
Cisco Forum FAQ. Editors: skj, Covenant, aryoba, Phraxos. Last modified on 2009-11-05 16:17:22
30.0 Technologies
· Things to expect when setup network for home or small business
· Technical Aspects in xDSL/Cable Internet connection
· Between DHCP, PPP, Dynamic, and Static IP Address
· Setting Up Private Site-To-Site Connections
· Basic Cisco Commands and Descriptions
· What are the various show commands?
· Choosing Gateway IP Address for a network
· What is the difference between the different gateways in the routing table?
· Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview
· What features does my IOS support?
· How can I find out how far I am from the CO.
· Circuit Commission and Troubleshooting
· How your ISP announces your subnet via BGP to the Internet: BGP Looking Glass
· Understanding PIX Firewall/ASA
· Setting Up Wireless LAN
· VPN Concentrator 3000 series - Various Info
· Automatic Network Health Monitoring and Reporting System: An Introduction
· Routing and Switching - An Introduction
Things to expect when setup network for home or small business

Network Setup
The following is the most usual network setup when you deploy these technologies, even though it might not fit your situation exactly. Treat the information as a guide or reference rather than a requirement.
Equipment to use
* Routers, firewalls, switches
* Category 5/5e patch cable for wired connections
* Servers, workstations
1. Router
* In most cases, you need to do IP routing between your ISP (the Internet) and your network
* With that in mind, you need a router that has at least two Layer-3 (routing) interfaces: one facing the ISP and another facing your LAN
* Depending on the router model, the interface facing your LAN is an Ethernet interface, while the interface facing your ISP could be Ethernet or non-Ethernet
* Non-Ethernet interfaces include T1/E1 (Serial), ISDN, and DSL
* When the router has a non-Ethernet interface, the router might have an integrated modem
* When you have T1/E1, DSL, or cable Internet, you could use a dual-Ethernet router as long as there is a supporting external modem with an Ethernet port
* When the router has multiple Ethernet ports (i.e. a dual-Ethernet router), verify whether each of those ports is capable of acting as a Layer-3 (routing) interface
* When the router has an integrated switch, all switch ports together are considered one Layer-3 (routing) interface (a VLAN interface on Cisco routers) that faces your LAN
* The router might need to do NAT/PAT between your internal private subnet and the IP address provided by the ISP
* Typically routers don't do OSI Layer 5-7 inspection and/or filtering (e.g. spam email filtering); you might need a firewall or a dedicated appliance specifically for these
2. Firewall
* In most cases, you need to do IP routing between your ISP (the Internet) and your network
* In addition, you also need a firewall for some Internet security
* With that in mind, you need a firewall that has at least two Layer-3 (routing) interfaces: one facing the ISP and another facing your LAN
* Usually firewall interfaces are Ethernet only, without an integrated modem
* Assuming no integrated modem exists, you need an external modem or an external integrated modem/router to connect the firewall to your ISP
* When the firewall has multiple Ethernet ports, verify whether each of those ports is capable of acting as a Layer-3 (routing) interface
* When the firewall has an integrated switch, all switch ports together are considered one Layer-3 (routing) interface that faces your LAN
* The firewall might need to do NAT/PAT between your internal private subnet and the IP address provided by the ISP
3. Switch
* Most home or small business networks use a Layer-2 switch
* With a Layer-2 switch, all ports are considered one Layer-3 (routing) interface, i.e. one IP subnet
* A Layer-2 switch does not do routing; only switching or bridging
* You still need to do routing between your ISP (the Internet) and your LAN; hence you still need either a router or a firewall
* You connect the switch to the router or firewall LAN interface
* When the router or firewall has an integrated switch, connecting it to another switch is a switch-to-switch link, so you may need a crossover Category 5/5e patch cable instead of the straight-through type; ports that support auto MDI/MDI-X work with either cable
4. Servers and Workstations
* You connect servers and workstations to the switch ports
* When workstations need to receive IP addresses automatically, set the router or firewall as the DHCP server and the workstations as DHCP clients
* Servers need static IP addresses outside the DHCP pool; refer to the server operating system documentation on how to set a static IP address
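As an added example (this is not a configuration from the FAQ or its authors), here is a minimal IOS configuration that implements the four pieces above on a hypothetical Cisco 871/881-class router with an integrated switch: FastEthernet4 faces the ISP with a static address, Vlan1 is the single Layer-3 interface for the switch ports, the router does PAT for the LAN, serves DHCP to workstations while keeping a static range free for servers, and lets only return traffic back in. The platform, interface names, addresses, DNS server and credentials are all assumptions.

```cisco
! Added example (not from the FAQ): hypothetical Cisco 871/881-class
! router with an integrated 4-port switch and an Ethernet WAN port.
! Addresses are RFC 5737 documentation space and RFC 1918 private
! space; the ISP gateway, server and credentials are placeholders.
hostname SMB-GW
service password-encryption
no ip http server
no ip http secure-server
ip domain-name example.net
username admin privilege 15 secret ChangeMeBeforeDeploying
!
! The four switch ports are all members of VLAN 1, so Vlan1 is the one
! LAN-facing Layer-3 (routing) interface.  Sessions that start here are
! inspected (CBAC) so only their return traffic is let back in.
interface Vlan1
 description LAN (integrated switch ports)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip inspect LAN-OUT in
!
! ISP-facing Layer-3 interface: static address and mask from the ISP.
interface FastEthernet4
 description WAN to ISP (Ethernet hand-off from external modem)
 ip address 203.0.113.10 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! PAT: the whole LAN leaves through the single WAN address.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
!
! Stateful inspection of LAN-originated sessions; it opens the return
! path through WAN-IN dynamically.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
! Everything unsolicited from the Internet is dropped and logged.  The
! two ICMP types are kept so path-MTU discovery and traceroute work.
ip access-list extended WAN-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! DHCP for workstations.  .1-.49 is excluded from the pool so the
! gateway and servers keep static addresses that DHCP never hands out.
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp pool LAN-POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.10
 domain-name example.net
 lease 1
!
! Management: SSHv2 only, from the LAN only (generate the RSA key pair
! first with "crypto key generate rsa modulus 2048" in config mode).
ip ssh version 2
ip access-list standard MGMT
 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
```

The inbound ACL on the WAN interface is the part most often left out of small-office configs; without it (or with the classic "permit tcp any any established" shortcut), anything listening on the router or forwarded by NAT is reachable from the whole Internet.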
Choosing ISP
Whenever possible, choose an ISP that has a reliable connection to the backbone network. Note that the ISP does not need to be Tier-1 class (such as AT&T or Verizon), especially when your area is only served by Tier-3 class ISPs. As long as the ISP has such a reliable connection, you should be in good shape most of the time.
To find out how reliable your ISP's connection to the backbone network is, you can ask the following questions
* What kind of circuit does the ISP have to the backbone network? OC-X (OC-3, OC-12, or higher)? SONET ring? DWDM?
* How many transit providers does the ISP connect to? Three should be the "standard"
* Who are the transit providers? Are they Tier-1 class providers? Something like Level 3, Cogent, Sprint, or Internap should be sufficient.
Choosing Circuit Connection to ISP
The most common circuit connections for home or small businesses are the following
1. T1/E1, Point-To-Point (Dedicated Leased Line), or Frame Relay
2. ISDN
3. Broadband: DSL, Cable Internet
4. Wireless
The first two kinds of circuits are considered "top of the line" for home or small businesses. The standard SLA (Service Level Agreement) should include a 4-hour response time, which may not be present on broadband circuits. In most cases, these two circuit kinds are more reliable than broadband; hence they command a "top dollar" fee compared to broadband.
Choosing a circuit connection to the ISP depends on how critical your Internet applications are. If you or your organization require a constant, stable, and reliable Internet connection 24/7, then the first two circuit kinds should be the choice. If you or your organization can tolerate some downtime (no Internet connection for some time), then the last two choices should be sufficient.
Between T1/E1, DSL, and Cable Internet
Let's say you have the following choices of ISP connection speed (bandwidth); speeds are in megabits per second (Mbps)
1. A 1.5 Mbps full T1 circuit
2. A 1.5 Mbps ADSL over POTS (phone line)
3. A 3 Mbps Cable Internet
For home users or small businesses, the third choice looks most attractive since it usually offers more bandwidth at the lowest cost. Keep in mind that broadband connections (including Cable Internet) have minimal or no SLA compared to a T1 circuit.
In addition, a lot of the time the Cable Internet provider has some kind of bandwidth limit. The 3 Mbps bandwidth or speed is most likely the burstable speed and may not reflect the sustained speed you actually get. If you or your organization constantly use up the 3 Mbps, the Cable Internet provider might impose penalties such as charging an extra fee, or might reduce the speed without your consent or knowledge.
Unlike Cable Internet, there is usually no such penalty on an ADSL connection. In most cases, the connection speed is constant, because the DSL local loop is not shared with neighbors the way a cable segment is. When you have both T1 and ADSL from the same provider, you or your organization might be able to have some kind of Internet connection load balance or failover mechanism.
Side Note: Check out the following FAQ for more info on load balance or failover mechanisms »Cisco Forum FAQ »Redundant Link Graceful Internet Load Balance/Failover
However, ADSL (and other xDSL technology) speed depends on the distance between your site and the ISP's central office (CO) or DSLAM. The closer your site is to the CO, the more bandwidth or higher speed is available to you. Specifically with xDSL connections that ride over POTS, there might also be electromagnetic interference factors you need to consider.
Choosing Connection Speed/Bandwidth
How fast should your connection be? Is a 1.5 Mbps connection fast enough? Should I choose the 6 Mbps speed instead of 1.5 Mbps?
Choosing connection speed should be based on your application performance. Locate the critical Internet applications that will consume the ISP connection bandwidth the most. These applications vary between home users and small businesses. As an illustration, the applications could be simple Internet browsing, email, online gaming, voice or video over the Internet, and web hosting.
Once you locate the applications, the next step is to find out the most appropriate speed for such applications considering their workload. When you are unsure what the most appropriate speed is, the application's customer support should be the first to contact.
If you are still unable to find the most appropriate speed afterward, then the next factor to consider is your financial budget. When your budget is limited, pick the least expensive connection (which also means the slowest connection). Should you need a faster connection in the future, you can always consider upgrading the speed.
Choosing Internet gateway device
The most common Internet gateway devices for home or small businesses are routers and firewalls. Routers are usually preferable since they support more kinds of WAN interface (Serial, ISDN, DSL) than firewalls, which are Ethernet only. However, a firewall could be the choice when you or your organization only require a default route to your ISP and have no plan of having a T1/E1, Point-To-Point, Frame Relay, or ISDN circuit to your ISP.
Whichever device you choose, choose one that provides at least decent security features or protections: stateful inspection of return traffic, an inbound filter on the ISP-facing interface, and management restricted to SSH from the LAN. In addition, business grade devices are recommended since they are more reliable than consumer grade ones.
In the Cisco world, routers for home or small businesses are the 800 series or higher. As to firewall choices, they should be the ASA 5500 series or the (older) PIX Firewall.
Choosing Modem
As mentioned, you have a choice of using either an external or an internal (integrated) modem. When you have broadband Internet such as ADSL or Cable Internet, typically you need an external modem. Should you prefer an internal modem integrated into the Internet gateway device, make sure that the modem is compatible with your ISP connection.
In case you use an external modem, you need to verify whether the modem is "just" a modem (a dumb modem, i.e. a bridge) or an integrated modem/router. A simple dumb modem typically needs no special configuration; you can just connect the modem to your Internet gateway device. If the modem is an integrated modem/router, then you need to confirm further issues such as bridge/route mode, whether NAT/PAT is active (double NAT breaks inbound port forwarding and some VPNs), and so on.
Connecting Router or Firewall To Your ISP
Following are the most common network scenarios for each ISP connection type
1. T1/E1, Point-To-Point, or Frame Relay
* use a router with either an internal or an external CSU/DSU
* receive a static IP address with a specific subnet mask from the ISP
* the ISP static IP address may be a public IP address (Internet routable) or may be a private IP address (non-Internet routable)
* may or may not receive ISP DNS IP addresses
2. DSL
* use a router or firewall with either an internal or an external DSL modem
* When using a Cisco router with an internal DSL modem, there might be a need to have interface BVI1 activated (RFC 1483 bridging) and to set the VPI/VCI value on the ATM interface
* When there is no internal DSL modem, you should not need a BVI interface
* receive either a static or a dynamic IP address with a specific subnet mask from the ISP
* the ISP IP address is a public IP address (Internet routable)
* the ISP assigns the IP address by either PPP (PPPoE or PPPoA), DHCP, or static configuration
* may or may not receive ISP DNS IP addresses
2.1 When ISP uses PPP
* When you use a Cisco router as the ISP gateway, there is a need to have interface Dialer1 activated
* You need to tie the WAN port interface to interface Dialer1 (through a dialer pool)
* Under interface Dialer1, there is a need to have either "ip address x.x.x.x y.y.y.y" (statically assigned) or "ip address negotiated" (dynamically assigned)
2.2 When ISP uses DHCP or static
* When using a Cisco router with an internal DSL modem, there might be a need to have either "ip address x.x.x.x y.y.y.y" (statically assigned) or "ip address dhcp" (dynamically assigned) under interface BVI1
* You might be required to set a specific MAC address under interface BVI1
* When you do use interface BVI1, you need to tie the WAN port interface to interface BVI1 (through a bridge group)
* When the router has no internal DSL modem, then the IP address assignment (static or dynamic) should be under the ISP-facing Ethernet interface
* Should you need to set a specific MAC address and there is no internal DSL modem, the MAC address should be under the ISP-facing Ethernet interface
3. Cable Internet
* use a router or firewall with either an internal or an external cable modem
* receive either a static or a dynamic IP address with a specific subnet mask from the ISP
* the ISP IP address is a public IP address (Internet routable)
* You might be required to set a specific MAC address under the WAN port interface (interface Cable0 or the Ethernet interface)
* may or may not receive ISP DNS IP addresses
4. ISDN
* use a router with either an internal or an external ISDN modem (terminal adapter)
* receive either a static or a dynamic IP address with a specific subnet mask from the ISP
* the ISP IP address is a public IP address (Internet routable)
* may or may not receive ISP DNS IP addresses
* since ISDN uses PPP, also check the "2.1 When ISP uses PPP" part
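Added example for the "2.1 When ISP uses PPP" case above (this configuration is not from the FAQ or its authors): a hypothetical Cisco router with an integrated ADSL modem (a WIC-1ADSL or 8x7-class ATM0 interface) running PPPoE. The ATM PVC feeds a PPPoE client that is tied to Dialer1 through dialer pool 1, the address is negotiated over PPP, and MTU/MSS are lowered for the PPPoE overhead. The VPI/VCI, credentials, interface names and LAN addressing are assumptions; use the values your ISP gives you.

```cisco
! Added example (not from the FAQ): PPPoE over an internal ADSL interface
! (WIC-1ADSL / Cisco 8x7 ATM0).  VPI/VCI 0/35 and the credentials are
! placeholders supplied by the ISP in real deployments.
!
! Layer 1/2: DSL line and ATM PVC.  No IP address here; the PVC only
! feeds the PPPoE client, which hands the session to dialer pool 1.
interface ATM0
 description ADSL line to ISP
 no ip address
 dsl operating-mode auto
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
! Layer 3: the PPP session terminates on Dialer1.  "ip address
! negotiated" is used because the ISP assigns the address over PPP
! (IPCP).  Replace it with "ip address A.B.C.D MASK" only when the ISP
! confirms the PPP address is configured statically on your side.
! CHAP is preferred over PAP: PAP sends the password in the clear.
interface Dialer1
 description PPPoE session to ISP
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname user@isp.example
 ppp chap password 0 S3cretPl4ceholder
 ip nat outside
 no cdp enable
!
! PPPoE adds 8 bytes of overhead, so clamp TCP MSS on the LAN side.
! Otherwise large packets are black-holed whenever an upstream filter
! drops ICMP "fragmentation needed".
interface Vlan1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip tcp adjust-mss 1452
 ip nat inside
!
! "Interesting traffic" that keeps the dialer up, and the default route
! pointing at the dialer interface rather than at a next-hop address.
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! PAT the LAN out of whatever address IPCP negotiated.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
! Verification, one OSI layer at a time (exec mode):
!   show dsl interface atm0      Layer 1: line trained, sync rates
!   show pppoe session           Layer 2: PADS received, session UP
!   show interfaces dialer1      Layer 2/3: "LCP Open, IPCP Open"
!   show ip interface brief      Layer 3: negotiated address on Dialer1
!   debug ppp authentication     CHAP failure means wrong credentials
```

The verification commands follow the Layer-1/2/3 order the FAQ uses elsewhere: if the DSL line has not trained, nothing above it can work, and a CHAP failure with a trained line and an established PPPoE session points at the credentials, not the circuit.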
Find out your suitable WAN connection type
Usually you already know that your LAN is an Ethernet environment. But do you know what WAN environment you will have? Is it T1/E1, DSL, PPPoE, PPPoA, DHCP, or something else?
The only people who know what your WAN environment will be are your ISP. Please consult your ISP representative regarding the connection type. Usually when you are a new customer, your ISP provides the necessary info on how to connect your LAN to the Internet, either by mail, email, or phone.
Keep in mind that the ISP-provided info might not be very technical, or might be unclear. Here is a suggestion: document all the info provided in this FAQ, then discuss the WAN connection type with your ISP representative and ask the representative to find out which WAN connection type described here matches yours.
Some key words you need to discuss with your ISP representative are the following:
* Physical (Layer 1) connection: T1/E1, ISDN, DSL, Cable Internet
* Modem: external or internal modem
* Layer 2 connection: PPPoA, PPPoE, DHCP, static IP address
* IP address assignment: which IP address is the gateway and which is the host
* NAT/PAT: is it possible to use the gateway (router) IP address to go out to the Internet using PAT?
* DNS IP addresses: which are they, and how do you use them on your system?
If your representative is not technical enough, ask to speak with one of their technical people. This way, you can be sure you have the necessary info on how to connect your LAN to the Internet.
As an insight, the following FAQ describes some technical aspects of DSL and Cable Internet »Cisco Forum FAQ »Technical Aspects in xDSL/Cable Internet connection
Preparing Yourself before discussing with ISP representative
Before contacting your ISP, you need to understand the system you plan to use. This system includes your Internet gateway (router or firewall), servers, workstations, and all other hosts. Familiarize yourself with the router or firewall inner workings and features, as well as the operating systems of your workstations, servers, and all other hosts. The key technology to familiarize yourself with is how to set up a network using DHCP, PPP (PPPoA/PPPoE), and static IP addresses on your system.
As to the router and firewall, it is suggested that you become comfortable with the various WAN connection types and deployments. Review router and firewall sample configurations for all WAN connection types, from DHCP and PPP to static IP addresses. Even though your ISP might be using DHCP and not PPP, for example, it is a good idea to be familiar with both to understand the similarities and differences between the two technologies.
Check out the following FAQ for further info regarding DHCP, PPP, dynamic, and static IP addresses
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address
Following is a sample configuration list for specific WAN connection types for further review. The sample configurations cover the most common WAN connection types such as T1/E1, cable Internet, DSL, external and internal modem, PPPoA, PPPoE, DHCP, and static IP. They also cover multiple platforms, from routers of various models to PIX Firewall and ASA.
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco
Most sample configurations are written for the CLI (Command Line Interface) and not a web GUI. In case you are not familiar with the CLI, the following FAQs give a CLI introduction.
»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI
By reviewing all of your system's inner workings in advance, you are better prepared, which makes the WAN connection type and deployment discussion with the ISP representative go more smoothly.
Deployment Process
When you are ready to do the actual deployment, check out the following FAQs for insights
»Cisco Forum FAQ »Quick and Easy Subnetting on Routing, Switching and Network Design Relationship
»Cisco Forum FAQ »Choosing Gateway IP Address for a network
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices
»Cisco Forum FAQ »Network Design Tips
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
by aryoba, last modified: 2008-01-30 14:16:17

Technical Aspects in xDSL/Cable Internet connection
Prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
When you decide to have broadband Internet access using xDSL (e.g. ADSL, SDSL) or Cable Internet, you will most likely deal with the following aspects
* Using either a router or a firewall as the Internet gateway
* Layer-1: using either an internal or an external modem; Category 5/6 cable extension
* Layer-2: PPP (PPPoA, PPPoE); MAC address for DHCP
* Layer-3: auto-negotiated or static WAN IP address
Following are some details.
PPP
When you are using xDSL, ISDN, or T1/E1 circuits, you will probably be dealing with PPP technology. In a nutshell, PPP is a Layer-2 technology that connects a remote user (PPP client) to a server (PPP server), authenticating the client with a specific username and password (PAP or CHAP) and then negotiating the IP address over IPCP. In this case, the PPP client is your Internet gateway (either router or firewall) and the PPP server is at the ISP. Prefer CHAP where the ISP allows it: PAP sends the password across the link in the clear.
Typically you need a router as the PPP client. Specifically with PPPoE, you could use a firewall (the PIX and ASA include a PPPoE client). However, for PPPoA or legacy PPP over a serial or ISDN interface, you need a router.
DHCP
When you are using either xDSL or Cable Internet, you will probably be dealing with DHCP technology. In a nutshell, DHCP is a mechanism that dynamically provides an IP address and subnet mask (and usually a default gateway and DNS servers) to a machine that needs one. In this case, the machine is your Internet gateway (either router or firewall), which is the DHCP client, and the DHCP server is in the ISP network.
Typically you can use either a router or a firewall as the DHCP client. Unlike PPP, which uses a username and password to connect, the DHCP process might require a certain MAC address to connect to the ISP: the ISP locks the lease to the MAC address it has on file for your account.
Following FAQ is some info on PPP, DHCP, and Static IP address assignment »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address
Between Internal Modem and External Modem Usage
When you use an external modem, your Internet gateway receives an Ethernet hand-off. This applies when you use a firewall or a router without an integrated modem. From a practical perspective, you then only need to configure the Layer-2/Layer-3 aspects on the Internet gateway. For PPP, in general you only need to configure the username, password, and authentication method. For DHCP, in general you only need to verify that your Internet gateway's MAC address is in the ISP database.
There are some things you need to confirm whether you use an external or an internal (integrated) modem. Some examples are your ISP's DSL signaling type, bridge mode configuration, and VPI/VCI value settings when you use xDSL service. Fortunately, you may not need to worry about this when you use the "ISP-approved" external modem, since those settings are pre-configured. Note that the keyword is "may".
When you use a router with an integrated DSL modem for xDSL service, your integrated modem/router may not be the "ISP-approved" xDSL equipment. Note that even though the router is not "ISP-approved", that doesn't necessarily mean the router won't work. In any case (integrated or external modem, "ISP-approved" or not), you need to verify the Layer-1/Layer-2/Layer-3 aspects. As an illustration, you need to verify things like the DSL signaling mode and ATM VPI/VCI values in addition to the username, password, and authentication method. Whatever technology your ISP uses (DSL, Cable, or other), you need to make sure their setup matches yours to make things work. Check out the following FAQ for more info.
»Cisco Forum FAQ »Generic PPPoA/PPPoE/RFC1483 Bridging/RFC1483 Routing Guide
One good thing about using an integrated modem within a router is that you can see the Layer-1/Layer-2/Layer-3 aspects on one device, the router itself (for example "show dsl interface atm0" for the line, "show pppoe session" for the PPP session, and "show ip interface brief" for the address). When you use an external modem, you need to confirm two device configurations: the external modem and the router.
Some Deployment and/or Troubleshooting Insights
Following are some discussions of troubleshooting Layer-1/Layer-2/Layer-3 issues
»[HELP] How to read dsl interface
»What do these sh dsl int atm0/0 - atm0/1 mean ??
»2800 series routers
»[HELP] Cisco 1721 and WIC-1ADSL Slow, 320Kbit
»Frequent disconnects with 1801
»[HELP] Cisco 857W and Qwest
»[HELP] cisoc 3640 nm-1fe-2w + wic1-adsl speed problem.
»[Config] Fun with Cisco 1720 WIC-1ADSL, WIC-1ENET and Cisco PIX
»Cisco 8x7 CRCs on logical interface only
»[HELP] Help with CISCO 1801 router
For more info on Layer-1 xDSL troubleshooting, you can always visit the DSL forum FAQ such as this »SBC DSL FAQ
For more info on Layer-1 Cable Internet troubleshooting, you can always visit the Cable Internet forum FAQs such as these
»Cable Modem General Info
»Cable Modem Troubleshooting
by aryoba, last modified: 2009-01-13 14:52:02

Between DHCP, PPP, Dynamic, and Static IP Address
Suggested prerequisite reading »Cisco Forum FAQ »Things to expect when setup network for home or small business
When you use an ISP to connect to the Internet, most likely you will be dealing with DHCP, PPP, dynamic, or static IP address assignment (whether you are aware of it or not).
Let's say you have to configure a Cisco router's ISP-facing interface to have a specific IP address. The following illustrates how to configure the IP address in each case.
1. Assign IP address by DHCP

   interface Ethernet0
    ip address dhcp

2. Assign IP address by PPP

   interface Dialer1
    ip address negotiated

   ("ip address negotiated" is only accepted on a PPP-encapsulated interface such as Dialer1, so for PPPoE/PPPoA it goes under the dialer interface, not under the physical Ethernet or ATM interface.)

3. Assign IP address statically

   interface Ethernet0
    ip address xx.xx.xx.xx yy.yy.yy.yy

where xx.xx.xx.xx is the IP address and yy.yy.yy.yy is the subnet mask
In the early days, DHCP and PPP were used to dynamically assign IP addresses to hosts. However, with additional features it is technically possible to assign a "static IP address" via DHCP and PPP. By referring to the specific MAC address of a host, the host always receives the same IP address via DHCP (a reservation). By referring to a specific username and password, a host also always receives the same IP address via PPP.
Why would your ISP use DHCP or PPP to "statically assign" IP addresses to their customers and not use the traditional way of statically assigning IP addresses? Probably because it is simpler from their network administration point of view. Whatever the reason, you have to choose the most appropriate way to assign your ISP IP address and learn the tips and tricks you need to access the Internet through your ISP.
Assign Your Internet Gateway's IP Address
In terms of configuring your Internet gateway's IP address, you need to consult your ISP as to how exactly they assign the IP address to your device.
When your ISP says the IP address is assigned dynamically, you need to confirm the following
* whether they use DHCP or PPP (PPPoE/PPPoA) technology to assign the IP address
* if they use PPP, the username and password for the PPP authentication process
* if they use DHCP, whether the ISP locks your IP address to a specific MAC address
* whether the IP address is always the same or constantly changing
* assuming the IP address changes, how frequently the change takes place and which event triggers the change
When your ISP says the IP address is static, you need to confirm the following
* whether they use DHCP or PPP technology to assign the IP address
* whether the IP address might change
* assuming the IP address changes, how frequently the change takes place and which event triggers the change
Important Note:
Make sure that when you discuss this with your ISP representative, the representative is a technical person who knows what he or she is talking about. You don't want to be misinformed, since you might not be able to access the Internet when you don't have the correct info.
Static IP without DHCP or PPP
If your ISP says "No DHCP, No PPP. It is static", then it means you have to statically configure your Internet gateway device with your assigned IP address, subnet mask, and default gateway. On a Cisco router, use the "ip address xx.xx.xx.xx yy.yy.yy.yy" command under the ISP-facing interface and add a default route ("ip route 0.0.0.0 0.0.0.0" followed by the ISP gateway address).
Check out this forum's FAQ for specific sample configuration of Cisco router with statically-assigned IP address »Cisco Forum FAQ »How can I configure broadband router with cable/dsl using static IP address
Static IP with DHCP
When your ISP uses DHCP to "statically assign" your Internet gateway device's address, then from the device's perspective it is still DHCP (a dynamic IP address process with a "sticky IP" approach). To configure your Cisco router, you still need to use the "ip address dhcp" command under the ISP-facing interface.
Check out this forum's FAQ for specific sample configuration of Cisco router as DHCP client. »Cisco Forum FAQ »Configure router as DHCP client using external modem
Dynamic IP with DHCP
From the DHCP client's perspective, there is no difference between "static" and dynamic IP address assignment. As mentioned, a "statically assigned" DHCP-based IP address is still a dynamic process. Therefore you can use the same FAQ above for a specific sample configuration of a Cisco router as DHCP client when you only have a dynamic IP address from your ISP.
As a note, the difference between DHCP-based static and dynamic IP addresses is probably the ISP requirement to lock your Internet gateway device's MAC address to a specific IP address, although it is possible that the ISP administers MAC address lock-down for both dynamic and static IP account customers for network management simplicity. Check out the following thread for insight.
»[help] 851W and ISP DHCP
Dynamic IP with PPP
In general, your ISP supplies a username and password for the PPP authentication process. Once your Internet gateway device successfully establishes the PPP connection with your ISP (passes the Layer-2 process), your device deals with the IP address assignment (the Layer-3 process, IPCP).
In a normal PPP-IP network environment, dynamic IP address assignment requires the "ip address negotiated" command under the ISP-facing (dialer) interface on Cisco equipment. With a static IP address, you use the "ip address xx.xx.xx.xx yy.yy.yy.yy" assignment on the Cisco router. However, there might be exceptions for certain ISPs. If you have a static IP with PPP, read the next discussion.
Check out this forum's FAQ for specific sample configuration of Cisco router as PPP client »Cisco Forum FAQ »Quick Guide of Configuring Cisco router for PPPoE using external modem
Static IP with PPP
When your ISP uses PPP to "statically assign" your Internet gateway device's address, you may experience an unusual situation. To configure a Cisco router in a normal static IP address environment, you use the "ip address xx.xx.xx.xx yy.yy.yy.yy" command under the ISP-facing interface. However, for some ISPs you need to use the "ip address negotiated" command under the ISP-facing interface instead, typically because the ISP's PPP server expects to hand out the (always identical) address over IPCP rather than accept one proposed by the client.
If you are in this situation, try the first approach (the "ip address xx.xx.xx.xx yy.yy.yy.yy" command) and see whether you are able to host public servers or establish an IPsec VPN tunnel with the remote end. If your public server is inaccessible from the Internet or you are unable to establish the VPN tunnel, try the second approach (the "ip address negotiated" command) and see if it makes any difference. When the second approach works, it is the most appropriate way to assign the IP address to your ISP-facing interface.
Like DHCP, static and dynamic IP address assignment in a PPP-IP environment use similar configuration. Therefore you can refer to the previous sample configuration of a Cisco router as PPP client for static IP address assignment as well.
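Added example for the "Static IP with DHCP" and "Dynamic IP with DHCP" cases above (not a configuration from the FAQ or its authors): a hypothetical Cisco 800-series router whose Ethernet WAN port connects to an external cable or DSL modem in bridge mode. The ISP assigns the address by DHCP and has the lease locked to a registered MAC address, so the interface MAC is overridden; the learned default gateway and DNS servers are then reused. The platform, interface names, MAC address and LAN addressing are assumptions.

```cisco
! Added example (not from the FAQ): hypothetical Cisco 800-series router
! as DHCP client behind an external bridged cable/DSL modem.
! 0012.3456.789a is a placeholder for whatever MAC the ISP registered
! (often the previous CPE's); set it only if the ISP locks leases to a
! MAC, otherwise leave the interface's burned-in address alone.
interface FastEthernet4
 description WAN to cable/DSL modem (bridge mode)
 mac-address 0012.3456.789a
 ip address dhcp
 ip access-group WAN-IN in
 ip nat outside
 no ip proxy-arp
 no cdp enable
!
! The DHCP offer carries the ISP gateway (option 3).  IOS installs it
! as a default route with administrative distance 254, so no
! "ip route 0.0.0.0 0.0.0.0 ..." is needed; a configured static default
! route would take precedence over the learned one.
!
! DHCP replies must pass the WAN filter or the lease never renews once
! the ACL is applied; everything else unsolicited is dropped and logged.
ip access-list extended WAN-IN
 permit udp any eq bootps any eq bootpc
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Stateful inspection of LAN-originated sessions opens their return
! path through WAN-IN.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
interface Vlan1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip inspect LAN-OUT in
!
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
!
! LAN pool: "import all" copies the DNS servers (option 6) learned by
! the WAN DHCP client into this pool, so workstations follow the ISP's
! DNS automatically when the lease changes.
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp pool LAN-POOL
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
! Verification (exec mode):
!   show dhcp lease              leased address, server, expiry, DNS
!   show ip route                S* 0.0.0.0/0 [254/0] via <ISP gateway>
!   release dhcp FastEthernet4   then "renew dhcp FastEthernet4" after
!                                changing the MAC, to force a new lease
!   debug dhcp detail            no OFFER at all usually means the MAC
!                                is not the one registered with the ISP
```

Whether the ISP calls the account "static" or "dynamic" changes nothing in this configuration; the only knob that differs is the mac-address line, and the "sticky" address simply shows up in show dhcp lease with the same value after every renewal.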
Additional Sample Configurations
For more sample configurations, check out the following FAQ Various PPPoA/PPPoE/DHCP/Static Sample Configuration with Cisco
by aryoba, last modified: 2008-01-04 09:18:58

Setting Up Private Site-To-Site Connections
Communications between internal sites within the same organization are preferably delivered over a secure or private connection, which rides over some circuit. The circuit could be a dedicated circuit or a broadband circuit such as DSL or Cable Internet.
Dedicated Circuit
A dedicated circuit provides a private, dedicated connection between two or more sites. In other words, no other organization uses this circuit, since it is dedicated end to end to one organization and its sites.
Following are the most common dedicated circuit types
1. T1/E1, DS-3
2. ISDN
3. Frame Relay
4. Fiber: OC-X, Metro Ethernet, SONET ring, DWDM
To get such a circuit, an organization usually contacts its preferred ISP or carrier to set one up. The organization can choose to use the ISP network as an "intermediate network" between its sites, or to have a direct connection between sites that bypasses the ISP network.
Using a T1/E1 circuit for such a direct connection, for example, the circuit would be some type of leased line, point to point between two sites. When there are more sites to connect, an organization usually uses the ISP network at some point to reduce cost and to be more manageable. Note that traffic on a leased line, Frame Relay PVC, or ISDN call is separated from other customers by the carrier but is not encrypted; if confidentiality against the carrier matters, run IPsec over the circuit as well.
This kind of connection technology is considered "top of the line" since it is the most reliable connection (at least most of the time) compared to broadband connections such as DSL and Cable Internet. This nature requires the organization to pay a premium maintenance cost compared to broadband.
Wireless
In some situations, using wireless technology (e.g. microwave links) to provide private site-to-site connections is a good approach. Typically the following situations make wireless deployment a "no-brainer" solution.
• The distance between all sites is fairly short
• Line of sight (LOS) between antennas is not blocked; in other words, neither trees, hills, mountains, nor buildings are between the sites
• You need "unlimited" bandwidth with limited time and budget to deploy
• "A little service interruption" is acceptable
Check out the following for more insights.
»Wireless Networking Forum FAQ »Carrier Grade ~1Gbps solutions
VPN (Virtual Private Network)
With today's virtual communication technology, an organization can use some form of VPN (Virtual Private Network) to provide private and secure site-to-site connections.
Using a VPN, the connection between two locations can ride over a public network (i.e. the Internet) while still maintaining a secure or private connection. This is done by creating a logical or virtual connection between the locations that rides over any physical circuit.
There are several technologies to set up such a connection
1. HTTPS/SSL
2. IPSec
3. MPLS
Note that IPsec and HTTPS/SSL encrypt the traffic, whereas an MPLS VPN from a carrier separates your traffic from other customers' traffic but does not encrypt it.
Following is the breakdown.
HTTPS/SSL-based Approach
One factor in deciding how to set up a private or secure connection for internal communication is the application, such as file transfer or email. Say your organization uses web-based email or another web-based application accessed through a browser (Internet Explorer, Netscape, or Mozilla) for communication between sites. In that case, one way to set up a private connection is an HTTPS/SSL-based connection over the Internet.
An HTTPS/SSL-based connection is basically HTTP (web) traffic protected by SSL/TLS. It can ride over any connection, including the Internet via any ISP, while keeping the session confidential and tamper-evident. With this approach, each site only needs a basic Internet connection and no special network setup. Keep in mind that the protection depends on the client verifying the server certificate; a user who clicks through a certificate warning has given that protection away.
Note that an HTTPS/SSL-based setup over the Internet only works when all the necessary applications are web-based. Some applications cannot be accessed from a browser at all. For example, you cannot use Internet Explorer to map a shared drive in a Microsoft Active Directory network.
When remote users need such applications, the HTTPS/SSL-based approach will not work. What is needed instead is a network-layer approach (going down to OSI Layers 1 to 3) to set up the secure or private connection.
With a network-layer approach, any application (web or non-web) works, since the approach is general and does not depend on the application type.
IPSec Approach
Both IPSec and HTTPS/SSL are VPN technologies. Both create an encrypted connection ("tunnel") between two sites. The difference is that HTTPS/SSL works at the application layer (OSI Layer 7) while IPSec works at the network layer (OSI Layer 3).
As mentioned, an IPSec VPN supports both web and non-web applications because it works at the network layer. An example of a non-web application is accessing a shared drive on a Microsoft Active Directory network.
Note:
Both IPSec and HTTPS/SSL VPN technology also apply to remote users connecting to the office temporarily, as described below.
Within an organization there is probably at least one employee who is always "on the run" and needs to work remotely from anywhere; such an employee is sometimes called a "road warrior". Other employees need to work remotely from home, hotels or elsewhere from time to time.
Such connections are temporary by nature: access exists only while it is needed, and can be closed or removed afterwards.
For this kind of remote access, either IPSec or HTTPS/SSL VPN is a good choice for a private and secure connection to the office or sites, since both create a temporary tunnel between the office and the remote user or site for the data that has to pass between them. When no more data passes, the tunnel is torn down.
In practice the remote users could go to the nearest Internet cafe or use a public wireless network and establish an IPSec or HTTPS/SSL tunnel to the office, assuming they have the necessary client software or equipment.
Between Broadband and Dedicated Circuit
For most small organizations, broadband connections such as DSL and Cable Internet are preferred over a dedicated point-to-point circuit because of cost. To provide a private and secure site-to-site connection, such organizations use HTTPS/SSL, IPSec, or both.
As an illustration, consider a small organization with two sites, one with DSL and the other with Cable Internet. To provide a private and secure site-to-site connection, one option is a T1 circuit between the two sites. Another is an IPSec VPN tunnel between the sites over the existing broadband connection at each site.
Since the T1 circuit is more expensive than DSL or Cable Internet, the organization chooses the second option. Keep in mind that DSL and Cable Internet come with a weaker SLA than a dedicated circuit: when a broadband connection goes down, the ISP response time is typically longer than for a dedicated circuit.
In addition, a VPN tunnel can go down "by itself" for no obvious reason (for example after a rekey mismatch, or because a dynamically assigned public IP address changed). A dedicated circuit is generally more stable.
MPLS
MPLS is a Layer-2/3 VPN approach in which each organization site has a dedicated circuit to its ISP (the last mile) rather than to the other sites. Unlike the dedicated-circuit network above, the site-to-site path rides over the ISP's shared MPLS network: the ISP's devices forward on labels and keep each customer's routes in a separate VRF, so the customer's IP addressing is neither visible to nor mixed with that of other customers. In other words, MPLS sits somewhere between the dedicated-circuit approach and the IPSec VPN approach.
Generally speaking, the ISP network handles the VPN aspect and keeps the customer traffic separated inside the ISP network; this is transparent to the organization (the ISP customer) and its sites. From the organization's perspective, MPLS site-to-site connectivity looks much like the dedicated site-to-site connection above. Note that this separation is not encryption: the carrier, and anyone who compromises it, can read the traffic, so an organization that needs confidentiality against the carrier runs IPSec over the MPLS circuit.
Network-Layer Site-to-Site Connection Approach
The network-layer site-to-site connection approach refers to IPSec VPN, dedicated circuit, and MPLS. As mentioned, this approach is needed to connect remote sites for any application type, including non-web-based applications.
The next discussion covers considerations for such site-to-site connections. Note that these apply to site-to-site connections and not to road-warrior-to-site connections.
Network Topology
When there are only two sites to communicate, the site-to-site connection is just a straight point-to-point link. When there are more sites, there are further considerations to review.
One of them is the network topology. The most common site-to-site topologies for three or more sites are:
1. Full Mesh
2. Hub and Spoke
3. Partial Mesh
Full Mesh
With a Full Mesh, each site has a dedicated connection to every other site, as follows:
Site A --- Site B
  | \     / |
  |  \   /  |
  |   \ /   |
  |    X    |
  |   / \   |
  |  /   \  |
  | /     \ |
Site C --- Site D
A typical organization employing this topology has a small number of branches or sites with relatively low data throughput.
With dedicated point-to-point circuits, there will be multiple dedicated T1 (say) connections between sites. In the illustration above, each site has three T1s to the others, for a total of six T1 circuits. With VPN tunnels, there are likewise six tunnels in total, three per site. In general, n fully meshed sites need n(n-1)/2 circuits or tunnels.
Since each site has a dedicated connection to every other, there is no single point of failure. If one site goes down, the other sites still have connections among themselves.
However this setup becomes costly to manage as the number of sites grows and/or more data throughput is pushed through it. Every additional site needs a dedicated connection to each existing site.
With dedicated circuits, that means more circuits to set up at each site, which may be financially prohibitive. With VPN tunnels, it means more tunnels at each site, which may consume too many VPN device resources such as CPU and memory.
Hub and Spoke
With Hub and Spoke, each site has only a single connection, to one central site. The central site then has a connection to each of the other sites, as follows:
        Site A
          |
          |
Site B ---- Site Z ---- Site C
          |
          |
        Site D
Sites A to D are called "spokes" and Site Z is called the "hub". Some people refer to this setup as a "star topology".
Medium to large organizations usually have this setup. The hub is usually the corporate office and the spokes are branches, smaller offices, or remote offices.
With dedicated circuits, each spoke needs only a single circuit to reach all other sites (the hub, however, terminates one circuit per spoke). With VPN tunnels, the VPN device resources at the spokes are barely consumed compared to the Full Mesh setup, while the hub device must be sized for one tunnel per spoke and for all spoke-to-spoke traffic.
The downside is that Site Z (the central site) is a single point of failure. When this site is down, all other sites lose their connections.
Partial Mesh
Reviewing the two previous setups, you may wonder which setup has no single point of failure but is not cost prohibitive. The answer is probably the Partial Mesh.
With a Partial Mesh, there are far fewer connections than in a Full Mesh, and no single point of failure as in Hub and Spoke. The links in the illustration are:
Hubs:   Site Y ----- Site Z
Spokes: Site A --- Site Y      Site A --- Site Z
        Site B --- Site Y      Site B --- Site Z
        Site C --- Site Y      Site C --- Site Z
        Site D --- Site Y      Site D --- Site Z
        Site E --- Site Y      Site E --- Site Z
        Site F --- Site Y      Site F --- Site Z
Site Y and Site Z are the "hubs". Sites A to F are "spokes" to both Site Y and Site Z, so every spoke keeps a path when either hub goes down.
This is the preferred setup in medium to large organizations. The two hubs are usually two large offices. The spokes are branches, smaller offices, or remote offices.
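To make the trade-off between the three topologies concrete, the following added example (written for this FAQ, not taken from the original page or from any vendor) models each topology as a set of links, counts the circuits or tunnels each needs, and checks for single points of failure by removing one site at a time and testing whether the survivors are still connected. The site names follow the illustrations above; the topologies are built inline, so it runs offline.

```python
"""Link count and single-point-of-failure check for Full Mesh, Hub and Spoke, Partial Mesh.

Added example for this FAQ (not from the original page). Site names follow the
illustrations above; the topologies are constructed here as adjacency sets.
"""
from itertools import combinations


def full_mesh(sites):
    """Every site links directly to every other site: n(n-1)/2 links."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke(hub, spokes):
    """Each spoke has exactly one link, to the hub."""
    return {frozenset((hub, s)) for s in spokes}


def partial_mesh(hubs, spokes):
    """Hubs are meshed with each other; every spoke links to every hub."""
    links = full_mesh(hubs)
    links |= {frozenset((h, s)) for h in hubs for s in spokes}
    return links


def is_connected(sites, links):
    """Depth-first search: can every site reach every other over the given links?"""
    sites = set(sites)
    if not sites:
        return True
    start = next(iter(sites))
    seen, frontier = {start}, [start]
    while frontier:
        node = frontier.pop()
        for link in links:
            if node in link:
                (other,) = link - {node}
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
    return seen == sites


def single_points_of_failure(sites, links):
    """Sites whose outage leaves the remaining sites unable to reach each other."""
    spof = []
    for site in sites:
        remaining = [s for s in sites if s != site]
        remaining_links = {l for l in links if site not in l}
        if not is_connected(remaining, remaining_links):
            spof.append(site)
    return sorted(spof)


def summarize(name, sites, links):
    return {"topology": name, "sites": len(sites), "links": len(links),
            "spof": single_points_of_failure(sites, links)}


def compare_topologies():
    """The three illustrations above: 4-site mesh, hub Z with 4 spokes, hubs Y/Z with 6 spokes."""
    mesh_sites = ["Site A", "Site B", "Site C", "Site D"]
    hs_spokes = ["Site A", "Site B", "Site C", "Site D"]
    pm_spokes = ["Site A", "Site B", "Site C", "Site D", "Site E", "Site F"]
    return [
        summarize("full mesh", mesh_sites, full_mesh(mesh_sites)),
        summarize("hub and spoke", ["Site Z"] + hs_spokes,
                  hub_and_spoke("Site Z", hs_spokes)),
        summarize("partial mesh", ["Site Y", "Site Z"] + pm_spokes,
                  partial_mesh(["Site Y", "Site Z"], pm_spokes)),
    ]


if __name__ == "__main__":
    for row in compare_topologies():
        print(row)
```

Running it reports six links and no single point of failure for the full mesh, four links with Site Z as the single point of failure for hub and spoke, and thirteen links with no single point of failure for the dual-hub partial mesh. Swap in your own site list and hub count to see how the link budget grows before ordering circuits.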
IP Routing
Whether the setup is Point-to-Point, Hub and Spoke, Full Mesh, or Partial Mesh, IP routing should be used to interconnect the sites. Each site therefore has its own subnet, and a router is used to interconnect the sites.
Specifically for IPSec VPN, you could have the router terminate the VPN tunnel. Alternatively, a dedicated VPN device such as a firewall or VPN concentrator terminates the tunnel and the router is used only to interconnect sites.
Combination of Point-to-Point and Partial Mesh
As mentioned, the traditional connection between two sites is a single point-to-point link. However it is possible to have redundant (multiple) point-to-point connections between two sites for automatic failover and/or load balancing, where each connection has its own circuit at each site.
Following is an illustration. Say two sites have two redundant point-to-point connections to each other. One site has a dedicated point-to-point T1 circuit to the other site plus a DSL connection. The other site has the far end of the T1 plus a Cable Internet connection. Between the DSL on one site and the Cable Internet on the other, an IPSec VPN tunnel connects the two sites as the alternate path to the T1.
With such automatic failover and/or load balancing in mind, the following setups are possible as well:
• Redundant connections between the two hubs in a Partial Mesh network
• Redundant connections between one hub and one spoke
When there are redundant connections, there are multiple paths between two sites. Note that Full Mesh and Partial Mesh networks also have multiple paths between two sites. For such multiple paths, dynamic IP routing should be deployed so that the best path is chosen and failover is automatic. In addition, per-packet or per-destination load balancing could be considered. With a plain hub and spoke setup, static routing should be sufficient.
Starting to Design the Network
When you start designing the network, several aspects come into play:
• Circuit choice
• IP addresses or subnets to use
• Routing protocol to provide the connection
Typical network designs for site-to-site connection, from the circuit choice perspective, are:
• Dedicated circuit between sites; private point-to-point, Frame Relay, or MPLS
• Dedicated circuit between sites as the primary connection and an IPSec VPN tunnel between sites as the alternate connection
• IPSec VPN tunnel between sites
For small organizations, it is probably preferable to have a full-mesh site-to-site VPN over a broadband connection (DSL or Cable Internet) at each location. For simplicity, it is suggested to use the same ISP for the broadband connection at all sites. As an illustration, all sites could use a Cisco ASA 5505 with a 3 Mbps Cable Internet connection to build the full-mesh site-to-site VPN.
When you choose a partial mesh or hub and spoke setup (either circuit or VPN), make sure the hub has enough bandwidth and a powerful enough network device to handle the aggregate throughput from the other sites. As an illustration, the hub could use a Cisco 3825 router with a DS-3 circuit while the spokes use Cisco 1841 routers with 1.5 Mbps DSL connections for a hub-and-spoke site-to-site VPN.
Note: For more info on Cisco equipment performance, check out the following FAQ »Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)
Following is an illustration. Say you decide on the second choice: dedicated circuits between sites as the primary connection and an IPSec VPN tunnel over the Internet as the alternate. To start designing the network, ask yourself these questions and go from there:
• Do you need dedicated equipment for the Internet gateway and separate equipment for the private site-to-site connection?
• Which routing protocol is suitable to make the dedicated circuit the primary connection and the IPSec VPN tunnel the alternate?
• Is there any possibility of site-to-site traffic crossing the Internet outside the IPSec VPN tunnel (for example during a failover) and how is that prevented?
• Which IP addresses or subnets to use, private or public?
• Will there be NAT/PAT in place?
• How much budget is there to cover everything (equipment, circuits, infrastructure, etc.)?
• How much connection downtime can you tolerate?
• How much data throughput travels across each connection?
• How long will it take to test the new network setup?
• How soon do you need the network "live"?
The next sections cover other important aspects.
Network Device Choice
When the organization chooses dedicated circuits for private site-to-site connections, the network device is usually a router or Layer-3 switch whose WAN port matches the circuit specification.
Say the circuit is Frame Relay and the organization selects Cisco routers at all sites. You would use the router's WAN port to connect to the Frame Relay circuit. This WAN port would be something like a WIC-1DSU-T1 (or the E1 equivalent) with an internal CSU/DSU, or a WIC-1T serial card with an external CSU/DSU.
If the circuit is Gigabit Ethernet, for example, the network device could be a router or a Layer-3 switch. In the Cisco world, the router could be something like a 2821 and the Layer-3 switch something like a Catalyst 3750.
When a VPN is selected to provide the private site-to-site connection, there are also multiple network device alternatives: router, Layer-3 switch, firewall, and VPN concentrator. For small businesses, the typical choices are a firewall or a router. In the Cisco world, the firewall is the ASA 5500 series and the router is the 800 series or higher.
Whichever network device is chosen, it is suggested to use the same brand for all of them. If you decide on Cisco equipment, say, then all sites should use Cisco as the peer. In theory, multi-vendor equipment interoperates. In practice, there are sometimes unexpected behaviors when establishing connections between different vendors' equipment (IPSec proposal mismatches and differing defaults are the usual culprits). With single-vendor equipment, network behavior is more predictable and controllable, which leads to a more stable network.
Another benefit of same-vendor equipment throughout the organization is simpler network administration. Network administrators need only master a single brand, and you do not have to deal with multiple vendors for technical or customer support. You might even receive volume discounts when buying many devices from a single vendor.
Note: To guide you in choosing the proper Cisco equipment, check out the following FAQ »Cisco Forum FAQ »Which Cisco router, switch, VPN, firewall, or else is right for my situation?
Internal and External Connections
All site interconnections, such as file transfers between sites, are considered internal connections. An external connection is a connection to the outside world, such as to a server on the Internet or at an external site, or plain Internet browsing.
For internal connections, the traffic should take the private connection. For external connections, there are several choices. One is to go directly out from the site to the external destination. Another is to go through another internal site before going out to the external destination.
Consider the following situation. A remote office needs the latest Microsoft Windows patches. There are several ways to retrieve them. One is to go directly out to the Internet, reach the Microsoft sites, and download the patches. Another is to go to the central office, where a server provides the approved patches.
For small organizations, the preferred way is usually for the remote office to go directly out to the Internet to retrieve patches. However some situations require the remote office to fetch patches from the central office's server.
In that second situation, the remote office's network device would be configured to direct patch traffic to the central office's server, and to block any attempt from the remote office to reach the Internet directly for patches. This is considered more secure, since the traffic is more controllable and only vetted patches reach the remote office.
Remote Site and Internet Access
As previously mentioned, some situations require a remote office to go through the central office before reaching external sites. Plain Internet browsing, however, does not necessarily require central office access; the remote office could just go out to the Internet directly.
The upside of direct Internet access, bypassing the central office, is that the central office bandwidth is not bogged down by the remote office's Internet traffic. The central office bandwidth is then conserved for strictly internal access such as file sharing.
The downside is that the central office has little or no control over the remote office's Internet activity. Without such control, there is a security risk or improper use of Internet access, such as downloading illegal software or picking up a virus or worm, without the central office's knowledge. Therefore in larger organizations, all traffic from remote offices, including Internet access, must go through the central office for traffic management and policy enforcement at all sites. From a network security and management perspective, traffic policing at all sites might be considered necessary even though it adds administrative burden.
Keep in mind that it is possible to have the same level of control over the remote office's Internet activity as at the central office even when the remote office has its own local Internet connection. With this setup, the organization has to control multiple Internet connections spread across multiple sites (central and remote). Any control in place at the central office must be in place at the remote offices as well. This is also common practice in larger organizations. Note that this kind of remote office control might mean additional investment at each remote office to duplicate what the central office has.
Whichever setup is preferred, the network administrator should weigh the trade-offs between the two. For small businesses, direct Internet access from remote offices could be the preferred choice. When the organization is more concerned with network security, it might consider the second choice.
IPSec VPN and Internet (External Connection) Access
Say an organization permits its remote offices to go out to the Internet directly without going through the central office. Typically there are two separate connections at the remote office: one serving internal access and another serving Internet access.
Specifically for organizations that use IPSec VPN connections for site inter-communication, there should be some form of split tunneling that keeps Internet access and internal access on separate paths. For Internet access, PAT (Port Address Translation) is typically used to bridge the private subnet of the internal network (LAN) and the Internet. With PAT, LAN traffic using the most common IP protocols, TCP and UDP (and ICMP, by query identifier), is translated to the public IP address.
Now review the IPSec VPN tunnel requirements. IPSec uses IP protocol 50 (ESP) or 51 (AH) for the tunnel traffic, and IKE on UDP port 500 to negotiate it. Unlike TCP and UDP, ESP and AH have no port numbers, so in theory they cannot be PAT-ed: the translator has nothing but the source address to rewrite and can map only one inside peer per public address. In practice, most IPSec implementations support NAT-Traversal (NAT-T, RFC 3947/3948), which detects the NAT during IKE and encapsulates ESP in UDP port 4500 so it can be PAT-ed like any other UDP flow. AH cannot be helped this way, since it authenticates the IP header that NAT rewrites.
Should the organization permit remote offices to go out to the Internet directly, and deploy VPN tunnels for internal access with the VPN peer sitting behind the PAT device, then each site should have at least two public IP addresses. One serves Internet access (PAT-ed as many times as needed) and the other is reserved for the VPN peer at the other sites (or for any other IP protocol that cannot be PAT-ed). When the same gateway performs PAT for the LAN and terminates the tunnel on its own outside address, a single public IP address is enough, since the ESP traffic is sourced by the gateway itself and is never translated.
For small businesses, it is probably preferable to have both public IP addresses at each site assigned to the same gateway (or peer) device, so that the traffic rides over the same circuit. For medium or large businesses with a large number of sites, each public IP address could reside on a different network device and ride over a different circuit.
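The following added example (written for this FAQ, not code from the original page or from any vendor) models a minimal one-address PAT gateway to show the point above: TCP and UDP flows from two inside hosts get distinct public ports, a second inside host sending bare ESP cannot be mapped at all, and the same ESP wrapped in UDP/4500 as NAT-T does passes like any UDP flow. The packets are small dictionaries constructed inline; the addresses are from the RFC 1918 and documentation ranges and are placeholders.

```python
"""Why PAT handles TCP/UDP but not bare ESP/AH, and how NAT-T (UDP/4500) gets around it.

Added example for this FAQ (not from the original page). Packets are dicts
constructed here; 192.168.1.0/24, 203.0.113.10 and 198.51.100.x are placeholders.
"""
ESP, AH, TCP, UDP = 50, 51, 6, 17
NAT_T_PORT = 4500  # UDP port used by IPsec NAT-Traversal (RFC 3948)


class PatGateway:
    """Single public address; TCP/UDP flows keyed on (proto, inside ip, inside port)."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}     # (proto, inside_ip, inside_port) -> public source port
        self.portless = {}  # proto -> the one inside host allowed to use it

    def outbound(self, pkt):
        proto = pkt["proto"]
        if proto in (TCP, UDP):
            key = (proto, pkt["src"], pkt["sport"])
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return dict(pkt, src=self.public_ip, sport=self.table[key])
        # ESP/AH carry no port, so only the source address can be rewritten:
        # one inside host can own the public address for that protocol.
        owner = self.portless.setdefault(proto, pkt["src"])
        if owner != pkt["src"]:
            raise ValueError(f"proto {proto}: {self.public_ip} already mapped to {owner}")
        return dict(pkt, src=self.public_ip)


def nat_t_encapsulate(esp_pkt):
    """RFC 3948 UDP encapsulation: the ESP packet becomes the payload of UDP/4500."""
    return {"proto": UDP, "src": esp_pkt["src"], "dst": esp_pkt["dst"],
            "sport": NAT_T_PORT, "dport": NAT_T_PORT, "payload": esp_pkt}


def demo():
    """Two inside hosts behind one public address; returns what the gateway did."""
    gw = PatGateway("203.0.113.10")
    results = {}

    tcp_a = {"proto": TCP, "src": "192.168.1.10", "dst": "198.51.100.5", "sport": 40000, "dport": 443}
    tcp_b = {"proto": TCP, "src": "192.168.1.11", "dst": "198.51.100.5", "sport": 40000, "dport": 443}
    results["tcp_public_ports"] = [gw.outbound(tcp_a)["sport"], gw.outbound(tcp_b)["sport"]]

    esp_a = {"proto": ESP, "src": "192.168.1.10", "dst": "198.51.100.20", "spi": 0x1001}
    esp_b = {"proto": ESP, "src": "192.168.1.11", "dst": "198.51.100.20", "spi": 0x1002}
    gw.outbound(esp_a)                      # first ESP peer takes the public address
    try:
        gw.outbound(esp_b)                  # second ESP peer has nowhere to go
        results["second_esp_peer"] = "translated"
    except ValueError:
        results["second_esp_peer"] = "rejected"

    # Same two peers with NAT-T: ESP inside UDP/4500 gets its own port mapping each.
    results["nat_t_public_ports"] = [gw.outbound(nat_t_encapsulate(p))["sport"]
                                     for p in (esp_a, esp_b)]
    return results


if __name__ == "__main__":
    print(demo())
```

The gateway here is deliberately the simplest possible PAT; real implementations add IKE-aware helpers and ESP "pass-through" that track the SPI, but those still cannot multiplex two inside peers to one outside peer reliably, which is why NAT-T or a second public address is the practitioner's answer.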
Name Resolution
For sharing files between sites, the organization might use a DNS server to resolve names to IP addresses. When the organization runs a Microsoft network, there might also be a WINS server in addition to the DNS server.
Say the organization permits a remote office to go out to the Internet directly without going through the central office. The preferred way is for the remote office to use the local ISP's DNS server to reach Internet sites and the internal DNS server to reach internal servers. The unwanted setup is for the remote office to use the central office's internal DNS server for Internet names, since that bogs down the central office's bandwidth.
There are two ways to set up the DNS/WINS servers at remote offices to get the preferred behavior. One is to set up a local DNS/WINS server at each remote site. With this setup, all traffic (internal or external) from the remote office uses the local DNS/WINS server, which forwards internal names to the central office's DNS/WINS servers and external names to the ISP DNS server. External traffic from the remote office never goes through the central office. The downside is that this setup is probably cost prohibitive, not to mention an administrative burden.
The other way is to assign multiple DNS/WINS addresses to the remote site hosts: both the central office's DNS/WINS servers and the remote site's local ISP DNS addresses. In addition, there might be a need for traffic filtering on the remote office's network device so that name resolution for internal names goes only to the central office's DNS/WINS servers, and name resolution for external names goes only to the local ISP DNS servers. Note that hosts do not pick a resolver by name; they try the listed servers in order, so without such filtering or a split-DNS setup, internal names may leak to the ISP resolver and external lookups may still reach the central office. With this setup there is no need to deploy DNS/WINS servers at each remote site, while still avoiding the central office bandwidth being bogged down by the remote office's external traffic.
Real Network Illustration
Check out the following threads for illustration
»IPsec help 1811 »[HELP] BGP Failover to IPSEC »How to Loadshare between a E1 LInka nd Ebgp(MPLS) Link
Deployment Process
Check out the following FAQ for following topics in network design
1. Between Hub and Spoke, Full Mesh, and Partially Mesh
»Cisco Forum FAQ »Tips in Designing Network on Hub-and-Spoke, Full-Mesh, or Partially-Mesh setup
2. IPSec VPN
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels »Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall »Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations
by aryoba  last modified: 2009-06-23 09:20:48
Suggested prerequisite reading »Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
CCNA level Cisco Commands and Descriptions
Following is a list of commands applicable to most IOS-based equipment such as routers and switches. Check out the following links for the full command references.
IOS Commands 12.4 version on Routers
IOS and Catalyst OS Commands on 6500 series Switches
IOS Commands 12.2 version on 4500 series Switches
IOS Commands 12.2 version on 3560 series Switches
ASA and PIX Firewall OS Commands 6.2 version and above
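Several of the commands in the list below (enable secret, enable password, access-class, exec-timeout, cdp run, service password-encryption, transport input) decide how exposed a router's management plane is. The following added example (written for this FAQ, not from the original page or from Cisco) parses an IOS-style running configuration and flags the weak settings, then shows the hardened configuration passing clean. Both configuration texts are constructed here; the hostname, addresses, ACL name and the enable secret hash are placeholders.

```python
"""Audit an IOS-style running-config for weak management-plane settings.

Added example for this FAQ (not from the original page). Both config texts are
constructed here; hostname, addresses, ACL name and the secret hash are placeholders.
"""

WEAK_CONFIG = """\
hostname branch-rtr
enable password cisco123
no service password-encryption
cdp run
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password telnet123
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname branch-rtr
service password-encryption
enable secret 5 $1$placeholder$hashgoeshere
no cdp run
!
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 transport input ssh
 login local
"""


def parse_sections(text):
    """Split a config into global commands and indented blocks keyed by their header line."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks[current] = []
            global_lines.append(line)
    return global_lines, blocks


def audit(text):
    """Return a list of findings; an empty list means none of these checks fired."""
    global_lines, blocks = parse_sections(text)
    g = set(global_lines)
    findings = []
    if not any(l.startswith("enable secret") for l in g):
        findings.append("no 'enable secret': privileged-mode password is not stored as a hash")
    if any(l.startswith("enable password") for l in g):
        findings.append("'enable password' present: clear text or reversible type 7; use enable secret")
    if "service password-encryption" not in g:
        findings.append("'service password-encryption' off: line passwords stored in clear text")
    if "no cdp run" not in g:
        findings.append("CDP running (default): disable on the ISP-facing interface or with 'no cdp run'")
    for header, body in blocks.items():
        if not header.startswith("line "):
            continue
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: 'exec-timeout 0 0' never expires idle sessions")
        if header.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no 'access-class', VTY reachable from any source")
            if any(l.startswith("transport input") and "telnet" in l for l in body):
                findings.append(f"{header}: Telnet allowed, credentials cross the network in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Feed it the output of show running-config to get the same report for a real device; the checks are string matches on the exact command forms IOS prints, so abbreviated forms typed at the CLI (such as "exec-t") never appear in the saved configuration and need no special handling.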
? Gives you a help screen
0.0.0.0 255.255.255.255 Address and wildcard mask in an access list that match any address; same as the any keyword
access-class Applies a standard IP access list to a VTY line
access-list Creates a list of tests (an access control list) used to filter traffic or routes
any Specifies any host or any network; same as the 0.0.0.0 255.255.255.255 command
Backspace Deletes a single character
bandwidth Sets the bandwidth on a serial interface
banner Creates a banner for users who log into the router
cdp enable Turns on CDP on an individual interface
cdp holdtime Changes the holdtime of CDP packets
cdp run Turns on CDP globally on a router (on by default); no cdp run disables it, and no cdp enable disables it per interface, which is advisable on interfaces facing an ISP or untrusted network
cdp timer Changes the CDP update timer
clear counters Clears the statistics from an interface
clear line Clears a connection connected via Telnet to your router
clear mac-address-table Clears the filter table created dynamically by the switch
clock rate Provides clocking on a serial DCE interface
config memory Copies the startup-config to running-config
config network Copies a configuration stored on a TFTP host to running-config
config terminal Puts you in global configuration mode and changes the running-config
config-register Tells the router how to boot and to change the configuration register setting
copy flash tftp Copies a file from flash memory to a TFTP host
copy run start Short for copy running-config startup-config; places a configuration into NVRAM
copy run tftp Copies the running-config file to a TFTP host
copy tftp flash Copies a file from a TFTP host to flash memory
copy tftp run Copies a configuration from a TFTP host to the running-config file
Ctrl+A Moves your cursor to the beginning of the line
Ctrl+D Deletes a single character
Ctrl+E Moves your cursor to the end of the line
Ctrl+F Moves forward one character
Ctrl+R Redisplays a line
Ctrl+Shift+6, then X (keyboard combination) Returns you to the originating router when you telnet to numerous routers
Ctrl+U Erases a line
Ctrl+W Erases a word
Ctrl+Z Ends configuration mode and returns to EXEC
debug dialer Shows you the call setup and teardown procedures
debug frame-relay lmi Shows the lmi exchanges between the router and the Frame Relay switch
debug ip igrp events Provides a summary of the IGRP routing information running on the network
debug ip igrp transactions Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router to that neighbor router
debug ip rip Sends console messages displaying information about RIP packets being sent and received on a router interface
debug ipx Shows the RIP and SAP information as it passes through the router
debug isdn q921 Shows layer-2 processes
debug isdn q931 Shows layer-3 processes
delete nvram Deletes the contents of NVRAM on a 1900 switch
delete vtp Deletes VTP configurations from a switch
description Sets a description on an interface
dialer idle-timeout number Tells the BRI line when to drop if no interesting traffic is found
dialer list number protocol protocol permit/deny Specifies interesting traffic for a DDR link
dialer load-threshold number inbound/outbound/either Sets the parameters that describe when the second BRI comes up on an ISDN link
dialer map protocol address name hostname number Used instead of a dialer string to provide more security in an ISDN network
dialer string Sets the phone number to dial for a BRI interface
disable Takes you from privileged mode back to user mode
disconnect Disconnects a connection to a remote router from the originating router
duplex Sets the duplex of an interface
enable Puts you into privileged mode
enable password Sets the enable password, stored in clear text (or as reversible type 7 when service password-encryption is on); ignored once enable secret is set
enable password level 1 Sets the user mode password
enable password level 15 Sets the enable mode password
enable secret Sets the enable secret password, stored as a one-way hash (type 5, MD5; newer IOS releases also offer stronger types); supersedes enable password if both are set
encapsulation Sets the frame type used on an interface
encapsulation frame-relay Changes the encapsulation to Frame Relay on a serial link
encapsulation frame-relay ietf Sets the encapsulation type to the Internet Engineering Task Force (IETF); connects Cisco routers to off-brand routers
encapsulation hdlc Restores the default encapsulation of HDLC on a serial link
encapsulation isl Sets ISL trunking encapsulation on a subinterface for VLAN routing
encapsulation ppp Changes the encapsulation on a serial link to PPP
erase startup Deletes the startup-config
erase startup-config Deletes the contents of NVRAM on a router
Esc+B Moves back one word
Esc+F Moves forward one word
exec-timeout Sets the idle timeout in minutes and seconds for a console, aux, or VTY line; exec-timeout 0 0 disables the timeout, leaving idle sessions open indefinitely
exit Disconnects a connection to a remote router via Telnet
frame-relay interface-dlci Configures the PVC address on a serial interface or subinterface
frame-relay lmi-type Configures the LMI type on a serial link
frame-relay map protocol address Creates a static mapping for use with a Frame Relay network
host Specifies a single host address in an access list (same as a 0.0.0.0 wildcard mask)
hostname Sets the name of a router or a switch
int e0.10 Creates a subinterface
int f0/0.1 Creates a subinterface
interface Puts you in interface configuration mode; also used with show commands
interface e0/5 Configures Ethernet interface
interface ethernet 0/1 Configures interface e0/1
interface f0/26 Configures Fast Ethernet interface 26
interface fastethernet 0/0 Puts you in interface configuration mode for a Fast Ethernet port; also used with show commands
interface fastethernet 0/0.1 Creates a subinterface
interface fastethernet 0/26 Configures interface f0/26
interface s0.16 multipoint Creates a multipoint subinterface on a serial link that can be used with Frame Relay networks
interface s0.16 point-to-point Creates a point-to-point subinterface on a serial link that can be used with Frame Relay
interface serial 5 Puts you in configuration mode for interface serial 5 and can be used for show commands
ip access-group Applies an IP access list to an interface
ip address Sets an IP address on an interface or a switch
ip classless A global configuration command used to tell a router to forward packets to a default route when the destination network is not in the routing table
ip default-gateway Sets the default gateway of the switch
ip domain-lookup Turns on DNS lookup (which is on by default)
ip domain-name Appends a domain name to a DNS lookup
ip host Creates a host table on a router
ip name-server Sets the IP address of up to six DNS servers
ip route Creates static and default routes on a router
ipx access-group Applies an IPX access list to an interface
ipx input-sap-filter Applies an inbound IPX SAP filter to an interface
ipx network Assigns an IPX network number to an interface
ipx output-sap-filter Applies an outbound IPX SAP filter to an interface
ipx ping Packet Internet Groper (ping) used to test IPX packet delivery across an internetwork
ipx routing Turns on IPX routing
isdn spid1 Sets the number that identifies the first DS0 to the ISDN switch
isdn spid2 Sets the number that identifies the second DS0 to the ISDN switch
isdn switch-type Sets the type of ISDN switch that the router will communicate with; can be set at interface level or global configuration mode
K Used at the startup of the 1900 switch and puts the switch into CLI mode
line Puts you in configuration mode to change or set your user mode passwords
line aux Puts you in the auxiliary interface configuration mode
line console 0 Puts you in console configuration mode
line vty Puts you in VTY (Telnet) interface configuration mode
logging synchronous Stops console messages from overwriting your command-line input
logout Logs you out of your console session
mac-address-table permanent Makes a permanent MAC address entry in the filter database
mac-address-table restricted static Sets a restricted address in the MAC filter database to allow only the configured interfaces to communicate with the restricted address
media-type Sets the hardware media type on an interface
network Tells the routing protocol what network to advertise
no cdp enable Turns off CDP on an individual interface
no cdp run Turns off CDP completely on a router
no inverse-arp Turns off the dynamic IARP used with Frame Relay; static mappings must be configured
no ip domain-lookup Turns off DNS lookup
no ip host Removes a hostname from a host table
no ip route Removes a static or default route
no shutdown Turns on an interface
o/r 0x2142 Changes a 2501 to boot without using the contents of NVRAM
ping Tests IP connectivity to a remote device
port secure max-mac-count Allows only the configured amount of devices to attach and work on an interface
ppp authentication chap Tells PPP to use CHAP authentication
ppp authentication pap Tells PPP to use PAP authentication
router igrp as Turns on IP IGRP routing on a router
router rip Puts you in router rip configuration mode
secondary Adds a second IPX network on the same physical interface
service password-encryption Encrypts the user mode and enable passwords
show access-list Shows all the access lists configured on the router
show access-list 110 Shows only access list 110
show cdp Displays the CDP timer and holdtime frequencies
show cdp entry * Same as show cdp neighbor detail, but does not work on a 1900 switch
show cdp interface Shows the individual interfaces enabled with CDP
show cdp neighbor Shows the directly connected neighbors and the details about them
show cdp neighbor detail Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command
show cdp traffic Shows the CDP packets sent and received on a device and any errors
show controllers s 0 Shows the DTE or DCE status of an interface
show dialer Shows the number of times the dialer string has been reached, the idle-timeout values of each B channel, the length of call, and the name of the router to which the interface is connected
show flash Shows the files in flash memory
show frame-relay lmi Shows the LMI type on a serial interface
show frame-relay map Shows the static and dynamic Network layer-to-PVC mappings
show frame-relay pvc Shows the configured PVCs and DLCI numbers configured on a router
show history Shows you the last 10 commands entered by default
show hosts Shows the contents of the host table
show int f0/26 Shows the statistics of f0/26
show inter e0/1 Shows the statistics of interface e0/1
show interface s0 Shows the statistics of interface serial 0
show ip Shows the IP configuration of the switch
show ip access-list Shows only the IP access lists
show ip interface Shows which interfaces have IP access lists applied
show ip protocols Shows the routing protocols and timers associated with each routing protocol configured on a router
show ip route Displays the IP routing table
show ipx access-list Shows the IPX access lists configured on a router
show ipx interface Shows the RIP and SAP information being sent and received on an individual interface; also shows the IPX address of the interface
show ipx route Shows the IPX routing table
show ipx servers Shows the SAP table on a Cisco router
show ipx traffic Shows the RIP and SAP information sent and received on a Cisco router
show isdn active Shows the number called and whether a call is in progress
show isdn status Shows if your SPIDs are valid and if you are connected and communicating with the provider's switch
show mac-address-table Shows the filter table created dynamically by the switch
show protocols Shows the routed protocols and network addresses configured on each interface
show run Short for show running-config; shows the configuration currently running on the router
show sessions Shows your connections via Telnet to remote devices
show snmp Gives you the router's serial number as the "chassis" output
show start Short for show startup-config; shows the backup configuration stored in NVRAM
show terminal Shows you your configured history size
show trunk A Shows the trunking status of port 26
show trunk B Shows the trunking status of port 27
show version Gives the IOS information of the switch, as well as the uptime and base Ethernet address
show vlan Shows all configured VLANs
show vlan-membership Shows all port VLAN assignments
show vtp Shows the VTP configuration of a switch
shutdown Puts an interface in administratively down mode
Tab Finishes typing a command for you
telnet Connects, views, and runs programs on a remote device
terminal history size Changes your history size from the default of 10 up to 256
trace Tests a connection to a remote device and shows the path it took through the internetwork to find the remote device
traffic-share balanced Tells the IGRP routing protocol to share links inversely proportional to the metrics
traffic-share min Tells the IGRP routing process to use routes that have only minimum costs
trunk auto Sets the port to auto trunking mode
trunk on Sets a port to permanent trunking mode
username name password password Creates usernames and passwords for authentication on a Cisco router
variance Controls the load balancing between the best metric and the worst acceptable metric
vlan 2 name Sales Creates a VLAN 2 named Sales
vlan-membership static 2 Assigns a static VLAN to a port
vtp client Sets the switch to be a VTP client
vtp domain Sets the domain name for the VTP configuration
vtp password Sets a password on the VTP domain
vtp pruning enable Makes the switch a pruning switch
vtp server Sets the switch to be a VTP server
by flw, edited by aryoba; last modified: 2008-09-19 14:17:54
by nozero, edited by aryoba; last modified: 2009-04-01 11:46:28

Suggested prerequisite reading: »Cisco Forum FAQ »Quick and Easy Subnetting on Routing, Switching and Network Design Relationship
Let's say we have the following network (hosts are servers, workstations and printers):

                            Internet
                               |
                            Router 4
                               |
                             Switch   (Between Routers network)
           +-------------------+--------------------+
           |                   |                    |
        Router 1            Router 2             Router 3
       /   |   \               |                  /    \
     1st   2nd   3rd         Switch             4th     5th
  network network network (Server Farm)      network  network
     |      |      |       |    |    |          |        |
   hosts  hosts  hosts   Server Server Server  hosts    hosts
Let's say that every network within the organization is a broadcast network. Within a broadcast network, hosts communicate with each other through a Layer 2 mechanism (switching). To interconnect hosts in one network with hosts in another network (or with the Internet), a Layer 3 mechanism (routing) is needed.
With routing in place, each network has a gateway. Hosts within a network are considered "dumb devices" with no knowledge of routing; they only have Layer 2 (switching) capability to communicate with other hosts in the same network, and rely on the gateway to handle routing. This is why the organization needs routers: they provide the routing that gives the networks inter-communication and access to the Internet.
Choosing Gateway for specific network
When configuring a host's network settings, you may wonder which device or IP address to use as the network gateway. Referring to the organization's network design, the gateways for each network are as follows.
1st network gateway    : Router 1
2nd network gateway    : Router 1
3rd network gateway    : Router 1
Server farm gateway    : Router 2
4th network gateway    : Router 3
5th network gateway    : Router 3
Router 1, 2, 3 gateway : Router 4
Router 4 gateway       : ISP device
You may wonder what considerations are used to choose a specific device as the gateway of a specific network. The following questions may arise.
* Can we use Router 4 as the 1st network gateway?
* Can we use Router 3 as the 2nd network gateway?
* How about using the ISP device as the Server Farm gateway?
Earlier, we decided to have independent networks within the organization. Independent networks means that the organization is segmented into multiple smaller networks, each with its own dedicated subnet, with routing to interconnect them and to provide Internet access. The smaller networks are the 1st to 5th networks, the Server Farm, and the Between Routers network.
Let's look at the 1st network. Note that the hosts within this network are "dumb devices" (i.e. servers, workstations, printers). As mentioned, these devices use switching to communicate with each other.
To communicate with hosts on a different network or on the Internet, the 1st network hosts rely on a gateway, which does the routing. Since the 1st network hosts are only capable of Layer 2 communication, the gateway must be capable of Layer 2 communication as well, in addition to routing.
Keep in mind that Layer 2 communication only takes place within the 1st broadcast network. Therefore the 1st network gateway must be within the same broadcast network as the other 1st network hosts in order to communicate with them at Layer 2. Once traffic leaves the 1st network for another network, or arrives from another network (inbound), the gateway routes it between the one network and the others.
Referring to the network design, Router 1 is within the same broadcast network as the 1st network hosts. Therefore Router 1 is the logical choice as the 1st network gateway. The same reasoning applies to the 2nd to 5th networks.
Choosing Gateway for the Between Routers network
Now let's review the Between Routers network. This network is also a broadcast network. Its hosts are Router 1 to Router 4.
Since they are all routers, they are all able to perform routing. Which router should be chosen as the gateway, then?
Note that the gateway concept exists to provide a last resort for reaching unknown or undefined networks. The objective of the organization's routing design is to provide connectivity among hosts (dumb devices) within the organization, and between those hosts and the Internet.
Notice that the 1st to 3rd networks are behind Router 1, the Server Farm network is behind Router 2, and the 4th and 5th networks are behind Router 3. The Internet (ISP) is in front of Router 4.
Let's look at Router 1. From Router 1's perspective, it uses Router 2 to reach the Server Farm, Router 3 to reach the 4th and 5th networks, and Router 4 to reach the Internet.
The same perspective applies at Router 2: it uses Router 1 to reach the 1st to 3rd networks, Router 3 to reach the 4th and 5th networks, and Router 4 to reach the Internet.
Within the organization, the defined or known networks are the 1st to 5th networks and the Server Farm. From the organization's perspective, the Internet is an undefined or "miscellaneous" network. Therefore, to reach the Internet, the Between Routers network uses Router 4 as its gateway.
Choosing Gateway for the Internet
The same concept that applies to the Between Routers network applies to the Internet network. From Router 4's perspective, the Internet is in front of the ISP device. From the ISP's perspective, the entire organization is behind Router 4.
For the entire organization to reach the Internet, Router 4 uses the ISP device as its gateway. Similarly, the ISP device uses Router 4 to reach the entire organization.
Choosing the Gateway IP Address
Let's say that the entire network uses the 192.168.0.0/24 subnet, and the ISP assigns a specific subnet to provide the organization with Internet connectivity.
Let's say the subnet assignments are as follows:
1st network: 192.168.0.0/27  (192.168.0.1 - 192.168.0.30)
2nd network: 192.168.0.32/27 (192.168.0.33 - 192.168.0.62)
3rd network: 192.168.0.64/28 (192.168.0.65 - 192.168.0.78)
4th network: 192.168.0.80/29 (192.168.0.81 - 192.168.0.86)
5th network: 192.168.0.88/29 (192.168.0.89 - 192.168.0.94)
Server Farm: 192.168.0.96/28 (192.168.0.97 - 192.168.0.110)
Between Routers Subnet: 192.168.0.248/29
Router 4 - ISP Device Subnet: 213.43.84.0/30
Within the organization, you as the network designer have full freedom to decide which IP addresses are for hosts and which are for gateways. Let's say you choose the following as the "dumb device" network gateways:
1st network: 192.168.0.1
2nd network: 192.168.0.33
3rd network: 192.168.0.65
4th network: 192.168.0.81
5th network: 192.168.0.89
Server Farm: 192.168.0.97
Let's say that Router 1 to Router 3 each have four independent interfaces, while Router 4 has two. These interfaces handle the routing for each network and also serve as the gateway for that network.
The interface IP address assignments are as follows:
Router 1
1st interface: 192.168.0.1
2nd interface: 192.168.0.33
3rd interface: 192.168.0.65
4th interface: 192.168.0.249
Router 2
1st interface: 192.168.0.97
2nd interface: 192.168.0.250
Router 3
1st interface: 192.168.0.81
2nd interface: 192.168.0.89
3rd interface: 192.168.0.251
Router 4
1st interface: 192.168.0.252
Let's say the ISP decides to use 213.43.84.1 for the device that provides the direct connection to the organization. Therefore you have the following IP address assignment:
Router 4
2nd interface: 213.43.84.2
With these IP address assignments, the gateways for each network are as follows:
Host network
1st network: 192.168.0.1  (Router 1)
2nd network: 192.168.0.33 (Router 1)
3rd network: 192.168.0.65 (Router 1)
4th network: 192.168.0.81 (Router 3)
5th network: 192.168.0.89 (Router 3)
Server Farm: 192.168.0.97 (Router 2)
Between Routers network
192.168.0.0/26 : 192.168.0.249 (Router 1)
192.168.0.64/28: 192.168.0.249 (Router 1)
192.168.0.80/28: 192.168.0.251 (Router 3)
192.168.0.96/28: 192.168.0.250 (Router 2)
The Internet   : 192.168.0.252 (Router 4)
Router 4 - ISP Device
The Internet  : 213.43.84.1 (ISP Device)
192.168.0.0/24: 213.43.84.2 (Router 4)
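As an added example that is not part of the original FAQ, the following Cisco IOS configuration turns the address plan above into interfaces and static routes for Router 1 and Router 4. The interface names (FastEthernet0/0 to 0/3) are an assumption; the FAQ only says how many interfaces each router has. No routing protocol is used, so each router needs one static route per network it does not connect directly, plus a default route toward the gateway of its own Between Routers network. The next hops are exactly the gateway addresses listed in the "Between Routers network" and "Router 4 - ISP Device" tables above.

```cisco
! ===== Router 1 (added example; interface names are assumed) =====
hostname Router1
!
interface FastEthernet0/0
 description 1st network - gateway for 192.168.0.0/27
 ip address 192.168.0.1 255.255.255.224
 no shutdown
!
interface FastEthernet0/1
 description 2nd network - gateway for 192.168.0.32/27
 ip address 192.168.0.33 255.255.255.224
 no shutdown
!
interface FastEthernet0/2
 description 3rd network - gateway for 192.168.0.64/28
 ip address 192.168.0.65 255.255.255.240
 no shutdown
!
interface FastEthernet0/3
 description Between Routers network 192.168.0.248/29
 ip address 192.168.0.249 255.255.255.248
 no shutdown
!
! Server Farm (192.168.0.96/28) lives behind Router 2
ip route 192.168.0.96 255.255.255.240 192.168.0.250
! 4th and 5th networks (192.168.0.80/29 and .88/29, summarized as /28) live behind Router 3
ip route 192.168.0.80 255.255.255.240 192.168.0.251
! Everything else (the Internet) goes to Router 4
ip route 0.0.0.0 0.0.0.0 192.168.0.252
!
! ===== Router 4 (added example; interface names are assumed) =====
hostname Router4
!
interface FastEthernet0/0
 description Between Routers network 192.168.0.248/29
 ip address 192.168.0.252 255.255.255.248
 no shutdown
!
interface FastEthernet0/1
 description Link to ISP device 213.43.84.1
 ip address 213.43.84.2 255.255.255.252
 no shutdown
!
! 1st and 2nd networks (two /27s, summarized as 192.168.0.0/26) and the 3rd network via Router 1
ip route 192.168.0.0 255.255.255.192 192.168.0.249
ip route 192.168.0.64 255.255.255.240 192.168.0.249
! 4th and 5th networks via Router 3
ip route 192.168.0.80 255.255.255.240 192.168.0.251
! Server Farm via Router 2
ip route 192.168.0.96 255.255.255.240 192.168.0.250
! The Internet via the ISP device
ip route 0.0.0.0 0.0.0.0 213.43.84.1
```

Each static route on Router 4 corresponds to one line of the Between Routers gateway table, and the single default route on Router 1 is what makes Router 4 its "gateway" in the sense used in the design. After applying the configuration, show ip route on Router 1 should list the three connected /27 and /28 networks, the two static routes, and "Gateway of last resort is 192.168.0.252 to network 0.0.0.0". One caveat: 192.168.0.0/24 is private (RFC 1918) space, so the ISP-side route toward 213.43.84.2 only makes sense on a private link; for real Internet access Router 4 would also need to translate (NAT) the internal addresses to a public one.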
by aryoba; last modified: 2007-05-11 15:33:51

A: Let's first start by defining what a Gateway is. In general, a Gateway in an IP network is the IP address of a network device that separates multiple broadcast domains, or that acts as the border between them.
When you talk about multiple broadcast domains and how traffic passes between them, you are talking about routing functionality. Typically the device that separates broadcast domains is a router, since routing is what a router does by nature. In reality, however, the device could be a Layer-3 switch, a firewall, or any device that understands Layer-3 routing.
Now let's compare all the choices of gateway: Default Gateway, Default Network and Gateway of Last Resort. Just by reading the names, one would think these are similar if not the same thing. The answer is basically yes and no. Here is a quick breakdown of each and when you might use them.
1) Default Gateway (ip default-gateway x.x.x.x)
This command serves a non-routing network device that needs to reach any network outside its own subnet or local network. The command only functions when the device is not in routing mode. Typically it is found on Layer-2 switches, or on switches that are in bridging mode only.
For this command to function on a router, ip routing must be disabled. When ip routing is disabled, the router becomes merely a host, similar to a regular PC. To reach any network outside its own subnet or local network, the device then needs a default gateway.
2) Default Network (ip default-network a.b.c.d)
This command establishes a default network for a routing-capable device; therefore ip routing must be enabled on the device.
With this command in place, your Layer-3 device actually routes packets, unlike with the default-gateway command. Second, this command does not specify a next-hop address; it specifies a network that is to be considered the default. For this command to set a default network, you must already have a static route to that network in your routing table. You can tell it is working when sh ip route shows a "gateway of last resort" configured.
3) Gateway of Last Resort (ip route 0.0.0.0 0.0.0.0 next-hop-ip/exit-interface)
This command also requires ip routing to be enabled. It sets a default route for any destination not in your routing table. After it is entered, the ip route table shows a "gateway of last resort" configured.
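The three forms side by side, as an added example that is not part of the original answer. They are three alternatives, not one configuration: pick the block that matches whether the device routes or not. The addresses reuse the gateway plan from the previous FAQ entry (192.168.0.1 as a host-network gateway, 192.168.0.252 as the gateway toward the Internet); the 10.0.0.0 network in the second block is an assumed, arbitrary classful network chosen only to show how ip default-network depends on an existing route.

```cisco
! ----- 1) Default Gateway: device does NOT route (Layer-2 switch, or a router with routing off) -----
! On a Layer-2 switch "ip default-gateway" is enough; on a router it is ignored unless routing is disabled.
no ip routing
ip default-gateway 192.168.0.1
!
! ----- 2) Default Network: device routes, and names a CLASSFUL network as "the default" -----
! The network must already be reachable, so a static route to it is installed first (10.0.0.0/8 is assumed).
ip routing
ip route 10.0.0.0 255.0.0.0 192.168.0.252
ip default-network 10.0.0.0
! show ip route then reports: Gateway of last resort is 192.168.0.252 to network 10.0.0.0
!
! ----- 3) Gateway of Last Resort: device routes, with an explicit 0.0.0.0/0 route -----
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.252
! or, by exit interface instead of next hop (point-to-point links only):
! ip route 0.0.0.0 0.0.0.0 Serial0/0
! show ip route then reports: Gateway of last resort is 192.168.0.252 to network 0.0.0.0
```

The practical check is the same in cases 2 and 3: the "Gateway of last resort" line of show ip route names the next hop that will carry any destination not otherwise in the table. In case 1 no such line appears, because a non-routing device never consults a routing table; it simply forwards off-subnet traffic to the configured gateway's MAC address.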
by dpocoroba, edited by aryoba; last modified: 2009-07-28 16:37:37

Introduction
NBAR (Network-Based Application Recognition) is a very in-depth topic, hence this FAQ illustrates just one of its many functions: how to act on packets that match the required protocol criteria.
NBAR has its niche within the QoS (Quality of Service) crowd, where specific applications are given precedence (or not, as the case may be) depending on the network requirements at the time of implementation. NBAR recognizes a wide variety of applications on which QoS may then be applied, from the bandwidth-intensive Citrix to the port-changing Kazaa P2P (Peer-to-Peer) application.
NBAR classifies protocols from Layer 4 to Layer 7, allowing the router in some respects to disregard its Layer 3 position and look at the higher-layer protocols. NBAR can recognise:
• Statically assigned TCP and UDP port numbers
• Non-UDP and non-TCP IP protocols
• Dynamically assigned TCP and UDP port numbers. Classification of such applications requires stateful inspection; that is, the ability to discover the data connections to be classified by parsing the connections where the port assignments are made.
• Sub-port classification or classification based on deep packet inspection; that is, classification by looking deeper into the packet.
NBAR can classify static port protocols. Although access control lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs.
NBAR includes a Protocol Discovery feature that provides an easy way to discover the application protocols traversing an interface. Protocol Discovery discovers any protocol traffic supported by NBAR and maintains the following per-protocol statistics for enabled interfaces: total number of input and output packets and bytes, and input and output bit rates. The key statistics it captures for each protocol in a network can be used to define traffic classes and QoS policies for each traffic class.
The router (depending on model and IOS version) has built-in NBAR functionality which may be seen when configuring NBAR:
london-colo-east(config-cmap)#match protocol ?
Or when scrutinising a port-map:
london-colo-east-01-e-01#sh ip nbar port-map
which shows the ports and IP protocol of the various protocols present.
An external Packet Description Language Module (PDLM) can be loaded at any time to extend the list of protocols NBAR recognizes. PDLMs can also be used to enhance an existing protocol recognition capability. PDLMs allow NBAR to recognize new protocols without requiring a new Cisco IOS image or a router reload; hence they give the router the ability to recognise, at the application layer, protocols that were either not available when the router shipped or have since changed so much that an update is required.
To view a list of currently available PDLMs or to download a PDLM:
NBAR Packet Description Language Module Download
There are a number of examples, such as Citrix, Gnutella, Skinny, etc. This type of traffic would be hard to classify using standard QoS techniques, whether the goal is to minimise the impact of such programs on bandwidth, to drop them, or to allocate the most bandwidth to them. PDLMs give the router this added ability to recognise the traffic they describe, in addition to the traffic types pre-defined in the IOS.
Procedure (* = optional if the application NBAR is required for is already present in the IOS):
CEF should be enabled.
1.)* Copy the pdlm into the router's flash:
london-colo-east-01-e-01#copy tftp flash
Address or name of remote host []? 192.168.1.254
Source filename []? bittorrent.pdlm
Destination filename [bittorrent.pdlm]?
Accessing tftp://192.168.1.254/bittorrent.pdlm...
Erase flash: before copying? [confirm]n
Loading bittorrent.pdlm from 192.168.1.254 (via FastEthernet0.1): !
[OK - 4125 bytes]

Verifying checksum...  OK (0xA1BF)
4125 bytes copied in 0.192 secs (21484 bytes/sec)
london-colo-east-01-e-01#sh flash:

System flash directory:
File  Length    Name/status
  1   9773168   c1700-k9o3sy7-mz.123-10.bin
  2   4125      bittorrent.pdlm
[9777424 bytes used, 6737644 available, 16515068 total]
16384K bytes of processor board System flash (Read/Write)
2.) Enable CEF
3.)* Reference the pdlm in the config:
The result
4.) Create a class-map and policy map and apply it to the interface concerned:
Basically, within the policy-map bittorrent-policy, the action for any packet matching that protocol arriving on the fa0 interface is to DROP it. Other packet manipulation is possible with QoS, such as setting the precedence bits or setting a maximum/limited bandwidth for further processing down the line, but in this instance the packets are dropped as soon as they arrive on the fa0 interface.
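The configuration lines for steps 2 to 4 are not present in this copy of the FAQ, so the following is an added reconstruction of the whole procedure as the text describes it, not the author's own configuration. It assumes the PDLM has already been copied to flash:bittorrent.pdlm exactly as in the copy tftp flash output above, and that "fa0" is FastEthernet0.

```cisco
! Step 1 (optional): PDLM already in flash (see the "copy tftp flash" session above)
!
! Step 2: NBAR depends on Cisco Express Forwarding
ip cef
!
! Step 3 (optional): load the PDLM so that "match protocol bittorrent" becomes available
ip nbar pdlm flash://bittorrent.pdlm
!
! Step 4: classify the protocol, bind a drop action to it, and apply it inbound on fa0
class-map match-all bittorrent
 match protocol bittorrent
!
policy-map bittorrent-policy
 class bittorrent
  drop
!
interface FastEthernet0
 ip nbar protocol-discovery
 service-policy input bittorrent-policy
!
! Verification, from exec mode:
!   show ip nbar pdlm                    -> lists the loaded PDLMs
!   show policy-map interface FastEthernet0
!                                        -> per-class match and drop counters
!   show ip nbar protocol-discovery interface FastEthernet0 top-n 10
!                                        -> which protocols the interface actually carries
```

Protocol Discovery is not required for the drop action to work, but enabling it on the same interface is the cheapest way to confirm that the classifier is seeing the traffic you expect before and after the policy is applied; the drop counter in show policy-map interface is the check that the policy itself is taking effect.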
QoS (Quality of Service) and NBAR
QoS should be the suggested reading for a more in-depth look at policy-maps. As an illustration, the following is a sample configuration using NBAR and QoS CBWFQ (Class-Based Weighted Fair Queueing) for the most common P2P protocols.
Unlike the previous sample configuration, where P2P traffic is dropped or blocked, the objective of this configuration is to permit with restriction: all P2P traffic is limited to 8 kbps of bandwidth, and any P2P traffic attempting to use more than 8 kbps is dropped.
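The sample configuration itself is missing from this copy, so the following is an added example of the "permit with restriction" behaviour described above, not the FAQ's own configuration. One point of design: in CBWFQ the bandwidth command reserves a minimum for a class and does not cap it, so the hard "more than 8 kbps is dropped" rule is enforced here with a policer inside the class, which matches the stated behaviour exactly. The interface name is assumed; the protocol names are NBAR's built-in identifiers for those P2P applications.

```cisco
! Added example: cap all recognized P2P traffic at 8 kbps, drop anything above it
!
ip cef
!
! match-any: a packet belonging to ANY of these applications is classified as P2P
class-map match-any p2p
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
!
policy-map p2p-limit
 class p2p
  ! 8000 bits per second; traffic within the rate is transmitted, excess is dropped
  police 8000 conform-action transmit exceed-action drop
 ! all other traffic is left untouched in class-default
!
interface FastEthernet0
 ip nbar protocol-discovery
 ! apply in both directions so downloads and uploads are both limited
 service-policy input p2p-limit
 service-policy output p2p-limit
!
! Verification: "show policy-map interface FastEthernet0" shows, under class p2p,
! the conformed and exceeded byte counters of the policer.
```

Because NBAR classifies by inspecting packet contents rather than by port number, this class still catches clients that hop ports or use non-standard ones; the trade-off is CPU cost on the router, which is why Protocol Discovery is worth running first to see how much of the interface's traffic the classifier will have to examine.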
by Covenant, edited by aryoba; last modified: 2009-03-12 09:51:48

A great tool on Cisco's website is their Feature Navigator tool. It allows you to search in several different ways:
1) Image name as displayed in a “sh ver” (example: System image file is "flash:/c3550-i5q3l2-mz.121-14.EA1a.bin")
2) by Platform (example: 2500, 802, UBR905)
3) Serial number as displayed in a “sh diag”
4) Or by IOS major release
The tool can be found here.
In order to access the tool from Cisco you need a CCO account. CCO accounts are free and simple to set up. You can register for a CCO here.
by dpocoroba, edited by aryoba; last modified: 2009-08-18 09:36:15

BBR has this link. "These are the distance estimates we got from these providers, for your address."
We also have this link to the BBR site distance charts. "CLECs and ILECs work from distance estimates or actual checks before accepting an order. Here is what we know of the distance limits they work by."
by nozero, edited by aryoba; last modified: 2005-09-15 10:07:47

DS-1/T1/E1
»T1 over a short run of Cat3 cable?
»What is at the other end of a T1
»E1\T1 circuit - serial interface errors
»[Config] Alarm light on 2621 T1 WIC
»Flapping PTP T1 on Cisco 1721's
»1841 service-module T1 timeslots 1-12
DS-3/E-3
»DS3 comming, what do I need?
Cisco documentations
Troubleshooting Serial Lines
T1 Layer 1 Troubleshooting
Troubleshooting Line Problems and Errors on DS-3 and E3 ATM Interfaces
ATM
»What exactly is an atm interface?
DSL/ATM Provider
»[HELP] DSL project need help with ATM switch interface?
OC-3
»Why I'm not Pinging using Alternating Pattern 0x5555?
by aryoba; last modified: 2009-09-08 12:49:53

Ever wonder how your ISP actually announces your subnet via BGP to the Internet? Is any summarization in place, or is your subnet announced as-is? Using the following Looking Glass servers, you can find out.
The routers behind these links reside on the public Internet, so their BGP view should reflect your ISP's announcement policy for your subnet.
BGP IPv4/IPv6 Looking Glass Servers - BGP Route Servers World Route Servers
by aryoba; last modified: 2009-09-08 16:04:52

Introduction
Non-Official Cisco Support
Introduction - How PIX Operates and the CLI
Basic PIX configuration
Slightly Advanced PIX Configuration
TCP, UDP, NAT and PAT as the PIX sees it
Access Control Lists and Content Filtering
Object Grouping
Official Cisco Support
Using PIX Firewall
Cisco Security Appliance Command Line Configuration Guide, Version 7.0
What Is New On ASA (Or PIX OS 7.2 and above) Compared To PIX Firewall Running PIX OS 6.3?
Features
Legacy OS 6.3(5) http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn635.html
OS 7.0(1) http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp169795
OS 7.0(4) http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp213502
OS 7.0(5) http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix705rn.html#wp213502
OS 7.2(1) http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185529
OS 7.2(2) http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html#wp191103
OS 7.2(3) http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn723.html#wp213761
OS 8.0 http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn80.html#wp191103
OS 8.0(3) http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/prn803.html#wp191103
OS 8.0(4) http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html#wp191103
OS 8.1 http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html#wp23144
Enable/Disable Communication on OS 7.0 image and newer
1. Troubleshooting on OS 7.0 image and newer
Establish and Troubleshoot Connectivity through PIX/ASA
Packet/Traffic Troubleshooting
2. Sample Configuration on OS 7.0 image and newer
ASA/PIX EIGRP Routing Support
Backup/Failover Routing
Single Firewall Partitioned Into Multiple Independent Firewalls: Introduction to Multiple Context
Active/Active PIX/ASA Stateful Redundancy
Active/Standby PIX/ASA Stateful Redundancy
Transparent (Layer-2) Firewall
QoS
ASA As SSL Server
SSL VPN Client (SVC) on ASA with ASDM Configuration Example
Clientless SSL VPN (WebVPN) on ASA Configuration Example
Thin-Client SSL VPN (WebVPN) on ASA with ASDM Configuration Example
Block or Restrict the Instant Messaging (IM) Traffic
URL Filtering
by aryoba; last modified: 2008-09-02 16:35:53

Some discussion
»[HELP] Anything to look out for when setting up a new WAP?
Sample Configuration
»Cisco Forum FAQ »Wireless Router Sample Configuration
Further info
»Wireless Networking Forum FAQ
by aryoba; last modified: 2008-01-10 10:29:58

»[CCNA] Sanitizing a 3005 Concentrator...
by aryoba; last modified: 2008-12-05 10:22:07

When you wish to have a system that automatically detects your network's health (i.e. up/down connections, bandwidth, network device status and utilization), you usually need some kind of automatic network health monitoring system that sends you alerts, in the form of email, SMS/text, or a flashy display on your PC monitor, whenever it detects an issue. There is a lot of software out there that does this, from "free" versions to "premium-pay" versions. Following are some of the key technologies around which such software is designed.
* Syslog
* ICMP (Internet Control Message Protocol)
* SNMP (Simple Network Management Protocol)
* Netflow (Cisco specific)
Syslog
Typical business-grade network devices (i.e. routers, firewalls, switches) are able to generate logs on events or incidents such as an interface going up or down, routing updates, and configuration changes. These logs are generally in the form of syslog messages. By default, syslog messages are stored within the devices themselves.
When you have an automatic health monitoring system, it should include a syslog server that collects the syslog messages generated by all network devices. The general idea is:
* Install a syslog server
* Configure the server to receive and store syslog messages from your network devices
* Configure your network devices to send their syslog messages to the syslog server
Note that you can check syslog messages on the network devices themselves. However, those devices are not designed to store syslog messages for long; usually the logs are deleted after a short period of time. With a syslog server you can keep syslog messages much longer (typically 1 to 3 months) and even back them up to other media such as tape.
ICMP (Internet Control Message Protocol)
Often you need to see whether a certain circuit or Internet connection is up or down. The simplest and most common way to find out is to ping the Internet gateway (your ISP's equipment), or pretty much any device on the other side of the circuit. This ping mechanism assumes that an ICMP echo reply arrives from the monitored device within a certain time frame in response to the ICMP echo your monitoring system sends. If no ICMP echo reply is received within that time, the far-end device can safely be assumed to be either down or busy.
SNMP (Simple Network Management Protocol)
In some cases, having a syslog server collect syslog messages is insufficient. One case is that syslog messages do not provide specific information on particular events or devices, such as a device's CPU or memory utilization, bandwidth utilization, or temperature. This is something that SNMP does provide.
SNMP is another essential part of your automatic health monitoring system. Similar to syslog, an SNMP server collects SNMP traps from SNMP clients. These clients can be any IP-based network devices: routers, firewalls, switches, printers, and production servers (i.e. web or mail). As mentioned, interface up/down, CPU and memory utilization, port or bandwidth utilization, temperature, and a laser printer low on toner are just a few of the device health conditions that SNMP traps from specific devices can represent.
Once the SNMP server receives those traps, it can generate reports on those conditions. If you want to see CPU and memory utilization on specific SNMP clients within a certain time range, for instance, you can pull a report on those. You can do the same for switch port utilization.
Further, you can link your SNMP server to your mail server. This way you (or anybody within your company) can receive a mail alert when a specific condition takes place, such as a device temperature hitting 80 degrees Fahrenheit, a device's CPU or memory utilization reaching 80% or more, or a device going down.
Cisco Netflow
Specifically for bandwidth utilization, an SNMP report only tells you how much a specific port or connection is utilized (i.e. 10% or 90% utilized). It does not tell you which traffic is using that bandwidth.
When your network devices are Cisco devices that can export Netflow records, you can use Netflow to provide such details. In a nutshell, Netflow reports show which traffic is using the bandwidth in terms of source and destination IP address, TCP or UDP port, and how many IP packets are going through. For instance, a report might show that your internal user (say, 10.0.10.254) accessing your internal web server (say, 10.0.0.2 on TCP port 80) and www.yahoo.com on the Internet is using 80% of the available bandwidth.
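As an added example (not from the FAQ or any Cisco tool), the following Python decodes a NetFlow v5 export datagram and ranks the flows by bytes, which is the source/destination/port view the text says an SNMP utilization counter cannot give. It assumes v5 is the export version in use and works on a constructed export in which 203.0.113.10 stands in for the external web server.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (assumed export version): 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes):
    """Return one (src, dst, proto, sport, dport, packets, octets) tuple per flow record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header announces %d records" % count)
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _ifin, _ifout, pkts, octets, _first, _last, sport, dport, _pad, _flags, proto = rec[:14]
        flows.append((socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport, pkts, octets))
    return flows


def top_talkers(flows, limit=3):
    """Rank (src, dst, proto, dst_port) by bytes and give each its share of the total in percent."""
    totals = defaultdict(int)
    for src, dst, proto, _sport, dport, _pkts, octets in flows:
        totals[(src, dst, proto, dport)] += octets
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(key, octets, round(100.0 * octets / grand, 1)) for key, octets in ranked]


def _record(src, dst, proto, sport, dport, pkts, octets):
    """Pack one constructed v5 record; next hop, interfaces, timestamps and AS fields are dummies."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,
                          1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed export mirroring the text's scenario: 10.0.10.254 talks to the internal web
# server 10.0.0.2:80 and to an external web site (203.0.113.10 stands in for www.yahoo.com).
SAMPLE_EXPORT = V5_HEADER.pack(5, 3, 1000, 1252000000, 0, 1, 0, 0, 0) + b"".join([
    _record("10.0.10.254", "10.0.0.2", 6, 40001, 80, 900, 1200000),
    _record("10.0.10.254", "203.0.113.10", 6, 40002, 80, 500, 600000),
    _record("10.0.0.2", "10.0.10.254", 6, 80, 40001, 100, 200000),
])

if __name__ == "__main__":
    for key, octets, share in top_talkers(parse_netflow_v5(SAMPLE_EXPORT)):
        print("%s -> %s proto %d port %d: %d bytes (%.1f%%)" % (key + (octets, share)))
```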
Software To Choose
There is a lot of software that can do syslog, ICMP, SNMP, and Netflow collection and reporting as described. Many companies like to use SolarWinds or WhatsUp products. Some companies like to use CiscoWorks.
There is free ICMP and SNMP software that is widely used, such as MRTG and Cacti. One popular free syslog package is Kiwi Syslog.
Basically, any software that you think works should do. Typically the paid software is preferred when you have a large or complex network, or you want detailed or thorough reports.
Software/Application Performance
Often, network or Internet slowness is caused by software or an application running on a server or PC. This could be mail (SMTP), web (HTTP, HTTPS, SSL, TLS), FTP, SQL databases, or even peer-to-peer applications such as Kazaa and eDonkey. Besides monitoring the network, monitoring software and/or application performance is highly recommended, as the software may be written incorrectly by its developers, causing poor performance.
There are many monitoring systems you can choose for software or application performance monitoring. Some of them are OPNET and Ixia. Using OPNET, for example, you can find out exactly what happens during the client-server exchange of some application and whether those events happen as expected. The monitoring result should give you an idea of what is happening and whether the events you see may cause a performance problem.
Note that you don't have to use the monitoring systems mentioned. They are just picked as illustrations (although they are proven to work and helpful on real-life production networks). As a rule of thumb, any monitoring system should do as long as it serves your needs.
Related Topic
»Cisco Forum FAQ »Improving Small Business network performance
Some Discussions
»Network Monitoring »[OT] Network Test tool http/Sql/Mapi/SIP, etc
by aryoba  last modified: 2009-09-16 08:39:05
Introduction to Routing and Switching
Prerequisite reading »Cisco Forum FAQ »Quick and Easy Subnetting on Routing, Switching and Network Design Relationship »Cisco Forum FAQ »Choosing Gateway IP Address for a network »Cisco Forum FAQ »What is the difference between the different gateways in the routing table?
Brief Routing Switching
Industry-Standard RFC: RFC 1180: A TCP/IP Tutorial
Some discussion »[CCNA] CCNA Help for Test question
by aryoba  last modified: 2009-08-24 14:46:49