More documents

Recommendations

Info

CHAPTER 28 ASA Firewall Configuration In this chapter, I will explain how to configure the most common features of an ASA firewall. Examples will be based on the ASA 5540, which uses the same commands as the entire ASA line. Most commands are the same on the PIX firewalls, but since they are no longer sold—with the exception of the Firewall Service Module (FWSM)—this chapter focuses on ASAs. There are slight differences among models. For example, the ASA 5505 base model cannot be run in failover or multicontext mode. The FWSM also operates differently in that it is a module and has no configurable physical interfaces. ASA stands for Adaptive Security Appliance. This name indicates that these devices are capable of being a firewall, a VPN device, and an IPS/IDS device. In this chapter, I will concentrate on the basics of firewall services. Configuring an ASA can be a bit confusing for people whose experience is with IOSbased devices. While there are similarities in the way the command-line interpreter works, there are some pretty interesting differences, too. One of my favorite features of the ASA and even the PIX firewalls is the fact that you can execute the show runningconfig command from within configuration mode. Recent versions of IOS allow similar functionality using the do command (do show run, for example) from within configuration mode, but using the command in the ASA is, in my opinion, more natural. NX- OS, the operating system for Cisco Nexus switches, implements this feature as well. Around the time the ASAs were released, Cisco revamped the Adaptive Security Device Manager (ASDM) software used to control its PIX firewalls and ASA appliances. For the first time, this software became a viable tool for configuring and managing a Cisco firewall. While many of the examples in this chapter can also be accomplished with the ASDM, I tend to be an old-school command-line kind of guy. This chapter deals with configuring ASAs using the command line, and does not cover the ASDM. The ASDM is a pretty great tool, however, and I encourage you to explore its use on your own. 469
Page 3:
Network Warrior
Page 6 and 7:
Network Warrior, Second Edition by
Page 8 and 9:
Configuring Trunks 42 IOS 42 CatOS
Page 10 and 11:
Nexus and HSRP 189 GLBP 189 Object
Page 12 and 13:
Bipolar Violation 362 CRC6 363 Erro
Page 14 and 15:
Configuring Contexts 486 Interfaces
Page 16 and 17:
Nonpriority Queue Too Large 624 Def
Page 18 and 19:
Environmental 729 Leadership and Me
Page 20 and 21:
I faced a very tough decision when
Page 22 and 23:
Using Code Examples This book is he
Page 24 and 25:
would not be published today. Her d
Page 27 and 28:
CHAPTER 1 What Is a Network Before
Page 29:
WAN A WAN is a network that is used
Page 32 and 33:
I was surprised to learn that there
Page 34 and 35:
equired. Collisions are also limite
Page 36 and 37:
Hubs have a lot of drawbacks, and m
Page 38 and 39:
destination MAC address and checks
Page 40 and 41:
Switch Types Cisco switches can be
Page 42 and 43:
Planning a Chassis-Based Switch Ins
Page 44 and 45:
Installing and removing modules Mod
Page 46 and 47:
How Autonegotiation Works First, le
Page 48 and 49:
Figure 3-2. Full duplex frames cons
Page 50 and 51:
Once you’ve set the speed, you ca
Page 52 and 53:
Figure 4-1. VLANs on a switch Figur
Page 54 and 55:
Another way to route between VLANs
Page 56 and 57:
There are a lot of options when cre
Page 58 and 59:
To create a VLAN, give the vlan com
Page 60 and 61:
1004 fddinet-default act/unsup 1005
Page 62 and 63:
This automatically puts us into int
Page 64 and 65:
How Trunks Work Figure 5-2 is a vis
Page 66 and 67:
Which Protocol to Use Why are there
Page 68 and 69:
The default mode for most Cisco swi
Page 70 and 71:
The output of show interface trunk
Page 72 and 73:
Switch-2# (enable)clear trunk 3/5 1
Page 75 and 76:
CHAPTER 6 VLAN Trunking Protocol In
Page 77 and 78:
Switches with mismatched VTP domain
Page 79 and 80:
Figure 6-3. Broadcast sent to all s
Page 81 and 82:
In larger, more dynamic environment
Page 83 and 84:
3750-IOS(config)#vtp mode client S
Page 85 and 86:
IOS VTP pruning is enabled with the
Page 87:
NX-OS NX-OS does not support VTP pr
Page 90 and 91:
Figure 7-1. EtherChannel on IOS and
Page 92 and 93:
• The source and destination port
Page 94 and 95:
The only solutions for this problem
Page 96 and 97:
Switch-2-CatOS: (enable)sho channel
Page 98 and 99:
Port-channel: Po1 ------------ Age
Page 100 and 101:
Input flow-control is off, output f
Page 102 and 103:
Figure 7-6. VSS MEC versus Nexus vP
Page 104 and 105:
Technically, you could bond port ch
Page 106 and 107:
5 Po14 up success success 3-7,9 6 P
Page 108 and 109:
The computer on Switch A sends out
Page 110 and 111:
The numbers on the left side of the
Page 112 and 113:
0 input packets with dribble condit
Page 114 and 115:
Preventing Loops with Spanning Tree
Page 116 and 117:
Figure 8-4. BPDU format Every port
Page 118 and 119:
Root ID Priority 24577 Address 0009
Page 120 and 121:
Here is the same command as seen on
Page 122 and 123:
To disable PortFast on an interface
Page 124 and 125:
UplinkFast should be configured onl
Page 126 and 127:
If BackboneFast is used, it must be
Page 128 and 129:
Figure 8-9. Unidirectional link pro
Page 130 and 131:
Designing to Prevent Spanning Tree
Page 132 and 133:
outer. Router is the term I will ge
Page 134 and 135:
When a packet arrives at a router,
Page 136 and 137:
Gateway of last resort is 11.0.0.1
Page 138 and 139:
Subnet Subnets are indented under t
Page 140 and 141:
Supernet (Group of Major Networks)
Page 142 and 143:
Now I’ll assign a different inter
Page 145 and 146:
CHAPTER 10 Routing Protocols A rout
Page 147 and 148:
There may be more than one type of
Page 149 and 150:
Metrics and Protocol Types The job
Page 151 and 152:
Figure 10-6. OSPF uses bandwidth to
Page 153 and 154:
Looking at Table 10-1, you can see
Page 155 and 156:
is learned on one permanent virtual
Page 157 and 158:
By default, no interfaces are inclu
Page 159 and 160:
• Updates in RIPv2 are sent using
Page 161 and 162:
As with all IGPs, you list the inte
Page 163 and 164:
D 192.168.3.0/24 [90/2195456] via 1
Page 165 and 166:
Autonomous System External (ASE) LS
Page 167 and 168:
outers are assumed to be connected
Page 169 and 170:
OSPF Router with ID (192.168.1.116)
Page 171 and 172:
Dampening enabled. 2687 history pat
Page 173 and 174:
CHAPTER 11 Redistribution Redistrib
Page 175 and 176:
Regardless of which protocol you re
Page 177 and 178:
Gateway of last resort is not set C
Page 179 and 180:
Here are the arguments required for
Page 181 and 182:
If you do not specify a default met
Page 183 and 184:
outer ospf 100 redistribute eigrp 1
Page 185 and 186:
autonomous systems using the same r
Page 187 and 188:
P 10.10.10.0/24, 1 successors, FD i
Page 189 and 190:
Gateway of last resort is not set 5
Page 191 and 192:
Gateway of last resort is not set 5
Page 193 and 194:
CHAPTER 12 Tunnels A tunnel is a me
Page 195 and 196:
Figure 12-1. Simple network Given t
Page 197 and 198:
Keepalive not set Tunnel source 10.
Page 199 and 200:
To prove that the tunnel is running
Page 201 and 202:
Router D: interface Loopback0 ip ad
Page 203 and 204:
down the tunnel. Unfortunately, it
Page 205:
PIX firewalls also support the keyw
Page 208 and 209:
The details of Cisco’s HSRP can b
Page 210 and 211:
To enable this behavior, you must c
Page 212 and 213:
On each router, we have added the s
Page 214 and 215:
Figure 13-5. HSRP limitations Metro
Page 216 and 217:
of 1,024 GLBP groups per router int
Page 218 and 219:
Weighting is used both for load dis
Page 220 and 221:
Another nice GLBP command is show g
Page 222 and 223:
If we wanted GLBP to enable the for
Page 224 and 225:
metric route-type tag Match metric
Page 226 and 227:
We used to be able to do AND operat
Page 228 and 229:
simply provides the best path to th
Page 230 and 231:
Policy routing overrides the routin
Page 233 and 234:
CHAPTER 15 Switching Algorithms in
Page 235 and 236:
Process Switching The original meth
Page 237 and 238:
a. Is the destination reachable b.
