Shahed

Shahed Israr is a Network Engineer specializing in GPON, FTTH, and telecom access network technologies. With hands-on experience in Huawei OLT and ONT configuration, U2000 NMS deployment, iMaster NCE-FAN Lite management systems, firmware upgrades, and advanced network troubleshooting, he helps Internet Service Providers (ISPs) and network professionals deploy, manage, and optimize fiber optic networks efficiently. Through GPON Solution, he shares practical technical guides, real-world solutions, and professional knowledge to support engineers working in modern GPON infrastructure.

Cisco Switch VLAN Security

by

Cisco Switch VLAN Security

Today I will discuss about Cisco Switch VLAN Security issue.  A Virtual Local Area Network (VLAN) is a broadcast domain. All members of a VLAN receive every broadcast packet sent by members of the same VLAN, but they do not receive packets sent by members of a different VLAN. All members of a VLAN are grouped logically into the same broadcast domain independent of their physical location. Adding, moving or changing members is achieved via software within a switch. Routing is required for communication among members of different VLANs.[boxads]

The next subsections describe the vulnerabilities and corresponding counter measures for the following areas: VLAN 1, Private VLAN, VTP, Trunk Auto-Negotiation, VLAN Hopping and Dynamic VLAN Assignment.

  • 1. VLAN1

Cisco switches use VLAN 1 as the default VLAN to assign to their ports, including their management ports. Additionally, Layer 2 protocols, such as CDP and VTP, need to be sent on a specific VLAN on trunk links, so VLAN 1 was selected. In some cases, VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access and extended reach for their attacks.

Do not use VLAN 1 for either out-of-band management or in-band management.

To provide out-of-band management that separates management traffic from user traffic, use the following VLAN Security commands as an example.

Create the out-of-band management VLAN.

Switch(config)# vlan 6
Switch(config-vlan)# name ADMINISTRATION-VLAN

Create a management IP address and restrict access to it. Also, enable the interface.
Switch(config)# no access-list 10
Switch(config)# access-list 10 permit 10.1.6.1
Switch(config)# access-list 10 permit 10.1.6.2
Switch(config)# interface vlan 6
Switch(config-if)# description ADMIN-VLAN
Switch(config-if)# ip address 10.1.6.121 255.255.255.0
Switch(config-if)# ip access-group 10 in
Switch(config-if)# no shutdown

Read more

Cisco Switch System Availability

by

Cisco Switch System Availability

Today I will discuss about Cisco Switch System Availability issue. Many attacks exist and more are being created that cause denial of service (DoS), either partially or completely, to systems or networks. Switches are just as susceptible to these attacks. These attacks focus on making resources (e.g., system processor, bandwidth) unavailable. [boxads]

The following counter measures will mitigate the vulnerabilities to system availability on each switch:

  • To prevent fast flooding attacks and to guarantee that even the lowest priority processes get some processor time use the scheduler interval command. The following Cisco Switch System Availability example sets the maximum time before running the lowest priority process to 500 milliseconds access.

Switch(config)# scheduler interval 500

Another way to guarantee processor time for processes is to use the scheduler allocate command. This command sets the interrupt time and the process time.

Cisco Switch System Availability
Cisco Switch System Availability

The following Cisco Switch System Availability example makes 10 percent of the processor available for process tasks, with an interrupt time of 4000 microseconds and a process time of 400 microseconds.

Switch(config)# scheduler allocate 4000 400

Read more

Configure Eth-Trunk on Huawei Switch

by

How to configure Eth-Trunk on Huawei Switch port/interface:

Today i will show you how to configure Eth-Trunk on Huawei Switch port/interface.
Here i use one side GigabitEthernet 0/0/15 & 0/0/16 interface & other side GigabitEthernet 0/0/2 & 0/0/3, And Eth-Trunk 10. [boxads]

Step-1: At first login your switch & go to system-view mode & follow bellow configuration.

<HUAWEI> system-view
[HUAWEI]interface Eth-Trunk 10
[HUAWEI-Eth-Trunk10]port link-type trunk
[HUAWEI-Eth-Trunk10]port trunk allow-pass vlan xxx xxx xxx xx
[HUAWEI-Eth-Trunk10]quit
[HUAWEI]

[Here xxx is your desired VLAN]

eth-trunk interface
eth-trunk interface

Step-2: Now go to interface mode & add eth-trunk 10, And follow bellow configuration.

Read more

HSRP Tuning Example

by

HSRP Tuning Example

Today I will discuss about HSRP Tuning. As you see in the article “HSRP (Hot Standby Router Protocol)”, it is quite simple configure Hot Standby Router Protocol. [boxads]
Some cases require a custom configuration, using priority, track, preempt etc…and these are:

  • The standby preempt interface configuration command allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this Hot Standby group. The configurations of both routers include this command so that each router can be the standby router for the other router. If you do not use the standby preempt command in the configuration for a router, that router cannot become the active router.
  • The standby priority interface configuration command sets the router’s HSRP priority (the default priority is 100).
  • The standby timers interface configuration command sets the interval in seconds between hello messages (called the hello time) to five seconds and sets the duration in seconds that a router waits before it declares the active router to be down (called the hold time) to eight seconds. (The defaults are three and 10 seconds, respectively.) If you decide to modify the default values, you must configure each router to use the same hello time and hold time.
  • The standby track command allows you to specify another interface on the router for the HSRP process to monitor in order to alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP priority is reduced. This means that another HSRP router with higher priority can become the active router if that router has standby preempt enabled.
  • The standby authentication interface configuration command establishes an authentication string whose value is an unencrypted eight-character string that is incorporated in each HSRP multicast message. This command is optional. If you choose to use it, each HSRP-configured router in the group should use the same string so that each router can authenticate the source of the HSRP messages that it receives.

Suppose to have this physical configuration:

HSRP Tuning Example
HSRP Tuning Example

Read more

HSRP (Hot Standby Router Protocol)

by

HSRP (Hot Standby Router Protocol)

The HSRP (Hot Standby Router Protocol) is a Cisco proprietary first-hop redundancy protocol (FHRP) designed to allow for transparent fail-over of the first-hop IP router, and has been described in detail in RFC 2281.

[boxads]

HSRP provides high network availability by providing first-hop routing redundancy for IP hosts on Ethernet, Fiber Distributed Data Interface (FDDI), Bridge-Group Virtual Interface (BVI), LAN Emulation (LANE), or Token Ring networks configured with a default gateway IP address. HSRP is used in a group of routers for selecting an active router and a standby router. In a group of router interfaces, the active router is the router of choice for routing packets; the standby router is the router that takes over when the active router fails or when preset conditions are met. HSRP active and standby routers send hello messages to the multicast address 224.0.0.2 using UDP port 1985.

The virtual router is simply an IP and MAC address pair that end devices have configured as their default gateway. The active router processes all packets and frames sent to the virtual router address. The virtual router does not process physical frames and exists in software only. The active router physically forwards packets sent to the MAC address of the virtual router. The virtual router MAC address is a well know mac-address and it is 0000.0c07.acxx, where xx is the HSRP group member. For example, if the group is 20 the virtual MAC address is 0000.0c07.ac14 (remember that the number in the mac address is expressed in HEX!!!).

When the active router fails, the other HSRP routers stop seeing hello messages from the active router. So, the standby router will be the new active router and, if possible, a new standby router will be elected. Because the new active router assumes both the IP and MAC addresses of the virtual router, the end stations see no disruption in service. The end-user stations continue to send packets to the virtual router MAC address, and the new active router delivers the packets to the destination.

HSRP has 2 timers:

  • Hello interval time: Interval between successive HSRP hello messages from given router. Default is 3 seconds.
  • Hold interval time: Interval between the receipt of a hello message and the presumption that the sending router has failed. Default is 10 seconds.
HSRP (Hot Standby Router Protocol)
HSRP (Hot Standby Router Protocol)

Read more

Configure Port Channel CISCO Switch

by

Configure Port Channel CISCO Switch:

EtherChannel bundles individual Ethernet links into a single logical link that provides bandwidth up to 1600 Mbps (Fast EtherChannel, full duplex) or 16 Gbps (Gigabit EtherChannel) between two Cisco Catalyst switches. All interfaces in each EtherChannel must be the same speed and duplex, and both ends of the channel must be configured as either a Layer 2 or Layer 3 interface. [boxads]

If one link within the EtherChannel bundle fails, traffic previously carried over the failed link is carried over the remaining links within the EtherChannel.

Link Aggregation protocols are:

  • IEEE standard Link Aggregation Protocol (LACP)
  • Cisco’s proprietary Port Aggregation Protocol (PAgP).

Read more