Posts

Showing posts with the label cisco

Cisco ASA in GNS3

Here is another tutorial on running Cisco ASAv on GNS3 using QEMU. In my case I used ASAv952-204.qcow2. To configure GNS3, go to GNS3 > Edit > Preferences > QEMU > Qemu VMs > New and follow the on-screen procedure. Don't forget to enable KVM and set the memory allocation. Now you can see I can run ASAv 9.5.2; the password is blank.

IOS XR GNS3 QEMU

This time let's have a tutorial on the Cisco XR 9k series router image running on GNS3. Please don't ask for the XR image; you are smart enough to get it.

My system configuration: Ubuntu 16.04, GNS3 1.4, 8 GB RAM, i7 processor. XR image used: iosxrv-k9-demo-6.0.1.qcow2. This image is extracted from VIRL, so you need to convert it into a QEMU image; follow this link. I strongly recommend running it on a Linux system. Once you have the converted image, go to GNS3 > Edit > Preferences > QEMU > Qemu VMs > New and follow the on-screen procedure.

Settings for the QEMU XR image: RAM: 4 GB; CPU: 1; adapters: at least 4; -enable-kvm.

Here you can see I can run the XR on my system. The interface is up and the system has already booted. I have run 3 XR routers; here is my system's RAM and CPU usage.

RP/0/0/CPU0:XR3(config)#int gi0/0/0/0
RP/0/0/CPU0:XR3(config-if)#ip add 192.168.13.2 255.255.255.252
RP/0/0/CPU0:XR3(config-if)#co

Unit vpnagentd service not loaded.

Somebody asked me to run the Cisco EPIC VPN lab test provided by Cisco. I tried it, but the AnyConnect client doesn't seem to work on an Ubuntu system. The error message was "Unit vpnagentd service not loaded." How to resolve the issue? First of all, install the following packages:

sudo apt-get install lib32z1 lib32ncurses5

Then try to install the AnyConnect client. If it still shows the same error message, use the command below:

sudo apt-get install network-manager-openconnect

Reload the changes using this command:

sudo systemctl daemon-reload

Now AnyConnect should be installed.

EoMPLS Configuration

EoMPLS is a point-to-point L2 VPN service used to transport all Ethernet frames received on a particular Ethernet interface or VLAN. It is also called Any Transport over MPLS (AToM), meaning this technology can carry Frame Relay, PPP, Ethernet, ATM, etc. IOS used: c7200-adventerprisek9-mz.151-4.M.

Logical topology: make sure MPLS with an IGP is configured as shown in the diagram. I'm not going to configure MPLS here. This tutorial only shows how to configure the xconnect tunnel peer with the customer-facing interface on the other side; in our network diagram we interconnect PE1 fa1/0 with PE2 fa0/0.

Config of PE1:

PE1#sh run
Building configuration...

Current configuration : 1337 bytes
!
upgrade fpd auto
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
ip cef
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip ad

Configuring a Basic MPLS VPN

It's been a long time since I was away from blogging, due to some R&D on the network with Juniper boxes. In this tutorial I'm going to configure a very basic MPLS VPN in GNS3. After that we go for EoMPLS configuration. This is the logical topology for this tutorial. Here I only post the configuration file from the PE; the other routers' configuration is almost the same. Here are the points to remember:

1. Make sure the IGP with MPLS is configured on PE and P routers; it shouldn't be configured on customer-facing interfaces.
2. Make sure all loopback interfaces are reachable.
3. Configure the VRF with RD and RT, then apply it on the right interface.
4. Configure MP-BGP on the PEs and peer them.
5. Make sure to redistribute the CE IGP protocol into BGP and vice versa.

The commands below can be copied and pasted into your router. Before that, make sure you have changed the necessary things.

Config from PE1:

PE1#sh run
Building configuration...

Current configuration : 2126 bytes
!
versi

Cisco Protected Port

I can see in my network that any customer can communicate with anyone on the same VLAN. Basically, whenever an unknown frame ingresses the switch and the switch finds no record in the CAM table, that frame is flooded out every port of the respective VLAN except the port it was received on. Such communication can be very dangerous for the service provider and its customers, because anyone can sniff or send information to other customers in the same VLAN. Broadcast packets are also flooded into the network, which can bottleneck it. To protect against such a bottleneck, we can configure the switch port as a protected port so that no protected port can communicate directly with another in the same broadcast domain.

Command:

interface fa0/2
 switchport mode access
 switchport access vlan 30
 switchport protected

This way we can protect users in the same VLAN. A protected port can only be configured on an edge port, not on a trunk port or an L3-connected port. Now the protected port prevents any unicast, broadcast or multicast packet e

How To Configure RSPAN on Cisco Switch

Sometimes I need to analyze network traffic from a remote switch, so RSPAN is a life saver. Going to the site, capturing the packets and analyzing them is very time consuming. So here is a small tutorial that explains how to capture packets with RSPAN.

SW1 (this is the remote switch, which is the source of our packets):

sw1(config)#vlan 444
sw1(config-vlan)#remote-span
sw1(config)#monitor session 1 source interface Fa1/0/1 - 16
sw1(config)#monitor session 1 destination remote vlan 444

SW2 (the destination switch where you are going to sniff the packets sent by the remote switch, in this case sw1):

sw2(config)#vlan 444
sw2(config-vlan)#name RSPAN_VLAN
sw2(config-vlan)#remote-span
sw2(config)#monitor session 1 destination interface Gi0/17
sw2(config)#monitor session 1 source remote vlan 444

Now you can capture the remote packets on port 17. All these tutorials were tested on a Cisco 3750 switch.

Cisco IOS Upgrade

All these tasks have been done in a production environment. I upgraded the IOS on almost 50 switches in production. In my case I didn't remove the working IOS from the 2950 switch. You may encounter low flash memory during the upgrade to the new IOS; if that happens, see the bottom of this tutorial, where I mention how to recover some more space for the IOS upgrade.

Step 1: First of all, create a TFTP server on one of the already-updated switches.

sw2(config)#tftp-server c2950-i6k2l2q4-mz.121-22.EA14.bin

Step 2: Then go to the remote switch whose IOS you want to upgrade to the new version.

sw1#copy tftp: flash:
Address or name of remote host [100.100.255.47]?
Source filename [100.100.255.47]? c2950-i6k2l2q4-mz.121-22.EA14.bin
Destination filename [c2950-i6k2l2q4-mz.121-22.EA14.bin]?
Accessing tftp://100.100.255.47/c2950-i6k2l2q4-mz.121-22.EA14.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA14.bin from 100.100.255.47 (via Vlan2): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Recover password Cisco Catalyst Switch 2950/2970

Power off the switch. Hold down the Mode button located on the left side of the front panel and reconnect the power cable to the switch. After a few seconds you can see the switch: prompt; release the Mode button when the Status (STAT) LED goes out. (When you release the Mode button, the SYST LED blinks amber.)

1. The following instructions appear:

The system has been interrupted prior to initializing the
flash filesystem.  The following commands will initialize
the flash filesystem, and finish loading the operating
system software:

    flash_init
    load_helper
    boot

switch:

2. Now enter the following commands:

switch: flash_init
switch: dir flash
switch: rename flash:config.text flash:config.old
switch: boot

3. Enter "n" at the prompt to skip the setup program:

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.

Reset password Cisco Catalyst Switch 2950/2970

To reset the password of a 2970 switch, power off the switch, press the MODE button and then power it on; watch the SYS LED and release the Mode button when it glows green. To recover the password instead, click here. Now you are in switch: prompt mode.

switch: flash_init
switch: dir flash:
switch: delete flash:config.text
switch: delete flash:vlan.dat

Now your switch has been reset and you can reconfigure it.

