- Table of Contents
- Cisco Switching Black Book
- Introduction
- Overview
- Is This Book for You?
- How to Use This Book
- The Black Book Philosophy
- Chapter 1: Network Switching Fundamentals
- In Depth
- Physical Media and Switching Types
- A Bit of History
- Networking Architectures
- The Pieces of Technology
- Repeaters
- Hubs
- Bridges
- Routers
- Switches
- Network Design
- Collision Domains
- Broadcast Domains
- Why Upgrade to Switches?
- Switched Forwarding
- Switched Network Bottlenecks
- The Rule of the Network Road
- Switched Ethernet Innovations
- Fast Ethernet
- Gigabit Ethernet
- The Cisco IOS
- Connecting to the Switch
- Powering Up the Switch
- The Challenges
- Entering and Exiting Privileged EXEC Mode
- Entering and Exiting Global Configuration Mode
- Entering and Exiting Interface Configuration Mode
- Entering and Exiting Subinterface Configuration Mode
- Saving Configuration Changes
- Chapter 2: Basic Switch Configuration
- In Depth
- Campus Hierarchical Switching Model
- Access Layer
- Distribution Layer
- Core Layer
- Remote Network Monitoring
- Connecting to the Console Port
- Console Cable Pinouts
- Console Connectors
- Switch IOSs
- The IOS Configuration Modes
- Limiting Telnet Access
- Implementing Privilege Levels
- Setting the Login Passwords
- Setting Privilege Levels
- Assigning Allowable Commands
- Configuring the Hostname
- Configuring the Date and Time
- Configuring an IP Address and Netmask
- Configuring a Default Route and Gateway
- Configuring Port Speed and Duplex
- Enabling SNMP Contact
- Logging On to a Switch
- Setting the Login and Enable Passwords
- Changing the Console Prompt
- Entering a Contact Name and Location Information
- Configuring System and Time Information
- Configuring an IP Address and Netmask
- Configuring a Default Route and Gateway
- Viewing the Default Routes
- Configuring Port Speed and Duplex
- Enabling SNMP
- Configuring Trap Message Targets
- Configuring the Console Port
- Configuring Telnet
- Configuring the Password
- Configuring an IP Address and Default Gateway
- Configuring SNMP
- Configuring ROM
- Entering ROM Configuration Mode
- Booting ROM Mode from a Flash Device
- Configuring SNMP
- Configuring RMON
- Using Set/Clear Command Set Recall Key Sequences
- Chapter 3: WAN Switching
- In Depth
- WAN Transmission Media
- Synchronous Transport Signal (STS)
- Cisco WAN Switches
- MGX 8200 Series
- IGX 8400 Series
- WAN Switch Hardware Overview
- Cisco WAN Switch Network Topologies
- Network Management
- WAN Manager
- Accessing and Setting Up IGX and BPX Switches
- Adding New Users
- Using the History Command
- Displaying a Summary of All Card Modules
- Displaying Detailed Information for a Card Module
- Displaying the Power and Temperature of a Switch
- Displaying the ASM Statistics for BPX
- Configuring the ASM Setting for BPX
- Logging Out
- Resetting the Switch
- Displaying Other Switches
- Setting the Switch Name
- Setting the Time Zone
- Configuring the Time and Date
- Configuring the Control and Auxiliary Ports
- Modifying the Functions of the Control and Auxiliary Ports
- Configuring the Printing Function
- Configuring the LAN Interface
- Accessing the MGX 8850 and 8220
- Adding New Users
- Changing Passwords
- Assigning a Switch Hostname
- Displaying a Summary of All Modules
- Displaying Detailed Information for the Current Card
- Changing the Time and Date
- Displaying the Configuration of the Maintenance and Control Ports
- Displaying the IP Address
- Configuring the IP Interface
- Displaying the Alarm Level of the Switch
- Chapter 4: LAN Switch Architectures
- In Depth
- The Catalyst Crescendo Architecture
- ASICs
- The Crescendo Processors
- Crescendo Logic Units
- Other Cisco Switch Processors, Buses, ASICs, and Logic Units
- AXIS Bus
- CEF ASIC
- Phoenix ASIC
- SAGE ASIC
- QTP ASIC
- QMAC
- Bridging Types
- Source Route Bridging
- Source Route Transparent Bridging
- Source Route Translational Bridging
- Transparent Bridging
- Source Route Switching
- Switching Paths
- Process Switching
- Fast Switching
- Autonomous Switching
- Silicon Switching
- Optimum Switching
- Distributed Switching
- NetFlow Switching
- System Message Logging
- Loading an Image on the Supervisor Engine III
- Booting the Supervisor Engine III from Flash
- Setting the Boot Configuration Register
- Configuring Cisco Express Forwarding
- Enabling CEF
- Disabling CEF
- Enabling dCEF
- Disabling dCEF
- Disabling CEF on an Individual Interface
- Configuring CEF Load Balancing
- Disabling CEF Load Balancing
- Enabling Network Accounting for CEF
- Setting Network Accounting for CEF to Collect Packet Numbers
- Viewing Network Accounting for CEF Statistics
- Viewing the Adjacency Table on the 8500 GSR
- Clearing the Adjacency Table on the 8500 GSR
- Clearing the Server Logging Table
- Disabling Server Logging
- Displaying the Logging Configuration
- Displaying System Logging Messages
- Chapter 5: Virtual Local Area Networks
- In Depth
- The Flat Network of Yesterday
- Why Use VLANs?
- VLAN Basics
- A Properly Switched Network
- Switched Internetwork Security
- Scaling with VLANs
- VLAN Boundaries
- VLAN Membership Types
- Traffic Patterns Flowing through the Network
- VLAN Trunking
- Trunk Types
- LAN Emulation (LANE)
- VLAN Trunking Protocol (VTP)
- VTP Versions
- VTP Advertisements
- VTP Switch Modes
- Methods for VLAN Identification
- Dynamic Trunking Protocol
- InterVLAN Routing
- Internal Route Processors
- How InterVLAN Routing Works
- Configuring a Static VLAN on a Catalyst 5000 Series Switch
- Configuring Multiple VLANs on a Catalyst 5000 Series Switch
- Creating VLANs on a Catalyst 1900EN Series
- Assigning a Static VLAN to an Interface on a 1900EN Series
- Viewing the VLAN Configuration on a 1900 Series
- Viewing an Individual VLAN Configuration on a 1900 Series
- Configuring a Trunk Port on a Cisco 5000 Series
- Mapping VLANs to a Trunk Port
- Configuring a Trunk Port on a Cisco 1900EN Series
- Clearing VLANs from Trunk Links on a Cisco 5000 Series
- Clearing VLANs from Trunk Links on a Cisco 1900EN Series
- Verifying a Trunk Link Configuration on a 5000 Series
- Verifying a Trunk Link Configuration on a 1900EN Series
- Configuring the VTP Version on a Catalyst 5000 Switch
- Configuring a VTP Domain on a Catalyst 1900 Switch
- Setting a VTP Domain Password on a Catalyst Switch
- Configuring a Catalyst 1900 Switch as a VTP Server
- Configuring a Catalyst 1900 Switch as a VTP Client
- Configuring a Catalyst 1900 Switch for Transparent Mode
- Configuring VTP Pruning on a Catalyst 1900 Switch
- Configuring VTP on a Set/Clear CLI Switch
- Configuring VTP on a 1900 Cisco IOS CLI Switch
- Verifying the VTP Configuration on a Set/Clear CLI
- Displaying VTP Statistics
- Configuring VTP Pruning on a Set/Clear CLI Switch
- Disabling Pruning for Unwanted VLANs
- Configuring IP InterVLAN Routing on an External Cisco Router
- Configuring IPX InterVLAN Routing on an External Router
- In Depth
- Internal Route Processors
- Available Route Processors
- Routing Protocol Assignment
- Supervisor Engine Modules
- Supervisor Engines I and II
- Supervisor Engine III
- Using the Supervisor Engine
- Etherport Modules
- Port Security
- Manually Configured MAC Addresses
- Determining the Slot Number in Which a Module Resides
- Accessing the Internal Route Processor from the Switch
- Configuring a Hostname on the RSM
- Assigning an IP Address and Encapsulation Type to an Ethernet Interface
- Setting the Port Speed and Port Name on an Ethernet Interface
- Configuring a Default Gateway on a Catalyst 5000
- Verifying the IP Configuration on a Catalyst 5000
- Enabling RIP on an RSM
- Configuring InterVLAN Routing on an RSM
- Configuring IPX InterVLAN Routing on the RSM
- Configuring AppleTalk InterVLAN Routing on an RSM
- Viewing the RSM Configuration
- Assigning a MAC Address to a VLAN
- Viewing the MAC Addresses
- Configuring Filtering on an Ethernet Interface
- Configuring Port Security on an Ethernet Module
- Clearing MAC Addresses
- Configuring the Catalyst 5000 Supervisor Engine Module
- Changing the Management VLAN on a Supervisor Engine
- Viewing the Supervisor Engine Configuration
- Configuring the Cisco 2621 External Router for ISL Trunking
- Configuring Redundancy Using HSRP
- Chapter 7: IP Multicast
- In Depth
- IP Multicasting Overview
- Broadcast
- Unicast
- Multicast
- IP Multicasting Addresses
- The Multicast IP Structure
- Delivery of Multicast Datagrams
- Multicast Distribution Tree
- Multicast Forwarding
- IGMP Protocols
- Internet Group Management Protocol (IGMP)
- IGMPv1
- IGMPv2
- Time to Live
- Multicast at Layer 2
- IGMP Snooping
- Cisco Group Management Protocol
- Router Group Management Protocol
- GARP Multicast Registration Protocol
- Configuring IP Multicast Routing
- Disabling IP Multicast Routing
- Enabling PIM on an Interface
- Disabling PIM on an Interface
- Configuring the Rendezvous Point
- Adding a Router to a Multicast Group
- Configuring a Router to Be a Static Multicast Group Member
- Restricting Access to a Multicast Group
- Changing the IGMP Version
- Configuring Multicast Groups
- Removing Multicast Groups
- Configuring Multicast Router Ports
- Displaying Multicast Routers
- Removing the Multicast Router
- Configuring IGMP Snooping
- Disabling IGMP Snooping
- Displaying IGMP Statistics
- Displaying Multicast Routers Learned from IGMP
- Displaying IGMP Multicast Groups
- Configuring CGMP
- Disabling CGMP
- Displaying CGMP Statistics
- Configuring RGMP on the Switch
- Disabling RGMP on the Switch
- Configuring RGMP on the Router
- Disabling RGMP on the Router
- Displaying RGMP Groups
- Displaying RGMP VLAN Statistics
- Configuring GMRP
- Disabling GMRP
- Enabling GMRP on Individual Ports
- Disabling GMRP on Individual Ports
- Configuring GMRP Registration
- Displaying the GMRP Configuration
- Setting GMRP Timers
- Displaying GMRP Timers
- Disabling Multicast Suppression
- Chapter 8: WAN Cell Switching
- In Depth
- ATM Overview
- LANE
- ATM Protocols
- ATM Circuit Switching
- ATM Cells
- The ATM Switch and ATM Endpoints
- The ATM Reference Model
- Specifying ATM Connections
- ATM Addressing
- Local Area Network Emulation (LANE)
- LANE Components
- Integrated Local Management Interface (ILMI)
- LANE Communication
- LANE Configuration Guidelines
- How LANE Works
- Implementing LANE
- Configuring ATM on the 5000 Switch
- Connecting in an ATM Network
- Monitoring and Maintaining LANE
- Accessing the ATM LANE Module
- Displaying the Selector Field
- Configuring the LES/BUS
- Verifying the LES/BUS Configuration
- Configuring a LEC for an ELAN
- Verifying a LEC Configuration on an ELAN
- Configuring the LECS
- Viewing the LANE Database
- Binding the LECS Address to an Interface
- Verifying the LECS Configuration
- Chapter 9: LightStream Switches
- In Depth
- LightStream 100
- LightStream 1010
- LightStream 2020
- Neighborhood Discovery Function
- Virtual Path Connections
- LightStream Troubleshooting Tools
- LightStream Boot Process
- Supported Troubleshooting Protocols
- Snooping Mechanisms
- Multiprotocol Over ATM
- Configuring the Hostname
- Configuring an Enable Password
- Configuring the Processor Card Ethernet Interface
- Configuring Virtual Private Tunnels
- Verifying an ATM Interface Connection Status
- Viewing the Configured Virtual Connections
- Configuring the LECS ATM Address on a LightStream 1010 Switch
- Configuring the Advertised LECS Address
- Viewing the LANE Configuration
- Viewing the Installed Modules
- Configuring the MPC
- Configuring the MPS
- Changing the MPS Variables
- Monitoring the MPS
- Enabling ILMI Autoconfiguration
- Configuring LANE on a LightStream 1010
- Powering on the LightStream 100 ATM Switch
- Configuring the LS100 Switch
- Recovering a Lost Password
- Chapter 10: Layer 2 Redundant Links
- In Depth
- Layer 2 Switching Overview
- Frames
- Broadcast and Multicast Frames
- Unknown Unicasts
- Layer 2 Network Loops
- Danger! Data Loops!
- STP Root Bridges
- Bridge Protocol Data Units
- Root Bridge Selection
- Spanning Tree Convergence Time
- STP Port States
- EtherChannel
- Link Failure
- Port Aggregation Protocol
- Fast Convergence Components of STP
- PortFast
- UplinkFast
- BackboneFast
- Viewing the STP Configuration on a Command Line Switch
- Configuring the STP Root Switch
- Configuring the STP Secondary Root Switch
- Verifying the VLAN Priority Settings
- Preparing to Enable EtherChannel
- Verifying the EtherChannel Configuration
- Defining an EtherChannel Administrative Group
- Viewing an EtherChannel Administrative Group
- Identifying the Template Port
- Verifying the EtherChannel Configuration on a Command Line Interface IOS
- Verifying the PortFast Configuration
- Verifying the UplinkFast Configuration
- Viewing the BackboneFast Configuration
- Chapter 11: Multilayer Switching
- In Depth
- How MLS Works
- MLS Components
- MLS Flows
- Access List Flow Masks
- MLS Troubleshooting Notes
- Configuring MLS
- MLS Cache
- Aging Timers
- VLAN ID
- VTP Domain
- Management Interfaces
- Configuring an External MLS Route Processor
- Assigning a VLAN ID
- Adding an MLS Interface to a VTP Domain
- Enabling MLS on an Individual Interface
- Disabling MLS on an External Router Interface
- Configuring the MLS Switch Engine
- Disabling MLS on a Catalyst 6000
- Disabling MLS on a Catalyst 5000
- Configuring the MLS Cache on the Catalyst 5000
- Configuring Fast Aging on a Catalyst 5000
- Configuring Fast Aging on a Catalyst 6000
- Disabling Fast Aging on a Catalyst 6000
- Configuring Long Aging on the Catalyst 6000
- Disabling Long Aging on the Catalyst 6000
- Configuring Normal Aging on the Catalyst 6000
- Disabling Normal Aging on the Catalyst 6000
- Assigning MLS Management to an Interface on the Catalyst 5000
- Disabling MLS Management on an Interface on the Catalyst 5000
- Monitoring and Viewing the MLS Configuration
- Viewing the MLS Aging Configuration on a Catalyst 6000
- Displaying the IP MLS Configuration
- Displaying MLS VTP Domain Information
- Viewing the MLS VLAN Interface Information
- Viewing MLS Statistics on the Catalyst 5000
- Viewing MLS Statistics on the Catalyst 6000
- Viewing MLS Entries
- Chapter 12: Hot Standby Routing Protocol
- In Depth
- Routing Problems
- Routing Information Protocol
- Proxy ARP
- ICMP Router Discovery Protocol
- The Solution
- HSRP Message Format
- The HSRP States
- HSRP Configuration
- HSRP Interface Tracking
- Opening a Session on an Internal Route Processor
- Entering Configuration Mode on an RSM
- Enabling HSRP and Assigning an IP Address to a Standby Group
- Assigning an HSRP Interface Priority
- Assigning a Preempt Delay to a Standby Group
- Removing a Preempt Delay from a Standby Group
- Setting the HSRP Hello and Hold Timers
- Removing the HSRP Hello and Hold Timers
- Configuring Two RSFC Interfaces as One HSRP Group
- Enabling Interface Tracking
- Using the show standby Command
- Using the debug Command
- Chapter 13: Policy Networking
- In Depth
- Access Security Policies
- Core Layer Policies
- Distribution Layer Policies
- Security at the Access Layer
- Configuring Passwords
- Limiting Telnet Access
- Implementing Privilege Levels
- Configuring Banner Messages
- Physical Device Security
- Port Security
- VLAN Management
- Creating a Standard Access List
- Creating an Extended Access List
- Implementing Privilege Levels on a 1900EN
- Configuring Banner Messages
- Enabling HTTP Access
- Enabling Port Security
- Displaying the MAC Address Table
- Chapter 14: Web Management
- In Depth
- Standard and Enterprise Edition CVSM
- CVSM Client Requirements
- CVSM Access Levels
- CVSM Default Home Page
- The Switch Image
- Configuring the Switch with an IP Address and Setting the Default Web Administration Port
- Connecting to the Web Management Console
- Configuring the Switch Port Analyzer
- Chapter 15: The Standard Edition IOS
- In Depth
- The 1900 and 2820 Series Switches
- Main Menu Choices
- [C] Console Settings
- [A] Port Addressing
- [R] Multicast Registration
- Configuring Network Settings on the 1900 and 2820 Series
- Configuring Broadcast Storm Control on Switch Ports
- Configuring SNMP on the 1900 Series
- Configuring Port Monitoring on the Standard Edition IOS
- Configuring VLANs on the Standard Edition IOS
- Configuring Spanning Tree Protocol
- Chapter 16: Switch Troubleshooting
- In Depth
- Hardware Troubleshooting
- No Power
- POST
- Indicator Lights
- Switch Cabling
- Cable Problems
- Switch Troubleshooting Tools
- CiscoWorks for Switched Internetworks
- IOS Software Troubleshooting Commands
- Viewing the Set/Clear IOS Configuration
- Viewing the VTP Domain Configuration on a Set/Clear IOS
- Viewing Port Statistics on a Set/Clear IOS
- Launching the Diagnostic Console on a Cisco 1900 or 2820 Series Switch
- Using the Diagnostic Console to Upgrade the Firmware on a Cisco 1900 or 2820 Series Switch
- Using the Diagnostic Console for Debugging the Firmware and Hardware
- Appendix A: Study Resources
- Books
- Cisco Group Study and Users Groups
- Online Resources
- Asynchronous Transfer Mode
- Cisco IOS
- Hot Standby Router Protocol
- IP Multicast
- Multilayer Switching
- Quality of Service
- Spanning Tree Protocol
- TACACS+
- VLANs
- Standards Organizations
- Cisco Job Search Sites
- Overview
- Appendix C: The Cisco Consultant
- Overview
- Establishing Credibility
- Come Off As an Expert
- Designing a Solution
- Estimating the Cost
- Presenting the Final Proposal and Creating Expectations
- Contracting
- Document, Document, Document
- The Way to Fail
- Failing to Be There When Promised, or Rushing through the Job
- Failing to Manage Your Time
- Assuming You Know What the Customer Needs
- Failing to Take Responsibility
- Conclusion
- Required Equipment
- Lab Objectives
- Possible Solution
- The 1912 Basic Configuration
- The Catalyst 5000 Basic Configuration
- Configuring the Cisco 2621 Interface for ISL Trunking
- Appendix E: Switch Features
- Access Layer Switches
- Cisco Catalyst 1900
- Cisco Catalyst 2820
- Cisco Catalyst 2900
- Cisco Catalyst 3000
- Cisco Catalyst 3500 Series XL
- Cisco Catalyst 3900 Series
- Distribution Layer Switches
- Cisco Catalyst 4000 Series
- Catalyst 5000 Series
- Catalyst 6000 Series
- Core Layer/WAN Switches
- Cisco Catalyst 8400 Series
- Cisco Catalyst 8500 Series
- BPX 8600 Series
- MGX 8800 Series
- 12000 Series Gigabit Switch Routers
Chapter 13: Policy Networking
In Depth
Behind all switching implementations and configurations lies an area that, if left unattended, can render you and your network defenseless: access security policies. In this chapter, we will discuss the need for and creation of access security policies; we will also focus on how to implement these policies.
Security is one of the most important functions in today’s networks. Without it, competitors would have access to various data warehouses, and hackers and common users would have an open invitation to your network. With e-commerce booming, the need to strengthen network security in order to reduce network intrusion and network vulnerabilities becomes increasingly important.
Note You can never count on network and data security even if it is in place, because it’s only as secure as you make it. To implement strong security measures, you must begin at the physical device and extend them throughout your entire network.
Once access policies have been created, it’s a great advantage to you, as the network administrator, to know how to implement these policies and how to distribute them. The following sections will cover this material in depth and explain how it relates to Internet Protocol (IP) switching and routing.
Access Security Policies
An access security policy is designed to help define what your network needs in order to be secure from all possible intrusions. Creating this policy for your business or entity allows you, as the network administrator, to provide service-level agreements (SLAs) based on a set of defined traffic and security standards.
An access security policy should define the following:
∙The physical security of all the devices in the network
∙Control of user access to the network through the implementation of virtual LANs (VLANs) and port security
∙What traffic should be allowed in and out of the network
∙Route filters to determine the data that should be sent through the network and what route filters should be applied at the Distribution layer
∙User groups that have access to each area of the network
∙Types of access each user group should have to the network
Each layer of the network has a different function and applies policies differently. Figure 13.1 shows the policies and switches found at each layer of the network. Policies defined in the access security policy need to be applied to all the devices in your network. In the following sections, we will address how security should be applied at each individual layer of the network.
Figure 13.1: A short list of various switches overlapping into different areas of the policy layers.
Core Layer Policies
By implementing security policies at the Core layer, also known as the backbone, you increase the elapsed amount of time between when a device requests access to a network and when it is allowed to transmit because of the amount of processing that is done on the switch. The job of the Core layer is to pass traffic as quickly as possible. Policies should be applied at the Access and Distribution layers before the data reaches this level. The Core layer should rely on the other two layers to provide filtering and security policies.
Note According to Cisco, the only policies at the Core layer should relate to Quality of Service (QoS)—features that allow for lower processing on the switch processor. This allows for a guarantee of a particular level of service for a given connection. Limiting policies this way will aid in congestion management and congestion avoidance.
Distribution Layer Policies
The Distribution layer is the primary layer for implementing security access policies. Implementation at this layer can be as simple as applying policy blocking to workgroups, or as complex as defining which paths different types of data should take through the network. The Distribution layer is also responsible for advertising correct routes, blocking identified traffic, and limiting the amount of data sent to the Core layer.
Note When you configure route summarization and distribution lists at the Distribution layer, they may have an adverse effect on the Core layer—mainly in the form of increased latency. Be sure you have a firm understanding of what you want to accomplish when configuring these policies.
As the demarcation point between the Access and Core layers, the Distribution layer is the perfect location in the network to administer most of your policies. At this layer, you will define which resources and routes are to be sent to the Core layer, as well as what traffic should be allowed in or out of a switch block.
A good policy at this layer ensures that no unnecessary traffic or incorrect routes will be advertised to the Core layer. A good Distribution layer policy should define the following:
∙User traffic that can span different VLANs—This policy can be defined by applying access lists to identified interfaces to permit or deny certain data traffic.
∙Routes that should be seen by the core switch block—These can be defined by applying distribution lists, which are another form of access lists.
∙Services that will ultimately be advertised to the rest of the network—These services include the Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP).
In this section, we will cover the following issues relating to the Distribution layer of the network:
∙Access lists
∙Managing virtual terminal access
∙Managing Hypertext Transfer Protocol (HTTP) access
Access Lists
An access list is a list of conditions that control access to the switch, router, or route processor. IP, AppleTalk, and Internetwork Packet Exchange (IPX) access lists act as gatekeepers that control traffic to or from different segments of the network. After you build an access list, you apply it to an interface in the inbound or outbound direction. Once it has been applied to the interface, an implied “deny all” sits at the end of the list, so traffic that matches no entry is dropped.
Packets are filtered by comparing a field in the packet against the value in each statement and then acting on that statement’s permit or deny. The list compares the packet’s header information (such as the source and destination addresses) to the values in your access list. If a match is made, the list carries out that statement’s permit or deny. If a packet is denied, an Internet Control Message Protocol (ICMP) message is sent to the source address in the packet header, notifying the sender that the packet has been denied.
In Figure 13.2, the source address of 10.1.128.6 is trying to send a data packet to 10.1.128.10. Because the configured access list doesn’t contain a permit statement for the source address, the access list automatically denies the packet.
Figure 13.2: The request from x.x.128.6 to x.x.128.10 encounters an access list with no permit statement applied to the interface. As a result, the request is denied.
Before you apply an access list from the management station you are currently using (over the console port or a virtual terminal port), always check that a permit statement for that management station appears near the top of the list. You won’t believe how many times we have had to deal with an administrator who is unfamiliar with access lists and who has locked himself out of his own internal or external route processor.
Tip It is important to remember that an access list is read in the order that it is configured. Here’s an analogy: Suppose you’re walking down a lane in a parking lot, looking for your car. Once you find your car, you don’t continue looking. Access lists work the same way—if the access list makes a match, it does not continue looking for further instructions.
Access List Types
There are two types of access lists: standard and extended. Both types permit or deny based on certain criteria. The standard access list allows a permit or deny statement based only on the source address. The extended access list is a bit more complex—it allows you to permit or deny based on the source address, destination address, protocol type, application type, or port number of the packet.
Standard IP and IPX access lists are the easiest to configure. The configuration statement requires an access list number, a permit or deny keyword, and then the source address. The statement permits or denies packets originating from the identified source address through the interface to which the access list is applied. Let’s take a look at an example of permitting the source address from Figure 13.2 on access list 2:
CAT5KRSM(config)# access-list 2 permit 10.1.128.6
To identify a subnet in one statement, use a wildcard value after the IP address. If a wildcard value is not present, the source address must match completely. The wildcard value looks a lot like a subnet mask. A 0 in the wildcard string indicates that the value must match exactly in the same octet as the IP address; the value 255 allows any number in the corresponding octet of the IP address to be used. Let’s look at the following access list string as an example:
access-list 2 permit 193.5.5.10 0.0.0.255 log
Tip An octet is the 8-bit value between each dotted decimal in an IP address. For the IP address 193.5.5.10, the first octet is 193 and the fourth octet is 10. It is always important to remember which octet you want to mask.
The 0.0.0 of the wildcard address means that the first three octets of the source interface’s IP address must exactly match the first three octets of the network portion of the Class C IP address: 193.5.5. Because the last octet is 255, the last octet of the source interface of received data can be any value. This statement means that any host address with the network ID 193.5.5 will be permitted. Based on this IP scheme, you may be using variable-length subnet masks (VLSM).
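As an added example (not code from the book), the following Python walks a standard IP access list the way this section describes it: wildcard bits that are 0 must match, bits that are 1 are ignored, the first matching entry wins, and anything that falls off the end hits the implied “deny all”. It also carries out the lockout check recommended above; the list is built from the two statements quoted in this section, and the function names are the example’s own.

```python
"""Standard IP access list evaluation: wildcard (inverse) masks, first-match
processing and the implied "deny all" at the end of every list.

Added example, not the book's code. The access list below is constructed
from the two statements the chapter quotes for access list 2.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class StdEntry(NamedTuple):
    number: int       # access-list number, 1-99 for IP standard
    action: str       # "permit" or "deny"
    source: int       # source address as a 32-bit integer
    wildcard: int     # wildcard mask as an integer; 0 means "match exactly"
    log: bool


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is a don't-care.
    Masking both sides with the inverted wildcard keeps only the bits that matter."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def parse_standard(line: str) -> StdEntry:
    """Parse 'access-list N {permit|deny} SRC [WILDCARD] [log]'.
    The 'any' keyword is shorthand for 0.0.0.0 255.255.255.255."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list entry: {line!r}")
    number = int(tokens[1])
    if not 1 <= number <= 99:
        raise ValueError(f"standard IP access lists are numbered 1-99, got {number}")
    rest = tokens[3:]
    log = False
    if rest and rest[-1] == "log":
        log = True
        rest = rest[:-1]
    if rest[0] == "any":
        source, wildcard = 0, 0xFFFFFFFF
    else:
        source = int(ipaddress.IPv4Address(rest[0]))
        # With no wildcard present the source address must match completely.
        wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return StdEntry(number, tokens[2], source, wildcard, log)


def evaluate(entries: List[StdEntry], src: str) -> Tuple[str, Optional[StdEntry]]:
    """Walk the list top to bottom and stop at the first match (the parking-lot
    rule). Falling off the end hits the implied 'deny all', which has no entry."""
    addr = int(ipaddress.IPv4Address(src))
    for entry in entries:
        if wildcard_match(addr, entry.source, entry.wildcard):
            return entry.action, entry
    return "deny", None


def lockout_risk(entries: List[StdEntry], mgmt_station: str) -> bool:
    """True if applying this list would cut off the management station you are
    configuring from: no permit entry matches it before a deny (or the implied deny)."""
    action, _ = evaluate(entries, mgmt_station)
    return action != "permit"


# Constructed access list 2, built from the chapter's two example statements.
ACL_2 = [parse_standard(l) for l in (
    "access-list 2 permit 10.1.128.6",
    "access-list 2 permit 193.5.5.10 0.0.0.255 log",
)]

if __name__ == "__main__":
    for host in ("10.1.128.6", "10.1.128.7", "193.5.5.200", "193.5.6.1"):
        action, hit = evaluate(ACL_2, host)
        where = f"line {ACL_2.index(hit) + 1}" if hit else "implied deny all"
        print(f"{host:<12} -> {action} ({where})")
    print("management station 10.1.128.7 locked out:", lockout_risk(ACL_2, "10.1.128.7"))
```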
To identify IP addresses that can be used within your chosen subnet mask, you must use the correct inverse address to identify those addresses. Table 13.1 shows the possible wildcard inverse addresses matched to the subnet mask.
Table 13.1: Possible wildcard inverse addresses.

| Mask | Wildcard Inverse Address |
|------|--------------------------|
| 255 | 0 |
| 254 | 1 |
| 252 | 3 |
| 248 | 7 |
| 240 | 15 |
| 224 | 31 |
| 192 | 63 |
| 128 | 127 |
| 0 | 255 |
There is an easy way to figure out the wildcard inverse mask for your access list, or the first network available with any subnet mask. Always remember the magic number of 256: subtract the interesting octet of the network mask from it, and then subtract 1. For example, with 255.255.255.192, take the 192 and subtract it from the magic number of 256; you get 64, which is your first network. Subtract one more and you get 63, the inverse wildcard mask for your access list identifying the network.
Here’s another example. Say you have a class C subnet mask of 255.255.255.224. Subtract 224 from the magic number of 256 and you get the first valid network of 32. Subtract 1 and you get the network inverse mask of 31.
You can use the same magic number to subnet. Let’s say you want to know the first and second networks of a 30-bit mask, which is commonly used on point-to-point WAN links in order to conserve IP addresses. This is a mask of 255.255.255.252. Taking the magic number of 256 and subtracting 252, we get the number 4, which is our first valid network number. This time, instead of subtracting one, multiply by 2 and you get your second valid network, which is 8. This means that your valid hosts are 5 and 6 and your broadcast address is 7. We have just created a network with two hosts and wasted no IP addresses.
Let’s look at another example using 255.255.255.240, which is a 28-bit mask. Table 13.2 shows the first three valid networks, the network numbers, the valid hosts for each network, and the broadcast address for each subnetted network.
Table 13.2: Example of subnetting 255.255.255.240.

| Item | Network 1 | Network 2 | Network 3 |
|------|-----------|-----------|-----------|
| Network | 16 | 32 | 48 |
| First Host | 17 | 33 | 49 |
| Last Host | 30 | 46 | 62 |
| Broadcast Address | 31 | 47 | 63 |
Subnetting using variable length subnet masks (VLSM) seems pretty easy, doesn’t it?
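Added example (not the book’s code): the magic-number arithmetic above carried through in Python, so that it reproduces Tables 13.1 and 13.2 and generalizes to any mask octet or prefix length. The function names are the example’s own.

```python
"""The chapter's 'magic number' method: 256 minus the interesting octet of a
subnet mask gives the block size (and so the first subnet); one less gives the
wildcard inverse mask; multiples of the block size give the following subnets.

Added example, not the book's code.
"""
from typing import Dict, List

MAGIC = 256


def inverse_octet(mask_octet: int) -> int:
    """Wildcard (inverse) value for one mask octet, e.g. 192 -> 63 (Table 13.1)."""
    if not 0 <= mask_octet <= 255:
        raise ValueError("mask octet out of range")
    return MAGIC - mask_octet - 1


def block_size(mask_octet: int) -> int:
    """Size of one subnet in the interesting octet, which is also the first
    valid subnet, e.g. 252 -> 4, 224 -> 32. A 0 octet gives 256: not subnetted."""
    if not 0 <= mask_octet <= 255:
        raise ValueError("mask octet out of range")
    return MAGIC - mask_octet


def subnets(mask_octet: int, count: int) -> List[Dict[str, int]]:
    """First `count` subnets in the interesting octet, laid out as Table 13.2:
    network, first host, last host and broadcast, all as values of that octet.
    Subnet zero is skipped, as the chapter does, so Network 1 starts at one block."""
    size = block_size(mask_octet)
    rows = []
    for i in range(1, count + 1):
        network = size * i
        if network + size - 1 > 255:
            break  # ran off the end of the octet
        rows.append({
            "network": network,
            "first_host": network + 1,
            "last_host": network + size - 2,
            "broadcast": network + size - 1,
        })
    return rows


def wildcard_for_mask(mask: str) -> str:
    """Full dotted wildcard for a dotted mask: 255.255.255.192 -> 0.0.0.63."""
    return ".".join(str(inverse_octet(int(o))) for o in mask.split("."))


def mask_from_prefix(prefix_len: int) -> str:
    """Dotted mask from a prefix length: 30 -> 255.255.255.252, 28 -> 255.255.255.240."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    bits = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    # Table 13.1
    for m in (255, 254, 252, 248, 240, 224, 192, 128, 0):
        print(f"mask {m:>3} -> wildcard {inverse_octet(m)}")
    # Table 13.2 for the 28-bit mask, plus the 30-bit WAN-link case
    for prefix in (28, 30):
        mask = mask_from_prefix(prefix)
        last_octet = int(mask.split(".")[-1])
        print(f"/{prefix} = {mask}, wildcard {wildcard_for_mask(mask)}")
        for row in subnets(last_octet, 3):
            print("   ", row)
```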
The type of access list defined is identified by the number you assign to the access list. Table 13.3 identifies the types of access lists that can be configured, along with the associated string of numbers that can be used with each type.
Table 13.3: The available access list numbers and the associated access list types.

| Available Numbers | Access List Type |
|-------------------|------------------|
| 1 through 99 | IP standard |
| 100 through 199 | IP extended |
| 200 through 299 | Protocol-Type-Code |
| 300 through 399 | DECnet |
| 600 through 699 | AppleTalk |
| 700 through 799 | 48-bit Media Access Control (MAC) address |
| 800 through 899 | IPX standard |
| 900 through 999 | IPX extended |
| 1000 through 1099 | IPX Service Advertising Protocol (SAP) |
| 1100 through 1199 | Extended 48-bit MAC address |
| 1200 through 1299 | IPX summary address |
Extended access lists use many of the same configuration rules as standard access lists. An extended access list allows filtering based on source address, destination address, protocol type, application, or TCP port number.
Note Just as in standard access lists, an implied “deny all” exists at the end of each extended access list.
The IP extended access list command is more complex than the standard access list command and offers many more options. The IP extended access list syntax is shown here:
access-list access-list-number {deny|permit} {protocol type} source-address source-wildcard destination-address destination-wildcard [protocol specific options|operator] [log]
Tip You can use the keyword any in place of a source or destination address and its wildcard; any implies all addresses. In IPX access lists, -1 is the equivalent of any.
Let’s take a look at the syntax elements for the IP extended access list that are not included in the standard access list:
• access-list-number: For an IP extended access list, the range of possible numbers is 100 to 199.
• deny|permit: permit indicates that traffic matching the entry will be allowed in or out of an interface. deny indicates that the data will be dropped and an ICMP message will be sent to the source address.
• protocol type: This syntax element indicates the protocol to match. Possible options include eigrp, icmp, igrp, ip, nos, ospf, tcp, udp, or any IP protocol number from 0 to 255.
Tip The protocol keyword ip matches all protocol types.
• operator: This syntax element compares source or destination ports. Possible operators are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
• log: This keyword enables logging of information about packets that match access list entries.
Warning The log command is optional and logs information about all packets that match the access list entry. Enabling this feature uses considerable processing power. You should use it for troubleshooting purposes only.
Let’s take a look at the any parameter:
CAT5KRSM(config)# access-list 199 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 gt 255
CAT5KRSM(config)# access-list 199 permit tcp any any gt 255
The first line permits any incoming IP address to any destination using any TCP port greater than port 255. The second line does the same thing, but replaces the source, destination, and wildcard addresses with the any command.
Now, let’s examine how well−known TCP ports can work:
CAT5KRSM(config)# access-list 199 permit tcp any any eq 25
CAT5KRSM(config)# access-list 199 permit tcp any any eq smtp
The first line indicates that access list 199 permits any address to enter the interface for TCP port 25, which is the well−known TCP port for Simple Mail Transfer Protocol (SMTP). The second line does the same thing, but instead of using the TCP port number, it uses the acronym.
The host syntax indicates a single host, as shown in the source address in this example:
CAT5KRSM(config)# access-list 199 permit tcp host 38.187.128.6 any eq smtp
The following example permits User Datagram Protocol (UDP) packets with a DNS name as the destination:
CAT5KRSM(config)# access-list 199 permit udp any eq domain any
You can add a message in your access list by using the remark command. This command can help you identify lines in your access list. The following is an example of using the remark command:
CAT5KRSM(config)# access-list 1 remark Sabrina’s IP Address
CAT5KRSM(config)# access-list 1 permit 18.1.12.25
CAT5KRSM(config)# access-list 1 remark Hanson’s IP Address
CAT5KRSM(config)# access-list 1 deny 18.1.12.26
To remove a remark, use a command like the following:
CAT5KRSM(config)# no access-list 5 remark Sean’s IP address
Applying Access Lists
Access lists are created in various ways. Once they’re created, you can use different commands to apply an access list to various types of interfaces.
Tip To disallow the flow of data through any port or interface, use the in syntax. To allow data to flow through the switch but not exit out a certain interface or port, use the out syntax on the outbound interface.
The following list shows the different commands and the types of interfaces associated with each command:
• access-class: Applies the access list to a line for security purposes. This command identifies which users may reach the specified VTY lines. By default, five VTY lines come in to your Cisco Internetwork Operating System (IOS) switch or router. Because you do not know which one you will be using when you Telnet into your switch or router, you must apply the same access list to all of the VTY lines.
• access-group: Allows you to apply an access list configured in Global Configuration mode to an interface, where it filters data traffic based on source address, destination address, or many other protocol identifiers. For example, if a standard access list has been created and numbered access list 2 in Global Configuration mode and you want to deny traffic for the source address identified in the access list, use the command ip access-group 2 followed by either in or out. The in or out keyword indicates whether data will be filtered as it enters or exits the interface.
• distribute-list: Identifies the routing update information to which the rules apply, allowing the switch to learn new routes or advertise known routes to other routers or route processors. This is used in the (config-router) command mode when enabling a routing protocol.
• ipx output-sap-filter: Allows the applied access list to determine what IPX protocol services will be advertised in or out of an interface.
Applying Access Lists to Route Filtering
By controlling the routing tables at the Core layer, you can limit the size of the tables on your network devices. Doing so allows the switches to process data more quickly, prevents users from getting to networks that do not have a default or static route, and maintains routing information integrity.
To do this, apply an access list using the distribute-list command. After creating a standard access list, you can apply it to an inbound or outbound interface. The following is the distribute-list command and the syntax for an inbound interface:
distribute-list {access-list-number|name} in [type number]
Here is the syntax when using the distribute-list command to apply an access list to an outbound interface:
distribute-list {access-list-number|name} out [interface name|routing process|autonomous system number]
Figure 13.3 shows a standard Class C network in which two subnets intersect at the Distribution layer switch. Subnet 128 belongs to a production network, and subnet 129 is used only for testing and development of new LAN topologies. We want subnet 128 to be permitted through to the Core layer on Gigabit Ethernet port g0/0, which connects to the Core layer switch. The second network is used for testing purposes only, so the access list should block any traffic from that subnet from reaching the Core layer switches. For this scenario, we will assume there are no other subnets in our switch block to contend with.
Figure 13.3: Two Class C IP subnets connected from the Access layer to the Distribution layer switch.
Let’s create an access list that allows traffic from network 192.128.0.0 but denies traffic from network 192.129.0.0. Use the following command, keeping in mind that an implied “deny all” exists at the end of our access list:
access-list 2 permit 192.128.0.0 0.0.255.255