Vyacheslav Gapon – personal blog, manuals, articles, notes, development
On the test I will configure IP Unnumbered on Cisco Catalyst 6509E with firmware 12.2(33)SXJ7, on other switches the setup is similar.
IP Unnumbered is useful, for example, when it is necessary to divide a large network into several VLANs and use the same IP addresses and also to issue white IPs in any VLAN using one gateway.
Connect to the terminal device through the console, telnet or SSH.
I will give an example of setting up IGMP snooping on Cisco, there was a Cisco WS-C2960-24TT-L switch at hand.
First of all, let’s switch to configuration mode:
enable configure t
For the test, I sketched a Cisco Catalyst 6509-E automatic backup configuration script.
Actually the script itself:
#!/bin/bash
# Backup CISCO config
(
sleep 5
echo "user"
sleep 4
echo "password"
sleep 4
echo "copy running-config tftp:"
sleep 2
echo "192.168.1.4"
sleep 2
echo "cisco.cfg"
sleep 6
echo "exit"
) | telnet 192.168.1.5
mv /srv/tftp/cisco.cfg /backups/devices/cisco/`date +%Y-%m-%d`_cisco.cfg
find /backups/devices/cisco/ -type f -mtime +30 -exec rm {} \;
Add the contents of the script, for example, to the backup_cisco.sh file and add it to cron, adding the following line to the /etc/crontab file:
0 2 * * * root /backups/scripts/backup_cisco.sh > /dev/null 2>&1
The file can be opened for example in the text editor nano (Ctrl+X to exit, y/n to save or cancel changes):
sudo nano /etc/crontab
The script connects via telnet to 192.168.1.5 and copies the configuration to the tftp server 192.168.1.4, then the file is moved to a convenient directory for storage.
The last line in the script deletes files older than 30 days.
How to start the tftp server, see my articles: Installing and Configuring a TFTP Server in Ubuntu or Starting a TFTP server in Windows.
See also: Using and configuring CRON.
For the test I will configure ports on Cisco Catalyst 6509-E.
I’ll give an example of setting Access of the port (the traffic goes only over one specified vlan without a tag):
interface GigabitEthernet1/1 description TEXT switchport switchport access vlan 226 switchport mode access no shutdown
Now I’ll give an example of setting Trunk of the port (traffic goes through one or several vlan with a tag only):
interface GigabitEthernet1/2 description TEXT switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 207,228 switchport mode trunk no shutdown
And the third option, Hybrid port (traffic goes only on one vlan without a tag and on one or several vlan with a tag):
interface GigabitEthernet1/3 description TEXT switchport switchport trunk encapsulation dot1q switchport trunk native vlan 226 switchport trunk allowed vlan 207,226 switchport mode trunk no shutdown
To specify parameters for several ports at once:
interface range GigabitEthernet1/1-24
We prohibit automatic switching of the port to access or trunk mode:
interface range GigabitEthernet1/1-24 switchport nonegotiate exit
See also my article – Configuring link aggregation on the Cisco Catalyst 6500
On the test, I configure DHCP Snooping on the Cisco Catalyst 6509-E to block third-party DHCP servers, on the other Cisco switches, the configuration is basically the same.
After connecting to the device immediately go to the configuration mode:
enable configure
Continue reading “Blocking third-party DHCP on Cisco via DHCP Snooping”
Connect to the Cisco switch and go into elevated privilege mode:
enable
Now go into the configuration mode:
configure terminal
Enable HTTP:
ip http server ip http authentication local
If necessary, you can disable HTTP and HTTPS as follows:
no ip http server no ip http secure-server
Add a user if it does not exist:
username NAME privilege 15 secret PASSWORD
If you want to allow HTTP access to only certain IPs, then let’s see what rules there are on the switch:
exit show access-list show ip access-lists configure terminal
If there is no necessary rule, then we will create:
access-list 10 permit 192.168.1.22 access-list 10 permit 192.168.3.10
See my article – Restricting access to the Cisco Catalyst 6500 management
Apply the rule to HTTP:
ip http access-class 10
To cancel it is possible so:
no ip http access-class 10
If you need to specify the maximum number of connection attempts:
ip admission max-login-attempts 5 show ip admission configuration
Leave their configuration mode and save the configuration:
exit write
See also:
Configuring Cisco devices
Suppose we connected a third-party module to the first SFP port, we’ll look at the information about it:
show idprom int GigabitEthernet 1/1
In my case, on the Cisco Catalyst 6509-E, very many ports with third-party SFP modules after some time they turned off and in the logs information was written that the module was not supported.
Now go into the configuration mode:
enable config t
And we will make sure that the interfaces are not disabled when third-party SFP modules are enabled by entering the following commands:
service unsupported-transceiver no errdisable detect cause sfp-config-mismatch no errdisable detect cause gbic-invalid
After that, everything worked well.
