<div><div style="text-align: center;"><b>Cisco administration 101: Routing redistribution</b></div><div style="text-align: center;"><br /></div></div><div style="text-align: center;">by David Davis, CCIE, MCSE+I, SCSA<br />(Dec 08, 2005 8:00:00 AM)<br /><br /></div><div style="text-align: center;"><br /></div><div>Takeaway: Routing redistribution involves taking the routes from one source of routing information and sending those routes to another routing protocol. If you're not familiar with the finer points of redistribution, let David Davis bring you up to speed with this overview.</div><div> </div><div>It's important that <a style="font-weight: bold;" 
href="http://networking-irfansyah.blogspot.com/2009/06/index-article-about-cisco-administrator.html">network administrators</a> know what routing redistribution is and understand which situations call for it. Routing redistribution takes the routes learned from one source of routing information and injects them into another routing protocol.</div><div><br /></div><div>Network administrators typically use redistribution between routing protocols, for example redistributing routes from the Routing Information Protocol (RIP) into the Open Shortest Path First (OSPF) protocol. However, a network administrator may also redistribute static routes, or the networks directly connected to the router, into a dynamic protocol.</div><div><br /></div><div><span class="Apple-style-span" style="color: rgb(255, 102, 0);">How do I use redistribution?<br /></span><br /></div><div>You redistribute routes with the <span class="Apple-style-span" style="color: rgb(51, 204, 0);">redistribute</span> command. Keep in mind that you enter this command in router configuration mode for the protocol that will <span style="font-style: italic;">receive</span> the routes, and that the receiving protocol has its own requirements: OSPF, for example, redistributes only classful networks unless you add the <span class="Apple-style-span" style="color: rgb(51, 204, 0);">subnets</span> keyword. Here's an example that sends the RIP routes into OSPF process 100:</div><div><br /></div><div><span class="Apple-style-span" style="color: rgb(51, 204, 0);">Router(config)# router ospf 100</span></div><div><span class="Apple-style-span" style="color: rgb(51, 204, 0);">Router(config-router)# redistribute rip subnets<br /></span><br /></div><div><span class="Apple-style-span" style="color: rgb(255, 102, 0);">When should I use routing redistribution?<br /><br /></span></div><div>You don't want to use redistribution unless you have a special situation that requires it, because redistribution complicates both configuration and troubleshooting. Each routing protocol prevents loops only within its own domain; once routes cross between protocols, nothing stops a route from being handed back into the domain it came from, and a badly planned redistribution can create a routing loop and bring your network down.</div><div><br /></div><div>In other words, you don't want to use redistribution unless you have to. 
Ideally, it's a best practice to choose a single routing protocol for your network (for example, OSPF) and use only that protocol. That said, there are valid reasons to use redistribution. Let's look at some examples to better understand when redistribution is called for.</div><div><br /></div><div><span class="Apple-style-span" style="color: rgb(255, 102, 0);">Situation 1: You have two different routing protocols on a network<br /><br /></span></div><div>Let's say your company has purchased another company, and the two use different routing protocols. Your company has one set of routers running OSPF, and the new company's routers run RIP.</div><div><br /></div><div>You don't want to run both OSPF and RIP on all of the routers without exchanging routes between them, an arrangement often referred to as <span class="Apple-style-span" style="color: rgb(255, 0, 0);">ships-in-the-night routing</span>. To move the OSPF routes into RIP, you redistribute OSPF into RIP. Conversely, to move the RIP routes into OSPF, you redistribute RIP into OSPF.</div><div><br /></div><div>Redistributing in both directions is what we call <span class="Apple-style-span" style="color: rgb(255, 0, 0);">mutual redistribution</span>. You must be very careful when doing this, because you can easily create routing loops: a prefix that entered OSPF from RIP can be redistributed straight back into RIP, where it competes with the original advertisement, and routers can end up with a path that points back toward the router that advertised the prefix in the first place.</div><div><br /></div><div>To prevent a routing loop, you need to control exactly which routes go into which protocol. One method to do this is a <span class="Apple-style-span" style="color: rgb(255, 0, 0);">route map</span> attached to the redistribute command. The usual technique is to tag routes as they are redistributed in one direction and deny routes carrying that tag when redistributing in the other direction, so a route can never be fed back into the protocol it came from.</div><div><br /></div><div>In addition, you also must be conscious of how the different routing protocols work. For example, RIP version 1 is classful and carries no subnet masks, so OSPF subnets that don't fall on a classful boundary can't be represented in it; use RIP version 2. Seed metrics matter too: an OSPF cost and a RIP hop count are not comparable, so set an explicit metric on each redistribute command (or a default-metric), and keep the metric given to routes entering RIP below 16, which RIP treats as unreachable.</div><div><br /></div><div>How should you configure this? On the network where you've performed the mutual redistribution, you should have a single router that's running both RIP and OSPF. 
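<br /><br />Here is what that router's configuration could look like. It is added here as a worked example rather than code from the original column; the OSPF process number, the addresses, the seed metrics and the tag values (110 for routes that came from RIP, 120 for routes that came from OSPF) are assumptions chosen for illustration:

```cisco
! R1 runs both protocols and is the only redistribution point.
! Tags: 110 = "this route came from RIP", 120 = "this route came from OSPF".
router ospf 100
 network 10.1.0.0 0.0.255.255 area 0
 ! "subnets" is required, otherwise only classful networks are redistributed
 redistribute rip subnets metric 50 metric-type 1 route-map RIP-TO-OSPF
!
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 ! seed metric must stay below 16, which RIP treats as unreachable
 redistribute ospf 100 metric 5 route-map OSPF-TO-RIP
!
! Into OSPF: refuse anything that originally came from OSPF, tag the rest
route-map RIP-TO-OSPF deny 10
 match tag 120
route-map RIP-TO-OSPF permit 20
 set tag 110
!
! Into RIP: refuse anything that originally came from RIP, tag the rest
route-map OSPF-TO-RIP deny 10
 match tag 110
route-map OSPF-TO-RIP permit 20
 set tag 120
```

With this in place, a RIP prefix that enters OSPF carries tag 110, so OSPF-TO-RIP drops it and it never returns to the RIP domain, and the same holds in the other direction for tag 120. Check the result with show ip route on a router in each domain: redistributed prefixes appear as O E1 routes on the OSPF side and as R routes on the RIP side, and show ip route followed by a prefix displays the tag. Note also that the redistributing router itself may learn a prefix through both protocols; administrative distance (OSPF 110, RIP 120) decides which one is installed, and only the installed route is redistributed.<br /><br />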
That router would be the single redistribution point between the two routing domains. Keeping it to one router means there is only one place where routes can cross, so the filtering is easy to reason about. If you later add a second redistribution router for redundancy, it must apply the same tags and filters, or the two routers will feed each other's redistributed routes back and forth.</div><div><br /></div><div><span class="Apple-style-span" style="color: rgb(255, 102, 0);">Situation 2: You have devices that don't support the routing protocol of your network<br /><br /></span></div><div>Some firewalls and other lower-end network devices only support a single routing protocol, such as RIP. If your organization uses OSPF but has a firewall that only supports RIP, the internal routers still need a way to learn the networks behind the firewall, and the firewall needs a path to the internal networks.</div><div><br /></div><div>To do this, configure the router closest to the firewall to run RIP on the interface facing the firewall, and redistribute the RIP routes into OSPF. You most likely don't need to redistribute the OSPF routes into RIP, because you can simply give the firewall a default route pointing at that router. Do filter what you accept from the firewall, with a distribute-list or a route map on the redistribute command, so that a misconfigured or compromised device on the RIP side can't inject arbitrary prefixes into your OSPF domain.</div><div><br /></div><div><span class="Apple-style-span" style="color: rgb(255, 102, 0);">Situation 3: You have static routes that you need to move into your dynamic routing protocol<br /><br /></span></div><div>There will always be special cases where you have some static routes but would like to put them into a dynamic routing protocol, such as OSPF. To do this, use the redistribute static command under the routing process. This command takes the static routes from the routing table and advertises them through the routing protocol to all routers on the network. If you only want some of the static routes advertised, attach a route map here too.</div><div><br /></div><div><span class="Apple-style-span" style="color: rgb(255, 102, 0);">Miss a column?</span></div><div>Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.</div><div><br /></div><div>Want to learn more about router and switch management? 
Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!</div><div><br /></div><div>David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.</div><div><br /></div><div>source : www.techrepublic.com<br /><br /></div><div style="text-align: center;"><span style="font-weight: bold;">Ensure Cisco router redundancy with HSRP</span><br /></div><br /><div style="text-align: center;">by David Davis, CCIE, MCSE+I, SCSA<br />(Apr 20, 2006)<br /></div><br /><br />Takeaway: What happens if your Internet router goes down and you lose all Internet access? That's why it's important to include redundancy in your network. In this edition of<span style="font-style: italic;"> <a style="font-weight: bold;" href="http://networking-irfansyah.blogspot.com/2009/06/index-article-about-cisco-administrator.html">Cisco Routers and Switches</a></span>, David Davis explains how you can use the Hot Standby Router Protocol (HSRP) to ensure redundancy.<br /><br />What happens if your Internet router goes down and you lose all Internet access? Is that acceptable for your organization? 
You can probably get away with it for about two minutes, but you need to have a better plan than just calling a support desk.<br /><br />That's why it's important to include redundancy in your network. Consider adding a backup router to your current router that can take over at a moment's notice. All you need is the hardware; the Cisco software can take care of the rest. Let's examine how to configure this using the Hot Standby Router Protocol (HSRP).<br /><br /><span style="color: rgb(255, 102, 0);">What is HSRP?</span><br /><br />HSRP is a Cisco proprietary first-hop redundancy protocol. A group of routers on the same LAN shares a single virtual IP address and a single virtual MAC address, and the hosts use that virtual address as their default gateway. If the router currently answering for the virtual address goes down, a backup router takes over the routing functions of the primary one, and the hosts never have to change their gateway.<br /><br />However, there are other industry protocols for the same job that Cisco supports. One industry standard is the Virtual Router Redundancy Protocol (VRRP, RFC 3768). Another HSRP alternative is the Gateway Load Balancing Protocol (GLBP), another Cisco proprietary solution, which additionally spreads the outbound load across the routers in the group.<br /><br /><br /><span style="color: rgb(255, 102, 0);">A sample network</span><br /><br />Before we discuss how to configure HSRP, let's take a look at the network we'll use for this example. 
To help you better understand how HSRP works, here's a basic network diagram:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-YyrW7_Kw0bwMzsz591n-9qAFH37Xs_PW9EKiVwC8YOYV2fZ6y2BhkVDqu3_ii3V5QXkC81eOJf4nB9z1RWTfIF0iCKvA2gNGmRwf3rqNCZAcyPS43I6MC8TvCKywTgTsR4-vADUdIVwb/s1600-h/cisco.hsrp.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 349px; height: 336px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-YyrW7_Kw0bwMzsz591n-9qAFH37Xs_PW9EKiVwC8YOYV2fZ6y2BhkVDqu3_ii3V5QXkC81eOJf4nB9z1RWTfIF0iCKvA2gNGmRwf3rqNCZAcyPS43I6MC8TvCKywTgTsR4-vADUdIVwb/s400/cisco.hsrp.jpg" alt="" id="BLOGGER_PHOTO_ID_5368405692078513874" border="0" /></a><br /><br />In our sample network, we've configured the PCs' default gateway to IP address 10.1.1.3. That address doesn't belong to a real interface; it is the virtual IP address, and whichever router is currently active answers for it.<br /><br /><span style="color: rgb(255, 102, 0);">How does HSRP work?</span><br /><br />In an HSRP group, one router is active (the primary) and one is standby. The active router sends hello packets at a fixed interval, 3 seconds by default. If the standby router hears no hello for the hold time, 10 seconds by default, it assumes the active router is down and takes over: it starts answering ARP requests for the virtual IP address and accepting frames sent to the virtual MAC address. In HSRP version 1 that MAC address is 0000.0c07.acXX, where XX is the group number, which is why the show standby output below reports 0000.0c07.ac00 for group 0. Because the MAC address moves with the role, the hosts' ARP caches stay valid through a failover.<br /><br />The active and standby routers exchange HSRP hello packets so that each knows the other is there. In HSRP version 1 these hellos go to multicast 224.0.0.2 on UDP port 1985 (HSRP version 2 uses 224.0.0.102). The most basic form of HSRP has been available since IOS 10.0, but newer features have been released in the 11 and 12 versions of the IOS.<br /><br />What determines the active router? 
First, the router with the highest configured priority becomes active; if priorities tie, the router with the highest interface IP address wins. The default priority is 100, and a higher number signifies the preferred router. A router that starts up after the election doesn't take over from a lower-priority active router unless preemption is enabled on it.<br /><br />Because the election is decided entirely by the contents of the hello packets, any device on the same segment that can send HSRP hellos with a higher priority and preemption can make itself the active router and become the default gateway for every host on the LAN. The default HSRP authentication is the plaintext string "cisco" and offers no protection against this, so on any segment where you don't trust every attached host, configure MD5 authentication on the group with the same key on all of its routers.<br /><br />Of course, when setting up router redundancy, you aren't limited to just two routers. In fact, you can set up groups of routers that work together and have multiple backup routers; only one of them is in the standby state at a time, and the others listen.<br /><br /><span style="color: rgb(255, 102, 0);">How do you configure HSRP?</span><br /><br />You can accomplish almost all HSRP configuration in the router's Interface Configuration Mode using the standby command. Let's look at the steps I took to configure the network shown in the diagram.<br /><br /><span style="color: rgb(255, 102, 0);">For Router 1:</span><br /><br />1. Configure the IP address on the Ethernet interface.<br />2. Configure the standby IP address.<br />3. Configure standby preempt. (With preempt, Router 1 takes the active role back whenever it is available, because its default priority of 100 is higher than Router 2's.)<br /><br /><span style="color: rgb(255, 102, 0);">For Router 2:</span><br /><br />1. Configure the IP address on the Ethernet interface.<br />2. Configure the standby IP address.<br />3. Configure standby priority to be less than 100. 
(In this case, it's 99.)<br /><br />Now, let's look at the configuration for our sample network.<br /><br />Router 1<br /><br />(show running-config output)<br /><span style="color: rgb(0, 153, 0);">interface Ethernet0/0</span><br /><span style="color: rgb(0, 153, 0);"> ip address 10.1.1.1 255.255.255.0</span><br /><span style="color: rgb(0, 153, 0);"> standby ip 10.1.1.3</span><br /><span style="color: rgb(0, 153, 0);"> standby preempt</span><br /><br /><span style="color: rgb(0, 153, 0);">Router1# show standby</span><br /><span style="color: rgb(0, 153, 0);">Ethernet0/0 - Group 0</span><br /><span style="color: rgb(0, 153, 0);"> State is Active</span><br /><span style="color: rgb(0, 153, 0);"> 2 state changes, last state change 00:00:29</span><br /><span style="color: rgb(0, 153, 0);"> Virtual IP address is 10.1.1.3</span><br /><span style="color: rgb(0, 153, 0);"> Active virtual MAC address is 0000.0c07.ac00</span><br /><span style="color: rgb(0, 153, 0);"> Local virtual MAC address is 0000.0c07.ac00 (default)</span><br /><span style="color: rgb(0, 153, 0);"> Hello time 3 sec, hold time 10 sec</span><br /><span style="color: rgb(0, 153, 0);"> Next hello sent in 0.692 secs</span><br /><span style="color: rgb(0, 153, 0);"> Preemption enabled</span><br /><span style="color: rgb(0, 153, 0);"> Active router is local</span><br /><span style="color: rgb(0, 153, 0);"> Standby router is 10.1.1.2, priority 99 (expires in 8.097 sec)</span><br /><span style="color: rgb(0, 153, 0);"> Priority 100 (default 100)</span><br /><span style="color: rgb(0, 153, 0);"> IP redundancy name is "hsrp-Et0/0-0" (default)</span><br /><br /><span style="color: rgb(0, 153, 0);">Router1#</span><br /><br />Router 2<br /><br />(show running-config output)<br /><span style="color: rgb(0, 153, 0);">interface Ethernet0/0</span><br /><span style="color: rgb(0, 153, 0);"> ip address 10.1.1.2 255.255.255.0</span><br /><span style="color: rgb(0, 153, 0);"> standby ip 10.1.1.3</span><br /><span 
style="color: rgb(0, 153, 0);"> standby priority 99</span><br /><br /><span style="color: rgb(0, 153, 0);">Router2# show standby</span><br /><span style="color: rgb(0, 153, 0);">Ethernet0/0 - Group 0</span><br /><span style="color: rgb(0, 153, 0);"> Local state is Standby, priority 99</span><br /><span style="color: rgb(0, 153, 0);"> Hellotime 3 sec, holdtime 10 sec</span><br /><span style="color: rgb(0, 153, 0);"> Next hello sent in 1.014</span><br /><span style="color: rgb(0, 153, 0);"> Virtual IP address is 10.1.1.3 configured</span><br /><span style="color: rgb(0, 153, 0);"> Active router is 10.1.1.1, priority 100 expires in 7.159</span><br /><span style="color: rgb(0, 153, 0);"> Standby router is local</span><br /><span style="color: rgb(0, 153, 0);"> 4 state changes, last state change 00:02:02</span><br /><br /><span style="color: rgb(0, 153, 0);">Router2#</span><br /><br />You can use the show standby command in Privileged Mode to check the status of HSRP. It tells you which router is active and which is standby, the priorities and timers in use, and when the next hello is due; the state-change counter is also the first thing to look at if the routers are flapping between roles.<br /><br />On the PC, the default gateway should point to 10.1.1.3, not to the address of either router. This way, if one of the routers goes down, the other will take over. You may even be able to use this redundancy to take a production router down during the day, because with the default timers the failover takes about the 10-second hold time (less if you shorten the timers with the standby timers command). Note that the failover is stateless: traffic that merely passes through the routers keeps flowing, but anything the active router was tracking per connection, such as dynamic NAT translations, is lost with it.<br /><br />HSRP is a valuable tool for ensuring high availability and router redundancy. Of course, there are also several HSRP options that I didn't address in this article, such as authentication, interface tracking and tuning of the timers. For more information, check out the <a href="http://www.cisco.com/en/US/tech/tk648/tk362/technologies_q_and_a_item09186a00800a9679.shtml">Cisco HSRP FAQ.</a><br /><br />
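<br /><br />Here is the same two-router pair with the options that matter in practice turned on, as an added example rather than the column's own configuration. It uses HSRP group 1 instead of the default group 0, and the key string, the tracked Serial0/0 interface, the priorities and the timers are assumptions chosen for illustration:

```cisco
! Router 1: preferred gateway for 10.1.1.0/24
! Object 1 goes down when the WAN link loses line protocol
track 1 interface Serial0/0 line-protocol
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.3
 standby 1 priority 110
 ! take the active role back when available, after 30 s to let routing converge
 standby 1 preempt delay minimum 30
 ! 1 s hello / 3 s hold: failover in about 3 s instead of the default 10 s
 standby 1 timers 1 3
 ! drop hellos from anything that does not know the key
 standby 1 authentication md5 key-string hsrp-secret-key
 ! lose 20 priority points (110 -> 90) while the WAN link is down
 standby 1 track 1 decrement 20
!
! Router 2: standby gateway
track 1 interface Serial0/0 line-protocol
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.3
 standby 1 priority 100
 ! preempt is needed here too, or Router 1's tracked priority drop
 ! would never make Router 2 take over
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string hsrp-secret-key
 standby 1 track 1 decrement 20
```

Router 2 needs preempt as well: when Router 1's WAN link fails, tracking lowers Router 1's priority from 110 to 90, and Router 2 (priority 100) takes over only because it is allowed to preempt. Without that, Router 1 would keep the active role with a dead uplink and blackhole the LAN. Verify the roles and the tracked object with show standby brief and show track.<br /><br />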
source : www.techrepublic.com<br /><br /><div style="text-align: center; font-weight: bold;">Preserve NAT translations when a Cisco router fails<br /></div><br /><div style="text-align: center;">by David Davis, CCIE, MCSE+I, SCSA<br />(Apr 2006)<br /></div><br /><br />Takeaway: When you have two routers running HSRP, the standby router takes over if the active router goes down. But if this happens when you're using NAT, it severs all connections going through the active <span style="font-style: italic;">router</span>. David Davis tells you how to use HSRP and SNAT to preserve these NAT translations.<br /><br />Last time, I discussed how you can <a href="http://articles.techrepublic.com.com/5100-10878_11-6063344.html">achieve Cisco router redundancy using the Hot Standby Router Protocol (HSRP)</a>. This time, let's delve a little deeper into your other HSRP options. If you're interested in using Network Address Translation (NAT) with HSRP, you should familiarize yourself with the <span style="font-style: italic;">Cisco IOS Stateful NAT (SNAT)</span> feature, which keeps NAT working across a router failover.<br /><br />To quickly review, when you have two routers running HSRP, the standby router takes over if the active router goes down. 
However, if this happens when you're using NAT, the new active router has no copy of the failed router's dynamic NAT translation table, so every connection that was being translated by the active router is severed and users have to reestablish it. (Static NAT entries survive, because they are configuration rather than learned state.) That's where SNAT comes in.<br /><br /><br /><span style="color: rgb(255, 102, 0);">What is SNAT?</span><br /><br />There's some confusion out there about what exactly SNAT stands for, and a Google search will return a variety of definitions. According to Microsoft, SNAT stands for <span style="font-style: italic;">Secure NAT</span> and is available on ISA Server. In addition, SNAT can stand for Source NAT. However, in the Cisco arena, SNAT stands for <span style="font-style: italic;">Stateful NAT</span>.<br /><br />SNAT involves two or more routers performing the NAT function as a group. These NAT routers exchange the contents of their NAT translation databases with each other. You can view this information using the show ip nat translations command, whose output lists the protocol, inside global IP, inside local IP, outside local IP, and outside global IP of every translation.<br /><br />Whenever a new NAT connection is created on one of the NAT routers, that router relays the translation to the others in the SNAT group. But these routers aren't just exchanging the IP addresses and ports of the NAT flows; they're also exchanging the TCP state of those flows. The standby routers therefore already hold a copy of the active router's NAT translation table and are simply waiting for a failure.<br /><br />In other words, the purpose of this exchange of NAT flow information is to ensure one of the standby NAT routers can take over if the active NAT router goes down. While you can configure SNAT in its own primary/backup mode, it works best when tied to HSRP, so that the NAT role and the gateway role fail over together.<br /><br />Cisco has released SNAT in phases. In the first phase, released in Cisco IOS 12.2(13)T, it only worked with protocols that didn't carry IP address information inside the application layer. 
But as of Cisco IOS 12.3(7)T, SNAT supports applications that have IP information embedded in the application layer, such as FTP. In addition, Cisco released some scalability enhancements for SNAT in IOS 12.4(4)T.<br /><br /><span style="color: rgb(255, 102, 0);">How do you configure SNAT?</span><br /><br />To configure SNAT with HSRP, start by using the regular HSRP standby commands on your HSRP interfaces. You also need to give the HSRP group a name with the standby name command, because SNAT refers to the group by that name (SNATHSRP is simply the name used in Cisco's examples).<br /><br />Your standby commands might look something like this:<br /><br /><span style="color: rgb(51, 204, 0);">standby name SNATHSRP</span><br /><span style="color: rgb(51, 204, 0);">standby ip 10.10.10.1 secondary</span><br /><br />You also need to make sure that a router returning from a reload doesn't preempt the active router before it has received the NAT state from it, or it would take over with an empty translation table. The preempt delay options do that; the sync keyword in particular holds off preemption until IP redundancy clients such as SNAT have synchronized. These commands belong to the same HSRP group as the standby name and standby ip lines above:<br /><br /><span style="color: rgb(51, 204, 0);">standby delay reload 60</span><br /><span style="color: rgb(51, 204, 0);">standby preempt delay minimum 60 reload 60 sync 60</span><br /><br />After exiting Interface Configuration Mode, enter the ip nat stateful command; make sure it references the same SNATHSRP group name. Here's an example:<br /><br /><span style="color: rgb(51, 204, 0);">ip nat stateful id 1</span><br /><span style="color: rgb(51, 204, 0);"> redundancy SNATHSRP</span><br /><span style="color: rgb(51, 204, 0);"> mapping-id 10</span><br /><br />Now you can enter your standard NAT commands to create your translation pools; the mapping-id on the translation rule must match the one under ip nat stateful, because it is what ties this rule to the shared state. Here's an example:<br /><br /><span style="color: rgb(51, 204, 0);">ip nat pool snatpool1 10.10.10.1 10.10.10.9 prefix-length 24</span><br /><span style="color: rgb(51, 204, 0);">ip nat inside source route-map rm-snat1 pool snatpool1 mapping-id 10 overload</span><br /><br />Next, create your access control list and route map, according to the network for which you're configuring NAT. 
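<br /><br />Here are the fragments above assembled into complete configurations for both routers of a SNAT pair. This is an added example, not code from the column or from Cisco's documentation; the interface names, the addresses (192.168.10.0/24 inside, 203.0.113.0/24 toward the ISP), the priorities, the key string and the stateful ids (1 and 2, unique per router, while mapping-id 10 is shared) are assumptions chosen for illustration. Translations are overloaded onto the outside virtual address so that return traffic always reaches whichever router currently holds that address, and the access list and route map that the next snippet introduces are included so that each router is complete:

```cisco
! ===== Router A: preferred active router of the SNAT pair =====
! Object 1 follows the ISP-facing link, object 2 the LAN link;
! losing either lowers the priority of the group on the other side
track 1 interface FastEthernet0/1 line-protocol
track 2 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 ! SNAT binds to this group by its name
 standby name SNATHSRP
 standby ip 192.168.10.1
 standby priority 110
 ! sync 60: wait for SNAT state before taking the role back after a reload
 standby preempt delay minimum 60 reload 60 sync 60
 standby authentication md5 key-string hsrp-secret-key
 standby track 1 decrement 20
!
interface FastEthernet0/1
 description outside link to the ISP
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 standby 2 ip 203.0.113.1
 standby 2 priority 110
 standby 2 preempt delay minimum 60 reload 60 sync 60
 standby 2 authentication md5 key-string hsrp-secret-key
 standby 2 track 2 decrement 20
!
! Stateful id is unique per router; mapping-id 10 is shared by the group
ip nat stateful id 1
  redundancy SNATHSRP
   mapping-id 10
!
! PAT everything from the inside LAN onto the outside virtual address
ip nat pool SNATPOOL 203.0.113.1 203.0.113.1 prefix-length 24
ip nat inside source route-map RM-SNAT pool SNATPOOL mapping-id 10 overload
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
route-map RM-SNAT permit 10
 match ip address 101
!
! ===== Router B: backup, identical apart from addresses, priority and id =====
track 1 interface FastEthernet0/1 line-protocol
track 2 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/0
 ip address 192.168.10.3 255.255.255.0
 ip nat inside
 standby name SNATHSRP
 standby ip 192.168.10.1
 standby priority 100
 standby preempt delay minimum 60 reload 60 sync 60
 standby authentication md5 key-string hsrp-secret-key
 standby track 1 decrement 20
!
interface FastEthernet0/1
 ip address 203.0.113.3 255.255.255.0
 ip nat outside
 standby 2 ip 203.0.113.1
 standby 2 priority 100
 standby 2 preempt delay minimum 60 reload 60 sync 60
 standby 2 authentication md5 key-string hsrp-secret-key
 standby 2 track 2 decrement 20
!
ip nat stateful id 2
  redundancy SNATHSRP
   mapping-id 10
!
ip nat pool SNATPOOL 203.0.113.1 203.0.113.1 prefix-length 24
ip nat inside source route-map RM-SNAT pool SNATPOOL mapping-id 10 overload
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
route-map RM-SNAT permit 10
 match ip address 101
```

The HSRP group on the inside interface carries the name that ip nat stateful references, so the NAT role follows the gateway role, and tracking the opposite interface on each group makes a failed link move both roles to the other router together. After a failover, show ip nat translations on the new active router should list the same entries the old one had; the sync option on preempt delay keeps a rebooted Router A from taking the role back before it has received them, and the MD5 key stops an unauthenticated device on either segment from winning the election and pulling the NAT state with it.<br /><br />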
Here's an example:<br /><br /><span style="color: rgb(51, 204, 0);">access-list 101 permit ip 10.10.10.0 0.0.0.255 1.1.1.0 0.0.0.255</span><br /><br /><span style="color: rgb(51, 204, 0);">route-map rm-snat1 permit 10</span><br /><span style="color: rgb(51, 204, 0);"> match ip address 101</span><br /><br />Finally, repeat the configuration on the other router in the SNAT group, with the same HSRP group name, mapping-id, pool, access list and route map, but its own interface addresses and its own stateful id. After that, you can use the traditional NAT commands such as <span style="color: rgb(51, 204, 0);">show ip nat translations</span> and <span style="color: rgb(51, 204, 0);">show ip nat statistics</span>, as well as the<span style="color: rgb(51, 204, 0);"> show ip snat</span> command, to confirm that translations created on the active router also appear on the standby.<br /><br />The combination of SNAT and HSRP working together preserves NAT translations when a failure occurs. A standby router can step in and take over the active role, possibly without users ever realizing there was a failure. Even better, you can be home asleep when it happens.<br />Want to learn more? Check out these Cisco resources:<br /><br /><br />* <a href="http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftsnat.html">Stateful Failover of Network Address Translation (SNAT) Phase 1</a><br />* <a href="http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtsnatay.html">NAT Stateful Failover for Asymmetric Outside-to-Inside and ALG Support—Stateful NAT Phase 2</a><br /><br />* <a href="http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html">Scalability for Stateful NAT</a><br />* <a href="http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044edaa.html">Configuring NAT for High Availability</a><br />* <a href="http://www.cisco.com/en/US/products/ps6600/products_white_paper09186a0080118b04.shtml">Enhanced IP Resiliency using Cisco Stateful NAT</a><br /><br /><span style="color: rgb(255, 102, 0);">Miss a column?</span><br /><br />Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent 
columns.<br /><br />article source : www.techrepublic.com<br /><br /><div style="text-align: center;"><span style="font-weight: bold;">Learn to configure Cisco IOS NAT on a stick</span><br /></div><br /><div style="text-align: center;">by David Davis<br />(April 2008)<br /><br /></div>A well-known NAT configuration is called “<span style="font-weight: bold;">NAT on a stick</span>.” Besides having a funny name, NAT on a stick can be very useful to network administrators. In this article, learn what NAT on a stick is and how it can help you.<br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0);">What is Network Address Translation?</span><br /><br />Network Address Translation (NAT) rewrites the IP addresses in packets as they pass from one network into another. NAT is performed by a router and is commonly used to translate the private IP addresses used in homes and businesses into the public IP addresses that are used on the Internet.<br /><br />When configuring NAT, there are a number of terms and concepts you need to know. For example: the difference between inside local, inside global, outside local, outside global, NAT vs. 
PAT, and “NAT overload.” You can learn about these terms and how NAT works in my article, “<a href="http://networking-irfansyah.blogspot.com/2009/08/set-up-nat-using-cisco-ios.html">Set up NAT using the Cisco IOS</a>.” Additionally, you should take a look at the “<a href="http://networking-irfansyah.blogspot.com/2009/08/understand-order-of-operations-for.html">Cisco IOS NAT order of Operations</a>.”<br /><br />I don’t recommend that you configure NAT on a stick until you have a good understanding of NAT. I recommend that you try one of the easier NAT configurations prior to NAT on a stick.<br /><br />For more information on NAT, see the Cisco Systems white paper, “<a href="http://whitepapers.techrepublic.com.com/abstract.aspx?docid=13046">How NAT Works</a>,” in TechRepublic’s white paper directory.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0);">What is NAT on a stick?</span><br /><br />First, the “stick” is just a single router interface. NAT is normally performed between two router interfaces, one marked inside and one marked outside; NAT on a stick describes a configuration in which the router has only one physical interface and still performs NAT. Thus, we are really talking about NAT on a single router interface (but that’s not as catchy, is it?).<br /><br />For NAT to work, a packet has to cross from an interface marked ip nat inside to one marked ip nat outside (or the reverse). This is still true with NAT on a stick, but we get around having only a single physical interface by using a virtual interface, a Cisco IOS loopback interface, as the outside interface. A policy-based route (PBR) on the physical interface steers the traffic that needs translating through the loopback, and that inside-to-outside crossing is what triggers the translation.<br /><br />Prior to configuring NAT on a stick, you should make sure that your Cisco IOS supports this feature. 
To do this, you can use the <a href="http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp">Cisco IOS Feature Navigator</a>.<br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0);">How can NAT on a stick help you?</span><br /><br />NAT on a stick is not what I would consider a common configuration. However, I have seen it listed on Cisco certification exam objectives; I have heard Cisco instructors talk about it; and I have had readers ask me questions about it. So, even though you won’t find NAT on a stick in use on most enterprise networks, I think that it is important that you know what it is, how it can help you, and that it is yet another tool available to you, should you need it.<br /><br />While there are a number of options for using NAT on a stick, here is a scenario in which I’ve seen it in use. (I have selected this scenario because it is based on the official Cisco documentation on this topic, where you can go to find more information.)<br /><br />You have a LAN with a number of computers, a single Cisco router with one Ethernet interface, and a cable or DSL modem. Your ISP has given you a single IP address plus a block of two other IP addresses on a different network. Usually, you would get around this by using NAT (actually PAT, or NAT overload) with a home/SMB router such as a Linksys, Netgear, D-Link, or Belkin. But let’s say that you want to use a Cisco router only, and unfortunately, all you have is a 2501 (one Ethernet interface plus serial interfaces). The modem is just a bridge (not a router), and the Cisco router cannot sit between the LAN and the modem because it has only one LAN interface. So you put a small hub between the modem and the 2501, and the PCs, the router and the modem all share one Ethernet segment.<br /><br />While this might sound like a wild scenario to some, and we all agree that you just need to buy more hardware, I don’t want to leave out any possible option that you could consider for using the Cisco IOS to solve a problem. 
Should this configuration be used on the Internet in production? No. Because the PCs, the router and the modem share one Ethernet segment, nothing stops a device on the modem side of the hub from talking to the PCs directly at layer 2; the NAT here is an addressing trick, not a security boundary. Is it valuable to know how to configure NAT on a stick? Absolutely!<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">How do you configure NAT on a stick?</span><br /><br />The sample configuration below for NAT on a stick is based on the following details: the 192.168.1.0/24 network is the one the ISP's gateway (192.168.1.1) lives on, and the ISP gives you one usable address on it, 192.168.1.2, for the router. The ISP also gives you a block of two addresses on the 192.168.2.0/29 network, 192.168.2.2 and 192.168.2.3, which become the NAT pool. The 10.0.0.0/24 network is the private LAN, where you can have as many devices as you want; those devices rely on NAT on a stick to reach the Internet.<br /><br />Remember, the Cisco IOS loopback interface is the virtual interface that helps us get around the “one interface only” issue. Route-map names are case-sensitive, so the name in the ip policy route-map statement must match the route-map definition exactly. Here is what you need to do:<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">Configure Interfaces with NAT statements and IP policy routing</span><br /><br /><span style="color: rgb(51, 204, 0);">interface Loopback0</span><br /><br /><span style="color: rgb(51, 204, 0);"> ip address 10.0.1.1 255.255.255.252</span><br /><br /><span style="color: rgb(51, 204, 0);"> ip nat outside</span><br /><br /><span style="color: rgb(51, 204, 0);">interface Ethernet0</span><br /><br /><span style="color: rgb(51, 204, 0);"> ip address 192.168.1.2 255.255.255.0 secondary</span><br /><br /><span style="color: rgb(51, 204, 0);"> ip address 10.0.0.2 255.255.255.0</span><br /><br /><span style="color: rgb(51, 204, 0);"> ip nat inside</span><br /><br /><span style="color: rgb(51, 204, 0);"> ip policy route-map Nat-loop</span><br /><br /><span style="font-weight: bold; color: rgb(0, 0, 0);">Configure your NAT pools</span><br /><br /><span style="color: rgb(51, 204, 0);">ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29</span><br /><br /><span style="color: rgb(51, 204, 0);">ip nat inside source list 10 pool external overload</span><br 
/><br /><span style="font-weight: bold;">Ensure that you have IP Routes</span><br /><br /><span style="color: rgb(51, 204, 0);">ip route 0.0.0.0 0.0.0.0 192.168.1.1</span><br /><br /><span style="color: rgb(51, 204, 0);">ip route 192.168.2.0 255.255.255.0 Ethernet0</span><br /><br /><span style="font-weight: bold;">Create ACLs for NAT and the Policy Routing</span><br /><br /><span style="color: rgb(51, 204, 0);">access-list 10 permit 10.0.0.0 0.0.0.255</span><br /><br /><span style="color: rgb(51, 204, 0);">access-list 102 permit ip any 192.168.2.0 0.0.0.255</span><br /><br /><span style="color: rgb(51, 204, 0);">access-list 102 permit ip 10.0.0.0 0.0.0.255 any</span><br /><br /><span style="font-weight: bold;">Create the Route Map that is applied to the Ethernet interface</span><br /><br /><span style="color: rgb(51, 204, 0);">route-map Nat-loop permit 10</span><br /><br /><span style="color: rgb(51, 204, 0);"> match ip address 102</span><br /><br /><span style="color: rgb(51, 204, 0);"> set interface loopback0</span><br /><br />With this configuration, the PC clients assigned 10.0.0.x network IP addresses will be NATed when their traffic arrives on the Ethernet0 interface. That NATing will use the 192.168.2.x pool.<br /><br />You should note that you will have to configure the router’s primary Ethernet IP as the default gateway for all PCs in the NAT network. You will also have to do ONE of the following:<br /><br />1. Have the ISP or any other router on the other side of the NAT network create a static route for your 192.168.2.0/29, pointing to your router’s 192.168.1.2 IP address<br /><br />2. Have your router advertise that network (in #1) via a dynamic routing protocol like RIP, OSPF, or EIGRP<br /><br />This configuration is based on the example provided in Cisco’s official Network Address Translation on a Stick documentation. 
Please review it if you have questions on this example, as it has a diagram and debug steps.<br /><br /><span style="color: rgb(255, 102, 0);">In Conclusion</span><br /><br />NAT on a Stick is one of the many tools that a network admin may need to employ in certain situations. If nothing else, it is a configuration that you should recognize by name if you are asked about it on certification exams or by colleagues. For some admins, it is an irreplaceable tool.<br /><br />David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com.<br /><br />article source = www.techrepublic.com<br /><br /><div style="text-align: center;"><span style="font-weight: bold;">Understand the order of operations for Cisco IOS</span><br /></div><br /><div style="text-align: center;">by David Davis CCIE, MCSE+I, SCSA<br />(Mar 2006)<br /></div><br />Takeaway: Being familiar with the Cisco IOS order of operations is vital when it comes to understanding how the traffic within a router is flowing and how to control that traffic. 
This week, David Davis walks you through the two different order of operations tables:<a href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml"> the NAT Order of Operations</a> and <a href="http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml">the QoS Order of Operations</a>.<br /><br />The Cisco IOS order of operations plays an important role in how a router processes traffic. The order of operations tells the router how to process traffic according to the configuration of different router features.<br /><br />If you're simply using the most basic features of the router, chances are good that you'll never have to think about the order of operations. However, when configuring features such as Network Address Translation (NAT), Quality of Service (QoS), and encryption, it's essential to understand the order of operations in order to configure these features successfully.<br /><br />Using the Cisco IOS actually involves two different order of operations tables: the NAT Order of Operations and the QoS Order of Operations. Let's take a look at each.<br /><br /><br /><span style="color: rgb(255, 102, 0);">NAT Order of Operations</span><br /><br />Before you can understand the NAT Order of Operations list, you first need to understand NAT itself. In its most basic form, NAT translates one IP address to another IP address.<br /><br />When the router uses this order of operations, it takes the inbound packet, starting at the top and moves down the list. If the packet is from a NAT inside-designated interface, it uses the inside-to-outside list. 
If the packet is from an outside-to-inside interface, it uses that list.<br /><br />Here's the order of operations for the inside-to-outside list:<br /><br /> * If IPSec, then check input access list<br /> * Decryption—for Cisco Encryption Technology (CET) or IPSec<br /> * Check input access list<br /> * Check input rate limits<br /> * Input accounting<br /> * Policy routing<br /> * Routing<br /> * Redirect to Web cache<br /> * NAT inside to outside (local to global translation)<br /> * Crypto (check map and mark for encryption)<br /> * Check output access list<br /> * Inspect context-based access control (CBAC)<br /> * TCP intercept<br /> * Encryption<br /><br />Here's the order of operations for the outside-to-inside list:<br /><br /> * If IPSec, then check input access list<br /> * Decryption—for CET or IPSec<br /> * Check input access list<br /> * Check input rate limits<br /> * Input accounting<br /> * NAT outside to inside (global to local translation)<br /> * Policy routing<br /> * Routing<br /> * Redirect to Web cache<br /> * Crypto (check map and mark for encryption)<br /> * Check output access list<br /> * Inspect CBAC<br /> * TCP intercept<br /> * Encryption<br /><br />Let's say that you have an IP packet coming in from an outside-to-inside interface. When translating that packet, you want to use an access control list to block traffic from certain IP addresses. Which IP address should you put in the ACL—the IP address before the packet's translation (i.e., the public IP address), or the IP address after the packet's translation (i.e., the private address)?<br /><br />By checking the order of operations, you can determine that the "NAT outside to inside" operation occurs after the "Check input access list" task. Therefore, you would use the public IP address in the ACL because the packet hasn't gone through NAT.<br /><br />On the other hand, what if you want to create a static route for traffic going through NAT? 
Should you use the public (outside) or private (inside) IP address? In this case, you would use the private (inside) IP address because the traffic has already gone through NAT when it gets to the "Routing" operation.<br /><br /><br /><span style="color: rgb(255, 102, 0);">QoS Order of Operations</span><br /><br />The Quality of Service (QoS) order of operations is another important list to know. Of course, this is only really important if you're using QoS. But if you are, you need to be familiar with it.<br /><br />Here's the order of operations for inbound traffic to the router:<br /><br /> * QoS Policy Propagation through Border Gateway Protocol (BGP)—or QPPB<br /> * Input common classification<br /> * Input ACLs<br /> * Input marking—class-based marking or Committed Access Rate (CAR)<br /> * Input policing—through a class-based policer or CAR<br /> * IPSec<br /> * Cisco Express Forwarding (CEF) or Fast Switching<br /><br />Here's the order of operations for outbound traffic from the router:<br /><br /> * CEF or Fast Switching<br /> * Output common classification<br /> * Output ACLs<br /> * Output marking<br /> * Output policing—through a class-based policer or CAR<br /> * Queueing—Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)—and Weighted Random Early Detection (WRED)<br /><br />Being familiar with the order of operations is vital when it comes to understanding how the traffic within a router is flowing and how to control that traffic. In my experience, the NAT order of operations is most important when you're using any combination of NAT, crypto, ACLs, routing, or other features on the list.<br /><br />Without a proper understanding of the order of operations, you can spend an entire week troubleshooting a basic NAT and ACL combination—without any luck. 
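The two questions above (which address belongs in an input ACL, and which in a static route) as an added example that is not part of the original column: a small Python model that walks a packet down the address-relevant steps of each NAT list and records what each step saw. The static translation 10.1.1.2 to 63.63.63.2, the interface names, and the Internet host 198.51.100.7 are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample: one static translation, private 10.1.1.2 seen from the
# Internet as 63.63.63.2, with the private LAN behind Ethernet0/0.
STATIC_NAT = {"10.1.1.2": "63.63.63.2"}      # inside local -> inside global
INSIDE_NET = ip_network("10.1.1.0/24")

# The two lists from the column, reduced to the steps that look at addresses.
# NAT sits *after* routing going out, but *before* routing coming in.
INSIDE_TO_OUTSIDE = ("input_acl", "routing", "nat", "output_acl")
OUTSIDE_TO_INSIDE = ("input_acl", "nat", "routing", "output_acl")

PERMIT_ANY = [("permit", "0.0.0.0/0", "0.0.0.0/0")]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                       # "inside-to-outside" or "outside-to-inside"
    trace: dict = field(default_factory=dict)


def acl_permits(acl, src, dst):
    """Extended-ACL style lookup: entries are (action, src_net, dst_net); first match wins."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False                         # the implicit deny at the end of every IOS ACL


def process(pkt, input_acl, output_acl=PERMIT_ANY):
    """Walk the packet down the list for its direction, recording what each step saw."""
    steps = INSIDE_TO_OUTSIDE if pkt.direction == "inside-to-outside" else OUTSIDE_TO_INSIDE
    for step in steps:
        if step == "input_acl":
            pkt.trace["input_acl_saw"] = (pkt.src, pkt.dst)
            if not acl_permits(input_acl, pkt.src, pkt.dst):
                pkt.trace["result"] = "dropped by input ACL"
                return pkt
        elif step == "nat":
            if pkt.direction == "inside-to-outside":
                pkt.src = STATIC_NAT.get(pkt.src, pkt.src)           # local -> global
            else:
                global_to_local = {g: l for l, g in STATIC_NAT.items()}
                pkt.dst = global_to_local.get(pkt.dst, pkt.dst)      # global -> local
        elif step == "routing":
            # The route lookup keys on the destination as it exists at this point in the
            # list, which is why an inbound static route must name the private address.
            pkt.trace["routing_saw"] = pkt.dst
            pkt.trace["egress"] = "Ethernet0/0" if ip_address(pkt.dst) in INSIDE_NET else "Serial0/0"
        elif step == "output_acl":
            pkt.trace["output_acl_saw"] = (pkt.src, pkt.dst)
            if not acl_permits(output_acl, pkt.src, pkt.dst):
                pkt.trace["result"] = "dropped by output ACL"
                return pkt
    pkt.trace["result"] = "forwarded"
    return pkt


def inbound_from_internet(input_acl):
    """Constructed Internet host 198.51.100.7 sending to the server's public address."""
    return process(Packet("198.51.100.7", "63.63.63.2", "outside-to-inside"), input_acl).trace


def outbound_from_server(output_acl=PERMIT_ANY):
    """The server replying to that host; the output ACL runs after NAT and sees the public source."""
    return process(Packet("10.1.1.2", "198.51.100.7", "inside-to-outside"), PERMIT_ANY, output_acl).trace


# Wrong: the deny names the private address, but the input ACL runs before
# "NAT outside to inside", so it sees 63.63.63.2 and the entry never matches.
BLOCK_BY_PRIVATE = [("deny", "198.51.100.0/24", "10.1.1.2/32")] + PERMIT_ANY
# Right: the public address is what the input ACL actually sees.
BLOCK_BY_PUBLIC = [("deny", "198.51.100.0/24", "63.63.63.2/32")] + PERMIT_ANY

if __name__ == "__main__":
    print("inbound, ACL written with private address:", inbound_from_internet(BLOCK_BY_PRIVATE))
    print("inbound, ACL written with public address: ", inbound_from_internet(BLOCK_BY_PUBLIC))
    print("outbound reply:", outbound_from_server())
```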
Knowing about the order of operations can really make a difference.<br /><br />David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.<br /><br />source : www.techrepublic.com<br /><br /><div style="text-align: center;"><span style="font-weight: bold;">Set up Port Address Translation (PAT) in the Cisco IOS</span><br /></div><br /><div style="text-align: center;">by David Davis CCIE, MCSE+I, SCSA<br />(May 2007)<br /><br /></div>Takeaway: <span style="font-weight: bold;">NAT</span> is a valuable tool for admins, both for conserving public IP addresses and securing internal resources. Several variations of NAT are available, including its cousin PAT. 
See the differences and learn how to<span style="font-weight: bold;"> set up PAT using the Cisco IOS</span>.<br /><br /><br /> *<a href="http://articles.techrepublic.com.com/5100-10878_11-1039094.html?tag=rbxccnbtr1"> Set up NAT using the </a><a href="http://networking-irfansyah.blogspot.com/2009/08/set-up-nat-using-cisco-ios.html"><span style="font-weight: bold;">Cisco IOS</span></a><br /> * <a href="http://blogs.techrepublic.com.com/networking/?p=264&tag=rbxccnbtr1">Configure static NAT for inbound connections</a><br /> * <a href="http://blogs.techrepublic.com.com/networking/?p=486&tag=rbxccnbtr1">Learn to <span style="font-weight: bold;">configure Cisco IOS NAT</span> on a stick</a><br /> * <a href="http://articles.techrepublic.com.com/5100-22_11-5295012.html?tag=btxcsim">Using NAT to connect Windows 2003 to the Internet</a><br /> * <a href="http://articles.techrepublic.com.com/5100-10878_11-1033242.html?tag=btxcsim">Configure IT Quick: Configuring Routing and Remote Access on your Windows 2000 server</a><br /><br /><br />Port Address Translation (PAT) is a special kind of Network Address Translation (NAT). It can provide an excellent solution for a company that has multiple systems that need to access the Internet but that has only a few public IP addresses. Let's take a look at the distinctions between NAT and PAT and see how they are typically used. Then, I'll show you how to configure PAT on a Cisco router.<br /><br /><span style="color: rgb(255, 102, 0);">Understanding PAT and NAT</span><br /><br />Before discussing PAT, it will help to describe what NAT does in general. NAT was designed to be a solution to the lack of public IP addresses available on the Internet. 
The basic concept of NAT is that it allows inside/internal hosts to use the private address spaces (10/8, 172.16/12, and 192.168/16 networks—see <a href="http://en.wikipedia.org/wiki/Private_network">RFC1918</a>), go through the internal interface of a router running NAT, and then have the internal addresses translated to the router's public IP address on the external interface that connects to the Internet.<br /><br />If you dig into NAT a little deeper, you will discover that there are really three ways to configure it. From these configurations, you can perform a variety of functions. The three configurations are:<br /><br /><span style="color: rgb(255, 102, 0);">PAT</span><br />PAT is commonly known as “NAT overload” (or sometimes just “overload”). In this configuration, you have multiple clients on your inside network wanting to access an outside network (usually the Internet). You have only a few public IP addresses, far fewer than the number of clients, so you have to “overload” that real Internet IP address. In other words, you are mapping many inside clients to a single Internet IP address (many to one). 
For an illustration of PAT, see Figure A.<br /><br /><span style="color: rgb(255, 102, 0);">Figure A</span><br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6cTPI0otcJ7ZjTKcmpmPzjG77vyCDJAzlFw_rTHWZnXb4-cWlJOFuQDbwNkU-FCEIYSMeSSEloKGXpCKDCSyWdKgEzaDlpvM7gNJYKMiZmBSTFP7WQt2JfkwVKv1_kCIbFnyux0dhzNBJ/s1600-h/port.address.translation1.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 255px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6cTPI0otcJ7ZjTKcmpmPzjG77vyCDJAzlFw_rTHWZnXb4-cWlJOFuQDbwNkU-FCEIYSMeSSEloKGXpCKDCSyWdKgEzaDlpvM7gNJYKMiZmBSTFP7WQt2JfkwVKv1_kCIbFnyux0dhzNBJ/s400/port.address.translation1.gif" alt="" id="BLOGGER_PHOTO_ID_5366158972811596754" border="0" /></a><br /><br /><br /><span style="color: rgb(255, 102, 0);">Pooled NAT</span><br /><br />Pooled NAT is similar to PAT except you have the luxury of having a one-to-one mapping of addresses. In other words, you have just as many inside network clients as you do outside network IP addresses. You tell the NAT router the pool of IP addresses that are available, and each client receives its own IP address when it requests a NAT translation. The client does not get the same address each time it requests a translation; it merely gets the next available address from the pool. In my article "<a style="font-weight: bold;" href="http://networking-irfansyah.blogspot.com/2009/08/set-up-nat-using-cisco-ios.html">Set up NAT using the Cisco IOS</a>," I explain how to configure Pooled NAT. 
For an illustration of Pooled NAT, see Figure B.<br /><br /><br />Figure B<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVyYDXVP5rgnsIUY1ZEaY_TOQVsFgqSjyNqgN2YLsxtTZXomXkZcMez8F1hHYTo0gVlt74U9NzE0YYnh6v8LleCXNCEciQZ5LrXfwAxYVsCkn9PaTCvFjbm5tjVGbwAMf0R2JYNyLrAdHo/s1600-h/port.address.translation2.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 299px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVyYDXVP5rgnsIUY1ZEaY_TOQVsFgqSjyNqgN2YLsxtTZXomXkZcMez8F1hHYTo0gVlt74U9NzE0YYnh6v8LleCXNCEciQZ5LrXfwAxYVsCkn9PaTCvFjbm5tjVGbwAMf0R2JYNyLrAdHo/s400/port.address.translation2.gif" alt="" id="BLOGGER_PHOTO_ID_5366159152384880402" border="0" /></a><br /><br /><br /><br /><span style="color: rgb(255, 102, 0);">Static NAT</span><br /><br />Static NAT is the simplest form of NAT. The most likely example is a mail server on the inside of a private network. The private network connects to the public Internet. In between the two networks, a router performs NAT. For a dedicated server, like a mail server, you would want a static (not changing) IP address. This way, every time someone on the Internet sends e-mail to the mail server, that server has the same public IP address. 
For an illustration of Static NAT, see Figure C.<br /><br />Figure C<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgsRleTzISBWPvOjQ266iKN5YPlJM7nz-w5PayaNat8_XYscnbLGJ1Wvago25-M7Pams3tWJYyB5VuUDqhVlmHK7mRKCkV5aWysVQKjeEMnYYmr7NJ-0P7e6HZu4FFRTXvg4E7i8j2gZQj/s1600-h/port.address.translation3.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 217px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgsRleTzISBWPvOjQ266iKN5YPlJM7nz-w5PayaNat8_XYscnbLGJ1Wvago25-M7Pams3tWJYyB5VuUDqhVlmHK7mRKCkV5aWysVQKjeEMnYYmr7NJ-0P7e6HZu4FFRTXvg4E7i8j2gZQj/s400/port.address.translation3.gif" alt="" id="BLOGGER_PHOTO_ID_5366159322545593586" border="0" /></a><br /><br />As I said, you can perform a variety of functions with these three configurations. For the purpose of this article, we will focus on configuring PAT.<br /><br /><span style="color: rgb(255, 102, 0);"><span style="font-weight: bold;">Configuring PAT</span><br /><br /></span>To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:<br /><br /> * <span style="color: rgb(255, 102, 0);">Inside Local</span>—This is the local IP address of a private host on your network (e.g., a workstation's IP address).<br /><br /> * <span style="color: rgb(255, 102, 0);">Inside Global</span>—This is the public IP address that the outside network sees as the IP address of your local host.<br /><br /> * <span style="color: rgb(255, 102, 0);">Outside Local</span>—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.<br /><br /> * <span style="color: rgb(255, 102, 0);">Outside Global</span>—This is the public IP address of the remote host (e.g., the IP address of the remote Web server that a 
workstation is connecting to).<br /><br /><br />You'll configure your Cisco router using seven commands. Let's assume that your Internet service provider gave you a 30-bit network containing two public IP addresses. This configuration would allow one address for your router and one address for your internal clients and devices. The first command you'll execute will tell the router which public IP address you want to use for PAT:<br /><br /><span style="color: rgb(51, 204, 0);">ip nat pool mypool 63.63.63.2 63.63.63.2 prefix-length 30</span><br /><br />This command configures a pool (range) of IP addresses to use for your translation. In this case, we want only one address in our pool, which we will overload. We do this by assigning the same IP address (63.63.63.2) for the start and end of the pool.<br /><br />The next command will tell your router which IP addresses it is allowed to translate:<br /><br /><span style="color: rgb(51, 204, 0);">access-list 1 permit 10.10.10.0 0.0.0.255</span><br /><br />It's not a good idea to put “permit any” in the access list, even though you will occasionally see that as a recommendation in some sample configurations.<br /><br />The next command is:<br /><br /><span style="color: rgb(51, 204, 0);">ip nat inside source list 1 pool mypool overload</span><br /><br />This command puts the pool definition and the access list together. In other words, it tells the router what will be translated to what. The overload keyword turns this into a PAT configuration. If you left out overload, you would be able to translate only one IP address at a time, so only one client could use the Internet at a time.<br /><br />Next, you need to tell PAT/NAT what interfaces are the inside network and what interfaces are the outside network. 
Here's an example:<br /><br /><span style="color: rgb(0, 153, 0);">interface ethernet 0</span><br /><span style="color: rgb(0, 153, 0);">ip nat inside</span><br /><br /><br /><span style="color: rgb(51, 204, 0);">interface serial 0</span><br /><span style="color: rgb(51, 204, 0);">ip nat outside</span><br /><br />With these commands, your PAT configuration is finished. You have told the Cisco IOS you are translating your network A into a single IP address from network B, that network A is on the ethernet 0 interface and network B is on the serial 0 interface, and that you want to allow the inside network to overload the single IP address on the outside network.<br /><br />Finally, verify that NAT works. This can be as simple as doing a ping command from your inside local host to an outside global host. If the ping succeeds, chances are you have everything configured correctly. You can also use the following Cisco IOS commands to confirm and troubleshoot:<br /><br /><span style="color: rgb(51, 204, 0);">show ip nat translations [verbose]</span><br /><span style="color: rgb(51, 204, 0);">show ip nat statistics</span><br /><br />With the translations command, you should see the translation that was created from your ping test. But watch out: The translations will disappear after their time-out expires. If you have configured overload, these time-outs are configurable by traffic type.<br /><br /><span style="color: rgb(255, 102, 0);">Summary</span><br /><br />You should now understand the differences between PAT, Pooled NAT, and Static NAT, and you should be able to do a basic PAT configuration with the Cisco IOS. 
For more information, check out the links below.<br /><br />source : www.techrepublic.com<br /><br /><div style="text-align: center;"><span style="font-weight: bold;">Set up NAT using the Cisco IOS</span><br /></div><br /><div style="text-align: center;">by David Davis CCIE, MCSE+I, SCSA<br />(October 2001)<br /><br /></div>Takeaway: <span style="font-style: italic;">Network address translation (NAT)</span> has become one of the key components of today's corporate networks attached to the Internet. See how to set up and manage NAT using the <span style="font-style: italic;">Cisco Internetwork operating system</span>.<br /><br />Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies. In this case, it translates one network address into another network address. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet is causing a shortage of IP addresses, so NAT is a key tool for connecting corporate networks using private IP addresses to the Internet. 
Since Cisco provides the bulk of the routers that connect to the Internet, we’re going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">Understanding NAT</span><br /><br />Using NAT to connect to the Internet allows you to:<br /><br />* Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.<br /><br />* Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.<br /><br />* Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.<br /><br /><br />The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:<br /><br />* <span style="color: rgb(255, 102, 0);">Inside Local</span>—This is the local IP address of the private host on your network (i.e., your PC’s IP address).<br /><br />* <span style="color: rgb(255, 102, 0);">Inside Global</span>—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.<br /><br />* <span style="color: rgb(255, 102, 0);">Outside Local</span>—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.<br /><br />* <span style="color: rgb(255, 102, 0);">Outside Global</span>—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).<br /><br /><br />My first reaction after reading Cisco’s definitions for these terms was nearly total confusion, so don’t feel bad if you feel the same way. But after seeing a diagram of these terms, it started to click for me. 
Take a look at Figure A for a logical diagram of these terms.<br /><br />Figure A<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2gRROTEkOB0kel000waafhoOr5aYF1nddlQ7ADm9KmlGJ5ATQhJYPkixLCA9vnQNXvAsEiaIYtptyTtGi3o823STSEBau4GTUezO9AExA1T3IUmhToj36Koz9ejmmAN-c72XCzZiYYX68/s1600-h/Network.adress.Translation.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 235px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2gRROTEkOB0kel000waafhoOr5aYF1nddlQ7ADm9KmlGJ5ATQhJYPkixLCA9vnQNXvAsEiaIYtptyTtGi3o823STSEBau4GTUezO9AExA1T3IUmhToj36Koz9ejmmAN-c72XCzZiYYX68/s400/Network.adress.Translation.gif" alt="" id="BLOGGER_PHOTO_ID_5365027881112446066" border="0" /></a><br /><br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">Configuring NAT</span><br /><br />To configure the standard NAT scenario I mentioned in the opening paragraph, refer to Figure B and then look at the simple steps that need to be taken if you are using a Cisco router between your local network and the Internet.<br /><br />Figure B<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1n1pp1jauflah-RHdtaKvq6zJwqN_Nbmiw03uasZydwnRU-R5h_UDauzUPheD9MeTsjjv6p68VPhyCyb31U7FG06u3v_IplnQQGdpLGOLFb8pX15FGOy7qIVNY3Woe_D0YXw24BFew6S1/s1600-h/Network.adress.Translation1.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 235px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1n1pp1jauflah-RHdtaKvq6zJwqN_Nbmiw03uasZydwnRU-R5h_UDauzUPheD9MeTsjjv6p68VPhyCyb31U7FG06u3v_IplnQQGdpLGOLFb8pX15FGOy7qIVNY3Woe_D0YXw24BFew6S1/s400/Network.adress.Translation1.gif" alt="" id="BLOGGER_PHOTO_ID_5365027968126684962" border="0" /></a><br /><br />
1. Configure your pool of legal, public IP addresses that the router can use to represent your local addresses on the Internet. This pool can contain as few as one or as many addresses as you would like to provide. For a small to medium-size network, one address is typically fine. The syntax is:<br /><br /><span style="color: rgb(51, 204, 0);">ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}</span><br /><br /><br />2. Define an access-list to specify what range of IP addresses is allowed to be translated from your local network to the remote network. This is, basically, a security feature asking you, “Who (what range of IP addresses) can use the NAT service?” The syntax is:<br /><br /><span style="color: rgb(51, 204, 0);">access-list access-list-number permit source [source-wildcard]</span><br /><br />3. Specify that you want a dynamic translation from the source IP address to the pool and that you want to overload the pool address (or addresses). The syntax is:<br /><br /><span style="color: rgb(51, 204, 0);">ip nat inside source list access-list-number pool name overload</span><br /><br />4. Specify which of the router’s interfaces will be the “inside” interface. The syntax for the Ethernet 0 interface is:<br /><br /><span style="color: rgb(51, 204, 0);">int e0</span><br /><span style="color: rgb(51, 204, 0);">ip nat inside</span><br /><br />5. Specify which of the router’s interfaces will be the “outside” interface. The syntax for the Serial 0 interface is:<br /><br /><span style="color: rgb(51, 204, 0);">int s0</span><br /><span style="color: rgb(51, 204, 0);">ip nat outside</span><br /><br />6. Add a static route to your router to send any traffic not destined for your local network to the Internet interface. (In our case, I will use a default route to send traffic out the serial interface.) 
Here’s the syntax:<br /><br /><span style="color: rgb(51, 204, 0);">ip route 0.0.0.0 0.0.0.0 serial0</span><br /><br />Listing A shows the resulting configuration for the router. One way to examine this on your router would be to issue the command <span style="color: rgb(51, 204, 0);">show run</span>.<br /><br /><span style="color: rgb(255, 102, 0);">How is this possible?</span><br /><br />This configuration would allow any host on your local network (such as a desktop PC) to connect to the Internet using the single registered IP address that is being overloaded. Thus, any traffic from that local PC will have the source IP address of the router’s external interface.<br /><br />If you think about this for a minute, you might wonder how multiple hosts can share the same IP address in the overload configuration, since we are taught that one IP address is assigned to one host and there is no sharing (any more than there is sharing of a social security number).<br /><br />The answer to that question is that NAT gets around this rule by making an entry in a translation table for every host using a port. In this translation table, there is a map between the inside local, a port on the inside global, another port on the outside local, and the outside global. By assigning these ports and keeping track of them in the table, the router is able to “overload” a single IP address with multiple hosts. 
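The translation table just described, and the effect of the <span style="color: rgb(51, 204, 0);">overload</span> keyword from the PAT article earlier on this page, as an added Python model that is neither the articles' nor Cisco's code. It assumes the PAT article's configuration (pool 63.63.63.2, access-list 1 permitting 10.10.10.0/24); the inside hosts, source ports, and the port range handed out are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count


@dataclass
class NatRouter:
    """Constructed model (not Cisco code) of this configuration:
         ip nat pool mypool 63.63.63.2 63.63.63.2 prefix-length 30
         access-list 1 permit 10.10.10.0 0.0.0.255
         ip nat inside source list 1 pool mypool overload
    """
    pool: tuple = ("63.63.63.2",)
    acl: tuple = (ip_network("10.10.10.0/24"),)
    overload: bool = True
    # The translation table: (inside local ip, port) -> (inside global ip, port).
    # No outside translation is configured, so outside local == outside global.
    table: dict = field(default_factory=dict)
    port_counter: count = field(default_factory=lambda: count(1024), repr=False)

    def permitted(self, inside_local):
        """access-list 1: only these hosts may use the NAT service."""
        return any(ip_address(inside_local) in net for net in self.acl)

    def translate_outbound(self, src_ip, src_port):
        """Inside-to-outside. Returns the (inside global ip, port) to rewrite the
        source with, or None when the packet gets no translation."""
        if not self.permitted(src_ip):
            return None                      # not in list 1: leaves untranslated
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]           # existing entry is reused
        if self.overload:
            # PAT: everyone shares pool[0]; a fresh port makes each entry unique.
            self.table[key] = (self.pool[0], next(self.port_counter))
            return self.table[key]
        # Dynamic NAT without "overload": one inside host holds one pool address,
        # port untouched; with a one-address pool the second host gets nothing
        # until the first entry times out.
        holders = {l_ip: g_ip for (l_ip, _), (g_ip, _) in self.table.items()}
        g_ip = holders.get(src_ip)
        if g_ip is None:
            free = [ip for ip in self.pool if ip not in holders.values()]
            if not free:
                return None
            g_ip = free[0]
        self.table[key] = (g_ip, src_port)
        return self.table[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Outside-to-inside: map a returning packet back to the host that opened it."""
        for local, global_ in self.table.items():
            if global_ == (dst_ip, dst_port):
                return local
        return None                          # no entry: unsolicited traffic has nowhere to go

    def expire(self, src_ip, src_port):
        """Drop an entry, as the router does when its time-out lapses."""
        self.table.pop((src_ip, src_port), None)

    def show_translations(self):
        """Rows in the 'Inside global / Inside local' shape of 'show ip nat translations'."""
        return [f"{g_ip}:{g_port}  {l_ip}:{l_port}"
                for (l_ip, l_port), (g_ip, g_port) in self.table.items()]


if __name__ == "__main__":
    r = NatRouter()
    # Constructed traffic: two inside hosts that happen to use the same source port.
    for host in ("10.10.10.5", "10.10.10.6"):
        print(host, "->", r.translate_outbound(host, 40000))
    print("\n".join(r.show_translations()))
```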
This allows them to share a single IP address among them.<br /><br />You can learn more about NAT and how to configure the other two possible uses of NAT from the Cisco Tech Tips pages and from the online Cisco IOS documentation pages on configuring IP addressing and IP addressing commands.<br /><br />source : www.techrepublic.com<br /><br /><div style="text-align: center;"><span style="font-weight: bold;">Configure static NAT for inbound connections</span><br /></div><br /><div style="text-align: center;">by David Davis<br />(June 6th, 2007)<br /></div><br />Someone recently asked me how to configure Network Address Translation (NAT) so that computers on the Internet could access his internal Web and mail server through his <span style="font-weight: bold;">Cisco router</span>. This requires configuring a static NAT translation between the dedicated public IP address and the dedicated private IP address. Here’s how to do it.<br /><br />Most people use NAT to connect to the Internet these days. NAT transforms private IP addresses to public IP addresses so users can access the public Internet. Most of us use a form of NAT called <span style="color: rgb(255, 0, 0); font-weight: bold;">Port Address Translation (PAT)</span>, which Cisco refers to as <span style="font-weight: bold;">NAT overload</span>. (For more information, see “<a href="http://networking-irfansyah.blogspot.com/2009/08/set-up-nat-using-cisco-ios.html">Set up NAT using the Cisco IOS</a>” and “<a href="http://articles.techrepublic.com.com/5100-10878_11-1053789.html">Set up Port Address Translation (PAT) in the Cisco IOS</a>.”)<br /><br />To start off, let’s get a better idea of what we’re working with. 
Figure A offers a diagram to help visualize the network.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkVK7eyFTsCQdguOD0DEEBy6DXSClLZ0g7AzI1isv0FRAh4QHRDvsWmGDuH33ouJqzaYiCTTY4O8rOpsLmcmZRwddPbHKb_lTZXXOghyphenhyphenwSetXxXI7B4lXEADBUqzJtnO9PUrZlgwDZZk7R/s1600-h/nat.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 178px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkVK7eyFTsCQdguOD0DEEBy6DXSClLZ0g7AzI1isv0FRAh4QHRDvsWmGDuH33ouJqzaYiCTTY4O8rOpsLmcmZRwddPbHKb_lTZXXOghyphenhyphenwSetXxXI7B4lXEADBUqzJtnO9PUrZlgwDZZk7R/s400/nat.jpg" alt="" id="BLOGGER_PHOTO_ID_5363983051733296018" border="0" /></a><br /><br />Our example network<br /><br />Here’s our goal: We want to configure a static IP translation through the router from the outside (i.e., Internet) network to the inside (i.e., private) network.<br /><br />On a Linksys router with a basic Web interface, this isn’t very hard to do. However, on a Cisco router using the command-line interface (CLI), you’ll struggle if you don’t know the proper commands or where to apply them.<br /><br />It’s a good idea to gather the data you’ll need before you start. Here’s the information we need for our example:<br /><br />* Router inside interface E0/0: IP 10.1.1.1<br />* Router outside interface S0/0: IP 63.63.63.1<br />* Web/mail server private IP: 10.1.1.2<br />* Web/mail server public IP: 63.63.63.2<br /><br />There are two important steps to get this traffic inside your network and to your Web/mail server:<br /><br />1. NAT configuration<br />2. Firewall configuration<br /><br />In this post, I’ll provide the basic static NAT configuration. 
However, make sure that whatever you’re using for your firewall also allows this traffic in.<br /><br />Whether you’re using basic access control lists (ACLs) or the Cisco IOS firewall feature set, make sure you understand the<a href="http://articles.techrepublic.com.com/5100-10878_11-6055946.html"> Cisco IOS order of operations</a> to configure your firewall for the right IP addresses (public or private). In other words, what happens first: NAT translation or firewall filtering? For traffic arriving from the Internet, the router checks the inbound ACL on the outside interface before it translates the destination from the public (inside global) address to the private (inside local) one. So an ACL applied inbound on the outside interface must be written with the public IP addresses in mind; an entry there that names 10.1.1.2 will never match, and the implicit deny will silently drop the traffic. The reverse holds on the inside interface: an outbound ACL there sees the already translated private address.<br /><br />Now that we’ve covered the background info, let’s get started with configuring static NAT. For our example, let’s say we start out with this basic configuration:<br /><br /><span style="color: rgb(51, 204, 0);">interface Serial0/0</span><br /><span style="color: rgb(51, 204, 0);">ip address 63.63.63.1 255.255.255.0</span><br /><span style="color: rgb(51, 204, 0);">ip nat outside</span><br /><br /><span style="color: rgb(51, 204, 0);">interface Ethernet0/0</span><br /><span style="color: rgb(51, 204, 0);">ip address 10.1.1.1 255.255.255.0</span><br /><span style="color: rgb(51, 204, 0);">ip nat inside</span><br /><br />We need the NAT translations to translate the outside IP address of the Web/mail server from 63.63.63.2 to 10.1.1.2 (and from 10.1.1.2 to 63.63.63.2). 
Here’s the missing link between the outside and inside NAT configurations:<br /><br /><span style="color: rgb(51, 204, 0);">router (config)# ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25</span><br /><span style="color: rgb(51, 204, 0);">router (config)# ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443</span><br /><span style="color: rgb(51, 204, 0);">router (config)# ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80</span><br /><span style="color: rgb(51, 204, 0);">router (config)# ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110</span><br /><br />We used the above port numbers because they fit the description of what we wanted to do, but keep in mind that your port numbers may be different. I chose port 25 for SMTP (sending mail), port 443 for HTTPS (secure Web), port 80 for HTTP (Web traffic), and port 110 for POP3 (receiving mail from the mail server when out on the Internet). Translate only the ports the server really has to expose: each static entry is a permanent hole through the router, and a static entry for the whole address (no protocol and port) would expose every service on the server. Note also that POP3 on port 110 and HTTP on port 80 carry passwords across the Internet in the clear.<br /><br />This configuration assumes you have a block of IP addresses. If you don’t, you can use the outside IP address on your router (Serial 0/0 in our case), and you could configure it like this:<br /><br /><span style="color: rgb(51, 204, 0);">router (config)# ip nat inside source static tcp 10.1.1.2 25 interface serial 0/0 25</span><br /><br />You can even use this command if you have a dynamic DHCP IP address from your ISP on the outside of your router.<br /><br />We also need a public DNS record for the mail and Web server. When users enter www.mywebserver.com in their Web browser, DNS resolves it to 63.63.63.2, and the router then translates it to 10.1.1.2. The Web server receives that request and responds back through the router, which translates the source back to the global IP address.<br /><br />In addition to configuring static NAT, you may want to use dynamic NAT at the same time. 
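The translation table from the NAT overload post above and the ACL-before-NAT ordering that applies to the static entries just shown, put together as one small simulation. This is an editor's example in Python, not code from the article or from Cisco: the Packet, AclEntry and Router classes and the Internet addresses 198.51.100.7 and 203.0.113.9 are constructed for the example; the router, server and port numbers are the article's.

```python
"""Editor's model of the article's NAT setup (not code from the article or from
Cisco): static TCP port translations for the Web/mail server, NAT overload (PAT)
for every other inside host, and the IOS order of operations in which the inbound
ACL on the outside interface is checked BEFORE the global-to-local translation.
198.51.100.7 and 203.0.113.9 are constructed documentation addresses."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]                 # (IP address, TCP port)
OUTSIDE_IP = "63.63.63.1"                  # S0/0, the address that gets overloaded
SERVER_LOCAL, SERVER_GLOBAL = "10.1.1.2", "63.63.63.2"
FORWARDED_PORTS = (25, 80, 110, 443)       # the four 'ip nat inside source static tcp' entries

@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    ack: bool = False   # packet belongs to an open TCP connection (what 'established' matches)

@dataclass
class AclEntry:
    """One inbound ACL line, reduced to destination address/port (enough for this example)."""
    action: str                     # "permit" or "deny"
    dst_ip: str                     # "any" or one host address
    dst_port: Optional[int] = None  # None = any port
    established: bool = False       # IOS 'established' keyword

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst_ip == "any" or self.dst_ip == pkt.dst[0])
                and (self.dst_port is None or self.dst_port == pkt.dst[1])
                and (not self.established or pkt.ack))

class Router:
    def __init__(self, outside_ip: str, acl_in: List[AclEntry]):
        self.outside_ip = outside_ip
        self.acl_in = acl_in                          # applied 'in' on the outside interface
        self.static: Dict[Endpoint, Endpoint] = {}    # inside local -> inside global, permanent
        self.dynamic: Dict[Endpoint, Endpoint] = {}   # inside local -> inside global, from overload
        self.peers: Dict[Endpoint, Endpoint] = {}     # inside global -> outside address it talks to
        self.next_port = 1024                         # next free port on the overloaded address

    def add_static(self, local: Endpoint, glob: Endpoint) -> None:
        self.static[local] = glob

    def acl_permits(self, pkt: Packet) -> bool:
        for entry in self.acl_in:                     # top down, first match wins
            if entry.matches(pkt):
                return entry.action == "permit"
        return False                                  # implicit deny at the end of every IOS ACL

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source from inside local to inside global."""
        glob = self.static.get(pkt.src) or self.dynamic.get(pkt.src)
        if glob is None:                              # new host/port: overload the outside address
            in_use = set(self.static.values()) | set(self.dynamic.values())
            while (self.outside_ip, self.next_port) in in_use:
                self.next_port += 1
            glob = (self.outside_ip, self.next_port)
            self.next_port += 1
            self.dynamic[pkt.src] = glob
        self.peers[glob] = pkt.dst
        return Packet(glob, pkt.dst, pkt.ack)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: ACL first (it sees the PUBLIC destination), then translate; None = dropped."""
        if not self.acl_permits(pkt):
            return None
        reverse = {g: l for l, g in self.static.items()}
        reverse.update({g: l for l, g in self.dynamic.items()})
        if pkt.dst not in reverse:
            return None                               # no translation entry: dropped, not forwarded
        return Packet(pkt.src, reverse[pkt.dst], pkt.ack)

    def translations(self) -> List[tuple]:
        """Rows like 'show ip nat translations': (inside global, inside local, outside local, outside global)."""
        rows = []                                     # outside local == outside global: only inside source NAT here
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            rows.append((glob, local, self.peers.get(glob), self.peers.get(glob)))
        return rows

def build_example_router() -> Router:
    """The article's four static entries plus an inbound ACL written against the PUBLIC addresses."""
    acl = [AclEntry("permit", SERVER_GLOBAL, port) for port in FORWARDED_PORTS]
    acl.append(AclEntry("permit", OUTSIDE_IP, None, established=True))  # replies to overloaded hosts
    router = Router(OUTSIDE_IP, acl)
    for port in FORWARDED_PORTS:
        router.add_static((SERVER_LOCAL, port), (SERVER_GLOBAL, port))
    return router

def acl_on_private_address_blocks_server() -> bool:
    """The mistake the text warns about: an inbound ACL on the outside interface that names
    10.1.1.2 never matches, because the ACL runs before NAT has produced that address."""
    router = Router(OUTSIDE_IP, [AclEntry("permit", SERVER_LOCAL, 80)])
    router.add_static((SERVER_LOCAL, 80), (SERVER_GLOBAL, 80))
    return router.inbound(Packet(("198.51.100.7", 40000), (SERVER_GLOBAL, 80))) is None
```

Run `build_example_router()` and push a packet for 63.63.63.2:80 through `inbound()` to see it land on 10.1.1.2:80, then send two inside hosts out through `outbound()` and read `translations()` to see both sharing 63.63.63.1 on different ports, which is the table the overload post describes. `acl_on_private_address_blocks_server()` returns True: the ACL written against the private address drops everything.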
With this, your inside PCs could access the Internet using dynamic NAT (i.e., NAT overload or PAT). But this gets a little more complex. For more information, see <a href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml">Cisco’s Configuring Static and Dynamic NAT Simultaneously documentation.</a><br /><br />David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.<br /><br />David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users. Read his full bio and profile.<br /><br />article source = www.techrepublic.comUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-31506914686034998192009-07-28T06:35:00.000-07:002009-07-28T06:52:58.231-07:00Get to know your logging options in the Cisco IOS<div style="text-align: center; font-weight: bold;">Get to know your logging options in the Cisco IOS<br /><br /></div><div style="text-align: center;">by<br />David Davis, CCIE, MCSE+I, SCSA<br />(15 June 2006)<br /></div><br /><br /><br />Takeaway: Knowing how to properly use logging is a necessary skill for any network administrator, and the Cisco IOS offers many options for logging. 
To help bring you up to speed, David Davis discusses how to configure logging, examines how to view the log and its status, and looks at three common errors when it comes to logging.<br /><br /><br />Knowing how to properly use logging is a necessary skill for any network administrator. It's vital that you know how to use logging when it comes time to start troubleshooting.<br /><br />The Cisco IOS offers a great many options for logging. To help bring you up to speed, let's discuss how to configure logging, examine how to view the log and its status, and look at three common errors when it comes to logging.<br /><br />The <span style="color: rgb(51, 204, 0);">logging</span> command in Global Configuration Mode and the <span style="color: rgb(51, 204, 0);">show logging</span> command in Privileged Mode are two simple but powerful tools to configure and show all Cisco IOS logging options. Let's take a closer look.<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">Configure logging in the Cisco IOS</span><br /><br />When configuring logging, the most important command to know is the <span style="color: rgb(51, 204, 0);">logging</span> command, used when in Global Configuration Mode. 
Here's an example of this command and its options.<br /><br /><span style="color: rgb(51, 204, 0);">router(config)# logging ?</span><br /><br /><span style="color: rgb(51, 204, 0);"> Hostname or A.B.C.D IP address of the logging host</span><br /><span style="color: rgb(51, 204, 0);"> buffered Set buffered logging parameters</span><br /><span style="color: rgb(51, 204, 0);"> buginf Enable buginf logging for debugging</span><br /><span style="color: rgb(51, 204, 0);"> cns-events Set CNS Event logging level</span><br /><span style="color: rgb(51, 204, 0);"> console Set console logging parameters</span><br /><span style="color: rgb(51, 204, 0);"> count Count every log message and timestamp last occurrence</span><br /><br /><span style="color: rgb(51, 204, 0);"> exception Limit size of exception flush output</span><br /><span style="color: rgb(51, 204, 0);"> facility Facility parameter for syslog messages</span><br /><span style="color: rgb(51, 204, 0);"> history Configure syslog history table</span><br /><span style="color: rgb(51, 204, 0);"> host Set syslog server IP address and parameters</span><br /><span style="color: rgb(51, 204, 0);"> monitor Set terminal line (monitor) logging parameters</span><br /><span style="color: rgb(51, 204, 0);"> on Enable logging to all supported destinations</span><br /><span style="color: rgb(51, 204, 0);"> origin-id Add origin ID to syslog messages</span><br /><span style="color: rgb(51, 204, 0);"> rate-limit Set messages per second limit</span><br /><span style="color: rgb(51, 204, 0);"> reload Set reload logging level</span><br /><span style="color: rgb(51, 204, 0);"> server-arp Enable sending ARP requests for syslog servers when </span><br /><span style="color: rgb(51, 204, 0);"> first configured</span><br /><br /><span style="color: rgb(51, 204, 0);"> source-interface Specify interface for source address in </span><br /><span style="color: rgb(51, 204, 0);"> logging transactions</span><br /><br /><span style="color: rgb(51, 204, 
0);"> trap Set syslog server logging level</span><br /><span style="color: rgb(51, 204, 0);"> userinfo Enable logging of user info on privileged mode enabling</span><br /><br /><br /><span style="color: rgb(51, 204, 0);">router(config)# logging</span><br /><br />While the scope of this article prevents us from exploring every one of these options, let's take a look at the most common ones.<br /><br />You can configure the router to keep a buffered log of its events in memory. (Rebooting the router loses all events stored in the buffered log.) Here's an example:<br /><br /><span style="color: rgb(51, 204, 0);">Router(config)# logging buffered 16384</span><br /><br />You can also send the router's events to a syslog server. This is an external server running on your network. Most likely, the syslog server is running on a Linux or Windows server. Because it's external to the router, there's an added benefit: It preserves events even if the router loses power, and someone who gains control of the router cannot erase the copy the server already holds. A syslog server also provides for centralized logging for all network devices.<br /><br />To configure syslog logging, all you need to do is use the logging command and the hostname or IP address of the syslog server. So, to configure your Cisco device to use a syslog server, use the following command:<br /><br /><span style="color: rgb(51, 204, 0);">Router(config)# logging 10.1.1.1</span><br /><br />Keep in mind that IOS sends syslog as cleartext UDP (port 514) with no authentication, so anyone on the path can read or forge messages. Put the syslog server on a management network and, if the router has several paths to it, pin the source address with <span style="color: rgb(51, 204, 0);">logging source-interface</span> so the server can tell your routers apart.<br /><br />To learn more about using syslog with the Cisco IOS, check out this TechRepublic download, "<a href="http://downloads.techrepublic.com.com/5138-10879-5920208.html">Use syslog to monitor and troubleshooting Cisco devices.</a>"<br /><br />The Cisco IOS enables logging to the console, monitor, and syslog by default. 
But there's a catch: There's no syslog host configured, so that output goes nowhere.<br /><br />There are eight different logging levels.<br /><br /> * 0—emergencies<br /> * 1—alerts<br /> * 2—critical<br /> * 3—errors<br /> * 4—warnings<br /> * 5—notification<br /> * 6—informational<br /> * 7—debugging<br /><br />The default level for console and monitor logging is debugging; the default trap (syslog) level is informational, so debugging output does not reach a syslog server unless you raise it with <span style="color: rgb(51, 204, 0);">logging trap debugging</span>. The logging on command is the default. To disable all logging, use the no logging on command.<br /><br />A destination set to debugging logs everything. That means that logging occurs from level 7 (debugging) up to level 0 (emergencies). If you want to pare down what the system logs, use something like the logging console notifications command. On a production router that is worth doing: console logging is synchronous, and a flood of debugging messages to the console can drive CPU utilization up until the router is hard to manage.<br /><br />In addition, the router doesn't enable logging to the system buffer by default. That's why you must use the logging buffered command to enable it.<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">View the status of logging and the logging itself</span><br /><br />To view the status of your logging as well as the local buffered log, use the show logging command. 
Here's an example:<br /><br /><span style="color: rgb(51, 204, 0);">router# show logging</span><br /><br /><span style="color: rgb(51, 204, 0);">Syslog logging: enabled (0 messages dropped, 394 messages rate-limited,</span><br /><span style="color: rgb(51, 204, 0);"> 91 flushes, 0 overruns, xml disabled, filtering disabled)</span><br /><span style="color: rgb(51, 204, 0);"> Console logging: level debugging, 2766982 messages logged, xml disabled,</span><br /><span style="color: rgb(51, 204, 0);"> filtering disabled</span><br /><span style="color: rgb(51, 204, 0);"> Monitor logging: level debugging, 12370 messages logged, xml disabled,</span><br /><span style="color: rgb(51, 204, 0);"> filtering disabled</span><br /><span style="color: rgb(51, 204, 0);"> Buffer logging: level debugging, 2754146 messages logged, xml disabled,</span><br /><span style="color: rgb(51, 204, 0);"> filtering disabled</span><br /><span style="color: rgb(51, 204, 0);"> Logging Exception size (4096 bytes)</span><br /><span style="color: rgb(51, 204, 0);"> Count and timestamp logging messages: disabled</span><br /><span style="color: rgb(51, 204, 0);"> Trap logging: level debugging, 3420603 message lines logged</span><br /><span style="color: rgb(51, 204, 0);"> Logging to 10.1.1.1, 3420603 message lines logged, xml disabled,</span><br /><span style="color: rgb(51, 204, 0);"> filtering disabled</span><br /><span style="color: rgb(51, 204, 0);"> </span><br /><span style="color: rgb(51, 204, 0);">Log Buffer (10000000 bytes):</span><br /><span style="color: rgb(51, 204, 0);">Feb 7 13:34:00.065 CST: %LINK-3-UPDOWN: Interface Serial1/1:22, changed state </span><br /><span style="color: rgb(51, 204, 0);">to up</span><br /><span style="color: rgb(51, 204, 0);">Feb 7 13:34:00.069 CST: %DIALER-6-BIND: Interface Se1/1:22 bound </span><br /><span style="color: rgb(51, 204, 0);">to profile Di96</span><br /><br />Note that this router has enabled syslog 
logging and is sending it to host 10.1.1.1. In addition, console logging is at the debugging level, and the setting for local buffered logging is 10,000,000 bytes.<br /><br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">Look out for these common logging errors</span><br /><br />Logging can be frustrating at times. To help prevent some of that frustration, let's look at three common errors.<br /><br /><span style="color: rgb(255, 102, 0);">Not setting the terminal to monitor logging</span><br /><br />If you Telnet or SSH into a router and can't see some of the logging you're expecting, check to see if you've set your terminal to monitor the logging. You can enable this with the <span style="color: rgb(51, 204, 0); font-style: italic;">terminal monitor </span>command. To disable it, use the <span style="color: rgb(51, 204, 0);">terminal no monitor</span> command.<br /><br />To determine whether you've enabled monitoring, use the <span style="color: rgb(51, 204, 0);">show terminal</span> command, and look for the following:<br /><br /><span style="color: rgb(51, 204, 0);">Capabilities: Receives Logging Output</span><br /><br />If you see this, you're monitoring logging output. If it returns None for capabilities, then the monitoring is off.<br /><br /><span style="color: rgb(255, 102, 0);">Using the incorrect logging level</span><br /><br />If you can't see logging output, you should also check whether you've set the level correctly. For example, if you've set the console logging to emergencies but you're running debugging, you won't see any debugging output on the console.<br /><br />To determine the set level, use the show logging command. Keep in mind that a destination configured at a given level shows every message of that severity or more severe (a lower number), so you need to set a higher number to see more. Setting a destination to debugging (7) shows every level.<br /><br />In addition, make sure you match the type of logging that you want to see with the level you're configuring. 
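To make the level arithmetic concrete, here is an editor's example in Python (not from the article) that parses IOS log lines and reports which destinations would show each one under a given configuration. The parse, severity_of, destinations_for, visible and security_relevant functions and the sample log are constructed: two sample lines are adapted from the show logging output above, the rest are made up in IOS message format.

```python
"""Editor's example (not from the article): parse Cisco IOS log lines and show
which logging destinations would actually display each one, given the level each
destination is configured for. The sample lines are constructed; two are adapted
from the show logging output in the article."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS severity levels: the lower the number, the more severe the message.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SEVERITY-MNEMONIC: text, with the optional timestamp that
# 'service timestamps log datetime' prepends.
MSG_RE = re.compile(
    r"^(?:(?P<ts>.+?):\s+)?%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Constructed sample: link events, a config change, a failed SSH login, and one line of
# plain 'debug ip packet' output (debug output has no %FAC-SEV-MNEMONIC header).
SAMPLE_LOG = """\
Feb 7 13:34:00.065 CST: %LINK-3-UPDOWN: Interface Serial1/1:22, changed state to up
Feb 7 13:34:00.069 CST: %DIALER-6-BIND: Interface Se1/1:22 bound to profile Di96
Feb 7 13:35:12.001 CST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
Feb 7 13:36:02.417 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.77] [localport: 22] [Reason: Login Authentication Failed]
IP: s=10.1.1.50 (Ethernet0/0), d=63.63.63.2, len 60, rcvd 2
"""

@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str]

def parse(line: str) -> Optional[IosMessage]:
    """The parsed message, or None for lines without a %FAC-SEV-MNEMONIC header."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return IosMessage(m["fac"], int(m["sev"]), m["mn"], m["text"], m["ts"])

def severity_of(line: str) -> int:
    """Header-less lines are debug output, which IOS emits at level 7."""
    msg = parse(line)
    return msg.severity if msg else LEVELS["debugging"]

def destinations_for(line: str, config: Dict[str, str]) -> List[str]:
    """Destinations (e.g. {'console': 'notifications', 'trap': 'informational'}) that
    would log this line: a destination set to level N shows severities 0..N."""
    sev = severity_of(line)
    return [dest for dest, level in config.items() if sev <= LEVELS[level]]

def visible(log: str, level: str) -> List[str]:
    """Lines a destination configured at 'level' would show, in order."""
    return [ln for ln in log.splitlines() if severity_of(ln) <= LEVELS[level]]

def security_relevant(log: str) -> List[IosMessage]:
    """The messages an incident responder looks for first: config changes and login failures."""
    wanted = {("SYS", "CONFIG_I"), ("SEC_LOGIN", "LOGIN_FAILED")}
    return [m for m in map(parse, log.splitlines()) if m and (m.facility, m.mnemonic) in wanted]

if __name__ == "__main__":
    # A console pared down to 'errors' loses the two messages that matter most for
    # security here: the config change (level 5) and the failed login (level 4).
    cfg = {"console": "errors", "monitor": "debugging", "buffered": "informational", "trap": "informational"}
    for line in SAMPLE_LOG.splitlines():
        print(f"{severity_of(line)} -> {destinations_for(line, cfg)}: {line[:60]}")
```

The point to take from running it: `visible(SAMPLE_LOG, "errors")` keeps only the link event, while the config change and the failed login, the lines `security_relevant()` picks out, need at least notifications and warnings respectively, so a destination set too low hides exactly what you would want during an investigation.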
If you configure monitor logging to debug but you're on the console and you've set it to informational, you won't see the debug output on the console.<br /><br /><span style="color: rgb(255, 102, 0);">Displaying the incorrect time and date in logs</span><br /><br />You may see log messages that don't exhibit the correct date and time. There are a variety of options to control the date and time that appear on logging output (either to the screen or to the buffer). To control this, use the following command:<br /><br /><span style="color: rgb(51, 204, 0);">Router(config)# service timestamps debug ?</span><br /><span style="color: rgb(51, 204, 0);"> datetime Timestamp with date and time</span><br /><span style="color: rgb(51, 204, 0);"> uptime Timestamp with system uptime</span><br /><br />The <span style="color: rgb(51, 204, 0);">service timestamps debug</span> form only affects debug output; regular log messages are controlled separately by <span style="color: rgb(51, 204, 0);">service timestamps log</span>, which takes the same options. A timestamp is only as good as the router's clock, so set <span style="color: rgb(51, 204, 0);">service timestamps log datetime msec localtime show-timezone</span> and synchronize the clock with NTP; otherwise you cannot line the router's log up against the syslog server or any other device during an investigation.<br /><br />Remember that many problems require some kind of historical log to help find a solution. That's why it's important to make sure you've properly configured logging so you can use your logs to see the past.<br /><br /><span style="color: rgb(255, 102, 0);">Miss a column?</span><br /><br />Check out the <a href="http://networking-irfansyah.blogspot.com/2009/06/index-article-about-cisco-administrator.html">Cisco Routers and Switches Archive</a>, and catch up on David Davis' most recent columns.<br /><br />David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. 
He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.<br /><br />source : www.techrepublic.comUnknownnoreply@blogger.com1tag:blogger.com,1999:blog-6629498985604693912.post-19848855866174033702009-07-24T07:56:00.000-07:002009-07-24T08:15:51.241-07:0010 dumb things you can do to your Cisco router and how to fix them<div style="text-align: center;"><span style="font-weight: bold;">10 dumb things you can do to your Cisco router and how to fix them</span><br /></div><div style="text-align: center;"> Author: David Davis<br /></div><div style="text-align: center;"> (December 4th, 2008)<br /></div><br /> <br />TechRepublic author Deb Shinder detailed network administrator mistakes in her very popular article “<a href="http://blogs.techrepublic.com.com/10things/?p=437">10 Dumb Things IT Pros Do That Can Mess Up Their Networks.</a>” Deb’s 10 Things article inspired me to come up with one of my own with Cisco routers as the focus.<br /><br />——————————————————————————————————————<br /><br />As IT pros, we have many stories about end users who did something dumb with their computers (how many times have you heard the CD-ROM drive as a cup holder story?). However, we tend to keep our Cisco networking mistakes to ourselves, right? I am not too bashful to admit that I have taken down a network before due to a dumb mistake that could have been prevented (but I won’t tell you what it was). In order to help other network admins avoid costly mistakes, I’ve come up with a list of 10 dumb things you can do to your Cisco router.<br /><br /><span style="color: rgb(255, 102, 0);">#1: Not having a backup of your Cisco router configuration</span><br /><br />While these aren’t listed in any particular order, if they were, I would say that this belongs at the top of the most common router mistakes. 
Picture this: your Cisco router dies, but you’re getting a replacement overnight, so your boss is ecstatic. However, you, as the Cisco network admin, can’t seem to make the router pass traffic as you have no backup of the config. Don’t get put in the doghouse over this. It’s easy to make a backup using:<br /><br /><span style="color: rgb(51, 204, 0);">Router# copy running-config tftp</span><br /><br />Keep in mind that TFTP sends the configuration, including every password and SNMP community string in it, across the network in the clear and without authentication. Run the TFTP server only while you need it and only on a management network, or, where your IOS version supports it, copy to an SCP server over SSH instead (<span style="color: rgb(51, 204, 0);">copy running-config scp:</span>).<br /><br />Built into routers with newer IOS versions is IOS configuration archiving. This can automatically copy your router’s configuration off of the router when configuration changes are made. To learn more about it read, “<a href="http://blogs.techrepublic.com.com/networking/?p=532">Use the Cisco IOS Archive Command to Archive Your Router’s Configuration.”</a><br /><br />Also, there are many third-party GUI applications that will schedule this for you so that you can “set it and forget it.” For example, see my article on Kiwi CatTools and products from <a href="http://www.manageengine.com/products/oputils/">ManageEngine OpUtils</a> and <a href="http://packettrap.com/product/pt360_pro.aspx?fid=cisco_config">PacketTrap pt360 Pro</a>.<br /><br /><span style="color: rgb(255, 102, 0);">#2: Not having a backup of your Cisco router IOS software</span><br /><br />Not only is a Cisco router completely useless if it isn’t properly configured, but it is also useless if it has no IOS or it has the wrong IOS. As a Cisco network admin, you had better have a repository of all the different Cisco IOS router and switch IOS versions in use on your network today, stored on a file share somewhere.<br /><br />By doing this, you can copy the proper IOS back onto a Cisco router that is shipped to you from Cisco or reconfigure another Cisco router (say an older router off the shelf) to take the place of a broken Cisco router.<br /><br />Backing up the IOS is easy. 
Just TFTP it to your server with a command like this:<br /><br /><span style="color: rgb(51, 204, 0);">Router# copy flash tftp</span><br /><br />And you will be prompted to answer all the questions needed to back up your Cisco IOS.<br /><br /><span style="color: rgb(255, 102, 0);">#3: Not having spare router hardware</span><br /><br />I have found Cisco hardware to be extremely reliable. Still, I have had to replace both Cisco routers and switches periodically, over the years. These days, it’s not acceptable for the Internet connection to be down for a few days should a Cisco router go bad or an interface in the router start taking errors. You must be prepared to replace that hardware at a moment’s notice. The replacement hardware must have the same configuration (or a config that delivers the same network connectivity to the end users) and the IOS should also be the same (or offer the same features as needed by the config).<br /><br />Trust me, you don’t want to be making calls all over the country asking if anyone can overnight you a router for a hefty charge.<br /><br />If you aren’t going to have spare hardware on site, you should at least have a Cisco SmartNET contract on your router hardware that is able to deliver a replacement router to you in an acceptable amount of time.<br /><br /><span style="color: rgb(255, 102, 0);">#4: Never document changes</span><br /><br />When you discover that you are having networking issues, the first questions are always “when did this start?” and “did we change anything?” By setting up a change documentation or change management procedure, you can have a history of changes — what was changed and when. If you set up change management, you typically also have approval processes in there so that someone must have tested and then approved the changes before they went in.<br /><br />Another way to document changes is to use router configuration archiving. 
To learn more about it read “<a href="http://blogs.techrepublic.com.com/networking/?p=532">Use the Cisco IOS Archive Command to Archive Your Router’s Configuration</a>.”<br /><br /><span style="color: rgb(255, 102, 0);">#5: Don’t log your router events</span><br /><br />When issues do come up in the network, you first want to check out router logs. Not only should you have some buffered logs on the router for temporary storage, you should also have a central syslog repository of Cisco router logs. Cisco IOS logging is easy to configure, and you can use a free Linux syslog server or buy one for Windows such as <a href="http://www.kiwisyslog.com">Kiwi Syslog</a>.<br /><br />To learn all about configuring logging in the Cisco IOS, please see my article “<a href="http://articles.techrepublic.com.com/5100-10878_11-6084442.html">Get to Know Your Logging Options in the Cisco IOS.</a>”<br /><br /><span style="color: rgb(255, 102, 0);">#6: Not upgrading your Cisco IOS</span><br /><br />Like any operating system, the Cisco IOS periodically has bugs, and some of them are security vulnerabilities that only a newer release fixes (see tip #7 on searching for bugs). Plus, over time, you will get new routers with new IOS versions and you want router IOS versions to maintain compatibility. For these reasons and others, you need to make sure that your Cisco IOS stays up to date. Download images only from Cisco.com, and before you boot a new image, compare its MD5 against the hash Cisco publishes for it with <span style="color: rgb(51, 204, 0);">verify /md5 flash:</span> followed by the image file name.<br /><br />To upgrade your Cisco IOS, see my article “Upgrading” and my <a href="http://happyrouter.com/free-video-how-to-upgrade-the-cisco-ios">video on upgrading your Cisco IOS.<br /></a><br /><span style="color: rgb(255, 102, 0);">#7: Don’t know where to search for Cisco documentation and troubleshooting tips</span><br /><br />I get many Cisco IOS technical questions via e-mail, and many of these can be answered by using your favorite search engine. 
However, here are a couple of tips:<br /><br />* Use Google search with the “<span style="color: rgb(51, 102, 255);">site:cisco.com</span>” keyword to search only for articles on Cisco’s official Web site or the “<span style="color: rgb(51, 102, 255);">site:techrepublic.com</span>” keyword to search for articles at TechRepublic.<br /><br />* Install the Cisco Search Toolbars in your browser. With these, you can search the Cisco Bug database, Command Line lookups, error message decoder, your RMA orders, TAC Service requests, and Cisco netpro discussions. Trust me, these tools are very cool and make it easier to find the answer to your Cisco IOS problem. For more information read “<a href="http://www.cisco.com/web/tsweb/searchplugins/plugin_homepage.html">Adding Cisco.com Searches and Tools to Your Browser.</a>”<br /><br /><span style="color: rgb(255, 102, 0);">#8: Forgetting your password and not knowing how to reset it</span><br /><br />At some point, you may forget the password on a router. Or, an admin could leave and not tell you the password to a router. While these things can happen, what you need to know is how to reset a lost Cisco router password. Password recovery requires physical access to the console port and a reload, so anyone else who can reach the console can do it too (see #9). To do this, check out these two resources:<br /><br /> * <a href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml">Cisco’s Master Password Recovery Instructions page</a><br /> * <a href="http://happyrouter.com/free-video-how-to-reset-or-recover-your-lost-cisco-router-or-switch-password">My video on how to reset your Cisco router password</a><br /><br /><span style="color: rgb(255, 102, 0);">#9: Not securing your router</span><br /><br />Security? Who has time for that, right? Well, if you don’t secure your routers and network, it could all be lost (and so could the company’s most critical data). Make sure you follow best practices to lock down your routers and your network. 
I recommend you start with reading my TechRepublic download on <a href="http://downloads.techrepublic.com.com/abstract.aspx?docid=173539">locking down your Cisco IOS router in 10 steps.<br /></a><br /><span style="color: rgb(255, 102, 0);">#10: Not spending the time to create documentation</span><br /><br />Most of us loathe having to create documentation, but let’s face it, we forget things and we aren’t going to be here forever. Wouldn’t you just love to tell a junior admin to “go read my document on how to reset a Cisco router password” when he asks you how to do it? To prevent mistakes and downtime in the future, make sure you keep your Cisco network documentation up to date.<br /><br />David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users. Read his full bio and profile.<br /><br />source : www.techrepublic.comUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-55545347818221298592009-07-19T17:02:00.000-07:002009-07-19T17:57:43.425-07:00Five ways to secure your Cisco routers and switches<div style="text-align: center;"><span style="font-weight: bold;">Fundamentals:<br />Five ways to secure your Cisco routers and switches</span><br /></div><div style="text-align: center;"> Author: David Davis<br />(April 2008)<br /><br /></div><br />Recently, Cisco Subnet blogger Brad Reese wrote the article, “<a href="http://www.networkworld.com/community/node/26094">Expert warns of scam to blackmail companies for cash to get back access to their Cisco routers</a>.” In that post, he wrote about hackers who manage to hijack a company’s routers and then extort money from them by threatening to take down the network. 
The hackers were able to obtain control of the network because of poorly written Cisco IOS ACLs, easily guessed passwords, and unencrypted SNMP community strings (or easily guessed community strings). Keep in mind that SNMP versions 1 and 2c always send the community string across the network in the clear; only SNMPv3 with authentication and privacy configured protects it.<br /><br />Don’t let this happen to you and your network. Here are my top five best practices to secure your routers, your network, and your company from malicious attacks.<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">1. Understand the basics of router security</span><br /><br />You must understand the basics of router security. Here are the essentials:<br /><br /><span style="color: rgb(255, 102, 0);">Physically secure the routers</span><br />If your routers are not physically secured, anyone can walk up, perform a password reset, and gain full access to that router’s configuration. Password recovery needs nothing more than the console port and a reboot, which is exactly what physical access provides; on platforms that support it, <span style="color: rgb(51, 204, 0);">no service password-recovery</span> closes that door, at the price of losing the configuration if you ever lose the password yourself. Even if this isn’t a core router, whoever controls it could take down your network by poisoning the routing tables on all routers. For this reason, routers should be in a locked room and preferably have video surveillance. Additionally, reliable electrical power and cooling must be provided.<br /><br /><span style="color: rgb(255, 102, 0);">Lock down the router with passwords</span><br />Routers must be secured with passwords at both the login mode (to prevent initial access) and the privileged mode (to prevent configuration changes). Use <span style="color: rgb(51, 204, 0);">enable secret</span> rather than <span style="color: rgb(51, 204, 0);">enable password</span>: the secret is stored as a hash, whereas the type 7 encoding that <span style="color: rgb(51, 204, 0);">service password-encryption</span> applies to the enable password and to line passwords is reversible with freely available tools, so treat any type 7 string in a leaked configuration as plaintext. For more information on these different levels in the Cisco IOS, please see my article, “<a href="http://articles.techrepublic.com.com/5100-10878_11-5659259.html">Understand the levels of privilege in the Cisco IOS.”</a><br /><br /><span style="color: rgb(255, 102, 0);">Apply login mode passwords on Console, AUX, and VTY (telnet/ssh) interfaces</span><br />Password controlled access needs not only to be on the VTY lines to prevent network access, but also on the Console and AUX ports. 
If the Console port is locked but the AUX port doesn’t have a password, then locking the Console wasn’t of much use, was it? Prefer SSH over Telnet on the VTY lines (<span style="color: rgb(51, 204, 0);">transport input ssh</span>), since Telnet carries those passwords across the network in the clear.<br /><br /><span style="color: rgb(255, 102, 0);">Set the correct time and date</span><br />To ensure that log entries carry accurate timestamps you can line up against other devices during an investigation, you must ensure that the router has the correct time and date. (An accurate clock does not by itself stop anyone from tampering with the local log; that is what the off-box syslog copy below is for.) For more information, please see “<a href="http://articles.techrepublic.com.com/5100-10878_11-5712046.html">Synchronize a Cisco router’s clock with Network Time Protocol (NTP).”</a><br /><br /><span style="color: rgb(255, 102, 0);">Enable proper logging</span><br />Logging should be enabled, preferably, back to a central source like a syslog server. At minimum, you need to configure a buffered log on the router. However, if the power is lost to that router, that local buffered log is lost, and anyone who takes control of the router can clear it. For this reason, to really be secure, you need to configure a syslog server (see the article, “<a href="http://articles.techrepublic.com.com/5100-22_11-5194745.html">SolutionBase: Monitor your network with Kiwi Syslog</a>“), and send all router logs to that server. You could also put in the open source or commercial version of <a href="http://www.tripwire.com/products/enterprise/ost/">Tripwire</a>. Preferably, you should increase the level of logging and even log configuration changes to the router. For example, you can use the following command to enable SNMP traps for configuration changes:<br /><br /><span style="color: rgb(51, 204, 0);">snmp-server enable traps config</span><br /><br />The IOS configuration change logger (<span style="color: rgb(51, 204, 0);">archive</span>, then <span style="color: rgb(51, 204, 0);">log config</span> and <span style="color: rgb(51, 204, 0);">logging enable</span>) goes further and records every configuration command together with the user who entered it, and it can forward those records to syslog as well. For more information on Cisco router logging, please see, “<a href="http://articles.techrepublic.com.com/5100-10878_11-6084442.html">Get to know your logging options in the Cisco IOS</a>.”<br /><br /><span style="color: rgb(255, 102, 0);">Back up router configurations to a central source</span><br />Let’s say that someone does take control of your router or wipes out your router configurations. 
To replace that router quickly or replace the configuration, you need to have a backup of that configuration. To do this, ensure that your routers are backed up whenever configuration changes are made, or on a daily or weekly schedule. I have enjoyed using Kiwi CatTools to do this. For more information, see “<a href="http://articles.techrepublic.com.com/5100-10878_11-6165659.html">Automate changes to your Cisco router with Kiwi CatTools</a>.”<br /><br /><span style="color: rgb(255, 102, 0);">Secure other network devices such as switches and wireless access points</span><br />Most of the items listed here also apply to Cisco switches and wireless access points. Here are a couple of articles on those topics that you should check out:<br /><br /> * <a href="http://articles.techrepublic.com.com/5100-10878_11-5876956.html">10 things you should know about securing wireless connections</a><br /> * <a href="http://articles.techrepublic.com.com/5100-10878_11-6123047.html">Lock Down Switch Port Security</a><br /><br />Two more areas that I consider to be at the basic level of router security are locking down network access to the router with a stateful firewall or ACL and encrypting sensitive network traffic, but I will cover these points in more detail below (sections three and five, respectively).<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0);">2. Know your network: Diagram, audit, and document</span><br /><br />If you are responsible for the security of a network, you should know that network like you know the vulnerable doors and windows (think entry points) of your house.<br /><br />You should diagram your network so that you have a map to help you and others visualize the entire network.<br /><br />You should have the router configurations backed up (see Kiwi CatTools above). Finally, you should periodically audit your network security, both internally and externally (via a third party). There are tons of network scanning and auditing tools available. 
Here is a recent article of mine that covered one of them: “<a href="http://blogs.techrepublic.com.com/security/?p=276">Audit your Cisco router’s security with Nipper</a>.”<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">3. Protect your router with a firewall and ACLs</span><br /><br />In Reese’s post about the hackers, he mentioned the fact that the company had poor access control lists (ACLs) in place on their routers. ACLs are typically what protect routers from attack. However, due to their complexity, many of them end up being misconfigured or ineffective. Make sure that your ACLs allow only traffic to the router and through the router that should be there. For internal routers, this will be internal traffic only.<br /><br />Make sure you understand that whatever isn’t permitted will be denied (the implicit deny), that ACLs are processed from the top down, that there should never be a permit any in the ACL, and that the ACL must be applied to an interface in the proper direction to be enabled. For more information on ACLs, please see some of my articles and video on this topic:<br /><br /> * <a href="http://techrepublic.com.com/2346-1035_11-91987.html">Secure your router with Cisco’s SDM Firewall Policy Wizard</a><br /> * <a href="http://articles.techrepublic.com.com/5100-10878_11-5731134.html">Cisco IOS access lists: 10 things you should know</a><br /> * <a href="http://blogs.techrepublic.com.com/networking/?p=342">Use advanced parameters on your Cisco IOS ACLs</a><br /> * <a href="http://happyrouter.com/free-video-harden-your-cisco-router-with-ios-acls">VIDEO: Harden your Cisco Router with IOS ACLs</a><br /><br />Keep in mind that ACLs aren’t just used to prevent traffic from going through the router. They are also used to control SSH traffic and routing updates, and to throttle traffic. 
For more information, see:<br /><br /> * <a href="http://articles.techrepublic.com.com/5100-10878_11-5917591.html">Learn additional uses for Cisco IOS access control lists</a><br /> * <a href="http://articles.techrepublic.com.com/5100-10878_11-6151305.html">Control unwanted traffic on your Cisco router with CAR</a><br /><br />Besides ACLs, the Cisco IOS offers a real stateful firewall if you use the Security/Firewall version of the IOS. A stateful firewall will be much better than just using ACLs. I recommend checking out my article, “<a href="http://blogs.techrepublic.com.com/security/?p=402">Protect your network with the Cisco IOS Firewall</a>,” and consider implementing one on your routers.<br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0);">4. Change your passwords and make them complex</span><br /><br />Another method that hackers use to take control of networks is password guessing or password sniffing. To prevent this, you should CHANGE YOUR PASSWORDS TO COMPLEX PASSWORDS TODAY. Don’t wait another day! An example of a complex password is MySuper!S3cr3tPa$.<br /><br />Make sure you always use type 5 password encryption on your routers (see “<a href="http://articles.techrepublic.com.com/5100-10878_11-5634475.html">Be aware of how easily someone can crack a Cisco IOS password</a>“).<br /><br />Make sure this command is on your router to encrypt most (but not all) passwords with type 5 encryption:<br /><br /><span style="color: rgb(51, 204, 0);">service password-encryption</span><br /><br />Also, keep in mind that we aren’t just talking about login passwords. This includes all SNMP community strings and routing protocol update passwords. 
All of those should be complex and changed periodically.<br /><br />For more information on this topic, please see, “<a href="http://www.petri.co.il/csc_how_to_configure_passwords_to_secure_your_cisco_router.htm">How to Configure Passwords to Secure your Cisco Router</a>.”<br /><br /><span style="color: rgb(255, 102, 0); font-weight: bold;">5. Always encrypt sensitive network traffic</span><br /><br />Finally, hackers can obtain passwords to your routers by sniffing network traffic when you log in to your router with telnet, perform a “show run” via telnet, or use unencrypted SNMP strings.<br /><br />You should always encrypt sensitive network traffic by using SSH and SNMP encryption. Start by enabling SSH and disabling telnet on all network devices that support it (see “<a href="http://articles.techrepublic.com.com/5100-10878_11-5875046.html">Configure SSH on your Cisco Router</a>“).<br /><br />If you are using SNMP, enable SNMP v3 with encryption and use it exclusively (for more information, see <a href="http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/snmpv3ae.html">AES and 3-DES Encryption Support for SNMP Version 3</a>).<br /><br /><span style="color: rgb(255, 102, 0);">Be careful</span><br /><br />The point of this article is to (1) encourage you to take action to secure your network before malicious attackers take control of it and (2) show you exactly which actions you need to take.<br /><br />You shouldn’t assume that your network isn’t a target because your company isn’t high profile or your data wouldn’t be valuable to an attacker. Take every reasonable step to protect your network; as you can see from this post, these steps aren’t necessarily difficult or costly.<br /><br />
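The five practices above, turned into a check you can run against a saved running-config (an added Python example, not code from the article or from TechRepublic). Both configs, the addresses and the passwords are constructed for the demonstration, and the script encodes one detail worth knowing: <span style="color: rgb(51, 204, 0);">service password-encryption</span> applies the reversible type 7 encoding to line passwords, while <span style="color: rgb(51, 204, 0);">enable secret</span> stores a type 5 (MD5) hash.

```python
"""Audit a Cisco IOS running-config for the five practices in the post above.
Added example, not from the original article; both configs are constructed."""
import re

# Constructed weak config: the mistakes the post describes.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco
snmp-server community public RO
snmp-server community private RW
logging buffered 51200
line con 0
 login
line aux 0
 password cisco
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed hardened config: the same router after the five practices.
HARDENED_CONFIG = """\
service password-encryption
enable secret MySuper!S3cr3tPa$
username admin secret MySuper!S3cr3tPa$
ntp server 10.1.1.10
logging host 10.1.1.20
logging buffered 51200
snmp-server group NETMON v3 priv
snmp-server enable traps config
line con 0
 password MySuper!S3cr3tPa$
 login
line aux 0
 no exec
line vty 0 4
 login local
 transport input ssh
"""


def line_blocks(config):
    """Map each 'line con/aux/vty' block to its indented body lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []

    # Practice 4: 'enable secret' is stored as a type 5 (MD5) hash; 'enable password'
    # is cleartext or type 7, and type 7 is reversible obfuscation, not encryption.
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("no 'enable secret': privileged-mode password is cleartext or type 7")
    if "service password-encryption" not in lines:
        findings.append("'service password-encryption' missing: line passwords are cleartext")

    # Practice 1: login-mode passwords on console, AUX and VTY ('no exec' disables a port).
    for name, body in line_blocks(config).items():
        if "no exec" in body:
            continue
        has_login = any(b == "login" or b.startswith("login ") for b in body)
        has_pw = any(b.startswith("password") for b in body) or "login local" in body
        if not (has_login and has_pw):
            findings.append(f"line {name}: no working login password")
        if name.startswith("vty"):
            transport = next((b for b in body if b.startswith("transport input")), "transport input all")
            if transport != "transport input ssh":
                findings.append(f"line {name}: telnet reachable, set 'transport input ssh'")

    # Practice 5: v1/v2c community strings cross the wire in cleartext; v3 'priv' encrypts.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m:
            findings.append(f"SNMP v1/v2c community '{m.group(1)}': cleartext credential")
    uses_snmp = any(ln.startswith("snmp-server") for ln in lines)
    if uses_snmp and not any(re.match(r"snmp-server group \S+ v3 priv", ln) for ln in lines):
        findings.append("SNMP in use without a v3 'priv' group: management traffic unencrypted")
    if "snmp-server enable traps config" not in lines:
        findings.append("'snmp-server enable traps config' missing: config changes not reported")

    # Practice 1 again: a syslog server survives a power loss, NTP keeps timestamps honest.
    if not any(ln.startswith("logging host") for ln in lines):
        findings.append("no 'logging host': buffered log is lost when power is lost")
    if not any(ln.startswith("ntp server") for ln in lines):
        findings.append("no 'ntp server': log timestamps cannot be trusted")
    return findings
```

Running `audit(WEAK_CONFIG)` lists every gap the post describes for that router, and `audit(HARDENED_CONFIG)` returns an empty list.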
David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users. Read his full bio and profile.<br /><br />source : www.techrepublic.comUnknownnoreply@blogger.com1tag:blogger.com,1999:blog-6629498985604693912.post-4407934055805471622009-06-11T08:19:00.000-07:002009-06-11T08:23:09.250-07:00What you need to know about Cisco IOS access-list filtering<div class="entry"> <p style="font-weight: bold;">What you need to know about Cisco IOS access-list filtering<br /></p><p>Let’s face it, if you don’t use Cisco IOS access lists (ACL) every day, they can be very painful to use. Why are ACLs so painful? Besides just being difficult to use, the penalty for a mistake is huge. In one fell swoop, you could incorrectly permit malicious attackers onto your network or incorrectly deny all valid users from your network. Either way, the consequences could be devastating to your company and to your career. So how do you prevent this from happening? If you follow these guidelines, you will be “feeling good again” about your Cisco ACLs.</p> <h2>Know what an ACL can and cannot do</h2> <p>In the simplest of terms, a Cisco IOS ACL is used to define traffic. Once that traffic is defined, some action can then be taken on that traffic.</p> <p>Commonly, an ACL is associated with the filtering of IP packets (Network Layer 3 of the OSI Model) as they pass through a router. In other words, it is used to <strong>permit</strong> or <strong>deny</strong> traffic through a router. 
However, if you only define the ACL and don’t apply it to an interface using the <strong>access-group</strong> command, nothing happens.</p> <p>While ACLs can be used for many functions like QoS, route filtering, and allowing access to the router, in this article, we will focus on using ACLs for filtering traffic in and out of the router.</p> <h2>Know the syntax of ACLs</h2> <p>To configure an ACL you need to include some basic information about which packets to permit or deny.</p> <p>The general syntax for a standard access list is:</p> <p><strong>access-list {list-number} {permit | deny} {source-address} [source-wildcard]</strong></p> <p>Note that the standard ACL can only permit or deny traffic based on the <em>source</em> of the traffic.</p> <p>The general syntax of a TCP extended access list is:</p> <p><strong>access-list </strong>access-list-number [<strong>dynamic</strong> dynamic-name [<strong>timeout</strong> minutes]] {<strong>deny</strong> | <strong>permit</strong>} <strong>tcp </strong>source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [<strong>established</strong>] [<strong>precedence </strong>precedence] [<strong>tos </strong>tos] [<strong>log</strong> | <strong>log-input</strong>] [<strong>time-range</strong> time-range-name] [<strong>fragments</strong>]</p> <p>You should also know that extended ACLs can filter IP traffic, TCP, UDP, ICMP, and other types of traffic. The syntax above is to filter TCP traffic.</p> <h2>Know that ACLs use wildcard masks</h2> <p>Cisco IOS ACLs use wildcard masks. These wildcard masks are required anytime you enter an IP address in your ACL. The only way to avoid entering a wildcard mask is to use the keyword “any” or to put the keyword “host” before the IP address of a single host on the network.</p> <p>Wildcard masks are the binary reverse of a subnet mask. 
Thus, to calculate a wildcard mask, you take the subnet mask of a network address or IP address, convert it to binary, turn all the 1s into 0s and the 0s into 1s, and convert it back to decimal. Sounds complicated, but it really isn’t. If the subnet mask is masked at the 8-bit subnet boundaries, then a 0 will turn into a 255 and a 255 will turn into a 0. Here are a few examples:</p> <ul type="disc"><li>SN 255.0.0.0 = wildcard 0.255.255.255</li><li>SN 255.255.255.0 = wildcard 0.0.0.255</li><li>SN 255.255.128.0 = wildcard 0.0.127.255</li><li>SN 255.255.255.224 = wildcard 0.0.0.31</li></ul> <p>Do NOT use a subnet mask in a wildcard mask on a Cisco IOS router or switch, or you will end up with unintended results. (On the other hand, if you are configuring an ACL on a Cisco PIX, use regular subnet masks, not wildcard masks).</p> <h2>Know how to create an ACL and apply it to an interface</h2> <p>For example, here’s how a sample configuration might look for access list 1:</p> <p>Router(config)# <strong>access-list 1 permit <em>172.16.30.0 0.0.0.255</em></strong><br />Router(config)# <strong>interface e0/0</strong><br />Router(config-if)# <strong>ip access-group 1 out</strong></p> <p>The <a href="http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1078845" target="_blank"><strong>ip access-group</strong></a> command is used to apply an ACL to an interface and specify the direction that it applies.</p> <p>The commands above permit any traffic coming from IP network 172.16.30.0 going OUT the router’s Ethernet 0/0 interface.</p> <h2>Know the implicit deny</h2> <p>Let me ask you this: What is allowed through the ACL above? Answer: Only the traffic from the 172.16.30.0 /24 network. Why is that? 
That is because at the end of every ACL, whether you see it or not, ALL TRAFFIC IS IMPLICITLY DENIED.</p> <p>So, what traffic is allowed through the ACL below?</p> <p>Router(config)# <strong>access-list 1 deny </strong><em><strong>172.16.30.0 0.0.0.255</strong> </em></p> <p>That’s right - NO TRAFFIC is allowed because certain traffic is explicitly denied and ALL OTHER TRAFFIC IS DENIED by the implicit deny.</p> <p>How do you see the traffic being denied? You can enter your own explicit deny with the log keyword, like this:</p> <p>Router(config)# <strong>access-list</strong><strong> 1 permit <em>172.16.30.0 0.0.0.255</em></strong><br />Router(config)# <strong>access-list</strong><strong> 1 deny <em>any log </em></strong></p> <h2>Know that ACLs use top-down processing</h2> <p>Cisco IOS ACLs use <em>top-down processing</em>. This means that when a condition in the ACL is met, all processing is stopped. Thus, if there is a permit for network 1.1.1.0 in the fifth line of the ACL but it is denied in the third line of the ACL, then that traffic is denied.</p> <h2>Know the three Ps of ACLs</h2> <p>Remember, you can only apply <strong>ONE</strong> ACL:</p> <ul type="disc"><li>Per <strong>Interface</strong></li><li>Per <strong>Protocol</strong></li><li>Per<strong> Direction</strong></li></ul> <p>As most of us are applying IP ACLs, the protocol doesn’t matter that much, but the important thing to know is that you can apply only ONE ACL on each interface in each direction. In other words, you can apply only one INBOUND and one OUTBOUND ACL per interface.</p> <h2>Know how to verify which ACLs are applied and which are configured</h2> <p>Showing what ACLs are created and what ACLs are applied is easy if you know just a few commands. 
These commands are:</p> <ul type="disc"><li><strong>show access-lists</strong></li><li><strong>show ip interface </strong></li><li><strong>show running-config</strong></li></ul> <h2>Know that there are many methods and types of ACLs</h2> <p>The Cisco IOS supports IP Standard and Extended ACLs in both named and numbered versions. Additionally, there are reflexive, dynamic, and lock-and-key access lists, among many others.</p> <h2>Know how ACLs can be used in the real world</h2> <p>While you may understand the concept of ACLs and how to configure them, it is important to know how to use them in the real world.</p> <p>Here are a few business applications for ACLs:</p> <p>1. Basic packet filtering for security: Filter traffic from a host, a network, a protocol, or port.</p> <p>2. Packet filtering for bandwidth control: Say that a streaming audio or video application was using network bandwidth, and it was on a certain port number. With an ACL, you could discard those video and audio packets to prevent overutilization of bandwidth.</p> <p>3. Other functions with ACLs: Route filtering, QoS, controlling access to the router, etc.</p> <h2>Know where to find more resources to learn ACLs</h2> <p>There is a lot to know about ACLs, and we can’t cover it all in this short format. To learn more about ACLs, here are some links to other articles and videos I have created on this topic.</p> <ul style="color: rgb(51, 51, 255);" type="disc"><li>TechRepublic.com: Use Advanced Parameters on Your Cisco IOS ACLs</li><li>TechRepublic.com: Cisco IOS Access Lists - 10 Things You Should Know</li><li>HappyRouter.com: Free Video - Hardening Your Router with Cisco IOS ACLs</li><li>Petri.co.il: How to Edit Cisco IOS ACLs Using Line Numbers</li></ul> <p><strong>Conclusion</strong></p> <p>ACLs are the least understood feature that new Cisco administrators and CCNA candidates struggle with. 
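The wildcard-mask conversion, top-down matching and implicit deny covered above, worked through in Python (an added example, not the author's or Cisco's code). The ACL text it parses is constructed from the article's own examples, plus ACL 3, which makes the subnet-mask-for-wildcard mistake the article warns about, and ACL 10, the deny-on-line-3, permit-on-line-5 case.

```python
"""Simulate how a Cisco IOS standard ACL is evaluated: wildcard masks, top-down
matching and the implicit deny. Added example, not from the original article."""
import ipaddress
import re

# Constructed from the article's own examples, plus ACL 3 (the subnet-mask mistake)
# and ACL 10 (a deny above a permit for the same network).
SAMPLE_ACLS = """\
Router(config)# access-list 1 permit 172.16.30.0 0.0.0.255
Router(config)# access-list 1 deny any log
Router(config)# access-list 2 deny 172.16.30.0 0.0.0.255
Router(config)# access-list 3 permit 172.16.30.0 255.255.255.0
Router(config)# access-list 10 permit host 10.0.0.1
Router(config)# access-list 10 permit host 10.0.0.2
Router(config)# access-list 10 deny 1.1.1.0 0.0.0.255
Router(config)# access-list 10 permit host 10.0.0.3
Router(config)# access-list 10 permit 1.1.1.0 0.0.0.255
"""

PROMPT = re.compile(r"^\S+\(config\)#\s*")
ENTRY = re.compile(r"access-list (\d+) (permit|deny) (any|host \S+|\S+ \S+)(?: (log))?$")


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_subnet_mask(mask):
    """Flip every bit of a subnet mask: 255.255.128.0 -> 0.0.127.255."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ 0xFFFFFFFF))


def wildcard_match(address, base, wildcard):
    """Wildcard bit 1 = don't care; bit 0 = must equal the base address bit."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(base) & care)


def parse_standard_acls(config):
    """Return {acl_number: [(action, base, wildcard, logged), ...]} in configured order."""
    acls = {}
    for raw in config.splitlines():
        m = ENTRY.match(PROMPT.sub("", raw.strip()))
        if not m:
            continue
        number, action, source, log = m.groups()
        if source == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif source.startswith("host "):
            base, wildcard = source.split()[1], "0.0.0.0"  # host = exact match
        else:
            base, wildcard = source.split()
        acls.setdefault(int(number), []).append((action, base, wildcard, log is not None))
    return acls


def evaluate(entries, address):
    """Top-down: the first entry that matches decides and processing stops;
    when nothing matches, the invisible implicit deny at the end applies."""
    for index, (action, base, wildcard, logged) in enumerate(entries, start=1):
        if wildcard_match(address, base, wildcard):
            return action, f"line {index}" + (" (logged)" if logged else "")
    return "deny", "implicit deny"
```

Against ACL 3, 172.16.30.5 falls through to the implicit deny while 10.99.5.0 is permitted, which is exactly the "unintended result" of typing a subnet mask where a wildcard belongs.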
I hope you find this information about Cisco IOS access lists helpful, and you keep it handy to “cure those ACL pains” whenever they come up.</p> </div><!-- /entry --> <div class="bloggerDesc clear"> <p><em> <img src="http://techrepublic.com.com/i/tr/techmails/tm_david_davis.gif" alt="David Davis" align="left" border="0" hspace="12" /><b>David Davis</b> has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at <span style="color: rgb(51, 51, 255);">Train Signal.com</span>. Train Signal, Inc. is the global leader in video training for IT Professionals and end users. Read <span style="color: rgb(51, 51, 255);">his full bio and profile.<br /></span></em></p><p><em><span style="color: rgb(51, 51, 255);"><span style="color: rgb(102, 0, 0);">article source : techrepublic.com</span><br /></span></em></p> </div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-72685779539320707232009-06-09T09:04:00.000-07:002009-10-18T02:42:11.451-07:00index article about cisco administratorIndex article about <span style="font-weight: bold;">cisco administrator</span> :<br /><br /><ol><li><a href="http://networking-irfansyah.blogspot.com/2009/07/10-dumb-things-you-can-do-to-your-cisco.html">10 dumb things you can do to your cisco router and how to fix them</a><br /><ul><li>december 2008<br /></li></ul><br /></li><li><a href="http://networking-irfansyah.blogspot.com/2009/07/five-ways-to-secure-your-cisco-routers.html">5 ways to secure your cisco routers and switches<br /></a><ul><li>april 2008<br /></li></ul><br /></li><li><a href="http://networking-irfansyah.blogspot.com/2009/08/learn-to-configure-cisco-ios-nat-on.html">learn to configure cisco ios NAT on stick</a><br /><ul><li>april 2008<br /></li></ul><br /></li><li><a 
href="http://networking-irfansyah.blogspot.com/2009/07/configure-static-nat-for-inbound.html">configure static NAT for inbound connections</a><br /><ul><li>june 2007<br /></li></ul><a href="http://networking-irfansyah.blogspot.com/2009/08/set-up-port-address-translation-pat-in.html"><br /></a></li><li><a href="http://networking-irfansyah.blogspot.com/2009/08/set-up-port-address-translation-pat-in.html">set up port address translation (PAT) in the cisco IOS</a><br /><ul><li>may 2007<br /></li></ul><br /></li><li><a href="http://networking-irfansyah.blogspot.com/2009/07/get-to-know-your-logging-options-in.html">Get to know your logging options in the Cisco IOS</a><br /><ul><li>april 2006<br /></li></ul><a href="http://networking-irfansyah.blogspot.com/2009/08/preserve-nat-translations-when-cisco.html"><br /></a></li><li><a href="http://networking-irfansyah.blogspot.com/2009/08/preserve-nat-translations-when-cisco.html">preserve NAT translations when a cisco router fails</a><br /><ul><li>april 2006<br /></li></ul><a href="http://networking-irfansyah.blogspot.com/2009/08/ensure-cisco-router-redundancy-with.html"><br /></a></li><li><a href="http://networking-irfansyah.blogspot.com/2009/08/ensure-cisco-router-redundancy-with.html">ensure cisco router redundancy with HSRP</a><br /><ul><li>april 2006<br /></li></ul><br /></li><li><a href="http://networking-irfansyah.blogspot.com/2009/08/understand-order-of-operations-for.html">understand the order of operations for cisco IOS</a><br /><ul><li>mar 2006<br /></li></ul><br /></li><li><a href="http://networking-irfansyah.blogspot.com/2009/10/routing-redistribution.html">routing redistribution</a><br />- Cisco Administration 101<br />- Dec 08, 2005<br /><br /></li><li><a href="http://networking-irfansyah.blogspot.com/2009/08/set-up-nat-using-cisco-ios.html">set up NAT using the Cisco IOS</a><br /><ul><li>October 2001<br /></li></ul><br /></li><li><a 
href="http://networking-irfansyah.blogspot.com/2008/07/cisco-administration-101-understand-osi.html">Understand the OSI Model to become a better cisco troubleshooter</a><br /><ul><li>Cisco Administration 101<br /><br /></li></ul></li><li><a href="http://networking-irfansyah.blogspot.com/2008/07/troubleshoot-cisco-routers-and-switches.html">Troubleshoot cisco routers and switches using the debug command<br /><br /></a></li><li><a href="http://networking-irfansyah.blogspot.com/2009/06/what-you-need-to-know-about-cisco-ios.html">What you need to know about Cisco IOS access-list filtering<br /><br /></a></li><li><a href="http://networking-irfansyah.blogspot.com/2005/10/choose-network-troubleshooting.html">Choose a network troubleshooting methodology</a><br /><ul><li>October 2005<br /></li></ul></li></ol>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-11227439721600725032008-09-15T23:35:00.001-07:002008-09-15T23:36:34.276-07:00Cisco IP Accounting<span style="font-weight: bold; color: rgb(51, 51, 255);">IP Accounting</span><span style="color: rgb(51, 51, 255);"> is a very useful accounting feature in Cisco IOS, but it’s not as well known as other features, such as NetFlow. The fact that Cisco has considered replacing IP Accounting by adding new features to NetFlow potentially turns IP Accounting into a corner-case solution.<br /><br />However, compared to NetFlow, IP Accounting offers some advantages that make it an interesting feature to investigate: easy results retrieval via a MIB and limited resource consumption. Furthermore, access-list accounting currently cannot be solved with the NetFlow implementation. 
Note that NetFlow recently added the export of the MAC address as a new information element</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-30295222036194512082008-09-15T22:20:00.000-07:002008-11-23T02:00:32.312-08:00networking links<ul><li>http://www.net-sense.com/flash_report.htm<br /><br />A site for managing Cisco devices more quickly<br /></li></ul>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-79271079697541417492008-07-09T11:36:00.000-07:002008-07-21T08:58:23.314-07:00Troubleshoot Cisco routers and switches using the debug commands<span style="font-size:130%;"><span style="font-weight: bold;">Troubleshoot Cisco routers and switches using the debug commands</span><br /><span style="font-weight: bold;">by = David Davis</span><br /></span><br /><br />Often, you cannot solve router and switch issues with “<span style="color: rgb(51, 51, 255);">show</span>” commands alone. At some point, you will have to use Debug commands to find out what is really going on behind the scenes. In this article, you will learn about <span style="font-weight: bold;">Cisco IOS Debug </span>commands and how they can help you.<br />What makes Cisco IOS Debug commands so useful?<br /><br /><span style="font-weight: bold;">Cisco IOS</span> Show commands can tell you many things about what is going on with your router or switch, but they can’t tell you everything. For example, Show commands cannot tell you when routes drop in or out of the routing table, why an ISDN line failed to connect, whether a packet really went out the router, or what ICMP error code was received. On the other hand, Cisco IOS Debug commands can tell you all these things, and more.<br /><br />Besides providing more detailed information than what Show commands can provide, Debug commands have the benefit of providing information in “real time” (or dynamically). 
This is contrary to Show commands that just take a snapshot in time and display the results on your console (somewhat static results). This real-time difference can be very helpful in diagnosing problems.<br /><br /><br />How do I use <span style="font-weight: bold;">Debug</span> commands?<br /><br />Let’s take a look at a simple example. We are going to view RIP (Routing Information Protocol) in Debug mode.<br /><br /><span style="color: rgb(51, 102, 255);">Router# debug ip RIP</span><br /><br /><span style="color: rgb(51, 102, 255);">RIP protocol debugging is on</span><br /><br />To verify what debugging is enabled, use this command:<br /><br /><span style="color: rgb(51, 102, 255);">Router# show debug</span><br /><br /><span style="color: rgb(51, 102, 255);"> RIP protocol debugging is on</span><br /><br />The output from whatever type of debug is enabled will be sent to wherever the Cisco IOS logging system tells that output to go. Either you will receive the output on your screen, it will go to the buffered log on the router, or it will go to a syslog server across the network (or all of these).<br /><br />To see what level the various outputs are set to and where the output will go, type:<br /><br /><span style="color: rgb(51, 102, 255);">Router# show logging</span><br /><br /><span style="color: rgb(51, 102, 255);">Syslog logging: enabled (1 messages dropped, 3 messages rate-limited,</span><br /><br /><span style="color: rgb(51, 102, 255);"> 0 flushes, 0 overruns, xml disabled, filtering disabled)</span><br /><br /><span style="color: rgb(51, 102, 255);"> Console logging: level debugging, 8 messages logged, xml disabled,</span><br /><br /><span style="color: rgb(51, 102, 255);"> filtering disabled</span><br /><br /><span style="color: rgb(51, 102, 255);"> Monitor logging: level debugging, 0 messages logged, xml disabled,</span><br /><br /><span style="color: rgb(51, 102, 255);"> filtering disabled</span><br /><br /><span style="color: rgb(51, 102, 255);"> 
Buffer logging: level warnings, 2 messages logged, xml disabled,</span><br /><br /><span style="color: rgb(51, 102, 255);"> filtering disabled</span><br /><br /><span style="color: rgb(51, 102, 255);"> Logging Exception size (4096 bytes)</span><br /><br /><span style="color: rgb(51, 102, 255);"> Count and timestamp logging messages: disabled</span><br /><br /><span style="color: rgb(51, 102, 255);"> Trap logging: level informational, 12 message lines logged</span><br /><br /><span style="color: rgb(51, 102, 255);">Log Buffer (51200 bytes):</span><br /><br /><span style="color: rgb(51, 102, 255);">*Jun 9 20:56:49.195: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up</span><br /><br /><span style="color: rgb(51, 102, 255);">*Jun 9 20:56:49.231: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up</span><br /><br /><span style="color: rgb(51, 102, 255);">Router#</span><br /><br />The console should display RIP updates that are sent and received through the RIP protocol. Here is an example of what you might see for RIP debugging:<br /><br /><span style="color: rgb(51, 102, 255);">*Jun 9 21:13:56.471: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (1.1.1.1)</span><br /><br /><span style="color: rgb(51, 102, 255);">*Jun 9 21:13:56.471: RIP: build update entries - suppressing null update</span><br /><br /><span style="color: rgb(51, 102, 255);">*Jun 9 21:14:22.519: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (1.1.1.1)</span><br /><br /><span style="color: rgb(51, 102, 255);">*Jun 9 21:14:22.519: RIP: build update entries - suppressing null update</span><br /><br />Remember that you should use Debug only for a short time to get a snippet of information, and then turn Debug off as it can be a serious performance hit on your router.<br /><br />There are several commands for turning off Debug. 
You could type undebug all or a precreated alias, un all (for more information on aliases, see my article “Enter Commands More Efficiently with Cisco Command Aliases“), but the no debug all command works fine also.<br /><br /><span style="color: rgb(51, 51, 255);">Router# no debug all</span><br /><br />If you type debug ?, you will see that there are more than 200 Debug commands, and each of those has many options. Debugging RIP is just a very simple example.<br /><br />What are the three most common mistakes made when using Debug?<br /><br />Using Debug can be a risky proposition, and even experienced admins have made mistakes when using it.<br /><br /><ul><li>I’d say the number one common mistake is to forget that you have left Debug on in a production environment. Sometimes, we get so focused on resolving the issue that when we get it resolved, we are on to the next “opportunity” and forget to issue the no debug command to turn off debugging. I think that many a network admin can attest to horror stories of when they brought their router to its knees because they forgot this simple task of turning off Debug.</li></ul><br /><ul><li>The second common mistake would be not realizing the effect on your router of issuing a lot of Debug commands at the same time. Remember that the router’s job is to forward packets, not to monitor processes and generate Debug messages. For example, you are having a problem with the packets on your router, so you issue the Debug statement debug ip packet. Then you decide that you want to view the events on the RIP protocol. Now, you have two separate Debug statements that are being processed and sent to the console. Debug statements are processed at a higher priority than other network traffic, so, needless to say, these Debug statements can jeopardize your router’s performance.</li></ul><br /><ul><li>The third common mistake made with the Debug command is entering debug all or debug ip packet detail on a production router. 
Either one of these commands can crash a heavily loaded production router. Luckily, there is an “are you sure” prompt before these take effect; however, that hasn’t prevented every debug-related catastrophe. You should be as specific as possible when using Debug, and then turn it off as quickly as possible. Also, always test your Debug commands on a test router before using them in a production environment.</li></ul><br />What are some common scenarios when using Debug to troubleshoot?<br /><br />To learn about the top 10 most useful Cisco IOS Debug commands, please read my TechRepublic article “Get IT Done: 10 Ways to Mitigate Problems Using Cisco IOS Debug.”<br /><br />In conclusion<br /><br />The Cisco IOS Debug commands are very powerful commands that every Cisco admin should know how to use properly. With Cisco IOS Debug commands, you can get down to the details of whatever protocol or feature you are troubleshooting in order to resolve your problem.<br /><br />For more information on Cisco IOS Debug commands, see the Cisco IOS Debug Command Reference.<br /><br />David Davis has worked in the IT industry for twelve years and holds several certifications, including <span style="font-weight: bold;">CCIE</span>, MCSE+I, <span style="font-weight: bold;">CISSP</span>, <span style="font-weight: bold;">CCNA</span>, <span style="font-weight: bold;">CCDA</span>, and <span style="font-weight: bold;">CCNP</span>. 
He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.<br /><br /><br />Article Sources = www.techrepublic.comUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-6629498985604693912.post-46731822121990317752008-07-09T11:28:00.000-07:002009-06-11T08:29:32.705-07:00Cisco Administration 101 - Understand the OSI Model to become a better cisco Troubleshooter<h1><span class="snap_noshots" style="font-size:100%;">Cisco Administration 101: Understand the OSI model to become a better Cisco troubleshooter.<br /><br /></span><span style="font-size:100%;">By = David Davis</span><br /></h1><h2><span style="font-size:100%;"><br />What is the OSI model?</span><br /><span style="font-weight: normal;font-size:100%;" ><br />The OSI model is a hierarchical model of how different devices, protocols, and applications can interoperate to provide a network. The OSI (Open Systems Interconnection) model was created by the International Organization for Standardization (ISO).</span></h2> <p>The applications and protocols that make up the network reside at different layers of the OSI model. Those layers are:</p> <ul style="margin-top: 0in;" type="disc"><li>Layer 7 – Application</li><li>Layer 6 – Presentation</li><li>Layer 5 – Session</li><li>Layer 4 – Transport</li><li>Layer 3 – Network</li><li>Layer 2 – Data Link</li><li>Layer 1 – Physical</li></ul> <p><span style="color:black;">For certification tests like the </span>Cisco CCNA certification<span style="color:black;">, most admins remember these layers by taking the first letter of the layer and matching it with a word. 
Here are some common ways to remember the OSI model:</span></p> <ul style="margin-top: 0in;" type="disc"><li>All <strong>P</strong>eople <strong>S</strong>eem <strong>T</strong>o <strong>N</strong>eed <strong>D</strong>ata <strong>P</strong>rocessing</li><li><strong>P</strong>lease <strong>D</strong>o <strong>N</strong>ot <strong>T</strong>hrow <strong>S</strong>ausage <strong>P</strong>izza <strong>A</strong>way</li><li><strong>P</strong>hew <strong>D</strong>ead <strong>N</strong>inja <strong>T</strong>urtles <strong>S</strong>mell <strong>P</strong>articularly <strong>A</strong>wful</li></ul> <p>A common question is, “What application or protocol resides at each of the layers?” Here is a general overview:</p> <ul><li><strong>Layer 7 - Application</strong><br /><br />The application layer is where the protocols and services that make up your application reside. Examples of what is located here are: Telnet, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).</li></ul> <ul><li><strong>Layer 6 - Presentation</strong><br /><br />The presentation layer “presents” the session layer data to the application. Examples of what is located here are: encryption (like IPSec), ASCII, and JPG.</li></ul> <ul><li><strong>Layer 5 - Session</strong><span style="color:black;"><br /><br />This layer is responsible for initiating and terminating network connections. Examples of the session layer are Remote Procedure Call (RPC) functions and the login portion of a SQL session.</span></li></ul> <ul><li><strong>Layer 4 - Transport</strong><span style="color:black;"><br /><br />TCP and UDP work at the transport layer. TCP provides the reliable, in-order delivery of your data, as well as error correction, sequencing, and windowing (flow control). Additionally, TCP at the transport layer provides source and destination port numbers that are commonly associated with applications. For example, TCP port 25 is SMTP, 23 is telnet, 22 is SSH, 80 is HTTP, and so on. 
These port numbers are very important if you are configuring an ACL (see my article, “</span><a class="snap_noshots" target="_blank" href="http://networking-irfansyah.blogspot.com/2009/06/what-you-need-to-know-about-cisco-ios.html">What you need to know about Cisco IOS access-list filtering</a>“) or studying for a certification test like the CCNA. Data at the transport layer is called a <em>segment</em>.</li></ul> <ul><li><strong>Layer 3 - Network</strong><br /><br />The network layer is where the “IP” part of “TCP/IP” happens. IP is responsible for addressing in the network. Because IP works at layer 3, you could also say that routing and routers work at layer 3. Any data at layer 3 is called a <em>packet</em>.</li></ul> <ul><li><strong>Layer 2 - Data Link</strong><span style="color:black;"><br /><br />If you think about a WAN, there are many protocols that work at layer 2 (like PPP and Frame-Relay).<br />However, if you just look at the LAN, the most well-known protocol associated with layer 2 is Ethernet. The Ethernet protocol uses MAC addresses to identify unique devices on the network. Any data at layer 2 is called a <em>frame</em>. Ethernet switches work at layer 2 to switch Ethernet frames. To do this, they keep a MAC address table or CAM table — mapping MAC addresses to switch ports.</span></li></ul> <ul><li><strong>Layer 1 - Physical</strong><span style="color:black;"><br /><br />The physical layer provides the actual connection between devices. Ethernet cables and fiber optic cables work at layer 1. Data goes through the cables via electricity or light. That data is now represented as a <em>bit</em> (a one or a zero). 
</span></li></ul> <h2>How does the OSI model help you on a practical basis?</h2> <p>While most of us know the OSI model, I believe that most of us do not make the very helpful connection between the OSI model and the daily, real-world tasks and troubleshooting that a Cisco admin must perform.</p> <p>Most of us think of the OSI model as some kind of arcane textbook concept that must be learned for the exam and can then be forgotten. On the contrary, I believe it can be extremely helpful to Cisco admins on a day-to-day basis. Here are four ways the OSI model can help you, as a Cisco admin:</p> <h3>Understanding the network “big picture”</h3> <p>There are many new Cisco admins out there who may understand how to unlock a switch port or how to configure IP addressing, but they don’t really see how the network functions. By understanding the OSI model, you can see the “big picture” of how the network really works.</p> <p>You can understand how bits are sent as electrical signals across copper wires; how those are reassembled into frames by Ethernet in layer 2; how the frames are switched to the right destination; how that PC disassembles the frame and packet to verify that it is the right destination IP; how it breaks up the segment at the transport layer, responds with an acknowledgement (ACK), and sends the data up to the session, presentation, and application layers; and how every tiny communication requires this whole process to happen many times per second.</p> <h3>Configure ACLs for traffic filtering and QoS</h3> <p>By understanding the OSI model you will be better able to configure Cisco IOS ACLs. Those ACLs can then be used to filter traffic or to apply router services, like QoS, to that traffic. By knowing that the transport layer is where TCP is and that port numbers are used to identify applications, you will understand more clearly how to create ACLs that define that traffic. 
You will also create better ACLs when you keep in mind the different protocols that could be in use at the transport layer. For example, you might want an ACL that defines UDP or ICMP (ICMP actually functions at layer 3, network).</p> <p>Once you create the proper ACL, you can then take action on that traffic by filtering it or providing QoS for it. (See my articles “<a class="snap_noshots" target="_blank" href="http://articles.techrepublic.com.com/5100-10878_11-5731134.html">Cisco IOS access lists: 10 things you should know</a>” and “<a class="snap_noshots" target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=536">What you need to know about Cisco IOS access-list filtering</a>.”)</p> <p>What is also interesting is that BGP works at layer 4 (transport) because it uses TCP; however, OSPF, IGMP, and ICMP all work at layer 3 (network). Also, ARP works between layers 2 and 3 as it maps MAC addresses to IP addresses.</p> <h3>Prepare for certification</h3> <p>Certainly, any entry-level certification will require you to learn about the OSI model and answer some questions about it. For example, the CCENT/CCNA and Network+ certifications all require that you understand the OSI model. I believe that this all comes back again to “knowing the big picture.”</p> <h3>Troubleshooting the network</h3> <p>Once you understand the OSI model, you will be a much better network troubleshooter. For example, in my article “<a class="snap_noshots" target="_blank" href="http://articles.techrepublic.com.com/5100-10878_11-5902706.html">Choosing a network troubleshooting methodology</a>,” I cover how to use the OSI model to troubleshoot the network either by starting at the top or the bottom or by using the “divide and conquer” approach.</p> <ul><li>If your Ethernet cable is disconnected, at what layer is your problem to be found? Answer: layer 1.</li><li>If your ACL is dropping your TCP data, where is the trouble? 
Answer: layer 4.</li><li>If your IPSec is misconfigured, where is the problem? Answer: layer 4.</li></ul> <h2>Learn more</h2> <p>By understanding the OSI model, you will be able to do a lot more than pass your certification test. The OSI model may have been designed to help vendors ensure that their network products interoperate with others, but it is here to help Cisco admins, like us, visualize how the network works and troubleshoot it when it doesn’t.</p> <p>For more information on the OSI model, see Cisco’s <a target="_blank" href="http://www.cisco.com/en/US/docs/internetworking/technology/handbook/OSI-Protocols.html">Internetworking Technology Handbook</a>.</p> <p><em>David Davis has worked in the IT industry for twelve years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.<br /><br />Article Source = www.techrepublic<br /></em></p><br /><br />Post published 2008-07-09 (updated 2008-07-21)<br /><span style="font-weight: bold;">10 commands you should master when working with the Cisco IOS</span><span class="snap_noshots" style="font-size:100%;"><br />by = </span><span style="font-size:100%;">David Davis</span> <p><em>Editor’s Note: This article was originally published on TechRepublic July 25, 2006. For your convenience, I’m republishing it in the blog to be part of the <a class="snap_noshots" target="_blank" href="http://blogs.techrepublic.com.com/focus/Cisco+Routers+and+Switches.html">Cisco Routers and Switches archive</a>. 
It is also available in <a class="snap_noshots" target="_blank" href="http://downloads.techrepublic.com.com/download.aspx?docid=172400">PDF format</a>.</em></p> <p>The <span style="font-weight: bold;">Cisco</span> IOS provides thousands of commands, and configuring it can be challenging. Here are 10 commands you need to know, inside and out, when using the Cisco IOS.</p> <h2 style="font-weight: bold; color: rgb(51, 51, 255);"><span style="font-size:100%;"><span style="font-weight: normal;">#1: The “?”</span></span></h2> <p>It may seem entirely too obvious that you should know how to type <em>?</em> to ask for help when using the Cisco IOS. However, the <span style="font-weight: bold;">Cisco</span> IOS is completely different from other operating systems when it comes to using the question mark (help key). As the IOS is a command-line operating system with thousands of possible commands and parameters, using the ? can save your day.</p> <p>You can use the command in many ways. First, use it when you don’t know what command to type. For example, type <em>?</em> at the command line for a list of all possible commands. You can also use ? when you don’t know what a command’s next parameter should be. For example, you might type <em>show ip ?</em> If the router requires no other parameters for the command, the router will offer CR as the only option. Finally, use ? to see all commands that start with a particular letter. For example, <em>show c?</em> will return a list of commands that start with the letter <em>c</em>.</p> <h2 style="font-weight: normal; color: rgb(51, 51, 255);"><span style="font-size:100%;">#2: show running-configuration</span></h2> <p>The <em>show running-config</em> command shows the router, switch, or firewall’s current configuration. The running-configuration is the config that is in the router’s memory. You change this config when you make changes to the router. 
Keep in mind that this config is not saved until you do a <em>copy running-configuration startup-configuration</em>. This command can be abbreviated <em>sh run</em>.</p> <h2 style="font-weight: normal; font-style: italic; color: rgb(51, 51, 255);"><span style="font-size:100%;">#3: copy running-configuration startup-configuration</span></h2> <p>This command will save the configuration that is currently being modified (in RAM), also known as the running-configuration, to the nonvolatile RAM (NVRAM). If the power is lost, the NVRAM will preserve this configuration. In other words, if you edit the router’s configuration but don’t use this command before rebooting the router, those changes will be lost. This command can be abbreviated <em>copy run start</em>. The <em>copy</em> command can also be used to copy the running or startup configuration from the router to a TFTP server in case something happens to the router.</p> <h2 style="font-weight: normal; color: rgb(51, 51, 255);"><span style="font-size:100%;">#4: show interface</span></h2> <p>The <em>show interface</em> command displays the status of the router’s interfaces. Among other things, this output provides the following:</p> <ul><li>Interface status (up/down)</li><li>Protocol status on the interface</li><li>Utilization</li><li>Errors</li><li>MTU</li></ul> <p>This command is essential for troubleshooting a router or switch. It can also be used by specifying a certain interface, like <em>sh int fa0/0</em>.</p> <h2 style="color: rgb(51, 51, 255); font-weight: normal;"><span style="font-size:100%;">#5: show ip interface</span></h2> <p>Even more popular than <em>show interface</em> are <em>show ip interface</em> and <em>show ip interface brief</em>. The <em>show ip interface</em> command provides tons of useful information about the configuration and status of the IP protocol and its services, on all interfaces. 
The <em>show ip interface brief</em> command provides a quick status of the interfaces on the router, including their IP address, Layer 2 status, and Layer 3 status.</p> <h2 style="color: rgb(51, 51, 255); font-weight: normal;"><span style="font-size:100%;">#6: config terminal, enable, interface, and router</span></h2> <p>Cisco routers have different modes where only certain things can be shown or certain things can be changed. Being able to move between these modes is critical to successfully configuring the router.</p> <p>For example, when logging in, you start off at the user mode (where the prompt looks like >). From there, you type <em>enable</em> to move to privileged mode (where the prompt looks like #). In privileged mode, you can show anything but not make changes. Next, type <em>config terminal</em> (or <em>config t</em>) to go to global configuration mode (where the prompt looks like router(config)# ). From here, you can change global parameters. To change a parameter on an interface (like the IP address), go to interface configuration mode with the <em>interface</em> command (where the prompt looks like router(config-if)#). Also from the global configuration mode, you can go into router configuration using the <em>router {protocol}</em> command. To exit from a mode, type <em>exit</em>.</p> <h2 style="color: rgb(51, 51, 255); font-weight: normal;"><span style="font-size:100%;">#7: no shutdown</span></h2> <p>The <em>no shutdown</em> command enables an interface (brings it up). This command must be used in interface configuration mode. It is useful for new interfaces and for troubleshooting. When you’re having trouble with an interface, you may want to try a <em>shut</em> and <em>no shut</em>. Of course, to bring the interface down, reverse the command and just say <em>shutdown</em>. 
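<br /><br />Added example (not code from this article or from Cisco): a small Python script that parses constructed <em>show ip interface brief</em> output and uses the Status (Layer 1/2) and Protocol (Layer 3) columns from command #5 to decide which OSI layer to troubleshoot first, the way the previous article's "at what layer is your problem?" questions do, and to spot interfaces that simply need a <em>no shutdown</em>. The column layout follows the real command; the interface names, addresses and the troubleshooting hints are this example's own.<br />

```python
"""Map `show ip interface brief` rows to the OSI layer to troubleshoot first.

Added example for this article; not code from the original post or from Cisco.
The sample output is constructed to look like the real command's output:
the columns (Interface, IP-Address, OK?, Method, Status, Protocol) follow IOS,
the interface names and addresses are made up.
"""
import re

# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/0/0                10.0.12.1       YES manual up                    down
Serial0/0/1                10.0.13.1       YES manual down                  down
GigabitEthernet0/2         unassigned      YES unset  up                    up
"""

# One data row; the Status column may contain a space ("administratively down"),
# so a plain split() on whitespace would misalign the columns.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)


def parse_brief(text):
    """Return one dict per interface row; the header row does not match and is skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def classify(row):
    """Return (layer, hint) for a row, using the article's rule of thumb:
    Status is the Layer 1/2 state of the link, Protocol is the Layer 3
    (line protocol) state. The hints are this example's, not the article's."""
    status, proto, ip = row["status"], row["proto"], row["ip"]
    if status == "administratively down":
        # Not a fault: someone typed 'shutdown'; fix with 'no shutdown' (command #7).
        return "config", "interface is shut down; bring it up with 'no shutdown'"
    if status == "down":
        return "layer 1", "no carrier: check the cable, transceiver and far-end port"
    if proto == "down":
        return "layer 2", "link up but line protocol down: check encapsulation, keepalives, clocking"
    if ip == "unassigned":
        return "layer 3", "up/up but no IP address configured on the interface"
    return "ok", "up/up with an address"


def report(text):
    """Return {interface: (layer, hint)} for every row that is not 'ok'."""
    findings = {}
    for row in parse_brief(text):
        layer, hint = classify(row)
        if layer != "ok":
            findings[row["iface"]] = (layer, hint)
    return findings


if __name__ == "__main__":
    for iface, (layer, hint) in report(SAMPLE_OUTPUT).items():
        print(f"{iface:<20} {layer:<8} {hint}")
```

<br />Paste real output into <em>SAMPLE_OUTPUT</em> (or read it from a file) to get the same per-interface triage on a live router; the regex ignores the header line and any trailing prompt.<br />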
This command can be abbreviated <em>no shut</em>.</p> <h2 style="color: rgb(51, 51, 255);"><span style="font-size:100%;">#8: show ip route</span></h2> <p>The <em>show ip route</em> command is used to show the router’s routing table. This is the list of all networks that the router can reach, their metric (the router’s preference for them), and how to get there. This command can be abbreviated <em>sh ip ro</em> and can have parameters after it, like <em>sh ip ro ospf</em> for all OSPF routes. To clear the routing table of all routes, you do <em>clear ip route *</em>. To clear it of just one route, do <em>clear ip route 1.1.1.1</em> for clearing out that particular network.</p> <h2 style="font-weight: normal; color: rgb(51, 51, 255);"><span style="font-size:100%;">#9: show version</span></h2> <p>The <em>show version</em> command gives you the router’s configuration register (essentially, the router’s firmware settings for booting up), the last time the router was booted, the version of the IOS, the name of the IOS file, the model of the router, and the router’s amount of RAM and Flash. This command can be abbreviated <em>sh ver</em>.</p> <h2 style="color: rgb(51, 51, 255); font-style: italic; font-weight: normal;"><span style="font-size:100%;">#10: debug</span></h2> <p>The <em>debug</em> command has many options and does not work by itself. It provides detailed debugging output on a certain application, protocol, or service. 
For example, <em>debug ip route</em> will tell you every time a route is added to or removed from the routing table.<br /><br />Article Source = www.techrepublic.com<br /></p><br /><br />Post published 2008-07-09: Cisco article resource website<br /><span style="color: rgb(255, 0, 0);">(http://</span><span style="color: rgb(51, 204, 0);">tips</span><span style="color: rgb(255, 0, 0);">irfan.blogspot.com)</span><br /><br /><br />Cisco article resource website =<br /><br /><ul><li><a href="http://www.cisco.com/">www.cisco.com</a><br /><br /><b>Cisco Systems, Inc.</b> is a <span class="snap_shots">multinational corporation</span> with more than 63,000 employees and annual revenue of <span class="snap_shots">US$</span>35 billion as of 2007. Headquartered in <span class="snap_shots">San Jose, California</span>, it designs and sells networking and communications technology and services under five brands, namely Cisco, <span class="snap_shots">Linksys</span>, <span class="snap_shots">WebEx</span>, <span class="snap_shots">IronPort</span>, and <span class="mw-redirect snap_shots">Scientific Atlanta</span>.<br /><br /></li><li><a href="http://www.ciscopress.com/">www.ciscopress.com</a><br /><br /><b>Cisco Press</b> is a publishing alliance between <span class="snap_shots">Cisco Systems</span> and the <span class="snap_shots">Pearson Education</span> division of <span class="snap_shots">Pearson PLC</span>. 
Cisco Press distributes its titles through traditional resellers as well as through the <span class="snap_shots">Safari Books Online</span> e-reference service.<br /><br /><br /></li></ul>article resource = www.wikipedia.org<br /><br />Post published 2008-07-05: 2 Cisco book publishers<br />In my opinion, there are 2 book publishers that write very good books related to Cisco certification.<br /><br /><ul><li><a href="http://www.ciscopress.com/">Cisco Press</a><br /><br />This company is Cisco's publisher. They have many good Cisco certification books.<br /><br /></li><li><a href="http://www.sybex.com/WileyCDA/">Sybex</a><br /><br /></li></ul><br /><br />Post published 2008-07-03: What is an NMS (Network Management System)<p>Below is what I have taken from the www.wikipedia site about what an NMS is.<br /><br /><br />A <b>Network Management System (NMS)</b> is a combination of hardware and software used to monitor and administer a network.<br /><br />Individual network elements (NEs) in a network are managed by an element management system.</p><br /><br />Post published 2008-07-03<br /><span style="font-weight: bold;">2 Cisco Book Publishers.</span><br /><span style="color: rgb(51, 255, 51);">by Irfansyah K.P</span><br /><br />According to the author, there are 2 companies that are good at writing Cisco books related to Cisco certification, namely =<br /><br /><ul><li><a href="http://www.ciscopress.com/">Cisco Press</a> <br /><br /><b>Cisco Press</b> is a publishing alliance between Cisco Systems and the Pearson Education division of Pearson PLC. 
Cisco Press distributes its titles through traditional resellers as well as through the Safari Books Online e-reference service. (www.wikipedia)<br /><br /></li><li><a href="http://www.sybex.com/WileyCDA/">Sybex</a><br /><br /></li></ul><br /><br />Post published 2008-07-03: Cisco certifications<br />Below are the Cisco certifications:<br /><br /><ul><li>CCNA</li><li>CCNP</li><li>CCIE<br /><br /></li></ul>For more complete information, see the site <a href="http://www.cisco.com">www.cisco.com</a><br /><br />Post published 2008-07-03: INTRODUCTION<br />Hello, my name is Irfansyah..<br />This is a tutorial in the field of networking<br /><br />Post published 2005-10-20 (updated 2010-12-09)<br /><span style="font-weight: bold;">Privacy Policy for networking-irfansyah.blogspot.com</span><br /><br />If you require any more information or have any questions about our privacy policy, please feel free to contact us by email at indoirfan@gmail.com.<br /><br />At networking-irfansyah.blogspot.com, the privacy of our visitors is of extreme importance to us. This privacy policy document outlines the types of personal information that are received and collected by networking-irfansyah.blogspot.com and how they are used.<br /><br /><span style="font-weight: bold;">Log Files</span><br />Like many other Web sites, networking-irfansyah.blogspot.com makes use of log files. 
The information inside the log files includes internet protocol ( IP ) addresses, type of browser, Internet Service Provider ( ISP ), date/time stamp, referring/exit pages, and number of clicks, used to analyze trends, administer the site, track users’ movement around the site, and gather demographic information. IP addresses and other such information are not linked to any information that is personally identifiable.<br /><br /><span style="font-weight: bold;">Cookies and Web Beacons</span><br />networking-irfansyah.blogspot.com does use cookies to store information about visitors' preferences, record user-specific information on which pages the user accesses or visits, and customize Web page content based on the visitor's browser type or other information that the visitor sends via their browser.<br /><br /><span style="font-weight: bold;">DoubleClick DART Cookie</span><br />.:: Google, as a third party vendor, uses cookies to serve ads on networking-irfansyah.blogspot.com.<br />.:: Google's use of the DART cookie enables it to serve ads to users based on their visit to networking-irfansyah.blogspot.com and other sites on the Internet.<br />.:: Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy at the following URL - http://www.google.com/privacy_ads.html<br /><br />Some of our advertising partners may use cookies and web beacons on our site. Our advertising partners include ....<br />Google Adsense<br /><br /><br />These third-party ad servers or ad networks use technology to send the advertisements and links that appear on networking-irfansyah.blogspot.com directly to your browser. They automatically receive your IP address when this occurs. 
Other technologies ( such as cookies, JavaScript, or Web Beacons ) may also be used by the third-party ad networks to measure the effectiveness of their advertisements and / or to personalize the advertising content that you see.<br /><br />networking-irfansyah.blogspot.com has no access to or control over these cookies that are used by third-party advertisers.<br /><br />You should consult the respective privacy policies of these third-party ad servers for more detailed information on their practices as well as for instructions about how to opt-out of certain practices. networking-irfansyah.blogspot.com's privacy policy does not apply to, and we cannot control the activities of, such other advertisers or web sites.<br /><br />If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers' respective websites.