
Monday 22 January 2018

PCI DSS 3.1 compliant TLS



The following is required for a TLS site to be considered PCI DSS 3.1 compliant:
  • Trusted certificate
  • SSL 2.0, SSL 3.0 and TLS 1.0 not supported
  • Strong private key
    • 2048+ bits if RSA
    • 256+ bits if EC
  • All cipher suites strong
    • Cipher of 128 bits or stronger
    • DH parameters 2048+ bits
    • Export suites are not allowed
    • Anonymous key exchange suites are not allowed
In addition, no known vulnerabilities may be present. In practice this translates to the following:
  • Insecure renegotiation not supported
  • Compression not supported
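As an added example (not part of the original post), here is a Python ssl.SSLContext that applies the TLS side of this checklist, together with an audit function that reports which items a given context still fails. It sets the floor at TLS 1.2, one step stricter than the post's "TLS 1.0 not supported"; the certificate and key file arguments are placeholders for your own files.

```python
import ssl

# Added example, not code from the original post. Certificate trust, DH
# parameter size and renegotiation cannot be queried back from a context,
# so they are enforced where possible but not audited.

MIN_VERSION = ssl.TLSVersion.TLSv1_2          # stricter than "TLS 1.0 not supported"
FORBIDDEN_PREFIXES = ("EXP", "ADH", "AECDH")  # OpenSSL names for export / anonymous suites


def pci_server_context(certfile=None, keyfile=None):
    """Build a server context satisfying the PCI DSS 3.1 TLS checklist."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION           # SSL 2.0/3.0, TLS 1.0/1.1 refused
    ctx.options |= ssl.OP_NO_COMPRESSION        # TLS compression off (CRIME)
    if hasattr(ssl, "OP_NO_RENEGOTIATION"):     # OpenSSL >= 1.1.0h only
        ctx.options |= ssl.OP_NO_RENEGOTIATION  # no renegotiation, secure or not
    # HIGH keeps 128-bit+ symmetric ciphers; the negations drop anonymous,
    # export and other legacy suites the checklist forbids.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK:!SRP")
    if certfile:                                # key must be RSA 2048+ / EC 256+
        ctx.load_cert_chain(certfile, keyfile)  # placeholder paths, your own files
    return ctx


def audit_context(ctx):
    """Return the checklist items a context violates (empty list = clean)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_1:
        findings.append("SSL 2.0/3.0 or TLS 1.0 still enabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    for suite in ctx.get_ciphers():             # every offered suite must be strong
        name = suite["name"]
        if name.startswith(FORBIDDEN_PREFIXES):
            findings.append(f"export/anonymous suite offered: {name}")
        elif suite["strength_bits"] < 128:
            findings.append(f"cipher below 128 bits: {name}")
    return findings
```

Pass the returned context to ssl.SSLContext.wrap_socket or any framework that accepts an SSLContext; audit_context can equally be run against a context you did not build yourself.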

Thursday 23 February 2017

Automating Multiple Cisco Wireless SSID change.




Python-Cisco-SSID-Change

Automating Multiple Cisco Wireless SSID change.
Welcome to Python-Cisco-SSID-Change! You can use this script to automate changing the passphrase of multiple Cisco Aironet SSIDs. It is designed for two access points, but you can copy and paste the code and add as many mainXX() calls at the bottom as you need.



Cisco-Configuration-Backup

Automatically back up the configuration (startup-config) of multiple Cisco devices.
Welcome to Cisco-Configuration-Backup! You can use this script to automate the backup of multiple Cisco devices' configurations. It is designed for two devices, but you can copy and paste the code and add as many mainXX() calls at the bottom as you need.

Sunday 17 April 2016

Bandwidth hog, top ten talkers and NBAR.

"The network is so slow." This can be a nightmare for many network engineers. So what's next?
Calling your service provider? Most probably they will tell you: "Your line is over-utilized."
But seriously, what should we do?
You won't have this problem if you have the luxury of a NetFlow application in your network.
You can simply log in to it and check which IP address and which port is chewing up your bandwidth.
But if you don't have NetFlow, this is how you can find out what is chewing up your bandwidth:

    Top-Talkers

The very first thing is to configure your router to show the top talkers.

First, enable NetFlow (ip route-cache flow) on all of your interfaces, or at least on your WAN interface; in our case I configured it on GigabitEthernet 0/0.


MyRouter(config)#interface gigabitEthernet 0/0
MyRouter(config-if)#ip route-cache flow



Now we need to enable the top talkers feature:

MyRouter(config)#ip flow-top-talkers
MyRouter(config-flow-top-talkers)#top ?
  <1-200>  Number of top talkers

You can choose up to 200, but normally the first 10 is enough. So:

MyRouter(config-flow-top-talkers)#top 10

Now we should configure it to sort the result based on bytes or packets:

MyRouter(config-flow-top-talkers)#sort-by ?
  bytes    Sort top talkers by bytes
  packets  Sort top talkers by packets

In our case I prefer bytes:

MyRouter(config-flow-top-talkers)#sort-by bytes

OK, all done. Now we can see who the top ten talkers are:

MyRouter# show ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0        192.168.70.247  Gi0/0*       10.3.50.213     06 D5E7 01BD    20M
Gi0/0        192.168.70.247  Gi0/0        10.3.50.213     06 D5E7 01BD    13M
Gi0/0        10.73.20.133    Gi0/0         192.168.45.113  06 0A26 C01B    11M
Gi0/0        192.168.71.184  Gi0/0         192.168.117.103 06 0A26 C01B  6336K
Gi0/0        192.168.71.156  Gi0/0*        10.7.64.124     06 0A26 C019  3577K
Gi0/0        10.73.20.133    Gi0/0*        192.168.47.157  06 0A26 C016  2838K
Gi0/0        192.168.71.154  Gi0/0*        10.7.19.110     06 0A26 C061  2837K
Gi0/0        192.168.71.201  Gi0/0*        10.7.38.127     06 0A26 C07F  2444K
Gi0/0        192.168.71.203  Gi0/0        10.7.85.187     06 0A26 C172  2152K
Gi0/0        192.168.71.172  Gi0/0*        10.7.32.109     06 0A26 C018  1623K
10 of 10 top talkers shown. 4086 flows processed.

You can also add the verbose keyword to get more details, including source interface, source IP, destination interface, destination IP address and more (ToS, TCP flags, masks, AS numbers, next hop, bytes per packet and active time, as the extra columns below show):

MyRouter# show ip flow top-talkers verbose

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs Bytes
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Gi0/0         10.73.20.133    Gi0/0          192.168.45.113  06 00  18      10M
0A26 /26 0                     C01B /24 0     10.40.2.18           1423     4.9

Gi0/0         192.168.70.247  Gi0/0*        10.3.50.251     06 00  18    6826K
D5E7 /24 0                     01BD /24 0     192.168.70.250       1478     5.3
FFlags: 01

Gi0/0         192.168.71.179  Gi0/0          10.5.18.136     06 00  18    5060K
0A26 /24 0                     C012 /24 0     10.50.2.18           1416    12.6

Gi0/0         10.73.20.133    Gi0/0*         192.168.47.113  06 60  18    2499K
0A26 /26 0                     C01B /24 0     10.40.2.18           1401     1.5
FFlags: 01

Gi0/0         192.168.70.71   Gi0/0         199.30.226.25   06 00  1A    2485K
6361 /24 0                     0019 /0  0     192.168.71.244       1403    25.9

Gi0/0         192.168.71.184  Gi0/0          192.168.113.103 06 00  18    2470K
0A26 /24 0                     C01B /24 0     10.40.2.18           1458     3.1

Gi0/0         192.168.71.203  Gi0/0         10.7.85.187     06 00  18    2224K
0A26 /24 0                     C172 /0  0     192.168.71.244       1354     9.4

Gi0/0         192.168.71.203  Gi0/0*        10.7.85.187     06 60  18    2224K
0A26 /24 0                     C172 /0  0     192.168.71.244       1354     9.4
FFlags: 01

Gi0/0         10.73.20.133    Gi0/0          192.168.45.155  06 00  18    2183K
0A26 /26 0                     C016 /24 0     10.40.2.18           1115     5.5

Gi0/0         192.168.71.172  Gi0/0          10.7.32.109     06 00  18    1423K
0A26 /24 0                     C018 /24 0     10.40.2.18           1091     5.2

10 of 10 top talkers shown. 4079 flows processed.
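As an added example (not from the original post), here is a Python parser for the non-verbose top-talkers table shown above. It decodes the hex port numbers and the K/M byte abbreviations, names the service when the lower port is one of a few IANA assignments, and sums bytes per source host; the sample rows are copied from the output above, and the decimal K/M multipliers are an assumption, since IOS rounds those figures.

```python
import re
from collections import defaultdict

# Added example, not code from the original post. The sample rows are copied
# from the "show ip flow top-talkers" output above, not from a live router.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0        192.168.70.247  Gi0/0*       10.3.50.213     06 D5E7 01BD    20M
Gi0/0        192.168.70.247  Gi0/0        10.3.50.213     06 D5E7 01BD    13M
Gi0/0        192.168.71.184  Gi0/0         192.168.117.103 06 0A26 C01B  6336K
10 of 10 top talkers shown. 4086 flows processed.
"""
ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>[\d.]+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>[\d.]+)"
    r"\s+(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})"
    r"\s+(?P<bytes>\d+[KMG]?)\s*$"
)
# Assumption: IOS rounds to K/M/G with decimal multipliers, so totals are approximate.
SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}
KNOWN_PORTS = {25: "smtp", 80: "http", 443: "https", 445: "microsoft-ds", 2598: "citrix-cgp"}


def parse_bytes(text):          # '6336K' -> 6336000, '20M' -> 20000000, '512' -> 512
    if text[-1] in SCALE:
        return int(text[:-1]) * SCALE[text[-1]]
    return int(text)


def parse_top_talkers(output):
    """One dict per flow row; the header and trailer lines do not match ROW."""
    flows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        sport, dport = int(m["sport"], 16), int(m["dport"], 16)
        flows.append({
            "src_ip": m["src_ip"], "dst_ip": m["dst_ip"], "proto": int(m["proto"], 16),
            "src_port": sport, "dst_port": dport,
            "service": KNOWN_PORTS.get(min(sport, dport), "unknown"),  # lower port is usually the service
            "bytes": parse_bytes(m["bytes"]),
            "egress": m["dst_if"].endswith("*"),  # IOS flags egress flows with a trailing *
        })
    return flows


def bytes_by_source(flows):
    """Total bytes per source IP, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src_ip"]] += f["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))
```

Feed it the pasted output of show ip flow top-talkers (without verbose) and the first entry of bytes_by_source is the host to look at; the decoded ports (445 for SMB, 2598 for Citrix session reliability here) already hint at what the traffic is.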


Now you have a clear idea about the source and destination of your top talkers. However, we still need to know what they are doing, to judge whether you need more bandwidth or should stop them if they are downloading movies...
To do so we can use NBAR.
NBAR gives you full visibility of the top-n applications.
The configuration is very simple:
the only thing we need to do is configure NBAR on the interface we want to monitor, in our case gi0/0.

MyRouter(config)#interface gigabitEthernet 0/0
MyRouter(config-if)#ip nbar protocol-discovery

(You can add the ipv6 keyword if you want to monitor IPv6 traffic on your network.)

Done!

To check what the top applications are (I checked the top 5, but you can check up to the top 50):

MyRouter#show ip nbar protocol-discovery top-n 5

Gi0/1

 Last clearing of "show ip nbar protocol-discovery" counters 00:54:31


                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   citrix                   34338582                 4222051
                            21611665553              1012442959
                            59121000                 2001000
                            59121000                 3382000
   smtp                     79034                    603036
                            5787772                  738574298
                            10000                    1970000
                            29000                    2801000
   exchange                 20289                    268006
                            14620242                 332928296
                            3000                     898000
                            94000                    2364000
   http                     483510                   355924
                            518767031                56569465
                            1075000                  119000
                            1458000                  178000
   printer                  36107                    31758
                            53454456                 39233451
                            106000                   1000
                            350000                   329000
   unknown                  4155173                  5877564
                            5937458309               7236874994
                            13009000                 17089000
                            17008000                 18779000
   Total                    40032075                 11761695
                            28300547829              9465172577
                            73559000                 22199000
                            78927000                 28012000


(I've not included the results for all of the interfaces, to save space.)

Now you also have a clear idea of which applications are chewing up the bandwidth.
Having both the top ten conversations and the top-n applications, you have full visibility of your network and can deal with the issue.
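As an added example (not from the original post), here is a Python parser for the protocol-discovery block format above, where each protocol occupies four stacked rows (packet count, byte count, 5-minute bit rate, 5-minute max bit rate) with an input and an output column, plus a helper that turns the byte counts into each application's share of all traffic. The sample is built from a subset of the rows shown above.

```python
import re

# Added example, not code from the original post. The sample is a subset of
# the "show ip nbar protocol-discovery top-n 5" output shown above.
SAMPLE = """\
   Protocol                 Packet Count             Packet Count
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   citrix                   34338582                 4222051
                            21611665553              1012442959
                            59121000                 2001000
                            59121000                 3382000
   smtp                     79034                    603036
                            5787772                  738574298
                            10000                    1970000
                            29000                    2801000
   Total                    40032075                 11761695
                            28300547829              9465172577
                            73559000                 22199000
                            78927000                 28012000
"""
NAME_ROW = re.compile(r"^\s+(?P<name>[A-Za-z][\w-]*)\s+(?P<inp>\d+)\s+(?P<out>\d+)\s*$")
VALUE_ROW = re.compile(r"^\s+(?P<inp>\d+)\s+(?P<out>\d+)\s*$")
FIELDS = ("packets", "bytes", "bps", "max_bps")  # row order under each protocol


def parse_protocol_discovery(output):
    """Return {protocol: {field: (input, output)}}; the Total row is kept."""
    stats, current, idx = {}, None, 0
    for line in output.splitlines():
        m = NAME_ROW.match(line)
        if m:                                          # packet-count row starts a protocol
            current, idx = m["name"], 0
            stats[current] = {}
        elif current is not None and (m := VALUE_ROW.match(line)):
            idx += 1                                   # next stacked row of the same protocol
        else:
            continue                                   # headers, rulers, blank lines
        if idx < len(FIELDS):
            stats[current][FIELDS[idx]] = (int(m["inp"]), int(m["out"]))
    return stats


def byte_share(stats):
    """Percent of all bytes (input + output) per protocol, excluding the Total row."""
    total = sum(stats["Total"]["bytes"])
    return {p: 100 * sum(v["bytes"]) / total for p, v in stats.items() if p != "Total"}
```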

Babak.

Saturday 30 January 2016

Cisco or Juniper

All my IT life, I've tried not to be biased about anything: if something works better on one platform, simply use it. But these days I very often hear people discussing Cisco versus Juniper and which one is better.
Although Juniper looks a bit competitive these days, it still has a very long way to go to show itself as a real competitor to the giant Cisco. If you check their websites, you'll simply find a wide variety of Cisco products, while the Juniper side looks fairly limited.
I started my networking career with Cisco and consider it the best brand to start networking with, since it has a very good training and certification program.