Windows Server 2008 R2 - Group Policy - Forcing Network Drive Shares
Create a Share on the server. Map a Network Drive to that Share. Then using Group Policy we will force all domain users to connect to that share upon login.
Subnetting
How many subnets? 2^x = number of subnets. x is the number of masked bits, or the 1s. For example, in 11000000, the number of 1s gives us 2^2 subnets. In this example, there are 4 subnets.
How many hosts per subnet? 2^y – 2 = number of hosts per subnet. y is the number of unmasked bits, or the 0s. For example, in 11000000, the number of 0s gives us 2^6 – 2 hosts. In this example, there are 62 hosts per subnet. You need to subtract 2 for the subnet address and the broadcast address, which are not valid hosts.
What are the valid subnets? 256 – subnet mask = block size, or increment number. An example would be 256 – 192 = 64. The block size of a 192 mask is always 64. Start counting at zero in blocks of 64 until you reach the subnet mask value and these are your subnets. 0, 64, 128, 192. Easy, huh?
What’s the broadcast address for each subnet? Now here’s the really easy part. Since we counted our subnets in the last section as 0, 64, 128, and 192, the broadcast address is always the number right before the next subnet. For example, the 0 subnet has a broadcast address of 63 because the next subnet is 64. The 64 subnet has a broadcast address of 127 because the next subnet is 128. And so on. And remember, the broadcast address of the last subnet is always 255.
What are the valid hosts? Valid hosts are the numbers between the subnets, omitting the all 0s and all 1s. For example, if 64 is the subnet number and 127 is the broadcast address, then 65–126 is the valid host range—it’s always the numbers between the subnet address and the broadcast address.
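The five questions above, worked in code. This is an added example, not part of the original notes: it applies the notes' rules (2^x subnets, 2^y – 2 hosts, block size = 256 – the interesting mask octet, broadcast = one below the next subnet) to any classful base network and dotted subnet mask, not only the 255.255.255.192 case in the text, and the figures it produces for that case match the notes (4 subnets, 62 hosts, block size 64).

```python
"""Subnetting worked the way the notes above do it, generalized to any mask.

Added example, not part of the original notes. It applies the notes' rules
(2^x subnets, 2^y - 2 hosts, block size = 256 - interesting mask octet)
to any classful base network and subnet mask, not just the /26 case.
"""
import ipaddress


def subnet_facts(base_cidr, subnet_mask):
    """Return subnet count, hosts per subnet, block size and per-subnet ranges."""
    base = ipaddress.ip_network(base_cidr)            # e.g. the class C 192.168.10.0/24
    new_prefix = ipaddress.ip_network(f"0.0.0.0/{subnet_mask}").prefixlen
    x = new_prefix - base.prefixlen                   # masked (borrowed) bits, the 1s
    y = 32 - new_prefix                               # unmasked host bits, the 0s
    if x < 0:
        raise ValueError("subnet mask is shorter than the base network mask")
    if y < 2:
        # The notes' 2^y - 2 rule needs a network and a broadcast address,
        # so masks longer than /30 are out of scope here.
        raise ValueError("need at least two host bits")

    # Block size in the "interesting" octet: the first mask octet that is not 255.
    octets = [int(o) for o in subnet_mask.split(".")]
    interesting = next((o for o in octets if o != 255), 255)
    block_size = 256 - interesting

    ranges = []
    for s in base.subnets(new_prefix=new_prefix):
        ranges.append({
            "subnet": str(s.network_address),
            "broadcast": str(s.broadcast_address),      # one below the next subnet
            "first_host": str(s.network_address + 1),   # subnet address is not a host
            "last_host": str(s.broadcast_address - 1),  # broadcast address is not a host
        })
    return {
        "subnets": 2 ** x,
        "hosts_per_subnet": 2 ** y - 2,
        "block_size": block_size,
        "ranges": ranges,
    }


if __name__ == "__main__":
    # The notes' example: a class C network with a 255.255.255.192 mask.
    facts = subnet_facts("192.168.10.0/24", "255.255.255.192")
    print(facts["subnets"], "subnets,", facts["hosts_per_subnet"],
          "hosts each, block size", facts["block_size"])
    for r in facts["ranges"]:
        print(f'{r["subnet"]:<16} hosts {r["first_host"]}-{r["last_host"]}'
              f'  broadcast {r["broadcast"]}')
```

The same function answers the questions for a class B base such as 172.16.0.0/16 with a 255.255.192.0 mask, where the interesting octet is the third one and the subnets count up in blocks of 64 there instead of in the last octet.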
Cisco Static Route Example
Below is a simple static routing example. The basic syntax for a static route is:
ip route [destination_network] [mask] [next-hop_address or exitinterface] [administrative_distance] [permanent]
ip route: The command used to create the static route.
destination_network: The network you’re placing in the routing table.
mask: The subnet mask being used on the network.
next-hop_address: The address of the next-hop router that will receive the packet and forward it to the remote network. This is a router interface that’s on a directly connected network. You must be able to ping the router interface before you add the route. If you type in the wrong next-hop address or the interface to that router is down, the static route will show up in the router’s configuration but not in the routing table.
exitinterface: Used in place of the next-hop address if you want, and shows up as a directly connected route.
administrative_distance: By default, static routes have an administrative distance of 1 (or even 0 if you use an exit interface instead of a next-hop address). You can change the default value by adding an administrative weight at the end of the command.
permanent: If the interface is shut down or the router can’t communicate to the next-hop router, the route will automatically be discarded from the routing table. Choosing the permanent option keeps the entry in the routing table no matter what happens.
Tulsa(config)# ip route 10.10.0.0 255.255.0.0 172.16.16.2 [AD]
Dallas(config)# ip route 192.168.2.0 255.255.255.0 172.16.16.1 [AD]
InterVLAN Routing and SVI
InterVLAN Routing
Recall that a Layer 2 network is defined as a broadcast domain. A Layer 2 network can also exist as a VLAN inside one or more switches. VLANs essentially are isolated from each other so that packets in one VLAN cannot cross into another VLAN.
To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router’s function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as interVLAN routing.
InterVLAN routing can be performed by an external router that connects to each of the VLANs on a switch. Separate physical connections can be used, or the router can access each of the VLANs through a single trunk link. The external router also can connect to the switch through a single trunk link, carrying all the necessary VLANs.
----------------------------------
Types of Interfaces
Multilayer switches can perform both Layer 2 switching and interVLAN routing, as appropriate. Layer 2 switching occurs between interfaces that are assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3 switching can occur between any type of interface, as long as the interface can have a Layer 3 address assigned to it.
As with a router, a multilayer switch can assign a Layer 3 address to a physical interface. It also can assign a Layer 3 address to a logical interface that represents an entire VLAN. This is known as a switched virtual interface (SVI). Keep in mind that the Layer 3 address you configure becomes the default gateway for any hosts that are connected to the interface or VLAN. The hosts will use the Layer 3 interface to communicate outside of their local broadcast domains.
----------------------------------
Configuring InterVLAN Routing
InterVLAN routing first requires that routing be enabled for the Layer 3 protocol. In the case of IP, you would enable IP routing. In addition, you must configure static routes or a dynamic routing protocol. These topics are covered fully in the CCNP ROUTE course. By default, every switch port on most Catalyst switch platforms is a Layer 2 interface, whereas every switch port on a Catalyst 6500 is a Layer 3 interface. If an interface needs to operate in a different mode, you must explicitly configure it.
An interface is either in Layer 2 or Layer 3 mode, depending on the use of the switchport interface configuration command. You can display a port’s current mode with the following command:
Switch# show interface type mod/num switchport
If the Switchport: line in the command output is shown as enabled, the port is in Layer 2 mode. If this line is shown as disabled, as in the following example, the port is in Layer 3 mode:
Switch# show interface gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Disabled
Switch#
----------------------------------
Layer 2 Port Configuration
If an interface is in Layer 3 mode and you need to reconfigure it for Layer 2 functionality instead, use the following command sequence:
Switch(config)# interface type mod/num
Switch(config-if)# switchport
The switchport command puts the port in Layer 2 mode. Then you can use other switchport command keywords to configure trunking, access VLANs, and so on. As displayed in Figure 11-2, several Layer 2 ports exist, each assigned to a specific VLAN. A Layer 2 port also can act as a trunk, transporting multiple Layer 2 VLANs.
Tip: Whenever you see the word switchport, think Layer 2. So if switchport is disabled, it must be Layer 3.
Physical switch ports also can operate as Layer 3 interfaces, where a Layer 3 network address is assigned and routing can occur, as shown previously in Figure 11-2. For Layer 3 functionality, you must explicitly configure switch ports with the following command sequence:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]
The no switchport command takes the port out of Layer 2 operation. You then can assign a network address to the port, as you would to a router interface.
Note: Keep in mind that a Layer 3 port assigns a network address to one specific physical interface. If several interfaces are bundled as an EtherChannel, the EtherChannel can also become a Layer 3 port. In that case, the network address is assigned to the port-channel interface—not to the individual physical links within the channel.
----------------------------------
SVI Port Configuration
On a multilayer switch, you also can enable Layer 3 functionality for an entire VLAN on the switch. This allows a network address to be assigned to a logical interface—that of the VLAN itself. This is useful when the switch has many ports assigned to a common VLAN, and routing is needed in and out of that VLAN.
In Figure 11-2, you can see how an IP address is applied to the switched virtual interface called VLAN 10. Notice that the SVI itself has no physical connection to the outside world; to reach the outside, VLAN 10 must extend through a Layer 2 port or trunk to the outside.
The logical Layer 3 interface is known as an SVI. However, when it is configured, it uses the much more intuitive interface name vlan vlan-id, as if the VLAN itself is a physical interface. First, define or identify the VLAN interface; then assign any Layer 3 functionality to it with the following configuration commands:
Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask [secondary]
The VLAN must be defined and active on the switch before the SVI can be used. Make sure that the new VLAN interface also is enabled with the no shutdown interface configuration command.
----------------------------------
Note: The VLAN and the SVI are configured separately, even though they interoperate. Creating or configuring the SVI doesn’t create or configure the VLAN; you still must define each one independently.
As an example, the following commands show how VLAN 100 is created and then defined as a Layer 3 SVI:
Switch(config)# vlan 100
Switch(config-vlan)# name Example_VLAN
Switch(config-vlan)# exit
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
Switch(config-if)# no shutdown
Destination Host Unreachable // Request Timeout
Destination Host Unreachable: typically happens when the host is actually down, or a router along the path does not have a route to the destination network.
Request Timeout: typically happens on the way back to the original sender, when the reply is lost for an unknown reason.
Diffie-Hellman
The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
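The exchange described above, carried out by both parties in code. This is an added example, not part of the original notes: it shows what each side keeps private, what travels over the insecure channel, and that both sides arrive at the same key. The group parameters are a toy choice of mine so the arithmetic stays readable (a 61-bit prime is far too small for real use; the IKE Diffie-Hellman groups used by the ASA configuration further down are the standardized large groups).

```python
"""Diffie-Hellman key agreement, both sides, plus the eavesdropper's view.

Added example, not part of the original notes. The group parameters are a
toy choice for illustration (assumed); real protocols use standardized
large safe-prime groups.
"""
import hashlib
import secrets

# Toy group (constructed): the Mersenne prime 2^61 - 1 and generator 3.
# Far too small for real use; it only keeps the numbers readable.
P = 2 ** 61 - 1
G = 3


class Party:
    """One participant: holds a private exponent, publishes g^x mod p."""

    def __init__(self, name, p=P, g=G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2], never leaves this object
        self.public = pow(g, self.private, p)         # g^x mod p, sent over the open channel

    def shared_key(self, peer_public):
        """Derive a symmetric key from the peer's public value."""
        # Reject the trivial values 0, 1 and p-1 (and anything out of range):
        # a peer sending these would force the shared secret into a tiny set.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, self.p)   # (g^y)^x = (g^x)^y mod p
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def exchange():
    """Run the protocol; return both derived keys and what an observer saw."""
    alice, bob = Party("Alice"), Party("Bob")
    # Only these four values cross the insecure channel.
    transcript = {"p": P, "g": G, "A": alice.public, "B": bob.public}
    key_alice = alice.shared_key(transcript["B"])
    key_bob = bob.shared_key(transcript["A"])
    return key_alice, key_bob, transcript


if __name__ == "__main__":
    ka, kb, seen = exchange()
    print("observer saw:", seen)
    print("keys match:", ka == kb)
```

Note that nothing in the transcript authenticates either party, which is why the ISAKMP policy later on this page pairs the Diffie-Hellman group with an authentication method such as a pre-shared key.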
Cisco ASA 5505 (8.2) - IPsec Remote Access VPN
ISAKMP Policy: 1
ip local pool: VPN_POOL
transform-set: TRANSFORM_SET
tunnel-group: TESTGROUP
pre-shared key: testingkey
group-policy: GROUP_POLICY
split-tunnel: ACL-SPLIT-TUNNEL
--------------------------------------------------------------------
ASA(config)# interface vlan2
ASA(config-if)# ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx <-- public static IP and mask
ASA(config-if)# nameif outside
ASA(config-if)# no shutdown
ASA(config)# interface e0/0
ASA(config-if)# switchport access vlan 2
ASA(config-if)# no shutdown
ASA(config)# isakmp enable outside
ASA(config)# isakmp policy 1 authentication pre-share
ASA(config)# isakmp policy 1 encryption aes
ASA(config)# isakmp policy 1 hash sha
ASA(config)# isakmp policy 1 group 2
ASA(config)# isakmp policy 1 lifetime 43200
ASA(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ASA(config)# crypto isakmp nat-traversal 20
ASA(config)# crypto dynamic-map dyn1 1 set transform-set TRANSFORM_SET
ASA(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
ASA(config)# crypto map mymap interface outside
ASA(config)# ip local pool VPN_POOL 192.168.50.0 192.168.50.128 mask 255.255.255.128 <-- pool that your VPN users will be assigned to
<-- The NONAT statements below define what traffic we do not want translated by the appliance. This is also called identity NAT. -->
ASA(config)# access-list NONAT extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128
ASA(config)# nat (inside) 0 access-list NONAT
ASA(config)# access-list ACL-SPLIT-TUNNEL extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128 <-- 192.168.2.0/25 is the inside local network, 192.168.2.128/25 the VPN local pool
ASA(config)# username testuser password 12345678
ASA(config)# group-policy GROUP_POLICY internal
ASA(config)# group-policy GROUP_POLICY attributes
ASA(config-group-policy)# vpn-idle-timeout 120
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value ACL-SPLIT-TUNNEL
ASA(config)# tunnel-group TESTGROUP type remote-access
ASA(config)# tunnel-group TESTGROUP general-attributes
ASA(config-general)# address-pool VPN_POOL
ASA(config-general)# default-group-policy GROUP_POLICY
ASA(config)# tunnel-group TESTGROUP ipsec-attributes
ASA(config-ipsec)# pre-shared-key testingkey
ASA(config)# management-access inside <-- this allows us to ping/telnet/ssh/http to the inside interface when connected to the VPN
ASA(config)# write memory
Cisco IPsec VPN Parts and Pieces
The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP and IPsec accomplish the following:
Negotiate tunnel parameters
Establish tunnels
Authenticate users and data
Manage security keys
Encrypt and decrypt data
Manage data transfer across the tunnel
Manage data transfer inbound and outbound as a tunnel endpoint or router
---------------------------
IKE (Internet Key Exchange), also known as ISAKMP (Internet Security Association and Key Management Protocol), is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2.
To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the following:
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
A Hashed Message Authentication Code (HMAC) method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.
A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm. The ASA uses this algorithm to derive the encryption and hash keys.
A limit to the time the ASA uses an encryption key before replacing it.
---------------------------
A security association (SA) is a term used to generalize the IPsec connection parameters as a whole. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely.
---------------------------
NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary. This feature is disabled by default. IPsec was not designed to work through NAT, which is where NAT-Traversal comes in.
To enable NAT-T use the following command: crypto isakmp nat-traversal
---------------------------
A transform set is a combination of security protocols and algorithms that define how the ASA protects data.
During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow.
The transform set must be the same for both peers.
---------------------------
A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy.
---------------------------
To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command in global configuration mode.
---------------------------
Crypto maps define the IPsec policy to be negotiated in the IPsec SA. They include the following:
Access list to identify the packets that the IPsec connection permits and protects.
Peer identification
Local address for the IPsec traffic
Up to six transform sets with which to attempt to match the peer security settings.
---------------------------
A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy template where the missing parameters are later dynamically learned, as the result of an IPsec negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer negotiate a tunnel if its IP address is not already identified in a static crypto map. This occurs with the following types of peers:
Peers with dynamically assigned public IP addresses. Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The ASA uses this address only to initiate the tunnel.
Peers with dynamically assigned private IP addresses. Peers requesting remote access tunnels typically have private IP addresses assigned by the headend. Generally, LAN-to-LAN tunnels have a predetermined set of private networks that are used to configure static maps and therefore used to establish IPsec SAs.
Dynamic crypto maps can ease IPsec configuration and we recommend them for use in networks where the peers are not always predetermined. Use dynamic crypto maps for Cisco VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses.
---------------------------
Split tunneling controls what traffic is or isn't protected by the tunnel. By default, all VPN traffic is forced to route to the ASA first. By configuring split tunneling we can allow our users to use their Internet connection to browse the web, instead of their traffic hitting the ASA and then going to the Internet. This filters only the traffic that needs to travel to the corporate network.
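A review script for the pieces just described, run over the configuration from the ASA 5505 remote-access VPN post above. This is an added example of mine, not Cisco's code or the original author's: it parses the isakmp policy, ip local pool, access-list and pre-shared-key lines, flags policy values below thresholds that are this example's own assumptions (DES/3DES, MD5, Diffie-Hellman groups below 14), flags a short pre-shared key, and checks that every pool address falls inside the destination network of the NONAT ACL, which that post annotates as the VPN local pool. Run on the sample built from the post's own lines it reports DH group 2, the key testingkey, and the 192.168.50.x pool lying outside the 192.168.2.128/25 network the ACL names. The corrected sample is constructed, and its DH group 14 assumes a software version that offers that group.

```python
"""Review an ASA-style remote-access VPN configuration for weak ISAKMP
settings, a short pre-shared key and a pool/ACL mismatch.

Added example, not part of the original notes. The thresholds are this
example's own assumptions, not values taken from the page.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the VPN post, prompts removed.
SAMPLE_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
ip local pool VPN_POOL 192.168.50.0 192.168.50.128 mask 255.255.255.128
access-list NONAT extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128
access-list ACL-SPLIT-TUNNEL extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128
tunnel-group TESTGROUP ipsec-attributes
 pre-shared-key testingkey
"""

# Constructed corrected sample (assumes the platform offers DH group 14).
CORRECTED_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 14
isakmp policy 1 lifetime 43200
ip local pool VPN_POOL 192.168.2.129 192.168.2.254 mask 255.255.255.128
access-list NONAT extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128
tunnel-group TESTGROUP ipsec-attributes
 pre-shared-key Correct-Horse-Battery-Staple-9
"""

POLICY_RE = re.compile(r"^\s*(?:crypto\s+)?isakmp policy (\d+) (\w+) (\S+)\s*$")
POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+) (\S+) mask (\S+)\s*$")
ACL_RE = re.compile(r"^\s*access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
PSK_RE = re.compile(r"^\s*pre-shared-key (\S+)\s*$")

# Assumed review thresholds (this example's choices).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14          # 2048-bit MODP; groups 1, 2 and 5 fall below it
MIN_PSK_LENGTH = 20


def parse_config(text):
    """Collect ISAKMP policies, address pools, extended ACL entries and PSKs."""
    cfg = {"policies": defaultdict(dict), "pools": {}, "acls": defaultdict(list), "psks": []}
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            num, attr, value = m.groups()
            cfg["policies"][int(num)][attr] = value.lower()
        elif m := POOL_RE.match(line):
            name, start, end, mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(start), ipaddress.ip_address(end), mask)
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"][name].append((ipaddress.ip_network(f"{src}/{smask}"),
                                      ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := PSK_RE.match(line):
            cfg["psks"].append(m.group(1))
    return cfg


def review_policies(policies):
    """Phase 1 policy checks: cipher, hash and Diffie-Hellman group."""
    findings = []
    for num, attrs in sorted(policies.items()):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: encryption {attrs['encryption']} is deprecated")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash {attrs['hash']} is deprecated")
        group = attrs.get("group", "")
        if group.isdigit() and int(group) < MIN_DH_GROUP:
            findings.append(f"isakmp policy {num}: DH group {group} is below group {MIN_DH_GROUP}")
    return findings


def review_pool_vs_acl(pools, acls, acl_name):
    """Every pool address must sit inside a destination network of the named ACL."""
    findings = []
    dests = [dst for _, dst in acls.get(acl_name, [])]
    for name, (start, end, _mask) in pools.items():
        if not any(start in d and end in d for d in dests):
            findings.append(f"pool {name} ({start}-{end}) is not inside any destination of {acl_name}")
    return findings


def review_config(text, identity_nat_acl="NONAT"):
    """Return the list of findings for one configuration dump."""
    cfg = parse_config(text)
    findings = review_policies(cfg["policies"])
    findings += review_pool_vs_acl(cfg["pools"], cfg["acls"], identity_nat_acl)
    findings += [f"pre-shared key of length {len(k)} is shorter than {MIN_PSK_LENGTH}"
                 for k in cfg["psks"] if len(k) < MIN_PSK_LENGTH]
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, "findings:", review_config(text) or "none")
```

The pool check is the one most worth keeping: if the pool and the identity-NAT ACL disagree, VPN clients get translated on their way to the inside network and the tunnel appears to come up while nothing reaches the LAN.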
Mac OS X: Find Default Gateway in Terminal
netstat -nr | grep default
IP Renew for Windows and Mac OS X
Windows: ipconfig /renew
------------------------------
Mac OS X: bring the interface down and back up, depending on which interface you want to renew (WiFi: en1, Ethernet: en0):
sudo ifconfig en1 down
sudo ifconfig en1 up
Cisco ASA - Allow Pinging of Outside Interface
Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.
By default, you cannot ping the ASA's outside interface - or in other words the public IP you assigned to it. To allow pinging of the outside interface:
ASA(config)# access-list ACL-OUTSIDE extended permit icmp any any
ASA(config)# access-group ACL-OUTSIDE in interface outside
Cisco ASA - Default Route
To add a default route to your Cisco ASA, add the following:
ASA(config)# route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx is the gateway your ISP provides you, or the next hop to another device such as a perimeter router.
CSMA/CD and CSMA/CA
CSMA/CD: Carrier Sense Multiple Access with Collision Detection. Used in wired Ethernet bus topologies, including a hub. A technology defined by the Ethernet IEEE 802.3 committee. Each device senses the cable for a digital signal before transmitting. Also, CSMA/CD allows all devices on the network to share the same cable, but one at a time. If two devices transmit at the same time, a frame collision will occur and a jamming pattern will be sent; the devices will stop transmitting, wait a predetermined time as well as a self-imposed random amount of time, and then try to transmit again.
CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance. Used in wireless Ethernet networks. A transmission technology that attempts to avoid collisions rather than detect them as in CSMA/CD. It is used in wireless Ethernet (802.11) and Apple's LocalTalk. When a device needs to transmit, it listens to the network (senses the carrier) and waits for it to be free. In 802.11, it then waits a random period of time and transmits. If the receiver gets the frame intact, it sends back an ACK to the sender.
Great YouTube video here.
Windows Server 2008 R2 - Change External NTP Servers
Time synchronization is an important aspect for all computers on the network. By default, client computers get their time from a Domain Controller, and the Domain Controller gets its time from the domain’s PDC Operations Master. Therefore the PDC must synchronize its time from an external source, such as time.apple.com. Before you begin, don’t forget to open UDP port 123 (inbound and outbound) on the firewall.
1. First, locate your PDC server. Open the command prompt and type:
C:\>netdom /query fsmo
2. Log in to your PDC server and open the command prompt. Stop the W32Time service:
C:\>net stop w32time
3. Configure the external time sources (the peer list is space-delimited):
C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"time.apple.com 1.pool.ntp.org 2.pool.ntp.org"
4. Make your PDC a reliable time source for the clients:
C:\>w32tm /config /reliable:yes
5. Start the W32Time service:
C:\>net start w32time
6. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing:
C:\>w32tm /query /configuration
7. Check the Event Viewer for any errors.
Configuration Register on Cisco Routers
The two important configuration register modes to remember are:
0x2102 for normal use.
0x2142 for password recovery. This makes the router ignore the startup configuration stored in NVRAM at boot.
Cisco page.
Local Loop
In telephony, a local loop is the physical wire connection that reaches from the telephone company's central office (CO) to the customer premises, whether that be a home or a business. Traditionally, the local loop was used only to carry analog signals for voice, but with today's modems we can use DSL and ISDN over the same lines.
Local Loop Unbundling (LLU) is a telephony term that means the owner of the local loop (the Incumbent Local Exchange Carrier, or ILEC) must offer its copper lines to other telecommunications operators for leased use. They must do this in accordance with the Telecommunications Act of 1996, which was created to spur competition and block monopolies from forming in the telephony business.