Wednesday, March 16, 2016

Shortening ACLs

 on  with No comments 
In ,  
There are two main ways of shortening ACLs and improving their readability or performance. As you know, ACLs can grow to include hundreds of ACEs and cover many pages when printed.  So any way of minimizing the number of ACEs present may be welcomed.   A shorter ACL will consume less flash memory in the form of the startup configuration, less RAM in the form of the running configuration, and less CPU utilization when a packet is eligible to be analyzed by the ACL.

The first method of shortening an ACL is by using CIDR to combine multiple ACEs into a single statement. This method is useful when combining multiple ACEs specifying networks. For example, if you have two statements in an ACL which allow 10.0.0.0/8 and 11.0.0.0/8 as such:

     access-list 1 permit 10.0.0.0 0.255.255.255
     access-list 1 permit 11.0.0.0 0.255.255.255


These two statements can be combined into the single statement 10.0.0.0/7 as such:

     access-list 1 permit 10.0.0.0 1.255.255.255

Anyone who has worked with routers and routing protocols will recognize this method as summarization.  In a properly designed network, multiple networks can be combined, or summarized, into a smaller number of networks for use in ACLs and other purposes such as routing protocols/routing tables. You ultimately strive to be able to summarize down to one network wherever you can.
The second method of reducing the size of ACLs falls into the category of what I would call stupid router tricks. It is accomplished by utilizing binary math to combine two statements into one. This method is useful when combining ACEs that specify individual hosts.  To use this method, first convert the two host addresses into binary.   Second, do a bitwise AND of these two binary numbers. The result of this AND operation will be used and the address of the combined ACE. Next, do a bitwise XOR of the original two binary numbers. This output of this operation will be used as the wildcard mask of the new combined ACE. For example, if an ACL contained the following statements:

     access-list 10 deny host 10.20.30.40
     access-list 10 deny host 40.30.20.10


The result of this operation would yield

     access-list 10 deny 8.20.20.8 34.0.10.34

While this operation results in ACLs whose meaning is not clear, reducing the number of deny or permit statements in half definitely helps in a routers memory, flash, and CPU utilization. 

Would you be interested in a long ACL with dozens of cryptic statements such as the above?
Share:

Tuesday, March 8, 2016

Would Anyone Like to Take a Survey?

 on  with No comments 
In , ,  
I'm looking for a little help for a research project. There are three sections to the survey, and I need answers for all three. You shouldn't spend even 5 minutes. I'll share the results of the study once the data has been analyzed

This study investigates the relationship between emotional intelligence and computer anxiety. In addition, this the study will further explore the extent that age moderates this relationship.

https://www.surveymonkey.com/r/VNDRXQF
Share:

Saturday, February 27, 2016

Buyer Beware

 on  with No comments 
In ,  
While looking over the profiles of people sending me friend requests on Facebook (if I've never said two words to you before, don't bother) I came across this page Cisco Training Online which is selling CCIE bootcamps.  Just for the heck of it, I scrolled down the page.  Besides the ads for their bootcamps, one image jumped out at me. It was labeled TCP/UDP Port Numbers, and it had a very familiar theme to it.  Yes, it is one of PacketLife's cheat sheets, but with the copyright information conveniently chopped off.



So out of curiosity, I kept scrolling down the page. Everything that was text, I put into Google.  I found material copied directly from networklessons.com, material copied from a very old Cisco Press book, and material from other blogs.  They're charging money I'm sure, but have they created any original content at all?   Yes, I commented on the above post, and I commented on many others as well.  I doubt my posts will still be there by the time you see this.

If you don't stick with the well known training companies (I think it's safe to say Narbik Kocharians and Keith Barker aren't stealing content), then be sure to investigate what you're paying for.  Don't pay someone to give you material that is not theirs.  And more important, don't pay someone to give you material that is freely available on the Internet.  A web browser can do that for you free of charge.
Share:

Sunday, February 21, 2016

Setting up the 2511 Part 2

 on  with No comments 
In , ,  
There is one more feature of the Cisco access servers that I do not see mentioned very often. Maybe it's been talked to death and I just missed it. But either way, I think is hugely important. That is the ability to telnet through it to the connected devices without ever actually appearing to touch the access server itself. In this post, I'll go over that briefly.

To recap, in the previous post, which can be found here, I set up the 2511 on my network with an address of 192.168.10.10/24 on the Ethernet interface and 192.168.254.1/24 on Loopback0. Connected to line 1 is a 2611 router with no connection to the local network. There is a serial connection between term1 and r1, but I have not really done anything with it.

