Configuring netflow – top talkers, etc


NetFlow can be configured on either the internal or the external interface.

ip flow-cache entries 2000
ip flow-cache timeout active 30    (minutes)

On the interface (eg int g0/0):
ip flow ingress
ip flow egress
(or, on older IOS, ip route-cache flow)

ip flow-top-talkers
top 50
sort-by bytes    (sort-by packets is the other option)
cache-timeout 600000    (milliseconds, so 10 minutes)

To query netflow:  sh ip flow top-talkers

Typical output: 

Router#sh ip flow top-talkers
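The page does not carry the output itself, so here is an added example (not from the original page) that parses a constructed sample laid out the way IOS prints show ip flow top-talkers, with hex protocol and port columns and K/M/G byte suffixes. The sample flows, the interface names and the 1000-based suffix handling are assumptions; the point is to turn the listing into records you can sort and filter, for example to pull out the internal hosts sending the most to the outside.

```python
import re
from dataclasses import dataclass

# Constructed sample laid out like IOS "show ip flow top-talkers" output
# (layout assumed from the usual IOS format: hex protocol and port columns,
# byte counts with an optional K/M/G suffix). Not output from the original page.
SAMPLE_TOP_TALKERS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0         10.1.1.10       Gi0/1         203.0.113.5     06 C1A3 0050   349K
Gi0/0         10.1.1.23       Gi0/1         198.51.100.9    11 8F21 0035    12K
Gi0/1         198.51.100.9    Gi0/0         10.1.1.23       11 0035 8F21   1024
Gi0/0         10.1.1.10       Gi0/1         203.0.113.5     06 C1A4 01BB     2M
4 of 50 top talkers shown. 4 flows processed.
"""

# K/M/G treated as 1000-based here (an assumption; compare against the raw
# "show ip cache flow" counters on your platform if the exact figure matters).
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KMG]?)\s*$"
)

@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    nbytes: int

def parse_top_talkers(text):
    """Turn the show output into Flow records; header and trailer lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto_num = int(m.group(5), 16)
        flows.append(Flow(
            src_if=m.group(1), src_ip=m.group(2),
            dst_if=m.group(3), dst_ip=m.group(4),
            proto=PROTO.get(proto_num, str(proto_num)),
            src_port=int(m.group(6), 16), dst_port=int(m.group(7), 16),
            nbytes=int(m.group(8)) * SUFFIX.get(m.group(9), 1),
        ))
    return flows

def bytes_by_source(flows):
    """Aggregate bytes per source address, biggest talker first."""
    totals = {}
    for f in flows:
        totals[f.src_ip] = totals.get(f.src_ip, 0) + f.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def external_talkers(flows, internal_prefix="10."):
    """Inside-to-outside flows sorted by bytes: the first place to look when
    hunting for exfiltration or an infected host. The prefix test is a
    simplification for the sample; use ipaddress networks for real ranges."""
    out = [f for f in flows
           if f.src_ip.startswith(internal_prefix)
           and not f.dst_ip.startswith(internal_prefix)]
    return sorted(out, key=lambda f: f.nbytes, reverse=True)

if __name__ == "__main__":
    for f in external_talkers(parse_top_talkers(SAMPLE_TOP_TALKERS)):
        print(f"{f.src_ip:>15} -> {f.dst_ip:<15} {f.proto}/{f.dst_port:<5} {f.nbytes:>10}")
```

Paste real output in place of the sample; the trailer line ("N of 50 top talkers shown") is ignored by the regex, so the whole screen can be fed in as-is.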

Problem: Switchports will not go into voice VLAN no matter what you do (ISL)

Very old switches running IOS C2900XL software (C2900XL-C3H2S-M), eg the 2924. To get phones working the switchports have to be trunked, and because these switches are so old they default to ISL trunk encapsulation. Cisco IP phones tag their voice traffic with 802.1Q, not ISL, so the port has to be forced to dot1q. Add this to each phone port:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan X

Using an ACL to prevent internet access for a specific host (RFC 1918 addresses)


A reminder: extended ACLs should be placed as close to the source of the traffic as possible.

Hence, if you are trying to block a host from getting to the internet, apply the ACL inbound on the internal (LAN-facing) interface.


Extended IP access list block-xp-inet
    10 permit ip any 10.0.0.0 0.255.255.255 (6208743 matches)
    20 permit ip any 172.16.0.0 0.15.255.255 (38084001 matches)
    30 permit ip any 192.168.0.0 0.0.255.255 (39679 matches)
    40 deny ip <host ip> 0.0.0.1 any (276 matches)
    50 permit ip any any (25393344 matches)
    60 deny ip any any log

Lines 10 to 30 permit traffic to the three private ranges (the RFC 1918 addresses), so the blocked hosts keep their internal access. Line 40 blocks the individual hosts: there were two, so one entry with the wildcard 0.0.0.1 covers both, provided they sit in the same /31-aligned pair (0-1, 2-3, 4-5, 6-7, 8-9, 10-11, 12-13 and so on). The wildcard is applied to the configured address as well, so 10.1.1.5 0.0.0.1 matches .4 and .5, not .5 and .6. Line 50 permits everything else. Line 60 can never match because line 50 already permits everything; it is the per-line match counters that show the list working, and if you want the blocked traffic logged, put log on line 40 instead.
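The wildcard-pair point above is easy to get wrong, so here is an added example (not from the original page) that implements Cisco wildcard matching and first-match evaluation in Python and runs the page's list against sample packets. The blocked pair 10.1.1.4/10.1.1.5 and the outside addresses are assumptions; the page gives no host IP. It also flags the entry behind the any/any permit as unreachable.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is a don't-care bit.
    The mask is applied to the configured base as well, so 10.1.1.5 0.0.0.1
    matches 10.1.1.4 and 10.1.1.5 (the /31-aligned pair), not .5 and .6."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(tokens):
    """Consume one address spec: any | host A | A WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(text):
    """Parse '[seq] permit|deny ip SRC DST [log]' lines into (action, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            tokens.pop(0)                      # sequence number
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only plain 'permit|deny ip' entries handled: {line!r}")
        src = _addr_spec(tokens)
        dst = _addr_spec(tokens)               # trailing 'log' is ignored
        aces.append((action, src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First match wins, as on IOS; the implicit deny covers the rest."""
    for action, (sb, sw), (db, dw) in aces:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "deny"

def shadowed(aces):
    """Indices of entries that can never match because an earlier entry is a
    full any/any. Only this simple case is detected."""
    hidden, seen_any_any = [], False
    for i, (_, (_sb, sw), (_db, dw)) in enumerate(aces):
        if seen_any_any:
            hidden.append(i)
        if sw == "255.255.255.255" and dw == "255.255.255.255":
            seen_any_any = True
    return hidden

# The page's list with a hypothetical blocked pair 10.1.1.4/10.1.1.5 filled in.
BLOCK_XP_INET = """
10 permit ip any 10.0.0.0 0.255.255.255
20 permit ip any 172.16.0.0 0.15.255.255
30 permit ip any 192.168.0.0 0.0.255.255
40 deny ip 10.1.1.4 0.0.0.1 any
50 permit ip any any
60 deny ip any any log
"""

if __name__ == "__main__":
    acl = parse_acl(BLOCK_XP_INET)
    for src, dst in [("10.1.1.4", "203.0.113.9"), ("10.1.1.6", "203.0.113.9"),
                     ("10.1.1.4", "192.168.50.7")]:
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
    print("unreachable entries:", shadowed(acl))
```

Changing the base on line 40 to 10.1.1.5 gives the same result for .4 and .5, which is the point about /31 alignment; changing it to 10.1.1.6 blocks .6 and .7 instead.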

SSH access on Cisco routers and switches

4 things needed for ssh


– Device name (hostname)

– Domain name

– RSA crypto key. The key is not part of the text config, so if you copy a config from one router to another you will need to regenerate the RSA keys on the new box; otherwise SSH will not come up and you will lock yourself out of the router.

– Enable SSH (ip ssh version 2) and restrict the vty lines to SSH.

SSH also needs something to authenticate against: a local username (with login local on the vty lines) or AAA. Without one, no SSH login will succeed.


no ip http server
no ip http secure-server
!
hostname Test
!
ip domain name test.net
!
crypto key generate rsa modulus 2048
!
ip ssh version 2
!
line vty 0 15
 transport input ssh
 transport output ssh

(The original used a 1024-bit key, which was the norm at the time; 1024-bit RSA is too weak today, so use at least 2048.)
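To check a fleet of configs against the four requirements above, here is an added example (not from the original page) that audits a running-config text for the SSH settings and the obvious weak spots: missing hostname or domain name, SSHv1 still allowed, HTTP management left on, no local user or AAA, and vty lines that still accept telnet. The two config fragments are constructed for the example; the key size is not visible in the text config and has to be checked on the box with show ip ssh.

```python
import re

# Constructed config fragments, not from the original page.
WEAK_CONFIG = """\
hostname Router
!
ip http server
no ip http secure-server
!
ip ssh version 1
!
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 transport input all
"""

GOOD_CONFIG = """\
hostname Test
!
no ip http server
no ip http secure-server
!
ip domain name test.net
!
username admin privilege 15 secret ChangeMe
ip ssh version 2
!
line vty 0 15
 login local
 transport input ssh
 transport output ssh
"""

def _vty_blocks(lines):
    """Group the indented body of each 'line vty ...' stanza."""
    blocks, current = [], None
    for l in lines:
        if l.startswith("line vty"):
            current = (l, [])
            blocks.append(current)
        elif not l.startswith(" "):
            current = None                 # any top-level command ends the stanza
        elif current is not None:
            current[1].append(l.strip())
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; empty when the SSH setup looks right."""
    lines = [l.rstrip() for l in config.splitlines()]

    def has(pattern):
        # re.match is anchored, so "no ip http server" does not count as "ip http server"
        return any(re.match(pattern, l) for l in lines)

    findings = []
    if not has(r"hostname \S+"):
        findings.append("no hostname (needed before the RSA key can be generated)")
    if not has(r"ip domain[ -]name \S+"):
        findings.append("no ip domain name (needed before the RSA key can be generated)")
    if not has(r"ip ssh version 2$"):
        findings.append("ip ssh version 2 not set")
    if has(r"ip http server") or has(r"ip http secure-server"):
        findings.append("HTTP or HTTPS management server still enabled")
    if not (has(r"username \S+ .*(secret|password) ") or has(r"aaa new-model")):
        findings.append("no local username and no AAA: SSH logins have nothing to authenticate against")
    for name, body in _vty_blocks(lines):
        inputs = [x.split()[2:] for x in body if x.startswith("transport input")]
        if not inputs:
            findings.append(f"{name}: no transport input line (platform default may allow telnet)")
        elif any(set(i) - {"ssh"} for i in inputs):
            findings.append(f"{name}: transport input allows more than ssh")
    return findings

if __name__ == "__main__":
    for f in audit_ssh_config(WEAK_CONFIG):
        print("WEAK:", f)
    print("GOOD:", audit_ssh_config(GOOD_CONFIG) or "no findings")
```

Run it over a directory of backed-up configs and the output is a short list per device of what stops SSH from working or leaves telnet open.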

Finding a rogue DHCP server

  1. Find a machine which has an address from the rogue DHCP server (ipconfig /all on Windows shows the DHCP Server address it got the lease from).
  2. Ask the user to browse to the gateway address. That might tell you what it is (a consumer router will usually show its own web page).
  3. On the Windows machine run arp -a from the command prompt to find the MAC address of the DHCP server.
  4. On the switch, find the port that MAC is learned on (show mac address-table address <mac>) and shut the rogue DHCP server down.
  5. If you can't get access to a user machine, create a secondary IP on the switch or router interface in the same VLAN as the users (usually the production VLAN) and in the same range as the rogue DHCP server. Eg, if the server is 192.168.1.1, create a secondary IP of 192.168.1.55.
  6. Ping 192.168.1.255 and then run sh arp. You will probably find the server.
  7. Then on the switch find the port (show mac address-table address <mac>) and shut it down.
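Steps 3 to 7 are one lookup chain: IP to MAC (from arp -a on the user's PC or show arp on the switch), then MAC to port (show mac address-table). Here is an added example (not from the original page) that does the join over constructed show arp and show mac address-table output and also accepts a Windows-style MAC so the value from arp -a can be fed straight in. The addresses, MACs and port names are made up for the example.

```python
import re

def normalize_mac(mac):
    """Accept Windows (00-11-22-33-44-55), Unix (00:11:22:33:44:55) or Cisco
    (0011.2233.4455) notation and return the dotted form used by IOS show commands."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

# Constructed sample outputs in the layout of IOS "show arp" and
# "show mac address-table"; not captured from the original page.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             2   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.20            5   001a.2b3c.4d5e  ARPA   Vlan10
Internet  192.168.1.55            -   000c.2912.aabb  ARPA   Vlan10
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/12
  10    000c.2912.aabb    STATIC      CPU
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({MAC})\s+\S+\s+(\S+)\s*$", re.M)
MAC_RE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)\s*$", re.M)

def arp_table(text):
    """ip -> (mac, interface) from 'show arp' output."""
    return {ip: (mac, iface) for ip, mac, iface in ARP_RE.findall(text)}

def mac_ports(text):
    """mac -> port from 'show mac address-table' output."""
    return {mac: port for _vlan, mac, port in MAC_RE.findall(text)}

def locate(ip_or_mac, show_arp, show_mac):
    """Find the switch port behind the rogue server given its IP (step 5/6) or
    its MAC (step 3). Returns (mac, port), or None if a table lacks it."""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ip_or_mac):
        entry = arp_table(show_arp).get(ip_or_mac)
        if entry is None:
            return None
        mac = entry[0]
    else:
        mac = normalize_mac(ip_or_mac)
    port = mac_ports(show_mac).get(mac)
    return (mac, port) if port else None

if __name__ == "__main__":
    print(locate("192.168.1.1", SHOW_ARP, SHOW_MAC_TABLE))
    print(locate("00-11-22-33-44-55", SHOW_ARP, SHOW_MAC_TABLE))
```

If the port it returns is a trunk or uplink, the rogue is behind another switch: repeat the MAC lookup on that switch until you reach an access port.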