Wednesday, 21 December 2011
show run sec class-map
show run sec policy-map
sh run sec router
sh run sec crypto
sh run inc ip access-group
sh run inc ip local
sh run inc ip policy
sh run inc service-policy
sh run inc ip access-group
sh run inc vlan filter
Friday, 16 December 2011
Mind that ISL trunk will not work between Cisco and HP because it is Cisco proprietary protocol. The trunk between a Cisco and HP Procurve switch must be 802.1q I rarely see ISL in use these days, and I personally consider 802.1q the preferred method of encapsulation if for no other reason than its interoperability.
Once you have configured all of the required VLANs (I hope I don’t need to explain how to configure VLANS) now configure the trunk on the Cisco switch in fa0/48 is our trunk port connected to HP ProCurve using the following commands:
Cisco3560(config)# interface fa0/48
Cisco3560(config-if)#switchport mode trunk
Cisco3560(config-if)# switchport trunk allow vlan 1,2,3
In this example I am using three VLANS Vlan 1 , 2, and 3
Here interface Fa0/48 is the trunk port on the Cisco switch.
Procurve switches, can have a VLAN either tagged or untagged on any particular port as shown in the configuration below.
Now we have enabled trunk interface between HP and Cisco for Vlan 2 only, trunk will not carry any traffic a part from Vlan 2 in order to allow Vlan 3 traffic on Trunk we need to setup port 48 in HP switch as tagged port for Vlan 3 (Clear as MUD.. !!!!)
Key point you have to setup uplink port 48 in our case on HP as tagged port for all the vlan that will pass through the trunk.
Now test connectivity between two hosts that are in the same VLAN i.e Vlan 2 , but on different switches. As you have learnt, configuration of 802.1q trunks between Cisco and HP Procurve switches is not a rocket science . if its not working double check the config and every thing should be fine.
Thursday, 15 December 2011
I am sharing here some terminologies and command differences , I hope they would be helpful
HP aggregated interfaces are called trunks and Cisco it is EtherChannel.
The confusion arises because term trunk is used differently in Cisco and HP. In Cisco trunk is an interface that is configured to support 802.1Q (VLAN). which is configured to support multiple VLANs is called a trunk however in HP Prociurve operating system, an interface that supports multiple VLANs is tagged.
Remeber these guidelines
An “access port” on Cisco is an “untagged port” on HP ProCurve.
A “trunk port” on Cisco is a “tagged port” on HP ProCurve.
A “port channel” on Cisco is called a “trunk” on HP ProCurve.
A Cisco "Access port" is "untagged" in HP Procurve
Trunking from the ProCurve side is meant to aggregate multiple ports together, while on Cisco it is meant to transport multiple VLANs over one port.
Link aggregation on the Cisco side is called “channeling"
*****Some main Hints and Tips******
Pay attention to multi-VLAN ports.
Make sure that the native VLAN on the Cisco trunk is the untagged VLAN on the ProCurve tagged port.
Ensure that the same VLANs are allowed and configured on both sides.
Remember that, unlike with Cisco, BPDUs (spanning tree, LLDP, and LACP) are not attached to the untagged port or any VLAN on HP ProCurve
To combine Cisco and HP ProCurve spanning tree networks, MSTP can be run on the Cisco devices, or PVST Cisco networks can be combined with MSTP HP ProCurve networks, I am running PVST on Cisco network and I added couple of HP Procurves with RSTP and didn't caused any problem, make sure you modify the priority at HP or cisco as per requirement.
Cisco supports Hot Standby Router Protocol (HSRP), and HP ProCurve supports Virtual Router Redundancy Protocol (VRRP), during migration ensure that both cores are from the same
vendor, whether HP ProCurve or Cisco. If you replace one core, replace the other at the same time.
Finally Routing Protocol HP doesn't support Cisco proprietary routing protocols.
