Friday, August 31, 2012

What are Private VLANs (PVLANS)?

If you are working hard towards achieving Cisco CCNP Switch 642-813 certification exams, private VLANs does comes into picture. Yeah its part of CCNP Switch 642-813 curriculum.  Cisco basically designed Private VLANs (PVLANS) as part of layer 2 security, in normal condition in any given network the traffic is allowed to move unconditionally within a VLAN. What if you want to restrict the movement of traffic with in a VLAN?  Private VLAN (PVLANS) comes into picture.

Private VLAN (PVLANS) are really just sub-VLAN inside a VLAN, they basically allows you to split the VLAN domain into multiple isolated subdomains. When it comes to inter-VLAN routing we need a Layer 3 device to forward packets. The same analogy applies to Private VLAN (PVLANS). They need layer 3 devices such as Cisco Router or Cisco MultilayerSwitch.

To make things much simpler, consider a Network environment in which the service provider need to connects servers belonging to different customers to the Internet. These servers must all be able to reach their first-hop router, but for security reasons, servers belonging to one customer must not be able to communicate with servers belonging to another. An obvious design solution for these requirements is to place each customer’s servers in a separate VLAN, which also requires the assignment of a separate IP subnet per customer (even if they have only one server).

By creating separate VLANs not only wastes the VLAN IDs but also IP addresses as well. To overcome this Private VLAN (PVLANS) were introduced as a more elegant alternative, allowing multiple devices to reside in the same IP subnet, yet remain isolated from one another at layer two.

In upcoming post we see what terminologies are used in Private VLAN (PVANS) and how they are distinguished.

More Private VLANs Tips and Tutorials:

Wednesday, August 29, 2012

Cisco to Break the 1-Gigabit Barrier on Enterprise WiFi Networks

The networking giant will introduce a 1G-bit access point in 2013 to accommodate the need for faster wireless enterprise networks, but competitors are expected to be close behind.

Cisco Systems says it will be the first networking vendor to deliver 1-gigabit-per-second speeds on enterprise wireless networks when it introduces an 802.11ac-based access point next year, but a few other things have to also happen before that actually means something.

The 802.11ac WiFi standard, currently under development by the Institute of Electrical and Electronics Engineers (IEEE) standards body, would be the successor to the predominant 802.11n standard today. Cisco officials said 802.11ac is needed to handle the growing number of devices seeking wireless access to corporate networks as the smartphones and tablet computers people are bringing to work lack an Ethernet jack to plug into the wired network. 

They said Cisco will introduce an 802.11ac module in the first half of 2013 that can be plugged into an existing Cisco Aironet 3600 access point that runs on the 802.11n standard now, said Sujai Hajela, vice president and general manager of the wireless networking business unit at Cisco.

“It allows [customers] to upgrade and not have to go through the guesswork of, ‘Should we upgrade to 802.11n or go with 802.11ac?’ You can invest in 11n now and upgrade to 11ac with a new radio,” Hajela said, referring to the module. “It’s a way of future-proofing your network.”
Wired networks already operate at 1G-bps speeds and are quickly accelerating to 10G, 40G and even 100G speeds, but Hajela said Cisco would be the first to break the 1G-bps barrier on a wireless local area network (WLAN).

However, a few other things have to happen before end users can actually experience 1G-bps speeds on their wireless networks, said Mike Spanbauer, principal analyst at Current Analysis, a research firm.

First, the 1G-bps speeds Cisco is touting are dependent upon a number of variables, including radio frequency (RF) interference, the kind of antenna used, the strength of the endpoint radio and other factors. Second, 11ac-capable access points won’t mean much unless 11ac-enabled devices are there to connect to them. The smartphones, tablets and laptops currently shipping are still based on the 802.11n standard, although Spanbauer expects the endpoint devices will be on the market by the time the access points are.

And although Cisco may claim bragging rights as the first networking vendor to publicly declare a coming 1G-bps WLAN access point, Cisco’s competitors—particularly Aruba Networks and Hewlett-Packard—may not be far behind, he said. All three vendors were placed in the “Leaders” quadrant in a June Magic Quadrant report from research firm Gartner profiling the top vendors in both the wired and wireless networking equipment markets.

“I think that every one of those vendors is very aggressively working on 11ac themselves,” said Spanbauer.

“[HP] is working on our 802.11ac portfolio of access points,” said Kevin Secino, a marketing manager within HP Networking, but emphasized that “our business objective is to be standards-compliant.” Furthermore, he noted that the 802.11ac standard is still in development and may not be finalized until sometime in 2013 anyway.

