Wednesday, 21 December 2011

Quick Cisco Switch and Router Troubleshooting

Haye.. !! some helpful quick troubleshooting commans

show run sec class-map
show run sec policy-map
sh run sec router
sh run sec crypto
sh run inc ip access-group
sh run inc ip local
sh run inc ip policy
sh run inc service-policy
sh run inc ip access-group
sh run inc vlan filter

Friday, 16 December 2011

Cisco and HP Procurve Trunk 802.1Q

This post only discusses how to configure an 802.1q VLAN trunk between a Cisco switch and an HP ProCurve switch. In this test I am using Cisco 3560 and HP ProCurve 2910 AL over here trunking refer to an 802.1q tagged VLAN trunk. Don’t get confused in Procurve world trunking refers to a feature like ether channel in Cisco world.

Mind that ISL trunk will not work between Cisco and HP because it is Cisco proprietary protocol. The trunk between a Cisco and HP Procurve switch must be 802.1q I rarely see ISL in use these days, and I personally consider 802.1q the preferred method of encapsulation if for no other reason than its interoperability.

Once you have configured all of the required VLANs (I hope I don’t need to explain how to configure VLANS) now configure the trunk on the Cisco switch in fa0/48 is our trunk port connected to HP ProCurve using the following commands:

Cisco3560(config)# interface fa0/48
Cisco3560(config-if)#switchport mode trunk
Cisco3560(config-if)# switchport trunk allow vlan 1,2,3
Cisco3560(config-if)#no shut

In this example I am using three VLANS Vlan 1 , 2, and 3
Here interface Fa0/48 is the trunk port on the Cisco switch.

Procurve switches, can have a VLAN either tagged or untagged on any particular port as shown in the configuration below.

HP2910al(config)#vlan 2
HP2910al(Vlan-2)#tagged 48

Now we have enabled trunk interface between HP and Cisco for Vlan 2 only, trunk will not carry any traffic a part from Vlan 2 in order to allow Vlan 3 traffic on Trunk we need to setup port 48 in HP switch as tagged port for Vlan 3 (Clear as MUD.. !!!!)

HP2910al(config)#vlan 3
HP2910al(Vlan-2)#tagged 48

Key point you have to setup uplink port 48 in our case on HP as tagged port for all the vlan that will pass through the trunk.

Now test connectivity between two hosts that are in the same VLAN i.e Vlan 2 , but on different switches. As you have learnt, configuration of 802.1q trunks between Cisco and HP Procurve switches is not a rocket science . if its not working double check the config and every thing should be fine.

Thursday, 15 December 2011

HP and Cisco commands Reference

Hi Everyone , forget about the fight which one is the better technology every product have its on Pros and Cons .
I am sharing here some terminologies and command differences , I hope they would be helpful

HP aggregated interfaces are called trunks and Cisco it is EtherChannel.

The confusion arises because term trunk is used differently in Cisco and HP. In Cisco trunk is an interface that is configured to support 802.1Q (VLAN). which is configured to support multiple VLANs is called a trunk however in HP Prociurve operating system, an interface that supports multiple VLANs is tagged.

Remeber these guidelines

An “access port” on Cisco is an “untagged port” on HP ProCurve.
A “trunk port” on Cisco is a “tagged port” on HP ProCurve.
A “port channel” on Cisco is called a “trunk” on HP ProCurve.
A Cisco "Access port" is "untagged" in HP Procurve

Trunking from the ProCurve side is meant to aggregate multiple ports together, while on Cisco it is meant to transport multiple VLANs over one port.

Link aggregation on the Cisco side is called “channeling"

*****Some main Hints and Tips******

Pay attention to multi-VLAN ports.
Make sure that the native VLAN on the Cisco trunk is the untagged VLAN on the ProCurve tagged port.
Ensure that the same VLANs are allowed and configured on both sides.
Remember that, unlike with Cisco, BPDUs (spanning tree, LLDP, and LACP) are not attached to the untagged port or any VLAN on HP ProCurve

To combine Cisco and HP ProCurve spanning tree networks, MSTP can be run on the Cisco devices, or PVST Cisco networks can be combined with MSTP HP ProCurve networks, I am running PVST on Cisco network and I added couple of HP Procurves with RSTP and didn't caused any problem, make sure you modify the priority at HP or cisco as per requirement.

Cisco supports Hot Standby Router Protocol (HSRP), and HP ProCurve supports Virtual Router Redundancy Protocol (VRRP), during migration ensure that both cores are from the same
vendor, whether HP ProCurve or Cisco. If you replace one core, replace the other at the same time.

