Wednesday 10 July 2024

How to configure the DHCP server on a Cisco ASA device?




DHCP (Dynamic Host Configuration Protocol) servers provide the basic information a client needs to operate on the network, including the DNS server address, default gateway, IP address, subnet mask and more.

In this blog, we configure the Cisco ASA firewall to act as a DHCP (Dynamic Host Configuration Protocol) server. DHCP simplifies the process of IP address assignment in your network. In this scenario, we’ll set up the ASA to provide IP addresses to internal LANs using different DHCP scopes.

Let's see the configuration:

Topology:-




  • configure the topology as per the diagram
  • configure the IP addresses and security levels on the ASA
  • configure the DHCP server on the ASA
  • verify the configuration with show commands and ping






ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.240 inside
ciscoasa(config)# dhcpd dns 8.8.8.8
ciscoasa(config)# dhcpd domain internetworks
ciscoasa(config)# dhcpd option 3 ip 192.168.1.1
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# exit

ciscoasa# show dhcpd binding

IP address       Client Identifier        Lease expiration        Type

    192.168.1.2    0100.5079.6668.00            2399 seconds    Automatic
    192.168.1.3    0100.5079.6668.01            2941 seconds    Automatic
    192.168.1.4    0100.5079.6668.02            2949 seconds    Automatic
    192.168.1.5    0100.5079.6668.03            2956 seconds    Automatic
    192.168.1.6    0100.5079.6668.04            2963 seconds    Automatic
    192.168.1.7    0100.5079.6668.05            2970 seconds    Automatic
    192.168.1.8    0100.5079.6668.06            2977 seconds    Automatic


ciscoasa# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools        1
Automatic bindings   7
Expired bindings     0
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          14
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            7
DHCPACK              14
DHCPNAK              0

ciscoasa# show dhcpd state
Context  Configured as DHCP Server
Interface inside, Configured for DHCP SERVER



PC2> ip dhcp
DORA IP 192.168.1.3/24 GW 192.168.1.1

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 192.168.1.3/24
GATEWAY     : 192.168.1.1
DNS         : 8.8.8.8
DHCP SERVER : 192.168.1.1
DHCP LEASE  : 2565, 3000/1500/2625
DOMAIN NAME : internetworks
MAC         : 00:50:79:66:68:01
LPORT       : 10017
RHOST:PORT  : 127.0.0.1:10018
MTU:        : 1500
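As an added example (not part of the original post), the following Python script parses the show dhcpd binding table above, decodes each Client Identifier back to the PC's MAC address (the leading 01 is the Ethernet hardware type, which is why 0100.5079.6668.01 corresponds to PC2's MAC 00:50:79:66:68:01), and checks every binding against the configured pool and lease. The sample input is constructed from the post's output plus one made-up binding outside the pool to show the check firing.

```python
import re
from ipaddress import IPv4Address

# Settings taken from the ASA dhcpd configuration in this post.
POOL_START = IPv4Address("192.168.1.2")
POOL_END = IPv4Address("192.168.1.240")
LEASE_SECONDS = 3000

# Constructed sample: two rows from the post's 'show dhcpd binding' output plus
# one made-up row (192.168.1.250) that lies outside the configured pool.
SAMPLE_BINDINGS = """\
IP address       Client Identifier        Lease expiration        Type
    192.168.1.2    0100.5079.6668.00            2399 seconds    Automatic
    192.168.1.3    0100.5079.6668.01            2941 seconds    Automatic
    192.168.1.250  0100.5079.6668.ff            1200 seconds    Automatic
"""

LINE_RE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<cid>[0-9a-fA-F.]+)\s+"
    r"(?P<secs>\d+) seconds\s+(?P<type>\w+)\s*$"
)


def client_id_to_mac(cid):
    """Decode an ASA client identifier written as dotted hex. A 7-byte value whose
    first byte is 0x01 is hardware type Ethernet followed by the 6-byte MAC."""
    raw = bytes.fromhex(cid.replace(".", ""))
    if len(raw) == 7 and raw[0] == 0x01:
        return ":".join(f"{b:02x}" for b in raw[1:])
    return None  # non-Ethernet or vendor-specific identifier: leave undecoded


def parse_bindings(text):
    """Turn the 'show dhcpd binding' table into a list of dicts (header skipped)."""
    bindings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bindings.append({
            "ip": IPv4Address(m["ip"]),
            "mac": client_id_to_mac(m["cid"]),
            "remaining": int(m["secs"]),
            "type": m["type"],
        })
    return bindings


def audit_bindings(bindings):
    """Return (ip, reason) pairs for bindings that do not fit the configured scope:
    an address outside the dhcpd pool range, or a remaining lease longer than the
    configured lease time (a sign of a changed configuration or a stale parse)."""
    findings = []
    for b in bindings:
        if not (POOL_START <= b["ip"] <= POOL_END):
            findings.append((str(b["ip"]), "outside configured pool"))
        if b["remaining"] > LEASE_SECONDS:
            findings.append((str(b["ip"]), "remaining lease exceeds dhcpd lease"))
    return findings


if __name__ == "__main__":
    parsed = parse_bindings(SAMPLE_BINDINGS)
    for b in parsed:
        print(b["ip"], b["mac"], b["remaining"], b["type"])
    print(audit_bindings(parsed))
```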


Sunday 30 June 2024

What is Cisco Management VLAN? How to configure VLAN management? | CCNA Security

 

What is a Management VLAN?

A management VLAN is a VLAN used for managing and monitoring network devices such as routers, switches and other devices from a remote location using protocols such as Telnet, SSH, SNMP, syslog, etc. The purpose of the management VLAN is to designate one VLAN for configuration and management traffic. Cisco recommends not using VLAN 1, and not using any VLAN that carries user data traffic, as the management VLAN. Normally the management VLAN is VLAN 1, but you can use any VLAN as the management VLAN. Once you configure a management VLAN for administration, data plane traffic and management traffic are isolated from each other; this reduces interference and enhances the security of the management traffic.

Let’s see the configuration for better understanding.

Topology:-





Thursday 27 June 2024

Cisco ASA access management with ASDM, SSH, telnet and dedicated management interface.

 

A Cisco ASA firewall is a barrier between LAN and WAN networks (trusted and untrusted networks). We place the firewall in the forwarding path of the network so that every packet has to be checked by it. The Cisco ASA offers several ways to connect and interact with it: an administrative user can access the ASA using Telnet, Secure Shell (SSH), and ASDM.




Cisco ASA supports in-band management and out-of-band management.

With in-band management the ASA is managed over the same data network that carries regular user traffic: Telnet, SSH or HTTPS sessions arrive on the same interfaces that handle user traffic. In-band management uses the same transit path as user traffic (the management plane shares the data plane's path).




You can see that the data plane traffic (normal traffic) and the management plane traffic (Telnet, SSH, and ASDM) use the same transit path. It can be any interface (Fast Ethernet, Gigabit Ethernet, a serial interface, or a loopback) but not the dedicated management interface.

This kind of topology has advantages and disadvantages. It is easy to configure because it uses the existing network infrastructure and needs no separate dedicated management interface. The disadvantages are the security risk, the dependence on network availability, and the shared resources.


Out-of-band management

With out-of-band management the Cisco ASA offers a dedicated management interface separate from the regular data interfaces. The administrator uses the dedicated physical management port on the ASA to access the device, and this interface is used only for management purposes.





Out-of-band management isolates management traffic from normal data traffic. The console port and the physical management port are both out-of-band management paths.


Let's see the configuration of all the methods to access the ASA firewall:

  1. in the first lab, we are going to configure Telnet
  2. in the second lab, we are going to configure Secure Shell
  3. in the third lab, we are going to configure a dedicated management interface
  4. in the fourth lab, we are going to configure the ASDM


 First lab topology:-



  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure the inside and outside zones
  • enable telnet, because by default telnet is disabled on the ASA
  • configure router-1 to act as a PC for verification

  

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms


ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# security 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# username admin password admin
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside

R1#telnet 192.168.1.1 /source-interface fastEthernet 0/0
Trying 192.168.1.1 ... Open

User Access Verification
Password:

ciscoasa> enable
Password:

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
ciscoasa#
ciscoasa# exit
Logoff

[Connection to 192.168.1.1 closed by foreign host]
R1#
R1#
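The first lab opens Telnet from the inside network. As an added example that is not part of the original post, this Python script parses the management-access lines of an ASA running-config (the telnet line from this lab plus assumed ssh and http lines for contrast) and reports what a reviewer would flag: Telnet in cleartext, any-source rules, and management listeners on an untrusted interface.

```python
import re
from ipaddress import IPv4Network

# Constructed sample of the relevant lines of an ASA running-config. The telnet
# line is the one from this lab; the ssh and http lines are assumed for contrast.
SAMPLE_CONFIG = """\
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
http server enable
http 0.0.0.0 0.0.0.0 outside
"""

# 'telnet|ssh|http <network> <mask> <nameif>' is the ASA syntax that opens access.
ACCESS_RE = re.compile(
    r"^(?P<proto>telnet|ssh|http)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<nameif>\S+)\s*$"
)


def parse_access_lines(config):
    """Return (protocol, source network, nameif) for every line that opens
    management access. Lines like 'telnet timeout 5' do not match and are skipped."""
    rules = []
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            net = IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            rules.append((m["proto"], net, m["nameif"]))
    return rules


def audit_management_access(rules, untrusted_nameifs=("outside",)):
    """Flag the management-access rules a reviewer would question."""
    findings = []
    for proto, net, nameif in rules:
        where = f"{proto} from {net} on {nameif}"
        if proto == "telnet":
            findings.append((where, "Telnet carries credentials in cleartext; prefer ssh"))
        if net.prefixlen == 0:
            findings.append((where, "access allowed from any source address"))
        if nameif in untrusted_nameifs:
            findings.append((where, "management reachable on an untrusted interface"))
    return findings


if __name__ == "__main__":
    for where, why in audit_management_access(parse_access_lines(SAMPLE_CONFIG)):
        print(f"{where}: {why}")
```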



Tuesday 18 June 2024

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall

ZBF (Zone Based Firewall) is a stateful firewall available on Cisco IOS routers, introduced in 2006. ZBF supports deep packet inspection just like an ASA. ZBF works on the concept of security zones, and you can name the zones whatever you want. In ZBF we don't assign an access-list to the interface: we create zones, assign each interface to a zone (one interface can only be a member of one zone) and then assign security policies between zones. The default policy is to block all traffic unless we explicitly allow it.

 

  • Zone-Based Model: Interfaces are assigned to zones, and inspection policy is applied to traffic moving between these zones.
  • Flexible Configuration: Allows for more granular control of traffic based on zones rather than just interfaces.
  • Stateful Inspection: Maintains the state of active sessions and inspects traffic accordingly.
  • Successor to CBAC: ZBF is considered the successor to Context-Based Access Control (CBAC), offering enhanced security features.


Let's see the configuration of ZBF:-

Topology:-




Goal:

  • configure the topology as per the diagram
  • assign IP addresses as per the topology
  • configure EIGRP 100 and advertise all the interfaces
  • configure router-2 for ZBF
  • configure the zone INSIDE for the LAN and the zone OUTSIDE for the internet
  • configure an extended ACL
  • allow PC 2 to ping server 30.1.1.11
  • allow telnet from INSIDE
  • leave the rest at the default
  • verify the configuration with telnet, ping, and show commands



(first, configure the IP addresses on PC-1 and PC-2 inside the zone)

PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1

PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1

DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10026
RHOST:PORT  : 127.0.0.1:10027
MTU:        : 1500

PC2> ip 10.1.1.11 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.11 255.0.0.0 gateway 10.1.1.1

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1

DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10028
RHOST:PORT  : 127.0.0.1:10029
MTU:        : 1500

PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=0.583 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=0.495 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=0.511 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=0.780 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=0.759 ms

Configure the IP addresses between the routers and LAN interfaces


R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 192.168.2.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

Configure the IP addresses on server-1 and server-2 in the outside zone


server2> ip 30.1.1.10 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.10 255.0.0.0 gateway 30.1.1.1

server2> show ip
NAME        : server2[1]
IP/MASK     : 30.1.1.10/8
GATEWAY     : 30.1.1.1

DNS         :
MAC         : 00:50:79:66:68:04
LPORT       : 10034
RHOST:PORT  : 127.0.0.1:10035
MTU:        : 1500

server> ip 30.1.1.11 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.11 255.0.0.0 gateway 30.1.1.1

server> show ip
NAME        : server[1]
IP/MASK     : 30.1.1.11/8
GATEWAY     : 30.1.1.1

DNS         :
MAC         : 00:50:79:66:68:05
LPORT       : 10036
RHOST:PORT  : 127.0.0.1:10037
MTU:        : 1500


Configure routing between routers and advertise directly connected interfaces


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 192.168.1.0
R2(config-router)#network 192.168.2.1
R2(config-router)#no auto-summary
R2(config-router)#exit

R3(config)#router eigrp 100
R3(config-router)#network 192.168.2.0
R3(config-router)#network 30.0.0.0
R3(config-router)#no auto-summary
R3(config-router)#exit


verify the connectivity with ping from PC-1 to server-1


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1


PC1> ping 30.1.1.10
84 bytes from 30.1.1.10 icmp_seq=1 ttl=61 time=115.597 ms
84 bytes from 30.1.1.10 icmp_seq=2 ttl=61 time=94.468 ms
84 bytes from 30.1.1.10 icmp_seq=3 ttl=61 time=94.519 ms
84 bytes from 30.1.1.10 icmp_seq=4 ttl=61 time=78.793 ms
84 bytes from 30.1.1.10 icmp_seq=5 ttl=61 time=78.209 ms


As you can see the connectivity is good. Now configure telnet on router-1 and router-3; for testing, do not configure a login password.



R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#exit

*Jun 17 11:54:55.771: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

R3>
R3>
R3>
R3>


Our inside router-1 can telnet to router-3. In the same way, configure telnet on router-3:



R3(config)#line vty 0 4
R3(config-line)#lo
R3(config-line)#no login
R3(config-line)#exit
R3(config)#end
R3#
R3#
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>
R1>
R1>
R1>


Now configure the zone named INSIDE for our LAN traffic and the OUTSIDE zone:

R2(config)#zone security INSIDE
R2(config-sec-zone)#exit
R2(config)#zone security OUTSIDE
R2(config-sec-zone)#exit

R2(config)#interface serial 4/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#exit

The default policy is to block all traffic unless we explicitly allow it, so now configure an ACL that permits 10.1.1.11 to ping and permits 10.1.1.1 to telnet.


R2(config)#ip access-list extended 150
R2(config-ext-nacl)#permit icmp host 10.1.1.11 any echo
R2(config-ext-nacl)#permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
R2(config-ext-nacl)#exit

R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)


Configure a class map to classify the traffic to be inspected:


R2(config)#class-map type inspect INSIDE-OUTSIDE-CLASS
R2(config-cmap)#match access-group 150
R2(config-cmap)#exit

Configure a policy map that defines the ZBF action (inspect) for the classified traffic:


R2(config)#policy-map type inspect INSIDE-OUTSIDE-POLICY
R2(config-pmap)#class type inspect INSIDE-OUTSIDE-CLASS
R2(config-pmap-c)#inspect
R2(config-pmap-c)#exit
R2(config-pmap)#exit

Configure the zone pair and attach the policy to it:

R2(config)#zone-pair security INSIDE-OUTSIDE-PAIR source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect INSIDE-OUTSIDE-POLICY
R2(config-sec-zone-pair)#exit


From router-1, try to access router-3 with telnet:


R1#telnet 30.1.1.1 telnet /source-interface fastEthernet 0/0
Trying 30.1.1.1 ... Open
R3>
R3>
R3>

R3>show ip interface br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up


As you can see, router-1 can access router-3 remotely with telnet because we allowed it.


R3#telnet 10.1.1.1 /source-interface fastEthernet 0/0
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding


But router-3 cannot access router-1 with telnet because we did not allow it; by default, all traffic between the zones is blocked.


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1




PC1> ping 30.1.1.11
30.1.1.11 icmp_seq=1 timeout
30.1.1.11 icmp_seq=2 timeout
30.1.1.11 icmp_seq=3 timeout
30.1.1.11 icmp_seq=4 timeout
30.1.1.11 icmp_seq=5 timeout

From the above output you can see that PC-1 cannot ping the servers because we did not allow it. We allowed PC-2 (10.1.1.11) to ping any network:

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1


PC2> ping 30.1.1.11
84 bytes from 30.1.1.11 icmp_seq=1 ttl=61 time=127.289 ms
84 bytes from 30.1.1.11 icmp_seq=2 ttl=61 time=94.466 ms
84 bytes from 30.1.1.11 icmp_seq=3 ttl=61 time=94.540 ms
84 bytes from 30.1.1.11 icmp_seq=4 ttl=61 time=93.967 ms
84 bytes from 30.1.1.11 icmp_seq=5 ttl=61 time=94.784 ms



R2#show zone-pair security
Zone-pair name INSIDE-OUTSIDE-PAIR
    Source-Zone INSIDE  Destination-Zone OUTSIDE
    service-policy INSIDE-OUTSIDE-POLICY



R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)


R2#show zone security INSIDE
zone INSIDE
  Member Interfaces:
    Serial4/0


R2#show zone security OUTSIDE
zone OUTSIDE
  Member Interfaces:
    Serial4/1


if you like this blog please visit to our YouTube channel https://www.youtube.com/@internetworkss


Saturday 15 June 2024

What are TACACS+ RADIUS and Diameter protocols? How to configure TACACS+ RADIUS in cisco packet tracer? CCNA security

What are TACACS+ RADIUS and Diameter protocols? 


TACACS+, RADIUS and Diameter are protocols that provide a centralized management system for AAA (Authentication, Authorization, and Accounting). An ACS (Access Control Server) supports the RADIUS and TACACS+ protocols and is commonly used in enterprise environments. TACACS+, RADIUS, and Diameter have some key differences. (If you are not familiar with AAA, please click here.)


Types of AAA Protocols

  • Terminal access controller access-control system plus (TACACS+)
  • Remote authentication dial-in user service (RADIUS)
  • Diameter

TACACS+ (Terminal Access Controller Access Control System Plus) is an enhancement to TACACS developed by Cisco, which means TACACS+ is a Cisco proprietary protocol. TACACS+ is mainly used for device administration with an ACS (Access Control Server): it carries the communication between the AAA client and the Cisco ACS server. TACACS+ is a reliable protocol because it uses TCP port 49 for communication, and the TACACS+ communication is encrypted, meaning the body of every packet is protected. TACACS+ provides more control over accounting and authorization. TACACS+ combines authentication and authorization in one step.


Remote Authentication Dial-In User Service (RADIUS) is the IETF standard protocol. RADIUS is used for communication between any vendor's (Cisco or non-Cisco) AAA client and the ACS server, so if you have devices from multiple vendors you can use RADIUS. RADIUS communication is faster but a bit less reliable because it uses UDP: port 1645/1812 for authentication and 1646/1813 for accounting. Authentication and authorization are done in a single process. The RADIUS key with MD5 is used to hide the user password.

The Diameter protocol is an AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. Diameter is an advanced Authentication, Authorization, and Accounting (AAA) protocol that evolved from the earlier RADIUS protocol. It is one of the application layer protocols in the Internet protocol suite.
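The two protection mechanisms mentioned above (RADIUS hiding the user password with the shared key and MD5, TACACS+ covering the packet body) are shown here as an added example, not code from the original post: the RADIUS User-Password procedure from RFC 2865 section 5.2 and the TACACS+ pseudo-pad from RFC 8907, which the RFC itself calls obfuscation rather than encryption. The shared key, Request Authenticator, session id and packet body are constructed sample values.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: the password is zero-padded to a multiple of 16 bytes;
    chunk n is XORed with MD5(secret + ciphertext chunk n-1), and the first chunk
    uses the 16-byte Request Authenticator in place of a previous chunk."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return out


def radius_reveal_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password, as the RADIUS server performs it.
    The same chaining means a wrong key yields garbage rather than an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tacacs_plus_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id + key + version + seq_no) and
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}), concatenated and
    truncated to the body length. session_id is 4 bytes, version and seq_no 1 byte."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the TACACS+ packet body with the pseudo-pad; calling it again on the
    result restores the body. 0xC0 is major version 0xC, minor version 0."""
    return _xor(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


if __name__ == "__main__":
    secret = b"cisco123"                 # constructed shared key
    authenticator = bytes(range(16))     # constructed Request Authenticator
    hidden = radius_hide_password(b"user1", secret, authenticator)
    print("RADIUS User-Password:", hidden.hex())
    print("revealed:", radius_reveal_password(hidden, secret, authenticator))
    body = b"\x01\x00\x02\x01user1"      # constructed TACACS+ body fragment
    ob = tacacs_plus_obfuscate(body, b"\x00\x00\x00\x2a", secret)
    print("TACACS+ body on the wire:", ob.hex())
```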


Let's see the configuration of AAA with the TACACS+ and RADIUS server:

Topology:-




Goal: TACACS+

  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology
  • configure dynamic routing between the network 
  • configure AAA authentication and key internet same for both (router and server)
  • verify with telnet from PC-1 192.168.10.30
  • configure RADIUS server 
  • verify with telnet from remote PC- 192.168.30.10


ROUTER-1(config)#interface gigabitEthernet 0/1
ROUTER-1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit

ROUTER-1(config)#interface gigabitEthernet 0/0
ROUTER-1(config-if)#ip address 192.168.20.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit
 
ROUTER-2(config)#interface gigabitEthernet 0/0
ROUTER-2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-2(config)#interface gigabitEthernet 0/1
ROUTER-2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-1(config)#router eigrp 100
ROUTER-1(config-router)#network 192.168.10.0
ROUTER-1(config-router)#network 192.168.20.0
ROUTER-1(config-router)#no auto-summary
ROUTER-1(config-router)#exit

%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency

ROUTER-2(config)#router eigrp 100
ROUTER-2(config-router)#network 192.168.20.0
ROUTER-2(config-router)#network 192.168.30.0
ROUTER-2(config-router)#no auto-summary
ROUTER-2(config-router)#exit

%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency




ROUTER-1(config)#username admin password internet
ROUTER-1(config)#tacacs-server host 192.168.10.10
ROUTER-1(config)#tacacs-server key cisco123

ROUTER-1(config)#aaa new-model
ROUTER-1(config)#aaa authentication login cisco123 group tacacs+ local

ROUTER-1(config)#line console 0
ROUTER-1(config-line)#login authentication cisco123
ROUTER-1(config-line)#exit
ROUTER-1(config)#end

User Access Verification

Username: user1
Password:

ROUTER-1>
ROUTER-1>

(the password for user1 is user1)


C:\>ipconfig

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::2D0:D3FF:FEBA:44B2
IP Address......................: 192.168.10.30
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1





(let's create another user with the name user2 and password user2)

(now verify with telnet from PC- 192.168.10.30)

ROUTER-1#show aaa sessions
Total sessions since last reload: 3
Session Id:4
Unique Id:4
User Name:user2
IP Address:192.168.10.30
Idle Time: 0
CT Call Handle: 0
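The method list "aaa authentication login cisco123 group tacacs+ local" configured above falls back from the TACACS+ group to the local database only when the server does not answer, not when it rejects the credentials. As an added example that is not part of the original post, this Python model of IOS method-list evaluation makes that difference visible: the local "admin" account (username admin password internet) only works while the ACS is unreachable. The user and server data are constructed stand-ins for the post's ACS and router.

```python
from enum import Enum


class Verdict(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not decide (server unreachable, no reply)


def tacacs_group(reachable, server_users):
    """Assumed stand-in for 'group tacacs+': returns a method that answers like the
    ACS would, or ERROR when the server cannot be reached."""
    def method(username, password):
        if not reachable:
            return Verdict.ERROR
        return Verdict.PASS if server_users.get(username) == password else Verdict.FAIL
    return method


def local_db(local_users):
    """Stand-in for the 'local' method: the router's own 'username ... password' lines."""
    def method(username, password):
        return Verdict.PASS if local_users.get(username) == password else Verdict.FAIL
    return method


def authenticate(method_list, username, password):
    """IOS method-list semantics: methods are tried in order and the next method is
    consulted only when the current one returns ERROR. A FAIL ends the list."""
    for method in method_list:
        verdict = method(username, password)
        if verdict is not Verdict.ERROR:
            return verdict
    return Verdict.FAIL  # every method errored, so nobody could decide


# Constructed data mirroring this post: user1 and user2 exist on the ACS, and
# 'username admin password internet' is the local account on ROUTER-1.
ACS_USERS = {"user1": "user1", "user2": "user2"}
LOCAL_USERS = {"admin": "internet"}


def login_list(server_up):
    """aaa authentication login cisco123 group tacacs+ local"""
    return [tacacs_group(server_up, ACS_USERS), local_db(LOCAL_USERS)]


if __name__ == "__main__":
    for up in (True, False):
        for user, pw in (("user2", "user2"), ("admin", "internet")):
            print(f"ACS {'up' if up else 'down'}: {user} -> "
                  f"{authenticate(login_list(up), user, pw).value}")
```

Note that with the ACS up, "admin" is rejected by the server and the local entry is never consulted; a local fallback account is therefore only an outage safety net, not a second way in.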


Thursday 13 June 2024

What is AAA Authentication, Authorization, and Accounting? What is ACS server? Cyber security

What is AAA  Authentication, Authorization, and Accounting?  


Authentication, Authorization, and Accounting (AAA) is a standards-based framework that provides a set of security services. AAA authentication decides which device or computer is permitted to use the network resources; AAA authorization decides what they are allowed to do, for example use the internet or access the CLI with Telnet or SSH; and AAA accounting captures information about that particular user, such as the time and date and the actions the user performed while accessing the network. The combined AAA process is essential for network security: it ensures that only authorized users can access network resources, and it records the actions users perform in the network.





Authentication-

Authentication is the process by which AAA identifies the user. When a user wants permission to use a network resource, AAA authentication asks for credentials such as a username and password, a USB key, or a fingerprint, and the AAA system verifies these credentials against a database. If the credentials match the AAA database the user is authenticated; if they do not match, the user cannot use the network resources. You can use the local database on a router or switch for AAA authentication, but for large organizations you should use an external server such as the ACS server. Authentication is a must for network access or device access.


Authorization

Once a user has gained access through the authentication process, AAA authorization determines what resources that particular user is allowed to access and what actions the user can perform. For example, if a junior network engineer on the IT team wants to access the router and change some routing configuration but should not have access to all of these resources, the administrator can create a view that allows only show commands and ping commands; the junior network engineer is then authorized to run show and ping commands only. The administrator chooses how the user is authorized for network resources: through the local database or through an ACS server.

 Accounting

AAA accounting monitors and captures user activity, while the user is logged in to the network. Accounting collects information on how long the user is active in the network, the data the user sends or receives, the IP address, the URI they used, and the different services the user accessed. Accounting is very useful for analyzing user activity.


AAA implementation

AAA implementation can be done by using the local database on devices such as routers or switches. We can also implement AAA with an external server like an ACS access control server. If you have a small number of devices then you can use the local database on the router but if you have a big organization then use an external server such as ACS.

Let’s take the overview of both methods: 

Local database


Local database- we can implement an AAA local database on a router or a switch. We should create user authentication for each user, then configure AAA authorization to assign privilege levels for each user to define what this user is authorized for and what commands this user can execute on the device. After that configure AAA accounting for the device to log user activities like login time and the commands users execute.


ACS Server

An external ACS server is the most common method of AAA implementation in the network. First, authentication: a user or a device such as a printer sends an authentication request to the ACS server, which holds the user credentials and compares them to its database. Second, authorization: the ACS server provides information about the network and which resources the user can access. Third, accounting: the ACS server records user actions and generates reports.


Types of AAA Protocols

 
  • Remote authentication dial-in user service (RADIUS)
  • Terminal access controller access-control system plus (TACACS+)
  • Diameter
(in the next blog we will see AAA protocols and the ACS server)

Let's see the configuration of AAA with the local database:

Topology:


 

Goal:

  • configure the IP addresses as per the topology
  • ensure the reachability between the PC and router
  • configure AAA authentication with local database
  • configure AAA authentication list name (internet)
  • configure login authentication on console and line vty
  • verify the authentication from PC

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#username admin password admin
 
Router(config)#aaa new-model
Router(config)#aaa authentication login internet local
Router(config)#line console 0
Router(config-line)#login authentication internet
Router(config-line)#exit
 
Router(config)#line vty 0 4
Router(config-line)#login authentication internet
Router(config-line)#exit
Router(config)#end
Router#exit

Router con0 is now available

User Access Verification

Username: admin
Password:
Router>enable
Router#show aaa sessions
Total sessions since last reload: 3

 



(IF YOU LIKE THIS BLOG PLEASE VISIT OUR YOUTUBE CHANNEL https://www.youtube.com/@internetworkss)

Wednesday 12 June 2024

What is MST (Multiple Spanning Tree, IEEE 802.1s)? What are MSTP regions? What is an MST instance? How to configure MSTP and tune or modify it?

IEEE 802.1s Multiple Spanning Tree (MST) is sometimes referred to as Multiple STP (MSTP). MST allows us to create multiple spanning trees inside a single network. Each spanning tree is called an instance, and each instance has its own root bridge and forwarding topology. An instance can be mapped to one or more VLANs. For example:

  • VLANs 10,20 and 30 are mapped in instance 1
  • VLANs 40,50 and 60 are mapped in instance 2

Now VLANs 10, 20 and 30 follow one path on the physical network, and VLANs 40, 50 and 60 follow a different path with a different root bridge and forwarding topology.

Multiple spanning tree is not like RPVST or PVST+, where each VLAN requires a separate instance. Take the example of PVST+ with 50 VLANs configured: this means 50 instances of spanning tree are running, which consumes a lot of CPU and memory. MST needs only one set of STP messages per MST instance. MST is the solution where we map different VLANs to one or more instances as the requirement dictates.

 

An MST region is a group of switches that together use MST in a consistent way. They run the same number of MST instances and map the same sets of VLANs onto these instances, among other things. The switches in the MST region must have the same configuration parameters as follows:

 

  • Region name: the name of that particular region or group of MST switches.
  • Revision number: a number that indicates the version of the configuration.
  • VLAN to instance map: a table assigning each VLAN to an instance.

A switch outside the MST region does not see inside the region; to the outside switch the whole region looks like one big switch.

 

Multiple spanning tree (MST) instance

An MST instance is a logical entity that defines one spanning tree for multiple VLANs; the instance name is 32 bytes. The MST instance number is in the range 0 – 4095, but different switch platforms support different ranges: for example, the Catalyst 2950 supports 0 – 15 and the Catalyst 3560 supports 0 – 4094. The important point is that one MST instance is special: instance 0, also called the internal spanning tree (IST). Instance 0 (the IST) exists by default. It is the only instance that interacts with switches outside the MST region, and it provides a loop-free environment for the region.

Configuring MST requires pre-planning, because it is necessary to decide where the MST boundaries and the regions will be placed.

MST lets us tune the root bridge per instance: modify costs and make a switch the primary or secondary root.
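As an added example (not part of the original post), this Python script computes the MST Configuration Identifier that switches compare to decide whether they are in the same region: the region name, the revision number, and an HMAC-MD5 digest of the 4096-entry VLAN-to-instance table under the fixed key given in IEEE 802.1s. It uses the mapping from this post (VLANs 10, 20, 30 in instance 1 and 40, 50, 60 in instance 2) and shows that a changed revision or a single moved VLAN puts a switch in a different region.

```python
import hashlib
import hmac
import struct

# Configuration Digest Signature Key, a constant defined in IEEE 802.1s.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_table(instance_vlans):
    """Build the MST Configuration Table: 4096 two-byte MSTID entries indexed by
    VLAN ID. VLANs not mapped to any instance stay in instance 0, the IST."""
    table = [0] * 4096
    for inst, vlans in instance_vlans.items():
        for v in vlans:
            if not 1 <= v <= 4094:
                raise ValueError(f"VLAN {v} is out of range")
            if table[v] != 0:
                raise ValueError(f"VLAN {v} is mapped to more than one instance")
            table[v] = inst
    return struct.pack("!4096H", *table)


def mst_config_digest(instance_vlans):
    """16-byte HMAC-MD5 of the table; this is the digest carried in MST BPDUs."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instance_vlans), hashlib.md5).digest()


def mst_config_id(name, revision, instance_vlans):
    """MST Configuration Identifier: format selector 0, 32-byte name padded with
    zeros, 2-byte revision, 16-byte digest. Neighbours are in the same region only
    if all 51 bytes are identical."""
    raw_name = name.encode()
    if len(raw_name) > 32:
        raise ValueError("region name is limited to 32 bytes")
    return (b"\x00" + raw_name.ljust(32, b"\x00")
            + struct.pack("!H", revision) + mst_config_digest(instance_vlans))


# VLAN-to-instance mapping from this post.
POST_MAPPING = {1: [10, 20, 30], 2: [40, 50, 60]}


if __name__ == "__main__":
    sw1 = mst_config_id("MSTP", 1, POST_MAPPING)
    sw3 = mst_config_id("MSTP", 1, POST_MAPPING)
    print("digest:", mst_config_digest(POST_MAPPING).hex().upper())
    print("switch 1 and switch 3 in the same region:", sw1 == sw3)
    # Forgetting VLAN 60 on one switch (it falls back to the IST) splits the region.
    other = mst_config_id("MSTP", 1, {1: [10, 20, 30], 2: [40, 50]})
    print("after dropping VLAN 60 on one switch:", sw1 == other)
```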

Now let's see the configuration:

Topology:


Goal:

  • configure the trunks between the switches on ethernet 0/0-1 with nonegotiate
  • configure VTP domain MSTP and version 2 to sync the VLAN information
  • configure switch 1 and switch 3 as VTP servers and the rest of the switches as clients
  • configure VLANs 10,20,30,40,50,60 on any VTP server
  • configure multiple spanning tree on all the switches
  • configure VLANs 10, 20 and 30 in MST instance 1
  • configure VLANs 40, 50 and 60 in MST instance 2
  • configure region name MSTP and revision number 1
  • by default our switch 1 is the root bridge for all the VLANs
  • configure tuning so that for instance 1 (VLANs 10, 20, 30) the root bridge is switch 1 and for instance 2 the root bridge is switch 3

Switch-1-(config)#interface range ethernet 0/0 - 1
Switch-1-(config-if-range)#switchport
Switch-1-(config-if-range)#switchport trunk encapsulation dot1q
Switch-1-(config-if-range)#switchport mode trunk
Switch-1-(config-if-range)#switchport nonegotiate
Switch-1-(config-if-range)#exit

*Jun 12 10:05:37.389: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:05:37.404: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-2-(config)#interface range ethernet 0/0 - 1
Switch-2-(config-if-range)#switchport
Switch-2-(config-if-range)#switchport trunk encapsulation dot1q
Switch-2-(config-if-range)#switchport mode trunk
Switch-2-(config-if-range)#switchport nonegotiate
Switch-2-(config-if-range)#exit

*Jun 12 10:07:56.489: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:07:56.521: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-3-(config)#interface range ethernet 0/0 - 1
Switch-3-(config-if-range)#switchport
Switch-3-(config-if-range)#switchport trunk encapsulation dot1q
Switch-3-(config-if-range)#switchport mode trunk
Switch-3-(config-if-range)#switchport nonegotiate
Switch-3-(config-if-range)#exit

*Jun 12 10:13:46.936: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:13:46.951: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-4-(config)#interface range ethernet 0/0 - 1
Switch-4-(config-if-range)#switchport
Switch-4-(config-if-range)#switchport trunk encapsulation dot1q
Switch-4-(config-if-range)#switchport mode trunk
Switch-4-(config-if-range)#switchport nonegotiate
Switch-4-(config-if-range)#exit
Switch-4-(config)#end
*Jun 12 10:16:12.123: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:16:12.139: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-1-(config)#vtp domain MSTP
Switch-1-(config)#vtp version 2
Switch-1-(config)#vtp mode server
Switch-1-(config)#exit

Switch-1-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : MSTP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0100
Configuration last modified by 0.0.0.0 at 6-12-24 10:40:51
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 1
MD5 digest                        : 0x25 0xBA 0x4E 0x29 0x64 0xC6 0x11 0x76
                                    0xD4 0x1E 0xC2 0x6B 0x69 0xEB 0x26 0x7A


Switch-2-(config)#vtp domain MSTP
Switch-2-(config)#vtp version 2
Switch-2-(config)#vtp mode client
Switch-2-(config)#exit



Switch-3-(config)#vtp domain MSTP
Switch-3-(config)#vtp version 2
Switch-3-(config)#vtp mode client
Switch-3-(config)#exit

Switch-3-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : MSTP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0300
Configuration last modified by 0.0.0.0 at 6-12-24 10:40:51

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 1
MD5 digest                        : 0x25 0xBA 0x4E 0x29 0x64 0xC6 0x11 0x76
                                    0xD4 0x1E 0xC2 0x6B 0x69 0xEB 0x26 0x7A


Switch-4-(config)#vtp domain MSTP
Switch-4-(config)#vtp version 2
Switch-4-(config)#vtp mode client
Switch-4-(config)#exit


Switch-1-(config)#vlan 10
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 20
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 30
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 40
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 50
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 60
Switch-1-(config-vlan)#exit

Switch-2-#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active

Switch-3-#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active

(As you can see, by default switch 1 is the root for all VLANs.)

Switch-1-#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg BKN*100       128.1    Shr *PVID_Inc
Et0/1               Desg BKN*100       128.2    Shr *PVID_Inc



Switch-1-(config)#spanning-tree mode mst
Switch-1-(config)#spanning-tree mst configuration
Switch-1-(config-mst)#revision 1
Switch-1-(config-mst)#name MSTP
Switch-1-(config-mst)#instance 1 vlan 10,20,30
Switch-1-(config-mst)#instance 2 vlan 40,50,60
Switch-1-(config-mst)#exit


Switch-1-#show spanning-tree mst configuration
Name      [MSTP]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-49,51-59,61-4094
1         10,20,30
2         40,50,60
-------------------------------------------------------------------------------
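As an added example (not code from the blog), the Python below reproduces the instance 0 VLAN list shown above, which is simply every VLAN from 1 to 4094 not mapped to instance 1 or 2, and flags any switch whose region name, revision or VLAN-to-instance mapping differs from the others, since such a switch ends up in its own region and is joined only through the IST. The switch dictionary, including the mistaken revision on Switch-4, is constructed sample data.

```python
# Added example (not the blog's own code): verify that several switches share
# one MST region (identical name, revision and VLAN-to-instance mapping) and
# derive the instance 0 (IST) VLAN list the way 'show spanning-tree mst
# configuration' prints it. Switch entries below are constructed sample data.
MAX_VLAN = 4094  # every VLAN not mapped to an MSTI stays in instance 0

def expand_vlans(spec):
    """'1-9,11-19,30' -> {1..9, 11..19, 30}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def compress_vlans(vlans):
    """Inverse of expand_vlans, in the 'lo-hi,lo-hi' form IOS prints."""
    seq, ranges, i = sorted(vlans), [], 0
    while i < len(seq):
        j = i
        while j + 1 < len(seq) and seq[j + 1] == seq[j] + 1:
            j += 1
        ranges.append(str(seq[i]) if i == j else f"{seq[i]}-{seq[j]}")
        i = j + 1
    return ",".join(ranges)

def full_mapping(instances):
    """Add instance 0 as the complement of all VLANs mapped to MSTIs."""
    mapped = set().union(*(expand_vlans(v) for v in instances.values()))
    ist = set(range(1, MAX_VLAN + 1)) - mapped
    result = {0: compress_vlans(ist)}
    result.update({k: compress_vlans(expand_vlans(v)) for k, v in instances.items()})
    return result

def region_mismatches(switches):
    """Switches whose (name, revision, mapping) differ from the first one.
    Any difference puts that switch in a separate region joined only via IST."""
    def key(cfg):
        return (cfg["name"], cfg["revision"], full_mapping(cfg["instances"]))
    reference = key(next(iter(switches.values())))
    return [sw for sw, cfg in switches.items() if key(cfg) != reference]

# Constructed sample: Switch-4 was given revision 2 by mistake.
SWITCHES = {f"Switch-{n}": {"name": "MSTP", "revision": 2 if n == 4 else 1,
                            "instances": {1: "10,20,30", 2: "40,50,60"}}
            for n in (1, 2, 3, 4)}

if __name__ == "__main__":
    print("instance 0:", full_mapping(SWITCHES["Switch-1"]["instances"])[0])
    print("not in the MSTP region:", region_mismatches(SWITCHES))
```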





Switch-1-#show spanning-tree mst

##### MST0    vlans mapped:   1-9,11-19,21-29,31-39,41-49,51-59,61-4094
Bridge        address aabb.cc00.0100  priority      32768 (32768 sysid 0)
Root          this switch for the CIST
Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured    hello time 2 , forward delay 15, max age 20, max hops    20

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      32770 (32768 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr


Switch-2-(config)#spanning-tree mode mst
Switch-2-(config)#spanning-tree mst configuration
Switch-2-(config-mst)#revision 1
Switch-2-(config-mst)#name MSTP
Switch-2-(config-mst)#instance 1 vlan 10,20,30
Switch-2-(config-mst)#instance 2 vlan 40,50,60
Switch-2-(config-mst)#exit

Switch-3-(config)#spanning-tree mode mst
Switch-3-(config)#spanning-tree mst configuration
Switch-3-(config-mst)#revision 1
Switch-3-(config-mst)#name MSTP
Switch-3-(config-mst)#instance 1 vlan 10,20,30
Switch-3-(config-mst)#instance 2 vlan 40,50,60
Switch-3-(config-mst)#exit

Switch-4-(config)#spanning-tree mode mst
Switch-4-(config)#spanning-tree mst configuration
Switch-4-(config-mst)#revision 1
Switch-4-(config-mst)#name MSTP
Switch-4-(config-mst)#instance 1 vlan 10,20,30
Switch-4-(config-mst)#instance 2 vlan 40,50,60
Switch-4-(config-mst)#exit

Switch-1-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-1-#
Switch-1-#
Switch-1-#show spanning-tree mst 2

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      32770 (32768 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr


Switch-1-(config)#spanning-tree mst 1 root primary
Switch-1-(config)#spanning-tree mst 2 root secondary
Switch-1-(config)#exit


Switch-1-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      24577 (24576 sysid 1)
Root          this switch for MST1
Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-1-#show spanning-tree mst 2
##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      28674 (28672 sysid 2)
Root          address aabb.cc00.0300  priority      2     (0 sysid 2)
            port    Et0/0           cost      4000000              rem hops 18
Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Root FWD 2000000   128.1    Shr
Et0/1                            Altn BLK 2000000   128.2    Shr

(As you can see in the output above, switch 1 is the root bridge for MST instance 1 but not for MST instance 2.)

Switch-3-(config)#spanning-tree mst 2 root primary
Switch-3-(config)#spanning-tree mst 1 root secondary



Switch-3-#show spanning-tree mst 2

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0300  priority      2     (0 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-3-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0300  priority      28673 (28672 sysid 1)
Root          address aabb.cc00.0100  priority      24577 (24576 sysid 1)
            port    Et0/1           cost      4000000              rem hops 18

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Altn BLK 2000000   128.1    Shr
Et0/1                            Root FWD 2000000   128.2    Shr

(As you can see, switch 3 is the root bridge for MST instance 2 but not for instance 1.)

If you like this blog, please visit our YouTube channel https://www.youtube.com/@internetworkss
