Friday, October 31, 2008

JNCIP-M Test Scheduled

On a more personal note, I have been scheduled to take my Juniper Networks Certified Internet Professional (JNCIP-M) exam on January 5th, 2009. I will be taking it along with my good friend (and network Über-genius) Joel Studtmann. The JNCIP is the first of TWO 8-hour labs you must take to achieve Expert level certification on the Juniper M/T Series (Service Provider) track. Joel passed the JNCIP-M several months ago and will be attempting the JNCIE-M for the first time.

You can find more information about the JNCIx tests here:
http://www.juniper.net/training/certification/mt_series_track.html

Wednesday, October 29, 2008

Router Lab update

It's been a while since I posted anything out here, but I've been extremely busy. Although I haven't blogged, I have been making progress on bringing the router lab online. I got a domain registered for the lab, www.onlinerouterlab.com, however I haven't really put anything out there yet as I have still been building the lab.

I have purchased 2 APC MasterSwitch remote power strips, which will allow people using the lab to remotely reboot devices as needed. Given my limited budget for this, I don't have enough ports for everything to get its own port on the switch. My plan is to put the free lab devices on a single port (so make sure to do a write mem before rebooting, since everything on that port reboots together) and then give each device in the paid lab its own port.

Thanks to my friends Ryan Walz and Rakesh Hegde (who should be congratulated on his recent CCIE R&S certification - CCIE #22050), I have two small free-standing racks in which all of the equipment is now installed.

As of last night the terminal server is online and the cabling is ready to be started, which I probably won't get a chance to do until this weekend. I think Rakesh will be helping design the most flexible layout for the paid lab to make it as useful as possible for those using it to study for certification exams (given that he has studied for and passed the test).

(Photo from the album "Online Router Lab - Build")

Wednesday, October 15, 2008

Millions of unused IP's out there *ROFL*

There is an article I saw on Slashdot today that pointed to some research done by a group indicating there are millions of IP addresses out there that are unused (or lying idle). You can find the article here, but I decided to post a few of my thoughts about it.

There are numerous reasons why a lot of PUBLIC IP space will not be reachable from the Internet. Business to Business (B2B), where multiple companies' networks need to talk to each other, is the perfect example of this. B2B is becoming much more relevant in the days of outsourcing services and for service providers. Additionally, there is a lot of infrastructure out there that uses public IP space but will not respond to scans because it has been hardened not to do so. Someone on Slashdot pointed out that blocking ICMP THROUGH a router or firewall is a no-no, but blocking it when it is destined to the device itself is just fine and is actually good practice. Then there are companies like GE that were assigned a /8 and gave every device a public IP whether it needed one or not. These companies need to be read the riot act by ARIN and return it.


Some people out there use every study about IPv4 to sing the praises of IPv6. Here is how I respond to that. Please note, I do believe that IPv6 makes a lot of sense in places, but there are huge obstacles that are going to have to be overcome before we get there. I think the ultimate irony is that we want to move to IPv6 to get away from our band-aid IPv4 solution of NAT. I find this hilarious because in order to move from IPv4 to IPv6 we are still going to end up doing NAT until IPv4 is totally gone.

BEGIN RANT ^^
Those who just spout that we should up and move to IPv6 have no clue. The world is not ready for IPv6, and my money says we will not end up with mainstream adoption (and I mean every new consumer device and piece of software that comes out being IPv6 aware) for at least another decade. There is way too much to do; companies have only over the last few years really started networking everything, and they are going to have to re-tool and re-learn.
Nobody wants to go back and learn a brand new protocol for which you basically need to throw away 80% of what you thought you knew.

Finally, IPv6 only truly solves one problem that we have in IP networking today, and that is the number of available addresses. We know for a fact that in Ethernet you're not going to have several million devices in the same broadcast domain (VLAN) (and yes, I know some of IPv6 uses multicast), so we are going to be orders of magnitude more wasteful than we could possibly be with IPv4. The only way around it is to subnet, but past a /80 you lose the ability to do autoconfiguration, which basically renders IPv6 useless.

END RANT ^^

Tuesday, September 16, 2008

Router Lab under construction

I am currently working on building a router lab that I will be putting online for people to use. The goal is to allow people who might not otherwise want to buy hardware to get time on actual gear. As I'm not going to be making huge money on this, it's fairly low-end equipment (mostly 2500s), but I did recently purchase several Catalyst 2950s and a 3662 router. Below are some (very low quality) pictures of the construction.

Monday, August 25, 2008

Juniper Fastrack JNCIA-EX expiring

This is the last week to qualify and take the test for the Enterprise Switching exam. The program offers a free voucher for the exam at any Prometric testing center. I've been slacking myself but I plan to take the test on Thursday night.

Friday, August 15, 2008

Installation Tips for Cisco ACS on Windows 2003 Server

Last year I was working on a project to install some new Cisco ACS servers at the company I was at. During the installation I ran into a problem that I had never seen with Windows 2000. The issue was not covered in the installation guide, so I thought I would outline it here for anyone else who runs into it.

Getting to the Admin Webpage

In order to configure ACS you have to get into the admin web page, which is served by the CSAdmin service. Once you complete the installation the service is started automatically and an icon is put on the desktop that points to http://127.0.0.1:2002. The problem is that if you open that icon straight after installing Windows 2003 Server and ACS, it will just come up with a blank page. The first reason for that is that you don't have the Sun Java Runtime Environment (JRE) installed. The web page uses Java, and Cisco tested ACS (4.1 at least) with JRE 1.4.2_04, which you can download here:

http://java.sun.com/products/archive/j2se/1.4.2_04/index.html

Once you have installed the JRE, you have one more step to complete before you can launch the web page (or you will still just get a blank page when you try to bring it up, with no warnings btw), which is to add the site to the "Trusted Sites" in Internet Explorer. You do this by navigating to Tools -> Internet Options -> Security, clicking on the Trusted Sites icon and then the "Sites" button. Here you will need to enter "http://127.0.0.1" and click "Add". You will also need to uncheck the "Require server verification (https://) for all sites in this zone" checkbox because the ACS admin page doesn't use SSL.

Once you have added the admin webpage to the Trusted Sites you should be able to just refresh the page and configure the application.

Friday, July 18, 2008

DIY Packet Sniffer

This isn’t going to put NetScout or Network Instruments out of business anytime soon, but if you have a network with several switches, eventually you are going to run into a problem where you need the ability to do a packet capture, and I’m here to show you how to build your own.

The first thing to note is that this is not meant to be a line-rate packet capture system, so don’t come into this thinking you’re going to be able to capture several Gigabit Ethernet interfaces. The idea is to have a system deployed that you can access remotely to do basic packet captures without having to take a laptop out and plug into a switch.

The first thing you should identify is the hardware you want to use. I would recommend a recent processor (2GHz+) and plenty of memory (2GB+) in the system. You want plenty of memory because the captured packets are stored in memory. From there, I just loaded the system up with dual-port NICs (I recommend Intel NICs due to their ability to capture packets with VLAN tags). I used Intel PRO 100/S Dual Port Server NICs (as I used Compaq DL380 G2 servers for my hardware base). You can find a list of NICs that support Dot1Q VLAN tags, and how to modify the registry to capture them, here:

http://www.intel.com/support/network/sb/CS-005897.htm

As far as the OS goes, I went the cheap route and used Windows XP Pro (which is interesting to install on server hardware). This allows you to natively use the Remote Desktop Protocol (RDP) to access the system. However, Windows is not a requirement, and Linux is a better option when it comes to trying to capture at speeds approaching line rate.

For software I decided to use the tried and true, free and open source Wireshark (formerly known as Ethereal). Wireshark uses the libpcap library (WinPcap on Windows) to capture packets, just like tcpdump. Where Wireshark really excels is in its filtering ability. The ability to easily write filter strings based on any field in a packet makes it my choice even for decoding packet captures that I get from our InfiniStream sniffers.

I would also recommend installing Cisco Discovery Protocol Reporter (CDPR) on the system if you’re connecting to Cisco switches. This can be helpful if you have a “roaming” port on your sniffer that you move to different switches as needed, so that you can identify which switch and port it is connected to.

Once I had all of the software installed, I created a directory and shared it out as “Packet Captures”, which I then mapped on my PC so that once I performed a capture I could quickly copy it over for decoding.

My only frustration with Wireshark was that we were permanently wiring interfaces into dedicated SPAN ports on our switches, and when you have 4 interfaces that all have the description “Intel PRO 100/S NIC” it’s hard to remember where each one is hooked up. I searched high and low trying to find a way to rename these so I could put in a description of which switch and port each was connected to. Finally, while I was doing the registry addition for VLAN tags, I noticed that the “DriverDesc” value held the same description that Wireshark (and for that matter CDPR) reported. A quick edit of that value and a reboot will change the displayed name to anything you want. You can find the key in:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

Under this key you will find several numbered sub-entries; you will need to figure out which interface goes with which entry and then rename it.

That's it for this post, I hope somebody finds this helpful.

Friday, July 4, 2008

Managing small(er) Cisco networks


Not everyone out there managing a network is a service provider, and until recently I never had the pleasure of working in an environment where I wasn't using literally the largest routers and switches Cisco manufactures. Nowadays I am working with networks that may only have a few dozen devices per site. For managing these smaller networks, which may not have the resources to purchase a suite such as CiscoWorks, Cisco has a free tool called Network Assistant which can be downloaded here: http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=279230132 (free CCO account required).

Unfortunately it doesn't support much of the older (or larger) equipment you may have deployed, but odds are that if you purchased it within the last couple of years this software can manage it. Additionally, it can only manage 40 devices, however you can pick and choose what you are going to manage with the software.

The list of features reads like that of its much more expensive CiscoWorks relative:

Configuration management
Troubleshooting advice
Inventory reports
Event notification
Network security settings
Task-based menu
File management
Drag-and-drop Cisco IOS Software upgrades

Even if you don't want to use all of the features, the interface graphing option can be helpful if you need to quickly see the utilization or errors on an interface. Additionally, the configuration backup and restore can be very helpful. In short, if you have a Cisco network, it's a small and free download that may save you some headaches.

Saturday, June 21, 2008

Office War 3 - Nerf Armageddon

This is one of those videos that you watch on a Saturday but can't wait for Monday to show everyone in the office. I'm not sure there will ever be a more amazing NERF war recorded (however I won't be disappointed if I'm wrong).

http://view.break.com/521743

Friday, June 20, 2008

Windows Window Management or Eazy Resizing

Recently I was lucky enough to come across a great deal on a 24" monitor that I could use for all of the network design work (Visio deserves at least 24") that I have been doing recently. In addition, I wanted the screen real estate so that I could have numerous terminal sessions open, as I am usually logged into 4-8 devices at a time. However, resizing windows to take advantage of all of this space is time consuming, boring, and inaccurate. I found a tool called Ponderosa in my previous searches that would allow me to have multiple sessions open and resize them individually; however, it didn't quite have everything I wanted in a terminal program (I like SecureCRT or PuTTY) and it couldn't resize other applications.

Lucky for me there is such a FREE tool out there and it is called WinSplit Revolution. It is an amazing tool and has easy quick-set keys based on the number pad that allow you to resize or maximize windows individually and tile them however you want. As if this wasn't enough, it even supports multiple monitors so you can quickly send an application to another monitor.

I highly recommend this program if you have lots of screen to put to use or have lots of applications open that you want to tile.

Cisco Discovery Protocol (CDP) for your PC

At my previous job I once saw an engineer walk around with a Cisco 2500 router when he went out to work on an end user's network port. He used it to identify which switch and port that user was connected to by doing a show cdp neighbors. After that I remembered that I had seen a Linux module that allowed you to capture and decode CDP messages; however, not everyone runs Linux and Windows is much more common. To that end, here is an open source project that runs not only on Linux, but on Windows as well.

You can find it on SourceForge here: http://sourceforge.net/projects/cdpr

It runs from the Windows command prompt and, when invoked, lists your network adapters so that you can select which interface you would like to monitor for CDP messages. When a CDP message is received (and remember the default CDP interval is 60 seconds, so you may have to wait a bit) it will decode the message and display the neighbor information.


Example Output:

C:\Documents and Settings\carlfugate>cdpr
cdpr - Cisco Discovery Protocol Reporter Version 1.0.7
Copyright (c) 2002 - MonkeyMental.com

1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{DD1F69AE-A3A2-463A-A382-34AA18C49A39} (3Com 3C90x Ethernet Adapter (Microsoft's Packet Scheduler) )
3. \Device\NPF_{7D01E702-D424-4232-884C-868EFFAEC66B} (3Com EtherLink PCI)
4. \Device\NPF_{A08F5F58-A83E-47DD-AF89-9BCAA20CA10B} (NOC Extranet Access Adapter (Microsoft's Packet Scheduler) )
Enter the interface number (1-4):3
Using Device: \Device\NPF_{7D01E702-D424-4232-884C-868EFFAEC66B}
Waiting for CDP advertisement
(default config is to transmit CDP packets every 60 seconds)
Device ID
value: lab-switch
Addresses
value: 192.168.3.10
Port ID
value: FastEthernet0/24


This is a great tool which sure beats having to go out and get a MAC address and track it down through several different switches.
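To show what cdpr is decoding in the output above, here is an added example (not part of the original post or of the cdpr project) that builds a constructed CDP body for that same neighbor and then parses its Device ID, Addresses and Port ID TLVs, rejecting TLV lengths that run past the end of the packet. The TLV type codes and the address-entry layout follow the CDP format; the holdtime and the zero checksum in the sample are assumptions.

```python
import struct

# CDP TLV type codes for the three fields shown in the cdpr output above
CDP_DEVICE_ID, CDP_ADDRESSES, CDP_PORT_ID = 0x0001, 0x0002, 0x0003

def _tlv(tlv_type, value):
    # One CDP TLV: type (2 bytes), length including this 4-byte header, value
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def build_cdp_payload(device_id, addrs, port_id):
    # CDP body as it follows the SNAP header: version 2, holdtime 180 s (assumed),
    # checksum left 0 because this is a constructed sample, then the three TLVs.
    # Address entry: protocol type 1 (NLPID), protocol length 1, 0xCC (IPv4), length 4
    addr_body = struct.pack("!I", len(addrs)) + b"".join(
        struct.pack("!BBBH", 1, 1, 0xCC, 4) + bytes(int(o) for o in a.split("."))
        for a in addrs)
    return (struct.pack("!BBH", 2, 180, 0) + _tlv(CDP_DEVICE_ID, device_id.encode())
            + _tlv(CDP_ADDRESSES, addr_body) + _tlv(CDP_PORT_ID, port_id.encode()))

def _parse_addresses(value):
    # A short buffer raises struct.error, which the caller turns into ValueError
    (count,), pos, addrs = struct.unpack("!I", value[:4]), 4, []
    for _ in range(count):
        ptype, plen = struct.unpack("!BB", value[pos:pos + 2])
        proto, pos = value[pos + 2:pos + 2 + plen], pos + 2 + plen
        (alen,), pos = struct.unpack("!H", value[pos:pos + 2]), pos + 2
        addr, pos = value[pos:pos + alen], pos + alen
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        if ptype == 1 and proto == b"\xcc" and alen == 4:  # only IPv4 decoded here
            addrs.append(".".join(str(b) for b in addr))
    return addrs

def parse_cdp_payload(data):
    """Decode a CDP body into the fields cdpr prints, rejecting bad TLV lengths."""
    try:
        version, holdtime, _checksum = struct.unpack("!BBH", data[:4])
        result, offset = {"version": version, "holdtime": holdtime}, 4
        while offset + 4 <= len(data):
            tlv_type, tlv_len = struct.unpack("!HH", data[offset:offset + 4])
            if tlv_len < 4 or offset + tlv_len > len(data):
                raise ValueError("TLV length runs past the end of the packet")
            value = data[offset + 4:offset + tlv_len]
            if tlv_type == CDP_DEVICE_ID:
                result["device_id"] = value.decode("ascii", "replace")
            elif tlv_type == CDP_PORT_ID:
                result["port_id"] = value.decode("ascii", "replace")
            elif tlv_type == CDP_ADDRESSES:
                result["addresses"] = _parse_addresses(value)
            offset += tlv_len
    except struct.error as exc:
        raise ValueError("truncated CDP packet") from exc
    return result

# Constructed sample: the same neighbor that the example output above shows
SAMPLE = build_cdp_payload("lab-switch", ["192.168.3.10"], "FastEthernet0/24")
```

Feeding a real capture to parse_cdp_payload means stripping the Ethernet, LLC and SNAP headers first; only the CDP body is handled here.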

Thursday, June 19, 2008

Juniper Enterprise Switching Certification - FREE!

Last year Juniper started a program called FastTrack to help people who had certifications from other vendors (read: Cisco) obtain the equivalent Juniper certification. The first test was the Juniper Networks Certified Network Associate - M/T series (JNCIA-M). The only catch is that you first have to pass (70%) an assessment test, which you can take as many times as you want. After you pass the assessment they email you a voucher for the real exam. Once you pass the real exam, you can take the assessment for the JNCIS-M. Additionally, when they launched their Enterprise Routing certifications the same process applied. When a test first launches the vouchers are for 100% of the cost, and a few months later they change them to 50% off, which is still a great deal. Additionally, they give you all of the coursework you would get if you were taking the instructor-led classes, so you have study material to help you pass the tests.

NOTE: The voucher program for the JNCIA/S M/T series is no longer available

Recently, Juniper launched their new series of multilayer Ethernet switches and are now offering Enterprise Switching as part of the FastTrack series. The voucher is good for 100% of the cost of the test if you pass the assessment by August 31st.

You can read more about the FastTrack program here:
http://www.juniper.net/training/fasttrack/

You will need an access card to register which you can get here:
http://www.juniper.net/training/technical_education/web_portal_access_card.pdf


Special Thanks to BJ Hoskins for pointing out this new addition to the program.

Welcome to IP Router Admin

The purpose of this site is to serve as a portal for tips, tricks and tools related to managing IP networks. I hope to have the first of my content online within a week.

--Carl