Welcome to official blog of LAN / WAN Professional.

Zone-based Firewall (quickie)

2011-07-22T11:19:00.000-07:00

=====================

zone-based firewall example

=====================

Quickie Steps

1. create class-map

2. create policy-map

3. create zones

4. add members (interfaces) to zones

5. create zone-pair rules

1) class-map type inspect match-any CMAP1

match protocol tcp

match protocol udp

match protocol icmp

2) policy-map type inspect PMAP1

class type inspect CMAP1

inspect

3) zone security inside

zone security outside

4) int fa0/0

zone-member security inside

int fa0/1

zone-member security outside

5) zone-pair sec IN2OUT source inside destination outside

service-policy type inspect PMAP1

---------------

Explanations

---------------

1) Create a class-map to identify types of packets that you would like to match or inspect. Ensure to use "inspect" as a class-map type and use "match-any". The default parameter is "match-all". Use match protocol command to match desired protocols.

2) Create a policy-map to define actions. In this case, the action is to "inspect."

3) Define zones. I have defined two zones: "inside" and "outside".

4) Add members to the predefined zones. I have marked interface FastEthernet 0/0 as "inside" and FastEthernet 0/1 as "outside".

5) Finally and most importantly, create a zone-pair. This command completes the zone-based firewall by defining a relationship between the two zones. In this case, the PMAP1 policy-map will be enforced when packets are traveling from inside to outside.

Manipulating OSPF Routing Table - Part 1

2011-07-20T14:37:00.000-07:00

Open Shortest Path First (OSPF) is a link-state routing protocol created in the mid-1980’s by the Internet Engineering Task Force (IETF). It is often valued as more advance protocol compared to Routing Information Protocol (RIP) and more flexible than Cisco’s Enhanced Internal Gateway Routing Protocol (EIGRP) because it is a multi-vendor protocol.

This blog assumes that you have a general understanding of the OSPF routing protocol as well as a proficiency to configure OSPF with the below features.

-OSPF LSA Types; (LSA type descriptions)

-Basic peering

-Inter-Area configuring

-OSPF authentication

-OSPF Virtual Links

-OSPF Stub Area

-OSPF Not-So-Stubby Area (NSSA)

The blog also assumes that you are familiar with configuring and performing basic troubleshooting the following technologies:

-IP Access Lists

-Route-map

The main topic for the blog is to manipulate entries for OSPF routing table, and this topic is not for a novice network engineer.

We often begin configuring the OSPF protocol by adding networks into the routing table. Then, we determine and configure which routers the routing table entries will be shared with. Finally, we may want to filter out particular networks from being advertised to certain neighbors or areas. We can achieve the final step by using a few different methods:

-Not advertise the network into OSPF routing protocol

-Use the filter-list command

-Use the area range command with the “not advertise” parameter

-Use the distribute-list command

-Use the route-maps command

-Use the prefix-suppression command

The first option is very basic and does not work if you are trying to share the network information with only a particular neighbor or an area. So, we will focus on the last five options.

---------------------------------------

use the filter-list command

---------------------------------------

-Filtering LSA Type : TYPE 3 LSA Filtering

-Performed Device Type: OSPF Area Border Router (ABR)

-Usage: This feature is used to filter out routes between different OSPF areas (inter-areas)

-Command:

-area x filter-list prefix name1 [in | out]

-ip prefix-list name1 seq x [deny | permit] A.B.C.D/y

-Caveat: Filtering routes into area 0 prevents the advertised network from propagating into all OSPF areas in the routing domain except the originating area.

-Condition: The basic connectivity as well as OSPF routing protocols have been already configured. Use filter-list command to prevent R4’s loopback address from propagating into R3’s routing table.

-Procedure: Configure R1_ABR to filter R4’s loopback address into OSPF Area 10.

R1_ABR#configure terminal

R1_ABR(config)#ip prefix-list From_R4_Loop seq 10 deny 4.4.4.4/32

R1_ABR(config)#ip prefix-list From_R4_Loop seq 20 permit 0.0.0.0/0 le 32

R1_ABR(config)#router ospf 1

R1_ABR(config-router)#area 10 filter-list prefix From_R4_Loop in

-With the above configuration, R1_ABR will remove 4.4.4.4/32 network from its OSPF Link-State database (LSD) under Area 10 while permitting any addresses that has a subnet mask of 32 or lower. It is important that you add the le 32 parameter at the end of the 3rd line to ensure that it allows all addresses.

---------------------------------------

Use the area range command with the “not advertise” parameter

---------------------------------------

-Filtering LSA Type : TYPE 3 LSA Filtering

-Performed Device Type: OSPF Area Border Router (ABR)

-Usage: This feature is used to filter out routes between different OSPF areas

-Command:

-area x range ip-address mask [advertise | not-advertise] [cost cost]

-Caveat: Ensure that the command is entered from an ABR.

-Condition: The basic connectivity as well as OSPF routing protocols have been already configured. Use area x range command with “not-advertise” parameter to prevent R4’s loopback address from being advertised outside of Area 20.

-Procedure: Configure R2_ABR to not advertise R4’s loopback address outside of Area 20.

R2_ABR#configure terminal

R2_ABR (config)# router ospf 1

R2_ABR (config-router)#area 20 range 4.4.4.4 255.255.255.255 not-advertise

-With the above configuration, R2_ABR will not advertise R4’s loopback address beyond OSPF Area 20.

---------------------------------------

Use the prefix suppression command

---------------------------------------

-Filtering LSA Type : TYPE 3 LSA Filtering

-Performed Device Type: Any OSPF routers

-Usage: This feature is used to filter out routes between different OSPF areas. This command is a new feature to IOS version 12.4(15)T to suppress IP prefixes propagation to Type 3 LSA database table from OSPF-enabled interfaces but excludes prefixes associated with loopbacks, secondary IP addresses, and passive interfaces.

-Command:

-(config-router)#prefix-suppression

-(config-if)#ip ospf prefix-suppression {disable}

-Caveat: The command can be entered from both the global router mode (e.g. router ospf) and the interface mode. The command at the interface level will overwrite the ones from the global router mode.

-Procedure 1: Configure R2_ABR to not advertise the prefixes associated with its OSPF-enabled interfaces

R2_ABR#configure terminal

R2_ABR (config)# router ospf 1

R2_ABR (config-router)#prefix-suppression

-Procedure 2: Configure R4 to not advertise its loopback address of 4.4.4.4/32

R4#configure terminal

R4 (config)# interface loopback 1

R4 (config-if)#ip ospf prefix-suppression

-Loopback addresses can be suppressed by entering the command from the loopback interface.

-Verification: Verify that R4 has suppressed the 4.4.4.4/32 network from its OSPF LSD

-----------------------------

THE BLOG SUMMARY

-----------------------------

The main focus of this blog is to introduce methods to filter out unwanted networks from propagating or being advertised to particular areas. There are two main methods in producing the desired outcomes:

-Removing entries from LSD

-Use the filter-list command

-Use the area range command with “not-advertised” parameter

-Use the prefix suppression command

-Removing entries from Routing Tables

-Use the distribute-list command

-Use the route-maps command: This option improves the flexibility of filtering based on matching other parameters as metric, route-type, and next-hop.

In the Part 2 of the blog, I will introduce the second part of using distribute-list and route-maps.

Rolling Back Your Configurations

2011-03-02T15:33:00.000-08:00

We've all had to bear the pain of having to erase the startup-config and reload to get a fresh, out of the box configuration on a Cisco router or switch. Once you caught on to the patterns in the lab guides, you probably even saved your configurations after you typed in the base configs and then reloaded to return to that point. Even then, reloading is a process that takes time. If you're impatient like me, it's too much time.

Well, there is a command to revert you back to your last save point almost immediately. It is as follows:

R1#config replace nvram:startup-config force

As stated, this command will almost instantly boot up the startup-config (aka the last time you performed a copy run start or wr command). If you saved it immediately after your basic configs, this command will wipe out everything but those in a matter of seconds.

If you wanted to save even more time, alias the command.

R1(config)#alias exec rr config replace nvram:startup-config force

This command ties the "config replace" command to "rr". You can use any letter combo instead of "rr". That's just what I use. I'll cover alias commands in another blog.

So now, to instantly revert back to the last save point:

R1# rr

Total number of passes: 1
Rollback Done

Enjoy!!

Cisco Tips for Time Saving Awareness: Smart Skillful and Efficient Navigational Habits for Time Savings Develo

2010-02-23T11:32:00.000-08:00

We have seen in one of our previous articles how utilizing specific filtering methods better provides technicians with a more efficient search process to view configuration commands on our routing and switching devices. Refer to (cisco show running-configuration filter) .

While at first it may or may not appear to be such a necessary endeavor at any one particular time, however, if you find yourself constantly in need of opening a console session, it would be most beneficial to develop a smart habit by enforcing these time saving methods.

For example if you’re constantly using the show run command, it may not dawn on you that the amount of time you spend waiting for the routing or switch device to go through the thinking process can add up exponentially. You may find that by the end of the week you spent over an hour or more wasted in watching and scrolling. It reminds me of an old tune by the Moody Blues entitled, “Watching and Waiting” If its not the actual name of the song I assure you that those are the first lines in the song lyrics. J

Being part of a training group in which you coach where one is constantly in an environment surrounded by students and other IT professionals working towards validating their skill sets, its imperative to utilize such time saving approaches. Not to mention that what you demonstrate can positively rub off on to others.

Just to further extrapolate; An IT training facilitator delegated with the chore in need of scrolling through basic configurations from top to bottom, will find the following command, ‘show run exclude !’ , plays a useful role in reducing the time it takes when bypassing all of those seemingly incessant exclamation points, not to mention the time saving benefits when you copy the configuration to a notepad which further complements your time savings when the need arises to add those same configurations on other router or switch devices in your lab or other non productive testing environments.

I know what you may be thinking by now. Your thinking…, “but I like having the exclamation points and besides they are needed because it is important for documenting comments and it assists me in queuing where one configuration ends and where one configuration begins.” No argument here. You’re right. My reasoning for using this sample line command was to emphasize the good habits you are instilling. It is apparently more useful and beneficial using show run begin or show run include as depicted in the article previously referenced, since it sends you to the specific area of the configuration depending on the object you would want to search. Again, an excellent time savings endeavor.

More time saving techniques can be adhered to by practicing the “ do” command which can allow you to apply show commands normally only viewed from the execution mode but instead used in the global configuration terminal mode. Example While in the ( config )# ”Do show ip int brief” (Notice I didn’t say do show run) but you can.

Where is the times savings here for that endeavor? It gives you one less level to scale down to, and one less level to move you back up. Add that up in a days work. J

Let’s take a look at some other fun ‘saving tip’ navigational skills you can do on your switches without using the show run command.

Here is what I will go over: Show vlan-s
Show int tr
Sh eth summ

Let’s say you want to check on the specific trunks that you have configured: Instead of ‘show run’, you can do ‘sh vlans-s’.

You can then view the port numbers that are shown as vlans. If you don’t see a port number then you know the ports that are missing are configured as trunk ports.

On the other hand, you can do a ‘sh int tr’: short for show interface trunk; this will provide you a view of which ports are set up as trunk ports.

The command ‘sh eth summ’: short for show ether-channel summary. This would provide us with the ports configured as Ether channel groups, assuming they were configured. If nothing shows up, that means none have been configured.

Ether Channel is used to provide for load balancing and fault tolerance, but that is for another topic at another time, and is beyond the scope of this article.

These are only just a few command lines to help us become more aware of time saving skills that we would otherwise unknowingly drain away in our daily schedule.

By enforcing smart and skillful navigational habits, we will be keeping our minds sharp and our actions more efficient in many endeavors we undertake.

Keep on practicing.

GRE over IPSec with EIGRP to Route Through Two Remote Sites Configuration Example

2009-07-20T14:03:00.000-07:00

Introduction

Let's consider the scenario when our company has two sites. They are equally big and some users require accessing other network devices directly by using its local IPs, or maybe you even have to replicate domain controllers over this tunnel. Let's say you want to access OWA and not too often check some shared files. The reason why I said not too often is because this will create some serious traffic over internet, if file is big.
Cisco GRE-Based VPN is the best choice for use, because it supports routing, QoS, Multicast and also non-IP protocols. You can configure it using SDM or CLI. The main downside is that this configuration is not multivendor. So both routers has to be Cisco routers with IOS that support VPN.

Refer here for differences between VPNs:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure0900aecd80582078.pdf

Network Diagram

Please check the diagram before you start to read further.

Components Used

- 2 Cisco routers 3745 running Cisco IOS (C3745-ADVIPSERVICESK9-M), Version 12.4(9)T1
- 2 Windows XP
- 1 Windows Server 2003 Enterprise

Configuration

This process has 3 steps:
- Configure the Generic Routing Encapsulation (GRE) Tunnels
- Configure Encryption for the GRE Tunnels
- Configure the Routing Protocol

Configure the GRE Tunnels

R1:
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2

R2:
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1

Check if you can ping by interface IP and by Tunnel IPs.

R2#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R2#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/48 ms

R1#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Configure the Encryption for the GRE Tunnels

First create a access list to define which traffic to encypt:

R1:

access-list 100 permit gre host 172.16.0.1 host 172.16.0.2

R2:

access-list 100 permit gre host 172.16.0.2 host 172.16.0.1

Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.

R1 & R2:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

Configure the crypto map

R1:

crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100

R2:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100

Apply on BOTH:

R1 & R2:
interface FastEthernet0/1
crypto map vpn

interface Tunnel0
crypto map vpn

Enable EIGRP

R1:

router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

R2:
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes

Full config

R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$JZ2K$15BvDKP555bzNmcnoxc2D.
!
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
username cisc0 privilege 15 password 0 cisc0
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
!
!
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
alias exec sr show run
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
!
!
end

R2:
Building configuration...

Current configuration : 1412 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aIoH$XR1H76kiRYuPGtAV07ST3.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

This post is based on:
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration

Other Examples:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Teleworker: Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM

2009-07-13T15:28:00.000-07:00

Before we proceed to the hard core part let's take a look at Cisco promotion video first, Cisco Teleworking Solutions - The World Is Your Office:

One of the key portion of that advanced product is SSL VPN. It used to be called in the past Web VPN. It is usefull in the situations where you need to reach network resources in your company LAN from remote location. Most likely it will be home, cofee shop etc. In this post we will focus on how to access your computer at work from home using Remote Desktop, OWA (Outlook Web Access) and internal website with News and Anouncements, it can be even Sharepoint site.

Take a look at the logical diagram:

As you can see we have 2 Routers. One of them for your remote location (R2) and one of them (R1) at our company site. R2 does not have to be cisco router, it just has to provide internet connection. The network between R1 and R2 (172.16.0.0/16) acts as an internet in this lab environment. In this lab both routers are Cisco 3745 with IOS C3745-ADVIPSERVICESK9-M 12.4 (9) T1.

The configuration can be done via SDM (GUI software to configure Cisco Devices) or CLI.

R2 config:

R2#show run
Building configuration...

