CCIE GET VPN (GNS3 Lab) [toc]Group Encrypted Transport (GET) VPN is slightly different and has quite different use cases from more traditional point to point IPSEC VPN where each point to point VPN is quite distinct in
CCIE DMVPN setup with PSK (GNS3 Lab) [toc] Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to
640-553 CCNA Security Disable ASA TCP State tracking (make my ASA a router) Recently had to use this (useful?) feature to help a customer with an asymmetric traffic flow via an ASA. The ASA would only see the out bound traffic from a host with the
Cisco jun2acl (Juniper to Cisco ACL Script) Recently we've needed to migrate an inherited environment away from Juniper Junos and onto Cisco IOS. As part of this a lot (!) of old an quite nasty firewall filter config needed to be
CCIE EIGRP (Named vs Legacy) Just a quick look over the basic differences with the newer style of EIGRP config. It really is quite a bit nicer (more logcal?) layout in the config with things like authentication moving
BGP BGP RTBH setup using exaBGP [toc]In this post I'll describe a basic setup using Cisco IOS, IOS XR and exaBGP that will function as a BGP remotely triggered blackhole (RTBH) allowing you to null route any source/
642-691 BGP+MPLS Difference between Router Descriptor (RD) and Route Target (RT) Studying towards the SPEDGE (great word Cisco!) tonight and couldn't quite define exactly Route Descriptors and Route Targets. So lets try First off it might be important (and obvious) to note both RT
Cisco Generate DSCP marked pings Today it was useful to confirm a switch was passing DSCP marked packets as expected and handling 'ef' marked packets. To do this on a cisco switch we can use the extended ping
Cisco SNMP ACL (after community check?!) Not my usual kind of post of "how to do ...blah" but something I'd come across yesterday that was a little interesting/annoying/silly. Best practice dictates you apply an ACL
Cisco Connectivity problems to a NAT'd host via a VPN on Cisco IOS Problem where a client on one side of a VPN tunnel cannot communicate with another host on the other side that has a static nat entry. The host 10.0.0.2 is
ASA Grab multiple OIDs via SNMPwalk SNMPWALK is a great too for grabbing SNMP oject identifier values (OIDs). To see how to install it see this post here. Mostly I use it for checking various single OID values but
Cisco Show "free" (not used for a while) ports on Cisco switch with one command Reasonably common task I come accross is to find free ports on switches (ports that havent been used for sometime). Sometimes its very easy where you can use an NMS or similar to
Cisco Cisco Security Manager logging SDEE messages from IPS in Event viewer Cisco Security Manager +4 (I was trying 4.0.1 at the time of this post) has an "event viewer" feature thats actually pretty good! It can receive syslog and SDEE messages, parse
CCNP Security DMVPN with PKI authentication (GNS3 Lab) [toc] Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to
802.1x EAP, EAPOL and EAP types Extensible Authentication Protocol (EAP) - is a transport mechanism used in 802.1x to authenticate supplicants (hosts/pcs) against a backend server (Radius) via an authenticator (Switch). The first byte of the EAP
Cisco Cisco (type 7) password decryption and encryption with Perl I've often seen password decryption tools for the Cisco (type 7) passwords and wondered how they worked. To learn more about that and Perl I thought I'd give it a go :) The short
ASA Cisco pipe options and some regex examples Just a quick post about using the pipe (|) command on Cisco devices to help format the output of any command. Add the pipe to any show command then ? can show the available options.
Cisco Display the specific port used in an etherchannel for given src/dst info Etherchannel on Cisco switches uses a hashing algorithm to determine which interface within the bundle to send the data over i.e. The port choice is deterministic and will always be the same
ASA Cacti graph template for Cisco ASA VPN sessions (IPSEC, SSL, WEBVPN + Total) Exported from Cacti 0.8.7e (including all dependencies) and made using a Cisco 5520 ASA running 8.4(1). OIDs used IPSEC VPN count - .1.3.6.1.4.1.9.
640-553 CCNA Security Role Based CLI access to Cisco IOS using Views Just having a play around with role based access and "views". Not a feature I've used much in production. Below we will configure a view that only allows the use of
ASA Install & configure nfdump with nfsen on Ubuntu server 10.04 This was done using Ubuntu server 10.04 although everything is compiled from source so the commands should be very similar on any linux box. There are also example configs for Cisco ASA
Android Setting up OpenVPN for Android phone (NAT & ZBFW on Cisco 1801) I've been looking to get a decent "native" VPN setup on my android phone for a while. There doesn't seem to be native support for IPSEC VPNs terminating on Cisco routers.
Cisco IOS ping with rotating data pattern/payload Came across an interesting problem where depending on the ping payload the loss would vary quite a bit when being sent over a WAN link. Pings using windows machines were seeing higher loss
640-553 CCNA Security Simple Zone Based IOS Firewall (GNS3 Lab) Just a post about the basic config and options of Cisco IOS zone based firewall using the Topology below Grab the initial configs and GNS3 .net file [HERE]. From the initial configs all
640-553 CCNA Security Steps to configure an IPSEC site to site VPN on a Cisco IOS device (GNS3 Lab) Just some short notes on basic IOS vpns using the topology below as an example. All the configuration examples are for the router Lefty. Grab the GNS3 .net file and initial configs [HERE]