+ Jorge Arredondo Dorantes IT Blog + How to Master Networking CCIE CCNP CCNA Juniper junOS


Jorge Arredondo Dorantes CCIE


Flushing your DNS cache on any operating system (any OS)

The following are specific instructions for clearing the DNS cache on computers and servers, for each OS:


Windows (Windows 8 and earlier)
  1. Click the Start Menu
  2. Go to All Programs
  3. Choose Accessories and right-click Command Prompt
  4. Choose Run as Administrator
 Execute: 
ipconfig /flushdns



Mac OS X 10.4 Tiger
  1. Click the Terminal icon in the Dock, or in Finder under Applications/Utilities/Terminal
 Execute:
lookupd -flushcache







Mac OS X 10.5 and 10.6
  1. Click the Terminal icon in the Dock, or in Finder under Applications/Utilities/Terminal
 Execute:
dscacheutil -flushcache



Mac OS X 10.7 and 10.8
  1. Click the Terminal icon in the Dock, or in Finder under Applications/Utilities/Terminal
 Execute:
sudo killall -HUP mDNSResponder



Mac OS X 10.9 and 10.10
  1. Click the Terminal icon in the Dock, or in Finder under Applications/Utilities/Terminal
 Execute:
dscacheutil -flushcache;sudo killall -HUP mDNSResponder



Ubuntu Linux
  1. Open a terminal window
  2. Run the following command in the command line and hit Enter
Execute:
sudo service network-manager restart



Linux (all other distributions)
  1. Open a terminal window (gnome-terminal, konsole, xterm, etc.)
 Execute:
sudo /etc/init.d/nscd restart

Block Facebook network segments - web content filtering at OSI layer 3

Hello networkers.
Are you interested in filtering the whole Facebook address space?
Do you want to re-route or block Facebook traffic at layer 3?

If you have some free time and are willing to do a little research, you will find that Facebook Inc. currently uses only three public ASes worldwide:

AS 32934
AS 54115
AS 63293

(I used this url to validate public AS list: 
http://bgp.potaroo.net/cidr/autnums.html )

Anyway, within these ASes they obviously announce a number of public network segments. I worked through them one by one to bring you the supernets covering ALL Facebook Inc. segments. Here we go:

31.13.64.0/18
31.13.24.0/21
45.64.40.0/22
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
103.4.96.0/22
129.134.0.0/16
157.240.0.0/16
173.252.64.0/18
179.60.192.0/22
185.60.216.0/22
204.15.20.0/22
199.201.64.0/22

Table updated Friday, May 26th, 2017.
If you find another supernet or segment I skipped, please add it in the comments below.
Also, if you have a more reliable public AS list, please share. Thank you.
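As an added example (my own code, not part of the original post), here is a small Python helper that loads the supernet table above, tells you which entry an address falls in, checks the table for overlapping entries before it goes onto a device, and renders it both as Cisco IOS extended-ACL deny lines (the "block" option) and as static routes to Null0 (the "re-route" option). The ACL number and the function names are my choices, not from the post; the prefixes are the post's.

```python
import ipaddress

# Supernet table from the post above (snapshot dated May 26th, 2017).
FACEBOOK_SUPERNETS = [
    "31.13.64.0/18", "31.13.24.0/21", "45.64.40.0/22", "66.220.144.0/20",
    "69.63.176.0/20", "69.171.224.0/19", "74.119.76.0/22", "103.4.96.0/22",
    "129.134.0.0/16", "157.240.0.0/16", "173.252.64.0/18", "179.60.192.0/22",
    "185.60.216.0/22", "204.15.20.0/22", "199.201.64.0/22",
]
NETWORKS = [ipaddress.ip_network(p) for p in FACEBOOK_SUPERNETS]


def find_supernet(ip):
    """Return the table entry (as a string) that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None


def redundant_entries():
    """Entries that are already covered by a larger entry in the table.

    Run this before pasting the table into a device: overlapping entries
    waste ACL/TCAM space and make the policy harder to audit.
    """
    return [str(a) for a in NETWORKS
            if any(b != a and b.supernet_of(a) for b in NETWORKS)]


def cisco_acl(acl_number=101):
    """Extended-ACL deny lines (wildcard masks) followed by a final permit."""
    lines = [f"access-list {acl_number} deny ip any "
             f"{net.network_address} {net.hostmask}" for net in NETWORKS]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def null_routes():
    """Static routes to Null0: the 're-route' option, where traffic to the
    ranges is discarded by the routing table instead of by an ACL."""
    return [f"ip route {net.network_address} {net.netmask} Null0"
            for net in NETWORKS]


if __name__ == "__main__":
    print(find_supernet("157.240.1.35"))          # 157.240.0.0/16
    print("overlapping entries:", redundant_entries())   # []
    print("\n".join(cisco_acl()))
    print("\n".join(null_routes()))
```

The ACL lines use wildcard masks (the inverse of the subnet mask), which is the usual mistake when a CIDR table is transcribed by hand; generating them avoids it. Keep in mind that the table is a point-in-time snapshot: an AS's announced prefixes change, so re-validate against the AS list before relying on it.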

Palo Alto Networks on-premises VPN to Microsoft Azure: issue solved

If you are trying to set up an on-premises VPN using a Palo Alto Networks firewall with a PAN-OS version prior to 7.1.4, you will experience connectivity issues to Azure route-based VPN gateways.
After working with Azure Support, I got this working configuration. This is your workaround if you have a version older than 7.1.4:

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting, was set at 0 which means disabled)
Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 28800 seconds
Gateway:
Passive Mode: Enabled
NAT Traversal: Disabled

If you have a newer version (7.1.4 or later), use:

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting, was set at 0 which means disabled)
Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 3600 seconds
Gateway:
Passive Mode: Disabled
NAT Traversal: Disabled


If you are still experiencing connectivity issues, open a support request from the Azure portal and they will help you.
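As an added illustration (my own code, not from the original post or from Palo Alto Networks), the following Python snippet encodes the two settings blocks above and reports where a candidate proposal deviates from the one your PAN-OS version needs. The dictionary layout, key names and helper names are my own; the values are the post's.

```python
# Reference settings from the post: one block for PAN-OS before 7.1.4
# (Azure workaround) and one for 7.1.4 and later. Only the phase 2
# lifetime and the gateway passive mode differ between them.
AZURE_PROFILES = {
    "pre-7.1.4": {
        "phase1": {"encryption": ["aes-256-cbc", "3des"],
                   "authentication": ["sha1", "sha256"],
                   "dh_group": "group2", "lifetime_seconds": 11000,
                   "ikev2_authentication_multiple": 3},
        "phase2": {"encryption": ["aes256-cbc"], "authentication": ["sha1"],
                   "dh_group": "no-pfs", "lifetime_seconds": 28800},
        "gateway": {"passive_mode": True, "nat_traversal": False},
    },
    "7.1.4+": {
        "phase1": {"encryption": ["aes-256-cbc", "3des"],
                   "authentication": ["sha1", "sha256"],
                   "dh_group": "group2", "lifetime_seconds": 11000,
                   "ikev2_authentication_multiple": 3},
        "phase2": {"encryption": ["aes256-cbc"], "authentication": ["sha1"],
                   "dh_group": "no-pfs", "lifetime_seconds": 3600},
        "gateway": {"passive_mode": False, "nat_traversal": False},
    },
}


def select_profile(panos_version):
    """Pick the reference block for a PAN-OS version string such as '7.1.10'.

    Compared as a tuple so that 7.1.10 sorts after 7.1.4 (a string compare
    would get that wrong); a hotfix suffix like '-h2' is ignored.
    """
    parts = tuple(int(p.split("-")[0]) for p in panos_version.split("."))
    key = "7.1.4+" if parts >= (7, 1, 4) else "pre-7.1.4"
    return AZURE_PROFILES[key]


def check_profile(candidate, panos_version):
    """Return a list of 'section.key: expected X, got Y' strings for every
    setting in which candidate differs from the reference for that version.
    An empty list means the candidate matches the post's settings."""
    reference = select_profile(panos_version)
    issues = []
    for section, settings in reference.items():
        for key, expected in settings.items():
            actual = candidate.get(section, {}).get(key)
            if isinstance(expected, list):
                # Algorithm lists are unordered sets of proposals
                same = actual is not None and sorted(actual) == sorted(expected)
            else:
                same = actual == expected
            if not same:
                issues.append(f"{section}.{key}: expected {expected!r}, got {actual!r}")
    return issues


if __name__ == "__main__":
    # Applying the pre-7.1.4 workaround on a 7.1.10 box shows the two deltas
    for line in check_profile(AZURE_PROFILES["pre-7.1.4"], "7.1.10"):
        print(line)
```

Running the older workaround against a 7.1.4+ reference reports exactly the two differences (phase 2 lifetime and passive mode), which is the check to do before opening a support request.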

What is Cisco SMARTnet Service?

This article will help clarify what is and isn't included in SMARTnet and the roles it can play in managing your network.

Cisco SMARTnet Service Overview

1. What is Cisco SMARTnet Service?

Cisco SMARTnet Service is an award-winning technical support service that can give your IT staff direct, anytime access to Cisco experts and online self-help resources required to resolve issues with most Cisco products. With SMARTnet Service, you can choose from a broad range of service delivery options for Cisco products.

2. What is included with Cisco SMARTnet Service?

Cisco SMARTnet Service provides the following device-level support:
  •  Direct access 24 hours a day, 365 days a year to specialized experts in the Cisco Technical Assistance Center (TAC).
  • Extensive self-help support through Cisco’s online knowledge base, communities, resources, and tools.
  • Smart, proactive diagnostics and immediate alerts on select devices enabled with Cisco Smart Call Home feature.
  • Operating system (OS) software updates, including both minor and major releases within your licensed feature set.
  • Advance hardware replacement options, including 2-hour, 4-hour, and next-business-day (NBD) replacement, as well as return for repair (RFR).
  • Optional onsite service that provides a field engineer who can install replacement parts at your location.

3. Why should you purchase Cisco SMARTnet Service?

By covering networking devices with a Cisco SMARTnet contract, you can:
  • Improve network availability, reliability, stability, and security with direct access to networking engineers at Cisco
  • Reduce the cost of network ownership by using Cisco expertise, knowledge, and availability
  • Increase ROI by up to 192 percent having access to Cisco operating system software enhancements
  • Expedite time to repair with the right parts at the right time to resolve issues quickly
  • Better manage scarce internal expert resources at all locations when utilizing the proactive diagnostics and real-time alerts available with Smart Call Home, on select devices
  • Empower your IT staff and improve productivity and revenue per employee with access to tools and technical support documentation that can increase self-sufficiency and technical knowledge

4. Is Cisco SMARTnet Service only limited to break/fix insurance?

No. The Cisco SMARTnet Service offers you help handling complex network operation and management issues such as:
  • Advanced software configuration
  • Interoperability and upgrade questions
  • Hardware and software information

5. Is support for Cisco application software products, such as security, IP telephony, and network management, included in the Cisco SMARTnet Service?

No, application support is not covered in SMARTnet. Cisco does offer software application support services separately that provide support for Cisco application software products such as security, IP telephony, and network management. There are currently four support offers available:
  • Cisco Software Application Support Service (SAS)— includes maintenance and minor releases
  • Cisco Software Application Support Service with Upgrades (SASU)—includes all components of SAS plus upgrades
  • Cisco UC Essential Operate Service (ESW)—includes maintenance and minor releases
  • Cisco UC Software Subscription Service

6. What is included in a Cisco warranty?

 Warranties provide short-term limited liability for Cisco to repair and/or replace defects in Cisco products. They are limited in both the duration and the support they offer, and most warranties do not include Cisco TAC support, software updates, or any of the additional benefits obtained under a support service contract. It is the responsibility of Cisco to repair and/or replace the Cisco product within the time frame specified in the warranty card that accompanied the originally purchased Cisco product. Elements covered under a typical Cisco warranty are:
  •  Hardware: This guarantees that the piece of hardware will be free of defects in material and workmanship under normal use, or it will be replaced by Cisco in the designated time period.
  • Software: This guarantees that the physical media are free from defects or they will be replaced by Cisco. The warranty is explicitly “as is,” and no new releases are included.

7. If a product is already covered under the standard Cisco warranty, why should I buy Cisco SMARTnet Service during the warranty duration?

 The Cisco SMARTnet Service provides more robust levels of support than are available under a Cisco warranty. For most products, Cisco warranties are limited in duration (detailed specifically by product type) compared to Cisco SMARTnet Service. Features available under a Cisco SMARTnet Service contract that are not covered under a warranty are:
  •  Rapid replacement of hardware in NBD, 4-hour, or 2-hour dispatch options (restrictions apply; see Cisco SMARTnet data sheet for additional information, as well as Return for Repair on select video products)
  • Continuous technical support through the Cisco TAC
  • Latest OS updates, including both minor and major releases within the licensed feature set
  • Registered access to online self-help resources and tools
  • Proactive troubleshooting and alerts for Call Home - capable devices

8. What is Cisco Smart Call Home?

Cisco Smart Call Home, a secure, smart service capability of Cisco SMARTnet Service, provides proactive, detailed diagnostics and real-time alerts on many products to help you identify and resolve issues quickly, conserving valuable staff time and improving network availability. With automated network device monitoring, Smart Call Home dynamically and securely gathers device information, sending an alert when a problem is detected. Using Cisco intellectual capital, Smart Call Home can enable early diagnosis and remediation of device-related issues through proactive, rules-based problem resolution. As a result, customers can dramatically streamline their device maintenance, accelerate problem resolution, and reduce their network operating expense. Call home-enabled devices can continuously monitor their own health and automatically notify you of potential issues using secure transmissions. If a serious problem arises, Smart Call Home automatically detects it and can generate a Cisco Technical Assistance Center (TAC) service request to remediate the issue. Smart Call Home also provides you with access to a Smart Call Home web portal that contains personalized Call Home messages, recommendations, and more for all your Call Home devices.

9. What additional features are available under the Cisco SMARTnet ONSITE option?

Cisco SMARTnet onsite includes the same capabilities as Cisco SMARTnet, with the addition of an onsite technician for parts replacement and installation. It is available with all SMARTnet advance hardware replacement service levels.
SMARTnet Onsite Hardware Replacement Service Levels
 SMARTnet Description and Service Level SKU Decoder

10. How do I buy SMARTnet?

Most SMARTnet is sold on an annual basis. Three-year agreements carry bigger discounts than single-year ones. The next time you send an RFQ, request a 3-year SMARTnet quote with an option to lease for 36 months with annual payments. The discounts should offset the cost of any interest. More information on how to accomplish this can be found here.
If you're still with me, thank you. I hope this was interesting. I personally found the SMARTnet Description and Service Level SKU Decoder extremely helpful when reading SMARTnet quotes.
Please note that, due to its complexity, some of this content has been consolidated from multiple Cisco articles, which I will list below.

How do prefix-lists work? What is a prefix-list? All you need to know about prefix-lists, with examples

The truth about prefix-lists.
How do they work? What is a prefix-list? Prefix-list examples.

Hey guys, remember that prefix-lists are used to match on prefix and prefix-length pairs. The normal prefix-list syntax is as follows:
ip prefix-list LIST permit w.x.y.z/len
where w.x.y.z is your exact prefix
and len is your exact prefix-length.
“ip prefix-list LIST permit 1.2.3.0/24” would be an exact match for the prefix 1.2.3.0
with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match
1.2.3.4/32, nor anything in between.

When you add the keywords “GE” and “LE” to the prefix-list, the “len” value changes its
meaning. When using GE and LE, the len value specifies how many bits of the prefix you
are checking, starting with the most significant bit.

ip prefix-list LIST permit 1.2.3.0/24 le 32
This means:
Check the first 24 bits of the prefix 1.2.3.0
The subnet mask must be less than or equal to 32
This equates to the access-list syntax:
access-list 1 permit 1.2.3.0 0.0.0.255

ip prefix-list LIST permit 0.0.0.0/0 le 32
This means:
Check the first 0 bits of the prefix 0.0.0.0
The subnet mask must be less than or equal to 32
This equates to anything

ip prefix-list LIST permit 0.0.0.0/0
This means:
The exact prefix 0.0.0.0, with the exact prefix-length 0.
This is matching a default route.

ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29
This means:
Check the first 8 bits of the prefix 10.0.0.0
The subnet mask must be greater than or equal to 21, and less than or
equal to 29.

When using the GE and LE values, you must satisfy the condition:
Len < GE <= LE

Therefore “ip prefix-list LIST permit 1.2.3.0/24 ge 8” is not a valid list.

Prefix lists work by letting you specify either a network and mask, or a
network and a range of masks. Specifying a network and mask is fairly
simple:
ip prefix-list mylist seq 10 permit 172.16.25.0/24
This will allow (match) the exact network 172.16.25.0/24 to pass the list.
However prefix lists can also specify a network with a range of masks. For
example:
ip prefix-list mylist seq 10 permit 172.16.0.0/16 ge 24 le 26
This will take the entire class B network 172.16.0.0 (172.16.0.0/16) and
pass only subnets with a /24, /25 or /26 mask (ge 24 le 26). So the exact
network 172.16.0.0/16 would actually fail the list because it does not have
a mask of /24, /25 or /26.
By default if you only specify "ge" then any subnet with a mask greater than
or equal to the ge value will pass. That is, ge all the way up to /32. For
example:
ip prefix-list mylist seq 10 permit 10.10.10.0/24 ge 28
This list specifies any subnet within the 10.10.10.0/24 range that has a
mask of /28 or greater (255.255.255.240 to 255.255.255.255). Again, the
exact subnet 10.10.10.0/24 would fail because it does not have a mask of /28
or greater.
By default if you only specify "le" then any subnet with a mask less than or
equal to the le value but greater than or equal to the mask specified will
pass. That is, le all the way down to the mask listed. For example:
ip prefix-list mylist seq 10 permit 10.64.0.0/16 le 23
This list specifies any subnet within the 10.64.0.0/16 range that has a
mask between /16 and /23, inclusive (255.255.0.0 to 255.255.254.0). In this
case the exact subnet 10.64.0.0/16 would pass because it has a mask in the
range /16 to /23.
The prefix-list equivalent of an access-list "permit any any" is:
ip prefix-list mylist seq 200 permit 0.0.0.0/0 le 32
I recommend getting quite familiar with them because they are very powerful
and actually not too bad to use once you get used to them!
Hope this helps
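To make the ge/le semantics concrete, here is an added Python model of prefix-list matching (my own code, not from the post and not Cisco's implementation). An entry keeps the first len bits of its prefix plus a mask range, rejects entries that violate len < ge <= le <= 32, and a list is evaluated top-down by sequence number with an implicit deny at the end, exactly as the examples above describe. The class and function names are mine.

```python
import ipaddress


class PrefixListEntry:
    """One 'ip prefix-list NAME seq N permit|deny w.x.y.z/len [ge G] [le L]'."""

    def __init__(self, prefix, ge=None, le=None, action="permit"):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.action = action
        ln = self.net.prefixlen
        # IOS rejects an entry unless len < ge <= le <= 32
        if ge is not None and ge <= ln:
            raise ValueError(f"{prefix} ge {ge}: ge must be greater than len")
        if le is not None and (le <= ln or le > 32 or (ge is not None and ge > le)):
            raise ValueError(f"{prefix} ge {ge} le {le}: need len < ge <= le <= 32")
        if ge is None and le is None:
            self.lo = self.hi = ln                   # exact prefix-length match
        else:
            self.lo = ge if ge is not None else ln   # 'le' alone: from len up to le
            self.hi = le if le is not None else 32   # 'ge' alone: from ge up to /32

    def matches(self, prefix):
        cand = ipaddress.ip_network(prefix, strict=False)
        # 1) the candidate's mask length must fall inside [lo, hi]
        if not self.lo <= cand.prefixlen <= self.hi:
            return False
        # 2) only the first len bits are compared: cand must sit inside self.net
        return self.net.supernet_of(cand)


class PrefixList:
    """Entries are evaluated in sequence order; first match wins, implicit deny."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, seq, prefix, ge=None, le=None, action="permit"):
        self.entries.append((seq, PrefixListEntry(prefix, ge, le, action)))
        self.entries.sort(key=lambda item: item[0])

    def evaluate(self, prefix):
        for _, entry in self.entries:
            if entry.matches(prefix):
                return entry.action
        return "deny"


if __name__ == "__main__":
    # The post's examples, reproduced as checks
    exact = PrefixListEntry("1.2.3.0/24")
    print(exact.matches("1.2.3.0/24"), exact.matches("1.2.3.4/32"))      # True False
    ranged = PrefixListEntry("172.16.0.0/16", ge=24, le=26)
    print(ranged.matches("172.16.25.0/24"), ranged.matches("172.16.0.0/16"))  # True False
    ge_only = PrefixListEntry("10.10.10.0/24", ge=28)
    print(ge_only.matches("10.10.10.1/32"), ge_only.matches("10.10.10.0/24"))  # True False
    le_only = PrefixListEntry("10.64.0.0/16", le=23)
    print(le_only.matches("10.64.0.0/16"), le_only.matches("10.64.2.0/24"))    # True False
    try:
        PrefixListEntry("1.2.3.0/24", ge=8)
    except ValueError as err:
        print("rejected:", err)
```

The two-step check in matches() is the whole point of the post: the mask range is tested first, and only then are the first len bits compared, which is why the exact supernet fails a list written with ge/le that starts above its own length.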

8.8.8.8 for IPv6? Public DNS equivalent

  •     For IPv4: 8.8.8.8 and/or 8.8.4.4.
  •     For IPv6: 2001:4860:4860::8888 and/or 2001:4860:4860::8844
