Monday, March 17, 2008

Switch Port Security

If you are working in a strict security environment, switch port security is a must. Configuring it can become a tedious task; however, if you control the environment when you set up the network, this little trick can save you a lot of work.

Instead of configuring port security and manually entering a MAC address for each port, you can plug all your hosts in and then issue the following commands:

Switch(config)#int range f0/1-xx
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation restrict
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#end

The first command takes you to interface range configuration mode; the next two turn on port security and set the maximum number of MAC addresses to 1. "violation restrict" drops traffic from any host whose MAC address differs from the one the switch has learned for the port in question; the port stays up, and the switch logs the violation and increments the port's violation counter. After that, "mac-address sticky" instructs the switch to learn the MAC address dynamically and remember it for each port. The sticky addresses are written into the running configuration, so save it (copy running-config startup-config) or they are lost on reload.
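Once the sticky addresses have been learned, it is worth auditing the saved configuration to confirm every access port really is locked to a host. The following Python script is an added example, not code from the original post: it parses a constructed running-config fragment, reports each port's effective port-security settings (applying the IOS defaults of maximum 1 and violation shutdown where no line is present), and flags ports that the interface range missed or that have not yet learned a MAC.

```python
import re
from typing import Dict, List
# Constructed running-config fragment, not taken from any real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
!
"""
PS = "switchport port-security"

def interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented sub-commands."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # "!" or a global command ends the interface block
    return blocks

def values(cmds: List[str], key: str) -> List[str]:
    """All <value>s found on 'switchport port-security <key> <value>' lines."""
    return [m.group(1) for c in cmds if (m := re.match(PS + rf" {key} (\S+)$", c))]

def audit_port(cmds: List[str]) -> dict:
    """Effective port-security state for one port, plus what is still missing."""
    state = {
        "enabled": PS in cmds,
        "sticky": f"{PS} mac-address sticky" in cmds,
        "maximum": int((values(cmds, "maximum") or ["1"])[-1]),        # IOS default 1
        "violation": (values(cmds, "violation") or ["shutdown"])[-1],  # IOS default
        "learned": values(cmds, "mac-address sticky"),
    }
    checks = [(not state["enabled"], "port-security not enabled"),
              (not state["sticky"], "sticky learning off"),
              (len(state["learned"]) < state["maximum"], "no sticky MAC learned yet")]
    state["issues"] = [msg for bad, msg in checks if bad]
    return state
```

Run it over the output of "show running-config" with `{n: audit_port(c) for n, c in interfaces(cfg).items()}`; any port with a non-empty issues list is not yet locked down.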

Sunday, March 2, 2008

Basic Load Balancing

Load Balancing normally has two modes of operation: Per-Destination and Per-Packet.

Per-destination load balancing means the router distributes packets based on the destination address. If you have two paths to Hosts A and B on the same network, all packets for Host A travel over the first path and all packets for Host B over the second. This preserves packet order, which is very useful for certain applications; however, it can result in unequal usage of the network links, as bandwidth and load are not taken into account in the route calculation.

Per-packet load balancing means the router sends one packet over the first path and the next over the second path, all going to the same destination. Per-packet load balancing guarantees an equal load across all links; however, packets may arrive at the destination out of order because different paths may have different delay and bandwidth.

Per-packet load balancing is enabled by turning off the route cache on the interface:

Router# config t
Router(config)# interface Ethernet 0
Router(config-if)# no ip route-cache

Now the router CPU looks at every single packet and spreads them across the different paths available in the routing table for the destination. This is not recommended on low-end routers: the CPU must do all the processing, might not be able to handle the load, and could crash the router. To go back to fast switching (per-destination), use the following commands:

Router# config t
Router(config)# interface Ethernet 0
Router(config-if)# ip route-cache


Newer switching schemes such as Cisco Express Forwarding (CEF) let you do per-packet and per-destination load balancing more quickly, but they do require extra resources to maintain their forwarding tables.