Saturday, November 29, 2008

How to setup access list for a Cisco VLAN

We can use a VLAN ACL (also called a VLAN map or VACL) to filter all types of traffic that are bridged within a VLAN or routed into or out of the VLAN. Unlike a router ACL, a VACL is not defined by a direction (input or output). When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against it.

To configure and apply a VACL (VLAN access map), first define the standard or extended access list that the access map will use:
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.0.3.0 0.0.0.255 any
access-list 120 permit ip any any

Thursday, November 27, 2008

Configuring default VLAN in Cisco switch

Once a switch is connected to your network, it is useful for the network administrator to be able to log in to it remotely for troubleshooting, checking logs and so on.

The easiest way to manage your switch remotely over the network is to configure an IP address on the default VLAN interface:
interface Vlan1
ip address 10.2.6.85 255.255.255.0

ip default-gateway 10.1.1.1

The default gateway is what allows hosts on other networks to reach the switch. If management traffic is limited to the switch's own subnet, no default gateway is needed.
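A switch sends off-subnet management traffic to its default gateway and resolves that gateway with ARP, so the gateway has to be a host on the Vlan1 subnet. The following added Python check (not part of the original post and not Cisco code) parses the snippet above and flags that 10.1.1.1 lies outside 10.2.6.0/24; it also shows which destinations need the gateway at all.

```python
import ipaddress

# Constructed sample: the management configuration shown in the post above.
SWITCH_CONFIG = """\
interface Vlan1
 ip address 10.2.6.85 255.255.255.0
!
ip default-gateway 10.1.1.1
"""


def parse_mgmt(config):
    """Pull the Vlan1 address, mask and default gateway out of an IOS snippet."""
    svi_ip, mask, gateway = None, None, None
    in_vlan1 = False
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            in_vlan1 = tok[1].lower() == "vlan1"
        elif in_vlan1 and tok[:2] == ["ip", "address"]:
            svi_ip, mask = tok[2], tok[3]
        elif tok[:2] == ["ip", "default-gateway"]:
            gateway = tok[2]
    return svi_ip, mask, gateway


def check_gateway(svi_ip, mask, gateway):
    """The switch ARPs for its gateway, so it must be a host on the Vlan1 subnet."""
    svi = ipaddress.IPv4Interface(f"{svi_ip}/{mask}")
    if gateway is None:
        return f"ok: no gateway, management limited to {svi.network}"
    gw = ipaddress.IPv4Address(gateway)
    if gw in svi.network and gw != svi.ip:
        return f"ok: gateway {gw} is on {svi.network}"
    return f"error: gateway {gw} is not on {svi.network}"


def needs_gateway(svi_ip, mask, dst):
    """True when dst is off the Vlan1 subnet and can only be reached via the gateway."""
    svi = ipaddress.IPv4Interface(f"{svi_ip}/{mask}")
    return ipaddress.IPv4Address(dst) not in svi.network


if __name__ == "__main__":
    ip, mask, gw = parse_mgmt(SWITCH_CONFIG)
    print(check_gateway(ip, mask, gw))
```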

Tuesday, November 25, 2008

How a computer resolves a hostname

On a TCP/IP network, name resolution has to occur whenever a host name such as www.canon.com.sg, rather than an IP address, is used to connect to a computer. The name must first be resolved to an IP address, which is in turn resolved to a hardware address before TCP/IP communication can take place. There are several name resolution mechanisms, but the following two are the ones generally used in today's networks:

1. DNS (Domain Name System)
2. Hosts file

DNS is a distributed, hierarchical naming system used on the network to resolve fully qualified domain names (FQDNs) to IP addresses. When a DNS server is used, devices on the network are configured to query that server for host name resolution.

Friday, November 21, 2008

How to limit access from network host to a Cisco device

Sometimes you may want to allow only certain IP addresses to access your Cisco router / switch over telnet. You can implement this by configuring an access list and applying it to the vty lines (line vty 0 4):

access-list 5 permit 10.0.0.1
access-list 5 permit 10.0.0.2
access-list 5 permit 192.168.3.1
access-list 5 permit 192.168.0.1
access-list 5 deny any
!
line con 0
line vty 0 4
access-class 5 in
login
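To see how the wildcard masks in access-list 100 (the VACL post above) and the host entries in access-list 5 are evaluated, here is an added Python model, not Cisco's code and not part of the original posts, that parses both lists and applies IOS first-match semantics with the implicit deny at the end. It handles only the entry forms that appear on this page (any, address plus wildcard, bare host address).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed sample: the two access lists shown in the posts on this page.
IOS_ACLS = """\
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.0.3.0 0.0.0.255 any
access-list 5 permit 10.0.0.1
access-list 5 permit 10.0.0.2
access-list 5 permit 192.168.3.1
access-list 5 permit 192.168.0.1
access-list 5 deny any
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tok):
    """Consume one address spec: 'any', 'A WILDCARD', or a bare host address A."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if len(tok) > 1 and tok[1][0].isdigit():
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]

def parse_acls(text):
    """Map ACL number -> ordered entries of (action, (src, wc), (dst, wc))."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 100 <= num <= 199:          # extended ACL: drop the protocol keyword (ip)
            rest = rest[1:]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest) if rest else (ANY, [])
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def acl_permits(acls, num, src, dst="0.0.0.0"):
    """Entries are tested top down; the first match wins, no match is an implicit deny."""
    for action, (sb, sw), (db, dw) in acls.get(num, []):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False
```

For access-class 5 a telnet client at 10.0.0.3 is refused by the explicit deny, while for access-list 100 a source in 10.0.2.0/24 is dropped by the implicit deny even though no deny entry was written.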

Thursday, November 20, 2008

Default VLAN

The default VLAN on all switches is VLAN 1.

By default, all ports in a Cisco switch belong to VLAN 1. With all ports in the same VLAN (in this case VLAN 1), all ports can communicate with each other without going through a router.

However, if you change the VLAN assignment of a switch port to another VLAN, that port will no longer be able to communicate with the devices on the other ports. In this case you need a router to route packets from one network to the other.

Wednesday, November 19, 2008

How to encrypt Cisco Password

One way to secure a Cisco router / switch is to encrypt the passwords stored in it.

To encrypt the passwords saved in a Cisco device's configuration file, use the “service password-encryption” global configuration command.

This command should be regarded as a simple cipher that prevents casual viewing of the passwords in a router / switch configuration file. It does not protect against someone who obtains a copy of the configuration file, as some software can instantly decode any passwords encrypted with the MD5 encryption scheme.

Monday, November 17, 2008

Workgroup vs. Domain in Windows 2003 environment

There are two modes of operation in a Windows 2003 environment: a computer can be either a workgroup computer or a domain computer. Most home and small business environments use workgroups, while most enterprises run in domain mode.

When you install Windows 2003 Server, it is a workgroup computer by default. A workgroup is suitable for a limited number of computers (usually no more than 10) in close proximity. If the number of computers is large, it is advisable to join each computer to a domain.

In a workgroup, each computer stores user IDs and passwords locally; there is no centralized management. A user needs a user account on each computer he or she requires access to. This means that if a user needs access to several computers on the network, each of those computers must store the user's ID and password locally. That is not an easy task for the administrator when many computers need to be managed and configured, and it can take a lot of time just to set up accounts on the various PCs for a new user. Changes to user accounts, such as changing a user's password or adding a new account, must be made on each computer in the workgroup. As a result, passwords can fall out of synchronization if a change is made on one computer and not on the others.

Monday, November 10, 2008

Quick fix for a network connectivity problem in a VMware guest virtual machine

This is a quick fix for a VMware guest networking problem.

Sometimes while using VMware, your guest virtual machine may have problems with network connectivity. I had this problem with two of my virtual machines the other day. Only one of the virtual machines was able to connect to the network (by the way, both were created from the same image). After troubleshooting for a while (changing the physical address of the Ethernet adapter, restarting it, changing the network type to bridged or host-only networking and so on), I decided to add an extra network interface to one of the virtual machines. After that I removed the existing Ethernet interface from it. Surprisingly, these steps solved my problem.

Tuesday, November 4, 2008

Cisco Static Route

In my previous post on static route configuration, I touched on some basics of static routes. In this post I will go into more detail on how to configure static routing on Cisco devices.

IP routing is enabled on Cisco routers by default. If it has previously been disabled on your router, you can turn it on in configuration mode with the command ip routing:
Router0(config)#ip routing
Router0(config)#ctrl-Z
For a router to forward packets to networks that are not directly connected, it must know the path to the destination network. This information can be configured manually on the router by the network administrator, which is the use of static routes, or the router can learn it by running a dynamic routing protocol. Static routes are much easier to configure, but they provide very little fault tolerance or ability to discover new routes as the network changes.

As mentioned in my previous post, static routes are hard-coded on a router or switch. They tell the network device exactly where to send traffic, regardless of what else happens in the network. It is a very quick and effective way to route data from one subnet to another, although it does not scale well in large networks.