dimanche 17 mai 2015
jeudi 14 mai 2015
Ping vs. Traceroute vs Pathping
One of the biggest misconceptions of all time in networking is the use of a traceroute to determine that your communication with a server has high latency. On windows, traceroute is the same command as tracert.
Many people beleive that when they see high latency such as 250ms+ in a single hop of a trace-route that it means that that device in the transit path is responsible for the degraded network performance when in fact it could not be more further from the truth.
First lets look at how ping works.
PING, is an application based on the ICMP protocol which is used to send echo packets to a destination and expecting to receive an echo response and it calculates the RTT (Round Trip Time) from when the packet was sent to when the echo response was received. Generally when using PING on a LAN network you can trust that what it is saying is accurate unless you have foreknowledge of network devices in the transit path that prioritize ICMP over mission critical TCP/UDP Traffic. This however is very common in networks that utilize unified communications, meaning voice and data on the same network. This is because QoS Policies are put in place to ensure voice traffic and other mission critical traffic is prioritized over ICMP thus indirectly affecting the RTT time of an ICMP ping test.
Trace-route is another method commonly used by technicians and engineers to diagnosis latency in the transit path however any engineer that has studied how trace-route works would know that its results are nearly always misleading.
Trace-route works in a manner similar to ping however it uses the TTL feature to make each successive hop in the transit path respond with an ICMP TTL Expired packet. Thus gives you the ability to determine which network devices the ICMP packet is traversing.
When you dig deeper into the operation of traceroute you will see that traceroute utilizes 3 probe packets for each successive hop by default unless you specify other wise. Each probe packet indirectly measures the latency between the source and the device where the TTL is declared expired. This latency calculation is a by product of its true intended purpose. Keep in mind even if you send probes to a device that is five hops away, random latency spikes in any four devices prior to the fifth hop can result in the fifth hop looking like it has high latency.
Also note that any Control Plane Policing policy enforced on any device in the transit path could result in ICMP being prioritized to the control plane of the transit device. ICMP is processed switched by most devices whereas TCP/UDP is express forwarded.
An example below of a traceroute on Windows 7;
C:\>tracert www.google.com -dTracing route to www.google.com [74.125.225.113]over a maximum of 30 hops: 1 1 msYou can see from the trace route shown above that there is 3 probes per hop between the source and destination and that it does not appear to have latency until traffic traverses 64.69.97.217
The whole point of this blog is to teach you how to interpret such data. Just because you see a spike in latency on the 5th hop does not mean that the 5th hop is causing latency. It can easily mean that the control plane in the device on the fifth hop is under marginal load and that the processor does not respond to the ICMP immediately due to other processes with priority.
Just because you see potential latency with trace-route, you should never expect that to be an accurate representation of latency for TCP/UDP traffic because ICMP and TCP/UDP traffic is treated completely different when it comes to the routers control/forwarding planes.
Most ISP’s use control-plane policing (CoPP) to prevent overwhelming ICMP flooding to a devices control plane. This type of flood prevention mechanism can also result in skewed data in trace routes.
Shown below is a simple CoPP Policy which can result in skewed trace route data.
!class-map match-all Catch-All-IP match access-group 124class-map match-all Management match access-group 121class-map match-all Normal match access-group 122class-map match-all Undesirable match access-group 123class-map match-all Routing match access-group 120!policy-map RTR_CoPP class Undesirable police 8000 1500 1500 conform-action drop exceed-action drop class Routing police 1000000 50000 50000 conform-action transmit exceed-action transmit class Management police 100000 20000 20000 conform-action transmit exceed-action drop class Normal police 50000 5000 5000 conform-action transmit exceed-action drop class Catch-All-IP police 50000 5000 5000 conform-action transmit exceed-action drop class class-default police 8000 1500 1500 conform-action transmit exceed-action transmit!access-list 120 permit tcp any gt 1024 10.0.1.0 0.0.0.255 eq bgpaccess-list 120 permit tcp any eq bgp 10.0.1.0 0.0.0.255 gt 1024 establishedaccess-list 120 permit tcp any gt 1024 10.0.1.0 0.0.0.255 eq 639access-list 120 permit tcp any eq 639 10.0.1.0 0.0.0.255 gt 1024 establishedaccess-list 120 permit tcp any 10.0.1.0 0.0.0.255 eq 646access-list 120 permit udp any 10.0.1.0 0.0.0.255 eq 646access-list 120 permit ospf any 10.0.1.0 0.0.0.255access-list 120 permit ospf any host 224.0.0.5access-list 120 permit ospf any host 224.0.0.6access-list 120 permit eigrp any 10.0.1.0 0.0.0.255access-list 120 permit eigrp any host 224.0.0.10access-list 121 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq telnetaccess-list 121 permit tcp 10.0.2.0 0.0.0.255 eq telnet 10.0.1.0 0.0.0.255 establishedaccess-list 121 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 22access-list 121 permit tcp 10.0.2.0 0.0.0.255 eq 22 10.0.1.0 0.0.0.255 establishedaccess-list 121 permit udp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq snmpaccess-list 121 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq wwwaccess-list 121 permit udp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 443access-list 121 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq ftpaccess-list 121 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq ftp-dataaccess-list 121 permit udp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq syslogaccess-list 121 permit udp 10.0.3.0 0.0.0.255 eq domain 10.0.1.0 0.0.0.255access-list 121 permit udp 10.0.4.0 0.0.0.255 10.0.1.0 0.0.0.255 eq ntpaccess-list 122 permit icmp any 10.0.1.0 0.0.0.255 echoaccess-list 122 permit icmp any 10.0.1.0 0.0.0.255 echo-replyaccess-list 122 permit icmp any 10.0.1.0 0.0.0.255 ttl-exceededaccess-list 122 permit icmp any 10.0.1.0 0.0.0.255 packet-too-bigaccess-list 122 permit icmp any 10.0.1.0 0.0.0.255 port-unreachableaccess-list 122 permit icmp any 10.0.1.0 0.0.0.255 unreachableaccess-list 122 permit pim any anyaccess-list 122 permit udp any any eq pim-auto-rpaccess-list 122 permit igmp any anyaccess-list 122 permit gre any anyaccess-list 123 permit icmp any any fragmentsaccess-list 123 permit udp any any fragmentsaccess-list 123 permit tcp any any fragmentsaccess-list 123 permit ip any any fragmentsaccess-list 123 permit udp any any eq 1434access-list 123 permit tcp any any eq 639 rstaccess-list 123 permit tcp any any eq bgp rstaccess-list 124 permit tcp any anyaccess-list 124 permit udp any anyaccess-list 124 permit icmp any anyaccess-list 124 permit ip any any!control-plane service-policy input RTR_CoPP!If you examine the CoPP policy in detail you will notice that all ICMP destined to the control plane is limited to 50000bps as shown below. It can bust up to 5000bps and if it conforms to the policy it is transmited, if it exceeds the policy the ICMP is dropped.
class Catch-All-IP police 50000 5000 5000 conform-action transmit exceed-action dropWith this in mind you should always use trace route for its intended purpose which is to determine the route traffic takes when traversing the transit path and that latency shown on the per hop probe basis is to be taken with at grain of salt when traversing public devices.
The intended purpose of the 3 probe count is to determine if the traffic traverses multiple routed paths due to route engineering, not to determine the latency 3 times.
I will conclude this blog with the pathping command. This command found on windows is a command similar to traceroute but it combines traceroute with ping to give you a better understanding of latency in the transit path.
Pathping works first by doing a traceroute to the destination then it uses ICMP to ping each hop in the transit path 100 times. This is used to verify latency between the source and destination via icmp echo per each hop. But remember what I said earlier, you cannot rely ICMP when public devices are involved. So you can run into cases where you see ICMP pings destined to one hop in the transit drop 40% of the traffic whereas the next hop has 100% success rate. This is due to CoPP.
Pathping in general is a much better tool to diagnosis latency from a specific source to destination with a relative degree of accuracy. Note that I said Relative, this is because latency is ALWAYS relative to your location on the network.
Shown below is an example of pathping in the works;
C:\>pathping www.google.com -nTracing route to www.google.com [74.125.225.116]over a maximum of 30 hops: 0 10.100.38.162 1 10.100.38.2 2 209.51.231.145 3 64.65.234.204 4 64.69.98.171 5 64.69.99.238 6 165.121.238.178 7 64.214.141.253 8 67.16.132.174 9 72.14.218.13 10 72.14.238.232 11 72.14.236.206 12 216.239.46.215 13 72.14.237.132 14 209.85.240.150 15 74.125.225.116Computing statistics for 375 seconds... Source to Here This Node/LinkHop RTT Lost/Sent = Pct Lost/Sent = Pct Address 0 10.100.38.162 0/ 100 = 0% | 1 1ms 0/ 100 = 0% 0/ 100 = 0% 10.100.38.2 0/ 100 = 0% | 2 0ms 0/ 100 = 0% 0/ 100 = 0% 209.51.231.145 0/ 100 = 0% | 3 4ms 0/ 100 = 0% 0/ 100 = 0% 64.65.234.204 0/ 100 = 0% | 4 6ms 0/ 100 = 0% 0/ 100 = 0% 64.69.98.171 0/ 100 = 0% | 5 22ms 0/ 100 = 0% 0/ 100 = 0% 64.69.99.238 0/ 100 = 0% | 6 10ms 0/ 100 = 0% 0/ 100 = 0% 165.121.238.178 0/ 100 = 0% | 7 34ms 0/ 100 = 0% 0/ 100 = 0% 64.214.141.253 0/ 100 = 0% | 8 37ms 0/ 100 = 0% 0/ 100 = 0% 67.16.132.174 0/ 100 = 0% | 9 35ms 0/ 100 = 0% 0/ 100 = 0% 72.14.218.13 0/ 100 = 0% | 10 --- 100/ 100 =100% 100/ 100 =100% 72.14.238.232 0/ 100 = 0% | 11 --- 100/ 100 =100% 100/ 100 =100% 72.14.236.206 0/ 100 = 0% | 12 --- 100/ 100 =100% 100/ 100 =100% 216.239.46.215 0/ 100 = 0% | 13 --- 100/ 100 =100% 100/ 100 =100% 72.14.237.132 0/ 100 = 0% | 14 --- 100/ 100 =100% 100/ 100 =100% 209.85.240.150 0/ 100 = 0% | 15 36ms 0/ 100 = 0% 0/ 100 = 0% 74.125.225.116Trace complete.C:\>As you can see from the pathping shown above there are some hops in the transit path that completely drop ICMP. You can also notice that the latency to hop 5 is higher then the latency is to hop 6. This shows that either Control Plane Policing is used on 64.69.99.238 or the process utilization on hop 5 is relatively higher.
You should know that there are other tools out there that are extremely useful when trying to diagnosis latency related problems. Most of these tools rely on ICMP and your decision to trust them is based on your understanding the transit path. One of these tools being Ping Plotter. There are several useful tools included in the Solarwinds Engineers Toolset however this toolset is extremely expensive. You can download a trial and check it out at Solarwinds Engineers Toolset
The most accurate tools depend on TCP however since TCP is a connection oriented protocol, both the source and destination must be willing to participate in the testing. Some tools are hardware based such as the Fluke Network EtherScope which cost several thousand dollars.
So in conclusion, your decision to trust and use data from ICMP based troubleshooting should be based on your relative understanding of the transit path. You should never take a traceroute that has high latency on it and say its a network issue just because hope 7 has latency greater then 250ms. This is no different the a doctor telling you your spleen is the result of your headaches without factual basis.
If you do not have clear factual data when diagnosing a problem and you blame the network because of a traceroute, you may very well be completely missing the root cause of the problem. Think of it as getting tunneled vision when sh!t hits the fan and management is expecting answers and the first thing you notice is high latency on a traceroute. With out completely understanding traceroute you may be fixating on an issue that is really not an issue at all.
Cisco ASA Pre-8.3 NAT & Post-8.3 NAT
When Cisco made changes to the Cisco ASA software in 8.3, it completely shook the ASA engineering community. Major changes overhauled the operating system in how the Cisco ASA handles Network Address Translation.
Even today, these changes still surprise people when upgrading from 8.2 to 8.3 or later and many people have a hard time understanding these changes. However, these changes are actually a good thing as it gives you more granular control over the NAT function(s) that your Cisco ASA performs.
I have compiled a list of differences as shown below to help you understand the configurational differences between pre-v8.3 and post-v8.3 NAT configurations.
First we will start with STATIC NAT which is translation from one IP Address on the outside interface (203.0.113.20) to an IP Address on the inside interface (10.1.1.6)
Regular Static NAT 8.2 & Earlier
static (inside,outside) 203.0.113.20 10.1.1.6 netmask 255.255.255.255Regular Static NAT 8.3 & Later
object network obj-10.1.1.6 host 10.1.1.6 nat (inside,outside) static 203.0.113.20Next up is the Static PAT where we translate port 80 on the outside interface IP Address of 203.0.113.20 to inside IP 10.1.1.15 port 8080.
Regular Static PAT 8.2 & Earlier
static (inside,outside) tcp 203.0.113.20 80 10.1.1.15 8080 netmask 255.255.255.255Regular Static PAT 8.3 & Later
object network obj-10.1.1.15 host 10.1.1.16 nat (inside,outside) static 203.0.113.20 service tcp 8080 wwwNow we’ll take a look at Static Policy NAT where if the host IP Address 10.1.2.3 attempting to get to the subnet 10.75.7.0/27 gets NAT’d to 192.168.100.100 on the outside interface.
Static Policy NAT 8.2 & Earlier
access-list NET1 permit ip host 10.1.2.3 10.75.7.0 255.255.255.224!static (inside,outside) 192.168.100.100 access-list NET1Static Policy NAT 8.3 & Later
object network obj-10.1.2.3 host 10.1.2.3object network obj-192.168.100.100 host 192.168.100.100object network obj-10.75.7.0 subnet 10.75.7.0 255.255.255.224nat (inside,outside) source static obj-10.1.2.3 obj-192.168.100.100 destination static obj-10.75.7.0 obj-10.75.7.0CCIE Poaching and Sniping…
The CCIE Certification is an extremely sought after certification not just from an engineering perspective but also a Company perspective. In order for any company to become a Silver or Gold Certified Partner with Cisco, they must have 2 CCIE’s full time for Silver and 4 CCIE’s full time for Gold. This requirement cannot be waived and this makes the CCIE valuable to companies because when companies have Silver or Gold partnership status they get certain benefits from Cisco such as discounts, access and etc…
If you just passed the CCIE Lab exam there are several things you should know prior to jumping into the job market looking for that big fish job offer. Many people go after the CCIE certification for the six digit paycheck, some people do it for personal goals and the big challenge and some people just do it just because they can. In any case there are two terms that you should know as a CCIE prior to job hunting and you should also know how to protect yourself from companies that want to leech on your talent and asset(s).
The Anti-Poaching clauses that Cisco have implemented into their policy causes some unintended problems in the industry when it comes to talent acquisition. Cisco has put in a clause to the CCIE agreement and Partnership agreement that gives companies the ability to continue to use your CCIE number for partnership status for 12 months after you leave a company. This clause is vague and does not specify any reasoning for your departure.
So with all that said lets take a look at the two most important things you should know as a CCIE when job hunting.
What is CCIE Poaching?CCIE poaching is an industry term used to define the method at which companies attempt to recruit CCIE engineers from other Cisco Certified Silver and Gold Partners with the intent of becoming a Cisco Certified Silver or Gold partner themselves. The Anti-Poaching clause was added to the partnership agreement stating that companies had the right to use the CCIE number of any engineer departing the company for a period of 12 months.
This type of language makes it impossible for companies to recruit CCIE’s from other companies for the sole purpose of the CCIE number. However, it does not prevent the recruiting of talent but it prevent the use of the CCIE number in a partnership status.
As a CCIE, the big part of getting a job is because you have the CCIE and companies want your CCIE number to use for partnership eligibility. While this is not always the case, its typically the case when it comes to companies paying extremely big bucks for a CCIE because its something that need, not because its something they want.
Some companies hire CCIE’s just because they need them to become a silver or gold partner. Silver and Gold Cisco Certified Partnership gives the company several benefits such as discounts. If a company can hire four CCIE’s at 600k a year and they save 10 million a year in hardware/software cost because of the partnership than it is stupid not to hire them right? The company would make money just by employing those people and having them sit on their ass watching television but of course managers would never allow that to happen because of the greedy nature of humans in general. Ultimately the company gets a huge deal by having the Cisco Partnership and the expert level talent at their disposal while effectively not paying a penny if they balance their business right.
What is CCIE Sniping?CCIE Sniping is a term loosely used in the industry when it comes to the involuntary termination of a CCIE. Because of the anti-poaching clause in the Partnership Agreement, there is nothing to protect the engineer from malpractice from companies who are greedy and just want to get a leg up in the industry.
So what is to prevent a company from hiring a freshly minted CCIE and using their CCIE number for the silver or gold partnership status, only to let them go after the partnership status as been established? Because of the Cisco agreement, the newly minted CCIE cannot use his CCIE number at another company for another 12 months thus this puts the CCIE in a bad position as it prevents him from obtaining any jobs that REQUIRE the CCIE certification. Indirectly this method devalues the CCIE certification and it’s the fastest way to piss off a CCIE.
It is because of this industry malpractice, you must protect yourself from greedy snipers.
IE Sniping is not a common practice in the United States however it does happen on occasion. This type of business malpractice is more common in developing nations. In any case you need to protect your digits.
How to protect your digits!If you have recently passed the CCIE Lab exam or you have the CCIE number that has never been registered with a partner then prior to accepting a job you need to ensure that there is protection in the employment agreement for your CCIE number.
For example, the easiest way to protect yourself is to ensure that the employment agreement states that the company will relinquish the use of the CCIE number for partnership status in the event of a non-performance related involuntary termination. This is the safest way to ensure that you’re number is not at risk if the company decides to terminate you because you don’t like the color blue or because they just want to save money. If this type of agreement does not exist than your CCIE number can be tied up for 12 months regardless of the termination reason.
You should note that this does NOT protect you if you are terminated for performance related reasons. Performance related termination is an extremely fine line and its best to have performance based termination defined in the employment agreement.
For example, just because you’re late to work, does not mean that you’re not meeting performance requirements. As long as you complete all work and achieve all work related goals on time than legally speaking you have met the conditions of the agreement.
This type of agreement also protects you against non-performance related terminations. For example you’re terminated for inappropriate language, sexual harassment, stealing, so on and so forth. Rather or not the company policy was the reason for your termination, it is not a valid reason for continued use of the CCIE number as set forth in the employment agreement based strictly on performance therefore the company would be legally required to relinquish the use of the CCIE number. While I would advise you never to break company policy because that is just common sense, there are many cases where people have said something that was offensive to others that could be classified as sexual harassment and could lead to termination. For example, telling a racist or dirty joke at work.
You would not want your company to terminate your position because of your performance and not give you a warning to correct your performance related issues. Before accepting any position that requires the CCIE certification, you should make sure that any performance based termination requires a 30 day written warning prior to termination in the employment agreement so you have the ability to correct your problems and meet performance expectations. If the company terminates you without warning because of performance related reasons then the company must immediately relinquish your CCIE number from the partnership. This plugs up the loophole that exist by the
You must look at your employment agreement as a legal document and as such you must protect your own ass as much as the next guy.
The safest way to protect your CCIE number is to require that upon termination, voluntary or involuntary, the Company is required to relinquish your CCIE number from any partnership status. This however may make it harder to get a job requiring the the risk to the employer is higher and it indirectly shows that you’re more concerned about yourself then the job opportunity however this is your decision and this should be negotiated at the time of the employment offer and prior to signing the employment agreement with any company.
Opengear and the Stub Lab
The Stub Lab is a fully functional Cisco Lab provided as a free service to the community by Free CCNA Workbook. All you need to do to gain access to a top notch Cisco Lab that has ISR’s, Multi-layer switches, Cisco ASA’s and more is sign up at the Stub Lab Schedule Portal and reserve lab time. When your lab time comes you can log into the lab devices remotely using Telnet and have access to real Cisco hardware to perform educational labs on for the purposes of obtaining Cisco certifications.
For years though Free CCNA Workbook has received countless emails requesting information on how the Stub Lab operates. How does Free CCNA Workbook provide free lab time? How does the Schedule Portal work? How do you detect abusive commands and kick users from the lab? This blog entry is going to be very helpful for anyone looking to build their own publicly accessible Cisco Lab.
This blog entry will address all the questions previously asked regarding how all this cool stuff works… So lets get started shall we?
Stub Lab Schedule PortalFirst, lets start off with the Schedule Portal. The Stub Lab Schedule Portal is a custom designed PHP application that runs on top of RedHat 6 and integrates with MySQL and NET-SNMP. From the user perspective the schedule portal allows for users to register and set their timezone where they can then reserve lab time on the Stub Lab. When a user schedules a lab session the schedule portal then places that information into the back-end database for the schedule portal but also modifies the Free RADIUS database which also resides in MySQL.
Free RADIUS Controls the user authentication for the Stub Lab console server which is an OpenGear IM4216. Free RADIUS stores authentication information regarding the username, SHA1 password hash, date and time in which the lab session is permitted.
The back-end of the Schedule Portal, the Admin portal allows for more administrative control over the Lab operations. The Admin portal allows for staff members to control power for the device via SNMP, modify and/or delete schedule lab sessions, disable and/or delete user accounts and post announcements visible to everyone who logs into the portal.
Unfortunately Stub Lab Schedule Portal is a proprietary software development and is not available for free download.
Opengear Console Server OverviewThe Opengear IM4216 is the bread and butter of the Stub Lab. This console server manufactured by Opengear makes everything possible. One of the biggest limitations of the lab is to ensure that individuals that use the lab cannot perform specific commands that could be harmful to the lab such as format flash: or delete flash:/image.bin. Commands like this would make devices inoperable for other users and would require manual intervention to fix the problems created by users with malicious intent.
While the Stub Lab is free for anyone to use, there are individuals out there with malicious intent that want to ruin the lab experience for everyone else.
The Opengear Console server gives the ability to detect specific serial string patterns received by the Lab device and when received they will execute a specific function such as disconnect the user and run a script which will break the abusive command using the CTRL+C function then powering off the device.
Because the Opengear console server is based on linux, the console server can perform cron jobs which ultimately can execute scripts. From the Stub Lab’s perspective, a Cron job is executed once every 3 hours to disconnect all users and power off all devices to conserve electricity. Another cron job is executed 10 minutes before the end of each session warning users that are currently logged into the devices that the lab session will end in 10 minutes.
Another unique feature of the Opengear console server platform is the ability to control APC smart PDU’s which control the power to each lab device. This gives users of the lab the ability to power on and off devices remotely to perform password-recovery and any other lab that requires a power cycle. Once you log into the lab device, you can access the power menu by typing ~p. This will bring up a menu that looks like this;
Power Commands: O - Power ON P - Power OFF R - Power cycle off then on again s - Show current power status . - Exit power menu ? - Show this message[R1] Power >From this menu you can power control power to each lab device individually. To exit the power menu you would type period (.) and press enter.
Stub Lab Console Server Deep DiveSo now that you have a basic understanding of how the Stub Lab works, lets take a deep dive into the operations of the Opengear console server. In this section we will discuss how you can setup your very own Opengear Console Server to provide free public access to users around the world.
First we’ll start off with Serial Port and RPC Configuration then Bash scripting and followed by Auto-Response.
Serial Port and Remote Power Control (RPC) ConfigurationAfter you have configured the basics of the Opengear Console Server such as the IP Address, authentication, time settings (NTP) and so on you will the need to configure the Serial Ports. The Serial Port configuration gives you the ability to specify a Name on a per port basis and the operating parameters of each port such as the baud rate, data bits, parity, stop bits and flow control. Other parameters that can be configured in this section is the serial port operational mode. There are 5 modes that the port can operate in. The first “Console Server Mode” which is what you’ll use to access Lab devices allows for users to remotely access the console ports of a connected device remotely via TCP/IP using Telnet and/or SSH.
Device Mode, can be used to specify exactly what type of device is connected to the console server to allow for more advanced controls of the connected device such as a Battery Backup (USP), or Smart PDU, known as an RPC (Remote Power Controller) or an environmental sensor used to detect and report environmental statistics such as humidity and temperature.
SDT (Secure Desktop Tunneling) Mode if a feature developed by Opengear which allows for Secure desktop tunneling of VNC or RDP through the use of an SSH Tunnel over the internet to authenticated endpoints.
Terminal Server Mode gives the console server the ability to interconnect to a terminal server using the configured terminal type.
And lastly, Serial Bridged mode is used to bridge serial over TCP/IP and is commonly used in hospital environments where specialized label printers operate using Serial ports and not parallel or native TCP/IP.
When building your own Stub Lab you will be using the Console Server mode. If you have an APC 7901 or 7902 you can then use the Console Server to control the power to this device by configuring the RPC via SNMP in Network Host(s) first. Once you have defined the RPC Network Host you must then define the RPC Connection settings. This is where you’ll name the RPC and provide the SNMP community string and label the outlets. Shown below is a screenshot of the Network Host configuration page.
Once you have the RPC defined and configured you must then define each “Managed Device”. This is where you will pair up the Serial Port with the RPC Outlet. You must doe this for every device in the lab. Once completed you then have the ability to enable the “Power Menu” function on the Serial Port configuration page.
After all the configuration has been completed properly you’ll be able to control the power of each device independently through Telnet and/or SSH.
Auto-Response ConfigurationOne of the obstacles in the way of providing free access to a Cisco lab is the ability to prevent people from executing harmful commands such as format flash. Fortunately, Opengear gives you the ability to prevent users from executing commands using the “Auto-Response” function. The Auto-Response function is very powerful as in it has the ability to recognize serial pattern strings and execute a specific action once the string has been detected.
The Stub Lab makes use of this function by preventing users from executing abusive commands. When a user executes a command that is harmful to the lab environment, the console server will automatically disconnect the user immediately before they can continue to execute the command. After the user has been disconnected it will then execute a bash script which will be discussed in the next section which sends the CTRL+C command to the port which the user executed the abusive command on and finally powering off the device.
When it comes to the Stub Lab, the Auto-Repsonse is used to detect Rx (Receive data) serial strings and execute a function upon being triggered. Because all abusive commands when executed will prompt you for additional confirmation, we can use this to our advantage and trigger an action when detected by the console server. Below is a list of (Rx) strings that are used.
Abusive CommandRx StringDebug AllThis may severely impact network performance.Format OperationFormat operation mayErase Flash:Erasing the flash filesyIOS Upgrade AttemptSource filename \[.*\]:Delete BIN FileDelete filename \[.*\.bin\]\?Save File to FlashDestination filename \[(?!(running|startup)-config\]).*\?ASA Erase FlashErase operation may take a while. Continue\?No SVC Password RecoveryExecuting this command will disable password recWhen the Auto-Response is triggered based on Rx string detection it will execute a trigger function. On the stub lab, trigger executes a customized bash script that is provided in the next section. However the configuration of the trigger must pass an Argument to the bash script so the bash script knows which port the abusive command was executed on and can take action on that specific port only.
Provided below is a screenshot;
The Argument $AR_DEV_REF is a very special argument which passes the port configuration label into the bash script. You can of course pass your own defined arguments but this one is used to define which port the auto-response was triggered on.
Bash ScriptingBecause the Opengear console servers are built on top of Linux, you have the ability to execute Bash scripts which make the console extremely powerful. The Stub Lab makes use bash scripting to help with the management of the lab. Provided below is a summary of each script and the script its self to help you build your own stub lab.
The following script “abusive_cmd.sh” is used by the Auto-Response to send 3x CTRL+C’s to break any abusive command executed. This script also powers off the device.
#!/bin/sh#The $AR_DEV_REF variable feeds the #port info from the config location #config.ports.port# into $1#Strip down to just the port number get_port=$(echo $1 | sed 's/[^0-9]*//g')#Pad the 1-9 ports with a 0 number=`printf "%02d" $get_port`#Execute three CTRL+C to Cancel Command and display message.printf "\003\003" > /dev/port$number#Power Off Device After Command Canceledpmpower -r 172.16.28.8 -c private -o $get_port offUp next is the “10min_warning.sh” Script which executes a set of echo commands to all ports in the Bash array warning the user the lab session will end in 10 minutes;
#!/bin/bash### WHICH PORTS TO ECHO 10 MINUTE WARNING ON ###PORTS=( 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 );### EXECUTE LOOP TO ECHO WARNING ON EACH PORT IN $PORTS ARRAY ###for PORT in "${PORTS[@]}"doecho -en " ################################################### #### YOUR LAB SESSION WILL END IN 10 MINUTES #### #### PLEASE ERASE ALL LAB DEVICE CONFIGS #### ###################################################" > /dev/port$PORTdoneThe next script used is the “end_session.sh” script which will disconnect all current telnet and ssh sessions on the lab devices defined in the bash array.
#!/bin/bash### DEFINE WHICH PORTS TO EXECUTE SESSION TERMINATION ON ###PORTS=( 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 17 )### EXECUTE SESSION TERMINATION LOOP ON EACH PORT DEFIEND IN $PORTS ARRAY ###for PORT in "${PORTS[@]}"do### Find process ID(s) of pmshell for port, if any ###procs=`ps aux | grep pmshell | grep port$PORT | awk '{print $1}'`### KILL PIDS ###for pid in $procsdokill $piddonedone### EXECUTE KILL POWER SCRIPT ###/bin/sh /etc/config/scripts/kill_power.shThe “kill_power.sh” script which is used by the “end_session.sh” script makes use of the pmpower command on the Opengear to send an SNMP SET query to the RPC to turn off the outlet(s).
#!/bin/shpmpower -r 172.16.28.8 -c private -o 1 offpmpower -r 172.16.28.8 -c private -o 2 offpmpower -r 172.16.28.8 -c private -o 3 offpmpower -r 172.16.28.8 -c private -o 4 offpmpower -r 172.16.28.8 -c private -o 5 offpmpower -r 172.16.28.8 -c private -o 6 offpmpower -r 172.16.28.8 -c private -o 7 offpmpower -r 172.16.28.8 -c private -o 8 offpmpower -r 172.16.28.8 -c private -o 9 offpmpower -r 172.16.28.8 -c private -o 10 offpmpower -r 172.16.28.8 -c private -o 11 offpmpower -r 172.16.28.8 -c private -o 12 offpmpower -r 172.16.28.8 -c private -o 13 offpmpower -r 172.16.28.8 -c private -o 14 offpmpower -r 172.16.28.8 -c private -o 15 offpmpower -r 172.16.28.8 -c private -o 16 offThe next script which is executed automatically by the opengear console server when a user successfully authenticates to a lab device is the “/etc/config/pmshell-start.sh” script. This script is designed to prevent ROOT access to the console lines and it will also display a welcome msg and login banner to authenticated users;
#!/bin/sh################################################################## ## OPENGEAR CONSOLE SERVER (ver 3.10.0) PMSHELL START SCRIPT ## Published by: Matthew George, Free CCNA Workbook ## #################################################################### DECLARE VARIABLES ###PORT="$1"USER="$2"LABEL=$(config -g config.ports.port$PORT.label | cut -f2- -d' ')### PROHIBIT ROOT USER AUTHENTICATION ON CONSOLE PORTS ###if [ "$USER" == "root" ]; thenecho "Permission denied for Super User"exit 1fi### DISPLAY SWITCH BANNER PASSWORD WARNING AFTER AUTHENTICATION ###if [[ $PORT = [6-9] ]]; thenecho ""echo ""echo "####################################################################"echo "# #"echo "# WARNING: LEAVING PASSWORDS ON LAB SWITCHES WILL RESULT IN A BAN #"echo "# #"echo "####################################################################"fi### DISPLAY WELCOME AFTER AUTHENTICATION ###if [ -z "$LABEL" ]; thenecho ""echo ""echo "Welcome $USER, you are connected to Port $PORT"echo ""echo ""elseecho ""echo ""echo "Welcome $USER, you are connected to Port $PORT ($LABEL)"echo ""echo ""fiAnd the last script which is not really script is the CRONTAB configuration. The Stub Lab is provides free lab access using 3 hour sessions. Every 3 hours the CRON process will execute a script. First it will execute the “/etc/config/scripts/10min_warning.sh” script informing users that they have 10 minutes left before their lab session ends. Then once the lab session ends, it will execute the “/etc/config/scripts/end_session.sh” script which will disconnect the user from all lab devices and power off the entire lab to save energy.
### SESSION 1 ###50 2 * * * /etc/config/scripts/10min_warning.sh0 3 * * * /etc/config/scripts/end_session.sh### SESSION 2 ###50 5 * * * /etc/config/scripts/10min_warning.sh0 6 * * * /etc/config/scripts/end_session.sh### SESSION 3 ###50 8 * * * /etc/config/scripts/10min_warning.sh0 9 * * * /etc/config/scripts/end_session.sh### SESSION 4 ###50 11 * * * /etc/config/scripts/10min_warning.sh0 12 * * * /etc/config/scripts/end_session.sh### SESSION 5 ###50 14 * * * /etc/config/scripts/10min_warning.sh0 15 * * * /etc/config/scripts/end_session.sh### SESSION 6 ###50 17 * * * /etc/config/scripts/10min_warning.sh0 18 * * * /etc/config/scripts/end_session.sh### SESSION 7 ###50 20 * * * /etc/config/scripts/10min_warning.sh0 21 * * * /etc/config/scripts/end_session.sh### SESSION 8 ###50 23 * * * /etc/config/scripts/10min_warning.sh0 0 * * * /etc/config/scripts/end_session.shWith the following scripts provided you should have enough to get your own Opengear Console Server configured to allow for free remote access without having to worry about people screwing up your hardware.
While some of the scripts are not perfect, they are indeed functional and work as intended. I have however made a feature request to Opengear requesting that Opengear build a function that would allow for the console server to receive a RADIUS A/V Pair such as “Session-End” = “Date/Time” which would automatically execute a script in /etc/config/scripts/ to provide the functionality of allowing for more diverse lab session management without using the CRON function.
