Monitor IP Traffic With Your Cisco Switch

Here are a couple ways you can monitor traffic with a Cisco Switch. Monitoring traffic is like a packet capture.

Monitor Session VLAN access maps Monitor Session can be done on just about all Cisco switches however there is a limit to the number of monitor session you can use at any given moment. The number behind the session, in this example 1, represents the session number and must match for both source and destination interfaces. Plug your laptop into any source port and start sniffing packets with wireshark.org

monitor session 1 source interface fastethernet 0/2 monitor session 1 destination interface fastethernet 0/3

VLAN Access maps

VLAN access maps are pretty cool. They allow for more granular control over your packet capture and take place at wire speed. VLAN Access maps also don't hit the switches CPU near as hard as monitor sessions.

Here are the commands to use.. further down I'll explain the commands more in depth. In this example we WON'T cpature SSH traffic from certain hosts but will monitor everything else.

vlan access-map part1 5 match ip address MONEY action forward

vlan access-map part1 10 match ip address EVERYTHINGELSE action forward capture

vlan filter part1 vlan-list 1-5,9-10

ip access-list extended MONEY permit tcp host 10.90.12.24 host 10.90.24.7 eq ssh permit tcp host 10.90.12.24 host 10.90.24.5 eq ssh permit tcp host 10.70.24.7 host 10.90.24.24 eq ssh permit tcp host 10.70.224.5 host 10.90.27.24 eq ssh permit tcp 192.168.20.0 0.0.0.255 host 10.91.4.7 eq ssh ip access-list extended EVERYTHINGELSE permit ip any any

# vlan 999 # remote-span # interface vlan 999 # exit # vlan filter FILTER vlan-list 999 # interface gi9/32 # switchport access vlan 999

How to use this VLAN access map to sniff or monitor network traffic

The part1 used below is just an index or name for this packet capture. The VLAN Access map will act upon "part1″ in ascending order based on the number next to the index "part1″. Since "5″ is the lowest number the access map will action forward the packets based on which packets match access list MONEY.

vlan access-map part1 5 match ip address MONEY action forward

Now vlan access map part1 is going to act on number "10″ since it is the next highest number after"5″ used in this access map. The switch will forward and capture the packets which match the packets identified in access list EVERYTHINGELSE. The packets from the previous ACL have already been forwarded (because they got forwarded at sequence #5) therefore they will not be captured.

vlan access-map part1 10 match ip address EVERYTHINGELSE action forward capture

vlan filter part1 vlan-list 1-5,9-10 (these are the VLANs which carry the traffic you want to sniff / capture / monitor) ip access-list extended MONEY (this is traffic you DON'T want to monitor) permit tcp host 10.90.12.24 host 10.90.24.7 eq ssh now apply the VACL filter to your RSPAN vlan

# vlan 999 # remote-span # interface vlan 999 # exit # vlan filter FILTER vlan-list 999

Now put your IPS interface into the RSPAN vlan

# interface gi9/32 # switchport access vlan 999

NOW of course plug your Cisco IPS, SNORT, Wireshark or whatever monitoring device you have into interface gi9/32 and let the packet capture being.

http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/ Article Source: http://EzineArticles.com/?expert=Kim_Lung

Cisco DHCP Configuration

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked devices to obtain information required to operate on an Internet Protocol network.

When a DHCP client is first switched on, it sends a broadcast packet on the network with a DHCP request. If there is a DHCP server exists in the network, this request will be picked up by the DHCP server. The DHCP server will allocate an IP address to the PC, from one of the pools of addresses it managed.
 
DHCP clients use a broadcast packet to find a DHCP server, so if a client is on one side of a router, and the server on the other, normally these broadcast packets will be filtered out. Many routers today include support for DHCP- forwarding, but it is not enabled by default.
 
Many system administrators do not realize that DHCP service can be enabled in Cisco devices. In this article, we will show the method on configuring DHCP on a Cisco router.
 
Router1, a Cisco router with an IP address of 10.0.0.110 (/24), will be configured as DHCP server. it will be configured to hand out IP addresses in the range from 10.0.0.1 through 10.0.0.254. It will also provide the information identifying itself as the default gateway and DNS server. Our local domain name will be ChengSoonGiap.com.
 
First of all, enter the configuration mode in Router1.
 
Router1#config t
 
By default, the Cisco IOS DHCP server and relay agent features are enabled on your router. To re-enable these features if they are disabled, use the following command in global configuration mode:
 
Router1(config)# service dhcp
 
In the case that you may like to reserve few addresses, you are able to tell the router to do so. In the following example, we will exclude address from 10.0.0.110 to 10.0.0.120 and from 10.0.0.200 to 10.0.0.254.
 
Router1(config)#ip dhcp excluded-address 10.0.0.110 10.0.0.120
Router1(config)#ip dhcp excluded-address 10.0.0.200 10.0.0.254
 
The next step is to create a DHCP pool. In the following example, we created a DHCP pool named "LAN".
 
Router1(config)#ip dhcp pool LAN
 
After DHCP pool is created, we will define the IP address pool. This is the IP address space which will be assigned to users automatically by Cisco router.
 
Router1(DHCP-config)#network 10.10.0.0 255.255.255.0
 
Other options for DHCP can be added after this step.
 
