Cisco & Cisco Network Hardware News and Technology

Basic Information of RIP (Routing Information Protocol)

January 31 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

IP RIP (Routing Information Protocol) comes in two versions. Version 1 (RFC 1058) is a classful distance vector protocol. Version 2 is the same distance vector protocol with extensions (subnet masks in updates, multicast delivery and authentication); it is specified in RFC 2453 (originally RFC 1723), while RFCs 1721 and 1722 are its protocol analysis and applicability statements.


Routing Information Protocol Version 1 (RIPv1)

RIPv1 sends its full routing table to the limited broadcast address (255.255.255.255). These updates are periodic, occurring by default every 30 seconds. To keep routes from counting to infinity around a loop, both versions of RIP cap the hop-count metric at 15: a route whose metric reaches 16 is treated as unreachable and withdrawn. RIPv1 is a classful protocol, so its updates carry no subnet mask. Cisco IOS can install up to six equal-cost RIP paths to a single destination (four by default, adjustable with the maximum-paths command); equal-cost paths are paths with the same metric (hop count).

 

Routing Information Protocol Version 2 (RIPv2)

RIPv2 is RIPv1's distance vector algorithm with routing enhancements built on top of it. It is sometimes called a hybrid protocol, but that label is a misnomer (Cisco uses it for EIGRP): RIPv2 still selects routes purely by hop count and learns them only from its neighbours' updates.

 

RIPv2 sends its updates to the multicast address 224.0.0.9 instead of broadcasting them. Both versions also send triggered updates: when a route changes, the router immediately propagates the change to its directly connected neighbours rather than waiting for the next periodic update. RIPv2 is a classless protocol and supports variable-length subnet masking (VLSM), because each route entry carries its own subnet mask.

Both RIPv1 and RIPv2 use hop count as the metric.

Differences between RIPv1 and RIPv2

RIPv1

• Supports only classful routing (Does not support VLSM).

• No authentication.

• Updates are sent as broadcasts (255.255.255.255).

RIPv2

• Supports classless routing (supports VLSM).

RIPv2 incorporates the addition of the network mask in the update to allow classless routing advertisements.

• Authentication is available: simple (cleartext) password authentication per RFC 2453, or keyed MD5 per RFC 2082. Cleartext authentication only prevents accidental peering, since the password travels in every update; use MD5 with a key chain, and treat the shared key as a secret, because anyone who learns it can inject routes into the whole domain.

• Updates are sent to multicast 224.0.0.9 instead of broadcast. Multicast delivery reduces the burden on devices that do not run RIP, since they never have to process the updates.
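The keyed-MD5 authentication listed above, as an added example that is not part of the original post: a Python model of an RFC 2082 authenticated RIPv2 update. It builds a Response with one constructed route, signs it with an assumed key and key ID, and verifies it on receipt, rejecting a wrong key, an unknown key ID, a modified metric and a replayed sequence number. The key padding follows the RFC text; Cisco IOS pads the key slightly differently on the wire, so the bytes are not an exact IOS packet.

```python
"""RIPv2 update with RFC 2082 keyed-MD5 authentication.

Added example, not code from the original post. Key, key ID, sequence
number and the advertised prefix are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_AUTH = 0xFFFF
AUTH_TYPE_MD5 = 3      # keyed message digest (RFC 2082)
AUTH_TYPE_TRAILER = 1  # trailer entry that carries the 16-byte digest
HEADER_LEN = 4
ENTRY_LEN = 20
DIGEST_LEN = 16


def _padded_key(key: bytes) -> bytes:
    # RFC 2082 layout: the key is zero-padded (or truncated) to the 16-byte digest size.
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def route_entry(prefix: str, next_hop: str, metric: int) -> bytes:
    """One RIPv2 route entry: AFI=2 (IP), route tag, address, subnet mask, next hop, metric."""
    if not 1 <= metric <= 16:
        raise ValueError("RIP metric must be 1..16 (16 = unreachable)")
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_update(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """RIPv2 Response = header + auth entry + routes + trailer (header + MD5 digest)."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    body = b"".join(routes)
    # "RIP-2 packet length": offset from the RIP header to the start of the trailer
    pkt_len = HEADER_LEN + ENTRY_LEN + len(body)
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_TYPE_MD5, pkt_len, key_id, DIGEST_LEN, seq)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER)
    unsigned = header + auth + body + trailer_hdr
    # Digest = MD5 over the whole packet with the padded key standing in for the digest field.
    digest = hashlib.md5(unsigned + _padded_key(key)).digest()
    return unsigned + digest


def verify_update(packet: bytes, keys: dict, last_seq: int = -1):
    """Check framing, key ID, digest and replay (sequence must exceed last_seq).

    Returns the accepted sequence number, or None when the packet must be dropped.
    """
    if len(packet) < HEADER_LEN + ENTRY_LEN + 4 + DIGEST_LEN:
        return None
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack(
        "!HHHBBI", packet[HEADER_LEN:HEADER_LEN + 12])
    if afi != AFI_AUTH or atype != AUTH_TYPE_MD5 or dlen != DIGEST_LEN:
        return None
    if pkt_len + 4 + DIGEST_LEN != len(packet) or (pkt_len - HEADER_LEN - ENTRY_LEN) % ENTRY_LEN:
        return None
    key = keys.get(key_id)
    if key is None:
        return None                       # unknown key ID: no way to check the digest
    if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TYPE_TRAILER):
        return None
    expected = hashlib.md5(packet[:pkt_len + 4] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return None                       # wrong key or altered contents
    if seq <= last_seq:
        return None                       # replayed or reordered update
    return seq


if __name__ == "__main__":
    key = b"s3cret"                       # constructed shared key
    pkt = build_update([route_entry("10.1.0.0/16", "0.0.0.0", 1)], key, 1, 100)
    print(len(pkt), "bytes, verified seq:", verify_update(pkt, {1: key}))
```

The digest covers every byte of the update, so a router that does not hold the key can neither inject nor alter a route. The key is still a shared secret: whoever reads it from one router's configuration can advertise any route to all of them, which is why RIP authentication complements, rather than replaces, filtering of RIP on untrusted interfaces (passive-interface).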

 

More Related Tips:

Routing Information Protocol & RIP Configuration


OSPF Metrics Troubleshooting

January 29 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

 

When implementing any routing protocol, it is vital to have a handle on how the protocol operates and makes decisions. Without this knowledge, it is almost impossible to check and make sure that the protocol is configured properly and is operating as expected. This article takes a look at the Open Shortest Path First (OSPF) routing protocol, how its metric is calculated, and how this information can be used to ensure that traffic is taking the path that is expected.

OSPF Metric Calculation

OSPF has one of the easiest metric calculations; by default, the bandwidth of the outbound interface is used to calculate each part of the route path. The default formula is shown in Figure 1:

Figure 1 - OSPF Metric Formula: cost = reference bandwidth / interface bandwidth (reference bandwidth 100 Mbps by default)

 

For example, a network contained two routers that were connected together, as shown in Figure 2:

Figure 2 - OSPF Metric Sample Topology: R1's F0/0 connects to R2, and the destination network sits behind R2's F0/1

 

Assuming OSPF is configured, R1 would have an OSPF routing table entry for the network connected to R2’s F0/1 interface. For traffic from R1 to reach that network it must pass through R1’s F0/0 interface and then R2’s F0/1 interface. R2 calculates the cost of its F0/1 interface (100,000,000 / 100,000,000 = 1) and advertises it, and R1 calculates the cost of its own F0/0 interface (100,000,000 / 100,000,000 = 1). From R1’s perspective, the OSPF metric to the network off R2’s F0/1 interface is therefore 2.

 

It is very important to note that the bandwidth OSPF uses in its metric calculation is the configured interface bandwidth, set with the bandwidth interface configuration command (in kbps). This value does not have to match the physical speed of the interface and does not change the physical speed of the link. If the network administrator set the bandwidth of R2’s F0/1 interface to 50 Mbps (bandwidth 50000), the metric of the route on R1 would become 3: 100,000,000 / 50,000,000 = 2 for R2’s F0/1, plus 1 for R1’s F0/0.

 

Another common issue network engineers run into in modern networks is that the default reference bandwidth is small now that 1, 10 and 100 gigabit interfaces are common. From the perspective of the OSPF metric, an interface with a bandwidth of 100 Mbps has the same cost (1) as one with a bandwidth of 100 Gbps: the division yields a fraction below 1, and OSPF truncates costs to whole numbers with a minimum of 1. To remedy this, change the reference bandwidth the OSPF process uses with the router-level command auto-cost reference-bandwidth reference-bandwidth, where reference-bandwidth is in Mbps (the default is 100; a value of 100000 gives a 100 Gbps link a cost of 1). Make note that the reference bandwidth must be changed on ALL routers in the OSPF domain: each router computes and advertises the cost of its own interfaces, so a router left at the default advertises misleadingly low costs and the network may choose a slower path. You can check the resulting cost of each interface with show ip ospf interface.

 

To make this a little clearer, Figure 3 shows the same network using up-to-date interface bandwidths and a higher reference bandwidth:

Figure 3 – OSPF Reference Bandwidth Example: reference bandwidth 100 Gbps, R1's F0/0 at 100 Mbps, R2's F0/1 at 10 Gbps

 

Using these bandwidths, the OSPF metric to the network off of R2’s F0/1 interface would be calculated as follows:

R1’s F0/0 interface – 100,000,000,000 / 100,000,000 = 1,000

R2’s F0/1 interface – 100,000,000,000 / 10,000,000,000 = 10

R1’s routing table will have an entry for R2’s F0/1 network with a metric of 1010.
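The arithmetic above, and the warning that the reference bandwidth must match on every router, as an added example (not code from the original article): a Python model of the IOS cost rule, applied to the Figure 3 numbers and to a two-path topology whose router names and link speeds are assumed. Each cost is the integer division of reference by interface bandwidth with a floor of 1, summed over the outbound interfaces along the path, with every interface evaluated using the reference bandwidth of the router that owns it, as happens when routers flood their own LSAs.

```python
"""OSPF interface and path cost as computed in the examples above.

Added example, not code from the original article. The two-path topology in
reference_mismatch() and its link speeds are constructed values.
"""

DEFAULT_REF_MBPS = 100  # IOS default for auto-cost reference-bandwidth


def interface_cost(bandwidth_kbps: int, ref_mbps: int = DEFAULT_REF_MBPS) -> int:
    """Cost of one outbound interface. bandwidth_kbps is what the interface
    'bandwidth' command sets; any link faster than the reference clamps to 1."""
    if bandwidth_kbps <= 0 or ref_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    return max(1, (ref_mbps * 1000) // bandwidth_kbps)


def path_cost(hops) -> int:
    """hops: (bandwidth_kbps, ref_mbps) for each outbound interface on the path,
    each evaluated with the reference bandwidth of the router that owns it."""
    return sum(interface_cost(bw, ref) for bw, ref in hops)


def best_path(paths: dict):
    """paths: name -> hop list. Returns (name, cost) of the lowest-cost path."""
    return min(((name, path_cost(hops)) for name, hops in paths.items()),
               key=lambda p: p[1])


def figure3_metric() -> int:
    """R1 F0/0 at 100 Mbps and R2 F0/1 at 10 Gbps, reference 100 Gbps: 1000 + 10."""
    return path_cost([(100_000, 100_000), (10_000_000, 100_000)])


def reference_mismatch():
    """Two candidate paths from R1 (assumed topology): A over two 10 Gbps links,
    B over a 10 Gbps link and then a 100 Mbps link owned by R2. Returns the
    winner when every router uses reference 100000, and the winner when R2
    was left at the default reference of 100."""
    consistent = {
        "A: 10G -> 10G": [(10_000_000, 100_000), (10_000_000, 100_000)],
        "B: 10G -> 100M": [(10_000_000, 100_000), (100_000, 100_000)],
    }
    r2_left_at_default = {
        "A: 10G -> 10G": [(10_000_000, 100_000), (10_000_000, 100_000)],
        "B: 10G -> 100M": [(10_000_000, 100_000), (100_000, 100)],
    }
    return best_path(consistent)[0], best_path(r2_left_at_default)[0]


if __name__ == "__main__":
    print("100M vs 100G at the default reference:",
          interface_cost(100_000), interface_cost(100_000_000))
    print("Figure 3 metric:", figure3_metric())
    print("winner with consistent / inconsistent reference:", reference_mismatch())
```

reference_mismatch() shows the practical failure the article warns about: when R2 keeps the default reference bandwidth, its 100 Mbps link advertises a cost of 1, and the path through it (cost 11) beats two 10 Gbps links (cost 20).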


Most of the time when routing protocols are implemented on small simple network topologies, they work without much additional configuration. When working on networks that are larger, the complexity of the routing protocol configuration can increase; this complexity and the size of the topology can make troubleshooting very complex as well. The OSPF metric is very simple to calculate and allows even novice engineers the ability to easily trace how traffic should pass through a network. Take the time to memorize how these metrics are calculated and future troubleshooting will become easier even on complex networks.

---From http://www.petri.co.il/ospf-metrics-troubleshooting.htm

More Related OSPF Tips:

How to Fix OSPF Split Area with GRE Tunnel?

How to Configure OSPF on Cisco Routers?

How to Configure OSPF in a Single Area?

How to Troubleshoot OSPF?

OSPF, How to Configure OSPF in the Cisco IOS?

 


Cisco Cut as Data-center Business Shifts

January 23 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

Software-defined-networking threat leads to J.P. Morgan downgrade

Cisco Systems could feel the impact of a new trend that expands the role of software in data center networks — and it could come much sooner than expected, an analyst said.


J.P. Morgan downgraded Cisco to underweight, or sell, from neutral, based on what analyst Rod Hall described as a more rapid adoption of software-defined networking.

 

The move came following a strong run-up on Cisco’s shares, which have surged 25% since its last earnings report in mid-November. Cisco was trading down a fraction at $20.92 by mid-day Thursday.

 

Known simply as SDN, the new technology lets businesses rely less heavily on specialized networking hardware by moving network control into the software systems that run their data centers. There has been a debate on the potential impact of the trend, which some analysts say could hurt Cisco’s core hardware business in the long term by turning data center switches into commodities.

In his note, Hall said he had earlier assumed that the impact of software-defined networking “would be gradual and would, therefore, not lead to a rapid decline in the unit price of an ethernet switch.” He now sees the impact from the shift to SDN coming earlier.

 

“Since then, we have become more convinced that SDN impacts are likely to come sooner and that those impacts will occur more rapidly when they begin,” he wrote.

In fact, Hall now projects that the “data center-oriented switching market could be reduced by as much as 33% by 2015 by technology shifts that are in motion.”

 

In his same note, Hall upgraded Cisco rival Juniper Networks. He noted that the company recently outlined its own SDN strategy at a recent conference, but said investors “should continue to discount Juniper’s data center opportunity until the company has results to show for their plans.” He based his upgrade on optimism around the company’s optical and router business.

 

The analysis of SDNs echoes the view of IDC, which put out its own report in December predicting that the worldwide market for software-defined networking would grow from $360 million in 2013 to $3.7 billion by 2016.

 

To be sure, Cisco is responding to the trend, and Hall noted the tech giant’s recent acquisitions of SDN-focused firms that he says “show that management is spending significant time on the area.”

In fact, the market doesn’t appear to be too worried just yet. Cisco shares have gained roughly 7% this year, and have risen 25% over the last two months, partly on expectations that it will benefit from an expected wave of corporate IT spending.

 

Still, Hall said Cisco “has the most at stake” with the software-defined networking trend, and “is the most exposed to the downside if SDN triggers networking commoditization.”

---Cisco PR news from marketwatch.com

More Cisco News you can visit: http://blog.router-switch.com/category/news/


How to Configure DHCP on Cisco 851 or 871 Router?

January 21 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Basically DHCP is a mechanism which assigns IP addresses to computers dynamically. Usually DHCP is a service running on a server machine in the network in order to assign dynamic IP addresses to hosts. All Cisco 800 series models have the ability to work as DHCP servers, thus assigning addresses to the internal LAN hosts. Without a DHCP server in the network, you would have to assign IP addresses manually to each host. These manually assigned addresses are also called “static IP addresses”.

 

In this post we will show you how to configure a Cisco 851 or 871 router to work as DHCP server. The same configuration applies for other 800 series models as well.

Router> enable
Router# config t
! create the pool and enter dhcp-config mode
Router(config)# ip dhcp pool LANPOOL
! network range for the addresses that will be assigned
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
! domain name handed to the clients
Router(dhcp-config)# domain-name mycompany.com
! default gateway for the clients (the router's LAN address)
Router(dhcp-config)# default-router 192.168.1.1
! DNS server for the clients (100.100.100.1 is a placeholder for your ISP's resolver)
Router(dhcp-config)# dns-server 100.100.100.1
! WINS server, if you have one
Router(dhcp-config)# netbios-name-server 192.168.1.2
Router(dhcp-config)# exit
! addresses that will not be handed out: the router itself and any statically addressed hosts
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10

Verify with show ip dhcp binding (active leases) and show ip dhcp pool (pool usage).

---Reference from networkstraining.com

More Related DHCP Guides:

How to Configure DHCP on a Cisco Router or Cisco Switch?

How to Configure VoIP on a Cisco 871 Router?

How to Configure DHCP Snooping in a Cisco Catalyst Switch?

How to Configure DHCP Snooping?


How to Set Up a Cisco ASA 5505 with a Wireless Router?

January 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

This walk-through on setting up a Cisco ASA 5505 firewall with a wireless router focuses on things you might encounter when doing the setup at home.

 

This piece focuses on common things you might encounter at home like not having a static IP from your ISP or utilizing your current wireless router. Here we’ll go over what you need to do at a high level, which should work with any wireless router.

 

The firewall setup can seem a little daunting, especially because you will most likely lose your Internet access while you’re doing it. Remember there are only four basic things you need to configure to get Internet access.

  1. You should configure the inside and outside interfaces.
  2. You need a default route that tells your devices where to go.
  3. You need to configure Port Address Translation (PAT). This is what allows you to only have one IP address from your ISP, but you can have several devices connected on your internal network in a many-to-one configuration.
  4. You need access rules that open ports so your devices can browse web pages, download from FTP sites, etc.

 

Initial Setup and Configuration of Interfaces

  1. Connect the network cable from the modem to port 0 (default outside port) on the ASA.
  2. Connect your computer to one of the other ports on the ASA, which should be on the inside network by default. Ports 6 and 7 are Power over Ethernet (PoE) ports; I recommend reserving those ports for any devices that can use PoE.
  3. Open a browser on your computer and go to 192.168.1.1, which is the default address for connecting to the ASA.
  4. Click Run ASDM. (Another option is to click Run Startup Wizard and do this entire configuration in the wizard.)
  5. Log in. There are no passwords configured yet, so just leave that blank. Set an enable password and an ASDM login as soon as the initial setup is done, before the outside interface is connected to the ISP.
  6. Click Configuration at the top.
  7. Click Device Setup.
  8. Click Interfaces.
  9. Edit the Inside Interface.
  10. Make sure it is enabled.
  11. Specify the internal address you want to use. By default this is 192.168.1.1, which you can leave as it is. This means you are using the 192.168.1.0/24 network as your inside network.
  12. Click OK.
  13. Edit the Outside Interface.
  14. Choose DHCP. If you happen to have a fixed IP at home, please use that. Many ISPs require you to have a business account to get a static IP, though.
  15. Make sure the interface is enabled.
  16. Put a check mark next to the option Obtain Default Route Using DHCP. This saves you the step of configuring a static route, and it saves you the hassle of having to change the static route every time your IP changes.
  17. Click OK.
  18. Put a check next to Enable Traffic Between Two Or More Interfaces Which Are Configured With The Same Security Levels and next to Enable Traffic Between Two Or More Hosts Connected To The Same Interface. Neither setting is needed for basic Internet access from the inside network; both widen what the ASA permits (the second lets traffic enter and leave the same interface), so only enable them if you have a reason to.

 

Those 18 steps take care of the first two basic things I spoke about before: configuring your interfaces and setting up a default route. Now to configure PAT and the access rules.

 

Configure PAT

  1. Click Firewall while still under the Configuration tab.
  2. Click NAT Rules.
  3. Click Add.
  4. Click Add Dynamic Rule.
  5. For the original source you can leave it set at Any, although specifying the inside network (192.168.1.0/24) is the tighter choice.
  6. For the translated interface put the outside interface.
  7. Click OK.

 

Configure Access Rules

You’ll most likely want to allow HTTP/HTTPS traffic through your ASA. Note that the ASA permits connections from a higher security level (inside, 100) to a lower one (outside, 0) by default and statefully allows their return traffic, so outbound browsing works without any rule; once you apply an access rule to an interface, however, anything that rule set does not permit on that interface is dropped. Add rules for the inside and the outside as needed for HTTP/HTTPS, along with any other protocols you require such as FTP or ICMP, and keep inbound (outside) rules to the services you actually host. Use Figure A as a reference for the kind of configuration you may need.

Figure A - example access rules (screenshot)

 

Configure Your Wireless Router to Act like an Access Point

This covers setting up the ASA, but you still want to be able to use your wireless router to connect all your laptops, printers, Rokus, etc. The easiest way (though not the only way) to do this is to configure your wireless router to act just as an access point (AP).

 

In general, you’ll want to disconnect the network cable from the WAN, or outside, port on the AP. Then connect to the management interface of your AP, most likely via a browser while your computer is connected to the AP. Some newer APs have an option to just put a check next to AP Mode and it will do it automatically. However, if you don’t have that option, just make sure you turn off DHCP (use the ASA as your DHCP server) and configure the LAN settings to be on the same network as your ASA.

 

In my example, you might configure the AP with an IP of 192.168.1.15, a subnet mask of 255.255.255.0, and then the default gateway should be the IP address of the ASA. Now connect one of the LAN, or inside, ports to one of the inside ports on the Cisco ASA (ports 1-7). You may need to reboot the AP, but now you should be able to connect wirelessly and have Internet access through the firewall.

 

Resource from http://www.techrepublic.com written by Lauren Malhoit

More Related Tips of Cisco ASA 5505:

Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series

New Cisco ASA Clustering Feature Enables 320 Gbps Firewall

Example Show: How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device?

How to Configure Dual ISP on Cisco ASA 5505?

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?


Cisco IOS Order of Operation

January 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Below is the order in which the features configured on an interface are applied as a packet traverses the IOS software, as documented by Cisco. The table may not hold for every platform and release, so check whether it matches your case.

Inside-to-Outside

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside

  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • redirect to web cache
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

The above is the “official” version. Other orderings compiled by experienced network engineers are more complete; one of them follows.

More notes: Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e. CEF versus process-switched).

Ingress Features

1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features

1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)

* A note about virtual-reassembly


Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual reassembly”. Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE which forward the reassembled packet.

 

Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be written with fragment handling in mind, because they see the individual fragments, not the reassembled packet.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

 

Routing Features

1. Routing table lookup (if the packet isn’t marked with a PBR next-hop)
2. tcp adjust-mss

NOTE: Order of Operation for IOS 12.3(8)T and Later


---Reference from http://etherealmind.com/cisco-ios-order-of-operation/

More Notes: A Related Best Cisco Book

Router Security Strategies: Securing IP Network Traffic Planes


Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking. 

 

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.

 

The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

 

“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure.  The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.”

–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

 

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

 

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.

  • Understand the operation of IP networks and routers
  • Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
  • Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
  • Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
  • Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
  • Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
  • Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

 This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Note: More Reviews about this book you can see ciscopress.com

More Related Tips:

What’s the Order of Operations for Cisco IOS?

More Cisco and Networking Tips you can refer to http://blog.router-switch.com/


How to Set Up PAT (Port Address Translation) in the Cisco IOS?

January 14 2013 , Written by Cisco & Cisco Router, Network Switch

PAT (Port Address Translation) is a special kind of Network Address Translation (NAT). It can provide an excellent solution for a company that has multiple systems that need to access the Internet but that has only a few public IP addresses. Let's take a look at the distinctions between NAT and PAT and see how they are typically used. Then, we will show you how to configure PAT on a Cisco router.

Understanding PAT and NAT

It is helpful to describe what NAT does in general before discussing PAT. NAT was designed to be a solution to the lack of public IP addresses available on the Internet. The basic concept of NAT is that it allows inside/internal hosts to use the private address spaces (10/8, 172.16/12, and 192.168/16 networks—see RFC1918), go through the internal interface of a router running NAT, and then have the internal addresses translated to the router's public IP address on the external interface that connects to the Internet.

If you dig into NAT a little deeper, you will discover that there are really three ways to configure it. From these configurations, you can perform a variety of functions. The three configurations are:

PAT
PAT is commonly known as “NAT overload” (or sometimes just “overload”). In this configuration, you have multiple clients on your inside network wanting to access an outside network (usually the Internet). You have few public IP addresses, far fewer than the number of clients, so you have to “overload” a real Internet IP address. In other words, you are mapping many inside clients to a single Internet IP address (many to one), telling them apart by translated source port. For an illustration of PAT, see the following Figure.

PAT.gif

Pooled NAT
Pooled NAT is similar to PAT except you have the luxury of a one-to-one mapping of addresses. In other words, you have as many outside network IP addresses as inside network clients that need translation at the same time. You tell the NAT router the pool of IP addresses that are available, and each client receives its own IP address when it requests a NAT translation. The client does not get the same address each time; it merely gets the next available address from the pool. The article "Set up NAT using the Cisco IOS" explains how to configure Pooled NAT. For an illustration of Pooled NAT, see the following Figure.

how-to-configure-Pooled-NAT.gif

Static NAT
Static NAT is the simplest form of NAT. The most likely example is a mail server on the inside of a private network. The private network connects to the public Internet, and in between the two networks a router performs NAT. For a dedicated server, like a mail server, you want a static (unchanging) mapping, so that every time someone on the Internet sends e-mail to the mail server, that server has the same public IP address. For an illustration of Static NAT, see the following Figure.

Static-NAT.gif

You can perform a variety of functions with these three configurations. For the purpose of this article, we will focus on configuring PAT.

Configuring PAT
To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:

  • Inside Local—This is the local IP address of a private host on your network (e.g., a workstation's IP address).
  • Inside Global—This is the public IP address that the outside network sees as the IP address of your local host.
  • Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
  • Outside Global—This is the public IP address of the remote host (e.g., the IP address of the remote Web server that a workstation is connecting to).


You'll configure your Cisco router using seven commands. Let's assume that your Internet service provider gave you a 30-bit network containing two usable public IP addresses: one for your router's outside interface and one for your internal clients and devices. The first command tells the router which public IP address you want to use for PAT:
ip nat pool mypool 63.63.63.2 63.63.63.2 prefix-length 30

This command configures a pool (range) of IP addresses to use for your translation. In this case, we want only one address in our pool, which we will overload. We do this by assigning the same IP address (63.63.63.2) for the start and end of the pool.

The next command will tell your router which IP addresses it is allowed to translate:
access-list 1 permit 10.10.10.0 0.0.0.255

It's not a good idea to put “permit any” in the access list, even though you will occasionally see that in some sample configurations: the list decides which source addresses get translated, and “permit any” would also translate traffic from addresses you never intended to NAT, including spoofed or misrouted sources. Match only your inside prefixes.

The next command is:
ip nat inside source list 1 pool mypool overload

This command puts the pool definition and the access list together. In other words, it tells the router what will be translated to what. The overload keyword turns this into a PAT configuration. If you left out overload, you would be able to translate only one IP address at a time, so only one client could use the Internet at a time.

Next, you need to tell PAT/NAT what interfaces are the inside network and what interfaces are the outside network. Here's an example:
interface ethernet 0
ip nat inside
interface serial 0
ip nat outside

With these commands, your PAT configuration is finished. You have told the Cisco IOS you are translating your network A into a single IP address from network B, that network A is on the ethernet 0 interface and network B is on the serial 0 interface, and that you want to allow the inside network to overload the single IP address on the outside network.

Finally, verify that NAT works. This can be as simple as doing a ping command from your inside local host to an outside global host. If the ping succeeds, chances are you have everything configured correctly. You can also use the following Cisco IOS commands to confirm and troubleshoot:
show ip nat translations [verbose]
show ip nat statistics

With the translations command, you should see the translation that was created from your ping test. But watch out: The translations will disappear after their time-out expires. If you have configured overload, these time-outs are configurable by traffic type.
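The overload behaviour described above, as an added example that is not code from the original article: a Python simulation of the translation table the router builds for access-list 1 and pool mypool. The hosts, ports and ACL entries are constructed. It shows the wildcard-mask match with IOS's implicit deny, port handling under overload, and that the same one-address pool without the overload keyword serves one inside host at a time until its entry times out.

```python
"""Model of the PAT (NAT overload) translation table built by the configuration above.

Added example, not code from the original article. All hosts, ports and
addresses are constructed values.
"""
import ipaddress


def acl_permits(acl, src_ip: str) -> bool:
    """acl: list of (action, network, wildcard) in order; first match wins."""
    src = int(ipaddress.ip_address(src_ip))
    for action, network, wildcard in acl:
        net = int(ipaddress.ip_address(network))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # wildcard 1 bits are don't-care
        if (src & care) == (net & care):
            return action == "permit"
    return False  # implicit deny at the end of every IOS access list


class NatOverload:
    """Translates (inside local ip, port) -> (inside global ip, port)."""

    def __init__(self, acl, pool, overload=True, port_range=(1024, 65535)):
        self.acl = acl
        self.pool = list(pool)
        self.overload = overload
        self.port_range = port_range
        self.table = {}                          # (local_ip, local_port) -> (global_ip, global_port)
        self.used_ports = {ip: set() for ip in self.pool}
        self.addr_of = {}                        # local_ip -> global_ip when overload is off
        self.free_addrs = list(self.pool)

    def _pick_port(self, global_ip, wanted):
        # Keep the original source port when it is free on the global address; else pick another.
        if wanted not in self.used_ports[global_ip]:
            return wanted
        for port in range(*self.port_range):
            if port not in self.used_ports[global_ip]:
                return port
        return None

    def translate(self, local_ip: str, local_port: int):
        """Return the inside-global socket, or None when no translation is made."""
        key = (local_ip, local_port)
        if key in self.table:
            return self.table[key]               # existing entry, as show ip nat translations lists it
        if not acl_permits(self.acl, local_ip):
            return None                          # not matched by the list: routed untranslated
        if self.overload:
            global_ip = self.pool[0]
            port = self._pick_port(global_ip, local_port)
            if port is None:
                return None                      # port space on the single address exhausted
        else:
            global_ip = self.addr_of.get(local_ip)
            if global_ip is None:
                if not self.free_addrs:
                    return None                  # no overload: one address serves one host
                global_ip = self.free_addrs.pop(0)
                self.addr_of[local_ip] = global_ip
            port = local_port
        self.used_ports[global_ip].add(port)
        self.table[key] = (global_ip, port)
        return self.table[key]

    def expire(self, local_ip: str, local_port: int):
        """Time out one entry, releasing its port (and its address when overload is off)."""
        entry = self.table.pop((local_ip, local_port), None)
        if entry is None:
            return
        self.used_ports[entry[0]].discard(entry[1])
        if not self.overload and not any(k[0] == local_ip for k in self.table):
            self.free_addrs.append(self.addr_of.pop(local_ip))


if __name__ == "__main__":
    acl = [("permit", "10.10.10.0", "0.0.0.255")]  # access-list 1 from the article
    pat = NatOverload(acl, ["63.63.63.2"], overload=True)
    print(pat.translate("10.10.10.5", 40000), pat.translate("10.10.10.6", 40000))
```

Packets whose source does not match the access list are not translated at all: the router forwards them with their private source address, which the ISP will normally drop, but which also means the list, not the pool, is what bounds what leaves your network.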

NOTE: You should now understand the differences between PAT, Pooled NAT, and Static NAT, and you should be able to do a basic PAT configuration with the Cisco IOS. For more information, check out the links below.


Resource from Techrepublic.com

More Related Networking, NAT, PAT Info:

How to Set up NAT Using the Cisco IOS?

How to Configure NAT in Cisco IOS?


Cisco ASA 5505 Dual ISP Backup

January 11 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Many small and medium-sized businesses require a backup path for their Internet connection while keeping costs to a minimum. The Cisco ASA 5505 provides a feature called Dual ISP Backup: the company uses its main ISP and, in the case of an outage, fails over to a more cost-effective connection such as DSL/cable Internet. This solution does require a Security Plus license.

Let's assume that a customer is assigned a static public IP address of 100.100.100.100 by their primary ISP and another static public IP address of 200.200.200.200 by their DSL/cable provider (placeholders for whatever addresses your ISPs actually assign). Ethernet 0/0 will connect to the primary ISP and will be assigned to any VLAN you choose, which in this case will be VLAN 2. Ethernet 0/1 will connect to the customer LAN and will be assigned to VLAN 1. Ethernet 0/2 will connect to the DSL/cable provider and will reside in VLAN 3.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.100.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.100 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backupisp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.200 255.255.255.0
ASA5505(config-if)# no shutdown


Next, we will create the SLA statements that track the availability of the primary ISP link. The commands are as follows:

sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

Every 3 seconds (frequency 3) the ASA sends 3 ICMP echo requests (num-packets 3) to 4.2.2.2, forced out the outside interface so that the probe always tests the primary link rather than whichever default route happens to be active. A single reply is enough for the operation to succeed and keep the primary route in place. The sla monitor schedule statement starts the operation; its number has to match the sla monitor entry (10), because a schedule for an operation that does not exist never runs and the tracked route would never come up. The track 1 statement ties tracking object 1 to SLA operation 10, using ICMP reachability as the criterion. Choose the probe target with care: an address beyond your ISP's edge (4.2.2.2 is a public DNS resolver commonly used for this) also detects upstream failures, but if that host stops answering ICMP for reasons of its own, the ASA will fail over even though your link is fine.

Next, the default route statements are written so that the primary ISP route follows the SLA track and the DSL/cable route takes over in the event of a primary failure. We do that with the following statements:

route outside 0.0.0.0 0.0.0.0 100.100.100.1 1 track 1
route backupisp 0.0.0.0 0.0.0.0 200.200.200.1 254

The next hop of each route is the gateway address supplied by that ISP; 100.100.100.1 and 200.200.200.1 stand in for those here. The primary route has administrative distance 1 and stays in the routing table only while track 1 reports reachability. The backup route's distance of 254 keeps it out of the table until the primary route is withdrawn, so traffic never prefers the cheaper link while the main one is healthy.

You can test the functionality by unplugging the primary ISP link from the ASA and confirming that the default route now points at backupisp. Keep in mind that established sessions do not survive the switch: the source address the Internet sees changes from one ISP to the other, so NAT state and any VPN tunnels built on the primary address have to be re-established. Inside hosts also need a NAT rule on the backupisp interface, or they will have no translation at all on the backup path.
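The walkthrough's pieces combined into one complete dual-ISP configuration, as an added example that is not the original article's listing or Cisco's reference configuration. Assumed for illustration: the ISP gateway addresses 100.100.100.1 and 200.200.200.1, and the NAT rules, which use ASA 8.3+ syntax; everything else reuses the names and numbers from the walkthrough.

```cisco
! --- Physical ports to VLANs (as in the walkthrough) ---
interface ethernet 0/0
 switchport access vlan 2
 no shutdown
interface ethernet 0/1
 switchport access vlan 1
 no shutdown
interface ethernet 0/2
 switchport access vlan 3
 no shutdown
!
! --- Logical interfaces ---
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
interface vlan 2
 nameif outside
 security-level 0
 ip address 100.100.100.100 255.255.255.0
 backup interface vlan 3
 no shutdown
interface vlan 3
 nameif backupisp
 security-level 0
 ip address 200.200.200.200 255.255.255.0
 no shutdown
!
! --- Probe: ICMP echo to 4.2.2.2, forced out the primary interface ---
! Every 3 s the ASA sends 3 echo requests; the operation succeeds if a
! reply comes back, and track 1 follows that success/failure state.
! The schedule number MUST equal the monitor number (10), otherwise the
! probe never runs and the tracked route never comes up.
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Default routes ---
! Primary: AD 1, installed only while track 1 is up.
! Backup:  AD 254, used only once the primary route is withdrawn.
! Next hops are the gateways each ISP gave you (.1 assumed here).
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1 track 1
route backupisp 0.0.0.0 0.0.0.0 200.200.200.1 254
!
! --- NAT for BOTH exits (assumed, ASA 8.3+ manual NAT syntax) ---
! Without a translation on backupisp, inside hosts lose Internet access
! the moment the primary route is withdrawn.
object network inside-net
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
nat (inside,backupisp) source dynamic inside-net interface
!
! --- Verification ---
!   show sla monitor operational-state    probe results and RTT
!   show track 1                           Reachability is Up / Down
!   show route | include 0.0.0.0           which default route is installed
! Pull the primary ISP cable, wait a few probe intervals, and repeat
! "show route": the backupisp route should now be the only default.
```

Run the three show commands before and after pulling the cable so that you see the track change state and the route swap, rather than only checking whether a ping from the LAN still works.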

This solution comes in handy for smaller businesses that need redundant Internet connectivity at a low price point. Cisco also has excellent documentation located on their website at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

---Resource from ciscocentral.com.au

More Cisco Firewall Tips:

How to Configure Dual ISP on Cisco ASA 5505?

Example Show: How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device?

Cisco Released Cisco ASA Software 9.0

Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series

How to Configure Cisco ASA 5505 Firewall?


Best Cisco CCNA Books for Your CCNA Study

January 8 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

Recommended-Cisco-CCNA-Books01.jpg

Well, the first book we would have to recommend is none other than the Cisco Press Official CCNA Certification Library, which includes the ICND1 and ICND2 Official Certification Guides. This is a must-have for every candidate pursuing the CCNA, and it is highly recommended that every candidate reads these books prior to attempting any of the labs provided by the Free CCNA Workbook.


Recommended-Cisco-CCNA-Books02.jpg
When I started getting into Cisco networking back in 2004, one of the books I read at the time was Todd Lammle's CCNA book. This guy writes his books in such a way that they are easy to understand and less confusing than the Cisco Press Official Certification Library: detailed explanations and an easy-to-follow page structure.

Recommended-Cisco-CCNA-Books03.jpg

If you are looking for CCNA practice exam questions, then look no further. This book is written by none other than the legendary Jeremy Cioara. It is all about practice questions: hundreds of questions with answers and explanations. Highly recommended for testing your knowledge and readiness for the CCNA exam.


More Related Reading:

Top Cisco Certification Books

Core Topics Covered on the CCNA Exam

Best Path for Getting Your CCNA Certification

10 Questions Help You Prepare CCNA 640-802 Exam


The New Generation of Cisco Aironet Access Points

January 2 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Wireless - Cisco Wireless AP

Second-Generation 802.11n Access Points

Video promises life-like remote communications. Cloud computing promises agility and reduced costs. Tablets and smartphones promise new employee and customer engagement. Overall, technology tantalizes consumers and businesses alike with the promise of transformation. But the reality of an IT manager is more complicated. There is a high rate of change in the mobility and networking industry, making it difficult for yesterday’s networks to adapt. And as mobility becomes a user imperative, new use cases with conflicting security and technical requirements emerge.


To address these needs, Cisco has evolved the previous line of access points (the Cisco Aironet 1040, 1140, 1260, and 3500 Series) by offering a new line of second-generation 802.11n access points, the Cisco Aironet 3600, 2600, and 1600 Series, that extends spectrum intelligence, antenna density, and client acceleration to new price points in the mainstream.


The second-generation Cisco Aironet access point portfolio is designed for a broad range of requirements for best-in-class, mission-critical, and enterprise-class service to provide industry-leading performance for secure and reliable wireless connections.


Whether you require entry-level wireless connectivity for a small enterprise, mission-critical coverage at thousands of locations, or best-in-class performance with future-proof expansion for emerging technologies such as 802.11ac, you can rely on Cisco's broad portfolio of access points to meet the needs of specific industries, business types, and topologies.


The Cisco Aironet Access Points come in standalone or controller-based models to support the unique requirements for scale and mobility services. Controllers reduce overall operational expenses by simplifying network deployment, operations, and management. They allow network administrators to remotely configure and monitor several access points to thousands of access points in a simple and efficient way. A controller is required to support voice, location services, guest access, and advanced security. Controller-based access points also support Cisco OfficeExtend for secure remote teleworking and enterprise wireless mesh, which allows access points to dynamically establish wireless connections in hard-to-connect locations.


A wireless network with standalone access points offers a low-cost, entry-level solution that does not require a controller. It is ideal for small-scale networks with fewer than 10 access points, and offers base-level wireless functionality with the flexibility to scale and add services over time by adding a controller.


Cisco Aironet 3600 Series: Best in Class

Figure1. Cisco Aironet 3600 Series Access Points

Cisco-Aironet-3600-Series-Access-Points.jpg

The Cisco Aironet 3600 Series Access Point (Figure 1) delivers the highest level of 802.11n performance, with expansion capability for emerging technologies such as 802.11ac. The 3600 Series offers better coverage and security in dense-client, high bandwidth networks that utilize applications such as HD video and virtual desktop infrastructure (VDI).

Highest 802.11n performance with Cisco CleanAir technology for a self-healing, self-optimizing wireless network

The industry’s first 4 x 4 multiple-input multiple-output (MIMO) access point with three spatial streams

Future-proof modularity, providing flexible upgrades and add-on options for 802.11ac or Wireless Security and Spectrum Intelligence (WSSI) Module and other future technologies

Cisco ClientLink 2.0, optimizing performance for tablets, smartphones, and laptops and all 802.11n one-, two-, and three-spatial stream devices, as well as legacy 802.11a/g clients

Standard 802.3af Power over Ethernet (PoE)

The 3600i model has integrated antennas for typical office deployments


The 3600e model is for RF-challenging indoor environments and requires external dual-band antennas. (For more information about antennas, visit: Antenna Product Portfolio for Cisco Aironet 802.11n Access Points.)


Cisco Aironet 2600 Series: Mission-Critical

Figure2. Cisco Aironet 2600 Series Access Points

Cisco-Aironet-2600-Series-Access-Points.jpg

The Cisco Aironet 2600 Series Access Point (Figure 2) is bring-your-own-device (BYOD)-optimized for connectivity to any client device. Second only to the Cisco Aironet 3600 Series in performance and features, the Cisco Aironet 2600 Series sets the new standard for enterprise wireless technology. This mission-critical access point delivers Cisco’s RF excellence features such as Cisco CleanAir and ClientLink 2.0 technology for any small, medium-sized, and large enterprise network.

Delivers the most advanced features in its class, with great performance, functionality, and reliability at a great price

Includes 802.11n-based 3 x 4 MIMO, with three spatial streams

Includes Cisco CleanAir, ClientLink 2.0, and VideoStream technologies, to help ensure an interference-free, high-speed wireless application experience

Standard 802.3af PoE

The 2600i model has integrated antennas for typical office deployments

The 2600e model is for RF challenging indoor environments and requires external dual-band antennas. (For more information about antennas, visit: Antenna Product Portfolio for Cisco Aironet 802.11n Access Points.)


Cisco Aironet 1600 Series: Enterprise Class

Figure3. Cisco Aironet 1600 Series Access Points

Cisco Aironet 1600 Series Access Points

The Cisco Aironet 1600 Series is an entry-level, enterprise-class 802.11n-based access point designed to address the wireless connectivity needs of small and midsize enterprise networks.

With at least six times the throughput of existing 802.11a/g networks, the 1600 Series brings the performance advantage of enterprise-class 802.11n, using 3 x 3 MIMO technology with two spatial streams

Provides efficient wireless coverage through CleanAir Express* client acceleration for entry-level networks that have a mixed legacy and non-legacy client base

(*planned for future support)

Standard 802.3af PoE

The 1600i model has integrated antennas for typical office deployments

The 1600e model is for RF-challenging indoor environments and requires external dual-band antennas. (For more information about antennas, visit: Antenna Product Portfolio for Cisco Aironet 802.11n Access Points.)


The Cisco Advantage

Cisco has true enterprise-class RF technology designed to maximize 802.11n performance. Cisco technologies such as CleanAir, ClientLink 2.0, and VideoStream, plus optimized access point radios and antennas, improve performance regardless of where client devices are located. All Cisco Aironet 802.11n access points support:

A limited lifetime hardware warranty

5- or 10-unit Eco-Pack bundles with a single, easy-to-open carton that streamlines the staging and installation process and reduces packaging waste by 50 percent

Mounting brackets that can be easily retrofitted to existing Cisco legacy access points to minimize migration cost and time

The benefits of deploying Cisco Aironet access points with a Cisco Unified Wireless Network extend from investment protection and future-proofing to better scalability and reliability of the enterprise network. For more details, visit: www.cisco.com/go/wireless.


Cisco Aironet 600 Series OfficeExtend Access Point

Figure4. Cisco Aironet 600 Series OfficeExtend Access Point

Cisco-Aironet-600-Series-OfficeExtend-Access-Point.jpg

Purposely designed for the teleworking environment, Cisco Aironet 600 Series OfficeExtend Access Points (Figure 4) deliver always-on, secure access to networked business services from the remote home office. The access point connects to the home's broadband Internet access and establishes a secure tunnel to the corporate network so that remote employees can access data, voice, video, and cloud services for a mobility experience consistent with that at the corporate office.

802.11n access points for reliable, secure teleworking

Zero-touch deployment at the home office speeds setup time

Dual-band support uses all available spectrum to help avoid congestion caused by home devices

Supports corporate and personal network activity with traffic segmentation


Table 1 compares the features of new Cisco Aironet 802.11n access points.

Table1. Cisco Aironet 802.11n Access Point Comparison Chart

 Cisco-Aironet-802.11n-Access-Point-Comparison-Chart1.jpg

Cisco-Aironet-802.11n-Access-Point-Comparison-Chart2.jpg

Reference PDF from http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/at_a_glance_c45-636090.pdf

More Cisco Aironet Access Point Info and Tips:

What You Should Pay Attention to Cisco Aironet Access Point While Purchasing?

Antenna Product Portfolio for Cisco Aironet 802.11n Access Points

General Questions Help You Realize Cisco Aironet 1250 Series Access Point
