Nexus 1000v
www.silantia.com
- IGMP Snooping
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- IP Source Guard
- Port Security
- Access Control Lists (ACL)
- Private VLANs (PVLAN)
Nexus 1000v IGMP snooping
- The Nexus 1000v VEM can snoop the IGMP conversation between a VM adapter and the router (default gateway).
- The Nexus 1000v is a full IGMP snooping bridge, but it cannot perform the IGMP querier role.
ip igmp snooping ! Enables IGMP snooping at the global level
vlan 200
ip igmp snooping ! Enables IGMP snooping for this VLAN
ip igmp snooping explicit-tracking
ip igmp snooping mrouter interface ethernet 2/1
! vEths are not supported as router ports
ip igmp snooping static-group 230.0.0.1 interface vethernet 21
show ip igmp snooping vlan 200
Nexus 1000v Layer 2 Security feature
- Works the same way as the Layer 2 security features in physical switches.
- The security features require the Nexus 1000v Advanced license.
- Layer 2 security matters in a Virtual Desktop Infrastructure (VDI) environment, where each virtual machine is a user desktop.
- Unmanaged VMs can bring down the whole Layer 2 network if it is not protected at the VEM level.
Nexus 1000v Port-security
- MAC-to-port mapping: do not allow any MAC addresses other than those mapped to the port to pass traffic.
  - Static = static MAC-to-port mapping.
  - Dynamic = learn the MAC, map it to the port, then do not allow anyone else. The dynamic mapping can also be aged out.
  - Sticky = same as dynamic, but the mapping is stored on the VSM.
- Violations
  - Shutdown = shuts the port down. Simple, done.
  - Restrict = drops traffic from any other MAC addresses.
  - Protect = drops traffic from any other MACs like Restrict, but first learns the MAC of the first violator and logs it (its traffic is still dropped), and does not learn any other violators' MACs.
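The mapping modes and violation actions above, as an added example that is not Cisco's code and not part of the original deck: a small model of one port's port-security state, with the MAC values constructed for the walk-through.

```python
"""Added example, not Cisco code: a model of the port-security behaviour
described above (static, dynamic and sticky MAC-to-port mapping plus the
shutdown, restrict and protect violation modes). MAC values are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PortSecurity:
    mode: str = "dynamic"        # "static", "dynamic" or "sticky"
    violation: str = "shutdown"  # "shutdown", "restrict" or "protect"
    maximum: int = 1             # how many MACs the port may hold
    allowed: Set[str] = field(default_factory=set)       # current MAC-to-port mapping
    sticky_store: Set[str] = field(default_factory=set)  # what sticky mode persists on the VSM
    shutdown: bool = False
    first_violator: Optional[str] = None                 # protect: only the first violator is recorded
    log: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """Static mapping: configured by the operator rather than learned."""
        self.allowed.add(mac.lower())

    def ingress(self, mac: str) -> bool:
        """Return True if a frame from `mac` is forwarded, False if it is dropped."""
        mac = mac.lower()
        if self.shutdown:
            return False                    # an err-disabled port passes nothing
        if mac in self.allowed:
            return True
        if self.mode in ("dynamic", "sticky") and len(self.allowed) < self.maximum:
            self.allowed.add(mac)           # learn the MAC and map it to this port
            if self.mode == "sticky":
                self.sticky_store.add(mac)  # sticky survives where dynamic would be forgotten
            return True
        return self._violate(mac)

    def _violate(self, mac: str) -> bool:
        if self.violation == "shutdown":
            self.shutdown = True
            self.log.append(f"shutdown: port disabled after violation by {mac}")
        elif self.violation == "restrict":
            self.log.append(f"restrict: dropped frame from {mac}")
        elif self.first_violator is None:   # protect: log the first violator only
            self.first_violator = mac
            self.log.append(f"protect: first violator {mac}")
        return False                        # every mode drops the offending frame

    def age_out(self, mac: str) -> None:
        """Only dynamic mappings age out; static and sticky entries stay."""
        if self.mode == "dynamic":
            self.allowed.discard(mac.lower())
```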
Nexus 1000v Port-security
- You can configure port security only on Layer 2 interfaces.
- Details about port security and the different types of interfaces or ports:
  - Access ports
    - You can configure port security on interfaces that you have configured as Layer 2 access ports.
    - On an access port, port security applies only to the access VLAN.
  - Trunk ports
    - You can configure port security on interfaces that you have configured as Layer 2 trunk ports.
    - The device allows VLAN maximums only for VLANs associated with the trunk port.
  - SPAN ports
    - You can configure port security on SPAN source ports but not on SPAN destination ports.
Nexus 1000v DHCP snooping
- DHCP snooping functions like a firewall between untrusted hosts and trusted DHCP servers by doing the following:
  - Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.
  - Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  - Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
- Dynamic ARP Inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.
- When you enable DHCP snooping, by default, all vEthernet (vEth) ports are untrusted and all Ethernet
Nexus 1000v DHCP snooping
- DHCP operations are categorized into four basic phases:
  - IP Discovery
  - IP Lease Offer
  - IP Request
  - IP Lease Acknowledgement
- Only DHCP messages that come from a server connected to a trusted port are accepted.
- Any DHCP message on UDP port 68 (data from the server to the client) that is received on an untrusted port is dropped.
- The Nexus 1000v VEM builds and maintains the DHCP snooping binding database, which contains information about clients with leased IP addresses.
- It uses the DHCP snooping binding database to validate subsequent requests from clients.
Nexus 1000v DHCP snooping
- Configuration
  - Enable the DHCP feature.
    feature dhcp
  - Enable DHCP snooping globally.
    ip dhcp snooping
  - Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is disabled on all VLANs.
    ip dhcp snooping vlan vlan-list
  - Ensure that the DHCP server is connected to the device using a trusted interface.
    N1KV-VSM(config)# port-profile profilename
    N1KV-VSM(config-port-profile)# ip dhcp snooping trust
  - Configure the rate limit for DHCP packets.
    N1KV-VSM(config-if)# [no] ip dhcp snooping limit rate rate
Nexus 1000v DHCP snooping
- Configuration
  - Error-disable detection and recovery
    errdisable detect cause dhcp-rate-limit
    Enables DHCP error-disabled detection.
    errdisable recovery cause dhcp-rate-limit
    Enables DHCP error-disabled recovery.
    errdisable recovery interval time interval
    Sets the DHCP error-disabled recovery interval, where time interval is the number of seconds, from 30 to 65535.
Nexus 1000v DHCP snooping
- Verification
N1KV-VSM# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
100,200,250-252
DHCP snooping is operational on the following VLANs:
100,200,250-252
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface     Trusted   Pkt Limit
------------  -------   ---------
Vethernet1    No        Unlimited
Vethernet2    No        Unlimited
Vethernet3    Yes       15
Vethernet4    No        Unlimited
Vethernet5    No        Unlimited
Nexus 1000v DHCP snooping
- Verification
N1KV-VSM# show ip dhcp snooping statistics
Packets processed 0
Packets forwarded 0
Total packets dropped 0
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to service dhcp not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0
Nexus 1000v Dynamic ARP inspection
- DAI ensures that only valid ARP requests and responses are relayed. It intercepts all ARP requests and responses on untrusted ports and verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to the appropriate destination.
- DAI depends on the entries in the DHCP snooping binding database to verify the IP-to-MAC address bindings in incoming ARP requests and ARP responses.
- DAI is supported on vEthernet interfaces and private VLAN ports.
Nexus 1000v Dynamic ARP inspection
- Configuration:
N1KV-VSM(config)# ip arp inspection vlan #
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip arp inspection trust
- Verification
switch# show ip arp inspection interfaces vethernet 3
Interface      Trust State  Pkt Limit  Burst Interval
-------------  -----------  ---------  --------------
Vethernet9     Untrusted    30         5
Nexus 1000v Dynamic ARP inspection
- Rate limiting
ip arp inspection limit {rate pps [burst interval bint] | none}
  - Configures the specified ARP inspection limit on the interface or the port profile as follows.
  - rate: allowable values are between 1 and 2048 packets per second (pps).
    - The untrusted interface default is 15 packets per second.
    - The trusted interface default is 15 packets per second.
  - burst interval: allowable values are between 1 and 15 seconds (the default is 5 seconds).
  - none: an unlimited number of packets per second.
Nexus 1000v Dynamic ARP inspection
- Additional validation checks can be enabled:
  ip arp inspection validate ?
  - src-mac: checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body, for ARP requests and responses.
  - dst-mac: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body, for ARP responses.
  - ip: checks the ARP body for invalid and unexpected IP addresses. These include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
  arp access-list UNK-SW
  permit ip host 10.0.0.1 mac host 0000.0000.0001
  ip arp inspection filter UNK-SW vlan 10
- Error disable
  - A port may go into error-disable when ARP inspection is violated.
  N1KV-VSM(config)# errdisable detect cause arp-inspection
  N1KV-VSM(config)# errdisable recovery cause arp-inspection
  - You can shut / no shut the port, or configure error-disable recovery to recover automatically.
Nexus 1000v IP Source Guard
- IP Source Guard (IP SG) is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet match one of two sources of IP and MAC address bindings:
  - Entries in the DHCP snooping binding table.
  - Static IP source entries that you configure.
- You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping.
- When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
  - DHCP packets, which DHCP snooping inspects and then forwards or drops, depending on the result of inspecting the packet.
  - IP traffic from a source whose static IP entries are configured in the Cisco Nexus 1000V.
Nexus 1000v IP Source Guard
- Configuration (can also be done under the port-profile):
N1KV-VSM(config)# interface vethernet 31
N1KV-VSM(config-if)# ip verify source dhcp-snooping-vlan
- Verification:
switch (config-if)# show ip verify source interface vethernet 3
Filter Mode(for static bindings): IP-MAC
IP source guard is enabled on this interface.
Interface   Filter-mode  IP-address    Mac-address        Vlan
----------  -----------  ------------  -----------------  ----
Vethernet3  active       1.182.56.137  00:50:56:82:56:3e  1053
- Adding a static entry for IP SG:
N1KV-VSM(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface vethernet 3
Nexus 1000v DAI and IPSG
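How the three features fit together (the DHCP snooping, DAI and IP Source Guard slides above), as an added example that is neither Cisco's code nor part of the original deck: a model of one VEM building its DHCP snooping binding table from the four DHCP phases and then consulting it for ARP inspection (including the src-mac and ip validate checks) and for IP Source Guard. Port names, MAC addresses and IP addresses are constructed, and a single trusted set stands in for both the DHCP snooping trust and the ARP inspection trust settings as a simplification.

```python
"""Added example, not Cisco code: a model of how the VEM's DHCP snooping binding
table is built and then consumed by Dynamic ARP Inspection and IP Source Guard.
Port names, MACs and addresses are constructed; one trusted set is used for both
DHCP snooping trust and ARP inspection trust as a simplification."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK"}           # lease offer / lease acknowledgement phases
CLIENT_MSGS = {"DISCOVER", "REQUEST"}    # IP discovery / IP request phases


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Vem:
    snooping_vlans: Set[int] = field(default_factory=set)  # ip dhcp snooping vlan ...
    trusted: Set[str] = field(default_factory=set)         # snooping trust / arp inspection trust
    ipsg_ports: Set[str] = field(default_factory=set)      # ip verify source dhcp-snooping-vlan
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)
    static: Set[Tuple[str, str, int, str]] = field(default_factory=set)  # ip source binding ...
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)    # client port awaiting ACK
    drops: List[Tuple[str, str]] = field(default_factory=list)           # (reason, port)

    def _drop(self, reason: str, port: str) -> bool:
        self.drops.append((reason, port))
        return False

    def dhcp(self, port: str, vlan: int, eth_src: str, msg: str,
             chaddr: str, yiaddr: Optional[str] = None) -> bool:
        """DHCP snooping; returns True when the message is forwarded."""
        if vlan not in self.snooping_vlans:
            return True                                   # no inspection on this VLAN
        if msg in SERVER_MSGS:
            if port not in self.trusted:                  # server reply on an untrusted port
                return self._drop("dhcp-server-msg-on-untrusted-port", port)
            if msg == "ACK" and (chaddr, vlan) in self.pending:
                client_port = self.pending.pop((chaddr, vlan))
                self.bindings[(chaddr, vlan)] = Binding(chaddr, yiaddr, vlan, client_port)
            return True
        if msg in CLIENT_MSGS:
            if port not in self.trusted and eth_src != chaddr:   # MAC address verification
                return self._drop("dhcp-mac-check-failure", port)
            self.pending[(chaddr, vlan)] = port           # remember where the client lives
            return True
        return self._drop("dhcp-unknown-message", port)

    def arp(self, port: str, vlan: int, eth_src: str, sender_mac: str, sender_ip: str,
            validate_src_mac: bool = True, validate_ip: bool = True) -> bool:
        """Dynamic ARP Inspection for an ARP request or response."""
        if port in self.trusted:
            return True
        if validate_src_mac and eth_src != sender_mac:    # 'ip arp inspection validate src-mac'
            return self._drop("dai-src-mac", port)
        if validate_ip and (sender_ip in ("0.0.0.0", "255.255.255.255")
                            or IPv4Address(sender_ip).is_multicast):  # '... validate ip'
            return self._drop("dai-invalid-ip", port)
        b = self.bindings.get((sender_mac, vlan))
        if b is None or b.ip != sender_ip or b.port != port:
            return self._drop("dai-no-binding", port)
        return True

    def ip_source_binding(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """Static entry, as in 'ip source binding <ip> <mac> vlan <n> interface <port>'."""
        self.static.add((ip, mac, vlan, port))

    def ip_packet(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard for non-DHCP IP traffic on an IPSG-enabled port."""
        if port not in self.ipsg_ports:
            return True
        b = self.bindings.get((src_mac, vlan))
        if b is not None and b.ip == src_ip and b.port == port:
            return True
        if (src_ip, src_mac, vlan, port) in self.static:
            return True
        return self._drop("ipsg-no-binding", port)


def demo() -> Vem:
    """Constructed walk-through: a client on Vethernet3 leases 10.5.22.20 via the uplink."""
    vem = Vem(snooping_vlans={100}, trusted={"Ethernet2/1"}, ipsg_ports={"Vethernet3"})
    client, server = "00:50:56:82:56:3e", "00:0c:29:aa:bb:cc"
    vem.dhcp("Vethernet3", 100, client, "DISCOVER", client)
    vem.dhcp("Ethernet2/1", 100, server, "OFFER", client, "10.5.22.20")
    vem.dhcp("Vethernet3", 100, client, "REQUEST", client)
    vem.dhcp("Ethernet2/1", 100, server, "ACK", client, "10.5.22.20")
    return vem
```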
Nexus 1000v ACL
- Two types of ACLs are supported in the Nexus 1000v:
  - IP ACL: applied only to IP traffic.
  - MAC ACL: applied only to non-IP traffic.
- Order of ACL application:
  - Ingress port ACL
  - Egress port ACL
- A MAC ACL supports the following additional filtering options:
  - Layer 3 protocol
  - VLAN ID
  - Class of Service (CoS)
Nexus 1000v IP ACL
- An IP ACL supports the following additional filtering options:
  - Layer 4 protocol
  - TCP and UDP ports
  - ICMP types and codes
  - IGMP types
  - Precedence level
  - Differentiated Services Code Point (DSCP) value
  - TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
- All ACLs are configured through the CLI on the VSM; when an ACL is applied to a port-profile or to a vEth/Ethernet port, it is processed at the VEM level.
Nexus 1000v IP ACL
- Configuration example:
ip access-list DENY_OSPF
10 deny ip any 224.0.0.5/32
20 deny ip any 224.0.0.6/32
30 permit ip any any
ip access-list DENY_TELNET
10 deny tcp any 150.10.2.1/32 eq telnet
20 permit ip any any
port-profile type veth SERVERFARM1
ip access-group DENY_TELNET in
Nexus 1000v Private VLANs
- Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs.
- All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
- All members of the private VLAN share a common address space, which is allocated to the primary VLAN.
- Private VLANs can span multiple switches. A trunk port carries the primary VLAN and the secondary VLANs to a neighboring switch (uplink ports in the case of the Nexus 1000v).
Nexus 1000v Private VLANs
- Enable private VLANs and configure the primary and secondary VLANs:
feature private-vlan
vlan 153
private-vlan primary
private-vlan association 154-155
vlan 154
private-vlan community
vlan 155
private-vlan isolated
Nexus 1000v Private VLANs
! Private vlan configured on port-profile
port-profile type vethernet pv154
vmware port-group
switchport mode private-vlan host
switchport private-vlan host-association 153 154
no shutdown
state enabled
! You can also configure the private VLAN on the vEth port itself.
port-profile type vethernet pv155
vmware port-group
switchport mode private-vlan host
switchport private-vlan host-association 153 155
no shutdown
state enabled
!
Nexus 1000v Private VLANs
- Create an uplink port-profile carrying the private VLANs:
port-profile type ethernet pcpvtrunk
vmware port-group
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk 153 154-155
switchport private-vlan trunk allowed vlan 153-155
channel-group auto mode on mac-pinning
no shutdown
state enabled
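The private VLAN configuration above (primary 153, community 154, isolated 155, promiscuous uplink), as an added example that is not Cisco's code and not part of the original deck: a parser for the vlan block from the slides and a forwarding decision that applies the PVLAN rules (a promiscuous port reaches every member, community members reach each other, isolated members reach only promiscuous ports). The port names are constructed.

```python
"""Added example, not Cisco code: parse the private-VLAN definitions from the
slides and decide whether two ports may exchange frames under PVLAN rules.
Port names are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Embedded from the slide (the VLAN block of the Nexus 1000v Private VLANs page).
PVLAN_CONFIG = """\
vlan 153
private-vlan primary
private-vlan association 154-155
vlan 154
private-vlan community
vlan 155
private-vlan isolated
"""


@dataclass(frozen=True)
class Port:
    name: str
    primary: int
    secondary: Optional[int] = None   # None marks a promiscuous port (the uplink trunk)


def _expand(spec: str) -> Set[int]:
    """'154-155,157' -> {154, 155, 157}, following the NX-OS range syntax."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_pvlan(text: str) -> Dict[int, dict]:
    """Return {vlan: {'type': 'primary'|'community'|'isolated', 'assoc': set()}}."""
    vlans: Dict[int, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "vlan":
            current = vlans.setdefault(int(tokens[1]), {"type": None, "assoc": set()})
        elif current is None:
            raise ValueError(f"line outside a vlan block: {raw!r}")
        elif tokens[:2] == ["private-vlan", "association"]:
            current["assoc"] = _expand(tokens[2])
        elif tokens[0] == "private-vlan":
            current["type"] = tokens[1]
    return vlans


def can_forward(vlans: Dict[int, dict], a: Port, b: Port) -> bool:
    """PVLAN forwarding decision between two ports of the same VEM."""
    if a.primary != b.primary or vlans.get(a.primary, {}).get("type") != "primary":
        return False                          # different or undefined primary VLAN
    for p in (a, b):
        if p.secondary is not None and p.secondary not in vlans[p.primary]["assoc"]:
            return False                      # secondary not associated with this primary
    if a.secondary is None or b.secondary is None:
        return True                           # a promiscuous port reaches every member
    if a.secondary != b.secondary:
        return False                          # different subdomains never talk directly
    return vlans.get(a.secondary, {}).get("type") == "community"   # isolated hosts stay apart
```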

20240607 QFM018 Elixir Reading List May 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 

Nexus 1000v part ii

  • 1. Nexus 1000v
www.silantia.com
- IGMP Snooping
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- IP Source Guard
- Port Security
- Access Control Lists (ACL)
- Private VLANs (PVLAN)

  • 2. Nexus 1000v IGMP snooping
- The Nexus 1000v VEM can snoop the IGMP conversation between a VM adapter and the router (default gateway).
- The Nexus 1000v is a full IGMP snooping bridge, but it cannot perform the IGMP querier job.
ip igmp snooping ! Enables at global level
vlan 200
ip igmp snooping ! Enables per vlan IGMP snooping
ip igmp snooping explicit-tracking
ip igmp snooping mrouter interface ethernet 2/1
! vEths are not supported as router ports
ip igmp snooping static-group 230.0.0.1 interface vethernet 21
show ip igmp snooping vlan 200

  • 3. Nexus 1000v Layer 2 Security feature
- Works exactly like the Layer 2 security features in physical switches.
- Security features require the Nexus 1000v Advanced License.
- Layer 2 security is important in Virtual Desktop Infrastructure type environments, where each virtual machine is a user desktop.
- Unmanaged VMs can bring down the whole Layer 2 network if it is not protected at the VEM level.

  • 4. Nexus 1000v Port-security
- MAC-to-Port Mapping
- Don't allow any MAC addresses other than those mapped to pass traffic
- Static = Static MAC-to-Port Mapping
- Dynamic = Learn the MAC, map it to the port, then don't allow anyone ELSE
- Can also age this dynamic mapping out
- Sticky = Same as dynamic, but the mapping is stored on the VSM
- Violations
- Shutdown = Shuts the port down. Simple, done.
- Restrict = Drops traffic from any other MAC addresses
- Protect = Basically drops traffic from any other MACs like Restrict, but first it learns the MAC of the first violator and logs it (still drops its traffic too) and doesn't learn any other violators' MACs

  • 5. Nexus 1000v Port-security
- You can configure port security only on Layer 2 interfaces
- Details about port security and different types of interfaces or ports are as follows:
- Access ports
  - You can configure port security on interfaces that you have configured as Layer 2 access ports
  - On an access port, port security applies only to the access VLAN
- Trunk ports
  - You can configure port security on interfaces that you have configured as Layer 2 trunk ports
  - The device allows VLAN maximums only for VLANs associated with the trunk port
- SPAN ports
  - You can configure port security on SPAN source ports but not on SPAN destination ports
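An added example, not from the slides, that models the mapping modes and the three violation actions exactly as slide 4 describes them (static, dynamic and sticky mapping; shutdown, restrict and protect). The class, port names and MAC addresses are constructed for illustration, not Nexus 1000v code.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class SecuredPort:
    """Constructed model of one port-secured vEth (not Nexus 1000v code)."""
    name: str
    maximum: int = 1                  # how many secure MACs the port may hold
    violation: str = SHUTDOWN         # shutdown | restrict | protect
    sticky: bool = False              # sticky: learned MACs are also stored on the VSM
    static: Set[str] = field(default_factory=set)    # static MAC-to-port mappings
    learned: Set[str] = field(default_factory=set)   # dynamically learned mappings
    saved_to_vsm: Set[str] = field(default_factory=set)
    errdisabled: bool = False
    logged_violator: Optional[str] = None   # protect: only the first violator is kept
    log: List[str] = field(default_factory=list)

    def allowed(self) -> Set[str]:
        return self.static | self.learned

    def ingress(self, src_mac: str) -> bool:
        """True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.errdisabled:
            return False
        if src_mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            # Dynamic / sticky: learn the MAC and map it to this port.
            self.learned.add(src_mac)
            if self.sticky:
                self.saved_to_vsm.add(src_mac)
            return True
        # Violation: the port is at its maximum and this MAC is not mapped to it.
        if self.violation == SHUTDOWN:
            self.errdisabled = True
            self.log.append(f"{self.name}: violation by {src_mac}, port shut down")
        elif self.violation == PROTECT and self.logged_violator is None:
            # Protect (as the deck describes it): learn and log the first violator
            # only, still drop its traffic; later violators are neither learned nor logged.
            self.logged_violator = src_mac
            self.log.append(f"{self.name}: violation by {src_mac} (protect)")
        # Restrict: drop silently and keep the port up.
        return False

    def age_out(self, mac: str) -> None:
        """Dynamic mappings can be aged out; static mappings are never aged."""
        self.learned.discard(mac)
```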
  • 6. Nexus 1000v DHCP snooping
- DHCP snooping functions like a firewall between untrusted hosts and trusted DHCP servers by doing the following:
  - Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.
  - Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  - Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
- Dynamic ARP Inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.
- When you enable DHCP snooping, by default, all vEthernet (vEth) ports are untrusted and all Ethernet

  • 7. Nexus 1000v DHCP snooping
- DHCP operations are categorized into four basic phases:
  - IP Discovery
  - IP Lease Offer
  - IP Request
  - IP Lease Acknowledgement
- Only DHCP messages that come from a server that is connected to a trusted port are accepted.
- Any DHCP message on UDP port 68 (data from the server to the client) that is received on an untrusted port is dropped.
- The Nexus 1000v VEM builds and maintains the DHCP snooping binding database, which contains information about clients with leased IP addresses.
- It uses the DHCP snooping binding database to validate subsequent requests from clients.

  • 8. Nexus 1000v DHCP snooping
- Configuration
- Enable the DHCP feature.
feature dhcp
- Enable DHCP snooping globally.
ip dhcp snooping
- Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is disabled on all VLANs.
ip dhcp snooping vlan vlan-list
- Ensure that the DHCP server is connected to the device using a trusted interface.
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip dhcp snooping trust
- Configuring the Rate Limit for DHCP Packets
N1KV-VSM(config-if)# [no] ip dhcp snooping limit rate rate

  • 9. Nexus 1000v DHCP snooping
- Configuration
- Error disable detection and recovery
errdisable detect cause dhcp-rate-limit ! Enables DHCP error-disabled detection.
errdisable recovery cause dhcp-rate-limit ! Enables DHCP error-disabled recovery.
errdisable recovery interval time-interval ! Sets the DHCP error-disabled recovery interval, where time-interval is the number of seconds from 30 to 65535.

  • 10. Nexus 1000v DHCP snooping
- Verification
N1KV-VSM# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
100,200,250-252
DHCP snooping is operational on the following VLANs:
100,200,250-252
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface     Trusted   Pkt Limit
------------  -------   ---------
Vethernet1    No        Unlimited
Vethernet2    No        Unlimited
Vethernet3    Yes       15
Vethernet4    No        Unlimited
Vethernet5    No        Unlimited

  • 11. Nexus 1000v DHCP snooping
- Verification
N1KV-VSM# show ip dhcp snooping statistics
Packets processed 0
Packets forwarded 0
Total packets dropped 0
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to service dhcp not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0

  • 12. Nexus 1000v Dynamic ARP inspection
- DAI ensures that only valid ARP requests and responses are relayed. It intercepts all ARP requests and responses on untrusted ports and verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to the appropriate destination.
- DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses.
- DAI is supported on vEthernet interfaces and private VLAN ports.

  • 13. Nexus 1000v Dynamic ARP inspection
- Configuration:
N1KV-VSM(config)# ip arp inspection vlan #
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip arp inspection trust
- Verification:
switch# show ip arp inspection interfaces vethernet 3
Interface      Trust State  Pkt Limit  Burst Interval
-------------  -----------  ---------  --------------
Vethernet9     Untrusted    30         5

  • 14. Nexus 1000v Dynamic ARP inspection
- Rate limiting
ip arp inspection limit {rate pps [burst interval bint] | none}
- Configures the specified ARP inspection limit on the interface or the port profile as follows:
  - rate: allowable values are between 1 and 2048 packets per second (pps).
    - The untrusted interface default is 15 packets per second.
    - The trusted interface default is 15 packets per second.
  - burst interval: allowable values are between 1 and 15 seconds (the default is 5 seconds).
  - none: an unlimited number of packets per second.

  • 15. Nexus 1000v Dynamic ARP inspection
- Additional validation checks can be enabled:
ip arp inspection validate ?
  - src-mac: Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses
  - dst-mac: Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses
  - ip: Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses
arp access-list UNK-SW
  permit ip host 10.0.0.1 mac host 0000.0000.0001
ip arp inspection filter UNK-SW vlan 10
- Error disable
- The port may go into error-disable when ARP inspection is violated.
N1KV-VSM(config)# errdisable detect cause arp-inspection
N1KV-VSM(config)# errdisable recovery cause arp-inspection
- You can shut/no shut the port or configure error-disable recovery to recover automatically.

  • 16. Nexus 1000v IP Source Guard
- IP SG is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet match one of two sources of IP and MAC address bindings:
  - Entries in the DHCP snooping binding table.
  - Static IP source entries that you configure.
- You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping.
- When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
  - DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.
  - IP traffic from a source whose static IP entries are configured in the Cisco Nexus 1000V.

  • 17. Nexus 1000v IP Source Guard
- Configuration (can also be done under a port-profile):
N1KV-VSM(config)# interface vethernet 31
N1KV-VSM(config-if)# ip verify source dhcp-snooping-vlan
- Verification:
switch(config-if)# show ip verify source interface vethernet 3
Filter Mode(for static bindings): IP-MAC
IP source guard is enabled on this interface.
Interface   Filter-mode  IP-address    Mac-address        Vlan
----------  -----------  ------------  -----------------  ----
Vethernet3  active       1.182.56.137  00:50:56:82:56:3e  1053
- Adding a static entry for IP SG:
N1KV-VSM(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface vethernet 3
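An added example, not from the slides, of how the VEM's DHCP snooping binding database (slides 6 to 11) feeds both DAI with its src-mac and ip validation checks (slides 12 to 15) and IP Source Guard with its static entries (slides 16 and 17). The class is a constructed model, not Nexus 1000v code; the port names and the trusted uplink Eth2/1 are assumptions, and the lease values reuse those shown on slide 17.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding database (or a static entry)."""
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingVem:
    """Constructed model of one VEM: DHCP snooping fills the binding database,
    DAI and IP Source Guard consult it together with 'ip source binding' rows."""

    def __init__(self, vlans: Set[int], dhcp_trust: Set[str], arp_trust: Set[str],
                 ipsg_ports: Set[str], validate=("src-mac", "ip")):
        self.vlans, self.dhcp_trust, self.arp_trust = vlans, dhcp_trust, arp_trust
        self.ipsg_ports, self.validate = ipsg_ports, set(validate)
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (mac, vlan) -> row
        self.drops: List[Tuple[str, str]] = []              # (reason, port), like the counters

    def _drop(self, reason: str, port: str) -> bool:
        self.drops.append((reason, port))
        return False

    def add_static(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """ip source binding <ip> <mac> vlan <vlan> interface <port>"""
        self.bindings[(mac, vlan)] = Binding(ip, mac, vlan, port)

    def dhcp_reply(self, ingress: str, vlan: int, client_port: str,
                   client_mac: str, yiaddr: str) -> bool:
        """Server-to-client DHCP (UDP 68): accepted only from a trusted port; an
        accepted lease is recorded against the client's vEth on the snooped VLAN."""
        if vlan not in self.vlans:
            return True                                   # snooping off on this VLAN
        if ingress not in self.dhcp_trust:
            return self._drop("dhcp-untrusted-port", ingress)
        self.bindings[(client_mac, vlan)] = Binding(yiaddr, client_mac, vlan, client_port)
        return True

    def arp(self, port: str, vlan: int, eth_src: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI on an untrusted port: optional header checks first, then the sender
        IP/MAC pair must match a binding on this VLAN."""
        if port in self.arp_trust or vlan not in self.vlans:
            return True
        if "src-mac" in self.validate and eth_src != sender_mac:
            return self._drop("dai-src-mac", port)
        if "ip" in self.validate and (sender_ip in ("0.0.0.0", "255.255.255.255")
                                      or ip_address(sender_ip).is_multicast):
            return self._drop("dai-invalid-ip", port)
        row = self.bindings.get((sender_mac, vlan))
        if row is None or row.ip != sender_ip:
            return self._drop("dai-no-binding", port)
        return True

    def ip_packet(self, port: str, vlan: int, src_mac: str, src_ip: str,
                  dhcp: bool = False) -> bool:
        """IP Source Guard: on a guarded port only DHCP (handed on to snooping) and
        traffic whose IP+MAC matches a binding for this port and VLAN is forwarded."""
        if port not in self.ipsg_ports or dhcp:
            return True
        row = self.bindings.get((src_mac, vlan))
        if row is None or row.ip != src_ip or row.port != port:
            return self._drop("ipsg-no-binding", port)
        return True
```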
  • 18. Nexus 1000v DAI and IPSG

  • 19. Nexus 1000v ACL
- Two types of ACLs are supported in Nexus 1000v:
  - IP ACL: applied only to IP traffic
  - MAC ACL: applied only to non-IP traffic
- Order of ACL application:
  - Ingress port ACL
  - Egress port ACL
- MAC ACL supports the following additional filtering options:
  - Layer 3 protocol
  - VLAN ID
  - Class of Service (CoS)

  • 20. Nexus 1000v IP ACL
- IP ACL supports the following additional filtering options:
  - Layer 4 protocol
  - TCP and UDP ports
  - ICMP types and codes
  - IGMP types
  - Precedence level
  - Differentiated Services Code Point (DSCP) value
  - TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
- All ACLs are configured via the CLI on the VSM; when an ACL is applied to a port-profile or a veth/ethernet port, it is processed at the VEM level.

  • 21. Nexus 1000v IP ACL
- Configuration example:
ip access-list DENY_OSPF
  10 deny ip any 224.0.0.5/32
  20 deny ip any 224.0.0.6/32
  30 permit ip any any
ip access-list DENY_TELNET
  10 deny tcp any 150.10.2.1/32 eq telnet
  20 permit ip any any
port-profile type veth SERVERFARM1
  ip access-group DENY_TELNET in

  • 22. Nexus 1000v Private VLANs
- Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs.
- All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
- All members in the private VLAN share a common address space, which is allocated to the primary VLAN.
- Private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch (uplink ports in the case of the Nexus 1000v).

  • 23. Nexus 1000v Private Vlans
- Enable private VLANs and configure the primary and secondary VLANs:
feature private-vlan
vlan 153
  private-vlan primary
  private-vlan association 154-155
vlan 154
  private-vlan community
vlan 155
  private-vlan isolated

  • 24. Nexus 1000v Private Vlans
! Private vlan configured on port-profile
port-profile type vethernet pv154
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
  no shutdown
  state enabled
! You can configure private vlan on Veth port itself.
port-profile type vethernet pv155
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 155
  no shutdown
  state enabled
!

  • 25. Nexus 1000v Private Vlans
- Create the uplink port-profile carrying the private VLANs:
port-profile type ethernet pcpvtrunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan trunk allowed vlan 153-155
  channel-group auto mode on mac-pinning
  no shutdown
  state enabled