Wednesday, June 11, 2008

IPv4 Multicast cheat sheet

Useful:

http://www.packetlife.net/blog/2008/jun/9/ipv4-multicast-cheat-sheet/

Tuesday, April 08, 2008

Putty - but better

Most people will likely have come across PuTTY, the open-source terminal emulator. It's quick, easy and pretty much ubiquitous in its ability to reach devices.

One annoyance is that it is a single-window application, so firing up multiple SSH or Telnet sessions creates lots of individual windows. In these tabbed-app days, that seems a bit Windows 95.

However, this somewhat stodgy way of working can now be relieved with the use of an application called PuTTY Connection Manager, which can fire up individual SSH or Telnet sessions as tabs. Additionally, your saved PuTTY sessions can be presented as a folder tree, which simplifies opening the individual sessions.

It still uses PuTTY as the underlying engine, but overlays the Connection Manager to give an easier working experience.

Saturday, March 01, 2008

How Not To Use BGP

When the Pakistani government took umbrage at YouTube and unilaterally decided to block its evil content from the innocent minds of the populace, some bright spark decided the best way would be for the Pakistani ISP(s) to hijack one of the YouTube IP prefixes, as advertised via BGP.

The result?
One of the biggest sites on the Internet blown out of the water, and millions of global web users sending their YouTube requests to the hapless Pakistani ISP(s).

An object lesson in how not to use BGP.

The RIPE site has an excellent technical brief on this...

http://www.ripe.net/news/study-youtube-hijacking.html

Friday, February 01, 2008

How to set up IAS to use RADIUS to authenticate Cisco devices

Rather than go out and buy the Cisco ACS server, and then have to set up a new user/device database, it's quite easy to use an existing Windows (Active Directory) user database.

The Cisco-preferred method is of course the Cisco ACS server and TACACS+ - nothing wrong with that; it works fine, is feature rich and is quite easy to set up and get going. The downside is that someone has to manage the ACS server (or appliance, if you go down that road) and maintain the user database (although it's possible to get the user data from AD...)

I reckon it's better to:

  • Utilise an existing user database, freeing up the network guys to do what they do best - networking stuff.
  • Let the server bods worry about looking after server stuff - the server itself, Windows updates, anti-virus, etc. etc.
  • Leverage something that comes free - in this case Windows IAS (Internet Authentication Service), thus saving dosh for more interesting things.

However, it's not all a bed of roses - this isn't really a scalable solution for dozens of devices. There's no way to wildcard RADIUS requests from your devices, so you need to add each router/switch/firewall/etc. to IAS individually, which can be a bit laborious.

So how to set it up?
Firstly, the Cisco device (I'll call them switches from now on, and assume that we're running Cisco IOS, not ye olde Catalyst OS) will be using RADIUS to authenticate, not TACACS+. This part is quite easy, as the commands to set up RADIUS authentication are pretty straightforward.

Secondly, we need to set up the Windows IAS server. This is less straightforward, as it involves lots of mouse clicking and menus. It works fine, but needs careful attention to detail.

I won't go through the whole "how to set up IAS" thing, because there are other sites out there that have already done this work. See links below:
Cisco AAA login with Radius (MS IAS)
How to setup IAS to use radius to authenticate Cisco device

In our organisation, we have several AD Domain Controllers - a pair at head office and a pair at our data centre. So I installed IAS on all four, and as the majority of our kit is located at head office, the head office pair authenticate access to head office kit, and the data centre pair authenticate access to kit at the data centre and remote sites.

To set up the Cisco side, the following commands should be entered from Exec mode:

aaa new-model
aaa authentication login default group radius local line
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
radius-server host [IP ADDRESS] auth-port 1812 acct-port 1813
radius-server host [IP ADDRESS] auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server timeout 2
radius-server key [SECRET KEY]
radius-server vsa send accounting
radius-server vsa send authentication

and on the CON & VTY lines, make sure you add:

login authentication default

And that's it. Test drive before you go live.
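A pre-flight check for the AAA block above, added here as an example and not from the original post: a small Python linter that parses IOS-style config text and flags the settings whose absence locks you out when the RADIUS servers are unreachable or misconfigured (no local fallback in the login method list, no radius-server key, CON/VTY lines without "login authentication default"). The sample config, its 192.0.2.x server addresses and the secret are constructed placeholders.

```python
# Constructed sample: the post's AAA block plus the CON and VTY stanzas.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local line
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813
radius-server key PLACEHOLDER_SECRET
line con 0
 login authentication default
line vty 0 4
 login authentication default
"""

def parse_config(config):
    """Split IOS config text into global commands and per-'line' sub-commands."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and not raw.startswith("!"):
                global_cmds.append(raw.strip())
    return global_cmds, line_blocks

def lint_aaa(config):
    """Return a list of findings; an empty list means the config passes."""
    cmds, line_blocks = parse_config(config)
    findings = []
    if "aaa new-model" not in cmds:
        findings.append("aaa new-model missing")
    login = [c for c in cmds if c.startswith("aaa authentication login default")]
    if not login:
        findings.append("no default login method list")
    elif "local" not in login[0].split():  # methods are tried left to right
        findings.append("login list has no local fallback (lockout risk)")
    if not any(c.startswith("radius-server host") for c in cmds):
        findings.append("no radius-server host defined")
    if not any(c.startswith("radius-server key") for c in cmds):
        findings.append("radius-server key not set")
    for name, sub in line_blocks.items():
        if name.startswith(("line con", "line vty")) and "login authentication default" not in sub:
            findings.append(f"{name}: login authentication default missing")
    return findings
```

Run lint_aaa() over the output of "show running-config" before the go-live test; an empty list means every check passed.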

Wednesday, January 30, 2008

Dynamips, dynagen and GNS3

I've recently been playing around with these router emulators, and I can honestly say I've been impressed. I've tried the three above-mentioned applications in various combinations on differing platforms (Windows XP and Ubuntu Linux), and have had some degree of success in simulating a new project I'm currently working on.

In terms of application, dynamips and dynagen on both XP and Ubuntu are pretty solid. I've tested various platforms (7200, 2600, etc.) and various WAN and LAN scenarios and have been happy with the results.

GNS3 I've only played with on XP, and whilst it's extremely useful, I found it a bit buggy and crash-prone. But I guess it's early days for that application, so I won't be too harsh - and I've recommended it to colleagues to try out, which is a kind of endorsement.

What did this help me with? Well, we're in the process of moving from a single ISP to dual ISP configuration, each providing 100Mbps circuits, and we are therefore getting 'provider independent' IP address space and our own BGP ASN.

So I plotted out a scenario with two local internet routers, connecting to two separate ISP routers and an Internet mesh behind them. Internal BGP, external BGP, firewalling and dynamic failover of Internet. All tested on a single XP machine. It makes that test rig I built almost redundant...

Links:

Dynamips
Dynagen
GNS3