
Thursday, June 9, 2016

ISP redundancy site design diagram example

Free example service level agreement (SLA) for your business.
Solution 1
Redundant site (ISP MTG, ISP True Tower)
  • The customer has a link connected to the ISP at either the MTG or the TTW site.
  • The International & Domestic Gateway is primary at MTG and backup at TTW.
  • The International & Domestic Gateway at MTG consists of multiple providers:
    • International link >> TIG, IIG, VSNL
    • Domestic link >> CAT-NIX, TIG-NIX, TOT-NIX and TI
  • Some of the International & Domestic providers have a backup route:
    • TIG >> primary link/site is at MTG and backup is at TTW (both International and Domestic)
  • The equipment on which the International & Domestic links are installed has redundant hardware (CPU, fan tray, power supply, port/interface etc.) and is under a maintenance contract.
  • If the primary site (MTG) goes down, the backup site automatically takes over.
  • UPS system & generator backup at both sites (MTG and True Tower)
Solution 2
Redundant ISP (primary), TI (backup)
  • The customer's traffic normally flows via the ISP.
  • If the ISP's Domestic service is totally down, the customer's Domestic traffic automatically flows via TI instead.
  • If the ISP's International service is totally down, the customer's International traffic automatically flows via TI instead.
  • If both the ISP's Domestic and International services are totally down, all of the customer's traffic automatically flows via TI instead.
Service Level Agreement

1. Guaranteed service level

1.1 Availability
The guaranteed availability of the services covered by the agreement is 99.7% in any calendar month; below this the service availability is classified as “reduced availability”. If the availability of the service falls below 99% in any calendar month then there is “excessive downtime”.

1.2 Network latency
If the average network latency in any calendar month for domestic Internet traffic exceeds 50 ms or for international traffic exceeds 350 ms then this is a case of reduced availability. If the average network latency in any calendar month for domestic Internet traffic exceeds 80 ms or for international traffic exceeds 500 ms then there is excessive latency downtime.

1.3 Packet loss
If the average packet loss in any calendar month for domestic Internet traffic exceeds 1% or for international traffic exceeds 3% then this is a case of reduced availability. If the average packet loss in any calendar month for domestic Internet traffic exceeds 2% or for international traffic exceeds 5% then there is excessive packet loss downtime.

2. Service level credits

2.1 Reduced availability
In case of reduced availability, ISP will credit designated service fees components up to the equivalent of the service fees during the number of days in the calendar month that the provided service level did not meet the guaranteed service levels.

2.2 Excessive downtime
In case of excessive downtime, ISP will credit designated service fees components up to 10% for every day that the provided service level did not meet the guaranteed service levels, with a maximum of the total service charge for that month.

2.3 Force majeure
ISP has committed, where possible, to redundant systems and/or providers for the services that are delivered to its customers. In case of service interruptions that are outside the influence of ISP, ISP reserves the right to adjust the service level credits to the level of the service credits that it receives from its suppliers, over whom ISP has no control. ISP will make reasonable endeavours to claim any damages of its clients from its providers.

3. Service delivery information

3.1 Statistics
On request and for certain connection types, ISP can activate bandwidth utilization statistics (MRTG) that can be made available to the customer through a web interface. These statistics can provide the customer with a global indication about his bandwidth utilization. The statistics cannot be used to determine the actual service level delivered by ISP since this depends on many factors one of which is the condition and throughput of the customer premises equipment, which is outside the area of control of ISP.

3.2 SMS alert
Instead of a pager alert, ISP can alert the customer by SMS. In that case the customer accepts that SMS services have non-priority status on the networks of mobile providers and will not hold ISP liable for any delays in the notification.

Tuesday, June 7, 2016

How to plan LAN/WAN Network Refresh Project: End-of-Life equipment

Basic requirements: Framing, Value Drivers, Deliverables, Definition of Success and Project Plan phases 1-5, for example
Network Refresh Project
Network Refresh Framing Document
  • Domestic sites with end of life equipment 
    • LAN edge switches
    • WAN routers
    • Equipment that has been in service for 5-7 years
    • Backup power supplies
  • Telecom closet assessment/audit
  • Power over Ethernet capabilities
  • Sites with appropriate infrastructure to support power requirements
  • Deployment of a standard architecture across all sites including equipment and protocols
  • Compliance with security standards
  • Removal of end of life equipment
  • Self-contained rack units for sites without a telecom closet
  • Capitalized labor for remote offices that cannot be serviced by field team
Network Refresh Value Drivers
  • Reliability of the infrastructure supporting business critical applications and processes.
    • Reduced network downtime
    • Reduced MTTR
    • Increased redundancy
    • Decreased latency, higher bandwidth
  • Increased consistency and standardization of the WAN/LAN network.
    • Reduced cost of operating infrastructure
    • Reduced variance/variability in network infrastructure
  • Network readiness and scalability to support future IT initiatives and business needs
    • Video Conferencing, IPT, PoE support
  • Cost Avoidance/Savings
    • Mitigation of costs associated with increased equipment failures
    • Reduction in hardware and maintenance costs
    • Consolidation of hardware
  • Alignment with Enterprise Architecture roadmap 
Key Business Deliverables
  • Network Infrastructure – Upgraded LAN switches with PoE capability 
  • Increased bandwidth – Ability to accommodate additional traffic and support applications such as IPT and Video Conferencing.
  • Higher reliability/redundancy – Reduction of downtime and business incidents related to the LAN infrastructure
  • PoE capabilities – Ability to support IPT infrastructure
  • Reduced complexity of the LAN infrastructure – Reduction in overall cost of maintaining the LAN environment
Definition of Success
Vision of Success:  What does success look like with the Future/Desired state?
Full replacement of all End of Support Network switches and routers, resulting in a more reliable and supportable network, that is prepared to meet the future business and IT needs of the company.
Critical Success Factors:  What factors will ensure that the vision of success is met?
  • Incident Free deployments (No Business/Safety Incidents as a result of swapping out equipment.)
  • Project Schedule and Milestones completed on time.
  • Project completed within budget.
  • Infrastructure in Telecom closets is capable of supporting the new devices.
Success Metrics
  • Results:  Project completed on schedule, within budget, and resulting in a more reliable and supportable network.  
  • Business Incident Avoidance:
  • Financial Measures:

Phase 1
  • Gather information about the current network and understand business constraints 
Phase 2
  • Identify, Develop, and Select Alternatives:
  • Identified alternatives
  • Gather pricing on each alternative
  • Conduct Technical Reviews of each alternative
  • Develop selection criteria and weights to select an alternative
  • Complete high level design 
  • Complete the business requirement with project team and stakeholder
Phase 3
  • Design VLAN
  • Design IP Address For LAN, Server, Network Device, etc…
  • Design and support documentation 
  • Request approval to implement the system
Phase 4
  • Wire fiber optic cable and CAT6 LAN cable
  • Install and set up network devices
  • Test and tune the system; install the monitoring tool
Phase 5
  • Review the development, implementation and benefits of the LAN improvement project.
  • Training and documentation
Close out the project.

Catalyst 4506 replacement guide

Brief Description: Replacement of the 5513 due to numerous problems which led to network degradation. A new 4500 will take its place.
Action / description | Who | What is deliverable? | Status
1 Prep
1.1 Assign IP address | Local-IT | Fri 7 Sep 2007 (116.40.193.5 for testing; change it back to 116.40.193.4 when configuration is complete) | DONE
1.2 Drawing | Regional | |
1.3 Pre-configure and connect to network | Local-IT | Monday, September 10, 2007; inform Regional | DONE
1.4 Configuration | Regional | Tuesday, September 11, 2007 |
1.5 Prepare CEMS change | Regional | Tuesday, September 11, 2007 | DONE
1.6 Outage announcement | Local-IT | Tuesday, September 11, 2007 | DONE
1.7 Testing the switch before cutover | Regional | Friday, September 14, 2007 | DONE
2 Actual cutover | | Saturday, September 15, 2007, 08:30 a.m. to 05:00 p.m. |
2.1 Cabling | Local-IT | 8:30 am – 01:00 pm |
2.2 Physical replacement of the switch | Local-IT | 01:00 pm – 03:00 pm |
2.3 Testing: 2.3.1 Soft test; 2.3.2 Physical test (end-user point signal check) | Regional, Local-IT | 03:00 pm – 05:00 pm |
3 Post install
3.1 Documentation | Regional | |
3.2 Config revisions | Regional | |
3.3 CEMS enrollment | Regional | |
Note: All times shown here are Bangkok time.


Detail Description: Before the cutover:
- Pre-configure the 4500 switch. Ports should be on VLAN 15 (116.40.193.0/24). Must follow NST guides.
- Assign 116.40.193.5 as the management IP.
- Test that a PC connected to a port obtains an address by DHCP.
- Burn-in test.

Cutover:
- Shut down the 5513.
- Clear out unnecessary cables in the cabinet.
- Mount the 4500.
- Check connectivity with the core switch.
- Try getting an IP address from the DHCP server.

Impact: No network connectivity on Floor 15. Users are asked to move to other floors during the activity.

Resources Impacted:  THBKKSL4-5513

Thursday, July 17, 2014

Configuration examples Route Map and Policy-Based Routing

This article shows how to use Policy-Based Routing so that different default routes are used depending on the source IP address. Let me show you the diagram and the configuration steps. The example below covers basic route-map configuration.
The previous diagram illustrates the structure of Route Map and Policy-Based Routing
IP Address Assignment:
  • VLAN 10  Management VLAN        IP address: 146.10.50.xx/24
  • VLAN 20  Server VLAN            IP address: 146.20.50.xx/24
  • VLAN 30  Wireless LAN VIP       IP address: 146.30.50.xx/24
  • VLAN 31  Wireless LAN Visitor   IP address: 146.30.50.xx/24
  • VLAN 40  Workstation VLAN       IP address: 146.40.50.xx/24
Step 1 - Defining an ACL
Create a simple ACL:
  SGHQSL1-4506(config)#ip access-list extended WVIP
  SGHQSL1-4506(config-ext-nacl)#permit ip host 146.30.50.31 any
  SGHQSL1-4506(config-ext-nacl)#permit ip host 146.30.50.32 any
  SGHQSL1-4506(config)#ip access-list extended WVISITOR
  SGHQSL1-4506(config-ext-nacl)#permit ip 146.31.50.65 0.0.0.255 any

Step 2 - Creating a route-map
To create a route-map, go into route-map configuration mode, like this:
  SGHQSL1-4506(config)#route-map InternetWVISITOR permit 5
  SGHQSL1-4506(config-route-map)#match ip address WVISITOR
  SGHQSL1-4506(config-route-map)#set ip next-hop 146.10.50.15
  SGHQSL1-4506(config)#route-map InternetWVIP permit 10
  SGHQSL1-4506(config-route-map)#match ip address WVIP
  SGHQSL1-4506(config-route-map)#set ip next-hop 146.10.50.12
In this example, all traffic permitted by access-list WVIP has its next hop changed to 146.10.50.12, and all traffic permitted by access-list WVISITOR has its next hop changed to 146.10.50.15.

Step 3 - Applying the route-map to the interface
Next, you need to apply this policy/route-map to the interface where the traffic is coming in.
  SGHQSL1-4506(config)#interface Vlan30
  SGHQSL1-4506(config-if)#ip policy route-map InternetWVIP
  SGHQSL1-4506(config)#interface Vlan31
  SGHQSL1-4506(config-if)#ip policy route-map InternetWVISITOR

Some helpful commands to monitor and verify the access lists, route-maps and IP policy:
SGHQSL1-4506#sh ip policy
Interface      Route map
Vlan30         InternetWVIP
Vlan31         InternetWVISITOR
SGHQSL1-4506#sh route-map
route-map InternetWVIP, permit, sequence 10
  Match clauses:
    ip address (access-lists): VIP
  Set clauses:
    ip next-hop 146.10.50.12
  Policy routing matches: 17846460 packets, 2246593826 bytes
route-map InternetWVISITOR, permit, sequence 10
  Match clauses:
    ip address (access-lists): wlan
  Set clauses:
    ip next-hop 146.10.50.15
  Policy routing matches: 2450155 packets, 322873006 bytes

SGHQSL1-4506#sh access-lists WVIP
Extended IP access list WVIP
    10 permit ip host 146.30.50.31 any
    20 permit ip host 146.30.50.32 any (278 matches)
SGHQSL1-4506#sh access-lists WVISITOR
Extended IP access list WVISITOR
    10 permit ip 146.31.50.65 0.0.0.255 any (2470017 matches)
Note: The traffic that does not match the policy uses the default route configured in the core switch.
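To check what the three steps above actually do to a packet, here is an added Python model of IOS policy routing (example code written for this edit, not the post's own configuration or tooling). It encodes the two ACLs, the two route-maps and the interface bindings from the post, with IOS wildcard-mask matching, first-match ACL semantics, route-map sequence ordering and the fall-through to the core switch's default route (represented by the assumed placeholder CORE_DEFAULT_ROUTE) when nothing matches:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed placeholder standing in for the core switch's ordinary default route,
# which the post says handles any traffic the policy does not match.
CORE_DEFAULT_ROUTE = "core-default-route"


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str                # address written in the ACE ("host x" -> wildcard 0.0.0.0)
    wildcard: str = "0.0.0.0"   # IOS wildcard mask: a 1 bit means "don't care"

    def matches(self, src: str) -> bool:
        s = int(ipaddress.IPv4Address(src))
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        return (s & ~w) == (a & ~w)


def acl_permits(entries: List[AclEntry], src: str) -> bool:
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for entry in entries:
        if entry.matches(src):
            return entry.action == "permit"
    return False


@dataclass
class Clause:
    sequence: int
    acl: str                         # match ip address <acl>
    next_hop: Optional[str] = None   # set ip next-hop <address>
    action: str = "permit"


def policy_next_hop(clauses: List[Clause], acls: Dict[str, List[AclEntry]],
                    src: str) -> Tuple[Optional[int], str]:
    """Walk the route-map in sequence order; return (sequence, next hop)."""
    for clause in sorted(clauses, key=lambda c: c.sequence):
        if acl_permits(acls[clause.acl], src):
            if clause.action == "permit" and clause.next_hop:
                return clause.sequence, clause.next_hop
            # A deny clause, or a permit without a set, means: route normally.
            return clause.sequence, CORE_DEFAULT_ROUTE
    return None, CORE_DEFAULT_ROUTE


# The ACLs, route-maps and interface bindings from the post.
ACLS = {
    "WVIP": [AclEntry("permit", "146.30.50.31"), AclEntry("permit", "146.30.50.32")],
    "WVISITOR": [AclEntry("permit", "146.31.50.65", "0.0.0.255")],
}
ROUTE_MAPS = {
    "InternetWVIP": [Clause(10, "WVIP", "146.10.50.12")],
    "InternetWVISITOR": [Clause(5, "WVISITOR", "146.10.50.15")],
}
INTERFACE_POLICY = {"Vlan30": "InternetWVIP", "Vlan31": "InternetWVISITOR"}


def route_packet(ingress: str, src: str) -> Tuple[Optional[int], str]:
    """Apply the 'ip policy route-map' of the ingress interface to a packet from src."""
    route_map = INTERFACE_POLICY.get(ingress)
    if route_map is None:              # interface has no policy: normal routing
        return None, CORE_DEFAULT_ROUTE
    return policy_next_hop(ROUTE_MAPS[route_map], ACLS, src)


if __name__ == "__main__":
    for ingress, src in [("Vlan30", "146.30.50.31"), ("Vlan30", "146.30.50.40"),
                         ("Vlan31", "146.31.50.200"), ("Vlan40", "146.40.50.7")]:
        print(ingress, src, "->", route_packet(ingress, src))
```

Because a route-map clause is selected purely by source address, the per-interface binding (InternetWVISITOR on Vlan31 only) is what keeps visitor traffic from ever being evaluated against the VIP clause; the model makes that visible by returning the default route for a VIP address that arrives on the visitor interface.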

Friday, January 3, 2014

SNMP Version 3 Concepts, Configuration and Perform snmpwalk

This should give you an idea of how SNMPv3 works and how to configure it on your Cisco devices.

SNMP Concepts
SNMP is an application-layer protocol; by default it uses UDP port 161 for general SNMP messages and UDP port 162 for SNMP trap messages, and it defines a method of communication between networking devices and a central manager for monitoring and managing those devices.

SNMP Versions
There are three different versions of SNMP that can be configured:

  • SNMPv1 - This was the original version of SNMP; SNMPv1 utilizes a community based security mechanism.
  • SNMPv2c - This was created to update a number of little things within SNMPv1; SNMPv2c utilizes a community based security mechanism.
  • SNMPv3 - This was developed to provide a much higher level of security than either previous version. Several security features are implemented within the SNMPv3 standard; these include:
    - Message integrity
    - Authentication
    - Encryption
SNMPv3 is an improvement over v2c and v1, adding security features such as privacy (DES, 3DES, AES) and authentication (MD5, SHA).
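The auth password an SNMPv3 user is given is never sent or stored as-is: RFC 3414 stretches it into a key and then localizes that key with the agent's engine ID (the value that `show snmp engineID` prints). The following Python is an added example of that derivation, written for this edit rather than taken from the post; it uses the public RFC 3414 test vector, and the second engine ID is a constructed value:

```python
import hashlib

# RFC 3414 A.2 stretches the password to exactly 1,048,576 bytes before hashing.
STRETCH_LENGTH = 1048576


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """Ku: repeat the password end to end to 1 MiB and hash it once (MD5 or SHA-1)."""
    raw = password.encode()
    if not raw:
        raise ValueError("password must not be empty")
    stretched = (raw * (STRETCH_LENGTH // len(raw) + 1))[:STRETCH_LENGTH]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent (RFC 3414 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id_hex: str, hash_name: str = "md5"):
    """Return (Ku, Kul) as hex strings for a password and an agent's engine ID."""
    ku = password_to_key(password, hash_name)
    kul = localize_key(ku, bytes.fromhex(engine_id_hex), hash_name)
    return ku.hex(), kul.hex()


if __name__ == "__main__":
    # Public test vector from RFC 3414 A.3.1 (not a credential from the post).
    rfc_engine = "000000000000000000000002"
    ku, kul = usm_keys("maplesyrup", rfc_engine, "md5")
    print("Ku :", ku)
    print("Kul:", kul)
    # Same password, a different agent (constructed engine ID): different localized key.
    print("other agent:", usm_keys("maplesyrup", "800000090300aabbccddeeff", "md5")[1])
```

The localization step is why the same password yields a different key on every device, and why a key recovered from one agent's configuration is of no use against another agent, which is the defender's gain over a community string that is identical everywhere. The priv key for DES or AES is derived from the priv password by the same two steps.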

I created the username nagios with password stal1148 on the network device (130.30.230.1) to test SNMPv3 from the Nagios monitoring system.

SNMP V3
Here is an example using SNMP version 3:
CC-CSW-A01(config)#snmp-server group cisconetwork v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level
CC-CSW-A01(config)#snmp-server group cisconetwork v3 pri
CC-CSW-A01(config)#snmp-server group cisconetwork v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

Verifying SNMP Version 3:
Perform this task to verify the SNMPv3 configuration. The show commands can be entered in any order.
CC-CSW-A01#show running-config | incl snmp
CC-CSW-A01#show snmp group
CC-CSW-A01#show snmp user
CC-CSW-A01#show snmp engineID
CC-CSW-A01#show snmp sessions
CC-CSW-A01#show snmp trap

To test from the CLI on the Nagios monitoring system :
Test Monitor CPU:
[root@NAGIOS libexec]# ./check_snmp_load.pl -v -H 130.30.230.1 -l nagios -x stal1148 -T splat -w 95 -c 100
Alarm at 60 + 5
SNMPv3 login
SNMPv3 AuthNoPriv login : nagios, md5
Checking OID : 1.3.6.1.4.1.2620.1.6.7.2.2.0
OID returned 0
CPU used 0.0% (<95) : OK .........

Test Monitor Disk Space:
[root@FRNAGIOS libexec]# ./check_snmp_storage.pl -v -H 130.30.230.1 -l nagios -x stal1148 -m / -w 80 -c 90
Alarm at 60
SNMPv3 login
SNMPv3 AuthNoPriv login : nagios, md5
Filter : /
OID : 1.3.6.1.2.1.25.2.3.1.3.102, Desc : Swap Space
OID : 1.3.6.1.2.1.25.2.3.1.3.3, Desc : /opt
   Name : /opt, Index : 3
OID : 1.3.6.1.2.1.25.2.3.1.3.101, Desc : Real Memory .........

Test Monitor Interface:
[root@NAGIOS libexec]# ./check_snmp_int.pl -v -H 130.30.230.1 -l nagios -x stal1148 -n eth1 -k -w 0,0 -c 0,0 -B -r -t 60
Alarm at 60 + 5
SNMPv3 AuthNoPriv login : nagios, md5
Filter : eth1
OID : 1.3.6.1.2.1.2.2.1.2.1, Desc : lo
OID : 1.3.6.1.2.1.2.2.1.2.14, Desc : eth13
OID : 1.3.6.1.2.1.2.2.1.2.20, Desc : eth11.2054 .........

Configuring SNMPv3 rather than SNMPv2c is highly recommended due to the increased security capabilities. Now stop using the insecure SNMPv1 and SNMPv2c on your production networks!

Wednesday, January 1, 2014

Guideline for Approving Vendor and Example Of Compare Vendor Spreadsheet

Guideline for requesting a new vendor or purchasing/upgrading hardware or software with a new vendor. I guide you through a highly effective, tried and tested method which simplifies the process and ultimately helps you make the right choice. There are main reasons to show why you select some sources in order to support; the vendor status can be approved, unapproved, or inactive if you do not have sufficient reasons. I have presented 3 shared cases that typically help customers, as in the following sample:
Process Impacted
To upgrade lease line link for Site A – Site B connection from 2Mbps to 10Mbps with Verizon MPLS
Nature and description of Exception
  1. Thailand uses Verizon MPLS @ 2Mbps for point-to-point between Site A and Site B.
  2. Verizon MPLS is the biggest Telecom service provider in Thailand (state enterprise company).
  3. Verizon MPLS has provided good service performance based on past experience.
Justification
  1. We chose to upgrade this link with Verizon (the current vendor) since Verizon is the only Telecom service provider in Thailand with its own infrastructure in Singapore for the MPLS connection.
  2. Upgrading MPLS with the current vendor will not involve much technical change and testing. We also expect fewer operational problems for ongoing support.

Process Impacted
Provide the country wide WAN network service to 12 remote offices around Thailand
Nature and description of Exception
  1. Thailand's network infrastructure is provided by a small number of major telecommunication vendors, and each owns a different license depending on the type of service technology and coverage area; for example True (Telecom service provider) specialises in land-line service in Bangkok and nearby cities, and True is also expanding to other major cities.
  2. Since our company uses main links from True at both the HQ office and the branch, and our company strongly requires the highest network availability, True (Telecom service provider) can establish service through its partners in areas where True has no service of its own.
  3. True (Telecom service provider) is selected as a single point of contact for our company's WAN network service.
Justification
  1. True (Telecom service provider) is selected because True is the strongest and most critical service vendor in Bangkok, and our company gateway is in the Bangkok area.
  2. Even though True has no service in some cities, True (Telecom service provider) can partner well with other telecommunication vendors, and there is no single vendor who can provide WAN service to all cities in Thailand.
  3. The Thailand network is in a migration process and may change to other technology and also change IT service group; changing to another vendor would create a high impact on business unit operations.

Process Impacted
Maintenance service contract for 40 CISCO network devices that are critical to our company's (Thailand) business operation
Nature and description of Exception
  1. Our company applies a global contract with CISCO and only recommended CISCO devices can be used in our company IT infrastructure; purchase price and conditions are agreed at the corporate level.
  2. In Thailand, CISCO recommends Datacraft (as CISCO’s gold partner distributor), and Datacraft is a big regional firm in Asia-Pacific.
  3. Among the other CISCO partners and distributors, Datacraft is better in sales support relations and service performance based on past performance, and I see no critical point in selecting and comparing a new vendor under the same global price and service conditions (cost is already fixed).
Justification
  1. Since our company (Thailand) applies the regional price, the only comparative point is vendor service performance, and Datacraft has not shown any critically poor service performance in the past.

Use this template to create a list of vendors for your business.
Example of compare vendor spreadsheet (screenshot)

Saturday, November 16, 2013

How to find specific mac address or IP address in a Cisco Switch port

Tricks and tips a network admin should know when working on enterprise switches. These commands will help you work faster. If you know the IP address of the device, try to ping it from within the switch. If the device is pingable, then run a simple sh ip arp command. This command will show the MAC address of the device.

TB-CS-4506#
TB-CS-4506#ping 142.30.15.254                                                        ## Step 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.30.15.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

TB-CS-4506#
TB-CS-4506#sh ip arp 142.30.15.254                                                ## Step 2
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  142.30.15.254         140   18ef.63dc.aacd  ARPA   Vlan20

Then, run the show mac address-table command on the switch. This shows the port on which that MAC address was learned, i.e. the port the device is connected to (or through which it is reached).

TB-CS-4506# 
TB-CS-4506#sh mac address-table address 18ef.63dc.aacd         ## Step 3
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    18ef.63dc.aacd    DYNAMIC     Gi2/0/5
Total Mac Addresses for this criterion: 1
TB-CS-4506#

This indicates that the device is connected to port GigabitEthernet2/0/5. There you can find the device.


Note: You can use the commands below to find a device on a different subnet:
"ping ip" then "show ip arp | include <mac address>" or "show cdp neighbors detail | begin <mac address>"
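The three steps above lend themselves to a script when a device has to be found quickly (a suspect host during an incident, for instance). The Python below is an added example for this edit, not code from the post: it parses the `show ip arp` and `show mac address-table` output shown above (embedded here as sample input), normalizes MAC notations, and chains the two lookups into IP -> MAC -> port:

```python
import re
from typing import Dict, Optional

# Sample command output copied from the post (TB-CS-4506), used as test input.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  142.30.15.254         140   18ef.63dc.aacd  ARPA   Vlan20
"""
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    18ef.63dc.aacd    DYNAMIC     Gi2/0/5
Total Mac Addresses for this criterion: 1
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(" + CISCO_MAC +
                    r")\s+ARPA\s+(\S+)", re.M | re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + CISCO_MAC + r")\s+(STATIC|DYNAMIC)\s+(\S+)",
                    re.M | re.I)


def to_cisco_mac(mac: str) -> str:
    """Normalise 18:EF:63:DC:AA:CD / 18-ef-63-dc-aa-cd / 18ef63dcaacd to 18ef.63dc.aacd."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def arp_lookup(arp_output: str, ip: str) -> Optional[Dict[str, str]]:
    """Step 2: find the MAC (and SVI) for an IP in 'show ip arp' output.
    Incomplete entries carry no MAC and therefore never match."""
    for m in ARP_RE.finditer(arp_output):
        if m.group(1) == ip:
            return {"mac": m.group(3).lower(), "age": m.group(2), "interface": m.group(4)}
    return None


def mac_lookup(mac_table_output: str, mac: str) -> Optional[Dict[str, str]]:
    """Step 3: find VLAN, learning type and port for a MAC in 'show mac address-table'."""
    wanted = to_cisco_mac(mac)
    for m in MAC_RE.finditer(mac_table_output):
        if m.group(2).lower() == wanted:
            return {"vlan": m.group(1), "type": m.group(3).upper(), "port": m.group(4)}
    return None


def locate(arp_output: str, mac_table_output: str, ip: str) -> Optional[Dict[str, str]]:
    """IP -> MAC -> switch port, combining both lookups; None if either step fails."""
    arp = arp_lookup(arp_output, ip)
    if arp is None:
        return None
    entry = mac_lookup(mac_table_output, arp["mac"])
    if entry is None:
        return None
    return {"ip": ip, **arp, **entry}


if __name__ == "__main__":
    print(locate(ARP_OUTPUT, MAC_TABLE_OUTPUT, "142.30.15.254"))
```

A DYNAMIC entry ages out of the table once the host goes quiet, so a lookup that returns None is worth repeating after a fresh ping, exactly as Step 1 suggests.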
 

How to configure SNMP cisco and basic commands for Snmpwalk

This article guides you through the steps to enable SNMP on Cisco routers and switches, including how to apply security in the configuration of the underlying devices. This makes the devices more secure, in line with the practice of international companies worldwide.

Cisco SNMP Agent
 
Here's an example:
  1. Telnet to the switch/router
    C:\Users\LAX>telnet THHQCE7-3845
  2. Enter the Enable mode
    THHQCE7-3845> enable
    Password:
    THHQCE7-3845#
  3. Enter Config Mode
    THHQCE7-3845# configure terminal
  4. Use the commands below to add a read-only and a read-write community string
    THHQCE7-3845(config)# snmp-server community 14all3$$ RO
    THHQCE7-3845(config)# snmp-server community gds4chv1 RW
Configuration examples for snmp-server settings:
   snmp-server community 14all3$$ RO 30
   snmp-server community gds4chv1 RW 10
   snmp-server community mrtg RO 1300
   snmp-server community VBCCrep0rting RO 1333
   snmp-server ifindex persist
   snmp-server trap-source Loopback0
   snmp-server location THHQCE7-3845: Facility-Code THHQ, Offshore (Thailand) Ltd, Bangkok7th floor, Building BB, 123 Vibhavadi Road, Jatujak, Bangkok 10900
   snmp-server contact network operations 66-6428 xxxx
   snmp-server enable traps tty
   snmp-server enable traps config
   snmp-server host 172.20.71.201 Voyence  config
   snmp-server host 172.20.3.35 Voyence  config
   snmp-server host 172.20.71.201 config
   snmp-server host 172.20.9.201 config

Next, I highly recommend configuring SNMP so that it is secure. If you want to secure the communication between the network monitoring tool (WhatsUp, SolarWinds, Nagios) and the switches/routers you will have to use SNMPv3.

ACL SNMP setting example:
   !<----- ACL 10 for Read Write, ACL 30 for Read Only
   !
   ! ACL 10 – SNMP READ WRITE
   !
   no access-list 10
   access-list 10 permit 172.27.124.18 log
   access-list 10 permit 136.171.124.18 log
   access-list 10 permit 172.20.71.200 log
   access-list 10 permit 172.20.9.200 log
   access-list 10 permit 172.20.50.21 log
   access-list 10 permit 172.20.46.70 log
   access-list 10 deny any log
   !
   !
   ! ACL 30 – SNMP READ ONLY
   !
   no access-list 30
   access-list 30 permit 172.20.46.89 log
   access-list 30 permit 172.20.46.114 log
   access-list 30 permit 172.20.50.22 log
   access-list 30 permit 172.20.32.5 log
   access-list 30 permit 172.20.46.5 log
   access-list 30 permit 172.20.46.6 log
   access-list 30 permit 172.20.46.8  log
   access-list 30 deny any log
   !
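The value of the community-plus-ACL setup above is easy to lose through a typo, an undefined ACL number or a forgotten RW string. The Python below is an added example (written for this edit, not part of the post): it parses `snmp-server community` and standard `access-list` lines, answers whether a given manager address could use a community, and flags the configurations a reviewer would want to see. The excerpt it parses combines the post's own lines with one constructed `public RW` line; it treats a community bound to an access-list number that is not defined as unfiltered, which is the safe assumption for an audit:

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed config excerpt: the community and access-list lines are the post's;
# the 'public RW' line is added here to show what the audit flags.
SAMPLE_CONFIG = """\
snmp-server community 14all3$$ RO 30
snmp-server community gds4chv1 RW 10
snmp-server community VBCCrep0rting RO 1333
snmp-server community public RW
access-list 10 permit 172.20.71.200 log
access-list 10 permit 172.20.9.200 log
access-list 10 deny any log
access-list 30 permit 172.20.46.89 log
access-list 30 permit 172.20.46.114 log
access-list 30 permit 172.20.50.22 log
access-list 30 permit 172.20.32.5 log
access-list 30 permit 172.20.46.5 log
access-list 30 permit 172.20.46.6 log
access-list 30 permit 172.20.46.8  log
access-list 30 deny any log
"""

COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$", re.I)
STD_ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)"
                        r"(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+log)?\s*$")

Community = Tuple[str, str, Optional[str]]   # (string, RO/RW, acl number or None)
AclEntry = Tuple[str, str, str]              # (action, address or "any", wildcard)


def parse_config(text: str) -> Tuple[List[Community], Dict[str, List[AclEntry]]]:
    """Collect community definitions and numbered standard ACL entries in order."""
    communities: List[Community] = []
    acls: Dict[str, List[AclEntry]] = {}
    for line in text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append((m.group(1), m.group(2).upper(), m.group(3)))
            continue
        m = STD_ACL_RE.match(line)
        if m:
            number, action, address, wildcard = m.groups()
            acls.setdefault(number, []).append((action, address, wildcard or "0.0.0.0"))
    return communities, acls


def std_acl_permits(entries: List[AclEntry], ip: str) -> bool:
    """First match wins; falling off the end is the implicit deny."""
    n = int(ipaddress.IPv4Address(ip))
    for action, address, wildcard in entries:
        if address == "any":
            return action == "permit"
        a = int(ipaddress.IPv4Address(address))
        w = int(ipaddress.IPv4Address(wildcard))
        if (n & ~w) == (a & ~w):
            return action == "permit"
    return False


def manager_allowed(acls: Dict[str, List[AclEntry]], acl_ref: Optional[str], ip: str) -> bool:
    """Could a manager at ip use a community bound to acl_ref?
    No ACL, or an ACL number that is not defined, leaves the community unfiltered."""
    if acl_ref is None or acl_ref not in acls:
        return True
    return std_acl_permits(acls[acl_ref], ip)


def audit(communities: List[Community], acls: Dict[str, List[AclEntry]]) -> List[str]:
    """Findings a reviewer would raise about the community configuration."""
    findings = []
    for name, mode, acl in communities:
        if acl is None:
            findings.append(f"{name}: {mode} community with no access-list, reachable from any source")
        elif acl not in acls:
            findings.append(f"{name}: references access-list {acl}, which is not defined (no filtering)")
        if mode == "RW":
            findings.append(f"{name}: RW community; restrict tightly or move writes to SNMPv3")
        if name.lower() in {"public", "private"}:
            findings.append(f"{name}: well-known default community string")
    return findings


if __name__ == "__main__":
    comms, acls = parse_config(SAMPLE_CONFIG)
    for finding in audit(comms, acls):
        print(finding)
    print("172.20.46.89 via ACL 30:", manager_allowed(acls, "30", "172.20.46.89"))
```

The `log` keyword on the post's deny entries is what makes the ACL useful for detection as well as prevention: every refused query from an unexpected source shows up in the device log, which is the signal to watch for scanning of SNMP.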


Testing:
   To test the new configuration, use snmpwalk on the Linux server running your network monitoring tools

   [root@ARNAG libexec]#snmpwalk -v 2c -c COMMUNITYSTRING IPADDRESS
   [root@ARNAG libexec]# snmpwalk -v2c -c Savvi148 172.20.1.35
   SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
   Technical Support: http://www.cisco.com/techsupport
   Copyright (c) 1986-2013 by Cisco Systems, Inc.
   Compiled Mon 28-Jan-13 10:28 by prod_rel_team
   SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.1208
   DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (209528058) 24 days, 6:01:20.58
   SNMPv2-MIB::sysContact.0 = STRING:
   SNMPv2-MIB::sysName.0 = STRING: THHQSL2-2960S
   SNMPv2-MIB::sysLocation.0 = STRING:
   SNMPv2-MIB::sysServices.0 = INTEGER: 6
   SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
   SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::enterprises.9.7.129
   SNMPv2-MIB::sysORID.2 = OID: SNMPv2-SMI::enterprises.9.7.115
   SNMPv2-MIB::sysORID.3 = OID: SNMPv2-SMI::enterprises.9.7.265
   SNMPv2-MIB::sysORID.4 = OID: SNMPv2-SMI::enterprises.9.7.112
   SNMPv2-MIB::sysORID.5 = OID: SNMPv2-SMI::enterprises.9.7.106
   SNMPv2-MIB::sysORID.6 = OID: SNMPv2-SMI::enterprises.9.7.47
   SNMPv2-MIB::sysORID.7 = OID: SNMPv2-SMI::enterprises.9.7.122
   SNMPv2-MIB::sysORID.8 = OID: SNMPv2-SMI::enterprises.9.7.135
   SNMPv2-MIB::sysORID.9 = OID: SNMPv2-SMI::enterprises.9.7.43
   SNMPv2-MIB::sysORID.10 = OID: SNMPv2-SMI::enterprises.9.7.37

These are the commands to check Input/Output Discards and Input/Output Errors:
   [root@ARNAG libexec]#snmpwalk -Ofn -v 1 -c Savvi148 172.30.1.20 1.3.6.1.2.1.2.2.1.19
         "ifOutDiscards"  "1.3.6.1.2.1.2.2.1.19"
   [root@ARNAG libexec]#snmpwalk -Ofn -v 1 -c Savvi148 172.30.1.20 1.3.6.1.2.1.2.2.1.13
         "ifInDiscards"  "1.3.6.1.2.1.2.2.1.13"
   [root@ARNAG libexec]#snmpwalk -v2c -c Savvi148 172.20.1.20 .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry
         1.3.6.1.2.1.2.2.1.13
         .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInDiscards
         .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInErrors
         .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutDiscards
         .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutErrors
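Walking the IF-MIB counters above gives absolute values since boot, one row per ifIndex and column. The Python below is an added example for this edit (not the post's code) that parses `snmpwalk -Ofn` output for those columns into a per-interface table, reports interfaces whose discard or error counters exceed a threshold, and shows the wrap-safe delta needed when comparing two polls of a Counter32; the walk output it parses is constructed, not captured from the post's devices:

```python
import re
from typing import Dict, List, Tuple

# ifEntry columns under 1.3.6.1.2.1.2.2.1 (IF-MIB), numeric form as printed by snmpwalk -Ofn
IF_ENTRY = "1.3.6.1.2.1.2.2.1"
COLUMNS = {2: "ifDescr", 13: "ifInDiscards", 14: "ifInErrors",
           19: "ifOutDiscards", 20: "ifOutErrors"}
LINE_RE = re.compile(r"^\.?" + re.escape(IF_ENTRY) + r"\.(\d+)\.(\d+) = (\w+): (.*)$")

# Constructed walk output in the post's -Ofn style (not captured from the post's devices).
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.1 = STRING: Vlan1
.1.3.6.1.2.1.2.2.1.2.10101 = STRING: GigabitEthernet1/0/1
.1.3.6.1.2.1.2.2.1.2.10102 = STRING: GigabitEthernet1/0/2
.1.3.6.1.2.1.2.2.1.13.1 = Counter32: 0
.1.3.6.1.2.1.2.2.1.13.10101 = Counter32: 1523
.1.3.6.1.2.1.2.2.1.13.10102 = Counter32: 0
.1.3.6.1.2.1.2.2.1.14.10101 = Counter32: 7
.1.3.6.1.2.1.2.2.1.19.10101 = Counter32: 0
.1.3.6.1.2.1.2.2.1.20.10102 = Counter32: 0
"""


def parse_if_walk(text: str) -> Dict[int, Dict[str, object]]:
    """Group rows by ifIndex; counters become ints, ifDescr stays a string."""
    table: Dict[int, Dict[str, object]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column, index, kind, value = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        name = COLUMNS.get(column)
        if name is None:          # a column this report does not use
            continue
        row = table.setdefault(index, {})
        row[name] = int(value) if kind.startswith("Counter") or kind == "INTEGER" else value
    return table


def counter_delta(previous: int, current: int, bits: int = 32) -> int:
    """Counters only grow since boot; the difference between two polls, wrap-safe."""
    return (current - previous) % (1 << bits)


def interfaces_over(table: Dict[int, Dict[str, object]], threshold: int) -> List[Tuple[str, str, int]]:
    """(ifDescr, counter, value) for every error/discard counter above threshold."""
    hits = []
    for index in sorted(table):
        row = table[index]
        for name in ("ifInDiscards", "ifInErrors", "ifOutDiscards", "ifOutErrors"):
            value = row.get(name, 0)
            if isinstance(value, int) and value > threshold:
                hits.append((str(row.get("ifDescr", index)), name, value))
    return hits


if __name__ == "__main__":
    table = parse_if_walk(SAMPLE_WALK)
    print(interfaces_over(table, 100))
    print(counter_delta(4294967290, 5))
```

A monitoring check should alert on the rate from `counter_delta` between polls rather than on the absolute value, otherwise an interface that had one bad week months ago stays in alarm until the next reboot.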



Saturday, June 8, 2013

Configure Netflow For Cisco Router Switch IOS - Example


The benefits we get when we enable the NetFlow feature are real-time monitoring of host behaviour and traffic analysis to identify threats, and extensive network performance reports including top talkers, interface utilization, exporter tracking, etc. I have a screenshot for your clarification.
NetFlow Collection on Cisco IOS
Below is how to set it up step by step on a Cisco router or Cisco switch:
  • Enabling NetFlow
    Enter global configuration mode on Cisco router or Cisco switch, and issue the following commands for each interface on which you want to enable NetFlow:
         #interface {interface} {interface_number}
         #ip route-cache flow
  • Enabling the exports of these flows
    Enter global configuration mode on the Cisco router or switch, and issue the following commands using the IP address of your NetFlow collector and its configured listening port. UDP port 9995 is used in this example.
         # ip flow-export version 5
         # ip flow-export destination <ip_address> 9995
         # ip flow-export source Loopback0
  • Turning off NetFlow
    Issue the following commands in global configuration mode to stop exporting NetFlow data:
         #interface {interface} {interface_number}
         #no ip route-cache flow
    This will disable NetFlow export on the specified interface. Repeat the commands for each interface on which you need to disable NetFlow.
  • Diagnosis
    In enable mode you can see the current NetFlow configuration and state by looking at the output of:
         #sh ip flow export                                  Shows the current NetFlow export configuration
         #show ip cache flow and #sh ip cache verbose flow   These commands summarize the active flows and give an indication of how much NetFlow data the device is exporting

    Note: When access lists are used, all cisco routers or cisco switch must log failed network access attempts.
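The exporter configured above sends NetFlow version 5 datagrams to UDP port 9995 on the collector. The Python below is an added example for this edit (not the post's code, nor SolarWinds's): it decodes a v5 datagram from the fixed 24-byte header and 48-byte records, then derives the two reports the post mentions, top talkers and scan-like host behaviour. The flows it parses are constructed with its own small encoder:

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                   # 24 + 30*48 bytes fits one datagram


def build_v5(flows: List[Dict], sequence: int = 0, uptime_ms: int = 60_000) -> bytes:
    """Encode flows the way an exporter would (used here to construct test input)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, 0, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\x00" * 4,
                       1, 2, f["packets"], f["octets"], uptime_ms - 1000, uptime_ms,
                       f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                       0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def parse_v5(datagram: bytes) -> Dict:
    """Decode one NetFlow v5 export datagram into header fields plus flow records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, uptime, secs, nsecs, sequence, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "nexthop": str(IPv4Address(r[2])), "in_if": r[3], "out_if": r[4],
                      "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return {"sequence": sequence, "uptime_ms": uptime, "sampling": sampling, "flows": flows}


def top_talkers(flows: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Sources ranked by bytes sent: the 'top talkers' report the post mentions."""
    octets = defaultdict(int)
    for f in flows:
        octets[f["src"]] += f["octets"]
    return sorted(octets.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def port_fanout(flows: List[Dict], min_ports: int = 10) -> List[Tuple[str, str, int]]:
    """Source/destination pairs touching many distinct destination ports: the
    'host behaviour' signal a collector uses to surface scan-like activity."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


# Constructed flows (addresses in the 172.30.x.x space the post's config uses).
SAMPLE_FLOWS = (
    [{"src": "172.30.203.10", "dst": "172.30.46.50", "sport": 51000 + i, "dport": 443,
      "proto": 6, "packets": 40, "octets": 52000} for i in range(2)]
    + [{"src": "172.30.203.77", "dst": "172.30.46.20", "sport": 40000, "dport": p,
        "proto": 6, "packets": 1, "octets": 60, "tcp_flags": 2} for p in range(20, 32)]
)

if __name__ == "__main__":
    parsed = parse_v5(build_v5(SAMPLE_FLOWS, sequence=1))
    print(len(parsed["flows"]), "flows, top talkers:", top_talkers(parsed["flows"], 2))
    print("fan-out:", port_fanout(parsed["flows"]))
```

The `sequence` field is worth tracking per exporter: a gap between consecutive datagrams means flows were dropped somewhere between the router and the collector, which matters when the records are later used as evidence.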
A Sample Device Configuration
The following is a set of commands issued on a router to enable NetFlow version 5:
!
interface Loopback0
 ip address 172.30.203.253 255.255.255.255
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
!
!
interface FastEthernet0/1/0
 description LINE:USHQ-VzBPIP,SPEED:8000000,GOLDCAR:256k,DEST:VzB_PERouter
 bandwidth 8000
 ip address 172.30.0.86 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 load-interval 30
 duplex full
 speed 100
 no mop enabled
!
interface FastEthernet0/1/1
 description Local Network segment for THHQ
 ip address 172.30.0.86 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 172.30.46.195 9995
ip flow-export destination 172.30.46.71 2055
!
!
access-list 30 permit 172.30.46.195
access-list 30 permit 172.30.46.71
access-list 30 deny   any log
!
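The collector at 172.30.46.195 above receives these exports as UDP datagrams on port 9995. The following Python parser for the version 5 export format is an added example, not code from the page or from any vendor tool; the sample datagram it decodes is constructed, and `is_valid_v5` and `build_sample` are helper names chosen here.

```python
"""Collector-side NetFlow v5 parser (added example, not code from the page).
Decodes the 24-byte header and 48-byte records a router emits after
`ip flow-export version 5`; the sample datagram below is constructed."""
import socket
import struct
from collections import namedtuple

HEADER_FMT = "!HHIIIIBBH"                # version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifs, pkts, octets, first, last, ports...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
FlowRecord = namedtuple("FlowRecord", "src dst sport dport proto packets octets tcp_flags")

def parse_v5(datagram: bytes):
    """Return (flow_sequence, [FlowRecord, ...]); raise ValueError on malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _ns, seq, _et, _eid, _samp = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # v5 carries at most 30 records per datagram and the length must match the count
    if count > 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                                  f[9], f[10], f[13], f[5], f[6], f[12]))
    return seq, records

def is_valid_v5(datagram: bytes) -> bool:
    """True when the datagram parses; gaps in flow_sequence would also be worth alerting on."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False

def build_sample() -> bytes:
    """Constructed datagram: one TCP flow 10.1.50.5:40000 -> 172.30.46.195:22, flags SYN+ACK."""
    header = struct.pack(HEADER_FMT, 5, 1, 123456, 1370217600, 0, 42, 0, 0, 0)
    record = struct.pack(RECORD_FMT, socket.inet_aton("10.1.50.5"),
                         socket.inet_aton("172.30.46.195"), socket.inet_aton("0.0.0.0"),
                         1, 2, 10, 1500, 1000, 2000, 40000, 22, 0, 0x12, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

A real collector binds UDP 9995 and hands each received datagram to `parse_v5`; the flow_sequence value lets it spot dropped export datagrams.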
SolarWinds NetFlow Analyzer

Monday, June 3, 2013

ACS group tacacs+ and RADIUS-LOGIN configuration example

TACACS+ consists of three services: authentication, authorization, and accounting. Authentication is the action of determining who the user is and whether he or she is allowed access to the switch. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage. TACACS+ is now also part of the new CCNA Security certification exam.

The configuration below was created to give you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.

Step 1: Create a backup user account
INHQRL2-3845(config)# username dcth privilege 15 password datakrub!

Step 2: Enabling AAA
INHQRL2-3845(config)# aaa new-model

Step 3: Configuring the TACACS+ servers
INHQRL2-3845(config)# tacacs-server host 10.1.50.101 key cisco12345

Step 4: Define the AAA method lists
INHQRL2-3845(config)# aaa authentication login default group tacacs+ local
INHQRL2-3845(config)# aaa authorization exec default group tacacs+ local

Step 5: Enforcing AAA authentication on terminal lines
INHQRL2-3845(config)# line console 0
INHQRL2-3845(config-line)# login authentication default
INHQRL2-3845(config)# line vty 0 15
INHQRL2-3845(config-line)# login authentication default
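Steps 1 to 5 only protect you if the local backup user exists, every method list keeps `local` after `group tacacs+`, and every line refers to a list that is defined. The following Python lint checks an IOS snippet for exactly those points; it is an added example, not code from the page or an IOS feature, and SAMPLE_CONFIG is constructed from the steps above with one deliberately weak `none` fallback added.

```python
"""Lint an IOS AAA snippet for the lock-out and open-fallback mistakes Steps 1-5
guard against (added example, not from the page; the checks are this example's
own, not an IOS feature). SAMPLE_CONFIG is constructed after Steps 1-5."""
import re

SAMPLE_CONFIG = """\
username dcth privilege 15 password datakrub!
aaa new-model
tacacs-server host 10.1.50.101 key cisco12345
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization exec vty group tacacs+ none
line console 0
 login authentication default
line vty 0 15
 login authentication default
"""

def lint_aaa(config: str) -> list:
    """Return a list of finding strings; an empty list means every check passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: method lists below are never applied")
    # Step 1: a privilege-15 local account must exist for when TACACS+ is unreachable
    if not any(re.match(r"username \S+ privilege 15 (password|secret) ", ln) for ln in lines):
        findings.append("no privilege-15 local backup user")
    # Step 4: collect method lists as (kind, name) -> [methods]
    lists = {}
    for ln in lines:
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", ln)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    for (kind, name), methods in lists.items():
        if "tacacs+" in methods and "local" not in methods:
            findings.append(f"{kind} {name}: no local fallback after group tacacs+")
        if "none" in methods:
            findings.append(f"{kind} {name}: 'none' succeeds whenever TACACS+ does not answer")
    # Step 5: every list a line refers to must be defined
    current = None
    for ln in lines:
        if ln.startswith("line "):
            current = ln
        m = re.match(r"\s+login authentication (\S+)", ln)
        if m and ("authentication login", m.group(1)) not in lists:
            findings.append(f"{current}: undefined login list {m.group(1)}")
    return findings
```

Run against `SAMPLE_CONFIG` it reports only the `vty` exec list, which falls open to `none` and has no `local` method.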


The following snippets are from the TACACS+ authentication configuration on Cisco devices.
Example 1: Group tacacs+ enable
!
username dcth privilege 15 password datakrub!
!
enable secret g8:ugvl 
!
ip telnet source-interface lo 0
!
line con 0
password dcth!
login local
!
line vty 0 4
password dcth!
login local
!
!
!
aaa new-model
!
aaa authentication login vty group tacacs+ local
aaa authorization exec vty group tacacs+ none
aaa authorization commands 0 vty group tacacs+ local
aaa authorization commands 1 vty group tacacs+ local
aaa authorization commands 7 vty group tacacs+ local
aaa authorization commands 15 vty group tacacs+ local
!
aaa authentication login console group tacacs+ local
aaa authorization exec console group tacacs+ none
aaa authorization commands 1 console group tacacs+ local
aaa authorization commands 7 console group tacacs+ local
aaa authorization commands 15 console group tacacs+ local
!
aaa authentication enable default group tacacs+ enable
!
aaa accounting exec vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 7 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+
aaa accounting exec console start-stop group tacacs+
aaa accounting commands 1 console start-stop group tacacs+
aaa accounting commands 7 console start-stop group tacacs+
aaa accounting commands 15 console start-stop group tacacs+
!
aaa authorization console
aaa authorization config-commands
!
!
!
ip tacacs source-interface Loopback 0
!
!
tacacs-server host 10.1.50.101
tacacs-server key cisco12345
!
!
!
!
!
line con 0
 authorization exec console
 authorization commands 1 console
 authorization commands 7 console
 authorization commands 15 console
 accounting commands 1 console
 accounting commands 7 console
 accounting commands 15 console
 accounting exec console
 logging synchronous
 login authentication console
line vty 0 4
 authorization commands 1 vty
 authorization commands 7 vty
 authorization commands 15 vty
 authorization exec vty
 accounting commands 1 vty
 accounting commands 7 vty
 accounting commands 15 vty
 accounting exec vty
 logging synchronous
 login authentication vty
!
!
Cisco Secure ACS and Active Directory
RADIUS and TACACS+ server
Example 2: ACS group tacacs+ and RADIUS-LOGIN group enable
!
enable secret 5 $1$azKE$exucFBdjapkq2aspUIS7M0
!
aaa new-model
!
aaa authentication login ACS group tacacs+ enable
aaa authentication login RADIUS-LOGIN group radius
aaa authentication enable default group tacacs+ enable
aaa authentication ppp RADIUS-LOGIN group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACS group tacacs+ if-authenticated
aaa authorization commands 0 ACS group tacacs+ if-authenticated
aaa authorization commands 1 ACS group tacacs+ if-authenticated
aaa authorization commands 15 ACS group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 0 ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa accounting connection ACS start-stop group tacacs+
!
ip ssh source-interface Loopback0
!
ip tacacs source-interface Loopback0
!
access-list 20 permit 156.32.0.0 0.1.255.255
access-list 20 permit 156.34.0.0 0.7.255.255
access-list 20 permit 156.42.0.0 0.7.255.255
access-list 20 permit 156.50.0.0 0.3.255.255
access-list 20 permit 156.54.0.0 0.1.255.255
access-list 20 permit 156.56.0.0 0.0.255.255
access-list 20 permit 146.171.0.0 0.0.255.255
access-list 20 permit 149.65.0.0 0.0.255.255
access-list 20 permit 189.103.13.0 0.0.0.255
access-list 20 permit 156.52.71.192 0.0.0.63
access-list 20 permit 156.52.9.192 0.0.0.63
access-list 20 deny   any log
!
!
tacacs-server host 156.52.197.26
tacacs-server host 156.52.8.16
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 06031D344F4B1GG606041B08
!
!
line con 0
 access-class 20 in
 timeout login response 15
 password 7 040A3757062A1F7459160B1956035C57
 logging synchronous
 transport preferred none
 stopbits 1
line vty 0 4
 access-class 20 in
 timeout login response 15
 password 7 124839461B005F3E7A242A26773D7240
 logging synchronous
 transport preferred none
 transport input telnet
!
!
**********************************************************************************************
WARNING TO UNAUTHORIZED USERS:
This system is for use by authorized users only. Any individual using this system,
by such use, acknowledges and consents to the right of the company to monitor,
access, use, and disclose any information generated, received, or stored on the
systems, and waives any right of privacy or expectation of privacy on the part of
that individual in connection with his or her use of this system.
**********************************************************************************************
Username: boylaser
Enter PASSCODE: *


You can now configure the TACACS+ server for system authentication.