Monday 16 December 2013

IP ACCESS LISTS

 

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects or you can say for each rule we have two conditions and that is Permit or Deny.
Types of Access Lists
There are two categories of access lists: numbered and named.
Numbered Access Lists:-
Numbered access lists are broken down into several ranges, each dedicated
to a specific protocol:
1–99 IP standard access list
100-199 IP extended access list
200-299 Protocol type-code access list
300-399 DECnet access list
400-499 XNS standard access list
500-599 XNS extended access list
600-699 Appletalk access list
700-799 48-bit MAC address access list
800-899 IPX standard access list
900-999 IPX extended access list
1000-1099 IPX SAP access list
1100-1199 Extended 48-bit MAC address access list
1200-1299 IPX summary address access list
1300-1999 IP standard access list (expanded range)
2000-2699 IP extended access list
Named Access Lists:-
Named access lists provide a bit more flexibility. Descriptive names can be
used to identify your access-lists. Additionally, individual lines can be
removed from a named access-list. However, like numbered lists, all new
entries are still added to the bottom of the access list.
There are two common types of named access lists:
• IP standard named access lists
• IP extended named access lists
Standard IP Access List
access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to the destination network.
Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255 ( Just for an Example)
Router(config)# access-list 10 permit any
To apply Access Lists we have to configure the Access-Group on the Interface. Like wise we are taking the interface serial 0 as a refrence.
Router(config)# int s0
Router(config-if)# ip access-group 10 in
To view all IP access lists configured on the router:
Router# show ip access-list
To view what interface an access-list is configured on:
Router# show ip interface
Router# show running-config
Extended IP Access List
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard
mask] [destination address] [wildcard mask] [operator [port]] [log]
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any
*The above ip address is just taken for the example and dont have real environment existance.
The first line allows the 172.18.x.x network access only to port 80 on the web server. The second line blocks 172.18.x.x from accessing anything else on the 172.16.x.x network. The third line allows 172.18.x.x access to anything else.
To apply this access list, we would configure the following
Router(config)# int e0
Router(config-if)# ip access-group 101 in
Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host use the following syntax:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
We accomplished this using an operator of eq, which is short for equals. Thus, we are identifying host 172.16.10.10 with a port that equals 80. We can use several other operators for port numbers:
  • eq Matches a specific port
  • gt Matches all ports greater than the port specified
  • lt Matches all ports less than the port specified
  • neq Matches all ports except for the port specified
  • range Match a specific inclusive range of ports

ICMP Access List
The specific ICMP port that a “ping” uses is echo. To block specific ICMP parameters, use an extended IP access list. On Router B, we would configure:

Router(config)# access-list 102 deny icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 echo
Router(config)# access-list 102 permit icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 102 permit ip any any

The first line blocks only ICMP echo requests (pings). The second line allows all other ICMP traffic. The third line allows all other IP traffic.

To apply the access lists on other router, you need to configure the follwing as:-
Router(config)# int e0
Router(config-if)# ip access-group 102 in

Named Access-Lists will be cover in the Next Session.

Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/
Follow me on facebook : https://www.facebook.com/cisco.core
Posted by at 6 comments:
Labels:

Thursday 12 December 2013

Load Balancer ( F5- BIG IP and Cisco ACE)

 

Hi Guys, today i discuss about one of the hot topics of the Networking Field named as " Load Balancers"
There are numbers of vendors who are working on the Load Balancer's in which one of the big player is Cisco. They launched there Load Balancer with the name of ACE. Another vendor for the same is F5. They launched it as BIG IP Load Balancer.

Load balancing is a crucial element to any network that is required to maintain high availability while gracefully handling sudden spikes in traffic. In the event of a sudden increase in traffic, the load balancers prevent the web, application, and database servers from becoming overloaded by distributing the traffic evenly across servers. If a web server fails, the load balancers will divert any traffic away from that server, maintaining the availability of your website and applications.

Load Balancer Type

Round Robin

Round Robin load balancing takes all incoming connections and routes them one at a time, server by server in an equally distributed fashion with each server taking turns. If you have two servers, incoming connections will alternate between the two. If you have 4 servers, connections will be routed to server 1, server 2, server 3, and then server 4 before beginning the cycle again.

Least Connect

Least Connect load balancing will route incoming connections to the server with the lowest load on it. Connections are sent to each server depending on the total number of concurrent sessions on the servers. If you have two servers, the first with 24 sessions running and the second with 12 sessions running, then incoming connections will be routed to server 2 until the ratio of connections changes.

Load Balancer Persistence

None

None is the default, determining routing only according to Load Balancer Type.

SSL Sticky

SSL Sticky will route all traffic for an SSL session to the same destination after the initial connection establishes the session. Note that this persistence only works for SSL traffic and load balancing for other types of traffic will not work when this is set.

Source Address

Source Address persistence will cause all traffic from a given source address to be routed to the same destination host after the initial connection.

You can study further the F5 load Balancer named as " BIG IP" as follows:-
F5 Load Balancer PDF

Another Load Balancer of the Cisco Named as ACE is as follows:
Cisco ACE Load Balancer Guide PDF
Posted by at No comments:

Subnetting Basics-1

A subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting.

The process of subnetting involves the separation of the network and subnet portion of an address from the host identifier. This is performed by a bitwise AND operation between the IP address and the (sub)network mask. The result yields the network address or prefix, and the remainder is the host identifier.

Determining the network prefix

An IPv4 network mask consists of 32 bits, a sequence of ones (1) followed by a block of 0s. The trailing block of zeros (0) designates that part as being the host identifier.
The following example shows the separation of the network prefix and the host identifier from an address (192.168.5.130) and its associated /24 network mask (255.255.255.0). The operation is visualized in a table using binary address formats.

Determining the network prefix

An IPv4 network mask consists of 32 bits, a sequence of ones (1) followed by a block of 0s. The trailing block of zeros (0) designates that part as being the host identifier.
The following example shows the separation of the network prefix and the host identifier from an address (192.168.5.130) and its associated /24 network mask (255.255.255.0). The operation is visualized in a table using binary address formats.
Binary formDot-decimal notation
IP address11000000.10101000.00000101.10000010192.168.5.130
Subnet mask11111111.11111111.11111111.00000000255.255.255.0
Network prefix11000000.10101000.00000101.00000000192.168.5.0
Host part00000000.00000000.00000000.100000100.0.0.130
The mathematical operation for calculating the network prefix is the bitwise AND of IP address and subnet mask. The result of the operation yields the network prefix 192.168.5.0 and the host number 130.

Subnetting

Subnetting is the process of designating some high-order bits from the host part and grouping them with the network mask to form the subnet mask. This divides a network into smaller subnets. The following diagram modifies the example by moving 2 bits from the host part to the subnet mask to form four smaller subnets one quarter the previous size:
Binary formDot-decimal notation
IP address11000000.10101000.00000101.10000010192.168.5.130
Subnet mask11111111.11111111.11111111.11000000255.255.255.192
Network prefix11000000.10101000.00000101.10000000192.168.5.128
Host part00000000.00000000.00000000.000000100.0.0.2
Prefix sizeNetwork maskAvailable
subnets		Usable hosts
per subnet		Total
usable hosts
/24255.255.255.01254254
/25255.255.255.1282126252
/26255.255.255.192462248
/27255.255.255.224830240
/28255.255.255.2401614224
/29255.255.255.248326192
/30255.255.255.252642128
/31255.255.255.2541282 *256
 
 
Posted by at No comments:
Labels:

Tuesday 10 December 2013

CCNA Stuff

LECTT
Cisco.Networking.Academy.Program( FLASH CARDS)


CCNA Reference Texts



Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/

* All the data showing above is from the Internet and no file is hosted there on the Blogs. Please share if any of the link is showing error or not Opening.
Posted by at 10 comments:
Labels:

Simulators

Download

Mac OS X

Linux

 
Posted by at No comments:

CISCO IOS IMAGES and Shortcuts

Posted by at 1 comment:

Monday 9 December 2013

Floating Static route

A floating static route is a static route with an administrative distance higher than that of the routing protocol in use. In this way, the floating static route will only appear in the routing table if the dynamically learned route is lost.

Actually it is a backup for the Dynamic routing protocol route.

