Anki – Spaced Repetition

Posted on 24 December 2017 by Robert

While studying, I am seeking for ways to study more efficient. In the beginning I stumbled upon a method called ‘spaced repetition’. This method is wildly popular in the U.S. Unfortunately when I attended high school my home country this method was not used. I guess when if I knew about this method earlier in life my career would have looked much different.

Since I am network professional, a computer is never far away. The computer hardware uses Windows, Ubuntu and Android as an OS.  I want the study progress to be available on all hardware. First I used different software, unfortunately the variety of  OS’s proved difficult.

Recently I found a tool automate spaced repetition and which enabled syncing between the computers and tablets. The tool is called Anki. ( https://apps.ankiweb.net/ ). At this point I have only checked syncing between Ubuntu and Android.

It works like a charm.

Posted in Lifehacking | Comments Off on Anki – Spaced Repetition

First Hop Redundancy Protocol – HSRP

Posted on 22 December 2017 by Robert

Cisco proprietary HSRP protocol is a protocol for enabling a first hop fault tolerant router. Enabling your default gateway ip address to ‘live’ on more than one router. Back in the old days you had one router to exit a lan.
Once the router died or was out of service due to maintenance hosts in the LAN were not able to communicate out of the lan.

Cisco created a protocol which enabled two (or more) routers to listen to one ip address (layer 3) and one mac-address (layer 2).
Both layer 2 and 3 addresses have used in the redundancy setup otherwise you have to wait for arp entries to time-out.

While configuring you need to set the standby priority. Priority can be set between 0 and 255. Default value is 100.
When the HSRP Active interface has become unavailable, priority is decremented by 10. Choose you HSRP priorities smart.

In the topologies I have seen, the priorities chosen were 100 and 105 or 95 and 100. In all cases that were two router set-ups.
Of course you can be creative and create a three router set-up.

Communication between participating router is done through multicast ip’s HSRP v1 224.0.0.2:1985(UDP) and HSRP v2 224.0.0.102:1985(UDP).

Important use “preemt” : to get the router with the highest priority to recover to Active after an outage.

 R1#sh run int e1/1
 !
 interface Ethernet1/1
 description lan-1
 ip address 172.16.10.2 255.255.255.0
 ip helper-address 172.16.99.254
 standby 1 ip 172.16.10.1
 standby 1 priority 105
 standby 1 preempt
 R2#sh run int e1/1
 !
 interface Ethernet1/1
 description lan-1
 ip address 172.16.10.3 255.255.255.0
 ip helper-address 172.16.99.254
 standby 2 ip 172.16.10.1
 standby 2 priority 100
 standby 2 preempt

The configuration of the DHCP server is not very complicated.

 ip dhcp excluded-address 172.16.10.1 172.16.10.10
 ip dhcp excluded-address 172.16.10.254
 !
 ip dhcp pool lan-1
  network 172.16.10.0 255.255.255.0
  default-router 172.16.10.1 
 !

Be sure to set the default gateway to the HSRP address, otherwise you have a very neat solution which does not give you the fail save you need.

Posted in CCNP | Comments Off on First Hop Redundancy Protocol – HSRP

Access-list mask or wildcard

Posted on 6 November 2017 by Robert

G’day all, today I was messing around with access-list.  And after getting my head around the weird subnets of rfc1918. Weird as in an A-class (/8) is reserved in A-space, B-class (/16) in reserved in C-space, and for the B-space has a /12 is reserved. Nothing is standard in the world of standards.

But that on a side-note. The whole rfc1918 got me distracted. So when I started creating the access-list, I mistakenly used the subnet mask instead of the wildcard.

First I made the access-list using subnet masks.

ISP1-R1(config)#ip access-list extended rfc1918-wrong
ISP1-R1(config-ext-nacl)#permit ip 10.0.0.0 255.0.0.0 any
ISP1-R1(config-ext-nacl)#permit ip 172.16.0.0 255.240.0.0 any
ISP1-R1(config-ext-nacl)#permit ip 192.168.0.0 255.255.255.0 any
ISP1-R1(config-ext-nacl)#deny ip any any
ISP1-R1(config-ext-nacl)#exit

Next I made the access-list using wild cards.

ISP1-R1(config)#ip access-list ex rfc1918-right
ISP1-R1(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 any
ISP1-R1(config-ext-nacl)#permit ip 172.16.0.0 0.15.255.255 any
ISP1-R1(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 any
ISP1-R1(config-ext-nacl)#deny ip any any

I check the things that I do in a network. I think its a good habit and somebodies health might depend on it.

ISP1-R1#sh access-lists
Extended IP access list rfc1918-wrong
10 permit ip 0.0.0.0 255.0.0.0 any
20 permit ip 0.0.0.0 255.240.0.0 any
30 permit ip 0.0.0.0 255.255.255.0 any
40 deny ip any any
Extended IP access list rfc1918-right
10 permit ip 10.0.0.0 0.255.255.255 any
20 permit ip 172.16.0.0 0.15.255.255 any
30 permit ip 192.168.0.0 0.0.255.255 any
40 deny ip any any

You see that the access-list made using subnet mask are completely borked.

The moral of the story is as follows;

  • always check what you have configured.
  • Use subnet mask to assign ip addresses to interfaces ans wildcards for accesslists.

 

Posted in CCNP | Tagged , , , , | Comments Off on Access-list mask or wildcard

Juniper filters

Posted on 20 October 2017 by Robert

In the networking world a multitude of vendors are present. And each of them have their magnificent features  but also their quirks. And one of the quirks, for the network vendors in general, is that terminology is not uniform.

Where Cisco likes to talk about Access-Control List or ACL for short Juniper likes to talk about filters. Juniper filters are awesome. Juniper likes to arrange information a tree-like structure. This enables Juniper for future changes in software approach.

Cisco has standard access-list, the down-side; modification can not be done. Deletion of one ACE is not possible.  The entire ACL has to be removed.

A slight improvement are extended access-lists. Every ACE has a number associated with it. And using some ip access-list resequence magic you can make some room to insert ACE’s.

This hassle is not known to Juniper engineers.

Simply create a access-list ehm …. filter

set firewall family inet filter generic-filter term discard then discard

This filter simply, forwards every packet to the great bit-bucket in the sky.

If you want to allow traffic from you lan towards webservers you add the following;

set firewall family inet filter generic-filter term web_lan from source-address 10.0.0.0/8
set firewall family inet filter generic-filter term web_lan from protocol tcp
set firewall family inet filter generic-filter term web_lan from destination-port 80
set firewall family inet filter generic-filter term web_lan then accept

Now you have two terms within the “generic-filter”

show configuration firewall
family inet {
    filter generic-filter {    
        term discard {
            then {
                discard;
            }
        }
        term web_lan {
            from {
                source-address {
                    10.0.0.0/8;   
                }
                protocol tcp;
                destination-port 80;
            }
            then accept;
        }
    }

If you leave it this way traffic to the webservers are discarded instead of allowed. This is where Juniper added some pretty awesome magic;just shuffle the term to a place where is fits best.

insert firewall family inet filter generic-filter term web_lan before term discard

Of course you need to address some more issues like established traffic etc.

But this is how Juniper addresses filters. And there are a whole lot more things you can manage with filters. You can create a variables , and when a condition is met the counter is raised by the value you like.  Variable is readable in the context of show firewall.

Today my first steps in Juniper filtering. An awesome experience.

Posted in Juniper | Comments Off on Juniper filters

Be micro-ambitious

Posted on 19 August 2017 by Robert

I love to read.  And one of my favorite topics is how information is stored in the brain.  How the brain learns.  What interval of learning is most effective an how goal setting works. 

A couple of books clearly state.  Do not set your goal too high.  But better set a lot of smaller goals.  In this way you can tick off many boxes whilst reaching your ultimate goal.  So be micro-ambitious instead of being ambitious.  

Posted in Lifehacking | Tagged , , | Comments Off on Be micro-ambitious

Juniper SRX 110

Posted on 10 July 2017 by Robert

This week I bought an Juniper SRX 110. This device will help me to get more acquainted with the Junos cli structure.  From a Cisco perspective this box is slightly wider than a Cisco 8xx series router. But maintaining 1U height.

IMG_20170706_010630This box will sit in the utilities closet when I find time to tinker around with this new toy.

 

 

Posted in Juniper | Tagged , , | Comments Off on Juniper SRX 110

Policy Based Routing

Posted on 1 July 2017 by Robert

Policy-Based routing is a neat trick to tweak traffic streams.

For Policy Based Routing to work you will the following;
– Define traffic stream in an access-list.
– Write down a policy.
– Determine the inbound interface.

First use an ACL to define the traffic streams.
You can use standard, extended or named access-list.

In this example traffic sourced from 1.1.1.1 and 2.2.2.2 destined for 3.3.3.3 is defined in ACL 100.

access-list 100 permit ip host 1.1.1.1 host 3.3.3.3
access-list 100 permit ip host 2.2.2.2 host 3.3.3.3

Next you will to define the policy.
If you want to want set the next hop for this traffic stream. You have to do;

route-map just-a-name permit 10
 match ip address 100
 set ip default next-hop 10.10.10.20

Once you have formulated the traffic stream and the tweak all you have to do is apply it to an interface.

interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map just-a-name

Be careful : the name of the route-map is CaSe senSitive.

Why is this a great little trick; you can use policy based routing to prevent asymetric routing in a HSRP setup. Or you can send specific traffic towards an IDS / firewall /deep packet inspection device. Or simply send traffic to an black-hole in case of unwanted/malicious traffic.

 

Posted in CCNP | Tagged , | Comments Off on Policy Based Routing

Error-Disable

Posted on 30 May 2017 by Robert

When a network port encounters an error. This port is automatically shutdown to ensure network stability. When error-disable is enabled.

The predefined error are as follows;

arp-inspection 
bpduguard
channel-misconfig
dhcp-rate-limit              
gbic-invalid                 
l2ptguard                  
link-flap
mac-limit
link-monitor-failure
loopback
oam-remote-failure
pagp-flap
port-mode-failure
psecure-violation
security-violation
sfp-config-mismatch
storm-control
udld
vmps

Primary function of error-disable is fault detection. Secondary you can set up recovery, per predefined error.  This can be done by ;

errdisable recovery cause

Be sure to set the recovery interval to your specific needs;

errdisable recovery interval 60

Whenever  a port is disabled due to an error-disable condition you should see something like ;

somerouter#show interface GigabitEthernet1/6
GigabitEthernet1/6 is down, line protocol is down (err-disabled)
--//output omitted for brevity//--

Interesting to see that the port is in down/down status with an err-disabled condition.

If you do not resolve the root cause the log will be flooded with

Jan 10 08:51:35.074 CET: %PM-4-ERR_RECOVER: Attempting to recover from link-flap err-disable state on Gi1/6
Jan 10 08:51:37.179 CETT: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/6, putting Gi1/6 in err-disable state

To resolve the problme one has to know the root cause, for this you’ll have to issue the command “show errdisable recovery”. First you see a list of errors where recovery is enabled, or disabled. (See column ‘Timer Status’)

somerouter#sh errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Enabled
channel-misconfig            Enabled
dhcp-rate-limit              Disabled
gbic-invalid                 Enabled
l2ptguard                    Disabled
link-flap                    Enabled          
mac-limit                    Disabled
link-monitor-failure         Disabled
loopback                     Disabled
oam-remote-failure           Disabled
pagp-flap                    Enabled
port-mode-failure            Disabled
psecure-violation            Enabled
security-violation           Enabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Enabled
vmps                         Enabled

Timer interval: 60 seconds                     

Interfaces that will be enabled at the next timeout:

Interface       Errdisable reason       Time left(sec)
---------       -----------------       --------------
Gi1/6                 link-flap           47

Root cause for the problem with interface Gi1/6 lies in link-flap. This is somewhat cryptic but will give you an idea where to find the solution.

Possible root causes are;
dodgy cabling
faulty optics (sfp/gbic)
wrong speed/duplex settings
hardware loop

In this particular case I suspected the speed/duplex settings.

somerouter(config-if)#speed nonegotiate
somerouter(config-if)#shut
somerouter(config-if)#no shut
somerouter(config-if)#
Jan 10 11:20:31.589 CET: %LINK-5-CHANGED: Interface GigabitEthernet1/6, changed state to administratively down
somerouter(config-if)#
Jan 10 11:20:33.703 CET: %LINK-3-UPDOWN: Interface GigabitEthernet1/6, changed state to up
somerouter(config-if)#
Jan 10 11:20:33.712 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/6, changed state to up

Link was forced down and up to get rid of the error-disable condition.
Terminal monitor was turned on to instantly see what is going on.
Logging tells me that the port is admin down and that changed to up.
Et voilà, line protocol is also changed to up.

Root cause found and resolved.

Posted in CCNP | Tagged , , | Comments Off on Error-Disable

SSH error on cisco router

Posted on 14 March 2017 by Robert

Enabling SSH on a Cisco router is not enough to guarantee SSH is working.
Enabling ssh version 2.0 on a routers is as straight forward as;.

>ip ssh version 1-2

I surely recommend the use of version 2, because ssh v1 has a bug which allows root access.

