Introduction With this article, we will look at the basic commands used within Cisco IOS to configure OSPF. Basic Configuration To initially configure OSPF, at a minimum, you must configure three things – process ID, router ID, and the network. Process ID – Defines the OSPF process ID that OSPF will run under. This is … Read more
Introduction First of all, what is a route leak? A route leak is the propagation of routing announcement(s) beyond their intended scope – RFC7908 Within this article we will look at 2 methods of route leaking within an MPLS environment – static routes and route maps. To demonstrate both methods we will look at 2 … Read more
Introduction Within this article we will walk through the various steps required in configuring MPLS. NOTE This article does not look to explain the various terms and concepts of MPLS, for details around these please see Getting to Know MPLS. Overview Within our example we will have 2 customers COSTA and STARBUCKS. Each customer consisting … Read more
Introduction Cisco Express Forwarding (CEF) is a packet-switching technique used within Cisco routers. The main purpose of CEF is to optimize the forwarding of packets and increase the packet-switching speed. History Prior to CEF there were 2 methods of packet switching – Process-Switching and Fast-Switching. Process-Switching The first method, process-switching, is the oldest and … Read more
To adjust the TCP maximum segment size (MSS) of traffic passing through a vRouter, known as MSS clamping, you define a policy route and then assign it to the outside interface. MSS clamping is typically used for IPsec traffic, so that the packets once encapsulated do not exceed the MTU of … Read more
Within this article we will show you how to create an IPsec site-to-site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs (explained further on), a route-based VPN will be created. The main difference with a route-based VPN, compared with a policy-based one, is that a tunnel interface (VTI) … Read more
Within this article we will show you how to create a firewall policy for a Brocade Vyatta router. Firewall policies are created much as on any other device, using a combination of match criteria such as source IP and destination IP. Once created, the policy is applied to an interface. Group Types There are 3 types of groups; they are … Read more
Issue When using the WebUI you may experience random disconnects. Solution This is due to bug VSE-7850, which is fixed in 6.6R4. The other workaround is to disable the WebUI and make all configuration changes via the CLI.
Purpose The purpose of this document is to explain the various steps required in configuring a remote access VPN on a Vyatta appliance. Vyatta Configuration The Vyatta configuration steps are fairly straightforward. You enable IPsec on the outside interface and define the IP pool, along with the pre-shared secret and the usernames and passwords; then you're good … Read more
Introduction Within this article we will look at the various ways to configure NAT on a Vyatta appliance. To configure NAT, source and destination rules are defined using the ‘set nat source’ and ‘set nat destination’ commands. The source rules relate to the translation of the source address, and the destination rules relate to the … Read more
Issue When trying to access the GUI you may observe the following error: Username or password is incorrect. Failed to parse server data. Solution This is due to a bug in VSE 6.5 R2, which is triggered when the Vyatta appliance does not have an interface named ‘eth0’ present. To resolve this, edit the file ’/config/config.boot’ via … Read more
In order to secure management access you will need to A) enable the firewall and B) create a firewall policy and assign it to your management interface. Enable Firewall First of all, enable the firewall and its global state policy, so that return traffic of established and related sessions is accepted and invalid packets are dropped:
set firewall
set firewall state-policy related action accept
set firewall state-policy established action accept
set firewall state-policy invalid action drop
… Read more
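As an added example that is not part of the original post, below is a complete Vyatta/VyOS-style management-plane firewall that puts the two steps together. The policy name MGMT_LOCAL, the management subnet 10.0.0.0/24 and the interface eth0 are assumptions. The global state policy accepts return traffic for sessions the router opened, and the "local" policy on eth0 admits only SSH from the management subnet plus ICMP echo, logging and dropping everything else addressed to the router itself.

```text
# Added example: Vyatta/VyOS management-plane firewall (names and addresses are assumed)
# Step A: global state policy so replies to established sessions are accepted
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

# Step B: a named policy for traffic destined to the router itself
set firewall name MGMT_LOCAL default-action drop
set firewall name MGMT_LOCAL description 'Management plane: SSH from mgmt subnet only'
set firewall name MGMT_LOCAL rule 10 action accept
set firewall name MGMT_LOCAL rule 10 protocol tcp
set firewall name MGMT_LOCAL rule 10 destination port 22
set firewall name MGMT_LOCAL rule 10 source address 10.0.0.0/24
set firewall name MGMT_LOCAL rule 20 action accept
set firewall name MGMT_LOCAL rule 20 protocol icmp
set firewall name MGMT_LOCAL rule 20 icmp type-name echo-request
set firewall name MGMT_LOCAL rule 30 action drop
set firewall name MGMT_LOCAL rule 30 log enable
set firewall name MGMT_LOCAL rule 30 description 'Log everything else hitting the router'

# Attach as a "local" policy: it filters packets addressed to the router, not transit traffic
set interfaces ethernet eth0 firewall local name MGMT_LOCAL
commit
save
```

The distinction between the three attachment points matters: "in" and "out" filter transit traffic through the interface, while "local" is the only one that protects SSH, the WebUI and other services running on the router. Apply the same policy to every interface from which management is reachable, not just eth0.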
Within this article we will show the necessary steps required to build a site-to-site IPsec VPN. The example uses the following encryption domain:
Local: peer 2.2.2.2, endpoint 192.168.3.0/24
Remote: peer 1.1.1.1, endpoint 172.16.0.0/16
NAT First of all, 2 NAT rules are configured to ensure that the VPN traffic is not NATed; if the source address were translated it would no longer match the local encryption domain and would not be sent through the tunnel. set nat source rule … Read more
Flow accounting provides the ability to display statistics on your network traffic, and is defined on a per-interface basis. Below is a quick summary of how to enable flow accounting and how to view the statistics. Enable First of all, flow accounting is enabled on each of the interfaces. user@host# set system … Read more
Introduction DMVPN (Dynamic Multipoint Virtual Private Network) is a feature within the Cisco IOS based router family which provides the ability to dynamically build IPSEC tunneling between peers based on an evolved iteration of hub and spoke tunneling. DMVPN uses a combination of the following technologies : Multipoint GRE (mGRE) Next-Hop Resolution Protocol (NHRP) Dynamic … Read more
Below shows the configuration for one side of a site-to-site VPN between 2 Cisco routers using pre-shared keys.
router(config)# crypto isakmp enable
Phase 1
router(config)# crypto isakmp policy 10
router(config-isakmp)# authentication pre-share
router(config-isakmp)# encryption [?]
router(config-isakmp)# group [?]
router(config-isakmp)# hash [?]
router(config-isakmp)# lifetime 86400
router(config)# crypto isakmp identity address
router(config)# crypto isakmp key [key] … Read more
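As an added example that is not taken from the post, below is one complete side of an IKEv1 pre-shared-key site-to-site VPN on Cisco IOS, with the placeholders above filled in with current-strength choices. The local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, outside address 203.0.113.1 on GigabitEthernet0/0 and remote peer 203.0.113.2 are assumptions; the peer is configured as the mirror image.

```text
! Added example: one side of an IKEv1 pre-shared-key site-to-site VPN on Cisco IOS.
! Assumed: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, outside Gi0/0 at
! 203.0.113.1, remote peer 203.0.113.2. Names and the key are placeholders.
!
! Phase 1: AES-256 / SHA-256 / DH group 14 rather than the DES/MD5/group 1 defaults
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <pre-shared-key> address 203.0.113.2
!
! Phase 2: ESP with authentication; never use an esp-null or unauthenticated set
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Encryption domain: only this traffic is protected, everything else bypasses the tunnel
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA256
 set pfs group14
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN_MAP
!
! Verification:
!   show crypto isakmp sa   (state should be QM_IDLE once Phase 1 completes)
!   show crypto ipsec sa    (encaps/decaps counters increment when traffic flows)
```

If the router also performs NAT on the outside interface, the VPN_TRAFFIC pairs must be excluded from the NAT ACL with a deny entry ahead of the permit, otherwise the translated source never matches the crypto ACL.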
Reflexive access-lists allow the router to pass the return traffic of sessions that were previously permitted by another ACL. Because a router does not (by default) keep a state table, this means you do not have to create additional access-list entries to allow the return traffic of a permitted TCP session. (config)# ip access-list … Read more
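A complete reflexive ACL pair, added here as an example rather than taken from the post. It assumes GigabitEthernet0/1 is the Internet-facing interface; the ACL names OUTBOUND and INBOUND and the reflect-list names TCP_SESSIONS and UDP_SESSIONS are placeholders.

```text
! Added example: reflexive ACL on the outside interface (assumed Gi0/1).
! Outbound: permitted sessions create temporary mirror entries in the named
! reflect lists, which expire after the given idle timeout in seconds.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP_SESSIONS timeout 300
 permit udp any any reflect UDP_SESSIONS timeout 60
!
! Inbound: consult the temporary entries, then drop and log everything else.
! Reflexive entries only exist inside named extended ACLs.
ip access-list extended INBOUND
 evaluate TCP_SESSIONS
 evaluate UDP_SESSIONS
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification: "show ip access-lists" lists the dynamic entries while sessions are live,
! e.g. "permit tcp host 198.51.100.5 eq 443 host 10.0.0.7 eq 51234 (time left 287)"
```

Unlike a stateful firewall, a reflexive ACL tracks only the 5-tuple and a timer, not TCP state, and it cannot follow protocols that open secondary connections such as active FTP; those still need explicit entries or CBAC/zone-based firewall inspection.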
In a worst-case scenario someone could gain access to your router and erase the boot image and config. This would result in lengthy downtime and a lot of stress. Cisco have addressed this with the following commands, which prevent the erasure of your config and boot image (config)# … Read more
Below shows a number of commands that you can use for securing your Cisco router. Block Denied Logins – Useful for delaying further login attempts after repeated failures, when someone is trying to brute-force your router. (config)# login block-for [seconds] attempts [attempts] within [seconds] Quiet Login – Allows you to still log in once the router has blocked login … Read more
CLI Views allow you to create sub-administrators within your Cisco device. This can be thought of as an extension to privilege levels, giving you further granularity over what your users are allowed to do. Creating views Below shows you the commands required to create a view. In all the examples we … Read more
TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco proprietary protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ uses TCP port 49 and provides separate authentication, authorization and accounting services. Below shows you the general steps involved. First of all … Read more
SDM (Security Device Manager) allows you to configure and manage your router via the use of a GUI. Please find the steps below : Download the SDM-Vxx.zip file from Cisco’s website. Ensure that you have the sdmconfig*.cfg file within your routers flash for your version of router. You can confirm this by using the command … Read more
Below shows you the steps on how to create a tunnel interface on a Cisco router, with the inclusion of OSPF-based commands so that dynamic routing updates can be sent across the link to the remote peer. Note that a plain GRE tunnel provides neither confidentiality nor authentication; if the link crosses an untrusted network, protect it with IPsec.
interface Tunnel0
 ip address [IP] [Mask]
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination [remote peer ip]
Below shows you how to enable SSH on your router using a username of “mr” and a password of “bean”. Two points to be aware of: ip ssh source-interface sets the source address for SSH sessions the router itself initiates, not which interface accepts inbound SSH (restrict that with an access-class on the vty lines); and although 768 bits is the smallest RSA modulus SSH version 2 accepts, it is far too weak for current use, so generate at least 2048 bits. The username is configured with secret, which stores a hash; username ... password 7 would expect an already type-7-encoded string, and type 7 is reversible in any case.
Router(config)#ip ssh source-interface fastEthernet 0/0
Router(config)#ip ssh authentication-retries 3
Router(config)#ip ssh version 2
Router(config)#ip domain-name local.net
Router(config)#crypto key generate rsa modulus 2048
Router(config)#username mr secret bean
Router(config)#line vty 0 15
Router(config-line)# transport input … Read more
Below gives you an example of how to create a named access-list. Note that permit ip any any permits everything and is shown only to illustrate the syntax; an inbound ACL on an outside interface should normally permit only the traffic that is required.
router(config)#ip access-list extended OUTSIDE_IN
router(config-ext-nacl)#permit ip any any
You will need to have already set your interfaces to inside and outside using the commands ip nat outside and ip nat inside. Once done, you can add the command below. This would allow the IP 10.8.8.8 to be accessed on port 23 via the IP address of the interface fa 0/0 using port 2333. ip … Read more
Below are a few steps to set up basic security on a router.
Banner Set the banner (the text is enclosed in a delimiter character of your choice).
(config)#banner motd <delimiter> <text> <delimiter>
Passwords Set the enable secret password.
(config)#enable secret <password>
Set line terminal passwords.
(config)#line <terminal> <number>
(config-line)#password <password>
(config-line)#login
Line Timeout On the VTY lines, set an idle timeout.
(config-line)#exec-timeout <min>
Save the configuration changes (this is an exec-mode command, not a config-mode one).
#copy running-config startup-config
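The individual hardening commands from the posts on resilient configuration, login blocking, SSH and basic line security above, combined into one baseline as an added example (not a configuration from any of those posts). Hostname R1, domain local.net, the management subnet 10.0.0.0/24 and the account name are assumptions; passwords are placeholders.

```text
! Added example: baseline management-plane hardening for Cisco IOS.
! Assumed: hostname R1, domain local.net, management subnet 10.0.0.0/24.
hostname R1
ip domain-name local.net
!
! Resilient configuration: the running image and a copy of the running-config are
! hidden from erase/delete/format and can only be disabled from a console session
secure boot-image
secure boot-config
!
! enable secret stores a hash; service password-encryption only obfuscates line
! passwords (reversible type 7), so accounts use "secret" rather than "password"
enable secret <strong-enable-password>
service password-encryption
username admin privilege 15 secret <strong-admin-password>
!
! Brute-force throttling: after 3 failures within 60 s, block logins for 120 s,
! while hosts in MGMT_HOSTS can still connect during the quiet period
ip access-list standard MGMT_HOSTS
 permit 10.0.0.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT_HOSTS
login delay 2
login on-failure log
login on-success log
!
! SSH version 2 only, with a 2048-bit key (768 is the minimum but is far too weak)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 30
!
banner motd ^Authorized use only. Activity is monitored and logged.^
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 15
 access-class MGMT_HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
!
! Verification: show secure bootset / show login / show ip ssh
```

The order matters in one respect: generate the RSA key and confirm SSH works before setting transport input ssh on the vty lines, otherwise you lock yourself out of remote access until you reach the console.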
A DTE (Data Terminal Equipment) cable is the normal cable you should use. Being DTE, you should expect the other end to provide clocking. A DCE (Data Communications Equipment) cable means that this device must provide the clocking on the wire. If your device is the DCE, you must provide clocking using the clock rate command.
Use the following commands to define which inside addresses are translated and to overload them (PAT) onto the outside interface; the interfaces themselves must already be marked as NAT inside and outside.
(config)#access-list 1 permit 10.10.0.0 0.0.0.255
(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
Show/Debug Commands
show ip nat translations
debug ip nat
no debug all
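The interface roles, the overload rule above and the static port forward from the earlier NAT post, brought together as an added example that is not from either post. Outside 203.0.113.1/24 on GigabitEthernet0/0, inside 10.8.8.0/24 on GigabitEthernet0/1 and the ACL name are assumptions; the forwarded host 10.8.8.8 and ports 23/2333 follow the earlier post.

```text
! Added example: interface roles, PAT overload and a static port forward on Cisco IOS.
! Assumed addressing: outside 203.0.113.1/24 on Gi0/0, inside 10.8.8.0/24 on Gi0/1.
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside
 ip address 10.8.8.1 255.255.255.0
 ip nat inside
!
! Only the inside subnet is eligible for translation; never "permit any" here
ip access-list standard INSIDE_NETS
 permit 10.8.8.0 0.0.0.255
!
! Many inside hosts share the outside interface address (PAT / overload)
ip nat inside source list INSIDE_NETS interface GigabitEthernet0/0 overload
!
! Static port forward: <outside address>:2333 -> 10.8.8.8:23
ip nat inside source static tcp 10.8.8.8 23 interface GigabitEthernet0/0 2333
!
! Verification / troubleshooting
!   show ip nat translations
!   show ip nat statistics
!   debug ip nat          (stop with: no debug all)
```

The forward exposes a cleartext telnet service to whatever can reach the outside interface, mirroring the earlier post; in practice forward SSH instead and pair the static entry with an inbound ACL on Gi0/0 that limits port 2333 to known source addresses.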
Below shows you a basic access-list configuration.
R3>enable
R3#configure terminal
R3(config)#access-list 56 permit 192.12.10.3
R3(config)#access-list 56 deny 192.12.10.0 0.0.0.255
R3(config)#access-list 56 permit any
R3(config)#interface serial 0
R3(config-if)#ip access-group 56 in
R3(config-if)#exit
R3(config)#exit
You will need to first install the flash module into the device. Then run the following commands via the console port (rommon) to check your system's resources for the install.
rommon 1 > dev
rommon 2 > meminfo
Then to copy it from your tftp server…
rommon 3 > IP_ADDRESS=192.168.4.1
rommon 4 > IP_SUBNET_MASK=255.255.255.0
rommon 5 … Read more