• Best VPN Service for 2017

    Top VPNs that Unlock Netflix, provide Secure Torrenting, Strong Encryption, Fast Downloads, DNS Leak Protection, Identity Protection and have Cheap VPN prices.

    read more

    Hyper-V Concepts

    It's time to get familiar with Hyper-V Virtualization, virtual servers, virtual switches, virtual CPUs, virtual deployment infrastructure (VDI) and more.
    Read more

Hot Downloads

Palo Alto Firewall Configuration Options. Tap Mode, Virtual Wire, Layer 2 & Layer 3 Deployment modes

Posted in Palo Alto Firewalls

Palo Alto Firewall Configuration Options. Tap Mode, Virtual Wire, Layer 2 & Layer 3 Deployment modes - 4.4 out of 5 based on 7 votes

Our previous article explained how Palo Alto Firewalls make use of Security Zones to process and enforce security policies. This article will explain the different configuration options for physical Ethernet and logical interfaces available on the Palo Alto Firewall.

It’s easy to mix and match the interface types and deployment options in real world deployments and this seems to be the strongest selling point of Palo Alto Networks Next-Generation Firewalls. Network segmentation becomes easier due to the flexibility offered by a single pair of Palo Alto appliances.

Below is a list of the configuration options available for Ethernet (physical) interfaces:

  • Tap Mode
  • Virtual Wire
  • Layer 2
  • Layer 3
  • Aggregate Interfaces
  • HA

Following are the Logical interface options available:

  • VLAN
  • Loopback
  • Tunnel
  • Decrypt Mirror

The various interface types offered by Palo Alto Networks Next-Generation Firewalls provide flexible deployment options.

Tap Mode Deployment Option

TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN feature (also known as mirroring).

A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches where the destination SPAN port is the switch port to which our Palo Alto Firewall connects, as shown in the diagram below:

 Palo Alto Next Generation Firewall deployed in TAP mode

Figure 1. Palo Alto Next Generation Firewall deployed in TAP mode

The advantage of this deployment model is that it allows organizations to closely monitor traffic to their servers or network without requiring any changes to the network infrastructure.

During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN Destination ports are configured while also enabling Tap mode at the Firewall.

The VIRL Book – A Guide to Cisco’s Virtual Internet Routing Lab (Cisco Lab)

Posted in Cisco Technologies

The VIRL Book – A Guide to Cisco’s Virtual Internet Routing Lab (Cisco Lab) - 4.8 out of 5 based on 5 votes

cisco-virl-book-guide-to-cisco-virtual-internet-routing-lab-1Cisco’s Virtual Internet Routing Lab (VIRL) is a network simulation tool developed by Cisco that allows engineers, certification candidates and network architects to create their own Cisco Lab using the latest Cisco IOS devices such as Routers, Catalyst or Nexus switches, ASA Firewall appliances and more.

Read Jack Wang's Introduction to Cisco VIRL article to find out more information about the product

Being a fairly new but extremely promising product it’s quickly becoming the standard tool for Cisco Lab simulations. Managing and operating Cisco VIRL might have its challenges, especially for those new to the virtualization world, but one of the biggest problems has been the lack of dedicated online resources for VIRL management leaving a lot of unanswered questions on how to use VIRL for different types of simulations, how to build topologies, how to fine tune them etc.

The recent publication of “The VIRL Book’ by Jack Wang has changed the game for VIRL users. Tasks outlined above plus a lot more are now becoming easier to handle, helping users manage their VIRL server in an effective and easy to understand way.

The introduction to VIRL has been well crafted by Jack as he addressed each and every aspect of VIRL, why one should opt for VIRL, what VIRL can offer and how it different from other simulation tools.

