Monday, 16 December 2013

IP ACCESS LISTS

 

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects or you can say for each rule we have two conditions and that is Permit or Deny.
Types of Access Lists
There are two categories of access lists: numbered and named.
Numbered Access Lists:-
Numbered access lists are broken down into several ranges, each dedicated
to a specific protocol:
1–99 IP standard access list
100-199 IP extended access list
200-299 Protocol type-code access list
300-399 DECnet access list
400-499 XNS standard access list
500-599 XNS extended access list
600-699 Appletalk access list
700-799 48-bit MAC address access list
800-899 IPX standard access list
900-999 IPX extended access list
1000-1099 IPX SAP access list
1100-1199 Extended 48-bit MAC address access list
1200-1299 IPX summary address access list
1300-1999 IP standard access list (expanded range)
2000-2699 IP extended access list
Named Access Lists:-
Named access lists provide a bit more flexibility. Descriptive names can be
used to identify your access-lists. Additionally, individual lines can be
removed from a named access-list. However, like numbered lists, all new
entries are still added to the bottom of the access list.
There are two common types of named access lists:
• IP standard named access lists
• IP extended named access lists
Standard IP Access List
access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to the destination network.
Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255 ( Just for an Example)
Router(config)# access-list 10 permit any
To apply Access Lists we have to configure the Access-Group on the Interface. Like wise we are taking the interface serial 0 as a refrence.
Router(config)# int s0
Router(config-if)# ip access-group 10 in
To view all IP access lists configured on the router:
Router# show ip access-list
To view what interface an access-list is configured on:
Router# show ip interface
Router# show running-config
Extended IP Access List
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard
mask] [destination address] [wildcard mask] [operator [port]] [log]
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any
*The above ip address is just taken for the example and dont have real environment existance.
The first line allows the 172.18.x.x network access only to port 80 on the web server. The second line blocks 172.18.x.x from accessing anything else on the 172.16.x.x network. The third line allows 172.18.x.x access to anything else.
To apply this access list, we would configure the following
Router(config)# int e0
Router(config-if)# ip access-group 101 in
Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host use the following syntax:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
We accomplished this using an operator of eq, which is short for equals. Thus, we are identifying host 172.16.10.10 with a port that equals 80. We can use several other operators for port numbers:
  • eq Matches a specific port
  • gt Matches all ports greater than the port specified
  • lt Matches all ports less than the port specified
  • neq Matches all ports except for the port specified
  • range Match a specific inclusive range of ports

ICMP Access List
The specific ICMP port that a “ping” uses is echo. To block specific ICMP parameters, use an extended IP access list. On Router B, we would configure:

Router(config)# access-list 102 deny icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 echo
Router(config)# access-list 102 permit icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 102 permit ip any any

The first line blocks only ICMP echo requests (pings). The second line allows all other ICMP traffic. The third line allows all other IP traffic.

To apply the access lists on other router, you need to configure the follwing as:-
Router(config)# int e0
Router(config-if)# ip access-group 102 in

Named Access-Lists will be cover in the Next Session.

Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/
Follow me on facebook : https://www.facebook.com/cisco.core
Posted by at 6 comments:
Labels:

Thursday, 12 December 2013

Load Balancer ( F5- BIG IP and Cisco ACE)

 

Hi Guys, today i discuss about one of the hot topics of the Networking Field named as " Load Balancers"
There are numbers of vendors who are working on the Load Balancer's in which one of the big player is Cisco. They launched there Load Balancer with the name of ACE. Another vendor for the same is F5. They launched it as BIG IP Load Balancer.

Load balancing is a crucial element to any network that is required to maintain high availability while gracefully handling sudden spikes in traffic. In the event of a sudden increase in traffic, the load balancers prevent the web, application, and database servers from becoming overloaded by distributing the traffic evenly across servers. If a web server fails, the load balancers will divert any traffic away from that server, maintaining the availability of your website and applications.

Load Balancer Type

Round Robin

Round Robin load balancing takes all incoming connections and routes them one at a time, server by server in an equally distributed fashion with each server taking turns. If you have two servers, incoming connections will alternate between the two. If you have 4 servers, connections will be routed to server 1, server 2, server 3, and then server 4 before beginning the cycle again.

Least Connect

Least Connect load balancing will route incoming connections to the server with the lowest load on it. Connections are sent to each server depending on the total number of concurrent sessions on the servers. If you have two servers, the first with 24 sessions running and the second with 12 sessions running, then incoming connections will be routed to server 2 until the ratio of connections changes.

Load Balancer Persistence

None

None is the default, determining routing only according to Load Balancer Type.

SSL Sticky

SSL Sticky will route all traffic for an SSL session to the same destination after the initial connection establishes the session. Note that this persistence only works for SSL traffic and load balancing for other types of traffic will not work when this is set.

Source Address

Source Address persistence will cause all traffic from a given source address to be routed to the same destination host after the initial connection.