Finally Routing Protocol HP doesn't support Cisco proprietary routing protocols.

There are some minor differences to consider between the two different OSPF implementations:

  • Cisco OSPF is enabled with network statements globally.

  • HP ProCurve OSPF is enabled within the VLAN context.

  • There are redistribution differences.

  • HP ProCurve is always non-broadcast multiple access (NBMA).

  • Cisco uses the highest loopback IP address for router ID, while HP ProCurve devices typically use the lowest.

  • With HP ProCurve, the loopback is always /32 mask.

  • With HP ProCurve, the OSPF link cost is “1” by default.

Tuesday, 6 December 2011

Toughest Job interview Questions

I and my friends have recently gone though some interviews processes, last night we thought to share our experience to help others.

Below are top tough interview questions that you may face, there is no obvious right answers that is aimed to highlight your abilities and strengths.

1. Describe your self.

It is definitely not an invitation to give your life history they are not interested in this. You should aim to describe the kind of person you are in a couple of minutes at most. Concentrate on positive qualities, and link them to the key responsibilities of the job you're applying for.

2.What do you enjoy most in your current job?

It is tricky question he actually wants to know what you don’t link in this job. The key is that you like everything about your job. Pick some part of current job that matches new job for which you are interviewed fro.

3. What do you feel you can bring to this job?

This is another question that gives you a chance to shine. You need to link your past experience or skills to the requirements of the job. Pick up to three key strong points in your favour that are relevant to this job.

4. What is your biggest weakness?

Huummm!!! it is hard and very easy at the same time depending if you are prepared for it or not, I always answer 'I'm useless at getting round to household jobs - changing light bulbs and fixing leaky taps. Avoid giving any weakness like I don’t like taking OrdersJ. Then why you are here start your own business.

5. What is your goal or what you want to do in next 5 years time?

Explain your career aligned with the role you are applying for, don’t tell about your dreams :)

6. Why you think you are the right Candidate for the role? Being on harsh end it can be asked as Convince me to hire you.

This question need some preparation and company research, interviewer is looking for any one candidate who have same goals as the company have.

7. Tell me about how you work as part of a team?

Employer want to know how well you work as a part of team , explain you can work on your own or with any one else , you are a self starter , good time management skills .

Wednesday, 16 November 2011

What is the difference between category 5e and category 6?

There is a lot of confusion among the networkers what is the main difference between Cat 5 E and Cat 6 cables.

Cat5e cable run near gigabit speed (With any above normal noise or substandard equipment you can see performance drop), it just cannot be "certified" for this use. Howevre Cat 6 cable is designed especially for gigabit use, and is certified to operate at said speed despite of some noise and abnormalities.

Main difference between Cat 5e and Cat 6 cable is transmission performance and available bandwidth as Cat 5 support 100 MHZ and Cat 6 Support 200 MHZ

These will provide better signal-to-noise ratio, allowing higher reliability for current applications and higher data rates for bandwidth intensive applications.

When implementing Cat 6 make sure you are using appropriate connectors to achieve best performance.

I have learnt from difference resources there is not standard for Cat6 cabling however there is approved standard for Cat 6 cabling which is ANSI/TIA-568-B.2-1

There is one new standard for Cat 6A which will support 10 Gbps and can support up to 500 MHZ.

Thursday, 3 November 2011

Is your E-mail compromised ?

Hi Guys!!! Just discovered some thing really good ...

Have your accounts been compromised? Find out

PwnedList is a tool that allows an average person to check if their accounts have been compromised. No passwords are stored in the database.

Just enter an email address or username associated with any of your accounts to see if it's on our list. Data entered is not stored, re-used, or given to any third parties.

Dont worry it is safe this is run by DVLabs (part of Tipping Point) and aquired by HP I hope you know HP if not look at your laptop :)

As per Website : They have 4,945,786 entries. Around 70% of this is composed of email addresses while the other 30% is usernames. The exact number is visible in the shiny new counter on our front page

Thursday, 13 October 2011

block social networking sites

Is your network bandwidth being consumed by unwanted traffic like P2P, Socialnetworking websites ?

Stop unwanted social networking websites in 3 simple steps

1. Create a class-map to match

class-map match-any SOCIAL_NETWORK
match protocol http host ""
match protocol http host ""
match protocol http host ""
match protocol http host "*facebook*"
match protocol secure-http host ""
match protocol secure-http host ""
match protocol secure-http host ""
match protocol secure-http host "*facebook*"

2. Create a policy-map to instruct what to do with the traffic.

3. Apply the policy on teh required interface
interface FastEthernet0/1
service-policy output DROP_SOCIAL_NET

Wednesday, 21 September 2011

Which Wireless Solution to Choose

Hi Every one ,

Before I start writing any thing , I would like to clarify this post is not suggesting to go for any specific vendor, My main point here is to discuss what are the main challenges you face when you start evaluating network wireless solution.