HP’s experience in wireless access points dates back to its acquisition of a company called Colubris in 2008, whose technology went into HP’s ProCurve line of wireless devices. It entered into a joint venture with 3Com to sell a line of wireless devices called the H3C line, which was followed by HP’s acquisition of 3Com in 2010.

While noting that competitors are expected to introduce 1G-bps access points in competition with Cisco, Current Analysis’ Spanbauer lauded Cisco for enabling its existing Aeronet 3600 WLAN access point devices already shipping and installed to be easily upgraded to 802.11ac when the time comes.

“It’s important to know that your wireless LAN vendor is going to be supporting and moving forward with the next specification,” he said.

HP’s Secino, meanwhile, said the company “has been very good in ensuring that customers’ investments are protected.”
---Original News Reading from eWeek

More Cisco News:

Monday, August 20, 2012

How to Set Passwords on a Cisco Router?

Passwords are absolutely the best defense against would-be hackers. Leaving no passwords on a Cisco router can cause major problems. Keep in mind that using passwords is just the first line of defense, and you should have other security features on your network as well.

Cisco has some defense against would-be hackers built into its router Internetworking Operating System (IOS). For example, it is impossible to Telnet into a Cisco router unless an administrator configures the router with a Telnet password or uses the No Login command, which allows users to Telnet into a router with no password. Either way, something has to be configured for Telnet to work. Also, you cannot enter privileged mode (which is the IOS EXEC mode that allows you to view or change the configuration on a router) from Telnet unless an Enable password is set. These are very basic features of Cisco routers and allow only some security.

Here, I will focus on the five basic Cisco router passwords you can use to protect your network. However, first you must know the difference between user mode and privileged mode. Both of these modes are called EXEC mode, and a prompt is used to tell you which mode you are in.

User mode CLI
The user mode EXEC command-line interface (CLI) is sometimes referred to as “useless mode” because it doesn’t do a whole lot. User mode lets you view interface statistics and is typically used by junior administrators to gather facts for the senior staff. You don’t want highly paid people sitting around gathering basic network statistics when a junior administrator can be adequately trained to document this information. To get into user mode, you can connect in one of three ways:

  • Console: An RJ-45 connection on all Cisco routers allows full access to the router if no passwords are set.
  • Aux: An RJ-45 connection on most routers allows you to connect a modem to the port, dial in to the router, and make a console connection.
  • VTY: Virtual Teletype is used to allow a Telnet connection to the router, which will then work like a console port. You must have an active interface on the router for Telnet to connect to the router.

The most important thing to understand about the three connection modes is that they get you into user mode only. To view and change the configuration, you need to be in privileged mode.

Privileged mode CLI
The privileged EXEC mode allows full access to a Cisco router by default, and the configuration can be both viewed and changed in this EXEC mode. You can enter privileged mode by first entering user mode and then typing the command enable.

It is important to remember that to change the router configuration, you must be in privileged EXEC mode. The console, aux, and VTY ports are used to get into user mode only and have nothing to do with how the router is configured.

Here is an example of how to get into privileged mode on a Cisco router through the console port:
Line con 0 now ready, press return to continue

At this point, you press Enter. Next, you will see:
Enter password:

This prompt is asking for the console user-mode password. Then, you will see:

The prompt at user mode is the greater-than sign (>). When you are in privileged mode, the prompt changes to a pound sign (#).

Global configuration mode
Once you are in privileged mode, you enter global configuration mode to change the configuration. You make changes by typing the command configure terminal. However, I prefer to type the shortcut command config t. This allows you to change the running-config, a file that is in DRAM and is the configuration the router is using. You can save the running-config to what is called Non-Violate RAM (NVRAM). The file that is copied into NVRAM is called startup-config and is the configuration that is copied to RAM when the router is rebooted or powered up.

Once you type configure terminalfrom privileged mode, your prompt changes to the following:
Router#configure terminal

This prompt tells you that you are in global configuration mode. From here, you can make changes to the router that affect the router in whole, hence the name global configuration mode. For example, this is the location where you set the router passwords.

If you want to change the configuration of an interface, you would have to enter interface configuration mode from global configuration mode. Here is an example:
Router#configure terminal
Router(config)#interface fastethernet 0/0

Notice the prompt is Router(config-if)#, which tells you that you are in interface configuration mode. From here, you can enable or disable the interface, add IP and IPX addresses, and more.

The five passwords
Now that you understand the difference between user mode, privileged mode, and global and interface configuration modes, you can now set the passwords for each level.

