Saturday, June 8, 2013

Configure Netflow For Cisco Router Switch IOS - Example


The benefits we get when we enable the NetFlow feature are real-time monitoring of host behaviour and traffic analysis to identify threats, plus extensive network performance reports including top talkers, interface utilization, exporter tracking, etc. I have a screenshot for your clarification.
(Screenshot: NetFlow Collection on Cisco IOS)
Below is how to set it up step by step on a Cisco router or Cisco switch:
  • Enabling NetFlow
    Enter global configuration mode on the Cisco router or switch, and issue the following commands for each interface on which you want to enable NetFlow:
         #interface {interface} {interface_number}
         #ip route-cache flow
  • Enabling the export of these flows
    Enter global configuration mode on the Cisco router or switch, and issue the following commands using the IP address of your NetFlow collector and its configured listening port. UDP port 9995 is used in this example.
         # ip flow-export version 5
         # ip flow-export destination <ip_address> 9995
         # ip flow-export source Loopback0
  • Turning off NetFlow
    Issue the following commands in global configuration mode to stop exporting NetFlow data:
         #interface {interface} {interface_number}
         #no ip route-cache flow
    This disables NetFlow on the specified interface. Repeat the commands for each interface on which you need to disable NetFlow.
  • Diagnosis
    In enable mode you can see the current NetFlow configuration and state by looking at the output of:
         #sh ip flow export
         Shows the current NetFlow export configuration
         #show ip cache flow and #sh ip cache verbose flow
         These commands summarize the active flows and give an indication of how much NetFlow data the device is exporting

    Note: When access lists are used, all Cisco routers and switches must log failed network access attempts.
(Image: packet NetFlow analyzer)
A Sample Device Configuration
The following is a set of commands issued on a router to enable NetFlow version 5:
!
interface Loopback0
 ip address 172.30.203.253 255.255.255.255
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
!
!
interface FastEthernet0/1/0
 description LINE:USHQ-VzBPIP,SPEED:8000000,GOLDCAR:256k,DEST:VzB_PERouter
 bandwidth 8000
 ip address 172.30.0.86 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 load-interval 30
 duplex full
 speed 100
 no mop enabled
!
interface FastEthernet0/1/1
 description Local Network segment for THHQ
 ip address 172.30.0.86 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 172.30.46.195 9995
ip flow-export destination 172.30.46.71 2055
!
!
access-list 30 permit 172.30.46.195
access-list 30 permit 172.30.46.71
access-list 30 deny   any log
!
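To show what the collector listening on UDP 9995 actually receives from a configuration like the one above, here is an added example (not from the original post): a small Python NetFlow v5 decoder that unpacks the 24-byte header and 48-byte flow records, rejects truncated or wrong-version datagrams, and derives the top talkers and unanswered TCP SYN flows mentioned earlier as threat indicators. The datagram builder, the documentation-range addresses (192.0.2.x, 198.51.100.x) and all record values are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NetFlow v5 wire format, big-endian, as produced by 'ip flow-export version 5'.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
MAX_RECORDS = 30                          # v5 exporters send at most 30 flows per datagram
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one exported UDP datagram into flow records, refusing malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header announces {count} records but datagram is {len(datagram)} bytes")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            src_port=f[9], dst_port=f[10], protocol=f[13],
            packets=f[5], octets=f[6], tcp_flags=f[12]))
    return records


def top_talkers(records: List[FlowRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by total bytes sent (the 'top talkers' report)."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r.src] = totals.get(r.src, 0) + r.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def half_open_flows(records: List[FlowRecord]) -> List[FlowRecord]:
    """TCP flows in which only a SYN was seen and never an ACK: unanswered connection attempts."""
    return [r for r in records if r.protocol == 6 and r.tcp_flags & TCP_SYN and not r.tcp_flags & TCP_ACK]


def build_sample_datagram() -> bytes:
    """Constructed datagram with three flows, shaped like what the router above would export."""
    flows = [  # src, dst, sport, dport, proto, pkts, octets, tcp_flags (all constructed)
        ("192.0.2.10", "198.51.100.5", 52000, 443, 6, 10, 15000, TCP_SYN | TCP_ACK | 0x08),
        ("192.0.2.20", "198.51.100.53", 4000, 53, 17, 1, 80, 0),
        ("192.0.2.10", "198.51.100.7", 52001, 22, 6, 3, 180, TCP_SYN),
    ]
    header = struct.pack(HEADER_FMT, 5, len(flows), 360000, 1370000000, 0, 1000, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    b"\0\0\0\0", 1, 2, pk, oc, 350000, 359000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fl in flows)
    return header + body


if __name__ == "__main__":
    recs = parse_netflow_v5(build_sample_datagram())
    print("top talkers:", top_talkers(recs))
    print("half-open:", [(r.src, r.dst, r.dst_port) for r in half_open_flows(recs)])
```

In a real collector the bytes handed to parse_netflow_v5 come from a UDP socket bound to the port given in ip flow-export destination; the length and version checks matter there because anything on the network can send datagrams to that port.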
(Image: SolarWinds NetFlow Analyzer)

Monday, June 3, 2013

ACS group tacacs+ and RADIUS-LOGIN configuration example

TACACS+ consists of three services: authentication, authorization, and accounting. Authentication is the action of determining who the user is and whether he or she is allowed access to the switch. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage. TACACS+ is now also part of the new CCNA Security certification exam.

The configuration below was created to give you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.

Step 1: Create a backup local user account
INHQRL2-3845(config)# username dcth privilege 15 password datakrub!

Step 2: Enabling AAA
INHQRL2-3845(config)# aaa new-model

Step 3: Configuring the TACACS+ servers
INHQRL2-3845(config)# tacacs-server host 10.1.50.101 key cisco12345

Step 4: Define the AAA method lists
INHQRL2-3845(config)# aaa authentication login default group tacacs+ local
INHQRL2-3845(config)# aaa authorization exec default group tacacs+ local

Step 5: Enforcing AAA authentication on terminal lines
INHQRL2-3845(config)# line console 0
INHQRL2-3845(config-line)# login authentication default
INHQRL2-3845(config)# line vty 0 15
INHQRL2-3845(config-line)# login authentication default


The following snippets are from the TACACS+ authentication configuration on Cisco devices.
Example 1: Group tacacs+ enable
!
username dcth privilege 15 password datakrub!
!
enable secret g8:ugvl 
!
ip telnet source-interface lo 0
!
line con 0
password dcth!
login local
!
line vty 0 4
password dcth!
login local
!
!
!
aaa new-model
!
aaa authentication login vty group tacacs+ local
aaa authorization exec vty group tacacs+ none
aaa authorization commands 0 vty group tacacs+ local
aaa authorization commands 1 vty group tacacs+ local
aaa authorization commands 7 vty group tacacs+ local
aaa authorization commands 15 vty group tacacs+ local
!
aaa authentication login console group tacacs+ local
aaa authorization exec console group tacacs+ none
aaa authorization commands 1 console group tacacs+ local
aaa authorization commands 7 console group tacacs+ local
aaa authorization commands 15 console group tacacs+ local
!
aaa authentication enable default group tacacs+ enable
!
aaa accounting exec vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 7 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+
aaa accounting exec console start-stop group tacacs+
aaa accounting commands 1 console start-stop group tacacs+
aaa accounting commands 7 console start-stop group tacacs+
aaa accounting commands 15 console start-stop group tacacs+
!
aaa authorization console
aaa authorization config-commands
!
!
!
ip tacacs source-interface Loopback 0
!
!
tacacs-server host 10.1.50.101
tacacs-server key cisco12345
!
!
!
!
!
line con 0
 authorization exec console
 authorization commands 1 console
 authorization commands 7 console
 authorization commands 15 console
 accounting commands 1 console
 accounting commands 7 console
 accounting commands 15 console
 accounting exec console
 logging synchronous
 login authentication console
line vty 0 4
 authorization commands 1 vty
 authorization commands 7 vty
 authorization commands 15 vty
 authorization exec vty
 accounting commands 1 vty
 accounting commands 7 vty
 accounting commands 15 vty
 accounting exec vty
 logging synchronous
 login authentication vty
!
!
(Image: Cisco Secure ACS and Active Directory)
(Image: RADIUS and TACACS+ server)
Example 2: ACS group tacacs+  and RADIUS-LOGIN group enable
!
enable secret 5 $1$azKE$exucFBdjapkq2aspUIS7M0
!
aaa new-model
!
aaa authentication login ACS group tacacs+ enable
aaa authentication login RADIUS-LOGIN group radius
aaa authentication enable default group tacacs+ enable
aaa authentication ppp RADIUS-LOGIN group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACS group tacacs+ if-authenticated
aaa authorization commands 0 ACS group tacacs+ if-authenticated
aaa authorization commands 1 ACS group tacacs+ if-authenticated
aaa authorization commands 15 ACS group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 0 ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa accounting connection ACS start-stop group tacacs+
!
ip ssh source-interface Loopback0
!
ip tacacs source-interface Loopback0
!
access-list 20 permit 156.32.0.0 0.1.255.255
access-list 20 permit 156.34.0.0 0.7.255.255
access-list 20 permit 156.42.0.0 0.7.255.255
access-list 20 permit 156.50.0.0 0.3.255.255
access-list 20 permit 156.54.0.0 0.1.255.255
access-list 20 permit 156.56.0.0 0.0.255.255
access-list 20 permit 146.171.0.0 0.0.255.255
access-list 20 permit 149.65.0.0 0.0.255.255
access-list 20 permit 189.103.13.0 0.0.0.255
access-list 20 permit 156.52.71.192 0.0.0.63
access-list 20 permit 156.52.9.192 0.0.0.63
access-list 20 deny   any log
!
!
tacacs-server host 156.52.197.26
tacacs-server host 156.52.8.16
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 06031D344F4B1GG606041B08
!
!
line con 0
 access-class 20 in
 timeout login response 15
 password 7 040A3757062A1F7459160B1956035C57
 logging synchronous
 transport preferred none
 stopbits 1
line vty 0 4
 access-class 20 in
 timeout login response 15
 password 7 124839461B005F3E7A242A26773D7240
 logging synchronous
 transport preferred none
 transport input telnet
!
!
**********************************************************************************************
WARNING TO UNAUTHORIZED USERS:
This system is for use by authorized users only. Any individual using this system,
by such use, acknowledges and consents to the right of the company to monitor,
access, use, and disclose any information generated, received, or stored on the
systems, and waives any right of privacy or expectation of privacy on the part of
that individual in connection with his or her use of this system.
**********************************************************************************************
Username: boylaser
Enter PASSCODE: *


You can now configure the TACACS+ server for system authentication.
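As an added example (not part of the original post), the following Python script audits the kind of AAA configuration shown in Examples 1 and 2 for the mistakes that matter operationally: a login method list with no local or enable fallback (which locks administrators out when the TACACS+ server is unreachable), authorization lists that fall back to none, missing exec accounting, and vty lines that still accept telnet or carry no access-class. SAMPLE_CONFIG is a constructed excerpt shaped like Example 2, not the page's configuration verbatim, and the server address and key in it are placeholders.

```python
import re
from typing import Dict, List

# Constructed excerpt shaped like Example 2 above (not the page's configuration verbatim).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ACS group tacacs+ enable
aaa authentication login RADIUS-LOGIN group radius
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ if-authenticated
aaa authorization commands 15 ACS group tacacs+ if-authenticated
aaa accounting exec ACS start-stop group tacacs+
tacacs-server host 10.0.0.1
tacacs-server key 7 PLACEHOLDER-KEY
line con 0
 login authentication ACS
line vty 0 4
 access-class 20 in
 login authentication ACS
 transport input telnet
"""

# Methods that still work when every AAA server is unreachable.
FALLBACKS = {"local", "local-case", "enable", "line"}


def parse_methods(tokens: List[str]) -> List[str]:
    """Turn 'group tacacs+ enable' into ['group tacacs+', 'enable'] ('group' takes one argument)."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' section name to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_aaa(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model missing: the method lists below are not in effect")

    login_lists: Dict[str, List[str]] = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        login_lists[m.group(1)] = parse_methods(m.group(2).split())
    for name, methods in login_lists.items():
        if any(x.startswith("group ") for x in methods) and not FALLBACKS & set(methods):
            findings.append(f"login list {name}: no local/enable fallback after '{methods[0]}', "
                            "lockout if the server is unreachable")
        if "none" in methods:
            findings.append(f"login list {name}: 'none' allows login without authentication")

    for m in re.finditer(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$", config, re.M):
        if "none" in parse_methods(m.group(3).split()):
            findings.append(f"authorization {m.group(1)} list {m.group(2)}: falls back to 'none' "
                            "(unrestricted if the server is unreachable)")

    if not re.search(r"^aaa accounting exec ", config, re.M):
        findings.append("no exec accounting: sessions are not recorded on the AAA server")

    for name, body in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        login = [cmd for cmd in body if cmd.startswith("login authentication ")]
        if login:
            referenced = login[0].split()[2]
            if referenced != "default" and referenced not in login_lists:
                findings.append(f"line {name}: login authentication references undefined list {referenced}")
        elif "default" not in login_lists:
            findings.append(f"line {name}: no login authentication and no default list, relies on IOS defaults")
        if any(cmd.startswith("transport input") and "telnet" in cmd.split() for cmd in body):
            findings.append(f"line {name}: transport input allows telnet (credentials in cleartext), prefer ssh")
        if not any(cmd.startswith("access-class") for cmd in body):
            findings.append(f"line {name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the text of show running-config; the checks are deliberately conservative and only look at the lines that appear in the two examples above, so a clean result means those specific pitfalls are absent, not that the device is fully hardened.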

Sunday, June 2, 2013

Show interface link Catalyst 4500, 6500, 3750, 2960

The "show interfaces link" command is supported on the Catalyst 4500 Series only. It displays how long a cable has been disconnected from an interface, and you can add the "include" modifier with the keyword "weeks" (#sh int link | inc week) to list the ports that have been unused for weeks, so that more ports can be released for future connections.

As we know, this command is not supported on the Catalyst 6500, 3750 and 2960 series, but you can use "sh int | i ther|rial|link|Vlan|ast input" or "sh int gi 0/1 | inc ast input" instead, which show the down time (time since the last input and output) for each port. Here is an example:

Show interface link 6500, 3750, 2960
CN-CSW-A01#sh int | i ther|rial|link|Vlan|ast input
......
GigabitEthernet1/0/29 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f61d (bia d057.4c25.f61d)
  Last input never, output 00:00:01, output hang never
GigabitEthernet1/0/30 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f61e (bia d057.4c25.f61e)
  Last input never, output 00:00:00, output hang never
GigabitEthernet1/0/31 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f61f (bia d057.4c25.f61f)
  Last input never, output 00:00:04, output hang never
GigabitEthernet1/0/32 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f620 (bia d057.4c25.f620)
  Last input never, output 00:00:04, output hang never
GigabitEthernet1/0/33 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f621 (bia d057.4c25.f621)
  Last input never, output 00:00:09, output hang never
GigabitEthernet1/0/34 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f622 (bia d057.4c25.f622)
  Last input never, output 00:00:09, output hang never
GigabitEthernet1/0/35 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f623 (bia d057.4c25.f623)
  Last input 00:00:04, output 00:00:00, output hang never
GigabitEthernet1/0/36 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f624 (bia d057.4c25.f624)
  Last input 00:00:22, output 00:00:00, output hang never
GigabitEthernet1/0/37 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d057.4c25.f625 (bia d057.4c25.f625)
  Last input 00:00:18, output 00:00:00, output hang never

Command sh int gi 0/1 | inc ast input
CN-ASW-B02# sh int gi 0/1 | inc ast input
  Last input 18w3d, output 18w3d, output hang never
CN-ASW-B02# sh int gi 0/2 | inc ast input
  Last input 19w4d, output 19w4d, output hang never
CN-ASW-B02# sh int gi 0/3 | inc ast input
  Last input 8w0d, output 7w6d, output hang never
CN-ASW-B02# sh int gi 0/4 | inc ast input
  Last input 00:00:29, output 00:00:05, output hang never
CN-ASW-B02# sh int gi 0/5 | inc ast input
  Last input 18w3d, output 18w3d, output hang never
CN-ASW-B02# sh int gi 0/6 | inc ast input
  Last input 12w0d, output 12w0d, output hang never
CN-ASW-B02# sh int gi 0/7 | inc ast input
  Last input 1d01h, output 1d01h, output hang never
CN-ASW-B02# sh int gi 0/8 | inc ast input
  Last input 00:00:35, output 00:00:04, output hang never

You can now check the down time for each port with show interface link (or the equivalent show interface output), see when a port was last used, and plan future connections accordingly.
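Reading the "Last input" lines port by port is tedious on a 48-port switch, so here is an added example (not from the original post) in Python that parses both output forms shown above, converts IOS ages such as 18w3d, 1d01h, 00:00:29 and never into seconds, and lists the ports that have been idle longer than a threshold. The two sample outputs, the MAC addresses and the hostname SWITCH-A are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of 'sh int | i ther|rial|link|Vlan|ast input' output.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0000.0001 (bia 0000.0000.0001)
  Last input 18w3d, output 18w3d, output hang never
GigabitEthernet1/0/2 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0002 (bia 0000.0000.0002)
  Last input never, output never, output hang never
GigabitEthernet1/0/3 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0000.0003 (bia 0000.0000.0003)
  Last input 00:00:29, output 00:00:05, output hang never
GigabitEthernet1/0/4 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0000.0004 (bia 0000.0000.0004)
  Last input 1d01h, output 1d01h, output hang never
Vlan1 is administratively down, line protocol is down
  Hardware is EtherSVI, address is 0000.0000.0005 (bia 0000.0000.0005)
  Last input never, output never, output hang never
"""

# Constructed sample of the per-port form, 'sh int gi 0/N | inc ast input'.
SAMPLE_PER_PORT = """\
SWITCH-A# sh int gi 0/1 | inc ast input
  Last input 18w3d, output 18w3d, output hang never
SWITCH-A# sh int gi 0/4 | inc ast input
  Last input 00:00:29, output 00:00:05, output hang never
"""

UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600}


def parse_ios_age(text: str) -> Optional[int]:
    """Convert an IOS age ('00:00:29', '1d01h', '18w3d', '2y34w', 'never') to seconds.
    Returns None for 'never' (no traffic seen since the counters were cleared)."""
    if text == "never":
        return None
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", text)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    if not re.fullmatch(r"(\d+[ywdh])+", text):
        raise ValueError(f"unrecognised IOS age: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([ywdh])", text))


@dataclass
class PortActivity:
    interface: str
    state: str                  # 'up', 'down', 'administratively down', or '?' for the per-port form
    last_input: Optional[int]   # seconds; None means 'never'
    last_output: Optional[int]


IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is")
PROMPT_RE = re.compile(r"^\S+#\s*sh\w* int\w* (.+?) \|")   # 'HOST# sh int gi 0/1 | ...'
LAST_RE = re.compile(r"^\s*Last input (\S+), output (\S+), output hang")


def parse_show_interfaces(output: str) -> List[PortActivity]:
    """Parse either the filtered 'show interfaces' dump or a series of per-port commands."""
    ports: List[PortActivity] = []
    current, state = None, "?"
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current, state = m.group(1), m.group(2)
            continue
        m = PROMPT_RE.match(line)
        if m:
            current, state = m.group(1), "?"
            continue
        m = LAST_RE.match(line)
        if m and current:
            ports.append(PortActivity(current, state, parse_ios_age(m.group(1)), parse_ios_age(m.group(2))))
            current = None
    return ports


def idle_ports(ports: List[PortActivity], min_idle_seconds: int) -> List[PortActivity]:
    """Ports whose last input and last output are both older than the threshold (or never)."""
    def old(age: Optional[int]) -> bool:
        return age is None or age >= min_idle_seconds
    return [p for p in ports if old(p.last_input) and old(p.last_output)]


if __name__ == "__main__":
    for p in idle_ports(parse_show_interfaces(SAMPLE_SHOW_INTERFACES), 4 * 7 * 86400):
        print(p.interface, p.state, p.last_input, p.last_output)
```

The age counters reset when the switch reboots or the counters are cleared, so a candidate list from this script should be compared with the switch uptime before a port is declared free.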