Anyhow… ssh needs some sort of encryption to work. In other words create a crypto key.

host(config)#crypto key generate rsa modulus 2048
The name for the keys will be: host.somenetwork.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
host(config)#
Nov  5 14:17:17.240 UTC: %SSH-5-ENABLED: SSH 2.0 has been enabled

The good thing is the crypto key is not saved in config. The bad thing is, whenever you commission a router and forget to create the crypto key it can cost you some time in troubleshooting. Worst case you have to travel on-site to create the crypro key.

By the way, make sure you enable ssh on the VTY ports and if applicable deny telnet input.

line vty 0 15 
transport input ssh
no transport input telnet

And create an access-list and apply it to the VTY ports.

FYI: SSH enables encrypted CLI access towards a host. And the crypto key validates the host communication i.e. detection of a man-in-the-middle attack.

Posted in CCNP | Comments Off on SSH error on cisco router

DHCP Helper address

Posted on 6 March 2017 by Robert

This week a project manager contacted me with an rather peculiar question. I work with this project manager now for almost two years. And I know he is technically very skilled.  So if he doesn’t know the answer then the answer is not always straight forward.

I currently work for a large telco in the Netherlands. One of the services offered is DHCP-relay. Technically this is a very basic and straight forward service. The customer wanted to know which address is used as source address in the packets destined to the DHCP server. This was needed to set some static routes.

Okay lets start labbing, within GNS3 I made the following lab setup;

DHCPHelper_Source

IP addresses used are;

  • DHCP-Server
    • e0/0   172.16.1.1
  • Router
    • e0/0   172.16.1.2
    • e1/0.1 192.168.1.1 (switch management vlan)
    • e1/0.100 192.168.100.1 (customer vlan)
  • Switch
    • vlan1 192.168.1.10
  • PC1
    • e0 will get ip from DHCP server.

Router config  interface facing the dhcp client.

interface Ethernet1/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip helper-address 172.16.1.1  
end

With the set up ready I am able to get an ip address. During the DHCP negotiation wireshark is gathering information on the link between the router and the dhcp-server.

DHCP request and reply

Opcode: 1 (REQUEST)
Client IP Address: 192.168.100.13
Your IP Address: 0.0.0.0
Server IP Address: 0.0.0.0
Gateway IP Address: 0.0.0.0
Client MAC Address: 00:50:79:66:68:00
Option 53: Message Type = Request
Option 54: DHCP Server = 172.16.1.1
Option 50: Requested IP Address = 192.168.100.13
Option 61: Client Identifier = Hardware Type=Ethernet MAC Address = 00:50:79:66:68:00
Option 12: Host Name = PC11

Some messages have been omitted for readability. In the process prior to assigning an IP address the DHCP server chooses an IP and checks uniqueness in the network using ping.

Opcode: 2 (REPLY)
Client IP Address: 192.168.100.13
Your IP Address: 192.168.100.13
Server IP Address: 0.0.0.0
Gateway IP Address: 192.168.100.1 
Client MAC Address: 00:50:79:66:68:00
Option 53: Message Type = Ack
Option 54: DHCP Server = 172.16.1.1
Option 51: Lease Time = 86400
Option 58: Renewal Time = 43200
Option 59: Rebinding Time = 75600
Option 1: Subnet Mask = 255.255.255.0
Option 3: Router = 192.168.100.1

 IP 192.168.100.13/24 GW 192.168.100.1

To be honest I set a static route on the DHCP-server

ip route 192.168.100.0 255.255.255.0 172.16.1.2

What does Wireshark tell me ?  This whole exercise is undertaken to ‘see’ what information passes from the router to the dhcp-server and vice-versa.

I expect a dhcp discover followed by a offer. Between discover and offer the dhcp-server should ping the ip address which it is going to serve to the dhcp-client. No ping reply means; ip address if not currently in use. No duplicate ip addresses are injected.

DHCPHelper_Wireshark

A little close-up reveals the answer;

DHCPHelper_Wireshark2

The DHCP unicast packet is sourced by 192.168.100.1 which is the router interface facing the dhcp-client. This interface contains the ip helper-address 172.16.1.1 statement.

NOTE: the network diagram is overly simplified. First because I do not wish to reveal any business proprietary information. Second it withdraws focus from the question at hand.

NOTE2: Thank you David Theuns for being your ‘vraagbaak’.

Posted in CCNP, GNS3 | Tagged , , , | 1 Comment