Check out my new YouTube Channel!
Enjoy!
https://www.youtube.com/watch?v=rArpte4x6iI
Phantom Protocol
Harnessing the Power of Technology in Making our Lives Easier and Better!
Tuesday, September 12, 2017
Saturday, October 26, 2013
Network Address Translation (NAT): Doing It on My Mini-Lab

Experimenting with NAT
The great thing about labs is that you can do anything you please, with caution and sobriety, of course. (I can even see myself on the monitor taking the picture.) I experimented with my Cisco 2611XM and an internet provider to test how to use Network Address Translation (NAT). I thought it would be difficult, but it turned out to be so easy.
I even tested whether my NAT was working, and indeed it is. (And I can see myself again in the monitor taking the picture, hahaha!) That is the benefit of taking some practice to really master the technology. And making this technology available to everybody is something that I really want to do.
Watch out for the next tutorial on this technology; I hope it will be helpful to you. I'll see you next time.
Melvin Arceo, ECE, CCNA
Thursday, October 24, 2013
How to Implement Basic Cisco Switch Port Security: Part 1
Basic Cisco Switch Port Security: Part 1
In a world where hackers and crackers are more aggressive than ever before, securing your network infrastructure is a necessity. Security measures like restricting physical access to your network are very valuable.
Port-security is one of the basic security features implemented on a switch, particularly on Cisco switches. Though basic, it is far better than having no security at all. It is especially necessary in places where interface ports are within reach and people can simply plug in their devices and go on with their own business.
There are also instances where employees bring their own hubs, replace their host with the hub, connect even more hosts, and unwittingly damage the network and stop the whole production. Port-security is a front-line measure for preventing unknown hosts from connecting to your network, so knowing this measure is very useful.
In this tutorial, I will demonstrate how port-security is implemented in the simplest way possible, again using Cisco Packet Tracer. If you still don't know how to set up a basic network, please see my previous tutorial, "Basic Switched Network using Cisco Packet Tracer".
Here is the step-by-step tutorial of how it is implemented:
First, set up the network as seen in the illustration above: four hosts with a switch at the center. Also, supply the indicated IP addresses and subnet masks on the respective hosts. If you still don't know how to set up this network, see my previous tutorial entitled "Basic Switched Network using Cisco Packet Tracer". Click on the switch, and in the window that pops up, choose the "CLI" tab to see the interface shown above.
Next, get into the CLI of the switch and you will see the "Switch>" prompt. This prompt is called the user exec mode. Only limited commands and processes are available in this mode, so we need to move to another mode, the privilege exec mode. How do we do this?
1. To move to the privilege exec mode of the switch, simply enter the command "enable" in the user exec mode, then hit enter.
2. From the figure, after the "enable" command, you will notice the "Switch#" prompt appearing. This means you are in the privilege exec mode. To enter commands that configure and affect the whole switch, you need to go to the global configuration mode. To get there, enter the "configure terminal" command in the privilege exec mode, then hit enter.
3. Next, we need to go to the interface(s) of the switch. There are two ways to do this: we can go to the interfaces one by one or all together. To go to the interfaces one by one, for example fastethernet 0/1, enter this command in the global configuration mode: interface fastethernet 0/1. To go to the next interface, use the same command, but instead of 0/1 use 0/2, 0/3, 0/4 and so on. To get into these interfaces all together, use the command: interface range fastethernet 0/1 - 4
4. Notice that your prompt has changed to "Switch(config-if-range)#", which means you are now inside the fastethernet 0/1 - 0/4 interfaces. Next, use the command switchport mode access, which makes all the affected interfaces access ports. An access port is a port that is connected to hosts, not to another switch or router.
5. Next, we turn on port-security. How do we do that? Simply enter the command switchport port-security. This is like telling your switch to turn on its security measures.
6. After turning on port-security, you can tell the switch that its ports can have only one host per port by issuing the command switchport port-security maximum 1. Then, if two hosts are connected to one port, say through a hub, the switch will notice and take the necessary action.
7. You can also tell the switch to shut down the port or interface if someone violates the restriction of a maximum of one host per port. You can do this by issuing the command: switchport port-security violation shutdown. This will automatically shut the port down, and nobody can use that port again unless you, as the network administrator, bring it back up.
From PC0, you can test whether your network is working. Click PC0, go to Desktop and choose Command Prompt, and you will see the window shown above. By pinging the different hosts from PC0, you will see that your network is working properly.
8. Using the Command Prompt, ping the other hosts by issuing the command PC>ping 192.168.1.2 and also 192.168.1.3, 192.168.1.1. You will see that it is really working.
9. To confirm that the network is really working, look for the replies from these hosts, as seen in the figure.
Our job is done here, because we have already configured the port-security. Now is the time to experiment a little on this network to see whether our security measure is working. How do we do that?
10. First, we disconnect PC0 from the switch and connect the hub to interface Fa0/4 (Fastethernet 0/4) as shown in the figure.
11. To the hub, connect PC0 and another host, and name it PC4 (in the figure it is named PC5; that is a typo). This is now a clear violation of our security measure that only 1 host should be connected to a single port. It is time to test our security.
12. You may also see, from the switch's point of view, that the port is up and running and ready to use; it may not have seen the violation yet.
It is very obvious that we have a security violation, as shown in the figure. From PC4 we will ping another host, in this example 192.168.1.2.
13. Issue a ping command from PC4: "ping 192.168.1.2"
14. A reply from 192.168.1.2 is seen in the figure, meaning the switch has recognized this host as the 1 host on its port.
15. Now, let's try to use PC0 and ping any host by using ping 192.168.1.2, or any other host besides PC4.
16. And, as expected, "Request Time Out" is seen. This clearly shows that the switch has recognized that there are two hosts present on interface fa0/4 through a hub, which is a clear violation of the restriction. In this case we have successfully configured the port-security of the switch.
17. The figure clearly shows that the port is already down, as indicated by the red lights on the ports of the switch and the hub.
18. From the switch's perspective, you can also verify that this interface is down. From the privilege exec mode, enter the command: show ip interface brief, then press enter.
19. You will see the output for the different interfaces, all 24 of them. Our concern is Fastethernet 0/4, where the shutdown occurred. If you look at its status, it says "down". That is because of the violation made on the port.
Is there a way to put the down interface back up?
Yes, there is! And as a network administrator, you have the advantage that personnel will come up to you apologizing that they didn't know there was security on that port and that they are the ones who brought it down, so you don't have to find it yourself because they are already telling you.
The question is, how do you bring it back up?
20. From the privilege exec mode, go to the global configuration mode by issuing the command: configure terminal.
21. From the global configuration mode, go to the interface that was shut down, in this case fastethernet 0/4. Enter the command: interface fastethernet 0/4.
22. Because of the violation on fastethernet 0/4, this interface was shut down. What we are going to do is manually shut it down before we bring it back up. We do that by issuing the command: shutdown.
23. Then, on the same interface, bring the interface to its up state by issuing the command: no shutdown.
24. You will notice that interface fastethernet 0/4 is up and ready to be used again, as can be seen from a notification given by the switch.
25. The port fa0/4 in the topology has also changed its color from red to green, indicating that the port or interface is up.
But if the topology is not changed and the hub is still connected with two or more hosts, the switch will again recognize the violation, and the port will be shut down again and again until you change the topology.
I hope that this has been helpful for you, and I will see you next time!
Created by: Engr. Melvin Arceo, ECE, CCNA
Labels: CCNA, Cisco, packet tracer, port-security, tutorial
Wednesday, October 23, 2013
Basic Switched Networking Using Packet Tracer
Basic Switched Network
Using Cisco Packet Tracer is the most convenient way (I think) of showing you how to set up a basic switched network. Here, I will demonstrate how to use Cisco Packet Tracer and, at the same time, how to set up the topology and configure the network.
Step-by-step starts here:
To keep the explanation simple, we will use numbered steps, as pointed out by the numbers in the illustration. After opening Cisco Packet Tracer,
1. Click on the switch icon as indicated
2. The specific-component section will appear for different types of switches. In this case I chose the Cisco 2960 switch. Click on the 2960 switch.
3. After choosing the 2960 switch, click on the white space called the logical area to place the 2960 switch as shown in the figure.

After placing the switch at the center of the logical area, the next step will be:
4. Click on the End Device as shown in the figure.
5. Again, the specific-component section will appear and choose the Generic Host (PC-PT) by clicking.
6. After choosing the Generic Host, click on the logical space as shown in the illustration, to place the Generic Host.
7. Repeat the same process (step 5) and place it on the other side of the logical space. Now, we have the complete set of components for the network.
8. Click on the Connections as indicated in the figure.
9. The specific-component section will appear; click the straight-thru cable as indicated.
10. Click on PC1. You will see a selection of ports to which you can connect the straight-thru cable.
11. Select the Fastethernet0 as indicated in the illustration.
! - shows the change in the icon, indicating that the straight-thru cable is chosen

12. After choosing Fastethernet on PC1, drag the straight-thru line going to the 2960 switch, then click. Choose the appropriate interface, in this example the Fastethernet 0/1.
13. Repeat step 11 and this time with PC2.
14. Repeat step 12 and choose the appropriate interface of the switch. In our example, it's Fastethernet 0/2
Now, we have completed our topology. We are now ready to configure the two hosts for them to communicate.
15. Click on PC1 and a window will appear as shown.
16. Click on the Desktop tab.
17. As shown in the illustration, click on IP configuration.
19. The Subnet Mask of 255.255.255.0 as shown in the illustration.
20. Repeat step 15, click on PC2 and a window will pop-up to configure PC2.
21. On the window, click on Desktop.
22. Repeat step 17 and click on the IP configuration icon.
23. Again, for PC2, supply an IP address 192.168.1.2
24. And the Subnet Mask of 255.255.255.0
Now, it's time to check whether these two hosts, PC1 and PC2, can reach each other. One of the best ways to test this is to use the Command Prompt.
25. Click on the command prompt of PC2
26. Enter in the command line, PING 192.168.1.1
27. And sure enough, PC1 replied, as can be seen in the illustration, which indicates that these two hosts can communicate with each other.
These are just the basics of networking using a switch, and there is more to it. Taking the first steps will surely ignite your curiosity for a deeper knowledge of networking.
I hope this has been helpful for you! I will see you next time!
Created by: Engr. Melvin Arceo, ECE, CCNA
Labels: CCNA, Cisco, configuration, Network, Networking, packet tracer, setup, step-by-step, switch
Tuesday, October 22, 2013
TOP ECE Review Center: Giving out FREE Seminars for Students and Professionals

TOP ECE Review Center, a premier review center in the Philippines, is giving out FREE seminars for students and professionals who are interested in the field of networking. Virtual Private Networking, a very popular networking technology, and IPv6, an emerging technology, will be presented by top network engineers of the country from a top communications company, SMART Communications.
It's a free seminar, so register now!