Tuesday, September 5, 2017

Cisco switchport statistics

While diagnosing your network because of performance issues, if you determine that the network is not meeting technical expectations, you should isolate the source of the problem and diagnose the problem on that device. Wireshark is a cool tool for finding the root cause of a network performance issue. So, if I were to answer the following question: which tool among many comes to your mind to pinpoint the root cause of a network performance issue? I would have given the following answer: WIRESHARK.

Wednesday, August 30, 2017

Cisco Feature Navigator

Hi,

Have you ever asked yourself the following question: how could I know whether my Cisco device supports a certain specific feature?

Let's say it this way: if you are given a Cisco device that you are not familiar with, how will you know which features it supports? Or, if you are about to deploy a certain IT solution, how would you know which Cisco device you should buy to accomplish your deployment tasks, and more?

Check out the following video to learn what you should use, and how to use it, before ordering a Cisco device:

Friday, August 25, 2017

Main steps of troubleshooting network issues

The main steps of troubleshooting are:
  • problem report: the first step is receiving the complaint from a user or an alert from a monitoring tool. With a monitoring tool we may detect a situation that could become a troubleshooting issue and resolve it before it impacts users; that is called proactive maintenance.
  • diagnosis
  • resolve the problem
The first step toward resolving an issue after it is reported is to clearly define the issue. Diagnosing the reported problem is what allows us to define it clearly. Note that we have to diagnose because, most often, the end user's report does not contain enough information to allow us to resolve the issue.

Monday, August 21, 2017

Right way to configure default route in a router

The process of sending a lot of ARP requests can consume a big percentage of a router's CPU resources.

One configuration that causes a router to send a lot of ARP requests is a default route that points to an Ethernet interface ((config)#ip route 0.0.0.0 0.0.0.0 f0/1) instead of to the next-hop address ((config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1).

When configured with an exit interface, instead of sending an ARP request for the MAC address of the next-hop address, the router sends an ARP request for the MAC address of the destination IP address of each packet. That results in an excessive number of ARP requests, which causes a CPU spike.

Before jumping into a router and starting to troubleshoot it, we need to know that it is the router that is causing the poor network performance. Click here to read our blog post on how to detect the root cause of a network performance issue.

A router could be the root cause of your network performance issue. That is a fact. But we should not ignore that applications, servers and users' clients can also be the root cause of our network performance issue. Click here to learn how to identify the source of your network performance issue.

_____________________________________

Detect the source of your network performance issues


Network performance might be operating at a level that disturbs productivity and is below its normal level of operation. As a network administrator, you need to determine the origin of the performance issue, that is, which network component is causing the poor performance. It could be a switch, a router, the user's client, the server or the application.

How will you know the root cause of your network performance issue? The answer is: by using WIRESHARK.

With WIRESHARK, you can look into what is really happening on the wire.
With the help of WIRESHARK you can analyse protocols and identify exactly the root cause of your network performance issues. Don't hesitate to contact us; we offer training on how to set up and use WIRESHARK and how to analyse protocols >> Here is our contact if you wish to be part of our next WIRESHARK class

CCNP-TSHOOT teaches how to diagnose and troubleshoot Cisco routers and switches. Of course, before jumping into your Cisco routers or switches, you should first of all know the root cause of the poor performance of your network.

>> Here is our contact if you wish to be part of our next WIRESHARK class
>> Here is our contact if you wish to attend the CCNP-TSHOOT class

Sunday, July 9, 2017

How to configure NIC teaming on a system running Windows Server 2008

Hi 

NIC teaming is not something included with Windows Server 2008 or Windows Server 2008 R2. However, even if it cannot be configured from the Server 2008 operating system, you can still take advantage of this feature if the network adapter supports it. Network adapters built by vendors such as Intel, Broadcom and HP can support it (please consult your network adapter documentation).

The following link redirects to a YouTube video by "Rob Waggoner", showing how to configure an Intel network adapter that supports NIC teaming >> Video Right here

Note that NIC teaming is supported on Windows Server 2012. To learn how to configure it, check it out >> right here

------------------------------Please feel free to leave an honest comment. It will be appreciated. Thanks.

Sunday, May 28, 2017

How to: Cisco ASA same security level + ACLs

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets traffic flow freely between all same-security interfaces without access lists.

To enable interfaces on the same security level to communicate with each other, enter the following command:
(config)#same-security-traffic permit inter-interface

But the question I had never asked myself is: what if we have two interfaces with the same security level, each having an ACL applied to it? Will the traffic still flow freely after typing the above command? The answer is:

If you have "same-security-traffic permit inter-interface" configured, have two interfaces with the same "security-level" value, and have an "access-list" applied on both interfaces, then the ACLs decide what traffic is allowed and what is not.

I found this answer right here, when I got this challenge of same security levels and ACLs.

Hope this will also help you.
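To make the answer concrete, here is an added configuration example (it is not from the original post): two DMZ interfaces at security level 50, the inter-interface permit, and one inbound ACL on each. Interface names, addresses and ACL names are constructed for illustration, and ASA 8.3 or later syntax is assumed.

```cisco
! Added example, not from the original post. Names and addresses are constructed.
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
! Without this line, dmz1 and dmz2 cannot exchange any traffic at all.
same-security-traffic permit inter-interface
!
! Once an ACL is applied inbound on each interface, the ACL decides, not the
! equal security level. Here only dmz1 -> dmz2 on TCP/443 may be initiated;
! the implicit deny at the end of each ACL drops everything else that is not
! explicitly permitted.
access-list DMZ1_IN extended permit tcp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0 eq 443
access-list DMZ1_IN extended deny ip any any log
!
! dmz2 may not initiate anything towards dmz1. The replies of the TCP/443
! session above are still allowed: they match the existing session in the
! state table and are never compared against DMZ2_IN.
access-list DMZ2_IN extended deny ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0 log
access-list DMZ2_IN extended permit ip any any
!
access-group DMZ1_IN in interface dmz1
access-group DMZ2_IN in interface dmz2
!
! Hit counts per ACL entry show which line made the decision
show access-list DMZ1_IN
show access-list DMZ2_IN
```

The design point: "same-security-traffic permit inter-interface" only removes the security-level barrier; the interface ACLs are then evaluated exactly as they would be between interfaces of different levels, including the implicit deny at the end of each list.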


Friday, May 26, 2017

How to identify what is blocking your traffic from passing through a Cisco ASA

The packet-tracer command can be used in privileged EXEC mode to generate a packet and test it against the firewall's current configuration.
It allows an administrator to inject a virtual packet into the ASA and track the flow from ingress to egress; along the way, the packet is evaluated against the flow and route lookups, ACLs, protocol inspection, NAT and IDS.

If the traffic you are trying to get forwarded by an ASA from one of its interfaces to another is not working, then the "packet-tracer" tool can help you pinpoint exactly what in the ASA is blocking your traffic from being forwarded. The power of this utility comes from the ability to simulate real-world traffic by specifying source and destination addresses together with protocol and port information.

The following link is an interesting YouTube video that shows how to use this tool from ASDM: Click Right Here To Access The Video
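For those who prefer the CLI over ASDM, here is an added example (not from the original post) of the same check typed at the ASA prompt, with notes on how to read the phase output. Interface names, addresses and ports are constructed.

```cisco
! Added example, not from the original post. Names, addresses and ports are constructed.
! Syntax: packet-tracer input <ingress-ifc> <protocol> <src-ip> <src-port> <dst-ip> <dst-port> [detailed]
!
! 1) Can an inside host open a web connection to a server on the outside?
packet-tracer input inside tcp 10.1.1.4 40000 209.165.201.29 80
!
! 2) Can an outside client reach a published server through its translated address?
!    "detailed" adds the matching rule and NAT/route details to each phase.
packet-tracer input outside tcp 198.51.100.7 50000 209.165.201.10 443 detailed
!
! 3) ICMP has no ports: give the ICMP type and code instead (echo request = 8 0)
packet-tracer input inside icmp 10.1.1.4 8 0 209.165.201.29
!
! Reading the result: the ASA prints one block per phase (ROUTE-LOOKUP,
! ACCESS-LIST, NAT, INSPECT, ...), each ending in "Result: ALLOW" or
! "Result: DROP", followed by a final Action line and, for a drop, a
! Drop-reason line. The first phase that reports DROP names the configuration
! element that blocks the flow:
!   - ACCESS-LIST  -> the access-group applied inbound on the ingress interface
!   - NAT          -> no translation matched, or the wrong one did
!   - ROUTE-LOOKUP -> the egress interface chosen is not the one you expected
!
! Always trace in the direction the connection is *initiated*: replies of an
! established session are allowed by the state table and never reach the ACL.
```

The last point is the usual source of confusion when a trace in the reply direction shows a drop while the real traffic works, or vice versa.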

Wednesday, May 17, 2017

How to configure Cisco ASA interface Redundancy

By default, each physical ASA interface operates independently of any other interface. When an interface is down, the ASA cannot send or receive any data through it. To keep an ASA interface up and active all the time, you can configure a logical redundant interface: a pair of physical interfaces set aside for the same function and connected to the same network, of which only one is active at any given time while the other stays in a standby state. The paired physical interfaces must be of the same type.
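Here is an added configuration example (not from the original post) of such a redundant interface built from two ports of the same type. Port numbers, the interface name and the addressing are constructed for illustration.

```cisco
! Added example, not from the original post. Port numbers, name and addressing are constructed.
!
! Member ports must carry no nameif, security-level or IP address of their own:
! those settings move to the logical interface.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
 no shutdown
!
! The redundant interface holds all the layer-3 settings. The first member
! added becomes active and lends its MAC address to the pair; the second stays
! in standby and takes over when the active link goes down.
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Checks: which member is currently active, and the link state of both
show interface Redundant1
show interface GigabitEthernet0/2
show interface GigabitEthernet0/3
!
! Force a switchover by hand (for example before maintenance on the active port)
redundant-interface Redundant1 active-member GigabitEthernet0/3
```

Note that the redundant pair only protects against a failure of the link or port between the ASA and the adjacent switch; it is not a substitute for ASA failover, which protects against a failure of the whole unit.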

Thursday, April 20, 2017

Static inside NAT On Cisco ASA

Static inside NAT creates permanent, fixed translations between a local address and a global address; the translations survive reboots and have no idle timer that would make them expire.

Because a static translation always stays active, hosts on less secure networks can initiate communications to the statically translated local hosts, as long as the access list rules on the ASA permit such traffic.

Recall that the following pieces of information are required every time you want to configure NAT on a Cisco ASA:
  • original source IP address (and port) in the packet
  • interface where the original packet enters the ASA (ingress interface)
  • interface where the packet will exit the ASA (egress interface)
  • translated address (and, optionally, port) to insert into the packet
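Here is an added example (not from the original post) that publishes an inside web server with static inside NAT and shows where each of the four pieces of information ends up in the configuration. ASA 8.3 or later object NAT syntax is assumed; addresses and names are constructed.

```cisco
! Added example, not from the original post. Addresses and names are constructed.
! ASA 8.3+ object NAT syntax. The four required pieces of information:
!   original address    -> "host 10.1.1.10" inside the object
!   ingress interface   -> "inside", first name in the nat parentheses
!   egress interface    -> "outside", second name in the nat parentheses
!   translated address  -> 209.165.201.10
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 209.165.201.10
!
! Variant: translate only TCP/80 instead of the whole address
! (the mapped address can then be shared by other static service rules)
! object network WEB-SERVER
!  nat (inside,outside) static 209.165.201.10 service tcp 80 80
!
! The static translation alone opens nothing. Traffic initiated from the less
! secure interface still needs a permit in the inbound ACL on that interface.
! Since 8.3 the ACL matches the REAL (untranslated) address, so reference the
! object, not the global 209.165.201.10.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE_IN in interface outside
!
! Checks: the rule and its hit count, and the permanent xlate it creates
show nat detail
show xlate
```

Restricting the ACL to the exact ports the server publishes is what keeps a permanent translation from becoming a permanent opening for every service on that host.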

Tuesday, April 18, 2017

Cisco object groups vs simple access lists

Let's use a configuration example to illustrate the difference between an "object group" and a "simple ACL" configuration. In this example, the "simple access-list" is used first and the "object group" later. At the end of this post, we will clarify the difference.

Task:

The example is about restricting several hosts with the IP addresses 10.1.1.4, 10.1.1.78 and 10.1.1.89, located on the inside network, from accessing several web servers (209.165.201.29, 209.165.201.16 and 209.165.201.78). All other traffic is allowed.
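Here is an added worked configuration for that task (it is not the original post's configuration): first with plain ACL entries, then with object groups. The host and server addresses are the ones from the task; the interface name and the ACL and group names are constructed.

```cisco
! Added example, not from the original post. Interface, ACL and group names are constructed.
!
! 1) Simple access-list: one entry per host/server pair, 3 hosts x 3 servers = 9 deny lines
access-list INSIDE_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
access-list INSIDE_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 2) Object groups: the same policy written once
object-group network RESTRICTED-HOSTS
 network-object host 10.1.1.4
 network-object host 10.1.1.78
 network-object host 10.1.1.89
!
object-group network WEB-SERVERS
 network-object host 209.165.201.29
 network-object host 209.165.201.16
 network-object host 209.165.201.78
!
access-list INSIDE_IN_OG extended deny tcp object-group RESTRICTED-HOSTS object-group WEB-SERVERS eq www
access-list INSIDE_IN_OG extended permit ip any any
access-group INSIDE_IN_OG in interface inside
!
! Where the difference shows: adding a fourth restricted host is one line here
! (versus three new ACL entries, one per server, in the simple version)
object-group network RESTRICTED-HOSTS
 network-object host 10.1.1.90
!
! The ASA still expands the group internally into one entry per pair;
! compare what you maintain with what is actually evaluated:
show running-config access-list INSIDE_IN_OG
show access-list INSIDE_IN_OG
```

Both versions enforce the same policy; the object-group version is shorter to read, easier to audit, and far less error-prone to change, which matters on a firewall where a forgotten pair is a silent hole.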

Friday, March 31, 2017

ACLs (interface access rules) on Cisco ASA

With a Cisco ASA, because all traffic from a higher security level to a lower security level is allowed by default, ACLs let us either allow traffic from lower security level interfaces or restrict traffic from higher security level interfaces.

Before configuring interface access control on your ASA, you need to answer the following question: which hosts are allowed to communicate with each other, using which specific applications, through the ASA?

Things to know:

  • if a packet arrives at an ASA interface, it must either match an existing session (existing sessions are kept in the state table, also called the session table) or be compared against the inbound interface security policy applied to that interface.

Tuesday, March 28, 2017

PAT (port address translation) on Cisco ASA - nat | global commands


For an ASA to perform translations, four pieces of information are required (if any of the following four parameters is missing, the ASA will not perform address translation):
  • original source IP address (and port) in the packet
  • interface where the original packet enters the ASA (ingress interface)
  • interface where the packet will exit the ASA (egress interface)
  • translated address (and, optionally, port) to insert into the packet
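Here is an added example (not from the original post) of dynamic PAT with the nat and global commands the title refers to (ASA 8.2 and earlier syntax), followed by the same policy in 8.3+ object NAT form. Addresses and the object name are constructed.

```cisco
! Added example, not from the original post. Addresses and names are constructed.
!
! ASA 8.2 and earlier: the four pieces are split across two commands, tied
! together by the NAT ID (1 here).
!   original address    -> 10.1.1.0/24 in the nat statement
!   ingress interface   -> (inside) in the nat statement
!   egress interface    -> (outside) in the global statement
!   translated address  -> the outside interface address ("interface" = PAT)
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! A nat statement whose ID has no matching global on the egress interface
! leaves one of the four pieces missing: no translation is built and the
! traffic is dropped, which is the usual cause of "PAT works for one interface
! but not the other".
!
! ASA 8.3 and later: all four pieces sit on one network object
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Checks: the translation rules and the live PAT entries (one per connection)
show nat
show xlate
```

With PAT, every inside connection is tracked as an (address, port) pair in the xlate table, so "show xlate" is the place to look when a specific inside host cannot get out while its neighbours can.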

Friday, March 24, 2017

Cisco interface statistics: explained

  • Overruns: number of times that the device was unable to hand received data to a hardware buffer because the input rate exceeded the device's capability to handle the data
  • Underruns: number of times that the transmitter ran faster than the device could handle
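As an added example (not from the original post), here is how a practitioner would isolate these two counters on one interface and attribute them to current traffic. The interface name is constructed.

```cisco
! Added example, not from the original post. The interface name is constructed.
!
! Reset the counters first, so that any increment seen afterwards belongs to
! the traffic you are reproducing and not to an incident from months ago.
clear counters GigabitEthernet0/1
!
! ... reproduce the slow transfer, then read only the relevant lines
show interfaces GigabitEthernet0/1 | include overrun|underrun|input errors|output errors|rate
!
! Interpretation:
!  - overruns that keep rising while the "input rate" approaches the interface
!    speed: the receive side is saturated, the peer sends faster than this port
!    can buffer (check duplex/speed mismatch and the peer's output rate first)
!  - underruns that rise while output is busy: the transmitter could not be fed
!    fast enough from the device's internal buffers
! Both counters are local to this device: read the same counters on the
! neighbour at the other end of the link to see which side is actually dropping.
show interfaces GigabitEthernet0/1 | include duplex|Speed
```

Taking two readings a few minutes apart, rather than a single snapshot, is what turns a raw counter into a rate you can compare with the traffic you observed.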

Monday, March 20, 2017

How to configure SSH on Cisco IOS

1-configure a hostname
(config)#hostname Jrter1
2-configure a domain name
(config)#ip domain-name jni.local

Disable TELNET! Cisco finds 0-Day affecting over 300 Network Switch Models

How to BLOCK URLs (HTTP and HTTPS) using Cisco

I was asked some days ago how to block URLs using Cisco, specifically for HTTPS traffic.
Here is what I found: the Cisco ASA 5500 series Content Security and Control Security Services Module (CSC-SSM).

The Cisco ASA CSC-SSM provides:
  • antivirus
  • antispyware
  • file blocking
  • anti-spam
  • anti-phishing
  • URL blocking
  • URL filtering
  • content filtering

Friday, March 17, 2017

Setting up NIC teaming for Windows Server 2012*/2012 R2*/2016*

NIC teaming is a Windows feature that enables administrators to join multiple network adapters into a single entity for performance enhancement or fault tolerance purposes.

Hyper-V VMs can also take advantage of NIC teaming, but they are limited to teams of only 2 NICs, as opposed to the host operating system, which can have teams of up to 64 NICs.

Wednesday, March 15, 2017

FREE tutorial to master subnetting!

Binary and hexadecimal numbers are a complete mystery for many of us. Often we don't find them really interesting because on the internet there are plenty of "subnet" or "binary" calculators with which you can easily convert from decimal to binary to hexadecimal, or the other way around, without knowing how the exact calculations work.

This is no problem when you are not configuring or designing networks on a daily basis, but it will be a problem as soon as you take a networking exam, so it is best to know how to do these calculations off the top of your head.

Tuesday, March 14, 2017

Great links for those who want to practice before their exam ...

Hey, while I was browsing today, I saw the following interesting links for those who want to practice before their exam:

ICND1 V3.0
ICND2 V3.0
CCNP ROUTE V2.0 
CCNP SWITCH V2.0 
CCNP TSHOOT V2.0

"Practice Makes Perfect" .................................

How does a host dynamically figure out its IPv6 interface ID?

An IPv6 address has 128 bits: 8 groups of 16 bits, each written as a 4-digit hexadecimal number.
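The question in the title is answered by the modified EUI-64 procedure, which builds the 64-bit interface ID from the 48-bit MAC address; the following is an added worked example (not from the original post) showing the derivation and the IOS command that performs it. The MAC address and the prefix are constructed.

```cisco
! Added example, not from the original post. MAC address and prefix are constructed.
!
! Modified EUI-64 derivation of the interface ID from the MAC address:
!   MAC                 00:1A:2B:3C:4D:5E
!   split in halves     001A2B | 3C4D5E
!   insert FFFE         001A2B FFFE 3C4D5E  ->  001A:2BFF:FE3C:4D5E
!   flip the U/L bit    bit 7 of the first byte, 0x00 -> 0x02
!   interface ID        021A:2BFF:FE3C:4D5E
! The interface ID is the low 64 bits; the /64 prefix supplies the high 64 bits,
! giving 2001:DB8:1::21A:2BFF:FE3C:4D5E/64 (leading zeros of 021A drop out).
! The link-local address reuses the same ID: FE80::21A:2BFF:FE3C:4D5E
!
interface GigabitEthernet0/0
 mac-address 001a.2b3c.4d5e
 ipv6 address 2001:DB8:1::/64 eui-64
 no shutdown
!
! Verify the derived addresses (global and link-local) on the interface
show ipv6 interface GigabitEthernet0/0
```

Because an EUI-64 interface ID exposes the hardware address and stays the same across every network the host joins, most client operating systems now generate random or hashed interface IDs (RFC 4941 privacy extensions, RFC 7217) instead; when you inventory a network by address, do not assume the interface ID reveals the vendor.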

Monday, March 13, 2017

EtherChannel between a Cisco switch and a server

If you have ever wondered how the server side of the configuration looks, I find this Cisco link very interesting.

Why I love the "(config)#ip access-list" command rather than the "(config)#access-list" command

The (config)#ip access-list ... command uses sequence numbers. Each line in a list has a sequence number, which can be used to squeeze additional lines in between other lines or to easily remove single lines from a list without deleting the whole ACL.
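Here is an added example (not from the original post) of the edits that the sequence numbers make possible on a named extended ACL. The ACL name and addresses are constructed.

```cisco
! Added example, not from the original post. ACL name and addresses are constructed.
ip access-list extended SERVER-IN
 10 permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.10 eq 443
 20 permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.10 eq 22
 30 deny ip any any log
!
! Squeeze a new entry between 10 and 20: give it a free number in the gap
ip access-list extended SERVER-IN
 15 permit udp 10.1.1.0 0.0.0.255 host 10.1.2.10 eq 53
!
! Remove exactly one entry by its number. With the classic numbered form,
! "no access-list 101 ..." removes the WHOLE list 101, not the one line,
! which is the mistake the named form protects you from.
ip access-list extended SERVER-IN
 no 20
!
! When the gaps run out, renumber: first entry 100, then steps of 10
ip access-list resequence SERVER-IN 100 10
!
! Sequence numbers and per-entry hit counts are shown together
show access-lists SERVER-IN
```

Keeping gaps of 10 between entries from the start is what leaves room for the later inserts.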

How to configure a Cisco device so that it can be accessed remotely?

What I am about to list are the basics of what is needed to access a Cisco device remotely. A Cisco device has to have the following 3 settings for it to be managed remotely:
  • an IP address
  • the privileged mode has to have a password
  • the vty lines have to be configured
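The three settings above and the two SSH steps from the "How to configure SSH on Cisco IOS" post earlier on this page belong to one procedure, so here is one added, complete configuration (it is not from either post) that puts them together and makes the remote access SSH-only, as the "Disable TELNET!" post recommends. The hostname and domain name are the ones used in the SSH post; the interface, addresses and credentials are constructed placeholders.

```cisco
! Added example, not from the original posts. Interface, addresses and credentials are placeholders.
!
! 1 - hostname and domain name: both are required before an RSA key can be generated
hostname Jrter1
ip domain-name jni.local
!
! 2 - RSA key pair for the SSH server, then restrict the server to version 2
crypto key generate rsa modulus 2048
ip ssh version 2
!
! 3 - an IP address the management station can reach
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! 4 - privileged-mode password, stored hashed ("enable secret", not "enable password")
enable secret CHANGE-ME-PRIVILEGED
!
! 5 - a local account for the vty lines
username admin privilege 15 secret CHANGE-ME-ADMIN
!
! 6 - vty lines: authenticate against the local database, accept SSH only
!     (transport input ssh is what disables Telnet), drop idle sessions
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! 7 - only allow management sessions from the management subnet
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-HOSTS in
!
! Checks: SSH server state and version, then who is currently logged in
show ip ssh
show users
```

Steps 3, 4 and 6 are the three settings listed above; steps 1, 2 and 7 are what turn "reachable" into "reachable only over an encrypted session from the hosts you expect".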