This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.
Cisco IOS
A large series about the operating system of Cisco's active elements. It contains some of the most read articles on this site. The articles describe the configuration of switches and routers, primarily with Cisco IOS. Things about ports, VLANs, STP, ACLs, QoS, etc.
Cisco IOS 1 - introduction, show command
The company Cisco is known to almost everyone in the field of active elements. A large part of their devices is equipped with a unified operating system called IOS (Internetwork Operating System), which offers a wide range of configuration and management options. In this first part of a series of articles on IOS, I will cover a general description of IOS, how to use it, and the very important show command, which is used to display information.
08.03.2007 | Samuraj - Petr Bouška | Cisco admin | 149 631x | Comments [12]
Cisco IOS 2 - IOS version, upgrade and backup
In the second part of the articles about the operating system of Cisco active elements, I will briefly describe the switches and then the procedures for upgrading the IOS and the related backup of the IOS and configuration.
16.03.2007 | | Cisco admin | 58 400x | Comments [16]
Cisco IOS 3 - interface/port settings - access, trunk, port security
Continuing the description of the Cisco switch operating system, I will focus on probably the most used area: setting parameters for ports and interfaces. It ranges from basic properties, through the use of VLANs and IP address settings, to securing ports with the Port Security feature. The description is only brief and there are practical examples at the end.
18.05.2009 | 09.04.2007 | | Cisco admin | 170 026x | Comments [11]
Cisco IOS 4 - reset, password recovery
In the next part of the description of Cisco IOS, I will focus on methods to delete the existing configuration of the switch and thus bring it to the default state. The second part describes the procedure for recovering the password if we forget the original one.
25.04.2007 | | Cisco admin | 57 081x | Comments [15]
Cisco IOS 5 - communication with a switch
The next part of the Cisco IOS description is dedicated to summarizing the individual options for connecting to the switch so that it can be configured. This is not only a description of the options, but also information about configuring these properties and securing access.
16.05.2007 | | Cisco admin | 86 427x | Comments [9]
Cisco IOS 6 - Initial Switch Configuration
This part of the Cisco IOS series is just a list of basic features that I think are good to set up on a new switch. Most of the features have been covered in previous episodes, so they are only briefly listed here.
08.06.2007 | | Cisco admin | 99 926x | Comments [8]
Cisco IOS 7 - VLAN configuration, VTP
This part of the Cisco IOS description focuses on the important, and practically necessary, area of virtual local networks, i.e. VLANs. I covered the theory in an earlier article, so this is a practical description of VLAN configuration. Also mentioned are the Dynamic Trunking Protocol (DTP) for automatic trunk negotiation and the useful VLAN Trunking Protocol (VTP) for configuring a VLAN in one place and automatically distributing it to other switches.
23.04.2009 | 18.06.2007 | | Cisco admin | 145 479x | Comments [23]
Cisco IOS 8 - ACL - Access Control List
The next part of the series about Cisco IOS is a bit more theoretical and deals with the subject of Access Control List, i.e. ACL. We can say that it is about controlling or identifying access to some object. I start with a more general description and division of ACLs, and continue with the more widespread IP ACLs and the slightly less used MAC ACLs. The article also shows the configuration of Standard, Extended and Named ACL on Cisco devices and their application on a Port or L3 interface.
07.04.2009 | 10.08.2007 | | Cisco admin | 92 055x | Comments [18]
Cisco IOS 9 - Spanning Tree Protocol
Another, largely theoretical, part of the description of Cisco IOS is devoted to the topic of loops in the network (i.e. non-tree topology). First, I mention the disadvantages and, conversely, the advantages that loops bring us. Subsequently, I describe the solution of related problems using the Spanning Tree Protocol (STP). And in the end, PVSTP configuration using IOS commands is described.
03.05.2009 | 20.08.2007 | | Cisco admin | 131 398x | Comments [25]
Cisco IOS 10 - Rapid Spanning Tree Protocol
This article directly follows on from the previous part, where the STP protocol and PVSTP configuration were described in general. This part gives a much more concise description, mainly focused on configuration, of the two newer versions of STP, that is, RSTP and MSTP. It also describes my practical experience of switching to RSTP, and there is a brief mention of Flex Link.
