
Wednesday, October 31, 2012

VLAN Trunk Between Cisco and HP Procurve switch

With a small example we are going to see how Cisco and HP switches can be used together for VLAN trunking. Before discussing that in detail, let me describe the difference in terminology between Cisco and HP.

Description                                              Cisco          ProCurve
A port that belongs to a single VLAN                     Access mode    Untagged
A port that carries multiple VLANs using 802.1Q tags     Trunk mode     Tagged

Tuesday, March 13, 2012

Configure Cisco 1841 router as an Edge Router with NAT and IOS firewall

In small offices or branch offices, instead of buying separate devices for the edge router and the firewall, we can configure the edge router to act as the firewall and NAT device as well. This reduces the overall IT budget and also eases management.

Here is a step-by-step configuration example for setting up a Cisco 1841 Integrated Services Router as an edge router with NAT and a basic IOS firewall.

All these routers come with, or can install, Cisco SDM, a graphical tool that makes configuring and monitoring the device very easy. In this tutorial, however, we will go through the CLI configuration method.

Topology

The topology we are going to discuss is very simple and consists of:
  • One Internet connection ends in the WAN interface of the router (FastEthernet0/0).
  • One LAN interface (FastEthernet0/1) connects to the internal LAN L3/L2 switch.
  • LAN IP address: 10.2.2.1/24
  • WAN IP address: 2.3.3.2/30
Internet <==> Router <==> LAN


Starting the basic configuration

We will start configuring the router through its console port using a console cable, which is normally supplied with the router itself.

First make sure the router is clean of older configurations; you can ensure this by erasing the existing configuration. If you are sure about your router's configuration, you can skip this stage.

router#configure terminal

router(config)#config-register 0x2102 < The current register value is shown by the show version command

router(config)#end

router#write erase

router#reload

System configuration has been modified. Save? [yes/no]: n

Proceed with reload? [confirm]

When the router comes up, it will prompt you to do the initial configuration through the configuration assistant; you can skip this because we will be doing it manually.

Configure the hostname for the router; I am going to use Edge-01.

router>en

router#conf t

router(config)#hostname Edge-01

Configure the external interface of the router with the IP address 2.3.3.2:

Edge-01(config)#interface FastEthernet0/0

Edge-01(config-if)#ip address 2.3.3.2 255.255.255.252

Edge-01(config-if)#speed 100

Edge-01(config-if)#duplex full

Edge-01(config-if)#no shut

Now configure the internal interface of the router:

Edge-01(config-if)#interface FastEthernet0/1

Edge-01(config-if)#ip address 10.2.2.1 255.255.255.0

Edge-01(config-if)#speed 100

Edge-01(config-if)#duplex full

Edge-01(config-if)#no shut

Configure the default route via 2.3.3.1 (change it accordingly):

Edge-01(config)#ip route 0.0.0.0 0.0.0.0 2.3.3.1

Enabling SSH:

To access this router securely, we will use SSH as the remote access mechanism instead of Telnet, so we need to enable SSH now.

Edge-01(config)#aaa new-model

Edge-01(config)#ip domain-name my.domain.com < Change this to your own domain name

Edge-01(config)#crypto key generate rsa

Edge-01(config)#ip ssh time-out 60

Edge-01(config)#ip ssh authentication-retries 2

Edge-01(config)#ip ssh version 2

Enabling NAT:

For the internal clients to access the Internet, the router must be configured with NAT, specifically NAT with overload (PAT). The following commands enable PAT so that all internal clients can access the Internet through this router.

Create an access list that matches the LAN addresses the clients will be connecting from:

Edge-01(config)#access-list 1 permit 10.2.2.0 0.0.0.255

Now we need to tell the router which interface is inside and which is outside for NAT:

Edge-01(config)#interface FastEthernet0/1

Edge-01(config-if)#ip nat inside

Edge-01(config-if)#interface FastEthernet0/0

Edge-01(config-if)#ip nat outside

Now we have to define the external IP address pool that the internal clients will be translated to when accessing the Internet. Here I have only one public IP address; we still need to define a pool, but with the same address as both the start and the end.

Edge-01(config)#ip nat pool MYPOOL 2.3.3.2 2.3.3.2 netmask 255.255.255.252

Now define NAT with overload, or PAT (Port Address Translation), as follows:

Edge-01(config)#ip nat inside source list 1 pool MYPOOL overload

At this point we have a router that can act as the edge router and do NAT (PAT) for the internal clients to access the Internet. But it lacks a firewall, so we cannot put this router into production until we configure one.


Configure IOS Firewall

Now we are going to explore the zone-based firewall functionality of Cisco IOS. Here we can create multiple security zones with the security levels we define, and finally add our router interfaces to these zones as zone members so that they are subject to the defined policies.

Creating Zones and assigning interfaces

In this example we are going to create only two security zones (TRUSTED and INTERNET) and assign each interface to one of them as a zone member. It is, however, possible to create more security zones and to add multiple interfaces (physical or virtual) to the same zone.

TRUSTED: Internal LAN connection

INTERNET: Internet connection

Create the security zones as follows:

Edge-01(config)#zone security Trusted

Edge-01(config-sec-zone)#zone security Internet

There is also a special default zone named "self". This zone applies to traffic which originates from or is destined for the control plane of the router itself (e.g. routing protocols, SSH, SNMP, etc.). By default, all traffic is allowed to and from the self zone.

The interfaces now need to be assigned to security zones with the command zone-member security:

Edge-01(config)#interface FastEthernet0/0

Edge-01(config-if)#zone-member security Internet

Edge-01(config-if)#interface FastEthernet0/1

Edge-01(config-if)#zone-member security Trusted

Edge-01#show zone security


Creating Zone Pairs

Zone pairs apply policy enforcement to traffic flowing from one security zone to another. A zone pair must be defined for each direction in which traffic is allowed to be initiated. For example, a common simple policy is that the internal network can initiate any sort of traffic to the Internet, but no traffic may be initiated from the Internet to the internal network. This policy requires only a single zone pair, from the internal zone to the Internet zone.

We'll create only one zone pair to meet our requirements:

  • Trusted to Internet - Allows Internet access from the internal network

The command to configure a zone pair uses the following syntax:

zone-pair security NAME source FROM-ZONE destination TO-ZONE

Here is our zone pair definition:

Edge-01(config)#zone-pair security Trusted->Internet source Trusted destination Internet

Edge-01(config-sec-zone-pair)#

Creating and Applying Security Policies

Finally, we'll define and apply our security policies to the zone pairs. Policies are defined as inspection policy maps, which are very similar in construct to policy maps used for quality of service (QoS) classification and marking. Policy maps reference class maps, which in turn reference access lists or NBAR definitions to classify traffic.

One of three security actions can be taken on traffic matched by a class map:

  • Drop - The traffic is dropped.

  • Pass - The traffic is permitted.

  • Inspect - The traffic is permitted and inspected statefully so that return traffic in the opposite direction is also permitted.

First, we'll create a class map to match all of the traffic we want to allow from the Trusted zone out to the Internet. We want to inspect all traffic outbound to the Internet so that return traffic is allowed statefully. Unfortunately, we can't use the inspect action with the default class map, so we'll need to create a custom class map to match the base protocols TCP, UDP, and ICMP. (This doesn't allow non-TCP/UDP protocols such as IPsec, but meets our needs.)

Edge-01(config)# class-map type inspect match-any All_Protocols
Edge-01(config-cmap)# match protocol tcp
Edge-01(config-cmap)# match protocol udp
Edge-01(config-cmap)# match protocol icmp

Our class maps need to be wrapped into service policies so that they can be associated with security actions. We do this by creating inspection policy maps.

Edge-01(config)#policy-map type inspect Trusted_to_Internet
Edge-01(config-pmap)#class type inspect All_Protocols
Edge-01(config-pmap-c)#inspect

Lastly, we'll apply the policy maps to their appropriate zone pairs.

Edge-01(config)#zone-pair security Trusted->Internet
Edge-01(config-sec-zone-pair)# service-policy type inspect Trusted_to_Internet

We can verify our configuration using the command show zone-pair security:

Edge-01# show zone-pair security
Zone-pair name Trusted->Internet
Source-Zone Trusted Destination-Zone Internet
service-policy Trusted_to_Internet

More detail on the entire firewall policy hierarchy can be obtained with the command

Edge-01#show policy-map type inspect zone-pair

Our zone-based firewall configuration is now complete, so it is time to test it. If you have a lab with a separate Internet connection, you can easily do the testing. Otherwise, simulate the scenario by connecting at least two machines, one acting as the LAN machine and the other as an Internet server.
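Before the router goes into production it is worth checking the finished running-config for the mistakes that silently break this design. The following Python checker is an added example, not part of the original post: it parses an IOS-style config text and flags an interface that has an IP address but is in no zone (zone-based firewall drops traffic between a zoned and an unzoned interface), a zone-pair whose inspect policy-map does not exist (an empty zone-pair drops everything), a missing "ip ssh version 2", and a vty line whose transport input is not restricted to ssh. The sample config, the extra sub-interface FastEthernet0/1.10 and the vty line are constructed for this example.

```python
# Constructed sample in the style of the running-config built in the post; not a device capture.
SAMPLE = """\
ip ssh version 2
policy-map type inspect Trusted_to_Internet
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
interface FastEthernet0/0
 ip address 2.3.3.2 255.255.255.252
 zone-member security Internet
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 zone-member security Trusted
interface FastEthernet0/1.10
 ip address 10.2.10.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

def sections(cfg):
    """Group an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            blocks.append((line.strip(), []))
        else:
            blocks[-1][1].append(line.strip())
    return blocks

def audit(cfg):
    """Return human-readable findings for the ZBF and SSH settings the post configures."""
    blocks = sections(cfg)
    pmaps = {h.split()[3] for h, _ in blocks if h.startswith("policy-map type inspect ")}
    findings = []
    if not any(h == "ip ssh version 2" for h, _ in blocks):
        findings.append("SSHv1 still negotiable: 'ip ssh version 2' missing")
    for hdr, body in blocks:
        if hdr.startswith("interface ") and any(b.startswith("ip address ") for b in body):
            if not any(b.startswith("zone-member security ") for b in body):
                findings.append(f"{hdr}: has an IP but no zone-member; ZBF drops traffic to/from zoned interfaces")
        elif hdr.startswith("zone-pair security "):
            name = hdr.split()[2]
            sp = [b.split()[3] for b in body if b.startswith("service-policy type inspect ")]
            if not sp or sp[0] not in pmaps:
                findings.append(f"zone-pair {name}: no existing inspect policy-map applied, so all traffic is dropped")
        elif hdr.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{hdr}: transport input is not restricted to ssh")
    return findings

print(*audit(SAMPLE), sep="\n")
```

Run it against the output of show running-config saved to a file; an empty result means none of the four checks fired.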

Thursday, May 26, 2011

Setting Time on Cisco & HP switches

Setting the correct time on network devices is a very important step when configuring new equipment, but most people don't care about this in the case of switches and other devices.

But be aware that correct time on the devices will help you a lot when you refer to the logs to find out the details of any issue or access-related event.

Here I am putting some simple commands to configure time on Cisco and HP ProCurve switches.

Adding NTP servers to these devices is the easier and safer way, but if you don't have an NTP server in-house and have no interest in using public NTP servers, then you may need to set the time locally.

Cisco

On a Cisco device (switch or router), use the following commands to add NTP servers:

switch01(config)# ntp server 131.107.1.10
switch01(config)# ntp server 202.152.74.200 prefer

The prefer keyword marks that server as the preferred one.

And if you want to set it manually on the device, use the following commands.

switch01(config)#clock timezone IST +5

The above command sets the timezone; my time zone is IST and the +5 denotes that it is 5 hours ahead of GMT.

Date and time are set from privileged EXEC mode (the enable# prompt). The syntax is as follows:

clock set hh:mm:ss <1-31> MONTH <1993-2035>

So we can run the command as follows:

switch01#clock set 18:30:01 26 May 2011

We can check the current time on the switch with the show clock command; the output will be similar to the one below:

switch01#show clock
18:31:19.738 IST Thu May 26 2011

HP Procurve

To set up a ProCurve switch to use external NTP servers for time synchronization, use the following commands:

switch02(config)#sntp server 192.43.244.18
switch02(config)#sntp unicast
switch02(config)#timesync sntp

If you prefer to set the time manually, you can use either of the following pairs of commands:

time MM/DD[/[YY]YY]
time HH:MM[:SS]
(OR)
clock set MM/DD[/[YY]YY]
clock set HH:MM[:SS]

switch02(config)# clock set 05/26/2011
switch02(config)# clock set 18:35:01

We can use the show time command to display the current system time; the output will be similar to the following:

switch02(config)#show time
Thu May 26 18:58:12 2011
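The reason to care about device clocks is log correlation, and the two vendors print time differently: Cisco's show clock carries a zone name, ProCurve's show time carries none. As an added example, not part of the original post, the Python below parses both output formats shown above, normalises each to UTC using the configured offset (+5 hours, the value the post sets with clock timezone; the same offset is assumed for the ProCurve switch since its output does not state one) and reports the skew between the two devices. The sample strings are constructed from the outputs above.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples modelled on the outputs shown in the post, not live captures.
CISCO_SHOW_CLOCK = "18:31:19.738 IST Thu May 26 2011"   # Cisco "show clock"
PROCURVE_SHOW_TIME = "Thu May 26 18:58:12 2011"         # ProCurve "show time"

def _to_utc(local_naive, offset_hours):
    """Attach the device's configured UTC offset, then convert to UTC for log correlation."""
    tz = timezone(timedelta(hours=offset_hours))
    return local_naive.replace(tzinfo=tz).astimezone(timezone.utc)

def parse_cisco_clock(text, offset_hours):
    """Parse Cisco 'show clock' (HH:MM:SS.mmm ZONE Day Mon DD YYYY). The zone name is only a
    label, so the numeric offset given to 'clock timezone' is passed in explicitly."""
    hms, _zone, date = text.split(" ", 2)
    local = datetime.strptime(f"{hms.split('.')[0]} {date}", "%H:%M:%S %a %b %d %Y")
    return _to_utc(local, offset_hours)

def parse_procurve_time(text, offset_hours):
    """Parse ProCurve 'show time' (Day Mon DD HH:MM:SS YYYY), which prints no zone at all."""
    return _to_utc(datetime.strptime(text, "%a %b %d %H:%M:%S %Y"), offset_hours)

def skew_seconds(a, b):
    """Absolute clock difference in seconds between two devices after UTC normalisation."""
    return abs((a - b).total_seconds())

if __name__ == "__main__":
    cisco = parse_cisco_clock(CISCO_SHOW_CLOCK, 5)   # +5 hours, as configured with clock timezone in the post
    hp = parse_procurve_time(PROCURVE_SHOW_TIME, 5)  # assumed: the ProCurve is configured with the same offset
    print(cisco.isoformat(), hp.isoformat(), f"skew={skew_seconds(cisco, hp):.0f}s")
```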

Hope this will help somebody like me, who needs to google several times a day to find valuable information.