Wednesday, June 6, 2012

Dell 2950 Troubleshooting with Dell 32 bit Diagnostic Tool

My buddy says, Help! My server won't boot up, I keep seeing these errors:

The following VD's are missing: 01
and
The battery hardware is missing
The second one is possibly easy to fix; the battery probably drained from being unplugged on the shelf for too long. Plugging in the Dell 2950 without powering it up should do the trick, taking about 24 hours to reach full charge.

VD1 is the RAID 0 virtual drive that is set up across the drives 2,3,4 and 5
VD0 is the RAID 1 mirrored on drives 0 and 1

Were the drives installed in the right bays? yes.
If not, you can recreate this from the RAID Controller GUI

Now the tech has started the procedure to reconfigure the RAID, but the system is not seeing hard drives 2, 3, 4 and 5 anymore.
HOW TO configure RAID on Dell 2950
http://www.thegeekstuff.com/2008/07/step-by-step-guide-to-configure-hardware-raid-on-dell-servers-with-screenshots/
Check if the RAID controller card is functioning.
Swap with another system that is working to verify.

PDF explaining the Dell diagnostic utilities (written by Dell):
http://www.dell.com/downloads/global/power/ps1q05-20040119-Patel-OE.pdf


Downloads page for Dell PowerEdge 2950:
http://www.dell.com/support/troubleshooting/us/en/555/Index


The "Dell 32 Bit Diagnostics" tool (best):
http://www.dell.com/support/drivers/us/en/555/DriverDetails?DriverId=Y6D93&FileId=2731107576&DriverName=Dell%2032%20Bit%20Diagnostics%2C%20v.5118A0%2C%205118.3&productCode=poweredge-2950&urlProductCode=False

HOW TO remotely run the Dell 32 bit Tier 2 Diagnostic over KVM
http://technicalsupportnetwork.org/blog/index.php?op=ViewArticle&articleId=5&blogId=1

What the heck is on that guy's roof?

I often see the strangest antennas strapped to someone's chimney or poking out of the trunk of someone's car. Usually it belongs to a ham radio enthusiast, a buddy searching for extraterrestrials, or simply someone grabbing HDTV off the air. I've always been fascinated by the symmetry or the mathematical basis behind the aesthetic design, and by "what does that antenna do?"


I came across the Log Periodic Antenna design while looking up the Blonder-Tongue Doctrine in US patent law, oddly enough; the case set a precedent. Sometimes the LPA is referred to as Isbell (in honor of one of its creators at the University of Illinois). The repeating nature also gives it a fractal design. The design parameters are simplified into the following design criteria:

1) Upper and lower operating frequencies set the shortest and longest dipole length
2) Number of elements
3) Apex angle of the antenna
4) Each successive element is a scaled-down length of its immediate predecessor down the array.
5) The scaling factor τ (tau) derived from a log function.

The longest dipole is 1/4 wavelength of the lowest frequency; the shortest dipole is 1/4 wavelength of the highest frequency. The geometry diagram shows only the top half of the antenna; the bottom half is a mirror image of it. I don't understand why they have to make it a pyramidal design for aesthetics. They must do this to achieve a symmetrical RF footprint with two lobe pairs instead of just a single side. This article explains in detail how the formulas are used and the magic math involved.

I found an online calculator for the LPA design parameters but I just find it creepy that the page displays your IP address and makes snide comments about the browser you're using. Other than that, it's very accurate, I matched the numbers I punched in with a real Kathrein-Scala dual band wireless antenna spec sheet.

Cross Polarization

The LPA can be quite small and still cover a fairly broad radiation footprint with reasonable power gain. What's neat is that only part of the array is active at a given frequency, so the antenna can cover a wide frequency band without needing a switching system. This is good for television reception or, as advertised, dual band wireless applications.

To the untrained eye, the Log Periodic Antenna could be confused with a Yagi, or at least has many similarities, but I'd say that the LPA is more triangular while a Yagi is more rectangular.


Friday, June 1, 2012

Miss Canada answers Ubiquitous Broadband Internet Access

At every beauty pageant they always ask the bikini-clad candidate, what is your wish for mankind. Everyone always says the noble standard answer, "World peace" and the crowds cheer. However if I were ever the Miss Canada candidate, I would have to make my answer, free broadband Internet access in Africa.

I cannot claim this idea as my own, but it starts with an obscure agreement between the government of the Province of British Columbia and a major Canadian telco, Telus Corporation, signed on July 29, 2011. BC is in a business agreement with Telus, for a transfer of $10.00 Canadian (if I read that right), to provide all residents in BC with access to broadband Internet and telecommunications services, so that they have access to the social benefits of connectivity for economic initiatives, government services, electronic health and education services. Contract in pdf here.

The 109 page document, signed by the Minister of Citizen's Services and Open Government, outlines lots of provisions, including asking Telus:
- to facilitate last mile connectivity
- expand cellular coverage in rural areas
- maintain Central Office live status if no other ISP is available
- to provide carrier service to the CO for a small ISP
- set a fair wholesale pricing list
- to not compete with eligible ISPs to provide the retail broadband services to end users, except where Telus already has cellular coverage (EVDO, HSPA, LTE) and DSL

The agreement seems to support fair market prices for the consumer and a non-competition period of three years, and seems to leave it up to Telus to build the infrastructure, the way I understand it. Sounds like a pretty sweet deal for all!

I read a recent article on CNN that linked poverty in the USA to lack of access to basic telecommunications and the Internet, because job searching, access to higher education and nearly everything these days are most accessible to folks with Internet access, and the have-nots are hurting even more without it. We'll see how this reaches out to the more rural communities and people living off the grid. Imagine what it could do for a developing nation! Access to information and the capability to communicate and collaborate with other humans.

In my search for the road to world peace, I came across the most inspiring article on CNN by Hamadoun Touré who writes the best case scenario for how mobile broadband could save Africa and help them reach Millennium Development Goals. The UN Millennium Development Goals are best summarized in three categories of education, health, and the environment, and the author sees mobile broadband  playing a key role in each. Alright, he takes the crown from Miss Canada's idea.

"If you combat disease, you also reduce child mortality; if you give every child a primary education, you promote gender equality. It is because these goals are interlinked that broadband is so important."
http://edition.cnn.com/2012/02/27/opinion/technology-toure-africa-mobile/index.html?iref=allsearch

The government priority or foreign aid should be geared at building the infrastructure to support the broadband network or even mobile public transport vehicles equipped with low-cost wifi repeaters.

Here are examples of the Smartphone usage helping local businesses
1) Regular weather updates for the farmer on his Smartphone to plan his planting and seeding schedules
2) GPS geolocation capability for precision farming and optimizing fertilizer and pesticide usage
3) Online access to employment and training in Kenya
4) A young entrepreneur who developed an app for children to improve literacy, numeracy and general knowledge, and the platform to deliver the wifi Internet access by public transport vehicles

As long as the kids don't spend too much time playing Angry Birds, here's to saving Africa one smartphone at a time.

Monday, March 26, 2012

Top Female Astronauts of China

Wow, you have to be smart and hot to be chosen as the next astronaut of China. Really? Perfect teeth, for the photo ops I bet. Another criterion: having given birth naturally, so that cosmic rays don't affect reproduction, or rather their reasoning was to prove that biologically all systems were functioning. Ew.


Can you wear makeup in space?
The original article mentions that there were two top candidates selected from a list of top fighter pilots. Some folks were upset that requirements for higher education weren't mentioned. My opinion is that I'd rather have a good pilot fly the spacecraft; if they've made it this far, they definitely have an impressive resume. Last I heard, Chinese people are all about having that Dr. in front of the name, and the extra degrees and fancy industry qualifications. Therefore, by default, to be a pilot you have to have a university degree.

A friend who would indeed meet all the other specs writes: "The article itself doesn't seem to say that they need to be photogenic (though the photo certainly implies that), but rather have a body with certain biological standards, none of which applies to looks. What I'm naturally skeptical about are their "scientific" claims as to why these standards are necessary in space."

What makes the best astronaut for the mission?

Here is a more balanced view of reporting on mothers for female crew selection.

Wednesday, March 21, 2012

Forever Stocks to Buy

Bill Gates buys $571 million dollars of stock on this ticker. Are you gonna read on? He calls these kinds of things, like Mastercard and Deere & Co. (farm equipment), his Forever stocks, things that you could hold on to forever.

What are Warren Buffett and Bill Gates buying?

Personally I would consider Cisco a Forever stock, and for sure Lululemon. I'm just bragging because I made over $200 in one day on that stock the other day. I bought the shares at $71 and it went up to $72-something. I say something cuz I'm obviously not managing my own money, too busy studying for these Cisco exams but there you go. Imagine if I had bought these in 2009 when they were $9 something a share, and then they split at $100 a few months ago.

My friend works at Cisco in Kanata ("Silicon Valley North") and he writes the Cisco IOS. They get stock options, so that's pretty awesome. He was explaining to me this new thing with delivery of wireless in a metropolitan area and enabling mobility by having the user keep the same IP. The cellular bandwidth is getting too congested, so it sounds like folks in Hong Kong are moving over to Internet routing. Sounded really impressive; I'm not in mobile or wireless, but that sounds really neat.

I won't be rich like Warren Buffett and Bill Gates, just working full time hours on routers and switches, but at least I know what is powering those supercomputers at the NYSE, forever!

Friday, March 16, 2012

ICND 2 Flashcard: Frame Relay

Frame Relay allows the expansion of the WAN with less hardware by providing virtual circuits; less costly than running multiple leased lines like HDLC and PPP.

For example, Router 1 (DTE) at your company site has to connect to Router 2 (DTE) at the other site. In between is the Frame Relay cloud. Router 1 connects to one switch (DCE) in the cloud, and Router 2 connects to another switch (DCE). Router 1 could also connect to a Router 3 and so on.

One router has an access link which can support multiple virtual circuits to send data to multiple remote routers. Each link is a virtual circuit. Each frame carries a data link header and trailer; the header holds an address field called a DLCI.
DLCI - Data Link Connection Identifier

The notes for this section are taken from the first CCNA Bootcamp course I studied in 2003, by Marketbridge Technologies in Hull-Gatineau. http://www.marketbridge.com/# The company has grown and changed a lot over the years, from offering courses to consulting services, but the owner remains the same so it's probably the same company.

Two Frame Relay encapsulations: Cisco and IETF
Cisco is the default, and it means that you have a Cisco router on each end of the Frame Relay network. If you don’t have a Cisco router on the remote end of your Frame Relay network, then you need IETF encapsulation.

Frame Relay is a cost efficient technology for intermittent connections from a LAN, or between endpoints, to major backbones or a public WAN. A permanent virtual circuit (PVC) is formed, enabling the customer to perceive a continuous, dedicated connection without having to pay for a full-time leased line; the ISP determines the route each frame travels to its destination and can charge based on usage. Think of it as shared bandwidth: a portion of the dedicated paid bandwidth is allotted to each user, and the user is allowed to exceed the guaranteed bandwidth if resources are available.

However, for a truly private network, Frame Relay would run over leased lines such as T-1 lines. A dedicated connection during the transmission period is required, but without a steady flow of transmissions, so it is not often used for voice or video. The data units are frames of variable size.

Packet-based switching.
Frame Relay is based on the older X.25 packet-switching technology, which was designed for analog voice. Frame Relay today is fast packet switching because it operates at the Layer 2 data-link layer and not so much at Layer 3 (network), even though a frame can carry packets of Ethernet and X.25. Error checking or resending is up to the endpoints.

I really like the description of a frame-relay map and how it joins a DLCI with an IP address, much like ARP mapping a MAC address to an IP. See the IP-to-DLCI mappings with the command show frame-relay map (Inverse ARP is the default on Cisco routers).

Possible network topologies
Hub and Spoke: one hub many spokes used with sub interfaces
Partial Mesh or Hub and Spoke - routers do not have a VC to all other routers

Full Mesh: each router has a logical circuit to every other router

Hybrid: Two remote routers may have VC to each other providing full mesh connectivity between them and the hub. The other remote routers may have only one VC back to the hub.
Frame-Relay LMI
Frame Relay uses the Local Management Interface (LMI) protocol to generate keepalives and obtain the status of the virtual circuits. LMI message formats: Cisco (DLCI 1023), ANSI or Annex D (DLCI 0), and Q.933A or Annex A (DLCI 0?), containing info regarding:
  • Keepalives
  • Multicasting - Multicasting uses the reserved DLCIs from 1019 through 1022.
  • Global addressing - This provides global significance to DLCIs, like a LAN
  • Status of virtual circuits - This provides DLCI status.
Possible states for the circuits
Active - the circuit is up and running
Inactive - possible cause: the circuit to the CO (frame switch) is fine but the remote end is down
Deleted - circuit to the CO not working: interface down or cabling issue, no LMI

Congestion Control in Frame-Relay
DE - Discard Eligibility, mark for packets exceeding the CIR
BECN - Backward Explicit Congestion Notification, tell source to slow down transmission
FECN - Forward Explicit Congestion Notification, tell destination there was congestion in the cloud
An excellent summary of everything you need to know about Frame Relay for Cisco CCNA, written like a study blog with network diagrams. The style of writing is like an instructor speaking. Click here.

usage: conf t
encapsulation frame-relay

Scenario
There are seven remote sites to connect and only one serial port on the router. Instead of seven leased lines, frame-relay might be a good solution to statistically multiplex multiple logical circuits over one physical interface to save money.

Access rate The maximum speed that the Frame Relay serial interface can transmit.

CIR The maximum bandwidth of data guaranteed to be delivered. In reality, it’s the average amount that the service provider will allow you to transmit.

For example, if the link has a T1 access rate (1.544 Mbps) and you're paying for a CIR of 256 Kbps, the first 256 Kbps of traffic you send is guaranteed delivery. Beyond that, it's a "burst", a transmission that exceeds the guaranteed 256 Kbps rate, up to the T1 access rate (if that amount is in your contract). I believe this sounds like the whole discussion about paying for bandwidth usage and doing away with unlimited plans with the CRTC ruling??

Obviously, if the combined committed burst (the CIR) and excess burst sizes, known together as the MBR or maximum burst rate, exceed the access rate, then the packets will be dropped, depending on the service provider.
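The access rate / CIR / burst discussion above, worked as a simplified policing model (an added example, not from the original post or from any Cisco documentation): within one committed interval Tc, the first CIR*Tc bits (Bc) go through as guaranteed, the next (access rate - CIR)*Tc bits (Be) are forwarded but marked Discard Eligible, and anything beyond the access rate is dropped. The 1.6 Mb of offered traffic and the 100 Kb frame size are constructed inputs; real provider policers use a token bucket, so this is the "what to expect" version, not the exact algorithm.

```python
"""Simplified Frame Relay CIR / burst classification (added example).

Assumption (not from the notes): Be fills the gap between CIR and the
access rate, i.e. the contract allows bursting up to the access rate.
"""
from collections import Counter


def burst_sizes(cir_bps: int, access_rate_bps: int, tc_seconds: float = 1.0):
    """Return (Bc, Be) in bits for one committed interval Tc."""
    if cir_bps > access_rate_bps:
        raise ValueError("CIR cannot exceed the access rate")
    bc = int(cir_bps * tc_seconds)                       # committed burst
    be = int((access_rate_bps - cir_bps) * tc_seconds)   # excess burst
    return bc, be


def classify_frames(frame_bits, cir_bps, access_rate_bps, tc_seconds=1.0):
    """Classify each frame offered during one Tc as 'ok', 'DE' or 'drop'.

    A frame is 'ok' while the running total stays inside Bc, 'DE' (Discard
    Eligible) while it stays inside Bc + Be, and 'drop' once the access
    rate itself is exhausted: the serial interface cannot send any faster.
    """
    bc, be = burst_sizes(cir_bps, access_rate_bps, tc_seconds)
    sent = 0
    verdicts = []
    for bits in frame_bits:
        sent += bits
        if sent <= bc:
            verdicts.append("ok")
        elif sent <= bc + be:
            verdicts.append("DE")
        else:
            verdicts.append("drop")
    return verdicts


def summarize(frame_bits, cir_bps, access_rate_bps, tc_seconds=1.0):
    """Count how many frames land in each class."""
    return dict(Counter(classify_frames(frame_bits, cir_bps, access_rate_bps, tc_seconds)))


if __name__ == "__main__":
    T1_ACCESS_RATE = 1_544_000   # bits per second, from the notes
    CIR = 256_000                # bits per second, from the notes
    # constructed: sixteen 100 Kb frames, 1.6 Mb offered in one second
    frames = [100_000] * 16
    print(summarize(frames, CIR, T1_ACCESS_RATE))
```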

ICND2 Flashcard: EIGRP

EIGRP = Enhanced Interior Gateway Routing Protocol

It is a Cisco proprietary, advanced distance vector routing protocol. Some folks may refer to it as a hybrid routing protocol, but it is truly not. EIGRP uses Hello packets, much like a link state protocol.

Advertised distance - the EIGRP metric reported by a neighbor to reach the network
Feasible distance - the metric to reach the neighbor + the advertised distance

Features of EIGRP
Rapid convergence using the Diffusing Update Algorithm (DUAL) guarantees loop free paths and backup paths. If the primary route in the table fails, the best backup route is added to the table immediately. If no route exists, EIGRP queries the neighbors.

Reduced bandwidth by not sending the entire database and instead using:
Partial updates: only include route changes, incremental updates and not the whole table
Bounded updates: only send updates to routers affected

Multiple Network Layer Support can do Appletalk, IP, IPv6, Novell (IPX)

Less overhead by using multicast and unicast, not broadcast. The IP address 224.0.0.10 is listed in my notes.

Classless Routing
The mask is advertised for each network as this provides smaller subnets and efficient use of IP addresses.  The protocol can also support discontiguous subnets and VLSM (variable length subnet masks)

Load Balance
The protocol allows load balancing on equal (by default) and unequal cost paths. Caveat, for unequal cost paths, variance must be specified.

EIGRP does equal metric load balancing by default up to four equal metric routes. This means the variance value is 1 (default).  The routing table can have 16 entries for the same destination.

Configuring EIGRP
usage: conf t
router eigrp 100 (autonomous system 100, 1 to 65535 possible)
network 10.0.0.0
network 192.168.10.0 0.0.0.15 (the wildcard mask can advertise subnets now)
no auto-summary (what does this do?)
variance 2

Verify EIGRP
show ip route eigrp
show ip protocols
show ip eigrp interfaces
show ip eigrp int fa 0/0
show ip eigrp int 100
show ip eigrp topology
show ip eigrp topology all-links
show ip eigrp traffic (this command lists number of packets sent/ received; HELLO, updates, queries, replies, ack etc)

More about the Variance Command
This command allows unequal metric load balancing, metrics being
* bandwidth
* delay
* reliability - the most reliable based on keepalives
* load
* K value - calculation method and AS number must match
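The advertised distance / feasible distance definitions, the backup-path guarantee of DUAL and the variance rule from the notes above, worked through in code (an added example, not from the original post or from Cisco). The neighbor names, link costs and advertised distances are constructed; the feasibility condition (a neighbor's advertised distance must be lower than the successor's feasible distance) is what keeps a backup path loop-free.

```python
"""EIGRP successor / feasible successor selection with variance (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    neighbor: str
    cost_to_neighbor: int      # our metric to reach the neighbor
    advertised_distance: int   # the neighbor's own metric to the network

    @property
    def feasible_distance(self) -> int:
        # FD = metric to reach the neighbor + advertised distance
        return self.cost_to_neighbor + self.advertised_distance


def successor(paths):
    """The successor is the path with the lowest feasible distance."""
    return min(paths, key=lambda p: p.feasible_distance)


def feasible_successors(paths):
    """Feasibility condition: AD must be strictly less than the successor's FD.

    A neighbor that is farther from the network than we are (AD >= our FD)
    could be routing through us, so it is never kept as a backup.
    """
    best = successor(paths)
    return [p for p in paths
            if p is not best and p.advertised_distance < best.feasible_distance]


def load_balanced_paths(paths, variance=1, maximum_paths=4):
    """Neighbors installed in the routing table for this destination.

    With variance 1 (the default) only equal-metric routes are used; a larger
    variance also installs feasible successors whose FD is within
    variance * successor FD.  maximum-paths defaults to 4 (16 is the limit).
    """
    best = successor(paths)
    threshold = variance * best.feasible_distance
    chosen = [best] + [p for p in feasible_successors(paths)
                       if p.feasible_distance <= threshold]
    chosen.sort(key=lambda p: p.feasible_distance)
    return [p.neighbor for p in chosen[:maximum_paths]]


# constructed topology: three neighbors advertising the same network
PATHS = [
    Path("R-A", cost_to_neighbor=10, advertised_distance=20),  # FD 30 -> successor
    Path("R-B", cost_to_neighbor=25, advertised_distance=25),  # FD 50, AD 25 < 30: feasible
    Path("R-C", cost_to_neighbor=5, advertised_distance=40),   # FD 45, AD 40 >= 30: rejected
]

if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:", load_balanced_paths(PATHS, variance=v))
```

Note that R-C has a better feasible distance than R-B yet is never installed, even with variance 2: variance only relaxes the metric ratio, not the feasibility condition.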

Troubleshoot EIGRP
show ip eigrp neighbors
show ip int brief (shows which interfaces are active)
show ip int fa 0/0 (see ip subnets)
show ip protocols (see routing for networks)
show ip eigrp int (check for the process id and the same K method)
debug eigrp packets

show ip route (displays all the routes and eigrp is labeled)
show ip eigrp topology (shows the router id with the highest IP address which should be the loopback 0)

Thursday, March 15, 2012

Who are your online friends?

Ego-surfing

So I did a google search on myself because my colleagues claimed that they searched everywhere on the Internet for me, to find my phone number, but they could not find me. I'm not convinced because I am who I am. I ran the search myself on my firstname lastname city; most hits on the first page are true, albeit outdated. A job I posted as a prospective employer, an old work email address that got too much spam, what I studied and where I went to school, my volunteer work at a professional organization, and my resume as a piano teacher. The part about me running a half marathon? That's not true. LOL I am registered for a mini-triathlon, but no, I have never run that far in my life.

On the next page I see a LinkedIn profile for a girl with the same name as mine in Washington. She's American but not Asian, with 30 years of experience in law enforcement, industry specific skills and two big stints in Interpol. Her photo is of a really good looking chick, probably age 25. I'm nice so I decide to send her a friendly note to say... "hey we have the same name but your resume is so amazing! But the LinkedIn profile is wide open to the public and you have security clearances, perhaps you could change the default privacy settings, but you don't have to friend me." I had to send the message as a "connection request" because that's the only way you can contact someone you are not actually connected to. Surprisingly, she accepts. I'm intrigued by this mysterious and successful persona with my name. I get frequent updates that she has new connections joining her from Northrop Grumman (US DOD contractor) and other interesting people. In the back of my mind, I have suspicions why someone has 30 years of experience and looks 25 (but that cannot be a crime).


Managing your online relationships

I decide to talk to my old boss because he is in the IT security industry; he would know what to say about these kinds of sticky things I get myself into. He jokes that women with my name simply cannot be trusted. He sends me a link to this article about the famous Robin Sage experiment. It's a good read about basic online security awareness and social engineering: the "girl" who duped military intelligence and top notch IT security professionals.

He reassures me that he did some peripheral background checks on my new contact and the info in her resume does check out; and he even convinces me that based on her info if she is 46, well some women could still look that good. (So that confirms that he thinks she is good looking too) But he cautions me with something I should know already, as a general rule, be careful about being friends with someone you haven't actually met in real life.

Another time on Facebook, I accepted a friend request from a person who I assumed was a twenty-something year old friend of my sister, because it was a name I thought I recognized. As soon as I accepted, she chatted me up and started her note with "hihi"; her writing style was very girly and teeny boppy and we talked about similarities between her hometown Vancouver and mine. Her friend list is full of really good looking Asian chicks, but no guys. Well, that's odd, but I think nothing of it. Over the course of weeks we continue to talk, about the Victoria Day long weekend, how cute the kids are with tulips. Soon after, I get a friend request from her again because she told me her account got locked so she started a new one. This keeps happening on a weekly basis and I decide to forget about it. On a whim I search for her profile name and there are many, many profiles (without a profile picture) with her name, but there was one with a photo of a really ugly looking guy. Reminds me of a guy who did too much boxing in the face, was my first impression. I was shocked to learn that my new "friend" was probably some kind of predator. What should've been my first clue? What kind of teeny-boppy girl doesn't have guy friends on her friend list?


Managing your online profile

You ask yourself, Who am I? Well if you feel the need to do some ego-surfing and google yourself and if you don't like what you see, here is a good article I found about un-googling yourself and managing your online identity a little bit better. Un-google yourself!

Verify the privacy settings on your various social media websites, especially access policies to the photos you post of yourself and your own children! Google has recently updated their privacy policy, which makes it harder to delete your online search history. So, um don't google something criminal like that other guy, "where to hide a body".

Monday, March 12, 2012

ICND 2 Flashcard: Routing OSPF

This material on link-state routing protocols is supposed to be ICND2 but I'm just gonna say that you should still study this for ICND1 because I said so, and wish I did. Hello!

OSPF Configuration Commands

usage: conf t
router ospf 100 (numbers 1 to 65535 valid)
log-adjacency-changes
network ipaddressofnetwork wildcardmask area number
network 10.1.1.0 0.0.0.255 area 0

router-id
Create a router's interface loopback 0 address first
Turn on OSPF
If the IP address ever changes, use the command clear ip ospf process

1) Use the router-id configured with the router-id command, else
2) Choose the highest of the loopback interface addresses, else
3) Choose the highest of the active interface addresses

Verification of OSPF working
show ip route (shows all the routes the router knows and how they are learned, O = OSPF)
show ip protocols
show ip ospf (displays general information)
show ip ospf interface (area id, adjacency info)
show ip ospf neighbor ipaddress mask

The command, show ip route, is very useful because it also shows the interface of the learned routes. I had a scenario to set up two encrypted tunnels for redundancy. I did a show ip route from router2 and I noticed that all the networks I was looking and learned from OSPF were listed; I was quite perplexed that the routes were not learned from the secondary tunnel associated with router2. Everyone thought I was quite the wizard to get all the systems green again, high fives all around, and no one really cared to listen what I was still concerned about.

Eventually I figured out that the routes were obviously learned by OSPF through the interface to router1 whose tunnel is indeed up, which verifies OSPF learned routes to distant networks works but my intended secondary tunnel was not up. I did some digging and discovered I was missing the tunnel's source ip address in the interface tunnel configuration, what a silly rookie typo. But that's proof that OSPF was working so well I had fooled everyone (but not myself).

Logically, a hub and spoke topology or partial mesh? You be the judge.
Authentication of OSPF
service password-encryption (otherwise the key will be in plaintext)
ip ospf authentication-key plainpas
ip ospf authentication OR
area 0 authentication (you can choose md5)

Troubleshooting OSPF
Consider possible errors in neighbor adjacencies, the routing table, and authentication.
The authentication methods are 0 = null, 1 = simple password, 2 = md5

OSPF means Open Standard Shortest Path First
- It is Classless IGP within a larger AS operating as a single OSPF network on Cisco
- A Link State protocol propagates the LSA's and not routing table updates

These are flooded to all OSPF interfaces in the area:
- the description of the interface
- state changes are advertised immediately
- periodic update of the entire database every 30 minutes
- forms a link state database
- calculates the shortest path using a SPF algorithm
- all routers in the area will have the same topological database; knowledge of distant routers

HELLO Protocol
- OSPF sends hello packets out an interface to confirm the presence of other OSPF routers on the link
- bidirectional response
- adjacency is formed when two routers agree on area-id, hello/dead interval, authentication, stub, area flags

To reduce traffic, one router is chosen as the DR (designated router), one as the BDR (backup designated router), and the rest are DROTHERS. The multicast IP address 224.0.0.5 is used, and the router id used is the loopback interface address.

COST
To calculate the cost of a link, divide the reference bandwidth by the interface bandwidth in bits per second. For link speeds greater than 100 Mbps, use the ospf auto-cost reference-bandwidth command.
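The router-id precedence (configured, else highest loopback, else highest active interface) and the reference-bandwidth cost formula from the notes above, worked through in code (an added example, not from the original post or from Cisco IOS). The interface names and addresses are constructed; the cost table shows why a default 100 Mbps reference makes FastEthernet and GigabitEthernet indistinguishable until auto-cost reference-bandwidth is raised.

```python
"""OSPF router-id selection and interface cost (added example)."""
import ipaddress


def select_router_id(configured=None, loopbacks=(), active_interfaces=()):
    """Apply the precedence from the notes: 1) configured router-id,
    else 2) highest loopback address, else 3) highest active interface."""
    if configured:
        return configured
    for candidates in (loopbacks, active_interfaces):
        if candidates:
            # compare numerically, not as strings ("10.x" must beat "2.x")
            return str(max(candidates, key=lambda a: int(ipaddress.IPv4Address(a))))
    raise ValueError("no IPv4 address available for router-id")


def ospf_cost(interface_bw_bps: int, reference_bw_mbps: int = 100) -> int:
    """cost = reference bandwidth / interface bandwidth, truncated to an
    integer with a minimum of 1.  The default reference is 100 Mbps, so any
    link of 100 Mbps or faster gets cost 1 unless the reference is raised."""
    cost = (reference_bw_mbps * 1_000_000) // interface_bw_bps
    return max(cost, 1)


def cost_table(reference_bw_mbps: int = 100):
    """Costs for a few common link speeds (constructed interface set)."""
    links = {
        "Serial T1": 1_544_000,
        "FastEthernet": 100_000_000,
        "GigabitEthernet": 1_000_000_000,
    }
    return {name: ospf_cost(bw, reference_bw_mbps) for name, bw in links.items()}


if __name__ == "__main__":
    print("router-id:", select_router_id(loopbacks=["1.1.1.1", "2.2.2.2"],
                                         active_interfaces=["10.9.9.9"]))
    print("default reference (100 Mbps):", cost_table())
    print("auto-cost reference-bandwidth 10000:", cost_table(10_000))
```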

http://ccie11440.blogspot.com/2007/11/why-are-some-ospf-routes-in-database.html

Wiring Diagram Quiz



Quiz
Assign a type of equipment for each of the points in the network, switch, router etc
Assign a media to each link based on distance- copper, fibre, T1 etc
Post your answers in the comments and let's discuss it!
My colleague mentioned that MPLS was in a lot of the questions in the CCNA Security exam, as well as Cisco SDM, though he was more familiar with the CLI. I just grabbed this image from google during my search for MPLS because it has a lot of components of a network carrying data, voice and media, at wire speed!

Saturday, March 10, 2012

Cisco Subnetting Game Solutions

I pulled excerpts from the discussion page to verify my own results. It seems that you have to use the whole Class C space to make the subnets even if you don't need all the hosts. The hint is don't worry about wasted addressing space; it's a game for fast subnet calculations and it gets very addicting.

It's a race against time to subnet the networks for the buildings in Area 51 before the aliens attack!

The moderator writes:
A common mistake new players make is failing to set the correct subnet mask. Even if all of the subnets have a green arrow, you still must enter the correct subnet mask in order for the game to advance. For example, if the instructions ask you to designate 2 subnets, the mask must be set to 255.255.255.128

Also, remember to click the "Set" button after each entry.

Level 1 by C Byington
Janet Area
2 Areas = 255.255.255.128
1st room
Network 192.168.1.0
Broadcast 192.168.1.127
Router 192.168.1.1

2nd Room
Network 192.168.1.128
Broadcast 192.168.1.255
Router 192.168.1.129

J Vaagen has some tips:
Memorize the subnet masks and the associated number of networks.
Then work at the 8x multiplications all the way to 248.
A tip to use in the 224 mask;
network 192.168.0.0
last ip (gateway + 30 = 31)
gateway 192.168.0.1
a lot of the scenarios use 224 as the mask..

David the Instructor:
The following table shows you possible subnet masks and why they are a certain value. Remember we borrow from the left and move to the right for more subnets.

bit       8    7    6    5    4    3    2    1
----------------------------------------------
weight  128   64   32   16    8    4    2    1

mask
128       1                                     = 2 subnets
192       1    1                                = 4 subnets
224       1    1    1                           = 8 subnets
240       1    1    1    1                      = 16 subnets
248       1    1    1    1    1                 = 32 subnets
252       1    1    1    1    1    1            = 64 subnets

More hints about valid hosts and usable subnets, by Zose:
The formula 2^(number of bits) - 2 only applies to "host" bits. When determining the number of hosts in a network you use this formula. The "-2" comes from subtracting the Network Host (first IP address) and the Broadcast Host (last IP address).

When determining the correct number of subnets you do not subtract 2 normally. The only time you would subtract 2 to find the number of usable subnets is if the "ip subnet zero" command was in use (meaning the 1st subnet is not usable), and if the router is using a classful (IGRP, RIPv1) routing protocol. Usually this is not the case as both IGRP and RIPv1 are older protocols and are not commonly used any more. Instead classless protocols such as RIPv2, EIGRP, and OSPF are used.

Emmanuel has finished the game!
Okay. I've just finished the game with 32445 points. I understand your frustration cause the text is not so explicit. In this case, it means that for each of the initial subnets (8 subnets for a maximum of 16) you have to consider that this subnet could be extended in the future. So 16 subnets for the mask is the right answer (255.255.255.240) but you must leave one reserved subnet between two of these 8 initial subnets. For example, suppose the network number is 192.168.1.0. With a /28 mask, the first subnet is 192.168.1.0 (with a broadcast of 192.168.1.15), the second is 192.168.1.32 (192.168.1.16 reserved for the first subnet and broadcast = 192.168.1.47), the third is 192.168.1.64 (with a broadcast of 192.168.1.79) ... Etc.

An answer with contiguous subnet numbers is wrong cause for a subnet to be extended in the future, the future reserved part must be contiguous with the initial part in order to get the possibility to migrate easier from or to the 255.255.255.224 mask (In this case we really have no more than 8 subnets but each subnet is equivalent of 2 initial subnets).

I've noticed you might have to solve this kind of problem in level 4 and 5 too with more text or no text. For the Aliens rooms there's no text and you have 8 rooms with devices. You have to imagine that the alien population will grow like in the science fiction films and therefore in this case other rooms or subnets would be necessary... I guess it's this concept of creating more subnets than shown on the screen which is the same problem for us, Jesse, David, James, Joel, Joseph and others: green everywhere except that the great "Finished" doesn't appear. I take this example of the aliens cause they are unpredictable... Once you have been lucky to consider the same number of devices per room, next time you might have one alien room with 16 devices whereas 4 for another: Welcome VLSM! Different situation and I understand why there is no text about what to do!
Applying these rules to solve your problem, I am sure you will be successful in finishing the game. For me, the most difficult is the 32 subnets challenge in level 5 cause it needs to save time with the previous problems in typing correctly as fast as possible: in this question, you have to enter 32x3 numbers plus the subnet mask!
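An added example, not from the game, the instructor or the commenters above, that turns David's mask table, Zose's host/subnet formulas and Emmanuel's "leave a reserved subnet between each pair" layout into Python; the 192.168.1.0/24 network is the one from Emmanuel's comment and the function names are my own:

```python
import ipaddress


def mask_octet(borrowed_bits):
    """Last octet of a Class C subnet mask after borrowing `borrowed_bits`
    host bits from the left (David's table: 1 -> 128, 3 -> 224, 6 -> 252)."""
    if not 1 <= borrowed_bits <= 6:
        raise ValueError("borrow between 1 and 6 bits of a Class C octet")
    return 256 - 2 ** (8 - borrowed_bits)


def subnet_count(borrowed_bits, subnet_zero_unusable=False):
    """2^bits subnets. Subtract 2 only in the legacy case Zose describes
    (first and last subnet unusable under a classful routing protocol)."""
    return 2 ** borrowed_bits - (2 if subnet_zero_unusable else 0)


def usable_hosts(prefix_len):
    """Zose's host formula: 2^(host bits) - 2 for the network and broadcast addresses."""
    return 2 ** (32 - prefix_len) - 2


def expandable_layout(network, initial_subnets):
    """Emmanuel's answer: pick the mask that yields twice the subnets needed,
    then hand out every second subnet so each one keeps an unused neighbour
    it can later grow into (assigned + reserved merge back into one /27)."""
    net = ipaddress.ip_network(network)
    # smallest number of borrowed bits with 2^bits >= 2 * initial_subnets
    borrowed = (2 * initial_subnets - 1).bit_length()
    pieces = list(net.subnets(new_prefix=net.prefixlen + borrowed))
    layout = []
    for i in range(0, 2 * initial_subnets, 2):
        layout.append({"assigned": pieces[i], "reserved": pieces[i + 1]})
    return layout


if __name__ == "__main__":
    # Emmanuel's example: 8 subnets now, room to double later -> /28 (255.255.255.240)
    for n in range(1, 7):
        print(f"borrow {n} bit(s): mask octet {mask_octet(n)}, {subnet_count(n)} subnets")
    print("usable hosts in a /28:", usable_hosts(28))
    for row in expandable_layout("192.168.1.0/24", 8):
        a = row["assigned"]
        print(f"use {a} (broadcast {a.broadcast_address}), reserve {row['reserved']}")
```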

ICND1 Take one

When you wake up from a dream and you want to write down every thought or random fleeting memory right away, but it evaporates in front of you too quickly. Here's my list: ARP vs DNS, default clock rate set? DTE/ DCE interface, cell switched? PVC, ATM, wiring solutions between midpoints, DSLAM, TCP headers, sequence numbers, HELLO, NAT, service password-encryption, WAN, T1.

I had enough time to do the exam, but it was one of those things where I wished I could go back and change the answer to a previous question. You can't do that on these exams.

About four questions in, on the first router simulation question I didn't realize that you had to click on the console computer graphic to launch the CLI of the router to access the running-config. I kept looking through all the windows for the console login, but I just didn't clue in. Well duh, how else would you answer the questions. Anywayz I messed up that question probably worth 30 marks and made a guess on the int fa 0/1 address and the multi-part answers were all based on that first assumption which I probably got wrong.

I only practised subnetting questions in Class C, but in real time I had to do subnetting for Class B. Not a big deal because I think I got that part right but still a bit stressful under time pressure.

Another random fact - Routers break up broadcast domains; each interface on the router is a separate network. Routers break up collision domains too, but a layer 2 switch can do that too.
WAN is an important topic. Frame relay is not supposed to be part of ICND1 but you still had to know enough about it to get some facts straight. I will need to clarify some aspects of Permanent Virtual Circuits.

Here's the breakdown of the modules tested and my score.
Describe the operation of data networks - 71%
* Implement a small switched network - 60%
Implement an IP addressing scheme and IP services to meet network requirements for a small branch office - 80%
Implement a small routed network - 67%
* Explain and select the appropriate administrative tasks required for a WLAN - 0%
Identify security threats to a network and describe general methods to mitigate those threats - 100%
Implement and verify WAN links - 75%

So I end the exam with my score of 787 out of 1000. You need 804 to pass which means I missed it by a margin of 17. That makes me knowledgeable enough to be dangerous.

It is my own fault for not passing I'm sure, but I will still launch a complaint because I noticed a couple of peculiarities with my exam experience. I felt like I was doing question 9 and then I clicked the mouse one too many times and I was on question 13. So I probably missed a four part question. I was a bit perplexed, probably should've said something at the time but I was like whatever. I'm wondering if those are the WLAN questions I completely skipped over. I only remember doing two questions on that whole subject and they did not adequately cover the topic of Explain and select the appropriate administrative tasks required for a WLAN.

I have the Pearson Vue 1 800 number so I may lodge a complaint and try to ask Cisco for a rebate on the retake of the exam. But do I really want to do this again after 10 days. Do I really want to re certify in 3 years and do this again. Right now though, I just feel like I want to crawl under a rock and die, but I can't help but pulling my books to... restudy! All the kids are napping so I have 2 hours!!!

I have the difficult task of explaining to my boss that I didn't pass the exam. Hopefully if I show him the report card with the marks broken down he can see that I passed the important stuff and even got a 100% on the network security portion (comforting). However I feel that I have temporarily lost my geek status so the blog will not be named Barbie Geek Tech Bytes for now...

Friday, March 9, 2012

Confreg 2142 Password Recovery and Config Wipeout


HOW TO force into ROMMON mode:
Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON.

An alternate break sequence is to set up the Hyperterminal session on a wrong baud rate, say 1200. About 10 to 15 seconds after power up, keep pressing the space bar (for about 10 seconds till you feel silly doing that). Close the Hyperterminal and reconnect at the correct baud rate of 9600 and you should see the ROMMON prompt.

If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.


You're in ROMMON and you're really messed up. You can't even do tftpdnld because you don't have a tftp server nor a proper IOS config file. It's bad!

I think I even tried the password recovery mode, which would erase the running config file and all that.
ROMMON 1> confreg 0x2142
ROMMON 2> reset
With 0x2142 the router ignores NVRAM on boot, so it comes up with a skeleton configuration (no startup-config loaded, empty running-config) and you build up from factory defaults.

Well that didn't seem to work so I swapped flash cards with another unit (don't know why I had to do that) but I was desperate and it worked. Now what will happen to the unit with the wrong flash?? Whatever.

So the recovered unit is now in the state of "revert to password recovery mode". You will lose the original configuration. The router will have no login, enable password nor telnet.

do show version (the last line shows the current configuration register)
Most important: remember to change the config-register back to 0x2102 (otherwise it keeps booting with 0x2142 and ignores the startup-config you just saved)
reload

The factory default setting for the configuration register is 0x2102. This indicates that the router should attempt to load a Cisco IOS Software image from Flash memory and load the startup configuration, with a console speed of 9600 baud. For most purposes, the factory default setting of the configuration register is the most appropriate. To change the configuration register to this setting, issue the config-register 0x2102 command in global configuration mode, as shown:
Router(config)#config-register 0x2102

Tuesday, March 6, 2012

Circuit Switched Networks

Here are some quick facts lifted from a CCNA online quiz

Three accurate descriptions of Circuit Switched Networks
* With circuit switching a dedicated physical circuit is established, maintained and terminated through a carrier network for each communication session
* Circuit switching allows multiple sites to connect to the switched network of a carrier and communicate with each other
* ISDN is a circuit switched network

Three statements for PSTN
* Other than a modem, no additional equipment is required
* Relatively low cost associated with the implementation of a PSTN connection link
* The maintenance of a public telephone network is very high quality with a few instances in which lines are not available

Three statements describe point-to-point links
* A point to point (or serial) comms link provides a single preestablished WAN communications path from the customer premises through the carrier network, i.e. the telephone company, to a remote network
* Carriers lease point to point lines usually, so they're often called leased lines
* For a point to point line, the carrier dedicates fixed transport capacity and facility hardware to the line of a customer

Three statements describe WAN bandwidth
* North American standard to describe bandwidth in DS numbers (DS0, DS1...) that refers to the rate and format of the signal
* Bandwidth on a serial connection can be incrementally increased to accommodate the need for faster transmission
* Bandwidth refers to the rate at which data is transferred over the comms link

HDLC
* Includes support for both point-to-point and multipoint configurations
* With Cisco HDLC there is no windowing or flow control
* HDLC specifies an encapsulation method for data on synchronous serial data links using frame characters and checksums

Function of PPP
* twist: Authentication phase of PPP session is not necessarily required
* PPP originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links
* PPP provides router to router and host to network connections over synchronous and asynchronous circuits
* The LCP in PPP is used for establishment, configuration and testing the data-link connection

Considerations for PPP
* PPP links require minimal expertise to install and maintain
* They usually offer a high quality of service
* They provide permanent dedicated capacity that is always available

Cisco ICND1 Flashcard: A Brief History of the Internet

The US DOD researchers figured out a way to break up messages into smaller parts and send each part to the destination, where the original message could be reassembled. This is called packet switching.

In 1972, ARPANET developers created the first email message software for the purpose of communicating and coordinating projects

In 1984, DNS was introduced to give the world domain endings like .edu, .com, .gov, .org and other country codes.

The TCP 3-way handshake:
SYN
SYN-ACK
ACK

Monday, March 5, 2012

HVAC and Power Rating Calculators

A quick link to find a Dell Energy Star rating calculator for heat generation and cooling requirements for Dell models for 48U, 42U or 24U Poweredge racks.

I was actually looking for the rating for one machine but it makes sense the application is making the calculations based on an entire rack.  Launch the page for Dell Star Online here.

Another important factor to consider is how many units you can fit into the rack given the power available to the rack. Here is a useful answer for Dell Poweredge Server Power Requirements rated for PE 2950 as a starting point.

Check again for more information about Water Cooled Racks or High Performance Cooling solutions.
Whitepaper for Watts and Volt-Amps

Doing My Own Cisco Tech Support

Cisco has a really good tech support hot line. I put in a TAC request for a pretty simple question about not being able to configure the serial port.

Create Serial Sub Interface Cisco 2811

"Hi. I can't access the serial port, was trying to configure serial 1/0 on my router cisco 2811 but I guess it does not exist?
The cisco online help says to try
controller t1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
I did show controllers and all kinds of hardware descriptions pop up but not t1 specifically
The router didn't know what to do with the controller command, I checked the hardware but it does not have a serial port. Is that possible?"

I guess I could pause next time, and give the guy a chance to talk or take notes. Anyway I couldn't immediately provide the serial number on the unit cuz I wasn't logged in and I didn't have the service contract searchable right in front of me. So I mention that I will login and write up the TAC online. While clicking online and trying to find the TAC gui, I stumble upon the link for T1 HWIC cards, like the one that is NOT even plugged into my unit. There is no WAN interface and link connected, the T1 truly does not exist!

I didn't even have a Cisco T1/E1 WAN Interface Card.
Anywayz I feel rather silly about calling in the first place but now I have confirmed that the show controller command really works! Once again it is the USER error.

CCNA, ICND1 and ICND2 Practice Exams

I found a really good link on the Cisco Learning Network website for practice questions here.

There are questions for the six modules:
Module 1: OSI Layer and IP questions
Module 2: Hardware, bridges, Hubs
Module 3: WLAN
Module 4: IP addressing, IOS Commands, Routing basics
Module 5: WAN, nat
Module 6: cdp, hardware and memory

There are tabs and links to study modules, 15-20 training videos and lab simulations.
At the login page I also found an ad for a new "game". Cisco Aspire CCNA Edition! Practice for your Cisco CCNA exam by solving realistic networking problems. Seriously? That's a game?

The website Cisco Tests dot org also has a timed exam with pretty realistic questions! It's not for the ICND1 and ICND2 but it would cover the similar line of questioning if you just wanted a timed practise exam experience.

Sunday, March 4, 2012

Ask Siri to Sing Happy Birthday

At a friend's birthday party dinner this evening in a very fancy Italian restaurant as we all finished dinner and everyone somehow felt it was appropriate to whip out that iPhone and start texting the buddies at the other long end of the table, the guy beside me suggested let's play Ask Siri!

I don't have an iPhone, I don't even own a cell phone really. I'm very curious who is Suri (I didn't even know how to spell it). The "Industry Canada RF Bandwidth Allocation Committee member" rolls her eyes and says, you folks are wasting bandwidth! I suppose this is true, asking age old questions like why did the chicken cross the road, what is the meaning of life, who's your daddy, and How big is the Pacific Ocean? (that's a good one) Siri gives the answer in litres with extra information about the comparative volume, 51% of all the earth's oceans. I'm hooked. I ask, What is Pippa Middleton wearing? Siri displays a button to search the web for that. I'm giggling too much at the idea of asking a computer for answers. I get one of the guyz to ask, what are you wearing Siri? But I miss the answer because it's just too funny.

We're at a birthday party so buddy asks, Siri would you sing happy birthday to my friend please?
Siri answers, Daisy, daisy, give me your answer do.

It wasn't quite the answer I was searching for. People keep texting each other or playing Angry Birds, but I desire an explanation! The Cisco guy at the end of the table explains that it is a cultural reference to the IBM computer that became the first computer to sing Daisy Bell.

In the late 1950's a computer sang a song for the first time. Here is a nice clip from YouTube.
Daisy, daisy, give me your answer do.
I'm half crazy all for the love of you.
It won't be a stylish marriage -
I can't afford a carriage,
But you'd look sweet on the seat
Of a bicycle built for two.

This is quite a cute response. I guess it's an AI joke that's preprogrammed in, but it's still very cute. Well here are some other questions to ask Siri though personally I think people should really talk to their friends at a party and not play with their phones too much. Tweet tweet.

Saturday, March 3, 2012

Would you like a slice of Raspberry Pi?

10,000 units sold out in minutes, a $35 programmable GNU/Linux mini computer the size of a credit card. I gotta get one of those on the next batch they bake. It was created in Toronto and manufactured in the UK!

It's so sweet that the inventors initially created this device to be accessible in cost and available one per person with the intention that kids could learn programming.

Thursday, March 1, 2012

Mobile IPv6 for earth

Studying for the CCNA Exam and the next topic is ipv6. I remember my teacher explaining that the last ipv4 address was given out in November 2011, and the number one reason was the proliferation of smart phones requiring an IP address. Did some reading on cell phones in general, curious on what's new because I don't even own one myself, and my brother keeps bugging me that I'm missing out (What, on Angry Birds?) and they mentioned about mobile IP and I put the two ideas together.... well they must be using IP v6!

Mobility drives the requirement to maintain the same IP address while moving seamlessly across different networks. That's pretty cool. Read all about Mobile IP.

So do all the addresses really start with 2 (for planet earth?). The prof also had a few other wacky ideas too, like he could write a book about IPv6 in less than page, and that to  make millions in IT just sign up to be the IPv6 networking guy. It would be easier job ever. Really? So I guess this is my book on IPv6: (Be careful with the use of colons, they mean something!)

The IPv6 address is written as 32 hex digits (128 bits).
Global unicast addresses begin with 2000

The Link Local Address refers to the physical link
- not for forwarding datagrams
- for neighbor discovery and route discovery
- begins with FE80, followed by an interface ID derived from the MAC address (with FFFE inserted in the middle)

The Loopback address is ::1 which means all preceding zeros.

Unspecified address
- used by a host that does not yet know its own address
0:0:0:0:0:0:0:0 or ::

Stateless Autoconfiguration
prefix + interface ID

Stateless DHCP

HOW TO Enable IPv6 on a router
usage: ipv6 unicast-routing
usage: ipv6 address 2001:db8:c18:1::/64 eui-64
(the first part is the global prefix, with no need to write the runs of leading zeros; /64 is the prefix length)
* Add eui-64 after the /64 prefix if you want the router to derive the interface ID portion from the MAC address

* The link-local address (FE80...) is generated automatically; verify it with:
show ipv6 interface ethernet 0

RIPng (RIP for IPv6, based on RIPv2)
* uses the multicast group FF02::9

QUIZ
Do you want to be IPv6 Certified by Hurricane Internet Services? Here is a quick link to a neat service. I think they are a web hosting service.

Monday, February 27, 2012

Cisco Port Security

Use port security to manage the ingress of traffic from dynamically learned and static MAC addresses. When a secure MAC address is assigned to a secure port, the port will not forward traffic from any MAC address outside the defined set.

There is a security violation if one of these infractions occurs:
1) When access is attempted by a MAC addresses that is different from any of the identified secure MAC addresses, port security applies the configured violation action or mode.
2) If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation action or mode. It is a move violation!

Possible actions are:
switchport port-security violation {protect | restrict | shutdown}


protect: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict: the same, but causes the SecurityViolation counter to increment.

shutdown: Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

To bring a secure port out of the error-disabled state automatically, in global configuration mode
usage: errdisable recovery cause psecure-violation
or manually re-enable it with the shutdown and then no shutdown interface configuration commands

To prevent overtaxing the CPU, use the port security command with rate limiting.

Methods of MAC address configuration

Static
How to statically configure all secure MAC addresses?
Use the switchport port-security mac-address mac_address interface configuration command.

Dynamic
How to dynamically configure secure MAC addresses?
1) You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.

2) You can statically configure a number of addresses and allow the rest to be dynamically configured by sticky!

Sticky MAC addresses
These can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
Remember to write memory (wr is the shortcut) or use the copy running-config startup-config command; port security with sticky MAC addresses then saves the dynamically learned MAC addresses in the startup-config file. The port does not have to learn the addresses from ingress traffic again after a bootup or a restart.
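An added example, not Cisco's code and not part of the original notes, that models the rules described above as a small Python class: unknown source MAC, the move violation across two secure ports in the same VLAN, protect vs restrict vs shutdown, errdisable recovery, and which addresses survive a link-down and a write memory (static and sticky, not plain dynamic). Port names, MACs and VLAN numbers are constructed:

```python
class PortSecurity:
    """Toy model of switch port security (assumed behaviour, not IOS code).
    Secure table maps (vlan, mac) -> {"port", "kind"} where kind is
    static, dynamic or sticky."""

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.MODES:
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = {}
        self.errdisabled = set()
        self.violations = 0      # the SecurityViolation counter (restrict mode)
        self.traps = []          # SNMP traps that shutdown mode would send

    def add_static(self, port, vlan, mac):
        """switchport port-security mac-address <mac>"""
        self.secure[(vlan, mac)] = {"port": port, "kind": "static"}

    def _count(self, port):
        return sum(1 for e in self.secure.values() if e["port"] == port)

    def _violate(self, port, reason):
        if self.violation == "protect":
            return "drop"                      # silently dropped
        if self.violation == "restrict":
            self.violations += 1               # dropped and counted
            return "drop"
        self.errdisabled.add(port)             # shutdown: err-disable + trap
        self.traps.append((port, reason))
        return "errdisable"

    def frame(self, port, vlan, mac):
        """Process one ingress frame: returns forward, drop or errdisable."""
        if port in self.errdisabled:
            return "drop"
        entry = self.secure.get((vlan, mac))
        if entry is not None:
            if entry["port"] == port:
                return "forward"
            # secure on another port in the same VLAN: the move violation
            return self._violate(port, "move violation")
        if self._count(port) < self.maximum:
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[(vlan, mac)] = {"port": port, "kind": kind}
            return "forward"
        return self._violate(port, "unknown source MAC over maximum")

    def recover(self, port):
        """errdisable recovery, or shutdown / no shutdown on the interface."""
        self.errdisabled.discard(port)

    def link_down(self, port):
        """Only static and sticky entries survive a link-down condition."""
        self.secure = {k: v for k, v in self.secure.items()
                       if not (v["port"] == port and v["kind"] == "dynamic")}

    def startup_config(self, port):
        """Lines that write memory would persist for this port."""
        lines = []
        for (vlan, mac), v in sorted(self.secure.items()):
            if v["port"] != port or v["kind"] == "dynamic":
                continue
            sticky = "sticky " if v["kind"] == "sticky" else ""
            lines.append(f"switchport port-security mac-address {sticky}{mac}")
        return lines


if __name__ == "__main__":
    ps = PortSecurity(maximum=1, violation="restrict")
    print(ps.frame("Fa0/1", 10, "0011.2233.4455"))   # forward (learned)
    print(ps.frame("Fa0/1", 10, "aaaa.bbbb.cccc"))   # drop, counter goes to 1
    print(ps.frame("Fa0/2", 10, "0011.2233.4455"))   # drop: move violation
    print("violations:", ps.violations)
```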

Friday, February 24, 2012

Where does TV come from?

I had the same discussion with my child the other day, and I managed to explain about digital off the air and rabbit ear antennas, and the converter; plus since we're still old school, the good old CRT TV.

Now I'm contemplating the absurdity yet logic of a friend's post, "watching youtube on tv through HDMI to playbook wifi controlled by Blackberry Bold using bluetooth" That's impressive.

ICND2 Topic: Access Lists, Standard and Extended

A topic for the practical CCNA Exam, but it is only in the ICND2. This will be discussed in greater detail when the article is more complete. For starters,

Setting up an access list on a brand new Cisco router, here are a few key points to remember:
  • Implicit deny at the end of access lists; you must permit administrative traffic or you will block yourself out of the router
  • Order matters: place the most specific rules first, or they will never get a hit because a broader rule above them matches first
  • Issue one access list per direction or interface
  • Standard access lists are placed closest to the destination
  • Extended access lists closest to the source, purpose being to eliminate undesirable traffic across network
REMEMBER: Specific statements at the start; general ones after. Assume deny all. Use a "permit any" statement at the end.

IMPORTANT: Create the ACL before applying to an interface. An empty ACL applied will permit all traffic.
Access Lists inspect criteria for permit or deny rules based on source address, destination address, protocols, and port numbers. They operate on the principle of inbound rules process packets before routing to outbound.

Special handling required to identify
  • type of traffic to be encrypted on VPN
  • identify a router
  • route filtering, which route to include in updates
  • policy based routing
  • NAT
Standard Access List
Checks only the source address, for the entire IP protocol suite
Standard IP ACL 1 to 99 & 1300 to 1999

Here is an example from Cisco Tests:
access-list 10 deny 172.16.3.10 0.0.0.0
access-list 10 permit any
access-list 10 remark Stop all traffic whose source IP is Bob


Extended Access List
Checks both source and destination address, protocols and port numbers.
Extended IP ACL 100 to 199 & 2000 to 2699

access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server
access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 110 permit ip any any


Dynamic ACL - telnet

Reflexive ACL - allows outbound, limits inbound. These are defined inside a named extended IP ACL, not a numbered one like the standard.

Time based ACL - can be used with standard and extended ACL

usage:
ip access-list standard TROUBLEMAKER
 permit ...
 deny ...
 remark ... a good idea to explain what the rule is for!

HOW TO Apply the IP Access List to an Interface
int eth 0
 ip access-group TROUBLEMAKER out

show access-lists
no ip access-list extended name
ip access-list resequence name 10 10

Removing the Access List
conf t
int eth 0
no ip access-group # in
exit
no access-list #

In  a lab setup, you'll have to really trust your neighbors not to lock you out.
Use the host keyword when  you are specifying a single machine.
host 172.16.10.2 means the same as 172.16.10.2 0.0.0.0
Use the any keyword to specify 0.0.0.0 255.255.255.255 wild card masking.
Use when you don't care about source or destination addresses because  you are filtering on other parameters.

me: access-list 1 permit host 10.10.10.8 (need to permit own workstation)
buddy1: access-list 1 permit host 10.0.0.101
buddy2: access-list 1 permit host 10.0.0.106
buddy1: access-list 1 permit 30.3.3.0 0.0.0.255
buddy2: access-list 1 permit host 80.8.8.0 255.255.255.255

How to apply the access-list on a vty interface
usage: access-class 1 in

How to create an IP named standard access-list?
usage: ip access-list standard name

syntax:
access-list [number] [permit or deny] [protocol] [source] [destination] [port] (extended form; a standard list is just [number] [permit or deny] [source])
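An added example, my own and not from Cisco Tests or the original post, that evaluates the two access lists from above with Cisco wildcard-mask semantics (host X is X 0.0.0.0, any is 0.0.0.0 255.255.255.255), first match wins and the implicit deny at the end; the packets are constructed using Bob's and Larry's addresses from the lists:

```python
import ipaddress

# Port keywords used in the page's ACL lines; IOS also accepts plain numbers.
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | A (standard shorthand)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def parse_ace(line):
    """Parse one numbered access-list entry; remarks return None."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("expected an access-list line: " + line)
    number, action = int(t[1]), t[2]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny: " + line)
    standard = 1 <= number <= 99 or 1300 <= number <= 1999
    rest = t[3:]
    if standard:                       # source only, whole IP suite
        src, rest = _parse_addr(rest)
        return {"action": action, "proto": "ip", "src": src,
                "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    proto, rest = rest[0], rest[1:]    # extended: protocol, source, destination, port
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_KEYWORDS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, packet):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *ace["src"]):
            continue
        if not wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"], line
    return "deny", "implicit deny"


# The two lists quoted above from Cisco Tests.
ACL_10 = [
    "access-list 10 deny 172.16.3.10 0.0.0.0",
    "access-list 10 permit any",
    "access-list 10 remark Stop all traffic whose source IP is Bob",
]
ACL_110 = [
    "access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server",
    "access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "access-list 110 permit ip any any",
]

if __name__ == "__main__":
    bob_ftp = {"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.1.7", "dport": 21}
    print(evaluate(ACL_110, bob_ftp))                  # deny by the FTP line
    print(evaluate(list(reversed(ACL_110)), bob_ftp))  # permit: order matters
    print(evaluate([], bob_ftp))                       # empty list: implicit deny
```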

Cyber Defense Engineering Rant

I read up on some recent SANS White papers and a topic caught my eye, touting the weakness of Defense in Depth. Alright, I'm taking notes. Companies spend millions of dollars on ITS and they are still getting hacked, well the ones worth hacking into anyway. Sony PS3 customer credit card data, Citibank, US military drones, like really run targets! So what are some alternatives, what are the weaknesses and strengths of technologies today?

The author seems to promote the fact that Defense in Depth is not employed properly by governments and IT departments doing IT Security and Cyber Defence. The layered defense approach works for the physical and kinetic world (as they call earth). Even an armed intruder cannot walk through walls of fire (clever). However all kinds of cyber threats can be "encapsulated" and shift silently through one layer to the next, both OSI layers and layers of security I presume. Frequency of attack is increasing, and the skill level required for a successful attack is decreasing. IT departments have limited people, process and technology. Hackers can launch attacks as effectively and quickly overseas as next door with limitless power, process and technology. Actions cross international boundaries and legal jurisdictions.

Analogies of common approaches
1) Fire prevention - more like the use of a fire extinguisher or incident handling when an intrusion occurs
2) Nuclear Energy - the core is highly reactive. Clarification please?
3) Engineering - many redundancies built in, failover and contingency plans
4) Online gaming - chance encounters, attack by attrition, using up resources until they're gone

Defense in Breadth was a complementary initiative, involving multiple vendors not competing but rather collaborating. Perhaps something as simple as preventing  the attackers from getting back out the internet with the stolen sensitive electronic information. Threat detection, intrusion detection, network baseline monitoring, anomalous behaviour tracking.

Cyber Siege Defense sounds cool but I couldn't quite capture it in notes. Rather I got out of it one really good idea about Managing the Attacker with strategies like

1) Understand the mindset and motivation
2) Feed false information by setting up honeypots or false data
3) Increase the attackers level of effort
4) Drive up their costs, combine defensive technologies to increase complexity
5) Deprive the profits they seek
6) Damage their reputation

What does this all mean? The whole point I got out of it was rather dismal, the hackers know everything that is commercially available and its weaknesses. Some professionals have to take the SANS course to even learn what the weaknesses are. How do you know that hackers aren't on the same course and laughing at everyone in the back of the room?

Now it's too late, you're already under attack. I found some notebook ideas here useful for incident handling on Windows anyway. Here's a link to a CIRT Whitepaper. Well that is a SANS safe link, but how do you know it's really safe, and it's not downloading malicious code? That's what I mean that the weakest security is the OSI Layer 8, the Between Chair and Monitor Error, the desktop USER.

More fuel to the fire that IT Security is defenceless... even CEO's agree.

Thursday, February 23, 2012

Career Choices 101


Reitman's, a women's clothing line for everyday wear, has a catchy advertising tagline, "You have a job evaluation everyday" and there's a poster size image of a woman dressed in a business suit looking ready for a job interview. Well obviously you have to be qualified for the job, well in some jobs looks are part of the qualifications!


Boothbabe

Wikipedia has an interesting article on "promotional models". The caption for this photo indicates that the woman is a "booth babe" at a defense industry trade show. (Not the fat dude in combats) Well maybe but what if she was an HR Rep for the company, or even an Engineering Manager. I've never heard of that word before but then again, how many defense industry trade shows have I been to.

For some jobs, good looks are implied - Flight Attendant, Supermodel, etc.  Looked at recent job postings where they specifically noted looks as a requirement. A Swedish hospital posted a hiring ad looking for Hot Looking Nurses, a hiring campaign that was well received. You still had to have a nursing degree and job related qualifications to apply. 

There are a lot of google search results for Import Car Model or how to become an import car model. The general opinion was that most import car models were Asian, and I didn't realize that because I thought a requirement was actually being naturally blonde and tall. Turns out I'm wrong, the hottest import car model in Canada is Steph Ly, who I was surprised to learn is the sister of a childhood friend who studied accounting and moved on to life in/on fast cars. It was tough to find a webpage that was not blocked by the firewall at work. Another popular Asian model is Min Hee Hwang from South Korea. They call her the race queen so I thought she was a race car driver like Danica Patrick.. but drivers are usually in the driver's seat right? There aren't nearly as many photos or web posts dedicated to her (in English). I would categorize her look as classic authentic beauty, stoic, with Japanime-qualities, but not like Kat von D hot. But what do I know. I like looking at the cars in TunerZine.com; I learned a lot about my new car featured this month actually, newer Toyota Prius, and the Engineering features behind that. I finally clicked Model because I was looking for a new car. Well anyway they weren't talking about a model number for a car... so that's how this whole article got started.

Whatever career you choose though, make sure it is something you are passionate about. Engineering is a broad field that starts out with Electrical, Mechanical, Chemical, Civil and then they start branching off into various specialties like Aerospace, Environmental, Bio Medical, Bio Mechanical, Process, Manufacturing, Geomatics, Computer and so on. Automobile Engineer, design the fastest and sexiest car on the planet! Personally I wish I had chosen Mining Engineering instead, to look for all those sparkly diamonds!

So are there good looking girls and boys in Engineering? Yah a few for sure.  I read a cartoon before that touched on this issue. There's a girl sitting at a desk between two guys. The guy on the left leans over and says "Being a girl in engineering, your odds are good." She looks over at the guy on the right and says "The odds are good, but the goods are odd." I did a google search on "engineers good looking" and it's funny there are not too many photos of people but just machines. Now that's funny.

Big Bang Theory - Howard Wolowitz the Engineer.

Monday, February 20, 2012

Superpowers in the Super Computing Race

Forget the arms race, it's all about supremacy in super computers and math skills.  I saw a desktop CRAY computer running the simulations for certain DSP solution for Matlab and Simulink, and it got me thinking, well what if I had a business case and I could ask my boss to buy me one? First off though, I would have to clearly explain what is 786 gigaflops, and if it will run Linux.

A teraflop is a measure of a computer's computing speed or processing power, based on the acronym FLOPS - floating-point operations per second. A teraflop is a trillion, or 10 to the 12th power, flops (note the "s" is part of the acronym, no need for an additional "s"), and teraflop-class parallel computing systems are now affordable and on the market. And of course, within the realm of possibility or imagination is a computer capable of petaflops, a thousand teraflops or a quadrillion (thousand trillion) flops.

Supercomputers are capable of so many amazing tasks: previously, discovering new elements, detecting dark matter components, simulating nuclear chain reactions or particle collisions.  At present they model climate change, crack codes, and model protein behaviour and drug reactions.  So it's no surprise that the top buyers include the biosciences, computer-aided engineering and defence industries. Hewlett-Packard, Dell and IBM are all competitors in the market. This CRAY system came out in 2008, so I'm a bit 2000-and-late, but in this world, by the time you've built and deployed the number one system, someone has already imagined something 20 times better.

Canada
As of Nov 2011, Canada did not have a system listed within the public top 500 supercomputer list. Boo.

However, we do see high-performance systems in the server room of the Toronto Stock Exchange, running electronic trading. Math geeks design the algorithms (users input parameters like selling or holding thresholds) and the dark pools (venues where orders are hidden from other participants' algorithms).

Computing resource allocation on SciNet, the University of Toronto's system, is very competitive though.  Compute Canada's Resource Allocation Committees connect researchers with the computational and personnel resources to run calculations for biomedical research, climate change modelling and even galaxy formation simulations.


Japan
Japan ranks number one. As of Nov 2011, the K computer, based at the RIKEN Advanced Institute for Computational Science in Kobe, was the first to clear 10 petaflops, beating its own record from the June 2011 list.  Hardware includes 705,024 Fujitsu SPARC64 VIIIfx processor cores.

Read more: http://news.cnet.com/8301-30685_3-57324194-264/japanese-supercomputer-first-to-clear-10-petaflops/#ixzz1mwp3L6yU


US
The Blue Gene/L can do 0.5 quadrillion operations per second (about 0.5 petaflops) and was the most powerful system on the list from late 2004 through 2007.  Blue Gene/L is deployed at Lawrence Livermore National Laboratory in Livermore, California; the US as a whole hosted 263 of the Top 500 systems on the Nov 2011 list.
The up and coming Sequoia, also an IBM Blue Gene system for Livermore, is due at the end of 2012 and is designed for 20 quadrillion operations per second, that's 20 petaflops, across 96 racks and some 1.6 million processor cores. The main challenge is writing software that scales across all those chips.

I like the supercomputer the US Air Force built years ago from many old-model Sony PS3s in parallel, used for satellite imagery analysis. Many researchers have done the same, though it is no longer possible with newer-generation PS3s since Sony removed the OtherOS (Linux) feature.

China
In Nov 2010 China was number one with the Tianhe-1A, doing 2.5 quadrillion operations per second, built by the National University of Defense Technology (NUDT) and installed in Tianjin.  Tianhe means "The Milky Way". It was surpassed on the very next list, June 2011, by Japan's K computer. Another amazing fact: China owns 74 of the 500 biggest supercomputers in the world.

By 2020 the Chinese have something in the works said to rival 500 times Sequoia and 8 times the power of Tianhe.

Cisco
Anyway it's not supercomputing but here is the fastest Cisco switch ever. http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6021/product_data_sheet0900aecd8017a72e.html I'm bringing this up simply because one has to consider connectivity to these super computers and all the glorious applications.

Cisco Self Defending Network Strategy

I found a CCNA test question on the Cisco Self Defending Network Strategy so I looked it up.

Cyber Security
Trust and Identity Management, responsible for the security of critical assets
Threat Defence, responds to problems caused by security outbreaks

Physical Security
Potential security breaches should be evaluated.
Assess the potential impact of stolen network resources and equipment
Secure Connectivity, ensures privacy and confidentiality

Properties of a Self Defending Network
Network Availability: remain active when under attack

Ubiquitous Access: provide secure access from any location

Admission Control: authenticate all users, devices and their posture

Application Intelligence: extend application visibility controls into the network

Day-Zero Protection: ensure endpoints are immune to new threats

Infection Containment: rapidly identify & contain virulent attacks

Network Monitoring:
  • Syslog keeps a lot of data, a feature of Cisco IOS (ship it off-box to a collector, so someone who owns the router cannot erase the trail)
  • Simple Network Management Protocol (SNMP), Cisco IOS feature for network management (v1/v2c community strings travel in the clear; use SNMPv3 where possible)

Cisco Security Monitoring, Analysis and Response System (MARS) provides security monitoring for networks and hosts
  • NetFlow exports per-flow records (addresses, ports, protocol, byte and packet counts), not packet contents; enough to spot scans and beaconing, not to read payloads
  • Cisco Traffic Anomaly Detector Module - detects high speed DoS attacks
  • Firewall and IDS - IPS Sensor Application, Adaptive Security Appliance (ASA) and Cisco Security Agent (CSA)


Key Components and Necessary Behaviours
  • 100% network uptime: keep functioning in the presence of viruses and related infections.
  • Network Admission Control (NAC) program. NAC allows customers to determine what level of network access to grant to an endpoint based on its security posture
  • Infection Containment as a third-order dampener to the virus and worm propagation effect.
  • Adaptive Threat Defense (ATD) capabilities, which enhance the ability of a network to respond to threats based on a new set of Anti-X technologies.
  • Network Intrusion Detection Systems (NIDS): integrate NIDS into the router and switching platforms and transform aspects of it into an intrusion prevention system (IPS) with inline filtering capabilities.
  • Beyond endpoints, apply this to points of presence (POPs) in the network (firewalls, NIDS, routers, switches, and hosts) with context, while learning the L2 and L3 network topology.
Taken from: Message of the Vice President, Chief Technology Officer

  

Summary of Cisco Threat Detection Technologies
IPS Sensor Application
Adaptive Security Appliance (ASA)
Cisco Security Agent (CSA)
Cisco PIX Firewall
FWSM Catalyst 6500 Firewall Services Module
IOS Firewall (feature of Cisco IOS)
IPS (feature of Cisco IOS)

Movies on Network Security
WarGames (1983; a teenager dials into the NORAD war computer by accident)
Hackers (Angelina Jolie, 1995. Hacking, dial-up modems, social engineering, dumpster diving)
The Net (not so much  hacker movie, but privacy issues online)
Mission Impossible 4: Ghost Protocol (breaking network security and halting a nuclear disaster)

Friday, February 17, 2012

HOW TO do Remote Access to Computers

There are several ways to open a shell or a desktop on a remote computer.

Telnet - The least secure: everything, including the login password, crosses the network unencrypted.

SSH - Secure Shell: encrypted and authenticated; use it instead of telnet wherever you can.

PuTTY - a free SSH and telnet client (with its own terminal emulator) for Windows.

VNC and RDP will be discussed in more detail below.

VNC
Virtual Network Computing. The machine whose desktop you want to see runs a VNC server; the machine you sit at runs the VNC viewer, which draws that remote desktop in a window over the connection.

The machine being controlled runs the VNC server
vncserver is used to start a VNC (Virtual Network Computing) desktop. vncserver is a Perl script which simplifies the process of starting an Xvnc server. Each desktop it starts gets a display number (:1, :2, ...) and listens on TCP port 5900 plus that number, so :1 is port 5901.

The machine you sit at runs the VNC viewer
At the pop up, enter host:display, e.g. server2:1

Launching vncviewer
This is a good summary of using vnc from the real authors.

To close the vnc desktop
usage: vncserver -kill :1 (or service vncserver stop, where it is installed as a service)

To port the display over (csh syntax; in bash use export DISPLAY=server2:1.0)
setenv DISPLAY server2:1.0
setenv DISPLAY localhost:1.0

Caveat: the RFB protocol VNC speaks is not encrypted, and the classic VNC password is a weak DES challenge-response truncated to 8 characters, so don't expose port 590x to the network. Start the server with vncserver -localhost and reach it through an SSH port forward, then point the viewer at localhost:1.
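The tunnel and the exposure check described above, as an added shell example that is not part of the original post. The user name alice, host server2 and display :1 are assumptions, and the ss-style listener lines are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: reaching a VNC desktop through an
# SSH port forward, plus a check that the VNC server is not exposed directly.
# Assumed names: user "alice", host "server2", display :1. vncserver on server2
# is assumed to have been started with -localhost so only the tunnel reaches it.

# VNC display :N answers on TCP port 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Build the ssh command that forwards local port 5900+N to the same port on the
# remote loopback. The viewer then connects to localhost:N and the RFB session,
# cleartext apart from its weak password challenge, rides inside SSH.
vnc_tunnel_cmd() {
    user=$1; host=$2; display=$3
    port=$(vnc_port "$display")
    echo "ssh -N -L 127.0.0.1:${port}:127.0.0.1:${port} ${user}@${host}"
}

# Read listener lines in the layout of "ss -ltn" output (constructed below, not
# captured from a real host) and print any VNC port bound to something other
# than loopback, i.e. reachable from the network without the tunnel.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        sock = $4
        port = sock; sub(/.*:/, "", port); port = port + 0
        addr = sock; sub(/:[0-9]*$/, "", addr)
        if (port >= 5900 && port <= 5999 && addr != "127.0.0.1" && addr != "[::1]")
            print sock
    }'
}

# Constructed sample: :1 is bound correctly, :2 and :3 are exposed.
SAMPLE_LISTENERS='LISTEN 0 128 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 128 [::]:5903 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

echo "Open the tunnel with:  $(vnc_tunnel_cmd alice server2 1)"
echo "Then point the viewer at localhost:1"
echo "Exposed VNC listeners in the sample:"
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_vnc_listeners
```

On the real server, feed `ss -ltn` (or `netstat -ltn`) into `exposed_vnc_listeners`; anything it prints is a display that the -localhost flag should have hidden.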

RDP
Remote Desktop Protocol. More to follow!

Thursday, February 16, 2012

Are you ready for Rsync?

How many times have you set up a file transfer by FTP over the weekend because it was a massive file that would take four days, only to find out that somewhere along the way there was an unexplained drop in the network connection, and your file transfer is incomplete with bits lost in the ether.

Enter rsync, and you'll be much happier with the delivery guarantee. Is this UDP or TCP? TCP: rsync runs over a TCP stream, normally inside SSH (or to an rsync daemon on port 873), and with --partial a transfer that drops can be resumed from where it stopped instead of starting over. Better late than never, as opposed to never than late.

Rsync is really a backup/mirroring tool that sends only the differences between source and destination, but that same property makes it good for a one-time transfer of a huge file.  Step by step instructions are here. Two caveats: the rsync daemon protocol (rsync://) carries data in the clear, so use -e ssh across anything but a trusted LAN, and check the copy afterwards with a checksum rather than trusting the exit status alone.

http://www.thegeekstuff.com/2010/09/rsync-command-examples/
http://everythinglinux.org/rsync/
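A resumable transfer over SSH with an integrity check on the result, as an added shell example that is not from the original post or the linked guides. The user alice, host server2 and path /data/big.iso are assumptions; the local rehearsal builds its own constructed file.

```shell
#!/bin/sh
# Added example, not from the original post: a resumable rsync transfer over
# SSH and an integrity check on the result. Assumed names: user "alice", host
# "server2", remote file /data/big.iso. The flags are standard rsync: -a
# (archive), -z (compress), --partial (keep a half-received file so the next
# run continues it instead of starting over), -e ssh (carry the stream in SSH).

# The command you would type for the real, over-the-network transfer.
rsync_resume_cmd() {
    src=$1; dst=$2
    echo "rsync -az --partial --progress -e ssh ${src} ${dst}"
}

# Digest of a file: SHA-256 when a tool is present, else the POSIX cksum CRC
# (catches truncation and corruption, not deliberate tampering).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# True when the copy's digest equals the one computed at the source. rsync's
# exit status says the protocol finished, not that the bytes on disk are right,
# so compute the digest on both hosts and compare after the run.
verify_copy() {
    [ "$(digest "$1")" = "$2" ]
}

# Local rehearsal with a constructed 200 kB file: the destination already holds
# the first half, as --partial leaves after a dropped connection; rsync
# completes it and the digest check confirms the result. Prints ok, mismatch,
# or skipped when rsync is not installed on this machine.
demo_resume() {
    tmp=$(mktemp -d)
    head -c 200000 /dev/urandom > "$tmp/big.iso"
    mkdir "$tmp/dest"
    head -c 100000 "$tmp/big.iso" > "$tmp/dest/big.iso"
    expected=$(digest "$tmp/big.iso")
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --partial "$tmp/big.iso" "$tmp/dest/" >/dev/null
        if verify_copy "$tmp/dest/big.iso" "$expected"; then result=ok; else result=mismatch; fi
    else
        result=skipped
    fi
    rm -rf "$tmp"
    echo "$result"
}

echo "Network transfer: $(rsync_resume_cmd alice@server2:/data/big.iso /backup/)"
echo "Local rehearsal:  $(demo_resume)"
```

If the network drops mid-way, rerunning the same rsync command picks up from the partial file; only the final digest comparison tells you the file on disk is the one that left the server.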

Do I need a Host Table?

I didn't quite see the need to create the host table for the little lab network with a data server talking to a recording device, because I thought the switch in between would be enough. Anyway I decided to do some digging.

Linux
The host table lives in the "/etc/hosts" file, containing IP addresses and hostnames. Here's a sample below:
$ cat /etc/hosts
# Table of IP addresses and host names
127.0.0.1 localhost
192.168.1.2 myserver aliasname anotheralias

Windows
Windows 95/98/Me c:\windows\hosts
Windows NT/2000 c:\winnt\system32\drivers\etc\hosts
Windows XP and later c:\windows\system32\drivers\etc\hosts (in general %SystemRoot%\system32\drivers\etc\hosts)
The host table is useful when you have a small number of servers in the group and you want to use some aliases, and/or there is no DNS or connection to the internet. It maps host names to IP addresses (and serves reverse lookups too), and on most systems the resolver consults it before DNS (the order is set in /etc/nsswitch.conf on Linux). That ordering is also why it is a favourite target of malware: one added line silently redirects a name, say an update or antivirus server, without touching DNS at all, so the file should be writable only by root or Administrator and is worth a periodic look.

It gets messy when the host table is long: entries go stale, nobody remembers who added what, and at that point DNS is the better tool.
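A first-match lookup and a small audit of a hosts table, as an added shell example that is not from the original post. The table is constructed for the example; the host names and addresses in it are made up.

```shell
#!/bin/sh
# Added example, not from the original post: resolve names the way the hosts
# table does (first match wins) and audit the table for entries that should
# not be there. HOSTS is a constructed table; names and addresses are made up.

HOSTS='# Table of IP addresses and host names
127.0.0.1 localhost
192.168.1.2 myserver aliasname anotheralias
192.168.1.3 recorder   # lab recording device
0.0.0.0 ads.example.com
192.168.1.99 update.example.org
192.168.1 badhost
192.168.1.4 myserver'

# Print the first address listed for a name, which is what the resolver does
# when nsswitch.conf has "files" ahead of "dns": a later duplicate never wins.
hosts_lookup() {
    printf '%s\n' "$HOSTS" | awk -v name="$1" '
        { sub(/#.*/, ""); if (NF < 2) next
          for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# Report lines a sysadmin should question:
#   BADIP     first field is not a dotted quad (IPv6 entries are passed through)
#   DUPLICATE a name already mapped on an earlier line (dead weight, or a
#             botched attempt to redirect it)
#   OVERRIDE  a dotted, internet-looking name pinned to a routable address,
#             which is how malware hijacks update or AV servers locally
hosts_audit() {
    printf '%s\n' "$HOSTS" | awk '
        function valid4(ip,   n, p, i) {
            n = split(ip, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        { sub(/#.*/, ""); if (NF < 2) next
          ip = $1
          if (ip !~ /:/ && !valid4(ip)) { print "BADIP " ip; next }
          for (i = 2; i <= NF; i++) {
              if (seen[$i]++) print "DUPLICATE " $i " " ip
              else if ($i ~ /\./ && ip != "127.0.0.1" && ip != "0.0.0.0" && ip != "::1")
                  print "OVERRIDE " $i " " ip
          }
        }'
}

echo "myserver  -> $(hosts_lookup myserver)"
echo "aliasname -> $(hosts_lookup aliasname)"
echo "Audit findings:"
hosts_audit
```

Pointing HOSTS at the real file (`HOSTS=$(cat /etc/hosts)`) turns this into a quick check to run after an incident; a 0.0.0.0 entry is a deliberate blackhole and is left alone, while a public name mapped to a live address is exactly the pattern to investigate.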

Cisco ICND1 Flashcard: Wireless LAN Implementation and Security

The Wireless Access notes for the CCNA Exam in short form.
The topic of Wireless LAN is covered in the ICND1 Exam

Connecting to a Wireless Network
This is how it happens at Starbucks, McDonald's, the hotel offering free wireless internet, or your own home.  Wireless access points send out beacons announcing the SSID, supported data rates and other information.  The client's laptop wifi card scans all channels, listening for beacons and for responses to its own probe requests. The client then associates with the AP that has the strongest signal, and repeats the scan if the signal weakens, associating with another AP while roaming.  During the association phase the SSID, client MAC address and security settings are sent from the client to the AP and verified by the AP. Note that beacon, probe and association frames are all unauthenticated, which is why a fake AP with the same SSID and a stronger signal can pull clients in.  The basic service area is the physical area of RF coverage provided by the AP.

Wireless access is half duplex and uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance): a station listens before transmitting and backs off a random interval rather than detecting collisions the way wired Ethernet does. Every unicast frame must be acknowledged by the receiver; the optional RTS (Request to Send) / CTS (Clear to Send) exchange, enabled above a configured RTS threshold, reserves the medium first so that stations hidden from each other stay quiet. Yes I know it is weird to place the acronym ahead of the definition at first use.

About the RF Wireless Signal
While setting up the access point, the following parameters are configured: basic IP address (static or DHCP), subnet mask, default gateway; the wireless protocol being used, 802.11a, b, g or n; the channel (1, 6 or 11 in the 2.4 GHz band) and a power adjustment.  Security parameters include the SSID, which identifies the network, the authentication scheme (WPA/WPA2 PSK or 802.1X) and the encryption method (TKIP or AES-CCMP).
IBSS - Independent Basic Service Set, users connected in ad hoc mode without an AP
BSSID - MAC address of the AP's RF interface
SSID - Admin-configured network name that is broadcast in beacons, sent in the clear (hiding it is not a security control; clients leak it in probe requests anyway)
The frequencies of the unlicensed bands are:
900 MHz
2.4 GHz used by 802.11b and g, using DSSS. Max data rate of 11 Mbps for 802.11b (and for 802.11g when falling back to DSSS); other rates are 1, 2 and 5.5 Mbps.

5 GHz used by 802.11a, using OFDM, with data rates of 6, 9, 12, 18, 24, 36, 48 and 54 Mbps and 12 non-overlapping frequency channels. When 802.11g operates with OFDM the same max data rate of 54 Mbps is achieved.

The FCC has released three unlicensed bands for public use: 900 MHz, 2.4 GHz and 5 GHz. The 900 MHz and 2.4 GHz bands are referred to as the Industrial, Scientific, and Medical (ISM) bands, and the 5 GHz band is known as the Unlicensed National Information Infrastructure (UNII) band.

802.11a, operating in the 5 GHz radio band, is largely immune to interference from devices operating in the 2.4 GHz band, like microwave ovens, cordless phones and Bluetooth devices.
Quiz: Which two 802.11 standards have the highest data rate?
802.11a and 802.11g, both up to 54 Mbps (802.11n goes higher, see below, but it is the newcomer in these notes)

Quiz: Which standards are most widely used today?
802.11b/g is the most widely used wireless network found today.  802.11b operates in the 2.4 GHz unlicensed radio band and delivers a maximum data rate of 11 Mbps
Facts to consider: this is the sort of thought process in an exam question: the 802.11g standard delivers the same 54 Mbps maximum data rate as 802.11a but runs in the 2.4 GHz range, the same as 802.11b
Approximate ranges, indoor and outdoor:
Standard  Indoor  Outdoor
802.11g   40 m    140 m
802.11b   40 m    140 m
802.11a   35 m    100 m
802.11n   70 m    250 m

Modulation
802.11a and 802.11g use OFDM
802.11b uses Direct Sequence Spread Spectrum (DSSS)
802.11g is DSSS/OFDM (it falls back to the DSSS rates for 802.11b compatibility)
IEEE 802.11 was the first, original standardized WLAN at 1 and 2 Mbps, running in the 2.4 GHz band
802.11n the New Wireless Standard
802.11n uses OFDM on 20 MHz or bonded 40 MHz channels, in either the 2.4 or the 5 GHz band, and adds MIMO: several transmitters and antennas send separate spatial streams at once (spatial multiplexing), reaching a data rate of up to 600 Mbps with four streams.  It is backward compatible with 802.11a, b and g.

802.11b
It is the most widely deployed, using CCK (Complementary Code Keying) modulation for its 5.5 and 11 Mbps rates.  There are 14 channels, each 22 MHz wide, with 5 MHz separation between centre frequencies. To completely avoid overlap, two APs need a 5-channel separation; therefore only channels 1, 6 and 11 are used.

Wifi Equipment
Access points, wireless controllers, wireless LAN client adapters, security and management servers, wireless management devices, wireless integrated switches and routers—even antennas and accessories
Key Players in Wifi
The Wifi Alliance is a non-governmental, non-profit industry trade organization that promotes interoperability between wifi product manufacturers and promotes wireless growth. As for securing wireless networks, the encryption schemes have come a long way, as the list below shows.

The IEEE writes out the technical standards or Engineering specs, publishes technical documentation or journals.

ITU-R is the international union that regulates RF usage bands including wireless.

Quiz: Who created WPA?
Answer: WPA was created by the Wifi Alliance based on the IEEE 802.11i standard
Quiz: What is a rogue access point? An unauthorized AP that has been placed on the WLAN, whether a consumer AP an employee plugged into the wired network or an attacker's AP imitating the corporate SSID. You find them by comparing the BSSIDs seen beaconing against the list of APs you actually deployed.
WIFI Encryption
Common standards dealing with wireless client authentication and encryption, turning plaintext into ciphertext.
  • WEP is outdated and too easy to break: a static shared key and RC4 with a 24-bit IV, so the key is recovered from captured traffic in minutes.
  • Cisco adds CKIP and CMIC (Cisco Key Integrity Protocol and Message Integrity Check) to protect keys on pre-WPA gear.
  • Enhancements are TKIP with MIC (per-packet keying plus a Message Integrity Check)
  • TKIP with 802.1x EAP authentication
  • WPA uses TKIP/ MIC encryption (still RC4 underneath; a stop-gap designed to run on WEP hardware)
  • 802.11i/ WPA2 is the strongest level of WLAN security in these notes
  • WPA2 includes AES in Counter mode with CBC-MAC Protocol (AES-CCMP)
  • CCMP replaces TKIP with AES using 128-bit keys; it is the mode to require, with TKIP disabled
  • LEAP (Cisco's proprietary EAP type) uses a username/password challenge-response rather than a TLS handshake and is vulnerable to offline dictionary attacks; EAP-TLS uses a real TLS handshake with certificates on both sides. Either way the AP forwards the EAP exchange to a RADIUS server.
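A small site-survey audit covering three of the points in these notes (the 22 MHz channel width and the 1/6/11 rule, the weak encryption settings listed above, and the rogue AP quiz), as an added shell example that is not from the original notes or from Cisco. The scan table is constructed in a made-up layout, not any tool's real output, and the SSIDs, MAC addresses and the list of authorized BSSIDs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a 2.4 GHz site survey for
# channel overlap, weak security and rogue APs. SCAN is a constructed table in
# a made-up "SSID BSSID CHANNEL SECURITY" layout (not any tool's real output);
# the SSIDs, MAC addresses and the AUTHORIZED list are assumptions.

SCAN='corpnet 00:11:22:33:44:01 1 WPA2-EAP-CCMP
corpnet 00:11:22:33:44:02 6 WPA2-EAP-CCMP
corpnet 00:11:22:33:44:03 11 WPA2-EAP-CCMP
corpnet 00:11:22:33:44:99 3 WPA2-PSK-TKIP
lab-old 00:11:22:33:44:04 6 WEP
guest 00:11:22:33:44:05 8 OPEN'

# BSSIDs the network team actually deployed (assumed list).
AUTHORIZED='00:11:22:33:44:01 00:11:22:33:44:02 00:11:22:33:44:03 00:11:22:33:44:04 00:11:22:33:44:05'

# Centre frequency in MHz of a 2.4 GHz channel: 2407 + 5*ch for 1..13, 2484 for 14.
channel_freq() {
    if [ "$1" -eq 14 ]; then echo 2484; else echo $((2407 + 5 * $1)); fi
}

# Two 22 MHz wide DSSS channels overlap when their centres are less than 22 MHz
# apart, i.e. fewer than five channel numbers apart (hence 1, 6 and 11).
channels_overlap() {
    d=$(( $(channel_freq "$1") - $(channel_freq "$2") ))
    [ "${d#-}" -lt 22 ]
}

# APs a client should refuse: open, WEP, anything still offering TKIP, or the
# corporate SSID offering a pre-shared key where 802.1X/EAP is expected.
weak_security() {
    printf '%s\n' "$SCAN" | awk '
        $4 == "OPEN"                  { print "WEAK " $2 " " $1 " open"; next }
        $4 == "WEP"                   { print "WEAK " $2 " " $1 " wep";  next }
        $4 ~ /TKIP/                   { print "WEAK " $2 " " $1 " tkip"; next }
        $1 == "corpnet" && $4 ~ /PSK/ { print "WEAK " $2 " " $1 " psk" }'
}

# A rogue here is any BSSID beaconing the corporate SSID that is not on the
# deployed list; to a client an evil twin looks exactly like a real AP.
rogue_aps() {
    printf '%s\n' "$SCAN" | awk -v auth="$AUTHORIZED" '
        BEGIN { n = split(auth, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "corpnet" && !($2 in ok) { print "ROGUE " $2 " ch" $3 " " $4 }'
}

# Number of AP pairs in the scan whose channels overlap (co-channel counts too).
overlapping_pairs() {
    chans=$(printf '%s\n' "$SCAN" | awk '{ print $3 }')
    count=0; i=0
    for a in $chans; do
        i=$((i + 1)); j=0
        for b in $chans; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue
            if channels_overlap "$a" "$b"; then count=$((count + 1)); fi
        done
    done
    echo "$count"
}

weak_security
rogue_aps
echo "overlapping AP pairs: $(overlapping_pairs)"
```

The rogue on channel 3 shows both checks firing at once: it beacons the corporate SSID with a BSSID nobody deployed, and it only offers WPA2-PSK with TKIP, which is what a cheap evil twin set up to harvest passphrases would look like.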
How is the client authenticated in IEEE 802.1x?
The AP is only the authenticator: it encapsulates the client's EAP traffic in RADIUS, forwards it to the authentication server, and opens the port for normal traffic only when that server says the client passed. Until then the client can exchange nothing but EAP frames.

Modes of Operation

Ad Hoc Mode
IBSS - Clients connect directly to each other, peer to peer, with no access point.
Infrastructure Mode
BSS - clients connect to each other through a network resource, the access point. The BSSID is the MAC address of the AP's RF interface card; B for basic.
ESS - Two or more BSS are connected by a common distribution system. E for extended. The SSID is the wireless network name advertised, configured by the admin.


More than one BSS forms an ESS: when a group of BSS (or many APs) in the WLAN share the same SSID, the client can be mobile and re-authenticate with the various APs in the same ESS.


WPA
Enterprise mode
used for Business, Education and Government; a term for products tested to be interoperable with IEEE 802.1x EAP authentication, i.e. per-user credentials checked by a RADIUS server
Personal mode
for SOHO, home and personal use; interoperable in PSK (pre-shared key) mode of operation only. Everyone shares one passphrase, and a short one can be brute-forced offline from a captured four-way handshake.

Issues with Roaming
  • Consider the range of the combined cells, which form an extended service area
  • Allow 10-15% overlap between cells so users can roam without losing the RF connection
  • Configure three access points with the same SSID so users can roam wirelessly without dropping connectivity
  • Allow 15-20% overlap for wireless voice
Solution for Roaming
  • Shift the data rate while moving: 11 Mbps, 5.5 Mbps, 2 Mbps, 1 Mbps
  • A higher data rate requires a stronger signal at the receiver; at a lower data rate the range is longer
  • Clients want the highest data rate
  • If there are transmission errors, reduce the data rate
Connecting the AP to a LAN switch, which cable would you use? Just a straight-through, much like a regular PC.

Wireless Zero Configuration 
Three basic wireless access point parameters: SSID, authentication and RF channel, with optional power. Windows has a feature (Wireless Zero Configuration) that sets up the client side automatically, though most wireless NIC vendors ship their own GUI as well.

With Cisco's controller-based WLAN (lightweight APs managed by a wireless LAN controller, with the Wireless Control System, WCS, on top for management) the AP itself needs zero configuration: it pulls its settings from the controller, checks for channel overlap and interference and moves to a non-overlapping channel, and lowers its transmit power to limit interference, which Cisco calls "auto RF" (Radio Resource Management).

I found a really good reference for the Wireless LAN topic. I'd hazard to say that I found nuggets of information that I had missed on the exam from my notes! Lookup the Cisco Tests blog.