
Monday, May 2, 2011

Difference between Plenum & Riser Cat5/Cat6 cable

Plenum vs. Riser

Cable Ratings

Plenum (CMP) Rated Cable
Complies with NFPA-262 and UL-910. The only cable allowed in spaces defined as air plenums, such as raised flooring systems and air-handling ducts. Plenum cables must self-extinguish and not reignite. They also produce less smoke than traditional PVC cables; the smoke and fumes are toxic.

Riser (CMR) Rated Cable
Complies with UL-1666. Defined for use in vertical tray applications such as cable runs between floors through cable risers or in elevator shafts. These spaces cannot be used for environmental air. These cables must self-extinguish and must also prevent the flame from traveling up the cable in a vertical burn test.

Other Cable Ratings:
Low Smoke Zero Halogen (LSZH) Rated Cable
Used in shipboard applications and computer networking rooms where toxic or acidic smoke and fumes can injure people and/or equipment. Examples of halogens include fluorine, chlorine, bromine, and iodine. When burned, these materials produce acidic smoke that can harm people and computer equipment. Low Smoke means the cable does not produce the heavy black soot and smoke common with PVC cables. These cables will self-extinguish but cannot pass UL-910 or UL-1666 for a plenum or riser rating.

General Purpose (CM, CMG, CMx) Cable
Complies with UL-1581 testing. Will burn and partially self-extinguish. Not for use between building floors or in air plenum spaces. Often these cables are used for workstation cables and patch cords.

Tuesday, March 22, 2011

How-To: Configure DHCP on a Cisco router

This post is about configuring a Cisco router to act as a DHCP server in your network.
Task 1: Configure R1 to act as a DHCP server and provide all network information to hosts in the LAN dynamically. (R1 and R2 are directly connected via Ethernet.)
Server Configuration (R1)
!-- enable the DHCP server (on by default)
service dhcp
!-- define the DHCP pool with all network information
ip dhcp pool OFFICE
 network 192.168.12.0 255.255.255.0
 domain-name networkers-online.com
 !-- gateway address
 default-router 192.168.12.1
 !-- DNS servers
 dns-server 192.168.12.100 192.168.12.101
 !-- WINS server
 netbios-name-server 192.168.12.99
 !-- lease time (days)
 lease 2
!-- define a static binding for R2 using its client-id
ip dhcp pool STATIC
 host 192.168.12.2 255.255.255.0
 client-identifier 01cc.010d.f000.00
!-- exclude server and static addresses from the dynamic pool
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.12.100 192.168.12.101
ip dhcp excluded-address 192.168.12.200
ip dhcp excluded-address 192.168.12.2
Client Configuration:
interface FastEthernet0/0
ip address dhcp client-id FastEthernet0/0
Troubleshooting and verification:
The IP address is assigned dynamically to R2:
!-- R2 f0/0 address is assigned via DHCP
R2(config-if)#do sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.12.2 YES DHCP up up
!-- R1 bindings show R2 as a static entry
R1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.12.2 01cc.010d.f000.00 Infinite Manual
R2 gets its domain name dynamically from R1:
R2#sh ip domain
networkers-online.com
R2 sets R1 as its default gateway using a floating static route:
R2#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route
Gateway of last resort is 192.168.12.1 to network 0.0.0.0
C 192.168.12.0/24 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback0
S* 0.0.0.0/0 [254/0] via 192.168.12.1
R2 learns the primary and secondary DNS servers from R1:
R2#ping xyz.com
Translating “yahoo.com”…domain server (192.168.12.100) (192.168.12.101)
% Unrecognized host or address, or protocol not running.
For more information on how to configure DHCP features, consult the following link: CISCO IOS DHCP Server

Top 10 Tips for Cisco Routers Configuration

There are a few simple things that might help administrators make better use of their time working with Cisco routers. I gathered the ten most important, in my point of view, and wrote them down.

1. The best sequence of configuring a Cisco router, as I see it, is the following:
 
a. Set up the hostname with the ‘hostname XXXXXX’ command.
b. Set up the secret password (or enable password) with the ‘enable secret XXXXX’ command.
c. Set up console and telnet passwords (use the ‘logging synchronous’ command at the console) with the ‘password XXXXX’ and ‘login’ commands.
d. Encrypt the unencrypted passwords with the ‘service password-encryption’ command, and don’t forget to turn it off after you ‘show run’.
e. Set up the interfaces (IP addresses, description, bandwidth, etc.) with the ‘ip address’, ‘bandwidth’, and ‘description’ commands.
f. Set up the routing protocols (or static routes).
g. Test the connectivity with ‘ping’ and ‘traceroute’.
h. Set up the access-lists.
i. Test the connectivity (again).
 
2. Be as descriptive as possible.
Use the ‘description’ command on ALL interfaces, and put a useful description in it: describe the network to which the interface is connected, the bandwidth of the link, the duplex settings, and any other information you might find useful. Use ‘remark’ when writing access-lists so you can identify each access-list by its function. And if you find it necessary, use banners.
Examples:
RouterA(config-if)#description This link is connected to the Accounting Lan
RouterA(config)#access-list 101 remark This list stops the telnet to the Marketing net
RouterA(config)#banner motd #This router is connected to the marketing and accounting LANS#

3. Use hotkeys.
There are many useful hotkeys in the configuration command-line environment. A few of the most important are:
Control P Recalls the previous command in the history buffer
Control N Recalls the next command in the history buffer
Control E Goes to the end of the line
Control A Goes to the beginning of the line

4. Stop the router from looking up the DNS server for mistyped commands.
When you misspell a command and hit the ‘Enter’ key, the router does not recognize the command and assumes it might be a host name. The router then tries to contact the DNS server to resolve the name to an IP address so it can telnet to it. This can take a long time, especially when you have not set up a valid DNS server (because the router broadcasts the request and waits for a DNS server to reply). To turn this off, use the ‘transport preferred none’ command on the console and vty lines.
Example:
RouterA(config)#line con 0
RouterA(config-line)#transport preferred none

5. Set up the bandwidth of serial interfaces.
Use the ‘bandwidth’ command to set the bandwidth of ALL serial interfaces to guarantee correct calculation of the routing table. The bandwidth of a serial link depends on the type of WAN connection you are using, and unlike Ethernet or FastEthernet, serial interfaces cannot automatically detect the bandwidth of the link. The bandwidth of the actual link might also differ from that of the short link between the serial interface and the modem or CSU/DSU device you are using. And remember to give the value after the ‘bandwidth’ command in kilobits.
Example:
RouterA(config)#int serial 0
RouterA(config-if)#bandwidth 1024       >> This means the link bandwidth is 1Mbit/second

6. Turn off auto-summarization of routing updates when using subnetted addresses.
If you are using subnetting, remember to use the ‘no auto-summary’ command to turn off auto-summarization. This applies when using routing protocols that support it, like OSPF.
Example:
RouterA(config-router)#no auto-summary
 
7. Turn off split-horizon in two cases.
The first is when you are doing inter-VLAN routing, because updates from one VLAN cannot pass to other VLANs. The second case is when you are using frame-relay to connect one site to multiple sites.
Example:
RouterA(config-if)#no ip split-horizon
 
8. The ‘show’ command is your best friend.
Whenever you’re in trouble, or even if you’re not in trouble yet, your best friend comes up: the ‘show’ command. The most widely used ‘show’ commands are the following:
show version - Shows some good information like the IOS version, the configuration-register value and the interfaces available.
show ip route - Shows the routing table
show ip interface - Shows the access-lists applied to interfaces
show access-list - Shows the contents of access-lists
show ip protocols - Shows information about the routing protocols currently running.
show cdp neighbor detail - Shows detailed information about neighboring devices.
show interface - Show status information about interfaces.
show run - Shows the running configuration, i.e., all the commands now in action.
 
9. Keep the IP addresses of servers and printers out of the DHCP pool.
When using the router as a DHCP server, do NOT forget to exclude the addresses of servers and printers from the DHCP pool.
Example:
RouterA(config)#ip dhcp excluded-address 192.168.0.1
RouterA(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.10
You can use a single IP address in this command or a start-IP and end-IP to define a range.
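The DHCP pool configuration in the March 22 post above and this tip rest on the same discipline: every address a pool hands out by manual binding or advertises as a service (gateway, DNS, WINS) must also be covered by an ‘ip dhcp excluded-address’ statement. The following Python script is an added example, not code from either post: it parses an IOS-style DHCP configuration (a constructed sample modelled on the OFFICE and STATIC pools, with the exclusions for the WINS server and for R2's static address deliberately left out) and reports reserved addresses that sit inside a dynamic pool's network without an exclusion. It applies the posts' own convention rather than deciding what IOS itself would offer, and it only needs the standard library.

```python
import ipaddress

# Constructed sample, modelled on the OFFICE and STATIC pools in the DHCP post.
# The exclusions for the WINS server (.99) and for R2's static address (.2)
# are left out on purpose so the check has something to report.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.12.100 192.168.12.101
ip dhcp excluded-address 192.168.12.200
!
ip dhcp pool OFFICE
 network 192.168.12.0 255.255.255.0
 domain-name networkers-online.com
 default-router 192.168.12.1
 dns-server 192.168.12.100 192.168.12.101
 netbios-name-server 192.168.12.99
 lease 2
!
ip dhcp pool STATIC
 host 192.168.12.2 255.255.255.0
 client-identifier 01cc.010d.f000.00
!
"""


def parse_dhcp_config(text):
    """Pull out the pieces of IOS DHCP configuration this check cares about.

    Returns (dynamic_pools, reserved, excluded):
      dynamic_pools: list of (pool name, IPv4Network) from 'network' statements
      reserved:      {IPv4Address: why it must not be handed out dynamically}
      excluded:      set of IPv4Address covered by 'ip dhcp excluded-address'
    """
    dynamic_pools = []
    reserved = {}
    excluded = set()
    pool = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[:3] == ["ip", "dhcp", "pool"]:
            pool = parts[3]
            continue
        if parts[:3] == ["ip", "dhcp", "excluded-address"]:
            # single address, or 'start end' range; expanded per address, which is
            # fine for LAN-sized ranges (a /16 exclusion would want a range check)
            start = ipaddress.IPv4Address(parts[3])
            end = ipaddress.IPv4Address(parts[4]) if len(parts) > 4 else start
            excluded.update(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
            continue
        if pool is None:
            continue  # other global configuration is ignored
        if parts[0] == "network":
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            dynamic_pools.append((pool, net))
        elif parts[0] == "host":
            reserved.setdefault(ipaddress.IPv4Address(parts[1]), f"manual binding in pool {pool}")
        elif parts[0] in ("default-router", "dns-server", "netbios-name-server"):
            for addr in parts[1:]:
                reserved.setdefault(ipaddress.IPv4Address(addr), f"{parts[0]} in pool {pool}")
    return dynamic_pools, reserved, excluded


def unexcluded_reserved(text):
    """Reserved addresses inside a dynamic pool's network that no
    excluded-address statement covers, as sorted (address, reason) pairs."""
    pools, reserved, excluded = parse_dhcp_config(text)
    findings = []
    for addr, reason in reserved.items():
        inside_dynamic = any(addr in net for _, net in pools)
        if inside_dynamic and addr not in excluded:
            findings.append((str(addr), reason))
    return sorted(findings)


if __name__ == "__main__":
    for addr, reason in unexcluded_reserved(SAMPLE_CONFIG):
        print(f"{addr} is not excluded from the dynamic pool ({reason})")
```

Run against the sample it reports 192.168.12.2 (the manual binding) and 192.168.12.99 (the WINS server); adding the two missing ‘ip dhcp excluded-address’ lines clears both findings.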
 
10. Keep a scheduled ‘reload’ when configuring a router remotely.
When you are configuring a router remotely, you might do something wrong and lose connectivity with the router. In this case, you will need to restart the router physically, and there is a chance that no one is around the router to restart it for you. You can solve this yourself with the ‘reload in xx’ command, which schedules a reload after xx minutes. So, before you start nosing around the router remotely, issue this command and schedule a reload. If something goes wrong and you lose connectivity with the router, the router will reload and you are back in business. And if things go smoothly and you don’t need the reload after all, issue the ‘reload cancel’ command to stop the scheduled restart from happening.
I hope you find these tips useful in getting you out of trouble, or keeping you away from it.

Thursday, March 17, 2011

IOS privilege and Show Running Dispute

When this particular user is created with privilege level 10 and only show running-config is assigned to that privilege level, to my surprise it only shows a blank configuration. Initially it was considered to be a Cisco bug. When I dug into it further, I found out that it is Cisco design and not a bug.

Please refer below for details
IOS Privilege Levels Cannot See Complete Running Configuration

Cisco IOS comes with 16 privilege levels, from 0 to 15. By default, Cisco assigns commands to only three of these privilege levels: zero, user, and enable. There are five commands with privilege level zero: disable, enable, exit, help, and logout. User EXEC mode is privilege level 1 (the default level when you log in). Privileged EXEC mode is privilege level 15 (when you are in enable mode; equivalent to root access on Linux).

To assign a privilege level to a user:

Router(config)# username support password abc privilege 5
Router# show privilege
Current privilege level is 5

To assign a privilege level to a particular command

Router#configure terminal
Router(config)#privilege exec level 1 show running-config


Problem Finding:
The show running-config command only displays the commands that the current user is able to modify; in other words, it only shows the configuration sections at or below the user's current privilege level.

Solution:
1- Instead of show run, we may use show startup, but it may show stale configuration and might not be an exact replica of the running configuration.
2- We may use the commands

username printconfig privilege 10 password test

username printconfig privilege 15 autocommand show running
 
By doing this, when the user logs in the show running-config command is executed immediately, but the user is then logged out immediately. So we are left with the configuration but need some other account to perform troubleshooting etc.
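To make the behaviour concrete, here is an added Python model (not IOS code, and not from the post) of how privilege levels gate commands: exec commands default to level 1 and configuration commands to level 15, a ‘privilege <mode> level <n> <command>’ statement moves that command and everything beginning with it to level n, and ‘show running-config’ is filtered to the configuration commands the user could modify. The privilege statements are the ones used on this page, the running configuration is constructed, and the longest-prefix rule is this model's assumption about how IOS matches commands.

```python
# Added model of IOS privilege levels (an approximation, not IOS itself).
# Unassigned exec commands default to level 1 and unassigned configuration
# commands to level 15; a 'privilege <mode> level <n> <command>' statement
# moves that command, and anything that starts with it, to level n.
DEFAULT_LEVEL = {"exec": 1, "configure": 15}

# Constructed sample of 'privilege' statements (the assignments used on this page).
PRIV_LINES = [
    "privilege exec level 1 show running-config",
    "privilege configure level 7 snmp-server host",
    "privilege configure level 7 snmp-server",
    "privilege exec level 7 ping",
    "privilege exec level 7 configure terminal",
    "privilege exec level 7 configure",
]

# Constructed running configuration to be filtered per user level.
RUNNING_CONFIG = [
    "hostname R1",
    "snmp-server community mon-ro RO",
    "snmp-server host 10.0.0.5 version 2c mon-ro",
    "ip route 0.0.0.0 0.0.0.0 192.168.12.1",
]


def parse_privilege_lines(lines):
    """Map mode -> {command prefix: level} from 'privilege' statements."""
    table = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "privilege" and parts[2] == "level":
            mode, level = parts[1], int(parts[3])
            table.setdefault(mode, {})[" ".join(parts[4:])] = level
    return table


def required_level(table, mode, command):
    """Level needed to run `command` in `mode`: the longest assigned prefix
    that matches wins (model assumption); otherwise the mode's default."""
    best = None
    for prefix, level in table.get(mode, {}).items():
        if command == prefix or command.startswith(prefix + " "):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, level)
    return best[1] if best else DEFAULT_LEVEL.get(mode, 15)


def can_run(table, mode, command, user_level):
    return user_level >= required_level(table, mode, command)


def visible_running_config(table, running_config, user_level):
    """The behaviour the post describes: 'show running-config' returns only
    the configuration commands the current user would be allowed to change."""
    return [line for line in running_config
            if can_run(table, "configure", line.strip(), user_level)]


if __name__ == "__main__":
    table = parse_privilege_lines(PRIV_LINES)
    for lvl in (1, 7, 10, 15):
        print(f"level {lvl} sees:", visible_running_config(table, RUNNING_CONFIG, lvl))
```

A level-1 user who has been granted ‘show running-config’ gets an empty listing, a level-7 or level-10 user sees only the snmp-server lines that were moved to level 7, and level 15 sees everything, which is exactly the "blank configuration" puzzle the post describes.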



Reference:
How to Configure Local Username Database in Cisco IOS
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

IOS Privilege Levels Cannot See Complete Running Configuration
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Configure Cisco Router as Caching/Forwarding DNS Server

A Cisco router running Cisco IOS can function as a caching or forwarding DNS server, answering DNS queries from clients out of its host table or cache, or forwarding them to a DNS server that can respond to the query.

This feature can come in handy in small network environments, where the router can act as a caching DNS server forwarding queries to the ISP's DNS servers or in fact any external DNS servers. It also makes sense on under-utilized DNS servers.

NOTE: This feature can have an impact on the available resources on the Cisco router, so plan according to the network size and, of course, the router itself.

Enable DNS Translations
From the global Configuration mode, enable the DNS server.
ciscorouter# conf term
ciscorouter(config)# ip domain lookup
Add the Name Servers
Add the name servers to which the Cisco router will forward queries it cannot answer from its host table or cache. You can specify up to six name servers in a single command (separated by a space), or specify one name server per command for legibility.
ciscorouter(config)# ip name-server 192.168.1.1 192.168.2.1
Add Hosts (optional)
Add host entries to the host table manually, if required
ciscorouter(config)# ip host webserver 10.1.1.100
In the above, the IP address 10.1.1.100 is mapped to the hostname "webserver"

Set Default Domain Name(s)
Optionally, add a domain name or a list of domain names that the Cisco router can append to an unqualified hostname. With a list, the router tries one domain name at a time until it finds a match.

To set a single domain name
ciscorouter(config)# ip domain name example.com
To set a list of Domain names
ciscorouter(config)# ip domain list example.com
ciscorouter(config)# ip domain list test.com
ciscorouter(config)# ip domain list myowndomain.com
Set Domain Lookup Timeout (optional)
Optionally, you can set the timeout in seconds for the Cisco router to wait for a response to a DNS query. The default is 3 seconds.
ciscorouter(config)# ip domain timeout 5
Set Domain Lookup Retry (optional)
Again optional: you can set the number of retry attempts for DNS queries. The default is 2.
ciscorouter(config)# ip domain retry 5
Enable DNS Round Robin (optional)
If there are load-balanced hosts, with more than one address behind a single name (for example, 10.1.1.101, 10.1.1.102 and 10.1.1.103 all pointing to the host "dbserver"), it makes sense to enable the DNS round-robin feature to rotate among the hosts; otherwise only the first cached host will be picked, causing load issues on that particular host.
ciscorouter(config)# ip host dbserver 10.1.1.101 10.1.1.102 10.1.1.103
ciscorouter(config)# ip domain round-robin

Tuesday, January 26, 2010

Telnet logging to Cisco router with Radius authentication based on Windows 2008 R2


Say you want to give a network admin access to a Cisco router via telnet with RADIUS authentication (the user account is stored in AD).

The network admin is not a system admin, so he does not have administrator rights on the AD domain, but he has to have level 15 access to all Cisco devices.

Here is the configuration of the router (tested on Cisco 1800 Series)


enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
password 7 ############
line aux 0
line vty 0 4
password 7 ############
transport input telnet

session-timeout 60


Quick description:
enable secret 5 - password for admin level to restrict the use of "enable" command


aaa new-model - start the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fashion:

  • first the default authentication group is used (I did not create my own authgroup for this example) and checked by a Radius server
  • if the server does not respond (and only then) - local user database is checked
aaa authorization exec default group radius local - command execution authorization is done in the same way as above.


The next set of commands creates a new privilege level. In Cisco IOS the admin level is 15; it has full rights on any hardware. Lower levels must be defined before they can be used.
In this case I created a level 7 of access with the right to execute ping, enter configuration mode and configure SNMP settings.


line vty 0 4 - telnet connection configuration (total of 5 lines - from 0 to 4)



Now for the Windows 2008 Server R2 side:

Network policy for level 15:

  • Windows Group: NetAdmins
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=15
Network policy for level 7:

  • Windows Group: SomeoneElse
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=7

Now when logging in via telnet, users belonging to the NetAdmins group gain full access to the router (without the need for the "enable" command) while users from the SomeoneElse group have only level 7.
If the other user wanted full access he would have to know the secret password.
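What the RADIUS server actually returns for those two policies is a Vendor-Specific attribute (type 26, Cisco vendor id 9, sub-attribute 1, Cisco-AVPair) carrying the string shell:priv-lvl=N, alongside the standard Service-Type and Framed-Protocol attributes. The Python below is an added example, not part of the post: it builds the Access-Accept attribute list for each policy, parses it back with length checks, and derives the privilege level the router would apply. Falling back to level 1 when no shell:priv-lvl pair is present is this example's assumption; the attribute numbers are the ones from RFC 2865 and the policies above.

```python
import struct

# RFC 2865 attribute numbers used in the policies above, plus Cisco's vendor id.
SERVICE_TYPE = 6          # value 7 = NAS-Prompt
FRAMED_PROTOCOL = 7       # value 1 = PPP
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor sub-attribute carrying strings such as shell:priv-lvl=15


def encode_integer_attr(attr_type, value):
    """Type / Length / 4-byte value, as RFC 2865 lays out integer attributes."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(avpair):
    """Vendor-Specific(26) wrapping a single Cisco-AVPair sub-attribute."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob):
    """Split an attribute list into (type, value) pairs, refusing bad lengths
    instead of reading past the end of the buffer."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def cisco_avpairs(attrs):
    """Extract the Cisco-AVPair strings from Cisco Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # some other vendor's VSA
        sub = value[4:]
        j = 0
        while j + 2 <= len(sub):
            sub_type, sub_len = sub[j], sub[j + 1]
            if sub_len < 2 or j + sub_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if sub_type == CISCO_AVPAIR:
                pairs.append(sub[j + 2:j + sub_len].decode("ascii", "replace"))
            j += sub_len
    return pairs


def privilege_level(attrs, default=1):
    """Privilege level the router would apply from shell:priv-lvl. Assumed to
    default to 1 (user EXEC) when the pair is absent or out of range 0-15."""
    for pair in cisco_avpairs(attrs):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl":
            try:
                level = int(val.strip())
            except ValueError:
                continue
            if 0 <= level <= 15:
                return level
    return default


def access_accept_for(group):
    """Constructed Access-Accept attribute payloads mirroring the two policies."""
    level = {"NetAdmins": 15, "SomeoneElse": 7}[group]
    return (encode_integer_attr(FRAMED_PROTOCOL, 1)          # PPP
            + encode_integer_attr(SERVICE_TYPE, 7)           # NAS-Prompt
            + encode_cisco_avpair(f"shell:priv-lvl={level}"))


if __name__ == "__main__":
    for group in ("NetAdmins", "SomeoneElse"):
        attrs = parse_attributes(access_accept_for(group))
        print(group, "->", cisco_avpairs(attrs), "privilege", privilege_level(attrs))
```

Note that only an Access-Accept that carries the Cisco pair lifts the session above level 1 in this model; a user whose policy omits it lands at user EXEC and still needs the enable secret, which is the situation the last sentence above describes.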

Tuesday, September 8, 2009

AAA

Authentication, Authorization, and Accounting, otherwise known as AAA (triple A). Most people who have had to implement AAA on a router or switch probably know very little about the commands they copy to the router config. Most simply grab the AAA configs from another working router or switch and are done with it. But have you ever wondered what these commands do? Have you asked yourself, "Do I even need this? What's the best way to implement AAA?" Today we're gonna get our [ROUTER]FREAK on and check out some best practices with AAA.

If you're working in an environment that uses AAA then you no doubt have a TACACS+ or ACS server running somewhere that is used for managing logins to your devices. AAA works in conjunction with TACACS+ to provide management of your login security: who can log in (Authentication), what that user can do (Authorization), and tracking the commands that are used (Accounting).

I've recently worked directly with Cisco to bang out exactly what the best practices are for configuring AAA on a router. What we came up with is the following:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Some router configurations look more intimidating than others, and AAA is always one of them. Don't worry, we'll break this down and you will see it's not so bad after all.

So lets take a look at it one line at a time...

aaa new-model
This basically turns on aaa on the router.

aaa authentication login default group tacacs+ local
Here we are saying that to authenticate to this router for logins use the default group which is tacacs+. If tacacs+ fails then use the local user account configured on the router. (This is why you always want to make sure you have a local user configured on your router)

aaa authentication enable default group tacacs+ enable
Here we are saying that for enable mode we want to use the default group tacacs+ (notice the local keyword is not used; this is because a locally defined user will have the authorization level they require specified, for example level 15 will get enable mode).

aaa authorization config-commands

This says we want to check with TACACS+ to authorize going into config mode.

aaa authorization exec default group tacacs+ local if-authenticated
Notice the "if-authenticated" keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.

aaa authorization commands 1 default group tacacs+ if-authenticated
For best practices Cisco recommends that authorization be configured to each level of user access to network devices. In this command we are authorizing level 1 user. This would also be the same as non-enable mode. A fallback method should be configured such as a local user. This also requires the use of tacacs+.

aaa authorization commands 15 default group tacacs+ local if-authenticated
Here we are providing authorization for level 15 users against tacacs+. If tacacs+ is not available then the local user account is used. If authenticated the user will immediately be dropped into exec/enable mode.

aaa accounting exec default start-stop group tacacs+
AAA Accounting for each level of commands ensures there is accountability for use of privileged commands on the router. Privilege levels range from 1 to 15, with 15 being the highest level. Some organizations may want to implement additional levels of commands where 1 might be a help desk and 15 are network administrators.

aaa accounting commands 1 default start-stop group tacacs+
This is an optional command as far as best practices go, but it provides accountability or tracking of user activity even if they have only logged in (not exec/enable).

aaa accounting commands 15 default start-stop group tacacs+
This command provides accounting for administrators, or privilege level 15.
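As an added check that is not part of the post: a short Python audit that parses aaa method-list lines and reports where a configuration falls short of the baseline above, namely a login list with no local fallback, no config-commands authorization, and missing command authorization or start-stop accounting for levels 1 and 15. The RECOMMENDED text is the post's own list; the WEAK sample is constructed to look like the copy-pasted configuration the post warns about.

```python
# The AAA lines recommended in the post, kept as the baseline to compare against.
RECOMMENDED = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed weaker config of the copy-paste kind the post describes:
# no local fallback, no config-command authorization, no accounting at all.
WEAK = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

RECORD_TYPES = ("start-stop", "stop-only", "wait-start", "none")


def parse_aaa(text):
    """Collect method lists as {(service, kind, list name): {record, methods}}."""
    cfg = {"new-model": False, "config-commands": False, "lists": {}}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "aaa":
            continue
        if parts[1:] == ["new-model"]:
            cfg["new-model"] = True
            continue
        if parts[1:] == ["authorization", "config-commands"]:
            cfg["config-commands"] = True
            continue
        if len(parts) < 4:
            continue
        service, kind, idx = parts[1], parts[2], 3
        if kind == "commands":            # 'commands <level>' carries the level as an extra token
            kind, idx = f"commands {parts[3]}", 4
        if len(parts) <= idx:
            continue
        list_name, rest = parts[idx], parts[idx + 1:]
        record = None
        if service == "accounting" and rest and rest[0] in RECORD_TYPES:
            record, rest = rest[0], rest[1:]
        methods, i = [], 0
        while i < len(rest):              # 'group tacacs+' is one method, not two tokens
            if rest[i] == "group" and i + 1 < len(rest):
                methods.append(f"group {rest[i + 1]}")
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        cfg["lists"][(service, kind, list_name)] = {"record": record, "methods": methods}
    return cfg


def audit_aaa(text):
    """Findings (strings) where the config falls short of the post's baseline."""
    cfg = parse_aaa(text)
    lists = cfg["lists"]
    findings = []
    if not cfg["new-model"]:
        findings.append("aaa new-model missing: AAA is not enabled")
    login = lists.get(("authentication", "login", "default"))
    if login is None:
        findings.append("no default login authentication list")
    elif "local" not in login["methods"]:
        findings.append("login authentication has no local fallback for when TACACS+ is unreachable")
    enable = lists.get(("authentication", "enable", "default"))
    if enable is None or not enable["methods"] or enable["methods"][-1] != "enable":
        findings.append("enable authentication does not fall back to the enable secret")
    if not cfg["config-commands"]:
        findings.append("aaa authorization config-commands missing: config mode is not authorized by TACACS+")
    for lvl in ("1", "15"):
        if ("authorization", f"commands {lvl}", "default") not in lists:
            findings.append(f"no command authorization for level {lvl}")
        acct = lists.get(("accounting", f"commands {lvl}", "default"))
        if acct is None or acct["record"] != "start-stop":
            findings.append(f"no start-stop accounting for level {lvl} commands")
    if ("accounting", "exec", "default") not in lists:
        findings.append("no exec accounting")
    return findings


if __name__ == "__main__":
    print("recommended:", audit_aaa(RECOMMENDED) or "no findings")
    for f in audit_aaa(WEAK):
        print("weak:", f)
```

The baseline passes cleanly; the weak sample produces six findings, starting with the missing local fallback, which is the one that turns a TACACS+ outage into a lockout.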

... And that's it! See? Once you go over each line it's not quite so bad. The biggest hurdle is understanding the freaky Cisco command structure.

I hope this breakdown has helped clear things up a bit.