As my company is looking to deploy the wireless solution and I have been struggling for last couple of months to get my head round with the terms and different architecture / Solution that are vendor specific, but what you need to look for to avoid any confusion during the stage of evaluation or POC.

There are many wireless vendors in the market, leaving you with a tough decision which ones to recommend and which are ideal for higher end, enterprise-wide solutions that can support VOIP , Video and all those new technologies.

what we need to look for In wireless solution Ok !! here we go stick with three main things ... that we need in wireless solution once you stick with them start learning the terms i will mention at the end of the post. then you are good to go with any vendor and discus what they offer you .

The main challenges in wireless are

  1. Coverage

  2. Capacity (how many users can connect)

  3. Throughput (how much speed you can offer to all the active users)
Mind that throughput is the main factor to future proof your network to add more and more services on the network.

As per existing market roughly all access points support all set of frequencies the main are 2.4 Ghz and 5 Ghz to memorize i use to draw it something like that
2.4 Ghz = B , G , N

B stand for BAD gives you 11 Mbps

G 54 and N 300 / 450 Mbps

However 5 GHZ gives you A with 54 Mbps and N 300/450 Mbps

there are a lot of 2.4 Ghz devices so you network should not only support 2.4 but it should be able to support 5 Ghz and when in future you switch to 5 Ghz it should still not effect your coverage.

Key point
:- 2.4 has 3 x non mapping channels like 3 lane motorway and 5 Ghz have 20 non mapping channels how ever some vendors use 9 out of those 20 channels , however some even use 16 channels , so you must look for 5 ghz support in your network.

Key point :-
when you go and buy for any wireless product and if it says it support ABGN then it supports 5 GHZ if it says B,G,N yes , It supports N but it supports N on 2.4 Ghz , (remember 3 Lane motorway no future proofing)

Make sure your wireless solution support MIMO 3 x 3

for further information on MIMO google it it is sort of multiple antenna on both TX and RX to improve performance.

Now lets discuss about wireless Architecture.

  1. Single channel Approach

  2. AP controller based

  3. Distributed
I am going to discuss about all of these three approaches in a single paragraph it is a very debate able issues , you might see lot of white paper battling on each approach.

single channel one speak other just shut up result in Less bandwidth , Only One channel , and No interference as there is only one channel .

AP / Controller based , I am not going to comment, you have to ask vendor supporting this if you have 100 Devices going through the controller how it will share the bandwidth ? , what effect it will make if you enable WPA2 , i.e if 1 have 2 controllers and 100 AP's and every AP have 10 users how much bandwidth it can practically give to each user with WPA2 enabled (we don't forget about security in wireless), if it is sufficient for your existing and future VIOP and video we don't have any problem.

Distributed approach , I would just like to say intelligent AP have every functionality happening on the AP , built in encryption engine and i would say it can easily tick all your boxes about coverage , Capacity and throughput
Now come to the first thing (HUH what we were doing above then !!!! Cmon it was just theory real work starts here)
Survey. - when doing survey you need to very clear what SNR (Signal to Noise ratio) you want to live with , dont let the Vendor or surveyor trick you saying this area is covered see you can see the signal , yes but what is the dBM here mind that - 80 dBm will be dead for you you cannot communicate , there are couple of papers suggesting stick with -70 dBm and some say 76 Depending upon your requirement .
Key point:- Here is one more trick while you are doing survey do the survey for 2.4 and 5 both dont get robbed again . 5 GHZ wave is differnt then 2.4 so it have more impact if it hit something. i.e 2.4 covergage with -70 dBM need 10 AP's however it will not give same cover on 5 Ghz.
Some AP have 2 antennas one feeding you 2.4 and other 5 ghz normally known as dual band AP.

WLAN vendors are trying to improve functionality at edge by providing Security , gest access and reliability , IPS , and some vendors with Spectrum analyzer.

That's pretty much I have to say at the moment I will revisit and try to update, before I close I would like to add some main point.

If you are more concerned about Security you might be looking for FIPS 140 and PCI certification of products.

Look for Licences cost for controller with regards to AP count.

Some AP's are coming up with dual band support for example 2 antenna one antenna 2.4 and other is 5 Ghz and in future if you don't need 2.4 you would not like to end up with one antenna, so ask vendor about future plans.

One last point if wireless vendor say its 300 Mbps it is not 300 Mbps full duplex , It is just marketing figure , your Ethernet LAN is 100 Mbps full duplex which will make it 200 Mbps .

That is pretty much from my notes, Have a nice day.

Wednesday, 7 September 2011

Fraudulent Digital Certificates

some major borwsers have issued a relased because DIGINOTAR the former Certificate Authority whihc managed to issue more than 500 bogus digital certificates in the name of majore web service providers mainly


even in the name of some intelligence agencies.

In recent update from MoZilla Firefox it have blocked any certificate signed by DigitNotar.

Microsoft have also released an update 2607712 permanently moving all five DigiNotar's root certificates to the Certificate Revokation List whihc provides protection to all Windows versions.

DigiNotar Root CA

DigiNotar Root CA G2
DigiNotar PKIoverheid CA Overheid
DigiNotar PKIoverheid CA Organisatie - G2
DigiNotar PKIoverheid CA Overheid en Bedrijven

Thursday, 25 August 2011

Netflow Vs NBAR

You are the Cisco Network Designer in Which statement is correct regarding NBARand NetFlow?
A. NBAR examines data in Layers 1 and 4.
B. NBAR examines data in Layers 3 and 4.
C. NetFlow examines data in Layers 3 and 4.
D. NBAR examines data in Layers 2 through 4.

Answer is C


Netflow works between 3 and 4

Layer Flexible Netflow workd from Layer 2 to 7 inspect payload

NBAR works 3 to 7

Friday, 12 August 2011

Switching, Backplane and Switching fabric

There is a biggest confusing in the datasheets to understand Forwarding , Switching, Backplane and Switching fabric Internally to a switch.

A specialized hardware is needed to move frames between ports.This specific part can be called backplane or in some cases we talk of switching fabric.

When the forwarding capabilities of a backplane or switching fabric are greater then the sum of speeds of all ports (counted twice one for tx and one rx direction) / full duplex we call the switching fabric non blocking

Traffic between a pair of ports is not influenced by what traffic is exchanged on all other ports.The forwarding rate is expressed in packet per seconds and expresses how many packets per second are needed to reach a certain traffic volume (throughpout)

Clearly forwarding rate depends on frame size.

Ideally a backplane switching fabric should be non blocking for every frame size including the smallest ones (64 bytes in ethernet standard) but in reality most devices can be non blocking for an average size of 400 bytes.

bandwidth is the speed of traffic.

to convert between forwarding rate and used bandwidth we need to take in account some specific aspects of ethernet: with this kind of calculation using frames of minimum size 64 bytes you need 1488000 frames per second and per direction to fill a Gigabit ethernet port.

Be aware that all figures you see sum tx and rx directions so if a switch has 100 Mpps (Million Pkts per second) capability this accounts for a certain number of GE ports at 1 Gbps full duplex.

In almost all switches (Cisco and non-Cisco) the switching limitation is actually NOT bandwidth, its Mpps (mega packets per second).

So the answer actually depends mostly on what your traffic looks like. Worst-case is VOIP traffic which consists of 100byte packets, best case is file transfers using full 1500 byte packets.

Sunday, 31 July 2011

CISSP CBK 8 Legal, Regulations, Compliance, and Investigations

Legal, Regulations, Compliance, and Investigations

Council of Europe (CoE) Convention on Cybe rcrime:
If the organization is exchanging data with European entities, it may need to adhere to the Safe harbor

safe harbor framework how any entity that is going to move Private data to and from Europe must provide protection

Civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. no Jail sentence

Criminal law when an individuals conduct violates the government laws / Jail sentence

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct

Intellectual property laws do not necessarily look at who is right or wrong, but rather how a company can protect what it rightfully owns from unauthorized duplication or use,

Trade Secret = competitive value or advantage (formula for Drink)
Copyright= rights for authors(unauthorized copying and distribution of a work)
Trademark= protect a word,name, symbol (identifiable packaging, “trade dress.”)
Patent= (usually valid for 20 years from the date of approval)

international trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations

Similar to trademarks, international patents are overseen by the WIPO

Digital Millennium Copyright Act (DMCA), which makes it illegal to create products that circumvent copyright protection mechanisms.

Federal Privacy Act of 1974, it has enacted new laws, Gramm-Leach-Bliley Act of 1999

Federal Privacy Act If an agency collects data on a person, that person has the right to receive a report outlining data collected about him if it is requested ialso gives individuals the right to review records about themselves, to find out if these records have been disclosed, and to request corrections or amendments of these records)

Sarbanes-Oxley Act (SOX) law governs accounting practices,
Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers option to share the data with other companies.

1994 U.S. Communications Assistance for Law Enforcement Act all communications carriers to make wiretaps possible

Computer Fraud and Abuse Act,1986, 1996
  • access to federal Govt computers to access classified info
  • access to financial institution computers or any computer
  • unauthorised access to Govt computer
  • knowing access of a protected computer without authorization with intend to Fraud
  • causing the transmission of Program/ Information and Code from a computer without owners authorization
  • trafficking of computer password for fraud
  • transmission of communication containing threats

The Federal Privacy Act of 1974
Government agencies can maintain personnel information only if it is necessary to accomplish the agency’s purpose.

The Privacy Act dictates that an agency cannot disclose this information without written Permission from the individual however there are some exceptions.

1996 U.S Economic and Protection of Proprietary Information Act Industrial and corporate Espionage

1980 Organization for Economic Cooperation and Development (OECD) Guidelines
Deals with data collection limitations, the quality of data, specifications of the purpose for data collection, limitations of data use, participation by the individual on whom the data is being collected, and accountability of the data controller

Basel II
how much capital banks need to put aside to guard against the types of financial and operational risks banks face

1987 U.S. Computer Security Act federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems

Computer Security Act of 1987 identify computers with sensitive information.

American citizens are protected by the Fourth Amendment against unlawful search and seizure

Payment Card Industry Data Security Standards (PCI DSS)
any entity that processes, transmits, stores, or accepts credit card data PCI DSS is a private-sector industry initiative. It is not a law and failure to comply may lead to revocation of merchant status or a fine
PCI DSS main areas
  • Build and Maintain a Secure Network,
  • Protect Cardholder Data,
  • Maintain a Vulnerability Management Program,
  • Implement Strong Access Control Measures,
  • Regularly Monitor and Test Networks,
  • Maintain an Information Security Policy

Economic Espionage Act of 1996

1991, U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white collar crimes max fine up to 290 Million $

Employee Privacy Issues
manager can listen your conversation with customer but not your personal conversation

Government regulations SOX, HIPAA, GLBA, BASEL
Self-regulation Payment Card Industry (PCI)
Individual user Passwords, encryption, awareness

Downstream liability when two companies work to gather they must ensure proper protection for each other so if virus effect one company other wil get effected and will finally Sue upstream company.

event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/or impacts its security posture.

incident response policy should be managed by Legal Department

Three types of incident response team
virtual team members have other jobs slower response
permanent team which is dedicated strictly to incident response
hybrid team some are permanent members and some are called when needed

Main goal of incident handling is to contain and mitigate any damage caused by an incident and to prevent any further damage.

Steps to Incident Responce
Triage : initial screening of the reported event either it is False positive
Investigation:- proper collection of relevant data

honeypots can introduce liability issues and be used to attack other internal targets

Steps of Forensic Investigation

exigent circumstances when law enforcement quickly seize the evidents to avoid destruction for some one

Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence

The life cycle of evidence includes
Collection and identification
Storage, preservation, and transportation
Presentation in court
Return of the evidence to the victim or owner

Oral evidence is not considered best evidence because there is no firsthand reliable proof

evidence should be authentic , complete , sufficient and reliable

Dumpster diving is unethical, but it’s not illegal.
Trespassing is illegal,
Emanation = Tempest

Some things may not be illegal, but that does not necessarily mean they are ethical

Red box simulated the tones of coins being deposited into a pay phone
Black Box method to manipulate line voltage to enable people to call toll-free lines.
Blue Box ' that enabled people to make free long-distance phone calls,

Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms

ISC2 Code of Ethics

Code of Ethics Preamble:
  • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:
  • Protect society, the commonwealth, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession

Business attack = competitive intelligence to get trade secret
Intelligence attack = Military
Financing Attack = Bank Fraud

Corroborative Evidence supporting evidence is used to help prove an idea or a point, however It cannot stand on its own i.e Torn clothes, 911 call recording

computer fraudsters hold a position of trust

exclusionary rule mentions that evidence must be gathered legally

incident handling Contain and repair any damage caused by an event

Memory Dump gives an State of the Machine.

Circumstantial evidence = inference of information from other, intermediate, relevant facts. Secondary evidence = copy of evidence or oral description
Conclusive evidence = overrides all other evidence

GIASP Generally Accepted Information Security Principles
Computer security supports the mission of the organization
Computer security is an integral element of sound management
Computer security should be cost-effective
Systems owners have security responsibilities outside their own organization
Computer security responsibilities and accountability should be made explicit
Computer security requires a comprehensive and integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors