Friday, December 25, 2009

IPsec not supported!!!! The reason you go for a router

One of the many things my customers ask is why we don't go for a layer 3 switch instead of a router when Ethernet is our only requirement. A Cisco 1-port FE card still has a GPL (global price list) price of 950 USD, while L3 switches come with 24/48 ports, which is really cheaper when the customer requires many Ethernet interfaces.

Well, although in some cases the customer may take that option, I still don't encourage it. One obvious answer is that a router is intended for routing, while an L3 switch still has switching hardware and is intended for the LAN. It cannot support many features that are necessary at the WAN edge, like IPsec VPN, GRE tunnels and even NAT.

I still remember from my previous job that one of my colleagues purchased a 3560 for a site-to-site VPN with a router, only to find out that IPsec is not supported on it.

To summarize: L3 switches were introduced with efficient inter-VLAN routing in mind and are best within the campus. Routers are destined for the edge and will still be used at WAN edges.

Subinterface, SVI and the Catalyst Catch!!!

There are many who do not know this:

You cannot create subinterfaces on Cisco Catalyst switches. No matter whether it's a 2960, 3560 or 3750; no matter whether it's LAN Lite or LAN Base; no matter whether it's the standard or the enhanced image. Subinterfaces are simply not supported.

So what is the alternative? You guessed it: use an SVI instead. You can do almost everything you can do with a physical interface:

interface Vlan10
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
 ip ospf cost 10

Saturday, October 24, 2009

BGP Support on ASA

Lesson of the Day: BGP is not supported on ASA

Juniper SSG running ScreenOS is feature rich, and it can also be the internet facing device even if you need dual homing, as it supports BGP.

Besides other features, Cisco ASA with its Linux kernel is left behind in routing protocol support. Till now BGP is still unsupported on the ASA platform.

SSG supports RIPv1/2, OSPF, BGP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC; ASA supports only RIPv1/2 and OSPF.

Thursday, October 22, 2009

Repartition Cisco Flash

Repartition Flash

I have a 2621XM in my hands and I need to enable IPsec VPN on it. Oops, it shows no option for crypto isakmp. I need to upgrade to a Security IOS. Before that I must figure out the version that fits in my little 32 MB flash. After a while I was able to find it and download it. Now the TFTP server is ready to finish the job and make the router ready for VPN.

Router# copy tftp flash …………………

Oh, I get an error: your flash is 16 MB, you cannot copy a 24 MB IOS.

I check the flash again:

Router# show flash

The repartition process involves erasing flash memory, so as per a document I found on a forum:

1- Reboot the router to run in ROM mode.

2- Change the config-register to 0x2101 and reload, using the following commands:

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# config-register 0x2101

Router(config)# exit

Router# reload
Below is an excerpt from that document, which was originally written for the 25XX:

This will bring the router up in boot mode and flash will be idle. You cannot change the partitioning while the router is running a full IOS from flash. You will see a different router prompt, but enable passwords and most commands will remain the same.

3- Now erase the flash using:

Router# erase flash

4- Now repartition it into a single 32 MB partition using the command:

Router# configure terminal

Router(config)# partition flash 1 32

where 1 in the above command denotes the number of partitions.

5- Change the config register value back:

Router(config)# config-register 0x2102

Router(config)# exit

Router# reload

Before reloading, don't forget to copy the new IOS to the flash, else you should know how to play with Xmodem on a Saturday night (:

Work done!!! Now it's 2:00 AM … Go to sleep now (:

Saturday, August 8, 2009

Back It Up! By Omair Siddiqui

This article was already published and is copied from the CIO Pakistan March 2009 edition. It was also republished in Network World:

http://www.networkworld.com/news/2009/030609-back-it.html



Your business is only as resilient as the integrity of the data that you have stored on your servers. For companies that service customers in the cloud, if you can't offer 99.9999% uptime and absolutely ensure data backup and restoration, you might as well not be in business.

There are a few issues at hand here. Not only must you ensure that the data is accurately and securely backed up, whereby every packet and byte is accounted for, but you must also ensure that when the time comes, the data is "clean" enough to be plugged back into the system without a hiccup. It's the hiccup that companies need to avoid, which is why they look for ways to back up their data to begin with; however, the results aren't always what they were expecting.

There has to be a process to acquire backups. Recent advancements in network and backup technologies have improved performance, making it easier to back up data over the network. The traditional process involves tape drives at branch servers, where an end-of-day tape backup is usually taken and physically sent to the head office. This, by the way, is not what was meant when the term "data in transit" was discussed.

There are obvious problems with physically moving data: the unavailability of qualified technical resources to properly handle the backups, verification of the backed up data before shipping it to the head office, the risk of damaging the tape, data loss or theft during transportation; the list is quite endless. More importantly, because the backup in the current scenario is done on an ad hoc basis, when the IT administrator tries to sync the data into the data center, they find that it was not a successful backup to begin with. Most of these issues are usually revealed beyond the point of no return, when the restoration or a DR (Disaster Recovery) drill is performed.

By virtue of the technological advancements, there are solutions available which support a wide variety of operating systems and applications and which can take optimized backups over WAN links.

The Solution
The solution in this case is actually a paradigm shift, making use of modern data protection technologies to cope with the ever increasing backup data vis-à-vis bandwidth. It uses fingerprint technology to distinguish unique file segments and keep a check on all the redundant data in the remote sites. The solution that addresses these requirements includes a storage pool at each remote location, which then replicates the data over the WAN. Thin software agents are deployed on the remote servers. The agent makes sure to send only new unique segments of a file to the local storage pool, which automatically reduces the size of the transfer. It then becomes the job of the pool to check the uniqueness of the segments across all local agents. It replicates only unique file segments to the main storage located in the centralized data center. This minimizes WAN bandwidth requirements and allows scalability because of the reduced storage capacity requirements.

A storage pool on the remote site optimizes the data over all the branch's clients by identifying unique content and storing the backup data locally. This shortens backup and restore tasks, and enables synchronization with central locations. The files can then be backed up over the WAN to a central storage.

The solution is also able to deal with one of the most important aspects of data security over the WAN by encrypting every file segment that it sends to the storage. The data in transit, as discussed earlier, comes to life in this part of the solution, whereby the data is encrypted before it is sent over the WAN to the storage, ensuring that the data is secure during the communication. This architecture eliminates the risk of accidental loss of tapes and unauthorized access to data, both in transit and at rest.

The solution has a very tangible return on investment. It is cost effective because the alternative would be to deploy separate tape drives, media, backup software and technical support at each distinct site. There are then additional costs involved in the administration of each site and management of the off-site storage of the tape media. Since the solution removes the need for on-site tapes, the customers who have deployed it have been able to justify their investment in a relatively short span of time.

Bank Islami – A Case Study
Innovative Integration recently deployed the solution at Bank Islami, ensuring that they had a scalable, high performance data protection architecture for the bank's Linux environment. Their environment includes more than 100 HP servers and a centralized pool of Network Appliance storage. The problem the bank was having was consolidating the data from its more than 100 branches across the major cities, located all over Pakistan. The institution was relying on a local data protection solution, built on open source backup software. Almost all of the PCs and servers operated by the bank run a SuSE Linux environment, which extends to the branch network as well.

Bank-Islami Setup at a Glance
“Each Bank Islami branch contains a file server which holds files from the specific branch users,” says Asad Alim, Head of Information Technology at Bank Islami. “At that time, there was no option other than to place a tape drive in each of the branches and use conventional scripts to perform the requisite backup.”

Using the traditional method, it could take up to a day to manage a recovery. As long as the tape was readable, it could always be restored successfully, provided the tapes were acquired from the remote location, the right tape containing the right block of information was located, and the restoration was done before having to send the tape back to the site. "Now none of this hassle is involved," explains Asad.

Talking about bandwidth constraints, Asad Alim commented that "We were concerned about the pressure the backup would put on the network, but despite the 256Kbps bandwidth connectivity, the performance has proven to be stable". Changes in data are first compressed at the source and then sent across the WAN to the central storage, where they are decompressed and then stored in a duplicated fashion. It then employs an intelligent algorithm for data transfer. In case a backup fails during the process due to link failure or connectivity loss, the backup will resume from the point at which it was interrupted.

“The cost savings are a great endorsement but what is most important is that the branch data is now secure. You have to remember that in the past, we could never be 100% certain that we could restore a lost file. Now we are. With PureDisk, we are reducing our reliance on tapes for Disaster Recovery with secure replication of the data we backup,” says Asad Alim.
Please visit www.innovativeintegration.net for more details.
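The mechanism the article describes (files cut into segments, each segment fingerprinted, a branch pool forwarding only segments it has not seen, the central store receiving only segments it lacks, and an interrupted replication resuming where it stopped) can be modelled in a few dozen lines. The Python below is an added illustration and is not PureDisk or Innovative Integration code; it uses fixed-size 64-byte segments where a real product would use large content-defined segments, and it leaves out the per-segment encryption step the article mentions. All file names and data in it are constructed.

```python
from __future__ import annotations

import hashlib
from typing import Optional

SEGMENT_SIZE = 64  # bytes; real products use much larger, content-defined segments


def segment(data: bytes, size: int = SEGMENT_SIZE) -> list[bytes]:
    """Cut a file into fixed-size segments (a simplification of content-defined chunking)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def fingerprint(seg: bytes) -> str:
    """SHA-256 of the segment: the identifier by which uniqueness is judged."""
    return hashlib.sha256(seg).hexdigest()


class SegmentStore:
    """Content-addressed store, used both as the branch pool and as the central store."""

    def __init__(self) -> None:
        self.segments: dict[str, bytes] = {}      # fingerprint -> segment bytes
        self.files: dict[str, list[str]] = {}     # path -> ordered fingerprints

    def ingest(self, path: str, data: bytes) -> int:
        """Record a file; return how many bytes were genuinely new to this store."""
        new_bytes = 0
        fps = []
        for seg in segment(data):
            fp = fingerprint(seg)
            if fp not in self.segments:
                self.segments[fp] = seg
                new_bytes += len(seg)
            fps.append(fp)
        self.files[path] = fps
        return new_bytes

    def restore(self, path: str) -> bytes:
        """Rebuild a file from its manifest; raises KeyError if a segment is missing."""
        return b"".join(self.segments[fp] for fp in self.files[path])


class WanLinkDown(Exception):
    """Raised when the simulated WAN link drops mid-replication."""


def replicate(pool: SegmentStore, central: SegmentStore,
              fail_after: Optional[int] = None) -> int:
    """Push the pool's segments to the central store; return bytes put on the WAN.

    The central store is asked which fingerprints it lacks, so only those segments
    cross the link. If fail_after is given, the link 'drops' after that many
    segments; what already arrived stays stored, so the next call sends only the rest.
    """
    missing = [fp for fp in pool.segments if fp not in central.segments]
    sent = 0
    for n, fp in enumerate(missing):
        if fail_after is not None and n >= fail_after:
            raise WanLinkDown(f"link lost after {sent} bytes")
        central.segments[fp] = pool.segments[fp]
        sent += len(pool.segments[fp])
    central.files.update(pool.files)  # manifests are tiny and are resent every time
    return sent


def demo() -> dict:
    """Constructed branch data: a 1024-byte report, an identical copy and a one-segment edit."""
    report = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    edited = report[:512] + b"X" * SEGMENT_SIZE + report[512 + SEGMENT_SIZE:]
    pool, central = SegmentStore(), SegmentStore()
    result = {
        "report_new_bytes": pool.ingest("branch/report.doc", report),      # 1024
        "copy_new_bytes": pool.ingest("branch/report_copy.doc", report),   # 0
        "edit_new_bytes": pool.ingest("branch/report_v2.doc", edited),     # 64
    }
    try:
        replicate(pool, central, fail_after=10)   # first attempt dies mid-way
    except WanLinkDown:
        pass
    result["resumed_bytes"] = replicate(pool, central)    # only the remaining 7 segments
    result["central_unique_segments"] = len(central.segments)  # 17
    result["restore_ok"] = central.restore("branch/report_v2.doc") == edited
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Three files totalling 3072 bytes at the branch turn into 1088 bytes on the WAN, and the retry after the simulated link drop sends only the 7 segments the central store had not yet received.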

Tuesday, July 28, 2009

Cisco's Fast Ethernet Support

Cisco has a huge database of lively documentation. I guess they seriously require some solution for handling it. I have personally seen much contradictory information on their site: they update one page but forget to synchronize the other locations. A few months back I faced a situation where a customer needed 4 Ethernet ports on a 2801; to my surprise the Cisco 1841 and 28XX routers did not support the 2-port FE card, and eventually I ended up giving two 1-port FE cards. A similar requirement arose and I again checked the website to make sure to cover any change. I found the following link, which says:



Q. Is the 2-port HWIC supported on the Cisco 1800 and 2800 Series Integrated Services Routers?
A. No, the 2-port HWIC is supported only on the Cisco 3800 Series Integrated Services Routers. The Cisco 1841 can support only a single additional Fast Ethernet interface. The Cisco 2800 Series can support up to two additional interfaces, but this density must be attained using two 1-port HWICs.

After making sure, I presented my solution and informed the customer about Cisco's inability to support a 2-port FE card. I was told that Cisco does support the 2-port FE card on the 2801. As I had already double checked, I was sure. I was surprised when I got the link.


After searching a bit, I found that the latest Cisco IOS started supporting it and eliminated the previous limitation. I was again surprised but can't do anything about it. Cisco, keep it up (:
You rock!!!

Friday, July 24, 2009

Redundancy when there is no redundancy



Redundancy is a must!!!
Today one of my customers asked me whether the 3750 supports RPS (redundant power supply)!!! "No worries, it does," I replied, but very soon I found that to be only partially true. I had seen RPS in the datasheets but decided to dig deeper. Cisco offers a separate 1 RU device, the RPS 2300; it's basically a redundant power system for internal power supply failure. It can support up to six devices at a time (you need to plug a special cable from the appliance to the router/switch) and at most can provide two active backups (if you purchase two power supplies). One cable comes with the bundle and you need to purchase spares if you need to back up other devices too. Hmmm, the appliance is not very cheap, but I think it's worth it; it costs about 3000 USD. The coolest thing is that you can even prioritize failover, meaning say the core switch has a higher priority than the access layer, so if both fail at the same time it will back up the core first.

What models does it support?
Switches: 3750-E, 3560 E, 3750, 3560, 3550, 2960, 2950, CE 500 (Select models)

Router: 3825, 2851, 2821, 2811


The catch is that you need to choose the right power supply; for example the 700 Watt AC PS does not support the 3750E series but does support the plain 3750, so watch out for it first.

Part Numbers:

1- PWR-RPS2300 RPS 2300 chassis

2- C3K-PWR-750WAC Catalyst 3750-E/3560-E 750W AC power supply

3- C3K-PWR-1150WAC Catalyst 3750-E/3560-E 1150W AC power supply

4- CAB-RPS2300-E= Spare RPS cable, RPS 2300 for Cat 3750E/3560E switches

5- CAB-RPS2300= Spare RPS cable for Cisco Redundant Power System 2300


FAQ

Wednesday, July 22, 2009

Cisco extending the 90-day warranty to lifetime for switches


As of right now Cisco is the leader in the switching world. Juniper, with the introduction of their EX switches, is a newbie in this industry. Nortel is already in the worst condition. But HP is a consistent competitor of Cisco in the switching world and has already snatched a significant market share from Cisco. Cisco is trying to give extras to beat the competition; now there is a new announcement from Cisco extending its warranty:

Effective May 1, 2009, Cisco is extending the warranty period for Cisco Catalyst 3750-E and Cisco Catalyst 3560-E series switches from the previously offered 90-day warranty to a limited lifetime warranty (LLW).

This is not the end; in a separate bulletin there is a similar announcement for the 4500 series switches:
As of May 1, 2009, Cisco is offering a limited lifetime hardware warranty on the Cisco® Catalyst® 4500 E-Series and Cisco Catalyst 4500 Switches. This LLW is a 5 year warranty in which Cisco will make sure to ship the equipment within ten days of the RMA request.

Similarly, to survive better at access layer switching, Cisco has come up with the LAN Lite image of the 2960 that offers prices almost equal to the CE500. This was announced back in 2008.
Details

Let us hope for some other better moves (: the beneficiaries will be the customers (:

Friday, March 13, 2009

Simple Setup for Dual Link ISP


I know a couple of customers that run BGP just to ensure failover for their internet connectivity. The headache of running BGP with the ISP can be avoided by using a few tricks; I shouldn't say tricks, rather it's a feature of Cisco IOS.

A drawback of an Ethernet interface is that its status remains the same regardless of the far side interface status. This causes serious issues for the routing process, as the link remains up even when the remote router's Ethernet interface fails to respond, and thus the invalid route remains in the routing table.

IP SLA can send echo packets to the remote router and, upon failure to receive an ICMP reply, can trigger any specified event, like installing a less preferred route into the routing table and removing the old one. Below is the sample config for the above topology:

!
ip sla monitor 1
 ! enter a number to reference our monitor
 type echo protocol ipIcmpEcho 10.1.1.2
 ! 10.1.1.2 is the ISP A IP, i.e. the far side IP address of the remote router
 timeout 500
 frequency 3
ip sla monitor schedule 1 life forever start-time now
 ! schedule the SLA to run forever
!
track 1 rtr 1 reachability
 ! creates tracked object 1 for RTR (Response Time Reporter)
!
interface FastEthernet0/0
 description Connection to ISP A
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description Connection to ISP B
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
!
Now time for routing (:
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2 track 1
 ! primary route, installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 10.2.1.2 20
 ! secondary route to ISP B (AD 20), takes over if the link to ISP A fails
!
=====================================================================
State 1: ISP A is active

R0# sh ip route   {output omitted}
S*   0.0.0.0/0 [1/0] via 10.1.1.2

R0# sh ip route track-table
ip route 0.0.0.0 0.0.0.0 10.1.1.2 track 1 state is [up]
=====================================================================
State 2: ISP A is inactive (I had shut down R1 F0/0 to simulate it)

R0# sh ip route track-table
ip route 0.0.0.0 0.0.0.0 10.1.1.2 track 1 state is [down]

R0# sh ip route   {output omitted}
S*   0.0.0.0/0 [20/0] via 10.2.1.2
(Notice the routing table has installed the new default route to ISP B)
=====================================================================
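To make the interaction between the probe, the track object and the two default routes explicit, here is a small model of R0's behaviour. It is an added example written for this post, not Cisco code, and it does not talk to a router: the probe is a function standing in for the ICMP echo operation, and the routing table is rebuilt as "lowest administrative distance among routes whose track is up". It reproduces the two states above, and a run with the track removed from the primary route shows the drawback described earlier, where the dead path stays in the table because the local Ethernet interface never goes down.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1            # administrative distance: lower wins
    track: Optional[int] = None  # tracked object the route depends on, if any


@dataclass
class Track:
    """'track 1 rtr 1 reachability': up while the referenced probe gets a reply."""
    probe: Callable[[], bool]    # stands in for the IP SLA ICMP echo operation
    state: str = "down"

    def poll(self) -> str:
        self.state = "up" if self.probe() else "down"
        return self.state


@dataclass
class Router:
    routes: List[StaticRoute] = field(default_factory=list)
    tracks: Dict[int, Track] = field(default_factory=dict)

    def installable(self, route: StaticRoute) -> bool:
        """A route bound to a track is a candidate only while that track is up."""
        if route.track is None:
            return True
        return self.tracks[route.track].state == "up"

    def sla_cycle(self) -> None:
        """One scheduler pass: every track re-polls its probe."""
        for track in self.tracks.values():
            track.poll()

    def routing_table(self) -> List[str]:
        """Per prefix, keep the installable candidate with the lowest distance."""
        best: Dict[str, StaticRoute] = {}
        for r in self.routes:
            if not self.installable(r):
                continue
            if r.prefix not in best or r.distance < best[r.prefix].distance:
                best[r.prefix] = r
        return [f"S* {r.prefix} [{r.distance}/0] via {r.next_hop}" for r in best.values()]


def build_r0(isp_a: dict, tracked: bool = True) -> Router:
    """R0 with the post's two default routes; isp_a['replies'] is the far-side state."""
    r0 = Router()
    r0.tracks[1] = Track(probe=lambda: isp_a["replies"])
    r0.routes.append(StaticRoute("0.0.0.0/0", "10.1.1.2", distance=1,
                                 track=1 if tracked else None))
    r0.routes.append(StaticRoute("0.0.0.0/0", "10.2.1.2", distance=20))
    return r0


def simulate(tracked: bool = True) -> dict:
    """Walk through state 1 (ISP A answering) and state 2 (far side silent, link still up)."""
    isp_a = {"replies": True}
    r0 = build_r0(isp_a, tracked)
    r0.sla_cycle()
    state1 = r0.routing_table()
    isp_a["replies"] = False   # remote Ethernet dead; local FastEthernet0/0 stays up/up
    r0.sla_cycle()
    return {"state1": state1, "track": r0.tracks[1].state, "state2": r0.routing_table()}


if __name__ == "__main__":
    print("with track:   ", simulate())
    print("without track:", simulate(tracked=False))
```

With the track in place the second state yields the `[20/0] via 10.2.1.2` entry shown above; without it, the model keeps pointing the default route at 10.1.1.2 even though nothing answers there.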

Mine is just a starter; for more details and for digging into it with NAT etc., below are very good links.
Reference: http://www.nil.com/ipcorner/SmallSiteMultiHoming/ http://www.blindhog.net/cisco-dual-internet-connections-without-bgp/

Thursday, February 5, 2009

Cisco Unity Express NM-CUE VS AIM-CUE

Cisco is everywhere; they are not even neglecting small businesses in their solutions, and the same is the case with the VoIP solution. From a complicated Call Manager cluster to a one-box unified solution, Cisco is offering more and more.

Just take Cisco Call Manager Express: what you need is a single router, which in any case you will need for WAN connectivity; just add a PVDM (I will discuss PVDM and AIM in later posts) and a voice-enabled IOS and enjoy the Call Manager solution within the router. Pay more and you will get a voicemail facility in the same router. Either you can purchase an NM module (NM-CUE) or an additional card that you insert inside the router (AIM-CUE).

What is CUE: Cisco Unity Express is one of the three flavours available for Cisco voicemail.

  • Cisco Unity Express: NM-CUE or AIM-CUE for up to 250 mailboxes
  • Cisco Unity Connection: up to 500 users if installed on the same machine where CCM is installed. Extends to 7500 mailboxes if installed on a separate machine. No redundancy
  • Cisco Unity: 7500 mailboxes per server, integration with MS Exchange, Lotus Notes etc.

Supports a free auto attendant and a separately licensed IVR.
Supports voice retrieval from email, web and phone.
NM-CUE / NM-CUE-EC / NME-CUE
  1. NM-CUE: 100 mailboxes, 6 sessions, 14 hours of message storage
  2. NM-CUE-EC: 250 mailboxes, 8 sessions and 100 hours of message storage
  3. NME-CUE: 250 mailboxes, 24 sessions, 300 hours of storage
  • Eats up a whole module slot of the router
  • Linux based
  • Mature GUI, contrary to the CME GUI, and more people use the GUI
  • Laptop hard drive, so gigs of storage
  • Much faster access to voicemails
AIM-CUE:

  • Linux based, boots from flash chips
  • No moving parts, so fewer breakdowns
  • Less storage as there is no hard drive
  • Slower access to voicemails
  • Similar GUI and features as the NM-CUE

TOP 12 Shortcuts



A few of the Microsoft shortcuts that are making my life easier:

  • To open the RUN prompt of Windows <-----> press Windows key + R
  • To lock the computer <-----> press Windows key + L
-------------------------------------------------------------------------------------------------
  • To open Word <-----> enter winword in the Run box
  • To open Excel <-----> enter excel in the Run box
  • To open PowerPoint <-----> enter powerpnt in the Run box
-------------------------------------------------------------------------------------------------
  • To explore the hard disk <-----> explore
  • To use Firefox <-----> firefox
  • To open the C drive <-----> C:\
-------------------------------------------------------------------------------------------------
  • To view network connections <-----> type ncpa.cpl into the Run prompt
  • To go to the Control Panel <-----> type control into the Run prompt
  • To open System Properties <-----> type sysdm.cpl into the Run prompt



Tuesday, January 27, 2009

External Hard Disk Selection

Now I have more than 200 GB of data and I am falling short of space, therefore I decided to buy an external hard disk to cope with the increasing storage requirement.

At first I was considering buying a simple hard disk with an external kit, but as it requires external power it is far from PORTABLE. I researched on the web and found a couple of good names including WD, Seagate, LaCie and Toshiba. I was unable to find a differentiator that compelled me to buy one particular product. LaCie is rugged and thus shock proof but considerably costly. All come with the same 8 MB cache and about 5400 RPM, so I decided to go for the Seagate 320 GB (lowest price) but eventually ended up buying Western Digital due to Seagate's availability in the market. Overall WD seems fine to me, with a 3 year limited and 1 year full warranty. The price is reasonable; I got it @ PKR 7200/=.


Prices (PKR):

Brand              160 GB   250 GB   320 GB   500 GB   1 TB
LaCie              4700     6800     8600     10500    12800
Maxtor             4900
Western Digital    4750     6500     7300     11700
Seagate                     6300     7100
Toshiba            4850     6600     7500
Iomega                               8450



Looking forward to, and of course praying (: for, a long life for the disk.

Sunday, January 25, 2009

Cisco IOS Packaging

At first, understanding Cisco IOS packaging alone is a complex thing. One should always make sure to do proper research before getting it, as many of the important features are only available in the higher feature sets. A feature like OSPF on switches is supported in IP Services. BGP is supported on routers in IP Voice and above. The image below (taken from cisco.com) is a pretty nice summary and a good starting point.


Wednesday, January 21, 2009

Real World eXperienCe


Today I was engaged in a deployment of a Cisco 2821. The router was ordered with the HSEC bundle, which comes with the ADV IP SERVICES IOS along with a VPN acceleration card. With the passage of time I realize how important real world experience is. The deployment was simple: I copied the old router configuration, modified it and pasted it into the new router. That's it!!!

Although I needed to configure BGP multihoming too. The customer has one WiMAX link and the other DSL, both from LINKdotNET, and they want to ensure automatic switchover to the second link. I thought I could just give two default routes and change the AD for both and that would work, but the problem is that both links terminate on RJ45 Ethernet, so either I have to use BGP or IP SLA monitor. I will explore it in depth to see what works better.

The REAL world notes:
1- When I booted the brand new router it entered ROMMON mode and I was wondering why; a mighty REBOOT did the job for me and normalized everything.

2- Somehow I lost the username after configuring the router, and fortunately Worldcall EVDO (USB internet) did the magic for me. I Googled for password reset 2800 and found
http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml
****************************************************************************
Press the Break key on the keyboard while the router reboots.
At the rommon 1 > prompt, type confreg 0x2142, then reboot and answer no to every question.

Now the saved config is ignored.

Router# copy start run
Do the changes as needed and remember to do no shut on the interfaces.


Router(config)# config-register 0x2102

Router# copy run start
*******************************************************************************
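The two register values used in the flash repartition post (0x2101 to boot the ROM image with flash idle, 0x2102 for a normal boot) and the one used here (0x2142, which skips the startup config) are the same 16-bit word with different bits set. The Python below is an added illustration, not Cisco code: it decodes the boot field (bits 0-3), the "ignore NVRAM" bit (bit 6), the "Break disabled" bit (bit 8) and the "boot ROM if netboot fails" bit (bit 13) from the documented register layout, leaves the remaining bits (console speed, OEM and broadcast options) undecoded, and pulls the register out of the last line of `show version` so that collected output can be checked for routers that were left at 0x2142 after a recovery. The two sample `show version` lines are constructed, not captured from a real device.

```python
import re
from typing import Tuple

# Bit meanings used here (documented IOS configuration register fields).
BOOT_FIELD_MASK = 0x000F            # bits 0-3: boot field
IGNORE_NVRAM = 0x0040               # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100             # bit 8: ignore console Break after boot
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000   # bit 13: fall back to ROM image if netboot fails


def boot_field_meaning(boot_field: int) -> str:
    if boot_field == 0:
        return "stay in ROM monitor (rommon)"
    if boot_field == 1:
        return "run the boot image from ROM (flash idle, can be repartitioned)"
    return "normal boot from flash / boot system commands"


def decode_confreg(value: int) -> dict:
    """Split a register value into the fields the two posts rely on."""
    boot_field = value & BOOT_FIELD_MASK
    return {
        "value": f"0x{value:04x}",
        "boot_field": boot_field,
        "boot": boot_field_meaning(boot_field),
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


# 'show version' ends with "Configuration register is 0xNNNN", optionally followed
# by "(will be 0xNNNN at next reload)" when config-register was changed but not yet applied.
CONFREG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?"
)


def confreg_from_show_version(output: str) -> Tuple[int, int]:
    """Return (current, at next reload) register values from 'show version' output."""
    m = CONFREG_RE.search(output)
    if m is None:
        raise ValueError("no 'Configuration register is' line in output")
    current = int(m.group(1), 16)
    at_next_reload = int(m.group(2), 16) if m.group(2) else current
    return current, at_next_reload


def will_ignore_startup_config(output: str) -> bool:
    """True when the next reload would still skip the startup config (0x2142 left in place)."""
    _, at_next_reload = confreg_from_show_version(output)
    return bool(at_next_reload & IGNORE_NVRAM)


# Constructed 'show version' tails, not captured from a real router.
SAMPLE_RESTORED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
SAMPLE_FORGOTTEN = "Configuration register is 0x2142"

if __name__ == "__main__":
    for reg in (0x2101, 0x2102, 0x2142):
        print(decode_confreg(reg))
    for sample in (SAMPLE_RESTORED, SAMPLE_FORGOTTEN):
        print(sample, "->", "needs fixing" if will_ignore_startup_config(sample) else "ok")
```

Running `will_ignore_startup_config` over the saved `show version` of each router after a recovery session is the quick way to confirm that the `config-register 0x2102` step above was not skipped.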
That's all. I enjoyed every bit of it; network integration really makes me crazy, and no matter how small the deployment is, I enjoy it. Last but not least, USB internet is a blessing for a network engineer. Grab it if you can.............