
Some OSPF and some more motivational issues.

November 22, 2009

I have been working on some OSPF scenarios lately. This was sparked by a post by Joe Astorino @ IPexpert. They are about the use of the forwarding address in Type 5 LSAs generated by an ABR because of a Type 7 LSA in an NSSA area.

A lot of the questions I had in regard to the blog post came from the fact that I couldn't recreate the scenarios at all. Turns out the whole thing was a bit tilted in how an ABR elected which ASBR to pick for the forwarding address. I am still trying to create a sort of matrix on what happens when. When I have this completed I will of course post it here. But in the meantime, “Lab It Up Yourself ™” is the message of the day.

A note to authors of technical articles: please admit when something is wrong and fix it. Joe did figure it out and fixed it (at least some of it), so it's all good.

On another note, I have been having some pretty big motivational issues. I simply don't seem to be able to get into the material at all. I am not sure how I will overcome this obstacle, even though I'm sure I will. Maybe you have some ideas on how to motivate yourself? Reading the “Goals!” book gives some ideas, but putting them into action is the breaking point for me. The quote “The road to hell is paved with good intentions” really makes me feel bad each day.

Next week, my boss will book the bootcamp with Narbik in London (just outside), which is GREAT. I'm really looking forward to it. It's February 1st to the 6th. I will most likely travel over there on January 31st and stay until the 7th. Reading other blog posts about his prior students really increases my expectations of the entire thing. I just hope I'm up to it by then, health-wise and motivation-wise!

Anyways, I'm back to figuring out how to get back into the game… /me putting on my helmet.


Remembering…

November 12, 2009

The link below is an excellent read from INE that you should really take the time to read.

I am working on a post about the OSPF forwarding address, as well as some MPLS stuff. Stay tuned :)

I just wanted to get the link out there.

http://blog.internetworkexpert.com/2009/03/22/how-to-study/


Lab V4 at first glance.

October 27, 2009

The new CCIE lab version is in effect. Called version 4.

The first guy on OSL (Online Study List) has been through it, and there’s certainly some changes.

First up is the annoying OEQ (Open Ended Questions); these were on the retired version 3 as well. Lots of people have issues with them, so I won't bother commenting on them other than saying they scare me too :)

Second is the trouble-shooting section. According to feedback, this is a doable task, but not easy by any means. You are assigned trouble-shooting tickets which you have to resolve. Apparently it's some kind of new user interface, which will be interesting to hear more about. Apparently between 6 and 12 tickets will be assigned to you.

Third is the lab section. This is as we know it, but scaled to be only 5.5 hours in length to give time for the trouble-shooting section. Apparently the passing mark is now 80 instead of 70, which is of some concern. This is the 2nd most interesting thing for me to hear more about… The number one being:

You don't have lab workbooks in physical format :(

This is really bad if you ask me. To switch back and forth on the screen between your topology diagrams is a nightmare. It will certainly take out a good portion of your time to recreate stuff on paper. I know that apparently the labs have large monitors, but still, a hassle nonetheless.

Another member of OSL is up for tomorrow. I really hope he passes it. I also hope he will provide some more insight into the new version of the CCIE lab.


Views and what they can provide for you.

October 26, 2009

This small post will be about a little feature called “views”.

This feature is used to create a sort of profile, with which you can let a certain user do certain things. As you might know, the only way to do this previously was to use the privilege level command. This command would in effect set a command to be available at a certain privilege level. This can be very cumbersome to maintain, especially if you work in a large enterprise environment or a service provider.

I will use an example of such a scenario to demonstrate the goal of the view feature. First off, a very small topology to ease our life a bit when trying out different commands:

View Topology

First off, a small config snippet on R1 to allow the telnet from R2:

R1(config-if)#line vty 0 4
R1(config-line)#pass cisco
R1(config-line)#login
R1(config-line)#

Check that it works before we start anything:

R2#telnet 192.168.12.1
Trying 192.168.12.1 … Open
User Access Verification
Password:
R1>

Okay, great! We have a working telnet session.

Scenario:

Let's imagine that we work in an enterprise where we have multiple network folks around. Some of them are senior engineers, others are junior engineers. We might have a company policy that states that junior engineers are only allowed to log in and view a router's interface status, view the local logging buffer and bounce the interfaces. Nothing else, nothing more.

Back in the day, you would have to create a set of rules governing your policy regarding what privilege level you wanted certain commands in. Administratively this is a nightmare.

Let's accomplish the above criteria using views!

First off, AAA is required in order to use views, so let's enable it:

R1(config)#aaa new-model

Secondly, to start off with, you need an enable password:

R1(config)#enable secret blah

Then you enable the root view using the enable password:

R1#enable view root
Password:
R1#

Now, what we can do is issue commands to the parser. Let's create a new profile:

R1(config)#parser view Junior
R1(config-view)#
*Mar  1 00:15:20.415: %PARSER-6-VIEW_CREATED: view ‘Junior’ successfully created.

So, we created the Junior view. Let's assign a password to enter this new view:

R1(config-view)#secret imajunior

Great. Now let's see what the effect is if we telnet into R1 from R2:

R2#telnet 192.168.12.1
Trying 192.168.12.1 … Open
User Access Verification
Username:

Oops! Remember that we enabled AAA on R1. This means that we must now have a username/password combination. Let's fix this on R1:

R1(config-line)#
R1(config-line)#username jeng secret Weee

Let's try from R2 again :)

R2#telnet 192.168.12.1
Trying 192.168.12.1 … Open
User Access Verification
Username: jeng
Password:
R1>

Cool. We are onto the router. Now this is where the views come into play:

R1>ena view Junior
Password:

Now we are logged into the router with the view Junior. Let's see what commands are available to us:

R1#?
Exec commands:
<1-99>      Session number to resume
credential  load the credential info from file system
enable      Turn on privileged commands
exit        Exit from the EXEC
show        Show running system information

Not a whole lot :)

Let's add some functionality so the Junior engineer can actually get some work done:

R1(config)#parser view Junior
R1(config-view)#commands exec include show interfaces

What this means is that from the exec level prompt, the command “show interfaces” is allowed.

Let's try again from R2:

R1#show interfaces
FastEthernet0/0 is administratively down, line protocol is down
Hardware is Gt96k FE, address is c200.0ed4.0000 (bia c200.0ed4.0000)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00

Great! That was one of our objectives. Now for the remaining two (show local logging and bounce interfaces):

R1(config-view)#commands exec include show logging
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface
R1(config-view)#commands interface include shutdown
R1(config-view)#commands interface include no shutdown
R1(config-view)#commands configure include interface s0/0

Line by line: include the command “show logging” from the exec prompt, then allow the “configure terminal” command, again from the exec prompt. From the configure prompt we then allow the interface command. This needs both the bare “interface” keyword and the specific interface under which you want to allow commands (s0/0 here). At the interface level, we include both the shutdown and the no shutdown command.

And now, let's verify it:

R1#sh logging
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int s0/0
R1(config-if)#?
Interface configuration commands:
exit      Exit from interface configuration mode
no        Negate a command or set its defaults
shutdown  Shutdown the selected interface
R1(config-if)#

Great! That's it. We can now create any username/password combination and tell the Junior engineer to use the view Junior in order to do the tasks at hand.

Please note that this is in my opinion a pretty buggy feature at times. For some commands you must log out and back in again, and for others you don't need to. It seems inconsistent sometimes, so use with care.

Hope that sheds some light on the View feature. Take care!


uRPF behavior

October 25, 2009

I want to show the behavior of the uRPF (Unicast Reverse Path Forwarding) feature.

Basically this is a security feature to prevent spoofed source IP addresses (very basic). Its function is to prevent a router from processing a packet coming from an unknown source or the wrong interface.

So there are two modes of uRPF: Loose and Strict.

Loose Mode: This mode says that as long as we have a route to the source IP address, it's okay to route/process this packet. It doesn't matter what interface the packet comes in on. Please note that by default it does not accept a default route as a valid return path. We will change this behavior later on.

Strict Mode: This mode further enforces the uRPF check, so that the incoming interface of the packet must be the correct one, as dictated by the routing table.

This is the topology I will use to demonstrate the functionality:

uRPF Topology

This topology is set up so that R1 will have the IP address ending in .1 on each subnet, R2 will have .2 and finally R3 will have .3. A loopback on each of the spoke routers has been set up with the IP address 10.0.0.100/32. This is the IP address we will use to “spoof”. No routing protocols will be in effect at all. Output will be from “debug ip packet”.

First, let's ping the R1 IP address of 192.168.12.1 from R2's loopback interface, without any configuration on s0/0 on R1:

R1#
*Mar  1 00:02:36.867: IP: tableid=0, s=10.0.0.100 (Serial0/0), d=192.168.12.1 (Serial0/0), routed via RIB
*Mar  1 00:02:36.867: IP: s=10.0.0.100 (Serial0/0), d=192.168.12.1 (Serial0/0), len 100, rcvd 3
*Mar  1 00:02:36.871: IP: s=192.168.12.1 (local), d=10.0.0.100, len 100, unroutable

As can be seen, R1 actually receives the packet and tries to route it accordingly. Since there's no route to return the traffic, it's unroutable. The important thing to remember here is that the router will try to route the traffic. Something we don't want in the case of a spoofing attack.

Now we enable the uRPF loose mode feature on s0/0:

R1(config-if)#ip verify unicast source reachable-via any
R1(config-if)#^Z
R1#

We try to ping from R2 again:

R1#

Nothing at all. R1 does not have any route to reach the source IP address 10.0.0.100, so it won't even try to route it! Great!

Let's create a route back to R2 from R1 and do a ping from R2 to R1 again:

R1(config)#ip route 10.0.0.0 255.255.255.0 192.168.12.2
*Mar  1 00:05:30.307: IP: tableid=0, s=10.0.0.100 (Serial0/0), d=192.168.12.1 (Serial0/0), routed via RIB
*Mar  1 00:05:30.307: IP: s=10.0.0.100 (Serial0/0), d=192.168.12.1 (Serial0/0), len 100, rcvd 3
*Mar  1 00:05:30.311: IP: tableid=0, s=192.168.12.1 (local), d=10.0.0.100 (Serial0/0), routed via FIB
*Mar  1 00:05:30.311: IP: s=192.168.12.1 (local), d=10.0.0.100 (Serial0/0), len 100, sending

Everything works out! We have a route match, and uRPF allows the traffic to pass through.

If we now enable uRPF on s0/1 on R1, and ping from R3:

R1(config)#int s0/1
R1(config-if)#ip verify unicast source reachable-via any

Watch R2:

*Mar  1 00:08:30.603: IP: tableid=0, s=192.168.13.1 (Serial0/0), d=10.0.0.100 (Loopback0), routed via RIB
*Mar  1 00:08:30.603: IP: s=192.168.13.1 (Serial0/0), d=10.0.0.100, len 100, rcvd 4

What happens here is actually the spoof attack itself, even though we have loose mode on. R3 pings R1 with the source of 10.0.0.100. R1's uRPF checks if it has a route. It does! So everything is fine as far as uRPF is concerned. Now we route it accordingly, which means sending it to R2! By doing this manipulation we are actually sending traffic to R2 from R3. This is certainly not what we want.

Now, instead of using the loose mode, let's use the strict mode and try pinging from R3 again:

R1(config-if)#ip verify unicast source reachable-via rx
R1#

Nothing! Since the traffic from R3 with the IP address 10.0.0.100 does not arrive on the interface where R1 expects it, R1 drops it immediately and does not try to route it at all! We have, by using the strict mode, prevented the spoofing attack.

Allow-Default:

Let's delete the route we created on R1 and install a default route instead:

R1(config)#no ip route 10.0.0.0 255.255.255.0 192.168.12.2
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

Pinging from R2 to R1 now doesn't succeed! Remember that by default, default routes are not considered valid for the uRPF check. We can change this by using the “allow-default” parameter:

R1(config-if)#ip verify unicast source reachable-via any allow-default
R1#
*Mar  1 00:33:37.971: IP: tableid=0, s=10.0.0.100 (Serial0/0), d=192.168.12.1 (Serial0/0), routed via RIB
*Mar  1 00:33:37.975: IP: s=10.0.0.100 (Serial0/0), d=192.168.12.1 (Serial0/0), len 100, rcvd 3
*Mar  1 00:33:37.975: IP: tableid=0, s=192.168.12.1 (local), d=10.0.0.100 (Serial0/0), routed via FIB
*Mar  1 00:33:37.979: IP: s=192.168.12.1 (local), d=10.0.0.100 (Serial0/0), len 100, sending

And we have reachability again :)
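To make the loose/strict/allow-default decisions above easy to reason about, here is an added example (not code from the original post or from IOS) that models R1's uRPF check over a constructed routing table. The interface names, the two RIB versions and the 10.0.0.100 source are taken from the lab topology; the matching logic is my own reading of the behaviour described in the post.

```python
# Added example: a model of the uRPF source check R1 performs in the post's lab.
# The routing tables and packets are constructed to match the topology above;
# this is not IOS code, only the decision logic the post describes.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # e.g. 10.0.0.0/24
    out_if: str                     # interface the route points out of


def lookup(rib, src):
    """Longest-prefix match for the source address, or None if nothing matches."""
    src = ipaddress.ip_address(src)
    matches = [r for r in rib if src in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_permits(rib, src, in_if, mode="any", allow_default=False):
    """Return True if a packet from src arriving on in_if passes the uRPF check.

    mode="any" -> loose mode  (ip verify unicast source reachable-via any)
    mode="rx"  -> strict mode (ip verify unicast source reachable-via rx)
    A 0.0.0.0/0 match only counts as a return path when allow_default is set.
    """
    route = lookup(rib, src)
    if route is None:
        return False                     # no route to the source: dropped, never routed
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                     # only the default route matched: rejected by default
    if mode == "rx" and route.out_if != in_if:
        return False                     # strict: must arrive on the interface the RIB uses
    return True


# R1's RIB after "ip route 10.0.0.0 255.255.255.0 192.168.12.2" (next hop R2, via s0/0)
RIB_STATIC = [
    Route(ipaddress.ip_network("192.168.12.0/24"), "Serial0/0"),
    Route(ipaddress.ip_network("192.168.13.0/24"), "Serial0/1"),
    Route(ipaddress.ip_network("10.0.0.0/24"), "Serial0/0"),
]
# R1's RIB after that route is replaced by "ip route 0.0.0.0 0.0.0.0 192.168.12.2"
RIB_DEFAULT = [
    Route(ipaddress.ip_network("192.168.12.0/24"), "Serial0/0"),
    Route(ipaddress.ip_network("192.168.13.0/24"), "Serial0/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Serial0/0"),
]
SPOOFED_SRC = "10.0.0.100"   # the loopback address both spokes carry


def lab_walkthrough():
    """Reproduce each decision from the post as (description, permitted) pairs."""
    return [
        ("no route, loose, from R2", urpf_permits([], SPOOFED_SRC, "Serial0/0")),
        ("static route, loose, from R2", urpf_permits(RIB_STATIC, SPOOFED_SRC, "Serial0/0")),
        ("static route, strict, from R2", urpf_permits(RIB_STATIC, SPOOFED_SRC, "Serial0/0", mode="rx")),
        ("static route, loose, from R3 (spoof passes)", urpf_permits(RIB_STATIC, SPOOFED_SRC, "Serial0/1")),
        ("static route, strict, from R3 (spoof dropped)", urpf_permits(RIB_STATIC, SPOOFED_SRC, "Serial0/1", mode="rx")),
        ("default route only, loose", urpf_permits(RIB_DEFAULT, SPOOFED_SRC, "Serial0/0")),
        ("default route, loose, allow-default", urpf_permits(RIB_DEFAULT, SPOOFED_SRC, "Serial0/0", allow_default=True)),
    ]


if __name__ == "__main__":
    for desc, ok in lab_walkthrough():
        print(f"{'PASS' if ok else 'DROP'}  {desc}")
```

The model only covers interfaces where uRPF is enabled; the very first debug output in the post (no uRPF at all, packet routed and then found unroutable) is what happens when the check is skipped entirely.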

I hope this little post has shed some light on the uRPF command. A little overlooked, but pretty cool feature.


Multicast – Designated Router (DR)

October 8, 2009

The role of the designated router has been bothering me every now and again. I always end up forgetting its role, where it's present, and how it's elected. So I thought I would post some info on it, maybe to keep my own mind fresh :)

In any LAN environment, a designated router will be elected by PIM (Protocol Independent Multicast). Its role is to handle joins in a sparse-mode environment, and if IGMP version 1 is used, to elect the querier of the LAN. If version 2 (or 3) is being used, the lowest IP address will be the LAN querier.

The DR will also be the one that sends a source-register message to the rendezvous point on behalf of a source.

By default, your DR will be the one with the highest IP address. In newer IOS releases, a priority can be set on the interface level to change which one will be the DR. The command is “ip pim dr-priority <priority-level>”. Default priority is 1.
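The election rule above, as an added example (not code from the post or from IOS): highest dr-priority wins and the highest IP breaks ties. It goes one step beyond the post by handling a neighbour that does not advertise a priority at all, in which case PIMv2 has the whole segment fall back to plain highest-IP comparison. The neighbour addresses are constructed for illustration.

```python
# Added example: PIM DR election on one LAN segment, modelled on the rule in the
# post. Neighbour addresses below are constructed, not from any real topology.
import ipaddress

DEFAULT_DR_PRIORITY = 1   # the default the post gives when ip pim dr-priority is unset


def elect_dr(neighbors):
    """Pick the DR from {ip: priority}, where priority is an int or None.

    None marks a neighbour too old to advertise a DR priority. Highest priority
    wins and the highest IP breaks ties. If any neighbour advertises no priority,
    every router ignores priorities and the highest IP wins (the PIMv2 fallback).
    """
    if not neighbors:
        raise ValueError("no PIM neighbours on this segment")
    priority_in_use = all(p is not None for p in neighbors.values())

    def rank(item):
        ip, prio = item
        # Compare priority first (or nothing, if the fallback applies), then the
        # numeric value of the address so 192.168.1.10 beats 192.168.1.9.
        return ((prio if priority_in_use else 0), int(ipaddress.ip_address(ip)))

    return max(neighbors.items(), key=rank)[0]


if __name__ == "__main__":
    segment = {
        "192.168.1.1": DEFAULT_DR_PRIORITY,
        "192.168.1.2": DEFAULT_DR_PRIORITY,
        "192.168.1.3": 50,
    }
    print("DR:", elect_dr(segment))   # 192.168.1.3 wins on priority alone
```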

I hope this small post will provide some useful information, at least for reference. I certainly hope it will for me.


Do you trust your social networking site?

September 30, 2009

This topic has been bothering me for a while actually. In the last couple of years we have seen a wave of so called “social networking” sites. Those are sites such as MySpace, Facebook, Twitter and LinkedIn.

What these sites are supposed to bring you is a sense of being more closely connected to your friends, family and peers. No one can argue that this goal has not been reached, but I keep asking myself, at what cost?

I myself use all of the above except MySpace. I have friends and family in all of them. In all of them there are small pieces of information that, when looked at from above, will basically map out my entire life. When thinking this through, my entire life history, what schools I have attended, what my lifestyle is like, what I like to eat, where I like to go on vacation, what movies I like to watch, is all mapped out electronically.

An outsider being presented with this information in a condensed form will have all the information necessary to make certain assumptions about me. They can then use those assumptions for whatever good or evil they have in mind. Now that is total control!

An argument against this type of paranoia is often presented in the form of: “It will be too hard to gather all that information” or “they won't do that” or “my life is not interesting enough for that”.

The “too hard” part is easily debunked. Any programmer I know has the ability to create search functions that can go across sites, look into their databases, and basically create a web of people, associating whatever they want with those people, like creating a top 10 list of whether they prefer their steak medium or rare. This won't even take them very long to do. It's technically not very hard to do these days.

The next one is “they won't do that”. Why wouldn't they? If a marketing agency of a travel corporation had a big enough budget, they would be able to persuade some of these social networking sites to give up information on what locations around the world are the most preferred. A direct marketing campaign could then be addressed to these folks, based on already implemented functions on these social networking sites, or even directly to these folks through email or even physical snail mail. The privacy agreements on these sites are a joke to most privacy lawyers (IANAL).

Some say their life is not interesting enough. Well, if you are living in the 21st century and you are a consumer of any sort, then your life is interesting to someone out there. If it's monetarily feasible to figure out what you are into (and it is, based on the easy nature of data mining this information), then you are a potential “buyer”.

So why do we do it?

Instinct. It's in our very nature to be social creatures in some form or another. We want to be able to know what we are doing, and to participate in it in any way we can. Even if this means giving up some (a lot!) of our privacy. It all comes down to a choice: live socially or live privately. But this decision is not one that most people have consciously made. The choice has been pure instinct.

Do I like social networking sites? Yes… Do I like the data mining? No! No one does. What I'm urging is for you to make the choice with your reasonable brain instead of your animal instinct.

Sorry for the rant, but I just don't like for any single entity to be able to obtain a print-out of my entire life!

See you on twitter?


Landed a new job.

September 29, 2009

I have just landed a new job. It is a networking company, doing a lot of security, IP telephony and general network consulting. The company can be found here. It is called NetIP. The company is located about 30km from where I live, so a little drive in each direction is necessary. I will start Thursday the 1st of October. I am looking forward to it. My last day at the previous job was yesterday, and it went by okay. Of course it's sad to lose some coworkers, some of whom I have been working with for close to 9 years. But life goes on.

The job thing has taken up quite a lot of time from my studying routine. I will need to get back on track again as soon as possible. Hopefully Narbik Kocharian will announce a date for the next bootcamp in the UK within the next couple of weeks. The new workplace is very supportive of my effort to attain the CCIE, which I'm very pleased with, so when the bootcamp opens up for registration, I will take a week off (on my own dime though) and fly out to the UK to attend the bootcamp. Right now though, it's all VOD from IPexpert. It's been really good so far.

I have managed to get a full replication of the IPexpert workbook lab going. Unfortunately I'm waiting for a new internet connection to be installed. Until then I can't access it from the global internet.

I will try and make a post about BGP regular expressions. They are very interesting, but also very confusing at the same time, so when I have un-confused them myself, I will try and explain them to others :)

Until then, take care!!


Been a while.

September 18, 2009

It's been a while, and for that I'm sorry.

I have been very busy watching VOD (Video On Demand) classes from IPexpert. Scott Morris has done these videos, and he is pretty good at it in my opinion. There is a lot of new stuff as well. Things such as Multilink Frame Relay (FRF.16) and PPP over Frame Relay. IRB (Integrated Routing and Bridging) was also new for me. Basically you can extend your L2 over an L3 IP routed network. All very interesting stuff.

I have also spent quite some time picking up my physical exercise plans. I am beginning to notice a difference in my attention span and general tiredness. Attention span going up while tiredness going down. This is good :)

Last time, I wrote about putting together a home lab compared to renting lab time, and what options you would have. I would like to give some more information on this here.

As far as I see it, first of all you need to figure out what sort of budget you are working with. Using rack rental is more flexible budget-wise, in that you can purchase the time you need, and nothing more. This will probably save you money in the long run. The big drawback of this solution is that you can only use your allotted time on the rack. That means that if you have a slot from 8 in the evening until midnight, that's when you will practice your technologies. If you don't feel like it, or are not prepared to do it at that time, you waste the slot you paid for. You can't study something and then want to test it out quickly, right there and then. As mentioned, this is a big drawback, at least for me.

The other option is to build your own home lab, where you can practice everything, and physically touch it! (at least some of it). This option is far more expensive no matter how good you are at finding the right stuff and the right price.

On a side note, if Cisco really wanted to help students out, they should have a rental plan in place. You would be able to rent the physical gear from them for a period of time, and return it after you are done with it. Of course there are some costs involved in this, but it would mean you could get physical access to the exact gear that's being tested on the lab exam.

I chose to build my own lab. The main reason for this is that I like to have gear available to me when I need it, and not go about selecting when I think I might need it. The last piece of this puzzle should arrive any day now. I will elaborate more when I get everything running.

After this, I need to relocate the lab to a different location, since my internet connection at home will be down for a while. I will then have access to the entire rack remotely at any time.

Right now… back to VOD.


L2protocol-tunnel

September 6, 2009

So a simple concept right?

Tunnel your L2 protocols through a switched network? I agree, but as usual, I put more complication into it. Basically a VOD from IPexpert on l2protocol-tunnel used to create a trunk connection. In the video it is shown that you can create a trunk by using an l2protocol-tunnel (STP in particular). Through extensive testing and discussion on OSL, this is possible, but you will only get the native-VLAN traffic through.

I will assemble my thoughts on this and elaborate with some diagrams shortly. But the conclusion will still be the same. If you need to pass data from more than one VLAN over a switched SP network, use Q-in-Q. Use l2protocol-tunnel to pass the L2 protocols, CDP, STP and VTP, but don't rely on it for anything else.