Archive for the ‘General info’ Category


R&S Quick Notes – Security & IP Services

May 22, 2009

Security

  • Know how to use extended access-lists in distribute-lists; see Brian McGahan's article at INE.
  • Know how to use extended access-lists instead of prefix-lists; see Brian Dennis's article at INE.
  • Know your "binary voodoo", as Scott Morris at INE calls it: Part I & Part II.
  • Don't forget to permit the IGPs, BGP, multicast, IPv6 and any other protocol the network relies on when applying an ACL to an interface; the implicit deny at the end of the list will otherwise drop your routing adjacencies.
  • Know when to use the "established" keyword: it matches only TCP segments with the ACK or RST bit set, so it does nothing for UDP.
  • When matching multicast traffic in an extended ACL, remember that a multicast address can NEVER be a source address, only a destination.
  • Allowing Telnet to a local router on a port other than 23: option 1, the "rotary" line command; option 2, static port NAT.
  • NBAR ("match protocol") can be used for classification when a task does not allow ACLs. Unassigned ports can be mapped with "ip nbar port-map custom-xx", or you can define your own protocol with "ip nbar custom".
  • Dynamic (lock-and-key) ACL timeouts are specified in the ACE itself, in minutes: "dynamic NAME timeout {x} permit tcp any any eq 80".
  • When configuring SSH, don't forget to set a hostname and a domain-name before generating your RSA keys ("crypto key generate rsa"); then restrict the VTYs with "transport input ssh" and prefer "ip ssh version 2".

IP-Services

  • "no service config" disables the router's attempt to load a configuration file over TFTP at boot.
  • WCCP uses UDP port 2048 for its control messages and GRE (IP protocol 47) for the redirected traffic.
  • If a task talks about "router discovery", it means IRDP ("ip irdp").
  • DNS server config: "ip dns server" & "ip host"
  • DNS client config: "ip domain-lookup" & "ip name-server"
  • DHCP stands for Don't Hit Computer People.
  • DHCP option 82 is the relay agent information option (inserted by relays and by DHCP snooping).
  • DHCP option 66 hands the TFTP server's name or address to clients.
  • If DHCP snooping was configured earlier in the switching section, the port connecting to the DHCP server must be trusted ("ip dhcp snooping trust").
  • A snooping switch inserts option 82 with a giaddr of 0.0.0.0, which a DHCP server or relay router drops by default. Either stop the insertion with "no ip dhcp snooping information option" on the switch, OR accept it on the DHCP router with "ip dhcp relay information trust-all" (global) or "ip dhcp relay information trusted" (interface).
  • HSRP timers are carried in the active router's hellos, so strictly they only need to be configured on one router (the standby routers learn them); configuring them on all peers avoids a mismatch if a different router becomes active.
  • HSRP uses UDP port 1984 (sent to 224.0.0.2 for HSRPv1 and 224.0.0.102 for HSRPv2).
  • When using HSRP with previously configured port-security, you might need to allow the HSRP virtual MAC 0000.0c07.acxx, where xx is the group number in hex (HSRPv2 uses 0000.0c9f.fxxx).

Cisco CCIE R&S Lab Blueprint v4

May 14, 2009

A couple days off and so much has happened in the industry.

As most are aware, the R&S track is set to change from the 17th of October 2009, with some interesting but controversial changes. Some I personally agree with, some I don't. But these changes have come about due to public demand, and as with many things in life, majority rules.

Mr Scott Morris wrote a brilliant article, in his usual humorous way, about the upcoming changes to the existing Routing and Switching version 3. Source

The proposed changes to the layout are as follow:

- The Open-Ended-Questions are here to stay. (no surprise)
- A NEW 2-hour troubleshooting section will be introduced.
- Then the remaining 6 hours will be the normal configuration section.

I'm currently working in a support environment, so I personally cannot imagine the troubleshooting section being that hard. But that really depends on your background. The troubleshooting section has the candidate troubleshoot given problems on a pre-configured network. Once done, the configs on the routers are wiped and the initial configs for the configuration section are loaded.

The proposed changes to the hardware and software:

- IOS 12.4 to be replaced with more recent 12.4T versions
- All switches available will be 3560s
- 3725 routers to be replaced with 1841s and 3825s

Then the proposed changes to the exam topics in short format are as follow:

- PPPoE (PPP over Ethernet)
- OER (Cisco Optimized Edge Routing)
- PFR (Performance Routing)
- EIGRPv6 (EIGRP version 6)
- IPv6 Multicast
- MSDP – Implement Interdomain Multicast Routing
- MPLS Overview
- Layer 3 VPNs
- VRF-Lite (Multi-VRF Customer Edge)
- MPBGP (Multi-Protocol BGP)
- Cisco AutoQoS
- Zone Based Firewall
- IPS (Intrusion Prevention System)
- NetFlow
- RITE (Router IP traffic export)
- EEM (Cisco IOS Embedded Event Manager)
- SCP (Switch-module Configuration Protocol)

I have created a new R&S version 4 blueprint with the new topics above, based on my original version 3, along with a more detailed breakdown of the new topics. It's listed on the right.

In all honesty, I hear most are worried about MPLS and the L3 VPNs, but trust me when I say there is nothing difficult about this. Basic MPLS has a lot of theory but only 3-4 commands to configure. VRFs are really nothing difficult, even if you have never worked with them before. In my humble opinion this will really be free points :) since cell-mode MPLS, L2 VPNs and TE tunnels are not included.


Cisco Documentation-CD

April 3, 2009

I often see guys asking where certain topics are on the DOC-CD.
And I made an index some time back to cover just about everything (I said just about).

Sooo I thought I’ll share it.
If there is anything you can add, let me know :)

(Obviously the index for pages like IPv6 and Multicast is not listed, as the heading implies the index's contents.)

To access the page,
On the right, in the section “PAGES”,
click on “Cisco DOC-CD Locations”


Cisco Cli Shortcuts

March 22, 2009

I was browsing around the Cisco Doc-CD and came across the cli shortcuts.
Some I know and use, but a couple I didn’t know about.
Pretty nifty that you can change the CASE of the characters.

Esc, B Moves the cursor back one word.
Esc, F Moves the cursor forward one word.
Ctrl-A Moves the cursor to the beginning of the line.
Ctrl-E Moves the cursor to the end of the command line.
Ctrl-D Deletes one character right of the cursor.
Ctrl-K Deletes all characters right of the cursor.
Ctrl-U or Ctrl-X Deletes all characters left of the cursor.
Ctrl-W Deletes one word to the left of the cursor.
Ctrl-Y Recalls the most recent entry in the buffer.
Ctrl-T Transposes the character to the left of the cursor.
Ctrl-R Redisplays the current command line.
Esc, L Changes the word at the cursor to lowercase.
Esc, U Capitalizes letters from the cursor to the end of the word.

Converting IPv4 to IPv6 and back

March 19, 2009

Converting from IPv4 to IPv6 is so easy, yet everyone seems to convert an IPv4 address to binary and then to IPv6. Why? Why waste time and do it the long way? Not cool.

When would you need to do this? One specific use is 6to4 tunnels, whose addresses always start with the 2002::/16 prefix followed by the embedded IPv4 address.
With automatic 6to4 tunnels, the address format is as follows:
2002:<32-bit IPv4 site address as two 16-bit hex groups>:<16-bit subnet number in hex>::/64

The question is how to do the conversion.

Firstly before starting I will assume everyone knows the following:

  • Binary is a Base-2 numbering system, as it has only 0,1
  • Decimal is a Base-10 numbering system, as it has 0,1,2,3,4,5,6,7,8,9
  • Hexadecimal is a Base-16 numbering system, as it has 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F

I also assume you know the hex values in decimal:

A = 10
B = 11
C = 12
D = 13
E = 14
F = 15

Two more things I would like to mention before explaining the conversion.
An IPv4 address, for example 192.168.99.1:

  • Each octet (8 bits) between the dots is 1 byte, which is exactly two hex digits.

An IPv6 address, for example 2001:0db8:85a3:0000:0000:8a2e:0370:7334:

  • Two nibbles (1 nibble = 4 bits = 1 hex character) make 1 byte, so each colon-separated group of four hex characters is 2 bytes (16 bits), and the 4 bytes of an IPv4 address fill exactly two groups.

Then converting is easy. Let's take the following IPv4 address, 192.168.99.1, and convert it to hex.

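The conversion above carried through in code, as an added example that is not part of the original post: each octet becomes two hex digits, so 192.168.99.1 is c0a8:6301 and the 6to4 prefix for subnet 1 is 2002:c0a8:6301:1::/64. The function names are my own; the standard-library ipaddress module is used only to validate the built prefix and to cross-check the reverse direction.

```python
"""Added example (not the original post's code): IPv4 <-> 6to4 hex conversion.

Each IPv4 octet is one byte, i.e. exactly two hex digits, so the 32-bit
address becomes two 16-bit IPv6 groups with no detour through binary.
"""
import ipaddress


def ipv4_to_hex_groups(ipv4: str) -> str:
    """'192.168.99.1' -> 'c0a8:6301' (octet -> two hex digits, four octets -> two groups)."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ipv4!r}")
    hexdigits = "".join(f"{o:02x}" for o in octets)        # 'c0a86301'
    return f"{hexdigits[:4]}:{hexdigits[4:]}"


def hex_groups_to_ipv4(groups: str) -> str:
    """The reverse: 'c0a8:6301' -> '192.168.99.1' (each pair of hex digits is one octet)."""
    hexdigits = groups.replace(":", "")
    if len(hexdigits) != 8:
        raise ValueError(f"expected two 16-bit groups, got {groups!r}")
    return ".".join(str(int(hexdigits[i:i + 2], 16)) for i in range(0, 8, 2))


def sixto4_prefix(ipv4: str, subnet_id: int = 0) -> str:
    """Build the automatic 6to4 prefix 2002:<IPv4 in hex>:<subnet id>::/64."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    prefix = f"2002:{ipv4_to_hex_groups(ipv4)}:{subnet_id:04x}::/64"
    # Round-trip through the stdlib so a malformed result cannot slip out;
    # str() also gives the compressed form IOS shows (2002:c0a8:6301:1::/64).
    return str(ipaddress.IPv6Network(prefix))


def sixto4_to_ipv4(ipv6: str) -> str:
    """Recover the embedded IPv4 address from any address inside 2002::/16.

    The manual hex conversion is cross-checked against the stdlib's own
    `sixtofour` attribute so a parsing mistake is caught immediately.
    """
    addr = ipaddress.IPv6Address(ipv6.split("/")[0])
    if addr.sixtofour is None:               # stdlib: None unless addr is in 2002::/16
        raise ValueError(f"{ipv6} is not a 6to4 address")
    groups = addr.exploded.split(":")        # eight zero-padded 16-bit groups
    manual = hex_groups_to_ipv4(f"{groups[1]}:{groups[2]}")
    assert manual == str(addr.sixtofour), "hex conversion disagrees with stdlib"
    return manual


if __name__ == "__main__":
    print(ipv4_to_hex_groups("192.168.99.1"))      # c0a8:6301
    print(sixto4_prefix("192.168.99.1", 1))        # 2002:c0a8:6301:1::/64
    print(sixto4_to_ipv4("2002:c0a8:6301:1::1"))   # 192.168.99.1
```

The same two functions cover the reverse problem from the title: take the second and third groups of a 2002:: address, split them into byte pairs, and read each pair as a decimal octet.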


ACL Editing

March 9, 2009

Let say you create the following numbered extended access-list:

access-list 123 permit tcp any any eq www
access-list 123 permit udp any any eq 54
access-list 123 permit tcp any any eq smtp
access-list 123 permit tcp any any eq pop3
access-list 123 permit udp any any eq syslog

As you type in the last line you realise you made a typo, entering UDP 54 instead of UDP 53 (DNS). This is probably why most of us prefer named ACLs: without sequence numbers you cannot remove that one entry, because "no access-list 123 ..." with any ACE deletes the whole list, so you have to remove the entire ACL and re-enter it. Although named ACLs are handy, there are still times when you have to use a numbered ACL.

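Since the ACL sequence-numbering feature, IOS lets you open a numbered ACL in named-ACL mode ("ip access-list extended 123") and remove or insert a single line by sequence number, which is the way out of the typo above. The Python helper below is an added example, not code from the post: it diffs the current entries against the desired ones and emits only the sequence-numbered commands needed, after an "ip access-list resequence" so the numbering is predictable. The resequencing step of 10, the function name and the sample lists are my assumptions; the sample ACL is the one from the post.

```python
"""Added example, not the original post's code: compute the sequence-numbered
IOS commands that fix an ACL in place instead of deleting and retyping it."""
import difflib
from typing import List

# The numbered ACL from the post, with the UDP 54 typo, and the corrected
# version (constructed sample input).
ACL_WITH_TYPO = [
    "permit tcp any any eq www",
    "permit udp any any eq 54",
    "permit tcp any any eq smtp",
    "permit tcp any any eq pop3",
    "permit udp any any eq syslog",
]
ACL_FIXED = ACL_WITH_TYPO[:1] + ["permit udp any any eq 53"] + ACL_WITH_TYPO[2:]


def acl_edit_commands(name: str, current: List[str], desired: List[str],
                      start: int = 10, step: int = 10) -> List[str]:
    """Return the IOS commands that turn ACL `name` from `current` into `desired`.

    `current` and `desired` are ordered ACE bodies such as 'permit udp any any eq 53'.
    The ACL is resequenced first so every existing line has a known number
    (start, start+step, ...); then only the lines that differ are removed or
    added by sequence number.  `ip access-list extended 123` is accepted for a
    numbered ACL, so this works for numbered and named lists alike.
    """
    seq = [start + i * step for i in range(len(current))]
    cmds = [f"ip access-list resequence {name} {start} {step}",
            f"ip access-list extended {name}"]
    matcher = difflib.SequenceMatcher(a=current, b=desired, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        for i in range(i1, i2):                     # drop only the wrong lines
            cmds.append(f" no {seq[i]}")
        n_new = j2 - j1
        if n_new == 0:
            continue
        # New lines must sort between the neighbouring untouched entries.
        lo = seq[i1 - 1] if i1 > 0 else 0
        hi = seq[i2] if i2 < len(current) else lo + step * (n_new + 1)
        if hi - lo - 1 < n_new:
            raise ValueError("not enough free sequence numbers; resequence with a larger step")
        gap = (hi - lo) // (n_new + 1)
        for k, ace in enumerate(desired[j1:j2], start=1):
            cmds.append(f" {lo + k * gap} {ace}")
    cmds.append(" exit")
    return cmds


if __name__ == "__main__":
    print("\n".join(acl_edit_commands("123", ACL_WITH_TYPO, ACL_FIXED)))
```

For the typo above this yields "no 20" followed by "20 permit udp any any eq 53", leaving the other four lines and their order untouched; an inserted line lands on a free number between its neighbours (15 between 10 and 20), and the helper refuses rather than silently misordering when the step leaves no room.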


Accounting packets on the fly

February 18, 2009

Have you ever quickly needed to see how much traffic a host is sending or receiving, or how much traffic is in a flow between two hosts? IP accounting can easily provide the number of packets and bytes for each source/destination pair switched out of an interface (traffic generated by or terminating on the router itself is not counted).

Enable it under the interface:
R4(config)#interface fa0/0
R4(config-if)#ip accounting output-packets

After a couple of minutes you should have a good idea of the data flows. Keep in mind that the accounting database is capped by "ip accounting-threshold" (512 entries by default), so on a busy interface not every pair will be listed; "clear ip accounting" resets the counters.

R4#sh ip accounting output-packets
Source          Destination     Packets  Bytes
192.168.89.171  192.168.54.72    2394     1410785
192.168.89.171  192.168.54.10    5119     6976939
192.168.89.239  192.168.54.10    662      194296
192.168.89.211  192.168.54.155   124      15048


ICMP Rate-Limit

February 13, 2009

Ever wonder why when you do a trace and the last hop shows timeouts?

This is due to a built-in denial-of-service protection mechanism that limits the rate at which ICMP unreachable messages are transmitted out an interface. The default is one ICMP destination unreachable message per 500 milliseconds (half a second), which is why one of the three probes to the final hop shows up as a timeout: the destination router silently discards the second probe instead of answering it with a port unreachable.

The following command changes the interval at which ICMP unreachable messages are generated, here to one packet every 100 ms. Keep in mind why the limit exists: without it a flood of packets to unreachable destinations would make the router generate unreachables at full rate, so lower the interval rather than disabling the limit altogether:

R5#conf t
R5(config)#ip icmp rate-limit unreachable 100

The corresponding show and clear commands were only introduced in IOS 12.4(2):

clear ip icmp rate-limit
show ip icmp rate-limit


A traceroute will then complete as you would expect.


CCIE R&S Lab Update

January 27, 2009

Effective February 1, 2009, to increase the security and integrity of the CCIE R&S lab exam, Cisco will introduce a new type of question format to the CCIE Routing and Switching lab exam, in addition to the live configuration scenarios.

Candidates will be asked a series of four or five open-ended questions on the computer screen, drawn from a pool of questions based on the material covered in the lab blueprint. No new topics are being added. Candidates can expect to spend about 10-12 minutes in total on them.

Candidates must achieve a passing score on the short-answer questions as well as on the configuration section in order to pass the lab exam and achieve certification. This applies to the mobile lab too.

Candidates will also see two other changes to the CCIE written exams. Effective February 17, 2009, candidates will be required to answer each question before moving on to the next; in other words, candidates will no longer be allowed to skip a question and come back to it later. Finally, the overall score report is being updated: the overall exam score and the passing score will now be reported on a scale from 300 to 1000.

More Info.


Hung/Orphaned telnet sessions

November 23, 2008

If your reverse telnet sessions have timed out, or your remote connection was lost, you might see the following error when trying to reconnect:

IETS#sw1
Translating "sw1"
Trying R1 (172.69.1.1, 2002)...
% Connection refused by remote host

This happens because, according to the router, the session is still active and the inactivity timeout has not expired yet. The fix is easy: in the output of the show line command the busy lines are marked with a "*" (and show users tells you who, if anyone, is on them), like below:

(screenshot of show line output)

In order to reconnect you have to release the orphaned sessions with the clear line {line number} command, referencing the output above. Be aware that clear line drops whoever is on that line, so make sure it really is your stale session and not a colleague's active one before clearing it.
IETS#clear line 2
[confirm]
[OK]

IETS#clear line 3
[confirm]
[OK]


Then once all the orphaned sessions are closed, you will be able to connect again.

IETS#sw1
Translating "sw1"
Trying SW1 (172.69.1.1, 2002)... Open
SW1#



New Cisco ASR 9000

November 11, 2008

Today, 11-11-08, Cisco unveiled the new Cisco ASR 9000 series routers:

ASR-9000

The ASR 9000 builds on the ASR series and the QuantumFlow processor announced earlier this year. It cost $200 million and was in development for more than four years. The box runs Cisco's IOS XR operating system with edge-specific enhancements and is expected to succeed the company's eight-year-old and widely installed 7600 series.

The ASR 9000 is designed for a subscriber and enterprise world of increasing video and mobile service use. According to Cisco, IP traffic over wireline and mobile networks will nearly double every two years until 2012, reaching 522 exabytes (an exabyte is a billion gigabytes), the equivalent of downloading 125 billion DVD movies per month.

The ASR 9000 comes in six- and 10-slot configurations, and Cisco says they support 400 Gbps per slot.

At 6.4 Tbps across the backplane, Cisco says the ASR 9000 provides six times the capacity of competing edge routers, which include Juniper's MX960, Alcatel-Lucent's 7750 and Ericsson's Redback SM 480.

The Cisco ASR 9000 is in trial with service provider Softbank in Japan and with Tier 1 service providers in North America and Europe. It will be available in the first quarter of 2009.

More Info



History of Ping

November 4, 2008

Ever wondered where ping comes from? Who wrote it? When was it written? What it stand for?

From the experts, to the noobs using it as a basic first-line troubleshooting tool, to the non-technical people who just know the term as opposed to what it actually does, I think it is safe to say that ping has become one of the most widely used terms in computer technology and networking.

Michael John Muuss

MIKE MUUSS (pronounced "moose"): 'A graduate of Johns Hopkins University, Muuss was a senior scientist specializing in geometric solid modeling, ray-tracing, MIMD architectures and digital computer networks at the United States Army Research Laboratory in Maryland when he died.' (from Wikipedia)

Mike is the author of PING for UNIX, a little thousand-line hack that he wrote in one evening in December 1983, from an idea he had picked up in July 1983: measuring path latency using timed ICMP Echo packets. PING is NOT an acronym; many believe PING is short for Packet Internet Groper, but this is not the case, nor was it Mike's intention.

Mike named PING after the sound a sonar makes, because of the operational similarity: ping uses timed IP/ICMP ECHO_REQUEST and ECHO_REPLY packets to probe the "distance" to the target machine. PING is included in every copy of UNIX® and Microsoft Windows®, putting it on nearly every computer on the planet.

Mike also wrote a number of software packages (he was the architect of BRL-CAD) and network tools (including TTCP and the concept of the default route or "default gateway"), and contributed to many others (including BIND).

Sadly, Mike was killed in an automobile accident on Interstate 95 in Maryland on November 20, 2000. His homepage is still available, a testament to his intellect and indomitable spirit. A true loss indeed.



ACL Object-groups now on Cisco IOS

October 29, 2008

A week of standby and late shift is not really permitting of time to blog.

Cisco IOS 12.4(20)T has some neat new features. One in particular that I'm very excited about is ACL object-groups. Object-groups were very popular and widely used on PIX OS; they shrink complex and large ACL configurations in production environments tremendously.

By grouping ACE entries into objects you can easily add or remove entries while keeping the ACL ordered and readable, and keep the time spent on changes to a minimum. It provides a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that change frequently.

There are two types of object-groups: network object-groups and service object-groups.



Output-101 : Limit a Debug to an interface

October 17, 2008

Debugging is one of the best tools to use when troubleshooting problems, but also the most dangerous tool if misused in production networks.

By limiting the debug output to the one interface you actually need, instead of all 100+ client interfaces, you reduce the risk to a reasonable degree. Note that not all debugging output honours a condition, so in production also send debug output to the logging buffer ("logging buffered", "no logging console") rather than flooding the console.

The following command sets a conditional debug for interface Serial1/0 (the longer "debug condition interface s1/0" form does the same). This means that only debug output for Se1/0 is displayed:

Rack1R1#debug interface s1/0
Condition 1 set

Rack1R1#sh debugging
TCP:
TCP Packet debugging is on

Condition 1: interface Se1/0 (1 flags triggered)
Flags: Se1/0

-

Note that the command 'undebug all' does not remove conditional triggers, only the normal debugs; below, only the TCP packet debugging has been removed:

Rack1R1#un all
Port Statistics for unclassified packets is not turned on.

All possible debugging has been turned off
Rack1R1#sh debug

Condition 1: interface Se1/0 (1 flags triggered)
Flags: Se1/0

-

To remove your conditional debug, use the following:

Rack1R1#undebug interface s1/0
This condition is the last interface condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.
Proceed with removal? [yes/no]: yes
Condition 1 has been removed

Rack1R1#sh debug
Rack1R1#



Cisco Terminal Server with ‘Menu’ command

September 30, 2008

To set up a Cisco terminal server for your CCIE lab you require the following:
- Either a Cisco 2509/2511 access router, or an 1841 with a HWIC-8A (8 ports) or a 28xx with a HWIC-16A (16 ports) expansion card.
- 1 or 2 octal cables (CAB-HD8-ASYNC) to connect the access router to the console port of every other router in your lab.

To configure your terminal server you can set up plain reverse telnet sessions with the 'ip host' command, but I prefer using the 'menu' command: it looks a lot better and is more convenient to use.

This current lab setup follows the Internetwork Expert R&S Lab Workbook V4, so the menu config is based on that. This is what it looks like:

The configuration is as follows:
