Skip to Content

Cisco

Cisco Systems is a major network technologies company. This tag identifies general information related to the company.

How to configure DHCP Snooping on a Cisco Catalyst switch

Command Line

A question was asked in the Tekcert forums regarding DHCP snooping configuration. After thinking about writing an in depth response, I decided to just write a full blown blog post.

Everything in this post has been tested in a lab environment with a Cisco 3550, Infoblox DHCP servers, a Netgear router as a "rogue" dhcp server, and a MacBook Pro as a client. The 3550 is configured with ip routing and a layer 3 interface on the subnet where the DHCP servers are located (10.0.10.0/24). VLAN 20 has been created on the 3550 with an interface ip address of 10.0.20.254/24. All the DHCP server configuration and helper addresses were tested and working prior to implementing DHCP snooping to eliminate any doubt as to whether the DHCP snooping configuration is working or not. So, let's get started.

Cisco QOS Exam

If you are currently working toward the CCVP, which was renamed to the CCNP Voice last year, one of the exams on the check list is the 642-642 QOS Exam, but only for a couple more months. If you take the QOS exam after February 28th 2012, it will no longer count toward the CCNP Voice. The new exam list is available on Cisco's page for the CCNP Voice, but here's a quick reference:

IPv6 Action Plan Video

If you have just been given the task of implementing IPv6 in your company or if you are in the middle of a deployment, you may be asking yourself "How?!" How exactly should you roll out an IPv6 network? Do you configure /64 subnets on point to point links or do you use /127's? How do you secure your network against the initial IPv6 attacks that are available?

These questions and more are covered in this hour long TechWise TV  episode, The IPv6 Action Plan. Some very good points and useful information here, have a look...

Cisco Security Advisory - IKE Resource Exhaustion Attack

If you have ever setup an IPSEC VPN, then you are most likely aware of IKE. IKE is a protocol that can be used to get the first phase of an IPSEC VPN established, a.k.a exchange keys. Well, Cisco has identified a vulnerability in the IKE implementation on Cisco platforms thanks to the work of Roy Hills from NTA Monitor Ltd that could allow a malicious individual to unleash a denial of service on your VPN devices.

What's Vulnerable

Essentially, if your Internet facing VPN devices or border routers
allow anyone on the planet to establish an IKE session with your Cisco
VPN devices (Cisco 3000 VPN Concentrator, Pix, ASA, ISR, etc), then you
are vulnerable.

The issue is pretty much present in anything that supports IPSEC VPNs and doesn't explicitly filter traffic to the VPN devices. Cisco is tracking the issue in the following bug ID's:

CCNA Cert Library, 3rd Edition

A couple months back, I blogged about the pre-order status of the new CCNA Library, 3rd edition. Well, the new edition is now available for purchase. If you are looking to begin your studies toward a CCNA, this would be an invaluable place to start. 

The library includes two books, one for each of the two tests you can take to achieve the CCNA certification. Alternatively you could read both books and take the single CCNA exam. The library also includes updated practice questions, videos, and a network simulator.

CCDE Certification Exams Revised to Version 2.0

If you are studying for the CCDE, that's the design expert certification, then you most likely are aware that you have about a week left before the first version of the written and practical exams are retired. Version 2 of the CCDE written and practical exams will be the only available version beginning October 22, 2011.

If you are interested in more information regarding this announce, here's the official announcement.

For more information about the CCDE certification, here are some helpful links:

CCDE Certification Page

CCDE Data Sheet (PDF)

Let the IPv6 Vulnerabilities Begin

Cisco last week released a slew of security advisories. One that specifically caught my eye is a Denial of Service vulnerability due to "improper processing of malformed IP version 6 (IPv6) packets by Cisco IOS Software."

I've been wondering how long it would take for the exploits to start to trickle in with IPv6. One can only imagine how many vulnerabilities Windows will have with IPv6 enabled by default. Expect to see more of these in the future as IPv6 becomes more prevalent.

The alert details are available here.

The vulnerability details are available here.

How to configure Rate Limit to stop bandwidth hogs

Have you ever had a low speed serial link get overrun by a single user hogging all the bandwidth? Well, there is a quick and easy way to prevent any type of traffic from using up an entire link - rate-limit.

To implement this feature, you simply type in rate-limit under an interface and specify a few parameters such as the allowable bits per second and the burst rate. However, if you do that it will rate-limit all traffic traversing the link which honestly the link will do on its own when traffic exceeds the available bandwidth. A more useful configuration is to include the access-group keyword in the command and point it to an access list that defines the traffic you want to rate-limit.

To demonstrate, I've configured two routers connected with a low speed serial link clocked at 128k. Without the rate limit configured, you can ping between them with no problems:

Cisco Certified Technician (CCT)

The newest addition to Cisco's line of certifications is the CCT, or Cisco Certified Technician. Released in August of this year, the CCT certification has three different areas of focus:

Each certification focuses on the on-site maintenance and support of Cisco equipment in each specific area.

You might be wondering what is the difference between the CCT and the CCENT? Cisco explains that and several more questions in their FAQ, but for those not interested in reading through all of that, here's the basics...

Mobile CCIE Labs

If you are planning on going for the CCIE R&S or Security and you live in a country where the lab is not administered, it can be a challenge to get to the testing center, let alone pass the exam! Cisco has had a program in place to combat this very issue for quite some time called the Mobile CCIE Lab. The program allows you to register to take the lab exam in your city or one closer to you than in a foreign country. The benefits here, of course, are potential savings in travel expenses and missing less work ( even though you might not be missing it).

For a complete schedule of where and when the lab will be available, or if you are interested in learning more about this program, check out the official Mobile CCIE Lab page at Cisco's website.

https://learningnetwork.cisco.com/docs/DOC-3224

How to configure an IPv4 GRE tunnel to carry IPv6 traffic

Continuing the review of the TSHOOT Topology, on the IPv6 network map there is a GRE tunnel that is configured between Router 3 and Router 4. This tunnel is in place to allow IPv6 traffic to traverse the 10.1.1.8/30 IPv4 network. So, while reviewing the IPv6 tshoot topology, I decided to try out the tunnel configuration.

There are several ways to configure tunnels to allow IPv6 traffic to traverse IPv4 networks (and vice versa). This post will be focusing on a GRE tunnel configuration. If you want to review the other ways to create tunnels, i.e.  Automatic IPv4-Compatible IPv6 Tunnels, IPv6 Rapid Deployment Tunnels, and Automatic 6to4 Tunnels, I've included a link below to a great resource on Cisco's website that shows some great examples of other tunnels.

I threw together the following network diagram to provide a visual of what we are configuring: 

IPv6_GRE_Tunnel2

Cisco SG100-16 Unmanaged Switch

Need more Gigabit Ethernet? Don't need it to be a managed switch? This 16 port 10/100/1000 Cisco switch might be a quick and easy solution for you.


B003AVN1PM_3

The Cisco SR2016T 16-Port Rackmount 10/100/1000 Gigabit Switch (A.K.A. SG100-16) is currently listing for below $200 USD and has several appealing features:

How to configure a Cisco router to be a frame relay switch

If you are studying for the TSHOOT exam, it is a good idea to familiarize yourself with the topology. I've been working on creating a lab that mocks the TSHOOT topology, and it has forced me to recall how to setup a Cisco router to act like a Frame Relay switch. 

Here is the topology that I've built. As you can see, it closely resembles the topology that Cisco has provided on their site. Since their doc doesn't provide specific DLCIs, I've used the most logical numbers I could think of.

tshoot-wan

The first step in configuring a Cisco router to act like a frame relay switch is to enable frame relay switching:

End of Life Announced for Cisco 7200 NPE-G1

Cisco this week has announced the end of sale and end of life dates for the 7200 Series NPE-G1 Network Processing Engine. This is an older routing engine that is definitely showing its age compared to newer platforms that are available.

The last day to buy the NPE-G1 is February 27, 2012. Last day for hardware support is February 28, 2017. The recommended upgrade path is the ASR1000 series.

Full details are available in the official announcement.

Free Cisco Press Chapter - Configuring Policies, Inheritance, and Attributes

Studying for your CCNP Security? If you are, or if you simply want to learn more about VPNs, take a look at this free chapter from Cisco Press on Configuring Policies, Inheritance, and Attributes.

This is straight out of the CCNP Security VPN 642-647 Official Cert Guide. According to Cisco Press, the chapter covers the following topics:

  • Policies and Their Relationships
  • Understanding Connection Profiles
  • Understanding Group Policies
  • Configure User Attributes
  • Using External Servers for AAA and Policy Assignment

Give it a read if you got your certification cross-hairs fixed on the CCNP Security.

Syndicate content


tekcert.com