In my previous post I described the DNS query problem we were facing with a Windows 2008 R2 server. The solution turned out to be quite simple. I started by monitoring the logs on the Cisco PIX 525 firewall using ASDM and syslog, and found that the ISP was answering the DNS queries but the replies were being dropped by the PIX 525:
%PIX-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to inside:y.y.y.y/49746; packet length 768 bytes exceeds configured limit of 512
The reason was that the replies coming back from the ISP were 768 bytes long, whereas by default the Cisco PIX 525 only allows DNS packets of up to 512 bytes, as shown below.
The cause was the default DNS inspection policy-map: on the Cisco PIX 525 and Cisco ASA the maximum DNS message length is set to 512 bytes by default.
As soon as I raised the limit in the default DNS inspection policy-map from 512 bytes to 1000 bytes, everything returned to normal and the Windows 2008 R2 server was resolving DNS queries again.
The commands I used to change the default DNS inspection policy-map are as follows.
MBGF-DAC-525-FW01# configure t
MBGF-DAC-525-FW01(config)# class-map inspection_default
MBGF-DAC-525-FW01(config-cmap)# match default-inspection-traffic
MBGF-DAC-525-FW01(config-cmap)# policy-map global_policy
MBGF-DAC-525-FW01(config-pmap)# class inspection_default
MBGF-DAC-525-FW01(config-pmap-c)# inspect dns maximum-length 1000
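As an added example (not code from the original post), here is a small parser for the 410001 drop message shown above: it pulls the packet length and the enforced limit out of each syslog line, picks the smallest maximum-length that would have admitted everything observed, and emits the policy-map lines from the post with that value. The sample log lines and addresses are constructed, and the 4096-byte cap is my assumption based on the UDP payload size EDNS0 resolvers commonly advertise.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
# Pattern for PIX/ASA syslog message 410001, the DNS-inspection drop quoted above.
DNS_DROP_RE = re.compile(
    r"%(?:PIX|ASA)-4-410001: Dropped UDP DNS (?P<kind>reply|request) "
    r"from (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+)"
)

@dataclass
class DnsDrop:
    kind: str     # "reply" or "request"
    src: str      # for a reply: the outside resolver (the ISP's DNS server)
    dst: str      # for a reply: the inside host (the Windows 2008 R2 server)
    length: int   # size in bytes of the dropped DNS packet
    limit: int    # maximum-length the inspection policy was enforcing

def parse_dns_drop(line: str) -> Optional[DnsDrop]:
    """Return a DnsDrop for a 410001 line, or None for any other syslog line."""
    m = DNS_DROP_RE.search(line)
    if m is None:
        return None
    return DnsDrop(m["kind"], m["src"], m["dst"], int(m["length"]), int(m["limit"]))

def suggest_max_length(lines: Iterable[str], ceiling: int = 4096) -> int:
    """Smallest inspect dns maximum-length that admits every packet dropped in the
    log: never below the limit currently enforced, and capped at the 4096 bytes that
    EDNS0 resolvers commonly advertise (the cap is an assumption, not from the post)."""
    drops = [d for d in map(parse_dns_drop, lines) if d is not None]
    if not drops:
        return 512  # nothing dropped: the PIX/ASA default is already enough
    needed = max(max(d.length for d in drops), max(d.limit for d in drops))
    return min(needed, ceiling)

def inspection_config(max_length: int) -> List[str]:
    """The policy-map commands from the post, parameterised on the chosen limit."""
    return ["policy-map global_policy",
            " class inspection_default",
            f"  inspect dns maximum-length {max_length}"]

# Constructed sample syslog lines; addresses are documentation-range placeholders.
SAMPLE_LOG = [
    "%PIX-4-410001: Dropped UDP DNS reply from outside:203.0.113.53/53 to "
    "inside:10.0.0.25/49746; packet length 768 bytes exceeds configured limit of 512",
    "%PIX-6-302016: Teardown UDP connection 1234 for outside:203.0.113.53/53",
    "%PIX-4-410001: Dropped UDP DNS reply from outside:203.0.113.53/53 to "
    "inside:10.0.0.25/51002; packet length 1312 bytes exceeds configured limit of 512",
]
```

Running `suggest_max_length(SAMPLE_LOG)` over the constructed lines returns 1312, so the post's choice of 1000 would still have dropped the second reply; the function surfaces that before the limit is set.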
In our new data center we added new HP blade servers and installed Windows 2008 R2 on them. The servers sit inside our network behind a Cisco PIX 525 firewall. We want to resolve all DNS queries for external names using the DNS server address provided by our ISP, which is 212.x.x.2.
On the Windows 2008 Server we have specified the DNS forwarder as shown in the diagram below.
But it always fails to resolve DNS queries from the internal network to the external network, both when using the nslookup command from the command prompt of the Windows 2008 Server and when testing simple and recursive queries to other DNS servers, as demonstrated below.
We have done the following to
1) The internal IP address of the Windows 2008 R2 server is PATed on our PIX 525 firewall, and I can browse the internet from it.
2) On the Windows 2008 R2 server we have specified the DNS IP address provided by our ISP.
3) All our servers in the DMZ zone are working fine.
I am working on this issue; meanwhile, if any one of you knows how to resolve it, your comments are always welcome.
Cisco Systems' new appliance, Cisco ISE (Identity Services Engine), can be deployed as an appliance or a virtual machine. It is designed to help organizations gain enterprise-wide visibility into their network: it provides authentication, authorization, accounting and posture profiling, gathers real-time contextual information from the network, users and devices, and lets administrators make proactive governance decisions by enforcing policy across the network infrastructure.
The Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. It is an integral part of the overall Cisco TrustSec® solution and SecureX architecture.
The Cisco Identity Services Engine (ISE) is a policy-based service-enablement platform which ensures corporate and regulatory compliance.
Some of the highlights of the Cisco Identity Services Engine (ISE) are as follows:
- Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce contextual-based business policies across the network.
- Business-relevant policies: Create and enforce consistent policy from the head office to the branch office.
- Systemwide visibility: Let IT see who and what is on the network for advanced discovery and troubleshooting.
- Flexible architecture: Combine authentication, authorization, and accounting (AAA), posture, profiling, and guest management.
Currently the Cisco Identity Services Engine (ISE) is available in the following models and platforms:

| Platform | Model |
|---|---|
| Appliance | Identity Services Engine 3315 (small), 1000-endpoint target |
| Software/virtual machine | 1, 5, or 10 virtual machines |

For further information, see the Cisco Identity Services Engine (ISE) home page at Cisco Systems.
According to Cisco, updated v3.0 CCIE Service Provider written and lab exams will be released at all testing locations worldwide, and the v2.0 exams will retire at the same time. CCIE Service Provider candidates taking the exam on or after April 18th 2011 should expect to be tested on the CCIE SP v3.0 Written and CCIE SP v3.0 Lab exam topics, which were released in October 2010.
In brief, the updated exams cover configuration and optimization of IP core technologies, aggregation and edge technologies, and remote access technologies, all of which are key to service provider infrastructures. The exams also cover managing services for voice, video, and security traversing the core IP network.
For further information, check the Cisco Learning Network.
When you are preparing for the Cisco CCNA®, Cisco CCNP® and Cisco CCIP® certifications, especially through self-study, the major concern is getting the lab experience needed to answer the simulation questions. Many of us end up looking for real Cisco hardware on eBay, as most present-day simulators fail to meet our requirements. To a certain extent GNS3 did an amazing job by emulating Cisco IOS on our own machines, but GNS3 has its limitations: when it comes to switching, GNS3 has no answer.
Even current high-end systems fail to handle the most complex GNS3 topologies. To ease all these hurdles Cisco now has an answer: you can work on real Cisco labs. A more flexible option, known as Cisco Learning Labs, is here. For the first time, Cisco certification candidates can get hands-on Cisco IOS® Software lab practice for both routing and core switching.
Cisco Learning Labs are powered by Cisco IOS® Software on UNIX and enable critical, hands-on lab experience for future networking engineers interested in attaining Cisco certifications.
- Cisco Learning Labs are currently available for Cisco CCNA®, CCNP® and CCIP® study, through the Cisco Learning Network Store and Cisco Authorized Learning Partners.
- Accessible from the convenience of the user's PC, Cisco Learning Labs provide a complete lab preparation experience for routing and switching skills.
- Multiple labs are available in each lab bundle, accessible anytime for 90 days, for up to 25 hours. Supplemental lab time is available in increments of five hours.
According to Cisco, the Cisco Networking Academy has enrolled its 1 millionth student for the first time. The Cisco Networking Academy offers the program in partnership with educational institutions, government administrations and community-based organizations globally and delivers information and communications technology (ICT) education through classroom-based and cloud-based curricula.
One of the programs offered at the Academy is teaching students how to design, build, troubleshoot, and secure computer networks for increased access to career and economic opportunities in communities around the world.
I have seen a few CCIEs who started their Cisco certification path at the Cisco Networking Academy while studying at university, and they are now flourishing in their careers and doing an exceptional job for their organizations.
- The Networking Academy began in 1997 with 64 schools and has grown to become one of the "world's largest classrooms" with 10,000 academies in 165 countries, and nearly 4 million students having participated in the program to date.
- A pioneering example of cloud-based education delivery, the Networking Academy teaches students how to design, build, troubleshoot, and secure computer networks for increased access to career and economic opportunities in communities around the world. Students who complete the program often go on to secure entry-level career opportunities, participate in continuing education and achieve globally recognized career certifications.
- Networking Academy courses are delivered in multiple languages through a cloud-based learning system. Courses are supported by classroom instruction, hands-on learning activities, and interactive online assessments that provide personalized feedback. Networking Academy instructors receive extensive training and support to help ensure a consistently enriching learning experience for students around the world.
- Cisco is celebrating this milestone by offering Networking Academy students and alumni the chance to show the benefits of this unique classroom experience through a video contest titled "Why is The Cisco Networking Academy Classroom like No Other?"
Amy Christen, vice president of Cisco Corporate Affairs and Networking Academy, said:
“Networking Academy is truly the world’s largest classroom. The unique delivery model combines the power of the network and the cloud with the global need for ICT skills-based education to address the critical need for networking professionals around the world.”
Key Networking Academy Statistics:
- 1 million Networking Academy students worldwide concurrently engaged in learning this year
- Nearly 4 million students reached by the Networking Academy to date
- 10,000 Networking Academies operating in 165 countries
- 1 million online assessments delivered monthly
- 100 million online assessments delivered to date
- 175,000 Facebook fans, whose numbers are growing daily
When you are preparing for the Cisco CCNP SWITCH exam, IP SLA is one of the key topics. It was added to the blueprint at quite a late stage, which even surprised David Hucaby, the author of the "CCNP SWITCH Official Certification Guide", and he published supplementary material on IP SLA for that book.
The Cisco IOS IP Service Level Agreement feature, better known as IP SLA, was introduced in IOS version 11.2 under the name Response Time Responder (RTR). Later on Cisco sensed that RTR was creating some confusion, as some reference texts expanded RTR as Real Time Responder, so they renamed it Service Assurance Agent (SAA). Even SAA didn't stick for long, and it is now known as IP SLA. IP SLA is truly excellent for built-in network testing; in fact, it is a key ingredient for sophisticated implementations of Performance Routing (PfR).
At its introduction in IOS 11.2 under the name RTR it had a very limited set of operations:
- ICMP Ping
- ICMP Echo Path
- IBM SNA Native Echo
The Cisco IOS IP Service Level Agreement (IP SLA) feature can be used to gather realistic information about how specific types of traffic are being handled end-to-end across a network. To do this, an IP SLA device runs a preconfigured test and generates traffic that is destined for a far end device. As the far end responds with packets that are received back at the source, IP SLA gathers data about what happened along the way.
IP SLA can run the following tests on Cisco switches and routers:

| Test Type | Description | IP SLA Required on Target? |
|---|---|---|
| icmp-echo | ICMP Echo response time | No |
| path-echo | Hop-by-hop and end-to-end response times over the path discovered from ICMP Echo | No |
| path-jitter | Hop-by-hop jitter over the ICMP Echo path | Yes |
| dns | DNS query response time | No |
| dhcp | DHCP IP address request response time | No |
| ftp | FTP file retrieval response time | No |
| http | Web page retrieval response time | No |
| udp-echo | End-to-end response time of UDP echo | No |
| udp-jitter | Round-trip delay, one-way delay, one-way jitter, one-way packet loss, and connectivity using UDP packets | Yes |
| tcp-connect | Response time to build a TCP connection with a host | No |
While working with Nexus 7000, Nexus 5000 and 2000 Series switches, I discovered that the Telnet server is disabled by default on NX-OS devices such as the Nexus 7000, 5000 and 2000 Series.
Telnet enables TCP/IP terminal connections to a host: a user at one site establishes a TCP connection to a login server at another site, and keystrokes are passed from one device to the other. Telnet accepts either an IP address or a domain name as the remote device address. Note that the whole session, login credentials included, travels in cleartext, which is why NX-OS ships with the Telnet server disabled and SSH enabled instead.
Here is how to enable the Telnet server on NX-OS devices:
VDC-Admin(config)# feature telnet
VDC-Admin(config)# show telnet server
telnet service enabled
For all those working hard to achieve the Cisco CCNA certification, one of the most recognized certifications in the IT industry, here is some good news. The Cisco Learning Network is conducting a 90-minute webinar that highlights the technologies and topics an individual needs to know to achieve CCNA certification. In addition, the Essentials of CCNA webinar reviews the latest training methods and content available for CCNA, as well as the certifications and career paths available after you've achieved your certification. You'll hear from the Cisco subject matter experts who developed the actual CCNA exam and course materials.
It's completely free and is recommended for individuals who are thinking of becoming CCNA certified, or have just started preparing for their CCNA exams. Don't delay, register now.
Event: The Essentials of CCNA webinar
Date: March 30
Time: 8:00 a.m. Pacific Daylight Time
Registration link: https://cisco.webex.com/cisco/onstage/g.php?t=a&d=204136809
Perhaps it's better for the time being to disable Flash. According to Adobe Security Advisory APSA11-01, a critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat.
Adobe is in the process of finalizing a fix for the issue and expects to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011.