Sunday, February 17, 2013

2960 is a layer3 switch?

Q1: Is the Cisco 2960 switch series a layer 3 switch?
A1: No, not all 2960 switches are layer 3 switches, only the 2960S is a layer 3 switch.

Q2: How to turn on the layer 3 features on the Cisco 2960 switch?
A2: In order to turn on the layer 3 features you need to type the following command, then save the configuration and reboot the system:
"sdm prefer lanbase-routing"
After the reboot you can enter all the layer 3 commands that you know.


Saturday, February 9, 2013

ntop on CentOS6

NTOP shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the IP (Internet Protocol) and Fibre Channel (FC) traffic generated by each host. The traffic is sorted according to host and protocol.

I found it really easy to install ntop using the following procedure.
First get the rpm from this blog.
for 64 bit:
wget http://www.zemris.fer.hr/%7Esgros/files/ntop/ntop-5.0-2.el6.x86_64.rpm
install the rpm using the following command: rpm -ivh ntop-5.0-2.el6.x86_64.rpm
then install these packages: yum install GeoIP net-snmp-libs

Now ntop is installed and has all the necessary packages to run.
Type ntop and hit enter; it should ask for a user and password.
Then run this command to specify the ports: ntop -w 80 -W 443

Now I used ntop to monitor my Cisco router using NetFlow; you can use it to monitor the whole network, but for that a SPAN port (port monitoring) is needed.
Here is what I configured on the Cisco side:
interface fa0/0
  ip route-cache flow
  do show run int f0/0
  exit
ip flow-export destination [IP of the NTOP server] 2055   ! 2055 is the UDP port to use with ntop
ip flow-export source FastEthernet 0/0
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
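To see what the router actually sends to UDP 2055 with "ip flow-export version 5", here is a small decoder for a v5 export datagram plus the per-host byte summary that ntop builds from such records (an added example in Python, not ntop or Cisco code; the SAMPLE datagram is constructed from documentation addresses, not a real capture):

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_netflow_v5(datagram):
    """Decode one UDP payload as exported by 'ip flow-export version 5'."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # v5 carries at most 30 records; a length mismatch means truncation or garbage.
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "seq": seq,
            "src": str(ipaddress.IPv4Address(r[0])), "sport": r[9],
            "dst": str(ipaddress.IPv4Address(r[1])), "dport": r[10],
            "proto": PROTO.get(r[13], str(r[13])),
            "packets": r[5], "bytes": r[6], "tcp_flags": r[12],
        })
    return flows

def bytes_per_host(flows):
    """Per-source-host byte totals: the 'who is using the network' view ntop shows."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals

def _record(src, dst, sport, dport, proto, pkts, octets, flags=0):
    """Build one constructed v5 record (next hop, AS numbers and times are dummies)."""
    return RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, pkts, octets, 0, 1000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: two flows from a 192.0.2.0/24 LAN (not real capture data).
SAMPLE = (HEADER.pack(5, 2, 5000, 1360000000, 0, 42, 0, 0, 0)
          + _record("192.0.2.10", "198.51.100.80", 51234, 443, 6, 12, 3400, 0x1b)
          + _record("192.0.2.20", "198.51.100.53", 40000, 53, 17, 1, 76))
```

Feed a real export by binding a UDP socket on port 2055 and passing each datagram to parse_netflow_v5.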


Now to configure the ntop server, open the browser and go to http://[IP of the ntop server]

Then go to [Plugins][NetFlow][View/Configure] and set up the port that we configured on the Cisco router; you can also set a name for the NIC.

And now [Admin][Switch NIC] to switch to the NIC that we configured.

Friday, February 8, 2013

Checkpoint Site2Site with interoperable devices

I spent the last hour trying to understand what is wrong with my Check Point site-to-site configuration with a Cisco ASA firewall.

The tunnel is up and they can reach me, but from my side I can't even initiate the tunnel after a reset and I can't reach their side.

After some debugging I understood that my peer sends the wrong subnet: it sends a supernet even though I specified all of my subnets, put them in a group and attached it under Topology to the encryption domain.

After a bit of searching I found out that it's a well-known issue with Check Point and interoperable devices, and you can fix it by editing some fields with the dbedit tool.

Here are the relevant SKs:
sk39419 & sk1959.

So when setting up a S2S with interoperable devices make sure that the other side accepts a supernet, or just fix the issue using the SKs above.

Menu is missing from CheckPoint Dashboard

Last week, while I was working on a customer's Check Point Security Management in the Dashboard, I realized that the menu is missing. The menu was ok in Secure Tracker and Monitor; it disappeared only from the Dashboard.
After 10 min of searching the Check Point KB I found that there is a value in the registry that needs to be set in order to get the menu back:
[HKEY_CURRENT_USER\Software\CheckPoint\Management Clients\6.2.5\GA\Check Point SmartDashboard\Check Point SmartDashboard\Toolbar States\ToolBar-Bar0]
then right click [New] [Binary Value], name it Visible and put 1 in the value data



Or just save this script as *.reg File and run it

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CheckPoint\Management Clients\6.2.5\GA\Check Point SmartDashboard\Check Point SmartDashboard\Toolbar States\ToolBar-Bar0]
"BarID"=dword:0000e81a
"Visible"=dword:00000001

Friday, June 15, 2012

List/set IP address in Gaia, SecurePlatform, Linux

Sometimes you need to list all your interface names including their IP addresses. Here is a good way to do it; it will work only in expert mode (it's a Linux command, so it will work on all Linux distributions too).

ifconfig | grep -i -e Link -e inet
ifconfig | grep -iE "Link|inet"
ip addr

If you still want to use a Check Point command for this, use:

cpstat os -f ifconfig
fw getifs

In Gaia you can use:

cpstat os -f ifconfig
show interfaces all
show interface [Interface Name]

To set an IP address:

SecurePlatform:

use sysconfig, navigate to 5) Network Connections, then choose add or config etc..

Gaia:

set interface [interface Name] ipv4-address 1.1.1.1 mask-length 24
set static-route default nexthop gateway address 1.1.1.254 on




Friday, April 27, 2012

Cisco Context Based Access Control (CBAC)-inspect

In today's networks there is always a potential threat to harm our network. So how do we protect our network from this threat?
Well, an easy way is to do Context Based Access Control (CBAC).

How CBAC works
The traffic will be inspected before it leaves the router, so when it comes back from the internet the router will recognize that it belongs to our network and will let it pass through.

Let's begin by securing our network, and we will do so by creating an access-list that denies everything in and applying it on our external interface.

             ip access-list extended POLICING
                deny ip any any
             interface fa0/1
                ip access-group POLICING in

Now our network is very secure and will not allow any traffic to pass in.
More than that, this access-list that we created will block the local network from accessing the internet (the traffic will leave the router, but will be blocked by the router on its way back).
In order to let our router know these packets and permit them, we need to mark this traffic on its way out.
We do this by inspecting the traffic on its way out on the internal interface:

         ip inspect name CBAC udp
         ip inspect name CBAC tcp
         ip inspect name CBAC icmp

         interface fa0/0
           ip inspect CBAC out

Now every packet that passes our internal fa0/0 interface to the internet will be inspected and will be allowed on its way back.


show ip inspect all   (to see our configuration)
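To make the "mark on the way out, recognize on the way back" idea concrete, here is a small Python model of the session state that CBAC keeps next to the deny-all ACL (an added example, not IOS code; the CbacRouter class, its method names and the 10.0.0.5 / 203.0.113.9 addresses are constructed for illustration):

```python
class CbacRouter:
    """Inbound ACL on fa0/1 denies everything; 'ip inspect CBAC' on the inside
    interface records each outbound session so that only its reply is let back in."""

    def __init__(self, inspect_protocols=("tcp", "udp", "icmp")):
        self.inspected = set(inspect_protocols)
        # Open sessions as (proto, inside_ip, inside_port, outside_ip, outside_port).
        # For icmp the "ports" would be type/id; the toy just passes 0.
        self.sessions = set()

    def outbound(self, proto, src, sport, dst, dport):
        """Packet from the LAN leaving toward the internet (inspected direction)."""
        if proto in self.inspected:
            # Temporary opening, valid only for the return half of this session.
            self.sessions.add((proto, src, sport, dst, dport))
        return "permit"

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving from the internet on fa0/1, where POLICING is applied in."""
        reply_of = (proto, dst, dport, src, sport)
        if reply_of in self.sessions:
            return "permit"   # matches an inspected outbound session
        return "deny"         # unsolicited: hits 'deny ip any any'

    def close(self, proto, src, sport, dst, dport):
        """Session end (FIN/RST or idle timeout) removes the opening again."""
        self.sessions.discard((proto, src, sport, dst, dport))

def demo():
    """Walk one HTTP session through the model and return each verdict."""
    r = CbacRouter()
    verdicts = []
    r.outbound("tcp", "10.0.0.5", 40000, "203.0.113.9", 80)
    verdicts.append(("reply", r.inbound("tcp", "203.0.113.9", 80, "10.0.0.5", 40000)))
    # Same peer, but a different inside port: not the reply to anything we sent.
    verdicts.append(("unsolicited", r.inbound("tcp", "203.0.113.9", 80, "10.0.0.5", 22)))
    # Right ports, wrong source: the opening is bound to the full 5-tuple.
    verdicts.append(("other source", r.inbound("tcp", "198.51.100.1", 80, "10.0.0.5", 40000)))
    r.close("tcp", "10.0.0.5", 40000, "203.0.113.9", 80)
    verdicts.append(("after close", r.inbound("tcp", "203.0.113.9", 80, "10.0.0.5", 40000)))
    return verdicts
```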

hope you enjoyed it..

                 

Wednesday, February 22, 2012

Create and access linux with certificate from windows using putty

Many of my friends have asked me lately: How can I connect to a Linux terminal using SSH from a Windows environment?
I searched around the internet and found several guides, each a little different, but none that I liked.
Here is a simpler way, step by step...

1. From the Linux box run this command: ssh-keygen -t rsa

It will generate a public and private RSA key pair.

You should see these two files under the .ssh folder: id_rsa and id_rsa.pub

2. now add the public key to the authorized keys file with the following command:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

(it is the public key, id_rsa.pub, that goes into authorized_keys; the private key, id_rsa, is the one you copy to Windows in the next step)

3. now we need to copy the file id_rsa from Linux to Windows, to do so use WinSCP.

WinSCP is a piece of software that lets you browse/copy files from Windows to Linux.

I will skip the installing part and jump directly to the fun part ...

use your credentials to access the Linux box like so

hit LOGIN ... then look for your .ssh folder, open it and copy id_rsa by dragging it to the left window

4. after copying it to Windows, download another small program, PuTTYgen

5. - open it and go to File -> Load private key

- after loading press Save private key - it will convert it to .ppk format

6. last step is to go to your PuTTY

- under the Session tab fill the hostname with your user@ip

- under SSH -> Auth browse for the .ppk file that we created and load it

- better to save this setting so it would be easy to access next time; save it by going back to the Session tab, in the middle under Saved Sessions type a name for your session and press Save.
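Step 2 is where this procedure most often goes wrong: the wrong key file ends up in authorized_keys, or the permissions are too open and sshd silently ignores the file. Here is a small Python helper that installs only a public key and sets the modes sshd requires (an added example, not from the original post; install_authorized_key and key_file_mode are names chosen here):

```python
import os
import re
import stat

# One OpenSSH public-key line: key type, base64 blob, optional comment.
PUBKEY_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$")

def install_authorized_key(pubkey_path, home):
    """Append the *public* key to home/.ssh/authorized_keys with the modes sshd
    insists on (700 for .ssh, 600 for the file). Returns True if the key was
    added, False if it was already present; raises if the file is not a public key."""
    with open(pubkey_path, encoding="ascii") as fh:
        text = fh.read().strip()
    if "PRIVATE KEY" in text:
        raise ValueError("%s is a private key; it never belongs in authorized_keys" % pubkey_path)
    if "\n" in text or not PUBKEY_RE.match(text):
        raise ValueError("%s is not a single OpenSSH public key line" % pubkey_path)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # sshd rejects a group/world-writable .ssh
    auth = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(auth):
        with open(auth, encoding="ascii") as fh:
            existing = [line.strip() for line in fh]
    added = text not in existing      # do not duplicate the key on repeated runs
    if added:
        with open(auth, "a", encoding="ascii") as fh:
            fh.write(text + "\n")
    os.chmod(auth, 0o600)
    return added

def key_file_mode(path):
    """Permission bits of a file or directory, for checking what sshd will see."""
    return stat.S_IMODE(os.stat(path).st_mode)
```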



It looks hard, but after you've done it once it will be easy next time..

hope you enjoy it.

Wednesday, February 15, 2012

Cisco PIX : Read only user

Here is the configuration for adding a read-only user in a Cisco PIX firewall that works in the CLI and in PDM.

1. make sure that the authentication will be from the local Cisco PIX database

aaa-server LOCAL protocol local

aaa authentication enable console LOCAL

aaa authorization command LOCAL

2. add the user with a custom privilege level

username show password ______ privilege 5

3. add the commands for this privilege

privilege show level 5 command aaa
privilege show level 5 command aaa-server
privilege show level 5 command access-group
privilege show level 5 command access-list
privilege show level 5 command activation-key
privilege show level 5 command age
privilege show level 5 command alias
privilege show level 5 command apply
privilege show level 5 command arp
privilege show level 5 command auth-prompt
privilege show level 5 command auto-update
privilege show level 5 command banner
privilege show level 5 command blocks
privilege show level 5 command ca
privilege show level 5 command capture
privilege show level 5 command chunkstat
privilege show level 5 command clock
privilege show level 5 command conduit
privilege show level 5 command conn
privilege show level 5 command console
privilege show level 5 command cpu
privilege show level 5 command Crashinfo
privilege show level 5 command crypto
privilege show level 5 command ctiqbe
privilege show level 5 command debug
privilege show level 5 command dhcpd
privilege show level 5 command dhcprelay
privilege show level 5 command domain-name
privilege show level 5 command dynamic-map
privilege show level 5 command eeprom
privilege show level 5 command established
privilege show level 5 command failover
privilege show level 5 command filter
privilege show level 5 command fixup
privilege show level 5 command flashfs
privilege show level 5 command fragment
privilege show level 5 command global
privilege show level 5 command h225
privilege show level 5 command h245
privilege show level 5 command h323-ras
privilege show level 5 command http
privilege show level 5 command icmp
privilege show level 5 command interface
privilege show level 5 command ip
privilege show level 5 command ipsec
privilege show level 5 command isakmp
privilege show level 5 command local-host
privilege show level 5 command mac-list
privilege show level 5 command map
privilege show level 5 command memory
privilege show level 5 command mgcp
privilege show level 5 command management-access
privilege show level 5 command mroute
privilege show level 5 command mtu
privilege show level 5 command multicast
privilege show level 5 command name
privilege show level 5 command nameif
privilege show level 5 command names
privilege show level 5 command nat
privilege show level 5 command ntp
privilege show level 5 command object-group
privilege show level 5 command outbound
privilege show level 5 command passwd
privilege show level 5 command pdm
privilege show level 5 command prefix-list
privilege show level 5 command privilege
privilege show level 5 command processes
privilege show level 5 command rip
privilege show level 5 command route
privilege show level 5 command route-map
privilege show level 5 command router
privilege show level 5 command routing
privilege show level 5 command running-config
privilege show level 5 command service
privilege show level 5 command shun
privilege show level 5 command sip
privilege show level 5 command skinny
privilege show level 5 command snmp-server
privilege show level 5 command ssh
privilege show level 5 command startup-config
privilege show level 5 command static
privilege show level 5 command sysopt
privilege show level 5 command tcpstat
privilege show level 5 command tech-support
privilege show level 5 command telnet
privilege show level 5 command terminal
privilege show level 5 command tftp-server
privilege show level 5 command timeout
privilege show level 5 command traffic
privilege show level 5 command uauth
privilege show level 5 command url-cache
privilege show level 5 command url-block
privilege show level 5 command url-server
privilege show level 5 command username
privilege show level 5 command virtual
privilege show level 5 command vpdn
privilege show level 5 command vpnclient
privilege show level 5 command vpngroup
privilege show level 5 command who
privilege show level 5 command xlate
privilege configure level 5 command ping
privilege configure level 5 command disable
privilege clear level 5 command interface


Sunday, February 12, 2012

Cisco Route Maintenance

Cisco makes it easy for you to maintain your router.
You can save your router configuration automatically in a period of time that you choose.

You can save it to your router flash or to an FTP / HTTP / HTTPS / SCP server.

Let's demonstrate how to save the configuration on the router.

- first let's make a directory and call it backups

 Router#mkdir flash:/backups

- now enter the archive configuration and make it back up once every day
Router(config)#archive
Router(config-archive)#path flash:/backups/$h-cfg-$t
the $h is your router hostname and the $t is the time stamp
Router(config-archive)#time-period 1440

1440 min = 1 day
Router(config-archive)#maximum 30
maximum number of backup copies

We can also add automatic backup generation on every write memory by typing the write-memory command:
Router(config-archive)#write-memory

Now if we want to roll back to a previous configuration, the best command to do so:

Router#configure replace flash:/backups/Router-cfg--Feb-12-19:27:52.131-1 list
list will list all the changes. NOTE that this command will not merge configurations; it replaces the running configuration with the archived one.

The same thing can also be done with a server.