Tuesday 26 January 2010

Cisco Announced Changes in CCNP Exam





Cisco has removed almost every topic from ONT and ISCW and added a new Troubleshooting exam. The new CCIE also includes a 2-hour CCIE troubleshooting lab that focuses on routing and switching with a few other topics.


These changes put greater emphasis on troubleshooting. This revision results in 3 exams replacing the old 4 exams.

# 642-902 Route
Implementing Cisco IP Routing
120-minute exam
Fee: $200

# 642-813 Switch
Implementing Cisco Switched Network
120-minute exam
Fee: $200


# 642-832 TSHOOT
Troubleshooting and Maintaining Cisco IP Networks
120-minute exam
Fee: $200


Additional switching topics include:
  • PVST and 802.1w RSTP
  • Network monitoring in high availability
  • Integrating WLAN

Additional routing topics include:

  • EIGRP across HDLC, Frame Relay, MPLS, VPN, and MPLS virtual circuits
  • Implement alternative path control
  • Implement IPv6




ONT and ISCW will be retired on 31 July. The good news is that if you finish CCNP before 31 July, your ISCW and ONT exams count.

If you cannot finish by then, your ISCW and ONT exams will not count toward your CCNP certification.






Special Beta Offer for CCNP TSHOOT Exam

The new CCNP TSHOOT certification exam will first be available as a beta exam; candidates can register for and take the beta (#643-832) from February 16 through March 26, 2010. To encourage beta testers, Cisco will provide the TSHOOT beta exam free of charge to the first 150 candidates who complete it (use the promo code TSBETA when registering).

So guys, what do you think?



Some helpful links

https://learningnetwork.cisco.com/docs/DOC-6550

http://tools.cisco.com/cmn/jsp/index.jsp?id=96573&redir=YES&userid=%28none%29

Wednesday 20 January 2010

Authenticating VPN user from Active Directory




Hi guys, today we are going to discuss how to set up a remote-access
VPN connection between remote clients / mobile users / Cisco VPN
clients (these are all the same thing) and an ASA 5500, authenticating
users against Active Directory using a Microsoft Windows 2003 IAS server
(which is the Microsoft RADIUS server).


IPsec is configured in this example with these considerations:

The crypto map is applied on the outside interface of the ASA appliance.

Xauth (extended authentication) of VPN clients happens against RADIUS (the IAS server on Windows 2003).


DNS (1.1.1.11) and the Windows 2003 IAS server (1.1.1.10) sit on the inside.



Here we go

interface Ethernet0
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0


name-server 1.1.1.11

domain-name itpeopleworld.com


# Create a pool of addresses for dynamic assignment to remote VPN clients

ip local pool vpnclient 1.1.1.200-1.1.1.250


# NAT for inside hosts; the global address depends on your scenario

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 x.y.z.a


# Add appropriate "route inside" and "route outside" statements depending
# on the network layout.


# Now create an AAA server group named "vpn" using RADIUS, add the MS 2003
# IAS server as a member of this group, and set the shared secret, which
# is "cisco" in our case (it must match the IAS side exactly, including case)


aaa-server vpn protocol radius
aaa-server vpn host 1.1.1.10
key cisco

# Now create the VPN group policy and specify the DNS server address and
# domain name

group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
dns-server value 1.1.1.11
default-domain value itpeopleworld.com


# IPsec (phase 2) configuration: a transform set specifying the encryption
# type and hash algorithm

crypto ipsec transform-set myset esp-des esp-md5-hmac


# Dynamic crypto map

crypto dynamic-map mydmap 10 set transform-set myset


# Enable RRI (reverse route injection)

crypto dynamic-map mydmap 10 set reverse-route

# Bind the dynamic map to an ISAKMP crypto map entry (the map name must
# match the one applied to the interface below)

crypto map mymap 10 ipsec-isakmp dynamic mydmap



# Now specify the interface to which the crypto map is attached

crypto map mymap interface outside



# ISAKMP (phase 1) config is as under


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000


# Create a new tunnel group. The security appliance provides a default
# tunnel group for remote access (DefaultRAGroup), but here we use our
# own group

tunnel-group mygroup type ipsec-ra
tunnel-group mygroup general-attributes
address-pool vpnclient
authentication-server-group vpn
default-group-policy VPNPOLICY

# (the server-group name is case sensitive and must match the aaa-server
# group defined above)


# Enter the pre-shared key to configure the authentication policy


tunnel-group mygroup ipsec-attributes
pre-shared-key xyz
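As an added example (not code from the original post), here is a small Python checker that parses an ASA remote-access config like the one above and flags dangling cross-references between pool, AAA group, group policy, transform set, dynamic map and crypto map names (which are case sensitive), plus weak algorithms such as DES and MD5. The embedded sample config is constructed from this post, with the crypto map name deliberately mismatched and the AAA group referenced in the wrong case so there is something to catch.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the post's config: the crypto map entry is
# named 'maymap' but 'mymap' is bound to the interface, and the AAA group
# 'vpn' is referenced as 'VPN'.
SAMPLE_CONFIG = """\
ip local pool vpnclient 1.1.1.200-1.1.1.250
aaa-server vpn protocol radius
group-policy VPNPOLICY internal
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mydmap 10 set transform-set myset
crypto map maymap 10 ipsec-isakmp dynamic mydmap
crypto map mymap interface outside
isakmp policy 10 encryption des
tunnel-group mygroup general-attributes
 address-pool vpnclient
 authentication-server-group VPN
 default-group-policy VPNPOLICY
"""

WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
REF_CMDS = {"address-pool": "pool", "authentication-server-group": "aaa",
            "default-group-policy": "policy"}


def check_asa_ra_config(config: str) -> List[str]:
    """Return findings: dangling name references and weak crypto choices."""
    defined: Dict[str, Set[str]] = {k: set() for k in ("pool", "aaa", "policy", "ts", "dmap", "map")}
    refs: List[Tuple[str, str, str]] = []   # (kind, name, offending line)
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        w = line.split()
        if not w:
            continue
        if line.startswith("ip local pool "):
            defined["pool"].add(w[3])
        elif w[0] == "aaa-server" and "protocol" in w:
            defined["aaa"].add(w[1])
        elif w[0] == "group-policy" and w[-1] == "internal":
            defined["policy"].add(w[1])
        elif line.startswith("crypto ipsec transform-set "):
            defined["ts"].add(w[3])
            findings += [f"weak transform '{a}' in '{line}'" for a in w[4:] if a in WEAK]
        elif line.startswith("crypto dynamic-map ") and "transform-set" in w:
            defined["dmap"].add(w[2])
            refs.append(("ts", w[w.index("transform-set") + 1], line))
        elif line.startswith("crypto map ") and "dynamic" in w:
            defined["map"].add(w[2])
            refs.append(("dmap", w[-1], line))
        elif line.startswith("crypto map ") and len(w) > 3 and w[3] == "interface":
            refs.append(("map", w[2], line))
        elif w[0] in REF_CMDS:
            refs.append((REF_CMDS[w[0]], w[1], line))
        elif w[0] == "isakmp" and len(w) == 5 and w[4] in WEAK:
            findings.append(f"weak isakmp {w[3]} '{w[4]}' in '{line}'")
    # Resolve every reference against the names actually defined
    for kind, name, line in refs:
        if name not in defined[kind]:
            hint = " (case differs; ASA names are case sensitive)" if name.lower() in {d.lower() for d in defined[kind]} else ""
            findings.append(f"undefined {kind} '{name}' referenced by '{line}'{hint}")
    return findings
```

Running `check_asa_ra_config(SAMPLE_CONFIG)` reports the unbound crypto map, the mis-cased AAA group and the DES/MD5 choices; a config with consistent names and stronger algorithms returns an empty list.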




**********************************

Now go to the VPN client application

Start > Programs > Cisco VPN Client

Click New to create a new connection


Under Host, give the outside interface IP address, which is 10.10.10.10
in our case

Under the Authentication tab, select the Group Authentication radio button

Name = mygroup
Password = xyz

That's it. Now connect, and it will prompt for one more username and
password, which is the account held on the Windows 2003 IAS server


Microsoft Windows 2003 Server with IAS Configuration

Complete these steps to configure the Microsoft Windows 2003 server
with IAS.

First install IAS from Control Panel > Add/Remove Programs.

Select Administrative Tools > Internet Authentication Service, then
right-click RADIUS Clients to add a new RADIUS client.

Give it a name and the IP address 1.1.1.1 (the ASA inside interface),
set Client-Vendor to RADIUS Standard, and enter the shared secret, cisco
(it must match the "key" configured on the ASA exactly, including case).



Go to Remote Access Policies, R.C (right-click) on Connections to
Other Access Servers, and select Properties. Ensure Grant Remote
Access Permission is selected.


Click Edit Profile and check:



Under the Authentication tab, check Unencrypted authentication (PAP,
SPAP), MS-CHAP, and MS-CHAP-v2.

Under the Encryption tab, ensure that the option for No Encryption is
selected.



Go to Administrative Tools > Computer Management > System Tools >
Local Users and Groups, R.C on Users and select New User to add a
user to the local computer accounts.

I hope I don't need to mention how to create a user. If you feel that
you need this type of help, then go to "Learn windows for extreme
Dumps.com". Thanks for visiting.


One thing I would suggest: on the user's Properties screen, under the
General tab, ensure that Password never expires is selected.

Under the Dial-in tab, select Allow access.



Here is one way to test whether the ASA is communicating with the IAS
server or not (using the aaa-server group "vpn" and the IAS address
1.1.1.10 from the config above):


test aaa-server authentication vpn host 1.1.1.10

It will ask for a username and password; give the username and password
that you just created on the IAS server.


And one last thing, don't forget

debug crypto isakmp

for troubleshooting.

Tuesday 19 January 2010

Cisco CCIE Mobile Labs Save Time and Expense



CISCO CCIE R&S and SECURITY



Mobile labs for Cisco CCIE Routing and Switching and CCIE Security lab exams provide a more convenient testing alternative to extensive travel for individuals in countries without permanent testing facilities.

Upcoming mobile labs are planned for:

Chicago, January 25-29;

Moscow, February 8-12;

Riyadh, Saudi Arabia, March 6-10;

Johannesburg, South Africa, April 19-23



Cisco has introduced the mobile lab program to provide candidates greater access to Lab testing while greatly reducing travel time and expenses.

Mobile CCIE Labs provide a convenient and cost-effective method for candidates to test for CCIE Routing and Switching and CCIE Security in areas which do not have permanent lab locations.

Saturday 16 January 2010

IPS (Intrusion Prevention System) Comparison



A network intrusion prevention system can detect and block attacks and can act as a patch shield for information systems.

The network IPS market continues to mature and evolve from what was considered the intrusion detection system (IDS) market several years ago.

Most vendors in the market issue vulnerability-facing IPS signatures within 24 hours of a patch release, which is habitually faster than an enterprise's ability to patch its systems before it is too late. For this reason IPS signatures never really go away, and the ability of IPS boxes to maintain wire speed with a large signature database is critical.

I am considering IPS products on the basis of true IPS features, which are as under:

Performs packet normalization and inspection; for example, the Cisco normalization engine collects TCP fragments and reassembles them prior to inspection

Wire-speed performance when running in inline mode, without causing a performance bottleneck

Can perform multiple actions on packet streams, such as anomaly analysis, signature analysis, scanning and behaviour analysis

Not only resets abnormal sessions but also drops them

Rate-limiting capability and QoS to some extent (optional)


Here we go with the comparison; I am not going to be prejudiced during my comparison


Check Point Software

A well-established security company, well known for its firewall products. IPS-1 sensor appliances range in price from $7,000 to $115,000 and in in-line performance from 50 Mbps to 2000 Mbps.


Strengths

IPS-1 can be considered by customers that are already running Check Point devices or already have a relationship with the vendor, or because of SmartDefense (which provides intrusion prevention capabilities integrated into Check Point products; SmartDefense also helps to minimize threats by providing defences that can be used before vendor-supplied patches become available or are fully installed throughout a network).


Check Point is committed to adding more resources to IPS R&D to produce a better and more advanced product in the market in the next couple of years.

The appliance operating system is the same as that used in Check Point firewalls, and it is fast and powerful.

In April 2009 Check Point purchased Nokia's security appliance business, which could give it a good future path in the IPS appliance market.


Weaknesses

IPS-1 cannot be managed together with other Check Point appliances in a single SmartCenter console.


Check Point's strategy for IPS is unclear.

IPS-1 deployment across the globe is limited.





Cisco Systems

Cisco has different flavours of IPS, ranging from standalone appliances to the IDS services module switch blade; Cisco has also introduced an add-in hardware module for the ASA series firewall and software-based IPS within IOS-based routers. After the acquisitions of IronPort in mid-2007 and Protego Networks, Cisco now has email, web and behaviour-analysis products that can be used with its IPS products.



Strengths

Cisco offers a wide range of intrusion prevention choices.

Cisco has global support and a broad geographic hold.

Has recently introduced the free IPS Manager Express, which can monitor up to 5 devices.

The risk rating feature can be adjusted based upon alert factors.

Cisco is one of the top 5 vendors according to market share in 2008.


Weaknesses

The Cisco IPS Device Manager console is not as good as those of the leading IPS products (though CS-MARS can address some shortcomings, it is an expensive option).

The risk rating feature needs an experienced administrator to tune.

Though Cisco has made a lot of improvement in signature quality during the last 12 months, it is still an issue.


Juniper Networks

Juniper has a good history in security products based on the NetScreen acquisition in 2002. Its Intrusion Detection and Prevention (IDP) appliance has four models running on a Linux kernel. IPS is also available in the ISG firewall and SRX. The current challenge for Juniper is to migrate all products using ScreenOS and Linux to JUNOS.


Strengths

It is one of the top 5 vendors according to market share in 2008.

Satisfied customers, and outstanding post-sales support.

Juniper IDP supports the highest number of virtual IPS instances.


The Juniper console and NSM are considered competitive.



Weaknesses

During the past couple of years IDP has had less visibility in the market, because Juniper has made advances in different fields, basically focused on competing with Cisco.

The JUNOS operating system needs to maintain a low rate of vulnerabilities across all products.

JUNOS does not have reputation feeds from web security gateways and email security.



McAfee IntruShield

McAfee is a well-known security brand, and it has made considerable investment in hardware security products. Recently the IntruShield product was renamed McAfee Network Security Platform. McAfee has also recently acquired Secure Computing.

Strengths

High throughput, making it an ideal product for enterprise networks

Preferred product for companies already running McAfee security products like ePO and NAC

One of the top 5 vendors in the market producing IPS appliances

Weaknesses

Well known mainly for host-based security products.

The acquisition of Secure Computing may divert some resources





...................... To be continued

Friday 8 January 2010

Solarwinds Certified Professional

Network Management Certification


Solarwinds has launched a network management certification called SCP (Solarwinds Certified Professional) covering 5 main topics.

Network Management Fundamentals


Use and explain network management protocols (e.g. SNMP, SNMP Traps, Syslog, ICMP, NetFlow, etc.)



Leverage MIBs, OIDs, and WMI performance counters to diagnose and troubleshoot network problems


Network Management Planning


Translate business requirements into monitoring needs, thresholds, and Orion NPM configurations

Design a reporting system that meets the needs of the various stakeholders


Determine monitoring scope and impact on the network

Determine the impact of network topology on monitoring

Network Management Operations


Network Fault and Performance Troubleshooting


Orion NPM Administration



Well guys, I have given the exam and passed it. Don't underestimate the exam: 77 questions, but it's not as easy as pie, and try to cover every aspect of NPM that you can. Don't forget to go through the Geek videos.

Remember the difference between SNMP v1 and v2 is GetBulk, as SNMP v2 is scalable.

Calculate bandwidth from the octets given on an interface. For example, sampling shows 44,000,000 octets in 5 minutes and you have to calculate the bandwidth:
44,000,000 * 8 = 352,000,000 bits; 352,000,000 / (60*5) = 1,173,333 bps
1,173,333 / 1024 = 1,146 Kbps
1,146 / 1024 = 1.12 Mbps
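As an added example (not from the original post), the bandwidth calculation above in Python, extended with the Counter32 rollover correction an NMS has to apply between two SNMP polls, and a utilisation figure that shows why a wrong interface speed setting produces the over-100% readings mentioned further down. The function names and the 1 Mbps / 10 Mbps speeds are assumptions chosen for illustration.

```python
COUNTER32_WRAP = 2 ** 32   # SNMP Counter32 (ifInOctets/ifOutOctets) rolls over here


def octets_delta(prev: int, curr: int, wrap: int = COUNTER32_WRAP) -> int:
    """Octets moved between two polls, correcting for one counter rollover."""
    if curr >= prev:
        return curr - prev
    return (wrap - prev) + curr      # counter wrapped past 2^32 since last poll


def bandwidth_bps(octets: int, seconds: float) -> float:
    """Average bit rate over the polling interval: octets * 8 / seconds."""
    return octets * 8 / seconds


def utilization_pct(bps: float, interface_speed_bps: int) -> float:
    """Utilisation relative to the speed the NMS believes the interface has."""
    return 100.0 * bps / interface_speed_bps


def scp_worked_example() -> dict:
    """The post's numbers: 44,000,000 octets sampled over 5 minutes."""
    bps = bandwidth_bps(44_000_000, 5 * 60)
    return {
        "bps": bps,                             # 1,173,333 bps
        "kbps_1024": bps / 1024,                # 1,146 Kbps, as on the page
        "mbps_1024": bps / 1024 / 1024,         # 1.12 Mbps
        "mbps_1000": bps / 1_000_000,           # 1.17 Mbps with SI units
        # assumed 10 Mbps link: a stale 1 Mbps "bandwidth" value on the NMS
        # reports more than 100% utilisation until the interface is customised
        "util_wrong_speed": utilization_pct(bps, 1_000_000),
        "util_right_speed": utilization_pct(bps, 10_000_000),
    }
```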

Don't cram it.

UDP port 514 (syslog)

Account limitations and view limitation by filters

SNMP ports 161 and 162

Guys, don't forget to have a look at the UnDP Geek Speak; there are loads of questions on this

An interface is showing more than 100% utilization, so you have to customize the bandwidth of the interface

Some Cisco commands: how to configure SNMP, and why the NMS can get SNMP traps but cannot poll data.

Most of the time the questions end up with ICMP being blocked by firewalls

Due to some recent changes the network started responding slowly


Some report generation related questions; remember where to generate reports

How to set up view limitation filters

What things we can set up in System Manager

Due to a huge number of syslog messages the DB size is increasing, so you have to delete unwanted logs

Due to budget constraints you cannot upgrade hardware; what would you do? I selected to change to a less frequent polling interval

SSH is the most secure

Port 69 is for TFTP; if any firewall blocks it, it means your NMS cannot do something related to IOS updates.

Remember port 443 is for HTTPS-based access

Have a look at transform in UnDP



I have just received this mug and certificate. It's good.



To be continued; as soon as I remember any other tips I will update it



BREAKING THE PASSWORD OF CISCO ROUTERS WITHOUT LOSING THE REST OF THE CONFIGURATION




Step 1:
Switch off the router and then switch it on again after some time. Within the first few seconds of booting, press CTRL+Break.
The router will enter ROM Monitor mode.

Rommon1>

Step 2: In ROM Monitor mode, change the configuration register to 0x2142 so that the startup configuration file is ignored on boot

Rommon1>confreg 0x2142

Rommon2>b (to initiate the boot sequence)

On booting the router will enter setup mode:
Would you like to enter the initial configuration dialog? [yes/no]:

Step 3:
Don't select any option (yes or no); just skip setup mode by pressing CTRL+C. The router will now enter user EXEC mode

Router>

Step 4:
Enter privileged mode and copy the startup configuration file to RAM (running-config). Note that after this copy the interfaces are administratively down and need a "no shutdown" before the router passes traffic again.

Router>enable

Router#copy startup-config running-config

Step 5:
Change the enable secret (or whatever password you want to change) and then save the configuration to NVRAM

Router#configure terminal
Router(config)#enable secret Cisco
Router(config)#end

Router#wr

Step 6:
Don't forget to change the config-register value back to the default

Router#configure terminal
Router(config)#config-register 0x2102
Router(config)#end


The procedure is quite useful in case someone has lost the password and wants to reset it without affecting the rest of the configuration.

Saturday 2 January 2010

Some Life Lesson, HAPPY NEW YEAR ..... All the best

The Mayonnaise Jar

When things in your life seem almost too much to handle,
when 24 hours in a day is not enough,
remember the mayonnaise jar and 2 cups of coffee.

A professor stood before his philosophy class
and had some items in front of him.
When the class began, wordlessly,
he picked up a very large and empty mayonnaise jar
and proceeded to fill it with golf balls.

He then asked the students if the jar was full.
They agreed that it was.

The professor then picked up a box of pebbles and poured
them into the jar. He shook the jar lightly.
The pebbles rolled into the open areas between the golf balls.

He then asked the students again if the jar was full. They agreed it was.

The professor next picked up a box of sand and poured it into the jar.
Of course, the sand filled up everything else.
He asked once more if the jar was full. The students responded with a unanimous 'yes.'

The professor then produced two cups of coffee from under the table and poured the entire contents into the jar,
effectively filling the empty space between the sand. The students laughed.

'Now,' said the professor, as the laughter subsided,

'I want you to recognize that this jar represents your life.

The golf balls are the important things: family, children, health, friends and favourite passions. Things that, if everything else was lost and only they remained, your life would still be full.

The pebbles are the other things that matter, like your job, house and car.

The sand is everything else, the small stuff.

'If you put the sand into the jar first,' he continued, 'there is no room for the pebbles or the golf balls. The same goes for life.

If you spend all your time and energy on the small stuff, you will never have room for the things that are important to you.

So...

Pay attention to the things that are critical to your happiness.

Play with your children. Take time to get medical checkups.

Take your partner out to dinner.

There will always be time to clean the house and fix the disposal.

'Take care of the golf balls first,
the things that really matter.

Set your priorities. The rest is just sand.'

One of the students raised her hand and inquired what the coffee represented.

The professor smiled. 'I'm glad you asked.

It just goes to show you that no matter how full your life may seem,
there's always room for a couple of cups of coffee with a friend!'

Please share this with other "Golf Balls"