Monday, August 22, 2011

Recovery procedure for Cisco switch when IOS image gets deleted

If you accidentally reload the switch before you get an image onto it, you will be forced into rommon mode. No worries, but you will need console access.

1) Connect to the console port with the following settings, then increase the console baud rate for your image transfer:

Bits per sec: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

2) Disconnect and reconnect to the console with 115200 bits per sec.
3) Start the xmodem file transfer:

The not-so-obvious part: after you see the words "Begin the Xmodem transfer.....", you must start the Xmodem send from your terminal emulator; the switch only waits for it, it does not prompt again...

4) Once the file transfer is finished, set the console baud rate back to the default and reconnect your session at 9600...

5) Lastly, set the boot system parameter and reset. (In theory you don't have to run this command: if no image is defined in the config, the system loads the first image it finds in flash. It is good to know about in case you have multiple image sources, such as a USB drive.)

-------------------------

Alternate Method from USB Drive:
1) boot into rommon mode
2) run: boot system usbflash0:c3825-advipservicesk9-mz.124-24.T3.bin

Be aware of the boot system entries in your running-config and set them appropriately. For example:
boot system flash:c3825-advipservicesk9-mz.124-24.T3.bin
boot system usbflash0:c3825-advipservicesk9-mz.124-24.T3.bin

If you only had the USB entry from above and reloaded your router without the USB drive inserted, guess what?
You guessed it: the router will fail to boot because it can't find an image (unless you also have one in flash).

Friday, August 12, 2011

Cisco Port Security

Cisco's port security feature is a great way to increase your internal network security. The port security feature associates MAC addresses with switch ports and allows only those MAC addresses to access the ports. This can be done on a per-port basis, except for trunk ports or etherchannel ports. If an unknown MAC address tries to communicate through the port, port security will shut down the port (the default setting).

Basically you are going to do the following steps, depending on your needs:

1) Determine which ports you will apply port-security to. (Not trunk or etherchannel ports.)
2) Decide if you will use an aging time and how many minutes.
3) Choose how many MAC addresses you will allow on the ports.
4) Choose the security violation mode to enforce.
-------------------
Apply Port-Security
-------------------
I will set up port 1/0/1 with the default port-security (you could use the range command here)...

------------------------------------------
Apply Aging Time and Maximum Mac Addresses
------------------------------------------
The default settings allow only one MAC address to communicate through the port (Maximum MAC Addresses). This is done dynamically by default, meaning that only the first MAC learned will be allowed. Also, remember that once a MAC is learned on a port it can't be used on another port. This may be terribly inconvenient: what if you use a laptop and need to take it to the conference room? This is what the "aging time" setting is for. After the specified time (in minutes) the port will clear the MACs it has learned dynamically, allowing them to be used elsewhere.

Also, I need more than one MAC address here because I'm plugged into a Cisco phone. Let's add these parameters to the port...

Here is my interface config now...

----------------
Violations
----------------
If another MAC tries to communicate on that port, a violation will occur, and...

1) The port gets shut down.
2) A message gets generated in the log.
3) An SNMP trap is generated.

Log entry...

Aug 2 15:18:26.583 MDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0c26.0a1d.1ec2 on port FastEthernet1/0/1.
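As an added example (not part of the original post), a small Python parser that recognizes this PSECURE_VIOLATION message and tallies the distinct offending MACs per port, so a log pipeline can flag a port that keeps tripping; the first sample line is the entry above, the other sample lines are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the %PORT_SECURITY-2-PSECURE_VIOLATION message format shown in the post.
PSECURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)\s+(?P<tz>[A-Z]+):\s+"
    r"%PORT_SECURITY-(?P<sev>\d)-PSECURE_VIOLATION:\s+Security violation occurred,\s+"
    r"caused by MAC address\s+(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+on port\s+(?P<port>\S+)"
)

@dataclass(frozen=True)
class Violation:
    timestamp: str   # device-local time as logged, with the timezone appended
    severity: int    # syslog severity from the mnemonic (2 = critical)
    mac: str         # offending MAC in Cisco dotted-hex form, lowercased
    port: str        # interface that went err-disabled (default violation mode)

def parse_violation(line: str) -> Optional[Violation]:
    """Return a Violation for a PSECURE_VIOLATION line, or None for any other syslog line."""
    m = PSECURE_RE.match(line.strip())
    if m is None:
        return None
    return Violation(
        timestamp=f"{m['ts']} {m['tz']}",
        severity=int(m["sev"]),
        mac=m["mac"].lower(),
        port=m["port"].rstrip("."),  # the message ends with a full stop right after the port name
    )

def macs_by_port(lines) -> Dict[str, List[str]]:
    """Map each port to the sorted distinct MACs that caused violations on it."""
    seen: Dict[str, set] = {}
    for line in lines:
        v = parse_violation(line)
        if v is not None:
            seen.setdefault(v.port, set()).add(v.mac)
    return {port: sorted(macs) for port, macs in seen.items()}

# Constructed sample log: line 1 is the entry from the post, the rest are made up for this example.
SAMPLE_LOG = [
    "Aug 2 15:18:26.583 MDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0c26.0a1d.1ec2 on port FastEthernet1/0/1.",
    "Aug 2 15:18:40.101 MDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down",
    "Aug 2 15:22:03.417 MDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0c26.0a1d.beef on port FastEthernet1/0/1.",
    "Aug 2 15:25:11.002 MDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port FastEthernet1/0/7.",
]

if __name__ == "__main__":
    for port, macs in macs_by_port(SAMPLE_LOG).items():
        print(f"{port}: {len(macs)} offending MAC(s): {', '.join(macs)}")
```

A port that accumulates several different offending MACs is a stronger signal (an unmanaged switch or hub behind the jack) than a single one-off violation from a moved laptop.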

Verify with these commands...

To recover from the err-disabled state, do a "shutdown" followed by "no shutdown" on the interface.
Other global commands can be helpful as well: "clear port-security all" clears all MACs learned on the switch.
If you are using the default port-security configuration, running the "errdisable recovery cause psecure-violation" command will bring all secure ports out of the error-disabled state.

----------
References
----------
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s6.html#wp1033679