Here are the five passwords you can set on a Cisco router:
  • Console
  • Aux
  • VTY
  • Enable password
  • Enable Secret

We will discuss each of these passwords and how to configure them in the following sections.
This is the basic connection into every router. To initially set up a router, you need to connect to the console port and at a minimum enable one interface and set the VTY password. After one interface is enabled and the VTY lines are configured, an administrator can then Telnet into the router and do the final configurations from that connection. However, the console port can be used to configure the complete configuration at any time. This makes it very important to protect the console port with a password.

To configure a console user-mode password, use the Line command from global configuration mode. There is only one console port on all routers, so the command is
line console 0

Here is an example:
Router#config t
Router(config)#line console 0

Notice the prompt changed to Router(config-line)#. This prompt tells you that you are configuring the console, aux, or VTY lines.

To finish configuring the console port, you can use two more commands:
  • Login:This tells the router to look under the console line configuration for the password. If you do not use this command, you will not be prompted for a password when you connect to the router’s console port.
  • Password: This sets the console user-mode password. It is case sensitive.

The complete command will look like this:
Router#config t
Router(config)#line console 0
Router(config-line)#password todd

On some routers, aux is called the auxiliary port, and on some it is called the aux port. To find the complete command-line name on your router, use a question mark with the Line command as shown:
Router(config)#line ?
< 0-4> First Line Number
aux           Auxiliary line
console       Primary terminal line
vty           Virtual terminal

At this point, you can choose the correct command you need. Here is an example of setting the aux port on a Cisco router to prompt for a user-mode password with a console cable connected (this port can be used with or without a modem):
Router#config t
Router(config)#line aux 0
Router(config-line)#password cisco

VTY (Telnet)
The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco router. As I mentioned earlier, the VTY lines must be configured for Telnet to be successful.

Here is an example of an administrator’s attempt to Telnet to a router that does not have the VTY lines configured:
Password not set, connection refused

This is the default on every Cisco router.

To configure the VTY lines, you must use the question mark with the command
line 0

to determine the number of lines available on your router. The number varies with the type of router and the IOS version. However, five is the most common number of lines.
Router#config t
Router(config)#line vty 0 ?
<0-4>  Last Line Number
Router(config)#line vty 0 4
Router(config-line)#password cisco

Notice that you choose all the lines available for the most efficient configuration. You can set each line individually, but because you cannot choose the line you enter the router with when you Telnet, this can cause problems.

You can tell the router to allow Telnet connections without a password by using the No Login command:
Router(config)#line vty 0 4
Router(config-line)#no login

Enable password
The Enable password is used to allow security on a Cisco router when an administrator is trying to go from user mode to privileged mode. The Enable password is an old, unencrypted password that will prompt for a password when used from privileged mode. You set the Enable password from global configuration EXEC mode and use the command
enable password password

Here is an example:
Router#config t
Router(config)#enable password lammle
Router#disable (the disable command takes you from privilege mode back to user mode)
Enter password:

Enable Secret
The Enable Secret password accomplishes the same thing as Enable. However, it is encrypted by default and supercedes Enable if it is set. In other words, if you set the Enable password and then set the Enable Secret password, the Enable password will never be used.

You set the Enable Secret password from global configuration mode by using the command:
enable secret password

Here’s an example:
Router#config t
Router(config)#enable secret san jose

Encrypting your passwords
The Line command passwords (console, aux, and VTY) are not encrypted by default and can be seen by going into privileged EXEC mode and typing the command
show running-config

This displays the complete configuration that the router is running, including all the passwords. Remember that the Enable Secret password is encrypted by default, but the other four are not. To encrypt your passwords, use the global configuration command
service password-encryption

Here is an example of how to perform manual password encryption (as well as an example of how to set all five passwords):
Router#config t
Router(config)#service password-encryption
Router(config)#enable password todd
Router(config)#line vty 0 4
Router(config-line)#password todd
Router(config-line)#line con 0
Router(config-line)#password cisco
Router(config-line)#line aux 0
Router(config-line)#password sanjose
Router(config)#no service password-encryption
Router(config)#enable secret lammle

All of the passwords can be the same except the Enable and the Enable Secret passwords. You should make them different for security reasons, however.

It is extremely important to set your passwords on every Cisco router your company has. If you are studying for your Cisco certification exams, be sure you understand the passwords and how to set them. Remember the difference between the Enable Secret and the Enable password and that the Enable Secret password supercedes the Enable password if it’s set.

The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
---Original tutorial from

More Related Cisco Router Password Setup

Friday, August 17, 2012

Best Cisco Press: CCNP TSHOOT 642-832 Official

Best Cisco Press Details are shared as follows: CCNP TSHOOT 642-832 Official

  • By Kevin Wallace.
  • Published by Cisco Press.
  • Series: Official Cert Guide.
  • Published: Feb 11, 2010
  • Copyright 2010
  • Dimensions: 7-3/8 X 9-1/8
  • Pages: 552
  • Edition: 1st
Product Description
Official Certification Guide
Kevin Wallace, CCIE No. 7945 
CCNP TSHOOT Exam Preparation

  • Master CCNP TSHOOT 642-832 exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with Exam Preparation Tasks
  • Practice with realistic exam questions on the CD-ROM

The official study guide helps you master all the topics on the CCNP TSHOOT exam, including
  • Common network maintenance tasks and tools
  • Troubleshooting models
  • Cisco IOS troubleshooting commands and features
  • Troubleshooting Cisco Catalyst Switches and STP
  • Troubleshooting BGP, OSPF, and EIGRP routing protocols
  • Route redistribution, security, and router performance troubleshooting
  • IP services and IP communications troubleshooting
  • IPv6 troubleshooting
  • Large enterprise network troubleshooting

CCNP TSHOOT 642-832 Official Certification Guide is a best-of-breed Cisco exam study guide that focuses specifically on the objectives for the CCNP TSHOOT exam. Senior instructor and best-selling author Kevin Wallace shares preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNP TSHOOT 642-832 Official Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks sections help drill you on key concepts you must know thoroughly.

The companion CD-ROM contains a powerful testing engine that enables you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete study plan for review.

Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

CCNP TSHOOT 642-832 Official Certification Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

Kevin Wallace, CCIE No. 7945, is a certified Cisco instructor who holds multiple Cisco certifications including CCSP, CCVP, CCNP, and CCDP, in addition to multiple security and voice specializations. With Cisco experience dating back to 1989 (beginning with a Cisco AGS+ running Cisco IOS 7.x), Kevin has been a network design specialist for the Walt Disney World Resort, a senior technical instructor for SkillSoft/Thomson NETg/KnowledgeNet, and a network manager for Eastern Kentucky University.

This volume is part of the Official Certification Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

Companion CD-ROM
The CD-ROM contains 100 practice questions for the exam developed by Cisco Press and delivered by the Boson Exam Environment (BEE).
Boson’s ExSim-Max premium practice exams available at

Category: Cisco Press—Cisco Certification
Covers: CCNP TSHOOT exam 642-832

More Customer Reviews from Amazon, you can see here

Monday, August 13, 2012

How to Configure EIGRP on Your Cisco Router?

Do you need to configure dynamic routing protocol for you network? EIGRP may be an excellent choice. It is a full-featured routing protocol that can grow as your network grows. Let's learn how to configure EIGRP in the Cisco IOS.

What do you need to know about EIGRP?
Before you configure EIGRP, there are some things you should know about it first. Here they are:
  • EIGRP is the Enhanced Interior Gateway Routing Protocol.
  • EIGRP is a Cisco proprietary routing protocol based on their original Interior Gateway Routing Protocol. EIGRP can only be used on networks where all routers are Cisco routers.
  • The administrative distance for EIGRP is 90 and 170 for internal and external EIGRP, respectively.

What features does EIGRP offer?
  • Automatic redistribution of routes between IGRP and EIGRP.
  • Ability to turn off and on EIGRP and IGRP on individual interfaces of the router.
  • Fast network convergence thanks to EIGRP's DUAL algorithm (convergence is when all routers know about all the networks that every other router is offering).
  • Incremental updates that save network bandwidth and speed convergence.
  • Reduced router CPU load, as compared to IGRP.
  • EIGRP uses neighbor discovery to find and keep track of neighboring routers. Neighbor discovery uses multicast IP and is not tied to whether or not the the IP network is properly configured.
  • EIGRP prevents routing loops on the network
  • Supports variable length subnet masks (VLSM)
  • Automatic Route Summarization

How do you configure EIGRP in the Cisco IOS?
To configure EIGRP in the Cisco IOS, just follow these steps:
  1. Set the bandwidth on your interfaces using the bandwidth command
Router (config-if)# bandwidth XX
(where XX signify the bandwidth of the WAN connection)
  1. Start the EIGRP routing process and specify your AS number
Router (config)# router eigrp AS
Where the "AS" in the above-mentioned command stands for Autonomous System number. This number should be the same on all routers.
  1. Once you are through this stage, next step is to instruct the router in order to advertise the networks that are directly linked to it. You can do it with the help of command
Router (config-router)# network X.X.X.X

Where X.X.X.X is the network id of a network that is linked directly to the router. You should enter this command for each network directly attached to the router. However, you can, in a single statement, enter the supernet of a group of subnets. When you do that, the router will automatically identify the subnets.

Optionally, you can configure the amount of WAN link bandwidth that an EIGRP router will use with this command:

Router(config-if)# ip bandwidth-percent eigrp XX

Once EIGRP is configured, you can check the status using the show ip route and show ip eigrp commands. Here are some examples:

Router# show ip route is subnetted, 1 subnets D [90/8199936] via, 1w1d, Serial0/0 is variably subnetted, 217 subnets, 4 masks D [90/6535936] via, 5w1d, Serial0/0

Notice the "D" on the left side of the output. All "D" routes are EIGRP routes.

There are a number of show ip eigrp xxxx commands. Here is an example of the "neighbors" version:

Router# show ip eigrp neighbors IP-EIGRP neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq Type (sec) (ms) Cnt Num 0 Se0/0 11 5w1d 20 282 0 887645 Router#

Tips: EIGRP is not too difficult to configure and it can handle even the largest networks.

More Cisco Router and Networking Tips:

Monday, August 6, 2012

Tutorial: Determine What Device is on What Port on a Cisco Switch

Your network grinds to a screeching halt. All the switch port lights are solid, and your only theory is that the network is under attack. What do you do?

Question: “I have 3 cisco switches, each 48 ports. How do u know, in which switch, in which port, my pc is connected. i just know my pc IP address. i can access my switch.”

The first step is to fire up your network protocol analyzer and capture data off of the core switch. From your protocol analyzer, you see that an IP address is flooding the network with unidentifiable traffic. From the packet, you get the MAC address. Now you need to find the location of the PC.

You know that the PC must be connected to any one of a few hundred Ethernet patch panel ports in the network room; those switch ports go to ports on the Ethernet switch. If you could tell which MAC address is on which switch port, you could identify the PC and either shut down the switch port or go to the office where the PC is and shut it down.

Here are various solutions that may help you determine which device is connected to which port on your Cisco switch.

An Appliance Solution
At Interop 2007, I spotted an interesting solution from port tracker. The U. K.-based company offers a dedicated appliance called port tracker that maps your network for you. This solution tries to solve three issues: (1) ports going unused (port tracker refers to this as port wastage); (2) reduce downtime and know “what is connected where”; (3) identify at-risk ports.

Software Applications
There are a vast number of software applications out there to help you in this situation. Here are a few that I think are worth checking out.
  • Northwest Performance Software’s Managed Switch Port Mapping Tool uses SNMP to communicate with switches and to find out what is attached where. It works with different brands of switches; it shows VLAN assignments; and it exports to a spreadsheet. The standalone price for the tool is $199, and there is 15-day free trial.
  • Manage Engine offers the Switch Port Mapper Tool, which handles multiple brands of switches and imports cable port mappings. See the Manage Engine site for detailed pricing information.
  • Netxar Technologies’ Switch Inspector maps switch ports. The cost is $99, and there is a 15-day trial download.
  • SolarWinds’ LANsurveyor automatically discovers and diagrams your network and what is connected where. It does more than the other packages, which is why it has a price tag of $1,995.
  • Solar Winds’ Switch port Mapper is similar to LAN surveyor, and it’s part of Solar Winds’ Engineer’s Toolset. The suite runs about $1,400, and the company offers a 30-day evaluation.
Note: My search didn’t turn up any free open-source products. If you know of any open source products that map switch ports, please post your recommendations in the article discussion.

The Cisco IOS CLI Command
The easiest way to see which Ethernet MAC address is on which port is to use the show mac-address-table command. Here is an example:
switch# show mac-address-table
           Mac Address Table

 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
    1    0007.e9e2.2d7d    DYNAMIC     Fa0/5
    1    0009.0f30.07e9    DYNAMIC     Fa0/48
    1    0009.5bbc.af04    DYNAMIC     Fa0/28
   1    00e0.bb2c.30d1    DYNAMIC     Gi0/1
    1    00e0.bb2c.3e5f    DYNAMIC     Gi0/1
 Total Mac Addresses for this criterion: 5             


(The MAC address table is truncated for brevity.)

With the command, you can figure out which MAC address is on which port. When you use the command, you have to go to each switch and run the command. If the network is down, you will have to go to the console of each switch. If you had one of the applications above, you should have been able to map out which MAC address (and even which PC name) is on every switch in the network.

If the scenario I describe at the beginning of the article does happen, you could reference your spreadsheet or printout of which device is connected where.

When your network is in crisis, it’s important to know which device is connected to which switch port without having to run to the network room, hook up a console cable, and/or trace cables from switches to wall ports. By having network analysis applications and switch port mapping tools available ahead of time, you may be able to resolve the problem on your network before it actually becomes a crisis.

More Cisco Switch and Cisco Network Info and Tips