Monday, April 21, 2008

Virtual Private Networks Troubleshooting - Part I

I've seen quite a number of posts asking why VPN users are not able to access their network even though they have been successfully connected.

Let's try to troubleshoot what happens here. A very common VPN setup is to use 2 NICs and run Routing and Remote Access on one of them. The benefit of this is that you can isolate VPN traffic and keep it from overloading the NIC that handles the internal network traffic. One thing to note is that the two NICs have to be assigned IPs from different networks or subnets. For example:

1st NIC (VPN): 192.168.1.2 /24
2nd NIC(internal network): 192.168.2.2 /24

(Don't worry if you don't understand the /24. It's called slash notation for the subnet mask and is equivalent to 255.255.255.0.)

Through the initial RRAS setup, users will be able to connect to the VPN just fine and will be assigned an IP address from one of the two networks. The problem arises when they try to reach network resources through the 2nd NIC (the other network). This is because Windows doesn't know how to route the packets from the 192.168.1.0 network to the 192.168.2.0 network.

You can tell Windows how to route traffic between the two NICs by configuring a static route with the "Route" command. Type "Route /?" at the Command Prompt for more information.
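Before reaching for the route command, it is worth confirming that the two NICs really are on different subnets, because an overlap between them is the misconfiguration the setup above warns about. The following Python check is an added example, not part of the original post; the interface labels and addresses are taken from the two-NIC layout above, and the helper names (prefix_to_mask, overlapping_nics, which_nic_reaches) are mine.

```python
"""Check that the NICs on a multi-homed Windows RRAS server sit on distinct subnets.

Added example; the interface labels and addresses are constructed from the post.
"""
import ipaddress
from itertools import combinations


def prefix_to_mask(prefix_len):
    """Expand slash notation to a dotted-decimal mask, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def overlapping_nics(nics):
    """Return the pairs of NICs whose subnets overlap.

    nics maps an interface label to its address in CIDR form. Two NICs on the
    same host whose subnets overlap (or nest) leave Windows with ambiguous
    connected routes, so each pair reported here needs re-addressing.
    """
    networks = {label: ipaddress.IPv4Interface(cidr).network for label, cidr in nics.items()}
    return [
        (a, b) for a, b in combinations(networks, 2) if networks[a].overlaps(networks[b])
    ]


def which_nic_reaches(nics, destination):
    """Name the NIC whose connected subnet contains destination, or None if a route is needed."""
    dest = ipaddress.IPv4Address(destination)
    for label, cidr in nics.items():
        if dest in ipaddress.IPv4Interface(cidr).network:
            return label
    return None


# Constructed sample: the two-NIC layout described in the post.
SERVER_NICS = {
    "VPN": "192.168.1.2/24",
    "internal": "192.168.2.2/24",
}

if __name__ == "__main__":
    print("/24 ->", prefix_to_mask(24))
    print("overlapping NICs:", overlapping_nics(SERVER_NICS) or "none")
    print("192.168.2.50 is reached via", which_nic_reaches(SERVER_NICS, "192.168.2.50"))
    print("10.0.0.5 is reached via", which_nic_reaches(SERVER_NICS, "10.0.0.5"))
```

A destination for which which_nic_reaches returns None is one Windows cannot deliver directly; that is exactly where a static route (or a routing protocol, as described below) has to tell it where to send the traffic.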

And as usual, I have a second way to accomplish the job: turn on routing using RIP or OSPF and add the two NICs to it.

One thing that I see lacking in most Windows administrators is an understanding of TCP/IP and network routing. I would recommend that Windows administrators take the CCNA anytime. Even though it might seem remote from their daily tasks, one can walk away from a CCNA class with a great deal of helpful information that makes the job much easier.

Monday, March 17, 2008

Switch Port Security

If you are working in a strict security environment, then switch port security is a must. Configuring switch port security can become a tedious task. However, if you can control the environment when you set up the network, this little trick can save you a lot of work.

Instead of configuring port security and manually entering the MAC address for each port, you can plug all your hosts in and then issue the following commands:

Switch(config)#int range f0/1-xx
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation restrict
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#end

The first command takes you to interface range configuration mode; the next two turn on port security and set the maximum number of MAC addresses per port to 1. "violation restrict" drops traffic from any host whose MAC address differs from the one the switch has learned for the port in question. After that, "mac-address sticky" instructs the switch to learn the MAC address dynamically and remember it for each port. The sticky addresses are written into the running configuration, so save it once all hosts have been learned or they will be lost on the next reload.

Sunday, March 2, 2008

Basic Load Balancing

Load Balancing normally has two modes of operation: Per-Destination and Per-Packet.

Per-destination load balancing means the router distributes packets based on the destination address. If you have two paths to Host A and Host B on the same network, all packets for Host A travel over the first path and all packets for Host B over the second. This preserves packet order, which matters for certain applications; however, it can result in unequal usage of the links, since bandwidth and load are not taken into account in the route calculation.

Per-packet load balancing means the router sends one packet over the first path and the next packet over the second path, even when they are all going to the same destination. Per-packet load balancing guarantees equal load across all the links; however, packets may arrive at the destination out of order because different paths may have different delay or bandwidth.
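The trade-off between the two modes is easiest to see on a toy model. The Python below is an added example, not from the original post: it pushes a constructed burst of packets for two hosts over two paths with different one-way delays, once with a per-destination chooser (a stand-in for the router's destination hash, here the last octet modulo the path count) and once with a round-robin per-packet chooser, then reports how many packets each link carried and how many arrived out of order within their flow. The host addresses, delays and function names are all constructed for the example.

```python
"""Toy model of per-destination vs per-packet load balancing over two paths.

Added example; traffic, path delays and the hash are constructed, not captured.
"""
from collections import Counter

# Constructed sample traffic: two flows, six packets each, sent back to back.
# Each entry is (destination, sequence number); the list index is the send time.
HOST_A = "10.0.0.1"
HOST_C = "10.0.0.3"
PACKETS = [(HOST_A, seq) for seq in range(6)] + [(HOST_C, seq) for seq in range(6)]

# Constructed one-way delays per path (arbitrary time units): path 1 is slower.
PATH_DELAY = {0: 1, 1: 5}


def per_destination(packets, n_paths):
    """Choose the path from the destination address only (stand-in for the router's hash)."""
    return [int(dst.rsplit(".", 1)[1]) % n_paths for dst, _ in packets]


def per_packet(packets, n_paths):
    """Round-robin: packet i leaves on path i mod n_paths regardless of destination."""
    return [i % n_paths for i in range(len(packets))]


def link_load(paths):
    """Number of packets carried by each path."""
    return dict(Counter(paths))


def arrival_order(packets, paths, delay):
    """Packets sorted by arrival time, given a fixed delay per path."""
    timed = [
        (send_time + delay[path], pkt)
        for send_time, (pkt, path) in enumerate(zip(packets, paths))
    ]
    return [pkt for _, pkt in sorted(timed)]


def count_reordered(arrivals):
    """Count packets that arrive after a higher-numbered packet of the same flow."""
    highest_seen = {}
    reordered = 0
    for dst, seq in arrivals:
        if seq < highest_seen.get(dst, -1):
            reordered += 1
        highest_seen[dst] = max(highest_seen.get(dst, -1), seq)
    return reordered


def compare(packets=PACKETS, delay=PATH_DELAY):
    """Run both schemes and return per-path load and out-of-order count for each."""
    n_paths = len(delay)
    results = {}
    for name, chooser in (("per-destination", per_destination), ("per-packet", per_packet)):
        paths = chooser(packets, n_paths)
        results[name] = {
            "load": link_load(paths),
            "reordered": count_reordered(arrival_order(packets, paths, delay)),
        }
    return results


if __name__ == "__main__":
    for mode, stats in compare().items():
        print(f"{mode:16s} load per path={stats['load']}  out-of-order packets={stats['reordered']}")
```

With these inputs both hosts hash to the same path, so per-destination puts all twelve packets on one link yet delivers every flow in order, while per-packet splits the load exactly in half and, because the slow path lags the fast one, delivers some packets of each flow behind later ones.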

Per-packet load balancing (process switching, where the CPU handles every packet) is enabled by turning off the route cache on the interface:

Router# config t
Router(config)# interface Ethernet 0
Router(config-if)# no ip route-cache

Now the router CPU will look at every single packet and spread them across the different paths available in the routing table for the destination. This is not recommended on low-end routers, as it could crash the router: the CPU must do all the processing and might not be able to handle it. To switch back to fast switching, which balances per destination, use the following commands:

Router# config t
Router(config)# interface Ethernet 0
Router(config-if)# ip route-cache


Newer switching schemes such as Cisco Express Forwarding (CEF) let you do per-packet and per-destination load balancing more quickly, but extra resources are needed to maintain them.

Thursday, February 28, 2008

Reload

When working remotely with routers and switches, you don't have the flexibility to reset the devices at will when things go wrong, unless you can control power distribution to them.

This is where the Reload command comes in handy. Before making changes to the configuration, you can enter:

reload in 10

which will reload the device in 10 minutes. Once the command is entered, you can proceed with the configuration changes. If things go wrong and you lose connectivity to the device, try again in about 10 minutes, since the device will reload with the original startup configuration (as long as you have not saved the running configuration) and restore connectivity.

Once you confirm that your new configuration is working properly, you can issue the command:

reload cancel

to cancel the reload. I find this trick very useful when I have to telnet or SSH into a remote device, and hopefully you will too.

Monday, February 25, 2008

Add Redundancy With Backup Command

You can add redundancy to your network and make it more resilient with the backup command. This command specifies an interface that will act as a backup in case the primary interface fails.

Let's take a look at the following configurations:

On RouterA:

configure terminal
interface f0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface f0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 ! f0/0 stays in standby and takes over if f0/1 goes down
 backup interface f0/0
exit
router eigrp 20
 network 192.168.1.0
 network 192.168.2.0

On RouterB:

configure terminal
interface f0/0
 ! backup link, on the same subnet as RouterA's f0/0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
interface f0/1
 ip address 192.168.2.2 255.255.255.0
 no shutdown
 ! f0/0 stays in standby and takes over if f0/1 goes down
 backup interface f0/0
interface loopback 0
 ! test target for the ping below
 ip address 192.168.8.1 255.255.255.0
exit
router eigrp 20
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.8.0

With these configurations loaded, both Fa0/1 interfaces will come up (up/up) while both Fa0/0 interfaces go into standby mode and monitor Fa0/1. In the event that Fa0/1 goes down, Fa0/0 switches to active mode, establishes a neighbor relationship with the connected interface and completes the failover.

To verify this, from RouterA you can ping 192.168.8.1 with the repeat parameter:

ping 192.168.8.1 repeat 10000

This command pings 192.168.8.1 10,000 times. While it's pinging, unplug the cable to Fa0/1. You will see the link go down and the ping fail; then, within seconds, Fa0/0 will come up, take over the active role, and the pings will resume as if nothing had happened. If the link on Fa0/1 becomes active again, Fa0/0 switches back to standby mode.

This is a quick and easy way to add redundancy to your network. There are other techniques you can use, covering both layer 2 and layer 3 redundancy, which I will discuss at another opportunity.

Friday, February 22, 2008

Keyboard Shortcuts

If you use the CLI to manage your Cisco routers and switches, then you should get familiar with the keyboard shortcuts, as they can save you a lot of time and typing.

Here's the shortcut list:

  • Ctrl+B: Moves back one character at a time
  • Esc+B: Moves back one word at a time
  • Ctrl+A: Moves to the start of a line
  • Ctrl+F: Moves forward one character at a time
  • Esc+F: Moves forward one word at a time
  • Ctrl+E: Moves to the end of a line
  • Delete: Erases the character to the left of the cursor
  • Backspace: Erases the character to the left of the cursor
  • Ctrl+D: Deletes the character at the cursor
  • Ctrl+K: Deletes all characters from the cursor to the end of the line
  • Ctrl+U: Deletes all characters from the cursor to the beginning of the line
  • Ctrl+X: Deletes all characters from the cursor to the beginning of the line
  • Ctrl+W: Deletes the word to the left of the cursor
  • Esc+D: Deletes from the cursor to the end of a word

If none of these shortcuts work, enhanced editing may be turned off. You can turn it on by issuing the following command at the privileged prompt:

Router# terminal editing

Wednesday, February 13, 2008

Stop Logging Messages From Interrupting Your Work

One of the things that I find really annoying with Cisco devices is that when I am configuring a router or a switch, the console messages keep popping up all over the place and interfere with my work. Although this doesn't cause typos, it is really difficult to see what you have typed. Luckily, we can control the logging message behavior.

To disable console logging entirely, use:
Router(config)# no logging console

Or, if you prefer to still see what's going on with the router/switch, use the "logging synchronous" command so that messages are redrawn below the line you are typing:
Router(config)# line console 0
Router(config-line)# logging synchronous
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# logging synchronous

It would be nice if these were set as default options when IOS is built, but that's not the case, so until it changes you will have to either put up with it or do a little extra work to change the default behavior.

Monday, January 28, 2008

Configure DHCP on a Cisco Router or Switch

When it comes to configuring DHCP, you have a number of ways to do it. You can run DHCP service on a Windows or a Linux box or as most networking professionals prefer, run it on an existing router or a switch.

The advantage of this is that you can leverage existing hardware, provide DHCP locally at each site and reduce the dependency on the WAN link.

To configure DHCP on a Cisco router or switch, follow these steps:

1. Configure an IP address on the router's Ethernet port

Router(config)# interface e0/0
Router(config-if)#ip address 172.16.1.1 255.255.255.0
Router(config-if)# no shut

2. Create a DHCP IP address pool for the IP addresses you want to use.

Router(config)# ip dhcp pool dhcppoolname

3. Specify the network and subnet for the addresses you want to use from the pool.

Router(dhcp-config)# network 172.16.1.0 255.255.255.0

4. Specify the DNS domain name for the clients.

Router(dhcp-config)#domain-name yourdomain.com

5. Specify the DNS server.

Router(dhcp-config)#dns-server 172.16.1.2

6. Specify the default router (or default gateway).

Router(dhcp-config)#default-router 172.16.1.1

7. Specify the lease duration.

Router(dhcp-config)#lease 7

8. Let's say you've decided that all IP addresses between .30 and .40 will be used for static IP devices such as mail servers and database servers, and you don't want them to be available in the DHCP pool. You can exclude them with the "ip dhcp excluded-address" command:

Router(config)#ip dhcp excluded-address 172.16.1.30 172.16.1.40

Now any device that requires a DHCP address on the 172.16.1.0 network will be able to send a DHCP request and receive a lease from 172.16.1.1.
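A quick way to catch mistakes in a pool like the one above is to work out, before committing it, how many addresses it can actually lease and whether the statically assigned infrastructure addresses have really been kept out of it. The Python below is an added example and not part of the original post; it takes the same values as the steps above (network 172.16.1.0 255.255.255.0, excluded-address 172.16.1.30 172.16.1.40, default-router 172.16.1.1, dns-server 172.16.1.2) as constructed input, and pool_summary is my own helper name.

```python
"""Sanity-check an IOS-style DHCP pool before committing it.

Added example; the pool values are constructed to match the steps in the post.
"""
import ipaddress


def pool_summary(network, mask, excluded_ranges, default_router, dns_servers):
    """Return the leasable range after exclusions plus any configuration warnings.

    network/mask      the 'network' statement of the pool (dotted-decimal mask)
    excluded_ranges   list of (low, high) pairs from 'ip dhcp excluded-address'
    default_router    the 'default-router' address
    dns_servers       list of 'dns-server' addresses
    """
    net = ipaddress.IPv4Network(f"{network}/{mask}")
    warnings = []
    excluded = set()

    for low, high in excluded_ranges:
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if hi < lo:
            warnings.append(f"excluded-address {low} {high}: range is reversed")
            continue
        if lo not in net or hi not in net:
            warnings.append(f"excluded-address {low} {high}: not inside {net}")
        # Expand the range; fine for the pool sizes a branch router hands out.
        excluded.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))

    gateway = ipaddress.IPv4Address(default_router)
    if gateway not in net:
        warnings.append(f"default-router {default_router}: not inside {net}; clients cannot reach it")

    # Static infrastructure addresses that sit inside the pool should be excluded,
    # otherwise the server may hand one of them to a client.
    static = [("default-router", gateway)]
    static += [("dns-server", ipaddress.IPv4Address(d)) for d in dns_servers]
    for role, addr in static:
        if addr in net and addr not in excluded:
            warnings.append(f"{role} {addr}: inside the pool but not excluded; it may be leased to a client")

    leasable = [h for h in net.hosts() if h not in excluded]
    return {
        "network": str(net),
        "leasable": len(leasable),
        "first": str(leasable[0]) if leasable else None,
        "last": str(leasable[-1]) if leasable else None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    summary = pool_summary(
        "172.16.1.0", "255.255.255.0",
        [("172.16.1.30", "172.16.1.40")],
        "172.16.1.1", ["172.16.1.2"],
    )
    print(f"{summary['network']}: {summary['leasable']} leasable addresses "
          f"({summary['first']} - {summary['last']})")
    for w in summary["warnings"]:
        print("warning:", w)
```

Run against the pool from the steps above, the check reports 243 leasable addresses and two warnings: the router's own address and the DNS server are both inside the pool but not covered by the excluded range. Adding a second excluded-address line for 172.16.1.1 through 172.16.1.2 clears both warnings.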