In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like, they are an extended access-list that has a name instead of a number. One of the nice features of named access-lists is that each line of the access-list has a number. this way you can delete just one line in an access-list without removing the whole access-list. You can create a named access list by using the following command.

(more…)

Today I would like to take some time and talk about security. I want to discuss access-lists, extended access-lists, reflexive access-lists, and CBAC or content based access control. Learning how to properly use access-lists is so crucial to becoming a good network administrator. They are vital to securing your network and as you progress with your studies you will find that access-lists are used quite extensively in routing, QoS, and other important things.

(more…)

The new Cisco IOS 12.4 train has many new features that any engineer will find useful; one of the features that fix a pain point for me is the new config options available in 12.4. Have you ever been in a situation where an entered configuration does not work as expected? Now usually you have to back out the configuration one command at a time and hope for the best. Sometimes you may even reach a point where you can not completely remove a configuration without reloading the device, this is the case sometimes when trying to remove sub interfaces. Now if this is a datacenter or work environment then you may not be able to reload the router.
  (more…)

In our Last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices.  GRE tunnels are a great solution however the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling GRE inside of IPSEC. This will allow us to get the benefits of GRE and the security of IPSEC.

(more…)

Many time it is necessary to link a remote office to your main site and today we have many technologies to accomplish this task. We have IPSEC tunnels, IP-IN-IP tunnels, and GRE or Generic Routing Encapsulation Tunnels.

Each type of connectivity offers advantages and disadvantages. Some of these tunnels can even be overlaid on top of one another. For instance IPSEC can be used in a transport mode, which allows you to use the encryption with other tunnels or protocols. For this article we are going to discuss GRE tunnels. GRE is unique as tunneling technologies go in that is started out as a proprietary protocol developed by Cisco and later adopted as a standard. GRE was invented as a way of encapsulating non routable protocols in IP which is a routable protocol. In this way protocols such as multicast (this include OSPF, EIGRP), and other protocols like IPX could be tunneled across routable links.

  (more…)

How many time have you wanted to know how long a cable run was? Now if you are running cisco 3750 switches you can find out by issuing the following commands you can see how long that cable run really is.

Switch# test cable-diagnostics tdr interface gigabitethernet0/2
TDR test started on interface Gi0/2

A TDR test can take a few seconds to run on an interface. Use "show cable-diagnostics tdr" to read the TDR results.

Switch#show cable-diagnostics tdr interface gigabitEthernet 0/2
TDR test last run on: Dec 10 09:05:10

         Interface Speed Local pair Pair length Remote pair Pair status
         --------- ------ ---------- ------------ ------------ ----------
         Gi0/2 auto Pair A   22 +/- 4 m N/A Open
           Pair B    21 +/- 4 m N/A Open
           Pair C    5 +/- 4 m N/A Open
           Pair D    20 +/- 4 m N/A Open

 The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, viruses, worms, Trojans, and network intrusions by receiving updated signature files from Cisco. If a packet or series of packets matches a particular signature the router can, send an alert, drop the packet, or reset the connection of the offending user. In this way the network engineer can better protect the network by acting on suspicious packets before they can pose a risk to the network infrastructure, another advantage of pushing IPS duties to the network edge is it allows offending packets to be dropped before they take up finite network resources.  In large networks as much as 10 percent of network resources could be consumed by packets that ultimately will be dropped for security reasons deeper in the network. (more…)

This config is for the Cisco 1800 series router running IOS 12.4. IOS 12.4 has some command and syntax changes in reguards to interfaces and configuration commands for PPPOE. This config was submitted by my good friend Pedro Rivera.

(more…)

Configuring a Cisco router to use the WIC-1ADSL card is one of the most commonly asked question by people in the Cisco forums. There are some interesting and compelling reasons to use a WIC card instead of connecting PPPOE through the ADSL modem in bridged mode. One of the most compelling reasons is the ability to use advanced QOS features such as interleaving and fragmentation. Because the DSL WIC card shows up as an ATM WAN interface, the router is able to perform those advanced Quality of Service features.  The overhead of encapsulating a packet in PPPOE and sending it to the modem over some length of cable is also a reason to use a WIC card instead of the modem.

It is important to realize that with most ISP’s you can configure the connection to use either PPPOA or PPPOE, the difference in configuration is very subtle however it can save you a couple of bits of overhead as PPPOE is encapsulated more time Than PPPOA.  So without further a due: (more…)