Jorge Arredondo Dorantes IT Blog: How to Master Networking (CCIE, CCNP, CCNA, Juniper JunOS)


Jorge Arredondo Dorantes CCIE


Palo Alto Networks on-premises VPN to Microsoft Azure: issue solved

If you are setting up an on-premises VPN with a Palo Alto Networks firewall running a PAN-OS version prior to 7.1.4, you will run into connectivity issues with Azure route-based VPN gateways.
After working with Azure Support, I arrived at this working configuration. Use it as your workaround if you are on a version older than 7.1.4:

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting; it was 0, which means disabled)
Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 28800 seconds
Gateway:
Passive Mode: Enabled
NAT Traversal: Disabled

If you have a newer version (7.1.4 or later), use:

Phase 1:
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
DH Group: group2
Lifetime: 11000 seconds
IKEv2 Authentication Multiple: 3 (new setting; it was 0, which means disabled)
Phase 2:
Encryption: aes256-cbc
Authentication: sha1
DH Group: no-pfs
Lifetime: 3600 seconds
Gateway:
Passive Mode: Disabled
NAT Traversal: Disabled


If you are still experiencing connectivity issues, open a support request from the Azure portal and they will help you.

What is Cisco SMARTnet Service?

This article will help clarify what is and isn't included in SMARTnet and the roles it can play in managing your network.

Cisco SMARTnet Service Overview

1. What is Cisco SMARTnet Service?

Cisco SMARTnet Service is an award-winning technical support service that can give your IT staff direct, anytime access to Cisco experts and online self-help resources required to resolve issues with most Cisco products. With SMARTnet Service, you can choose from a broad range of service delivery options for Cisco products.

2. What is included with Cisco SMARTnet Service?

Cisco SMARTnet Service provides the following device-level support:
  • Direct access 24 hours a day, 365 days a year to specialized experts in the Cisco Technical Assistance Center (TAC).
  • Extensive self-help support through Cisco’s online knowledge base, communities, resources, and tools.
  • Smart, proactive diagnostics and immediate alerts on select devices enabled with Cisco Smart Call Home feature.
  • Operating system (OS) software updates, including both minor and major releases within your licensed feature set.
  • Advance hardware replacement options, including 2-hour, 4-hour, and next-business-day (NBD) replacement, as well as return for repair (RFR).
  • Optional onsite service that provides a field engineer who can install replacement parts at your location.

3. Why should you purchase Cisco SMARTnet Service?

By covering networking devices with a Cisco SMARTnet contract, you can:
  • Improve network availability, reliability, stability, and security with direct access to networking engineers at Cisco
  • Reduce the cost of network ownership by using Cisco expertise, knowledge, and availability
  • Increase ROI by up to 192 percent by having access to Cisco operating system software enhancements
  • Expedite time to repair with the right parts at the right time to resolve issues quickly
  • Better manage scarce internal expert resources at all locations when utilizing the proactive diagnostics and real-time alerts available with Smart Call Home, on select devices
  • Empower your IT staff and improve productivity and revenue per employee with access to tools and technical support documentation that can increase self-sufficiency and technical knowledge

4. Is Cisco SMARTnet Service only limited to break/fix insurance?

No. The Cisco SMARTnet Service offers you help handling complex network operation and management issues such as:
  • Advanced software configuration
  • Interoperability and upgrade questions
  • Hardware and software information

5. Is support for Cisco application software products, such as security, IP telephony, and network management, included in the Cisco SMARTnet Service?

No, application support is not covered in SMARTnet. Cisco does offer software application support services separately that provide support for Cisco application software products such as security, IP telephony, and network management. There are currently four support offers available:
  • Cisco Software Application Support Service (SAS): includes maintenance and minor releases
  • Cisco Software Application Support Service with Upgrades (SASU): includes all components of SAS plus upgrades
  • Cisco UC Essential Operate Service (ESW): includes maintenance and minor releases
  • Cisco UC Software Subscription Service

6. What is included in a Cisco warranty?

Warranties provide short-term limited liability for Cisco to repair and/or replace defects in Cisco products. They are limited in both the duration and the support they offer, and most warranties do not include Cisco TAC support, software updates, or any of the additional benefits obtained under a support service contract. It is the responsibility of Cisco to repair and/or replace the Cisco product within the time frame specified in the warranty card that accompanied the originally purchased Cisco product. Elements covered under a typical Cisco warranty are:
  • Hardware: This guarantees that the piece of hardware will be free of defects in material and workmanship under normal use, or it will be replaced by Cisco in the designated time period.
  • Software: This guarantees that the physical media are free from defects or they will be replaced by Cisco. The warranty is explicitly "as is," and no new releases are included.

7. If a product is already covered under the standard Cisco warranty, why should I buy Cisco SMARTnet Service during the warranty duration?

The Cisco SMARTnet Service provides more robust levels of support than are available under a Cisco warranty. For most products, Cisco warranties are limited in duration (detailed specifically by product type) compared to Cisco SMARTnet Service. Features available under a Cisco SMARTnet Service contract that are not covered under a warranty are:
  • Rapid replacement of hardware in NBD, 4-hour, or 2-hour dispatch options (restrictions apply; see the Cisco SMARTnet data sheet for additional information, as well as Return for Repair on select video products)
  • Continuous technical support through the Cisco TAC
  • Latest OS updates, including both minor and major releases within the licensed feature set
  • Registered access to online self-help resources and tools
  • Proactive troubleshooting and alerts for Call Home-capable devices

8. What is Cisco Smart Call Home?

Cisco Smart Call Home, a secure, smart service capability of Cisco SMARTnet Service, provides proactive, detailed diagnostics and real-time alerts on many products to help you identify and resolve issues quickly, conserving valuable staff time and improving network availability. With automated network device monitoring, Smart Call Home dynamically and securely gathers device information, sending an alert when a problem is detected. Using Cisco intellectual capital, Smart Call Home can enable early diagnosis and remediation of device-related issues through proactive, rules-based problem resolution. As a result, customers can dramatically streamline their device maintenance, accelerate problem resolution, and reduce their network operating expense. Call home-enabled devices can continuously monitor their own health and automatically notify you of potential issues using secure transmissions. If a serious problem arises, Smart Call Home automatically detects it and can generate a Cisco Technical Assistance Center (TAC) service request to remediate the issue. Smart Call Home also provides you with access to a Smart Call Home web portal that contains personalized Call Home messages, recommendations, and more for all your Call Home devices.

9. What additional features are available under the Cisco SMARTnet ONSITE option?

Cisco SMARTnet Onsite includes the same capabilities as Cisco SMARTnet, with the addition of an onsite technician for parts replacement and installation. It is available with all SMARTnet advance hardware replacement service levels.
SMARTnet Onsite Hardware Replacement Service Levels
SMARTnet Description and Service Level SKU Decoder

10. How do I buy SMARTnet?

Most SMARTnet is sold on an annual basis. Three-year agreements get bigger discounts than single-year ones. The next time you send an RFQ, request a three-year SMARTnet quote with an option to lease for 36 months with annual payments; the discounts should offset the cost of any interest. More information on how to accomplish this can be found here.
If you're still with me, thank you. I hope this was interesting. I personally found the SMARTnet Description and Service Level SKU Decoder extremely helpful when reading SMARTnet quotes.
Please note that, due to its complexity, some of this content has been consolidated from multiple Cisco articles, which I have listed below.

How do prefix-lists work? What is a prefix-list? All you need to know about prefix-lists, with examples

The truth about prefix-lists.
How do they work? What is a prefix-list? Prefix-list examples

Hey guys, remember that prefix-lists are used to match on prefix and prefix-length pairs. The normal prefix-list syntax is as follows:
ip prefix-list LIST permit w.x.y.z/len
Where w.x.y.z is your exact prefix
And where len is your exact prefix-length
"ip prefix-list LIST permit 1.2.3.0/24" would be an exact match for the prefix 1.2.3.0
with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match
1.2.3.4/32, nor anything in between.

When you add the keywords "ge" and "le" to the prefix-list, the "len" value changes its
meaning. When using ge and le, the len value specifies how many bits of the prefix you
are checking, starting with the most significant bit.

ip prefix-list LIST permit 1.2.3.0/24 le 32
This means:
Check the first 24 bits of the prefix 1.2.3.0
The subnet mask must be less than or equal to 32
This equates to the access-list syntax:
access-list 1 permit 1.2.3.0 0.0.0.255

ip prefix-list LIST permit 0.0.0.0/0 le 32
This means:
Check the first 0 bits of the prefix 0.0.0.0
The subnet mask must be less than or equal to 32
This equates to anything

ip prefix-list LIST permit 0.0.0.0/0
This means:
The exact prefix 0.0.0.0, with the exact prefix-length 0.
This is matching a default route.

ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29
This means:
Check the first 8 bits of the prefix 10.0.0.0
The subnet mask must be greater than or equal to 21, and less than or
equal to 29.

When using the ge and le values, you must satisfy the condition:
Len < GE <= LE

Therefore "ip prefix-list LIST permit 1.2.3.0/24 ge 8" is not a valid list.

The way prefix-lists work is that you can specify a network and mask, or a
network and a range of masks. Specifying a network and mask is fairly
simple:
ip prefix-list mylist seq 10 permit 172.16.25.0/24
This will allow (match) the exact network 172.16.25.0/24 to pass the list.
However prefix lists can also specify a network with a range of masks. For
example:
ip prefix-list mylist seq 10 permit 172.16.0.0/16 ge 24 le 26
This will take the entire class B network 172.16.0.0 (172.16.0.0/16) and
pass only subnets with a /24, /25 or /26 mask (ge 24 le 26). So the exact
network 172.16.0.0/16 would actually fail the list because it does not have
a mask of /24, /25 or /26.
By default, if you only specify "ge" then any subnet with a mask greater than
or equal to the ge value will pass. That is, ge all the way up to /32. For
example:
ip prefix-list mylist seq 10 permit 10.10.10.0/24 ge 28
This list specifies any subnet within the 10.10.10.0/24 range that has a
mask of /28 or greater (255.255.255.240 to 255.255.255.255). Again, the
exact subnet 10.10.10.0/24 would fail because it does not have a mask of /28
or greater.
By default, if you only specify "le" then any subnet with a mask less than or
equal to the le value but greater than or equal to the mask specified will
pass. That is, le all the way down to the mask listed. For example:
ip prefix-list mylist seq 10 permit 10.64.0.0/16 le 23
This list specifies any subnet within the 10.64.0.0/16 range that has a
mask between /16 and /23, inclusive (255.255.0.0 to 255.255.254.0). In this
case the exact subnet 10.64.0.0/16 would pass because it has a mask in the
range /16 to /23.
The equivalent of "permit any any" in a prefix-list is:
ip prefix-list mylist seq 200 permit 0.0.0.0/0 le 32
I recommend getting quite familiar with them because they are very powerful
and actually not too bad to use once you get used to them!
Hope this helps.
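To make the ge/le rules above concrete, here is an added Python example (not code from the original post or from Cisco) that parses IOS-style prefix-list entries and evaluates routes against them with the same first-match, implicit-deny semantics, including the "len < ge <= le <= 32" validity check. The parser, the defaults it applies when ge or le is absent, and the list name "L" in the demo are my own reconstruction of the behaviour described in the text; the sample entries and routes are the page's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# One Cisco-style entry, as written on the page:
#   ip prefix-list NAME [seq N] permit|deny A.B.C.D/len [ge X] [le Y]
# This parser and matcher are illustrative (not IOS code).
ENTRY_RE = re.compile(
    r"^\s*ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})/(?P<len>\d{1,2})"
    r"(?: ge (?P<ge>\d{1,2}))?(?: le (?P<le>\d{1,2}))?\s*$"
)


@dataclass
class PrefixListEntry:
    name: str
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # A.B.C.D/len: only the first len bits are compared
    ge: int                          # smallest route mask length accepted
    le: int                          # largest route mask length accepted

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # 1) the route's own mask length must fall inside [ge, le] ...
        if not self.ge <= route.prefixlen <= self.le:
            return False
        # 2) ... and its first `len` bits must equal the entry's. Because ge >= len,
        #    that is exactly "the route lies inside network".
        return route.subnet_of(self.network)


def parse_entry(line: str) -> PrefixListEntry:
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unparseable prefix-list entry: {line!r}")
    length = int(m["len"])
    network = ipaddress.IPv4Network(f"{m['net']}/{length}", strict=False)
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    # Defaults: no ge/le => exact match (mask == len); only ge => le is 32;
    # only le => ge is len (the mask written in the entry).
    eff_ge = ge if ge is not None else length
    eff_le = le if le is not None else (32 if ge is not None else length)
    # IOS rejects anything violating  len < ge <= le <= 32  (e.g. "1.2.3.0/24 ge 8").
    if ge is not None and not length < ge:
        raise ValueError(f"ge must be greater than len: {line!r}")
    if le is not None and not (length < le and eff_ge <= le):
        raise ValueError(f"need len < ge <= le: {line!r}")
    if eff_le > 32:
        raise ValueError(f"le cannot exceed 32: {line!r}")
    seq = int(m["seq"]) if m["seq"] else 0   # 0 = "not given", numbered below
    return PrefixListEntry(m["name"], seq, m["action"], network, eff_ge, eff_le)


def is_valid_entry(line: str) -> bool:
    """True if IOS would accept the entry, False if it breaks the len/ge/le rule."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def parse_prefix_list(lines: Iterable[str]) -> List[PrefixListEntry]:
    """Parse the entries of one list; unnumbered entries get seq in steps of 5 like IOS."""
    entries: List[PrefixListEntry] = []
    next_seq = 5
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry.seq == 0:
            entry.seq = next_seq
        next_seq = entry.seq + 5
        entries.append(entry)
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixListEntry], route: str) -> bool:
    """Top-down, first match wins; no match means the implicit deny at the end."""
    candidate = ipaddress.IPv4Network(route, strict=False)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action == "permit"
    return False


def permits(entry_line: str, route: str) -> bool:
    """Convenience: does a single-entry list permit this route?"""
    return evaluate(parse_prefix_list([entry_line]), route)


if __name__ == "__main__":
    # The page's own examples, checked against the matcher.
    checks = [
        ("ip prefix-list LIST permit 1.2.3.0/24", "1.2.3.4/32"),                             # exact: False
        ("ip prefix-list LIST permit 1.2.3.0/24 le 32", "1.2.3.4/32"),                       # True
        ("ip prefix-list LIST permit 0.0.0.0/0", "192.0.2.0/24"),                            # default only: False
        ("ip prefix-list mylist seq 10 permit 172.16.0.0/16 ge 24 le 26", "172.16.0.0/16"),  # False
        ("ip prefix-list mylist seq 10 permit 10.64.0.0/16 le 23", "10.64.0.0/16"),          # True
    ]
    for entry_line, route in checks:
        print(f"{route:<16} vs {entry_line!r}: {permits(entry_line, route)}")
    print("1.2.3.0/24 ge 8 accepted?", is_valid_entry("ip prefix-list LIST permit 1.2.3.0/24 ge 8"))
```

Run it with a real list by feeding the output of "show running-config | include ip prefix-list" into parse_prefix_list; the order of evaluation is by sequence number, so an entry pasted out of order is still evaluated where IOS would evaluate it.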

8.8.8.8 for IPv6? The public DNS equivalent

  • For IPv4: 8.8.8.8 and/or 8.8.4.4
  • For IPv6: 2001:4860:4860::8888 and/or 2001:4860:4860::8844

OSPF LSA types explained! Best highlights: learn them briefly, clearly and usefully, with a picture

Have you ever wondered what the function of each of the OSPF LSA types is?

How does it work?
To master OSPF you should go straight to the OSPF LSA types. This is a brief and clear introduction to the OSPF LSA types you must know before going deeper into each specific type.
Let's start with the first one:

LSA type 1 (Router): Each router creates its own type 1 LSA to represent itself in each area to which it connects. The LSDB for one area contains one type 1 LSA per router per area, listing the RID and all interface IP addresses of that router that are in that area. It represents stub networks as well.

LSA type 2 (Network): One per transit network. Created by the DR on the subnet; represents the subnet and the router interfaces connected to it.

LSA type 3 (Net Summary): Created by ABRs to represent subnets listed in one area's type 1 and 2 LSAs when they are advertised into another area. Defines the links (subnets) in the origin area and their cost, but carries no topology data.

LSA type 4 (ASBR Summary): Like a type 3 LSA, except that it advertises a host route used to reach an ASBR.

LSA type 5 (AS External): Created by ASBRs for external routes injected into OSPF.

LSA type 6 (Group Membership): Defined for MOSPF; not supported by Cisco IOS.

LSA type 7 (NSSA External): Created by ASBRs inside an NSSA area, instead of a type 5 LSA.

LSA type 8 (External Attributes): Not implemented in Cisco routers.

LSA types 9 to 11 (Opaque): Used as generic LSAs to allow easy future extension of OSPF; for example, type 10 has been adapted for MPLS traffic engineering.

To get a better understanding of how the different OSPF LSA types work, this image will help:



What is network hardening? Follow these steps to have a protected and secure network

In the following tip, we'll explore nine easy steps you can take to ensure that you have a brick wall protecting your network, and not an open door.



1. Change the default password!

According to CERT/CC at Carnegie Mellon University, 80% of security incidents are caused by weak passwords. Extensive lists of default passwords are available online for most routers, and you can be sure that someone, somewhere knows your birthday. SecurityStats.com maintains a thorough do/don't list for passwords, as well as a password strength test.

2. Disable IP directed broadcasts

Your router is obedient. It will do what it's told, no matter who's doing the telling. A Smurf attack is a form of Denial of Service (DoS) attack in which an attacker sends an ICMP echo request to your network's broadcast address using a spoofed source address. This causes all the hosts to respond to the broadcast request, which will slow down your network, at the very least. Consult your router's documentation for information on how to disable IP directed broadcasts. On Cisco routers this is the interface-level command "no ip directed-broadcast" (for example, "Central(config-if)#no ip directed-broadcast"); the similar-looking global command "no ip source-route" is the one for step 5 below.

3. Disable HTTP configuration for the router, if possible

As outlined in a Cisco Tech Note, "The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords."

Although it may be convenient to configure your router from a remote location (from home, for example), the fact that you can do it means that anyone else can as well, especially if you're still using the default password! If you must remotely manage the router, make sure that you are using SNMPv3 or later, as it supports hashed passwords.

4. Block ICMP ping requests

The primary purpose of a ping request is to identify hosts that are currently active. As such, it is often used as part of reconnaissance activity preceding a larger, more coordinated attack. By removing a remote user's ability to receive a response from a ping request, you are more likely to be passed over by unattended scans or from "script kiddies," who generally will look for an easier target.

Note that this does not actually protect you from an attack, but will make you far less likely to become a target.

5. Disable IP source routing

The IP protocol allows a host to specify a packet's route through your network, instead of letting the network components determine the best path. The only legitimate use you may come across for this feature is troubleshooting connections, and that is rare. It is far more commonly used to map your network for reconnaissance purposes, or by an attacker attempting to locate a backdoor into your private network. Unless specifically needed for troubleshooting, this feature should be disabled.

6. Determine your packet filtering needs

There are two philosophies to blocking ports, and which one is appropriate for your network depends on the level of security that you require.

For a high-security network, especially when storing or maintaining confidential data, it is normally recommended to "filter by permission." This is the scheme in which all ports and IP address permissions are blocked, except for what is explicitly required for network functions. For instance, port 80 for web traffic and 110/25 for SMTP can be allowed to come from a dedicated address, while all other ports and addresses can be disabled.

Most networks will enjoy an acceptable level of security by using a "filter by rejection" scheme. When using this filtering policy, ports that are not used by your network and are commonly used for Trojan Horses or reconnaissance can be blocked to increase the security of your network. For instance, blocking ports 139 and 445 (TCP and UDP) will make your network more difficult to enumerate, and blocking port 31337 (TCP and UDP) will make you more secure from Back Orifice.

This should be determined during the network planning phase, when the level of security required is compared to the needs of the network users. Check out this extensive list of ports with their normally associated uses.

7. Establish Ingress and Egress address filtering policies.

Establish policies on your border router to filter security violations both outbound (egress) and inbound (ingress) based on IP address. Except for unique and unusual cases, all IP addresses that are attempting to access the Internet from inside of your network should bear an address that is assigned to your LAN. For instance, 192.168.0.1 may have a legitimate need to access the Internet through the router, but 216.239.55.99 is most likely to be spoofed, and part of an attack.

Conversely, traffic arriving from the Internet should not claim a source address that is part of your internal network. For that reason, inbound packets with source addresses of 192.168.X.X, 172.16.X.X and 10.X.X.X should be blocked.

And lastly, all traffic with either a source or a destination address that is reserved or unroutable should not be permitted to pass through the router. This includes the loopback address 127.0.0.1 and the class E address block 240.0.0.0-254.255.255.255.



8. Maintain physical security of the router

A router is much more secure than a hub, especially against network sniffing. This is because a router intelligently forwards packets based on IP destination, whereas a hub broadcasts the data to all nodes. If one system connected to that hub places its network adapter in promiscuous mode, it is able to receive and view all that traffic, including passwords, POP3 traffic and web traffic.

It is important then to make sure that physical access to your networking equipment is secure to prevent the placement of sniffing equipment, such as an unauthorized laptop, on the local subnet.

9. Take the time to review the security logs

Reviewing your router's logs (via its built-in firewall functions) is often the most effective way to identify security incidents, both attacks in progress and indicators of upcoming attacks. Using outbound logs, you can also identify Trojans and spyware programs that are attempting to establish an outbound connection. Attentive security administrators were able to identify the Code Red and Nimda attacks before antivirus publishers were able to react.

Also, generally, the router is on the perimeter of your network, and allows you to get an overall picture of the inbound and outbound activity of your network.
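Steps 7 and 9 fit together naturally: the ingress/egress address policy from step 7 is exactly the rule set a log review under step 9 should apply. The Python below is an added example, not code from the original post or any vendor: it encodes the three address rules (egress traffic must carry a LAN address, ingress traffic must not claim a private source, reserved addresses are invalid in either direction) and runs them over a constructed log. The internal LAN 192.168.0.0/24, the log line format, and every sample record are assumptions for the example; the private ranges are the full RFC 1918 blocks behind the post's "192.168.X.X, 172.16.X.X, 10.X.X.X", and loopback and class E are used as whole blocks (127.0.0.0/8, 240.0.0.0/4).

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address classes used by the policy. INTERNAL_LAN is an assumption for this
# example (the post's own example host 192.168.0.1 lives in it); the other
# blocks are the standard ranges behind the post's "192.168.X.X, 172.16.X.X,
# 10.X.X.X", loopback and class E.
INTERNAL_LAN = ipaddress.ip_network("192.168.0.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "240.0.0.0/4")]

# Constructed log format for the example (not any vendor's real syslog format):
#   <timestamp> <in|out> src=<ip> dst=<ip> proto=<name> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    line: str
    rule: str      # which policy rule the packet violated


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def check_packet(direction: str, src: str, dst: str) -> Optional[str]:
    """Return the violated rule name, or None if the packet passes the address policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 3: reserved / unroutable addresses are invalid on either side, in either direction
    if _in_any(s, RESERVED):
        return "reserved-source"
    if _in_any(d, RESERVED):
        return "reserved-destination"
    if direction == "out":
        # Rule 1 (egress): anything leaving must carry one of our own LAN addresses
        if s not in INTERNAL_LAN:
            return "egress-spoof"
    else:
        # Rule 2 (ingress): traffic from the Internet must not claim a private source
        if _in_any(s, RFC1918):
            return "ingress-spoof"
    return None


def review_log(lines: List[str]) -> List[Finding]:
    """Step 9: walk the log and keep only the entries that break the step 7 policy."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue    # not in the constructed format; a real parser would report this
        rule = check_packet(m["dir"], m["src"], m["dst"])
        if rule is not None:
            findings.append(Finding(line, rule))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, the number a reviewer would scan first."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample log: the first line is the post's legitimate 192.168.0.1,
# the second its spoofed 216.239.55.99 example.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z out src=192.168.0.1 dst=198.51.100.20 proto=tcp dport=443",
    "2024-05-01T10:00:02Z out src=216.239.55.99 dst=198.51.100.20 proto=tcp dport=80",
    "2024-05-01T10:00:03Z in src=10.4.4.4 dst=192.168.0.10 proto=udp dport=53",
    "2024-05-01T10:00:04Z in src=203.0.113.9 dst=192.168.0.10 proto=tcp dport=22",
    "2024-05-01T10:00:05Z in src=127.0.0.1 dst=192.168.0.10 proto=tcp dport=25",
    "2024-05-01T10:00:06Z out src=192.168.0.7 dst=240.1.2.3 proto=tcp dport=31337",
    "this line is not a packet record",
]

if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:<22} {f.line}")
    print(summarize(found))
```

Note that the fourth sample record (an inbound connection to port 22) passes this check: the address policy of step 7 says nothing about ports, which is the separate decision of step 6. Keeping the two rule sets distinct in code mirrors keeping them distinct in the router configuration, so a review of the anti-spoofing ACL is not confused by port-filter hits.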

Cisco Systems