01.09.2007 | | Cisco admin | 54 707x | Comments [6]
Cisco IOS 11 - IEEE 802.1x, port authentication, MS IAS
The article is devoted to the IEEE 802.1x protocol and its practical implementation. It is a useful, relatively simple protocol that has been around for several years and is being implemented more and more. A number of other services are based on it. Dot1x is used for access control at the edge of the network (on the port). I briefly describe the basic implementation on a Cisco switch; the greater part of the article is devoted to the configuration of the MS version of the RADIUS server (IAS) and finally to the configuration of the client.
10.10.2007 | | Cisco admin | 48 495x | Comments [5]
Cisco IOS 12 - IEEE 802.1x and more advanced features
In the previous part, you could find a description of the IEEE 802.1x protocol and its basic configuration (only allowing user access to the port) both on the Cisco Switch and on the Microsoft IAS server (i.e. RADIUS) and the Windows client. This part goes on to describe the configuration of other interesting options. The most interesting thing is probably the possibility of assigning a port to certain VLANs according to user authentication and its inclusion in a group in AD or allowing access (to a certain part of the network) to a user who has not passed authentication.
24.10.2007 | | Cisco admin | 33 729x | Comments [6]
Cisco IOS 13 - DHCP services on the switch
This time, a more practical part that deals with DHCP services. As the main service, Catalyst switches offer the possibility to operate a DHCP server. I won't go into the considerations of deploying such a DHCP server in a production network, but it is at least a useful feature for various testing and labs. Another useful and frequently used function is the DHCP Relay Agent, i.e. forwarding DHCP requests to the server. The interesting security function DHCP Snooping is also definitely worth noting.
06.01.2008 | | Cisco admin | 84 422x | Comments [12]
Cisco IOS 14 - tips for routine work
The article provides some advice on how to perform everyday operations more easily and quickly. Tips cover areas covered in previous volumes, and either bring something I've additionally learned or been advised by readers, or simply highlight something previously covered.
29.02.2008 | | Cisco admin | 42 003x | Comments [4]
Cisco IOS 15 - backups and restores of configuration and images
If we have many active elements in the network, a number of operations need to be automated as much as possible. One of the operations that is good to perform regularly is a configuration backup. A newer feature in Cisco IOS is configuration archives and the archive function. Using it, we can (automatically) save, organize and manage configuration archives, return to older configurations (rollback), log configuration changes and manage (back up and upgrade) IOS images. This is definitely an interesting and useful feature.
13.03.2008 | | Cisco admin | 39 301x | Comments [4]
Cisco IOS 16 - HSRP - Hot Standby Routing Protocol
HSRP is a Cisco protocol that is useful and easy to configure. It is used to ensure high availability in the network using the redundancy of routers (gateways). Just as STP solves the redundancy of paths in the network (and we need to double the link), so HSRP solves the redundancy of the first hop at Layer 3 OSI (we need to double the router). The article does not discuss the theory of HSRP, but focuses on its practical significance and description of the (basic but sufficient) configuration. Other protocols are also briefly mentioned - IRDP, VRRP and GLBP.
13.05.2009 | 27.05.2008 | | Cisco admin | 54 114x | Comments [27]
Cisco IOS 17 - more switches as Stack - StackWise technology
Stack is an interesting technology that allows some fixed Cisco switches to be combined into one unit that has a common configuration and management and also increases reliability. This essentially creates one new large switch that owns all the ports. To create a basic stack, you just need to connect the individual switches using a special cable, and everything else should be done automatically. Still, it's good to know what's going on and how it works. And also know a few configuration commands, mainly from the IOS upgrade area, because all switches must have the same version.
29.07.2008 | | Cisco admin | 39 577x | Comments [13]
Cisco IOS 18 - inter-VLAN routing and ACL - routing between VLANs
This article logically follows on from the description of VLANs. Consider that we have divided our LAN into VLANs (subnets), thereby limiting broadcast domains, segmenting the network, and gaining other benefits. But now we need at least some (or only some) VLANs to be able to communicate with each other. So we need to route between individual VLANs; this is called inter-VLAN routing. This article describes how to operate such routing and how to restrict it using an Access Control List (ACL).
