Wednesday, 13 August 2008

Native VLAN

I was confused by this term for a while, since I hadn't played with switches for a few months.

But now I have found it:
Note: On an 802.1Q trunk, one VLAN is NOT tagged. This VLAN, named the native VLAN, must be configured the same on each side of the trunk. In this way, you can deduce to which VLAN a frame belongs when you receive a frame with no tag.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml#basic_char

So if you use a switch to connect the firewall and the core network over a trunk, the safer choice is to pick an unused VLAN and make it the native VLAN on both ends of the trunk. Then untagged traffic (which might come from an attacker) lands in a VLAN that has no members instead of bypassing the firewall over the trunk link.
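
To make the point concrete, here is a small model of 802.1Q trunk ingress and egress that I wrote for this post; it is an added example, not code from the original post or from Cisco. The VLAN numbers (10 and 20 as VLANs with hosts, 999 as the unused native VLAN), the MAC addresses and the two "switches" are my own assumptions. It shows three cases: an untagged frame injected on the trunk joining the native VLAN, the same frame being dropped when the native VLAN has no members, and a native VLAN mismatch between the two ends leaking frames from one VLAN into another.

```python
"""802.1Q trunk model: where untagged frames end up (added example, not from the original post).

Assumptions of mine, not the page's: VLAN 10/20 carry hosts, VLAN 999 is unused, the MAC
addresses and payload are constructed, and the 'switches' are the two functions below.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_IP = 0x0800

DST = bytes.fromhex("0200000000aa")   # constructed MAC addresses
SRC = bytes.fromhex("0200000000bb")


def build_frame(vlan=None, payload=b"constructed payload"):
    """Ethernet frame; with a VLAN id, TPID + TCI (PCP/DEI zero) is inserted after the MACs."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return DST + SRC + tag + struct.pack("!H", ETH_P_IP) + payload


def pop_outer_tag(frame):
    """Return (vlan_id or None, frame with that one tag removed). Only the outermost tag is read."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def trunk_ingress(frame, native_vlan):
    """Receive on an 802.1Q trunk: a tagged frame belongs to its tag, an untagged one to the native VLAN."""
    vlan, inner = pop_outer_tag(frame)
    return (native_vlan if vlan is None else vlan), inner


def trunk_egress(vlan, frame, native_vlan):
    """Send on an 802.1Q trunk: the native VLAN leaves untagged, every other VLAN gets a tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def deliver(vlan, member_vlans):
    """A switch floods a frame only to ports in its VLAN; a VLAN with no members drops it."""
    return vlan if vlan in member_vlans else None


def untagged_injection(native_vlan, member_vlans):
    """An attacker puts an untagged frame on the trunk wire; which VLAN does it land in?"""
    vlan, _ = trunk_ingress(build_frame(vlan=None), native_vlan)
    return deliver(vlan, member_vlans)


def cross_trunk(vlan, tx_native, rx_native):
    """A frame of `vlan` sent by one end and classified by the other; the natives may differ."""
    wire = trunk_egress(vlan, build_frame(vlan=None), tx_native)
    rx_vlan, _ = trunk_ingress(wire, rx_native)
    return rx_vlan


if __name__ == "__main__":
    inside = {10, 20}                                     # VLANs that actually have ports
    print(untagged_injection(10, inside))                 # 10: the untagged frame joins the inside VLAN
    print(untagged_injection(999, inside))                # None: native 999 has no members, frame dropped
    print(cross_trunk(10, tx_native=10, rx_native=20))    # 20: mismatched natives leak VLAN 10 into VLAN 20
    print(cross_trunk(10, tx_native=999, rx_native=999))  # 10: matching unused native keeps the tag on the wire
```

On Catalyst IOS the last case is `switchport trunk native vlan 999` on both trunk ports, and where the platform supports it the global `vlan dot1q tag native` so that even the native VLAN is tagged on the wire; the first case is what a trunk left at the default native VLAN 1 gives you when VLAN 1 also carries hosts.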

Monday, 28 July 2008

ISDN backup link configuration and EIGRP redistribution - Part 2

Well, the route for the backup link has been redistributed successfully. Let's bring it up and see what happens!

I pinged the fake IP address and the debug messages showed the backup link was up. Oh, wait a minute: router 2 established a neighbour adjacency with the south router. I had a feeling that something would go wrong.

Yes, the core switch rebooted! I believe it was caused by a routing loop.

The more detailed network topology should be something like this:





So you can see that a routing loop was created when the backup link was brought up.

It is all the fault of the ISP's BGP redistribution settings. They did it without any route filtering!

So the only solution is to configure a passive interface:

router eigrp xx
passive-interface bri1/3


Now it is all done.

Wednesday, 23 July 2008

ISDN backup link configuration and EIGRP redistribution


I spent a few days setting up an ISDN backup link on a new Cisco 2821 router with IOS 12.4(7).

It was quite easy to dump all the old configuration from the old Cisco 4000 router (IOS 11.2) with a few changes, such as defining the isdn switch-type, since the new IOS doesn't have a default value for it.


aaa authentication ppp default local
!
username southrouter password 7 xxxxxxxxxx
!
interface BRI1/3
description ISDN Backup to South Router
no ip address
encapsulation ppp
dialer pool-member 8
isdn switch-type basic-net3
isdn point-to-point-setup
no fair-queue
ppp authentication chap
!
interface Dialer8
description Link to South Router
bandwidth 1
ip address s.s.s.s.2 255.255.255.0
encapsulation ppp
delay 10000000
dialer pool 8
dialer remote-name southrouter
dialer idle-timeout 300
dialer enable-timeout 2
dialer string 5555555
dialer-group 10
ppp authentication chap
!
access-list 100 deny ip any host 255.255.255.255
access-list 100 deny eigrp any any
access-list 100 deny udp any any eq snmptrap
access-list 100 deny udp any any eq syslog
access-list 100 deny udp any any eq ntp
access-list 100 permit ip any any
dialer-list 10 protocol ip list 100
!
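
The access-list 100 / dialer-list 10 pair above decides which packets count as "interesting", that is, which packets are allowed to dial the ISDN line and reset its idle timer. As an added example (mine, not part of the original post or of IOS), here is a small evaluator that applies those six entries with IOS semantics: first match wins and an unmatched packet hits the implicit deny. The six ACEs are copied from the configuration; the sample packets are constructed, and the matcher only understands the address forms that ACL uses ("any" and "host X").

```python
"""Evaluate the post's 'interesting traffic' ACL the way IOS does (added example, not from the post).

ACL_100 is copied from the configuration above; PORT_NAMES/PROTO_NUMBERS are the standard
IOS keyword values; the SAMPLES packets are constructed for this illustration.
"""
PORT_NAMES = {"snmptrap": 162, "syslog": 514, "ntp": 123}                  # IOS keyword -> UDP port
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88}  # None = any IP protocol

ACL_100 = [
    "deny ip any host 255.255.255.255",
    "deny eigrp any any",
    "deny udp any any eq snmptrap",
    "deny udp any any eq syslog",
    "deny udp any any eq ntp",
    "permit ip any any",
]


def _address(tokens, i):
    """Parse 'any' or 'host A.B.C.D' starting at tokens[i]; return (match value, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("only 'any' and 'host X' are handled here: %r" % tokens[i])


def parse_ace(line):
    """'deny udp any any eq syslog' -> dict of match fields; a None field is a wildcard."""
    t = line.split()
    action, proto = t[0], PROTO_NUMBERS[t[1]]
    src, i = _address(t, 2)
    dst, i = _address(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    for field in ("proto", "src", "dst", "dport"):
        if ace[field] is not None and ace[field] != pkt.get(field):
            return False
    return True


def acl_verdict(acl_lines, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny'."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def is_interesting(pkt):
    """'dialer-list 10 protocol ip list 100': a packet ACL 100 permits may dial and resets the idle timer."""
    return acl_verdict(ACL_100, pkt) == "permit"


# Constructed sample packets: IP protocol number, source, destination, UDP/TCP destination port.
SAMPLES = {
    "eigrp hello":   {"proto": 88, "src": "10.1.1.1", "dst": "224.0.0.10"},
    "syslog":        {"proto": 17, "src": "10.1.1.1", "dst": "10.2.2.2", "dport": 514},
    "ntp":           {"proto": 17, "src": "10.1.1.1", "dst": "10.2.2.2", "dport": 123},
    "dhcp discover": {"proto": 17, "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67},
    "user ping":     {"proto": 1,  "src": "10.1.1.9", "dst": "10.200.10.5"},
    "user dns":      {"proto": 17, "src": "10.1.1.9", "dst": "10.200.10.53", "dport": 53},
}


def classify_samples():
    return {name: is_interesting(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-14s %s" % (name, "dials / resets idle timer" if verdict else "never dials, never resets the timer"))
```

The point of the deny lines is cost control rather than filtering: EIGRP hellos, syslog, SNMP traps and NTP still cross the link once it is up, but none of them may bring it up or keep it up, which is exactly the kind of chatter that would otherwise keep an ISDN call running (and billed) around the clock.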



So far so good: I pinged the other end and the link was brought up. Well done! The next step is to make a floating static route and inject it into EIGRP. So I typed in:

router eigrp 20
redistribute static


And a fake floating static route alongside the real one:
ip route 10.200.10.0 255.255.255.0 s.s.s.1 210

But on the core switch this route didn't show up, and neither did the other real routes.

After about an hour's internet search, I found something interesting here:

When redistributing between different routing protocols, the default-metric command must be configured. When one routing protocol is being redistributed into another, the router doesn't have a way to translate the routing metric from one routing protocol into another. The default-metric command is used so that the network administrator can manually initialize the routing metric during route redistribution.
(from: http://www.ciscopress.com/articles/article.asp?p=27839&seqNum=7)

Default Setting for EIGRP "default-metric" Command:

Only connected routes can be redistributed without a default metric. The metric of redistributed connected routes is set to 0.

(http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_c1gt.html#wp1094645)




After I typed in:
router eigrp 20
default-metric 64 20 255 1 1500

Guess what happened: the floating route is in the RIB of the core switch now!
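
To see what the five numbers in that command actually do, here is a model of the classic EIGRP composite metric that I wrote for this post (an added example, not Cisco's code). My assumptions: the K values are the IOS defaults (K1 = K3 = 1, the rest 0), the bandwidth term is 10^7 divided by the bandwidth in kbit/s with integer division, delay is in tens of microseconds (the unit default-metric takes), and a composite that cannot be computed or does not fit the 32-bit classic metric is reported as EIGRP_INFINITY, meaning the prefix is not offered to neighbours. Check the real numbers with `show ip eigrp topology` before relying on them.

```python
"""Classic EIGRP composite metric and the 'default-metric' step (added example, not from the post).

Assumptions of mine: IOS default K values, 10^7 // bandwidth_kbps for the bandwidth term,
delay in tens of microseconds, and EIGRP_INFINITY for anything that cannot be computed or
does not fit in the 32-bit classic metric.
"""
EIGRP_INFINITY = 0xFFFFFFFF


def eigrp_classic_metric(bandwidth_kbps, delay_tens_us, reliability=255, load=1, k=(1, 0, 1, 0, 0)):
    """256 * (K1*BW + K2*BW/(256-load) + K3*delay) * K5/(reliability+K4), with BW = 10^7/bandwidth."""
    k1, k2, k3, k4, k5 = k
    if bandwidth_kbps <= 0 or delay_tens_us <= 0:
        return EIGRP_INFINITY          # no usable bandwidth/delay: nothing to compute from
    bw = 10_000_000 // bandwidth_kbps
    composite = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5:                             # the reliability factor only applies when K5 is non-zero
        composite = composite * k5 // (reliability + k4)
    composite *= 256
    return composite if composite < EIGRP_INFINITY else EIGRP_INFINITY


def redistributed_metric(default_metric=None):
    """'redistribute static' under 'router eigrp': a static route carries no interface bandwidth or
    delay of its own, so without 'default-metric <bw> <delay> <reliability> <load> <mtu>' there is
    nothing to seed the metric from and the prefix is not advertised (EIGRP_INFINITY here)."""
    if default_metric is None:
        return EIGRP_INFINITY
    bandwidth, delay, reliability, load, _mtu = default_metric   # MTU is carried but not part of the formula
    return eigrp_classic_metric(bandwidth, delay, reliability, load)


def is_advertised(metric):
    return metric != EIGRP_INFINITY


if __name__ == "__main__":
    print(redistributed_metric())                         # 4294967295: the first attempt, route missing
    print(redistributed_metric((64, 20, 255, 1, 1500)))   # 40005120: after 'default-metric 64 20 255 1 1500'
```

With the post's values the bandwidth term is 10^7 / 64 = 156250, the delay term is 20, and 256 * (156250 + 20) = 40005120 is the metric the core switch ends up with for the redistributed static route. Any positive bandwidth and delay would have made the route appear; the values chosen just decide how it compares with paths learned over real interfaces.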


TO BE CONTINUED...

Opinion: Microsoft-Lite (why anti-apple?)

Origin Link
http://www.itnews.com.au/News/NewsStory.aspx?story=80906

That is why I don't like Apple.

22 July 2008 03:11PM

What on earth has happened to Apple? The company is growing its market share according to the latest figures but it seems it can’t handle the extra numbers.

What was once a rock solid platform slowly drawing Windows users away from their endless crashing and patching routine has now become just a smaller version of its arch nemesis. Is this what has to happen when a computer company grows bigger?

Now we’re getting 500MB+ downloads from Apple when there’s a new revision of OS X, Mobile Me is just well….borked…. the company’s email has turned into silly putty, trying to sync turns your Mac into a go-slow zone, USB audio is right down the dunny, USB drives stop working until you update their firmware, MacBook Pros freeze when between open applications. Sure, you can also get this behaviour with Windows but at least the PC was cheaper to start with. Why pay more to get rogered?

And what does Apple say? No comment. Nada. Nix. Apple has taken a leaf out of the religious annals and thinks it is infallible. Problem with your Mac? Your iPhone? Your iPod? Oh no, never happens, it must be your fault. But hey, wait six months or so until umpteen thousand users have the same problem, and some hacker has posted a patch to fix the problem, and then, and only then, will Apple decide there might possibly be something wrong. And if they do decide to fix the bug, you still won’t get an apology.

And don’t get me started on the security side of things. Vista is looking a whole lot better than it used to, that’s for sure. Why have Microsoft-lite when you can get Microsoft full-cream for less money?

Tuesday, 22 April 2008

Install ntop3.3 onto Ubuntu linux v7 - a brief guide

So now you have Ubuntu Linux working on a PC (or in Virtual PC, as I am doing now). The next step is to install ntop-3.3 on it.

Why do I like ntop? Because I want to see what kind of traffic my network carries. It seems to be a good open source tool, and many people on the net have discussed it.

Unfortunately, installing it successfully is not very simple. You might need to download 16 or 17 packages for it.

They are:

ntop-3.3
automake-1.6.3
autoconf-2.53
libtool-1.5.10
libpng-1.2.26
openssl-0.9.8g
zlib-1.2.3
rrdtool-1.2.27
freetype-2.1.10
pkg-config-0.23
libart_lgpl-2.3.20
m4-1.4.9
libpcap-0.9.8
flex-2.5.35
bison-2.3
gawk-3.1.6

All of these packages can be found via Google. Basically all you need to do is unpack each one and run "./configure", "make" and "make install" (as root), except for ntop itself.

This might take you about three hours. Before you start to install ntop, you might need to edit the configure.in file: search for the rrd directory and change it from the default value if needed.

Then you can run "./autogen.sh", "make" and "make install" to install ntop on your PC.

Alright, now ntop is on your system under "/usr/local/var/ntop". Then you need to create a group and a user to run ntop as.

# groupadd ntop

# useradd -m -s /bin/false -d /var/lib/ntop -c "ntop user" -g ntop ntop

Before the first run, you need to type this command to set the administrator password:

# ntop -A

Now you can start ntop:

# ntop -p /var/lib/ntop -u ntop

To check that it is running, type "http://localhost:3000" into your web browser.

Making Ubuntu 7.04 Work Under Virtual PC 2007

Original Link:

http://blogs.msdn.com/mikekol/archive/2007/08/06/making-ubuntu-7-04-work-under-virtual-pc-2007.aspx


This is a really good article on making Ubuntu 7 work under Virtual PC 2007:

  • So, the first step, obviously, is to get a Windows PC with Virtual PC 2007 installed. I'm running the x64 version on Windows Vista Ultimate. Download the ISO for Ubuntu in whatever fashion you choose - just remember that Virtual PC only supports 32-bit guests, so make sure you grab the i386 version. Also, you don't need the alternate installer version. Just grab the regular one.
  • Start Virtual PC, create a VM with the specifications you want, and boot it. During POST, click the CD menu, and capture the Ubuntu ISO you just downloaded. You may need to reset the VM to get it to boot properly.
  • On the Ubuntu boot menu, select Start or install Ubuntu and hit F6. Add i8042.noloop to the end of the line, and press Enter. This will make the mouse work in recent versions of the kernel.
  • When Ubuntu boots to the Live CD and XWindows loads, the graphics will be... not good. You're going to need to change the color depth to make it display correctly. To do that:
    • Hit CTRL-ALT-F1 to drop to a console.
    • Type sudo nano /etc/X11/xorg.conf and press Enter.
    • Press CTRL W, type depth and press Enter. You should see a line that says "DefaultDepth 24". Delete 24 and type 16.
    • Press CTRL O, and press Enter to save the file.
    • Press CTRL X to exit the nano editor.
    • Press CTRL-ALT-F7 to switch back to XWindows - that graphics will still not be right.
    • Press CTRL-ALT-Backspace to reload XWindows. The graphics should be good to go now.
  • Run the installation like you normally would. When installation is complete, Ubuntu will boot, and the video should be correct (it was for me - if it's not, repeat the step listed above), but the mouse won't work. To fix the mouse in a more permanent manner, we'll need to add a kernel parameter to the GRUB loader. Here's how:
    • Boot into Ubuntu on the hard drive.
    • Hit CTRL-ALT-F1 to drop to a console and log in.
    • Type sudo nano /boot/grub/menu.lst.
    • Press CTRL W and type end default options, then press Enter.
    • The first entry in the list below is the entry containing the information to boot Ubuntu in regular mode. Find the line that starts with kernel and go all the way to the end of it. At the end, type i8042.noloop, press CTRL O, and press Enter to save.
    • At this point, you can do the same with the other entries, like the recovery mode one if you care enough to bother. If not, just hit CTRL X to exit nano.
    • Type sudo reboot to reboot the VM.
    • The next time you boot into XWindows, your mouse should work without issue. (You should also note that if you happen to upgrade your kernel version, you'll need to make this change *again*.)
  • And you're good to go do whatever it is you want to do.

Wednesday, 19 March 2008

FW: Understand Cisco's new IOS Packaging

Original Link:
http://articles.techrepublic.com.com/5100-10878_11-6078554.html

Even if you haven't bought a new router lately, or made a recent upgrade, you should be aware that Cisco has begun repackaging all IOS versions with its new naming conventions, starting with IOS version 12.3. (If you don't know what version of the IOS you have, see my article on the show version command). In this article, I will explain Cisco's "Legacy Naming," and then summarize the updated IOS Packaging system, which reduces the possible version names from 40+ to only eight. Armed with this background knowledge, you'll be better equipped to make your next upgrade or purchasing decision.

Legacy Naming

For IOS versions prior to IOS 12.3, Cisco used a confusing combination of letters and numbers to indicate which version of the IOS you had. There weren't just a few versions either; taking into account all of the possible combinations you could create, there were probably more versions of the IOS than of drinks at your local coffee bar (you know which one I am talking about). According to Cisco, there were a possible 44 versions available for most of the device series.

Cisco now refers to this older convention as "Legacy Naming." Since many of you are still using an IOS version older than 12.3 on your routers, here's a little background on how the Legacy Naming worked.

As an example, if I perform a show version command on my 2611 router, I see the following line in the output:

System image file is "flash:c2600-ik9o3s3-mz.122-15.T9.bin"

This is the actual name of the IOS file that my router is running, which indicates the following:

  • The c2600 tells me this is for the 2600 series of routers.
  • The i in ik9o3s3 tells me that this is the IP routing version of the IOS.
  • The k9 tells me that this is the 3DES encryption version of the IOS.
  • The o3 tells me that this is the Firewall/IDS version of the IOS.
  • The s3 tells me that this is the "Basic limited routing / limited memory" version of the IOS for the 2600 and 3600 series routers.
  • The mz tells me that this version of the IOS runs from RAM and is compressed.
  • The 122-15.T9 tells me that this is IOS version 12.2, patch level 15, and "training" version 9.

As you can see from this breakdown of the IOS name on my router, the old way was pretty confusing. These aren't the only letters and numbers used. Cisco's document, "Portable Product Sheet – IOS Naming," offers explanations on all of the old IOS naming conventions, along with the new packaging system.

New IOS Packaging

To make software selections easier, Cisco has adopted a new method of naming IOS versions, called "IOS Packaging." Cisco says that this will allow them to reduce the amount of IOS versions available for each device from 44 to only eight.

Here are the new versions of the IOS Cisco offers:

  • IP Base
  • IP Voice
  • Enterprise Base
  • Advanced Security
  • SP Services
  • Advanced IP Services
  • Enterprise Services
  • Advanced Enterprise Services

Each of these versions, of course, groups a large number of features inside the package. For example, the Advanced Security package contains the Cisco IOS Firewall, IPSEC, 3DES, VPN, and SSH. So, I should be able to use that version to replace the IOS on the 2611 router that I used as an example above (assuming I have enough RAM and Flash). In other words, I would be moving from this IOS version:

c2600-ik9o3s3-mz

To this IOS version:

c2600-advsecurityk9-mz

As you can see, the designation is less confusing and there are fewer options. If you still need guidance on which version of the IOS you need and what the hardware requirements are for that version, take a look at the Cisco Feature Navigator II and the IOS Upgrade Planner (requires Cisco Web site registration).

When I look at the show version output of a new 3845 router on my network, I see the following:

System image file is "flash:c3845-ipbase-mz.123-11.T7.bin"

This router is running the 12.3 IOS and is using the new package naming. This router has the IP Base IOS, which is the most entry level Cisco IOS available. However, it still has most of the standard IP routing features you are used to. Some of these packages roll up into larger packages with more and more features (and cost, of course). Figure A shows an illustration of the packages from the Cisco Web site.

Figure A

Summary

All of the details of Cisco's legacy naming and new IOS packaging information can be found at the Cisco IOS Packaging Web site. In addition, I just read that Cisco has expanded this new IOS packaging to switches as well as routers.

The new IOS Packaging is something that will affect all Cisco users the next time you buy a new router or go to upgrade your existing router. By being more informed about it now, you can make the right decisions later.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


------------------------------------------------------------------------------------------------

Thanks David!
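
Since the article decodes two image names by hand, here is the same decoding as a small parser. This is an added example of mine, not part of David's article and not a Cisco tool. The regular expression is my own reading of the two file names shown (platform-features-memory.version), the legacy letter table contains only the codes the article explains, and the package table only the two package strings that appear in the article (ipbase, advsecurityk9); anything else is reported as unknown rather than guessed. The "crypto" flag (a k9 image) is the field an inventory or vulnerability-management job most often needs from a file name.

```python
"""Decode a Cisco IOS image file name (added example, not part of the article above).

The legacy feature letters and the two package strings are the ones the article spells out
and are not a complete table; the file-name grammar is my own assumption from the two
names the article shows.
"""
import re

IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9_]+)-(?P<mem>[a-z]+)"
    r"(?:\.(?P<major>\d\d)(?P<minor>\d)-(?P<maint>\d+)(?:\.(?P<train>[A-Z]+)(?P<rebuild>\d+))?)?"
    r"(?:\.bin)?$"
)

# Legacy feature letters as the article decodes them for the 2600 image (not a complete table).
LEGACY_FEATURES = {
    "i": "IP routing",
    "k9": "3DES encryption (crypto image)",
    "o3": "Firewall/IDS",
    "s3": "basic limited routing / limited memory (2600/3600)",
}

# Package strings seen in the article's image names.
PACKAGES = {
    "ipbase": "IP Base",
    "advsecurityk9": "Advanced Security",
}

MEMORY_FLAGS = {"m": "runs from RAM", "z": "zip compressed"}


def decode_image_name(name):
    """Split a legacy or IOS Packaging file name into platform, feature set, memory flags and version."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError("not an IOS image name: %r" % name)
    g = m.groupdict()
    features = g["features"]
    if features in PACKAGES:
        naming, package, tokens = "packaging", PACKAGES[features], []
    else:
        naming, package = "legacy", None
        tokens = re.findall(r"[a-z]\d*", features)       # 'ik9o3s3' -> i, k9, o3, s3
    version = None
    if g["major"]:
        version = "%s.%s(%s)" % (g["major"], g["minor"], g["maint"])
        if g["train"]:
            version += g["train"] + g["rebuild"]           # 122-15.T9 -> 12.2(15)T9
    return {
        "platform": g["platform"],
        "naming": naming,
        "package": package,
        "feature_tokens": tokens,
        "features": [LEGACY_FEATURES.get(t, "unknown (%s)" % t) for t in tokens],
        "crypto": "k9" in tokens or features.endswith("k9"),   # the flag an inventory usually keys on
        "memory": [MEMORY_FLAGS.get(c, "unknown (%s)" % c) for c in g["mem"]],
        "version": version,
    }


if __name__ == "__main__":
    for n in ("c2600-ik9o3s3-mz.122-15.T9.bin", "c3845-ipbase-mz.123-11.T7.bin", "c2600-advsecurityk9-mz"):
        print(n, decode_image_name(n))
```

Feeding it the output of `show version` across a fleet gives you platform, feature set and the 12.2(15)T9-style version string in one place, which is what you need when matching routers against an advisory.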