Free CCNA "Book"    |    Posted to CCNA

I ran across this "book" while randomly surfing the net. I REALLY like the concept - it's a CCNA study book...sort of...with step-by-step labs and so on. If someone were interested in CCNA study materials (just exam focused), I don't think I'd recommend this...it's too much material and a little dated (IGRP, IPX, etc...)...but if someone were wanting to get into networking & technology - what great material to do so! You end up learning a little about everything by the time it's said and done (I stopped skimming somewhere around Knoppix).

I've put the PDF here locally just so I don't lose it. CCNABookV5.pdf

Here's the link to the original site: http://www.lulu.com/content/815026

Posted by JC at 11:55 AM | Comments (2) | TrackBack (0)

Blocking Instant Messaging and Peer-to-Peer    |    Posted to Direct from Cisco

Cisco has published a complete white paper on how to block IM and P2P applications using the Cisco IOS Firewall (the artist formerly known as CBAC). While there are many commands to be discussed for IOS Firewall, here's the core syntax needed:

appfw policy-name abuse-control
  application http
   port-misuse default action reset alarm

The complete white paper can be found here.

Posted by JC at 2:50 PM | Comments (3) | TrackBack (0)

Configuring (simple) SNMPv3    |    Posted to SNMP

SNMP is awesome...All the free SNMP utilities for Cisco devices are even more awesome...but the most popular versions of SNMP (Version 1 and 2c) are completely clear text, completely insecure. SNMPv3 adds authentication and encryption capabilities, however, GOOD LUCK finding an easy, working configuration on Cisco's website. Here's an SNMPv3 configuration that will provide both authentication and encryption services on Cisco routers and switches:

Router(config)#snmp-server group TESTGROUP v3 priv
Router(config)#snmp-server user Jeremy TESTGROUP v3 auth sha JeremyPassword priv des56 3NCRYPT!0NK3Y

*Note: "auth" methods support both md5 and sha
**Note: "priv" also allows AES encryption
***Note: Most SNMP utilities I've seen only support DES encryption
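As an added illustration (not from the post or from Cisco), here is what the auth and priv passwords on that snmp-server user line turn into on the device, following RFC 3414: each password is hashed and then localized with the agent's engine ID, so the key the agent stores and checks is per-device, and the 12-byte HMAC tag is what authenticates each packet. The engine ID below is a constructed value, and the RFC 3414 "maplesyrup" vector is used only as a self-check.

```python
import hashlib
import hmac

DIGEST = {"sha": "sha1", "md5": "md5"}  # the two "auth" choices noted above

def password_to_key(password, engine_id, algo="sha"):
    """RFC 3414 A.2: Ku = H(password repeated to 1 MiB), then localize it to one
    engine: Kul = H(Ku || engineID || Ku). The agent keeps Kul, never the password."""
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(DIGEST[algo], expanded).digest()
    return hashlib.new(DIGEST[algo], ku + engine_id + ku).digest()

def auth_params(kul, wire_msg, algo="sha"):
    """HMAC-SHA-96 / HMAC-MD5-96: HMAC over the whole message (with the
    msgAuthenticationParameters field zeroed), truncated to 12 bytes."""
    return hmac.new(kul, wire_msg, DIGEST[algo]).digest()[:12]

def verify_auth(kul, wire_msg, received, algo="sha"):
    """Constant-time check of a received 12-byte authentication tag."""
    return hmac.compare_digest(auth_params(kul, wire_msg, algo), received)

def des_key_and_preiv(priv_kul):
    """CBC-DES ('des56'): the first 8 bytes of the localized priv key are the DES
    key and the next 8 the pre-IV (RFC 3414 8.1.1.1)."""
    return priv_kul[:8], priv_kul[8:16]

if __name__ == "__main__":
    # Self-check against the RFC 3414 A.3.2 'maplesyrup' test vector.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    assert password_to_key("maplesyrup", rfc_engine).hex() == "6695febc9288e36282235fc7151f128497b38f3f"
    # Constructed engine ID (made up, Cisco-style format) with the post's passwords.
    engine = bytes.fromhex("800000090300aabbccddee")
    print("localized auth key:", password_to_key("JeremyPassword", engine).hex())
    key, pre_iv = des_key_and_preiv(password_to_key("3NCRYPT!0NK3Y", engine))
    print("DES key / pre-IV:", key.hex(), pre_iv.hex())
```

Because the localized key depends on the engine ID, the same password yields a different key on every device, which is why a tool pointed at a new device has to rediscover its engine ID before it can authenticate.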

Posted by JC at 9:31 AM | Comments (2) | TrackBack (0)

Cisco SmartNET Gets Better: "Smart Call Home"    |    Posted to Direct from Cisco

If I get one more email about this from Cisco...I'm adding them to my SPAM list. Cisco is HEAVILY pushing the new "Smart Call Home" feature, implemented primarily on Cat 6500s and data center gear. Just to save you some reading, this feature allows Cisco devices to automatically create a secure connection to Cisco TAC to transmit troubleshooting / diagnostic information. It's supposed to hit the ISR series (800, 1800, 2800, etc...) in "Late 2009". Seems nice...as long as your device still has Internet access...


Posted by JC at 7:00 PM | Comments (2) | TrackBack (0)

A Switch Powered by PoE    |    Posted to Switching

Interesting find: Cisco now makes a switch (8 ports) POWERED by PoE (not one that supplies PoE power, but receives it and does not need to be plugged in). Check it out: Catalyst 2960PD-8TT-L.

Posted by JC at 2:40 PM | Comments (12) | TrackBack (0)

MGCP Configuration for Voice Gateways    |    Posted to Cisco CallManager

I put this here primarily for my reference. I always end up forgetting one of the global commands when configuring a voice gateway for MGCP...this assumes a Cisco CallManager @ 172.30.100.104:

Router(config)#mgcp
Router(config)#mgcp call-agent 172.30.100.104
Router(config)#ccm-manager mgcp

!Now, the redundant CCM hosts:

Router(config)#ccm-manager redundant-host 172.30.100.105 172.30.100.106

!Now, the TFTP server configuration...gateway should be configured in CCM by this point.

Router(config)#ccm-manager config server 172.30.100.104
Router(config)#ccm-manager config

!In newer IOS/CCM versions, voice dial-peers are created automatically...older versions need this to place each port under MGCP control.

Router(config)#dial-peer voice 5000 pots
Router(config-dial-peer)#port 0/0/0 !FXS port
Router(config-dial-peer)#service MGCPAPP !or application MGCPAPP on older IOS versions

Posted by JC at 9:41 AM | Comments (8) | TrackBack (0)

CCNA Voice...It's Finally Here!    |    Posted to CallManager Express | Voice over IP

My latest work has finally come to fruition: Cisco Press CCNA Voice. In approaching this book, I took a different strategy of writing. Rather than focusing solely on covering exam topics, it's written from a "let's build a VoIP network...step-by-step." It contains configuration example after configuration example, which is what I love when I'm looking for technical documentation. Check it out!

Posted by JC at 10:27 AM | Comments (18) | TrackBack (0)

Looking for a Cisco Job?    |    Posted to Direct from Cisco

I never knew this, but Cisco has a "Cisco Learning Network Job Portal" to help you find jobs by certification level. Looks pretty awesome!

Click here to check it out: Cisco Learning Network Job Portal

Posted by JC at 9:41 AM | Comments (4) | TrackBack (0)

Template Parameter Access List    |    Posted to Security

My friend Mike Storm has come up with a good "base" ACL for use on Internet facing routers and firewall devices. While he has it listed on his blog, I am referencing it here for my own future reference.

Assuming my PubNet range is a block of 32 addresses, 66.238.29.0 - 66.238.29.31. See below:

! no fragments
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
! access-list 100 permit ... (your explicit permits, if any, begin here)

Notes:
192.0.2.0 0.0.0.255 any log (range known to be used to exploit default passwords on WLA devices)
14.0.0.0 0.255.255.255 any log (known as Net-14, a public-use network, possibly used by attackers)
169.254.0.0 0.0.255.255 any log (RFC2026 Link Local)
198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544)
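As an added example (not part of the post or of Mike Storm's ACL), this Python evaluator runs sample packets through a constructed subset of the entries above. It models first-match ordering, the IOS wildcard mask, the `fragments` keyword and the implicit deny at the end, so you can check that a spoofed source in your own range or an inbound SNMP probe is dropped, and that nothing at all is permitted until your own permits are added (the final www permit is mine, standing in for those).

```python
import ipaddress

# Constructed subset of the template ACL plus one explicit permit (added example, not IOS).
ACL = """access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any any eq snmp
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
access-list 100 deny tcp any any eq bgp log
access-list 100 permit tcp any 66.238.29.0 0.0.0.31 eq www""".splitlines()

PORTS = {"snmp": 161, "snmptrap": 162, "bgp": 179, "rip": 520, "www": 80}

def parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; an IOS wildcard is a hostmask, which ipaddress accepts."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)

def parse_port(tok):
    """Consume an optional 'eq PORT' (named or numeric); None means any port."""
    if tok and tok[0] == "eq":
        _, p = tok.pop(0), tok.pop(0)
        return PORTS.get(p) or int(p)
    return None

def parse_ace(line):
    # access-list N <action> <proto> <src> [eq p] <dst> [eq p] [log] [fragments]
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "fragments": "fragments" in tok}
    rest = tok[4:]
    ace["src"], ace["sport"] = parse_addr(rest), parse_port(rest)
    ace["dst"], ace["dport"] = parse_addr(rest), parse_port(rest)
    return ace

def matches(ace, pkt):
    """pkt keys: proto, src, dst, optional sport/dport, frag (True for a non-initial fragment)."""
    frag = pkt.get("frag", False)
    if ace["proto"] not in ("ip", pkt["proto"]) or (ace["fragments"] and not frag):
        return False
    if frag and (ace["sport"] or ace["dport"]):  # a non-initial fragment carries no L4 ports
        return False
    return (ipaddress.ip_address(pkt["src"]) in ace["src"] and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and ace["sport"] in (None, pkt.get("sport")) and ace["dport"] in (None, pkt.get("dport")))

def evaluate(acl, pkt):
    """First matching entry wins; with no match the ACL's implicit deny applies."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"
```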

Posted by JC at 3:21 PM | Comments (11) | TrackBack (0)

The Handy, Dandy Cisco Product Quick Reference Guide    |    Posted to Direct from Cisco

This guide rocks - it's every router, switch, or miscellaneous widget that Cisco makes and the modules each can handle. Very handy when trying to figure out what to buy for a project.

You can conveniently download it from here.

-Summer 2008 Edition

Posted by JC at 3:54 PM | Comments (5) | TrackBack (0)

Gimme a "show running-config" with SPEED!    |    Posted to IOS Foundations

Thanks to JW for this one...

The bigger and bigger your configuration grows, the longer you have to wait for a "show run" output. This is because each time the show run command is executed, the router queries each interface to find the individual commands entered. To save you some wait time, Cisco introduced a command to cache your configuration in memory (for a measly 15K memory sacrifice):

Router(config)#parser config cache interface

Reduced the "show run" time on my 3640 router from 8 seconds down to 3. Nice! Keep in mind that you must execute the "show run" command once after issuing this in order to cache the configuration.

If you're interested, here's all the info:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtinvgen.html

Posted by JC at 3:36 PM | Comments (8) | TrackBack (0)

Structured CCIE Study: Cisco 360    |    Posted to CCIE | Direct from Cisco

It looks like Cisco has now come up with an official CCIE training. It's a 6-month program through a Cisco Learning partner that uses a "blended" lab/e-learning/mentoring solution. Businesses who sponsor CCIE students will now have a way to check up on them (accountability for their studies). Sounds interesting! It's nice to see a "Cisco official" study path for the CCIE rather than just all the CCIE bootcamp processes.

Here's the scoop: https://cisco.hosted.jivesoftware.com/community/learning_center/cisco_360/

Posted by JC at 6:57 PM | Comments (4) | TrackBack (0)

Save the Pain: Hung Telnet/SSH Sessions    |    Posted to IOS Foundations

Don't ya love it when you attempt to Telnet or SSH from a Cisco device to an unreachable IP address? Your guaranteed wait time is 30 seconds...and there's no CTRL-SHIFT-6 breaking out of it. Here's a command of the day for you:

Router(config)#ip tcp synwait-time 5

This reduces the time the router waits for a reply SYN-ACK message to 5 seconds (from 30 seconds default) for all TCP sessions (including Telnet/SSH) coming from the router.

While I'm sure there could be an argument made that some networks may be delayed enough to have more than a five-second delay from a SYN to a SYN-ACK...I'd say...fix your network.

Posted by JC at 8:21 AM | Comments (4) | TrackBack (0)