You can study further the F5 load Balancer named as " BIG IP" as follows:-
F5 Load Balancer PDF

Another Load Balancer of the Cisco Named as ACE is as follows:
Cisco ACE Load Balancer Guide PDF
Posted by at No comments:

Subnetting Basics-1

A subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting.

The process of subnetting involves the separation of the network and subnet portion of an address from the host identifier. This is performed by a bitwise AND operation between the IP address and the (sub)network mask. The result yields the network address or prefix, and the remainder is the host identifier.

Determining the network prefix

An IPv4 network mask consists of 32 bits, a sequence of ones (1) followed by a block of 0s. The trailing block of zeros (0) designates that part as being the host identifier.
The following example shows the separation of the network prefix and the host identifier from an address (192.168.5.130) and its associated /24 network mask (255.255.255.0). The operation is visualized in a table using binary address formats.

Determining the network prefix

An IPv4 network mask consists of 32 bits, a sequence of ones (1) followed by a block of 0s. The trailing block of zeros (0) designates that part as being the host identifier.
The following example shows the separation of the network prefix and the host identifier from an address (192.168.5.130) and its associated /24 network mask (255.255.255.0). The operation is visualized in a table using binary address formats.
Binary formDot-decimal notation
IP address11000000.10101000.00000101.10000010192.168.5.130
Subnet mask11111111.11111111.11111111.00000000255.255.255.0
Network prefix11000000.10101000.00000101.00000000192.168.5.0
Host part00000000.00000000.00000000.100000100.0.0.130
The mathematical operation for calculating the network prefix is the bitwise AND of IP address and subnet mask. The result of the operation yields the network prefix 192.168.5.0 and the host number 130.

Subnetting

Subnetting is the process of designating some high-order bits from the host part and grouping them with the network mask to form the subnet mask. This divides a network into smaller subnets. The following diagram modifies the example by moving 2 bits from the host part to the subnet mask to form four smaller subnets one quarter the previous size:
Binary formDot-decimal notation
IP address11000000.10101000.00000101.10000010192.168.5.130
Subnet mask11111111.11111111.11111111.11000000255.255.255.192
Network prefix11000000.10101000.00000101.10000000192.168.5.128
Host part00000000.00000000.00000000.000000100.0.0.2
Prefix sizeNetwork maskAvailable
subnets		Usable hosts
per subnet		Total
usable hosts
/24255.255.255.01254254
/25255.255.255.1282126252
/26255.255.255.192462248
/27255.255.255.224830240
/28255.255.255.2401614224
/29255.255.255.248326192
/30255.255.255.252642128
/31255.255.255.2541282 *256
 
 
Posted by at No comments:
Labels:

Tuesday, 10 December 2013

CCNA Stuff

LECTT
Cisco.Networking.Academy.Program( FLASH CARDS)


CCNA Reference Texts



Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/

* All the data showing above is from the Internet and no file is hosted there on the Blogs. Please share if any of the link is showing error or not Opening.
Posted by at 10 comments:
Labels:

Simulators

Download

Mac OS X

Linux

 
Posted by at No comments:

CISCO IOS IMAGES and Shortcuts

Posted by at 1 comment:

Monday, 9 December 2013

Floating Static route

A floating static route is a static route with an administrative distance higher than that of the routing protocol in use. In this way, the floating static route will only appear in the routing table if the dynamically learned route is lost.

Actually it is a backup for the Dynamic routing protocol route.

To change the Administrative Distance of a static route to 250:

RouterA(config)# ip route 172.18.0.0 255.255.0.0 172.17.1.2 250

Static routes will only remain in the routing table as long as the interface connecting to the next-hop router is up. To ensure a static route remains permantly in the routing table, even if the next-hop interface is down:

RouterA(config)# ip route 172.18.0.0 255.255.0.0 172.17.1.2 permanent

Static routes can additionally be used to discard traffic to specific networks, by directing that traffic to a virtual null interface:

RouterA(config)# ip route 10.0.0.0 255.0.0.0 null0

For Further Studies please check the following Links:-

Basic Video to understand the Floating Static route further, Please visit the Following Youtube Link
http://www.youtube.com/watch?v=jNN4Xt59pJ8

Showing Floating Static route in a Design
http://mp3king.froggypwns.com/Tcm%20266%20Hassan%20Marzouk/Lab%20manual/Pdf/Lab%203%5B1%5D.6.4.pdf

Sample Configuration PDF's
http://www.cisco.com/image/gif/paws/10212/5.pdf


Please let me know if there is any other query regarding the Floating static route we will have a discussion on the same.
Visit Official Facebook Page:- https://www.facebook.com/Networksbaseline
Discussion Group:- https://www.facebook.com/groups/networksbaseline/

Thanks/Admin
Posted by at 1 comment:
Labels:
Subscribe to: Posts (Atom)