CCNP EXAM

Well you might notice I am not updating and working on this blog much this week. The main reason is I have my CCNP SWITCH exam coming up in a few days and I am hard at work revising!

I think I have it sorted, just as long as no silly planning questions catch me out. It seems as though Cisco want you to “forget” things you know, and only come to the exam with the exact information in the book. It doesn’t matter if something is actually correct; if it's not in the book then you are not expected to know it.

Config-wise and technology-wise I think I am fine though. I have been working on layer 2 for 5 years now, so apart from a few small bits, running through the book has been confirming lots of what I have learnt on the job over that time.

Still had time to play with the links in the blog and add a few more quotes.

And later I have a part 2 for troubleshooting with ACLs to write up, and a nice layer 3 NAT scenario to lab up soon to show a use for “NAT enable” and virtual NAT interfaces. Hopefully I'll get at least one of them sorted out this week, but if not I will do it after my celebrations (I’m thinking positive here) at passing.

DEVILWAH

Troubleshooting with ACLs

We all know ACLs for restricting traffic when applied to an interface, and also for classifying traffic, such as when used in NAT to choose the ranges to apply NAT to. But they can also be very useful in troubleshooting your network, and the last few days brought this back to me.

It all started with what seemed like a simple problem. On one of my networks the DHCP helper function had stopped working, and clients could no longer get an IP address. However, a quick check of the DHCP server and a glance over the config on the network devices showed it all seemed fine.

Now the setup is quite simple: your standard basic router-on-a-stick setup, with a Cisco 1841 as the router, which as well as routing is also set up as one of the network firewalls, with one interface pointing to the internet (not shown) and the other to the internal network.


FIG 1

We can imagine that the DHCP server is sitting in VLAN 200 and the clients that have stopped working are in VLAN 100. So what’s going on?

Well, the first move was to look at the DHCP logs on the server for any sign of requests being received. Nothing there, suggesting the packets were getting stopped before they got there.

Check the router config for the “ip helper-address” command. This all looked fine, and a quick ping from the router to the DHCP server showed there was no issue with the router forwarding packets to it. Next step: ping the client PC from the router….. OK, here’s an issue: the router can’t ping the client? But the client can reach the internet through the router? And stranger still, the client CAN ping the router interface at 192.168.10.254??

To bypass any other part of the network, I set up two SVIs on VLANs 100 and 200 on the switch directly connected to the router and checked the trunk was carrying both. Again the switch could ping both interfaces on the router, but the router could only ping the IP address assigned to the SVI for VLAN 200?

Well, the first step was to work out if the router was indeed sending a packet out. As I mentioned, the router also acts as a firewall, so could a policy update be causing the issue?

Here is the first use for ACLs in troubleshooting. Debug commands in Cisco IOS are very useful, as we know, and one I have used often is “debug ip packet detail”. But before you go typing it into a router to test, be aware it will have a massive hit on the CPU and you will be overwhelmed with information as the detail of every packet crossing your router is displayed to you.

Before you start debugging, create an access list that will permit all the traffic you are interested in. In this case I only want to see traffic to and from 192.168.10.254, so log on to the router and create the access list:

ip access-list extended 150
 permit ip any host 192.168.10.254
 permit ip host 192.168.10.254 any

Then you can run the debug command and only view the details about packets covered by this access list.

debug ip packet 150 detail

Enabling this on the router and again pinging the 192.168.10.250 address, the debug output showed the packets being sent out on VLAN 100. To be sure, I enabled the same debug on the switch, and I could see the packets both being received from the router and being sent back out of the same VLAN interface. Yet the router logs showed no sign of packets getting dropped or even being received, and neither did this debug show any sign of the reply packets. This is not surprising, as debugging IP packets only shows packets that reach the control plane of the router; if an ACL or the firewall is blocking them, they will never get that far.

So here is the next use for an ACL in troubleshooting. One of the first steps a packet goes through when received on an interface is being checked by any applied ACL. This is a reasonable place to do it, as for security reasons you want to drop any rogue packets as early as possible. So I added the line “permit ip any any” to the end of the above ACL, added the “log” keyword to the first two lines, and then applied this ACL to the interface in the inbound direction.

Now, repeating the ping to 192.168.10.250 from the router, I see in the logs packets being transmitted and being received. Now I know that the issue is within the firewall policies on the router.

So yes, ACLs are not only great for security and for managing live data flows across the network; they are also useful in troubleshooting, especially when used to filter the output of show and debug commands down to useful information. And using the log keyword you can capture sporadic issues without having to be logged on the whole time watching for them.
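To make the ACL log hits easier to read off a busy syslog, here is an added example (my own Python, not code from this post or from Cisco) that parses the %SEC-6-IPACCESSLOG* messages an ACL entry with the log keyword produces and answers the question the troubleshooting above turned on: have packets been seen in both directions between two hosts? The sample log lines are constructed to match the IOS message format; the ACL number and addresses are the ones used in the post.

```python
"""Summarise Cisco IOS ACL 'log' hits from syslog (added example, not from the post).

The sample lines below are constructed to match the format of the
%SEC-6-IPACCESSLOGP (tcp/udp), %SEC-6-IPACCESSLOGDP (icmp) and
%SEC-6-IPACCESSLOGNP (other protocols) messages an ACL entry with the
'log' keyword generates.  Real input would come from 'show logging' or a
syslog server.
"""
import re
from collections import defaultdict

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample: router (192.168.10.254) and switch SVI (192.168.10.250)
# exchanging pings, a telnet hit, a denied DHCP packet on another list, and an
# unrelated syslog line that the parser must ignore.
SAMPLE_LOG = [
    "Sep 20 10:01:02.123: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 192.168.10.254 -> 192.168.10.250 (8/0), 1 packet",
    "Sep 20 10:01:02.130: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 192.168.10.250 -> 192.168.10.254 (0/0), 1 packet",
    "Sep 20 10:01:07.500: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 192.168.10.254 -> 192.168.10.250 (8/0), 4 packets",
    "Sep 20 10:02:15.001: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 192.168.10.250(49152) -> 192.168.10.254(23), 1 packet",
    "Sep 20 10:03:00.777: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.168.20.5(68) -> 192.168.10.254(67), 2 packets",
    "Sep 20 10:03:01.000: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_acl_log(line):
    """Return a dict describing one ACL log hit, or None for any other syslog line."""
    match = ACL_LOG_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["count"] = int(rec["count"])   # IOS batches hits: 'N packets'
    return rec


def summarize(lines):
    """Aggregate packet counts per (acl, action, src, dst) over all hits."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec:
            totals[(rec["acl"], rec["action"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


def seen_both_ways(totals, acl, host_a, host_b):
    """True when the ACL logged permitted packets both a->b and b->a."""
    return ((acl, "permitted", host_a, host_b) in totals
            and (acl, "permitted", host_b, host_a) in totals)


def report(lines):
    """Human-readable summary, one line per (acl, action, src, dst)."""
    return [f"list {acl} {action} {src} -> {dst}: {n} packet(s)"
            for (acl, action, src, dst), n in sorted(summarize(lines).items())]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
    print("router <-> SVI seen both ways:",
          seen_both_ways(summarize(SAMPLE_LOG), "150", "192.168.10.254", "192.168.10.250"))
```

Because IOS rate-limits ACL logging and reports batches as "N packets", the counts are summed rather than counted per line; a one-way-only result for a pair of hosts is the same signal the post reads by eye, that the reply is being dropped before the ACL sees it.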

DevilWAH

PS. There is also the “debug packet” command to capture traffic received on an interface, but I like the simplicity and logging ability of using an ACL.

A new way to navigate.

Unfortunately I can’t get the full paper on this, however the link below is to the article on New Scientist.

An alternative to turn by turn

I should point out this is not for car drivers, but for pedestrians walking through cities and towns, although I can see how it could easily be adapted for cars. The idea is simple: with most turn-by-turn based solutions on our hand-held devices you are directed the most direct way to your destination. This invariably takes you on the main streets, or even worse down some back alley where all the shops are throwing out their rubbish.

At Swansea University they developed a new method. Rather than displaying a map, the device simply vibrates when you point it in the direction you need to take to get to your destination. So if there are several routes your device will vibrate across all of them. Although, apart from the strength of the vibration and the width of its field, the idea seems to be that there is no way to “know” which one is quicker. You simply choose the one you like the look of and continue on your way.

Now I know for many people the best way is the fastest, no matter what you see along the way. But for people on holiday in a new city, often the reason for visiting is to see the sights. A system that will keep you pointing in the right general direction, while allowing you a choice of the exact path, I think could become a standard feature on hand-held devices.

I can also, like I said, see it being used in cars. Of course we have to be careful here, as you don’t want drivers spending too much time worrying about what turning to make. However, we already have the ability to avoid motorways and toll roads, but these still give us a fixed route, and although the system will re-route if we take a wrong turn, it doesn’t give us any information upfront about the alternatives. Maybe a system where you can set an acceptable % increase of journey time for an alternate route to be suggested. Then as you approach a turning where the alternative falls within this limit, the system alerts you to the alternative and tells you how much time it will add.

I really like this idea as I love to see new areas, but I am hopeless at direction. I hope it makes it through to a hand-held device near me in the future.

DevilWAH

Music to the Cloud

So came across this today.

Moving music to the cloud

I wonder if this is just another one of those ideas that will disappear into the ether, or will it actually take off this time.

It’s all we seem to hear now, “the cloud”. But the issue is always going to be that even if there is 99.9% coverage, the times you want to be listening to your music are when driving / on holiday / walking, the very times you are most likely to be outside of the coverage areas. And the only way to cope with this is to have offline local storage that you can carry around with you, as we do right now.

Maybe the way to manage a cloud-based music system is not to charge for how much music you have access to, but for how much you can store offline. So you would pay for a set amount of offline storage that you can save to your music player. Each time you download a song it is subtracted from your allowance, and each time you check a song back in it is removed from your device and your account is re-credited.

So you still always have access to all the music, and you can keep your favourite music local to you for those times when you are out of coverage. With the artists getting paid depending on how often their tunes are played through the cloud or when they are downloaded.

But can cloud music possibly beat piracy? In my view piracy is not winning because it is cheaper (although this is a big factor, I grant you), but because there are no ties. Once you have a tune, it is yours; you can leave one piracy site and go to another and you don’t lose what you already have. No one likes to be tied to a company, and this is why I personally dislike iTunes: the idea that music purchased through it is tied to it, so if a better offer or a better player comes along you can’t take advantage of it.

In my view this is what has got to change and is what will bring people in from piracy: that once you have purchased music it “belongs” to you, or at least is yours to listen to how and when you want to. For this to happen there has to be an open DRM standard that all of the industry signs up to. But while all the different companies fight to get customers and then lock them in, piracy will only get worse.

I like the idea of cloud music, especially the peer-to-peer model, but I will be surprised if this takes off in any really big way, or really changes the music industry.

DevilWAH

Quotes

Man, I seem to be constantly adding to my quote collection but am still nowhere near the end! In fact not even 20% of the way through! The main trouble is that I have them all over the place in different formats, so I have to copy each one by hand! Once they're all up I shall be tidying up the quote pages.

On a side note added a few more flash cards to Anki, some QoS stuff.

QoS and leaky Buckets

Just been going through QoS in the foundation guide. It has a small bit on the leaky bucket algorithm, but I think the Wikipedia article explains it much more clearly.

I had always thought of it as the packets being the water running into the bucket, with a small hole in the bottom from which it drained out. As long as the average inflow was less than the hole could drain, and bursting did not overflow the bucket, the water flows out without spilling.

However, I see now that in the case of Cisco switches the leaky bucket is a metering method. The packet itself does not flow into the bucket. Rather, how fast the packets flow into the switch determines how fast the tap above the bucket is flowing. While the bucket is not full the packets can pass through the switch. But if the bucket should overflow, the packets are dropped until enough water has run out of the bucket that they can continue.

Like I said, the article on Wikipedia explains it all very nicely, so if, like me, you are taking a bit to get your head around it, have a look.
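As an added illustration of the metering reading of the algorithm (my own Python, not code from the foundation guide or the Wikipedia article): each arriving packet's size is poured into a bucket that drains at the committed rate, a packet that would overflow the bucket is dropped, and forwarding resumes once enough has drained out. The rate, bucket depth and packet traces are constructed values chosen to show that the same five packets pass or fail depending only on how bunched up they are.

```python
"""Leaky bucket as a traffic meter (added example, constructed numbers).

Each packet's size in bytes is 'poured' into the bucket; the bucket drains at
the committed rate.  A packet is forwarded (conforms) only if it fits without
overflowing; otherwise it is dropped and the bucket level is left unchanged,
so later packets get through again once enough has drained.
"""


class LeakyBucketMeter:
    def __init__(self, rate_bps, burst_bytes):
        self.drain = rate_bps / 8.0     # committed rate, in bytes per second
        self.capacity = burst_bytes     # bucket depth = largest burst that passes
        self.level = 0.0                # current fill, in bytes
        self.last = 0.0                 # time of the previous packet, in seconds

    def _drain_until(self, now):
        """Let the bucket leak for the time since the previous packet."""
        self.level = max(0.0, self.level - (now - self.last) * self.drain)
        self.last = now

    def offer(self, now, size):
        """Return True to forward the packet or False to drop it."""
        self._drain_until(now)
        if self.level + size > self.capacity:
            return False                # would overflow: drop, level unchanged
        self.level += size
        return True


def meter_trace(rate_bps, burst_bytes, packets):
    """Run (time_s, size_bytes) pairs through a meter; return (forwarded, dropped)."""
    meter = LeakyBucketMeter(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for when, size in packets:
        if meter.offer(when, size):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def evenly_spaced(count, size, spacing_s):
    """Constructed trace: 'count' packets of 'size' bytes, one every 'spacing_s'."""
    return [(i * spacing_s, size) for i in range(count)]


if __name__ == "__main__":
    # 8 kbit/s (1000 bytes/s) with a 3000-byte bucket.  Five 1000-byte packets
    # 10 ms apart overflow the bucket after the third; the same five packets one
    # second apart all conform, because the bucket drains fully between them.
    print(meter_trace(8000, 3000, evenly_spaced(5, 1000, 0.01)))   # (3, 2)
    print(meter_trace(8000, 3000, evenly_spaced(5, 1000, 1.0)))    # (5, 0)
    # After the burst, a packet two seconds later fits again: (4, 2)
    print(meter_trace(8000, 3000, evenly_spaced(5, 1000, 0.01) + [(2.0, 1000)]))
```

The bucket depth is what a switch policer calls the burst size: it is the only thing that separates "same average rate, all forwarded" from "same average rate, two dropped".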

DevilWAH

Do you like the Pretty links?

Getting the pretty permalinks to work on this blog has been a bit of a pain. According to WordPress you click on the format you want under the settings and then they should all work nicely.

So rather than having a link that looks like

“http://www.devilwah.com/?p=344”

you can have the same link looking like

“http://www.devilwah.com/2010/09/minority-report-the-reality/”

Pretty 🙂 right.. 😉

So how did I get it all up and running?

When first trying to activate it I came across a “page not found” error, suggesting that the mod_rewrite module in Apache was not running correctly. After lots of searching around I found this is to do with the “AllowOverride” directive in Apache.

The default setting for the directive in the virtual site file in Ubuntu is:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

Further reading suggests that with this set to None, the .htaccess file that mod_rewrite needs in order to work will not be read.

Searching the net, lots of people suggest changing this to “AllowOverride All”, which after a restart of Apache will work fine. But for a little more security I found “AllowOverride FileInfo” will achieve the same thing: FileInfo only lets .htaccess use the document-handling directives (which include the mod_rewrite ones), rather than every directive class that All permits.

And that’s it, one little word change is the difference between it all working fine and page not found!

The same can be achieved by editing the httpd.conf and associated config files, but as I use virtual sites I prefer editing these directly.

Thankfully the old-style links still work just fine; mod_rewrite simply takes the pretty version of the link and translates it back to the ugly version behind the scenes, leaving you, the user, with a more pleasurable browsing experience. 🙂

DevilWAH

A step up from Minority Report interface.

OK so the real life Minority Report interface did not do it for you?

Well, let's try a bit of brain control!

OK, so it's not perfect yet, but I have been following these over the years and they are getting better and faster to respond year by year. I remember when the most they could do was flip the colour of the screen by thinking about a CAT?! To think it can learn an action in 8 seconds, and if it's anything like voice recognition software, I know from experience practice really does make perfect.

I still think there’s a long way to go yet, but we are getting close to being able to sit at our desk and control objects on the screen with our mind.

However, I think the use I would most like to see the research go to first is helping the disabled. Controlling wheelchairs is only the beginning. Imagine those people with diseases like Stephen Hawking's, who currently can only communicate by moving his eyelids. Returning someone's ability to move is a great thing to be able to do, but returning someone's ability to communicate would be something truly amazing.

Plus I want one because they look cool!!! 😉

DevilWAH

Setting up Lock and Key

I remember searching around for ages looking for this solution a few years back, so I thought I would share it with you. Bear in mind that there are much more secure solutions around, such as 802.1X port-based authentication. However, these require a lot more setting up, not to mention the kit to support it. For what it is, “Lock and Key” is one of those ideas that does exactly what it says on the tin.

So what exactly is it that “Lock and Key” does anyway? The idea behind it is to allow you to open up access between subnets / networks on demand. Maybe it is clearer if we look at the following diagram.

Figure 1

In Figure 1 we have the IT PCs, the users' PCs, the servers and the DRAC cards all on separate networks. If you have not come across DRAC cards before, they are an additional card that can be fitted to Dell servers, with their own redundant NIC; if the server should crash, you can connect to the DRAC card and force a hard reboot, among other things. Very useful for remote management of servers! However, as you can imagine, not something you want to allow users near!!

So looking at the diagram above, you may place an access list on the incoming traffic from the user network (192.168.20.0) to block any access to the DRAC network, while leaving the IT admin PCs able to reach them. But what happens if you are at a user's PC, the server has crashed and you need to reboot it? This is where the “Lock and Key” idea comes in.

By using a dynamic access list along with the username autocommand, you can open up the blocking access list you have created on the fly, to allow the PC you are working on to have access to the DRAC network.

First we need to set up a dynamic IP access list under global config. Remember this access list has to be applied to the interface connected to the user PCs; we will be applying it in the “in” direction.

ip access-list extended Lock-key
 dynamic Dracacess timeout 60 permit ip any 172.64.20.0 0.0.0.255 log
 deny ip any 172.64.20.0 0.0.0.255
 deny ip any 172.16.10.0 0.0.0.255
 permit ip any any

So before “Lock and Key” is active, users are prevented from accessing the IT PCs and the DRAC network, but have access to everything else.

Next we set up the user we are going to use as the “key”:

username Dracs secret CISCO
username Dracs autocommand access-enable host timeout 15

So here we set up the user Dracs and add the autocommand to run when they log in. The 15-minute timeout here is the idle timeout. However, as we have set an absolute timeout above in the access list itself, the access will be removed after 60 minutes whether they are active or not.

Lastly we need to go into the interface that faces the users' network and assign the access list, and set the VTY lines for telnet access and to use the local user database. So from global config again:

interface <ID>
 ip access-group Lock-key in
 exit
line vty 0 15
 transport input telnet
 login local
 exit

Now using it is simple: from a user's PC start a telnet session to the router, and at the username and password prompt use the username Dracs and the password configured. The connection will be dropped, but an extra line will be added to the access list along the lines of:

 permit ip host xxx.xxx.xxx.xxx 172.64.20.0 0.0.0.255 log

And your user PC now has access for as long as it is sending data, or until the 60-minute limit.
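To see how the pieces above fit together, here is an added Python model of the behaviour (my own code, not an IOS feature and not taken from the post's config): the static Lock-key entries in first-match order, the per-host permit that access-enable host inserts at the position of the dynamic entry, the 15-minute idle timer that matching traffic refreshes, and the 60-minute absolute timer that removes the entry regardless. The DRAC and IT network addresses and the two timeouts are the ones from the post; the client and server addresses in the scenario are constructed.

```python
"""Model of the Lock-and-Key dynamic ACL described above (added example, not IOS code)."""
import ipaddress

DRAC_NET = ipaddress.ip_network("172.64.20.0/24")   # DRAC network from the post's ACL
IT_NET = ipaddress.ip_network("172.16.10.0/24")     # second 'deny' network from the post's ACL


class LockAndKeyACL:
    """Evaluates the 'Lock-key' ACL, including its dynamic entries.  Times are minutes."""

    def __init__(self, absolute_timeout=60, idle_timeout=15):
        self.absolute = absolute_timeout   # 'dynamic Dracacess timeout 60' in the ACL
        self.idle = idle_timeout           # 'autocommand access-enable host timeout 15'
        self.dynamic = {}                  # src host -> [created_at, last_hit]

    def authenticate(self, host, now):
        """The key user logs in from 'host': insert a permit for that single source."""
        self.dynamic[host] = [now, now]

    def _expire(self, now):
        """Drop dynamic entries that have hit the absolute or the idle timeout."""
        for host, (created, last_hit) in list(self.dynamic.items()):
            if now - created >= self.absolute or now - last_hit >= self.idle:
                del self.dynamic[host]

    def check(self, src, dst, now):
        """Return 'permit' or 'deny' for a packet, using the ACL's first-match order."""
        self._expire(now)
        dst_ip = ipaddress.ip_address(dst)
        # 1. dynamic entries sit where the 'dynamic' line is, so they are tested first
        if src in self.dynamic and dst_ip in DRAC_NET:
            self.dynamic[src][1] = now        # matching traffic keeps the idle timer alive
            return "permit"
        # 2. static denies to the DRAC and IT networks
        if dst_ip in DRAC_NET or dst_ip in IT_NET:
            return "deny"
        # 3. trailing 'permit ip any any'
        return "permit"


def run_scenario():
    """Constructed walk-through: one user PC, one DRAC card, one ordinary server."""
    user_pc, drac, fileserver = "192.168.20.10", "172.64.20.5", "192.168.30.7"
    acl = LockAndKeyACL()
    steps = [
        ("before login, to DRAC", acl.check(user_pc, drac, 0)),
        ("before login, to server", acl.check(user_pc, fileserver, 0)),
    ]
    acl.authenticate(user_pc, 1)                       # telnet in as the key user
    steps += [
        ("after login, to DRAC", acl.check(user_pc, drac, 2)),
        ("other PC, to DRAC", acl.check("192.168.20.11", drac, 2)),
        ("10 min later, still active", acl.check(user_pc, drac, 10)),
        ("20 idle min later", acl.check(user_pc, drac, 30)),   # idle timeout hit
    ]
    return steps


if __name__ == "__main__":
    for label, result in run_scenario():
        print(f"{label}: {result}")
```

The model makes the post's point about the two timers concrete: the idle timer is reset by every permitted packet, so a busy session lives on, but the absolute timer counts from the login and closes the hole at 60 minutes no matter how busy the PC is.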

Of course you may not like using telnet, and it is possible to use SSH (but then the user PC needs an SSH client installed). You can also change the port that the router listens on for telnet or SSH on a VTY line. You can also apply the autocommand to the VTY line so anyone who logs on through that VTY line will trigger the lock and key. If you do this then you will need to set up some VTY lines to use one port with the autocommand config, and some other VTY lines to use a different port without the autocommand. Otherwise you will not be able to manage the router!!!

This Link covers some more examples.

As I said at the beginning, there are much better ways to do this; 802.1X, as I mentioned, is just one of them and something I will cover in more detail soon. But for small/medium-sized networks, where cost is an issue but you still want to add an extra bit of security, they are a nice way to restrict users while allowing network admins to carry on working efficiently away from their desks.

DevilWAH

Roller coaster of a day out.

Well, just back from a very nice day at the theme park near home :). Parents very kindly looked after our lovely baby so wife and I could have our first trip out alone. What a feeling of release to be able to walk around without having to worry about the baby, knowing she was OK.

My wife has decided that she is not too keen on rides that accelerate from 0 to 80mph in 2 seconds! But apart from that, great fun.

But now back to wireless, before adding some more quotes and a new techno blog.

DevilWAH

Edit: updated menu to contain links to the categories. Now all I need is for WordPress to allow me to put the link categories in the menu too 🙂