It’s been a really long journey, but finally I have become CCNP R&S
Network Warrior, 2nd Edition
Dear networkers, Network Warrior is the most naturally written book about networking. By far it’s the only book written by a human for humans. The rest are written by nerds or teachers for (a) business people or (b) nerds. When nerds or teachers hit these audiences, every engineer touched by the shock wave gets bored and falls asleep until the next attempt. This book is the opposite. The author’s language speaks instead of describing, wisdom comes from the author’s stories, and enlightenment follows as an aftershock. Moreover, the book is highly practical. I have been in networking for 3 years and have seen things, but no single written source has ever delivered so much wisdom to me, popping numerous enlightenments along the way.
Needless to say, the book is highly practical. Network engineers are used to manuals, certification guides, RFCs and all other kinds of specifications and descriptions written in an emotionless, mesmerising, robot-like language. Network Warrior is different. It takes you through tasks, stories, applications, best practices and real-world examples, all multiplied by the talent of a highly skilled speaker and a great teacher. You won’t find any theory in the book, only practice, practice, practice, and best practice.
The book is so amazingly better than any other network engineering manuscript out there that I wish every engineer gets hit by the author’s energy stream and becomes as passionate as the author is. Why do I wish so? Because I want every excited engineer out there to be inspirational: to create so much that creation won’t be limited to state-of-the-art network designs, but will fill the gaping gap of the network engineering subculture with tons of subcultural art, traditions and folklore.
How to check what caused a failover on PIX or ASA
The current failover state, and the reason for the last failover on each unit, is shown by the following command:
pix# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              13:23:27 MET Aug 17 2012
Other host -   Secondary
               Standby Ready  Ifc Failure              08:23:57 MET Aug 14 2012

====Configuration State===
       Sync Done
       Sync Done - STANDBY
====Communication State===
       Mac set
You should then check the firewall log for the reason behind the failover. A failover can be caused by user changes, software bugs (tracebacks) and so on, so grep for those first:
egrep '(\(Primary\)|User|Traceback)' pix.log
Alternatively, you can invert the search and exclude the usual connection noise so that only unusual messages remain:
egrep -v '(Built|Teardown|Deny|UDP|No tr|URL|No rou|TCP|ICMP|icmp|FTP|ARP)' pix.log
ICMP-permitting ACL
object-group icmp-type functional_ICMP
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object parameter-problem
- unreachable, time-exceeded – routing problems
- echo-reply – all OK
- parameter-problem, source-quench – Path MTU discovery features
Cisco IOS replace running config instead of merge
By default, if you do:
# copy startup-config running-config
the startup config is merged into the running one. The same happens if you use tftp:// or flash:// instead of startup-config. However, there is a way to replace the running config instead of merging. The command is:
# configure replace ftp://192.168.1.1/dyn1_bgp
Bringing Cisco IOS CLI to Linux CLI
There are a few people on the globe who love working with both Cisco and Linux via the CLI. These people might have issues trying to apply Bash/Vim syntax to IOS and vice versa. I’m certainly one of them. That’s why I can do the following in my Bash:
$ show .bashrc | i return
[[ "$-" != *i* ]] && return
# return 0
# [[ -z $adir ]] && return 1
# [[ $? -ne 0 ]] && return 1
# [[ $? -ne 0 ]] && return 0
# return 0
It’s very handy for checking Cisco configs stored on Unix machines without turning your mind inside out. In fact, if you are in a rush and apply IOS syntax to Bash, you won’t be distracted by an error message; you’ll get the result you wanted.
$ show samle_conf.cfg | i spanning-tree
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree portfast
spanning-tree portfast
spanning-tree portfast
spanning-tree bpduguard enable
...
It’s achieved very easily. You need to add two aliases to your ~/.bashrc file and log in again:
echo 'alias show="cat"' >> ~/.bashrc
echo 'alias i="grep --color"' >> ~/.bashrc
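As an added example (not the post's own aliases), the same trick written as sh functions, which also work inside scripts, and extended to the other IOS pipe modifiers the post does not cover (exclude, begin, section); the SAMPLE_CONF text and the helper names are constructed for illustration:

```shell
# Added example, not from the original post: IOS pipe modifiers as sh
# functions rather than aliases (functions also work inside scripts).
#   show FILE   -> cat FILE         | i REGEX -> include   | e REGEX -> exclude
#   | b REGEX   -> begin at match   | s REGEX -> section from match to next "!"
show() { cat "$@"; }
i() { grep --color=auto -E -- "$@"; }
e() { grep -v -E -- "$@"; }
b() { sed -n -e "\|$1|,\$p"; }            # \| ... | lets REGEX contain "/"
s() { sed -n -e "\|$1|,/^!/p"; }

# Constructed sample config used by the helpers below (not a real device).
SAMPLE_CONF='hostname sw1
!
interface GigabitEthernet0/1
 description uplink
 spanning-tree portfast
!
interface GigabitEthernet0/2
 shutdown
!
spanning-tree mode rapid-pvst
!
line vty 0 4
 transport input ssh
!'

count_i()     { printf '%s\n' "$SAMPLE_CONF" | i "$1" | wc -l | tr -d ' '; }  # matching lines
top_level()   { printf '%s\n' "$SAMPLE_CONF" | e '^ ' | e '^!'; }              # drop indented and "!" lines
begin_first() { printf '%s\n' "$SAMPLE_CONF" | b "$1" | head -n 1; }          # first line "| b" prints
section_of()  { printf '%s\n' "$SAMPLE_CONF" | s "$1"; }                      # one config section

# Usage exactly as in the post:  show sample_conf.cfg | i spanning-tree
```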
Fixing SSH access on Cisco via SNMP
Sometimes you may encounter a situation where your SSH is not properly configured, for example if you forgot to generate the SSL certificate before enabling transport input ssh on all vty lines, as I recently did. In this situation you might be lucky enough to have an SNMP RW community string configured, and with it you can fix literally everything.
Not many settings on Cisco devices can be configured directly via SNMP, but you can copy a prepared config to the device via TFTP, RCP etc. You can download the current device config to a TFTP server, edit the necessary lines and upload it back, into either the running config, the startup config or a file on flash.
To download the running config:
snmpset -v 1 -c rw_community hostname ccCopyProtocol.13 i 1
snmpset -v 1 -c rw_community hostname ccCopySourceFileType.13 i 4
snmpset -v 1 -c rw_community hostname ccCopyDestFileType.13 i 1
snmpset -v 1 -c rw_community hostname ccCopyServerAddress.13 a tftp_serv_ip
snmpset -v 1 -c rw_community hostname ccCopyFileName.13 s "file_name"
snmpset -v 1 -c rw_community hostname ccCopyEntryRowStatus.13 i 1
Edit it on the server, then upload it back with the following commands. Be careful! If you upload to startup-config, IOS will not merge the uploaded config with the existing startup config; it will replace it. Do not upload partial sets of commands! To be on the safe side I recommend never uploading partial configs: only the necessary lines should be added, removed or corrected, and the whole config uploaded.
snmpset -v 1 -c rw_community hostname ccCopyProtocol.13 i 1
snmpset -v 1 -c rw_community hostname ccCopySourceFileType.13 i 1
snmpset -v 1 -c rw_community hostname ccCopyDestFileType.13 i 4
snmpset -v 1 -c rw_community hostname ccCopyServerAddress.13 a tftp_serv_ip
snmpset -v 1 -c rw_community hostname ccCopyFileName.13 s "file_name"
snmpset -v 1 -c rw_community hostname ccCopyEntryRowStatus.13 i 1
If you ran into the SSH situation with no generated certificate, your config might look like this:
line vty 0 4
 length 0
 transport input ssh
line vty 5 15
 transport input ssh
exit
You should fix it to:
line vty 0 4
 length 0
 transport input telnet
line vty 5 15
 transport input telnet
exit
Some commands can be cancelled by prefixing them with “no”. Some, as in the case above, cannot.
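As an added example (not the post's own commands), the download and upload sequences above wrapped in one sh function that also polls ccCopyState and removes the copy row afterwards, which the post's one-shot snmpset calls do not. It assumes net-snmp's snmpset/snmpget can resolve the CISCO-CONFIG-COPY-MIB names, and the function, helper names and addresses are constructed:

```shell
# Added example, not from the original post: wrapper for the CISCO-CONFIG-COPY-MIB
# sequence shown above. Assumes net-snmp's snmpset/snmpget can resolve the
# CISCO-CONFIG-COPY-MIB object names (load it with -m if needed) and that the RW
# community is reachable only from the management host.
# MIB values: protocol 1=tftp; file type 1=networkFile 3=startupConfig 4=runningConfig;
# ccCopyState 1=waiting 2=running 3=successful 4=failed; row status 1=active 6=destroy.

# Map a file type name to its ccCopy*FileType value (pure helper, testable offline).
ccopy_filetype() {
  case "$1" in
    network) echo 1 ;;
    startup) echo 3 ;;
    running) echo 4 ;;
    *) echo "unknown file type: $1" >&2; return 1 ;;
  esac
}

# Map a ccCopyState integer to its name (pure helper, testable offline).
ccopy_state_name() {
  case "$1" in
    1) echo waiting ;;  2) echo running ;;  3) echo successful ;;  4) echo failed ;;
    *) echo unknown ;;
  esac
}

# ccopy COMMUNITY DEVICE SRC DST TFTP_SERVER FILENAME   (addresses below are constructed)
#   download: ccopy rw_community 10.0.0.1 running network 10.0.0.5 router.cfg
#   upload:   ccopy rw_community 10.0.0.1 network startup 10.0.0.5 router.cfg
ccopy() {
  comm=$1; dev=$2; src=$(ccopy_filetype "$3") || return 1
  dst=$(ccopy_filetype "$4") || return 1; server=$5; file=$6
  row=$$                                  # per-run row index (the post hard-codes .13)
  set -- -v 1 -c "$comm" "$dev"
  snmpset "$@" "ccCopyProtocol.$row" i 1 \
    "ccCopySourceFileType.$row" i "$src" "ccCopyDestFileType.$row" i "$dst" \
    "ccCopyServerAddress.$row" a "$server" "ccCopyFileName.$row" s "$file" >/dev/null || return 1
  snmpset "$@" "ccCopyEntryRowStatus.$row" i 1 >/dev/null || return 1   # start the copy
  n=0; st=1
  while [ "$st" = 1 ] || [ "$st" = 2 ]; do      # poll until successful or failed
    [ $n -lt 30 ] || { echo "timed out waiting for copy" >&2; break; }
    sleep 1; n=$((n+1))
    st=$(snmpget -Oqve "$@" "ccCopyState.$row") || return 1
  done
  echo "copy state: $(ccopy_state_name "$st")"
  [ "$st" != 4 ] || echo "fail cause: $(snmpget -Oqv "$@" "ccCopyFailCause.$row")" >&2
  snmpset "$@" "ccCopyEntryRowStatus.$row" i 6 >/dev/null   # destroy the row when done
  [ "$st" = 3 ]
}
```

Editing the downloaded file between the two calls stays a manual step, as in the post; the function returns non-zero when the device reports the copy as failed or it times out.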
CCNA Security Official Exam Certification Guide (Exam 640-553)
The book is a good guide for CCNA Security exam preparation. It introduces you into The first and third parts are easily readable and perfectly understandable; the second part is not. The second part is really bad – it covers the basics of 5 unrelated topics and covers them poorly. However, I cannot blame the book – most likely this was dictated by the exam topics.
Generally, the book is a comprehensive guide for IINS exam preparation. I would recommend it to everybody who is willing to take the exam, regardless of the reader’s background expertise. For those who do not want to take the exam but want to use the book for self-education, below is the list of topics and my opinion of their coverage.
The book covers well:
– Firewalls theory and technologies
– Cryptography technologies, hashing and PKI organization
– AAA
– Network security attacks theory
– Switch port security and EAPOL
The book covers poorly:
– Endpoint security
– VPN tunnels
– SAN security
– VoIP security
– NAC
– Firewall applications: Zone-based and CBAC
Trip to Moscow
I went to Moscow lately to buy wool socks and hunt some bears. I didn’t buy the socks and didn’t manage to kill any bear – they all ran away. That disappointed me, so I went to take the CCNA Security exam instead. I passed it.
As a bonus, I went to the Polytechnic Museum (nice exhibition), saw the Resident Evil 4 movie (awesome action) and took a walk with fiskus (who turned out to be a nice guy).