Configuring RIP between HP ProCurve and Cisco Switches


I needed to distribute routes between an HP ProCurve and a Cisco Catalyst switch. The HP ProCurve switch mode used was a 3500-48yl without the premium license; therefore I was only able to use RIP and not OSPF. The Cisco switch used was a Catalyst 3560-8 IOS 12.2(55) IPBase. You will notice from the configuration below the difference in commands between the ProCurve and Cisco switches.

Continue reading “Configuring RIP between HP ProCurve and Cisco Switches”


Cisco ISR G2 Router bad IPSec performance

I’ve been testing a new DMVPN with IPSec encryption utilising brand new Cisco 3945 ISR G2 routers. I performed some basic performance tests using “iperf” with just a GRE tunnel (no encryption) between 2 sites and I was consistently getting 91Mbps throughput (not bad). Upon adding the encryption (AES-128) and re-running the tests the result were erratic with the throughput ranging from 16Mbps – 52.7Mbps with an average around 30Mbps.

Continue reading “Cisco ISR G2 Router bad IPSec performance”

Configuring Dynamic Multipoint VPN (DMVPN)

The Dynamic Multipoint VPN (DMVPN) allows for a large scale IPSec VPN deployment with reduced configuration/complexity. It uses GRE, Next Hop Resolution Protocol (NHRP) and IPSec Encryption and unlike traditional IPSec VPNs DMVPN does not require Crypto ACLs, instead DMVPN requires a single mGRE tunnel interface and a single IPSec profile. In a large DMVPN environment this greatly reduces the size of configuration on the hub router.

DMVPN can be deployed using two models; Hub-and-Spoke and Spoke-to-Spoke:

Hub-and-Spoke (Phase 1) – requires each spoke have a point-to-point to GRE interface to build a tunnel to the hub router, all traffic flows through the hub router.

Spoke-to-Spoke  (Phase 2 and Phase 3) – requires each spoke to have an mGRE interface, to provide spoke-to-spoke communication in addition to Hub-and-spoke communication.

Continue reading “Configuring Dynamic Multipoint VPN (DMVPN)”

CCNP SWITCH: DHCP Snooping and Dynamic ARP Inspection

DHCP Snooping

An attacker could connect a rogue DHCP server onto a network replying to client DHCP requests that designates an incorrect default gateway and DNS severs, leading to a man-in-the-middle attack enabling the hacker to gain sensitive information such as usernames and passwords. DHCP Snooping can prevent this by trusting the switch port(s) a legitimate DHCP server is connect to, with all other switch ports defined as un-trusted. An un-trusted port is blocked from sending any DHCP server responses and can only request and IP address.

DHCP snooping builds a binding table which contains the client MAC address, IP address, lease time, binding type, VLAN number and port ID recorded as clients request a DHCP address when plugged into an un-trusted port. All ports are un-trusted unless specifically configured as trusted.

Enable DHCP Snooping and enable on the VLAN

Switch (config)# ip dhcp snooping
Switch (config)# ip dhcp snooping vlan 10

Continue reading “CCNP SWITCH: DHCP Snooping and Dynamic ARP Inspection”

CCNP SWITCH: Portfast, BPDUGuard, RootGuard


Enable Portfast per interface

Switch (config)# interface range fastethernet 0/1-48
Switch (config-if)# spanning-tree portfast

Enable Portfast globally on all access ports (NOTE – this will not enable portfast on trunk link until you configure “spanning-tree portfast trunk” on the interface)

Switch (config)# spanning-tree portfast default

Troubleshooting commands

Switch (config)# show spanning-tree interface fastethernet 0/4 portfast
Switch (config)# show spanning-tree summary

Continue reading “CCNP SWITCH: Portfast, BPDUGuard, RootGuard”

CCNP SWITCH: VLAN Access Control Lists (VACL)

VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-map conventions in which sequences are checked in order. When traffic is matched the switch will process and take the required action (Forward, Redirect or Drop).

In the scenario below all computers in VLAN 10 will be blocked communicating on TCP 3389 (Remote Desktop) and TCP 80 (HTTP) and permit all other traffic to other computers within the same VLAN.

VACL Configuration

Define IP access list to identify ‘permit’ the source, destination and port(s)

3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp eq 3389
3560-1(config-ext-nacl)# permit tcp eq 80
3560-1(config-ext-nacl)# exit

Continue reading “CCNP SWITCH: VLAN Access Control Lists (VACL)”

Disabling Check Point WebUI first time configuration wizard


To install a new Check Point appliance from fresh normally you must run the first time installation wizard, this can easily be overridden by running the command “touch /etc/.wizard_accepted” from expert mode. Once the first time wizard has been disabled you can run the “cpconfig” command to configure the appliance from the CLI.


You need to disable the wizard in expert mode, you must set the expert password before you can login to expert mode

Continue reading “Disabling Check Point WebUI first time configuration wizard”