Sunday, November 21, 2010

Uses of straight-through and cross-over cables

The following use cross-over cables:
Switch <-> Switch (DCE to DCE)
Switch <-> Hub
PC <-> PC (DTE to DTE)
PC <-> Router (DTE to DTE)
Router <-> Router (via Ethernet)

Straight-through cables:

Switch <-> PC
Switch <-> Router



Rollover cables are for console access to switches, routers, etc.
They won't transfer data.

Saturday, November 20, 2010

Manual package removal in Ubuntu (Linux)

Suppose you want to remove the cheese package on Ubuntu.
Check whether /var/lib/dpkg/info/cheese.list exists (ls -l /var/lib/dpkg/info/cheese.list).
Then look at the files listed in /var/lib/dpkg/info/cheese.list and manually remove all of them.
Then back up the /var/lib/dpkg/status file,
which contains the info about all packages.
Then manually edit /var/lib/dpkg/status and remove the cheese package entry.
Save it,
then run
apt-get -f install

Done, that's it.
Note: these steps are for when automatic removal has failed or when the package is corrupted and can't be removed.
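The whole procedure above as a script. This is an added example written for these notes, not something from the original post or from Ubuntu; it assumes the standard dpkg locations (/var/lib/dpkg/status, /var/lib/dpkg/info/<pkg>.list) and that the status file is a series of "Package:" stanzas separated by blank lines. The sample status and .list contents at the bottom are constructed so the parsing functions can be exercised without touching a real system; the real removal runs only when a package name is passed on the command line together with --for-real.

```python
import os
import shutil
import subprocess
import sys
import time

STATUS = "/var/lib/dpkg/status"        # dpkg's database of installed packages
INFO_DIR = "/var/lib/dpkg/info"        # per-package control files, incl. <pkg>.list


def split_stanzas(text: str):
    """The status file is a sequence of Package: stanzas separated by blank lines."""
    return [s.strip("\n") for s in text.split("\n\n") if s.strip()]


def stanza_package(stanza: str):
    """Name from the 'Package:' field, or None if the stanza has none."""
    for line in stanza.splitlines():
        if line.startswith("Package:"):
            return line.split(":", 1)[1].strip()
    return None


def drop_package(text: str, name: str):
    """Return (new status text, found): the text with the stanza for `name` removed."""
    stanzas = split_stanzas(text)
    kept = [s for s in stanzas if stanza_package(s) != name]
    return "\n\n".join(kept) + "\n", len(kept) < len(stanzas)


def list_files(list_text: str):
    """Paths from <pkg>.list, deepest first so directories are tried after their contents."""
    paths = [l.strip() for l in list_text.splitlines() if l.strip()]
    return sorted(paths, key=lambda p: p.count("/"), reverse=True)


def manual_remove(name: str, dry_run: bool = True) -> None:
    """The note's steps: check .list, remove its files, back up and edit status, apt-get -f install."""
    list_path = os.path.join(INFO_DIR, name + ".list")
    if not os.path.exists(list_path):
        raise SystemExit(f"{list_path} not found; dpkg does not think {name} is installed")
    with open(list_path) as f:
        paths = list_files(f.read())
    with open(STATUS) as f:
        new_text, found = drop_package(f.read(), name)
    if not found:
        raise SystemExit(f"no stanza for {name} in {STATUS}")
    backup = f"{STATUS}.bak-{int(time.time())}"
    if dry_run:
        print(f"would remove {len(paths)} paths, back up {STATUS} to {backup} and drop the stanza")
        return
    shutil.copy2(STATUS, backup)          # keep a copy before editing by hand
    for p in paths:
        if os.path.isdir(p) and not os.path.islink(p):
            try:
                os.rmdir(p)               # only succeeds if empty: shared dirs stay
            except OSError:
                pass
        elif os.path.lexists(p):
            os.remove(p)
    with open(STATUS, "w") as f:
        f.write(new_text)
    subprocess.run(["apt-get", "-f", "install"], check=False)


# Constructed sample of what the two files look like (not real system contents).
SAMPLE_STATUS = """Package: cheese
Status: install ok half-installed
Version: 2.32.0-0ubuntu1
Description: tool to take pictures and videos from your webcam

Package: curl
Status: install ok installed
Version: 7.21.0-1ubuntu1
Description: Get a file from an HTTP, HTTPS or FTP server
"""
SAMPLE_LIST = """/.
/usr
/usr/bin
/usr/bin/cheese
/usr/share
/usr/share/cheese
/usr/share/cheese/cheese.ui
"""

if __name__ == "__main__":
    text, found = drop_package(SAMPLE_STATUS, "cheese")
    print(found, [stanza_package(s) for s in split_stanzas(text)])   # True ['curl']
    print(list_files(SAMPLE_LIST)[0])                                # /usr/share/cheese/cheese.ui
    if len(sys.argv) > 1:
        manual_remove(sys.argv[1], dry_run="--for-real" not in sys.argv)
```

The dry run is the default on purpose: the status file is the only record dpkg has of what is installed, so check the backup path and the file count before running it for real.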

Wednesday, November 17, 2010

Access Lists

1) Standard and extended access lists can both use a wildcard mask
ex: access-list 101 permit ip 192.168.32.0 0.0.7.255 any
    access-list 10 permit 192.168.146.0 0.0.1.255
You may have noticed there is no "ip" keyword in access-list 10 (the standard ACL). Any idea why?
Because a standard ACL can't do protocol-based filtering;
in an extended ACL we can use permit tcp, permit udp, permit ip, etc.

2) Examples of extended ACLs
Permit traffic from one network to another network:
# access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
Another one, from a specific host to another host:
# access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
Remember the protocols:
tcp, udp, icmp, ip
and for eq: telnet, domain (for DNS)

One sample to deny ICMP from anywhere to host 2.2.2.2:
# access-list 102 deny icmp any host 2.2.2.2

3) Apply the ACL close to the source.
4) Points for editing an ACL
Trick 1: don't edit like this:
no access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
This will remove the whole of access-list 101.

So use one of the methods below.
Method 1
Create a named IP access list from the start:
# ip access-list extended test
(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
(config-ext-nacl)# permit tcp host 2.2.2.2 host 3.3.3.3
This will show up in
sh access-list
in exactly that order.
Then to edit, simply type
# ip access-list extended test
then use
# no permit tcp host 2.2.2.2 host 3.3.3.3
and
to add, simply add new rules (remember those rules will be added at the bottom of the present rules).

Method 2
If we already added an ACL like this:
# access-list 101 permit tcp any any
# access-list 101 permit udp any any
# access-list 101 permit icmp any any

so
check sh access-list
10 permit tcp any any
20 permit udp any any
30 permit icmp any any

This is in increasing order 10, 20, 30;
this is the order they were added.
So to edit:

# ip access-list extended 101
5 deny tcp any any eq telnet

then check
sh access-list
5 deny tcp any any eq telnet
10 permit tcp any any
20 permit udp any any
30 permit icmp any any
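An added example, written for these notes and not taken from the original post or from Cisco: a small Python model of how an IOS-style ACL is evaluated, covering the wildcard-mask test from point 1 and the first-match-by-sequence-number behaviour that method 2 relies on (inserting "5 deny tcp any any eq telnet" in front of "10 permit tcp any any"). Standard ACLs are modelled as source-only entries with protocol "ip". The ACL contents are constructed from the entries shown in these notes; the class, constant and function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")    # IOS "any" == 0.0.0.0 255.255.255.255


def host(ip: str) -> Tuple[str, str]:
    """IOS 'host x.x.x.x' is shorthand for x.x.x.x 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


@dataclass
class Ace:
    """One access-control entry. A standard ACL entry only uses seq/action/src."""
    seq: int
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"; standard ACL -> "ip"
    src: Tuple[str, str]               # (address, wildcard)
    dst: Tuple[str, str] = ANY         # standard ACL: left at ANY
    dst_port: Optional[int] = None     # the "eq <port>" part (tcp/udp only)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:   # "ip" covers every protocol
            return False
        if not wildcard_match(src, *self.src) or not wildcard_match(dst, *self.dst):
            return False
        return self.dst_port is None or self.dst_port == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Walk entries in sequence-number order; first match wins; no match is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None


# --- constructed ACLs mirroring the entries in the notes ---
# access-list 101: permit tcp any any / permit udp any any / permit icmp any any
ACL_101 = [Ace(10, "permit", "tcp", ANY), Ace(20, "permit", "udp", ANY), Ace(30, "permit", "icmp", ANY)]
# after "ip access-list extended 101" + "5 deny tcp any any eq telnet"
ACL_101_EDITED = ACL_101 + [Ace(5, "deny", "tcp", ANY, ANY, 23)]
# standard access-list 2: three host entries, source address only
ACL_2 = [Ace(10, "permit", "ip", host("172.16.1.2")),
         Ace(20, "permit", "ip", host("172.16.1.10")),
         Ace(30, "permit", "ip", host("172.16.1.11"))]

if __name__ == "__main__":
    print(wildcard_match("192.168.39.7", "192.168.32.0", "0.0.7.255"))   # True: inside the /21
    print(evaluate(ACL_101, "tcp", "10.1.1.5", "2.2.2.2", 23))            # ('permit', 10)
    print(evaluate(ACL_101_EDITED, "tcp", "10.1.1.5", "2.2.2.2", 23))     # ('deny', 5)
    print(evaluate(ACL_101_EDITED, "tcp", "10.1.1.5", "2.2.2.2", 80))     # ('permit', 10)
    print(evaluate(ACL_2, "ip", "172.16.1.10", "8.8.8.8"))                # ('permit', 20)
```

The model only sorts by sequence number when it evaluates; it says nothing about the order sh access-list prints, which is the separate point the standard-ACL notes below make. The telnet packet is the case worth watching: with sequence 5 absent it is permitted by 10, and with sequence 5 present it is denied before 10 is ever reached, which is exactly why method 2 works and appending the deny at the bottom would not.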
So what about a standard ACL?

See:
# access-list 2 permit 172.16.1.2
# access-list 2 permit 172.16.1.10
# access-list 2 permit 172.16.1.11

We know the order is based on what was entered first. This means the access list checks the first-entered rule first,
so 10 (sequence number) for 172.16.1.2,
20 for 172.16.1.10,
30 for 172.16.1.11.

But sh access-list shows
30 permit 172.16.1.11
20 permit 172.16.1.10
10 permit 172.16.1.2

This is in decreasing order of IP address.

Note
Cisco IOS orders the entries by decreasing IP address, not by sequence number.
We can check this by
adding new entries:
# ip access-list standard 2
# 25 permit 172.16.1.7
# 15 permit 172.16.1.16
By sequence number,
sh access-list should be
30
25
20
15
10
But it won't; it will be in decreasing order of IP address,
so
15 permit 172.16.1.16
30 permit 172.16.1.11
20 permit 172.16.1.10

Next case: see sh access-list
10 permit 192.168.100.0
15 permit 10.10.10.0, wildcard bits 0.0.0.255
19 permit 200.10.1.1, wildcard bits 0.0.0.255

Why?
Because host entries (no wildcard) are given priority over wildcard entries.
We can check this via
# ip access-list standard 2
18 permit 172.22.1.1
so
sh access-list
10 permit 192.168.100.0
18 permit 172.22.1.1
15 permit 10.10.10.0, wildcard bits 0.0.0.255
19 permit 200.10.1.1, wildcard bits 0.0.0.255

To remove an access list from an interface:
int f0/0
no ip access-group <acl> in/out

Dynamic ACL

Also known as lock-and-key.
It depends on telnet, authentication, and an extended ACL.
This is commonly used when we need to give access to one user (based on authentication).
For the configuration, first enable telnet on the router:

so
# username harry password 0 harry
# line vty 0 4
# login local (this command makes the line use that username)

Giving telnet access to a user is similar to giving the key of your home or office to an outsider.
If you don't trust that user very much, you can use one of the 2 options below.

Option 1) Timeout for that specified user only

# username harry autocommand access-enable host timeout 10

Option 2) Set the timeout for all telnet users
# line vty 0 4
# login local
# autocommand access-enable host timeout 10

Note: timeout 10 means 10 minutes.

Remember, in the next steps while defining the dynamic entry we can specify a timeout; that timeout can override the timeout set above.

The above configuration can be summarised as: telnet access, and the user entering via access-enable.

For this we need to permit telnet traffic to the router:

so
# access-list 120 permit tcp any host <ip of router interface> eq telnet
So the user enters the router via the access-enable function.
Next we define the access list entry that controls which IP ranges the user can reach after entering the router:

# access-list 120 dynamic testlist timeout 15 permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255

Note: here the timeout is 15 minutes; this overrides the 10-minute timeout set above.

Then the important part:
applying the ACL
# int f0/0
# ip access-group 120 in