30.0 Technologies
The following is considered the most usual network setup when you deploy the technology discussed here, even though it might not fit your situation. Treat this information as a guide or reference rather than a requirement.

Equipment to use
* Routers, firewalls, switches
* Category 5/5e/6 patch cable for wired connections
* Servers, workstations

1. Router
* In most cases, you need to do IP routing between your ISP (the Internet) and your network
* With that in mind, you need a router that has at least two Layer-3 (routing) interfaces: one facing the ISP and another facing your LAN
* Depending on the router model, the interface facing your LAN is an Ethernet interface, while the interface facing your ISP could be an Ethernet or a non-Ethernet interface
* Non-Ethernet interfaces include T1/E1 (Serial), ISDN, and DSL
* When the router has a non-Ethernet interface, the router might have an integrated modem
* When you have T1/E1, DSL, or cable Internet, you could use a dual-Ethernet router when a supported external modem with an Ethernet port is available
* When the router has multiple Ethernet ports (i.e. a dual-Ethernet router), verify whether those ports are capable of acting as Layer-3 (routing) interfaces
* When the router has an integrated switch, all switch ports together are considered one Layer-3 (routing) interface, which will face your LAN
* The router might need to do NAT/PAT between your internal private subnet and the IP address provided by the ISP
* Typically routers don't do OSI Layer 5-7 inspection and/or filtering (e.g. SPAM email filtering). You might need a firewall specifically for these.

2. Firewall
* In most cases, you need to do IP routing between your ISP (the Internet) and your network
* In addition, you also need a firewall for some Internet security
* With that in mind, you need a firewall that has at least two Layer-3 (routing) interfaces: one facing the ISP and another facing your LAN
* Usually firewall interfaces are Ethernet only, without an integrated modem
* Assuming no integrated modem exists, you need an external modem or an external integrated modem/router to connect the firewall to your ISP
* When the firewall has multiple Ethernet ports, verify whether those ports are capable of acting as Layer-3 (routing) interfaces
* When the firewall has an integrated switch, all switch ports together are considered one Layer-3 (routing) interface, which will face your LAN
* The firewall might need to do NAT/PAT between your internal private subnet and the IP address provided by the ISP

3. Switch
* Most home or small business networks use a Layer-2 switch
* With a Layer-2 switch, all ports are considered one Layer-3 (routing) interface
* A Layer-2 switch does not do routing; only switching or bridging
* You still need to do routing between your ISP (the Internet) and your LAN; hence you still need either a router or a firewall
* You will connect the switch to the router or firewall LAN interface
* When the router or firewall has an integrated switch, you probably need a crossover Category 5/5e patch cable instead of the straight-through type when connecting the switch to the router/firewall

4. Servers and Workstations
* You will connect servers and workstations to the switch ports
* When the workstations need to receive IP addresses automatically, you may need to set the router or firewall as the DHCP server and the workstations as DHCP clients
* Servers need to have static IP addresses; refer to the server operating system documentation on how to set a static IP address

Choosing ISP
Whenever possible, choose an ISP that has a reliable connection to the backbone network.
Note that the ISP does not need to be Tier-1 class (such as AT&T or Verizon), especially when your area is only served by Tier-3 class ISPs. As long as the ISP has such a reliable connection, you should be in good shape most of the time. To find out how reliable your ISP's connection to the backbone network is, you can ask the following questions:
* What kind of circuit does the ISP have to the backbone network? OC-X (OC-3, OC-12, or higher)? SONET ring? DWDM?
* How many transit providers does the ISP connect to? Three should be the "standard"
* Who are the transit providers? Are they Tier-1 class providers? Something like Level 3, Cogent, Sprint, or Internap should be sufficient.

Choosing Circuit Connection to ISP
The most common circuit connections for homes or small businesses are the following:
1. T1/E1, Point-To-Point (Dedicated Leased Line), or Frame Relay
2. ISDN
3. Broadband: DSL, Cable Internet
4. Wireless

The first two kinds of circuits are considered "top of the line" for homes or small businesses. The standard SLA (Service Level Agreement) should include a 4-hour response time, which may not be present on broadband circuits. In most cases, these two circuit kinds are more reliable than broadband; hence they require a "top dollar" fee compared to broadband. Choosing the circuit connection to your ISP depends on how critical your Internet applications are. If you or your organization require a constant, stable, and reliable Internet connection 24/7, then the first two circuit kinds should be the choice. If you or your organization can tolerate some down time (no Internet connection for some time), then the last two choices should be sufficient. Note that a Wireless solution may or may not be equal to T1/E1 or even DS-3 circuits, depending on your area. The key in a Wireless solution is LOS (Line of Sight) and distance. If the distance between your location and the ISP is close enough and there is a clear LOS between the two locations, then Wireless can be a cheap and robust solution.
Hosting Network Devices
As mentioned earlier, the T1/E1, point-to-point, Frame Relay, and ISDN circuits are "top of the line" services which require a "top dollar" fee compared to a broadband connection. Should you want "top of the line" circuit service at a lower fee, a hosting solution is an alternative. Typically, companies that provide hosting solutions have at least a DS-3 or larger bandwidth connection to their ISP and the Internet. When your network devices (i.e. servers) are hosted within these companies' data centers, you don't have to worry about the cost of bringing in your own circuits. In addition, you don't have to worry about the power and cooling your network devices need, since all of these are included and managed by the hosting company. All you need to worry about is making sure the applications running on those servers behave as they should.

Between T1/E1, DSL, and Cable Internet
Let's say you have the following choices of ISP connection speed (bandwidth):
1. A 1.5MBps full T1 circuit
2. A 1.5MBps ADSL over POTS (phone line)
3. A 3 MBps Cable Internet

For home users or small businesses, the third choice looks most attractive since it usually offers more bandwidth at the lowest cost. Keep in mind that a broadband connection (including Cable Internet) has minimal or no SLA compared to the T1 circuit. In addition, a lot of the time the Cable Internet provider has some kind of bandwidth limit. The 3 MBps bandwidth or speed is most likely the burstable speed and may not reflect the actual speed. If you or your organization constantly use up the 3 MBps speed, the Cable Internet provider might penalize you or your organization by charging an extra fee or reducing the speed without your consent or knowledge. Unlike Cable Internet, there is no such penalty on an ADSL connection. In most cases, the connection speed is constant.
When you have both T1 and ADSL from the same provider, you or your organization might be able to have some kind of Internet connection load balance or failover mechanism. Side Note: Check out the following FAQ for more info on load balance or failover mechanisms
»Cisco Forum FAQ »Redundant Link Graceful Internet Load Balance/Failover

However, ADSL (and other xDSL technology) speed depends on the distance between your site and the ISP. The closer your site is to the ISP, the more bandwidth or higher speed is available to you. Specifically with xDSL connections that ride over POTS, there might be some electromagnetic interference factors you also need to consider.

Choosing Connection Speed/Bandwidth
How fast should your connection be? Is a 1.5MBps connection fast enough? Should I choose the 6MBps speed instead of the 1.5MBps speed? Choosing the connection speed should be based on your application performance. Locate the critical Internet applications that will take up the ISP connection bandwidth the most. These applications vary between home users and small businesses. As an illustration, the applications could be simple Internet browsing, email, online gaming, voice or video over the Internet, and web hosting. Once you locate the applications, the next step is to find out the most appropriate speed for such applications considering their workload. When you are unsure what the most appropriate speed is, the application's customer support should be the first to contact. If you are still unable to find out the most appropriate speed afterward, then the next consideration factor is your financial budget. When your budget is limited, you should pick the least expensive connection (which also means the slowest connection). Should you need a faster connection in the future, you could always consider upgrading the speed.

Choosing Internet gateway device
The most common Internet gateway devices for homes or small businesses are routers and firewalls.
Routers are usually preferable since they fit most Internet connection environments compared to firewalls. However, a firewall could be the choice when you or your organization only require a default gateway route to your ISP and have no plan of having a T1/E1, Point-To-Point, Frame Relay, or ISDN circuit to your ISP. Whichever device you choose, you should choose a device that can provide at least decent security features or protections. In addition, a business grade device is recommended since they are more reliable than consumer grade. In the Cisco world, routers for homes or small businesses are the 800 series or higher. As to firewall choices, they should be the ASA 5500 series or PIX Firewall.

Choosing Modem
As mentioned, you have a choice to use either an external or internal (integrated) modem. When you have broadband Internet such as ADSL and Cable Internet, typically you need to have an external modem. Should you prefer to use an internal modem that is integrated into the Internet gateway device, make sure that the modem is compatible with your ISP connection. In case you use an external modem, you need to verify whether the modem is "just" a modem (dumb modem) or an integrated modem/router. A simple dumb modem typically needs no special configuration. You can just connect the modem to your Internet gateway device. If the modem is an integrated modem/router, then you need to confirm further issues like bridge/route mode, whether NAT/PAT is active, and so on.

Connecting Router or Firewall To Your ISP
Following are the most common network scenarios for each ISP connection type

1. T1/E1, Point-To-Point, or Frame Relay
* use a router with either an internal or external DSU
* receive a static IP address with a specific subnet mask from the ISP
* the ISP static IP address may be a public IP address (Internet routable) or may be a private IP address (non-Internet routable)
* may or may not receive ISP DNS IP addresses

2. DSL
* use a router or firewall with either an internal or external DSL modem
* When using a Cisco router with an internal DSL modem, there might be a need to have interface BVI1 activated and to set the VPI/VCI value for the ATM interface
* When there is no internal DSL modem, you should not need a BVI interface
* receive either a static or dynamic IP address with a specific subnet mask from the ISP
* the ISP IP address is a public IP address (Internet routable)
* the ISP assigns the IP address by either PPP (PPPoE or PPPoA), DHCP, or static
* may or may not receive ISP DNS IP addresses

2.1. When ISP uses PPP
* When you use a Cisco router as the ISP gateway, there is a need to have interface Dialer1 activated
* You need to tie the WAN port interface to the interface Dialer1
* Under the interface Dialer1, there is a need to have either "ip address x.x.x.x y.y.y.y" (statically assigned) or "ip address negotiated" (dynamically assigned)

2.2. When ISP uses DHCP or static
* When using a Cisco router with an internal DSL modem, there might be a need to have either "ip address x.x.x.x y.y.y.y" (statically assigned) or "ip address dhcp" (dynamically assigned) under the interface BVI1
* You might be required to set a specific MAC address under the interface BVI1
* When you do use interface BVI1, you need to tie the WAN port interface to the interface BVI1
* When the router has no internal DSL modem, then the IP address assignment (either static or dynamic) should be under the ISP-facing Ethernet interface
* Should you need to set a specific MAC address and there is no internal DSL modem, the MAC address should be under the ISP-facing Ethernet interface

3. Cable Internet
* use a router or firewall with either an internal or external cable modem
* receive either a static or dynamic IP address with a specific subnet mask from the ISP
* the ISP IP address is a public IP address (Internet routable)
* You might be required to set a specific MAC address under the WAN port interface (interface cable0 or the Ethernet interface)
* may or may not receive ISP DNS IP addresses

4. ISDN
* use a router with either an internal or external ISDN modem
* receive either a static or dynamic IP address with a specific subnet mask from the ISP
* the ISP IP address is a public IP address (Internet routable)
* may or may not receive ISP DNS IP addresses
* since ISDN uses PPP, also check the "2.1 When ISP uses PPP" section

Find out your suitable WAN connection type
Usually you already know that your LAN is an Ethernet environment. But do you know what WAN environment you would have? Is it T1/E1, DSL, PPPoE, PPPoA, DHCP, or what? The only people who know what your WAN environment would be is your ISP. Please consult with your ISP representative regarding the connection type. Usually when you are a new customer, your ISP will provide you the necessary info on how to connect your LAN to the Internet, either by mail, email, or phone. Keep in mind that the ISP-provided info might not be very technical or might be unclear. Here is a suggestion. Document all the info provided here in this FAQ. Then consult the WAN connection type with your ISP representative. Ask the representative to find out which WAN connection type provided here matches. Some key words you need to discuss with your ISP representative are the following:
* Physical (Layer 1) connection: T1/E1, ISDN, DSL, Cable Internet
* Modem existence: external or internal modem
* Layer 2 connection: PPPoA, PPPoE, DHCP, Static IP addresses
* IP Address Assignment: Which IP address must be the gateway; which should be the host
* NAT/PAT: Is it possible to use the gateway (router) IP address to go out to the Internet using PAT?
* DNS IP addresses: Which are they? How do you use them on your system?

If your representative is not technical enough, ask to speak with one of their technical people. This way, you can be sure you have the necessary info on how to connect your LAN to the Internet. As an insight, the following is some technical description of DSL and Cable Internet
»Cisco Forum FAQ »Technical Aspects in xDSL/Cable Internet connection

Preparing Yourself before discussing with ISP representative
Before contacting your ISP, you need to understand the system you plan to use. This system includes your Internet gateway (router or firewall), servers, workstations, and all other hosts. Familiarize yourself with the router or firewall inner workings and features, as well as the operating system of your workstations, servers, and all other hosts. The key technology to familiarize yourself with is how to set up a network using DHCP, PPP (PPPoA/PPPoE), and static IP addresses on your system. As to the router and firewall, it is suggested that you be comfortable with the various WAN connection types and deployments. Review router and firewall sample configurations of all WAN connection types, from DHCP and PPP to static IP address. Even though your ISP would be using DHCP and not PPP, for example, it is a good idea to be familiar with both to understand the similarities and differences between the two technologies. Check out the following FAQ for further info regarding DHCP, PPP, dynamic, and static IP address
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

Following is the sample configuration list for specific WAN connection types for further review. The sample configurations cover the most common WAN connection types such as T1/E1, cable Internet, DSL, external and internal modem, PPPoA, PPPoE, DHCP, and Static IP. They also cover multiple platforms, from routers of various models to the PIX Firewall or ASA.
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

Most of the sample configurations are written in the CLI (Command Line Interface) and not in a Web GUI. In case you are not familiar with the CLI, the following FAQs give a CLI introduction.
»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI

By reviewing all of your system's inner workings in advance, you are better prepared, which will make the ISP WAN connection type and deployment discussion with their representative go smoother.

Deployment Process
When you are ready to do the actual deployment, you can check out the following FAQs for insights
»Cisco Forum FAQ »Quick and Easy Subnetting on Routing, Switching and Network Design Relationship
»Cisco Forum FAQ »Choosing Gateway IP Address for a network
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices
»Cisco Forum FAQ »Network Design Tips
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
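As an added worked example (written for this edit, not one of the FAQ's own sample configurations), the following Cisco IOS configuration puts together the "2.1 When ISP uses PPP" scenario above: an external DSL modem giving an Ethernet hand-off, the WAN port tied to interface Dialer1, the two IP address assignment choices, and the NAT/PAT and DHCP server roles the router section describes. Every value is an assumption: the interface names (FastEthernet0/0 for the LAN, FastEthernet0/1 toward the modem), the LAN subnet 192.168.1.0/24, the placeholder PPP username and password, and the placeholder static address 203.0.113.10.

```cisco
! Added example (not from the original FAQ): Cisco IOS router as a PPPoE
! client behind an external DSL modem. Assumed values: LAN 192.168.1.0/24
! on FastEthernet0/0, ISP hand-off on FastEthernet0/1, PPP credentials
! and the static address are placeholders to be replaced with ISP values.
!
! LAN side: one Layer-3 interface facing the switch, plus the DHCP server
! for workstations. Servers keep static addresses in the excluded range.
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 import all
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
! WAN side: the physical port only carries PPPoE frames; it has no IP
! address of its own and is tied to dialer pool 1.
interface FastEthernet0/1
 description To external DSL modem (Ethernet hand-off)
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
! Dialer1 is the Layer-3 interface facing the ISP.
interface Dialer1
 description PPPoE to ISP
 mtu 1492
 ip address negotiated
 ! For an ISP that assigns the address statically, use instead:
 !   ip address 203.0.113.10 255.255.255.252   (placeholder address)
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ISP-USERNAME-PLACEHOLDER
 ppp chap password 0 ISP-PASSWORD-PLACEHOLDER
 ppp ipcp dns request
 ip nat outside
 ip access-group WAN-IN in
!
dialer-list 1 protocol ip permit
!
! PAT: the whole private LAN leaves through the Dialer1 address.
ip access-list standard NAT-LAN
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-LAN interface Dialer1 overload
!
! Minimal inbound filter on the ISP-facing interface: replies to sessions
! started from the LAN and basic ICMP come back in; anything else is
! dropped and logged.
ip access-list extended WAN-IN
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
ip route 0.0.0.0 0.0.0.0 Dialer1
```

The `ppp ipcp dns request` and `import all` lines are there because the FAQ notes you "may or may not receive ISP DNS IP addresses": when the ISP hands DNS servers over in IPCP, the router learns them and passes them to its own DHCP clients; if it does not, add a `dns-server` line to the pool with the addresses the ISP gives you. The inbound access list is a stateless minimum, not a firewall; on an IOS image that supports it, stateful inspection (`ip inspect` or the zone-based firewall) on the ISP-facing interface is the better choice.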
by aryoba »Cisco Forum FAQ »Things to expect when setup network for home or small business

When you decide to have Broadband Internet access using xDSL (i.e. ADSL, SDSL) or Cable Internet, you will most likely deal with the following aspects
* To use either a router or a firewall as the Internet gateway
* Layer-1: using either an internal or external modem; Category 5/6 cable extension
* Layer-2: PPP (PPPoA, PPPoE); MAC address for DHCP
* Layer-3: auto-negotiated or static WAN IP address

Following are some details.

PPP
When you are using xDSL, ISDN, or T1/E1 circuits, you will probably be dealing with PPP technology. In a nutshell, PPP is a Layer-2 technology providing connectivity from a remote user (PPP client) to a server (PPP server) using a specific username and password. In this case, the PPP client is your Internet gateway (either router or firewall) and the PPP server is the ISP. Typically you need a router as the PPP client. Specifically with PPPoE, you could use a firewall. However, for PPPoA or legacy PPP, you need a router.

DHCP
When you are using either xDSL or Cable Internet, you will probably be dealing with DHCP technology. In a nutshell, DHCP is a mechanism that provides an IP address and subnet mask dynamically to a specific machine that needs one. In this case, the machine is your Internet gateway (either router or firewall), which will be the DHCP client, and the DHCP server is in the ISP network. Typically you could use either a router or a firewall as the DHCP client. Unlike PPP, which uses a username and password to connect, the DHCP process might require a certain MAC address to connect to the ISP. The following FAQ has some info on PPP, DHCP, and Static IP address assignment
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

Between Internal Modem and External Modem Usage
When you use an external modem, your Internet gateway might receive an Ethernet hand-off. This is applicable when you use a firewall or a router without an integrated modem.
From a practical perspective, you then only need to configure the Layer-2/Layer-3 aspects on the Internet gateway. For PPP, in general you only need to configure the username, password, and authentication method. For DHCP, in general you only need to verify that your Internet gateway's MAC address is in the ISP database.

There are some things you need to confirm whether you use an external or internal (integrated) modem. Some examples are your ISP's DSL signaling type, bridge mode configuration, and VPI/VCI value settings when you use xDSL service. Fortunately, you may not need to worry about this when you use the "ISP-approved" external modem, since those settings are pre-configured. Note that the keyword is "may". When you use a router with an integrated DSL modem for xDSL service, your integrated modem/router may not be "ISP-approved" xDSL equipment. Note that even though the router is not "ISP-approved", that doesn't necessarily mean the router won't work. In any case (either using an integrated modem or an external modem; "ISP-approved" or "ISP-non-approved"), you need to verify the Layer-1/Layer-2/Layer-3 aspects. As an illustration, you need to verify things like DSL signaling and the ATM VPI/VCI value in addition to the username, password, and authentication method. Whatever technology your ISP uses (DSL, Cable, or else), you need to make sure their setup matches yours to make things work. Check out the following FAQ for more info.
»Cisco Forum FAQ »Generic PPPoA/PPPoE/RFC1483 Bridging/RFC1483 Routing Guide

One good thing about using an integrated modem within a router is that you can see the Layer-1/Layer-2/Layer-3 aspects on one device, which is the router itself. When you use an external modem, you need to confirm two device configurations: the external modem and the router.
Understanding DSL Technology
Connecting Cisco Routers to Service Provider DSL Networks
Cisco DSL router DSL/ATM command output descriptions
ADSL Sample Technology - show dsl interface atm command output
ATM IMA Sample Technology - show controllers atm

Some Deployment and/or Troubleshooting Insights
Following are some discussions of troubleshooting Layer-1/Layer-2/Layer-3 issues
»Trouble with ADSL connection after a weird router reset 877
»[HELP] How to read dsl interface
»What do these sh dsl int atm0/0 - atm0/1 mean ??
»2800 series routers
»[HELP] Cisco 1721 and WIC-1ADSL Slow, 320Kbit
»Frequent disconnects with 1801
»[HELP] Cisco 857W and Qwest
»[HELP] cisoc 3640 nm-1fe-2w + wic1-adsl speed problem.
»[Config] Fun with Cisco 1720 WIC-1ADSL, WIC-1ENET and Cisco PIX
»Cisco 8x7 CRCs on logical interface only
»[HELP] Help with CISCO 1801 router

For more info on Layer-1 xDSL troubleshooting, you can always visit a DSL forum FAQ such as this
»SBC DSL FAQ

For more info on Layer-1 Cable Internet troubleshooting, you can always visit a Cable Internet forum FAQ such as these
Cable Modem General Info
Cable Modem Troubleshooting
When you are using an ISP to connect to the Internet, most likely you will be dealing with DHCP, PPP, dynamic, or static IP address assignment (whether you are aware of it or not). Let's say you have to configure a Cisco router's Ethernet 0 interface to have a specific IP address. Then the following illustrates how to configure the IP address.

1. Assign IP address by DHCP
    interface Ethernet0
     ip address dhcp

2. Assign IP address by PPP
    interface Ethernet0
     ip address negotiated

3. Assign IP address statically
    interface Ethernet0
     ip address xx.xx.xx.xx yy.yy.yy.yy
   where xx.xx.xx.xx is the IP address and yy.yy.yy.yy is the subnet mask

In the early days, DHCP and PPP were used to dynamically assign IP addresses to hosts. However, with additional features, it is technically possible to assign a "static IP address" via DHCP and PPP. By referring to the specific MAC address of a host, the host always receives the same IP address via DHCP. By referring to a specific username and password, a host also always receives the same IP address via PPP. Why would your ISP use DHCP or PPP to "statically assign" IP addresses to their customers and not use the traditional way of statically assigning IP addresses? Probably it is simpler from their network administration point of view. Whatever the reason is, you have to choose the most appropriate way to assign your ISP IP address and learn the tips and tricks needed to access the Internet using your ISP.

Assign Your Internet Gateway's IP Address
In terms of configuring your Internet gateway's IP address, you need to consult with your ISP as to how exactly they assign the IP address to your device.
When your ISP says the IP address will be assigned dynamically, you need to confirm the following
* whether they use DHCP or PPP (or PPPoE/PPPoA) technology to assign the IP address
* if they use PPP, confirm the username and password for the PPP authentication process
* if they use DHCP, confirm whether the ISP locks down your IP address to a specific MAC address
* whether the IP address is always the same every time or constantly changing
* assuming the IP address changes, how frequently the change takes place and which event triggers the change

When your ISP says the IP address will be static, you need to confirm the following
* whether they use DHCP or PPP technology to assign the IP address
* whether the IP address might change
* assuming the IP address changes, how frequently the change takes place and which event triggers the change

Important Note: Make sure that when you discuss this with your ISP representative, the representative is a technical person who knows what he or she is talking about. You don't want to get misinformed, since you might not be able to access the Internet when you don't have the correct info.

Static IP without DHCP or PPP
If your ISP says "No DHCP, No PPP. It is static", then it might mean that you have to statically configure your Internet gateway device with your assigned IP address. On a Cisco router, you should then use the "ip address xx.xx.xx.xx yy.yy.yy.yy" command. Check out this forum's FAQ for a specific sample configuration of a Cisco router with a statically-assigned IP address
»Cisco Forum FAQ »How can I configure broadband router with cable/dsl using static IP address

Static IP with DHCP
When your ISP uses DHCP to "statically assign" your Internet gateway device, then from the device's perspective it is still DHCP (still a somewhat dynamic IP address with a "sticky IP" approach). To configure your Cisco router, you then still need to use the "ip address dhcp" command under the ISP-facing interface.
Check out this forum's FAQ for a specific sample configuration of a Cisco router as a DHCP client.
»Cisco Forum FAQ »Configure router as DHCP client using external modem

Dynamic IP with DHCP
From the DHCP client's perspective, there is no difference between "static" and dynamic IP address assignment. As mentioned, a "statically assigned" DHCP-based IP address is still a dynamic process. Therefore you can use the same FAQ above for a specific sample configuration of a Cisco router as a DHCP client when you only have a dynamic IP address from your ISP. As a note, the difference between DHCP-based static and dynamic IP addresses is probably the ISP requirement to lock down your Internet gateway device's MAC address to a specific IP address, although it is possible that the ISP administers MAC address lock-down for both dynamic and static IP account customers for network management simplicity. Check out the following thread for insight.
»[help] 851W and ISP DHCP

Dynamic IP with PPP
In general, your ISP supplies a username and password for the PPP authentication process. Once your Internet gateway device successfully establishes a PPP connection with your ISP (passes the Layer-2 process), then your device will deal with the IP address assignment issue (the Layer-3 process). In a normal PPP-IP network environment, dynamic IP address assignment requires the "ip address negotiated" command under the ISP-facing interface on Cisco equipment. With a static IP address, you need to use the "ip address xx.xx.xx.xx yy.yy.yy.yy" assignment on the Cisco router. However, there might be exceptions for certain ISPs. If you have a static IP with PPP, read the next discussion. Check out this forum's FAQ for a specific sample configuration of a Cisco router as a PPP client
»Cisco Forum FAQ »Quick Guide of Configuring Cisco router for PPPoE using external modem

Static IP with PPP
When your ISP uses PPP to "statically assign" your Internet gateway device, then you may experience some unusual situations.
To configure a Cisco router, you need to use the "ip address xx.xx.xx.xx yy.yy.yy.yy" command under the ISP-facing interface in a normal static IP address environment. However, for some ISPs you need to use the "ip address negotiated" command under the ISP-facing interface. If you are in this situation, then you might try the 1st approach (the "ip address xx.xx.xx.xx yy.yy.yy.yy" command) and see if you are able to host public servers or establish a VPN IPSec tunnel with the remote end. If your public server is inaccessible from the Internet or you are unable to establish the VPN tunnel, then try the 2nd approach (the "ip address negotiated" command) and see if it makes any difference. When the 2nd approach works, then the 2nd approach is considered the most appropriate way to assign the IP address to your ISP-facing interface. Like DHCP, static and dynamic IP address assignment in a PPP-IP environment use similar configuration. Therefore you can refer to the previous sample configuration of a Cisco router as a PPP client for static IP address assignment.

Additional Sample Configurations
For more sample configurations, check out the following FAQ
Various PPPoA/PPPoE/DHCP/Static Sample Configuration with Cisco
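The DHCP cases above (dynamic, and "static" via a MAC-locked sticky lease) look identical on the router, which is the point of the "Static IP with DHCP" and "Dynamic IP with DHCP" sections. The following added example, written for this edit and not taken from the FAQ's own sample configurations, shows the ISP-facing Ethernet interface of a Cisco IOS router behind an external cable modem in that form, with the "No DHCP, No PPP" static variant beside it for comparison and the commands used to verify what the router actually received. The interface name FastEthernet0/1, the MAC address 0011.2233.4455, and the addresses 203.0.113.10/30 and 203.0.113.9 are assumed placeholders.

```cisco
! Added example (not from the original FAQ): ISP-facing interface of a
! Cisco IOS router behind an external cable modem. Assumed values: the
! WAN port is FastEthernet0/1; the MAC address and the static address,
! mask, and ISP gateway are placeholders to be replaced with ISP values.
!
! Case A: address assigned by DHCP, whether the ISP calls it "dynamic" or
! "static" (sticky lease). If the ISP locked the lease to the MAC address
! it has on file, the router presents that address instead of its own
! burned-in one; omit the mac-address line when no lock-down exists.
interface FastEthernet0/1
 description To cable modem (ISP DHCP)
 mac-address 0011.2233.4455
 ip address dhcp
 ip nat outside
 no ip proxy-arp
 no cdp enable
!
! With "ip address dhcp" the router also installs its default route from
! the lease, so no static "ip route 0.0.0.0 0.0.0.0" line is needed here.
!
! Case B: "No DHCP, No PPP. It is static." Replace Case A with this block
! and add the default route toward the ISP gateway by hand.
! interface FastEthernet0/1
!  description To cable modem (ISP static)
!  ip address 203.0.113.10 255.255.255.252
!  ip nat outside
!  no ip proxy-arp
!  no cdp enable
! ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! Verification from privileged EXEC after the cable modem syncs:
!   show dhcp lease              (Case A: lease, server, expiry)
!   show ip interface brief      (address and line/protocol state)
!   show ip route                (the default route, however it got there)
```

If Case A keeps renewing without ever getting an address, and the ISP confirms a MAC lock-down, the `mac-address` line is the first thing to compare against what the ISP has registered; if Case A works but the address you receive is not the one the ISP promised, that is the "sticky IP" question from the checklist above to raise with their technical contact. The LAN side and NAT/PAT rules are the same as for any other Internet gateway and are left out here.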
Great information...and I don't even have a Cisco router!
Thanks for posting it.

2010-08-16 12:09:59 by aryoba

Dedicated Circuit
A Dedicated Circuit is a circuit that provides a private dedicated connection between two or more sites. In other words, no other organization will use this circuit, since it is dedicated to only one organization across all its sites end to end. Following are the most common dedicated circuit types
1. T1/E1, DS-3
2. ISDN
3. Frame Relay
4. Fiber: OC-X, Metro Ethernet, SONET Ring, DWDM

To have this circuit, usually an organization contacts its preferred ISP to set one up. The organization could choose to use the ISP network as an "intermediate network" between organization sites, or choose to have a direct connection between sites bypassing the ISP network. Using a T1/E1 circuit for such a direct connection, for example, the circuit would be some type of leased line; point to point between two sites. When there are more sites to connect, usually the organization will use the ISP network at some point to reduce cost and to be more manageable. This kind of connection technology is considered "top of the line" since it is the most reliable connection (at least most of the time) compared to broadband connections such as DSL and Cable Internet. This nature requires the organization to pay a premium maintenance cost compared to the broadband connection.

Wireless
In some situations, using wireless technology (i.e. microwaves) to provide private site-to-site connections is a good approach. Typically the following are the situations that make wireless deployment a "no-brainer" solution.
Check out the following for more insights.
»Wireless Networking Forum FAQ »Carrier Grade ~1Gbps solutions

VPN (Virtual Private Network)
With today's virtual communication technology, an organization could use some form of VPN (Virtual Private Network) to provide a private and secure site-to-site connection. Using a VPN, the connection between two locations could ride over a public network (i.e. the Internet) while still maintaining a secure or private connection. This is done by creating a logical or virtual connection between the locations that rides over any physical circuit. There are several technologies to set up such a connection
1. HTTPS/SSL
2. IPSec
3. MPLS

Following is the breakdown.

HTTPS/SSL-based Approach
One factor that contributes to the decision of setting up a private or secure connection for internal communications is the application, such as file transfer and email. Let's say your organization uses web-based email or any web-based application accessible using your Internet browser (such as Internet Explorer, Netscape, or Mozilla) for site inter-communication. When this is the case, one way of setting up a private connection is to utilize an HTTPS/SSL-based connection over the Internet. An HTTPS/SSL-based connection is basically HTTP (web) communication that can ride over any connection, including the Internet (public network) via any ISP, while still maintaining a secure and private environment. By utilizing this HTTPS/SSL-based approach, the organization's sites only need a basic Internet connection without requiring special network setup. Note that an HTTPS/SSL-based network over the Internet only works when all necessary applications within the organization are web-based applications. Some applications cannot be accessed simply by using an Internet browser. For example, you cannot use Internet Explorer (as the Internet browser) to map shared drives in a Microsoft Active Directory network.
When remote users need to access such applications, the HTTPS/SSL-based approach will not work. To make it work, a network-layer approach (going lower, to OSI Layers 1 to 3) is needed to set up the secure or private connection. With a network-layer approach, any application (web or non-web) works, since the approach is general and does not depend on the application type.

IPSec Approach

Both IPSec and HTTPS/SSL are VPN technologies: both create an encrypted connection ("tunnel") between two sites. The difference is that HTTPS/SSL is an application-layer (OSI Layer 7) approach and IPSec is a network-layer (OSI Layer 3) approach. As mentioned, an IPSec VPN supports web and non-web applications alike because it works at the network layer. An example of a non-web application is accessing data on shared drives in a Microsoft Active Directory network.

Note: Both IPSec and HTTPS/SSL VPNs also apply to remote users who connect to the office temporarily, as described next. Within an organization there is probably at least one employee who is always "on the run" and needs to work remotely from anywhere; this type of employee is sometimes called a "road warrior". Other employees need to work remotely from home, hotels, or other places from time to time. The nature of this need is temporary access: the access exists only while it is needed and can be closed or removed afterward. For this kind of remote access, either an IPSec or an HTTPS/SSL VPN is a good choice for a private and secure connection to the office or sites, since these technologies create a "temporary tunnel" between the office and the remote user or site for as long as data needs to pass. When no more data passes (the idle timeout expires), the tunnel is torn down.
In practice, the employees (remote users) can go to the nearest Internet cafe or use a public wireless network to establish an IPSec or HTTPS/SSL tunnel to the office, assuming they have the necessary software or equipment. Keep in mind that the tunnel protects only the traffic inside it; the laptop on the cafe network is still exposed to that network, so host firewalling and patching still matter.

Between Broadband and Dedicated Circuit

For most small organizations, broadband connections such as DSL and cable Internet are preferred over a dedicated point-to-point circuit because of cost. To provide a private and secure site-to-site connection, such organizations use HTTPS/SSL, IPSec, or both.

As an illustration, take a small organization with two sites. One site has DSL, the other cable Internet. To connect the sites privately and securely, one choice is to deploy a T1 circuit between them. Another is to deploy an IPSec VPN tunnel between the sites, each using its existing broadband connection. Since the T1 circuit is more expensive than DSL or cable Internet, the organization chooses the second option.

Keep in mind that DSL and cable Internet come with a lower SLA than a dedicated circuit: when the broadband connection goes down, the ISP's response time is longer than a dedicated-circuit provider's. In addition, a VPN tunnel can drop "by itself" with no obvious cause at the site (for example after a public IP address change by the broadband ISP or a failed rekey). A dedicated circuit is generally more stable.

MPLS

MPLS is an OSI Layer-2/3 VPN approach in which each organization site has a dedicated point-to-point circuit to its ISP. Unlike the dedicated-circuit network above, the site-to-site traffic then crosses the ISP's shared IP network, where the provider's devices forward it by label rather than by the customer's IP addressing. In other words, the MPLS approach sits somewhere between the dedicated-circuit approach and the IPSec VPN approach.
Generally speaking, the ISP handles the VPN aspect and keeps each customer's routes and traffic separated on its shared network (in a Layer-3 MPLS VPN, in a per-customer VRF); this is transparent to the organization's (the ISP customer's) sites. From the organization's perspective, site-to-site connectivity over MPLS looks much like the dedicated site-to-site connections described earlier. Note that an MPLS VPN separates customers' traffic but does not encrypt it; if confidentiality from the provider is required, run IPSec over the MPLS connection as well.

Network-Layer Site-to-Site Connection Approach

The network-layer site-to-site connection approach refers to IPSec VPN, dedicated circuit, and MPLS. As mentioned, this approach is needed to give remote sites access to any application type, including non-web-based applications. The next discussion covers considerations for such site-to-site connections. Note that these considerations apply to site-to-site connections and not to road-warrior-to-site connections.

Network Topology

When only two sites communicate, the site-to-site connection is just a straight point-to-point link. When more sites communicate, there are further considerations to review, one of which is the network topology. The most common site-to-site topologies for three or more sites are:
1. Full Mesh
2. Hub and Spoke
3. Partial Mesh

Full Mesh

With a full mesh, each site has a dedicated connection to every other site, as follows:
The typical organization using this topology has a small number of branches or sites with relatively low data throughput. With dedicated point-to-point circuits, there are (let's say) multiple dedicated T1 connections between sites. In the illustration above (four sites), each site has three T1s to the others, for a total of six T1 circuits. With VPN tunnels there are likewise six tunnels, three per site. In general, n sites need n(n-1)/2 circuits or tunnels. Since every site has a direct connection to every other site, there is no single point of failure: if one site goes down, the others still have connections among themselves. However, this setup becomes costly to manage as the number of sites grows and/or more data is pushed through it, since every additional site needs a connection to each existing site. With dedicated circuits, that means more circuits to set up at every site, which may be financially prohibitive. With VPN tunnels, it means more tunnels to set up, which may consume too many VPN device resources such as CPU and memory.

Hub and Spoke

With hub and spoke, each site has a single connection to one central site, and that central site has a connection to each of the other sites, as follows:
Sites A to D are called "spokes" and Site Z is called the "hub". Note that some people refer to this setup as a "star topology". Medium to large organizations usually have this setup: the hub is the corporate office and the spokes are branches, smaller offices, or remote offices. With dedicated circuits, each spoke needs only a single circuit to reach all other sites (through the hub). With VPN tunnels, the VPN device resources are much less consumed than in a full mesh. Spoke-to-spoke traffic also transits the hub, which makes the hub a convenient choke point for inspection and policy. The downside is that there is a single point of failure at Site Z (the central site): when that site is down, all other sites lose their connections.

Partial Mesh

Reviewing the two previous setups, you may wonder which feasible setup has no single point of failure yet is not cost prohibitive. The answer is probably a partial mesh. A partial mesh does not have as many connections as a full mesh, and it has no single point of failure like hub and spoke. Following is an illustration.
Site Y and Site Z are the "hubs". Sites A to F are "spokes" connected to both Site Y and Site Z. This is the preferred setup for medium to large organizations: the two hubs are usually two large offices, and the spokes are branches, smaller offices, or remote offices.

IP Routing

With point-to-point, hub and spoke, full mesh, or partial mesh, IP routing should be used to interconnect all sites. With this in mind, each site has its own subnet, and a router is used to interconnect sites. Specifically for IPSec VPN, you could have the router terminate the VPN tunnel. You could also use a dedicated VPN device such as a firewall or VPN concentrator to provide the tunnel and use the router only to interconnect sites.

Combination of Point-to-Point and Partial Mesh

As mentioned, the traditional connection between two sites is a single point-to-point link. However, it is possible to have redundant (multiple) point-to-point connections between two sites to provide automatic failover and/or load balancing, where each connection has its own circuit at each site. Following is an illustration. Say two sites have two redundant point-to-point connections between them. One site has a dedicated point-to-point T1 circuit to the other site plus a DSL connection. The other site has the far end of the T1 plus a cable Internet connection. Between the DSL at one site and the cable Internet at the other, an IPSec VPN tunnel connects the two sites as the alternate path to the T1. With such automatic failover and/or load balancing in mind, the following setup could be in place as well.
With redundant connections, there are multiple paths between two sites. Note that full mesh and partial mesh networks also have multiple paths between two sites. For multiple paths, dynamic IP routing should be deployed so that the best path is chosen and failover happens automatically. In addition, per-packet or per-destination load balancing could be considered; keep in mind that per-packet balancing over paths with very different delay (a T1 and a VPN over broadband, say) reorders packets and hurts TCP and voice traffic, so per-destination is usually the safer choice. With a hub-and-spoke setup, static routing should be sufficient.

Starting to Design the Network

When you start designing the network, several aspects come into play:
Typical site-to-site network designs, from the circuit-choice perspective, are the following:
For small organizations, a full-mesh site-to-site VPN using broadband (DSL or cable Internet) at each location is probably preferable. For simplicity, use the same ISP for the broadband connection at all sites. As an illustration, all sites could use a Cisco ASA 5505 with a 3 Mbps cable Internet connection to build the full-mesh site-to-site VPN. When you choose a partial mesh or hub-and-spoke setup (circuit or VPN), make sure the hub has enough bandwidth and a powerful enough network device to handle the aggregate throughput from the other sites. As an illustration, the hub could use a Cisco 3825 router with a DS-3 circuit while the spokes use a Cisco 1841 router with a 1.5 Mbps DSL connection to build a hub-and-spoke site-to-site VPN.

Note: For more info on Cisco equipment performance, check out the following FAQ
»Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)

Following is an illustration. Say you decide on the second choice, where dedicated circuits between sites are the primary connection and IPSec VPN tunnels over the Internet are the alternate connection. To start designing the network, ask yourself these questions and go from there.
The next discussions cover other important aspects.

Network Device Choice

When the organization uses dedicated circuits for private site-to-site connections, the network device is usually a router or a Layer-3 switch whose WAN port matches the circuit specification. Say the circuit is Frame Relay and the organization selects Cisco routers for all sites. The router's WAN port connects to the Frame Relay circuit; it would be something like a WIC-1DSU-T1 (or the E1 equivalent) with an integrated CSU/DSU, or a WIC-1T serial card for an external CSU/DSU. If the circuit is Gigabit Ethernet, for example, the network device could be a router or a Layer-3 switch; in the Cisco world, the router could be something like a 2821 and the Layer-3 switch something like a Catalyst 3750.

When a VPN is selected for the private site-to-site connection, there are also multiple device alternatives: router, Layer-3 switch, firewall, or VPN concentrator. For small businesses, the typical choices are a firewall or a router; in the Cisco world, the firewall is the ASA 5500 series and the router is the 800 series or higher.

Whichever device is chosen, it is suggested to use the same brand everywhere. If you decide on Cisco equipment, say, then all sites should also use Cisco as the peer device. In theory, multi-vendor equipment interoperates. In practice, there are sometimes unexpected behaviors when establishing connections between vendors. With a single vendor, network behavior is more predictable and controllable, which leads to a more stable network. Another benefit of same-vendor equipment throughout the organization is simpler administration: network administrators can concentrate on a single brand, and you deal with only one vendor for technical or customer support.
You might even receive volume discounts when buying many devices from a single vendor.

Note: To guide you in choosing the proper Cisco equipment, check out the following FAQ
»Cisco Forum FAQ »Which Cisco solution is right for my situation?

Internal and External Connections

All site-to-site traffic, such as file transfer between sites, is considered an internal connection. An external connection is a connection to the outside world, such as to a server on the Internet or at an external site, or Internet browsing. Internal connections should take the private connection. For external connections, there are multiple choices to consider: one is to go directly out from the site to the external site; another is to go through another internal site first.

Consider the following situation. A remote office needs the latest Microsoft Windows patches. To retrieve them, one option is to go directly out to the Internet, reach the Microsoft sites, and download the patches. Another is to go to the central office, which runs a server that provides the patches. For small organizations, the preferred way is usually for the remote office to retrieve patches directly from the Internet. However, some situations require the remote office to use the central office's server. In that case, configure the remote office's network device to direct patch traffic to the central office's server and to block any attempt from the remote office to reach the Internet directly for patches. With this arrangement, the network is considered more secure, since the traffic is more controllable and the patches come only from a server the organization manages.
Remote Site and Internet Access

As previously mentioned, some situations require the remote office to go through the central office before reaching external sites. Other situations, such as Internet browsing, do not require going through the central office; the remote office can just go out to the Internet directly. The advantage of direct Internet access is that the central office's bandwidth is not bogged down by the remote office's Internet traffic and can be reserved for strictly internal traffic such as file sharing. The downside is that the central office has little or no control over the remote office's Internet activity. Without such control, there is a security risk or improper use of Internet access, such as downloading illegal software or picking up a virus/worm, without the central office's approval. Therefore, larger organizations often require all traffic from remote offices, including Internet access, to go through the central offices for traffic management, including traffic policing at all sites. Note that from a network security and management perspective, traffic policing at all sites may be considered necessary even though it adds administrative burden.

Keep in mind that it is possible to have the same level of control over remote offices' Internet activity as at the central offices while those remote offices keep their own local Internet connection. With this setup, the organization has to control multiple Internet connections spread across multiple sites (central and remote offices). Any control that takes place at the central offices must take place at the remote offices as well. This is also common practice for larger organizations. Note that this kind of remote office control may mean additional investment at each remote office to duplicate or mimic the central office's setup.
Whichever setup is preferred, the network administrator should weigh the trade-offs between the two. For small business, direct Internet access from remote offices could be the preferred choice. When the organization is more concerned about network security, it might choose the second setup.

IPSec VPN and Internet (External Connection) Access

Say an organization permits its remote offices to go out to the Internet directly without going through the central office. Typically there are two separate connections at the remote office: one serves internal access and the other serves Internet access. Specifically for organizations that use IPSec VPN for site inter-communication, some form of split tunneling is needed so that only internal traffic enters the tunnel and Internet traffic goes out directly. For Internet access, PAT (Port Address Translation) is typically used to bridge the private subnet on the internal network (LAN) and the Internet. With PAT, application traffic using the most common IP protocols, TCP and UDP (and ICMP echo, by its identifier field), is PAT-ed to the public IP address.

Now review the IPSec VPN tunnel requirements. The tunnel traffic itself uses IP protocol 50 (ESP) or 51 (AH); IKE, which negotiates the tunnel, uses UDP port 500. Unlike TCP and UDP, ESP and AH have no concept of port numbers, so in theory these protocols cannot be PAT-ed. So if the organization permits remote offices to reach the Internet directly and deploys VPN tunnels for internal access, and the VPN endpoint sits behind a PAT device, each site should have at least two public IP addresses: one to serve Internet access (PAT-ed as much as needed) and one reserved for the VPN peer to other sites (or for any IP protocol that cannot be PAT-ed). Two things reduce this requirement in practice. When the same device performs PAT and terminates the tunnel, ESP is addressed to that device's own public address and no translation of ESP takes place, so a single address suffices. And IPSec NAT Traversal (NAT-T) encapsulates ESP in UDP port 4500 precisely so that it can cross a PAT device; AH, which authenticates the IP header, cannot be NAT-ed at all.
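As an added Cisco IOS example (not a configuration from the original FAQ), here is a remote-office router that combines two designs discussed on this page: the dedicated T1 as primary path with an IPSec tunnel over broadband as the backup (the "Combination of Point-to-Point and Partial Mesh" section), and the split tunneling with PAT and NAT exemption described just above. The hostname, interface names, documentation-range addresses and the pre-shared key are assumptions. The `ip sla`/`track` commands assume IOS 12.4(4)T or later (older images use `ip sla monitor`), and DH group 14 assumes an image that offers it (older images only offer groups 2 and 5).

```cisco
! Added example: remote office (Site B) router, e.g. a Cisco 1841 with a WIC-1DSU-T1.
! Assumed addressing (documentation ranges, not from the original FAQ):
!   Site A (central) LAN 10.1.0.0/16, Site A Internet/VPN peer address 203.0.113.2
!   Site B (remote)  LAN 10.2.0.0/16, Site B Internet address 203.0.113.66/29, ISP gateway 203.0.113.65
!   T1 point-to-point link 10.255.0.0/30: Site A 10.255.0.1, Site B 10.255.0.2
hostname SiteB
!
! ---- IKE (phase 1) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Replace with a long random key; Site A configures the same key for 203.0.113.66.
crypto isakmp key ReplaceWithLongRandomKey address 203.0.113.2
! Dead peer detection so a dead tunnel is torn down and rebuilt instead of black-holing.
crypto isakmp keepalive 10 3
!
! ---- IPsec (phase 2) ----
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL = the split-tunnel definition: only Site B LAN <-> Site A LAN is encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map SITE-A 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
! ---- PAT with NAT exemption ----
! Order matters: site-to-site flows are denied (exempted) first so they are not translated
! before the crypto map sees them; everything else from the LAN is PAT-ed to the WAN address.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet0/0 overload
!
! ---- Interfaces ----
interface Serial0/0/0
 description Dedicated T1 to Site A (primary path)
 ip address 10.255.0.2 255.255.255.252
 encapsulation ppp
!
interface FastEthernet0/0
 description Broadband to ISP (direct Internet access and IPsec backup path)
 ip address 203.0.113.66 255.255.255.248
 ip nat outside
 no cdp enable
 crypto map SITE-A
!
interface FastEthernet0/1
 description Site B LAN
 ip address 10.2.0.1 255.255.0.0
 ip nat inside
!
! ---- Failover ----
! Probe the far end of the T1 so the primary route is withdrawn when the circuit is up but
! not passing traffic, not only when the serial line protocol drops.
ip sla 1
 icmp-echo 10.255.0.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary route to Site A over the T1 (administrative distance 1), tied to the tracker.
ip route 10.1.0.0 255.255.0.0 Serial0/0/0 track 1
! Floating static (AD 250): installed only while the tracked route is gone. It sends Site A
! traffic out FastEthernet0/0, where VPN-TRAFFIC matches and the crypto map encrypts it.
ip route 10.1.0.0 255.255.0.0 203.0.113.65 250
! Default route: Internet traffic leaves directly (split tunnel) and is PAT-ed.
ip route 0.0.0.0 0.0.0.0 203.0.113.65
```

Site A needs the mirror image: the crypto ACL and NAT-exemption entries with the subnets reversed, `set peer 203.0.113.66`, and its own tracked primary route to 10.2.0.0/16 with a floating backup toward its ISP gateway. Because this router terminates ESP on 203.0.113.66 itself, the single public address serves both PAT and the VPN peer; the two-address (or NAT-T) requirement only applies when the VPN endpoint sits behind a separate PAT device. Verify with `show ip route 10.1.0.0`, `show track 1` and `show crypto ipsec sa` while the T1 is up, then with the serial interface shut down.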
For small business, it is probably preferable to assign both public IP addresses to the same gateway (peer) network device, so that the traffic rides over the same circuit. For medium or large businesses with a large number of sites, each public IP address could reside on a different network device and ride over a different circuit.

Name Resolution

For sharing files between sites, the organization may use a DNS server to resolve names to IP addresses. When the organization runs a Microsoft network, there may also be a WINS server in addition to the DNS server. Say the organization permits the remote office to go out to the Internet directly without going through the central office. The preferred arrangement is for the remote office to use the local ISP's DNS server to reach Internet sites and the internal DNS server to reach internal servers. The unwanted arrangement is for the remote office to use the central office's internal DNS server for Internet lookups, since every external lookup then crosses the site-to-site link and bogs down the central office's bandwidth.

To get the preferred arrangement, there are alternatives for setting up DNS/WINS at the remote offices. One is to set up a local DNS/WINS server at each remote site. With this setup, all traffic from the remote office (internal or external) uses the local DNS/WINS server, which forwards internal zones to the central office's DNS/WINS servers and everything else to the ISP's DNS server, so external traffic from the remote office never goes through the central office. The downside is that this setup is probably cost prohibitive, not to mention an administrative burden. Another way is to assign multiple DNS/WINS IP addresses to the remote-site hosts: both the central office's DNS/WINS servers and the local ISP's DNS addresses.
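The "two resolvers per host" arrangement leaves the remote office's network device as the place to enforce which resolvers hosts may use. Here is that filtering as an added Cisco IOS example (not configuration from the original FAQ); the LAN subnet, interface name and server addresses are assumptions. It restricts LAN hosts to the central office's DNS/WINS server and the local ISP resolver and drops and logs name-resolution traffic to anywhere else, which also catches hosts that have been pointed at a rogue resolver or are tunneling data over DNS.

```cisco
! Added example, not from the original FAQ. Assumed addressing:
!   Remote office LAN 10.2.0.0/16 on FastEthernet0/1
!   Central office DNS/WINS server 10.1.0.53 (reached through the site-to-site connection)
!   Local ISP resolver 203.0.113.53
ip access-list extended LAN-IN
 remark -- Name resolution: only the two sanctioned resolvers are reachable from LAN hosts
 permit udp 10.2.0.0 0.0.255.255 host 10.1.0.53 eq domain
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.0.53 eq domain
 permit udp 10.2.0.0 0.0.255.255 host 10.1.0.53 eq netbios-ns
 permit udp 10.2.0.0 0.0.255.255 host 203.0.113.53 eq domain
 permit tcp 10.2.0.0 0.0.255.255 host 203.0.113.53 eq domain
 remark -- DNS or WINS to anything else is a misconfigured host, malware or DNS tunneling: drop and log
 deny   udp 10.2.0.0 0.0.255.255 any eq domain log
 deny   tcp 10.2.0.0 0.0.255.255 any eq domain log
 deny   udp 10.2.0.0 0.0.255.255 any eq netbios-ns log
 remark -- Everything else is left to the VPN / NAT policy on the WAN side
 permit ip 10.2.0.0 0.0.255.255 any
!
interface FastEthernet0/1
 description Remote office LAN
 ip access-group LAN-IN in
```

Note what this does and does not achieve: a packet filter sees the resolver's address, not the name being looked up, so it can restrict which resolvers a host may talk to but cannot make the host send internal names to one server and external names to the other; that per-domain split has to be done by a resolver (see the caveat in the next paragraph). Check hits with `show access-list LAN-IN` and the logged denies in `show logging`.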
In addition, there might be a need for traffic filtering on the remote office's network device to allow name-resolution traffic to the central office's DNS/WINS servers only for internal lookups, to block central-office DNS/WINS access for external lookups, and similarly to allow the local ISP's DNS address only for external lookups. With this setup there should be no need to deploy DNS/WINS servers at each remote site, while still avoiding central office bandwidth being bogged down by the remote office's external traffic.

A caveat on that filtering: a packet filter sees only the resolver's address, not the name being queried, and a host with several resolvers listed queries them in its own order (typically the first, then the next on timeout) regardless of whether the name is internal or external. Filtering alone can therefore restrict which resolvers hosts may reach, but it cannot enforce "central DNS only for internal names". To get per-domain behavior without a full DNS server at the remote site, use a lightweight local caching resolver, or the router's own DNS forwarding feature (Cisco IOS calls it Split DNS), configured to forward the internal zones to the central office's DNS server and everything else to the ISP's resolver.

Real Network Illustration

Check out the following threads for illustration
»IPsec help 1811
»[HELP] BGP Failover to IPSEC
»How to Loadshare between a E1 Link and eBGP (MPLS) Link

Deployment Process

Check out the following FAQ for these topics in network design
1. Between Hub and Spoke, Full Mesh, and Partially Mesh
»Cisco Forum FAQ »Tips in Designing Network on Hub-and-Spoke, Full-Mesh, or Partially-Mesh setup
2. IPSec VPN
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
»Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations
by aryoba

»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI

Following is a list of commands that apply to most IOS-based equipment such as routers and switches (a few entries are specific to the 1900-series switch CLI or to legacy IPX and ISDN setups). Check out the following links for the full command references.
IOS Commands 12.4 version on Routers
IOS and Catalyst OS Commands on 6500 series Switches
IOS Commands 12.2 version on 4500 series Switches
IOS Commands 12.2 version on 3560 series Switches
ASA and PIX Firewall OS Commands 6.2 version and above

? -- Gives you a help screen
0.0.0.0 255.255.255.255 -- A wildcard address/mask; same as the any keyword
access-class -- Applies a standard IP access list to a VTY line (restricts which source addresses may log in remotely)
access-list -- Creates a list of tests to filter the networks
any -- Specifies any host or any network; same as 0.0.0.0 255.255.255.255
Backspace -- Deletes a single character
bandwidth -- Sets the bandwidth on a serial interface (used for routing metrics; it does not rate-limit)
banner -- Creates a banner for users who log into the router
cdp enable -- Turns on CDP on an individual interface
cdp holdtime -- Changes the holdtime of CDP packets
cdp run -- Turns on CDP on a router (CDP advertises the platform, IOS version and addresses to the neighbor; keep it off on untrusted or WAN interfaces)
cdp timer -- Changes the CDP update timer
clear counters -- Clears the statistics from an interface
clear line -- Clears a connection made via Telnet to your router
clear mac-address-table -- Clears the filter table created dynamically by the switch
clock rate -- Provides clocking on a serial DCE interface
config memory -- Copies the startup-config to running-config
config network -- Copies a configuration stored on a TFTP host to running-config
config terminal -- Puts you in global configuration mode and changes the running-config
config-register -- Tells the router how to boot and changes the configuration register setting
copy flash tftp -- Copies a file from flash memory to a TFTP host
copy run start -- Short for copy running-config startup-config; places the configuration into NVRAM
copy run tftp -- Copies the running-config file to a TFTP host (TFTP is unauthenticated and unencrypted; the copied config contains your secrets)
copy tftp flash -- Copies a file from a TFTP host to flash memory
copy tftp run -- Copies a configuration from a TFTP host to the running-config file
Ctrl+A -- Moves your cursor to the beginning of the line
Ctrl+D -- Deletes a single character
Ctrl+E -- Moves your cursor to the end of the line
Ctrl+F -- Moves forward one character
Ctrl+R -- Redisplays a line
Ctrl+Shift+6, then X -- Returns you to the originating router when you telnet to numerous routers
Ctrl+U -- Erases a line
Ctrl+W -- Erases a word
Ctrl+Z -- Ends configuration mode and returns to EXEC
debug dialer -- Shows you the call setup and teardown procedures
debug frame-relay lmi -- Shows the LMI exchanges between the router and the Frame Relay switch
debug ip igrp events -- Provides a summary of the IGRP routing information running on the network
debug ip igrp transactions -- Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router to that neighbor router
debug ip rip -- Sends console messages displaying information about RIP packets being sent and received on a router interface
debug ipx -- Shows the RIP and SAP information as it passes through the router
debug isdn q921 -- Shows layer-2 processes
debug isdn q931 -- Shows layer-3 processes
delete nvram -- Deletes the contents of NVRAM on a 1900 switch
delete vtp -- Deletes VTP configurations from a switch
description -- Sets a description on an interface
dialer idle-timeout number -- Tells the BRI line when to drop if no interesting traffic is found
dialer list number protocol protocol permit/deny -- Specifies interesting traffic for a DDR link
dialer load-threshold number inbound/outbound/either -- Sets the parameters that describe when the second BRI comes up on an ISDN link
dialer map protocol address name hostname number -- Used instead of a dialer string to provide more security in an ISDN network
dialer string -- Sets the phone number to dial for a BRI interface
disable -- Takes you from privileged mode back to user mode
disconnect -- Disconnects a connection to a remote router from the originating router
duplex -- Sets the duplex of an interface
enable -- Puts you into privileged mode
enable password -- Sets the enable password in cleartext (legacy; use enable secret instead)
enable password level 1 -- Sets the user mode password
enable password level 15 -- Sets the enable mode password
enable secret -- Sets the enable secret, stored as a hash; supersedes the enable password if both are set
encapsulation -- Sets the frame type used on an interface
encapsulation frame-relay -- Changes the encapsulation to Frame Relay on a serial link
encapsulation frame-relay ietf -- Sets the encapsulation type to the Internet Engineering Task Force (IETF) variant; connects Cisco routers to off-brand routers
encapsulation hdlc -- Restores the default encapsulation of HDLC on a serial link
encapsulation isl 2 -- Sets ISL encapsulation for VLAN 2 on a subinterface (router-on-a-stick)
encapsulation ppp -- Changes the encapsulation on a serial link to PPP
erase startup -- Deletes the startup-config
erase startup-config -- Deletes the contents of NVRAM on a router
Esc+B -- Moves back one word
Esc+F -- Moves forward one word
exec-timeout -- Sets the idle timeout (minutes and seconds) for the console or VTY session; set it on every line so abandoned sessions are closed
exit -- Disconnects a connection to a remote router via Telnet (and, in configuration mode, leaves the current mode)
frame-relay interface-dlci -- Configures the PVC address on a serial interface or subinterface
frame-relay lmi-type -- Configures the LMI type on a serial link
frame-relay map protocol address -- Creates a static mapping for use with a Frame Relay network
host -- Specifies a single host address (in an access list)
hostname -- Sets the name of a router or a switch
int e0.10 -- Creates a subinterface
int f0/0.1 -- Creates a subinterface
interface -- Puts you in interface configuration mode; also used with show commands
interface e0/5 -- Configures Ethernet interface e0/5
interface ethernet 0/1 -- Configures interface e0/1
interface f0/26 -- Configures Fast Ethernet interface 26
interface fastethernet 0/0 -- Puts you in interface configuration mode for a Fast Ethernet port; also used with show commands
interface fastethernet 0/0.1 -- Creates a subinterface
interface fastethernet 0/26 -- Configures interface f0/26
interface s0.16 multipoint -- Creates a multipoint subinterface on a serial link that can be used with Frame Relay networks
interface s0.16 point-to-point -- Creates a point-to-point subinterface on a serial link that can be used with Frame Relay
interface serial 5 -- Puts you in configuration mode for interface serial 5; can also be used for show commands
ip access-group -- Applies an IP access list to an interface
ip address -- Sets an IP address on an interface or a switch
ip classless -- A global configuration command that tells a router to forward packets to a default route when the destination network is not in the routing table
ip default-gateway -- Sets the default gateway of the switch
ip domain-lookup -- Turns on DNS lookup (on by default)
ip domain-name -- Appends a domain name to a DNS lookup (also required before generating RSA keys for SSH)
ip host -- Creates a host table entry on a router
ip name-server -- Sets the IP address of up to six DNS servers
ip route -- Creates static and default routes on a router
ipx access-group -- Applies an IPX access list to an interface
ipx input-sap-filter -- Applies an inbound IPX SAP filter to an interface
ipx network -- Assigns an IPX network number to an interface
ipx output-sap-filter -- Applies an outbound IPX SAP filter to an interface
ipx ping -- A Packet Internet Groper used to test IPX packets on an internetwork
ipx routing -- Turns on IPX routing
isdn spid1 -- Sets the number that identifies the first DS0 to the ISDN switch
isdn spid2 -- Sets the number that identifies the second DS0 to the ISDN switch
isdn switch-type -- Sets the type of ISDN switch that the router will communicate with; can be set at interface level or in global configuration mode
K -- Used at the startup of a 1900 switch to put the switch into CLI mode
line -- Puts you in configuration mode to change or set your user mode passwords
line aux -- Puts you in the auxiliary port configuration mode
line console 0 -- Puts you in console configuration mode
line vty -- Puts you in VTY (Telnet/SSH) line configuration mode
logging synchronous -- Stops console messages from overwriting your command-line input
logout -- Logs you out of your console session
mac-address-table permanent -- Makes a permanent MAC address entry in the filter database
mac-address-table restricted static -- Sets a restricted address in the MAC filter database to allow only the configured interfaces to communicate with the restricted address
media-type -- Sets the hardware media type on an interface
network -- Tells the routing protocol what network to advertise
no cdp enable -- Turns off CDP on an individual interface
no cdp run -- Turns off CDP completely on a router
no inverse-arp -- Turns off the dynamic IARP used with Frame Relay; static mappings must be configured
no ip domain-lookup -- Turns off DNS lookup
no ip host -- Removes a hostname from the host table
no ip route -- Removes a static or default route
no shutdown -- Turns on an interface
o/r 0x2142 -- Changes a 2501 to boot without using the contents of NVRAM (the password-recovery procedure; anyone with console access can use it, so physically secure the console)
ping -- Tests IP connectivity to a remote device
port secure max-mac-count -- Allows only the configured number of devices to attach and work on an interface
ppp authentication chap -- Tells PPP to use CHAP authentication
ppp authentication pap -- Tells PPP to use PAP authentication (sends the password in cleartext; prefer CHAP)
router igrp as -- Turns on IP IGRP routing on a router
router rip -- Puts you in router rip configuration mode
secondary -- Adds a second IPX network on the same physical interface
service password-encryption -- Obfuscates the user mode and enable passwords in the configuration with the reversible type 7 encoding; it hides them from shoulder-surfing but is trivially decoded, so it is not a substitute for enable secret
show access-list -- Shows all the access lists configured on the router
show access-list 110 -- Shows only access list 110
show cdp -- Displays the CDP timer and holdtime frequencies
show cdp entry * -- Same as show cdp neighbor detail, but does not work on a 1900 switch
show cdp interface -- Shows the individual interfaces enabled with CDP
show cdp neighbor -- Shows the directly connected neighbors and details about them
show cdp neighbor detail -- Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command
show cdp traffic -- Shows the CDP packets sent and received on a device and any errors
show controllers s 0 -- Shows the DTE or DCE status of an interface
show dialer -- Shows the number of times the dialer string has been reached, the idle-timeout values of each B channel, the length of call, and the name of the router to which the interface is connected
show flash -- Shows the files in flash memory
show frame-relay lmi -- Shows the LMI type on a serial interface
show frame-relay map -- Shows the static and dynamic Network layer-to-PVC mappings
show frame-relay pvc -- Shows the configured PVCs and DLCI numbers configured on a router
show history -- Shows you the last 10 commands entered by default
show hosts -- Shows the contents of the host table
show int f0/26 -- Shows the statistics of f0/26
show inter e0/1 -- Shows the statistics of interface e0/1
show interface s0 -- Shows the statistics of interface serial 0
show ip -- Shows the IP configuration of the switch
show ip access-list -- Shows only the IP access lists
show ip interface -- Shows which interfaces have IP access lists applied
show ip protocols -- Shows the routing protocols and timers associated with each routing protocol configured on a router
show ip route -- Displays the IP routing table
show ipx access-list -- Shows the IPX access lists configured on a router
show ipx interface -- Shows the RIP and SAP information being sent and received on an individual interface; also shows the IPX address of the interface
show ipx route -- Shows the IPX routing table
show ipx servers -- Shows the SAP table on a Cisco router
show ipx traffic -- Shows the RIP and SAP information sent and received on a Cisco router
show isdn active -- Shows the number called and whether a call is in progress
show isdn status -- Shows if your SPIDs are valid and if you are connected and communicating with the provider's switch
show mac-address-table -- Shows the filter table created dynamically by the switch
show protocols -- Shows the routed protocols and network addresses configured on each interface
show run -- Short for show running-config; shows the configuration currently running on the router
show sessions -- Shows your connections via Telnet to remote devices
show snmp -- Gives you the router's serial number as the "chassis" output
show start -- Short for show startup-config; shows the backup configuration stored in NVRAM
show terminal -- Shows you your configured history size
show trunk A -- Shows the trunking status of port 26
show trunk B -- Shows the trunking status of port 27
show version -- Gives the IOS information of the switch, as well as the uptime and base Ethernet address
show vlan -- Shows all configured VLANs
show vlan-membership -- Shows all port VLAN assignments
show vtp -- Shows the VTP configuration of a switch
shutdown -- Puts an interface in administratively down mode
Tab -- Finishes typing a command for you
telnet -- Connects to, views, and runs programs on a remote device (cleartext, including the login; use SSH and restrict the VTYs with transport input ssh)
terminal history size -- Changes your history size from the default of 10 up to 256
trace -- Tests a connection to a remote device and shows the path it took through the internetwork to find the remote device
traffic-share balanced -- Tells the IGRP routing protocol to share links inversely proportional to the metrics
traffic-share min -- Tells the IGRP routing process to use only routes that have minimum costs
trunk auto -- Sets the port to auto trunking mode
trunk on -- Sets a port to permanent trunking mode
username name password password -- Creates usernames and passwords for authentication on a Cisco router (the password is stored in cleartext or type 7; username name secret password stores a hash instead)
variance -- Controls the load balancing between the best metric and the worst acceptable metric
vlan 2 name Sales -- Creates a VLAN 2 named Sales
vlan-membership static 2 -- Assigns a static VLAN to a port
vtp client -- Sets the switch to be a VTP client
vtp domain -- Sets the domain name for the VTP configuration
vtp password -- Sets a password on the VTP domain
vtp pruning enable -- Makes the switch a pruning switch
vtp server -- Sets the switch to be a VTP server
Really, it's a very good document for the description of all important commands.
Thanks a lot. 2009-07-19 02:16:36 by flw
by nozero
1) Image name as displayed in a "sh ver" (example: System image file is "flash:/c3550-i5q3l2-mz.121-14.EA1a.bin")
2) By platform (example: 2500, 802, UBR905)
3) Serial number as displayed in a "sh diag"
4) Or by IOS major release
The tool can be found here. In order to access the tool from Cisco you need a CCO account. CCO accounts are free and simple to set up. You can register for a CCO here.
by dpocoroba
"These are the distance estimates we got from these providers, for your address." We also have this link to the BBR site distance charts. "CLECs and ILECs work from distance estimates or actual checks before accepting an order. Here is what we know of the distance limits they work by."

by nozero
»[Config] "crc 16"

DS-1/T1/E1
»[HELP] Virus could be attaching router
»New t1 connection: Standard CPE Configuration???
»T1 over a short run of Cat3 cable?
»What is at the other end of a T1
»E1\T1 circuit - serial interface errors
»[Config] Alarm light on 2621 T1 WIC
»Flapping PTP T1 on Cisco 1721's
»1841 service-module T1 timeslots 1-12
»Cisco 1751 with t1 card

DS-3/E-3
»DS3 comming, what do I need?
»DS3 Point To Point
»VPN & Frags

Cisco documentations
Troubleshooting Serial Lines
Understanding the show controllers e1 Command
Blue and Yellow T1 Alarm Troubleshooting
T1 Layer 1 Troubleshooting
T1 Alarm Troubleshooting
T1 Alarm Troubleshooting Flowchart
Troubleshooting Line Problems and Errors on DS-3 and E3 ATM Interfaces

ATM
»What exactly is an atm interface?

DSL/ATM Provider
»[HELP] DSL project need help with ATM switch interface?

OC-3
»Why I'm not Pinging using Alternating Pattern 0x5555?

Metro Ethernet
»Fiber GBIC Question
by aryoba
The routers in these links reside on the public Internet. Therefore the BGP view should reflect your ISP's BGP subnet announcement policy.
BGP IPv4/IPv6 Looking Glass Servers - BGP Route Servers
World Route Servers
by aryoba

Non-Official Cisco Support
Introduction - How PIX Operates and the CLI
Basic PIX configuration
Slightly Advanced PIX Configuration
TCP, UDP, NAT and PAT as the PIX sees it
Access Control Lists and Content Filtering
Object Grouping

Official Cisco Support
Using PIX Firewall
Cisco Security Appliance Command Line Configuration Guide, Version 7.0

Security Level as Stateful Firewall feature foundation

The Cisco ASA/PIX Firewall is designed as a stateful firewall. From the Cisco implementation perspective, there is a concept of Security Level as the foundation of all stateful firewall features. In the basic firewall concept, there are three security zones. The first zone is the Untrusted network, which Cisco implements as the Outside network. The second zone is the Trusted network, which Cisco implements as the Inside network. The third zone is the DMZ network, which Cisco also implements as the DMZ network. Following the basic firewall concept, a firewall is designed as a perimeter guarding the traffic flow between zones.

With the concept of Security Level, the Untrusted (Outside) network has the lowest level of trust, and Cisco by default assigns it a trust level of 0 (zero). Consequently the Trusted (Inside) network has the highest level of trust, and Cisco by default assigns it a security level of 100. Since a DMZ network is considered somewhat trusted and somewhat untrusted, Cisco by default assigns it a (typically even) number between 0 and 100. Based on the associated Security Level, you may notice that the higher a network's level is, the more trusted the network is. In other words, the Inside network is more trusted, or more secure, than the DMZ network, and the DMZ network is more trusted, or more secure, than the Outside network. When you put a Cisco ASA/PIX Firewall in as your Internet gateway or Internet firewall, for example, the Outside network is the Internet, the Inside network is your internal network, and the DMZ network is where your publicly-accessible web or email server sits.
If you would like to go further, you may segment your internal network further by putting a dedicated firewall between your internal servers and the users' PCs, where the Inside network is where the internal servers are and the Outside network is where the users' PCs are. When you consider using only one firewall for everything, then you may want to create multiple DMZ networks, where the Outside network (Security Level 0) is the Internet, the Inside network (Security Level 100) is the internal servers, the DMZ 1 network (i.e. Security Level 1) is the publicly-accessible web or email server, the DMZ 2 network (i.e. Security Level 4) is a guest wireless network, the DMZ 3 network (i.e. Security Level 6) is the users' PCs, and so on and so forth.

Also based on the associated Security Level, any incoming traffic from a lower Security Level to a higher Security Level is by default denied. When you have a publicly-accessible web or email server, let's say on your DMZ network, then you have to permit certain incoming traffic from the lower Security Level (the Internet, or Outside) network to enter the higher Security Level network, which is the DMZ, by using either the nat command or the static command. You can also control how many incoming sessions are permitted, for further protection.

How the Cisco ASA/PIX Firewall Treats TCP-based traffic differently than ICMP-based traffic

You also have to permit incoming ICMP echo reply packets from the least trusted network as a response to ICMP echo packets issued by a machine within the more trusted network. For TCP-based traffic, by default all returning TCP traffic coming from the least trusted network as a response to a TCP packet initiated by a machine within the more trusted network is permitted. Therefore you don't need to create rules to permit such returning TCP traffic. The reason there is no need to create rules to permit such returning TCP traffic is that the firewall understands the concept of the TCP 3-way handshake.

Every time there is outbound TCP-based traffic initiated from the more trusted network to the less trusted network, it is inspected and stored in the connection table (the show conn command reveals this table). When the firewall sees a matching TCP packet coming from the less trusted network toward the more trusted network as part of the 3-way handshake, the firewall permits that returning traffic. ICMP-based traffic, however, has different properties. Since there is no concept of a 3-way handshake in ICMP, each ICMP packet is treated as one-way traffic. Therefore you have to permit any necessary incoming ICMP traffic from the less trusted network towards the more trusted network when you plan to use something like ICMP ping or traceroute from the more trusted network to the less trusted network.

TCP Transaction Protection

For TCP traffic, all incoming TCP traffic is inspected by the Cisco ASA/PIX Firewall to make sure that there will be a 3-way handshake, per the TCP mechanism, to complete the TCP transaction. The firewall will drop any incomplete TCP transaction as protection from possible TCP-based attacks. As an example, the firewall keeps the TCP session as part of the TCP 3-way handshake protection mechanism, where there is some kind of hold timer. The firewall expects to receive the response from the server within the hold timer interval, after which the timer expires. If the firewall has not received the server response by the time the timer expires, the firewall drops the related TCP session and also drops the "late" server response. Another example is the firewall dropping TCP packets when the TCP client keeps sending TCP synchronization (SYN) packets, or sends a TCP acknowledge (ACK) packet without sending a TCP SYN packet first. In this situation, the firewall drops the TCP SYN and TCP ACK accordingly.

There is also a TCP Initial Sequence Number (ISN) randomization protection feature, which by default randomizes the TCP sequence number negotiated between client and server in order to provide protection against TCP sequence prediction attacks.

One optional feature is setting the maximum number of simultaneous TCP and UDP connections through the firewall for the entire subnet. The default is 0, which means unlimited connections, and the firewall lets the server determine the number. Another optional feature is specifying the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems and a higher value for faster systems. The default is 0, which means unlimited embryonic connections. The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX Firewall and ASA accomplish the TCP intercept functionality using SYN cookies.

TCP/UDP Application-Specific Protocol Protection

By default, the PIX Firewall and ASA provide TCP/UDP application-specific protection for the following protocols.
Various Cisco ASA/PIX Firewall Features

1. SSH and Telnet as firewall management access

You can only use SSH for firewall management access when you are sitting in a non-Inside network. By default you can use either Telnet or SSH for firewall management access when you are sitting in the Inside network.

2. NAT

In PIX or ASA OS versions prior to 8.3, by default there is NAT in place for traffic between zones. In these earlier OS versions, you typically use the nat 0 command to eliminate NAT for traffic between zones. You could also use the static command with the same IP subnet for the pre- and post-NAT addresses. Further, there is a rule called the NAT Order of Operation in these earlier OS versions to make sure that the NAT-related business is processed in order.

NAT Concept on PIX Firewall running OS version 6.3 or later and ASA running OS versions prior to 8.3

Introduction to NAT Operation

In a network environment where there is a private network that is not (and should not be) visible directly from the Outside network, that network should be made invisible to the Outside network. The PIX Firewall and ASA were originally designed to provide such invisibility, and they do NAT by default for traffic across security zones, such as between the Inside and Outside network. When Outside network access is needed from the more trusted network, you need to NAT the outbound traffic by using the nat command. If the traffic is just outbound, where connections are initiated from the more trusted network to the less trusted network, then the nat command should be associated with a global command. For inbound traffic, where connections are initiated from the less trusted network to the more trusted network, the static command is needed to accommodate the NAT process. With the static command, the traffic flow between the less and more trusted network is established both ways, meaning that the Outside network (less trusted network) can initiate traffic to the Inside network (more trusted network) at any time, and vice versa. There is no need to create a specific nat command to accommodate this traffic flow.

In regards to the use of the static command, you have a choice of using either the same or a different IP address/subnet between the less and more trusted network. Following is a list of situations where you want to use a different IP address/subnet appearing on the less trusted network.

1. The private network (residing at the more trusted network) uses an IP scheme that is not routable at the less trusted network; i.e. Internet access from a LAN using a private network of 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16
2. The less trusted network is unable to do routing. In this case, the more trusted network uses a NAT-ed IP address that is within the less trusted network's IP subnet
3. There is a conflicting IP scheme between the less and more trusted network. In this case, the more trusted network uses a NAT-ed IP address that is within the less trusted network's IP scheme. Furthermore, you need to NAT the inbound traffic from the less to the more trusted network using a NAT-ed IP address that is within the more trusted network's IP scheme.

When none of the above situations applies, you should use the same IP address/subnet between the less and more trusted network. Note that just because you use the same IP address/subnet between the less and more trusted network, it does not mean that there will be a security risk on the more trusted network, since the PIX Firewall or ASA provides sufficient stateful security features, as mentioned in the earlier discussion.

Different Types of NAT

1. Dynamic PAT
Commands to use: nat, global
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is not needed

Example 1.1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.43.45.93
Description: Any host within the Inside IP subnet 192.168.1.0/24 will be PAT-ed to 203.43.45.93 when there is outbound traffic from the Inside to the Outside network

Example 1.2
nat (outside) 1 203.43.45.0 255.255.255.0
global (inside) 1 192.168.1.93
Description: Any host within the Outside IP subnet 203.43.45.0/24 will be PAT-ed to 192.168.1.93 when there is inbound traffic from the Outside to the Inside network

2. Static PAT
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed

Example 2.1
static (inside,outside) tcp 203.43.45.93 80 192.168.45.93 80 netmask 255.255.255.255
Description: Host 192.168.45.93 will be PAT-ed to 203.43.45.93 when there is outbound traffic initiated from 192.168.45.93 (within the Inside network) using TCP port 80 as the source TCP port to the Outside network. Similarly, any IP address within the Outside network will access 203.43.45.93 using TCP port 80 as the destination TCP port in order to reach 192.168.45.93 on TCP port 80

Example 2.2
static (outside,inside) tcp 192.168.45.93 80 203.43.45.93 80 netmask 255.255.255.255
Description: Host 203.43.45.93 will be PAT-ed to 192.168.45.93 when there is inbound traffic initiated from 203.43.45.93 (within the Outside network) using TCP port 80 as the source TCP port to the Inside network. Similarly, any IP address within the Inside network will access 192.168.45.93 using TCP port 80 as the destination TCP port in order to reach 203.43.45.93 on TCP port 80

3. Static NAT of a single IP address
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the provided IP address.

Example 3.1
static (inside,outside) 203.43.45.93 192.168.45.93 netmask 255.255.255.255
Description: Host 192.168.45.93 will be NAT-ed to 203.43.45.93 when there is outbound traffic initiated from 192.168.45.93 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to the Outside network. Similarly, any IP address within the Outside network will access 203.43.45.93 using any IP protocol in order to reach 192.168.45.93.
Note: This static statement may seem like a security risk, since you are opening the IP address to any incoming IP protocol from the less to the more trusted network. Such risk is mitigated when there is an access-list controlling inbound traffic that opens only the necessary IP protocols and ports (i.e. just open inbound TCP ports 80 and 443 while the others are denied).

Example 3.2
static (outside,inside) 192.168.45.93 203.43.45.93 netmask 255.255.255.255
Description: Host 203.43.45.93 will be NAT-ed to 192.168.45.93 when there is inbound traffic initiated from 203.43.45.93 (within the Outside network) using any IP protocol (including ESP, TCP, and UDP) to the Inside network. Similarly, any IP address within the Inside network will access 192.168.45.93 using any IP protocol in order to reach 203.43.45.93.

4. Static NAT of an entire IP subnet
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the provided IP addresses.

Example 4.1
static (inside,outside) 203.43.45.0 192.168.45.0 netmask 255.255.255.0
Description: Any host within 192.168.45.0/24 will be NAT-ed to 203.43.45.0/24 when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to the Outside network. Similarly, any IP address within the Outside network will access 203.43.45.0/24 using any IP protocol in order to reach 192.168.45.0/24. Using IP subnet static NAT indicates the following static NAT in place
As you can see, the last octet stays the same while only the first three octets differ between the Outside and the Inside IP addresses.
Note: The command is useful when you need to NAT an entire subnet without the requirement of creating multiple static commands, one for each pair of Outside-Inside IP addresses. You can simply create a static NAT for the entire subnet instead.

Example 4.2
static (outside,inside) 192.168.45.0 203.43.45.0 netmask 255.255.255.0
Description: Any host within 203.43.45.0/24 will be NAT-ed to 192.168.45.0/24 when there is outbound traffic initiated from the Inside network using any IP protocol (including ESP, TCP, and UDP) to the Outside network. Similarly, IP addresses within the 203.43.45.0/24 Outside network will access any IP address within the Inside network as 192.168.45.0/24 using any IP protocol.

5. Static NAT of an entire IP subnet, keeping the same IP scheme between the less and more trusted network
Commands to use: access-list, nat 0, and/or static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the provided IP addresses. All of this takes place while keeping the same IP scheme between the less and more trusted network.

Example 5.1 - NAT exemption
access-list nonat_inside-outside permit ip 192.168.45.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside-outside
Description: Any host within 192.168.45.0/24 will appear as itself when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to the Outside network 192.168.1.0/24. Similarly, any IP address within the Outside network 192.168.1.0/24 will access 192.168.45.0/24 using any IP protocol directly.

Example 5.2
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
Description: Any host within 192.168.45.0/24 will appear as itself when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to any Outside network IP address. Similarly, any IP address within the Outside network will access 192.168.45.0/24 using any IP protocol directly.

Example 5.3 - Identity NAT
nat (inside) 0 192.168.45.0 255.255.255.0
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
Description: The behavior is similar to Examples 5.1 and 5.2. This configuration is less popular since it seems more complex than it has to be.

6. Static NAT Policy
Commands to use: access-list and static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the provided IP addresses. All of this takes place while keeping the same IP scheme between the less and more trusted network.

Example 6.1
access-list nat1_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.6.0 255.255.255.0
access-list nat2_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.7.0 255.255.255.0
nat (inside) 1 0.0.0.0
static (inside,outside) 23.54.6.254 access-list nat1_inside-outside
static (inside,outside) 23.54.7.254 access-list nat2_inside-outside
global (outside) 1 203.43.45.32
Description: Any 192.168.45.x host within the Inside network will be statically NAT-ed as 23.54.6.254 when 192.168.45.x accesses 23.54.6.x, which resides at the Outside network. Similarly, any 192.168.45.x host within the Inside network will be statically NAT-ed as 23.54.7.254 when 192.168.45.x accesses 23.54.7.x, which resides at the Outside network. When 192.168.45.x accesses any other IP address at the Outside network besides 23.54.6.x and 23.54.7.x, 192.168.45.x will be dynamically PAT-ed as 203.43.45.32.
NAT Implementation Illustration

For the sake of illustration, we assume the following:
Outside network: any IP subnet
DMZ 1 network: 192.168.0.0/24, 192.168.1.0/24
DMZ 2 network: 192.168.2.0/24, 192.168.3.0/24
Inside network: 192.168.32.0/24, 192.168.33.0/24, 192.168.45.0/24

Example 1
access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.32.0 255.255.255.0
global (outside) 1 203.45.32.84
Description: When any IP address within 192.168.32.0/24 accesses 192.168.1.0/24, the 192.168.32.x hosts appear as themselves. If the 192.168.32.x hosts access anything else that is at the Outside network, there will be dynamic PAT using the 203.45.32.84 IP address to appear on the Outside network. Further, any machine within 192.168.1.0/24 can access 192.168.32.0/24 as itself. In other words, 192.168.32.0/24 appears as itself in the presence of 192.168.1.0/24, and vice versa. The 192.168.33.x hosts cannot access anything beyond the Inside network. Similarly, the 192.168.0.x hosts cannot access anything beyond the DMZ 1 network. Anything at Outside and DMZ 2 cannot access anything at DMZ 1 or the 192.168.33.x Inside network.

Example 2
access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0
nat (dmz1) 2 192.168.0.0 255.255.255.0
global (dmz2) 1 192.168.2.254
global (outside) 2 204.54.65.231
static (inside,outside) 192.168.32.0 192.168.32.0 netmask 255.255.254.0
Description: The 192.168.0.x and 192.168.32.x hosts can see each other as themselves. Any IP address within the Inside network (including those that are not 192.168.32.x or 192.168.33.x, if any, such as 192.168.45.x) is able to access 192.168.2.x and 192.168.3.x using the PAT-ed IP address 192.168.2.254. Both 192.168.32.x and 192.168.33.x will appear as themselves when they access the Outside network. Any 192.168.0.x host will appear as 204.54.65.231 when accessing the Outside network.

Example 3
access-list nonat permit ip 192.168.32.0 255.255.254.0 192.168.0.0 255.255.254.0
access-list nonat permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.254.0
access-list nat1_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nat1_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.3.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nat_inside-outside permit ip 192.168.32.0 255.255.254.0 any
access-list nat_inside-outside permit ip 192.168.45.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat1_inside-dmz2
nat (inside) 2 access-list nat2_inside-dmz2
nat (inside) 3 access-list nat_inside-outside
global (dmz2) 1 192.168.2.254
global (dmz2) 2 192.168.3.254
global (outside) 3 204.54.65.231-204.54.65.253
global (outside) 3 204.54.65.254
static (dmz1,outside) 204.54.64.0 192.168.0.0 netmask 255.255.255.0
Description: The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts appear as themselves when they access 192.168.0.x and 192.168.1.x, and vice versa. The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts appear as 192.168.2.254 when they access 192.168.2.x, and as 192.168.3.254 when they access 192.168.3.x. The 192.168.0.x hosts appear as 204.54.64.x when they access the Outside network. Similarly, the Outside network accesses 204.54.64.x in order to reach 192.168.0.x. The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts on the Inside network appear as any available IP address within the range 204.54.65.231 to 204.54.65.253 when those Inside networks access the Outside network. Such a range is called a NAT pool, where there is a dynamic one-to-one NAT relationship between 192.168.32.x, 192.168.33.x, and 192.168.45.x on the Inside network and any available IP address within the range 204.54.65.231 to 204.54.65.253. When all IP addresses within the NAT pool are used up, 204.54.65.254 will be used as a last resort (as dynamic PAT instead of dynamic NAT).

Note: For illustration, please check out all the sample configurations using the Cisco ASA/PIX Firewall in this Cisco Forum FAQ to better understand what a Cisco firewall implementation looks like.

Traffic Flow Across Security Zones

1. Default Behavior and Ways To Tweak It

As a firewall, the PIX Firewall and ASA by default expect traffic flow to come from one security zone to another. Any routed traffic that comes from one security zone and bounces back to the same security zone (called hairpinning) is denied. Another default behavior is to block traffic flow between security zones with equal security levels. In regards to traffic flow coming from one security zone to another, the following is the default behavior:
* Initiated from a Less-Trusted zone to a More-Trusted zone, traffic is denied
* Initiated from a More-Trusted zone to a Less-Trusted zone, traffic is permitted
* Initiated from one security zone to another with an equal security level, traffic is denied
* Initiated from one security zone and bounced back (hairpinning), traffic is denied

To adjust the above default behavior, the following is the list of choices that applies to the PIX Firewall and ASA running OS version 6.3 and later:
* Implement the nat 0 or static command, in addition to implementing the access-group command tied to a specific access-list command, to allow initiating traffic from a Less-Trusted zone to a More-Trusted zone
* Implement the access-group command tied to a specific access-list command to restrict initiating traffic from a More-Trusted zone to a Less-Trusted zone

When the PIX Firewall or ASA runs OS version 7.0 or later, the following is a list of choices to adjust the various default behaviors:
* Implement the same-security-traffic permit command to allow initiating traffic from one security zone to another with an equal security level. The same command is also used to allow hairpinning traffic
* Transform the Layer-3 firewall default behavior into a Layer-2 firewall using the firewall transparent command, to avoid the firewall participating in routing
* Transform the single physical firewall into multiple virtual firewalls using the mode command, to allow Active/Active or Active/Standby traffic flow with a separate routing table for each virtual firewall

2. Traffic Flow Order of Operation

For traffic flows initiating from the Less-Trusted to the More-Trusted network, here is what Cisco devices, including the PIX Firewall and ASA, expect:
* Incoming traffic hits the IP address as seen in the IP scheme of the Less-Trusted network. If there is NAT in place, then the incoming traffic hits the NAT-ed IP address.
* Cisco devices check the incoming traffic to see if there is a match within the access-list. When there is a match, Cisco devices stop searching, treat the traffic per the rule, and exit. When there is no match, by default Cisco devices deny the traffic
* If a static command is in place to manage the NAT/PAT-ed IP addresses, Cisco devices translate the IP address accordingly and forward the traffic based on the routing table

Since the PIX Firewall and ASA are firewalls, by design the firewall does traffic inspection before forwarding traffic based on the routing table, as mentioned in the earlier discussion. Any traffic that does not pass the inspection will be dropped and will not be forwarded.

What Is New On ASA (Or PIX OS 7.2 and above) Compared To PIX Firewall Running PIX OS 6.3?

Note:
* The PIX Firewall 500 series only support PIX OS up to version 8.0(4). The ASA 5500 series support OS versions beyond 8.0(4), with a possible DRAM/Flash upgrade
* There are no known "real" differences between PIX OS 7.x and ASA OS 7.x from a software perspective

For further info, check out the following official Cisco online documentation links for specific OS version features.
Features by OS version:
* OS 6.3(5) (legacy): http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn635.html
* OS 7.0(1): http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp169795
* OS 7.0(4): http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp213502
* OS 7.0(5): http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix705rn.html#wp213502
* OS 7.2(1): http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185529
* OS 7.2(2): http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html#wp191103
* OS 7.2(3): http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn723.html#wp213761
* OS 8.0: http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn80.html#wp191103
* OS 8.0(3): http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/prn803.html#wp191103
* OS 8.0(4): http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html#wp191103
* OS 8.1: http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html#wp229690

Enable/Disable Communication on OS 7.0 image and newer

1. Troubleshooting on OS 7.0 image and newer
* Establish and Troubleshoot Connectivity through PIX/ASA
* Packet/Traffic Troubleshooting

2. Sample Configuration on OS 7.0 image and newer
* ASA/PIX EIGRP Routing Support
* Backup/Failover Routing
* Single Firewall Partitioned Into Multiple Independent Firewalls: Introduction to Multiple Context
* Active/Active PIX/ASA Stateful Redundancy
* Active/Standby PIX/ASA Stateful Redundancy
* Transparent (Layer-2) Firewall
* QoS
* ASA As SSL Server
* SSL VPN Client (SVC) on ASA with ASDM Configuration Example
* Clientless SSL VPN (WebVPN) on ASA Configuration Example
* Thin-Client SSL VPN (WebVPN) on ASA with ASDM Configuration Example
* Block or Restrict the Instant Messaging (IM) Traffic
* URL Filtering

New Features and Deprecated Commands Starting OS version 8.3

You may notice that PIX Firewall appliances are unable to run the latest OS versions. PIX 501 can only run up to OS version 6.3(5), while PIX 515E and larger appliances can only run up to OS version 8.0. You need an ASA 5500 series appliance to run OS versions newer than 8.0.
* Cisco ASA 5500 Migration Guide for Version 8.3

Licenses

For those who are eager to get their hands on an ASA or PIX Firewall, they need to consider the license factor. With either ASA or PIX Firewall, you should get the one with Unlimited Inside Hosts instead of 10 or 50 Inside Hosts. For PIX Firewall, one with the Unrestricted license has more features compared to one with the Restricted license, while one with the Failover license can only work as the backup firewall of an Unrestricted-license unit. For ASA, one with the Security Plus license similarly supports more features. Both the Inside Hosts number and the license type that a firewall carries can be verified through show version. Upgrading from a lower license to a higher license may cost you dearly, to the point where getting a new firewall with the higher license may cost less than upgrading your existing firewall. You can check out the following discussion for some illustration.
* »[HELP] Upgrade ASA 5505 License

Some Discussions
* »[Config] Question about a pix 506e
* »Firewalls
* »Cisco ASA latest version VPN issue
by aryoba

»[HELP] Anything to look out for when setting up a new WAP?

Sample Configuration
* »Cisco Forum FAQ »Wireless Router Sample Configuration

Further info
* »Wireless Networking Forum FAQ

by aryoba

In a typical "real-life" network, there should be some kind of automatic network health monitoring and reporting system. The idea of having such a system is to have network health management and reporting that provides at least a general idea of what the network health state is.

One aspect of network health management is the monitoring part. With an automated system, one can receive automatic alerts of general network health such as up/down connections, bandwidth utilization, and network device status and utilization. Those automatic alerts can be in the form of email, SMS/text, or a flashy display on your PC monitor should the system detect issues. Such automatic alerts are helpful when there are too many network devices to manage or there is no luxury to manually monitor network health in real time.

As an illustration, let's say there is a T1/E1 circuit that is crucial to business requirements, either as an Internet circuit, private link, or the like. To ensure smooth business transactions over this circuit, the circuit's bandwidth utilization should never go above 80%. You as network administrator would like to know if and when the circuit bandwidth utilization is "too high" without spending time manually watching the circuit utilization. With an automated network health monitoring system, you can set the system to send you a "yellow" (warning) alert when the circuit bandwidth utilization reaches 50% and a "red" (crucial) alert when it reaches 80%. As mentioned, the automatic alert can be in the form of email, SMS/text, or a flashy display on your PC monitor should the system detect issues. Therefore you could be physically away from the circuit doing other things, yet you don't miss the moment when the circuit is "over-utilized".
Knowing immediately whether bandwidth is currently over-utilized is great, especially when users are complaining of slow access, either slow Internet access (if the circuit is an Internet circuit) or slow access to a private server (if the line is a private line). By knowing such info immediately, your job as network administrator will be less troublesome since you already have the valid cause of such slow access (a latency issue).

The next aspect of network health management is the reporting part. With an automated system, one can receive reports of network usage within a certain time range. The report type varies, and can include how often a circuit is up/down, how much bandwidth utilization there is on a certain circuit or connection, how much memory and CPU utilization there is on a certain network device, and how slow/fast a certain application or software responds, depending on the automated system's features.

As an illustration, let's say you would like to know what a circuit's bandwidth utilization looks like since last month. With an automated network health reporting system, you can set the system to send a circuit bandwidth utilization report covering last month to today. The monthly report typically shows a bar graph with daily use of the circuit bandwidth. On the report you may see that on Day 1, the circuit bandwidth was used up to 40%. On Day 15, let's say, the report may show that the circuit bandwidth was used up to 80%. This kind of report is useful to track the circuit bandwidth utilization level. When the circuit bandwidth is too often over-utilized (too often at 80% utilization, let's say), then further action might be in order. Such action could be an investigation of what kind of traffic is using the bandwidth and whether that traffic is legitimate or illegitimate. Another action could be considering upgrading the bandwidth to a larger circuit.
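As an added illustration of the yellow/red alerting and the daily-peak report just described (this is example code written for this page, not part of the original FAQ and not taken from any monitoring product), the following Python computes utilization from an interface's cumulative octet counter, which is the value an SNMP poller reads from a router, classifies each polling interval against the 50% and 80% thresholds, and reduces the intervals to a per-day peak like the bar graph. The counter readings, the 300-second polling interval and the T1 line rate of 1,544,000 bps are assumptions; the calculation also handles a 32-bit counter roll-over, a common cause of bogus utilization spikes in real collectors.

```python
"""Bandwidth-utilization alerting and reporting from interface octet counters.

Added illustration for the circuit example above; it is not code from the
FAQ or from any monitoring product. It assumes a poller that reads an
interface's cumulative inbound octet counter (what an SNMP poller gets
from a router) every 300 seconds. The readings, the polling interval and
the T1 line rate are all constructed/assumed values.
"""
from dataclasses import dataclass

T1_BPS = 1_544_000        # T1 line rate, assumed for the circuit in the example
YELLOW_PCT = 50.0         # warning threshold from the example
RED_PCT = 80.0            # critical threshold from the example
COUNTER32_WRAP = 2 ** 32  # 32-bit SNMP counters roll over at this value
POLL_SECONDS = 300        # assumed polling interval


@dataclass(frozen=True)
class Sample:
    day: int      # day of month the reading was taken on
    octets: int   # cumulative octet counter at that time


def utilization_pct(prev_octets, cur_octets, seconds=POLL_SECONDS, line_bps=T1_BPS):
    """Percent of line rate used between two consecutive counter readings.

    A 32-bit counter that rolls over between polls would otherwise yield a
    negative delta (or a huge bogus spike if taken unsigned), so a single
    wrap is corrected here.
    """
    if seconds <= 0:
        raise ValueError("polling interval must be positive")
    delta = cur_octets - prev_octets
    if delta < 0:                          # counter wrapped since last poll
        delta += COUNTER32_WRAP
    return 100.0 * delta * 8 / (line_bps * seconds)


def alert_level(pct):
    """Map a utilization percentage onto the yellow/red scheme of the example."""
    if pct >= RED_PCT:
        return "red"
    if pct >= YELLOW_PCT:
        return "yellow"
    return "ok"


def evaluate(samples, line_bps=T1_BPS):
    """Turn a series of counter readings into per-interval results, the
    alerts that would be sent, and a per-day peak table like the monthly
    bar graph described above."""
    intervals = []
    for prev, cur in zip(samples, samples[1:]):
        pct = round(utilization_pct(prev.octets, cur.octets, POLL_SECONDS, line_bps), 1)
        intervals.append((cur.day, pct, alert_level(pct)))
    alerts = [entry for entry in intervals if entry[2] != "ok"]
    daily_peak = {}
    for day, pct, _ in intervals:
        daily_peak[day] = max(daily_peak.get(day, 0.0), pct)
    return intervals, alerts, daily_peak


# Constructed readings: one interval on day 1, one on day 15, one on day 16.
# At 1,544,000 bps a 300 s interval carries 57,900,000 octets at 100 %.
SAMPLES = [
    Sample(1, 1_000_000),
    Sample(1, 24_160_000),   # +23,160,000 octets -> 40 %
    Sample(15, 70_480_000),  # +46,320,000 octets -> 80 %, red alert
    Sample(16, 76_270_000),  # +5,790,000 octets  -> 10 %
]

if __name__ == "__main__":
    intervals, alerts, peaks = evaluate(SAMPLES)
    for day, pct, level in intervals:
        print(f"day {day:2d}: {pct:5.1f}%  {level}")
    print("alerts:", alerts)
    print("daily peaks:", peaks)
```

Polling an interface on one side only gives one direction of traffic; a real deployment reads both the inbound and outbound octet counters and alerts on whichever is higher, and uses 64-bit counters where the device offers them so the wrap correction is rarely needed.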
How the Automatic Network Health System looks like

The automatic network health monitoring and reporting system itself is software installed on some server (typically a Unix, Windows, vendor-specific, or proprietary server). The software communicates with the network devices to be monitored using some kind of protocol, which will be explained later. The network devices that can be monitored vary; typically routers, switches, firewalls, servers, printers, and wireless access points.

Automatic Network Health System mechanism

Most common monitoring systems deal with IP-based network devices, meaning any device that can have an IP address. There are some monitoring systems that deal with non-IP-based devices. These non-IP-based devices are typically legacy or "old-school" devices such as analog PBXs or phones and legacy DAX in a telco environment.

The IP-based monitoring system as mentioned communicates with the monitored network devices using some kind of IP protocol. The most common protocols used are ICMP-, TCP-, or UDP-based. Examples of TCP- or UDP-based protocols used are Syslog, SNMP, and Netflow (Cisco specific). Note that more advanced IP-based monitoring systems can also monitor using higher-level protocols like HTTP and SQL databases. In addition, this kind of software or application monitoring system can also detect and monitor IM (Instant Messaging) protocols and even peer-to-peer protocols such as Kazaa and eDonkey. This software or application monitoring system is typically deployed when specific software or application performance is crucial to business requirements.

There is a lot of software out there that does IP-based monitoring, from the "free" version to the "premium-pay" version. Following are some of the technology keywords on how the software is designed.
* Syslog
* ICMP (Internet Control Message Protocol)
* SNMP (Simple Network Management Protocol)
* Netflow (Cisco specific)
* Software/Application performance monitoring: HTTP, SQL databases, IM, peer-to-peer protocols

Syslog

Typical business-grade network devices (i.e. routers, firewalls, switches from major vendors such as Cisco and Juniper) should be able to generate some kind of log for events or incidents such as up/down interface, routing updates, and configuration changes. These logs are generally in the form of syslog messages. By default, these syslog messages are stored within the devices themselves. When you have an automatic health monitoring system, the system should have a syslog server which collects all syslog messages generated by all network devices. The general idea is:
* Install a syslog server
* Configure the server to receive and store syslog messages from your network devices
* Configure your network devices to send syslog messages to the syslog server

Note that you should be able to check syslog messages on the network devices themselves. However, those devices are not designed to store syslog messages for a long time; usually after a short period the logs are deleted. Using a syslog server, you can store syslog messages for a much longer period (typically 1 to 3 months) and even back up the messages to other media such as tape.

ICMP (Internet Control Message Protocol)

A lot of the time, you may need to see if a certain circuit or Internet connection is up or down. The simplest and most common way to find out is to ping the Internet gateway (your ISP's equipment) or pretty much any device at the other side of the circuit. This ping mechanism is based on the assumption of receiving an ICMP echo reply from the device you monitor within a certain time frame, as a response to the ICMP echo your monitoring system is sending.
If the ICMP echo reply is not received within that time, the other end device or the connection can be safely assumed to be either down or busy. Most network devices by default should be ping-able, meaning the device will send an ICMP echo reply in response to the ICMP echo it receives. Note however that certain firewalls by default will not be ping-able. Should you choose to monitor network devices by ICMP, verify that the devices respond to ping.

SNMP (Simple Network Management Protocol)

In some cases, having a syslog server to collect syslog messages is insufficient. One case is that syslog messages don't provide more specific info regarding specific events or devices, such as device CPU or memory utilization, bandwidth utilization, and device temperature. This is something that SNMP does provide. SNMP is another essential part of your automatic health monitoring system. Similarly to syslog, an SNMP server collects SNMP traps from SNMP clients. These SNMP clients could be any IP-based network devices such as routers, firewalls, switches, printers, and production servers (i.e. web or mail). As mentioned; up/down interface, CPU and memory utilization, port or bandwidth utilization, temperatures, and low toner on a laser printer are just a few of the device health conditions that SNMP traps from specific devices can represent. Depending on the network device's features, you may be able to configure the device to generate a limited or a large choice of SNMP traps. Once the SNMP server receives all of those SNMP traps, the server can generate reports on those specific conditions. If you would like to see CPU and memory utilization on specific SNMP clients within a certain time range, for instance, you can pull a report on those. You can do a similar task for switch port utilization. Further, you can link your SNMP server to your mail server.
This way you (or anybody within your company) can receive a mail alert when a specific condition takes place, such as device temperature hitting 80 degrees Fahrenheit, CPU or memory utilization of a device hitting 80% or more, or devices going down. Typically only business-grade network devices support SNMP. This support means that the device will generate SNMP traps and is capable of sending those SNMP traps to a certain SNMP server. Should you decide to monitor network device condition by SNMP, verify that the SNMP traps you look for (i.e. up/down interface, CPU and memory utilization, port or bandwidth utilization, temperatures) are supported on the device.

Cisco Netflow

Specifically for bandwidth utilization, an SNMP report only tells how much a specific port or connection is utilized (i.e. 10% or 90% utilized). However, the report does not tell you which traffic is utilizing the bandwidth. When your network devices are Cisco devices that can provide Netflow reports, you can utilize Netflow to provide such specific details. In a nutshell, the Netflow reports show which traffic is utilizing the bandwidth from the perspective of source and destination IP address, TCP or UDP port, and how many IP packets are going through. For instance, your internal user (let's say IP address 10.0.10.254) accesses your internal webserver (let's say 10.0.0.2 on TCP port 80) and www.yahoo.com on the Internet using 80% of available bandwidth.

More info on Cisco Netflow is available here

Software/Application Performance

A lot of the time, network or Internet slowness is caused by software or applications running on a server or PC. This software or application could be mail (SMTP), web (HTTP, HTTPS, SSL, TLS), FTP, SQL databases, or even peer-to-peer applications such as Kazaa and eDonkey. Besides monitoring the network, monitoring the software and/or application performance is highly recommended, as this software can be written incorrectly by the developers, causing poor performance.
There are many monitoring systems you can choose for software or application performance monitoring. Some of them are OPNET and Ixia. By using OPNET for example, you can find out exactly what happens during the client-server exchange of some software or application, and whether those client-server events happen as expected or not. The monitoring result should give you an idea of what happens and whether the events you see may cause a performance problem. Another example of an application monitoring system is Cisco MARS, which can detect the use of IM (Instant Messaging) protocols such as Yahoo! or AOL IM, in addition to detecting peer-to-peer protocols such as Kazaa and eDonkey. In some organizations or companies, the use of such applications is forbidden, especially peer-to-peer applications, since such applications can use up the available bandwidth to the point where no bandwidth is left for business-legitimate applications.

More info on Cisco MARS can be found here

Software To Choose as Automatic Monitoring and Reporting System

Note that you don't have to use the mentioned monitoring systems. Those mentioned are just picked as illustration (although they are proven to work and helpful on real-life production networks). As a rule of thumb, any monitoring system should do as long as it is able to serve your needs. There is a lot of software that can do Syslog, ICMP, SNMP, and Netflow collection and reporting as mentioned. A lot of companies like to use SolarWinds or WhatsUp products. Some companies like to use CiscoWorks, which may include Cisco MARS. There is free ICMP and SNMP software that is widely used, such as MRTG and Cacti. One popular free Syslog software is Kiwi Syslog. As mentioned, basically any software that you think works should do. Typically the "premium-pay" software is preferred when you have a large or complex network, or you like detailed or thorough reports.
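The three steps given in the Syslog section above (install a server, have it receive and store the messages, point the devices at it) come down to parsing what the devices send and deciding what deserves an alert. The following Python models that receiving side; it is an added example written for this page, not code from the FAQ or from any syslog product. It assumes the collector has already received each line over UDP and covers only parsing and alerting: it decodes the RFC 3164 <PRI> prefix into facility and severity, pulls the Cisco %FACILITY-SEVERITY-MNEMONIC tag out of the text, and flags interface-down, configuration-change and critical-severity messages. The sample lines, hostnames and addresses are all constructed.

```python
"""Syslog collection logic: parse Cisco-style syslog messages, decode the
<PRI> field into facility and severity, and flag the events a network
health system would alert on.

Added example for the Syslog section above; it is not code from the FAQ or
from any syslog product. A real syslog server receives these lines over
UDP/514 and stores them; here the messages are constructed inline in the
IOS/ASA format (%FACILITY-SEVERITY-MNEMONIC: text) with an RFC 3164 PRI.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# <PRI>, optional IOS sequence number, optional IOS timestamp, then the message.
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:\d+: )?"                               # sequence number, if enabled
    r"(?:\*?[A-Z][a-z]{2}\s+\d+ [\d:.]+: )?"    # timestamp, if enabled
    r"(?P<msg>.*)$")
_CISCO_RE = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")


@dataclass(frozen=True)
class SyslogEvent:
    host: str                 # sending device, as the collector sees it
    facility: int             # from PRI; 23 (local7) is the Cisco default
    severity: int             # from PRI; 0 = emergency ... 7 = debug
    mnemonic: Optional[str]   # e.g. "LINK-3-UPDOWN" for Cisco-formatted text
    text: str


def parse_line(host, line):
    """Parse one received line; raises ValueError on malformed input so a
    bad datagram is logged rather than silently mis-stored."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                       # facility 23, severity 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    msg = m.group("msg")
    c = _CISCO_RE.match(msg)
    if c:
        mnemonic = f"{c.group('fac')}-{c.group('sev')}-{c.group('mnem')}"
        return SyslogEvent(host, facility, severity, mnemonic, c.group("text"))
    return SyslogEvent(host, facility, severity, None, msg)


def classify(ev):
    """Return an alert category for events worth a notification, else None."""
    if ev.mnemonic == "LINK-3-UPDOWN" and ev.text.endswith("to down"):
        return "interface-down"
    if ev.mnemonic == "SYS-5-CONFIG_I":
        return "config-change"
    if ev.severity <= 2:                # emergency, alert, critical
        return "critical-severity"
    return None


def collect(lines):
    """Parse (host, line) pairs into the events to store plus the alerts raised."""
    events = [parse_line(host, line) for host, line in lines]
    alerts = []
    for ev in events:
        category = classify(ev)
        if category:
            alerts.append((ev.host, category))
    return events, alerts


# Constructed messages as three devices would send them to the collector.
SAMPLE_LINES = [
    ("10.0.0.1", "<187>45: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: "
                 "Interface GigabitEthernet0/1, changed state to down"),
    ("10.0.0.1", "<189>46: *Mar  1 00:12:40.001: %LINEPROTO-5-UPDOWN: "
                 "Line protocol on Interface GigabitEthernet0/1, changed state to down"),
    ("10.0.0.2", "<189>12: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.10.254)"),
    ("10.0.0.3", "<186>%ASA-2-106001: Inbound TCP connection denied from "
                 "198.51.100.7/4321 to 10.0.0.2/80 flags SYN on interface outside"),
    ("10.0.0.2", "<190>13: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.50 started"),
]

if __name__ == "__main__":
    events, alerts = collect(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.host} {SEVERITY_NAMES[ev.severity]:<13} {ev.mnemonic or '-':<28} {ev.text}")
    print("alerts:", alerts)
```

The config-change rule is the one a security team usually cares about most: a SYS-5-CONFIG_I message arrives at notice severity, so a collector that only alerts on severity would never raise it, which is why the example matches on the mnemonic as well.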
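The Cisco Netflow section above says that SNMP tells you how full a circuit is while Netflow tells you who is filling it. The following Python shows the collector-side half of that, as an added example written for this page (not code from the FAQ, not from any Netflow collector): it sums constructed flow records into the busiest source/destination/port conversations and the busiest source hosts, and converts a conversation's octets into a share of circuit capacity so the figure can be set beside the SNMP utilization reading. The records, the 300-second export window, the T1 line rate and the use of 203.0.113.10 in place of www.yahoo.com are all assumptions.

```python
"""Top-talker attribution from NetFlow-style flow records.

Added example for the Cisco NetFlow section above; it is not code from the
FAQ or from any collector product. Each Flow carries the fields a NetFlow
v5 record exports (addresses, protocol, destination port, octet count); a
real collector decodes them from the exporter's UDP datagrams. All flow
records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

T1_BPS = 1_544_000        # assumed line rate of the monitored circuit


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    octets: int


# Constructed records covering one 5-minute export window.
# 203.0.113.10 (documentation range) stands in for www.yahoo.com.
SAMPLE_FLOWS = [
    Flow("10.0.10.254", "10.0.0.2", "tcp", 80, 30_000_000),
    Flow("10.0.10.254", "10.0.0.2", "tcp", 80, 10_000_000),
    Flow("10.0.10.254", "203.0.113.10", "tcp", 80, 6_000_000),
    Flow("10.0.10.7", "10.0.0.5", "tcp", 25, 3_000_000),
    Flow("10.0.10.9", "10.0.0.3", "udp", 53, 1_000_000),
]


def _ranked(totals, grand_total, n):
    """Sort a key->octets map by volume and attach each key's share of all traffic."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(key, octets, round(100.0 * octets / grand_total, 1))
            for key, octets in ranked[:n]]


def top_conversations(flows, n=5):
    """Busiest (src, dst, proto, dport) tuples with octets and % of all traffic.
    Several records of the same conversation are summed, as a long-lived TCP
    session that the router exported in pieces would be."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst, f.proto, f.dport)] += f.octets
    return _ranked(totals, sum(f.octets for f in flows), n)


def top_sources(flows, n=5):
    """Busiest source hosts regardless of destination, which is how a single
    station that consumes the whole circuit shows up."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return _ranked(totals, sum(f.octets for f in flows), n)


def share_of_capacity(octets, seconds, line_bps=T1_BPS):
    """Percent of the circuit's capacity the given octets represent over the
    export window; this is the figure to compare with the SNMP utilization."""
    return 100.0 * octets * 8 / (line_bps * seconds)


if __name__ == "__main__":
    for key, octets, pct in top_conversations(SAMPLE_FLOWS, 3):
        print(f"{key[0]:>14} -> {key[1]:>14} {key[2]}/{key[3]:<5} "
              f"{octets:>12} octets {pct:5.1f}% of traffic")
    print("top source:", top_sources(SAMPLE_FLOWS, 1)[0])
    print("busiest conversation uses %.1f%% of the T1 over 300 s"
          % share_of_capacity(40_000_000, 300))
```

Ranking by source host as well as by conversation matters for the "legitimate or illegitimate" question raised in the reporting section: a peer-to-peer client shows up as one source spread across many small conversations, which the conversation table alone would hide.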
Related Topic
* »Cisco Forum FAQ »Improving Small Business network performance

Some Discussions
* »Network Monitoring
* »[OT] Network Test tool http/Sql/Mapi/SIP, etc
* »Program for monitoring DSL statistics
* »Show Ip flow Top-talkers detail
by aryoba

Objective: setup NTP server for all network devices
* Meinberg NTP Software Download

* »catalyst 6509
* »[H/W] What sup for a 6500?
* »6509 Simulator
* »2000 users 6509 traffic policing
* »[Config] QOS Questions

by aryoba

Unlike traditional Catalyst switches running IOS, Nexus switches run NX-OS. There are some similarities between IOS and NX-OS, and there are also new features and commands introduced in NX-OS.

In regards to CLI commands, there are several new commands in the Nexus NX-OS image. There are also old commands you find in the regular IOS image, and there are modified commands compared to regular IOS. Legacy commands such as write memory are not supported anymore, so you have to get used to the copy running-config startup-config command.

A nice feature of Nexus switches is that you don't have to exit configuration mode to type in non-configuration commands. You don't type the do command when you are in configuration mode to enter non-configuration commands; you simply type the non-configuration commands directly whether you are in regular enable mode or configuration mode, similar to PIX Firewall or ASA.

All switch ports in Nexus switches only support 1 Gbps and 10 Gbps speed. Interestingly, these gigabit ports do not show as GigabitEthernet or TenGigabitEthernet ports in the switch configuration. Instead the ports show as Ethernet interfaces. To find out which speed the ports are currently running at, you can simply issue the good old show interface status or show interface command.

Along with new commands and features, there are several new concepts and technologies in place. One new technology found in Nexus switches is FEX (Fabric Extender). Typically you use FEX when you have Nexus 2000 and Nexus 5000 interconnectivity. FEX is similar to the Catalyst 3750 stacking technology, where the switch configuration within the same "stack" is visible through just one switch.
Similar to a Catalyst 3750 stack switch configuration, the Nexus 5000 shows as "module 1" and the Nexus 2000 shows as "module 2". Unlike the Catalyst 3750 stack switch, the Nexus does not use a stack cable; the switch ports used to interconnect the two Nexus switches are SFP slots. In order to interconnect the two Nexus switches, the switch ports are configured as FEX ports instead of regular trunk or access ports.

To start using this FEX feature, you have to activate FEX on the Nexus 5000. As you will see, you also have to activate telnet and tacacs+ should your network need to use them. In other words, there are some features that you have to activate when you plan to use them as part of your Nexus switch network topology. Further, you have to define how the Nexus 2000 port numbers should look. If, let's say, you configure the FEX port as FEX 101, then all Nexus 2000 switch ports will show as interface Ethernet 101 ("module 2") while the Nexus 5000 switch ports show as the regular interface Ethernet 1 ("module 1").

Note that there is no console port on the Nexus 2000. There is a console port however on the Nexus 5000. Therefore you need to use FEX to interconnect the Nexus 2000 and Nexus 5000 in order to have console access to the Nexus 2000.

When you need to use the management port on the Nexus 5000 (and also on the Supervisor 6E of the Catalyst 4500 series), make sure you have at least some familiarity with VRF (VPN Routing and Forwarding) technology, since these management ports involve VRF. You can't disable the VRF or make the management (mgmt) interface part of the default VRF or global routing table, since such action is not supported. The idea of having the management port in a different routing table is to separate the management network from the production network, in addition to integrating VRF into the Nexus switch platform and the new Catalyst 4500 Supervisor Engines.
You will notice a little difference in the VRF command implementation between traditional IOS and NX-OS. You can also put in the subnet mask in CIDR format, since the Nexus platform saves any IP address info in CIDR format. Unlike traditional Catalyst switches that come with a default Layer-2/3 VLAN 1, Nexus 5000 switches only come with a default Layer-2 VLAN 1.

If you are considering using a non-management switch port as your customized management port, it might not work. Note that Nexus 5000 and 2000 switches are Layer-2 switches. Therefore you can't create a Layer-3 VLAN on Nexus switches as the management VLAN (i.e. SVI VLAN interfaces 1, 50, or else) like you usually expect in traditional Catalyst switches. You can't convert any non-management switch port into a routed port either. In other words, there is no choice but to use the mgmt port and get used to the VRF environment if you are not used to it yet. Some management commands like backing up your Nexus configuration to a TFTP server (the copy running-config tftp: command) also consider VRF. With the copy running-config tftp: command, you will be asked whether the TFTP server is located within the default VRF or elsewhere (like the management VRF).

Sample Configurations

Check out the following FAQ for illustrations.
* »Cisco Forum FAQ »Sample Configuration: Nexus 5000 and Nexus 2000 with FEX

Some Discussions
* »NX-OS
by aryoba

* »Router Porn for the Day (3925 show tech)
* »Cisco 3925 web traffic slows to a crawl
© 1999-2012 dslreports.com.