24.12.2008 | | Cisco admin | 65 685x | Comments [13]
Cisco QoS 1 - introduction to Quality of Service and DiffServ
If we are downloading a file from the network or browsing a web page, we don't even notice the many problems that occur during the transfer. These are, for example, various delays in packet delivery or delivery in a different order than the transmission. The communication protocol handles these problems and corrects everything. The problem occurs with operations where we need the result immediately, such as VoIP and streaming audio/video. Then these problems will manifest themselves in the failure of video and audio. The technology that solves these problems is called Quality of Service.
18.01.2009 | | Cisco admin | 37 952x | Comments [2]
Cisco QoS 2 - Classification and Marking, Modular QoS CLI
This part of the Cisco-focused Quality of Service series covers the first action we need to take when applying QoS. This involves examining the traffic and sorting it into classes (classification), and then marking each packet with that class (marking).
26.01.2009 | | Cisco admin | 31 202x | Comments [6]
Cisco QoS 3 - Rate Limiting - Policing, Shaping
In the last episode we dealt with sorting traffic into classes. We also covered the Modular QoS CLI, which is used to configure most QoS features on Cisco IOS. The commands for the properties that will be covered in this article were also briefly mentioned. These are bandwidth management - Traffic Rate Management, i.e. setting the maximum rate that a certain traffic (for example, a user) can consume. We will use the method of policing (rate limiting) and shaping.
01.02.2009 | | Cisco admin | 33 841x | Comments [2]
Cisco QoS 4 - Speed Guarantee - Queuing
In this section we will focus on the area of Congestion Management. Different queues are used for this purpose. In practice, it means that we can define a certain bandwidth for some communication, i.e. guarantee the bandwidth, and possibly also ensure expedited handling (i.e. low latency) in order to prioritize traffic. In the second part I will only lightly mention a similar area, Congestion Avoidance, which is solved by intelligent dropping.
08.02.2009 | | Cisco admin | 28 342x | Comments [0]
Cisco QoS 5 - QoS on the switch, MLS, SRR, Auto QoS
The configurations that were described in the previous parts were primarily intended for routers, although they can also be used (sometimes in a more limited form) on switches. In this article, I'll cover the special commands and configurations designed for switches. Due to the principle of operation, when a switch often connects end clients, it needs to handle different operations than a router.
14.02.2009 | | Cisco admin | 30 263x | Comments [6]
Cisco QoS 6 - practical examples of QoS usage
The last part of the series on Quality of Service focuses on simple practical examples. For those who have read the previous parts, it shows more complex configurations. But it is also suitable for those who have not read the previous articles. In my opinion, we can configure various properties without knowing the principle by which they will be implemented. The biggest focus is on the various options for limiting the speed (throughput) of the port.
28.02.2009 | | Cisco admin | 33 011x | Comments [7]
TCP/IP - Internet Protocol Version 6 - IPv6
Internet Protocol (IP) is used for data communication in switched computer networks that use TCP/IP. It is the most widely used protocol on the Internet and on LANs. The first major version is now referred to as IPv4 and is still the majority version in use. Its main disadvantage is that addresses are 32 bits in size. Therefore, a new version of IPv6 has been created, which brings a number of advantages, but the main difference is that the addresses are 128 bits large. IPv6 is now being deployed globally.
05.03.2009 | | networks | 45 919x | Comments [1]
TCP/IP - IP Multicast and Cisco multicast
Multicast is a method of efficiently communicating from one sender to multiple receivers. An example is Internet radio (and by comparison, regular radio), where there is one source and many receivers receiving the same data at the same time. In practice, this is often handled by making individual connections for each receiver. So the server is heavily loaded and part of the network infrastructure is unnecessarily overloaded with the transmission of duplicate data. With multicast, we deliver information simultaneously to a group of recipients in the most efficient way so that the message travels only once through each network node, with copies being made only where the paths to the recipients split. This article explains the general principle of multicast and then discusses the Internet Group Management Protocol (IGMP) and the Protocol Independent Multicast (PIM) routing protocol in all its variants.