See also:
Configure Cisco Catalyst 6509-E
Let’s say we have a collector running like I wrote in this article – Installing and using flow-tools
Now connect to the Cisco switch, for the test, I connect to the Cisco Catalyst 6509-E.
Now go into the configuration mode:
enable configure terminal
Enable NetFlow:
mls netflow
Specify NetFlow parameters, collector address, port and version:
mls flow ip interface-full mls nde sender version 5 ip flow-export version 5 ip flow-export destination 192.168.1.25 555 ip flow-cache timeout active 1
Suppose you need to collect statistics from the interface vlan 995:
interface vlan 995 ip route-cache flow exit
Done, the statistics should be sent to the collector (via the vlan interface which is closer to the collector (if there are several), and not from which statistics are collected, respectively, on the collector, you need to specify the IP correctly).
To cancel execute the commands:
interface vlan 995 no ip route-cache flow exit
An example of viewing the age of records:
show mls netflow aging show mls netflow table-contention detailed
You can also set the MLS aging time (default is 300 seconds), in the range 32 – 4092 seconds:
show mls netflow aging
mls aging normal 300
mls aging {fast [threshold {1-128} | time {1-128}] | long 64-1920 | normal 32-4092}
Viewing the installed mask:
show mls netflow flowmask
View collected statistics:
show mls netflow ip nowrap
On the test, I will configure the Cisco Catalyst WS-C3750-48TS-S.
And so, all ports are configured as access, except for the first Gigabit uplink port, it is configured as a trunk and the Internet on the client vlan with the tag comes to it.
We need all the ports on this switch to not see each other and see only the first gigabit ulink port.
To do this, connect to the switch and go into the configuration mode:
enable configure terminal
Then, we issue the switchport protected command for all access ports:
interface range fastEthernet 1/0/1-48 switchport protected interface range gigabitEthernet 1/0/2-4 switchport protected exit exit
Save the configuration:
write
Apparently interface gigabitEthernet 1/0/1 we did not touch.
Now the ports on which the switchport protected command is registered do not see the other ports on which this command is also registered, they see only the ports where it is not registered, that is, in our case the first gigabit ulink port, and it sees all the ports with the command and without.
Information about ports can be viewed by the command:
show interfaces NAME switchport
View full configuration:
show running-config
See also:
Port isolation on Huawei switches
Port isolation on the ZyXEL MES-3528 switch
On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block access to users to a certain site, a network node, or for example a social network VKontakte.
First, we know the range of IP addresses on which the site is located, for example, we search VKontakte on bgp.he.net, here is for example the list of subnets for one of the AS belonging to VKontakte “http://bgp.he.net/AS47541#_prefixes”.
And create an extended ACL for example with the name BLOCKSOCIAL:
ip access-list extended BLOCKSOCIAL deny ip any 87.240.128.0 0.0.63.255 deny ip any 93.186.224.0 0.0.7.255 deny ip any 93.186.232.0 0.0.7.255 deny ip any 95.142.192.0 0.0.15.255 deny ip any 95.213.0.0 0.0.63.255 deny ip any 185.29.130.0 0.0.0.255 deny ip any 185.32.248.0 0.0.3.255 permit ip any any exit
The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.
You can specify as a source a specific network or for example one address to deny access to another address:
deny ip host 192.168.5.1 host 192.168.11.54
The line “permit ip any any” should be necessary at the end.
Instead of a subnet mask, you need to specify the Wildcard, for example, for the mask /24, specify 0.0.0.255, for /22 – 0.0.3.255, etc., you can look at and count on any IP calculator.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255
If you want to block more sites, we’ll add the addresses to the same ACL, since only one can be applied to the ACL interface.
Apply the created ACL to the port looking towards the clients:
interface GigabitEthernet1/1 ip access-group BLOCKSOCIAL in
Or, to write less only to the server’s server port on the Internet, if there is one:
interface TenGigabitEthernet3/2 ip access-group BLOCKSOCIAL in
You can cancel the ACL interface as follows:
no ip access-group BLOCKSOCIAL in
Delete the ACL like this:
no ip access-list extended BLOCKSOCIAL
If you block sites on the port from the server to the clients, then in the ACL rule we will change the addresses in the following places:
ip access-list extended BLOCKSOCIAL deny ip 87.240.128.0 0.0.63.255 any deny ip 93.186.224.0 0.0.7.255 any deny ip 93.186.232.0 0.0.7.255 any deny ip 95.142.192.0 0.0.15.255 any deny ip 95.213.0.0 0.0.63.255 any deny ip 185.29.130.0 0.0.0.255 any deny ip 185.32.248.0 0.0.3.255 any deny ip host 192.168.5.1 any permit ip any any exit
See also my articles:
Blocking social networks on Mikrotik routers
Blocking social networks using iptables