Shahed

Shahed Israr is a Network Engineer specializing in GPON, FTTH, and telecom access network technologies. With hands-on experience in Huawei OLT and ONT configuration, U2000 NMS deployment, iMaster NCE-FAN Lite management systems, firmware upgrades, and advanced network troubleshooting, he helps Internet Service Providers (ISPs) and network professionals deploy, manage, and optimize fiber optic networks efficiently. Through GPON Solution, he shares practical technical guides, real-world solutions, and professional knowledge to support engineers working in modern GPON infrastructure.

Cisco Network Security Services

by

Cisco Network Security Services

Today I will discuss about Cisco Network Security issue. Switches can have a number of network services enabled. Many of these services are typically not necessary for a switch’s normal operation; however if these services are enabled then the switch may be susceptible to information gathering or to network attacks. The characteristics or the poor configuration of the network services on a switch can lead to compromise. Most of these services use one of the following transport mechanisms at Layer 4 of the OSI RM: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

If possible, instead of using a network service (e.g., telnet) to perform in-band management of a switch, use out-of-band management (e.g., via the console port) for each switch. Out-of-band management reduces the exposure of configuration information and passwords better than in-band management.[bodyads]

  • 1. Unnecessary Network Services

If possible, disable each unnecessary network service on each switch. The following Cisco Network Security commands will disable services of concern. In some cases, the Cisco Network Security commands affect the switch globally, while in other cases the commands affect only a single interface.

Below is an example for the set of interfaces that includes GigabitEthernet 6/1 through 6/3.

SWITCH(config)# interface range gigabitethernet 6/1 – 3

  • 1.1. TCP and UDP Small Servers – TCP/UDP Ports 7, 9, 13, 19

Cisco provides support for “small servers” (e.g., echo, discard, daytime and chargen). Two of these servers, echo and chargen, can be used in denial-of-service attacks against one or more switches. These services can be disabled using the following Cisco Network Security commands.

SWITCH(config)# no service tcp-small-servers
SWITCH(config)# no service udp-small-servers

Read more

Cisco Switch Port Security Configuration

by

Cisco Switch Port Security Configuration

Today I will discuss about Cisco Switch Port Security issue. Layer 2 interfaces on a Cisco switch are referred to as ports. A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords or configuration information about the systems on the network.

[bodyads]

Cisco Switch Port Security limits the number of valid MAC addresses allowed on a port. All switch ports or interfaces should be secured before the switch is deployed. In this way the security features are set or removed as required instead of adding and strengthening features randomly or as the result of a security incident. Note that port security cannot be used for dynamic access ports or destination ports for Switched Port Analyzer. Still, use port security for active ports on the switch as much as possible.

The following Cisco Switch Port Security examples show the commands to shut down a single interface or a range of interfaces:

Single interface:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown

Range of interfaces:
Switch(config)# interface range fastethernet 0/2 – 8
Switch(config-if-range)# shutdown

The administrator can enable aging for statically configured MAC addresses on a port using the switchport port-security aging static command. The aging time command (e.g., switchport port-security aging time time) can be set in terms of minutes. Also, the aging type command can be set for inactivity (e.g., switchport port-security aging type inactivity), which means that the addresses on the configured port age out only if there is no data traffic from these addresses for the period defined by the aging time command. This feature allows continuous access to a limited number of addresses.

The following Cisco Switch Port Security example shows the commands for restricting a port statically on a Catalyst 3550 switch:

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.02b0.0388
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity

Read more

Errdisable reason and recovery procedure

by

Errdisable reason and recovery procedure:

 This document defines the errdisabled reason & describes how to recover from it, and provides examples of errdisable recovery. [boxads]

Note: The port status of err-disabled displays in the output of the show interfaces interface_number status command.

Function of Errdisable:

When a switch port is error disabled state, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the color orange and, when you issue the show interfaces command, the port status shows err-disabled. bellow is an example of  error-disabled port status looks like from the command-line interface (CLI) of the switch:

SW1#show interfaces fastEthernet 0/1 status 

Port    Name       Status       Vlan       Duplex  Speed Type
Fa0/1              err-disabled 100          full   1000 1000BaseSX

Or, if the interface has been disabled because of an error condition, you can see messages that are similar to these in both the console and the syslog:

%SPANTREE-SP-2-BLOCK_BPDUGUARD: 
   Received BPDU on port fastEthernet0/1 with BPDU Guard enabled. Disabling port.
%PM-SP-4-ERR_DISABLE: 
   bpduguard error detected on Fi0/1, putting Fi0/1 in err-disable state

This message show when a host port receives the  (BPDU) bridge protocol data unit. The actual message depends on the reason for the error condition.

Read more

Configuring Q-in-Q vlan tunnels on cisco Switch port

by

Configuring Q-in-Q vlan tunnels on cisco Switch port: Today i will discuss how to Configuring Q-in-Q vlan tunnels in cisco switch. At first login your Switch then apply bellow command. Here i use FastEthernet 0/1 interface. [boxads] conf t interface FastEthernet 0/1 description “your description here” port-type nni switchport access vlan 92               switchport mode … Read more

Configure Selective QinQ in Huawei Switch

by

How to Configure Selective QinQ in Huawei Switch:

Networking Requirements:
As shown in Figure, common Internet access users (using PCs) and IPTV users (using IPTV terminals) connect to the carrier network through Switch A and Switch B and communicate with each other through the carrier network. [boxads]

It is required that packets of PCs and IPTV terminals are tagged VLAN 2 and VLAN 3 when the packets are transmitted through the carrier network.

selective QinQ
selective QinQ

Configuration Roadmap:

The configuration roadmap is as follows:

1. Create VLANs on Switch A and Switch B.
2. Configure types of interfaces on Switch A and Switch B, and add the interfaces to corresponding VLANs.
3. Configure selective QinQ on interfaces of Switch A and Switch B.

Read more

Configure QinQ Huawei Switch

by

How to Configure QinQ on Huawei Switch port/interface:

Today I will show how to configure QinQ in Huawei Switch port/interface. As shown in Figure, there are two enterprises on the network, namely, Enterprise 1 and Enterprise 2. Enterprise 1 has two office locations; Enterprise 2 has three office locations. The office locations of the two enterprises access SwitchG or SwitchF of the ISP network.

[boxads]

The network of Enterprise 1 is divided into VLAN 1000 to VLAN 1500; the network of Enterprise 2 is divided into VLAN 2000 to VLAN 3000. It is required that employees in the same VLAN can communicate with each other through the ISP network but the two enterprises are isolated from each other.

Networking diagram for QinQ on Huawei switch
Networking diagram for QinQ on Huawei switch

Configuration Roadmap:

The configuration roadmap is as follows:

1. Create VLAN 10 and VLAN 20 on SwitchF; create VLAN 20 on SwitchG.
2. Configure GE 1/0/1, GE 2/0/1, and GE 3/0/1 of SwitchF as QinQ interfaces.
3. Configure GE 1/0/1 and GE 2/0/1 of SwitchG as QinQ interfaces.
4. Add GE 4/0/1 of SwitchF and GE 3/0/1 of SwitchG to VLAN 20 in tagged mode.

Read more