Router1(DHCP-config)#default-router 10.0.0.100
Router1(DHCP-config)#dns-server 10.0.0.105 10.0.0.106
Router1(DHCP-config)#domain-name ChengSoonGiap.com
Router1(DHCP-config)#
Router1(DHCP-config)#exit
 
If the interface of the router is not set yet, following is the configuration for it.
 
Router1(config)#
Router1(config)#interface f0/0
Router1(config-if)#IP address 10.0.0.100 255.255.255.0
Router1(config-if)#
Router1(config-if)#end
Router1#
Router1#copy run start
 
It is possible to create multiple DHCP pools in the router configuration. By using the current DHCP pool as reference, create another DHCP pool using the network/mask and gateway that you plan to be assigned to hosts connected to another interface. The router will be able to determine which DHCP pool to be used based on which interface the client DHCP discover packet it received.

How to: Cisco 2600 Router's Password Recovery

As you might already know, the configuration register value is the key player in password recovery. This is due to the fact that the configuration register value controls the boot sequence. The part that matters in the configuration register here is the sixth bit. When this bit is off, the router look into the NVRAM for the configuration. If the bit is on, the router neglects the contents of NVRAM and acts as if there is no (startup-config). So, to get things going when you have forgotten the password, or a previous administrator does not give you the password due to lack of documentation, you can bypass this problem.

Go through the following steps carefully:

1. Interrupt the router booting operation. This is done by pressing (Ctrl+Break) key simultaneously as soon as you turn on the router. This step will get you to the ROM monitor mode (rommon).

You will have the following:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2600 platform with 32768 Kbytes of main memory
PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374 monitor:
command "boot" aborted due to user interrupt

rommon 1 >

The (rommon 1 >) prompt is for the ROM monitor mode.

2. Now you should change the value of the configuration register in order to make the router neglect the contents of the NVRAM in the next boot up. This is achieved using the following command:

rommon 1 > confreg 0x2142

This command will change the sixth bit (originally the configuration register is 0x2102) to one. By doing so, the router will act as new in the next boot.

3. Perform a restart to the router using the following command:

rommon 1 > reset

4. The router now will restart and ask you if you want to use the setup mode and of course you will say no. Now, in order not to loose the configuration that you already have in the router, you should go to the USER privileged mode and perform:

Router#copy start run

This will get you back your old configuration but with one exception, you already are in the privileged mode without having to know the password..!!!!

Now you put a new password or passwords if you may:

Router(config)#enable secret blabla

And you can also put new console and telnet passwords if you like.

5. To get things going back to normal, change the value of the configuration register to its original form (0x2102) using the following global configuration command:

Router(config)#config-register 0x2102

6. Now you should save the configuration including the new passwords that you know:

Router#copy run start

7. Now reload and you are good to go:

Router#reload

What we have done in these steps is that we by passed the original configuration that has the unknown password, and then we got to the privileged mode without the need to know the password. And then we loaded the old configuration so we don’t loose it and imposed a new password and saved things back to the NVRAM. And then we got back to the original boot sequence. A piece of cake, isn’t it??

http://www.certificationist.com/
http://www.mohammedalani.com/
Article Source: http://EzineArticles.com/?expert=Mohammed_Alani

DDR Configuration

DDR Legacy Concepts and Configuration

Step 1: Routing Packets Out the Interface to be Dialed

ip route 192.168.0.0 255.255.255.0 10.0.0.1

Step 2: Determining the Subset of the Packets That Trigger the Dialing Process

access-list 101 permit tcp any host 192.168.0.1 eq 80

! all ip packets being considered interesting
dialer-list 1 protocol ip permit

! all packets to the web servers consider interesting
dialer-list 2 protocol ip list 101

interface bri 0
encapsulation ppp
ip address 10.0.0.2 255.255.255.0

! Use this one if all ip is considered interesting
dialer-group 1

! or use next statement to trigger for web to server ! if you type the next command, it would replace the dialer-group 1
! command; only one dialer-group is allowed per interface
dialer-group 2

Step 3: Dialing (Signaling)

One site:
=========
interface bri 0
encapsulation ppp
dialer string 818186666 <- the phone number that is to be used to signal a connection
ip address 10.0.0.2 255.255.255.0
! Use this one if all ip is considered interesting
dialer-group 1

Multi sites:
============
interface bri 0
encapsulation ppp
ip address 10.0.0.2 255.255.255.0
! Use this one if all ip is considered interesting
dialer map ip 192.168.0.1 broadcast name KL 1800111111
dialer map ip 192.168.0.2 broadcast name Sing 1899933488
dialer-group 1

VLAN

1. Create and name two VLANs
Switch_A#vlan database
Switch_A(vlan)#vlan 2 name VLAN2
Switch_A(vlan)#vlan 3 name VLAN3

2. Assign ports to VLAN 2
Switch_A#configure terminal
Switch_A(config)#interface fastethernet 0/2
Switch_A(config-if)#switchport mode access
Switch_A(config-if)#switchport access vlan 2

Telnet sessions

1. Suspend the current Telnet session: Ctrl-Shift-6 x
• enter
2. show sessions: Reveals all sessions are in used.
3. To Resume the previouly suspended telnet session:
• Type the number of the session shown on show sessions

CDP

1. show cdp interface
2. show cdp neighbors
3. show cdp neighbors detail
4. debug cdp packets
5. undebug all
6. show cdp traffic
7. clear cdp counters