Twittering but Which Networking Communities exist?

May 12th, 2009

Yes, this time I am asking you a question, so why don’t you just leave me a comment?

Fewer posts lately
First off, I would like to explain my lack of posts. I have had less creative input lately, so I can’t actually find anything interesting enough to write about to make it fun – and that’s a big part of maintaining this blog; having fun!
I’ve had some valuable input on my attempts to create a Web 2.0 IP Calculator, and I’ve had critics .. the bad, the good.

You inspire me!
I must say that the thing that inspire me the most to work is to see something I’ve created being used and from seeing Google searches hit this blog with articles directly related to the ‘googled’ issue, it gives me a good feeling inside.

Twitter
Lately, I’ve fell for the Twitter hype and you can find my tweets over at http://twitter.com/holmie, it would be fun to follow my readers on Twitter – so if you have a user there follow me!

Website statistics and the future
Anyhow, the good critics have been more visible to me than the bad ones – so I will continue this little blog experiment of mine. I can see on the traffic stats that I now have about 200 unique users every week day, except for weekends when the unique visitors drop to between 80 and 150, but there seems to be a lower bounce rate (people are reading articles about work on Sundays, preparing for Mondays?). The traffic seems to be growing with the content, and that hopefully means that someone finds it useful!

But BACK TO THE QUESTION: Which Networking Communities exist?
I have found small forums, but where have you found study partners or other interesting networking people?
I was a member of groupstudy.com for a while, but the amount of mail was a bit overwhelming and my email client had issues with threading the mails – so I had to unregister. Maybe I will give it a second try!

Other mailing lists that I find interesting are:
cisco-nsp
extreme-nsp
foundry-nsp

Well, if you know of a good resource (a forum, website, anything!) shout it out in the comment box.

My next post will be more technical, I promise!

Manipulate Routed Traffic With A Route-map

May 6th, 2009

Sometimes, when everything is failing, you’ll need to do some dirty hacks to get things the way you want. I’m going to show you how to modify the next-hop (where the packet is routed) with a route-map.

Let’s say you want to redirect web-traffic to a local cache running for example squid, but let other traffic pass on to its intended destination. As usual I have created an imaginary scenario, but this time I have used my creative skills (yeah, right!) to draw a little network map in dia also.

[Network map: squidroutemap]

The idea is to send all TCP port 80 traffic from all the clients to the web cache server on 10.0.0.2.
To achieve this, we need to create an access-list that matches web traffic from the clients.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended webtraffic
Router(config-ext-nacl)#deny tcp host 10.0.0.2 any eq www
Router(config-ext-nacl)#permit tcp 10.0.0.0 0.0.0.255 any eq www

To verify that this access-list now exists, run this command

Router#sh ip access-list webtraffic
Extended IP access list webtraffic
10 deny tcp host 10.0.0.2 any eq www
20 permit tcp 10.0.0.0 0.0.0.255 any eq www

As you can see, I have a deny on 10.0.0.2. This is because we can’t match traffic coming from the web cache server and redirect it to itself; that would create a loop.

The next thing we need to do is to create a route-map which uses the webtraffic access-list to match packets and makes the intended modifications to them.

Router(config)#route-map webcache-redirect permit 10
Router(config-route-map)#match ip address webtraffic
Router(config-route-map)#set ip next-hop 10.0.0.2
Router(config-route-map)#route-map webcache-redirect permit 200

You can now verify this route-map like this:

Router#sh route-map webcache-redirect
route-map webcache-redirect, permit, sequence 10
Match clauses:
ip address (access-lists): webtraffic
Set clauses:
ip next-hop 10.0.0.2
Policy routing matches: 0 packets, 0 bytes
route-map webcache-redirect, permit, sequence 200
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

The last thing that needs to be done for this to have effect is to apply policy routing on the interface on which you receive the traffic from the clients (the interface which acts as a gateway for the clients, in this case the one with the IP address 10.0.0.1).

Router(config)#int vlan 1
Router(config-if)#ip policy route-map webcache-redirect

You can now use the show route-map command again to see that your web traffic is now being policy-routed (the "Policy routing matches" counter on sequence 10 should increase).
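To make the ordering rules explicit, here is a small model of the ACL and route-map above, added as an example (not IOS code). It shows why the deny on host 10.0.0.2 keeps the cache’s own web traffic out of sequence 10, and why the empty sequence 200 lets everything else be routed normally. The packet addresses are constructed.

```python
import ipaddress

# Model of the page's ACL and route-map (added example, not IOS code).
# Each ACL entry: (action, protocol, source, destination, destination port).
# An IOS address/wildcard pair is written as network/hostmask, which ipaddress
# accepts directly; "host x" becomes x/32 and "any" becomes 0.0.0.0/0.
ACLS = {
    "webtraffic": [
        ("deny",   "tcp", "10.0.0.2/32",        "0.0.0.0/0", 80),  # 10 deny tcp host 10.0.0.2 any eq www
        ("permit", "tcp", "10.0.0.0/0.0.0.255", "0.0.0.0/0", 80),  # 20 permit tcp 10.0.0.0 0.0.0.255 any eq www
    ],
}

# Route-map sequences in order: (sequence, ACL to match or None, next-hop to set or None).
# Sequence 200 has no match clause, so it matches everything, and no set clause,
# so packets reaching it are routed by the normal routing table.
ROUTE_MAP = [
    (10, "webtraffic", "10.0.0.2"),
    (200, None, None),
]


def acl_permits(acl, pkt):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, proto, src, dst, dport in acl:
        if (pkt["proto"] == proto
                and ipaddress.IPv4Address(pkt["src"]) in ipaddress.IPv4Network(src, strict=False)
                and ipaddress.IPv4Address(pkt["dst"]) in ipaddress.IPv4Network(dst, strict=False)
                and pkt["dport"] == dport):
            return action == "permit"
    return False


def policy_route(pkt):
    """Return the next-hop forced by the route-map, or None for normal routing.
    A 'deny' in the matched ACL does not drop the packet: it only means this
    sequence does not match, and the next sequence is tried."""
    for _seq, acl_name, next_hop in ROUTE_MAP:
        if acl_name is None or acl_permits(ACLS[acl_name], pkt):
            return next_hop
    return None


# Constructed sample packets as they arrive on the client-facing interface (VLAN 1).
CLIENT_WEB = {"proto": "tcp", "src": "10.0.0.10", "dst": "198.51.100.7", "dport": 80}
CACHE_WEB  = {"proto": "tcp", "src": "10.0.0.2",  "dst": "198.51.100.7", "dport": 80}
CLIENT_DNS = {"proto": "udp", "src": "10.0.0.10", "dst": "198.51.100.53", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("client web", CLIENT_WEB), ("cache web", CACHE_WEB), ("client dns", CLIENT_DNS)]:
        print(f"{name:11s} -> next-hop {policy_route(pkt)}")
```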

Read about how to setup a squid as a transparent proxy here.

UPDATE: Eirik Hjelle poked me and told me that the squid tutorial I am referring to is outdated, and it sure is!
The basics of the squid.conf should be as follows (I was not going to cover it here, since this is a Cisco blog, but since Eirik was a nice fellow and just gave me a paste of what is required, I’ll include it):

http_port 3128 transparent
acl internal_network src 10.0.0.0/24
http_access allow internal_network

The traffic will still be directed to port 80, so it might be necessary to change the http_port to

http_port 10.0.0.2:80 transparent

How Traceroute Works Its Magic

March 6th, 2009

Do you wonder about how traceroute works? Here is how the traditional traceroute works…

TTL
Time To Live (TTL) is a field in the IP header; it is designed to prevent packets from looping forever.
When you send a packet, each router (hop) on the way will decrement the TTL value by one.
When the TTL value reaches zero (0), the packet is said to be ‘expired’ and is discarded.
The router that discards this packet will send an ICMP ‘Time Exceeded’ back to the sender.

By launching ‘traceroute’ in Linux you will send a series of UDP packets towards your target with a TTL starting at 1 and increased by 1 until the target is reached.

Fully explained: let us say you have this path to 10.0.1.2

  1. 10.0.5.1
  2. 172.16.1.1
  3. 10.0.0.3
  4. 192.168.100.1
  5. 172.16.18.9
  6. 10.0.1.2

By sending a packet with TTL 1, 10.0.5.1 will send you an ICMP Time Exceeded – and you have the first line in the traceroute.
TTL is set to 2 on the next packet; 172.16.1.1 will reply with ICMP Time Exceeded and you can see hop number two.

This method of tracerouting depends on the practice of sending an ICMP packet back when the TTL has expired and the packet is discarded. When the packet is only discarded (no ICMP sent) you will often see just a * * * in the traceroute; this also happens if the path is down. That’s usually when you do not reach your target.
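The mechanism above, as an added simulation (not the post’s own code): probes are sent with TTL 1, 2, 3, … along the constructed path listed in the post, and the two failure modes are modelled too: a hop that discards expired packets without replying (shown as * * *) and a path that is down after a given hop.

```python
# Simulation of the TTL mechanism in traceroute (added example, not the post's code).
# PATH is the constructed path from the post; "silent" hops discard expired packets
# without sending ICMP Time Exceeded; "down_after" is the hop after which the path is broken.
PATH = ["10.0.5.1", "172.16.1.1", "10.0.0.3", "192.168.100.1", "172.16.18.9", "10.0.1.2"]


def send_probe(path, ttl, silent=(), down_after=None):
    """Send one UDP probe with the given TTL along the path.
    Returns ("time-exceeded", hop), ("reached", hop) or ("timeout", None)."""
    for index, hop in enumerate(path, start=1):
        if down_after is not None and index > down_after:
            return ("timeout", None)        # link is down: the packet never arrives
        if hop == path[-1]:
            return ("reached", hop)         # the target itself delivers the datagram
        ttl -= 1                            # each router on the way decrements TTL
        if ttl == 0:                        # expired: this router discards the packet
            if hop in silent:
                return ("timeout", None)    # discarded without sending ICMP
            return ("time-exceeded", hop)   # ICMP Time Exceeded back to the sender
    return ("timeout", None)


def traceroute(path, silent=(), down_after=None, max_hops=30):
    """Increase TTL from 1 until the target answers or max_hops is reached.
    Returns the lines as traceroute would print them (address or '* * *')."""
    lines = []
    for ttl in range(1, max_hops + 1):
        kind, hop = send_probe(path, ttl, silent, down_after)
        lines.append(hop if hop is not None else "* * *")
        if kind == "reached":
            break
    return lines


if __name__ == "__main__":
    for number, line in enumerate(traceroute(PATH), start=1):
        print(f"{number:2d}  {line}")
    print("with 10.0.0.3 silent:", traceroute(PATH, silent={"10.0.0.3"}))
    print("path down after hop 2:", traceroute(PATH, down_after=2, max_hops=5))
```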

Secure your Network: How ARP Spoofing Works

March 6th, 2009

Do you wonder how hackers got to your packets? Might it have been ARP spoofing?

ARP Basics
ARP is a layer 2 protocol; its full name is actually “Address Resolution Protocol”.
As the name indicates, ARP is used to resolve layer 3 IP addresses to layer 2 MAC addresses.

It works quite simply: if a host on the segment wants to talk to another host but does not know its MAC address, it sends a frame to the broadcast address (FF:FF:FF:FF:FF:FF) saying “who has 10.0.0.1?”. The host with 10.0.0.1 sees this request and replies with “10.0.0.1 is at ab:cd:ef:ab:cd:ef”. The ARP table is then updated with the corresponding information, and the two hosts talk directly from then on.

Security problems in ARP
Most hosts will update their ARP table when they see a ‘10.0.0.1 is at’ ARP reply, even if they haven’t requested it.
This keeps network traffic low, because the MAC address may already be in the ARP table: some other host spoke to the server your computer wanted to talk to, your computer saw the ‘is at’ reply, and so there is no need for an ARP request.

What if someone flooded your network with fake ARP replies saying ‘10.0.0.1 is at fa:ke:ad:dr:es’?
Exactly: the hosts will update their ARP tables and start sending packets to the wrong host.
The machine at ‘fa:ke:ad:dr:es’ can then accept all packets and forward the correct ones to the actual 10.0.0.1 gateway (because the attacker does not poison its own ARP table, the attacker will still be sending packets to the real IP address).

Imagine how easy it is to become ‘attached’ to a wireless network; attackers there can also send spoofed ARP replies.

Tools
dsniff includes tools for ARP spoofing.
ettercap is capable of ARP poisoning too.
The package ‘arpalert’ on Ubuntu can notify you of changes in the ARP table.

To enable forwarding of packets in Linux:

linux:~# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
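On the detection side, the idea behind arpalert is simple to reproduce: parse every ARP reply seen on the wire and alert when an IP address suddenly claims a different MAC. Here is an added example of that check (not the post’s code, nor arpalert’s); the frames are constructed inline, with the gateway MAC taken from the post and a made-up second MAC.

```python
import struct

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame; used here only to construct sample input."""
    eth = target_mac + sender_mac + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # only Ethernet/IPv4 ARP
        return None
    return opcode, sha, spa

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

class ArpWatch:
    """Record the IP-to-MAC binding announced by every ARP reply (solicited or not)
    and report when an IP claims a new MAC. A legitimate NIC swap or DHCP address
    reuse also triggers this, so an alert is a prompt to check, not proof of attack."""
    def __init__(self):
        self.table = {}
        self.alerts = []
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None                      # requests carry no "is at" claim to track
        _, sha, spa = parsed
        ip, mac = ip_str(spa), mac_str(sha)
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is not None and previous != mac:
            alert = f"{ip} changed from {previous} to {mac}"
            self.alerts.append(alert)
            return alert
        return None

# Constructed sample traffic: a client request, the gateway's real reply (MAC from
# the post), then an unsolicited reply claiming the gateway IP for a made-up MAC.
GATEWAY_IP, CLIENT_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 10])
REAL_MAC, OTHER_MAC = bytes.fromhex("abcdefabcdef"), bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, b"\x00" * 6, GATEWAY_IP),
    build_arp(ARP_REPLY, REAL_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp(ARP_REPLY, OTHER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
]

def run_demo(frames=SAMPLE_FRAMES):
    watch = ArpWatch()          # feed the frames in order, collect the alerts raised
    for frame in frames:
        watch.observe(frame)
    return watch.alerts
```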

Munin Website Traffic Graph Plugin for Awstats

March 5th, 2009

I wanted a better view of my web traffic, so I decided to make a plugin for munin that can make my visitors more visual.

I know it’s not directly related to Cisco, but sharing is caring – and it may feed your craving for stats!
I have just run it for a day or two, and I am not sure if the values will always be pretty low and look a little hard to measure this way. In that case you might want to remove the lines with “.type COUNTER” in the script and graph the real values; this will make wavy graphs that fold every day at midnight.

The most important thing here is the concept of getting the numbers out of awstats from perl.

I have put it under download, the url is http://www.gho.no/download/awstats_

8 Great Resources that Every Computer Technician Should Know About

March 3rd, 2009

This post is a must read for computer technicians, and the resources can be used by both amateurs and professionals. I hereby share some of my clues for knowledge!

  1. The MAC address vendor search lets you identify the vendor of a MAC address; it is very helpful when troubleshooting ARP tables. Just enter a MAC address prefix such as 00-00-01 and you will see that it is identified as XEROX.
  2. Ever been on the lookout for a BGP looking glass? Wonder what your network looks like on the Internet? Need to traceroute yourself? Thomas Kernen maintains traceroute.org, which is a public looking glass listing service. Alternatively you can use routeviews.org, which also provides an excellent service!
  3. Need Cisco documentation? Cisco’s own site can be a very good source of information, at least once you learn to find your way around. You can find an article about almost every technology in a Cisco box on their website!
  4. Need something that can calculate your subnets on the fly? I have an Online IPv4 and IPv6 IP Calculator, and I also made an AJAX version of it which is available on ipv6calculator.net, it can be faster to use in some situations.
  5. The RIRs (Regional Internet Registries) can give you information about IP addresses; you can find out almost anything you would like to know about the EU IP address space by querying, for example, RIPE’s Whois Database.
    Here is a list of the RIRs and their respective Whois Databases:

    • RIPE Serves the EU Region
    • ARIN Serves the US Region
    • LACNIC Serves Latin America and the Caribbean
    • AfriNIC serves the African Region
    • APNIC serves the Asian Region
    • If you just want to query one time, here is a free whois proxy
  6. To monitor your BGP announced prefix from the outside you can use the service BGPmon, which will monitor your prefixes and alert you in case of path changes.
  7. Dynamips is a Cisco emulator; it successfully emulates the Cisco 7200, 3600 (3620, 3640 and 3660), 2691, 3725, 3745 and 2600 platforms. You can for example use it for testing network scenarios before deploying them!
  8. New software! Fresh meat! Check out freshmeat.net, this has been around forever now. New versions of open software projects are announced there, and it is also a browsable site for Open Software.

Now it is time for you to do your homework, let me know which sites you find useful or funny in your work or sites that you use on a daily basis, GO COMMENT!

I Tried to Make a Fancy IP Calculator

February 27th, 2009

Heyhey, I have been playing around with Ajax and Javascript and I made a fancier IP Calculator.

I have one available on this site (in the menu to the right, use it in case you don’t have javascript enabled).
If you want to try out my fancy version just go to ipv6calculator.net.

I haven’t had the chance to try the design in Internet Explorer, so if anyone can email me a screenshot or something it would be just awesome! (It is probably totally broken, because I am not a designer.)

Well, that’s that, enjoy it!

Using Tcpdump in Linux to Analyze Network Traffic

February 25th, 2009

Have you ever needed to see traffic in front of your eyes? There exists a tool in linux to do this. You can see it all, even .. passwords.

I will just give you the commands to see different types of traffic; use them for what you want.
You will not see network traffic going between other devices on the network, only traffic to your workstation – assuming you are on a switched network; on a WLAN things are different.
If you want to monitor a network port, you can use a ‘mirror port’ on Cisco; the configuration is as follows:

monitor session 1 source interface fastethernet 0/1
monitor session 1 destination interface fastethernet 0/2 encap ingress vlan 1

This will mirror all network traffic on FastEthernet 0/1 to FastEthernet 0/2.
There are also methods for injecting ARP into a switched network to make network devices believe you are the gateway, so that you can inspect the packets before passing them on to the gateway.

Tcpdump commands
So back to tcpdump, to look at for example web traffic.
Always remember that if you want to see the traffic as ASCII, just add the argument ‘-A’ to tcpdump.

I am assuming you are using eth0; -n turns off DNS resolution.

tcpdump -i eth0 -n port 80

Now a little more fancy, using egrep – this will show all your web requests in real time!

tcpdump -i eth0 -A -n port 80 | egrep -i '(GET./|POST./|Host:)'

Did you know you can tcpdump for a subnet with the net keyword by just excluding the last octet?

tcpdump -i eth0 -n port 80 and net 10.0.5

You can see I used ‘and’ here to combine filters; you can also use ‘or’,
for example port 80 or port 81.

If you forgot your POP3 password but have it stored in the client:

tcpdump -i eth0 -n -A port 110 | egrep -i '(user|pass)'

This also applies to passwords for the web, I have used this a lot instead of the ‘forgot password’ mechanism.

If I forgot to mention anything, please let me know.

Configuring errdisable behaviour

February 19th, 2009

When was the first time you learned that errdisable exists? Here is a short introduction!

I learned this the hard way: I had a network set up in a lab when a port shut down and never came up again… You can say I am glad I learned about it before that happened in the field, but do you know what it is and how you can configure it?

What is errdisable?
Errdisable is a mechanism in Cisco equipment that will, for example, shut down or suspend network ports where traffic is looping, ports with unidirectional traffic, and ports affected by various other causes. This renders the port useless: no traffic is passed over it, and the LED on the switch or router turns orange.

To determine if a port is in errdisable state you can issue the command:

Switch#sh int gigabitEthernet 1/0/25 status
Port      Name       Status        Vlan  Duplex  Speed  Type
Gi1/0/25  mynetwork  err-disabled  1     auto    auto   1000BaseSX SFP

Additionally, to see all errdisabled interfaces that will be re-enabled, you can use

Switch# show errdisable recovery

This command will show all errdisable causes with enabled recovery and all interfaces that will be enabled on the next timeout.

Configuration
To configure errdisable recovery, you use exactly that command:

Switch#conf t
Switch(config)#errdisable recovery cause bpduguard
Switch(config)#

That command enables recovery for the bpduguard (STP loop) cause.

errdisable recovery timer

Switch(config)#errdisable recovery interval 30

This sets a 30 second interval between timeouts; on every timeout cycle, all interfaces which are shut down because of errdisable will be re-enabled.

If the reason for the errdisable status persists, the interface will be shut down and set to errdisable again. If you set the timeout too low, you may use a lot of CPU because the interface will effectively be flapping.

Multiple Area OSPF Networks on Cisco – Part 2 of 2

January 30th, 2009

Had a nice week everyone? I’ve been writing a lot and working a lot, but anyways here is part 2 of 2!

Link State Database / Topology Table
What’s that? you may ask – maybe only because I forgot to mention it in the previous article. It is a database which contains data on how the routers ‘see’ the network topology (link states); all the routers in an area will have a copy of this table.
This table changes as the network topology changes, for example if a prefix is moved or an interface goes down.

VLSM
At one point this week I suddenly realized that I should probably mention that OSPF supports VLSM (Variable Length Subnet Masks); that some people still stick to routing protocols that do not support VLSM is way beyond my understanding.

LSAs and LSA Types
There are 7 types of LSA (Link state advertisements) in OSPF;

  1. Router Link Advertisements are generated by each router and flooded within a single area.
  2. Network Link Advertisements are generated by the DRs and flooded throughout the area. They describe the set of routers connected to a network.
  3. Type 3 are summary link advertisements. These are generated by the Area Border Routers and describe inter-area routes; generating a quad zero route with the command default-information originate also generates a type 3 LSA.
  4. Type 3 and type 4 are very often described together; the type 4 LSA describes routes to an ASBR.
  5. These are generated by the ASBR and describe routes that are redistributed into OSPF from other ASes or routing protocols. They are flagged in the routing table with O E1 and O E2 (external type 1 or 2) and are flooded to all areas except for stub areas.
  6. Group membership link entry LSAs are generated by multicast OSPF routers.
  7. Type 7 LSAs are only flooded within not-so-stubby areas and are generated by ASBRs. External routes injected into areas other than the backbone area 0 are type 7; these are converted to type 5 by area border routers before they are injected into the backbone area.

Route summarization
My feeling is that at least once (a day?) in every network administrator’s life they wish the routing table was smaller and had fewer prefixes, but what can we do?

We can use route summarization to make the routers summarize all routes in an area.

The configuration is as follows

Router(config-router)# network 10.0.0.0 0.0.0.255 area 0
Router(config-router)# network 10.0.1.0 0.0.0.255 area 1
Router(config-router)# area 0 range 10.0.0.0 255.255.255.0
Router(config-router)# area 1 range 10.0.1.0 255.255.255.0

This router will act as an area border router (ABR) between area 0 and area 1; the area <areaid> range command tells the router to summarize all routes in that area to that summary address before advertising them into another area.

Multiarea OSPF Configuration on Cisco IOS

The scenario is 4 routers, preconfigured with IP addresses and daisy chained.
R1: Area 0
R2: Area 0
R3: Area 0 and area 1
R4: Area 1

Area 0 = 10.0.0.0/24
Area 1 = 10.0.1.0/24

We will use route summarization.

To configure R3 to be in both area 0 and area 1, let us say we use /30 ranges for connecting the routers.

R3(config-router)#network 10.0.0.0 0.0.0.3 area 0
R3(config-router)#network 10.0.1.0 0.0.0.3 area 1
R3(config-router)#area 0 range 10.0.0.0 255.255.255.0
R3(config-router)#area 1 range 10.0.1.0 255.255.255.0

Configure all the other routers as usual, but R4 should be configured as only area 1.
I configured all routers to redistribute connected and static subnets.

To verify, check that you see area 1 as 10.0.1.0/24 instead of 10.0.1.0/30:

R1#sh ip route
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/30 is directly connected, FastEthernet0/0
O IA 10.0.1.0/24 [110/2] via 10.0.0.2, 00:01:56, FastEthernet0/0

There you go!