Bandwidth-Bandits

Farewell

2011-10-22T17:32:00.000-07:00

Farewell my fellow IT geeks! As you probably have noticed, I haven't been logging in to post in the forum and I've already deleted my twitter account. I am not leaving IT and/or online scene. I will still be contributing to the online community but will be a different audience. I will be deleting all the contents that I've contributed here. Hopefully, it was helpful to you all. Thank you and farewell!

MRTG Graphing of VoIP Sessions on Cisco IP-to-IP Gateway

2010-12-03T10:16:00.000-08:00

Just a quick post. I would like to share this helpful PERL script created by Yasin Kaplan,especially to those who use MRTG as part of their daily network traffic monitoring task.

Cisco does not provide an OID for fetching number of VoIP sessions on an IP-to-IP Gateway. One way to plot number of VoIP sessions using MRTG is explained below. You need IOS version >= 12.4 on the Cisco gateway.

IOS command “show call leg active event -log” gives total number of call legs established on a Cisco gateway. Half of this number gives actual VoIP session s established on a Cisco IP-to-IP Gateway:

Cisco#show call leg active event-log
Total call-legs: 268

You can get updated number of sessions information periodically telnet into gateway. MRTG allows console output of shell or PERL scripts as data source in place of SNMP OIDs. Following PERL script can be used to get number of active call legs form a Cisco Gateway:

monitor# more /usr/local/bin/voip_sess.pl
#!/usr/bin/perl
use Net::Rsh;

my $mgw = $ARGV[0];

my $voip_sess;
my @greped;

$a=Net::Rsh->new();

@c=$a->rsh($mgw,"root","root","sh call leg act event-log");
@greped=grep(/^Total/, @c);

if ($greped[0] =~ m/Total call-legs: (\d+)/) {
$voip_sess = sprintf("%.0f", $1/2);
print "$voip_sess\n$voip_sess\n0\n0\n";
} else {
print "0\n0\n0\n0\n";}

You need to add following configuration to Cisco Gateway in order the gateway permit incoming
RCMD request:

ip rcmd rsh-enable
ip rcmd remote-host root 101 root enable
ip rcmd remote-username root
ip rcmd source-interface
!
access-list 101 remark **** RCMD Access Control ****
access-list 101 permit ip host 192.168.10.1 any

Finally add a profile to your “mrtg.cfg” script to read number of VoIP sessions. MRTG user must have necessary rights to run “voip_sess.pl” (chmod +x /usr/local/bin/voip_sess).

Target[Number_of_VoIP_Sessions]: `/usr/local/bin/voip_sess.pl 192.168.10.2`
MaxBytes[Number_of_VoIP_Sessions]: 500
YLegend[Number_of_VoIP_Sessions]: Active sessions
Options[Number_of_VoIP_Sessions]: growright, integer, gauge
Title[Number_of_VoIP_Sessions]: Number of Active VoIP Sessions (Cisco)
PageTop[Number_of_VoIP_Sessions]: < h1 >Number of Active VoIP Sessions
(Cisco)

< h1 >

Scripts are heaven-sent to make network administration tasks easier. Hope this helps.

Ron

Buying the right Stuff

2010-11-27T19:03:00.000-08:00

Buying the cheapest right stuff

So you want to have a home voice lab, that is cheap as much as possible?

I hope this short explanation would help you guys out there to decide what are the right equipments to buy.

The first equipment I acquired was 2 units of 2801 for the HQ, you don’t have to worry about the dsp because it has built in dsp and plug and play voice interface card, quite expensive and it cost me a lot

But I have to let go off my 1 unit 2801 so I could buy all the equipment I need to achieve my goal

I bought 2 units of 2611XM, and 1 unit 2621xm, >>> all of these cost me 1/3 price of the 2801.

Gateways

2801 gw (HQ) w/ fxo card

2 units 2611xm gw (Branch) w/ nm-hdv2 –t1 installed w/ pvdm, (borrowed it from a friend), fxo card

2621xm (pstn simulator) w/ nm-2v w/ fxo & fxs installed

2621xm and 2611xm doesn’t have built in dsp’s so you have to buy nm modules for voice

I prefer nm-hdv2 for the gateways (so you could add some pvdm’s cards)

H.323 and MGCP are the only protocol’s that you can simulate for the 2600xm series it does not support sip and sccp protocols. However I can simulate sip & sccp protocol thru my 2801 router

For the endpoints

7960g 2 units w/ poe inj.

7961 1 unit w/ poe inj.

3 host created in vmware with different lan cards and installed with ip communicator (my old pc), “to save some power consumption”

For the call processing

I bought highend pc installed with 64bit Operating system (so I could maximize the memory of the mobo) installed w/ dual lancards, additional lan cards would vary depending on the design you want , for me I used 3 lancards. run them in the vmware, I allocate 1 gig ram of memory every call manager even the Unified presence and cisco unity connection manager.

For the switch (network infrastructure)

2950 1 unit

The strategy is using a different vlan to every sites. in my design I used vlan 2 for the hq and vlan 3 & 4 for the branch

“To get through the hardest journey we need to take only one step at a time, but we must keep on stepping”

Owned because a control to provide Availability was not implemented correctly

2010-07-01T15:42:00.000-07:00

(This quick post assumes that the reader knows how to configure Cisco’s proprietary Hot Standby Routing Protocol or HSRP. If you don’t have a basic working knowledge with HSRP yet, please head to Cisco’s website for introductory documentation.)

Scenario:

R. Phoenix was hired by a startup company called Secure4Sure to see if he can circumvent their existing security policies in place in preparation for a 3rd party audit. Before the engagement, both parties were aware of the limitations of the security assessment. R. Phoenix agreed and signed documents, such as a Rule of Engagement (RoE) and a Non-Disclosure Agreement (NDA) document so everything is official and within boundaries.

On the first day, R. Phoenix used his social engineering skills and pretended to be an applicant for a network engineer position posted by the company on a famous job searching website. He handed over his fake ID and resume to the front desk personnel, and was immediately granted a day pass. Off he went to the office of the Senior Network guy for an interview. R. Phoenix immediately noticed the abundance of network cables lying around connected to the wall’s Ethernet port. Old network devices and other gadgets are present as well.

Noticing the lack of a water fountain on the area, R. Phoenix asked the Senior Network guy for a glass of water. The guy politely nodded, asked him to take a seat and went out of the room to get a glass of water. R. Phoenix quickly grabbed a tiny USB device tucked on his left shoe and immediately plugged it in on one of the wall Ethernet ports. He created a small program that automatically sniffs the traffic of an IP network and dumps the result as a text file on his tiny USB drive. It only took him 15 seconds to sniff the IP network; thanks to an unsecured wall Ethernet port.

R. Phoenix went over with the interview and the entire process. Shook hands with the interviewer, surrendered his guest day pass at the front desk, and went straight home. He immediately booted up his computer, launched his favorite packet sniffer program and started to conduct network analysis. He was smiling while scrolling around the packet capture because on his first day, he already has all the information he needed along with a solid plan on how to penetrate Secure4Sure’s network.

He simply saw a multicast traffic to 224.0.02 and he knew what to do next. "The menu for tomorrow is either Denial of Service (DoS) or a possible Man-in-the-Middle (MiTM) attack baby!" he said to himself.

And the rest of the events that unfolded are history.

HSRP multicast

No authentication enabled, default password (cisco)

Weak authentication in HSRP, non-default, plain-text password (test-1)

Lessons Learned:

This attack is nothing new. A clever social engineer can easily bypass all your policies and technical controls in place. If someone wants to gain access to your network given enough means, motive, and opportunities (MOM) they will gain access. A bonus to them is lousy configuration on a network device.

What happened with the scenario above is simple; they want high availability on their IP network and they implemented Cisco's HSRP without an acceptable authentication in place. Without an acceptable authentication in place, a rogue router can be inserted in the network to participate in exchange of HSRP traffic (MiTM). This router will be configured with the highest priority so it acts as the primary router in the HSRP network. Then all traffic can be sniffed from this rogue router that the bad guy has complete control.

Because their network traffic was sniffed, an HSRP packet was discovered containing no acceptable authenticaion in place. A bad guy can also forge packets to mess with the HSRP multicast packets; inducing a DoS attack to the network.

Using plain-text passwords for HSRP authentication will suffer the same fate. The solution is to use the command to enable MD5, so the password is hashed and not transmitted as plain text over the network. Hashing provides the elements of confidentiality and integrity.

An Ethernet port without a MAC-based authentication in place is another door of opportunity. The best thing to do is to shut down ports not in use.

Links below will help:

Hijacking HSRP
http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/

RFC 2281
http://www.ietf.org/rfc/rfc2281.txt

Cisco HSRP
http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html

Cisco HSRP MD5 Authentication
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gthsrpau.html

Man-in-the-middle Attack (MITM)
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Scapy
http://www.secdev.org/projects/scapy/

Means, motive and opportunity (US Criminal Law)
http://en.wikipedia.org/wiki/Means,_motive,_and_opportunity

Hope this helps, shout outs to the guys at Pauldotcom.com, the best security podcast in the planet!

Ron(guerilla7)
http://packetboyperseus.blogspot.com

Is your network ready for Cloud Computing?

2010-04-19T14:10:00.001-07:00

For an excellent primer in Cloud Computing, please go here:
http://en.wikipedia.org/wiki/Cloud_computing

One faithful Monday morning and late in the game of planning, your Boss suddenly changed his mind and decided to convert a new retail branch to 100% cloud-based applications. Microsoft Office software will be replaced by Google Apps. The Customer Relationship Management (CRM) Software will be Salesforce.com. And regular phones lines will be replaced by a Softphone-based Voice-over-IP (VoIP) solution, hosted by another Internet Telephony Service Provider (ITSP)somewhere in the Silicon Valley.

As the overall network and systems administrator for your company, you have all the reasons to panic because it will be entirely up to you (or your team if you the benefit and privilege of having people working under you) to make the deployment successful. Due to the unplanned change, the transition will be rough as hell, but its not impossible. Here's a couple of things you can do to overcome this stressful event in your IT life. So, throw away those gadgets and tech books for a while and pull-up a blank spreadsheet file on your PC (or Mac). It's time to put on your Project Manager Hat and take lead.

1. Initiate a emergency meeting with your Boss and the rest of management and discuss the following items according to the order of your preference:

A. The current security controls in effect needs to be adjusted and modifications approved.
- Review your Access Control Lists (ACL), IDS-IPS rules, HIPS, HIDS and overall Technical security policies to accommodate the new Port, Protocol and general traffic requirements of the new applications.
- Most hosted VoIP applications require opening of an entire range of ports rather than specific ports, think about that.
- Some cloud-based applications require either Java or ActiveX running on browsers, think about that as well.
- If your company process sensitive information such Credit Card transaction, medical services involving patient information and Personally Identifiable Information (PII) in general, stop and consult your company's legal department because your company might be bounded by PCI-DSS or HIPAA. If this is the case, Cloud Computing might not be suited for your company.

Your security rules will be a mess. But don't worry, you can adjust later. Remember, business goals should drive security policies, not the other way around.

B. Network bandwidth consumption will increase.
- Cloud Computing means all the applications are accessed from the Cloud, a.k.a. the Public Internet. You need to start gathering the bandwidth requirements per application that will be running on workstations inside your network.
- Prioritize Critical Applications, the best candidate is VoIP because VoIP is very sensitive to bandwidth changes, delay, jitter and packet loss. Unless you want your customer service agents or marketing agents to end up knocking at your door every minute because of robotic sounds, echoing and worst, dropped calls.
- Review the Baseline Network Performance of your network (if you have one) and start doing Math.
- Use simulators to at least measure how much traffic your network can handle by sending simulated VoIP traffic with the same CODEC (G711, G729, etc.) Choosing the same CODEC is vital in VoIP pre-deployment testing because each CODEC has a different bandwidth requirement. (G711 CODEC consumes 64kbps, G729 consumes 8kbps, etc.)
- Hopefully the simulators will help you gauge your bandwidth if you need to add a new T1 line, or a couple. I hope not.

C. Document, Document, Document.
- This is where your Project Management skills come in handy. You need to document all major things that have changed, implemented or modified if you want to keep your sanity once each application starts to fall apart. Or worst, your network starts to fall apart after making all those configuration adjustments to accommodate new web-based applications.

Throw away your gadgets and IT books for a while, that spreadsheet I asked you to create will be your personal friend for the initial 2 to 3 months of this project. Treat it as your personal diary where you log all configuration changes, target dates of installation, and all trouble tickets from those cloud-based application vendors.

Have fun playing in the clouds! And be safe.

Ron

TRACE then HEAD and GET

2010-02-28T05:27:00.000-08:00

In a networking job you'll always get into a situation wherein somebody's going to complain about not being able to browse a site or some specific sites. It could be customers of your company or even users within the organization. What do you do when this happens? typically you would browse them by yourself (hopefully your not behind a proxy), then you find out your are able to browse the site. You ask them what troubleshooting steps has been done; where you able to ping the site? have your tried to do an nslookup? changed dns servers? have you tried browsing by IP address? used a public proxy server? tried changing your IP address, etc etc..but most likely, 99% of the time you'll ask them to perform a traceroute to the website. Generally a traceroute will be your most effective troubleshooting tool in these scenarios. It's like the basic swiss knife of troubleshooting routing issues and the likes. Though i know of a bit better one called 'pathping' (Windows only) but most of the time a traceroute will do the work. You'll see every hop, latency on each hop, and the path towards the destination. Probably the best thing you have to keep in mind in using this is that it's only the forward path to the destination. You don't ever see the reverse path unless you do a trace the other way..from the destination to the source. To make that even more challenging is that reverse paths can vary per hop. Imagine that every router always has their own best way around the Internet, and it is normal that every hop/router on the traceroute will have a different path back to the source of the traceroute, and that you don't see unless there something wrong with the trace like a huge spike on the latency where its not expected to.

As a start, traceroutes have different types. They vary on which type of packet they use. These are the most common ones i know: UDP, TPC and ICMP based traceroutes. UDP is the default for Linux, ICMP is the one that's used in Windows and TCP is a another variant which comes by default in Linux but is available for Windows as well as a free download over the net. Now these variants are pretty straight forward. In Linux, the default traceroute uses UDP packets. Most of the time this is fine however there are times that you will encounter target machines that just don't respond to UDP. Honestly there are a lot of them out there!

$traceroute hostname/IP address

Another variant is the ICMP based traceroute. In windows this is the default however it is more known as 'tracert'. By the name ICMP you would immediately know that it uses PING or echo requests as it goes through each hop along the path. So typically if you can ping it then it would respond, with some rare exceptions ofcourse due to firewalls and security policies put in place by organizations.

in Linux:

$traceroute -I hostname/IP address

in Windows:

C:\>tracert hostname/IP address

So basic stuff isn't it? Yes but the trick is knowing how and when to use them. Now probably the best one that I myself prefer. The TCP traceroute almost always does the job when finding out if you can really reach a site. The problem with ICMP and UDP is that not all routers respond to these type of packets. Specially ICMP since most modems nowadays are distributed with ICMP replies disabled as an anti denial of service mechanism. Some do respond but will drop packets every certain interval to prevent against ping floods. Many of them are just turned off since by just turning it on makes you vulnerable to OS fingerprinting. Each OS vendor has their own little tweak on their TCP/IP stack making them identifiable from each other. Redhat has their own, Windows has their own so you know which is which. Therefore attackers would already have a clue on how to attack. Knowing what type of OS and which version is it then what programs are installed, all these would be very important information for hackers around the net. So watch out for that ICMP unless there's nothing really important on your machine and you don't really care. LOL

A lot of times you will see that traceroutes will stop just right before the target machine. Most people will think - Oops there's a problem, i'm not able to reach the site i'm trying to access. Maybe that's why i can't browse that website.

Trust me this isn't always the case. Most of the time the target machine just doesn't respond to your requests. Since your trying to access a website. . hmmm.
http. .which is TCP port 80, then it would just make sense if you will use TCP packets to probe if the websites http port is accessible.

$tcptraceroute hostname/IP address [80]

Specifying the port is optional. The default is 80 and you may specify other ports e.g. SMTP, FTP, and so on. You'll now then see the target machine respond since you know that it's listening on TCP port 80. Almost every time you'll see a traceroute complete by using this. But there are times that servers/routers are just so secure they just don't respond to anything! even TCP. Maybe due to TCP SYN attacks? who knows. The point is they just stay stealth mode:)

These are the times that you may want to access the server head on. Try telnetting into the server.

$telnet hostname/IP addess 80

Yes trying to get inside the server to make sure you can access it. For secured sites use port 443. Now if it tells you your connected then that's it you proved that you can access the site. But wait. .sometimes there are underlying issues we must not fall for. These are the times that you would like to mimic your browser and send some server requests just to make sure you are indeed able to download the webpages. Why even bother? I was able to access the site via command line.

Since your already in the server why not try to see if you are able to download the page.

$telnet www.somesite.com 80
Connected to www.somesite.com.
HEAD / HTTP/1.0
press Enter/Return twice!

Texts in bold are the ones you will type.

example:

Passing a HEAD command to the server is sending an http request to download a resource (in this case '/') without actually downloading it. HTTP/1.0 is telling the server its an HTTP 1.0 request. Press Enter to end the request then you may type in some optional request headers then press Enter again to end. In our example we didn't so we just press Enter twice.

note: If you get the code "200 OK" that means it's all good! Also notice that the server told us that its using HTTP 1.1, you may also make your request as HTTP1.1 by using 1.1 instead of 1.0. See how much stuff you can get by this? It even tells you what type of web server it's using and what version. ASP.NET and what version, useful stuff for some:)

To actually download the webpage then you issue the GET command.

$telnet www.somesite.com 80
Connected to www.somesite.com.
GET / HTTP/1.0
press Enter/Return twice!

This is like actually doing what your browser is doing on the background when you're browsing a website. You will see the source of the page your trying to download by issuing this command. HTML stuff and javascript are common.

sample output:

All you will be able to catch really is just the end of the page because it just blurts it all out on you until it reaches that closing tag of the web page. But you wouldn't really mind because all that matters for us is to know its working!

Now question is why go all the way in doing this? Like what I said there are times that there are issues we do not see or might overlook. Doing these steps would make our troubleshooting much more concrete and will bring us to more accurate conclusions. What if there was an MTU issue along the path? How do you detect that? You send large pings as you can? Even if you do so on the direct gateway of the user its still not guaranteed he/she will be able to browse with the maximum mtu the end device is allowed to. Nothing beats the view from the source device so its always recommended to trust the tests more on their end rather than the tests you do from the middle of the network.

Now if there are routing issues everything i said in this post will be basically useless. Sometimes the source address can be blocked on the target site but that you will detect if traceroutes and telnet fails.

Surprisingly there is always a huge chance the destinaton hop would not be seen in a traceroute, but hey..as long as you are able to reach the last hop router then you can already guarantee there's no problem on your end. Remember that it's the last hop router's responsibility to route to that destination and that it must be a directly connected interface anyway so you're sure its going to route for that unless it's down. If it's not the last hop router then that's where you investigate for blocking or routing issues.

So then watch out for those browsing issues as they're always gonna be around. Understanding how they work and having the knowledge on how to troubleshoot them if they are not accessible through the browser will make things a lot easier for you:)

FAQs (Frequently Asked Questions)

2010-02-22T17:14:00.000-08:00

Please feel free to add or let us know what you think that is wrong to this list by posting your comment below.

Q. How much are the Cisco exams?

CCNA
640-822 costs $125 each attempt.
640-816 costs $125 each attempt.
640-802 (combination for ICND1 and ICND2) costs $250 each attempt.

CCDA/CCNP/CCNP Wireless/CCVP/CCSP/CCDP
64x-??? costs $150 each attempt.

Some people are saying that the new exams for CCNP will be $200 each attempt.

CCNA concentrations (Voice/Security/Wireless)

Exams costs $250 each attempt.

CCDE/CCIE exams

CCIE written exam costs $350 each attempt.
CCIE lab exam costs $1,400 each attempt.

CCA (Cisco Certified Architect) exam costs $15K each attempt.

Now, there are some countries that charge tax on top of exam prices.

Q. Do you know where to get cheaper voucher for the Cisco exams?

Yes, just go here between 25th - 31st of the month and you will see discounted vouchers. Though, they usually sell the 640-822/816 every single day for $120 but they do sell it cheaper than that during those days that I have mentioned above. There was a time where they were selling the voucher for $75, that's 40% off the original price! Just make sure you're buying the International voucher if you're outside USA/Canada.

Q. Do I need credit card to purchase the voucher?

If you buy it from Vue directly then yes. If you buy it from the site mentioned above then you have the option to pay credit card or PayPal.

In the Philippines, you can call the testing center and ask them to register for you. Once you arrived at the testing center, you can pay the exam fee by cash. Choosing this option will probably cost more than using your credit card.

Q. Is the site above legit?

Of course it is! I won't put it here if it wasn't legit. I have bought three vouchers from them and will continually do so for the next exams that I will be taking.

Q. Are you getting paid to advertise them?

We are not getting paid for this. We are just trying to help you save money!

Q. Where can I take CCNA exam?

Click here and it will tell you the answer. Now, if you're from the Philippines then there are some suggestions that I've read from the thread. MISnet (Makati City) and Database Wizard Inc. (Makati City) are the recommended testing centers.

Q. Can I reschedule my exam?

Yes, you can. If you register the exam from Vue's site then you can do it online. If not, then call the testing center at least 24 hours before your exam date and time or more just to be in the safe side.

Q. What do you recommend self study, CNAP (Cisco Network Academy Program), or bootcamp?

Team members of Bandwidth Bandits will have different opinion about this.

CNAP has its benefits. One of the benefits is access to real equipment and it is an instructor-led training. The materials that are posted from their website are laid out very well. Some, if not all, instructors have been teaching the material for so long so they know the material well enough. Another benefit is access to a special link to avail discounted Cisco Press books up to 45% off. Well, some people do not buy hardcopies anymore because of piracy so that is not a benefit for people that supports piracy. Another benefit is access to Packet Tracer application provided to students and alumni. Again, this may not be viewed as advantage because of piracy. Another benefit I can think of is the discounted voucher if you pass the lab exam. They will give you more than 50% off the exam price if you pass the lab exams. When I was enrolled in CNAP for CCNA, there were only two lab exams. These were easy exams if you've been doing your labs. These vouchers are only for CCNA by the way. Disadvantage of CNAP, it takes three to four semester to finish the CCNA curriculum.

Bootcamp is an instructor-led 5-day or 7-day training. They teach you the materials for short amount of time. You will also have access to real equipment to play with. Some companies will pay for this type of training because they are really expensive. Here in the USA, bootcamps price are ranging from $2K - $5K, depending on which subject. From what I have heard, bootcamps in the Philippines are cheaper than CNAP. Here in the USA, it is the other way around. Community colleges and even high schools are offering CNAP classes and range from $60 - $1K. Normally though, it is less than $300 for one class. When I took my CCNA 1 - 4 from CNAP, I paid about $200 for three semesters in California. When I took my BCMSN class last year here in Illinois, I paid almost $400 for the class. I would've paid almost $1K if I didn't know how to get the discounted rate. Disadvantage of bootcamp is the fast-paced training. Normally, you can't retain all that information crammed to your brain in such a short week.

Self study is the cheapest option out of the three. With what is happening to our world (recession) it is what most, if not all, people are doing. If you take this path, make sure to buy CBT Nuggets or Train Signal materials to help on some of the topics you may have a hard time with.

Q. Which school should I enroll to?

My friend went to Meralco Foundation and he seems to know his stuff. Some suggest University of the Philippines, Mapua, and DLSU. One of the team members of Bandwidth Bandits (Prime) suggests CNCTC.

Q. Which book should I get?

Any Cisco Press books is fine. However, I've been reading comments of other people that Todd Lammle's CCNA book is really good.

Q. What is the passing score in Cisco exams?

Well, you'll see it when you take the exam. It'll let you know how much points you need to accumulate to pass the exam. The maximum points that you can get is 1000. For CCNA, unless they change the passing score, it is 849 out of 1000.

Q. I want to build a home lab, what routers and switches do I need to buy?

Click here.

Q. I do not have money to spend for a home lab, what should I do?

You can use simulator. Boson is selling simulator. Some books come with simulator for free. You can use Packet Tracer. You can use GNS3 or Dynagen/Dynamips. These two require you to use Cisco IOS. To legally use an IOS, you need to buy the license. However, the EULA may state that you are only supposed to run it on Cisco hardware so it may be a violation.

Q. Who can teach me about subnetting?

Click here.

Q. How to check my subnetting answers?

Click here.

Q. I heard about CCNP changes, should I take the old curriculum or the new one?

If you can pass the exam(s) by July 31st then by all means take the old curriculum. However, make sure you pass the most important ones first, BSCI and BCMSN. These two exams will be counted towards the new CCNP curriculum. ONT and ISCW won't be counted at all. The new exams consists of ROUTE, SWITCH, and TSHOOT. More info here.

Q. How do I renew my Cisco certification(s)?

It really depends on which certification you're trying to renew. Please click here for more details.

Q. Do Cisco certifications expire?

Yes, every three years.

Q. I let my Cisco certification expired, how can I renew it?

Well, once it is expired then you won't be able to renew it, per se. You need to pass all the exams again starting from CCNA.

Q. I noticed that CCNA Voice is $250 and CVOICE is only $150, should I take CCNA Voice or straight to CVOICE?

I honestly think you should just skip CCNA Voice because of the price. Though, I suggest you to read the book because there are some information there that are important as a VoIP Engineer. Pass the CVOICE and you'll be CCNA Voice.

Q. What are the right combination for the CCNP exam?

BSCI + BCMSN + ONT + ISCW = CCNP <-- All exams should be passed by July 31st BSCI + BCMSN + TSHOOT = CCNP ROUTE + BCMSN + TSHOOT = CCNP BSCI + SWITCH + TSHOOT = CCNP ROUTE + SWITCH + TSHOOT = CCNP

Q. Where can I buy Cisco books?

You can buy them from Powerbooks, National Bookstore, or DataBlitz. You can also try ordering from Cisco Press or Amazon.

Let’s get physical!

2010-02-20T13:05:00.000-08:00

Let me start by saying that I do not hold any Cisco Certifications but I believe that I have the necessary experience in playing around with their devices to make this post.

Cisco networking devices has been the de-facto standard for small business to enterprise networks. It’s one of those devices where all you need to do is set it up for the first time securely, and it will continue to work as long as no one physically or virtually attacks it.

It has been a habit of mine to implement security in layers when building up networks from the ground up. My signature I guess will be a Master Lock, and it comes with a set of four. This is the first line of defense before you can access my rack or server cabinet. I usually rotate the four Master Locks randomly every two weeks, sometimes weekly. The randomness adds salt to the hash, like in cryptography. The cables are usually wrapped and inside EMI and RFI shielded pipes. No loose wires here man, and I make sure the contractors we hire to do our wiring signs a NDA for client infrastructure materials used during the buildup. Oh yes, we do have a couple of shielded walls as well, especially the ones around the server rack itself. This is for emission and transmission security for those nasty sniffers out there, like me.

Traditional CCTVS are all over the place of course. Most of the guys are migrating already to IP-Based CCTV’s but I find it inherently flawed when it comes to security simply because of one factor; it runs on IP.

(To be continued on next post. Need to go the San Francisco, Market Street, Old Navy is on sale, you can’t miss that  )

Aurora, DEP and you.

2010-01-24T00:16:00.000-08:00

The “Aurora” exploit used to access Google’s private network to steal closely-guarded source codes reminded me of a healthy debate I had with one of our big customers last year claiming how "insecure" our application is according to their Anti-Virus vendor. So here we go, read and have fun. I have omitted the names of the parties involved for security purposes.

(Customer’s Security Admin First Name),

I just want to connect with you regarding the Buffer Overflow/Overrun error log you are encountering when using xxxx xxxxx Agent Bridge Integration. One of our developers did his homework and researched on this feature of Xxxx and found a lot of cases posted on the Internet by end-users of the same product encountering a similar issue. I was able to confirm this by doing my own research; it was forwarded to you by my colleague xxxxx.

It seems that this security feature is not 100% compatible to all software. We should not be alarmed when we are getting this error message since our application and xxxxxx.com are secure applications.

Disabling this feature to accommodate xxxxx application on your network will not expose your network to serious security breaches using the Buffer Overflow/Overrun method.

This exploit happens at the software or application layer, the application being xxxx Agent and xxxx Bridge. Those are two separate applications, with separate codes. The attacker needs to go through multiple layers of security before they can accomplish it (see below), unless someone is paying them to work on this, it will take tremendous man hours to accomplish it.

Attacker>Network Layer>OS Layer>Application Layer

To start with, the attacker needs to be able to have an access on your local network to “sniff” this IP traffic. If your network has standard security policies in place, this will not happen. A well placed Firewall or even a simple Router with Access Control Lists will mitigate this risk. Second, once your traffic hits the Public Internet all the way to our servers, our server can detect and acknowledge if the packet has been altered or modified. We have security mechanisms in place built-in on our code to prevent this. Our servers will not reply to a client with an unusual type of request.

And also, every Windows Operating System since Windows XP Service Pack 2 has a built in Data Execution Prevention (DEP) security feature intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, DEP was introduced in Windows XP Service Pack 2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later,^[1] Windows Vista, and Windows Server 2008, and all newer versions of Windows.

Hope these clear things up. On a side-note, a company’s business objectives should dictate a company’s security policy and not the other way around. In your case, if we let this Antivirus feature override xxxx and xxxx, we will not be able to help you with your business goals.

Let me know if there are questions.

Thanks,

Ron

This E-mail ended the healthy debate and I was able to prove that:

- the Anti-virus they are using produces too many false-positives when using web-based applications.

- we secure communication channels from client to our servers, not sure how they secure their network.

- they are being paranoid of being "hacked"; probably watched too much Die Hard 4 and Matrix movies.

- business policies should dictate an organization's security policies, not the other way around.

(P.S. Remember, this E-mail was drafted and sent early last year, where Aurora is still unheard of.)

Some tips on getting the career that you want (Part 1)

2010-01-13T06:23:00.000-08:00

There isn't a really good formula in trying to get the career you really want. Sure, there are degrees offered by colleges/universities that is specifically aligned in certain career, but does not necessarily mean you're going to claim the job you saw from the job board. Unfortunately, more and more companies now are requiring candidates to have experience in the field of their choice before they can get a job. That means, you may start from the bottom of the IT field that isn't really what you want but can definitely get your foot in the door. I decided to give you some tips that may or may not work for you to get the IT job that you really want.

Look for a volunteer gig if you can afford to do it. If you're currently working in a non-IT or IT department that is not in the network pyramid then ask for more responsibilities from the bottom level of the network pyramid. There are companies out there that has a need of an extra body but do not have the resources to hire someone. Also, just because you work in a different department does not mean you're stuck doing what your duties and responsibilities are. If, for whatever reason, you are not allowed to take more responsibilities during your work week, then ask if you can volunteer your time outside your work week. Do not be afraid to ask questions. This is especially true if you're trying to add value to yourself in the company you work for and not just a headcount. Remember, everybody is expendable in every company. Adding value to yourself will make it less likely that you'll be let go by your employer.

Sometimes, it pays to be loyal to the company you work for. I've been working in this particular company, which I am not comfortable to mention the name but will give you a clue it is in the top 50 of Fortune 500, for several years. Held three positions (first position wasn't IT and the very bottom position in pyramid of the company's organization chart) and I am currently in the fourth one temporarily but can turn into a permanent position after the company is done restructuring, which basically means laying people off. Though, I am pretty sure that I am doing a great job because I've been in this department since January but I was working part time and was asked to become full time. I wouldn't be asked to become full time if I wasn't doing a good job right? Besides, I've already had a talk with my immediate manager and was told that he wants to keep me and the other guys that came after me that came from the same department that I was in. Though, out of the three that came after me, they've been in the industry for more than five years so I still feel pretty good. c",)

That goes back to my first point. I asked for a volunteer gig and they gave it to me. I could have asked them a lot sooner but I was in school and studying for more certs. I think it turned out to be a good thing because every week that I am with my teammate running around the campus for the project that we were doing, he was able to find things I am capable of, my potential, and had a lot of good things to say about me compared to some of my old and new teammates. He also gave a lot of good press to my new manager but I am pretty sure that he heard some good press from other people as well since I try to be known as much as possible in the company I work for. Obviously, I like the positive thing to get to his ears and not the bad thing. But, you know what they say though, bad news travels fast. I've made mistakes (only human) and it is possible that he had heard about it. But, one thing I have never done in our network and hopefully never is to cause an unexpected outage. That is a big NO-NO.

I like what Randy Pausch in his video The Last Lecture - definitely worth watching and probably reading the book. Once I finish all the Cisco certs that I want to get, I'll probably read the book.) said: "We cannot change the cards we are dealt, just how we play the hand." While, I haven't watched the video when I was thinking about my decision to volunteer my time, I guess I did pretty good because Randy Pausch was giving this lecture to people and I was able to come up with a solution to my "problem".

I've said this several times but I'll say it again. Expand your human network - sounds like a Cisco advertisement, right? I've seen it and heard stories that sometimes it is not what you know, but who you know that matters. Keep in touch to the people you know. They may have a position open in the company that they work for that may have an opening for a job that you may be qualified for. Even if you are not qualified sometimes a referral is always a preferrable way of many companies to hire someone. Why? Because a lot of times employees won't refer someone that he/she knows that will screw up his/her reputation. Will you refer someone that won't be effective for the job? I do not know about you, but I won't refer someone that will eventually ruin my name.

I hope that this post will help you to land a job that you really want in the future. I'll leave you guys with more quotes today.

"The day you stop learning is the day you start becoming obsolete." - Unknown

"Don't complain. Just work harder." - Randy Pausch

New technology should simplify things, not complicate them

2009-11-28T13:12:00.000-08:00

An old-school guy like me adheres to an old-school mantra on network and system administration: "If it 'ain't broke, don't fix it"

Rookie Netads and Sysads tend to be too excited when new technologies are available on the market. Under the impression that it will make their jobs and responsibilities easier, they jump to the bandwagon. First they sign up for a trial, then they extend the trial and eventually purchasing the product in the end. "Hey boss, this software/product will cut off costs and man-hours of working on _______ manually, blah, blah"

In other words, please buy this software for me. But sometimes we fail to put into consideration that introducing a new technology on our network most of the time tends to complicate things, especially in troubleshooting when problems start to surface.

There's this company based in the East Coast. They have a corporate size network, with a couple of WAN connections to connect to their regional offices and remote employees. Things were doing good until after they implemented redundancy across all routers and Layer 3 devices on their network. How ironic that they started experiencing major issues when they tried to implement a technology that address the availability of their network.

These guys implemented a technology that they fail to test first on at least half of the nodes/workstations on their network. They fell prey to the "herd mentality". Hey, customer ABC and XYZ are doing it, we should to, that type of herd mentality in IT. And hearing this directly coming from their "seasoned" IT Director saddens me.

Again, I am big fan of keeping things simple. A simple network consumes less resources in all aspects of your business or organization. From technical to administrative. If you want redundancy in your network, study the technology t first before implementing it. Try to look beyond brochures, case studies and white papers. Not all networks are the same despite what those "Best Practices" guide say.

Cofiguring ACLs on Huawei

2009-07-07T07:26:00.000-07:00

First of all, why ACLs? Did it have to be specific? Not really, it's just that I find configuring ACLs on Huawei a bit more complex or should I say. .structured. More complex in a sense that if you know how to configure ACLs on Cisco, you might find configuring it on Huawei a bit weird because it's kind of like the way route-map or a QoS policy is configured in Cisco. But don't get me wrong its not that hard, really, all I'm saying is that its pretty similar as to the way those are configured but it doesn't necessarily mean its hard. It only takes a little bit of time to understand the equivalents specially for guys who had their basics the Cisco way just like me.

Now if you're already good at Cisco ACLs then this might just be a piece of cake for you to understand. There's just a little bit more to it but its pretty easy to digest. First up, there's three new terms you would need to know – Traffic Classifier, Traffic Behavior & Traffic policy. Now let me introduce you to these terms (actually they're already the exact commands lol).

Traffic Classifier – This where we match/catch our traffic using our acl. Under this command we specify the acl no. we would like to filter

Traffic Behavior – Under this command we tell how our filtered traffic will be treated e.g. permit/deny.

Traffic Policy – As the name tells this will be our actual policy. You may think of this as a route-map or a QoS policy as I have mentioned. Under this command you will specify what traffic are we interested in and what are we going to do with it.

Does it all come together now? Yes we will calling the Traffic Classifier and Traffic Behavior we configured to basically tell our policy WHAT traffic are we going to look at and HOW are we going to treat it.

Now that we are already familiar with the terms lets get to know how ACLs are done. Its almost the same as in Cisco however with a few better syntaxes.

First create the ACL. Now in Cisco if standard ACLs are from 1-99, in Huawei they are 2000-2999. They are also termed as basic ACLs. And for extended ACLs which is 100-199 in Cisco, in Huawei its 3000-3999 and referred to as advanced ACLs. The command for these are as follows:

[Router]acl acl-number

As for our first example lets have a basic ACL. Under this command you may already start entering the ACL lines, or rules rather. The syntax will be:

rule rule-number {permit | deny} source source-ip source-mask destination destination-ip destination-mask

Lets say we would want to deny 110.100.174.0/24 and 110.100.175.0/25 from getting to a server 115.128.85.93.

acl 2100

rule 1 permit source 110.100.174.0 0.0.0.255 destination 115.128.85.93 0

rule 2 permit source 110.100.175.0 0.0.0.255 destination 115.128.85.93 0

Now notice how easy it is know what's going on with this ACL? The source and destination addresses are explicitly defined as compared to Cisco ACLs. And also there's a bit of difference when it comes to specifying a single host. In Cisco when its a single host then you specify the parameter host, and then its IP address. Here we specify the address then specify in its mask that it is a host but instead of putting in 0.0.0.0 instead you only put in 0 which is much shorter, to understand that its a host.

How about we make our example into an advanced ACL. Lets say we just want to deny ssh access to this server. Also let’s do some summarization just for example. The syntax would be as follows:

acl 3100

rule 1 permit tcp source 110.100.174.0 0.0.1.255 destination 115.128.85.93 0 destination-port eq 22

As you can see its not that hard to figure out. The options are well defined and you won’t go wrong unless you put in the wrong values or mistyped it. But look..haven’t you guys noticed? I’ve been putting in permit rules wherein the purpose of our ACL is to deny/block. This where the 3 commands we discussed earlier comes in. So to complete our configuration lets go through those one by one.

traffic classifier c300

if-match acl 3100

traffic behavior b300

deny

traffic policy p300

classifier c300 behavior b300

As you can see above we have configured traffic classifier c300 to match our acl (acl 3100). Please note that the words in italics (e.g.c300) are just names and I just labeled them for easy identification. For our traffic behavior b300 we specified it to deny. So whatever we match with this behavior will be blocked. Finally for our traffic policy p300 we called on our traffic classifier and traffic behavior to complete our overall policy. In essence, what this policy will do is DENY whatever is permitted or matched in our classifier, in this case c300 and so which ever interface we apply this to will start filtering traffic according to this policy.

So to finalize the whole configuration let's put them altogether and apply it to an interface, plus I'll show you how its done from that start!

Telnet into Huawei device

super

system-view

acl 3100

rule 1 permit tcp source 110.100.174.0 0.0.1.255 destination 115.128.85.93 0 destination-port eq 22

quit

traffic classifier c300

if-match acl 3100

traffic behavior b300

deny

traffic policy p300

classifier c300 behavior b300

quit

interface GigabitEthernet0/1/1

traffic-policy p300 inbound

return

save

Let me give you the equivalent of the unfamiliar commands here in Cisco

super – enable

system-view – config terminal

quit – exit

return – end

save - write

See? It's not that bad right? If you already know Cisco its not hard to learn Huawei or vice versa.

Note: There's actually an old way to this. Previously Huawei uses the same way how Cisco uses ACLs (the basic way) however in newer devices this is already the standard.

And does this configuration remind you of route-maps? Yes it did not take me that long to figure out ACLs in Huawei as they're not that far from the concepts which we have in Cisco. Yes I am aware of the controversy which happened between them but then its not really our problem. I guess one important thing to keep in mind here is that its not just a Cisco world out there. I am experiencing that first hand in my current company and really you got to be open into handling devices from other vendors and embracing this truth. We even have Linux routers to add to that and its running OSPF(Zebra), handling PPPoE sessions and all that. I'd be grinning if someday we'll eventually be ordering hardware from Juniper. Be a cross-platform Network Engineer if you can because you'll never know what you may encounter at work. Until my next topic hope you guys picked up something:)

IPv6 address types

2009-06-13T20:41:00.000-07:00

One of the topics to focus on in IPv6 is the addressing part, greatly because its a totally new addressing scheme. As compared to IPv4 which has 32 bits, the IPv6 address is 128 bits long and is in hexadecimal format (0-9 A-F) or four bits per digit.

0000:0000:0000:0000: 0000:0000:0000:0000

NOTE: In IPv6, due to the length of the address itself there were rules that were made to somehow shorten the address into a bit more human-readable format. These two rules are zero compression and leading zero compression.

zero compression - in case there are consecutive zeros within the address you may replace it by putting in double colons (::). However you can only do this once within an address as the device would have no way of determining how many zeros are there in each '::' theres is if there were more than one. For an example 2001:0005:0000:0000:0201:50FF:FE68:AF50 could be compressed as 2001:0005::0201:50FF:FE68:AF50. The zeros in between were omitted and was replaced by ::.

leading zero compression - for any leading zeros you can go ahead and exclude them to make the address a bit more shorter. However in case there are all zeros within colons you must leave at least one zero to specify that it is all zeros before that hex digit. Using our previous example our address would look like 2001:5:0:0:201:50FF:FE68:AF50.

We could use these two rules simultaneously. And therefore our fully compressed IPv6 address would be 2001:5::201:50FF:FE68:AF50.

One major difference also is there is no ‘class’ system here (class A, B, C, D). In IPv6, we more refer to them as types. Now lets go through them one by one.

Unicast Address – used for sending to one host or interface. Currently there are two types of IPv6 unicast addresses:

Global Unicast – formerly known as Global Aggregatable Unicast address but the ‘Aggregatable’ has now been omitted in the latest RFC. Global Unicast is equal to IPv4s public or Internet address. Knowing this we can understand that this address type will be the ones we use to communicate to the Internet. These addresses composes of the global routing prefix (as of today IANA is assigning numbers that starts with 2000::/3) plus the 64-bit Interface Identifier (EUI-64 format) which we will discuss later.

Link-Local Unicast – are the addresses our devices use to communicate with other nodes on the same local network even without a global unicast address. You may compare this type of address to the layer 2 address or data-link layer address we have in IPv4. Note that these address are autoconfigured on the interfaces using FE80::/10 prefix plus the EUI-64 format Interace Identifier, which again will be discussed later.

Anycast Address – an anycast address is a global unicast address assigned to two or more devices. Packets coming from nodes who wants to access this address will be routed to the closest active device with the anycast address. This is determined by the routing protocol metric or rather the router which receives this packet then routes to the closest one to it.

Multicast Address – a multicast address identifies a group of interfaces. Traffic sent to these addresses are sent to all of the interfaces in that group. Mulicast in IPv6 is not that different in IPv4, its just that in IPv6 only multicast exists. There is no such thing as broadcast in IPv6 (except for some that is specifically addressed to interfaces that maybe within one segment or layer 2 domain like in IPv4). Interfaces may belong to many multicast groups simultaneously. Multicast addresses are addresses that start with FF00::/8. All IPv6 multicast address are within this prefix and so when you see an address that starts with this you will know that this is an IPv6 Multicast address.

Now lets get to the Interface Identifier as promised. Knowing how this address is made is important as you don’t really get to configure this since this is autoconfigured already on the IPv6 enabled interface.

Interface Identifiers (IDs) – are addresses used to identify a unique interface on a link and are sometimes referred to as the ‘host portion’ of the IPv6 address. These address are 64-bits long and is can be dynamically created based on the data-link layer address of the interface. IPv6 Interface IDs are determined depending on the specific data-link layer type of interface there is. In this topic we will discussing Ethernet Interface IDs as this is what we commonly use almost everywhere (even on non-ethernet mediums). Now we can determine its ID based on its MAC address, using a format called Extended Universal Identifier 64-bit (EUI-64). The EUI-64 format Interface ID is derived from the 48-bit MAC address by inserting the hexadecimal digits FFFE between the Organizationally Unique Identifier (OUI), which is the upper three bytes, and the vendor code, which is the lower three bytes of the MAC address. I hope you guys could still remember your MAC addressing fundamentals back in the days because yes it back and used a lot in the IPv6 world. In addition to this the 7^th bit in the first byte in the resulting Interface ID, which is the Universal/Local (U/L) bit is always set to binary 1. The U/L bit indicates whether the Interface ID is locally unique on the link or universally (globally) unique. IDs derived from universally unique MAC addresses are assumed to be globally unique so no worries if your already using the Burn In Address of your Interfaces. The 8^th bit on the first byte then is the Individual/Group (I/G) bit for managing multicast groups, it is not altered.

As you can see in this example it is pretty easy to understand how an IPv6 Interface ID is composed. You just have to remember two steps. First insert FFFE in between the 48 bit MAC address (in between the two sets of three bytes or 24bits) and then the 7^th bit is set to 1. MAC addresses almost always starts with 00 as of yet (I haven’t seen one which isn’t or at least not that I can remember at this time) so you will always see this as ‘02’ (0000 0010).

Now going back to the Glocal Unicast and Link-Local Unicast where we used this Interface IDs. For Global Unicast for example we have a IPv6 public address assigned by APNIC 2001:1F14::/32 (/32s are assigned to ISPs). We now then assign a subnet to our main PoP the subnet 1 and assign a Network Access Server located there an IPv6 address. The server happens to have the MAC address of 00:53:07:2B:AE:09. Knowing this we now determine the Globally unique IPv6 address of this server. The public IPv6 address assigned to us with a subnet of 1 – 2001:1F14::1:, plus the EUI-64 format Interface Identifier derived from the MAC address of the device - 0253:07FF:FE2B:AE09. Our Global Unicast address for our server would be 2001:1F14::1:0253:07FF:FE2B:AE09/64. Now for our Link-Local address we only have to use FE80:: along with our Interface ID. We then now get FE80::0253:07FF:FE2B:AE09. Please note again that this is autogenerated (you will see that once you start assigning an IPv6 address on a router) and that you have to get use to these addresses as these addresses are the ones used by routing protocols for IPv6 e.g OSPFv3, RIPng & MP-BGP.

I hope you guys learned something new and I’ll probably post more topics about IPv6 if I find the time. Yes its been busy these days so it sort of feels good to be able to post a topic again. If you have any questions about this topic just post you may visit the forum.

VoIP Application Layer 1: The Packet Infrastructure

2009-05-26T16:19:00.000-07:00

Thinking of creating your own VoIP application Part II.
Layer 1: The Packet Infrastructure

Let's say I am Superman and I have X-ray vision. My goal is to look at the inner-workings of a VoIP application or clients like Skype, Yahoo Messenger and Five9 Virtual Contact Center (VCC) Agent.

Like Superman, my goal is to "see-through" this VoIP application because I need to investigate on something. Apparently, Lex Luthor, being a rich genius that he is, has managed to create his own secure VoIP client. Lex Luthor is using this VoIP client application to make calls to his henchmen. So its up to me to investigate on this, retrieve evidence and prove to that he is the mastermind.

If I was Superman, all I need to do is use my X-ray vision to see-through the VoIP application Lex Luthor is using. I will immediately see hundreds of lines of programming codes, specifically variables, commands, and on the networking side, what communication protocols and their corresponding ports this application is using to communicate over the Internet. Now that's interesting.

Luckily, we do not need to be a man of steel or someone who wears blue and red tights and fly around the city saving people and still look cool in the process. Thank goodness for protocol analyzers. It is the X-ray vision of us guys in the voice and data networking field.

Wireshark, (known as Ethereal from its early days) is one of the leading protocol analyzers out there, and its free. If you need to investigate the inner-workings of an application connected to a network, Wireshark is your answer. It is slowly becoming the tool of choice for network sniffers and VoIP phreakers, black hat or white hat. There's tons of things you can do with Wireshark once you have it installed and running on your network, but that is beyond the topic of this post.

For this post, I will refer and use Wireshark extensively to show to you what networking protocols and ports Five9 Agent VCC is using. Five9 Agent VCC is a VoIP client used by Call Center Agents around the globe in making and receiving calls. Five9 VCC Agent utilizes a Softphone feature, the dial pad and other telephone features are on the screen, just push the buttons you need. All you need is a reliable Internet connection, a USB headset with microphone and an account with Five9, and that's it.

(To be continued on next post)

Thinking of creating your own VoIP application?

2009-05-17T22:15:00.000-07:00

Voice-Over-Internet Protocol, a.k.a VoIP, was labeled as a disruptive technology during its infancy. Disruptive in a sense that it will have a massive effect on the current Telecom industry. There were even rumors that it will totally replace the traditional Public Switched Telephone Network (PSTN), or what Cisco-fellows commonly call as POTS for Plain-Old Telephone Service. My belief is that VoIP was and should be developed to work with PSTN, not make it obsolete. Using PSTN and VoIP technology together is even better.

Contrary to public notion, VoIP is not that new to Telecom providers or carriers. In fact, a lot of them has been using VoIP for years now. Carriers mostly use VoIP in transferring international calls and trunking with other major carriers around the globe. They still use Signaling System 7 or SS7 (SS7 is the standard signaling method/protocol of PSTN, which is digital as well) as the primary method of signaling for the majority of their calls, but a consumer doesn't know that sometimes, to cut costs and connect with other carriers faster, a specific international call made by a subscriber is routed using VoIP to connect to another country. Then once the call hits the terminating carrier, the call is then transformed and/or encoded back to analog, then routed using SS7 to the destination telephone number. This method has been saving carriers around the world thousands of dollars.

The beauty of VoIP communication on a technology level is you do not need a dedicated physical or virtual circuit, always reserved for a communication to take place. With IP technology, the voice traffic can use the current available bandwidth of a circuit, then make it open and available for other applications or traffic once the communication has ended. This has been made possible because of Time-Division Multiplexing (TDM) technology.

The current state of VoIP is amazing. Despite not yet being fully-mature in my opinion, hundreds of start-up companies are now offering top-notch carrier-grade, easy to setup VoIP technology. I for one uses Skype as my major tool of communication with my family in the Philippines. I am hoping that someday Skype will decide to make public their proprietary P2P Signaling Protocol that makes their Skype Video Chat light-years ahead with the current competition.

If you want to test this, go and make a video chat session using the latest version of Yahoo Messenger. Observe and compare the delay and quality of the audio and video. Now launch Skype, and you will immediately notice the difference. The WiFi latency inside our house in Manila averages between 190 to 250ms when pinging a US gateway, but this doesn't seem to have a big effect with the quality of my Skype Video Chat session. I live here in the Bay Area, using Comcast Cable Internet with basic 1024K up and 325K download. My laptops are hooked on wireless so I can blog even while I watch my roommates outside skating on our homemade half-pipe at our backyard. Skype is utilizing an excellent proprietary protocol for their signaling resulting in an excellent performance of their VoIP product.

If you are code geek, someone who can easily develop their own application using various programming languages, you will find it relatively easy to develop your own VoIP application.

So what makes up a VoIP application?

A conceptual model has been developed by various leading companies and developers in the VoIP industry. The Internet Engineering Task Force (IETF) is one of the major contributors for the success of VoIP because of the excellent Standardization and Drafts members contributed.

Remember the Open System Interconnect Model a.k.a. OSI Model? Traditional Data Network guys use this conceptual model as a guide in developing and troubleshooting applications and processes that are made for transferring data from one network to another, regardless of its geographical location. A computer network's primary function is to transfer data in form of packets or radio signals from point A to point B. Everything else is optional and for maintenance purposes.

A VoIP application in a nutshell is composed of 3 Layers:

Layer 3: Application
Layer 2: Call Control
Layer 1: Packet Infrastructure

Layer 1, the Packet Infrastructure in a nutshell would map to the Transport Layer, (Layer 4) of the OSI Model. On this layer, you define if your application will use TCP, UDP, RTP over UDP or a combination of the identified standard communication protocols for your VoIP application to establish communication channels to carry the signal and actual voice payload from source to receiver.

Layer 2, Call Control, or Signaling, is the layer where you define how your VoIP application will be able to establish a connection from source to destination. This is where you define if your VoIP application will be using the signaling standards such as Session Initiation Protocol (SIP), H.323, MeGaCo and others to name a few.

Layer 3, Application, defines the actual capabilities of your VoIP application. Features such as Call Waiting, 3-way conferencing, Hold Music, Voicemail and Click-to-Call functionalities are defined here. This is where you make your application unique and stand-out among other VoIP products.

Stay tuned and I will explain and breakdown the 3 Core Layers of VoIP in details on my next post. I will include sample applications and opensource source codes that developers out there can use as a guide in discovering the inner-works of a VoIP application. Just be sure to credit me if you were able to create a wonderful Skype-like proprietary VoIP application after reading this series of blog :-)

Reach for the sky!
Ron

Route Summarization – make your network scale

2009-05-17T08:32:00.000-07:00

Probably one of the most critical parts of deploying and maintaining a network is route summarization. Many of you may find this easy, may be in an ideal network yes, however it is never perfect out there in the real world. Even I would admit that the summarization of our IPv4 addresses is not that good, at least to a point that we know we coud do better, but its already there and its virtually impossible to re-address an ISP network. That is why, planning out your address scheme is very critical into having a fine tuned and well summarized network.

Route Summarization is defined as – the technique of grouping IP networks together to minimize advertisements.

Why is summarization important anyway? Here are some of the benefits you will get in a well summarized network.

Faster routing – the smaller the routing table you have, the better. When it comes to network performance, speed is the key. We must make our routing table smaller whenever we can as this will make our routers forward traffic faster and thus resulting into a faster, more efficient network.

Hides route information details – this is to simplify your routing process. This is the key scalable routing, taking a huge set of advertisements and reduce it down to a single(if possible) or a fewer set of advertisements. You guys may refer to this as ‘supernetting’ – consolidating smaller networks into one route entry that represents a bigger network. This is good for hiding unimportant details like flapping routes. Information as detailed as this may not be significant to the neighboring routers as they may not be able to do anything about it anyway.

Reduces router resources – summarization reduces resource consumption because you save processor times for calculating routing information and reduced memory utilization due to the reduced number of routes. This would also save on network capacity there would be fewer and smaller advertisements to send around the network.

Speeds up convergence – because router with fewer routing entries has less routes to process and routers will receive updates faster. This advantage may even tuned more and may just depend on the routing protocol you are using.

Now let’s get to an example. Lets say we have 3 routers., and Router A has the networks 112.89.0.0/24 through 112.89.13.0/24 and we will be summarizing routes to advertise to routers B and C. As you can see this is a class A range chopped down into smaller class C (/24) blocks and that the first 2 octects will be the same for each and every network either we put them down in decimal or in binary.

112.89.0.0 – 01110000.01011001.00000000.00000000

112.89.1.0 – 01110000.01011001.00000001.00000000

112.89.2.0 – 01110000.01011001.00000010.00000000

112.89.3.0 – 01110000.01011001.00000011.00000000

112.89.4.0 – 01110000.01011001.00000100.00000000

112.89.5.0 – 01110000.01011001.00000101.00000000

112.89.6.0 – 01110000.01011001.00000110.00000000

112.89.7.0 – 01110000.01011001.00000111.00000000

112.89.8.0 – 01110000.01011001.00001000.00000000

112.89.9.0 – 01110000.01011001.00001001.00000000

112.89.10.0 – 01110000.01011001.00001010.00000000

112.89.11.0 – 01110000.01011001.00001011.00000000

112.89.12.0 – 01110000.01011001.00001100.00000000

112.89.13.0 – 01110000.01011001.00001101.00000000

We just wrote down each network in binary and the next thing to do is to the number of bits that match on these networks. This will result into a single summary that includes all the routes.

Looking at our example we can see that all networks are identical upto the 20^th bit starting from the left. Therefore we could assume that we can summarize all these networks as 112.89.0.0/20 or 255.255.240.0. Now to check if we are correct we have to lay out the possible networks that this summary will include. The fastest way to achieve this is to simply put down in binary the first and last network within this summary route. The first network in the range will be put down as is in binary and the remaining bits will be turned on to determine the last network in the summarized range.

Using our example here is the binary to decimal conversion:

01110000.01011001.00000000.00000000 – 112.89.0.0/20

There we understand that the bits in bold are our network bits right? So we can only turn on bits upto the 24^th bit or the last bit in the octet were we are in (3^rd) and stop at that classful boundary. If all those remaining bits are turned on the result would be:

01110000.01011001.00001111.00000000 – 112.89.15.0/20

Based on the results, the range of 112.89.0.0/20 covers upto 112.89.15.0/20. What does this mean? Obviously this network summary summarized all our networks in Router A which is 112.89.0.0/24 through 112.89.13.0/24 however It also included 2 more networks, 112.89.14.0/24 and 112.89.15.0/24. This simply shows that we over summarized and that we actually included the networks that we are not even advertising. This is fine if we own these remaining networks and were to advertise them anyway in the future however if this isn’t the case we can’t just do that, specially in public IP routing because you can only advertise the range that was assigned to you and nothing more.

The next step would be to find the range in between wherein we can summarize properly without over summarizing. To find that out we just have to move our summarization 1 bit smaller. When I say this I mean we have to move 1 bit to the right and check upto which network we can summarize and stop there then move on to summarize the remaining networks that were left out.

Going back to our example we used a /20 mask and since we have to move 1 bit to the right we then have to use /21 as our mask. Let us check again to see the range of this mask.

01110000.01011001.00000000.00000000 – 112.89.0.0/21

Setting the remaining bits to 1 will result to:

01110000.01011001.00000111.00000000 – 112.89.7.0/21

Knowing this we determine that the networks that have the same matching bits is from 112.89.0.0 through 112.89.7.0 and thus can be summarized without over summarizing.

What happens now to the remaining networks? Ofcourse we start all over again and try to summarize what is left.

112.89.8.0 – 01110000.01011001.00001000.00000000

112.89.9.0 – 01110000.01011001.00001001.00000000

112.89.10.0 – 01110000.01011001.00001010.00000000

112.89.11.0 – 01110000.01011001.00001011.00000000

112.89.12.0 – 01110000.01011001.00001100.00000000

112.89.13.0 – 01110000.01011001.00001101.00000000

Looking at the remaining networks in binary we can see that we have the bits matched upto the 21^st bit. Will we over summarize if we use this mask? Lets find out.

01110000.01011001.00001000.00000000 – 112.89.8.0/21

Turning on the remaining bits will give:

01110000.01011001.00001111.00000000 – 112.89.15.0/21

It’s over summarized again and so then we try again and move 1 bit to the right.

01110000.01011001.00001000.00000000 – 112.89.8.0/22

Turning on the remaining bits will give:

01110000.01011001.00001011.00000000 – 112.89.11.0/22

The proper summarization then would be 112.89.88.0/22. The remaining networks will be just easy for you:)

112.89.12.0 – 01110000.01011001.00001100.00000000

112.89.13.0 – 01110000.01011001.00001101.00000000

The matching bits for these last 2 networks is upto the 23^rd bit. We actually don’t even have to check because obviously were already looking at the first and last network in the range. Therefore the last summary we have is 112.89.12.0/23.

In summarizing our networks we ended up with 3 summary routes. We weren’t able to advertise a single route but this the best we do and is way much better than advertising 14 individual class C networks.

Here’s what we our neighbors will get in their routing tables.

112.89.0.0/21

112.89.8.0/22

112.89.12.0/23

But then wait what if we say 112.89.14.0/22? Is that possible? Just for the sake of example let’s say a colleague of yours was being cocky and asked you wether this can be summarized or not on the spot. There is no way you would get a paper and convert these networks in binary. So the real question im trying to imply here is; Is there an easy way? Ofcourse there isJ But you still got to have a pretty good math to answer it quickly. For that we have to at least have an idea how much addresses are there in a summary or in a CIDR notation.

Here's the table for this. It shows the summary mask and how many addresses are there in that specific summary.

class C	/24	/23	/22	/21	/20	/19	/18	/17	/16
/24	1
/23	2	1
/22	4	2	1
/21	8	4	2	1
/20	16	8	4	2	1
/19	32	16	8	4	2	1
/18	64	32	16	8	4	2	1
/17	128	64	32	16	8	4	2	1
/16	256	128	64	32	16	8	4	2	1
class B	/16	/15	/14	/13	/12	/11	/10	/9	/8
/16	1
/15	2	1
/14	4	2	1
/13	8	4	2	1
/12	16	8	4	2	1
/11	32	16	8	4	2	1
/10	64	32	16	8	4	2	1
/9	128	64	32	16	8	4	2	1
/8	256	128	64	32	16	8	4	2	1

I had it illustrated as using class C and class B summaries as these are the most common

summarization on the internet. If ever you get the chance to see the Inernet routing table these CIDR notations are the most that you will see.

So how are we going to use this anyway? Going back to our example we have 112.89.14.0/22 and we want to determine of this is a proper summarization without converting it to binary or any long method. The trick is to know how many addresses are there within the range of the mask used. We have a /22 mask and looking at the table we can see that it is composed of 4 class C or /24 blocks and it could also consist of 2 /23 blocks. We then take the the number on the class C octet (3^rd octet) and divide it with how many class blocks we have for the given mask, in our case we’ll ofcourse try 4 class Cs first as this is the most number of class Cs. So 14 divided by 4 is equal to what? We have 3 but we still have a remainder of 2. What does this mean? It means we over summarized and cannot use the /22 mask therefore we move on then to the next possible divisor which is 2 which then equals to a 23 block or 2 /24 blocks. So 14 divided by 2 is equals to 7 and we don’t have any remainder. This just means that 112.89.14.0/23 is properly summarized network and this range consists of 2 class C blocks. To make it clearer lets check it on binary.

01110000.01011001.00001110.00000000 – 112.89.14.0/23

If we turn on the remaining bit, this range also includes:

01110000.01011001.00001111.00000000 – 112.89.15.0/23

So we were able answer the question by familiarization with how many addresses are there in a specified mask and simple division. We then were able to check and prove our answer using binary. Doing a lot more of these would actually make yourself much faster in route summarization. Not that you need to be fast but having to determine if a route is summarized correctly by a single glance will be an advantage. Having the ability to do so saves you time in preparing configurations for your routers or layer 3 switches.

Just some final tips before I end this topic. Having to know how to properly summarize routes is good but having to know how to use summarization on different routing protocols is a different story. Routing protocols behave differently when it comes to route summarization and this means that you may have to use different techniques in doing so. Not that there are other ways of summarization but on techniques to implement with your routing protocol. For example, summarization in OSPF can only be done on Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs). For EIGRP on the other hand, summarization can be done on the interface level and therefore gives you more flexibility on were to advertise your summary routes. You will be taking these things in consideration when planning and designing your network along with your addressing scheme.

One common practice you must always do along with summarizing your routes on a router is creating a route to Null 0 or better known as the bit bucket interface (blackhole). Because you are advertising a summary route, other routers on your network will send packets to any network within your summary route regardless wether that network is up or down. Your neighboring routers don’t know the status of that network as information such as that doesn’t even get to them. Remember that summary routes hides the detailed information for the specific networks within your summary route. This is because when you advertise a summary route you are basically saying “For all the addresses starting with ‘n’ bits, can be found behind me – do not worry about the details, just pass on the packets and leave the forwarding of your traffic to me”. If a packet gets to that router and the destination network or address happens to be down, it either gets dropped, or it will loop around until its time-to-live expires. So in order to be sure that traffic destined to unavailable networks get dropped we put in Null 0 routes to catch all those packets.

note: in EIGRP when you create a summary route it automatically creats a Null 0 route for that summary.

I hope this has been another informative topic and you guys learned something out of it.

How a Router makes routing decisions

2009-05-10T20:04:00.000-07:00

For my first post I want to talk about and tackle the basics on how a Cisco router makes routing decisions. Before that why is this important anyway? As to many network guys out there and a whole lot more who's planning to move into the field, to get a good seat on a stable job will require solid foundations and at least basic skills. I say this as you would never know when your evaluator would ask you questions that would relate to this topic and you couldn't answer later to find out its BASIC. When I say basic it doesn't mean it's easy, because sometimes it's the most basic things actually the we miss out during unexpected trouble or network downtime etc. So whether you're creating configs or troubleshooting your network it's always good to have a good grasp of the foundation knowledge.

There are 3 steps as to how a router 'routes'. Below is how it makes routing decisions
in sequence.

1. Selects the most specific route or the route with the longest prefix. When the router receives a packet it takes a look at the routing table and checks if it has a route to the destination of the packet. If there's only one route then it forwards it out right away, when there's more than one route it checks for the prefix length. For those of you who are not yet familiar what a prefix length is, to put it in simple words, it is how many bits are set on the subnet mask. So the longer the subnet mask is - which is also the same as the more specific the route is - the better. To understand better let me give you an example.

Lets say there are two routes to a destination. One is 206.15.45.0/24 and the other is 206.15.45.0/26. Now a packet comes in and is destined to 206.15.45.34, which route will the router use? We have two routes, one is a /24 which is in subnet mask notation reads 255.255.255.0, and then we got another one with a /26 mask, which converts to 255.255.255.192, which happens to be longer. This would mean that upon seeing those two routes, the router will choose the route with a longer prefix length - 206.15.45.0/26, because it is a more specific route and will most likely get the packet there with higher percentage over the more summarized route. You can think of it as a much more accurate path. I say that as that /24 route could be a summary route and has more specific networks behind it. If this is the case then we won't know whether those routes behind are up or down as to this is one of the advantages route summarization can do for us, not letting other routers know what they don't need to know. But that's completely a whole other topic so probably in another post. :)

But how about if both routes have the same prefix length? They could be both /24s or both /26s right? This is when the next step will come in.

2. Selects the route with a better AD. Now for those who are not yet familiar what an AD is, it stands for Administrative Distance. Some sources will say that it's the believability of a route, some say it's kind of a metric for routing protocols, but yeah you get the point by that. A router would choose to use a route over the other (if you have more than one route with the same prefixes) and choosing the one with the lower Administrative Distance. Each routing protocol has its own AD and even depending on what type of route it is. Below is the list of ADs for each protocol and for each route type for a protocol.

connected route 0
static route 1
EIGRP summary 5
BGP 20
Internal EIGRP 90
OSPF 110
IS-IS 115
RIP 120
ODR 160
External EIGRP 170
Internal BGP 200
Unknown/Unreachable 255

Note: I have not included those that I know are obsolete and does not exist anymore.

As you can see is a value from 0-255 where 255 is considered unreachable. The lower the AD is the better, and so this is the route which the router will choose to use. Let's say for example the same route as what we used in step #1 206.15.45.0/26 as an OSPF route, and then I hopped into the router and put in a static route for that the same route. Since a static route has an AD of 1 which happens to be lower than the AD of 90 for OSPF, the router would start using the static route.

There are ways to manipulate the AD for certain types of routes but one that I would like to point out
is the static route because it can be done in two common ways. First is to specifically set the AD for it. For example, to put in a static route you put in the below command under global config.

Router(config)#ip route 206.15.45.0 255.255.255.192 {next-hop | exit-interface} [AD]

This is the basic configuration for a static route. After specifying the next-hop IP address or exit interface you can specify an optional AD value for your static route. Most often this is manipulated due to the need of back-up routes. This is when you have a dynamic routing protocol in place and you would want to have a back-up static route just in case that dynamic routing fails. This static route is called a 'floating static' route as to what it does. It just stays there just in case the dynamic route fails. This is done by setting a higher AD for the static route than the dynamic route. In our example if we have an OSPF route and then we put in a static route with a higher AD than OSPF, the OSPF route will still be used because of its better AD.

Router(config)#router ospf 1
Router(config-router)#network 206.15.45.0 0.0.0.63 area 0
Router(config-router)#exit
Router(config#ip route 206.15.45.0 255.255.255.192 Serial1/0 115

The other way is setting the next-hop IP address or the exit-interface. For some network guys, it
could be just a matter of preference but you've got to know that there is a difference when setting a static route and using one over the other. A static route when you opt to use a next-hop IP sets its AD to 1. Of course this is expected because yes it is its default AD. However setting it to use an exit-interface rather than a next-hop IP will set consider it a directly connected route - assigning it an AD of 0. For some it doesn't matter, but there are certain network setups out there that may be sensitive enough for these kinds of configurations. In my experience I have found out that setting the next-hop IP address is a safer choice, not that the exit-interface is not good but it posed issues to our network when I did it lol. Well that's just based from experience and not discouraging everybody from using the exit-interface option. The only instance wherein I see exit-interfaces constantly in our network is on default-routes. Either of the two is good it just depends how you're going to use it and as long as it does'nt cause any outage or routing issues in your network:)

What if more than one route has the same AD?

3. Selects the route with the best metric. Routes with the same AD will most likely come from the same routing protocol. In this case comparing each route's metric is what the router will do next. This would just depend on which routing protocol is used as different routing protocols has different ways of finding the best path. For EIGRP for example it used the fastest way to get traffic to its destination. It calculates the best path including a secondary best path if there is (EIGRP is the only routing protocol that uses back-up routes). Below is the list on what metrics each routing protocol uses to determine the best path through a network.

RIP - distance-vector (hop-count)
EIGRP - distance-vector/hybrid (fastest path)
OSPF - link-state (shortest path)
IS-IS - link-state (shortest path)
BGP - path-vector (shortest AS-path by default)

Now as much as would like to give a good example for this step It would lean more towards to basics of routing protocols and thus be out of scope for this topic or even might be a little info-overload for some newbies. As I do post more topics I would probably explain more on the metrics of each of these routing protocols and how they do the whole routing thing:)

Lastly what if more than one route has the same metric? You bet it! it will load-balance, otherwise there will be a need for a 4th step:)

I hope you guys learned something or at least something new and more posts to come.