Just another Cisco blog
Archive for January, 2010
Lock and Key ACLs
Jan 14th
A coworker recently came to me for help with an issue. We have a server sitting behind a router at one of our remote sites. Certain people need RDP access to this server, but we do not want it open to the world, this seems like an ideal scenario for Lock and Key access lists. Lock and Key ACLs are a way to permit temporary access to a resource. Static ACLs either allow or deny, they can create temporary openings to suit a specific need. In our example it will be a telnet server behind a router. Here’s the topology:
Here we see a host on one side of R1 (Fa0/0) and a server on the other side (Fa1/0). In this example we want very limited access to Telnet on that server. Here’s our config:
interface FastEthernet0/0 description To Host ip address 192.168.1.1 255.255.255.0 ip access-group Telnet in ! interface FastEthernet1/0 description To Server ip address 192.168.2.1 255.255.255.0 ! ip access-list extended Telnet dynamic allow_telnet permit tcp any host 192.168.2.2 eq telnet deny tcp any host 192.168.2.2 eq telnet permit ip any any ! username allow password 0 allow username allow autocommand access-enable host timeout 10 |
Private VLAN Tutorial
Jan 12th
Today we’ll go over Private VLANs (PVLANs) in Cisco IOS. PVLANs segregate VLANs even further than normal, they are basically VLANs inside of VLANs. The ports share a subnet, but can be prevented from communicating. They use different port types:
Promiscuous ports – These will be the “open ports” of the PVLANs, they can communicate with all other ports.
Community ports – These ports can communicate with other community ports and promiscuous ports.
Isolated ports – These can ONLY communicate with promiscuous ports.
There are different uses for PVLANs. They are used by service providers to allow customer security while sharing a single subnet. Another use could be for DMZ hosts in an enterprise environment. If one host is compromised its ability to inflict damage to the other hosts will be severely limited. That’s the scenario we’ll be using today. This is our topology:
Playing With EEM
Jan 5th
Yesterday someone asked me how to periodically save the running config using an EEM (Embedded Event Manager) applet. I’d never used EEM before (I’m terrified of code), but I decided to do some research to see how it could be done. It was surprisingly easy. Here’s what EEM is according to Cisco:
Embedded Event Manager (EEM) is a powerful and flexible subsystem in Cisco IOS that provides real-time network event detection and onboard automation. Using EEM, customers can adapt the behavior of their network devices to align with their business needs.
This applet was needed so the work done by his helpdesk team would be written to the config. They are given very limited access and are unable to execute the “wr” command. The first thing I gave him was this:
event manager applet WR_CONFIG event syslog pattern ".*%SYS-5-CONFIG_I.*" action 1.1 cli command "enable" action 1.2 cli command "wr" action 1.3 syslog msg "Config changed by user, new config has been written" |
Useful IOS Commands
Jan 4th
My “Show Run Variations” post sparked an interesting thread on Networking-Forum. I thought it would be nice to make a post with as many useful/little known commands as I can find. I might make a separate page for this depending on how much I can come up with and how frequently updates would be needed. Here we go:
show ip nbar protocol-discovery stats bit-rate top-n 10 |
This command will show you the top 10 protocols (that NBAR can see) on your router. I use this in an alias called “traffic”. You will also need “ip nbar protocol-discovery” enabled on interfaces you want to see statistics for.
show processes cpu sort |
This command will show the sorted CPU usage of all processes running on the router. You could also use “show proc cpu history” to see some ASCII graphs of CPU utilization.
reload in 5 |
Recent Comments