Cisco Tips & Tricks

October 27, 2008

Compute an access-list to match even or odd networks

Filed under: Access-lists, ccie, IP Routing, Router, security, Technology and Software — ciscotips @ 10:16 pm

One of my old student who is preparing for CCNP asked me on how to write an access-list for permitting/denying even or odd networks. So I am just pasting my email reply to him

Here is a simple tip to write an access-list for even or odd networks.

Lets say we are asked to permit all odd or permit all even for ?

We’ll play the game with last octet or I should say the least significant bit of last octet.

-If it is 0, the IP address will be Even

-If it is 1, the IP address will be Odd = – odd =  – odd =   even =   even

FOR Even Networks

The IP address will be

With the wild card mask as

254 = 11111110

Here, 0 means DO CARE of the last bit in IP address (must be ZERO)

Hence ACL will be

access-list 1 permit

For Odd Networks

The IP address will be

With the wild card mask as

254 = 11111110

Here, 0 means DO CARE of the last bit in IP address (must be ONE)

Hence ACL will be

access-list 1 permit



January 31, 2008

Cisco Open source tools

Filed under: cisco, IP Routing, security, Switching, Technology and Software — ciscotips @ 3:13 am

I came across a great resource, Cisco-centric Open Source Community (COSI). COSI is an Internet-based community that develops free Cisco tools and makes them available for download from its Web site. There are almost 50 utilities available for download. The scripts and utilities all include documentation, and the community has developed all of these tools to work with Cisco IOS routers, switches, firewalls, or CiscoWorks management software.

COSI’s Web site also offers other advantages. Clicking the link to download a script takes you to a community download page, which also features discussion forums for questions and support of these tools. It’s important to remember that Cisco’s Technical Assistance Center (TAC) doesn’t support these tools, so you must count on your own skills and the help of others in the community.

A tradeoff: These tools are not ideal for new Cisco IOS users or anyone who doesn’t have some Linux experience. Many of these tools help automate more advanced Cisco admin tasks when administering a midsize to large Cisco network

April 28, 2007

Why port Security?

Filed under: cisco, security, Switching — ciscotips @ 10:02 pm

Port security can be the best method of security incase you do not have a physical control of your devices in the location. Port security will only let group of address/addresses to access the switch securing your network from physical attacks.

Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port.

Command to enable port security

In config mode, use following command to enable port security

switchport port-security

To define allowed mac-addrresses

switchport port-security maximum max_addrs

To set security violation

switchport port-security violation {shutdown | restrict | protect}

November 29, 2006

Access Violations

Filed under: Access-lists, cisco, security — ciscotips @ 10:54 pm

The cool feature of access lists allow monitoring / logging  ACL violations and it can be used to characterize traffic associated with network attacks, by logging the suspect traffic. By using the log keyword at the end of the acl you can do logging

Access-list 120   deny ip  any any log

This option causes logging of the IP addresses and port numbers associated with packets matching an access list entry. Newer versions of IOS also provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it. Either option causes an informational logging message about the matching packet to be sent to the console (by default). The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

This logging mechanism may drop some messages if either too many messages or more than one message in 1 second need to be displayed. This prevents the router from crashing due to too many logging packets. Therefore, the logging facility cannot be treated as an accurate source of information in terms of number of matches to an access list.

A more accurate tracking tool is accounting on the interface:

ip accounting [access-violations] [output-packets]

To display IP access violations use the following command:

show ip accounting access-violations

which shows information about packets that failed access lists and were not routed.

June 16, 2006

WiFi Security Standards & Best Practices

Filed under: Router, security, wifi — ciscotips @ 2:20 pm

Ramneek Khurana sent me following post for Wifi Best practices.

Latest Wifi security standards WPA2

In 2004, the Wi-Fi Alliance introduced Wi-Fi Protected Access 2 (WPA2™), the second generation of WPA security. Like WPA, WPA2 provides enterprise and home Wi-Fi users with a high level of assurance that their data will remain protected and that only authorized users can access their wireless networks. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard ratified in June 2004. WPA2 uses the Advanced Encryption Standard (AES) for data encryption and is eligible for FIPS (Federal Information Processing Standards) 140-2 compliance.WPA2 supports IEEE 802.1X/EAP authentication or PSK technology. It also includes a new advanced encryption mechanism using the Counter-Mode/CBC-MAC Protocol (CCMP) called the Advanced Encryption Standard (AES).

