Router Commands

Router# terminal history size 256
show history
show processes cpu

line con 0
 logging synchronous   -- keeps console messages from breaking up the line you are typing

no ip domain lookup   -- keeps the router from trying to resolve mistyped commands as hostnames

ip subnet-zero   -- allows subnet zero to be used on the router
Switch# show running-config interface fastethernet 5/6
RouterP(config)# service password-encryption   -- encrypts all passwords in the saved config (wr)

Can also search the running config: sh run | begin line vty
alias exec   -- not quite sure, check
Create a VLAN:
DLS2(config)# vlan 10
DLS2(config-vlan)# no shut
%VLAN 10 is not shutdown.
DLS2(config-vlan)# vlan 20
DLS2(config-vlan)# no shut
%VLAN 20 is not shutdown.
DLS2(config-vlan)# vlan 30
DLS2(config-vlan)# no shut
%VLAN 30 is not shutdown.
DLS2(config-vlan)# ^Z
Then make each VLAN an SVI with ip routing enabled, and add an address to each VLAN under the interface:
interface vlan 10
Network …

SSH setup on a switch/router:
Switch(config)# username cisco password cisco
Switch(config)# ip domain-name cisco
Switch(config)# crypto key generate rsa
Switch(config)# line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport input ssh
ssh -l cisco 172.16.254.241   -- to connect to a remote host with SSH
To control the protocols accepted on the vty lines, use transport input <protocol>.
Remember that the command to create a standard access list for a single host is access-list permit host .
b. Use this access list to define the access-class for the vty connections. Set the access-class on the vty lines (0 - 4) for inbound connections.
Setting up local accounts on the router and the level to authenticate them at:
---- Only use login local when you have a user account set up first.
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

conf t
key chain ^_^
 key 1
  key-string cisco

conf t
banner motd ~
[ASCII-art banner reading "Authorized Access ONLY" omitted]
~
exit

conf t
no ip domain-lookup
ip domain-name cisco.com
crypto key generate rsa
ip ssh time-out 15
ip ssh authentication-retries 3
username cisco priv 15 password cisco
service password-encryption
enable secret class
line con 0
 login local
 password class
 login
 logging synchronous
line vty 0 4
 transport input ssh
 password cisco
 login local
int s0/0
 ip authentication key-chain eigrp 1 ^_^
 ip authentication mode eigrp 1 md5
R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
Now enable MD5 authentication on the interface with the ip authentication mode eigrp as_number md5 command:
R1(config-if)# ip authentication mode eigrp 1 md5
Apply these commands on all active EIGRP interfaces:
R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface serial 0/0/1
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
Run this tcl script from each router to ping every address:
tclsh
foreach address {
192.168.1.1 192.168.1.129 192.168.1.130 192.168.1.161 192.168.1.162 192.168.1.133 192.168.1.134
10.1.1.3 10.1.1.4 10.4.4.4 192.168.1.5 192.168.100.1 192.168.1.101 192.168.1.105 192.168.1.109 192.168.1.113
} { ping $address }
• show controllers - indicates the state of the interface channels and whether a cable is attached to the interface.
• debug serial interface - verifies whether HDLC keepalive packets are incrementing. If they are not, a possible timing problem exists on the interface card or in the network.
• debug arp - indicates whether the router is sending information about or learning about routers (with ARP packets) on the other side of the WAN cloud. Use this command when some nodes on a TCP/IP network are responding, but others are not.
• debug frame-relay lmi - obtains Local Management Interface (LMI) information, which is useful for determining whether a Frame Relay switch and a router are sending and receiving LMI packets.
• debug frame-relay events - determines whether exchanges are occurring between a router and a Frame Relay switch.
• debug ppp negotiation - shows Point-to-Point Protocol (PPP) packets transmitted during PPP startup, where PPP options are negotiated.
• debug ppp packet - shows PPP packets being sent and received. This command displays low-level packet dumps.
• debug ppp - shows PPP errors, such as illegal or malformed frames, associated with PPP connection negotiation and operation.
• debug ppp authentication - shows PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) packet exchanges.
router# show ip route          -> shows the routing table
router# show ip route static   -> shows static routes
router# show ip int brief
router# show int
router(config)# ip route 0.0.0.0 0.0.0.0   -> default route
router(config)# logging on
router(config)# logging console

SSH Configuration: refer to CCSP Module 2

Step 7 Setting Privilege Levels
By default, the Cisco IOS software has two modes of password security: user mode (EXEC) and privilege mode (enable). There are 16 hierarchical levels of commands that can be defined for each mode. By configuring multiple passwords, different sets of users are allowed access to specified commands. The command to assign allowed commands to a privilege level is privilege exec level level. In this task, assign an enable secret password for privilege level 10 for system operators, and make specific debug commands available to anyone with that privilege level enabled.
a. Begin by entering global configuration mode, RouterP(config)#, and complete the following steps:
   i. Assign privilege level passwords.
   ii. It is recommended to assign a password to each privilege level that is defined. To set a privilege level password, use the enable secret level level password command.
   iii. Define an enable secret of pswd10 for level 10 by entering the following command:
        RouterP(config)# enable secret level 10 pswd10
        What are the available arguments for the enable secret level 10 command?
d. Display the current privilege level. To verify the current privilege level, enter the show privilege command. What privilege level is shown?
e. Log in to privilege level 10.
   i. To enter a specific privilege level, use the enable level command. Exit out of the router and then reconnect. Enter the following commands to enter privilege level 10:
        RouterP> enable 10
        Password: pswd10
        RouterP#
        How can the current privilege level be displayed? What is the current privilege level? Using the debug ? command, what debug options are available at level 10?
d. Exit out of privilege level 10 and return to level 15.
   Next, assign specific commands to be used in privilege level 10. To configure a new privilege level for users and associate commands with that privilege level, use the privilege command. The syntax for the privilege command is privilege mode {level level | reset} command-string. Enter the following commands to assign specific commands to privilege level 10:
        RouterP(config)# privilege exec level 10 debug ppp auth
        RouterP(config)# privilege exec level 10 debug ppp error
        RouterP(config)# privilege exec level 10 debug ppp negotiation
   In the above commands, specific debug commands were allowed for anyone logging in with privilege level 10.
f. Verify privilege level commands.
   i. Exit the router and return to privilege level 10. After the current privilege level of 10 is confirmed, verify the previously configured privilege level 10 commands. Enter the following commands to verify the defined privileges:
        RouterP# debug ?
        RouterP# debug ppp ?
        What are the available parameters for the debug ? command?

--------------------------------------------------------OSPF
ip ospf cost - can be used to manually set link costs for the SPF calculation.
show ip ospf database - shows the link-state age and sequence numbers kept in the database.
debug ip ospf packet - used in troubleshooting to verify that OSPF packets are flowing properly between two routers.
Using the router-id command is the preferred procedure to set the router ID and is always used in preference to the other two procedures. If it is not set, the router uses the highest loopback IP address, then the highest physical interface address.
After the router-id command is configured, use the clear ip ospf process command. This restarts the OSPF routing process so that it reselects the new IP address as its router ID. Highest ID wins the battle.
show ip ospf - verifies the OSPF router ID; also displays OSPF timer settings and other statistics, including the number of times the SPF algorithm has been run.
• show ip protocols - Displays IP routing protocol parameters about timers, filters, metrics, networks, and other information for the entire router.
• show ip route ospf - Displays the OSPF routes known to the router. This command is one of the most useful in determining connectivity between the local router and the rest of the internetwork. Optional parameters allow you to further specify the information to be displayed, including the OSPF process ID.
• show ip ospf interface - Verifies that interfaces are configured in the intended areas. In addition, this command displays the timer intervals (including the hello interval) and shows the neighbor adjacencies.
• show ip ospf - Displays the OSPF router ID, OSPF timers, the number of times the SPF algorithm has been executed, and LSA information.
• show ip ospf neighbor - Displays a list of neighbors, including their OSPF router ID, their OSPF priority, their neighbor adjacency state (for example, init, exstart, or full), and the dead timer.

Use the show ip route ospf command to verify the OSPF routes in the IP routing table. In Figure, the O code represents OSPF routes, and IA is "interarea." The 10.2.1.0 subnet is recognized on FastEthernet 0/0 via neighbor 10.64.0.2. The entry [110/782] represents the administrative distance assigned to OSPF (110) and the total cost of the route to subnet 10.2.1.0 (782).
The show ip ospf interface [type number] [brief] command displays OSPF-related interface information. The command output in Figure is from router A from the previous configuration example and details the OSPF status of the FastEthernet 0/0 interface. This command verifies that OSPF is running on this particular interface and lists the OSPF area that it is in. This command also displays other OSPF information, such as the process ID, router ID, network type, DR and BDR, timers, and neighbor adjacency.
Use the show ip ospf neighbor command. OSPF does not send or receive updates without having full adjacencies established between neighbors. Syntax: show ip ospf neighbor [type number] [neighbor-id] [detail]
show ip ospf database nssa-external - displays specific details of each type 7 LSA in the database.
To clear all routes from the IP routing table: Router# clear ip route *
To clear a specific route from the IP routing table: Router# clear ip route A.B.C.D
To debug OSPF operations, use the debug ip ospf command with an option listed in Figure. Useful options when troubleshooting include:
Router# debug ip ospf events
Router# debug ip packet

To configure an area as a stub, use the following steps (*** it must be a different area than the area 0 backbone):
Step 1
Configure OSPF.
Step 2
Define the area as a stub by issuing the area area-id stub command on all routers within the area. Figure lists the parameters of this command.

To configure an area as totally stubby, use the following steps:
Step 1
Configure OSPF.
Step 2
Define the area as a stub area by issuing the area area-id stub command on all routers within the area.
Step 3
At the ABR only, add the no-summary keyword to the area area-id stub command.
Example on 3.7.6, Example 3.7.8

To configure an area as an NSSA, use the following steps:
Step 1
Configure OSPF.
Step 2
Define the area as an NSSA by issuing the area area-id nssa command on all routers within the area. All routers in the NSSA must have this command configured; routers cannot form an adjacency unless both are configured as NSSA. Figure lists the parameters of this command. To cause router 2 (the NSSA ABR) to generate an O *N2 default route (O *N2 0.0.0.0/0) into the NSSA, use the default-information-originate option of the area area-id nssa command on router 2.
In a multiaccess broadcast environment, each network segment has its own DR and BDR. A router connected to multiple multiaccess broadcast networks can be a DR on one segment and a regular router on another segment. Use the ip ospf priority interface command to designate which router interfaces on a multiaccess link are the DR and the BDR. The default priority is 1, and the range is from 0 to 255. The interface with the highest priority becomes the DR, and the interface with the second-highest priority becomes the BDR. Interfaces set to zero priority cannot take part in the DR or BDR election. Here is a configuration example:
interface FastEthernet 0/0
 ip ospf priority 10
-- add encapsulation frame-relay if that interface type is needed
Also, in NBMA networks you can use the neighbor command in configuration mode to statically assign a neighbor.

To configure basic single-area and multiarea OSPF, complete the following steps:
Step 1
Enable OSPF on the router using the router ospf process-id command, as shown in Figure. Note: unlike the process ID in EIGRP, the OSPF process ID is not an autonomous system number. The process-id can be any positive integer and only has significance to the local router.
Step 2
Identify which interfaces on the router are part of the OSPF process, using the network area command, as shown in Figure. This command also identifies the OSPF area to which the network belongs. Figure describes the parameters of this command. It uses wildcard masks.
OSPF can also be enabled directly on the interface using the ip ospf area command, which simplifies the configuration of unnumbered interfaces. Since the command is configured explicitly on the interface, it takes precedence over the network area command.
Router A uses a general network 10.0.0.0 0.255.255.255 statement. This technique assigns all interfaces defined in the 10.0.0.0 network to OSPF process 1. Router B uses a specific host address technique. The wildcard mask of 0.0.0.0 requires a match on all four octets of the address. This technique allows the operator to define which specific interfaces will run OSPF:
network 10.1.1.1 0.0.0.0 area 0
Figure shows an example of a multiarea OSPF configuration. Router A is in area 0, router C is in area 1, and router B is the ABR between the two areas. The configuration for router A is the same as in the previous example. Router B has a network statement for area 0. The configuration for area 1 in this example uses the ip ospf 50 area 1 command. Alternatively, a separate network router configuration command could have been used.
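The two network-statement techniques above (a general 10.0.0.0 0.255.255.255 statement versus a host-specific 0.0.0.0 wildcard) come down to wildcard-mask bit matching. The following Python is an added example, not code from the page or from Cisco: it implements the wildcard test, then shows which interfaces a router would place into which area when both kinds of statement are present. The interface addresses and statements are constructed for the example; the rule that the most specific statement wins when several overlap is how IOS resolves overlapping network statements.

```python
import ipaddress

# Constructed data for this example (not the page's figures): interface
# addresses on one router and its "network <address> <wildcard> area <id>"
# statements, using both techniques described above: a host-specific
# statement (wildcard 0.0.0.0) and a general one covering all of 10.0.0.0/8.
INTERFACES = {
    "FastEthernet0/0": "10.1.1.1",
    "FastEthernet0/1": "10.2.1.1",
    "Serial0/0": "192.168.1.1",
}

NETWORK_STATEMENTS = [
    # (address, wildcard mask, area)
    ("10.1.1.1", "0.0.0.0", 0),
    ("10.0.0.0", "0.255.255.255", 1),
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, network, wildcard):
    """Wildcard-mask semantics: a 0 bit in the wildcard must match, a 1 bit
    is ignored (the inverse of a subnet mask)."""
    differing = _to_int(address) ^ _to_int(network)
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return differing & care_bits == 0


def specificity(wildcard):
    """Number of address bits the statement requires to match."""
    return 32 - bin(_to_int(wildcard)).count("1")


def assign_areas(interfaces, statements):
    """Map each interface to the OSPF area of the matching network statement.
    When statements overlap, the most specific one wins, which is how IOS
    resolves overlapping network statements. Interfaces matching nothing
    are left out: they do not run OSPF."""
    areas = {}
    for name, address in interfaces.items():
        best = None
        for network, wildcard, area in statements:
            if wildcard_match(address, network, wildcard):
                candidate = (specificity(wildcard), area)
                if best is None or candidate[0] > best[0]:
                    best = candidate
        if best is not None:
            areas[name] = best[1]
    return areas


if __name__ == "__main__":
    assigned = assign_areas(INTERFACES, NETWORK_STATEMENTS)
    for name, area in assigned.items():
        print(f"{name}: OSPF enabled, area {area}")
    print("not running OSPF:", sorted(set(INTERFACES) - set(assigned)))
```

Running it puts FastEthernet0/0 in area 0 (the host statement beats the /8 statement), FastEthernet0/1 in area 1, and leaves Serial0/0 out of OSPF entirely, which is the check to make before trusting that a statement covers exactly the interfaces you intended.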
Virtual links
Use the area area-id virtual-link router-id router configuration command, along with any necessary optional parameters, to define an OSPF virtual link. To remove a virtual link, use the no form of this command. The area virtual-link command includes the router ID of the far-end router. To find the router ID of the far-end router, use the show ip ospf, show ip ospf interface, or show ip protocol commands on that remote router, as illustrated in Figure.
Use the show ip ospf virtual-links command to verify that the configured virtual link works properly. Also useful: show ip ospf neighbor, show ip ospf database, and debug ip ospf adj.

Interarea Route Summarization on an ABR
To configure manual interarea route summarization on an ABR, use the following steps:
Step 1
Configure OSPF.
Step 2
Use the area range command to instruct the ABR to summarize routes for a specific area before injecting them into a different area via the backbone as type 3 summary LSAs. Figure describes the command parameters.
Cisco IOS software creates a summary route to interface null0 when manual summarization is configured, to prevent routing loops.
• area 0 range 172.16.96.0 255.255.224.0: Identifies area 0 as the area containing the range of networks to be summarized into area 1. ABR router R1 summarizes the range of subnets from 172.16.96.0 to 172.16.127.0 into one range: 172.16.96.0 255.255.224.0.
• area 1 range 172.16.32.0 255.255.224.0: Identifies area 1 as the area containing the range of networks to be summarized into area 0. ABR router R1 summarizes the range of subnets from 172.16.32.0 to 172.16.63.0 into one range: 172.16.32.0 255.255.224.0.
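A summary is only safe when it covers exactly the subnets you meant: anything inside the range with no real route behind it is silently discarded by the null0 route mentioned above, and any subnet outside the range keeps being advertised individually. The following Python is an added example, not from the page or from Cisco, that checks the two area range commands above against a constructed list of component subnets (the page gives only the summaries, so the components are invented for the example, including one subnet that deliberately falls outside its summary).

```python
import ipaddress

# Constructed component subnets for this example; the page gives only the two
# summary ranges, so these stand in for the routes the ABR actually learns.
# 172.16.70.0/24 is deliberately outside the area 1 summary.
AREA_ROUTES = {
    0: ["172.16.96.0/24", "172.16.100.0/24", "172.16.127.0/24"],
    1: ["172.16.32.0/24", "172.16.40.0/24", "172.16.63.0/24", "172.16.70.0/24"],
}

# area <id> range <address> <mask>, as configured on R1 above
AREA_RANGES = {
    0: ("172.16.96.0", "255.255.224.0"),
    1: ("172.16.32.0", "255.255.224.0"),
}


def check_summary(routes, summary_address, summary_mask):
    """Compare a configured summary against the component routes.

    Returns the summary's first and last address, which components it
    covers, which fall outside it (and so are still advertised on their own),
    and how many addresses inside the summary have no component route behind
    them. Traffic to those addresses is dropped by the null0 route IOS
    installs with the summary instead of following a default route."""
    summary = ipaddress.ip_network(f"{summary_address}/{summary_mask}", strict=True)
    components = [ipaddress.ip_network(r) for r in routes]
    covered = [n for n in components if n.subnet_of(summary)]
    not_covered = [str(n) for n in components if not n.subnet_of(summary)]
    backed = sum(n.num_addresses for n in ipaddress.collapse_addresses(covered))
    return {
        "range": f"{summary[0]} to {summary[-1]}",
        "covered": [str(n) for n in covered],
        "not_covered": not_covered,
        "unused_addresses": summary.num_addresses - backed,
    }


def check_all(area_routes, area_ranges):
    """Run check_summary for every area that has an area range configured."""
    return {area: check_summary(area_routes[area], *area_ranges[area])
            for area in area_ranges}


if __name__ == "__main__":
    for area, result in check_all(AREA_ROUTES, AREA_RANGES).items():
        print(f"area {area} range {result['range']}")
        print("  covered:       ", result["covered"])
        print("  not covered:   ", result["not_covered"])
        print("  unused (null0):", result["unused_addresses"])
```

With strict=True the ipaddress module also rejects a range whose address is not on the mask boundary, which is the same kind of mistake IOS would otherwise quietly normalise.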
For OSPF to generate a default route, you must use the default-information originate command.
To configure OSPF simple password authentication, use the following steps:
Step 1
Assign a password to be used with neighboring routers using the ip ospf authentication-key command, as shown in Figure.
Note: In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than eight characters, and only the first eight characters will be used. Some earlier Cisco IOS releases did not provide this warning. The password created by this command is used as a key that is inserted directly into the OSPF header when Cisco IOS software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
Note: If the service password-encryption command is not used when configuring OSPF authentication, the key is stored as plain text in the router configuration. If you configure the service password-encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key.
Step 2
Specify the authentication type using the ip ospf authentication command, as shown in Figure.
For simple password authentication, use the ip ospf authentication command with no parameters. Before using this command, configure a password for the interface using the ip ospf authentication-key command.

To configure OSPF MD5 authentication, a key and key ID must be configured on each router. To configure MD5 authentication, use the following steps:
Step 1
Assign a key ID and key to be used with neighboring routers that are using OSPF MD5 authentication, using the ip ospf message-digest-key command, as shown in Figure.
Note: In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than 16 characters, and only the first 16 characters are used. Some earlier Cisco IOS releases did not provide this warning. The key and the key ID specified in the ip ospf message-digest-key command are used to generate a message digest (also called a hash) of each OSPF packet. The message digest is appended to the packet. A separate password can be assigned to each network on a per-interface basis. Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. All neighboring routers on the same network must have the same password to be able to exchange OSPF information. Therefore, the same key ID on the neighbor router must have the same key value.
The key ID allows for uninterrupted transitions between keys, which is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router sends multiple copies of the same packet, each authenticated by a different key. The router stops sending duplicate packets when it detects that all of its neighbors have adopted the new key. For example, if this is the current configuration:
interface FastEthernet 0/0
 ip ospf message-digest-key 100 md5 OLD
You change the configuration to the following:
interface FastEthernet 0/0
 ip ospf message-digest-key 101 md5 NEW
The system assumes that its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by a different key. In this example, the system sends out two copies of the same packet, the first one authenticated by key 100 and the second one authenticated by key 101. Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key.
Rollover stops when the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key. After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:
interface FastEthernet 0/0
 no ip ospf message-digest-key 100
Then only key 101 is used for authentication on Fast Ethernet interface 0/0. It is recommended that you do not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key.
Note: If the service password-encryption command is not used when configuring OSPF authentication, the key is stored as plain text in the router configuration. If you configure the service password-encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key.
Step 2
Specify the authentication type using the ip ospf authentication command, as shown in Figure. For MD5 authentication, use the ip ospf authentication command with the message-digest parameter. Before using this command, configure the message digest key for the interface with the ip ospf message-digest-key command.
The ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. For backward compatibility, the MD5 authentication type for an area is still supported using the area areaid authentication message-digest router configuration command.
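The key-ID rollover described above is easier to reason about as a small model. The Python below is an added example, not code from the page or from Cisco, and it is a simplified model rather than the OSPF wire format: each copy of a packet carries a key ID and an MD5 digest over the packet plus the 16-byte padded key (roughly as in RFC 2328 Appendix D; header fields and sequence numbers are left out). It walks through the scenario in the text: R1 holds keys 100 (OLD) and 101 (NEW) and sends two copies, R2 accepts only under 100 until it is updated, rollover is complete once every neighbor authenticates the key-101 copy, and after "no ip ospf message-digest-key 100" a peer that knows only the old key is no longer accepted. Router names, key strings and the payload are constructed for the example.

```python
import hashlib
import hmac

# Simplified model of OSPF MD5 authentication for illustration only. The
# digest is MD5 over the packet followed by the 16-byte padded key, roughly
# as in RFC 2328 Appendix D; the real header layout, sequence numbers and
# TLV format are not reproduced here.


def ospf_digest(packet, key):
    padded_key = key.encode().ljust(16, b"\x00")[:16]
    return hashlib.md5(packet + padded_key).digest()


class OspfInterface:
    """One interface's message-digest key table: key ID -> key string."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = dict(keys)

    def send(self, packet):
        """One copy per configured key, as IOS does during rollover: with a
        single key that is one copy, with keys 100 and 101 it is two."""
        return [(kid, packet, ospf_digest(packet, key))
                for kid, key in sorted(self.keys.items())]

    def accept(self, copy):
        """A copy is accepted only if we hold the named key ID and the digest
        recomputed with that key matches."""
        kid, packet, digest = copy
        key = self.keys.get(kid)
        if key is None:
            return False
        return hmac.compare_digest(digest, ospf_digest(packet, key))


def accepted_key_ids(sender, receiver, packet):
    """Key IDs under which the receiver authenticated a copy from the sender."""
    return [kid for kid, pkt, dig in sender.send(packet)
            if receiver.accept((kid, pkt, dig))]


def rollover_complete(sender, neighbors, packet):
    """Rollover may stop (and the old key be removed) once every neighbor
    authenticates the copy sent under the newest key."""
    newest = max(sender.keys)
    return all(newest in accepted_key_ids(sender, n, packet) for n in neighbors)


if __name__ == "__main__":
    hello = b"OSPF Hello (constructed payload)"
    r1 = OspfInterface("R1 Fa0/0", {100: "OLD", 101: "NEW"})   # mid-rollover
    r2 = OspfInterface("R2 Fa0/0", {100: "OLD"})               # not yet updated
    print("R1 sends", len(r1.send(hello)), "copies; R2 accepts under",
          accepted_key_ids(r1, r2, hello))
    r2.keys[101] = "NEW"                                       # admin updates R2
    print("after update R2 accepts under", accepted_key_ids(r1, r2, hello),
          "; rollover complete:", rollover_complete(r1, [r2], hello))
    del r1.keys[100]                                           # no ip ospf message-digest-key 100
    stale = OspfInterface("peer that knows only OLD", {100: "OLD"})
    print("stale peer accepts under", accepted_key_ids(r1, stale, hello))
```

The last line is the point of removing the old key: as long as key 100 stays configured, a system holding only the old key keeps authenticating successfully, which is exactly the exposure the text warns about.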
The debug ip ospf adj command displays OSPF adjacency-related events and is very useful when troubleshooting authentication.

--------------------------------------------------------EIGRP
Perform the following steps to configure EIGRP for IP: Step 1
Enable EIGRP and define the autonomous system using the router eigrp autonomous-system-number command. The autonomous system number value must match on all routers within the autonomous system.
Step 2
Indicate which networks are part of the EIGRP autonomous system using the network command. This command determines which interfaces of the router are participating in EIGRP and which networks the router advertises. Figure lists the parameters for the network command. Use a wildcard mask with the network command.
Step 3
When using serial links, define the bandwidth of the link for the purpose of sending routing update traffic, using the bandwidth kilobits command. In this command, the parameter kilobits indicates the intended bandwidth in kilobits per second. For example, for a 64-kbps link, use the following command: router(config-if)#bandwidth 64
If you do not change the bandwidth for serial interfaces, EIGRP assumes that the bandwidth on the link is the default T1 speed. If the link is actually slower, the router might not be able to converge, or routing updates might be lost. For generic serial interfaces such as PPP or High-Level Data Link Control (HDLC), set the bandwidth to the line speed. For Frame Relay on point-to-point interfaces, set the bandwidth to the committed information rate (CIR). For Frame Relay multipoint connections, set the bandwidth to the sum of all CIRs, or if the permanent virtual circuits (PVCs) have different CIRs, set the bandwidth to the lowest CIR multiplied by the number of PVCs on the multipoint connection.
You can create an EIGRP default route with the ip default-network network-number global configuration command. The configured router advertises the specified network as the gateway of last resort. Other routers use their next-hop address to the advertised network as their default route.
Static Default Routes: EIGRP and IGRP behave differently than RIP when you are using the ip route 0.0.0.0 0.0.0.0 command. For example, EIGRP does not redistribute the 0.0.0.0 0.0.0.0 default route by default. The configuration in Figure results in the 0.0.0.0 route being passed to the EIGRP neighbors of the router.
show ip eigrp neighbors
show ip eigrp topology
Use the show ip eigrp neighbors command to verify that the router recognizes its neighbors. Use the show ip route eigrp command to verify that the router recognizes routes from its neighbors. The show ip protocols command gives information about all dynamic routing protocols running on the router, including the current K value settings; the routers must have identical K values for EIGRP to establish an adjacency. The internal distance (administrative distance 90) applies to networks from other routers inside the autonomous system. The external distance (administrative distance 170) applies to networks introduced to EIGRP from outside this autonomous system through redistribution. The show ip eigrp interfaces command displays information about interfaces configured for EIGRP.
show ip eigrp topology - state codes:
• P (Passive): Network is available, and installation can occur in the routing table. Passive is the correct state for a stable network.
• A (Active): Network is currently unavailable, and installation cannot occur in the routing table. Active means that there are outstanding queries for this network.
• U (Update): Network is being updated (placed in an update packet). This code also applies if the router is waiting for an acknowledgment for this update packet.
• Q (Query): Outstanding query packet for this network. This code also applies if the router is waiting for an acknowledgment for a query packet. Basically, this code indicates that the router has sent a query packet to a neighbor router.
• R (Reply status): Router is generating a reply for this network or is waiting for an acknowledgment for the reply packet.
• S (Stuck-in-active status): EIGRP convergence problem for the network with which it is associated.
show ip eigrp traffic - displays the number of various EIGRP packets sent and received.
no auto-summary - use when you have discontiguous networks; create your own summarization instead.
EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.
Use the ip bandwidth-percent eigrp as-number percent command to specify the maximum percentage of an interface's bandwidth that EIGRP will use. -- Use it when a link is shared in the WAN topology, so that the bandwidth EIGRP may use is divided equally across the links that share it.
To configure MD5 authentication for EIGRP, complete the following steps:
Step 1
Enter configuration mode for the interface on which you want to enable authentication.
Step 2
Specify MD5 authentication for EIGRP packets using the ip authentication mode eigrp md5 command, as shown in Figure.
Step 3
Enable the authentication of EIGRP packets with a key specified in a key chain by using the ip authentication key-chain eigrp command, as shown in Figure .
Step 4
Enter the configuration mode for the key chain using the key chain command, as shown in Figure.
Step 5
Identify a key ID to use, and enter configuration mode for that key using the key command, as shown in Figure .
Step 6
Identify the key string (password) for this key using the key-string command, as shown in Figure .
Step 7
Optionally, specify the time period during which this key is accepted for use on received packets using the accept-lifetime command, as shown in Figure . Figure displays the parameters for this command.
Step 8
Optionally, specify the time period during which this key can be used for sending packets using the send-lifetime command, as shown in the Figure . Figure displays the parameters for this command.
Note If the service password-encryption command is not used when implementing EIGRP authentication, the key string is stored as plain text in the router configuration. If you configure the service password-encryption command, the key string is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key string.
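Steps 7 and 8 (accept-lifetime and send-lifetime) are what make a key chain rotate without an outage: the sending side switches keys at one instant, while the receiving side keeps accepting the previous key for a window around the changeover so that packets in flight and small clock differences do not break the adjacency. The Python below is an added example, not code from the page or from Cisco, and a simplified model rather than the EIGRP authentication TLV. It builds a constructed two-key chain, picks the send key by send-lifetime (IOS sends with the lowest-numbered key whose send-lifetime is active) and verifies incoming packets by accept-lifetime, then shows a key-1 packet sent just before the changeover still being accepted afterwards and rejected once key 1's accept-lifetime has ended. Key strings, times and the payload are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Key:
    """One 'key <id>' entry of a key chain with its key-string and lifetimes."""
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def eigrp_digest(packet, key_string):
    # Simplified stand-in for the EIGRP MD5 authentication TLV: the real TLV
    # covers more header fields and is not reproduced here.
    return hashlib.md5(packet + key_string.encode()).digest()


def send_key(chain, now):
    """IOS sends with the lowest-numbered key whose send-lifetime is active."""
    valid = [k for k in chain if k.send_start <= now < k.send_end]
    return min(valid, key=lambda k: k.key_id) if valid else None


def authenticate(chain, now, packet):
    """Return (key id, packet, digest) as the sender would transmit it."""
    key = send_key(chain, now)
    if key is None:
        raise RuntimeError("no key in the chain has an active send-lifetime")
    return (key.key_id, packet, eigrp_digest(packet, key.key_string))


def verify(chain, now, authenticated):
    """Accept only if the named key exists, its accept-lifetime is active now
    and the digest matches. An expired accept-lifetime rejects even a correct
    key, which is why accept-lifetimes must overlap across a rotation."""
    key_id, packet, digest = authenticated
    for key in chain:
        if key.key_id == key_id and key.accept_start <= now < key.accept_end:
            return hmac.compare_digest(digest, eigrp_digest(packet, key.key_string))
    return False


def at(hour, minute=0):
    return datetime(2024, 1, 1, hour, minute)


# Constructed key chain for this example: key 1 is sent until noon, key 2 from
# noon on; each key is accepted for an hour on the other side of the changeover.
CHAIN = [
    Key(1, "OLD-KEY-1", accept_start=at(0), accept_end=at(13), send_start=at(0), send_end=at(12)),
    Key(2, "NEW-KEY-2", accept_start=at(11), accept_end=at(23, 59), send_start=at(12), send_end=at(23, 59)),
]
BEFORE_CHANGE, AFTER_CHANGE, LATE = at(11, 59), at(12, 30), at(13, 30)

if __name__ == "__main__":
    update = b"EIGRP Update (constructed payload)"
    early = authenticate(CHAIN, BEFORE_CHANGE, update)
    print("11:59 sends with key", early[0],
          "| accepted at 12:30:", verify(CHAIN, AFTER_CHANGE, early),
          "| accepted at 13:30:", verify(CHAIN, LATE, early))
    late = authenticate(CHAIN, AFTER_CHANGE, update)
    print("12:30 sends with key", late[0],
          "| accepted at 12:30:", verify(CHAIN, AFTER_CHANGE, late))
```

If the accept-lifetime of key 1 were cut off at 12:00 instead of 13:00, the 11:59 packet would already fail at 12:00:30 on a neighbour whose clock runs slightly behind; the overlap is what absorbs that.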
Eigrp default network
-----------------------------------------------------------------------------Passwords
conf t
enable secret <password>
line con 0
 password <enter password here>
 login
line vty 0 4
 password <enter password here>
 login
exit

conf t
enable secret cisco
line con 0
 password class
 login
line vty 0 4
 password class
 login
exit

Example:
Router# configure terminal
Router(config)# hostname ISP
ISP(config)# enable password cisco
ISP(config)# enable secret class
ISP(config)# line console 0
ISP(config-line)# password cisco
ISP(config-line)# login
ISP(config-line)# exit
ISP(config)# line vty 0 4
ISP(config-line)# password cisco
ISP(config-line)# login
ISP(config-line)# exit
ISP(config)# interface loopback 0
ISP(config-if)# ip add 172.16.1.1 255.255.255.255
ISP(config-if)# no shutdown
ISP(config-if)# exit
ISP(config)# interface serial 0
ISP(config-if)# ip add 200.2.2.17 255.255.255.252
ISP(config-if)# clock rate 64000
no shut - on the interfaces

PPP
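The password notes on this page (service password-encryption, enable secret over enable password, login local, transport input ssh, access-class on the vty lines) can be checked mechanically against a saved running-config. The Python below is an added example, not code from the page or from Cisco: it parses a constructed config modelled on the ISP example above, flags the weak settings, and shows the same device after the notes' recommendations have been applied. The hash values in both configs are placeholders, not real hashes, and the audit rules are the ones stated on this page plus the fact that type 7 encoding is reversible.

```python
import re

# Constructed running-config excerpt modelled on the ISP example above; not
# captured from a real device. The 'enable secret 5 ...' value is a placeholder.
SAMPLE_CONFIG = """\
hostname ISP
enable password cisco
enable secret 5 $1$PLACEHOLDER$notarealhash
username cisco password cisco
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
"""

# The same device after applying the recommendations in these notes. Hash
# values are placeholders.
HARDENED_CONFIG = """\
hostname ISP
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
username cisco privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
ip ssh authentication-retries 3
line con 0
 login local
 logging synchronous
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""


def sections(config):
    """Split a config into (global lines, {section header: [child lines]}).
    IOS indents the lines that belong to a section such as 'line vty 0 4'."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit_config(config):
    """Return a list of findings for the weak settings these notes warn about."""
    findings = []
    top, blocks = sections(config)
    if "service password-encryption" not in top:
        findings.append("no service password-encryption: line and username passwords are stored in clear text")
    if any(line.startswith("enable password ") for line in top):
        findings.append("enable password present: remove it and rely on enable secret only")
    if any(re.match(r"username \S+( privilege \d+)? password ", line) for line in top):
        findings.append("username ... password: use 'username <name> secret <password>' instead")
    for header, body in blocks.items():
        if header.startswith("line vty"):
            if not any(line.startswith("transport input ssh") for line in body):
                findings.append(f"{header}: transport input not restricted to ssh (telnet accepted)")
            if "login local" not in body:
                findings.append(f"{header}: no 'login local' (shared line password only, if any)")
            if not any(line.startswith("access-class ") for line in body):
                findings.append(f"{header}: no access-class limiting who may connect")
        for line in body:
            if re.search(r"\bpassword 7 ", line):
                findings.append(f"{header}: type 7 password is reversible obfuscation, not a hash")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The 'before' config yields six findings and the 'after' config none; the type 7 rule is there because service password-encryption only obfuscates line passwords, so wherever a command offers a secret form that is the one to use.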
The following example enables PPP encapsulation on serial interface 0/0:
Router# configure terminal
Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation. Compression is performed in software and might significantly affect system performance. Compression is not recommended if most of the traffic consists of compressed files. To configure compression over PPP, enter the following commands:
Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Router(config-if)# compress [predictor | stac]
Enter the following to monitor the data dropped on the link and avoid frame looping:
Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp quality percentage
The following commands perform load balancing across multiple links:
Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp multilink
Use the show interfaces serial command to verify proper configuration of HDLC or PPP encapsulation. When PPP is configured, its Link Control Protocol (LCP) and Network Control Protocol (NCP) states can be checked using the show interfaces serial command.
ISDN BRI
SPIDs are specified in interface configuration mode. To enter interface configuration mode, use the interface bri command in the global configuration mode: Router(config)#interface brislot/port Router(config)#interface bri0/0 Router(config-if)#isdn spid1 51055540000001 5554000 Router(config-if)#isdn spid2 51055540010001 5554001 ISDN PRI
Defining static routes for DDR (Dial on Demand Routing)
clear int bri 0 --> to erase the SPID ID
show dialer
show isdn status
To configure a static route for IP use the following command:
Router(config)#ip route net-prefix mask {address | interface} [distance] [permanent]
DDR calls are triggered by interesting traffic. This traffic can be defined as any of the following:
• IP traffic of a particular protocol type
• Packets with a particular source address or destination
• Other criteria as defined by the network administrator
Use the dialer-list command to identify interesting traffic. The command syntax is as follows:
Router(config)#dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number}
The dialer-group-num is an integer between 1 and 10 that identifies the dialer list to the router. The command dialer-list 1 protocol ip permit will allow all IP traffic to trigger a call. Instead of permitting all IP traffic, a dialer list can point to an access list in order to specify exactly what types of traffic should bring up the link. The reference to access list 101 in dialer list 2 prevents FTP and Telnet traffic from activating the DDR link; any other IP packet is considered interesting, and will therefore initiate the DDR link. The dialer-group command is given on the interface and uses the same number as the dialer list.
Configure routing protocols as uninteresting so the line doesn't keep coming up. Also use no cdp to keep the line from going up (MAKE THE INTERFACE PASSIVE SO IT DOES NOT SEND OUT UPDATE TRAFFIC).

A dialer list specifying the interesting traffic for this DDR interface needs to be associated with the DDR interface. This is done using the dialer-group group-number command:
Home(config-if)#dialer-group 1
In the command, group-number specifies the number of the dialer group to which the interface belongs. The group number can be an integer from 1 to 10. This number must match the dialer-list group-number. Each interface can have only one dialer group. However, the same dialer list can be assigned to multiple interfaces with the dialer-group command.

The correct dialing information for the remote DDR interface needs to be specified. This is done using the dialer map command. The dialer map command maps the remote protocol address to a telephone number. This command is necessary to dial multiple sites.
Router(config-if)#dialer map protocol next-hop-address [name hostname] [speed 56 | 64] [broadcast] dial-string
If dialing only one site, use an unconditional dialer string command that always dials the one phone number regardless of the traffic destination. This step is unique to legacy DDR. Although the information is always required, the steps to configure destination information are different when using dialer profiles instead of legacy DDR.
To configure PPP on the DDR interface use the following commands:
Home(config)#username Central password cisco
Home(config)#interface bri0/0
Home(config-if)#encapsulation ppp
Home(config-if)#ppp authentication chap
Home(config-if)#ip address 10.1.0.1 255.255.255.0
The dialer idle-timeout seconds command may be used to specify the number of idle seconds before a call is disconnected. The seconds represent the number of seconds until a call is disconnected after the last interesting packet is sent. The default is 120.
Multiple dialer interfaces may be configured on a router. Each dialer interface is the complete configuration for a destination. The interface dialer command creates a dialer interface and enters interface configuration mode. To configure the dialer interface, perform the following tasks:
1. Configure one or more dialer interfaces with all the basic DDR commands:
• IP address
• Encapsulation type and authentication
• Idle-timer
• Dialer-group for interesting traffic
2. Configure a dialer string and dialer remote-name to specify the remote router name and phone number to dial it. The dialer pool associates this logical interface with a pool of physical interfaces.
3. Configure the physical interfaces and assign them to a dialer pool using the dialer pool-member command. An interface can be assigned to multiple dialer pools by using multiple dialer pool-member commands. If more than one physical interface exists in the pool, use the priority option of the dialer pool-member command to set the priority of the interface within a dialer pool. If multiple calls need to be placed and only one interface is available, then the dialer pool with the highest priority is the one that dials out.
A combination of any of these interfaces may be used with dialer pools:
• Synchronous Serial
• Asynchronous Serial
• BRI
• PRI
**clear int bri --> to get the interface cleared out. REFER TO LAB FOR EXACT SETUP

FRAME RELAY
encapsulation frame-relay [cisco | ietf] command.
cisco: Uses the Cisco proprietary Frame Relay encapsulation. Use this option if connecting to another Cisco router. Many non-Cisco devices also support this encapsulation type. This is the default.
ietf: Sets the encapsulation method to comply with the Internet Engineering Task Force (IETF) standard RFC 1490. Select this if connecting to a non-Cisco router.
Set an IP address on the interface using the ip address command. Set the bandwidth of the serial interface using the bandwidth command. Bandwidth is specified in kilobits per second (kbps). This command is used to notify the routing protocol that bandwidth is statically configured on the link. The bandwidth value is used by Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) to determine the metric of the link.
The local DLCI must be statically mapped to the network layer address of the remote router when the remote router does not support Inverse ARP. This is also true when broadcast traffic and multicast traffic over the PVC must be controlled. These static Frame Relay map entries are referred to as static maps. Use the frame-relay map protocol protocol-address dlci [broadcast] command to statically map the remote network layer address to the local DLCI. ---Used on HQ router

Split-horizon updates reduce routing loops by not allowing a routing update received on one interface to be forwarded out the same interface. One way to solve the split-horizon problem is to use a fully meshed topology. However, this will increase the cost because more PVCs are required. The preferred solution is to use subinterfaces. Create a subinterface with:
int s0.301 point-to-point
To enable the forwarding of broadcast routing updates in a hub-and-spoke Frame Relay topology, configure the hub router with logically assigned interfaces. These interfaces are called subinterfaces. Subinterfaces are logical subdivisions of a physical interface. In split-horizon routing environments, routing updates received on one subinterface can be sent out another subinterface. In a subinterface configuration, each virtual circuit can be configured as a point-to-point connection. This allows each subinterface to act similarly to a leased line. Using a Frame Relay point-to-point subinterface, each pair of the point-to-point routers is on its own subnet. Frame Relay subinterfaces can be configured in either point-to-point or multipoint mode:
• Point-to-point - A single point-to-point subinterface is used to establish one PVC connection to another physical interface or subinterface on a remote router. In this case, each pair of the point-to-point routers is on its own subnet and each point-to-point subinterface would have a single DLCI. In a point-to-point environment, each subinterface is acting like a point-to-point interface. Therefore, routing update traffic is not subject to the split-horizon rule.
• Multipoint - A single multipoint subinterface is used to establish multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. All the participating interfaces would be in the same subnet. The subinterface acts like an NBMA Frame Relay interface so routing update traffic is subject to the split-horizon rule.
The encapsulation frame-relay command is assigned to the physical interface. All other configuration items, such as the network layer address and DLCIs, are assigned to the subinterface. Multipoint configurations can be used to conserve addresses, which can be especially helpful if Variable Length Subnet Masking (VLSM) is not being used. However, multipoint configurations may not work properly given the broadcast traffic and split-horizon considerations. The point-to-point subinterface option was created to avoid these issues. In the figure, Router A has two point-to-point subinterfaces. The s0/0.110 subinterface connects to router B and the s0/0.120 subinterface connects to router C. Each subinterface is on a different subnet. To configure subinterfaces on a physical interface, the following steps are required:
• Configure Frame Relay encapsulation on the physical interface using the encapsulation frame-relay command
• For each of the defined PVCs, create a logical subinterface
router(config-if)#interface serial number.subinterface-number [multipoint | point-to-point]
To create a subinterface, use the interface serial command. Specify the port number, followed by a period (.), and then by the subinterface number. Usually, the subinterface number is chosen to be that of the DLCI. This makes troubleshooting easier. The final required parameter is stating whether the subinterface is a point-to-point or point-to-multipoint interface. Either the multipoint or point-to-point keyword is required. There is no default. The following commands create the subinterface for the PVC to router B:
routerA(config-if)#interface serial 0/0.110 point-to-point
If the subinterface is configured as point-to-point, then the local DLCI for the subinterface must also be configured in order to distinguish it from the physical interface. The DLCI is also required for multipoint subinterfaces for which Inverse ARP is enabled. It is not required for multipoint subinterfaces configured with static route maps. The frame-relay interface-dlci command is used to configure the local DLCI on the subinterface:
router(config-subif)#frame-relay interface-dlci dlci-number
The show interfaces command displays information regarding the encapsulation and Layer 1 and Layer 2 status. It also displays information about the following:
• The LMI type
• The LMI DLCI
• The Frame Relay data terminal equipment/data circuit-terminating equipment (DTE/DCE) type
Use the show frame-relay lmi command to display LMI traffic statistics. Use the show frame-relay pvc [interface interface] [dlci] command to display the status of each configured PVC as well as traffic statistics. This command is also useful for viewing the number of BECN and FECN packets received by the router. The PVC status can be active, inactive, or deleted. The show frame-relay pvc command without arguments displays the status of all the PVCs configured on the router. Use the show frame-relay map command to display the current map entries and information about the connections.
Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly. The "out" is an LMI status message sent by the router. The "in" is a message received from the Frame Relay switch. A full LMI status message is a "type 0". An LMI exchange is a "type 1". The "dlci 100, status 0x2" means that the status of DLCI 100 is active. The possible values of the status field are as follows:
• 0x0 - Added/inactive means that the switch has this DLCI programmed but for some reason it is not usable. The reason could possibly be the other end of the PVC is down.
• 0x2 - Added/active means the Frame Relay switch has the DLCI and everything is operational.
• 0x4 - Deleted means that the Frame Relay switch does not have this DLCI programmed for the router, but that it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.
------------------------------------------------------------------------------------------------------------Switch Commands
switch(config)#ip default-gateway --> sets the default gateway for the switch (to be set under conf t)
**More detailed spanning tree info
spanning-tree portfast --> to be used under conf t and maybe on the interface itself to make the interface instantly up and connected. (Use the spanning-tree portfast global configuration command to globally enable BPDU filtering on Port Fast-enabled ports, the BPDU guard feature on Port Fast-enabled ports, or the Port Fast feature on all nontrunking ports. The BPDU filtering feature prevents the switch port from sending or receiving BPDUs. The BPDU guard feature puts Port Fast-enabled ports that receive BPDUs in an error-disabled state.)
show trunk
show interface vlan 1 --> used in priv exec mode, shows mac, ip, and port info
show spanning-tree or show spanning-tree brief --> used in priv exec mode, shows port status (forwarding/blocking), root, priority and mac address. Use portfast only on non-trunking ports.
show mac-address-table
clear mac-address-table dynamic --> clears mac addresses
#password configs and hostname are set up the same way (except for line vty 0 15)
***Add trunking commands to the tutorial guide (DTP) stuff
switchport mode trunk 802.1q (or
How to set up a VLAN -- and what not to forget to set up:
switch(config)#int vlan 1
switch(config)#ip add
vlan dat
vlan 101 name Voice101
vlan 102 name Voice102
vlan 103 name Voice103
vlan 104 name Voice104
vlan 105 name Voice105
vlan 106 name Voice106
vlan 107 name Voice107
vlan 108 name Voice108
vlan 109 name Voice109
vlan 110 name Voice110
To set up VTP (VLAN Trunking Protocol: a designated switch duplicates VLAN configurations to the other switches that are connected together):
vlan dat
vtp client
vtp domain Cisco

vlan dat ---old way; try the new commands on the next pict
vtp server
vtp domain Cisco
2.5.6 Best Practice for VTP Configuration
Following is a list of general best practices with regard to configuring VTP in the enterprise composite network model:
• Plan boundaries for the VTP domain. Not all switches in the network need information on all VLANs in the network. In the enterprise composite model, the VTP domain should be restricted to redundant distribution switches and the access switches that they serve.
• Have only one or two switches specifically configured as VTP servers and the remainder as clients.
• Configure a password so that no switch can join the VTP domain with a domain name only (which can be derived dynamically).
• Manually configure the VTP domain name on all switches that are installed in the network so that the mode can be specified and the default server mode on all switches can be overwritten.
• When you are setting up a new domain, configure VTP client switches first so that they participate passively. Then configure servers to update client devices.
• In an existing domain, if you are performing VTP cleanup, configure passwords on servers first. Clients may need to maintain current VLAN information until the server contains a complete VLAN database. After the VLAN database on the server is verified as complete, client passwords can be configured to be the same as the servers. Clients will then accept updates from the server.
• WHEN ADDING A DIFFERENT SWITCH TO A NETWORK (MOVING CABLES) TAKE IT OUT OF THE VTP DOMAIN, CHANGE, THEN RE-ADD SO THE REVISION NUMBER IS RESET TO ONE SO IT DOESN'T OVERRIDE THE OTHER ONE
What VLAN you belong to and the mode for each interface:
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 101
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 102
 switchport mode access
 no ip address
 spanning-tree portfast

int range fa 0/2 - 5
delete vlan.dat or delete flash:vlan.dat
2.5.2 Resolving Issues with 802.1Q Native VLANs
Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:
• The native VLAN interface configurations must match at both ends of the link or the trunk may not form.
• By default, the native VLAN is VLAN1. For the purpose of security, the native VLAN on a trunk should be set to a specific VID that is not used for normal operations elsewhere on the network.
  Switch(config-if)#switchport trunk native vlan vlan-id
• OR switchport trunk
• If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a "native VLAN mismatch" error.
• On select versions of Cisco IOS software, CDP may not be transmitted or automatically turns off if VLAN1 is disabled on the trunk.
• If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address (0180.c200.0000) untagged.
• When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.
When implementing VLANs, you should consider a few measures to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation.
• Create a "parking-lot" VLAN with a VLAN ID (VID) other than VLAN1, and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check on the security policy of your organization before implementing.)
• Disable unused switch ports, depending on the security policy of the organization.
Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation. (show dtp interface)
• To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.
• Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface command to select the encapsulation type on the trunk port. Regardless of whether a device supports DTP, general best practice is to configure trunks statically by configuring the interface to trunk and nonegotiate.
2.3 Configuring Trunking ---has pictures for more examples
Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.
Step 1 Enter interface configuration mode.
Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.
Step 3 Select the trunking encapsulation. Note that some switches support only ISL or 802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.
Step 4 Configure the interface as a Layer 2 trunk.
Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at both ends of an 802.1Q trunk.
Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to certain trunk links. This is best practice with the Enterprise Composite Network Model and leads to the correct operation of VLAN interfaces.
Step 7 Use the no shutdown command on the interface to activate the trunking process.
Step 8 Verify the trunk configuration using show commands.
The figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode for the interface is trunk (on), and no DTP messages will be sent on the interface. Note: For security reasons, the native VLAN has been configured to be an "unused" VLAN. This will be discussed in more detail later. Figure 3.1 describes the commands used to configure a switch port as an 802.1Q trunk link.
Describing STP

Describing the Root Bridge
STP uses a root bridge, root ports, and designated ports to establish a loop free path through the network. The first step in creating a loop free spanning tree is to select a root bridge to be the reference point that all switches use to establish forwarding paths. The STP topology is converged after a root bridge has been selected, and each bridge has selected its root port, designated bridge, and the participating ports. STP uses BPDUs as it transitions port states to achieve convergence.

Spanning tree elects a root bridge in each broadcast domain on the LAN. Path calculation through the network is based on the root bridge. The bridge is selected using the bridge ID (BID), which consists of a 2-byte Priority field plus a 6-byte MAC address. In spanning tree, lower BID values are preferred. The Priority field value helps determine which bridge is going to be the root and can be manually altered. In a default configuration, the Priority field is set at 32768. When the default Priority field is the same for all bridges, selecting the root bridge is based on the lowest MAC address. The root bridge maintains the stability of the forwarding paths between all switches for a single STP instance. A spanning tree instance is when all switches exchanging BPDUs and participating in spanning tree negotiation are associated with a single root. If this is done for all VLANs, it is called a Common Spanning Tree (CST) instance. There is also a Per VLAN Spanning Tree (PVST) implementation that provides one instance, and therefore one root bridge, for each VLAN.

The BID and root ID are each 8-byte fields carried in a BPDU. These values are used to complete the root bridge election process. A switch identifies the root bridge by evaluating the root ID field in the BPDUs that it receives. The unique BID is carried in the Root ID field of the BPDUs sent by each switch in the tree. When a switch first boots and begins sending BPDUs, it has no knowledge of a root ID, so it populates the Root ID field of outbound BPDUs with its own BID. The switch with the lowest numerical BID assumes the role of root bridge for that spanning tree instance. If a switch receives BPDUs with a lower BID than its own, it places the lowest value into the Root ID field of its outbound BPDUs. Spanning tree operation requires that each switch have a unique BID.

In the original 802.1D standard, the BID was composed of the Priority Field and the MAC address of the switch, and all VLANs were represented by a CST. Because PVST requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information, which is accomplished by reusing a portion of the Priority field as the extended system ID.
To accommodate the extended system ID, the original 802.1D 16-bit Bridge Priority field is split into two fields, resulting in these components in the BID:
• Bridge Priority: A 4-bit field that carries the bridge priority. Because of the limited bit count, priority is conveyed in discrete values in increments of 4096 rather than discrete values in increments of 1, as they would be in a full 16-bit field. The default priority, in accordance with IEEE 802.1D, is 32,768, which is the mid-range value.
• Extended System ID: A 12-bit field that carries the VID for PVST.
• MAC address: A 6-byte field with the MAC address of a single switch.
By virtue of the MAC address, a BID is always unique. When the priority and extended system ID are appended to the switch MAC address, each VLAN on the switch can be represented by a unique BID. If no priority has been configured, every switch has the same default priority and the election of the root for each VLAN is based on the MAC address. This is a fairly random means of selecting the ideal root bridge and, for this reason, it is advisable to assign a lower priority to the switch that should serve as root bridge. Only four bits are used to set the bridge priority. Because of the limited bit count, priority is configurable only in increments of 4096. A switch responds with the possible priority values if an incorrect value is entered:
Switch(config)#spanning-tree vlan 1 priority 1234
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440

If no priority has been configured, every switch will have the same default priority of 32768. Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root primary command sets a value of 24576. Also, assuming all other switches are at default priority, the spanning-tree vlan vlan-id root secondary command sets a value of 28672. The switch with the lowest BID becomes the root bridge for a VLAN. Specific configuration commands are used to determine which switch will become the root bridge. A Cisco Catalyst switch running PVST maintains an instance of spanning tree for each active VLAN that is configured on the switch. A unique BID is associated with each instance. For each VLAN, the switch with the lowest BID becomes the root bridge for that VLAN. Whenever the bridge priority changes, the BID also changes. This results in the recomputation of the root bridge for the VLAN. To configure a switch to become the root bridge for a specified VLAN, use the spanning-tree vlan vlan-ID root primary command. CAUTION: Spanning tree commands take effect immediately, so network traffic is disrupted while the reconfiguration occurs. A secondary root is a switch that may become the root bridge for a VLAN if the primary root bridge fails. To configure a switch as the secondary root bridge for the VLAN, use the command spanning-tree vlan vlan-ID root secondary. Assuming that the other bridges in the VLAN retain their default STP priority, this switch will become the root bridge in the event that the primary root bridge fails. This command can be executed on more than one switch to configure multiple backup root bridges.

BPDUs are exchanged between switches, and the analysis of the BID and root ID information from those BPDUs determines which bridge is selected as the root bridge. In the example shown, both switches have the same priority for the same VLAN. The switch with the lowest MAC address is elected as the root bridge. In the example, switch X is the root bridge for VLAN 1, with a BID of 0x8001:0c0011111111.
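The BID layout and election rules above can be checked by building the 8-byte BID by hand. This is an added example written for these notes, not code from the course material: the switch names, MAC addresses and priorities are constructed sample values, and the function names are this example's own. It reproduces the IOS priority check (multiples of 4096 only), composes priority, extended system ID (the VID) and MAC into a BID, and runs the lowest-BID election for a VLAN, including what changes when one switch is given the 24576 that root primary would set.

```python
"""Added example (not from the notes): build PVST bridge IDs and elect the root
bridge for a VLAN using the rules described above.

BID = 4-bit priority (multiples of 4096) + 12-bit extended system ID (the VID)
      + 6-byte MAC.  Lowest BID wins; equal priorities fall through to lowest MAC.
Switch names, MACs and priorities used here are constructed sample values.
"""
import re

PRIORITY_STEP = 4096
ALLOWED_PRIORITIES = list(range(0, 65536, PRIORITY_STEP))   # 0 .. 61440, 16 values


def validate_priority(priority: int) -> int:
    """Mimic the IOS check: priority must be a multiple of 4096 between 0 and 61440."""
    if priority not in ALLOWED_PRIORITIES:
        allowed = " ".join(str(p) for p in ALLOWED_PRIORITIES)
        raise ValueError(
            "% Bridge Priority must be in increments of 4096.\n"
            f"% Allowed values are:\n{allowed}"
        )
    return priority


def mac_to_int(mac: str) -> int:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' or 'aabbccddeeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """8-byte BID: 2-byte (priority | extended system ID) followed by the 6-byte MAC."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    # The priority occupies the top 4 bits of the 16-bit field; the VID fills the low 12 bits.
    prio_field = priority | vlan
    return (prio_field << 48) | mac_to_int(mac)


def format_bid(bid: int) -> str:
    """Render as IOS does, e.g. 0x8001:0c0011111111 for priority 32768, VLAN 1."""
    return f"0x{bid >> 48:04x}:{bid & 0xFFFFFFFFFFFF:012x}"


def elect_root(switches: dict, vlan: int) -> str:
    """Return the name of the switch with the lowest BID for the given VLAN.

    `switches` maps a switch name to a (priority, mac) tuple."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


if __name__ == "__main__":
    # Constructed topology: both switches at the default priority for VLAN 1,
    # so the election falls through to the lowest MAC address (switch X).
    lan = {
        "SwitchX": (32768, "0c00.1111.1111"),
        "SwitchY": (32768, "0c00.2222.2222"),
    }
    print(format_bid(bridge_id(32768, 1, "0c00.1111.1111")))   # 0x8001:0c0011111111
    print("root for VLAN 1:", elect_root(lan, 1))              # SwitchX
    # `spanning-tree vlan 1 root primary` on SwitchY lowers it to 24576 and flips the result.
    lan["SwitchY"] = (24576, "0c00.2222.2222")
    print("root after root primary on SwitchY:", elect_root(lan, 1))   # SwitchY
```

The example also shows why the default election is "fairly random": with every switch at 32768 the outcome depends only on which vendor-assigned MAC happens to be lowest, which is why the notes recommend setting the priority explicitly on the intended root.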
BETTER TO USE RAPID SPANNING TREE PROTOCOL
The SVI for the VLAN provides Layer 3 processing for packets from all switch ports associated with that VLAN. Only one SVI can be associated with a VLAN. You configure an SVI for a VLAN for the following reasons:
• To provide a default gateway for a VLAN so that traffic can be routed between VLANs
• To provide fallback bridging if it is required for non-routable protocols
• To provide Layer 3 IP connectivity to the switch
• To support routing protocol and bridging configurations
By default, an SVI is created for the default VLAN (VLAN1) to permit remote switch administration. Additional SVIs must be explicitly created. SVIs are created the first time a VLAN interface configuration mode is entered for a particular VLAN SVI. The VLAN corresponds to the VLAN tag associated with data frames on an Ethernet trunk or to the VLAN ID (VID) configured for an access port. An IP address is assigned in interface configuration mode to each VLAN SVI that is to route traffic off of and on to the local VLAN.
Inter-VLAN Routing

Routed Switch Ports
A routed port has the following characteristics and functions:
• Physical switch port with Layer 3 capability
• Not associated with any VLAN
• Serves as the default gateway for devices out that switch port
• Layer 2 port functionality must be removed before it can be configured
conf t
int range fa0/1 - 6
switchport port-security mac-address <specific mac address> --> sets the specific mac address to that interface
switchport port-security maximum (1-132) --> how many mac addresses the port is to remember
switchport port-security violation {shutdown | restrict | protect}
port security max-mac-count {1-132} --> enables port security and sets the max mac count
port security action shutdown --> if more than the specified number of mac addresses is hit the port is shut down
arp timeout seconds --> set to a smaller time to mitigate mac address spoofing
To verify do a show port-security or show port-security interface

To access this mode, the vlan database command is executed from privileged EXEC mode. From this mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005. Note: This mode has been deprecated and will be removed in some future release. The move to the global VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.

---Configuring Multiple Spanning Tree Protocol (MSTP) - refer to 3.3.5-3.3.6 cpt176
Switch#show spanning-tree mst
Switch#show spanning-tree mst <mst instance #>
However, the switch does not automatically revert to Rapid PVST+ or MSTP mode if it no longer receives IEEE 802.1D BPDUs, because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the following command in this situation:
Switch#clear spanning-tree detected-protocols
Switch#show spanning-tree mst interface fastethernet 4/4
Switch#show spanning-tree mst 1 interface fastethernet 4/4
This example displays detailed MSTP information for a specific instance:
Switch#show spanning-tree mst 1 detail

----EtherChannel Configuration 3.4.3 ---more on part 2 of same page 3.4.4
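The port-security commands in the switch notes above (maximum count, static or learned secure MACs, and the shutdown / restrict / protect violation modes) are easier to reason about as a small state machine. The following is an added example written for these notes, not Cisco code: the class and method names are this example's own, and the port names and MAC addresses are constructed sample values. It shows what each violation mode does to the next unknown source MAC once the limit is reached, and what `show port-security interface` would roughly report afterwards.

```python
"""Added example (not from the notes): a model of switchport port-security showing
how `maximum`, the secure MAC table and the violation mode (shutdown / restrict /
protect) decide what happens when an extra source MAC appears on an access port.
Port names and MAC addresses are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    name: str
    maximum: int = 1                 # switchport port-security maximum 1-132
    violation: str = "shutdown"      # switchport port-security violation {shutdown|restrict|protect}
    secure_macs: set = field(default_factory=set)   # static (mac-address <mac>) plus learned
    err_disabled: bool = False
    violation_count: int = 0

    def __post_init__(self):
        if self.violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        if not 1 <= self.maximum <= 132:
            raise ValueError("maximum must be between 1 and 132")

    def add_secure_mac(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("secure address table is already full")
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> str:
        """Decide 'forward' or 'drop' for a frame with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                              # port is shut down
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)              # room left: learn it dynamically
            return "forward"
        # Limit reached and the MAC is unknown: this is a violation.
        if self.violation == "protect":
            return "drop"                              # silent drop, no counter, no log
        self.violation_count += 1                      # restrict: drop and count (syslog/SNMP trap)
        if self.violation == "shutdown":
            self.err_disabled = True                   # port goes err-disabled
        return "drop"

    def recover(self) -> None:
        """shutdown / no shutdown on the interface after an err-disable."""
        self.err_disabled = False

    def show(self) -> dict:
        """Roughly the fields `show port-security interface` reports."""
        return {
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Security Violation Count": self.violation_count,
        }


if __name__ == "__main__":
    port = PortSecurity("Fa0/1", maximum=1, violation="shutdown")
    for mac in ("00aa.0000.0001", "00aa.0000.0001", "00aa.0000.0002"):
        print(mac, "->", port.receive(mac))   # forward, forward, drop (second MAC trips shutdown)
    print(port.show())
```

The three modes differ only in what happens after the limit is hit: protect drops silently, restrict drops and counts, shutdown additionally err-disables the port, which then needs a shutdown / no shutdown (or errdisable recovery) before it carries traffic again.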
Load balancing is applied globally for all EtherChannel bundles in the switch. To configure EtherChannel load balancing, use the port-channel load-balance command. Load balancing can be based on the following variables:
• src-mac: Source MAC address
• dst-mac: Destination MAC address
• src-dst-mac: Source and destination MAC addresses
• src-ip: Source IP address
• dst-ip: Destination IP address
• src-dst-ip: Source and destination IP addresses (default)
• src-port: Source TCP/User Datagram Protocol (UDP) port
• dst-port: Destination TCP/UDP port
• src-dst-port: Source and destination TCP/UDP ports
This example shows how to configure and verify EtherChannel load balancing:
Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# exit
Switch# show etherchannel load-balance
Source XOR Destination IP address
Switch DHCP spoofing
DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping.
• DHCP snooping must be enabled globally on the switch.
• DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
• Before configuring the DHCP information option on the switch, make sure to configure the device that is acting as the DHCP server. For example, the IP addresses that the DHCP server can assign or exclude must be specified, or DHCP options for devices must be configured.

conf t
ip dhcp snooping --> must also be enabled on a VLAN to take effect
ip dhcp snooping vlan vlan_id {,vlan_ID}
interface
ip dhcp snooping trust --> makes that port a trusted DHCP port
ip dhcp snooping limit rate 100 --> rate-limits DHCP on that interface (DHCP packets per second; usually don't do more than 100). Do both commands on the same interface.
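To make the guidelines and commands above concrete, here is a model of the per-packet decision a DHCP snooping switch makes. This is an added example written for these notes, not Cisco code: the class and method names are this example's own, the ports, VLANs and packets are constructed sample values, and learning a binding directly from an ACK seen on a trusted port is a simplification of how the binding table is actually built. It shows the three effects of the configuration: snooping does nothing until the global command and the VLAN command are both present, server-side messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, and an untrusted port that exceeds its `limit rate` is err-disabled.

```python
"""Added example (not from the notes): a model of the DHCP snooping filter that the
commands above turn on.  Ports, VLANs and packets are constructed sample values.
"""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}            # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    def __init__(self):
        self.enabled_globally = False      # ip dhcp snooping
        self.vlans = set()                 # ip dhcp snooping vlan <id>
        self.trusted = set()               # ip dhcp snooping trust (per interface)
        self.rate_limit = {}               # ip dhcp snooping limit rate <pps> (per interface)
        self.err_disabled = set()
        self.pps = defaultdict(int)        # DHCP packets seen this second, per untrusted port
        self.bindings = {}                 # client MAC -> (ip, vlan, port): show ip dhcp snooping binding

    # --- configuration, mirroring the IOS commands ---
    def enable(self):
        self.enabled_globally = True

    def enable_vlan(self, vlan):
        self.vlans.add(vlan)

    def trust(self, port):
        self.trusted.add(port)

    def limit_rate(self, port, pps):
        self.rate_limit[port] = pps

    def new_second(self):
        """Caller invokes this once per second so the rate counters reset."""
        self.pps.clear()

    # --- the per-packet decision ---
    def inspect(self, port, vlan, msg_type, src_mac, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP packet received on `port`."""
        if port in self.err_disabled:
            return "drop"
        if not (self.enabled_globally and vlan in self.vlans):
            return "forward"                              # snooping not active on this VLAN
        if port in self.trusted:
            if msg_type == "ACK" and yiaddr:
                # Simplified: record the lease the real server handed out.
                self.bindings[chaddr.lower()] = (yiaddr, vlan, port)
            return "forward"
        # Untrusted port from here on.
        self.pps[port] += 1
        if port in self.rate_limit and self.pps[port] > self.rate_limit[port]:
            self.err_disabled.add(port)                   # rate exceeded: port err-disabled
            return "drop"
        if msg_type in SERVER_MESSAGES:
            return "drop"                                 # server message from a client port
        if src_mac.lower() != chaddr.lower():
            return "drop"                                 # frame source does not match chaddr
        return "forward"


if __name__ == "__main__":
    sw = DhcpSnooping()
    sw.enable()
    sw.enable_vlan(10)
    sw.trust("Gi0/1")                 # uplink toward the real DHCP server
    sw.limit_rate("Fa0/5", 100)
    print(sw.inspect("Fa0/5", 10, "DISCOVER", "00aa.0000.0001", "00aa.0000.0001"))  # forward
    print(sw.inspect("Fa0/5", 10, "OFFER", "00aa.0000.0001", "00aa.0000.0002"))     # drop
    print(sw.inspect("Gi0/1", 10, "ACK", "00bb.0000.0001", "00aa.0000.0001",
                     yiaddr="10.1.10.20"))                                           # forward
    print(sw.bindings)
```

The binding table that `inspect` fills is the same data `show ip dhcp snooping binding` displays, and it is what Dynamic ARP Inspection and IP Source Guard consult on the access ports.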
The show ip dhcp snooping binding command displays the DHCP snooping binding entries for a switch, as shown in the figure.

One of the more important elements is to use dedicated VLAN IDs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to non-trunking mode by explicitly turning off DTP on those ports. This is accomplished on IOS switches by setting the switch port mode to access with the switchport mode access interface configuration command. ACLs can be configured on the router port to mitigate private VLAN attacks. VLAN ACLs (VACLs) can also be used to help mitigate the effects of private VLAN attacks. An example of using ACLs on the router port is if a server farm segment were 172.16.34.0/24, then configuring the ACLs shown in the figure on the default gateway would mitigate the private VLAN proxy attack.
conf t
interface <interface>
spanning-tree guard {root | loop}
Use the spanning-tree guard interface configuration command to enable root guard or loop guard on all the VLANs associated with the selected interface. Root guard restricts which interface is allowed to be the spanning-tree root port or the path to the root for the switch. Loop guard prevents alternate or root ports from becoming designated ports when a failure creates a unidirectional link.
**Put loop guard on the trunks.
Globally enable: spanning-tree portfast bpduguard default
**Don't put portfast on trunks or on ports to other routers; BPDU guard keeps BPDUs from being accepted on that interface.
---------------------------------------------------------------------------------NAT
Dynamic
To define the pool of public addresses, use the ip nat pool command:
Gateway(config)#ip nat pool public-access 199.99.9.40 199.99.9.62 netmask 255.255.255.224
Step 8 Define an access list that will match the inside private IP addresses
To define the access list to match the inside private addresses, use the access-list command:
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Step 9 Define the NAT translation from inside list to outside pool
To define the NAT translation, use the ip nat inside source command:
Gateway(config)#ip nat inside source list 1 pool public-access
router(config-if)#ip nat inside
--an interface can be defined as inside or outside (ip nat inside / ip nat outside)
--translations occur between inside and outside
--on the router you must have an inside and an outside on two interfaces:
int fa0/0
 ip address <address> <mask>
 ip nat inside
To convert from private to public for one IP (e.g. a server) that needs Internet/WAN access, use a static translation:
ip nat inside source static <inside local ip> <inside global ip>
Display active translations:
router#show ip nat translations [verbose]
router#show ip nat statistics
debug ip nat
debug ip nat detailed
Overloading
Overloading is configured in two ways depending on how public IP addresses have been allocated. An ISP can allocate a network only one public IP address, and this is typically assigned to the outside interface which connects to the ISP. Figure shows how to configure overloading in this situation. Another way of configuring overload is if the ISP has given one or more public IP addresses for use as a NAT pool. This pool can be overloaded as shown in the configuration in Figure. Figure shows an example configuration of PAT.
-----------------------------------------------------------------------------------DHCP
router(config)#ip dhcp pool <name> --> specifies the DHCP pool
router(dhcp-config)#network <network> <mask> --> specifies the range
*multiple DHCP pools can be created on a server
---------Configure DHCP excluded addresses
router(config)#ip dhcp excluded-address ip-addr [end-ip-address]
router(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.10   <-- range
router(config)#ip dhcp excluded-address 172.16.1.254
*this address is reserved for the router interface, so it needs to be blocked out of the list
Create the DHCP address pool
To configure the campus LAN pool, use the following commands:
campus(config)#ip dhcp pool campus
campus(dhcp-config)#network 172.16.12.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.12.1
campus(dhcp-config)#dns-server 172.16.1.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.1.10
----------------------------Verifying DHCP
Router#show ip dhcp binding
router#show ip dhcp server events ---> shows leases and expiration
------------------------------To get DHCP from a server that is on a different network (e.g. server on 172.17.1.0, clients on 172.16.1.0): use the ip helper-address command to relay broadcast requests for these key UDP services. When DHCP tries to broadcast between routers, ip helper-address forwards the request instead of letting the router block it. --look at the last slide for ip helpers in module 1
6.2.7 Configuring SNMP
In order to have the NMS communicate with networked devices, the devices must have SNMP enabled and the SNMP community strings configured. These devices are configured using the command line syntax described in the following paragraphs. More than one read-only string is supported. The default on most systems for this community string is public. It is not advisable to use the default value in an enterprise network. To set the read-only community string used by the agent, use the following command:
Router(config)#snmp-server community string ro
• string – Community string that acts like a password and permits access to the SNMP protocol
• ro – (Optional) Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
More than one read-write string is supported. All SNMP objects are available for write access. The default on most systems for this community string is private. It is not advisable to use this value in an enterprise network. To set the read-write community string used by the agent, use the following command:
Router(config)#snmp-server community string rw
• rw – (Optional) Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
There are several strings that can be used to specify the location of the managed device and the main system contact for the device.
Router(config)#snmp-server location text
Router(config)#snmp-server contact text
• text – String that describes the system location or contact information
These values are stored in the MIB objects sysLocation and sysContact.
Network management in an internetworked environment typically requires one monitor per subnetwork.
SNMP configuration: the default string values are public (read-only) and private (read-write); other apps can be used to monitor.
Host commands
C:\host1>arp -an
Route commands: netstat, route print and other route commands
Ping Sweep
Another method for collecting MAC addresses is to employ a ping sweep across a range of IP addresses. A ping sweep is a scanning method that can be executed at the command line or by using network administration tools. These tools provide a way to specify a range of hosts to ping with one command. Using the ping sweep, network data can be generated in two ways. First, many of the ping sweep tools construct a table of responding hosts. These tables often list the hosts by IP address and MAC address. This provides a map of active hosts at the time of the sweep. Second, as each ping is attempted, an ARP request is made, which places that host's entry in the ARP cache. This activates each host with recent access and ensures that the ARP table is current. The arp command can return the table of MAC addresses, as discussed above, but now there is reasonable confidence that the ARP table is up-to-date.
SDM Configuration
Use the following process to access SDM for the first time. This procedure assumes that an out-of-box router with SDM installed is being used, or that a default SDM configuration was loaded into flash.
Step 1 Connect a PC to the lowest number LAN Ethernet port of the router using a cross-over cable.
Step 2 Assign a static IP address to the PC. It is recommended to use 10.10.10.2 with a 255.255.255.0 subnet mask.
Step 3 Launch a supported web browser.
Step 4 Use the URL https://10.10.10.1. A login prompt will appear.
Step 5 Log in using the default user account: Username: sdm Password: sdm
The SDM startup wizard opens, requiring a basic network configuration to be entered. To access SDM after the initial startup wizard is completed, use either http: or https:, followed by the router IP address. When you enter https: it specifies that the Secure Sockets Layer (SSL) protocol be used for a secure connection. If SSL is not available, use http: to access the router. Once the WAN interface is configured, SDM is accessible through a LAN or WAN interface.
NOTE: The startup wizard information needs to be entered only once and will only appear when a default configuration is detected.
Troubleshooting SDM Access
Use the following tips to troubleshoot SDM access problems:
• First determine if there is a web browser problem by checking the following:
○ Are Java and JavaScript enabled on the browser? Enable them.
○ Are popup windows being blocked? Disable popup blockers on the PC, since SDM requires popup windows.
○ Are there any unsupported Java plug-ins installed and running? Disable them using the Windows Control Panel.
• Is the router preventing access? Remember that certain configuration settings are required for SDM to work. Check the following:
○ Is one of the default configurations being used, or is an existing router configuration being used? Sometimes new configurations disable SDM access.
○ Is HTTP server enabled on the router? If it is not, enable it and check that other SDM prerequisite parameters are configured as well. Refer to the "Downloading and Installing Cisco SDM" document for the required settings. This document can be found at the weblink below.
○ Did SDM access work before, but now it's not working? Ensure that the PC is not being blocked by a new ACL. Remember that SDM requires HTTP, SSH, and Telnet access to the router, which could have been inadvertently disabled in a security lockdown.
• Is SDM installed?
○ The quickest way to determine this is to access it using the appropriate HTTP or HTTPS method: https:///flash/sdm.shtml.
○ Use the show flash command to view the flash file system and make sure that the required SDM files are present.
Refer to NS1 labs
PIX
The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without an access control list (ACL). Security levels range from 0 to 100.
• Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.
• Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization is used.
• Same secure interface to a same secure interface – No traffic flows between two interfaces with the same security level.
• hostname – Assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex communications.
In the interface configuration sub-commands, hardware speed and duplex, interface name, security level, IP address, and many other settings can be configured. For an interface to pass traffic, the nameif, ip address, security level, and no shutdown interface configuration sub-commands are necessary.
nameif assigns a name to each interface on the PIX Security Appliance. The first two interfaces have the default names inside and outside.
ip address dhcp – have the interface acquire its IP information via DHCP.
If it is necessary that interfaces with the same security level are able to communicate, use the same-security-traffic command. Two interfaces could be assigned to the same level to allow them to communicate without using NAT.
• nat-control – Enable or disable the NAT configuration requirement.
• nat – Shields IP addresses on the inside network from the outside network.
• global – Creates a pool of one or more IP addresses for use in NAT and PAT.
• route – Defines a static or default route for an interface.
The nat Command
The first step in enabling NAT on a PIX Security Appliance is entering the nat command. The nat command can specify translation for a single host or a range of hosts. The nat command has two major components, nat_id and IP address or range of IP addresses. A nat_id is a number from 1 to 2147483647 which specifies the hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command. The nat command nat_id number must match the nat_id number in the global command if you want to use that specific global pool of IP addresses for the dynamic address translation.
For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound connections from a host within the specified network, 10.0.0.0, can pass through the PIX Security Appliance with address translation. The nat (inside) 1 10.0.0.11 255.255.255.255 command means that only outbound connections originating from the inside host 10.0.0.11 are translated as the packet passes through the PIX. Administrators can use 0.0.0.0 to allow all hosts to be translated. The 0.0.0.0 can be abbreviated as 0. As shown in the Figure, all inside hosts making outbound connections with the nat (inside) 1 0.0.0.0 0.0.0.0 command are translated. The nat_id identifies the global address pool the PIX will use for the dynamic address translation. The syntax for the nat command is shown in Figure.
The global Command
In order for a local address to be translated using NAT, a global pool of addresses must be defined. In a PIX Security Appliance configuration, there may be more than one global pool configured. Each outbound network address translation is associated with a nat_id. Each global pool has a corresponding nat_id. The PIX uses the nat_id of the outbound IP packet to identify which global pool of addresses to select a translation IP address from. The nat_id of the outbound packet must match the nat_id of the global pool.
The PIX assigns addresses from the designated global pool starting from the low end to the high end of the range specified in the global command. The pool of global IP addresses is configured with the global command.
In Figure, host 10.0.0.11 starts an outbound connection. The nat_id of the outbound packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with a nat_id of 1. The PIX assigns an IP address of 192.168.0.20. It is the lowest available IP address of the range specified in the global command. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20. The syntax for the global command is shown in Figure. If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses. Use the no global command to delete a global entry.
NOTE: The PIX Security Appliance uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.
Use the route command to enter a static route for an interface. Static routes can be created to access specific networks beyond the locally connected networks. For example, in Figure, the PIX Security Appliance sends all packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102. This static route was created by using the command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination network of 10.0.1.0.
Commonly Used show Commands
The show memory command displays a summary of the maximum physical memory, current used memory, and current free memory available to the PIX Security Appliance operating system. The show cpu usage command displays CPU use. Use the show version command to display the PIX Security Appliance software version, operating time since the last reboot, processor type, Flash memory type, interface boards, serial number, BIOS identification, and activation key value. The show ip address command is used to view the IP addresses that are assigned to the network interfaces. The show interface command is used to view network interface information. This is one of the first commands that should be used when trying to establish connectivity.
Use the show nameif command to view the named interfaces. In Figure, the first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, and the outside interface has a default security level of 0. Ethernet2 is assigned a name of dmz with a security level of 50.
If it is necessary to allow internal hosts to be able to ping external hosts, an ACL for echo reply is necessary. If pings through the PIX Security Appliance between hosts or routers are not successful, use the debug icmp trace command to monitor the success of the ping.
The show run nat command displays the single host or range of hosts to be translated. In Figure, all hosts on the 10.0.0.0 network will be translated when traversing the PIX Security Appliance. The nat_id is 1. The show run global command displays the global pools of addresses configured in the PIX Security Appliance. In Figure there is currently one pool configured. The pool is configured on the outside interface. The pool has an IP address range of 192.168.0.20 to 192.168.0.254. The nat_id is 1.
The show xlate command displays the contents of the translation slot. In Figure, the number of currently used translations is 1 with a maximum count of 1. The current translation is a local IP address of 10.0.0.11 to a global IP address of 192.168.0.20.
NTP
The ntp server command synchronizes the PIX Security Appliance with a specified network timeserver. The PIX can be configured to require authentication before synchronizing with the NTP server. To enable and support authentication, there are several forms of the ntp command that work with the ntp server command. Additional information about the ntp command forms and their uses is available in the Command Reference. The show run ntp command can be used to display the current NTP configuration. The show ntp status
Logging severity levels:
• 0 – emergencies – System unusable messages
• 1 – alerts – Take immediate action
• 2 – critical – Critical condition
• 3 – errors – Error message
• 4 – warnings – Warning message
• 5 – notifications – Normal but significant condition
• 6 – informational – Information message
• 7 – debugging – Debug messages and log FTP commands and WWW URLs
The show logging Command Use the show logging command to see the logging configuration and any internally buffered messages. Use the clear logging
Two Interfaces with NAT
In Figure, the first nat command statement permits all hosts on the 10.0.0.0 network to start outbound connections using the IP addresses from a global pool. The second nat command statement permits all hosts on the 10.2.0.0 network to do the same. The nat_id in the first nat command statement tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those in the global pool containing the same nat_id. Likewise, the nat_id in the second nat command statement tells the PIX to translate addresses for hosts on network 10.2.0.0 to the addresses in the global pool containing nat_id 2.
Three Interfaces with NAT
In Figure, the first nat command statement enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The second nat command statement enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface. Because both global pools and the nat (inside) command statement use a nat_id of 1, addresses for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when users on the inside interface access hosts on the DMZ, their source addresses will be translated to addresses in the 172.16.0.20−172.16.0.254 range from the global (dmz) command statement. When they access hosts on the outside, their source addresses will be translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside) command statement.
When users on the DMZ access hosts on the outside, their source addresses will always be translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside) command statement.
Use the static command for outbound connections that must be mapped to the same global IP address. The address 192.168.0.9 is not translated. When the command nat (DMZ) 0 192.168.0.9 255.255.255.255 is entered, the PIX Security Appliance displays the following message: NAT 0 enables the Internet server address to be visible on the outside interface. The administrator also needs to add a static in combination with an access-list to allow users on the outside to connect with the Internet server. The show conn command displays information about the active TCP connections.
The show conn detail Command
When the show conn detail option is used, the system displays information about the translation type, interface information, IP address/port number, and connection flags. In Figure, the two connections display a flag value of UIO. According to the flag definition, the connections are up. The connections are passing inbound and outbound data.
The show local-host Command
The show local-host command displays the network states of local hosts. A local-host entry is created for any host that forwards traffic to, or through, the PIX Security Appliance. This command shows the translation and connection slots for the local hosts. In Figure, the inside host 10.0.0.11 establishes a web connection with server 192.168.10.11. The output of the show local-host command is displayed in Figure.
Configuring OSPF on the PIX Security Appliance requires the administrator to do the following:
• Enable OSPF
• Define the PIX Security Appliance interfaces on which OSPF runs
• Define OSPF areas
Enable OSPF
To enable OSPF routing, use the router ospf command. The syntax for the router ospf command is shown in Figure. The PIX Security Appliance can be configured for one or two processes, or OSPF routing domains. If the PIX is functioning as an ABR and it is configured for one process, the PIX will pass type 3 LSAs between defined OSPF areas. In the example in Figure, the PIX is configured for one OSPF process, OSPF 1.
Define Network Interfaces
To define the interfaces on which OSPF runs and the area ID for those interfaces, use the network area subcommand. The syntax for the network area command is shown in Figure.
FWSM, the following tasks must be completed:
• Initialize the FWSM.
• Configure the switch VLANs.
• Associate VLANs with the FWSM.
The switch CLI is accessible through a Telnet connection to the switch or through the switch console interface.
Verify FWSM Installation
Before the FWSM can be used, it must be verified that the card is installed and recognized by the switch. Enter the show module command to verify that the system acknowledges the new module and has brought it online. The syntax for the show module command is shown in Figure.
Configure the Switch VLANs
The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Hosts are connected to physical switch ports, and VLANs are assigned to those ports. To prevent mismatched VLANs, the administrator should first configure a VLAN on the MSFC, and then configure the VLANs on the FWSM. VLAN IDs must be the same for the switch and the FWSM. After the MSFC VLAN is configured, specific VLANs can be associated with a FWSM.
The first step was to add VLANs to the MSFC. The next step is to associate VLANs to be inspected by the FWSM. A VLAN can be linked with a specific FWSM by using the firewall command. The firewall vlan-group command creates a group of firewall VLANs named by the vlan-group parameter. The syntax for the firewall vlan-group command is shown in Figure.
Once a group of VLANs is assigned to a group, the firewall module command associates a VLAN group with a specific FWSM. The syntax for the firewall module command is shown in Figure. In the example in Figure, VLANs 100, 200, and 300 have been placed into firewall VLAN-group 1. The FWSM in slot 4 is associated with VLAN-group 1, i.e. VLANs 100, 200, and 300.
Verify the MSFC Configuration
The administrator can verify that the MSFC is properly configured for interaction with the FWSM. The show firewall vlan-group command verifies which VLANs are assigned to each firewall VLAN-group. The show firewall module command verifies that the VLAN-groups are assigned to the associated slot where the FWSM resides.
Configure the FWSM Interfaces
The FWSM is now installed. The MSFC VLANs are configured. The FWSM VLANs are associated with a specific FWSM. The next step is to configure the security policy on the FWSM. The FWSM can be accessed by using the session command. Use the default password cisco for the FWSM when prompted. A prompt for an enable mode password is then displayed. By default, there is no password, and the Enter key can be pressed to access the enable mode. It is recommended that you change the enable password to a valid value and use this for future access to this mode. Once on the FWSM, standard security appliance commands are used to configure interface names, add security levels, and specify IP addresses. The example in Figure shows the use of the nameif command: it associates VLAN 100 as the outside interface and sets the interface with a security level of 0. It also defines VLAN 200 as the inside interface. It specifies VLAN 300 as the dmz interface. In all cases, the ip address command is used to add an IP address to each interface.
Configure A Default Route
A default route may also need to be added. In the example in Figure, a default route is created, pointing to the VLAN 100 interface of the MSFC.
It may also be necessary to create static routes. Multiple context mode does not support dynamic routing, so static routes must be used to reach any networks to which the FWSM is not directly connected, such as when a router is between the destination network and the FWSM. Static routes might be appropriate in single context mode if:
• The network uses a routing protocol other than RIP or OSPF.
• The network is small and static routes can be easily managed.
• The traffic or CPU overhead associated with routing protocols is to be avoided.
Configure the FWSM access-lists The administrator needs to create ACLs to allow outbound as well as inbound traffic because the FWSM, unlike the security appliances, denies all inbound and outbound connections that are not explicitly permitted by ACLs . Explicit access rules need to be configured using the access-list command and attached to the appropriate interface using the access-group command to allow traffic to pass through that interface. Traffic that has been permitted into an interface can exit through any other interface. Return traffic matching the session information is permitted without an explicit ACL.
Firewall Services Module Operation
3.8 Using PDM with the FWSM
PDM v. 4.0 can be used to configure and monitor FWSM v. 2.2. Figure shows the steps needed to prepare the FWSM to use PDM. Be sure to initialize the FWSM before attempting to install PDM.
• Use the copy tftp flash command to copy the PDM image into FWSM flash:
copy tftp://10.1.1.1/pdm-XXX.bin flash:pdm (where XXX = pdm image version number)
• Enable the http server on the FWSM. Without it, PDM will not start.
http server enable
• Identify the specific hosts/networks that can access the FWSM using HTTP.
http 1.1.1.0 255.255.255.0 inside
Hosts from network 10.1.1.0 (on the inside interface) are permitted http access.
• Launch the browser and enter the following address:
https://10.1.1.1 (FWSM inside interface)
Resetting and Rebooting the FWSM
If the module cannot be reached through the CLI or an external Telnet session, enter the hw-module module module_number reset command to reset and reboot the module. The reset process requires several minutes. The syntax for the command is shown in Figure. The example in Figure shows how to reset the module, installed in slot 4, from the CLI.
When the FWSM initially boots, by default it runs a partial memory test. To perform a full memory test, use the hw-module module module_number mem-test-full command. The syntax of the command is shown in Figure. A full memory test takes more time to complete than a partial memory test, depending on the memory size. The table in Figure lists the memory and approximate boot time for a long memory test.
PIX ACLs
The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command is used to clear an access list counter. If no ACL is specified, all of the access list counters are cleared. If the counters option is specified, it clears the hit count for the specified ACL. The no access-list command removes an access-list command from the configuration. If all of the access-list command statements in an ACL group are removed, the no access-list command also removes the corresponding access-group command from the configuration. The access-list mode command allows the administrator to specify whether the defined ACL should be active immediately or when specified. The access-list commit command activates the previously created ACL. Use the access-list id line line-num command to insert an access-list command statement, and the no access-list id line line-num command to delete an access-list command statement. Line numbers are maintained internally in increasing order, starting from 1. A user can insert a new entry between two consecutive ACEs by choosing the line number of the ACE with the higher line
In Figure the users in the corporate office wish to communicate with the branch site over a VPN tunnel. To accomplish this, the administrator employs nat 0 access-list. The IP source network, 10.0.0.0/24, and IP destination network, 10.200.0.0/24, are defined in the ACL. The ACL is applied to the nat 0 command. Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not translated by the PIX.
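The nat_id pairing, low-to-high pool assignment and nat 0 exemption described in the nat/global, three-interface and VPN figures above, as an added Python model rather than Cisco's implementation: nat (inside) 1 for 10.0.0.0/24 with the global (outside) and global (dmz) pools, plus the nat 0 access-list for 10.0.0.0/24 to 10.200.0.0/24. The PixNat class, its method names and the access-list written as a Python predicate are assumptions; the addresses are the ones the text uses.

```python
# Added example (not Cisco code): a model of how the PIX pairs a 'nat' statement
# with a 'global' pool through nat_id, hands out pool addresses from the low end,
# and exempts 'nat 0' traffic. Addresses are those in the text's figures; the
# PixNat class and its method names are constructed for the demonstration.
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

AclFn = Callable[[ipaddress.IPv4Address, ipaddress.IPv4Address], bool]


class PixNat:
    def __init__(self) -> None:
        # (ingress interface, nat_id, local network, optional nat 0 access-list)
        self.nat_rules: List[Tuple[str, int, ipaddress.IPv4Network, Optional[AclFn]]] = []
        # (egress interface, nat_id) -> free global addresses, lowest first
        self.global_pools: Dict[Tuple[str, int], List[str]] = {}
        # (local ip, egress interface) -> (global ip, nat_id): the xlate table
        self.xlate: Dict[Tuple[str, str], Tuple[str, int]] = {}

    def nat(self, interface: str, nat_id: int, network: str, mask: str,
            access_list: Optional[AclFn] = None) -> None:
        """'nat (interface) nat_id network mask', or nat 0 with an access-list predicate."""
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        self.nat_rules.append((interface, nat_id, net, access_list))
        # nat 0 (exemption) is evaluated before dynamic translation
        self.nat_rules.sort(key=lambda rule: rule[1] != 0)

    def global_pool(self, interface: str, nat_id: int, low: str, high: str) -> None:
        """'global (interface) nat_id low-high'."""
        lo = int(ipaddress.ip_address(low))
        hi = int(ipaddress.ip_address(high))
        self.global_pools[(interface, nat_id)] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def translate(self, src_ip: str, dst_ip: str, ingress: str, egress: str) -> Optional[str]:
        """Source address the packet carries when it leaves on the egress interface.

        Returns the untranslated address for nat 0 matches and None when no nat
        statement, or no global pool with the same nat_id on egress, applies."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for interface, nat_id, net, acl in self.nat_rules:
            if interface != ingress or src not in net:
                continue
            if nat_id == 0:
                if acl is None or acl(src, dst):
                    return src_ip          # identity: passes through untranslated
                continue
            key = (src_ip, egress)
            if key in self.xlate:          # an existing translation slot is reused
                return self.xlate[key][0]
            pool = self.global_pools.get((egress, nat_id))
            if not pool:                   # nat_id must match a pool on the egress interface
                return None
            global_ip = pool.pop(0)        # lowest available address in the range
            self.xlate[key] = (global_ip, nat_id)
            return global_ip
        return None

    def show_xlate(self) -> List[Tuple[str, str, str]]:
        """(local ip, egress interface, global ip) rows, like 'show xlate'."""
        return sorted((local, egress, gip) for (local, egress), (gip, _) in self.xlate.items())

    def clear_xlate(self) -> None:
        """'clear xlate': drop translations and return their addresses to the pools."""
        for (_, egress), (global_ip, nat_id) in self.xlate.items():
            self.global_pools[(egress, nat_id)].append(global_ip)
        for pool in self.global_pools.values():
            pool.sort(key=lambda ip: int(ipaddress.ip_address(ip)))
        self.xlate.clear()


def build_three_interface_example() -> PixNat:
    """The text's three-interface figure plus its nat 0 access-list VPN exemption.
    The access-list matching 10.0.0.0/24 -> 10.200.0.0/24 is written as a predicate."""
    pix = PixNat()
    vpn_net = ipaddress.ip_network("10.200.0.0/24")
    pix.nat("inside", 0, "10.0.0.0", "255.255.255.0", access_list=lambda src, dst: dst in vpn_net)
    pix.nat("inside", 1, "10.0.0.0", "255.255.255.0")
    pix.global_pool("outside", 1, "192.168.0.20", "192.168.0.254")
    pix.global_pool("dmz", 1, "172.16.0.20", "172.16.0.254")
    return pix


if __name__ == "__main__":
    pix = build_three_interface_example()
    print(pix.translate("10.0.0.11", "192.168.10.11", "inside", "outside"))  # 192.168.0.20
    print(pix.translate("10.0.0.11", "172.16.0.5", "inside", "dmz"))         # 172.16.0.20
    print(pix.translate("10.0.0.11", "10.200.0.7", "inside", "outside"))     # 10.0.0.11 (nat 0)
    print(pix.show_xlate())
```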
ActiveX Filtering
Another application that can be filtered by the PIX Security Appliance in order to protect against malicious applets is ActiveX. ActiveX controls are applets that can be inserted in Web pages or other applications. They were formerly known as Object Linking and Embedding (OLE) or Object Linking and Embedding Control (OCX). ActiveX controls create a potential security problem because they provide a way for someone to attack servers. Due to this security threat, administrators have the option of using the PIX to block all ActiveX controls. The filter {activex | java} command filters out ActiveX or Java usage from outbound packets. In the example in Figure, the command specifies that ActiveX is being filtered on port 80 from any internal host and for connection to any external host. The Command Reference provides more information about the commands and syntax for blocking ActiveX or Java.
Use the url-server command to designate the server on which the URL filtering application runs, and then enable the URL filtering service with the filter url command. PIX Security Appliance Software Versions 6.1 and earlier do not support the filtering of URLs longer than 1159 bytes. PIX version 6.2 supports the filtering of URLs up to 6 KB for the Websense filtering server. The maximum allowable length of a single URL can be increased by entering the url-block url-size command. This option is available with Websense URL filtering only.

HTTPS and FTP Filtering
This feature extends Web-based URL filtering to HTTPS and FTP. The filter ftp and filter https commands were added to the filter command in PIX Security Appliance Software Version 6.3. The filter ftp command enables FTP filtering, and the filter https command enables HTTPS filtering. Both are available with Websense URL filtering only. The example command in the figure instructs the PIX Security Appliance to send all URL requests to the URL filtering server to be filtered. The allow option in the filter command decides what happens when the filtering server is unreachable. If the allow option is used and the URL filtering server goes offline, the PIX lets all FTP and HTTPS URL requests continue without filtering (fail open). If the allow option is not specified, all FTP and HTTPS URL requests are stopped until the server is back online (fail closed). Choose deliberately: fail open keeps users working, but it also gives anyone who can take the filtering server down an unfiltered path out.

Object groups
The PIX Security Appliance supports four types of object group:
• Network – Used to group client hosts, server hosts, or subnets.
• Protocol – Used to group protocols. It can contain one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. Use the keyword ip to match any Internet protocol, including ICMP, TCP, and UDP.
• Service – Used to group the TCP or UDP port numbers assigned to different services.
• ICMP-type – Used to group the ICMP message types that are permitted or denied access.
Applying a PIX Security Appliance object group to a command is the equivalent of applying every element of the object group to the command. In the example shown in the figure, the group DMZ_Servers contains the servers 192.168.0.10, 192.168.0.11, and 192.168.0.12, and the group DMZ_Services contains the HTTP, HTTPS, and FTP services. Applying the groups DMZ_Servers and DMZ_Services to one ACE is the same as applying all of the hosts and services individually.
9.2.2 Getting started with object groups
Complete the following steps to configure an object group and use it in ACLs:
Step 1 Use the object-group command to enter the subcommand mode for the type of group to be configured. All subcommands entered at the subcommand prompt apply to the object group named in the object-group command.
Step 2 In subcommand mode, define the members of the object group. In subcommand mode, object grouping subcommands as well as all other PIX Security Appliance commands can be entered, including show and clear commands. Enter a question mark (?) in subcommand mode to view the permitted subcommands.
Step 3 (Optional) Use the description subcommand to describe the object group.
Step 4 Return to configuration mode by entering the exit command or the quit command. Entering any valid configuration command other than an object grouping command also terminates the subcommand mode.
Step 5 (Optional) Use the show object-group command to verify that the object group has been configured successfully. It lists the currently configured object groups of the specified type; without a parameter it displays all object groups.
Step 6 Apply the object group to the access-list command. Replace the parameters of the access-list command with the corresponding object group, as summarized in the figure.
Step 7 (Optional) Use the show access-list command to display the expanded ACEs.
The group-object command is used to construct hierarchical, or nested, object groups. The group-object command, not to be confused with the object-group command, places one object group into another. The difference between object groups and group objects is as follows:
• An object group is a group consisting of objects.
• A group object is an object in a nested group that is itself a group.
Nested Object Group Examples
In the figure, the access-list named ALL enables all hosts in HOSTGROUP1 and HOSTGROUP2 to make outbound FTP connections. Without nesting, all the IP addresses in HOSTGROUP1 and HOSTGROUP2 would have to be redefined in the ALLHOSTS group. With nesting, the duplicated host definitions are eliminated. The figure also illustrates multiple nested object groups configured so that one ACL entry enables the remote hosts 172.26.26.50 and 172.26.26.51 to initiate FTP and SMTP connections to all local hosts in the ALLHOSTS group. With object grouping configured, only one ACL entry is required. Related commands:
• show object-group
• no object-group
• clear object-group
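Added example, not from the course notes: a PIX 6.x configuration that builds the DMZ_Servers and DMZ_Services groups from the text, nests HOSTGROUP1 and HOSTGROUP2 into ALLHOSTS, and applies them in ACLs. The 192.168.0.x servers and the 172.26.26.50/.51 remote hosts are the ones the notes name; the HOSTGROUP addresses, the ACL names and the interface names are assumed.

```cisco
! Added example (not from the original notes). PIX 6.x syntax. The DMZ
! servers 192.168.0.10-12 and the remote hosts 172.26.26.50/.51 are from the
! notes; HOSTGROUP addresses, ACL names and interface names are assumed.

! --- Simple groups: three DMZ servers, three services ---
object-group network DMZ_Servers
  description Public servers in the DMZ
  network-object host 192.168.0.10
  network-object host 192.168.0.11
  network-object host 192.168.0.12
object-group service DMZ_Services tcp
  description Only what the DMZ servers expose
  port-object eq www
  port-object eq https
  port-object eq ftp

! One ACE expands to 3 hosts x 3 ports = 9 entries (see show access-list).
access-list ACLIN permit tcp any object-group DMZ_Servers object-group DMZ_Services

! --- Nested groups: ALLHOSTS contains HOSTGROUP1 and HOSTGROUP2 ---
object-group network HOSTGROUP1
  network-object host 10.0.1.10
  network-object host 10.0.1.11
object-group network HOSTGROUP2
  network-object 10.0.2.0 255.255.255.0
object-group network ALLHOSTS
  group-object HOSTGROUP1
  group-object HOSTGROUP2

! Outbound FTP from every local host, without re-listing the addresses.
access-list ALL permit tcp object-group ALLHOSTS any eq ftp

! Two remote hosts may open FTP and SMTP to all local hosts: a single ACE
! instead of every host/port combination written out by hand.
object-group network REMOTE_HOSTS
  network-object host 172.26.26.50
  network-object host 172.26.26.51
object-group service FTP_SMTP tcp
  port-object eq ftp
  port-object eq smtp
access-list ACLIN permit tcp object-group REMOTE_HOSTS object-group ALLHOSTS object-group FTP_SMTP

! Bind the ACLs; the implicit deny at the end of each list still applies.
access-group ACLIN in interface outside
access-group ALL in interface inside

! Verification: group contents, then the ACEs as the PIX actually evaluates them.
show object-group
show access-list ACLIN
```

show access-list prints every expanded ACE with its hit count, which is the quickest way to catch a group that quietly grew to include something it should not. Review the expansion whenever a nested group changes: a host added to HOSTGROUP2 inherits every rule that references ALLHOSTS.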
9.3.2 Configure a class map
The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: name a class of traffic, then define the attributes of the traffic. A name is assigned to each individual class of traffic. In the example in the figure, four traffic classes are named. The class-map se command identifies the remote-access VPN traffic from the system engineers; the class-map s2s command identifies the site-to-site VPN traffic. The syntax is:
class-map class_map_name
After a class of traffic is named, the characteristics of the traffic flow are identified. To be considered part of a named class, a traffic flow must match a defined set of attributes. There are various types of match criteria in a class map. One example is an access list that defines all traffic from the Internet to the DMZ. Another is a VPN tunnel-group, for example all members of the SE and EXEC tunnel-groups. Another is a TCP or UDP port number, which could be used to define all HTTP or FTP traffic. The class matching criteria are:
• match access-list – Match the traffic permitted by an access list.
• match any – Match all traffic. match any is used in the class-default class map.
• match dscp – Match the IETF-defined Differentiated Services Code Point (DSCP) value in the IP header. This allows the administrator to define classes based on the DSCP values carried in the TOS byte of the IP header.
• match flow – Match each IP flow within a tunnel-group. This match command must be used in conjunction with the match tunnel-group command.
• match port – Match traffic using a TCP or UDP destination port.
• match precedence – Match the IP precedence value carried in the TOS byte of the IP header.
• match rtp – Match a Real-Time Transport Protocol (RTP) destination port. This matches a UDP port number within the specified range; the allowed range is targeted at capturing applications likely to be using RTP.
• match tunnel-group – Match the traffic of a VPN tunnel group.
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with a destination port of 21 or 80 may be classified as an Internet traffic class.
9.3.3 Configure a policy map
The policy-map command is used to configure various policies. A policy consists of a class command and its associated actions. The PIX Security Appliance supports one policy per interface and one global policy. Each policy map may contain multiple classes and policy actions. In the example in the figure there are two policy maps, the outside policy map and the global policy map. The outside policy map contains four class maps: Internet, SE, EXEC, and S2S. IDS, inspect, police, and priority actions are associated with those classes. The global policy map contains the default inspection criteria for all traffic. The following steps define a policy map:
Step 1 Name the policy.
Step 2 Identify a class of traffic covered by this policy.
Step 3 Associate an action or actions with each traffic flow.
The first step is to define the policy maps. In the example in the figure there are two policy maps, outside and global. The next step is to identify which traffic flows, or classes, are specified in a policy map. Each traffic flow is identified by a class map name. In the example in the figure, the outside policy map is identified and the Internet class traffic flow is assigned to it. The syntax of the policy-map commands is:
policy-map policymap_name
 description text
 class classmap_name
The last step is to associate actions with specific traffic flows within a policy map. In the example in the figure, the policy map outside is defined and the Internet class of traffic is defined; the administrator must then associate actions with this flow. The policy action options are to forward traffic to IDS, perform specified protocol inspections, police the bandwidth used by the flow, direct the flow to the low-latency queue, or set connection parameters on the flow. To display all of the policy map configurations or the default policy map configuration, use the show running-config policy-map command. More information about the syntax of the policy-map command is available in the Command Reference.
9.3.4 Configure a service policy
To activate a policy map globally on all interfaces or on a single interface, use the service-policy command in global configuration mode. The interface can be a VLAN interface or a physical interface; in general, a service policy can be applied to any interface that has been named with the nameif command. Only one service policy can be applied per interface, plus one global policy; for traffic that matches both, the interface policy takes precedence. To disable, use the no form of this command.
To display all currently running service policy configurations, use the show running-config service-policy command; to display the configured service policies together with their counters, use the show service-policy command. Both are privileged EXEC commands. The syntax for these commands is available in the Command Reference.
Advanced protocol inspection: how to add an inspection and set a policy
Use the ftp-map command to define which FTP commands should be blocked. After the administrator enters the ftp-map command and a map name, the system enters FTP map configuration mode. The deny-request-cmd subcommand (request-command deny in the shipped 7.0 Command Reference) lists the FTP request commands to be blocked. In the example in the figure, the inbound_ftp ftp-map is defined and identifies six FTP request commands to filter. The class map inbound_ftp_traffic matches the traffic defined by access-list 101: FTP traffic between any host and host 192.168.1.11, the FTP server. In the inbound policy map, the FTP command restrictions defined in the ftp-map inbound_ftp are associated with the inbound_ftp_traffic class of traffic. Lastly, the inbound policy is enabled on the outside interface. The restrictions can only be enforced on a cleartext FTP control channel; an FTP-over-TLS session hides the commands from the inspector.
To enable enhanced HTTP inspection, use the inspect http http-map command. The enhanced rules that apply to HTTP traffic are defined by the http-map command.
9.4.5 Enhanced HTTP Inspection Configuration
Configuring enhanced HTTP inspection is a four-step process:
Step 1 Configure the http-map command to define the enhanced HTTP inspection parameters and the action taken when a parameter in the configured category is detected.
Step 2 Identify the flow of traffic using the class-map command. The administrator can use the default class map, inspection_default, or define a new traffic flow, for example any hosts trying to access the corporate web server from the Internet.
Step 3 Associate the HTTP map with a class of traffic with the policy-map command. The administrator can use the default policy map, asa_global_fw_policy, or define a new policy, such as an inbound traffic policy for any hosts trying to access the corporate web server from the Internet.
Step 4 Apply the policy to an interface, or globally, using the service-policy command. The administrator can use the default global service policy (asa_global_fw_policy) or define a new service policy, such as one for all inbound Internet-sourced traffic, and apply it to the outside interface.
In the example in the figure, the administrator created a new modular policy for HTTP traffic from the Internet to the corporate web server at 192.168.1.11 rather than modify the existing default global policy. To do this the administrator configured a new HTTP map, class map, policy map and service policy. In the HTTP map, inbound_http, they restricted the RFC request methods, defined message criteria, and restricted HTTP applications (port misuse). In the class map they identified the traffic flow with a matching ACL, access-list 102. In a new policy map they associated the actions in the new HTTP map with the traffic identified by the ACL. Lastly, the new service policy is enabled on the outside interface.
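Added example, not from the course notes: a PIX/ASA 7.0 Modular Policy Framework configuration that ties sections 9.3 and 9.4 together, with an FTP map and an HTTP map, two class maps keyed on ACLs 101 and 102, a policy map that attaches the maps to those classes, and the service policy on the outside interface. The server 192.168.1.11, the ACL numbers and the map, class and policy names follow the notes; the particular FTP commands denied, the HTTP limits and the connection limits are assumed values. The notes describe the FTP map subcommand as deny-request-cmd; the shipped 7.0 syntax, used here, is request-command deny.

```cisco
! Added example (not from the original notes). PIX/ASA 7.0 Modular Policy
! Framework. Server 192.168.1.11, ACLs 101/102 and the map, class and policy
! names follow the notes; the denied FTP commands, HTTP limits and connection
! limits are assumed values.

! Traffic selection: FTP and HTTP from anywhere to the one server.
access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
access-list 102 extended permit tcp any host 192.168.1.11 eq www

! FTP map: the server is read-only for the Internet, so refuse every command
! that writes, deletes or renames. (The notes call this subcommand
! deny-request-cmd; the shipped 7.0 syntax is request-command deny.)
ftp-map inbound_ftp
  request-command deny appe dele put rmd rnfr rnto

! HTTP map: drop and log anything that is not well-formed RFC 2616 HTTP,
! methods the web server never needs, oversized URIs, and IM tunnelled
! over port 80.
http-map inbound_http
  strict-http action drop log
  request-method rfc delete action drop log
  request-method rfc put action drop log
  request-method rfc connect action drop log
  max-uri-length 1024 action drop log
  port-misuse im action drop log

! Class maps: one per ACL.
class-map inbound_ftp_traffic
  match access-list 101
class-map inbound_http_traffic
  match access-list 102

! Policy map: attach the maps, plus connection limits so a SYN flood at the
! web server is capped by the firewall rather than the server.
policy-map inbound
  class inbound_ftp_traffic
    inspect ftp strict inbound_ftp
  class inbound_http_traffic
    inspect http inbound_http
    set connection conn-max 500 embryonic-conn-max 100

! Activate on the outside interface only; the global policy is untouched.
service-policy inbound interface outside

! Verification: per-class hit counters, then the policy as configured.
show service-policy interface outside
show running-config policy-map inbound
```

The fail-closed choice matters: strict-http with action drop rejects anything the inspector cannot parse, which is what you want in front of a single server you control but will break odd clients on a general egress policy. Start with action allow log, read the syslogs, then tighten.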
Passive interfaces when redistributing routes
Sending routing updates out E0 is a waste of resources, since no other routers on the 10.4.4.0 subnetwork can receive them. Sending the updates also creates a slight overhead and a potential security risk: a malicious user on that segment could use a packet sniffer to capture the routing updates and glean key network information (addresses, topology, the routing protocol in use). A passive interface essentially makes the router a silent host on that network. Identifying an interface as passive prevents routing updates for a routing protocol from being sent through that interface. The passive-interface command works with most IP interior gateway protocols, including RIP, EIGRP, OSPF, and IS-IS. With RIP a passive interface still listens for incoming updates; with EIGRP and OSPF it also suppresses hellos, so no adjacency can form on it. To configure a passive interface:
Step 1 Select the router and routing protocol that require the passive interface.
Step 2 Determine the interfaces through which you do not want routing update traffic (or hellos, for link-state protocols and EIGRP) to be sent.
Step 3 Configure the router using the passive-interface command. The figure shows the command parameters.
5.3.3 To solve this configuration scalability problem, the passive-interface default command sets all interfaces to passive. You then enable routing on the individual interfaces where adjacencies are required using the no passive-interface command.
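Added example, not from the course notes: the passive-interface default pattern on an EIGRP router. The router, the interface names and the AS number are assumed; the E0 stub segment on 10.4.4.0 is the one the notes describe.

```cisco
! Added example (not from the original notes). Router, interface names and
! the EIGRP AS number are assumed; the E0 stub segment on 10.4.4.0 is the
! one the notes describe.
router eigrp 100
 network 10.0.0.0
 ! Silence every interface first ...
 passive-interface default
 ! ... then re-enable only the links that must carry hellos and form
 ! adjacencies. Ethernet0 (10.4.4.0) stays passive: its subnet is still
 ! advertised to the neighbors on Serial0/1, but no hello or update leaves
 ! it, so a sniffer on that LAN learns nothing about the routing domain.
 no passive-interface Serial0
 no passive-interface Serial1
!
! OSPF takes the same two commands under "router ospf": hellos stop on the
! passive interface, so no adjacency can form there. With RIP a passive
! interface still listens for incoming updates even though it sends none.
!
! Verify: Ethernet0 should be listed under "Passive Interface(s)" and no
! neighbor should appear on it.
show ip protocols
show ip eigrp neighbors
```

Making passive the default and opting links back in is the safer direction: a new interface added later is silent until someone deliberately enables routing on it.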
Block propagation of routes with distribute lists (5.3.5)
Multicast
show ip igmp groups
When there are two IGMP routers on the same Ethernet segment (broadcast domain), the router with the lowest IP address is elected the IGMP querier (IGMPv2 and v3). In IGMPv3, membership reports are sent to 224.0.0.22 rather than to the group address as in IGMPv2. Use the show ip igmp interface command to determine which version of IGMP is currently active on an interface. Without snooping, a switch floods multicast frames to every port in the VLAN. The solution is to implement IGMP snooping on high-end switches with application-specific integrated circuits (ASICs) that can perform the IGMP checks in hardware. CGMP is a better option for low-end switches without that hardware. There are basically two types of multicast routing protocols, dense mode and sparse mode:
• Dense mode protocols flood multicast traffic to all parts of the network and prune the flows where there are no receivers, using a periodic flood-and-prune mechanism.
• Sparse mode protocols use an explicit join mechanism: distribution trees are built on demand by explicit join messages sent by routers that have directly connected receivers.
PIM configuration commands:
• The global command ip multicast-routing enables support for IP multicast on a router.
• The interface command ip pim sparse-mode enables PIM-SM operation on the selected interface. The ip pim sparse-dense-mode command enables the interface to operate in PIM-SM for sparse-mode groups (those with a known RP) and in dense mode for other groups.
• The global command ip pim send-rp-announce {interface type} scope {ttl} group-list {acl} is issued on the router that you want to be an RP. This router sends an auto-RP message to 224.0.1.39, announcing itself as a candidate RP for the groups in the range described by the access list.
• The global command ip pim send-rp-discovery {interface type} scope {ttl} configures the router as an RP mapping agent. It listens on 224.0.1.39 and sends an RP-to-group mapping message to 224.0.1.40. Other PIM routers listen on 224.0.1.40 to discover the RP automatically.
• The ip pim spt-threshold {rate | infinity} command controls the switchover from the shared distribution tree to the SPT in sparse mode. The keyword infinity means the switchover never occurs.
Note: The recommended method for configuring an interface for PIM-SM operation is the ip pim sparse-dense-mode interface command. It permits auto-RP, bootstrap router (BSR), or statically defined RPs to be used with the least configuration effort. The show ip mroute command is the most useful command for determining the state of multicast sources and groups from the perspective of the selected router. When PIM-SM is configured, the first step in verifying proper operation is to check the PIM-enabled interfaces and to determine whether the PIM neighbors are correct:
• show ip pim interface – Displays information about the interfaces configured for PIM.
• show ip pim neighbor – Displays the discovered PIM neighbors.
• mrinfo – Displays information on the multicast routers peering with the local router (no address given) or with the addressed router.
The RP for a multicast group operating in PIM-SM has to be reachable and known to the router. In addition to a unicast ping, you can use the following commands when troubleshooting RP reachability:
• show ip pim rp – Without arguments, displays RP information for the active groups. If a group address or name is provided, only the RP information for that group is shown (assuming it is an active group).
• show ip pim rp mapping – Displays the contents of the group-to-RP mapping cache, which records which RP is active for which group range. This cache is populated by the auto-RP or BSR mechanisms and by static RP assignments. Check it to verify that the router holds RP mapping information consistent with proper network operation.
• show ip rpf – Displays RPF information for the RP or for the source.
The show ip pim rp command just lists all active groups and their associated RPs. This form of the command is becoming obsolete because it offers limited information. In most cases you should use show ip pim rp mapping instead, because it shows the actual contents of the group-to-RP mapping cache: the group range, the RP address, how the mapping was learned (auto-RP, BSR or static) and when it expires. The show ip rpf command displays the RPF information associated with the specified source address.
Two ways to make a router interface a group member for testing:
• ip igmp join-group – The router accepts the multicast packets in addition to forwarding them. Accepting the packets prevents the router from fast switching them.
• ip igmp static-group – The router does not accept the packets but forwards them, so fast switching still works. The outgoing interface appears in the IGMP cache, but the router itself is not a member, as shown by the absence of the L (local) flag in the multicast route entry.
On the switch, use the show ip igmp snooping command to display the snooping configuration for all VLANs or for a specified VLAN, and show mac-address-table multicast to display the entries in the MAC address table for a VLAN that has IGMP snooping enabled.
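Added example, not from the course notes: a PIM-SM deployment with auto-RP, covering the commands listed above on two routers, the RP/mapping agent and a last-hop router with a static test group, followed by the verification sequence. Addresses, interface names, the group range and the ACL numbers are assumed. It also adds an RP announce filter, which the notes do not mention, because auto-RP carries no authentication.

```cisco
! Added example (not from the original notes). Addresses, interface names,
! the group range and the ACL numbers are assumed. Two routers are shown:
! the RP/mapping agent and a last-hop router with a test receiver.

! ===== RP and auto-RP mapping agent =====
ip multicast-routing
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip pim sparse-dense-mode
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-dense-mode
!
! Groups this router serves as RP.
access-list 10 permit 239.0.0.0 0.255.255.255
! Only this loopback may be accepted as a candidate RP.
access-list 11 permit 10.255.255.1
!
! Candidate RP: announce on 224.0.1.39, TTL scope 16.
ip pim send-rp-announce Loopback0 scope 16 group-list 10
! Mapping agent: choose the RP and publish it on 224.0.1.40.
ip pim send-rp-discovery Loopback0 scope 16
! Auto-RP has no authentication; without this filter any host that can
! send to 224.0.1.39 can announce itself as RP for the whole domain.
ip pim rp-announce-filter rp-list 11 group-list 10
! Stay on the shared tree; never switch to the source tree.
ip pim spt-threshold infinity

! ===== Last-hop router =====
ip multicast-routing
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet0/1
 ip address 10.3.3.1 255.255.255.0
 ip pim sparse-dense-mode
 ! Test receiver without a real host. static-group keeps the packets
 ! fast-switched; join-group would make this router process them itself.
 ip igmp static-group 239.1.1.1
!
! Verification, in the order the notes suggest: interfaces and neighbors,
! then the RP mapping cache, then RPF toward the RP, then the mroute entry.
show ip pim interface
show ip pim neighbor
show ip pim rp mapping
show ip rpf 10.255.255.1
show ip mroute 239.1.1.1
show ip igmp groups
```

If show ip pim rp mapping on the last-hop router does not list 10.255.255.1 for 239.0.0.0/8, check that the mapping agent's announcements survive the scope TTL across every hop and that no other router is announcing itself for the same range.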
7.2 Configuring 802.1x Port-Based Authentication
7.2.2 Enabling 802.1x authentication
To enable 802.1x port-based authentication, AAA must be enabled and an authentication method list must be specified. A method list describes the sequence and authentication methods to be queried to authenticate a user. The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle (the server answers with a reject), the authentication process stops and no other methods are attempted; fallback happens only when a method does not respond at all.
Beginning in privileged EXEC mode, the following steps configure 802.1x port-based authentication. The associated commands are shown in the figure.
Step 1 Enter global configuration mode.
Step 2 Enable AAA (aaa new-model).
Step 3 Create an authentication method list with the aaa authentication dot1x {default} method1 [method2...] command. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods to be used in default situations. The default method list is automatically applied to all interfaces. At least one of the following keywords must be entered:
• group radius – Use the list of all RADIUS servers for authentication.
• none – Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client. Placed after group radius, this makes the port fail open when every RADIUS server is unreachable; do not use it where 802.1x is meant to enforce access control.
Step 4 Enter interface configuration mode, and specify the interface connected to the client that is to be enabled for 802.1x authentication.
Step 5 Enable 802.1x authentication on the interface. The port authorization state is controlled with the dot1x port-control interface configuration command and the following keywords:
• force-authorized – Disables 802.1x and causes the port to transition to the authorized state without any authentication exchange. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default.
• force-unauthorized – Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
• auto – Enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received. The authentication process begins when the link state of the port transitions from down to up, or when an EAPOL-start frame is received. The switch requests the identity of the client and relays authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by its MAC address.
Step 6 Return to privileged EXEC mode.
Step 7 Verify the configuration.
To disable 802.1x AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1x authentication on a port, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command. The example in the figure shows how to enable AAA and 802.1x on Fast Ethernet port 0/12.
7.2.3 Configuring the switch-to-RADIUS-server communication
RADIUS security servers are identified by host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of IP address and UDP port number creates a unique identifier, which allows RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, such as authentication, the second host entry acts as the fail-over backup to the first. The RADIUS host entries are tried in the order they are configured. Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch:
Step 1 Enter global configuration mode.
Step 2 Configure the RADIUS server parameters with the radius-server host {hostname | ip-address} auth-port port-number key string command. For hostname | ip-address, specify the host name or IP address of the remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests; the default is 1812. For key string, specify the shared secret used to authenticate and encrypt traffic between the switch and the RADIUS server. The key is a text string that must match the key configured on the RADIUS server.
NOTE: Always configure the key as the last item in the radius-server host command because leading spaces are ignored, but spaces within and at the end of the key are used. If spaces are used in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. If multiple RADIUS servers are to be used, re-enter this command for each.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
The example in the figure shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authentication port, and to set the key to rad123, matching the key on the RADIUS server. The timeout, retransmission, and key values for all RADIUS servers can be configured globally with the radius-server timeout, radius-server retransmit, and radius-server key global configuration commands. To configure these options on a per-server basis, use the timeout, retransmit, and key keywords of the radius-server host command; per-server values override the global ones. Some settings on the RADIUS server need to be configured as well: the IP address of the switch (as a RADIUS client) and the key string shared by the server and the switch.
Periodic 802.1x client re-authentication, and how often it occurs, can be configured. If a time period is not specified, the number of seconds between re-authentication attempts is 3600. In this release, automatic 802.1x client re-authentication is a global setting and cannot be set for clients connected to individual ports. Beginning in privileged EXEC mode, the following steps enable periodic re-authentication of the client and set the interval between attempts:
Step 1 Enter global configuration mode.
Step 2 Enable periodic re-authentication of the client, which is disabled by default, with the dot1x re-authentication command.
Step 3 Set the number of seconds between re-authentication attempts with the dot1x timeout re-authperiod seconds command. The range is 1 to 4294967295 and the default is 3600 seconds. This command has an effect only if periodic re-authentication is enabled.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration.
To disable periodic re-authentication, use the no dot1x re-authentication global configuration command. To return to the default interval, use the no dot1x timeout re-authperiod global configuration command. The example in the figure shows how to enable periodic re-authentication and set the interval to 4000 seconds. The client connected to a specific port can be re-authenticated manually at any time with the dot1x re-authenticate interface interface-id privileged EXEC command.
7.2.6 Enabling multiple hosts
Multiple hosts can be attached to a single 802.1x-enabled port. In this mode, only one of the attached hosts has to be successfully authorized for all hosts to be granted network access: the switch authenticates the first client and then opens the port for every MAC address behind it, so an unmanaged hub or mini-switch on the port lets unauthenticated devices ride in on the one authenticated client. If the port becomes unauthorized, for example because re-authentication fails or an EAPOL-logoff message is received, all attached clients are denied access to the network.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts on an 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. The commands are shown in the figure.
Step 1 Enter global configuration mode.
Step 2 Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Step 3 Allow multiple hosts on the port with the dot1x multiple-hosts command. Make sure that dot1x port-control is set to auto on the interface.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration with the show dot1x interface interface-id command.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command. The example in the figure shows how to enable 802.1x on FastEthernet interface 0/1 and allow multiple hosts.
7.2.7 Resetting the 802.1x configuration to the default values
Beginning in privileged EXEC mode, follow these steps to reset the 802.1x configuration to the default values:
Step 1 Enter global configuration mode.
Step 2 Reset the configurable 802.1x parameters to the default values with the dot1x default command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration with the show dot1x command.
To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC command; for a specific interface, use show dot1x statistics interface interface-id. To display the 802.1x administrative and operational status for the switch, use the show dot1x privileged EXEC command; for a specific interface, use show dot1x interface interface-id.
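Added example, not from the course notes: the whole 7.2 procedure on one Catalyst switch, from AAA and the RADIUS server through the port configuration and periodic re-authentication to the verification commands. The RADIUS address, port, key, re-authentication interval and port Fa0/12 are the values the notes use; the access VLAN and the timeout/retransmit values are assumed. The dot1x system-auth-control command is not in the notes' step list but is required on later Catalyst IOS releases.

```cisco
! Added example (not from the original notes). RADIUS server, port, key,
! reauth interval and Fa0/12 come from the notes; VLAN and timer values are
! assumed.
aaa new-model
! Default 802.1x method list: RADIUS only. Deliberately no "none" after it,
! so an unreachable RADIUS server fails closed rather than open.
aaa authentication dot1x default group radius
! Required on later Catalyst IOS releases before any port will authenticate
! (not part of the step list in the notes).
dot1x system-auth-control
!
! The key goes last on the line: trailing spaces would become part of it.
radius-server host 172.20.39.46 auth-port 1612 key rad123
! Global timers; per-server values on the host line would override these.
radius-server timeout 5
radius-server retransmit 3
!
! Periodic re-authentication: global in the release the notes describe
! (later releases take the same settings under the interface).
dot1x re-authentication
dot1x timeout re-authperiod 4000
!
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 10
 ! Port comes up unauthorized and passes only EAPOL until RADIUS accepts
 ! the client; force-authorized (the default) would bypass 802.1x entirely.
 dot1x port-control auto
 ! Do not add "dot1x multiple-hosts" here: one authenticated client would
 ! open the port for every MAC address behind it.
!
! Verification: global state, this port's state, then the EAPOL counters.
show dot1x
show dot1x interface FastEthernet0/12
show dot1x statistics interface FastEthernet0/12
```

Before rolling this out, test it with the RADIUS server deliberately unreachable: with the method list above the port stays unauthorized, which is the behaviour you want to confirm, and the only way to regain access is to fix the server or set the port to force-authorized by hand.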
QoS
VoIP 2.5.6
Cisco IOS Configurations for VoIP
Cisco IOS routers can be used as VoIP gateways. For a basic VoIP configuration, two gateways are needed. Both need a connection to a traditional telephony device, such as an analog telephone, and the gateways themselves must have IP connectivity. In the figure, the first router has these settings:
• Name: R1
• IP address: 10.1.1.1/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 1111
The second router is configured with similar settings:
• Name: R2
• IP address: 10.2.2.2/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 2222
Based on this information, this configuration is applied to the first router:

hostname R1
interface FastEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
!
dial-peer voice 1 pots
 destination-pattern 1111
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 2222
 session target ipv4:10.2.2.2
!

The second router has these configuration commands:

hostname R2
interface FastEthernet 0/0
 ip address 10.2.2.2 255.255.255.0
!
dial-peer voice 1 pots
 destination-pattern 2222
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 1111
 session target ipv4:10.1.1.1
!

The voice-specific commands in the configurations are the two dial-peer blocks in each. A dial peer describes where to find a telephone number, and the collection of all dial peers makes up the call routing table of a voice gateway. Two types of dial peers are shown: POTS dial peers and VoIP dial peers. A POTS dial peer indicates that the telephone number specified in the dial peer is found at a physical port. A VoIP dial peer refers to the IP address of a VoIP device. Nothing in this configuration authenticates the remote gateway: by default the router accepts inbound VoIP calls from any IP address, which is the classic toll-fraud exposure, so keep the signalling traffic restricted with ACLs to the peer gateways. The figures list the commands used for dial peers; the table below gives details.

Voice-Specific Commands
dial-peer voice tag type
  Enters dial peer configuration mode. The tag is a number that must be unique across all dial peers on the same gateway. The type indicates the dial peer type (for example pots or voip).
destination-pattern telephone_number
  Entered in dial peer configuration mode, defines the telephone number that applies to the dial peer. A call placed to this number is routed according to the dial peer's type and port (POTS) or session target (VoIP).
port port-number
  Entered in POTS dial peer configuration mode, defines the voice port for the dial peer. Calls routed with this dial peer are sent to that port. Valid only on a POTS dial peer.
session target ipv4:ip-address
  Entered in VoIP dial peer configuration mode, defines the IP address of the target VoIP device. Calls routed with this dial peer are sent to that address. Valid only on a VoIP dial peer.
--more pictures and examples in the section
=======================================
HSRP (Hot Standby Router Protocol), Cisco proprietary
Switch#show running-config Building configuration... Current configuration:!