Thursday 31 December 2009

VOICE VLAN

First, to understand the voice VLAN:


The voice VLAN feature enables you to configure a switch port to carry voice traffic from an IP phone. When the switch is connected to a Cisco IP Phone, the phone sends voice traffic with a Layer 3 IP precedence value that gives voice priority over data, because sound quality is compromised if the traffic is delivered unevenly. You also need to configure the switch to trust the priority assigned by the Cisco IP Phone.


The Cisco IP Phone contains an integrated 10/100 switch, as shown below.







So connectivity would be something like this:

Port 1 connects to the PoE switch.
Port 2 (access port) connects to a PC or other device.


Configuration and Tuning


After connectivity is in place, you need to configure the access port attached to the Cisco IP Phone to carry voice traffic on one VLAN and data traffic on another. This is where Cisco Discovery Protocol (CDP) comes into play: CDP packets instruct the attached phone to send voice traffic to the switch in the appropriate VLAN, marked with the IP precedence priority value.


The default Layer 3 IP precedence value is 5 for voice and 3 for control traffic.
 

Note that the voice VLAN is only supported on access ports, not on trunk ports, although the configuration is accepted on a trunk port and no error is shown.


Make sure the voice VLAN already exists on the switch (check with the following command in exec mode: show vlan) before setting up the port for the IP phone. I hope no one pops up and asks how to create a voice VLAN ... :)

You need to enable QoS on the switch (mls qos) and configure the port to trust CoS (mls qos trust cos), so that the switch interface trusts the CoS value carried in the 802.1Q frame header.



An IP phone and a device attached to the phone cannot communicate if they are in the same VLAN and subnet but use different frame types, because traffic within the same subnet is not routed.


So the final config will look like this:

Switch_A# config t
Switch_A(config)# mls qos                                   ! enable QoS globally first; the trust setting has no effect without it
Switch_A(config)# interface gi 0/1
Switch_A(config-if)# switchport mode access                 ! voice VLAN is only supported on access ports
Switch_A(config-if)# mls qos trust cos                      ! trust the CoS value set by the IP phone
Switch_A(config-if)# switchport voice vlan <VOICE-VLAN-ID>  ! placeholder: the voice VLAN number, which must already exist (show vlan)





Friday 18 December 2009

Network Management system


What is the best NMS? Which NMS should I go with? Which NMS is best for my organization???



These are the questions wrecking your head when your organization decides to buy or move to another NMS. Here is some information I will put in and keep updating.

First and foremost, there is no specific network monitoring tool that can be said to be the best .. Hahaha, I know what you guys are thinking at the moment.

Most of them are pretty good and provide you with the information you need on a day-to-day basis. It actually depends on what you are looking for in a monitoring tool, like:
  • COST ($$$$$) you are willing to pay
For a small network you would do well with a small tool, even an open source one, but for a bigger network you would naturally go for higher-end products.

  • Easy to use
Easy to use, and able to extract the reports or information you are looking for.

Concord, HPOV, Unicenter TNG, Tivoli and SolarWinds are some of the good tools that I have worked with.


Here is a pre-purchase checklist for NMS applications; normally these are the areas where NMS vendors trick us ....

  • Root Cause Analysis
True root cause analysis means that your NMS is capable of looking through thousands of events and pointing out the main cause of the problem, i.e. if one router interface is the reason for a whole site failure, then the NMS should point out that this interface is the main reason we cannot see any other device in the remote office. Event correlation and component monitoring for critical alarms are the key factors that add real root cause analysis capability to an NMS.

In order to do root cause analysis the NMS must have collected sufficient data about the network's behaviour and worked out which devices depend on which. Finally, deviation or anomaly detection against that baseline helps in proper root cause analysis.
  • SNMP Capable..
Most NMSs claim that their application is SNMP capable. They don't mention that they only offer simple SNMP GET requests, which only ask a network device to return the current value of an OID, such as "Packets out" = 12000, and of course you cannot do much with this information. A real NMS, however, produces useful information by processing the values from the OIDs, like bandwidth utilization, normally using a formula to calculate it:

(Total Octets IN + Total Octets OUT) * 8 / 1024 = Bandwidth

So be sure to check the whole process of how the NMS works with OIDs, and don't get screwed ... :) by purchasing an NMS that is only based on SNMP GET.
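As an added illustration (my own example, not part of the original post or any NMS product), here is the processing step described above carried out in Python: two raw SNMP polls of ifInOctets/ifOutOctets are turned into the post's total-octets figure and into per-direction rates and utilisation against ifSpeed, allowing for the 32-bit counter wrap that a GET-only tool would misread as a huge negative jump. It also includes the simple deviation-from-baseline check that the root cause analysis point above relies on. The poll values and the baseline history are constructed.

```python
import statistics

COUNTER32_MAX = 2 ** 32  # ifInOctets / ifOutOctets are 32-bit counters and wrap around


def counter_delta(old, new, max_value=COUNTER32_MAX):
    """Octets counted between two readings, allowing for one counter wrap."""
    if new >= old:
        return new - old
    return (max_value - old) + new


def link_stats(poll_a, poll_b, if_speed_bps):
    """Turn two raw polls into rates and utilisation.

    Each poll is a dict with 'time' (seconds), 'in_octets' and 'out_octets',
    i.e. the raw values an SNMP GET of ifInOctets / ifOutOctets returns.
    if_speed_bps is the interface's ifSpeed value.
    """
    seconds = poll_b["time"] - poll_a["time"]
    if seconds <= 0:
        raise ValueError("poll_b must be later than poll_a")
    in_octets = counter_delta(poll_a["in_octets"], poll_b["in_octets"])
    out_octets = counter_delta(poll_a["out_octets"], poll_b["out_octets"])
    in_bps = in_octets * 8 / seconds
    out_bps = out_octets * 8 / seconds
    return {
        # the post's formula: octets in both directions, in kbit, over the whole interval
        "total_kbit": (in_octets + out_octets) * 8 / 1024,
        "in_bps": in_bps,
        "out_bps": out_bps,
        # full-duplex link: each direction is measured against the link speed separately
        "in_util_pct": in_bps / if_speed_bps * 100,
        "out_util_pct": out_bps / if_speed_bps * 100,
    }


def deviates(history, current, k=3.0):
    """Flag a reading more than k standard deviations above the baseline mean:
    a minimal 'deviation from normal behaviour' check feeding root cause analysis."""
    mean = statistics.mean(history)
    spread = statistics.pstdev(history)
    return current > mean + k * spread


# Constructed sample: two polls five minutes apart; ifInOctets wrapped in between.
POLL_A = {"time": 0, "in_octets": 4_294_960_000, "out_octets": 1_000_000}
POLL_B = {"time": 300, "in_octets": 5_000, "out_octets": 31_000_000}
FAST_ETHERNET = 100_000_000  # ifSpeed of a 100 Mbps interface
BASELINE_UTIL = [10, 11, 9, 10, 10]  # constructed history of out_util_pct readings

if __name__ == "__main__":
    stats = link_stats(POLL_A, POLL_B, FAST_ETHERNET)
    for key, value in stats.items():
        print(f"{key:>13}: {value:,.2f}")
    print("deviates from baseline:", deviates(BASELINE_UTIL, stats["out_util_pct"]))
```

Without the wrap handling, the inbound delta for this pair of polls would come out hugely negative; a GET-only tool that just shows the raw OID values gives the operator nothing to spot that with.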




Q. Does ASA support SNMPv3?

A. Yes. Cisco ASA Software Release 8.2 supports Simple Network Management Protocol (SNMP) version 3, the newest version of SNMP, and adds authentication and privacy options in order to secure protocol operations.

Ref:- Cisco.com

Tuesday 29 September 2009

DOS ATTACK

DOS and DDOS.... !

DoS (denial of service), or its distributed form DDoS, is an attempt to make a computer or any network resource unavailable to its intended users.

To block a DoS attack, it is best to block the traffic as close as possible to the source that is generating it. As a solution we normally create an ACL if the port and IP address of the attacking device are known to us.

However, the Cisco PIX or ASA TCP Intercept feature can help protect resources from DoS attacks. It lets us configure the maximum number of simultaneous connections allowed for a specific resource and limit the number of embryonic connections to any critical server.

Embryonic connections are connections that have not completed the TCP three-way handshake; flooding a server with them is itself a type of DoS attack.

Here are some common types of DoS attack:

  • ICMP flood
  • SYN flood
  • Teardrop attack
  • WinNuke
  • Distributed denial of service attack (hardest to block)
A wide range of programs are used to launch DoS attacks; DoS is considered the easiest attack to launch and a difficult one to block.

If the embryonic connection limit is reached, the PIX Firewall responds to every SYN packet sent to the server with a SYN+ACK and does not pass the SYN packet to the internal server. If the PIX/ASA does not get an ACK back from the server, it aggressively times out that embryonic connection. The threshold is defined in the configuration; as soon as it is reached the firewall does not allow any further traffic to pass through.


The Cisco ASA uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.

The PIX/ASA also supports TCP normalization, where you specify criteria that identify abnormal packets, which the security appliance drops when they are detected. This feature uses the Modular Policy Framework, so implementing TCP normalization consists of:

  • Identifying the traffic
  • Specifying the TCP normalization criteria
  • Activating TCP normalization on an interface.


Thursday 3 September 2009

Unidirectional Link

Unidirectional Link Detection Protocol



Hi guys, I have an interesting issue this week. I just moved my core switch from one location to another and, for no apparent reason, some users within the network reported connection issues to hosts. Half of the network went down and then all of a sudden the connection was restored, but quickly lost again.


Remember, the network had 2 x core and two distribution switches, and all the access switches had resilient connectivity and were running STP, HSRP and VTP. I was able to access one of the core switches and connectivity to the other core was intermittent. A very quick trip to the distribution point and a console cable connection into the core switches revealed the issue.

The two 6500 switches had a 2 x 1 Gb EtherChannel configured on either end, connected by fibre. One side of the connection reported that both links were active in the EtherChannel. The other side had one link down and the logs showed that the connection had left the EtherChannel.


The exact reason for this is still unknown, but this type of issue, where one side sees the link as up but the other sees it as down, is called a unidirectional link failure. To solve the matter immediately I shut down the faulty link at that end and replaced the GBIC. As soon as this was done everything returned to normal operation and timed-out pings came back with replies.

This highlighted an issue with the EtherChannel configuration on the switches, however.


I had advice from network forums to use a mode of desirable on either side of an EtherChannel connection, rather than forcing the EtherChannel up. The on mode forces a port to join an EtherChannel without any EtherChannel protocol negotiation taking place. Using the desirable keyword instead of the on keyword means the switch uses the Port Aggregation Protocol (PAgP). With PAgP the switch learns of partner interfaces on other switches that support PAgP and dynamically groups its interfaces into an EtherChannel.



In the situation I mentioned above, this happened when an interface in the EtherChannel stopped seeing PAgP packets (while we were moving our core switch). It is quite possible for one switch to move the interface into stand-alone mode and pass traffic across a broken link, as it was still seeing the link as up. To help in these types of situations Cisco developed the Unidirectional Link Detection protocol.

UDLD is a Layer 2 (L2) protocol that works with the Layer 1 (L1) mechanisms to determine the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When you enable both auto-negotiation and UDLD, Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

With UDLD enabled in aggressive mode, when a port on a bidirectional link that has an established UDLD neighbor relationship stops receiving UDLD packets, UDLD tries to re-establish the connection with the neighbor. After eight failed retries the port is disabled, which avoids loops in the network. In order to prevent spanning tree loops, non-aggressive UDLD is fast enough to shut down a unidirectional link before a blocking port transitions to the forwarding state (with default spanning tree parameters).

Here are the commands to enable UDLD on a port:

SWA(config)# interface fas0/1
SWA(config-if)# udld port

To configure aggressive mode only one more keyword is required:

SWA(config)# interface fas0/1
SWA(config-if)# udld port aggressive


A Cisco 6500 series switch periodically transmits UDLD packets to neighbor devices. If the packets are echoed back within a specific time frame but lack a specific acknowledgment (echo), the link is flagged as unidirectional and the LAN port is shut down. Devices on both ends of the link must support UDLD in order for the protocol to successfully identify and disable unidirectional links. By default UDLD is locally disabled on copper LAN ports.

Sunday 30 August 2009

Excel shortcut


Hi guys ... Here are some really important Excel shortcuts to speed up your day-to-day office work.

SELECTION

  • Column Ctrl + space
  • Row Shift + space
  • Entire worksheet Ctrl + A
NAVIGATE CELLS

  • Right Tab
  • Start of worksheet Ctrl + Home
  • End of worksheet Ctrl + End
  • Start of row Home
  • Up/down one screen Page Up/ Down
STANDARD ACTION
  • Activate menus F10
  • Save Ctrl + S
  • Print Ctrl + P
  • New workbook Ctrl + N
  • Open Ctrl + O
  • Copy Ctrl + C
  • Cut Ctrl + X
  • Paste Ctrl + V


COPY DATA AND RANGE

  • Select current range Ctrl + *
  • Move to range border Ctrl + arrow
  • Move up Shift + Enter
  • Move left Shift + Tab
  • Fill down Ctrl + D
  • Fill right Ctrl + R
  • Copy formula above Ctrl + '
  • Copy value above Ctrl+ "


EDIT ACTION AND COMPLETE ACTION

  • Edit cell F2
  • Insert Ctrl + +
  • Delete Ctrl + -
  • Repeat last action F4
  • Today’s date Ctrl + ;
  • Chart selected data F11
  • Format cells Ctrl + 1
  • General Ctrl + Shift + ~
  • Currency Ctrl + Shift + $
  • Percentage Ctrl + Shift + %
  • Date (d, m, y) Ctrl + Shift + #

Friday 14 August 2009

Cisco IOS/ CatOS

Hi guys ..!! It's quite possible that you join an organization with a fairly big network, and after some time you decide to roll out some advanced configuration, dig deep into the network platform and finally come across some switches running the set-based OS, commonly known as CatOS. Now there comes another problem for you: you need to get rid of this mix-and-match OS situation, and you need to figure out what points to get through to higher management, or you finally end up googling CatOS to IOS configs, because 80% of network guys are used to IOS commands. Here are some points that will definitely help you overcome the CatOS fear ... :)



  • Cisco has announced CatOS as EOS (so down the road you will not find critical bug fixes)
  • Configuration changes in CatOS are written to NVRAM immediately after they are made; no write mem is required (don't be shocked, and believe me this will lead to something really ....... )

  • All configuration in CatOS is done via the "set" command sequence, executed from the enable mode prompt

  • The clear command will erase a particular configuration command

Here are some examples of CatOS and IOS commands (CatOS ---- IOS):

reset system ---- reload

set system name ---- hostname

set boot system flash ---- boot system flash

show config ---- show run


Below is a useful link for IOS to CatOS command translation, and there is a tool available on the Cisco website which can help you translate a whole config into IOS:

http://www.cisco.com/en/US/customer/...800c8441.shtml

:( but you need a Cisco login

Best of Luck
Thanks for reading

Sunday 28 June 2009

FireFox Memory Leak ..!!! (slow system Performance)




Hi friends, one very important system performance tip ..... to deal with a memory leak. A memory leak is unintentional memory consumption by a program, specifically when the program fails to release memory that is no longer needed.

I have been noticing for quite some time that some Firefox threads consume a lot of memory space which is not required and slow down your system performance. This is a known memory leak, and Mozilla hasn't gotten around to fixing it for whatever reason (definitely they know better than me :). Anyway, there is no reason for Firefox to take up 90,000 K in memory.


Sooo, my dear friends, here is how I fix the Firefox memory leak and stop Firefox taking over all the resources:

1. Open Firefox, type "about:config" (without quotes) into the address bar and hit Enter. When the warning message appears, click "I'll be careful, I promise!".

2. Right-click on the page, select New, and select Integer. In the dialog prompt type:

browser.cache.memory.capacity

3. Click OK. Another dialog prompt will appear to enter the value. This is where you decide how much memory to allocate to Firefox.

4. This depends on how much RAM your computer has, but I don't want to allocate too little, like 8 MB. I tried a couple of values on Windows Vista and 16 MB seems good to me; enter this value into the dialog prompt:

16384

(However, if you want to double that you can go for 32768.)

5. Click OK to close the dialog box, and it is better to restart ...... Hope everything will be fine.


Have a nice Day
See u Soon

Wednesday 27 May 2009

QOS



Quality of Services

The hottest issue nowadays in converged networks, with different types of applications and especially mission-critical applications, is resources, and the top one is bandwidth. So the traffic engineering mechanism which has the ability to give different priorities to different application data is known as QoS.

Before implementing QoS we need to go through some steps:

1. Network audit

2. Find out application requirements

3. Classify traffic depending upon:

Requirement analysis (how much delay can be tolerated for email, voice, etc.)

Make groups of similar applications, but keep in mind not to make a group per application; for example put FTP and web traffic in a single group. If you don't, you will end up with overly granular policies. Cisco suggests not fewer than 4 classes and not more than 11 (if you have 4 classes then it's a small network that doesn't need a QoS deployment).

There are three main models of QoS deployment:

1. Best Effort

2. Integrated Services (IntServ)

Like reserving a private resource from point A to B; it's for really sensitive traffic, for example with RSVP:

A request is sent to every router between point A and B to reserve bandwidth for a continuous data stream (guaranteed bandwidth).

DISADVANTAGE: no one else can use this bandwidth for any other purpose and it does not scale well; another disadvantage is that if any device in the middle doesn't support RSVP, the chain of end-to-end QoS becomes a nightmare.

3. Differentiated Services (DiffServ)

Differentiates traffic depending upon the marking on the packet; it's the best model to use for the network and is scalable for enterprise networks.

MQC (Modular QoS CLI)

Allows you to define all your policies in global config mode. Steps:

Step 1:

Create a class map (defining what to match): specify the type of traffic, like HTTP, FTP or HTTPS.

Step 2:

Create a policy map (what we need to do with what we matched, like allocating bandwidth (absolute or percentage) or other resources to the class defined in step 1).

Step 3:

Attach this policy map to the physical interface using the service-policy command.

CISCO Auto QoS

Only ..!!!! one command to configure QoS ... yes, it's easy to use.

It analyzes the current config and the bandwidth information on the interface and finally configures the best practice.

Cisco has another thing to make it easy for your network: Auto QoS Discovery ...... it discovers your network applications, considers critical applications like VoIP and Citrix and finally deploys a policy .... But one point: not every automated procedure is 100% perfect .... Remember it :)

Well guys, you can also configure wizard-based QoS using SDM on the new Cisco 2800 series routers.


QoS_RTR# config t

QoS_RTR(config)# class-map match-all MATCH-FTP
! match-all requires every match statement in the class to be true; match-any
! accepts any one of them. The default is match-all.

QoS_RTR(config-cmap)# match protocol ftp
! This uses Cisco NBAR, which is somewhat processor intensive, so it takes a
! moment. That's it, your class map is built; you can view it with:

QoS_RTR# show class-map

Sooo, remember, here we have 1 class, but Cisco says not fewer than 4 and not more than 11 ....:) Now get ready for the policy map .... for allocating resources. You can put more than 200 classes under a single policy map ....:)

QoS_RTR(config)# policy-map policy1
QoS_RTR(config-pmap)# class MATCH-FTP
! (you can add up to 256 classes here, sooo lots of room, don't worry about running out)
QoS_RTR(config-pmap-c)# police 36000
QoS_RTR(config-pmap-c)# class class-default
QoS_RTR(config-pmap-c)# police 15000

Now if FTP traffic is more than 36 Kbps the excess traffic is dropped: FTP is limited to 36 Kbps, while the rest of the traffic, which falls under class-default, is policed at 15000 .. but where .... that's the point. Now we need to apply all this; the last step is to bind the policy to the interface.

Remember the rule of thumb: you can apply only one policy per interface per direction ... hummm

QoS_RTR(config)# interface e0/1
QoS_RTR(config-if)# service-policy input policy1

or, if you need it the other way around:

QoS_RTR(config-if)# service-policy output policy1

QoS_RTR# show policy-map interface

This shows you the QoS statistics for the interface.
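As an added example (my own code, not from the post and not Cisco's implementation), here is the mechanism behind the police action in Python: a single-rate token-bucket policer, with the rate given in bits per second exactly as in police 36000. The burst size (Bc, here 4500 bytes, i.e. one second's worth of traffic at 36 kbps) and the packet trace are constructed assumptions; the real police command applies its own default burst when none is given.

```python
class TokenBucketPolicer:
    """Single-rate policer: tokens (bytes) refill at rate_bps / 8 per second up
    to burst_bytes. A packet conforms if enough tokens are present; otherwise it
    exceeds and, with the default exceed-action of drop, is discarded."""

    def __init__(self, rate_bps, burst_bytes):
        self.refill_per_sec = rate_bps / 8.0   # bits/s -> bytes/s
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)       # bucket starts full
        self.last_time = 0.0
        self.conformed = 0
        self.exceeded = 0

    def offer(self, now, size_bytes):
        """Decide the fate of a packet of size_bytes arriving at time now (seconds)."""
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(self.burst, self.tokens + elapsed * self.refill_per_sec)
        self.last_time = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.conformed += 1
            return "conform"
        self.exceeded += 1
        return "exceed"


def police_trace(trace, rate_bps, burst_bytes):
    """Run a (time, size) packet trace through a policer; returns the verdicts
    and the policer so the counters can be inspected."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    verdicts = [policer.offer(t, size) for t, size in trace]
    return verdicts, policer


# Constructed trace: a burst of four full-size packets at t=0, then packets
# arriving every 100 ms starting at t=1.0 (faster than 36 kbps can sustain).
TRACE = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.0, 1500),
         (1.0, 1500), (1.1, 1500), (1.2, 1500), (1.3, 1500)]

if __name__ == "__main__":
    verdicts, policer = police_trace(TRACE, rate_bps=36000, burst_bytes=4500)
    for (t, size), verdict in zip(TRACE, verdicts):
        print(f"t={t:.1f}s {size}B -> {verdict}")
    print("conformed:", policer.conformed, "exceeded:", policer.exceeded)
```

The initial burst is absorbed up to the bucket size and the fourth packet is dropped; once the bucket has refilled over the following second, packets arriving at 12 kB/s again outrun the 4.5 kB/s refill and the last one exceeds. That is the behaviour the post describes: anything above 36 kbps is dropped rather than queued.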

Monday 4 May 2009

Designing Enterprise Network


To deliver the best network design you need to know how to execute a conceptual network infrastructure that will support the customer's needs and achieve effective performance, scalability and reliability.

An effective seven-step technique is used to design the enterprise network infrastructure:



  1. First and foremost is to determine application and data requirements, like bandwidth needs, nature of traffic, QoS needs, unicast/multicast and the bursty nature of traffic.
    Factors to be considered when analyzing data traffic requirements: Kbps per active user, peak load, peak timing, data, video, voice.
  2. After determining the type of traffic, design the logical network, i.e. define VLANs and subnets and determine the number of subnets for effective performance and better routing.
  3. Physical design: identification of the components to be used in the physical layout, i.e. transmission media, interconnectivity between stacks of network equipment and fiber types, keeping in mind resiliency and STP as well.
  4. Selection of devices: a bit of a debatable issue, which vendor to use depending upon their ability and future needs. As I am a Cisco guy I will choose Cisco, as you can get everything from wireless to VoIP products from Cisco and a unified communication infrastructure under a single umbrella from a single vendor, with no mix-and-match technology where, when you go to upgrade, you find out that one vendor doesn't interoperate with another ... However, selection of products is a tough task depending upon budget and limits as well, i.e. select a software option that meets the specified needs.
  5. It's time to do some binary work :) I love it .... Selecting the IP addressing strategy and numbering. Good planning helps your route summarization, so borrow some time for this and perform it in a well-mannered way. Selection of the routing protocol is done here.
  6. Edge distribution module design, including connectivity to the core and WAN modules.
The whole design is based upon business needs, which should be clarified before you carry out any work and must address 4 main factors:
  1. Cost
  2. Performance
  3. Scalability
  4. Availability
If management wants to compromise on availability (no backup fibers, no STP, easy setup), that all depends .. on what their need is.


Better information gathering results in a better design and a better, easily scalable network .... So start with better information gathering and brainstorming ;)

Thursday 2 April 2009

Comparison between 5510 Base / Security Plus




Cisco ASA 5510 License Comparison

Base License

  Maximum firewall connections: 50,000
  Integrated network interfaces: 5 x 10/100
  Maximum VLANs: 50
  High availability (failover): not supported
  Security contexts (virtual firewalls): not supported
  VPN / VPN load balancing: not supported

Security Plus License

  Maximum firewall connections: 130,000
  Integrated network interfaces: 2 x 10/100/1000 and 3 x 10/100
  Maximum VLANs: 100
  High availability: Active/Active and Active/Standby failover
  Security contexts: 2 virtual firewalls included, 5 maximum

General Features (both licenses)
  Firewall throughput is 300 Mbps and VPN throughput is 170 Mbps; can accommodate 1 x SSM.

Monday 16 March 2009

Upgrade Cisco Router / Switch IOS

Once you install and configure a router or switch, the job is not done. For an efficient and safer network it is important to keep upgrading the IOS, as the operating system is open to vulnerabilities that have to be fixed by patches or IOS updates.

The latest version of IOS can be downloaded from the Cisco website with an appropriate CCO login.

Set up a TFTP server; this means you must be able to ping the TFTP server from your router/switch.

# write mem
! save the running config to the startup config

# copy flash: tftp:
Source filename []? <current-ios-image>
Address or name of remote host []? <tftp-server-ip>
Destination filename [<current-ios-image>]?
! this backs up the current image to the TFTP server before anything is changed

# copy tftp: flash:
! enter the name of the new IOS file on the TFTP server when prompted

Verify by issuing:
# show flash:
This shows you the newly copied IOS file in flash. If there is not enough space in flash, delete the old IOS file first.

(config)# boot system flash:/<new-ios-image>

# reload

# show version

That's all.

Friday 13 February 2009

Spanning tree Protocol




SPANNING TREE



Spanning tree protocol is a Layer 2 protocol that ensures a loop-free topology; it is based on an algorithm invented by Radia Perlman.


Some of the main points to cram about STP are as under (soon I will add some Cisco-related troubleshooting commands and PVST stuff ............)



  • STP 802.1D was created to prevent loops in the network, and it is an industry standard protocol.

  • All the switches running STP send probes into the network, known as Bridge Protocol Data Units (BPDUs), to discover loops; these BPDUs also help to elect the ROOT BRIDGE, which is the core switch in the network.

  • In a redundant network running STP, switches find the best path to reach the elected root bridge and then block the rest of the redundant links.

  • BPDU packets are sent every 2 seconds from every active port of a switch to detect redundancy and link failure. This BPDU packet contains 2 major fields, MAC address and priority, which help to elect the root bridge.

  • The priority field in the BPDU can contain a value from 0 to 61440, but the default value is 32768, and lower is better.

In order to break a tie between switches having the default priority value, i.e. 32768, the MAC address kicks in, and the lower the MAC address the higher the priority. The lower the MAC address, the older the switch usually is ............. (hope you haven't got confused ;) ... so we do not want the older switch to be the root bridge; we need to configure the intended root bridge with a smaller priority value so that the election is decided on the basis of priority, not MAC address.


Three port types in STP:

Root port: this is the port used to reach the root bridge .... remember, the root bridge doesn't have any root port.

Designated port: a forwarding port; the port at the other end of the segment should be blocked.

Blocking / non-designated port: the port blocked by STP.

STP finds the best path by adding up the cost of the links, e.g. the cost of a 100 Mbps link is 19; if the link costs tie, the bridge ID breaks the tie.

Bridge ID = Priority + MAC address
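Added example (not from the post): the root bridge election and best-path selection rules above, implemented in Python. The bridge ID is compared as (priority, MAC), so a lower priority always wins and the MAC address only breaks ties; each switch then picks the lowest-cost path to the root using the classic 802.1D link costs, with the sender's bridge ID breaking cost ties. The three-switch topology is constructed, and the example also shows that lowering one switch's priority moves the root, which is the tuning the post recommends.

```python
import heapq

# Classic 802.1D port costs by link speed in Mbps (the post cites 19 for 100 Mbps).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """Bridge ID = priority + MAC; as a tuple, priority is compared first, MAC breaks ties."""
    return (priority, mac.lower())


def elect_root(switches):
    """switches: {name: (priority, mac)}. The lowest bridge ID becomes the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_path_costs(switches, links, root):
    """For every switch: (lowest cost to the root, neighbour that path goes through),
    i.e. where its root port points. Equal costs are broken by the lower bridge ID
    of the neighbour sending the BPDU. links: list of (switch_a, switch_b, mbps)."""
    adj = {name: [] for name in switches}
    for a, b, mbps in links:
        adj[a].append((b, PORT_COST[mbps]))
        adj[b].append((a, PORT_COST[mbps]))
    NO_SENDER = (-1, "")                   # the root receives no BPDU from anyone
    best = {root: (0, NO_SENDER, None)}    # name -> (cost, sender bridge id, via)
    heap = [(0, NO_SENDER, root)]
    while heap:
        cost, sender, node = heapq.heappop(heap)
        if (cost, sender) > best[node][:2]:
            continue                       # stale heap entry
        node_bid = bridge_id(*switches[node])
        for nbr, link_cost in adj[node]:
            candidate = (cost + link_cost, node_bid)
            if nbr not in best or candidate < best[nbr][:2]:
                best[nbr] = (cost + link_cost, node_bid, node)
                heapq.heappush(heap, (cost + link_cost, node_bid, nbr))
    return {name: (cost, via) for name, (cost, _, via) in best.items()}


def spanning_tree(switches, links):
    """Elect the root, then compute each switch's root path cost and root-port neighbour."""
    root = elect_root(switches)
    return root, root_path_costs(switches, links, root)


# Constructed topology: three switches at the default priority 32768, two gigabit
# links and one 100 Mbps link, so SW3's direct link to the root ends up blocked.
SWITCHES = {
    "SW1": (32768, "0000.0c00.0001"),
    "SW2": (32768, "0000.0c00.0002"),
    "SW3": (32768, "0000.0c00.0003"),
}
LINKS = [("SW1", "SW2", 1000), ("SW2", "SW3", 1000), ("SW1", "SW3", 100)]

if __name__ == "__main__":
    root, costs = spanning_tree(SWITCHES, LINKS)
    print("root bridge:", root)
    for name, (cost, via) in sorted(costs.items()):
        print(f"  {name}: cost {cost} via {via}")
    # Deliberately making SW3 the root: give it a lower priority than the rest.
    tuned = dict(SWITCHES, SW3=(4096, SWITCHES["SW3"][1]))
    print("root after lowering SW3 priority:", spanning_tree(tuned, LINKS)[0])
```

With all priorities at the default, SW1 wins purely on its lower MAC, and SW3 reaches it via SW2 at cost 4 + 4 = 8 rather than over the direct 100 Mbps link at cost 19, so that slower link is the one STP blocks.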

Per VLAN Spanning Tree

All modern Cisco switches run PVST, which runs one instance of spanning tree per VLAN.

One root bridge for each VLAN, which helps to load balance more effectively.

Tuesday 13 January 2009

Windows Shortcut Keys ...


Windows Shortcut Keys.............


In order to navigate faster on the computer, shortcut keys are very important for users to know. They decrease working time and improve the user's efficiency, especially the time taken to grab the mouse, point it and finally click or double-click ..................... Believe it or not ... but you should give it a try; it also helps to give a professional impression ;)

F1: Help

ALT+ENTER: opens property of selected item

ALT+TAB: Switch between open programs

ALT+F4: Quit program

SHIFT+DELETE: Delete item permanently

CTRL+ESC: Open Start menu

CTRL+ S: Save Open Document

CTRL + P: Print Selected Document

CTRL + F: Search in the opened file

CTRL + F2: see preview of document

F2: Rename any object selected

SHIFT Key: Press and hold shift key when inserting the CD-Rom to bypass the automatic run.

Windows Logo key +R: run dialog box

Windows Logo key +M: Minimise all open windows

Windows Logo key +F: Open search option

Windows Logo key +E: Open My computer

Windows Logo key +K: Lockdown the computer