Our Appreciation!Last but not least, Free CCNA Workbook and on the behalf of all the registered users of the Stub Lab would like to thank Opengear for sponsoring the Stub Lab by providing us with a free Opengear IM4216. Without this gracious sponsor, free access to the Stub Lab would not be possible.
If you are interested in learning more about Opengear products such as the Console Server or Infrastructure Manager, please check out Opengear Products page. If you are interested in inquiring about products for educational classroom purposes you can reach out to the Opengear VP of Sales, Todd Rychecky at 303-346-6853. Please let him know that Matthew George from Free CCNA Workbook referred you.
How to make a T1 Crossover Cable
For years people have used the old and untrusty DB60 DCE to DB60 DTE cables to simulate WAN connectivity between Cisco Routers using WIC-1T modules; and what I mean by untrusty is that these cables have a tendency to go bad after you move them around a lot in a lab environment.
While the WIC-1T cards are extremely cheap, the DB60 DTE to DB60 DCE cables can cost anywhere between $5.00 to $15.00 each which can add up really fast in a lab that has more than 5 routers.
Another common alternative is to use the WIC-1DSU-T1 which is dirt cheap and supported in the older Cisco 1700, 2600, 3600 series routers however WIC-1DSU-T1 is NOT supported in the newer ISR routers such as the 1800, 2800 and 3800 Series. For the newer routers you’ll need the second generation card known as the WIC-1DSU-T1-V2 which can also be commonly found on eBay for under $10.00
As for the WIC-1DSU-T1-V2, it will also work in the older routers with the latest Cisco IOS software.
Shown below is a picture of the WIC-1DSU-T1-V2
The difference between the WIC-1T and the 1DSU cards is that the 1DSU cards have an integrated DSU and does not require an external box to be connected via synchronous serial. The 1DSU cards can be cabled using standard unshielded twisted pair cable (Cat3, Cat5, Cat6, etc..)
Unfortunately a simple ethernet cable will not magically make the WIC-1DSU-T1’s cards talk to each other because the pin-out schematic is different than a standard patch or crossover.
You can make your very own T1 crossover for pennies on the dollar however you will need 2 RJ-45 jacks, some Cat5 cable and a crimper tool; all of which can be picked up at your local hardware store such as Lowe’s, Home Depot, Ace Hardware, etc… (If you’re in the United States).
And now for a fun fact… The most common color you will see used for T1’s in the industry is either white or yellow.
Before you start, it’s a good idea to modify the RJ-45 Jacks a little bit. Using a small flat head screw driver or pocket knife remove pins 3, 6, 7 and 8 from the jack so that it looks like this;
This way only the wires that are needed to be connected to the T1 WIC card are actually connected. Other wires in the RJ45 connector are not used for anything and this will also help you easily identify the type of cable in the future. Keep in mind this is not a mandatory requirement to make the cable, its just good practice.
Once the RJ-45 connectors have been modified you can then proceed to building the cable, one side at a time of course. In a standard T1 cable, wires 1,2 and 3,4 will be swapped at each end of the cable looking like the following;
As for the color of the wires that go into pins 3, 6, 7 and 8; these can be any color you choose. Sometimes its easier to make the cable using certain colors in different spots.
Once the cable has been successfully crimped on both ends you can test it out between two WIC-1DSU-T1’s. If the cable was made correctly the CD (Carrier Detect) LED should light up on both WIC’s. At that point you can assign IP addresses to the serial interfaces and verify IP connectivity between the two WIC’s.
Below I have provided an example verification;
R1#show interface serial0/0Serial0/0 is up, line protocol is up Hardware is PQUICC with Fractional T1 CSU/DSU Internet address is 10.255.212.1/24 MTU 1500 bytes, BW 1536 Kbit/sec, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation HDLC, loopback not set Keepalive set (10 sec) Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1651 packets input, 107752 bytes, 0 no buffer Received 605 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 1661 packets output, 109224 bytes, 0 underruns 0 output errors, 0 collisions, 7 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out 3 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up R1#R1#ping 10.255.212.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.255.212.2, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msR1#Hope this blog was helpful ^_^ Please be sure to share!
Poll: Which WAN Interface Card (WIC) Do you prefer to use in your Cisco lab? WIC-1T WIC-2T WIC-1DSU-T1 WIC-1DSU-T1-V2View Results
Loading …
WAN Technologies and Link Speed Charts
The following blog has been compiled to provide information for the different type(s) of WAN Technologies. Keep in mind that Ethernet is a fast growing WAN technology with companies moving to deploy VPLS, MPLS and TLS Circuits for WAN connectivity. As a Cisco network engineer you will still encounter legacy WAN connections.
Digital Subscriber Line (DSL) technologies are fairly common in the United States and other developing nations that provide broadband to customers over existing telephone wire infrastructure. The is however the limitation of distance which basically means the subscriber can be so far from the DSLAM (DSL Access Multiplexer) which is commonly known as the “central office”.
Common NameStandards NameDownstream RateUpstream RateExt. DownEst. UpaDSLG.992.1 G.DMT12Mbit/s1.3Mbit/s1.5MB/s166KB/saDSL+ITU G992.4/524Mbit/s1.0Mbit/s3MB/s128KB/sHDSLG.991.12.048Mbit/s2.048Mbit/s262KB/s262KB/sSHDSLG.991.22.265Mbit/s2.265Mbit/s290KB/s290KB/sVDSLG.933.152Mbit/s19.2Mbit/s6.5MB/s2MB/sVDSL2G.991.2250Mbit/s250Mbit/s21.25MB/s21.25MB/sIDSLANSI T1.601144Kbit/s144Kbit/s18KB/s18KB/sRADSL*ANTI TR598Mbit/s8Mbit/s1MB/s1MB/sNOTE: Bandwidth is shown at maximum theoretical speed using the latest standard.*RADSL – Rate-Adaptive Asymmetric Digital Subscriber Line – Adjusts the upstream/downstream bandwidth in a tradeoff.Integrated Services Digital Networks (ISDN)
ISDN Lines have seen their glory in the 90’s and is now considered a legacy technology however you may encounter this technology in third world countries where the hardware is extremely cheap to acquire and deploy.
Link TypeLink BandwidthEst. ThroughputAdditional InformationBRI128Kbit/s16KB/s2x 64Kb B Channels & 1x 16k D ChannelPRI – NA (AKA: T1)1.544Mbit/s197KB/s23x 64Kb B Channels & 1x 64k D ChannelPRI – EU (AKA: E1)2.048Mbit/s262KB/s30x 64Kb B Channels & 1x 64k D ChannelT CarriersLink TypeLink BandwidthEst. ThroughputAdditional InformationT1 (DS1)1.544Mbit/s197KB/s24 DS0 ChannelsE1 (DS1EU)2.048Mbit/s262KB/s30 Channels + 2DT1c (DS1c)3.152Mbit/s403KB/s48 ChannelsT2 (DS2)6.312Mbit/s808KB/s96 Channels (uncommon)T3 (DS3)44.736Mbit/s5.59MB/s672 ChannelsT4 (DS4)274.176Mbit/s34.3MB/s4032 ChannelsOptical CarriersLink TypeLink BandwidthEst. ThroughputAdditional InformationOC-1 / STS-151.84Mbit/s6.48MB/sOC-3 / STS-3155.52Mbit/s19.44MB/sOC-9 / STS-9*466.56Mbit/s58.32MB/sOC-12 / STS-12622.08Mbit/s77.76MB/sOC-18 / STS-18*933.12Mbit/s116.64MB/sOC-24 / STS-24*1244.16Mbit/s155.52MB/sOC-36 / STS-36*1866.24Mbit/s233.28MB/sOC-48 / STS-482488.32Mbit/s311.04MB/sUsed in USAOC-96 / STS-96*4976.64Mbit/s622.08MB/sOC-192 / STS-1929953.28Mbit/s1.24GB/sInternet BackboneOC-256 / STS-25613.271Gbit/s1.659GB/sInternet BackboneOC-768 / STS-76839.813Gbit/s4.977GB/sInternet BackboneOC-3072 / STS-3072159.252Mbit/s19.44GB/sNOTE: * Several of the listed links are not standardized and/or commonly used including 9, 18, 24 and 36.Building an IPSEC GRE Tunnel
So there is a little bit of confusion on the interwebz when it comes to understanding an IPSEC GRE tunnel. First off lets look at how it actually works.
GRE works by encapsulating IP traffic inside of an IP packet and sends it across the wire to its destination where it is decapsulated and the inner-packet is than routed. GRE is commonly used to bridge two routed domains over a network outside of your administrative control.
When using GRE over the public internet, security is a concern and therefore you would want to encrypt the traffic, this is where IPSEC comes in.
IPSEC GRE tunnels are GRE tunnels that are encapsulated inside of an IPSEC payload and sent across a public network. If you were to capture such traffic using Wireshark you would see only ESP (Encapsulating Security Payload) and not GRE as depicted below;
To get a better understanding this concept the following diagram should help;
Okay so how do I configure it?Now on to the fun part, configuration. First off lets take a look at the diagram we’ll be using to demonstrate this technology;
The following configuration demonstration was performed on the Stub Lab. If you like, you can also do this configuration on the Stub Lab which is a freely accessible Cisco Lab. All ya gotta do is sign up and reserve lab time!
First off we need to configure the INET router. This router will simulate the internet connectivity between the NYC and ATL routers. The following initial configuration has been provided to make this quickly achievable;
!####################################!# IPSEC GRE TUNNEL - INET ROUTER #!####################################!enableconfigure terminal!hostname INETno ip domain-lookup!interface Serial0/0/0 description Link to R2 Se0/1/0 ip address 198.51.100.33 255.255.255.252 no fair-queue no cdp enable no shut!interface Serial0/1/0 description Link to R1 Se0/0/0 ip address 203.0.113.129 255.255.255.252 no cdp enable no shut!interface FastEthernet0/0 shutdown!interface FastEthernet0/1 shutdown!line con 0 logging sync no exec-timeout!endNow we can go ahead and configure the basics on the NYC and ATL routers. We’ll setup a loopback interface on each router to simulate LAN connectivity and than EIGRP to route over the tunnel.
Router con0 is now availablePress RETURN to get started.Router>enableRouter#config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname NYCNYC(config)#no ip domain-lookupNYC(config)#interface Loopback0NYC(config-if)#description Simulated LAN ConnectionNYC(config-if)#ip add 10.1.0.1 255.255.255.0NYC(config-if)#exitNYC(config)#interface Serial0/0/0NYC(config-if)#description Link to InternetNYC(config-if)#ip address 203.0.113.130 255.255.255.252NYC(config-if)#exitNYC(config)#router eigrp 1NYC(config-router)#no auto-summaryNYC(config-router)#network 10.1.0.1 0.0.0.0NYC(config-router)#exitNYC(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.129NYC(config)#Router con0 is now availablePress RETURN to get started.Router>enableRouter#config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname ATLATL(config)#no ip domain-lookupATL(config)#interface Loopback0ATL(config-if)#description Simulated LAN ConnectionATL(config-if)#ip add 10.2.0.2 255.255.255.0ATL(config-if)#exitATL(config)#interface Serial0/1/0ATL(config-if)#description Link to InternetATL(config-if)#ip address 198.51.100.34 255.255.255.252ATL(config-if)#exitATL(config)#router eigrp 1ATL(config-router)#no auto-summaryATL(config-router)#network 10.2.0.2 0.0.0.0ATL(config-router)#exitATL(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.33ATL(config)#Now that the basic config is out of the way we can now setup the basic GRE tunnel interface and enable EIGRP routing on the tunnel interface which should allow the two simulated LAN segments to communicate with each other unencrypted over the public internet.
NYC(config)#interface Tunnel0NYC(config-if)#description IPSEC GRE TUNNEL TO ATLANTANYC(config-if)#ip address 10.12.0.1 255.255.255.0NYC(config-if)#tunnel source Serial0/0/0NYC(config-if)#tunnel destination 198.51.100.34NYC(config-if)#exitNYC(config)#router eigrp 1NYC(config-router)#network 10.12.0.1 0.0.0.0NYC(config-router)#exit%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.12.0.2 (Tunnel0) is up: new adjacencyNYC(config)#exitNYC#%SYS-5-CONFIG_I: Configured from console by consoleNYC#ATL(config)#interface Tunnel0ATL(config-if)#description IPSEC GRE TUNNEL TO ATLANTAATL(config-if)#ip address 10.12.0.2 255.255.255.0ATL(config-if)#tunnel source Serial0/1/0ATL(config-if)#tunnel destination 203.0.113.130ATL(config-if)#exitATL(config)#router eigrp 1ATL(config-router)#network 10.12.0.2 0.0.0.0ATL(config-router)#exit%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.12.0.1 (Tunnel0) is up: new adjacencyATL(config)#exitATL#%SYS-5-CONFIG_I: Configured from console by consoleATL#Now that a basic GRE tunnel has been established, we can verify the operational status of the tunnel by pinging the other end.
NYC#ping 10.12.0.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.12.0.2, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 msNYC(config)#Also you should have noticed that the NYC and ATL became EIGRP neighbors and you should now have the ability to ping Atlanta’s simulated LAN segment from New York as demonstrated below;
NYC#ping 10.2.0.2 source loopback0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:Packet sent with a source address of 10.1.0.1 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 msNYC#Now we’re ready to configure the IPSEC portion of the IPSEC GRE tunnel. First you must define an ISAKMP policy. ISAKMP policies are used to define the phase 1 negotiations of an IPSEC tunnel. When it comes to IPSEC GRE, the ISAKMP policy is very simple. The policy must be defined on both routers.
NYC#config terminalNYC(config)#crypto isakmp policy 10NYC(config-isakmp)#authentication pre-shareNYC(config-isakmp)#exitNYC(config)#ATL#config terminalATL(config)#crypto isakmp policy 10ATL(config-isakmp)#authentication pre-shareATL(config-isakmp)#exitATL(config)#Next we need to need to define the pre-shared key on a per peer basis;
NYC(config)#crypto isakmp key 0 CISCO address 198.51.100.34ATL(config)#crypto isakmp key 0 CISCO address 203.0.113.130than we need to configure the transform-set which will actually be used to encrypt the data. For this demonstration we’re going to use AES128 and SHA hashing.
NYC(config)#crypto ipsec transform-set TRANS_IPSEC_GRE esp-aes esp-sha-hmac ATL(config)#crypto ipsec transform-set TRANS_IPSEC_GRE esp-aes esp-sha-hmacNext we’ll need to build the ipsec profile that will be applied to the GRE tunnel interface;
NYC(config)#crypto ipsec profile IPSEC_GRENYC(ipsec-profile)#set transform-set TRANS_IPSEC_GREATL(config)#crypto ipsec profile IPSEC_GREATL(ipsec-profile)#set transform-set TRANS_IPSEC_GREFinally once all the IPSEC configuration is completed we can assign the IPSEC profile to the tunnel interface as shown below;
NYC(ipsec-profile)#interface Tunnel0NYC(config-if)#tunnel protection ipsec profile IPSEC_GRENYC(config-if)#%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ONNYC(config-if)#^ZNYC#ATL(ipsec-profile)#interface Tunnel0ATL(config-if)#tunnel protection ipsec profile IPSEC_GREATL(config-if)#%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ONATL(config-if)#^ZATL#And now for the ultimate verification! We’ll ping the Atlanta simulated LAN segment (Loopback0: 10.2.0.2) from the NYC simulated LAN Segment (Loopback0: 10.1.0.1) and verify that the packets are being encrypted and decrypted by viewing the ipsec security-association;
NYC#ping 10.2.0.2 source loopback0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:Packet sent with a source address of 10.1.0.1 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 msNYC#NYC#show crypto ipsec sa peer 198.51.100.34interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 203.0.113.130 protected vrf: (none) local ident (addr/mask/prot/port): (203.0.113.130/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (198.51.100.34/255.255.255.255/47/0) current_peer 198.51.100.34 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79 #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 203.0.113.130, remote crypto endpt.: 198.51.100.34 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0 current outbound spi: 0xE15A5BAE(3780795310) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x67D027CC(1741694924) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2007, flow_id: NETGX:7, sibling_flags 80000046, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4590179/3282) IV size: 16 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xE15A5BAE(3780795310) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2008, flow_id: NETGX:8, sibling_flags 80000046, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4590178/3282) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:NYC#We have successfully build an IPSEC GRE tunnel that can route EIGRP between two locations over the internet securely. Post your comments and questions below!
Cisco IOS Radius Authentication with Windows Server 2012 NPS
Configuring Cisco devices to authenticate management users via RADIUS is a great way to maintain a centralized user management base. Traditionally this has been done using the Cisco Access Control Server (ACS) which of course is fairly expensive and is typically out of the price range for most small & medium sized businesses.
If you are like most businesses you may already have an Active Directory infrastructure deployed and thus you already have the necessary software and licenses required to setup a basic RADIUS server using Network Policy Server (NPS) which can be used to authenticate network administrators on your Cisco IOS equipment for management purposes. The main benefit you get from RADIUS authentication is a centralized management console for user authentication and the ability to control which users have access to the Cisco CLI. So look at it this way; if your company hires or fires an employee than whatever changes are applied in Active Directory will take affect immediately. Such as disabling a user account in AD would result in failed authentication attempts for that username when attempting to log into a Cisco device. Also if you have a new employee, you can easily give their username access to Cisco network devices just by adding them into a Security Group in active directory.
This blog will discuss and demonstrate the configuration of Network Policy Server which is included with Windows Server 2008 and greater however will blog concentrate on Windows Server 2008 R2.
Active Directory ConfigurationFirst there are a few small task you must complete in Active Directory. You must create two Security Distribution Groups called Network Engineers and Network Support Technicians
Network Engineers will have level 15 privileges and thus have full read/write permissions to the Cisco Command Line interface after successfully authenticating to Cisco routers and Switches.
Network Support Technicians however will only have Read Only privileges.
Next you will need to assign users to these groups. For the purposes of this blog I have created two users, John Doe and John Smith.
John Doe (Username: jdoe) is a Network Engineer and John Smith (Username: jsmith) is a Network Support Technician. These users will be used to verify the configuration and operational status of NPS.
Once you have completed the basic Active Directory configuration you can move on to the NPS config. Please note that the Security Groups can be named whatever you like.
Windows Network Policy Server ConfigurationPrior to configuring NPS it must first be installed and authorized in Active Directory. To install NPS add the “Network Policy and Access Services” role to your server.
After you have authorized NPS in Active Directory you’re ready to add the first RADIUS Client. To add the client you must expan the RADIUS Clients and Servers line and right click on RADIUS Clients and click “NEW”.
You’ll be prompted to enter the Friendly Name and Address, IP address and Shared Secret. Enter this information as required. For this blog we’re using R1 which had the IP address of 172.16.22.215 and the secret of CISCO as shown below;
Note that ND_ is used as a prefix to the device friendly name, this will be used later in the configuration of the NPS Policy which can identify network devices.
Next, click the Advanced Tab across the type and select “Cisco” as the vendor name from the drop down list and click ok;
If you added the client correctly you should see the client friendly name, IP address and other information listed in the RADIUS Clients section;
Now you’re ready to configure the network policy which will authenticate users in the specific active directory groups and grant them access.
to create a new policy you need to expand the Policies item in the left list and right click on “Network Policies” and click NEW.
You must enter a name for the policy, in this case we’re going to use “Network Engineers (Cisco LEVEL 15)”
After you have provided a policy name you must than configure the conditions which are required to match in order to successfully authenticate. You will need to create two conditions;
Configure a User Group to match the Network Engineers security group and the Client Friendly Name to match “ND_?” which denotes the device authenticating has a friendly name starting with ND_
Once you’ve successfully added these conditions you should see the following;
Click next and you’ll be prompted to specify the access permission, leave this as the default “Access Granted” and click next.
Cisco only supports the “Unencrypted authentication (PAP, SPAP) methods. Uncheck everything and check “Unencrypted authentication (PAP, SPAP) as shown below and click next;
After configuring the Authentication Methods you will be prompted to configure the Constraits, you can skip this section and just click next.
When prompted to configure settings, remove the Framed-Protocol and edit the Service-Type and set it to “Login” which is under “Others” as shown below;
Next you will need to add a Vendor Specific Attribute by clicking on “Vendor Specific” under the left side settings and clicking the Add… button
Scroll down the list and select “Cisco-AV-Pair” and click add. You will be prompted to add the Attribute Information, here you will click Add… and set the attribute value as shell:priv-lvl=15
This specifies which privilege level is returned to the authenticating user/device after successful authentication. For Network Engineers this would be shell:priv-lvl=15 and the Network Support Technicians would use shell:priv-lvl=1
When added successfully you should see the following;
After you click next you will be presented a summary of the new network policy that you just created as shown below;
Click finish and you’re ready co configure the Cisco Routers and Switches to authenticate to the NPS Radius Server. Please note that you will need to create another policy for the Network Support Technicians and any other privilege levels you wish to use.
Cisco IOS AAA ConfigurationThe very first thing we need to do prior to configuring AAA is to setup a local user account so that when the RADIUS server has failed, you have the ability to still log into the device. This is done using the username command as demonstrated below;
R1 con0 is now availablePress RETURN to get started.R1>enableR1#config terminalEnter configuration commands, one per line. End with CNTL/Z.R1(config)#username NORAD priv 15 secret R@du3F@1ledR1(config)#Now we can enable AAA new model and configure the radius server group and default authentication list as demonstrated below;
R1(config)#username NORAD priv 15 secret R@du3F@1ledR1(config)#aaa group server radius NPS_RADIUS_SERVERSR1(config-sg-radius)#server-private 172.16.22.228 auth-port 1812 acct-port 1812 key CISCOR1(config)#aaa authentication login default group NPS_RADIUS_SERVERS localR1(config)#aaa authorization exec default group NPS_RADIUS_SERVERS local if-authenticatedR1(config)#aaa authorization consoleINFO: Users will ONLY authenticate to the RADIUS servers if the RADIUS server is alive when defining the default aaa authentication list using group NPS_RADIUS_SERVERS followed by local. If you are attempting to log into the device using a local account and the Radius servers are accessable than it will reject the authentication unless the local account used to log in also exist in Active Directory and are member(s) of the Network Engineers or Network Support Technicians security group.
And that’s it for the basic Cisco IOS AAA config. You can however get into some more advanced configurations by using AAA list and applying a radius authentication list to the VTY lines and local authentication only to the console line.
VerificationNow for the fun part, verification. If you completed all the steps correctly you should be able to log in using the jdoe username and be automatically placed into privilged mode as demonstrated below;
And also if you configured the second policy for Network Support Technicians, you should be able to authenticate as jsmith and be placed into user mode as shown below;
If you have any questions or suggestions please comment 
Private Internet Access via L2TP IPSEC Cisco IOS Client
So with the NSA, the CIA and the FBI sucking up every bit they possibly can on the internet at countless locations around the world you wonder how could you possibly become anonymous on the interwebz? Of course it’s not just the United States Government that feels the need that you as an individual should sacrifice your liberty for security, this practice is becoming quite common all around the globe from the United Kingdom all the way down under in the land of the happy kangaroos (Australia of course). Just for the record I’m sure the kangaroo’s don’t give a shit because they don’t feel their privacy is violated.
As the world awakens to the vast over reach of Government around the globe people are looking for new and innovative ways to retain and/or regain their privacy. As a network engineer I wanted to share one of many methods I use to remain anonymous on the internet.
So first lets ask a big question. Why would you want to remain anonymous on the internet? Think about that for a minute.
As a network engineer or an individual aspiring to become a network engineer you will quickly realize or learn that you can easily be singled out on the internet with just an IP address. Your IP Address can be used to locate you geographically speaking.
For example lets say your computer is infected with a virus and you become an unwilling participate in a hack that is orchestrated by individuals attempting to gain access into classified computer networks to gather information. You personally would be held responsible, after all it is your IP Address that is doing the hacking. Your IP address along with the date and time included in subpoena sent to your ISP could easily identify you and the home address related to the service. Next thing you know you have the SWAT team busting your door down while you’re watching reality TV of SWAT teams busting peoples door down. How is that for irony?
So how do you solve this problem? Through the use of VPN technology. There are several VPN providers on the internet who’s sole purpose is to provide anonymity online. You pay for the service and they provide you with the credentials to connect to a VPN. After you’ve connected all your internet traffic traverses their network and any internet request that are made are made through the VPN. So now your public IP Address is not the IP Address provided to you by your ISP which can be used to identify you but rather the public IP address used by the anonymous VPN service.
While using Anonymous VPN services can be used to commit illegal crimes such as downloading and distributing copyrighted material or perhaps even other nefarious actions, Free CCNA Workbook does not promote or endorse any of these actions. With that being said anything you do on anonymous vpn services is at your own risk.
Beyond the BasicsTraditionally anonymous VPN services are typically used via Dialer interfaces on common operating systems such as Windows and Linux. While this configuration works, it only works for a single PC unless you want to configure a Windows Server with connection sharing which of course is a huge pain in the @$$.
Using a Cisco IOS router you can than allow multiple PC’s to use the VPN service by changing the default gateway on the PC(s) to the inside interface of the VPN Client. You can even go a step further by setting up a separate SSID on your wireless access point(s) so that you have a dedicated wireless SSID which only uses the anonymous VPN service as its connection to the internet.
There are tons of Anonymous VPN Providers out there however this blog is going to demonstrate the configuration of an L2TP IPSEC using Private Internet Access
So enough with all the jibble jabble lets dive in to the config shall we?
The L2TP IPSEC Tunnel ConfigurationWell I’m not going to explain every single line of configuration however if you are experienced enough in Cisco IOS and VPN technologies this should all make sense. If you have questions you can post a comment with your question.
Before you get started you’re going to need the credentials for your VPN Authentication. The credentials you got in your email when you signed up with Private Internet Access is NOT the credentials you’ll be using to connect to the VPN. You must log into the Client Support Page and generate new vpn credentials which will be used. Once you have the credentials you’ll need the peer IP address which you’ll be connecting to.
You can obtain this by pinging the DNS name of the VPN gateway you wish to connect to. In this case we’re going to use East US Gateway “us-east.privateinternetaccess.com” At the time of this blog this name resolves to 108.61.152.251. This of course will probably change by the time you read this.
Once you have all this information you’re ready to start configuration. Go ahead and configure hostname, ssh, credentials, IP addresses, etc…
You’re also going to need a PUBLIC IP address for this configuration, for this blog we’re using 73.41.232.21 on FastEthernet0/0
First up we need to configure Phase 1 of the IPSEC Tunnel by defining the ISKMP policies and peer pre-shared key.
!crypto isakmp policy 10 encr aes 256 authentication pre-share group 5!crypto isakmp key mysafety address 108.61.152.251!Now lets define the first sequence in the crypto map which will be used to build the security association;
!crypto map PIA_VPN 10 ipsec-isakmp set peer 108.61.152.251 set transform-set ESP-AES256-SHA1 match address PIA_EAST_US!You’re going to need to build out the transform set referenced in the crypto map “ESP-AES256-SHA1″;
!crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac mode transport!Now you need to configure the ACL referenced in the crypto map “PIA_EAST_US”. In this case the source and destination UDP port is going to be 1701. You’ll also need to use the public IP address which should be static as the source IP Address int he ACL. In this case 73.41.232.21 is the IP address assigned to the outside interface FastEthernet0/0 whereas 108.61.152.251 is the VPN Gateway IP Address.
!ip access-list extended PIA_EAST_US permit udp host 73.41.232.21 eq 1701 host 108.61.152.251 eq 1701!Once the IPSEC Configuration has been completed you’ll need to assign the crypto map to the public facing IP Address, in this case FastEthernet0/0;
!interface FastEthernet0/0 crypto map PIA_VPN!Before we can configure the L2TP virtual tunnel interface we first need to define the pseudowire class configuration. The encapsulation will be set to l2tpv2 and the local interface should be defined as the public facing interface;
!pseudowire-class PIA_L2TP encapsulation l2tpv2 ip local interface FastEthernet0/0!Now we can define the virtual tunnel interface, in this case its going to be a Virtual-PPP Interface;
interface Virtual-PPP1 description Tunnel to PIA EAST US ip address negotiated ip nat outside ip virtual-reassembly ppp eap refuse ppp chap hostname x4108222 ppp chap password 0 8Mz1wHgZDJ ppp ipcp address accept no cdp enable pseudowire 108.61.152.251 1 pw-class PIA_L2TPAnd thats it for the L2TP IPSEC Tunnel configuration. You should now be able to verify that Phase I and Phase II have established successfully as shown below;
PIA-GATEWAY#show crypto isakmp saIPv4 Crypto ISAKMP SAdst src state conn-id status108.61.152.251 73.41.232.21 QM_IDLE 1001 ACTIVEIPv6 Crypto ISAKMP SAPIA-GATEWAY#PIA-GATEWAY#show crypto ipsec sainterface: FastEthernet0/0 Crypto map tag: PIA_VPN, local addr 73.41.232.21 protected vrf: (none) local ident (addr/mask/prot/port): (73.41.232.21/255.255.255.255/17/1701) remote ident (addr/mask/prot/port): (108.61.152.251/255.255.255.255/17/1701) current_peer 108.61.152.251 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 305, #pkts encrypt: 305, #pkts digest: 305 #pkts decaps: 294, #pkts decrypt: 294, #pkts verify: 294 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 73.41.232.21, remote crypto endpt.: 108.61.152.251 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0xC4E6F422(3303470114) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x97AF5057(2544848983) transform: esp-256-aes esp-sha-hmac , in use settings ={Transport, } conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: PIA_VPN sa timing: remaining key lifetime (k/sec): (4580055/1730) IV size: 16 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xC4E6F422(3303470114) transform: esp-256-aes esp-sha-hmac , in use settings ={Transport, } conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: PIA_VPN sa timing: remaining key lifetime (k/sec): (4580054/1730) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:PIA-GATEWAY#If you are having problems with Phase I or Phase II you can use the debug crypto isakmp and debug crypto ipsec command(s) to help you better understand why. Google any errors you may receive
If your configuration is correct thus far the Virtual-PPP1 interface should be up/up with an IP Address as shown below;
PIA-GATEWAY#show interface virtual-ppp1Virtual-PPP1 is up, line protocol is up Hardware is Virtual PPP interface Description: Tunnel to PIA EAST US Internet address is 10.10.1.3/32 MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP Open Open: IPCP, loopback not set Keepalive set (10 sec) DTR is pulsed for 1 seconds on reset Last input 00:05:43, output never, output hang never Last clearing of "show interface" counters 00:50:30 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 417 packets input, 5892 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 339 packets output, 6217 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out 0 carrier transitionsPIA-GATEWAY#If your Virtual-PPP1 interface is failing to obtain an IP Address and shows UP/DOWN than you can use the debug ppp authentication command to ensure that your credentials are correct.
Routing and NAT ConfigurationBefore the clients on the inside can access the internet via the L2TP IPSEC VPN you need to setup two static routes and NAT.
The first static route you’ll need is a route to the VPN Gateway via your ISP default gateway. In this case 108.61.152.251 needs to be routed to 73.41.232.1
!ip route 108.61.152.251 255.255.255.255 73.41.232.1!Next is going to be the default route for all traffic to reach the internet, send it through the tunnel;
!ip route 0.0.0.0 0.0.0.0 Virtual-PPP1!Next up you need to define the inside and outside NAT zones;
!interface FastEthernet0/1 ip nat inside!interface Virtual-PPP1 ip nat outside!Once NAT zones have been defined you’ll need to define an ACL which will be used by NAT overload to translate multiple inside machines to the IP address of the virtual-ppp interface. In this case our inside network is 192.168.0.0/24
!ip access-list standard NAT permit 192.168.0.0 0.0.255.255!Finally we need to define the source NAT statement so that inside hosts referenced by the named acl “NAT” will be overloaded to the Virtual-PPP1 interface.
!ip nat inside source list NAT interface Virtual-PPP1 overload!Now you’re golden. To test your NAT configuration you can do a traceroute sourced from your inside interface, in this case FastEthernet0/1 to 4.2.2.2 as demonstrated below;
PIA-GATEWAY#traceroute 4.2.2.2 source FastEthernet0/1 probe 1 numericType escape sequence to abort.Tracing the route to 4.2.2.2 1 10.10.1.1 48 msec 2 * 3 184.75.211.129 64 msec 4 38.88.240.133 88 msec 5 69.31.143.24 60 msec 6 154.54.3.93 76 msec 7 4.69.155.208 128 msec 8 4.2.2.2 112 msecPIA-GATEWAY#As you can see from the traceroute provided above the next hop IP address is going to be 10.10.1.1 which is the IP address of the VPN gateway.
To allow machines on your network to access the internet via this newly build L2TP IPSEC VPN Gateway you just need to change the default gateway on your machines to the inside interface of the newly configured vpn gateway router.
After which you can test your public facing IP address using IP Chicken!
Download the final Configuration!Click the button below to download the final configuration!
VPN-GATEWAY Final ConfigurationIf you have any questions or comments please post a comment below! Enjoy….
Job Advice for Aspiring Network Engineers
Well I figured I would write a new type of blog regarding a question that I see get posted on the facebook page all the time. What kind of job can you get with the CCNA? Well in order to answer this question accurately you’ll need to provide a little bit more information.
In general as a CCNA who is new to the networking industry and have limited IT experience than you should not be expecting much as you will find it hard to get your foot in the door. You’ll do countless interviews most likely and eventually someone will feel that they can trust you (Mold you into what they want) enough to offer you a job in which case they’re going to offer you a very low salary.
Yeah its nice to get an hourly position but in America you only see those types of employment with contracting which would also NOT include benefits such as vacation, health insurance, etc…
Most companies are smart not to pay their engineers hourly because they know it saves them thousands of dollars a year to just pay you salary. As a network engineer you may find yourself working 40-80 hours a week. Why? Because most changes that occur to the network occur after hours and this does not include the time you’re required to be at your cube 8:00AM to 5:00PM.
So let me be blunt, if you’re going to become a network engineer you’re most likely going to end up as a cube slave. I say this as an engineer who has been in the field for 12 years and 10 of those 12 years have been spent in a cube. The last two years I’ve worked from home full time. So with this in mind you should embrace your inner cube personality and get some nice decorations because without an MBA or a management position your chances of getting your own office are very slim in most cases.
What should I expect in pay?Well as a newly minted CCNA network engineer who has little to no experience (less than 2 years) you should not expect 75,000 a year. You would get laughed at by the hiring manager soon as you’ve walked out of the door from the interview.
Why do I know this? Because I’ve done this myself on countless occasions. No hiring manager in their right mind would hire a CCNA with 1 year experience in the USA @ 75k a year with benefits and vacay unless they’re extremely desperate or you’ve managed to “WOW” them in the interview.
Realistically you should expect between 25,000 to 50,000 Salary with limited experience. Keep in mind you’re only going to get an offer like this if you don’t make yourself look like an idiot in the job interview. You’re probably thinking in your head “how would I look like an idiot”.
Well if you brain dumped the CCNA exam than you’re going to get laughed at. If the hiring manager asks you a simple question that any network engineer with the CCNA should know and you answer it with “i don’t know” they’re gonna think you’re not worth it.
An example question would be, “how is the root bridge elected in spanning tree?”
What type of job should I look for?Well as a CCNA you’re job opportunities are going to be limited and often times you’re going to be limited to larger companies who feel they can “mold” you into what they want you to become. At this stage your chances of getting a startup company position or small business position is slim unless you know someone or you have other skills needed by that company.
In either case a CCNA engineer with less than 3 years experience is not going to be doing very much engineering. You’re gonna start out as a switch tech or triage engineer (level 1) support. As your experience and skills advance you’ll work your way up the ladder. How fast you climb is completely up to you!
What type of company should I work for?Well this is the million dollar question and this is the type of question that should be asked before accepting ANY position.
Speaking form experience most large companies (publicly traded companies, etc..) Your engineering experience will become extremely limited. This is because at large corporate companies you have to learn the politics involved. This includes Change Control, Change Management, Auditing, Approval Processes, documentation, etc… If you’ve never read Dilbert comic strips I would suggest you start there. Dilbert is a GREAT representation of what happens in most corporate environments on a day to day basis.
Most large corporate companies will often times have “too many Chiefs and not enough Indians.” What I mean by this is that you have too many managers that don’t know shit and very few engineers that actually do the work, in which case the managers claim credit for. This is typical among corporate environments.
Also if you accept a corporate environment position then don’t expect to work from home too often as “most” managers and VP’s that work in corporate environments are “old school” which pretty much equates to be at your desk at 8:00AM and not not leave before 5:00PM or I’m going to fire your ass type. This of course is slowly changing as young talent is moving up and this way of management is not the most efficient anymore due to the world becoming so connected with internet, mobile devices, etc…
There are however several benefits from working at large corporations which include job security and benefits.
As an entry level network engineer you may only get offers from large corporate environments in which case it is a learning experience. If you want my advice, stay there for a year or two and find another job.
Why find another job so quickly? Because 3% raise is nothing compared to doubling your salary in a single move after you have 2-3 years good experience and you need to be realistic, most corporate companies are not going to try to keep your talent however other companies may want what you have to offer and would be willing to offer significantly more pay with better benefits.
For example you start working at Widgets Inc making $30,000 a year, after 2 years you’re making about $35k a year after raises and bonuses based on performance. Maybe you get paid on call as well who knows. At this point you’re 2 years in with your CCNA and you’re probably already working on your CCNP or perhaps you’ve already passed the 3 CCNP Exams (Route, Switch and TShoot) in which case you’re ready to make a move as a CCNP with 2-3 years experience making 35k a year not doing yourself any service. If you have the experience and skills to pass the CCNP exams without dumps and can prove those skills in a job interview than you should not have a hard time finding another job around the 50-70k range in the United States. (This depends on job density and where you live of course).
At which point a single jump and you’ve effectively doubled your salary. Now you can afford to get rid of that 1995 Honda accord and buy something decent as your paychecks should be around $1,800 a bi-weekly. Ultimately at this point you should be clearing around $3,500 a month.
Working for the little guys!As you have evolved your skills and experience and obtained other certifications along your journey you now have more opportunities and can be picky when it comes to what type of jobs you can apply for and potentially get offers from.
Once you have worked in the Corporate environment for a year years you may like it or you may hate it. Most people hate it but must have the job security as they may have a mortgage, children, etc… If you have flexible and have the ability to take a little bit of risk than your reward is going to be greater.
I’ve worked in corporate environment(s) for years and after all these years I would never return to the corporate environment. Why? Because I hate playing corporate politics and ultimately I’m an engineer, not a paper pusher.
At smaller companies you have the ability to become more hands on whereas larger corporations, over 80% of your work is nothing but paperwork. Again if you like job security that is great! But if you want to be able to develop your engineering skills than large environments are not the place to be. Keep in mind they only refresh their network 3-5 years and when they do it takes an act of congress to get it done because of all the Chief’s and not enough Indians rule. Most managers in corporate environment(s) feel the need to micro manage that of which they have no understanding. Again, read some Dilbert.
Working for smaller companies often times may pay a little less and you may have a little less job security but you typically have more flexibility, more freedom and just a better quality of life due to less stress and you wont feel like just another number to HR. Everyone in the company would know your name.
In my humble option as a network architect with the CCIE Routing and Switching certification, working for start up companies are the best jobs ever because you get to do all the engineering and build from the ground up. Such a rewarding learning experience and often times rewarding financially if you have stock options and company goes public. Lets say you’ve worked for a start up for 5 years and you have 12,000 shares and the company goes public at $23.00 a share you’ve just made $276,000 dollars.
However if you work for a start up you must be willing to work your ass off because if you start slacking you’ll get laid off real fast. Companies cant afford to keep slackers on the payroll.
Obtaining the CCIE and finding a job!So if your long term goal is to obtain the CCIE certification and make the big bucks than there are several things you will learn along the way. One of the more important things to know regarding job opportunity and job security is the ability to set conditions on accepting a job offer(s)
As a CCIE, if you’re offered a job from any Partner that wants to use your CCIE number for partnership status (Silver, Gold Partner) than you should ALWAYS include a relinquishment clause in your offer.
In a nutshell the relinquishment clause will state that in the event of an involuntary termination, the company effectively relinquishes rights to use the CCIE number for partnership use at the effective termination date and time.
If they do not add this to the employment offer than you are taking a risk accepting the offer. Why?
Well ask yourself what is to stop them from hiring you and using you for 90 days just to associate your CCIE number with the company and letting you go shortly after and still being able to use your CCIE number for partnership status for 12 months? There is a term for this called “CCIE Poaching”
Now you’re a CCIE who cannot associate your CCIE number with another company thus effectively limiting your job opportunities. Because your CCIE number is in use, other companies may not extend offers to you because they cannot use your number until a year later.
It is your responsibility to protect your CCIE Number from poachers in which case the relinquishment clause is a “legally binding” agreement upon accepting the offer of employment stating that if the company involuntarily terminates you for any reason than they relinquish the right to use your CCIE number for partnership use.
Other QuestionsIf you have any other questions not answered in this blog entry feel free to post a comment and I’ll respond ^_^
dimanche 10 mai 2015
CCNA Wireless Chapter 1 and Chapter 2 Exam Answers
1.With radio frequencies, the goal is…
to send as much data as possible
as far as possible
as fast as possible2.The IEEE wireless standard is…
802.113.The FCC defines (4 things)
Unlicensed frequencies
Power @ which frequencies can be transmitted at
Transmission technologies which can be used
Locations WLAN dev’s can be deployed4.The European equivalent of the FCC is called
ETSI: European Telecommunications Standards Institute5.To achieve bandwidth from RF, an _____________ method is needed, for example ______________
emission method
example: spread spectrum6.To place data on RF signals, a __________ method is required
modulation method7.Modulation is…
The addition of data to a carrier signal8.As data is placed on a signal, more ______________ aka _________________ is used
frequency spectrum or bandwidth9.In wireless terminology, bandwidth refers to…
The width of the RF channel10.Hertz can be described as…
Cycles /second11.Extremely low frequency range = 3-30hz12.Super low frequency range = 30-300hz13.Ultra low frequency range = 300hz-3khz14.Very low frequency range = 3khz-30khz15.Low frequency range = 30khz-300khz16.Medium frequency range = 300khz-3mhz17.High frequency range = 3mhz-30mhz18.Very high frequency range = 30mhz-300mhz19.Ultra high frequency range = 300mhz-3ghz20.Super high frequency range = 3ghz-30ghz21.Extremely high frequency range = 30ghz-300ghz22.The 900mhz band’s range is 902mhz-928mhz23.The 2.4ghz band is used by which 3 wireless standards?
802.11b,g, and n24.The 2.4ghz band’s range is
2.400ghz – 2.4835ghz25.The 2.4ghz band has ____ channels
1126.The 2.4ghz band’s channels are _____ wide
22mhz27.Which channels in the 2.4ghz range do not overlap?
1, 6 and 1128.The 2.4ghz band uses _______ modulation
DSSS: direct sequence spread spectrum modulation29.What standards use the 5ghz band?
802.11a and n30.The data rate range of 802.11a is
6-54mbps31.In the 5ghz band, channels are _____ wide
20mhz32.The 5ghz band has _______ channels
2333.The 5ghz band uses _________ modulation
OFDM34.The data rates available inside the 5ghz band are:
6,9,12,18,24,36,48 and 54mbps35.Define modulation:
Varying in a signal or a tone called a carrier signal36.Define encoding:
When data is added to that signal37.A modulated waveform consists of 3 parts
1) amplitude; strength of signal
2) phase; the timing of signal between peaks
3) frequency; how often signal repeats /sec38.In DSSS, the transmitted signal is spread
across the entire channel39.Every data bit in DSSS is sent as a
chip stream40.How many bits need to change in a chip stream before the bit is miscommunicated
5 or more41.802.11 1 & 2 mbps use which encoding method?
barker code42.802.11 5.5 and 11mbps use which encoding method?
cck: complimentary code keying43.How many key words does cck have?
6444.Each key word in cck communicates how many bits?
up to 645.802.11b uses DBPSK and DQPSK modulation, what are these?
These are methods of representing information by changing the phase of the signal46.What is DBPSK?
Two phases are separated by 180 degrees, DBPSK modulates 1 bit per symbol47.In DBPSK, a 180 degree phase shift = 148.In DBPSK, a zero degree phase shift = 049.Is OFDM considered a spread spectrum technology?
no50.Channels in OFDM are divided into 20mhz, each subcarrier within these channels is 312.5hz wide51.MIMO is used by
802.11n52.As distance from AP increases, data rates
decrease53.What is DRS?
Dynamic rate shifting
The data rate can be dynamically shifted without the connection being dropped54.CSMA/CD uses a ___________ field to tell other transmitters how long it needs the channel for
duration field55.The FCC is the federal communications commission56.Cisco antennae use the __________ connector which stands for
RP-TNC (reverse polarity thread neil concelman connector)57.What is the measurement for the power emitted by an antenna?
EIRP: effective isotropic radiated power58.P2MP rules:
36dbm EIRP max
30dbm transmitter power
6db gain of antenna and cable combined
A 1:1 ratio of power to gain
اكمل القراءة
to send as much data as possible
as far as possible
as fast as possible2.The IEEE wireless standard is…
802.113.The FCC defines (4 things)
Unlicensed frequencies
Power @ which frequencies can be transmitted at
Transmission technologies which can be used
Locations WLAN dev’s can be deployed4.The European equivalent of the FCC is called
ETSI: European Telecommunications Standards Institute5.To achieve bandwidth from RF, an _____________ method is needed, for example ______________
emission method
example: spread spectrum6.To place data on RF signals, a __________ method is required
modulation method7.Modulation is…
The addition of data to a carrier signal8.As data is placed on a signal, more ______________ aka _________________ is used
frequency spectrum or bandwidth9.In wireless terminology, bandwidth refers to…
The width of the RF channel10.Hertz can be described as…
Cycles /second11.Extremely low frequency range = 3-30hz12.Super low frequency range = 30-300hz13.Ultra low frequency range = 300hz-3khz14.Very low frequency range = 3khz-30khz15.Low frequency range = 30khz-300khz16.Medium frequency range = 300khz-3mhz17.High frequency range = 3mhz-30mhz18.Very high frequency range = 30mhz-300mhz19.Ultra high frequency range = 300mhz-3ghz20.Super high frequency range = 3ghz-30ghz21.Extremely high frequency range = 30ghz-300ghz22.The 900mhz band’s range is 902mhz-928mhz23.The 2.4ghz band is used by which 3 wireless standards?
802.11b,g, and n24.The 2.4ghz band’s range is
2.400ghz – 2.4835ghz25.The 2.4ghz band has ____ channels
1126.The 2.4ghz band’s channels are _____ wide
22mhz27.Which channels in the 2.4ghz range do not overlap?
1, 6 and 1128.The 2.4ghz band uses _______ modulation
DSSS: direct sequence spread spectrum modulation29.What standards use the 5ghz band?
802.11a and n30.The data rate range of 802.11a is
6-54mbps31.In the 5ghz band, channels are _____ wide
20mhz32.The 5ghz band has _______ channels
2333.The 5ghz band uses _________ modulation
OFDM34.The data rates available inside the 5ghz band are:
6,9,12,18,24,36,48 and 54mbps35.Define modulation:
Varying in a signal or a tone called a carrier signal36.Define encoding:
When data is added to that signal37.A modulated waveform consists of 3 parts
1) amplitude; strength of signal
2) phase; the timing of signal between peaks
3) frequency; how often signal repeats /sec38.In DSSS, the transmitted signal is spread
across the entire channel39.Every data bit in DSSS is sent as a
chip stream40.How many bits need to change in a chip stream before the bit is miscommunicated
5 or more41.802.11 1 & 2 mbps use which encoding method?
barker code42.802.11 5.5 and 11mbps use which encoding method?
cck: complimentary code keying43.How many key words does cck have?
6444.Each key word in cck communicates how many bits?
up to 645.802.11b uses DBPSK and DQPSK modulation, what are these?
These are methods of representing information by changing the phase of the signal46.What is DBPSK?
Two phases are separated by 180 degrees, DBPSK modulates 1 bit per symbol47.In DBPSK, a 180 degree phase shift = 148.In DBPSK, a zero degree phase shift = 049.Is OFDM considered a spread spectrum technology?
no50.Channels in OFDM are divided into 20mhz, each subcarrier within these channels is 312.5hz wide51.MIMO is used by
802.11n52.As distance from AP increases, data rates
decrease53.What is DRS?
Dynamic rate shifting
The data rate can be dynamically shifted without the connection being dropped54.CSMA/CD uses a ___________ field to tell other transmitters how long it needs the channel for
duration field55.The FCC is the federal communications commission56.Cisco antennae use the __________ connector which stands for
RP-TNC (reverse polarity thread neil concelman connector)57.What is the measurement for the power emitted by an antenna?
EIRP: effective isotropic radiated power58.P2MP rules:
36dbm EIRP max
30dbm transmitter power
6db gain of antenna and cable combined
A 1:1 ratio of power to gain
CCNA Wireless Chapter 3, 4 and 5 Exam Answers
1.Wavelength can be described as…
The distance between successive crests of a wave2.What is the wavelength of AM radio waves?
400-500M3.What is the wavelength of satellite waves?
1MM4.As frequency increases, distance travelled
Decreases5. 1mhz is 1 million cycles per second6. 1ghz is 1 billion cycles per second7. Gain provided by antennae helps to cancel out ___________ from cabling
Loss8.The EIRP calculation is…
EIRP = transmitter O/P power – cable loss + antenna gain9.Free path loss is a result of attenuation and not interference10. As amplitude increases range increases11.Reduction of amplitude is aka absorption12.Absorption creates heat13.The main issue presented by reflection is Multi path interference14.What is multipath interference?
When two copies of the same signal arrive out of phase with eachother, and weaken or cancel eachother out15.What is scattering
When a signal is reflected by objects which are reflective but have jagged edges16.What is refraction
The changing or bending of a wave as it passes through something of a different density17.Dryness refracts signals away from earth18.Humidity refracts signals towards earth19.RSSI is received signal strength indicator20.A potential replacement for RSSI is receive channel power indicator21.What is SNR?
Signal to noise ratio, how much stronger a received signal is than the underlying noise, it is measured in dB22.What is link budget?
Value which accounts for gains/losses between tx and rx23.What is the link budget equation?
Received power (dBm) = (tx power + gains – losses)24.3 types of polarization for antennae are:
1) Vertical
2) Horizontal
3) Circular25.In an electromagnetic field, the magnetic field is perpendicular to the electric field26.Cisco antennae all have vertical polarization27.What is diversity?
The use of two antennae for each radio to increase the odds of a better signal28.What has to be the same about each antennae in a diversity scenario?
Their orientation29.Diversity is used to fight…
Multi path interference issues30. 2 main types of antennae are
1) Directional
2) Omnidirectional31. The h-plane of an antenna is aka
The azimuth32.The e-plane shows how a signal would propagate vertically33.The 2.2 dBi dipole antenna is aka the rubber ducky antenna34.The loss incurred by a cable is usually referred to as the cable loss specification35.3 types of antenna connectors are…
1) RP-TNC
2) N-connector
3) SMA (2 types)36.2 subtypes of SMA connectors are
RP-SMA and SMA-RS37.Attenuators reduce signal38.Amplifiers add active gain to compensate for cable loss39.Active gain means gain is added without focus change40.What shunts lightning surges before they reach the wired LAN lightning arrestors41.Do lightning arrestors protected against direct strikes?
no42.What are used to send a signal in two different directions?
Splitters43.The range of a WPAN would be..
<5-10m, or 20 feet44.WPAN’s use the 2.4ghz spectrum45.Bluetooth is an example of a WPAN46.Bluetooth uses what for an emission method
FHSS47.Generally, clients in a WLAN are _______ or less from the access point
100m48.An example of a WMAN is WiMAX49.WiMAX could possibly replace T1 AND T3 technologies50.Is it ideal for a WMAN to use ISM frequencies?
no51.Do WWAN’s have high data rates?
no52.The most popular versions of WWAN’s are… (2)
1) GSM
2) CDMA53.Two original versions of 802.11 topologies:
1) Ad-hoc, no central point
2) Infrastructure, has a central point54.The coverage area of an AP is called the
BSA55.The wired network is aka the…
Distribution system56.2 or more BSA’s make an…
ESA57.The process of clients moving AP’s called…
Roaming58.An SSID is a combination of what two things
MAC address and network name59.AP’s can have up to __ SSID’s
1660.An AP offering more than one NW called a
MBSSID61.What is an AWGB
Connects to upstream AP’s and allows wired ethernet clients to connect as non-standard clients62.What is an UWGB
Allows single wired device to be bridged upstream to an AP as a standard device63.Overlap needed for a wireless repeater is…
50%64.Original AP in a repeated wireless network is called…
The root device65.Outdoor wireless bridges operate at what layer of the OSI model
L266.What is used to determine the best path in a wireless mesh network?
AWPP protocol
اكمل القراءة
The distance between successive crests of a wave2.What is the wavelength of AM radio waves?
400-500M3.What is the wavelength of satellite waves?
1MM4.As frequency increases, distance travelled
Decreases5. 1mhz is 1 million cycles per second6. 1ghz is 1 billion cycles per second7. Gain provided by antennae helps to cancel out ___________ from cabling
Loss8.The EIRP calculation is…
EIRP = transmitter O/P power – cable loss + antenna gain9.Free path loss is a result of attenuation and not interference10. As amplitude increases range increases11.Reduction of amplitude is aka absorption12.Absorption creates heat13.The main issue presented by reflection is Multi path interference14.What is multipath interference?
When two copies of the same signal arrive out of phase with eachother, and weaken or cancel eachother out15.What is scattering
When a signal is reflected by objects which are reflective but have jagged edges16.What is refraction
The changing or bending of a wave as it passes through something of a different density17.Dryness refracts signals away from earth18.Humidity refracts signals towards earth19.RSSI is received signal strength indicator20.A potential replacement for RSSI is receive channel power indicator21.What is SNR?
Signal to noise ratio, how much stronger a received signal is than the underlying noise, it is measured in dB22.What is link budget?
Value which accounts for gains/losses between tx and rx23.What is the link budget equation?
Received power (dBm) = (tx power + gains – losses)24.3 types of polarization for antennae are:
1) Vertical
2) Horizontal
3) Circular25.In an electromagnetic field, the magnetic field is perpendicular to the electric field26.Cisco antennae all have vertical polarization27.What is diversity?
The use of two antennae for each radio to increase the odds of a better signal28.What has to be the same about each antennae in a diversity scenario?
Their orientation29.Diversity is used to fight…
Multi path interference issues30. 2 main types of antennae are
1) Directional
2) Omnidirectional31. The h-plane of an antenna is aka
The azimuth32.The e-plane shows how a signal would propagate vertically33.The 2.2 dBi dipole antenna is aka the rubber ducky antenna34.The loss incurred by a cable is usually referred to as the cable loss specification35.3 types of antenna connectors are…
1) RP-TNC
2) N-connector
3) SMA (2 types)36.2 subtypes of SMA connectors are
RP-SMA and SMA-RS37.Attenuators reduce signal38.Amplifiers add active gain to compensate for cable loss39.Active gain means gain is added without focus change40.What shunts lightning surges before they reach the wired LAN lightning arrestors41.Do lightning arrestors protected against direct strikes?
no42.What are used to send a signal in two different directions?
Splitters43.The range of a WPAN would be..
<5-10m, or 20 feet44.WPAN’s use the 2.4ghz spectrum45.Bluetooth is an example of a WPAN46.Bluetooth uses what for an emission method
FHSS47.Generally, clients in a WLAN are _______ or less from the access point
100m48.An example of a WMAN is WiMAX49.WiMAX could possibly replace T1 AND T3 technologies50.Is it ideal for a WMAN to use ISM frequencies?
no51.Do WWAN’s have high data rates?
no52.The most popular versions of WWAN’s are… (2)
1) GSM
2) CDMA53.Two original versions of 802.11 topologies:
1) Ad-hoc, no central point
2) Infrastructure, has a central point54.The coverage area of an AP is called the
BSA55.The wired network is aka the…
Distribution system56.2 or more BSA’s make an…
ESA57.The process of clients moving AP’s called…
Roaming58.An SSID is a combination of what two things
MAC address and network name59.AP’s can have up to __ SSID’s
1660.An AP offering more than one NW called a
MBSSID61.What is an AWGB
Connects to upstream AP’s and allows wired ethernet clients to connect as non-standard clients62.What is an UWGB
Allows single wired device to be bridged upstream to an AP as a standard device63.Overlap needed for a wireless repeater is…
50%64.Original AP in a repeated wireless network is called…
The root device65.Outdoor wireless bridges operate at what layer of the OSI model
L266.What is used to determine the best path in a wireless mesh network?
AWPP protocol
Inscription à :
Articles (Atom)