Current configuration : 935 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret s
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
control-plane
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
login
!
!
end

Below is a R1 config:

Current configuration : 3841 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret s
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
!
!
crypto pki certificate chain TP-self-signed-998521732
certificate self-signed 01
!---- output cut ---
ED20B032 D4BDEF14 5A114136 4C9F1794 3C3AA01E E670BC18 FC19B9B5
quit
username cisc0 privilege 15 password 0 cisc0
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address 172.16.0.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-998521732
inservice
!

webvpn context First
title-color #FFFF00
secondary-color white
text-color black
ssl authenticate verify all
!
url-list "First"
heading "Web Sites"
url-text "OWA" url-value "http://192.168.0.10/owa/exchange"
url-text "News" url-value "http://192.168.0.10/news"
!

port-forward "portforward_list_1"
local-port 3000 remote-server "192.168.0.100" remote-port 3389 description "XP1 RD"
local-port 3001 remote-server "192.168.0.10" remote-port description "DC1 Remote Desktop"
!
policy group policy_1
url-list "First"
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1 domain mydomain
inservice
!
!
end

If you accomplish that config on the XP2 you can connect using web browser. After you login you need to Start Application access. The Java applet will create a VPN and using IP 127.0.0.1:3000 you will be able to connect to your computer at work while being at home!

Login screen from XP2:

After you login and click Start Application Access you will see:

More info:

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml

cisco show running-configuration filter

2009-07-09T09:49:00.000-07:00

Tired of having to scroll through your whole running-configuration just to read one line at the very end? Cisco has an in built command filter that allows you to specify more accurately what information you want from the running configurations, and mastering these commands not only makes you look like you know what you are doing ,they could save you lots of time and frustration having to look through irrelevant information.

There are mainly three widely used filter in the running config. BEGIN, EXCLUDE and INCLUDE. We can see this issuing the show running-configuration (sh run since we're trying to save time here) followed by the vertical bar key (|). We hit the question mark to see our options.

R1#sh run | ?
append Append redirected output to URL (URLs supporting append operation
only)
begin Begin with the line that matches
exclude Exclude lines that match
include Include lines that match
redirect Redirect output to URL
section Filter a section of output
tee Copy output to URL

The begin command filters through the configuration until it hits the first line that matches whatever word you put in after. Having an understanding of how lines are expressed in the configuration comes in handy when choosing what to type in.

As an example, here is the running-configuration of a router I am currently working on

R1#sh run
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

If we only wanted informatin on the configured static routes, using the begin command we can filter to the exact line.

R1#sh run | begin ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

and we see that this begins the display with the first line that has the words "ip route"

We can use the include command to only display lines that have the words "ip route"

R1#sh run | include ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2

This is much more succint output and gives a much neater and pleasing to the eye display.

The Exclude command eliminates all the lines that have the word you put in. For example, if you wanted to remove all the lines that have the word "line".

R1#sh run | exclude line
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
exec-timeout 0 0
logging synchronous
!
!
end

Personally , I prefer the BEGIN and INCLUDE commands as they are more effective. Further more the output of the EXCLUDE command leaves some information hanging and that may be a bit confusing.

configuring cisco catalyst switch VTP modes

2009-06-29T17:16:00.000-07:00

VTP (Vlan Trunking Protocol) modes are different ways a switch can be set to share or interact with VTP advertisements. The three modes are Server, client and Transparent.

Server mode is the default setting for Cisco catalyst switches. Within any VTP domain, there must contain at least one switch configured in server mode. When in this mode, the switch can be used to add, modify or delete VLAN related infrormation. These changes are then advertised to other switches in the same domain that are configured as either servers or clients. The receiving switches then compare the revision number from the received update and if the revision number is higher, then it changes its configuration

Client mode is simply a receiver of VTP information configured from a server. when in client mode, no changes can be mad to the switch.

Transparent mode is where a switch will not listen to VTP information being advertised but will pass on the information to other switches. It acts as a standalone device and any VLAN information can be configured.

Configuring the modes:

First we get into the vlan database.

SWITCH#vlan database

We can then type in the vtp command followed by a question mark to see the different options.

SWITCH(vlan)#vtp ?
client Set the device to client mode.
domain Set the name of the VTP administrative domain.
password Set the password for the VTP administrative domain.
pruning Set the administrative domain to permit pruning.
server Set the device to server mode.
transparent Set the device to transparent mode.
v2-mode Set the administrative domain to V2 mode.

for now we shall only concentrate on the three vtp mode options: Server, client and transparent.

To configure as a Server simply type in the vtp server command and you get a notification that the device is switching into server mode.

SWITCH(vlan)#vtp server
Setting device to VTP SERVER mode.

The same goes for configuring as a vtp client.

SWITCH(vlan)#vtp client
Setting device to VTP CLIENT mode.

as well as transparent mode.

SWITCH(vlan)#vtp transparent
Setting device to VTP TRANSPARENT mode

To save and exit into the vlan database, simply type in "exit".

SWITCH(vlan)#exit
APPLY completed.
Exiting....

To verify the VTP mode configured, we can use the "show vtp status" command.

SWITCH#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 256
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x1A 0x47 0x70 0xB8 0xD1 0x2F 0x7E 0x32
Configuration last modified by 10.1.35.2 at 3-1-02 00:48:56

In this instance, the switch is in Transparent VTP operating mode.