10.03.2009 | | networks | 79 183x | Comments [4]
Cisco Routing 1 - General Features of Routing Protocols
This series is about routing in computer networks. The individual descriptions are generally valid, but are presented here with a focus on Cisco products and with a description of configuration in Cisco IOS. This first part discusses the basic breakdown of routing protocols and category descriptions. It describes basic terms and shows general IOS configuration commands. It also covers Policy Based Routing, address summarization, filtering, and path redistribution.
20.03.2009 | | networks | 76 604x | Comments [12]
Cisco Routing 2 - EIGRP - Enhanced Interior Gateway Routing Protocol
The second part on routing, focusing on Cisco device configurations, covers Cisco's proprietary Enhanced Interior Gateway Routing Protocol (EIGRP).
29.03.2009 | | networks | 51 794x | Comments [7]
Cisco Routing 3 - OSPF - Open Shortest Path First
The third part on routing, focusing on Cisco device configurations, covers perhaps the most widely used standardized protocol for intra-AS routing, Open Shortest Path First (OSPF).
03.04.2009 | | networks | 64 988x | Comments [10]
Cisco Routing 4 - IS-IS - Intermediate System to Intermediate System
The fourth part on routing, focusing on Cisco device configurations, discusses a competing protocol to OSPF, the standardized Intermediate System to Intermediate System (IS-IS).
09.04.2009 | | networks | 20 386x | Comments [3]
Cisco Routing 5 - BGP - Border Gateway Protocol
The fifth installment on routing, focusing on Cisco device configurations, covers a routing protocol that is designed for routing between ASes and is used for the entire Internet, the Border Gateway Protocol (BGP).
18.04.2009 | | networks | 47 013x | Comments [3]
Cisco Routing 6 - Routing Protocol Comparison
In the previous parts of the series on routing (mainly from the perspective of Cisco elements) I briefly described the characteristics of the main routing protocols. In this latest installment, I attempt a brief tabular comparison of the main features. This is not intended for decision making when choosing a suitable routing protocol, but rather for the overview needed for the Cisco test.
28.04.2009 | | networks | 23 253x | Comments [4]
Cisco IOS 19 - Private VLAN and Protected Port
Sometimes a situation may arise when we want to limit communication between some clients within the same subnet (VLAN), for example so that clients cannot communicate with each other but can still reach the Internet. A technology called Private VLAN serves this purpose well, as does the simpler Protected Ports mechanism. Finally, I mention the mechanism that blocks unknown unicasts or multicasts.
20.05.2009 | | Cisco admin | 34 212x | Comments [5]
Cisco IOS 20 - VLAN access-map - VLAN map - VACL
An Access Control List (ACL) is a list of rules that control or identify traffic on an object (such as a port or VLAN). A VLAN map is an extension based on an ACL that restricts traffic within a VLAN. In addition, it covers all traffic, that is, switched and routed traffic. This article describes the principle, use, and configuration of VLAN maps.
29.05.2009 | | Cisco admin | 26 351x | Comments [3]
Cisco IOS 21 - EtherChannel, Link Aggregation, PAgP, LACP, NIC Teaming
EtherChannel is a technology for link aggregation (or port bundling) on switches, routers, and servers. It allows multiple physical Ethernet ports/links to be combined into a single logical link, which provides fault tolerance and increases speed (load balancing). EtherChannel can be configured manually or by using Cisco's proprietary Port Aggregation Protocol (PAgP) or the standardized Link Aggregation Control Protocol (LACP). This technology is used between switches, but it can also be used for server connections, here referred to as NIC Teaming or Bonding.
01.07.2009 | 08.06.2009 | | Cisco admin | 65 877x | Comments [3]
Common attacks on switches, Cisco Dynamic ARP Inspection
This article only summarizes basic information about the most common types of attacks on switches. The information it provides can be found in many places, so I am including it here for completeness. MAC flooding, ARP spoofing, VLAN hopping attacks are described and methods to defend against them on Cisco switches are mentioned. A defense method called Dynamic ARP Inspection is also discussed.
18.06.2009 | | networks | 47 976x | Comments [3]
Cisco - Router Switching methods and related terms - CAM, FIB, CEF
When a router or L3 switch is forwarding packets (routing), it uses one of the methods called Router Switching Path, which determines how fast it can work. Some of these methods are Process Switching, Fast Switching, and Cisco Express Forwarding. The article briefly mentions these methods and also describes related terms such as CAM table, FIB, ARP, as well as switch, MLS and router. Some of these terms are described in more detail in earlier articles.
28.06.2009 | | networks | 41 007x | Comments [2]
Cisco IOS 22 - traffic monitoring/control/mirroring - SPAN and RSPAN
This article describes a very useful and simple-to-configure feature that copies all traffic from one (or more) switch ports to another port. This is useful when we need to analyze the network traffic of a device, when we want to connect an IDS/IPS system to the network, or in some other cases.
15.07.2009 | | Cisco admin | 31 872x | Comments [1]
Cisco IOS 23 - User authentication on the switch against Active Directory
In this part of the Cisco IOS configuration series, we look at securing access to the switch's command line (CLI), i.e. IOS. We will primarily deal with authentication on the switch against MS Active Directory (with the help of a RADIUS server), but we will also look at other options. A simple description of this issue was already given in part 5.
15.10.2009 | 15.09.2009 | | Cisco admin | 30 538x | Comments [5]
Cisco QoS 7 - Additional Information
This article contains various additional information regarding Quality of Service (very briefly) that I needed when I was preparing for the Cisco 642-845 test. Besides the minor additions, it talks about Link Efficiency Management, QoS pre-classification, Control Plane Policing, Cisco Router and Security Device Manager, and the addition of Auto QoS.
05.11.2009 | | Cisco admin | 18 198x | Comments [3]
Cisco NX-OS 1 - Virtual Port Channel
I am placing this short article in the Cisco IOS category, even though it is about Cisco Nexus switches and thus NX-OS. It is an extension of EtherChannel (or PortChannel or Link Aggregation), i.e. aggregating (bundling) multiple ports into one virtual port. Normally, in aggregation, the ports must be located on a single physical switch or stack. The vPC technology allows the ports to be on two different Nexus switches.
25.08.2016 | | Cisco admin | 16 192x | Comments [4]
Cisco IOS 24 - security of communication on ports
A brief overview of the configuration of some of the security features that secure communication on the switch ports. We'll start by mentioning Traffic Storm Control, take a brief look at DHCP Snooping, and then discuss the features that build on it. However, we will focus more on situations where static IP addresses are used instead of DHCP. We will mention Port Security, IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).
09.11.2016 | 19.10.2016 | | Cisco admin | 24 511x | Comments [2]
Cisco NX-OS 2 - port communication security
In the last article, we discussed the security features that secure communication on Cisco IOS switch ports. In this article, we'll look at the same thing, but for the Cisco Nexus. We won't be discussing the actual security methods, just the configuration and changes from IOS.
15.11.2016 | 03.11.2016 | | Cisco admin | 10 212x | Comments [0]
Cisco IOS 25 - StackWise Virtual
Combining multiple switches into a single logical unit has a number of advantages. It simplifies the configuration and topology of the network. We can get rid of some protocols like HSRP/VRRP and partially STP (by using Multichassis EtherChannel). On the access switches, the (HW) StackWise technology is used. Higher-end Catalyst 9000 switches, designed for the distribution layer or the core, have the new StackWise Virtual technology, which is very similar to the older Virtual Switching System. StackWise Virtual allows us to combine two physical switches into one logical switch. It is supported on certain series and models of Catalyst 9000 switches.
11.11.2020 | | Cisco admin | 21 247x | Comments [7]
Cisco IOS 26 - IOS XE upgrade - standalone switch, stack and ISSU
The new Cisco Catalyst 9000 family switches feature IOS XE and use a common image. If they are operating in the recommended Install Mode, a new upgrade process is available to upgrade to a new version or install patches. The method is the same for a single switch, multiple switches connected by StackWise, or a StackWise Virtual cluster. In the latter case, the In-Service Software Upgrades (ISSU) feature can be used.
12.11.2020 | | Cisco admin | 20 695x | Comments [0]