Network technologies and trends: September, 2008 archives


Sep 29 2008   12:26AM GMT

Things to be considered before upgrading an IOS in a Cisco 6500 Series Switch with SUP720- Series 1



Posted by: Yasir Irfan
Networking, Switches, Cisco, DataCenter, Cisco IOS, TFTP Server, Cisco 6500, Cisco Tips, Cisco Learning, Network Troubleshooting, IOS Upgrade, 3Com TFTP, SolarWinds, PacketTrap TFTP, PacketTrap pt360

Today I successfully upgraded the IOS on a Cisco Catalyst 6513 Switch with a Supervisor Engine SUP720. A couple of years ago I faced some problems while upgrading the IOS on a Catalyst 6513 Switch. In this series I will try to focus on the things to be considered before upgrading the IOS on a Cisco Catalyst 6513 Switch.

First and foremost is the TFTP server. The main problem you face is the file size limitation of TFTP servers. Most TFTP servers won't support transferring an IOS file of more than 30 MB. At that time I was using the SolarWinds TFTP server, which is excellent software but cannot support more than 30 MB. The IOS transfer failed exactly after 30 MB of transfer. I was worried about what the problem might be; after careful observation I figured out that the problem lay with the SolarWinds TFTP server. Then I tried Cisco's old TFTP server, but hit the same problem. Later on I figured out that a TFTP server can support more than 30 MB of file transfer.

Hence, after changing to 3Com's 3CDaemon Server and the PacketTrap pt360 Tool Suite FREE edition, I was able to transfer IOS files larger than 30 MB. So the main point is to make sure your TFTP server can support file transfers of more than 30 MB, as the image file for the Cisco Catalyst 6513 Switch is always more than 30 MB in size. Personally I would recommend the TFTP server from the PacketTrap pt360 Tool Suite.

Things to be considered for IOS upgrade series 2 

Sep 27 2008   7:33AM GMT

Cisco boosts collaboration products



Posted by: Yasir Irfan
Cisco, Unified Communication, Virtual Office, Cisco News

Cisco announced the launch of its latest set of collaborative solutions, which Cisco believes will help it tap the $34 billion market for collaborative solutions. This launch includes more than 40 products, with key updates and new additions for unified communications, including Web 2.0 and video platforms. Cisco CEO and Chairman John Chambers, in a video briefing with journalists, said “decade of productivity and a decade of innovation, in which people all around the world will be able to participate”. Cisco, which launched Virtual Office for home workers earlier this month, is set to release more offerings to tap into the demand for flexible working. The launch also includes the latest version of Cisco Unified Communication 7.0. The latest version of Unified Communication includes compatibility with Windows Mobile to increase mobile usage. Cisco also plans to introduce integration with the Apple iPhone by next year. For more details about this launch do check this article.


Sep 24 2008   6:27PM GMT

How to turn a Cisco Router into ASA..



Posted by: Yasir Irfan
Cisco, Routers, Cisco IOS, Cisco ASA, ASA/PIX, Basic Firewall, Cisco IOS Firewall, ZFW

Guess what: your routers support zone-based policies, which really help with multi-interface restrictions (rather than just one outside and one inside interface with individual access lists applied). Likewise, they now support application inspection to catch those scandalous peer-to-peer programs.

[Figure: zoneguide. Courtesy: Cisco]

Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic. For more details do access this document from Cisco.
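A three-zone ZFW configuration illustrating the model described above, added here as an example and not taken from the original post or from Cisco's document. The zone, class-map, policy-map and interface names are assumptions chosen for illustration.

```cisco
! Added example. All names and interface numbers are assumptions.

! 1. Define the security zones.
zone security INSIDE
zone security DMZ
zone security OUTSIDE

! 2. Classify the traffic each zone pair should allow.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol dns
 match protocol http
 match protocol https
class-map type inspect match-any CM-OUTSIDE-TO-DMZ
 match protocol http

! 3. Attach an action to each class. "inspect" permits the flow statefully,
!    so return traffic is allowed. Everything else falls into class-default.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
policy-map type inspect PM-OUTSIDE-TO-DMZ
 class type inspect CM-OUTSIDE-TO-DMZ
  inspect
 class class-default
  drop log

! 4. A policy is unidirectional and bound to one source/destination pair.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-TO-DMZ

! 5. Place each interface in a zone.
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security DMZ
interface FastEthernet0/2
 zone-member security OUTSIDE

! No zone-pair is defined for OUTSIDE->INSIDE, DMZ->INSIDE or INSIDE->DMZ,
! so the default deny-all between zones drops new sessions in those directions.
```

`show zone-pair security` lists which zone pairs carry a policy, and `show policy-map type inspect zone-pair sessions` shows the sessions currently being inspected.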


Sep 24 2008   11:21AM GMT

HP to Acquire Colubris Networks to Expand HP ProCurve’s Wireless Technology Offerings



Posted by: Yasir Irfan
Wireless, HP Procurve, HP switches, Colubris Networks, Acquisition

HP announced that it has signed a definitive agreement to acquire Colubris Networks Inc., a Waltham, Mass.-based, privately-held global provider of intelligent wireless networks for enterprises and service providers. HP plans to integrate Colubris’ extensive product line into its ProCurve Networking product portfolio. This will expand HP ProCurve’s reach into vertical markets such as hospitality, transportation, healthcare, manufacturing, service provider and education.

The award-winning Colubris Networks Intelligent Mobility Solution delivers wireless integrated access, management and security products as well as 802.11n capability – all of which help enterprises and service providers broaden the reach and impact of voice, data and multimedia applications.

“The acquisition of Colubris Networks will strengthen ProCurve’s hardware, management platform and services, significantly improving the overall performance capabilities of both wired and wireless networks, and will deliver even more best-in-class choices for our customers worldwide,” said Marius Haas, senior vice president and general manager, HP ProCurve. “With our vision and continued support from HP leadership, I am convinced that ProCurve’s impressive growth and market leadership is unlimited.”

The acquisition is subject to certain closing conditions and is expected to close by the end of HP’s fiscal year 2008. Financial terms of the transaction were not disclosed.


Sep 24 2008   8:27AM GMT

How to configure intervlan routing between Cisco Catalyst Switches and HP Procurve Switches Series 2



Posted by: Yasir Irfan
Networking, Switches, Cisco, HP Procurve, Cisco Tips, Cisco 3560, Cisco Learning, Cisco 3560-E, Intervlan routing, IP Address, IOS commands, HP switches

In my previous post I discussed how common terminology is applied by both Cisco and HP. Now it’s time to proceed further: in this example we will create two VLANs and enable inter-VLAN communication between HP ProCurve switches and Cisco Catalyst switches.

[Figure: HP-Cisco VLAN]

We will create two VLANs on both switches, as shown in the table below.

[Table: IP address]

Now let’s see what configuration commands are required to create a VLAN and enable inter-VLAN communication between HP ProCurve switches and Cisco Catalyst switches.

[Figure: commands1]

[Figure: Commands2]


Sep 22 2008   6:53AM GMT

How to configure intervlan routing between Cisco Catalyst Switches and HP Procurve Switches Series 1.



Posted by: Yasir Irfan
Networking, Switches, Cisco, HP Procurve, Cisco 6500, Cisco Tips, Intervlan routing, IOS commands, HP switches, Trunking

In this series of articles you will see how to configure VLAN trunking between HP ProCurve switches and Cisco Catalyst switches.

Before proceeding further, let’s understand the basic terminology applied by both Cisco and HP for the following things.

When it comes to VLANs in Cisco, everyone thinks of the term TRUNKING.

HP applies trunking to EtherChannel, whereas in Cisco it applies to VLANs.

Let’s compare how both vendors define trunking.

[Figure: HP-Cisco. Source: HP]

VLAN terminology applied by both Cisco and HP

[Figure: VLANs comparison]

to be continued in next series
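The terminology mapping from this post, together with the VLAN and inter-VLAN commands discussed in Series 2, as an added example that is not the author's original configuration. It assumes the Catalyst routes between the VLANs and the ProCurve acts as a layer 2 access switch; the VLAN IDs, names, addresses and port numbers are constructed.

```cisco
! ---- Cisco Catalyst (layer 3 switch, routes between the two VLANs) ----
! Added example. VLAN IDs, names, addresses and ports are constructed.
ip routing
vlan 10
 name USERS
vlan 20
 name SERVERS
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
! Cisco "trunk": one link carrying several 802.1Q-tagged VLANs.
interface GigabitEthernet0/24
 description Uplink to HP ProCurve port 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the VLANs that are needed on this link.
 switchport trunk allowed vlan 10,20
 ! The HP switch does not speak DTP, so turn negotiation off.
 switchport nonegotiate

; ---- HP ProCurve (layer 2 only in this example) ----
; HP "tagged" port = Cisco trunk port; HP "untagged" port = Cisco access port.
vlan 10
   name "USERS"
   untagged 1-12
   tagged 24
   exit
vlan 20
   name "SERVERS"
   untagged 13-23
   tagged 24
   exit
; HP "trunk" means link aggregation (Cisco EtherChannel). It would be
; configured with a command such as "trunk 21-22 trk1 lacp" and is not
; needed for carrying VLANs between the two switches.
```

Hosts on the ProCurve access ports use the Catalyst SVI address of their VLAN (192.168.10.1 or 192.168.20.1 in this constructed example) as their default gateway.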


Sep 16 2008   7:55AM GMT

How to enable browsing with multiple subnets (VLANs) through Microsoft ISA Server 2006



Posted by: Yasir Irfan
Networking, Servers, Subnets, ISA Server, Microsoft, Microsoft ISA, Internet Browsing

The other day we installed Microsoft ISA Server 2006 for Internet browsing, as shown in the figure below.

[Figure: ISA]

The ISA Server has two NICs: one is connected to the DMZ zone with a real IP NATted to a private DMZ zone IP, and the second NIC is connected to the internal network.

Users were able to access the Internet from the same subnet as the Windows ISA Server 2006 (10.0.0.0/23 with default gateway 10.0.0.1). But we were facing a problem with users in the other subnets: they were not able to browse the Internet. So we checked the connectivity from the client to the Windows ISA Server 2006 network and the VLAN configurations on the Cisco Catalyst switch. Everything was fine. But we were not able to ping the default gateways for all the VLANs (subnets). Finally we checked the event log on the Windows ISA Server 2006 and found that it was dropping the packets due to a suspected spoof attack. Why should requests coming from a different subnet be considered spoofed? This is because Windows ISA Server 2006 treats requests coming from any network that does not have a direct route in its routing table as spoofed. So what is the solution? Quite simple! Add a static route using the route add command.

[Figure: Route Add]


Sep 14 2008   7:00AM GMT

Learn how to secure your Cisco router with Cisco’s Security Device Manager (SDM) Firewall Policy Wizard.



Posted by: Yasir Irfan
Networking, Cisco, Routers, SDM, access-lists, Basic Firewall, Cisco IOS Firewall, Cisco Security Device Manager, Cisco 877W Router

This document describes how to use the Cisco Security Device Manager (SDM) to secure your Cisco router. The Cisco Security Device Manager (SDM) firewall policy wizard can help make things easier for first-time users who are not comfortable with the Cisco CLI commands. In this example let’s configure the basic firewall using the Cisco Security Device Manager (SDM) firewall policy wizard. For this example a Cisco 877W router with IOS version 12.4(4)T8 is used with SDM version 2.5.

Using the Firewall and ACL task section of the Cisco Security Device Manager (SDM), you can create a new firewall and ACL.

[Figure: Firewall & ACL]

The Cisco Security Device Manager (SDM) offers a wizard to create either a Basic Firewall or an Advanced Firewall. What is the difference? The Basic Firewall won’t allow you to configure a DMZ zone, whereas the Advanced Firewall does.

As we are not interested in creating a DMZ zone, let’s proceed with the Basic Firewall option, as shown in figure A below.

Figure A

The figure below shows how the Basic Firewall Configuration Wizard applies its template policy to the inside and outside interfaces. The wizard will give you the opportunity to choose which interface is which. The new policy will inspect TCP, UDP and other protocols that travel from the inside to the outside zone. It will block IM, P2P, MSN, Yahoo and AOL IM traffic. It will also deny any unsolicited traffic coming in on the outside interface.

Figure B

Click Next, which will take you to the basic firewall Interface Configuration screen, as seen in figure B. This is where you can select which interface will be the inside and which will be the outside.

After you have made your selection, click Next. This takes you to the Basic firewall Security Configuration screen, as shown in figure C. Choose the level of Security for the firewall: High, Medium, or Low.

I chose Medium Security and clicked the Preview Commands button to review the commands this setting would apply.

Figure C

When you see the output, you are pleased that you didn’t have to type all those commands manually.

Figure D

Click Next. This takes you to the Basic Firewall Domain Name Server Configuration Screen, as shown in figure D. Specify the primary & secondary DNS server, and click Next. The Firewall Configuration summary screen sums up our choices as shown in figure E. Then click Finish.

Figure E

After successful completion of the above-mentioned steps, you can always review the changes, as shown in figure F, by clicking the Edit Firewall Policy tab.

Figure F


Sep 8 2008   8:12AM GMT

How to reset/delete the password & configuration on a Cisco WS-C3550-48-SMI



Posted by: Yasir Irfan
Switches, Cisco, Cisco 2950, HyperTerminal, Cisco Tips, Cisco 3560, Cisco 3750-E, Cisco 3560-E, IOS commands, Password reset

This article describes the procedure for resetting/deleting the password and current configuration on a Cisco Catalyst WS-C3550-48-SMI.

Model: WS-C3550-48-SMI

Warning: This procedure will remove the switch configuration. Be sure to have a backup of your current switch configuration before proceeding.

The Cisco WS-C3550-48-SMI Catalyst switch is similar to most Catalyst switches and the procedure for resetting the password is the same.

Step 1: Connect the console cable to the switch and start your terminal program (HyperTerminal/Secure CRT). Console port settings are 9600,8,N,1

Step 2: Hold the MODE button (on the front of the switch) while you power on the switch.

[Figure: reset 3550]

Step 3: Hold the MODE button for a few seconds until you see the System light stop flashing.

Step 4: At this point, the switch should be in ROMmon mode.

Step 5: From ROMmon mode, type: flash_init

Step 6: From ROMmon mode, type: delete flash:config.text

Step 7: From ROMmon mode, type: boot

At this point the switch will boot as normal with a new configuration and no password.



Sep 6 2008   10:40AM GMT

The best way to record the serial number for Cisco Devices for Remote support.



Posted by: Yasir Irfan
Switches, Cisco, Telnet, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3745, IOS commands

Imagine you are accessing a remote router and need to figure out the serial number of the router or the circuit IDs of the serial interfaces; you may start looking through your documented data or call the remote technician to help you figure out these details. The best and easiest way to get these details in a matter of seconds is to put the serial number of each device in the banner MOTD, and the circuit IDs in the serial interface descriptions.