Pass any IT exam for sure!
IT Certification Study Guide share & Training Preparation Ebooks free download
Aug 16th
To ensure high availability of critical network applications, the Operations team uses Microsoft’s Network Load Balancer, or NLB. NLB allows load balancing between servers without a dedicated standalone box. To achieve this, Microsoft performs some network hacks which require configuration on the network side.
NLB can work in two modes, unicast and multicast. Unicast is the default operation mode due to compatibility. In this mode the switch sees a common unicast MAC address shared by the NLB hosts. Since a dynamic CAM entry for one MAC address cannot exist on two ports, the switch floods all traffic going to an NLB host.
With multicast mode turned on, NLB uses a shared multicast MAC address with a unicast IP address. This mode works better with a Cisco network but has two drawbacks. Because a unicast IP address is paired with a multicast MAC address, the router will refuse to learn the ARP entry for the IP address. In addition, because the switch cannot determine the membership ports of the multicast stream, the traffic is still flooded to all hosts, although a multicast MAC address has a lesser effect on the CPU of flooded hosts.
Fortunately we can create both static ARP entries and static CAM entries to allow the NLB hosts to behave correctly.
Aug 16th
```vbscript
Option Explicit
Dim TransferEngine
Dim Transfer
Dim Results
Dim BackupPath
Dim FS
Dim Folder1
On Error Resume Next
' Create file system object
Set FS = CreateObject("Scripting.FileSystemObject")
' Generate backup folder path using today's date
BackupPath = "C:\Config_Backup\" & Year(Date) & "-" & Month(Date) & "-" & Day(Date)
' Create folder
```
Aug 16th
Below is a PHP script (thanks for all the help Steve) that takes a password and encrypts it with the encryption algorithm. However a key is used, as to where to start in the translate table. This key is the first two bytes of the encrypted password. I am not sure how this key is generated, but there are only 26 values in the translate table.
The script was tested and it does generate the proper encryption, but there’s still a bunch of debugging code in the script.
I posted this because I thought it was interesting, and I’ve been messing around with Perl. It looks like the encryption was “easily” reversed. You can see it is a larger encrypted password, two hex digits, per one character of input, and prefixed with a two byte key. So you could create encrypted passwords, and xor the encrypted password (minus the key) with the password and generate the translate table values. So with some intuitive guessing it looks like it was right there.
Aug 16th
After trying to set up remote access IPSec VPN on my ASA5540, I was unable to connect using the Cisco VPN Client. After running debug crypto isakmp 255, I found that there were a total of 14 ISAKMP transform set configurations that the client will try before giving up. Please keep in mind that this list is for IPSec remote access only.
This is a list of possible configurations:
| Transform # | Encryption | Hashing | Group | Authentication |
|---|---|---|---|---|
| 1 | AES-256 | SHA1 | Group 2 | xauth |
| 2 | AES-256 | MD5 | Group 2 | xauth |
| 3 | AES-256 | SHA1 | Group 2 | PSK |
| 4 | AES-256 | MD5 | Group 2 | PSK |
| 5 | AES-128 | SHA1 | Group 2 | xauth |
| 6 | AES-128 | MD5 | Group 2 | xauth |
| 7 | AES-128 | SHA1 | Group 2 | PSK |
| 8 | AES-128 | MD5 | Group 2 | PSK |
| 9 | 3DES | SHA1 | Group 2 | xauth |
| 10 | 3DES | MD5 | Group 2 | xauth |
| 11 | 3DES | SHA1 | Group 2 | PSK |
| 12 | 3DES | MD5 | Group 2 | PSK |
| 13 | DES | MD5 | Group 2 | xauth |
| 14 | DES | MD5 | Group 2 | PSK |
Aug 16th
Using a Cisco ISR as a PPTP VPN Endpoint
A typical setup is for port 1723 (PPTP) to be forwarded through to an internal server which then acts as the VPN endpoint; security policies can then be applied from the server and so forth. But what happens if the VPN server is offline or has failed? What if your staff or you still require remote access for fault correction? Below I will attempt to explain the pros and configuration examples of using a Cisco ISR as the VPN endpoint.
I will write the relevant config first, then explain each section below.
```
aaa new-model
aaa authorization network default group radius local
aaa authentication ppp default group radius local
```
Aug 16th
We want f0/0 to be down when there is an SLA failure:
The idea is to use backup interfaces in such a way that when one interface is up, the other will be up, and once the interface is down the other will also be down. To do this we will use 3 interfaces: a Tunnel interface, a Loopback interface and the f0/0 interface. The backup of the tunnel will be the loopback, and the backup of the loopback will be the tunnel. So when the tunnel is down the loopback is up, but when the loopback is up, f0/0 is down because it's the backup interface of the loopback.
Let's configure this:
```
interface Tunnel99
 no ip address
 tunnel source Loopback98
 tunnel destination 1.1.1.1
 backup interface lo 99
!
interface Loopback98
 no ip address
!
interface Loopback99
 no ip address
 backup interface FastEthernet0/0
```
Aug 16th
Simple PPPoE configuration for a DSL modem. This config assumes a dynamic IP setup. The last line shows an example of how to port forward.
The PVC is usually 0/35 but it might be 0/34. It also depends on your country. PVC 8/35 is reported to work for a Singapore ISP.
PVC 8/35 is reported to work for Australian ISPs.
```
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer watch-group 1
 dialer-group 1
 ppp chap hostname paulius
 ppp chap password 0 passwordpassword
 ppp pap sent-username paulius password 0 passwordpassword
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.10 80 interface Dialer1 80
```
Aug 16th
A fancy script to ping a list of IPv4/IPv6 addresses and return some very basic troubleshooting (show ip route, sh ip arp) if the pings fail.
=Building the script=
<pre>
tclsh
proc pingthem { args } {
#allows for lists, strings, multiple args, etc.
set interface { }
foreach subargs $args {
foreach i $subargs {
#Checks for shortcuts and names of interfaces... allows for some tricky tricks
if [regexp -nocase "lo|po|et|s|vi|tu|fa|gi" $i] {
set interface "source $i"
continue
} elseif [regexp -nocase "x" $i] {
set interface { }
continue
} elseif [regexp -nocase "help" $i] {
puts "ping script hotness! jp.senior aught gmail.com (sartan) 5/19/2009"
puts "Usage: pingthem \[source interface\] <ips> \[moresources\] \[moreips\] or pingthem help (to get this message)"
puts "Source interface may be specified by simply adding a source interface before the list of IPs"
Aug 16th
With ASA/PIX OS release 7.2, the inspection engines now can utilize regular expression lists for filtering.
In the following example, HTTP URL filtering for hosts/domains and URL content with regexes is shown. The example denies HTTP requests to host 136.3.9.2 that contain the strings “/cd/” or “/show/” in the URL.
```
!-- regex for the show URI string
regex SHOW ".*/[Ss][Hh][Oo][Ww]/.*"
!-- regex for the cd URI string
regex CD ".*/[Cc][Dd]/.*"
!-- regex for destination host, can be a domain name also
regex HOST "136.3.9.2"
!-- now the host regex is used in a class map
!-- multiple regexes can be matched in class map
!-- note the "match-any", meaning that one match is sufficient
class-map type regex match-any CM_DOMAINS
 match regex HOST
!-- the URI string regexes are combined together in a class map
!-- note the "match-any", meaning that one match is sufficient
class-map type regex match-any CM_FORBIDDENURI
 match regex SHOW
 match regex CD
!-- now the host and the uri class map are combined
!-- note the "match-all", meaning that both conditions must match
!-- so the host and either one of the two URI regexes
class-map type inspect http match-all CM_H_BADREQUEST
 match request header host regex class CM_DOMAINS
 match request uri regex class CM_FORBIDDENURI
!-- now the last class-map is used in a policy map
!-- where the action is defined (reject and log)
policy-map type inspect http PM_DENYBADHTTP
 parameters
 class CM_H_BADREQUEST
  reset log
!-- the last step: the policy is applied to the default policy
!-- by stating it as an additional parameter to the inspect http command
policy-map global_policy
 class inspection_default
  inspect http PM_DENYBADHTTP
!
service-policy global_policy global
```
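The match-any / match-all logic of this policy can be checked offline before it is applied. The following is an added example, not part of the original post: it approximates ASA regex matching with Python's `re.search` (an assumption; confirm patterns on the device), runs the page's three regexes over constructed sample requests, and compares them with `STRICT_HOST`, a hypothetical tightened host pattern written in Python syntax.

```python
import re

# Regex objects copied from the configuration above.
REGEX = {
    "SHOW": r".*/[Ss][Hh][Oo][Ww]/.*",
    "CD": r".*/[Cc][Dd]/.*",
    "HOST": r"136.3.9.2",
}
# class-map type regex match-any: one member regex is sufficient.
REGEX_CLASSES = {
    "CM_DOMAINS": ["HOST"],
    "CM_FORBIDDENURI": ["SHOW", "CD"],
}
# Hypothetical tightened HOST pattern (Python syntax): escaped dots, anchored.
STRICT_HOST = r"^136\.3\.9\.2(:[0-9]+)?$"


def match_any(class_name, text, regex=REGEX):
    """Emulate 'class-map type regex match-any' (substring search assumed)."""
    return any(re.search(regex[n], text) for n in REGEX_CLASSES[class_name])


def is_reset(host, uri, regex=REGEX):
    """Emulate CM_H_BADREQUEST (match-all): Host header AND URI must match."""
    return (match_any("CM_DOMAINS", host, regex)
            and match_any("CM_FORBIDDENURI", uri, regex))


def audit(requests, regex=REGEX):
    """Return {(host, uri): reset?} for a list of (host, uri) pairs."""
    return {(h, u): is_reset(h, u, regex) for h, u in requests}


# Constructed sample requests: (Host header value, request URI).
SAMPLES = [
    ("136.3.9.2", "/cd/index.html"),     # intended: reset
    ("136.3.9.2", "/archive/SHOW/1"),    # intended: reset, mixed case
    ("136.3.9.2", "/cdrom/index.html"),  # no "/cd/" segment: allowed
    ("136.3.9.20", "/cd/index.html"),    # other host, HOST is unanchored
    ("136a3b9c2", "/show/x"),            # unescaped "." matches any character
    ("10.1.1.1", "/show/x"),             # other host: allowed
]

if __name__ == "__main__":
    strict = dict(REGEX, HOST=STRICT_HOST)
    for (host, uri), hit in audit(SAMPLES).items():
        print(f"{host:12} {uri:20} page={hit!s:5} "
              f"strict={is_reset(host, uri, strict)}")
```

The two over-matching rows show that the `HOST` regex as written also covers Host header values other than 136.3.9.2, which matters when the policy is applied globally.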
Aug 16th
If you’re having issues with Cisco ASA and asymmetrical routing, this should save you the night.
This new feature is called TCP State Bypass and is available from ASA v8.2(1).
- inside: 10.1.1.0/24
- ASA (default gw): 10.1.1.254
- secondary gateway on the inside zone: 10.1.1.3
- Host behind the secondary gateway: 10.0.0.113
Things to do: