Cisco


Access Control list:
A list used for controlling traffic on Cisco devices.

Overview
In general, ACLs are used to control access to objects such as files and other resources; on a Cisco router, access lists control the flow of packets through the router. They do this by examining criteria such as the source address, destination address or port number in a packet's header and then either forwarding the packet or blocking it from passing through the device.

There are two types of access list:
1. Standard access list (matches on the source address only)
2. Extended access list (matches on source address, destination address, port number and protocol)

Access lists are configured to block traffic from the source addresses of malicious systems or networks.

Implementation:
Access lists on Cisco routers can be created and configured for each router interface. To control traffic flow through the router, we can apply two separate access lists to a given interface, one for inbound traffic and one for outbound traffic.

Each access list has a unique name or number that is used when applying it to an interface, and it can contain multiple access list statements.

Also, you cannot re-order the statements within an access list.

Note: keep deny statements at the top. The router reads the statements from top to bottom and acts on the first match, so if the first statement permits the traffic, the router permits it right there without evaluating the remaining statements.
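The ordering rule above, shown as an added Python example (not from the original notes) that evaluates a Cisco-style standard access list with wildcard masks, top to bottom, first match wins; the host 10.1.1.25 and the two lists are constructed for the example, and the implicit "deny any" at the end is standard Cisco behaviour the notes do not spell out.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example (not from the original notes): a minimal evaluator for a
# Cisco-style standard access list, to show why statement order matters.

Rule = Tuple[str, str, str]  # (action, address, wildcard mask)


def matches(src: str, address: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit',
    so 0.0.0.0 matches exactly one host and 255.255.255.255 matches any address."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s ^ a) & care == 0


def evaluate(acl: List[Rule], src: str) -> Tuple[str, Optional[int]]:
    """Read top to bottom and stop at the first matching statement, returning
    (action, 1-based statement number). A packet that matches nothing hits the
    implicit 'deny any' at the end of every Cisco access list."""
    for number, (action, address, wildcard) in enumerate(acl, start=1):
        if matches(src, address, wildcard):
            return action, number
    return "deny", None


# Misordered list: the broad permit comes first, so the specific deny of
# host 10.1.1.25 on statement 2 is never reached.
PERMIT_FIRST: List[Rule] = [
    ("permit", "0.0.0.0", "255.255.255.255"),  # same as 'permit any'
    ("deny", "10.1.1.25", "0.0.0.0"),          # same as 'deny host 10.1.1.25'
]

# Correct order: the specific deny sits above the broad permit.
DENY_FIRST: List[Rule] = [
    ("deny", "10.1.1.25", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for name, acl in (("permit-first", PERMIT_FIRST), ("deny-first", DENY_FIRST)):
        for src in ("10.1.1.25", "10.1.1.26"):
            print(f"{name}: {src} -> {evaluate(acl, src)}")
```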


Trunking:
Trunking is the connection between two or more switches via a crossover cable. Trunk links pass the VLAN traffic between the switches. Trunking is a Layer 2 feature.
Trunking has two types of protocols:
1. ISL (Inter-Switch Link)
a. Cisco proprietary
b. Encapsulates the entire frame
c. Adds a 26-byte header before the Ethernet frame and a 4-byte CRC

2. 802.1Q (dot1Q)
a. Open standard
b. Inserts a tag into the frame after the source MAC address
c. The tag is only 4 bytes

When you unbox a brand new switch, every port on the switch is in dynamic desirable mode: when you attach a PC to the port it works in access mode, and when you attach a switch it acts as a trunk port.
Here is the drawback: an angry employee can take down your network within a single minute by attaching a maliciously configured switch to the company's switch, and the whole network goes down.
So it is always preferred to set the port mode manually.

To set an interface to access mode:
Switch#config t
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access

To list the available port modes:
Switch>en
Switch#config t
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
Switch(config-if)#switchport mode


Now set the port to access, trunk or dynamic desirable mode.

How to create VLANs:
Switch#config t
Switch(config)#vlan 100
Switch(config-vlan)#name SALES
Switch(config-vlan)#vlan 200
Switch(config-vlan)#name MARKETING
Switch(config-vlan)#end


Verify the VLANs:
Switch#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
100  SALES                            active   
200  MARKETING                        active   
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
200  enet  100200     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0  
1003 tr    101003     1500  -      -      -        -    -        0      0  
1004 fdnet 101004     1500  -      -      -        ieee -        0      0  
1005 trnet 101005     1500  -      -      -        ibm  -        0      0  

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Switch#


To put ports into the VLAN as access ports:
Switch#config t
Switch(config)#interface range fastEthernet 0/2 - 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 100
Switch(config-if-range)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console

Switch#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
100  SALES                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
200  MARKETING                        active   
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
200  enet  100200     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0  
1003 tr    101003     1500  -      -      -        -    -        0      0  
1004 fdnet 101004     1500  -      -      -        ieee -        0      0  
1005 trnet 101005     1500  -      -      -        ibm  -        0      0  

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Switch#
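To check that every port was set manually as recommended above, here is an added Python example (not from the original notes) that parses the first table of the show vlan output in the format shown and reports the ports still sitting in the default VLAN 1; the embedded output is a shortened, constructed copy of the listing above.

```python
import re
from typing import Dict, List, Optional

# Constructed example (not from the original notes): parse the first table of
# 'show vlan' in the format shown above into {vlan_id: [ports]} and report which
# ports are still in the default VLAN 1, i.e. were never assigned by hand.

# Shortened copy of the output above, constructed for this example.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16
100  SALES                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6
200  MARKETING                        active
1002 fddi-default                     act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
"""

# A VLAN row: id, name, status, then an optional comma-separated port list.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_show_vlan(text: str) -> Dict[int, List[str]]:
    """Rows starting with a VLAN id open a new VLAN; indented rows continue the
    previous VLAN's port list (IOS wraps long lists). Stop at the blank line
    before the second table (VLAN Type / SAID)."""
    vlans: Dict[int, List[str]] = {}
    current: Optional[int] = None
    for line in text.splitlines()[2:]:  # skip the column header and dashes
        if not line.strip():
            break
        m = VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = []
            ports = m.group(4)
        elif current is not None and line.startswith(" "):
            ports = line  # continuation of the previous VLAN's port list
        else:
            continue
        vlans[current].extend(p.strip() for p in ports.split(",") if p.strip())
    return vlans


def ports_in_default_vlan(text: str) -> List[str]:
    """Ports left in VLAN 1: the ones whose mode and VLAN nobody set manually."""
    return parse_show_vlan(text).get(1, [])
```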



Spanning Tree Protocol:
Spanning Tree Protocol blocks redundant links to avoid loops in a Layer 2 network. Spanning tree was developed by DEC; the IEEE revised the DEC Spanning Tree Algorithm and published it as the 802.1D specification.
The DEC and IEEE 802.1D algorithms are not the same and are not compatible. Catalyst switches use the IEEE 802.1D Spanning Tree Protocol, which is enabled on Cisco switches by default.
The purpose of the Spanning Tree Protocol is to maintain a loop-free network. A loop-free path is achieved when a device recognizes a loop in the topology and blocks one or more of the redundant ports.
Spanning tree runs continually so that the failure or addition of a link, switch or bridge is discovered quickly. When the network topology changes, spanning tree reconfigures the switch ports to avoid a total loss of connectivity or the creation of a new loop.
Source: Cisco ICND 640-811, edited by Steve McQuerry (CCIE 6108)
To learn more about Spanning tree protocol, follow the link:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

Figure source: http://tomicki.net/attacking.stp
Spanning Tree (IEEE 802.1D) Path Cost

Spanning tree path cost is an accumulated total path cost based on the bandwidth of all the links in the path.
Link Speed    Cost
10 Mbps       100
100 Mbps      19
1 Gbps        4
10 Gbps       2
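The accumulated path cost idea, carried through as an added Python example (not from the original notes): it uses the cost table above on a small constructed triangle of switches, computes each switch's total cost to the root and the neighbour behind its root port, and derives which redundant link spanning tree leaves blocked; tie-breaking by neighbour name is an assumption of this example standing in for the bridge ID / port ID comparison real STP uses.

```python
import heapq
from typing import Dict, List, Set, Tuple

# Constructed example (not from the original notes): accumulate 802.1D path cost
# over a small switched topology with the cost table above, find each switch's
# root path cost and root port, and derive which redundant link gets blocked.
# Assumption: equal costs are broken by neighbour name (real STP uses bridge/port IDs).

STP_COST: Dict[int, int] = {10: 100, 100: 19, 1000: 4, 10000: 2}  # Mbps -> cost
Link = Tuple[str, str, int]  # (switch A, switch B, link speed in Mbps)


def root_path_costs(root: str, links: List[Link]) -> Dict[str, Tuple[int, str]]:
    """Dijkstra from the root bridge: for every switch, (accumulated cost of all
    links on its best path to the root, neighbour at the far end of its root port)."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, STP_COST[speed]))
        adj.setdefault(b, []).append((a, STP_COST[speed]))
    best: Dict[str, Tuple[int, str]] = {root: (0, root)}
    heap: List[Tuple[int, str, str]] = [(0, root, root)]
    while heap:
        cost, node, via = heapq.heappop(heap)
        if best[node] < (cost, via):
            continue  # a cheaper path to this switch was already found
        for nbr, link_cost in adj.get(node, []):
            candidate = (cost + link_cost, node)
            if nbr not in best or candidate < best[nbr]:
                best[nbr] = candidate
                heapq.heappush(heap, (candidate[0], nbr, node))
    return best


def blocked_links(root: str, links: List[Link]) -> Set[Tuple[str, str]]:
    """Links that are nobody's root port carry a redundant path and end up
    blocked on one end. Assumes at most one link between any pair of switches."""
    best = root_path_costs(root, links)
    tree = {tuple(sorted((sw, via))) for sw, (_, via) in best.items() if sw != root}
    return {tuple(sorted((a, b))) for a, b, _ in links if tuple(sorted((a, b))) not in tree}


# Constructed triangle: ROOT-SW2 is 100 Mbps (cost 19) while ROOT-SW3 and SW3-SW2
# are gigabit (4 + 4 = 8), so SW2 reaches the root via SW3 and the direct link is blocked.
TOPOLOGY: List[Link] = [("ROOT", "SW2", 100), ("ROOT", "SW3", 1000), ("SW2", "SW3", 1000)]

if __name__ == "__main__":
    for switch, (cost, via) in sorted(root_path_costs("ROOT", TOPOLOGY).items()):
        print(f"{switch}: root path cost {cost} via {via}")
    print("blocked:", blocked_links("ROOT", TOPOLOGY))
```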

Spanning tree timers:
Hello time - 2 seconds (interval between configuration BPDUs sent by the root bridge)
Forward delay - 15 seconds (duration of the listening and learning states)
Max age - 20 seconds (how long a received BPDU is kept)


HOW TO RECOVER A CORRUPTED ROUTER IMAGE FILE (IOS)

If the router is in ROMMON mode:
rommon 1>IP_ADDRESS=10.1.1.25
rommon 2>IP_SUBNET_MASK=255.0.0.0
rommon 3>DEFAULT_GATEWAY=10.1.1.254 (IP ADDRESS OF PC NIC)
rommon 4>TFTP_SERVER=10.1.1.254 (IP ADDRESS OF PC)
rommon 5>TFTP_FILE=<ios image name>
rommon 6>tftpdnld
The file is then copied over TFTP.
enjoy!!!
Note:
1. Switch off the firewall on the PC.
2. Use a crossover cable to transfer the image.
3. Make sure the TFTP server is running.