More, more, and even more

Hello again

This week we’re getting hold of all the missing bits for Rack2, which means frantic ebay shopping for cables, memory expansion cards, NM modules, flash cards. It’s become a bit tedious because rack2 is basically a copy of rack1, so I thought that with each next rack, I’ll try to introduce small modifications. I’m thinking 2504 wireless controllers for rack3 and rack4 (April/May) and some voice equipment for rack5 and rack6 (September/October).

In the meantime, the 3560v2 with the 15.0 software have arrived but I don’t feel like taking stuff out of Rack1 again, so I’ll put them in Rack2 and Rack3. I also got those ginormous 3745s (so much space for modules!), 2821s and 2851s. They’re a bit heavy so I’ll use only one of those per rack. I didn’t actually factor in their weight (ebay night shopping…when the mind sleeps, the hands order chunky routers) so in the future I’ll be ordering only small 8xx routers with 15.4+ IOS. Less power consumption, small and not as heavy, recent IOS.


Rack 1 ready to rumble

Just look at this: Isn’t this beautiful? This is the rack that I’m going to use for demos:

  • 1×3560
  • 2×3550 (soon to be replaced by 3560v2 or 3560e)
  • 2651xm + NM-32A (access server)
  • ASA 5520 (for VPN users)
  • 1×2801
  • 1×1921
  • 5×1841
  • 1×SRX210 (in case I want to draw a comparison with Junos)

In each rack there will be a small Edimax wifi router so that each group can connect to a separate SSID on a separate wifi band.

Big thanks to Kaziu!!! (“otherwise a man would just be loafing around on a Sunday, wandering from corner to corner”)

[Photo: dsc_0014]

Blast from the past

Hello

Today I’m checking the 2509 access servers. I was a bit apprehensive because they’d been in my cupboard for a while and I don’t think I ever checked them when I bought them (cheaply!). Anyways, I powered them on and they both froze on bootup. I sent the break command and went into a very ancient ROMMON. I never thought I would use the o/r command again – life can be so funny sometimes. Anyways, the o/r 0x2142 <enter> i <enter> commands helped and I was able to boot the routers. I lucked out and found 8 async octal cables in the cupboard, too. Blimey, do I have useful stuff there!

This got me thinking if I would be able to start an Atari game if I bought one. Start+Option? Was that how you did it?

I’m now booting the 2651xm + NM-32A which will function as two more access servers. Keep your fingers crossed.


CiscoSEC 2016

Hello

Just a short post today because I’ve just come back from the CiscoSEC conference and I’m a tad tired. It was great to hear about all those new things happening in the security area: OpenDNS acquired by Cisco, ISE 2.1 with some really cool features like EasyConnect (eliminating problems with dot1x supplicants), posture & profiling enhancements, threat-centric NAC and so many others; finally the ubercool Cisco Stealthwatch… Then came the scary presentation showing how to use VBA (and social engineering) to take control of someone else’s computer. I’m never gonna click on anything anywhere. Even if it’s from my girlfriend 😉 Kudos to the guy from niebezpiecznik.pl who demonstrated that everything can be hacked.

On a more personal level, I joined ISSA Poland and invited them to come and see the demo of the courses I’m going to run together with WSB. I’m really looking forward to that event (Dec 8!)

New lab part 2 – network plan

[Figure: schemat_sieci (network diagram)]

This is how I planned out what the network will look like during our classes. As you can see on the left-hand side, I plan to have 5 routers, 3 switches, 1 console server and 2 power strips. In case we need more devices, we can insert them into the empty slots (it’s a 19U rack). There will be 5 routers in each rack so that we can do VPN tunnels between R1 and R3, while R2, R4, and R5 will simulate ISPs. The 3 switches will represent a standard office network; they’re interconnected so that we can practise spanning tree and portchannels.

On the right-hand side I quickly sketched a bird’s-eye view of the entire network (there can be more than 3 racks if needed for larger groups, of course). Home users will be able to VPN into their racks, while classroom users will be divided into groups. Each group will connect to its own separate wifi network, which will allow them to connect to their console server.

Additionally, I can power each rack up and down remotely using Gembird power strips (not in the picture), because each rack’s power strip is connected to a managed power slot on the Gembird (only two racks per Gembird, even though Gembirds have 4 managed power slots, because my walls are getting strangely warm 🙂).

I spent the whole day putting more memory into the 1841 routers, checking flash cards, IOS etc. I fixed one fan and discovered that something must have eaten one of the fans in a 1841 router.

My homework is rather obnoxious in that I need to make some 20 cm crossover cables and patch cords, and I’m a bit clumsy. More than a bit, actually.

That’s all folks!


New Lab part 1 – ZPAS cupboards

Hello

As I’ve said, I’m currently building a new lab that I will be using to teach Cisco courses. This is an ongoing project so some things may still change.

First, I’ll start with the racks. We’ve decided we’re going to use silent cupboards from ZPAS:

http://zpasgroup.pl/szafka-sjb-19-biurowa-silent.html

I’ve bought two sets, together with the power strips, wheelsets, and shelves. What was missing from the set were the M6 mounting screws (40 PLN for 100 screws from Allegro), and the fan power plug had not been made up, but overall I love it! It’s really silent when I close the door and it actually looks nice in the living room a.k.a. my interim lab.

[Photo: zpas_cupboard]

News news news

Hello

It’s been a hectic few months but it’s been worth it.

  1. We now have a new website http://humanity.pl where you can buy our IT courses. This is something that I’ve been working on for the last 18 months but I never had time to actually make it real. Now my new business partner Dariusz Fedyk and I are working hard to get everything ready in time. If you buy now, you get a huge discount (>50%) so hurry up while stocks last 🙂
  2. We will be doing Cisco courses at WSB in Wroclaw. The first course starts in January but there’s also a demo that you can come and see still in December, see more details at http://www.wsb.pl/wroclaw/kandydaci/szkolenia/lista-szkolen/podstawy-sieci-komputerowych-kursy-dla-poczatkujacych?schedule=0
  3. We’re building a larger lab for our students: this is such a cool project and I will be posting more about the progress soon.
  4. I’ve passed CCNP Security! This took me about 18 months and while the exams themselves are not particularly well written, the experience overall was very good. I learnt a lot and I feel ready to take on CCDP in March next year (just before Junior is born.. which is even better news than this whole blog post put together)
  5. I quit my previous full-time job in June, which wasn’t surprising to anyone who knows me. My new job gives me much more freedom, and the network is huge, with 1000+ routers that I’m directly responsible for, which gives me plenty of room for self-improvement.


Logging discriminator on routers and switches, logging lists on ASA


If your routers/switches send useless but high-level messages to your syslog server, you can use a logging discriminator to eliminate some unwanted log messages.


This is an example of a Cisco bug message on a Cisco 881 router. It doesn’t mean anything and can only be fixed with an IOS upgrade. You can also choose to do nothing about it, because nothing is actually broken, but the message has a critical severity (level 2) and looks ugly in your Kiwi logs.

734605: Jul 15 12:33:26.295 CEST: %SYS-2-CHUNKINVALIDHDR: Invalid chunk header type 1 for chunk 8419EBA4, data 8419FEEC -Process= "Net Background", ipl= 3, pid= 27, -Traceback= 0x8084F720 0x80037078 0x8034D438 0x8170FA3C 0x8170D6AC 0x8170D978 0x816E6BD0 0x8190F7CC 0x8190FDC0 0x80C13514 0x8144F354 0x803241D4 0x80C1370C 0x8144F354 0x80B3B538 0x81450CC8

To eliminate this critical syslog entry, use a logging discriminator. The discriminator matches the message on its severity, facility and mnemonic, and is then attached to each logging destination (console, monitor and the syslog host) where the message should be suppressed:

logging discriminator NOCHUNK severity drops 2 facility drops SYS mnemonics drops CHUNKINVALIDHDR
logging console discriminator NOCHUNK
logging monitor discriminator NOCHUNK
logging trap warnings
logging host 10.0.0.1 discriminator NOCHUNK


On firewalls, you need a different approach, because the logging discriminator has not been implemented on the ASA. Instead, you change the severity level of individual messages on top of the configured logging level:

logging message 111111 level errors (look up the message number in the Cisco documentation)

or use a logging list, which combines a severity level with explicit message ID ranges and is then referenced by the trap destination:

logging list my_critical_messages level 1
logging list my_critical_messages message 611101-611323
logging trap my_critical_messages
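As an added illustration (not Cisco code and not from the original post), the following Python model applies the IOS discriminator and the ASA logging list from the two configurations above to a handful of constructed syslog lines, so you can see which messages each syslog host would actually receive. The sample lines are made up; the rule that a discriminator drops a message only when all of its configured drops criteria match is an assumption of this model, chosen because it reflects the intent of suppressing that single bug message.

```python
"""Model of the IOS logging discriminator and the ASA logging list from the
post, applied to constructed syslog lines.  Added illustration, not Cisco
code: the sample lines below are made up, and the rule that every configured
`drops` criterion must match before a discriminator drops a message is an
assumption of this model (it matches the post's intent of suppressing exactly
one message)."""
import re

# Header shared by IOS (%SYS-2-CHUNKINVALIDHDR:) and ASA (%ASA-6-302013:) messages;
# on the ASA the "mnemonic" is the numeric message ID.
_HDR = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse(line):
    """Return (facility, severity, mnemonic) or None if no syslog header is present."""
    m = _HDR.search(line)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def ios_discriminator(severity_drops=(), facility_drops=(), mnemonics_drops=()):
    """Equivalent of
         logging discriminator NAME severity drops .. facility drops .. mnemonics drops ..
    Returns keep(line) -> True when the message survives the filter."""
    def keep(line):
        hdr = parse(line)
        if hdr is None:
            return True          # not a syslog message, leave it alone
        fac, sev, mnem = hdr
        checks = []
        if severity_drops:
            checks.append(sev in severity_drops)
        if facility_drops:
            checks.append(fac in facility_drops)
        if mnemonics_drops:
            checks.append(mnem in mnemonics_drops)
        # Assumption of this model: dropped only when all configured criteria match.
        return not (checks and all(checks))
    return keep


def asa_list(level=None, message_ranges=()):
    """Equivalent of
         logging list NAME level N
         logging list NAME message START-END
    Returns matches(line) -> True when the message belongs to the list, i.e. its
    severity is N or more severe (numerically lower) OR its ID is in a range."""
    def matches(line):
        hdr = parse(line)
        if hdr is None:
            return False
        _, sev, mnem = hdr
        if level is not None and sev <= level:
            return True
        return mnem.isdigit() and any(lo <= int(mnem) <= hi for lo, hi in message_ranges)
    return matches


# Constructed sample lines (the first IOS line is the bug message quoted in the post).
IOS_LINES = [
    "734605: Jul 15 12:33:26.295 CEST: %SYS-2-CHUNKINVALIDHDR: Invalid chunk header type 1 for chunk 8419EBA4",
    "734606: Jul 15 12:33:27.001 CEST: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "734607: Jul 15 12:33:28.120 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "734608: Jul 15 12:34:01.500 CEST: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]
ASA_LINES = [
    "%ASA-1-106021: Deny TCP reverse path check from 10.1.1.5 to 10.2.2.9 on interface inside",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443",
    "%ASA-6-611101: User authentication succeeded: Uname: admin",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.4/5555 dst inside:10.2.2.9/22 by access-group OUTSIDE_IN",
]


def ios_forwarded(lines=IOS_LINES, trap_level=4):
    """Mnemonics that reach the syslog host under the post's config:
    discriminator NOCHUNK on the host plus 'logging trap warnings' (level 4)."""
    keep = ios_discriminator(severity_drops={2}, facility_drops={"SYS"},
                             mnemonics_drops={"CHUNKINVALIDHDR"})
    return [parse(l)[2] for l in lines
            if parse(l) and parse(l)[1] <= trap_level and keep(l)]


def asa_forwarded(lines=ASA_LINES):
    """Message IDs sent by 'logging trap my_critical_messages' with the post's list."""
    matches = asa_list(level=1, message_ranges=[(611101, 611323)])
    return [parse(l)[2] for l in lines if matches(l)]


if __name__ == "__main__":
    print("IOS host receives:", ios_forwarded())   # ['MALLOCFAIL', 'UPDOWN']
    print("ASA host receives:", asa_forwarded())   # ['106021', '611101']
```

Two points the model makes visible: matching on the mnemonic is what keeps the filter narrow, since a discriminator built on `severity drops 2` alone would also silence every other critical message (the MALLOCFAIL sample survives only because its mnemonic differs); and on the ASA the message range is OR-ed with the level, so the informational 611101 authentication message is forwarded even though the list's level is 1. Note also that the post's IOS config attaches NOCHUNK to the console, monitor and host destinations but not to the local buffer, so `show logging` on the router will still display the message.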


IT security nightmares

Hi

Today just a list of things you should never do as a network engineer:

  • putting guests on the corporate network
  • having the same preshared keys for 5 years
  • not having descriptions on interfaces
  • not having labels on patch panels
  • not having any network documentation
  • using swearwords as passwords
  • whole datacenter connected with one cable to the core switch
  • core switch with CPU spiking to 100% hundred times a day
  • terminal server connecting to that almost-dead core switch
  • having no change management

Much as I hate these things, fixing them makes me feel like a superman / wise rabbi figure. I give myself extra points if I manage to stay calm, too.


Building a home lab

Howdy

Been a bit busy with my home lab. Here’s what I’ve managed so far:

  • got a public IP from Polkomtel
  • installed the sim card in a Huawei 593s
  • used an old 48 port Dell switch to connect to the Huawei router
  • created a basic 10-router, 6 switch topology to practise configurations for my new job
  • plugged all equipment into my new wonderful GemBird IP PDUs so that I can power on my equipment from the Internet
  • installed two new Cisco terminal servers 2509
  • ordered a second-hand 2621xm + NM-32 terminal server to plug in more devices in the future

I’m still missing a rack (cashflow!) but September looks promising.

Other than that, I’ve been preparing my crowdfunding campaign at http://www.polakpotrafi.pl. It will take a while to cook because of all the account verifications, but I might be able to actually launch the campaign late July / early August. Leaflets and posters are ready for printing, so this, too, waits for my next salary. Doesn’t everything…

Exam update: I’ve passed JNCIS-ENT. I’m taking SISAS on Wednesday. SITCS needs to wait until end of September or until I do more paid overtime 🙂

Tomorrow I’m finishing the lab so you may expect some diagrams and basic configs.