Sunday, February 28, 2010

Next challenge, BGP

After passing CCDA, my next adventure will be BGP. I'll use 2 sources, both of them recommended by my 2 colleagues who are CCIE holders.

- Internet Routing Architectures

According to my colleagues this is the BGP bible. I've been through the first 4 chapters, and I can't wait to finish it.

In the meantime I'll do some labs and troubleshooting using the book below (you should expect uploaded Dynamips files and diagrams here in the near future, unless I get extremely busy or lazy ;-) )

- Routing TCP/IP volume II

Jeff Doyle has a blog as well.

And of course I'll consult one of the best (if not the best) networking blogs, from BGP/MPLS guru Ivan.

I'll keep you posted on this, I'm sure. In the meantime, if someone stumbles across my messy blog and has found another place with BGP configuration tasks with solutions, please leave a comment.

Thank you!

First design exam, Cisco CCDA

Earlier this week I went for CCDA. It wasn't as easy as I expected, but I got somewhat lucky and was able to pass it with 87%. The passing score is around 82.5%.

There were a lot of questions from Security, Routing, VoIP, QoS and Wireless. An extensive amount of questions came from SONA and hierarchical design methods (Access / Distribution / Core layers). Some of the questions were tricky and took some 10 minutes of calculation before answering.

I would like to share the books that I've used for preparation for this exam:

- Top-Down Network Design

I've been through this book page by page. I've enjoyed every second spent on it, as it tries to teach you how to think before designing a topology. Also, the resources on the book's web page can be very helpful in the future. Highly recommended!

- CCDA Official Exam Guide

After the top-down book, I went through the Wireless and VoIP chapters from this book and briefly reviewed the routing part. In the last week before the exam, I went through the summary part of each chapter and used the quick reference guide:

- CCDA Quick Reference Sheets.

Make sure that you're very well prepared before sitting this exam. It is tricky, and it covers a lot of material.

Good Luck!

Tuesday, February 23, 2010

nat-control

There are times when you think that an access-list has some problem, and then you find out that the hit counts are increasing. You're almost sure that the traffic is passing, but you can't find the connection in the connection table? You check syslog and you find one of those beautiful syslog messages:

%ASA-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

%FWSM-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%FWSM-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

Well, most probably you have nat-control enabled. You can verify it using the following command:

FWSM/CONTEXT# show runn nat-control
nat-control

Well, what is nat-control then? nat-control is a feature of the Cisco PIX/ASA and FWSM firewalls that enforces the classic PIX behaviour: when it is enabled, every connection MUST match a NAT rule (nat/global, static, or identity/exemption NAT) in order to pass through the firewall; the access-list is consulted, but a permitted packet with no matching translation is still dropped, which is why the hit counts go up while no connection is ever built. It is important to keep in mind that this also applies to traffic initiated from a HIGHER security-level interface (inside) towards a lower one (outside). The idea was to make the firewall safer by default: nothing gets out that you haven't explicitly written a NAT rule for. nat-control is disabled by default, so if you find it enabled, somebody turned it on deliberately (or it came along with a configuration migrated from PIX 6.x). The fix is either "no nat-control", or, if you want to keep the behaviour, an identity NAT or NAT exemption rule for the flows that are failing.
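As an added example (not from the original post), here is a small POSIX shell script that pulls the 305005/305006 messages out of a syslog dump and turns them into the pre-8.3 ASA / FWSM 3.x NAT exemption lines you would need if you decide to keep nat-control on. The log lines are constructed from the four messages above plus two extra lines; the ACL name NONAT is an assumption. The alternative fix, "no nat-control", is a one-liner and needs no script.

```shell
#!/bin/sh
# Constructed sample syslog: the four messages quoted above, one unrelated
# connection message and one more 305005 for a different host/protocol.
NAT_LOG='%ASA-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80
%ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80
%FWSM-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80
%FWSM-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80
%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.1.1.20/443 (10.1.1.20/443)
%FWSM-3-305005: No translation group found for udp src inside:10.1.1.30/53121 dst outside:198.133.219.25/53'

# nat_failures LOG: one line "proto src_if src_ip dst_if dst_ip" per distinct
# flow that failed for lack of a NAT rule. Ports are stripped: nat/static rules
# match on addresses, and the 305006 line is the same flow one port later.
nat_failures() {
    printf '%s\n' "$1" | awk '/-3-30500[56]: / {
        proto = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "src") { proto = $(i - 1); src = $(i + 1) }
            if ($i == "dst") { dst = $(i + 1) }
        }
        if (src == "" || dst == "") next
        sub(/\/[0-9]+$/, "", src); sub(/\/[0-9]+$/, "", dst)
        split(src, s, ":"); split(dst, d, ":")
        key = proto " " s[1] " " s[2] " " d[1] " " d[2]
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# nat_exemption_config LOG [ACL]: pre-8.3 ASA / FWSM 3.x NAT exemption
# ("nat (if) 0 access-list") that lets exactly these flows through with
# nat-control still enabled. ACL name NONAT is an assumption; review the
# output before pasting it into a firewall.
nat_exemption_config() {
    acl=${2:-NONAT}
    nat_failures "$1" | awk -v acl="$acl" '
        { hosts[$3 " " $5] = 1; ifs[$2] = 1 }
        END {
            for (h in hosts) {
                split(h, p, " ")
                printf "access-list %s extended permit ip host %s host %s\n", acl, p[1], p[2]
            }
            for (i in ifs) printf "nat (%s) 0 access-list %s\n", i, acl
        }'
}

# Demo: the distinct failing flows, then the exemption that would cover them.
nat_failures "$NAT_LOG"
nat_exemption_config "$NAT_LOG"
```

Feed it "show logging" or the syslog file for the context in question; the four messages from the story collapse into a single tcp flow, because the 305006 line is the retry of the same connection.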

Saturday, February 6, 2010

Going aside - Network Design

I've started to get more responsibility for proposing new solutions to our customer, not only related to security, so I've decided to go through some design books, and maybe attempt a design exam from Cisco as well.

About CCSE, I'll wait for Bobby's video to come out in February, and I think that should fill the gap needed for me to pass CCSE.

In the meantime, a few days ago, I came across this book. What I like about it is that it is not exam oriented, like certification guides, but more oriented to teaching you how to think as a designer.

Also, there are very useful resources on the author's book site.

For me now there are 2 paths:

1. CCSE, CCIE Security Written and CCIE lab.

2. CCDA, then BGP, a bit of voice, and then CCDP.

It will depend on what role I'll have in the future of the project. Anyway, I'm sure I'll enjoy both paths.

Thursday, February 4, 2010

Portchanneling, or how to bring the LAN down

I had a lot of fun doing LAN refresh implementations on site for our client over the last 18 months. Sites were somewhere between 100 and 700+ users, and the number of switches was from 5 to 40. Gathering information about their existing LAN and preparing the design and configuration is one thing; on-site implementation is something different, more challenging and more interesting.

Yesterday I found out that it is extremely easy to break such a LAN remotely. With 1 move we lost access to the core switch, the whole site was down for 5-10 minutes, and after reloading the core switch and re-configuring, everything was fine.

The task was to move a server from one VLAN to another, and to force that server to communicate with the site through the firewall installed on site. The routing function for the new VLAN is done by a UTM-1 Edge firewall, which is connected to the core switch. The server was connected to an access switch (the same one as the WAN router). I made a step-by-step explanation for my colleague who had to perform the task, and I made 1 mistake about port-channeling: I asked him to modify the physical interfaces instead of the port-channel interface.

As soon as he started with the change, I got a call from him that the site was down. I went to his PC and saw the PuTTY session with the last command entered: "switchport trunk allowed vlan add 201", as instructed. Everything was down, so we called the site, they confirmed that the site was down, and we asked for the switch to be reloaded. It took 5-10 minutes, and we checked the command reference for port-channeling in the meantime. One of the mistakes was that the switchport configuration was edited on the PHYSICAL interface, instead of the virtual PORT-CHANNEL (Po5) interface. After the reload my colleague added the new VLAN on the port-channel interface of the access switch first, and then added it on the port-channel interface of the core switch, and everything went ok (the physical interfaces' config got updated automatically, as expected). The change went fine, the server was migrated, and all the NATted connections towards the server were working as expected.

The "mystery" remained... why the heck did we lose access to the core switch? The core switch has a loopback interface, and even that was not reachable until the switch got rebooted. I was enlightened by one of our colleagues, a CCIE R&S holder.

On 158 of the 160 sites, the WAN router (provided by the ISP) is directly physically connected to the core switch. On 2 of the sites (I got this info today) the WAN router wasn't placed in the same room as the core switch, so there we use a port-channel bundling 4 or more Gigabit physical interfaces between the core switch and the "access" switch which is physically connected to the WAN router. Of course I didn't check whether this was the case. So the logical L3 diagram was: WAN->CORE---->ACCESS, but physically it was: WAN->ACCESS---->CORE. By breaking the port-channel between the core and access switch, we lost access to the core switch, as the core switch wasn't physically connected to the WAN router.

Lessons learned:

1. Verify the network diagram. Verify that the configuration of the device corresponds to the diagram. (This should take less than 10 minutes; you can find the outputs below.)

2. Check the command reference and/or examples in case you haven't done the task recently (e.g. adding a VLAN to a port-channel).

3. Do not make too many assumptions.

CORE#show ip route
S*   0.0.0.0/0 [1/0] via 10.122.134.1

CORE#show arp | inc 10.122.134.1
Internet  10.122.134.1   24   0000.0c07.ac01  ARPA   Vlan100

CORE#show mac address-table | inc 0000.0c07.ac01
100    0000.0c07.ac01    DYNAMIC     Po5

CORE#show int po5 | inc Members
  Members in this channel: Gi1/0/5 Gi1/0/6 Gi2/0/5 Gi2/0/6


CORE#show cdp nei Gi1/0/5
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port
ACCESS           Gig 1/0/5             120           S I      WS-C3750- Gig 1/0/1
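The outputs above are the manual version of lesson 1. As an added example (not the author's script), the following POSIX shell functions run the same chain over saved copies of those outputs: default route -> next-hop MAC -> switchport -> port-channel members, and then refuse a change on any physical interface that carries the management path. The show outputs are embedded as constructed samples taken from the listing above (one extra MAC-table entry added); interface and port-channel names are assumptions.

```shell
#!/bin/sh
# Constructed samples of the CORE outputs listed above (one extra MAC-table
# line added so the filter has something to ignore).
ROUTE='S*   0.0.0.0/0 [1/0] via 10.122.134.1'
ARP='Internet  10.122.134.1   24   0000.0c07.ac01  ARPA   Vlan100'
MAC_TABLE='100    0000.0c07.ac01    DYNAMIC     Po5
100    001a.2b3c.4d5e    DYNAMIC     Gi1/0/12'
PO_MEMBERS='  Members in this channel: Gi1/0/5 Gi1/0/6 Gi2/0/5 Gi2/0/6'

# default_gw ROUTE_OUTPUT: next hop of the static default route (S* 0.0.0.0/0).
default_gw() {
    printf '%s\n' "$1" | awk '$1 ~ /^S\*/ && $2 == "0.0.0.0/0" { print $NF }'
}

# gw_mac IP ARP_OUTPUT: MAC the switch has learned for that next hop.
gw_mac() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == "Internet" && $2 == ip { print $4 }'
}

# gw_port MAC MACTABLE_OUTPUT: switchport (physical or Po) behind that MAC.
gw_port() {
    printf '%s\n' "$2" | awk -v mac="$1" '$2 == mac { print $4 }'
}

# po_members PO_OUTPUT: one member interface per line.
po_members() {
    printf '%s\n' "$1" | awk -F': ' '/Members in this channel/ {
        n = split($2, m, " "); for (i = 1; i <= n; i++) print m[i] }'
}

# uplink_ports ROUTE ARP MACTABLE PO_MEMBERS: the physical interfaces the
# default route really leaves on, i.e. the ones you must not touch remotely.
uplink_ports() {
    gw=$(default_gw "$1")
    mac=$(gw_mac "$gw" "$2")
    port=$(gw_port "$mac" "$3")
    case "$port" in
        Po*) po_members "$4" ;;
        ?*)  printf '%s\n' "$port" ;;
    esac
}

# guard_change IFACE ROUTE ARP MACTABLE PO_MEMBERS: return 1 when IFACE is one
# of the uplink members; the edit belongs on the Port-channel interface.
guard_change() {
    iface=$1; shift
    for p in $(uplink_ports "$@"); do
        if [ "$p" = "$iface" ]; then
            printf 'REFUSE: %s carries the default route; configure the Port-channel instead\n' "$iface"
            return 1
        fi
    done
    return 0
}

# Demo: the change from the story (edit on a member port) is refused; the
# same change on an unrelated access port or on Po5 itself goes through.
for target in Gi1/0/5 Gi1/0/12 Po5; do
    if guard_change "$target" "$ROUTE" "$ARP" "$MAC_TABLE" "$PO_MEMBERS"; then
        printf 'ALLOWED: %s\n' "$target"
    fi
done
```

Paste the real outputs of the four show commands into the variables before a remote change; if the next-hop MAC sits behind a Po interface, the diagram is wrong whenever it shows the WAN router on the core.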

Tuesday, February 2, 2010

Change password on non-admin user in SPLAT

Unbelievable, but true.

On SPLAT, the passwd command is aliased by Check Point to change ONLY the expert password :-)

Do not try to use "passwd <username>", as that won't do the job :-)

[Expert@nd00001]# passwd
Enter new expert password:
[Expert@nd00001]# passwd user
Enter new expert password:

After a bit of scratching my head I got this:

[Expert@nd00001]# which passwd
alias passwd='/bin/expert_passwd'
        /bin/expert_passwd
[Expert@nd00001]# more /bin/expert_passwd

******** /bin/expert_passwd: Not a text file ********

Luckily the good old passwd is still there in /usr/bin/:

[Expert@nd00001]# /usr/bin/passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

This strangely reminds me of the good old "su" hack (a trojan su placed in a directory that comes earlier in PATH). The lesson learned from that hack is: "Make sure you ALWAYS use the full path to your binaries!!!" The same goes for aliases and shell functions: "command passwd" or "\passwd" would also have got past the alias here, but the full path is the only spelling that beats a trojan earlier in PATH as well.

Check Point confirmed that in a bit of a strange way ;-)
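An added example, not from the original post: a POSIX shell check that tells you whether a command name actually resolves to the binary on $PATH or to something sitting in front of it (an alias like SPLAT's passwd, a function, a builtin, or a trojan dropped earlier in PATH, which is the "su" hack). The function named passwd in the demo is a stand-in for the SPLAT alias, because aliases are not expanded in non-interactive bash.

```shell
#!/bin/sh
# real_bin NAME: the first executable file called NAME on $PATH, found by
# walking PATH ourselves so that aliases, functions and builtins are ignored.
real_bin() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# shadowed NAME: exit 0 when typing NAME would run something other than the
# file real_bin found (an alias, function or builtin in front of it), exit 1
# when the name resolves to that file, exit 2 when no such file is on PATH.
shadowed() {
    bin=$(real_bin "$1") || return 2
    resolved=$(command -v "$1") || return 2
    [ "$resolved" != "$bin" ]
}

# report NAME: one line to read before running something sensitive as root.
report() {
    rc=0
    shadowed "$1" || rc=$?
    case $rc in
        0) printf '%-8s SHADOWED: "%s" resolves to [%s], file on PATH is %s\n' \
               "$1" "$1" "$(command -v "$1")" "$(real_bin "$1")" ;;
        2) printf '%-8s NOT FOUND on PATH\n' "$1" ;;
        *) printf '%-8s ok: %s\n' "$1" "$(real_bin "$1")" ;;
    esac
}

# Demo: a function standing in for SPLAT's alias passwd='/bin/expert_passwd'.
# Bypasses, weakest to strongest: \passwd skips aliases only, "command passwd"
# skips aliases and functions, /usr/bin/passwd skips everything, including a
# trojan binary earlier in PATH.
passwd() { printf 'Enter new expert password:\n'; }
for c in passwd ls sh; do report "$c"; done
```

Run it in the same shell you are about to type the command into (source it rather than executing it), otherwise the aliases of that shell are not visible to the check.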

Download backup from SmartCenter using SCP

SFTP didn't work on R62, so I decided to try SCP. I had to check CPUG in order to get this done :-)

Basically this is what you need to do:

1. Download PSCP

2. Edit the /etc/scpusers file, adding your username to the file, 1 user per line

3. Change the shell to /bin/bash for your user in /etc/passwd (this gives that account a full Linux login instead of the restricted cpshell, so do it only for the account you use for backups)

4. Restart the SSH daemon: "service sshd restart"

5. Use command similar to:

C:\Documents and Settings\USER\Desktop>pscp -scp
user@10.100.2.20:/var/CPbackup/backups/backup_hostname.domain.com_2_2_2010_10_47.tgz
F:\Provider\backup\backup_hostname.domain.com_2_2_2010_10_47.tgz
user@10.100.2.20's password:
backup_hostname.domain.com_2 | 236672 kB | 9466.9 kB/s | ETA: 00:02:15 |  15%

That's all!

P.S. Don't forget to check the md5 checksum after you've got that file transferred ;-)
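An added example (not from the post or from Check Point): the server-side steps 2 and 3 and the md5 check as idempotent POSIX shell functions. File paths are parameters so the functions can be exercised against copies first; /bin/cpshell as the restricted default shell and the sample passwd entry are assumptions. Restarting sshd (step 4) and the pscp transfer (step 5) stay as on the page.

```shell
#!/bin/sh
# scpusers_add FILE USER: allow USER for scp (FILE is /etc/scpusers on SPLAT).
# Appends once; running it twice does not duplicate the entry.
scpusers_add() {
    file=$1; user=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF "$user" "$file" || printf '%s\n' "$user" >> "$file"
}

# set_login_shell PASSWD_FILE USER SHELL: replace the 7th field of USER's
# entry (the page's step 3, done with awk instead of a hand edit). Other
# entries are written back unchanged.
set_login_shell() {
    pwfile=$1; user=$2; shell=$3
    tmp="$pwfile.$$"
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' \
        "$pwfile" > "$tmp" && mv "$tmp" "$pwfile"
}

# login_shell PASSWD_FILE USER: read the shell back, for verification.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# enable_scp_user USER SCPUSERS_FILE PASSWD_FILE: steps 2 and 3 together.
# Assumption: the account starts with SPLAT's restricted /bin/cpshell. It
# ends with /bin/bash, i.e. a full Linux login, so do this only for the
# account you use for backups.
enable_scp_user() {
    scpusers_add "$2" "$1"
    set_login_shell "$3" "$1" /bin/bash
    [ "$(login_shell "$3" "$1")" = /bin/bash ]
}

# verify_md5 FILE EXPECTED: compare with the value of
# "md5sum /var/CPbackup/backups/<file>" taken on the SmartCenter beforehand.
verify_md5() {
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Demo on copies, never on the live files.
WORK=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:500:500::/home/user:/bin/cpshell\n' > "$WORK/passwd"
enable_scp_user user "$WORK/scpusers" "$WORK/passwd" && cat "$WORK/scpusers" "$WORK/passwd"
rm -rf "$WORK"
```

On the real box the call is enable_scp_user user /etc/scpusers /etc/passwd followed by "service sshd restart"; after the pscp download, verify_md5 against the checksum you noted on the server tells you whether the 236 MB actually arrived intact.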