Friday, August 25, 2006

Q: How do I configure port security on my ASW (3550s or 3750s)?

A:
First, make sure your IOS supports port security. You can use the Software Advisor tool on CCO to show you what versions of IOS support port security. Port security is set at the interface level. Start by setting the maximum number of MAC addresses for the switchport (the default is 1, so if you set it to 1 you will see nothing in sho run):
sw(config-if)# switchport port-secu max 1
Then, choose between the three ways of learning MACs.
  • static - manually configured. The command is switchport port-sec mac-add 0011.2233.4455
  • dynamic - port will learn MAC addresses as usual, but stop learning more addresses when it has reached the max.
  • sticky - converts dynamic addresses to static addresses in the running config only. To use this, wait until your switchport has learned the MACs you want, then issue the interface command switchport port-sec mac sticky. As soon as you do this, these MACs become static commands, but in the running config only. You then have to copy run start to make these settings survive a reload.
Next, decide how to handle security violations. A violation occurs either when the max number of MACs is exceeded, or when an address on one secure port is seen on another secure port on the same VLAN. The effects are:
  • protect - silently drop the packets from the excess MAC addresses.
  • restrict - drop the packets over the max, and log the event.
  • shutdown - err-disable the port. This is the default.
After finishing the config, enable security on the port with the interface command port-security ena. Check the settings with sho port sec int f1/0/11.
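The restrict and shutdown modes above only pay off if someone reads the resulting messages. As an added example (not from the original post), here is a small Python parser over constructed syslog lines written in the style of the IOS port-security violation and err-disable messages; the switch name, timestamps and MACs are made up, and the exact message wording is an assumption to check against your own switch's logs.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the style of IOS port-security messages
# (illustrative only, not captured from a real switch).
SAMPLE_LOG = """\
Aug 25 10:01:02 sw1 123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/11.
Aug 25 10:01:03 sw1 124: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/11, putting Fa0/11 in err-disable state
Aug 25 10:05:40 sw1 125: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/23.
Aug 25 10:05:41 sw1 126: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/23.
Aug 25 10:06:00 sw1 127: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
"""

# Violation message: capture the offending MAC (Cisco dotted-hex form) and the port.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)
# Err-disable message: only appears for the default "shutdown" violation mode.
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)


def parse_violations(text):
    """Return one {'mac', 'port'} dict per port-security violation line."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append({"mac": m.group("mac"), "port": m.group("port")})
    return events


def errdisabled_ports(text):
    """Ports the switch err-disabled because of a psecure violation."""
    return sorted({m.group("port") for line in text.splitlines()
                   for m in [ERRDISABLE_RE.search(line)] if m})


def violations_per_port(text):
    """Count violations per port. Repeated hits on one port mean the port is in
    restrict mode (still up, still logging) or a device keeps retrying."""
    return Counter(e["port"] for e in parse_violations(text))
```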

Tuesday, August 22, 2006

Q: How do I set up Netflow on my router?

A:
First make sure Netflow is included in the IOS you are running. You might try one of the "show" commands given below, or use Cisco's Software Advisor tool (on the CCO website). Turn on CEF, and set up the flow parameters. Here we are sending Netflow packets in version 5 format to 10.1.2.3 on port 2003/UDP. For active connections, we're sending flow info every 1 minute, and we are sending the flow info on connections that have gone inactive every 15 seconds:
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
ip flow-export version 5
ip flow-export destination 10.1.2.3 2003
Note that even if you don't have a place to send the flow information to, you can still do this setup, omitting the destination line, to make your router keep netflow stats for you to inspect using the show commands given below. Also, if you do send the flows to a host which is not listening on the given UDP port, you'll get an ICMP port unreachable message back for each datagram you send. Now enable netflow on each interface. You can use either "ingress" or "egress"; I'm not sure which is better from a performance standpoint. If you miss some interfaces, you won't see both sides of some conversations:
int f0/0
ip flow ingress
int f0/1
ip flow ingress
int s0/1
ip flow ingress
Use show ip flow export to look at the netflow setup and flow counters on your router. clear ip cache stats will clear these counters. To see the whole table of netflow stats, use show ip cache flow. clear ip cache flow will clear these counters.
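As an added example (not part of the original post), here is a minimal Python parser for the version 5 export datagrams the configuration above sends to 10.1.2.3 port 2003/UDP, plus a quick top-talkers summary. The field layout is Cisco's published NetFlow v5 record format; the sample datagram is constructed in the code, not captured from a router.

```python
import struct
import socket

# NetFlow v5 wire format, network byte order: a 24-byte header followed by
# `count` fixed-size 48-byte flow records (Cisco's published v5 layout).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "bytes",
          "first_ms", "last_ms", "sport", "dport", "pad1", "tcp_flags",
          "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Parse one v5 export datagram into (header dict, list of flow dicts).
    Rejects other versions and datagrams shorter than the record count claims."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = \
        HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("expected NetFlow version 5, got %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header claims %d records" % count)
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for k in ("src", "dst", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])  # 4 raw bytes -> dotted quad
        del rec["pad1"], rec["pad2"]
        flows.append(rec)
    return header, flows


def sample_datagram():
    """Constructed v5 datagram (not a capture): both directions of one TCP
    session, as a router with `ip flow-export version 5` would emit them."""
    def rec(src, dst, sport, dport, pkts, octets, flags):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                           1000, 61000, sport, dport, 0, flags, 6, 0,
                           0, 0, 24, 24, 0)
    body = rec("10.1.1.5", "192.0.2.80", 51000, 80, 12, 1800, 0x1B) + \
           rec("192.0.2.80", "10.1.1.5", 80, 51000, 10, 9000, 0x1B)
    return HEADER.pack(5, 2, 61000, 1156536000, 0, 42, 0, 0, 0) + body


def top_talkers(flows, n=3):
    """Sum bytes per source address, largest first (a quick triage view)."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]
```

A real collector would wrap parse_v5 around a UDP socket bound to port 2003 and call it once per received datagram.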

Monday, August 21, 2006

Q: How do I enable SSH logins on my routers?

A:
First, make sure you're using a version of IOS that supports SSH. I'm using 12.4. Turn on new-model logins (make the password better than my example):
aaa new-model
username cisco password cisco
Give it a FQDN, which is needed for key generation, and then generate a key. The key name will be devicename.domain-name:
ip domain-name example.com
cry key gen rsa
Check the key with show cry key mypub rsa. Now make the vty logins use ssh:
line vty 0 15
 transport input ssh
And define some ssh settings:
ip ssh ver 2
ip ssh source-int f0/0

Monday, August 14, 2006

Q: What are your favorite command aliases on Cisco routers and switches?

A:

Alias force

Switches:
alias exec cpu sho proc cpu | include CPU
alias exec mac sho mac- dyn | include
alias exec ip sho arp | include
alias exec sis show interface status
alias exec po show interface status | include Po
alias exec fa show interface status | include Fa
alias exec gi show interface status | include Gi
alias exec vlans show vlan brief | include active
Routers:
alias exec cpu show proc cpu | include CPU
alias exec stat show run | include ip route
alias exec fa show interface status | include Fa
alias exec showtech show tech | redirect tftp://mytftpsrvr/thisrtr_showtech.txt
alias exec mac show mac- dyn | incl
alias exec ip show arp | include
alias exec sis show interface status
I type sis as soon as I log into a switch to see the interface table. I use fa instead on the big switches, when I'm not interested in seeing the Gigabit ports in the table (since they change infrequently). I can type mac 034b to find the switch CAM table entry for the mac containing those four digits. To track down the whereabouts of an IP on the switch fabric, I type ip 10.3.4.5 at the router to find its MAC address, then if the MAC is 1234.5678.abcd, I type mac abcd at the switches to see what switchport it's on.