network


SonicWall has a rather nice VPN application called Global Client. What makes it nice is that it does most of the configuration jobs transparently to the user. And for the network administrator, setting up a VPN really is a one banana job.

The flip side of this is that it’s too easy to set up a VPN server with only Shared Secret authentication. This is all nice and fine if you have two or three VPN users but for any real installation, you really should authenticate the users individually. And if your real installation is based on Microsoft Windows, you probably have an Active Directory on the backline which already has all the users on it.

I’ve been handheld through one such installation and this is the attempt to get another one running, while blogging about the experience.

Prereq

The magic ingredient here is the RADIUS server (Remote Authentication Dial-In User Service). On Windows 2003, the RADIUS service is provided by the Internet Authentication Service, IAS. On Windows 2008 it’s a part of the Network Policy Server. SonicWall has a pretty decent techdoc about configuring RADIUS authentication on Windows Server 2003 but the 2008 implementation is left as an exercise to the reader.

If NPS isn’t installed yet, add it from Server manager –> Roles –> Add role.

The prerequisite step is to create a Windows Active Directory group of folks who will be granted VPN access using RADIUS authentication. While you could use All Users, you might be slipping in a few test users (username test, password test – i’m sure you don’t have any of those on your net, right?). So be a good sysadmin and create the group VPN users, then add users or groups there manually.

Now you can fire up the Internet Authentication Service or Network Policy Server.

RADIUS

The first step is to add a RADIUS client to the configuration. A RADIUS client is the box which uses RADIUS, not the end user itself, using the box. So in this case, we’ll add the Firewall as a RADIUS client.

On Windows 2003, right-click RADIUS Clients –> New RADIUS Client. On Windows 2008, RADIUS Clients and Servers –> RADIUS Clients (right-click) –> New RADIUS Client. Give it the Friendly Name “Firewall” and fill in the IP address. For this discussion, we’ll say the firewall lives at 192.168.42.1. The Client-Vendor can be set to RADIUS Standard. I don’t know if the SonicWall supports the Additional Options listed, so you can leave them blank.

Now type a fairly complex Shared Secret, which the RADIUS server and the firewall will share, into Notepad. You’ll need the same Shared Secret later.

Since you’ll probably want to test the connection, create a similar RADIUS Client for either your own PC if you happen to be on the local network at the time, or at some test server. Or at the RADIUS server itself, which means you’ll need to add a RADIUS client either for the local IP address or 127.0.0.1. I found a fairly decent, and non-cost RADIUS test client at IEA Software called Radlogin. The least i can do for the favour is to suggest you check out the client too.

The next step is to create a Remote Access Policy. On Windows 2003, right click Remote Access Policies –> New Remote Access Policy. On Windows 2008, it’s complicated. I’ll get to that in a paragraph or two.

If you’re still on 2003, a wizard appears. Name your new “Custom Policy” something like VPN Authentication. Now add the following Policy Condition: Windows-Groups is the group VPN Users you created in the prerequisite step above. As an extra measure, you can also demand that the NAS-IP-Address matches that of your firewall, eg 192.168.42.1. In that way you can use RADIUS for other fun things too. Click Next. Tick the radio button so that these users are Granted remote access permission. Next. Now you still need to Edit the Profile. On the Authentication tab, check all Authentication methods except Unauthenticated access. Unfortunately the current SonicWalls do not reliably use MS-CHAP2, which is a shame. We’ll even need to tick the trivially encrypted CHAP and the non-encrypted PAP. Not much for security, i know. On the Advanced tab, make sure you have the following attributes selected: Service-Type: Framed, and Framed-Protocol: PPP, both of vendor “RADIUS Standard”.

Phew. And now for Windows 2008.

NPS –> Policies –> Network Policies (right-click) –> New. This will also pop up a wizard. Give the Policy a name like VPN Authentication and set the Type of network access to Remote Access Server. Add the following Conditions: User Groups (or Windows Groups) must be the VPN Users group you selected above. Then scroll down down down the Conditions list and require that the RADIUS Client –> Client IPv4 Address is that of your firewall, for the very same reasons as above. Do that now or later when the test shows green lights. Next. Access Granted. Next. Select all the Less Secure Authentication Methods except the last two, Allow clients to connect without negotiating… and machine health check only. You can uncheck CHAP and PAP while you test the RADIUS authentication later from the firewall, as they are security holes.

Run Radlogin and test whether you get a response, Good or Bad, or whether you get a Timeout. A Timeout probably means that you haven’t got the RADIUS Client configured right on the NPS. A Bad response probably means that your Constraints are wrong.
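If you’d rather not install a test client, here is an added example (mine, not from the post, SonicWall or Microsoft) of what Radlogin does under the hood: it builds an RFC 2865 Access-Request with the PAP User-Password hiding that makes PAP “trivially encrypted”, sends it to the NPS, and verifies the Response Authenticator so a reply with the wrong shared secret shows up as unverified rather than Good. The server address, shared secret, user and NAS address are constructed placeholders.

```python
import hashlib
import os
import socket
import struct

# RADIUS packet codes and the attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 prescribes: pad to a multiple of
    16 bytes and XOR each block with MD5(secret + previous ciphertext block), the first
    block keyed by the Request Authenticator. 'Trivially encrypted' means exactly this:
    anyone holding the shared secret and the packet recovers the password."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what the RADIUS server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes too."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         ident: int, authenticator: bytes = b"") -> tuple:
    """Access-Request carrying the attributes the policy above conditions on."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + attribute(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends back: its authenticator is MD5 over the reply header, the
    Request Authenticator, the reply attributes and the shared secret (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_authenticator + attrs


def classify_response(response: bytes, request_authenticator: bytes, ident: int, secret: bytes) -> str:
    """Map a reply to the Good / Bad verdict a test client shows, refusing replies whose
    Response Authenticator does not verify (wrong shared secret, or not our server)."""
    if len(response) < 20:
        return "Bad"
    code, reply_ident, length = struct.unpack("!BBH", response[:4])
    if reply_ident != ident or not 20 <= length <= len(response):
        return "Bad"
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    if expected != response[4:20]:
        return "Unverified"
    return {ACCESS_ACCEPT: "Good", ACCESS_REJECT: "Bad"}.get(code, "Bad")


def radius_test(server: str, secret: bytes, username: str, password: str, nas_ip: str,
                port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request over UDP and report Good, Bad, Unverified or Timeout."""
    ident = os.urandom(1)[0]
    request, authenticator = build_access_request(username, password, secret, nas_ip, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "Timeout"  # usually: this host is not configured as a RADIUS client on the NPS
    return classify_response(reply, authenticator, ident, secret)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your NPS, Shared Secret and a VPN Users member.
    print(radius_test("192.0.2.10", b"example-shared-secret", "vpnuser", "correct horse", "192.168.42.1"))
```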

The Wall

Here’s a tip. Use anything but Internet Explorer to manage the SonicWall. It emits such buggy HTML code that it’s just hopelessly slow with IE.

I might be taking an extra step here because we also wanted RADIUS authentication to the firewall. In that case, you’re getting two settings at the price of one. Live with it and log on to the SonicWall admin interface.

As a safety measure, add a Local User to the firewall which we’ll also allow access in case the RADIUS server is in a twist. For this discussion, we’ll call this user Backdoor. Put Backdoor into the relevant groups (Firewall Admin). On the VPN Access tab, give Backdoor the appropriate networks (Firewalled subnets).

Then we want to create a group for VPN users. Thus, go to Users –> Local Groups (sic) and click Add Group. On the Settings tab, call your group VPN Users. On the Members tab, scroll down the left box and hopefully you should find the entry All RADIUS Users. Add it. Also add the Backdoor user we created above. Under the VPN Access tab, add whatever networks you see fit; LAN Subnets may be what you’re looking for. Edit the CFS policy if you (really) want to.

Now from Users –> Settings, set the Authentication method for login to RADIUS + Local and click the Configure button. What now probably happens is that you configure the global settings for the whole firewall, not just the VPN login. On the now popped-up RADIUS Configuration Settings tab, enter the name or IP address of your RADIUS server, the one you created half a page up. Find that Notepad page where you created the Shared Secret and paste it in the corresponding box. On the RADIUS Users tab, tick Local configuration only (yeah, beats me too) and select the VPN Users as the Default RADIUS group.

Final step, and now it’s time to take a deep breath. If you’re configuring this over a VPN connection, make sure you have a backup plan, because you’re now going to change the VPN access settings. Thus, go to VPN –> Settings. I’m assuming that you already have a WAN GroupVPN in place. Click the pencil icon to edit the entry. Switch to the Advanced tab. Check Require Authentication of VPN Clients via XAUTH and choose your previously created VPN Users group as the User Group. Also Enable NetBIOS Broadcasts while you’re at it.

Click OK.

Test your VPN settings. Breathe normally.

Extra sugar

For extra brownie points, you can configure firewall administration logins to be authenticated by RADIUS. From Network –> Interfaces –> LAN –> edit pencil, tick all relevant Management options and the HTTPS User Login checkbox. Voilà, RADIUS authentication to the firewall!

I wonder what we can authenticate next… :)


After having locked myself out from the graphical user interface goodness of the Cisco ASA, i needed to Set Things Straight again. Rebooting (or reloading in Cisco lingo) the firewall would of course only reload the firmware into the upgraded 8.0.x version which won’t let me in. The Cisco upgrade example documentation happily mentions that one can use TFTP to do the upgrading bit if the GUI seems too easy. Or unavailable.

But there’s a huge chasm between “you could do this” and “here’s how you do it”. So here’s how i did it.

0. Get the ASA and ASDM images from Cisco

I could write a whole rant about this because it’s a nightmare getting the software updates from Cisco. Why can’t they be like other vendors and just distribute the updates to the customers who have bought their hardware? Anyway, if you managed to lock yourself out with an ASA update, you probably have the ASDM software handy as well.

Trivial FTP

TFTP is not FTP. TFTP is a simpler file transfer protocol, joyously dubbed Trivial File Transfer Protocol. Windows comes with a TFTP client, but no server. Linux comes with both. And if you’re on a Mac, you already know more than i.

In this posting, i will assume you have ASDM 6.2.3 handy, and that it is saved as asdm-623.bin.

1. Locate a TFTP server software

I decided to get the Open TFTP server from Sourceforge. WinAgents has an Industry Strength TFTP server which has an installer package of 24 megs, which is a bit overkill for a one shot installation. Jounin.net has a nice and graphical tftp server i’ve used before, but i missed it when googling. The OpenTFTPd installer is only 173 kB which was nice.

Go get it.

2. Configure it

The Open TFTP Server installs in c:\Program Files (x86)\OpenTFTPServer by default, which is also where the configuration file OpenTFTPServerMT.ini is. To edit this, you need to have Admin privileges. I’m (still) on Vista, so i pushed the Windows button, wrote Command line, right clicked that on the Start menu and chose Run as Administrator. Yeah i know there was some meta-alt-shift-something to do the same thing but i’ve forgotten the chord. Now edit the ini file (notepad will do) and enter the directory where your ASDM image is under the section [HOME].

I also commented out (with #) all lines starting with an apostrophe, just to be sure there’d be no bugs.

2½. Know your IP address

Type ipconfig (and scroll up) to see what your IP address is. Mine is 10.10.42.4.

3. Run it

Run the RunAsStandAloneMT.bat file from the admin command line window. Running the .exe file from the command line will just ask you to unblock the TFTP service and exit. No fun.

4. Suck the image

If you haven’t got a terminal connection to the ASA, now’s the time. Connect that nice blue flat cable between your serial port and the ASA console. Use PuTTY (or whatever that terminal thingy that comes with Windows is called, if you must) and connect to COM1 with 9600 bps, 8-N-1.

Tap enter a few times, log on if you need, and enter the following magic words, remembering to breathe normally:

ena
tap your “enable password”
conf t
copy tftp://10.10.42.4/asdm-623.bin disk0:asdm-623.bin

At this stage the (dumb) ASA will ask you to confirm all the parameters you just entered, and then proceed to…

Accessing tftp://10.10.42.4/asdm-623.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (a lot of exclamation marks omitted here!)

Writing file disk0:/asdm-623.bin… !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (yeah)

Finally, type

asdm image disk0:/asdm-623.bin
wr

…whereby the firewall answers something along the lines of

Building configuration…
Cryptochecksum: 058305fa 13371597 acdcafb8 gabagaba

5368 bytes copied in 1.440 secs (5368 bytes/sec)
[OK]

Take a deep breath.

Write a blog post.

reload
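For the TFTP side of the procedure above, here is an added example of mine (not the post’s, and nothing to do with OpenTFTPd) of a minimal RFC 1350 read-only TFTP server in Python: it answers one read request, hands the image out in 512-byte DATA blocks with ACK/retry handling on a fresh port, refuses writes, and confines every filename to the serving directory so a stray “..” in a request cannot pull files from outside it. The root directory and port are parameters; port 69 needs admin rights, as the post notes for the ini file.

```python
import os
import socket
import struct

# TFTP opcodes (RFC 1350) and the fixed block size of the base protocol
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def parse_request(packet: bytes):
    """Decode an RRQ/WRQ: 2-byte opcode, then NUL-terminated filename and mode."""
    if len(packet) < 4:
        return None
    opcode = struct.unpack("!H", packet[:2])[0]
    fields = packet[2:].split(b"\x00")
    if opcode not in (RRQ, WRQ) or len(fields) < 2:
        return None
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def data_packet(block: int, payload: bytes) -> bytes:
    """DATA: opcode, 16-bit block number (wraps), up to 512 bytes of file."""
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def error_packet(code: int, message: str) -> bytes:
    """ERROR: opcode, error code, NUL-terminated text (1 = not found, 2 = access violation)."""
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\x00"


def parse_ack(packet: bytes):
    """Return the acknowledged block number, or None if this is not a well-formed ACK."""
    if len(packet) != 4 or struct.unpack("!H", packet[:2])[0] != ACK:
        return None
    return struct.unpack("!H", packet[2:])[0]


def split_blocks(data: bytes):
    """Yield (block number, payload); a final short (possibly empty) block ends the transfer."""
    number = 1
    for i in range(0, len(data), BLOCK_SIZE):
        yield number, data[i:i + BLOCK_SIZE]
        number += 1
    if len(data) % BLOCK_SIZE == 0:
        yield number, b""


def safe_path(root: str, filename: str):
    """Confine requests to the serving directory: reject '..' escapes and absolute paths."""
    real_root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(real_root, filename.lstrip("/\\")))
    if os.path.commonpath([full, real_root]) != real_root or not os.path.isfile(full):
        return None
    return full


def serve_one(root: str, bind: str = "0.0.0.0", port: int = 69,
              timeout: float = 5.0, retries: int = 3) -> bool:
    """Serve a single read request (all the one-shot ASA copy needs) on a fresh port
    per transfer, as the RFC requires. Returns True when the last block was acknowledged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((bind, port))
        packet, client = listener.recvfrom(1024)
    request = parse_request(packet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as transfer:
        transfer.settimeout(timeout)
        if request is None or request[0] != RRQ:
            transfer.sendto(error_packet(2, "Read-only server"), client)  # WRQ or malformed
            return False
        path = safe_path(root, request[1])
        if path is None:
            transfer.sendto(error_packet(1, "File not found"), client)
            return False
        with open(path, "rb") as fh:
            image = fh.read()
        for block, payload in split_blocks(image):
            for _attempt in range(retries):
                transfer.sendto(data_packet(block, payload), client)
                try:
                    reply, peer = transfer.recvfrom(1024)
                except socket.timeout:
                    continue  # resend the same block
                if peer == client and parse_ack(reply) == block & 0xFFFF:
                    break
            else:
                return False  # client gave up or never acknowledged
        return True


if __name__ == "__main__":
    # Constructed example: serve the directory holding asdm-623.bin once, then exit.
    serve_one(r"C:\tftp-root")
```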


Grrrr. Sometimes you should just go by your hunch. I was in the process of updating a Cisco ASA 5505 firewall from software version 7.x to 8.0 according to the instructions from Cisco, using the ASA management (”ASDM”) software that came on the firewall.

Versioning?

To confuse the novice firewall administrator, the ASA has one series of version numbers which has absolutely nothing in common with the ASDM version numbers.

Anyway, my ASA was at 7.2.4 going to 8.0.5 and my ASDM was on 5.2.4 and was eventually going to be upgraded to 6.2.3.

I was really wondering if the old ASA management software (”ASDM”) would be able to manage the newer ASA software, but the instructions were in the order of first upgrading the ASA software, then reboot, then upgrade the ASDM. So i follow the instructions, upgrade, select the proper boot image, reload, fire up the (old) ASDM and…

Boom. I’m stranded.

Now i can either make a careful guess on how to get to the right boot image using the command line or try and upgrade the ASDM image using TFTP. I really don’t fancy either option…

Anyway, here’s my humble suggestion if you want to upgrade your ASA: start with the ASDM. It Just Might Work™.


I had a very tense few hours with a customer’s server yesterday. The fact that it’s a Small Business Server and thus, the “Everything Server”, didn’t make things much better. I did two things, and both turned out to be bad. I also didn’t reboot between the two things, which turned bad into even worse.

One. I installed the new service pack, which is a Good Thing (generally), except when the computer hangs at “setting up, stage 3 of 3, 0% ready” and spins the little circle thingy for half an hour. At that stage the “please do not turn off your computer” becomes stressful to ignore. So i leaned on the power button, chose to restart in Safe mode and everything seemed okay. For a while.

Two. I changed the network adapter to traffic at 1 Gb/s full duplex. This turned out to be catastrophic. And i fully blame HP for this. After a reboot into normal mode, i had no network. At all. And i was not able to open the HP network interface control panel thingy, since the “management database” was locked. Not even netsh would help me this time.

After much stressful head scratching and beard tearing, i hypothesized that HP NIC management is grumpy because it was in fact plugged into a switch that only goes to 100 Mb/s. Yeah, i can appreciate that it can’t traffic with the wrong line speeds but that i can’t turn that setting off is criminal. If that indeed was the case. So i plugged the server’s NIC into a backline giga-Ether switch (yeah, you shouldn’t do that either) and rebooted. And hey presto, the “management database” was no longer locked.

Back to 100/full, plug the server where it belonged, and normality is restored. Just in time to go and fetch the kids. Sysadmin feat in true Hollywood style.

I just wonder what those HP engineers were thinking about.


Two or three weeks ago, our digibox gave up. Over its last months, it got slower and slower. The boot-up times became increasingly sluggish, and eventually it became so laggy that it couldn’t even record stuff anymore.

Digibox?

For those outside Finland, a digibox is what we call the “set top box” (which, in these times of thin television sets, resides under the set, not on top of it) which allows our analogue TVs to receive DVB television or, which is increasingly their job, record stuff. So in all essence, the modern day VCR.

I did two things. First, i backed up all essential stuff (mostly moomins [0]). Then i did a whole bunch of testing. Our digibox is a Linux appliance, a Maximum 8000 [1], so there were a few things i could figure out. I did a disk check, first on the device itself and then connected to my laptop. I tried running the box without an Ethernet connection. I formatted the disk’s partitions with the built in formatting tool and I re-installed the whole damn box with factory settings. Turned out that “formatting” it only removed the files, so using instructions on the Maximum discussion board, i really formatted the disk using a laptop. The box came back up but was just as sluggish. I even took it to a friend who has an identical box (sans problemos) and tried it there. But all to no avail.

Finally, i asked on Twitter what the best recording digibox out there would be. The answer was TVkaista.fi.

TVkaista is a service, basically “your VCR on the ‘net” with which you watch or download any program on the free-to-air stations in Finland. Legally [2]. A bit like the Hulus and BBC services that exist in the big world. All for a nice fee of 98 € a year. And with some reading of their news pages, i was able to subscribe to a free testing account. Not bad.

Turns out that there is hope for integration (ah! there’s that word again!) with TVkaista. On the pages for your recordings, you can “import to iTunes”. What happens is that iTunes connects to your recordings as a podcast. If you check out the properties of that podcast, there’s a regular URL to a regular RSS feed behind it. It just requires authentication, which wget can handle just fine.

The integration doesn’t stop there though. For a more hard core approach, i could apply some magick to the RSS feed and with that be able to download the full resolution shows instead of the iTunes-ely compressed ones. Or i could get the TVkaista-XBMC plugin and have the magick applied for me. Which would be nice. And if the plugin isn’t magick enough, i’ll just have to learn enough Python to improve it (oh the joys of open source :) ). Or – this just in — i could use the Boxee feed which uses Yahoo! Pipes magick. Whoa.

But i’m getting way ahead of myself. Right now the Asus Revo i’ve ordered for the project is sitting in customs, and has done so for nearly a week. Turns out you don’t have to pay customs duty for imported computers but you have to pay 22% VAT. I guess that’s what the customs are thinking about. Or then their department is just filled with imported computers waiting to become media centres.

If you’ve actually read this far, here’s an easter egg. Post a nice comment if you want a two weeks’ free TVkaista trial account from me!

More to follow.

[0] I never said they were essential to me :)

[1] the name, pretentious as a progressive concept double album

[2] OK, this has been disputed, but so far not actually deemed illegal.


I got a service call from our biggest customer on Sunday. The girl at the check in desk told me that she couldn’t get to the reservation system, so she couldn’t check customers in or out. She also could not open her email. And there was something about cooling equipment in the engine room that had failed.

That last bit worried me that a reboot of the workstation might not do the trick this time.

Last Sunday was also Fathers’ day. Not a good day for an emergency. I am happy that the call didn’t come before my kids had the chance to “wake me up” and deliver their congratulations and prezzies. They had really been waiting for it. In fact, i even had the time for a proper breakfast. But the rest of the day would seem to go to the dumps. My wife was also on duty call that weekend, and the kids and i were supposed to show up at my parents in law mid-day. Doom was impending.

I called the customer’s site security manager and got the news. There had been a power failure in a transformer a few blocks away. The on-site UPS was sucked dry, and the generators had failed to start. It was a cascade failure, and it was not good. But hey, they are a big customer. Maybe the servers would come back once power had been restored.

Power was back at about eleven-thirty. I did a bunch of phone calls to the customer’s different sites to ask whether their reservation systems were down or up, while the kids were growing louder. They were all dressed up and ready to leave and did an excellent job getting on each others’ nerves.

The reports from the sites were contradictory to say the least. The reservation system was up, no down, no it was up but now it’s not. Email was still down. And the lunch at the in-laws was about to start. So i gave them too a call and said that we’re going to be a few minutes late but that i’d probably have to set up a remote office at their place and do some phone calls and use my computer to take a remote connection to the customer. If all was really bad, i might have to skip lunch and visit the customer’s site, but the kids would be there anyway. And it surely wouldn’t take very long.

I felt the first grain of bad karma fall on me.

From my remote office, i was able to talk with the firewall, but the mail server didn’t respond to pings. And with the site manager on the phone suggesting that i should maybe stop mucking about with remote help and get my servicing arse over there instead, i concurred. Since i don’t have access to the servers’ ILO management system (which works even if the server is off and through which i could remotely switch on the server), i thought i might as well look good in the customers’ eyes and drive down town to push the damn power button and be back in time for dessert. Or coffee, if it was more than one server.

On the way down town, i had another chat with the customer’s IT manager and he decided he too would come to the disaster area. At the time, i thought it might be overkill. It’s probably just a flick of the switch on a server and we’re back up and running.

Boy i was wrong.

Things were a bit more silent in the engine room than usual. The air conditioning was okay, which was the first good bit of work related news for the day. We proceeded to fire up the servers. The domain controller was off. The file server was off. The mail server had hung, or it was off, or just b0rked. The intranet was down. The virtual server server (in lack of a better term) was off, and with it, the virtual servers. The disk array was on but one of the virtual servers could not connect to it. The reservation system was off for this site but up for another. The billing system, it turned out, was off. The orders printer in the kitchen was blown. The applications to operate and monitor telephone calls, wake-ups, keys and (oh!) the mini bars were off. Also, our management PC was off. And to top things off, the console thingy that one would operate half the servers with had suddenly decided that it wanted a password which nobody had. And all this was by no means apparent with a glance. Problems oozed in as others were solved. On site, three fathers: the site security chief, the IT manager, and me. How could things be better.

We started with the most critical systems. At this time, i had mobilized half of the Infra crew, most notably Niko who got the virtual servers and the disk array into order and Tero who was on a beach in Spain and remote-instructed us from there. Had it not been for their expertise, the customer’s systems would probably still be down. Soon, we had the check in system up, and the three systems that need to run in tandem (trindem?) to take care of billing were slowly coming back into operation. Email required an extra booting, but it also came back.

Seldom had i more wished for proper documentation of the system than now. An inventory of equipment and servers and how to get everything running, even for a guy like me who doesn’t spend most of his billable hours at this customer… would have saved the day.

At this time, lunch, dessert and coffee were but a sad memory. Each hour, i had to tell my wife that this won’t take much longer and we just need this one system back up, after which it turned out that that one system really is a whole bunch of subsystems that first need to be physically located to get into operation. I felt the bad karma pile up in massive quantities.

At this time i should probably tell you about the third server room on site. The first two ones are like proper server rooms. There’s loud air conditioning. There are a bit more monitors, cables, power supplies, cardboard boxes and junk lying around than there should be. There are racks with loud expensive technical equipment having lots of lights that blink. There’s a crapload of cables going in front of the boxes that blink most, so you can’t really access the equipment without a jungle machete or a lot of patience (the second option is preferred). Many of the servers are tightly crammed because at the time, nobody thought you really would need to get to the other side of the servers. Say, to plug in one of those bulky CRT monitors lying around because the console demands a password which, as i probably mentioned, nobody knew. And you couldn’t use remote desktop, because the stickers on the computers failed to mention the hostname or IP address of the box. And you would need to get to the computer to see if the apps on it are running. And just to really top it off, a few of the machines refused to start without a keyboard plugged in, and since the console was off-line because nobody knew of the password, it wasn’t considered a working keyboard, at least not by the computer.

Compared to the two main server rooms, the third server room is a mess. The non-techie people working around there use the room for ad-hoc storage of audiovisual equipment (speakers, cables, microphones, amps, cables, more cables…) and junk. I had to step around a cardboard box of miscellanea just to get into the room. A ghetto blaster was obstructing half of the entrance. A snake pit of cables was lying on the so called operator table, partly on top of and partly under the keyboard, mouse and KVM switch.

Above the operator table are a few shelves with servers. Well, actually they aren’t servers of the kind you would call servers. They are more like old workstations on server duty, in part because it’s cheaper that way and in part because nobody seems to know whether an application on one “server” will play nice with the application on another. Thus, there is one box per application. Per critical application, i might add, and that the workstations are five years old or more, and that they live in a crammed space on the second to top shelf in a room filled with snakes, audiovisual trash and a ghetto blaster. I really should have taken a picture.

Since nobody thought of it at installation time, the “servers” were not set to start automatically once they got power. In fact, this held true for nearly all computers, be they proper servers or workstations working as servers. And even if they had started, many of the critical applications still needed somebody to actually log in to the computer and start the application in question. Here, the computers were not part of any site-wide Windows domain, so we had to guess the passwords, just to keep things interesting.

It was a quarter past four when i headed back towards the remains of the fathers’ day reception. The other guests had looked after our kids who had been a bit confused on the non-presence of their father on that fathers’ day reception. I gave my kids a big hug, apologized to the company present, and hoped that i’d never have to see a computer again.

Boy was i wrong.


I have now personally shown that risen stress levels lead to lessened blogging. But that’s another story (as is all the stuff that’s happened since the last post) because i’m back on the ICND track, now on the second Interconnecting Cisco networking devices course. In my previous write-ups about the ICND, i know i’ve been rather messy. I’m mainly writing so that i can remind myself later what i’ve been learning. So my apologies for the incoherence. Here’s more of it.

If the ICND 1 was a mix of repetition and good tidbits, this course, at least judging from the first day, is drinking from the information fire hose. The fire hose, as you may guess, only has two settings: off and full, and this one’s been on full all day.

Today we had two topics: recap of ICND 1 and All About VLANs. Here are some unconnected bits. First…

ICND 1 in a nutshell

Cisco are taking into account that information can be stored in a myriad of places. Thus, you should specify if your storage is on the system, flash, tftp or anywhere else, and not just relying on the defaults. What used to be wr became copy running-config startup-config and now should be written copy system:running-config nvram:startup-config. Likewise, you should not type wrt when you mean show running-config.

A switch is a switch is a switch is either a Layer 2 switch or a Layer 3 switch (L2/L3). I absolutely need to recap the L2/L3 stuff so that it becomes second nature to me, otherwise things are going to go over my head a lot. On a multi-layer device, a switch port becomes an L2 port through the command switchport (short: sw) and an L3 port by issuing no switchport. An L2 “switchport” would be related to commands sw mode access and sw access vlan number, or sw mode trunk. Lots of that to come. An L3 “no switchport” would gain an ip address x.x.x.x m.m.m.m.

The Cisco (proprietary) Discovery Protocol or cdp will announce and gather information from neighbouring devices, which can be a Really Useful thing. On newer Cisco devices, the Logical (or Local?) Link Layer Discovery Protocol (LLDP) will do the same, but in a non-proprietary way.

To wake up a switch port, do this:

enable
conf t
int vlan 1
ip address aa.bb.cc.dd mm.aa.ss.kk
ip default-gateway n.n.n.n
no shutdown

The last bit is kind of funny. To enable the interface, you “un-shut-it-down”.

To factory reset a router, erase nvram:startup-config (or write erase) and reload.

To factory reset a switch, write erase (or delete config.text) then delete vlan.dat and finally reboot. If you don’t delete the vlan.dat file, the vlan information will be re-read when the machine reboots and you effectively don’t have a factory reset switch.

A Cisco device will try to translate typos into hostnames. To remove the name lookup service, assign a no ip domain lookup.

When you initially configure your device, you’ll receive a bunch of error messages because things just aren’t up yet. If you don’t want to read this stuff, issue a no logging console and remember to get logging back when you’re a bit closer to done.

To crack in to a switch, unplug the power, hold down the mode button when re-plugging the power. Wait for the switch to boot. Run load_helper, then delete flash:config.text and boot.

VLANs

Cisco knows of two VLAN technologies, the old ISL and the new dot1q. To activate VLAN (which you will), set a port to a VLAN port statically by conf t, int this-or-that and sw acc vlan n. Then set it to use dot1q. Check the documentation :)

A trunk port will forward traffic from multiple VLANs and is used to connect network equipment (switches and routers) together. An access port is used to connect “end equipment” such as PCs and printers to the net. An access port will only convey traffic of a single VLAN.

And this is where the Wizard Tools started to show. If you use dot1x RADIUS authentication, you can dynamically assign a port to a vlan. Nifty, but requires some black belt magic. Previously, Cisco pushed the (proprietary) VLAN Port Management Server (VPMS) but this is thankfully being phased out. /me likes open standards.

In a perfectly tuned VLAN network, all traffic is tagged to some VLAN. In reality, some stuff ain’t. This untagged network traffic is assigned to VLAN 1 and treated as “native” VLAN traffic. To increase security (including against the inadvertent wiping of all your VLAN data), you should set the native VLAN to another VLAN ID, such as 99. You can then route VLAN 99 into a black hole and voilà, there is security (if not a lot of functionality).
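To make the tagged/untagged distinction from the last two paragraphs concrete, here is an added example of mine (not the course’s or Cisco’s) that builds Ethernet frames with and without an 802.1Q tag, parses the tag back out, and models what an access or trunk port does with each: untagged frames on a trunk land in the native VLAN, so with native VLAN 99 left out of the allowed list they go nowhere. The MAC addresses and VLAN numbers are constructed, and the access-port rule (untagged frames only) is a simplification of this model, not a statement about any particular switch.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # dot1q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: str, src: str, payload: bytes, vlan=None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet II frame; with vlan set, insert a dot1q tag (TPID + TCI) after the MACs."""
    def mac(text: str) -> bytes:
        return bytes.fromhex(text.replace(":", ""))
    frame = mac(dst) + mac(src)
    if vlan is not None:
        # TCI: 3 bits priority, 1 bit DEI, 12 bits VLAN id; priority and DEI left at 0 here
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN id, real ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated dot1q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, mode: str, access_vlan: int = 1, native_vlan: int = 1,
                 allowed=None):
    """Which VLAN a received frame lands in on a 'trunk' or 'access' port (None = dropped).
    Untagged frames on a trunk are assigned to the native VLAN, which is why the notes above
    recommend moving it off VLAN 1 and black-holing it."""
    vlan = parse_frame(frame)["vlan"]
    if mode == "access":
        # Simplified model: an access port carries one VLAN and takes untagged frames only
        return access_vlan if vlan is None else None
    if mode != "trunk":
        raise ValueError("unknown port mode: %s" % mode)
    landed = native_vlan if vlan is None else vlan
    if allowed is not None and landed not in allowed:
        return None  # e.g. native VLAN 99 not in the allowed list: black-holed
    return landed


if __name__ == "__main__":
    # Constructed frames: one tagged for VLAN 10, one untagged, seen by a trunk with native VLAN 99
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"hello", vlan=10)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"hello")
    for name, frame in (("tagged", tagged), ("untagged", untagged)):
        print(name, "->", ingress_vlan(frame, "trunk", native_vlan=99, allowed={10, 20}))
```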

Cisco also uses the “native” VLAN in association with Voice over IP (VoIP). A Cisco VoIP phone has two Ethernet jacks; one’s an uplink to the network and the other goes to your PC (who the heck has only one PC on their table anyway? :) ). The VoIP stuff is tagged with a VVID (voice-something-id) which is kind of like a VLAN tag except that it isn’t. Thus, you can connect a VoIP phone and a PC to a regular, un-trunked switch access port.

More wizard tools: the VLAN Trunking Protocol (VTP) will announce the VLAN configuration to other VTP-enabled devices, as well as receive VLAN configuration. A VTP box can either be set as a server, a client or as transparent. A VTP Server can send and receive VTP updates, a VTP Client will receive them, and a Transparent box will only relay VTP configuration. A problem will arise if you plug a new switch into a network, since by default it will be a VTP server and may thus overwrite all other VTP boxes of the same VTP Domain — including a blank or non-assigned name — if the newly connected box’s update revision number happens to be higher than that on the rest of the network. For that reason, you should always set a VTP domain on your network if you’re going to use VTP. For starters, you may want to run vtp transparent and vtp client to reset the update revision number on the new box, then set the vtp domain to match your network. VTP messages are only relayed through trunk ports, not access ports.

VTP Pruning is another nifty feature: a switch (or a router, supposedly) running vtp pruning will not convey broadcast and multicast traffic down a port which it knows does not have the recipient VLAN connected to it. This is pretty much what a switch should do anyway, but now it does so on VLAN traffic too.

The next wizard tool is the Dynamic Trunking Protocol (DTP — and yes, it’s another Cisco-proprietary protocol). If you connect two Cisco boxes together, unless they are explicitly configured not to, they will exchange DTP information to see whether there’s a trunking port on the other side, and configure themselves accordingly. At least one side has to be configured switchport mode dynamic desirable, while the other can be set to switchport mode dynamic auto. Also, if the other side is set to sw mode trunk, a port set to dynamic desirable or dynamic trunk will be able to get the right settings.

Real Network Administrators will connect their switches and routers with multiple parallel network cables. In a normal world, this would lead to a network loop, a broadcast storm and the whole network coming to a screeching halt, melting all equipment connected to it. In the world of Real Network Administrators, such cables are grouped as an EtherChannel™ (ungh) for redundancy and, more importantly, throughput. 802.1Q trunks go well through EtherChannels, if properly administered by Real Network Administrators. So there.

Back to the basics of trunking. If you have a box capable of both VLAN standards, first set a switchport manually and statically to use only 802.1Q by saying sw trunk encapsulation dot1q. After that, you can set your port to switchport mode { access | dynamic { auto | desirable } | trunk }.
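The points made in the last few paragraphs (native VLAN left at 1, a VTP server with no domain set, DTP negotiation left on, trunks that never state their encapsulation) are easy to audit from a saved running-config. The script below is an added example and not from the course notes or from Cisco; the sample config it parses is constructed, and the finding codes are my own naming. It additionally looks for switchport nonegotiate on static trunks, which is the IOS command that turns DTP off on a port (the notes only say “explicitly configured not to”).

```python
"""Audit an IOS-style switch config for the VLAN/trunking weaknesses
discussed in the notes: native VLAN 1 on trunks, DTP negotiation left on,
VTP in server mode or with no domain, and trunks that never state their
encapsulation.  Added example; the sample config is constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not from any real switch).  Every check
# fires on at least one line; FastEthernet0/2 is the hardened reference port.
SAMPLE_CONFIG = """\
hostname sw1
!
vtp mode server
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
end
"""

PHYSICAL_PORT = re.compile(r"^(Fast|Gigabit|TenGigabit)?Ethernet")


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def setting(self, prefix):
        """Value after `prefix` on the first matching line, or None if absent."""
        for line in self.lines:
            if line == prefix or line.startswith(prefix + " "):
                return line[len(prefix):].strip()
        return None


@dataclass
class Finding:
    where: str     # 'global' or the interface name
    code: str      # short stable tag (my own naming)
    message: str


def parse_config(text):
    """Split config text into top-level lines and per-interface blocks."""
    top, interfaces, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
            top.append(raw.strip())
    return top, interfaces


def audit(text):
    """Return a list of Findings for the given config text."""
    findings = []
    top, interfaces = parse_config(text)

    # VTP: a factory-fresh Catalyst is a VTP server with no domain, exactly
    # the state the notes warn about when a new switch is cabled in.
    vtp_mode, vtp_domain = "server", None
    for line in top:
        if line.startswith("vtp mode "):
            vtp_mode = line.split()[2]
        elif line.startswith("vtp domain "):
            vtp_domain = line.split(None, 2)[2]
    if vtp_mode == "server":
        findings.append(Finding("global", "vtp-server",
            "VTP server mode: a joining switch with a higher revision number "
            "can replace this switch's VLAN database; prefer transparent"))
    if vtp_domain is None and vtp_mode != "off":
        findings.append(Finding("global", "vtp-no-domain",
            "no VTP domain configured; set one before relying on VTP"))

    for itf in interfaces:
        if not PHYSICAL_PORT.match(itf.name):
            continue  # SVIs and loopbacks carry no switchport settings
        mode = itf.setting("switchport mode")
        if mode is None or mode.startswith("dynamic"):
            findings.append(Finding(itf.name, "dtp-negotiation",
                f"switchport mode {mode or '(default)'}: DTP will negotiate a "
                "trunk with whatever is plugged in; pin access or trunk"))
        if mode == "trunk":
            if (itf.setting("switchport trunk native vlan") or "1") == "1":
                findings.append(Finding(itf.name, "native-vlan-1",
                    "trunk carries untagged frames on VLAN 1; move the native "
                    "VLAN to an unused ID such as 99"))
            if itf.setting("switchport trunk encapsulation") != "dot1q":
                findings.append(Finding(itf.name, "no-explicit-dot1q",
                    "trunk does not state 802.1Q encapsulation (needed on "
                    "platforms that also speak ISL)"))
            if "switchport nonegotiate" not in itf.lines:
                findings.append(Finding(itf.name, "dtp-on-static-trunk",
                    "static trunk still sends DTP frames; add "
                    "'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.where:18} {f.code:20} {f.message}")
```

Feed it the output of show running-config from a real switch; anything it reports against FastEthernet0/2-style ports is a false positive worth investigating, since that is the reference configuration the notes arrive at.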

Adding VLANs is easy: conf t, then vlan n. After this you can assign your VLAN a name saying name somename. Check your settings saying show vlan {brief}. Make sure your VLAN exists on other network equipment too, otherwise your traffic will just end up on the floor.

In a large network, you will need to buy the IPservices “feature pack” which will enable all four thousand-and-something (some VLANs are reserved) VLANs. The IPservices pack will cost you about as much as the switch you are buying it for. With only the Basic IP pack, you are “only” going to get forty or sixty something VLANs, which probably will be quite enough for any network i’ll administer.

To get traffic from one VLAN to another, it needs to be routed. In a small example environment, a Cisco 35xx will handle VLANs internally (and not disclose this information elsewhere) using the following magic:

! turn on inter-VLAN routing inside the switch
ip routing
! one routed VLAN interface per VLAN, each with a host address in its subnet
int vlan 1
ip add 10.1.1.1 255.255.255.0
int vlan 2
ip add 10.2.2.1 255.255.255.0

…and assign int fa0/1 to sw acc vlan 1, int fa0/2 to sw mode trunk and int fa0/3 to sw acc vlan 2. Traffic on fa0/1 or fa0/3 going from one vlan to the other will be L3-routed (ip routing) internally.

In a slightly more realistic environment, you can do VLAN-to-VLAN routing employing a “router on a stick” (where a “stick” means one interface on the router). For that, you enable a sub-interface for each VLAN you want to route between, on the same port (“stick”). On, say, interface 0/0, you leave the “main” and actual interface without an address, then create two sub-interfaces doing the routing, thusly:

interface fa0/0
! the physical port carries no address of its own
no ip address
int fa0/0.1
! untagged (native) frames on the trunk belong to VLAN 1
encapsulation dot1Q 1 native
ip address 10.1.1.1 255.255.255.0
int fa0/0.2
! frames tagged with VLAN 2
encapsulation dot1Q 2
ip address 10.2.2.1 255.255.255.0

You’ll need to fill in the blanks yourself, but this will route the “native” untagged VLAN 1 on the FastEthernet 0/0.1 sub-interface and properly 802.1Q-tagged VLAN 2 on sub-interface 0/0.2.
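To make the same layout reusable for more than two VLANs, here is an added Python example (not from the notes or from Cisco) that renders the sub-interface configuration from a VLAN table and validates the table first: exactly one native VLAN, no duplicate ids or subnets, and a router address that is a real host address rather than the subnet’s network or broadcast address, which IOS rejects. The VLAN table, interface name and the no shutdown line are assumptions of the example.

```python
"""Generate and sanity-check a router-on-a-stick configuration from a VLAN
table.  Added example; the VLAN table and interface names are constructed."""
import ipaddress

# Constructed VLAN table: VLAN id, the router's address on that VLAN, and
# which single VLAN rides the trunk untagged (native).
VLANS = [
    {"id": 1, "addr": "10.1.1.1/24", "native": True},
    {"id": 2, "addr": "10.2.2.1/24"},
]


def validate(vlans):
    """Return a list of error strings; an empty list means the table is usable."""
    errors = []
    natives = [v["id"] for v in vlans if v.get("native")]
    if len(natives) != 1:
        errors.append(f"exactly one native VLAN expected, got {natives}")
    ids = [v["id"] for v in vlans]
    if len(ids) != len(set(ids)):
        errors.append("duplicate VLAN ids in table")
    subnets = {}
    for v in vlans:
        if not 1 <= v["id"] <= 4094:
            errors.append(f"VLAN {v['id']}: id outside 1-4094")
            continue
        iface = ipaddress.ip_interface(v["addr"])
        net = iface.network
        # Typing the subnet's first or last address for the router is the
        # classic slip; IOS refuses it, so catch it before pasting.
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            errors.append(f"VLAN {v['id']}: {iface.ip} is the network or "
                          f"broadcast address of {net}")
        if net in subnets:
            errors.append(f"VLAN {v['id']} and VLAN {subnets[net]} both use {net}")
        subnets[net] = v["id"]
    return errors


def render(physical, vlans):
    """IOS-style lines: the physical port plus one sub-interface per VLAN."""
    errors = validate(vlans)
    if errors:
        raise ValueError("; ".join(errors))
    # The physical port carries no address; the sub-interfaces do the routing.
    lines = [f"interface {physical}", " no ip address", " no shutdown"]
    for v in vlans:
        iface = ipaddress.ip_interface(v["addr"])
        native = " native" if v.get("native") else ""
        lines += [
            f"interface {physical}.{v['id']}",   # sub-interface number = VLAN id
            f" encapsulation dot1Q {v['id']}{native}",
            f" ip address {iface.ip} {iface.netmask}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(render("FastEthernet0/0", VLANS)))
```

The generated lines match the hand-written two-VLAN configuration above; the payoff is that a typo in the table is reported by validate() rather than discovered as a rejected command on the router console.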

Throw in one recap-of-ICND1-lab and another about VLANs and trunking, and that’s about the size of it! Tomorrow, we’ll handle spanning trees and link aggregation (that’s right, EtherChannels), among a bunch of other things. Phew!


Cacti is a free network monitoring and graphing (“trending”) tool, which i’ve managed to install on a computer at work. The idea is that eventually i will have a portable network monitoring tool that is both easy to physically lug around and reasonably easy to plug into a new network and let it do its thing. Eventually, there will be more tools installed. While the solution presented here is really simple, i did four complete re-installs of the system before i was up and running. I could have made it with less work if i’d either followed the kind instructions given, or if i’d spent more time debugging. This time i just took the lazier path. These are the steps i took:

  • Install Kubuntu 7.10 (which is the current stable version — the new one’s out in twenty odd days). While any Linux installation will do, these instructions are for a Debian-based distribution… which includes the aptitude application. If you don’t have aptitude, just use whatever package management system you may have. When you’re done, reboot.
  • Optional, but recommended: Using Adept, or any other package management tool of your choice (use apt-get, if everything else fails), remove the packages you don’t need. I removed the office and multimedia packages, since this won’t be a desktop/office station.
  • Optional: Add proprietary display driver, in my case, the NVidia driver. REBOOT once you’re done, or start from step one above.

Now it’s time to update your system. I first did this using the graphical Adept tool, but it crashed on me, so i moved to the command line instead.

  • Fire up a terminal (i use konsole) and enter sudo aptitude update. You will be prompted for your password. Watch the texts fly.
  • Next, enter the following two lines:
    sudo aptitude safe-upgrade
    sudo dpkg --configure -a
    Repeat until you get no errors.

Your computer is now updated. Time to add Cacti. Cacti needs MySQL to be installed first, and while the cacti package suggests that it will install MySQL properly, it won’t. At least not yet. A future version probably will. Again at the terminal (konsole), enter the following and answer Yes to any questions.

  • sudo aptitude install mysql-server
  • sudo aptitude install cacti

The installers will ask for the passwords for mysql administration and the cacti application. Depending on the context, you will create one or recall it. In either case, write that password down, because once you need it, you won’t remember it :)

The Cacti installation will use the Apache 2 web server, but i had a problem with the Cacti installation that needed to be (located, debugged and) fixed first:

Edit the /etc/apache2/conf.d/cacti.conf file. On the first line of the file, change the Alias /cacti into Alias /cacti/site. Leave the path at the end of the line untouched.

I know i’m probably doing something fundamentally wrong here, as Cacti should be running from the aliased directory /cacti, not /cacti/site, but applying this fix made Cacti run for me.

Now fire up a web browser on your monitoring box and go to http://localhost/cacti/site to access your Cacti installation. If all goes well, log in as admin/admin, change your password and (with the help of the Cacti manual) start adding devices!


I wonder where there’d be a service you could send a 425-page book to, to have a single copy printed?

Update: Well, look at that. The book’s website also leads to a bookshop. The whole lot for a tenner plus postage. Not bad.


It was only towards the very end of my academic “career” that i discovered how fun technical articles are. Esteemed researchers — and wannabes — write the latest in technological innovation for the world to see. And since i had the “study right” at the school, i had free (gratis) access to these articles.

However, there are a few mighty organizations that make money on distributing these articles. And while there’s nothing immoral about making money (to a certain degree), from my perspective, this sucks. I’m not going to pay US$35 a pop.

I’ve got an account at the student union Teknologföreningen’s machine mask. When making an ssh connection to mask, i was allowed to set up an ssh tunnel to the school’s web proxy, and through it, gain gratis access to ACM and IEEE Xplore. However, due to how the school has decided that student unions and the like shall not be part of the school’s network, i now don’t have access to the proxy. And it bugs me to pieces.

Is the only way to regain article access to become a postgrad student?
