To set a limit on the number of allowed IPSEC VPN session on an Cisco ASA 5540 we need to define how many sessions \ users are allowed to be connected to the ASA in each given time.
By default the number of allowed VPN session is unlimited.
To set a limit we need use the Cisco ASDM.
Once logged to the ASDM go to:
Configuration > remote access VPN > Network (client) access > advanced > IPsec > System options
Once there change the maximum IPsec sessions, to the applicable number.
To check which ports are active or disable on a Cisco switch we need to use the status command and follow the steps below.
1. Log on to the router.
2. Type “show interfaces status” command
Example:
SWITCH1#sh interfaces status
Port     Name              Status      Vlan      Duplex Speed Type
Gi0/1                       connected   24        a-full a-1000 10/100/1000BaseTX
Gi0/2                       connected   24        a-full a-1000 10/100/1000BaseTX
Gi0/3                       disabled    24          auto  auto 10/100/1000BaseTX
Gi0/4                       disabled    24          auto  auto 10/100/1000BaseTX
Gi0/5                       disabled    24          auto  auto 10/100/1000BaseTX
Gi0/6                       connected   24        a-full a-100 10/100/1000BaseTX
Gi0/7                       connected   23        a-full a-1000 10/100/1000BaseTX
Gi0/8                       connected   23        a-full a-100 10/100/1000BaseTX
Gi0/9                       connected   22        a-full a-1000 10/100/1000BaseTX
Gi0/10                      notconnect  1           auto  auto 10/100/1000BaseTX
Gi0/11                      connected   27        a-full a-1000 10/100/1000BaseTX
Gi0/12                      connected   26        a-full a-1000 10/100/1000BaseTX
Gi0/13                      disabled    26          auto  auto 10/100/1000BaseTX
Gi0/14                      connected   26        a-full a-100 10/100/1000BaseTX
Gi0/15                      connected   22        a-full a-1000 10/100/1000BaseTX
Gi0/16                      notconnect  27          auto  auto 10/100/1000BaseTX
Gi0/17                      connected   22        a-full a-1000 10/100/1000BaseTX
Gi0/18                      notconnect  25          auto  auto 10/100/1000BaseTX
Gi0/19                      connected   25        a-full a-1000 10/100/1000BaseTX
Gi0/20                      connected   25        a-full a-1000 10/100/1000BaseTX
Gi0/21                      disabled    1           auto  auto Not Present
Gi0/22                      disabled    1           auto  auto Not Present
Gi0/23                      connected   trunk     a-full a-1000 1000BaseLX SFP
Gi0/24                      connected   trunk     a-full a-1000 1000BaseLX SFP
Po1                         connected   trunk     a-full a-1000
Â
In order for us to enable or disable a port on a Cisco switch do the following:
To Enable a Port Type:
SWITCH1# int Gi0/2
SWITCH1# no shutdown
To disable a port Type:
SWITCH1#int Gi0/2
SWITCH1#shutdown\0
To block a sander in Exchange server 2007 never been easier, all you have to do is add the the sander to the Exchange Server 2007 Anti Span built in function.
To do that:
 select the Individual e-mail address option, and then type the e-mail address.
4.      Click Apply to save your changes.
Â
If you would like to configure you Cisco Router or switch to send all it’s logs to a SysLog server all you have to do is to type a few command that will tell the router\switch to send the logs to the server.
To do that:
Log to the router \ switch and type (in this example I used a switch):
SWITCH# Config t
SWITCH(config)#logging 172.40.51.44Â Â — SysLog IP address
SWITCH(config)#logging trap notifications — What do you want to send
SWITCH(config)#logging source-interface ?  — Interface that will send the logs
 Async             Async interface
 Auto-Template     Auto-Template interface
 BVI               Bridge-Group Virtual Interface
 CTunnel           CTunnel interface
 Dialer            Dialer interface
 Filter            Filter interface
 Filtergroup       Filter Group interface
 GigabitEthernet   GigabitEthernet IEEE 802.3z
 GroupVI           Group Virtual interface
 Lex               Lex interface
 Loopback          Loopback interface
 Null              Null interface
 Port-channel      Ethernet Channel of interfaces
 Portgroup         Portgroup interface
 Pos-channel       POS Channel of interfaces
 Tunnel            Tunnel interface
 Vif               PGM Multicast Host interface
 Virtual-Template  Virtual Template interface
 Virtual-TokenRing Virtual TokenRing
 Vlan              Catalyst Vlans
 fcpa              Fiber Channel
SWITCH(config)#logging source-interface vlan2�
SWITCH(config)#exit
All done, don’t forget to save the config.
ROUTER(config)#copy run start.
Sometimes there are times that you will need to grant access to other administrators to access the CISCO ASA using telnet.
In Cisco ASA Devices enabling Telnet will not allow all network\hosts to access the ASA using Telnet which will work with Routers and Switches.
In ASA we need to add hosts or networks to the Allowed telnet access list.
First, to view who can access the ASA using telnet type:
ASA# sh run telnet
telnet 10.60.4.20 255.255.255.255 inside
telnet 10.60.4.30 255.255.255.255 inside
In this case we have two host that can access the ASA using telnet.
To add an host to the Telnet access list type:
ASA (config)# telnet 10.60.4.30 255.255.255.255 inside
Hostname or A.B.C.DÂ The IP address of the host and/or network authorized to
You can also use the ASDM GUI interface by going to:
Configuration > Device Managment > Management Access > Command Line (CLI) >Telnet
Â
To restart a cisco router or switch we need to use the following command:
Router#reload
To restart the router in a certain number of minutes type:
Router#reload in 5
To see router uptime type:
router#sh version
Sometimes when applying a group policy to the domain there is a need to exclude users, groups or computers from the policy or in other words not applying the group policy to them.
To do so, follow the steps:
Open the group policy using the group policy management utility.
Click on group policy you want to exclude users form.
Go to Delegation tab and add the User, Group or machine
Then Choose “Read” from the drop down as the default. Click OK.
Select the User, Group Or machine from the list
Then click the advanced tab
Select “Deny” next to the “Apply Group Policy”
To check the policy run “gpupdate /force” and “gpresult”.
Recently I was wondering what was the best way to analyze and monitor the traffic that passes the routers between sites \ offices.
Â
After researching the issue I found out the Cisco NetFlow protocol allows you to analyze the traffic that pass the router, Â however In order to get this done we need to
Configure our routers to do a few things:
Â
1.      Install Software that analyze NetFlow
2.      Enable NetFlow on the router
3.      Configure the router to send the logs to a netflow analyzer server (needs to be configure before)
Â
Once you got the server or PC up and running with a netflow software (there are a lot of free application, I used Manage Engine NetFlow Analyzer 6 which allows you to monitor 2 router for free) , We need to tell the router to send the NetFlow logs to the server, To do that here is the commands we need to type:
Â
Â
Router(config)# ip flow-export destination {hostname|ip_address} 9996Â Â Â Â
Router(config)# Â ip flow-export source {interface} {interface_number}Â Â Â Â
Router(config)#ip flow-export version 5Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
Router(config)# Â ip flow-export version 5
Router(config)# Â ip flow-cache timeout inactive 15
Router(config)# Â snmp-server ifindex persist
Â
Â
To monitor and Check that we configured the Router to send the logs type:
Â
Router# show ip flow export
Router#Â Â show ip cache flow
Router# Â show ip cache verbose flow
Â
Â
Configuration Sample:
Â
router#configure terminal
router(config)#interface FastEthernet 0/1
router(config-if)#ip route-cache flow
router(config-if)#exit
router(config)#ip flow-export destination 10.60.1.254 9996
router(config)#ip flow-export source FastEthernet 0/1
router(config)#ip flow-export version 5
router(config)#ip flow-cache timeout active 1
router(config)#ip flow-cache timeout inactive 15
router(config)#snmp-server ifindex persist
router(config)#^Z
router# copy run start
router#show ip flow export
router#show ip cache flow
Â
Â
To Cancel NetFlow:
Â
no ip flow-export destination {hostname|ip_address} {port_number}
no ip route-cache flow
Â
Â
After a few days of searching the Internet for a simple template and example of VOIP QoS implamntation without any results I have decided to write KB on how to implement VOIP Q0S on a Cisco router between two offices \ sites.
This example is ready to use however you need to find which protocol your VoIp telephone system is using (in this example i used MITEL 3000)
once you find it all you have to do is fill it in and paste the code to to both routers.
If you happy with the policy map names leave it as it is, and don’t forget to apply the policy to the right interface.
The commands with explanations:
Â
class-map match-all Voice
 match ip dscp 46                          —- Remember to put the right protocol number. (46 is for MITEL)
class-map match-all signalling    — this name can be change
match ip dscp 26Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â —- Remember to put the right protocol number. (26 is for MITEL)
policy-map voip                           — this name can be change
class Voice                                   — this name need to match class-map match-all
bandwidth percent 30Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â —Â percent for voice
class signalling                           — this name need to match class-map match-all�
bandwidth percent 5Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â ——Â percent for signalling
class class-default
fair-queue
interface gi0/1Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â —- Apply Policy Map to Interface
service-policy output Voip
To monitor the traffic and see that everything is working type:
show policy-map interface gi0/0
The commands without  explanations and ready to be copied:
class-map match-all Voice
 match ip dscp 46
class-map match-all signalling
match ip dscp 26
policy-map voip
class Voice
bandwidth percent 30
class signalling
bandwidth percent 8
class class-default
 fair-queue
interface gi0/1
service-policy output Voip
�
In order for to Monitor a Cisco Router or Switch using SMNP with a 3rd party software like MTRG we need to enable SNMP on the device and set a SNMP String.
To do it follow the steps below:
Log in to the router and enter configuration mode:
Router#configure terminal
Enable SMNP:
Router(config)#snmp-server community public RO
Router(config)#snmp-server community private RW
Router(config)#exit
Then save the changes:
Router#write memory
View SNMP command :
Router# sh snmp
Chassis: FHK1215F41P
2411 SNMP packets input
   0 Bad SNMP version errors
   0 Unknown community name
   0 Illegal operation for community name supplied
   0 Encoding errors
   2819 Number of requested variables
   0 Number of altered variables
   178 Get-request PDUs
   2233 Get-next PDUs
   0 Set-request PDUs
   0 Input queue packet drops (Maximum queue size 1000)
2411 SNMP packets output
   0 Too big errors (Maximum packet size 1500)
   18 No such name errors
   0 Bad values errors
   0 General errors
   2411 Response PDUs
   0 Trap PDUs
To Remove \ Disable SNMP
Router(config)#no snmp-server community public RO
Router(config)#no snmp-server community private RW
Â
Â
