Monday, February 8, 2010

Bonded T1s

This is just a quick blog today since we're all pretty busy these past few weeks, preparing for certification exams.

Anyway, this is how you configure two full T1s whenever you need extra bandwidth but do not need a full or fractional DS3. This is way cheaper than a fractional DS3.

Note: This router is using two WIC-1DSU-T1-V2 cards.

interface s0/0/0
service-module t1 timeslots 1-24
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface s0/1/0
service-module t1 timeslots 1-24
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface multilink 1
ip address 1.1.1.1 255.255.255.252
ppp multilink
ppp multilink group 1

Hope you learn something today. See you next time!

"I know nothing except the fact of my ignorance" - Socrates

Thursday, February 4, 2010

Don't be like this guy

I had lunch with my mentor (I am working for a different department once a week) and a consultant guy who used to work in the same department as my mentor. Let's name them so it'll be easier for me to tell the story. The mentor is Morpheus and the consultant is Agent Smith. No, I haven't been watching the Matrix trilogy. Heck, to be honest, I forgot what the story is all about! c",)

From what I've heard, Agent Smith is pretty new in the industry and I believe that his first job in Cisco networking was his old position in our company. He's a CCNP and just recently passed his QoS exam (CCIP/CCVP). So the reason for this lunch was not to catch up with Morpheus; it was basically to discuss what they had encountered together that was unclear to Agent Smith, so he could better prepare for his upcoming interview. Of course, the conversation started with how are you, Morpheus introducing me to Agent Smith, etc., which was unrelated to the reason for the lunch. After ordering, they started talking about the problem they had encountered. I was just listening to them because I had no idea what the problem was. I listened to them discussing the problem and what the solution was. Apparently, one of the network ladies, let's call her Trinity, entered passive-interface vlan x under router eigrp and lost all the EIGRP neighbors. These routers were just in a test lab, so no production routers were harmed. By the way, Trinity was our shift lead in our department but does not really know sh!t. A lot of people from our department, including myself, were actually surprised that they hired her in that department! End of ranting. What the command does is outside the scope of this post, so try to research it if you do not know how it works. The command has a different effect on some routing protocols, so be careful using it.

Let's go back to the story, shall we? Well, Agent Smith was having a hard time understanding why there are some scenarios where they use the command and why in this particular scenario they had to take it out. According to Agent Smith, he understands what the command does on a regular interface but not on an SVI. Well, the behavior is pretty much the same. Morpheus tried his best to explain it to Agent Smith and probably almost gave up. Morpheus even asked me to try to explain it to him because he knew that I understand the concept well enough to try explaining why in some cases you need it and why in some cases you don't. That conversation probably lasted almost an hour before he finally got it; we sure hope so.

Here's the thing: Agent Smith is a CCNP, and a simple thing like this should've clicked right away. We have to assume that this guy used dumps to pass his CCNP because he just couldn't get our explanation. Another sign that he used dumps is that he left the company only about three weeks ago and passed his QoS exam. From what I've heard from Morpheus, he wasn't studying for that exam before he left the company. That said, he must be using dumps to pass the Cisco exams. While I don't condone using dumps, if you are ever going to use one, make sure you actually understand what was covered in the book.


Tuesday, January 26, 2010

Switch command

Another quick blog for me today. I just want to share with you something I learned from my BCMSN studies last year which I find very handy. Normally, what you will see on most access switch ports are the following commands:

switchport mode access
spanning-tree portfast

The commands above can be issued with a single command. These commands were first mentioned in this post. One caveat though: the command also disables the channel-group (EtherChannel) capability of the port, which doesn't really concern most network administrators, since these are access ports. Without further delay, the command that consolidates both commands is shown below:

switchport host

Once you've done that, make sure that you have spanning-tree bpduguard enable on all interfaces that are configured as portfast, or issue spanning-tree portfast bpduguard default in global configuration mode. This way, if someone accidentally plugs in a switch that is capable of sending BPDUs, the port is err-disabled and you'll be protected from the unwanted broadcast storm.

Written by: Andr01d

Sunday, January 24, 2010

Cisco VoIP - IOS image causing more trouble than it fixes

Just a quick blog about what we've been encountering these past few days. Apparently, we upgraded the code we had been running from 2800nm-adventerprisek9-mz.124-10.T2.bin to a newer one, 2800nm-adventerprisek9-mz.124-24.T2.bin. The new code pretty much screwed up the paging system in our remote sites. It affected a lot of the remote sites where we rolled out the newer code. So what is the problem? Well, when you dial the correct number or speed dial to pick up the paging system, the E&M (Ear and Mouth) card seizes the line and keeps it seized until you hang up the phone. However, with this newer code the line stays in the seized status even after you hang up the phone. It happens a lot with this newer code, so if your company has the same ingredients as ours, expect to have problems with it.

You may ask, why are you upgrading the code if the older code is just fine? Well, unfortunately, we also need to bounce (shut/no shut) the voice ports once in a while with the older code, since they get stuck as well. However, those trouble tickets don't pop up as often as with this newer code.

Just to give you some new commands to play with, below are the commands to check the status of the voice ports and to bounce them.

Router# sh voice port summ
                                           IN       OUT
PORT            CH SIG-TYPE     ADMIN OPER STATUS   STATUS   EC
=============== == ============ ===== ==== ======== ======== ==
0/1/0           -- e&m-imd      up    up   idle     seized   y

I omitted a lot of the information, but you'll see more if you have more than one VIC2-2E/M card installed. This command is very useful for checking the status of the voice ports; it is pretty much the equivalent of the show ip interface brief command.

To bounce the voice port, you issue the command below:

Router# config t
Router (config)# voice-port 0/1/0
Router (config-voiceport)# shut
Router (config-voiceport)# no shut

This is pretty much the same as bouncing a Serial or Fast Ethernet interface on your router.
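The two steps above (check the port status, then bounce whatever is stuck) can be scripted once you parse the summary output. The following is an added example, not code from the post: it parses show voice port summary output, compares two snapshots taken a few minutes apart so that a port legitimately seized during a page is not mistaken for a stuck one, and emits the shut/no shut lines from the post for the ports that stayed seized. The snapshot text is constructed to match the layout shown above; the port names and the FXS row are made up.

```python
"""Find E&M voice ports stuck in the seized state and build the bounce commands.

Added example, not from the blog post. The snapshots are constructed text in
the layout of 'show voice port summary'; the ports are made up.
"""
from collections import Counter

# Constructed snapshot: 0/1/0 is the stuck port, 0/1/1 is healthy, 0/2/0 is FXS.
SNAPSHOT_1 = """\
                                           IN       OUT
PORT            CH SIG-TYPE     ADMIN OPER STATUS   STATUS   EC
=============== == ============ ===== ==== ======== ======== ==
0/1/0           -- e&m-imd      up    up   idle     seized   y
0/1/1           -- e&m-imd      up    up   idle     idle     y
0/2/0           -- fxs-ls       up    dorm on-hook  idle     y
"""

# Second snapshot a few minutes later: 0/1/1 is now in use during a page,
# 0/1/0 is still seized, so only 0/1/0 is stuck.
SNAPSHOT_2 = SNAPSHOT_1.replace("idle     idle     y", "idle     seized   y")

FIELDS = ("port", "ch", "sig_type", "admin", "oper", "in_status", "out_status", "ec")


def parse_voice_port_summary(text):
    """Return one dict per data row; data rows start after the '====' separator."""
    rows, in_body = [], False
    for line in text.splitlines():
        if line.startswith("="):
            in_body = True
            continue
        if not in_body or not line.strip():
            continue
        values = line.split()
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected row layout: {line!r}")
        rows.append(dict(zip(FIELDS, values)))
    return rows


def stuck_ports(snapshots):
    """Ports whose OUT status is 'seized' in every snapshot.

    A single snapshot cannot tell a stuck port from one in use during a page,
    so the seized state must persist across all the snapshots given.
    """
    seized = Counter()
    for rows in snapshots:
        for row in rows:
            if row["out_status"] == "seized":
                seized[row["port"]] += 1
    return sorted(port for port, n in seized.items() if n == len(snapshots))


def bounce_commands(ports):
    """IOS lines to shut/no shut each stuck voice port, as shown on the page."""
    lines = ["configure terminal"]
    for port in ports:
        lines += [f"voice-port {port}", "shutdown", "no shutdown"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    stuck = stuck_ports([parse_voice_port_summary(SNAPSHOT_1),
                         parse_voice_port_summary(SNAPSHOT_2)])
    print("\n".join(bounce_commands(stuck)))
```

Feed it the output of the summary command captured twice (by hand, or by whatever you use to collect show output); the two-snapshot rule is the part that keeps it from bouncing a port somebody is actually paging through.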

Well, I hope you learn something from this post.

Written by: Andr01d

Aurora, DEP and you.



The “Aurora” exploit used to access Google’s private network to steal closely guarded source code reminded me of a healthy debate I had with one of our big customers last year, who claimed how "insecure" our application is according to their Anti-Virus vendor. So here we go, read and have fun. I have omitted the names of the parties involved for security purposes.


(Customer’s Security Admin First Name),

I just want to connect with you regarding the Buffer Overflow/Overrun error log you are encountering when using xxxx xxxxx Agent Bridge Integration. One of our developers did his homework and researched this feature of Xxxx, and found a lot of cases posted on the Internet by end users of the same product encountering a similar issue. I was able to confirm this by doing my own research; it was forwarded to you by my colleague xxxxx.

It seems that this security feature is not 100% compatible with all software. We should not be alarmed when we are getting this error message, since our application and xxxxxx.com are secure applications.

Disabling this feature to accommodate xxxxx application on your network will not expose your network to serious security breaches using the Buffer Overflow/Overrun method.

This exploit happens at the software or application layer, the applications being xxxx Agent and xxxx Bridge. Those are two separate applications, with separate code. The attacker needs to go through multiple layers of security before they can accomplish it (see below); unless someone is paying them to work on this, it will take tremendous man-hours to accomplish it.

Attacker>Network Layer>OS Layer>Application Layer

To start with, the attacker needs to have access to your local network to “sniff” this IP traffic. If your network has standard security policies in place, this will not happen. A well-placed firewall or even a simple router with Access Control Lists will mitigate this risk. Second, once your traffic hits the public Internet all the way to our servers, our server can detect and acknowledge if the packet has been altered or modified. We have security mechanisms built into our code to prevent this. Our servers will not reply to a client with an unusual type of request.

And also, every Windows operating system since Windows XP Service Pack 2 has a built-in Data Execution Prevention (DEP) security feature intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow. DEP was introduced in Windows XP Service Pack 2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later, Windows Vista, Windows Server 2008, and all newer versions of Windows.

Hope this clears things up. On a side note, a company’s business objectives should dictate a company’s security policy and not the other way around. In your case, if we let this Antivirus feature override xxxx and xxxx, we will not be able to help you with your business goals.

Let me know if there are questions.

Thanks,

Ron

This E-mail ended the healthy debate, and I was able to prove that:


- the Anti-virus they are using produces too many false positives with web-based applications.

- we secure the communication channels from the client to our servers; not sure how they secure their network.

- they are being paranoid of being "hacked"; probably watched too much Die Hard 4 and Matrix movies.

- business policies should dictate an organization's security policies, not the other way around.


(P.S. Remember, this E-mail was drafted and sent early last year, when Aurora was still unheard of.)



Thursday, January 21, 2010

IP address [secondary]

I'll give you a scenario that I recently learned how to solve. This will come in handy whenever you're re-addressing your network, which, by the way, sucks. I haven't done it just yet, but I know it is a tedious task. It requires a lot of coordination with a lot of departments (depending on your organization). The scenario we encountered was pretty similar to what I have below.



So what's the task? As mentioned earlier, we are trying to re-address everything here because the one who configured and sent these routers out failed to double-check the middle octets of the IP address. Fortunately, there were no hosts, yet, in this particular location, so issuing the [secondary] command was only temporary.

The question is, how do we re-address everything without any help locally? That's where the secondary IP address comes in. Basically, you can add a secondary IP address to an interface that is completely separate from the primary one. In this particular scenario, the correct network that needs to be used is 10.2.2.0/24. Now, our task is to maintain connectivity to all devices in the network so we don't need to send a tech out there to be our eyes and hands.

The running configurations for the devices are shown below.

Note: Only what is relevant to the task is shown below.

Current R1's running configuration:

interface g0/0
ip address 10.1.1.1 255.255.255.0

Current S1's running configuration:

interface vlan 1
ip address 10.1.1.100 255.255.255.0
!
ip default-gateway 10.1.1.1

Current S2's running configuration:

interface vlan 1
ip address 10.1.1.101 255.255.255.0
!
ip default-gateway 10.1.1.1

Current S3's running configuration:

interface vlan 1
ip address 10.1.1.102 255.255.255.0
!
ip default-gateway 10.1.1.1

To maintain connectivity to all these devices as we go through the re-addressing, we need to issue the command on the router, as shown below.

interface g0/0
ip address 10.2.2.1 255.255.255.0 secondary

Once the Gigabit interface has a secondary IP address, we can re-address the switches to the correct management IP addresses, with the default gateway pointing to the router's secondary IP address.

When you're done, you can just issue the command ip address 10.2.2.1 255.255.255.0 without the secondary keyword, and it should take out both ip address commands on the router interface. Beware though: when there are still nodes in the old network, you may need to leave everything the way it is until they change out their IP addresses, usually printers, servers, and what have you. When I say leave it the way it is, I mean don't issue the command above, because it'll delete the old network from the running configuration and those nodes will be down.
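The whole procedure (add the secondary on the router, move each switch and its gateway, then promote the new address to primary only when nothing is left on the old network) is easy to get wrong by hand when there are many devices, so here it is as a small planner. This is an added example, not code from the post: it takes the old and new networks, the router interface and the switch addresses from the page, keeps each device's host part (10.1.1.100 becomes 10.2.2.100), and produces the per-device command lists in the order they are applied. The remaining_old_hosts argument is an assumed input listing anything still living on the old network; when it is non-empty the planner refuses to emit the final cleanup, which is the caveat in the paragraph above.

```python
"""Plan the secondary-address re-addressing described in the post.

Added example, not the blog's own code. Device names, interfaces and
addresses come from the page; 'remaining_old_hosts' is an assumed input.
"""
import ipaddress


def translate(ip, old_net, new_net):
    """Move an address to the new network, keeping its host part (.1 stays .1)."""
    ip = ipaddress.ip_address(ip)
    if ip not in old_net:
        raise ValueError(f"{ip} is not in {old_net}")
    offset = int(ip) - int(old_net.network_address)
    return str(new_net.network_address + offset)


def plan_readdress(old_net, new_net, router_if, router_ip, switches,
                   remaining_old_hosts=()):
    """Return {device: [config lines]} in the order the steps are applied.

    Step 1 adds the new address as a secondary on the router so nothing loses
    its gateway; each switch is then moved; the router's old primary is
    replaced only when nothing is left on the old network.
    """
    old_net = ipaddress.ip_network(old_net)
    new_net = ipaddress.ip_network(new_net)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("old and new networks must have the same prefix length")
    mask = str(new_net.netmask)
    new_gw = translate(router_ip, old_net, new_net)

    plan = {"router_step1": [f"interface {router_if}",
                             f"ip address {new_gw} {mask} secondary"]}
    for name, ip in switches.items():
        plan[name] = ["interface vlan 1",
                      f"ip address {translate(ip, old_net, new_net)} {mask}",
                      "!",
                      f"ip default-gateway {new_gw}"]
    if remaining_old_hosts:
        # Removing the old primary now would cut these nodes off.
        plan["router_cleanup"] = [
            f"! keep {old_net} on {router_if}: still in use by "
            + ", ".join(remaining_old_hosts)]
    else:
        # Re-entering the address without 'secondary' promotes it to primary
        # and drops the old network, as described in the post.
        plan["router_cleanup"] = [f"interface {router_if}",
                                  f"ip address {new_gw} {mask}"]
    return plan


if __name__ == "__main__":
    plan = plan_readdress("10.1.1.0/24", "10.2.2.0/24", "g0/0", "10.1.1.1",
                          {"S1": "10.1.1.100", "S2": "10.1.1.101", "S3": "10.1.1.102"})
    for device, lines in plan.items():
        print(f"--- {device}")
        print("\n".join(lines))
```

The planner only writes out commands; pasting them in the right order (router first, cleanup last) is still on you, and the cleanup list is where you look before touching the router's primary address.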

There are other uses for the secondary IP address as you see fit. Another example is when you need to add a live network address, without users in it yet, to a test lab that needs real production IP addresses within a VLAN that is not being routed to the whole enterprise network. I am sure you can think of other uses once you're better than we are. :-) Let us know what else you come up with in your production network! We love to learn from you!

Written by: Andr01d

Wednesday, January 20, 2010

Catalyst Switch

I was configuring routers and switches and came across this Catalyst 2960G. This switch is a 48-port switch with four SFP (Small Form-factor Pluggable) ports, as you can see in the picture below.



So what's so special about this? Well, aside from having SFP ports, the way you configure these ports is different. On an ordinary port, you can just issue commands like speed 1000 and duplex full. With these ports, you need to specify which port you're going to be using: either the SFP or the RJ45 port. So on an ordinary port, you just issue the commands below:

interface g0/1
speed 1000
duplex full

While on the ports that share an SFP slot, you need to issue the commands below:

interface g0/45
media-type rj45
speed 1000
duplex full

So remember, if you come across this type of switch or something similar, make sure you use the media-type command, because you might just end up scratching your head when your trunk doesn't come up.
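All three configuration pitfalls on this page (a multilink member pointing at a bundle interface that does not exist, from the Bonded T1s post; a portfast port without BPDU guard, from the Switch command post; and a combo SFP/RJ45 port with speed and duplex set but no media-type, from this post) are the kind of thing a quick lint over the running config catches before the trunk or the bundle fails to come up. The following is an added example, not code from the blog: it splits an IOS config into interface stanzas and runs the three checks. The sample config is constructed (router and switch stanzas are mixed into one text for the demo, using the page's short interface names), and the set of dual-personality port names is an assumption about the 2960G in the post.

```python
"""Lint an IOS config for three pitfalls from the posts above (added example,
not the blog's code): a 'ppp multilink group N' member without a matching
'interface multilink N' (Bonded T1s), a portfast port (explicit or via the
'switchport host' macro) without BPDU guard (Switch command), and a
dual-personality SFP/RJ45 port setting speed/duplex without media-type
(Catalyst Switch). The sample config is constructed; router and switch
stanzas are mixed into one text for the demo."""
import re

# Assumption for the demo: the last four ports of the 48-port 2960G are the combo ports.
DUAL_PERSONALITY_PORTS = {"g0/45", "g0/46", "g0/47", "g0/48"}

SAMPLE_CONFIG = """\
interface s0/0/0
 service-module t1 timeslots 1-24
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface s0/1/0
 service-module t1 timeslots 1-24
 encapsulation ppp
 ppp multilink
 ppp multilink group 2
!
interface multilink 1
 ip address 1.1.1.1 255.255.255.252
 ppp multilink
 ppp multilink group 1
!
interface g0/1
 switchport host
!
interface g0/45
 speed 1000
 duplex full
"""

def normalize(name):
    """'multilink 1' and 'Multilink1' both become 'multilink1'."""
    return name.replace(" ", "").lower()

def parse_config(config):
    """Split a config into (top-level lines, {interface: [indented lines]})."""
    interfaces, top_level, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = normalize(line.split(None, 1)[1])
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            top_level.append(line)
    return top_level, interfaces

def check_multilink(interfaces):
    """Every member link must point at a bundle interface that exists."""
    findings = []
    for name, lines in interfaces.items():
        for line in lines:
            m = re.fullmatch(r"ppp multilink group (\d+)", line)
            if m and not name.startswith("multilink"):
                bundle = "multilink" + m.group(1)
                if bundle not in interfaces:
                    findings.append(f"{name}: ppp multilink group {m.group(1)} but no interface {bundle}")
    return findings

def check_bpduguard(top_level, interfaces):
    """A portfast port without BPDU guard lets an accidental switch into the tree."""
    findings = []
    global_default = "spanning-tree portfast bpduguard default" in top_level
    for name, lines in interfaces.items():
        portfast = "spanning-tree portfast" in lines or "switchport host" in lines
        guarded = global_default or "spanning-tree bpduguard enable" in lines
        if portfast and not guarded:
            findings.append(f"{name}: portfast without BPDU guard")
    return findings

def check_media_type(interfaces):
    """Combo ports need media-type, or the link may never come up (see the post)."""
    findings = []
    for name, lines in interfaces.items():
        if name not in DUAL_PERSONALITY_PORTS:
            continue
        sets_phy = any(l.startswith(("speed ", "duplex ")) for l in lines)
        if sets_phy and not any(l.startswith("media-type ") for l in lines):
            findings.append(f"{name}: speed/duplex on a dual-personality port without media-type")
    return findings

def audit(config):
    top_level, interfaces = parse_config(config)
    return (check_multilink(interfaces) + check_bpduguard(top_level, interfaces)
            + check_media_type(interfaces))

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Point audit() at the text of show running-config; on a real switch the interface names will be the long form (GigabitEthernet0/45), so adjust DUAL_PERSONALITY_PORTS to match whatever your platform prints.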

Written by: Andr01d