Monday, February 27, 2012

Cisco Port Security

Use port security to control the ingress of traffic from dynamically learned and static MAC addresses. When secure MAC addresses are assigned to a secure port, the port will not forward traffic from any source MAC address outside that defined set.

There is a security violation if one of these infractions occurs:
1) When access is attempted by a MAC address that is different from any of the identified secure MAC addresses, port security applies the configured violation action or mode.
2) If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation action or mode. It is a move violation!

Possible actions are:
switchport port-security violation {protect | restrict | shutdown}

protect - Drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. Nothing is counted or reported, so this mode is the hardest to detect from the network side.

restrict - The same, but also increments the SecurityViolation counter, so the event is visible in show port-security output.

shutdown - Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

To bring a secure port out of the error-disabled state, in global configuration mode:
usage: errdisable recovery cause violation_mode
or manually re-enable it with the shutdown and no shutdown interface configuration commands.

To prevent overtaxing the CPU, use the port security command with rate limiting.

Methods of MAC address configuration

Static
How do you statically configure all secure MAC addresses?
Use the switchport port-security mac-address mac_address interface configuration command.

Dynamic
How do you dynamically configure secure MAC addresses?
1) You can allow the port to dynamically learn secure MAC addresses from the MAC addresses of connected devices.

2) You can statically configure a number of addresses and allow the rest to be learned dynamically, or retained with sticky learning.

Sticky MAC addresses
These are learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
Remember to issue write memory (wr is the shortcut) or copy running-config startup-config; port security with sticky MAC addresses then saves the dynamically learned MAC addresses in the startup-config file, and the port does not have to learn addresses from ingress traffic again after a reboot or restart.
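To make the two violation conditions and the three violation modes concrete, here is a small Python model of the behaviour described above. It is an added illustration, not Cisco code: port names, VLAN numbers and MAC addresses are constructed, and the model assumes (beyond what the text states) that shutdown mode also increments the violation counter.

```python
"""Model of the port-security rules described above (added example, not Cisco code).
It reproduces the unknown-MAC violation, the move violation across secure ports in
one VLAN, the protect/restrict/shutdown modes and sticky retention across a reload."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    violations: int = 0              # the SecurityViolation counter
    err_disabled: bool = False

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac.lower())


class Switch:
    def __init__(self):
        self.ports = {}
        self.owner = {}   # secure MAC -> port name, used for the move-violation check

    def add_port(self, port):
        self.ports[port.name] = port
        for mac in port.secure_macs:
            self.owner[mac] = port.name

    def ingress(self, port_name, src_mac):
        """Return what the switch does with a frame: forward, drop, drop+count or errdisable."""
        port = self.ports[port_name]
        src_mac = src_mac.lower()
        if port.err_disabled:
            return "drop"                    # an err-disabled interface forwards nothing
        holder = self.owner.get(src_mac)
        if holder is not None and holder != port_name and self.ports[holder].vlan == port.vlan:
            return self._violate(port)       # move violation: MAC secured on another port in this VLAN
        if src_mac in port.secure_macs:
            return "forward"
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src_mac)    # dynamic (or sticky) learning up to the maximum
            self.owner[src_mac] = port_name
            return "forward"
        return self._violate(port)           # unknown MAC and the secure table is full

    def _violate(self, port):
        if port.violation == "protect":
            return "drop"                    # silent: no counter, no trap
        port.violations += 1                 # restrict and shutdown both count (assumption for shutdown)
        if port.violation == "restrict":
            return "drop+count"
        port.err_disabled = True             # shutdown mode
        return "errdisable"

    def recover(self, port_name):
        """errdisable recovery, or shutdown followed by no shutdown."""
        self.ports[port_name].err_disabled = False

    def startup_config(self):
        """Addresses that survive a reload after write memory: sticky ports only."""
        return {p.name: sorted(p.secure_macs) for p in self.ports.values() if p.sticky}


def demo():
    """Constructed frames hitting three ports, one per violation mode."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", vlan=10, maximum=1, violation="restrict"))
    sw.add_port(SecurePort("Fa0/2", vlan=10, maximum=2, violation="shutdown", sticky=True))
    sw.add_port(SecurePort("Fa0/3", vlan=20, maximum=1, violation="protect"))
    results = [
        sw.ingress("Fa0/1", "00:11:22:33:44:55"),  # learned dynamically -> forward
        sw.ingress("Fa0/1", "00:11:22:33:44:66"),  # second MAC, maximum is 1 -> drop+count
        sw.ingress("Fa0/2", "00:11:22:33:44:55"),  # secured on Fa0/1, same VLAN -> move violation -> errdisable
        sw.ingress("Fa0/2", "aa:bb:cc:dd:ee:ff"),  # port is now err-disabled -> drop
        sw.ingress("Fa0/3", "aa:bb:cc:dd:ee:01"),  # learned -> forward
        sw.ingress("Fa0/3", "aa:bb:cc:dd:ee:02"),  # protect mode: dropped without counting
    ]
    return results, sw


if __name__ == "__main__":
    print(demo()[0])
```

After recover("Fa0/2") the port learns again, and because it is sticky the learned address shows up in startup_config(), which is the retention behaviour the sticky paragraph describes.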

Friday, February 24, 2012

Where does TV come from?

I had the same discussion with my child the other day, and I managed to explain about digital off the air and rabbit ear antennas, and the converter; plus since we're still old school, the good old CRT TV.

Now I'm contemplating the absurdity yet logic of a friend's post, "watching youtube on tv through HDMI to playbook wifi controlled by Blackberry Bold using bluetooth" That's impressive.

ICND2 Topic: Access Lists, Standard and Extended

A topic for the practical CCNA Exam, but it is only in the ICND2. This will be discussed in greater detail when the article is more complete. For starters,

Setting up an access list on a brand new Cisco router, here are a few key points to remember:
  • Implicit deny at the end of access lists; you must permit administrative traffic or you will lock yourself out of the router
  • Order matters: place the most specific (restrictive) rules first, or they will never get a hit because an earlier, broader rule matches first
  • Only one access list per protocol, per direction, per interface
  • Standard access lists are placed closest to the destination
  • Extended access lists are placed closest to the source, the purpose being to eliminate undesirable traffic before it crosses the network
REMEMBER: Specific statements at the start; general ones after. Assume deny all. Use a "permit any" statement at the end if the remaining traffic is meant to pass.

IMPORTANT: Create the ACL before applying it to an interface. An access-group that refers to an ACL with no entries permits all traffic.
Access lists inspect packets for permit or deny decisions based on source address, destination address, protocol, and port numbers. Inbound ACLs process packets before the routing decision; outbound ACLs process them after routing, as they leave the interface.

Access lists are also used to identify traffic for other features:
  • the type of traffic to be encrypted on a VPN
  • identifying a router
  • route filtering, i.e. which routes to include in updates
  • policy-based routing
  • NAT
Standard Access List
Checks only the source address, for the entire IP protocol suite.
Standard IP ACL numbers: 1 to 99 and 1300 to 1999

Here is an example from Cisco Tests:
access-list 10 deny 172.16.3.10 0.0.0.0
access-list 10 permit any
access-list 10 remark Stop all traffic whose source IP is Bob


Extended Access List
Checks both source and destination addresses, protocols and port numbers.
Extended IP ACL numbers: 100 to 199 and 2000 to 2699

access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server
access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 110 permit ip any any


Dynamic ACL (lock-and-key) - the user first authenticates with a Telnet login to the router, which opens a temporary entry.

Reflexive ACL - allows outbound sessions and permits only the matching return traffic inbound. These are defined in a named extended IP ACL, not a numbered one like the standard example above.

Time-based ACL - can be used with standard and extended ACLs.

usage:
ip access-list standard TROUBLEMAKER
 permit ....
 deny ....
 remark .... a good idea to explain what the rule is for!

HOW TO apply the IP access list to an interface
int eth 0
 ip access-group TROUBLEMAKER out

Related commands:
show access-lists (verify the entries and their hit counts)
no ip access-list extended <name> (remove a named extended list)
ip access-list resequence (renumber the entries of a named list)

Removing the Access List
conf t
int eth 0
no ip access-group # in
exit
no access-list #

In a lab setup, you'll have to really trust your neighbours not to lock you out.
Use the host keyword when you are specifying a single machine:
host 172.16.10.2 means the same as 172.16.10.2 0.0.0.0
Use the any keyword to specify 0.0.0.0 255.255.255.255 wildcard masking.
Use any when you don't care about the source or destination address because you are filtering on other parameters.

me: access-list 1 permit host 10.10.10.8 (need to permit own workstation)
buddy1: access-list 1 permit host 10.0.0.101
buddy2: access-list 1 permit host 10.0.0.106
buddy1: access-list 1 permit 30.3.3.0 0.0.0.255
buddy2: access-list 1 permit host 80.8.8.0 255.255.255.255

How to apply the access list on the vty lines
usage: access-class 1 in

How to create a named standard IP access list?
usage: ip access-list standard name

syntax (numbered, extended form):
access-list [number] [permit | deny] [protocol] [source] [destination] [port]
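The rules in this post (wildcard masks, host and any, first-match ordering, the implicit deny, and the empty-list caveat) can all be checked by feeding the two example lists above into a small evaluator. The following is an added example written for this page, not Cisco code; it parses the numbered access-list syntax shown here and evaluates constructed packets against it.

```python
"""Parser and first-match evaluator for the numbered IOS access-list lines in
this post (added example, not Cisco code): wildcard-mask matching, the host/any
shorthands, remarks, first-match ordering and the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = 0xFFFFFFFF
PORT_NAMES = {"ftp": 21, "www": 80, "telnet": 23}   # IOS port keywords used on this page


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD', or a bare 'A' (same as host)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, ALL
    if first == "host":
        return _ip(tokens.pop(0)), 0
    addr = _ip(first)
    if tokens and tokens[0].count(".") == 3:       # a dotted wildcard mask follows
        return addr, _ip(tokens.pop(0))
    return addr, 0


@dataclass
class Entry:
    action: str                 # permit | deny
    protocol: str               # ip, tcp, udp or icmp ("ip" for standard lists)
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = ALL         # standard lists never look at the destination
    dst_port: Optional[int] = None

    def matches(self, proto, src, dst, dport):
        # A wildcard bit of 1 means "don't care"; only the 0 bits must be equal.
        if self.protocol not in ("ip", proto):
            return False
        if (src ^ self.src) & ~self.src_wild & ALL or (dst ^ self.dst) & ~self.dst_wild & ALL:
            return False
        return self.dst_port is None or self.dst_port == dport


class AccessList:
    def __init__(self, number):
        self.number, self.entries, self.remarks = number, [], []

    @property
    def standard(self):
        return 1 <= self.number <= 99 or 1300 <= self.number <= 1999

    def add_line(self, line):
        tokens = line.split()[2:]          # drop "access-list <number>"
        if tokens[0] == "remark":
            self.remarks.append(" ".join(tokens[1:]))
            return
        action = tokens.pop(0)
        if self.standard:                  # standard: source only, whole IP suite
            src, wild = _parse_addr(tokens)
            self.entries.append(Entry(action, "ip", src, wild))
            return
        proto = tokens.pop(0)
        src, src_wild = _parse_addr(tokens)
        dst, dst_wild = _parse_addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        self.entries.append(Entry(action, proto, src, src_wild, dst, dst_wild, port))

    def evaluate(self, src, dst="0.0.0.0", proto="ip", dport=None):
        """First matching entry decides; no match at all means the implicit deny."""
        if not self.entries:
            return "permit"                # a list with no entries, once applied, permits everything
        s, d = _ip(src), _ip(dst)
        for entry in self.entries:
            if entry.matches(proto, s, d, dport):
                return entry.action
        return "deny"


def build(number, lines):
    acl = AccessList(number)
    for line in lines:
        acl.add_line(line)
    return acl


# The two lists from this post, fed in verbatim.
STANDARD_10 = build(10, [
    "access-list 10 deny 172.16.3.10 0.0.0.0",
    "access-list 10 permit any",
    "access-list 10 remark Stop all traffic whose source IP is Bob",
])
EXTENDED_110 = build(110, [
    "access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server",
    "access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "access-list 110 permit ip any any",
])
```

Building list 10 with its two statements reversed (permit any first) makes STANDARD_10's deny for Bob unreachable, which is the "order matters" point in the bullets above; evaluating list 110 with UDP instead of TCP shows the protocol field doing its job.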

Cyber Defense Engineering Rant

I read up on some recent SANS white papers and a topic caught my eye, touting the weakness of Defense in Depth. Alright, I'm taking notes. Companies spend millions of dollars on ITS and they are still getting hacked, well, the ones worth hacking into anyway. Sony PS3 customer credit card data, Citibank, US military drones: really big targets! So what are some alternatives, and what are the weaknesses and strengths of today's technologies?

The author seems to promote the view that Defense in Depth is not employed properly by governments and IT departments doing IT Security and Cyber Defence. The layered defense approach works for the physical and kinetic world (as they call earth). Even an armed intruder cannot walk through walls of fire (clever). However, all kinds of cyber threats can be "encapsulated" and shift silently through one layer to the next, both OSI layers and layers of security, I presume. The frequency of attack is increasing, and the skill level required for a successful attack is decreasing. IT departments have limited people, process and technology. Hackers can launch attacks as effectively and quickly from overseas as from next door, with limitless power, process and technology. Actions cross international boundaries and legal jurisdictions.

Analogies of common approaches
1) Fire prevention - more like the use of a fire extinguisher or incident handling when an intrusion occurs
2) Nuclear Energy - the core is highly reactive. Clarification please?
3) Engineering - many redundancies built in, failover and contingency plans
4) Online gaming - chance encounters, attack by attrition, using up resources until they're gone

Defense in Breadth was a complementary initiative, involving multiple vendors not competing but rather collaborating. Perhaps something as simple as preventing the attackers from getting back out to the internet with the stolen sensitive electronic information: threat detection, intrusion detection, network baseline monitoring, anomalous behaviour tracking.

Cyber Siege Defense sounds cool but I couldn't quite capture it in notes. Rather I got out of it one really good idea about Managing the Attacker with strategies like

1) Understand the mindset and motivation
2) Feed false information by setting up honeypots or false data
3) Increase the attackers level of effort
4) Drive up their costs, combine defensive technologies to increase complexity
5) Deprive the profits they seek
6) Damage their reputation

What does this all mean? The whole point I got out of it was rather dismal: the hackers know everything that is commercially available and its weaknesses. Some professionals have to take the SANS course to even learn what the weaknesses are. How do you know that hackers aren't on the same course and laughing at everyone from the back of the room?

Now it's too late, you're already under attack. I found some notebook ideas here useful for incident handling, on Windows anyway. Here's a link to a CIRT white paper. Well, that is a SANS link, so it should be safe, but how do you know it's really safe and not downloading malicious code? That's what I mean when I say the weakest security is at OSI Layer 8, the Between Chair and Monitor Error, the desktop USER.

More fuel to the fire that IT Security is defenceless... even CEOs agree.

Thursday, February 23, 2012

Career Choices 101


Reitman's, a women's clothing line for everyday wear, has a catchy advertising tagline, "You have a job evaluation every day", and there's a poster-size image of a woman dressed in a business suit looking ready for a job interview. Well, obviously you have to be qualified for the job, and in some jobs looks are part of the qualifications!


Boothbabe

Wikipedia has an interesting article on "promotional models". The caption for this photo indicates that the woman is a "booth babe" at a defense industry trade show (not the fat dude in combats). Well, maybe, but what if she was an HR rep for the company, or even an engineering manager? I've never heard of that word before, but then again, how many defense industry trade shows have I been to?

For some jobs, good looks are implied: flight attendant, supermodel, etc. I looked at recent job postings where they specifically noted looks as a requirement. A Swedish hospital posted a hiring ad looking for hot-looking nurses, a hiring campaign that was well received. You still had to have a nursing degree and job-related qualifications to apply.

There are a lot of Google search results for "import car model" or how to become an import car model. The general opinion was that most import car models were Asian, and I didn't realize that because I thought a requirement was actually being naturally blonde and tall. Turns out I'm wrong; the hottest import car model in Canada is Steph Ly, who I was surprised to learn is the sister of a childhood friend who studied accounting and moved on to life in/on fast cars. It was tough to find a web page that was not blocked by the firewall at work. Another popular Asian model is Min Hee Hwang from South Korea. They call her the race queen, so I thought she was a race car driver like Danica Patrick... but drivers are usually in the driver's seat, right? There aren't nearly as many photos or web posts dedicated to her (in English). I would categorize her look as classic authentic beauty, stoic, with Japanime qualities, but not Kat von D hot. But what do I know. I like looking at the cars in TunerZine.com; I learned a lot about my new car featured this month actually, the newer Toyota Prius, and the engineering features behind it. I finally clicked "Model" because I was looking for a new car. Well, anyway, they weren't talking about a model number for a car... so that's how this whole article got started.

Whatever career you choose though, make sure it is something you are passionate about. Engineering is a broad field that starts out with Electrical, Mechanical, Chemical, Civil and then they start branching off into various specialties like Aerospace, Environmental, Bio Medical, Bio Mechanical, Process, Manufacturing, Geomatics, Computer and so on. Automobile Engineer, design the fastest and sexiest car on the planet! Personally I wish I had chosen Mining Engineering instead, to look for all those sparkly diamonds!

So are there good looking girls and boys in Engineering? Yah a few for sure.  I read a cartoon before that touched on this issue. There's a girl sitting at a desk between two guys. The guy on the left leans over and says "Being a girl in engineering, your odds are good." She looks over at the guy on the right and says "The odds are good, but the goods are odd." I did a google search on "engineers good looking" and it's funny there are not too many photos of people but just machines. Now that's funny.

Big Bang Theory - Howard Wolowitz the Engineer.

Monday, February 20, 2012

Superpowers in the Super Computing Race

Forget the arms race, it's all about supremacy in super computers and math skills.  I saw a desktop CRAY computer running the simulations for certain DSP solution for Matlab and Simulink, and it got me thinking, well what if I had a business case and I could ask my boss to buy me one? First off though, I would have to clearly explain what is 786 gigaflops, and if it will run Linux.

A teraflop is a measure of a computer's computing speed or processing power, based on the acronym FLOPS, Floating-point Operations Per Second. A teraflop is a trillion, or 10 to the 12th power, flops (note that the "s" is part of the acronym, so no additional "s" is needed), and teraflop machines are available on the market as the more affordable parallel computing solutions. And of course, within the realm of possibility or imagination is a computer capable of petaflops, a thousand teraflops or a quadrillion (a thousand trillion) flops.

Supercomputers are capable of so many amazing tasks: previously, to discover new elements, detect dark matter components, simulate nuclear chain reactions or particle collisions. At present, they can model climate change, crack codes, and model protein behaviours and drug reactions. Therefore it's obvious that the top buyers include the biosciences, computer-aided engineering and defense industries. Hewlett-Packard, Dell and IBM are all competitors in the market. This CRAY system came out in 2008, so I'm a bit 2000-and-late, but in this world, by the time you've built and deployed the number one system, someone has already imagined something 20 times better.

Canada
As of Nov 2011, Canada did not have a system listed within the public top 500 supercomputer list. Boo.

However we do see Supercomputers on the trading floor at the Toronto Stock Exchange (perhaps the server room) called electronic traders. Math geeks design the algorithms (users input parameters like selling or holding thresholds) or dark pools (when trades have to be hidden from algorithms).

Computation resource allocation on SciNet, another system at the University of Toronto, is very competitive though. Compute Canada's Resource Allocation Committees are in charge of connecting researchers with computational and personnel resources to run calculations for biomedical research, climate change modeling and even galaxy formation simulations.


Japan
Japan ranks number one. As of Nov 2011, the K Computer, based at the Riken Advanced Institute for Computational Science in Japan was the first to clear 10 petaflops, beating its own record.  Hardware includes 705,024 Fujitsu Sparc64 processor cores.

Read more: http://news.cnet.com/8301-30685_3-57324194-264/japanese-supercomputer-first-to-clear-10-petaflops/#ixzz1mwp3L6yU


US
The Blue Gene/L can do 0.5 quadrillion operations per second, the most powerful in 2005-2008. The Blue Gene is deployed at Livermore, near San Francisco, where 263 supercomputers from the Top 500 list also reside.
The up-and-coming Sequoia is being built by IBM for the end of 2012, capable of 20 quadrillion operations per second, that's 20 petaflops. The main challenge is writing software to run across all the chips, amounting to 1.6 million processors in 96 racks of 32 slim servers.

I like the supercomputer made from many old model Sony PS3's in parallel used by the US Air Force for satellite imagery analysis, demonstrated years ago. Many researchers have already done the same though this is no longer possible with newer generation PS3.

China
In Nov 2010 China was number one with the Tianhe-1A doing 2.5 quadrillion operations per second, by Dawning Information Industry Ltd. Tianhe means "The Milky Way"; it was surpassed within six weeks by Japan. Another amazing fact: China owns 74 of the 500 biggest supercomputers in the world.

By 2020 the Chinese have something in the works to rival 500x Sequoia and 8x power of Tianhe

Cisco
Anyway it's not supercomputing but here is the fastest Cisco switch ever. http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6021/product_data_sheet0900aecd8017a72e.html I'm bringing this up simply because one has to consider connectivity to these super computers and all the glorious applications.

Cisco Self Defending Network Strategy

I found a CCNA test question on the Cisco Self Defending Network Strategy so I looked it up.

Cyber Security
Trust and Identity Management, responsible for security of critical assets
Threat Defence, respond to problems caused by security outbreaks

Physical Security
Potential security breaches should be evaluated.
Assess the potential impact of stolen network resources and equipment
Secure Connectivity, ensures privacy and confidentiality

Properties of a Self Defending Network
Network Availability: remain active when under attack

Ubiquitous Access: provide secure access from any location

Admission Control: authenticate all users, devices and their posture

Application Intelligence: extend application visibility controls into the network

Day-Zero Protection: ensure endpoints are immune to new threats

Infection Containment: rapidly identify & contain virulent attacks

Network Monitoring:
  • Syslog maintains a lot of data, a feature of Cisco IOS
  • Simple Network Management Protocol (SNMP) Cisco IOS feature for network management

Monitoring Analysis Response System (MARS) provides security monitoring for networks and hosts
  • Netflow provides packet level stats
  • Cisco Traffic Anomaly Detector Module - detects high speed DoS attacks
  • Firewall and IDS - IPS Sensor Application, Adaptive Security Appliance (ASA) and Cisco Security Agent (CSA)


Key Components and Necessary Behaviours
  • 100% Network Up Time. Keep functioning in the presence of viruses and related infections.
  • Network Admission Control (NAC) program. NAC allows customers to determine what level of network access to grant to an endpoint based on its security posture
  • Infection Containment as a third-order dampener to the virus and worm propagation effect.
  • Adaptive Threat Defense (ATD) capabilities, which enhances the ability of a network to respond to threats based on a new set of Anti-X technologies.
  • Network Intrusion Detection Systems (NIDS): integrate NIDS into its router and switching platforms and transform aspects of it into an intrusion prevention system (IPS) with inline filtering capabilities.
  • Beyond endpoints, apply to points of presence (POPs) in the network (firewalls, network intrusion detection systems -NIDS, routers, switches, and hosts) with context while learning the L2 and L3 network topology.
Taken from: Message of the Vice President, Chief Technology Officer


Summary of Cisco Threat Detection Technologies
IPS Sensor Application
Adaptive Security Appliance (ASA)
Cisco Security Agent (CSA)
Cisco PIX Firewall
FWSM Catalyst 6500 Firewall Services Module
IOS Firewall (feature of Cisco IOS)
IPS (feature of Cisco IOS)

Movies on Network Security
WarGames (a script kiddie breaks into the Pentagon computers)
Hackers (Angelina Jolie, 1995. Hacking, dial-up modems, social engineering, dumpster diving)
The Net (not so much  hacker movie, but privacy issues online)
Mission Impossible 4: Ghost Protocol (breaking network security and halting a nuclear disaster)

Friday, February 17, 2012

HOW TO do Remote Access to Computers

There are several ways to get remote access to computers.

Telnet - The least secure, unencrypted.

SSH - Secure Shell

PuTTY - a terminal emulator and SSH client for Windows.

VNC and RDP will be discussed in more detail below.

VNC
Virtual Network Computing. You use the VNC viewer to show a remote machine's desktop over a remote login connection.

The machine whose desktop is being shared (the "local machine" in the original note) runs the VNC server.
vncserver is used to start a VNC (Virtual Network Computing) desktop. vncserver is a Perl script which simplifies the process of starting an Xvnc server.

The computer you are working from runs the VNC viewer.
In the viewer's connection prompt, enter the server's IP address and display number in the form ip:display.

Launching vncviewer
This is a good summary of using VNC from the original authors.

To shut down the VNC server (which closes the session)
usage: service vncserver stop

To point X clients at a VNC display (csh/tcsh syntax)
setenv DISPLAY server2:1.0
setenv DISPLAY localhost:1.0

RDP
Remote Desktop Protocol. More to follow!

Thursday, February 16, 2012

Are you ready for Rsync?

How many times have you set up a file transfer by FTP over the weekend because it was a massive file that would take four days, only to find out that somewhere along the way there was an unexplained drop in the network connection, and your file transfer is incomplete with bits lost in the ether?

Enter rsync, and you'll be much happier with the delivery guarantee. What do you call this, UDP or TCP? Tricky... it must be TCP, because you're looking for better late than never, as opposed to never rather than late. (rsync does run over TCP, normally tunnelled through SSH, and it can resume and transfer only the changed parts of a file.)

Rsync is actually a backup/mirroring tool, but I suppose it is also good for a one time transfer.  Step by step instructions are here.

http://www.thegeekstuff.com/2010/09/rsync-command-examples/
http://everythinglinux.org/rsync/

Do I need a Host Table?

I didn't quite see the need to create the host table for the little lab network with a data server talking to a recording device, because I thought the switch in between would be enough. Anyway I decided to do some digging.

Linux
Obviously the host table is located in the "/etc/hosts" file, containing IP addresses and host names. Here's a sample below:
$ cat /etc/hosts
# Table of IP addresses and host names
127.0.0.1 localhost
192.168.1.2 myserver aliasname anotheralias

Windows
Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts
The host table is useful when you have a small number of servers in the group and you want to use aliases, and/or there is no DNS or connection to the internet. The host table simply maps host names to IP addresses and the reverse, and it is consulted before DNS.

It gets messy when the host table is long, because every copy on every machine has to be edited by hand and kept in sync.
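The following is an added example for this post, not something from the original: a small parser for the hosts-file format shown above. It handles comments, blank lines and several aliases per line, answers lookups in both directions as the text describes, and flags the kind of duplicate that creeps into a long hand-maintained table. The sample table is constructed, with an extra duplicate line added on purpose.

```python
"""Parser for the hosts-file format above (added example, not from the post).
Comments and blank lines are skipped, every alias on a line is kept, lookups work
name -> address and address -> names, and conflicting duplicates are reported."""

SAMPLE_HOSTS = """\
# Table of IP addresses and host names (constructed sample)
127.0.0.1     localhost
192.168.1.2   myserver aliasname anotheralias
192.168.1.3   recorder          # the recording device
10.0.0.9      recorder          # stale duplicate left by a later edit

"""


def _records(text):
    """Yield (ip, [names]) for each meaningful line, comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        ip, *names = line.split()
        if names:                             # an address with no name is unusable
            yield ip, [n.lower() for n in names]


def parse_hosts(text):
    """Return (name_to_ip, ip_to_names). Names compare case-insensitively and
    the first mapping of a name wins, which is how resolvers read the file."""
    name_to_ip, ip_to_names = {}, {}
    for ip, names in _records(text):
        for name in names:
            name_to_ip.setdefault(name, ip)
        ip_to_names.setdefault(ip, []).extend(names)
    return name_to_ip, ip_to_names


def find_conflicts(text):
    """Names that appear with more than one address: {name: [ip, ...]}."""
    seen = {}
    for ip, names in _records(text):
        for name in names:
            ips = seen.setdefault(name, [])
            if ip not in ips:
                ips.append(ip)
    return {name: ips for name, ips in seen.items() if len(ips) > 1}


def resolve(name, text=SAMPLE_HOSTS):
    """Forward lookup: host name or alias -> IP address (None if absent)."""
    return parse_hosts(text)[0].get(name.lower())


def reverse(ip, text=SAMPLE_HOSTS):
    """Reverse lookup: IP address -> every name listed for it."""
    return parse_hosts(text)[1].get(ip, [])


if __name__ == "__main__":
    print(resolve("MyServer"), reverse("192.168.1.2"), find_conflicts(SAMPLE_HOSTS))
```

Running find_conflicts over a real table before copying it to other machines is a cheap way to catch the duplicate-name problem before it turns into a mystery connection to the wrong host.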

Cisco ICND1 Flashcard: Wireless LAN Implementation and Security

The Wireless Access notes for the CCNA Exam in short form.
The topic of Wireless LAN is covered in the ICND1 Exam

Connecting to a Wireless Network
This is how it happens at Starbucks, McDonald's, a hotel offering free wireless internet, or your own home. Wireless access points send out beacons announcing the SSID, supported data rates and other information. The client's laptop Wi-Fi network card scans all channels, listening for beacons and probe responses from APs, and then associates to the AP with the strongest signal. The client repeats the scan if the signal becomes weak, so it can associate to another AP while roaming. During the association phase the SSID, MAC address and security settings are sent from the client to the AP and verified by the AP. The basic service area is the physical area of RF coverage provided by the AP.

Wireless access is a half-duplex CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) medium that uses RTS (request to send) and CTS (clear to send) frames. Yes, I know it is weird to place the acronym ahead of the definition at first use. For every packet sent, an RTS/CTS exchange and an acknowledgment must be received.

About the RF Wireless Signal
While setting up the access point, the following parameters are configured: basic IP settings (a static or DHCP address, subnet mask and default gateway); the wireless protocol in use, 802.11a, b, g or n; the channel, namely 1, 6 or 11; and a power adjustment. Security parameters include the SSID, which identifies the network, the authentication scheme (WPA, WPA2, PSK) and the encryption method (TKIP, AES).
IBSS - Independent Basic Service Set: users connected in ad hoc mode without an AP
BSSID - MAC address of the AP's RF interface card
SSID - Network identifier configured by the network admin; it is broadcast and sent in the clear
The frequencies of the unlicensed bands are:
900 MHz
2.4 GHz, used by 802.11b and 802.11g with DSSS. Max data rate of 11 Mbps (for 802.11g only when it falls back to DSSS); other possible rates are 1, 2 and 5.5 Mbps.

5 GHz, used by 802.11a with OFDM: data rates of 6, 9, 12, 18, 24, 36 and 48 Mbps up to 54 Mbps, with 12 non-overlapping frequency channels. When 802.11g operates with OFDM the same maximum of 54 Mbps can be achieved.

The FCC has released three unlicensed bands for public use: 900MHz, 2.4GHz, and 5.7GHz. The 900MHz and 2.4GHz bands are referred to as the Industrial, Scientific, and Medical (ISM) bands, and the 5-GHz band is known as the Unlicensed National Information Infrastructure (UNII) band.

802.11a, operating in the 5 GHz radio band, is immune to interference from devices operating in the 2.4 GHz band, like microwave ovens, cordless phones and Bluetooth devices.
Quiz: Which two 802.11 standards have the highest data rate?
802.11a and 802.11g both up to 54 Mbps

Quiz: Which standards are most widely used today?
802.11b/g is the most widely used wireless network found today. 802.11b operates in the 2.4 GHz unlicensed radio band and delivers a maximum data rate of 11 Mbps.
Facts to consider: this is the sort of thought process in an exam question. The 802.11g standard delivers the same 54 Mbps maximum data rate as 802.11a but runs in the 2.4 GHz range, the same as 802.11b.
Approximate indoor and outdoor ranges:
Standard   Indoor   Outdoor
802.11g    400m     140m
802.11b    40m      140m
802.11a    35m      100m
802.11n    70m      250m

Modulation
802.11a and 802.11g use OFDM
802.11b uses Direct Sequence Spread Spectrum (DSSS)
though 802.11g is DSSS/OFDM (OFDM at its higher rates, DSSS when it falls back to 802.11b rates)
IEEE 802.11 was the first, original standardized WLAN, at 1 and 2 Mbps, running in the 2.4 GHz band
802.11n, the new wireless standard
802.11n supports more channels using spatial multiplexing (MIMO) and more transmitters to reach a higher data rate of 600 Mbps. It also uses OFDM (I need more info) and is backward compatible with 802.11a, b and g.

802.11b
It is the most accessible and uses CCK (Complementary Code Keying) to reach its higher data rates. There are 14 channels, each 22 MHz wide, with 5 MHz separation between channel centres. To completely avoid overlap, the signalling requires a 5-channel separation; therefore only channels 1, 6 and 11 are used together.
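The channel arithmetic above is easy to verify. The following added example (not from the post) encodes the stated facts, 22 MHz channel width and 5 MHz spacing with channel 1 centred at 2412 MHz, and derives which channels can coexist. It goes one step beyond the text: run over all 14 channels it also finds channel 14, centred at 2484 MHz, which is only permitted in Japan.

```python
"""Worked check of the 802.11b channel-spacing statement (added example, not from
the post). Two 22 MHz channels interfere when their centre frequencies are closer
than 22 MHz; with 5 MHz between channel numbers, that means a gap of five."""

CHANNEL_WIDTH_MHZ = 22
CHANNEL_STEP_MHZ = 5
CHANNEL_1_CENTRE_MHZ = 2412


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel number (1 to 14)."""
    if not 1 <= channel <= 14:
        raise ValueError("802.11b channels run from 1 to 14")
    if channel == 14:
        return 2484                       # the one channel that breaks the 5 MHz pattern
    return CHANNEL_1_CENTRE_MHZ + (channel - 1) * CHANNEL_STEP_MHZ


def overlaps(a, b):
    """True when the two 22 MHz channels share spectrum."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def min_channel_separation():
    """Smallest channel-number gap that avoids overlap (the '5-channel separation')."""
    gap = 1
    while gap * CHANNEL_STEP_MHZ < CHANNEL_WIDTH_MHZ:
        gap += 1
    return gap


def non_overlapping(channels=range(1, 12)):
    """Greedy pick from the lowest channel up; each pick must clear every earlier one.
    The default covers the 11 channels allowed in North America."""
    chosen = []
    for ch in channels:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print(min_channel_separation(), non_overlapping(), non_overlapping(range(1, 15)))
```

The same functions make it obvious why an AP on channel 3 degrades neighbours on both 1 and 6: overlaps(3, 1) and overlaps(3, 6) are both true.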

Wifi Equipment
Access points, wireless controllers, wireless LAN client adapters, security and management servers, wireless management devices, wireless integrated switches and routers—even antennas and accessories
Key Players in Wifi
The Wi-Fi Alliance is a non-governmental, non-profit industry trade organization that promotes interoperability between Wi-Fi product manufacturers and promotes wireless growth. As for securing wireless networks, the evolution of encryption algorithms has come a long way.

The IEEE writes out the technical standards or Engineering specs, publishes technical documentation or journals.

ITU-R is the international union that regulates RF usage bands including wireless.

Quiz: Who created WPA?
Answer: WPA was created by the Wifi Alliance based on the IEEE 802.11i standard
Quiz: What is a rogue access point? An unsecured AP that has been placed on the WLAN.
WIFI Encryption
Common standards dealing with wireless client authentication and encryption (coding plaintext into ciphertext).
  • WEP is a bit outdated and too easy to break, very basic and static.
  • Cisco adds CKIP and MIC to protect keys.
  • Enhancements are TKIP with MIC (per-packet keying plus a Message Integrity Check)
  • TKIP 802.1x EAP
  • WPA uses TKIP/ MIC Encryption
  • 802.11i/ WPA2 is the strongest level of WLAN security
  • WPA2 includes AES in Counter Mode with CBC-MAC Protocol (AES-CCMP)
  • Enhancement to TKIP is AES 128 bit, 192 bit, and 256 bit.
  • LEAP uses TCP handshake like EAP-TLS and Radius
How is the client authenticated in IEEE 802.1x?
The AP encapsulates any 802.1x traffic that is bound for the authentication server and sends it to the server

Modes of Operation

Ad Hoc Mode
IBSS - Clients connect directly to each other, peer to peer, with no access point.
Infrastructure Mode
BSS - Clients connect to each other through an access point. The BSSID is the MAC address of the AP's RF interface card; B for basic.
ESS - Two or more BSSs are connected by a common distribution system; E for extended. The SSID is the advertised wireless network name, configured by the user.


More than one BSS forms an ESS. That means when a group of BSSs (many APs) in the WLAN have the same SSID, the client can be mobile and authenticate with the various APs in the same ESS.


WPA
Enterprise mode
used for business, education and government; also a term for products tested to be interoperable for authentication in both PSK and IEEE 802.1X/EAP modes
Personal mode
for SOHO, home, personal and interoperable in PSK mode of operation only

Issues with Roaming
  • Consider the range of the combined cells forming an extended service area
  • Allow 10-15% overlap so users can roam without losing the RF connection
  • Configure three access points with the same SSID so a user can roam wirelessly without dropping connectivity
  • Allow 15-20% overlap for wireless voice
Solution for roaming
  • Shift the data rate while moving: 11 Mbps, 5.5 Mbps, 2 Mbps
  • A higher data rate requires a stronger signal at the receiver; at a lower data rate the range is longer
  • Clients want the highest data rate
  • If there are transmission errors, reduce the data rate
Connecting the AP to a LAN switch, which cable would you use? Just a straight-through, much like a regular PC.

Wireless Zero Configuration 
Three basic wireless access point parameters: SSID, authentication, RF channel with optional power. Microsoft has a feature that does all this automatically. Though most Wireless NIC vendors have their own software GUI as well.

Cisco's Wireless Control System (WCS) actually requires zero configuration. This means the AP will automatically configure itself based on the controller's information, check for channel overlap and interference and move to a non-overlapping channel, and lower its transmit level to limit interference, which Cisco calls "auto RF controls".

I found a really good reference for the Wireless LAN topic. I'd hazard to say that I found nuggets of information that I had missed on the exam from my notes! Lookup the Cisco Tests blog.

Wednesday, February 15, 2012

The Linsanity of Super Lintendo

Valentine Cupcakes by Nora, Bliss & Co. in Calgary

While most people were eating Valentine cupcakes, my very lucky sister in law was at the big Raptors and Knicks game at the Air Canada Center! I haven't seen Jeremy Lin play basketball, I don't know what he looks like, but he is all over my friends' facebook posts.

"So tonight, all the good little Asian boys and girls will put down their violins, close the piano covers, postpone Calculus club and put away their Chinese/Korean school homework. Bubble tea shops will be empty from east to west, and even Battle.net will be silent and barren. They will quiver with excitement over their bowls of rice as they turn on the TV.  And for what?  A basketball game. Yes, this is Linsanity." quote from buddy Thomas, about the you-know-who.

Linsanity Game on Valentines Day

There's already a Wikipedia article written about him; throngs of Asian girls and boys are drawn to him because he is the guy who made it big in the NBA from out of nowhere (well, Harvard actually), he's smart, friendly, fairly tall for an Asian guy, and is a Christian. I use the term Asian because he's actually an American-born Taiwanese, meaning his ancestors are from Taiwan and not China (very much different).

Day in the Life: Jeremy Lin.  (Sneakers all in a row? Now that's hot).
http://www.youtube.com/watch?v=CLzrLXQIbwM

Anyways I really should go back to studying for the CCNA, practising piano, violin, playing Nintendo or whatever good asian kids are supposed to do.

Test Tips for CCNA, Simulators and a bullet-proof Guarantee!

1. Manage your time

The number one hint I have to give everyone: the CCNA Exam is a test of power and speed, you have to know your material solid and answer the questions quickly. The prof said that the number one reason for failure on the exam is not lack of preparation (I could argue with that) but rather, running out of time! You have to remember to ask yourself, "Is this your final answer?" because once you click "yes" or "submit", there is no back button, you cannot go back!

2. Core Knowledge

Videos for ICND1 and ICND2 free on the Cisco Learning Network.

Here is a breakdown of the core areas the exam was testing, taken from my real score sheet in November 2011. I am not breaking any oaths or sharing any secrets about the exam.
  • Describe how a network works
  • Configure, verify, troubleshoot a switch with VLANs and interswitch communications
  • Implement an IP addressing scheme and IP services to meet network requirements in a medium-size Enterprise branch office network
  • Configure, verify, and troubleshoot basic router operation and routing on Cisco devices
  • Explain and select the appropriate administrative tasks required for WLAN
  • Identify security threats to a network and describe general methods to mitigate those threats
  • Implement, verify and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network
  • Implement and verify WAN links
I copied this from my report card, but I'm not sure if it was an adaptive exam and only selected knowledge areas were tested on, or if I wrote the same test again it would be a similar bank of questions. You may not retake the exam within the same week. Passing score is 825 out of 1000.

A good collection of resources at www.cisco.com/go/ccna-study

3. Hands On Experience

Apparently the original purpose of CCNA was to certify someone already with the job experience as a Network Administrator, who has spent years on the job doing this. In fact Cisco never offered Bootcamp courses and it was the training delivery vendors that developed their own courses to cover relevant subjects, in preparation for the CCNA Exam.  Now it seems like everyone is taking the boot camp courses: the newbies, managers, purchasers.  The courses often come with extra lab time on the router simulation lab, but it is better to have your own equipment. Unfortunately not many people have access to a test lab or one with enough routers to generate any trouble to troubleshoot!

Packet Tracer is another program folks use for router simulation.  My buddy recommends http://www.gns3.net/ and it's free, if you have your own IOS images then you're set.

4. Read the Fine Print

Rather I should say, read between the lines. For multiple choice questions, there will always be an obvious oddball answer, and perhaps one or two that are very close but there is something that makes one answer more correct or superior. Unless of course the question says "choose two", in which case make sure you choose two.

If you're really pressed for time, well you still have to give an answer for every question. Make a guess, pick C or ACDC whatever random pattern you have to resort to in a bind.

5. Get it Right the First time...

However, heaven forbid if you should fall short of 825/1000, read the fine print on the vendor's exam guarantee. I took my bootcamp course with Global Knowledge and I'd have to say their certification guarantee is bullet proof. Upon course completion you get one CCNA exam voucher and 10 hours of lab time with KAPLAN. If you fail the exam, fax in the fail results and ask for a voucher for the retake exam (within one year of the course date). If you fail the second round, perhaps you should reconsider your career choice. JK! Global Knowledge offers a free retake of the course (provide your own course materials from the first run). Then I suppose the brave could do the exam a third time. Just remember you will have to recertify again in three years anyway.

Tuesday, February 14, 2012

Cisco ICND1 Flashcard: OSI Layer Model and PDU's

Pick up any CCNA Exam Preparation Guide. There are plenty of books, chapters and webpages dedicated to the topic of the OSI Layer Model of Internetworking. I'm just providing a short summary of notes to remember. It's guaranteed that there will be questions on the 7-layer OSI model, the Cisco three-layer model, and even the DoD's model and how all the layers interrelate.

Physical Topology - Defines how the computer and networking devices are connected (physical)
Logical Topology - Describes the path the signals travel from one point to another (routing, tunnels: layer 2 for ipsec, layer 4 for ssl)

ESSENTIAL FACTS
* Each layer of the OSI model is only interested in communicating with its peer layer at the destination.
* Each layer provides services to the layer above it.
* Encapsulation: as application data passes down the protocol stack to be transmitted across the network media, each layer adds a header or trailer (containing addressing information).
* OSI model uses structure, forms a good reference model, permits change at one layer without affecting the other layers

Cisco Hierarchical Three Layer Model
Access - provides work group access for end users, desktop layer
Distribution - routing protocols and security, includes LAN based routers and layer 3 switches, enables routing between VLANs
Core - high speed and redundancy, provides high speed data transfer between sites

TCP/IP Stack - 4 Layers
Application - Application, Presentation, Session
Transport - Transport
Internet - Network
Network Access - Data Link, Physical

CCNA Illustrated OSI Layer Graphics

OSI Model - 7 Layers
* Including some quick notes on the PDU and addressing used
Application - data
Presentation - data
Session - data
Transport - segment, port number
Network - packet, ip address
Data-Link - frame, mac address
Physical - bits

Application issues: Application, Presentation, Session
Data transport, implementation details: Transport, Network, Data-Link, Physical
Therefore, the de-encapsulation first occurs at the Transport level.

Application Layer
* Authentication
* Examples: email, file transfer, terminal emulation

Presentation Layer
* Data representation, such as the format or structure of data (say jpeg, wav etc)
* Negotiates data transfer, syntax
* Provides encryption
* HTTP and SSH operate at this layer
* It's safe to say, it makes sure that information sent at the application layer of one system is readable by the application layer of the other.

Session Layer
* Client - server connection
* Inter host communication
* Establish, manage, terminate sessions between applications. Such as the Shopping Cart?
* Web server, data exchange
* Examples: NFS, SQL, NetBIOS

Transport Layer
* Establishes end to end connections between hosts
* TCP and UDP ports
* The source port in the UDP header and TCP header is a 16-bit calling port.
* Reliability and flow control (windowing)
* Establish, maintain, terminates virtual circuits

Network Layer
* Primarily deals with data delivery
* Routes data packets
* Selects the best path to deliver data
* Provides local addressing and path selection
* Manages connectivity
* IP addresses to route packets

Data Link Layer
* MAC address
* The Ethernet source and destination addresses are 6-byte values, written in hex
* Error detection
* Encapsulation: do Frame Relay or PPP ring a bell?
* The most diverse

Physical Layer
* Examples: Copper, wireless, satellite, fiber
* 1, 0 bits transmitted by electrical pulse, electrons, light
* Think Cabling

CCNA Illustrated OSI Layer Model Graphics Blog

Video Games in Military Training

I really should be studying for the CCNA Exam or building my test network to complete some router configurations. Perhaps I could find a good router simulation software, though nothing beats having to set up all the wiring and cabling by hand. Nonetheless, are there software packages for soldiers to do military training in a simulated environment, such as video games?

Source: Friend's Facebook post

I stumbled upon an article debating whether gamers make good soldiers. I've seen world class flight simulator programs made by the Canadian firm CAE. Reading on, I also discovered the Army's Engagement Skills Trainer (EST) to simulate the sound and feel of the different firearms used on the job for target practice. Well, what happened to the firing ranges? I guess this makes an environmentally sound alternative without spent casings to clean up. The EST also provides possible scenarios to help soldiers make life changing decisions on when to shoot and when not to shoot. There was another simulator software called the Virtual Convoy Operations Trainer (VCOT) and DARWARS Ambush seems to be a big hit. DARWARS allows users to add or modify scenarios with their own learned experience.

Here's the link because it was such a page turner: http://science.howstuffworks.com/gamer-soldier2.htm

Now goes the question, if I played my daily dose of Wii golf, would that train me to be a world class golfer. Well I'd really have to say no because you need to feel the true weight of an expensive golf club, you'd have to feel the action and reaction of hitting a real ball, and experience real wind and air flow to influence the true path of the ball. There's no way to get that from a game.

In the same way, just studying for this exam on paper won't do.  We don't want a CCNA "paper cert". Time to solve some real world router problems!

Monday, February 13, 2012

Cisco ICND1 Flashcard: IP Subnetting Quick Tips

Classes of IP Addresses

Sample Quiz
Will these IPs require a router to talk to each other? This is another way of asking: are these hosts on the same network or subnet?

Given 192.168.1.0/24
Host a: 192.168.1.33/27
Host b: 192.168.1.50/28
Host c: 192.168.1.100/26
Host d: 192.168.1.90/27

There are whole chapters in books dedicated to subnetting. This can be easily simplified into two rows of numbers; it would be a very short book if I was writing it. This is like subnetting in your brain!

Write this down:
128  64  32   16   8     4     2      1
128 192 224 240 248 252 254 255

Start with Host a 192.168.1.33
/27 means a mask of 255.255.255.224
Then valid networks are 0, 32, 64, etc *
Network address would be .32
Valid hosts would be .33 to .62
Broadcast address would be .63
The number of subnets 2^3 = 8 where 3 is the number of masked bits or 1s
The number of hosts in each subnet 2^5 - 2 = 30

* Finding the subnet base number: 256 - mask = base number

Host b 192.168.1.50
/28 means a mask of 255.255.255.240
The valid networks would be 0, 16, 32, 48, 64 etc
Network address would be .48
Valid hosts would be .49 to .62
Broadcast address would be .63

Host c 192.168.1.100
/26 means a mask of 255.255.255.192
The valid networks are 0, 64, 128 etc
Network address is .64
Valid hosts .65 to .126
Broadcast .127

Host d 192.168.1.90
/27 mask means 255.255.255.224
Valid networks 0, 32, 64, 96
Network address is .64
Valid hosts .65 to .94
Broadcast .95

Answer: nobody can talk to each other because they're on different subnets (different network addresses). A router would be required.

Binary Quiz
Convert 452 into binary
answer: 111000100

What is 11000111?
answer: 199

Convert 11101000111 into decimal
answer: 1863

A Class A network has 3 octets for the host field.
What is the practical minimum number of bits to borrow? 2
Using six subnet bits, how many usable subnets are created?
62

How many subnet bits do you borrow?
To see how many bits you should borrow from the host portion of the network address to give the required number of subnets, you should...
answer: subtract the number of subnets you need from the network portion
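The "two rows of numbers" method above, written out as code (an added example, not from the post). It runs the post's four sample hosts, which are constructed inline, cross-checks the by-hand arithmetic against the standard library's ipaddress module, and also covers the old "drop two" subnet-count rule from the quiz; the host names, function names and the classful_prefix parameter are my own.

```python
"""Added example: the post's two-row subnet method, with the sample quiz as inline data."""
import ipaddress  # standard library; used only to double-check the by-hand arithmetic

POWERS = [128, 64, 32, 16, 8, 4, 2, 1]                       # first row: bit values
MASK_OCTETS = [sum(POWERS[:i + 1]) for i in range(8)]        # second row: 128, 192, 224, ... 255

# The post's sample quiz (constructed inline): host letter -> address/prefix.
SAMPLE_HOSTS = {
    "a": "192.168.1.33/27",
    "b": "192.168.1.50/28",
    "c": "192.168.1.100/26",
    "d": "192.168.1.90/27",
}


def prefix_to_mask(prefix: int) -> str:
    """/27 -> '255.255.255.224': whole octets are 255, the partial one comes from row two."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    full, leftover_bits = divmod(prefix, 8)
    octets = [255] * full
    if leftover_bits:
        octets.append(MASK_OCTETS[leftover_bits - 1])
    octets += [0] * (4 - len(octets))
    return ".".join(str(o) for o in octets)


def _dotted(octets) -> str:
    return ".".join(str(o) for o in octets)


def subnet_facts(host: str, classful_prefix: int = 24) -> dict:
    """Network, broadcast, host range, block size and counts for 'a.b.c.d/p'.

    classful_prefix is the size of the network the subnets were carved from (the post
    starts from 192.168.1.0/24); it only feeds the "number of subnets" figure. The host
    range arithmetic assumes the post's usual /25 to /30 cases (a /31 has no broadcast)."""
    ip, prefix_text = host.split("/")
    prefix = int(prefix_text)
    mask = [int(o) for o in prefix_to_mask(prefix).split(".")]
    addr = [int(o) for o in ip.split(".")]
    network = [a & m for a, m in zip(addr, mask)]
    broadcast = [n | (255 - m) for n, m in zip(network, mask)]
    # The "interesting" octet is the one the mask does not fully cover; 256 minus that
    # mask octet is the post's "subnet base number", so valid networks step by it.
    idx = max(prefix - 1, 0) // 8
    block = 256 - mask[idx]
    return {
        "mask": _dotted(mask),
        "block": block,
        "valid_networks": list(range(0, 256, block)),
        "network": _dotted(network),
        "broadcast": _dotted(broadcast),
        "first_host": _dotted(network[:3] + [network[3] + 1]),
        "last_host": _dotted(broadcast[:3] + [broadcast[3] - 1]),
        "subnets": 2 ** (prefix - classful_prefix),
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,
    }


def cross_check(host: str) -> bool:
    """Does the by-hand result agree with the standard library's view of the interface?"""
    facts = subnet_facts(host)
    net = ipaddress.ip_interface(host).network
    return (facts["network"] == str(net.network_address)
            and facts["broadcast"] == str(net.broadcast_address)
            and facts["mask"] == str(net.netmask))


def needs_router(host1: str, host2: str) -> bool:
    """True unless both hosts share the same network address AND the same mask.

    A matching network address with a different mask is still a mismatch: one side would
    treat the other as local while the other side sends to its gateway (hosts c and d above
    both start at .64 but use /26 and /27, so they count as different subnets)."""
    f1, f2 = subnet_facts(host1), subnet_facts(host2)
    return (f1["network"], f1["mask"]) != (f2["network"], f2["mask"])


def quiz(hosts: dict) -> list:
    """Every pair from the sample quiz with its verdict, e.g. ('a', 'b', True)."""
    names = sorted(hosts)
    return [(x, y, needs_router(hosts[x], hosts[y]))
            for i, x in enumerate(names) for y in names[i + 1:]]


def usable_subnets(borrowed_bits: int, subnet_zero: bool = False) -> int:
    """Subnets from borrowed bits. The post's quiz uses the old rule that drops the
    all-zeros and all-ones subnets, so six bits give 62 rather than 64."""
    count = 2 ** borrowed_bits
    return count if subnet_zero else count - 2


if __name__ == "__main__":
    for name, host in SAMPLE_HOSTS.items():
        f = subnet_facts(host)
        print(f"Host {name} {host}: net {f['network']}, hosts {f['first_host']} to "
              f"{f['last_host']}, bcast {f['broadcast']}, "
              f"{f['subnets']} subnets of {f['hosts_per_subnet']} hosts")
    for x, y, verdict in quiz(SAMPLE_HOSTS):
        print(f"{x} <-> {y}: {'router needed' if verdict else 'same subnet'}")
```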

Friday, February 10, 2012

Canadian Navy invades Video game space

I always like it when the PM refers to Canadians coast to coast to coast. It reasserts Canada's sovereignty and three ocean boundaries. I also like how board games sometimes turn Geo-political too. I remember playing a good game of Mission Risk and Risk 2210 and the countries and nations we see today have boundaries barely recognizable, including Quebec as it's own sovereign entity. The moon is up for grabs and there are water colonies. Then there was the fiasco of Parker Brothers Monopoly Metropolitan Cities edition where coveted properties are labelled by city name and country. That was the case until the name Jerusalem, Israel became a hot issue and the game reverted to city names only. I believe Montreal and Toronto made the list! What is the capital of Canada again?

A Norway-based game developer has launched a new video game set in 2030 when NATO and Russian forces go head to head for Arctic Sovereignty. Doesn't sound that futuristic to me. Especially since the best ship Canada has to offer is the HMCS Halifax-class frigate built in the 80's. Seriously? They couldn't come up with a better battleship for Canada, even a fictional upgrade? The game is called Naval War: Arctic Circle, due for launch in the Spring 2013. Anyway here is the article I read but I want to dive into this more. Perhaps someday when Canada owns more than four rusty submarines.

Algorithms for Image Analysis

My intention is to post my technical paper that spun off from my Masters Thesis Project on my web blog here, but my paper is literally hardcopy on paper. I will have to scan it as a PDF and convert it to text using OCR (an automated process, mind you), but it will take some time.

COMPARISON of DATA FUSION TECHNIQUES:
IHS AND MULTIRESOLUTION WAVELET DECOMPOSITION.


ABSTRACT

A new algorithm for data fusion of satellite imagery using wavelet analysis is presented. Data fusion is a very useful technique to maximize the resolution of spatial and spectral information in multi-sensor satellite imagery. In remote sensing applications there is a trade-off between the two. The objective: to compare two commercially available algorithms, Intensity-Hue-Saturation (I.H.S) and Brovey-Sharpening merged-image results, with my own algorithm using Multi-resolution Wavelet Decomposition (M.W.D) data fusion on recent satellite imagery. M.W.D was completed using the Maximum Fusion Rule and also Pyramidal Substitution, and the results proved superior.

Thursday, February 9, 2012

Best Geek Girl Movies

I love action movies best, but I am drawn to science fiction or a mix of the two. I recently started to take note of the Costume Designer's choices for the leading female character, more so after a vivid encounter. I borrow this quote from a buddy's girlfriend, about Megan Fox (the high school hottie and auto mechanic geek) in Transformers 2: Revenge of the Fallen, the part where she survives the crossfire between the Autobots and Decepticons in an epic land and air battle featuring US military heavy fire power; her T-shirt is ripped in the right places and she is wearing tight white leather pants that seemed to stay so sparkling white through all the mud and oil splatter. "Her pants are still white!"

Anyway the "geek fiction" movies are dear to me, because of the enduring pursuit of the truth, the admirable female lead is a leading scientist in her field, and I like the hard science the screen writers have woven into the fabric of the story. Anyway here's the low-down. Who is the geek, what is her subject matter of expertise, and what is she wearing?

Proof - Gwyneth Paltrow is the Math geek.
Contact - Jodie Foster is the Astrophysicist or RF Engineer geek
The Saint - Elisabeth Shue is the Electrochemist geek
Thor - Natalie Portman is the Electric Storm Chaser geek
Miss Congeniality - Sandra Bullock is a geek in the FBI who ends up in the Miss America Pageant.

Cosmic Background RF for SETI Research, by Freescia

SETI - Steerable Antenna was Tracking! by Freescia
Movie: CONTACT
She searches the airwaves for clues in the galaxy about extraterrestrial life. You see the huge low frequency antenna arrays and the SETI computer algorithms in the movie, as well as the inspiration and legacy of her loving father; a little girl who speaks into the universe, "Daddy, CQ, are you out there?" Blueprints and design documents to build an enormous space apparatus are intercepted from an RF transmission, possibly originating from aliens. The UN or some global entity led by the US must select one candidate to represent mankind on a journey to meet the aliens. A romantic interest is a man of faith and forbidden love, who questions her convictions of atheism and scientific proof. She is catapulted into a journey that seems only too real and symbolic, yet when she returns to earth, one can only rely on faith to prove it ever happened.
Most Memorable Wardrobe: Space Suit, silver locket from her father. More fact and fiction on the movie.

It is the same antenna, just tracking... by Freescia, Australia 2008.
Movie: THE SAINT
There is more to the back story of the main character Val Kilmer plays, but I am most interested in his attempted theft of the secret of Cold Fusion from a top nuclear scientist, the smart and beautiful Dr Emma. Fact: In 1992, two chemists in England, Pons and Fleischmann, had claimed to discover cold fusion, supposed heat energy released when hydrogen atoms bonded together on a palladium rod, after electrolysis of water. Of course it was all a myth or a flop that generated more controversy than real nuclear energy at room temperature. The movie was exploiting the hype, which unfortunately may have also contributed to the movie being a flop. Despite that, I still enjoyed it as an action movie with some romance. I was really drawn to the movie because I was an impressionable Grade 7 student when Cold Fusion came about. In fact, I am not embarrassed to admit that my science fair partner and I actually tried to replicate this experiment and we were expecting some big flash or amazing event at the moment of "fusing hydrogen atoms together". Fiction: The movie finishes with the world being saved from an evil person in Russia owning unlimited nuclear energy because the secret formula is openly shared, on live TV, or in today's world that would be Wikipedia.
Most Memorable Wardrobe: White lab coat, and a white sweater dress (the kind from Victoria's Secret)

Movie: THOR
The god of Thunder is cast down to earth, generating an epic electromagnetic disturbance on earth. Two female storm chasers and their stern father find a mortal man with amazing abs unconscious and discover he is an old soul who has lost his superpowers but not his fury. The US government confiscates her notebook with all the information about the storm's origin and coordinates. He fights off all the armed guards with the same double-leg kick each time (how about a new dance move?) and retrieves the notebook for her. In the end, his power is restored but in order to save mankind he chooses to leave his beloved on earth. She is a storm chaser and more determined than ever to find him again.
Most Memorable Wardrobe: I missed the bubble bath scene I saw in the trailers. Otherwise, it would have to be the oversized plaid shirts and thick warm jackets. I think they spent more money on the Asgard costume set.


Movie: MISS CONGENIALITY
A geeky FBI agent is chosen to infiltrate the Miss America Pageant to halt a plot to assassinate Miss America. The US government enlists enough staff to fill an abandoned aircraft hangar to transform her into a super model to fit the role. She hits the mark, and even survives a beating with a bouquet of roses by the real Miss America and they remain best friends.  She keeps the job for another movie while famously keeping her guns in an expensive Fendi.
Most Memorable Wardrobe: agent in black pant suits and greasy hair, later tripping in high heels; Bavarian bar maid tackles man in cowboy hat.

Movie: PROOF
I had first seen the theatre adaptation of the book "Proof" long before it was made into a movie, at the Ottawa Little Theatre years ago actually. From my memory, it is a charming and heart-warming story about a grieving daughter who happens to be a stellar math student and stumbles upon a prized collection of her late father's math notebooks. He was a professor of Mathematics at a prestigious university and there is another hot-looking grad student looking for access to the notebooks as well. The notebooks are precious because they contain an elaborate formula or proof for a very significant theorem of sorts. There are appearances and visitations; in a theatre setting the border between reality and imagination seems to blend, and it all seems so logical mathematically until at the end you really discover the truth. Poof! How do you prove that something you believe truly existed?
Most Memorable Wardrobe: Nothing out of the ordinary, I only remember the baggy jeans.

Just an odd observation, why is it that every movie about a clever guy or girl, highly skilled in math, is usually someone who ends up with a borderline case of insanity or other medical condition? Think of Rainman, A Beautiful Mind, even Proof. Why couldn't people just be geeks without further explanation?

Anyways, I found another great website about math in the movies; click the link for more! I hope you really enjoyed reading this post. What is your favorite movie? Please comment!

Cisco ICND1 Flashcard: NAT, PAT, Overloading

Network Address Translation

When you have internal IP addresses routing to another network and you don't want someone to know the originating IP address, you can use NAT. Or if you have internal IP addresses mapping to the Internet and you have a limited number of public IP addresses to give out.

NAT operates at Layer 3 on Cisco routers and is designed for IP address simplification and conservation by converting private IP addresses into public IP addresses. Apparently, NAT is not to be used with tunneling protocols or IPSec.

STATIC NAT
This means statically assigned by a network administrator, I presume, one by one. The steps include creating the translation and applying NAT to the inside and outside interfaces.


LAB SUMMARY
Configure Static NAT on Router 1, inside and outside interfaces, x = 2 for my Pod 2
usage: conf t
ip nat inside source static 192.168.xx.10 172.16.xx.10
int fa 0/0
ip nat inside
int serial 1/1
ip nat outside
end

show ip nat translations
debug ip nat
ping 10.1.1.1
show ip nat statistics

Remove Static NAT from Router 1
usage: conf t
no ip nat inside source static 192.168.xx.10 172.16.xx.10

DYNAMIC NAT
Use the IP address assignment by DHCP. The quickest way would be to use a DHCP server. Create a pool name and range.

Create a standard ACL to permit traffic from the switch network and deny everyone else.
usage: conf t
access-list 3 permit 192.168.xx.0 0.0.0.255
ip nat pool LAN 172.16.xx.65 172.16.xx.126 netmask 255.255.255.192

Enable the translation by tying the access list (3) to the pool (LAN) and leave config mode
ip nat inside source list 3 pool LAN
end

show ip nat translations
debug ip nat
ping 10.1.1.1
show ip nat statistics

To clear the entire NAT table usage: clear ip nat translations *
To remove Dynamic NAT from router 1 usage: no ip nat inside source list 3 pool LAN
Another day, I'll add more info about PAT
PAT is many-to-one dynamic translation.

Bonus
I wonder if this is the same way to NAT IPv4 addresses with IPv6. In fact, on newer computers and laptops, the Network Settings Info will also include an IPv6 address. In the late 1990s the US DOD issued a command that all new computer systems being purchased must be IPv6 compatible. Most are, as the IPv6 address is formed from the MAC address. It's HEX and the initial digit assigned is a 2 (the number 2) which indicates planet Earth. Now that's planning ahead for future implementation, scalable to include the rest of the galaxies. To Infinity and Beyond!

Troubleshooting NAT
* Determine if there are enough addresses in the NAT pool
* Verify that the router interfaces are appropriately defined as NAT inside or NAT outside
* Verify that the ACL referenced by the NAT command is permitting the necessary inside local IP addresses

HOW TO change file permissions on LINUX

Changing file permissions on Linux is easy stuff that should just fly off your fingertips, but just in case you forgot, or someone asks you a question and you want to just send them a summary:

To change file ownership
usage: chmod +x thefilename

File permissions
666 means the sign of the devil! And also that the owner is allowed to read and write, group is allowed to read and write, and everyone is allowed to read and write. Well what good is that if you can't run it?

777 means read, write and execute for the owner, group and everyone respectively.

123 means owner can execute, group can write, everyone else can write and execute

321 means owner can write and execute, group can write, everyone else can execute

4321 same as 321, except that "4" is a special mode bit for "Set User ID" on execution
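The octal modes listed above, decoded into the rwx string that ls -l prints and then confirmed by actually applying each one to a scratch file (an added example, not from the post). It also handles the setgid (2) and sticky (1) special bits alongside the setuid (4) the post mentions; the function names are my own.

```python
"""Added example: decode octal modes (666, 777, 123, 321, 4321) and confirm them on disk."""
import os
import stat
import tempfile

# Special (fourth, leading) digit: bit value -> (which triple it marks, letter ls shows)
SPECIAL = {4: (0, "s"), 2: (1, "s"), 1: (2, "t")}  # setuid, setgid, sticky


def digit_to_rwx(d: int) -> str:
    """One octal digit: 4 = read, 2 = write, 1 = execute, added together."""
    if not 0 <= d <= 7:
        raise ValueError(f"octal digit out of range: {d}")
    return ("r" if d & 4 else "-") + ("w" if d & 2 else "-") + ("x" if d & 1 else "-")


def mode_to_rwx(mode: str) -> str:
    """'4321' -> '-ws-w---x'.

    Three digits are owner, group, other. A fourth leading digit carries the special bits,
    which ls shows in the execute slot: lower case when execute is also set (s, t), upper
    case when it is not (S, T), so a setuid file that nobody can execute stands out."""
    digits = [int(c) for c in mode]
    if len(digits) == 3:
        digits.insert(0, 0)
    if len(digits) != 4:
        raise ValueError(f"expected 3 or 4 octal digits, got {mode!r}")
    special, *perms = digits
    triples = [list(digit_to_rwx(d)) for d in perms]
    for bit, (idx, letter) in SPECIAL.items():
        if special & bit:
            triples[idx][2] = letter if triples[idx][2] == "x" else letter.upper()
    return "".join("".join(t) for t in triples)


def observed_rwx(mode: str) -> str:
    """Apply the mode with os.chmod to a temporary file and report what the kernel stored,
    formatted by stat.filemode exactly as ls -l prints it (minus the leading type char)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(mode, 8))
        return stat.filemode(os.stat(path).st_mode)[1:]
    finally:
        os.remove(path)


if __name__ == "__main__":
    for m in ["666", "777", "123", "321", "4321"]:
        print(f"{m:>4} -> {mode_to_rwx(m)}   kernel reports: {observed_rwx(m)}")
```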

Using grep
Searching for files containing a certain string
usage: grep string filenames | more
This means look for the string within the named files; the file name can be a pattern such as 2* (for example a bunch of log files beginning with 2012-month-day), with the output piped to more.

Verifying process ID
usage: ps -ef | grep theprocessIDnumber

Wednesday, February 8, 2012

Cisco ICND1 Flashcard: Router RIP and IGRP

ICND1 Topic: RIP
ICND2 Topics: RIPv2 VLSM, single area OSPF, EIGRP


Routing is taking a packet from one device and sending it over the network to another device on a different network. Routing requires routers. Routers learn about remote networks from neighbor routers (dynamic) or from static routes programmed by the administrator. All Cisco routers are classful routers, meaning they expect a default subnet mask on each interface on the router; otherwise the packet will be dropped. For default routing, the command "ip classless" must be used.

Two types of interior routing protocols
Static, Default and Dynamic Routes

IP Routing requirements
  • destination address and a source address
  • routing table for destination
  • neighbor
See other article about Static Route vs. Dynamic Routes
On directly connected networks, hosts and routers find the destination MAC address for the destination IP addresses using ARP.

Strategies to prevent routing loops:

Split Horizon Rule: the router will not advertise a route back through the same interface from which the route was learned

Route Poisoning: to poison a route, set the metric to infinite; for RIP that number would be 16 for the maximum number of hops. When used with Split Horizon, this strategy is called Split-Horizon with Poison Reverse.

Holddown: the holddown timer is used in route convergence, by preventing a router from reinstating a route until all routers have had enough time to "age out" the route from their tables. Prevents routers from advertising bad or expired routing information.

Routing Protocols QUIZ

Most common metrics used by routing protocols to determine a network path
hop count
bandwidth - data capacity. Say 10 Mbps is better than 64 kbps leased line
delay
load
reliability - bit error rate of each network link
cost - configurable, by default based on bandwidth
Not used as metrics: packet length, distance.
1. What are three types of routing protocols?
a) hop count based
b) link state
c) cost based
d) distance-vector
e) advanced distance-vector (hybrid)
f) bandwidth based
answer 1. b,d,e


Name two IGP (interior gateway protocol) Distance Vector protocols: RIP, IGRP (Cisco proprietary)
  • uses hop count as a metric
  • sends entire routing table to neighbor, called routing by rumour and periodic updates
  • lower CPU overhead than link-state protocols
  • uses split horizon, route poisoning, and holddown to protect from routing loops

RIP - Routing Information Protocol
Configure RIP to run on the router:
usage: conf t
router rip
network 192.5.5.0
network 10.0.0.0
  • RIP v1 and RIP v2
  • RIP Classful
  • RIP v2 supports VLSM (variable length subnet mask), route authentication
  • distance vector protocol
  • can load balance up to 6 equal cost paths
  • uses hop count as the metric. The maximum hop count is 15, therefore 16 is infinite and unreachable
  • sends periodic update every 30 seconds
  • RIP timers include: update, invalid, holddown, flush (and garbage collection).

A handy command to create an interface to learn routes but not advertise
In router config mode usage: passive-interface interface#

IGRP - Cisco Proprietary
Interior Gateway Routing Protocol. All routers within the same autonomous system should use the same AS number, and all routers should be Cisco if IGRP is used. IGRP was created to overcome the problems with RIP such as the 15 hop count limit. The maximum hop count for IGRP is 255, though 100 is the default. The IGRP metric (the value used to calculate the best route) is based on bandwidth and delay of the line, called a composite metric; other factors that are optional but not required are reliability, load, and maximum transmission unit (MTU). Sends a periodic update every 90s.

usage: conf t
router igrp 10
network 172.16.0.0

IGRP can load balance up to six unequal links to a remote network (RIP networks must have the same hop count to load balance).


Summary 
How does RIP work in the internetwork?
RIP uses hop counts to determine the best route to a network, with an upper hop count limit of 15

Know the RIP commands
router rip
show ip route
show ip route rip

Administrative distance
Rates the trustworthiness of routing information received on a router from a neighbor; an integer between 0 and 255, where 0 is the most trusted and 255 means no traffic will pass through this route.
Default Administrative Distances
Route Source, Default Distance
Connected interface = 0
Static route = 1
EIGRP = 90
IGRP = 100
OSPF = 110
RIP = 120
External EIGRP = 170
Unknown = 255 not routable
What is AS, autonomous system
An AS is a group of routers that share the same routing information.

Know the difference between RIP and IGRP
Describe the metrics used. RIP only uses hop count.
Others are hop count, bandwidth, delay.

Three truths, from a quiz:
Routers evaluate the available paths to a destination
The routing process uses metrics and administrative distances when evaluating network paths
Dynamic routing occurs when information is learned using routing information that is obtained from routing protocols.

Note: the routing table is only displaying the information to the user
Routing table provides an ordered list of known network addresses.
Routing tables contain metrics that are used to determine the desirability of the route
Routing table associations tell a router that a particular destination is either directly connected to the router (C) or that it can reached via another router (the next-hop router or exit interface) on the way to the final destination

Link State Routing Protocols
Link state routing protocols respond quickly to network changes
Link state routing protocols send periodic updates (link state refreshes) at long time intervals, about once every 30 minutes!!
In link state routing protocols, every router tries to build its own internal map of the network topology

ICND2 Flashcard: VLAN

ICND2 Topic: Implementing VLAN and Trunks, Improving performance with Spanning Tree, Routing between VLANs.



VLAN definition:

Short for Virtual LAN. Each switchport may be assigned to one VLAN, ports in the same VLAN share broadcasts, and there is one IP subnet per VLAN.

Reasons for implementing VLANs
- keeps broadcasts local to the VLAN, which also improves security
- inter-VLAN traffic can be filtered
- departmental network segmentation, for example: Sales, Engineering, Marketing, HR

Static VLAN
Create separate VLANs in the switch by assigning specific ports to VLANs.
More secure, but no flexibility for moving around the office network.

Dynamic VLAN
Permits users to move a computer around and still be connected to the department's VLAN.
Requires the Cisco VLAN Management Policy Server; set up a list of MAC addresses and the VLANs they belong to. A user can plug the computer into any switch on the LAN (less secure, since the NIC card can be removed).

Trunking VLAN
If the same VLANs exist on two connected switches, frames sent between the switches need a frame tag carrying the VLAN ID. Protocols for trunking:
ISL - Cisco only, for Fast Ethernet or 1 Gigabit. Spanning Tree works.
802.1Q - only one instance of spanning tree runs with 802.1Q, no matter the number of VLANs

Creating a VLAN and assigning ports.
How does it get added to vlan.dat in flash? It just does!
usage: conf t
vlan 2 (creates it!)
name Test2 (name is optional)

verify: show vlan brief

Assigning a switchport to a VLAN
usage: conf t
int fa 0/1
switchport access vlan 2

Inter VLAN Routing
A router is required to communicate between two different broadcast domains or VLANs. A router will not forward broadcasts; it will forward a unicast using the layer 3 address.

TRUNKING
A trunk is required to carry traffic for multiple VLANs; the IEEE protocol for inter-VLAN trunking is 802.1Q. A practical application is VoIP, using separate VLANs for IP phone traffic and data traffic.
Trunking, labelled VTP (VLAN Trunking Protocol) in these notes, is configured on a router sub-interface (the VLAN ID on the encapsulation line is required; the IP address is an example value):
conf t
int fa 0/0.2
encapsulation dot1Q 2
ip address 10.0.2.1 255.255.255.0
exit
router rip
network 10.0.0.0

A trunk can carry traffic for multiple VLANs. The switches tell each other which VLANs they have. The administrator has to configure one switch as the VTP server.

VTP Modes:
Server
- default for a Cisco switch
- must be in server mode to create, modify or delete a VLAN
- need one switch in server mode
- propagates VLAN information to the whole network

usage: conf t
vtp domain Pod2
vtp mode server
end

Client
- sends and receives updates about VLAN changes
- receives information from the VTP server
- cannot modify VLANs

Transparent
- switches just pass along the VLAN advertisements to other switches
- will not accept or send VLAN information for itself
- can create, modify, delete VLANs for itself

Adding a previously used switch to the network creates a potential issue, because switches sync with the device that has the higher revision number. To properly clean a switch's flash memory, delete the vlan.dat file. The safest mode when decommissioning an old switch, and before you plug it back in, to avoid damaging or destroying the present VLAN configuration, is set with the command

usage: vtp mode transparent
usage: show vtp status
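As an added example, not part of the original notes, the following Python script performs the pre-connection check this passage describes: it parses the output of show vtp status captured from a reused switch and reports whether connecting it could overwrite the domain's VLAN database. The two captures are constructed (the field labels follow the IOS output format); the production domain name and current revision number are assumptions supplied by the caller.

```python
"""Check a reused switch's 'show vtp status' output before connecting it.

Added example; the two captures below are constructed for illustration and
the production domain/revision are assumed values passed in by the caller.
"""
import re


def parse_vtp_status(text):
    """Extract the three fields that decide the outcome: operating mode,
    domain name and configuration revision."""
    fields = {}
    for label, key in (("VTP Operating Mode", "mode"),
                       ("VTP Domain Name", "domain"),
                       ("Configuration Revision", "revision")):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.*?)\s*$",
                      text, re.MULTILINE)
        if m is None:
            raise ValueError(f"missing field in show vtp status: {label}")
        fields[key] = m.group(1)
    fields["revision"] = int(fields["revision"])
    return fields


def safe_to_connect(status_text, prod_domain, prod_revision):
    """Return (ok, reason).

    A transparent-mode switch relays advertisements but never applies them,
    so it cannot push its VLAN database onto the domain. A server or client
    in the same domain whose revision is at or above the production revision
    will be accepted by the other switches as the newest VLAN database.
    """
    s = parse_vtp_status(status_text)
    if s["mode"].lower() == "transparent":
        return True, "transparent mode: advertisements are relayed, not applied"
    # A blank (NULL) domain name adopts the first domain advertised to it.
    domain = s["domain"] or prod_domain
    if domain != prod_domain:
        return True, f"different domain {domain!r}; will not sync with {prod_domain!r}"
    if s["revision"] >= prod_revision:
        return False, (f"{s['mode']} in domain {domain!r} with revision "
                       f"{s['revision']} >= production {prod_revision}: "
                       "set vtp mode transparent and delete vlan.dat first")
    return True, f"revision {s['revision']} is below production {prod_revision}"


# Constructed capture: an old server-mode switch with a high revision number.
OLD_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 57
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : Pod2
VTP Pruning Mode                : Disabled
"""

# Constructed capture: the same switch after 'vtp mode transparent'.
CLEANED_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : Pod2
VTP Pruning Mode                : Disabled
"""

if __name__ == "__main__":
    for name, capture in (("old", OLD_SWITCH), ("cleaned", CLEANED_SWITCH)):
        ok, reason = safe_to_connect(capture, "Pod2", 12)
        print(f"{name}: {'OK' if ok else 'DO NOT CONNECT'} - {reason}")
```

The decision deliberately keys on mode and revision rather than on the VLAN count: a switch with fewer VLANs but a higher revision still wins the sync, which is exactly how the production VLAN database gets wiped.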

Tuesday, February 7, 2012

Cisco ICND1 Flashcard: Are you tech savvy about DSL, the Last Mile, NAT and PAT?

The topic of DSL was covered in the CCNA Bootcamp course as a requirement for the ICND1 Exam.

Internet Resellers
TekSavvy talk has been making the rounds lately on forums at work and online. They're in the news among the other victims of the ongoing CRTC ruling on "usage based billing", or wholesale billing regulations from large ISPs to small ISPs. I decided to take a look at what folks were talking about: really cheap rates for high speed internet, long distance calling, residential phone and even cable, at much lower rates than standard Bell or Rogers! However, the ruling will make unlimited packages impossible or too expensive, as the cost of using Bell or Internet backbone services is transferred to the consumer; for example, Bell will charge TekSavvy or Acanac an extra $22/Mbit, or 22k for a 1 Gbps link. The other thing I didn't quite understand right away was why, when TekSavvy customers had a problem and called up TekSavvy tech support, a service call would be sent out to Bell or Rogers. OK, I get it: Bell or Rogers still provide the DSL or last mile connection. TekSavvy is an "internet reseller" or ISP.

There is a business argument for open competition that folks are feeling very strongly about; see the Open Media debate and petition. My article is purely about the electrons, not the politics. Back to the basics.

What is DSL and the Last Mile?
The story begins with the telephone cabling we are already familiar with. It's copper and can carry signals from 300 Hz to 1 MHz. However, the human voice only uses the 300 Hz to 3 kHz portion of the link, so DSL can use the remaining 3 kHz to 1 MHz for high speed, "always on" data. DSL stands for Digital Subscriber Line, and it allows packets to be sent over copper owned by an ISP. It is not a shared medium: each user has their own direct connection to the DSLAM. It's scalable, since adding new users does not degrade network performance. DSL can be used simultaneously with voice.

The cabling part is also referred to as the local loop or last mile, the last step of the local telephone network connection. DSL may be added incrementally in any area, with some distance limitations, but is not universally available in all geographic locations. Equipment required includes the CPE (Customer Premises Equipment) and the DSL Access Multiplexer (Time Division Multiplexer). There is a physical limit of 5.5 km distance for ADSL, and some folks would consider the "always on" aspect of DSL as hackable; well, whatever.


DSL can be used by a large company to support the "work at home" workers. The worker cannot connect to the enterprise network directly; instead he first connects to the ISP and then an IP connection is made from the Internet to the enterprise network.

DSL places the data upload and download above the 4 kHz window, allowing voice and data transmission to occur simultaneously on the same DSL service.

There are two categories of DSL:

ADSL, Asymmetric: higher download bandwidth than upload (less than 5.5 km distance)
VDSL, VDSL2 is very high data rate
250 Mbps at the source
100 Mbps at 0.5km
500 Mbps at 1km
ADSL, ADSL2, ADSL2+
Consumer DSL, aka G.Lite (G.992.2)

SDSL, Symmetric: same capacity in both directions
HDSL, high data rate DSL
ISDN DSL (IDSL)
G.shdsl, symmetric high bit rate DSL

In all instances, it's WAN access. It is not cable; cable is best described as a bus network topology, with fiber under the street and copper to the home. (Why do I have this in my notes?)

Transceiver - connects the worker's computer to the DSL line, usually a modem with a USB or Ethernet cable. Newer DSL transceivers can be built into routers with 10/100 switch ports for home and office use.

DSLAM - located at Central Office of the carrier. DSLAM combines individual DSL connections into one high capacity link to the ISP and Internet.

Assigning an IP Address
It used to be that when you turned on your computer the ISP would assign an IP address to it by DHCP, and when you were finished with your connection the computer would return the IP address to the pool. The only thing is, people don't usually turn off the computer, so this IP address is almost permanently taken. I suppose if it was a work computer, the network administrator could use private-to-public IP address translation.

The global internet is like a large WAN. Servers need an IP address from the ISP for their interfaces, which is either manually assigned by the ISP or dynamically assigned. When you have a private IP address and need to go online, the addresses have to be translated by NAT from the internal LAN to the outside world.

Next Topic:
NAT, PAT and Overloading

VPN in a Nutshell

Not sure if this topic is for the CCNA Exam, ICND1, or ICND2 Exam but it was covered peripherally in the CCNA Bootcamp course and is offered as a separate course or certification for Cisco VPNs.

What is a VPN?
Definition: Virtual Private Network, a private network created by tunneling over a public network while maintaining confidentiality and security. It's a way to communicate securely through a dedicated server to a corporate network over the Internet. Windows NT, 2000 and XP offer native VPN support. The Cisco router IOS has to support VPN.

A VPN client can also be set up on a Linux platform, the first of its kind. Download the network-manager-vpnc package. http://www.linuxplanet.com/linuxplanet/tutorials/6773/1

What are the Components of a VPN?
  • A real network with servers and workstations
  • An Internet connection
  • VPN gateways are endpoints that establish, maintain and control VPN connections; these could be routers, firewalls, VPN concentrators and the ASA (Adaptive Security Appliance)
  • Software to manage the VPN tunnels
  • Cisco IOS software that supports VPN

How to make VPN's secure?
VPNs are inherently secure. In fact, there are certain totalitarian regimes in the world today where VPNs are absolutely banned! I suppose it is because the added security prevents the government from spying on its own people plotting a revolt. Now what I want to know is, how does the government know if someone is using a VPN, where it starts and where it ends? How do you even see a VPN signature?

VPNs are secure by virtue of encapsulation or tunneling, transmitting data transparently from one network to another through a shared infrastructure. Encryption is also used to encode data into a protected format using a shared secret key, and then decode the encrypted data back into the original unencrypted format.

Read more about Encryption Standards

Setting up or Connecting to the VPN
  • IPSEC gateway: the hostname or IP of the VPN server
  • IPSEC ID: the groupname
  • IPSEC secret: the shared password for the group
  • your username
  • your password
The pre-shared key replaces the certificate file to form the tunnel. It sounds like a pretty serious breach if someone acquired the pre-shared key, so don't leave it stored on the computer in a file called "my vpn shared password for the group", if you know what I'm saying.

Hardware
Cisco ASA 5500 Series offers both IPSec and SSL VPN, application inspection firewall and intrusion prevention services.

Cisco 7600 Series/ Catalyst 6500 Series IPSec VPN, requires a shared port adapter. Did I read correctly, it runs AES encryption and can carry up to 8,000 IPSec tunnels?

Configuration Commands
Here is a mishmash of commands I have to reorder in the right sequence because it is supposed to work on a Cisco 2811. It's not an actual configuration file but notes I wrote to myself as comments for things to include. Sample config file coming soon, when I can prove that it works!

It's tricky but there is useful information on HOW TO configure an IPSEC encrypted tunnel with Cisco. A lot of helpful pages on cisco.com as well.


% Prerequisites
% ip cef or ip cef distributed
% configure a loopback interface
% enable SNMP notifications of L2TP session up/down: snmp-server enable traps l2tunnel session
% xconnect: applied to which interface?
% ip pmtu command configures the pseudowire class
% L2TPv3 data encapsulation directly over IP (protocol number 115); sessions between the same Layer 2 protocols.
% choose static or dynamic L2TPv3 sessions
% set the MTU; use ip dfbit set and ip pmtu accordingly