Category Archives: Cisco

Blocking social networks on Cisco

On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block access to users to a certain site, a network node, or for example a social network VKontakte.

First, we know the range of IP addresses on which the site is located, for example, we search VKontakte on bgp.he.net, here is for example the list of subnets for one of the AS belonging to VKontakte “http://bgp.he.net/AS47541#_prefixes”.

And create an extended ACL for example with the name BLOCKSOCIAL:

ip access-list extended BLOCKSOCIAL
deny ip any 87.240.128.0 0.0.63.255
deny ip any 93.186.224.0 0.0.7.255
deny ip any 93.186.232.0 0.0.7.255
deny ip any 95.142.192.0 0.0.15.255
deny ip any 95.213.0.0 0.0.63.255
deny ip any 185.29.130.0 0.0.0.255
deny ip any 185.32.248.0 0.0.3.255
permit ip any any
exit

The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.
You can specify as a source a specific network or for example one address to deny access to another address:

deny ip host 192.168.5.1 host 192.168.11.54

The line “permit ip any any” should be necessary at the end.

Instead of a subnet mask, you need to specify the Wildcard, for example, for the mask /24, specify 0.0.0.255, for /22 – 0.0.3.255, etc., you can look at and count on any IP calculator.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255

If you want to block more sites, we’ll add the addresses to the same ACL, since only one can be applied to the ACL interface.

Apply the created ACL to the port looking towards the clients:

interface GigabitEthernet1/1
ip access-group BLOCKSOCIAL in

Or, to write less only to the server’s server port on the Internet, if there is one:

interface TenGigabitEthernet3/2
ip access-group BLOCKSOCIAL in

You can cancel the ACL interface as follows:

no ip access-group BLOCKSOCIAL in

Delete the ACL like this:

no ip access-list extended BLOCKSOCIAL

If you block sites on the port from the server to the clients, then in the ACL rule we will change the addresses in the following places:

ip access-list extended BLOCKSOCIAL
deny ip 87.240.128.0 0.0.63.255 any
deny ip 93.186.224.0 0.0.7.255 any
deny ip 93.186.232.0 0.0.7.255 any
deny ip 95.142.192.0 0.0.15.255 any
deny ip 95.213.0.0 0.0.63.255 any
deny ip 185.29.130.0 0.0.0.255 any
deny ip 185.32.248.0 0.0.3.255 any
deny ip host 192.168.5.1 any
permit ip any any
exit

See also my articles:
Blocking social networks on Mikrotik routers
Blocking social networks using iptables

Configuring link aggregation on the Cisco Catalyst 6500

For the test, I will configure the aggregation on the Cisco Catalyst 6509-E.

Suppose I configured the first port as I need, I registered the necessary VLANs, now with the last commands we add the port to the aggregation channel:

interface GigabitEthernet1/7
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 111,144-190
switchport mode trunk
no cdp enable
lacp rate fast
channel-protocol lacp
channel-group 1 mode active

The second port should be configured in the same way and add the last commands to the aggregation channel as well:

interface GigabitEthernet1/8
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 111,144-190
switchport mode trunk
no cdp enable
lacp rate fast
channel-protocol lacp
channel-group 1 mode active

After the above commands, the Port-channel1 interface was automatically created, use the description command to add a note and enable it:

interface Port-channel1
description GPON OLT link aggregation
no shutdown

The port aggregation configuration is completed, you can connect to them.
I note that it is better to configure aggregation with a pair of links, since a non-pair link is usually less load.
Personally, I prefer not to use channel aggregation, but to use 10Gb/s and 40Gb/s links.

If you need to delete several VLANs, then it is enough to delete them on Port-channel1 (on the ports included in the aggregation, they are deleted automatically):

interface Port-channel1
switchport trunk allowed vlan remove 180-190

An example of viewing various information about aggregation:

show lacp 1 internal
show etherchannel 1 detail
show etherchannel summary
show etherchannel load-balance
show interfaces gi1/7
show interfaces gi1/8
show ip int brief
show cdp neighbor
show lldp neighbor
show interfaces status err-disabled

See also my articles:
Solution “Port is not compatible with aggregators in channel 1 and cannot attach to them”
Configuring link aggregation on Huawei SmartAX MA5600

The solution to the error “IP overlaps with VlanXXX. VlanXXX: incorrect IP address assignment”

It was necessary to replace the L3 switch of HP with Cisco once and after a similar switch configuration Cisco noticed an error:

172.16.63.0 overlaps with Vlan111
Vlan121: incorrect IP address assignment

As it turned out the network Vlan111 172.16.0.0/18 was ending at 172.16.63.254, it crossed with Vlan121 172.16.63.0/24.

The HP 5800 switch was configured before that and he did not say anything about it, and Cisco refused to accept the command.

Therefore, since IP addresses were used little in the Vlan111 172.16.0.0/18 network, the problem was solved by reducing the mask to 172.16.0.0/19.

After that, the IP address was successfully registered to the Vlan121 interface.

Done.

Connecting SFP-RJ45 Modules to the Cisco 6500

It took a couple of days ago to the Cisco Catalyst 6509-E in which there were modules only with SFP ports to connect a few links with RJ45.

Since RJ45 links are small, it was more economical to use SFP-RJ45 modules, so they were ordered.
I connected them to the ports WS-X6724-SFP, but nothing was displayed in the logs.

Let’s write commands so that Cisco does not disable ports when inserting unsupported modules:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

I note that the ports WS-X6724-SFP in my case work only at 1Gb speed, so the link will not naturally rise to 100Mb or 10MB, although the Foxgate SFP-RJ45 modules that we had and support 10/100/1000.

In confirmation of this I checked the commands:

configure t
interface gigabitEthernet 1/1
speed ?

What was the opportunity to specify the speed of the port only in 1000.

See also:
Configure Cisco Catalyst 6509-E

Configuring DHCP relay on Cisco

On the test, I’ll take the Cisco Catalyst 6509-E switch and configure it to forward DHCP packets to the DHCP server.
The switch is configured as L3 with assigned IP addresses in each VLAN.

Connect to the switch through the console or telnet and go to the configuration mode:

enable
configure t

Let’s assume the DHCP server address is 192.168.11.1 and we want to configure the transfer of DHCP broadcast packets to it on VLAN 100, for this we execute the commands:

interface Vlan100
ip helper-address 192.168.11.1
exit

Exit the configuration mode and save the configuration:

exit
write

Done.