If you have a firewall between your client (a network device such as a switch or router) and the TACACS server, you need to open TCP port 49 on the firewall.
I am a network professional with over 18 years of experience in enterprise and data‑center networking. I am a CCIE Data Center certified engineer with strong hands‑on expertise in Cisco Nexus and Cisco ACI design, deployment, troubleshooting, and operations. I work on production ACI fabrics and am available for Cisco ACI and Nexus freelancing or consulting work. Contact: rockingoa@gmail.com
Friday, 26 May 2017
Data center - DD questionnaire
A few questions that are important for a data center due-diligence (DD) exercise are listed below.
- WAN links and its bandwidth and current utilization
- Number of server ports - 1gig/10gig
- Number of servers:- physical and virtual
- Number of server chassis:-
- Number of vlans and related SVIs:-
- Intranet and internet traffic flow
- Number of load balancers - internal & external
- DMZ network details
- Number of firewalls
- Throughput of current firewalls and link utilization report
- Firewall zone and related services.
- Routing protocol used in the existing DC.
- Security devices like IPS,IDS.
- Voice setup.
- Different environment details like test,production, SAP etc.
- VPN sites and setup.
- IP address details
- Applications with specific QoS requirements
Sunday, 21 May 2017
What is DAI (Dynamic ARP Inspection)?
DAI validates the ARP packets in a network. DAI performs inspection only on untrusted ports and does not inspect trusted ports: when the switch receives an ARP packet on a trusted interface, it forwards the packet without any inspection or checks.
DAI allows an ARP packet only if its source is in the DHCP snooping table or a static binding.
In other words, ARP is only allowed from an untrusted port when there is a valid entry for the source in the DHCP snooping table or a static binding.
It prevents man-in-the-middle attacks based on ARP spoofing.
Configuration:-
ip arp inspection vlan 1
interface fa0/1
 no ip arp inspection trust
! Ports are untrusted by default; configure "ip arp inspection trust" only on uplinks toward the DHCP server.
Verification:-
show ip dhcp snooping binding
show ip arp inspection interfaces
The error below is displayed when an ARP packet is received on an untrusted port and the source is not present in the DHCP snooping table:
%SW_DAI-4-DHCP_SNOOPING_DENY
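To make the forwarding decision above concrete, here is an added example (not part of the original post and not Cisco code) that models the DAI rule in Python: trusted ports are never inspected, and on untrusted ports an ARP packet is forwarded only when its sender MAC/IP/VLAN matches a DHCP-snooping or static binding. The binding rows, port names and ARP packets are constructed sample data, and the syslog text is a simplified rendering of the %SW_DAI-4-DHCP_SNOOPING_DENY message, not the exact IOS format.

```python
"""Dynamic ARP Inspection (DAI) decision logic, modelled in Python.

Added example, not part of the original post and not Cisco code. It reproduces
the rule the post describes over constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of 'show ip dhcp snooping binding' (or a static entry)."""
    mac: str
    ip: str
    vlan: int
    port: str
    source: str  # "dhcp-snooping" or "static"


@dataclass(frozen=True)
class ArpPacket:
    """Only the fields DAI looks at: ingress port/VLAN and the ARP sender pair."""
    vlan: int
    ingress_port: str
    sender_mac: str
    sender_ip: str


class DaiSwitch:
    """A switch with 'ip arp inspection vlan <n>' enabled on dai_vlans."""

    def __init__(self, dai_vlans, trusted_ports, bindings: List[Binding]):
        self.dai_vlans = set(dai_vlans)
        self.trusted_ports = set(trusted_ports)
        # Index bindings by (vlan, mac, ip); MACs normalised to lowercase.
        self.bindings: Dict[Tuple[int, str, str], Binding] = {
            (b.vlan, b.mac.lower(), b.ip): b for b in bindings
        }
        self.syslog: List[str] = []

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (forwarded?, reason) for one ARP packet."""
        if pkt.vlan not in self.dai_vlans:
            return True, "VLAN not under DAI: forwarded without inspection"
        if pkt.ingress_port in self.trusted_ports:
            return True, "trusted port: forwarded without inspection"
        key = (pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip)
        binding = self.bindings.get(key)
        if binding is None:
            # Constructed, simplified rendering of the deny syslog message.
            self.syslog.append(
                f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs on {pkt.ingress_port}, "
                f"vlan {pkt.vlan}. ([{pkt.sender_mac}/{pkt.sender_ip}])"
            )
            return False, "untrusted port, no matching binding: dropped"
        return True, f"untrusted port, matched {binding.source} binding: forwarded"


def demo() -> Tuple[List[bool], List[str]]:
    """Run constructed packets through a switch; return the verdicts and syslog."""
    bindings = [
        Binding("0011.2233.4455", "10.1.1.5", 1, "Fa0/1", "dhcp-snooping"),
        Binding("0011.2233.4466", "10.1.1.6", 1, "Fa0/2", "static"),
    ]
    sw = DaiSwitch(dai_vlans=[1], trusted_ports=["Fa0/24"], bindings=bindings)
    packets = [
        ArpPacket(1, "Fa0/1", "0011.2233.4455", "10.1.1.5"),   # legitimate DHCP client
        ArpPacket(1, "Fa0/1", "0011.2233.4455", "10.1.1.1"),   # same host claiming the gateway IP
        ArpPacket(1, "Fa0/24", "0011.2233.4477", "10.1.1.1"),  # real gateway via trusted uplink
        ArpPacket(1, "Fa0/2", "0011.2233.4466", "10.1.1.6"),   # static binding
        ArpPacket(2, "Fa0/3", "0011.2233.4488", "10.1.2.5"),   # VLAN 2 has no DAI
    ]
    verdicts = []
    for pkt in packets:
        ok, reason = sw.inspect(pkt)
        verdicts.append(ok)
        print(f"{pkt.ingress_port:6} vlan {pkt.vlan} {pkt.sender_mac} {pkt.sender_ip:10} -> {reason}")
    return verdicts, sw.syslog


if __name__ == "__main__":
    demo()
```

Running the script prints one verdict per packet; only the second packet (a valid client MAC paired with the gateway's IP on an untrusted port) is dropped and produces the deny message, which is the case an operator should watch for in syslog.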
What is the reserved MAC address for the outer unknown unicast destination in FabricPath?
010F.FFC1.01C0 is the reserved MAC address used as the outer destination for unknown unicast traffic.
FabricPath ECMP hashing functions
Cisco FabricPath switches support ECMP forwarding for known unicast frames. If the destination switch ID can be reached through more than one output interface with equal cost, the forwarding engine uses a hash function to pick one of the interfaces. Below are the hashing methods:-
1. Source parameters (layer-3, layer-4, or mixed).
2. Destination parameters (layer-3, layer-4, or mixed).
3. Both the source and the destination parameters (layer-3, layer-4, or mixed).
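The following is an added example, not Cisco code: the Nexus hardware hash is proprietary, so CRC32 stands in for it. What it shows is the effect of the three hashing methods listed above (source, destination, or both, each at layer-3, layer-4 or mixed) on which equal-cost interface a flow is pinned to, and how a set of flows spreads across the uplinks under each method. Flow values and interface names are constructed.

```python
"""FabricPath-style ECMP output-interface selection, modelled in Python.

Added example, not Cisco code; CRC32 is an assumed stand-in for the
proprietary hardware hash. Only the field-selection logic is the point.
"""
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

PARAMS = ("source", "destination", "source-destination")
LAYERS = ("layer-3", "layer-4", "mixed")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int      # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def hash_key(flow: Flow, params: str, layer: str) -> bytes:
    """Select the header fields the chosen hashing method feeds into the hash."""
    if params not in PARAMS:
        raise ValueError(f"params must be one of {PARAMS}")
    if layer not in LAYERS:
        raise ValueError(f"layer must be one of {LAYERS}")
    use_src = params in ("source", "source-destination")
    use_dst = params in ("destination", "source-destination")
    fields: List[str] = []
    if layer in ("layer-3", "mixed"):        # IP addresses
        if use_src:
            fields.append(flow.src_ip)
        if use_dst:
            fields.append(flow.dst_ip)
    if layer in ("layer-4", "mixed"):        # protocol and TCP/UDP ports
        fields.append(str(flow.proto))
        if use_src:
            fields.append(str(flow.src_port))
        if use_dst:
            fields.append(str(flow.dst_port))
    return "|".join(fields).encode()


def select_interface(flow: Flow, interfaces: List[str],
                     params: str = "source-destination", layer: str = "mixed") -> str:
    """Pick one equal-cost interface; the same flow always maps to the same one."""
    if not interfaces:
        raise ValueError("no equal-cost interfaces to the destination switch ID")
    h = zlib.crc32(hash_key(flow, params, layer))
    return interfaces[h % len(interfaces)]


def distribution(flows: List[Flow], interfaces: List[str],
                 params: str = "source-destination", layer: str = "mixed") -> Dict[str, int]:
    """Count how many flows land on each interface under one hashing method."""
    return dict(Counter(select_interface(f, interfaces, params, layer) for f in flows))


def demo() -> Dict[str, Dict[str, int]]:
    """Spread 64 constructed flows over four equal-cost uplinks under each method."""
    uplinks = ["Eth1/1", "Eth1/2", "Eth1/3", "Eth1/4"]   # constructed interface names
    flows = [Flow(f"10.1.1.{10 + i % 8}", f"10.2.2.{20 + i // 8}", 6, 40000 + i, 443)
             for i in range(64)]
    results = {}
    for params in PARAMS:
        for layer in LAYERS:
            results[f"{params}/{layer}"] = distribution(flows, uplinks, params, layer)
    for method, counts in results.items():
        print(f"{method:30} {counts}")
    return results


if __name__ == "__main__":
    demo()
```

The printed table makes the trade-off visible: a layer-3-only method that hashes just the source sees only eight distinct keys in this sample and so can pin many flows to a few uplinks, while the mixed source-destination method uses every header field and spreads the same flows more evenly.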
%STP-2-L2GW_BACKBONE_BLOCK
A superior BPDU was received on a Cisco FabricPath edge port.
Advantages of FabricPath
Below are the FabricPath advantages:-
1. MAC address scalability with conversational learning
2. Loop mitigation with the TTL field in the frame
3. Spanning Tree Protocol independence
4. Removal of suboptimal paths
5. All uplinks are in forwarding state
6. Equal-cost multipathing