There is a way to reduce the overhead involved in modifying ACL by using the Cisco IOS feature of resequencing.

In the following example in a Cisco router there is an access-list name ITKE

ASW2-02#sho access-lists ITKE

Extended IP access list ITKE

1 permit ip host 192.168.1.1 host 10.1.0.1

2 permit ip host 192.168.1.2 host 10.1.0.2

ASW2-02#

From the example if we need to add one more deny statement for the host 192.168.1, it’s not possible to add a statement without deleting the current access list and create a new one. But the power of resequence allows you to assign a new set of sequence numbers to current access list as demonstrated below using the IOS command “ip access-list resequence”

ASW2-02#configure t

ASW2-02(config)#ip access-list resequence ITKE ?

<1-2147483647>  Starting Sequence Number

ASW2-02(config)#ip access-list resequence ITKE 10 10

This starts the first entry with a sequence number of 10 and increments all new lines by 10. The result is as shown below

ASW2-02#sho ip access-lists ITKE

Extended IP access list ITKE

10 permit ip host 192.168.1.1 host 10.1.0.1

20 permit ip host 192.168.1.2 host 10.1.0.2

ASW2-02#

By resequencing the ACL now it’s easy to inserts a new ACL with a sequence number of 15 which would fall between the existing entries in the ITKE access list.

Private VLAN (PVLANS) are really just sub-VLAN inside a VLAN, they basically allows you to split the VLAN domain into multiple isolated subdomains. When it comes to inter-VLAN routing we need a Layer 3 device to forward packets. The same analogy applies to Private VLAN (PVLANS). They need layer 3 devices such as Cisco Router or Cisco Multilayer Switch.

To make things much simpler, consider a Network environment in which the service provider need to connects servers belonging to different customers to the Internet. These servers must all be able to reach their first-hop router, but for security reasons, servers belonging to one customer must not be able to communicate with servers belonging to another. An obvious design solution for these requirements is to place each customer’s servers in a separate VLAN, which also requires the assignment of a separate IP subnet per customer (even if they have only one server).

By creating separate VLANs not only wastes the VLAN IDs but also IP addresses as well. To overcome this Private VLAN (PVLANS) were introduced as a more elegant alternative, allowing multiple devices to reside in the same IP subnet, yet remain isolated from one another at layer two.

In upcoming post we see what terminologies are used in Private VLAN (PVANS) and how they are distinguished.

As we all know by default there are no limitations on the size of password length in a Cisco router. Sometimes this may leads to a security risk. You can also configure a password with a single character in a Cisco Router.

Cisco Systems introduced a command to force the minimum length of password starting with an IOS version 12.3 (1). By default the length should be 6 characters, but you can change the default length.

To configure the minimum password length in your Cisco Router, use the following commands.

ITKERouter01#configure terminal
ITKERouter01 (config)#security passwords min-length 8

After entering the above command if you try to configure the enable secret to itke as shown the below, following error message will be displayed in your Cisco Router

 ITKERouter01 (config)#enable secret itke

 % Password too short – must be at least 8 characters. Password configuration failed
 ITKERouter01 (config)#

Even if you try to configure the local username and password you find the same error.

ITKERouter01 (config)#username yasir secret cisco

 % Password too short – must be at least 8 characters. Password configuration failed
 ITKERouter01 (config)#

I would recommed you to enable this feautre in your Cisco Router for better security.

There is a cool handy way to know TTY sessions established in any Cisco Router or a Cisco Switch. By using this feature you can know the number of active telnet sessions from the prompt itself.

Normally whenever you log to any Cisco Router or Switch you will find this menu

ITKE-AS01#

By using the “prompt” command you can see the difference

You might be wondering how come this is possible, ok now let me show you how to enable this feature in a Cisco Router or a Cisco Switch,

Log in to your Cisco Device and use the following command “prompt %h:%n%p”

ITKE-AS01#config t

ITKE-AS01 (config)# prompt %h:%n%p
ITKE-AS01 (config)# exit

In the example I have used three escape sequences to set the prompt name to the hostname (%h), followed by the command number (%n) and then followed by the appropriate prompt character for the current command mode (%p).

