My Cisco Lab
I decided to get my own Cisco equipment to practice with after receiving a switch (thanks to Jon Nistor at TorIX). It would help me become more proficient in what I love to do, that is, networking. So far, for my own Cisco lab, I have three devices to work with: a 3524 switch, a 2501 router, and a 2503 router. I’m still looking to get more equipment, ideally something that runs IOS 12.4 and has the SDM (Security Device Manager) as well, though that is not really necessary.
Also, I found out a couple of days ago that there’s a really good resource website which provides free access to Cisco equipment for training purposes. The site is PacketLife.net. Lab equipment and other costs are provided or sponsored by the site’s owner, commercial sponsors, and voluntary contributions from community members. I know of a few sites that let you use their equipment for a fee, so hearing about this site was fantastic. Members can schedule one session at a time on one of the three blocks of equipment they have.
I’ll be using that site as well from time to time when I need to work with more equipment than what I have.
Tour of the TorIX
I had a chance to have a tour of the Toronto Internet Exchange, also known as the TorIX, at 151 Front Street West thanks to Board Director and current TorIX President Jon Nistor last Friday, January 20th, 2012. Interestingly, Jon started his involvement with the TorIX when he was working way back with Primus Canada about ten years ago, which is where I am currently working.
Now, what is the TorIX exactly?
The TorIX is an entity designed to act as a junction between multiple points of Internet presence. Here, members are able to directly connect with one another in order to exchange local Internet traffic. [TorIX]
It was first started within the RACO facility about twelve years ago in 1999. After a few years, it moved into Switch and Data, and currently it is within Equinix. The TorIX, using a three-switch design, is located in three areas at 151 Front: two are in the Equinix colocation and one is in the Cologix colocation. The two (of the 7 or 8) Equinix areas being used are on the 7th floor, and Cologix is on the 6th floor, where the core equipment and the main TorIX switch, a Cisco Nexus 7000, are located.
Some TorIX members have their own colocation facility within 151 Front, others colocate in the Equinix facility within 151 Front, and others are located outside of 151 Front. The bigger Equinix room on the 7th floor has about 8 to 9 peers. In the smaller Equinix room, you will find the PRI switch and some other peers. Teleglobe, which acts as a carrier for some peers from, for example, the Netherlands or Italy, and another carrier, Level 3 (which acquired Global Crossing), also colocate in that room. Some of those that colocate in the Equinix facility do not necessarily have their actual servers in the location; only their transport equipment and multiplexers are there, as with Google, for example, which has its own data centre somewhere else. CBC and Toronto Hydro are examples of peers that are located outside 151 Front.
Peering at the TorIX would be cheaper than having to peer directly with each of the ISPs or hosting companies. The cost involved in peering at the TorIX only includes the cost incurred with a peering member’s telco provider, and the last mile connection between the member’s facility and the switch (install + yearly fee). This could be $1,200/year for some smaller company peers, or be something like $60,000/year for peers that want more bandwidth or faster speed. This would be tons cheaper as you would have the opportunity to get connected with many peers through this Internet Exchange.
TorIX members can choose whomever they want to peer with, and configure their own equipment to establish the peering sessions. On the other hand, there are also some others that just use the routeservers if they want to get all routes without individually setting up peering with the TorIX members. This wouldn’t really be all routes, but more like 80% of the routes.
For ten years, the TorIX had been using donated equipment, but now all the equipment is purchased with support contracts, just in case anything doesn’t work as it should or needs replacement parts. Speaking of which, thanks go out to Jon for giving me a Cisco Catalyst 3524 switch from the spare stock pile, which led me to decide to get my own equipment for my home lab to practice with. I really need to get going in pursuing my Cisco certifications.
The TorIX currently has seven board directors and three operations people, who all help run the TorIX in a volunteer capacity. Volunteering with TorIX would be great, in my opinion, so I would want to help out in some way, as it would be a good learning experience as well. They have monthly meetings, take part in conferences, have projects from time to time (like the current NTP server project with CIRA), and others.
Adding a Switch Port Interface to a VLAN
In an Internet data centre, clients can set up a colocation where they run their servers with Internet access. In my job, what I do is configure the Cisco Catalyst 3750 switch for new colocation clients. It is pretty simple: I check for a free port, assign it to the client, and put it in the client’s VLAN.
Here’s a configuration sample of how it would go:
colo.switch#show run int fa 1/0/11
Building configuration...

Current configuration : 36 bytes
!
interface FastEthernet1/0/11
end

colo.switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
colo.switch(config)#int fa 1/0/11
colo.switch(config-if)#desc ClientNum - ClientName - VLAN 311
colo.switch(config-if)#switchport access vlan 311
% Access VLAN does not exist. Creating vlan 311
colo.switch(config-if)#storm-control broadcast level pps 10k 9k
colo.switch(config-if)#storm-control multicast level pps 10k 9k
colo.switch(config-if)#storm-control unicast level pps 10k 9k
colo.switch(config-if)#switchport mode access
colo.switch(config-if)#end
colo.switch#show run int fa 1/0/11
Building configuration...

Current configuration : 298 bytes
!
interface FastEthernet1/0/11
 description ClientNum - ClientName - VLAN 311
 switchport access vlan 311
 switchport mode access
 storm-control broadcast level pps 10k 9k
 storm-control multicast level pps 10k 9k
 storm-control unicast level pps 10k 9k
end

colo.switch#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Before configuring a switch port, confirm that nothing is already configured on it that you would overwrite by mistake, such as another client’s VLAN assignment. That is why the first show run int fa 1/0/xx matters: it displays the port’s existing running configuration, and an empty stanza (just the interface line and end) means the port is free. Note also the message % Access VLAN does not exist. Creating vlan 311: the switch creates the VLAN in its VLAN database as a side effect, so check with show vlan id 311 that the VLAN you ended up in is the one the client was allocated.
When you are done and have verified the configuration (the second show run int), save it to NVRAM with copy run start; otherwise the change is lost at the next reload.
This post only shows a sample of assigning a switch port to a VLAN. Of course, this is not all that needs to be done for the client, as they would not yet have access to and from the Internet. The next step would be assigning them IP addresses and configuring the routes. More on that in another post.
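As an added example, not from the original post, here is the same port assignment with the checks and hardening a colocation operator would usually want around it. The interface, the client identifiers and the MAC-address limit are placeholders; the vlan name, switchport nonegotiate, spanning-tree portfast/bpduguard, port-security, storm-control action and no cdp enable lines go beyond what the post configured and are standard Catalyst 3750 IOS commands. The added lines protect the switch from the client device, which in a colocation is not under your control.

```text
! 1. Find a free port: notconnect ports with no description are candidates,
!    but still confirm the stanza is empty before touching it.
colo.switch#show interfaces status | include notconnect
colo.switch#show run int fa 1/0/11

! 2. Create and name the VLAN explicitly instead of relying on the
!    "% Access VLAN does not exist. Creating vlan 311" side effect.
colo.switch#conf t
colo.switch(config)#vlan 311
colo.switch(config-vlan)#name ClientNum-ClientName
colo.switch(config-vlan)#exit

! 3. Configure the access port (placeholder client values).
colo.switch(config)#int fa 1/0/11
colo.switch(config-if)#desc ClientNum - ClientName - VLAN 311
colo.switch(config-if)#switchport mode access
colo.switch(config-if)#switchport access vlan 311
! Added: never negotiate a trunk with the client device (DTP off).
colo.switch(config-if)#switchport nonegotiate
! Added: edge port; err-disable it if the client ever sends BPDUs,
! so the client cannot influence the switch's spanning tree.
colo.switch(config-if)#spanning-tree portfast
colo.switch(config-if)#spanning-tree bpduguard enable
! Added: limit learned MACs (size to the client's gear); "restrict"
! drops excess and logs rather than err-disabling the port.
colo.switch(config-if)#switchport port-security maximum 5
colo.switch(config-if)#switchport port-security violation restrict
colo.switch(config-if)#switchport port-security
! Rate limits from the post, plus a trap/syslog when suppression kicks in.
colo.switch(config-if)#storm-control broadcast level pps 10k 9k
colo.switch(config-if)#storm-control multicast level pps 10k 9k
colo.switch(config-if)#storm-control unicast level pps 10k 9k
colo.switch(config-if)#storm-control action trap
! Added: don't advertise switch model, IOS version and port to the client.
colo.switch(config-if)#no cdp enable
colo.switch(config-if)#end

! 4. Verify, then save.
colo.switch#show interfaces fa 1/0/11 switchport
colo.switch#show vlan id 311
colo.switch#show port-security interface fa 1/0/11
colo.switch#show storm-control fa 1/0/11
colo.switch#copy run start
```

If a client legitimately needs a trunk or more MAC addresses, raise the port-security maximum or change the port type deliberately rather than leaving negotiation on; the point of nonegotiate and bpduguard is that a device plugged into an access port cannot turn it into a trunk or become the spanning-tree root.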
Cisco PIX Firewall Basics
Firewalls are essential components of an effective information security infrastructure. At its most basic level, a firewall is hardware or software that filters traffic between your network and the Internet. The firewall (hardware) I am most familiar with is the Cisco PIX (Private Internet eXchange) Firewall. It was one of the first products in the IP firewall and NAT appliance market segments.
PIX firewalls include the following security and network services features:
- Network Address Translation (NAT) or Port Address Translation (PAT)
- Content filtering
- URL filtering
- IPsec VPN
- DHCP client/server
- PPPoE support
- Advanced security services for multimedia applications including Voice over IP (VoIP), H.323, SIP, Skinny
The firewall can be managed through its integrated web-based PIX Device Manager (PDM) or through the command-line interface (CLI), which is reached over the console port, Telnet or SSH; SNMP and syslog provide monitoring rather than management.
Here are 10 steps to ensure your PIX Firewall is as secure as it can be:
- Password protect it
- Know your access-lists
- Log denials and errors
- Use SSH in place of Telnet
- Understand the ASA (the Adaptive Security Algorithm, the PIX’s stateful inspection engine: by default traffic may flow from a higher security-level interface to a lower one, while the reverse is blocked unless a translation and an access-list permit it)
- Enable optional security
- Keep the PIX OS and PDM patched
- Back up your configuration
- Use secure encryption
- Know your network
Read more in detail here: Cisco PIX Firewall: Lock it down in 10 steps
Most PIX Firewall models optionally support multiple outside or perimeter networks (also known as demilitarized zones (DMZs)). Connections between the networks can be controlled by the PIX Firewall.
A demilitarized zone (DMZ), often referred to as a screened subnet, is the most common firewall topology for exposing services: it places Internet-facing hosts on their own network between the Internet and your internal network, so that a compromised public server does not sit on the same segment as your internal hosts. It will typically contain the following:
- Web server
- Mail server
- Application gateway
- E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)
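Here is an added configuration example, not from the original post or from Cisco’s documentation, that ties the ten lock-down steps above to the DMZ topology in this section. It is written in PIX 6.3 syntax, which is assumed for the classic PIX; the interface names, addresses (RFC 5737 and RFC 1918 example ranges), the web server, the database host, the syslog host and the management subnet are all placeholders.

```text
! Added example: PIX 6.3 three-interface DMZ. All addresses, hostnames
! and ports are placeholders, not from the post.
hostname pixfw
domain-name example.net

! Step 1: password protect. The enable password guards privileged mode;
! "passwd" is the login password, which SSH uses for the default "pix" user.
enable password <strong-enable-password>
passwd <strong-login-password>

! Step 5: understand the ASA. Security levels set the default behaviour:
! higher -> lower is allowed; lower -> higher is blocked unless a static
! translation plus an access-list permit it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! NAT/PAT: inside and DMZ hosts leave through the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 192.168.100.0 255.255.255.0 0 0

! Publish only the front-end web server. Its back-end database (10.0.0.20)
! stays on the inside network and is never translated to the outside.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 0 0

! Step 2: know your access-lists. Outside reaches the web server on 80/443
! only. Step 3: the final deny carries "log" so rejected attempts are logged.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! A compromised DMZ host must not pivot inside: allow the one database
! flow it needs (identity static so the inside host is reachable from the
! DMZ), deny everything else toward inside, and let it reach the Internet.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp host 192.168.100.10 host 10.0.0.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0 log
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! Step 3: ship denials and errors off-box to a syslog host on the inside.
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.50

! Step 4: SSH, never Telnet. Generate the RSA key, then permit SSH only
! from the inside management subnet; with no "telnet" statement at all,
! Telnet stays closed.
ca generate rsa key 1024
ca save all
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5

! PDM (HTTPS) restricted to the same management subnet.
http server enable
http 10.0.0.0 255.255.255.0 inside

! Step 6: optional security. Do not answer ICMP on the outside interface.
icmp deny any outside
```

The ca generate line is a privileged-mode command rather than configuration, and once the rest is in place the configuration is saved with write memory and backed up off-box (step 8) with write net to a TFTP server. The dmz_in list is the part most often forgotten: without it, the DMZ’s security level of 50 still blocks DMZ-to-inside traffic, but the identity static needed for the database flow would otherwise open the database host to the whole DMZ.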
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA) firewall, which inherited much of the PIX feature set, and in 2008 it announced the PIX end-of-sale. I actually just found out about the discontinuation of the PIX firewall as I was doing some research for this blog post. However, the PIX technology is still sold as a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 router series.
Photo Credit: fzurell
Cisco IOS 10 Basic Commands That Should Be Mastered
David Davis wrote in TechRepublic about the ten commands that a Cisco professional or network administrator should know when using the Cisco IOS in routers, switches, and firewalls. This is a good reminder for me, and I’m glad to know that I have embedded all of it in my brain already.
Below is the list he made plus my comments on what I think about each item.
1. The “?”
This is the most helpful command ever. There are thousands of possible commands in the Cisco IOS and this is definitely useful when you don’t know or can’t remember the command to type, or the parameter that should come next.
2. show running-configuration (sh run)
If you want to check the current configuration of the router, switch, or firewall, this is what is used.
3. copy running-configuration startup-configuration (copy run start)
This command saves the current configuration, which lives in RAM, to the nonvolatile RAM (NVRAM) as the startup configuration. The same copy command can also send it to a TFTP server (copy running-config tftp:) for an off-box backup. If you reload or power off the router without saving, every unsaved configuration change is lost.
4. show interface (sh int)
For troubleshooting, this shows the status of the router’s interfaces: interface and line protocol state, MAC address, bandwidth, and the input/output error counters.
5. show ip interface (sh ip int)
This displays a great deal of information about the configuration and status of IP and its services on every interface (addresses, applied access-lists, and so on). Alternatively, add brief at the end of the command (sh ip int brief) for a one-line-per-interface summary of address and up/down status.
6. config terminal, enable, interface, and router (conf t, en, int, router)
These are used to enter different modes in configuring the router.
7. no shutdown (no shut)
This enables an interface. Bouncing an interface (shut, then no shut) is also a common troubleshooting step.
8. show ip route (sh ip ro)
To check the routing table, use this command.
9. show version (sh ver)
This displays the configuration register, the uptime and the reason for the last reload, the IOS version, the name of the IOS image file, the router model, and the amounts of RAM and flash.
10. debug
This is helpful in troubleshooting. The debug command is used with other keywords, for example debug ip routing to watch routing-table changes. Debug output is generated by the router’s CPU, so on a busy production router enable only the narrowest debug you need and turn it off with undebug all when you are done.
Alright. That should be pretty simple to remember. Commands, stay in my brain please, thank you.
Photo Credit: dontthink.feel