
How to Detect Routing Loops and Physical Loops with a Network Analyzer

Posted in Network Fundamentals


When working with medium to large scale networks, IT departments are often faced with network loops and broadcast storms caused by user error, faulty network devices or incorrect configuration of network equipment. Network loops and broadcast storms are capable of causing major network disruptions and therefore must be dealt with very quickly.

There are two kinds of network loops and these are routing loops and physical loops.

Routing loops are caused by the incorrect configuration of routing protocols: data packets sent between hosts on different networks are caught in an endless loop, travelling between routers that hold incorrect route entries.

A physical loop is caused by a looped link between devices. A common example is two switches with two active Ethernet links between them. Broadcast packets exiting the links on one switch are replicated and sent back by the other switch. The result is also known as a broadcast storm.

Both types of loop are capable of causing major network outages, wasting valuable bandwidth and disrupting network communications.

We will show you how to detect routing loops and physical loops with a network analyzer such as Colasoft Capsa or Wireshark.

Download your copy of Colasoft Capsa - a professional network analyzer designed to help locate and deal with network and protocol problems.

We’ve selected Colasoft Capsa 8.0 as our preferred packet analyzer because of its new feature that allows the quick diagnosis of routing loops and physical loops.

Note: To capture packets on a port that's connected to a Cisco Catalyst switch, users can also read our article Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets.

If there are routing loops or physical loops in the network, Capsa will immediately report them in the Diagnosis tab as shown below. This makes troubleshooting easier for network managers and administrators:

Figure 1. Capsa quickly detects and displays Routing and Physical Loops

Further examination of Capsa’s findings is possible by simply clicking on each detected problem. This allows us to further check the characteristics of the related packets and then decide what action must be taken to rectify the problem.

Drilling into our Captured Information

Let’s take a routing loop for example. First, find out the related conversation using Filter (red arrow) in the MAC Conversation tab. MAC addresses can be obtained easily from the notices given in the Diagnosis tab:

Demystifying Cisco AnyConnect 4.x Licensing. Plus, Plus Perpetual, Apex & Migration Licenses for Cisco IOS Routers & ASA Firewalls (5500/5500-X Series). Supported Operating Systems & Ordering Guide

Posted in Cisco Firewalls - ASA & PIX Firewall Configuration


In late 2014, Cisco announced the new licensing model for the latest AnyConnect Secure Mobility client v4.x. With this new version, Cisco introduced a number of new features, but also simplified the licensing model, which was somewhat confusing. In this article, we will take a look at the new AnyConnect 4.x licenses, which consist of: the AnyConnect Plus license, the AnyConnect Plus Perpetual license and the AnyConnect Apex license.
 
We will also show how the new licenses map to the older AnyConnect Essentials and AnyConnect Premium license, plus the available migration paths. Finally, we also take a look at Cisco’s Software Application Support (SAS) and Software Application Support plus Upgrade (SASU), which are required when purchasing AnyConnect.

All AnyConnect licenses prior to version 4 had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses now have one of the three licensing options:

  • Cisco AnyConnect Plus License (Subscription Based)
  • Cisco AnyConnect Plus Perpetual License (Permanent – no subscription)
  • Cisco AnyConnect Apex License (Subscription Based)

With the new AnyConnect licenses, Cisco has moved to a subscription-based licensing model, which means customers will unfortunately need to fork out more money in the long run. The Plus Perpetual License, on the other hand, allows Cisco customers to purchase a one-time license; however, it costs significantly more than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Since the newer AnyConnect licenses are subscription-based, according to Cisco they will stop working if the subscription expires and is not renewed.
 
Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:

  • Windows 8.1 (32bit & 64Bit)
  • Windows 8 (32bit & 64Bit)
  • Windows 7 (32bit & 64Bit)
  • Linux Ubuntu 12.X 64Bit
  • Linux RedHat 6 64Bit
  • Mac OS X 10.10 – 10.8

As expected, Windows XP is no longer supported.

Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:

Figure 1. Mapping AnyConnect 3.x Essentials & Premium to AnyConnect 4.x Plus & Apex

 


Cisco AnyConnect Plus License (Equivalent to the old Essentials License) 5, 3 or 1-Year Term

The AnyConnect Plus License is a subscription-based license with the option of a 5, 3 or 1-year renewable subscription and supports the following features:

  • VPN Support for Devices. Includes Workstations and Laptops.
  • Secure Mobility Client support (AnyConnect Mobile). Includes mobile phones, tablets etc.
  • SSL VPN (Client-based)
  • Per-app VPN. Authorizes specific applications to access the VPN. Supports specific devices and software.
  • Basic endpoint context collection
  • IEEE 802.1X Windows supplicant
  • Cisco Cloud Web Security agent for Windows & Mac OS X platforms
  • Cloud Web Security and Web Security Appliance support
  • Cisco Advanced Malware Protection for Endpoints Enabler. AMP for Endpoints is licensed separately
  • Network Access Manager
  • Federal Information Processing Standards (FIPS) Compliance

It is worth noting that AnyConnect 3.x required the purchase of an Essentials or Premium license plus AnyConnect Mobile (L-ASA-AC-M-55xx) in order to support mobile devices (smartphones, tablets etc.). AnyConnect Mobile is now integrated into the new AnyConnect Plus license.

 

Cisco AnyConnect Plus Perpetual (permanent) License

Enabling & Configuring SSH on Cisco Routers. Restrict SSH for Management & Enable AAA Authentication for SSH Sessions

Posted in Cisco Routers - Configuring Cisco Routers


This article shows how to configure and set up SSH for remote management of Cisco IOS routers. We'll show you how to check whether SSH is supported by your IOS version, how to enable it, how to generate an RSA key for your router and finally how to configure SSH as the preferred management protocol under the VTY lines.

Secure Shell (SSH) provides a secure and reliable means of connecting to remote devices. It is an encrypted network protocol that allows users to safely access equipment via command line interface sessions. SSH uses TCP port 22, which is assigned to secure logins, file transfer and port forwarding.

SSH uses public-key cryptography to authenticate the remote device and encrypts all data between that device and the workstation, which makes it the best choice for public networks. Telnet, by contrast, transmits data in plain text and is therefore exposed to security threats; for this reason Telnet is recommended for private networks only, to keep the data uncompromised.

 

Verifying SSH Support on your Router

The first step involves examining whether your Cisco router’s IOS supports SSH or not. Most modern Cisco routers support SSH, so this shouldn’t be a problem.

Products with (K9) in the image name, e.g. c2900-universalk9-mz.SPA.154-3.M2.bin, support strong encryption with 3DES/AES, while (K8) IOS bundles only support weak encryption with the outdated DES.

To check, simply enter privilege mode and use the show ip ssh command:

R1# show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE

In the above output, the system shows SSH support, but it's currently disabled as no RSA key has been generated. It is also worth noting that a key of at least 768 bits must be generated to enable SSHv2.

 

Securing Access to the Router

It's always a good idea to first restrict access to the Cisco router before enabling SSH. This is very important, especially when the device has an interface facing public networks, e.g. the Internet or a public hotspot.

We first create user credentials on the device and then enable Authentication, Authorization & Accounting (AAA) services. Finally, ensure an enable secret password is set to protect access to privilege mode, along with the service password-encryption command to ensure all clear-text passwords in the configuration are encrypted:

Router(config)# username admin privilege 15 secret Firewall.cx
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# enable secret $FirewAll.cx!
Router(config)# service password-encryption

Next, it is highly recommended to restrict remote access via the SSH protocol only. This will ensure that insecure services such as Telnet cannot be used to access the router. Telnet sends all information unencrypted, including username/password, and is therefore considered a security risk.

We'll use the transport input ssh command under the VTY section to restrict remote access to SSH only. Note that we can also use access lists to restrict which hosts may open SSH connections to our router:

R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login authentication default
R1(config-line)# password $Cisco!

Note: the password command used under the line vty 0 4 section is completely optional and not used in our case, because the login authentication default command forces the router to use the AAA mechanism for all user authentication.

 

Generating Our Router’s RSA Key – Digital Certificate

Troubleshooting Windows Server 2012 R2 Crashes. Analysis of Dump Files & Options. Forcing System Server Crash (Physical/Virtual)

Posted in Windows 2012 Server


There are umpteen reasons why your Windows Server 2012 R2 may decide to present you with a Blue Screen of Death (BSOD), also known as the stop screen. As virtual machines become more prominent in enterprise environments, the same problems that plagued physical servers earlier are now increasingly being observed as crashes of virtual machines as well.

Microsoft designs and configures Windows systems to capture information about the state of the operating system if a total system failure occurs, as opposed to the failure of an individual application. You can view and analyze the captured information in the dump files, the settings of which you can configure using the System tool in the Control Panel. By default, the BSOD provides minimal information about the possible cause of the system crash, and this may suffice in most circumstances to help identify the cause of the crash.

However, some crashes may require a deeper level of information than what the stop screen provides – for example, when your server simply hangs and becomes unresponsive. In that case, you may still be able to see the desktop, but moving the mouse or pressing keys on the keyboard produces no response. To resolve the issue, you need a memory dump. This is basically a binary file that contains a portion of the server's memory just before it crashed. Windows Server 2012 R2 provides five options for configuring memory dumps.


 

Types of Memory Dump Files Possible

1. Automatic Memory Dump

The automatic memory dump is the default memory dump type that Windows Server 2012 R2 starts off with. It is really not a new memory dump type, but a kernel memory dump that allows the SMSS process to reduce the page file so that it is smaller than the amount of installed RAM. This system-managed page file therefore takes up less space on disk.

2. Complete Memory Dump

A complete memory dump is a record of the complete contents of the physical memory (RAM) in the computer at the time of the crash. Therefore, it needs a page file that is at least as large as the amount of RAM present plus 1MB. The complete memory dump will usually contain data from the processes that were running when the dump was collected. A subsequent crash will overwrite the previous contents of the dump.

3. Kernel Memory Dump

The kernel memory dump records only the read/write pages associated with the kernel-mode in physical memory at the time of crash. The non-paged memory saved in the kernel memory dump contains a list of running processes, state of the current thread and the list of loaded drivers. The amount of kernel-mode memory allocated by Windows and the drivers present on the system define the size of the kernel memory dump.

4. Small Memory Dump

A small memory dump or a MiniDump is a record of the stop code, parameters, list of loaded device drivers, information about the current process and thread, and includes the kernel stack for the thread that caused the crash.

5. No Memory Dump

Sometimes you may not want a memory dump when the server crashes.
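As an added example (not code from the original article), the following PowerShell script reports which of the five dump types above a Windows Server 2012 R2 host is configured for, where the dump is written, and whether the page file is large enough for that dump type. It assumes local administrator rights; the CrashControl registry values it reads are the documented Windows settings, and the "RAM + 1MB" requirement for a complete dump is the one stated above.

```powershell
# Added example: audit the crash-dump configuration of the local host.
# Assumes local administrator rights to read HKLM\...\CrashControl.
$crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values as Windows stores them (7 = Automatic, the 2012 R2 default).
$dumpTypes = @{
    0 = 'No memory dump'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (MiniDump)'
    7 = 'Automatic memory dump'
}

$mode = [int]$crash.CrashDumpEnabled
$name = if ($dumpTypes.ContainsKey($mode)) { $dumpTypes[$mode] } else { "Unknown ($mode)" }

# Physical RAM and the currently allocated page file(s), both in MB.
$ramMB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageMB = (Get-CimInstance Win32_PageFileUsage | Measure-Object AllocatedBaseSize -Sum).Sum
if (-not $pageMB) { $pageMB = 0 }

"Dump type    : $name"
"Dump file    : $($crash.DumpFile)"
"MiniDump dir : $($crash.MinidumpDir)"
"Overwrite    : $($crash.Overwrite)   AutoReboot: $($crash.AutoReboot)"
"Physical RAM : $ramMB MB   Page file(s): $pageMB MB"

# Sanity checks matching the dump types described in the article.
switch ($mode) {
    1 {
        # A complete dump needs a page file of at least RAM + 1MB.
        if ($pageMB -lt ($ramMB + 1)) {
            "WARNING: complete dump needs a page file of at least $($ramMB + 1) MB"
        }
    }
    0 { "WARNING: no dump will be written; a crash leaves nothing to analyse" }
    3 { "NOTE: a MiniDump holds only the stop code, loaded drivers and the crashing thread's kernel stack" }
}
```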

 

Configuring Dump File Settings

Installation and Configuration of Fine-Grained Password Policy for Windows Server 2012

Posted in Windows 2012 Server


Microsoft introduced Fine-Grained Password Policy for the first time in Windows Server 2008, and the policy has been part of every Windows Server since then. Fine-Grained Password Policy overcomes the limitation of having only one password policy for a single domain. A brief example: with the help of Fine-Grained Password Policies we can apply different password and account lockout policies to different users in a domain.
 
This article discusses the Fine-Grained Password Policy as applicable to Windows Server 2012, and the different ways of configuring this policy. Windows Server 2012 allows two methods of configuring the Fine-Grained Password Policy:

1. Using the Windows PowerShell

2. Using the Active Directory Administrative Center or ADAC

In earlier Windows Server editions, it was possible to configure Fine-Grained Password Policy only through the command line interface (CLI). However with Windows Server 2012 a graphical user interface has been added, allowing the configuration of the Fine-Grained Password Policy via the Active Directory Administrative Center. We will discuss both the methods.

Before you begin to implement the Fine-Grained Password Policy, you must make sure the domain functional level is Windows Server 2008 or higher. Refer to the relevant Windows 2012 articles on our website Firewall.cx.


Configuring Fine-Grained Password Policy using the Windows PowerShell

Use your administrative credentials to log in to your Windows Server 2012 domain controller. Invoke the PowerShell console by right-clicking on the third icon from the left in the taskbar on the Windows Server desktop and then clicking on Run as Administrator.

Figure 1. Executing Windows PowerShell as Administrator

 

Clicking on Yes to the UAC confirmation will open up an Administrator: Windows PowerShell console.

Within the PowerShell console, type the following command in order to begin the creation of a new fine grained password policy and press Enter:

C:\Windows\system32> New-ADFineGrainedPasswordPolicy

Figure 2. Creating a new Fine Grained Password Policy via PowerShell

 

Type a name for the new policy at the Name: prompt and press Enter. In our example, we named our policy FGPP:

Figure 3. Naming our Fine Grained Password Policy

 

Type a precedence index number at the Precedence: prompt and press Enter. Note that policies that have a lower precedence number have a higher priority over those with higher precedence numbers. We've set our new policy with a precedence of 15:

Figure 4. Setting the Precedence index number of our Fine Grained Password Policy

 

Now the policy is configured, but has all default values. If you need to add specific parameters to the policy, you can do so by typing the following at the Windows PowerShell command prompt and pressing Enter:

C:\Windows\system32> New-ADFineGrainedPasswordPolicy -Name FGPP -DisplayName FGPP -Precedence 15 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 20 -MinPasswordLength 10 -MinPasswordAge 3.00:30:00 -MaxPasswordAge 30.00:30:00 -LockoutThreshold 4 -LockoutObservationWindow 0.00:30:00 -LockoutDuration 0.00:45:00


In the above command, replace FGPP with the name of your password policy (in our example it is FGPP).

The parameters used above are mandatory and pretty much self-explanatory. Attributes for password settings include:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Passwords must meet complexity requirements
  • Store passwords using reversible encryption

Attributes involving account lockout settings include:

  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout after


To apply the policy to a user/group or users/groups, use the following command at the PowerShell command prompt:

C:\Windows\system32> Add-ADFineGrainedPasswordPolicySubject -Identity FGPP -Subjects "Chris_Partsenidis"

For confirming whether the policy has indeed been applied to the groups/users correctly, type the following command at the PowerShell command prompt and press Enter:
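The whole procedure above (prerequisite check, policy creation, assignment and verification) as one idempotent PowerShell script. This is an added example, not code from the original article; it assumes the ActiveDirectory module is available (domain controller or RSAT), reuses the article's policy name FGPP and its settings, and assumes Chris_Partsenidis is a user account rather than a group.

```powershell
# Added example: create, apply and verify a Fine-Grained Password Policy.
# Assumes the ActiveDirectory module and that $Subject is a user (not a group).
Import-Module ActiveDirectory

$PolicyName = 'FGPP'
$Subject    = 'Chris_Partsenidis'

# 1. Prerequisite: FGPP needs a Windows Server 2008 or higher domain functional level.
$domain = Get-ADDomain
if ($domain.DomainMode -match 'Windows200[03]') {
    throw "Domain functional level '$($domain.DomainMode)' is too low for Fine-Grained Password Policy."
}

# 2. Create the policy only if it does not already exist, using the article's settings.
$policy = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'"
if (-not $policy) {
    $settings = @{
        Name                        = $PolicyName
        DisplayName                 = $PolicyName
        Precedence                  = 15        # lower number = higher priority
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        PasswordHistoryCount        = 20
        MinPasswordLength           = 10
        MinPasswordAge              = [TimeSpan]'3.00:30:00'
        MaxPasswordAge              = [TimeSpan]'30.00:30:00'
        LockoutThreshold            = 4
        LockoutObservationWindow    = [TimeSpan]'0.00:30:00'
        LockoutDuration             = [TimeSpan]'0.00:45:00'
    }
    New-ADFineGrainedPasswordPolicy @settings
}

# 3. Apply the policy to the user (or group).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Subject

# 4. Verify: who the policy applies to, and which policy actually wins for the user.
#    If several policies apply to a user, the one with the lowest precedence number wins,
#    so the resultant policy reveals whether another policy is overriding this one.
$applied = Get-ADFineGrainedPasswordPolicy -Identity $PolicyName -Properties AppliesTo
"Policy '$PolicyName' (precedence $($applied.Precedence)) applies to:"
$applied.AppliesTo

$effective = Get-ADUserResultantPasswordPolicy -Identity $Subject
if (-not $effective) {
    "WARNING: no fine-grained policy applies to '$Subject'; the Default Domain Policy is in effect"
} elseif ($effective.Name -eq $PolicyName) {
    "OK: '$Subject' is governed by $PolicyName"
} else {
    "WARNING: '$Subject' is governed by '$($effective.Name)' (precedence $($effective.Precedence)), not $PolicyName"
}
```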
