Moving to IPv6 in the Lab

IPv6 is one of those technologies that I've been wanting to dig into further.  I know enough that I can get through the certification exam of the day with a little book time to refresh, but I don't know it well enough.  It's not something I've been avoiding, just something that I've kept putting off because something was more pressing, more interesting, or potentially more useful.  So there's no time like the present. Let's get started.

I began by reconfiguring the network to better align with all the blog posts and docs that I've read to date.  I originally had the 3750 doing the intraVLAN routing, but I decided to simplify and push everything out to the 2821 at the edge for now.  So the 2821 and 3750 are doing router on a stick.  There are 2 VLANs I'll be using (10 and 20 for now, additional VLANs are there but not IPv6 enabled yet), so the /60 Comcast is currently handing out that can be broken down into 16 /64's will suffice.  I think a lot of areas are getting more than a /60, but it's more than enough for now.

On the 2821, we'll start by enabling ipv6 routing.  Naturally, the commands are a bit different here and there.

ipv6 unicast-routing
ipv6 cef

Then on the outside interface, we'll pull our /60.  If your ISP is handing out bigger chunks, adjust your hint accordingly.

interface GigabitEthernet0/1
 ipv6 enable
 ipv6 address autoconfig default
 ipv6 dhcp client pd hint ::/60
 ipv6 dhcp client pd COMCAST

First we enable ipv6 on the interface and then pull a /60 and put it into a pool called COMCAST.  In a lot of other docs online, I see the addition of "ipv6 address dhcp" added on the outside interface as well.  But my router/IOS combination wouldn't take that command and it's working fine without it, so keep this in the back of your mind.

Next, we'll go onto the inside interfaces.  We'll set up the IPv6 addresses and have a little ROAS review here too.

interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ipv6 address COMCAST ::1/64
 ipv6 dhcp server COMCASTPOOL
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ipv6 address COMCAST ::2:0:0:0:1/64
 ipv6 dhcp server COMCASTPOOL

What we've done here is put the first /64 from the COMCAST pool onto VLAN 10, and the second /64 onto VLAN 20.  The next line on the interface sets up the dhcp options for the two VLANS.  The only options that I've currently configured are the DNS servers.  I'm actually using my own Domain Controllers (which is what you should use if you have them), but for here I'll put in Google's.  There's some timers that may need tweaked in regards to neighbor discovery, but that's a little beyond my understanding at this point.  I'll get into that at a later date.

ipv6 dhcp pool COMCASTPOOL
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844

So now we have full IPv6 connectivity on just about everything in the lab (for some reason, none of my Virtualbox guests can ping past their own Ethernet NIC, but that's a topic for another day).  I've disabled IPv4 completely on a test machine (Server 2008 Enterprise) and loaded up Yahoo.

So far so good.  We've got connectivity.  The NIC settings are shown to demonstrate that IPv4 is indeed disabled.

What's next?  I would like to move intraVLAN routing back down to the 3750 and have a single routed link between it and the 2821. Then I want to move the DHCPv6 functionality for each VLAN down to the domain controllers so I can manage all the IPv6 bits with Windows IPAM as I do now with the IPv4 bits.  And finally, I need to update the IOS on my 3750 to an image that supports IPv6, among other shortcomings I'm currently hampered by.

But first things first, I'm going to move my Hyper-V servers from Server 2012r2 to 2016 and finally get them into a failover cluster.  Between that and getting some shared storage together for the cluster should get me through a good section of the MCSA 2016 topics.

The Nation of Tokelau

Tokelau is a self-governing territory of New Zealand consisting of three coral atolls in the southern Pacific Ocean. It lies north of the Samoan Islands, east of Tuvala, south of the Phoenix Islands and northwest of the Cook Islands. It's believed that the islands were first settled approximately 1000 years ago. Tokelau is a free and democratic nation with no political parties, holding elections every 3 years. And Tokelau is the first 100% solar powered nation in the world.

So why the interest in this small group of islands in the Pacific?  Well, it's not the islands, the nation, or even the people per se that interest me, it's their ccTLD, .tk that I have recently become aware of.  Tokelau allows any individual to register a domain under this ccTLD, and with few restrictions (such as sexual, drug, hate and firearms content), users and small businesses may register any number of domains free of charge.  "Special" .tk domains, such as those containing the trademark domain names for most Fortune 500 companies must be purchased. Users may also opt to forward their web and email traffic.

The nation of Tokelau boasts a population of 1,499 as of the October 2016 census, good for 237th in the world.  What makes this small population most remarkable is the fact that more than 28 million domains have been registered under the .tk ccTLD.  According to a McAfee survey in 2006, .tk domains were twice as likely to be used for "unwanted behaviors" when compared to the global average. In 2010, the Anti-Phishing Working Group noted that 21.5% of all worldwide phishing originated from .tk domains.

So what does this mean for you?  Have you ever done legitimate business with a person or organization coming from a .tk domain?  I can't say that I have.  And other than the free domain registration (which hardly matters with what GoDaddy and other registrars are selling domains for these days), why would anyone want to register their domain with such a small, and otherwise unknown nation?  They claim to have rules, but are clearly not enforcing them. And how could they with 28 million domains and counting registered? As of right now, it's probably safe to just blacklist the entire .tk for now.

Thoughts on the CISSP

Saturday afternoon, I took the CISSP exam and passed.  Not only is this a sweet certification on my resume, it's the final requirement for my Masters degree.  So all in all, a pretty awesome weekend, even though it was quite stressful leading up with so much riding on this exam.

So the first thing that stands out on this exam is just how long it is.  250 questions long and by far the longest exam I've ever taken either for a certification or in academia.  I'm normally a fast test taker, and it still took me around 2.5 hours to complete.  I can't even imagine someone who is a slow test taker and up against the clock.

My road to success on this exam is not for everybody.  In 2008, I decided to use what I had left of GI Bill eligibility and make a career change into I.T.  Some of my earliest classes were infosec related, and I first read Shon Harris's incredible CISSP All-in-One Exam Guide somewhere in the neighborhood of 2009 as it was the textbook for a couple classes.  From there I went on to study Information Assurance at Eastern Michigan University, earning a Bachelors in 2012.  Many of these classes focused around CISSP topics.  Three years later I went back to Eastern to pursue a Masters degree, and many of these classes also focused on CISSP topics.  Everything from a class on Risk Management in my undergrad days, through graduate classes on Business Continuity and Incident Management recently.

For the capstone of my Masters program, I chose the option of taking this exam, and dedicated the semester to studying for it.  Over the course of the semester, I read Eric Conrad's CISSP Study Guide and Adam Gordon's Official Guide to the CISSP CBK, both on Books 24x7 (thanks EMU!).  I also watched a great video series on FedVTE (thanks government contracting position!).  I took it one domain at a time, first reading the chapter in Eric Conrad's book, watching the video, then reading the chapter in Adam Gordon's book, using each sources practice questions to gauge my progress before moving on to the next source.  Along the way, I kept notes on my strong and weak points of each domain (a learning log was a requirement of the class, otherwise I may not have) and spent the last couple weeks of the semester reviewing all the areas I wasn't comfortable with.

For anyone considering taking the exam, know that this isn't like your typical Cisco or Microsoft exam.  For those, you can almost always find a seat at a nearby testing center on the day you prefer to take your exam.  Not so with the CISSP.  In mid-February when I went to book the exam, I could find a couple seats in early March (way too soon!) or mid to late April, so I took it April 15.  My due date to present proof of passing was April 17, so there was no second chance.  So if you're up against the clock, either for work or school, book sooner than later.  I also ended up having to go with a testing center that was a little over an hour drive from my house, where as the one I normally go to is 15 minutes away.  I'm assuming it's the 6 hours you get for this, but there simply isn't a lot of available seats for this exam.  At least in early 2017 for the Detroit and Ann Arbor areas.

So no rest for the weary, its on to the next thing.  I'm initially leaning towards getting the "Upgrading Your Skills to MCSA: Windows Server 2016" knocked out now before Microsoft drops all the 2012 exams off of the list of available qualifications for partner status.  That wasn't a fun scramble when they dropped the 2008 exams.  Without school taking precedent in my mind, I probably won't take 6 to 9 months to prepare for a test this time.

Power On virtual machine stuck at 35%

Here's  just a quick little blurb about a problem I ran into this morning.  The cables for my SAS controller FINALLY arrived yesterday, so I installed them last night.  With the additional storage now available, I moved a couple VMs over to give the existing datastore some breathing room.

It's not a very intuitive process, you have to browse the datastore, right click on the folder containing the VMs files, and select move.  From there, you'd think ESXi would be smart enough to figure it all out, but you'd be wrong.  I had to remove the VM from inventory, then add it back in from it's new location.  But that's not the end of the fun, both of the ones I moved got stuck at 35% when powering them back on.

So here's what happened because you may not see the problem right away.  When I clicked on the summary for the VM (Not the default tab when you go to the VM in the vSphere client), you'll see a bright yellow box asking if you moved the VM or if you copied it because it knows you've done one or the other.  I selected "I Moved It," and then the VM's finished starting up without any further delay.

Free CISSP Resources

Because I'm currently focusing on the CISSP exam, I'm going to create a new list in the spirit of my most popular post so far, the Free CCNA Resources 2.0 list.  Because I want to share it with the rest of the class in my Masters Degree Capstone course, I'm going to go ahead and post it now while it's still a little rough around the edges.  With that being said, I will not include anything that is only freely available to Eastern Michigan University students or government employees and contractors.

It's going to be a living document, more so than my other resource lists.  A lot of these are coming right from a couple CISSP study guides I am using on Books 24/7, and a lot of these are coming from my own time spent on Google.

Unwanted Phone Calls Really Upset People

Like most people, I get an occasional call from an unknown number on my cell phone.  Most of the time I ignore it, especially if they're calling while I'm at work.  But if I'm bored, I may Google the number later.  And it seems like every time that I do, it's a different group of 5 or 6 "who calls me from" databases that show up in the top hits on Google.  It appears that the call I got was from someone trying to sell extended car warranties this time, but what really caught my eye was some of the comments regarding this number.  Aside from the atrocious spelling and grammar, there's some real gems. Also enjoy the DMCA notice from the web sheriff.