Wednesday, November 25, 2009
Important Instruction while deploying AAA
- Execute the “wr” command before implementing AAA.
- Take a running-configuration backup after that.
- Open 3 sessions to the same device on which you want to implement AAA.
- Then start executing all AAA commands as per the template made.
- Then open one more session to the same device and test authentication and authorization.
- If everything goes fine, execute the “wr” command again to save the running-configuration.
Essential Cisco Load balancer configuration commands
boot system image:c6ace-t1k9-mz.3.0.0_A1_2.bin
shared-vlan-hostid 1
access-list out_in line 10 extended permit ip any any
access-list out_in line 20 extended permit icmp any any
interface vlan 700
ip address 7.7.7.8 255.255.255.0
no shutdown
ft interface vlan 100
ip address 1.1.1.1 255.255.255.252
peer ip address 1.1.1.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 100
ft group 2
peer 1
priority 150
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 5.5.5.10
context test
allocate-interface vlan 200
allocate-interface vlan 300
context c1
context c2
context c3
context c4
context c5
context c6
context c77
ft group 1
peer 1
priority 210
associate-context test
inservice
username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/ role Admin domain default-domain
Air is Single Collision and Broadcast domain.
The set of computers in which no two computers can send data simultaneously is said to be in the same collision domain. As explained in the paragraph above, air acts as the medium of a single collision domain; we can say that “air acts like a single collision domain for sound waves.”
One more interesting property of a single collision domain is that an intended unicast is turned into a broadcast by the medium, as we saw in the case discussed.
When we say “Gentlemen, may I have your attention please”, by prefixing “Gentlemen” we make our speech broadcast sound traffic: the sound wave reaches every person in the same fashion. The conclusion is that air is a single broadcast and single collision domain for sound waves.
Monday, November 23, 2009
SNMP V3 configuration
snmp-server view testview interfaces included
snmp-server view testview chassis included
snmp-server view testview internet included
snmp-server view testview system included
snmp-server group test v3 auth read testview
snmp-server user testuser test v3 auth md5 testkey priv des56 testdeskey access 20
SNMPv3 (devices with IP Base image)
snmp-server view testview interfaces included
snmp-server view testview chassis included
snmp-server view testview system included
snmp-server view testview internet included
snmp-server group test v3 auth read testview
snmp-server user testuser test v3 auth md5 testkey access 20
SSH error due to RSA key corruption
1. Check the existing RSA key pair with the following command.
rashid#sh crypto key mypubkey rsa
% Key pair was generated at: 12:09:33 GMT May 22 2008
Key name: test.rashid.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CD2B16 8FEFDD6A
B24D0C25 854195B3 296B153A 6EE8D003 2247E99D CF552355 70FC4C19 EE3A4116
D0B812F6 4DA6EC7A D58B3D97 EE08AC7C 6D319202 5ECB32F4 C3020301 0001
% Key pair was generated at: 12:09:33 GMT May 22 2008
Key name: test.rashid.com
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C53C94 A3A0F4E0
35F5922B 8440B5FC D5809A67 F57A1C36 1F39060B 46A22DF0 0A9B3CD4 7A859AE1
F2A5E67A 5245F9F0 3920EAE5 9C1B74A5 2F40C596 54E4C461 BC8494E8 04B88A96
4A49BC7C 5A1B19ED 8413F6B3 3136BAF8 9316350A 4D54B6E8 C5020301 0001
rashid#
2. Delete the existing RSA key with the following command.
(config)#crypto key zeroize rsa
3. Re-generate the crypto key and log in with SSH.
Thursday, November 19, 2009
MRTG configuration codes
This post is intended as a detailed overview of MRTG configuration on a Windows server and of adding and managing new devices.
It is quite simple, but there are small pieces to put in place, and the result needs to stay manageable. Here it goes:
Step 1. Install MRTG and Perl from the Internet (one-time installation).
Both can be downloaded freely from the Internet. Search on google.com for the latest version, download it and install it in the default directory.
Step 2. Build the configuration (each time a device is added).
This step adds a device to MRTG. Assuming that the devices are reachable from the MRTG server and that SNMP port 161 is reachable, we can build the configuration file. For this purpose I recommend creating the following directory structure.
C:\mrtgdata
    conf
    output
        device1
        device2
        ...
        CPU
The configuration code for generating the configuration file is:
To run this code, go to cmd and navigate to C:\mrtg\bin. This code will generate the link-utilization HTML files. Make sure the bandwidth commands are set on the devices; otherwise the utilization value will not be exact.
For CPU/Memory/Other utilization:
#---------------------------------------------------------------
# PC Narvik - Memory
#---------------------------------------------------------------
Target[Narvik-mem]: 1.3.6.1.4.1.9600.1.1.2.19.0&1.3.6.1.4.1.9600.1.1.2.2.0:public@127.0.0.1 * 1024
MaxBytes[Narvik-mem]: 8000000000
Options[Narvik-mem]: integer, gauge, nopercent, growright, unknaszero
YLegend[Narvik-mem]: Memory
ShortLegend[Narvik-mem]: B
LegendI[Narvik-mem]: Used
LegendO[Narvik-mem]: Avail
Legend1[Narvik-mem]: Memory committed
Legend2[Narvik-mem]: Memory available
Title[Narvik-mem]: Narvik Memory
PageTop[Narvik-mem]: <H2>PC Narvik - Memory</H2>
#---------------------------------------------------------------
# PC Narvik - CPU load, dual-core CPU
#---------------------------------------------------------------
Target[Narvik-CPU]: 1.3.6.1.4.1.9600.1.1.5.1.5.1.48&1.3.6.1.4.1.9600.1.1.5.1.5.1.49:public@narvik
MaxBytes[Narvik-CPU]: 100
YLegend[Narvik-CPU]: CPU %
ShortLegend[Narvik-CPU]: %
LegendI[Narvik-CPU]: CPU 1
LegendO[Narvik-CPU]: CPU 2
Legend1[Narvik-CPU]: CPU 1 usage
Legend2[Narvik-CPU]: CPU 2 usage
Options[Narvik-CPU]: integer, gauge, nopercent, growright, unknaszero
Title[Narvik-CPU]: Narvik CPU
PageTop[Narvik-CPU]: <H2>PC Narvik - CPU load</H2>
# If PC Narvik had a single-core CPU, use two instances of object 48, as MRTG requires that
# you have two variables returned. You may also want to prevent display of the second output
# line by adding the "no-output" option (noo) to the Options line:
Target[Narvik-CPU]: 1.3.6.1.4.1.9600.1.1.5.1.5.1.48&1.3.6.1.4.1.9600.1.1.5.1.5.1.48:public@narvik
Options[Narvik-CPU]: integer, gauge, nopercent, growright, noo
# I found that on a lower-spec PC (Bacchus), returning the CPU twice caused an artificially
# high value to be returned for the second call (presumably the CPU busy processing the first
# request?!), so I actually changed to using the SNMP value: Maximum Number of Process Contexts,
# i.e. .1.3.6.1.2.1.25.1.7.0 (check this on your system using GetIF), which returns integer 0.
Target[Bacchus-CPU]: 1.3.6.1.4.1.9600.1.1.5.1.5.1.48&1.3.6.1.2.1.25.1.7.0:public@192.168.0.4
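As an added example (not part of the original post), here is a small Python checker for the Target[...] lines in a cfg file of the form shown above (two OIDs, community@host, optional multiplier). The sample lines are constructed in the style of the Narvik/Bacchus entries; the check flags well-known default community strings, since the community is the only credential SNMP v1/v2c offers and it sits in cleartext in this file.

```python
import re

# Constructed sample in the same form as the post's entries (not real hosts).
SAMPLE_CFG = """\
Target[Narvik-mem]: 1.3.6.1.4.1.9600.1.1.2.19.0&1.3.6.1.4.1.9600.1.1.2.2.0:public@127.0.0.1 * 1024
MaxBytes[Narvik-mem]: 8000000000
Target[Bacchus-CPU]: 1.3.6.1.4.1.9600.1.1.5.1.5.1.48&1.3.6.1.2.1.25.1.7.0:public@192.168.0.4
Target[Narvik-CPU]: 1.3.6.1.4.1.9600.1.1.5.1.5.1.48&1.3.6.1.4.1.9600.1.1.5.1.5.1.48:public@narvik
Target[Edge-wan]: 1.3.6.1.2.1.2.2.1.10.3&1.3.6.1.2.1.2.2.1.16.3:r0-Mon1t0r@10.0.0.1
"""

# Only the "oid&oid:community@host [* factor]" form used on this page is handled.
TARGET_RE = re.compile(
    r"^Target\[(?P<name>[^\]]+)\]:\s*"
    r"(?P<oid_in>[\d.]+)&(?P<oid_out>[\d.]+)"
    r":(?P<community>[^@\s]+)@(?P<host>\S+)"
    r"(?:\s*\*\s*(?P<factor>\d+))?\s*$"
)

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_targets(cfg_text):
    """Return one dict per Target line; raise on a Target line that does not fit."""
    targets = []
    for line in cfg_text.splitlines():
        if not line.startswith("Target["):
            continue  # MaxBytes, Options, comments etc. are not checked here
        m = TARGET_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable Target line: {line!r}")
        t = m.groupdict()
        t["factor"] = int(t["factor"]) if t["factor"] else 1
        targets.append(t)
    return targets


def audit_targets(targets):
    """Flag default community strings and the 'same OID twice' single-core trick."""
    findings = []
    for t in targets:
        if t["community"] in DEFAULT_COMMUNITIES:
            findings.append((t["name"], f"default community {t['community']!r}"))
        if t["oid_in"] == t["oid_out"]:
            findings.append((t["name"], "both OIDs identical (second value is a duplicate)"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_targets(parse_targets(SAMPLE_CFG)):
        print(f"{name}: {issue}")
```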
Zero-day flaw found in web encryption
A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.
More on : http://news.zdnet.co.uk/security/0,1000000189,39860592,00.htm
Inside Microsoft's biggest datacentre
More on : http://news.zdnet.co.uk/hardware/0,1000000091,39860590-1,00.htm
Wednesday, November 18, 2009
A brief overview of subnetting IP Addressing (VLSM)
IP was created as a way to hide the complexity of physical addressing by creating a virtual addressing scheme that is independent of the underlying network. IP does not ensure that data is delivered to the application in the appropriate order; that responsibility is left to upper-layer protocols such as
Note: IP is a connectionless, Network-layer protocol.
An IP address is 32 bits long. The bits can be broken down into four bytes. Each byte is expressed in decimal form and separated from other bytes by a dot (that is, x.x.x.x). This is called dotted-decimal format. Each bit within a byte carries a binary weight (starting from left to right) of 128, 64, 32, 16, 8, 4, 2, 1. If you add up these values, you get a range of 0–255 for each byte.
For example, one byte can be translated from binary format to decimal format as follows:
128 64 32 16 8 4 2 1
0 1 0 1 1 0 0 1 = 0 + 64 + 0 + 32 + 16 + 0 + 0 + 1 = 113
IP addressing has been broken down into five separate classes based on the maximum number of hosts required by the network.
IP Address Classes (leading bits, then the remaining fields)
Class A | 0 | Network | Host
Class B | 10 | Network | Host
Class C | 110 | Network | Host
Class D | 1110 | Multicast Address
Class E | 1111 | Reserved
You can see from the figure above that each address class contains a network portion and a host portion. The network portion identifies the data link that is common to all the devices attached to that network. The host portion uniquely identifies an end device connected to the network.
IP Address Classes
Class | Decimal Value | Purpose | Max. Hosts |
Class A | 0–127 | Large organizations | 16,777,214 |
Class B | 128–191 | Medium-sized Organizations | 65,543 |
Class C | 192–223 | Small organizations | 254 |
Class D | 224–247 | Multicast addresses | n/a |
Class E | 248–255 | Experimental | n/a |
Private IP Addresses
Private address space is not routed on the public Internet and can be used by anyone within a private network. Public address space, on the other hand, consists of unique addresses assigned to a company. Within Classes A, B, and C the following ranges have been defined as private.
Starting Address | Ending Address
10.0.0.0 | 10.255.255.255
172.16.0.0 | 172.31.255.255
192.168.0.0 | 192.168.255.255
Address Masks
The network mask is used in conjunction with an IP address to delineate the network portion of an IP address from the host portion. Each major network address within its designated class has a standard network mask:
Address Class | Network Mask
Class A | 255.0.0.0
Class B | 255.255.0.0
Class C | 255.255.255.0
A major network address can be further divided into smaller networks by using a technique called subnetting. When a major network is subnetted, the address can be broken into three parts:
1. The network portion
2. The subnet portion
3. The host portion
When a network mask is varied to create further subnets like this, it is commonly referred to as a Variable Length Subnet Mask (VLSM).
Cisco often represents the subnet mask by identifying the number of bits used as the mask. For example, 192.174.10.0/30 represents network 192.174.10.0 255.255.255.252. The value 30 is the number of bits used for the network portion of the address; in binary format, /30 is
255.255.255.252 = 11111111.11111111.11111111.11111100 = /30
Let’s look at another example. Given 170.130.0.0/21, what is the subnet mask?
/21 = 11111111.11111111.11111000.00000000
The network address and mask are
170.130.0.0 255.255.248.0.
Let’s say that we want to determine the network address, the broadcast address, and the available addresses that correspond with the given IP address:
150.34.74.53 255.255.240.0
1. Convert the IP address and its address mask into binary format.
150.34.74.53 = 10010110 00100010 01001010 00110101
255.255.240.0 = 11111111 11111111 11110000 00000000
2. Perform a logical AND of the address and the mask.
A logical AND works as follows:
0 and 0 = 0
0 and 1 = 0
1 and 0 = 0
1 and 1 = 1
So,
Host Address: 10010110 00100010 01001010 00110101
Mask: 11111111 11111111 11110000 00000000
Logical AND: 10010110 00100010 01000000 00000000
3. Convert the result of the logical AND back to dotted-decimal format.
10010110 00100010 01000000 00000000 = 150.34.64.0
4. Calculate the broadcast address.
Remember that the network mask is used to delineate the network portion of an IP address from the host portion. Mask bits are set to 1 if the corresponding bit in the IP address should be considered part of the network address and 0 if part of the host address.
150.34.74.53 = 10010110 00100010 0100 1010 00110101
255.255.240.0 = 11111111 11111111 1111 0000 00000000
Network Bits Host Bits
To determine the broadcast address, we need to replace each bit available within the host portion of the IP address with a value of 1.
So, the broadcast address of the network for the host 150.34.74.53 is
150.34.79.255 = 10010110 00100010 0100 1111 11111111
Network Bits Host Bits
Summary:
Given the IP address and address mask: 150.34.74.53 255.255.240.0, we have determined the following:
Network Address = 150.34.64.0
Broadcast Address = 150.34.79.255
Available Addresses = 150.34.64.1–150.34.79.254 (for a total of 4,078 hosts)
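The four-step procedure above, carried out in Python as an added example (not from the original post). It also covers the two prefix-length conversions shown earlier (/30 and /21); the host count it returns is 2^(host bits) - 2, which for the /20 in this example is 4,094.

```python
import ipaddress  # used only to validate and format dotted-decimal strings


def dotted_to_int(dotted: str) -> int:
    """'150.34.74.53' -> 32-bit integer (step 1: binary form)."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal string (step 3)."""
    return str(ipaddress.IPv4Address(value))


def prefix_to_mask(prefix: int) -> str:
    """/21 -> '255.255.248.0': the top `prefix` bits of 32 set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.252' -> 30; rejects masks whose 1-bits are not contiguous."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def subnet_info(host: str, mask: str) -> dict:
    """Network, broadcast and usable range for host/mask, following steps 1-4."""
    h, m = dotted_to_int(host), dotted_to_int(mask)
    prefix = mask_to_prefix(mask)
    network = h & m                                 # step 2: logical AND
    host_bits = 32 - prefix
    broadcast = network | ((1 << host_bits) - 1)    # step 4: all host bits set to 1
    usable = (1 << host_bits) - 2 if host_bits >= 2 else 0  # /31 and /32 have no range
    return {
        "prefix": prefix,
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(network + 1) if usable else None,
        "last_host": int_to_dotted(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    print(prefix_to_mask(30), prefix_to_mask(21))
    for key, val in subnet_info("150.34.74.53", "255.255.240.0").items():
        print(f"{key:13} {val}")
```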
Analog Binary example
When we work we are always driven by some digital objectives. By digital I mean we have a finite set of deliverables, let's say to score 5% more than last quarter, or to get a 99% quorum, etc. Digital objectives are to be achieved by analog actions. Analog actions are not finite, unlike pressing a switch on/off. Analog actions are more complicated than digital objectives. By analog I mean we have infinite ways to achieve finite deliverables. We need to streamline our analog thoughts and actions to map perfectly into digital deliverables and hence produce a binary result. Binary result!!!... yes, it is win/loss, profit/loss, done/not done. The transition from follower to leader depends on how much you digitize yourself. When you always think and act in binary and achieve binary results, you are a perfect leader. Refer to the diagram below.
Analog Actions ------> Digital Deliverables -----> Binary Results
However, it is not very easy. People most of the time struggle to find a way to transform their analog actions into digital deliverables. And when managers ask the binary questions, the system crashes. A blue screen with the system dumping physical memory appears on the scene... quite often. Analog actions are to be taken, digital deliverables have to be met and binary results have to be achieved positively.
In this sense a person has to be a perfect A/D converter. The more precision in the digital outputs, the higher the degree of match in deliverables and the closer to binary results...
Port Mirroring
Switches make network troubleshooting a bit more difficult because not all traffic is sent to every port as in an older network hub. Switching improves speed because bandwidth is reserved only for the connections on that port, and security is generally better because it takes more than a simple freeware network sniffer like Wireshark to snoop traffic on that segment.
To work around this for troubleshooting and analysis, either a network hardware mirror, most often called a tap, or a mirror (sometimes called a SPAN) on the switch is required. Most business-class switches have this feature, and Cisco includes it on all of its switches.
Configuration
Configure a mirror on port 1 like this.
My_Switch(config)#monitor session 1 source interface Fa0/1 both
My_Switch(config)#monitor session 1 destination interface Fa0/10
The both option on the command tells the switch to send both transmitted and received packets to the destination port. Once a switchport is configured as a destination mirror port, the port will not accept traffic; a sniffer cannot transmit data, it can only listen.
More than one mirror
Cisco switches actually allow you to create more than one mirror, although the number of allowed mirrors depends on the model of Cisco switch. To create a second mirror, just designate a second mirror session.
My_Switch(config)#monitor session 2 source interface Fa0/2 both
My_Switch(config)#monitor session 2 destination interface Fa0/11
Cisco’s syntax also allows you to specify multiple sources for a single destination port, or a single source for multiple destinations. This is handy when setting up Intrusion Detection Systems that monitor the network.
My_Switch(config)#monitor session 2 source interface Fa0/2 both
My_Switch(config)#monitor session 2 destination interface Fa0/11
My_Switch(config)#monitor session 2 destination interface Fa0/12
In some cases, looking at the traffic of just one port is not good enough, or the number of mirrors needed exceeds the number the switch is capable of. In that case, Cisco switches allow you to create a VLAN mirror that grabs traffic from one or more entire VLANs and sends it to a destination port for monitoring.
My_Switch(config)#monitor session 1 source vlan 33 rx
My_Switch(config)# monitor session 1 destination interface Gi1/1
Specifying both in the source command would create duplicate packets as packets go in and out of the VLAN, so specify only receive or transmit with the rx or tx options. The both option would look like a network echo from a sniffer’s perspective.
Show command
The show monitor command summarizes all of the configured mirrors on the entire switch.
My_Switch>show monitor
Session 1
———
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/10
Encapsulation: Native
Filter VLANs: None
Dest RSPAN VLAN: None
Session 2
———
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/2
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/11
Encapsulation: Native
Filter VLANs: None
Dest RSPAN VLAN: None
Mirrors can be disabled in two ways:
My_Switch(config)#no monitor session 1
This command removes only session 1.
My_Switch(config)#no monitor
The no monitor command removes all monitor sessions on the switch.
Method of firewall policy segregation using a Microsoft Excel sheet for host-based and subnet-based firewall rules: the “1234 Rule”.
Firewalls generally use access-list tables for packet-flow control. Managing and optimizing firewall rules is a critical part of firewall operation. Once a system is in production and we fine-tune the policy, we want to segregate host-based and subnet-based policies. This segregation is needed in order to see whether any duplicate policies exist and whether the permitted/denied traffic flow matches the designed data flow. Most commonly we export all the rules into an Excel spreadsheet and do some data analysis on the values, such as grouping, filtering or cut-copy-paste of rules. One of the tasks involves segregating host-to-host, host-to-subnet, subnet-to-host and subnet-to-subnet policies. This paper gives a mathematical method to calculate the desired result.
Introduction:
For any enterprise or
The counts should come out as follows, with the rule lines segregated in the Excel sheet.
| Destination | |
Source | Subnet | Host |
Subnet | subnet to subnet | subnet to host |
Host | host to subnet | host to host |
1234 Rule:
This rule makes use of a binomial expression in two variables. The variables take the binary values 0 and 1, which we choose to identify a subnet or a host: 0 identifies a subnet and 1 identifies a host. There are four possible outcomes in that case.
Source | Destination | Rule combination |
0 | 0 | subnet to subnet |
0 | 1 | subnet to host |
1 | 0 | host to subnet |
1 | 1 | host to host |
Further, to uniquely identify the lines in the Excel sheet for these four conditions, the following equation is proposed:
Cell value = x + 3^y
where x is the source bit and y is the destination bit. This equation in two variables produces four unique values, 1, 2, 3 and 4, for the four possible combinations of source and destination bits.
Source | Destination | Cell value = x + 3^y |
0 | 0 | 1 |
0 | 1 | 3 |
1 | 0 | 2 |
1 | 1 | 4 |
The numbers this formula generates can be used as an identifier to sort the subnet-to-subnet (1), subnet-to-host (3), host-to-subnet (2) and host-to-host (4) policies.
Prior to applying the formula, the source and destination fields need to be marked. This can be achieved using an “IF” condition in the Excel sheet. For example, if column “H” contains the source field we can put the formula,
Cell value =IF(H:H="host", 1, 0)
and similarly if destination is in column “J”, we can have,
Cell value =IF(J:J="host", 1, 0)
These formulae generate a series of 0s and 1s alongside the policy rows, which serve as the input values for x and y.
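The same marking and 1234 classification applied to a CSV export instead of an Excel sheet, as an added example that is not part of the original paper. The export and its column names are constructed; a field is marked as a host (1) when it denotes a single address, and “any” or a prefix of more than one address is marked as a subnet (0).

```python
import csv
import io
import ipaddress

# Constructed sample export; columns stand in for the sheet's source/destination columns.
SAMPLE_CSV = """\
rule,source,destination,action
10,10.1.1.0/24,192.168.5.10/32,permit
20,10.1.1.5/32,192.168.5.0/24,permit
30,10.2.0.0/16,172.16.0.0/12,deny
40,10.1.1.5,192.168.5.10/32,permit
50,any,192.168.5.10/32,permit
"""

# Cell value -> rule combination, as in the table above.
LABELS = {1: "subnet to subnet", 2: "host to subnet",
          3: "subnet to host", 4: "host to host"}


def host_bit(field: str) -> int:
    """Equivalent of =IF(...="host",1,0): 1 for a single address, 0 for a subnet or 'any'."""
    if field.strip().lower() == "any":
        return 0
    net = ipaddress.ip_network(field.strip(), strict=False)  # bare address -> /32
    return 1 if net.num_addresses == 1 else 0


def rule_code(x: int, y: int) -> int:
    """Cell value = x + 3^y: (0,0)->1, (1,0)->2, (0,1)->3, (1,1)->4."""
    return x + 3 ** y


def classify(csv_text: str) -> dict:
    """Group rule ids by their 1234 code, the way a sorted sheet would separate them."""
    groups = {1: [], 2: [], 3: [], 4: []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = rule_code(host_bit(row["source"]), host_bit(row["destination"]))
        groups[code].append(row["rule"])
    return groups


if __name__ == "__main__":
    for code, rules in classify(SAMPLE_CSV).items():
        print(f"{code} {LABELS[code]:17} {rules}")
```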
Conclusion:
The paper discusses a convenient method to segregate the policy lines for subnet-to-subnet, subnet-to-host, host-to-subnet and host-to-host policy rules. The formula “Cell value = x + 3^y” can, however, be used for other requirements where we need a similar kind of result for two different variables with binary options. Since this formula results in the decimal values 1, 2, 3 and 4, the name given to it is the 1234 rule.