Just another Cisco blog
Posts tagged Tutorial
Cisco IOS Firewall Tutorial
Jan 25th
Awhile ago a friend asked me for a write up on IOS Firewall/CBAC. At the time I hadn’t felt like writing about it as I don’t use it much, but I recently had to configure it, so I thought I may as well take a break from Juniper posts and do the article.
The IOS Firewall uses CBAC (Context-Based Access Control) to inspect traffic flows at the upper layers. CBAC will inspect the outgoing traffic while maintaining stateful intformation for each session. It will then open pinholes in the firewall/incoming ACL to allow appropriate traffic back in. Something I forgot to point out, CBAC can be very CPU intensive, your traffic. Keep that in mind before and do some testing before deploying it on your network. Here’s the topology:
We have our router running IOS firewall, its WAN connection is on Fa0/1 out to the internet, and its LAN connection is on Fa0/0, which connects to some servers and workstations. Let’s configure the firewall:
Basic JUNOS Configuration
Jan 20th
Today we’ll go over a very basic JUNOS configuration, we will configure the hostname, user account, IP addresses and a default route. The purpose of this article is to provide a look and feel for JUNOS.
First let’s login and take care of the basics:
root> configure [edit] root# set system host-name Olive1 [edit] root# set system login user colby class super-user authentication plain-text-password New password: Retype new password: [edit] root# commit and-quit commit complete Exiting configuration mode |
This is a simple config, we enter configuration mode, we set the hostname of the router then we configure a user named “colby” in the “super-user” class. “Super-user” is a pre-defined class in JUNOS, this class has full control of the router.
Anyone familiar with IOS can see that this is pretty different. The commands all start with “set” and they can be quite a bit longer. Let’s take a look at the hierarchical view of what we just did:
system {
host-name Olive1;
login {
user colby {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$IKhmMCbo$XNAWMDS"; ## SECRET-DATA
}
}
}
} |
Definitely not what I’m used to, but not so bad. Now we’ll configure the same thing with multiple commands from the hierarchy:
Lock and Key ACLs
Jan 14th
A coworker recently came to me for help with an issue. We have a server sitting behind a router at one of our remote sites. Certain people need RDP access to this server, but we do not want it open to the world, this seems like an ideal scenario for Lock and Key access lists. Lock and Key ACLs are a way to permit temporary access to a resource. Static ACLs either allow or deny, they can create temporary openings to suit a specific need. In our example it will be a telnet server behind a router. Here’s the topology:
Here we see a host on one side of R1 (Fa0/0) and a server on the other side (Fa1/0). In this example we want very limited access to Telnet on that server. Here’s our config:
interface FastEthernet0/0 description To Host ip address 192.168.1.1 255.255.255.0 ip access-group Telnet in ! interface FastEthernet1/0 description To Server ip address 192.168.2.1 255.255.255.0 ! ip access-list extended Telnet dynamic allow_telnet permit tcp any host 192.168.2.2 eq telnet deny tcp any host 192.168.2.2 eq telnet permit ip any any ! username allow password 0 allow username allow autocommand access-enable host timeout 10 |
Private VLAN Tutorial
Jan 12th
Today we’ll go over Private VLANs (PVLANs) in Cisco IOS. PVLANs segregate VLANs even further than normal, they are basically VLANs inside of VLANs. The ports share a subnet, but can be prevented from communicating. They use different port types:
Promiscuous ports – These will be the “open ports” of the PVLANs, they can communicate with all other ports.
Community ports – These ports can communicate with other community ports and promiscuous ports.
Isolated ports – These can ONLY communicate with promiscuous ports.
There are different uses for PVLANs. They are used by service providers to allow customer security while sharing a single subnet. Another use could be for DMZ hosts in an enterprise environment. If one host is compromised its ability to inflict damage to the other hosts will be severely limited. That’s the scenario we’ll be using today. This is our topology:
