Monday, July 29, 2013
Cisco ASA Management
Key points
Cisco ASA supports three remote management protocols: Telnet, SSH and HTTPS (used by ASDM). Telnet and SSH each allow up to 5 concurrent sessions per security context and 100 sessions in total across all security contexts.
By default the ASA accepts no remote management access at all (only the console works). Each protocol has to be enabled explicitly for specific source IP ranges on a named interface, with the telnet, ssh and http commands, and the ASA checks that source restriction before it ever prompts for credentials.
Telnet is a clear-text protocol: the ASA restricts it only by the IP address of the session source, and the login password that follows crosses the wire unencrypted. Telnet must never be used over untrusted networks (the ASA refuses Telnet on its lowest-security interface for exactly this reason); use SSH instead.
SSH authenticates the ASA to the administrator with the ASA's RSA host key, which must be generated before SSH can be enabled, and encrypts the whole session, so it can be used over untrusted networks. The administrator still logs in with a password or AAA credentials, so the source IP restriction and strong credentials matter just as much as with Telnet.
HTTPS gives access to the ASA through ASDM and authenticates the ASA to the administrator with a public key carried in an X.509 certificate. Unless you install a certificate from your own CA, this is a self-signed certificate, and ASDM warns until it is trusted. Like SSH, HTTPS can be used over untrusted networks.
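The following script is an added example, not part of the original post, that audits the management-access statements of an ASA running-config for the weak patterns described above: Telnet enabled at all, an access statement open to any source (0.0.0.0 0.0.0.0), a wide source range on the lowest-security interface, and SSH enabled without "ssh version 2". The two configurations at the bottom are constructed samples, and the interface name "outside" for the lowest-security interface is an assumption.

```python
"""Audit the remote-management statements of a Cisco ASA running-config.

Added example, not part of the original post: it scans the `telnet`, `ssh`
and `http` access statements ("<proto> <network> <mask> <interface>") and
flags the weak patterns the text above warns about. The two configurations
at the bottom are constructed samples, and the interface name used for the
lowest-security interface ("outside") is an assumption.
"""
import ipaddress
import re
from typing import List

# "<proto> <network> <mask> <interface>", the ASA statement that opens access
ACCESS_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def audit_mgmt_access(config: str, outside_if: str = "outside") -> List[str]:
    """Return the list of findings for `config` (an empty list means clean)."""
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    has_ssh_v2 = "ssh version 2" in lines
    ssh_enabled = False

    for ln in lines:
        m = ACCESS_RE.match(ln)
        if not m:
            continue  # timeouts, "http server enable", etc. are not access statements
        proto, addr, mask, ifname = m.groups()
        # ipaddress accepts "network/netmask"; strict=False tolerates set host bits
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)

        if proto == "telnet":
            findings.append(f"telnet allowed from {net} on {ifname}: clear-text protocol, use ssh instead")
        if proto == "ssh":
            ssh_enabled = True
        if net.prefixlen == 0:
            findings.append(f"{proto} open to any source on {ifname}: restrict to the management subnet")
        elif ifname == outside_if and net.prefixlen < 24:
            findings.append(f"{proto} from the wide range {net} on {ifname}: tighten the source range")

    if ssh_enabled and not has_ssh_v2:
        findings.append("ssh enabled without 'ssh version 2': SSHv1 may still be accepted")
    return findings


# Constructed sample: the weak setting ...
WEAK_CONFIG = """
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 5
"""

# ... and the corrected one: no Telnet, SSH/ASDM only from named /24s, SSHv2 only
HARDENED_CONFIG = """
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside
ssh version 2
ssh timeout 5
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit_mgmt_access(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against the output of show running-config; the hardened sample produces no findings, the weak one produces one finding per problem (five in total).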
Wednesday, July 17, 2013
How to configure GS-2224 for Q-in-Q
Functional Description:
* Service providers can use Q-in-Q to transparently pass Layer 2 VLAN traffic from a customer site, through the service provider network, to another customer site without removing or changing the customer VLAN tags.
* The two Q-in-Q tags carry different information: the inner tag identifies the customer's VLAN, the outer tag identifies the carrier's service VLAN. A Q-in-Q frame with both tags can traverse the carrier's network, and the inner tag is carried through transparently.
Test Scenario:
The switch will be used for a leased-line service. The customer already uses tagged VLANs (802.1Q), so they want to add another tag without changing their existing VLANs.
Typical Application:
An abstract illustration of the above application:
GS-2224 Configure Steps:
Step 1: Set the VLAN mode to "Tag mode".
Step 2: Create VLAN 20 and VLAN 40.
Ports 3, 4 and 24 belong to VLAN 20.
Ports 1, 2 and 24 belong to VLAN 40.
Port 24 is the uplink port.
The same settings are configured on SW1 (left side) and SW2 (right side).
Step 3: Set the tag identifier (TPID) to 0x8100 or 0x88a8.
(There is no fixed rule for choosing the tag identifier; the only precaution is to make sure the link partner recognises the same tag identifier. 0x88a8 is the IEEE 802.1ad value for a service tag and 0x8100 is the plain 802.1Q value; a partner that expects one and receives the other does not see the outer tag as a tag at all, and treats the frame as untagged.)
Step 4: Check that the "VLAN aware" box is ticked on all ports.
Step 5: Configure the PVID.
Ports 1 and 2 have PVID=40 and the port role VLAN access mode.
Ports 3 and 4 have PVID=20 and the port role VLAN access mode.
Port 24 has the port role VLAN trunk mode.
Step 6: Set the double-tag function to "Customer mode" on ports 1 to 4.
(The picture shows ports 1 and 2 only, as an example.)
Step 7: Set the double-tag function to "Service mode" on port 24.
(Double Tag: double-tag mode belongs to the tag-based mode, but it treats all incoming frames as untagged, so a tag carrying the port's PVID is added to every frame, and the frames are then forwarded as tag-based VLAN traffic. An incoming frame that already carries a tag therefore becomes double-tagged. Select the mode from the drop-down to enable the function; the default is Disable.
Customer port: the port connects to a customer site.
Service port: the port connects to another carrier site.)
Test Criterion:
* Outgoing frames on port 24 (traffic injected on port 1 and leaving on port 24) carry a double tag.
Packet captures 1.jpg to 4.jpg are attached for reference.
Test Result: PASS
* Outgoing frames on port 24 (traffic injected on port 1 and leaving on port 24) carry the correct outer tag and inner tag.
Packet captures 1.jpg to 4.jpg are attached for reference.
Test Result: PASS
* Frames are forwarded across both switches with Q-in-Q enabled.
Test Result: PASS
* Left Company A and Right Company A can communicate with each other.
Test Result: PASS
* Left Company B and Right Company B can communicate with each other.
Test Result: PASS
* Outgoing frames on port 1 (forwarded across both switches to the other customer site) carry the correct tag.
Packet captures 5.jpg and 6.jpg are attached for reference.
Test Result: PASS
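The following Python is an added example, not part of the original post and not code from the GS-2224 firmware. It models the configure steps above (a customer-mode port pushing its PVID on top of an already tagged frame, a far-side customer port popping it again) and provides the check you would run over the captured frames in the test criterion: parse the tag stack and confirm the outer and inner VIDs. It also shows the Step 3 caveat: a parser that only knows one tag identifier sees a frame tagged with the other identifier as untagged. The MAC addresses, VIDs and payload are constructed sample data.

```python
"""802.1Q and Q-in-Q (802.1ad) frame helpers.

Added example, not part of the original post or the GS-2224 firmware:
push_tag() reproduces what a port in double-tag mode does to a frame
(treat it as untagged and prepend a tag carrying the port PVID), pop_tag()
is the reverse on the far-side customer port, and parse_tags() is the check
you would run over the captured frames in the test criterion. The MAC
addresses, VIDs and payload below are constructed sample data.
"""
import struct
from typing import List, Sequence, Tuple

TPID_8021Q = 0x8100    # 802.1Q customer tag (the switch default in the CLI output)
TPID_8021AD = 0x88A8   # 802.1ad service tag (the alternative offered in Step 3)
ETH_HDR = 12           # destination MAC + source MAC


def push_tag(frame: bytes, vid: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Insert a VLAN tag right after the MAC addresses, ignoring any tag that is
    already there: a tagged frame entering a customer-mode port becomes double-tagged."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:ETH_HDR] + struct.pack("!HH", tpid, tci) + frame[ETH_HDR:]


def parse_tags(frame: bytes,
               tpids: Sequence[int] = (TPID_8021Q, TPID_8021AD)) -> Tuple[List[Tuple[int, int]], int]:
    """Return ([(tpid, vid), ...] outermost first, EtherType of the payload).

    Only the TPIDs listed in `tpids` are recognised as tags. Anything else ends
    the tag stack, which is exactly how a link partner that does not know your
    tag identifier sees the frame (the Step 3 caveat)."""
    tags: List[Tuple[int, int]] = []
    off = ETH_HDR
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in tpids:
            return tags, ethertype
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((ethertype, tci & 0x0FFF))
        off += 4


def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag, as the far-side customer port does on egress."""
    tags, _ = parse_tags(frame)
    if not tags:
        raise ValueError("frame carries no VLAN tag")
    return frame[:ETH_HDR] + frame[ETH_HDR + 4:]


# Constructed sample data, not captured traffic
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = struct.pack("!H", 0x0800) + bytes(20)   # IPv4 EtherType + dummy bytes


def customer_frame(cvid: int) -> bytes:
    """What a customer sends into port 1..4: one 802.1Q tag with its own VID."""
    return push_tag(DST + SRC + PAYLOAD, cvid)


def service_frame(cvid: int, svid: int, tpid: int = TPID_8021Q) -> bytes:
    """What leaves port 24: the customer frame with the ingress port's PVID pushed
    on top (ports 1-2 push VID 40, ports 3-4 push VID 20 in the setup above)."""
    return push_tag(customer_frame(cvid), svid, tpid)


if __name__ == "__main__":
    f = service_frame(cvid=100, svid=40)
    print("capture on port 24:", parse_tags(f))
    print("seen by a partner that only knows 0x88a8:", parse_tags(f, (TPID_8021AD,)))
    print("after the far-side customer port:", parse_tags(pop_tag(f)))
```

With the switch's default tag identifier both tags carry TPID 0x8100, which is what the captures in the test criterion should show; passing tpid=TPID_8021AD to service_frame() models the 0x88a8 choice, and parse_tags() with a single-entry tpids tuple models the link partner that was configured for the other identifier.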
Print all relevant configuration at the CLI:
GS-2224(vlan)# sh group
Vlan mode is tag-based.
Vlan Name : Default
Vlan ID : 1
IGMP Aware : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Vlan Name : vlan 20
Vlan ID : 20
IGMP Aware : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 3 4 24
Vlan Name : vlan 40
Vlan ID : 40
IGMP Aware : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 1 2 24
GS-2224(vlan)# sh port
Tag Identifier: 0x8100
Port  PVID  Ingress Filtering  Frame Type  Role    Untag Vid  Aware  Double tag
----  ----  -----------------  ----------  ------  ---------  -----  ----------
1     40    disable            all         Access  0          true   customer
2     40    disable            all         Access  0          true   customer
3     20    disable            all         Access  0          true   customer
4     20    disable            all         Access  0          true   customer
5     1     disable            all         Access  0          true   disable
6     1     disable            all         Access  0          true   disable
7     1     disable            all         Access  0          true   disable
8     1     disable            all         Access  0          true   disable
9     1     disable            all         Access  0          true   disable
10    1     disable            all         Access  0          true   disable
11    1     disable            all         Access  0          true   disable
12    1     disable            all         Access  0          true   disable
13    1     disable            all         Access  0          true   disable
14    1     disable            all         Access  0          true   disable
15    1     disable            all         Access  0          true   disable
16    1     disable            all         Access  0          true   disable
17    1     disable            all         Access  0          true   disable
18    1     disable            all         Access  0          true   disable
19    1     disable            all         Access  0          true   disable
20    1     disable            all         Access  0          true   disable
21    1     disable            all         Access  0          true   disable
22    1     disable            all         Access  0          true   disable
23    1     disable            all         Access  0          true   disable
24    1     disable            all         Trunk   0          true   service