You can see the difference in the hostname after applying the “prompt %h:%n%p” command.

ITKE-AS01:1#sho users

    Line       User       Host(s)              Idle       Location

*  1 vty 0     yasir      idle                 00:00:00 10.0.0.5

  Interface      User        Mode                     Idle     Peer Address

ITKE-AS01:1#

As the number of TTY session increases you can see the incremental change in the hostname with the sequence number as displayed below.

Example with two TTY sessions

ITKE-AS01:2#sho users

    Line       User       Host(s)              Idle       Location

   1 vty 0     yasir      idle                 00:00:23 10.0.0.5

*  2 vty 1     itkeuser      idle                 00:00:00 10.0.0.5

  Interface      User        Mode                     Idle     Peer Address

ITKE-AS01:2#

Example with three TTY sessions

ITKE-AS01:3#sho users

    Line       User       Host(s)              Idle       Location

   1 vty 0     yasir      idle                 00:01:14 10.0.0.5

   2 vty 1     itkeuser      idle           00:00:50 10.0.0.6

*  3 vty 2     itkeadmin   idle         00:00:00 10.0.0.7

  Interface      User        Mode                     Idle     Peer Address

ITKE-AS01:3#

Example with four TTY sessions

ITKE-AS01:4#sho users

    Line       User       Host(s)              Idle       Location

   1 vty 0     yasir      idle                 00:01:43 10.0.0.5

   2 vty 1     itkeuser      idle            00:01:20 10.0.0.6

   3 vty 2     itkeadmin   idle            00:00:29 10.0.0.7

*  4 vty 3     yasir      idle                 00:00:00 10.0.0.5

  Interface      User        Mode                     Idle     Peer Address

ITKE-AS01:4#

I you want to disable the TTY display enter the “no prompt” command as shown below.
ITKE-AS01:4#config t
ITKE-AS01:4 (config)# no prompt

Following are the prompt Variables available for the “prompt” command.

We all know the importance of SSH, and it is one of most used method for remote access of Cisco Devices either it might be a Cisco Router or a Cisco Switch. Most of the Network Engineers I come across say it is so complicated to either enable or disable the SSH in Cisco Devices.

 If you simply try to use “no commands” used to enable SSH it will not work. Here is the tip to disable the SSH in either Cisco Router or Cisco Switches.

 Commands used to enable SSH in a Cisco Device

ITKE-AS1(config)#ip domain-name itke.com

ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512

The name for the keys will be: ITKE-AS1.itke.com

% The key modulus size is 512 bits

% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

ITKE-AS1(config)#

ITKE-AS1(config)#aaa new-model

ITKE-AS1(config)#aaa authentication login default local

ITKE-AS1(config)#aaa authentication exec default local

Commands used to disable SSH in a Cisco Device

Do notice if you use the command “no crypto key generate rsa” it will not work rather the device will suggest you to use the ‘crypto key zeroize rsa’ command, amazing isn’t it

ITKE-AS1(config)#no crypto key generate rsa

% Use ‘crypto key zeroize rsa’ to delete signature keys.

ITKE-AS1(config)#crypto key zeroize rsa

% All RSA keys will be removed.

% All router certs issued using these keys will

will also be removed.

Do you really want to remove these keys? [yes/no]: yes

ITKE-AS1(config)#

PuTTY doesn’t need any introduction as its one of the widely used for remote console utility. PuTTY is an SSH and telnet client.

In day to day operational activities we do telnet or SSH to our Cisco routers or Switches, at times we need to backup a running or startup config or   a Cisco router or a switch or even some times we need to capture the terminal session logs for technical information etc.  This is can be easily done by using the PuTTY client.

I will show you how to capture a text using PuTTY client.

Once you have established a remote session with a Cisco router or a Switch, follow the following steps

Step 1: Right Click on the menu bar and select “Change Settings”

Step 2: Click logging under the icon Session.

Step 3: Then select “All Session Output”.

Step 4: Select the location using the browse button and enter the desired file name and click apply.

These steps will create the log file in the specified location and it will log everything you did in that particular telnet or SSH session.