port-security aging static); by default
                                  only dynamic entries age.
 
                        Time: the aging timeout, in minutes (switchport port-security aging time <minutes>).

                        Type: the aging type, absolute or inactivity. absolute is a fixed time: the secure address is removed
                                  from the table once this much time has passed since it was learned, regardless of traffic;
                                  inactivity is relative: the address is removed only if no traffic has been seen from it for
                                  this long.

   > Violation: what happens when a violation occurs ==>

                      Protect: frames from MAC addresses other than the secure ones are dropped, and almost nothing else
                                   happens: no counter, no notification.

                      Restrict: the same as Protect, but the violation counter is incremented and an SNMP trap and syslog
                                   message are generated; the interface is not shut down.

                      Shutdown (the default): the interface goes into err-disabled state (a trap and syslog message are sent
                                       as well). It can be brought back automatically after a set number of seconds with ==>

                                         Cat4507 (config)#errdisable recovery cause psecure-violation
                                         Cat4507 (config)#errdisable recovery interval 30

                      or by hand with shutdown followed by no shutdown on the interface. To see the current state, secure
                      addresses and violation count, use show port-security interface gigabitethernet 9/10 and
                      show port-security address.
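As an added example (not Cisco code, and no substitute for trying it on a real switch), the following model captures the behaviour described above: the secure-address maximum, static/dynamic/sticky entries, the three violation modes, and what survives write memory and a reload. Aging is not modelled. The MAC addresses and frame sequences are constructed.

```python
"""Model of the Cisco port-security behaviour described above: secure-address
maximum, static/dynamic/sticky entries, the three violation modes, and what
survives 'write memory' and a reload (added example, not Cisco code; aging is
not modelled; MAC addresses are constructed)."""
from typing import Dict, List, Optional


class PortSecurity:
    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 sticky: bool = False, static: Optional[List[str]] = None) -> None:
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        # secure address table: mac -> "static" | "dynamic" | "sticky"
        self.secure: Dict[str, str] = {m.lower(): "static" for m in static or []}
        self.err_disabled = False
        self.violation_count = 0
        self.snmp_traps: List[str] = []
        self.startup_config: List[str] = []  # what the last 'write memory' saved

    def frame(self, src_mac: str) -> str:
        """Process one ingress frame and report what the port did with it."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:          # room left: learn it
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[mac] = kind
            return f"forwarded (learned {kind})"
        # table full and this source is not secure: a violation
        if self.violation == "protect":
            return "dropped (protect: no count, no trap)"
        self.violation_count += 1
        self.snmp_traps.append(f"psecure-violation {mac}")
        if self.violation == "restrict":
            return "dropped (restrict: counted, trap sent)"
        self.err_disabled = True
        return "dropped (shutdown: port err-disabled)"

    def write_memory(self) -> List[str]:
        """Save the config: static and sticky entries are config lines, dynamic ones never are."""
        self.startup_config = [
            f"switchport port-security mac-address {'sticky ' if kind == 'sticky' else ''}{mac}"
            for mac, kind in self.secure.items() if kind != "dynamic"]
        return list(self.startup_config)

    def reload(self) -> None:
        """Reboot: only saved entries come back; err-disable is runtime state and clears."""
        self.secure = {}
        for line in self.startup_config:
            tokens = line.split()
            self.secure[tokens[-1]] = "sticky" if "sticky" in tokens else "static"
        self.err_disabled = False

    def errdisable_recover(self) -> None:
        """What 'errdisable recovery cause psecure-violation' does once the interval expires."""
        self.err_disabled = False


def run(port: PortSecurity, src_macs: List[str]) -> List[str]:
    """Feed a sequence of source MACs through the port and collect the results."""
    return [port.frame(mac) for mac in src_macs]


if __name__ == "__main__":
    port = PortSecurity(maximum=1, violation="shutdown", sticky=True)
    macs = ["0bdc.1f69.f598", "0bdc.1f69.f598", "aaaa.bbbb.cccc"]  # constructed
    for mac, result in zip(macs, run(port, macs)):
        print(mac, "->", result)
    print(port.write_memory())
```

Running the sticky/shutdown case shows the third frame (a second MAC on a maximum 1 port) putting the port into err-disabled, and after errdisable recovery the saved sticky address still forwards across a reload; the same sequence with dynamic learning ends with an empty startup-config and the address has to be relearned.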








Thursday, August 23, 2012

How to automatically back up a Cisco IOS device's configuration to a TFTP server...

We can easily back up a Cisco IOS device's configuration to a TFTP server every time we issue the "write memory" command. How is it done? Follow the steps below:

#configure terminal
(config)#archive
(config-archive)#path tftp://172.16.7.100/switch1-
(config-archive)#write-memory
(config-archive)#end
#write memory

You will then see a file on the TFTP server with a name such as "switch1-Aug-23-15-23-17-0", that is,
the prefix you defined plus the date and time. The archived copies are listed with show archive.

Of course, the configuration is still written to NVRAM (the startup-config) as usual.

One caveat: TFTP has no authentication and no encryption, so every copy of the configuration, including enable secret hashes, SNMP communities and any type 7 passwords, crosses the network in the clear and can be written by anyone who can reach the server. Keep the TFTP server on the management network and restrict it to the switches' addresses, or use an scp:// path instead of tftp:// (the same archive block also accepts time-period <minutes> for periodic copies).
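To show what the switch actually does when write-memory triggers the archive, here is an added example (not Cisco code) of the TFTP write exchange per RFC 1350: the WRQ, the server's ACK 0, then DATA blocks of 512 bytes each acknowledged by block number, ending with a short block. The server is a tiny in-memory one so the exchange runs offline; the sample configuration and file name are constructed. Because nothing in the protocol protects the payload, the "secrets" in the sample are visible to the server and to anyone on the path.

```python
"""The TFTP write exchange behind 'archive ... write-memory', driven against a
tiny in-memory server (RFC 1350 framing; added example, not Cisco code).
Real transfers run over UDP/69, unauthenticated and in clear text."""
import struct
from typing import Dict, Optional, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # data block size; a block shorter than this ends the transfer

# Constructed sample of what a saved running-config carries across the wire.
SAMPLE_CONFIG = (b"hostname switch1\n"
                 b"enable secret 5 $1$abcd$constructedhashvalueXXXXXXXXXXXX\n"
                 b"snmp-server community public RO\n"
                 b"end\n")


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(pkt: bytes) -> Tuple[int, tuple]:
    """Decode one TFTP packet into (opcode, fields)."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        name, mode = pkt[2:].split(b"\0")[:2]
        return op, (name.decode(), mode.decode())
    (num,) = struct.unpack("!H", pkt[2:4])
    if op == DATA:
        return op, (num, pkt[4:])
    if op == ACK:
        return op, (num,)
    if op == ERROR:
        return op, (num, pkt[4:].split(b"\0")[0].decode())
    raise ValueError(f"unknown opcode {op}")


class TftpServer:
    """Write-only server keeping files in memory; one transfer at a time."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}
        self._name: Optional[str] = None
        self._buf = b""
        self._expect = 1

    def handle(self, pkt: bytes) -> bytes:
        op, fields = parse(pkt)
        if op == WRQ:
            name, mode = fields
            if mode.lower() != "octet":
                return build_error(0, "octet mode only")
            self._name, self._buf, self._expect = name, b"", 1
            return build_ack(0)                     # ACK 0: client may send block 1
        if op == DATA and self._name is not None:
            block, payload = fields
            if block != self._expect:
                return build_ack(self._expect - 1)  # duplicate/out of order: re-ACK last good block
            self._buf += payload
            self._expect += 1
            if len(payload) < BLOCK:                # short block: transfer complete
                self.files[self._name] = self._buf
                self._name = None
            return build_ack(block)
        return build_error(4, "illegal TFTP operation")


def tftp_write(server: TftpServer, filename: str, data: bytes) -> int:
    """Client side of a write: WRQ, then DATA blocks until a short one. Returns blocks sent."""
    op, fields = parse(server.handle(build_wrq(filename)))
    if (op, fields) != (ACK, (0,)):
        raise RuntimeError(f"WRQ refused: {fields}")
    block, offset = 0, 0
    while True:
        chunk = data[offset:offset + BLOCK]
        block += 1
        op, fields = parse(server.handle(build_data(block, chunk)))
        if (op, fields) != (ACK, (block,)):
            raise RuntimeError(f"block {block} not acknowledged: {fields}")
        offset += BLOCK
        if len(chunk) < BLOCK:
            return block


if __name__ == "__main__":
    srv = TftpServer()
    sent = tftp_write(srv, "switch1-Aug-23-15-23-17-0", SAMPLE_CONFIG)
    print(sent, "block(s);", srv.files["switch1-Aug-23-15-23-17-0"].decode().splitlines()[2])
```

A 1024-byte file takes three DATA packets (512, 512 and an empty one), which is the detail that trips up hand-rolled servers; the server also re-acknowledges the last good block on a duplicate or out-of-order DATA instead of accepting it, as RFC 1350 requires.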

Sunday, August 19, 2012

PaloAlto SSL VPN configuration


Enable the SSL VPN client
Device > SSL VPN Client > Activate

Create a certificate
Device > Certificates > Generate
(A self-signed certificate makes every user click through a warning, which is exactly the habit a phishing portal exploits; for an Internet-facing portal use a certificate from a CA the clients already trust.)

Choose the user source for the SSL VPN
Device > Authentication (Local DB, RADIUS, LDAP, Kerberos)

SSL VPN network setup
Network > Interface
Network > Zones
An SSL VPN connection must come from untrust (source) into trust (destination), so two ethernet interfaces are needed, placed in two separate zones.

Routing
Network > Virtual Routers
Select the ethernet interfaces configured for the SSL VPN, plus a tunnel interface.
Add one route towards untrust (Destination 0.0.0.0/0), with the untrust ethernet as the interface and that interface's next-hop router IP as the gateway.
Add another route towards the network the SSL VPN users need to reach, with the trust ethernet as the interface.

Finally, the SSL VPN itself
Network > SSL VPN > Add
Server Certificate: the certificate created earlier; Authentication Profile: the authentication profile created earlier.
Tunnel Interface: the tunnel interface. MAX User must also be set, up to the maximum the model supports.
Gateway Address: the untrust (source) interface and its IP.
Client Configuration: the Primary DNS Server IP the SSL VPN client will resolve names with once connected, and the IP pool from which SSL VPN clients receive their addresses.
Access Route: the network segments the SSL VPN users are allowed to reach through the tunnel.

Verify the SSL VPN
https://IP (the untrust ethernet IP)

The above was adapted from an article of unknown origin found online.




Palo Alto – SSL VPN Configuration

Published on March 18, 2011 by Owen in Palo Alto Networks
A brief guide on creating a SSL portal and obtaining/deploying the SSL VPN client.
Download and Enable the SSL Client
Users will need to have the SSL VPN client installed before they’ll be able to access the SSL portal. This client is downloaded on 1st logon, but for it to be available to the user you’ll need to download the installer to the Palo Alto device. This can be accomplished by following the steps below:
1. Navigate to Device > SSL-VPN Client > Refresh – for this step to successfully complete the FW will require Internet access.
2. Choose the appropriate version of the client and select download.
3. Once downloaded the client will need to be activated. Select ‘activate’ to do this.
4. The SSL client installer is ready for deployment from the device.
Create a SSL-VPN Profile
This profile will be assigned to clients included in the specified authentication group(s). Different SSL portals can be created for different user/group(s) if required.
1. Navigate to Network > SSL-VPN > New.
2. Portal name: Enter a portal name.
3. Virtual system: If left blank this will be automatically populated on saving.
4. Tunnel interface: Select or create a tunnel interface that will be used with this profile.
5. Authentication: Select or create an authentication profile.
  • Device > Authentication Profile > New.
  • Name: Enter a meaningful name for the profile.
  • Lockout – failed attempts: If 0 is used the account will never become locked out.
  • Lockout – lockout time: If 0 is used the account lockout time never takes effect.
  • Allow list > Edit allow list: Enter/select the groups/users that should be granted access to the SSL portal.
  • Authentication: Select from the drop-down list the type of authentication that should be used. Methods include Local DB (a user/group will need to be created on the Palo Alto FW), RADIUS or LDAP.
6. Server certificate: A self-signed certificate can be generated, but if this is to be used on the public domain it may be best to purchase a public cert.
7. Enable IPsec encapsulation of client traffic: Check this box.
8. Redirect HTTP traffic to HTTPS login page: Optional.
9. Interface: Select the interface that will be used for incoming VPN connections.
10. IP address: Select the appropriate IP address from the list (as more than one may be bound to the interface).
11. Login lifetime: Enter a max session lifetime.
12. Inactivity logout: Enter an inactivity timeout value.
13. Client Configuration.
  • Primary/Secondary DNS: Primary/Secondary DNS server addresses.
  • Primary/Secondary WINS: Primary/Secondary WINS server addresses.
  • IP Pool – Subnet/Range: Enter an IP address range that can be assigned to remote clients.
  • DNS Suffix: Enter the DNS suffix.
  • Split tunnelling route: If you’re allowing clients to use multiple subnets, enter the routes here.
There you have it, your SSL VPN is created.

Tuesday, August 7, 2012

About broadcast addresses

Anyone familiar with Cisco gear knows the ip helper-address command, which relays DHCP request broadcasts as unicast to the DHCP server we specify. What fewer people know is that, besides DHCP, enabling ip helper-address also relays broadcasts for the following UDP protocols to the helper address:

  • TFTP (port 69)
  • DNS (port 53)
  • Time (port 37)
  • TACACS (port 49)
  • BOOTP client (port 68)
  • BOOTP server (port 67)
  • NetBIOS name service (port 137)
  • NetBIOS datagram service (port 138)

To relay UDP packets for ports beyond these, use ip forward-protocol udp <port>; conversely, no ip forward-protocol udp <port> removes one of the defaults (NetBIOS on 137/138 is a common one to drop) so the helper does not relay traffic nobody asked for.

Speaking of broadcasts, there is also the interface setting no ip directed-broadcast, which protects against smurf-style DoS amplification. It has been the default on IOS since 12.0, so on current gear the job is to make sure nobody has turned ip directed-broadcast back on. So what is a directed broadcast?

Let's first look at the kinds of broadcast:

1. Subnet broadcast, e.g. 130.182.1.255

2. All-subnets-directed broadcast, e.g. 130.182.255.255 (the broadcast address of the whole classful network)

3. Limited broadcast, 255.255.255.255; BOOTP and DHCP use this one. Routers never forward it, which is exactly why DHCP needs ip helper-address.
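Added example (not Cisco code): the broadcast categories and the two router features above, as functions that classify a destination address and decide whether the router relays it (ip helper-address with its default UDP port list, plus ip forward-protocol additions and removals) or forwards it onto the LAN (ip directed-broadcast). It goes slightly beyond the text by deriving the all-subnets broadcast from the classful network of the address. The sample packets and the helper address are constructed.

```python
"""Classify IPv4 broadcast destinations and decide what a Cisco router does with
them under ip helper-address / ip directed-broadcast (added example, not Cisco
code; sample packets are constructed)."""
import ipaddress
from typing import Dict, FrozenSet, List, Optional

# UDP ports relayed by ip helper-address by default (the list in the text).
HELPER_DEFAULT_UDP_PORTS: FrozenSet[int] = frozenset({69, 53, 37, 49, 68, 67, 137, 138})
LIMITED = ipaddress.IPv4Address("255.255.255.255")


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Classful (A/B/C) network containing addr; its broadcast is the all-subnets broadcast."""
    first = int(addr) >> 24
    if first >= 224:
        raise ValueError("class D/E address has no classful broadcast")
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def classify_destination(dst: str, egress: ipaddress.IPv4Network) -> str:
    """Kind of destination as seen by a router whose interface is on `egress`."""
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED:
        return "limited broadcast"
    if d.is_multicast or int(d) >> 28 == 0xF:
        return "multicast/reserved"
    if d == egress.broadcast_address:
        return "subnet broadcast"
    classful = classful_network(d)
    if d == classful.broadcast_address and classful.prefixlen < egress.prefixlen:
        return "all-subnets-directed broadcast"
    return "unicast"


def helper_relays(dst_port: Optional[int], forward_protocol: FrozenSet[int] = frozenset(),
                  no_forward_protocol: FrozenSet[int] = frozenset()) -> bool:
    """Does ip helper-address relay a UDP broadcast to this port?
    defaults + 'ip forward-protocol udp N' - 'no ip forward-protocol udp N'."""
    return dst_port in (HELPER_DEFAULT_UDP_PORTS | forward_protocol) - no_forward_protocol


def router_forwards(dst: str, egress: ipaddress.IPv4Network, ip_directed_broadcast: bool) -> bool:
    """Is the packet forwarded out of the interface on `egress`?  Unicast always;
    directed broadcasts only with ip directed-broadcast; 255.255.255.255 never."""
    kind = classify_destination(dst, egress)
    if kind == "unicast":
        return True
    if kind in ("subnet broadcast", "all-subnets-directed broadcast"):
        return ip_directed_broadcast
    return False


# Constructed packets arriving at a router with 10.1.1.0/24 on its LAN interface.
SAMPLE_PACKETS: List[Dict] = [
    {"dst": "255.255.255.255", "proto": "udp", "dport": 67},  # DHCP discover
    {"dst": "10.1.1.255", "proto": "udp", "dport": 137},      # NetBIOS name query
    {"dst": "10.1.1.255", "proto": "udp", "dport": 161},      # SNMP: not in the default list
    {"dst": "10.1.1.255", "proto": "icmp", "dport": None},    # the ping from the experiment
    {"dst": "10.1.1.3", "proto": "icmp", "dport": None},      # ordinary unicast
]


def report(lan: ipaddress.IPv4Network, helper: str = "172.16.7.100",
           ip_directed_broadcast: bool = False) -> List[str]:
    """One line per sample packet: its kind, helper relay decision, LAN forwarding decision."""
    lines = []
    for p in SAMPLE_PACKETS:
        kind = classify_destination(p["dst"], lan)
        relayed = kind.endswith("broadcast") and p["proto"] == "udp" and helper_relays(p["dport"])
        onto_lan = router_forwards(p["dst"], lan, ip_directed_broadcast)
        lines.append(f"{p['dst']} {p['proto']}/{p['dport']}: {kind}; "
                     f"relayed to {helper}: {'yes' if relayed else 'no'}; "
                     f"forwarded onto {lan}: {'yes' if onto_lan else 'no'}")
    return lines


if __name__ == "__main__":
    for line in report(ipaddress.ip_network("10.1.1.0/24")):
        print(line)
```

With the default no ip directed-broadcast, the ICMP echo to 10.1.1.255 is the only sample that changes between the two settings, which is the behaviour the debug output in the next section demonstrates; the SNMP broadcast is relayed only if someone adds ip forward-protocol udp 161.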

The effect of ip directed-broadcast on a Cisco router is easiest to see from the following example:

(The topology figure is not reproduced here. From the debug output below: R1 12.1.1.1 is connected over Serial2/0 to R2 12.1.1.2; R2's Ethernet0/0 is on 10.1.1.0/24 together with R3 10.1.1.3.)

In this topology we create ACL 101 permitting ICMP, apply it on R2's e0/0 interface, turn on debug to watch, and ping 10.1.1.255 from R1. With ip directed-broadcast enabled on R2's e0/0, the following is observed:
*Jul 25 20:57:03.879: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), g=255.255.255.255, len 100, forward directed broadcast
*Jul 25 20:57:03.879: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), len 100, rcvd 5
*Jul 25 20:57:03.879: IP: s=12.1.1.2 (local), d=12.1.1.1 (Serial2/0), len 100, sending
*Jul 25 20:57:03.899: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), g=255.255.255.255, len 100, forward directed broadcast
(the remaining repetitions are omitted)
Although R1 pinged the subnet broadcast 10.1.1.255, when R2 forwards the packet onto the LAN it goes out as a limited broadcast, 255.255.255.255 (note g=255.255.255.255 above)!



The debug on R3 shows:
*Jul 25 20:59:06.079: IP: s=12.1.1.1 (Ethernet0/0), d=255.255.255.255, len 100, rcvd 2
*Jul 25 20:59:06.079: IP: s=10.1.1.3 (local), d=12.1.1.1 (Ethernet0/0), len 100, sending
*Jul 25 20:59:06.099: IP: s=12.1.1.1 (Ethernet0/0), d=255.255.255.255, len 100, rcvd 2
*Jul 25 20:59:06.099: IP: s=10.1.1.3 (local), d=12.1.1.1 (Ethernet0/0), len 100, sending
*Jul 25 20:59:06.119: IP: s=12.1.1.1 (Ethernet0/0), d=255.255.255.255, len 100, rcvd 2
*Jul 25 20:59:06.119: IP: s=10.1.1.3 (local), d=12.1.1.1 (Ethernet0/0), len 100, sending
*Jul 25 20:59:06.139: IP: s=12.1.1.1 (Ethernet0/0), d=255.255.255.255, len 100, rcvd 2
*Jul 25 20:59:06.139: IP: s=10.1.1.3 (local), d=12.1.1.1 (Ethernet0/0), len 100, sending
*Jul 25 20:59:06.167: IP: s=12.1.1.1 (Ethernet0/0), d=255.255.255.255, len 100, rcvd 2
*Jul 25 20:59:06.167: IP: s=10.1.1.3 (local), d=12.1.1.1 (Ethernet0/0), len 100, sending
R3 receives it as 255.255.255.255 and replies to 12.1.1.1 by unicast.




But if ip directed-broadcast is removed and R1 pings 10.1.1.255 again, R2 shows the following:
*Jul 25 21:05:22.071: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), len 100, rcvd 5
*Jul 25 21:05:22.071: IP: s=12.1.1.2 (local), d=12.1.1.1 (Serial2/0), len 100, sending
*Jul 25 21:05:22.099: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), len 100, rcvd 5
*Jul 25 21:05:22.099: IP: s=12.1.1.2 (local), d=12.1.1.1 (Serial2/0), len 100, sending
*Jul 25 21:05:22.131: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), len 100, rcvd 5
*Jul 25 21:05:22.131: IP: s=12.1.1.2 (local), d=12.1.1.1 (Serial2/0), len 100, sending
*Jul 25 21:05:22.159: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), len 100, rcvd 5
*Jul 25 21:05:22.159: IP: s=12.1.1.2 (local), d=12.1.1.1 (Serial2/0), len 100, sending
*Jul 25 21:05:22.191: IP: s=12.1.1.1 (Serial2/0), d=10.1.1.255 (Ethernet0/0), len 100, rcvd 5
*Jul 25 21:05:22.191: IP: s=12.1.1.2 (local), d=12.1.1.1 (Serial2/0), len 100, sending
R2 still answers the broadcast ping itself (rcvd, then sending from 12.1.1.2), but it no longer turns the directed broadcast into a LAN broadcast and forwards it to R3. That forwarding step is what a smurf attacker relies on to have one spoofed packet answered by every host on the segment, so leave no ip directed-broadcast in place.






Monday, August 6, 2012

IPv6 configuration on a Cisco Layer 3 switch

Step 1: Globally enable IPv6 routing

           (config)#ipv6 unicast-routing


Step 2: Enable IPv6 on the L3 interfaces and set up IPv6 addresses

          (config)#interface vlan 254
          (config-if)#ipv6 enable
          (config-if)#ipv6 address 2001:288:123F:254::1/64


Step 3: Set up IPv6 default/static routes

         (config)#ipv6 route ::/0 2001:288:123F:254::FFFF
         (config)#ipv6 route 2001:288:123F:253::/64 2001:288:123F::1:1F

The next hop of a static route must be resolvable: either it lies on a directly connected prefix (2001:288:123F:254::FFFF is on VLAN 254) or it is reached recursively through another route (2001:288:123F::1:1F is not on a connected prefix here, so it is resolved through the default route). A link-local next hop (fe80::/10) must be given together with the exit interface, e.g. ipv6 route <prefix> vlan 254 fe80::1. Verify with show ipv6 route and show ipv6 interface brief.
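Added example (not Cisco code): a parser for the configuration above in running-config form and a check that each static route's next hop resolves, either on a connected prefix or recursively through the longest matching static route, which is what the next-hop caveat comes down to. The running-config text is constructed from the three steps; interface names are normalised to the Vlan254 form.

```python
"""Parse the IOS-style IPv6 configuration above and check that each static
route's next hop is resolvable (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, exit interface or None, next hop or None)
Route = Tuple[ipaddress.IPv6Network, Optional[str], Optional[str]]

# Constructed from the three steps above, in running-config form.
SAMPLE_CONFIG = """
ipv6 unicast-routing
interface vlan 254
 ipv6 enable
 ipv6 address 2001:288:123F:254::1/64
ipv6 route ::/0 2001:288:123F:254::FFFF
ipv6 route 2001:288:123F:253::/64 2001:288:123F::1:1F
"""


def _ifname(tokens: List[str]) -> str:
    """'vlan', '254' -> 'Vlan254'; 'Vlan254' -> 'Vlan254'."""
    return tokens[0].capitalize() + "".join(tokens[1:])


def _is_addr(token: str) -> bool:
    try:
        ipaddress.IPv6Address(token)
        return True
    except ValueError:
        return False


def parse_config(text: str) -> Tuple[Dict[str, List[ipaddress.IPv6Network]], List[Route]]:
    """Return (interface -> connected prefixes, static routes)."""
    connected: Dict[str, List[ipaddress.IPv6Network]] = {}
    routes: List[Route] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].lower() == "interface":
            current = _ifname(tokens[1:])
            connected.setdefault(current, [])
        elif [t.lower() for t in tokens[:2]] == ["ipv6", "address"] and current:
            connected[current].append(ipaddress.IPv6Interface(tokens[2]).network)
        elif [t.lower() for t in tokens[:2]] == ["ipv6", "route"]:
            prefix = ipaddress.IPv6Network(tokens[2])
            rest = tokens[3:]
            next_hop = rest.pop() if rest and _is_addr(rest[-1]) else None
            exit_if = _ifname(rest) if rest else None
            routes.append((prefix, exit_if, next_hop))
    return connected, routes


def resolve(route: Route, connected: Dict[str, List[ipaddress.IPv6Network]],
            routes: List[Route], depth: int = 0) -> Optional[str]:
    """Exit interface for a static route, or None if its next hop cannot be resolved."""
    _, exit_if, next_hop = route
    if exit_if:
        return exit_if                      # interface given explicitly (needed for link-local next hops)
    if next_hop is None or depth > 8:       # depth limit guards against routes pointing at each other
        return None
    nh = ipaddress.IPv6Address(next_hop)
    if nh.is_link_local:
        return None                         # fe80::/10 without an interface is ambiguous
    for ifname, nets in connected.items():
        if any(nh in net for net in nets):
            return ifname                   # directly connected
    # recursive lookup: longest matching static route other than this one
    candidates = [r for r in routes if r is not route and nh in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return resolve(best, connected, routes, depth + 1)


def check_routes(text: str) -> Dict[str, Optional[str]]:
    """prefix -> exit interface (None means the route would not be installed)."""
    connected, routes = parse_config(text)
    return {str(r[0]): resolve(r, connected, routes) for r in routes}


if __name__ == "__main__":
    for prefix, exit_if in check_routes(SAMPLE_CONFIG).items():
        print(prefix, "->", exit_if or "UNRESOLVED")
```

For the configuration on this page both routes resolve to Vlan254, the second one only recursively via the default route; a route with a bare link-local next hop is reported as unresolved until an exit interface is added.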