Cisco Switch Doesn't Boot Automatically

Recently I encountered a Cisco 3750 switch that, on reload, drops into the switch: prompt. I tried every possible troubleshooting step, but whenever the switch reloaded it automatically booted into recovery mode. This happens because manual boot is set to yes.

test-sw4#sh boot
BOOT path-list:       flash:/c2950-i6k2l2q4-mz.121-22.EA12
Config file:          flash:/config.text
Private Config file:  flash:/private-config.text
Enable Break:         no
Manual Boot:          yes
*************Output Omitted****************

To set the switch to boot automatically, we have to issue the no boot manual command in global configuration mode.

test-sw4(config)#no boot manual ?
  <cr>
test-sw4(config)#no boot manual
test-sw4(config)#end
test-sw4#wr
Building configuration...
[OK]
test-sw4#

Verify the command:

test-sw4#sh boot
BOOT path-list:       flash:/c2950-i6k2l2q4-mz.121-22.EA12
Config file:          flash:/config.text
Private Config file:  flash:/private-config.text
Enable Break:         no
Manu

Cisco Access Server Configuration 2511

In this lab we learn to configure an access server. For this lab we are going to use a Cisco 2511 router. Before configuring the access server, make sure you have connected the console cable to the router and that you can access it.

Access_Server#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (IGS-J-L), Version 11.0(18), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 01-Dec-97 17:59 by jaturner
Image text-base: 0x03034C58, data-base: 0x00001000

Access_Server uptime is 3 hours, 45 minutes
System restarted by power-on
System image file is "flash:igs-j-l.110-18", booted via flash

cisco 2511 (68030) processor (revision M) with 14336K/2048K bytes of memory.
Processor board ID 10355024, with hardware revision 00000000
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
 --More--

Command reference:

hostname Access_Server
!
enable secret 5 (deleted)
!
username cisco privilege

Cisco Router a DHCP Server

Here is the procedure for running your Cisco router as a DHCP server, with a small topology showing how to configure the DHCP server on the router. Use the following commands to configure the router as a DHCP server, then verify from the PC connected to that interface. You can copy the following commands and paste them into your router.

******output omitted ********
!
!
!
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool test
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0

Open DNS Recursive Resolver Attack

Dear blog reader, a few days back I faced a huge DNS amplification/reflection attack through Mikrotik (MT) routers. The attack was organized from different sources to different destinations. This attack has also been seen on routers from other vendors, such as D-Link DI-1705B, Buffalo, AirLive and Cisco (Cisco Systems, Inc. Firmware: 4608). The attack is possible because the MT router answers DNS queries on its WAN interface; apply the following TCP and UDP packet filters for destination port 53.

IP > Firewall > Filter Rules:

chain=input action=drop protocol=udp in-interface=ether1-WAN dst-port=53
chain=input action=drop protocol=tcp in-interface=ether1-WAN dst-port=53

The same rule can be applied on other routers to block and disable the resolver. Please note: in-interface should be your WAN port.

How to check whether your IP is being used as an open resolver (Linux command):

#dig -t A jpudasaini.com.np @8.8.8.8

Note: Replace 8.8.8.8 with your own IP address.

Rapid Spanning Tree Protocol

You may wonder why we need RSTP. Go back to my previous blog post where I wrote about how STP works and its port states. Now we are going to talk about RSTP. Let's learn about it and you will know why we need it. Recall my previous theory: as we already know, STP was created a very long time ago and has the following problems converging a link.

1. Listening: 15s of listening for BPDUs. The switch sends/receives BPDUs in this state.
2. Learning: 15s of learning MAC addresses, populating the switch CAM table.
3. Forwarding: the port is forwarding traffic.
4. Blocking: the switch will wait up to 20s before moving a blocked port into the listening phase, because this is the time the switch waits in case the primary link comes back up.

