Note:
1: Enable secret password is encrypted by default. Enable password is not.
2: If both enable secret and enable password are specified, the enable secret overrides the enable password.

1. Set a console password to chicagotech
1) Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password chicagotech

2. Set a telnet password to chicagotech
1) Router(config)#line vty 0 4
2) Router(config-line)#login
3) Router(config-line)#password chicagotech
=================================================

Enable SNMP on PIX
——————-
I just installed Netflow to monitor our Internet traffic rate. I have enabled snmp on our Cisco PIX515. The netflow displays ?No devices have sent NetFlow exports to the software yet?. I am not sure the problem is PIX configuration or Netflow settings. How do I test the snmp settings in PIX?

access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any host 192.168.11.253 eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any host 192.168.10.10 eq 3389
access-list 192_splitTunnelAcl permit ip LAN 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 VPN 255.255.255
.240
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any VPN 255.255.255.240
access-list outside_cryptomap_20 permit ip LAN 255.255.255.0 any
pager lines 24
logging on
logging trap errors
logging history informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.254 255.255.255.0
ip address inside 192.168.11.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.21.1-192.168.21.9
pdm location 192.168.11.253 255.255.255.255 inside
pdm location VPN 255.255.255.0 inside
pdm location LAN 255.255.255.0 outside
pdm location VPN 255.255.255.0 outside
pdm location LAN 255.255.255.255 inside
pdm location RDC 255.255.255.255 inside
pdm location 192.168.11.2 255.255.255.255 inside
pdm location 192.168.10.104 255.255.255.255 outside
pdm location 192.168.11.254 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 2 192.168.10.250-192.168.10.253
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.11.253 192.168.11.253 netmask 255.255.255.255 0
0
static (inside,outside) 192.168.10.10 RDC netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http LAN 255.255.255.255 inside
http LAN 255.255.255.0 inside
snmp-server host outside 192.168.11.254
snmp-server host inside 192.168.11.254
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server outside 192.168.10.115 c:\
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 206.81.53.106
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 206.81.53.106 netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup 192 address-pool VPN
vpngroup 192 dns-server 4.2.2.1
vpngroup 192 split-tunnel 192_splitTunnelAcl
vpngroup 192 idle-time 1800
vpngroup 192 password ********
=====================================================

How to configure ASA to open port 3389 for TS
———————————————-
You need these two lines:

access-list outside_access_out extended permit tcp any host x.x.x.198 eq 3389

static (inside,outside) tcp interface 3389 10.0.3.2 3389 netmask 255.255.255.255

If you use ASDM, id for the Rule and if for the NAT
======================================================

How to view and save PIX/ASA configuration
——————————————
1. “copy run start” and “write terminal” to save running-config to startup-config.
2. “show startup-config to view the configuration in flash memory.
3. “show running-config” and “write terminal” to view the current running configuration .
========================================================

configure Cisco 831 router for two public IP addresse
—————————————————-
The following is the sample of NAT on 831.

ip dhcp excluded-address 172.16.5.1 172.16.5.9
ip dhcp excluded-address 172.16.5.51 172.16.5.254
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 4.2.2.1
!
!
no ip bootp server
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 192.168.10.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect sdm_ins_in_100 in
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.13 3389 192.168.10.70 3389 extendable
ip nat inside source static tcp 172.16.5.13 3389 192.168.10.71 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 172.0.0.0 0.255.255.255
no cdp run
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

831#
===============================================

Reset a Cisco Router Back to Factory Defaults
———————————————-
chicagotech831#conf t
Enter configuration commands, one per line. End with CNTL/Z.
chicagotech831(config)#config-register 0×2102
chicagotech831(config)#end
chicagotech831#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
chicagotech831#reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
======================================

Router modes
————-
User mode = Router>
Privileged mode = Router#
Global configuration mode = Router(config)#
Interface mode = Router(config-if)#
Subinterface mode = Router(config-subif)#
Line mode = Router(config-line)
Router configuration mode = Router(config-router)#
===============================================

Cisco Router Modes
——————–
Router> User mode

Router# Privileged mode (to chnage to Privileged mode, do Router> enable)

Router(config)# Global configuration mode (Router# conf t)

Router(config-if)# interafce mode (Router(config)# interafce ethernet0)

Router(config-subif)# Subinterface mode
Router(config-line)# Line mode
Router(config-router)# Router configuration mode
================================================

command lines
————–
1. To verify the operation of a routing protocol
show ip protocols

2. Display the IP routing table.
show ip route
=================================================

configure SSH for Secure Access
——————————–
ChicagoTech>En

Password:

ChicagoTech#conf terminal

Enter configuration commands, one per line.  End with CNTL/Z.

ChicagoTech(config)#hostname ChicagoTech

ChicagoTech(config)#ip domain-name howtocisco.com

ChicagoTech(config)#crypto key generate rsa

ChicagoTech(config)#ip ssh time-out 60

ChicagoTech(config)#ip ssh authentication-retries 4

ChicagoTech(config)#end

ChicagoTech#wr mem
===================================================

Create a VTP domain
———————–
chicagotech>en
password:
chicagotech#conf t
chicagotech(config)#vtp mode server
chicagotech(config)#vtp domain ms-mvps
chicagotech(config)#vtp password chicagotech
chicagotech(config)#end
chicagotech>copy running-config startup-config
==================================================

find the Switch and Port You are connecting to
———————————————
1. Find my laptop Mac address by using ipconfig /all. It is 00-16-D4-BA-D7-77
2. Telnet one of the switch and enable it.
3. Type “show mac-address-table address 00-16-D4-BA-D7-77”, it display
====================================================

Limit access #
—————
With Cisco Port Security, you can configure the port to accept certain Mac addresses and an additionl access will be denied. In this case, our maximum access # is 15.

Chicagotech>En
Chicagotech>password:
Chicagotech#conf t
Chicagotech(config)#interface fastethernet 0/9
Chicagotech(config-if)#switchport mode access
Chicagotech(config-if)#switchport port-security
Chicagotech(config-if)#switchport port-security max 15
Chicagotech(config-if)#switchport port-security violation protect
Chicagotech(config-if)#end
====================================================

setup interface
——————
Router#config
Router(config)#interface serial 1/1
Router(config-if)#ip address 10.0.0.10 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#ctrl-Z
Router#
=====================================================

shutdown multiple ports
————————
CHICAGOTECH>EN
CHICAGOTECH>PASSWORD:
CHICAGOTECH>CONF T
CHICAGOTECH(config)#inter range fastethernet 0/11 – 12
CHICAGOTECH(config-if-range)#no shutdown
CHICAGOTECH(config-if-range)#
CHICAGOTECH(config-if-range)#end
=====================================================

Interface command lines
————————–
1. to verify the status of the switch connections
show ip interface brief

2. Configure range interface
Switch(config)#interface range fastethernet 0/# – #, #, # – #
=======================================================

Configure trunking and VLAN routing
———————————–
Switch>en
password:
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#end
====================================================

confiugre Virtual Interface on a VLAN
————————————–
Router>en
passwrod:
Router#configure terminal
Router(config)#interface fastethernet 0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 192.168.11.2 255.255.255.0
Router(config-subif)#exit
Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#end
======================================================

Configure VLAN Subnets
———————-
Router>en
password:
Router#configure terminal
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 192.168.11.1 255.255.255.0
Router(config-if)#end
======================================================

How to delete switchport access vlan 200 line
——————————————–
CHICAGOTECH_1#show run inter
CHICAGOTECH_1#sh run interface gi1/0/7
Building configuration…

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/7
switchport access vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
end

CHICAGOTECH_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CHICAGOTECH_1(config)#int
CHICAGOTECH_1(config)#interface gi1/0/7
CHICAGOTECH_1(config-if)#default switchport access vlan
CHICAGOTECH_1(config-if)#no spanning-tree portfast
CHICAGOTECH_1(config-if)#do sh run int
CHICAGOTECH_1(config-if)#do sh run inter
CHICAGOTECH_1(config-if)#do sh run int gi1/0/7
Building configuration…

Current configuration : 99 bytes
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
end
====================================================

Re-configure VLAN for AP
————————-
Add or modify VLAN name
————————
chicagotech>en
password:
chicagotech#conf t
chicagotech(config)#vlan 1
chicagotech(config)#name lab1
===================================================

Situation: the client have 4 VLAN and they want to the Access Point to access all 4 VLAN. This is the show mac-address-table address 0019.3033.6a2a command result:

Mac Address Table
——————————————-

Vlan Mac Address Type Ports
—- ———– ——– —–
1 0019.3033.6a2a DYNAMIC Gi1/0/22
Total Mac Addresses for this criterion: 1

Resolution: The port configuration looks l ike this (default is VLAN 1)

interface GigabitEthernet1/0/22
switchport mode access
no ip address
no mdix auto
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

Change to:
interface GigabitEthernet1/0/22
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
no mdix auto

This is the result after changing:

show mac-address-table address 0019.3033.6a2a
Mac Address Table
——————————————-

Vlan Mac Address Type Ports
—- ———– ——– —–
1 0019.3033.6a2a DYNAMIC Gi1/0/22
100 0019.3033.6a2a DYNAMIC Gi1/0/22
200 0019.3033.6a2a DYNAMIC Gi1/0/22
300 0019.3033.6a2a DYNAMIC Gi1/0/22
Total Mac Addresses for this criterion: 4
=====================================================

VLAN command lines
——————-
1. How to check last modified VTP configuration
show vtp status

2. Verify a Trunk
show interface interface switchport | trunk

3. Verify A VLAN
show vlan brief | id vln_id | name vlan_name

4. Assign switch ports to a vlan
switchport access vlan vlan# | dynamic

5. configure dot1q trunk
switchport mode trunk | access | dynamic desirable | dynamic auto

6. verify STP for a VLAN
show spanning-tree active | detail | vlan_id | summery
==========================================================

How to enable Cisco ASA Web VPN
——————————–
To enable the HTTP Service on the ASA, please follow these steps:
1. Enable the HTTP server.
2. Enable WebVPN on the outside interface.
3. Configure WebVPN group attributes.
4. Configure user authentication.

1. enable.
2. Chicagotech#conf t
3. Chicagotech(config)# http server enable
4. Chicagotech(config)# http redirect outside 80
5. Chicagotech(config)# webvpn
6. Chicagotech(config-webvpn)# enable outside
7. Chicagotech(config-webvpn)#exit
8. Chicagotech(config)# group-policy VPNGroup internal
9. Chicagotech(config)# group-policy VPNGroup attributes
10. Chicagotech(config-group-policy)# vpn-tunnel-protocol webvpn
11. Chicagotech(config-group-policy)# webvpn
12. Chicagotech(config-group-webvpn)# functions file-access file-entry file-browsing
13. Chicagotech(config-group-webvpn)# exit
14. Chicagotech(config)# username chicagotech password ms-mvps
15. Chicagotech(config)# webvpn
16. Chicagotech(config-webvpn)# authentication-server-group LOCAL
========================================================

Configure routing
——————
Configure RIP Routing
Router#configure terminal
Router(config)# router rip
Router(config-router)# network 192.168.11.0
Router(config-router)# network 192.168.22.0
Router(config-router)#end

Configure EIGRP Routing
Router#configure terminal
Router(config)#router eigrp 10
Router(config-router)#network 192.168.11.0
Router(config-router)#network 192.168.22.0
Router(config-router)#end

Configure OSPF Routing
Router#configure terminal
Router(config)#router ospf 100
Router(config-router)#network 192.168.11.0 0.0.0.255 area 0
Router(config-router)#network 192.168.22.0 0.0.0.255 area 0
Router(config-router)#end

Verify the running configuration by displaying the router status at the first line
show running-config | begin router

To dump the routing table type
clear ip route *
====================================================

Sample of configuring Cisco 2955S switch
—————————————-
The Cisco Switch 2955 basic configuration will setup IP address, Subnet, Enable secret password, Enable password, and Telnet password. This is the sample.
Would you like to enter the initial configuration dialog? [yes/no]: Y (press Enter)

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system.

Would you like to enter basic management setup? [yes/no]: Y (press Enter)

Enter host name [Switch]: chicagotech

Enter enable secret: switch

Enter enable password: cisco

Enter virtual terminal password: ms-mvps

Configure SNMP Network Management? [no]: n

Enter interface name used to connect to the
management network from the above interface summary: vlan1

Configuring interface vlan1:
Configure IP on this interface? [yes]: y
IP address for this interface: 10.0.20.51
Subnet mask for this interface [255.0.0.0]: 255.255.0.0

Would you like to enable as a cluster command switch? [yes/no]: n

The following configuration command script was created:
hostname host_name
enable secret 5 #3$Max7$Qgr2rXBhtcYJw4KK7ac650
enable password cisco
line vty 0 15 password ms-mvps
snmp-server community public
……

[0] Go to the IOS command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration to nvram and exit.

If you want to save the configuration and use it the next time the switch reboots,
save it in nonvolatile RAM (NVRAM) by selecting option 2.

Enter your selection [2]:2
=====================================================

Introduction of Cisco Network Assistant
—————————————-
Cisco Network Assistant (CNA)  is a free, simple, smart, and  secure graphic tool to manage your Cisco network. With CNA, you can manage all your Cisco devices such as switches, routers, PIX 515 firewalls, IP phones, and wireless access-points in one software.. To me this is the greatest benefit to using Cisco Network Assistant. the following lists some of the features the tool offers.
1. Toolbar Icons
2. Checking Total Power Usage of the IP Phones and Wireless Access Points
3. Topology View
4. Checking Link Properties from the Topology View
5. Configuring VLANs or Applying Port Configurations to Multiple Ports Across Switches
6. Cisco IOS® Software Upgrade
7. Need Help?
8. Saving and Restoring Configuration Files
9. Smartports Advisor
10. Creating a Community
=============================================================

change time in Cisco
———————

1. show time information:
chicagotech1#sh clock
chicagotech1#*20:10:59.033 UTC Fri Mar 1 2002

2. Change to Central time:
chicagotech1#1(config)#clock timezone CST -6

3. Reset to current time:
clock set 10:50:00 Oct 26 2006
===========================================================

clear configuration
—————————
1. “clear configuration all” clears the current running configuration and is reset to the default running configuration.
2. To restore the startup configuration, go “copy st run”.
3. “write erase” clears startup configuration and is reset to the factory default configuration with “reload” command.
============================================================

load a new code for ASA
————————
1. Downlaod the code first.
2. Run ASDM and then choose tools/upgrade software.
3. Select the code from Local File Path by using Browse Local Files.
4. In the Flash File System Path, type or Browse Flash: disk0:/asa722-22-8k.bin
5. Click Upload Image.
===========================================================

show and modify Cisco Wireless Bridge date and time
—————————————————
1. “show clock” to display the time and date.
2. For following are examples how to modify the time and date.

config terminal
clock set 14:20:00 31 december 2007
clock timezone central -6.
=========================================================

SHOW COMMANDS
————–
Show access-lists – all access lists on the router
Show cdp – cdp timer and holdtime frequency
Show cdp entry * – same as next
Show cdp neighbors detail – details of neighbor with ip add and ios version
Show cdp neighbors – id, local interface, holdtime, capability, platform portid
Show cdp interface – int’s running cdp and their encapsulation
Show cdp traffic – cdp packets sent and received
Show clock – displays time set on the router
Show controllers serial 0 – DTE or DCE status
Show dialer – number of times dialer string has been reached, other stats
Show flash – files in flash
Show frame-relay lmi – lmi stats
Show frame-relay map – static and dynamic maps for PVC’s
Show frame-relay pvc – pvc’s and dlci’s
Show history – commands entered
Show hosts – contents of host table
Show interface – displays statistics of all interfaces
Show int f0/26 – stats of f0/26
Show interface Ethernet 0 – show stats of Ethernet 0
Show interface brief – displays a summary of all interface, includng status and IP address assigned
Show ip – ip config of switch
Show ip access-lists – ip access-lists on switch
Show ip interface – ip config of interface
Show ip protocols – routing protocols and timers
Show ip route – Displays IP routing table
Show ipx access-lists – same, only ipx
Show ipx interfaces – RIP and SAP info being sent and received, IPX addresses
Show ipx route – ipx routes in the table
Show ipx servers – SAP table
Show ipx traffic – RIP and SAP info
Show isdn active – number with active status
Show isdn status – shows if SPIDs are valid, if connected
Show mac-address-table – contents of the dynamic table
Show protocols – routed protocols and net_addresses of interfaces
Show running-config – dram config file
Show sessions – connections via telnet to remote device
Show startup-config – nvram config file
Show terminal – shows history size
Show trunk a/b – trunk stat of port 26/27
Show users – displays all users connected to the router
Show version – ios info, uptime, address of switch
Show vlan – all configured vlan’s
Show vlan-membership – vlan assignments
Show vtp – vtp configs
=================================================

What’s it Overloading?

Overloadingis a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

=================================================

ASA 5510 backup and restore using TFTP
————————————-
Backup:

1. Run TFTP server.
2. Run telnet to access ASA.
3. Type enable, then the password..
5. Then follow the this procedure:
chicagotechpix# copy startup-config tftp:
Address or name of remote host []? 192.168.0.2

Destination filename [startup-config]? 072406
!!!
8507 bytes copied in 0.40 secs

Restore:
1. Run TFTP server.
2. Run telnet to access ASA.
3. Enable.
5. Then follow the this procedure:

chiacgotechpix# copy tftp start

Address or name of remote host []? 192.168.0.2

Source filename []? 072306tftp

Accessing tftp://192.168.0.2/072306tftp…!!!
Writing system file…
!!!
8507 bytes copied in 0.260 secs
ciscoasa# wr mem

Note: 1. to copy TFTP file to running-config, do copy tftp run, give tftp Ip, source file name and press enter to confirm Running-config.
2. show run to display running-config.
3. show start to display start config.
===================================================

backup/restore switch configuration using TFTP
———————————————
1. Telnet the switch.
2. Issue enable command.
3. Issue copy running-config tftp: command.

This is the example.

chicagotech01#copy running-config tftp:
Address or name of remote host []? 10.0.0.11
Destination filename [chicagotech1-confg]? chicagotech1
!!
1825 bytes copied in 1.780 secs (1025 bytes/sec)

To Rstore, run copy tftp: running-configand then follow the instruction.
=============================================================

backup/restore Cisco PIX
————————-
Cisco pix backup

It depends on the PIX version. You may try the following commands.

To copy configuration to tftp
chicagotechpix (config)#configure net 10.0.0.254:/filename

Note: You may be able to do that in enable mode
or

chicagotechpix #write net 10.0.0.254:/filename
Note: You may be able to do that in config mode

or

To copy the PIX image from Flash to the TFTP server:
chicagotechpix #copy flash tftp

To copy the image from TFTP to Flash without intervention.
chicagotechpix(config)#copy tftp: flash
===========================================================

copy config.txt to Cisco switch
——————————–
1. Copy and save the configuration as config.txtx
2. Download and install TFTP32.
3. Run TFTP32 and Browse the config.txt.
4. Telnet the switch.
5. Use copy tftp: command to downalod the configuration
===========================================================

Copy configuration from TFTP
—————————-
To erase the running configuration and re-load the configuration file from FTFP, follow theses steps:

Chicagotech>en
Chicagotech>password:
Chicagotech#erase startup-config
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
Chicagotech#show startup-config
startup-config is not present
Chicagotech#copy tftp://192.168.2.254/Chicagotech startup-config
===============================================================

restore config.txt from tftp
—————————-
1. Run the tftpd32.
2. Browse the file and click OK.
3. Check Show Dir to make sure the config.txt is there.
4. Login the wireless router/switch and enable mode.
5. Type this command: copy tftp://ipaddress/config.txt flash: config.txt.

Note: To check the flash files, use this command: sh flash.
=================================================================

restore Cisco config from TFTP
——————————
1. Run a TFTP program.
2. Telnet to the Cisco router and enable it. Then follow these steps:

chicagotech831#copy tftp: running-config
Address or name of remote host []? 192.168.10.100
Source filename []? chicagotech831-config
Destination filename [running-config]?
Accessing tftp://192.168.10.100/chicagotech831-config…
Loading 121306-internetok from 192.168.10.100 (via Ethernet1): !
[OK - 2115 bytes]

2115 bytes copied in 10.284 secs (206 bytes/sec)
================================================================

Save cisco router configuration to TFTP
—————————————
1. Run a TFTP program.
2. Telnet to the Cisco router and enable it. Then follow these steps:

chicagotech831#copy running-config tftp:
Address or name of remote host []? 192.168.10.100
Destination filename [chicagotech831-confg]?
!!
2115 bytes copied in 1.512 secs (1399 bytes/sec)
chicagotech831#
==============================================================

Use an FTP server to restore Cisco config
—————————————–
1. Make sure the FTP is running and let you uploag.
2. Telnet to the Cisco router and enable it.
3. Configure the FTP username and password.
CHICAGOTECH831#conf t
CHICAGOTECH831(config)#ip ftp username chicagotech
CHICAGOTECH831(config)#ip ftp password chicagotech
CHICAGOTECH831(config)#end
CHICAGOTECH831#

4. Router#copy ftp: running-config
5. Address or name of remote host [192.168.10.100]?
6. Source filename [CHICAGOTECH831_confg]?
7. Destination filename [running-config]?
8. Accessing ftp:// 192.168.10.100/ CHICAGOTECH831_confg…
9. Loading CHICAGOTECH831_confg!
10. [OK - 1423/4764 bytes] 1425 bytes copied in 13.423 secs (76 bytes/sec)
================================================================

Restore config issue

Situation: the client had a Cisco consultant to setup Outdoor wireless 1310 bridge. After finishing the configuration, the consultant save the config file as word format. When the client tries to restore the config using the word file, he losses the configuration in the ridge. After rebooting it, the bridge shows hostname\par>. He can’t logon using the enable password.

Solution: Turn off the bridge and turn it on while hold esc key. That will restore to the manufacturer default settings. Then restore the config using text format instead of word format.

==============================================================

How to upgrade Cisco IOS for 2900 and 3500 Switch
————————————————
1. Check the Flash memory.

chicagotech#dir flash:

Directory of flash:/

2  drwx         704   Feb 28 1993 18:03:50  html

4  -rwx         109   Feb 28 1993 18:01:57  info

5  -rwx     1751867   Feb 28 1993 18:03:00  c3500XL-c3h2s-mz.120-5.WC3b.bin

16  -rwx         109   Feb 28 1993 18:03:50  info.ver

17  -rwx       94680   Feb 28 1993 18:04:08  c3500XL-hdiag-mz-120.5.2-XU

18  -rwx         355   Dec 31 1969 18:00:08  env_vars

19  -rwx         616   Jan 22 2008 15:21:16  vlan.dat

21  -rwx        2462   Jun 19 1993 18:02:13  config.text

3612672 bytes total (358912 bytes free)

2. Delete the existing image since the file to be loaded is larger than the available capacity.

chicagotech#delete flash:c3500XL-c3h2s-mz.120-5.WC3b.bin

Delete filename [c3500XL-c3h2s-mz.120-5.WC3b.bin]?

Delete flash:c3500XL-c3h2s-mz.120-5.WC3b.bin? [confirm]

3. Delete access to the switch HTML pages.

chicagotech#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

chicagotech(config)#no ip http server

chicagotech(config)#end

chicagotech#delete flash:html/*

Delete filename [html/*]?

Delete flash:html/Snmp? [confirm]

%Error deleting flash:html/Snmp (Is a directory)

Delete flash:html/homepage.htm? [confirm]

Delete flash:html/not_supported.html? [confirm]

Delete flash:html/common.js? [confirm]

Delete flash:html/cms_splash.gif? [confirm]

Delete flash:html/cms_12.html? [confirm]

Delete flash:html/cms_13.html? [confirm]

Delete flash:html/cluster.html? [confirm]

Delete flash:html/CMS.jar? [confirm]

Delete flash:html/CiscoChartPanel.jar? [confirm]

Delete flash:html/Redirect.jar? [confirm]

4. Us etar command to copy the combined .tar file to the switch.

chicagotech#tar /x tftp://10.0.0.11/c3500xl-c3h2s-tar.120-5.WC17.tar flash:

Loading c3500xl-c3h2s-tar.120-5.WC17.tar from 10.0.0.11 (via VLAN1): !

extracting c3500xl-c3h2s-mz.120-5.WC17.bin (1811552 bytes)!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!

html/ (directory)

extracting html/homepage.htm (3988 bytes)!

extracting html/not_supported.html (1392 bytes)

extracting html/common.js (9449 bytes)!!

extracting html/cms_splash.gif (22152 bytes)!!!!

extracting html/cms_13.html (1211 bytes)!

extracting html/cluster.html (2823 bytes)!

extracting html/Redirect.jar (4229 bytes)!

extracting html/c4v4_disc.sgz (9806 bytes)!!

extracting html/CMS.sgz (955595 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

extracting html/CiscoChartPanel.sgz (58784 bytes)!!!!!!!!!!!!

extracting html/cms_boot.jar (44484 bytes)!!!!!!!!!

extracting info (109 bytes)

extracting info.ver (109 bytes)

[OK - 2938368 bytes]

chicagotech#

5. Use dir flash command to make sure the new image in the Flash.

chicagotech#dir flash:

Directory of flash:/

2  drwx         768   Jan 22 2008 16:12:20  html

4  -rwx         109   Jan 22 2008 16:12:22  info

5  -rwx     1811552   Jan 22 2008 16:11:36  c3500xl-c3h2s-mz.120-5.WC17.bin

16  -rwx         109   Jan 22 2008 16:12:22  info.ver

17  -rwx       94680   Feb 28 1993 18:04:08  c3500XL-hdiag-mz-120.5.2-XU

18  -rwx         355   Dec 31 1969 18:00:08  env_vars

19  -rwx         616   Jan 22 2008 16:12:16  vlan.dat

21  -rwx        2462   Jun 19 1993 18:02:13  config.text

3612672 bytes total (582144 bytes free)

6. Set the boot parameter so that the switch will boots with the new image after reloading.

chicagotech#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

chicagotech(config)#boot system flash:c3500xl-c3h2s-mz.120-5.WC17.bin

7. Re-enable access to the switch HTTP pages.

chicagotech(config)#ip http server

chicagotech(config)#end

8. Reload the new image.

chicagotech#reload

System configuration has been modified. Save? [yes/no]: y

Building configuration…

[OK]

Proceed with reload? [confirm]
===================================================================

test certificate is working using Cisco command
———————————————
The command line is

test aaa gr r username password l.

When using test aaa to test windows IAS, you may receive Event ID 2: Reason-Code = 66. That means the Cisco router is talking to the IAS server, but don’t recognize the non-domain user.

=============================================================

TROUBLESHOOT
—————

Problem: We have a used Cisco 1720 router. No one knows the password. I am trying to recover the password, but I can’t. I press Break on the terminal (windows XP, 2000) keyboard within 60 seconds while turn on the router, but the router still loads the image and asks for the password. I have tried Ctrl+Break, Shift+Break, Shift+F5. I also tried 3 computers. Any suggestions.

A: Try TeraTerm.

Q: Downloaded TeraTerm that helps me to recover the password. These are the steps:

1. Turn on the power while hold Alt+B.
2. Type confreg 0×2142 at the rommon 1>
3. Type reset at the rommon 2>
4. You will have
— System Configuration Dialog —

Would you like to enter the initial configuration dialog? [yes/no]:

5. Type yes to continue and you will see

“Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system”.

Would you like to enter basic management setup? [yes/no]:

6. Type yes to continue and follow the instruction to configure the router.

Related Topic

Password Recovery Procedures [Cisco IOS Software Releases 12.1 Mainline] – This … o Password Recovery Procedure for the Cisco 806, 827, and 837 Routers …
=======================================================

http://www.howtocisco.com/

http://www.chicagotech.net/netforums/

Open Systems Interconnection (OSI)
OSI consists of two environments; the OSI environment, which is made up
of seven
layers of OSI protocols and the local system environment, which is the
end computer
system. The reason for dividing the environment in this way was to avoid
interfering with
the innovation of the design and implementation of computer systems. OSI
facilitates a
vehicle to communicate between dissimilar or similar computer based
systems. The local
computer system environment has a closed operating system and performs
its designed
functions within these bounds. All application processes that do not
require
communicating with other systems to complete its tasks, will provide, the
end result with
out any problems. However when an application process needs to
communicate with
another application process located in a remote system, both systems must
become open
to the OSI environment Many operations and concepts are involved in this
process. There
is interaction between peer entities within a layer and interaction
between layers.
Important concepts to understand OSI Layering are:
·
Each layer performs unique and specific task

·
A layer only has knowledge of its immediately adjacent layers

·
A layer uses services of the layer below

·
A layer performs functions and provides services to the layer above

·
A layer service is independent of the implementation

The Application layer is unique among the seven layers in that, it has no
layer above. The
application consists of `Service Elements’ that are incorporated within
the application
process when it needs to become a part of the OSI environment.

CONCEPT OF A LAYER
Each layer contains a logical groupings of functions that provide
specific services for
facilitating a communication. A function, or a group of functions, making
up a functional
unit is a logical entity that accepts one or more inputs (arguments) and
produces a single
output (value) determined by the nature of the function. Functions can be
grouped in a collective unit, which is then defined as (N) layer having
(N+1) layer an upper layer
boundary and (N-1) layer as a lower boundary. The N layer receives
services from N-1
layer and provides services to N+1 layer.
SEVEN LAYERS OF THE OSI MODEL AND THEIR FUNCTIONS
·
Layer 7 is the APPLICATION layer: provides services directly to
applications. Responsible for
identifying and establishing the availability of the intended partner,
and required resources. It is also
responsible for determining if there exist sufficient communication
resources to reach the remote
partner.
·
Layer 6 is the PRESENTATION layer: Data encryption, decryption,
compression and decompression
are functions of this layer. It does this by using Abstract Syntax
Notation 1 (ASN.1) ASN.1
standardization allows differing computer architectures to exchange data
that are from differing
computer architectures.
·
Layer 5 is the SESSION layer: facilitates a dialog between communicating
systems and controls the
dialog. Offers three different dialogs, simplex, half-duplex and full
duplex. Session is set up by
connection establishment, data transfer and connection release.
·
Layer 4 is the TRANSPORT layer: Segments data and also reassembles data
from upper layers.
Delivers data in a connection and connection less modes. Includes simplex
(one way) half duplex (both
ways one at a time) full duplex (both ways simultaneously). Also flow
control and error recovery.
·
Layer 3 is the NETWORK layer: Establishes a connection between two nodes
by physical and logical
addressing. Includes routing and relaying data through internetworks.
This layer’s primary function is
to deliver packets from the source network to the destination network.
·
Layer 2 is the DATA LINK layer: Ensures hardware addressing of the
device, and delivery to the
correct device. Translates data messages from upper layers to frames,
enabling hardware to transmit
upper layer messages as a bit stream. Provides flow control to the layer
2. Also carries a Frame Check
Sequence to make sure the frame received is identical to the one
transmitted.

·
Logical Link Control (LLC) Sublayer of the Data Link Control layer
provides flexibility to Network
Layer and the Media Access Control (MAC) layer. It runs between Network
Layer and the MAC
sublayer of the data Link Layer.

·
Media Access Control (MAC) Sub Layer of the Data Link Layer is
responsible for framing. It builds
frames from the 1s and 0s that the Physical Layer picks up from the wire.
·
Layer 1 is the PHYSICAL layer: Which transmits the raw bit stream and
includes electrical signaling
and hardware interface.

(2)
Describe connection orientated network service and connection less
network service.
Identify the key difference between them.
Department of Defense (DOD) model is analogous to the OSI model and is
the model
used in the TCP/IP protocol suite. Following are the layers of the DOD
model:
DOD Model
Analogous to
OSI Model
·
Process/Application
Application
Presentation
Session
·
Host to Host
Transport
·
Internet
Network

·
Network Access
Data Link
Physical

At the transport layer of OSI and the Host to Host layer of DOD, there is
a connection
establishment process with the end system. This is a very impotent
process where the
sending system decides whether to use a reliable link, which is
connection orientated,
resource intensive or to use an unreliable link, connection less access
to the end system
with very much less resource utilization.
The two protocols involved in the connection establishment of the end
system is
Transmission Control Protocol (TCP) for reliable connection and User
Datagram
Protocol UDP for unreliable connection.
TCP is defined in the RFC 793 and defines a reliable, connection
orientated full duplex
byte stream for a user process. TCP creates a CONNECTION orientated
service by
contacting the end system and establishing a set of guidelines both can
support. Such
agreements as how much data segments can be transferred before an
acknowledgement is
received. TCP takes large blocks of data coming from upper layers and
segments them.
Then it adds numbers to the segments so the end system can sequence them
at arrival and
assemble the original block before sending it to the upper layer. When
TCP creates a
connection between two end systems, it is called a VIRTUAL CIRCUIT. This
virtual
circuit is created at the time the one system needs to send a data stream
to the end system
and takes it down when the data transfer is completed.

The three phases of the TCP are CONNECTION ESTABLISHMENT, CONNECTION
MAINTENANCE and CONNECTION TIREDOWN.

UDP is defined in RFC 768. It is the protocol that does not consume
system resources as
much as TCP but it unreliable and transfers data to the destination
system with out
establishing a connection and hence, connectionless protocol. UDP sends
data to the
destination system in numbered segments same as TCP but it can not
retransmit erred
segments if they get lost or damaged.

·
Key differences between connection orientated network service and
connection less network service.

Packet header:
Connection orientated service
Connection less service

Source Port, Destination Port
Source Port, Destination Port

Sequence number
No Sequence Number

Acknowledgement Number
No Acknowledgement number

Data offset
No data offset

Length of data
Variable length of data

Flags
No flags

Window
No window

Check sum
Check sum

Urgent pointer
No Urgent pointer

Options and Padding
No Options and Padding

Both TCP and UDP use the concept of ports and sockets to identify a
connection between
two communicating computers. A connection-orientated service is mainly
used for secure
and reliable data transfer, where the requirement is also transfer of
data in timely manner.
If the underlying network, drops data packets because the network is
congested or the end
system buffers overflow, a connection orientated service can recover, but
the connection
less service cannot recover from such faults because, once the data frame
leaves the
sending systems buffer, it is cleared by the sending system and there are
no
acknowledgement sent to the sending system. To get the high reliability
with the
connection orientated system, large amount of system resources has to be
allocated for
buffers and CPU time. As for the connection less service it is analogous
to mailing a
letter and is not resource intensive. The buffers can be much smaller
because the frame
that is transmitted does not have to wait for an acknowledgment before
been discarded.

CPU utilization is much less for connectionless service because of the
absence
windowing mechanism.

(3)
Describe Data Link addresses and Network Address, and identify the key
differences.
Data Link addresses are the source address and the destination address of
the 48 bit BIA
of the hardware NIC card. At each interface these addresses change
because, on route to
the destination a frame has to pass may INC cards. Address Resolution
Protocol (ARP)
finds the MAC address when it moves to a different segment. Network layer
address has
a source and a destination address, which are end points of the
transmitting and receiving
systems. It provides routing and relaying functions to achieve it goal.
It provides a
transparent path to the transport layer for a best end to end packet
delivery service.

(4) Identify at least three reasons why industry uses a layered model
Layered model avoids interfering with the innovation of design and
implementation of
computer systems
Facilitates communication between dissimilar systems
Allow changes to one layer with out changing other layers
Facilitate systematic network trouble shooting
Reduce the complexity of networking into more manageable layers and sub
layers

(5)
Define and explain the five conversion steps of data encapculation
·
User information is converted to data
·
Data is converted to segments
·
Segments are converted to packets or datagrams
·
Packets or datagrams are converted to frames
·
·
Frames are converted to bits (1s and 0s)

(6)
Define Flow Control and describe the three basic methods used in networkig
Flow control stops a sending station from flooding the receiver station
buffers, if it has no
resources to match the speed of data arriving from the receiving station.
Once the buffers
are emptied at the receiver, it sends a message to the transmitter to
start sending again. It
is called windowing and controls how much data is transmitted from one
end to the other.
Has a fixed window say 7, the transmitting station sends seven packets
before waiting for
an acknowledgement packet. Once the acknowledgement is received at the
receiver, it
sends another seven packets.
Window size of one. Every packet sent to the receiver has to be
acknowledged before the
transmitter can send the next packet.

Variable window, if the receiving station for some reason finds difficult
to catch up with
buffer emptying, it then tells receiver to reduce the window size and the
sender does so.

(6)
List the key internetworking functions of the OSI network layer and how
they are
performed in a router.
Network layer of the OSI seven layer model conations many protocols that
a router use
to evaluate the best route it should take and it is updated regularly so
the best route is
available for the packet to be transported. Network layers primary
function is to send
packets from the originating network to destination network. After the
router has decided
the best path from source to the destination network, the router switches
the packet to it.
This is known as packet switching. Essentially, this is forwarding the
packet received by
the router on one network interface (NIC card), or port to the port that
connects to the
best path through the network cloud. An internetwork must continually
designate all
paths of its media connections. All routers in the internetwork cloud are
connected by
media (cables), each line connecting a router to another is numbered.
Routers use these
numbers as network addresses. These addresses posses and convey important
information
about the path of the media connections. They are used by routing
protocols to pass
packets from a source onward towards to its destination. The network
layer creates a
composite “network map” and a communication strategy model by combining
information about the sets of links into an internetwork with path
discrimination, path
switching and route processing functions. It can also use these addresses
to provide relay
capability and to interconnect independent networks. Routers using
network layer
protocols streamline network performance by not letting unnecessary
broadcasts get into
the internetwok cloud.

Knowledge of WAN protocols
(8)
Differentiate between the following WAN services: FRAME RELAY, ISDN/LAPD,
HDLC and PPP

Frame relay is used to connect large number of sites in the network
because it is
relatively inexpensive to do so. The service provider gives you a frame
relay circuit and
is charged for the amount of data and the bandwidth you use as oppose to
T1 circuit that
charges with a flat monthly rate whether you use partial bandwidth or the
full bandwidth
regardless. Frame relay is a high performance WAN protocol that operates
at the Data
Link layer and the Physical layer of the OSI model.
Integrated Services Digital Network (ISDN) is designed to run over
existing telephone
networks. It can deliver end to end digital service carrying voice and
data. ISDN operates
at OSI model, physical layer, data link layer and network layer. It can
carry multimedia
and graphics with all other voice, data services. ISDN supports all upper
layer protocols
and you can choose PPP, HDLC or LAPD as your encapsulation protocol. It
has two
offerings, Primary rate which is 23B+D channels. 23, 64 kbps and one
64kbps mainly
used for signaling. The other is the Basic Rate which has 2B+D channels
two 64kbps and
one 16kbps.
At data link layer ISDN supports two protocols; LAPB and LAPD. LAPB is
used to
mainly transfer data from upper layers and has three types of frames.
I-Frames carry
upper layer information and carries out sequencing, flow control, error
detection and
recovery. S- Frames carry control information for the I-frame. LAPD
provides an additional multiplexing function to the upper layers
enabling number of network entities
to operate over a single physical access. Each individual link procedure
acts
independently of others. The multiplex procedure combines and distributes
the data link
channels according to the address information of the frame. Each link is
associated with a
specific Service Access Point (SAP), which is identified in the part of
the address field.
High Level Data Link Control (HDLC) is a bit oriented data link layer
frame protocol
that has many versions similar to LAP, LAPB, and LAPD. CISCO routers
default
encapsulation is HDLC, but it is proprietary to CISCO.
Point to Point Protocol (PPP) is a Data Link Layer protocol that can be
used over ether
asynchronous (dial up) or synchronous (ISDN) lines. It uses Link Control
Protocol (LCP)
to build and maintain data link connections. Included in PPP is the
authentication
protocols, PAP and CHAP, and data compression. It supports IP, IPX,
AppleTalk,
DECnet and OSI/CLNS.
(9)
Recognize key Frame Relay terms and features

Frame Relay is a high performance WAN protocol that operates at the
physical and data
link layer of the OSI reference model. It was originally designed to
operate on ISDN
circuits, but today it is used on variety of network interfaces. To
configure Frame Relay
on a CISCO router, we have to specify it as an encapsulation on a serial
interface. There
are only two encapsulation methods are available, CISCO, the default and
the type IETF.
A frame Relay connection between CISCO devices the type: CISCO is used
and between
a CISCO device and a non CISCO device type IETF is used.
#encapsulation frame relay cisco or #encapsulation frame relay ietf
Frame Relay virtual circuits are identified by Data Link Connection
Identifiers (DLCI).
DLCIs are issued by the Frame Relay service provider. It is used to map
IP addresses at
each end of the virtual circuit. Local Management Interface (LMI) was
developed by
CISCO and others to enhance the CCITT-ITU standard with protocol features
that
allowed internetworking devices communicate easily with a Frame Relay
network. LMI
messages provide current DLCI values, global or local significance of the
DLCI values
and the status of virtual circuits. CISCO supports three types of LMIs:
CISCO which is
the default, ANSI and Q933A.

