Archive

Category Archives for "Networking"

Cisco Ironport WSA with WCCP and IP Spoofing

Recently I had to set up a transparent proxy with the Cisco Ironport Web Security Appliance (WSA) using WCCP on a Catalyst 6500 with a Sup720, with IP spoofing and web cache ACLs enabled. As with many technologies, this turned out to be pretty simple, but I couldn't find it documented all in one place. Perfect blog fodder!

The network topology looked like this (simplified, but not by much):



Normally when you set up a transparent proxy with WCCP, the IP address of the proxy server is used as the source of the HTTP requests. The problem in this topology is that I wanted the real source address of the client to appear in the firewall logs. The IP spoofing feature on the WSA allows this to happen, but it requires configuring bidirectional WCCP redirection on the Cat6k. If this had been a Cisco ASA firewall, we could have enabled WCCP there and saved some trouble, but in this case the network was using a firewall from another vendor that didn't support WCCP.

One important thing to realize about WCCP on the Catalyst 6500 with the Sup720 is that WCCP egress redirection is done with software switching rather than in …

Cisco IP Phone switchport voice vlan and CDP

For quite a long time I was under the wrong impression that Cisco IP phones require a 'switchport voice vlan ' command on the switchport they connect to in order to show up in cdp neighbors. The 'sw voice vlan ' command associates an auxiliary VLAN, known as the VVID (voice VLAN ID), with the port for voice service. This VVID is handed to the phone during the cdp neighbor exchange.

I thought that if I didn't use 'sw voice vlan ' my phone would not show up as a cdp neighbor on the switch, but I was wrong. I set up the switchport as 'sw access vlan 80', where 80 was the voice VLAN, and the phone came up, registered, grabbed the right IP through DHCP and showed up in cdp neighbors.


I had to do this because of a Cisco Small Business SG300 switch that we had to install in one of the maintenance offices; it does not support the 'sw voice vlan id' command.

As always, comments and feedback much appreciated!

ASA 5515-X ASDM/SSH fix

If you are planning on installing a new Cisco ASA 5515-X, or any other ASA from the 55X5-X line, running 8.6 or above, you might run into a situation where you cannot SSH into the ASA or access ASDM.

Start by verifying whether you have activated the 3DES license. If not, get the 3DES license key from the Cisco Product License Registration portal. Once Cisco emails you the activation key, console into your ASA and type 'activation-key ' in global configuration mode. This enables SSH version 2 on the ASA. You can verify it with 'show version' on the ASA by checking the status next to 'VPN-3DES-AES'.

Next, create a username and password as you normally would.

username admin password cisco encrypted privilege 15

Then allow SSH on the inside and/or outside interface for all or specific subnets, and configure SSH version 2.

ssh 10.0.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2

And finally allow LOCAL authentication.

aaa authentication ssh console LOCAL 

Next, you need to configure the SSL encryption ciphers on the ASA. Most browsers and SSH/Telnet clients will reject the cipher the ASA offers by default.

Cisco 4500-X


At a recent new install, I had the opportunity to configure a 4500-X switch for the data center. It is a good alternative to a Nexus 5000 if you want 10G uplinks and are tight on budget. Of course, you will miss out on vPC and FEX, which I consider the most important features of the Nexus switches in the data center. But if you have two 4500-X switches as redundant uplink switches, you can connect downstream devices such as UCS and SAN fabric over 10G uplinks.

Even though the 4500-X data sheets describe the switch as having 32 10G SFP+ ports, you have the option of using 1G or 10G GLC/SFP modules. I used a variety of copper and fiber modules to connect to routers, servers, switches and an ASA. The switch uses auto-negotiation to drop down to 1G for copper connections. This link lists all compatible hardware for the Cisco 4500-X switch.

I had to set up a temporary fiber connection between this switch and HQ, which routes to remote offices over MPLS. So for the time being, I set up an L3 port on the 4500 and configured basic static routing (ipbase does not support …

mDNS Gateway in the Cisco Wireless LAN Controller

I'm not sure why I've taken such an interest in mDNS, service discovery, and the Bonjour protocol, but I have. It probably has something to do with my not being able to use AirPlay at home for such a long time because, like any true network geek, I put my wireless devices on a separate VLAN from my home media devices. I mean, duh. So now I keep an eye out for different methods of enabling mDNS in the network, in anticipation of my own experience in my home network becoming one of my customers' experiences in their enterprise network.

Fixing iMessage on Hackintosh

In mid-December 2012 Apple shut down the Messages Beta for Lion, and soon after many hackintosh users started noticing issues with signing into iMessage. At some point, people far smarter than me managed to patch a little-used bootloader called Clover to allow us to log into iMessage, but Clover is young and still full of random issues. Honestly, it never liked the system ID on my partition, so I was never able to use it. But now it seems that someone has patched our widely used Chameleon bootloader! I've tested it on my own hackintosh, and many users are also reporting success.

The instructions are simple enough, and should only take you 3 minutes plus a reboot to implement and test!

  1. Download the following files to your hackintosh
  2. Execute the following commands:

     sudo mkdir /Extra/modules
     cd /Extra/modules
     sudo unzip ~/Downloads/FileNVRAM.dylib.zip
     sudo rm -rf __MACOSX
     sudo rm -rf ACPICodec.dylib

     If you have ACPICodec.dylib in your /Extra/modules folder, you need to delete it.

  3. Unzip the Chameleon installer and run it; make sure you install to your boot disk
  4. Reboot, and try to log in to iMessage

Hopefully this will take …

Wildcard mask – What’s the difference from subnet mask?

What is wildcard masking? A wildcard mask, like any other IP address, is basically a group of zeros and ones (0 and 1). In short, in a wildcard mask every one (1) means "I don't care about that position", and every zero (0) means "I care about that position in the binary address". Let's take an example where an access list with […]

IPv6 over AToM pseudowire

The purpose of this lab is to show the flexibility of the Layer 2 VPN technology AToM (Any Transport over MPLS), which allows service providers to smoothly transition the core network from legacy Layer 2 technologies to a single MPLS infrastructure ready for customer IPv6 transport. Customer transition from IPv4 to dual stack is as easy as adding […]

Nexgen Storage (Part 2) – Hardware Overview

Last week I did an overview of the performance-minded storage solution that Nexgen has put together. In summary, by using SSD-based read and write caching, with data moved in and out of the cache intelligently, we can get better performance than traditional disk arrays with slower disks, and fewer of them. I'd like to do a quick tour of the hardware for their low-end model, the n5-50. It's actually pretty straightforward, and the internals are interesting enough that I decided to take some pictures and discuss their role in the solution.

Quiz #4 – BGP over ISP

Your company has several offices, and each of them has a separate internet connection. The default route in each office points towards the ISP. Also, within each office you run iBGP using private AS numbers. You try to establish a BGP session between two offices, but the BGP session does not come up. Why?

Troubleshooting MAC-Flushes on NX-OS

An interesting client problem in one of our multi-tenant data centers came to my attention the other day. A delay-sensitive client noticed a slight increase in latency (20 ms) at very intermittent intervals from his servers in our data center to specific off-net destinations. The increase in latency was localized to the pair of Nexus […]

Blast from the past: 10 reasons why JUNOS is better than IOS

Preface

Back in late 2009 I wrote my first ever blog post. It must have been OK, because I got some comments, a few RTs on Twitter, and it made @Etherealmind's Internets of Interest. Since technicast.net is no longer around, I thought I would post it here for future reference.

10 Reasons JUNOS is better than IOS - 7th July 2009

Last week I started on the JNCIA Fast-Track course and I was very impressed. JUNOS is a very good platform and I was amazed at the features and felt compelled to write this down. Maybe Cisco could take some pointers for the next incarnation of IOS…

1. The Candidate Configuration – While IOS has only a running and a start-up configuration, JUNOS adds a candidate configuration to the equation. When you make changes, you make them to the candidate configuration. These changes must then be committed before they take effect. This means I can review all of my changes before applying them! (No more frantic Notepad copying and pasting.)

2. Handling of Multiple Shell Users – The candidate configuration also offers unique ways of handling multiple users who wish to edit a config. By default all users edit a common candidate …

Baby Bro, Part 2: Conditionals, Address Types

Bro has native types for addresses and networks, making it much easier to work with network data. Today's Baby Bro script shows global variable definition, the use of the address and subnet types, and a simple conditional:

# declaring global variables
# no need to put quotes around addr or subnet variable definitions
global ipv4_host: addr = 1.1.1.1;
global ipv4_net: subnet = 1.1.0.0/16;

event bro_init()
{
    if (ipv4_host in ipv4_net)
    {
        # addr and subnet types are autoconverted to strings with fmt
        print fmt("%s is in network %s", ipv4_host, ipv4_net);
    }
    else
    {
        print fmt("host %s is not in network %s", ipv4_host, ipv4_net);
    }
}

Running this from the CLI, we get the expected output:

jswan@so12a:~/bro$ bro addr_net_types.bro
1.1.1.1 is in network 1.1.0.0/16


Bro also has several interesting built-in functions for working with network data that we'll explore in upcoming posts. For now, we'll take a look at the mask_addr function, which lets you use Bro as an improvised subnet calculator. You can run a Bro …

Quiz #3 – NAT port redirection from inside to outside

As a network administrator, you've been asked to allow the internal clients to connect to a partner server 3.3.3.3 on port 12345. Unfortunately, you discover that your ISP blocks traffic on TCP port 12345 and allows only some well-known ports, including 8080. How do you implement this?