
Port Aggregation

Port aggregation is a technique that binds more than one physical port into a single, larger virtual port. It is done for several purposes.

The biggest advantage of this technique is increased bandwidth. If you have two 100Mb ports and you need a port that can support 200Mb of bandwidth, you simply merge the two ports and get 200Mb.

Another reason is redundancy. If we want to provide resources with zero seconds of downtime, we can use this technique for redundancy: if one port fails, the other port still transmits the data and keeps the services up and running.

This technique is quite popular and is used for more capacity and efficiency. You can use up to 8 ports for aggregation.

A common question: is this technology better than rapid spanning tree in terms of redundancy?

The answer is yes, because aggregation gives more bandwidth, and if one port goes down the other port still works, whereas in spanning tree only one port can be active at a time.

Cisco offers three ways to apply this technology: EtherChannel, Port Aggregation Protocol (PAgP), and Link Aggregation Control Protocol (LACP).

LACP is an open IEEE standard and is used almost everywhere; if you have to configure aggregation, go with it. PAgP and EtherChannel are Cisco proprietary and are not used now, but you have to know all three.

EtherChannel is a static configuration mode and is not much used in production, because if the other switch fails to meet the requirements the port will no longer work. PAgP and LACP are dynamic: if the switches' configurations do not match, the ports keep working in the normal way instead of stopping. It is recommended that you use a dynamic technique, and more specifically LACP.

Static Aggregation

Port Aggregation with Ether-Channel

We will work with a simple topology of two core switches.
This is a static method and is not recommended, but it is there if you need it.

First we get into CORE-1, shut down the interfaces, and then configure the static aggregation mode. All we need to do is create a channel group; this group is also called a port channel. It is important to apply the same configuration on both switches, otherwise it can be difficult to troubleshoot if you run into an issue.

The interfaces are as follows:

Spanning-tree status and neighbor information are as follows:

Configuration

Notice that channel-group supports only 48 groups; this can vary from switch to switch. Another thing to notice is that there are 5 modes: 2 belong to LACP, 2 to PAgP, and only one, on, is static.

Now we need to do the same thing on CORE-2 as well.

Now we just need to bring the switch ports back up, and that is all.

Po1 is the name of the channel, or we can say the name of the virtual interface.
(SU) tells us that the channel is a Layer 2 channel and is in use. The abbreviations for the flags are listed by the device so you can look up their meaning.
Fa0/1(P) Fa0/2(P) shows that the two ports are part of the port channel.

Here are MAC addresses of Po1.

Look, we have a new interface named Port-channel1.

Notice that the interface shows 300Mb of speed and that Fa0/1 and Fa0/2 are part of this channel.
Now let's look at the status of spanning tree.

Notice that there is only one interface, Po1, and its Type is Shr. There is no second link to the switch that could make a loop, because we merged the two interfaces into one.

Now it is important that you treat these two ports together: if you make changes to one and not to the other, the channel will break. It is recommended that you make changes on the Po1 interface so that both underlying ports are treated equally.

Dynamic Aggregation

Dynamic configuration is not ideal in many cases, but for aggregation this mode is quite satisfactory. With static aggregation, if there is any issue with the aggregation the frames will not be transmitted; in dynamic mode the ports fall back to their normal behaviour and frames keep flowing.

There are two dynamic modes, as discussed: LACP and PAgP. LACP is only better because it is an open IEEE standard supported by all vendors; apart from this there is no underlying technical difference between them.
When configuring dynamic aggregation, go with LACP because it is an open standard and supported by all vendors.

Dynamic Modes

Active belongs to LACP and means that the channel will continuously ask its neighbor to aggregate, if the neighbor supports aggregation.
Desirable belongs to PAgP and works the same as Active, meaning it keeps asking its neighbor to aggregate.
Auto also belongs to PAgP but is the shy one: it does not ask to aggregate but waits for the other party to offer the invitation.
Passive belongs to LACP and works the same as Auto.

Aggregation LACP

Switch-1    Switch-2    Aggregation Result
Active      Active      Aggregation Successful
Passive     Active      Aggregation Successful
Active      Passive     Aggregation Successful
Passive     Passive     Aggregation Unsuccessful

Aggregation PAgP

Switch-1    Switch-2    Aggregation Result
Auto        Desirable   Aggregation Successful
Desirable   Auto        Aggregation Successful
Desirable   Desirable   Aggregation Successful
Auto        Auto        Aggregation Unsuccessful

LACP Aggregation Configuration

The steps are the same as for static aggregation; if you already have a statically aggregated channel, you need to delete it first.

Now do the same on the CORE-1 switch.

Now turn on the ports.

Notice that the EtherChannel is now using LACP mode, which is dynamic.

Another question: if you aggregate both Gigabit and Megabit ports, will they become aggregated?

The answer is yes, they will become aggregated, but the switch will only use the Gigabit ports; if they fail, the Megabit ports will be used.
For example, if you have aggregated 4 ports of which 2 are Gigabit and 2 are Megabit, only the Gigabit ports will be used and the Megabit ports will sit idle; the bandwidth of the Megabit ports is not even added to the aggregate unless the Gigabit ports stop working.

StackWise is another technique for redundancy and more bandwidth; read about it.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.

Full Version 200-301 Dumps

Try 200-301 Dumps Demo


Layer 2 Threat Mitigation Part 2

VLAN Hopping

This is an attack in which an attacker jumps from one VLAN to another by tagging the frame with the targeted VLAN number. For example, I am an attacker connected to VLAN 10, but I want access to VLAN 1. What I do is grab the frame before it leaves my NIC and tag it with VLAN ID 1. When it reaches the switch, the switch adds another tag with VLAN ID 10, because I am connected to VLAN 10. When this frame reaches the next switch, that switch opens the first tag, VLAN ID 1 in this case, and now the attacker has jumped from the connected VLAN to the target VLAN.

This attack has largely been mitigated by Cisco switches, which discard any VLAN-tagged frame arriving on an access port. That is, if I tag my frame with VLAN ID 10 before it reaches the switch, the switch discards the VLAN header when the frame arrives on an access port.
This is not the behaviour on a trunk port, so it is highly recommended that you do not use Dynamic Trunking Protocol.

Native VLAN Issue

The native VLAN ID is 1, so if a frame has no VLAN tag it is sent to the native VLAN. An attacker can alter their VLAN tag to get their frame into the native VLAN for malicious purposes.

Cisco recommends that you change the native VLAN ID and do not put any port in the native VLAN, so that even if an attacker does get into that VLAN he can do no harm.

The issue lies with the 802.1q trunking protocol, which allows VLAN hopping; you can either go with ISL trunking mode or change the native VLAN ID.

It is important that you change the native VLAN at both ends of the cable; it must be the same on both sides, otherwise data from one switch will land in a different VLAN on the other.
For example, if on one switch you have defined native VLAN 999 and on the other it is 1, then untagged data from 999 will land in VLAN 1 on the other side, and vice versa.
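The two conditions above, a double-tagged frame and an untagged frame falling into native VLAN 1, can be checked by decoding the 802.1Q header. The following is an added example, not code from the original lab: it parses the tags on a frame and applies the access-port and trunk rules the text describes. The sample frames are constructed here, and the classify() rules and its labels are this example's own.

```python
"""Added example, not from the original lab: decode 802.1Q tags on an Ethernet
frame and flag the two conditions the text describes, a double-tagged frame
and an untagged frame that would land in native VLAN 1. The sample frames are
constructed here; the classify() rules and labels are this example's own."""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Return src/dst MACs, the VLAN IDs in tag order, and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vlans = []
    # Walk every 802.1Q tag; a second tag is what VLAN hopping relies on.
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def classify(frame: bytes, port_mode: str, port_vlan: int, native_vlan: int) -> str:
    """Decide how a switch following the text's rules treats an arriving frame.

    port_mode is 'access' (port_vlan is its access VLAN) or 'trunk'
    (native_vlan is the VLAN given to untagged frames on that trunk)."""
    tags = parse_frame(frame)["vlans"]
    if port_mode == "access":
        # Access ports discard tagged frames, which is what defeats the double tag.
        return "discard-tagged-on-access" if tags else f"forward-vlan-{port_vlan}"
    if not tags:
        # Untagged on a trunk lands in the native VLAN; flag it while that is VLAN 1.
        return ("forward-native-vlan-1-risk" if native_vlan == 1
                else f"forward-vlan-{native_vlan}")
    if len(tags) > 1:
        return "double-tagged-alert"
    return f"forward-vlan-{tags[0]}"


def sample_frame(vlans, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Constructed sample frame with zero or more 802.1Q tags (test data only)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("00005e005301")
    for vid in vlans:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    double = sample_frame([10, 1])   # outer tag 10, inner tag 1
    print(parse_frame(double)["vlans"])               # [10, 1]
    print(classify(double, "access", 10, 1))          # discard-tagged-on-access
    print(classify(double, "trunk", 0, 999))          # double-tagged-alert
    print(classify(sample_frame([]), "trunk", 0, 1))  # forward-native-vlan-1-risk
```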

Configuring Native VLAN

The native VLAN is configured on the trunk port.

switchport trunk encapsulation dot1q tells the switch to use dot1q trunking.

switchport mode trunk changes the port mode to trunk.

switchport nonegotiate says: stay a trunk and do not negotiate with the other end of the cable.

switchport trunk native vlan 999 defines VLAN 999 as the native VLAN.

The error messages appeared because the other end of the link was still using native VLAN ID 1, and we needed to change that.

The status shows the details of the trunk port. We need to do the same on the other switch connected to this one.

Physical Layer 2 Security

There are two ways to secure the ports of a switch: one is to keep unused ports shut down at all times, which is an easy and simple approach, and the other is to use 802.1X authentication.

802.1X Authentication

It is a low-level authentication mechanism that authenticates the user with a certificate/key.
This approach is not easy; it requires a lot of administration and a strong infrastructure, because any new device that needs to connect to the network must first go to the administration desk, where the certificate is burned into the device, and the certificate is then authenticated at connection time. If the certificate does not match, the port blocks communication.
The switch itself cannot read or authenticate certificates; we need a separate server that performs the authentication and tells the switch to permit or deny access. The switch simply acts as an intermediary between server and client: it passes the authentication certificate along and does whatever the server tells it.

Configuring 802.1X

aaa new-model turns on the authentication protocols.

dot1x system-auth-control handles the certificates from clients.

radius server server01 is the name of the server that will authenticate users.

address ipv4 192.168.0.200 auth-port 1812 sets the server address and the port number for authentication; 1812 is the new number, the older one is 1645.

key cisco123 is the shared key required in order to talk to the server.

aaa authentication dot1x default group radius tells the switch to send authentication requests to the RADIUS server.

That is all for the server-side configuration on the switch; now we have to tell the switch which ports should be authenticated by this service and what the action should be.

dot1x pae authenticator tells the switch that these ports need to be authenticated before access is permitted.

dot1x port-control auto tells the switch to take the action automatically; for instance, if the certificate is bad, block access.

This is an excellent authentication protocol for low-level security: it is hard to break, but it also requires a lot of infrastructure work to implement. You need to set up and manage the authentication server, burn certificates into current and new devices, configure the switches, and keep managing it over time.

Note that this protocol should only be configured on access ports.


Layer 2 Threat Mitigation

Layer 2 threat mitigation is important: it is the defence against an insider who aims to damage the network. There are security devices such as firewalls, IDS/IPS, and other systems to protect the network, but these technologies do not work at layer 2.
There are many threats an insider can initiate on a local network: the insider could leak or grab information, or cause a denial-of-service condition on a switch or on servers.

MAC Flooding

This is an attack against switches that feeds them too many false MAC addresses to flood the switch and make it unresponsive, resulting in a denial of service. Port security is a feature on switches that handles this type of attack.

DHCP Starving

This is another attack that works at layer 2 and results in a denial-of-service condition. The attacker sends requests from too many MAC addresses to the server to obtain IP addresses, which empties the address pool; as a result, legitimate users cannot get access to network resources.
DHCP works on the DORA mechanism; this attack only sends Discover and receives the Offer, never replying with a Request, and so starves the DHCP server.
DHCP snooping is a feature of switches that can handle this type of attack. It is also a layer 2 attack because this protocol works on layer 2 communication.

DHCP Snooping

It is a measure applied to ports that allows N Discover requests from clients and blocks them once the limit is exceeded, and likewise governs the Offer messages from the server to clients.
This technology not only protects you from DHCP starvation but also from rogue DHCP servers.
The configuration is quite simple: turn on snooping in global configuration, assign VLANs to it, limit the requests from clients to DHCP, and allow the port connected to the DHCP server to hand out IP configuration to clients.

The first figure shows that the feature is disabled by default.

Now enable the feature globally.

Assign VLANs to this feature.

Apply a rate limit on client ports so they can never exceed the Discover message limit.

Now each client can make 10 DHCP Discover requests; if it exceeds the limit, the switch blocks the requests.

Now we need to configure a trusted port for the DHCP server so the server can Offer addresses. Note that this should be the port to which the DHCP server is directly connected, or the trunk link port.

Notice that all ports have a rate limit of 10 and trust is "no", which means no other port can offer DHCP configuration except port fa0/24.

With this simple practice we have mitigated two major threats at once: DHCP starvation and rogue DHCP.

The DHCP starvation threat has been mitigated by limiting clients to 10 Discover requests.

The rogue DHCP threat has been mitigated by making only one trusted port responsible for DHCP. Now if any other port offers DHCP configuration, it will be blocked.
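To make the two mitigations concrete, here is an added example (not from the original lab) that models the snooping behaviour just described: a per-port limit on client Discover messages and a single trusted port that is the only one allowed to send server messages. The port names, the 1-second window and the err-disable handling are this example's assumptions.

```python
"""Added example, not from the original lab: a small model of DHCP snooping as
described above, a per-port rate limit on client Discover messages and one
trusted port that alone may send server messages (Offer/Ack). Port names and
timings are constructed; the sliding window approximates the per-second
'ip dhcp snooping limit rate' and err-disable is modelled as a blocked port."""
from collections import defaultdict, deque

CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit=10, window_seconds=1.0):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit
        self.window = window_seconds
        self.recent = defaultdict(deque)   # port -> timestamps of recent client messages
        self.err_disabled = set()          # ports shut down after exceeding the limit

    def process(self, port, msg_type, ts):
        """Return 'forward' or 'drop:<reason>' for one DHCP message seen on a port."""
        if port in self.err_disabled:
            return "drop:port-err-disabled"
        if port in self.trusted:
            return "forward"               # the server port is neither limited nor filtered
        if msg_type in SERVER_MESSAGES:
            # A rogue DHCP server answering from an untrusted port is dropped.
            return "drop:server-message-on-untrusted-port"
        # Untrusted client port: enforce the Discover/Request rate limit.
        window = self.recent[port]
        while window and ts - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.rate_limit:
            # IOS err-disables the port; here that blocks all further traffic on it.
            self.err_disabled.add(port)
            return "drop:rate-limit-exceeded"
        window.append(ts)
        return "forward"


def starvation_attempt(snoop, port, count, start=0.0, gap=0.01):
    """Simulate a burst of Discover messages with no Request following (the
    starvation pattern) and return how many of them the switch forwarded."""
    forwarded = 0
    for i in range(count):
        if snoop.process(port, "DISCOVER", start + i * gap) == "forward":
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    snoop = DhcpSnooping(trusted_ports={"Fa0/24"}, rate_limit=10)
    print(starvation_attempt(snoop, "Fa0/1", 50))   # 10
    print(snoop.process("Fa0/2", "OFFER", 0.5))     # drop:server-message-on-untrusted-port
    print(snoop.process("Fa0/24", "OFFER", 0.5))    # forward
```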


Quality of Service


QoS is an umbrella term that covers many tools and techniques for improving the performance of a network; it is a very complex topic as well.

QoS is intended to prioritize traffic on the basis of protocol. For example, VoIP traffic takes 64Kb of bandwidth for the entire time a call is up; if there is a lot of other traffic on your network, it can affect the VoIP call and cause dozens of glitches in the call. The sole purpose of this technology is to prioritize certain protocols over others.

The Cisco network architecture is divided into three tiers: Core, Distribution, and Access. QoS works at the access layer, where your switches are placed. It really runs on switches because switches do little more than forward traffic based on destination MAC addresses.

The Core layer should be very fast because it is connected to the WAN; there should be no filtering or intelligence work at this layer. It consists of routers and firewalls intended to move traffic as fast as possible.
The Distribution layer does the heavy intelligence work, such as traffic filtering, and consists of routers, layer-3 switches, and firewalls as well.


QoS Components

QoS has three components that we have to worry about at CCNA level.

Tagging System

The tagging system puts tags on traffic such as telnet, VoIP, SSH, HTTP, and more. It is also called classification because it classifies the different kinds of data, and it happens at the access layer. DiffServ Code Point, or Differentiated Services Code Point (DSCP), is a traffic classification mechanism consisting of a two-digit hexadecimal value. The highest-priority value is EF, and there are 4 levels of this value: 11, 12, 13, 14.

There are 4 tiers, each with 4 levels, and the top priority level is EF-11 (Tier-1, Level-1).

Trust System

This is the trustworthiness of a packet's prioritization tag: it makes sure that packets are classified (prioritized) by intermediate devices (switches, routers), not by the client.

Prioritize System

It works at the Core layer, which just takes the packet, reads its tag, and sends it immediately if it is high priority.

Normal Traffic Flow in Switches

Normally switches receive data, store the traffic in a buffer, and forward it using a First In First Out (FIFO) algorithm. We can describe this in stages as follows:

At the very first moment, when the switch boots up, there is no traffic and the memory buffer is completely empty.


Now our switch starts receiving traffic; some of it is video and some is web, and all of it is put in the queue to be transmitted, so each packet has to wait a little for its turn.


Now the packet in first place in memory gets transmitted and all the other packets move forward to await their turn.


Now everything is working fine, and a VoIP packet arrives in the buffer in the very last place; in this normal network flow it will have to wait for its turn.


Traffic Flow with Basic QoS

Let's say we have classified the VoIP traffic. Now the switch will not place this traffic in the next free space; instead the packet is placed in the very first box and all other packets are paused for a little while.


Buffer Management

This is the most complex topic, taught at CCNP level, where you work with memory buffer management.

Traffic Shaping / Traffic Policing

Traffic policing is the technique of dropping traffic when it exceeds a certain threshold. For example, you set the threshold for web traffic at 80% of the bandwidth, and when traffic exceeds that limit it is discarded. It is used to make sure there is always some space in the buffer for important traffic: if the buffer is full, prioritized data can never be prioritized, because there is no room for any new packet. This technology keeps a certain portion of the buffer empty, so when high-priority traffic arrives it has room and is sent with priority.


Traffic shaping, on the other hand, also defines a threshold, but it does not drop packets; it manages them so they still reach their destination.

Traffic shaping and classification work together to implement QoS.


Tail drop is the mechanism switches use when there is no free memory in the buffer: it simply discards new packets entirely, and the client side has to regenerate them in order to communicate.
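The buffer behaviour described in this section, FIFO forwarding, the classified VoIP packet jumping to the first box, tail drop when the buffer is full, and policing that keeps room for priority traffic, is illustrated by the following added example (not code from the original lab). The buffer size, packet names and the 50% web policing share are constructed for the example.

```python
"""Added example, not from the original lab: a toy model of the switch buffer
described in the QoS text. It shows plain FIFO, the basic QoS behaviour of
moving a classified VoIP packet to the head of the queue, tail drop when the
buffer is full, and policing that caps one class at a share of the buffer.
Packet names, capacity and the policing share are constructed for the example."""
from collections import deque


class SwitchBuffer:
    def __init__(self, capacity, qos=False, police=None):
        """capacity: packets the buffer can hold.
        qos: when True, packets classed 'voip' are placed at the front.
        police: optional {class: max_share}, e.g. {'web': 0.5}; new packets of that
        class are dropped once it already fills that share of the buffer."""
        self.capacity = capacity
        self.qos = qos
        self.police = police or {}
        self.queue = deque()
        self.dropped = []

    def enqueue(self, name, traffic_class):
        """Return 'queued', 'policed' or 'tail-drop' for the arriving packet."""
        share = self.police.get(traffic_class)
        if share is not None:
            in_class = sum(1 for _, cls in self.queue if cls == traffic_class)
            if in_class >= share * self.capacity:
                self.dropped.append((name, "policed"))   # over its threshold
                return "policed"
        if len(self.queue) >= self.capacity:
            # No free memory: tail drop discards the newcomer entirely.
            self.dropped.append((name, "tail-drop"))
            return "tail-drop"
        if self.qos and traffic_class == "voip":
            self.queue.appendleft((name, traffic_class))  # jumps to the first box
        else:
            self.queue.append((name, traffic_class))     # FIFO: wait your turn
        return "queued"

    def transmit(self):
        """Send the packet at the head of the buffer and return its name."""
        return self.queue.popleft()[0] if self.queue else None


def run_scenario(qos, police=None):
    """Fill a 4-slot buffer the way the text describes (video and web arrive
    first, then a VoIP packet) and return (send order, per-packet results)."""
    buf = SwitchBuffer(capacity=4, qos=qos, police=police)
    arrivals = [("video1", "video"), ("web1", "web"), ("web2", "web"),
                ("web3", "web"), ("call1", "voip"), ("web4", "web")]
    results = [buf.enqueue(name, cls) for name, cls in arrivals]
    order = []
    pkt = buf.transmit()
    while pkt is not None:
        order.append(pkt)
        pkt = buf.transmit()
    return order, results


if __name__ == "__main__":
    print(run_scenario(qos=False))                      # call1 tail-dropped
    print(run_scenario(qos=True))                       # still tail-dropped: buffer full
    print(run_scenario(qos=True, police={"web": 0.5}))  # call1 sent first
```

With the buffer already full, enabling priority placement alone does not help the VoIP packet; only policing the web traffic leaves it room, which is the point the text makes about policing.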


Spanning Tree Protocol Part 3

Spanning tree (802.1d) is also known as common spanning tree (CST), which means one big spanning tree for all VLANs.
Cisco instead uses per-VLAN spanning tree (PVST+), which means running an individual spanning tree for each VLAN.

Rapid Spanning Tree Protocol

It is 802.1w, which does not take 30 seconds to shut down or turn on a port when reacting to a loop.

This protocol looks for an alternate port or backup port to turn on when the primary port fails.

Note: Cisco highly recommends that you run either common spanning tree or rapid spanning tree on all your switches; if you mix both, it will result in network downtime.

Since spanning tree is a layer-2 protocol, if you use a router between switches you can run common spanning tree on one side and rapid spanning tree on the other, because these messages do not pass through the router.

STP State (802.1d)    RSTP State (802.1w)
Blocking              Discarding
Listening             Discarding
Learning              Learning
Forwarding            Forwarding
Disabled              Discarding

Generic Spanning Tree to Rapid Spanning Tree

We only need one command to change the mode, but it is important that you change all the switches to exactly the same mode. This is a one-time configuration: you set the mode and the root bridge and forget it.


This is all you have to do to change the mode: one command and you are up and running.


Quality of Service Part – 2

Random Early Detection – RED

Random Early Detection (RED) is a mechanism that watches the memory buffer before it gets full. It looks for the hosts that are sending more data, drops packets from the host that is transmitting more, and lets the host sending less data through. For example, Host – A is sending 100Mb of traffic and Host – B is sending 100Kb; when RED detects that the buffer is getting full, it starts dropping Host – A's packets because it is transmitting more data. RED aims at equal use of network resources by all users on the network.

Weighted Random Early Detection – WRED

Weighted Random Early Detection (WRED) is a more advanced form of RED that looks not only at the volume of traffic but also at the protocols behind it when deciding which packets to drop. For example, Host – A is sending 100Mb of traffic and Host – B is sending 100Kb, and Host – A's traffic includes VoIP. RED would not notice this, but WRED will: it allows the VoIP traffic through and drops the other, lower-priority traffic instead.
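The standard WRED drop curve makes the heavy-sender and VoIP behaviour above concrete. The following is an added example, not code from the original lab, and it goes beyond the text in one respect: it uses the usual RED linear drop probability between a minimum and maximum average queue depth, with a separate, more lenient curve for the EF (VoIP) class. The thresholds, host names and packet counts are constructed.

```python
"""Added example, not from the original lab: the standard WRED drop curve
(an assumption beyond the text, which describes RED in terms of the heavier
sender). Drop probability rises linearly between a minimum and maximum average
queue depth, with a more lenient curve for the EF (VoIP) class. The simulation
shows that a heavy sender loses far more packets than a light one while the
VoIP class is spared. Thresholds, hosts and packet counts are constructed."""
import random

# Per-class thresholds: (min_threshold, max_threshold, max_drop_probability)
WRED_PROFILES = {
    "default": (20, 40, 0.5),   # best-effort traffic starts dropping early
    "ef": (36, 40, 0.1),        # VoIP is protected until the buffer is nearly full
}


def drop_probability(avg_queue, traffic_class="default"):
    """RED's linear curve: 0 below min_th, max_p just under max_th, 1.0 from max_th."""
    min_th, max_th, max_p = WRED_PROFILES.get(traffic_class, WRED_PROFILES["default"])
    if avg_queue < min_th:
        return 0.0
    if avg_queue >= max_th:
        return 1.0
    return max_p * (avg_queue - min_th) / (max_th - min_th)


def wred_decide(avg_queue, traffic_class, rng):
    """Return True when this packet should be dropped early."""
    return rng.random() < drop_probability(avg_queue, traffic_class)


def simulate(senders, avg_queue=30, seed=1):
    """senders: {host: (packet_count, traffic_class)}; return drops per host.

    The average queue depth is held fixed so the comparison between hosts is
    only about how many packets each offers and which class they carry."""
    rng = random.Random(seed)
    drops = {}
    for host, (count, cls) in senders.items():
        drops[host] = sum(1 for _ in range(count) if wred_decide(avg_queue, cls, rng))
    return drops


if __name__ == "__main__":
    senders = {"Host-A": (1000, "default"),     # heavy best-effort sender
               "Host-B": (10, "default"),       # light best-effort sender
               "Host-A-voip": (200, "ef")}      # Host-A's VoIP stream
    print(drop_probability(30), drop_probability(30, "ef"))   # 0.25 0.0
    print(simulate(senders))
```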

QoS Interfaces

QoS is applied at the egress (outbound) interface, meaning where the traffic leaves the network, because it is the outbound interface that sends traffic on to other network resources, not the inbound one. However, the classification and prioritization of traffic are performed at the ingress (inbound) interface.

QoS on MPLS

Nowadays many networks use MPLS, which supports QoS as well, but if you are using an MPLS tunnel QoS becomes really difficult; in that case you can use Frame Relay over MPLS to perform QoS.
Forward Explicit Congestion Notification (FECN) and Backward Explicit Congestion Notification (BECN) are the mechanisms Frame Relay uses to tell users to slow down their traffic rate in order to avoid drops. These technologies work on WAN networks.

Auto QoS

It is a set of QoS best practices from Cisco; we usually implement it and then tweak it for our own network to get the best performance.

QoS Configuration

Checking Neighbours

First we look at the neighbors of our switch to determine whether there is an IP phone.

Checking QoS Status

By default QoS is turned off on most Cisco devices, but we can always check whether it is on or off.

Enable QoS

We only need to run the mls qos command in global configuration to enable QoS.

After turning on QoS it does not do much, because we have not made any configuration yet.

Now we just move to the interface where we want QoS and use auto qos to enable it.

When we start enabling auto qos we see 4 major templates defined by Cisco.

Classify, trust, VoIP, and video are the Cisco best-practice templates; in the voip configuration we get three sub-categories, where trust means third-party VoIP phones.

Now, after applying auto qos, when we look at the interface it has policies and other configuration set up for QoS.

AutoQoS-Police-CiscoPhone is the policy that has been applied to this interface.
priority-queue out tells us that QoS is applied to outbound traffic.
mls qos trust device cisco-phone says that this policy trusts Cisco phones.

Now when we look at the running configuration we see a large number of lists and multiple class maps and policy maps that auto qos created for us automatically in order to apply QoS to VoIP phones.

Look at the above screenshot: it is a huge QoS configuration, generated for us automatically.

Above is the auto-generated policy map for our QoS. It defines that voip traffic can take up to 320000 of bandwidth plus a further 8000 burst; if it exceeds that limit, the traffic will be policed (dropped). Recall the classification levels we discussed, where ef-11 is the highest; notice that this level is attached to the VoIP policy. The other class is for other types of traffic.

Caution: It is highly recommended that you do not use QoS on your production network, or on a network you are not completely familiar with, because it could be a nightmare. Build a lab, practise there, and then implement it in your production environment.


Access Control List Part – 2

We discussed the standard ACL, but it has a big limitation: it can only match on the source IP address, so it works only at layer 3.
The numbers for standard ACLs are 1 – 99 and 1300 – 1999.

An extended ACL can match on source and destination IP address, sessions, ports, and protocols. It works at layers 3, 4, and 5, so it can express more detailed rules.
The numbers for extended ACLs are 100 – 199 and 2000 – 2699.
A good piece of advice: try to fit the control into a standard ACL, to reduce complexity and improve performance.


Configuration

We want to allow access to R4 from R1 using SSH, not telnet.

Case – 1

First let's block the telnet connection using source and destination IP address, but before that let's make sure we can ping, telnet, and SSH to R4.

We are going to create the ACL on R2 because it sits between our targets and is therefore the best place to filter.

Now we have configured a rule to block traffic from 192.168.1.1 to 192.168.2.4; this rule blocks all traffic between them. Keep in mind that there is an implicit deny rule, so we have blocked all traffic from R1 to R4. We need to allow the other traffic, and we also need to allow EIGRP traffic explicitly because our routers use this protocol to exchange routes; finally, we have to apply the rule to the interface.

Now it is time to test the ACL: let's ping, telnet, and SSH again and see the response.

We have successfully blocked the traffic we wanted to, and here is the proof.

Case – 2

Allow all traffic from R1 to R4 and block only the telnet connection, because it is insecure.

There are the options eq, lt, neq, and gt; first let's discuss them.
eq means equal to; this is the option for a single port, so if we want to block port 443 we can use this switch.
gt is greater than: we define a port, and all ports above it are affected, for instance to block all ports above 49000.
lt is less than; it works on the lower ports.
neq is not equal to.

At this point in the command, all of the above options apply to the source, not the destination. We do not know what port the source will use for telnet, but we do know the port that must be denied on the destination, so we have to move further into the command, past the destination IP, and then pick the option.


After entering the destination IP we can pick the port number, which we did using the eq switch. We need to apply this on the interface, and as soon as we do, the previous ACL is overridden and this ACL takes effect.

Now it is time to test the ACL, and for this purpose we move to R1.

Note: ICMP does not use any port.

Look at the result: ICMP and SSH work perfectly, but telnet is not working, and this is all because of the ACL.

Access Control List Part – 3

By this point we have created ACLs, and each new access control entry (ACE) is added below the existing entries; here we are going to modify and manage ACLs.

Let's say we have configured ACL 103 with some entries, and a new requirement comes in to create one more entry. We know that each entry is added below the previously defined entries, and this puts the rules in an inappropriate order.

Now a new requirement comes in and we implement another ACE, so the list becomes as shown below.

Now this list is useless, because the latest ACE will never take effect (an earlier entry matches the traffic first), so we have to put the list in the appropriate order to make it useful.

Approach – 1

The first approach Cisco suggests is to:

·       copy the entire ACL

·       paste it into Notepad

·       rearrange the rules

·       remove the ACL from the router

·       paste the rearranged ACL from Notepad into the router console

Question: What could happen when the running ACL that is attached to the interface is removed?

Answer: Nothing happens; the router ignores the ACL even though it is still attached to the interface.

Now, when we paste the rearranged ACL into the router console, it appears as follows.

image008

Caution: This approach could drop your SSH or Telnet session to the router while the ACL is being reapplied, so keep that in mind before doing it.

Approach – 2

Named ACL

Cisco also offers named ACLs, which remove the hurdles of numbered ACLs. There are two main benefits of a named ACL:

·       The name makes the purpose of the ACL easy to understand

·       Each ACE gets a sequence number, which makes it simple to rearrange the ACEs and manage the entire ACL

The syntax difference between numbered and named ACLs is:

·       access-list for a numbered ACL

·       ip access-list for a named ACL

image010

Configuring Named ACL

Now we are going to build the same ACL we made before, but this time as a named ACL. It is important to know that ACL names are case-sensitive.

image012

Above we created the named ACL and displayed it. Notice that there is a gap of 10 between consecutive ACEs: these are the sequence numbers assigned to each ACE so that the entries can be managed, and the gaps leave room to add more ACEs in between.

Now if we want to create another entry and place it above number 50, we can easily do so by using any number from 41 to 49.

image014

We just assigned number 45 to the new ACE and it landed right in its place.

Now suppose for some reason we decide to remove ACE number 20; we can do this as follows.

image016

Notice that the number sequence changed when we removed ACE 20: it is now 10, 30, 40, 45, and 50. We can restore an even sequence by executing the resequence command.

We can apply this ACL to an interface as we did with the previous ACLs.

image018
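The named-ACL workflow from this section (build, insert at 45, remove 20, resequence, apply), and the ordering problem from the start of the post, as one added example that is not the lab's own configuration. The ACL name, addresses and interface are assumed.

```cisco
! Added example, not the lab's own config. Name, addresses and interface are assumed.
ip access-list extended BLOCK_TELNET
 deny tcp host 192.168.1.1 host 10.0.0.1 eq 23
 deny tcp host 192.168.1.2 host 10.0.0.1 eq 23
 deny tcp 192.168.2.0 0.0.0.255 host 10.0.0.1 eq 23
 deny tcp any host 10.0.0.1 gt 49000
 permit ip any any
! IOS numbers these 10, 20, 30, 40, 50. Appending a further deny without a number
! would land at 60, below "permit ip any any", and would never match (the problem
! shown earlier in the post). Give it a free number between 41 and 49 instead:
 45 deny tcp host 192.168.3.7 host 10.0.0.1 eq 23
! Remove an ACE by its sequence number; the rest of the list is untouched.
 no 20
! The list is now 10, 30, 40, 45, 50. Renumber from 10 in steps of 10:
exit
ip access-list resequence BLOCK_TELNET 10 10
! Apply inbound, exactly as with the numbered ACLs.
interface GigabitEthernet1/0
 ip access-group BLOCK_TELNET in
```

Use show ip access-lists BLOCK_TELNET before and after the resequence to confirm the order and to read the per-ACE match counters, which reveal an entry that is shadowed by an earlier one (its counter never moves).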

ACL for IPv6

The concept is the same for IPv4 and IPv6, but there is a syntax difference in configuring the two types of ACL.

In an IPv6 ACL there is no number assigned to the list at creation time, and there is no keyword for standard or extended either. If you use the host keyword it is treated as standard, and if you use a protocol it is treated as an extended ACL.

IPv6 ACL Configuration

image020

The ACL configuration above denies Telnet connections for the specified host. It is important to remember that numbering works differently in IPv6, and it is done as follows.

image022

Notice that we used the sequence keyword instead of typing the number directly: in an IPv6 ACL the sequence number is attached at the end of the ACE.

image024

The last step in ACL configuration is to apply the ACL to an interface, which is done as follows.

image026

Note: At most four ACLs can be applied to an interface: two for IPv4 (one in, one out) and two for IPv6 (one in, one out).
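The IPv6 version of the Telnet filter, as an added example that is not the lab's own configuration. The list name, the IPv6 addresses (documentation prefix 2001:DB8::/32) and the interface are assumed.

```cisco
! Added example, not the lab's own config. Name, addresses and interface are assumed.
! No number and no standard/extended keyword; the sequence number goes at the END of the ACE.
ipv6 access-list BLOCK_TELNET_V6
 deny tcp host 2001:DB8:1::1 any eq 23 sequence 10
 permit ipv6 any any sequence 20
! IOS appends three implicit entries after yours: permit icmp any any nd-na,
! permit icmp any any nd-ns, then deny ipv6 any any. An explicit "deny ipv6 any any"
! placed before them would also break Neighbor Discovery on the link.
exit
! IPv6 uses "ipv6 traffic-filter", not "ip access-group", and counts separately
! toward the four-ACL-per-interface limit mentioned above.
interface GigabitEthernet1/0
 ipv6 traffic-filter BLOCK_TELNET_V6 in
```

Verify with show ipv6 access-list BLOCK_TELNET_V6, which prints the sequence numbers and match counters.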

Access Control Lists

We learned about ACLs in the CCENT course, but there we only tried to understand the standard ACL, which filters traffic by source IP address.

An ACL is basically a filtering mechanism that turns a router into a small firewall that inspects traffic and filters it.

Extended ACLs are the ones we are going to discuss here; they are very powerful because they can filter on IPs, ports, protocols, and more.

An important aspect of an ACL is the direction on the interface, inbound or outbound. Does it matter whether we apply it inbound or outbound?

The answer is yes, it does. Outbound filtering takes more processing: the router opens the packet, looks up the destination, sends the packet to the appropriate interface and performs the CRC, and only then is the packet filtered; if it must be dropped, all the work the router did was wasted.
Inbound filtering checks the packet before any of that happens, so a packet that must be dropped never enters the router's forwarding operations. This means less processing, which is why inbound filtering is recommended over outbound.

image002

In the case above, if we want to filter traffic from R1 to R4, the inbound and outbound interfaces are as shown.

Standard ACL

There are two parts to creating a completely new ACL: a list and an entry. When we create a filter we create an ACL and an ACE (access control entry). The list determines the type of ACL (standard or extended) and the entry defines the filter.
Note that when you add another rule to an existing ACL you create only an ACE.

We created the ACL to deny traffic from host 192.168.1.1 and from the entire network 192.168.0.0/24.

image004

image006

We have created two ACEs in an ACL and both entries deny traffic, but in the background there is another deny rule in the ACL, the so-called implicit deny, which resides at the end of the list and denies all traffic. So if we leave this ACL as it is, it will deny all traffic, not just that from 192.168.1.1 and 192.168.0.0/24.
We need to create a rule to allow some of the traffic.

image008

Now we have a good ACL that allows some traffic and denies some, but this is not enough: we have to attach it to an interface, and this is where we decide whether it applies inbound or outbound.
As we are using the diagram above and blocking traffic from R1 to R3 on R2, we attach it inbound.

image010

Now I have an ACL that tells the router: when traffic arrives on interface gig1/0, check it against the ACL, deny it if it comes from 192.168.1.1 or 192.168.0.0/24, and allow everything else.

Now what if I had set the direction to out on this interface? In that case the traffic would be received and routed on to R4, and only when R4 sent a packet back out through this interface would it be filtered; since that packet's source address would not match the filters, all the traffic would flow back and forth unhindered. This is why the direction is quite important.

Use a standard ACL when it does the job, because it is resource efficient. Extended ACLs are used because they are more flexible, offer a lot more control, and are easy to implement and understand as well.
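The standard ACL from this post, with the explicit permit that defeats the implicit deny and the inbound binding on gig1/0, as an added example that is not the lab's own configuration. The ACL number is assumed.

```cisco
! Added example, not the lab's own config. The ACL number is assumed.
! Standard ACL: source address only, first match wins, top to bottom.
access-list 10 deny host 192.168.1.1
access-list 10 deny 192.168.0.0 0.0.0.255
! Without this line the implicit "deny any" at the end would drop all other traffic too.
access-list 10 permit any
! Inbound on the interface facing R1: unwanted packets are dropped before routing.
interface GigabitEthernet1/0
 ip access-group 10 in
! Wrong direction for this goal: "ip access-group 10 out" on the same interface
! would only examine packets leaving toward R1, whose source is never 192.168.x,
! so every entry would miss and the traffic would flow both ways unhindered.
```

Check the result with show ip access-lists 10: the match counter on the deny entries climbs when R1 sends traffic, and the permit any counter shows everything else still passing.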

Using APIC-EM

image002

Advanced Policy Infrastructure Controller – Enterprise Module (APIC-EM) is a collection of tools, available through a web interface, for modern network operations. The Enterprise Module is one module from this set of tools, and it is designed to let you monitor your equipment and test and diagnose your network. The modules are installed on a centralized server, and the operations are then run through API (application programming interface) calls.

This technology can provide a testing environment for an enterprise network, where you can test your configuration before implementing it on the real network, and it also helps to roll changes out across the network.

DevNet Sandbox is a free sandbox from Cisco that gives you access to Cisco data center equipment for learning APIC-EM. The following link lets you access and reserve a sandbox.

https://developer.cisco.com/site/sandbox/

image004

APIC-EM is a great simulator for practicing new configurations; to learn more, watch the video demo for this topic.
