Category: Switching

WoL – Wake On LAN

If a computer on local LAN network is turned off and administrator needs to do some regular maintenance on it, he will need to use Wake-On-LAN (WoL) to power the system up remotely.

Of course, network devices need to be configured to enable that kind of “magic” packet forwarding.

NIC cards on machines need to support WoL for this to work, but we don’t bother with this here..

WoL is sending “magic packets” to computer NIC card in order to start the system up. NIC which supports WoL is still receiving power when PC is turned off. NIC then keeps listening on the network for the magic packet and if received it will initialise the system boot process and power up the PC.

Magic packet is specially crafted network directed broadcast packet typically sent with connectionless UDP, port 7.

You would usually have a WoL server somewhere on you network which will be used to source magic packets. If you send magic packets across network segments (between VLANs or from some remote subnet), last router in the path, one having client subnet locally connected, needs to be configured with directed broadcast. The first router on the path, router with server subnet locally connected, should have ip helper configured pointing to directed broadcast IP address (in our case 172.19.1.255).

In our example below, both ip helper and directed broadcast are configured on the same L3 device since this is the only router connecting two subnets.

Directed broadcast on Cisco devices is off by default since IOS 12.0 and needs to be configured on specific subnets where WoL will be needed.

You need directed broadcast because PC which needs to be woken up is asleep and while asleep it will not have an IP nor it will respond to ARP. Only way to get some packets to that PC without an ARP resolution is by using local subnet L2 broadcast.

Furthermore, we can surely assume that your PCs are connected to L2 Access Switch. That switch will not know to which port is the PC connected while that PC is asleep. Only a Layer 2 broadcast (and unknown unicast) will be sent out all ports on a switch.

| Continue Reading.. |

How to Enable Dot1x – more complex setup for wired network

This one is long. Do not be afraid though, I made it just to give you the fastest way to deploy functional dot1x to your company HQ without reading even more documentation and searching for those little timer default settings.

I the article prior to this I showed you how to setup your environment with simple dot1x and make it as simple as possible. I will not repeat again the part about setting up Radius Clients on server side, everything else is here once again just more complex. Now is time for a more complex example that will make your implementation work out-of-the-box for end users and they will probably not even know that you completed the implementation of one nice but fairly complex network security enhancement.

So, as I said, this is a better way to do it because it will be less intrusive and people in the office will start to use it but without prompt starting to show on everybody’s PC.

What needs to be done:

Here are the steps needed on all systems so you do not forget some of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.

  1. We will configure the switch for dot1x but with much more options now.
  2. We will create Radius NPS policy to enable our Windows machines to authenticate using user or computer certificate. (This will enable us to skip boring credentials prompts mentioned above)
    Here the Radius config skips radius client configuration mentioned in previous article about dot1x.
  3. We will setup a new GPO object that will automatically setup all PC’s for dot1x.

What will we get using dot1x:

It’s give you all descriptions of all possible options that you would need and the example in the end will show configuration of all those components together. You will see, it will be easy to recognise which command does what. If there would be some thing not clear enough, I am fairly quick with my comment replies 😉

Basic

Dot1x will allow access to network only to authenticated users on your wired LAN. It’s also used to authenticate users on Corporate WiFi network but we will skip that part now.

Give Internet only to unauthenticated users

Don’t be cruel, maybe you have some guests in your meeting room. If they connect and get denied they will tell you your network jacks are not working and blame you that you are not doing your job as network admin.

“Hey, network is not working in meeting room! Some guest are complaining, is bad publicity :)”

If the users are not authenticated switch port where they connected the cable does not get them access to the network. There is an option to use VLAN auto-configuration in conjunction to basic security feature to get unauthenticated users access to the network but only to some isolated or Internet only VLAN. Cool.

| Continue Reading.. |

How to Enable Dot1x authentication for wired clients

If your LAN is extending to some places where unauthorised people can just plug in and gain access to your protected network, it’s time to implement some security on your access switch. The best thing to do is to implement IEEE 802.1X port-based authentication which will enable users/machine authentication and prevent unauthorized devices from getting access switch port running when connected. IEEE 802.1X port-based authentication is mostly called simply as dot1x.

In this article I will show you how to configure some basic dot1x stuff on switch side. I will also include Windows machine side of configuration as this is something most people presume it’s working out-of-the-box but of course that’s not the case. Radius server policy is fairly simple so a screenshot of the policy will get you going. So as you see, to get dot1x running you need to configure:

| Continue Reading.. |

What is a non-blocking switch?

It is fairly common to hear about switch being non-blocking. It’s because almost all switches today are non-blocking. But what that means? When I asked people around me on what exactly non-blocking switch means, they were unable to get to the same conclusion.

I was going through a lot of different internet places and vendor documents before I wrote this here, but, do not hesitate to add something in comments if you have different view on the subject.

Line-rate switch means the same as if you would said wire-speed switch. It basically means that this switch has the forwarding capacity that supports concurrently all ports at full port capacity. It should be true for minimum packet sizes to. Non-blocking switch means the same thing. Non-blocking Switch internal bandwidth can handle all the port bandwidths, at the same time, at full capacity. Sometimes for high end switches non-blocking is also refereed to switch architecture ability to significantly reduce head-of-line blocking (HOL blocking).

| Continue Reading.. |

HOL Head-of-line blocking

Head-of-line blocking (HOL blocking) in networking is a performance issue that occurs when a bunch of packets is blocked by the first packet in line. It can happen specially in input buffered network switches where out-of-order delivery of packets can occur. A switch can be composed of input buffered ports, output buffered ports and switch fabric.

When first-in first-out input buffers are used, only the first received packet is prepared to be forwarded. All packets received afterwards are not forwarded if the first one cannot be forwarded. That is basically what HOL blocking really is.

| Continue Reading.. |