Thursday, December 10, 2009

Cisco IPS/IDS products for CCIE Security

Hi All,

For those of you interested in knowing how the Risk Rating System works on the Cisco IPS/IDS products for CCIE Security, here is a good video to review.

http://www.cisco.com/web/learning/le31/le46/cln/qlm/CCSP/ips/risk-rating-system-overview-3/player.html

Thursday, December 3, 2009

SSL VPN - Configuration Examples and TechNotes

http://www.cisco.com/en/US/products/ps6657/prod_configuration_examples_list.html

WebVPN

http://www.cisco.com/en/US/docs/ios/12_2/12_2y/12_2ya4/feature/guide/ftezvpcm.html#wp1065681

IPsec Virtual Tunnel Interfaces

How to Configure IPsec Virtual Tunnel Interface
  • Configuring Static IPsec Virtual Tunnel Interfaces
  • Configuring Dynamic IPsec Virtual Tunnel Interfaces
  • Configuring Per-User Attributes on a Local Easy VPN AAA Server
Configuring Static IPsec Virtual Tunnel Interfaces
This task shows how to configure a static IPsec VTI: a routable tunnel interface that encrypts whatever is routed into it, with no crypto map and no crypto ACL.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile profile-name
4. set transform-set transform-set-name
5. interface type number
6. ip address address mask
7. tunnel mode ipsec ipv4
8. tunnel source interface
9. tunnel destination ip-address
10. tunnel protection ipsec profile profile-name [shared]

Configuring Dynamic IPsec Virtual Tunnel Interfaces
This task shows how to configure a dynamic IPsec VTI: a virtual template from which IOS clones a Virtual-Access interface for every peer that matches the ISAKMP profile.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile profile-name
4. set transform-set transform-set-name
5. interface virtual-template number type tunnel
6. tunnel mode ipsec ipv4
7. tunnel protection ipsec profile profile-name [shared]
8. exit
9. crypto isakmp profile profile-name
10. virtual-template template-number
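The two summary lists above are the hub and spoke halves of one design, so here is one added configuration example (written for this page, not taken from the Cisco document) that puts them together: the hub terminates spokes on a dynamic VTI cloned from Virtual-Template1, and the spoke builds a static VTI (Tunnel0) toward the hub. The addresses, the profile and transform-set names, the EIGRP AS number and the pre-shared key are all placeholders chosen for the example.

```cisco
! ===== Hub (outside address 198.51.100.1): dynamic IPsec VTI =====
! IKE phase 1 policy. DH group 14 needs a 12.4T-era or later image;
! on older code only groups 1/2/5 are offered.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Keyring for the spokes. The 0.0.0.0 wildcard means ANY peer that knows the
! key can bring up a Virtual-Access interface; outside a lab use one entry per
! spoke address, or certificates. The key value is a placeholder.
crypto keyring SPOKE-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key S3cr3tPSK
!
! ISAKMP profile: peers matching it are mapped onto the virtual template
crypto isakmp profile SPOKES
 keyring SPOKE-KEYS
 match identity address 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
! Each spoke that completes IKE gets a Virtual-Access interface cloned from
! this template; no tunnel source/destination is needed here.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Routing runs over the tunnel, so spoke prefixes are learned dynamically
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary

! ===== Spoke (outside address 203.0.113.2): static IPsec VTI to the hub =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key S3cr3tPSK address 198.51.100.1
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
! Routable tunnel interface: no crypto map, no crypto ACL. Anything routed
! into Tunnel0 is encrypted with the profile attached below.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
```

To check it, use show crypto session and show crypto ipsec sa on either side; on the hub, show interfaces virtual-access 1 appears only after the first spoke has completed IKE, and show ip eigrp neighbors should then list the spoke over that Virtual-Access interface.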

Configuring Per-User Attributes on a Local Easy VPN AAA Server
To configure per-user attributes on a local Easy VPN AAA server, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa attribute list list-name
4. attribute type name value [service service] [protocol protocol]
5. exit
6. crypto isakmp client configuration group group-name
7. crypto aaa attribute list list-name

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

Wednesday, November 11, 2009

Full reachability in the lab (from http://cciekid.blogspot.com/)

For those starting out in their CCNP/CCIE journey, I would like to address one of the most crucial parts of the CCIE Lab: verifying full reachability.

It is common practice for any CCIE candidate to verify their reachability across the lab topology when labbing. While studying for the CCNP, I learned a couple of shortcuts:

TCL Scripts:

TCL Scripting is what you should use on your routers to ping multiple addresses without delay.

- To configure a TCL Script -

1. Enter TCL scripting

R3#tclsh
R3(tcl)#

2. Create the script

R3(tcl)#foreach address {
+>(tcl)#1.1.1.1
+>(tcl)#2.2.2.2
+>(tcl)#3.3.3.3
+>(tcl)#} { ping $address }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

This is a great way of pinging a ton of addresses without having to manually enter each ping command and wait for its output. This saved me a lot of time on the verification during my Lab exam.

Much more in depth information on TCL Scripting in Cisco IOS can be found here:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html
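The foreach loop above still makes you read every ping's output to spot a failure. As an added example (not from the original post), here is a tclsh script that runs each ping from Tcl, parses the "Success rate" line, and prints only a summary of which targets did not answer; the target list and the proc names are made up for illustration, and the optional second argument lets you append ping options such as source Loopback0 so that the sweep tests reachability from a loopback rather than from the exit interface.

```tcl
# Added example for IOS tclsh (not from the original post).
# Constructed target list: substitute the loopbacks of your lab topology.
set targets {1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4}

# Run one IOS ping from Tcl and return the success percentage.
# In IOS tclsh, exec runs an exec-mode command and returns its output as a
# string; catch guards against a command the parser rejects outright.
proc ping_pct {addr {extra ""}} {
    if {[catch {exec "ping $addr $extra"} out]} {
        return 0
    }
    if {[regexp {Success rate is (\d+) percent} $out -> pct]} {
        return $pct
    }
    ;# Unparseable output ("% Unrecognized host" etc.) counts as a failure
    return 0
}

# Sweep a list of addresses, printing one line per target, and return a list
# of {addr pct} pairs for every target that did not get 100 % replies.
# An empty return value means full reachability.
proc sweep {addrs {extra ""}} {
    set failed {}
    foreach a $addrs {
        set pct [ping_pct $a $extra]
        if {$pct < 100} {
            lappend failed [list $a $pct]
        }
        puts [format "%-16s %3d%%" $a $pct]
    }
    return $failed
}

# Example run: test from Loopback0, which is what the lab usually asks for
set bad [sweep $targets "source Loopback0"]
if {[llength $bad] == 0} {
    puts "Full reachability: all [llength $targets] targets answered every ping"
} else {
    puts "UNREACHABLE or lossy:"
    foreach pair $bad {
        puts "  [lindex $pair 0] ([lindex $pair 1]%)"
    }
}
```

You can paste this straight into tclsh (the prompt changes to +>(tcl)# while a proc is open), or save it to flash and run it with tclsh flash:reach.tcl so the same sweep can be repeated after every configuration change.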

Macro:

This can do a similar thing on a switch that TCL ping scripts will do on a router.

- To configure a ping macro -

1. Create the macro name and enter macro configuration mode:

Switch(config)#macro name PINGVERIFICATION
Enter macro commands one per line. End with the character '@'.
do ping 1.1.1.1
do ping 2.2.2.2
do ping 3.3.3.3
@

IOS is nice to us, in that it will tell you how to configure the macro.

2. Apply the macro:

Switch(config)#macro global apply PINGVERIFICATION

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Another way to use a macro is for repetitive configuration. For example, let's say we want to configure a bunch of switch ports with the same port-security policy:

Switch(config)#macro name PORTSEC
Enter macro commands one per line. End with the character '@'.
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 5
switchport port-security violation restrict
snmp trap mac-notification added
snmp trap mac-notification removed
@

What I have created here, is a macro that will do the following:
1. Set the port to access mode
2. Turn on port-security
3. Configure specific port-security policies
4. Enable SNMP trap notifications for whenever a MAC-address is added or removed

Now we can apply this macro to a switchport:

Switch(config)#interface fa0/7
Switch(config-if)#macro apply PORTSEC

Verify that the configurations have taken place:

Switch#show port-security interface fastEthernet 0/7
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Switch#show mac-address-table notification interface fa0/7
MAC Notification Feature is Disabled on the switch
Interface         MAC Added Trap    MAC Removed Trap
---------         --------------    ----------------
FastEthernet0/7   Enabled           Enabled

Note the first line of that output: the per-port traps are enabled, but the MAC notification feature itself is still disabled globally, so no trap will ever be sent until you also configure mac-address-table notification in global configuration mode (together with snmp-server enable traps mac-notification and an snmp-server host to send them to).


Smart Port Macro:

Here is where things get cool. Now we can combine that normal macro with an interface-range macro.

Let's say we wanted to apply the PORTSEC macro we created earlier to many interfaces with only a couple of commands. This can be done by defining the interface range once and then entering it by name:

1. Define the interface-range macro (a named set of ports) using the "define" command:

Switch(config)#define interface-range FA0/7-21 fastEthernet 0/7 - 21

Here I have defined the switchport range of fa 0/7 - 21 under the name FA0/7-21.

2. Enter the range by its macro name:

Switch(config)#interface range macro FA0/7-21

3. Call the normal macro we created earlier:

Switch(config-if-range)#macro apply PORTSEC

4. Verify your macro:

Switch#show parser macro

--------------------------------------------------------------
Macro name : PINGVERIFICATION
Macro type : customizable
do ping 1.1.1.1
do ping 2.2.2.2
do ping 3.3.3.3
--------------------------------------------------------------
Macro name : PORTSEC
Macro type : customizable
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 5
switchport port-security violation restrict
snmp trap mac-notification added
snmp trap mac-notification removed
--------------------------------------------------------------

If you are interested, take a little time to read through the pre-configured (built-in) macros listed by the show parser macro command. There is some interesting stuff in there.
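Those built-in macros show the feature the heading of this section is really named after: a macro created with macro name can take parameters. Any word in the body that begins with $ is a placeholder that is filled in on the macro apply line, which is how the built-in cisco-desktop macro takes $AVID. As an added example (not from the original post), here is a parameterised version of the PORTSEC macro applied across an interface-range macro; the range name, VLAN number and MAC limit are assumed values, and the portfast/BPDU guard lines and the global notification commands are hardening additions the original macro did not include.

```cisco
! Added example (not the original post's macro): parameterised Smartport macro.
! The "# macro keywords" comment lets "show parser macro" list the parameters.
macro name PORTSEC-VLAN
# macro keywords $AVID $MAXMAC
switchport mode access
switchport access vlan $AVID
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum $MAXMAC
switchport port-security violation restrict
snmp trap mac-notification added
snmp trap mac-notification removed
spanning-tree portfast
spanning-tree bpduguard enable
@
!
! Assumed range name; same syntax as the FA0/7-21 definition above
define interface-range USERPORTS fastEthernet 0/7 - 21
!
! Every $ placeholder must be given a value on the apply line
interface range macro USERPORTS
 macro apply PORTSEC-VLAN $AVID 10 $MAXMAC 2
!
! Without these two global lines the per-port mac-notification traps never fire
mac-address-table notification
snmp-server enable traps mac-notification
```

Verify with show parser macro name PORTSEC-VLAN to see the body with its placeholders, show running-config interface fa0/7 to confirm the substituted values landed, and show port-security interface fa0/7, which should now report Maximum MAC Addresses : 2.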

For more detailed information on Smart Port Macros visit:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swmacro.pdf