To change the Administrative Distance of a static route to 250:

RouterA(config)# ip route 172.18.0.0 255.255.0.0 172.17.1.2 250

Static routes will only remain in the routing table as long as the interface connecting to the next-hop router is up. To ensure a static route remains permantly in the routing table, even if the next-hop interface is down:

RouterA(config)# ip route 172.18.0.0 255.255.0.0 172.17.1.2 permanent

Static routes can additionally be used to discard traffic to specific networks, by directing that traffic to a virtual null interface:

RouterA(config)# ip route 10.0.0.0 255.0.0.0 null0

For Further Studies please check the following Links:-

Basic Video to understand the Floating Static route further, Please visit the Following Youtube Link
http://www.youtube.com/watch?v=jNN4Xt59pJ8

Showing Floating Static route in a Design
http://mp3king.froggypwns.com/Tcm%20266%20Hassan%20Marzouk/Lab%20manual/Pdf/Lab%203%5B1%5D.6.4.pdf

Sample Configuration PDF's
http://www.cisco.com/image/gif/paws/10212/5.pdf


Please let me know if there is any other query regarding the Floating static route we will have a discussion on the same.
Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/

Thanks/Admin
Posted by at 1 comment:
Labels:

Static Route

What is Static route and how it is configured ??

Hello Everybody, We are discussing about the Staic route and routing and here is the topic called "What is Static route and how it is Configured?"

Let's start with the Static route

Static route
Manually Configured route from Source to destination is called Static routing.

Uses of Static route
Static routing can be used to define an exit point from a router when no other routes are avaliable or necessary. This is called a default route
Static routing can be used for small networks that require only one or two routes. This is often more efficient since a link is not being wasted by exchanging dynamic routing information.
Static routing is often used in complementary with dynamic routing to provide a failsafe backup in the event that a dynamic route is unavaliable.
Static routing is often used to help transfer routing information from one routing protocol to another (routing redistribution).
 
Configuring Static route with Example
To configure a static route to network 10.10.20.0/24, pointing to a next-hop router with the IP address of 192.168.100.1, type: (Note that this example is written in the Cisco IOS command line syntax and will only work on certain Cisco routers)

WAY-1
Destination network10.10.20.0
subnet255.255.255.0
next-hop192.168.100.1
Router(config)# ip route 10.10.20.0 255.255.255.0 192.168.100.1

WAY-2
The other option is to define a static route with reference to the outgoing interface which is connected to the next hop towards the destination network.
Destination network10.10.20.0
subnet255.255.255.0
next-hopSerial interface 0/0 (local exit)
Router(config)# ip route 10.10.20.0 255.255.255.0 Serial 0/0

Hope it clears a little bit about static routing. We will further discuss on the same.


Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/

Thanks/Admin
Posted by at 2 comments:
Labels:

Static Routing ( with Exit Interface or with Next Hop IP Address)

Hello Everybody,

This is one of the Intersting topic and need to understand the Concept of Static routing with Exit Interface and with Next hop IP address.

Let's Start with the two cases we are taking as below:-

1) If you configured static route pointed to next hop IP address, for every destination forwarding router requires only L2 address of next hop IP address to rewrite the L2 frame.
Example: ip route 2.2.2.0 255.255.255.0 10.1.1.2
For routing packet to destination address 2.2.2.2, router requires L2 mac address of 10.1.1.2.

2) If you configured static route point to outgoing interface, forwarding router assume destination address is directly connected to that interface and router will try to find the L2 address of the destination by sending ARP request out of the interface to the destination address in case of Ethernet or looking for a static/dynamic map entry in the mapping table in case of frame-relay.
Example: ip route 2.2.2.0 255.255.255.0 fa0/0
For routing packet to the destination address 2.2.2.2, router assumes host 2.2.2.2 is directly connected to the interface fa0/0 and it requires L2 mac address for 2.2.2.2.

In general, interfaces can be point to point or multi-point. The above mentioned conditions work differently in scenarios of Point to point and multipoint interface.

In point to point interface, by definition two devices are directly connected, so in case if you configure static route pointing to outgoing interface or next hop IP address does not make a difference, router uses L2 address of next hop IP address of interface for routing packet to every destination address.

In multipoint interface, by definition interface can have multiple devices connected to it. So as mention above in point number two, if you configure static route point to next-hop, router need L3 to L2 resolution for each destination prefixes. Ethernet is an example of multi-point interfaces whereas Frame-relay and ATM can be multi-point interface or point to point depending on the configuration.

Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)