FreeNAS and Samba - curious case of MacOS

FreeNAS is a special edition of tuned-up FreeBSD, with a GUI available over WWW to enable easy setup and maintenance. i recently had to migrate my old Synology 1815+ thanks to the well known Intel SNAFU with Atom CPUs. interestingly enough, even Synology's own service department declined to RMA the NAS, without even discussing the situation. so i managed to quickly set up a 12x 3.5" bay server. i had five 3.5" 8TB HDDs from Synology that i wanted to rescue data from....

January 6, 2017 · Łukasz Bromirski

doing recert

every two (or three, depending how desperate you are) years, in life of every CCIE and CCDE there is this looming deadline called ‘recertification’. panic is usually short lived and ends with ‘push’ - successful recertification. in variable styles and techniques, but successful nonetheless. i had opportunity recently to execute this dance. and wise words people say, that if you lose daily connection with networking gear and technologies, you very quickly lose and forget expert level skills....

October 3, 2015 · Łukasz Bromirski

this is how it should work

weekend at countryside kind of surprised me… :) so, Cisco 887VAGW+7-E-K9, a little configuration and here we are.

    !
    chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 15 "OK"
    !
    interface Cellular0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     load-interval 30
     dialer in-band
     dialer idle-timeout 300
     dialer string gsm
     dialer-group 1
     async mode interactive
    !
    ip nat translation timeout 60
    ip route 0.0.0.0 0.0.0.0 Cellular0
    !
    dialer-list 1 protocol ip permit
    !...

May 24, 2015 · Łukasz Bromirski

use keys, not passwords

it’s a subject as old as the world (password-protected world, that is). i had to do some cleanup on my devices and i hit a problem with 4096 bit keys. so, just as a reference that may be helpful somewhere for someone - you import keys to Cisco IOS without any special problems:

    router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    router(config)#ip ssh pubkey-chain
    router(conf-ssh-pubkey)#username TEST
    router(conf-ssh-pubkey-user)#key-string
    router(conf-ssh-pubkey-data)#AAAAB3NzaC1yc2EAAAADAQABAAACAQDCiLBaopUwsFb9YJNhGqVYqBajlrH
    S/zwD6/yR6N8VcRzrpqMMNCFXe1q5GMGM[...]ANWInd9GHBjTzbJWVwavxy1ooQewii8ErofZuv1l/SXSdXLzfL
    p0zMoZ0L+BNPS0j4XBS0N3t8Vl8oVixqIeG2BNTCNaDDt6hx2Q== lukasz@bromirski....

April 1, 2015 · Łukasz Bromirski

because you can't just have one CPU...

…workstation requires two! ;) i had some time over Christmas to finally build myself following beast:

- Asus Z9PE-D8 WS (BIOS 5304, original 3304 had some interesting bugs)
- Xeon E5 2660 (Sandy Bridge EP/EX) - 16 cores, 32 HT
- Corsair H80i for CPU cooling
- 64GB RAM (8x 8GB DDR3 1600 ECC)
- OWC 480GB PCIe - has two 240GB blades in RAID0
- Corsair Obsidian 900D
- 2x Seagate 4TB HDD [6x Samsung 2TB]
- LSI 9261-8i to drive those mechanical disks in RAID5
- Creative SB ZX
- AMD Radeon 7970 connected to three Dell U2412 monitors
- Intel x520 NIC connected to Catalyst 2960S and to other workstation - Xeon 5670, 48GB RAM, OWC 240GB as boot and two 2TB RAID0 disks as RAID0 for ESXi 5....

February 1, 2014 · Łukasz Bromirski

vmware - again

you spend a lot of time preparing OVA to save time in future and enable cloning. then, during importing to remote ESXi you get following error message: Failed to deploy OVF package: The task was canceled by a user.. i didn’t cancel anything! it’s frustrating, and it seems it’s a small problem on import format side, not on user side. OVA is simple ZIP file that can be unpacked, so you should do so....

November 10, 2013 · Łukasz Bromirski

IOS shell

if you haven’t noticed by now, in the IOS 15M line we introduced IOS shell. firing it up is just as easy as doing:

    C2#conf t
    C2(config)#shell processing full

now you have new, UNIX-like commands and options to chain them, including nested grep.

    C2#sh running-config | wc -l
    163
    C2#sh running-config | grep ip | grep 2001
    ipv6 address 2001:DB8:10::10:254/64
    ipv6 route ::/0 2001:DB8:10::10:1

if you by now are a fan of such capabilities, having been working with IOS XR - it’s a nice touch :)

October 29, 2012 · Łukasz Bromirski

flexible netflow and CLI - part two

some time ago i’ve written a post about displaying live traffic that is going through the router. also, i covered how it can be split based on autonomous system (with some sorting capabilities built in), thanks to Flexible NetFlow. recently, Flexible NetFlow was extended to use NBAR capabilities, and with that we have new options to sort traffic by application. with slightly modified flow record snippet, we can collect also the application name:...

February 15, 2011 · Łukasz Bromirski

pf, altq and benefits of source code access...

…hit me again (in a positive way). i was experimenting in my lab and wanted to define a lot of queues (and i mean a lot of them) in ALTQ. unfortunately, very quickly during parsing of pf.conf pfctl barked out following information:

    pfctl: DIOCADDALTQ: Cannot allocate memory

to overcome the problem, you only need to modify those three files:

    /usr/include/altq/altq_hfsc.h
    /usr/src/sbin/pfctl/missing/altq/altq_hfsc.h
    /usr/src/sys/contrib/altq/altq/altq_hfsc.h

where

    #define HFSC_MAX_CLASSES 64

is defined - to requested value....

January 23, 2011 · Łukasz Bromirski

OpenSSH under windows 7

working remotely on Windows via Remote Desktop if you’re hanging off GPRS or 3G connectivity somewhere in the mountains (for example) isn’t optimal. I had to access some such servers remotely. you can find cygwin useful (there’s also VanDyke V-Shell, a bit pricey and for non-commercial use). cygwin package installs UNIX environment, and that - yes - may include OpenSSH plus some tools (like scp for example). you just need to download, and then run installation, selecting cygrunsrv and openssh....

January 8, 2011 · Łukasz Bromirski

bgp in the lab

long, long time ago, playing with BGP was reserved for secret group of people, that somewhat like Lem’s Trurl and Klapaucjusz were laughing at mere mortals but didn’t share the knowledge. then, a lot of things changed, trainings, certifications appeared, and then bootcamps and finally massive, open-for-all intro courses. and now, BGP is everywhere and is configured by anyone - you’ll find typical housewives running it as well, as without it they couldn’t upload new contact via bluetooth it seems....

November 21, 2010 · Łukasz Bromirski

lisp@plnog#5

i was stubborn - and while from the very first moment we’ve had a lot of challenges with the hotel infrastructure, i was able to run xTR routers during last PLNOG for LISP. no, it’s not about programming Cisco routers with LISP, but about new concept of Location/ID Split, that is new concept enabling you to treat traffic engineering in internet differently. in short - we still serve traffic like we always did (backward compatibility), but by assigning users and companies IPv4 and IPv6 addressing from special pools, we can treat this traffic in a different manner....

October 24, 2010 · Łukasz Bromirski

flexible netflow in service of statistics

if you’re peering with somebody else using one of available IXPs, prediction of traffic flow changes and optimization of paid services is crucial for proper traffic engineering. one of the more popular and easier tools, that is able to visualize traffic exchanged between ASes is AS-Stats. to do its work properly, AS-Stats needs proper link definition in knownlinks file. NetFlow probes exported to collector will contain only the id and AS-Stats needs to match it....

September 19, 2010 · Łukasz Bromirski

pf_ring, 32 thousands of rules and Intel X520

it seems that more and more things are landing in our homes. couple of people that created nTop project with cooperation with Intel, built a device driver for Linux that can forward traffic using Intel X520 directly with 32 thousands of rules applied. 32 thousands is quite a number to serve real-life aggregation or core router, but at the same time it’s more than needed to serve as home firewall. similar things were done in the past in NVidia nForce chipset....

September 4, 2010 · Łukasz Bromirski

short RAID story

those of you frequently visiting my home site noticed that it wasn’t available for some time. unfortunately, that’s because of interesting RAID 5 failure in my server that hosts also my web page. FreeBSD relentlessly tried to serve web traffic from filesystem that was falling apart because of hardware problems, but then, 30 minutes after first failure, second hard disk failed in the same array! temperature was finely tuned, but it seems that after 5 years of continuous work they had to fail....

June 12, 2010 · Łukasz Bromirski

layer 2 and 3 security - live demo

if you haven’t seen my practical demonstration at SecureCON 2007, you can see extended version on this thursday - i’ll be visiting AGH in Cracow at 7:45pm to do “show & tell” session as part of netWork sessions. session will be extended as we’ll have more time. photos can be found here and more information about the session itself can be found here.

February 20, 2009 · Łukasz Bromirski

ccie service provider

i came back yesterday from Brussels and today at 5:30am the verdict came in - definitely “PASS” :) so… let me share some advice and tips for those of you preparing to take CCIE SP practical exam (without breaking NDA of course). first of all - if you have that luxury of training on any software version - please try to check with the current Cisco page and align. software is quite “specific”, and you may be hit with interesting behavior that may be a little bit different from mainline versions....

February 10, 2009 · Łukasz Bromirski

SMB bootcamp

6 people responded to my call for a Cisco FAQ PL conversion idea up until today… but unfortunately there are no results so far. well, maybe it’s time to roll up your sleeves and do it yourself … in unrelated, but more optimistic news - a week ago i finished delivering SMB Bootcamp for Cisco partners. there was a lot of work (3 days, 12-14 hours each). you can read a bit about it in the link above on the CCIE....

August 5, 2007 · Łukasz Bromirski

vacations and move

for the next two-three weeks there will be no new posts. i’m preparing move of my server from Białystok to Warsaw. old, tired IBM PII-233 will be replaced by new IBM x306. if everything goes well, you’ll see no change. in the meantime i should be able to push new revision of Cisco FAQ PL plus some other stuff.

July 17, 2004 · Łukasz Bromirski

83.0.0.0/11 TPNET AS5617

IANA announced on 3rd of november, that it passed over 80/8, 81/8, 82/8, 83/8 and 84/8 control over to RIPE. that’s nice, but the problem is lazy network and security admins obviously didn’t yet update their ACLs and firewall rules, which means new Neostrada+ TP S.A. users have problems reaching anything in the internet from 83.0.0.0/11 address space. do your job, admins! missing such announcement for over 90 days doesn’t look good!...

December 17, 2003 · Łukasz Bromirski