Page 239 and 240:
The drawbacks of this implementatio
Page 241 and 242:
The term trie comes from the word r
Page 243 and 244:
IP fast switching on the same inter
Page 245 and 246:
CEF 30 ****************************
Page 247 and 248:
CHAPTER 16 Multilayer Switches Swit
Page 249 and 250:
Ethernet ports on routers tend to b
Page 251 and 252:
Queueing strategy: fifo Output queu
Page 253 and 254:
Another way to get to the MSFC is w
Page 255:
A quick word is in order about choo
Page 258 and 259:
Figure 17-1. Individual versus inte
Page 260 and 261:
Because it controls the crossbar fa
Page 262 and 263:
Figure 17-3. Cisco 6509 backplanes
Page 264 and 265:
the standard 6500 chassis (40 Gbps
Page 266 and 267:
Supervisor-720 This model represent
Page 268 and 269:
etween the different buses. Specifi
Page 270 and 271:
CSM for load-balancing needs, but t
Page 272 and 273:
Interface Vlan30 "inside", is up, l
Page 274 and 275:
Intrusion Detection System modules.
Page 276 and 277:
MSFC for Layer-3 functionality, the
Page 278 and 279:
Queueing strategy: fifo Output queu
Page 280 and 281:
Figure 17-9. VSS layout including P
Page 282 and 283:
If you change your mind, just negat
Page 284 and 285:
We can see the status of the VSS cl
Page 286 and 287:
activity interval and global aging
Page 288 and 289:
To reboot only the active switch an
Page 291 and 292:
CHAPTER 18 Cisco Nexus At the time
Page 293 and 294:
6509 and 6509E had side-to-side air
Page 295 and 296:
ports. When mounting switches in ra
Page 297 and 298:
Figure 18-6. Nexus 5010 with power
Page 299 and 300:
Figure 18-8. Nexus 2148 FEX with po
Page 301 and 302:
dhcp Enable/Disable DHCP Snooping d
Page 303 and 304:
No more write memory Cisco has been
Page 305 and 306:
on commands with big outputs, like
Page 307 and 308:
Scalability The Nexus 7000 chassis
Page 309 and 310:
The downside is that it makes the c
Page 311 and 312:
Next, I’ll allocate all 32 ports
Page 313 and 314:
Once I’m connected to the VDC, it
Page 315 and 316:
NX-7K-1-Cozy(config-if)# rate-mode
Page 317 and 318:
Figure 18-15. FEXs attached in cros
Page 319 and 320:
The FEX associate command is what d
Page 321 and 322:
Figure 18-17. Traditional spanning
Page 323 and 324:
And the vPC peer keepalive: NX-7K-2
Page 325 and 326:
Port Mode 1 access access Native Vl
Page 327 and 328:
Imagine two Nexus 5010s, with large
Page 329 and 330:
NX-5K-2(config-sync-sp)# sync-peers
Page 331 and 332:
Here it says that it verified local
Page 333 and 334:
spanning-tree port type edge trunk
Page 335 and 336:
NX-5K-1# config sync NX-5K-1(config
Page 337 and 338:
Name: GAD !Command: Checkpoint cmd
Page 339 and 340:
tell it that we’re using the mana
Page 341 and 342:
Install is in progress, please wait
Page 343 and 344:
CHAPTER 19 Catalyst 3750 Features T
Page 345 and 346:
As it says, I need to reboot, so I
Page 347 and 348:
You create macros are created with
Page 349 and 350:
An easier way to see where macros h
Page 351 and 352:
Storm Control Storm control prevent
Page 353 and 354:
Additionally, the latest releases o
Page 355 and 356:
that this is measured every 200 ms,
Page 357 and 358:
Protect When a violation occurs, th
Page 359 and 360:
3750(config)#monitor session 1 des
Page 361 and 362:
3750(config)#no monitor session S
Page 363 and 364:
command. The options are cos and tr
Page 365 and 366:
The interface’s configuration wil
Page 367 and 368:
CHAPTER 20 Telecom Nomenclature The
Page 369 and 370:
Digital refers to a signal that has
Page 371 and 372:
CSU/DSU CSU stands for Channel Serv
Page 373 and 374:
Designator Transmission rate Voice
Page 375 and 376:
Figure 20-4. Different propagation
Page 377 and 378:
POTS POTS is short for the clever p
Page 379:
T-carrier T-carrier is the generic
Page 382 and 383:
T1s are full-duplex links. Voice T1
Page 384 and 385:
This allows for some interesting er
Page 386 and 387:
Figure 21-4. One-channel sample T1s
Page 388 and 389:
Performance Monitoring CSU/DSUs con
Page 390 and 391:
though again, they are described fo
Page 392 and 393:
Watch out for assumptions. Router D
Page 394 and 395:
Not all models of CSU/DSU have all
Page 396 and 397:
Figure 21-13. Integrated CSU/DSU lo
Page 398 and 399:
Hardware revision is 0.112, Softwar
Page 400 and 401:
(ninety-six 15-minute intervals), a
Page 402 and 403:
clocking, framing, and encoding, wh
Page 404 and 405:
sends a FEOOF signal back to the so
Page 406 and 407:
You show the status of the interfac
Page 408 and 409:
However, because this is a channeli
Page 410 and 411:
Here, we can see the individual ser
Page 413 and 414:
CHAPTER 23 Frame Relay Frame Relay
Page 415 and 416:
dell-see). These DLCIs (and your da
Page 417 and 418:
Figure 23-4. Frame Relay CIR and DE
Page 419 and 420:
Figure 23-7. Six-node fully meshed
Page 421 and 422:
ansi q933a Congestion Avoidance in
Page 423 and 424:
out pkts dropped 0 out bytes droppe
Page 425 and 426:
Router-B(config)#int s0/0 Router-B(
Page 427 and 428:
Local IP addresses mapped to remote
Page 429 and 430:
Figure 23-12. Three-node Frame Rela
Page 431 and 432:
00:33:05: Serial0/0(in): Status, my
Page 433:
Serial0/0.102 (up): point-to-point
Page 436 and 437:
Because entire packets are prefixed
Page 438 and 439:
So how do the branches communicate
Page 440 and 441:
encapsulation ppp auto qos voip tru
Page 442 and 443:
Wildcard Masks Wildcard masks (also
Page 444 and 445: Reflexive access lists, covered lat
Page 446 and 447: Here’s an actual example from a P
Page 448 and 449: access-list Inbound permit icmp any
Page 450 and 451: access-list Inbound line 8 permit i
Page 452 and 453: Or using named access lists: ip acc
Page 454 and 455: able to communicate only with the d
Page 456 and 457: to contain a permit appletalk inste
Page 458 and 459: Figure 25-4. Simple access list app
Page 460 and 461: Reflexive access lists can only be
Page 463 and 464: CHAPTER 26 Authentication in Cisco
Page 465 and 466: NX-OS switches work a little differ
Page 467 and 468: If you specify a command or menu th
Page 469 and 470: e used when minimal security is des
Page 471 and 472: CHAP CHAP is more secure than PAP b
Page 473 and 474: Two-way authentication. As with PAP
Page 475 and 476: Hostname ISP ! username Bob-01 pass
Page 477 and 478: Nexus switches seem to be more gear
Page 479 and 480: Creating Method Lists A method list
Page 481 and 482: If you’re relying on external ser
Page 483: interface Serial0/0/0:0 no ip addre
Page 486 and 487: high level of security, but like yo
Page 488 and 489: term referring to a zone created be
Page 490 and 491: Figure 27-2. DMZ connecting to a ve
Page 492 and 493: Figure 27-4 shows a simplified layo
Page 496 and 497: Contexts Many ASAs can be divided i
Page 498 and 499: Figure 28-1. ASA interface security
Page 500 and 501: FileServer. Using the name command,
Page 502 and 503: considering firewalls. With the obj
Page 504 and 505: [GAD@someserver GAD]$telnet mail.my
Page 506 and 507: active failover also being possible
Page 508 and 509: The Classifier When there are multi
Page 510 and 511: A better way to configure this scen
Page 512 and 513: Configuring Contexts ASA firewalls
Page 514 and 515: GAD-Tech default GigabitEthernet0/0
Page 516 and 517: The write mem command saves only th
Page 518 and 519: is usually the standby when the pai
Page 520 and 521: ASA failover works so well that dev
Page 522 and 523: Once failover is successfully confi
Page 524 and 525: When I first heard the term active/
Page 526 and 527: Failover User Group configuration m
Page 528 and 529: NAT Commands A few commands are use
Page 530 and 531: dangerous, but because the outside
Page 532 and 533: networks that need Internet access
Page 534 and 535: 0 - System Unusable 1 - Take Immedi
Page 536 and 537: TCP out 10.120.37.15:80 in LAB-PC:1
Page 538 and 539: that there are even more wireless s
Page 540 and 541: There are a few methods for securin
Page 542 and 543: convenience and paranoia. And yes,
Page 544 and 545:
wep mandatory command makes it mand
Page 546 and 547:
378073 packets output, 532095123 by
Page 549 and 550:
CHAPTER 30 VoIP Voice over IP (VoIP
Page 551 and 552:
In telephony terms, the control com
Page 553 and 554:
(VAD), a feature that lowers or eli
Page 555 and 556:
Processors (DSP). DSPs are speciali
Page 557 and 558:
computational delay. The way to res
Page 559 and 560:
If you’re building a VoIP solutio
Page 561 and 562:
Figure 30-3. Cisco IP phone and wor
Page 563 and 564:
Now, I’ll apply my policy map to
Page 565 and 566:
R1-PBX(config)#telephony-service s
Page 567 and 568:
Since this is a PBX, when you pick
Page 569 and 570:
R1-PBX(config)#voice-port 0/1/0 R1-
Page 571 and 572:
R1-PBX(config-ephone-dn)# call-forw
Page 573 and 574:
Phones are referenced by their MAC
Page 575 and 576:
Phone 2 ephone 2 description Lauren
Page 577 and 578:
This, by the way, is why I didn’t
Page 579 and 580:
Apologies are in order to all my in
Page 581 and 582:
5. Default dial peer 0 My examples
Page 583 and 584:
Figure 30-6. Two offices using SIP
Page 585 and 586:
Notice that the SIP servers are ref
Page 587 and 588:
If you’ve decided to actually app
Page 589 and 590:
peer’s match. My MWI dial peer is
Page 591 and 592:
Remember when I said I’d broken M
Page 593 and 594:
R1-PBX(config-dial-peer)# destinati
Page 595 and 596:
It’s also a great tool to use whe
Page 597 and 598:
*Feb 3 01:17:07.740: //-1/xxxxxxxxx
Page 599 and 600:
CHAPTER 31 Introduction to QoS Qual
Page 601 and 602:
1,500,000 bits per second. When the
Page 603 and 604:
In a nutshell, any traffic that can
Page 605 and 606:
IP precedence goes way back to the
Page 607 and 608:
Knowing that a value of 160 in the
Page 609 and 610:
Figure 31-7. Traffic policing versu
Page 611 and 612:
Figure 31-11. Too many bits in buff
Page 613 and 614:
Now, say someone else starts a simi
Page 615 and 616:
CHAPTER 32 Designing QoS Designing
Page 617 and 618:
• ---to be determined--- • Ever
Page 619 and 620:
WAN links should never be built wit
Page 621 and 622:
Call Manager, the voice gateways, a
Page 623 and 624:
On newer versions of IOS, you can s
Page 625 and 626:
I’ve made this mistake so you won
Page 627 and 628:
Service-policy output: Provider-Out
Page 629 and 630:
Figure 32-2. Frame Relay mismatched
Page 631 and 632:
Table 32-1. Traffic-shaping values
Page 633 and 634:
CHAPTER 33 The Congested Network A
Page 635 and 636:
The link is saturated, but only in
Page 637 and 638:
So, let’s take a look at the othe
Page 639:
Building B. In this case, the only
Page 642 and 643:
The service-policy statement maps t
Page 644 and 645:
interface# command. This command pr
Page 646 and 647:
Match: any Queueing Flow Based Fair
Page 648 and 649:
Now, let’s take another look at t
Page 650 and 651:
traffic, the other queues never get
Page 652 and 653:
Default Queue Too Small The size of
Page 654 and 655:
Requirements Documents One of the t
Page 656 and 657:
• Do all interfaces need to be gi
Page 658 and 659:
Figure 35-2. Core switch hardware d
Page 660 and 661:
Figure 35-5. IP address layout shee
Page 662 and 663:
Figure 35-7. Power and BTU values f
Page 664 and 665:
lax - Los Angeles 1 - It’s the fi
Page 666 and 667:
Figure 35-8. Typical three-tiered c
Page 668 and 669:
Figure 35-10. Collapsed-core networ
Page 670 and 671:
special applications residing on th
Page 672 and 673:
Remote management is often accompli
Page 674 and 675:
Figure 35-16. Matching last octet o
Page 676 and 677:
3. Private Address Space The Intern
Page 678 and 679:
Assuming Company B would like its e
Page 680 and 681:
Figure 36-3. Correct and incorrect
Page 682 and 683:
324578 network entries using 392739
Page 684 and 685:
Figure 36-5. Subnetting an existing
Page 686 and 687:
In the first edition of this book,
Page 688 and 689:
The exception to these rules for me
Page 690 and 691:
The second rule astounds many peopl
Page 692 and 693:
In practice, here’s what the Figu
Page 694 and 695:
Figure 36-16. Subnet worksheet step
Page 697 and 698:
CHAPTER 37 IPv6 You’ve no doubt h
Page 699 and 700:
Expanded addressing capabilities IP
Page 701 and 702:
Subnet Masks Masking IPv6 addresses
Page 703 and 704:
inet addr:192.168.1.200 Bcast:192.1
Page 705 and 706:
as much as perceived security throu
Page 707 and 708:
connect devices just by telling the
Page 709 and 710:
fascinating has happened. First, le
Page 711 and 712:
!!!!! Success rate is 100 percent (
Page 713 and 714:
tempted to write 0:0:0:0::0/0 to ma
Page 715 and 716:
CHAPTER 38 Network Time Protocol Th
Page 717 and 718:
NTP Design NTP is often not designe
Page 719 and 720:
To find publicly available Internet
Page 721 and 722:
loopfilter state is 'CTRL' (Normal
Page 723 and 724:
CHAPTER 39 Failures Outright failur
Page 725 and 726:
supervisor to get connectivity to t
Page 727 and 728:
identified as such as quickly as po
Page 729 and 730:
Isolate the Problem Problems are of
Page 731 and 732:
CHAPTER 40 GAD’s Maxims Over the
Page 733 and 734:
work to implement. The plan is perf
Page 735 and 736:
Long-term thinking is the only way
Page 737 and 738:
Equipment costs Hardware, cabling,
Page 739:
If, on the other hand, you know wha
Page 742 and 743:
experience. Networking professional
Page 744 and 745:
ecause that was what they understoo
Page 746 and 747:
I’ve had the pleasure of working
Page 748 and 749:
I once had a boss whose rule for th
Page 750 and 751:
experience.” My hope is that you
Page 752 and 753:
that causes the site to become unav
Page 754 and 755:
fact that you have friends indicate
Page 756 and 757:
Leadership and Mentoring In my expe
Page 758 and 759:
alarm indication signal (AIS), 366
Page 760 and 761:
call quality, VoIP and, 524 call-fo
Page 762 and 763:
functionality, 581 QoS and, 577 swi
Page 764 and 765:
VSL support, 256 VSS support, 240 E
Page 766 and 767:
group radius method, 454, 456 group
Page 768 and 769:
outer configuration, 679-688 subnet
Page 770 and 771:
CatOS versus IOS, 249-253 configuri
Page 772 and 773:
administrative distance, 107, 126 b
Page 774 and 775:
about, 573-577 Catalyst 3750 suppor
Page 776 and 777:
RTP streams, 524 RTR (Response Time
Page 778 and 779:
show spantree command, 92 show span
Page 780 and 781:
Cisco routers and, 207 defined, 11,
Page 782 and 783:
vlan command, 35 vlan database comm
Page 785:
About the Author Gary A. Donahue is
show all

Table of Contents

Create successful ePaper yourself

Table of Contents

Create successful ePaper yourself

Delete template?

Save as template?