Monday, 28 October 2013

How to configure "Saving VLAN" on Cisco 2960

Saving VLAN Configuration
The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If the VTP mode is transparent, they are also saved in the switch running configuration file. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file. To display the VLAN configuration, enter the show vlan privileged EXEC command.

When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:
If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information.
If the VTP mode is server, the domain name and VLAN configuration for the first 1005 VLANs use the VLAN database information.
Catalyst 2960 and 2960-S switches are Cisco's leading fixed-configuration Layer 2 edge access switches: the 2960 is a Fast Ethernet access switch, while most ports on the 2960-S are Gigabit Ethernet. The Catalyst 2960-S Series switches are stackable and support PoE+. 3Anetwork.com keeps most 2960 and 2960-S LAN Base switches in stock. Among the Cisco Catalyst 2960 switches, WS-C2960-24TT-L and WS-C2960-24TC-L are the best-selling models; among the Cisco Catalyst 2960S switches, WS-C2960S-24TS-L and WS-C2960S-48TS-L are the best-selling models. 3Anetwork.com offers the best Cisco 2960 and Cisco 2960S (2960-S) prices and ships worldwide.


Tuesday, 8 October 2013

Security configuration of Cisco routers

1. Change the default password!
According to surveys, 80% of security breaches were caused by weak passwords. The network has the most extensive lists of default router passwords; you can be sure that somewhere, someone knows your birthday. The SecurityStats.com website maintains a detailed list of usable and unusable passwords, together with a password strength test.
2. IP directed broadcast
Your router is very obedient: it does whatever it can, no matter who issued the instruction. The Smurf attack is a denial-of-service attack. In this attack, an attacker uses a spoofed source address to send an "ICMP echo" request to your network's broadcast address. Every host on the broadcast segment is required to respond, which at the very least degrades the performance of your network.
Consult your router's documentation for how to disable IP directed broadcasts. For example, the command "Central(config)# no ip source-route" disables IP source routing on a Cisco router, and "no ip directed-broadcast" in interface configuration mode disables the forwarding of directed broadcasts on that interface.
3. If possible, shut down the router's HTTP interface
As the Cisco technical note briefly explains, the authentication used by HTTP is equivalent to sending an unencrypted password across the entire network. Unfortunately, the HTTP protocol has no effective provision for authentication or for one-time passwords.
Although unencrypted passwords may be very convenient for configuring your router from a remote location (such as home), anything you can do, others can still do, especially if you are using the default password! If you must manage the router remotely, make sure you use SNMPv3 or a later version of the protocol, because it supports stricter password handling.
4. Block ICMP ping requests
The main purpose of ping is to identify hosts that are currently in use, so ping is usually used for reconnaissance before a larger coordinated attack. By removing the ability to respond to ping requests from remote users, you can easily avoid being noticed by the scanning activity of "script kiddies" looking for easy targets.
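The four hardening steps above, as an added Cisco IOS configuration example that is not from the original post; the hostname, interface name, SNMP group and user names, and all credential values are placeholders:

```text
! Added example, not from the original post. Hostname, interface and
! all credential values are placeholders.
!
! Item 1: replace the default password with a hashed enable secret and
! hide other plaintext passwords in the configuration.
Router(config)# enable secret <STRONG-ENABLE-PASSWORD>
Router(config)# service password-encryption
!
! Item 2: drop source-routed packets globally and stop forwarding
! directed broadcasts (Smurf amplification) on each interface.
Router(config)# no ip source-route
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no ip directed-broadcast
Router(config-if)# exit
!
! Item 3: shut down HTTP management; manage via SNMPv3 with
! authentication and privacy instead.
Router(config)# no ip http server
Router(config)# snmp-server group ADMINS v3 priv
Router(config)# snmp-server user admin ADMINS v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
!
! Item 4: drop inbound ICMP echo requests on the outside interface while
! leaving other ICMP (unreachables, TTL exceeded) working.
Router(config)# access-list 101 deny icmp any any echo
Router(config)# access-list 101 permit ip any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# end
Router# copy running-config startup-config
```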
5. Prevent IP source address spoofing
On Cisco routers, we can use the following two methods:
A. Implement IP source address spoofing filtering at the network boundary
One of the simplest and most effective ways to stop IP source address spoofing is to apply an inbound access list on the border router that limits packets entering from the downstream network to the allowed address range; packets with source addresses outside the allowed range are dropped. At the same time, to trace the attacker, you can log the dropped packets.
B. Use Unicast Reverse Path Forwarding
Using access control lists for IP restriction at the downstream entrance works because the filter is based on the downstream IP address range. At the upstream entrance, however, the range of incoming IP addresses is sometimes difficult to determine. Where the filter scope cannot be determined, a feasible method is Unicast Reverse Path Forwarding.
Unicast Reverse Path Forwarding is a feature provided by newer versions of Cisco IOS, abbreviated uRPF.
uRPF works as follows: when the router receives a packet on an interface, it looks up the CEF (Cisco Express Forwarding) table to verify that a route to the packet's source address exists through the receiving interface, that is, a reverse path lookup that verifies the packet's authenticity; if no such path exists, the packet is dropped.
Compared to access control lists, uRPF has many advantages: it uses less CPU, and it adapts to dynamic changes in the routing table (because the CEF table is updated along with the dynamic routing table), so it needs less maintenance and has less impact on router performance.
uRPF is configured per interface; the configuration commands are as follows:
Router(config)# ip cef
Router(config-if)# ip verify unicast reverse-path

Note: to use uRPF, CEF must be enabled globally, and uRPF is then enabled in interface configuration mode.
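Methods A and B above on one border router, as an added example that is not from the original post; the downstream prefix 192.0.2.0/24, the interface names and descriptions are constructed placeholders:

```text
! Added example, not from the original post. The prefix 192.0.2.0/24
! and the interface names are constructed placeholders.
!
! Method A: on the downstream-facing interface, accept only packets
! whose source lies in the downstream range and log everything else,
! so spoofed sources can be traced.
Router(config)# ip access-list extended ANTISPOOF-IN
Router(config-ext-nacl)# permit ip 192.0.2.0 0.0.0.255 any
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# description Downstream LAN
Router(config-if)# ip access-group ANTISPOOF-IN in
Router(config-if)# exit
!
! Method B: uRPF on the upstream interface, where the legitimate source
! range cannot be enumerated. CEF must be enabled globally first.
! A packet arriving here with a source address that the CEF table
! routes back through another interface (e.g. one of our own internal
! prefixes) fails the reverse-path check and is dropped.
Router(config)# ip cef
Router(config)# interface GigabitEthernet0/0
Router(config-if)# description Upstream ISP
Router(config-if)# ip verify unicast reverse-path
Router(config-if)# end
!
! Verify: the interface reports uRPF as enabled, and the RPF drop
! counter in the IP traffic statistics grows when spoofed packets arrive.
Router# show ip interface GigabitEthernet0/0
Router# show ip traffic | include RPF
```

Strict-mode uRPF as shown assumes symmetric routing on that interface; on multihomed links where return traffic may use a different interface, use loose mode (`ip verify unicast source reachable-via any`) instead so legitimate traffic is not dropped.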

Monday, 7 October 2013

Two useful tips for Cisco switches

While debugging and maintaining Cisco switches, there are always some problems we don't know how to solve; here is some problem-solving experience, shared with you.
1. Don't use a DNS server to resolve host names
What does this mean? When debugging a switch, we inevitably mistype a command, for example by adding or dropping a letter. You would expect the switch to report a command error, but a strange thing happens: instead of prompting a command error, the system tries to open a connection (as if the command had been executed), as shown below: 3550#beijing.
That is to say, the Cisco switch treats the incorrect command as a host name and tries to resolve it by querying a DNS server. If a DNS server is configured on the switch, this goes faster; if there is no DNS server, the process can only be called slow. How to avoid this situation? Type the following commands: 3550#conf t, then no ip domain-lookup. Once that command is executed, a mistyped command no longer leaves you waiting for a long time while the Cisco switch tries to connect.
2. Know whether a switch port is up or down
As a network administrator, when we connect a new service to the switch, the first thing to do is find a free port on the Cisco switch, make the configuration the service needs on it, and finally connect the cable. But the switch may have many cables already.
It is hard to identify a free port accurately with the naked eye (if you get it wrong, you can cause a network failure), so we log on to the switch and check with the corresponding command, which is as follows: 3550#show interfaces. The switch then displays detailed information for each port, including whether the port is up or down, but this way is still too slow.
Some experience in using Cisco switches has been shared with you here; hopefully it helps you solve problems when using Cisco switches.
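Both tips above in one constructed console session, added here as an example that is not from the original post; the switch name, the mistyped word and the port table are made up:

```text
! Added example, not from the original post. Hostname, the mistyped
! word and the port data are constructed.
!
! Tip 1: stop the switch from treating a typo as a host name to resolve.
3550# configure terminal
3550(config)# no ip domain-lookup
3550(config)# end
3550# beijng
Translating "beijng"
% Unknown command or computer name, or unable to find computer address
!
! Tip 2: a one-line-per-port view of link state, instead of paging
! through "show interfaces"; ports in the "notconnect" state are free.
3550# show interfaces status | include notconnect
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
3550# show interfaces status | include connected
Fa0/1                        connected    10         a-full  a-100 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
```

Before reusing a "notconnect" port, also check its running configuration (show running-config interface Fa0/3), since a port that is down may still carry VLAN or security settings from a previous service.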



Thursday, 3 October 2013

Model introduction of Cisco products

Switch naming begins with a fixed "WS"; the next letter is one of two kinds, C or X: C represents a fixed-configuration switch or chassis, and X represents a module. For example, from the model WS-C3750-24TS-S we know that it is a Cisco switch, a fixed-configuration switch of the 3750 series with 24 Ethernet ports; TS means Ethernet ports plus SFP ports; the trailing S means the Standard version, and the corresponding E means the enhanced or enterprise edition. For WS-X6748-SFP, WS again denotes switching equipment, X a module, 6 the 6000 series, 7 the 7th-generation product, 48 means 48 ports, and SFP is the port type (SFP is a mini interface module).
The Cisco switch has the following series:
1900 series: 1924
2900 series: 2924, 2924M
2950 series: 2950-24, 2950G-24/48, 2950C-24, 2950T-24, 2950SX-24/48
2960 series: 2960-24/48TT-L, 2960-24/48TC-L
3500 series: 3508G, 3524, 3548
3550 series: 3550-24-SMI/EMI, 3550-48-SMI/EMI, 3550-12G/T
3560 series: 3560-24/48, also with G
3750 series: 3750-24/48-TS-S, 3750-24/48-TS-E, 3750G-24/48-TS-S, 3750G-24/48-TS-E, 3750G-12S
4000 series: 4003, 4006
4500 series: 4503, 4506, 4507R
6000 series: 6006, 6009
6500 series: 6506, 6509, 6513
For more information, please see: http://www.3anetwork.com