networking

Funny bugfixes in Nortel 6.2.4 ERS software release

There are a few nice bugs in the Nortel ERS 6.2.4 release (see the release notes). First, the upgrade surprises:

  • After Upgrading from 6.1.1 to 6.2.1, QoS configurations were lost (wi00838747)
  • Some links get disabled after upgrade from 5.1.x to 6.x (wi00731564)
  • Stack upgrade failure from 6.1.4.011s to 6.2.1.003s with a large config file (wi00882592)
  • After upgrading from 5.1.4 to 6.2.1 EDM routing/IGMP/SNOOPING table expanded indefinitely causing high CPU utilization (wi00886347)

Weird issues, which can be explained by a lack of interoperability between objects:

  • Unable to add static route under certain conditions, adding the route required a reboot (wi00937754)
  • With autosave enabled on 5632FD, if the power is recycled the fiber connectivity to 470-48T switch is lost (wi00941175)
  • Autonegotiation could not be disabled (wi00824799)
  • Ping or Telnet to any DNS hostname would sometimes cause loss of connectivity to the management VLAN requiring a reboot of the stack (wi00933202)

Very weird bugs, which raise many WTF-like questions about the source code:

  1. Using show running-configuration with 744 VLANs configured spiked the CPU utilization to 100% for about 12-15 minutes (wi00907462)
  2. Switch does not learn MACs of the format xx:59:xx:xx:xx:xx (wi00870510)
  3. Cannot give the switch an IP address with the last octet “0” (wi00872983)

I can explain the third bug as an error in checking the network address under classless notation. I suppose the code was checking the IP address in a classful way, i.e. if the IP ends in zero, it is a network address and hence cannot be assigned.

How could they create bugs 1 and 2? They must have hard-coded the numbers 744 and 0x59 (89 decimal). Why? What was the purpose? What was the algorithm? Can you guess the algorithm from the information above?
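To make the hypothesis about bug 3 concrete, here is an added example (mine, not Nortel's code or the post's): the suspected last-octet check beside a correct classless one, run on a constructed 10.0.0.0/23 management subnet (an assumption, not from the post), which shows the suspected check is both too strict (it refuses 10.0.1.0, a valid host in a /23) and too loose (it accepts the /23 broadcast 10.0.1.255).

```python
import ipaddress

def assignable_last_octet_check(ip: str) -> bool:
    """The check the post suspects: a last octet of 0 is taken to mean
    'network address' and refused, whatever mask the admin configured
    (a classful, class-C-sized assumption)."""
    return int(ip.rsplit(".", 1)[1]) != 0

def assignable_classless(ip: str, prefix_len: int) -> bool:
    """Correct classless check: a host address is any address inside the
    configured subnet except its network and broadcast addresses; a /31
    (RFC 3021) or /32 reserves no addresses at all."""
    iface = ipaddress.IPv4Interface(f"{ip}/{prefix_len}")
    net = iface.network
    if net.prefixlen >= 31:
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)

def disagreements(prefix_len: int, candidates: list) -> dict:
    """Candidates on which the two checks differ, mapped to
    (suspected_check_verdict, correct_classless_verdict)."""
    out = {}
    for ip in candidates:
        suspected = assignable_last_octet_check(ip)
        correct = assignable_classless(ip, prefix_len)
        if suspected != correct:
            out[ip] = (suspected, correct)
    return out

if __name__ == "__main__":
    # Constructed sample: management subnet 10.0.0.0/23 (assumed, not from the post).
    sample = ["10.0.0.0", "10.0.0.255", "10.0.1.0", "10.0.1.1", "10.0.1.255"]
    for ip, (suspected, correct) in disagreements(23, sample).items():
        print(f"{ip}: suspected check says {suspected}, classless check says {correct}")
```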

Juniper Netscreen Tunnel Interface Remove Sequence

1. Delete all routes for all VRs

set route 10.0.0.0/24 interface tunnel.1 preference 20
set route 10.0.0.0/24 interface tunnel.1 preference 20

2. Delete all policy entries

set policy id 1 name "Policy Name" from "Trust" to "Untrust"  "Local" "Remote" "HTTPS" permit
set policy id 1
set service "Remote-services"
exit
set policy id 2 from "Untrust" to "Trust"  "Remote" "Local" "ANY" permit
set policy id 2
set dst-address "Trust-networks"
exit

3. Delete all policy elements

set address "Untrust" "Network Name" 10.63.194.0 255.255.255.0

4. Delete all interface bindings (autoKey IKE)

set vpn "PH2_Policy" id 0x1b9 bind interface tunnel.1

5. Delete AutoIKE entry

set vpn "PH2_Policy" gateway "PH1_Policy" no-replay tunnel idletime 0 sec-level standard
set vpn "PH2_Policy" monitor source-interface ethernet0/1 optimized rekey
set interface tunnel.1 ip unnumbered interface ethernet0/1

6. Delete the tunnel Interface

set interface "tunnel.1" zone "Untrust"
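As an added example (not part of the post and not Juniper tooling), a small Python pre-flight check that pulls every line tied to a tunnel interface out of a saved ScreenOS config in the removal order above; the sample config is constructed from the lines quoted in this post, and the policy and address-object steps are selected by the tunnel's zone, so the output is a review list rather than something to unset blindly.

```python
import shlex

# Constructed sample config, assembled from the lines quoted in this post.
SAMPLE_CONFIG = '''
set route 10.0.0.0/24 interface tunnel.1 preference 20
set route 10.0.1.0/24 interface tunnel.1 preference 20
set policy id 1 name "Policy Name" from "Trust" to "Untrust"  "Local" "Remote" "HTTPS" permit
set policy id 2 from "Untrust" to "Trust"  "Remote" "Local" "ANY" permit
set address "Untrust" "Network Name" 10.63.194.0 255.255.255.0
set vpn "PH2_Policy" id 0x1b9 bind interface tunnel.1
set vpn "PH2_Policy" gateway "PH1_Policy" no-replay tunnel idletime 0 sec-level standard
set vpn "PH2_Policy" monitor source-interface ethernet0/1 optimized rekey
set interface tunnel.1 ip unnumbered interface ethernet0/1
set interface "tunnel.1" zone "Untrust"
'''

REMOVAL_STEPS = ("routes", "policies", "address objects", "vpn bindings", "vpn entries", "interface")

def teardown_plan(config: str, iface: str) -> list:
    """(step, config line) pairs for everything tied to `iface`, in the post's
    removal order. Policies and address objects are picked by the tunnel's
    zone, which over-approximates when other interfaces share that zone."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    toks = [shlex.split(ln) for ln in lines]          # shlex handles the quoted names
    zone = next((t[4] for t in toks
                 if t[:2] == ["set", "interface"] and t[2:4] == [iface, "zone"]), None)
    bound = {t[2] for t in toks
             if t[:2] == ["set", "vpn"] and "bind" in t and iface in t}
    selectors = {
        "routes":          lambda t: t[:2] == ["set", "route"] and iface in t,
        "policies":        lambda t: t[:2] == ["set", "policy"] and zone is not None and zone in t,
        "address objects": lambda t: t[:2] == ["set", "address"] and t[2] == zone,
        "vpn bindings":    lambda t: t[:2] == ["set", "vpn"] and "bind" in t and iface in t,
        "vpn entries":     lambda t: t[:2] == ["set", "vpn"] and t[2] in bound and "bind" not in t,
        "interface":       lambda t: t[:2] == ["set", "interface"] and t[2] == iface,
    }
    plan = []
    for step in REMOVAL_STEPS:
        plan += [(step, ln) for ln, t in zip(lines, toks) if selectors[step](t)]
    return plan

if __name__ == "__main__":
    for step, line in teardown_plan(SAMPLE_CONFIG, "tunnel.1"):
        print(f"[{step}] {line}")
```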

Bringing Cisco IOS CLI to Linux CLI

There are a few people on the globe who love to work with Cisco and Linux via the CLI. These people might have issues trying to apply Bash/Vim syntax to IOS and vice versa. I’m certainly one of them. That’s why I can do the following in my Bash:

$ show .bashrc | i return
[[ "$-" != *i* ]] && return
#     return 0
#     [[ -z $adir ]] && return 1
#   [[ $? -ne 0 ]] && return 1
#     [[ $? -ne 0 ]] && return 0
#   return 0

It’s very handy for checking Cisco configs stored on Unix machines without turning your mind inside out. In fact, if you are in a rush and apply IOS syntax to Bash, you won’t be distracted by an error message; you will get the result you required.

$ show samle_conf.cfg | i spanning-tree
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree pathcost method long
 spanning-tree portfast
 spanning-tree portfast
 spanning-tree portfast
spanning-tree bpduguard enable
...

It’s achieved very easily. You need to add some aliases to your ~/.bashrc file and log in again:

echo 'alias show="cat"' >> ~/.bashrc
echo 'alias i="grep --color"' >> ~/.bashrc
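Going one step beyond the two aliases, here is an added example (mine, not from the post): a Python filter that gives a Unix pipe IOS's include, exclude, begin and section modes, meant to be saved as ~/bin/iosfilter.py (an assumed path) and aliased like the post's `i`, e.g. alias sec='python3 ~/bin/iosfilter.py section'.

```python
#!/usr/bin/env python3
"""IOS-style output filters (include / exclude / begin / section) for Unix
pipes, so `show conf.cfg | sec 'line vty'` behaves like IOS `| section`."""
import re
import sys

def split_sections(lines):
    """Group a config into blocks: a top-level line plus the indented lines
    that follow it (IOS indents sub-commands with a leading space)."""
    block = []
    for line in lines:
        if line.startswith(" ") and block:
            block.append(line)
        else:
            if block:
                yield block
            block = [line]
    if block:
        yield block

def ios_filter(mode, pattern, lines):
    """Apply one IOS filter mode to an iterable of config lines."""
    rx = re.compile(pattern)
    lines = [ln.rstrip("\n") for ln in lines]
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if mode == "begin":                      # everything from the first match onward
        for idx, ln in enumerate(lines):
            if rx.search(ln):
                return lines[idx:]
        return []
    if mode == "section":                    # whole blocks in which any line matches
        return [ln for blk in split_sections(lines)
                if any(rx.search(l) for l in blk) for ln in blk]
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    # usage: iosfilter.py {include|exclude|begin|section} REGEX  < config
    sys.stdout.write("".join(ln + "\n" for ln in ios_filter(sys.argv[1], sys.argv[2], sys.stdin)))
```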

Fixing SSH access on cisco via SNMP

Sometimes you may encounter a situation where your SSH is not properly configured, for example if you forgot to generate the SSL certificate before enabling transport input ssh on all vty lines, as I recently did. In this situation you might be lucky enough to have an SNMP RW community string configured, and then you can fix literally everything.

Not many settings on a Cisco can be configured via SNMP. But you can copy a prepared config to the device via TFTP, RCP etc. You may download the current device config to a TFTP server, edit the necessary lines and upload it back. You may upload it to the running config, the startup config or a flash file.

To download running config:

snmpset -v 1 -c rw_community hostname ccCopyProtocol.13 i 1
snmpset -v 1 -c rw_community hostname ccCopySourceFileType.13 i 4
snmpset -v 1 -c rw_community hostname ccCopyDestFileType.13 i 1
snmpset -v 1 -c rw_community hostname ccCopyServerAddress.13 a tftp_serv_ip
snmpset -v 1 -c rw_community hostname ccCopyFileName.13 s "file_name"
snmpset -v 1 -c rw_community hostname ccCopyEntryRowStatus.13 i 1

Edit it on the server and upload it back with the following commands. Be careful! If you upload to startup-config, IOS will not merge the uploaded config with the startup one; it will replace it instead. Do not upload partial sets of commands! To be on the safe side, I recommend never uploading partial configs: only the necessary lines should be added, cancelled or corrected, and the whole config should be uploaded.

snmpset -v 1 -c rw_community hostname ccCopyProtocol.13 i 1
snmpset -v 1 -c rw_community hostname ccCopySourceFileType.13 i 1
snmpset -v 1 -c rw_community hostname ccCopyDestFileType.13 i 4
snmpset -v 1 -c rw_community hostname ccCopyServerAddress.13 a tftp_serv_ip
snmpset -v 1 -c rw_community hostname ccCopyFileName.13 s "file_name"
snmpset -v 1 -c rw_community hostname ccCopyEntryRowStatus.13 i 1
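The same download/upload sequence scripted, as an added example (not from the post): it writes the ccCopyEntry columns as numeric OIDs so net-snmp needs no MIB file, polls ccCopyState instead of assuming the copy succeeded, and destroys the row afterwards so index 13 can be reused. Assumed: net-snmp's snmpset and snmpget on PATH, a reachable TFTP server, and the same SNMPv1 RW community the post uses.

```python
import subprocess
import time

# CISCO-CONFIG-COPY-MIB ccCopyEntry columns as numeric OIDs (<CC_COPY>.<column>.<row>);
# row 13 matches the index used in the post.
CC_COPY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
COL = {"Protocol": 2, "SourceFileType": 3, "DestFileType": 4, "ServerAddress": 5,
       "FileName": 6, "State": 10, "FailCause": 13, "EntryRowStatus": 14}
FILE_TYPE = {"network": 1, "startup": 3, "running": 4}             # ConfigFileType
TFTP, ROW_ACTIVE, ROW_DESTROY = 1, 1, 6                             # protocol / RowStatus
STATE = {1: "waiting", 2: "running", 3: "successful", 4: "failed"}  # ccCopyState

def copy_varbinds(direction, server_ip, filename, device_file="running", row=13):
    """Varbinds for one job: "download" copies device_file to the TFTP server,
    "upload" copies the server file into device_file (running or startup)."""
    src, dst = (device_file, "network") if direction == "download" else ("network", device_file)
    return [
        (f"{CC_COPY}.{COL['Protocol']}.{row}", "i", str(TFTP)),
        (f"{CC_COPY}.{COL['SourceFileType']}.{row}", "i", str(FILE_TYPE[src])),
        (f"{CC_COPY}.{COL['DestFileType']}.{row}", "i", str(FILE_TYPE[dst])),
        (f"{CC_COPY}.{COL['ServerAddress']}.{row}", "a", server_ip),
        (f"{CC_COPY}.{COL['FileName']}.{row}", "s", filename),
        (f"{CC_COPY}.{COL['EntryRowStatus']}.{row}", "i", str(ROW_ACTIVE)),
    ]

def snmpset_argv(host, community, varbind):
    """argv for net-snmp's snmpset, one varbind per call as in the post (SNMPv1)."""
    oid, typ, val = varbind
    return ["snmpset", "-v", "1", "-c", community, host, oid, typ, val]

def run_copy(host, community, direction, server_ip, filename, device_file="running",
             row=13, timeout=60):
    """Start the job, poll ccCopyState until it leaves waiting/running, then
    destroy the row so the index can be reused. Returns (state, fail_cause)."""
    for vb in copy_varbinds(direction, server_ip, filename, device_file, row):
        subprocess.run(snmpset_argv(host, community, vb), check=True, capture_output=True)
    def get(col):  # -Oqv prints the bare value, e.g. "3"
        oid = f"{CC_COPY}.{COL[col]}.{row}"
        argv = ["snmpget", "-v", "1", "-c", community, "-Oqv", host, oid]
        return subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()
    deadline = time.time() + timeout
    state = STATE.get(int(get("State")), "unknown")
    while state in ("waiting", "running") and time.time() < deadline:
        time.sleep(2)
        state = STATE.get(int(get("State")), "unknown")
    cause = get("FailCause") if state == "failed" else None
    destroy = (f"{CC_COPY}.{COL['EntryRowStatus']}.{row}", "i", str(ROW_DESTROY))
    subprocess.run(snmpset_argv(host, community, destroy), check=False, capture_output=True)
    return state, cause
```

The reason this works is also the reason an SNMPv1/v2c RW community string is equivalent to an enable password sent in cleartext: scope it with an ACL on the snmp-server community line, or move to SNMPv3 authPriv.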

If you encountered the SSH situation with no generated certificate, your config might look like this:

line vty 0 4
 length 0
 transport input ssh
line vty 5 15
 transport input ssh
exit

You should fix it to:

line vty 0 4
 length 0
 transport input telnet
line vty 5 15
 transport input telnet
exit

Some commands can be cancelled with a “no ” statement before the command. Some, as in the case above, cannot.

IPv4 free address pool is empty. No reason to panic.

What Happened?

ICANN announced there are no more IPv4 addresses. What they actually said was that IANA has delegated the last blocks to RIRs. Does it mean you can no longer get a public block of addresses? No. You can still get a brand-new block from your local RIR, or a yet-unallocated block from your local ISP. Meaning, there is NO reason to panic.

How does IP address allocation work?

For those who do not know how IP addresses are given out, the process is the following. The original holder of the whole free address space, for both IPv4 and IPv6, is IANA. IANA registers and delegates IP address blocks to Regional Internet Registries (RIRs). RIRs allocate IP addresses and IP address blocks to end customers. If you want to get an IP address, you have to allocate a block by registering it with your local RIR. Upon successful registration the block is allocated to you and you can do whatever you want with it, including reselling it. Currently most IP blocks are allocated to ISPs and big corporations. End users mostly get addresses from their ISPs.

The allocation works as follows:

ICANN (IANA) -> RIR -> Organization (ISP, corporation)  -> End user

What really happened?

What really happened is that IANA’s “IPv4 allocation department” is going to be renamed the “IPv6 allocation department”. They have done their job with IPv4: they delegated all of it to the RIRs, announced it and had a fierce party. These are the processes behind allocating the last block.

Currently the whole free IPv4 address space (not so big: 16,000,000 addresses managed by each of the 5 RIRs) is managed by RIRs and ISPs worldwide. Meaning, the IPv4 address space is really going to be exhausted soon. Not yet, but it is approaching. Still, there is nothing to fear. Even if it is fully exhausted, your only problem is not getting a pretty 4-octet address. The Internet will keep running. Moreover, IPv4 addresses are a subset of the IPv6 address space. Even if the whole Internet except you migrates to IPv6, you will still be reachable on the Internet.

The ICANN announcement should be considered a last warning and a last call for IPv6 migration.

Trip to Moscow

I went to Moscow lately to buy wool socks and hunt some bears. I didn’t buy the socks and had no luck killing any bear – they all ran away. It disappointed me, so I went to take the CCNA Security exam. I passed it.

As a bonus, I went to polytechnic museum (nice exposition), saw Resident Evil 4 movie (awesome action) and took a walk with fiskus (appeared to be a nice guy).

Frame, packet and segment sizes or TCP/IP without fragmentation

It turned out to be really complicated to find relevant information about the sizes of transmission units at the different levels of the TCP/IP stack, and completely impossible to find a single chart comparing them. So, here it is.

Layer       Protocol              Header size      Recommended size (header included,      Maximum size (with
                                                   no extensions, no segmentation below)   protocol extensions)
Transport   TCP                   20-60 B          1480 B                                  1 GB
            UDP                   8 B              1480 B                                  65535 B
Network     IPv4                  20-60 B          1500 B*                                 65535 B
            IPv6                  40 B - infinite  1500 B                                  4 GB
Data link   10/100 Ethernet       18 B             1542 B                                  1542 B
            1/10 Gbit Ethernet    18 B             1542 B                                  9000 B**
            10/100 Gbit Ethernet  18 B             1542 B                                  64000 B***
            802.11 (WiFi)         34 B             2312 B                                  2312 B

* Fragmentation is widely used in IP protocols

** Jumbo frames are used on high-rate data link protocols, like Gigabit Ethernet or higher

*** This is called a super jumbo frame. It is not used in practice and may not pay off on links slower than 10 Gbit Ethernet

IPv4 intermediate zeros omitting

It turns out that intermediate zeros can be omitted in IPv4 too.

[slava@tiamat ~]$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.068 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1398ms
rtt min/avg/max/mdev = 0.040/0.054/0.068/0.014 ms
[slava@tiamat ~]$ ping 127.1
PING 127.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.060 ms
--- 127.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1314ms
rtt min/avg/max/mdev = 0.060/0.065/0.070/0.005 ms

Apparently, it inserts the maximum possible number (1 or 2) of intermediate zeros before the last octet:

[slava@tiamat ~]$ ping 127.255
PING 127.255 (127.0.0.255) 56(84) bytes of data.
64 bytes from 127.0.0.255: icmp_seq=1 ttl=64 time=0.064 ms
--- 127.255 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2786ms
rtt min/avg/max/mdev = 0.063/0.065/0.068/0.002 ms

[slava@tiamat ~]$ ping 198.41.4
PING 198.41.4 (198.41.0.4) 56(84) bytes of data.
64 bytes from 198.41.0.4: icmp_seq=1 ttl=56 time=155 ms

--- 198.41.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1514ms
rtt min/avg/max/mdev = 155.323/155.361/155.400/0.396 ms
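The rule behind this, as an added example (not from the post): a pure-Python expansion of the inet_aton(3) shorthand, cross-checked against the platform's socket.inet_aton, which accepts the same a.b.c / a.b / a forms. The defensive point is that any allow-list or deny-list that compares address strings must canonicalize first, because 127.1 and 127.0.0.1 name the same host.

```python
from typing import Optional
import socket

def _part(text: str) -> Optional[int]:
    """One dotted component in C number syntax: 0x.. hex, leading 0 octal, else decimal."""
    if not (text.isascii() and text.isalnum()):
        return None
    try:
        if text[:2].lower() == "0x":
            return int(text[2:], 16)
        if len(text) > 1 and text[0] == "0":
            return int(text, 8)
        return int(text, 10)
    except ValueError:
        return None

def canonical_ipv4(text: str) -> Optional[str]:
    """Expand inet_aton(3) shorthand to a dotted quad, or None if rejected. With n
    components the last fills the remaining 5-n bytes: 127.1 -> 127.0.0.1, 198.41.4 -> 198.41.0.4."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    remaining = 4 - len(head)                 # bytes the last component must fit in
    if any(n > 255 for n in head) or last >= 256 ** remaining:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def same_host(a: str, b: str) -> bool:
    """Compare two spellings after canonicalization; a string comparison
    would not see that 127.1 and 127.0.0.1 are the same host."""
    ca, cb = canonical_ipv4(a), canonical_ipv4(b)
    return ca is not None and ca == cb

def agrees_with_libc(text: str) -> bool:
    """Cross-check against the platform inet_aton (both sides None counts as agreement)."""
    try:
        libc = socket.inet_ntoa(socket.inet_aton(text))
    except OSError:
        libc = None
    return libc == canonical_ipv4(text)
```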

Dynamips, Dynagen and GNS3 as a Best Free Tools for Cisco IOS Learning

Boson NetSim and Packet Tracer are two examples of good Cisco network emulators. They give you the opportunity to build networks of switches and routers, interconnect them and deploy several features of IOS. Good enough for beginners, but they have a huge drawback – their IOS simulation is limited. It does not implement the real set of functions a real IOS has on board.

Several years ago, the only way to play with IOS was interconnecting real Cisco switches/routers. I still consider that it was, and still is, the best way to learn Cisco. Unfortunately, not many people have access to networking hardware, and even if they do, the hardware is usually quite old or outdated. It means that you can only run old versions of IOS on it.

There is another approach to getting access to an operational IOS – running it on a virtual machine. Emulating a router’s hardware is not a straightforward task – Cisco uses different architectures in their devices. However, the task was accomplished by the Dynamips/Dynagen project. It emulates Cisco hardware in such a way that you can run real IOS images on top of it. It supports 3600, 3700 and 2600 series hardware. Both pieces of software are closely interrelated and run together, providing users with a robust CLI interface.

Do not be frightened – the CLI is not the only way of controlling your Cisco virtual machines. The tools have a graphical interface – GNS3. GNS3 runs on top of the Dynamips/Dynagen packages and provides a GUI for controlling every virtual machine, interconnecting machines, managing their modules and representing the network topology graphically. It simply does everything that other graphical simulators can do.


Cracking WEP on an HP Pavilion dv6k, Powered by Fedora 10

Introduction.

I have been interested in wireless security since I read some articles in “Xakep” magazine several years ago. They were saying “Most wireless networks are vulnerable and can be cracked within a day”. It was quite embarrassing that such a security threat could exist, and I really wanted to check whether it was true or not. In those years I did not have any of the needed experience. The task of crash-testing WEP stayed in my mind for years. Recently I tried it.

Disclaimer.

All material is presented for educational purposes only. Do not apply this material’s guidelines in real life on real networks. Especially the ones, which do not belong to you.

This is not a how-to. This is a description of my experience. I do not guarantee that the process and steps described here will be applicable in your case, or that it will work for you as well as it worked for me. I am not responsible for your failures.

System used.

I used an HP laptop with an Intel 3945 WiFi card installed, powered by Fedora 10.