Adding a Guest VLAN to a network (and blocking access to other networks)

This is configured on the switch. First create the VLAN (L2) and its SVI (L3); on a Catalyst switch the SVI will only route traffic if ip routing is enabled.

(in config mode)

!
vlan 99
name Guest_LAN
!
interface Vlan99
description Guest VLAN
ip address 192.168.99.1 255.255.255.0

!

Create a DHCP pool for the guest network, handing out the SVI address as the default gateway

!
ip dhcp pool GUEST_LAN
network 192.168.99.0 255.255.255.0
dns-server 8.8.8.8 198.153.192.1
default-router 192.168.99.1

!

Exclude the addresses the pool must never hand out (the gateway and any statically addressed hosts), e.g.

!

ip dhcp excluded-address 192.168.99.1 192.168.99.10

!

Put the guest ports into VLAN 99, e.g. ports 25 to 48. Setting the mode to access explicitly stops the port from negotiating a trunk over DTP, which would otherwise let a connected device reach other VLANs.

!
interface range GigabitEthernet1/0/25-48
description Guest User VLAN
switchport mode access
switchport access vlan 99
spanning-tree portfast
!

We now need to stop Guest VLAN users from reaching the internal networks (if required). Create an extended access list, called guest-in in this example, that denies the RFC 1918 ranges and permits everything else, and then apply it inbound on the Vlan99 interface. Two details matter: the 172.16.0.0 entry needs the wildcard 0.15.255.255 to cover the whole 172.16.0.0/12 block (0.0.255.255 only covers 172.16.0.0/16), and because the 192.168.0.0/16 deny also matches the guest gateway 192.168.99.1, DHCP to the gateway is permitted first so that lease renewals (which are unicast to the server) keep working. Cisco ACLs are evaluated top down, the first match wins, and anything unmatched hits the implicit deny at the end.

!
ip access-list extended guest-in
permit udp any host 192.168.99.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
interface Vlan99
ip access-group guest-in in
!

And that is the basic plumbing done for your Guest VLAN. Note that an ACL on the SVI only filters routed traffic and traffic to the switch itself; guests in the same VLAN can still talk to each other at Layer 2. Your router will also need a route to 192.168.99.0/24 pointing at the switch, and access-list(s) of its own to match.
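To check what the guest-in list really permits and denies before applying it, here is an added Python example (not from the original page) that evaluates a Cisco-style extended ACL with wildcard-mask, first-match and implicit-deny semantics against a handful of flows a guest host might generate. It compares the list as it was originally written on this page (172.16.0.0 with wildcard 0.0.255.255 and no DHCP exception) with the corrected one. The probe flows, the parser's deliberately limited syntax (source is always any, as on this page) and the small port-name table are assumptions made for the example.

```python
"""Evaluate a Cisco-style extended ACL offline to see what the guest-in list really blocks."""
import ipaddress

# The guest-in list as originally written (constructed copy for testing).
GUEST_IN_AS_WRITTEN = [
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.0.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
]

# Corrected list: whole 172.16.0.0/12 range, DHCP to the gateway permitted first.
GUEST_IN_FIXED = [
    "permit udp any host 192.168.99.1 eq bootps",
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
]

# Assumed subset of the IOS port-name table, enough for this example.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def ip_int(text):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Parse one entry of the limited form used on this page:
    <permit|deny> <ip|tcp|udp> any <any | host A.B.C.D | A.B.C.D W.W.W.W> [eq PORT]"""
    tok = line.split()
    action, proto, src = tok[0], tok[1], tok[2]
    if src != "any":
        raise ValueError("toy parser only supports source 'any'")
    i = 3
    if tok[i] == "any":
        dst, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        dst, wild, i = ip_int(tok[i + 1]), 0, i + 2
    else:
        dst, wild, i = ip_int(tok[i]), ip_int(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]
    return {"action": action, "proto": proto, "dst": dst, "wild": wild, "port": port}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'don't care', so only the 0 bits are compared."""
    care = 0xFFFFFFFF ^ wildcard
    return addr & care == network & care


def evaluate(acl, dst_ip, proto="ip", dport=None):
    """First-match evaluation with the implicit deny at the end, as IOS does it.
    Returns (action, matching entry)."""
    dst = ip_int(dst_ip)
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):   # 'ip' entries match every protocol
            continue
        if not wildcard_match(dst, ace["dst"], ace["wild"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], line
    return "deny", "<implicit deny ip any any>"


# Constructed flows a guest host might generate: (description, destination, protocol, dest port)
PROBES = [
    ("internet DNS", "8.8.8.8", "udp", 53),
    ("corporate 10/8 host", "10.1.2.3", "tcp", 445),
    ("corporate 172.20/16 host", "172.20.1.5", "tcp", 445),
    ("corporate 192.168.1/24 host", "192.168.1.10", "tcp", 22),
    ("DHCP renew to guest gateway", "192.168.99.1", "udp", 67),
]


def audit(acl):
    """Return {description: action} for every probe flow."""
    return {desc: evaluate(acl, ip, proto, port)[0] for desc, ip, proto, port in PROBES}


if __name__ == "__main__":
    for name, acl in (("as written", GUEST_IN_AS_WRITTEN), ("fixed", GUEST_IN_FIXED)):
        print(f"--- guest-in {name} ---")
        for desc, action in audit(acl).items():
            print(f"{action:6} {desc}")
```

Running it shows the original list letting a guest reach 172.20.1.5 and denying the unicast DHCP renewal to 192.168.99.1, while the corrected list denies the former and permits the latter; everything else behaves the same in both.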

 

Logging Cisco Login Attempts

Specify the syslog server on the router:

Router(config)#logging a.b.c.d

Send messages of severity 5 (notifications) and above to it. The login messages below are severity 4 (%SEC_LOGIN-4-LOGIN_FAILED) and 5 (%SEC_LOGIN-5-LOGIN_SUCCESS) and the configuration-change messages are severity 5 (%PARSER-5-CFGLOG_LOGGEDCMD), so this level captures all of them. The default trap level is informational (6), so this is slightly less than the default, not more.

Router(config)#logging trap notifications

Configure login blocking first: the login block-for command has to be in place before the other login commands are accepted. The example below puts the device into quiet mode for 120 seconds if 3 login attempts fail within 60 seconds. Quiet mode refuses logins from every source, including your own management hosts, unless they are exempted with login quiet-mode access-class <standard-acl>, so configure that exemption before relying on this on a remote device.

Router(config)#login block-for 120 attempts 3 within 60

Then enable logging of successful and unsuccessful login attempts:

Router(config)#login on-success log
Router(config)#login on-failure log

Optionally, set the source interface so the syslog server always sees the same address (a loopback is the usual choice) rather than whichever egress interface the router happens to use:

Router(config)#logging source-interface FastEthernet0/0

You can also enforce a delay of N seconds between successive login attempts (once login block-for is configured the default delay is 1 second):

Router(config)#login delay 5

If you would also like every change made to the running configuration sent to the syslog server, configure the configuration change logger:

!## Enter archive configuration mode

Router(config)# archive
!## Enter the configuration change logger mode
Router(config-archive)# log config
!## Enable logging for configuration change
Router(config-archive-log-config)# logging enable
!## Change the size of the in-memory change log (Optional)
Router(config-archive-log-config)# logging size 200
!## Hide passwords from being sent to syslog in clear text (Optional)
Router(config-archive-log-config)# hidekeys
!## Send logs to syslog server
Router(config-archive-log-config)# notify syslog
Router(config-archive-log-config)# end
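The login messages and the configuration-change messages configured above are only useful if something reads them. The added Python example below (not from the original page) parses constructed syslog lines in the real %SEC_LOGIN-4-LOGIN_FAILED, %SEC_LOGIN-5-LOGIN_SUCCESS and %PARSER-5-CFGLOG_LOGGEDCMD message formats and replays the counter behind login block-for 120 attempts 3 within 60 over them, flagging the point where the device would have entered quiet mode, a successful login from a source that had just been failing, and every logged configuration command. The ISO receive timestamp and hostname prefix on each line are an assumption about how the collector stores messages, as are the sample addresses and usernames.

```python
"""Replay Cisco login-failure and config-change syslog messages and raise alerts."""
import re
from collections import deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample lines: an assumed "<ISO receive time> <hostname>" prefix from the
# collector, followed by IOS message bodies in the real %SEC_LOGIN / %PARSER formats.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Wed May 1 2024
2024-05-01T10:00:09Z rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:09 UTC Wed May 1 2024
2024-05-01T10:00:30Z rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.168.10.20] [localport: 22] at 10:00:30 UTC Wed May 1 2024
2024-05-01T10:00:44Z rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:44 UTC Wed May 1 2024
2024-05-01T10:00:50Z rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 10:00:50 UTC Wed May 1 2024
2024-05-01T10:05:00Z rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.168.10.20] [localport: 22] [Reason: Login Authentication Failed] at 10:05:00 UTC Wed May 1 2024
2024-05-01T10:05:10Z rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:ip access-list extended guest-in
""".splitlines()

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
CFGLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

Alert = namedtuple("Alert", "kind when detail")


def parse_line(line):
    """Return a dict for the message types we care about, or None for anything else."""
    m = LOGIN_RE.match(line) or CFGLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d.setdefault("event", "CONFIG_CHANGE")      # CFGLOG lines have no 'event' group
    return d


def detect(lines, attempts=3, within=60, block_for=120):
    """Replay the counter behind 'login block-for BLOCK_FOR attempts ATTEMPTS within WITHIN'.

    IOS counts failures from all sources together, so that window is global. The
    per-source success-after-failures check and the config-change alert are additions
    of this example, not something the device does itself."""
    alerts = []
    failures = deque()          # (timestamp, source) of recent failures, all sources
    per_src_fail = {}           # source -> failures since its last success
    quiet_until = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts = ev["ts"]
        if ev["event"] == "CONFIG_CHANGE":
            alerts.append(Alert("CONFIG_CHANGE", ts, (ev["user"], ev["cmd"].strip())))
        elif ev["event"] == "LOGIN_FAILED":
            per_src_fail[ev["src"]] = per_src_fail.get(ev["src"], 0) + 1
            if quiet_until and ts < quiet_until:
                continue        # device is in quiet mode and refusing logins anyway
            failures.append((ts, ev["src"]))
            while failures and (ts - failures[0][0]).total_seconds() > within:
                failures.popleft()
            if len(failures) >= attempts:
                alerts.append(Alert("BRUTE_FORCE", ts, sorted({s for _, s in failures})))
                quiet_until = ts + timedelta(seconds=block_for)
                failures.clear()
        elif ev["event"] == "LOGIN_SUCCESS":
            n = per_src_fail.pop(ev["src"], 0)
            if n:
                alerts.append(Alert("SUCCESS_AFTER_FAILURES", ts, (ev["src"], ev["user"], n)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when:%H:%M:%S} {a.kind:22} {a.detail}")
```

On the sample lines the third failure at 10:00:44 falls within 60 seconds of the first, so a BRUTE_FORCE alert fires there (the device would have gone quiet for 120 seconds); the successful admin login from the same source six seconds later is the event worth paging on; the single failure at 10:05:00 is outside any window and stays silent; and the configuration command is reported with the user who typed it.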