Part 1: Which Routing Protocol Should I Choose? RIPv2 vs. OSPF

2009-06-23T11:43:00.000-07:00

When designing a network, one of the most important decisions you have to make is determining which routing protocol is best suited for the design of the network that you have created. I thought in this article I would create a simple table with some basic information in regards to some differences and similarities between two of the more popular, widely used routing protocols out there: RIPv2 (Routing Information Protocol) and OSPF (Open Shortest Path First). Below are some of the more important aspects of each routing protocol and hopefully they will aid you in choosing which protocol best suites the design of your network.

Click here to enlarge picture

As you can see, OSPF looks to be the more beneficial routing protocol of the two to use. In a later article, I will discuss the similarities and differences between OSPFv2 and EIGRP (Enhanced Interior Gateway Routing Protocol) and from there, we can determine which of the two, under your network's circumstances, would be the most beneficial routing protocol to use for your network.

Configuring NAT Part 2: Static Translation

2009-06-22T18:16:00.000-07:00

This article is a continuation of Part 1, so if you haven't read the part 1, I highly recommend that you go back and read Part 1. In this article, I will be assuming that you know how to configure the basic dynamic NAT configuration. However, if you are familiar with NAT and just want to read up on configuring a Static NAT, you can continue on without reverting to the previous NAT blog.

Let's do a concise review of Dynamic NAT configuration before moving on.

Step 1: Determine inside and outside networks.

GatewayRouter(config)#int s0/0
GatewayRouter(config-if)#ip nat outside
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip nat inside

Step 2: Ensure that the connectivity exists between the routers.

GatewayRouter(config)#ip route 0.0.0.0 0.0.0.0 s0/0

Step 3: Configure a pool private IP addresses.

GatewayRouter(config)#access-list 1 permit 10.0.0.0 0.0.0.255

Step 4: Configure a pool public IP addresses.

GatewayRouter(config)#ip nat pool OUTSIDE 216.116.120.250 216.116.120.254 net 255.255.255.248

Step 5: Configure Network Address Translation.

GatewayRouter(config)#ip nat inside source list 1 pool OUTSIDE

Step 6: Verification.

----------------------------------------------------------------------------------------

What is Static NAT

A type of Network Address Translation where an one-to-one map exists between a public IP address and an internal, private IP address. This method is manual and static; as a result, it is more time consuming and does not automatically react to changes in networks.

So, what is its purpose? When you publish your webservers or Front-end Exchange servers, you will need to associate those servers with a public IP address so that the clients and users can access the servers from external networks. Likewise, the above servers will also require a private IP address for internal users to access them. Instead of using two NIC's to resolve the above issue, it's recommended to use Static NAT to more securely kill two birds with one stone. Here are the general steps when configuring a Static NAT:

Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands at the interface or subinterface configuration mode.

Step 2: Ensure that the connectivity exists between the routers. By using either static routes or dynamic routing protocols, make sure that your inside global network can connect to the outside network.

Step 3: Configure Static Network Address Translation. Define components that will be translated.

Step 4: Verify your work

In the below network diagram, let's configure a static NAT for the front-end Exchange Server.

Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands at the interface or subinterface configuration mode.

GatewayRouter#conf t
GatewayRouter(config)#int s0/0
GatewayRouter(config-if)#ip nat outside
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip nat inside

---------------------------------------------------------------------------------------------

Step 2: Ensure that the connectivity exists between the routers. By using either static routes or dynamic routing protocols, make sure that your inside global network can connect to the outside network.

GatewayRouter(config)#ip route 0.0.0.0 0.0.0.0 s0/0

---------------------------------------------------------------------------------------------

Step 3: Configure Network Address Translation. Define components that will be translated.

GatewayRouter(config)#ip nat inside source static 10.1.0.25 216.116.120.252

Note that for Static NAT, you do not need to configure a pool or an access-list.

Are you late? Synchronize cisco router with Network Time Protocol (NTP)

2009-06-18T17:31:00.001-07:00

One of the first thing you do when you purchase your desktop, laptop, cell phone, your PDA, server or mp3 player etc. is to check the calendar, check the time and hour. Is that right? I hope it is. Why should we not do the same with Cisco router (or switch). It is very important especially if you are about to read log information and understand them, or if you have VoIP system, this setting will be displayed on all phones. Yes, including your boss.

In this post, I will show you how to:

check your current router clock
synchronize using ntp to one of the public NTP server
verify updated router clock

Cisco Router 2621 with IOS Version 12.3(19) was used during setup.

First let's check what is your current router clock setting:

Router#show clock
*07:34:56.011 UTC Sat Mar 20 1993

As we can see not so current. Check the date of this post to compare.

Find NTP server that you can synchronize to (http://support.ntp.org/bin/view/Servers/StratumOneTimeServers).

Try to ping it.

Router#ping selected.ntp.server

Translating "selected.ntp.server"...domain server (1.2.3.4) [OK]

If it works, you are ready to establish NTP peer. Which means you will be a client and selected host an NTP server.

It can be done by:

Router(config)#clock timezone PST -8
Router(config)#ntp peer selected.ntp.server
Router(config)#ntp source fa0/1

First line will setup you time zone. The second one is specifying source that will be used to synchronize your router time. In the last line, as you can see, we have specified a port in order to make sure that source IP is our public IP so NTP server can reach us.

At this point we would like to verify our work, by:

Router#show clock
17:18:57.505 PDT Thu Jun 18 2009

Great job!

I hope in your case it worked too. If not please check : http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001612
or just go to:
http://www.cisco.com/univercd/home/home.htm

to find specific information about your particular model of device.

How to secure remote access to the cisco router (replace telnet with ssh)

2009-06-10T10:36:00.000-07:00

This post essentially was going to be about how to enable ssh on the cisco router. But.. I realized that in many cases when I say to someone:

You should stop using telnet while accessing your cisco device via public network (internet), because traffic is not encrypted and it is easy to sniff and see your passwords, your running config and anything you type and your router response. It is like having keylogger on your system. Use ssh instead, so traffic is encrypted and you are much safer.

That "someone" (you?) often says:

Really? Oh.. probably it is not so easy to sniff, come on!

Because of this I will show how "safe" you are using telnet. The second reason is because I can see the analogy from martial arts (I hope you like it). Before you learn how to block/protect yourself, you need to know how to strike first!

Please take a look at Figure 1. We will telnet from Microsoft Windows "XP" to Router "R", sniff the telnet traffi using wireshark, decode and read.

Below are scary results:

No way! You might say. As you can see if you use telnet someone can learn your passwords and your config, and if someone has bad day that time may wipe out your router config and reboot... You probably do not want to come to work and see this in the morning do you?

Let's fix it and enable ssh:

en
conf t
username cisco password cisco
aaa new-model
ip domain-name mydomain.com
cry key generate rsa
!
! --- use 2048 bit as a key length, and allow couple minutes for your router to generate key
!
line vty 0 4
!--- enable ssh service only
transport input ssh
end
wr

It will look like:

We are done, now we should use ssh client, from windows we will use putty. Take a look what can we sniff this time:

Try to guess my password now!

As we can see the security level has been improved a lot. It did not take too much effort either. I hope it will help to understand that telnet should be replaced by ssh usage, unless you do no care about security of your passwords or running config. It is possible if you are just using the router for quick and dirty testing or learning purposes.

Note: Please note that after you changed your connection type from telnet to ssh, you should change all passwords since someone could already sniff the current one.

Make sure your IOS support ssh using Ciso IOS advisor:
http://tools.cisco.com/ITDIT/ISTMAIN/servlet/index
(IOS used in this post was 12.4(9)T1 with Cisco 3745 router.)

More info:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Whats the purpose of Cisco-Loopback ip addresses?

2009-06-05T10:35:00.000-07:00

What is a purpose of a cisco loopback address? It is not assigned to any physical ports and cannot connect any networks to it. It almost seems useless and a waste of precious IP addresses. Furthermore, how do I go about assigning one.

Most people with a background in working with desktop computers have come across a loopback address, the most common being 127.0.0.1 that loops you back to your machine and checks pinging it checks if your TCP/IP stack is up and running.

With cisco devices, loopback addresses are virtual and are not assigned to physical interfaces that you can see. It can be a very powerful tool in any infrastructure as its strongest characteristic is that it never goes down unless the whole device goes down. This is very significant to processes that use IP addresses to point to a particular device. One example is ospf that uses router id's to establish neighbor addresses. The router ID is determined as the highest active loopback address. If this is not available then the highest IP address is chosen. In a situation where a physical port goes down that happens to be the root-id then the router is deemed to be unavailable, resulting in a whole election process for all routes through that router, even though in reality the other routes are still available. Another example of the use of loopback addresses is in lab environments to simulate networks behind a router. Assignig a loopback address is a simple task as shown below:

Router(config)#interface loopback 1
Router(config-if)#ip address 192.168.0.1 255.255.255.0
Router(config-if)#exit

Where the the number "1" is the loopback interface number and is locally significant. The address can be verified on the running config as well as usinig the "show ip interface brief command"

Serial0/0 unassigned YES unset administratively down down
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset administratively down down
Loopback1 192.168.0.1 YES manual up up

As we can see, the interface immediately shows up as up and up even when all the other interfaces are down. Loopback addresses are great for management and if utilized properly can be a great tool to ping and check if your routers are up and running as well as for remote connection to a device.
What other uses can you think of ?

Configuring NAT Part 1: Dynamic Translation

2009-06-03T11:35:00.000-07:00

NAT was introduced to help resolve the issue of IP Address shortages. With a fast growing number of devices that require an IP Address, many experts predicted that the pool of IP addresses will run out soon. Before a well thought out, long-term solution can be implemented, a few short-term solutions were introduced. Amongst ingenious solutions such as CIDR and Private IP addresses, NAT was introduced.

The term NAT is used by many vendors, and it may differ slightly depending on which equipment you are using to configure NAT. In this blog, we will be exploring NAT used by Cisco IOS.

Here are general steps when configuring a NAT:

Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands at the interface or subinterface configuration mode.

Step 2: Ensure that the connectivity exists between the routers. By using either static routes or dynamic routing protocols, make sure that your inside global network can connect to the outside network.

Step 3: Configure a pool private IP addresses that will be allowed to access the external network

Step 4: Configure a pool public IP addresses that will be used by your internal network to access the external network

Step 5: Configure Network Address Translation. Define components that will be translated.

