Monday, 15 October 2012

VLAN Maps

Using VLAN Maps

VLAN maps (also called VLAN access maps or VACLs) filter or redirect traffic within a VLAN. They are applied to every packet bridged inside the VLAN and to packets routed into or out of it, so they can control host-to-host traffic on the same VLAN that a router ACL never sees, giving you more granular control over the traffic.


Steps needed to configure a VLAN map

  1. Determine what you want to accomplish: knowing exactly what you want to achieve before you configure anything saves a lot of headaches during the actual implementation.
  2. Write an access list: which kind you use depends on what you want to do. IP access lists are the most common; a standard access list is sufficient if you only want to match the source IP address, while protocol or port filtering needs an extended access list. Keep in mind that the access list permits the traffic you want to manipulate: a deny entry does not drop anything, it only means the packet does not match that clause of the map.
  3. Create a VLAN map: this is where you use the access list to match the traffic you want to handle and set an action for it (forward or drop). Keep in mind that a VLAN map works much like route maps and access lists: by default it discards traffic that matches none of its clauses, so be sure to allow the traffic that needs to traverse your VLAN.
  4. Apply the VLAN map to a VLAN: here you apply the map to one VLAN or to a list of VLANs. The VLAN map does nothing until it is applied to a VLAN.


Scenario

Your company policy states that Telnet traffic must not be allowed on VLAN 10 for security reasons, while all other traffic must be allowed.

Here is how to configure a VLAN map that meets the requirements:


(step 1) Objectives: Telnet traffic must be blocked for all hosts in VLAN 10, so:
  • we need an extended access list to match Telnet traffic (TCP port 23)
  • a name for the VLAN map: we will call it "NO_TELNET"
  • we must ensure that all other traffic is still allowed
  • we will apply the VLAN map to VLAN 10

(step 2) Implementation:

SwitchABC(config)#access-list 101 permit tcp any any eq telnet
// the access list permits (that is, identifies) the traffic we want to drop: TCP to destination port 23
SwitchABC(config)#vlan access-map NO_TELNET 10
// create the VLAN map; 10 is the sequence number of its first clause
SwitchABC(config-access-map)#match ip address 101
// match the access list we created before
SwitchABC(config-access-map)#action drop
// anything that matches the access list will be dropped
SwitchABC(config-access-map)#vlan access-map NO_TELNET 20
SwitchABC(config-access-map)#action forward
// a clause with no match statement matches everything, so clause 20 forwards all other traffic; without it the implicit drop at the end of the map would discard it
SwitchABC(config-access-map)#exit
SwitchABC(config)#vlan filter NO_TELNET vlan-list 10
// the VLAN map is now applied to VLAN 10; check it with "show vlan access-map NO_TELNET" and "show vlan filter"

Two things to keep in mind: the map is applied to every packet bridged within VLAN 10 or routed into or out of it, so Telnet is blocked both from and to hosts in VLAN 10 (the client's connection attempt to port 23 is dropped, so no session can be set up); and ACL 101 only matches destination port 23, so a Telnet server listening on another port is not covered.
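The pitfalls described above (a deny-only ACL that never matches, a map without a catch-all forward clause, a map that is never applied) are easy to catch before a change is pushed. The following Python script is an added example, not part of the original post: it parses a constructed running-config excerpt and reports those three problems. The config text, the map name BROKEN and ACL 102 are constructed for the example; NO_TELNET and ACL 101 are the ones configured above.

```python
"""
Added example: static check of Cisco IOS VLAN access-map configuration.

Parses a constructed running-config excerpt and reports three pitfalls:
  * a clause whose ACL has only deny entries never matches (a deny in the
    ACL does not drop, it only means "not this clause"),
  * a map without a catch-all forward clause drops all unmatched IP traffic
    (the implicit drop at the end of the map),
  * a map that is defined but never applied with 'vlan filter'.
"""
import re
from collections import defaultdict

# Constructed config text; map BROKEN and ACL 102 are deliberately wrong.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any eq telnet
access-list 102 deny tcp any any eq 22
!
vlan access-map NO_TELNET 10
 match ip address 101
 action drop
vlan access-map NO_TELNET 20
 action forward
!
vlan access-map BROKEN 10
 match ip address 102
 action drop
!
vlan filter NO_TELNET vlan-list 10
"""


def parse_config(text):
    acls = defaultdict(list)   # acl id -> [(permit|deny, rest of entry)]
    maps = defaultdict(dict)   # map name -> {seq: {"match": [acl ids], "action": str}}
    filters = {}               # map name -> vlan-list
    clause = None              # access-map clause currently being filled
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            clause = None      # '!' separates config sections
            continue
        if m := re.match(r"access-list (\S+) (permit|deny) (.*)", line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
            clause = None
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            # IOS forwards when a clause has no action, so that is the default.
            clause = maps[m.group(1)].setdefault(
                int(m.group(2)), {"match": [], "action": "forward"})
        elif m := re.match(r"vlan filter (\S+) vlan-list (.*)", line):
            filters[m.group(1)] = m.group(2)
            clause = None
        elif clause is not None and line.startswith(" "):
            if m := re.match(r"match ip address (\S+)", line.strip()):
                clause["match"].append(m.group(1))
            elif m := re.match(r"action (forward|drop|redirect.*)", line.strip()):
                clause["action"] = m.group(1)
    return acls, maps, filters


def is_catch_all(clause, acls):
    """Forward clause with no match, or matching only ACLs that permit ip any any."""
    if clause["action"] != "forward":
        return False
    return not clause["match"] or all(
        any(kind == "permit" and rest.startswith("ip any any")
            for kind, rest in acls.get(acl, []))
        for acl in clause["match"])


def audit_vlan_maps(text):
    """Return human-readable findings; an empty list means no pitfall found."""
    acls, maps, filters = parse_config(text)
    findings = []
    for name, clauses in maps.items():
        seqs = sorted(clauses)
        for seq in seqs:
            for acl in clauses[seq]["match"]:
                entries = acls.get(acl, [])
                if not entries:
                    findings.append(f"{name} {seq}: ACL {acl} is not defined")
                elif all(kind == "deny" for kind, _ in entries):
                    findings.append(f"{name} {seq}: ACL {acl} has only deny "
                                    "entries, clause never matches")
        if not is_catch_all(clauses[seqs[-1]], acls):
            findings.append(f"{name}: no catch-all forward clause, "
                            "unmatched IP traffic is dropped")
        if name not in filters:
            findings.append(f"{name}: defined but not applied with 'vlan filter'")
    for name in filters:
        if name not in maps:
            findings.append(f"vlan filter references undefined map {name}")
    return findings
```

Run `audit_vlan_maps` over the text of `show running-config | section vlan|access-list`: NO_TELNET passes every check, while BROKEN is reported three times (its ACL only denies, its last clause is a drop, and it is never applied). Only IP match clauses are parsed; a map that uses MAC ACLs as well needs the same treatment for `match mac address`.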
 
 


Saturday, 13 October 2012

Basic DHCP Configuration


DHCP is the dominant way of providing end-user devices with the information they need to connect to your network (address, subnet mask, default gateway and DNS servers).

In small or midsize environments DHCP is usually provided by the ISR router.

Steps needed to deploy DHCP

  1. Define which addresses are going to be excluded from the pool: the default gateway, servers, printers and anything else that keeps a fixed address.
  2. Statically configure addresses on servers and on any other device that needs a specific IP address.
  3. Configure your router as a DHCP relay if a dedicated DHCP server is used, or enable the DHCP service on the router so that it acts as the DHCP server.

Configuring a DHCP Relay Agent

 

If your network has a dedicated platform that provides DHCP services, configure the interface that is the clients' default gateway (the one that receives their broadcasts) with the command: ip helper-address address

If your DHCP server has the address 192.168.33.1 you should type:

Router(config-if)# ip helper-address 192.168.33.1

Be aware that ip helper-address does not forward only DHCP: by default it also relays other UDP broadcasts to that address, such as TFTP, DNS, time, NetBIOS name service and TACACS. Disable the ones you do not need with the global command no ip forward-protocol udp port, for example no ip forward-protocol udp tftp.
 

Configuring a DHCP Server on a Cisco Router

 -----------------------------------------------------------------------------

Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.9
// excludes the addresses 10.1.1.1 - 10.1.1.9 from being assigned to hosts
Router(config)# ip dhcp pool DHCP1
// creates a DHCP pool named DHCP1
Router(dhcp-config)# network 10.1.1.0 255.255.255.0
// defines the network the pool hands out addresses from, here the 10.1.1.0/24 subnet
Router(dhcp-config)# default-router 10.1.1.1
// the default gateway is 10.1.1.1
Router(dhcp-config)# dns-server 4.2.2.2
// the DNS server is 4.2.2.2

-------------------------------------------------------------------------------

The previous commands have this effect:
  • addresses 10.1.1.1 - 10.1.1.9 are not assigned to hosts
  • the network range is 10.1.1.0/24
  • the gateway is 10.1.1.1
  • the DNS server is 4.2.2.2


Caution: for the DHCP service to hand out addresses from this pool, the router must have an interface configured with an address from the 10.1.1.0/24 subnet, usually the default gateway address 10.1.1.1/24; the router selects the pool by matching the subnet of the interface that received the request (or the relay's gateway address for relayed requests). Make sure that address, and every other statically assigned address in the subnet, is covered by ip dhcp excluded-address, otherwise the router may lease it to a client.
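The checks in the steps above (gateway inside the pool's network, fixed addresses excluded from the pool, an interface address in the pool's subnet) can be scripted against a saved configuration. The following Python script is an added example, not part of the original post: it parses a constructed running-config excerpt containing the DHCP1 pool from above plus a deliberately broken pool DHCP2 and reports each violated rule. The config text, pool DHCP2 and interface Vlan10 are constructed for the example.

```python
"""
Added example: sanity check of a Cisco IOS DHCP server configuration.

Parses a constructed running-config excerpt and checks, per pool, that the
default-router lies inside the pool's network, that the gateway and any
in-subnet DNS server are covered by an 'ip dhcp excluded-address' range
(otherwise they can be leased to a client), and that the router owns an
interface address in the subnet (otherwise the pool only answers requests
relayed from that subnet, which IOS matches on the relay's gateway address).
"""
import ipaddress
import re

# Constructed config text; pool DHCP2 is deliberately wrong.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.1.1.1 10.1.1.9
!
ip dhcp pool DHCP1
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 4.2.2.2
!
ip dhcp pool DHCP2
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 dns-server 10.1.2.5
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
"""


def parse_dhcp_config(text):
    excluded = []   # [(first, last)] IPv4Address pairs
    pools = {}      # name -> {"network": IPv4Network|None, "routers": [], "dns": []}
    ifaces = []     # IPv4Interface for every 'ip address' seen under an interface
    section = None  # pool dict, the ifaces list, or None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None      # '!' separates config sections
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            first = ipaddress.IPv4Address(m.group(1))
            excluded.append((first, ipaddress.IPv4Address(m.group(2) or m.group(1))))
        elif m := re.match(r"ip dhcp pool (\S+)", line):
            section = pools.setdefault(m.group(1), {"network": None, "routers": [], "dns": []})
        elif re.match(r"interface \S+", line):
            section = ifaces
        elif section is not None and line.startswith(" "):
            words = line.split()
            if isinstance(section, dict):
                if words[0] == "network" and len(words) >= 3:
                    # IOS accepts a dotted mask or /prefix-length after the address.
                    section["network"] = ipaddress.IPv4Network(
                        f"{words[1]}/{words[2].lstrip('/')}", strict=False)
                elif words[0] == "default-router":
                    section["routers"] += [ipaddress.IPv4Address(w) for w in words[1:]]
                elif words[0] == "dns-server":
                    section["dns"] += [ipaddress.IPv4Address(w) for w in words[1:]]
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                ifaces.append(ipaddress.IPv4Interface(f"{words[2]}/{words[3]}"))
    return excluded, pools, ifaces


def is_excluded(addr, excluded):
    return any(first <= addr <= last for first, last in excluded)


def audit_dhcp(text):
    """Return human-readable findings; an empty list means every pool passed."""
    excluded, pools, ifaces = parse_dhcp_config(text)
    findings = []
    for name, pool in pools.items():
        net = pool["network"]
        if net is None:
            findings.append(f"{name}: no network statement")
            continue
        for gw in pool["routers"]:
            if gw not in net:
                findings.append(f"{name}: default-router {gw} is outside {net}")
            elif not is_excluded(gw, excluded):
                findings.append(f"{name}: default-router {gw} is not excluded and can be leased")
        for dns in pool["dns"]:
            if dns in net and not is_excluded(dns, excluded):
                findings.append(f"{name}: dns-server {dns} is inside {net} but not excluded")
        if not any(i.ip in net for i in ifaces):
            findings.append(f"{name}: no interface address in {net}, "
                            "pool answers only relayed requests")
    return findings
```

Running `audit_dhcp(SAMPLE_CONFIG)` reports nothing for DHCP1 and three findings for DHCP2: its gateway 10.1.2.1 and its DNS server 10.1.2.5 sit inside the pool without an excluded-address range, and no interface owns an address in 10.1.2.0/24. Adding `ip dhcp excluded-address 10.1.2.1 10.1.2.9` and an SVI with 10.1.2.1/24 clears all three.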