
Monday, 27 July 2015

Enable Layer3 on a Cisco Switch

This is what worked for me on a Cisco WS-C2960-24PS-L switch:

First you need to change the SDM template from the default to lanbase-routing.
The lanbase-routing template supports IPv4 unicast routes for static routing on SVIs.
Static routing is supported only on switched virtual interfaces (SVIs), not on physical interfaces, and the switch does not support dynamic routing protocols.
conf t
sdm prefer lanbase-routing
end
wr
reload 

Then you have to enable ip routing:
conf t
ip routing
Then you can add the static routes you like.


Monday, 16 February 2015

Configure CISCO Catalyst 2960 ports to monitoring/mirroring mode

This will send all traffic that arrives on the 0/1-0/9 ports to the Gi0/1 interface:
switch>enable
switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

switch(config)#monitor session 1 source interface fastEthernet 0/1
switch(config)#monitor session 1 source interface fastEthernet 0/2
switch(config)#monitor session 1 source interface fastEthernet 0/3
switch(config)#monitor session 1 source interface fastEthernet 0/4
switch(config)#monitor session 1 source interface fastEthernet 0/5
switch(config)#monitor session 1 source interface fastEthernet 0/6
switch(config)#monitor session 1 source interface fastEthernet 0/7
switch(config)#monitor session 1 source interface fastEthernet 0/8

switch(config)#monitor session 1 destination interface gigabitEthernet 0/1
Show info:
switch#show monitor session 1
Session 1
---------
Type    : Local Session
Source Ports :
 Both: Fa0/1-8
Destination Ports : Gi0/1
 Encapsulation : Native
  Ingress : Disabled
And now we can capture this traffic on the host connected to Gi0/1:
# tcpdump -i eth0 -n


Wednesday, 19 June 2013

NetFLOW over IPSEC VPN


I had the following NetFlow configuration on my router:
 ip flow-cache timeout active 1
 ip flow-export source FastEthernet0/1.1
 ip flow-export version 5
 ip flow-export destination 10.39.30.5 9996
!
interface FastEthernet0/0.2
 ip flow ingress
interface FastEthernet0/1.12
 ip flow ingress
interface FastEthernet0/1.40
 ip flow ingress

Which worked fine on my other routers. But in this particular case, the NetFlow server was only accessible through an IPsec VPN and the flows weren't getting there.
The solution to this was to use a "Flexible NetFlow" configuration. This allows the NetFlow export to be sent down the standard IPsec VPN tunnel.
An example of the NetFlow config is as follows:
flow exporter FLOW_EXPORTER
 destination 10.39.30.5
 source FastEthernet0/1.1
 output-features
 transport udp 9996
 export-protocol netflow-v5
!
!
flow monitor FLOW_MONITOR
 record netflow-original
 exporter FLOW_EXPORTER
 cache timeout active 1
!
interface FastEthernet0/0.2
ip flow monitor FLOW_MONITOR input
!
interface FastEthernet0/1.12
ip flow monitor FLOW_MONITOR input
!
interface FastEthernet0/1.40
ip flow monitor FLOW_MONITOR input
!
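To confirm on the collector side that the v5 exports really arrive through the tunnel, here is an added example (written for this page, not code from the post) that decodes NetFlow v5 datagrams as sent by the FLOW_EXPORTER above. It listens on the same UDP port 9996, and the constructed sample datagram reuses addresses from the post's configs; the interface indexes, counters and timestamps in it are made up.

```python
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")               # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
COLLECTOR_PORT = 9996                           # matches "transport udp 9996"

def parse_netflow_v5(data):
    """Decode one export datagram into (header dict, list of record dicts)."""
    if len(data) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HDR.unpack_from(data)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(data) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram: header announces %d records" % count)
    header = {"count": count, "sysuptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits
    records = []
    for i in range(count):
        f = REC.unpack_from(data, HDR.size + i * REC.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14]})
    return header, records

def build_sample():
    """Constructed datagram (not a real capture): one TCP flow, sequence 7."""
    rec = REC.pack(socket.inet_aton("172.18.0.10"), socket.inet_aton("10.39.30.5"),
                   socket.inet_aton("10.39.30.254"), 3, 1, 42, 61000, 1000, 2000,
                   51000, 443, 0, 0x18, 6, 0, 0, 0, 16, 24, 0)
    return HDR.pack(5, 1, 123456, 1371600000, 0, 7, 0, 0, 0) + rec

def collector(port=COLLECTOR_PORT):
    """Receive loop for the NetFlow server; prints the exporter and decoded flows."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, peer = sock.recvfrom(65535)
        header, records = parse_netflow_v5(data)
        print(peer[0], "seq", header["flow_sequence"], records)

if __name__ == "__main__":
    print(parse_netflow_v5(build_sample()))
```

Gaps in flow_sequence between consecutive datagrams from the same exporter mean exports were lost on the way, which is the first thing to check when flows stop showing up.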


Monday, 27 February 2012

VPN Ports

PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through router, open Protocol ID 47.

L2TP over IPSec
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec Network Address Translation (NAT-T) open UDP 4500.
To allow L2TP traffic, open UDP 1701.

OpenVPN:

OpenVPN uses port 1194, UDP and TCP.

Here’s the Cisco access list (gre = Protocol ID 47, pptp = 1723, isakmp = 500, non500-isakmp = 4500):
permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701



Wednesday, 14 December 2011

Block P2P Traffic on a Cisco IOS Router using NBAR

In the following example, we'll use NBAR to block P2P traffic on our router's Gigabit interface.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Apply the policy to the user-facing (incoming) interface.
conf t
!--- IP CEF must be enabled first in order to block P2P traffic.
!--- P2P traffic cannot be blocked when IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
class-map match-any p2p
!--- Mention the P2P protocols to be blocked in order to block the
!--- P2P traffic flow between the required networks. edonkey,
!--- fasttrack, gnutella, kazaa2, skype are some of the P2P
!--- protocols used for P2P traffic flow. This example
!--- blocks these protocols.
!
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
!--- Here the policy map named SDM-QoS-Policy is created, and the
!--- configured class map p2p is attached to this policy map.
!--- Drop is the command to block the P2P traffic.
!
policy-map SDM-QoS-Policy
class p2p
drop
!
!--- Use the interface where you wish to block the P2P traffic
interface GigabitEthernet 0/1
!
!--- The command ip nbar protocol-discovery enables NBAR
!--- protocol discovery on this interface where the QoS
!--- policy configured is being used.
ip nbar protocol-discovery
!
!--- Use the service-policy command to attach a policy map to
!--- an input interface so that the interface uses this policy map.
service-policy input SDM-QoS-Policy
!
end
!
!--- Save the current configuration
wr
And that's it.
You can ensure the policy is working with the command:
show policy-map
However, if your version of IOS is older than 12.2(13)T, you will need some extra steps. This process relies on marking the DSCP field of the incoming packets and then dropping those packets on the outbound interface. In the following example, we'll block P2P using the DSCP field.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Create an access-list to block packets with the DSCP field set to 1.
  • Apply the policy to the user-facing (incoming) interface.
  • Apply the blocking access-list to the outbound interface.
conf t
!--- IP CEF must be enabled first in order to block P2P traffic.
!--- P2P traffic cannot be blocked when IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
!
class-map match-any P2P
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
policy-map P2P
class P2P
set ip dscp 1
!
!--- Block all traffic with the DSCP field set to 1.
!
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
!
interface GigabitEthernet0/1
service-policy input P2P
!
interface POS1/1
ip access-group 100 out



Thursday, 25 August 2011

Cisco - Set default route per interface

If you want to set a different default exit route for your clients and servers you can use route-maps to achieve this, using policy-based routing.
With the following configuration the servers from the 10.39.30.0/24 network will use the default gateway 10.39.30.254 but the clients will use 172.18.254.254 as default gateway:

interface GigabitEthernet0/1.1
description Servers Network
encapsulation dot1Q 1 native
ip address 10.39.30.253 255.255.254.0
!
interface GigabitEthernet0/1.2012
description Clients Network
encapsulation dot1Q 2012
ip address 172.18.254.253 255.255.0.0
ip policy route-map lanhop
!
!
ip route 0.0.0.0 0.0.0.0 10.39.30.254
!
! -- This sets the default GW
!
access-list 100 permit ip 172.18.0.0 0.0.255.255 any
!
! -- This matches the entire 172.18.0.0/16 network
!
route-map lanhop permit 10
match ip address 100
set ip default next-hop 172.18.254.254
!
! -- This sets the default GW for the IPs matched by the previous acl.

NOTE:
This is a sample configuration for policy-based routing using the set ip default next-hop and set ip next-hop commands. The two behave differently:
  • The set ip default next-hop command checks whether the destination IP address exists in the routing table: if it does, the command does not policy route the packet but forwards it based on the routing table; if it does not, the command policy routes the packet by sending it to the specified next hop.
  • The set ip next-hop command checks whether the specified next hop exists in the routing table: if it does, the command policy routes the packet to that next hop; if it does not, the command uses the normal routing table to forward the packet.


Tuesday, 19 July 2011

How to configure multiple Cisco switch ports at the same time

To configure multiple switchports at the same time we use the interface range configuration command.
Example:
Switch(config)#interface range fastethernet0/1 - 20
Switch(config-if-range)#speed 100
Switch(config-if-range)#duplex full
The previous example hardcodes the speed and duplex settings on switchports 1 to 20, but it could just as well have been assigning them all to the same VLAN.

We can even define multiple ranges.
Example:
Switch(config)#interface range fastethernet0/1 - 4 , fastethernet0/10 - 15
Notice the spaces around the hyphens and the comma between the ranges.

The interface range command works with vlan, port-channel, fastethernet and gigabitethernet interfaces.


Friday, 15 July 2011

Creating and editing Cisco Extended access lists

Extended ACLs allow you to permit or deny traffic from specific source IP addresses to a specific destination IP address and port. They also allow you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, they are very granular and allow you to be very specific. If you intend to build a packet filtering firewall to protect your network, it is an Extended ACL that you will need to create.

Here you have a few examples of how to interact with extended access lists:

To create a new extended acl:
router#conf t
router(config)#ip access-list extended 199
router(config-ext-nacl)#10 permit tcp any any
router(config-ext-nacl)#20 permit udp any any
router(config-ext-nacl)#30 deny ip any any
Display the current rules:
router#show access-list 199
Extended IP access list 199
10 permit tcp any any
20 permit udp any any
30 deny ip any any
Add a new rule:
router#conf t
router(config)#ip access-list extended 199
router(config-ext-nacl)#21 permit gre any any
router(config-ext-nacl)#exit
router(config)#exit

router#show access-list 199
Extended IP access list 199
10 permit tcp any any
20 permit udp any any
21 permit gre any any
30 deny ip any any
Renumber the rules (resequence is a global configuration command; start at 10, step 10):
router(config)#ip access-list resequence 199 10 10
router#show access-list 199
Extended IP access list 199
10 permit tcp any any
20 permit udp any any
30 permit gre any any
40 deny ip any any
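As an added example (written for this page, not from the post) of what the sequence numbers, the resequence command and first-match evaluation do, here is a small model of a sequenced extended ACL. The ACL number 199, entries and the resequence arguments are the post's; the match and evaluate logic is a simplification (it handles "any", "host A.B.C.D" and wildcard-mask sources and destinations, and protocols by name, with no port matching).

```python
import ipaddress

class ExtendedAcl:
    def __init__(self, number):
        self.number = number
        self.entries = {}        # sequence number -> (action, proto, src, dst)

    def add(self, seq, action, proto, src="any", dst="any"):
        """Insert an ACE at an explicit sequence number; IOS keeps them ordered."""
        self.entries[seq] = (action, proto, src, dst)

    def resequence(self, start, step):
        """Renumber in order, like 'ip access-list resequence <acl> <start> <step>'."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: e for i, e in enumerate(ordered)}

    def show(self):
        lines = ["Extended IP access list %d" % self.number]
        for s in sorted(self.entries):
            lines.append("%d %s %s %s %s" % ((s,) + self.entries[s]))
        return "\n".join(lines)

    @staticmethod
    def _matches(spec, ip):
        """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(spec[5:])
        net, wildcard = spec.split()
        wild = int(ipaddress.IPv4Address(wildcard))
        return (int(ipaddress.IPv4Address(ip)) & ~wild) == (int(ipaddress.IPv4Address(net)) & ~wild)

    def evaluate(self, proto, src, dst):
        """First matching ACE wins; 'ip' matches any protocol; implicit deny at the end."""
        for s in sorted(self.entries):
            action, p, sspec, dspec = self.entries[s]
            if p in (proto, "ip") and self._matches(sspec, src) and self._matches(dspec, dst):
                return action, s
        return "deny", None

def build_acl_199():
    acl = ExtendedAcl(199)
    acl.add(10, "permit", "tcp")
    acl.add(20, "permit", "udp")
    acl.add(30, "deny", "ip")
    acl.add(21, "permit", "gre")     # slots in between 20 and 30, as in the post
    acl.resequence(10, 10)           # 10, 20, 21, 30 -> 10, 20, 30, 40
    return acl
```

Note that the implicit deny at the end means an ACL with no matching entry drops the packet, so an ACL applied with ip access-group should always be checked with a few representative flows before it goes live.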


Monday, 23 May 2011

Cisco Aironet SSID with Radius

Here you have a sample configuration:
aaa group server radius rad_eap
server 1.1.2.13 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 1.1.2.13 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
dot11 ssid example-ssid
vlan 29
authentication network-eap eap_methods
authentication open eap eap_methods
authentication key-management wpa
accounting rad_acct
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
ssid example-ssid
radius-server attribute 32 include-in-access-req format %h
radius-server host 1.1.2.13 auth-port 1645 acct-port 1646 key radius-pwd
radius-server host 1.1.2.13 auth-port 1812 acct-port 1813 key radius-pwd
radius-server vsa send accounting

You don't need the "radius-server host 1.1.2.13 auth-port 1812 acct-port 1813 key radius-pwd" line.
RADIUS can use 1812 and 1813 or 1645 and 1646, so the rest of the config refers to 1645 and 1646 in my example. If your RADIUS server uses 1812 and 1813 you will also need to change the previous lines in the aaa group commands and then drop the 1645 and 1646 references.

NOTE: If the AP is not sending the ssid information to the radius server try adding this to your AP configuration:
radius-server vsa send