Step 6: Verify your work

Let's configure the Gateway Router from the below diagram so that the PC's in the internal network can communicate with the devices in external networks.

Step 0: Configure base configuration and assign IP addresses according to above diagram

Router>enable
Router#configure terminal
Router(config)#hostname GatewayRouter
GatewayRouter(config)#interface s0/0
GatewayRouter(config-if)#ip add 216.116.120.250 255.255.255.248
GatewayRouter(config-if)#no shutdown
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip add 10.0.0.1 255.255.255.0
GatewayRouter(config-if)#no shut

Always verify that IP addresses are inputted properly and the Status and Protocol are both up.

-------------------------------------------------------

GatewayRouter#conf t
GatewayRouter(config)#int s0/0
GatewayRouter(config-if)#ip nat outside
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip nat inside

-------------------------------------------------------

GatewayRouter(config)#ip route 0.0.0.0 0.0.0.0 s0/0

-------------------------------------------------------

Step 3: Configure a pool private IP addresses that will be allowed to access the external network

You need to specify the source addresses that will be translated. In this exercise, you will be using an access-list to specify a pool of IP addresses. We will be allowing all internal IP addresses to pass through the gateway router.

GatewayRouter(config)#access-list 1 permit 10.0.0.0 0.0.0.255

-------------------------------------------------------

Step 4: Configure a pool public IP addresses that will be used by your internal network to access the external network

Next step is to specify the pool of IP addresses that will be used as Inside Global IP Addresses. Ensure that the pool name specified in the previous command matches the pool name you will be creating in the below command line. Please note that pool name is case-sensitive.

GatewayRouter(config)#ip nat pool OUTSIDE 216.116.120.250 216.116.120.254 net 255.255.255.248

Note that the first IP address marks the starting point of the Inside Global IP Address and the second IP address marks the last Inside Global IP Address to be used for NAT.

-------------------------------------------------------
Step 5: Configure Network Address Translation. Define components that will be translated.

GatewayRouter(config)#ip nat inside source list 1 pool OUTSIDE

As you can see there are many options to choose from. Let’s go over the options that we chose.

-------------------------------------------------------

Step 6: Verification

The last step is to verify that the Network Address Translation works. You can login to one of your PCs and ping out to the internet. If you have a DNS set up, you can ping a known websites such as google.com or yahoo.com. If your internet network does not have a DNS setup, try to ping an external DNS such as 4.2.2.3. Once you have successfully pinged an external entity, you can revert to GatewayRouter to verify the translation.

Translation is successful. Please note that port number from the output will vary, but the port numbers from Inside global and Inside local will generally match.

How Are IP Addresses and Subnet Masks Related?

2009-05-21T15:25:00.001-07:00

One of the topics that I (along with many others) had trouble understanding was how to differentiate the network side of an IP address with the host side of an IP address. For example, our computer has an IP address 192.168.1.1 with a subnet mask of 255.255.255.0. The subnet mask is key in determining the difference between your network address and host address.

Now let’s break down our computer’s IP. Every IP consists of four, 8-bit octets that range in decimal value from 0 to 255. For instance, 192 (our IP’s 1st octet) in decimal translates to 11000000 in binary (for more information on binary to decimal translation, see this article: http://www.wikihow.com/Convert-from-Binary-to-Decimal). This next step is key. ANY BINARY ‘1’ IN OUR SUBNET DEFINES THE NETWORK, and ANY ‘0’ IN OUR SUBNET DEFINES OUR HOST. Because our subnet mask’s 1ST, 2nd, and 3rd octets are 255 (or 11111111 in binary), this means that our network address that our IP exists in is 192.168.1.0. The 4th octet, thus, defines the host number in this network. So in this one particular network, 192.168.1.0, we can have up to 254 host computers. You may wonder why not 255?? This is because the host address 255 (192.168.1.255) is reserved for the network’s broadcast address. Therefore, we can only host 254 addresses on our network (1-254).

Let’s try a little harder example this time. Say we go to the command line on our computer and do an “ipconfig” command to display our IP and subnet mask. The output displays our IP address being 192.168.1.193 with a subnet mask of 255.255.255.192. The first thing to do is break the IP address into each octet. Luckily for us, the 1st three octets are all our network address as defined by the subnet being all 1’s (255 = 11111111 in binary). Now all we need to worry about is our last octet! The 192 in our subnet mask translates to 11000000 in binary (All ‘0s’ being possible host IP addresses). Because our network is defined by 1’s in the subnet, the first 2 bits of the last octet of our IP are still part of the network address. So, if we translate 193 to binary, we get 11000001. 193 ends up being the first host in the network 192.168.1.192! So in this case, our network address is 192.168.1.192 in which hosts in this network will range from 192.168.1.193 – 192.168.1.254!

Fortunately for us, IPv6 has been created which voids the need for differentiating the network address from the host address using a subnet mask. I will post this topic in a later article, but for now, IPv4 takes practice, practice, and even more practice to understand the concept of the relationship between your IP address and subnet mask. Try it yourself on your computer at home and let me know how things go!

IP Multicast Technology Overview

2009-05-20T16:10:00.000-07:00

Most of us are very familiar with p2p networks concept. They help to share or download files from many different sources at the same time, some of them are determining the closest source location before the download process starts. Even though the IP multicast works a little bit different than that, the concept and the goal is the same: to optimize the traffic and to utilize network connection more efficient if possible.

IP communication allows a host to send packets in two manner:

1. To a single host (called unicast transmission)
2. To all hosts (called broadcast transmission)

IP multicast provides a third possibility:

3. To a subset of all hosts (called a group transmission)

IP multicast is a bandwidth conserving technology that redueces traffic by simultaneously delivering a single stream of information to potentially thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news.

IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers while using a minimum of network bandwidth. Multicast packets are replicated in the network at the point where paths diverge by Cisco routers enabled with Protocol Independent Multicast (PIM) and other supporting multicast protocols, resulting in the most efficient delivery of data to multiple receivers.

Many alternatives to IP multicast require the source to send more than one copy of the data. Some, such as application-level multicast, require the source to send an individual copy to each receiver. Even low-bandwidth applications can benefit from using Cisco IP multicast when there are thousands of receivers. High-bandwidth applications, such as MPEG video, may require a large portion of the available network bandwidth for a single stream. In these applications, IP multicast is the only way to send to more than one receiver simultaneously.

IP multicast addresses specify a “set” of IP hosts that have joined a group and are interested in receiving multicast traffic designated for that particular group. The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. IANA has assigned the IPv4 Class D address space to be used for IP multicast. Therefore, all IP multicast group addresses fall in the range from 224.0.0.0 through 239.255.255.255.

The most important terms are:
RP (Rendezvous Point) - it is designated router in your network that is usually the "center" of it. It receives and decides which path to choose to deliver packet to all receivers that are interested.

PIM (Protocol Independent Multicast) - is IP routing protocol-independent and can leverage whichever unicast routing protocols are used to populate the unicast routing table, including Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and static routes. PIM uses this unicast routing information to perform the multicast forwarding function. Although PIM is called a multicast routing protocol, it actually uses the unicast routing table to perform the RPF check function instead of building up a completely independent multicast routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.

PIM-DM (PIM Dense Mode) - uses a push model to flood multicast traffic to every corner of the network. This push model is a brute force method for delivering data to the receivers. This method would be efficient in certain deployments in which there are active receivers on every subnet in the network.

PIM-SM (PIM Sparse Mode) - uses a pull model to deliver multicast traffic. Only network segments with active receivers that
have explicitly requested the data will receive the traffic.

Bidir-PIM (Bidirectional PIM) - is an enhancement of the PIM protocol that was designed for efficient many-to-many communications within an individual PIM domain. Multicast groups in bidirectional mode can scale to an arbitrary number of sources with only a minimal amount of additional overhead.

More information visit a Cisco documentation page, for a configuration guides click here.

Etherchannel in a Nutshell: Understanding and Configuring the Cisco Technology

2009-05-14T12:08:00.000-07:00

Ever feel like your internet connection isn’t as fast as you think it could be? Along with that, shouldn’t there be a way to create fault tolerance between your computers and the internet in the case that one of your cables happens to go bad? Fortunately for you, there is a way to kill two birds with one stone. It’s called EtherChannel, an easily-configurable technology used primarily on Cisco switches.

Etherchannel allows the grouping of multiple, physical Ethernet links into one logical link. This provides both increased bandwidth as well as fault tolerance between your routers, switches, servers, hosts, etc. Each Etherchannel can consist of between two and eight Fast Ethernet, Gigabit, or 10 Gigabit Ethernet channels. This means that, depending on how many Ethernet links you create, you can create multiplied bandwidth as well as fault tolerance without losing connection on your newly created, grouped Ethernet link.

For example, let’s say you have two Cisco switches, both which have four Gigabit Ethernet ports. You have already established connectivity using one Gigabit port on each switch, but users are saying it is taking them too long to transport large, necessary files to each other. Each of our switches has 3 additional Gigabit Ethernet ports, but unfortunately all they are doing right now is collecting dust. Creating 3 additional physical Gigabit Ethernet links allow us to group these all together into one logical link using Etherchannel to multiple our original Gigabit speed by four AND create backup links at the same time in case one of them fails! So in essence, our previous bandwidth of 1 Gbps is now 4 Gbps including fault tolerance!!!

For additional information on the subject, please refer to the following links:

Cisco EtherChannel Technology

Configuring EtherChannel

Using Question Mark For Secret Password With Cisco Routers and Switches

2009-05-11T10:53:00.000-07:00

As you know a question mark in Cisco IOS (Internetwork Operating System) is used to display available options in the context you actually are. What if you want to use a question mark as a one of the letters of your password? We will assume the password you want to use is "qm?".

If you use it here is what will show:

Router(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password

Even if you type the beginning of it:

Router(config)#enable secret qm?
LINE
Router(config)#enable secret qm

It still comes back to just "qm". So how can we use it? You need to press CTRL+v prior to pressing "?":

Router(config)#enable secret qm?

Whoala! The magic combination was CTRL+v.
By the way you may have the idea to cut and paste a "?" from the notepad into terminal try it... and let us know.