Network technologies and trends

July 7, 2008  10:47 AM

Cisco Catalyst Switches are Certified Green!

I was just browsing the Cisco website and found out that Cisco happens to be the first company to achieve the new certification, Certified Green by Miercom. Just to brief you, Miercom is a leading network product test center and consultancy firm.

The Certified Green program is based on detailed lab test results and qualitative product assessments, and is designed to provide meaningful, independent guidance to IT organizations looking to improve their own Green IT and business practices. Yet another milestone Cisco has achieved. Currently the following Cisco® Catalyst® 3750-E, 3560-E, 3750, 3560 and 2960 Series Switches are designated as Certified Green.

More details can be accessed from the press release

July 6, 2008  6:25 AM

How to restrict the web access to Cisco Switches & Routers.

Here in this example I am going to show you how to restrict web access to any Cisco IOS switch or router.

If web-based administration of the switch is necessary, then restrict HTTP access to the switch.
Configure a standard access-list (e.g., 11) that allows only the administrators' systems to make these connections and apply this access-list to the HTTP service on the switch. Finally, use the ip http authentication local command to enable local account checking at login, so that the switch prompts for a username and a password.

Switch(config)# access-list 11 remark Permit HTTP access from administrators’ systems
Switch(config)# access-list 11 permit host log
Switch(config)# access-list 11 permit host log
Switch(config)# access-list 11 deny any log
Switch(config)# ip http server
Switch(config)# ip http access-class 11
Switch(config)# ip http authentication local
Note that the web browser used for administration will cache important information (e.g., passwords). Make sure that the cache is emptied periodically.
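As an added example (not from the original post), a small Python audit script that checks a saved IOS configuration for the pattern above: an access-class applied to the HTTP service, an ACL that permits only specific hosts and ends with an explicit deny, and local authentication. The configuration texts and their host addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed running-config fragments (placeholder addresses, not the blog's).
HARDENED_CONFIG = """\
access-list 11 remark Permit HTTP access from administrators' systems
access-list 11 permit host 192.0.2.10 log
access-list 11 permit host 192.0.2.11 log
access-list 11 deny   any log
ip http server
ip http access-class 11
ip http authentication local
"""
WEAK_CONFIG = """\
ip http server
ip http authentication enable
"""

def parse_acl(config: str, acl_id: str) -> List[str]:
    """Return the permit/deny entries of a numbered ACL (remarks are skipped)."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"^access-list {re.escape(acl_id)}\s+(permit|deny)\s+(.*)$", line.strip())
        if m:
            entries.append(f"{m.group(1)} {' '.join(m.group(2).split())}")
    return entries

def audit_http_access(config: str) -> Dict[str, bool]:
    """Check a config for the HTTP restriction pattern: ACL on the HTTP service,
    host-only permits with an explicit trailing deny, and local authentication."""
    lines = [ln.strip() for ln in config.splitlines()]
    acl_id = None
    for ln in lines:
        m = re.match(r"^ip http access-class (\S+)$", ln)
        if m:
            acl_id = m.group(1)
    entries = parse_acl(config, acl_id) if acl_id else []
    permits = [e for e in entries if e.startswith("permit")]
    result = {
        "http_enabled": "ip http server" in lines,
        "access_class_applied": acl_id is not None,
        "acl_defined": bool(entries),
        "acl_permits_only_hosts": bool(permits) and all(re.match(r"^permit host \S+", e) for e in permits),
        "acl_ends_with_deny_any": bool(entries) and entries[-1].startswith("deny any"),
        "local_authentication": "ip http authentication local" in lines,
    }
    # With the HTTP server off there is nothing to restrict; otherwise every check must hold.
    result["hardened"] = not result["http_enabled"] or all(
        result[k] for k in ("access_class_applied", "acl_defined", "acl_permits_only_hosts",
                            "acl_ends_with_deny_any", "local_authentication"))
    return result

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_http_access(cfg))
```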


July 5, 2008  11:37 AM

Fiber Runner – Great for Data Centers

The other day I was at a seminar, Data Center Strategy 3.0, organised by Cisco. Leading local industry pundits attended this seminar and it was simply great. Cisco officially launched the Nexus 5000 in this part of the region. There were some good presentations and case studies on the Nexus 5000. Well, the interesting part was some of the partners' presentations. Among them Panduit came up with some great products which I would like to share with you all. Panduit designed an exclusive 45 U cabinet specifically for the Nexus 7000 series switch. This cabinet kit enhances interoperability, reduces installation time and supports the performance needs of the data center. More details can be accessed from their website ttp://
One more interesting thing Panduit came up with is the Fiber Runner. This offers a complete fiber cable routing solution for data centers; it's modular and can be installed in a few minutes. It's easy to manage and install. Do have a look at this video.

July 5, 2008  6:35 AM

Sample I.T Security Policy – Data Security

As we are proceeding ahead, we have two more topics to be covered to complete this Sample I.T Security Policy; hopefully it will be good and useful to you all. I would like to have some comments, which may boost my morale to take up more interesting things in future. Here we are with Data Security.



1. Create a strong backup & Disaster recovery strategy and test backups regularly.
2. Create separate partitions for the Windows System files and the volume the server will share. Then don’t share the system boot partition, share only the empty volume created for file storage.
3. Implement strong permission-based security for all files stored on the server.
4. Never use the FAT file system on the hard disk of a Windows computer when security is a concern.
5. Remove default assignments to the everyone group.
6. Repair damaged drives in mirror or stripe sets as soon as possible.
7. Store backup tapes in a waterproof, flameproof safe in the server room. If tapes must be moved off site, be certain security measures are in place to prevent their being compromised while off site.
8. Use disk mirroring or duplexing for critical data. Use duplexing when possible.
9. Consider using hardware RAID, which is faster and is independent of the operating system.
10. Consider using SAN for huge amount of data.
11. If the server’s physical security could be compromised in any way, and the data on the disk warrants protection, use file system encryption.
12. Use file system encryption to protect sensitive data when operating system features are not effective (when the hard drive has been removed or the operating system has been replaced).
13. For extreme fault tolerance, consider using a third -party server replication system.
14. Access to information and documents is to be carefully controlled; ensuring that only authorized personnel may have access to sensitive information.
15. With poor or inadequate access control over your documents and files, information may be copied or modified by unauthorized persons, or become corrupted unintentionally or maliciously.
16. High risk systems require more stringent access control safeguards due to the confidentiality of the information they process and / or the purpose of the system, e.g. the funds transfer system used by banks. Ideally, the operating systems for such systems should be hardened to further enhance security.
17. Properly mark proprietary and confidential documents. The confidential markings can be minimized if they are seen on routine documents. Mark only proprietary documents, not everything.
18. Track printouts from any computer. Have confidential and proprietary markings automatically put on every printed proprietary document.
19. Limit access to source code; limit physical access to documents.
20. Access to data and information is at the heart of every set of Information Security Policies. Inappropriate access to data may contravene Organization policy and infringe legal regulations.
21. The right to access systems and data is based upon identified and approved business needs and should be withdrawn when the need ceases.
22. Denying unauthorized persons access, both physical and logical, to the Organisation's systems is part of an effective Information Security process. Physical access to the data centre or computer room should always be restricted to authorized persons only.
23. However, data access goes beyond access to PCs and servers; it also includes access to written and printed information on the desks of personnel, notes pinned to notice boards etc. Access to such information must also be controlled. Traditionally, door locks and keys ensured security; nowadays, even greater security can be provided by electronic keys and biometrics, with the additional benefit that they may also monitor and record access attempts.
24. Where users' access rights and privileges are not documented, information security may be compromised.


July 1, 2008  11:20 AM

Cisco Cool tips- Series 4 -Show modules

Here is one more cool command which shows a summary of modules installed in a Cisco 6500 Switch.

MBGF-DAC-6500-BB02#sho modules
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL0828061N
  4   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL10478H52
  7    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAD083208MN

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3  0011.5cce.ff54 to 0011.5cce.ff6b   2.1   12.2(14r)S5  12.2(18)SXD7 Ok
  4  0018.bab0.4a94 to 0018.bab0.4aab   2.5   12.2(14r)S5  12.2(18)SXD7 Ok
  7  0011.21ba.4d58 to 0011.21ba.4d5b   4.0   8.1(3)       12.2(18)SXD7 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ------------ ------- -------
  3  Centralized Forwarding Card WS-F6700-CFC       SAD0816031H  2.0    Ok
  4  Centralized Forwarding Card WS-F6700-CFC       SAL10478F23  2.1    Ok
  7  Policy Feature Card 3       WS-F6K-PFC3B       SAD08300ACJ  1.0    Ok
  7  MSFC3 Daughterboard         WS-SUP720          SAD08300GY0  2.1    Ok

Mod  Online Diag Status
---- -------------------
  3  Pass
  4  Pass
  7  Pass


July 1, 2008  7:25 AM

New CCNA Certifications– CCNA Voice, CCNA Security & CCNA Wireless

As the network trends are changing, so does Cisco: they came up with three new certifications. The hot new areas for CCNA certifications are Voice, Security and Wireless. The introduction of these three certifications helps you verify the specialized skills that are in great demand among employers.

The CCNA Voice certification helps prepare you for jobs such as voice administrator and voice engineer. It gives terrific exposure to unified communications applications and architectures.

The CCNA Security certification prepares you for jobs such as network security specialist, security administrator, and network security support engineer. This certification verifies your ability to manage security devices, implement security policies, and mitigate risks.

CCNA Wireless recognizes the critical importance of professionals supporting wireless LANS including Networking Associates/Administrators, Wireless Support Specialists and WLAN project managers.

Cisco Press recently released the study guides for these new certifications. For further details about these study guides access the following link: Cisco Press Books

July 1, 2008  7:25 AM

Sample I.T Securty Policy – Server Security

Now we are proceeding towards the Server Security Policy, which was quite tiresome to draft.

1. Limit the number of protocols in use throughout the network to the extent possible.
2. Use connection-monitoring software like the performance monitor to alert the network administrator to potential intrusion attempts.
3. Antivirus software must be chosen from a proven leading supplier.
4. Remove the keyboard and monitor from servers if possible. They can be reattached when administration is necessary. Certain mouse devices will not reset properly when reattached; they should be left attached.
5. Add trust relationships between domains only when several users need access.
6. Create groups based on natural associations in the Dept. Assign file permissions by groups. Make user accounts members of the groups that need access to certain files.
7. Don’t allow unrestricted file sharing. Use files sharing with user-based authentication or, at the very least, passwords.
8. Limit the rights of Guest and Anonymous accounts.
9. Never enable the Guest account.
10. Try to arrange data so that as few user accounts as possible are required for users to access it.
11. Do not make Internet Information Server user accounts members of the Users or Domain Users groups. Avoid making these accounts members of groups that would grant these users additional rights or access permissions.
12. Do not make script virtual directories readable; do not make other virtual directories executable.
13. Create a group for Internet users for IIS; apply permissions to that group account.
14. Do not allow users to place scripts in their own WWW service virtual directories.
15. Use the logging facilities of IIS to watch for a high proportion of unauthorized, forbidden, and not found access attempts.
16. Do not allow NetBIOS connections to be made over the Internet.
17. Replace the default Everyone, Full Control permission with a Domain Users, Change permission on all drives except the system and boot volumes.
18. On each Windows 2003 server inside the network, establish filters to pass only those protocols that are explicitly served. This prevents software from working in unexpected ways.
19. To make administration easier and leave less possibility for error, use several shares on one workstation rather than scattering them among several workstations, if possible.
20. Use the No Access permission only when necessary to override other permitted access.
21. Grant permissions for a share to a specific group or set of users, rather than using the everyone group and attempting to restrict users at the subdirectory level.
22. Use NTFS volumes for file sharing whenever possible, and use file-level security rather than share-level security when possible.
23. Keep sensitive information out of the shopper table because that information is accessible to a web browser.
24. Use both a secure port (HTTPS) and Secure Socket Layer encryption, and use strong NTFS permissions restrictions on WWW service virtual directories.
25. Require all possible network connections to services outside the network security to go through a proxy server.
26. Configure the DNS server to exchange information with only computers within the network security and with the DNS server “up” the network tree from them.
27. Remove all instances of the Everyone, Full Control permission. Do not set a default permission to replace it so that all subdirectories from the root do not by default inherit permissions. Add permissions only where specifically required.
28. Access to operating systems is to be restricted to those persons who are authorized to perform systems administration/management functions. Even then such access must be operated under dual control requiring the specific approval of senior management.
29. Staff with access to the $ prompt or command line could succeed in executing system commands, which could damage and corrupt your system and data.
30. Operating system commands could be used to disable or circumvent access control and audit log facilities, etc. System access must be monitored regularly to prevent attempts at unauthorized access and to confirm that access control standards are effective.
31. Apply intrusion detection sensor for each server you want to protect.
32. Make sure the audit or accounting functions are turned on.
33. Keep looking for the latest patches for both the operating systems and the applications installed on those servers. That will help close OS and application holes.
34. Have servers in a physically secure location to prevent unauthorized access.
35. On a regular basis, run programs (for example, Crack, Tiger, COPS and Satan) to check for system weaknesses.
36. Make timely system backups.
37. Keep one copy of backup tapes in a secure facility offsite.
38. Use a virus-checker program.
39. Modify the registry on Windows servers for maximum security according to the Microsoft security checklist.


June 30, 2008  6:28 AM

Good Bye CCNA Prep Center. CCNP Prep Center

Do you know Cisco is closing the CCNA Prep Center, CCNP Prep Center, Certifications Community Site and the Cisco Learning Connection sites? They will not be accessible after July 25, 2008. They came up with a new portal known as the Cisco Learning Network, which has lots of resources that are helpful for achieving CCNA, CCNP and much more. Wow, what a commitment from Cisco. You can access the new site by following this link: Cisco Learning Network.

June 28, 2008  12:25 PM

How to configure an ASA/PIX firewall to collect NetFlow data from an external router on a NetFlow collector located in the inside network.

This article provides an example of the NetFlow configuration on a Cisco router and an ASA/PIX firewall needed to collect the NetFlow data in the internal network.
Components Used
The information in this document is based on the following hardware and software versions:
• Cisco Router 3745 – IOS version 12.3(17b)
• PIX 525 7.0.3 (ASA can also be used)
• ManageEngine NetFlow Analyzer 6 (any NetFlow collector can be used)

In this example let's start by configuring NetFlow on the Cisco router.

Cisco Router Configuration
Here the IP address for the interface is

Enabling NetFlow on an Interface
Enter global configuration mode on the router and issue the following commands for each interface on which you want to enable NetFlow:

interface {interface} {interface_number}
ip route-cache flow

After applying the commands the example will be as follows:
router-3745#configure terminal
router-3745(config)#interface FastEthernet 0/1
router-3745(config-if)#ip address
router-3745(config-if)#ip route-cache flow
router-3745(config-if)#bandwidth 1000

Exporting NetFlow Data

Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running:

ip flow-export destination {hostname|ip_address} 9996 (Exports the NetFlow cache entries to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port. The default port is 9996.)

ip flow-export source {interface} {interface_number} (Sets the source IP address of the NetFlow exports sent by the device to the specified IP address. NetFlow Analyzer will make SNMP requests of the device on this address.)

ip flow-export version 5 [peer-as | origin-as] (Sets the NetFlow export version to version 5. Versions 5, 7 and 9 are available.)

ip flow-cache timeout active 1 (Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.)

ip flow-cache timeout inactive 15 (Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600.)

snmp-server ifindex persist (Enables ifIndex persistence (interface names) globally. This ensures that the ifIndex values are persisted during device reboots.)

The following example shows the above mentioned commands:

router-3745(config)#ip flow-export destination 9996
router-3745(config)#ip flow-export source FastEthernet 0/1
router-3745(config)#ip flow-export version 5
router-3745(config)#ip flow-cache timeout active 1
router-3745(config)#ip flow-cache timeout inactive 15
router-3745(config)#snmp-server ifindex persist

Issue the following commands in normal (not configuration) mode to verify whether NetFlow export has been configured correctly:

show ip flow export (Shows the current NetFlow export configuration.)
show ip cache flow (Summarizes the active flows and gives an indication of how much NetFlow data the device is exporting.)

router-3745#show ip flow export
router-3745#show ip cache flow

The next step is to configure a static NAT translation on the ASA/PIX:

pix-525# configure t
pix-525(config)# static (inside,outside) netmask dns

In order to export the NetFlow statistics to the NetFlow Analyzer located in the internal network, we have to configure the following access-list and apply it to the outside interface to allow the NetFlow traffic.

pix-525# configure t
pix-525(config)#access-list NETFLOW extended permit udp any host eq 9996
pix-525(config)#access-list NETFLOW extended permit tcp any any

Apply the created access-list to the outside interface:
pix-525(config)#access-group NETFLOW in interface outside

Now install the NetFlow Analyzer software and configure it to receive the NetFlow statistics from the external router.

Troubleshooting tips

Verify NetFlow is working on the Cisco router

router-3745#sho ip cache flow
IP packet size distribution (78841980 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .003 .453 .023 .012 .008 .010 .004 .003 .003 .003 .004 .003 .003 .003 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .005 .022 .021 .401 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  548 active, 3548 inactive, 4045717 added
  84147818 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33416 bytes
  548 active, 1500 inactive, 4045717 added, 4045717 added to flow
  0 alloc failures, 0 force free
  2 chunks, 14 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         143      0.0         2    52      0.0       0.4      12.7
TCP-FTP            255      0.0         6   100      0.0       9.0       7.2
TCP-FTPD         15010      0.0         1    63      0.0       0.6      15.4
TCP-WWW        1100665      2.5        14   607     37.7       8.2       6.9
TCP-SMTP        171448      0.3        69   633     27.3      35.8       6.2
TCP-X              723      0.0         2   245      0.0       0.4      13.0
TCP-other      1966270      4.5        21   656     95.4      11.7       6.6
UDP-DNS          56825      0.1        12    66      1.5      20.5      11.6
UDP-NTP              8      0.0         1    76      0.0       0.0      15.5
UDP-Frag             1      0.0         1  1476      0.0       0.0      15.0
UDP-other       684203      1.5        11   319     17.9       4.8      14.9
ICMP             48198      0.1         1    78      0.2       1.6      15.4
GRE               1358      0.0       183   182      0.5      50.0       4.2
IP-other            62      0.0        83   108      0.0      53.4       3.2
Total:         4045169      9.2        19   601    180.9      10.6       8.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1                         Tu0                           11 1705 0D96     8
Fa0/1                         Tu0                           06 0019 10EC    32
Fa0/1                         Tu0                           06 0019 714B    29

Check that NAT is working on the firewall

pix-525# show xlate
2 in use, 417 most used
Global Local

Check that the access-list is forwarding the NetFlow traffic

pix-525# sho access-list NETFLOW
access-list NETFLOW; 2 elements
access-list NETFLOW line 1 extended permit udp any host eq 9996 (hitcnt=7)
access-list NETFLOW line 2 extended permit ip any any (hitcnt=140861)

To know more about NetFlow Analyzer and its configuration click this link: Netflow.
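As an added example that is not part of the original article, a minimal Python NetFlow v5 receiver for the collector side: it decodes the 24-byte header and 48-byte records that the router exports to UDP port 9996, rejects datagrams whose record count does not match their length, and can bind the listener port. The sample datagram and its addresses are constructed here, not captured from the article's devices.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

NETFLOW_PORT = 9996                                   # listener port used in the post
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int

def parse_v5(datagram: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Decode one v5 datagram; reject anything that is not a well-formed v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime, secs, _nsecs, seq, eng_type, eng_id, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # a v5 datagram carries 1..30 records and count must match the length exactly
    if not 1 <= count <= 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"uptime_ms": uptime, "unix_secs": secs, "flow_sequence": seq,
              "engine": (eng_type, eng_id), "sampling": sampling}
    records = []
    for i in range(count):
        (src, dst, _nh, _inif, _outif, pkts, octs, _first, _last, sport, dport,
         _pad, _flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  proto, sport, dport, pkts, octs))
    return header, records

def build_sample_datagram() -> bytes:
    """Constructed export (RFC 5737 test addresses) standing in for the real router."""
    flows = [("192.0.2.10", "198.51.100.5", 6, 51514, 80, 14, 8498),
             ("192.0.2.11", "198.51.100.53", 17, 40000, 53, 1, 66)]
    out = V5_HEADER.pack(5, len(flows), 123456, 1214809500, 0, 1, 0, 0, 0)
    for src, dst, proto, sport, dport, pkts, octs in flows:
        out += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                              1, 2, pkts, octs, 100000, 101000, sport, dport,
                              0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return out

def serve(port: int = NETFLOW_PORT) -> None:
    """Bind the listener the router exports to and print one line per flow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                for r in parse_v5(data)[1]:
                    print(f"{exporter}: {r.src}:{r.sport} -> {r.dst}:{r.dport} "
                          f"proto={r.proto} bytes={r.octets}")
            except ValueError as err:
                print(f"dropped datagram from {exporter}: {err}")
```

Running parse_v5(build_sample_datagram()) shows the two constructed flows decoded; serve() runs the same decoder on live exports arriving on port 9996.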

June 28, 2008  5:24 AM

Sample I.T Security Policy – Network Security

We are continuing our series on the Sample I.T Security Policy; so far we have covered Physical, Human, User Security and Client. Today let's concentrate on Network Security, which is as follows:

1. The network must be designed and configured to deliver high performance and reliability to meet the needs of business whilst providing a high degree of access control and range of privilege restrictions.
2. Inappropriate control over access to the network will threaten the confidentiality and integrity of Organisation data.
3. Apply strong monitoring and management utilities on the Organisation network.
4. Never communicate between Organisation units over the Internet without using some form of encryption. Unencrypted packet headers contain valuable nuggets of information about the structure of the internal network.
5. Always use encrypted communications for data that flows over public networks like the Internet.
6. Locally control and administer all security services for the network.
7. Make telecommunications security an integral part of the network security if the network can be accessed via modems.
8. Use leased lines rather than encrypted tunnels whenever practical.
9. Monitor and Audit the logs for the internal routers and switches.
10. Install fiber cables instead of UTP cables.
11. All speed dialing facilities create information security risks, as confidential customer contact information can be accessed just by pressing telephone keys.

I.S issues concerned:
• Sensitive information may be stolen because a caller masquerades as you over the
• Secure or unlisted phone numbers may be acquired from your stored information.
• Secure or unlisted phone numbers may be acquired from global information stored in the PBX.

