Does Your Neighbor’s Cordless Phone Interfere with Your Wifi?

Auditing Your Gear with Nipper

Let’s talk auditing for a bit. It’s important to have an outside person look over your configurations every so often to be sure you didn’t do something stupid, so, every quarter or so (mostly so), I bring in someone to…wait a minute. It would cost about $3000 for someone to do that, and the company surely isn’t going to pay for that. The wonderful people from “The Internet” know this, though, and have released a whole bunch of tools to audit gear like that. One of those is called Nipper.

CBAC – Context-based ACLs

Let’s set up a scenario. You have a single router that terminates your T1 to the Internet for your company. You serve your own website and email, but you’d like to be as secure as possible and use ACLs on the router to lock stuff down. Your router has two interfaces – S0/0 for the T1 and F0/0 for the LAN connectivity. Here’s a simple configuration showing the interfaces and an ACL to let you host your stuff.

Services on an IOS Device

Free and Awesome Network Tools

We all have limited budgets these days. Long gone are the days of unlimited resources and uncontrollable expansion of the network, so it’s important that any network dude or dudette pay attention to the open-source world. Below is a list of stuff I use at the office and at home to monitor, trend, and alert the network. All this stuff is free and runs on Linux to save even more cash.

A Simple BGP Lab with Dynamips/Dynagen

I assume you take every word I say to heart and that you’ve been using Dynamips/Dynagen for a few days now, right? Good. That’s a start, but let’s break down a simple lab to make sure everyone’s on the same page. I run my labs on Linux most of the time, so you’ll see my commands for that platform. You’re a smart one, so you can figure out what to do on Windows. :)

Dynamips and Dynagen

I’ve run across articles for these apps a thousand times, so I thought I’d get in on the action. Dynamips and Dynagen are a pair of apps that make simulating Cisco routers very easy. I use them constantly at the office (and even at home on the couch) to try out new configs and even new IOS versions.

Dynamips is the brains behind the operation. It was written to simulate Cisco 7200s for testing, but, eventually, it came to support several platforms, including 3600s, 3700s, and 2600s. You can use it to simulate a whole series of routers that are directly connected together through their interfaces, through virtual switches, or even connected to real interfaces on your box to pass traffic out through the real network. It uses real IOS images, so you can run whatever you can download. The problem with it is that it’s very complicated to use; if you did a fully-populated 7206, your command line would be 5 lines long and not make a lot of sense.

Monitoring the CSM with SNMP

I had an article a few weeks ago about the Cisco CSM, which is a load-balancer module for the 6500 series switches. This thing is a pretty good device, but monitoring the connections to each VIP and RIP is not very straightforward. If you have an SNMP monitoring system like Cacti or MRTG, you need to know the OID to monitor, but it doesn’t work like anything else in the world.

Object Tracking and HSRP

We’ve done some tracking with HSRP in other articles, but there are lots and lots of ways to use object tracking on an HSRP device. In our example network, we tracked the interface, and, if it went down, we decremented the standby priority. What if just the line protocol goes down? How about if the BGP peer on the other end stops sending you routes? If you don’t know that object tracking is the answer, you didn’t read the title.

Intro to Policy Routing

I like layer-3 switches. They give some great flexibility and bang for the buck, but most people overlook one issue with these things that can cause security problems. Most people configure the VLANs, put an IP on the VLAN interfaces, and put it in production, but the packets don’t actually flow the way they think they do.

Let’s check an example. Here’s what the proverbial you had in mind when you plugged your web server, management server, and firewall into your 3750.