Sohail Akhtar

Service Provider General Tasks

2012-01-03T23:45:00.000-08:00

Virtual Switching System

2012-01-03T23:41:00.000-08:00

Enable the Hidden Administrator Account on Windows-7

2011-12-31T07:18:00.000-08:00

I was trying to install Mozilla Firefox on my laptop. When i try to install it shows me a mesage "install with Administrator account". I try to install with my account which is Administrator of Laptop but still it says "install with Administrator" and I stuck as i haven't use/seen any Administrator account. After that i search on google and came to know that it's hidden and not enable by default, so we have to enable this account on windowns-7 machine. Here we go :)

1. Go to Command Prompt

2. c:\> net user administrator /active:yes
The command completed successfully

3. The above line shows the successfull result.

4. Now you can use your Administrator account.

I hope this will be informative for you.

Cheers :)

Huawei Basic Commands

2011-12-25T17:24:00.000-08:00

Hi Everyone !

I don't have time to talk about the basic commands of huawei, i will talk about the details stuff of it. If one is use to with cisco so he/she will not face any problem in understanding Huawei. I got this site with having the basic commands for huawei. If you want to study so look at Mariusz Stola

I Hope this wil be informative for you !

Cheers :)

The SERDES Module on Subcard NP-3 1 is Failed

2011-12-25T17:13:00.000-08:00

I got this problem in our network on one of our NE40E. Before going to the troubleshooting section, I just need to go through the impact of th above problem on a system. Actually we have three groups of SERDES on NE40E i.e. 0,1 and 2 on the LPU. These SERDES are plot on sub-card 0 and 1. If we have problem on SERDES 0 it will not effet the services on SERDES 1 and like wise.

The problem cause can be identifed by checking the clock of SERDES module. The above problem can result because of:

1. Sub-card-1 not prooperly connected to LPU
2. Sub-card 1 is faulty
3. The Port is not configured correctly
4. The connector between the Sub-card and LPU is faulty
5. The optical module is faulty

Solution

1. We have to check wheather the sub-card ETH_xyz_abc_CARD is registere by using the following command.

display device pic-status

2. If it is registered, then we have to replace our optical module.

3. If Optical module is working normal then plug out from the existing sub-card and plug-in in another card. For Example from Sub-Card 0 to Sub-Card 1.

4. Now again verify by using the above command and collect the trap information.

display trapbuffer
terminal monitor

I hope this will be informative for you.

Long Time...............!

2011-09-13T23:15:00.000-07:00

Hi Everyone !!!!!!!!It has been long time that i am not in contact with blog because of my busy schedule. Although i have many stuff to post and many things are waiting in my mind and computer memory, soon i will be back :)Cheers :)

MPLS Configuration

2011-04-03T04:52:00.000-07:00

Make sure “ip cef” is running by using “show running” command

R2(config) # ip cef
R2(config) # mpls label protocol ldp

To make LDP router-id (using loopback address)

R2(config) # mpls ldp router-id loopback 0

Perform these steps on R3 and R4 ?

We will enable MPLS on those interface on which neighbor exists.

R2(config) # interface serial 1/1
R2(config-if) # mpls ip

R3(config) # interface serial 1/0
R3(config-if) # mpls ip

R4(config) # interface serial 1/0
R4(config-if) # mpls ip

Operations and Verify

R2 # show mpls ldp discovery
R2 # show mpls interfaces

R2 # show mpls ldp neighbors
Min label: 16
As 0-15 are reserved

R2# show mpls ldp discovery detail

R2# show ip route-------------------------Control Plane

R2# show ip cef----------------------------Data Plane

R2# show mpls ldp bindings-----------LIB

1. Here we will see one local binding and one remote binding as we have one neighbor so onw remote binding

2. For directly connected it will assign implicit Null label
e.g. 2.0.0.0-------imp-null

For 10.0.0.0------------Local Binding 22
and Remote binding 23

R3# show mpls ldp binding
10.0.0.0--------Local Binding 23
Remote Binding 22

R4# show mpls ldp binding

1. Local and Remote can be same on R4.
2. On R4 for network 2.0.0.0------Local Binding 18
--------Remote binding “imp null”
This imp null means that R3 state that 2.0.0.0 is my directly connected so if you want to send some traffic for this network so remove the label as to get rid of the double lookup.

This was just a window to the MPLS configuration. I Hope this will be informative for you.

Cheers :)

What is MPLS ?

2011-04-03T04:34:00.000-07:00

Here we go……! The very first blog from me on MPLS, I have a lot stuff to publish and write on many things but because of the hectic schedule I am unable to write things, anyway I will try to be regular now onwards. First let’s talk about what is this lovely term MPLS?? ? Anyone?? ? No Idea :( hmmm! Let me explain what this, “Multiprotocol Label Switching (MPLS) is a new forwarding mechanism in which packets are forwarded based on labels”. MPLS comes in to our life because of some problems in the traditional IP routing like:

1. Routing Lookup is performed on every hop (router)

2. When IP is carrying over ATM or Frame Relay so Layer-2 and Layer-3 topology many be different which results in the least best path or suboptimal path and link utilization.

3. At times data only goes through the primary link and not use the other link means we can’t do Traffic Engineering. In traditional IP routing we can do so by using PBR (Policy Based Routing) but that is strongly recommended not to use.
MPLS comes into our life and solve the Problems of traditional IP routing. MPLS is a layer 2.5 technology and it is called “Multiprotocol” because it supports forwarding of other protocol as well. If we can say that end of the day what MPLS will give us so we can say that “Optimization” and “Scalability”. Speed can never be in the definition of MPLS because now a day’s IP is also too fast because of the hardware enhancement.

Modes of Operation

1. MPLS use a 32-bit label field that is inserted between Layer-2 and Layer-3 header (Frame Mode).
2. MPLS over ATM use the ATM header as the label (Cell Mode).

MPLS Architecture

MPLS has two major components i.e. Control Plane and Data Plane

1. Control Plane: Exchange Layer-3 information and label
2. Data Plane: Forward packets based on Label

Let me briefly explain how the two planes behave when a packet comes to it:
a) When the incoming packet is IP based so request comes to RIB (control plane) which then consult FIB (data plane).
b) When the incoming packet is label so request comes to LIB (control plane) which then consult LFIB (data plane).
c) Outgoing packet doesn’t matter whether it is packet (IP) or label.

We can have total of four tables in MPLS, i.e. LIB, RIB, FIB and LFIB.

1. RIB (Routing Information Base)
2. LIB (Label Information Base)
3. FIB (Forwarding Information Base)
4. LFIB (Label Forwarding Information Base)

Label Format

MPLS uses 32-bit label field that contains the following information.
1. 20-bit Label
2. 3-bit experimental field and this is used for Quality of Service (QoS)
3. 1-bit bottom of stack indicator, this play role when we are using multiple label
4. 8-bit Time-to-live (TTL) field, when a packet is in a loop so it brings that out of that state.

Router Terminologies in MPLS Domain

1. Edge LSR (Label Switch Router), It can be either Egress LSR or Ingress LSR. The nature of the router depends on the flow of the data; a router can be Egress LSR or Ingress LSR at one time. For example data comes as IP based so the router which receive the IP packet is Ingress LSR at this point and forward the packet to the MPLS domain and on a router where this packet leaves the MPLS domain so that is Egress LSR. The duty of Edge LSR to received IP based packet and assign label and send to MPLS domain and vice versa.
2. LSR (Label Switch Router) which is in the MPLS domain and whose duty is to forward labeled packets means duty just include Label swapping and forwarding.

Label Switch Path (LSP)

LSP is the path which the packet follows forms the point where it enters the domain till it leaves the domain. LSP is unidirectional means from Router-A to Router-B we can have two LSP in opposite direction.
A very little and brief introduction to MPLS, I hope this will be informative for you. Soon you will get more blogs on it.

I Hope this will be informative for you !

Cheers :)

Quality of Service (QoS)

2011-02-15T02:46:00.000-08:00

Finally I am going to say something about Quality of Service (QoS). QoS is becoming the need of every network now a days and one should be aware of this technology and one have to implement this in his network in order to have smooth communication. In this part of QoS I will be talking about the following few concept and slowly we will be going in dept of QoS.

 Brief History
 QoS Requirement
 QoS Deploying Methods
 QoS Toolbelt

History

Best-Effort Model was based on first come and get, means whoever comes in so they will be assigned the bandwidth, then Integrated Services comes in and that was the first QoS application which uses RSVP to reserve bandwidth for our traffic. Differentiated Services was another application which was based on or gives services on per-hop basis to prioritized traffic, more flexible than Integrated Services as we don’t need to do reservation. After this MPLS/VPN QoS comes in, then Auto QoS then QoS for security, NBAR (Network Based Application Recognition) is used by QoS for security; I will discuss NBAR in detail later on in this QoS series.

QoS Requirement

We can have traffic in our network like DATA, VOICE or VEDIO; normally data is not that much important in comparison to Voice or Video and data is not that much bandwidth hungry like video. Voice is giving priority than all other traffic including video as we should have voice clear and a bit delay in video is acceptable. Now days we having video conferencing (Voice + Video):

There are four evils of your network:

Lack of Bandwidth is when you not sufficient bandwidth available in your network for data.

Packet Loss is when you lose your data traffic because of delay or jitter.

Delay means how long it takes a packet to reach from one point to another point, For example ITU said that for PSTN the delay (one side) can be < 150 ms.

Jitter is known as Delay Variation means one packet take 100 ms to reach from point-A to point-B and another packet take 130 ms, so the variation in the delay is called jitter. We can say that in this communication the jitter is 30 ms which results in packet loss.

QoS Deploying Methods

1. Command-Line Interface (CLI)
2. Modular QoS CLI (MQC)
3. Auto QoS
4. QoS Policy Manager (QPM)

QoS Toolbelt

1. Classification & Marking
2. Policing & Shaping
3. Congestion Avoidance
4. Congestion Management
5. Link Efficiency Tools

Study this site for more about the QoS in the coming posts.

I Hope this will be informative for you

Cheers :)

Resetting Netscreen Device (Juniper Firewall)

2011-01-31T21:14:00.000-08:00

While thinking to start working on juniper, when I picked up Juniper Firewall (Netscreen-50) I was unable to login using the default username and password i.e. Netscreen and Netscreen, Now I had to reset the device in order to get in and enjoy configuring Juniper Firewall but same time you will loss all your configuration. When I consult the Netscreen-50 manual, I got two ways which can be used to reset the firewall, let’s look at the both ways:

1. Using RESET Button

a) On you device near power switch there is a small pinhole which can be used to reset you device.

b) Use a small paper pin or any other narrow pin and insert that into this pinhole and push, while pushing the status of the LED will turn into AMBER

c) Now after releasing the status will turn into GREEN

d) Now wait for two to three seconds

e) After that insert the pin into pinhole again and press for five to six seconds when the status of LED turn into RED, release you pin

f) Now your device will resets into the default factory settings.

g) Now you can enter into your device using the default username (Netscreen) and password (Netscreen)

2. Using Device Serial Number

a) This just needs your device to connect using consol cable.

b) We can also reset our device using the device serial number, note down the serial number from the back of the device.

c) Enter the serial number at the login prompt like

Login: 000099991111 (example)
d) Again enter the same number at the password prompt

Password: 000099991111

!!! lost password reset/!! you ha ye initiated a command to reset the device to factory defaults, clearing ah current configuration, keys and settings. would you like to continue? y/in!

Enter Y

Again you will see the following message:

!! reconfirm lost password reset 111fyou continue, the entire configuration of the device will be erased. in addition, a permanent counter will be incremented to signify that this device has been reset. this is your last chance to cancel this command. if you proceed, the device will return to factory default configuration, which is: system ip: 192.188.1.1; username: netscreen;password' netscreen. would you like to continue? y/[n]

Enter Y

Now you can login using the default username and password. The device recovery feature is enable by default but we can disable it by using following command:

unset admin device-reset

I hope this will be informative for you.

Cheers :)

Low Heap Memory Size Configuring IPS using SDM

2011-01-10T03:59:00.000-08:00

To have a secure network we must be aware of the technologies which can really help us in securing our network, I was studying CCNA-Security last day and a task was about to perform on Cisco router, “Implementing Router Based IPS”. In my case I took 1841 series router and access through SDM. when I select IPS from the left panel I got the following message……….! Banggggg :(

“Your current Java memory heap size is less than 256MB, the amount required for IOS to run. To change the Java memory heap size, open the java control panel and enter -Xmx256m in the Java Applet Runtime Settings dialog. This dialog is in the Java tab, or in the Advance tab of the Java control panel. After you have changed the Java heap size, restart Cisco SDM”.

I consult Google and SDM help so got the solution, Its very simple just follow the following steps:

1. Select START, click on Control Panel

2. Double Click on JAVA

3. Click on ADVANCE tab, and Click on “Java Runtime” if you not able to see this then follow Step-4

4. Click on JAVA tab and click on “View” under “Java Applet Runtime Settings”

5. In the window under “Java Runtime Parameters” write down “-Xmx256m”.

6. Click OK

7. Click Apply and OK

8. Restart your SDM

9. Enjoy IPS Configuration :)

I hope this will be informative for you :)

3750 Switch Password Recovery

2010-12-11T23:08:00.000-08:00

While having a class of CCNP-SWITCH, i had to perform some labs using layer-3 switch, i used cisco-3750 for the lab, i found that two of the switches are password protected as we purchased that few days before so i had to recvoer the password. Connect the PC to the console port of the switch and if switch is power on, unplug the power and again plug power and press the mode button (it depends on series to series for how long you have to press mode button untill the light turn to green then release it, in 3750 you may required to press for around 15-seconds).

The switch should then give you this prompt

switch:

To initialize the flash file system, run the command

switch: flash_init

The switch will now print few messages about the flash memeory, now the next command will be the helper command.

switch: load_helper

Now we have to list the contents of our flash memory using folowing command.switch:

swith: dir flash:

This will display you the output somewhat like this as show below
The switch file system appears:

Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c3750-ipservices-mz-122-25.SEB
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)

Now rename the configuration file to be used later on.

switch: rename flash:config.text flash:oldconfig.text

To further boot the switch run the boot command, this will start the boot you are used to.

switch: boot

When the switch is booted up, you will realize that the configuration is lost But you are enabled on the switch now and we can recover our old configuration as we kept that in flash with different name.

To recover the old configuration:

Switch# rename flash:oldconfig.text flash:config.text

And now to replace the running configuration with the backup

Switch# copy flash:config.text running-config
Destination filename [running-config]?

Press enter, and you will have your old switch configuration back and you are enabled but remember to change your password now.

I hope this will be informative for you.

Cheers :)

Find Net-ID, Host-ID, Total Subnets

2010-12-08T04:01:00.000-08:00

Method # 1

Let suppose we have address 192.168.1.142/25

First Address: The first address in the block can be found by setting rightmost 32 – n bits to 0’s. Let’s take the address give above:
11000000 10101000 00000001 10001110
11000000 10101000 00000001 10000000 (as 32-25 = 7)

192.168.1.127 is the First Address

Last Address: The last address in the block can be found by setting rightmost 32 – n bits to 1’s. Let’s take the address given above:
11000000 10101000 00000001 10001110
11000000 10101000 00000001 11111110 (do 32 – n)

192.168.1.254 is the Last Address

Total Addresses: The number of address in the block can be found by using the formula 232-n, let’s look at this:
232-25 = 24 = 16

I hope this will be informative for you.

Cheers :)

NetMeeting in Windows XP?

2010-10-23T08:29:00.000-07:00

NetMeeting is an XP standard component and is hidden and you have to configure it manually to share any resources between two nodes, participate in virtual meetings, and share data over the internet or intranet.

Steps for configuration:

1. Go to the Start menu and select Run.
2. Type conf
3. After the NetMeeting configuration wizard starts, click Next.
4. Enter your personal details and click Next.
5. Select listing directory options and click Next.
6. Select your connection media (e.g. DSL) and click Next.
7. Configure the shortcut options to your liking and click Next.
8. Click Next to check and configure your speaker volume and again next to check your headphone.
9. Click Finish.

I Hope this will be informative for you !

Cheers :)

Lotus Domino Installation

2010-09-16T22:20:00.000-07:00

Lotus represents BRAND, Domino is SERVER and Notes is CLIENT. I got the chance in Sui Northern Gas to work on this mail server and I found this very good and powerful. I will share the installation process of the Lotus Domino (Server) and Lotus Notes (Client) and some other necessary information related to this, here we go :), In this article lets see the installation of Lotus Domino:

Installation

The Installation process is in Three Steps i.e. Installation, Setup and Run

1. Installation

Run the Setup (In my case 7.0.1), click Next, Again Next, Then Give Path like D:\Lotus\Domino\, click Next, You will get Four Option like

1. Domino Utility Server, Only Application
2. Messaging Server, Only Messages
3. Enterprise Server Both
4. Customize

Select the one which suit you or which is your requirement, here I want to mention that in Lotus Domino Notes we can also configure the chat server also named as “SameTime”.
In my case I select “Enterprise Server”, click Next and Finish.

2. Setup

After you done with Installation step, you will get an icon on desktop, Double Click to run setup (Lotus Domino Server) and Setup step starts:
Click Next, Select First Server (If it is first, in my case it is), Give Server name and Server Title.

Server Name: R&D
Server Title: Domino Server for R&D

Click Next, Give Org: Name and Org: Cert Password
Org Name: xyz
Org Cert Pass: 123456

Click on Customize and Give Country Code: PK, Click OK then Click Next and for Admin and Password Click the Option “Also Save a Local Copy of ID File”

Give Domino Name: XYZ, Click Next, Setup for Internet (Three Option will List)

1. HTTP
2. Internet Call
3. Directory Services (LDAP)

In my case I chose all three options, Now Click Next, Then Customize and select TCP/IP then R&D and then give name “R&D.XYZ.COM”. click Next and Setup

Now After Setup Complete so RUN the Lotus Domino and Your Installation is complete.

NOTE: I use word Local Copy of ID, so I will talk about the ID, a total of three ID’s are created During Installation of Lotus Domino namely Server ID, Cert ID, and Admin ID.

1. Server ID: It is used to Create Server / Authentication
2. Cert ID: Used for User/Group Creation
3. Admin ID: Administrator used for Administration Purpose

This is just the installation phase now a lot of configuration is required in the server to make it fully operational.

I Hope it will be informative for You !

Cheers :)

Configuring ALIAS on Cisco Routers

2010-08-28T00:33:00.000-07:00

If you are like me ;), you will hate typing in long commands again and again.... and again..... and again, here we have the solution for it. Instead of typing "show ip interface brief" all the time wouldn't it be nice to just type sib or any short cut you want. We can do it just by configuring an alias.

Let's take a closer look at the alias command. This command is used at Global Configuration mode, enter the alias and identify the level for which you specify the alias. Some example are given as under:

Use alias exec for Privileged Mode (Command you use at the Router#)

Use alias configure for Global Configuration Mode (Command you use at the Router(config)#)

Use alias interface for Interface Configuration Mode (Command you use at the Router(config-if)# prompt)

After specifying the privilege level, enter the alias you want to create and the command you want it to stand for.

"As far as I know, you can configure an alias to do anything that you can do at the command line. Of course, there's a catch: An alias can't move between modes, type in passwords, or do anything interactive for you". Reference: Click Here

Eamples (Alias):

1. Router(config) # alias exec sib show ip interface brief
2. Router(config) # alias exec sr show ip route
3. Router(config) # alias exec r show running
4. Router(config) # alias exec son show ip ospf neighbour

5. Router(config) # alias configure rr router rip
6. Router(config) # alias configure ro router ospf

7. Router(config) # alias interface ns no shutdown

Default Alias:

1. P for ping
2. h for help
3. u and un for undebug

So likewise we can configure different alias and make our life easy.

I Hope this will be informative for you.

Cheers :)

Advance WAN Configuration, Frame Relay

2010-08-15T12:42:00.000-07:00

While preparing for my CCIE (Routing & Switching), I am going through the detail concept of each topic, lets talk little bit about frame relay. The different terminology that are used in frame realy are as under:

Terminlogy

Permanent Virtual Circuti (PVC)
Data-Link Connection Identifier (DLCI)
Local Management Interface (LMI)
Network-to-Network Interface (NNI)
Local Access Rate / Committed Information Rate

Configuration

Base Config, W/Inverse-ARP
Manual Config, Sub-Interfaces
Hybrid Config Example
Verification
Frame-Relay Config, W/Inverse ARP

What this Inverse-ARP means, when Router-A sends request with DLCI 102 so the response of Router-B is positve that I available here so this response of Router-B is Inverse-ARP. Whenever configuration of frame relay is done so we can have any one of the following state by issuing a single command:

Router-B # Show frame-relay map

Status:

Active: This means that Local and Remote connection are working
InActive: This means that Local Connection is woring while Remote is not working
Deleted: Local Connection is not working while Remote is unknown
Let suppose Router-A say to Router-B that I want to reach DLCI 109 and in response Router-B say I am unaware of this DLCI so this is Deleted Status.
Lets look at the output on one router

Router-C#show frame-relay map

Serial1/0 (up): ip 172.16.1.3 dlci 301(0x12D,0x48D0), static,
broadcast,
CISCO, status defined, active
Serial1/0 (up): ip 172.16.1.1 dlci 301(0x12D,0x48D0), static,
broadcast,
CISCO, status defined, active

NOTE: In CCIE Lab and actual lab we have to turn off this INVERSE-ARP as it will dynamically find the DLCI and Traffice will send to those route to which we don’t want to send.

Frame Relay Configuration, Sub Interfaces

First Let me clear why we using sub-interfaces, why not single interfaces so there are couple of reason for it, 1st Reason is that we have two different subnets, 2nd Reason is Due to Split Horizon (“It states that don’t send traffic back on interface on which it arrives” for further deatil see Here), 3rd Reason is that look at the topology when LAN traffic of Router-B send to Router-A so it will send to Router-C and Routing loops will be created and split-horizon rules tells us not to do this, so we use sub-interfaces for this reason.

Look at the configuration below, but let me explain two commands that why I used that here:

Router-A (config) # interface serial 1/0
Router-A (config-if) # no frame-relay inverse-arp

We block to discover who is on other side

Router-A (config-if) # no arp frame-relay

This command states that one any onw try to access you, so don’t response
After configuration between Router-A and Router-B as Point-to-Point and Router-A and Router-C, Router-D as Multipoint so when we chek connectivity between Router-C and Router-D so it will not work as we have to do the DLCI mapping for them also.
Another most important thing is that at end of all configuraion The Router-D LAN traffice will be there in Router-A but not in Router-B and Router-C and it is because of split-horizon, so we have to turn off it manually (Traffice send from Router-D on interface serial 1/0.2)

Router-A(config)# interface serial 1/0.2
Router-A(config-subif)# no ip split-horizon eigrp 1

Router-C # show ip route

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:01:12, Null0
C 172.16.1.0/24 is directly connected, Serial1/0
D 10.0.0.0/8 [90/2681856] via 172.16.1.1, 00:00:12, Serial1/0
C 192.168.2.0/24 is directly connected, FastEthernet2/0
D 192.168.3.0/24 [90/2684416] via 172.16.1.1, 00:00:07, Serial1/0
The Router-D LAN route is shown as bold in the output.