(10)
List commands to configure, maps and subinterfaces

To configure DLCI (config-if) #frame-relay interface-dlci 16
Any number from 0 to 4292967295 can be as the DLCI number.
To configure LMI
(config-if)#frame-relay lim-type q933a
Subinterfaces can have multiple virtual circuits on a single serial
interface and treat each
virtual circuit as a separate interface. The advantage of using
subinterfaces is that you can
assign different network layer characteristics each subinterface and
virtual circuit, such as
IP routing on one virtual circuit and IPX routing on another.
(config)# int s0.16 The serial interface s0 configured with a
subinterface 16
There are two types of subinterfaces, point to point and multipoint.
Point to point is used
when a single virtual circuit connect one router to another. Multipoint
is used when the
router is in the middle of star virtual circuits.

Map command is used to map IP devices address at the end of the virtual
circuits to
DLCIs so that they can communicate. There are two types of mapping: Use
Frame Relay
map command and use inverse-arp function. Example of Frame Relay map
command:
#int s).16
#encap frame relay ietf
#no inverse-arp
#ip address 172.16.30.1 255.255.255.0
#frame relay map ip 172.16.30.17 30 cisco broadcast

Example of Frame Relay inverse-arp command:
#int s0.16
#encap frame-relay ietf
#ip address 172.16.30.1 255.255.255.0
(11)
List commands to monitor Frame Relay operation on the router

In the user mode key in the following:
Router>sho frame ?
ip
show frame relay IP statics
lmi
show frame relay lmi statics
map
show frame relay map table
pvc
show frame relay pvc statics
route show frame relay route
traffic show frame relay protocol statics

(12)
Identify PPP operations to encapsulate WAN data on CISCO routers

Point to Point Protocol (PPP) is a data link protocol that can be used on
asynchronous
(dial up) or synchronous ISDN circuits. It uses Link Control Protocol
(LCP) to build and
maintain data link connections. Some features included in PPP are:
Password
Authentication Protocol (PAP) and Challenge Handshake Password
Authentication
Protocol (CHAP). Data compression and multiprotocols such as IP, IPX ,
AppleTalk
DECnet and OSI/CLNS are supported. Encapsulate PPP on the router
#int s0
#encapsulate ppp
(13)
State a relevant use and context for ISDN networking

Integrated Services Digital Network (ISDN) can run on existing telephones
lines to
provide an end to end digital service for both domestic and business
uses. ISDN can
carry, in addition to voice and data, multimedia as well. ISDN can used
as a backup
circuit for high speed network links. CISCO routers can be configured to
automatically
dial up on an ISDN link when the main network link goes down.
(14)
Identify ISDN protocols, function groups, reference points and channels

ISDN protocols were defined by CCITT (now ITU-T), and there are three
protocols that
define the complex transmission issues:
·
Protocol specifications beginning with latter E, specify ISDN on the
existing telephone network, ie;
Analog lines.

·
Protocol specifications beginning with letter I, specify concepts,
terminology and services.
·
Protocol specifications beginning with letter Q, specify trunk switching
and signaling.

(15)
Describe CISCO’s Implementation of ISDN BRI

ISDN Basic Rate Interface (BRI), service provides two B channels and D
channel, which
is also known as 2B+D. B channels operate at 64 kbps and carries user
information where
D channel operates at 16 kbps and usually carry control and signaling
information. D
channel signaling protocol spans the OSI reference model’s, Physical
layer, Data link
layer and the Network layer. The two 64 kbps lines can be used as a
single 128 kbps
channel. To place a call on ISDN is similar to placing a call on Plain
Old Telephones
(POTS). For ISDN network to identify a call placed on its network, you
must use
directory numbers and Service Profile Identifiers (SPID)s. These two
items are given to
you by the service provider. Directory number is a telephone number you
will use when
you call. The SPID is a number the telephone uses to identify equipment
on your ISDN
connection. Majority of switches in US are either AT&T 5ESS, 4ESS or
Northern
Telcom DMS 100. Attaching a CISCO router to ISDN needs either a Network
Termination 1 or an ISDN modem. If router has a BRI interface, (called
Terminal End
Point 1) then it is ready to be connected to the ISDN network.
Router#config t
Router(config)#isdn switch-type basic-dms100
Router(config)#int bri0
Router(config-if)#encap ppp
Router(config-if)#isdn spid 775456721
Router(config-if)#ppp authentication chap

IOS
(16)
Log in to a router in user and privilege mode

CISCO IOS software has a command interpreter called Exec. Exec has two
levels of
access: User mode and privilege mode. These two levels serve as for
access into the
different levels of commands. In user mode one can only do: Check router
status,
connecting to remote devices, making temporary changes to terminal
settings and
viewing basic system information. In the privilege mode you can change the
configuration of the router and get detail reports of router status. Test
and run debug
operations. Access global configuration modes.
When you first log into a router, press ENTER and you will be in the Exec
mode. At the
prompt it will ask if you need a password. Router> This is the User mode
as stated above
very little can be done at this level. When you type in Enable:
Router>Enable and press
return it will ask for the password. Once you key in the correct
password, your in the
privilege mode. Now the prompt will show you Router#.
(17)
Use the context-sensitive help facility

One can receive help on any command by typing ? after the command. In the
following
example: Router# clock ? you typed in clock a space and the question
mark, and pressed
enter. Reply was as follows: set
Set the time and date. Now you want to know what
format to enter. So you put another question after the set as follows:
Router# clock set ?.
Now you will get the format in the reply as follows: hh:mm:ss: Current
Time (hh:mm:ss)
(18)
Use the command history and editing features

The user interface comes in with an editing feature to help you type in
repetitive
commands. One can turn off editing by typing terminal no editing and
again turn it on
by typing terminal editing.
The router keeps the last ten commands you entered during your console or
terminal
session, in a special memory buffer called command history. One can
recall commands
from the command history buffer and reuse them or modify slightly to save
on typing. To
see all the commands type the following at the command prompt Router#show
history
and press enter. All commands you typed in will be shown. To increase the
size of the
command history buffer you type the following: Router#terminal history
size 100. This
will increase the size to 100 lines from the default value. VT 100
terminal emulation
gives use of up down and side arrows in addition to the other keys as
shown below:
·
CTRL+A
Move to the beginning of the command line
·
CTRL+E
Move to the end of the command line
·
CTRL+F (or right arrow)
Move one character forward
·
CTRL+B (or left arrow)
Move one character backward
·
CTRL+P (or up arrow)
Repeat previous command entry
·
CTRL+N (or down arrow)
Most recent command recall
·
ESC+B
Move backward one word
·
ESC+F
Move forward one word

(19)
Examine router elements (RAM,ROM,CDP,show)

CISCO routers use the following type of memory:
·
Random Access Memory (RAM) stores the running configuration when the
router is running and it is
cleared when switched off. Also provides cashing, routing tables and
packet buffering. The IOS
operates from RAM
·
Flash Memory is an electrically erasable, re-programmable ROM that holds
the operating system
image and microcode. This facilitates the upgrades to the operating
system with out replacing the chips
on the motherboard.
·
Read Only Memory (ROM) is used by the router to store bootstrap program,
operation system software
and Power On Self Test (POST). The ROM chips are installed in sockets on
the router’s motherboard,
so that they can be replaced or upgraded. ROM holds the smaller version
of IOS and is loaded during
power up so the router can boot up.
·
Nonvolatile RAM (NVRAM) This memory does not loose its information when
the router is powered
down. Stores the systems start up configuration file and the virtual
configuration register.

Cisco Discovery Protocol (CDP) is CISCO’s proprietary protocol that
allows you to
access configuration on other routers with a single command. By running
Sub Network
Access Protocol (SNAP) at the data link layer, two devices running
different Network
Layer protocols can communicate and learn about each other. These devices
include all
LAN and some WANs. CDP starts by default on any router version 1.3
earlier and
discovers neighboring CISCO routers running CDP by doing a Data Link
broadcasts. It
does not matter what protocol is running at the network layer. Once CDP
has disproved a
router, it can then display information about the upper layer protocols,
such as IP and
IPX. The router caches the information it receives from its CDP
neighbors. Any time a
router receives up dated information that a CDP neighbor has changed, it
discards the old
information in favor of the broadcast.
There are many show commands available for the administrator to manage
the router.
They can be found by typing at the command prompt Router#sh ?.
(20)
Manage configuration files from the privilege exec mode.

When the router is powered up, it does a self-test, then a loads the IOS
image, and finds
the configuration file and loads it. Startup configuration is in NVRAM
and the operating
system places it on to the RAM. To manage configuration files you must be
in privilege
mode. At start up you will be in user mode. To get to the privilege mode
do the
following: Router>enable, if passwords are enabled then enter them when
asked. Now
your in privilege mode. Router#. By typing config t you can modify
configuration files.
Following are commands for starting and saving configurations:

·
Show startup-config
Shows the configuration that will loaded when the router boots.
·
Show running-config
Show the configuration that is currently loaded to RAM and is running
·
Erase startup-config This command will erase the configuration in
NVRAM and put you in to the initial configuration dialog
·
Reload
This command will reload the startup-config to
Memory
·
Setup
This command starts the initial configuration dialog

Software version 10.3 and earlier should run the following router
commands:
·
Show config
Same as show startup-config
·
Write term
Same as show running-config
·
Write erase
Same as erase startup-config
·
Write mem
Same as copy running-config startup config

(21)
Control router password, identification and banner

There are five different passwords that is used to secure CISCO routers
and they are as
follows:
Enable secret
is a cryptographic password used in version 10.3 and up. It has precedence
over the enable password when it exists. One can configure this password,
ether during
the setup mode or by typing the following:
Router#config t
Router(config)#enable secret kit (kit is the password you entered)
Enable password
is used when there is no enable secret and when you are using older
software, and some older images. The administrator manually encrypts it.
One can set
this password during the setup process or by typing the following:
Router#config t
Router(config)#enable password athul (athul is the password)
If both passwords are present, both passwords can not be the same

Virtual Terminal Password
is used for Telnet sessions with the router. You can change
the password at any time , but it must be specified or you will not be
able to telnet in to
the router. The password can be set up as follows:
Router#config t
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password kit (kit is the password)
Line vty 0 4 specifies the number of telnet sessions allowed in router.
One can also setup
a different password each line by typing line vty [port number]
Auxiliary Password
is used to setup a password for the auxiliary port. This port is used
to connect a modem to the router for remote console connection. It is set
as follows:
Router#config t
Router(congfig)#line aux 0
Router(config-line)#login
Router(config-line) #password kit (kit is the password)

Console Password
is used to setup a password for the console port. It can be set up as
follows:
Router#config t
Router(config)$line con 0
Router(config-line)#login
Router(config-line)#password kit (kit is the password)

Entering a Banner
The banner added will be displayed when ever any one logs in to the CISCO
router. The
command to enter is banner #.motd. Message of the day (motd) has to start
with a
delimiting character. Type as follows: Router(config)#banner motd k (k is
the delimiter)
Now enter the text message and end with the character `k’. So we enter
the following: If
you are not authorized log out immediately
K(and press enter)
Router(config)#end
(22) Identify the main CISCO IOS commands for router startup.

Router’s configuration files contain the configuration of the router.
There are two basic
configuration files for each router: startup and running. Startup
configuration is held in
NVRAM and is accessed when router is started. The startup configuration
is placed in
RAM for the router to run. Following command will display the startup
configuration.
Router#sh star

(23)
Enter the initial configuration using the setup command

Setup command facility is an interactive facility that allows you to
perform first time
configuration and other basic configuration procedure on the router. The
command parser
allows you to make detail changes to your configuration. However, some
major
configuration changes do not require granularity provided by the command
parser. In this
case you can use the setup command facility to make major enhancements to
the
configuration. Set up can make add a protocol suite, to make major
addressing schemes
changes, or configure a newly installed interface. Setup command facility
provides you
with a high level view of the configuration and guides you through the
configuration
change process. If you are not familiar with CISCO products and the
command parser,
the setup command facility is a particularly valuable tool, because it
asks you questions
required to make configuration changes. To start setup, key in the
following:
Router#setup and press enter.

(24)
Copy and manipulate configuration files

Binary executable IOS image is held in flash memory. IOS image is the
binary program
that parses and executes the configuration, while IOS configuration tells
the device its
current configuration. You can copy the content of the flash to a TFTP
server by entering
the following command Router#copy flash tftp
One can copy TFTP server to flash memory by typing Router#copy tftp
flash. An
interactive dialog begins and asks whether to erase the entire content of
the flash before
copying the file. Content of the flash memory can be displayed by the
command
Router>sh flash
One can copy the current configuration from a router to a TFTP server by
typing
Router#copy run tftp.
Or telnet to the router, copy a TFTP configuration file to running
conflagration by typing
the following command: Router#copy run
(25)
List the commands to load CISCO IOS software from: flash memory,
TFTP server, or ROM.
One can specify where the router should look for the CISCO IOS software
to create a fall
back in case one configuration does not load or one needs to load from a
TFTP server. To
load the CISCO IOS from a TFTP server, use the following command string:
Boot system TFTP ios_filename TFTP_ipaddress. There are three places that
the CISCO
router can look for the a valid IOS: flash, TFTP server or ROM. Following
commands
will load the IOS from flash and ROM
Router(config)#boot flash
Router(config)#boot rom
(26) Prepare to backup, upgrade and load a backup CISCO IOS image
Use the TFTP server to backup the IOS image. Type the following command
at the
command prompt: Router(config) copy flash tftp. Flash memory can be used
to upgrade
the IOS without physically changing the EEPROM. To load a backup image
can be
carried out from TFTP server, flash and ROM. Typing the following command
will cause
the router to try the other alternatives if the flash configuration does
not come up.
boot system flash ios_filename
boot system TFTP ios_filename
boot system rom
(27)
Prepare the initial configuration of your router and enable IP
When you power up the router, it does a POST and finds and loads the IOS
image, the
operation system for the router. Before the router can function, as you
want it to, it needs
to finds its configuration and apply it. If the router does not find a
configuration file and it
is not configured to find one on the network, it will begin the setup
dialog. The setup is
menu driven and all you have to do is to answer the questions. Setup
dialog will let you
get the router up and running with a very basic configuration. It will
allow you to give a
host name, set both password and secret password, enable any network
layer protocols
assign appropriate addresses to router interfaces and enable dynamic
routing protocols.
Every CISCO router has a 16 bit configuration register, which is stored
in a secial
memory location in NVRAM. This register controls number of functions and
some of
which are listed below:
·
Force the system in to the bootstrap program
·
Select a boot source and default boot file name
·
Enable or disable the console Break function
·
Set the console terminal baud rate
·
Load operating software from ROM
·
Enable booting from a TFTP server

The configuration register boot field is the portion of the configuration
register that
determines whether the router loads an IOS image, and if so where to get
it from. The
least significant four bits, 0 through 3, make up the boot field. If the
boot field is 0×0 (all
four bits set to zeros) then the router will enter ROM monitor mode. If
the boot field
value is set to 0×1 (binary 0001) the router will boot from the image in
ROM. If the boot
field value is 0×2 through 0xF (binary 0000 through 1111) then the router
will follow the
normal boot sequence and will look for the boot system commands in the
configuration
file on the NVRAM.. Type Router# sh ver, will display the configuration
register value
currently in effect and the value that will be used at the next reload.
Display line in the
discussion is displayed on the screen is as follows:
Configuration register is 0×142 (will be 0×102 at next reload)
You can place special commands in the router’s configuration file that
will instruct it
where to find the IOS image. If you do not specify a file name, the
router will load the
first valid file it finds in the flash memory. Following are the boot
commands:
Router(config)#boot system flash
Boots from flash
Router(config)#boot system tftp 172.16.1.150 Boots from a TFTP server
with ip address
172.16.1.150
Router(config)#boot system ROM
Boots from ROM (this is last resort if nothing
works and should be changed after the flash is corrected)
Network Protocols
(28)
Monitor Novell IPX operation on the router

Once you have IPX configured and running, following show commands can be
used to
verify and track router is communicating correctly:
Router#sh ipx servers. This command will show the content of the SAP
table. Server
name, IPX address, port, route, hops and interface.
Router#sh ipx route This command will display the IPX routing table
entries that the
router knows about. The router reports networks to which is connected to
directly and
also the networks that it has learned since coming on line.

If you were to up parallel IPX paths between routers, by default, the
CISCO routers will
not learn about these paths. The router will learn a single path to the
destination and
discard alternative parallel, equal cost paths. If you need more than one
parallel path to a
destination then the router has to be configured Router(config)#ipx
maximum paths 2 (up
to 512).
Router#sh ipx traffic. This command will display a summary of the number
of IPX
packets received and transmitted by the router. Summary will show IPX,
RIP and SAP
update packets.
Router#sh ipx int e0
The debug IPX command will display IPX packets as its running through your
internetwork
Router#debug ipx routing can have two commands, debug routing activity or
debug
routing events. Since debug IPX command is CPU intensive, it should be
switched off as
soon as monitoring process is over as shown: Router#undebug ipx routing
act
(29)
Describe two parts of network addressing, then identify the parts in
specific protocol
address examples.

The 32 bit structure of the IP address is comprised of a network address
and host address.
Number of bits assigned to each of these components varies with the
address class.
IP addressing is analogues to the address of a letter. Street address is
analogues to the
network address and the house number is analogues to the host address.
The concept of
subnetting allows the network portion of the address to be subdivided in
to number of
logical sections; subnets. With subnetting the two part IP address
becomes a three part
address, a network address, subnetwork address and a host address.
In Class A address, the most significant bit of the first octet is set to
0 and first octet is set
for the network address, leaving 24 bits for the host address. This
corresponds to possible
network addresses of 0 to 127. The reserved values are 0 and 127, leaving
1 to 126 for
network addressing in class A.
In Class B address, the most significant bit and one after it is set to
10 leaving 16 bits for
the network address and 16 bits for the host address. This corresponds to
possible
network address of 128 to 191.
In Classes C address, the most significant bit and two bits after are set
to 110 leaving 24
bits for network address and 8 bits for host address. This corresponds to
possible network
address of 192 to 223.
Class D and Class E is not required for the CCNA examination.
(30)
Create different classes of IP addresses (and subnetting)

For the subnet address scheme to work, every host on the network must
know which part
of the host address will be used as the subnet address. This is
accomplished by assigning
a subnet mask to each host. Following are the subnet masks for each Class
·
Class A
net.node.node.node
default subnet mask
255.0.0.0
·
Class B
net.net.node.node default subnet mask
255.255.0.0
·
Class C
net.net,net,node default sunet mask
255.255.255.0

(31)
Configure IP addresses
Following commands will configure the IP address for the Ethernet
interface 0
Router#config t
Router(config)#int e0
Router(config-if)#ip address 172.16.50.10 255.255.255.0
Router(config-if)#no shut

(32)
Verify IP addresses

Router#sh ip int e0 will display the following:
Ethernet0 is up, line protocol is up
Internet address is 172.16.50.10 255.255.255.0
Broadcast address is 255.255.255.255
Also many other interface details
(33)
List required IPX addresses and encapsulation type

IPX performs functions at layer 3 and 4 of the OSI model. It controls the
assignment of
IPX addresses (software addressing) on individual nodes, governs packet
delivery across
networks, and make routing decisions based on information provided by
routing
protocols, RIP or NLS. IPX is a connectionless protocol and it does not
require an
acknowledgement from the destination node. To communicate with upper layer
protocols, IPX uses sockets. These are similar to TCP/IP ports, in that
they are used to
address, multiple independent applications running on the same machine.
Sequence Packet eXchange (SPX) is a connection-orientated protocol as
oppose to IPX.
Through it upper layers can be assured that the data was delivered from
the source to the
destination. SPX works by creating virtual circuits or connections
between machines,
with each connection having a specific connection ID, included in the SPX
header.
Routing Information Protocol (RIP) is a distance vector routing protocol
used to discover
IPX routes through internetworks. It employs ticks (1/8 th of a second)
and the hop count
(number of routers between nodes) as metric for determine preferred
routes.
Service Advertising Protocol (SAP) allows servers to advertise the
services they provide
on the network. There are three types of SAP packets defined: Periodic
updates, service
quires and service response.
Netware Link Services Protocol (NLSP) is an advanced link state routing
protocol,
intended to replace Novell RIP and SAP.
Netware Core Protocol (NCP) provides clients with server resources such
as file access,
security and printing.

IPX addressing is somewhat different from IP addressing. The
administrator assigns the
network part of the address and the node part is automatically assigned.
IPX address has
80 bits or 10 bytes. It is divided in to network address, which is 4
bytes and the node
address which is the remaining 6 bytes. An example of an IPX address is
as follows:
0000.7C80.0000.8609.33E9. The first 8 hex digits (0000.7C80) represents
the network
part of the address, next 8 hex digits (0000.8609) represents the node
part of the address
and the last 4 hex digits (33E9) represents the socket.
Encapsulation or framing is the process of taking packets from upper
layer protocols and
building frames to transmit across the network. Encapsulation takes IPX
datagarms from
Layer 3 and builds frames at layer 2 to transmit on one of the supported
media.
Encapsulation on following media is as follows:
·
Ethernet
Cisco Keyword

Netware Frame:
Ethernet_802.3
novell-ether (default
Netware 3.11)

Ethernet_802.2
sap

Ethernet_II
arpa

Ethernet_snap
snap
·
Token Ring

Netware Frame:
Token-Ring
sap (default)

Token-Ring_snap
snap

·
FDDI

Netware Frame:
fddi_snap
snap (default)

Fddi_802.2
sap

Fddi_raw
novell-fddi

(34)
Enable the Novell IPX protocol and configure interfaces

First you enable IPX routing and after you enable IPX protocol on each
interface as
follows:
Router(config)#ipx routing
Router(config)#int e0
Router(config-in)#ipx network 2100
You can add multiple frame types to the same interfaces follows: using
the old way
Router(config)#int so
Router(config-in)#ipx netwok 3200 encap hdlc sec

Next is to use the current method:
Router(config)#int e0.100
Router(config-subif)#ipx network 2300 sap
(35)
Identify functions of the TCP/IP Transport layer

The Transport layer protocol equivalent to the layer in the DOD model is
the Host to
Host protocol. Its main purpose is to shield the upper layer applications
from the
complexities of the network. Transmission Control Protocol (TCP) and the
User
Datagram Protocol (UDP) operate at this layer. TCP is a
connection-orientated protocol,
which means that it first establishes a connection on a virtual circuit
between source and
destination, before sending user data. UDP is a connection less protocol,
which means the
source is not concerned whether the datagram it sent to the destination,
did arrive there or
not. TCP and UDP both receive large chunks of data form the upper layers
and they
break them down to manageable segments so that they can be transmitted to
their
destinations. Each segment is numbered so that at the destination they
can be
reassembled. Only TCP keeps tract of this reassembly process, by
requesting the missing
segment from the source. If a segment is missing from a UDP transmission,
the
destination does not have a mechanism request it from the source.
Therefore UDP is a
unreliable protocol. TCP carries out error checking, and requests a
retransmission, also
through a windowing mechanism it controls the data flow so that receiver
buffers are not
flooded by the source. TCP is a full duplex, connection orientated,
reliable and accurate
protocol.
(36)
Identify the functions of the TCP/IP network layer protocol.

At network layer, the TCP/IP protocol suit has the Internet Protocol (IP)
in operation. The
function of IP includes, packet routing and providing a single network
interface to the
upper layers. The lower layers do not carry out any routing and routing
occurs at the IP
internet layer. To route, IP looks at each packet’s IP address, then
using a routing table it
decides where a packet is to be sent next, choosing the best path. All
hosts on a network
has an IP address and it contains the required routing information to
enabling the packet
to travel to the destination. IP receive data segments from the next
upper layer, which is
the Host to Host layer and fragments them to datagrams or packets. Each
datagram is
assigned an IP address of the sender and the IP address of the recipient.
Each machine
that receives the datagram makes a routing decision based upon the
packet’s destination
IP address. The IP packet has a header and in it there is a field which
carries an IP type
number. This number indicate the socket number that the IP datagram
should use to pass
the data to upper layer which is the Host to Host layer. Data travelling
on the internet
layer is, either a TCP datagrma or a UDP datagram.

(37)
Identify Functions performed by ICMP

Internet Control Message Protocol (ICMP)is a management protocol and a
messaging
service provider for IP. Its messages are carried as IP datagrams. RFC
1256 ICMP Router
Discovery Messages is an annex to ICMP, which affords hosts extend
capability in
discovering routes to gateways. Periodically, router advertisements are
announced over
the network, reporting IP addresses for its network interfaces. Hosts
listens for these
network infomercials to acquire route information. A router solicitation
is a request for
immediate advertisement and may be sent by a host when it starts up.
Following are some
common events and messages that ICMP relates to:
·
Destination Unreachable: If a router cannot send an IP address any
further, it uses ICMP to send a
message back to the sender advertising it of the situation. For example
if the router receives a packet
destined to a network that the router does not know about, it will send
an ICMP Destination
Unreachable message back to the sending station.
·
Buffer full: If a router’s memory buffer for receiving in coming
datagrams is full, it will use ICMP to
send out this message.
·
Hops: Each IP datagram is allotted a certain number of routers that it
may go through, called Hops. If it
reaches its limit of hops before arriving at its destination, the last
router to receive that datagram
deletes it. The executioner router then uses ICMP to send an message to
the originator that the
datagram is dead.
·
Ping: Packet Internet Groper uses ICMP echo message to check the physical
connectivity of machines
on an internetwork.

(38)
Configure IPX access lists and SAP filters to control basic Novell traffic

Similar to IP access lists IPX has two types of access lists: Standard
IPX Access Lists and
Extended IPX Access lists.
Standard IPX access lists allow or deny packets based on source and
destination IPX
addresses. Template to enter standard IPX access lists is as follows:
Access-list (number from 800 to 899) (permit or deny) (source network IPX
number)
(destination network IPX number)
Following example will show how the access list will permit or deny
access to IPX
packets.
Router#config t
Router(config)#access-list 810 permit 30 10
Router(config)#int e0
Router(config-if)#ipx access-group 810 out

810 correspond to the 800 to 899 range. This access-list mean that any
network other than
30 will be denied access network 10. If we wanted to allow access all
networks to 10
other than 50 the access-list entry will be as follows:
Router(config)#access-list 810 deny 50 10
Once we configure the access-list we must apply it to the interface, and
it applied as
follows:
Router(config)#int e0
Router(config-if)#ipx access-group 810 out
Which means that the above restriction is applied to the interface
Ethernet 0, IPX
outgoing packets from the router to the network.
Extended IPX access lists can filter based on the following: Source
network, source node,
destination network, destination node, IPX protocol (SAP, SPX etc) and
IPX sockets.
Template to enter the extended IPX access list is as follows:
access-list (number, 900 to 999) permit or deny (protocol) (source IPX
network number)
(source socket) (destination IPX network number) (destination socket)
Following example will show how the extended access list will permit or
deny IPX
network access using extended access lists
Router(config)#access-list 910 deny ­1 50 0 10 0
This means that the access is denied to any IPX protocol type from IPX
network 50 on all
sockets to enter IPX network 10 on all sockets.
If you want to let any network access any network, any protocol and on
any socket the
entry will be as follows:
Router(config)#access-list 910 permit ­1 ­1 0 ­1 0
Again once the access list is configured it has to be applied the
interface as follows:
Router(config)int e0
Router(config-if)#access-group 910 out

IPX SAP filters are used to control access IPX devices. The template for
implementing
IPX SAP filters are as follows: access-list (number 1000 to 1099) (permit
or deny)
(source network.node address of the server) (service type)
Source address here is the IXP internal address for example
0000.7c80.0000.8609.33e9
Router(config)#access-list 1010 permit 0000.7c80.0000.33e9 0
Access list 1010 is in the range, 1000 to 1099 reserved for IPX SAP
filters. This IPX
SAP filter will allow packets from 0000.7c80.0000.8609.33e9 to enter the
Ethernet
interface and be included in SAP updates across the network. The last
entry is the service
type and we entered 0, which means all services should be allowed.
Now that we created the SAP filter, lets apply it to the interface for it
to be operational.
We apply it to the interface as follows:
Router(config)#int e0
Router(config-if)#ipx input­sap-filter 1010

Routing
(39) Add the RIP routing protocol to your configuration

Route Information Protocol (RIP) is a distance vector routing protocol
that practices
classfull routing, which is used to discover the cost of a given route in
terms of hops and
stores that information on a routing table.
The router can then consult the table to select the least costly most
efficient route to a
destination. It gathers information by watching for routing table
broadcasts by other
routers and updating its own table in the event that a change occurs. RIP
routing tables
has following minimum entries: IP destination address, A metric (1 to 15)
indicative of
the total cost in hops, of a particular route to a destination, IP
address of a the next router
that a datagram would reach , on the path to its destination, A maker
signaling recent
changes to a route, Timers, which are used to regulate performance,
Flags, which indicate
whether the information about the routers has recently changed,
Hold-downs used to
prevent regular update messages from reinstating a route that is no
longer functional,
Split horizon used to prevent routing loops. A poison reverse updates
used to prevent
routing loops. RIP sends out routing updates at regular intervals and
whenever a network
topology changes occurs. And uses the following timers to regulate its
performance.
Routing table update timer typically 30 seconds
Route invalid timer 90 seconds
Route flush timer 240 seconds
To add RIP routing to a router type in the following:
Router#config t
Router(config)#router rip
Router(config-router)#network 172.16.0.0
Router(config-router)#^Z
Router#wr mem (write to the running configration)
(40) Add the IGRP routing protocol to your configuration

Interior Gateway Routing Protocol (IGRP) is a CISCO proprietary, distance
vector
interior routing protocol that was designed by CISCO to overcome the
limitations
presented by RIP. IGRP hop count is 255 as oppose to RIP’s limited 15
hop count.
IGRP advertises three types of routes:
Interior: These are routes between subnets. If a network is not subnetted
then IGRP will
not advertise the interior routes.
System: These are routes to networks within an Autonomous System. They
are derived
from directly connected interfaces, other IGRP routes, or access servers.
They do not
include subnet information.
Exterior: These are routes to networks out side of the Autonomous System.
They are
considered when identifying a gateway of last resort. The gateway of last
resort is chosen
from the list of exterior routes that IGRP provides.
Type in the following to add IGRP routing
Router(config)#router igrp 10 (10 is the Autonomous System number it can
be any
number from 1 to 65535)
Router(config-router)#network 172.16.0.0
Router(config-router)#^Z
Router#wt mem
(41) Explain the services of separate and integrated multiprotocol routing

A separate protocol routing is when the routing device, eg: a switch uses
a routing table
based on MAC address, and can accommodate only one encapsulation type.
This type of
routing is carried out at the data link, MAC sublayer.
Multiprotocol routing is carried out mostly by routers and similar
devices because, the
routing decisions are made at network layer and the routing tables are at
network layer.
At network layer there can exist, many different protocols and with them
comes their
own associated routing tables. So a router can have a IP routing table,
IPX routing table
and a Apple Talk routing table.
A bridge or a switch connects two or more physical networks into a single
logical
network, where as routers connects two or more logical networks and
routes between
them using information that is built by routing protocols and kept in
routing tables. The
advantage of a router as compared to a bridge or a switch is that it
physically and
logically breaks a network in to multiple manageable pieces, allows for
control of routed
packets, and routes network layer protocols at the same time.
(42)
List problems that each routing type encounters when dealing with
topology changes and
describe techniques to reduce the number of these problems.

(43)
Describe the benefits of network segmentation with routers
Routers filter by both the hardware and network addresses. Routers only
forward packets
to the network segment that the packet is destined for. The benefits of
network
segmentation could be summarized as follows:
Manageability: Multiple routing protocols give the flexibility of
designing for optimum
requirements of the network.
Increased functionality: CISCO routers addresses the issues of flow
control, error control
congestion control and fragmentation, Also efficient control over packet
lifetime.
Multiple active paths: Using the protocols DSAPs, SSAPs and path metrics,
routers can
make informed routing decisions as well as interpret the next layer
protocol. CISCO
routers can have more than on active link between routers.

Network Security
(44) Configure standard and extended access lists to filter IP

Access lists are used to control access via a router to the network or
from the network to
another network or to a device attached to the router. Packet filtering
is performed by the
access lists, to either, entering packets to the router, or exiting
packets from the router.
Apart from providing security to the network, access lists provide
valuable static on
packet flow.
Access lists are a list of conditions that the network designer can
enforce to get total
control of access to the network and exit from the network. When you
apply the access
list to the router interface, it has the total control of packets
entering and leaving the
interface. Configuring the Standard IP access list and applying to the
interface is as
follows: First you configure the access list then you apply it to the
interface.
Configure access list as follows using the template:
Access-list (number) (permit or deny) (source address)
Router(configt)#access-list 10 permit 172.16.30.2
Access list number for standard IP access list is any number from 1 to 99
Now we apply it to the interface as follows:
Router(config)#int e0
Router(config-if)#access-group 10 out
out at the end of the command means that the restriction is for the
packets going out of
the e0 interface.
(45) Monitor and verify selected access lists

Router#sh access ­1 Will show all the access lists running on the router.
Following
example will show the output;
Extended access list 110
Permit tcp 172.16.50.2 host 172.16.10.2 eq 8080 (34 matches)
What the above two lines show is as follows: first line gives the access
number, which is
110 an extended IP access list (any number from 100 to 199). The second
line shows the
number of packets that matched.
Router#sh ip access-list Will show only the IP access lists as shown below
Extended IP access list 110
Permit tcp host 172.16.50.2 host 172.16.10.2 eq 8080 (15 matches)
If the log command was used on the access list the console will then
display the
following:
Access list number, Source address, Source port, Destination address
Destination address,
Number of packets.
When monitoring access lists it is important to find out which interface
an access list
applied to. The two commands to display this information is
Router#sh int e0 and Router#sh run
LAN Switching
(46) Describe the advantage of LAN segmentation

A single Ethernet LAN will work well for a limited number of users
attached to the
Ethernet. As time goes by and the number of users attached to the
Ethernet increases and
the number of people want to get on the network at the same time also
increases.
Congestion begins to creep in and the user access to the network begins
to slow down.
The remedy for this situation is to segment the LAN in to manageable
parts so that each
part or segment has a amount of users attached to it so that it will get
congested even if
all the users access simultaneously. There are many ways to do this
segmentation.
(47) Describe LAN segmentation using Bridges

Physical segmentation: You can segment by bridges and routers. Bridges
segment at the
MAC address of the Data Link layer. A bridge will first look at a routing
table and match
the packet to a segment and forwards it.
(48) Describe LAN segmentation using Routers

Routers use the network layer to segment the network with network layer
address and the
MAC address of the interface. The routing table will give the MAC address
and the
network layer addressing protocol address. eg IP address, IPX address or
apple Talk
address.
(49)
Describe LAN segmentation using Switches

LAN switches uses at line speed by using the destination MAC address. In
order to
ensure that the packet is forwarded to the correct port, cut through
switching is used. Cut
through looks at the in coming frame FCS has passed it as error free, it
looks at the
destination MAC address and starts to forward before the full packet is
received. Cut
through switching greatly improves the throughput.
(50)
Name and describe two switching methods

The two switching methods or modes are Store and Forward, and Cut Through.
With Store and Forward switching method, the LAN router copies the entire
frame in to
its buffer and checks the following and discards the frame if they are
not correct:
A CRC error, if the frame is runt (less than 64 bytes including the CRC)
or a giant (more
than 1518 bytes including CRC). The frame has no errors then the router
looks up the
routing table and sends to the correct interface for transmission down
the line. Latency
due to this error checking varies with the length of the frame.
Cut Through switching, the LAN switch copies only the destination address
to its buffers
(six bytes after the preamble). It then looks at the destination address
on the switching
table, determines the outgoing interface and submits it to the correct
interface for
transmission down the line. Cut through switching reduce latency because,
first it does
not copy the complete frame to the buffer and secondly it starts to
transmitting the frame
as soon as it locate the destination address from the routing table.
(51)
Describe full and half duplex Ethernet operation

Full duplex can transmit and receive simultaneously, but to do so one
needs a CISCO
switch that has a full duplex interface. The end user needs a full duplex
NIC card so that
it can be connected to the switch full duplex switch interface. Full
duplex Ethernet uses
point to point connections and it is collusion free transmission. This is
because it does not
share bandwidth with any other device. The frames sent by two nodes can
not collide
because they are on physically separate transmit and receive circuits. If
you have a full
duplex 10 Mbps Ethernet operating on the same switch port it can
theoretically have a
throughput of 20 Mbps.
Half duplex will send and receive, one at a time. When the transmitter is
transmitting his
receiving circuit is in active. Same with the receiver, when his
receiving circuit is active
his transmitting circuit is inactive.

(52)
Describe the congestion problem in Ethernetworks

Ethernet device gets access to the network by listening to the signals on
the cable. If no
one is transmitting then the device starts to transmit. If two devices
start to transmit at the
same time a collusion will occur and each station will back off and
retransmit the frame
later. This is good for a small number of devices attached to the network
but when there
are too many devices gets attached, the collisions become more frequent
and delays
occur.

(53)
Describe the benefits of network segmentation with bridges

Bridges segment the network by the MAC address of the data link layer. By
segmenting a
logical network in to multiple physical segments, it ensures network
reliability,
availability, scalability and manageability.

(54)
Describe the benefits of network segmentation with switches.

Just like bridges LAN switches use destination MAC address in order to
ensure that the
packet gets to the right out going port. Switches are similar to bridges
with more ports
attached to it.

(55)
Describe the features and benefits of fast Ethernet

Fast Ethernet is the IEEE 802.3u standard also known as 100 Base T. It is
10 times faster
because the bit rate is 100 Mbps instead of 10 Mbps for 10 Base T. This
standard defines
the physical layer and the data link layer, and uses the same CSMA/CD
transmission
technology as 10 Base T. The other standards associated with Fast
Ethernet are as
follows: 100 Base FX which is 100 Mbps two strand multi mode 50/125 or
62.5/125-
micron fiber optic cable. 100 Base T4 can use CAT 3,4,or 5 cabling with
RJ 45
connector. 100 Base TX can use CAT 5 or 100 ohm two pair shielded twisted
pair or type
1 cable.
Benefits of fast Ethernet can listed as follows:
·
100 Base T is 10 times faster as 10 Base T
·
Existing cabling and network equipment can be used
·
10 Mbps and 100 Mbps can exist on the same cable media
·
It uses tried and tested CSMA/CD
·
Migration to 100 Mbps from 10 Mbps does not create any problems

(56)
Describe the guide lines and distance limitations of Fast Ethernet

To exist on the same cable media, 10 Base T and 100 Base T, the time
slots should be the
same. Standard defined round trip is shorter for 100 Base T. Therefore
maximum
distance between transmitter and receiver is shorter for 100 Base T.
Maximum distance
between end nodes for 100 Base TX is 100 meters and for 100 Base FX is
412 meters

(57)
Distinguish between Cut Through and Store and Forward LAN switching

Cut through switching, the LAN switching device copies destination
address to its in put
buffer and looks at the destination switching table for the destination
address. As soon as
it finds the destination address, it starts to transmit the frame to the
destination. This
reducers the latency associated with store and forward
Store and forward switching, the LAN switching device copies the entire
frame to its in
put buffer and does a CRC check, runt check and a giant check on the
frame. If any of
them checks gives errors then the frame is dropped, if not it looks at
the routing table and
locates the destination address and sends the frame to the appropriate
interface to transmit
it down the line. All these checks take time and latency time increases
for store and
forward switching.
(58)
Describe the operation of Spanning Tree Protocol and its benefits

IEEE 802.1d standard defines the Spanning Tree Protocol and was developed
to prevent
routing loops in a network. If a router, a switch or a hub has more than
one path to the
same destination, then a routing loop problem could occur. To prevent
this, the spanning
tree protocol is executed between devices to detect and logically block
redundant paths
on the network. For fault networks there should be redundant links
between devices, and
to be loop free it should also execute the spanning tree protocol.
(59)
Describe the benefits of virtual LANs

Virtual LAN (VLAN) is a logical group of end users and resources
connected to defined
ports on a switch. This logical group communicates at layer 2 and layer 3
to establish the
Virtual LAN. Most beneficial asset in implementing is the functional
group. It is secure
because on out side of the VLAN group can get access to the group and the
members of
the group can not go out side of the group. Next item is that if a member
of the VLAN
group is moved from one floor to another, no set ups are required because
the member
can go to the next floor be connected to a different switch with a port
that is in the same
VLAN group. Because VLAN operates at layer 2 and 3, broadcasts can be
controlled.
Following are the primary benefits of VLAN: Broadcast control, Functional
groups and
Security.

(60)
Define and describe the function of the MAC address

Media Access Control (MAC) address is the hardware address of the
interface and it is
burned in to the NIC card. This is a unique number issued by IEEE to the
manufacturer.
It is 6 bytes long and the first 24 bits represents the vendor and next
24 bits represents the
serial number of the NIC card. This hardware address is used by the MAC
layer of the
Data Link layer to identify uniquely, the LAN device, to the network
layer.

http://chicothelaanhluan.googlepages.com/cisco

A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.

You can think of a bridge like a network switch. We will be using this Linux Transparent Squid Bridge like a switch according to the network diagram below:

Internet (5)

↑↓

Router (4)

↑↓

Linux Bridge (3)

↑↓

Physical Switch (2)

↑↓

LAN Network (1)

Reasons for running a Linux bridge are:

(A.) The job of the bridge is to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with less collisions.

(B.) You can overcome hardware incompatibilities with a bridge, without leaving the address-range of your IP-net or subnet. E.g. it’s possible to bridge between different physical media like 10 Base T and 100 Base TX.

(C.) You don’t need to change your existing network layout. You just plug in the bridge and you start working. If for some reasons, your Linux bridge box should go down, reconnect the cables from your switch (2) to your router (4), and nobody will even notice that something was not working!

Features of a Linux Bridge box:

STP

The Spanning Tree Protocol is a nifty method of keeping Ethernet devices connected in multiple paths working. The participating switches negotiate the shortest available path by STP.

Multiple Bridge Instances

Multiple bridge instances allow you to have more than one bridge on your box up and running, and to control each instance separately.

Fire-walling

Because we are running a Linux box with a kernel 2.4.x or 2.6.x, we can also apply some IPTABLES firewall rules.

What do I need to run such a Linux Bridge?

You just need a Linux OS with a kernel greater than 2.4. I prefer the 2.6 kernel. The minimum number of network interfaces in your Linux box should at least be 2. This guide assumes that the Linux box has 2 network interfaces, i.e., eth0 and eth1.

However, you may use any number of network interfaces supported on by the hardware of your Linux box.

You then need the “bridge-utils” package. The 2nd tool needed is “ebtables”.

You can use either the binaries installed by your OS distribution or simply download them from the internet.

On a Debian box , it’s as simple as: apt-get install bridge-utils ebtables

The Bridge-Utils package contains the main tools required to setup and configure a Linux bridge. Among the tools provided by bridge-utils, brctl will primarily be used to construct the bridge.

The ebtables program is a filtering tool for a bridging firewall. The filtering is focussed on the Link Layer Ethernet frame fields. It also gives us the ability to alter the Ethernet MAC addresses.

Now that you have a 2.4/2.6 Linux kernel box and you have somehow managed to install the bridge-utils and ebtables packages, we can move on to the next topic of configuring the bridge and running a transparent squid on it.

Installing and configuring Squid

(1.) Create the user squid and group squid

groupadd squid

useradd -g squid squid

(2.) Download the latest version of squid in /usr/local/src

cd /usr/local/src
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE18.tar.gz

(3.) Unzip it’s contents

tar zxvf squid-2.6.STABLE18.tar.gz

(4.) Configure squid with the following parameters

cd squid-2.6.STABLE18

./configure –bindir=/usr/local/sbin \

–sysconfdir=/usr/local/etc/squid \
–datadir=/usr/local/etc/squid \
–libexecdir=/usr/local/libexec/squid \
–localstatedir=/usr/local/squid \
–enable-removal-policies=heap,lru \
–enable-storeio=diskd,aufs,coss,ufs,null \
–enable-time-hack \
–enable-snmp \
–with-large-files \
–enable-large-cache-files \
–prefix=/usr/local \
–disable-ident-lookups \
–enable-cache-digests \
–enable-underscores \
–enable-kill-parent-hack \
–enable-follow-x-forwarded-for

(5.) If all goes well, run

make all
make install

That’s it. Squid should now be installed. It’s time to do some Squid configurations.

Note: If you encounter problems in configuring or compilation, 99% of them can be solved. The errors are either related to missing compilers, packages or dependencies.

(6.) Create a new Cache directory for Squid

mkdir -p /usr/local/squid/cache

(7.) Create a new /usr/local/etc/squid/squid.conf

cd /usr/local/etc/squid

mv /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.default.config

vi /usr/local/etc/squid/squid.conf

##Copy and paste following working configuration
########### Start of squid.conf ##############
cache_effective_user squid
cache_effective_user squid

http_port 3128 transparent

cache_dir ufs /usr/local/squid/cache 2000 16 256

cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log none

emulate_httpd_log on

cache_mem 16 MB

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

hosts_file /etc/hosts

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320

acl all src 0.0.0.0/0.0.0.0

##Define your network below

acl mynetwork src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https

acl Safe_ports port 1025-65535 #unregistered ports

acl SSL_ports port 443 563

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow mynetwork
http_access deny all
http_reply_access allow all
icp_access allow mynetwork

icp_access deny all

visible_hostname proxybridge.hostname.com

coredump_dir /usr/local/squid

######## End of squid.conf ##########

(8.) Change the permissions of squid logs and cache_dir

chown -R squid:squid /usr/local/squid/

chown -R squid:squid /usr/local/etc/squid/

(9.) Initialize Squid’s cache and run Squid in daemon mode

/usr/local/sbin/squid -z

/usr/local/sbin/squid -D

Check for any errors. If there are none, put the proxy server manually in your web browser and try browsing websites!

Next, we will setup a bridge using the tools provided by the package “bridge_utils”

As stated above, 1 of the most important tools installed by the bridge-utils package is brctl command.

We will be using the brctl command for creating a logical bridge instance with the name br0. You will need at least 1 bridge instance for bridging to work.

(1.) Creating the logical bridge instance called br0.

#Add bridge instance called br0

brctl addbr br0

#Show your bridge status
brctl show

#Show MAC addresses on your bridge

brctl showmacs br0
(2.) Add your network interfaces to the bridge.

brctl addif br0 eth0

brctl addif br0 eth1

(3.) Zero in your IP network interfaces to 0.0.0.0 and bring it up.
ifconfig eth0 0.0.0.0 promisc up

ifconfig eth1 0.0.0.0 promisc up

(4.) Bring up the bridge. Since we also want to administer this bridge box, we point an IP address to the br0 interface.

ifconfig br0 192.168.100.9 netmask 255.255.255.0 up

(5.) Give your bridge interface br0 a default gateway so that you can access it via SSH, etc.

route add default gw 192.168.100.1 dev br0

That’s it. You have a simple yet a very effective Linux bridge box!

The final remaining part is to redirect the web requests from your network to your bridged box running Squid transparently.

(1.) To redirect web traffic from your LAN to your Bridge box transparently, run the following script called rc.bridge.

#####Start of rc.bridge script ######

#!/bin/sh

###Date: 12-Oct-2007

###tekbdrlimbu@hotmail.com####

/sbin/ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 \
–ip-destination-port 80 -j redirect –redirect-target ACCEPT
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 \
-j REDIRECT –to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 -j REDIRECT –to-ports 3128

######### End of rc.bridge script #####

Run this script and restart Squid. You will have a working Squid transproxy running in a Linux bridged box!!!

We will cover more advanced topics like Spanning Tree Protocol (STP) , MAC and ARP filtering , etc, in the coming days ahead.

Cisco’s WCCP (Web Cache Control Protocol) version 2 is used for sending web requests from clients to 1 or more Squid proxy servers. WCCP feature allows us to redirect Web traffic to our proxy servers which in turn provides Web caching, filtering, or other services, thus reducing transmission costs and downloading time.

With WCCP, we can build a “cache cluster” for load balancing, scaling, and fault tolerance.

For example, in the case of 2 proxy severs, if 1 proxy server goes down, WCCP redirects clients requests to the 2nd working proxy server.

In the rare circumstance where both or all of your proxy servers should go down, WCCP will determine the dead proxy servers and will route clients web requests directly from your cisco router.

Note: Only Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the WCCP.

How WCCP and transparent intercepting Squid caches work?

• A Client’s Web browser makes a request, which goes to the cisco router.

• The router intercepts the request.

• The router redirects the request to a new location inside a generic routing encapsulation (GRE) frame to prevent any modifications to the original packet.

• A (GRE) tunnel is established between our FreeBSD squid boxes and the cisco 3620/7206 router.

• All redirected requests from the router are encapsulated down the GRE tunnel to our FreeBSD Squid caches.

• The FreeBSD Squid boxes decapsulates the GRE traffic and redirects the WCCP packets onto Squid.

• This redirection is achieved transparently using FreeBSD IP forwarding and IPFW firewall.

• Squid pulls apart the request, then attempts to deliver the content either from the local cache or via direct request from target.

• The content is then delivered back to the router for delivery to the originator (ie. client’s browser).

Now to connect all the pieces of information regarding WCCP, the following steps are required:

(1.) Configure and compile your kernel

cd /usr/src/sys/i386/conf/

cp GENERIC SQUID_WCCP

vi SQUID_WCCP

(2.) Copy and paste the following kernel parameters

machine i386
cpu I686_CPU
ident SQUID_WCCP

options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time #extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.

device apic # I/O APIC
device eisa
device pci
device fdc
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
device mpt # LSI-Logic MPT-Fusion
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr’)
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV – See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device rr232x # Highpoint RocketRAID 232x
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device ida # Compaq Smart RAID
device mfi # LSI MegaRAID SAS
device mlx # Mylex DAC960 family
device pst # Promise Supertrak SX6000
device twe # 3ware ATA RAID
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
device sc
device agp # support several AGP chipsets
device pmtimer
device cbb # cardbus (yenta) bridge
device pccard # PC Card (16-bit) bus
device cardbus # CardBus (32-bit) bus
device sio # 8250, 16[45]50 based serial ports
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
device de # DEC/Intel DC21×4x (“Tulip”)
device em # Intel PRO/1000 adapter Gigabit Ethernet Card
device ixgb # Intel PRO/10GbE Ethernet Card
device txp # 3Com 3cR990 (“Typhoon”)
device vx # 3Com 3c590, 3c595 (“Vortex”)
device miibus # MII bus support
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device lge # Level 1 LXT1001 gigabit Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100(precedence over ‘lnc’)
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (“Starfire”)
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 “EPIC”)
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (“Boomerang”, “Cyclone”)
device cs # Crystal Semiconductor CS89×0 NIC
device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device ex # Intel EtherExpress Pro/10 and Pro/10+
device ep # Etherlink III based cards
device fe # Fujitsu MB8696x based cards
device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
device lnc # NE2100, NE32-VL Lance Ethernet cards
device sn # SMC’s 9000 series of Ethernet chips
device xe # Xircom pccard Ethernet
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device an # Aironet 4500/4800 802.11 wireless NICs.
device ath # Atheros pci/cardbus NIC’s
device ath_hal # Atheros HAL (Hardware Access Layer)
device ath_rate_sample # SampleRate tx rate control for ath
device awi # BayStack 660 and others
device ral # Ralink Technology RT2500 wireless NICs.
device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory “disks”
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ugen # Generic
device uhid # “Human Interface Devices”
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage – Requires scbus and da
device ums # Mouse
device ural # Ralink Technology RT2500USB wireless NICs
device urio # Diamond Rio 500 MP3 player
device uscanner # Scanners
device aue # ADMtek USB Ethernet
device axe # ASIX Electronics USB Ethernet
device cdce # Generic USB over Ethernet
device cue # CATC USB Ethernet
device kue # Kawasaki LSI USB Ethernet
device rue # RealTek RTL8150 USB Ethernet
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)

#Enable IPFW in Kernel to DROP packets by default rule

options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
options NETGRAPH

options DEVICE_POLLING
options HZ=1000

options SHMSEG=128
options SHMMNI=256
options SHMMAX=50331648 # max shared memory segment size (bytes)
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=48 # number of message queue identifiers
options MSGSEG=768 # number of message segments
options MSGSSZ=64 # size of a message segment
options MSGTQL=4096 # max messages in system

(3.) Configure and compile your new kernel

(a.) config SQUID_WCCP

(b.) cd ../compile/SQUID_WCCP/

(c.) make cleandepend

(d.) make depend

(e.) make

(f.) make install

(g.) reboot

If all goes well, your kernel has been compiled!!!. Reboot with your new kernel.

(4.) Create the GRE tunnel on your FreeBSD-6.x box

ifconfig gre0 create
ifconfig gre0 IP.OF.SQUID.BOX 10.20.30.40 netmask 255.255.255.255 link2 tunnel IP.OF.SQUID.BOX IP.OF.CISCO.ROUTER up

(3.) Configuring WCCP on your squid box. Add the following in your squid.conf

wccp2_router IP.OF.CISCO.ROUTER
#wccp2_router LoopBack.IP.OF.CISCOROUTER

wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
(4.) Create the firewall rules to redirect web requests to Squid’s 3128 port via the GRE tunnel.

We will create the script called rc.firewall to save our IPFW rules. Use the script below:

#!/bin/sh

##### Start of rc.firewall script ######

##Change the network interfaces and IP addresses to match your network!

NET_IF=”em0″
IPFW=”/sbin/ipfw -q”

#IP of Proxy Server
IF_ADDR=”192.168.0.10″

NTP_SERVER=”192.168.0.55″

PROXY_NET=”192.168.0.0/27″

ALL_NET=”192.168.0.0/24″
CLIENT_NET=”192.168.0.128/25″
WIRELESS_NET=”172.16.0.128/25″
ADMIN_NET=”192.168.0.48/28″
SSH_PORT=”12345″

LOCALHOST=”127.0.0.1″

$IPFW -f flush

$IPFW add allow all from any to any via lo0

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0

#$IPFW add permit ip from any to any
$IPFW add allow all from $IF_ADDR to any

#$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
#$IPFW add permit ip from any to any

#Allow local DNS caching
$IPFW add allow udp from $ALL_NET to any 53

$IPFW add allow udp from any 53 to $IF_ADDR
$IPFW add allow tcp from any 53 to $IF_ADDR

$IPFW add allow all from any to any out via $NET_IF

#######For DNS
#Allow DNS Query
$IPFW add allow udp from $ALL_NET 53 to $IF_ADDR
$IPFW add allow udp from $WIRELESS_NET 53 to $IF_ADDR

#For Proxy access
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in

$IPFW add allow tcp from $ALL_NET to any 3128 in via $NET_IF
$IPFW add allow tcp from $WIRELESS_NET to any 3128 in via $NET_IF

#####Allow Established session
$IPFW add allow tcp from any to any in via $NET_IF established

#$IPFW add allow tcp from any to $IF_ADDR 113

#For ICP Query
$IPFW add allow UDP from $PROXY_NET to $PROXY_NET 3130

$IPFW add allow udp from $NTP_SERVER 123 to $IF_ADDR

###Only needed for Experimental Multicast
#$IPFW add allow all from 224.9.9.1 to any
#$IPFW add allow all from any to 224.9.9.1
#$IPFW add allow all from me to 224.9.9.1

#######For SSH

$IPFW add allow tcp from $ADMIN_NET to $IF_ADDR $SSH_PORT

#for snmpwalk from Admin network
$IPFW add allow udp from $ADMIN_NET to me 3001
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $LOCALHOST to me 3001
$IPFW add allow udp from $LOCALHOST to me 161

###########
$IPFW add allow ICMP from $ALL_NET to any
$IPFW add allow ICMP from $WIRELESS_NET to any
#################################################

###Only if you want the world to send ICMP packets to your server!!

#ipfw add allow icmp from any to any icmptypes 8
#ipfw add allow icmp from any to any

$IPFW add allow all from $ADMIN_NET to me
$IPFW add allow all from me to $ADMIN_NET

$IPFW add 65533 deny log all from any to any

############# End of rc.firewall ###############

(5.) Configure WCCP on your Cisco router

Global Configuration

Router (config)#  ip wccp version 2

Router (config)#  ip wccp web-cache redirect-list 160

Access-List 160

permit ip 192.168.0.0 0.0.0.255 any

permit ip 172.16.0.0 0.0.0.255 any

Router (config)#   interface fastethernet 0/0
Router(config-if)# ip wccp web-cache redirect in

Router# write

END of Router WCCP confiruration.

(6.) Restart Squid and reload your firewall. If all goes well, you will have a working WCCP2 on your FreeBSD Box with Squid-2.6.STABLE18.

Happy Proxying with Squid + FreeBSD + Cisco WCCP !!!

squid.conf

##Start of squid.conf###

cache_effective_user squid
cache_effective_group squid

wccp2_router IP.ADDRESS.OF.ROUTER
wccp2_router LoopBackIP.ADDRESS.OF.ROUTER
#wccp2_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

acl all src all

#icp_query_timeout 2000

high_memory_warning 500 MB

visible_hostname mycache.domain.com

cache_mem 128 MB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

cache_swap_low 90
cache_swap_high 95

maximum_object_size 131072 KB

########New test — Default is 8
maximum_object_size_in_memory 24 KB

#minimum_object_size 1 KB
#store_avg_object_size 20 KB

tcp_recv_bufsize 65535 bytes

ipcache_size 8192
fqdncache_size 8192

high_page_fault_warning 10
high_response_time_warning 2000
client_persistent_connections off
server_persistent_connections on
half_closed_clients off

cache_dir diskd /cache1 6144 16 256 Q1=72 Q2=64
cache_dir diskd /cache2 6144 16 256 Q1=72 Q2=64

log_icp_queries off

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

emulate_httpd_log on

cache_mgr info@sabinshrestha.com.np

refresh_pattern ^ftp: 1440 30% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#Configure downloading even after aborted requests.
quick_abort_min 0 KB
quick_abort_max 0 KB
#quick_abort_pct 99

negative_dns_ttl 2 minutes

acl mynetwork src 192.168.0.0/24
acl admin src 192.168.0.85
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 2082 2083 2087 2093 2096
acl Safe_ports port 80 21 443 563 70 210 3128 8000 11999 8080 2082 2083 2087 209 6 8082 8090
acl CONNECT method CONNECT

http_port 3128 transparent

http_access allow manager localhost
http_access allow manager admin
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork

acl PURGE method PURGE
http_access allow PURGE localhost
http_access allow PURGE admin
http_access deny PURGE

http_access deny all

snmp_access deny all

icp_access allow mynetwork
icp_access deny all

miss_access allow all

ie_refresh on

###End of squid.conf###

Indeed I had made a typo mistake.