This unique title addresses all possible aspects of VIRL and has been written to satisfy even the most demanding users seeking to create complex network simulations. Key topics covered include:

  • Planning the VIRL Installation
  • Installing VIRL
  • Creating your first simulation
  • Basic operation & best practices,
  • Understanding the anatomy of VIRL
  • External Connectivity to the world
  • Advanced features
  • Use VIRL for certifications
  • Running 3rd party virtual machines
  • Sample Network Topologies

Introduction to Cisco VIRL – Virtual Internet Routing Lab & Other Simulation Tools

Posted in Cisco Services & Technologies

Introduction to Cisco VIRL – Virtual Internet Routing Lab & Other Simulation Tools - 5.0 out of 5 based on 3 votes

Cisco VIRL – Virtual Internet Routing LabOne of the most difficult things for people who are starting out in a networking career is getting their hands on the equipment. Whether you are studying for Cisco certification or just wanting to test certain network behaviors in a lab, no one would argue that practicing is the best way to learn.

I have seen people spend hundreds or thousands of dollars (myself included) buying used networking equipment in order to build a home Cisco lab to gain practical experiences and study for certification exams. Until a few years ago it was the only option available, or you had to rent lab hours through one of the training companies.

Other Simulation Tools

GNS3 is a well-known free network simulation platform that has been around for many years. Cisco IOS on UNIX (IOU) is another option for running Cisco routers in a virtual environment. It is a fully working version of IOS that runs as a user mode UNIX (Solaris) process. IOU was built as a native Solaris image and runs just like any other program. One key advantage that Cisco IOU has is that it does not require nearly as much resources as GNS3 and VIRL would require. However, the legality of the source of Cisco images for GNS3 is questionable.

Cisco VIRL Network Topology

Figure 1. Cisco VIRL Network Topology

If you are not an authorized Cisco employee or trusted partner, usage of Cisco IOU is potentially a legal gray area. Because of lack of publicity and availability to average certification students and network engineers, online resources are limited and setting up a network takes much more effort. Also, due to missing features and delays in supporting the recent Cisco image releases, Cisco is not recommending them to engineers and students.

Read our review on "The VIRL Book" – A Guide to Cisco’s Virtual Internet Routing Lab (Cisco Lab)

Here Comes Cisco VIRL

Cisco Virtual Internet Routing Lab (VIRL) is a software tool Cisco developed to build and run network simulations without the need for physical hardware.

Cisco Nexus 7000 Series Module Shutdown and Removal Procedure

Posted in Cisco Switches - Catalyst Switch Configuration

Cisco Nexus 7000 Series Module Shutdown and Removal Procedure - 5.0 out of 5 based on 5 votes

cisco-nexus-7000-module-shutdown-replacement-removal-1aThis article explains the procedure that should be followed to correctly shutdown/powerdown a Cisco Nexus 7000 series module and remove it from the chassis. We also include important tips that will help ensure you avoid common problems and mistakes during the removal procedure.

The Nexus 7010 is one of the larger data center switches in the Nexus portfolio found in most enterprise-class data centers. Even though the Nexus 7000 series switches have been in the market since 2008 there are still a lot of data centers powering their core infrastructure using the well-known Cisco Catalyst series.

The Nexus 7000 series switches are designed for continuous operation, which means all parts are hot-swappable thereby eliminating downtime for upgrades or parts replacement.

The process covered in this installation guide can be used with all Nexus 7000 series modules including:

  • 48-port 10/100/1000 Ethernet module (N7K-M148GT-11)
  • 48-port 10/100/1000 Ethernet module with XL option (N7K-M148GT-11L)
  • 48-port 1-Gigabit Ethernet I/O module (N7K-M148GS-11)
  • 48-port 1-Gigabit Ethernet I/O module with XL option (N7K-M148GS-11L)
  • 48-port 1-/10-Gigabit Ethernet I/O modules with XL (N7K-F248XP-25 and N7K-F248XP-25E)
  • 32-port 10-Gigabit Ethernet I/O module (N7K-M132XP-12)
  • 32-port 10-Gigabit Ethernet I/O module with XL option (N7K-M132XP-12L)
  • 32-port 1- and 10-Gigabit Ethernet I/O module (N7K-F132XP-15)
  • 8-port 10-Gigabit Ethernet I/O module with XL option (N7K-M108X2-12L)

Step 1. Nexus 7000 Module Shutdown - Poweroff

The Nexus 7000 series modules are hot swappable and support automatic shutdown when ejected, however, it is always advisable to poweroff the module before removing it. If the module is to be removed or swapped with a different module type it is advisable to also ensure all configuration associated with the old module’s ports is cleared and ports are shutdown before the module is removed.

Locate the slot number of the module to be uninstalled and remove all attached cables. It is very important no cables are attached to the module and there is enough space on both sides of the module. In our example we’ll be removing the module located in slot No.9:

Click on the images to enlarge

cisco-nexus-7000-module-shutdown-replacement-removal-1Figure 1. Nexus 7010 with module No.9 to be removed.

Issuing the show module 9 command will reveal the module’s model, status, capabilities, serial number and diagnostic status:

FCX_NEXUS_7010# show module 9
Mod Ports Module-Type                         Model             Status
--- ----- ----------------------------------- ------------------ ----------
9   48     10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L     ok
Mod Sw             Hw
--- -------------- ------
9   6.0(2)         1.0    
Mod MAC-Address(es)                         Serial-Num
--- -------------------------------------- ----------
9   e8-b7-48-d4-75-00 to e8-b7-48-d4-75-34 JAF1327BFHA
Mod Online Diag Status
--- ------------------
9   Pass
 
Chassis Ejector Support: Enabled
Ejector Status:
Top ejector CLOSE, Bottom ejector CLOSE, Module HW does support ejector based shutdown.

The output of the show module is also reflected on the module’s status LED. A green Status LED, as shown in the photo on the left, tells us that the module is currently online (powered on) and operating.

The orange interface LEDs confirm that the interfaces are in a shutdown state.

The specific card we are about to remove is a 48-port 10/100/1000 Ethernet card (N7K-M148GT-11L):

Nexus 7000 Module Status and Interface LEDsFigure 2. Nexus 7000 Module Status and Interface LEDs

Now proceed to power off the module using the poweroff module 9 command:

Palo Alto Firewalls Security Zones – Tap Zone, Virtual Wire, Layer 2 and Layer 3 Zones

Posted in Palo Alto Firewalls

Palo Alto Firewalls Security Zones – Tap Zone, Virtual Wire, Layer 2 and Layer 3 Zones - 4.3 out of 5 based on 6 votes

Palo Alto Networks Next-Generation Firewalls rely on the concept of security zones in order to apply security policies. This means that access lists (firewall rules) are applied to zones and not interfaces – this is similar to Cisco’s Zone-Based Firewall supported by IOS routers.

Palo Alto Networks Next-Generation Firewalls zones have no dependency on their physical location and they may reside in any location within the enterprise network. This is also illustrated in the network security diagram below:

Palo Alto Firewall Security Zones can contain networks in different locations Figure 1. Palo Alto Firewall Security Zones can contain networks in different locations

The above topology illustrated shows VLANs 10, 11 ,12 and 2 managed by a Cisco Catalyst 4507R+E Switch and are all part of OSPF Area 0 and visible as routes in the Palo Alto Firewall. A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2).

When aggregation interface ae1.2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone, all networks learnt by the OSPF routing protocol on interface ae1.2 will be part of the DMZ Security Zone.

Creating a Security Zone involves tasks such as naming the zone, assigning the interfaces to the new zone created and more. Palo Alto Networks Next-Generation Firewalls won’t process traffic from any interface unless they are part of a Security Zone.

The diagram below depicts the order in which packets are processed by the Palo Alto Firewall:

Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall Figure 2. Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall

It is without doubt Zone based firewalls provide greater flexibility in security design and are also considered easier to administer and maintain especially in large scale network deployments.

Palo Alto Networks Next-Generation Firewalls have four main types of Zones namely as shown in the screenshot below:

  • Tap Zone. Used in conjunction with SPAN/RSPAN to monitor traffic.
  • Virtual Wire. Also known as Transparent Firewall.
  • Layer 2. Used when switching between two or more networks.
  • Layer 3. Used when routing between two or more networks. Interfaces must be assigned an IP address.

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup