Translator: JOY
Email: hughr_going `@` hotmail `DOT` com
It is commonly said that when the topology of a network built on static routes changes, the administrator must adjust the routes by hand. It is also said that dynamic routing brings a large overhead in system resources. In a hub-and-spoke network, both the administrative cost of deploying static routes and the system resource overhead of dynamic routing have to be considered.
There is a solution: On-Demand Routing (ODR). ODR uses the Cisco Discovery Protocol (CDP) to carry network information between the stub routers and the hub router. Compared with a dynamic routing protocol, ODR provides IP reachability information while using fewer network resources and requiring less manual configuration.
ODR suits hub-and-spoke networks because each spoke router is adjacent only to the hub router. Another term for a spoke router is a stub router. A stub router is usually connected to a few LANs and reaches the hub router over some WAN technology. The hub router obviously needs to know about every stub router attached to it, but a stub router needs only a default route to the hub.
On a stub router that has been configured for it, ODR uses CDP to send IP prefix information to the hub router. This covers all the networks associated with that stub router. Since ODR carries the subnet mask, it clearly supports VLSM.
In response, the hub router sends the stub router a default route pointing to itself and installs the network information learned from the stub router in its own routing table. That information can also be redistributed into a dynamic routing protocol. The hub router uses the stub router's IP address as the next-hop address.
Because the information exchanged consists only of IP prefixes and a default route, ODR is not a routing protocol in the true sense: there are no metrics. Through ODR, however, the hub router can learn routing information dynamically without the overhead of a full dynamic routing protocol. Better still, the default route on the stub router does not have to be configured by hand.
In present-day and future routing environments, Enhanced Interior Gateway Routing Protocol (EIGRP) offers benefits and features over historical distance-vector routing protocols like Routing Information Protocol version 1 (RIPv1) and Interior Gateway Routing Protocol (IGRP). These benefits include rapid convergence, lower bandwidth utilization, and multiple routed protocol support (IP, Internet Packet Exchange (IPX), and AppleTalk).
EIGRP uses three databases in the path selection process: the EIGRP neighbor table, the EIGRP topology table, and the IP routing table. The neighbor table contains a list of directly connected EIGRP routers that have established an adjacency with a given router. The topology table includes route entries for all destinations that the router has learned. EIGRP chooses the best successor routes to a destination from the topology table and places these routes in the routing table.
EIGRP supports five packet types: hello, update, query, reply, and acknowledgement (ACK). Fields in the hello packet build adjacencies between EIGRP neighbors. The Cisco IOS software debug and show commands are used to troubleshoot EIGRP neighbor adjacency problems.
The EIGRP Diffusing Update Algorithm (DUAL) finite state machine embodies the decision process for all route computations. DUAL tracks all routes advertised by all EIGRP neighbors, then uses a formula to calculate the best route.
A basic EIGRP configuration contains a default network and uses the wildcard option for the network statement. The Cisco IOS show commands can be used to troubleshoot EIGRP configuration problems. Advanced configuration options for EIGRP include manual route summarization, unequal path-cost load balancing, and limiting EIGRP bandwidth utilization on WAN links.
EIGRP is scaled in large and growing internetworks by using two methods to perform query scoping, which limits the range of EIGRP queries. These two methods are effective route summarization and the EIGRP stub command.
Chinese Version:http://www.hughr.org/archives/2007/000210.html
EIGRP is a Cisco proprietary protocol that combines the advantages of link-state and distance-vector routing protocols. As a hybrid protocol, EIGRP includes the following features:
Original: http://www.hughr.org/archives/2007/000209.html
EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router using EIGRP stores all available backup routes for destinations so that it can quickly adapt to alternate routes. If no appropriate route or backup route exists in the local routing table, EIGRP queries its neighbors to discover an alternate route. EIGRP transmits these queries until it finds an alternate route.
EIGRP does not make periodic updates. Instead, it sends partial updates when the path or the metric changes for that route. When path information changes, DUAL sends an update about only that link rather than the entire table. DUAL sends the information only to the routers that require it, in contrast to link-state protocols, in which an update is transmitted to all link-state routers within an area.
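The successor and backup-route behaviour described above, as an added example that is not part of the original post: a Python model of how DUAL picks a successor and its feasible successors from the topology table, and of the composite metric with the default K values (K1 = K3 = 1). Router names, the reported and computed distances, and the T1 bandwidth/delay figures are constructed sample data.

```python
from dataclasses import dataclass

# Added example, not code from the original page: a small model of the DUAL
# successor / feasible-successor decision. Router names and distances below
# are constructed.


def eigrp_metric(min_bandwidth_kbps: int, total_delay_us: int) -> int:
    """Composite metric with the default K values (K1 = K3 = 1, others 0):
    metric = 256 * (10^7 / min_bandwidth_kbps + sum_of_delays / 10).
    Both terms are truncated to integers, as IOS does."""
    bandwidth_term = 10_000_000 // min_bandwidth_kbps
    delay_term = total_delay_us // 10          # delay is counted in tens of microseconds
    return 256 * (bandwidth_term + delay_term)


@dataclass(frozen=True)
class TopologyEntry:
    neighbor: str
    reported_distance: int   # RD: the metric the neighbor advertises for the prefix
    computed_distance: int   # CD: RD plus the cost of our link to that neighbor


def dual_select(entries):
    """Return (feasible_distance, successor, feasible_successors).
    Successor = lowest CD; FD = that CD; a feasible successor is any other
    neighbor whose RD is strictly below the FD (the feasibility condition)."""
    if not entries:
        return None, None, []
    successor = min(entries, key=lambda e: e.computed_distance)
    fd = successor.computed_distance
    feasible = [e.neighbor for e in entries
                if e is not successor and e.reported_distance < fd]
    return fd, successor.neighbor, feasible


def on_neighbor_loss(entries, lost_neighbor):
    """Model the DUAL decision when a neighbor goes away.
    Returns ("passive", new_successor) when a feasible successor is promoted
    locally, or ("active", None) when the router must query its neighbors."""
    fd, successor, _ = dual_select(entries)
    if lost_neighbor != successor:
        return "passive", successor          # losing a non-successor changes nothing
    remaining = [e for e in entries if e.neighbor != lost_neighbor]
    candidates = [e for e in remaining if e.reported_distance < fd]
    if candidates:
        promoted = min(candidates, key=lambda e: e.computed_distance)
        return "passive", promoted.neighbor
    return "active", None


# Constructed topology-table entries for one prefix as seen on router R1.
# R4 has a lower CD than R3 but fails the feasibility condition (RD 1600 >= FD 1500).
SAMPLE_ENTRIES = [
    TopologyEntry("R2", reported_distance=1000, computed_distance=1500),
    TopologyEntry("R3", reported_distance=1200, computed_distance=2000),
    TopologyEntry("R4", reported_distance=1600, computed_distance=1800),
]


if __name__ == "__main__":
    print("T1 metric:", eigrp_metric(1544, 20000))
    print("initial:", dual_select(SAMPLE_ENTRIES))
    print("R2 lost:", on_neighbor_loss(SAMPLE_ENTRIES, "R2"))
    print("R2 lost without R3:", on_neighbor_loss(
        [e for e in SAMPLE_ENTRIES if e.neighbor != "R3"], "R2"))
```

The point the constructed data makes is the one the text describes: R3 is kept as a backup because its reported distance is below the feasible distance, so losing R2 is handled locally, whereas R4, despite a better computed distance, cannot be trusted to be loop-free and the router goes active and queries its neighbors when R3 is absent.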
Based on administrative distance, routers believe static routes over any dynamically learned route. A directly connected interface is the only route source whose default administrative distance is lower than that of a static route. There may be times when this default behavior is not the desired behavior.
When you configure a static route as a backup to a dynamically learned route, the static route should not be used as long as the dynamic route is available. First, consider that the syntax for configuring a static route is ip route prefix mask address/interface [distance].
The optional administrative distance value in this command can be manipulated to make the static route appear less desirable. Administrative distance can also be manipulated to make one static route appear less desirable than another static route. A static route that appears in the routing table only when the primary route goes away is called a floating static route.
One of the intriguing aspects of Cisco routers is the way the router chooses the best route among those presented by routing protocols, manual configuration, and various other means. While route selection is not difficult, understanding it completely requires some knowledge about the way Cisco routers work. The router must consider the following four criteria:
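The floating static route behaviour described above, as an added example that is not code from the original post: a toy routing table that applies the two rules the text relies on, lowest administrative distance per prefix and longest prefix match per lookup, and shows the backup static route taking over only when the dynamic route is withdrawn. All prefixes, next hops and the AD 250 choice are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original page. Addresses below are constructed
# documentation ranges; the administrative distance table holds IOS defaults.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "10.0.0.0/8"
    source: str                      # key into DEFAULT_AD
    next_hop: str
    distance: Optional[int] = None   # the optional [distance] of "ip route ..."

    @property
    def ad(self) -> int:
        return DEFAULT_AD[self.source] if self.distance is None else self.distance


class Rib:
    def __init__(self):
        self._candidates = []        # every route offered by any source

    def offer(self, route: Route) -> None:
        self._candidates.append(route)

    def withdraw(self, source: str, prefix: str) -> None:
        """Simulate the dynamic protocol losing the route (link down, neighbor lost)."""
        self._candidates = [r for r in self._candidates
                            if not (r.source == source and r.prefix == prefix)]

    def installed(self) -> dict:
        """Per prefix, only the candidate with the lowest AD reaches the routing table."""
        best = {}
        for r in self._candidates:
            if r.prefix not in best or r.ad < best[r.prefix].ad:
                best[r.prefix] = r
        return best

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix match among installed routes; AD never competes across prefixes."""
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.installed().values()
                   if dst in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def build_sample_rib() -> Rib:
    rib = Rib()
    rib.offer(Route("10.0.0.0/8", "eigrp", "192.0.2.1"))                    # primary, AD 90
    rib.offer(Route("10.0.0.0/8", "static", "198.51.100.1", distance=250))  # floating static
    rib.offer(Route("10.1.0.0/16", "static", "203.0.113.1"))                # more specific, AD 1
    return rib


def next_hop_before_and_after_failure(destination: str) -> tuple:
    """Next hop for `destination` while EIGRP holds 10.0.0.0/8, then after it is withdrawn."""
    rib = build_sample_rib()
    before = rib.lookup(destination).next_hop
    rib.withdraw("eigrp", "10.0.0.0/8")
    after = rib.lookup(destination).next_hop
    return before, after
```

Note the order of the two rules: the floating static route for 10.0.0.0/8 loses to EIGRP on administrative distance and never appears in the table while the dynamic route exists, but the more specific 10.1.0.0/16 static route is used for 10.1.x.x traffic regardless, because longest match is decided among installed routes, not by AD.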
| Routing Protocol | Protocol No. | Port No. | Update Reliability |
| IGRP | 9 | | Best-effort delivery |
| EIGRP | 88 | | 1-to-1 window |
| OSPF | 89 | | 1-to-1 window |
| RIP | | UDP 520 | Best-effort delivery |
| BGP | | TCP 179 | Uses TCP windowing |
IGRP, EIGRP, and OSPF are transport-layer protocols that run directly over IP. IGRP uses connectionless delivery for its routing updates. Routers receiving IGRP updates do not need to acknowledge receipt of these updates. EIGRP and OSPF have more reliability built into their update processes. They both require the acknowledgment of one update before they send another. Thus, they have a 1-to-1 window: one update and one acknowledgment.
RIP and BGP both reside at the application layer. RIP uses User Datagram Protocol (UDP) as its transport protocol; its updates are sent unreliably with best-effort delivery.
BGP uses TCP as its transport protocol. It takes advantage of the reliability mechanisms and windowing of TCP, which is important when you consider the number of routes a BGP router sends in its updates. BGP routers often carry well over 100,000 routes in their routing tables. If OSPF or EIGRP had to send updates for 100,000 routes in their 1-to-1 window, it would take a long time. Even if information for 100 routes could fit in one update, it would still take 1000 updates to send the entire table. Each update would have to be acknowledged before sending another. On the other hand, BGP routers using TCP have a 65,535-byte window limit for their updates. The routers can send information about many more routes in each update than either OSPF or EIGRP.
This topic reviews the EIGRP neighbor and topology databases and their relationship to the IP routing table. This topic also defines key fields in the EIGRP topology table and explains their association with the IP routing table.
Each EIGRP router maintains a neighbor table. The table includes the following characteristics:
Each EIGRP router maintains a topology table for each routed protocol configuration. The topology table includes route
check out the password recovery guide here.
[Abstract] Many people pay no attention to the configuration register of Cisco routers and do not know what it is really for; setting its parameters is also beyond what is normally asked of network maintenance staff. However, the register's settings are closely tied to operations such as Cisco router upgrades and password recovery, and senior network administrators and maintainers must understand them. This article introduces the purpose of the configuration register and how its parameters are set, and describes in detail the password recovery procedure for routers with different processors.
[Keywords] Cisco router, configuration register, password recovery, boot sequence, operating mode
1. Introduction
The configuration register is a 16-bit virtual register used to specify the router's boot sequence, break-key behaviour, console baud rate and so on. Its value is usually written in hexadecimal.
The value of the configuration register can be changed with the configuration command config-register.
2. Boot sequence
The last 4 bits of the configuration register (the boot field) specify where the router must look for the boot file at startup:
- 0x0000: the router enters ROM monitor mode
- 0x0001: boot from ROM
- 0x0002 to 0x000F: follow the order given by the boot system commands in the NVRAM configuration file
If there is no boot system command in the configuration file, the router tries to boot from the first file in system Flash memory; if that fails, it tries to load a file with a default name from the network via TFTP (the name is determined by the value of the boot field, for example cisco2-4500); if that also fails, the system loads from boot Flash.
The default file name is made up of the word cisco, the value of the boot field, and the router type or processor name. For example, on a 4500 with the boot field set to 3, the default boot file name is cisco3-4500.
Taking the boot sequence of a router with an MC3819 CPU (most are Motorola processors) as an example, these are the four stages of booting:
1. System bootstrap
2. Boot loader (reads the configuration information and the minimal functions needed to start the Flash file system)
3. Start the system IOS image
4. Interface initialization / system restart
3. The configuration register
3.1. Meaning of each bit
Table 3-1: Meaning of each bit of the configuration register
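The boot field and default file name described above, as an added example that is not part of the original article: a Python decoder for the 16-bit configuration register. The boot-field meanings and the cisco&lt;n&gt;-&lt;platform&gt; file name follow the article; the named bits 6 (ignore NVRAM configuration, the bit password recovery relies on), 8 (break disabled) and 13 (boot default ROM software if network boot fails) are standard IOS meanings added here. The register values used are constructed samples.

```python
# Added example, not from the original article. Bit meanings for bits 6, 8 and
# 13 are standard IOS definitions; sample register values are constructed.

BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM_BIT = 0x0040    # bit 6: boot without loading startup-config (password recovery)
BREAK_DISABLED_BIT = 0x0100  # bit 8: ignore the console break key during boot
ROM_FALLBACK_BIT = 0x2000    # bit 13: boot default ROM software if network boot fails


def parse_register(text: str) -> int:
    """Accept the hexadecimal form IOS prints, e.g. '0x2102'."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is 16 bits wide")
    return value


def describe_boot_field(boot_field: int) -> str:
    if boot_field == 0x0:
        return "enter ROM monitor"
    if boot_field == 0x1:
        return "boot from ROM"
    return "follow the boot system commands in NVRAM"


def default_boot_filename(boot_field: int, platform: str) -> str:
    """Name tried for a TFTP netboot when no boot system command exists: cisco<n>-<platform>."""
    return f"cisco{boot_field}-{platform}"


def decode_config_register(value: int) -> dict:
    boot_field = value & BOOT_FIELD_MASK
    return {
        "boot_field": boot_field,
        "boot_behaviour": describe_boot_field(boot_field),
        "ignore_nvram_config": bool(value & IGNORE_NVRAM_BIT),
        "break_disabled": bool(value & BREAK_DISABLED_BIT),
        "rom_fallback_on_netboot_failure": bool(value & ROM_FALLBACK_BIT),
    }


def set_ignore_nvram(value: int, enabled: bool) -> int:
    """Return the register with bit 6 set (recovery) or cleared (normal operation)."""
    if enabled:
        return value | IGNORE_NVRAM_BIT
    return value & (~IGNORE_NVRAM_BIT & 0xFFFF)


if __name__ == "__main__":
    for sample in ("0x2102", "0x2142", "0x2101", "0x2100"):
        print(sample, decode_config_register(parse_register(sample)))
```

A useful operational check after any recovery is that the register has been returned to a value with bit 6 clear (for example 0x2102); a router left at 0x2142 boots with an empty configuration on its next reload.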
Note: This article is quoted directly from the World Wide Web. Use at your own risk.
1. Connecting to the Guard and initial configuration
The initial configuration of the Guard must be done over a serial connection, logging in as the admin user; the default password is rhadmin.
Console: 8, N, 1, Flow control: None (terminal emulator Properties > Settings)
Insert the following values and click OK:
Emulation: VT100
Telnet terminal ID: VT100
Backscroll buffer lines: 500
login prompt: admin/rhadmin
2. Configuring the network from the Guard command line
Connect the physical ports:
Interfaces: Eth0 (100 Mbit out-of-band) - commonly used, Eth1 (Gigabit out-of-band)
Giga0 and Giga1 (preferred in-band, copper / fiber)
Configure the addresses of the management port and of the in-band GE port.
user@GUARD # Config terminal
user@GUARD-conf#interface giga1 ( network port; subinterfaces can be configured)
user@GUARD-conf-if-giga1# ip address 61.55.134.243 255.255.255.248
user@GUARD-conf-if-giga1# no shutdown
user@GUARD-conf-if-giga1# exit
user@GUARD-conf#interface eth0 ( management port; make sure the cable is on the right port)
user@GUARD-conf-if-eth0# ip address 221.192.133.111 255.255.254.0
user@GUARD-conf-if-eth0# no shutdown
user@GUARD-conf-if-eth0# exit
Start the SSH and WBM services and specify the source addresses allowed to use SSH and web access.
WBM (HTTPS) management
user@GUARD-conf # service wbm
user@GUARD-conf # permit wbm 192.168.30.32 (* means any address)
SSH (started by default)
user@GUARD-conf# permit ssh *
SSH key management:
user@GUARD-conf# key add ssh-rsa 14513797528175730. . user@Guard.com (add an SSH key)
user@GUARD-conf# show keys Lilac
ssh-rsa 2352345234523456... user@Guard.com
user@GUARD-conf# key remove Lilac 2352345234523456...
Configure the default route, the proxy address and so on:
user@GUARD-conf# Default-gateway 221.192.133.254
user@GUARD-conf# Proxy 61.55.134.244 (up to 10, used for source address verification)
Set the date:
user@GUARD-conf# date 1008171003.17
Wed Oct 8 17:10:17 EDT 2003
Synchronize with NTP:
user@GUARD-conf# date 1008171003.17
user@GUARD-conf# timezone Africa/Timbuktu
user@GUARD-conf# service ntp
user@GUARD-conf# permit ntp 192.165.200.224
user@GUARD-conf# ntp server 192.165.200.224
Enter the router module and configure the in-band BGP routing and the related static routes.
user@GUARD# Config terminal
user@GUARD-conf # Router ( enter the router module)
Router # Enable
Router #Config t
Router-conf# Router bgp 65000
See the routing configuration section below.
Once this is done, the protected zones and policies can be configured over the network through the HTTPS GUI or SSH.
- Cisco Guard configuration notes
Communication between Guard and Detector:
permit ssh * (allow any address to log in to the device over SSH)
permit wbm * (allow any address to access the device through the web interface)
!
interface eth0
ip address 221.192.133.111 255.255.254.0 (configure the network management address)
no shu
!
interface giga1
ip address 61.55.134.243 255.255.255.248 (configure the address of the link between the Guard and the provincial-network GSR)
no shu
speed auto (configure the fiber port speed mode)
!
default-gateway 221.192.133.254 (configure the gateway address)
!
proxy 61.55.134.244 (configure the proxy address; it must be in the same subnet as the GSR link address)
!
Establishing the BGP neighbor between the Guard and the GSR
router bgp 65400 ( autonomous system number; 65xxx are private numbers )
bgp router-id 61.55.134.243 ( loopback )
redistribute guard ( inject routes from the Guard management shell )
neighbor 61.55.134.242 remote-as 64630 ( EBGP AS number of the carrier )
neighbor 61.55.134.242 soft in
neighbor 61.55.134.242 description GSR
neighbor 61.55.134.242 distribute-list nothing-in in ( access-list )
neighbor 61.55.134.242 route-map Guard-out out ( route-map )
!
access-list nothing-in deny any
!
route-map Guard-out permit 10
set community no-export no-advertise ( valid only inside the AS, not propagated further )
!
ip route 0.0.0.0/0 61.55.134.242 (VLAN address on the 6509 facing the GSR)
- Cisco Detector related configuration
Detector to Guard connection:
permit ssh * (allow any address to log in to the device over SSH)
permit wbm * (allow any address to access the device through the web interface)
!
remote-guard 221.192.133.111 (establish the channel to the Guard)
!
key generate (encrypt the channel to the Guard)
!
default-gateway 221.192.133.254 (configure the gateway address)
!
interface eth0
ip address 221.192.133.112 255.255.254.0 (configure the network management address)
no shu
!
interface giga1
speed auto (configure the fiber port speed mode)
!
interface giga0
speed auto (configure the fiber port speed mode)
Notes on the interaction between Detector and Guard
Part 1: Normal communication between Cisco Guard and Detector:
A: Guard configuration
1. admin@DETECTOR-conf# service internode-comm
- define the SSH communication service
2. admin@DETECTOR-conf# permit ssh *
admin@DETECTOR-conf# permit internode-comm *
- define SSH access
B: Detector configuration
1. admin@DETECTOR-conf# service internode-comm
- define the SSH communication service
admin@DETECTOR-conf# permit ssh *
admin@DETECTOR-conf# permit internode-comm *
- define SSH access
2. remote-guard ssh 218.61.23.2
-- specify the Guard's communication address
3. admin@DETECTOR-conf# key generate
-- generate the key automatically
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Keys were successfuly generated. Please use "key publish" to update remote-guards
-> admin@DETECTOR-conf# key add ssh-rsa riverhead riverhead@guard
- or add the key manually
4. admin@DETECTOR-conf# key publish *
-- publish the key
updated 1 remote-guards (out of 1) with new key
5. admin@DETECTOR-conf-zone-guoqing# dynamic-filter remote-activate forever
-- manually check whether communication activates the zone
6. Then open the Guard at 218.25.16.141 over HTTPS and check that the Guoqing zone is activated;
Part 2: Configuring zones on the Detector
1. Configure the Detector zone, making sure to use the Guard zone template.
The GUI is recommended for this configuration.
2. Configure the zone parameters.
The GUI is recommended for this configuration.
3. Configure the Guard zone
- guard-conf (from zone configuration mode)
- configure zone-name guard-conf (from global mode)
- zone zone-name guard-conf (from configuration mode)
4. Enable automatic learning and export the configuration to the Guard
user@DETECTOR-conf-zone-scannet# learning-params sync accept
Part 3: Manually synchronizing a zone to the Guard
- sync zone zone-name local {remote-guards | remote-guard-address-to} (in global mode)
- sync local {remote-guards | remote-guard-address-to} (in zone configuration mode)
For example:
user@DETECTOR# sync zone scannet local remote-guards
user@DETECTOR-conf-zone-scannet# sync local 192.168.100.5
All of the above configuration has been verified in practice.
Key points for emergency Guard protection during the holidays:
A: If a service is being blocked, use the Bypass function to let the blocked address through, then capture packets on site for analysis, or disable the Block-related rules in the Policy or raise the thresholds!
B: If an attack is not being stopped, manually add a Dynamic Filter -> filter/Strong, and make sure that policy is at the top (delete the other Dynamic Filters first).
C: If Guard access becomes slow after a zone is added, Reload from the CLI, wait 10 minutes before logging in again, delete the newly added zone configuration and add it again; when adding a zone it is best to add the single attacked address, to avoid address overlap between zones;
D: Guard restart commands:
Reload (required after an IP change)
Reboot (reset restart)
Poweroff (power off)
AGM module restart:
Sup# hw-module module 2 reset cf:1 restarts the MP (check with show mod)
Sup# hw-module module 8 reset cf:4 restarts the AP (show mod)
E: Guard troubleshooting commands
arp -e shows the mappings
arp -v shows the connections
traceroute 10.10.10.34
show running-config
The Proxy IP must be routable to the protected zone and reachable from addresses on the Internet, and it must not reuse an interface address; otherwise Strong mode cannot work!
I have summarized the steps of the 3G license upgrade as follows:
- Install the XG software for the 3G license
Hw-module module 2 reset cf:1 ---- switch to the MP
Show module all ---- confirm the status is ok
Copy ftp://192.168.1.1/c6svc-agmXG-k9.6-0-10.bin pclc#2-fs:
After the CLI prompts: you now can reset the module
Hw-module module 2 reset cf:4
- The 3G license is bound to the MAC address of the AGM on which the XG software is installed
On the AGM: show license-key unique-identifier ---- record the MAC address this command displays
- After receiving the license file, open it with a text editor and copy its contents (Ctrl+C)
- On the AGM: license-key add, paste the contents of the license file just copied, then press Enter
- Show license-key to verify that it is 3G
- After the upgrade, giga1, 2 and 3 can be used
Product Name IC-AGM-3G-K9=
Product Description IC-AGM-3G-K9= : Guard Module 3G License
Product Qty :1
Product Authorization Key :
Sales Order Number :
Mac Address :001C5861DFA1
Options Included: No additional features have been selected for this product.
LICENSE KEY INSTALLATION INSTRUCTIONS
Attached to this email you will find a file with the ".lic" extension. This is the file that will allow you to turn your Cisco Anomaly Guard/Detector Module to operational. Do not edit the contents of the .lic file in any way or you will render this file useless.
Before you proceed, make sure that the Cisco Anomaly Guard/Detector Module is turned on and is accessible so that you are able to log into its CLI and receive admin privileges.
Follow these steps to install your Cisco 3Gbps Guard/2Gbps Detector Module software license file:
Step 1. Open the attached license file (.lic) using a text editor and copy its contents into your desktop computer's clipboard.
Step 2. Log in to your Cisco Anomaly Guard/Detector Module and make sure you have admin privileges.
Step 3. Type: "configure terminal" and press the enter key in order to enter the configuration menu.
Step 4. Type: "license-key add" and press the enter key.
Step 5. Now paste your desktop computer clipboard's contents (containing the license key) and press the enter key twice.
The Cisco Anomaly Guard/Detector Module will now process the license key and inform you whether it's valid or not.
Caution: Do not edit the contents of the .lic file in any way or the Cisco Anomaly Guard/Detector Module will fail validating the license. The contents of the file are signed and must remain intact.
You should print this email, save the attachment to a floppy/disk on key, and store both for future use if needed.
If you encounter a problem with this license file, please contact our Licensing team at 800-553-2447 or open a service request using the TAC Service Request Tool.
try logging trap debugging
I save it to this page, in case I need them.
(updated @ 2008/02/14)
In Layer 3 switching, the gateway's MAC address is the switch's base MAC address.
Command: show mac-address-table
Topology like the following:
Router(PC)----------Switch(Layer3)----------Router(PC)
1. SVI (Switch Virtual Interface)
2. Routed Port
3. Router on a stick
arp encapsulation:
|Ethernet|ARP|......
An Ethernet subinterface must be encapsulated in either ISL or 802.1Q to carry an IP address.
When trunking to router subinterfaces, the VLANs used must not be VLAN 1 (the default management VLAN).
1) Use sdm prefer access to allocate resources for ACL entries
2) L2 ports can only have ACLs applied in the inbound direction
3) Traffic is divided into two kinds: IP and MAC
4) Three filtering applications:
L3 port ACL: this ACL access-controls traffic between VLANs and is applied to L3 interfaces.
L2 port ACL: this ACL access-controls traffic entering an L2 interface.
VLAN ACL: all traffic in the same VLAN (all packets and frames, whether routed or bridged)
5) For inbound ACLs, L3 ACLs (VLAN ACLs) conflict with MAC ACLs
6) IP datagrams encapsulated with dot1Q are *NOT* filtered by L3 ACLs, only by MAC ACLs.
7) Routed ports, SVIs and L3 PAgP ports support ACLs both inbound and outbound
8) Of IP fragments, only the first fragment carries L4 information (TCP/UDP port, ICMP type/code, etc.)
9) When the log keyword is used in an ACL, ICMP unreachables are generated and the load on the hardware processing path increases hugely
10) Logging is not supported in port ACLs (L2 port ACLs)
11) To prevent TCAM table exhaustion: change the SDM template, use outbound ACLs, and rely more on the implicit permit/deny
12) The 3550 does not support the following features:
a) non-IP protocol ACLs
b) bridge-group ACLs
c) IP accounting
d) inbound/outbound rate-limit
e) IP header less than 5 bytes (ICMP parameter error)
f) reflexive ACLs
g) lock-and-key ACLs
h) L2 ports do not support logging, and ACLs can't be applied to the interface outbound.
*The switch supports two types of ACLs:*
1) IP ACLs filter IP traffic, including TCP, User Datagram Protocol(UDP), Internet Group Management Protocol(IGMP), and Internet Control Message Protocol(ICMP).
2) Ethernet or MAC ACLs filter non-IP traffic.
The switch supports three applications of ACLs to filter traffic:
1) Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces. You can apply one router ACL in each direction on an interface.
2) Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You can apply only one IP access and one MAC access list to a Layer 2 interface.
3) VLAN ACLs or VLAN maps access-control all packets(bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access-control based on Layer 3 addresses for IP. Unsupported protocols are access-controlled through MAC addresses by using Ethernet ACLs. After a VLAN map is applied to a VLAN, all packets(routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch port or through a routed port after being routed.
You can use both router ACLs and VLAN maps on the same switch. However, you cannot use port ACLs on a switch that contains input router ACLs or VLAN maps.
1) When a switch has a Layer 2 interface with an applied IP access list or MAC access list, you can create IP access lists and VLAN maps, but you cannot apply an IP access list to an input Layer 3 interface on that switch, and you cannot apply a VLAN map to any of the switch VLANs. An error message is generated if you attempt to do so. You can still apply an IP access list to an outbound Layer 3 interface on a switch with port ACLs.
2) When a switch has an input Layer 3 ACL or a VLAN map applied to it, you cannot apply an IP access list or MAC access list to a Layer 2 interface on that switch. An error message is generated if you attempt to do so. You can apply a port ACL if the switch has an ACL applied to an output Layer 3 interface.
3) On dot1Q ports, IP ACLs, VLAN maps and port ACLs are not supported; only MAC ACLs can be applied, because the dot1Q header cannot be recognized.
You can also apply acls to layer 2 interfaces on a switch, port acls are supported on physical interfaces only and not on EtherChannel interfaces. Port ACLs are applied on interfaces for inbound traffic only. These access lists are supported on layer 2 interfaces:
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
Note: an output ACL cannot log multicast packets. Logging is not supported for ACLs applied to Layer 2 interfaces.
ACL apply rules.
After you create an IP acl, you can apply it to one or more interfaces or terminal lines. ACLs can be applied on either outbound or inbound layer 3 interfaces, but only to inbound layer 2 interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:
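The first-match evaluation with implicit deny described in this ACL section, together with the port ACL / router ACL / VLAN map coexistence rules stated a few paragraphs up, as an added example that is not code from the original notes: a Python evaluator for IOS-style extended ACEs with wildcard masks, plus a check that refuses the application combinations the text says the switch rejects. The ACEs, addresses and "already applied" sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original notes. All ACEs, addresses and
# "applied" sets below are constructed.


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches everything; "tcp", "udp", "icmp" match only themselves
    source: str      # "any", "host a.b.c.d", or "a.b.c.d w.x.y.z" (wildcard mask)
    destination: str


def _ip(value: str) -> int:
    return int(ipaddress.IPv4Address(value))


def matches_spec(address: str, spec: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return _ip(address) == _ip(spec[5:])
    base, wildcard = spec.split()
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(address) & care) == (_ip(base) & care)


def evaluate_acl(acl, protocol: str, source: str, destination: str) -> str:
    """Return the action of the first matching ACE; no match means the implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if matches_spec(source, ace.source) and matches_spec(destination, ace.destination):
            return ace.action
    return "deny"


# Coexistence rules from the notes: port ACLs are inbound only; a switch with a
# port ACL refuses input router ACLs and VLAN maps, and vice versa; output
# router ACLs coexist with port ACLs.
PORT_IN, ROUTER_IN, ROUTER_OUT, VLAN_MAP = "port_in", "router_in", "router_out", "vlan_map"


def can_apply(applied: set, new: str) -> tuple:
    """applied: kinds already configured on the switch; new: the kind being added."""
    if new == "port_out":
        return False, "port ACLs are not supported in the outbound direction"
    if new == PORT_IN and (ROUTER_IN in applied or VLAN_MAP in applied):
        return False, "switch already has an input router ACL or VLAN map"
    if new in (ROUTER_IN, VLAN_MAP) and PORT_IN in applied:
        return False, "switch already has a port ACL on a Layer 2 interface"
    return True, "ok"


# Constructed ACL: block TCP to one server, then permit a single LAN; everything
# else falls through to the implicit deny.
SAMPLE_ACL = [
    Ace("deny", "tcp", "any", "host 10.1.1.10"),
    Ace("permit", "ip", "192.168.111.0 0.0.0.255", "any"),
]
```

Two details worth keeping in mind when reading real ACLs against this model: ordering matters (the deny for TCP to 10.1.1.10 only works because it precedes the broad permit), and a protocol-specific ACE never matches other protocols, so UDP to the same server still reaches the permit line.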
Topology:

Redundancy includes:
1) Modules
2) Links
3) Devices
Between two core switches:
1) Trunk
2) VTP
3) STP
4) HSRP/VRRP/IRDP/GLBP
Supervisor redundancy can only act in a backup role; you can't run load balancing on it.
RPR (Route Processor Redundancy)
1) switchover 2~4 mins
2) MSFC(Multilayer Switching Feature Card) & PFC (Policy feature card) booted but not functional
RPR plus(RPR+)
1) switchover 30~60 secs
2) MSFC & PFC booted and operational.
SRM with SSO(Stateful SwitchOver)
NSF with SSO
configurations:
1) switch(config)# redundancy
2) switch(config-red)# mode rpr-plus
3) switch# show redundancy status
Serial interfaces don't support ARP.
When a PC is not configured with an IP address for its gateway, you can use proxy ARP to reach the remote network.
ARP packets are broadcast.
Proxy ARP is enabled on all Ethernet interfaces of Cisco routers by default.
1) check the routing table
2) reply to the ARP request
when using proxy ARP.
If the connected link goes down, recovery takes the ARP cache update timeout,
4 hours by default on Cisco routers.
If the upstream link goes down, recovery takes the routing protocol convergence time.
Switch security includes:
MAC flooding attack
1) the attacker floods the CAM table with frames carrying numerous invalid source MACs, so valid hosts cannot create CAM entries.
2) normal traffic is therefore flooded
A) Port security
1) unauthorized MAC address
2) MAC address limit (1 by default)
3) Define the violation action
a) shutdown (put the port in err-disabled mode and send an SNMP trap)
b) restrict (drop the frame, send an SNMP trap)
c) protect (drop the frame, don't send an SNMP trap)
To recover the port from the err-disabled state, there are two ways of doing that:
1) execute the shutdown and then no shutdown commands.
2) errdisable recovery cause psecure-violation (300 seconds by default)
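The CAM table behaviour and the three port-security violation actions described above, as an added example that is not code from the original notes: a toy switch CAM table and a port-security model showing why unknown unicast gets flooded once the table is full, and how shutdown, restrict and protect differ in what they drop, what they report, and whether the legitimate host keeps working. MAC addresses, port names, the table capacity and the flood size are constructed.

```python
from dataclasses import dataclass, field

# Added example, not from the original notes. MAC addresses, port names and
# sizes below are constructed.


class CamTable:
    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = {}            # mac -> port

    def learn(self, mac: str, port: str) -> bool:
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = port
            return True
        return False                 # table full: the source cannot be learned

    def forward(self, dst_mac: str) -> str:
        """Known destination goes out one port; unknown unicast is flooded."""
        return self.entries.get(dst_mac, "flood")


@dataclass
class SecuredPort:
    name: str
    cam: CamTable
    max_macs: int = 1                       # IOS default maximum of 1
    violation: str = "shutdown"             # "shutdown" | "restrict" | "protect"
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    traps: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        if self.err_disabled:
            return "dropped: err-disabled"
        if src_mac in self.secure_macs:
            self.cam.learn(src_mac, self.name)
            return "forwarded"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)   # learned as a secure address
            self.cam.learn(src_mac, self.name)
            return "forwarded"
        # An address beyond the limit is a violation; the CAM table is never touched.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.traps.append(f"psecure-violation {self.name} {src_mac}")
            return "port err-disabled"
        if self.violation == "restrict":
            self.traps.append(f"psecure-violation {self.name} {src_mac}")
        return "dropped: violation"           # protect drops silently

    def recover(self) -> None:
        """'shutdown' / 'no shutdown', or errdisable recovery after its timer (300 s default)."""
        self.err_disabled = False


def _bogus_mac(i: int) -> str:
    return f"de:ad:be:ef:{i >> 8:02x}:{i & 0xFF:02x}"


def simulate_without_port_security(frames: int, cam_capacity: int = 8) -> str:
    """Bogus sources fill the table first; report where a frame to the real host then goes."""
    cam = CamTable(cam_capacity)
    for i in range(frames):
        cam.learn(_bogus_mac(i), "Fa0/1")
    legit = "00:11:22:33:44:55"
    cam.learn(legit, "Fa0/2")                # fails once the table is full
    return cam.forward(legit)


def simulate_flood(violation: str, frames: int, cam_capacity: int = 8) -> dict:
    """One legitimate frame, then `frames` frames with distinct bogus sources on a secured port."""
    cam = CamTable(cam_capacity)
    port = SecuredPort("Fa0/1", cam, violation=violation)
    legit = "00:11:22:33:44:55"
    port.receive(legit)
    results = [port.receive(_bogus_mac(i)) for i in range(frames)]
    return {
        "cam_entries": len(cam.entries),
        "violations": port.violations,
        "traps": len(port.traps),
        "err_disabled": port.err_disabled,
        "dropped": sum(r != "forwarded" for r in results),
        "legit_still_forwarded": port.receive(legit) == "forwarded",
    }
```

The trade-off the results expose is the one the notes list: shutdown stops the flood after a single frame but also cuts off the legitimate host until the port is recovered, restrict keeps the host working and raises a trap per violation (useful for detection, noisy under a sustained flood), and protect keeps the host working but leaves nothing for monitoring to see.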
/*
sample configuration of site-to-site vpn
HELL(config)# crypto isakmp policy 10
HELL(config-isakmp)# encryption des
HELL(config-isakmp)# hash md5
HELL(config-isakmp)# authentication pre-share
HELL(config-isakmp)# group 2
HELL(config-isakmp)#
HELL(config)# crypto isakmp key KEY address 200.1.1.2
HELL(config)# crypto ipsec transform-set SET esp-des esp-md5-hmac
HELL(cfg-crypto-trans)# mode tunnel
HELL(cfg-crypto-trans)#
HELL(config)# crypto map VPN 10 ipsec-isakmp
HELL(config-crypto-map)# set peer 200.1.1.2
HELL(config-crypto-map)# match address 100
HELL(config-crypto-map)# set transform-set SET
HELL(config-crypto-map)# int s0
HELL(config-if)# crypto map VPN
HELL(config-if)#
*/
Topology diagram below, for reference only; in practice GRE over IPsec should be used.

The configuration files for Guangzhou and Huizhou are as follows:
*********************************************
Guangzhou:
*********************************************
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 key address 200.1.1.2
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 200.1.1.2
set transform-set set
match address 100
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 200.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0
network 200.1.1.0 0.0.0.255 area 0
!
access-list 100 permit ip any any
*********************************************
*********************************************
Huizhou:
*********************************************
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 key address 200.1.1.1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set set
match address 100
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
ip address 200.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
network 200.1.1.0 0.0.0.255 area 0
!
access-list 100 permit ip any any
!
*********************************************
Router> en
Router# conf t
Router(config)# int dialer 1
Router(config-if)# ip address negotiated
Router(config-if)# encap ppp
Router(config-if)# ip mtu 1492
Router(config-if)# ip nat outside
Router(config-if)# ppp authentication pap callin
Router(config-if)# ppp pap sent-username $USERNAME password $PASSWORD
Router(config-if)# dialer pool 1
Router(config-if)# int fa0/4
Router(config-if)# pppoe enable
Router(config-if)# pppoe-client dial-pool-number 1
Router(config-if)# int fa0/1
Router(config-if)# ip nat inside
Router(config-if)# ip access-list ext NAT
Router(config-ext-nacl)# permit ip 192.168.111.0 0.0.0.255 any
Router(config)# ip nat inside source list NAT interface dialer 1 overload
Router# show pppoe session
vlans prevent excessive broadcasts from using bandwidth needlessly, while serving as a form of security.
static vlans use the 'switchport mode access' and 'switchport access vlan x' commands. dynamic vlans use vmps(vlan manage policy server).
inter-vlan communication requires a router('router on a stick') or a multilayer switch.
vmps uses the mac address of a host to dynamically assign vlan port memberships. this mac-vlan mapping is kept on a tftp server.
dynamic ports are automatically portfast-enabled.
port security and trunking capabilities must be disabled before a port can be configured as dynamic.
trunk ports are members of all vlans, while access ports are members of one and only one vlan.
the native vlan is vlan 1 by default and can be changed with the switchport trunk native vlan command.
frames are tagged with vlan ids as they are sent across the trunk.
isl vs. dot1q
- isl is cisco-proprietary, dot1q is the open standard
- isl encapsulates all frames, dot1q adds only a 4-byte header
- isl does not use the native vlan concept, dot1q does.
- isl has an issue with giant frames, since the 34 bytes of encap must put it over the limit of 1518 bytes. some cisco switches have hardware that allow them to handle giant frames.
- dot1q can have giant frames, but ieee802.3ac allows dot1q to handle frames up to 1522 bytes.
- dot1q adds no vlan id to frames destined for the native vlan
when trunking, watch the port speed and duplex settings.
both switches must be in the same vtp domain and must be using l2 ports to form the trunk('switchport' on a multilayer switch)
dynamic trunk protocol(dtp) is the trunk negotiation protocol. if trunking is unconditionally on, dtp can be disabled with the 'switchport nonegotiate' command. otherwise, dtp frames are sent every 30 seconds.
trunking modes: dynamic desirable, dynamic auto, on.('off' is accomplished by configuring the port as an access port)
only combination of those three modes that will not form a trunk: when both end ports are in dynamic auto mode.
remove and add the capabilities of the trunk to carry certain or all vlans with the switchport trunk allowed vlan command.
end-to-end vlans use the 80/20 rule, where 80% of the traffic stays on the local segment and 20% of the traffic will travel across the core switches.
end-to-end vlans must be accessible on every access-layer switch. user's physical location does not matter.
local vlans are designed with the 20/80 rule in mind, where 20% of the traffic stays local and 80% of the traffic will go across the core switches. users will be grouped by location.
why an organization would use ipt
trackable cost saving:
- moves, adds, and changes(MACS)
- bandwidth and equipment efficiency
- lower cost of voice transmission
- new applications and devices
phase one ip telephony migration
- keep the pbx system and digital phones
- calls routed over wan rather than pstn
- major benefit: free ld
- major requirement: quality of service
phase two ip telephony migration
- voice and data network have become one
- pbx and digital phones for sale on ebay
- true integration between voice and data
- typically new structures start here
call control models:
- distributed
- centralized
the pieces of ip telephony
- ip phone
- call agent
- voice gateway
- h.323 mcu
- h.323 gatekeeper
- various other app server
foreign exchange connections:
- foreign exchange station(fxs)
- one port one call
- for analog devices
- generate dial tones
- foreign exchange office(fxo)
- receive dial tones
pbx connections: e+m
- ear and mouth
- receive and transmit
- earth and magneto
- trunk pbx and router
/*
by: Li Feng Shen
date: 10:04 2008-3-28
*/
Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.19
Router(config)# ip dhcp pool Marketing_Subnet
Router(dhcp-config)# network 10.1.1.0 /24
Router(dhcp-config)# domain-name hughr.org
Router(dhcp-config)# dns-server 10.1.1.10 10.1.1.11
Router(dhcp-config)# default-router 10.1.1.2
Router(dhcp-config)# import all //optional
Router(config)# ip dhcp database tftp://10.1.1.50/dhcp-bindings.txt write-delay 180
Router# show ip dhcp binding
Router#
With ip helper-address x.x.x.x command, UDP ports are opened:
37 - TIME
49 - TACACS
53 - DNS
67 - DHCP-SERVER
68 - DHCP CLIENT
69 - TFTP
137 - NETBIOS NAME SERVICE
138 - NETBIOS DATAGRAM SERVICE
To customize this, go to global configuration mode and type commands such as the following:
Router(config)# no ip forward-protocol udp 37
Router(config)# no ip forward-protocol udp 137