There are some minor differences to consider between the two different OSPF implementations:
- Cisco OSPF is enabled with network statements globally.
- HP ProCurve OSPF is enabled within the VLAN context.
- There are redistribution differences.
- HP ProCurve is always non-broadcast multiple access (NBMA).
- Cisco uses the highest loopback IP address for router ID, while HP ProCurve devices typically use the lowest.
- With HP ProCurve, the loopback is always /32 mask.
- With HP ProCurve, the OSPF link cost is “1” by default.
Tuesday, 6 December 2011
I and my friends have recently gone though some interviews processes, last night we thought to share our experience to help others.
Below are top tough interview questions that you may face, there is no obvious right answers that is aimed to highlight your abilities and strengths.
1. Describe your self.
It is definitely not an invitation to give your life history they are not interested in this. You should aim to describe the kind of person you are in a couple of minutes at most. Concentrate on positive qualities, and link them to the key responsibilities of the job you're applying for.
2.What do you enjoy most in your current job?
It is tricky question he actually wants to know what you don’t link in this job. The key is that you like everything about your job. Pick some part of current job that matches new job for which you are interviewed fro.
3. What do you feel you can bring to this job?
This is another question that gives you a chance to shine. You need to link your past experience or skills to the requirements of the job. Pick up to three key strong points in your favour that are relevant to this job.
4. What is your biggest weakness?
Huummm!!! it is hard and very easy at the same time depending if you are prepared for it or not, I always answer 'I'm useless at getting round to household jobs - changing light bulbs and fixing leaky taps. Avoid giving any weakness like I don’t like taking OrdersJ. Then why you are here start your own business.
5. What is your goal or what you want to do in next 5 years time?
Explain your career aligned with the role you are applying for, don’t tell about your dreams :)
6. Why you think you are the right Candidate for the role? Being on harsh end it can be asked as Convince me to hire you.
This question need some preparation and company research, interviewer is looking for any one candidate who have same goals as the company have.
7. Tell me about how you work as part of a team?
Employer want to know how well you work as a part of team , explain you can work on your own or with any one else , you are a self starter , good time management skills .
Wednesday, 16 November 2011
There is a lot of confusion among the networkers what is the main difference between Cat 5 E and Cat 6 cables.
Cat5e cable run near gigabit speed (With any above normal noise or substandard equipment you can see performance drop), it just cannot be "certified" for this use. Howevre Cat 6 cable is designed especially for gigabit use, and is certified to operate at said speed despite of some noise and abnormalities.
Main difference between Cat 5e and Cat 6 cable is transmission performance and available bandwidth as Cat 5 support 100 MHZ and Cat 6 Support 200 MHZ
These will provide better signal-to-noise ratio, allowing higher reliability for current applications and higher data rates for bandwidth intensive applications.
When implementing Cat 6 make sure you are using appropriate connectors to achieve best performance.
I have learnt from difference resources there is not standard for Cat6 cabling however there is approved standard for Cat 6 cabling which is ANSI/TIA-568-B.2-1
There is one new standard for Cat 6A which will support 10 Gbps and can support up to 500 MHZ.
Thursday, 3 November 2011
Thursday, 13 October 2011
Stop unwanted social networking websites in 3 simple steps
1. Create a class-map to match
class-map match-any SOCIAL_NETWORK
match protocol http host "www.youtube.com"
match protocol http host "www.facebook.com"
match protocol http host "www.twitter.com"
match protocol http host "*facebook*"
match protocol secure-http host "www.youtube.com"
match protocol secure-http host "www.facebook.com"
match protocol secure-http host "www.twitter.com"
match protocol secure-http host "*facebook*"
2. Create a policy-map to instruct what to do with the traffic.
3. Apply the policy on teh required interface
service-policy output DROP_SOCIAL_NET
Wednesday, 21 September 2011
As my company is looking to deploy the wireless solution and I have been struggling for last couple of months to get my head round with the terms and different architecture / Solution that are vendor specific, but what you need to look for to avoid any confusion during the stage of evaluation or POC.