STP port states take a minimum of 30s and a maximum of 50s to bring a link up. This is the port process every switch has to go through when it boots up or reconverges. STP downtime is the biggest problem for today's networks. STP has problems, but we also have solutions! Port Fast: Port Fast disables Spanni

Understanding STP Ports States

Hello friends, here is another article about STP. In this article I try to explain switch port status and how we recognize port status, as well as the Root ID and Bridge ID and which MAC address STP uses to elect the Root Bridge. I hope this article is useful for understanding Spanning Tree Protocol; at the end I try to explain why we need RSTP. I'll post another article about RSTP in the coming days. As I already explained in my previous article about STP Root Bridge election, we can see that S1, which has the lowest MAC address, wins the Root Bridge election. Let's verify and check the status of the switch ports. Looking at the picture above, we can see from VLAN0001 the Root ID and Bridge ID. The Root ID holds all information about the Root Bridge; that means S2 knows which switch is the Root Bridge and that its outgoing port is Fa1/1, which is the Root Port and is directly connected to the RB. The Root Bridge has a priority of 32769, its MAC is 000D.BD2D.6BD9, and the cost to reach the Root is 19. The Bridge ID is information about

Per VLAN Spanning Tree

All modern Cisco switches support PVST. As the name indicates, what Per-VLAN Spanning Tree does is add the VLAN number to the priority in the BPDU header. For example, the default priority is 32768; if you run VLAN 10 on your switch, the new priority would be 32778. The result is that you have one Root Bridge per VLAN. If your network has multiple VLANs, then you have a Root Bridge for each VLAN. In that case, if you don't change anything, by default the same switch will be elected as Root Bridge for every single VLAN. From the diagram above we have VLAN 10 and 20 running on switches that are trunked to each other. We have two VLANs here, which means we have two completely separate Spanning Tree instances running. The trunk link carries both VLAN 10 and 20. We already discussed that the default priority is 32768, so the new priority would be 32778 for VLAN 10 and 32788 for VLAN 20. If that is so, then it's all tied: VLAN 10 only communicates with VLAN 10 and VLAN 20 only communicates with

Spanning Tree Electing Root Bridge

Per-VLAN Spanning Tree Concepts. Let's begin with how Spanning Tree works in an enterprise network. From the figure we can identify who will be the root bridge, and configure which switch should be the root bridge in our network. Let's start with the default state of Spanning Tree, using a real-world example. We have a 3-tier enterprise network structure: at the top are the Access switches, which connect directly to users; in the middle is Distribution, then Core; at the bottom are the server farm switches. We don't change anything, priorities are the same and the MAC addresses are as shown; now guess who will be the Root Bridge. Obviously Switch0, because it has the lowest MAC address. That access-layer switch becomes the Root Bridge. Now, do we want that switch to become the Root Bridge in our network? No, we don't; it isn't the center of the network. Remember that every switch finds the best way to reach the Root Bridge and blocks all other redundant links. Switches th

Spanning Tree Protocol

What is STP? Spanning Tree Protocol was created to prevent loops in a redundant network.

What is a BPDU? Switches send "probes" into the network called Bridge Protocol Data Units (BPDUs) to discover loops. All switches in the network forward those probes back, flipping them through every switch and checking every single link. It is actually a multicast frame. If there is redundancy in the network, a switch will receive its own BPDU back and so knows there is a redundant link in the network. Now the switch works to find it. That's the goal of the BPDU.

What is the Root Bridge? BPDUs also help elect the Root Bridge. By default the STP election will pick the oldest switch in the network as the root bridge. All switches will find the best way to reach the Root Bridge. All other paths that are not the fastest way to reach the root end up getting blocked, which disables the redundancy of the network.

BPDUs and elections: BPDUs are sent once every two seconds out every singl

Configure SSH Cisco

Make sure that the target router is running Cisco IOS Release 12.1(1)T or later to support SSH. Before continuing this task, don't forget to change the hostname of the router.

R1(config)#ip domain-name jpudasaini.com.np
R1(config)#crypto key generate rsa
The name for the keys will be: R1.jpudasaini.com.np
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#ip ssh time-out 60
R1(config)#ip ssh authentication-retries 3
R1(config)#username jayaram secret cisco
R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)#exit

After this configuration you can log in:

R1#ssh -l {login name} -v [ssh version 1 or 2] [remote server name]