It's been a really long journey, but finally I have become a CCNP R&S


Network Warrior, 2nd Edition

Dear networkers, The Network Warrior is the most naturally written book about networking. By far it's the only book written by a human for humans. The rest are written by nerds or teachers for: a) business people, b) nerds. When nerds or teachers hit these audiences, every engineer touched by the shock wave gets bored and falls asleep until the next attempt. This book is the opposite. The author's language speaks instead of describing, wisdom comes from the author's stories, enlightenment follows as an aftershock. Moreover, the book is highly practical. I was 3 years in networking and saw stuff, but no single written source had ever delivered so much wisdom to me, popping numerous enlightenments on the way.

Needless to say, the book is highly practical. Network engineers are used to manuals, certification guides, RFCs and all other kinds of specifications and descriptions written in an emotionless, mesmerising, robot-like language. Network Warrior is different. It takes you through tasks, stories, applications, best practices, real-world examples, all that multiplied by the talent of a highly skilled speaker and a great teacher. You won't find any theory in the book, only practice, practice, practice, and the best practice.

The book is so amazingly better than any other network engineering manuscript out there that I wish every engineer got hit by the author's energy stream and became as passionate as the author is. Why do I wish so? Because I want every excited engineer out there to be inspirational. To create so much that creation won't be limited to state-of-the-art network designs, but would fill the gaping gap of the network engineering subculture with tons of subcultural art, traditions, folklore.

How to check what caused a failover on a PIX or ASA

The failover state is shown by the following command:

pix# show failover state

State Last Failure Reason Date/Time
This host - Primary
Active Ifc Failure 13:23:27 MET Aug 17 2012
Other host - Secondary
Standby Ready Ifc Failure 08:23:57 MET Aug 14 2012

====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set

Check the firewall log to find the reason for the failover. A failover can be caused by user changes, software bugs and so on. The following pulls out the log lines most likely to explain it:

egrep '(\(Primary\)|User|Traceback)' pix.log

Otherwise, you can invert the search by excluding the usual connection noise:

egrep -v '(Built|Teardown|Deny|UDP|No tr|URL|No rou|TCP|ICMP|icmp|FTP|ARP)' pix.log
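As an added example (not part of the original post), the following shell functions parse the "show failover state" output above and apply the post's two log filters to a constructed ASA log excerpt; the list of state names stripped from the failure line (Active, Standby Ready, and so on) is my assumption.

```shell
# Constructed sample in the same shape as the post's "show failover state" output.
SAMPLE_STATE='State Last Failure Reason Date/Time
This host - Primary
Active Ifc Failure 13:23:27 MET Aug 17 2012
Other host - Secondary
Standby Ready Ifc Failure 08:23:57 MET Aug 14 2012

====Configuration State===
Sync Done
Sync Done - STANDBY'

# Constructed ASA syslog excerpt around the switchover (message ids are the
# real failover-related ones; hosts, ports and timing are made up).
SAMPLE_LOG='Aug 17 2012 13:22:55 fw %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/40001 (203.0.113.5/40001) to inside:10.1.1.10/443 (10.1.1.10/443)
Aug 17 2012 13:23:10 fw %ASA-1-105008: (Primary) Testing interface outside
Aug 17 2012 13:23:25 fw %ASA-1-105009: (Primary) Testing on interface outside Failed
Aug 17 2012 13:23:27 fw %ASA-1-104001: (Primary) Switching to ACTIVE - Interface check
Aug 17 2012 13:23:30 fw %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/40001 to inside:10.1.1.10/443 duration 0:00:35 bytes 812 TCP FINs
Aug 17 2012 13:40:02 fw %ASA-5-111008: User admin executed the show failover state command.'

# Print "<unit>: <last failure reason> (<date/time>)" for each unit, reading
# "show failover state" output on stdin.
failover_reason() {
  awk '
    /^(This|Other) host - / { unit = $0; sub(/.*- /, "", unit); next }
    unit != "" && match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9] .* [0-9][0-9][0-9][0-9]$/) {
      when   = substr($0, RSTART, RLENGTH)
      reason = substr($0, 1, RSTART - 2)
      # assumed set of state names that precede the reason text
      sub(/^(Active|Standby Ready|Failed|Negotiation|Cold Standby|Disabled) /, "", reason)
      print unit ": " reason " (" when ")"
      unit = ""
    }'
}

# The post's two filters as functions reading the log on stdin.
failover_log_hints() { grep -E '(\(Primary\)|User|Traceback)'; }
failover_log_quiet() { grep -E -v '(Built|Teardown|Deny|UDP|No tr|URL|No rou|TCP|ICMP|icmp|FTP|ARP)'; }

printf '%s\n' "$SAMPLE_STATE" | failover_reason
printf '%s\n' "$SAMPLE_LOG" | failover_log_hints
```

The reason and timestamp printed by failover_reason tell you which unit failed and when, so the log filters can be narrowed to that window.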

ICMP-permitting ACL

object-group icmp-type functional_ICMP
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
icmp-object source-quench
icmp-object parameter-problem
  • unreachable, time-exceeded: routing problems
  • echo-reply: all OK
  • parameter-problem, source-quench: Path MTU discovery features

Cisco IOS: replace the running config instead of merging

By default, if you do

# copy startup-config running-config

the startup config is merged into the running one. The same happens if you copy from tftp:// or flash:// instead of startup-config. There is, however, a way to replace the running config outright. The command is:

# configure replace

Bringing the Cisco IOS CLI to the Linux CLI

There are few people on the globe who love to work with both Cisco and Linux via the CLI. These people may catch themselves applying Bash/Vim syntax to IOS and vice versa. I'm certainly one of them. That's why I can do the following in my Bash:

$ show .bashrc | i return
[[ "$-" != *i* ]] && return
#     return 0
#     [[ -z $adir ]] && return 1
#   [[ $? -ne 0 ]] && return 1
#     [[ $? -ne 0 ]] && return 0
#   return 0

It's very handy for checking Cisco configs stored on Unix machines without turning your mind inside out. In fact, if you are in a rush and apply IOS syntax to Bash, you won't be distracted by an error message; you'll get the result you required.

$ show samle_conf.cfg | i spanning-tree
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree pathcost method long
 spanning-tree portfast
 spanning-tree portfast
 spanning-tree portfast
spanning-tree bpduguard enable

It's achieved very easily. You need to add some aliases to your ~/.bashrc file and relogin:

echo 'alias show="cat"' >> ~/.bashrc
echo 'alias i="grep --color"' >> ~/.bashrc
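Going a step beyond the two aliases, here is an added example (mine, not from the original post) that emulates the IOS output modifiers include, exclude, begin, count and section as shell functions, so they also work inside scripts where aliases do not expand; the names i, e, b, c and sec and the sample config are my choice.

```shell
# IOS-style output modifiers for config files on a Unix box (append to ~/.bashrc).
show() { cat "$@"; }                  # show <file>
i()    { grep -E -- "$1"; }           # | include <regex>
e()    { grep -E -v -- "$1"; }        # | exclude <regex>
c()    { grep -E -c -- "$1"; }        # | count <regex>
b()    { awk -v pat="$1" 'f || ($0 ~ pat) { f = 1; print }'; }   # | begin <regex>
sec()  {                              # | section <regex>: whole stanzas whose header matches
  awk -v pat="$1" '
    /^!/     { keep = 0 }             # "!" separators end a stanza
    /^[^ !]/ { keep = ($0 ~ pat) }    # a non-indented line opens a stanza
    keep'
}

# Constructed sample config used for the demonstration below.
SAMPLE_CFG='hostname sw1
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line vty 0 4
 transport input ssh
!
end'

printf '%s\n' "$SAMPLE_CFG" | i 'spanning-tree'            # the post's use case
printf '%s\n' "$SAMPLE_CFG" | sec 'GigabitEthernet0/2'     # one interface stanza
```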

Fixing SSH access on Cisco via SNMP

Sometimes you may encounter a situation where your SSH is not properly configured, for example if you forgot to generate the RSA key pair SSH needs before enabling transport input ssh on all vty lines, as I recently did. In this situation you might be lucky enough to have an SNMP RW community string configured, and with it you can fix literally everything.

Not many Cisco settings can be configured directly via SNMP, but you can copy a prepared config to the device via TFTP, RCP etc. You may download the device's current config to a TFTP server, edit the necessary lines and upload it back, either to the running config, the startup config or a file on flash.

To download running config:

snmpset -v 1 -c rw_community hostname ccCopyProtocol.13 i 1 
snmpset -v 1 -c rw_community hostname ccCopySourceFileType.13 i 4 
snmpset -v 1 -c rw_community hostname ccCopyDestFileType.13 i 1 
snmpset -v 1 -c rw_community hostname ccCopyServerAddress.13 a tftp_serv_ip
snmpset -v 1 -c rw_community hostname ccCopyFileName.13 s "file_name" 
snmpset -v 1 -c rw_community hostname ccCopyEntryRowStatus.13 i 1

Edit it on the server and upload it back with the following commands. Be careful: if you upload to startup-config, IOS will not merge the uploaded config with the startup one, it will replace it. Do not upload partial sets of commands. To be on the safe side I recommend never uploading partial configs: only add, remove or correct the necessary lines and upload the whole config.

snmpset -v 1 -c rw_community hostname ccCopyProtocol.13 i 1 
snmpset -v 1 -c rw_community hostname ccCopySourceFileType.13 i 1 
snmpset -v 1 -c rw_community hostname ccCopyDestFileType.13 i 4 
snmpset -v 1 -c rw_community hostname ccCopyServerAddress.13 a tftp_serv_ip
snmpset -v 1 -c rw_community hostname ccCopyFileName.13 s "file_name" 
snmpset -v 1 -c rw_community hostname ccCopyEntryRowStatus.13 i 1
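As an added example (not from the original post), the wrapper below issues the same ccCopy objects in one SET request instead of six, refuses to upload a file that does not look like a complete config (the "never upload partial configs" rule above), and polls ccCopyState for the outcome. It assumes Net-SNMP tools with CISCO-CONFIG-COPY-MIB loaded, that it runs on the TFTP server holding the file, and that SNMPSET/SNMPGET may be overridden (for instance with echo) for a dry run.

```shell
# Complete-config check: a "version" line, a trailing "end" and a vty stanza
# (my minimal criteria for "this is a whole config, not a fragment").
ios_config_complete() {
  grep -q '^version ' "$1" || { echo "$1: no version line" >&2; return 1; }
  [ "$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)" = "end" ] ||
    { echo "$1: does not end with 'end'" >&2; return 1; }
  grep -q '^line vty' "$1" || { echo "$1: no vty stanza" >&2; return 1; }
}

# cc_copy HOST COMMUNITY TFTP_IP FILE SRC_TYPE DST_TYPE ROW
# File types as in the post: 1 networkFile, 3 startupConfig, 4 runningConfig;
# protocol 1 = tftp; row status 1 = active. All six objects in one request.
cc_copy() {
  ${SNMPSET:-snmpset} -v 1 -c "$2" "$1" \
    "ccCopyProtocol.$7" i 1 \
    "ccCopySourceFileType.$7" i "$5" \
    "ccCopyDestFileType.$7" i "$6" \
    "ccCopyServerAddress.$7" a "$3" \
    "ccCopyFileName.$7" s "$4" \
    "ccCopyEntryRowStatus.$7" i 1
}

# cc_copy_wait HOST COMMUNITY ROW: poll ccCopyState (3 successful, 4 failed),
# then destroy the row (status 6) so the index can be reused.
cc_copy_wait() {
  n=0; state=""
  while [ "$n" -lt 30 ]; do
    state=$(${SNMPGET:-snmpget} -v 1 -c "$2" "$1" "ccCopyState.$3")
    case $state in *successful*|*failed*) break ;; esac
    n=$((n + 1)); sleep 1
  done
  ${SNMPSET:-snmpset} -v 1 -c "$2" "$1" "ccCopyEntryRowStatus.$3" i 6 >/dev/null
  case $state in *successful*) return 0 ;; *) echo "$state" >&2; return 1 ;; esac
}

# upload_running HOST COMMUNITY TFTP_IP FILE: the post's upload, guarded.
upload_running() {
  row=$$
  ios_config_complete "$4" || return 1
  cc_copy "$1" "$2" "$3" "$4" 1 4 "$row" && cc_copy_wait "$1" "$2" "$row"
}
```

Use the same row index for cc_copy and cc_copy_wait; a row left behind with status active blocks that index until it is destroyed.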

If you ran into the SSH situation with no generated key, your config might look like this:

line vty 0 4
 length 0
 transport input ssh
line vty 5 15
 transport input ssh

You should fix it to:

line vty 0 4
 length 0
 transport input telnet
line vty 5 15
 transport input telnet

Some commands can be cancelled with a "no " statement before the command. Some, as in the above case, cannot.

Cisco is Good

After I passed my CCNA Security certification I was supposed to receive 2 papers: the CCNA certificate and a CNSS 4011 recognition. I received only the latter. I waited for months for the first one but never received it.

Being sure I would never receive the expected certificate, I referred to Cisco certification support, persuading them to resend me the certificate because it was lost under circumstances I could neither control nor influence. I didn't have much hope of making them resend the certificate to me, but I decided to insist a bit. After a week of exchanging letters they agreed to give me a PDF certificate for free; after 3 weeks of exchanging letters they agreed to send me a paper version for free. After another month I finally received the desired package. Imagine, they could have just denied my request, accusing me of lying or citing some other reason, but they didn't; they believed me and fulfilled my request. Good, eh?

CCNA Security Official Exam Certification Guide (Exam 640-553)

The book is a good guide for CCNA Security exam preparation. It introduces you into The first and third parts are easily readable and perfectly understandable; the second part is not. The second part is really bad: it covers the basics of 5 unrelated topics and covers them poorly. However, I cannot blame the book; most likely it's been dictated by the exam topics.

Generally, the book is a comprehensive guide for IINS exam preparation. I would recommend it to everybody who is willing to take the exam, regardless of the reader's background expertise. For those who do not want to take the exam but want to use it for self-education, below is the list of topics and my opinion about their coverage level.

The book covers well:
- Firewalls theory and technologies
- Cryptography technologies, hashing and PKI organization
- Network security attacks theory
- Switch port security and EAPOL

The book covers poorly:
- Endpoint security
- VPN tunnels
- SAN security
- VoIP security
- Firewall applications: Zone-based and CBAC

Trip to Moscow

I went to Moscow lately to buy wool socks and hunt some bears. I didn't buy the socks and had no luck killing any bear; they all ran away. That disappointed me, so I went to take the CCNA Security exam. I passed it.

As a bonus, I went to the Polytechnic Museum (nice exposition), saw the Resident Evil 4 movie (awesome action) and took a walk with fiskus (who turned out to be a nice guy).