There are many wireless vendors in the market, leaving you with a tough decision which ones to recommend and which are ideal for higher end, enterprise-wide solutions that can support VOIP , Video and all those new technologies.
Soooo what we need to look for In wireless solution Ok !! here we go stick with three main things ... that we need in wireless solution once you stick with them start learning the terms i will mention at the end of the post. then you are good to go with any vendor and discus what they offer you .
The main challenges in wireless are
- Capacity (how many users can connect)
- Throughput (how much speed you can offer to all the active users)
As per existing market roughly all access points support all set of frequencies the main are 2.4 Ghz and 5 Ghz to memorize i use to draw it something like that
2.4 Ghz = B , G , N
However 5 GHZ gives you A with 54 Mbps and N 300/450 Mbps
Key point :- 2.4 has 3 x non mapping channels like 3 lane motorway and 5 Ghz have 20 non mapping channels how ever some vendors use 9 out of those 20 channels , however some even use 16 channels , so you must look for 5 ghz support in your network.
Key point :- when you go and buy for any wireless product and if it says it support ABGN then it supports 5 GHZ if it says B,G,N yes , It supports N but it supports N on 2.4 Ghz , (remember 3 Lane motorway no future proofing)
Now lets discuss about wireless Architecture.
- Single channel Approach
- AP controller based
single channel one speak other just shut up result in Less bandwidth , Only One channel , and No interference as there is only one channel .
AP / Controller based , I am not going to comment, you have to ask vendor supporting this if you have 100 Devices going through the controller how it will share the bandwidth ? , what effect it will make if you enable WPA2 , i.e if 1 have 2 controllers and 100 AP's and every AP have 10 users how much bandwidth it can practically give to each user with WPA2 enabled (we don't forget about security in wireless), if it is sufficient for your existing and future VIOP and video we don't have any problem.
Distributed approach , I would just like to say intelligent AP have every functionality happening on the AP , built in encryption engine and i would say it can easily tick all your boxes about coverage , Capacity and throughput
Now come to the first thing (HUH what we were doing above then !!!! Cmon it was just theory real work starts here)
Survey. - when doing survey you need to very clear what SNR (Signal to Noise ratio) you want to live with , dont let the Vendor or surveyor trick you saying this area is covered see you can see the signal , yes but what is the dBM here mind that - 80 dBm will be dead for you you cannot communicate , there are couple of papers suggesting stick with -70 dBm and some say 76 Depending upon your requirement .
Key point:- Here is one more trick while you are doing survey do the survey for 2.4 and 5 both dont get robbed again . 5 GHZ wave is differnt then 2.4 so it have more impact if it hit something. i.e 2.4 covergage with -70 dBM need 10 AP's however it will not give same cover on 5 Ghz.
Some AP have 2 antennas one feeding you 2.4 and other 5 ghz normally known as dual band AP.
Look for Licences cost for controller with regards to AP count.
One last point if wireless vendor say its 300 Mbps it is not 300 Mbps full duplex , It is just marketing figure , your Ethernet LAN is 100 Mbps full duplex which will make it 200 Mbps .
Wednesday, 7 September 2011
even in the name of some intelligence agencies.
In recent update from MoZilla Firefox it have blocked any certificate signed by DigitNotar.
Microsoft have also released an update 2607712 permanently moving all five DigiNotar's root certificates to the Certificate Revokation List whihc provides protection to all Windows versions.
DigiNotar Root CA
DigiNotar Root CA G2
Thursday, 25 August 2011
You are the Cisco Network Designer in Cisco.com. Which statement is correct regarding NBARand NetFlow?
