Monthly Archives: August 2009

Trying some video out.

The lack of posts recently has its cause.

I have been playing around with a screencast. The problem boils down to compressing the video somehow. I made a recording, and unfortunately it was recorded in too good a quality, resulting in a pretty big file size (~300Mb). I then tried several (read: a lot) of different tools to somehow compress it. I have still to figure it out. But anyways, I uploaded it to YouTube because I didn't know where else to put it. If anyone has any ideas for doing a better job, please let me know.

Anyways, here it is, an example of doing some binary network math. The issue came up on groupstudy, so the examples are expanded from there. Hope you find it informational:

Video: http://www.youtube.com/watch?v=tt_Fa0xywwQ

Lab preparation thoughts.

Here is the brainstorm about the preparation on the CCIE lab I have come up with so far. Remember that this is no final list or any “magic pill” of any sorts, it is just some thoughts I have been having.

Update:

Keith O’Rouke pointed out to me that the DocCD is my new best friend. I need to master it completely, and he is 100% right, therefore it is now added to my list.

1) Scheduling of time is very important. Must use a calendar program to manage this.

2) Discipline! This is really the key. Make sure you stick to the topics at hand and do them at the right time.

3) Be flexible. If something happens that results in a time constraint, adjust the calendar.

4) Make sure that family life agrees with this journey. You must be able to focus.

5) Concentration is very important. Learned from the written exam and the CCNP that any time spent at 100% concentration is worth more than 3x the time spent without it.

6) Investigate the technologies. This includes mini-labs focusing in on technologies that are giving problems. Write a synopsis for each lab, so you can go back to the technologies instead of re-creating them. This will make searching possible.

7) Commands, Commands, Commands… Learn how to diagnose issues with the show commands. Learn what output the show commands will give you. There are no substitutes for lab time. Learn how to spot potential issues just from the show commands. Learn how to make the router prove that something is correct.

8) A great part of this journey is keeping up both mentally and physically. Keep exercising, if for nothing else, then for the end goal! Meditation and physical exercise must be planned into this.

9) Break things down into smaller pieces. It will be easier to digest these smaller pieces and put the entire technology together.

10) If for some reason you get stuck in something, do NOT keep on at it. Get up and away for some time and come back with fresh eyes. This has helped time and time again.

11) Use idle time to listen to audio lectures and/or re-watch VOD. This will supplement “real” study-time. It might spark new ideas. It might also solidify some facts.

12) I will need some additional books. I can see from the blueprint that I need some more on MPLS VPNs. Maybe also find something about PPPoE. Additional books might come up when the first people have done the new exams. This will need to be accounted for in the study budget.

13) Remember that troubleshooting is now a large portion of the lab exam. This means that a great deal of time will be spent debugging labs. Reading through and completing all scenarios in Troubleshooting IP Routing Protocols will be invaluable for L3 issues.

14) I will need to create a timeline to have some labs complete and a fundamental understanding of ALL topics before going to a bootcamp.

15) Bootcamp. Will need to go to a bootcamp at least once, maybe twice.

16) DocCD navigation and ease of use is a must. I need to start looking things up directly on the DocCD.

That's all folks!

Authentication by Radius on a Cisco device.

Intro:

Authentication is a critical part of administering your network devices. For the longest time, I know for a fact that a lot of companies have used a simple authentication mechanism, namely either a line password or, at best, local user database authentication. The inherent problem with these is that they are static entries, and on top of that, you have to configure them manually on every device in your network. If a change needs to occur, it requires logging in to all of the devices and changing the password (and/or username).

So for the fun of it, I decided to take a look at authenticating through a radius server. Most companies run Microsoft’s Active Directory service, which handles users and rights in a consistent manner across network boundaries. It would be a no-brainer to use this service for authentication, and that is exactly what I am going to describe here.

Please note that a lot of this information comes from here. I have included some of the information in the comments as well, because that seems to be necessary to get it working in some scenarios. I cannot explain why some more configuration is needed in some cases, and not in others. Must be a Microsoft thing.

Let's take a look at the things we need to do in order to create a successful radius authentication.

  1. We need to install the radius server.
  2. We need to set up a list of clients (routers) that can authenticate against the server.
  3. We need to set up a list of criteria that must be met to authenticate.
  4. We need to set up a new group in Active Directory.
  5. We need to assign this group to an administrative user.
  6. We need to create the necessary Cisco configuration commands to tell the router to authenticate against the radius server.

This is the topology we are working with:

As can be seen, an administrator at the laptop in the bottom wants to log into the Managed Device. We want to be able to authenticate with the login/password of the administrator as he appears in the Active Directory.

Theory and Overview:

Before I go into the configuration itself, I want to provide a visual overview of what's going to happen as we complete the login procedure.

Let's run through the steps that the authentication process goes through in order to let the administrator into the managed device:

1. The administrator telnets to the managed device and is presented with a prompt, at which he enters his login information.

2. The administrator enters his credentials and these go to the radius server. A note about sending the login/password here: radius only encrypts the password (and even that is optional), not the entire packet. This is a debug of what the Managed Device sends to the radius server:

As can be seen, I entered the username “imanadmin” and a bogus password. The last line indicates a failure in the authentication process. This means that the user is not allowed in, and he will be able to try again at the new prompt that appears. Below you can see a successful attempt:

Awesome, we got access :)

3. The login information received by the radius server is then sent to the Active Directory service (AD), which can exist locally on the same server running the radius server, or on a completely different server running the AD service. The login information is only sent to the AD if certain policies regarding the request have been met. Among these is which device is sending the request (the managed device). At this point you also provide some criteria to send along to the AD to verify. In our example we will create a group in AD which the user must be a member of to authenticate.

4. Now with authentication, all we want is a yes or no answer to our request for access, so the AD only needs to say permit or deny. No matter what, it sends one of these two answers back to the radius server.

5. The radius server relays this information (permit or deny) back to the managed device.

6. The managed device will either permit or deny the user.

Configuration Part:

So lets get down to the details of the configuration itself.

First off, you need to install the radius server on the server you have chosen for the task. This can be done by using the “Add Programs” part of the “Control Panel”. You need to go into “Add/Remove Windows Components”, and in the list that appears you choose “Networking Services”. At this point you add “Internet Authentication Service”:

Once that is done you will have a new option in the “Administrative Tools” menu, which is accessible from the “Start Menu”. This option is called “Internet Authentication Service”. Once you start up “Internet Authentication Service” you will see something like this:

As mentioned before, we need to do a couple of things. One of these is to create an AD group. This group will include the members that are allowed to access this device, IF they are authenticated with their login and password. So let's do that. You start up “Active Directory Users and Computers”. For non-Microsoft folks, this is where you manage your users and resources. Here you add a group:

Now we add the administrative user to this group:

The last part of the AD section is to toggle a certain parameter. This parameter is what I mentioned before. Sometimes it works without, and sometimes it needs to be there. Let's just set it no matter what. You need to toggle “Allow access” under the “Remote Access Permission” section. Here it is:

Now we are at the point where we have done all the AD work that we need to do. According to our steps outlined in the beginning, what we need to do is to configure the radius server itself along with configuring the Managed Device. Let's begin with the radius server setup.

Take a look at the main menu of the “Internet Authentication Service” first:

Go into the RADIUS Clients section, right-click and select “New Radius Client”:

In the “Friendly name”, you enter the hostname of the device that requests radius authentication. In our case the Managed Device (which actually has a hostname of R1). In the “Client address (IP or DNS):” you type in the IP address of the interface that sources the request. After you have completed this, click Next.

In this next section, in the “Client-Vendor:” field, you have to select “Cisco”, and in the “Shared secret:” field, you enter the password you will use for communication between the radius server and the managed device. Remember this for later on :) After you are done with this step, click Finish.

Go into the “Remote Access Policies” in the Internet Authentication Service and create a new policy. First, click Next. Choose to create a Custom policy. Give it a name; this name does not matter for operation. Click Next. In the next section you will set up the criteria we went through earlier. The first one is a criterion that states which hostnames this authentication policy applies to. Click Add. Select the Client-Friendly-Name from the list.

Here I have typed “R*”. What this means is that as long as the hostname begins with R, this criterion is met. Click OK. Do another Add, select “Windows Groups”, click Add, and here you select the group you previously defined in the AD:

Click OK and OK. Then click Next. The final step in the Internet Authentication Service Policy part is to tweak some things.

After you click Next, you will have the option to Edit the profile; do that. Then go to the Authentication tab:

This is how it appears before any changes. What you will do is set a mark in “Unencrypted authentication (PAP, SPAP)”. After this you click OK and Finish.

The very last step (I promise) is to set a Cisco variable in all Windows authentication. In your main Internet Authentication Service window, click “Connection Request Policies”; in the right hand side pane, right-click on “Use Windows authentication for all users”, and it will present you with the options for all requests requiring Windows authentication. Click “Edit Profile”, in the new window that appears choose the Advanced tab and then click Add. This will give you a number of options to carry along in your radius request. Choose the “Cisco-AV-Pair”, then add the value “shell:priv-lvl=15” so it will look like this:

Click OK to all of it until you are at the Internet Authentication Service main window again.

We are now done with all the Windows stuff (phew). The Cisco step is a lot easier :)

Log into your managed device and enter configuration mode:

Enable AAA (Authentication, Authorization, Accounting):

R1(config)#aaa new-model

Specify the radius server's IP:

R1(config)#radius-server host 192.168.1.1

Specify the key we want to use to communicate with the radius server (the one I told you to remember):

R1(config)#radius-server key Pass1234

Last, specify that you want to use radius for all login attempts:

R1(config)#aaa authentication login default group radius

That's all there is to it folks. It's the Windows part that really takes the majority of the time to configure.

Now, when the administrator telnets to the device, the device will query the radius server with login information. The radius server will ask the AD if this user is really allowed into the device. In this case, the action is to permit, so the AD responds to the radius server. The radius server relays this information back to the managed device, which lets the user in.

Be aware that if your radius server is on a routed network with firewalls, you will need to open up UDP port 1812 and/or UDP port 1645, depending on what radius server you are using and what version. The RFC changed this port some time ago. Now the official port is 1812.
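As an added illustration of steps 2 through 5 above and of the Cisco-AV-Pair set in the policy, here is a Python script written for this post (it is not the author's code, nor Cisco's or Microsoft's). It builds the Access-Request the managed device sends, hides the PAP password the way RFC 2865 prescribes, lets a toy stand-in for the IAS/AD check answer Access-Accept with shell:priv-lvl=15 or Access-Reject, and verifies the Response Authenticator on the way back. The shared secret Pass1234 is the one from the configuration above; the user's password, the AD group, the router's address and the user table are constructed sample values, and the whole exchange runs offline with no server.

```python
import hashlib
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
CISCO_VENDOR_ID = 9      # IANA enterprise number carried in the Vendor-Specific attribute
CISCO_AVPAIR = 1         # vendor type of Cisco-AV-Pair (e.g. "shell:priv-lvl=15")
RADIUS_AUTH_PORT = 1812  # port from the RFC; older servers listen on 1645 (unused offline)

# Constructed sample data; the secret matches "radius-server key Pass1234" from the post
SHARED_SECRET = b"Pass1234"
NAS_IP = "192.168.1.10"                         # hypothetical address of R1
AD_USERS = {"imanadmin": b"Correct-Pass-2009"}  # hypothetical AD credentials
ROUTER_ADMINS = {"imanadmin"}                   # hypothetical AD group named in the policy


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one Cisco-AV-Pair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attributes(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_auth(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only the password is hidden; this digest is what lets the router trust the reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_access_request(ident: int, username: str, password: str, secret: bytes):
    """What the managed device sends: username in the clear, password hidden."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    attrs += attr(ATTR_NAS_IP, socket.inet_aton(NAS_IP))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_decide(request: bytes, secret: bytes) -> bytes:
    """Stand-in for IAS + AD: reveal the PAP password, check it and the group
    membership, then answer Access-Accept with shell:priv-lvl=15 or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attributes(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    if code == ACCESS_REQUEST and AD_USERS.get(user) == pw and user in ROUTER_ADMINS:
        reply_attrs = cisco_avpair("shell:priv-lvl=15")
        auth = response_auth(ACCESS_ACCEPT, ident, request_auth, reply_attrs, secret)
        return packet(ACCESS_ACCEPT, ident, auth, reply_attrs)
    auth = response_auth(ACCESS_REJECT, ident, request_auth, b"", secret)
    return packet(ACCESS_REJECT, ident, auth, b"")


def nas_check_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """Router side: verify the Response Authenticator, then pull out the privilege level."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs_raw = reply[20:length]
    if reply[4:20] != response_auth(code, ident, request_auth, attrs_raw, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    priv = None
    for atype, value in parse_attributes(attrs_raw):
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) \
                and value[4] == CISCO_AVPAIR:
            text = value[6:4 + value[5]].decode()
            if text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
    return code, priv


def login(username: str, password: str, server_secret: bytes = SHARED_SECRET):
    """Run one login exchange offline; returns (code, priv_lvl)."""
    request, request_auth = nas_access_request(7, username, password, SHARED_SECRET)
    reply = server_decide(request, server_secret)
    return nas_check_reply(reply, request_auth, SHARED_SECRET)


if __name__ == "__main__":
    print(login("imanadmin", "bogus"))              # (3, None): Access-Reject
    print(login("imanadmin", "Correct-Pass-2009"))  # (2, 15): Access-Accept, priv-lvl 15
```

Two things the exchange makes concrete. The username and every attribute other than User-Password travel in the clear, so the path between R1 and the radius server deserves the same protection as any other credential path. And a wrong shared secret fails closed: the password unhides to garbage on the server, and the reply's Response Authenticator no longer verifies on the router. On the IOS side, note that the privilege level carried in the av-pair only takes effect when exec authorization is also pointed at radius (aaa authorization exec default group radius), and that the login line above has no fallback if the server becomes unreachable; appending local to it (aaa authentication login default group radius local) keeps a local account usable in that case.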

I hope I sparked at least some interest in this functionality. At least it will make your life easier if you have quite a few different devices and want some sort of reasonable control over them.

Take care!

Study and flashcards.

I have mentioned it before, and I'll do it again. Flash cards are great for remembering those pesky little details.

I wanted to share the flashcards I have created so far:

http://flashcarddb.com/cardset/24460-cisco-flashcards

Hopefully you can get some use out of them. Of course they are some of the details I have a hard time remembering, but maybe you'll have some use for them as well.

Enjoy!

On another note, I got access to another 3550 switch which should arrive sometime next week. That brings it to a total of 2x 3560s and 2x 3550s on the switch side. This should be able to cover the IPexpert R&S topology. Now I just need the remaining routers.

I also got access to a place where I can set up the lab when I relocate. This will put it on a permanent internet connection, so I can access it from everywhere. I have put down some money to cover the costs of electricity for having it running 24×7 for the next 6 months at least.

All that's left is to get the rest of those USB NICs. I figure I need 12 more to make it complete. I have a guy who will check out if I can get a good discount on them when I'm buying that many. Hopefully I'll get an answer to that sometime this week as well.

I am beginning to brainstorm some ideas regarding the study plan. I have also put away a decent amount of cash to pay for the bootcamp, which I hope I will be able to do in either December or January. This all depends on the material coming out from IPexpert on the new V4 blueprint.

Tomorrow is moving day, so no posts there, but hopefully I'll get my USB 3G adapter sometime during the week, so I can access the wonderful lab from anywhere :) It's got a 5Gb cap on it, but just by ssh/telnet, I should come nowhere near that!

Now off to gather some more thoughts on the study plan!

Exercising with some work switches.

One of my last tasks at work before I stop, is to create a new switched network for a location in Estonia. It will be a 10 switch network. The company is reusing two 3560 switches which I still need to receive.

However, I got 8 new switches today, all 2960 switches, one of them being a 2960G switch, which is a very nice L2 switch. I just finished setting them up on my desk so I can start configuring them. It will be good practice with some switch commands. I need to know from the project manager what features he wants to use on them considering the requirements of the topology.

Among these are:

  • DAI (Dynamic ARP Inspection).
  • IGMP snooping, whether multicast is required on the network, I am not sure if Microsoft’s configuration manager supports mcast.
  • Security level for administrators. (Views).
  • Vlan assignment, included in this is whether or not to use VTP.
  • What sort of logging that's required.
  • What spanning-tree requirements there are, placement of root switch and so forth.
  • Portchannels, how many links and what sort of load balancing methods will be used, this will depend on the VMware ESX server setup.

Here's a picture I took for the fun of it. (Sorry about the quality (iPhone camera really sucks)).

I hope I can get some of the questions answered shortly (at all). The company is not very specific when it comes to implementation details.

I am still jotting down ideas on what to include in my study plan for the lab exam. I got tons of ideas, but they need to come down into a condensed form. I will of course post both the ideas and their final form.

Have a great day!

Update:

Here's a picture of the home-made patch panel I made to convert from LC to SC / SC to LC, so I could test out the fiber connection since the real patch panels are already mounted in Estonia.

Basecamp reached.

Lately I haven't been keeping up my chores on the blog. There's a good reason for this.

I have really been studying hard to do the written exam again. Done lots of practice tests, a lot of technology focused labs, especially on some edge areas where I wasn't 100% sure of things, and especially a lot of Cisco documentation. Every time I reached a snag I looked up the documentation from Cisco and read through what it was supposed to do and how.

All this results in having passed the CCIE (R&S) written exam (version 3 blueprint), which is what I wanted to do before the switchover to the new version 4 blueprint in October. Now of course I can't do the version 3 lab exam, simply not enough time to prep and I doubt there are any seats left.

Now the new goal, is to have a lab shot sometime next year, probably around summertime on the new version 4 lab exams.

To that extent I need a few new items:

  • Another 3550 switch.
  • More books on MPLS.
  • A few more routers.
  • Quite a few more NICs.

I know that the new blueprint uses only 3560 switches, but I simply can't afford any more of these. They are way overpriced as they are still used and sold. They are more than $1000 as far as I can see. Money I would rather spend on other equipment (like a new laptop). So I am aiming for another 3550 switch which will do 98% of the stuff required anyways. There are a few settings on the 3560 that are different from the 3550, such as the setting on trunks (auto compared to desirable on the 3550).

As everyone that's going down this rabbit-hole knows, it's very costly financially (and mentally + socially). I need to start saving up for the items I need, as well as travel expenses and bootcamp costs. I also need to strike a balance between personal life and study time. I need more discipline in this area. I know from experience that once I set my mind to learn a topic, and if I don't quite get it, I will spend all my waking time figuring it out, no matter what social arrangements I have going on. This needs to be rectified somehow.

I am still physically exercising by playing basketball and taking long walks. I will need to turn up the knob on this and start running again. It simply gives you the edge you need for this sort of journey and will hopefully keep my illness from reappearing in full scale.

I will post something about my gameplan for prepping to the lab…

Advertising on wordpress.com?

Sorry for the lack of updates lately. I have been very busy with real-life things as well as reading a bunch of stuff.

Does anyone know if it is legal to advertise on wordpress.com? I can't find any guidelines regarding this in the terms of service. Also, if it IS legal, how do you do it? I have been searching around and can't find any widgets that allow me to insert an advertisement.

Regarding the real life stuff. We now have two apartments, at least until the end of January. This means I will be spending most of my time in the big city, but in a very small apartment. But hey, that's how life throws you a curve-ball once in a while.