Router (config)# ip wccp web-cache redirect-list 360

should have been:
Router (config)# ip wccp web-cache redirect-list 160

A Cisco PIX firewall is meant to protect one network from another. There are PIX firewalls for small home networks and PIX firewalls for huge campus or corporate networks. In this example, we will be configuring a PIX 501 firewall. The 501 model is meant for a small home network or a small business.

PIX firewalls have the concept of inside and outside interfaces. The inside interface is the internal, usually private, network. The outside interface is the external, usually public, network. You are trying to protect the inside network from the outside network.

PIX firewalls also use the adaptive security algorithm (ASA). This algorithm assigns security levels to interfaces and says that no traffic can flow from a lower-level interface (like the outside interface) to a higher-level interface (like the inside interface) without a rule allowing it. The outside interface has a security level of zero and the inside interface has a security level of 100.

Here is what the output of the show nameif command looks like:
pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
pixfirewall#

Notice the ethernet0 interface is the outside interface (its default name) and the security level is 0. On the other hand, the ethernet1 interface is named inside (the default) and has a security level of 100.

Guidelines

Before beginning the configuration, your boss has given you some guidelines that you need to follow. Here they are:

• All passwords should be set to “cisco” (in reality, you make these whatever you want, but not “cisco”).
• The inside network is 10.0.0.0 with a 255.0.0.0 subnet mask. The inside IP address for this PIX should be 10.1.1.1.
• The outside network is 1.1.1.0 with a 255.255.255.0 subnet mask. The outside IP address for this PIX should be 1.1.1.1.
• You want to create a rule to allow all inside clients on the 10.0.0.0 network to do port address translation and connect to the outside network. They will all share the global IP address 1.1.1.2.
• However, clients should only have access to port 80 (Web browsing).
• The default route for the outside (Internet) network will be 1.1.1.254.

The configuration

You will be prompted to answer YES or NO as to whether or not you want to configure the PIX through interactive prompts. Answer NO to this question because you want to learn how to really configure the PIX firewall, not just answer a series of questions. After that, you will be sent to a prompt that looks like this:
pixfirewall>

With the “greater than” symbol at the end of the prompt, you are in the PIX user mode. Change to privileged mode with the en or enable command. Press “enter” at the Password prompt. Here is an example:

pixfirewall> en
Password:
pixfirewall#

You now have administrative mode to show things but would have to go into global configuration mode to configure the PIX.

Now, let’s move on to basic configuration of the PIX:

Basic PIX configuration

What I am calling basic configuration is made up of three things:

• Set the hostname
• Set passwords (login and enable)
• Configure IP addresses on interfaces
• Enable interfaces
• Configure a default route

Before you can do any of these things, you need to go into global configuration mode. To do this, type:

pixfirewall# config t
pixfirewall(config)#

To set the hostname, use the hostname command, like this:

pixfirewall(config)# hostname PIX1
PIX1(config)#

Notice that the prompt changed to the name that you set.

Next, set the login password to cisco, like this:

PIX1(config)# password cisco
PIX1(config)#

This is the password required to gain any access to the PIX except administrative access.

Now, configure the enable mode password, used to gain administrative mode access.

PIX1(config)# enable password cisco
PIX1(config)#

Now we need to configure IP addresses on interfaces and enable those interfaces. The PIX, unlike a router, has no concept of interface configuration mode. To configure the IP address on the inside interface, use this command:

PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
PIX1(config)#

Now, configure the outside interface IP address:
PIX1(config)# ip address outside 1.1.1.1 255.255.255.0
PIX1(config)#

Next, enable both the inside and outside interfaces. Make sure that the Ethernet cable, on each interface, is connected to a switch. Note that the ethernet0 interface is the outside interface, and it is only a 10base-T interface on a PIX 501. The ethernet1 interface is the inside interface, and it is a 100Base-T interface. Here is how you enable these interfaces:

PIX1(config)# interface ethernet0 10baset
PIX1(config)# interface ethernet1 100full
PIX1(config)#

Note that you can do a show interfaces command, right from the global configuration prompt line.

Finally, let’s configure a default route so that all traffic sent to the PIX will flow to the next upstream router (the 1.1.1.254 IP address that we were given). Here is how you do this:

PIX1(config)# route outside 0 0 1.1.1.254
PIX1(config)#

The PIX firewall can, of course, support dynamic routing protocols as well (such as RIP and OSPF).

Now, let’s move on to some more advanced configuration.

Network Address Translation

Now that we have IP address connectivity, we need to use Network Address Translation (NAT) to allow inside users to connect to the outside. We will use a type of NAT, called PAT or NAT Overload, so that all inside devices can share one public IP address (the outside IP address of the PIX firewall). To do this, enter these commands:

PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
PIX1(config)# global (outside) 1 1.1.1.2
Global 1.1.1.2 will be Port Address Translated
PIX1(config)#

With this, all inside clients are able to connect to devices on the public network and share IP address 1.1.1.2. However, clients don’t yet have any rule allowing them to do this.

Firewall rules

These clients on the inside network have a NAT translation, but that doesn’t necessarily mean that they are allowed access. They now need a rule to allow them to access the outside network (the Internet). That rule will also allow the return traffic to come back in.

To make a rule to allow these clients port 80 (Web browsing), you would type this:

PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
PIX1(config)# access-group outbound in interface inside
PIX1(config)#

Note that PIX access lists, unlike router access lists, use a normal subnet mask, not a wildcard mask.

With this access list, you have restricted the inside hosts to accessing Web servers only on the outside network (routers).

Showing and saving the configuration

Now that you have configured the PIX firewall, you can show your configuration with the show run command.

Make sure that you save your configuration with the write memory or wr m command. If you don’t, your configuration will be lost when the PIX is powered off.

What Does a PIX Do?

The PIX is a firewall appliance based on a hardened, specially built operating system, PIX OS, minimizing possible OS-specific security holes. The PIX has received ICSA Firewall and IPsec certification as well as Common Criteria EAL4 evaluation status.PIX firewalls provide a wide range of security and networking services including:

• Network Address Translation (NAT) or Port Address Translation (PAT)
• content filtering (Java/ActiveX)
• URL filtering
• IPsec VPN
• support for leading X.509 PKI solutions
• DHCP client/server
• PPPoE support
• advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
• AAA (RADIUS/TACACS+) integration

PIX can be graphically managed using the integrated Web-based management interface known as the PIX Device Manager (PDM) or by the Cisco Secure Policy Manager 2.3f and 3.0f (not to be confused with CSPM 2.3.3i which is for intrusion detection system management).  The PDM is a PIX-specific device configuration and management tool whereas CSPM is generally used as part of a larger security management infrastructure and allows one to correlate organizational security policies with a PIX configuration. Management interfaces include command-line interface (CLI), telnet, Secure Shell (SSH 1.5), console port, SNMP, and syslog.

Cisco PIX Models

See http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/   for information about the PIX product line in general, or for more details or the latest models added to this product line.

PIX Terminology and Background Information

The following diagram shows a multi-port PIX connected to various networks. We will use this diagram as we build up a PIX configuration in this and any subsequent PIX articles.

PIX terminology: we generally refer to the user segment as the Inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably have DMZ (De-Militarized Zone) subnet, the subnet where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet tying to a redundant PIX for failover (if supported/licensed).

The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use colon (“:”) for comments (which, as usual, are not retained).  Newer PIX OS uses ACL’s, replacing the former conduits (which were arguably more confusing to experienced Cisco router administrators).

PIX interfaces are normally shutdown until the administrator activates them.

PIX interfaces have an associated security level. Two interfaces at same level can’t send packets to each other. We’ll shortly see that you set levels with nameif command. Connections and traffic are normally permitted from higher to lower security level interfaces, although you do have to put in some basic configuration to allow traffic to flow. Connections the other way (from low to high security) are disallowed unless the configuration explicitly permits them.

You actually do not have to put any ACL if going from a higher security level to a lower. Everything will be allowed. Best practice is to put an ACL on all interfaces even if the ACL permits everything to flow using “ip any any”.  An ACL put inbound (PIX only does inbound ACLs) to the inside interface can control traffic destined going outbound. If an admin wants to only have www and dns traffic outbound he would allow only tcp on 80 and udp on 53 then everything else like real audio would be denied as it goes out.)

To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (Internet usually unless the PIX is used as a border between business units) which is a little different than the first sentence above.  We also suggest using statics from any non-outside interface to any other non-outside interface (like inside to management or ethernet3 to ethernet4, below.)

The PIX normally uses stateful NAT connections and stateful security, referred to as the Adaptive Security Algorithm (ASA). The PIX does not pass multicast traffic. (Can you say “DVMRP tunnel”?)

Cisco and we recommend you do not dynamic routing to or through the PIX. The PIX does support RIP, but the authors both loathe RIP. And static routing is more secure, cannot be as easily fooled.

PIX Configuration

We’ll start off with good housekeeping. Enter configuration mode with “config t”. You’ll want to assign a hostname / prompt name so you can tell which device you’re on. You’ll also want to set up passwords.

We also need to assign IP addresses to the interfaces that will be carrying IP traffic. One trick you can use on a shutdown interface is to assign it the loopback address, 127.0.0.1. This prevents accidental forwarding of traffic through that interface.

We generally put a global command on each lower security interface we want our internal users to have access to, although statics can be preferable for internal-internal access (see below). The main decision (other than addressing design) is whether to use one or multiple NAT ID’s. Using unique NAT ID’s limits access to specific interfaces. Using one NAT ID is simpler and assumes the PIX will sort out which nat command (below) pairs up with which global command on which interface.

We put nat commands on the higher security interfaces, allowing users to start connections to lower security level interfaces with global commands on them. The NAT ID ties the inside addresses in the nat command to the pool of addresses in one or more global commands with the same NAT ID.

Port Address Translation is where all inside addresses appear as one outside address, with shifted ports. PAT has some restrictions, for example it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than using it as your sole global address.

Let’s see what that looks like:

If you’ve used NAT before, you’ll recognize that servers on the inside that need to be connected to from the outside will need static mappings. The static command creates a permanent mapping (called a static translation slot or “xlate”) between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form of “static (high,low) low high” . Without address translation, the format of the static command becomes different: “static (high,low) high high“.

TIP: If you use statics you will also be able to go from higher to lower without having to use nat and global.  Example: suppose management station 10.2.2.2 (NMS) needs to talk to serv1 at 10.1.1.15 on the inside. Configure:

static (inside,management) 10.1.1.15 10.1.1.15 netmask 255.255.255.255
access-list from-management-coming-in permit tcp host 10.2.2.2 host 10.1.1.15 eq 8888
access-group from-management-coming-in in interface management

Because the static exists, 10.1.1.15 can also inititate connections to 10.2.2.2 but cannot talk to 10.2.2.50 (NMS2) because no method of translation exists.Another example:

static (inside,management) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

This allows each network to address the other. The inside can then talk to everything on the management net and reply packets are let back through by virtue of stateful inspection but an ACL must exist for the management net to initiate anything to the inside.There are some other variations one can do, but statics are more clear and you can predict behaviour because no timeouts for the connections exist and you still retain ultimate control via the ACL.

==========================================

Network Address Translation (NAT)

Network address translation is a method used to help conserve the limited number of IP addresses available for internet purposes.  We will return to the NAT discussion, specifically how to configure it, later on this page, but first a very basic introduction on how to configure and use the PIX.

Accessing the PIX command line

Via The Console Port

Your Cisco PIX will come with a console cable that will allow you to configure your PIX using terminal emulation software such as Hyperterm. Once you’ve set up your PIX with an IP address you’ll be able to access it via Telnet.

Via Telnet

o        One easy way to get access to any device on your network is using the /etc/hosts file. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. Here is a sample in which the PIX firewall “pixfw” has the default IP address of 192.168.1.1 on its inside protected interface:

#

# Do not remove the following line, or various programs
# that require network functionality will fail.
#
127.0.0.1 localhost.localdomain localhost
192.168.1.1 pixfw
192.168.1.100 bigboy mail.my-site.com

o        Once connected to the network you can access the PIX via telnet

[root@bigboy tmp]# telnet pixfw
Trying 192.168.1.1…
Connected to pixfw.
Escape character is ‘^]’.

o        You’ll be prompted for a password and will need another password to get into the privileged “enable” mode. If you are directly connected to the console, you should get a similar prompt too. There is no password in a fresh out of the box PIX and simply hitting the “Enter” key will be enough.

User Access Verification

Password:
Type help or ‘?’ for a list of available commands.
pixfw> enable
Password: ********
pixfw#

o        Use the “write terminal” command to see the current configuration. You will want to change your “password” and “enable password” right after completing your initial configuration, this will be covered later.

# wr term
Building configuration…
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dsjf5sdfgsjrgjwk encrypted
passwd sdffg8324dgrggjd encrypted
hostname pixfw
fixup protocol ftp 21
…

…

o        ALL PIX configuration commands need to be done in configuration mode, by issuing the “configure terminal” command from enable mode prompt.

pixfw# conf t
pixfw(config)# “Enter commands here”

pixfw(config)# exit

pixfw#

o        You can usually delete commands in the configuration by adding the word “no” to the beginning of the command you want to delete. Some commands that can only have a single value won’t accept a “no” to change them and will just be over-written when you issue the new command.

In the example below, we change the PIX’s name and then delete one of many access control list (ACL) entries attached to the outside (Internet) interface.

pixfw# conf t
pixfw(config)# no access-list inbound permit tcp any any eq www

pixfw(config)# hostname firewall

firewall(config)# exit

firewall#

o        One of the first things you should do is change the default passwords for the PIX.

pixfw# conf t
pixfw(config)# enable password enable-password-here

pixfw(config)# passwd telnet-password-here

pixfw(config)# exit

pixfw#

Note: The console password is the one used to gain access from the console or through telnet.

o        When you’ve finished configuring, you can permanently save your changes by using the “write memory” command:

pixfw# wr mem
Building configuration…
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
pixfw#

Sample PIX Configuration: DHCP

Configuring DSL PPPoE DHCP

o        DHCP and DSL require you to get a pppoe password and username from your ISP. Most ISPs have a homepage where you can register to get the username and password, ask customer service for the URL. You should substitute this username and password for “dsl-username” and “dsl-password” below. The VPDN group statements just assign a username, password, authentication type to a profile, in this case “ISP”. The configuration steps are relatively straight forward. (Remember to be in config mode)

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0
vpdn group ISP request dialout pppoe
vpdn group ISP localname dsl-username
vpdn group ISP ppp authentication pap
vpdn username dsl-username password dsl-password

In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1 You must be using PIX IOS version 6.2 or greater for this to work.

Configuring Cable Modem DHCP

o        DHCP configuration for cable modems is much simpler, there is no password requirement like with regular DSL. The command to let your PIX get a DHCP IP address from your ISP is as follows:

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1

NAT Configuration with DHCP

Here we allow any traffic coming in on the inside (private/protected) interface to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall. If DSL – DHCP has assigned an address of 97.158.253.12 to your firewall then the traffic passing through the firewall, from your protected PCs, will appear to be coming from address 97.158.253.12. This is frequently called many-to-one NAT.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Dynamic DNS Port Forwarding Entries

It is possible to host your own website on a DHCP DSL / cable modem connection using dynamic DNS. There are many providers to choose from.

Once you have registered with a dynamic DNS provider, you will need to configure your firewall. Here we allow all incoming www traffic (on TCP port 80) destined for the firewall’s interface to be forwarded to the web server at 192.168.1.100 on port 80 (www).

access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www

access-group inbound in interface outside
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255

Once configured, you will be able to hit your webserver using the firewall’s outside interface’s IP address as the destination. eg: http://firewall-outside-ip-address. Remember, it’s not possible to hit your firewall’s public NAT IP address from servers on your home network. You’ll have to ask a friend to check it out.

How To Get Static IPs For DSL Cheaply

Many ISP DSL providers offer cheap DHCP (dynamic IP) service. Due to competition they’ll even throw in a DSL modem and even a router for free. This service frequently isn’t available for users with static IPs which the ISPs frequently feel are businesses. If you really want static IP addresses and are willing to pay the higher monthly fee, then you can reduce your installation costs by:

>        Ordering DHCP DSL first with the free modem and/or router

>        Upgrade to static IPs a week later. They probably won’t ask about the modem and/or router, and it becomes bundled in free.

Sample PIX configuration: DSL – Static IPs

PPPOE authentication is only required for DSL DHCP. Once you go for static IPs, the vpdn statements won’t be required. In this example, the ISP has assigned the Internet subnet 97.158.253.24 with a mask of 255.255.255.248 (/29). The IP address selected for the PIX is 97.158.253.25, the default gateway is 97.158.253.30

If you are converting from dynamic to static IP addresses, you do not need the vpdn PIX command statements for static IPs

ip address outside 97.158.253.25 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 97.158.253.30

In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1

Note: When you receive your own /29 allocation all the IPs are exclusively yours whether you use them or not. This can be viewed as being wasteful in the eyes of some ISPs. Some service providers now use PPPoE with DHCP IP address reservations based on your MAC address. It appears to be an attempt to conserve on IP addresses by placing many customers on a large shared network that allows the ISP to add and subtract allocated IPs at will. This means that the ISP, and not its customers, are in possession of all unused IP addresses.

Outgoing Connections NAT Configuration

Here we allow connections originating from servers connected to the inside (private/protected) interface with an IP address in the range 192.168.1.0 to 192.168.1.255 to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall which is 97.158.253.25 :

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

This is another application of many-to-one NAT.

Incoming Connections NAT Configuration

It is possible to dedicate a single public IP address to a single server on your home network. This is called one-to-one NAT.

Here we allow the firewall to handle traffic to a second IP address, namely 97.158.253.26. We then allow all incoming traffic to be forwarded to the protected web server which has an IP address of 192.168.1.100. Only www and DNS (Port 53) traffic is allowed to access it via an access control list applied to the outside interface.

access-list inbound permit icmp any any

access-list inbound permit tcp any host 97.158.253.26 eq www

access-list inbound permit tcp any host 97.158.253.26 eq 53

access-list inbound permit udp any host 97.158.253.26 eq 53
access-group inbound in interface outside
static (inside,outside) 97.158.253.26 192.168.1.100 netmask 255.255.255.255 0 0

Once configured, you will be able to hit your webserver using the firewall’s outside interface’s IP address as the destination. eg: http://one-to-one-NAT-ip-address. Remember, it’s not possible to hit your firewall’s public NAT IP address from servers on your home network. You’ll have to ask a friend to check it out.

Here are some additional TCP ports you may be interested in:

How To Configure Your PIX To Accept Telnet

The telnet command can be used to configure your PIX to accept telnet sessions. By default, it allows connections on the inside interface from the 192.168.1.0 network, as seen below:

telnet 192.168.2.0 255.255.255.0 inside

Of course, if you change the IP address of the inside interface, you may have to change the statement above.

You can also allow access to the outside interface with a similar command. In the case below we’re allowing access from the network 64.251.19.0. I generally wouldn’t recommended this, but in some cases the need to do it is unavoidable.

telnet 64.251.19.0 255.255.255.0 outside

As an added precaution, you can set the PIX to automatically log out telnet sessions that have been inactive for a period of time. Here is an example of a 15 minute timeout period.

telnet timeout 15

How To Make Your PIX A DHCP Server

Enabling your PIX to be a DHCP server for your home network requires very few statements. First you have to enable the feature on the desired interface, which is usually the “inside” interface. The next step is to set the range of IP addresses the PIX’s “inside” interface will manage, and finally, you need to state the IP address of the DNS server the DHCP clients will use.

The default DNS address the PIX provides its DHCP clients is the IP address of the “inside” protected interface. If the PIX is configured to get it’s Internet IP address from your ISP, then the PIX will automatically become a caching DNS server for your home network. This means that in this case you don’t have to use the DNS statement.

dhcpd enable inside

dhcpd address 192.168.1.20-192.168.1.30 inside

dhcpd dns 192.168.1.100

Basic PIX Troubleshooting

The “show interfaces” Command

The show interfaces command will show you the basic status of the PIX’s interfaces. I’ve included some sample output below:

pixfw# show interface

interface ethernet0 “outside” is up, line protocol is up

  Hardware is i82559 ethernet, address is 0009.e89c.fdaa

  IP address 97.158.253.25, subnet mask 255.255.255.248

  MTU 1500 bytes, BW 10000 Kbit half duplex

        5776596 packets input, 569192486 bytes, 0 no buffer

        Received 5315835 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        435752 packets output, 74618166 bytes, 0 underruns

        0 output errors, 3988 collisions, 0 interface resets

        0 babbles, 0 late collisions, 6978 deferred

        2 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) (0/77)

        output queue (curr/max blocks): hardware (0/53) software (0/1)

…

…

pixfw#

Your basic physical connectivity should be OK if the interfaces are seen as being in an “up” state with line protocol being “up”. If line protocol is down, you probably have your PIX incorrectly cabled to the Internet or your home network.

If the interfaces are seen as “administratively down”, then the PIX configuration will most likely have the interfaces configured as being “shutdown” like this:

interface ethernet0 10baset shutdown

This can be easily corrected. First use the “write terminal” command to confirm the shutdown state. Then you should enter “config” mode and reenter the “interface” command without the word “shutdown” at the end.

pixfw(config)# interface ethernet0 10baset

The “show interfaces” is also important as it shows you whether you have the correct IP addresses assigned to your interfaces and also the amount of traffic and errors associated with each.

The “show xlate” Command

This command will show whether the PIX is doing NAT translations correctly. Double check your configuration if there are no translations immediately after trying to access the Internet. NAT failure could also be due to bad cabling which will prevent Internet bound traffic from reaching the PIX at all.

aquapix# sh xlate

3 in use, 463 most used

PAT Global 97.158.253.25(38448) Local 192.168.1.105(3367)

PAT Global 97.158.253.25(25838) Local 192.168.1.105(2971)

PAT Global 97.158.253.25(26306) Local 192.168.1.105(3610)

aquapix#

Using syslog

A really good method for troubleshooting access control lists (ACLs) and also to view the types of methods people are using to access your site is to use

Other Things To Check

Always make sure your PIX has a:

o        correct default route. The default is the one with the lots of zeros.

aquapix# show route

        outside 0.0.0.0 0.0.0.0 97.158.253.30 1 DHCP static

        outside 12.210.24.0 255.255.252.0 12.210.27.161 1 CONNECT static

        inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

aquapix#

o        default gateway that you can “ping”. In the case above the gateway is 97.158.253.30.

In this example we have two SOHO offices.

>        A VPN needs to be created between the two sites so that they can communicate with each other without the fear of eavesdropping.

>        For simplicity, neither site is site wants to invest in a CA certificate service or RSA infrastructure. They prefer to use pre-shared keys.

>        The network administrators at both sites are aware that permanent site � to � site VPNs require fixed Internet IP addresses and have upgraded from their basic DHCP services originally provided by their ISPs.

Site1

o        uses a private network of 192.168.1.0

o        has a router with an external Internet IP address of 97.158.253.25

o        uses a Cisco DSL router with a built in DSL modem like the Cisco 800 series of routers.

Site2

o        uses a private network of 192.168.2.0

o        uses a Cisco router with an external DSL modem or a PIX firewall.

o        uses a router (Scenario A) or firewall (Scenario B) with an external Internet IP address of 6.25.232.1

Other Information

The administrator at Site 1 wants to be able to access all the protected servers at site 2 by using their real IP addresses and vice versa. For example; Site 1 will refer to Site 2 servers with their 192.168.2.X IP addresses, not the Internet NAT addresses on the 6.25.232.X network.

Site 1 – Router VPN Configuration Steps

There are a number of steps that need to be done to create the VPN.

 IKE

Phase 1 of the creation of a VPN tunnel first requires an exchange of the encryption capabilities of the VPN devices at both ends of the tunnel. The second phase involves encrypting the data by either using either:

o        Pre-shared keys known to both VPN devices (This is what we’ll be using in all the examples below) or

o        Keys generated via the RSA methodology or

o        Keys obtained from Certification Authorities (CAs)

Cisco router / firewall devices usually require you to configure each of the various combinations of key encryption capabilities available. The device will then send all of the combinations to the remote VPN as part of the negotiation to decide which one to use.

o        Create an IKE key policy. The policy number “9″ identifies it from all other IKE policies that may be configured. This policy requires a pre-shared key.

 crypto isakmp policy 9

  hash md5

  authentication pre-share

I’ve chosen only one combination for the sake of simplicity, but you could add more like this. If your device is licensed appropriately, and you intend to establish a connection with a Linux VPN device, then you should consider a 3DES option which Linux FreeS/WAN prefers. Here is a snippet that includes 3DES and may other policy capabilities.

 crypto isakmp policy 1

  encr 3des

  authentication pre-share

 !

 crypto isakmp policy 4

  encr 3des

  authentication pre-share

  group 2

 !

 crypto isakmp policy 5

  encr 3des

  hash md5

  authentication pre-share

  group 2

 !

 crypto isakmp policy 10

  authentication pre-share

  group 2

 !

 crypto isakmp policy 12

  authentication pre-share

 !

 crypto isakmp policy 20

  hash md5

  authentication pre-share

  group 2

 !

 crypto isakmp policy 23

  encr 3des

  hash md5

  authentication pre-share

o        You’ll then need to configure a VPN shared key that can be used between this site and the VPN site at 6.25.232.1

 crypto isakmp key VPNsecretPASSWORD address 6.25.232.1

IPSec

o        Set a lifetime for the IPSec Security Associations. A security association is the equivalent of a site � to � site VPN relationship.

 crypto ipsec security-association lifetime seconds 86400

o        Configure an access list to define the valid traffic to be directed through the VPN from 192.168.1.0 to 192.168.2.0

 access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

o        Define which encryption transformations will be used to shield the VPN traffic as it passes over the Internet with the “crypto ipsec transform-set” command. Each “single line” set can be given its own name. In this case we’ve chosen set s1s2trans to use one of the most common combinations, esp-des and esp-md5-hmac.

 crypto ipsec transform-set s1s2trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method, (Linux FreeS/WAN only does 3DES) then you may want to replace the above statement with this one:

 crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac

You can create multiple transform sets depending on your security requirements. For example; you could create a transform set named “weak” with regular DES encryption and another named “strong” using the better 3DES method.

o        Create a crypto-map to match the valid traffic defined by the ACL with the transform set we want to use with VPN peer router/firewall at the other site. This example is creating a map entry of priority “10″.

 crypto map to-site2 10 ipsec-isakmp

  set peer 6.25.232.1

  set transform-set s1s2trans

  match address 101

You can add additional map entries to correspond with tunnels to other remote sites with additional priorities. Just remember to create the appropriate access control lists and pre-shared keys. Here is an example of additional map entries using two different transform sets:

 crypto map to-site2  150 ipsec-isakmp

  set peer 108.112.44.95

  set transform-set s1s2trans

  match address 101

 crypto map to-site2  153 ipsec-isakmp

  set peer 4.21.116.23

  set transform-set s1s2trans-strong

  match address 102

 crypto map to-site2  158 ipsec-isakmp

  set peer 223.52.37.25

  set transform-set s1s2trans-strong

  set pfs group2

  match address 103

o        Bind the crypto-map to the external interface of the router.

 interface BVI1

 �crypto map to-site2

This example assumes you are using a router with a built in DSL modem. In such a case, the external Internet facing interface would most likely be called BVI1 with a “sister” interface ATM0. Make sure both are configured correctly.

If you are using a router with an external DSL / Cable modem, then there will only be one Internet facing interface to configure. This interface would be usually named either Ethernet0 or Ethernet1 depending on the type of router. The Site 2 configuration uses an external DSL / Cable modem.

Site 1 � Configuration Example

Site 2 – Router VPN Configuration Steps (Scenario A)

Site 2 � PIX Firewall VPN Config. Steps (Scenario B)

IKE

o        Plan on creating an IPSec policy with a unique identifier number. The PIX will check each set of configured numbered policies for IKE till it achieves success. In this case we’ll only use one policy “20″.

o        Define the type of encryption to be used (DES or 3DES)

 isakmp policy 20 encryption des

o        Define the hashing method for authentication (SHA or MD5)

 isakmp policy 20 hash md5

o        Define the overall authentication method (Pre-shared key or rsa-sig). We’ll use the simpler pre-shared method.

 isakmp policy 20 authentication pre-share

o        Define the shared key to be used.

 isakmp key VPNsecretPASSWORD address 97.158.253.25 netmask 255.255.255.255

o        Specify how the hosts will identify themselves to one another (By address or hostname). The same method should be used on both ends.

 isakmp identity address

o        Enable ISAKMP on the external interface of the PIX

 isakmp enable outside

IPSec

o        Configure an access list to define the valid traffic to be directed through the VPN from 192.168.2.0 to 192.168.1.0

 access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

o        Define which transformations will be used to shield the VPN traffic with the “crypto ipsec transform-set” command. Each set can be given its own name, in this case “s2s1trans”.

 crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method, (Linux FreeS/WAN only does 3DES) then you may want to replace the above statement with this one:

 crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac

o        Create a crypto map to match the valid traffic, the transform set, the security-association lifetime with the VPN peer router/firewall at the other site.

 crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 97.158.253.25
crypto map s2s1ipsec 10 set transform-set s2s1trans

 crypto map s2s1ipsec 10 set security-association lifetime seconds 86400

In this case the crypto map is named “s2s1ipsec” and each statement has a sequence number or “ranking” of “10″. Statements with lower “sequence numbers” are considered before those with higher values.

Just like the routers, you can add more statements for tunnels to other remote VPN devices. You just have to remember to make sure that:

+        the crypto map statements referring to each remote site uses a unique sequence number,

+        that the shared secrets match and

+        that corresponding ACLs are created.

o        Bind the crypto-map to the external interface on which VPN traffic will originate

 crypto map s2s1ipsec interface outside

o        Let the PIX’s ASA always implicitly allow IPSec traffic through

 sysopt connection permit-ipsec

Site 2 � Configuration Example (Scenario B)

Here is a sample configuration for Site 2 when using a PIX firewall. There are a number of fully commented sample PIX configurations in the appendix in which each line is explained.

Troubleshooting Cisco VPNs

Cisco provides a number of commands to test the status of your site � to � site VPN tunnel. If your tunnel fails to be created you’ll need to ensure that all the parameters are set up correctly. The most common failure I’ve seen is having mismatched isakmp transform sets.

Displaying the Key Exchange Status

The “show crypto isakmp sa” command works on both routers and PIX firewalls and is used to determine whether the first phase of the VPN tunnel establishment (isakmp key exchange) was successful. In the example below Site 1 & 2 have a working tunnel with the status output showing the Internet IP addresses of the VPN devices at both ends of the tunnels.

soho1# show crypto isakmp sa

Total     : 1

Embryonic : 0

        dst               src      state     pending  � created

�6.25.232.1       97.158.253.25    QM_IDLE         0           0

soho1#

Displaying the IPSec Tunnel Status

The “show crypto ipsec sa” command works on both routers and PIX firewalls and is used to determine whether the second phase of the VPN tunnel establishment (IPSec) was successful. In the example below Site 1 & 2 have a working tunnel with the status output showing the Internet IP addresses of the VPN devices at both ends of the tunnels.

soho1# sh crypto ipsec sa

interface: BVI1

    Crypto map tag: to-site2, local addr. 6.25.232.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

   current_peer: 97.158.253.25:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 871118, #pkts encrypt: 871118, #pkts digest 871118

    #pkts decaps: 917581, #pkts decrypt: 917581, #pkts verify 917581

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 99, #recv errors 0

     local crypto endpt.: 6.25.232.1, remote crypto endpt.: 97.158.253.25

     path mtu 1500, ipsec overhead 56, media mtu 1500

     current outbound spi: 95992f5

     inbound esp sas:

      spi: 0xe43e931d(3829306141)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 6, crypto map: to-site2

        sa timing: remaining key lifetime (k/sec): (4601836/22657)

        IV size: 8 bytes

        replay detection support: Y

     …

     …

     outbound esp sas:

      spi: 0x95992f5(156865269)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 5, crypto map: to-site2

        sa timing: remaining key lifetime (k/sec): (4605007/22656)

        IV size: 8 bytes

        replay detection support: Y

     …

     …

soho1#

Debugging

Cisco has the very useful debug set of commands which you can use to follow the sequence of events that occur during the establishment of the VPN tunnel. Unfortunately the use of the debug command is beyond the scope of this book.

With Built In DSL Modems

>        800 series

>        1700 / 2600 / 3600 series with the ADSL WIC installed

With External DSL Modems

>        1700 / 2600 / 3600 series

An Introduction to Network Address Translation (NAT)

Network address translation is a method used to help conserve the limited number of IP addresses available for internet purposes. The introduction to networking page explains the concept in more detail in addition to other fundamental topics. We will return to the NAT discussion, specifically how to configure it, later in this chapter, but first a very basic introduction on how to configure and use Cisco DSL routers.

Introduction to accessing the router command line

Via The Console Port

Your Cisco router will come with a console cable that will allow you to configure it using terminal emulation software such as Hyperterm. Once you’ve set up your router with an IP address you’ll be able to access it via Telnet.

Via Telnet

o        One easy way to get access to any device on your network is using the /etc/hosts file. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. Here is a sample in which the router “ciscorouter” has the IP address 192.168.1.1:

# Do not remove the following line, or various programs
# that require network functionality will fail.
#
127.0.0.1 localhost.localdomain localhost
192.168.1.1 ciscorouter
192.168.1.100 bigboy mail.my-site.com

o        Once connected to the network you can access the router via telnet

[root@bigboy tmp]# telnet ciscorouter
Trying 192.168.1.1…
Connected to ciscorouter.
Escape character is ‘^]’.

o        You’ll be prompted for a password and will need another password to get into the privileged “enable” mode. If you are directly connected to the console, you should get a similar prompt too. There is no password in a fresh out of the box Cisco router and simply hitting the “Enter” key will be enough.

User Access Verification

Password:
Type help or ‘?’ for a list of available commands.
ciscorouter> enable
Password: ********
ciscorouter#

o        Use the “show running” command to see the current configuration. You will want to change your “password” and “enable password” right after completing your initial configuration.

ciscorouter# show run
Building configuration…
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname ciscorouter
!
no logging console
no logging monitor
logging trap debugging
…

…

…

o        ALL router configuration commands need to be done in configuration mode, by issuing the “configure terminal” command from enable mode prompt.

ciscorouter# conf t
ciscorouter(config)# “Enter commands here”

ciscorouter(config)# exit

ciscorouter#

o        You can usually delete commands in the configuration by adding the word “no” to the beginning of the command you want to delete. Some commands that can only have a single value, won’t accept a “no” to change them and will just be over-written when you issue the new command.

In the example below, we change the router’s name and then delete one of its many access control list (ACL) entries.

ciscorouter# conf t
ciscorouter(config)# no access-list 150 deny ip host 10.1.2.1 host 10.3.2.5

ciscorouter(config)# hostname soho-router

soho-router(config)# exit

soho-router #

o        One of the first things you should do is change the default paswords for the router.

ciscorouter# conf t
ciscorouter(config)# enable secret “enable password here”

ciscorouter(config)# line con 0

ciscorouter(config-line)# password “console password here”

ciscorouter(config-line)# line vty 0 4

ciscorouter(config-line)# password “telnet password here”

ciscorouter(config-line)# ^z

ciscorouter#

o        When you’ve finished configuring, you can permanently save your changes by using the “write memory” command:

ciscorouter# wr mem
Building configuration…
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
ciscorouter#

Sample Configurations

DSL Router With Built-In Modem – DHCP

o        DHCP and DSL requires you to get a pppoe password and username from your ISP. Most ISPs have a homepage where you can register to get the username and password, ask customer service for the URL. You should substitute this username and password for PPP “username” and “password” listed below.

o        Cisco IOS doesn’t support DHCP DSL and NAT. If this is so, then putting an Internet accessible web server on your home network would be impossible using the routers mentioned above in this configuration.

o        Here is a sample configuration for a Cisco home router. Some of the commands listed are part of Cisco’s default settings. Do the “show run” command before starting to configure your router to see what commands you’ll really need.

o        Remember to be in “config” mode to enter these commands and remember to do a “write memory” at the end to permanently save the configuration

!

vpdn enable

no vpdn logging

!--- Configure the router's PPPoE client so that it

!--- can setup a session with the ISP

!

vpdn-group pppoe

 request-dialin

  protocol pppoe

!--- Configure the home / SOHO network interface's

!--- IP address

!--- The "ip nat" statement tells your router that

!--- this interface:

!--- 1) uses NAT

!--- 2) is the inside "private" interface

!

interface FastEthernet0

 ip address 192.168.1.1 255.255.255.0

 ip nat inside

!--- Configure the DSL interface

!--- Your ISP may provide you with a different pvc

!--- value not necesarily "1/1"

!

interface ATM0

 no ip address

 no atm ilmi-keepalive

 bundle-enable

 dsl operating-mode auto

 hold-queue 224 in

!

interface ATM0.1 point-to-point

 pvc 1/1

  pppoe-client dial-pool-number 1

!--- Cisco prefers to run the PPPoE client on a virtual

!--- "dialer" interface

!--- This is tied to the real ATM DSL interface with the !--- "dialer pool" command. The default ethernet MTU

!--- size has been reduced from 1500 to accommodate

!--- the PPPoE header overhead.

!

!--- The "ip nat" statement tells your router that

!--- this interface:

!--- 1) uses NAT

!--- 2) is the outside "public" interface

!

interface Dialer1

 ip address negotiated

 ip mtu 1492

 ip nat outside

 encapsulation ppp

 dialer pool 1

!--- Here are the commands to configure authentication

!--- with with your ISP. This example uses the "CHAP"

!--- method.

!--- Commands for using the "PAP" method are included at

!--- the end of this box

!

 ppp authentication chap callin

 ppp chap hostname <username>

 ppp chap password <password>

!

!--- Tells the router to NAT all traffic that passes

!--- through it:

!--- 1) From the inside to the outside,

!--- 2) And whose IP address is in the 192.168.1.0 network

!---    as given in access list 1

!--- 3) Giving it an outside "public" address that is the

!---    same as interface Dialer1 gets from the PPPoE

!---    connection

!

ip nat inside source list 1 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 dialer1

no ip http server

!

access-list 1 permit 192.168.1 0.0.0.255

o        If your ISP tells you that you need to do the PAP, and not the CHAP, type of authentication then you’ll have to replace the lines:

ppp authentication chap callin
ppp chap hostname <username>
ppp chap password <password>

with only these two:

ppp authentication pap callin
ppp pap sent-username <username> password <password>

DSL Router With Built-In Modem - Static IP

o        Here is a sample configuration for a Cisco home router with a built-in modem. Some of the commands listed are part of Cisco’s default settings. Do the “show run” command before starting to configure your router to see what commands you’ll really need.

o        This example also shows how to use NAT so you can have a web server / mail server / FTP server etc. in your home network.

o        Remember to be in “config” mode to enter these commands and remember to do a “write memory” at the end to permanently save the configuration

Current Configuration:

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

!

hostname ciscorouter

!

ip subnet-zero

no ip domain-lookup

!

bridge irb

!--- Configure the home / SOHO network interface's IP address

!--- The "ip nat" statement tells your router that this

!--- interface:

!--- 1) uses NAT

!--- 2) is the inside "private" interface

!

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface ATM0

 no ip address

 no atm ilmi-keepalive

 pvc 0/35

 encapsulation aal5snap

 !

 bundle-enable

 dsl operating-mode auto

 bridge-group 1

!

!--- Cisco prefers to run the PPPoE client on a virtual

!--- "BVI" interface

!--- This is tied to the real ATM DSL interface with the

!--- "bridge-group" command above.

!--- (The BVI number always matches the bridge-group number)

!--- The "ip nat" statement tells your router that

!--- this interface:

!--- 1) uses NAT

!--- 2) is the outside "public" interface

!

interface BVI1

 ip address 97.158.253.25 255.255.255.248

 ip nat outside

!--- Tells the router to NAT all traffic that passes

!--- through it:

!--- 1) From the inside to the outside,

!--- 2) And whose IP address is in the 192.168.1.0 network

!---    as given in access list 1

!--- 3) Must get an outside "public" address that is the

!--- same as interface BVI1

!

ip nat inside source list 1 interface BVI1 overload

!--- This statement performs the static address

!--- translation for the Web server. With this statement,

!--- users trying to reach 97.158.253.26 port 80 (www) will be

!--- automatically redirected to 192.168.1.100 port 80

!--- (www), which in this case is the Web server.

