blog at digidraft.net

HA

2017-08-10

Introduction

    In most deployments a network security component is a critical single point of failure, since all traffic passes through it. A high availability (HA) feature provides a redundancy solution for two or more network devices. FortiOS removes the standalone single point of failure with a number of protocols:

  • FortiGate Cluster Protocol (FGCP) - creates a cluster of two to four FortiGates that appears to the network as a single unit
  • FortiGate Session Life Support Protocol (FGSP) - creates peers that each process traffic already load-balanced to them by an external device and synchronize sessions and part of the configuration between them
  • Session-Aware Load Balancing Clustering (SLBC) - consists of one or more FortiControllers acting as load balancers and FortiGate-5000 blades operating as workers, all installed in one or two FortiGate-5000 series chassis
  • Enhanced Load Balanced Clustering (ELBC) - uses FortiSwitch-5000 series load balancers to distribute traffic to FortiGate-5000 workers installed in a FortiGate-5000 chassis
  • Content Clustering - employs FortiSwitch-5203Bs or FortiController-5902Ds to load balance content sessions to FortiGate-5000 workers
  • VRRP - the industry-standard Virtual Router Redundancy Protocol, for interoperability with non-Fortinet routers

FGCP with multiple VDOMs enabled

    The diagram below shows two network segments, each with a router and a FortiGate 1200D.

[Diagram ha_1: two network segments, each with a router and a FortiGate 1200D]

    Each FortiGate has four VDOMs, two of which are ....


Secure Access

2017-07-03

Switch Access

Error Conditions

    By default, a Catalyst switch detects an error condition on every switch port for every possible cause. If an error condition is detected, the switch port is put into the "errdisable" state and is disabled; it stays there until an administrator bounces it (shutdown, then no shutdown) or errdisable recovery is configured for that cause. Detection can be narrowed per cause with the following command:

Switch(config)# [no] errdisable detect cause {all | cause-name}
  • all - detects every possible cause
  • arp-inspection - detects errors with dynamic ARP inspection
  • bpduguard - detects when a spanning-tree bridge protocol data unit (BPDU) is received on a port configured for STP PortFast
  • dhcp-rate-limit - detects an error with DHCP snooping
  • dtp-flap - detects when trunking encapsulation is changing from one type to another
  • gbic-invalid - detects the presence of an invalid GBIC or SFP module
  • inline-power - detects an error with offering PoE inline power
  • l2ptguard - detects an error with Layer 2 Protocol Tunneling
  • link-flap - detects when the port link state is “flapping” between the up and down states
  • loopback - detects when an interface has been looped back
  • pagp-flap - detects when an EtherChannel bundle’s ports no longer have consistent configurations
  • pppoe-ia-rate-limit - detects errors with PPPoE Intermediate Agent rate limiting
  • psecure-violation - detects conditions that trigger port security configured on a ....

High Availability

2017-06-21

Leveraging Logical Switches

StackWise

    The same daisy-chain scheme can be used to connect up to nine physical switches. The ring can be broken to add or remove a switch, but the remaining switches stay connected over the rest of the ring. In other words, you can make changes to the stack without interrupting its operation.

Virtual Switching System

    With platforms like the Cisco Catalyst 4500R, 6500, and 6800, you can configure two identical chassis to work as one logical switch. This is known as a Virtual Switching System (VSS), often called a VSS pair. To build the logical switch, the two chassis must be linked together by multiple interfaces that have been configured as a virtual switch link (VSL).

    VSS1440 refers to the VSS formed by two Cisco Catalyst 6500 Series Switches with the Virtual Switching Supervisor 720-10GE. In a VSS, the data plane and switch fabric of the supervisor engine in each chassis, with a capacity of 720 Gbps each, are active at the same time on both chassis, combining for an active 1440-Gbps switching capacity per VSS (hence the name). Only one of the virtual switch members has the active control plane. Both chassis are kept in sync with the interchassis Stateful Switchover (SSO) ....


Monitoring Campus

2017-06-16

Logging

Severity Levels

Emergencies (0), Alerts (1), Critical (2), Errors (3) - typical message sources at these levels:

  • crashes
  • stopped processes
  • platform errors
  • hardware issues
  • port security
  • STP
  • ACL issues
  • TCAM issues
  • PAgP problems
  • Ethernet controller
  • interface up/down

Warnings (4), Notifications (5), Informational (6), Debugging (7) - typical message sources at these levels:

  • DHCP snooping
  • 802.1X
  • DTP
  • EtherChannel
  • inline power
  • STP
  • interface line protocol
  • stack events
  • port security
  • dynamic ARP inspection
  • VTP
  • UDLD
  • hardware diagnostics
  • debug output

Message format

00:30:39: %SYS-5-CONFIG_I: Configured from Console by Console
Timestamp   Facility-Severity-Mnemonic   Message Text
  • Timestamp - the date and time from the internal switch clock. By default this is the switch uptime, so configure service timestamps log datetime (ideally with msec and an NTP-synchronized clock) before the logs are relied on as evidence.
  • Facility Code - a system identifier that categorizes the switch function or module that has generated the message; the facility code always begins with a percent sign.
  • Severity - a number from 0 to 7 that indicates how important or severe the event is; a lower severity means the event is more critical.
  • Mnemonic - a short text string that categorizes the event within the facility code
  • Message Text - a ....
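As an added example (not code from the original page), the parser below takes Cisco IOS syslog lines in the format described above (optional sequence number and timestamp, then %FACILITY-SEVERITY-MNEMONIC and the message text), tallies them by severity name, and follows the errdisable events from the Switch Access post: a port put into err-disable by bpduguard or psecure-violation and later recovered. The sample log is constructed for the demo; the interface names and addresses in it are made up, while the message shapes follow real IOS messages.

```python
"""Parse Cisco IOS syslog lines and summarize errdisable / security events.

Added example, not code from the original page. The sample log below is
constructed; interface names and addresses in it are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# [seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: message text
# The timestamp is uptime (hh:mm:ss) unless "service timestamps log datetime"
# is configured, so it is kept as an opaque string rather than parsed.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[^%]*?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
# Port-manager messages emitted when errdisable detection fires / recovers.
ERR_DISABLE_RE = re.compile(r"^(?P<cause>\S+) error detected on (?P<iface>\S+), putting ")
ERR_RECOVER_RE = re.compile(r"err-disable state on (?P<iface>\S+)$")


@dataclass
class SyslogMessage:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Split one IOS log line into its fields; None if it is not a syslog message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(m.group("ts"), m.group("facility"), int(m.group("severity")),
                         m.group("mnemonic"), m.group("text"))


def summarize(log_text: str, urgent_threshold: int = 3) -> dict:
    """Count messages per severity and track which ports errdisable left down.

    Messages at severity <= urgent_threshold (errors and worse by default) are
    collected separately so an operator sees them first.
    """
    by_severity = {name: 0 for name in SEVERITY_NAMES.values()}
    errdisabled, recovered, urgent = {}, [], []
    unparsed = config_changes = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_message(line)
        if msg is None:
            unparsed += 1
            continue
        by_severity[msg.severity_name] += 1
        if msg.severity <= urgent_threshold:
            urgent.append(f"{msg.facility}-{msg.severity}-{msg.mnemonic}")
        if msg.facility == "SYS" and msg.mnemonic == "CONFIG_I":
            config_changes += 1  # running-config was changed: worth alerting on
        elif msg.facility == "PM" and msg.mnemonic == "ERR_DISABLE":
            m = ERR_DISABLE_RE.match(msg.text)
            if m:
                errdisabled[m.group("iface")] = m.group("cause")
        elif msg.facility == "PM" and msg.mnemonic == "ERR_RECOVER":
            m = ERR_RECOVER_RE.search(msg.text)
            if m and errdisabled.pop(m.group("iface"), None) is not None:
                recovered.append(m.group("iface"))
    return {"by_severity": by_severity, "errdisabled": errdisabled,
            "recovered": recovered, "urgent": urgent,
            "config_changes": config_changes, "unparsed": unparsed}


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
000101: *Jun 16 10:02:11.301 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
000102: *Jun 16 10:02:40.120 UTC: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
000103: *Jun 16 10:02:40.122 UTC: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/7 with BPDU Guard enabled. Disabling port.
000104: *Jun 16 10:03:05.004 UTC: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port GigabitEthernet1/0/12.
000105: *Jun 16 10:03:05.006 UTC: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
000106: *Jun 16 10:07:40.000 UTC: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7
000107: *Jun 16 10:07:41.900 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to up
this is not a syslog line
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        msg = parse_message(line)
        print(f"{msg.severity_name:>13} {msg.facility}-{msg.mnemonic}: {msg.text}" if msg else f"     UNPARSED {line}")
    print(summarize(SAMPLE_LOG))
```

The summary leaves Gi1/0/12 in the errdisabled map because nothing recovered it, which is the expected outcome for a psecure-violation: that cause normally is not added to errdisable recovery, so the port waits for a human.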