Category Archives: CISCO

Azure Active Directory management experience in preview

The Azure Active Directory management experience is now in preview. This is a big step, because you can now manage all your Azure Active Directory related functions in one place. Previously we had to move through a few screens to reach different AD related functions; for example, identity management and Azure AD Connect Health were on different pages, and navigation was sometimes painful. Now it is all integrated in one console, and you no longer need to go to the classic portal to access Azure AD. More importantly, monitoring and reporting are nicely integrated, which lets you review the health of your Azure AD infrastructure more efficiently. The idea of this post is to show you the functions available in the preview.

To access the Azure Active Directory management experience preview, log in to the Azure portal and click on Azure Active Directory in the left-hand options.

If it is not there, go to More services and type "Azure Active Directory". It will list the option; click on the yellow star next to the name to add it to the list on the left.

The initial tile contains links to the different options and also quick links to functions such as adding users, adding groups, accessing applications and quickly checking the health of Azure AD Connect.

The Other capabilities tile gives links to features such as PIM and IM.

The Recommended tab gives you recommendations to make your setup better. The beauty of it is that clicking on each link brings you directly to the task to enable or configure it.

If you click on the notification at the top, it brings you to a page listing more information about the preview and quick links to set up your Azure AD infrastructure.

The navigation on the right links to the different sections.

The Users and groups link brings you to the section where you can manage your users and groups. What I like is that it also lists all the functions associated with the feature, such as password reset.

Clicking on a user account lists its activities, group membership and profile details. On the same page there are options to reset the password or even to delete the account.

Under Activity you can review the sign-in and audit logs.

The Enterprise applications option brings you to the page where you can review application usage under the directory.

The App registrations option brings you to the page where you manage your app registrations.

The Azure AD Connect link gives you the option to set up the initial sync or to manage an already configured sync. It also gives links to load Azure AD Connect Health.

The Domain names option allows you to manage your domain names: you can add domain names, delete them, etc.

The Password reset option lets you set up and manage the self-service password reset feature. By the way, you need an Azure AD Premium subscription to use this feature.

Company branding option – this is a really useful feature. There you have options to customize the login pages with your company's own logo, text etc.

User settings is where you manage the privileges users have on the Azure Active Directory instance.

Last but not least, if you still wish to manage Azure AD using the classic portal, you can navigate to it using the Classic portal option.

This new feature is a really big improvement for Azure AD management, and I hope lots of you agree.

If you have any questions, feel free to contact me on rebeladm@live.com

STEP-BY-STEP GUIDE TO AZURE AD PRIVILEGED IDENTITY MANAGEMENT – PART 2

In my previous post in this series I explained Azure AD Privileged Identity Management, including its features and how to get it enabled. If you have not read it yet, you can find it using this link.

In this post I am going to show you more of its features and capabilities.

How to manage privileged roles?

The main point of privileged identity management is that administrators get the required privileges only when they need them. In part 1 of this series the Billing Administrator and Service Administrator roles were made eligible for identity management, which removes the permanent permissions that were assigned through those roles.

If you still need to make one of the accounts a permanent administrator, let's see how we can do it.

Log in to the Azure portal as a global administrator (the account should be associated with the relevant AD instance).

Open Azure AD Privileged Identity Management from the portal.

Then click on Manage privileged roles.

The next page lists a summary of the roles. Let's assume we need to make one of the billing administrators "permanent". To do that, click on Billing Administrator.

It lists the users who are eligible for the role; click on the account you need to make permanent.

Then click on More on the next page and choose the Make permanent option.

Once completed, the account shows as permanent.

In the same way we can add an administrator to a role, and a new role can be added there too. Click on Roles on the Manage privileged roles page.

Then click on Add.

Then, under Roles, click on the role you are going to add.

Then, under Select users, find the user using search and click on Done.

How to activate roles?

Now we have the roles, but how can we use them with time-bound activation (just-in-time administration)?

Go to the role page again as in the previous section. In my demo I am going to use the Service Administrator role.

Then click on Settings.

The next window shows the option to define the activation duration. We can also enable notifications, so an email is sent to the admin whenever the role is activated, and there is an option to require a ticket or incident number, which is important to justify the privileged access. Multi-factor authentication can also be required on activation to make sure the request is legitimate.

Once you are satisfied with the settings, click on Save to apply them.

Then, for testing, I logged in to the Azure portal as the security administrator.

Then go to the Privileged Identity Management page and click on Service Administrator.

Then click on the Activate button to activate the role.

According to the settings, it asks for a ticket number for the activation. Once the information is entered, click on OK.

Perfect, now it says when the activation expires and also shows that the role has been activated.

Now I changed the login and logged back in as the global administrator.

If you go to the Privileged Identity Management page and click on Audit history, you can see all the events.
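The activation flow walked through above (eligible versus permanent members, a time-bound activation gated by a ticket number and MFA, the admin notification, and the audit history) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from Microsoft; the role names mirror the post, while the user accounts, the RoleSettings fields and the audit record layout are assumptions made for this example and are not Azure's own API or data format.

```python
"""Added example, not from the original post: a model of PIM role activation
(eligible vs permanent members, time-bound activation, ticket and MFA
requirements, notifications, audit history). Accounts, RoleSettings fields
and the audit layout are this example's assumptions, not Azure's API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class RoleSettings:
    """Per-role activation policy, like the Settings blade in the post."""
    max_activation_hours: int = 1
    require_ticket: bool = False
    require_mfa: bool = False
    notify_admins: bool = False


@dataclass
class Activation:
    user: str
    role: str
    activated_at: datetime
    expires_at: datetime
    ticket: Optional[str]


@dataclass
class PrivilegedRole:
    name: str
    settings: RoleSettings
    permanent: Set[str] = field(default_factory=set)  # standing members
    eligible: Set[str] = field(default_factory=set)   # must activate first
    active: Dict[str, Activation] = field(default_factory=dict)


class PimDirectory:
    def __init__(self) -> None:
        self.roles: Dict[str, PrivilegedRole] = {}
        self.audit: List[dict] = []          # every change lands here
        self.notifications: List[str] = []   # emails the admin would receive

    def _log(self, actor: str, action: str, role: str, **extra) -> None:
        self.audit.append({"actor": actor, "action": action, "role": role, **extra})

    def add_role(self, name: str, settings: Optional[RoleSettings] = None) -> None:
        self.roles[name] = PrivilegedRole(name, settings or RoleSettings())

    def make_eligible(self, admin: str, role: str, user: str) -> None:
        r = self.roles[role]
        r.permanent.discard(user)  # eligibility removes the standing assignment
        r.eligible.add(user)
        self._log(admin, "make_eligible", role, target=user)

    def make_permanent(self, admin: str, role: str, user: str) -> None:
        r = self.roles[role]
        r.eligible.discard(user)
        r.permanent.add(user)
        self._log(admin, "make_permanent", role, target=user)

    def activate(self, user: str, role: str, now: datetime, hours: int,
                 ticket: Optional[str] = None, mfa_passed: bool = False) -> Activation:
        """Grant the role for a bounded time if the role's policy is satisfied."""
        r = self.roles[role]
        if user not in r.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        s = r.settings
        if s.require_ticket and not ticket:
            raise ValueError("ticket or incident number required")
        if s.require_mfa and not mfa_passed:
            raise ValueError("multi-factor authentication required")
        if hours > s.max_activation_hours:
            raise ValueError(f"activation capped at {s.max_activation_hours}h")
        act = Activation(user, role, now, now + timedelta(hours=hours), ticket)
        r.active[user] = act
        self._log(user, "activate", role, ticket=ticket, expires=act.expires_at.isoformat())
        if s.notify_admins:
            self.notifications.append(f"{user} activated {role} until {act.expires_at:%H:%M}")
        return act

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Permanent members always hold the role; eligible ones only while activated."""
        r = self.roles[role]
        if user in r.permanent:
            return True
        act = r.active.get(user)
        return act is not None and act.activated_at <= now < act.expires_at


def try_activate(d: PimDirectory, *args, **kwargs) -> Optional[str]:
    """Return the policy error message, or None when the activation succeeded."""
    try:
        d.activate(*args, **kwargs)
    except (PermissionError, ValueError) as e:
        return str(e)
    return None


def demo():
    """The post's walkthrough: make a billing admin permanent, then have an
    eligible service administrator activate with a ticket number and MFA."""
    d = PimDirectory()
    d.add_role("Billing Administrator")
    d.add_role("Service Administrator", RoleSettings(
        max_activation_hours=4, require_ticket=True, require_mfa=True, notify_admins=True))
    gadmin, alice, bob = "ga@example.test", "alice@example.test", "bob@example.test"  # constructed
    d.make_eligible(gadmin, "Billing Administrator", alice)
    d.make_permanent(gadmin, "Billing Administrator", alice)
    d.make_eligible(gadmin, "Service Administrator", bob)
    t0 = datetime(2016, 1, 1, 9, 0)
    act = d.activate(bob, "Service Administrator", t0, hours=2, ticket="INC-0001", mfa_passed=True)
    return d, t0, act
```

Running `demo()` and printing `d.audit` gives the same kind of trail the Audit history blade shows: who made whom eligible or permanent, and each activation with its ticket and expiry. The point of `has_role` is that an eligible member holds the role only inside the activation window, which is what makes the access just-in-time rather than standing.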

I hope this series adds to your knowledge about Azure AD Privileged Identity Management. If you have any questions, feel free to contact me on rebeladm@live.com

It’s happening!!!!, in Redmond – MVP Global Summit 2015

After a boring 10-hour flight, here I am in Seattle for the Microsoft MVP Global Summit 2015. This is my first MVP summit and it is a real honour to be part of this great family.

Once a year, MVPs from all around the world join the MVP Global Summit to share "knowledge" and "experience", which is worth more than anything.

I am sure it's going to be an amazing experience. Hopefully the weather will settle down too.

Big thanks to Microsoft for planning the event so well. I am already impressed by the transportation between the hotel and the event, well done!! Also for the nice gifts!

Automatic IP addressing

There are lots of ways to configure DHCP services. Most modern routers and switches come with an inbuilt DHCP server which can simply be configured for the network. We can also configure operating-system-level DHCP servers in Windows and Linux environments.

As a demo I will be setting up DHCP at the router level, using Cisco Packet Tracer as the simulator. In this setup I will be configuring the 10.10.10.0/24 IP range.

Let's look into some of the commands that will be used on the router to configure this.

All these commands should be run from global configuration mode.

| Command | Description |
|---|---|
| ip dhcp pool xxxxx | Creates a DHCP pool on the router. You can choose your own name for the pool. |
| network 10.10.10.0 /24 | Defines the IP range the DHCP clients will be allocated from. You can define this range as you wish. |
| domain-name mydomain.com | Defines the DNS domain name for the clients. This is optional and can be left out if you do not need it. |
| dns-server 10.10.10.1 | Defines the DNS server the DHCP clients will use. This is a must, as it is needed for proper communication. |
| default-router 10.10.10.1 | Defines the default gateway for the DHCP clients; this is the gateway address they will get on their NIC. |
| lease | Defines the lease time of an IP from the DHCP pool. For example, with a lease time of 2 days a host keeps the same IP for 2 days before it has to contact the DHCP server again. |

In the demo I will be using the following:

| Device | IP |
|---|---|
| Cisco Router 2811 | 10.10.10.1 |
| Cisco Switch 2960 | 10.10.10.2 |
| DHCP Pool Range | 10.10.10.0/24 |
| 2 Laptops | Will get IP addresses from DHCP |

Here the initial configuration has already been done on the switch and the router, as I explained in detail in the previous post. They have a basic security setup and IP addresses assigned.

To configure DHCP on the router we need to use the following commands in global configuration mode.

> ip dhcp pool Greenwich-DHCP (this sets the name of the DHCP pool to Greenwich-DHCP)
> network 10.10.10.0 255.255.255.0 (this defines the DHCP IP range the DHCP clients will use)
> dns-server 4.4.4.4 (this defines the DNS server for the DHCP clients; here I used an open DNS server for now)
> default-router 10.10.10.1 (this defines the default gateway for the DHCP clients)

Here I cannot use some of the commands, due to the limitations of Cisco Packet Tracer.

After this you need to save the router's configuration. Otherwise the running config will disappear with a power cycle.

Now we need to test whether it is providing IP addresses to the laptops connected to the switch as we wanted.

To do that, I configured one of the PCs to use DHCP and checked the result.

As we can see, it got its DHCP IP address from the router.
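The pool above can be checked before it ever reaches a router. The following is an added example, not code from the original post or from Cisco: it uses Python's ipaddress module to validate the settings, render the equivalent IOS lines, and hand out leases to the two laptops. The addresses follow the post (10.10.10.0/24, router 10.10.10.1, switch 10.10.10.2, DNS 4.4.4.4); excluding the statically assigned router and switch addresses from the pool is this example's own addition (the IOS command for that is ip dhcp excluded-address, which the post's demo does not use), and the MAC addresses are constructed.

```python
"""Added example, not from the original post or Cisco: a model of the
router-level DHCP pool built above. Addresses follow the post; excluding
the router's and switch's static addresses is this example's own addition."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


class DhcpPool:
    def __init__(self, name: str, network: str, default_router: str, dns_server: str,
                 domain_name: Optional[str] = None, lease_days: int = 1, excluded=()):
        self.name = name
        self.network = ipaddress.ip_network(network, strict=True)
        self.default_router = ipaddress.ip_address(default_router)
        self.dns_server = ipaddress.ip_address(dns_server)
        self.domain_name = domain_name
        self.lease = timedelta(days=lease_days)
        self.excluded = {ipaddress.ip_address(a) for a in excluded}
        # client MAC -> (leased address, lease expiry)
        self.leases: Dict[str, Tuple[ipaddress.IPv4Address, datetime]] = {}
        self.validate()

    def validate(self) -> None:
        """Reject settings that would leave clients with an unreachable gateway
        or let the pool hand out an address a device already uses statically."""
        if self.default_router not in self.network:
            raise ValueError("default-router must be inside the pool's network")
        if self.default_router not in self.excluded:
            raise ValueError("default-router address must be excluded from the pool")
        for a in self.excluded:
            if a not in self.network:
                raise ValueError(f"excluded address {a} is outside the pool's network")

    def render_ios(self) -> List[str]:
        """Global-configuration lines equivalent to this pool."""
        lines = [f"ip dhcp excluded-address {a}" for a in sorted(self.excluded)]
        lines += [f"ip dhcp pool {self.name}",
                  f" network {self.network.network_address} {self.network.netmask}",
                  f" default-router {self.default_router}",
                  f" dns-server {self.dns_server}"]
        if self.domain_name:
            lines.append(f" domain-name {self.domain_name}")
        lines.append(f" lease {self.lease.days}")
        return lines

    def allocate(self, mac: str, now: datetime) -> Optional[ipaddress.IPv4Address]:
        """Hand out a lease for a client (by MAC), or renew the one it already holds."""
        mac = mac.lower()
        if mac in self.leases:                      # renewal keeps the same address
            ip, _ = self.leases[mac]
            self.leases[mac] = (ip, now + self.lease)
            return ip
        self.leases = {m: v for m, v in self.leases.items() if v[1] > now}  # drop expired
        in_use = {ip for ip, _ in self.leases.values()}
        for host in self.network.hosts():
            if host not in self.excluded and host not in in_use:
                self.leases[mac] = (host, now + self.lease)
                return host
        return None                                 # pool exhausted


def config_error(**kwargs) -> Optional[str]:
    """Return the validation error for a pool definition, or None if it is sound."""
    try:
        DhcpPool(**kwargs)
    except ValueError as e:
        return str(e)
    return None


def demo():
    """The post's demo: one pool, two laptops, then a renewal one day later."""
    pool = DhcpPool("Greenwich-DHCP", "10.10.10.0/24", default_router="10.10.10.1",
                    dns_server="4.4.4.4", lease_days=2, excluded=["10.10.10.1", "10.10.10.2"])
    t0 = datetime(2015, 1, 1, 8, 0)
    laptop1, laptop2 = "00:11:22:33:44:55", "00:11:22:33:44:66"  # constructed MACs
    first = pool.allocate(laptop1, t0)
    second = pool.allocate(laptop2, t0)
    renewed = pool.allocate(laptop1, t0 + timedelta(days=1))
    return pool, (str(first), str(second), str(renewed))
```

With the router and switch addresses excluded, the first laptop receives 10.10.10.3 and keeps it when it renews within the 2-day lease; without the exclusion the pool would have offered 10.10.10.1, which the router already holds, and the client would have ended up with a duplicate address.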

OSI in Action

As a network administrator or network student it is important to have a clear understanding of the OSI model, and of how a network process moves through it.

In this post I will explain a simple IT process using the OSI model. Let's assume your HR manager sends an email about a meeting to the Head of IT using her email client. Let's see how the email is delivered through the 7 layers.

When a computer communicates with another host, the data goes through all 7 layers, top to bottom on one side and bottom to top on the other. Within one side, each layer can talk only to the layer above or below it.

Each layer talks to the corresponding layer on the other side when it communicates. For example, the application layer on one end will only talk to the application layer on the other end; it cannot talk to any other layer, so the application layer cannot talk to the presentation layer on the other side.

So let's move into the given scenario. As the first step, the HR manager sends the email. To send the email from her computer she will be using an email client; it can be Outlook Express, MS Office Outlook, Thunderbird, Mac Mail etc. This process happens in the Application Layer of the OSI model. It provides the interface for the user to tell the computer how to handle the data. In this scenario, since it is email, the email client will use the SMTP protocol and its commands to tell the computer how to handle that data.

Then the email starts to operate in the Presentation Layer of the OSI model. In this layer the email content is converted into network formats; it defines how the data will be presented. So the email text is converted into ASCII and images are specified as TIFF, JPEG, etc. The other important things that happen in this layer are data encryption and data compression. Encryption defines how secure the communication should be as it goes down through the OSI layers; for example, in this layer you can use SSL (Secure Sockets Layer) to encrypt the data. Compressing the data in this layer can improve the throughput of the data along the lower layers.

As the email starts to operate in the Session Layer, this layer is responsible for starting, handling and terminating the connection with the other end. So in this scenario the session layer is responsible for keeping the connection with the Head of IT to deliver the email correctly. At any given time a computer has more than one connection open, to different hosts. For example, while the HR manager sends the email she may also have a website open in Internet Explorer. So when data packets are sent and received, how does the computer know which application a packet belongs to? Or if she opens 2 websites at the same time, how does the computer know which browser tab a received packet should go to? The answer is the session layer. The session layer creates, manages and terminates the "connections" to the relevant host. This is done based on port numbers: it separates the connections using random ports so the connections are not mixed up. Without connections the data will not flow through the OSI layers.

As the email goes down to the next layer, it starts to operate in the Transport Layer. This is the layer which decides reliability and flow control. Here the email data from the HR manager is broken into segments for transmission. It also needs to be decided whether this will be transmitted as TCP packets or UDP packets. TCP provides reliability: it always acknowledges the transfer of each data packet, so once a TCP packet reaches the receiver end, the receiver confirms that the packet was received and the sender always knows the packet was transferred properly. UDP on the other hand is faster but has no reliability; it does not provide any acknowledgment of packet transfer. In this scenario the email will use TCP port 25, which is used by the SMTP protocol. The sender port as well as the receiver port are defined in this layer; since the receiver also gets it as email, it is going to be port 25, and it is going to be a reliable data packet transfer. The other important thing in this layer is that, since the data is broken into segments, the other party must be able to reassemble them in the correct order once the packets are received. This flow control is also defined by this layer, so when the other user receives these packets they can be reassembled in the correct order.

As the email data packet flows into the Network Layer, this layer defines how the routing of the data packet happens. To send a data packet from one location to another there must be some way of identifying the exact receiver among all the hosts. It is like sending postal mail to someone: to identify that house among all the houses in the area it has an address, so when mail is sent to that address it is delivered properly by checking the address. So in this layer the route from the HR manager's computer to the Head of IT's computer is defined, from which location to which it should be delivered. It adds the sender IP address and the receiver IP address to the data packet. Now each data packet knows where it should go.

As the packet moves further down the layers it reaches the Data Link Layer. Now the email data packet is prepared to be sent over Ethernet. For that, the data packet is converted into data frames. As we know, in the network layer the packet was marked with the sender IP and the receiver IP address. Once the data is received by the receiver's network, how exactly does it know it should go to this particular computer? The Head of IT may be checking emails from a different network with lots of computers, so when the email packets reach that network there must be a way to send them to the exact computer. It is like this: let's say you send postal mail to a friend's house. If there are 5 people in that house, how does the postman know whom it goes to? If you mention the name of the receiver, he knows. The data link layer does the same thing: it adds the physical address, also known as the MAC address, to the data frame. The MAC address is mainly a burned-in address on the NIC. It is a unique address; there won't be 2 MAC addresses with the same value. So with this address it can easily identify exactly which host the packet should be delivered to. In this layer the sender MAC address as well as the receiver MAC address are added to the data frame and it is sent on.

Now the data is ready to be transmitted to the receiver side. In the Physical Layer the data frames are prepared for transmission: the data frame is converted into bits. After the conversion it is sent over the physical media, which means through your NIC, Ethernet cable, wireless connection etc. In this layer there is not much more preparation or activity than that.

Now the data frames are off the sender machine and on their way to the receiver end, but they still have to pass several major points. As soon as they leave the NIC, the first stop is the switch the sender's computer is connected to. The only layers operating in this process are the data link layer and the physical layer, which means the data link layer information in the data frame is modified with the destination MAC address and sender MAC address. So in the given scenario the sender MAC is the HR manager's NIC MAC and the destination MAC is going to be the switch port. That is the only change that happens in the data frame. Then it looks for the email server, because to deliver email it first has to go to the email server. In this scenario I assumed it is in the same office environment. So it looks for the email server and the headers are again modified with MAC addresses: the destination is the email server's NIC MAC address and the sender is the switch port's MAC. Now the switch checks whether this destination can be reached; at the same time, remember, it removed the old data link layer MAC addresses, as those are no longer needed. If the switch can find the destination in its ARP table it then forwards the data frame to the NIC of the email server. If it cannot find it, it sends the frame up to the network layer, where routers work; it checks at the network layer whether the original destination, the email server, is in the same network or not, and if not it sends it out, since it knows how to handle those paths. Then it goes point to point, modifying its headers based on the destinations.

But here I assumed it is connected in the same network, so it will not go out via a router. Once the email server receives the request it processes it and sends it to the receiver's mailbox. Then the email server sends the new data frame to the switch to be processed on to the receiver. In that frame the data link layer headers are again modified and the new destination and sender MAC addresses are added. Then the switch again has to find the receiver's destination; the process is exactly the same as the one it followed to find the email server in the first place. Once it finds the correct port the data frames are delivered via the Ethernet cable, which works under the physical layer.

Once it reaches the NIC card of the receiver end, which means the physical layer of the Head of IT's side, it starts to remove the header information that was added by the sender and get at the data inside. In the physical layer it converts the bits into data frames and sends them up to the data link layer for further processing.

Once the data packet comes into the data link layer, it removes all the MAC address information embedded in the frame's header. Then it converts the frames into IP packets and sends the packets up to the network layer.

Once the network layer receives the packets it removes the IP header information, which includes the sender IP address and the receiver IP address. Since the packet has been received by the correct party, that information is not needed any more. After removing it, the IP packets become segments, which are sent up to the transport layer.

When the data segments move to the transport layer, based on the protocol used, for example TCP, it reassembles them into order. On the sender side the data was broken into segments before the transmission started; on the receiver end it needs to be put back into the proper order to make up the actual data. Another important thing is that it reads the port used in the segments and determines which application the data should be passed to. Based on this alone it identifies whether it is HTTP, SNMP or FTP data; in our scenario it is SMTP, TCP port 25. After converting the segments into the actual data it is passed to the session layer.

Once the data reaches the session layer, based on the session information it identifies which communication this data belongs to. Let's say the user has a few email applications such as Outlook Express, IncrediMail etc. All of these work with SMTP port 25, but there must be a way to identify which mail client this should be delivered to, and the session information makes this connection. Once the connection is made it moves the data up to the presentation layer.

As it reaches the presentation layer, it uses the information there to determine how the data should be presented to the application. If any encryption was applied by the sender's presentation layer it is decrypted here, and if the data was compressed it is decompressed in this layer. Once all of this is done it is ready to be presented to the receiver, the Head of IT.

Now everything is ready to present the content the HR manager sent in the Head of IT's email client. All the header details that were added have been removed and only the data is delivered to his email client. With this the whole process is completed successfully.

OSI (Open Systems Interconnection) Model

OSI Model

OSI stands for Open Systems Interconnection. This model was developed in 1984 by the International Organization for Standardization (ISO).

There was a requirement for some sort of standard for the industry. There were a few main reasons why we needed a layered model:

•    Standard for hardware vendors – the biggest advantage of the OSI layers is for hardware vendors. With layered standards they can develop their products according to a layer, so it won't affect the data communication patterns of the other layers.

•    Changes mostly affect only their own layer – changes made on one layer will rarely affect the other layers' standards.

•    Troubleshooting – with a layered model troubleshooting is easier. Troubleshooting steps and actions can be broken down according to the layers, which helps find the problem in an effective manner.

| Layer | Description |
|---|---|
| Layer 7 – Application Layer | This layer is responsible for the user interface; the software we use day to day goes in this layer, for example email programs, FTP programs, telnet etc. Everything dealt with on this layer is an application. The unit of data at this layer is known as "Data". Please remember that only applications that need network access fall into this category; applications like Word and Excel do not belong to this layer. |
| Layer 6 – Presentation Layer | In this layer the data that comes from the application layer is converted into a standard format that the other layers can understand, and the other way round too. Encrypting and decrypting happen on this layer. The unit of data that moves through the layer is still known as "Data". |
| Layer 5 – Session Layer | This layer establishes, manages and terminates sessions with applications. For example, if you have 3 tabs open in your browser visiting 3 different sites, the session layer is the one that identifies which data connection goes to which tab. The unit of data that moves through the layer is still known as "Data". |
| Layer 4 – Transport Layer | This layer maintains reliable transmission of data segments. TCP/IP operates on this layer. It also handles flow control of data and error checking and recovery between hosts. The unit of data that moves through the layer is known as a "Segment". |
| Layer 3 – Network Layer | This is the layer where routing happens. IP addresses also work on this layer. It determines the paths to transfer data from one point to another. Devices like routers also work under this layer. The unit of data that moves through the layer is known as a "Packet". |
| Layer 2 – Data Link Layer | In this layer data is encoded/decoded into bits. MAC addresses work under this layer. It defines the mechanism used to move data onto the network, such as Ethernet, Token Ring etc. The unit of data that moves through the layer is known as a "Frame". |
| Layer 1 – Physical Layer | This layer defines the media that carries data across the network; for example network cables, hubs etc. fall into this layer. The unit of data that moves through the layer is known as "Bits". |
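The encapsulation described in the "OSI in Action" walkthrough above (data, then a TCP segment with port 25, then an IP packet with both addresses, then an Ethernet frame with both MACs, then bits) and the unit names in the layer table just above can be made concrete with real header layouts. The following is an added example, not code from the original posts: it packs genuine Ethernet, IPv4 and TCP headers with Python's struct module, computes the IPv4 header checksum, turns the frame into bits for the physical layer, and then unwraps it on the receiving side. The MAC and IP addresses are constructed sample values; only the two end hosts are modelled, not the switch between them, and the session and presentation steps are reduced to ASCII encoding so the layer boundaries stay visible.

```python
"""Added example, not from the original posts: the HR manager's message
encapsulated down the stack with real Ethernet, IPv4 and TCP header layouts,
turned into bits, then unwrapped on the receiving side. Addresses are
constructed sample values; only the two end hosts are modelled."""
import struct

ETH_FMT = "!6s6sH"          # dst MAC, src MAC, EtherType
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst
TCP_FMT = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, csum, urg
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
SMTP_PORT = 25


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(message: str, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int = SMTP_PORT) -> bytes:
    """Sender side: Data -> Segment -> Packet -> Frame."""
    data = message.encode("ascii")                        # L7-L5: the email text, ASCII-encoded
    seg = struct.pack(TCP_FMT, src_port, dst_port, 1, 1,  # L4: TCP header, 5 words long,
                      5 << 4, 0x18, 65535, 0, 0) + data   # PSH|ACK, TCP checksum left zero
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(seg), 1, 0, 64, PROTO_TCP, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))  # L3: IPv4 header, checksum zeroed
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill in real checksum
    return struct.pack(ETH_FMT, mac_bytes(dst_mac), mac_bytes(src_mac),
                       ETHERTYPE_IPV4) + hdr + seg         # L2: Ethernet frame


def to_bits(frame: bytes) -> str:
    """L1: the frame as it leaves the NIC, one character per bit."""
    return "".join(f"{b:08b}" for b in frame)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decapsulate(frame: bytes) -> dict:
    """Receiver side: strip each header in turn, checking the IPv4 checksum."""
    dst_mac, src_mac, etype = struct.unpack(ETH_FMT, frame[:14])
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip_hdr = frame[14:34]
    if ip_checksum(ip_hdr) != 0:          # a valid header sums to zero with its checksum
        raise ValueError("IPv4 header checksum mismatch")
    ver_ihl, _, total_len, _, _, _, proto, _, src_ip, dst_ip = struct.unpack(IPV4_FMT, ip_hdr)
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    seg = frame[14 + ihl:14 + total_len]
    sport, dport, _, _, off, _, _, _, _ = struct.unpack(TCP_FMT, seg[:20])
    data = seg[(off >> 4) * 4:]
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
            "src_port": sport, "dst_port": dport, "message": data.decode("ascii")}


def check_frame(frame: bytes):
    """Return None if the frame unwraps cleanly, else the error message."""
    try:
        decapsulate(frame)
    except ValueError as e:
        return str(e)
    return None


def demo(message: str = "Meeting tomorrow at 10 in room 3."):
    """Constructed scenario: HR manager's host -> Head of IT's host over SMTP."""
    frame = encapsulate(message, "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02",
                        "192.168.1.10", "192.168.1.20", src_port=50000)
    wire = to_bits(frame)                   # what the physical layer carries
    return decapsulate(from_bits(wire)), len(frame), len(wire)
```

The 33-byte message leaves the host as an 87-byte frame (14 bytes of Ethernet, 20 of IPv4 and 20 of TCP header around it) and as 696 bits on the wire; the receiver peels the same three headers off in reverse order and finds port 25, which is how it knows the payload is SMTP. The checksum check in `decapsulate` is the kind of integrity test the lower layers perform before handing data upward: corrupt a single byte of the IP header and the frame is rejected rather than delivered.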


Equipment that matches the above network design

| Layer | Devices | Protocols |
|---|---|---|
| Layer 7 – Application Layer | No devices match here; user applications such as email clients, FTP programs etc. | FTP, HTTP |
| Layer 6 – Presentation Layer | No devices or applications for this layer | TELNET |
| Layer 5 – Session Layer | No devices or applications for this layer | NetBIOS, RPC (Remote Procedure Call) |
| Layer 4 – Transport Layer | No devices or applications for this layer | TCP, UDP |
| Layer 3 – Network Layer | Layer 3 switch as core switch (Cisco WS-C3550), IP addresses | IPv4/IPv6, ICMP, IPsec |
| Layer 2 – Data Link Layer | 3 layer 2 manageable switches (Cisco WS-C3750, 48 ports), MAC addresses | ARP, CDP (Cisco Discovery Protocol), Ethernet |
| Layer 1 – Physical Layer | Network cables, NICs | USB, DSL, ISDN |

ip routing vs. ip default-gateway

When we talk about Cisco switches, "ip routing" and "ip default-gateway" are two common commands we use to configure routing information. But if you don't use these 2 carefully they can cause some serious routing issues. You cannot use both of them at the same time on any switch.

Use of ip default-gateway

To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.

ip default-gateway ip-address

ex: ip default-gateway 172.16.15.4

This command is used on layer 2 switches to define their default gateway.

Here we define the gateway for this range of IPs, since a layer 2 switch does not have any routing capability itself.

Use of ip routing

Since the introduction of layer 3 switches, routing capability has been added to the switch, which means a layer 3 switch can also act as a router.

ip routing is not enabled by default on a layer 3 switch, so it will not find any routing details. To enable it, all you need to do is go to the configuration terminal and type

ip routing

But before doing this you need to make sure that you do not have a default gateway set up there. If you enable ip routing while a default-gateway is configured you will lose access to the switch. This matters even more if you are connected remotely.

What are the issues if you have configured default-gateway on a layer 3 switch?

If you have different classes of IPs configured on the switch this will cause a lot of issues. For example, let's say on your layer 3 switch you have one class as the main IP and a different class for the ports. Then you have a requirement to break it into VLANs, so you break it into subnets, create new VLANs and assign them to a user PC or server. In that case you will only be able to ping the gateway IP (the VLAN interface IP) and nothing else, and the server or PC will not be able to access the internet or ping anything. This is because the switch is not getting any routing information about these networks. To fix it you have to disable the default gateway with the no ip default-gateway command and then enable ip routing.
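The two mistakes described above (ip default-gateway left in place when ip routing is turned on, and several VLAN interfaces on a layer 3 switch with ip routing still off) are easy to catch by reading the saved configuration before the change window. The following is an added example, not code from the original post or from Cisco: a small audit that scans a switch configuration text and reports those combinations. The four sample configurations are constructed for this example, and the finding codes are this example's own labels.

```python
"""Added example, not from the original post or Cisco: audit a saved switch
configuration for the ip default-gateway / ip routing conflicts described
above. Sample configs and finding codes are constructed for this example."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, explanation)


def audit_switch_config(config: str) -> List[Finding]:
    """Scan one running-config and return the problems found, in a fixed order."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):   # skip blanks and IOS comments
            lines.append(line)
    ip_routing = "ip routing" in lines          # "no ip routing" does not match
    gateways = [l.split()[-1] for l in lines if l.startswith("ip default-gateway ")]
    svis = [l for l in lines if re.match(r"interface vlan\s*\d+$", l, re.IGNORECASE)]
    static_default = any(l.startswith("ip route 0.0.0.0 0.0.0.0") for l in lines)

    findings: List[Finding] = []
    if ip_routing and gateways:
        findings.append(("MIXED_GATEWAY_AND_ROUTING",
                         "ip routing and ip default-gateway are both configured; the gateway "
                         "is ignored once routing is on. Remove it with 'no ip default-gateway' "
                         "before enabling ip routing, or management access may be lost."))
    if len(gateways) > 1:
        findings.append(("MULTIPLE_DEFAULT_GATEWAYS",
                         f"more than one ip default-gateway configured: {gateways}"))
    if len(svis) > 1 and not ip_routing:
        findings.append(("SVIS_WITHOUT_ROUTING",
                         f"{len(svis)} VLAN interfaces but ip routing is off: hosts can reach "
                         "only their own VLAN gateway; enable ip routing for inter-VLAN traffic."))
    if static_default and not ip_routing:
        findings.append(("STATIC_ROUTE_WITHOUT_ROUTING",
                         "ip route 0.0.0.0 0.0.0.0 has no effect while ip routing is disabled"))
    if not ip_routing and not gateways:
        findings.append(("NO_GATEWAY",
                         "routing is off and no ip default-gateway is set: the switch cannot "
                         "reach other subnets"))
    return findings


# Constructed sample configurations (not taken from any real device).
SAMPLES = {
    "l2-access": """\
! layer 2 access switch, management address on VLAN 1
hostname access-sw1
interface Vlan1
 ip address 172.16.15.10 255.255.255.0
ip default-gateway 172.16.15.4
""",
    "l3-no-routing": """\
! layer 3 switch split into two VLANs, still relying on a default gateway
hostname core-sw1
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
ip default-gateway 10.10.10.254
""",
    "l3-mixed": """\
! same switch after 'ip routing' was typed without removing the gateway
hostname core-sw1
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
ip default-gateway 10.10.10.254
ip routing
""",
    "l3-fixed": """\
! gateway removed, routing enabled, default route towards the edge router
hostname core-sw1
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.254
""",
}


def demo() -> dict:
    """Finding codes for each sample configuration."""
    return {name: [code for code, _ in audit_switch_config(cfg)]
            for name, cfg in SAMPLES.items()}
```

Running `demo()` reports nothing for the layer 2 access switch and for the corrected layer 3 switch, flags SVIS_WITHOUT_ROUTING for the switch that has two VLAN interfaces but no ip routing (the symptom described above, where hosts can ping only their own VLAN gateway), and flags MIXED_GATEWAY_AND_ROUTING for the switch where ip routing was enabled with the default gateway still present. Running this against a copy of the configuration before enabling ip routing is a cheap way to avoid losing remote access to the switch.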

If you have any questions, please feel free to ask me on rebeladm@live.com