Cisco & Cisco Network Hardware News and Technology


How to Configure AAA Authentication on Cisco ASA Firewall

May 15 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

AAA stands for Authentication, Authorization, and Accounting. AAA is a mechanism that is used to tell the firewall appliance who the user is (Authentication), what actions the user is authorized to perform on the network (Authorization), and what the user did on the network after connecting (Accounting). In this post we will focus on the first element of AAA (that is Authentication).

Types of Authentication supported on ASA appliances

Three types of Authentication are available for Cisco ASA firewalls:

1. User Authentication for accessing the security appliance itself.

2. User Authentication for accessing services through the security appliance. This is also called “cut-through proxy” and is used to authenticate users for accessing Telnet, FTP, HTTP, and HTTPS services located in the network behind the firewall.

3. User Authentication for VPN tunnel access (IPsec or SSL VPN).


We will see a configuration example for the first type (authentication for accessing the security appliance for management using Serial Console, SSH, and Telnet access).


Authentication configuration example

In this example we assume that we have already installed and configured a AAA server (e.g. Cisco ACS) running the TACACS+ authentication protocol. On the AAA server, we have configured a username/password account that the firewall administrators will use to authenticate. Assume also that the AAA server is located on our internal LAN network with address


Referring to the figure above, the firewall administrator (Admin) requests firewall access (serial console, SSH, or Telnet) (Arrow 1) for managing the appliance. The ASA firewall (Arrow 2) will request Authentication permission from the AAA server in order to prompt the admin user for Username/Password credentials. After the Admin successfully enters his credentials, the AAA server will give the permission to the Firewall to allow the user in.

Here is the configuration below:

! Specify a AAA server group name (NY_AAA) and which protocol to use (RADIUS or TACACS+)
ASA(config)# aaa-server NY_AAA protocol tacacs+

! Designate the Authentication server IP address and the authentication secret key
ASA(config)# aaa-server NY_AAA (inside) host
ASA(config-aaa-server-host)# key secretauthkey

! Enable Authentication for management access
ASA(config)# aaa authentication serial console NY_AAA LOCAL
ASA(config)# aaa authentication telnet console NY_AAA LOCAL
ASA(config)# aaa authentication ssh console NY_AAA LOCAL


The “LOCAL” keyword at the end designates the use of the local firewall username database for authentication in case AAA server authentication is not available (e.g. the AAA server is down).

Of course, to complete the scenario above, you need to properly configure the AAA server with the internal IP address of the ASA firewall and the same authentication key (e.g. secretauthkey) as the one you configured on the ASA above.
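As an added example (not part of the original article), here is a small Python audit that reads an ASA running-config excerpt and checks the management-access settings described above: that serial, Telnet and SSH logins each point at a defined AAA server group with a host, that a LOCAL fallback exists, and that a local username is present so the fallback can actually work. The sample config, the local account and the 192.0.2.10 server address are constructed for this example.

```python
"""Audit management-access authentication in a Cisco ASA running-config.

Constructed example, not code from the article: it parses the aaa-server and
'aaa authentication ... console' lines and reports gaps a reviewer would want
to know about (no AAA on a login method, an undefined server group, a group
with no host, no LOCAL fallback, LOCAL fallback with no local user).
"""
import re

# Constructed sample excerpt modelled on the article's NY_AAA example.
# 192.0.2.10 is a documentation address chosen for this example.
SAMPLE_CONFIG = """\
aaa-server NY_AAA protocol tacacs+
aaa-server NY_AAA (inside) host 192.0.2.10
 key secretauthkey
username admin password LOCAL-PASSWORD-PLACEHOLDER privilege 15
aaa authentication serial console NY_AAA LOCAL
aaa authentication telnet console NY_AAA LOCAL
aaa authentication ssh console NY_AAA
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
"""

MGMT_METHODS = ("serial", "telnet", "ssh")


def parse_aaa_servers(config):
    """Return {group: {"protocol": str|None, "hosts": [ip, ...]}}."""
    groups = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            entry = groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            entry["protocol"] = m.group(2)
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)
        if m:
            entry = groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            entry["hosts"].append(m.group(3))
    return groups


def parse_mgmt_auth(config):
    """Return {method: [server_group, ..., 'LOCAL'?]} for serial/telnet/ssh."""
    auth = {}
    for raw in config.splitlines():
        m = re.match(r"aaa authentication (serial|telnet|ssh) console (.+)$", raw.strip())
        if m:
            auth[m.group(1)] = m.group(2).split()
    return auth


def has_local_users(config):
    """True if at least one 'username <name> password ...' line exists."""
    return any(re.match(r"username \S+ password ", raw.strip()) for raw in config.splitlines())


def audit_mgmt_auth(config):
    """Return a list of (severity, message) findings; empty means nothing found."""
    groups = parse_aaa_servers(config)
    auth = parse_mgmt_auth(config)
    local_users = has_local_users(config)
    findings = []
    for method in MGMT_METHODS:
        servers = auth.get(method)
        if servers is None:
            findings.append(("HIGH", f"{method}: no 'aaa authentication {method} console' line, logins are not authenticated through AAA"))
            continue
        for name in servers:
            if name == "LOCAL":
                continue
            if name not in groups:
                findings.append(("HIGH", f"{method}: references undefined AAA server group {name}"))
            elif not groups[name]["hosts"]:
                findings.append(("HIGH", f"{method}: AAA server group {name} has no host configured"))
        if "LOCAL" not in servers:
            findings.append(("MEDIUM", f"{method}: no LOCAL fallback, logins fail while the AAA server is unreachable"))
        elif not local_users:
            findings.append(("MEDIUM", f"{method}: LOCAL fallback configured but no local username exists"))
    # Telnet is enabled by an access line such as 'telnet <net> <mask> <iface>'.
    if re.search(r"^telnet \S+ \S+ \S+", config, re.M):
        findings.append(("LOW", "telnet management access is enabled; Telnet carries credentials in cleartext, prefer SSH"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_mgmt_auth(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports that SSH has no LOCAL fallback and that Telnet access is still enabled.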

---Article reference from http://www.tech21century.com/configuring-aaa-authentication-on-cisco-asa-firewall/



Cisco Gets Tough: Details Ruggedized Switches for Harsh Environments

May 13 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

In small form factor, CGS-1000 switch is low-latency and designed for utilities


Cisco, which wants to expand its clout into the industrial networks used by power-generation utilities to support the electric grid, today announced an expansion of its "smart grid" portfolio with ruggedized and low-latency switches and other equipment intended for use in electric-power distribution systems.


"Utilities often have systems unique to them," said Jenny Gomez, marketing manager in Cisco's Connected Energy Business Unit that oversees the architecting of a wide range of equipment for networking and physical security to modernize utility networks while supporting their legacy systems that in some cases aren't being swapped out. As part of this effort, Cisco today introduced a number of products, including the CGS-1000 switch in a small form factor for use in a location such as an electric substation that's part of a complex, critical power-distribution system.


"The CGS-1000 is built to withstand harsh environments," pointed out Joe Ammirato, senior director of product management at Cisco's Connected Energy Business Unit. The ruggedized low-latency switch is intended to be able to work with utility sensors that often have serial interfaces, not Ethernet ones, Ammirato noted.


With experience gained over a few years in working with some utilities in North America and Europe, Cisco has been designing specialized switching, network access and security products for both data center and substation equipment under its so-called GridBlocks architecture. The push is part of Cisco's much-ballyhooed "Internet of Everything" initiative that's taking the company further into areas outside of traditional business IT networking.


The GridBlocks architecture supposes that Cisco will be able to provide equipment aimed not only at the substation tier, but also the system-control level where wide-area networks connect substations with each other and with control systems as well as SCADA and other event messaging.


The architecture also addresses utility data centers and control centers, plus devices and systems associated with residences and third-party elements. The Cisco GridBlocks architecture lists several other tiers for interchange and trans-national grid monitoring and tie-ins as well. In many cases, Cisco isn't coming up with entirely new products for the utilities but adapting its network segmentation, switching, security and management platforms to try and suit specialized needs utilities have.


Cisco is recommending MPLS as a core technology for utility use, especially in substations, says Ammirato, who points out that utility networks associated with the grid may not necessarily be IP-based at all today or they connect in a style not seen in modern IT business networks. For utilities intending to modernize, the challenge is in swapping out what can reasonably be changed while bridging older legacy systems that for one reason or another will remain related to the transmission grid. 

---News from http://www.networkworld.com/news/2013/050713-cisco-ruggedized-switches-269475.html


Cisco 2960s Can Route

May 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

As of 12.2(55) SE, Cisco 2960s are layer 3 switches. Configuring Catalyst 2960s to route is pretty simple. The Switch Database Management template (SDM) needs to be changed to “lanbase-routing”. A reboot is (always) needed after changing the SDM template. After reboot, it’s just like enabling routing on any other L3 switch with the command “ip routing” from global config.


First we’ll change the SDM template:

SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.

System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]


After changing the SDM template, we are reminded that we’ll need to reboot and are also given a command to verify the change after the next boot; the two prompts that follow come from issuing the reload.


Now we verify:

SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 255 VLANs.
  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    4.25K
  number of directly-connected IPv4 hosts:          4K
  number of indirect IPv4 routes:                   0.25K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k

The change was successful and we’re given the details about this SDM template.


Now seems like a good time to touch on the limitations of the layer 3 capabilities on 2960s. As we see in the output above, we’re limited to 8 routed interfaces. These will be SVIs. At this point, the Cisco 2960s don’t support routed physical interfaces (“no switchport”). Another important note is that we’re only allowed 16 static routes and there is no dynamic routing capability.


Now we’ll enable IP routing and configure a couple SVIs:

SwitchA#conf t
SwitchA(config)#ip routing
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add

SwitchA#sh ip route
C is directly connected, Vlan15
C is directly connected, Vlan25

Even now, I’m still amazed that we can do this with a 2960. As expected, it’s working. We have two SVIs and we can see the routing table reflect this.



What Features Does the Cisco Catalyst 3K Family of Switches Support?

May 6 2013 , Written by Cisco & Cisco Router, Network Switch


The Cisco Catalyst 3K family of switches supports the following three feature sets depending on the specific model of switch:

• LAN Base: Enterprise access Layer 2 switching features

• IP Base: Enterprise access Layer 3 switching features

• IP Services: Advanced Layer 3 switching (IPv4 and IPv6) features

As visually summarized in Figure 1, the Cisco Catalyst 3560-E and 3750-E Series support the IP Base and IP Services feature sets, whereas the Cisco Catalyst 3560-X and 3750-X Series support the LAN Base, IP Base, and IP Services feature sets.


Figure1. Feature Set Overview


In particular, Figure 2 shows the main differences between the three feature sets supported on the Cisco Catalyst 3K switch family.


Figure2. Feature Set Characteristics and Differences



Universal Image

Each Cisco Catalyst 3750-E/3560-E or 3750-X/3560-X system is loaded with a universal Cisco IOS Software image. Universal Cisco IOS Software images contain all Cisco IOS Software features. The level of Cisco IOS Software functionality available is determined by the combination of one (or more) licenses installed on the device. A specific license file stored in the flash memory of the switch can unlock a specific Cisco IOS Software feature set, from the smallest one to the largest one (Figure 3).

Figure3. Feature Set Activation in a Universal Image



For the Cisco Catalyst 3750-E/3560-E Series, there can be two versions of universal images: plain (no-crypto) universal images and universalk9 images (which offer all the Cisco IOS Software features, including strong crypto features).


For the Cisco Catalyst 3750-X/3560-X Series, in addition to the aforementioned universalk9 images, there are also images with the universalk9-npe designation in the image name. The reason for this alternate image type is that some countries have import regulations that require that the device does not support any strong data-plane crypto functionality, such as IEEE 802.1AE, in any form. To satisfy the import requirements of those countries, this universal image does not support any strong payload encryption (that is, it is of the no payload encryption type).

Note that for the aforementioned platforms "no universal" IP Base images are still available and posted on the cisco.com guest page. This is done so that those who have not purchased a Cisco SMARTnet contract can still get software updates for their LAN Base or IP Base images (or downgrade from IP Services to IP Base and get software updates). LAN Base or IP Base updates are offered as part of the software update policy (see Updating Software on the Cisco Catalyst 3750-E, 3560-E, 3750, and 3560 Series Switches).

---More details: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-579326_ps10745_Products_White_Paper.html


The Difference between a Layer-3 Switch and a Router

May 2 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In general, a Layer-3 switch (routing switch) is primarily a switch (a Layer-2 device) that has been enhanced or taught some routing (Layer 3) capabilities. A router is a Layer-3 device that simply does routing only. In the case of a switching router, it is primarily a router that may use switching technology (high-speed ASICs) for speed and performance (as well as also supporting Layer-2 bridging functions).

As an illustration, here are some examples:
Layer-2 switches
Cisco: Catalyst 2950, 2960 series

Layer-3 switches or routing switches
Cisco: Catalyst 3550, 3560, 3750, 4500, 6500 series
Juniper: EX series

Routers (with some bridging and/or security features) or switching routers
Cisco: 1800, 1900, 2600, 2800, 2900, 3700, 3800, 3900, 7200, 7600, ASR 1000 series
Juniper: MX series, J series, M series

Several factors have created significant confusion surrounding the subject of Layer-3 switch and Layer-3 switching. Some of this bewilderment arises from the recent merging of several technologies. In the past, switches and routers have been separate and distinct devices. The term switch was reserved for hardware-based platforms that generally functioned at Layer-2. For example, ATM switches perform hardware-based forwarding of fixed-length cells whereas Ethernet switches use MAC addresses to make forwarding decisions. Conversely, the term router has been used to refer to a device that runs routing protocols to discover the Layer-3 topology and makes forwarding decisions based on hierarchical Layer-3 addresses. Because of the complexity of these tasks, routers have traditionally been software-based devices. Routers have also performed a wide variety of "high touch" and value added features such as tunneling, data-link switching (DLSw), protocol translation, access lists, and Dynamic Host Configuration Protocol (DHCP) relay.

To better understand the difference between a switching router and a routing switch, consider the following illustration. Early Cisco switches (e.g. the Catalyst 3500) had only basic Layer-2 capabilities such as bridging and switching. Newer models (e.g. the Catalyst 3550 or 3560) also have some routing capabilities, such as terminating multiple Layer-3 interfaces and running dynamic routing protocols. In the router world, early Cisco routers (e.g. the 1600 or 2500) had only basic Layer-3 capabilities such as running dynamic routing protocols, terminating serial ports, and running non-IP protocols such as IPX and SNA. Newer models (e.g. the 1700, 1800, 2600 or 2800) also have some Layer-2 capabilities such as bridging and switching. In addition, some WICs (WAN Interface Cards) and NMs (Network Modules) with Ethernet ports extend the bridging and switching support in those newer routers even further, such as the WIC-4ESW Ethernet switching card for the 1700 series, the HWIC-4ESW high-density Ethernet switching card for the 1800 and 2800 series, and the NM-16ESW Ethernet switching module for the 2600 and 2800 series.

As a broad category, routing switches use hardware to create shortcut paths through the middle of the network, bypassing the traditional software-based router. Unlike traditional routers that use general-purpose CPUs for both control-plane and data-plane functions, Layer-3 switches use high-speed application-specific integrated circuits (ASICs) in the data plane. By removing CPUs from the data-plane forwarding path, wire-speed performance can be obtained, which results in a much faster version of the traditional router. In the Cisco world, the Catalyst 6500 series is an example of this routing-switch ASIC implementation. Switches of this kind are typically blade- or module-based, so you have to specify which "switch brain" (called the Supervisor Engine in Cisco terms) and which port modules you want the switch to have.

In the case of a switching router, which is primarily a router that uses switching technology (high-speed ASICs) for speed and performance (while also supporting Layer-2 bridging functions), the Cisco 7600 series and Juniper MX series routers are examples. Routers of this kind are typically blade- or module-based, so you have to specify which "router brain" (also called the Supervisor Engine in Cisco terms) and which port modules you want the router to have.

Further, the Cisco 7600 series router Supervisor Engine modules are compatible with the Cisco Catalyst 6500 series switch due to identical architecture between the router and the switch. In other words, you could use the same Supervisor Engine model on either Cisco 7600 series router or Catalyst 6500 series switch.

Some network topologies as illustrations

1. Single Router

                      Router
                        |
          LAN 1 with Unmanaged Switch (UM)

2. Single Router with multiple LAN subnets

          LAN 1 with UM --- Router --- LAN 2 with UM

3. Single Router with single connection to a switch and with multiple LAN subnets (also known as "Router on A Stick" design)

                      Router
                        |  * Single connection to a switch using a feature called Trunking
               Layer-2 Managed Switch
                 |       |       |
               LAN 1   LAN 2   LAN 3
             with UM  with UM  with UM

4. Single Router with Layer-3 Switch and with multiple LAN subnets

                 Internet Router
                        |
                  Layer-3 Switch
                 |       |       |
               LAN 1   LAN 2   LAN 3
             with UM  with UM  with UM

5. Multiple Routers with multiple unmanaged (dumb) switches and with multiple LAN subnets

                 Internet Router
                        |
              Unmanaged Switch (UM)
                 |       |       |
             Router 1 Router 2 Router 3
                 |       |       |
               LAN 1   LAN 2   LAN 3
             with UM  with UM  with UM

Of the variety of other switching devices and terminology released by vendors, Layer-4 and Layer-7 switching have received considerable attention. In general, these approaches refer to the capability of a switch to act on Layer 4 (transport layer) information contained in packets. For example, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers can be used to make decisions affecting issues such as security and Quality of Service (QoS). However, rather than being viewed as a third type of campus switching devices, these should be seen as a logical extension and enhancement to the two types of switches already discussed. In fact, both routing switches and switching routers can perform these upper-layer functions.



How to Configure SNMP V3 on Cisco ASA and IOS?

April 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Here we will focus on SNMP V3 configuration on Cisco ASAs with a brief overview of an IOS configuration. This article assumes a basic understanding of SNMP and its operation.


The most common and sought after reasoning behind an upgrade to SNMP V3 is security. SNMP versions 1 and 2(c) transmit data between the SNMP server and the SNMP agent “in the clear”.


This leaves your infrastructure and the devices in it far more exposed to attack and/or misuse. Weak SNMP hands attackers the low-hanging fruit they often need to build a stronger attack vector.


SNMP V3’s focus was to improve this security flaw. SNMP V3 adds authentication and privacy options to secure its communication between SNMP servers and SNMP agents.


SNMP V3 Security Models

The authentication (auth) and privacy (priv) options are grouped into security models.

  • NoAuthNoPriv – no authentication and no privacy
  • AuthNoPriv – authentication and no privacy
  • AuthPriv – you guessed it – authentication and privacy


SNMP Groups

SNMP groups provide an access control policy to which users are added. The user will inherit the security model of the group. If the SNMP group “SEC3” has the AuthPriv security model, users assigned to it will inherit the AuthPriv security model.


SNMP Users

SNMP users are assigned a username, a group to which they belong, authentication password, encryption password, and associated algorithms to use.

Authentication algorithms: MD5 and SHA.
Encryption algorithms: DES, 3DES, and AES (128, 192, 256).



SNMP Hosts

An SNMP host is the server to which SNMP notifications and traps are sent. SNMP V3 hosts require the SNMP server IP address and SNMP username. Each SNMP host can only have one username associated with it. The user credentials on the NMS (CiscoWorks, Solarwinds, etc.) must match the SNMP username credentials.

Configuring SNMP V3:

Note – the brackets <> are used to indicate a variable you assign a name to. I used these brackets to emphasize these important variables.

  1. Enable SNMP
    snmp-server enable
  2. Enable the SNMP traps (this will change depending on environment and business requirements). The following example enables all traps, but this could be limited to a subset.
    snmp-server enable traps all
  3. Create the SNMP group. Note the following meanings:
    auth indicates authentication only
    noauth indicates no authentication or encryption
    priv indicates encryption and authentication
    snmp-server group <GROUPNAME> v3 {auth | noauth | priv}
  4. Create the SNMP user (the passwords are entered in plain text; the ASA stores them and shows them in the running config in encrypted form)
    snmp-server user <USERNAME> <GROUPNAME> v3 auth md5 <AUTHENTICATION-PASSWORD> priv aes 128 <ENCRYPTION-KEY>
  5. Create the SNMP server host
    snmp-server host <INTERFACE-NAME> <HOSTNAME> version 3 <USERNAME>


Full Configuration Example for the Cisco ASA (Version 8.4)

snmp-server group SEC3GROUP v3 priv
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt version 3 SNMPUSER3
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded


Full Configuration Example for the Cisco IOS

snmp-server view SNMPMGR iso included
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server enable traps config


Note – in IOS you won’t see the following line:
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey

IOS hides the authentication password and encryption key from the “show run” and “show startup”.
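As an added example (not the article's own code), the following Python script parses snmp-server lines in either ASA or IOS form and reports the weaknesses discussed above: leftover v1/v2c community strings, groups below AuthPriv, MD5/DES algorithm choices, and a user or host that names a group or user which was never created. The sample config (including a SEC3 vs SEC3GROUP group-name mismatch and the 192.0.2.50 host address) is constructed for this example.

```python
"""Audit snmp-server lines from a Cisco ASA or IOS configuration.

Constructed example, not code from the article: it flags v1/v2c community
strings (sent in the clear), v3 groups below AuthPriv, weak algorithm choices,
and users or hosts that reference a group or user that is never defined.
"""
import re

# Constructed sample modelled on the article's ASA example. The group is
# created as SEC3 but the user is placed in SEC3GROUP, and a v2c community
# was left behind. 192.0.2.50 is a documentation address chosen here.
SAMPLE_CONFIG = """\
snmp-server group SEC3 v3 priv
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt 192.0.2.50 version 3 SNMPUSER3
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
"""

# Matches both the ASA form (optional 'encrypted' keyword) and the IOS form.
USER_RE = re.compile(
    r"snmp-server user (\S+) (\S+) v3 (?:encrypted )?auth (md5|sha) \S+"
    r"(?: priv (des|3des|aes)(?: (128|192|256))? \S+)?"
)


def _parse_host(tokens):
    """Pull version and v3 username out of a host line in ASA or IOS form."""
    version, user = None, None
    if "version" in tokens:
        i = tokens.index("version")
        if i + 1 < len(tokens):
            version = tokens[i + 1]
        if version == "3" and i + 2 < len(tokens):
            nxt = tokens[i + 2]
            # IOS puts a security level (auth|noauth|priv) before the username; ASA does not.
            if nxt in ("auth", "noauth", "priv"):
                user = tokens[i + 3] if i + 3 < len(tokens) else None
            else:
                user = nxt
    # tokens[2] is the interface name on ASA and the host address on IOS.
    return {"target": tokens[2], "version": version, "user": user}


def parse_snmp(config):
    """Return v3 groups, v3 users, notification hosts and community strings."""
    groups, users, hosts, communities = {}, {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        m = re.match(r"snmp-server group (\S+) v3 (auth|noauth|priv)\b", line)
        if m:
            groups[m.group(1)] = m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = {"group": m.group(2), "auth": m.group(3), "priv": m.group(4)}
            continue
        if tokens[:2] == ["snmp-server", "host"] and len(tokens) > 2:
            hosts.append(_parse_host(tokens))
            continue
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            communities.append(m.group(1))
    return {"groups": groups, "users": users, "hosts": hosts, "communities": communities}


def audit_snmp(config):
    """Return a list of (severity, message) findings."""
    cfg = parse_snmp(config)
    findings = []
    for community in cfg["communities"]:
        findings.append(("HIGH", f"community '{community}': SNMP v1/v2c, community string travels in the clear"))
    for name, level in cfg["groups"].items():
        if level == "noauth":
            findings.append(("HIGH", f"group {name}: NoAuthNoPriv, neither authenticated nor encrypted"))
        elif level == "auth":
            findings.append(("MEDIUM", f"group {name}: AuthNoPriv, authenticated but not encrypted"))
    for name, user in cfg["users"].items():
        if user["group"] not in cfg["groups"]:
            findings.append(("HIGH", f"user {name}: group {user['group']} is not defined (defined: {sorted(cfg['groups'])})"))
        if user["priv"] is None:
            findings.append(("MEDIUM", f"user {name}: no priv key, this user's traffic is not encrypted"))
        if user["auth"] == "md5":
            findings.append(("LOW", f"user {name}: MD5 authentication, prefer SHA"))
        if user["priv"] == "des":
            findings.append(("LOW", f"user {name}: single-DES privacy, prefer AES"))
    for host in cfg["hosts"]:
        if host["version"] != "3":
            findings.append(("HIGH", f"host {host['target']}: not configured for SNMP version 3"))
        elif host["user"] not in cfg["users"]:
            findings.append(("HIGH", f"host {host['target']}: v3 user {host['user']} is not defined"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```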


More Information

Cisco Configuration Guide for ASA 8.4 and 8.6


Cisco Configuration Guide for ASA 8.4 and 8.6 PDF


---Reference from




Startup Aims SDN Technology at Cisco WANs

April 25 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

Glue Networks developing automation tools for managing WAN operations

SDNs aren't just for data center networks, despite the best-use-case-scenario arguments for network virtualization and flow management pervading the industry.


SDNs can automate and manage WAN operations as well. Google is using OpenFlow to interconnect data centers over a WAN.


And startup Glue Networks is targeting Cisco's installed base of WAN routers as a sweet spot for its SDN WAN offerings.


Major IT trends such as SaaS, private clouds, BYOD, mobility and voice/data convergence are stressing the quality of links in an enterprise WAN, as analyst Lee Doyle notes here. WAN links now require improved security, lower latency, higher reliability and support for any device in any location to accommodate these trends.


SDN can help enterprise IT accomplish this without the expense of upgrading individual WAN links, Doyle notes. The technology can allow for prioritization of key applications and traffic types, ease provisioning for new sites, new applications, and changed traffic priorities, enhance security and more tightly link WAN service to specific applications.


That's what Glue Networks is after. Glue's gluware software runs in the cloud and provides a cloud-based service for turning up remote sites and teleworkers worldwide. It is designed to lower the cost of private WAN networking by automating those operations and handling ongoing maintenance, monitoring, life-cycle management and feature extension.


Some of those features might include Cisco's WAAS Express, ScanSafe, ISE, MediaNet and TrustSec services.


The software automates the provisioning of voice, video, wireless, LAN networking, IP addressing, PKI security, firewalls, VLANs and ACLs, and allows users to configure a meshed, spoke-to-spoke, low-latency infrastructure that is QoS-enabled, the company says.


The company's gluware Teleworker software resides in the cloud and acts as a control plane to create a secure data plane for teleworkers to connect to the corporate network. Teleworkers can self-provision their equipment with a single click and no IT support, Glue claims.


Glue's products are essentially a software-defined dynamic multipoint VPN offered as a monthly software-as-a-service subscription. It includes a central policy-based controller, applications with "CCIE intelligence," and an API to configure the OS using the applications.


Glue's gluware also includes tools for alert notification based on thresholds; hardware ordering logistics and router provisioning workflows; end-user and administrator monitoring portals; repository of network configurations, end-user data, and reporting and monitoring data; agents to proactively monitor the health of the network and deploy large-scale configurations; and an orchestrator to generate hardware configurations, check for errors and conduct "self-healing" operations.


Glue says its addressable market is the $12 billion worth of 16 million Cisco WAN routers installed globally. Glue expects Cisco to have 23 million WAN routers installed by 2017.


Glue was founded in 2007. It has about $6.2 million in funding from a $4.5 million Series A round in 2011, and $1.7 million in convertible notes in 2012. The company's investors include Keiretsu Forum, San Joaquin Angels, Sierra Angels, Sacramento Angels, Sand Hill Angels, Harvard Angels, Halo Fund and Angel Forum.


Glue is headquartered in San Francisco and the company's executive team is comprised of officials from Yelofin Networks, Cisco, Agilent, Intel, INX and MTV Networks.


---News from http://www.networkworld.com/news/2013/041213-glue-networks-268664.html



Which Cisco Exam of CCENT and CCNA Certification Should You Take 2013?

April 22 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

If you are considering taking the exams to become certified as a Cisco Certified Entry Networking Technician (CCENT) or Cisco Certified Network Associate (CCNA), this article by Cisco expert Michelle Plumb will help you decide which exams you should take. These exams are not for the faint at heart. They are meant to weed out those who are committed from those who are easily dissuaded.


For more information on the new Cisco CCENT/CCNA exams, including special offers and study guides, visit our Cisco Press "About CCNA" page.


This article reviews the options you have when preparing for the Cisco Certified Entry Networking Technician (CCENT) certification and Cisco Certified Network Associate (CCNA) certification.



First, let’s start with the CCENT certification. This certification is geared toward an entry-level network technician. This certification proves you have foundational knowledge for a small- to medium-sized network. Passing this exam is the first step to enter into a network engineering job using Cisco routers and switches. The course that you should take for the CCENT exam is ICND1v2.0. This is an updated course and exam due this spring. The new exam number is 100-101. Once you have passed this exam, you become a CCENT.



The ICND (Interconnecting Cisco Network Devices) exams are very challenging. You need to make sure you know all the material extremely well. The exam is timed, and these exams could run close on time. Know these tips before taking the test:

  • I would know subnetting extremely well. You cannot afford to spend too much time solving the troubleshooting questions on IPv4 subnetting.
  • You do not have access to a calculator.
  • You may also run into simulations that require knowledge to configure routing protocols and the appropriate IPv4 addresses. New to this course is IPv6 configuration, and you will need to be able to use IPv6 addresses appropriately as well as configuration options with routing protocols.
  • The exams could include multiple choice, drag and drop, as well as simulations.


Cisco’s website does have practice questions so you are familiar with the exam interface.



If you have taken the ICND1 course and exam, strongly consider taking the ICND2 course and exam 200-101 as well. By taking this second exam and passing it, you will achieve the CCNA certification. The CCNA credentials show your abilities to install, configure, operate, and troubleshoot medium-sized routed and switched networks.


This exam is also challenging. Again, as with the CCENT exam, make sure you feel extremely comfortable with all the material covered in the ICND courses. You can expect the same types of questions: simulations, drag and drop, as well as multiple choice.


A Combination

You do have another option for exams. If you are a very skilled individual who has in-depth knowledge and experience configuring routers and switches in a medium- to large-sized network, then the combination exam might be for you. Cisco has an exam that covers knowledge from both ICND1 and ICND2: exam 200-120.


I highly caution anybody who is considering taking the all-in-one exam. This is a very tough exam. You need to make sure you know subnetting like the back of your hand and can do it very quickly. You also may see several simulations where you need to configure the various routing protocols, including figuring out what subnet information needs to be entered. With the new ICNDv2.0 classes and exams, you also have to be very proficient with IPv6. You will need to be capable of configuring and routing IPv4 and IPv6 at the same time. You may also see drag-and-drop questions.



You will schedule these exams on the Pearson VUE website. You will need to bring a picture ID, and a photo will be taken of you at the testing center. You will also need to sign some paperwork about the exams, and sign in and out of the exam center.


Study Tips

If this is the first exam you have taken in a while, I have some study tips that have helped me:

  • Make sure to attend the appropriate course and/or purchase the official Cisco press books for the exam.
  • Review the material at least three times. Then use practice questions to see how I am doing with the material. For these exams, as stated earlier in this article, you have to know subnetting. So when I was just learning how to subnet, I made sure every day I ran through a subnetting problem, just to keep it fresh in my mind.
  • Do not wait longer than one month from finishing the class until taking the exam. We start to lose some of the information that is fresh in our minds.
  • Get a good night’s sleep the night before the exam. A good solid breakfast or lunch before the exam is a good idea as well.
  • Stop studying the day before. If you don’t know it by then, you might want to think about rescheduling the exam. You only have 24 hours before your scheduled time to make any changes. But make sure you double-check the cancelation policy.
  • Make sure to know exactly how long it will take to reach the exam center, and arrive 15 minutes early. Sometimes if no one is in the seat you are scheduled for, the test center might let you get started a little early if it is available.
  • Be prepared to store your accessories or valuables. You will be required to lock your valuables in a locker. You are not allowed to take purses, cell phones, etc. into the room where the exam is administered. You might also be asked to leave your watch in a locked locker.
  • When you get into the testing room, you will be given something to write with, either a dry-erase board or paper. You will have to return these materials when you are done with the exam.


The Exam Process

Once you sit down and start into the exam process, you will see examples of the type of questions and how to navigate them. This does not take away from your timed exam. If you are not familiar with the types of questions and how to navigate the simulations, the examples will walk you through how to navigate them. You may also receive a brief questionnaire about your training before starting the official exam.


Once you are finished with this portion of the exam, the real exam begins. Try to take a deep breath and stay calm. I still get nervous to this day after taking many of these exams every year. Make sure you read each question thoroughly. This is one of the biggest reasons people miss questions. Read the entire question and all the answers before you start to formulate an answer. For simulations, double-check your work before you submit and move on. With Cisco exams, you cannot go back to a question once you have clicked Next to move to the next question.


When you have finished, you will see your score, and a printout of the exam information will be given to you by the exam proctor.


Final Thoughts

If something happens and you don’t pass on the first attempt, please don’t give up. These exams are very difficult, and I don’t want to see anyone get discouraged from trying again.


---Article resource from http://www.pearsonitcertification.com/articles/article.aspx?p=2036575


More Reviews about Cisco Exam:

CCNP SWITCH 642-813 Guide: Configuring IP SLA

Cisco CCNP: How to Configure IP Source Guard?

CCNP TSHOOT: Cisco Troubleshooting Techniques & Procedures

How to Prepare for the CCIE Voice Written Exam?

Guide to Cisco CCNA Voice Exam 640-461…Reviews, Main Topics

Top 5 VoIP Concepts to Know for CCNA Voice—VoIP Basic for CCNA Voice Exam

Top Cisco Certification Books


Cisco Ports Nexus 1000V Virtual Switch to Microsoft's Hyper-V

April 19 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

Hooks UCS servers into Systems Center, fast-tracks Windows infrastructure clouds

Upstart server-maker Cisco is bounding around the Microsoft Management Summit this week in Las Vegas to talk about how it is plugging its technologies into Redmond's cloud stack.


First up, as it promised it would do back in the summer of 2011, Cisco has ported its Nexus 1000V virtual switch to run atop Microsoft's Hyper-V server virtualization hypervisor.


While Microsoft has its own virtual switch, called Hyper-V Extensible Switch, there are others that run in conjunction with Windows, such as the vNetwork switch buried inside of VMware's ESXi hypervisor. The Open vSwitch created by Nicira is popular on Linux-based virtualization platforms and is now controlled by VMware. NEC in January launched its own freebie Programmable Flow 1000 Virtual Switch for Hyper-V.


Still, support for the Nexus 1000V is important for the Windows stack because Cisco is still, by far, the dominant supplier of physical switches in the data center. And a Nexus 1000V virtual switch, which is used to link virtual machines to each other, can manage their networks as the VMs migrate around a server cluster; it looks and smells like other physical switches that run the NX-OS operating system.


Satinder Sethi, vice-president of data center solutions at Cisco, tells El Reg that Cisco has watched the adoption rate for Hyper-V growing on its UCS B-Series blade and C-Series rack servers, and moreover, that Cisco expects many enterprises to have two hypervisors running across their clusters for various political and technical reasons.


The important thing for Cisco is that its Nexus 1000V virtual switch is the common element across whatever hypervisors enterprises choose. This is why Cisco already has the Nexus 1000V plugged into Red Hat's KVM hypervisor and is working on integrating it with Citrix Systems' Xen hypervisor–which has fallen into fourth place in the server virtualization beauty pageant unless you count all of the public clouds that use either XenServer (like Rackspace Hosting does) or a tweaked homegrown Xen (as Amazon Web Services does).



Cisco is making its Nexus 1000V virtual switch and fabric extenders work with Hyper-V

The Nexus 1000V support for Hyper-V 3.0, which is based on and which works with Windows Server 2012, was expected to be delivered in late 2012. So it took a few months longer to get it together than expected. (That's IT for you.)


By the way, you don't have to run the Nexus 1000V on Cisco's servers. It works on any x86 machines using a supported hypervisor, and many of the 6,000 customers who bought it through October last year run it on non-Cisco server gear.


The Nexus 1000V comes in a freebie Essential Edition with the basic switch. The Advanced Edition costs $695, has a plug-in for VMware's vCenter Server management console, and extends Cisco's TrustSec security policies for physical switches down to virtual switches. The Advanced Edition, which started shipping at the end of last year, also adds high-availability clustering across data centers for virtual switches and has a rolling upgrade process for Nexus 1000V virtual switches, so you don't have to take hypervisors offline to patch the virtual switch.

The Nexus 1000V support for Hyper-V 3.0 will be available later this month.


From the get-go, VMware's ESXi hypervisor has been tightly integrated with the extended fabric at the heart of the UCS system, called the Virtual Machine Fabric Extender or VM-FEX. This takes the interfaces between the integrated UCS switch and the server nodes and virtualizes and extends them down into the server nodes as virtual network interfaces that can be set up programmatically and have their bandwidth or VM assignment changed on the fly.


Now this capability is also being extended to Hyper-V, which makes Microsoft's hypervisor a peer to ESXi at this point.


VM-FEX support for Hyper-V is available now, but Sethi says improved configuration tools are coming in the June-July timeframe to make it easier for VM-FEX and Hyper-V to work together.



Microsoft and Cisco have integrated their respective control freaks

Cisco and Microsoft have also been working together to mash up their respective systems and systems-software management tools so they work together to make Windows and Hyper-V play nice on top of Cisco UCS systems. Specifically, the APIs of UCS Manager, the control freak that runs in the embedded switch in the UCS machines, and of its UCS PowerTool are exposed to Microsoft's System Center 2012 SP1 and to the PowerShell utility.


Cisco has created a UCS Management Pack for System Center Operations Manager so customers can monitor UCS hardware and Windows software from the same System Center console. There is also a UI Extension add-in for Virtual Machine Manager that can talk through UCS Manager and the Nexus 1000V switch to the virtual machines on the UCS iron.


Cisco is also talking up the fact that its UCS reference architectures are now certified to be part of the Microsoft Fast Track 3.0 reference architecture, which allows partners to use the recipes cooked up by Cisco and approved by Microsoft to build private infrastructure clouds quickly and consistently.


There is a Fast Track setup that mixes UCS systems with NetApp storage, known as FlexPod. This includes B-Series blade servers using the UCS 5108 chassis and the 6248 fabric interconnects plus Nexus 5548UP switches for the access layer linking multiple blade enclosures together. The storage systems feeding the blades are NetApp FAS3240 arrays. And of course the nodes are running the Hyper-V 3.0 hypervisor and the Windows Server 2012 operating system with all the control freakage above tossed in.


The VSPEX private cloud stacks that Cisco has built with EMC to run the Microsoft server stack can run either Windows Server 2008 R2 or Windows Server 2012 with the appropriate System Center management tools and Hyper-V hypervisor. This particular Fast Track setup is based on the UCS C220 M3 rack servers linked together by Nexus 5548UP switches and also talking to EMC VNXe 3300 arrays using iSCSI over 10 Gigabit Ethernet links.


---From http://www.theregister.co.uk/2013/04/11/cisco_nexus_ucs_microsoft_hyperv_sc2012/ 

More Cisco Reviews and News:

Microsoft Hyper-V: What It Means for Cisco Nexus 1000v

Why Does the Nexus Core Switch Rock in the Datacenter?

Cisco Nexus Switches: Layer 2 Configuration Strategies

Cisco Catalyst 6500 vs. Cisco Nexus 7000 Switch

To Answer the Questions from Cisco Nexus 1000V InterCloud Users and Analysts

Cisco Combines Wired, Wireless and SDN into Its New Catalyst Switch


Configuring NAT on Cisco ASA

April 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Network address translation (NAT) allows you to translate private addresses to public addresses.
On a Cisco ASA firewall, you can configure two types of NAT:
- Dynamic NAT (including PAT, port address translation)
- Static NAT

NAT example (the web server must send its responses to the client's public/mapped address):


Dynamic NAT allows you to translate internal addresses to a predefined set, or pool, of public addresses that you define. The "nat" command defines which internal hosts are translated, and the "global" command defines the public address range into which those internal addresses are translated. The number "1" in the nat configuration is the NAT ID (the number of the NAT rule) and must match on the "nat" and "global" commands:

ASA1(config)#nat (inside) 1

ASA1(config)#global (outside) 1

PAT translates a range of internal addresses to one public address by mapping them to different ports:

ASA1(config)#nat (inside) 1

ASA1(config)#global (outside) 1

Instead of an IP address in the global command, it is possible to use the keyword "interface". That way, the internal addresses are automatically PAT-ed to the address of the outside interface:

ASA1(config)#nat (inside) 1

ASA1(config)#global (outside) 1 interface


Static NAT allows you to permanently map a public IP address and port to an inside one (port forwarding). Along with that, Cisco allows 1:1 NAT, or "mirroring", which translates all ports of a private address to the same ports on a public address (bidirectional). Of course, to enable traffic flow from the "outside" to the "inside" interface, the traffic must also be permitted by an access control list.

Port forwarding:


Port forwarding maps publicly reachable ports to internal addresses. After configuring NAT, to enable traffic flow from outside to inside hosts, you must apply access lists that permit the traffic. Finally, to activate the ACL, bind it to the "outside" interface with the "access-group" command:

ASA1(config)#static (inside,outside) tcp http http netmask

ASA1(config)#static (inside,outside) tcp ftp ftp netmask

ASA1(config)#static (inside,outside) tcp smtp smtp netmask


ASA1(config)#access-list outside_in_acl extended permit tcp any host eq http

ASA1(config)#access-list outside_in_acl extended permit tcp any host eq ftp

ASA1(config)#access-list outside_in_acl extended permit tcp any host eq smtp


ASA1(config)#access-group outside_in_acl in interface outside


Static 1:1 NAT (every public port mapped to the same internal port):

ASA1(config)#static (inside,outside) netmask

To allow traffic to flow from the lower-security interface "outside" to the higher-security interface "inside", an access control list must be applied.
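The three translation types above as one complete configuration, added here as an example; it is not the post's own configuration, and the addresses are constructed (inside LAN 10.0.0.0/24, public block 203.0.113.0/24 from the RFC 5737 documentation range) in the same pre-8.3 nat/global syntax the post uses. The point it shows is that a static translation exposes only the ports you map and that, even then, nothing from the lower-security outside interface gets in until the ACL permits it.

```cisco
! Added example, not the post's own configuration. Constructed addresses:
! inside LAN 10.0.0.0/24, public block 203.0.113.0/24 (RFC 5737).
! Pre-8.3 ASA syntax (nat/global), as used in the post above.

! Dynamic NAT: inside hosts in 10.0.0.0/24 are translated to the pool
! 203.0.113.10-203.0.113.20. NAT ID 1 ties this nat line to its global lines.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0

! PAT: same NAT ID, single public address. With both global lines present the
! ASA uses the pool first and falls back to PAT once the pool is exhausted.
! "interface" instead of an address would PAT onto the outside interface's own IP.
global (outside) 1 203.0.113.5 netmask 255.255.255.0

! Static PAT (port forwarding): only TCP/80 and TCP/25 of 203.0.113.6 are
! translated; any other port of 203.0.113.6 has no translation and is dropped.
static (inside,outside) tcp 203.0.113.6 http 10.0.0.80 http netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.6 smtp 10.0.0.25 smtp netmask 255.255.255.255

! Static 1:1: every port of 203.0.113.7 maps to the same port of 10.0.0.7, both ways.
! Here the ACL is the only thing limiting which of 10.0.0.7's ports are reachable.
static (inside,outside) 203.0.113.7 10.0.0.7 netmask 255.255.255.255

! A translation alone never permits inbound traffic from outside (lower security)
! to inside (higher security). In this pre-8.3 syntax the ACL matches the mapped
! (public) address, not the real inside address.
access-list outside_in_acl extended permit tcp any host 203.0.113.6 eq http
access-list outside_in_acl extended permit tcp any host 203.0.113.6 eq smtp
access-list outside_in_acl extended permit tcp any host 203.0.113.7 eq ssh
! Everything else arriving on outside is dropped by the implicit deny at the end.
access-group outside_in_acl in interface outside
```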


More Related Cisco ASA Tips:

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

How to Configure Dual ISP on Cisco ASA 5505?

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?
