password


Geeky passwords

It’s kinda sad when my ungeeky users don’t understand the sheer brilliance of the passwords i create for them.

  • c=0.3Gm/s
  • H2O=water
  • Pi<=22/7

Shame regular users can’t type out funny characters. Otherwise π ≈ 22/7 and c ≈ 0.3 Gm/s would be both more correct and more secure. On the other hand, i do occasionally include spaces in passwords but sometimes get weird looks when i inform them their new password is “Cheers, matey!”.

One day i’m going to give somebody the password e^(i*phi)=cos(phi)+i*sin(phi) out of sheer frustration. Or e^{iφ} = cos φ + i sin φ, if i’m particularly nasty. Let’s see how they insert italics and superscripts into their passwords.


Cacti is a free network monitoring and graphing (“trending”) tool, which i’ve managed to install on a computer at work. The idea is that eventually i will have a portable network monitoring tool that is both easy to physically lug around and reasonably easy to plug into a new network and let it do its thing. Eventually, there will be more tools installed. While the solution presented here is really simple, i did four complete re-installs of the system before i was up and running. I could have made it with less work if i’d either followed the kind instructions given, or if i’d spent more time debugging. This time i just took the lazier path. These are the steps i took:

  • Install Kubuntu 7.10 (which is the current stable version — the new one’s out in twenty odd days). While any Linux installation will do, these instructions are for a Debian-based distribution… which includes the aptitude application. If you don’t have aptitude, just use whatever package management system you may have. When you’re done, reboot.
  • Optional, but recommended: Using Adept, or any other package management tool of your choice (use apt-get, if everything else fails), remove the packages you don’t need. I removed the office and multimedia packages, since this won’t be a desktop/office station.
  • Optional: Add proprietary display driver, in my case, the NVidia driver. REBOOT once you’re done, or start from step one above.

Now it’s time to update your system. I first did this using the graphical Adept tool, but it crashed on me, so i moved to the command line instead.

  • Fire up a terminal (i use konsole) and enter sudo aptitude update. You will be prompted for your password. Watch the texts fly.
  • Next, enter the following two lines, and repeat them until you get no errors:
    sudo aptitude safe-upgrade
    sudo dpkg --configure -a

Your computer is now updated. Time to add Cacti. Cacti needs MySQL to be installed first, and while the cacti package suggests that it will install MySQL properly, it won’t. At least not yet. A future version probably will. Again at the terminal (konsole), enter the following and answer Yes to any questions.

  • sudo aptitude install mysql-server
  • sudo aptitude install cacti

The installers will ask for the passwords for mysql administration and the cacti application. Depending on the context, you will create one or recall it. In either case, write that password down, because once you need it, you won’t remember it :)

The Cacti installation will use the Apache 2 web server, but i had a problem with the Cacti installation that needed to be (located, debugged and) fixed first:

Edit the /etc/apache2/conf.d/cacti.conf file. On the first line of the file, change the Alias /cacti into Alias /cacti/site. Leave the path at the end of the line untouched.

I know i’m probably doing something fundamentally wrong here, as Cacti should be running from the aliased directory /cacti, not /cacti/site, but applying this fix made Cacti run for me.

Now fire up a web browser on your monitoring box and go to http://localhost/cacti/site to access your Cacti installation. If all goes well, log in as admin/admin, change your password and (with the help of the Cacti manual) start adding devices!


This is one of those days. Since i was on a course for a week, my Windows domain login expired. I managed to log in to my computer this morning but after lunch, my screen was locked and so was my account. So i try to give A and B, our friendly sysadmins, a call. Neither phone answers. Turns out that B is on holiday and i’ve got A’s number wrong. I can’t check the right number using Nokia’s Mail For Exchange, which gets the number from the company’s AD, because — well — my Windows account is locked.

So i give our service desk orchestrator P a ring, and she connects me to A who immediately answers and tells me that he’ll unlock my account and he’ll send me the new password over SMS. Well, immediately after congratulating me on the spectabulous way i’ve managed to lock myself out. I so agreed.

At a quarter past five there still is no SMS, so i expect dear Mr. A sent the new password to my work number instead of my personal number. Well, since i changed to another business unit, i changed my phone number as well (the BU used to be another company and we’re still under the old phone number series). But i can’t call A because i don’t have his number, i can’t check his number and i don’t want to bother P whose working day has ended anyway. No worries, i’ll contact him over Messenger.

Dig this: i don’t have my Messenger password. I know i changed it a while back and now evidently, i can’t recall it. On my Windows boot, i would have it cached, but … well, that’s right, my Windows bit is locked.

Last resort: fire up Linux, surf to Live.com, ask to reset the password. Live.com refuses to accept my captcha using Konqueror so i fire up the ‘Fox and ask Live to send the password request to my “alternative e-mail”. I’ve been watching my GMail account since. Nothing there yet. This is just one of those days. Thank goodness for my Linux partition.

Update: Turns out the reset-your-password message had been filtered as spam :) . The road to recovery starts… tomorrow.


ICND1 day 5

Final day of the ICND1 course (was yesterday but i was too tired to write about it then). The day consisted of three parts: network management with Cisco’s discovery/announcement protocol, The Great Lab (which had a niftier name but i never quite caught it), and a bit about wireless networking. We also got answers to some questions we’d been asking thus far, left to the last day of the course.

Cisco Discovery Protocol (CDP) is a proprietary method for routers and switches to yell about themselves in the local net. The good thing is that it works like an L1/L2 link tester, the bad thing is that it is enabled by default on all network devices. Or let’s say, it is a good thing when you know about it and while it’s on the internal network, and dangerous if it leaks. Since it’s L2 traffic, it won’t get routed, but a cunning network geek/hacker/cracker/[0xNN, N=0..F]-hat could probably snoop it from your public interface. And if your public interface’s public before you’ve disabled cdp, well, you’re busted. Or at least not very quiet about things.

CDP would be a better thing if it were standardized and if it wasn’t so vocal about things. If it was up to me, i’d go with one of the myriad of discovery/advertisement protocols out there, say Zeroconf. By default, all devices listen to service announcements and will send a single blip after they boot. If you don’t like this behaviour, turn it off. If you’d like constant updates, configure this. When you’re adding devices to the net, one blip would be welcome; just see that you have your data cables connected before you power up. And on an internal network, i think i’d rather keep the protocol running and the blips coming.

Another issue re network management was that of storing your configuration files centrally if you have a sufficiently large network to manage. You will then have one central repository of config files instead of having the files spread out over all the devices. If you’re paranoid, your configuration will not be revealed if the device is stolen (for example, a wireless access point?). And backing up the configuration files would be a piece of cake.

We now came to a crucial bit of network device management. It may happen that you inherit a Cisco router, or purchase it off eBay or on a shady street somewhere. Chances are that you will not know one or more of the passwords required to maintain the box. But there is a way to reset any password, and the procedure is quite like resetting the root password of a Linux box. You need console access to do this. Power cycle the device and before it starts reading the IOS system image, send a few break signals to the device. You will be dropped to the ROM monitor. Here, change the configuration register (the Number That Should Never Be Changed) from 0x2102 (boot normally) to 0x2142 (do not read the startup config file) and reboot. When you’re back up, enable privileged mode, configure the passwords, change the configuration register back to 0x2102, save the running config and reboot. If you want to retain the configuration, you could send the startup config file over the wire, edit the passwords and beam it back. Power-cycle and you’re the boss.

To get into a switch you don’t have the passwords to, just power-cycle the switch while holding the “mode” button. This will start the switch without reading the default config.txt file. Rename that file and reboot. Switch pwned. (again, beam the config file elsewhere, edit the passwords, and beam it back to have the earlier configuration intact).

The Big Thing of today was a big lab drill where we were given an unconfigured network that we should get into running order. Help was provided in writing in the form of a task list, and of course our drill sergeant was there to answer any questions (“Why don’t my pings reach the router?!”, “You need to enable the vlan1 on the switch.” “Oh. Right.” “Network interfaces are enabled by default, virtual LANs are not.” “Err, yes, that’s right.”). Our network consisted of one router, one switch, two PCs, one “Lab Internet”, one “head quarters” with a link, a router and a server. Switch and router were to be configured in a secure manner, PAT on the router’s public interface, discard traffic from unauthorized hosts to the switch, the HQ needed to be connected over ppp, and a few more. I did feel rather satisfied when that lab was in the can! I just hope i can recall that stuff in a live situation, and learn it for the exam!

After this, our excellent trainer exited the room and we got a two hour brief on everything about wireless networks. Basically, WLANs are maturing and later this year, we should have the final version of 802.11n (more bandwidth, less variation on the bandwidth, and all that with fewer access points) and protocols for rapid hand-over and secure handling of control data on a wireless network.

All in all i must say that i never expected a basic course in networking to be this valuable. I can really recommend it to anyone in a situation like mine: a bunch of network theory learned a few years back but very little of getting your hands dirty. Now i just need a few switches and routers to play on, preferably here in my home!


Today was a rather uneven day, a mix of highs and lows. I’m still on a “developing a cold” mode, so that might explain why i wasn’t in full receive mode on this fourth day of the ICND course.

We continued working with the SDM “router GUI” (the one that did not suck) to turn off unnecessary services and to create a DHCP server. Small and sweet. A piece of trivia is that you need to enable ssh access to get the SDM up. No idea why, since ssl and ssh have very little in common, save the first two characters in the name (ok, the first of which is “secure” in both cases).

We also noted that while the Cisco IOS has privilege (or access) levels 0 to 15, only 0 and 15 are used — for unprivileged and admin user respectively — and the rest of the levels should be left untouched. If you need more finely grained user access, you should use views. What exactly those views are and how they are administered was outside the scope of ICND1.

Today’s big topic was routing, so we added static routes and used RIPv2 to show how dynamic routing works. We opened up a few regular Ethernet tubes and one serial connection using PPP. While a serial connection may sound outdated, i’m sure (or at least, i hope) that i’ll wake up one day in a UNDP project on the other side of the world where i need to understand what this or that cable is doing and how to get traffic through it.

If you’re to link two boxes with a serial connection, you need to set the “bandwidth” of that connection. Note to self: check out how before going to the exam.

We also touched Frame Relay, which is a slowly dying technology in Finland (as is ATM). Just to note that each connection in a Frame Relay (virtual) circuit has a specific data-link connection identifier (DLCI), which probably will be a different one on the different sides of your connection.

One tool to configure network equipment back and forth was to ssh (or telnet) between the switches. You can escape back to the host you came from without dropping your connection by pressing Ctrl-Shift-6 x. The connection is resumed by pressing enter or using the resume command. To drop the connection, you need to “clear the line” from either host: use clear line from the remote box, or disconnect from the other. Entering logout will only get you to the login screen of the remote box.

Then we had a bit about WAN connections, which was mostly boring. The only flash of light was the bit about DSL, so i might understand my own home connection better.

Then we had a bit about NAT and PAT. Turns out that Everything I Knew Was Wrong, which was an enlightening moment. NAT, or Network Address Translation means just that. It is a one-to-one translation of the network address. It is not having a private network hiding behind one public address. Proper NAT exposes all ports of the machine inside as an address on the outside, which demands a bunch of public IP addresses (which you may not have) and a firewall (which you do). Port Address Translation on the other hand is what i believed to be NAT. Take one host on the inside, push it through the PAT. On the inside it will have your “inside” IP address, on the outside it will have your public IP address. Now here comes the catch: the PAT will generate a source port number (which may or may not be the same as the “inside” source port number) for the translated packet and send it away with the public IP as source address. When a reply comes, the PAT looks up the host on the inside network using the destination port of the return traffic. Cool, and my life has meaning again.

There’s a kind of a hybrid between NAT and PAT, namely Dynamic NAT. Say you have a pool of public IP addresses. For each NAT translation, grab a public IP address and use it for the transaction. When the “NAT lease” expires, the public address is returned to the pool. This way, all ports of a certain host can use the same public IP address — for a while. Old VPN solutions will have an easier time here. Speaking of which, old VPN solutions, as well as pings, that do not use ports (because it’s not part of their design), will either need to have their protocol slightly altered (VPNs) or will get source and destination ports inserted at NAT/PAT time (pings).

PAT is also called Overloading of an inside global address.
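To make the difference between PAT (overloading) and dynamic NAT concrete, here is a small added simulation of both translation tables; it is not code from the original post, and all addresses, port numbers and lease times in it are constructed. The PAT class keys its reverse lookup on the translated source port, exactly the catch described above; the DynamicNAT class hands out one public address per inside host from a pool and returns it when the lease expires.

```python
"""Toy PAT ("overloading") and dynamic NAT translation tables.
Added example; addresses and ports below are constructed, not from any real site."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PAT:
    """Many inside hosts share ONE public address. The translated source port
    is the only key available to find the inside host again when a reply comes."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_port = {}      # translated port -> (inside ip, inside port)
        self.by_inside = {}    # (inside ip, inside port) -> translated port

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_inside:          # first packet of this inside flow
            port = self.next_port              # may differ from the inside port
            self.next_port += 1
            self.by_inside[key] = port
            self.by_port[port] = key
        return Packet(self.public_ip, self.by_inside[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        inside = self.by_port.get(pkt.dst_port)
        if inside is None:
            return None                        # no mapping: unsolicited traffic is dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class DynamicNAT:
    """One public address per inside host, leased from a pool. All ports of that
    host share the address until the lease expires and the address goes back."""

    def __init__(self, pool, lease_seconds=60):
        self.free = list(pool)
        self.lease_seconds = lease_seconds
        self.leases = {}       # inside ip -> (public ip, expiry time)

    def expire(self, now):
        for inside, (public, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[inside]
                self.free.append(public)       # return the address to the pool

    def outbound(self, pkt, now):
        self.expire(now)
        if pkt.src_ip not in self.leases:
            if not self.free:
                return None                    # pool exhausted: cannot translate
            self.leases[pkt.src_ip] = (self.free.pop(0), now + self.lease_seconds)
        public, _ = self.leases[pkt.src_ip]
        self.leases[pkt.src_ip] = (public, now + self.lease_seconds)   # refresh lease
        return Packet(public, pkt.src_port, pkt.dst_ip, pkt.dst_port)


if __name__ == "__main__":
    pat = PAT("203.0.113.5")
    out = pat.outbound(Packet("10.0.0.3", 40000, "198.51.100.9", 80))
    print("translated:", out)
    print("reply maps back to:", pat.inbound(Packet("198.51.100.9", 80, "203.0.113.5", out.src_port)))
```

Note that the PAT keys on the inside (address, port) pair only, which is a simplification; a real translator also tracks protocol and destination. The useful part is the asymmetry: outbound packets create state, inbound packets can only consume it, which is why unsolicited traffic from outside has nowhere to go.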

As admin, you can ping the whole subnet and get an ARPfull of entries.

More about routing. If you’re talking ethernet, you need to have the connecting ports of the connecting routers to be of the same subnet. Since you don’t want to throw away a whole class C subnet just to connect two routers, just take one with a /30 mask. Or re-use IP addresses, but that may cause some head-scratching a few months after you designed your net.

Dynamic routing again. RIPv1 is old and poxy and should not be used. Among others, it doesn’t care about your mask, so you can’t use subnetting if you use RIPv1. Avoid it. RIPv2 on the other hand is not completely poxy and does its work alright on a small network. It even has (false) security built in, meaning that it will send out an MD5 hash of its password (in clear text) over the network. This password needs to be the same on two RIPv2 enabled routers, which i find insane (cf. “shared secret” = no secret), which means there’s nothing stopping a bad guy from just transmitting the MD5 hash instead. I’m unsure whether there really has to be a common RIPv2 password or if it’s just to identify a router pair.

For bigger networks, there are other protocols and we talked about them too.

debug all will bring any router (or switch) to its knees.

And that’s all for today.


Today we got to lay our configuring hands on the router. While i’ve previously thought that stand-alone routers are kinda redundant, dinosaurs of a time past, i’ve come to realize that in a proper setting, a router can be rather useful… the proper setting being a Large one :) .

Furthermore, i got to play with Cisco’s configuration GUI, which much to my surprise, did not suck.

Today’s insights and trivialities:

Duplexity

In a business network environment, set the “backline” switch ports (servers, network equipment…) to full duplex manually and leave the end user ports to auto-negotiation. If one network element [A] is set to full duplex while the other one [B] is set to auto-negotiate, the auto-negotiate process at [B] is going to fail and [B] will communicate in half-duplex, expecting collision detection (“standard” CSMA/CD) on the wire.

If you have a lot of traffic in a configuration with a duplex mismatch, [A] will experience CRC errors and [B] will experience Late Collisions.

Routing

The reason a broadcast packet won’t go through a router is that the router will disassemble the L2 header from any incoming traffic, keep the L3 bits, and create a new L2 frame which it forwards down the line if deemed necessary. It’s not a property “of the router port”, it’s a by-product of the router’s design.

A netmask is not a subnet mask. A netmask is a mask tied to the “old” Class-A/B/C (…) networks. A subnet mask, though, can be considered a mask, or at least a bit of one. A proper and academically correct mask will consist of a network mask and an optional subnet mask.

A routing decision is made on the most specific information available (meaning the matching rule with the longest subnet mask). You can thus have one route for 192.168.0.0/16 and another for 192.168.42.0/24. Traffic to the 42-subnet (ha!) will be routed according to the second rule, and there is no difference in which order the rules are listed. It is just common sense to order them in a logical order, but there is nothing that dictates the use of common sense. At least not here.
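The longest-match rule above, as an added example that is not from the original post: a lookup over the two routes mentioned (192.168.0.0/16 and 192.168.42.0/24, plus a constructed default route), written so that the order of the table does not matter. The next-hop labels are placeholders.

```python
"""Longest-prefix-match route lookup, order-independent.
Added example; next-hop names are constructed placeholders."""
import ipaddress


def lookup(routes, destination):
    """Return the next hop of the most specific matching route, i.e. the one
    with the longest prefix. Every entry is examined, so listing order is
    irrelevant to the result."""
    dst = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Constructed routing table: the two routes from the text plus a default route.
ROUTES = [
    ("192.168.0.0/16", "via-A"),
    ("192.168.42.0/24", "via-B"),
    ("0.0.0.0/0", "default"),
]


if __name__ == "__main__":
    for dst in ("192.168.42.7", "192.168.1.1", "8.8.8.8"):
        # Forward and reversed tables give the same answer.
        print(dst, lookup(ROUTES, dst), lookup(list(reversed(ROUTES)), dst))
```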

Loops

A single loop in a normal network (without any counter-measures applied) can bring the whole network to a screeching halt and make your switches melt… well, figuratively at least. In a situation where two switches are connected with two wires, the first broadcast that appears on the network will be looped infinitely between the switches and distributed all over the network. Indeed, the loop will go in two directions between the mis-connected switches, creating a two-way infinite loop and multiple identical copies of the frame, as well as make the bridging tables “vibrate” on the connected equipment. Just one wire, and boom.

An easy remedy is to apply Spanning Tree Protocol, available on all managed switches and possibly on some unmanaged ones. Each STP-capable switch has a Bridge Priority number so bridges/switches can compete over who’ll be the root switch of that LAN or VLAN. An unmanaged, non-STP switch can still bring the network down in a mixed environment, as can an unmanaged STP-capable switch where you cannot change the bridge priority number, and you haven’t pimped your “core” switches’ prio yet. If there are many switches with the same priority, the one with the lowest MAC number wins.

STP exists in a multiple of flavours, including a couple of Cisco-proprietary ones.
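The root election just described (lowest bridge priority wins, ties broken by the lowest MAC), as an added example that is not from the original post. The bridge names, priorities and MAC addresses are constructed; the default priority 32768 is the usual STP default.

```python
"""Spanning-tree root bridge election: lowest (priority, MAC) wins.
Added example; switch names and MAC addresses are constructed."""


def mac_to_int(mac):
    """Accepts Cisco dotted (0011.2233.4455) or colon form (00:11:22:33:44:55)."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def bridge_id(priority, mac):
    """The comparable bridge ID: priority first, MAC as tie-breaker."""
    return (priority, mac_to_int(mac))


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Returns the name of the root bridge.
    With every switch at the default priority, a cheap desk switch with a low
    MAC beats the core switch; lowering the core's priority fixes that."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


if __name__ == "__main__":
    lan = {
        "core1": (32768, "0019.e8aa.bbcc"),
        "core2": (32768, "0019.e8aa.bbcd"),
        "desk-switch": (32768, "0011.2233.4455"),   # unmanaged, priority not changeable
    }
    print("root with defaults:", elect_root(lan))
    lan["core1"] = (4096, "0019.e8aa.bbcc")          # prio lowered on the core
    print("root after tuning:", elect_root(lan))
```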

Uplink load balancing

Real geeks (and real offices) have more than one Internet pipe. With routing, you can rather painlessly have the other one either as a backup connection or use both as uplinks. To share the load among uplinks, set their metric to be the same. To have one pipe as primary and the other as backup, give a higher metric (lower priority) to the backup pipe. Your router should realize what to do if the other pipe goes down.

Cool. Now i wants me another uplink from home (though i’d also want my 24 Mbps pipe to give 24 Mbps down-bandwidth; currently it supports about 11 Mbps).

Other

A welding device will induce so much electromagnetic interference (EMI) that even a shielded twisted pair (STP) cable will be affected. Use fibre instead.

Make backups of your configuration files before you start to poke around with them. Yes, this applies to network equipment too :) .

OSPF works like a flower. Distance vector routing protocols can be s..l…o….w…..

I need to do more binary-decimal conversion in my head (or even on paper).

Is there any use for a network with a /31 mask? Such a network would only have space for the network’s address and the broadcast address.

Is there any use for a mask that isn’t “continuous” (as in 255.0.255.0)? Can it be used to show more routing info in one rule? Should it?
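An added example, not from the original post, covering the /30 router link from the routing section and the two mask questions above: dotted-to-binary conversion for practice, a mask-to-prefix-length conversion that rejects a non-contiguous mask such as 255.0.255.0 (a subnet mask has to be ones followed by zeros, which is why the standard tools won't accept it), and the classic usable-host count under which a /31 has none. RFC 3021 does define /31 for point-to-point links, but the function below deliberately keeps the classic rule the course teaches.

```python
"""Mask helpers: binary view, contiguity check, usable host count.
Added example; the addresses used are constructed."""
import ipaddress


def to_binary(dotted):
    """192.168.42.1 -> 11000000.10101000.00101010.00000001"""
    return ".".join(format(int(octet), "08b") for octet in dotted.split("."))


def mask_to_prefixlen(mask):
    """Prefix length of a dotted mask. Raises ValueError for a mask whose
    ones are not all leading, e.g. 255.0.255.0."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    contiguous = bits == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if not contiguous:
        raise ValueError(f"non-contiguous mask: {mask} ({to_binary(mask)})")
    return ones


def usable_hosts_classic(prefixlen):
    """Total addresses minus network and broadcast. /30 leaves 2 (a router
    pair); /31 leaves 0 under this rule."""
    return max(2 ** (32 - prefixlen) - 2, 0)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.252", "255.255.255.254"):
        plen = mask_to_prefixlen(mask)
        print(mask, to_binary(mask), f"/{plen}", usable_hosts_classic(plen), "usable")
    try:
        mask_to_prefixlen("255.0.255.0")
    except ValueError as err:
        print("rejected:", err)
```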

Why does a Cisco router have a power button when a Cisco switch doesn’t?

Can we get a warning that we’re going to be logged out by timeout a bit before we are?

Can we get the tab key for autocompletion and the ? key for command proposal to work together like the tab key does in zsh?

There are bugs on the slides “Host to host packet delivery”. IP is going to address the packet to the other subnet, not the router (unlike L2, which will address the MAC of the router, not the host on the other subnet). ARP is not going to get, or even ask for a MAC address in another subnet and it won’t make a routing decision either (slides 2, 3 and 4 on page 4-87 and on).

Dijkstra was cool (even if he didn’t like Linux). Not only did he develop the spanning tree thingy, but he also developed Reverse polish notation. Kudos post mortem, dude.

If US crypto stuff (keys exceeding a certain length, etc) can’t be exported to dangerous countries like, uh, supposedly Afghanistan, Iraq and other axis-of-eeeevil states, what does the US military use to encrypt their network equipment when they’re on a shooting spr… a military mission there?


Continued from yesterday’s ICND1 course, here are my collected ramblings from today’s session. I’m sure they make very little sense unless you already know the CCNA curricula. But this time, i’m mainly writing it for myself, not as a field report. Take it as a learning log.

Lots about VLANs today, and we finally got to configure a switch! Rock on :)

In a previous job, we had two VLANs on the internal network to separate the Big Customer’s data from Other Customers’ data (including the internal office stuff). Cisco takes a very different approach to why VLANs are good: If you have more than ~250 hosts on a single LAN, you get so much broadcast traffic that the network gets congested, and it doesn’t matter how many switches you throw at your LAN, it ain’t going to help. The reason — yeah, this is basic, but i had all forgotten it — is that ARP requests, which hosts on the network use to go “yoohoo, can the Real Slim Shady please stand up [and tell me their MAC address]?”, are by definition broadcast messages. When you have over 250 hosts that all need to yoohoo to each other, you get a lot of yoohooing. Hence, you split your LAN into multiple virtual LANs.

Admittedly, our use of VLANs was alright, but i hadn’t really thought of theirs.

Bridges/switches live and thrive on MAC addresses too. I was thrilled to see that bridges can bridge (or switches can switch) traffic through a network without the need for IP addresses. I mean, come on, you need IP addresses to get things done? Nope. But what bothers me is that apparently, a bridge or a switch isn’t allowed to answer an ARP message and respond to the yoohooer above that hey, Slim Shady has the MAC addy 0102.0304.0506. A switch can’t be an ARP proxy and thus cut down on the broadcast traffic. OK, so you will have the freshest, accuratest info if you got it from the horse’s mouth but puh-leeze…

Moreover, we enabled ssh on the switch, toyed with (badly) encrypted passwords, and i nearly caused a demonstration of how to get into a switch you’ve locked yourself out from. Apparently, we’re going to learn that anyway, which is another Good Thing.

What is fun is that from half a day’s tinkering with the switch over a command line, i know more than i’ve ever known about the Cisco’s capabilities. I really never expected a basic “101-level” course to be this valuable!

Here are today’s irrelevancies and trivialities:

  • How are transoceanic optical cable amplifiers powered? You can’t run several thousand kilometres of superconductive copper just to transport electricity, you can’t have a fusion reactor there, and if you’re at the bottom of the ocean, you probably can’t generate power from waves.
  • What are the voltage levels on an Ethernet wire? Not that it matters really, it would just be fun to know.
  • A GBIC is a plug-in module to allow stuff like an optical connection to a copper switch, not the type of connectors in the module. Duh.
  • An SX wire is multimode, an LX wire is single mode. The S which doesn’t stand for single mode stands for “short[er] range”. No extra points for guessing what the L stands for. There’s also a not-really-standardized ZX which stands for extended range or something.
  • A straight-through cable is used to connect a switch with a terminal (host, active network … thing), including a router. On the other hand, most switches these days auto-sense whether there’s a straight-through (MDI, media dependent interface — what a poxy abbreviation) cable or a cross-over (MDIX = MDI with cross-over). And that these days, most routers come with switches built in, or the other way around.
  • A “layer three switch” is a switch with a router built in. A “layer four switch” is a layer three switch with most of the switching done in ASIC. Unlike with the L2 and L3 switches, L4 has nothing to do with the fourth OSI layer. It is a marketing term. How lame.
  • What does the X in 100Base-TX stand for?
  • Cisco thinks collisions are bad. I’ve learned that collisions are a part of Ethernet life… part of the design. It’s the don’t worry, we’ll just do it again mentality (that Token Ring lacks).
  • A switch is a faster bridge with more ports.
  • A switch will detect a collision on a port and not forward the poxy frame to the rest of its ports, so it will make “collision domains” smaller. It will forward all broadcast traffic, thus not make the “broadcast domain” smaller. Switches do not solve everything (VLANs do… and pigs will fly/we will have Global PKI).
  • Twisted pair cables are twisted to cancel out EM disturbances. I thought TP cables are twisted to cancel out capacitance with inductance. Otoh, maybe both reasons are right.
  • Bridging/switching is fun.
  • Broadcasts are broadcast through switches by design, not as a special implementation. This is because switches learn where MAC addresses are (or rather, to which switch port they are connected) using the source MAC of a frame. A broadcast will have the MAC address ffff.ffff.ffff and while all hosts on the net will pick up the signal, nobody will answer to tell that they are ffff.ffff.ffff. It’s damn elegant.
  • A MAC code with the prefix 01-00-5E is multicast.
  • Multicast is cool. IGMP snooping multicast is elegant.
  • A hub is a bit (or packet) regenerator.
  • What does a VLAN tag look like?
  • Why oh why does an IP packet have the destination MAC, the source MAC, the source IP address and the destination IP address in that order? (dst/src MAC, src/dst IP)


Update: Added more trivialities

I’m taking the “basic” Cisco course which aims for the CCNA certification. The course is made up of the modules ICND1 (Interconnecting Cisco Networking Devices) and ICND2. The first module focuses mainly on general networking issues whereas module two takes a more product-centered perspective — or at least that’s how i believe it to be.

As an MSc (diplomingenjör), i’ve had a few networking courses in my study career, but yesterday was a good reminder of what TCP/IP networking really is, in practice. Most of the TCP/IP training i had in school was rather theoretically oriented, so it’s good to have training that is more focused on the practicalities. And it was a while ago since i had to think of the OSI stack.

Here are the fun bits i reacted on from day 1:

  • The “old” classification of networks to A, B and C-class networks also has a D-class (multicast — yeah, i had forgotten it is The D-class) and an E-class, which is “reserved for research” and practically unused.
  • I need to read more on the OSI stack so that it becomes second nature to me.
  • I wonder what those funky OSI stack mnemonics were? All people need… data something? Something about Prince one or the other?
  • Can you have routing with Auto-IP? Using Service advertisement? UPnP? Is it really worth it?
  • What about those ACK and SEQ numbers? How do they jump? The literature talks about either growing with the amount of transported traffic, but can a predictable pattern cause a security hole?
  • What exactly does Ethernet padding consist of, and how can it be discerned from the actual data?

