Monday, 22 September 2014

Failover on Cisco ASA

Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network. Active/Active failover is available only on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.

Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).
If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

Software Requirements

The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.
The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:
•The unit state (active or standby)
•Hello messages (keep-alives)
•Network link status
•MAC address exchange
•Configuration replication and synchronization
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a

Use Google Chrome as a SSH Client

We always use Putty client software for Secure SSH connection between  PC to Router or PC to Firewall.
Today i am going to show you how to use your Google chrome browser as a SSH Client.

Open your Chrome browser and enter chrome://extensions/

then search for Secure Shell chrome extension. Install it

Then after it will prompt you SSH client option


Tuesday, 2 September 2014

IP Unnumbered Explained

In this tutorial we will take a look at IP unnumbered and how to configure it. First of all…what is IP unnumbered and why do we need it?
On a router each interface requires a unique IP address so it can install an entry in the routing table and process IP packets. IP unnumbered allows you to process IP packets without configuring a unique IP address on an interface, this works by “borrowing” an IP address from another interface.
Why would you want this and not just configure an IP address on the interface? To answer that question we have to dive into the past.
Once upon a time we didn’t have VLSM (Variable Length Subnet Mask) and we used classful routing protocols like RIP version 1 and IGRP (the predecessor of EIGRP). This means that the smallest subnet you could use was a /24. When using public IP addresses this is a huge waste of IP space. Take a look at the picture below:
R1 R2 R3 serial links
There are 3 routers connected with each other using point-to-point serial links. We have to use two /24 subnets while we only require 4 IP addresses in total…such a waste!
IP unnumbered was created to solve this problem so you didn’t have to waste entire subnets on point-to-point interfaces. It borrows an IP address from another interface so you don’t have to configure one on the point-to-point interface.

Multiple Spanning Tree (MST)

By default Cisco Catalyst Switches run PVST+ or Rapid PVST+ (Per VLAN Spanning Tree). This means that each VLAN is mapped to a single spanning tree instance. When you have 20 VLANs, it means there are 20 instances of spanning tree.
Is this a problem? Like always…it depends, let’s take a look at an example:
Cisco MST Topology 200 VLANs
Take a look at the topology above. We have three switches and a lot of VLANs. There’s 199 VLANs in total. If we are running PVST or Rapid PVST this means that we have 199 different calculations for each VLAN. This requires a lot of CPU power and memory.
When SwitchB is the root bridge for VLAN 100 – 200 and SwitchC for VLAN 201 – 300 our spanning-tree topologies will look like this: