Wednesday, 29 April 2015

EtherChannel

Understanding

EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 25-1. The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 2 Gbps (Gigabit EtherChannel) between your switch and another switch or host.
Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as Layer 2 interfaces.
The network device to which your switch is connected can impose its own limits on the number of interfaces in the EtherChannel. For Catalyst 2950 switches, the number of EtherChannels is limited to six with eight ports per EtherChannel.
If a link within an EtherChannel fails, traffic previously carried over that failed link changes to the remaining links within the EtherChannel. A trap is sent for a failure, identifying the switch, the EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.
Figure 25-1 Typical EtherChannel Configuration

Understanding Port-Channel Interfaces

When you create an EtherChannel for Layer 2 interfaces, a logical interface is dynamically created. You then manually assign an interface to the EtherChannel by using the channel-group interface configuration command as shown in Figure 25-2.
Each EtherChannel has a logical port-channel interface numbered from 1 to 6.
Figure 25-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups
After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical interfaces assigned to the port-channel interface. Configuration changes applied to the physical interface affect only the interface where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, Spanning Tree Protocol (STP) commands or commands to configure a Layer 2 EtherChannel as a trunk.

Understanding the Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) facilitates the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. By using PAgP, the switch learns the identity of partners capable of supporting PAgP and learns the capabilities of each interface. It then dynamically groups similarly configured interfaces into a single logical link (channel or aggregate port); these interfaces are grouped based on hardware, administrative, and port parameter constraints. For example, PAgP groups the interfaces with the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type. After grouping the links into an EtherChannel, PAgP adds the group to the spanning tree as a single switch port.

PAgP Modes

Table 25-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.
Table 25-1 EtherChannel Modes

auto: Places an interface into a passive negotiating state, in which the interface responds to PAgP packets it receives but does not initiate PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.

desirable: Places an interface into an active negotiating state, in which the interface initiates negotiations with other interfaces by sending PAgP packets.

on: Forces the interface to channel without PAgP. With the on mode, a usable EtherChannel exists only when an interface group in the on mode is connected to another interface group in the on mode.

Both the auto and desirable modes allow interfaces to negotiate with partner interfaces to determine if they can form an EtherChannel based on criteria such as interface speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.
Interfaces can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible. For example:
An interface in desirable mode can form an EtherChannel with another interface that is in desirable or auto mode.
An interface in auto mode can form an EtherChannel with another interface in desirable mode.
An interface in auto mode cannot form an EtherChannel with another interface that is also in auto mode because neither interface initiates PAgP negotiation.
An interface in the on mode that is added to a port channel is forced to have the same characteristics as the already existing on mode interfaces in the channel.
If your switch is connected to a partner that is PAgP-capable, you can configure the switch interface for nonsilent operation by using the non-silent keyword. If you do not specify non-silent with the auto or desirable mode, silent mode is assumed.
The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, transmits packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational; however, the silent setting allows PAgP to operate, to attach the interface to a channel group, and to use the interface for transmission.

Physical Learners and Aggregate-Port Learners

Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that learning. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports.
When a device and its partner are both aggregate-port learners, they learn the address on the logical port-channel. The device transmits packets to the source by using any of the interfaces in the EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives.
The Catalyst 2950 switch uses source-MAC address distribution for a channel if it is connected to a physical learner even if the user configures destination-MAC address distribution.
These frame distribution mechanisms are possible for frame transmission:
Port selection based on the source-MAC address of the packet
Port selection based on the destination-MAC address of the packet
Catalyst 2950 switches support a maximum of eight ports to a PAgP group.

PAgP Interaction with Other Features

The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
STP sends packets over a single physical interface in the EtherChannel. Spanning tree regards the EtherChannel as one port.
PAgP sends and receives PAgP PDUs only from interfaces that are up and have PAgP enabled for auto or desirable modes.

Understanding Load Balancing and Forwarding Methods

EtherChannel balances the traffic load across the links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel. EtherChannel load balancing can use either source-MAC or destination-MAC address forwarding.
With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel (and the MAC address learned by the switch does not change).
With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination host's MAC address of the incoming packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel. You configure the load balancing and forwarding method by using the port-channel load-balance global configuration command.
In Figure 25-3, an EtherChannel of four workstations communicates with a router. Because the router is a single-MAC-address device, source-based forwarding on the switch EtherChannel ensures that the switch uses all available bandwidth to the router. The router is configured for destination-based forwarding because the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel.
Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel is going only to a single MAC address, using the destination-MAC address always chooses the same link in the channel; using source addresses might result in better load balancing.
Figure 25-3 Load Distribution and Forwarding Methods
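The effect described above, as an added illustration that is not part of the Catalyst 2950 guide: the script simulates the two forwarding methods for the Figure 25-3 topology, four workstations talking to one router across a four-link channel. The exact hash the 2950 applies is not given on this page, so the link-selection function (XOR of the address bytes, reduced modulo the link count) and the MAC addresses are assumptions made for the example; the property it shows, that a single-MAC destination pins every frame onto one link under destination-MAC forwarding while source-MAC forwarding spreads them, holds for any per-address hash.

```python
# Added example (not from the Catalyst 2950 guide): simulate EtherChannel
# frame distribution by source-MAC versus destination-MAC forwarding.
# ASSUMPTION: the real 2950 hash is not described on this page; select_link()
# (XOR of the address bytes, reduced modulo the link count) is a stand-in
# that keeps the property the text relies on: one address always maps to
# the same link.
from collections import Counter
from typing import Dict, List, Tuple


def select_link(mac: str, links: int) -> int:
    """Reduce a MAC address to a number in 0..links-1 that selects one link."""
    value = 0
    for octet in mac.split(":"):
        value ^= int(octet, 16)
    return value % links


def distribute(frames: List[Tuple[str, str]], links: int, method: str) -> Dict[int, int]:
    """Return {link index: frame count} for a list of (src_mac, dst_mac) frames.

    method is "src-mac" or "dst-mac", mirroring the two choices of the
    port-channel load-balance command.
    """
    if method not in ("src-mac", "dst-mac"):
        raise ValueError("method must be 'src-mac' or 'dst-mac'")
    counts: Counter = Counter()
    for src, dst in frames:
        key = src if method == "src-mac" else dst
        counts[select_link(key, links)] += 1
    return dict(counts)


def links_in_use(frames: List[Tuple[str, str]], links: int, method: str) -> int:
    """How many of the channel's links actually carry traffic."""
    return len(distribute(frames, links, method))


# Constructed topology for Figure 25-3 (addresses are made up for the example):
# four workstations behind the switch, one router on the far side of a
# four-link EtherChannel.
WORKSTATIONS = ["00:00:0c:00:00:01", "00:00:0c:00:00:02",
                "00:00:0c:00:00:03", "00:00:0c:00:00:04"]
ROUTER = "00:00:0c:07:ac:01"
LINKS = 4

# Three frames from every workstation toward the router ...
TO_ROUTER = [(ws, ROUTER) for ws in WORKSTATIONS for _ in range(3)]
# ... and the replies coming back from the router.
FROM_ROUTER = [(ROUTER, ws) for ws in WORKSTATIONS for _ in range(3)]

if __name__ == "__main__":
    # Switch side: the router is the only destination, so destination-MAC
    # forwarding collapses onto one link; source-MAC forwarding uses all four.
    print("switch->router, dst-mac:", distribute(TO_ROUTER, LINKS, "dst-mac"))
    print("switch->router, src-mac:", distribute(TO_ROUTER, LINKS, "src-mac"))
    # Router side: the opposite holds, which is why the router in Figure 25-3
    # is configured for destination-based forwarding.
    print("router->switch, src-mac:", distribute(FROM_ROUTER, LINKS, "src-mac"))
    print("router->switch, dst-mac:", distribute(FROM_ROUTER, LINKS, "dst-mac"))
```

Running it prints one link carrying all twelve switch-to-router frames under dst-mac and three frames on each of the four links under src-mac; the counts flip for the router-to-switch direction. The same reasoning is the check to make before trusting a channel for capacity: count the distinct values of whichever address field the chosen method hashes, because a channel can never use more links than it has distinct hash inputs.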

Tuesday, 28 April 2015

Configure Access List (Cont.)

Including Comments About Entries in ACLs

You can use the remark command to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
For IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command to include a comment about an access list. To remove the remark, use the no form of this command.
In this example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:

Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13

For an entry in a named IP ACL, use the remark access-list configuration command (entered in the named ACL configuration mode, not in global configuration mode). To remove the remark, use the no form of this command.
In this example, the Jones subnet (171.69.0.0/16, written with the wildcard mask 0.0.255.255) is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:
When controlling access to a line, you must use a number. Numbered ACLs and MAC extended ACLs can be applied to lines.
When controlling access to an interface, you can use a name or number.
Set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them.
If you apply an ACL to a management interface, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or Web traffic.
Beginning in privileged EXEC mode, follow these steps to restrict incoming connections between a virtual terminal line and the addresses in an ACL:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: line {console | vty} line-number
    Identify a specific line for configuration, and enter line configuration mode.
    Enter console for the console terminal line. The console port is DCE.
    Enter vty for a virtual terminal for remote console access.
    The line-number is the first line number in a contiguous group that you want to configure when the line type is specified. The range is from 0 to 16.

Step 3: access-class access-list-number in
    Restrict incoming connections to this virtual terminal line to the addresses that the numbered access list permits. Only the in direction applies here.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show running-config
    Display the access list configuration.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 or management interface:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: interface interface-id
    Identify a specific interface for configuration and enter interface configuration mode.
    The interface must be a Layer 2 or management interface or a management interface VLAN ID.

Step 3: ip access-group {access-list-number | name} in
    Control access to the specified interface.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show running-config
    Display the access list configuration.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
This example shows how to apply access list 2 on Gigabit Ethernet interface 0/3 to filter packets entering the interface:

Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group 2 in

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you rely on ACLs for network security: an access group that references a list you have not yet created, or whose entries you have since removed with the no form of the command, filters nothing, and the interface is wide open until the list exists again.

Displaying ACLs

You can display existing ACLs by using show commands.
Beginning in privileged EXEC mode, follow these steps to display access lists:

Step 1: show access-lists [number | name]
    Show information about all IP and MAC address access lists or about a specific access list (numbered or named).

Step 2: show ip access-lists [number | name]
    Show information about all IP address access lists or about a specific IP ACL (numbered or named).
This example displays all standard and extended ACLs:
Switch# show access-lists
Standard IP access list 1
    permit 172.20.10.10
Standard IP access list 10
    permit 12.12.12.12
Standard IP access list 12
    deny   1.3.3.2
Standard IP access list 32
    permit 172.20.20.20
Standard IP access list 34
    permit 10.24.35.56
    permit 23.45.56.34
Extended IP access list 120
Extended MAC access list mac1

This example displays only IP standard and extended ACLs.

Switch# show ip access-lists
Standard IP access list 1
    permit 172.20.10.10
Standard IP access list 10
    permit 12.12.12.12
Standard IP access list 12
    deny   1.3.3.2
Standard IP access list 32
    permit 172.20.20.20
Standard IP access list 34
    permit 10.24.35.56
    permit 23.45.56.34
Extended IP access list 120

Displaying Access Groups

You use the ip access-group interface configuration command to apply ACLs to a Layer 3 interface. When IP is enabled on an interface, you can use the show ip interface interface-id privileged EXEC command to view the input and output access lists on the interface, as well as other interface characteristics. If IP is not enabled on the interface, the access lists are not shown.
This example shows how to view the access groups configured for VLAN 1 and for Fast Ethernet interface 0/9:
Switch# show ip interface vlan 1
GigabitEthernet0/2 is up, line protocol is down
  Internet address is 10.20.30.1/16
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is permit Any
  Inbound  access list is 13
<information truncated>
Switch# show ip interface fastethernet0/9
FastEthernet0/9 is down, line protocol is down
  Inbound  access list is ip1

The only way to ensure that you can view all configured access groups under all circumstances is to use the show running-config privileged EXEC command. To display the ACL configuration of a single interface, use the show running-config interface interface-id command.
This example shows how to display the ACL configuration of Gigabit Ethernet interface 0/1:

Switch# show running-config interface gigabitethernet0/1
Building configuration...
Current configuration :112 bytes
!
interface GigabitEthernet0/1
 ip access-group 11 in
 snmp trap link-status
 no cdp enable
end

Examples for Compiling ACLs

For detailed information about compiling ACLs, refer to the Security Configuration Guide and the "IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
Figure 23-2 shows a small networked office with a stack of Catalyst 2950 switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link.
Use switch ACLs to do these:
Create a standard ACL, and filter traffic from a specific Internet host with an address 172.20.128.64.
Create an extended ACL, and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access.
Figure 23-2 Using Switch ACLs to Control Traffic
This example uses a standard ACL to allow access only from the specific Internet host with the address 172.20.128.64 (a wildcard of 0.0.0.0 matches that single address); every other source entering the interface is dropped by the implicit deny at the end of the list.

Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.0
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 6 in

This example uses an extended ACL to deny TCP traffic to destination port 80 (HTTP), which blocks the web requests that the attached hosts send through this interface. It permits all other types of traffic.

Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip access-group 106 in

Numbered ACL Examples

This example shows that the switch accepts packets from addresses on network 36.0.0.0 and denies all packets coming from network 56.0.0.0. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1. Because every ACL ends with an implicit deny, packets from any other source network are dropped as well; the explicit deny entry only makes the intent visible in the configuration.

Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in

Extended ACL Examples

In this example of using an extended ACL, you have a network connected to the Internet, and you want any host on the network to be able to form Telnet (TCP port 23) and SMTP (TCP port 25) connections to hosts on the 128.88.0.0/16 network. Only those two entries are permitted; every other packet entering the interface is dropped by the implicit deny at the end of the list.

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Because the secure system behind the switch always accepts mail connections on port 25, the incoming services are controlled.

Named ACL Example

The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any other IP traffic: the final permit ip any any is what keeps non-TCP traffic flowing, since without it the implicit deny would drop UDP and ICMP as well.

Switch(config)# ip access-list extended marketing_group
Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Switch(config-ext-nacl)# deny tcp any any
Switch(config-ext-nacl)# permit ip any any

The ACL is then applied to Gigabit Ethernet port 0/1, which is configured as a Layer 2 port, to filter incoming traffic:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group marketing_group in

...

Commented IP ACL Entry Examples


In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the Web (an extended ACL entry requires a protocol keyword, here tcp, before the source address). Note that as shown the list contains only deny entries; applied to an interface in this form, the implicit deny at the end would block every other host as well, so finish the list with permit ip any any if the intent is to block only these two workstations.

Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www

In this example of a named ACL, the Jones subnet is not allowed access:

Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255

In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
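The filtering rules that all of the IP ACL examples above depend on (wildcard-mask matching, first matching entry wins, the implicit deny that ends every defined list, and the permit-all behaviour of an access group whose ACL is undefined), as an added Python model. It is not code from the Catalyst 2950 guide or from Cisco; it handles only the syntax used on this page (standard and extended permit/deny entries, any, host, address plus wildcard, the ip/tcp/udp keywords and eq ports) and re-evaluates the marketing_group, 102 and 100 access lists shown above. The Packet type and the addresses in the sample traffic are constructed for the example.

```python
# Added example (not from the Catalyst 2950 guide): a model of IOS IP ACL
# evaluation for the syntax used on this page. Packet and the sample traffic
# addresses are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}   # keywords used on the page
ANY = (0, 0xFFFFFFFF)                                # address 0, wildcard all ones

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    sport: Optional[int] = None
    dport: Optional[int] = None

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    # Parse 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]' starting at tokens[i].
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:   # explicit wildcard
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    return (_ip(tokens[i]), 0), i + 1        # omitted wildcard means 0.0.0.0

def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Optional[Ace]:
    # One entry in IOS syntax; remark lines and blank lines give None.
    tokens = line.split()
    if tokens[:1] == ["access-list"]:        # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    if not tokens or tokens[0] == "remark":
        return None
    action = tokens[0]
    if tokens[1] in ("ip", "tcp", "udp"):    # extended entry
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, _ = _parse_port(tokens, i)
        return Ace(action, tokens[1], src, dst, sport, dport)
    src, _ = _parse_addr(tokens, 1)          # standard entry: source address only
    return Ace(action, "ip", src, ANY)

def parse_acl(lines: List[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]

def _wildcard_match(addr: str, entry: Tuple[int, int]) -> bool:
    net, wc = entry                          # a 1 bit in the wildcard is "don't care"
    return ((_ip(addr) ^ net) & (~wc & 0xFFFFFFFF)) == 0

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _wildcard_match(pkt.src, ace.src)
            and _wildcard_match(pkt.dst, ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    # First matching entry decides; a defined list ends in an implicit deny.
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def ip_access_group(name: str, acls: Dict[str, List[Ace]], pkt: Packet) -> str:
    # Model 'ip access-group <name> in': an undefined name filters nothing.
    return evaluate(acls[name], pkt) if name in acls else "permit"

# Access lists copied from the examples on this page.
ACLS: Dict[str, List[Ace]] = {
    "marketing_group": parse_acl([
        "permit tcp any 171.69.0.0 0.0.255.255 eq telnet",
        "deny tcp any any",
        "permit ip any any"]),
    "102": parse_acl([
        "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23",
        "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25"]),
    "100": parse_acl([
        "access-list 100 remark Do not allow Winter to browse the web",
        "access-list 100 deny tcp host 171.69.3.85 any eq www",
        "access-list 100 remark Do not allow Smith to browse the web",
        "access-list 100 deny tcp host 171.69.3.13 any eq www"]),
}
```

Two results are worth checking by hand against the page: ip_access_group("100", ...) returns "deny" for a host that is neither Winter nor Smith, because list 100 has no permit entry and the implicit deny catches everyone; and ip_access_group("no-such-list", ...) returns "permit" for any packet, which is the undefined-ACL behaviour described under "Applying the ACL to an Interface or Terminal Line". The wildcard test in _wildcard_match is the real IOS semantics: a 1 bit in the mask means that bit of the address is not compared, so 0.0.255.255 matches a /16 and 0.0.0.0 matches exactly one host.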

Creating Named MAC Extended ACLs

You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named access lists.
For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: mac access-list extended name
    Define an extended MAC access list by using a name.

Step 3: {deny | permit} {any | host source-MAC-address} {any | host destination-MAC-address} [protocol]
    In extended MAC access-list configuration mode, specify to permit or deny any source MAC address or a specific host source MAC address, and any destination MAC address or a specific host destination MAC address.
    (Optional) protocol is one of the non-IP protocols: aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show access-lists [number | name]
    Show the access list configuration.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Use the no mac access-list extended name global configuration command to delete the entire ACL. You can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.

Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
    deny   any any decnet-iv
    permit any any

Creating MAC Access Groups

Beginning in privileged EXEC mode, follow these steps to create MAC access groups:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: interface interface-id
    Identify a specific interface for configuration, and enter interface configuration mode.
    The interface must be a Layer 2 interface.

Step 3: mac access-group name in
    Control access to the specified interface. The command takes the name of a MAC ACL; MAC ACLs are named, not numbered.

Step 4: end
    Return to privileged EXEC mode.

Step 5: show mac access-group
    Display the MAC ACLs applied to the interfaces.

Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
This example shows how to apply the MAC ACL mac1 (created above) on Gigabit Ethernet interface 0/1 to filter packets entering the interface:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mac access-group mac1 in

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet. The MAC ACL applies to both IP as well as non-IP packets.

When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs as a means of network security.