A. NBAR examines data in Layers 1 and 4.
B. NBAR examines data in Layers 3 and 4.
C. NetFlow examines data in Layers 3 and 4.
D. NBAR examines data in Layers 2 through 4.
Answer is C
Netflow works between 3 and 4
Layer Flexible Netflow workd from Layer 2 to 7 inspect payload
NBAR works 3 to 7
Friday, 12 August 2011
There is a biggest confusing in the datasheets to understand Forwarding , Switching, Backplane and Switching fabric Internally to a switch.
A specialized hardware is needed to move frames between ports.This specific part can be called backplane or in some cases we talk of switching fabric.
When the forwarding capabilities of a backplane or switching fabric are greater then the sum of speeds of all ports (counted twice one for tx and one rx direction) / full duplex we call the switching fabric non blocking
Traffic between a pair of ports is not influenced by what traffic is exchanged on all other ports.The forwarding rate is expressed in packet per seconds and expresses how many packets per second are needed to reach a certain traffic volume (throughpout)
Clearly forwarding rate depends on frame size.
Ideally a backplane switching fabric should be non blocking for every frame size including the smallest ones (64 bytes in ethernet standard) but in reality most devices can be non blocking for an average size of 400 bytes.
bandwidth is the speed of traffic.
to convert between forwarding rate and used bandwidth we need to take in account some specific aspects of ethernet: with this kind of calculation using frames of minimum size 64 bytes you need 1488000 frames per second and per direction to fill a Gigabit ethernet port.
Be aware that all figures you see sum tx and rx directions so if a switch has 100 Mpps (Million Pkts per second) capability this accounts for a certain number of GE ports at 1 Gbps full duplex.
In almost all switches (Cisco and non-Cisco) the switching limitation is actually NOT bandwidth, its Mpps (mega packets per second).
So the answer actually depends mostly on what your traffic looks like. Worst-case is VOIP traffic which consists of 100byte packets, best case is file transfers using full 1500 byte packets.
Sunday, 31 July 2011
Legal, Regulations, Compliance, and Investigations
Council of Europe (CoE) Convention on Cybe rcrime:
If the organization is exchanging data with European entities, it may need to adhere to the Safe harbor
safe harbor framework how any entity that is going to move Private data to and from Europe must provide protection
Civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. no Jail sentence
Criminal law when an individuals conduct violates the government laws / Jail sentence
Administrative/regulatory law deals with regulatory standards that regulate performance and conduct
Intellectual property laws do not necessarily look at who is right or wrong, but rather how a company can protect what it rightfully owns from unauthorized duplication or use,
Trade Secret = competitive value or advantage (formula for Drink)
Copyright= rights for authors(unauthorized copying and distribution of a work)
Trademark= protect a word,name, symbol (identifiable packaging, “trade dress.”)
Patent= (usually valid for 20 years from the date of approval)
international trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations
Similar to trademarks, international patents are overseen by the WIPO
Digital Millennium Copyright Act (DMCA), which makes it illegal to create products that circumvent copyright protection mechanisms.
Federal Privacy Act of 1974, it has enacted new laws, Gramm-Leach-Bliley Act of 1999
Federal Privacy Act If an agency collects data on a person, that person has the right to receive a report outlining data collected about him if it is requested ialso gives individuals the right to review records about themselves, to find out if these records have been disclosed, and to request corrections or amendments of these records)
Sarbanes-Oxley Act (SOX) law governs accounting practices,
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers option to share the data with other companies.
1994 U.S. Communications Assistance for Law Enforcement Act all communications carriers to make wiretaps possible
Computer Fraud and Abuse Act,1986, 1996
- access to federal Govt computers to access classified info
- access to financial institution computers or any computer
- unauthorised access to Govt computer
- knowing access of a protected computer without authorization with intend to Fraud
- causing the transmission of Program/ Information and Code from a computer without owners authorization
- trafficking of computer password for fraud
- transmission of communication containing threats
The Federal Privacy Act of 1974
Government agencies can maintain personnel information only if it is necessary to accomplish the agency’s purpose.
The Privacy Act dictates that an agency cannot disclose this information without written Permission from the individual however there are some exceptions.
1996 U.S Economic and Protection of Proprietary Information Act Industrial and corporate Espionage
1980 Organization for Economic Cooperation and Development (OECD) Guidelines
Deals with data collection limitations, the quality of data, specifications of the purpose for data collection, limitations of data use, participation by the individual on whom the data is being collected, and accountability of the data controller
how much capital banks need to put aside to guard against the types of financial and operational risks banks face
1987 U.S. Computer Security Act federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems
Computer Security Act of 1987 identify computers with sensitive information.
American citizens are protected by the Fourth Amendment against unlawful search and seizure
Payment Card Industry Data Security Standards (PCI DSS)
any entity that processes, transmits, stores, or accepts credit card data PCI DSS is a private-sector industry initiative. It is not a law and failure to comply may lead to revocation of merchant status or a fine
PCI DSS main areas
- Build and Maintain a Secure Network,
- Protect Cardholder Data,
- Maintain a Vulnerability Management Program,
- Implement Strong Access Control Measures,
- Regularly Monitor and Test Networks,
- Maintain an Information Security Policy
Economic Espionage Act of 1996
1991, U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white collar crimes max fine up to 290 Million $
Employee Privacy Issues
manager can listen your conversation with customer but not your personal conversation
Government regulations SOX, HIPAA, GLBA, BASEL
Self-regulation Payment Card Industry (PCI)
Individual user Passwords, encryption, awareness
Downstream liability when two companies work to gather they must ensure proper protection for each other so if virus effect one company other wil get effected and will finally Sue upstream company.
event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/or impacts its security posture.
incident response policy should be managed by Legal Department
Three types of incident response team
virtual team members have other jobs slower response
permanent team which is dedicated strictly to incident response
hybrid team some are permanent members and some are called when needed
Main goal of incident handling is to contain and mitigate any damage caused by an incident and to prevent any further damage.
Steps to Incident Responce
Triage : initial screening of the reported event either it is False positive
Investigation:- proper collection of relevant data
honeypots can introduce liability issues and be used to attack other internal targets
Steps of Forensic Investigation
exigent circumstances when law enforcement quickly seize the evidents to avoid destruction for some one
Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence
The life cycle of evidence includes
Collection and identification
Storage, preservation, and transportation
Presentation in court
Return of the evidence to the victim or owner
Oral evidence is not considered best evidence because there is no firsthand reliable proof
evidence should be authentic , complete , sufficient and reliable
Dumpster diving is unethical, but it’s not illegal.
Trespassing is illegal,
Emanation = Tempest
Some things may not be illegal, but that does not necessarily mean they are ethical
Red box simulated the tones of coins being deposited into a pay phone
Black Box method to manipulate line voltage to enable people to call toll-free lines.
Blue Box ' that enabled people to make free long-distance phone calls,
Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms
ISC2 Code of Ethics
Code of Ethics Preamble:
- Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession
Business attack = competitive intelligence to get trade secret
Intelligence attack = Military
Financing Attack = Bank Fraud
Corroborative Evidence supporting evidence is used to help prove an idea or a point, however It cannot stand on its own i.e Torn clothes, 911 call recording
computer fraudsters hold a position of trust
exclusionary rule mentions that evidence must be gathered legally
incident handling Contain and repair any damage caused by an event
Memory Dump gives an State of the Machine.
Circumstantial evidence = inference of information from other, intermediate, relevant facts. Secondary evidence = copy of evidence or oral description
Conclusive evidence = overrides all other evidence
GIASP Generally Accepted Information Security Principles
Computer security supports the mission of the organization
Computer security is an integral element of sound management
Computer security should be cost-effective
Systems owners have security responsibilities outside their own organization
Computer security responsibilities and accountability should be made explicit
Computer security requires a comprehensive and integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors