LAN Design

Designing a network can be a challenging task, and involves more than just connecting computers together.
A network requires many features in order to be scalable and manageable. To design reliable, scalable networks, network designers must realize that each of the major components of a network has distinct design requirements. Even a network that consists of only fifty nodes can pose complex problems that lead to unpredictable results. Attempting to design and build networks that contain thousands of nodes can pose even more complex problems.

The first step in designing a LAN is to establish and document the goals of the design. These goals are particular to each organization or situation. However, the following requirements tend to show up in most network designs:
• Functionality - The network must work. That is, it must allow users to meet their job requirements. The network must provide user-to-user and user-to-application connectivity with reasonable speed and reliability.
• Scalability - The network must be able to grow. That is, the initial design should grow without any major changes to the overall design.
• Adaptability - The network must be designed with an eye toward future technologies, and it should include no element that would limit implementation of new technologies as they become available.
• Manageability - The network should be designed to facilitate network monitoring and management to ensure ongoing stability of operation.

LAN Troubleshooting

https://supportforums.cisco.com/document/9879326/basic-steps-troubleshoot-layer-2-lan-issue

Introduction

This document explains the initial Layer 2 troubleshooting steps, with some helpful IOS commands.

Troubleshooting steps:

Check for physical interface problems such as a duplex mismatch. By default, each Cisco switch port uses Ethernet auto-negotiation to determine the speed and duplex setting (half or full). These switches can set their duplex setting with the "duplex" interface subcommand and their speed with the "speed" interface subcommand.

A duplex mismatch usually does not bring the link down; it just causes suboptimal performance.

A duplex mismatch is often caused by hard-coding one side of the link to full duplex while leaving the other side to auto-negotiate. You would suspect a duplex mismatch if you saw collisions on a full-duplex link, because a full-duplex link should never have collisions. Half duplex on both sides will show some errors.

Important IOS command: "show interface"

Example

R1#sh int fa0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is c000.3710.0000 (bia c000.3710.0000)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:33, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 1765 bytes
     Received 5 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     22 packets output, 2785 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Watch for errors such as:

Runts: frames smaller than 64 bytes.

CRC errors: the cyclic redundancy check value in the frame does not match the one calculated by the switch or router.

Collisions: look for collisions on a full-duplex interface, or excessive collisions on a half-duplex interface.

Late collisions on a half-duplex interface: a late collision occurs after the first 64 bytes of a frame.

Frame errors: frames that also carry a CRC error.

Another helpful command for displaying interface statistics is "show controllers fa0/0". It produces very long output, but in it you can find the number of frames with a bad frame check, CRC errors, collisions and late collisions, plus the interface's own auto-negotiation status and speed/duplex capability as well as its neighbor's.
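As an added example (not from the Cisco document), the Python below parses the counters in a "show interface" block and applies the rules above to flag a likely duplex mismatch or cabling fault; the two sample outputs are constructed, not real captures.

```python
import re

# Constructed sample outputs modelled on the "show interface" output above;
# they are not real captures. These counters are what a duplex mismatch
# typically produces on the half-duplex side (late collisions, runts, CRC).
SAMPLE_HALF_DUPLEX = """\
FastEthernet0/0 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     Received 12 broadcasts, 37 runts, 0 giants, 0 throttles
     41 input errors, 41 CRC, 41 frame, 0 overrun, 0 ignored
     0 output errors, 812 collisions, 1 interface resets
     0 babbles, 55 late collision, 0 deferred
"""

# The full-duplex side of the same mismatch: collisions are never legitimate
# here, so even a small count is a signal.
SAMPLE_FULL_DUPLEX = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     Received 5 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 9 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counter name -> regex that pulls its value out of the IOS text.
# "late collision" is singular in IOS output, so the "collisions" pattern
# does not accidentally match it.
COUNTERS = {
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions",
    "late_collision": r"(\d+) late collision",
}


def parse_show_interface(text):
    """Return interface name, status, duplex and the error counters as a dict.
    Counters absent from the text default to 0."""
    head = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if head is None:
        raise ValueError("not a 'show interface' block")
    duplex = re.search(r"(Half|Full)-duplex", text)
    stats = {
        "interface": head.group(1),
        "status": head.group(2),
        "protocol": head.group(3),
        "duplex": duplex.group(1).lower() if duplex else None,
    }
    for name, pattern in COUNTERS.items():
        hit = re.search(pattern, text)
        stats[name] = int(hit.group(1)) if hit else 0
    return stats


def assess(stats):
    """Apply the rules from the text: collisions on a full-duplex link and late
    collisions on a half-duplex link point at a duplex mismatch; runts and
    CRC/frame errors point at a physical-layer problem."""
    findings = []
    if stats["duplex"] == "full" and stats["collisions"] > 0:
        findings.append("collisions on full-duplex link: duplex mismatch")
    if stats["duplex"] == "half" and stats["late_collision"] > 0:
        findings.append("late collisions on half-duplex link: duplex mismatch")
    if stats["runts"] > 0:
        findings.append("runts (frames under 64 bytes): collisions or bad cabling")
    if stats["crc"] > 0 or stats["frame"] > 0:
        findings.append("CRC/frame errors: check cabling, speed and duplex")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HALF_DUPLEX, SAMPLE_FULL_DUPLEX):
        s = parse_show_interface(sample)
        print(s["interface"], s["duplex"], assess(s))
```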

Also read the "Configuring and Troubleshooting Ethernet 10/100/1000Mb Half/Full Duplex Auto-Negotiation" document for more information.

No Connectivity between Switches

1) Check whether the interface is shut down using the "show ip interface" command.

Here is an example:

R1#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet protocol processing disabled
R1#

If an interface shows up/up, the physical and logical connection has been made. If it shows up/down, you have some Layer 2 troubleshooting to do. An interface status of err-disabled can be caused by many different problems; common causes are a security violation or detection of a unidirectional link.
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the color orange. You can check this using the "show interface status err-disabled" command on your device.

This example shows how to display the error disabled state of interfaces:

switch# show interface status err-disabled

--------------------------------------------------------------------
Port          Name               Status    Reason
--------------------------------------------------------------------
Eth114/1/27   --                 down      BPDUGuard errDisable
Eth114/1/28   --                 down      BPDUGuard errDisable
Eth114/1/29   --                 down      BPDUGuard errDisable
Eth114/1/30   --                 down      BPDUGuard errDisable
Eth114/1/31   --                 down      BPDUGuard errDisable
Eth114/1/32   --                 down      BPDUGuard errDisable
Eth114/1/33   --                 down      BPDUGuard errDisable
Eth114/1/34   --                 down      BPDUGuard errDisable
--More--
switch#

2) Verify your trunk links and EtherChannel (if configured) using the following commands:

Useful commands:

"show interface trunk"
"show etherchannel summary"

Here is a document for “Troubleshooting Switch Port and Interface Problems”

Lack of reachability to devices in the same VLAN

1) Eliminate Layer 1 issues using the "show ip interface" command.

R1#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet protocol processing disabled
R1#

2) Verify that the VLAN exists on the switch using the "show vlan" command.

SW#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
2    cisco_test                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
SW#

3) Verify that the interface is assigned to the correct VLAN using the "show interface switchport" command.

sw#show interfaces switchport fa1/15
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none

If the port is not in the correct VLAN, assign it to the correct VLAN using the following steps:

conf t
int fa1/15
switchport access vlan 2

4) Verify that the VLAN is allowed on the trunk port using the "show interface trunk" command.

sw#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/15    on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/15    1-2,1002-1005

Port      Vlans allowed and active in management domain
Fa1/15    1-2

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/15    none
sw#

5) You can also use the Layer 2 traceroute utility to identify the Layer 2 path that a packet takes from a source device to a destination device, using the "traceroute mac [interface type interface_number] source_mac_address [interface type interface_number] destination_mac_address [vlan vlan_id] [detail]" command.

Intermittent reachability to devices in the same VLAN

1) Check for spanning-tree problems such as BPDU floods or flapping MAC addresses.
Spanning-tree issues are possible in a network that has not been properly configured. One common STP problem is a change of root bridge. If the root bridge is not properly configured, a change of root can cause a flood of BPDUs and affect network connectivity. Another known symptom of a loop is a flapping MAC address. A port configured with loop guard or root guard is put into an inconsistent state if it receives a superior BPDU; this can be verified using "show spanning-tree inconsistent port".

Some useful IOS commands:
"show spanning-tree"
"show spanning-tree detail"
"show spanning-tree root"
"show mac-address-table"
Here is another document you may want to look at: "Troubleshooting LAN Switching Environments"

Some Spanning-tree related troubleshooting docs:
“Troubleshooting STP on Catalyst Switches Running Cisco IOS System Software”
“Spanning Tree Loop Troubleshooting and Safeguards”
“Spanning Tree Protection”

Finding IP address connected to a cisco switch port

If you do not know the IP addresses of the devices on a specific VLAN and want to track down an end device's IP address, try the following steps:

Step 1: Ping the broadcast IP address of the subnet from your L3 device (gateway).

For example, assume the following connectivity: R1 is connected to SW1, SW1 to SW2, and hosts H1 and H2 are connected to SW2.

R1--SW1--SW2---H1
           |---H2

R1 is the default gateway and holds the L3 address. The IP address of each device is:

R1: 1.1.1.1/24

H1: 1.1.1.2/24

H2: 1.1.1.3/24

So for subnet 1.1.1.0/24 the broadcast IP is 1.1.1.255.

Ping 1.1.1.255 from the router. All hosts on that LAN segment will reply, as shown below, and the ARP table on the L3 device will be populated with each host's IP address and MAC address.

ping 1.1.1.255

Sending 1000, 100-byte ICMP Echos to 1.1.1.255, timeout is 2 seconds:
........
Reply to request 8 from 1.1.1.2, 28 ms
Reply to request 9 from 1.1.1.3, 64 ms

Step 2: Check the ARP entries using the "show arp" command on the L3 device; it shows the MAC address associated with each IP address.

 

R1#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                 -   c000.2498.0000  ARPA   Vlan2
Internet  1.1.1.2                 0   c003.2498.0000  ARPA   Vlan2

From the table above you can see that the MAC address of host 1.1.1.2 is c003.2498.0000.

Step 3: Now check which port that MAC address was learned on, as shown below:

R1#sh mac address c003.2498.0000

Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
c003.2498.0000          Dynamic       2     FastEthernet1/1

Step 4: Then use CDP (Cisco Discovery Protocol) to check which device is connected to the port on which the MAC address was learned.

In our scenario the MAC address was learned on Fa1/1, so we check the CDP details for Fa1/1.

R1#sh cdp ne fa1/1 detail
-------------------------
Device ID: SW1.lab.local

Once you find the connected device, log in to it and again use the "sh mac address c003.2498.0000" and "sh cdp ne fa1/1 detail" commands until you find the actual end port to which your host is connected. The above method is useful when CDP is enabled on all your switches and your end host responds to broadcast messages.
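The four steps above chained together in Python, as an added example that is not part of the original document: the MAC c003.2498.0000 and the device ID SW1.lab.local are taken from the scenario, while the ARP table, MAC tables and CDP neighbour maps are constructed captures (the hypothetical SWITCHES dict stands in for logging in to each switch).

```python
# Constructed captures (not from the document). The MAC c003.2498.0000 and the
# device ID SW1.lab.local come from the scenario above; everything else is
# made up. On SW1 the MAC is learned on Fa1/1, which CDP says leads to SW2; on
# SW2 it is learned on Fa1/3, which has no CDP neighbour, so that is the end port.
ARP_R1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                 -   c000.2498.0000  ARPA   Vlan2
Internet  1.1.1.2                 0   c003.2498.0000  ARPA   Vlan2
"""

MAC_TABLE_HEADER = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
"""

# Hypothetical per-switch data standing in for "sh mac address" and
# "sh cdp ne <port> detail" run on each switch.
SWITCHES = {
    "SW1": {
        "mac_table": MAC_TABLE_HEADER
        + "c003.2498.0000          Dynamic       2     FastEthernet1/1\n",
        "cdp": {"FastEthernet1/1": "SW2.lab.local"},  # port -> CDP Device ID
    },
    "SW2": {
        "mac_table": MAC_TABLE_HEADER
        + "c003.2498.0000          Dynamic       2     FastEthernet1/3\n",
        "cdp": {"FastEthernet1/5": "SW1.lab.local"},
    },
}


def arp_lookup(arp_text, ip):
    """Step 2: MAC address for an IP from 'show ip arp' output, or None."""
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "Internet" and parts[1] == ip:
            return parts[3]
    return None


def learned_port(mac_table, mac):
    """Step 3: (vlan, port) on which the MAC was learned, or None."""
    for line in mac_table.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == mac:
            return parts[2], parts[3]
    return None


def trace_mac(switches, start, mac, max_hops=8):
    """Step 4: follow the MAC from switch to switch via CDP until the port it
    was learned on has no CDP neighbour. Returns the hops and a verdict."""
    path = []
    switch = start
    for _ in range(max_hops):
        hit = learned_port(switches[switch]["mac_table"], mac)
        if hit is None:
            return path, "mac not learned on " + switch
        _vlan, port = hit
        path.append((switch, port))
        neighbour = switches[switch]["cdp"].get(port)
        if neighbour is None:
            return path, "end port"
        switch = neighbour.split(".")[0]  # "SW2.lab.local" -> "SW2"
    return path, "hop limit reached"


def locate_host(ip):
    """Chain the steps: IP -> MAC (ARP on R1) -> port on each switch -> end port."""
    mac = arp_lookup(ARP_R1, ip)
    if mac is None:
        return None
    return mac, trace_mac(SWITCHES, "SW1", mac)


if __name__ == "__main__":
    print(locate_host("1.1.1.2"))
```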

The above points were written through discussion.
Please feel free to add your expertise and experience to this document to make it helpful for beginners.


STP Operation

Task

Prerequisites

Before you configure STP, select a switch to be the root of the spanning tree. This switch does not need to be the most powerful switch, but choose the most centralized switch on the network. All data flow across the network is from the perspective of this switch. Also, choose the least disturbed switch in the network. The backbone switches often serve as the spanning tree root because these switches typically do not connect to end stations. Also, moves and changes within the network are less likely to affect these switches.

After you decide on the root switch, set the appropriate variables to designate the switch as the root switch. The only variable that you must set is the bridge priority. If the switch has a bridge priority that is lower than all the other switches, the other switches automatically select the switch as the root switch.

Clients (end stations) on Switch Ports

You can also issue the set spantree portfast command, on a per-port basis. When you enable the portfast variable on a port, the port immediately switches from blocking mode to forwarding mode. Enablement of portfast helps to prevent timeouts on clients who use Novell Netware or use DHCP in order to obtain an IP address. However, do not use this command when you have switch-to-switch connection. In this case, the command can result in a loop. The 30- to 60-second delay that occurs during the transition from blocking to forwarding mode prevents a temporal loop condition in the network when you connect two switches.

Leave most other STP variables at their default values.

Rules of Operation

This section lists rules for how STP works. When the switches first come up, they start the root switch selection process. Each switch transmits a BPDU to the directly connected switch on a per-VLAN basis.

As the BPDU goes out through the network, each switch compares the BPDU that the switch sends to the BPDU that the switch receives from the neighbors. The switches then agree on which switch is the root switch. The switch with the lowest bridge ID in the network wins this election process.

Note: Remember that one root switch is identified per-VLAN. After the root switch identification, the switches adhere to these rules:

  • STP Rule 1—All ports of the root switch must be in forwarding mode. Note: In some corner cases, which involve self-looped ports, there is an exception to this rule.

    Next, each switch determines the best path to get to the root. The switches determine this path by a comparison of the information in all the BPDUs that the switches receive on all ports. The switch uses the port with the least amount of information in the BPDU in order to get to the root switch; the port with the least amount of information in the BPDU is the root port. After a switch determines the root port, the switch proceeds to rule 2.

  • STP Rule 2—The root port must be set to forwarding mode. In addition, the switches on each LAN segment communicate with each other to determine which switch is best to use in order to move data from that segment to the root bridge. This switch is called the designated switch.
  • STP Rule 3—In a single LAN segment, the port of the designated switch that connects to that LAN segment must be placed in forwarding mode.
  • STP Rule 4—All the other ports in all the switches (VLAN-specific) must be placed in blocking mode. The rule only applies to ports that connect to other bridges or switches. STP does not affect ports that connect to workstations or PCs. These ports remain in forwarding mode. Note: The addition or removal of VLANs when STP runs in per-VLAN spanning tree (PVST / PVST+) mode triggers spanning tree recalculation for that VLAN instance and the traffic is disrupted only for that VLAN. The other VLAN parts of a trunk link can forward traffic normally. The addition or removal of VLANs for a Multiple Spanning Tree (MST) instance that exists triggers spanning tree recalculation for that instance and traffic is disrupted for all the VLAN parts of that MST instance.

Note: By default, spanning tree runs on every port. The spanning tree feature cannot be turned off in switches on a per-port basis. Although it is not recommended, you can turn off STP on a per-VLAN basis, or globally on the switch. Extreme care should be taken whenever you disable spanning tree because this creates Layer 2 loops within the network.
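Rules 1 to 4 applied to a small topology, as an added example that is not part of the Cisco document: Switch-15 keeps the priority 8192 set in the step-by-step section and the two MAC addresses shown in the show spantree output are reused; Switch-13's MAC, the port numbers and the link costs are constructed.

```python
import heapq

# Constructed topology (not the one in the Cisco document). Switch-15's and
# Switch-12's MACs are the ones shown in the show spantree output below;
# Switch-13's MAC is made up. Every link is 100 Mb/s, cost 19.
BRIDGES = {  # name -> bridge ID as (priority, MAC); lower wins
    "Switch-15": (8192, "00-10-0d-b1-78-00"),
    "Switch-12": (32768, "00-10-0d-b2-8c-00"),
    "Switch-13": (32768, "00-10-0d-b3-00-00"),
}
LINKS = [  # (bridge A, port on A, bridge B, port on B, path cost)
    ("Switch-15", "1/1", "Switch-12", "2/2", 19),
    ("Switch-15", "1/2", "Switch-13", "2/2", 19),
    ("Switch-12", "2/1", "Switch-13", "2/1", 19),
]


def elect_root(bridges):
    """Lowest bridge ID (priority, then MAC) wins: 'less is better'."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(bridges, links, root):
    """Cheapest cost from every bridge to the root (Dijkstra over link costs)."""
    adj = {name: [] for name in bridges}
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {name: float("inf") for name in bridges}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in adj[node]:
            if d + cost < dist[nxt]:
                dist[nxt] = d + cost
                heapq.heappush(heap, (dist[nxt], nxt))
    return dist


def assign_roles(bridges, links):
    """Return (root, root path costs, {(bridge, port): role}) per rules 1-4."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, links, root)
    roles = {}
    # Rules 1 and 3: on each segment the end with the lower (root path cost,
    # bridge ID) is the designated port; the root's ports always win (cost 0).
    for a, pa, b, pb, _ in links:
        if (cost[a], bridges[a]) <= (cost[b], bridges[b]):
            roles[(a, pa)] = "designated"
            roles[(b, pb)] = "blocking"
        else:
            roles[(b, pb)] = "designated"
            roles[(a, pa)] = "blocking"
    # Rule 2: each non-root bridge's root port is the one whose neighbour offers
    # the lowest cost to the root, tie-broken by the neighbour's bridge ID.
    best = {}
    for a, pa, b, pb, c in links:
        for me, port, nb in ((a, pa, b), (b, pb, a)):
            if me == root:
                continue
            key = (cost[nb] + c, bridges[nb], port)
            if me not in best or key < best[me][0]:
                best[me] = (key, port)
    for me, (_, port) in best.items():
        roles[(me, port)] = "root"
    # Rule 4: every remaining switch-to-switch port stays blocking.
    return root, cost, roles


if __name__ == "__main__":
    root, cost, roles = assign_roles(BRIDGES, LINKS)
    print("root:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role} (cost to root {cost[bridge]})")
```

On the Switch-12/Switch-13 segment both ends have cost 19, so the lower bridge ID (Switch-12) becomes designated and Switch-13's port 2/1 blocks, which is how the loop through the triangle is broken.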

Step-by-Step Instructions

Complete these steps:

  1. Issue the show version command in order to display the software version that the switch runs. Note: All switches run the same software version.
    Switch-15> (enable)show version
    WS-C5505 Software, Version McpSW: 4.2(1) NmpSW: 4.2(1)
    Copyright (c) 1995-1998 by Cisco Systems
    NMP S/W compiled on Sep  8 1998, 10:30:21
    MCP S/W compiled on Sep 08 1998, 10:26:29
    
    System Bootstrap Version: 5.1(2)
    
    Hardware Version: 1.0  Model: WS-C5505  Serial #: 066509927
    
    Mod Port Model      Serial #  Versions
    --- ---- ---------- --------- ----------------------------------------
    1   0    WS-X5530   008676033 Hw : 2.3
    Fw : 5.1(2)
    Fw1: 4.4(1)
    Sw : 4.2(1)

    In this scenario, Switch 15 is the best choice for the root switch of the network for all the VLANs because Switch 15 is the backbone switch.

  2. Issue the set spantree root vlan_id command in order to set the priority of the switch to 8192 for the VLAN or VLANs that the vlan_id specifies. Note: The default priority for switches is 32768. When you set the priority with this command, you force the selection of Switch 15 as the root switch because Switch 15 has the lowest priority.
    Switch-15> (enable)set spantree root 1
    VLAN 1 bridge priority set to 8192.
    VLAN 1 bridge max aging time set to 20.
    VLAN 1 bridge hello time set to 2.
    VLAN 1 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 1.
    Switch-15> (enable) 
    
    Switch-15> (enable)set spantree root 200
    VLAN 200 bridge priority set to 8192.
    VLAN 200 bridge max aging time set to 20.
    VLAN 200 bridge hello time set to 2.
    VLAN 200 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 200.
    Switch-15> (enable) 
    
    Switch-15> (enable)set spantree root 201
    VLAN 201 bridge priority set to 8192.
    VLAN 201 bridge max aging time set to 20.
    VLAN 201 bridge hello time set to 2.
    VLAN 201 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 201.
    Switch-15> (enable)
    
    Switch-15> (enable)set spantree root 202
    VLAN 202 bridge priority set to 8192.
    VLAN 202 bridge max aging time set to 20.
    VLAN 202 bridge hello time set to 2.
    VLAN 202 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 202.
    Switch-15> 
    
    Switch-15> (enable)set spantree root 203
    VLAN 203 bridge priority set to 8192.
    VLAN 203 bridge max aging time set to 20.
    VLAN 203 bridge hello time set to 2.
    VLAN 203 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 203.
    Switch-15> 
    
    Switch-15> (enable)set spantree root 204
    VLAN 204 bridge priority set to 8192.
    VLAN 204 bridge max aging time set to 20.
    VLAN 204 bridge hello time set to 2.
    VLAN 204 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 204.
    Switch-15> (enable)

    The shorter version of the command has the same effect, as this example shows:

    Switch-15> (enable)set spantree root 1,200-204 
    VLANs 1,200-204 bridge priority set to 8189.
    VLANs 1,200-204 bridge max aging time set to 20.
    VLANs 1,200-204 bridge hello time set to 2.
    VLANs 1,200-204 bridge forward delay set to 15.
    Switch is now the root switch for active VLANs 1,200-204.
    Switch-15> (enable)

    The set spantree priority command provides a third method to specify the root switch:

    Switch-15> (enable)set spantree priority 8192 1
    Spantree 1 bridge priority set to 8192.
    Switch-15> (enable)

    Note: In this scenario, all the switches started with cleared configurations. Therefore, all the switches started with a bridge priority of 32768. If you are not certain that all the switches in your network have a priority that is greater than 8192, set the priority of your desired root bridge to 1.

  3. Issue the set spantree portfast mod_num/port_num enable command in order to configure the PortFast setting on Switches 12, 13, 14, 16, and 17. Note: Only configure this setting on ports that connect to workstations or PCs. Do not enable PortFast on any port that connects to another switch.

    This example only configures Switch 12. You can configure other switches in the same way. Switch 12 has these port connections:

    • Port 2/1 connects to Switch 13.
    • Port 2/2 connects to Switch 15.
    • Port 2/3 connects to Switch 16.
    • Ports 3/1 through 3/24 connect to PCs.
    • Ports 4/1 through 4/24 connect to UNIX workstations.

    With this information as a basis, issue the set spantree portfast command on ports 3/1 through 3/24 and on ports 4/1 through 4/24:

    Switch-12> (enable)set spantree portfast 3/1-24 enable
    
    Warning: Spantree port fast start should only be enabled on ports connected
    to a single host.  Connecting hubs, concentrators, switches, bridges, etc. to
    a fast start port can cause temporary spanning-tree loops.  Use with caution.
    
    Spantree ports 3/1-24 fast start enabled.
    Switch-12> (enable) 
    
    Switch-12> (enable)set spantree portfast 4/1-24 enable
    
    Warning: Spantree port fast start should only be enabled on ports connected
    to a single host.  Connecting hubs, concentrators, switches, bridges, etc. to
    a fast start port can cause temporary spanning-tree loops.  Use with caution.
    
    Spantree ports 4/1-24 fast start enabled.
    Switch-12> (enable)
  4. Issue the show spantree vlan_id command in order to verify that Switch 15 is the root of all the appropriate VLANs. From the output from this command, compare the MAC address of the switch that is the root switch to the MAC address of the switch from which you issued the command. If the addresses match, the switch that you are in is the root switch of the VLAN. A root port that is 1/0 also indicates that you are at the root switch. This is the sample command output:
    Switch-15> (enable)show spantree 1
    VLAN 1
    spanning-tree enabled
    spanning-tree type          ieee
    
    Designated Root             00-10-0d-b1-78-00
    
    !--- This is the MAC address of the root switch for VLAN 1.
    
    Designated Root Priority    8192
    Designated Root Cost        0
    Designated Root Port        1/0
    Root Max Age   20 sec    Hello Time 2  sec   Forward Delay 15 sec
    
    Bridge ID MAC ADDR          00-10-0d-b1-78-00
    Bridge ID Priority          8192
    Bridge Max Age 20 sec    Hello Time 2  sec   Forward Delay 15 sec

    This output shows that Switch 15 is the designated root on the spanning tree for VLAN 1. The MAC address of the designated root switch, 00-10-0d-b1-78-00, is the same as the bridge ID MAC address of Switch 15, 00-10-0d-b1-78-00. Another indicator that this switch is the designated root is that the designated root port is 1/0.

    In this output from Switch 12, the switch recognizes Switch 15 as the Designated Root for VLAN 1:

    Switch-12> (enable)show spantree 1
    VLAN 1
    spanning-tree enabled
    spanning-tree type          IEEE
    
    Designated Root             00-10-0d-b1-78-00
    
    !--- This is the MAC address of the root switch for VLAN 1.
    
    Designated Root Priority    8192
    Designated Root Cost        19
    Designated Root Port        2/3
    Root Max Age   20 sec    Hello Time 2  sec   Forward Delay 15 sec
    
    Bridge ID MAC ADDR          00-10-0d-b2-8c-00
    Bridge ID Priority          32768
    Bridge Max Age 20 sec    Hello Time 2  sec   Forward Delay 15 sec

    Note: The output of the show spantree vlan_id command for the other switches and VLANs can also indicate that Switch 15 is the designated root for all VLANs.

http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html

STP

Spanning-Tree Protocol (STP) prevents loops from being formed when switches or bridges are interconnected via multiple paths. Spanning-Tree Protocol implements the 802.1D IEEE algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces. This algorithm guarantees that there is one and only one active path between two network devices.

http://www.cisco.com/c/en/us/tech/lan-switching/spanning-tree-protocol/index.html

Description of the Technology

With STP, the key is for all the switches in the network to elect a root bridge that becomes the focal point in the network. All other decisions in the network, such as which port to block and which port to put in forwarding mode, are made from the perspective of this root bridge. A switched environment, which is different from a bridge environment, most likely deals with multiple VLANs. When you implement a root bridge in a switching network, you usually refer to the root bridge as the root switch. Each VLAN must have its own root bridge because each VLAN is a separate broadcast domain. The roots for the different VLANs can all reside in a single switch or in various switches.

Note: The selection of the root switch for a particular VLAN is very important. You can choose the root switch, or you can let the switches decide, which is risky. If you do not control the root selection process, there can be suboptimal paths in your network.

All the switches exchange information for use in the root switch selection and for subsequent configuration of the network. Bridge protocol data units (BPDUs) carry this information. Each switch compares the parameters in the BPDU that the switch sends to a neighbor with the parameters in the BPDU that the switch receives from the neighbor.

In the STP root selection process, less is better. If Switch A advertises a root ID that is a lower number than the root ID that Switch B advertises, the information from Switch A is better. Switch B stops the advertisement of its root ID, and accepts the root ID of Switch A.

http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html

Extended ACL

Extended ACLs

Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by the comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL.

This is the command syntax format of extended ACLs. Lines are wrapped here for spacing considerations.

IP

access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log|log-input] [time-range time-range-name]

ICMP

access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} icmp source source-wildcard destination destination-wildcard
[icmp-type [icmp-code] |icmp-message]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]

TCP

access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|log-input] [time-range time-range-name]

UDP

access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} udp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]

In all software releases, the access-list-number can be 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use a list name in extended ACLs.

The value of 0.0.0.0/255.255.255.255 can be specified as any. After the ACL is defined, it must be applied to the interface (inbound or outbound). In early software releases, out was the default when a keyword out or in was not specified. The direction must be specified in later software releases.

interface <interface>
ip access-group {number|name} {in|out}

This extended ACL is used to permit traffic on the 10.1.1.x network (inside) and to receive ping responses from the outside while it prevents unsolicited pings from people outside, permitting all other traffic.

interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
ip access-group 101 in
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255

Note: Some applications such as network management require pings for a keepalive function. If this is the case, you might wish to limit blocking inbound pings or be more granular in permitted/denied IPs.
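To make the ACL semantics concrete, here is an added Python evaluator (not from the Cisco document) that applies ACL 101 above to sample packets: it implements wildcard-mask matching, first-match-wins ordering, the icmp-message qualifier and the implicit deny at the end of every list. The parser handles only the "any", "host" and address/wildcard forms plus an ICMP message name; packets are constructed dicts.

```python
import ipaddress

# ACL 101 exactly as configured above. IOS appends an implicit
# "deny ip any any" after the last entry, which evaluate() reproduces.
ACL_101 = [
    "access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo",
    "access-list 101 permit ip any 10.1.1.0 0.0.0.255",
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    0.0.0.0 255.255.255.255 therefore matches everything, i.e. 'any'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def parse_ace(line):
    """Parse one numbered extended ACE (subset of the syntax shown above):
    'any', 'host A' or 'A WILDCARD' addresses and an optional trailing
    qualifier such as an ICMP message name."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    pos = 4  # tokens: access-list <number> <permit|deny> <protocol> ...

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src = address()
    dst = address()
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "qualifiers": tok[pos:]}


def ace_matches(ace, pkt):
    """pkt is a constructed dict: proto, src, dst and, for ICMP, 'icmp'."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    # An ICMP message name (e.g. "echo") narrows the entry to that type, which
    # is why echo replies still pass while unsolicited echo requests do not.
    if ace["proto"] == "icmp" and ace["qualifiers"]:
        return pkt.get("icmp") == ace["qualifiers"][0]
    return True


def evaluate(acl_lines, pkt):
    """First matching entry decides; no match falls to the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    for pkt in (
        {"proto": "icmp", "src": "172.16.1.5", "dst": "10.1.1.10", "icmp": "echo"},
        {"proto": "icmp", "src": "172.16.1.5", "dst": "10.1.1.10", "icmp": "echo-reply"},
        {"proto": "tcp", "src": "172.16.1.5", "dst": "10.1.1.10"},
        {"proto": "tcp", "src": "172.16.1.5", "dst": "10.1.2.10"},
    ):
        print(pkt, "->", evaluate(ACL_101, pkt))
```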

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

ACL

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.

You can configure access lists at your router to control access to a network: access lists can prevent certain traffic from entering or exiting a network.

What Access Lists Do

Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the access lists.

Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.
Why You Should Configure Access Lists

There are many reasons to configure access lists; for example, you can use access lists to restrict contents of routing updates or to provide traffic flow control. One of the most important reasons to configure access lists is to provide security for your network, which is the focus of this chapter.

You should use access lists to provide a basic level of security for accessing your network. If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.

Access lists can allow one host to access a part of your network and prevent another host from accessing the same area. In Figure 14, host A is allowed to access the Human Resources network, and host B is prevented from accessing the Human Resources network.

When to Configure Access Lists

Access lists should be used in “firewall” routers, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.

To provide the security benefits of access lists, you should at a minimum configure access lists on border routers—routers situated at the edges of your networks. This provides a basic buffer from the outside network, or from a less controlled area of your own network into a more sensitive area of your network.

On these routers, you should configure access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an interface.

Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol.
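
The filtering rules described above (match on source, destination and upper-layer protocol; entries tested top-down; first match wins; unmatched traffic dropped by the implicit deny at the end) can be exercised offline with the small evaluator below. It is an added example written for these notes, not code from the Cisco document; the ACL numbers, addresses and the "Human Resources" subnet 172.16.50.0/24 are constructed to mirror the host A / host B scenario of Figure 14.

```python
import ipaddress

def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (b & mask)

def _take_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (subset)."""
    tokens = line.split()
    assert tokens[0] == "access-list", line
    ace = {"action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    ace["src"] = _take_addr(rest)
    ace["dst"] = _take_addr(rest)
    ace["dport"] = int(rest[1]) if rest[:1] == ["eq"] else None
    return ace

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt = {proto, src, dst[, dport]}.
    Entries are tested top-down; the first match wins; no match means deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue  # 'ip' matches every IP protocol, 'tcp' only TCP, etc.
        if not _wild_match(pkt["src"], *ace["src"]):
            continue
        if not _wild_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"  # implicit "deny any" at the end of every Cisco access list

# Constructed sample (made-up addresses): host A 10.1.1.10 may reach the
# Human Resources subnet, host B 10.1.1.20 may not. Order matters: the deny
# for host B must come before the broader permit for its subnet.
HR_ACL = [
    "access-list 101 deny ip host 10.1.1.20 172.16.50.0 0.0.0.255",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.50.0 0.0.0.255",
    "access-list 101 permit tcp any host 172.16.50.5 eq 443",
]
```

Swapping the first two entries would let host B through, which is why the order of entries is as important as their contents.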

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html

ICMP

Because IP has no mechanism of its own for delivering error and control messages, it uses ICMP to send and receive error and control messages to the hosts in a network.

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. ICMP is used mainly by the operating systems of networked computers to send error messages stating, for example, that a destination computer cannot be reached.

ICMP differs in purpose from TCP and UDP in that ICMP is not used directly by user network applications. One exception is the ping application, which sends ICMP Echo Request messages (and receives Echo Replies) to determine whether a destination computer can be reached and how long it takes the destination to answer the packets sent to it.

The Internet Control Message Protocol (ICMP) is part of the Internet protocol suite and is defined in RFC 792. ICMP messages are generally generated in response to errors in IP datagrams (as specified in RFC 1122) or for tracing or routing purposes.

This version of ICMP is also known as ICMPv4, which is part of Internet Protocol version 4. The newer version is ICMPv6.

Intermediate TCP/IP at a Glance

The 3-WAY HANDSHAKE is the process of opening a TCP (Transmission Control Protocol) connection. Its purpose is to synchronise the sequence numbers and acknowledgement numbers sent by both parties and to exchange TCP window sizes. The first host sends a TCP segment with the SYN flag to the second host; the second host responds with a segment that carries an acknowledgement of the first host's SYN together with its own SYN, and the first host then acknowledges it and begins exchanging data with the second host. The handshake is complete when both ends have received acknowledgements for the connection and both can send data to each other.
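
The number relationships behind that description (the SYN+ACK acknowledges the client's initial sequence number plus one, the final ACK acknowledges the server's plus one, and both windows are learned along the way) are what a checker has to verify. The code below is an added example written for these notes, not code from any TCP implementation: it builds option-less TCP headers from constructed port numbers and initial sequence numbers and validates three segments as a handshake, reporting the first rule that is broken.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport dport seq ack offset flags window csum urg
MASK32 = 0xFFFFFFFF     # sequence numbers wrap modulo 2**32

def build_tcp(sport, dport, seq, ack, flags, window):
    """20-byte TCP header without options (data offset 5 words), checksum 0."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off, flags, window, _, _ = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "hlen": (off >> 4) * 4}

def check_handshake(segments):
    """Return (ok, reason, state); state holds the ISNs and window sizes
    synchronised by a valid handshake, reason names the first violation."""
    if len(segments) != 3:
        return False, "a handshake is exactly three segments", {}
    syn, synack, ack = (parse_tcp(s) for s in segments)
    if (syn["flags"] & (SYN | ACK)) != SYN:
        return False, "first segment must be SYN without ACK", {}
    if (synack["flags"] & (SYN | ACK)) != (SYN | ACK):
        return False, "second segment must be SYN+ACK", {}
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        return False, "SYN+ACK must reverse the SYN's port pair", {}
    if synack["ack"] != (syn["seq"] + 1) & MASK32:
        return False, "SYN+ACK must acknowledge the client's ISN + 1", {}
    if (ack["flags"] & (SYN | ACK)) != ACK:
        return False, "third segment must be ACK without SYN", {}
    if ack["seq"] != (syn["seq"] + 1) & MASK32:
        return False, "client's ACK must start at ISN + 1 (SYN consumed one number)", {}
    if ack["ack"] != (synack["seq"] + 1) & MASK32:
        return False, "ACK must acknowledge the server's ISN + 1", {}
    state = {"client_isn": syn["seq"], "server_isn": synack["seq"],
             "client_window": ack["window"], "server_window": synack["window"]}
    return True, "established", state
```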

UDP (User Datagram Protocol) is a transport protocol like TCP, but UDP is faster than TCP and supports unreliable, connectionless communication between hosts in a network that uses TCP/IP. Each process is identified by a logical port number.

A PORT is a mechanism that allows a computer to support several simultaneous sessions with other computers; a port identifies the application or service that is using a connection in a TCP/IP network. A port is identified by a 16-bit number called the Port Number and is classified by the type of transport protocol; the maximum total number of ports for each transport protocol is 65536.

By their numbering, UDP and TCP ports can be divided into three kinds:
1. Well-known Ports: originally 0 to 255, widened to 0 through 1023, assigned by the Internet Assigned Numbers Authority (IANA) for services to be used in the future and defined in RFC 1060.
2. Registered Ports: used by different computer or network vendors to support the applications and operating systems they build. The registered port range runs from 1024 to 65536, and ports are taken up or released as needed.

A SOCKET is a communication endpoint that allows data to be exchanged between programs or processes, whether on one machine or across machines; unlike pipes, which normally connect processes on a single machine, sockets allow communication between processes/programs across a TCP/IP-based network. Socket communication was created primarily to bridge communication between two programs running on different machines. Another advantage of sockets is that they can handle many clients at once.