To prepare for this setup, the local network needs to know how to reach the loopback interface of the terminal server. There are a couple of ways you can do this. You can set up a routing protocol between the terminal server and your home router (we are studying Cisco networking here right? So why not?), you can put a static route into you computer

route add 192.168.254.0 mask 255.255.255.0 192.168.10.10 /p

or you can put a static route into your home router. I have done all three of these at one time or another, and they all work fine. This time around, I elected to put a static route into my SonicWall (counting down the days until I can replace this piece) because it is the simplest way to achieve network connectivity from my entire network. With this static route in place, I can see from the output of a ping to 192.168.254.1 on my computer, it receives a ICMP redirect from the SonicWall, and then the pings are successful.

Now that the loopback on the terminal server is reachable from your PC, lets experiment and see how things work. First, I'll telnet directly into the terminal server as usual, and it still works as expected.



So what happens when we telnet to the IP address of the loopback interface?



Again, this is what I expected to happen. So now let's acutally use this terminal server for what it is. Let's telnet into it on a different port and see what happens.



Notice how this time we essentially connected to the console port of r1. The one thing to take note of is when you hit exit, you are not returned to the command prompt of your host OS, instead, it shows console port behavior.



And of course, hitting enter at this point drops you back at the r1> prompt. I'm not quite sure how I feel about this behavior yet, it's going to take a little getting used to.
Share:

Thursday, February 18, 2016

Setting up the Cisco 2511

 on  with No comments 
In , ,  
Racked up in my lab, I have more routers, switches, firewalls and access points than I care to count.  These devices are all in the basement, which is a place I don't necessarily want to set up shop when I'm labbing due do a number of reasons such as the temperature and the constant hum of the dehumidifier.  So when I'm upstairs, any oopsie that causes loss of connectivity would require another trip down the stairs.

So what to do?  That's where my trusty Cisco 2511 comes in. This device, like many other devices in my rack, was rescued from the recycling pile at work and is becoming one of my favorite items. The only complaint that I have so far is the slow speed of the device. It's a 2500, so everything from the boot time to even just logging in is way slower than a modern router. Since I'll be using a number of these devices shortly, I'm going to set up the 2511 now.

The Cisco 2509/2511/2512 router is what is known as a terminal server. This 2511 that I have has what appear to be two 68 pin SCSI connectors that are used to plug in Cisco's proprietary octal cables. These octal cables give you 8 RJ45 connectors to plug into the console ports of your other devices, making these console ports all accessible from the 2511, and therefore from anywhere that the 2511 can be reached. This would include my laptop while I sit on the couch in my living room, or anywhere else in the house that isn't the basement. The 2509 is the same as the 2511 except for the fact that it only has one 68 pin connector so it can therefore only connect to 8 devices. And then there is the 2509-RJ and 2511-RJ, which do not have the connectors for the octal cables, but instead have RJ45 jacks for use with rollover cables. Finally, there is the 2512, which is the same as a 2511 except for the fact that it has a DB9 Token Ring interface in place of the AUI Ethernet interface. If you don't want to put your faith into something as old as a 2500 series router (they were introduced in 1994 after all), there is also the NM-32A which contains 4 of these connectors and can be used in pretty much any router with an NM port.

So let's get started with the 2511. I've powered up the 2511 and an additional router connected to the first port of the octal cable. The AUI Port has an Ethernet transceiver connected to it ($5 or so on eBay), and this transceiver is connected to my switch with a standard Ethernet cable. This gives me a staggering 10Mbps half-duplex connection over the network. On my octal cables, there is a yellow plastic band near the RJ45 jack with numbers from 1 - 8, indicating which one is which. Since these two octal cables that I have are the only two that I've seen, I cannot confirm whether or not this is standard. The second router, a 2611, doesn't really have any configuration on it except for setting a host name for convenience in identification when it comes time to switch back and forth between the two devices.
The first thing we want to figure out is the line numbers that will be used by the connections. The command show line will give you this information.



Please excuse the formatting, I'm a networking guy not a web developer.

The TTY lines are what we're looking for here, and you'll see that on my router, they're conveniently numbered 1 - 16. Your mileage may vary if you're using an NM-32A and depending on which NM slot it's installed into. Note that in the column "Uses" you'll see a 1 for the first TTY line rather than a 0 as every other line has. The first TTY line is the one connected to my 2611 router.

Next I'll put a basic configuration on the device. I want it accessable on the network, and easily distinguished from the other router. And since this is my lab and not a production network, I'm looking for convenience rather than security here. Don't forget to set an enable password, otherwise it'll squawk that no password is set when you type enable. The IOS I have installed doesn't support SSH at all, so that will need to be addressed at some point.



Next, let's configure the the lines for reverse telnet. Cisco says "Reverse Telnet allows you to establish a Telnet connection out on the same device you telnet from, but on a different interface. For more information on Reverse Telnet refer to Managing Telnet Sessions.



We'll need a loopback interface with a usable IP address for reverse telnet purposes, and then we'll set up our devices. Starting with port 2001, the port numbers indicate which line that device is connected to. Where you see r1, r2, etc. are just the names I'll be using for these devices, name them as you wish though I highly suggest the names here match the hostnames of the devices. And finally, the IP address of the loopback.



Now that this is all set up, we can attempt to connect to r1. Simply type in the host name you've assigned to the device and it should connect momentarily.



Note the prompt showing that we are indeed connected to r1. At any time, you can press the escape sequence of Ctrl + Shift + 6 and then X in order to return back to the terminal server.

Once back at the terminal server, you can use the command show sessions to see the open sessions.



You can type 1 to return to the open session for r1, or you can type clear line 1 or disconnect session 1 in order to close the session.



Also note that besides the otcal cables, the 25xx access server is otherwise a functional 2500 series router, running up to IOS 12.3. The 2511 and 2512 have 2 syncronous serial ports, and the 2509 has one. They support all the same routing protocols and features as any other 2500 series router, so they can pull double duty as a backbone router in your topology. A lot of rack rentals do exactly this. So all in all, a rather useful device.

Should I exceed the 16 devices that I can manage through the 2511 (which I'm sure that I will eventually), I also have a couple Digi PortServer II 16-port terminal servers which I'll probably do a post on in the future.
Share:

Wednesday, February 10, 2016

ASA Liscense Woes

 on  with No comments 
In , ,  
This evening I was tasked with installing a PAK on an ASA 5512-X for a client.  Sales forwarded me the eDelivery Order Notification without event, I grabbed the serial number from the output of the "show version" command, and with a click on "Register Claim Certificates (PAKs)" within the email.  I already had this handy guide from one of my favorite blogs loaded up in my browser and figured I would be done in no time.

So where does the woe come in?  On the Cisco licensing page.  After clicking the link and then logging into the Cisco site, I was brought to the licensing page.  I selected the only outstanding item showing (the recently purchased license upgrade for the 5512-X), and clicked Proceed.  On the next page, it asked for the serial number of the unit.  As I had that handy already, I copied it and pasted it into the box.  Proceed remained grayed out.

After rereading the email, the output of show version and Pete's guide a couple more times, I was starting to think maybe the client would have to log in and enter everything into the licensing page under their account. So I tried one more thing before throwing in the towel for the night.  After clicking towards the end of the serial number box to ensure there were no stray spaces at the end, I hit enter for no particular reason. And wouldn't you know, the Proceed button became available, and after one more page, Cisco emailed me the new PAK which the firewall took with no problem.

I still can't complain as the entire process took me about 20 minutes, although well over half of it was spent wondering why the Proceed button was still grayed out.  Moral of the story: if you want me to press enter after I'm done entering something into the box, say so.
Share:

Saturday, January 23, 2016

Generating Test Users

 on  with No comments 
In , ,  
In setting up an Active Directory environment, you often need test users that are part of test groups and test Organizational Units. In a post at TechExams, Slowhand presents a script that will take a csv file containing names and departments of some dummy users, then creates an OU structure based on a couple of questions.  The users will be created based on the names in the file, and each user will be added into a group with the name of their department.  

Because I always subscribe to the theory of overkill, I used this site to generate a much longer list of names.  Tell it to generate 50 names, and then once they are generated, scroll down to the bottom and click List in text area, then you can copy/paste them out into a text file.  Run it as many times as you wish to generate longer lists. Don't forget to replace the space in between the first and last name with a comma, and then add another comma after the last name, followed by a department. They can all be the same department if you don't care to separate them.

Somehow this post was eaten, so I've rewritten it.
Share:

Saturday, January 16, 2016

Building the Domain

 on  with No comments 
In , ,  
Edit: This post has been updated with a new walkthrough as I changed my mind on a few things.   Most notably, I'll be working with a new isolated domain rather than a child domain off of my production domain.

In this post, I'll go through the steps of building an Active Directory domain.  I'll assume you already have Windows Server installed, a host name set and a static IP address assigned to the network interface.  Here, I'm using Windows Server 2016 Technical Preview 4, just because I want to kick the tires on the lastest bits.  The process should be pretty much the same in any other Technical Preview build or Server 2012/2012R2 but has changed vastly from Windows Server 2008R2 and earlier.  Server Manager is vastly different, and the dcpromo command is only there to process an answer file at this point, everything is done via Server Manager.

This is going to be a long post with a lot of screen shots.

When you log into the server, you'll see Server Manager pop up.  In the main field, you'll see common steps numbered from 1 - 5. We're looking for number 2, Add roles and features.


Next, it asks if you want to perform a role-based/feature-based installation, or a remote desktop services installation. Leave the default selected.



Next, you will be asked to select which server you wish to install roles or features on.  One of the nice additions to Server 2012 is the ability to manage multiple servers from a common instance of Server Manger. You can add additional servers to be managed in, and from here install roles and features on other servers in your environment. And if you install the latest Windows Management Framework for Server 2008 or Server 2008R2, you can manage those (although more limited) from Server 2012/2012R2 as well.

In this case, we're don't have a domain set up yet, so the local host should be the only server appearing on the list. Click Next.


Next, you'll want to tick the box next to Active Directory Domain Services.  A box will then pop up labeled Add Roles and Features wizard that informs you of any additional prerequisite roles and features for what you just selected for installation.  Click Add Feature to install these additional options.

Once you have Active Directory selected, do the same for DNS Server.  DNS is an integral part of Active Directory and simply cannot be left out. I've read conflicting reports on whether or not non-Windows DNS Servers can be used, but I've never gotten it working with recent versions of Windows Server if it is indeed still possible.  I'm not really studying advanced Windows Server topics, so I never kept at it.  Has anyone gotten it to work?

Select any other roles you care to install as well.

Here you can select various features to install if your server isn't going to be limited to a domain controller, but I'm not adding anything that hasn't already been automatically selected so I'm just clicking Next again.


Next you'll see this informational box on ADDS.  Feel free to read it, or don't, your call. Click Next.


Another similar box for DNS.  Again, read it or don't and click next.


Here is the final confirmation of what you've chosen to install, and a checkbox at the top selecting whether or not you want the server to reboot if required once the installation has completed, if necessary. Obviously for a production machine that is performing other tasks, you'll want to hold off until a scheduled maintenance window, but in the lab go ahead and let it reboot. Click Install when you're ready to let it begin.  Interestingly enough, this server didn't reboot after installing the Active Directory bits. 

One you let it begin, it's going to take some time to complete, especially if this is in a virtual machine so go ahead and grab a sandwich.



Once the roles and features have finished installing, note the yellow exclamation mark at the top of Server Manger trying to get your attention. If you click that, you'll see the following box indicating that your server is ready to be promoted to a domain controller. Click on "Promote this server to a domain controller" to begin.

The first thing that comes up will ask you about the environment. I'm building a new domain here and naming it firewallninja.info (clever, eh?), so I selected Add a new forest and entered the name.  Fill in the boxes appropriately for you, and then click next.  A bit of a wait here, and a command prompt comes and goes without warning. 



Next it will ask you some questions regarding this domain controller. The first is the FFL and DFL of the domain. Since this is a lab domain, I'm going to select the highest avaiable to ensure I have all the latest/greatest bits to experiment with.  We need to check off DNS and Global Catalog since its the first domain controller in the domain.  Finally, give it a DSRM password that you'll be able to remember. Or not, because in the lab you'll probably be better off just rolling back to a snapshot of this server than trying to fix an problem of the magnitude necessary to use Directory Service Restore Mode.


Next is the DNS Options. Nothing to change here as it is the first domain controller for the domain.


Next is the Additional Options, which consists of nothing more than the NetBIOS domain name. Whatever comes up as the default is fine because who uses NetBIOS anymore?


Next is the directory paths for various parts of Active Directory. Spread the love around to multiple spindels in production, but the defaults are fine in the lab.



Finally we have a summary of all the options selected. If this were a domain controller for an existing domain, you could click view script to get a PowerShell script to run on any additional servers you want to promote to domain controllers.  Click Next again.


Prerequisites will be checked here. There shouldn't be anything stopping you from proceeding at this point, but it will tell you if there is. The one warning is letting you know about a default cryptography option that is not best practice, but chosen for compatibility reasons.  This can be fixed in group policy later if you care to lock this setting down.

Click Install to begin the promotion.


The process will run for some time, and the server will reboot once it's done. The local administrator will be converted to the domain administrator once the process has completed.  There are no local user accounts on a domain controller.


Share:

Thursday, December 31, 2015

FreeCCNAWorkbook.com in Packet Tracer - Section 4

 on  with No comments 
In ,  
In this previous post, I began to look into working through the Free CCNA Workbook in Packet Tracer.  I had worked through the first three sections, and found that while there were some unsupported commands here and there, there was not anything missing that I would consider to be a show stopper so far.  So moving along, I have worked through Section 4 tonight and here's what I found. For reference, I am using the latest version of Packet Tracer for Linux available from the NetAcad website at the time of this writing, which is version 6.2.  Your results may vary on the Windows version, but I doubt it.

Share:

Wednesday, December 30, 2015

FreeCCNAWorkbook.com in Packet Tracer Through Section 3

 on  with No comments 
In ,  
I had a discussion with somebody on line a while back on the feasibility of working through the labs at freeccnaworkbook.com using Cisco Packet Tracer. After a little back and forth and a lot of thought on the matter, I decided to give it a try rather than continue to speculate. Since I haven't used the program in years, I logged into my NetAcad account and downloaded the latest version (6.2.0.0052) and installed it on my desktop. And no, I will not provide you with a copy, so don't bother asking.
Share: