Tuesday, 18 December 2012

NEW CCNA / CCNP DataCentre

Cisco Announces New CCNA Data Center and CCNP Data Center Certifications
  • CCNA Data Center will be valid for 3 Years
  • Mainly focus on 
  • Foundation DC concept
  • Unified Fabric
  • Unified Computing 
  • No Pre-requisite 
  • Basic Routing and Switching  
  • Configuring and troubleshooting VLANs and basic routers
  • DC architecture 
  • DC Security 
  • IP addressing
  • I/O technologies  (FCoE, VIFs)
  • Storage networking 
  • Basic Nexus Family and configuration
  • WAAS and Load balancing ACE
  • 2 Exams to pass 
    • 640-991 Introducing Cisco Datacenter Networking 
    • 640-916 Introducing Cisco Datacenter Technologies  
  •  Exams are valid for three years
  • Further information can be found at CCNA Datacentre

Saturday, 7 July 2012

DNS Changer 9th July 2012 DNS Malware

DNS, short for Domain Name Service, converts a web page name to the IP address of the server hosting it, so that your traffic can be forwarded there.

A group of crooks managed to infect millions of computers around the world with malware called DNS Changer, which changed the DNS entries on victims' computers to point at the attackers' rogue DNS servers.

This malware didn't affect the victim's normal browsing. It diverted the user's traffic through their pool of DNS servers, which usually took users to the website they wanted, such as Google or YouTube, but now and then diverted the traffic to malicious or fraudulent websites to exploit the victim's computer, and sometimes stopped the computer from getting antivirus updates.

The FBI managed to track down those rogue DNS servers, and before shutting them down moved the service onto legitimate, clean servers, because otherwise infected computers would have lost Internet access.

These interim DNS servers were supposed to be shut down by March 2012, but because of the high rate of infection the shutdown was postponed, and the servers will now be shut down on 9th July 2012.

The Federal Bureau of Investigation will shut down Internet servers that it temporarily set up to support those affected by malicious software called DNS Changer. Turning off those servers will knock all those still infected offline.

A rough estimate is that more than half a million users are still infected with the DNS Changer malware.

The FBI website has a list of the DNS servers that are going down on Monday 9th July 2012.

Rogue DNS Servers through through through through through through

To check if you are infected, check your computer's DNS server addresses by issuing the command IPCONFIG /ALL

However, there is another way to check whether your DNS is rogue or not: check the FBI site mentioned below.
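The IPCONFIG /ALL check can be automated. The following is an added example, not part of the original post: it pulls the DNS server addresses out of `ipconfig /all` text and tests them against a list of ranges. The ranges in `ROGUE_RANGES` are placeholders from documentation address space, because the published list is not reproduced on this page, and the sample output is constructed.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space), not the real list.
# Replace them with the ranges published on the FBI site.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of `ipconfig /all` output.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example NIC
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _parse_ip(token):
    """Return an address object, or None if the token is not an IP."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])  # drop IPv6 scope id
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Collect every DNS server, including the indented continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        ip = _parse_ip(m.group(1)) if m else (_parse_ip(line) if in_dns else None)
        in_dns = ip is not None
        if ip is not None:
            servers.append(ip)
    return servers

def rogue_dns(ipconfig_text):
    """Return the configured DNS servers that fall inside a listed range."""
    return [str(ip) for ip in dns_servers(ipconfig_text)
            if any(ip in net for net in ROGUE_RANGES)]

if __name__ == "__main__":
    print(rogue_dns(SAMPLE))
```

A non-empty result means at least one configured resolver sits in a listed range. Check the DHCP server or home router settings as well, since the DNS address may have been handed out from there.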



Friday, 29 June 2012

HP ProCurve Port Security

Port Security allows you to configure each switch port with a unique list of MAC addresses of devices that are authorized to access the network through that port.

This will enable individual ports to detect, prevent, and log attempts by unauthorized devices trying to communicate through the switch port.

Just to clarify one important point here before we dive into the configuration part of it, this feature (port security) will not prevent intruders from receiving broadcast and multicast traffic.

Planning is the first key step.

Before we go ahead, we need answers to the following questions:

  1. Which ports need lockout?
  2. Which devices are authorized per port?
  3. What security actions do you want?
  4. How do you want to be informed about it?

To view the port security settings:

show port-security

To disable port security on any port:

no port-security

To check for intrusion flags on any port, issue the following command and you will see Yes next to the port.

ProCurve(config)# show interfaces brief

An important point is to understand how HP port security works, as it is slightly different from Cisco's default way of applying port security.

On HP ProCurve, if an intruder is detected on a port with port security enabled, the switch does the following:

  • Sends an SNMP trap
  • Sets the port's alert flag
  • Disables the port

If you re-enable the port without resetting the port's alert flag, the port comes up and will block traffic from unauthorized devices it detects.

If the port detects another intruder with a different MAC address, it will send another SNMP trap, but will not disable the port unless you first reset the port's intrusion flag. (Cisco, by contrast, keeps putting the port into error-disable.)

Point to note: this stays the case until you reset the intrusion flag on the port:

port-security 40 clear-intrusion-flag

Now issue the show int brief command and you will see that no Intrusion Alert is found on interface 40.

To look at the intrusion log, issue the following command:

show port-security intrusion-log

This behaviour lets the port continue passing traffic for authorized devices while you take the time to locate and eliminate the intruder. Otherwise the presence of an intruder could cause the switch to repeatedly disable the port (as is the case with Cisco's default port security).
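The sequence described above, written as a small Python model (an added example, not HP's code and not part of the original post). It models only what the post states for action send-disable; sending one trap per distinct intruder MAC between flag resets is an assumption of the model, and every MAC address other than 0c0019-123456 is constructed.

```python
from collections import deque

class SecuredPort:
    """Port with a static authorized-MAC list and action send-disable."""

    def __init__(self, authorized_macs):
        self.authorized = set(authorized_macs)
        self.enabled = True
        self.intrusion_flag = False
        self.traps = []                        # MACs reported by SNMP trap
        self.intrusion_log = deque(maxlen=20)  # 20 most recent attempts
        self._reported = set()                 # assumption: one trap per MAC

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded."""
        if not self.enabled:
            return False
        if src_mac in self.authorized:
            return True
        if src_mac not in self._reported:
            self._reported.add(src_mac)
            self.traps.append(src_mac)
            self.intrusion_log.append(src_mac)
        if not self.intrusion_flag:            # first intruder since last reset
            self.intrusion_flag = True
            self.enabled = False               # the "disable" half of send-disable
        return False

    def enable(self):
        self.enabled = True                    # the flag is left as it was

    def clear_intrusion_flag(self):            # port-security <port> clear-intrusion-flag
        self.intrusion_flag = False
        self._reported.clear()                 # the intrusion log itself is kept

def walkthrough():
    """Replay the post's sequence; one (step, forwarded, enabled, flag) per step."""
    port, steps = SecuredPort({"0c0019-123456"}), []
    for step in ("0c0019-123456", "aaaaaa-000001", "enable", "0c0019-123456",
                 "bbbbbb-000002", "clear", "cccccc-000003"):
        forwarded = None
        if step == "enable":
            port.enable()
        elif step == "clear":
            port.clear_intrusion_flag()
        else:
            forwarded = port.receive(step)
        steps.append((step, forwarded, port.enabled, port.intrusion_flag))
    return steps, port.traps
```

The second intruder (bbbbbb-000002) is blocked and reported but the port stays up, because the flag from the first intrusion was never cleared; only after the flag is cleared does the next intruder disable the port again.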

Setting up port security

Learn-Mode Static. This example configures port 40 to automatically accept the first device it detects as the only authorized device for that port (in the Cisco world this is called MAC address sticky).

We will also configure the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.

ProCurve(config)# port-security 40 learn-mode static action send-disable

Specify manual address

ProCurve(config)# port-security 40 learn-mode static mac-address 0c0019-123456 action send-disable

Specify 2 MAC addresses

ProCurve(config)# port-security 40 learn-mode static address-limit 2 mac-address 111110-7aec00 0078c0-883100 action send-alarm

show port-security 40

Last but not least, the Intrusion Log lists the 20 most recently detected security violation attempts, regardless of whether the alert flags for these attempts have been reset. This gives you a history of past intrusion attempts.

Thursday, 21 June 2012

Make TCP faster

An interesting post I came across a couple of days back.

Sounds like a good practical solution to me. Let's see how much time it takes for the industry to listen to Google's advice and get on with this.


Tuesday, 8 May 2012

Difference between VLSM and Subnetting

Hi everyone, one of the most frequently asked questions this week is explained below.

Classless Inter-Domain Routing (CIDR) is also called supernetting.

CIDR was first introduced in 1993 by RFC 1517, 1518, 1519, and 1520, and later deployed in 1994.

It's an IP addressing scheme that replaced the older system based on classes A, B, and C. 

The main purpose of CIDR is to aggregate routes; it is also known as supernetting or summarization. when you have to represent three /24

For example, you have four class C subnets

We can add 4 routes on the router, or we can summarize all of them and add one CIDR route, which is /22 and covers all 4 of the routes above.

CIDR addresses reduce the size of routing tables.

One more way to explain this: CIDR is a prefix-based standard for the interpretation of IP addresses. It facilitates routing by allowing blocks of addresses to be grouped into single routing table entries, as we have seen above. These groups, commonly called CIDR blocks, share an initial sequence of bits in the binary representation of their IP addresses.


Variable-Length Subnet Masking (VLSM) or Subnetting is used to better utilize address space. Subnets divide a single network into smaller pieces. 

This is done by borrowing bits from the host portion of the address to create a subnetwork.

Take the class C network The default network mask is, and the last octet contains the host portion of the address.

To use this address space more efficiently, because we don't need all 254 hosts, we could borrow 3 bits of the last octet for the subnet, which creates subnets and divides the hosts equally between them.

One point to note is that in subnetting, once the subnet mask has been chosen, the number of hosts on each subnet is fixed, but you can always chop it down further. I don't want to go into more detail, as it is already complex and I don't want to make it more complex for you.

Using variable-length subnet masks improves on subnet masking and avoids waste. VLSM is similar to traditional fixed-length subnet masking in that it also allows a network to be subdivided into smaller pieces. The major difference between the two is that VLSM allows different subnets to have subnet masks of different lengths. For the example above, a department with 20 servers can be allocated a subnet mask of 27 bits. This allows the subnet to have up to 30 usable hosts on it.


CIDR = make 1 network out of 6 = route summarization
VLSM = make 6 networks out of 1

This is the best I can explain
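Both directions can be worked through with Python's standard `ipaddress` module. This is an added example, not part of the original post; the 192.168.x.x prefixes and the host counts are constructed, since the post's own addresses did not survive on this page.

```python
import ipaddress

# Constructed sample: four contiguous class C (/24) networks.
FOUR_CLASS_C = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

def summarize(prefixes):
    """CIDR: collapse contiguous prefixes into the fewest covering routes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def fixed_subnets(block, borrowed_bits):
    """Fixed-length subnetting: borrow host bits, every subnet the same size."""
    net = ipaddress.ip_network(block)
    return [(str(s), s.num_addresses - 2)      # minus network and broadcast
            for s in net.subnets(prefixlen_diff=borrowed_bits)]

def vlsm(block, host_counts):
    """VLSM: give each requirement the smallest subnet that fits it."""
    net = ipaddress.ip_network(block)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    plan = []
    # Largest first keeps every subnet aligned on its own boundary.
    for hosts in sorted(host_counts, reverse=True):
        host_bits = max(2, (hosts + 1).bit_length())   # 2**bits - 2 >= hosts
        size = 1 << host_bits
        if cursor + size > end:
            raise ValueError(f"{block} has no room left for {hosts} hosts")
        sub = ipaddress.IPv4Network((cursor, 32 - host_bits))
        plan.append((hosts, str(sub), size - 2))
        cursor += size
    return plan

if __name__ == "__main__":
    print(summarize(FOUR_CLASS_C))                 # one /22 route
    print(summarize(FOUR_CLASS_C[:3]))             # three /24s need two routes
    print(fixed_subnets("192.168.10.0/24", 3)[:2])
    for row in vlsm("192.168.10.0/24", [20, 60, 2, 10]):
        print(row)
```

Three /24s cannot be covered exactly by one route, which is why the summary comes out as a /23 plus a /24; the 20-server requirement lands in a /27 with 30 usable hosts, as in the text.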

Monday, 30 April 2012

Cisco Show Interface Explained

Hi everyone, I hope everyone is fine and enjoying good health. For the last couple of weeks a lot of people have asked me if I can explain each and every line of output from one important Cisco command that we use when we start troubleshooting anything, which is

Show interface  Gi0/10

The output from the command above is explained below, one line at a time.
GigabitEthernet0/10 is up,

Indicates whether the interface hardware is currently active and whether it has been taken down by an administrator. "Disabled" indicates the router has received errors in a keepalive interval, and sometimes, when you have port security set up, you will see error disabled.

line protocol is up (connected)

This indicates whether the software processes that handle the line protocol believe the interface is usable (that is, whether keepalives are successful)

Hardware is Gigabit Ethernet, address is 0022.0d50.2d32 (bia 0022.0d50.2d32)

Hardware type and Ethernet address.

MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

Maximum Transmission Unit of the interface.
Bandwidth of the interface in kilobits per second.
Delay of the interface in microseconds.

 reliability 255/255, txload 1/255, rxload 1/255

Reliability of the interface: 255/255 is 100% reliability, calculated as an average over 5 minutes.
Load on the interface: 255/255 is a completely saturated link. It is also calculated as an average over 5 minutes.

Encapsulation ARPA, loopback not set
Encapsulation method assigned to interface.

Keepalive not set
Indicates whether keepalives are set or not.

Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
Duplex setting of the interface; here the interface is full duplex. In the example above the media type is an SFP fiber interface module.

ARP type: ARPA, ARP Timeout 04:00:00
Type of Address Resolution Protocol assigned.

  Last input 00:00:00, output 00:00:03, output hang never

Number of hours, minutes, and seconds since the last packet was successfully received by an interface. It is useful for knowing when an interface failed.

Number of hours, minutes, and seconds since the last packet was successfully transmitted by an interface

Number of hours, minutes, and seconds since the interface was last reset because of a transmission that took too long. 

When the number of hours in any of the "last" fields exceeds 24 hours, the number of days and hours is printed. If that field overflows, asterisks are printed.

Last clearing of "show interface" counters never

Time at which the counters that measure cumulative statistics like number of bytes transmitted and received 
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Number of packets in output and input queues. Each number is followed by a slash, the maximum size of the queue, and the number of packets dropped due to a full queue or saturation.

  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
5 minute input rate 14000 bits/sec, 15 packets/sec
5 minute output rate 4000 bits/sec, 4 packets/sec

Shows the hardware queue, which is always first in, first out (FIFO).
Average number of bits and packets transmitted per second in the last 5 minutes.
You can even estimate the transmit speed of the interface from the 5-minute output rate if you don't have access to an NMS.

71618919 packets input, 21731123446 bytes, 0 no buffer

Total number of error-free packets received by the system 

Number of received packets discarded because there was no buffer space in the main system

Received 57218887 broadcasts (26378769 multicasts)
Total number of broadcast or multicast packets received by the interface.

0 runts, 0 giants, 0 throttles

This is quite important. Runts are the number of packets that are discarded because they are smaller than the medium's minimum packet size, i.e. any Ethernet packet that is less than 64 bytes is considered a runt.

Giants are the number of packets that are discarded because they exceed the medium's maximum packet size. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. 

On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions, a station transmitting bad data, bad cabling or EMI.

Number of times the receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver's ability to handle the data.

Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different than the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.

0 watchdog, 26378769 multicast, 0 pause input
0 input packets with dribble condition detected

A dribble bit error indicates that a frame is slightly too long; however, the router accepts this frame.

9667499 packets output, 1711527019 bytes, 0 underruns

Number of times that the transmitter has been running faster than the router can handle. This may never be reported on some interfaces.

0 output errors, 0 collisions, 1 interface resets

Sum of all errors that prevented the final transmission of datagrams out of the interface being examined. 

Number of messages transmitted due to an Ethernet collision. This is usually the result of an overextended LAN 

A packet that collides is counted only once in output packets.

0 babbles, 0 late collision, 0 deferred

The transmit jabber timer expired.

Number of late collisions. Late collision happens when a collision occurs after transmitting the preamble.

Deferred indicates that the chip had to defer while ready to transmit a frame because the carrier was asserted.

0 lost carrier, 0 no carrier, 0 PAUSE output

Number of times the carrier was lost during transmission.
Number of times the carrier was not present during the transmission.

 0 output buffer failures, 0 output buffers swapped out

Number of failed buffers and number of buffers swapped out. 

Source :- Cisco.com
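The fields explained above can be checked mechanically. The following is an added example, not part of the original post or of Cisco's documentation: it parses `show interface` text and lists the values that deserve attention. The sample is assembled from the output lines quoted in the post, and the 80% load limit is an assumed threshold.

```python
import re

# Constructed sample assembled from the output lines quoted in the post.
SAMPLE = """\
GigabitEthernet0/10 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 14000 bits/sec, 15 packets/sec
  5 minute output rate 4000 bits/sec, 4 packets/sec
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counters that should stay at zero on a healthy full-duplex link.
ERROR_COUNTERS = ("runts", "giants", "input errors", "CRC", "frame", "overrun",
                  "ignored", "output errors", "collisions", "late collision")

def parse_show_interface(text):
    """Extract link state, the x/255 ratios, utilisation and error counters."""
    head = re.search(r"^(\S+) is ([\w ]+), line protocol is (\w+)", text, re.M)
    info = {"name": head.group(1), "status": head.group(2), "protocol": head.group(3)}
    for key in ("reliability", "txload", "rxload"):
        num, den = re.search(rf"{key} (\d+)/(\d+)", text).groups()
        info[key] = int(num) / int(den)
    bw_bps = int(re.search(r"BW (\d+) Kbit", text).group(1)) * 1000
    for direction in ("input", "output"):
        bps = int(re.search(rf"{direction} rate (\d+) bits/sec", text).group(1))
        info[f"{direction}_util"] = bps / bw_bps   # share of bandwidth in use
    info["counters"] = {name: int(re.search(rf"(\d+) {name}\b", text).group(1))
                        for name in ERROR_COUNTERS}
    return info

def findings(info, load_limit=0.8):
    """List what needs a closer look; an empty list means nothing stands out."""
    out = []
    if (info["status"], info["protocol"]) != ("up", "up"):
        out.append(f"link is {info['status']}/{info['protocol']}")
    if info["reliability"] < 1:
        out.append(f"reliability {info['reliability']:.0%}")
    out += [f"{k} {info[k]:.0%}" for k in ("txload", "rxload") if info[k] >= load_limit]
    out += [f"{name}={n}" for name, n in info["counters"].items() if n]
    return out

if __name__ == "__main__":
    print(findings(parse_show_interface(SAMPLE)))
```

Counters are cumulative since the last clearing of the "show interface" counters, so compare two readings taken some minutes apart before concluding that errors are still occurring.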

Friday, 27 April 2012

Router on Stick or Inter Vlan Routing


Router-on-a-stick (or inter-VLAN routing) describes a setup that consists of a router and a switch connected by one Ethernet link configured as an 802.1q trunk link.

In this configuration, the switch is configured with multiple VLANs and a trunk port from the switch is connected to a Fast Ethernet interface on the router (or any Layer 3 device), and that router performs all routing between
the different networks, VLANs or subnets.

We already know that each VLAN = a subnet = a network.

There are a lot of practical implementations, but it has some drawbacks: all inter-VLAN traffic passes through a single Fast Ethernet interface, which may lead to congestion on the network.

In the example below we will see how to configure a Cisco router and
switch in order to create a trunk link between them and have the
router route packets between your VLANs.

SW1# configure terminal
SW1(config)# interface vlan1
SW1(config-if)# description Accounts
SW1(config-if)# ip address
SW1(config-if)# exit
SW1(config)# interface vlan2
SW1(config-if)# description HR
SW1(config-if)# ip address

SW1# configure terminal
SW1(config)# interface Fa0/24
SW1(config-if)# description Trunk-to-Router
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk

R1# configure terminal
R1(config)# interface Fa0/1
R1(config-if)# no ip address
R1(config-if)# duplex auto
R1(config-if)# speed auto
R1(config-if)# interface fa0/1.1
R1(config-subif)# description Accounts
R1(config-subif)# encapsulation dot1q 1
R1(config-subif)# ip address

R1(config-subif)# interface Fa0/1.2
R1(config-subif)# description HR
R1(config-subif)# encapsulation dot1q 2
R1(config-subif)# ip address

The encapsulation dot1q 2 command defines 802.1q encapsulation and sets
the subinterface to VLAN 2.