Now lets look at the detail configuration on each router:

Frame-Relay Switch

hostname FRS
!
boot-start-marker
boot-end-marker
!

ip cef
!
frame-relay switching
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
no fair-queue
frame-relay lmi-type cisco
frame-relay intf-type dce
frame-relay route 102 interface Serial1/1 201
frame-relay route 103 interface Serial1/2 301
frame-relay route 104 interface Serial1/3 401
!
interface Serial1/1
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay lmi-type cisco
frame-relay intf-type dce
frame-relay route 201 interface Serial1/0 102
!
interface Serial1/2
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay lmi-type cisco
frame-relay intf-type dce
frame-relay route 301 interface Serial1/0 103
!
interface Serial1/3
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay lmi-type cisco
frame-relay intf-type dce
frame-relay route 401 interface Serial1/0 104
!

Router-A CONFIGURATIONS
!
hostname A
!
ip cef
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no fair-queue
no arp frame-relay
no frame-relay inverse-arp
!
interface Serial1/0.1 point-to-point
ip address 10.1.1.1 255.255.255.0
frame-relay interface-dlci 102
!
interface Serial1/0.2 multipoint
ip address 172.16.1.1 255.255.255.0
no ip split-horizon eigrp 1
frame-relay map ip 172.16.1.3 104 broadcast
frame-relay map ip 172.16.1.2 103 broadcast
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
auto-summary
!

Router-C CONFIGURATIONS
!
hostname C
!
no aaa new-model
!
!
ip cef

interface Serial1/0
ip address 172.16.1.2 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
no arp frame-relay
frame-relay map ip 172.16.1.3 301 broadcast
frame-relay map ip 172.16.1.1 301 broadcast
no frame-relay inverse-arp
frame-relay lmi-type cisco
!
interface FastEthernet2/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 172.16.0.0
network 192.168.2.0
auto-summary
!

I Hope this will be informative for You !

Cheers :)

Why 3550 and SMI v/s EMI

2010-08-13T11:49:00.000-07:00

Before I discuss difference between SMI and EMI ios on Cisco catalyst switch (3550), lets first talk about a big Question WHY 3350 switch ?

1. First Switch which can be a Router
2. Some other features support like Uplink Fast / Backbone Fast / Rapid STP
3. HUGE bandwidth optimization using Layer-2 and Layer-3 Etherchannel
4. Advance QoS Features

Models

1. 3550-24
2. 3550-48
3. 3550-12T
4. 3550-12G

3550-24 and 48 are either 10-Base, 100-Base or 1000-Base. While 3550-12T provides 10-ports of having speed either 10, 100 or 1000 Base while having 2-GBIC ports which is used for Fiber connectivity. On the other hand 3550-12G provides 10-GBIC ports and two Cat-5 ports of respective speed.

Now Lets talk about the ios that 3550 switch has, it will be either 3550-EMI IOS or 3550-SMI IOS so we should know the difference between these two so that we can decide which ios to go for:

The 3550 is either a Layer-2 or Layer-3 switch, which depends on the software version and feature set that you install. The naming conventions for 3550 images can be any one:

ipbase (Formerly SMI): Cisco IOS IP base image and device manager files. This image has Layer 2+ and basic Layer 3 routing (Static, RIP) features.

ipservices(Formerly EMI): Cisco IOS IP services image and device manager files. This image has Layer 2+ and full Layer 3 features.

ipbasek9: Cisco IOS IP base cryptographic image and device manager files. This image has the Kerberos, Secure Shell (SSH), Layer 2+, and basic Layer 3 routing features.

ipservicesk9: Cisco IOS IP services cryptographic image and device manager files. This image has the Kerberos, SSH, Layer 2+, and full Layer 3 features.

The differences between the two are:

SMI

The SMI image is essentially an L2-only image. However, SMI adds basic L3 functionality to the image. This L3 functionality includes static unicast routing, the Routing Information Protocol (RIP), and other features.

EMI

The EMI image is an L2 image in combination with a full L3 feature set. This feature set includes:
Interior Gateway Routing Protocol (IGRP) and Enhanced IGRP (EIGRP)
Open Shortest Path First (OSPF) Protocol
Border Gateway Protocol Version 4 (BGP4)
Hot Standby Router Protocol (HSRP)
Protocol Independent Multicast (PIM)
Other advanced services

I Hope this will be informative for you !

Cheers :)

Golden Rule of BGP

2010-08-10T00:22:00.000-07:00

BGP does not enable one AS to send traffic to a neighbor AS intending that the traffic take a different route from that taken by traffic originating in the neighbor AS. RFC 1711

While preparing for my CCIE, I came across with the above statement showed as Golden Rule of BGP but believe me I didn’t get what it means while reading for the first time, in fact after reading more than ten times I got a little bit, then after some help and consultancy I got the whole idea, let me explain what it means:

“This simply means that don’t tell a person how to work” means that we are not allowed suggesting other AS traffic to follow which path or another servide provider tell us what to do.

Cheers :)

Core Knowledge Questions Removed for CCIE R&S and Voice Lab Exams

2010-08-06T11:22:00.000-07:00

I am going to appear for CCIE (R&S) Bootcamp on 9th August 2010 in Corvit Lahore. Last Night i was looking on www.cisco.com. I was reading about CCIE, i came across with this statement "CCIE R&S and CCIE Voice Lab Exams, in all global locations, will no longer include the four open-ended Core Knowledge questions" for further detail consult reference links.

Reference:

www.cisco.com/web/learning/le3/ccie/index.htm

or

https://learningnetwork.cisco.com/docs/DOC-6484

Cheers :)

Configuring Cisco IOS Net Flow and NetFlow Data Export

2010-08-03T11:49:00.000-07:00

NetFlow is an application which works independently on internetworking devices and have no impact on other device operation. This application provides statistics of packet flowing through the cisco devices. There are some pre-requisities for configuring this application on cisco router:

1. Configuring IP Routing
2. CEF, Fast Switching or Distributed CEF any one should be configured
3. You have sufficient resources as this application consume more memory

Step-by-Step Procedure

1. Enable
2. Configure Terminal
3. IP flow-export [Destination Address] Optional
4. IP flow-export version 9
5. interface [interface type][interface number]
6. ip flow [ingress|egress]
7. exit
8. end

The Detail description of each step is discuss as under:

1. Eenter your desired password if prompt

My-Router > enable

2. Enter global configuration mode by entering following command

My-Router # configure terminal

3. Specify IP address or hostname of the workstation to which you want to send your NetFlow traffic. The workstation is running an application such as NetFlow Collection Engine (NFC). (Optional)

My-Router (config) # ip flow-export destination 192.168.1.1

4. Enable the export of information in NetFlow cache entries. The version 9 the export packet follow version 9 format. (Optional)

My-Router (config) # ip flow-export version 9

5. Specify the interface for which you want to enable NetFlow on

My-Router (config) # interface serial 2/0

6. Enable NetFlow on interface, Ingress (Capture traffic that is recieved by the interface), Egress (Capture traffic that is being transmitted by the interface)

My-Router (config) # interface serial 2/0
My-Router (config-if) # ip flow ingress | egress

7. Optional, now exit global configuration mode

My-Router (config) # exit
My-Router #

Verification:

To Verify that NetFlow is working properly, issue following command

1. show ip flow interface

This command display NetFlow configuration for an interface. The following is sample output from this command:

My-Router# show ip flow interface
Serial 2/0
ip flow ingress

2. show ip cache flow

This command use to verify that NetFlow is operational, and to display a summary of the NetFlow statistics. The following is sample output from this command:

My-Router# show ip cache flow

IP packet size distribution (1103746 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
35 active, 4061 inactive, 980 added
2921778 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9
TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9
TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8
TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8
TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7
TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7
TCP-other 297 0.0 1133 40 6.8 1799.7 0.8
UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0
UDP-other 108 0.0 1417 28 3.1 1799.6 0.9
ICMP 135 0.0 1133 427 3.1 1799.6 0.8
Total: 945 0.0 1166 91 22.4 1799.6 0.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 192.168.5.9 Et1/0.1 172.16.10.200 01 0000 0C01 51
Et0/0 10.10.1.1 Null 172.16.11.5 11 0043 0043 51
Et0/0 10.10.1.1 Null 172.16.11.5 11 0045 0045 51

3. show ip cache verbose flow

Use this command to verify that NetFlow is operational and to display a detailed summary of the NetFlow statistics. The following is sample output from this command:

My-Router # show ip cache verbose flow

IP packet size distribution (1130681 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
35 active, 4061 inactive, 980 added
2992518 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9
TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9
TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8
TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8
TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7
TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7
TCP-other 297 0.0 1133 40 6.6 1799.7 0.8
UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0
UDP-other 108 0.0 1417 28 3.0 1799.6 0.9
ICMP 135 0.0 1133 427 3.0 1799.6 0.8
Total: 945 0.0 1166 91 21.9 1799.6 0.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0 192.168.5.9 Et1/0.1 172.16.10.200 01 00 10 799
0000 /0 0 0C01 /0 0 0.0.0.0 28 1258.1
Et0/0 10.10.1.1 Null 172.16.11.5 11 00 10 799
0043 /0 0 0043 /0 0 0.0.0.0 28 1258.0
Et0/0 10.10.1.1 Null 172.16.11.5 11 00 10 799
0045 /0 0 0045 /0 0 0.0.0.0 28 1258.0
Et0/0 10.24.3.1 Et1/0.1 172.16.10.2 01 00 10 799
0000 /0 0 0800 /0 0 0.0.0.0 28 1258.1
Et0/0 10.10.1.1 Null 172.16.11.6 11 00 10 799
0044 /0 0 0044 /0 0 0.0.0.0 28 1258.1

ROUTE (642-902) Exam Topics

2010-04-28T00:27:00.000-07:00

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Implement an EIGRP based solution, given a network design and a set of requirements

Determine network resources needed for implementing EIGRP on a network
Create an EIGRP implementation plan
Create an EIGRP verification plan
Configure EIGRP routing
Verify EIGRP solution was implemented properly using show and debug commands
Document results of EIGRP implementation and verification

Implement a multi-area OSPF Network, given a network design and a set of requirements

Determine network resources needed for implementing OSPF on a network
Create an OSPF implementation plan
Create an OSPF verification plan
Configure OSPF routing
Verify OSPF solution was implemented properly using show and debug commands
Document results of OSPF implementation and verification plan

Implement an eBGP based solution, given a network design and a set of requirements

Determine network resources needed for implementing eBGP on a network
Create an eBGP implementation plan
Create an eBGP verification plan
Configure eBGP routing
Verify eBGP solution was implemented properly using show and debug commands
Document results of eBGP implementation and verification plan

Implement an IPv6 based solution, given a network design and a set of requirements

Determine network resources needed for implementing IPv6 on a network
Create an IPv6 implementation plan
Create an IPv6 verification plan
Configure IPv6 routing
Configure IPv6 interoperation with IPv4
Verify IPv6 solution was implemented properly using show and debug commands
Document results of IPv6 implementation and verification plan

Implement an IPv4 or IPv6 based redistribution solution, given a network design and a set of requirements

Create a redistribution implementation plan based upon the results of the redistribution analysis
Create a redistribution verification plan
Configure a redistribution solution
Verify that a redistribution was implemented
Document results of a redistribution implementation and verification plan
Identify the differences between implementing an IPv4 and IPv6 redistribution solution

Implement Layer 3 Path Control Solution

Create a Layer 3 path control implementation plan based upon the results of the redistribution analysis
Create a Layer 3 path control verification plan
Configure Layer 3 path control
Verify that a Layer 3 path control was implemented
Document results of a Layer 3 path control implementation and verification plan
Implement basic teleworker and branch services
Describe broadband technologies
Configure basic broadband connections
Describe basic VPN technologies
Configure GRE
Describe branch access technologies

Source: https://learningnetwork.cisco.com/docs/DOC-6565

I Hope it will Help You !

Cheers :)

CCNP Update: Changes in a Nutshell

2010-01-29T21:15:00.001-08:00

Okay, here's the scoop:

* CCNP will now be three exams, ROUTE, SWITCH, and TSHOOT

* Exam price will increase from $150.00 to $200.00 per exam

* ROUTE and TSHOOT courses (typically 1 week Cisco official courses) are now supplemented with e-learning material (nearly 8 hours for ROUTE and 9 hours for TSHOOT) which is exam material

* Classes / Exams are becoming even MORE real-world (TSHOOT class is 92% hands-on)

* New ROUTE and SWITCH exam is available in March, TSHOOT is available in April.

* BSCI exam can substitute for ROUTE or vice versa

* BCMSN exam can substitute for SWITCH or vice versa

* ONT and ISCW exams can substitute for TSHOOT until end of July (ONT/ICSW exams expire then...BSCI and BCMSN are no longer offered after July 31, however can substitute for ROUTE / SWITCH for their entire 3 year expiration period).

* New CCNP exams now prepare you more for the CCIE R&S

Reference: http://www.ciscoblog.com/

How to Change Microsoft IIS TCP Port Number

2009-12-17T08:37:00.000-08:00

A solution has been asked for “How to change TCP port number in Microsoft IIS (Web-Server)”, as he has installed Microsoft IIS and Apache and both were listening on port # 80, although it is simple but following are the steps for changing the TCP port number in Microsoft IIS.

1. Click Start, Administrative Tools

2. Click on Microsoft Internet Information Services (IIS)

3. Expand the Web-Server that you want and then expand the Web-Site in left Pane or double click the web-site and you will get the “Default Page” or Page that you created in right pane.

4. Right click on “Default Page” and choose “Properties”

5. Click “Web Site” tab.

6. Change the TCP Port number in the box (for multiple port settings, click on “Advance”)

7. Click “OK” to save the changes.

I Hope this will be informative for you!

Cheers

DMVPN for Hub & Spoke Topology

2009-11-20T10:56:00.000-08:00

A project has been started to configure VPN between head office and remote branches. This was done simply by configuring site-to-site VPN (See my Blog) between remote branch (Peshawar) and Faisalabad (next hope) as we (Peshawar hope) are using it as our next hope to reach head office. After the basic configuration of site-to-site VPN, we done with it and the communication were successful between two remote offices. The problem arises when Faisalabad configured VPN with another remote office (Abbotabad) now when they start communication with them by giving their peer address under crypto map as shown below, as the link established between the two sites, ping (communication) breaks between Peshawar and Faisalabad when again peer address of Peshawar was given here so communication breaks with the other remote offices.

Hub-Router (config) # crypto map VPN_MAP 10 ipsec-isakmp
Hub-Router (config-crypto-map) # set peer 130.13.x.x

Problem:

The main problem was that we had multiple sites which are using Faisalabad as their next hop, so it becomes HUB, now we required some method to configure VPN for HUB and SPOKE topology. After searching and goggling we came with the solution that DMVPN is the right choice for it.

Solution:

A Dynamic Multipoint Virtual Private Network (DMVPN) is an up gradation of the virtual private network (VPN) configuration process of Cisco IOS-based routers. What DMVPN does is that it prevents the need of configuration of pre-defined static peers in crypto-map and ISAKMP peer statement. An IPsec tunnel between two Cisco routers may be created on an as needed basis. Tunnels may be created between a spoke router and a hub router or between spokes.

DMVPN Spoke is configured with one or more hub IP addresses. DMVPN hub IP addresses are typically static. DMVPN spoke IP addresses may be static, or dynamic. The spoke router is configured with the hub's IP address and allowing the spoke to connect to hub when it is online. The hub router does not need to be configured with the IP addresses of the spoke routers. This allows many-spoke VPN routers to be deployed without the need to configure additional peers on the hub.

For ROUTING we use dynamic routing protocol between the spokes and the hub, as well as other spokes. We can have the choice of using EIGRP or OSPF routing protocols between them as it is used commonly now a days, one of the reason is scalability. We used EIGRP for our internal routing.

Configurations:

I suppose that you are familiar with GRE tunneling configuration and sit-to-site VPN configuration, if not then look at here my blogs for step wise configuration of GRE and VPN as I will be talking about the remaining configuration that are required for DMVPN.

HUB Configuration:

HUB-Router (config) # interface tunnel 0
HUB-Router (config) # ip nhrp authentication cisco120
HUB-Router (config) # ip nhrp map multicast dynamic
HUB-Router (config) # ip nhrp network-id 10
HUB-Router (config) # no ip split-horizon eigrp 100

There is a reason why we use “no ip split-horizon” on hub, see here

HUB-Router (config) # tunnel source fastethernet 0/0
HUB-Router (config) # tunnel mode gre multipoint
HUB-Router (config) # tunnel key 0

Tunnel key is used on Point-to-Point or Multipoint

HUB-Router (config) # tunnel protection ipsec profile Cisco

Spoke Configuration:

SPOKE -Router (config) # interface tunnel 0
SPOKE -Router (config) # ip nhrp authentication cisco120
SPOKE -Router (config) # ip nhrp map multicast dynamic

Note: We can choose either static ip address or multicast (broadcasting/multicasting), if we choose dynamic it means that learn the destination address that are from client registration on hub

SPOKE -Router (config) # ip nhrp map 172.16.2.1 221.120.x.x

The first is the destination tunnel address and second is the public address of destination.

SPOKE-Router (config) # ip nhrp map multicast 221.120.x.x
SPOKE -Router (config) # ip nhrp network-id 10
SPOKE -Router (config) # ip nhrp nhs 172.16.2.1

Where “nhs” is the next hope server address

SPOKE -Router (config) # tunnel source fastethernet 0/0
SPOKE -Router (config) # tunnel mode gre multipoint
SPOKE -Router (config) # tunnel protection ipsec profile Cisco

NHRP is next-hope resolution protocol; not a routing protocol but it make use of routing information. The most prominent feature of NHRP is that it avoids extra router hopes in an NBMA.

Commands:

You can further use the following command to verify and troubleshoot the configurations.

1. show crypto socket ("Display the crypto sockect between NHRP and IPSec)
2. show ip nhrp ("Display the next hope resolution protocol cache entries etc)
3. show ip route
4. show ip eigrp neighbor
5. show crypto ipsec sa ("Display the active channel)
6. show crypto engine connection active ("Display the total encrypted / decrypted SA)
7. show crypto isakmp sa ("Display isalmp security association state (SA)")

You can also do DEBUG for further understanding and logs

1. debug crypto ipsec
2. debig crypto isakmp
3. debug crypto engine
4. debug crypto socket

I hope this will be informative for you !

Cheers :)

Monitoring Network Interface Traffic / Resource

2009-11-14T06:53:00.000-08:00

MRTG can be use to monitor our Linux machine or any other machine network interfcae traffic or even we can monitor our network devices interface traffic like Routers, Switches etc.

MRTG configuration on Linux, to see the interface traffic flow in both in and out direction see my blog, Click here

We can use MRTG on routers and swithces also but for that we have to configure SNMP first and the client side configuration etc. see my blog on detail stpes of SNMP configuration on cisco router and switches, Click here

But we can make it very simple by using Bytemon to monitor network interface traffic, we will install bytemon on client machine and there we can identify the remote device IP Address or Hostname of which traffci we want to analyze, in my case i use my Backup Production Router IP-Address.

1. The following graph shows the overall protocol traffic on both in and out interfaces.

2. The following graph shows HTTP traffic Data.

3. The folowing show the traffic of interface "IN"

4. The following show the traffcie of "OUT" interface.

I Hope this will be informative for you !

Cheers :)

SNMP configuration on Cisco IOS for routers and switches

2009-11-14T04:43:00.000-08:00

Simple Network Management Protocol (SNMP) is a UDP-based network protocol. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

An SNMP-managed network consists of three key components:

1. Managed device = Slave device
2. Agent = software which runs on Slave device
3. Network management system (NMS) = software which runs on Master

A Managed Device is a network node that implements an SNMP interface that allows unidirectional (read-only, ro) or bidirectional access to node-specific information.
Managed devices exchange node-specific information with the NMSs. Sometimes called network elements, the managed devices can be any type of device, including, but not limited to, routers, access servers, switches, bridges, hubs, IP telephones, computer hosts, and printers etc.

An Agent is a network-management software module that resides on a managed device. An agent has local knowledge of management information and translates that information to or from an SNMP specific form.

A Network Management System (NMS) executes applications that monitor and control managed devices or use Bytemon.

SNMP version available are v1, v2 and v3 with SNMPv3 being th most secure. Now a days either SNMPv2 or 3 is using. Following are the basic steps for the configuration of SNMP on cisco devices.

Configuration Stpes:

1. SNMP Community

In the following line CommunnityName is PUBLIC bydefault and its like a password between SNMP management system and the device, while RW means READ and WRITE permission while 10 specify the access-list that you already define on your system or to be defined right now.

PSW-DXX(config)#snmp-server community [CommunityName] RW 10
PSW-DXX(config)#access-list 10 permit 10.0.0.0

2. Chassi-ID Location and Contacts (Optional)

PSW-DXX(config)# snmp-server chassis-id cisco1841
PSW-DXX(config)# snmp-server location PSHsngpl
PSW-DXX(config)# snmp-server contact EngineerNetSysSohail

3. SNMP Trap Setup

Now that SNMP is enabled. It is important and more necessary to send alert messages also known as SNMP traps to the manager so the Network manager can be alerted. This is mostly the case of most of the SNMP Management/Monitoring system.

PSW-DXX(config)# snmp-server host 10.110.1.2 version ?
1 : Version1
2 : Version 2c
3 : Version 3

Note: If you use version 3 then it will ask for auth, noauth or priv(use the SNMPv3 authprov security level). I used SNMPv3 and it will now authenticate by either using v1/v2c community string and sets up the Management server to which the trap messages needs to be sent, The Community Name will be the one that you define above.

PSW-DXX(config)# snmp-server host 10.110.1.2 version 3 auth [CommunityName]

Also sets up the traps and the type of traps to be sent. Here Link up/down status and system reboot traps are sent to the management server.

PSW-DXX(config)# snmp-server enable traps snmp linkup linkdown coldstart warmstart

We can also configure a very good frriend of my and may be your also SYSLOG to monitor your device.

PSW-DXX(config)# snmp-server enable trap syslog

And we also use the following friend which will help us in finding who access with illegal community string.

PSW-DXX(config)# snmp-server trap authentication

I hope this will be informative for you!

Cheers

Cisco IOS Release 15.0

2009-10-31T23:28:00.000-07:00

Cisco release IOS 15.0 after a long time, its the major release after long time, The world's leading network infrastructure software, Cisco IOS, delivers transparent integration of technology innovations, business-critical services, and key hardware support.

Full Detail about the new release can be found here

Cisco also remove some features from 15.0 version like AppleTalk Phase I & II and Service Selection Gateway (SSG).

Key highlights of Release 15 M and T, illustrated in Figure 1 below, include the following:

• Feature inheritance from Cisco IOS Software Releases 12.4T and 12.4 Mainline1

• M (extended maintenance) releases every 20 months - allows customers to qualify/deploy/remain on releases longer with active bug fix support

• Standard maintenance 15 T releases - provides the latest features and hardware support before the next M release becomes available on Cisco.com2

• Rebuilds of Release 15 M and T releases for ongoing bug fixes

• Cisco IOS Software Release 15.0(1)M is the first release

Its Very important to have a product knowledge, so it will be helpfull to read it :)

Cheers

Booting XM Images on Non-XM 2600 Series Routers

2009-10-29T00:05:00.000-07:00

CCIE Preparation in progress and we fell that some of our routers are not able to fulfill our requirements like one of the limitation we can face and I personally faced that our 2600 series routers (2610, 2611, 2620 etc) lack the memory capacity to run the new IOS images, within CCIE (Routing & Switching) boot camp we can quote this problem that it doesn’t support OSPFv3 for IPv6. For us we are lucky that the old 2600 series platform is same as 2600xm series routers just with a bit difference of less processing power and memory capacity. What this means that 2600 series router can boot 2600XM images and therefore run IOS version that support OSPFv3. Now to accomplish this task we have to use “tftpdnld –r” command in rommon mode to boot an IOS image into RAM. As the image will be running from RAM, a TFTP download will be required every time the router is rebooted.

CONFIGURATIONS:

Following is the configuration of a 2610 router running the 12.2(15) T7 IP Plus image. While it does support IPv6 routing but it lacks OSPFv3 support which is our requirement in this case:

CCIE-Router-9 # show version

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(15) T7, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc
Compiled Sat 09-Aug-03 07:18 by ccai
Image text-base: 0x80008098, data-base: 0x8195144C

ROM: System Bootstrap, Version 11.3(2) XA4, RELEASE SOFTWARE (fc1)

Router uptime is 5 hours, 8 minutes
System returned to ROM by power-on
System image file is "flash: c2600-j1s3-mz.122-15.T7.bin"

cisco 2610 (MPC860) processor (revision 0x202) with 59392K/6144K bytes of memory.
Processor board ID JAD03337409 (4221326695)
M860 processor: part number 0, mask 49
Bridging software
X.25 software, Version 3.0.0
TN3270 Emulation software
2 Ethernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
32K bytes of non-volatile configuration memory
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)

CCIE-Router-9 # config terminal
Enter configuration commands, one per line. End with CNTL/Z.
CCIE-Router-9 (config) # ipv6 unicast-routing
CCIE-Router-9 (config) # ipv6 router ospf 1
CCIE-Router-9 (config) # interface e0/0
CCIE-Router-9 (config-if) # ipv6 ospf 1 area 0

% Invalid input detected at '^' marker.

CCIE-Router-9 (config-if) # exit
CCIE-Router-9 #

In order to boot the XM image we first have to boot the router into rommon mode. To do this reloads the router and press CTRL-BREAK as the router begins to boot.

CCIE-Router-9 # reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]

*Oct 1 10:59:13.751: %SYS-5-RELOAD: Reload requested by console.
System Bootstrap, Version 11.3(2) XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC: Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2600 platform with 65536 Kbytes of main memory

PC = 0xfff0a530, Vector = 0x500, SP = 0x80004864

monitor: command "boot" aborted due to user interrupt

rommon 1 >

Setting ENVIRONMENT Varaibles:

1. Now next we have to set the environment variables for loading an IOS image via tftp.

rommon 1 > IP_ADDRESS=10.110.9.2
rommon 2 > IP_SUBNET_MASK=255.0.0.0
rommon 3 > DEFAULT_GATEWAY=10.110.9.102
rommon 4 > TFTP_SERVER=10.110.9.102
rommon 5 > TFTP_FILE=FileName.bin

2. Next, issue the "tftpdnld -r" command.

Note: The -r switch is required to instruct the router to load the image to RAM instead of writing it to flash.

rommon 6 > tftpdnld -r

IP_ADDRESS: 10.110.9.2
IP_SUBNET_MASK: 255.0.0.0
DEFAULT_GATEWAY: 10.110.9.102
TFTP_SERVER: 10.110.9.102
TFTP_FILE: FileName.bin

Receiving 2600xm.bin from 192.10.4.254!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!
File reception completed.

Program load complete, entry point: 0x80008000, size: 0x1176b34
Self decompressing the image: #######################################
############################################################ [OK]

Do show running-config, we can now see that the router has booted and is running IOS 12.2(15) T14 Enterprise Plus, which is only officially supported as a 2600XM image. Most importantly our 2610 router now has OSPFv3 support.

CCIE-Router-9 > enable
CCIE-Router-9 # configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

CCIE-Router-9 (config) # ipv6 unicast-routing
CCIE-Router-9 (config) # ipv6 router ospf 1
CCIE-Router-9 (config-rtr) # ?

area: OSPF area parameters
auto-cost: Calculate OSPF interface cost according to bandwidth
compatible: OSPF compatibility list
default: Set a command to its defaults
default-information: Distribution of default information
default-metric: Set metric of redistributed routes
discard-route: Enable or disable discard-route installation
distance: Administrative distance

CCIE-Router-9 (config) # interface e0/0

CCIE-Router-9 (config-if) #ipv6 ospf ?
<1-65535>: Process ID
cost: Interface cost
database-filter: Filter OSPF LSA during synchronization and flooding
dead-interval: Interval after which a neighbor is declared dead
demand-circuit: OSPF demand circuit
flood-reduction: OSPF Flood Reduction
hello-interval: Time between HELLO packets
mtu-ignore: Ignores the MTU in DBD packets
neighbor: OSPF neighbor
network: Network type
priority: Router priority
retransmit-interval: Time between retransmitting lost link state
advertisements
transmit-delay: Link state transmit delay

Note: The router may not or may display a warning that it is short on processor memory. Ensure to save your configuration early and often in order to avoid losing our work due to a router crash.

To store your router configuration automatically when you save your configuration using write command, consult my post here

Any comments and suggestion will be highly appreciated :)

I hope this will be informative for you !

Cheers :)

Cisco VPN Client for Windows 7

2009-10-25T21:28:00.000-07:00

We can say that October 2009 is the best month for cisco in terms of new introduction like IOS 15, ISR 2nd Generation and the new version of CCIE, Now a windows 7 user face many difficulties in terms of having third party softwares like cisco VPN client so it’s time for Windows 7 and MacOS Snow Leopard to have Cisco VPN Client and Cisco SSL AnyConnect VPN Client versions, available to download.

The Cisco AnyConnect VPN Client provides remote users with secure VPN connections to the Cisco ASA 5500 Series Adaptive Security Appliance using the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol.

AnyConnect provides remote end users with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. It runs on Microsoft Windows, Windows Mobile, Linux, and Mac OS X, and supports connections to IPv6 resources over an IPv4 network tunnel. We can configure the security appliance to uninstall AnyConnect from the endpoint after the connection terminates, or it can remain on the remote PC for future SSL VPN connections.

In addition to the Cisco Adaptive Security Appliance 5500 Series, Cisco IOS supports AnyConnect.

AnyConnect Client 2.4 runs on the following new platforms:

•Microsoft Windows 7 (32-bit and 64-bit). See "System Requirements."

•Mac OS X 10.6 and 10.6.1 (both 32-bit and 64-bit).

The following sections describe the new features in Release 2.4, For Detail visit this link AnyConnect

•Split DNS Fallback

•Trusted Network Detection

•Simple Certificate Enrollment Protocol (SCEP)

•Prompting Users to Select Authentication Certificate

•Scripting

•Proxy Support Enhancement

•CSD Integration

•PEM File Certificate Store

•FIPS and Additional Security in the New AnyConnect Local Policy

Setup SSH Server on Fedora

2009-10-19T07:10:00.000-07:00

SSH is installing by default on installation of Fedora operating system itself. In this post we will go through the basic setup of SSH server on Fedora Operating System.

Checking SSH server status

a. Using the service command to check the current status of the sshd

[root@myserver ~]# service sshd status
sshd is stopped

[root@myserver ~]#

b. Start SSH server

Start the sshd process using service command.

[root@myserver ~]# service sshd start

Starting sshd:.............................................[ OK ]

[root@myserver ~]#

Automatically start SSH server

By using chkconfig command we can make sure the automatic starting of ssh services when the system reboot. Before this use the following commands to make sure the current status and configuration of SSH services on this machine.

1.Use the following command to check the current status of the sshd
[root@myserver ~]# chkconfig –-list sshd

sshd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[root@myserver ssh]#

2. Use chkconfig command to automatically start the sshd service for runlevel 3, 4 and 5.

[root@myserver ssh]# chkconfig --level 345 sshd on
[root@myserver ssh]#

3. Verify the change for shhd on runlevel 3, 4 and runlevel 5.

[root@myserver ssh]# chkconfig --list sshd

sshd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

[root@myserver ssh]#

Basically we have done the basic setup process now we can proceed with the confirmation of the SSH services.

I hope this will be informative for you !

Cheers

Clear / Flush DNS Cache to Speed up Internet

2009-10-12T23:16:00.000-07:00

DNS (Domain Name Server) cache (A temporary computer memory stored the recent visit pages and help you in quick processing of your request) is stored by Windows (XP and Vista). This cache helps is faster opening of websites already visited on the computer. However, At times this cache becomes corrupted and needs to be cleared.

Clear / Flush Cache Steps

1. Click Start > Run

2. Type cmd and click OK.

3. In black window, type ipconfig /flushdns and press Enter key

You will see the confirmation message as show above in the picture, There is a space between the ipconfig and flushdns.

I hope this will be informative for you !

How to Block a Website on a Node

2009-10-12T22:52:00.000-07:00

If you want to block a web site from vewing on your windows machine, follow these steps to to get the required result.

Steps:

1. c:\WINDOWS\system32\drivers\etc

2. Open hosts file there and append the following line at the end

127.0.0.1 BlockSiteName.com

Note:Replace BlockSiteName with the website name that you want to block on your machine.

3. The go to start --> start --> run --> type

c:\> ipconfig \flushdns

There is a space between the ipconfig and flushdns, now the site will be block but rememberif any one know the ip address of the required site so he can access it still :(

I hope this will be informative for you !

Cheers :)

Linux: Proxy sshd(pam_unix) Authentication Failure

2009-10-11T06:50:00.000-07:00

While looking to my /var/log/message on Linux ( Squid Server, DHCP), i saw the error message shown as title of the post, so after a bit googling i find the solution that it is due to the direct login failure to the proxy server, so to turn off these messages and to avoid the problem we have to disable the direct login of the root account.

The sshd_config file is located at /etc/ssh/sshd_config and it is probably the most common place to find it. If not, we can search for it

# edit sshd_config file

What we want to do is edit this file. We need to uncomment and edit just one line inside this file, at least.

# Vi /etc/ssh/sshd_config

we should be viewing the contents of this file now. We're looking for

#PermitRootLogin yes

Just remove the hash sign (to uncomment the line, or enable it) and change the value to NO. It should look like this after the modifications:

PermitRootLogin no

To make the changes working we have to start the sshd services

# service sshd restart

Now everytime we try to login to our proxy we will using our ordinary user account and then we can substitute to root user.

I hope this will be informative for you !

Cheers :)

Squid Error: No running copy

2009-10-09T00:07:00.000-07:00

I saw this error while troubleshooting another problem on squid (DNS issue)

[root@pswproxy etc] # service squid status
squid (pid 3070 3068) is running...
squid: ERROR: No running copy

This is normally due to squid.pid file missing, since this file is present whenever squid is running, if this file is missing squid will not work. If it is deleted by mistake so still squid will be in running condition and will not work properly, so I found this article very useful. In my case I just restart the squid services and it starts working.

I hope this will be informative for you!

Cheers :)

Squid Error: Reply from unexpected source: 10.110.9.180 # 53, Expected 58.x.x.x # 53

2009-10-08T22:37:00.000-07:00

We got problem in our Proxy Server (Squid), we were unable to access internet, The first problem was so pathetic as we were able to ping our local servers that are in LAN but were not able to ping our DNS, after checking our cable and basic network configuration, we got the solution and now we can ping our DNS also, but again PROBLEM start here as we are now able to ping our DNS properly but when we try nslookup so it results in error shown as a subject of this blog. To find out what is the reason behind this error we had to pass from some basic steps to find it exists, let’s look at those steps?

1. First check that our request are reaching to the destination or not, if not so where the packets are dropped, use the following command

# mtr your-dns-ipaddress
or
# traceroute your-dns-ipaddress

2. Check /etc/resolve.conf, for proper DNS entry, the entry should be like

# vi /etc/resolve.conf
nameserver 58.x.x.x

# service network restart

The entry in my case was correct, so we try ping again and it was working but with nslookup the same result (error) was produced.

3. Now issue the following command to check for the proper / correct gateway:

# netstat –r
or
# route –n

The gateway was also perfectly right but still we were not able to do nslookup. Then we made a change in the /etc/resolve.conf file (change our DNS address to another, so it starts working but that was not a good solution as we are directed to use the original one)

After googling and help from my teacher (Nayyar Ahmad) we were at the opinion that TWO Reasons can subsist in this case:

1. Firewall between our machine and DNS and it is blocking port 53 as we can ping. We have communication channel between both just port#53 has problem.
2. DNS services are not running. As we can ping the machine but services are not running, we can check the services from following command

# service named status

Solution:

It was so simple, when we consult the system administrator of head office so they were not allowing our traffic when he added our dns address so everything was working normal.

I hope this will be informative for you!

Cheers :)

ICMP: Source Squench

2009-10-08T22:31:00.000-07:00

Source Quench is an ICMP based mechanism used by network devices to inform data sender that the packets can not be forwarded due to buffers overload. When the message is received by a TCP sender, that sender should decrease its send window to the respective destination in order to limit outgoing traffic.

Source Squench has been not consider now a days any more becoz of some reason: i.e

1. Source Squench message can lost in the way to sender.
2. Source Squencs carry very little information per packect say it only sense basci information regarding congestion.
3. Source Quench messages, like all ICMP messages, are expensive for a router to generate. This is bad because the congestion control mechanism could contribute additional congestion, if router processing resources become a bottleneck.
4. Source Squench can also cause Denial of Service.

In effect, ICMP Source Quench messages are almost never generated on the Internet today, and would be ignored almost everywhere if they still existed.

Tunneling SSH over HTTP

2009-10-07T00:42:00.000-07:00

At times we need to access certain files that we left at home, it is quite possible that some environments and ISPs have strict firewall rules that can make our life miserable and tough in a sense that they have disallow the use of SSH and allows you to use HTTP proxy. “It is possible to use that HTTP proxy as a transport for SSH.”

The purpose of this article is not to advocate breaking out of your environment’s firewall if you have a policy that expressly prevents that or outbound SSH access! Unfortunately in some case it is blocked without any real reason and at times they may allow you to use SSH. In some environments, however, the explicit denial of outbound SSH is required and for that reason we should respect the policy and not override that. I am not at all advocating breaking any rules unless you have permission, exception or proper orders from the people that should provide it.
This all we can done using Corkscrew, click on it and download the source for Corkscrew. Corkscrew is an HTTP-tunneling programming that does not require server-side modifications to work. It is also cross-platform and will work on most client systems.

Steps to Configure:

1. Download it from this source, click on source

2. To build Corkscrew, simply unpack the file and write below commands in the Corkscrew directory

. /configure
make
or make install

3. Using Corkscrew with SSH/OpenSSH are very simple just copy the resulting corkscrew application to somewhere in your ~/.ssh/config, and add:

Host somehost

Hostname somehost.example.com

ProxyCommand /home/user/bin/corkscrew proxy.example.com 8080 %h %p

Replace the hostname with the host you are attempting to SSH into, and replace “proxy.example.com” with the actual HTTP proxy. You may also need to replace the port (8080) if the proxy listens on an alternate port (i.e., port 3128 in the case of Squid). OpenSSH transparently converts the %h to the hostname to connect to (somehost.example.com) and the %p to the port to connect to (22, by default).

When this is done, we should be able to run ssh somehost and have the connection be established, just as if you were connecting directly. One thing to make sure that may be this does not work with all proxies, so it may be a little hit-and-miss, but it should work with Squid and Apache’s mod_proxy module as well as a few other popular implementations.

I hope this will be informative for you :)

Downloads with delta RPMs in Fedora-11

2009-09-29T22:59:00.000-07:00

Yesterday while doing some goggling I come across through “Delta RPM Packages” in Fedora 11, which is a great new feature: delta RPM updates. This feature creates delta RPM packages (.drpm) that are binary “patches” to the existing RPM packages. What this package does is that it downloads only the changes of the RPM as compare to the existing RPM instead of downloading the full RPM package.

Once the delta RPM is downloaded by the Presto plugin for yum, it will try to reconstruct a full RPM based on the contents of the previous RPM, plus the newly changed files from the delta RPM. Yum will then install the newly-created RPM.
Using Presto has its benefits and drawbacks. If we have a fast Internet connection or are using a local mirror, using Presto doesn’t make sense. It would be faster to download the full RPM package instead of downloading the changed parts and consuming CPU time to reconstruct the RPM to install. You can get detail information about Presto from Fedora Project, Click Here

If, however, we have a slow Internet connection using Presto makes sense: it will download smaller files which will save time, money and resources.
Presto will depends mostly on the update. If it is an update that introduce a single patch that affects only one or two files among multi-megabyte package then using Presto will make the download really fast, if it’s an upgraded version being provided and most files would likely change meaning that many files have changed and been downloaded.

To use Presto, All we need to do is install the yum-presto package, which contains the plugin for Presto:

# yum install yum-presto

Once this is done, we can call to yum using Presto with no further configuration on our part. If you don’t want to use it any more just we have to simply remove the yum-presto-package.

# rpm -e yum-presto

After this in next using yum will act as normal, NOTE: Presto is not the default in Fedora-11 but what look from the application is that it will be the default in Fedora-12.

I Hope this will be informative for you :)

How to Configure Linux as a Router

2009-09-27T23:47:00.000-07:00

It is not possible to purchase Network Router (like Cisco or Juniper) for communication between two different networks on a LAN, although we need router for that in any case, as Router is the device which is used for communication between two different networks. So we should go for economic solution so that it charge us less and also results in proper output.

This can be done by using Linux Machine as a Router, we have some simple steps to do it, using Network Address Translation (NAT).

1. Enable packet forwarding . Make it permanent by adding "net.ipv4.ip_forward = 1" to /etc/sysctl.conf

echo "1" > /proc/sys/net/ipv4/ip_forward

2. Enable iptables to handle NAT. ( eth0 is the public Interface )

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

3. Save iptables settings

# service iptables save

4. Done. Check by routing table by verifying "netstat -nr" and iptables rules by "iptables -L"

This is the simplest method and for iptables consult the one and only "GOOGLE".

I hope it will be informative for you :)

IP HourGlass Model

2009-09-11T02:49:00.000-07:00

"The Hourglass model is essentially the idea of funnelling all communications through some common, ubiquitous communications protocol. Prominent examples of this common protocol are Internet Protocol (IP) and Asynchronous Transfer Model (ATM) [1]"

The data that is created by an application needs to pass through the layer of the TCP/IP reference model to reach the destination. For Example, The application layer protocol used might be HTTP, FTP or TFTP. Every Application layer protocol is associated with a transport layer protocol depending on wheather it is connection-oriented or connection-less. The transport layer protocol in turn interacts with IP for routing the data packets. It is very important to understand that irrespective of the application layer protocol and the transport layer protocol the only protocol that is used for routing the data packets is IP. When the data transmission through the four layers is visualized it takes the shape of an hourglass and thus the model is called the IP Hourglass Model.

See Figure, When Source-A and Source-B interacts with HTTP so the request is forward to IP and Source-C interacts with IP using UDP and then IP forward or send the data to Network Interfaces say Ethernet or X.25 (creates on the basis of technology used) and then request is recieved by Destination-A, Destination-B and so on.

[1]: www.google.com

I hope this will be informative for You!

Some more Beginner Tips - CISCO

2009-09-09T23:21:00.000-07:00

When you work on the Cisco Router or Catalyst Switch console, it would be annoying to have the console or terminal (telnet/ssh) logs to pop in between your commands. This can be even more irritating when it is busy switch or a router spitting messages continuously.

We can log the messages to the console without interferring with your work in the console in Cisco IOS by logging synchronous.In Cisco IOS, logging synchronous can allow you to work along with the logs still logging to the console but without disturbing your work.
To do this

Consol:

Router(config)# line con 0
Router(config-line)# logging synchronous

AUX:

Router(config)# line aux 0
Router(config-line)# logging synchronous

Telnet/SSH:

Router(config)# line vty 0 4
Router(config-line)# logging synchronous

If your Router/Switch has more vty

Router(config)# line vty 5 15
Router(config-line)# logging synchronous

Description:

To add a description to an interface configuration, use the description interface configuration command. Use the no form of this command to remove the description.
The description command is meant solely as a comment to be put in the configuration to help you remember what certain interfaces are used for.
The following example shows how to add a description for a T1 interface:

Router(config)# interface serial 0
Router(config-if)# description T1 line to How2Pass - 128 Kb/s

The description "T1 line to How2Pass - 128 Kb/s" appears in the output of the following EXEC commands: show startup-config, show interfaces, and show running-config

I hope it will be informative for You :)

Description / Line Console 0 / Logging Synchronous

2009-09-09T23:09:00.000-07:00

I got an email today from one of my friend from india (we came to know about each other on cisco community on orkut :)

Mr. XYZ

"hi sohail,
how are u ?. I am fine and hope same for u. I have some problem in CCNA. so i am writing this mail..
what is the use of command
line console 0 and why we always should use 0 with this . if u will use this command in a router with a question mark
such as
Router(config) # line console ?
<0-4> first line number
Now this time it has five choices,we can use any number but the output is not coming as we want, I referred CCNA books but i could not get the answer. if it is necessary to use always 0 then why it gives five choices. I am not able to understand.

my second problem is
when i am typing some commands in router configuration mode I am getting some unwanted messages. how to remove these messages . mainly it is coming when we are typing in some commands. I got a answer that was use logging synchronous command, but i don't know how to use this command. and what will be the effect of that command we will get.

my third problem is
how to use description command and why ? "

Reply:

Ans # 1: Man u r getting it wrong, in router the console command is always <0-0>, this is just usaed to enable the console password and 0 menas the zero level and it is always 0 see attachement with mail, i have attached the router snap short for u, while configuring the passowrd so when u enter there an option is wheather to ask for it r not i mean
no logging OR logging

Ans # 2: We can log the messages to the console without interferring with your work in the console in Cisco IOS by logging synchronous.In Cisco IOS, logging synchronous can allow you to work along with the logs still logging to the console but without disturbing your work.
To do this
Consoole Port:
Router(config)# line con 0
Router(config-line)# logging synchronous
AUX port:
Router(config)# line aux 0
Router(config-line)# logging synchronous
for telent/ssh:
Router(config)# line vty 0 4
Router(config-line)# logging synchronous
If ur switch or router has many vty session
Router(config)# line vty 5 15
Router(config-line)# logging synchronous
or if you want to off then use NO with the commands.

Ans # 3:First why we use description, so description is used to remember the things in the future suppose in very large networks it is not possible all the interface and stuff that belong to whom, so better is to give some description to the interface etc to remember that.

How to use:

# interface serial 0
# description T1 Line to Head Office - 256 Kb/s

IPS Device Manager (IDM) with HTTPS / SSL / TLS

2009-09-07T00:23:00.000-07:00

Intrusion Prevention System (IPS), The device having the ability to detect and stop intruders in the network. IPS can be access through command Line (CLI) and also through web (GUI). The GUI used to access IPS is IDM.

IDM:

A GUI used to manage the IPS allowing a point-N' click way to manage the system. It can be access through web-browser. Different protcol can be used with IDM:

1. TLS / SSL / HTTPS
2. Remote Data Exchnage Protocol (RDEP)
3. Security Device Event Exchange (SDEE)
4. Extended Markup Language (XML)
5. Intrusion Detection Configuration (IDConf)

HTTPS is a secure version of HTTP, its a HTTP over SSL or TLS. TLS or SSL make sure that data send over HTTP is secure and is encrypted. SSL comes out first for secure transaction like banking operations and transactions so we have to use some secure protcol and that was SSL but it was used only for HTTP (web) while we need an alternate also for other than web traffice so TLS was in. TLS can be used for any traffic or any communication type.

When we communicate with IPS, we can use any one of the protocol (TLS, SSL, HTTPS). Once encrypted session is established we can use than any one of the two protocol (RDEP or SDEE) to send configuration using a secure method. Like RDEP is used to configure and then SDEE is used to report event or notify the target.

NOTE: XML created and allow that it can store data, a universal way to store data and information with text, like back in 2000's Microsoft declare that we will now use XML to store data, just like we have our Microsoft office with .x extension (.docx) so All information to sensor will send using XML.

System Requirements:
--> Windows 2000 or XP
--> Sun Sparc Solaris 2.8 or 2.9 or later
--> Red Hat Linux 9.0 w/Gnome or KDE

Browser:
--> Internet Explorer 6.0 or later
--> Netscape 7.1 or later
--> Mozilla 1.7 or later

Java Plug-in 1.5 or later

Login in to IPS using web browser like

https://10.1.1.10

Further detail of IPS configurations, Problmes solution will be discussed soon here.

I hope this wille informativ for You :)

Domain Policy Updation

2009-09-03T00:59:00.001-07:00

I was asked by an Network Manager in XYZ-Medical University in Peshawar about a problme in Domain controller that he was facing, he told me:

Network Manager Said:

I am trying to change the password options for my Domain Controller (on Windows Server-2003), like i want to make my password length say 5 character and second i want to remove the passowrd complexity like in windows server 2003 by default you have to give password a combination of character, numbers and special characters (@,# et) now i have done the necessary steps but still its not working, like still for new user, the system is asking for complex password.
So he request me to help me out in this :(

Solution:

After looking for some solution i got the answer and it was so simple, "Actually this is the problme in Windows Server-2003 whenever you make changes in "DOMAIN SECURIT POLICY" & "DOMAIN CONTROOLER SECURITY POLICY" so the changes will not effect until you update the group policy. The detail steps to do this is as under:

Start --> Administrative Tools --> Domain Security policy --> Account Policy --> Password Policy

Then here DISABLE the option "Password must meet the complexity requirement" and define size for "Password minimum Length". Here we have done with the definition now to make the chaages effect, lets look it:

Steps:

1. Go to command prompt
2. Run
3. cmd
4. c:\> gpupdate
or
c:\> gpupdate/force

and it will now work and the MIS Manager also done with the problem.

I hope it will be informative for you :)

Configuration of Cisco Catalyst Express-500 Switch

2009-08-31T00:56:00.000-07:00

In this document i will brielfy explain about the initial configuration / pocedure of Cisco Catalyst Express-500 series switches. The information in this document was created from the devices in a specific lab environment in my own office where i am working as i was asked to check this switch and try for all the configurations like VLAN, Ether-channel, Inter-Vlan Routing etc.

Now lets look at the steps to access the switch, Follow the steps in the same order as given to complete the configuration :)

1. Make sure to unplug all device from switch if connected

2. Power the switch

3. Wait for the SETUP LED to blink green

4. Press Setup, A switch port LED begins to blink green

5. When a switch port LED blinks green, connect your PC to that port (normally FastEthernet 0/1)

The LAN adapter of this PC (attached to the switch) must be configured to get the IP address via DHCP. The LEDs on the PC and the switchport blink green while the switch configures the connection (this takes around one minute)

6. Open a web browser, access your switch through IP and it should display the GUI, if not display then follow the followinf steps

a. Issue the ipconfig command in order to view the dynamic address allocation.

The switch configures its management address as the Default Gateway for the LAN adapter card of the PC.

Note: For Cisco IOS Software FY series releases, the management IP address is 10.0.0.1. For Cisco IOS Software SEG series releases, the IP address is 169.254.0.1: "Source is cisco.com for this note"

b. From the browser, go to the mentioned IP address. For example, http://10.0.0.1

7. Enter the Network Settings and Optional Settings (if required). Click Submit in order to save changes and finish the basic configuration.

8. Enter the configured User Name and Password in order to continue the configuration of the switch.

9. Then it will ask you for configuration of smart port, so just click on "no thanks"

10. In last it will display a prompt "Restart the switch with its current settings" and "Reset the switch to its factory default, and then restart the switch", so select the first option "Restart the switch with its current settings" and press "submit".

11. Close the web browser and reconfigure the LAN adapter with an IP address within the same subnet of the new management address of the switch.

12. When the switch restart, open a web browser and go to http://CE-500_Management_IP_Address, For example, http://172.16.100.100

I hope it will be informative for you :)

DMVPN - EIGRP, Disable Split-Horizon

2009-08-23T22:25:00.000-07:00

I was ask to tell the solution for the following question regarding DMVPN.

Q: I am deploying a DMVPN hub and spokes with mGRE tunnels protected by IPSEC. I activated EIGRP on it, and I noticed that on the spoke EIGRP
installs in its routing table only the route to the hub, while the spoke-to-spoke routes don't appear neither in the routing table, neither in the EIGRP topology. Nevertheless, the spokes communicate between them through the dynamic tunnels.
I couldn't find any Cisco document contemplating the issue. I wonder if this is the way it's supposed to work, or if I have to search for some misconfiguration.

Solution:

There are certain rules which we have to remember while configuring DMVPN with EIGRP, One of these rules is split horizon. The DMVPN hub tunnel interface serves multiple spokes. Also the tunnel ip address is on the same subnet as its spokes. When configuring a EIGRP AS you use the tunnel network id as a network you want to participate on with EIGRP.

Split Horizon was designed to not allow a router to advertise a route out the same interface in which the route was originally learned. This conflicts in the case of the tunnel interface because it needs to be able to make neighbors with the spokes on the same subnet and also re-advertise routes learned from one spoke to the next.

Again, If you dont disable split horizon on the tunnel interface you will only see the routes the hub itself is responsible for from a spoke router. This can be done by a single command under tunnel interface.
# no ip split-horizon eigrp 2

Now you can see all routes in the client routing table.

Cheers :)

GRE/IPSEC and IPSEC VPN tunnels

2009-08-18T06:07:00.000-07:00

GRE is used as a it provides pure tunneling see GRE for full information. To make secure the GRE tunneling we use GRE/IPSec or IPSec VPN tunnel, as it is one way of setting up private site-to-site connection by utilizing public network (the Internet). Since it is utilizing public network, there would be no need to have dedicated physical circuit to interconnect the sites, hence requiring low overhead to setup while maintain private and secure connection.

With site-to-site IPSec VPN, there is a IP routing in place to interconnect multiple subnet. This IP routing could be static routing or dynamic routing. In a small network where there is only one path connecting two sites, then static routing should be sufficient. When there are multiple paths connecting two sites, then dynamic routing (i.e. EIGRP, OSPF) should be used to have optimal connection just like i did for our office as we have multiple sites to connect and communicate so we used dynamic routing (EIGRP) although we use DMVPN (i will talk about it in next blogs).

Note that IPSec tunneling technology is only able to support static routes and basic IP interconnection. When there are more advance IP interconnections needed, such as running Novell IPX, dynamic routing, and load balancing between the sites, then IPSec tunneling itself is unable to support. For such advance IP interconnections, GRE tunneling is the choice. The downside of GRE tunneling is that GRE tunnel is less-secure tunnel compared to IPSec tunnel.

As we use dynamic routing and decided to use public network and also want to have a secure connection, so the workaround is to run GRE over IPSec. IPSec will then be encrypting the GRE tunnel securely and GRE tunnel will be providing the advance IP interconnection support. The Header will look like this (Rough sketch form me sorry for so simple :(

For the detail configuration of GRE and VPN look at my blogs.

I hope this will be informative for you.

Cheers :)

GRE Tunnels

2009-08-18T04:51:00.000-07:00

GRE stands for "Generic Routing Encapsulation". GRE is now industry tunneling method used to create a logical "TUNNEL" interface. It is designed to work with logical protocols, only GRE is completely non-secure as we have no concept of crypto-map. This makes a seperate network over the network, but now they add an IP header in the GRE header so makes it secure and provides a perfect tunneling. I will talk about GRE tunneling here, lets look at the configurations of GRE.

Run EIGRP on both sides

ReedWood(config) # router eigrp 1
ReedWood(config-router) # network 10.0.0.0
ReedWood(config-router) # network 41.0.0.0

PineWood(config) # router eigrp 1
PineWood(config-router) # network 10.0.0.0
PineWood(config-router) # network 41.0.0.0

Now to create tunnel on both side lets look at the configurations

ReedWood(config) # interface tunnel 0
# ip address 10.5.1.2 255.255.255.0
# tunnel source 0/0
# tunnel destination 41.95.110.2
# tunnel mode gre ip

PineWood(config) # interface tunnel 0
# ip address 10.5.1.1 255.255.255.0
# tunnel source 0/0
# tunnel destination 41.95.110.1
# tunnel mode gre ip

At this point for simplicty define static route on Router-A and check the connectivity

Router-A (config) # ip route 0.0.0.0 0.0.0.0

PineWood # show ip eigrp neighbor

It will shows you that the route is learned via Tunnel.

I Hope this will be informative for You !

Cheers :)

VPN Site-to-Site CLI Configuration

2009-08-12T06:50:00.000-07:00

We are going to configure site-to-site VPN (site-to-site) between head office (Lahore) and our regional office (Peshawar), so here i am going to briefly discuss VPN i.e

1. How VPN are established
2. Configuring IKE Phase-1 parameters
3. Configuring IKE Phase-2 parameters
4. Configuring Interesting Traffic
5. CLI configuration

Cisco Router Perspective of VPN Connection

1. The routers recieve traffic considered "WORTHY" of establishing a VPN connection.
2. IKE Phase-1 negotiated, security association (SA) established.
3. IKE Phase-2 negotiated, security association established.
4. Data tranmitted through IPSec tunnel.
5. Once transmission complete, IPSec tunnel turn down (If you configure Time).

**: After 24-hours it can re-negotiated session key
**: After certain amount of data can re-negotiate the key.

Configuration:

1. Set up ISKAMP Policy (IKE Phase-1)
2. Set up IPSec Transform set (IKE Phase-2)
3. Define Interesting Traffic
4. Set up Crypto Map
5. Assign Crypto Map to Interface

PSH-Router(config) # crypto isakmp policy 50
PSH-Router(config-isakmp) # authentication pre-share
PSH-Router(config-isakmp) # encryption aes 128
PSH-Router(config-isakmp) # group 2
PSH-Router(config-isakmp) # hash sha
PSH-Router(config-isakmp) # lifetime 5000
PSH-Router(config-isakmp) #exit

PSH-Router(config) # crypto isakmp key 0 cisco address 71.209.254.34

PSH-Router(config) # crypto ipsec transform-set DEMO esp-aes 128 esp-sha-hmac
PSH-Router(cfg-crypto-trans) #

PSH-Router(config) # ip access-list extended INT_TRAFFIC
PSH-Router(config-ext-nacl) # permit ip 172.30.0.0 0.0.255.255 192.168.1.0 0.0.0.255
PSH-Router(config-ext-nacl) # exit

Note: This is not Permit or Deny ACL, this means encrypt this traffic.

PSH-Router(config) # crypto map VPN_MAP 10 ipsec-isakmp
PSH-Router(config-crypto-map) # set peer 71.209.254.34
PSH-Router(config-crypto-map) # match address INT_TRAFFIC
PSH-Router(config-crypto-map) # set transform-set DEMO

PSH-Router(config) # interface fastethernet 0/1
PSH-Router(config-if) # crypto map VPN_MAP

Head office configuration:
And same configuration is required on the other side with just a bit of changes, lets c

Head-Office(config) # crypto isakmp policy 50
Head-Office(config-isakmp) # authentication pre-share
Head-Office(config-isakmp) # encryption aes 128
Head-Office(config-isakmp) # group 2
Head-Office(config-isakmp) # hash sha
Head-Office(config-isakmp) # lifetime 5000
Head-Office(config-isakmp) #exit

Head-Office(config) # crypto isakmp key 0 cisco address 130.13.140.129

Head-Office(config) # crypto ipsec transform-set DEMO esp-aes 128 esp-sha-hmac
Head-Office(cfg-crypto-trans) #

Head-Office(config) # ip access-list extended INT_TRAFFIC
Head-Office(config-ext-nacl) # permit ip 192.168.1.0 0.0.0.255 172.30.0.0 0.0.255.255
Head-Office(config-ext-nacl) # exit

Head-Office(config) # crypto map VPN_MAP 10 ipsec-isakmp
Head-Office(config-crypto-map) # set peer 130.13.140.129
Head-Office(config-crypto-map) # match address INT_TRAFFIC
Head-Office(config-crypto-map) # set transform-set DEMO

Head-Office(config) # interface fastethernet 0/4
Head-Office(config-if) # crypto map VPN_MAP

I used group-2 in my configuration, actually we have different diffie helmin groups like group-1 is less processor intensive but encryptio is weak (768-bit), group-2 is processor intensive but provides high bit encryption (1024-bit) and group-5 provides even more (1536-bit) encryption. so it depends on you which ever group you are using.

I hope this will be informative for You :)

Any suggestion and comments will be highly appreciated.

Cheers :)

Understanding the IOS File Name Convention

2009-08-11T23:36:00.000-07:00

As a network guy we should know about the naming convention of the IOS file name, which is usually similar to this form:

xxxx-yyy-ww.aaa-bb.bin

1. The xxxx is the platform, For example,

c1005 – For 1005 platform

c1600 – For 1600 platform

c1700 – For 1700, 1720, and 1750 platforms

c2500 – For 25xx, 3xxx, 5100, and AO (11.2 and later only) platforms

c2600 – For 2600 platform

c2800 – For Catalyst 2800 platform

c2900 – For 2910 and 2950 platforms

c3620 – For 3620 platform

c3640 – For 3640 platform

c4000 – For 4000 platform (11.2 and later only)

c4500 – For 4500 and 4700 platforms

2. The yyy is the feature set. For example,

b For Apple talk support

boot For boot image

c For CommServer lite (CiscoPro)

drag For IOS based diagnostic image

g For ISDN subset (SNMP, IP, Bridging, ISDN, PPP, IPX, and AppleTalk)

i For IP sebset (SNMP, IP, Bridging, WAN, Remote Node, and Terminal Services)

n For IPX support

q For asynchronous support

t For Telco return (12.0)

y For reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, and PPP) (c1003 or c1004)

z For managed modems

40 For 40 bit encryption

50 For 50 bit encryption

3. The ww is for the format (where the IOS file runs in the router)

f For flash

m For RAM

r For ROM

l For the image will be relocated at run time

The file might also be compressed. The following letters denote the compression type,

z For zip compression

x For mzip compression

w For “STAC” compression

aaa-bb represent the version of the IOS. It is usually read like this “Version aa.a(bb)”. The last part of the IOS file name might contain letters like T (new feature release identifier), S (individual release number), or XR (modular packages).

Add a login banner to your Cisco router

2009-08-10T03:19:00.000-07:00

I seen many people who just use banner for some welcome messages and stuff like that but we can use it in many usefull manners say like when i telnet or ssh so it should display me some warning message like "Unauthorized Access prohibited", say may be we want to display password if we changed that and let want the second shift administrator to know about it etc or we can also use it like to display the hostname, domain name etc so here is a small view of it, have a look :)

The syntax of banner is as follow:

PSH-DXX (config) # banner motd {char} {banner text} {char}

where {char} is a special delimeter character that does not exist in the {banner text}. Everything contained between the first and second {char} characters, including carriage returns, is interpreted as the banner message. For example,
PSH-DXX (config)# banner motd #

******************************************
* Unauthorized access prohibited
******************************************
#

OR we can have this in some more detail like as shoen

PSH-DXX (config)# banner motd #

-------------------------------------------
Unauhorized Access Prohibited
-------------------------------------------
You have access $(hostname).$(domain)
You are accessing line $(line)
-------------------------------------------
Unauhorized Access Prohibited
-------------------------------------------
The output of the banner is as:

I hope it will be informative for you :)

openssl command-line program

2009-08-09T22:29:00.000-07:00

The openssl command can be used to create digests of a file, which can be used to verify that a file has not been tampered with:

$ echo "test file"> foo.txt

$ openssl dgst -md5 foo.txt

MD5(foo.txt)= b05403212c66bdc8ccc597fedf6cd5fe
$ openssl dgst -sha1 foo.txt

SHA1(foo.txt)= 0181d93fee60b818e3f92e470ea97a2aff4ca56a

To view the other message digests that can be used, look at the output of openssl list-message-digest-commands.

You can also use openssl to encrypt files. To view the list of available ciphers, use openssl list-cipher-commands. Once you’ve chosen a cipher to use, you can encrypt the file using the following commands:
$ openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc

enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$ file foo.enc

foo.enc: data
$ cat foo.enc

Salted__yvi{!e????i"Yt?;(Ѱ e% $ openssl enc -d -aes-256-cbc -in foo.enc

enter aes-256-cbc decryption password:
test file

In the above example, the file foo.txt was encrypted using 256-bit AES in CBC mode, the encrypted copy being saved as the file foo.enc. Looking at the contents of the file provide gibberish. Decrypting the file is done using the -d option, however keep in mind that not only do you need to remember the password, you also need to know the cipher used.

I hope it will help You :)

Periodical Configuration Save of Cisco Devices

2009-08-08T04:18:00.000-07:00

Periodical configuration save of Cisco devices can be done from inside the device by using a combination of "kron" and "archive" commands. As we had no routine of taking backup of our router but yesterday after a long search now i have successfully configured all stuff like backup, monitoring my router through Nipper (see my full blog on it, click Nipper), Now i will take my backup and will save at remote place :).

Define the location of your configuration save apart from the default Flash location. Based on your IOS support, this can be a HTTP, HTTPS, FTP, or TFTP path. I am taking the backup using tftp.

The following commands is used to enable archive and define the path, while third command is used that when ever someone copy configuration to NVRAM so it will take backup also.

PSW-DXX (config) # archive
PSW-DXX (config-archive)# path tftp://10.110.1.22/
PSW-DXX(config-archive) # write-memory

If you want to suppress the display of password information in configuration log files, use the hidekeys command in configuration change logger configuration mode. or To allow the display of password information in configuration log files, use the no form of this command

PSW-DXX (config)# archive
PSW-DXX (config-archive)# log config
PSW-DXX (config-archive-log-cfg)# hidekeys or no hidekeys
PSW-DXX (config-archive-log-cfg)# exit

To enable the logging of configuration changes, use the logging enable command in configuration change logger configuration mode. To disable the logging of configuration changes, use the no form of this command.

PSW-DXX (config-archive-log-cfg)# logging enable
or
PSW-DXX (config-archive-log-cfg)# no logging enable

To specify the maximum number of entries retained in the configuration log, use the logging size command in configuration change logger configuration mode. By default value is 100. To reset the default value, use the no form of this command.

PSW-DXX (config-archive-log-cfg)# logging size 200

2. KRON

Define the policy list for the scheduler. The following is calling the "write config" command which will trigger the copy over network from the above:

PSW-DXX (config) # kron policy-list backup-config
PSW-DXX (config-kron-policy) # cli write memory

Define the schedule of the policy. The following example is for ten minutes past evening, everyday:

PSW-DXX (config) # kron occurrence daily-config-backup at 05:10 recurring
PSW-DXX (config-kron-occurrence) # policy-list backup-config

Note: Every time the "write memory" command is issued, the device will trigger a network copy to the path specified above.

I hope this will be informative for you. :)

Cheers :)

Audit your Cisco router's security with Nipper

2009-08-07T23:43:00.000-07:00

While recently googling on a net, I learned about Nipper. Although there are many security tools that i studied which is used to perform security audits of network devices, but i found Nipper unique, so i configure this on our office (SNGPL) production router.

What is Nipper (Network Infrastructure Parser), Nipper is an open source network devices security auditing tool. One benefit of being open source is that it’s free :)Previously known as CiscoParse, Nipper isn’t especially polished, but it is very functional. It was easy to install and easy to use.

Even more impressive :) is that it works with many different types of network devices (and not just Cisco). Here’s a list of compatible network devices that Nipper can audit:

Cisco switches (IOS)
Cisco routers (IOS)
Cisco firewalls (PIX, ASA, FWSM)
Cisco Catalyst switches (NMP, CatOS, IOS)
Cisco Content Service Switches (CSS)
Juniper NetScreen Firewalls (ScreenOS)

How to use NIPPER ?

Nipper supports a lot of devices and provides many options, so I here i can’t possibly demonstrate all those options. what i do is to show you the basic demonstration. For our example, we’ll use Nipper to audit a Cisco router that has only the default configuration.

To begin, I took a Cisco 1841 router. First, download Nipper from SourceForge.net it’s available for both Windows and Linux. Extract it to a folder on your local PC; let’s call it C:\nipper as i have done like this.

Next, obtain a text version of the router’s configuration file. Telnet or SSH to the router, use the show running-configuration command, copy and paste the output into Notepad, and save it to your local PC in the aforementioned C:\nipper directory.

Alternatively, you can use a TFTP server and copy the configuration to your local PC. For example, I tried this using Tftpd32.exe, and it was both quick and easy. Use the following command to copy the file if some one don't know how to do :)

PSW-DXX # copy startup-config tftp:
Address or name of Remote Host: 10.110.1.22
Destination filename[startup-config] yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! OK :)

Once you have the running configuration that you want to audit on your PC, go to the Windows command prompt, and CD into the Nipper directory. Run the following, as shown in Figure A:

C:\nipper> nipper --ios-router --input=startup-config.txt --output=audit.html

The system will immediately return you to the command prompt without providing any information. But don’t worry — it worked.

Next, open a Web browser and enter this URL: c:\nipper\audit.html. This will take you to the security report. Figure B offers a screenshot of the audit.

What does Nipper tell you?

Scrolling through this report, you’ll see that Nipper provides security audit information such as:

1. A software version that has vulnerabilities and the reference numbers for those vulnerabilities
2. Recommendations to disable services that might cause others to be able to access the router
3. Commands that you need to enable to secure the router
For our example, Nipper told us that we need to do the following:

a): Upgrade the router’s IOS needs to prevent vulnerability to a Telnet remote DoS attack and a TCP listener DoS attack.
b): Configure the service tcp-keepalives-in command to help prevent a DoS attack.
c): Configure timeouts on consoles to prevent anyone from gaining access to the router from a Telnet or console session.
d): Configure the HTTP service as secure with HTTPS, and enable authentication.
Enable logging.

In addition to several other recommendations, Nipper provided a summary of the device’s configuration — what services are turned on or off, status of the lines, status of the interfaces, DNS, time zone, and more. Check out the actual report from our example.

Considering that it’s so small, simple, and free, Nipper is an amazingly powerful network device security auditing tool. For help with Nipper, run the C:\nipper\nipper -help command at the command prompt after you’ve downloaded, extracted, run the program.

I hope it will be informative for you as i found it very useful :)

Enjoy!

10 commands you should master when working with the Cisco IOS

2009-08-07T22:02:00.000-07:00

The Cisco IOS provides thousands of commands, and configuring it can be challenging. Here are 10 commands that we should need to know while using the Cisco IOS.

1: " ? " (Help):

The "?", It may seem entirely too obvious that you should know how to type ? to ask for help when using the Cisco IOS. However, the Cisco IOS is completely different from other operating systems when it comes to using the question mark (help key). As the IOS is a command-line operating system with thousands of possible commands and parameters, using the ? can save our day.

We can use the command in many ways. First, use it when you don’t know what command to type. For example, type ? at the command line for a list of all possible commands. we can also use ? when we don’t know what a command’s next parameter should be. For example, you might type show ip ? If the router requires no other parameters for the command, the router will offer cr (carrige return) means it is the only available option. Finally, use ? to see all commands that start with a particular letter. For example, show c? will return a list of commands that start with the letter c.

2: show running-configuration

The show running-config command shows the router, switch, or firewall’s current configuration. The running-configuration is the config that is in the router’s memory. You change this config when you make changes to the router. Keep in mind that config is not saved until you do a copy running-configuration startup-configuration. The shortcut for this command is sh run.

3: Save Configuration

This command will save the configuration that is currently being modified (in RAM), also known as the running-configuration, to the nonvolatile RAM (NVRAM). If the power is lost, the NVRAM will preserve this configuration. In other words, if you edit the router’s configuration, don’t use this command and reboot the router–those changes will be lost (if you want to do so). This command can be abbreviated copy run start. The copy command can also be used to copy the running or startup configuration from the router to a TFTP server in case something happens to the router.

Router # copy running-configuration startup-configuration

4: show interface

The show interface command displays the status of the router’s interfaces. Among other things, this output provides the following:

Interface status (up/down)
Protocol status on the interface
Utilization
Bandwidth
Errors
Delay
MTU

This command is essential for troubleshooting a router or switch. It can also be used by specifying a certain interface, like sh int fa0/0.

Router # show interface

or for specific interface

Router # show interface fastethernet 0/0

5: show ip interface

Even more popular than show interface are show ip interface and show ip interface brief. The show ip interface command provides tons of useful information about the configuration and status of the IP protocol and its services, on all interfaces. The show ip interface brief command provides a quick status of the interfaces on the router, including their IP address, Layer 2 status, and Layer 3 status.

6: config terminal, enable, interface, and router

Cisco routers have different modes where only certain things can be shown or certain things can be changed. Being able to move between these modes is critical to successfully configuring the router.

For example, when logging in, you start off at the user mode (where the prompt looks like >). From there, you type enable to move to privileged mode (where the prompt looks like #). In privileged mode, you can show anything but not make changes. Next, type config terminal (or config t) to go to global configuration mode (where the prompt looks like router(config)# ). From here, you can change global parameters. To change a parameter on an interface (like the IP address), go to interface configuration mode with the interface command (where the prompt looks like router(config-if)#). Also from the global configuration mode, you can go into router configuration using the router {protocol} command. To exit from a mode, type exit.

Router >

Router >enable.............Router #

Router # configure terminal ......... Router (config) #

Router (config) # interface fasethernet 0/0

Router (config-if) #

7: no shutdown

The no shutdown command enables an interface (brings it up). This command must be used in interface configuration mode. It is useful for new interfaces and for troubleshooting. When you’re having trouble with an interface, you may want to try a shut and no shut. Of course, to bring the interface down, reverse the command and just say shutdown. This command can be abbreviated no shut.

8: show ip route

The show ip route command is used to show the router’s routing table. This is the list of all networks that the router can reach, their metric (the router’s preference for them), and how to get there. This command can be abbreviated sh ip route and can have parameters after it, like shiproospf for all OSPF routers. To clear the routing table of all routes, you do clear ip route *. To clear it of just one route, do clear ip route 1.1.1.1 for clearing out that particular network.

Router # show ip route

9: show version

The show version command gives you the router’s configuration register (essentially, the router’s firmware settings for booting up), the last time the router was booted, the version of the IOS, the name of the IOS file, the model of the router, and the router’s amount of RAM and Flash. This command can be abbreviated shver.

10: debug

The debug command has many options and does not work by itself. It provides detailed debugging output on a certain application, protocol, or service. For example, debug ip route will tell you every time a router is added to or removed from the router.

Router # debug interface serial 0/1/0

I hope it will be informative for you :)

Cisco HDLC (Why called Cisco HDLC ?)

2009-08-06T23:48:00.000-07:00

High-level Data Link Control, a layer-2 (data-link layer) transmission protocol. The HDLC protocol embeds information in a data frame that allows devices to control data flow and correct errors. For any HDLC communications session, one station is designated primary and the other secondary. A session can use one of the following connection modes, which determine how the primary and secondary stations interact.

Normal unbalanced: The secondary station responds only to the primary station.

Asynchronous: The secondary station can initiate a message.

Asynchronous balanced: Both stations send and receive over its part of a duplex line. This mode is used for X.25 packet-switching networks.

The Link Access Procedure-Balanced (LAP-B) and Link Access Procedure D-channel (LAP-D) protocols are subsets of HDLC.

Q: Now question comes why it is called cisco HDLC? because cisco added some very important features like:

1. Keepalive Mechanism

2. Added serial link address resolution protocol (SLARP), It is used for the purpose of auto-installation like when router boot up so to fine the TFTP server, get the configuration including IP address etc.

I hope it will be informative for you!

3. Added STAC compression, Its a good one but very processor heavy.

4. Performance Increase (7 - 12 Byte), The header size is increase and this is the beauty of HDLC and works efficiently across WAN.

I Hope this will be informative for You!

Error: %SNMP-3-DVR_DUP_REGN_ERR: Attempt for dupe

2009-08-06T23:07:00.000-07:00

ERROR:

SEC 8:000049: Jan 31 22:25:00.760:
%SNMP-3-DVR_DUP_REGN_ERR: Attempt for dupe
regn with SNMP by driver having ifIndex 709 and ifDescr Tunnel0
-Traceback= 204128 204230 92DB90 92DF6C B2CF8C BBF368 BC00C8 1C4EFC 1C5524

1C60B8 1C655C 2EC5CC

Cisco IOS Release 12.4(13b) is a rebuild release for Cisco IOS Release 12.4(13). The caveats (warning) in this section are resolved in Cisco IOS Release 12.4(13b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat (warning):

•Symptoms—A description of what is observed when the caveat occurs.

•Conditions—The conditions under which the caveat has been known to occur.

•Workaround—Solutions, if available, to counteract the caveat.

Basic System Services
•CSCeb20967

Symptoms: A Route Switch Processor (RSP) may reload unexpectedly when a bus error with an invalid memory address occurs while packets are placed into a hold queue.

[1] "Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0 S, 12.1(14)E4, or 12.2 S when the following sequence of events occurs:

1. A packet is switched via Cisco Express Forwarding (CEF).

2. The egress interface has queueing/shaping configured.

3. The egress interface is congested, causing the packet to be placed into the hold queue."

Symptoms: The following SNMP error message and tracebacks are seen:

SEC 8:000049: Jan 31 22:25:00.760:
%SNMP-3-DVR_DUP_REGN_ERR: Attempt for dupe
regn with SNMP by driver having ifIndex 709 and ifDescr Tunnel0
-Traceback= 204128 204230 92DB90 92DF6C B2CF8C BBF368 BC00C8 1C4EFC 1C5524

1C60B8 1C655C 2EC5CC

Conditions: This symptom was see when new interfaces were added (or existing interfaces like tunnel come up) after bootup, or when new or existing interfaces come up after RPR+ switchover when running Cisco IOS Release 12.0(32)S6. Also, this symptom occurs if the snmp ifindex persist command is configured on the router.

Further Problem Description: Though customer traffic is not affected, this symptom does impact the SNMP stats and other SNMP data for both the original and the new interface. Usually the message is from the standby RP, so once that standby RP becomes active, the data from SNMP polls of these interfaces would not be accurate.

[1] www.cisco.com/en/US/docs/ios/12_4/release/notes

Virtual Links

2009-08-03T00:04:00.000-07:00

Yesterday I was thinking of writing something related to OSPF so something crossed my mind and on that very moment I start to write about it, so here we go that is “VIRTUAL LINKS”.
Suppose we have a complicated network and we use OSPF as our IGP and we configure different areas in it, I assume that the reader of virtual link must know how to configure multiple area OSPF and what is the concept behind it, I will talk directly about the virtual link, what is it, how it works, and what is the purpose of virtual links.

When an area is not directly connected to area 0 (backbone area) so it can’t communicate, a concept is used for it and that is called Virtual Links make able the area to communicate. See figure a, we have two routers namely R1 and R2, The fastethernet of R1 is configured under area 0, link between R2 and R1 is configured under area 1 and R2 fastethernet is configured under area2, now the LAN of R2 will not be able to communicated to R1 as it is not directly connected to R1 so we have to configure Virtual Link between R1 and R2 so what it will do is that the area 0 will be expand logically to R2 covering area 1 with it, now from R2 point of view there will two areas area 0 and area 2.

1: In the figure, Area 2 is not directly connected to Area 0 so we have to create a transit link on Area 1 to make able the communication between Area 2 and Area 0.
2: Here the Area 0 expand logically
3: After Virtual the R2 becomes Area Boarder Router (ABR).

NOTE: If a router connects two areas but none of the area is Area 0 so the router will never be ABR.

Conditions for Virtual Links

1: Link between two routers when made so one of the router must be part of back-bone area (Area 0).
R1-------R2-------> Link can be configured
If we another router R3 connected to router R2
R2------R3------> Can’t configure link as non of the router is directly connected to area 0.
2: When link is made between two routers, so one area must be common between them like
R1-----R2 (Area 1 is common)
R1-----R3 (Nothing is common)

NOTE: For Virtual Link both he condition must be satisfied.

OSPF Configuration

A(config) # router ospf 1
A(config) # network 2.0.0.0 0.255.255.255 area 2
A(config) # network 200.100.100.0 0.0.0.255 area 2

B(config) # router ospf 1
B(config) # network 2.0.0.0 0.255.255.255 area 2
B(config) # network 3.0.0.0 0.255.255.255 area 1
B(config) # network 200.100.150.0 0.0.0.255 area 1

C(config) # router ospf 1
C(config) # network 3.0.0.0 0.255.255.255 area 1
C(config) # network 200.100.200.0 0.0.0.255 area 0

Virtual Link Configuration

B(config) # router ospf 1
B(config) # area 1 virtual-link 200.100.200.100

C(config) # router ospf 1
C(config) # area 1 virtual-link 200.100.150.100

Now check your Router-A routing table , the Router-C route will be there by using following command.

A # show ip route

GUI Root Login Problem in Fedora-11

2009-08-01T06:55:00.000-07:00

For the first time when i download Fedora-11 from the internet that was for "Live User" so after installation i try to login as a root from GUI so i was unable as it show "Unable to Authenticate User" so i thought may be it is not allowed for live user, but yesterday i installed the full version of Fedora-11 but still i was unable to login as root through GUI although i can from terminal so after some goggling i found that Fedora-11 by default doesn't allow someone to login as root through GUI. Instead you have to login as a normal user and become root through your terminal. However many users still want to login as root like me. Don't forget that once you login as root its easier to damage your system so don't do the following unless you are sure what you are doing.
Before doing any change just take backup of the file

$ cp /etc/pam.d/gdm /root

Step # 1

$ su -c 'gedit /etc/pam.d/gdm'

or

$ su

$ vi /etc/pam.d/gdm

Here in this file find the following line,

auth required pam_succeed_if.so user != root quiet

either delete or comment it better comment it

#auth required pam_succeed_if.so user != root quiet

Save the file and logout.

Step # 2

Do the same for /etc/pam.d/gdm-password

$ su -c 'gedit /etc/pam.d/gdm-password'

or

$ su

$ vi /etc/pam.d/gdm-password

Here in this file find the following line,

auth required pam_succeed_if.so user != root quiet

either delete or comment it better comment it

#auth required pam_succeed_if.so user != root quiet

Save the file and logout.

After this i was able to login successfully as a root through GUI.

How to Enable TELNET in Windows Vista

2009-07-30T02:31:00.000-07:00

I was trying Dynagen Simulator in Windows Vista one day, so when i try to telnet Router-1 so i got an error so after that i went to GOOGLE and got with the method of enabling telnet in windows vista, here is the steps:

1: Start
2: Control Panel
3: Programs and Features
4: Click "Turn Windows Features on or off"
5: Then check "Telnet Client" and Press OK, see the figure

Windows Vista will think for sometime and then you can use TELENT in windows vista.

I hope it will be informative for you.

Cheers

MRTG, SNMP Configuration on SQUID

2009-07-25T08:15:00.000-07:00

We re-install RHEL on our Proxy server as we have two sata 160 GB hard drive each. we also did RAID-1 configuration on it. Now after successfull configuration of Squid we have to install MRTG and SARG for report generation, i will talk about MRTG here in detail. so first thing is to check that wheather our web services is running or not, if not so we have to start the services.

[root@pswproxy ~]# service httpd start

After entering this command i got an error that unable to identify fully qualified domain name, so it means we have to identify the fully qualified domain name

[root@pswproxy ~]# vi /etc/httpd/conf/httpd.conf

Uncomment this line and put your FQDN: ServerName pswbackupproxy:80

Now restart the web services it will work

[root@pswproxy ~]# service httpd restart

Now to install and configure MRTG we have to install and configure SNMP, if you have SNMP install then move to Step #5 directly, lets look

Step # 1 : Check SNMP server Status

To check wheather SNMP is install or not use following RPM query command:

[root@pswproxy ~]# rpm -qa | grep snmp

In my case it was already install, following are the rpm that are install on my machine
net-snmp-libs-5.1.2-11.EL4.11
net-snmp-5.1.2-11.EL4.11
php-snmp-4.3.9-3.22.9
net-snmp-libs-5.1.2-11.EL4.11
net-snmp-utils-5.1.2-11.EL4.11
net-snmp-devel-5.1.2-11.EL4.11
net-snmp-perl-5.1.2-11.EL4.11

If its not install on your machine then use the following command if you have Fedora repositray

[root@pswproxy ~]# yum install net-snmp-utils net-snmp

or If you have RHEL the use the following command

[root@pswproxy ~]# up2date -v -i net-snmp-utils net-snmp

Step # 2 : Check status of snmp server

Check 'ps' comamnd to find out wheather snmp is running or not

[root@pswproxy ~]# ps -aux | grep snmp

Make sure snmpd service starts automatically, when linux comes online

[root@pswproxy ~]# chkconfig --add snmpd

Step # 3 : Make sure snmp server configured properly

Run snmpwalk utility to request for tree of information about network entity. In other words query snmp server for your IP address (assigned to eth0, eth1, lo etc):

[root@pswproxy ~]# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

If you can see your IP address then please proceed to step 4; else you have to configure snmp server as follows (by default RHEL and RH 8/9 are not configured for snmp server for security reason) and in my case it was also not configured so lets look at the detail steps:

SNMP Configuration:

1: Edit file /etc/snmp/snmpd.conf using text editor:

[root@pswproxy ~]# vi /etc/snmp/snmpd.conf

Change/Modify line(s) as follows, Find following Line:

com2sec notConfigUser default public

Replace with (make sure you replace 192.168.0.0/24 replace with your network IPs) following lines:

com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public

Scroll down a bit and Find Lines:

group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser

Replace with:

group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork

Again scroll down bit and locate following line, Find line:

view systemview included system

Replace with:

view all included .1 80

Again scroll down bit and change, Find line:

access notConfigGroup "" any noauth exact systemview none none

Replace with:

access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none

Scroll down bit and change, Find lines:

syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)

Replace with:

syslocation Linux (RH3_UP2), Home Linux Router.
syscontact Vivek G Gite

Start your snmp server and test it:

(a) Make sure when linux comes up snmpd always starts:

[root@pswproxy ~]# chkconfig snmpd on

(b) Make sure service start whenever Linux comes up (after reboot):

[root@pswproxy ~]# service snmpd start

(c) Finally test your snmp server:

[root@pswproxy ~]# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Step # 4 : Install MRTG if not Installed

Mrtg software may install during initial installation, you can verify if MRTG installed or not with following RPM command:

[root@pswproxy ~]# rpm -qa | grep mrtg

In my case it was installed as the following shown,
mrtg-2.10.15-2a

if it is not installedon your mcahine then use any of the following command depend on your repository

For Linux User
[root@pswproxy ~]# up2date -v -i mrtg

For Fedora user
[root@pswproxy ~]# yum install mrtg

Step # 5 : MRTG Configuration

(a) Create document root to store mrtg graphs/html pages:
[root@pswproxy ~]# mkdir -p /var/www/html/mymrtg/

(b) Run any one of the following cfgmaker command to create mrtg configuration file:
[root@pswproxy ~]#cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output
/etc/mrtg/mymrtg.cfg public@localhost

OR (make sure your FQDN resolves, in following example i'm using rh9.test.com which is my router FQDN address)

[root@pswproxy ~]# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg1.cfg public@rh9.test.com

(c) Create default index page for your MRTG configuration:

[root@pswproxy ~]# indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/mymrtg.cfg

(d) Copy all tiny png files to your mrtg path,

[root@pswproxy ~]# cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/

Step # 6 First test mrtg, run of mrtg

(a) Run mrtg command from command line with your configuration file:

[root@pswbackupproxy /]# mrtg /etc/mrtg/mymrtg.cfg

I got an Error but after a little search i found the solution see below
-----------------------------------------------------------------------
ERROR: Mrtg will most likely not work properly when the environment
variable LANG is set to UTF-8. Please run mrtg in an environment
where this is not the case. Try the following command to start:

env LANG=C /usr/bin/mrtg /etc/mrtg/mymrtg.cfg
-----------------------------------------------------------------------

[root@pswproxy /]# env LANG=C /usr/bin/mrtg /etc/mrtg/mymrtg.cfg

NOTE: Avoid The Warning, you will see it for teh first time

Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_2
Rateup WARNING: /usr/bin/rateup The backup log file for localhost_2 was invalid as well
Rateup WARNING: /usr/bin/rateup Can't remove localhost_2.old updating log file
Rateup WARNING: /usr/bin/rateup Can't rename localhost_2.log to localhost_2.old updating log file

Step # 7 Create crontab entry so that mrtg graph / images get generated every 5 minutes

(a) Login as a root user or login as a mrtg user and type following command:

[root@pswproxy /]# crontab -e

(b) Add mrtg cron job entry to configuration file (append following line to it):

*/5 * * * * /usr/bin/mrtg /etc/mrtg/mymrtg.cfg --logging /var/log/mrtg.log

Save file and you are done with MRTG config issues :)

Step # 8 Block ports 161 & 162 at firewall

You do not want to give access to everyone to your snmp server for security reasons. SNMP server uses UDP 161, 162 ports for communication. Use Linux IPTABLES firewall to restrict access to SNMP server

(a) Allow outgoing SNMP server request from your Linux computer. This is useful when you query remote host/router (replace SERVER IO with your real IP):

SERVER="xxx.xxx.xxx.xxx"
[root@pswproxy /]# iptables -A OUTPUT -p udp -s $10.110.9.116 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@pswproxy /]# iptables -A INPUT -p udp -s 0/0 --sport 161:162 -d $SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

(b )Allow incoming SNMP client request via iptables. This is useful when you wish to accept queries for rest of the world (replace SERVER IP with your real IP):

SERVER="xxx.xxx.xxx.xxx"
[root@pswproxy /]# iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@pswproxy /]# iptables -A OUTPUT -p udp -s $SERVER --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Change Server with your IP address

FOR IMAGE:

You can see the SNGPL monogram if you want to place your own so you just have to make change in the "index.html"

[root@pswbackupproxy ~]# cd /var/www/html/mymrtg/
[root@pswbackupproxy ~]# ls
[root@pswbackupproxy ~]#
index.html localhost_2.log localhost_2-week.png mrtg-m.png
localhost_2-day.png localhost_2-month.png localhost_2-year.png mrtg-r.png
localhost_2.html localhost_2.old mrtg-l.png sngpllogo.jpg

[root@pswbackupproxy mymrtg]# vi index.html

In first Figur The Whole while in secodn figure its for the specific interface like Ethernet 1 (outgoing Traffic)

I hope it will be informative for you people.

CHEERS

Broadcasting Stuck Our Network

2009-07-24T22:57:00.000-07:00

Yesterday we planned to have a backup of our Proxy Server (Squid) while to reconfigure the original one because we face space shortage while SARG (Squid Analysis Report Generator) updates to be saved on the drive. we done with backup proxy server on RHEL-4, everything done normally the configurations, copy the files like dhcpd.conf, squid.conf, iptables to the backup and bring on a network and then we turn off the master server and check the internet connectivity and security so everything goes smoothly. After a while complaints comes from different departments that our system got stucked and then start and then stucked............! but the shocking moment was our Operations department complaint that BILLING SERVER (AIX-Server) also get stucked and all users were bussy in data entry.....ooooooooops ?

After that i checked our Head Office router using ping and it shows the link up, down, up down, then i checked our router so same problem..................!

After searching and finding we came to know that by mistake at time when we bring the backup proxy on a network we plug-in another connection to switch with the backup port of the radio room and then backup proxy link was already connected to switch, so two connection of the router and that cable are drop into hub in radio room so loops were created and stuck our network.

Configuration Lost While Password Recovering

2009-07-24T22:12:00.000-07:00

I was asked to troubleshoot a problem in IMSciences network, actually they were unable to connect to Islamabad HEC office (Vedio Confencing) and they also need to send the vedio trafic and voice traffic using one interface on router (3800-series) so after some research i have done with the problem and sloved for it. Actually i done with some VLAN configuration, Define some static Routes, enable routing, use sub interfaces and i was successfull to ping the destination.

Then the person who called me for the problem solution told me about the mistake of MS student who is working there as a internee while recovering password. IMSciences lost their startup configurations and face trouble both by the institute and the student as they get disconnected from the network, now they were unable to do the configuration, any how they ship the router back to PTCL for configurations.

So here i am going to tell you about the step that you must take care of while recovering your router password.

1: Boot your router and interrupt the boot sequence by performing a break sequence using Ctrl+Break key combination.

2: Change the configuration register to turn on bit 6 (0x2142)

rommon> confreg 0x2142
You must reset or power cycle for new config to take effect

3: Reload the router, type reset
The router will reload and ask if you want to enter setup mode, so your answer will be NO

4: Enter Privileged mode

Router > enable
Router #

NOTE: Now this is the step where you to take care many people just change the password and copy the configuration to startup configuration and here they make a mistake as you over-write the whole (original) configurations. so the correct sequence is:

5: Copy the startup-configuration to running-configuration

Router # copy startup-config running-config

6: change the password

Router # config terminal
Router (config) # enable secret cisco

7: Reset the configuration register to the default value

Router (config) # config-register 0x2102

8: save your configurations

Router # copy running-config startup-config

9: Relaod your router

Cheers

Routing to ISP

2009-07-22T01:57:00.000-07:00

Back on 20th July 2009 when i was giving my ISCW paper so i got this lab and i done with that so here i am sharing my experience with you people. Lab was about a firm having an existing enterprise network that is made up exclusively of routers that are using EIGRP as the IGP protocol. Its network is up and operating normally, as part of its network expansion XYZ has decided to connect to the internet by broadband cable ISP.

TASK: To enable this connection by use of the information below.
Connection Encapsulation: PPP
Connection Type: PPPoE client
Connection Authentication: None
Connection MTU: 1492 Bytes
Address: Dynamically assigned by the ISP
Outbound Interface: E0/0

Note: Routing to the ISP, Manually configured default route

Router-3 (config) #interface ethernet 0/0
Router-3 (config-if) #pppoe enable
Router-3 (config-if) #pppoe-client dial-pool-number 1
Router-3 (config-if) #no shutdown
Router-3 (config-if) #exit
Router-3 (config-if) #interface dialer 1
Router-3 (config-if) #encapsulation ppp
Router-3 (config-if) #ip mtu 1492
Router-3 (config-if) #dialer pool 1
Router-3 (config-if) #ip address negotiated
Router-3 (config-if) #exit

Router-3 (config-if) #ip route 0.0.0.0 0.0.0.0 dialer 1
Router-3 (config-if) #exit

Router-3 # copy running startup

Then you have to check the connectivity by ping the IP given to you, if it is successful then you have done otherwise there is something wrong with your confogurations.

Hope it will be informative for you.

Chheers

Inter-Vlan Routing

2009-07-21T23:32:00.000-07:00

Virtual LANs (VLANs) offer a method of dividing one physical network into multiple broadcast domains. Through VLAN we can get a sort of security like different VLAN members can not communicate with each other by default and we can do so if we allowed them to communicate and here we reduce broadcast domain. VLAN needs when we want to divide our clients so that it can not communicate with each other, one of the method is to connect them with separate switch so it will not communicate while in case of same switch all ports are member of VLAN 1 by default and members in same VLAN can communicate with each other but its not the healthy one solution so CISCO made life easy by describing the concept of VLAN where we can group our clients, so logically it will shows like they are connected to different switch and physically will be connected to same switch, now at times we want to communicate between these different VLAN’s so we can accomplish this task through three different methods namely Router on a Stick, Switch Virtual Interface (SVI) and Multi-Layer Switch (MLS). Here I am going to explain about the two methods.

1. Multi-Layer Switch (MLS)

Following steps should be taken in order to communicate between different VLAN’s. I took 3560 Cisco catalyst switch, two pc’s.

A): Take Cisco Catalyst 3560 switch and connect two pc to it, in my case I connect one pc to Fast Ethernet 0/1 and Fast Ethernet 0/2.

B): Create two VLAN namely VLAN-2 and VLAN-3.

ML-Switch (config) #vlan 2
ML-Switch (config-vlan) #
ML-Switch (config) #vlan 3
ML-Switch (config-vlan) #

C): NOTE: If we assign IP address now and later we make the interface member of VLAN so it will not allowed us to do so, the correct way is to assign the interface to the correct VLAN and then assign IP address to that interface and also assign addresses to the PC also.

ML-Switch (config-if) #interface fastethernet 0/1
ML-Switch (config-if) #switchport mode access
ML-Switch (config-if) #switchport access vlan 2

ML-Switch (config-if) #interface fastethernet 0/2
ML-Switch (config-if) #switchport mode access
ML-Switch (config-if) #switchport access vlan 3

The following command will tell the switch that you are no more switchport, now we can assign ip address to it.

ML-Switch (config-if) #interface fastethernet 0/1
ML-Switch (config-if) #no switchport
ML-Switch (config-if) #ip address 10.1.1.2 255.0.0.0
ML-Switch (config-if) #no shutdown

ML-Switch (config-if) #interface fastethernet 0/2
ML-Switch (config-if) #no switchport
ML-Switch (config-if) #ip address 20.1.1.2 255.0.0.0
ML-Switch (config-if) #no shutdown

Now to enable routing on the switch we have the following command.

ML-Switch (config-if) # ip routing

Make sure to give the switch interfaces addresses as a gateway on your pc’s, Now to check the communication between these two different VLAN,

PC_1 > ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:

Reply from 20.1.1.1: bytes=32 time=62ms TTL=127
Reply from 20.1.1.1: bytes=32 time=62ms TTL=127
Reply from 20.1.1.1: bytes=32 time=62ms TTL=127
Reply from 20.1.1.1: bytes=32 time=62ms TTL=127

Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 62ms, Maximum = 62ms, Average = 62ms

2. Router on a Stick

In this method we will need a router and switch (can be layer-2 switch) and two pc.

A): Connect router fastethernet 0/0 to switch fastethernet 0/1, PC-1 to switch fastethernet 0/2 and PC-2 to switch fastethernet 0/3.

B): Create two VLAN on switch and assign the interface to that VLAN.

Switch (config) #vlan 2
Switch (config-vlan) #
Switch (config) #vlan 3
Switch (config-vlan) #
Switch (config-if) #interface fastethernet 0/2
Switch (config-if) #switchport mode access
Switch (config-if) #switchport access vlan 2

Switch (config-if) #interface fastethernet 0/3
Switch (config-if) #switchport mode access
Switch (config-if) #switchport access vlan 3

C): Assign IP address on PC and Router fastethernet (I will be defining two sub-interfaces on router).

PC-1 IP address: 10.1.1.1
PC-2 IP address: 20.1.1.1

Router (config) #interface fastEthernet 0/0
Router (config-if) #no shutdown
Router (config-if) #exit

We will be defining trunk link between switch and router as multiple VLAN information will be moving through this link and for trunk link we have to define encapsulation, in this case we have layer-2 (2950) switch where we have only dot1q encapsulation available. And also remember to assign the sub-interface addresses as a gateway on your PC.

Note: If we trying to assign IP address on sub-interface on router before identifying to which VLAN it is associated and without assigning encapsulation you will get an error like

“% configuring IP routing on a LAN sub-interface is only allowed if that
Sub-interface is already configured as part of an IEEE 802.10, IEEE 802.1Q,
or ISL VLAN”.

Router (config) #interface fastEthernet 0/0.2
Router (config-subif) #encapsulation dot1Q 2
Router (config-subif) #ip address 10.1.1.2 255.0.0.0
Router (config-subif) #no shutdown

Router (config) #interface fastEthernet 0/0.3
Router (config-subif) #encapsulation dot1Q 3
Router (config-subif) #ip address 20.1.1.2 255.0.0.0
Router (config-subif) #no shutdown

Now to communicate between these two different VLAN’s we have to configure trunk link so configuration on switch are as:

Switch (config-if) #switchport mode trunk
Switch (config-if) #switchport trunk allowed vlan 2, 3

Now check the communication

PC-2>ping 10.1.1.1

Pinging 10.1.1.1 with 32 bytes of data:

Reply from 10.1.1.1: bytes=32 time=188ms TTL=127
Reply from 10.1.1.1: bytes=32 time=125ms TTL=127
Reply from 10.1.1.1: bytes=32 time=124ms TTL=127
Reply from 10.1.1.1: bytes=32 time=121ms TTL=127

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 121ms, Maximum = 188ms, Average = 139ms

I hope it will be informative for you.

Thank You for Reading

UPSMON Plus For Linux

2009-07-15T02:31:00.000-07:00

we have windows xp in our office and have UPSMON Plus installed on our computer so its easy to install the software and configure the values, as i am using Linux from last one year but not regularly but from last two months i am full addicted to Fedora and doing work in it so i think of to install the UPSMON on Fedora, Following are the steps used to install UPSMON on Fedora, lets look

UPSMON Parameters:

UPSMON Plus has three parameters, PM1、PM2 and PM3.

1. PM1: COMPORT => ttyS0 (COM1 of UNIX) or ttyS1 (COM2 of UNIX), It must include the path when you appoint the parameter PM1 (Ex: /dev/ttyS0) Please be noted that PM1 must be appointed.

2. PM2: It is for setting the breakout delay time default: 60 sec. If PM2 don’t be appointed, the breakout delay time will be 60 seconds.

3. PM3: It is for setting the UPS shutdown delay time default: 60 sec. If PM3 don’t be appointed, the UPS shutdown delay time will be 60 seconds.

./upsmon /dev/ttyS0 300 60

Installation Steps must use ROOT as Login:

4. Copy upsmon.tar to /etc directory.

5. use “tar xvf upsmon.tar “ to install software. It will create UPSMON directory now change directory to UPSMON

[sohail@fedora ~]$ cd /etc/upsmon
[sohail@fedora upsmon]$

6. Test UPSMON by using command

[sohail@fedora upsmon]$ ./upsmon /dev/ttyS0 300 60
NOTE: ./upsmon must be included when you uses this command

7. Means: ./upsmon COM1 300 seconds AC fail count and 60 seconds UPS shutdown delay. You will see UPS CONNECT OR NO CONNECT UPS in tty1. If it didn’t connect UPS, you can use the commend “kill PID” to delete the process of UPSMON.

Then, use command ./upsmon /dev/ttyS1 300 60. Means: ./upsmon COM2 300 seconds AC fail count and 60 seconds UPS shutdown delay. If it still doesn’t connect, please check the CABLE、 PC and UPS are all be connected correctly.

8. After the connection confirmed, please edit the system setup file rc.local under /etc/rc.d/rc.local and add the following commend to edit rc.local:

/etc/upsmon/upsmon /dev/ttyS0 300 60
or
/etc/upsmon/upsmon /dev/ttyS1 300 60
The system will execute upsmon after restart the computer.

9. You can see the situation of UPS if you use the commend ./upsdisp under directory /etc/upsmon (“./upsmon” must be included when you use this commend)

10. Use CTRL-C, you can exit UPSDISP.

11. The UPS Event Log file save to: /etc/upsmon/PCMYYMM.log.
(PS.The YY is year and the MM is month.)

Hope it will be informative for you.

Thanking You

Dead Peer Detection - Default And "On-Demand"

2009-07-14T01:36:00.000-07:00

I was preparing for ISCW paper and question appear in front of me and i was unable to identify what he is asking about as i saw the DPD term for the first time, question was

Q: What are the default parameters when configuration backup IPSec VPN with Cisco IOS Release 12.2(8)T or Later?

Ans: DPD Hello messages are sent every 10 seconds if the router has traffic to send

After this i google the DPD term and i came to know about the following information about DPD.

With all things Cisco, we just have to have a keepalive, and with our IPSec peers, that keepalive is Dead Peer Detection.

I feel silly telling you what the DPD does, since if any networking feature has a "the name is the recipe" name, it's this one! As with any keepalive, there are a few basics we need to know....

The CCNP exams generally aren't IOS-version specific, certainly not like the CCIE exams are, but we should know that DPD was introduced with IOS version 12.3(7)T. Older IOS versions do not use DPD, obviously, and you may run into routers with earlier IOS versions out in the field.

According to Cisco's website, the following devices support DPD:

* The Cisco VPN 3000 concentrator
* Cisco PIX firewalls
* Cisco VPN client
* Easy VPN Remote
* Easy VPN Server

DPD can run in two different ways, the default setting and "on-demand". The default setting is much like the routing protocol hellos we've studied in the past. According to Cisco's website, the router will send a DPD Hello every 10 seconds "unless the router receives a hello message from the peer".

As with routing protocols, the drawback of the regularly-scheduled hello packet is that it results in more packets to be processed - and in this case, encrypted and decrypted. That's why DPD offers an on-demand configuration where a router will send a DPD Hello only in advance of sending traffic to a peer.

The second keepalive method is simply the keepalive method of the routing protocol you're using over the VPN. Of course, that timer depends on whether you're running RIP, OSPF, or EIGRP.

DPD can also be used as a mechanism to detect IPSec GRE tunnel failures.

Hope it will be informative.

IPS, IDS

2009-07-13T05:16:00.000-07:00

IPS

IPS can detect misuse, abuse, and unauthorized access to networked resources and respond before network security can be compromised.

IDS

IDS can detect misuse, abuse, and authorized access to networked resources but can only respond after an attack is detected.

IPS and IDS

Both IPS and IDS systems provide real-time monitoring that involves packet capture and analysis of network packets.

Excel Files in Fedora-11

2009-07-06T01:02:00.000-07:00

I am new to Linux (Using Fedora-11) world but YUM rocks, it helped me alot as today i was looking to open an excel file in fedora when i opened so "Package required not found" although i was able to open doc, ppt files so after a short googling i found this command very useful and install many packages like OpenOffice.org Clac, OpenOffice.org Draw, OpenOffice.org Writer, OpenOffice.org Impress, OpenOffice.org Writer, OpenOffice.org Project Management ect.

[root@fedora sohail] # yum groupinstall "office/Productivity"

Happy Using OpenOffice.org

Cheers

Configuring T1 & E1 Interfaces

2009-07-04T04:28:00.000-07:00

Wide Area Network (WAN) provide the mechanism for connecting remote site together and connecting your Local Area Network (LAN) to the internet through a connection to an ISP.There are a variety of physical transports, T1/E1 connections are common means of transport. T1 circuit are generally used in domestic application while E1 circuits are widely deployed internationally. E1/T1 circuits are relatively inexpensive investment because they allow remote sites to share corporate resources at other location and thus eliminate the need of redundant equipment at multiple locations.

Configuring E1/T1 WAN applications includes six steps.

1: Configuring the physical interface (Ethernet and WAN Interface)
2: Configuring the Layer-2 protocol(s)
3: Bind the physical and virtual (Layer-2) interface
4: Create access-lists and policies (Including NAT)
5: Apply the policies to interface
6: Configuring the routing information (Either static or Dynamic (RIP, OSFP etc))

Physical Interface Configurations (T1, E1 and Ethernet)

To enable the appropriate interface, first we have to configure from global configuration prompt. For example, enter the following command to activate the interface configuration mode for the first T1 interface on a T1 module inserted in slot 1:

Head_Office > enable
Head_Office # configure terminal
Head_Office (config) # interface t1 1/1
Head_Office (config-t1 1/1) #

All interface are disable by default and must be activated using the no shutdown command. Interfaces will not be able to pass data until this command is entered.

Configuring T1 Interface

There are four main settings to consider when configuring T1 network interface namely Line coding (Coding), framing formate (framing), active channel (tdm-group), and clock source (clock source) must be all configured to match the circuit supplied by your network provider. By default all secure Router T1 interfaces are configured for ESF (framing esf), B8ZS (coding b8zs) and to recover clocking from the network circuit (clock source line). Generally the line coding, framing format, and clock source default values will be the correct ones for your application and should not be changed.
Each configured T1 interface must have the active channels specified using the tdm-group command because there are no default TDM groups defined. The active channels are entered as a single number representing 1 of the 24 T1 channel timeslots or as a contiguous group of channels. Following are the commands used for T1 configuration:

Head_Office # configure terminal
Head_Office (config) # interface t1 1/1
Head_Office (config-t1 1/1) #tdm-group 1 timeslots 1-24
Head_Office (config-t1 1/1) # no shutdown
Head_Office (config-t1 1/1) # exit

Configuring E1 Interfaces

There are four main settings to consider when configuring E1 network interface namely Line coding (Coding), framing formate (framing), active channel (tdm-group), and clock source (clock source) must be all configured to match the circuit supplied by your network provider. By default all secure Router E1 interfaces are configured for standard multi-frame without the optional CRC4 error correction (no framing crc4), and to recover clocking from the network circuit (clock source line). Generally the line coding, framing format, and clock source default values will be the correct ones for your application and should not be changed.

Each configured E1 interface must have the active channels specified using the tdm-group command because there are no default TDM groups defined. The active channels are entered as a single number representing 1 of the 31 E1 channel timeslots or as a contiguous group of channels. Following are the commands used for T1 configuration:

Head_Office # configure terminal
Head_Office (config) # interface e1 1/1
Head_Office (config-t1 1/1) #tdm-group 1 timeslots 1-31
Head_Office (config-t1 1/1) # no shutdown
Head_Office (config-t1 1/1) # exit

Configuring Ethernet Interfaces

Standard Ethernet configurations generally contains an IP address, a speed and duplex settings. By default, all secure Router Ethernet interfaces are configured to auto-detect the speed (as 10 or 100 Mbps) and are set to full-duplex. For most cases, these settings should suffice and will not be changed from the default state.
The following example commands configure an IP address of (10.10.x.x/24) and activates teh interface foe the eth 0/1 interface:

Head_Office (config) # interface eth 0/1
Head_Office (config-eth 0/1) # ip address 10.10.x.x 255.255.255.0
Head_Office (config-eth 0/1) # no shutdown
Head_Office (config-eth 0/1) # exit

Configuring Layer-2 Protocols (Frame-Relay, PPP, HDLC)

There are two main settings to consider when configuring Frame Relay interfaces. The interface type and signalling type must be configures to match the specification supplied on frame relay circuit by your network provider. Frame-relay interfaces have a sub-interfaces component for each PVC which must also be configured. Each frame-relay sub-interfaces contains a DLCI (Data Link Connection Identifier) and IP address because there are no default DLCI or IP address defined. Each PVC should also have a configured committed burst value (frame-relay bc) which is equivalent to the committed information rate (CIR) given to you by your network provider. PVC will also have a negotiated burst rate (frame-relay be) which is equivalent to the excess information rate (EIR) given to you by your network provider. Both CIR and EIR should be defined by you and your service provider at time of signing the service agreement.

NOTE: To know the appropriate EIR you should know the CIR and Physical bandwidth of both local and remote side. A general rule to the provision of burst value with the remote side CIR and configure the EIR with the difference between CIR and the actual physical bandwidth at the location. The committed burst value plus the EIR should not be greater than the physical bandwidth.

Head_Office (config) # interface fr 2.16
Head_Office (config-fr 2.16) # no shutdown
Head_Office (config-fr 2.16) # exit

Head_Office (config) # interface fr 2.16
Head_Office (config-fr 2.16) # frame-relay interface-dlci 16
Head_Office (config-fr 2.16) # frame-relay bc 768000
Head_Office (config-fr 2.16) # frame-relay be 768000
Head_Office (config-fr 2.16) # ip address 192.168.72.1/30
Head_Office (config-fr 2.16) # no shutdown
Head_Office (config-fr 2.16) # exit

Multilink Frame Relay Operation
Multilink Frame Relay operation increase bandwidth on your frame-relay service by aggregating multiple physical links into a single logical bundle. All the physical links in a multilink bundle are treated as a single entity by the system, allowing each PVC on he connection to dynamically share the total bandwidth of the bundle.
Physical links can be dynamically added and removed from the logical bundle, so a failure on one physical link does not halt the overall operation of the bundle. since all PVC have access to the entire bundle bandwidth, failure of a single physical connection in the bundle does not decrease the efficiency.

Multilink Frame Relay requires minimal configuration in your router, you first enable multilink operation on the frame relay interface (not sub-interface) and then bind the multiple physical interface to the single Frame Relay interface. For Example

Head_Office (config) # interface fr 1
Head_Office (config-fr 1) # frame-relay multilink
Head_Office (config-fr 1) # no shutdown

Now bind multiple physical interfaces tot he same multilink Frame Relay interface

Head_Office (config) # bind 1 t1 3/1 fr 1
Head_Office (config) # bind 2 t1 3/2 fr 1
Head_Office (config) # bind 3 t1 3/3 fr 1

Configuring PPP Interface

There are two settings to consider when configuring PPP interface, IP address and MTU. There are no IP address by default so we have to assign IP address and by default MTU is 1500 Bytes which works for many applications.

Head_Office (config) # interface ppp 1
Head_Office (config-ppp 1) # ip add 172.22.15.2/30
Head_Office (config-ppp 1) # no shutdown
Head_Office (config-ppp 1) # exit

Now for Multilink PPP Operation, first we have to enable this on the PPP interface and then bind the multiple physical interfaces tot he single PPP interface. Before configuration two things are kept in mind, PPP multilink fragmentation command at global configuration mode used for the fragmentation process which evenly divides the data among all the links in the bundle with a minimum packet size of 96 bytes and second command ppp multilink interleave command at global configuration mode used with streaming protocol to reduce delay by giving priority to packets identified as high priority. The command specify the configuration parameter required for multilink PPP interface:

Head_Office (config) # interface ppp 1
Head_Office (config-ppp 1) # interface ppp 1
Head_Office (config-ppp 1) # ppp multilink
Head_Office (config-ppp 1) # no shutdown

Now to bind multiple physical interface to the same multilink PPP interface:

Head_Office (config) # bind 1 t1 3/1 1 PPP 1
Head_Office (config) # bind 2 t1 3/2 2 PPP 1
Head_Office (config) # bind 3 t1 3/3 3 PPP 1

Binding Physical and Virtual Interface

Virtual interface must be bound to physical interface to create a WAN interface where Layer-2 signalling occurs. Use the bind command to connect the physical and virtual interfaces.

Following command listing depicts three bind to a multilink Frame Relay interface and a single bind to a PPP interface. Each bind has a unique label identifier (1 through 4)

Head_Office (config) # bind 1 t1 3/1 1 fr 1
Head_Office (config) # bind 2 t1 3/2 2 fr 1
Head_Office (config) # bind 3 t1 3/3 2 fr 1
Head_Office (config) # bind 4 t1 3/8 4 PPP 1

Now also define ACL and define routing of your own choice or as directed you to do so.

Hope it will be informative for you.

Thank You for reading!

G-Talk for Fedora

2009-06-30T03:51:00.000-07:00

I love to do work in Fedora although i am not a Linux professional but i am trying for learning and working in it as i am Network Engineer by Profession, I was looking for gtalk for my fedora i consult my teacher Nayyar Ahmad (He is RHCE, http://nayyares.blogspot.com) so he advice me to download pidgen and use it if you don't have just click here pidgen and you can download it, for me it was so simple as in Fedora-11 it is there by default.

Now configuration of Pidgen comes in so again i found sir Nayyar Ahmad blog very useful so here you can find the detail information.

Cheers

OSPF over IPv6

2009-06-26T02:39:00.000-07:00

Why we need IPv6? There were some limitation in IPv4 i.e. Major Limitation was address space shortage and Minor linitation was Packet fragmentation (The default size is 1500 bytes, if a packet size is more than 1500-bytes so the packet is fragmentaed and again the packets are reassembaled at the other side. So the first and short term solution was to slow down the consumption by using DCHP server, NAT etc and another to introduces new routed protocl (long term solution) to which they called Ipng (IP next generation) and later on after developing they called it IPv6. For example, In Japan IPv6 in almost fully implemented.
Now we can assign IPv6 address on routers, pc just like IPv4, and we can also run different routing protocol on this, in this blog I will talk about OSPF over IPv6.
We have two routers and configure IPv6 addresses as show under on both routers and also the detail configuration steps of assif-gning IPv6 addresses on routers.

Router_1 serial 0/1 2001:0:0:2::1/64
Router_1 Fastethernet 0/0 2001:0:0:1::1/64
Router_2 serial 0/1 2001:0:0:2::2/64
Router_2 Fastethernet 0/0 2001:0:0:3::1/64

First of all we have to enable IPv6 on routers as by default IPv4 is enable, so to enable IPv6 we have

Router_1 (config) # ipv6 unicast-routing

Now to assing address on each interace on Router_1, the detail steps are as folllow

Router_1 (config) # interface serial 0/0
Router_1 (config-if) # ipv6 address 2001:0:0:2::1/64
Router_1 (config-if) # no shutdown
Router_1 (config) # interface fastethernet 0/0
Router_1 (config-if) # ipv6 address 2001:0:0:1::1/64
Router_1 (config-if) # no shutdown

To assing address on each interace on Router_2, the detail steps are as folllow

Router_2 (config) # interface serial 0/0
Router_2 (config-if) # ipv6 address 2001:0:0:2::2/64
Router_2 (config-if) # no shutdown
Router_2 (config) # interface fastethernet 0/0
Router_2 (config-if) # ipv6 address 2001:0:0:3::1/64
Router_2 (config-if) # no shutdown

Now to see the routing table of Router_1, we have the command

Router_1 # show ipv6 route---------------------------output shown in the figure.

Now to run OSPF on both router to ping each other fastethernet IP as they are different network ID, so

Router_1 (config) # interface serial 0/1
Router_1 (config-if) # ipv6 ospf 1 area 0

Note ./.OSPF v3-4-NORTRID: OSPF v3 process 1 could not pick a router-id, please configure manually

So remember one thing that to configure ospf on IPv6 and there is no IPv4 on that router so it will not take router id bydefault so we have to configure router-id manually and that router-id will be 32-bit ipv4 formate ip. So to configure router-id manually we have

Router_1 (config) # ipv6 router ospf 1
Router_1 (config-rtr) # router-id 10.1.1.1

Router_1 (config) # interface serial 0/1
Router_1 (config-if) # ipv6 ospf 1 area 0
Router_1 (config) # interface fastethernet 0/0
Router_1 (config-if) # ipv6 ospf 1 area 0

Do the same configurations on Router_2 as we did above just with different router-id say 20.1.1.1 for Router_2. Now see the roputiong table of Router_1, so the Router_2 fastethernet route is learened via ospf, see the figure show by red boxes.

IPv6 is difficult to remember so there is a concept of Mapping, we can map an IP against a text, say in my case I have map the Router_2 fastethernet ip with name of “lhrip” see the command for it on the figure shown with green boxes.

Router_1 (config) # ipv6 host lhrip 2001:0:0:3::1
Router_1 (config) # ping lhrip

The output of the ping command can be seen from the figure, output is show and highlighted by green boxes.

I hope it will be informative for you.

Thank you for reading.

Network Administrator post in Sui Gas

2009-06-25T04:42:00.000-07:00

Back in January 2009, one day i opened Sui Northern Gas web page and i saw "New Posts", i got happy and as i opened the link there they advertised some posts of Network Administrator, System Administrator, Engineers and some Management Staff on career basis, my interest was in "Network Administrator", so i applied for the post and submit all the relevant information. In march 2009 i received call from the head office that you have to appear for written test of Network Administrator conducted by NTS (National Testing Service) on Saturday, 4th April 2009, Test Time is 1:00 PM at ICMS Hayatabad. It was computer based test so we get the result at that time and i scored 61 marks in that test. Later on, In June 2009 i received an email from HR that you have to appeared for an interview on June 23, 2009. That was the happiest moment for me as i got a chance to prove my skills in front of them and will get this job INSHALLAH. Thee interview was in Head Office (Lahore, Pakistan) and its almost 500 km far from my home. on June 22nd night i was too excited about the interview and i was busy in preparing my self like collecting my all documents, degrees, certificates, also got with a suit and prepared my self to be there for interview. The interview timing were 09:00 am Sharpe (they have mention in the interview letter).

22nd June: In the morning when i get up......! opss i was not feeling well really as i feel vomiting, headache and also got problem in my stomach, anyway i prepared my self and went for my class (CCNP i am teaching from 10:00 to 12:00) and then i went for Bus and start my journey, on the way i did vomiting three times, felt so pain in my head and backbone but i said i will go and i reached Lahore at 11:00 pm in the night, i just took some water and green tea and went to bed for rest.

23rd June: In the morning the conditions were the same, but i took bath and took my documents and other stuff and went for interview when i reached office the time was 08:35 am and they told us to wait in the basement. we all guys (came for interview) were waiting there and at 09:30 a female and a male came with pen, stapler in hands and call one by one and checked their documents and send a group of around fifteen people to floor 5th for interview, It was 12:00 o'clock when our group turn comes, when my turn come they call my name

Person: SOHAIL
Me: Yes i am
Person: Please come
Me: ok

I entered the room and there were just three people in the panel, they said sit.

Question # 1: so sohail what are you doing?
Me: I am currently doing job, am working as a Instructor in NSIT and working in the same organization on contract basis.

Question # 2: When is your contract expires? (Ohhh Bullshit Question)
Me: In August 2009

Question # 3: Ok, how u relate your experience with this post?
Me: As i have done my Honour Graduation in Information Technology, have done with different international certifications like CCAN, CCNP, CCSP (SNPA), JNCIA-EX and also done with course work of MCSE, Orcale (DBA, 8i) and currently studying CCIE (Routing and Switiching) and in July i will get my two certification JNCIS and JNCIA-ER also and am working from last one and half year in the same field and as i am currently working in the same organization and so i am aware of the network etc.

Question # 4: what are the devices in Regional Office?
Me: Router 2600 series, switches 3550, 3560 etc.

They Said Thanks...........and i went out, now when i came out all the students were screaming and said is this is an interview, like in these two or three question how can they judge a student that whether he/she have sufficient knowledge or not, because from all students they ask just these two or three question, even not a single technical question although the job is pure technical.

One surprising thing is that in all areas like Engineering, Management etc they have call students who have marks more than 60, only in IT post they have call people who have scored till 50, because all those for which they have announce this post scored less that 60 marks, Thats what i think?.

In interview from Engineers they ask OK what do you think about Pakistan present situation, what do you think about the 20-20 cricket, do you watch etc.......They will select great Engineers.

And Pakistan says that we haver no Talent, we are backward country, if the case is like this they will be like this in future also.

Regards

Object ACL

2009-06-18T05:49:00.000-07:00

There are many types of ACL (Access Control List) like Standard, Extended, Time-Based, Named-Based etc; here I will talk about Object Access Control List (OACL). Object ACL is used to create object of ACL like for thousand of ACL we can create one object and likewise we can have many objects and we can call all those object in one object (Just Like we do in programming). For example we have source01 (Nayyar, Ahmad, Superman) and source02 (Sohail, Akhtar, Mastermind) and we have source03 in which we call both these objects.

According to the topology we have an inside router on which security level is 100 and outside router on which security level is 0 because we have to keep security level high on our inside so that no one from outside can access (as traffic is not allowed by default from low security level to high security level) our router and in the way we have PixFirewall-515 to filter traffic, now make secondary interface on inside and outside router and assign IP address to it, so here we go:

Inside-Router (config) # interface fasethernet 0/0
Inside-Router (config-if) # ip address 192.168.1.3 255.255.255.0 secondary
Inside-Router (config-if) # ip address 192.168.1.4 255.255.255.0 secondary
Inside-Router (config-if) # ip address 192.168.1.5 255.255.255.0 secondary

Outside-Router (config) # interface fasethernet 0/0
Outside-Router (config-if) # ip address 10.1.1.3 255.0.0.0 secondary
Outside-Router (config-if) # ip address 10.1.1.4 255.0.0.0 secondary
Outside-Router (config-if) # ip address 10.1.1.5 255.0.0.0 secondary

Defining Objects-----------------------For Source

PixFirewall-515 (config) # object-group network s1
PixFirewall-515 (config) # network-object host 192.168.1.2
PixFirewall-515 (config) # network-object host 192.168.1.3

PixFirewall-515 (config) # object-group network s2
PixFirewall-515 (config) # network-object host 192.168.1.4
PixFirewall-515 (config) # network-object host 192.168.1.5

Now calling both objects within another object

PixFirewall-515 (config) # object-group network s3
PixFirewall-515 (config) # group s1
PixFirewall-515 (config) # group s2

Defining Objects-------------------For Destination

PixFirewall-515 (config) # object-group network D1
PixFirewall-515 (config) # network-object host 10.1.1.2
PixFirewall-515 (config) # network-object host 10.1.1.3

PixFirewall-515 (config) # object-group network D2
PixFirewall-515 (config) # network-object host 10.1.1.4
PixFirewall-515 (config) # network-object host 10.1.1.5

Access-List to all Objects:

PixFirewall-515 (config) # access-list 105 permit tcp object s1 object D1 eq 23
PixFirewall-515 (config) # access-list 105 permit tcp object s3 object D2 eq www

In the first ACL only members of object s1 is allowed while in second they have
allowed object s3 which itself calls both the s1 and s2 object.

Lest remove 192.168.1.2 from access-list like

PixFirewall-515 (config) # object-group network 1
PixFirewall-515 (config) # no network-object host 192.168.1.2

Now ping outside address using 192.168.1.2 as a source address so it will not ping because it is removed from the object, again add in the group and ping then it will work properly.

PixFirewall-515 (config) # object-group network 1
PixFirewall-515 (config) # network-object host 192.168.1.2

I hope it will be informative.
Cheers

STP v/s RSTP

2009-06-17T07:32:00.000-07:00

Spanning Tree Protocol (STP) is used to avoid layer-2 loops or switching loops. Some of the terminologies used in spanning tree protocol are Root Bridge-RB (It is normally the powerful switch on the network means with high processor, high memory etc), Non-Root Bridge-NRB (switches other than root bridge are called NRB), Designated Port-DP (The port which transmit best BPDU and ports of root bridge are always designated port because it turns into forwarding state) and Root Port-RP (the port which receive best BPDU)both are also called Forwarding Ports, and Non-Designated-NDP Port also called Blocking Port. There election of RB and NRB is done on the basis of priority and MAC address collectively called Bridge ID. There are certain conditions for the election, i.e. One Root Bridge / Network, One Designated Port / Segment ( Root Bridge ID, Path Cost to the Root, Sender Bridge ID (SBID), Port ID (PID)), One Root Port / Non-Root Bridge( Path Cost to the Root, Sender Bridge ID (SBID), Port ID (PID)).

RSTP (Rapid Spanning Tree Protocol) on the other hand is an 802.1w IEEE standard and is backward compatible with 802.1D (STP) on per port basis. RSTP is fast from STP because here the convergence is done by each link or done on link by link basis. We have different Port States ( Discarding, Learning, Forwarding), Port Roles ( Root-Port, Designated , Backup, Alternate), Port Types( Edge Port, Non-Edge Ports) and Link Types ( Shared Links, Point-to-Point).
Now the question arises that whether to use STP or RSTP in our networks, so look at the following configurations and the output then we can conclude which to use and why?

STP Configuration

Its enable by default now look at the first figure that Fast Ethernet 0/2 on MLS 1 is down to see the result I am going to shutdown Fast Ethernet 0/3 and let’s see how much time Fast Ethernet 0/2 took to get up and see the packets that are dropped in the mean while. Look at the Figure A and see before and after shutting down the Fast Ethernet 0/3 and in the mean while the packets that are dropped are show by black circle and then communications starts so here communication is almost 97 Percent.

RSTP Configuration

Now to enable RSTP on all switches just we have to enter a single command. i.e.
MLS-0(config) # spanning-tree mode rapid-pvst
MLS-1(config) # spanning-tree mode rapid-pvst
MLS-2(config) # spanning-tree mode rapid-pvst

Now look at the second figure that Fast Ethernet 0/3 on MLS 1 is down, to see the result I am going to shutdown Fast Ethernet 0/2 and see how much time Fast Ethernet 0/3 took to get up and see now how much packets are dropped in the mean while. Look at the Figure A and see before and after shutting down the Fast Ethernet 0/2 and in the mean while the packets that are dropped are show by black circle and then communications starts so here communication is almost 99 Percent which is consider perfect as 1% is negligible.

Conclusion

So we came to conclusion that RSTP is better to implement on our network as we will not face data loss that we can face in STP.

Hope it will be informative for you. Thank You for Visiting.

Linux PC on Network

2009-06-17T03:49:00.000-07:00

Back in 2008 when i was unable to bring my PC (Linux OS) on a network, i was thinking of how to connect it to the internet or bring on a network or how to install messenger or any other software because i was completely unaware of this as i am not a Linux guy as i am network guy but i am trying to for the learning of Linux, here are the few steps or few changes required in the files thne we can bring our pc on a network and can enjoy internet may be it will help some one who really don't know how to bring pc on network. There are certain file in which we have to make changes (for CLI users) like:
/etc/sysconfig/network
/etc/sysconfig/network-script/ifcfg-eth0
/etc/resolve.conf

Step # 1: vi /etc/sysconfig/network

In this file just define the gateway like
NETWORKING=yes
HOSTNAME=myserver.proxy
GATEWAY=192.168.1.1

Step # 2: vi /etc/sysconfig/network-script/ifcfg-eth0

In this file we just have to define our IP address
DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.255.255.255
HWADDR=00:1A:64:6D:3F:9C
IPADDR=10.x.x.x
NETMASK=255.0.0.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=192.168.1.2

Step # 3: vi /etc/resolve.conf

In this file you have to give your DNS and Preferred DNS ip address
nameserver 10.x.x.x
nameserver 10.x.x.x

Thos who want to make it graphically jsut with one command, just enter following command:

[root@myserver ~]# netconfig

you will be promting a window as you seen, If you are running DHCP server on you network then just check [*] USe Dynamic... here we go your system is now on a network. Yu can check by following command

[root@myserver ~]# ifconfig
eth0
HWaddr 00:10:C6:9F:42:62
inet addr:10.110.10.2
Bcast:10.255.255.255
Mask:255.0.0.0

Here we go, hopefully it will be informative.
Enjoy

Eclipse on Linux

2009-06-12T04:24:00.000-07:00

To install eclipse on liux (or any other operating system) it will ask for java runtime so before installing Eclipse first we have to istall jre on Linux machine the detail steps are as follow.

To install jre on Linux (self-extracting) file Follow these instructions:
1. If you are login with another user (other than root), At the terminal, Type
su
2. Enter the root password.
3. Change path to the directory in which you want to install, like I install in /usr/java,
cd /usr/java/
To make the file executable change the permission by following command,
chmod a+x jre-6u-linux-i586.bin
4. Verify that you have permission to execute the file. Type
ls -l
see Figure "A"

5. To start the installation process Type,
./jre-6u-linux-i586.bin
this displays a binary license agreement. Go through the agreement. Press the spacebar to display the next page. At the end, enter yes to proceed with the installation. see Figure "B"

6. Java is installed into its own directory. In this case, it have installed in the /usr/java/jre-6u14-linux-i586 directory. When the installation has completed, you will see the word Done. see figure "C"

7. Java is installed in jre-6u14-linux-i586 sub-directory under the current directory. In this case, Java is installed in the /usr/java/jre-6u14-linux-i586 directory. Verify that the jre-6u14-linux-i586 sub-directory is listed under the current directory. Type:
ls see Figure "D"
The installation is now complete.

To install the Linux RPM (self-extracting) file Follow these instructions:
1. Change to the directory in which you want to install. I have installed in /usr/java/ directory,
cd /usr/java
Change the permission of the file you downloaded to be executable. Type:
chmod a+x jre-6u14-linux-i586-rpm.bin

2. Start the installation process. Type:
./ jre-6u14-linux-i586-rpm.bin
This displays a binary license agreement. Read through the agreement. Press the spacebar to display the next page. At the end, enter yes to proceed with the installation.

3. The installation file creates jre-6u14-linux-i586-rpm file in the current directory. see figure "E".

4. Run the RPM command at the terminal to install the packages for confirmation sometime it will display you a message “already installed”.
rpm -iv jre-6u14-linux-i586-rpm

5. Java is installed in jre-6u14-linux-i586-rpm sub-directory under the current directory. In this case, Java is installed in the /usr/java/jre-6u14-linux-i586-rpm directory. Verify that the jre-6u14-linux-i586-rpm sub-directory is listed under the current directory. Type:
ls see Figure "F".
The installation is now complete. The version number can be different depends on the version number you have downloaded.

Enable and Configure
Mozilla 1.4 and later
1. Go to the plugins sub-directory under the Mozilla installation directory
cd usr/lib/Mozilla-1.4/plugins
2. In the current directory, create a symbolic link to Java ns7/libjavaplugin_oji.so file Type:
ln -s /plugin/i386/ns7/libjavaplugin_oji.so
Example:
o If Mozilla is installed in this directory:
/usr/lib/mozilla-1.4/
o and if the Java is installed at this directory:
/usr/java/jre 6u14
o Then type at the terminal to go to the browser plug-in directory:
cd /usr/lib/mozilla-1.4/plugins
o Enter the following command to create a symbolic link to the Java Plug-in for the Mozilla browser.
ln -s /usr/java/jre 6u14/plugin/i386/ns7
/libjavaplugin_oji.so.
3. Start Mozilla browser or restart it if it is already running. Note that if you have other Mozilla components (ie: Messenger, Composer, etc) running, you will need to restart them as well.
4. Go to Edit > Preferences. Under Advanced category > Select Enable Java

Eclipse Installation
1. First step is to direct the path where we want to install the application like in my case i have install in
cd /usr/eclipse
2. Second step is to decompree and then extract the data so one command for both is
tar zxvf eclipse-jee-ganymede-SR2-linux-gtk.tar
3. Now its ready to use just go to that directory where you have install like i have done
cd /usr/eclipse/eclipse
and then enter now enter the following command
./eclipse

Trunk Port in Depth

2009-06-01T01:32:00.000-07:00

Trunk port is a port which carries multiple VLAN information (traffic). Two types of encapsulation are available i.e. ISL and Dot1q. On certain switches only Dot1q is available it depends on which series of switch are you using. There is difference between these two some of the features are:
ISL: It’s a Proprietary Protocol and frame is encapsulated (double Tagging) with a total size of 30 bytes (26 Bytes Header and 4-bytes Tail) and is done on the whole frame, it’s a protocol independent means frame is encapsulated and have no concern with internal data and support PVST (per VLAN spanning Tree) and have no use in VoIP environment. 10 bits is kept reserved so we can create VLAN up to 1024 and we can configure from 2 to 1001 as VLAN 1 and VLAN 2-5 are reserved.
DOT1Q: It’s a non-proprietary protocol and a small tagged is attached to a side of frame of size 4-bytes. It’s a protocol dependent and has support for VoIP and there is three bits space reserved for PRI (priority) used to give preference to whom and not to who called dot1p acts as a class of service. 12 bits are kept reserved so the range of VLAN goes up to 4096. DOT1Q also support Native VLAN (Native VLAN is untagged VLAN means if there is any traffic comes from switch-A which is untagged so it will be received by VLAN on the other side which is declared as a Native VLAN and it is recommended that keep same VLAN as a Native on both side.

Negotiation: If there are two switches with both the encapsulation available on both side so the negotiation will be done on ISL and Trunk port will be established, if there is ISL and DOT1Q on one side and ISL only on the other side so negotiation will be done using DOT1Q and Trunk Port will be established.
Now to start with the Lab makes sure that the switches are Zero Meter and for that enter the following command:

Switch-A # show vtp status
VTP Version : 2
Configuration Revision : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x77 0xA2 0x57 0xB9 0xDB 0x6E 0xC4 0x8C
If you can see the revision number it is 5, so to bring the switch to zero meters we have to delete all VLAN but remember by deleting VLAN the revision number will still 5 as there is a Database maintaining with the name of “VLAN.dat” so we have to delete that also.

Switch-A # delete flash: vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [Confirm]

Switch-A # write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]

Switch-A # show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x77 0xA2 0x57 0xB9 0xDB 0x6E 0xC4 0x8C

Repeate all these commands on both switches and then give the following command.

Switch-A # show interface trunk

Port Mode Encapsulation Status Native vlan
Fa0/1 desirable 802.1q trunking 1
Fa0/2 desirable 802.1q trunking 1
Fa0/3 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/1 1-1005
Fa0/2 1-1005
Fa0/3 1-1005

Port Vlans allowed and active in management domain
Fa0/1 1,1002,1003,1004,1005
Fa0/2 1,1002,1003,1004,1005
Fa0/3 1,1002,1003,1004,1005

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,1002,1003,1004,1005
Fa0/2 1,1002,1003,1004,1005
Fa0/3 1,1002,1003,1004,1005

If you notice the mode which is desirable, we can have three conditions for the trunk port i.e. The mode can be desirable desirable, desirable auto and auto auto. so Trunk prot will be established between desirable desirable and desirbale auto while no trunk port between auto auto because when port is in auto mode so it waits for the DTP to recieve so both ports will be waiting for the DTP and no trunk port will be established. In the above case all states are desirable, lets see all three cases.
To change the mode give the following command.

switch-A(config) # interface fastethernet 0/2
switch-A(config-if) # switchport mode dynamic auto

switch-A # show interface trunk

Port Mode Encapsulation Status Native vlan
Fa0/1 desirable 802.1q trunking 1
Fa0/2 auto 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/1 1-1005
Fa0/2 1-1005
Fa0/3 1-1005

Port Vlans allowed and active in management domain
Fa0/1 1,1002,1003,1004,1005
Fa0/2 1,1002,1003,1004,1005
Fa0/3 1,1002,1003,1004,1005

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,1002,1003,1004,1005
Fa0/2 1,1002,1003,1004,1005
Fa0/3 1,1002,1003,1004,1005

Now you can see that when we made the state auto for 0/3 interfae on both side so no trunk link is established. The method shown above is the dynamic method.

The Static method for trunk port is to shutdown the DTP packet first, lets try for the 0/3 interface. The correct sequence is as follow:

switch-A (config) # interface fastethernet 0/3
switch-A (config) # shutdown
switch-A (config) # switchport nonegotiate
switch-A (config) # switchport mode trunk
switch-A (config) # no shutdown

Now give the command as follow to see the result

switch-A # show interface trunk

Port Mode Encapsulation Status Native vlan
Fa0/1 desirable 802.1q trunking 1
Fa0/2 auto 802.1q trunking 1
Fa0/3 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/1 1-1005
Fa0/2 1-1005
Fa0/3 1-1005

Port Vlans allowed and active in management domain
Fa0/1 1,1002,1003,1004,1005
Fa0/2 1,1002,1003,1004,1005
Fa0/3 1,1002,1003,1004,1005

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,1002,1003,1004,1005
Fa0/2 1,1002,1003,1004,1005
Fa0/3 1,1002,1003,1004,1005

If you can see the above output so the 0/3 shows state is ON means that trunk port is configured manually.

This is just a window to the trunk port configurations.

Hope it will be informative for you.

IOS Recovery

2009-05-08T05:09:00.000-07:00

Last night while preparing routers for CCNP rack I was upgrading Cisco 2600 routers to support security, so I download 12.4 version ios and install on a router while installing I erase the existing ios and after erasing completion the router suddenly prompt “not enough memory” ………….Ohhhhhhhh. I reload the router, so it gives me prompt
Rommon >
Now no existing ios and stuck in this mode so after a short search “xmodem” command crossed my mind. Here are the steps to recover router ios.
Step # 1: Rommon > xmodem c2600-advsecurity9-mz.124-1a.bin
Now you will get message “Ready to receive the file”, after that follow step # 2
Step # 2: On Hyper-Terminal go to “Transfer” tab and select “Send File” so you will get another window as shown in the figure # a. Select the location of the IOS and then select “xmodem” from the drop down box and select receive.
Step#3: After this you will get the third window as shown in the figure # b. Select the path in the sending box where the image is placed, in my case the path and the image name is as given.
Sending: D:\tftp ok\ c2600-advsecurity9-mz.124-1a.bin
After that the receiving will be start, as shown in Figure # b.
I am hopeful this will be informative for you.
Enjoy!

IPv6 Tunneling

2009-03-30T09:03:00.000-07:00

I was practicing IPv6 in home by using Cisco 7200 series router so I think of a lab that if we have IPv6 enabled router on both side and I want to communicate them by using IPv4 cloud so what will be the procedure for it, so after studying books (Data Communication by Behrouz A. Forouzan and TCP/IP Routing by Jeff Doyle), I found that one of the method used for it is tunneling. The tunnel can be of four type’s i.e.
 Router to Router
 Host to Router
 Host to Host
 Router to Host
My Lab is between Router to Router. A tunnel is configured between Cisco routers by creating tunnel interface in the routers that border the IPv6 and IPv4 networks. IPv6 subnets are defined on both side and IPv6 dynamic protocol is in used RIPng, BGP or OSPFv3, in our lab we used RIPng. A tunnel is configured between these two IPv6 enable routers to communicate through IPv4 cloud.
I took just two 7200 series router and performed this lab. So here are the steps and configuration of the Lab.

Router_A (config) # ipv6 unicast-routing

Router_A (config) # interface serial 1/0
Router_A (config) # ip address 1.1.1.1
Router_A (config) # no shutdown
Router_A (config) # keepalive
Router_A (config) # clock rate 64000

Router_A (config) # interface FastEthernet 0/0
Router_A (config) # ipv6 enable
Router_A (config) # ipv6 address 2001:0:0:1:: 1/64
Router_A (config) # ipv6 rip 1 enable

Now to define Tunnel Interface on Router_A

Router_A (config) # interface Tunnel 0
Router_A (config) # ipv6 address 2001:0:0:5:: 1/64
Router_A (config) # tunnel source serial 1/0
Router_A (config) # tunnel destination 1.1.1.2
Router_A (config) # tunnel mode ipv6ip
Router_A (config) # ipv6 rip 1 enable

Now the configurations on the other side are as under

Router_B (config) # ipv6 unicast-routing

Router_B (config) # interface serial 1/0
Router_B (config) # ip address 1.1.1.2
Router_B (config) # no shutdown
Router_B (config) # keepalive

Router_B (config) # interface FastEthernet 0/0
Router_B (config) # ipv6 enable
Router_B (config) # ipv6 address 2001:0:0:3:: 1/64
Router_B (config) # ipv6 rip 1 enable

Now to define Tunnel Interface on Router_B

Router_B (config) # interface Tunnel 0
Router_B (config) # ipv6 address 2001:0:0:5:: 2/64
Router_B (config) # tunnel source serial 1/0
Router_B (config) # tunnel destination 1.1.1.1
Router_B (config) # tunnel mode ipv6ip
Router_B (config) # ipv6 rip 1 enable

Now to check the communication that whether the two router are communicating with each other using IPv4 cloud or not, we can check this by Ping or Traceroute

Router_A# Ping ipv6 2001:0:0:3:: 1
OUTPUT:

Types escape sequence to abort.
Sending 5, 100-byte ICMP echos to 2001:0:0:3:: 1, timeout in 2 seconds:
!!!!!
Success rate is 100 percent <5/5>, round-trip min/avg/max = 12/58/188 ms

Router_A# Traceroute
OUTPUT:

Types escape sequence to abort.

Tracing the route to 2001:0:0:3:: 1

1 2001:0:0:3:: 1 56 msec 48 msec 72 msec

The detail output can also be seen from the figure attached.

Hope it will be informative for you.

Configuring Cisco Router as a DHCP Server

2009-03-02T08:18:00.001-08:00

Thank GOD, atlast i have done it.....lolz. I was trying from last couple of days to configure cisco router as a DHCP server but there were some problems but anyway today i have done with that. Here is the step wise configuration of the Lab, may be it will help someone. so here we go!

Note: connect the devices as shown in the figure

The configuration on cisco router to be DHCP server as follow:

SERVER(config)# interface fasethernet 0/0
SERVER(config-if)# ip address 192.168.1.1 255.255.255.0
SERVER(config-if)# no shutdown
SERVER(config-if)# exit

SERVER(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.99
SERVER(config)# ip dhcp pool mypool
SERVER(config)# network 192.168.1.0 255.255.255.0
SERVER(config)# default-router 192.168.1.1
SERVER(config)# dns-server 192.168.1.1

Now the configuration on the client side is just simple

CLIENT_1(config)# do show ip interface brief
CLIENT_1(config)#interface fastethernet 0/0
CLIENT_1(config-if)# ip address dhcp
CLIENT_1(config-if)# no shutdown

Now wait for the log message on console, if not seen don't worry after a while CLIENT_1 should obtained ip from DHCP Server.

CLIENT_1# show ip interface brief
CLIENT_1# ping 192.168.1.1

You can check the DHCP bindings by a command

CLIENT_1# show ip dhcp bindings

The output of my lab for this bindings command is as follow:
IP address Client-ID/ Lease expiration Type
Hardware address
192.168.1.100 0001.4303.C501 -- Automatic
192.168.1.101 0004.9A66.B101 -- Automatic
192.168.1.102 000A.41D2.1543 -- Automatic

The same commands are on CLIENT_2 as we did on CLIENT_1. For pc just check the option (ip configuration......DHCP).

Enjoy it!

Configuring Router to run SDM

2009-03-01T09:27:00.000-08:00

Cisco Router and Security Device Manager (SDM) is an graphical, Web-based device management tool supported on Cisco 830 series through Cisco 7301 routers. SDM provides smart wizards and advanced configuration support for LAN and WAN configurations, NAT, Firewall Policy, Intrusion Prevention (IPS), IPSec virtual private network (VPN), Easy VPN Client and Server configurations, Digital Certificates, and Quality of Service (QoS) Policy features.

You can download SDM free of cost from Cisco site.
www.cisco.com/go/sdm

Follow the steps below to configure a router to run SDM.

Step 1:
Connect to your router using Telnet, SSH or via console.
Enter the global configuration mode using the command:

Router>enable

Router#conf terminal

Router(config)#

Step 2 :
Enable the router's HTTP/HTTPS server, using the following Cisco IOS commands:

Router(config)# ip http server

Router(config)# ip http secure-server

Router(config)# ip http authentication local

Note:- HTTPS is enabled only for crypto enabled IOS images.

Step 3:
Create a user with privilege level 15.

Router(config)# username cisco privilege 15 password 0 cisco

Note:- Replace cisco and cisco with the username and password that you want to configure.

Step 4:
Configure SSH and Telnet for local login and privilege level 15:

Router(config)# line vty 0 4

Router(config-line)# privilege level 15

Router(config-line)# login local

Router(config-line)# transport input telnet

Router(config-line)# transport input telnet ssh

Router(config-line)# exit

Step 5: (Optional) Enable local logging to support the log monitoring function:

Router(config)# logging buffered 51200 warning

How to take backup of Registry

2009-02-11T10:22:00.000-08:00

That day a student put question on orkut wants to know about the method used to take backup of registry, so here we go, Follow these steps to get backup of registry.

Backup:

1. Select Start
2. Run
3. regedit and press ok
4. File then Export
5. Name the File and save where you want

Restore Backup:

1. Select Start
2. Run
3. regedit and Enter
4. File then Import
5. Select the backup file that you saved at backup time.

Router Password Recovery

2009-02-04T07:36:00.000-08:00

1. Turn off the power and again on to start the device.

2. Now bring device into ROM monitor mode. It can be done by using BREAK key or sequence might be CTRL-BREAK or CTRL-D or another combination, it varies by system to system.

3. At the > prompt, type o (it’s not zero) to record the current value of configuration register (or it can be 0x2102 or 0x102).
> o

4. Type o/r 0x2142 to tell the router to boot from Flash without loading configuration in NVRAM (Startup-Configuration) at the next reload.

5. Type i to have the router reboot, the router ignores the configuration in NVRAM.

6. Now the router run the setup dialog, type no or press Ctrl-C to skip the initial setup dialog.

7. Type enable at the line mode to enter into the privilege mode

Router > enable

8. Copy the startup-configuration to running-configuration by using command

Router# copy startup-configuration running-configuration

Note: Do not type configure terminal, if you did so you over write the configuration stored in NVRAM.

9. View the configuration by giving command given below.

Router# show running-configuration

View the configuration, Line password, vty and Enable Password while an encrypted password need to be changed.

10. Enter Configuration mode and change the enable, line and vty password.

Router# configure terminal
Router (config) #

11. No shutdown all the interfaces that you are using.

12. Type config-register 0x2102 to return router to normal operation at next reload.

13. Exit configuration by Ctrl-Z

Router (config) # press Ctrl-Z
Router #

14. Save your changes by command given below.

Router# copy running-configuration startup-configuration

15. Reload the router to verify the password.

wildcard Mask

2009-02-03T11:03:00.000-08:00

Wildcard mask is very different from subnet mask.

The values for subnet mask can be 128,192,224,240,248,252,254 and 255.

On the other hand, wild card mask values are: 127,63,31,15,7,3,1 and 0.

The tip out here is that simply subtract subnet mask value from 255.

In ACLS and OSPF network statements, we use wild card mask, 127 will be: 011111111 which means match the first bit and ignore the other 7.

Cisco Catalyst Switch Password Recovery

2009-02-02T08:50:00.000-08:00

Introduction

Password recovery procedure for the Cisco Catalyst 2900XL, 3500XL, 2950, and 3550 series switches.

Step-by-Step Procedure

1. Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) to the console port of the switch. Use the following terminal settings:
Bits per second (baud): 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow Control: Xon/Xoff

2. Unplug the power cable.

3. Hold down the mode button located on the left side of the front panel, while reconnecting the power cable to the switch.

For 2900/3500XL and 3550 Series switches: release the mode button after the LED above Port 1x goes out.
Note: LED position may vary slightly depending on the model.
Catalyst 3524XL See Figure No: 1

For 2950 Series switches: release the mode button after the STAT LED goes out.
Note: LED position may vary slightly depending on the model.
Catalyst 2950-24 See Figure No: 2

The following instructions appear:
The system has been interrupted prior to initializing the
flash filesystem. The following commands will initialize
the flash filesystem, and finish loading the operating
system software:
flash_init
load_helper
boot
switch(config)#

!--- This output is from a 3500XL switch. Output from a 2900XL, 2950 or 3550 will vary slightly.

• Issue the flash_init command.

Switch# flash_init

Initializing Flash...
flashfs[0]: 143 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2729472
flashfs[0]: Bytes available: 883200
flashfs[0]: flashfs fsck took 86 seconds
....done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4

switch(config)#

!--- This output is from a 2900XL switch. Output from a 3500XL, 3550 or 2950 will vary slightly.

• Issue the load_helper command.

Switch# load_helper

• Issue the dir flash: command.

!--- Make sure to type a colon ":" after the dir flash.

The switch file system is displayed:

Switch# dir flash:

Directory of flash:/
2 -rwx 1803357 c3500xl-c3h2s-mz.120-5.WC7.bin

!--- This is the current version of software.

4 -rwx 1131 config.text

!--- This is the configuration file.

5 -rwx 109 info
6 -rwx 389 env_vars
7 drwx 640 html
18 -rwx 109 info.ver
403968 bytes available (3208704 bytes used)
switch:

!--- This output is from a 3500XL switch. Output from a 2900XL, 2950 or 3550 will vary slightly.

• Type rename flash:config.text flash:config.old to rename the configuration file.

Switch# rename flash:config.text flash:config.old

switch#

!--- The config.text file contains the password definition.

• Issue the boot command to boot the system.

Switch# boot

Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...#####################
######################################################################
######################################################################
File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry po
int: 0x3000
executing...

!--- Output truncated.
!--- This output is from a 3500XL switch. Output from a 2900XL, 2950 or 3550 will vary slightly.

• Enter "n" at the prompt to start the Setup program.
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Continue with configuration dialog? [yes/no]: n

!--- Type "n" for no.

Press RETURN to get started.

!--- press Return or Enter.

Switch>

!--- The Switch> prompt is displayed.

• At the switch prompt type en to enter enable mode.

Switch>enable

Switch#
• Type rename flash:config.old flash:config.text to rename the configuration file with its original name.
Switch# rename flash:config.old flash:config.text
Destination filename [config.text]

!--- Press Return or Enter.

Switch#

• Copy the configuration file into memory:

Switch# copy flash:config.text system:running-config

Destination filename [running-config]?

!--- Press Return or Enter.

1131 bytes copied in 0.760 secs
Switch#
The configuration file is now reloaded.
• Change the password:
Switch# configure terminal

Switch(config)# no enable secret

!--- This step is necessary if the switch had an enable secret password.

Switch(config)# enable password Cisco

Switch#(config)#^Z

!--- Control/Z.

• Write the running configuration to the configuration file with the write memory command:

Switch# write memory
Building configuration...
[OK]
Switch#

Erase IOS from Router

2009-01-30T10:37:00.000-08:00

Last day i check my router flash with the following command and i saw two ios in my flash:

Router_A(Config)# Show Flash
Output:

1 15689KB c2600_Ios_imzc200.bin
2 15689KB Copy_ios_2600

Now i think of removing the second ios from my router flash memory, so when i enter the following command

Router_A(Config)# Erase Flash:Copy_ios_2600

so this result in error, if i just give

Router_A(Config)# Erase Flash:

so it will erase the whole flash which i don't want, so after a short search i got my answer, so the command used for this is

Router_A(Config)# Delete Flash:Copy_ios_2600

Lets Never Stop Falling in Love

2009-01-29T08:45:00.001-08:00

Let's Never Stop Falling in Love

I wish a falling star could fall forever
And sparkle through the clouds and stormy weather
And in the darkness of the night
The star would shine a glimmering light
And hover above our love

Please hold me close and whisper that you love me
And promise that your dreams are only of me
When you are near, everything’s clear
Earth is a beautiful heaven
Always I hope that we follow the star
And be forever floating above

I know a falling star can’t fall forever
But let’s never stop falling in love

When you are near, everything’s clear
Earth is a beautiful heaven
Always I hope that we shine like the star
And be forever floating above

I know a falling star can’t fall forever
And let’s never stop falling in love
No let’s never stop falling in love

LiStEn....

2009-01-29T08:44:00.001-08:00

LISTEN

Have you ever just listened?
To the rain falling.
To the bees buzzing.
To the raidiators humming.
Just listen one time.
You'll be amazed at what you hear.
Your heart beating.
Your lungs breathing.
Listen to yourself.
And always stay true.
Listen to what your heart wants.
Then to what your head knows.
Listen to yourself.
And always stay true.

Something I am trying to do now-a-days. Something that if we do not do when needed life long regrets come into being. Something that's a blessing if we ponder. Something that is Hikkma. Something that is everything..
Something called "Listening"

poetry...

2009-01-26T10:53:00.000-08:00

ABC......

2009-01-26T06:48:00.000-08:00

Patch Pannel

2009-01-23T10:25:00.000-08:00

.htaccess Based Authentication On Subdirectories

2009-01-23T10:16:00.001-08:00

.htaccess files provides a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.

Note: we can call our .htaccess file something else, we can change the name of the file using the AccessFileName directive. For example, if you would rather call the file .config then you can put the following in your server configuration file:

$ vi /etc/httpd/conf/httpd.conf

In the file find out AccessFileName it will be .htaccess by default as show below so change it to any name that you want.

AccessFileName .htaccess

What you can put in these files is determined by the AllowOverride directive. This directive specifies, in categories, what directives will be honored if they are found in a .htaccess file. If a directive is permitted in a .htaccess file, the documentation for that directive will contain an Override section, specifying what value must be in AllowOverride in order for that directive to be permitted.

Here I assume that your DocumentRoot directory is /var/www/html but if you have VirtualHost configuration or even Apache is configured on some other root directory then you can adjust this according to your situation.

Note: I took three dummy directores test-dir1, test-dir2 and nsit.

1 Creating Directory:

$ cd /var/www/html

$ mkdir test-dir1

$ mkdir test-dir2

$ mkdir nsit

2 Test HTML File Creation:

Creating html file in first directory.

$ cd /var/www/html/test-dir1

$ cat > index.htm

I am unable to write the source code here as it not accepted so just make a test page with a single line "Test Page".

Creating html file in second directory.

$ cd /var/ www/html/test-dir2

$ cat > index.htm

I am unable to write the source code here as it not accepted so just make a test page with a single line "Test Page".

Creating html file in third directory.

$ cd /var/www/html/nsit

$ cat > index.htm

I am unable to write the source code here as it not accepted so just make a test page with a single line "Test Page".

3 Browsing Test Pages:

Now you can browse and test, whether the pages are available or not, by opening any web browser and access either through local host or through IP address, i will go for both and to access through IP we have to make a little change in the httpd.conf file and then we can access through IP, given is the line we include int the file.

ServerAdmin root@10.110.1.9

http://localhost/test-dir1/

This will display the first directory test page, and

http://localhost/test-dir2/

will display the second test page in test-dir2.

http://localhost/test-dir2/

will display the third test page in nsit.

OR

http://10.110.1.9/nsit

it should display the nsit page.

http://10.110.1.9/test-dir1

it should display the nsit page.

http://10.110.1.9/test-dir2

it should display the nsit page.

If you are able to see all three pages, it means that we are almost done with the work.

4 .htaccess File Creation:

$ cd /var/www/html/test-dir1

$ vi .htaccess

Write the following lines into this file:

AuthName "Authorized Users Only."

AuthType Basic

AuthUserFile /etc/httpd/conf/.htpasswd

require user testusr

Now I will explain, what magic lines we have written in this file:

AuthName parameter just defines the title of the password entry box when the user logs in, while the AuthType tells the server what sort of processing is in use, and Basic is the most common and perfectly adequate for almost any purpose. AuthUserFile is used to define the .htpasswd file location, this files contains the password of the user who is going to be authenticate in .htaccess file. require user is used to identify the trusted user, if there are more than one trusted user, then you can specify their names in a space saparated list.

Now to make test-dir2 protected by .htaccess, we need to copy it from test-dir1 to test-dir2 and nsit with the following command:

$ cp /var/www/html/test-dir1/.htaccess /var/www/html/test-dir2/

$ cp /var/www/html/test-dir1/.htaccess /var/www/html/nsit/

5 User Creation:

Here we will create a test user to check our .htaccess

$ adduser sohail

$ passwd sohail

6 Telling Apache About Users:

Now we have to inform Apache about the user and its password, but before going into this step there is a social duty on me i.e. to explain both RPM and source Apache installation difference. :) If you have installed Apache from RPM then it will install all related commands in your /usr/local/bin, so no problems, you can give htpasswd command anywhere in your system, but if you have installed Apache from source then you have to find the Apache bin directory to execute the htpasswd command. In this HowTo I will give both ways, here it is:

$ htpasswd -c /etc/httpd/conf/.htpasswd sohail

The above command will work if you have htpasswd in your /usr/local/bin and it happens if you install Apache from RPM. /etc/httpd/conf/.htpasswd is the location of file that will contain the authenticated/trusted user password.

OR

$ cd /apache/bin/

$ ./htpasswd -c /etc/httpd/conf/.htpasswd sohail

The above commands correct if you have installed Apache from the sources, $ cd /apache/bin can be adjusted according to your system, as maybe you have installed it somewhere else.

7 .htpasswd File Permission:

We need to set the file permission of the .htpasswd file and make the apache user the owner of this file.

$ chown apache.apache /etc/httpd/conf/.htpasswd

8 Editing httpd.conf:

Now we have to edit the httpd.conf, as Apache needs to be informed about .htaccess, here we will change AllowOverride All | none to Authconfig, now there are two cases, one if you are hosting just one site and other if you are having VirtualHost, here is the First Case:

In this case you, we have only one Directory tag in httpd.conf file as we are hosting just one site, so we will edit the tag for /var/www/html.

Directory "/var/www/html"
AllowOverride AuthConfig
Order allow,deny
Allow from all
/Directory

Now for second case, when we have several sites hosted, i.e. VirtualHost:

VirtualHost www.cbtcandy.org
DocumentRoot /var/www/html/cbtcandy
ServerName www.google.com
Directory /var/www/html/google

AllowOverride AuthConfig
Order allow,deny
Allow from all
Options -Indexes
/Directory
/VirtualHost

NOTE:I am not using less than and greater than sign (<, >) with the code above as not here html code is not accepted, so pardon for that.

9 Restarting Apache:

Now you have to restart the Apache server to reload the configuration.

For RPM based system:

$ service httpd restart

For source based system, adjust your Apache's bin directory path.

$ /apache/bin/apachectl restart

10 Testing:

Now everything is ready to be tested, again open your favourite browser and try to open the following links:

http://localhost/test-dir1/

and

http://localhost/test-dir2/

and

http://localhost/nsit

OR

http://10.110.1.9/test-dir1

and

http://10.110.1.9/test-dir2

and

http://10.110.1.9/nsit

Note: When you browse these linksyou will be asked for the username and password, once you provide them it will take you to the test page. But once you log in to one directory it will not require the username and password for the other test directory, as Apache will not ask for the username and password again and again for directories equal in level or subdirectories. So once you are authenticated the child and parallel directories are open to use. But if you still want to check them then use links text based browser, that is what I do for checking them.

CCIE Rack

2009-01-22T11:55:00.001-08:00

Server Room

2009-01-22T09:42:00.000-08:00

ComPlEtE RaCk

2009-01-22T09:40:00.000-08:00

CCNA: Career Changer Chef to Tech!

2009-01-20T19:07:00.000-08:00

Lucky Day......December 31st 2008

2009-01-19T11:09:00.000-08:00

I was looking for a job in Peshawar, one day when I was moving to perform Juma prayer so as I turn in a street in abdara chowk Peshawar, a man give me an advertisement in my hand that he was suppose to distribute among students and shows different course like (CCNA, Oracle, firewall, Peach Tree etc), when I saw I was supposed to throw because all the courses like (CCNA, CCNP, PixFirewall) I have done with and I was looking for a job not to learn more courses, but my friend (Khushdil) with me told me to give it to me so after two minutes I realize that why should I not apply to this institute (Comdex System) as a teacher of Cisco Courses I was thinking and the day ends.
After two days I was sitting in my home and suddenly saw that advertisement on a table I took that and call the head of that institute (Mr. Arif) and said that I want to offer my services as a Cisco Teacher in your institute so he said me to bring your CV and meet me….now can u imagine I said I am not free so can I send it tomorrow to you through e-mail. Now on the very next day my Aunty Passed Away (Very Shocking Movement for me), so I spend almost three days there, on the fourth day I send my CV to him. Now after one day he call me to meet and I went, so the discussion was good and he said that I will offer you 40% of each student fee and when there is a class I will tell you, again I was so depressed and went home.
The very Luck day that was December 31st, 2008 he call me to start CCNA class at 01:00 clock and on December 31st , 2008 the lucky day for me I start my career for the first time as a Professional.
Now I am enjoying my professional career and have more that two classes and finished a crash course to a student and also to one of my friend.

My Reloaded Ideal Teacher

2009-01-19T10:35:00.000-08:00