Internetworks offers a comprehensive collection of articles and tutorials on computer networks, covering basic to advanced concepts such as the data link layer, network layer, network security, and more. It is a great starting point for beginners and a useful reference for advanced learners.
by Edgar C Francis
EtherChannel bundles multiple physical links into one logical link. It is used to increase bandwidth and provide redundancy between Layer 2 or Layer 3 interfaces. A Layer 2 EtherChannel operates at the data link layer; a Layer 3 EtherChannel operates at the network layer, carries an IP address of its own and can therefore route traffic. EtherChannel load-balances traffic across all links in the bundle. A bundle can contain up to 8 active physical interfaces, and all members must have the same speed, duplex and configuration.
Note: for a Layer 3 port-channel, configure no switchport on the member ports before the channel-group command. If no switchport is missing, the port-channel is created as the default Layer 2 channel and cannot be converted afterwards; you would have to delete the port-channel interface and create it again. Configure no switchport first to avoid this.
Let's see the configuration of Layer 3 EtherChannel:
Topology:
Goal: configure a Layer 3 port-channel and verify it with show commands, then configure routing and verify with ping.
configure the topology as per the diagram
configure the IP addresses as per the topology
configure the port-channel
verify the port-channel
configure EIGRP routing
configure an IP address on VLAN 1
verify with show commands
ping
IOU1(config)#interface range ethernet 0/0-3
IOU1(config-if-range)#no switchport
IOU1(config-if-range)#channel-group 10 mode on
Creating a port-channel interface Port-channel 10
IOU1(config-if-range)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel10, changed state to up
IOU1#show etherchannel port-channel
                Channel-group listing:
                ----------------------
Group: 10
----------
                Port-channels in the group:
                ---------------------------
Port-channel: Po10
------------
Age of the Port-channel   = 0d:00h:29m:12s
Logical slot/port   = 16/0          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Passive port list   = Et0/0 Et0/1 Et0/2 Et0/3
Port state          = Port-channel L3-Ag Ag-Inuse
Protocol            =    -
Port security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Et0/0    On                 0
  0     00     Et0/1    On                 0
  0     00     Et0/2    On                 0
  0     00     Et0/3    On                 0

Time since last port bundled:    0d:00h:29m:12s    Et0/3
IOU2#show etherchannel
                Channel-group listing:
                ----------------------
Group: 10
----------
Group state = L3
Ports: 4   Maxports = 4
Port-channels: 1 Max Port-channels = 1
Protocol:    -
Minimum Links: 0
%LINK-3-UPDOWN: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
IOU2#ping 10.1.1.1 source 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
IOU2#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.1 1 msec 5 msec 0 msec
High-Level Data Link Control (HDLC) is a WAN encapsulation for serial links. HDLC itself is an ISO standard, but Cisco's implementation adds a proprietary protocol-type field, so Cisco HDLC does not interoperate with other vendors' HDLC. It provides framing and CRC error detection for data frames over a point-to-point link, but unlike PPP it offers no authentication. HDLC is the default encapsulation on Cisco serial interfaces.
Point-to-Point Protocol (PPP, RFC 1661) is used on serial links and also carries traffic over Ethernet (PPPoE), Frame Relay and ATM (PPPoA). PPP is an open standard that supports authentication (PAP and CHAP), compression and error detection (a frame check sequence in every frame; it detects but does not correct errors). PPP is not enabled by default; we need to configure encapsulation ppp on the serial interface at both ends of the link.
Password Authentication Protocol (PAP) is the simplest method for a remote node to establish its identity: a two-way handshake in which the peer sends its username and password and the authenticator answers with Authenticate-Ack or Authenticate-Nak. PAP runs only once, at initial link establishment. It is not a strong authentication method because the username and password cross the link in clear text, so anyone capturing the link can read them, and PAP offers no protection against replay attacks. PAP is supported by almost every network product on the market today, which is the main reason it is still seen.
Challenge Handshake Authentication Protocol (CHAP, RFC 1994) verifies the identity of the peer with a three-way handshake based on a one-way MD5 hash; it is not encryption, and the password itself never crosses the link. Once the PPP link establishment phase is complete, the local router sends a challenge message (a random value plus an identifier) to the remote node. The remote node replies with the MD5 hash of the identifier, its secret and the challenge. The local router computes the same hash from its own copy of the secret and compares it with the response. The username travels in clear text; the secret does not. Because every challenge is different, a captured response is useless later, which is CHAP's replay protection, and the authenticator can repeat the challenge at any time during the session. The cost is that both routers must hold the CHAP secret in plaintext (the username command on each side), and MD5 is weak, so the link should still be treated as untrusted.
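The handshake just described and the PAP contrast, as an added example in Python (not code from the original page or from Cisco): a small CHAP authenticator that issues random challenges and checks the MD5(identifier || secret || challenge) response per RFC 1994, a replay attempt against it, and the PAP Authenticate-Request payload for comparison. The secret labsecret, the peer name and the password cisco123 are made-up lab values.

```python
import hashlib
import hmac
import os

# Constructed lab secret (not from the page). On IOS the same string would be
# configured on both routers with "username <peer-hostname> password <secret>";
# CHAP needs it in plaintext on both ends, because each side recomputes the MD5.
SECRET = b"labsecret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The authenticating router: hands out a fresh challenge and checks the reply."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) we are waiting on

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)  # unpredictable and never reused
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False  # nothing pending, or a stale identifier
        expected = chap_response(identifier, self.secret, self.outstanding[1])
        self.outstanding = None  # each challenge accepts exactly one answer
        return hmac.compare_digest(expected, response)


def run_chap_exchange(peer_secret: bytes) -> bool:
    """Challenge -> Response -> Success/Failure, the peer holding peer_secret."""
    authenticator = ChapAuthenticator(SECRET)
    ident, chal = authenticator.challenge()
    response = chap_response(ident, peer_secret, chal)  # computed by the peer
    return authenticator.verify(ident, response)


def replay_captured_response() -> bool:
    """An eavesdropper records one valid Response and replays it at the next link-up."""
    authenticator = ChapAuthenticator(SECRET)
    ident, chal = authenticator.challenge()
    captured = chap_response(ident, SECRET, chal)
    authenticator.verify(ident, captured)  # the legitimate peer authenticates
    ident2, _ = authenticator.challenge()  # new identifier and new random challenge
    return authenticator.verify(ident2, captured)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): both fields travel in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


if __name__ == "__main__":
    print("CHAP, correct secret:", run_chap_exchange(SECRET))
    print("CHAP, wrong secret:  ", run_chap_exchange(b"wrong"))
    print("CHAP, replayed:      ", replay_captured_response())
    print("PAP on the wire:     ", pap_authenticate_request(b"Site-A-R", b"cisco123"))
```

The PAP payload contains the password verbatim, which is what a sniffer on the serial link sees; the CHAP response reveals only a hash that is bound to a challenge the attacker cannot force the router to reuse.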
Goal: first we configure CHAP authentication between Router-1 and Router-2, then PAP between Router-2 and Router-3. In addition, we configure routing between the routers.
Configure the topology as per the diagram
Configure the IP addresses as per the topology
Make sure the interfaces and the line protocol are up (HDLC is the default encapsulation)
Configure PPP on serial 5/0
Configure CHAP authentication between Router-1 and Router-2 on serial link 5/0
Verify with show commands before and after applying CHAP
Configure PAP authentication between Router-2 and Router-3
Verify with show commands before and after
*Aug 28 17:44:41.883: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial5/1) is up: new adjacency
Site-A-R-#show ip interface brief
Interface          IP-Address      OK? Method Status   Protocol
FastEthernet0/0    10.1.1.1        YES manual up       up
Serial5/0          192.168.1.1     YES manual up       up
Headoffice-R-#show ip interface brief
Interface          IP-Address      OK? Method Status   Protocol
Serial5/0          192.168.1.2     YES manual up       up
Serial5/1          192.168.2.1     YES manual up       up
Site-A-R-#show interfaces serial 5/0
Serial5/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
*Aug 28 17:52:18.371: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial5/0) is down: interface down
*Aug 28 17:52:21.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to down
*Aug 28 17:54:43.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to up
*Aug 28 17:54:44.035: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial5/0) is up: new adjacency
Headoffice-R-(config)#interface serial 5/0
Headoffice-R-(config-if)#encapsulation ppp
Headoffice-R-(config-if)#ppp authentication chap
Headoffice-R-(config-if)#exit
*Aug 28 17:53:15.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to up
*Aug 28 17:53:16.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial5/0) is up: new adjacency
Site-A-R-#show interface serial 5/0
Serial5/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:02:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     179 packets input, 5542 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     177 packets output, 4729 bytes, 0 underruns
     0 output errors, 0 collisions, 30 interface resets
     0 output buffer failures, 0 output buffers swapped out
     30 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
How to configure the DHCP server on a Cisco ASA device?
A DHCP (Dynamic Host Configuration Protocol) server hands out the basic settings a client needs to operate on the network: an IP address and subnet mask, the default gateway, DNS server addresses, the lease time and other options.
In this blog, we configure the Cisco ASA firewall to act as a DHCP server. DHCP simplifies IP address assignment in your network. In this scenario we set up the ASA to provide IP addresses to the internal LANs using different DHCP scopes, one per inside interface.
Let's see the configuration:
Topology:
configure the topology as per the diagram
configure the IP addresses on the ASA and the interface security levels
configure the DHCP server on the ASA
verify the configuration with show commands and ping.
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
A management VLAN is the VLAN used to manage and monitor network devices (routers, switches and others) from a remote location with protocols such as Telnet, SSH, SNMP and syslog. Its purpose is to designate one VLAN for configuration and monitoring traffic only. By default the management VLAN is VLAN 1, but you can use any VLAN. Cisco recommends not using VLAN 1 and not using any VLAN that carries user data traffic, because VLAN 1 is the default VLAN of every access port and of untagged trunk traffic, so leaving management there exposes the management interface to every host. Once you move management to a dedicated VLAN, data-plane traffic and management traffic are isolated: this reduces interference and lets you restrict access to the management traffic alone, for example with an access list on the vty lines.
Let's see the configuration for better understanding.
A Cisco ASA firewall is the barrier between the LAN and WAN (trusted and untrusted networks). We place it in the forwarding path of the network so that every packet has to be checked by the firewall.
The Cisco ASA offers several ways to connect and manage it. An administrative user can access the ASA with Telnet, Secure Shell (SSH), or ASDM (over HTTPS).
The Cisco ASA supports in-band management and out-of-band management.
In-band management: the ASA is managed over the same data network that carries regular user traffic. Telnet, SSH or HTTPS sessions use the same interfaces that handle user traffic, so the data plane and the management plane share one transit path. The management session can arrive on any data interface (Fast Ethernet, Gigabit Ethernet, a serial or a loopback interface) but not on the dedicated management interface.
This kind of topology has advantages and disadvantages. It is easy to configure because it reuses the existing network infrastructure and needs no separate management interface. The disadvantages are the security risk of exposing the management plane to the data network, dependence on the availability of the data network, and shared resources.
Out-of-band management: the ASA offers a dedicated management interface separate from the regular data interfaces. The administrator uses this dedicated physical management port to access the device, and the port is used only for management traffic. Out-of-band management isolates management traffic from normal data traffic. The console port and the management port are both out-of-band access methods.
Let's see the configuration of all the methods to access the ASA firewall:
in the first lab, we configure Telnet
in the second lab, we configure Secure Shell
in the third lab, we configure a dedicated management interface
in the fourth lab, we configure ASDM
First lab topology:
configure the topology as per the diagram
configure the IP addresses as per the topology
configure the inside and outside zones (nameif and security-level)
enable Telnet, which is disabled by default on the ASA; note that Telnet sends the password in clear text and that the ASA does not accept Telnet on its lowest-security interface (the outside), so use it only in the lab and prefer SSH
configure router-1 to act as a PC for verification.
R1#telnet 192.168.1.1 /source-interface fastEthernet 0/0
Trying 192.168.1.1 ... Open

User Access Verification
Password:
ciscoasa> enable
Password:
ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
ciscoasa# exit
Logoff

[Connection to 192.168.1.1 closed by foreign host]
R1#
ZBF (Zone-Based Firewall) is the stateful firewall built into Cisco IOS routers, introduced in 2006 with IOS 12.4(6)T. ZBF supports application-layer inspection much like an ASA. It works on the concept of security zones, which you can name however you want. In ZBF we do not assign access lists to interfaces; instead we create zones, assign each interface to one zone (an interface can be a member of only one zone) and attach security policies to zone-pairs. The default between two zones is to drop all traffic unless we explicitly allow it; traffic between interfaces in the same zone, and traffic to or from the router itself (the self zone), is allowed by default.
Zone-Based Model: interfaces are assigned to zones, and the inspection policy is applied to traffic moving between those zones.
Flexible Configuration: allows more granular control of traffic based on zones rather than just interfaces.
Stateful Inspection: maintains the state of active sessions and allows the return traffic accordingly.
Successor to CBAC: ZBF replaces Context-Based Access Control (CBAC) and offers a cleaner, more flexible policy model.
Let's see the configuration of ZBF:
Topology:
Goal:
configure the topology as per the diagram
assign IP addresses as per the topology
configure EIGRP 100 and advertise all the interfaces
configure router-2 for ZBF
configure the zone INSIDE for the LAN and the zone OUTSIDE for the internet
configure an extended ACL
allow PC-2 to ping the server 30.1.1.11
allow telnet from INSIDE
leave the rest to the default (dropped)
verify the configuration with telnet, ping and show commands.
(first, configure the IP addresses on PC-1 and PC-2 in the inside zone)
PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10026
RHOST:PORT  : 127.0.0.1:10027
MTU:        : 1500
PC2> ip 10.1.1.11 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC2 : 10.1.1.11 255.0.0.0 gateway 10.1.1.1
PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10028
RHOST:PORT  : 127.0.0.1:10029
MTU:        : 1500
PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=0.583 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=0.495 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=0.511 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=0.780 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=0.759 ms
Configure the IP addresses between the routers and on the LAN interfaces
verify the connectivity with ping from PC-1 to server-1
PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
PC1> ping 30.1.1.10
84 bytes from 30.1.1.10 icmp_seq=1 ttl=61 time=115.597 ms
84 bytes from 30.1.1.10 icmp_seq=2 ttl=61 time=94.468 ms
84 bytes from 30.1.1.10 icmp_seq=3 ttl=61 time=94.519 ms
84 bytes from 30.1.1.10 icmp_seq=4 ttl=61 time=78.793 ms
84 bytes from 30.1.1.10 icmp_seq=5 ttl=61 time=78.209 ms
As you can see, the connectivity is good. Now configure Telnet on router-1 and router-3 for testing; for this lab we do not configure a login password on the vty lines (never do that outside a lab).
R2(config)#interface serial 4/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#exit
Now that both interfaces sit in different zones, the default policy drops all traffic between them unless we explicitly allow it. So next we configure the extended ACL that permits 10.1.1.11 to ping and permits 10.1.1.1 to telnet, and reference it from the class-map used by the INSIDE-to-OUTSIDE zone-pair policy.
R1#telnet 30.1.1.1 /source-interface fastEthernet 0/0
Trying 30.1.1.1 ... Open
R3>
R3>show ip interface br
Interface          IP-Address      OK? Method Status   Protocol
FastEthernet0/0    30.1.1.1        YES manual up       up
Serial4/1          192.168.2.2     YES manual up       up
As you can see, router-1 can reach router-3 remotely with Telnet because we allowed it.
PC-1 cannot ping the server because we did not allow it; we allowed only PC-2 (10.1.1.11) to ping any network.
PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1
PC2> ping 30.1.1.11
84 bytes from 30.1.1.11 icmp_seq=1 ttl=61 time=127.289 ms
84 bytes from 30.1.1.11 icmp_seq=2 ttl=61 time=94.466 ms
84 bytes from 30.1.1.11 icmp_seq=3 ttl=61 time=94.540 ms
84 bytes from 30.1.1.11 icmp_seq=4 ttl=61 time=93.967 ms
84 bytes from 30.1.1.11 icmp_seq=5 ttl=61 time=94.784 ms
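A model of the ZBF decisions this lab relies on, as an added Python example (not the router's configuration and not Cisco code): interfaces assigned to zones, one zone-pair INSIDE to OUTSIDE with two inspect classes (ICMP from 10.1.1.11 and Telnet from 10.0.0.0/8), class-default drop, and the session table that lets reply traffic back in. Interface names and addresses follow the topology above; the TCP source ports are made up.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "icmp" or "tcp"
    sport: int = 0   # 0 for icmp
    dport: int = 0


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


class ZoneBasedFirewall:
    """Toy model of IOS ZBF semantics: zones, zone-pairs, class-default drop, inspect state."""

    def __init__(self) -> None:
        self.zone_of = {}      # interface -> zone name
        self.zone_pairs = {}   # (src_zone, dst_zone) -> [(match_fn, action)]
        self.sessions = set()  # 5-tuples created by an "inspect" action

    def zone_member(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone  # an interface belongs to exactly one zone

    def zone_pair(self, src_zone: str, dst_zone: str, rules) -> None:
        self.zone_pairs[(src_zone, dst_zone)] = list(rules)

    def forward(self, in_if: str, out_if: str, flow: Flow) -> str:
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone == dst_zone:
            return "pass"   # same zone (or both unzoned): not policed
        if src_zone is None or dst_zone is None:
            return "drop"   # zoned <-> unzoned interface is always dropped
        reverse = (flow.dst, flow.src, flow.proto, flow.dport, flow.sport)
        if reverse in self.sessions:
            return "pass"   # return traffic of an inspected session
        for match, action in self.zone_pairs.get((src_zone, dst_zone), []):
            if match(flow):
                if action == "inspect":
                    self.sessions.add((flow.src, flow.dst, flow.proto, flow.sport, flow.dport))
                return action
        return "drop"       # class-default, or no zone-pair in this direction


def build_lab_firewall() -> ZoneBasedFirewall:
    """R2 from the lab: Serial4/0 in INSIDE, Serial4/1 in OUTSIDE, ACL-style classes."""
    fw = ZoneBasedFirewall()
    fw.zone_member("Serial4/0", "INSIDE")
    fw.zone_member("Serial4/1", "OUTSIDE")
    fw.zone_pair("INSIDE", "OUTSIDE", [
        (lambda f: f.proto == "icmp" and f.src == "10.1.1.11", "inspect"),
        (lambda f: f.proto == "tcp" and f.dport == 23 and in_net(f.src, "10.0.0.0/8"), "inspect"),
    ])
    return fw


if __name__ == "__main__":
    fw = build_lab_firewall()
    print("PC-2 ping  :", fw.forward("Serial4/0", "Serial4/1", Flow("10.1.1.11", "30.1.1.11", "icmp")))
    print("echo reply :", fw.forward("Serial4/1", "Serial4/0", Flow("30.1.1.11", "10.1.1.11", "icmp")))
    print("PC-1 ping  :", fw.forward("Serial4/0", "Serial4/1", Flow("10.1.1.10", "30.1.1.10", "icmp")))
    print("R1 telnet  :", fw.forward("Serial4/0", "Serial4/1", Flow("10.1.1.1", "30.1.1.1", "tcp", 40000, 23)))
    print("from outside:", fw.forward("Serial4/1", "Serial4/0", Flow("30.1.1.1", "10.1.1.1", "tcp", 50000, 23)))
```

There is no OUTSIDE-to-INSIDE zone-pair, so a Telnet attempt initiated from the server side is dropped even though the same addresses and port 23 are involved; only the reply half of a session the inside created gets through.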
TACACS+, RADIUS and Diameter are protocols that provide centralized AAA (Authentication, Authorization and Accounting). An ACS (Access Control Server) supports the RADIUS and TACACS+ protocols and is commonly used in enterprise environments. The three protocols have some key differences. (AAA itself is explained in the section further below.)
Types of AAA protocols
Terminal Access Controller Access-Control System Plus (TACACS+)
Remote Authentication Dial-In User Service (RADIUS)
Diameter
TACACS+ (Terminal Access Controller Access Control System Plus) is Cisco's enhancement of the older TACACS protocol. It began as a Cisco proprietary protocol and was later documented in RFC 8907, and other vendors now implement it. TACACS+ is mainly used for device administration through an ACS (Access Control Server).
TACACS+ carries the communication between the network device (the AAA client) and the ACS server. It runs over TCP port 49, so delivery is reliable. The body of every TACACS+ packet is obfuscated with an MD5-derived keystream computed from the shared key, the session ID, the version and the sequence number; the 12-byte header is sent in the clear. RFC 8907 deliberately calls this obfuscation rather than encryption and recommends protecting the path with IPsec or a dedicated management network. TACACS+ keeps authentication, authorization and accounting as separate exchanges, which is what makes per-command authorization and detailed command accounting possible and is the reason it is preferred for device administration.
Remote Authentication Dial-In User Service (RADIUS) is the IETF standard AAA protocol (RFC 2865 and RFC 2866). RADIUS is used between any vendor's AAA client (Cisco or non-Cisco) and the AAA server; if you have devices from multiple vendors, RADIUS is the common denominator. RADIUS runs over UDP, port 1645 or 1812 for authentication and 1646 or 1813 for accounting, so it is faster but slightly less reliable than TACACS+ (the client has to handle retransmissions itself). Authentication and authorization are combined in a single exchange: the Access-Accept carries the authorization attributes. Only the User-Password attribute is hidden, by XORing it with MD5 hashes of the shared secret and the Request Authenticator; the rest of the packet, including the username, travels in clear text.
The Diameter protocol (RFC 6733) is the AAA protocol used in Long-Term Evolution (LTE) and IP Multimedia Subsystem networks. It evolved from RADIUS, hence the name, and replaces the UDP transport of RADIUS with TCP or SCTP protected by TLS or DTLS, with larger attribute-value pairs, reliable failover and peer-to-peer operation. Like RADIUS and TACACS+, it is an application-layer protocol of the Internet protocol suite.
Let's see the configuration of AAA with a TACACS+ and a RADIUS server:
Topology:
Goal: TACACS+
configure the topology as per the diagram
configure the IP addresses as per the topology
configure dynamic routing between the networks
configure AAA authentication, with the shared key (internet) configured identically on the router and on the server
What is AAA (Authentication, Authorization, and Accounting)?
Authentication, Authorization, and Accounting (AAA) is a standards-based framework that provides a set of security services. Authentication decides which device or user is permitted to use network resources; authorization decides what they are allowed to do, for example use the internet or access the CLI through Telnet or SSH; and accounting records what that user did, including the time and date and the actions performed while on the network. Together the three are essential for network security: AAA ensures that only authorized users can reach network resources and keeps a record of the actions they performed.
Authentication
Authentication is the process by which AAA identifies the user. A user who wants to use a network resource is asked for credentials such as a username and password, a USB token, or a fingerprint. The AAA system verifies these credentials against a database. If they match, the user is authenticated; if not, the user is refused access to the network resources. You can use the local database on a router or switch for AAA authentication, but in a large organization you should use an external server such as an ACS server. Authentication is a must for both network access and device access.
Authorization
Once a user has been authenticated, AAA authorization decides which resources that user may access and which actions the user may perform. For example, a junior network engineer on the IT team wants to access the router and change some routing configuration, but should not have access to everything: the administrator can create a view (or privilege level) that allows only show commands and ping, and the junior engineer is then authorized to run only those commands. The administrator chooses how authorization is evaluated, against the local database or against the ACS server.
Accounting
AAA accounting monitors and records user activity while the user is logged in to the network. It collects how long the user was active, the data the user sent or received, the IP address, the URIs visited and the services the user accessed. Accounting is very useful for analysing user activity and for investigating incidents afterwards.
AAA implementation
AAA can be implemented with the local database on devices such as routers and switches, or with an external server such as an ACS (Access Control Server). If you have a small number of devices, the local database on each router is enough; in a large organization, use an external server such as ACS so that accounts and policies are managed in one place.
Let's take an overview of both methods:
Local database
We can implement AAA with the local database on a router or a switch. We create a local user account for each user, then configure AAA authorization to assign a privilege level to each user, defining what the user is authorized to do and which commands the user can execute on the device. After that we configure AAA accounting so the device logs user activity such as login time and the commands executed.
ACS Server
An external ACS server is the most common method of AAA implementation in the network. First, authentication: a user, or a device such as a printer, sends an authentication request; the network device forwards it to the ACS server, which holds the user credentials and compares them against its database. Second, authorization: the ACS server returns what resources on the network the user may access. Third, accounting: the ACS server records the user's actions and generates reports.
Types of AAA protocols
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access-Control System Plus (TACACS+)
Diameter
(in the next blog we will see the AAA protocols and the ACS server)
Let's see the configuration of AAA with the local database:
Topology:
Goal:
configure the IP addresses as per the topology
ensure reachability between the PC and the router
configure AAA authentication with the local database (in production use username ... secret rather than username ... password, which stores the password reversibly in the configuration)
configure the AAA authentication method list named internet
apply login authentication to the console and the vty lines
verify the authentication from the PC
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#username admin password admin
Router(config)#aaa new-model
Router(config)#aaa authentication login internet local
Router(config)#line console 0
Router(config-line)#login authentication internet
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication internet
Router(config-line)#exit
Router(config)#end
Router#exit

Router con0 is now available

User Access Verification
Username: admin
Password:
Router>enable
Router#show aaa sessions
Total sessions since last reload: 3