WPA2 Security Advantage

When compared with the IEEE 802.11 security standard using 40-bit WEP with no dynamic keying, TKIP and AES make it far more difficult-if not impossible-for a would-be intruder to break into a Wi-Fi network. By greatly expanding the size of keys and number of keys in use, creating an integrity checking mechanism, using a strong encryption cipher; and imposing replay protection, AES and TKIP greatly increase the strength and complexity of wireless encryption. Together with the IEEE 802.1X/EAP mutual authentication framework, TKIP and AES magnify the complexity and difficulty involved in decoding data on a Wi-Fi network—making the Wi-Fi network secure.

AP side configs for WPA2


interface Dot11Radio0


encryption mode ciphers aes-ccm

Wifi Aps management security best practices

1.)     Disable the wifi management via radio interfaces, management should be allowed only via Ethernet interface on AP.

2.)     Apply VTY filters to make sure the management interfaces are accessible only via management VLANs
3.)     Disable the http/https service on AP.  

June 7, 2006

How to block skype

Filed under: Access-lists, QOS, Router, security — ciscotips @ 4:36 am

On April 4th 2006, Cisco released IOS version 12.4 (4) T. Cisco introduced much awaited Skype classification in NBAR . So now with simple policy you can block skype. Skype can be blocked in a similar way as we use to block kazza,limewire and other p2p applications.


NBAR configuration to drop Skype packets

class−map match−any p2p
match protocol skype

policy−map block−p2p
class p2p

int FastEthernet0
description PIX−facing interface
service−policy input block−p2p

If you are unsure about the bandwidth eating applications being used in your organisation. you can access the interface connected to the Internet and configure following command

ip nbar protocol-discovery.

This will enable nbar discovery on your router.

Use following command:-

show ip nbar protocol-discovery stats bit-rate top-n 10

it will show you top 10 bandwidth eating applications being used by the users. Now you will be able to block/restrict traffic with appropriate QoS policy.

we can also use ip nbar port-map command to look for the protocol or protocol name, using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned) port numbers.

Usage as per cisco:-
ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535

June 4, 2006

Anti-spoofing rules for Internet routers

Filed under: Access-lists, Router, security, Technology and Software — ciscotips @ 12:41 am

As per my experience we should always try to use seperate internet routers for internet services in comparison to our company intranet routers for intranet. Exceptions are always there but it will be considered as a bad design, if we are using single router for internet and intranet traffic. Assuming we are using a seperante internet routers. Here are some anti-spoofing tips.

1)Always create a set of access-lists which deny’s access to your company’s private ipaddress & local host range from internet:-

access-list extended antispoofing
deny ip any
deny ip any
deny ip any
deny ip any

2)Create anti-spoofing rule for the public IP block associated with this internet connection

Continuing with anti-spoofing access-list, add following
deny ip x.x.x.x any

3)Deny access of all ip addresses to external/serial interface of router.

Continuing with anti-spoofing access-list, add following
deny ip any host x.x.x.x

4) deny icmp and don’t forget to add permit any any statement at the end of anti-spoofing aaccess-list.

Continuing with anti-spoofing access-list, add following
deny icmp any any echo
permit ip any any

5)Apply anti-spoofing access-list to public interface (where ur internet is terminating)


interface Serial0
ip access-group antispoofing in

After applying anti spoofing rules , make sure logging is enabled and disable all eroneous services as follows:-

logging buffered informational
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

service password-encryption
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no ip unreachables
no cdp run
no ip source-route
no ip finger
ip subnet-zero
no ip source-route
no ip finger
no ip http server

Secure your SNMP and telnet access by using access-list. Only allow telnet/SNMP access through one or two trusted servers.

May 3, 2006

Testing Remote Authentication of Users on Wireless Network

Filed under: cisco, Router, security, wifi — ciscotips @ 6:18 pm

I am not a Wireless guy but found a beautiful tip for you  wireless geeks. 

One of the greatest challenges in supporting a large wireless network is testing authentication from a remote access point. Asking a user to retry a login multiple times can be time consuming and frustrating.

To solve this problem, you can use the test aaa group command to test both RADIUS and TACACS authentication using a user ID and password combination from the access point:

AP#test aaa group ? radius Test list of all Radius hosts tacacs+ Test list of all Tacacs+ hosts While this isn’t exactly like a connecting user, it can verify a critical piece of the login. Here are some examples using the command.

AP#test aaa group radius <domain>\<userid>

<goodpassword> new

Trying to authenticate with Servergroup radius User successfully authenticated

AP#test aaa group radius <domain>\<userid>

<badpassword> new

Trying to authenticate with Servergroup radius User rejected

Blog at