!---

!

ip nat inside source static tcp 192.168.1.100 80 97.158.253.26 80 extendable

!--- Set your default gateway as provided by your ISP

!

ip classless

ip route 0.0.0.0 0.0.0.0 97.158.253.30

!

access-list 1 permit 192.168.1.0 0.0.0.255

bridge 1 protocol ieee

bridge 1 route ip

!

end

DSL Router With External Modem – Static IP

o        Here is a sample configuration for a Cisco home router with an external modem. Some of the commands listed are part of Cisco’s default settings. Do the “show run” command before starting to configure your router to see what commands you’ll really need.

o        This example also shows how to use NAT so you can have a web server / mail server / FTP server etc. in your home network.

o        Remember to be in “config” mode to enter these commands and remember to do a “write memory” at the end to permanently save the configuration

Current Configuration:

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

!

hostname ciscorouter

!

ip subnet-zero

no ip domain-lookup

!

!--- Configure the home / SOHO network interface's IP address

!--- The "ip nat" statement tells your router that

!--- this interface:

!--- 1) uses NAT

!--- 2) is the inside "private" interface

!

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface Ethernet1

 ip address 97.158.253.25 255.255.255.248

 ip nat outside

!--- Tells the router to NAT all traffic that passes

!--- through it:

!--- 1) From the inside to the outside,

!--- 2) And whose IP address is in the 192.168.1.0 network

!---    as given in access list 1

!--- 3) Must get an outside "public" address that is the

!---    same as interface ethernet1

!

ip nat inside source list 1 interface ethernet1 overload

!--- This statement performs the static address translation

!--- for the Web server.

!--- With this statement, users trying to reach 97.158.253.26

!--- port 80 (www) will be automatically redirected to

!--- 192.168.1.100 port 80 (www), which in this case

!--- is the Web server.

!---

!

ip nat inside source static tcp 192.168.1.100 80 97.158.253.26 80 extendable

!--- Set your default gateway as provided by your ISP

!

ip classless

ip route 0.0.0.0 0.0.0.0 97.158.253.30

!

access-list 1 permit 192.168.1.0 0.0.0.255

!

end

Other NAT Topics

Commonly Used TCP And UDP Ports

Here are some additional TCP ports you may be interested in for NAT “ip nat inside source static” statements:

o        So for example, the command for SMTP mail would be:

ip nat inside source static tcp 192.168.1.100 25 97.158.253.26 25

o        DNS requires a UDP type NAT statement such as:

ip nat inside source static udp 192.168.1.100 53 97.158.253.25 53

o        To have all traffic trying to reach 97.158.253.26, regardless of port, to be NAT-ted to 192.168.1.100, then you can use the command:

ip nat inside source static 192.168.1.100 97.158.253.25

How To Verify That NAT Is Working Correctly

You can use the show ip nat translation command to determine whether NAT is actually occurring as expected:

ciscorouter> enable
Password: ********

ciscorouter#show ip nat translation
Pro Inside global     Inside local      Outside local      Outside global
tcp 97.158.253.26:80  192.168.1.100:80  — —
tcp 97.158.253.26:80  192.168.1.100:80  67.34.217.6:5698  67.34.217.6:5698
ciscorouter#

Cisco uses the following terms for the various IP addresses you’ll find in any NAT translation process.

o        The Inside local address is the actual IP address of the local server on your home network.

o        The Inside global address is the IP address of the server presented to the Internet after NAT.

o        The Outside local the actual IP address of the remote computer on its local network.

o        The Outside global the IP address of the remote computer as presented on the Internet.

As you can see, in this case, NAT seems to be functioning properly for the web server 192.168.1.100 on the home network

How To Troubleshoot NAT

To troubleshoot NAT after you have logged into the router via Telnet requires you to first activate logging to the telnet terminal with the terminal monitor command and then using the debug ip nat detailed command to visualize the translation process. The example below shows that translation occurs for port 80 traffic (HTTP / www) from address 97.158.253.26 to 192.168.1.100, and more specifically that remote host 67.34.217.6 was communicating with the inside global address of 97.158.253.26.

ciscorouter> enable
Password: ********
ciscorouter#term mon
ciscorouter#debug ip nat detailed
IP NAT detailed debugging is on
ciscorouter#
03:29:49: NAT: creating portlist proto 6 globaladdr 97.158.253.26
03:29:49: NAT: Allocated Port for 192.168.1.100 -> 97.158.253.26: wanted 80 got 80
03:29:49: NAT: o: tcp (198.133.219.1, 5698) -> (97.158.253.26, 80) [0]
…
…
…

Basic Troubleshooting Topics

The “show interfaces” Command

The show interfaces command will show you the basic status of the router’s interfaces. I’ve included some sample output below:

ciscorouter>show interface

Ethernet0/0 is up, line protocol is up

  Hardware is AmdP2, address is 0008.e3a0.7e80 (bia 0008.e3a0.7e80)

  Internet address is 172.16.1.1/24

  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of “show interface” counters never

  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue :0/40 (size/max)

  5 minute input rate 0 bits/sec, 1 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     303 packets input, 19256 bytes, 0 no buffer

     Received 13 broadcasts, 0 runts, 0 giants, 0 throttles

     1 input errors, 1 CRC, 1 frame, 0 overrun, 0 ignored

     0 input packets with dribble condition detected

     60718 packets output, 5770201 bytes, 0 underruns

     0 output errors, 0 collisions, 2 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

…

…

…

ciscorouter>

Your basic physical connectivity should be OK if the interfaces are seen as being in an “up” state with line protocol being “up”. If line protocol is down, you probably have your router incorrectly cabled to the Internet or your home network.

If the interfaces are seen as “administratively down”, then the router configuration will most likely have the interfaces configured as being “shutdown” like this:

…

…

…

interface ethernet0

�shutdown

…

…

This can be easily corrected. First use the “show running” command to confirm the shutdown state. Then you should enter “config” mode and enter the “no shutdown” command. Here is an example for interface ethernet0.

ciscorouter(config)# interface ethernet0

ciscorouter(config-if)# no shutdown

ciscorouter(config-if)#end

ciscorouter# write memory

The “show interfaces” is also important as it shows you whether you have the correct IP addresses assigned to your interfaces and also the amount of traffic and errors associated with each.

Using syslog

A really good method for troubleshooting access control lists (ACLs) and also to view the types of methods people are using to access your site is to use syslog

Other Things To Check

Always make sure your router has a:

o        correct default route. The default is the one with the lots of zeros.

ciscorouter>sh ip route

Codes: C – connected, S – static, I – IGRP, R – RIP, M – mobile, B – BGP

       D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area

       N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

       E1 – OSPF external type 1, E2 – OSPF external type 2, E – EGP

       i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area

       * – candidate default, U – per-user static route, o – ODR

       P – periodic downloaded static route

Gateway of last resort is 97.158.253.30 to network 0.0.0.0

     192.168.0.0/24 is subnetted, 1 subnets

C       192.168.1.0 is directly connected, Ethernet1

S*   0.0.0.0/0 [1/0] via 97.158.253.30

ciscorouter>

o        default gateway that you can “ping”. In the case above the gateway is 97.158.253.30.

syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical. Each system message sent to the syslog server has two descriptive labels associated with it that makes the message easier to handle:

• The first describes the function (facility) of the application that generated it. For example, applications such as mail and cron generate messages with easily identifiable facilities named mail and cron.

• The second describes the degree of severity of the message. There are eight in all and they are listed in

  Severity Level	Keyword	Description	0	emergencies	System unusable
  1	alerts	Immediate action required
  2	critical	Critical condition
  3	errors	Error conditions
  4	warnings	Warning conditions
  5	notifications	Normal but significant conditions
  6	informational	Informational messages
  7	debugging	Debugging messages

You can configure syslog‘s /etc/syslog.conf configuration file to place messages of differing severity and facilities in different files. This procedure will be covered next.

The /etc/syslog.conf File

The files to which syslog writes each type of message received is set in the /etc/syslog.conf configuration file. This file consists of two columns: The first lists the facilities and severity of messages to expect, and the second lists the files to which they should be logged. By default, Red Hat/Fedora’s /etc/syslog.conf file is configured to put most of the messages in the file /var/log/messages. Here is a sample:

     .info;mail.none;authpriv.none;cron.none           /var/log/messages

In this case, all messages of severity “info” and above are logged, but none from the mail, cron, or authentication facilities/subsystems. You can make this logging even more sensitive by replacing the line above with one that captures all messages from debug severity and above in the /var/log/messages file. This may be more suitable for troubleshooting:

     *.debug                     /var/log/messages

Certain applications will additionally log to their own application specific log files and directories independent of the syslog.conf file. Here are some common examples:

Files

     /var/log/maillog           : Mail
     /var/log/httpd/access_log  : Apache web server page access logs

Directories

     /var/log
     /var/log/samba                : Samba messages
     /var/log/mrtg                 : MRTG messages
     /var/log/httpd                : Apache webserver messages

Activating Changes to the syslog Configuration File

Changes to /etc/syslog.conf will not take effect until you restart syslog. Issue this command to do so:

     [root@bigboy tmp]# service syslog restart

How to View New Log Entries as They Happen

If you want to get new log entries to scroll on the screen as they occur, you can use this command:

     [root@bigboy tmp]# tail -f /var/log/messages

Similar commands can be applied to all log files. This is probably one of the best troubleshooting tools available in Linux. Another good command to use apart from tail is grep. grep will help you search for all occurrences of a string in a log file; you can pipe it through the more command so that you only get one screen at a time. Here is an example:

     [root@bigboy tmp]# grep string /var/log/messages | more

You can also just use the plain old more command to see one screen at a time of the entire log file without filtering with grep. Here is an example:

     [root@bigboy tmp]# more /var/log/messages

Logging syslog Messages to a Remote Linux Server

Logging your system messages to a remote server is a good security practice. With all servers logging to a central syslog server, it becomes easier to correlate events across your company. It also makes covering up mistakes or malicious activities harder because the purposeful deletion of log files on a server cannot simultaneously occur on your logging server, especially if you restrict the user access to the logging server.

Configuring the Linux syslog Server

By default, syslog doesn’t expect to receive messages from remote clients. Here’s how to configure your Linux server to start listening for these messages.

As we saw previously, syslog checks its /etc/syslog.conf file to determine the expected names and locations of the log files it should create. It also checks the file /etc/sysconfig/syslog to determine the various modes in which it should operate. syslog will not listen for remote messages unless the SYSLOGD_OPTIONS variable in this file has an -r included in it:

     # Options to syslogd
     # -m 0 disables 'MARK' messages.
     # -r enables logging from remote machines
     # -x disables DNS lookups on messages received with -r
     # See syslogd(8) for more details
     SYSLOGD_OPTIONS="-m 0 -r"
     # Options to klogd
     # -2 prints all kernel oops messages twice; once for klogd to decode,
     and
     #    once for processing with 'ksymoops'
     # -x disables all klogd processing of oops messages entirely
     # See klogd(8) for more details
     KLOGD_OPTIONS="-2"

You have to restart syslog on the server for the changes to take effect. The server will now start to listen on UDP port 514, which you can verify using either one of the following netstat command variations:

     [root@bigboy tmp]# netstat -a | grep syslog
     udp        0      0 *:syslog                *:*
     [root@bigboy tmp]# netstat -an | grep 514
     udp        0      0 0.0.0.0:514             0.0.0.0:*
     [root@bigboy tmp]#

Configuring the Linux Client

The syslog server is now expecting to receive syslog messages. You have to configure your remote Linux client to send messages to it. This is done by editing the /etc/hosts file on the Linux client named smallfry. Here are the steps:

  IP-address    fully-qualified-domain-name    hostname    "loghost"

  192.168.1.100   bigboy.my-web-site.org    bigboy    loghost

*.debug                     @loghost
*.debug                     /var/log/messages

You have now configured all debug messages and higher to be logged to both server bigboy (“loghost”) and the local file /var/log/messages. Remember to restart syslog to get the remote logging started.

You can now test to make sure that the syslog server is receiving the messages with a simple test, such as restarting the lpd printer daemon and making sure the remote server sees the messages.

Linux Client

     [root@smallfry tmp]# service lpd restart
     Stopping lpd: [ OK ]
     Starting lpd: [ OK ]
     [root@smallfry tmp]#

Linux Server

     [root@bigboy tmp]# tail /var/log/messages
     ...
     ...
     Apr 11 22:09:35 smallfry lpd: lpd shutdown succeeded
     Apr 11 22:09:39 smallfry lpd: lpd startup succeeded
     ...
     ...
     [root@bigboy tmp]#

syslog Configuration and Cisco Network Devices

syslog reserves facilities local0 through local7 for log messages received from remote servers and network devices. Routers, switches, firewalls, and load balancerseach logging with a different facilitycan each have their own log files for easy troubleshooting. Appendix IV has examples of how to configure syslog to do this with Cisco devices using separate log files for the routers, switches, PIX firewalls, CSS load balancers, and LocalDirectors.

syslog and Firewalls

syslog listens by default on UDP port 514. If you are logging to a remote syslog server via a firewall, you have to allow traffic on this port to pass through the security device. syslog messages usually have UDP port 514 for both their source and destination UDP ports.

logrotate

The Linux utility logrotate renames and reuses system error log files on a periodic basis so that they don’t occupy excessive disk space.

The /etc/logrotate.conf File

The /etc/logrotate.conf file is logrotate‘s general configuration file in which you can specify the frequency with which the files are reused:

• You can specify either a weekly or daily rotation parameter. In the case below, the weekly option is commented out with a #, allowing daily updates.

• The rotate parameter specifies the number of copies of log files logrotate will maintain. In the case below, the 4 copy option is commented out with a #, while allowing 7 copies.

• The create parameter creates a new log file after each rotation.

Therefore, our sample configuration file will create daily archives of all the logfiles and store them for seven days. The files will have the following names, with logfile the current active version:

     logfile
     logfile.0
     logfile.1
     logfile.2
     logfile.3
     logfile.4
     logfile.5
     logfile.6

Sample Contents of /etc/logrotate.conf

     # rotate log files weekly
     #weekly

     # rotate log files daily
     daily

     # keep 4 weeks worth of backlogs
     #rotate 4

     # keep 7 days worth of backlogs
     rotate 7

     # create new (empty) log files after rotating old ones
     create

The /etc/logrotate.d Directory

Most Linux applications that use syslog put an additional configuration file in this directory to specify the names of the log files to be rotated. It is a good practice to verify that all new applications that you want to use the syslog log have configuration files in this directory. Here are some sample files that define the specific files to be rotated for each application.

The /etc/logrotate.d/syslog File (for General System Logging)

     /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler
     /var/log/boot.log /var/log/cron {
         sharedscripts
         postrotate
         /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2>
     /dev/null || true
         endscript
     }

The /etc/logrotate.d/apache File (for Apache)

     /var/log/httpd/access_log /var/log/httpd/agent_log
     /var/log/httpd/error_log /var/log/httpd/referer_log {
         missingok
         sharedscripts
         postrotate
         /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null
     || true
         endscript
     }

The /etc/logrotate.d/samba File (for Samba)

     /var/log/samba/*.log {
         notifempty
         missingok
         sharedscripts
         copytruncate
         postrotate
         /bin/kill -HUP `cat /var/lock/samba/*.pid 2> /dev/null` 2>
     /dev/null || true
         endscript
     }

Activating logrotate

The logrotate settings in the last section will not take effect until you issue the following command:

     [root@bigboy tmp]# logrotate -f

If you want logrotate to reload only a specific configuration file, and not all of them, issue the logrotate command with just that filename as the argument:

     [root@bigboy tmp]# logrotate -f /etc/logrotate.d/syslog

Compressing Your Log Files

On busy Web sites the size of your log files can become quite large. Compression can be activated by editing the logrotate.conf file and adding the compress option.

     #
     # File: /etc/logrotate.conf
     #

     # Activate log compression
     compress

The log files will then start to become archived with the gzip utility, each file having a .gz extension.

     [root@bigboy tmp]# ls /var/log/messages*
     /var/log/messages      /var/log/messages.1.gz /var/log/messages.2.gz
     /var/log/messages.3.gz /var/log/messages.4.gz /var/log/messages.5.gz
     /var/log/messages.6.gz /var/log/messages.7.gz
     [root@bigboy tmp]#

Viewing the contents of the files still remains easy because the zcat command can quickly output the contents to the screen. Use the command with the compressed file’s name as the argument:

     [root@bigboy tmp]# zcat /var/log/messages.1.gz
     ...
     ...
     Nov 15 04:08:02 bigboy httpd: httpd shutdown succeeded
     Nov 15 04:08:04 bigboy httpd: httpd startup succeeded
     Nov 15 04:08:05 bigboy sendmail[6003]: iACFMLHZ023165:
     to=<tvaughan@clematis4spiders.info>, delay=2+20:45:44,
     xdelay=00:00:02, mailer=esmtp, pri=6388168,
     relay=www.clematis4spiders.info. [222.134.66.34], dsn=4.0.0,
     stat=Deferred: Connection refused by www.clematis4spiders.info.
     [root@bigboy tmp]#

syslog Configuration and Cisco Devices

syslog reserves facilities local0 tHRough local7 for log messages received from remote servers and network devices. Routers, switches, firewalls, and load balancers each logging with a different facility can each have their own log files for easy troubleshooting. This appendix will show you how to have a different log file for each class of device. All the network device configuration examples that follow log to the remote Linux logging server 192.168.1.100. Remember, if you have a large data center, you may also want to switch off all logging to /var/log/messages for the home/SOHO environment

     service timestamps log datetime localtime
     no logging console
     no logging monitor
     logging 192.168.1.100

Catalyst CAT Switches Running CATOS

By default Cisco switches also send syslog messages to their logging server with a default facility of local7. Don’t change this facility either, therefore making routers and switches log to the same file.

     set logging server enable
     set logging server 192.168.1.100
     set logging level all 5
     set logging server severity 6

Cisco Local Director

Local Directors use the syslog output command to set the logging facility and severity. The value provided must be in the format FF.SS (facility.severity) using the numbering scheme in

This example uses facility local4 and the logging debugging messages from

     syslog output 20.7
     no syslog console
     syslog host 192.168.1.100

Cisco PIX Firewalls

PIX firewalls use the numbering scheme in to determine their logging facilities.

This configuration example assumes that the logging server is connected on the side of the “inside” protected interface. It sends log messages to facility local3 with a severity level of 5 (Notification) set by the logging trap command.

     logging on
     logging standby
     logging timestamp
     logging trap notifications
     logging facility 19
     logging host inside 192.168.1.100

Cisco CSS11000 (Arrowpoints)

The configuration for the Cisco CSS11000 load balancer series is more straightforward. You specify the facility with an intuitive number using the logging host command and set the severity with the logging subsystem command. This example shows the CSS11000 logging facility local6 and severity level 6 (Informational):

     logging host 192.168.1.100 facility 6
     set logging subsystem all info-6

     logging commands enable

The Sample Cisco syslog.conf File

     #
     # All LOCAL3 messages (debug and above) go to the firewall file
     ciscofw
     #

     local3.debug /var/log/cisco/ciscofw
     #
     # All LOCAL4 messages (debug and above) go to the Local Director file
     ciscold
     #
     local4.debug /var/log/cisco/ciscold

     #
     # All LOCAL6 messages (debug and above) go to the CSS file ciscocss
     #
     local6.debug /var/log/cisco/ciscocss

     #
     # All LOCAL7 messages (debug and above) go to the ciscoacl
     # This includes ACL logs which are logged at severity debug
     #
     local7.debug /var/log/cisco/ciscoacl

     #
     # LOCAL7 messages (notice and above) go to the ciscoinfo
     # This excludes ACL logs which are logged at severity debug
     #
     local7.notice /var/log/cisco/ciscoinfo