Introduction to access-lists part 1

Today I would like to take some time and talk about security. I want to discuss access-lists, extended access-lists, reflexive access-lists, and CBAC or content based access control. Learning how to properly use access-lists is so crucial to becoming a good network administrator. They are vital to securing your network and as you progress with your studies you will find that access-lists are used quite extensively in routing, QoS, and other important things.

2008-10-15

Replace a running config without reloading

The new Cisco IOS 12.4 train has many new features that any engineer will find useful; one of the features that fixes a pain point for me is the new config options available in 12.4. Have you ever been in a situation where an entered configuration does not work as expected? Usually you have to back out the configuration one command at a time and hope for the best. Sometimes you may even reach a point where you cannot completely remove a configuration without reloading the device; this is sometimes the case when trying to remove sub-interfaces. If this is a data center or work environment, you may not be able to reload the router.

2008-10-04

Working a lot!

I have been working a lot lately; we are in the process of designing a new data center, with all the ifs, ands, and buts included in that ordeal. I am in the process of writing several write-ups:

  1. On spanning tree: “load balancing spanning tree using different trunks”
  2. BGP implementation and design considerations.
  3. IGP routing protocol deep dive.

2008-09-29

Encrypting GRE tunnels

In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and could be intercepted by unauthorized parties. In this article we are going to look at tunneling GRE inside of IPSEC. This will give us the benefits of GRE and the security of IPSEC.

2008-09-08

Create a GRE tunnel between endpoints

Many times it is necessary to link a remote office to your main site, and today we have many technologies to accomplish this task: IPSEC tunnels, IP-in-IP tunnels, and GRE (Generic Routing Encapsulation) tunnels.

Each type of connectivity offers advantages and disadvantages. Some of these tunnels can even be overlaid on top of one another; for instance, IPSEC can be used in transport mode, which allows you to use its encryption with other tunnels or protocols. For this article we are going to discuss GRE tunnels. GRE is unique as tunneling technologies go in that it started out as a proprietary protocol developed by Cisco and was later adopted as a standard. GRE was invented as a way of encapsulating non-routable protocols in IP, which is a routable protocol. In this way protocols such as multicast (this includes OSPF and EIGRP) and other protocols like IPX could be tunneled across routable links.

2008-09-08

Cisco 3750 Switches now include a time domain reflectometer!

How many times have you wanted to know how long a cable run is? If you are running Cisco 3750 switches you can find out by issuing the following commands:

Switch# test cable-diagnostics tdr interface gigabitethernet0/2
TDR test started on interface Gi0/2
A TDR test can take a few seconds to run on an interface. Use "show cable-diagnostics tdr" to read the TDR results.

Switch#show cable-diagnostics tdr interface gigabitEthernet 0/2
TDR test last run on: Dec 10 09:05:10

Interface Speed Local pair Pair length  Remote pair Pair status
--------- ----- ---------- ------------ ----------- -----------
Gi0/2     auto  Pair A     22 +/- 4 m   N/A         Open
                Pair B     21 +/- 4 m   N/A         Open
                Pair C     5 +/- 4 m    N/A         Open
                Pair D     20 +/- 4 m   N/A         Open

2008-09-08

Checkpoint -> Juniper VPN

Recently at work we had a remote site go down. The site was on an ancient PIX 506E VPN firewall router. We were in the process of switching to a different VPN solution, and because of this we had a new Juniper SSG20 firewall device on site.

Now I thought this would be an easy job: configure the Juniper to connect to our Checkpoint R55 box the same as the PIX had done before! Man, was I surprised to realize that the Juniper did not like the R55. The R55 sends proxy IDs through the tunnel for every device connecting. Now the interesting thing is that the R55 uses the supernet for the address requesting access through the VPN. On the Cisco PIX and ASA devices, this does not much matter. So for instance if you have 10.0.0.0/24, 172.16.2.0/23 and 192.168.0.0/24 on one side all trying to access a remote site through the Juniper, the Checkpoint sends the Juniper proxy IDs for each of those networks. Now like I said, the Cisco determines what traffic matches the tunnel with access-lists and doesn’t much care what the proxy ID says. The Juniper on the other hand does! If it sees a proxy ID for, say, a host that is not part of the tunnel, it will tear down the tunnel!

2008-09-04

Cisco 3640 and WIC-1ADSL speed problems

I recently decided to plug my WIC-1ADSL card into a 3640 router because my 2620 had a power supply failure. I noticed that the Cisco 3640 ran very slowly, and speed tests topped out at 2.6 Mbps downlink. For a while I couldn’t figure out why a router that is faster with more memory would run slower than my 2620. I later discovered that the slowness was due to a bandwidth limit on the NM-1FE1R2W card I was using to give me WIC slots.

2008-09-02

Video tutorial on IPV6

You can download or watch the full video at IPV6.

2008-05-15

liveplasma.com

I found a really cool site that displays related content visually: if, for instance, you type in an artist name like Pinback, it will show all related artists in a visual layout very similar to some of the visual displays for Digg.com.

2008-02-09