PIX 2

CISCO PIX: BASIC PIX CONFIGURATION

Basic PIX configuration

There are only 6 steps that need to be taken to enable the PIX to be able to send packets to the outside world, known by some as the PIX SIX, they are:

Hostname
Interface
Nat-Control
Nat
Global
Route

Hostname:

This assigns a host name to the PIX and should be called something that is meaningful for that particular PIX. The prompt will change to what you call the PIX when you set this and is set in the configuration mode with the command ‘hostname ’, like so:

Code:
pixfirewall>en
password:
pixfirewall#conf t
pixfirewall(config)# hostname Belaga
Belaga(config)#


Notice ‘pixfirewall’ now becomes ‘Belaga’. Usually the firewall may be named after its geographic location, the service/project it is protecting etc. I look at it in such a way that if you have 3 different telnet sessions open to three different PIX’s you will always know exactly what you are configuring.

The hostname can be up to 63 alphanumeric characters in either uppercase of lowercase and defaults to ‘pixfirewall’ out of the box or when the ‘wr erase’ command is used followed by a reload.

Interface:

The interface command differs per PIX operating system, in version 7 it acts much like a Cisco router and drops you in to the ‘config-if’ sub context. On version 6.3 and earlier the prompt will not change and the command should be issued all on the one line. For this paper we are using version 7

The Interface or ‘int’ for short is the configuration command we use to allow us to alter the configuration of the PIX interfaces. We can assign it an IP address, subnet mask etc from this sub context.

Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)#


Notice with version 7 the prompt now changes to ‘config-if’ to let us know we are configuring an InterFace.

We can now configure the interface with a name, IP address, speed settings and duplex settings amongst others.

Code:
Belaga (config-if)# nameif outside


Although it is already named outside by default the above example is to show the relevant command. ‘nameif’ as is fairly obvious, is used to assign a name to the interface.

Next we need to assign an IP address and subnet mask:

Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)# nameif outside
Belaga (config-if)# ip address 80.80.80.80 255.255.0.0


If you make a mistake whilst entering this command, simply re-enter the correct information. The ‘clear configure ip’ command will clear ALL interfaces IP addresses to no IP address.

Interfaces can also be configured to pick up a DCHP assigned IP address, by using the ‘dhcp’ command.

Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)# nameif outside
Belaga (config-if)# ip address dhcp


The PIX will now pick up a DCHP IP address on the OUTSIDE interface.

There are various DHCP commands we can use to view information about the DHCP IP address, such as the lease time etc

Code:
Belaga# sh ip address outside dhcp lease


And

Code:
Belaga# sh ip address outside dhcp server


The above will both provide you with information about the DHCP server and details about the IP address that the interface has been assigned.

To stop the interface from getting a DHCP IP address we use the ‘no’ command before the dhcp command. So:

Code:
Belaga (config-if)# no ip address dhcp


*Most of the commands you issue via the CLI can be disabled by re-entering them with the word ‘no’ in front of them.*

Next we need to assign a security level to the interfaces (the INSIDE and OUTSIDE interfaces have a precompiled security level, but for this example we will set them anyway).
A security level can be between 0 and 100, with 100 being the highest and most trusted. See part one if you want to read more about security levels.

To set it we use the ‘security-level’ command:


Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)# nameif outside
Belaga (config-if)# ip address 80.80.80.80 255.255.0.0
Belaga (config-if)# security-level 0


By default interfaces with the same security level can not communicate, to enable it use the ‘same-security-traffic’ command. This may be handy when you have a DMZ and you want it to be able to communicate with the INSIDE network without NAT being preformed.

Code:

Belaga (config-if)# same-security-traffic


Next we need to tell the interface what speed and duplex settings we want it to operate at. By default all interfaces are set to automatic detection and will try to detect the best speed and duplex settings to work at. However sometimes you may need to configure them manually.

The speeds for an Ethernet cable you can choose from are 10, 100, auto or nonegotiate.

10 = 10BASE-T
100 = 100BASE-T
Auto = automatically sets the speed
Nonegotiate = for small form factor pluggable media types (SFP) and sets the speed to 1000Mbps.

Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)# nameif outside
Belaga (config-if)# ip address 80.80.80.80 255.255.0.0
Belaga (config-if)# security-level 0
Belaga (config-if)# speed 100
Belaga (config-if)# duplex full

Network Address Translation (NAT)

As this paper is about configuring a PIX and not explaining how network protocols work I will very briefly explain about NAT.

Network Address Translation enables you to prevent external hosts from learning your internal IP addresses.
It accomplishes this by translating internal IP address, which is not routable over the internet, in to a globally unique IP address, which is routable over the internet. If you assigned your PC an IP address of 192.168.2.2 and tried to put it directly on the internet you would neither be able to receive or send traffic as the first router would drop your packets as soon as it saw your IP address.

This poses a problem for anyone with more than one computer behind a single connection, as if the above is true we would need an external IP address for every single computer on our network – which is obviously not possible as all the valid IP addresses would be used up very quickly.

Enter NAT.

Providing certain criteria are met the PIX will translate internal addresses to an external address as per your configuration. To anyone looking from the internet it will look like you have an external IP assigned to you and in most cases will never find out your internal address.

When an outbound IP packet that is sent from a device on the INSIDE network reaches your PIX which has NAT configured the source address is extracted and then compared with a table of existing translations. If the source address is not already in this table, it is now translated to an address taken from our external pool of addresses called a Global Pool. The table is now updated and the packet is forwarded on with our new external IP address in the source address part of the frames header.

This entry will stay in the translation table for three hours by default (this can be changed manually) if no activity is detected for this translation after the three hours it is removed and the external IP is free to be used for another host.

Configuring NAT

To configure NAT we first need to tell the PIX which hosts/networks on our INSIDE interface are allowed to be translated and them we tell it what we would like them to be translated to.

We can configure NAT on a global level with the command ‘nat-control’. If we enter the nat-control command we are telling the PIX that all addresses need to be translated before packets can be sent out of another interface.

The opposite is ‘no nat-control’ which means that all hosts can send packets and only where a specific NAT rule has been entered will a translation take place. No nat-control is the default.

There are two types of NAT policies on a PIX; Inside NAT Policy and Outside NAT Policy.

As their names suggest if Inside NAT Policy is enabled all INSIDE hosts need to have an inside NAT rule configured, likewise it Outside NAT is enabled all OUTSIDE addresses must have an outside rule configured

We configure NAT by telling the PIX, which interface the hosts/network is on that we want to translate:

Code:
Belaga (config)# nat (inside) 1 0.0.0.0 0.0.0.0


The above tells the PIX that we want to perform nat on the (inside) interface, the 1 is the ‘nat group’ we have assigned it, this will be come apparent later, the 0.0.0.0 0.0.0.0 tells the PIX that we want to perform NAT on everything that is attached to the INSIDE interface. We could substitute this with 192.168.2.2 255.255.255.255 which would say that the host with that exact IP address needs to be NAT’ed or we could use 192.168.1.0 255.255.255.0 which would say that everything between192.168.0.1 and 192.168.0.255 needs to be translated.

*The 0.0.0.0 0.0.0.0 can be abbreviated to 0 0 however this can look a bit confusing to anyone not comfortable configuring a PIX so you may want to use 0.0.0.0 0.0.0.0.*

So now we have told it what IP addresses that require translating we need to tell the PIX what we want them translated to.
To do this we use the ‘global’ command.

Code:
Belaga (config)# global (outside) 1 80.80.80.81 – 80.80.80.200 netmask 255.255.255.0


The above command tells the PIX that we are assigning global IP addresses on the (outside) from NAT group 1 and the range of address available are 80.80.80.81 – 80.80.80.200

Our configuration so far:

Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)# nameif outside
Belaga (config-if)# ip address 80.80.80.80 255.255.0.0
Belaga (config-if)# security-level 0
Belaga (config-if)# speed 100
Belaga (config-if)# duplex full
Belaga (config-if)# end
Belaga# conf t
Belaga (config)# nat (inside) 1 0.0.0.0 0.0.0.0
Belaga (config)# global (outside) 1 80.80.80.81 – 80.80.80.200 netmask 255.255.255.0


So now all hosts on the INSIDE interface will be translated to an address between 80.80.80.81 to 80.80.80.200 whenever the send traffic from the INSDIE interface to the OUTSIDE interface.

*If the NAT command is used there MUST be a GLOBAL command, otherwise NAT will not work*

We can use static NAT’s that NAT a specific IP address either on the INSIDE or OUTSIDE interface to another IP on a different interface but this will be covered later in the Advanced PIX Configuration papers.

Route

Just like a router we need to tell the PIX where to send traffic destined for unknown and known IP addresses. We do this by configuring Static and/or Default Routes.

A static route is basically saying ‘To send a packet to the specified network, send it to this router’

A default route tells the PIX where to send traffic destined for an IP address/network not in its routing table. We normally configure a default route to state where internet traffic should go. It is impossible to enter every IP address on the internet in to the PIX’s routing table but it is easy to enter out internal networks in to it. So we say that, if there is no entry in the routing table, then the traffic is destined for the internet so send it here. If when the packet gets to the gateway it is not destined for the internet and has an internal IP, it will be dropped for reasons mentioned earlier.

Code:
Belaga (config)# route outside 0.0.0.0. 0.0.0.0 192.168.2.1 1


The above is an example of a default route. It is saying to route traffic out the outside interface if the IP address is not in the routing table 0.0.0.0. 0.0.0.0 to the router with the IP address of 192.168.2.1 which is 1 hop away.

Code:
Belaga (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1


The above is an example of a static route. This is telling the PIX that any traffic arriving on the inside interface destined for the 10.10.10.0 network should be sent to the router with the IP address of 10.10.10.1 which is 1 hop away.

Code:
Belaga (config)# interface ethernet0 (or ‘int e0’ for short)
Belaga (config-if)# nameif outside
Belaga (config-if)# ip address 80.80.80.80 255.255.0.0
Belaga (config-if)# security-level 0
Belaga (config-if)# speed 100
Belaga (config-if)# duplex full
Belaga (config-if)# end
Belaga# conf t
Belaga (config)# nat (inside) 1 0.0.0.0 0.0.0.0
Belaga (config)# global (outside) 1 80.80.80.81 – 80.80.80.200 netmask 255.255.255.0
Belaga (config)# route outside 0.0.0.0. 0.0.0.0 192.168.2.1 1
Belaga (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
Belaga (config)# end
Belaga#wr mem


There we have our finished initial BASIC configuration. We have named an interface, assigned it an IP address and subnet mask, told it what speed to operate at, told it that we want to NAT all hosts on the INSIDE interface to the external IP addresses of 80.80.80.81-200, we have gave it a default route to tell it where to send unknown traffic and we have told it where to send traffic destined for the internal network of 10.10.10.0.

Obviously the IP addresses are just for demonstration purposes and all interfaces will need to be configured as above for the PIX to work.

PIX 1

CISCO PIX: INTRODUCTION, HOW IT OPERATES AND THE CLI

The PIX Firewall.

The Cisco PIX firewall is one of the most popular brands of firewalls available today. Whilst they can be a very useful piece of equipment, it is not always straight forward to configure them.
Due to the nature of a Firewall and what it is used for it is essential to deploy and configure it correctly to prevent you inadvertently leaving your network wide open to attack when you thought it was secure.

The PIX comes in several form factors:

501 – This the cheapest and smallest firewall in the PIX range and is aimed almost exclusively at Small Office – Home Office (SOHO) setups. It can support up to 7500 concurrent connections and has 60 Mbps throughput.
Interface wise it has a 10/100BASE-T Ethernet interface for the outside connection (100BASE-T is only in version 6.3) and a four-port 10/100 switch for the inside interfaces. It can also support up to 10 simultaneous VPN connections. It does not support any failover at all.

As you can no doubt see it is only useful for the very small SOHO setup.

506E – Although more useful for the SOHO setup than the 501, the 506E is more geared up towards the ROBO setup (Remote Office – Branch Office) and is an ideal choice for a small – medium sized business if you don’t need any failover capabilities, a lot of VLAN’s or a very fast throughput of data.
It can provide 25,000 concurrent connections and 100 Mbps clear text throughput.
It has only two 10/100BASE-T interfaces and support for up to Two VLAN’s and can support up to 25 simultaneous VPN connections. It does not support version 7 of the PIX operating system or the ADSM utility, instead it has a less useful PDM for remote configuration.

515E – Is designed for small to medium sized businesses and enterprise networks. It can handle up to 130,000 concurrent connections and provides 190 Mbps of clear text throughput. It can have up to 6 10/100 Fast Ethernet interfaces, 25 VLAN’s and up to five contexts (contexts will be explained later).
It is the first PIX in the range that supports failover and version 7 of the PIX operating system. It can have up to 2,000 VPN tunnels and supports site to site and remote access VPN’s

525 – The 525 is probably the most common security appliance in the PIX range that you may come across due to its affodability Vs funcionality. It can support up to 280,000 concurrent connections, has 330 Mbps of clear text throughput, up to 10 10/100 Fast Ethernet interfaces, up to 100 VLAN’s and 50 contexts.
It supports failover and version 7 of the PIX operating System and up to 2,000 VPN tunnels.

535 -The Cisco PIX 535 is a high-performance, purpose-built security appliance designed for very large enterprise and service provider networks.

It supports up to ten 10/100 Fast Ethernet interfaces or nine Gigabit Ethernet interfaces and redundant power supplies, can handle up to 1.7 Gbps of firewall throughput with the capacity to handle more than 500,000 simultaneous sessions.

Certain PIX 535 models include an integrated hardware VPN acceleration card that delivers up to 440 Mbps of Triple Data Encryption Standard (3DES) VPN throughput and 440 Mbps of Advanced Encryption Standard-256 (AES) VPN throughput.


The PIX firewall range has a wide variety of add on cards and can work hand in hand with the Adaptive Security Appliance (ASA). There are too many add on cards and different ASA configurations to go in to here but the Cisco web site has all the information if you need to research it further.

Getting Started:

There are three ways to connect to the PIX:

1) Via the console cable
2) Via the PDM or for the 515 and later the ADSM
3) Via Telnet /SSH (needs to be configured first)

If you are comfortable with the Command Line Interface (CLI) on the PIX then the best way to connect is via the console port. To do this, simply attach the supplied console cable and open hyper terminal (or a terminal emulation program of your choice) set the baud rate to 9600 and press enter.

If you are not comfortable using the CLI then Cisco have provided a GUI for you to use. On the 501 and the 506E this is known as the PDM and on the 515 and above it is known as the ADSM.

Connect to the INSDIE interface of the PIX (Eth1) using a normal Cat5 Ethernet cable, open your web browser and type 192.168.1.1.If you get stuck trying to connect to the PIX to use the PDM/ADSM refer to the user manual and it will tell you the IP address range the DHCP server uses. This is usually 192.168.1.1/24 so either set your PC to receive an IP via DHCP or configure it in the correct subnet 192.168.1.2 is usually good with a 255.255.255.0 mask.

There is a known problem when using the PDM with Sun’s latest versions of Java. You need to have version 4 installed, which you can get from the archive pages on the Sun web site. If you can not connect you may need to remove the latest Java update from the Add/ Remove programs window in the control panel.( 5.0 update 5 and 5.0 update 6)

For now we will use the CLI.

Once connected there are four administrative modes you can be in:

1) Unprivileged
2) Privileged
3) Configuration
4) Monitor

When you first connect via the CLI you will be in unprivileged mode, which uses the > prompt:

Code:
Firewall>


Just like a router you would now type ‘enable’ or en for short

Code:
Firewall>en


If there is a password set you will now be prompted for a password, the PIX usually ships with the default password of either pix or cisco.

If you enter the password successfully you will now land in privileged mode, which uses the # symbol:

Code:
Firewall#


From the privileged mode you can issue most commands that will show you details about the configuration but will not allow you to alter the configuration except for setting passwords, writing configuration to memory and a few others:

Code:
Firewall#show running-config (or sh run for short)


The above command would show you the entire running configuration of the PIX.
To make and changes to the actual configuration of the PIX we need to be in configuration mode. We get this by using the command Configure Terminal (or conf t for short)

Code:
Firewall#conf t


The prompt will now change to:

Code:
Firewall#


This shows us we are in configuration mode. From here we can now change the configuration of the firewall.

Monitor mode is a special mode that enables us to update the OS image over a network to perform password recovery. Whilst in Monitor mode we can enter commands to specify the location of a TFTP server, the location of the updates software or a password recovery file to download.

As mentioned with most Cisco equipment that uses a CLI commands can be abbreviated to the fewest unique characters for that command.
So sh run is short for Show Running-Configuration, en is short for Enable, copy run start is short for copy running-configuration > startup-configuration.

The first thing we can do is set a password for the PIX to stop unauthorised access. It is easy to get so engrossed in the configuration of the PIX to forget to set a user password once finished, so I make it a habit to set the password on any device first.

There are 15 different access levels we can grant a user when he logs on to the PIX, with 15 being the highest. Depending on what password is used will depend on what access level the user is dropped in to.

To set the password we need to be in the privileged mode (the # prompt).

So

Code:
Firewall>en
Password:
Firewall#


We now issue the command enable password

Code:
Firewall#enable password tazzone123 15


Enable = we want to set the enable password (the password that is presented when the enable command is issued)
Password = we are setting the password and not giving the enable command.
Tazzone123 = the password we want to set
15 = the privilege level that anyone using that password will be granted. In this case the user will have total control of the PIX.


Before we go in to the configuration commands there are a few commands we need to know to save the configuration to memory and to erase it in case we mess it up!

Like a router the PIX has two different configurations; running configuration and start-up configuration.

The running configuration is what we are making all the changes to. If after making the changes we do not save it to the start-up configuration and the PIX was to be unplugged, suffer a power cut etc it would start up with the configuration that is in the start-up configuration and all our changes would be lost.

There is a twofold advantage to this – we can make changes ‘on the fly’ and if the firewall was to stop working as it should, we can just reload it and it will have its old configuration, the other benefit of it is if we are unsure of any changes that have been made we can use the sh start and the sh run commands to view both configuration’s and compare then to each other.

After we have made a change to the running configuration and are sure we want to keep it, the command ‘write memory’ is used to save the running configuration to the start-up configuration.

Code:
Firewall#write memory (or wr mem for short)


If we have made a complete hash of the running configuration and want to start over again but still retain the start-up configuration we can use the command ‘clear configure all’.

Code:
Firewall#clear configure all (or clear con all for short)


Finally if we want to clear everything and start from afresh we can use the command ‘write erase’

Code:
Firewall#write erase (or wr er for short)


You will be prompted to confirm that you do want to erase the start-up configuration, hitting Enter or typing Yes will clear the configuration.

We will still be active in the running configuration however so we need to either reload the PIX or copy the running configuration to the start-up configuration.

To reboot the PIX we use the command ‘reload’

Code:
Firewall#reload


We will be prompted to confirm we want to reload the device.

Or we can use the copy run start command to copy the running configuration to the start-up configuration:

Code:
Firewall#copy run start


If you are writing a script to send or paste straight in to the PIX we can issue the ‘reload noconfirm’ command – which will just reload the device without asking for confirmation.

*Before making any changes to the PIX once you have an up and running configuration you can copy the results of the ‘show run’ command in to a text editor such as notepad. Then if you ever need to revert back to the configuration you can just copy and paste it straight back in to the firewall.*

Security Levels

The whole concept of the PIX security appliance revolves around security levels. The more trusted the network the higher the security level.

Obviously the most un-trusted network is going to always be the internet – and the interface that is going to be attached to the internet is the OUTSIDE interface (Eth0) which has by default the security level of 0.

The most trusted network attached to the PIX is going to be your internal network, which funnily enough is attached to the INSIDE (Eth1) interface and has a security level of 100 by default.

*You can remember which interface is which by the Ethernet numbers, Eth0 = Outside interface, Eth1 = Inside network…. 0-Out 1-In)*

The interfaces came with the INSIDE and OUTSIDE names pre-complied and can not be changed, likewise the security levels can not be changed either.

Code:
Outside level 0 -<--<---<--|PIX|--<---<---<-Inside level 100


An interface that has a higher security level can by default send traffic to an interface with a lower security level – hence internal hosts attached to the inside network with a security level of 100 can by default pass traffic through the outside interface as it only has a security level of 0. Traffic can flow downhill but not uphill.

This allows for one way (outbound) connections with a minimum number of configuration changes. The PIX will monitor the outgoing packets and when the return packet comes in, it is checked to ensure it is a valid packet and if so, is sent on its way.


The outside interface as it has a 0 security level can not send traffic to the inside interface with out a preconfigured permission to do so in the form of an Access Control List (ACL)

If you were to add a third interface for a DMZ and give it a security level of 50, the INSDIE interface would be able to pass traffic to it by default, but with out an ACL the DMZ would not be able to initiate a connection to send data to the INSIDE interface and obviously the least trusted interface (OUTSIDE) would not be able to initiate any connection to any interface with out an ACL being in place.

It is possible to enable same security level traffic flow, so two interfaces with the same security level can pas traffic unhindered should you wish..


The PIX Adaptive Security Algorithm is a stateful approach to security, in so much as every inbound packet (the packet originating from a host on a less secure network destined for a host on a more secure network, i.e. DMZ (50) ->->-> INSIDE (100) ) is checked against a database called the State Table which is stored in the PIX’s memory which keeps the state of every connection that has passed through the PIX. This will tell the PIX if the packet is a return packet from a connection initiated from the INSIDE network, or if it has arrived out of the blue.

This table keeps a record of the original packets:-

1) Source IP Address
2) Source Port
3) Destination IP Address
4) Destination Port
5) Additional TCP / UDP Flags / Protocol etc
6) Original TCP Sequence number
7) Replacement TCP Sequence number
(The PIX randomizes the first TCP sequence number to reduce the risk of TCP Hijacking and does this by default.)

If a returning packet does not match ALL of the above criteria it is dropped there and then. Each of these entries is called a 'Session Object' and will stay in memory until the connection is terminated in the normal way or the session has timed out.

So in a nutshell if a packet arrives on the OUTSIDE interface, the PIX will check that either a Static NAT/PAT Translation exists for it and if so will then check if it is permitted by an ACL, if there is an ACL the PIX will act in accordance with it.
If no static translation exists the PIX will check the state table to see if it is a return packet from a connection that has been initiated by an inside and therefore trusted host - if it meets all the requirements in the state table the packet is allowed to continue its journey. If not the packet is dropped straight away.

The stateful design to the PIX maintains the secure perimeters of the different networks by creating session flows based upon the destination and source address and also the destination and source port numbers of the packets. Fundamentally, this is how the whole PIX is designed to work and will be discussed in more detail in further papers.

*Inbound and outbound traffic is not necessarily traffic coming from the internet to the inside network and vice versa. Traffic is considered to be inbound if it is coming from an interface with a lower security level and is considered to be outbound if it is coming from a higher security level. The most interfaces the PIX can support is 14 depending on Model and License*

Dementia

Dementia is a problem in the brain, making it hard for the patient to remember a person, learn and communicate. After a while , this makes it difficult to manage the person himself. Dementia can also cause human mood and personality changes. Before memory loss and trouble to think properly may bother the person who has dementia. Later, disruptive behavior and other problems can begin.

My mom starts having dementia too, she lives in the past sometimes and compares everything with former times. everything from back than comes to the surface and she talks about it for a long period of time. Well, in former times it was so and so. also her personality changes like the wind. she can get rude, than like a little kid.
When dementia appears the higher mental functions of the patient are involved initially. Eventually, in the later stages, the person may not know what day of the week, month or year it is, she may not know where she is, and might not be able to identify the people around her.

Dementia is significantly more common among elderly people. However, it can affect adults of any age.

What are the symptoms of dementia?
Memory loss - the patient may forget his way back home from the shops. He/She may forget names and places. He/She may find it hard to remember what happened earlier on during the day.

Moodiness - the patient may become more and more moody as parts of the brain that control emotion become damaged. Moods may also be affected by fear and anxiety - the patient is frightened about what is happening to her/him.

Communicative difficulties - the affected person finds it harder to talk read and/or write as they sometimes do not understand what we want from him/her.

As the dementia progresses, the patient's ability to carry out everyday tasks diminishes and he may not be able to look after himself.


My mother is seventy two years when started with dementia symptoms. I find it easier on everyone, to just agree with her in everything she says. It's heart breaking to see her so confused but at this stage of her life, making her comfortable and loving her is what they deserve after they did everything for us. I love you so much mummy and will continue to pray for you so that your current condition is not getting worst..amen...

Diseases that cause dementia
Alzheimer's disease - This is by far the most common cause of dementia. The chemistry and structure of the brain of a person with Alzheimer's disease changes and his brain cells die prematurely.

Stroke (Vascular problems) - this means problems with blood vessels (veins and arteries). Our brain needs a good supply of oxygen-rich blood. If this supply is undermined in any way our brain cells could die - causing symptoms of vascular dementia. Symptoms may appear suddenly, or gradually. A major stroke will cause symptoms to appear suddenly while a series of mini strokes will not.


What is the treatment for Dementia?In the majority of cases dementia is incurable. Researchers are making inroads into treatments that may slow down dementia's progress. Cholinestaerase inhibitors are frequently administered during the early stages. Cognitive and behavioral therapies may also be useful. Several studies have found that music therapy helps patients with dementia. It is important to remember that the patient's caregiver also needs training and emotional support.

In the USA, Tacrine (Cognex), donepezil (Aricept), galantamine (Razadyne), and rivastigmine (Exelon) have been approved for the treatment of dementia caused by Alzheimer's disease - some physicians prescribe these drugs for vascular dementia as well. Selegiline, which is used for treating Parkinson's disease, has been found to slow down the progress of dementia.

How to speed up switch port startup

Switch ports could be connected to a variety of devices – other switches, routers, trunk ports, PC’s, or VoIP phones. Each of these devices has a different configuration. When a device is connected to a switch port, the switch will attempt to negotiate settings to match this device.

These negotiations include ones for the Dynamic Trunk Protocol (DTP) (to see if the connected device wants to setup a trunk) and Spanning Tree Protocol (STP) (Used to ensure that the connection will not cause a loop).

These both take time and will delay the ability of your device (such as a PC) to transmit and receive data from the network. Most of the time, you are connecting a PC to a switch and you just want to be able to use the network as soon as possible, right?

The commands I recommend enabling on all PC/laptop/printer switch ports include these (All configured in interface configuration mode):

switch#
switch#conf t
switch(config)#int fa0/21
switch(config-if)#switchport mode access
switch(config-if)#



switchport mode access: Sets the switchport into a non-trunking mode

switchport nonegotiate (optional): Disables the switchport from negotiating

spanning-tree portfast: Disables STP negotiations which speeds switchport forwarding (ensure this switchport only connects to an endpoint device)

How to speed up switch port startup

How to Setup VLAN Trunking Protocol (VTP) on Cisco Switches

How to Setup VLAN Trunking Protocol (VTP) on Cisco Switches

In our last article about VLAN’s (Read ore about it on the What is a VLAN? How to Setup a VLAN on a Cisco Switch article), we learned about how VLAN’s provide greater performance and security for your LAN. Unfortunately, if you have more than a couple of switches, configuring VLAN’s can be a real pain. To make life easier, Cisco developed VLAN Trunking Protocol (VTP). Let’s find out what VTP can do for you.

How can VTP help me?
Say that you have 20 switches in your large office building. On each of these switches, you have four VLAN’s. Without VTP, you have to create each of these four VLANs on each of these switches. With VTP, you only have to create the four VLANs once, on one switch, and all other switches learn about the four VLANs.

In other words, the job of VTP is to distribute VLAN configuration information between all the switches.

How does it work?
The job of VTP is best explained from the perspective of the VTP server. All switches, by default, are VTP servers. The VTP server is where you would create, remove, or modify VLANs.

This VTP server sends an advertisement, across the domain, every 5 minutes or whenever a change is made in the VLAN database. That advertisement contains all the different VLAN names, VLAN numbers, what switches have ports in what VLANs, and a revision number. Whenever a switch receives an update with a larger revision number than the last one it applied, it applies that revision.

Keep in mind that VTP is a Cisco proprietary protocol. So, to use VTP between your switches, you must have all Cisco switches.

VTP Modes
VTP switches can be in three different modes. Those modes are:

•Server – the default where all VLAN adds, changes, and removals are allowed

•Client – where no changes can be made, only new revisions can be received from the VTP server switches.

•Transparent – where local VLAN information can be changed but that information is not sent out to other switches. Transparent switches also do not apply VTP advertisements from other switches but they do forward those advertisements on.

Usually, you would want a few of your core switches to be servers and all remaining remote or access layer switches to be clients. You would only make changes on the server switches and those changes would be propagated to the client switches.

What about pruning?
VTP pruning is the process of not sending IP broadcast traffic for certain VLANs to switches that do not have any ports in that VLAN. The switches that choose not to send these broadcasts know that they can not do this because of VTP. With VTP telling them what ports the other switches have, this switch knows that they don’t have to send them broadcast packets, because they know that the other switches don’t need them.

Pruning saves LAN bandwidth because broadcasts don’t have to be sent to switches that don’t need them.

How do you configure VTP?
To configure VTP, you use the vtp global configuration mode command. With this command you can specify the following:

•VTP domain – the name of the VTP domain. All switches communicating with VTP in the same domain, must have the same VTP domain name.

•VTP mode – either server, client, or transparent

•VTP password – a password to control who can and cannot receive VTP information

•VTP pruning – VTP pruning is either turned on or off

Here is a sample configuration:

switch#
switch#conf t
switch(config)#vtp mode server
Device mode already VTP Server
switch(config)#vtp domain MyNetwork
Changing VTP domain name from null to MyNetwork
switch(config)#vtp password 1MyPass1
Setting device VLAN database password to 1MyPass1
switch(config)#

To see what is going on with VTP, you can use show vtp status, like this:

switch(config)#
switch(config)#sh vtp stat
information about the switch will be displayed.

Article Summary
In summary, here is what we have learned:

•VTP is used to distribute VLAN configuration information between switches

•VTP is Cisco proprietary and can only be used on Cisco switches.

•By using VTP, you can also prune your VLANs, saving bandwidth

•The command to configure VTP is the global configuration mode command, vtp

•The command to check status is the privileged mode command, show vtp status

What is VLAN?

How to Setup a VLAN on a Cisco Switch
Have you ever wondered what a Virtual LAN (or VLAN) is or been unclear as to why you would want one? If so, I have been in your place at one time too. Since then, I have learned a lot about what a VLAN is and how it can help me. In this article, I will share that knowledge with you.

Okay, most of you already know what a LAN is but let’s give it a definition to make sure. We have to do this because, if you don’t know what a LAN is, you can’t understand what a VLAN is.

A LAN is a local area network and is defined as all devices in the same broadcast domain. If you remember, routers stop broadcasts, switches just forward them.

As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLAN’s, a switch can create the broadcast domain.
This works by, you, the administrator, putting some switch ports in a VLAN other than 1, the default VLAN. All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any other devices, not in their VLAN.

Are VLANs required?
It is important to point out that you don’t have to configure a VLAN until your network gets so large and has so much traffic that you need one. Many times, people are simply using VLAN’s because the network they are working on was already using them.
Another important fact is that, on a Cisco switch, VLAN’s are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.

When do I need a VLAN?
You need to consider using VLAN’s in any of the following situations:
You have more than 200 devices on your LAN
You have a lot of broadcast traffic on your LAN
Groups of users need more security or are being slowed down by too many broadcasts?
Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones. The users using the phone could be on a different VLAN, not with the regular users.
Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?
A common question is why not just subnet the network instead of using VLAN’s? Each VLAN should be in its own subnet. The benefit that a VLAN provides over a subnetted network is that devices in different physical locations, not going back to the same router, can be on the same network. The limitation of subnetting a network with a router is that all devices on that subnet must be connected to the same switch and that switch must be connected to a port on the router.
With a VLAN, one device can be connected to one switch, another device can be connected to another switch, and those devices can still be on the same VLAN (broadcast domain).

How can devices on different VLAN’s communicate?
Devices on different VLAN’s can communicate with a router or a Layer 3 switch. As each VLAN is its own subnet, a router or Layer 3 switch must be used to route between the subnets.

What is a trunk port?
When there is a link between two switches or a router and a switch that carries the traffic of more than one VLAN, that port is a trunk port.
A trunk port must run a special trunking protocol. The protocol used would be Cisco’s proprietary Inter-switch link (ISL) or the IEEE standard 802.1q.

How do I create a VLAN?
Configuring VLAN’s can vary even between different models of Cisco switches. Your goals, no matter what the commands are, is to:
Create the new VLAN’s
Put each port in the proper VLAN
Let’s say we wanted to create VLAN’s 5 and 10. We want to put ports 2 & 3 in VLAN 5 (Marketing) and ports 4 and 5 in VLAN 10 (Human Resources). On a Cisco 2950 switch, here is how you would do it:

At this point, only ports 2 and 3 should be able to communicate with each other and ports 4 & 5 should be able to communicate. That is because each of these is in its own VLAN. For the device on port 2 to communicate with the device on port 4, you would have to configure a trunk port to a router so that it can strip off the VLAN information, route the packet, and add back the VLAN information.

What do VLAN’s offer?
VLAN’s offer higher performance for medium and large LAN’s because they limit broadcasts. As the amount of traffic and the number of devices grow, so does the number of broadcast packets. By using VLAN’s you are containing broadcasts.
VLAN’s also provide security because you are essentially putting one group of devices, in one VLAN, on their own network.

Article Summary
Here is what we have learned:
A VLAN is a broadcast domain formed by switches
Administrators must create the VLAN’s then assign what port goes in what VLAN, manually.
VLAN’s provide better performance for medium and large LAN’s.
All devices, by default, are in VLAN 1.
A trunk port is a special port that runs ISL or 802.1q so that it can carry traffic from more than one VLAN.
For devices in different VLAN’s to communicate, you must use a router or Layer 3 switch.

How a Cisco Switch functions on an Ethernet network

Many of us use switches every day but never really think about how they work. Whether you are studying to become a CCNA or just want to learn more about how a switch really functions, this article is for you.

Hubs vs. Switches
Prior to switches, Hubs were the standard for connecting devices on a local area network (LAN). The problem with hubs was that everything that went through them had to share the bandwidth of the link, bandwidth was wasted because all traffic was sent to all devices, and there were a lot of collisions because the hub didn’t do anything to prevent them. A switch fixes these problems.

What do switches do?
Here are some facts about switches that you should know:

•Switches work at Layer 2 of the OSI model, not Layer 1 like a hub

•Switches switch Ethernet frames

•Switches don’t look at IP address information, only Ethernet MAC addresses

•Switches keeps a table of all MAC addresses traversing the switch and what port they are on (this table is called the bridge forwarding table or CAM table)

•Switches only sends traffic to the devices that are the destination for that traffic, saving bandwidth

•Each device connected to the switch gets the full bandwidth of the switch port because the switch prevents collisions

Flooding
Now that you know that the switch has the bridge forwarding table and uses that to intelligently send traffic, a common question is, “what if the destination MAC address for the traffic that the switch receives is not in the bridge forwarding table?” What does the switch do with that Ethernet frame? The answer is that the switch will flood that frame out all ports on the switch. The switch will then monitor the traffic for the response from that frame and see what device, on what port, responded to that flooded frame. That information will be put in the bridge forwarding table so that, next time, the switch won’t have to flood that traffic.

Bridge forwarding table
To see the bridge forwarding table on a Cisco switch, just type show mac-address-table

Port speed & Duplex
Of particular importance when it comes to switches are port speed and duplex. The speed of a port can be set to 10Mb, 100Mb, or 1000Mb (1GB), or Auto negotiate, depending on what the switch and the connecting device offers. Most switch ports and devices use auto negotiate to find the best speed and duplex available. However, this doesn’t always work. Some devices have trouble with this and you may have to go in to the switch and hardcode the speed or duplex.

Speaking of duplex, what is duplex? Duplex is set to either half, full, or is auto negotiated. A half duplex connection is where only one device can send or receive at a time. A full duplex connection is where both devices can send and receive at the same time.

Thus, if you have a 100Mb half-duplex connection, only sending at 100Mb OR receiving at 100Mb can happen at the same time. If you have a 100Mb full duplex connection, you can effectively get 200Mb out of the link because you could be sending 100Mb and receiving 100Mb at the same time.

Here is how you see the current speed and duplex of a switch port using the show interface command:

Most administrators will hard-code the port speed and duplex of servers to prevent auto negotiation. You don’t want your switch to reboot one night and, in the morning, have the email server connecting to the network at 10Mb half-duplex. You want the email server to either run at 1GB full duplex (for example) or not work at all.

Types of Switches
There are a number of different types of switches. You can buy a “dumb” switch for about $10 these days. It has no manageability and probably only 4-8 ports. From there, you can go up to an unmanaged 24 or 48 port switch.

However, most business users prefer a managed switch so that you can get statistics on switch traffic, see your bridge forwarding table, troubleshoot connections, and hard-code port speeds and duplex.

There are many brands of managed switches including, of course, Cisco. These managed switches come in sizes from just a few ports, all the way up to over 96 ports. You can even buy chassis-based switches, costing tens of thousands of dollars, like a Cisco Catalyst 6500 series switch. The chassis-based switches can have blades (cards) that perform not just switching but also routing, intrusion detection, and other services.

Another type of switch is called a Layer 3 switch. A Layer 3 switch is a switch that also has the routing functionality of a router but no WAN ports. Layer 3 switches are used primarily when a large company wants to use VLAN’s to segregate their network into logical networks.

Article Summary
Here is what we have learned:

•Switches work at Layer 2 of the OSI model, data-link

•Switches switch Ethernet frames

•Flooding is when a switch doesn’t have a destination MAC in its bridge forwarding table and it has to send that frame out to all ports

•Port speed and duplex are critical settings when it comes to connecting devices.

•There are many types of switches, managed, unmanaged, chassis-based, and layer 3.

Usun Apau Plateau

Usun Apau is claimed by the Kayan and Kenyah of Sarawak as their heritage site or legendary place. They claimed the great forefather to have come from this plateau? They may have settled here at one time for some purposes but due to no accesses to food and other basic needs on top of this plateau, they have abandoned this plateau or 'Apau'. One of the main reason why our great grandfather was in the Usun Apau is because it is a safe place during the head hunting era. Their enemies found it very-very tough to access or come to this plateau. Indeed animals are rare found here. It’s really an exciting place to discover for anybody who can walk in a very thick tropical forest and rivers. Usun Apau basically located in between Tinjar, Rajang and Baram River. There is a plan to explore this area by the Kenyah people right after the Murum dam near Plieran river has been completed.



Geographically, the plateau is the watershed that separates the two great rivers of Sarawak, the Rajang and the Baram. The rivers that run off the plateau feed the Rajang, Baram, Murum and Tinjar catchment areas and run into four of the proposed new Sarawak dams. The plateau contains three extinct volcanoes - Mount Selidang, Kanawang and Batu Mabun. Two outlier volcanoes to the north, Kalulong and Seludong are separated from the plateau by the Paong river valley. It comprises a large part of the catchment area for the water supply for north and central Sarawak and the peat forests on the plateau act as reservoirs that filter and store many months supply of water.



Usun Apau Plateau have plenty of unexplored natural wonders like these images showing lots of high rise multi-storey chilling waterfalls. Selio, Julan, Katok waterfall are just a few example.

*Pictures were taken from some other blogs.

get your marriage back on the track

By Kimberly Dawn Neumann

First comes love, then comes marriage, then comes happily ever after. End of story, right? Not quite… While it’s true that couples relax a bit after they think they’ve nabbed the matrimonial Holy Grail, the reality is that they may also find themselves dumbfounded if their fairytale starts slipping away. “Many people think that marriage is about marrying the right person, so when things go wrong, they automatically go to the ‘Crap, I accidentally married the wrong person’ place,” says Alisa Bowman, author of Project: Happily Ever After. “Although you do want to marry someone you are basically compatible with, marriage has a lot less to do with marrying the right person than it has to do with doing the right things with the person you married.” In other words, relationships are a constant work in progress. To keep the happy connection that made you say “I do” in the first place—or maybe even create a newer-and-improved version—try out these 10 tips to rehab your romance.

1. Nurture yourself.
Marriage is about giving, but don’t make the mistake of giving too much. “To have a good marriage, you need to be a good you,” says Bowman. “Learn how to prioritize and put boundaries around activities that keep you healthy and whole—activities like rest, relaxation, fitness and time with friends.” In other words, remember that scheduling “me” time into your day is not selfish, it’s a necessity. It will strengthen your relationship because you’ll have a saner version of “you” to bring to the “us” equation.

2. Define your problems.
Spend some time looking at your relationship and figure out which parts work and which parts don’t. Bowman suggests that you take a moment to imagine a perfect day in your perfect relationship. What would this look like? How would you and your partner interact? Then create a plan of how you might get from point A (your current reality) to point B (that perfect day). Write it down if you need to, then start breaking the issues into bite-size pieces and tackling them one at a time. Before you know it, there will only be a few bite-size problems left.

3. Make a financial plan together.
Money is one of the biggest stressors in a marriage. Couples worry and argue about it constantly. If you find you and your spouse are starting to badger each other over the bottom line, it’s time to have a penny-pinching powwow. “We are all guilty of something economists call ‘passive decision-making,’ which just means defaulting to the easy option,” says Jenny Anderson, coauthor of Spousonomics: Using Economics to Master Love, Marriage, and Dirty Dishes. “Couples need to make an active plan about how they will manage their money: Combine it? Separate it? Create a joint account and keep some separate? Whatever the decision, both people have to be part of the decision to do it and then figure out what needs to be done to keep the system humming.”

4. Use the three-sentence rule.
When you need to ask your partner for something that could be misconstrued as nagging, keep the request at three sentences—max. “The art of being assertive without coming off as aggressive lies in being succinct and using a warm tone of voice and body language,” says Bowman. “When you keep your requests to three sentences or fewer, it’s almost impossible to blame, use sarcasm or use put-downs.” It’s also a lot more likely that you’ll get your point across without losing your spouse’s attention. Make your request with a smile. Be sincere and encouraging. You might even rest your hand on his thigh as you say, “Honey, the house is a mess and I am exhausted. Could you help me clean this place up? I could really use your help.”

5. Take your fighting gloves off.
Don’t duke it out. Instead, consider taking a time-out. “There's a concept called 'loss aversion' in economics, which simply means we really hate to lose. And when we think we are losing, we fight like there is no tomorrow to try to win,” says Anderson. “It happens when couples talk about hot-button issues like sex, housework, money or the kids. If either person thinks he or she is losing, he or she will ratchet up the stakes and escalate the issue.” The next time you see a spousal spat going to a not-so-happy place, take a break and revisit the subject when neither one of you feels overwhelmed by the topic.

6. Just do it.
Yes, by “do it” we mean have sex. Intimacy is an important part of a vital relationship, and one of the first areas to suffer if feelings are floundering. But sexual encounters can also be one of the quickest ways to reconnect and rekindle with your partner. “Of the many forms of couple intimacy—a smile across a room, a kiss, a touch—sex has the potential to be the most powerful positive physical experience most of us enjoy,” says Joel D. Block, PhD, coauthor of Sex Comes First: 15 Ways to Save Your Relationship…Without Leaving Your Bedroom. “This is especially true if sex results in emotional fulfillment, better communication, security and reassurance."

Make your sex life a priority by following these five tips.
7. Burn your grudges.
It’s time to set some bad memories on fire. Literally. Sometimes hanging on to those “Do you remember the time you did such and such?” moments are the things that lead to relationship sabotage. Instead of carrying grudges around forever, torch them. “Write them all down on a piece of paper. Then set a timer for a certain amount of time. It might be 10 minutes. It might be 30. It might be the whole day. The point is: Give yourself as long as you need to really wallow in the misery of these grudges. Savor them. Get angry about them. Mutter about them. Do whatever you need to do to get sick and tired of them,” says Bowman. “Once you are done, say, ‘I will not think about these anymore. These grudges have lost their usefulness.’” Then take a match and burn them.

8. Don’t be overly confident.
Overconfidence can lead to complacency, which is not good for any relationship. According to Anderson, in a survey published in August 1993 in the journal Law and Human Behavior, couples who had recently applied for a marriage license were asked to estimate the average rate of divorce. Almost uniformly, they accurately predicted about 50 percent. Then they were asked to estimate the chances that they would get divorced. They answered zero percent. The problem with this statistic is that, if there is no perceived risk of failure, no “work” is put into maintaining the relationship—until it’s suddenly faltering. Don’t let yourself gloss over the little things. Don’t forget to make an effort to keep your romance alive. Don’t find yourself in a situation where you realize that you could have done more…when it’s already too late.

9. Write your spouse’s eulogy.
This one isn’t as macabre as it sounds. It’s more of an exercise in appreciation. Bowman suggests that you work on it a little at a time as a way to notice what your spouse does right (since these are the things you’d likely eulogize him with, not the negatives). “Think back over the years you’ve known this man. When did he make you laugh? When did he make you cry tears of joy? When did he surprise you? When did he feed the cat because the smell of cat food makes you want to hurl? Put it in the eulogy,” says Bowman. “The funeral fantasy will help you remember to appreciate your spouse.”

10. Remind yourself you have a choice to stay married.
Many people stay in troubled marriages because they believe they have no other choice. “They think that they are stuck, and they blame this sensation of being stuck on their spouse. But if you are stuck, it’s your fault and not your spouse’s,” says Bowman. That fact is, “you are not stuck; you have choices. Three of them: Do nothing and remain miserable; face your fears and try to save your marriage; ask for a divorce.” Choose to either be married or not. Make a choice. And wake up every morning and make that choice again. The surest path to happiness is knowing that you are not a helpless damsel in distress, but rather a woman who can make her own decisions. You have the choice to live happily ever after.



Original article appeared on WomansDay.com