Friday, November 1, 2013

Cisco: Reflecting the Change of Router-ID

It's rare to change the OSPF router ID, but it's nice to know how to make a change of a configured router ID take effect.

OSPF's router ID is chosen based on the following criteria:

  1. Manually configured Router ID
  2. The highest IPv4 address on a loopback interface
  3. The highest IPv4 address on an active (up/up) interface

The router ID is elected when the OSPF process starts. Once elected, a manual intervention in the OSPF process is necessary to reflect a change of the router ID. A textbook says you need to issue "# clear ip ospf process" after changing the router ID, but in some cases the command is not sufficient.

When explicitly configured with "(config-router)# router-id ROUTER_ID", "# clear ip ospf process" will work for you.

When implicitly configured through "a loopback interface" or "an active interface", you need to "# reload" the router to make the change effective.

Tuesday, October 22, 2013

TTL for BGP packets

By default, an eBGP message has an IP TTL of 1. When the neighbors are not on a common network, or when an eBGP router uses its loopback interface as the update source, the TTL value needs to be adjusted:
(config-router)# neighbor IP_ADDR ebgp-multihop TTL_VALUE
In contrast, an iBGP message has a TTL of 255, so no extra configuration is needed when using a loopback interface as the update source.
[Figure: eBGP OPEN Message]

[Figure: iBGP OPEN Message]

Monday, October 21, 2013

Mac OS X: Path to 802.11 utility command

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport

"/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport" will display the usage.
Usage: airport <interface> <verb> <options>
<interface>
If an interface is not specified, airport will use the first AirPort interface on the system.
<verb is one of the following:
prefs If specified with no key value pairs, displays a subset of AirPort preferences for
the specified interface.
Preferences may be configured using key=value syntax. Keys and possible values are specified below.
Boolean settings may be configured using 'YES' and 'NO'.
DisconnectOnLogout (Boolean)
JoinMode (String)
Automatic
Preferred
Ranked
Recent
Strongest
JoinModeFallback (String)
Prompt
JoinOpen
KeepLooking
DoNothing
RememberRecentNetworks (Boolean)
RequireAdmin (Boolean)
RequireAdminIBSS (Boolean)
RequireAdminNetworkChange (Boolean)
RequireAdminPowerToggle (Boolean)
WoWEnabled (Boolean)
logger Monitor the driver's logging facility.
sniff If a channel number is specified, airportd will attempt to configure the interface
to use that channel before it begins sniffing 802.11 frames. Captures files are saved to /tmp.
Requires super user privileges.
debug Enable debug logging. A debug log setting may be enabled by prefixing it with a '+', and disabled
by prefixing it with a '-'.
AirPort Userland Debug Flags
DriverDiscovery
DriverEvent
Info
SystemConfiguration
UserEvent
PreferredNetworks
AutoJoin
IPC
Scan
802.1x
Assoc
Keychain
RSNAuth
WoW
P2P
Roam
BTCoex
AllUserland - Enable/Disable all userland debug flags
AirPort Driver Common Flags
DriverInfo
DriverError
DriverWPA
DriverScan
AllDriver - Enable/Disable all driver debug flags
AirPort Driver Vendor Flags
VendorAssoc
VendorConnection
AllVendor - Enable/Disable all vendor debug flags
AirPort Global Flags
LogFile - Save all AirPort logs to /var/log/wifi.log
<options> is one of the following:
No options currently defined.
Examples:
Configuring preferences (requires admin privileges)
sudo airport en1 prefs JoinMode=Preferred RememberRecentNetworks=NO RequireAdmin=YES
Sniffing on channel 1:
airport en1 sniff 1

LEGACY COMMANDS:
Supported arguments:
 -c[<arg>] --channel=[<arg>]    Set arbitrary channel on the card
 -z        --disassociate       Disassociate from any network
 -I        --getinfo            Print current wireless status, e.g. signal info, BSSID, port type etc.
 -s[<arg>] --scan=[<arg>]       Perform a wireless broadcast scan.
  Will perform a directed scan if the optional <arg> is provided
 -x        --xml                Print info as XML
 -P        --psk                Create PSK from specified pass phrase and SSID.
  The following additional arguments must be specified with this command:
                                  --password=<arg>  Specify a WPA password
                                  --ssid=<arg>      Specify SSID when creating a PSK
 -h        --help               Show this help

Thursday, October 17, 2013

Cisco IOS key bindings

Cisco IOS implements UNIX-shell-like key bindings. The following are the ones I often use. Once you get used to them, C-a or C-b is going to be your headache when connecting to a Cisco device from GNU screen or a window multiplexer (e.g. tmux, byobu) ;)

GENERAL
TAB key
Completes a partially typed CLI command
?
Displays help
C-p, Up arrow / C-n, Down arrow
Displays the previous / next command in the history
C-^
Breaks (aborts) the command currently being processed
C-r
Redisplays the current command line
C-z
Takes you back to privileged EXEC Mode

Deleting an Input
C-u
Deletes all characters before the cursor
C-w
Deletes the word before the cursor
C-h
Deletes the character before the cursor

Moving the Cursor Quickly
C-a
Places the cursor at the beginning of a line
C-e
Places the cursor at the end of a line
C-f
Moves the cursor forward one character
C-b
Moves the cursor backward one character
Esc-f, Esc f, C-[ f
Moves the cursor forward one word
Esc-b, Esc b, C-[ b
Moves the cursor backward one word

Tuesday, October 15, 2013

strncpy and null termination

strncpy does not write a terminating \0 when the source string fills the whole destination array (its length is equal to or larger than the size passed). You need to make sure the string is null-terminated in some other way.
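As an added illustration (not from the original post), the following C program shows the pitfall and the usual fix: strncpy into an 8-byte buffer only leaves a terminator when the source is shorter than the buffer, while copying n-1 bytes and writing dst[n-1] = '\0' yourself always yields a valid string. The buffer size of 8 and the sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define DST_SIZE 8   /* constructed buffer size for the demonstration */

/* Copies src into an 8-byte buffer the way strncpy does and reports whether
 * a terminating '\0' ended up inside the buffer. The buffer is pre-filled
 * with 'X' so a missing terminator is visible instead of being hidden by
 * leftover zeros on the stack. */
int strncpy_terminates(const char *src)
{
    char dst[DST_SIZE];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);           /* no '\0' if strlen(src) >= 8 */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* The safe pattern: copy at most n-1 bytes and always write the terminator,
 * so dst is a valid C string no matter how long src is (truncated if needed). */
void copy_terminated(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

/* Length of the string that copy_terminated stores in an 8-byte buffer. */
size_t safe_copy_len(const char *src)
{
    char dst[DST_SIZE];
    copy_terminated(dst, sizeof dst, src);
    return strlen(dst);
}

int main(void)
{
    /* constructed sample inputs: shorter than, exactly filling, and longer than the buffer */
    const char *inputs[] = { "hello", "1234567", "12345678", "a much longer string" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-22s strncpy terminated: %s   safe copy length: %zu\n",
               inputs[i],
               strncpy_terminates(inputs[i]) ? "yes" : "NO ",
               safe_copy_len(inputs[i]));
    }
    return 0;
}
```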

Ref:
http://www.thinkage.ca/english/gcos/expl/c/lib/strncp.html

Sunday, October 13, 2013

Link: HTML5 Input Code Snippets

http://html5pattern.com/

Note: Don't trust what the user sent; validate the input on the server side AGAIN. The client-side check should only be there to reduce response time. It's pretty easy to send an arbitrary input value with an application such as WebScarab.

Saturday, October 12, 2013

HTML and CSS Validator

HTML
http://validator.w3.org/#validate_by_upload

CSS
http://jigsaw.w3.org/css-validator/#validate_by_upload

Monday, September 2, 2013

OWASP ESAPI encoder library

ESAPI is a library for cleansing user input in a web application. The ESAPI encoder sanitizes user input so that it can be safely displayed in a user's browser. ESAPI is a great help in preventing code injection (including SQL injection) and XSS.

OWASP ESAPI (OWASP Enterprise Security API)
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

ESAPI supports
- Java, .NET, Python, Ruby, PHP, etc.
- Base64 encoding/decoding is also supported.

P.S. For XSS mitigation,
set cookies as HttpOnly so that JavaScript cannot access them.

Thursday, August 29, 2013

Vim: Converting tabs into spaces

The `set expandtab` option automatically converts tabs into spaces. However, it does not affect the tabs that existed before the option was set.

To convert such tabs into spaces, issue :retab

Ref:
Converting tabs to spaces
http://vim.wikia.com/wiki/Converting_tabs_to_spaces

Monday, August 19, 2013

GNS3 bug: %OSPF-4-ERRRCV: Received invalid packet: Bad Checksum

SYMPTOM:
I got an error when testing a simple OSPF network with GNS3 0.8.4-RC4.
%OSPF-4-ERRRCV: Received invalid packet: Bad Checksum from X.X.X.X, INTERFACE_ID

WORKAROUND:
1. Open topology.net from an editor
2. Change "Sparsemem = True" to "Sparsemem = False"

NOTE
The problem seems to be fixed in dynamips-0.2.10. GNS3 0.8.5 with Dynamips-0.2.10 and the sparsemem option does not cause the problem.

Saturday, August 17, 2013

Failure of injecting default route to EIGRP with "ip default-network"

The "ip default-network" command does not seem to inject a default route. The behavior looks different from what is written in Wendell Odom's CCNP book.
  • "ip default-network" creates a default route on the router from which the "default-network" command is issued. However, other routers learn only a candidate default route (they have no default route set).
  • The "ip default-network" command needs to be issued from a router that is not directly connected to the target default network.
  • A router that is connected on the default-network side (R3 in the following experiment) does not learn the candidate default route from the command.
Note: 192.0.0.1/24 on R2 is not used in the experiment.
Misc: To reflect the result of `no ip default-network`, the target interface needs to be shut down.

Used IOS: 15.0(1)M ADVENTERPRISEK9-M

CASE 1
*Topology*
R1 fa0/0 <---> R2 fa0/0

*Interfaces*
R1
fa0/0 10.0.0.1/8
lo0 128.0.0.1/16

R2
fa0/0 10.0.0.2/8
lo0 192.0.0.1/24

*Commands*
R1
eigrp 1
    net 10.0.0.0
    net 128.0.0.0
ip default-network 128.0.0.0

R2
eigrp 1
    net 10.0.0.0
    net 192.0.0.0

*Result*
"ip default-network" has no effect because it is issued on R1, where the 128.0.0.0 network is directly connected.

R1# sh ip route
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
 *    128.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C*       128.0.0.0/16 is directly connected, Loopback0
L        128.0.0.1/32 is directly connected, Loopback0
D     192.0.0.0/24 [90/156160] via 10.0.0.2, 00:16:24, FastEthernet0/0


R2# sh ip route
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.2/32 is directly connected, FastEthernet0/0
D*    128.0.0.0/16 [90/156160] via 10.0.0.1, 00:10:06, FastEthernet0/0
      192.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.0.0/24 is directly connected, Loopback0
L        192.0.0.1/32 is directly connected, Loopback0


CASE 2
*Topology*
R1 fa0/0 <---> R2 fa0/0

*Interfaces*
R1
fa0/0 10.0.0.1/8
lo0 128.0.0.1/16

R2
fa0/0 10.0.0.2/8
lo0 192.0.0.1/24

*Commands*
R1
eigrp 1
    net 10.0.0.0
    net 128.0.0.0

R2
eigrp 1
    net 10.0.0.0
    net 192.0.0.0
ip default-network 128.0.0.0

*Result*
R2 uses "128.0.0.0" as a default route.

R1
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
      128.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        128.0.0.0/16 is directly connected, Loopback0
L        128.0.0.1/32 is directly connected, Loopback0
D     192.0.0.0/24 [90/156160] via 10.0.0.2, 00:32:27, FastEthernet0/0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.1/32 is directly connected, FastEthernet0/1


R2
Gateway of last resort is 10.0.0.1 to network 128.0.0.0

S*    0.0.0.0/0 [90/156160] via 10.0.0.1, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.2/32 is directly connected, FastEthernet0/0
D*    128.0.0.0/16 [90/156160] via 10.0.0.1, 00:00:39, FastEthernet0/0
      192.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.0.0/24 is directly connected, Loopback0
L        192.0.0.1/32 is directly connected, Loopback0


CASE 3
*Topology*
R3 fa0/1 <---> fa0/1 R1 fa0/0 <---> fa0/0 R2 fa0/1 <---> fa0/1 R4

*Interfaces*
R1
fa0/0 10.0.0.1/8
fa0/1 192.168.0.1/24
lo0 128.0.0.1/16

R2
fa0/0 10.0.0.2/8
fa0/1 172.0.0.1/16
lo0 192.0.0.1/24

R3
fa0/1 192.168.0.2/24

R4
fa0/1 172.0.0.2/16

*Commands*
R1
eigrp 1
    net 10.0.0.0
    net 128.0.0.0
    net 192.168.0.0

R2
eigrp 1
    net 10.0.0.0
    net 172.0.0.0
    net 192.0.0.0
ip default-network 128.0.0.0

R3
eigrp 1
    net 192.168.0.0

R4
eigrp 1
    net 172.0.0.0

*Result*
R2 uses "128.0.0.0" as the default route.
On R4, 128.0.0.0 is marked as a candidate default, but gateway of last resort is not set.
On R3, 128.0.0.0 is not even marked as a candidate default.


R1
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
      128.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        128.0.0.0/16 is directly connected, Loopback0
L        128.0.0.1/32 is directly connected, Loopback0
D     172.0.0.0/16 [90/30720] via 10.0.0.2, 00:09:41, FastEthernet0/0
D     192.0.0.0/24 [90/156160] via 10.0.0.2, 00:50:24, FastEthernet0/0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.1/32 is directly connected, FastEthernet0/1


R2
Gateway of last resort is 10.0.0.1 to network 128.0.0.0

S*    0.0.0.0/0 [90/156160] via 10.0.0.1, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.2/32 is directly connected, FastEthernet0/0
D*    128.0.0.0/16 [90/156160] via 10.0.0.1, 00:19:04, FastEthernet0/0
      172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.0.0.0/16 is directly connected, FastEthernet0/1
L        172.0.0.1/32 is directly connected, FastEthernet0/1
      192.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.0.0/24 is directly connected, Loopback0
L        192.0.0.1/32 is directly connected, Loopback0
D     192.168.0.0/24 [90/30720] via 10.0.0.1, 00:12:43, FastEthernet0/0


R3
Gateway of last resort is not set

D     10.0.0.0/8 [90/30720] via 192.168.0.1, 00:10:24, FastEthernet0/1
D     128.0.0.0/16 [90/156160] via 192.168.0.1, 00:10:24, FastEthernet0/1
D     172.0.0.0/16 [90/33280] via 192.168.0.1, 00:06:37, FastEthernet0/1
D     192.0.0.0/24 [90/158720] via 192.168.0.1, 00:10:24, FastEthernet0/1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.2/32 is directly connected, FastEthernet0/1


R4
Gateway of last resort is not set

D     10.0.0.0/8 [90/30720] via 172.0.0.1, 00:07:31, FastEthernet0/1
D*    128.0.0.0/16 [90/158720] via 172.0.0.1, 00:07:31, FastEthernet0/1
      172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.0.0.0/16 is directly connected, FastEthernet0/1
L        172.0.0.2/32 is directly connected, FastEthernet0/1
D     192.0.0.0/24 [90/156160] via 172.0.0.1, 00:07:31, FastEthernet0/1
D     192.168.0.0/24 [90/33280] via 172.0.0.1, 00:07:31, FastEthernet0/1


CASE 4
*Topology*
R3 fa0/1 <---> fa0/1 R1 fa0/0 <---> fa0/0 R2 fa0/1 <---> fa0/1 R4

*Interfaces*
R1
fa0/0 10.0.0.1/8
fa0/1 192.168.0.1/24
lo0 128.0.0.1/16

R2
fa0/0 10.0.0.2/8
fa0/1 172.0.0.1/16
lo0 192.0.0.1/24

R3
fa0/1 192.168.0.2/24

R4
fa0/1 172.0.0.2/16

*Commands*
R1
eigrp 1
    net 10.0.0.0
    net 128.0.0.0
    net 192.168.0.0

R2
eigrp 1
    net 0.0.0.0
    net 10.0.0.0
    net 172.0.0.0
    net 192.0.0.0
ip default-network 128.0.0.0

R3
eigrp 1
    net 192.168.0.0

R4
eigrp 1
    net 172.0.0.0

*Result*
"net 0.0.0.0" has no effect.

R1
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
      128.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        128.0.0.0/16 is directly connected, Loopback0
L        128.0.0.1/32 is directly connected, Loopback0
D     172.0.0.0/16 [90/30720] via 10.0.0.2, 00:09:41, FastEthernet0/0
D     192.0.0.0/24 [90/156160] via 10.0.0.2, 00:50:24, FastEthernet0/0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.1/32 is directly connected, FastEthernet0/1


R2
Gateway of last resort is 10.0.0.1 to network 128.0.0.0

S*    0.0.0.0/0 [90/156160] via 10.0.0.1, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.2/32 is directly connected, FastEthernet0/0
D*    128.0.0.0/16 [90/156160] via 10.0.0.1, 00:19:04, FastEthernet0/0
      172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.0.0.0/16 is directly connected, FastEthernet0/1
L        172.0.0.1/32 is directly connected, FastEthernet0/1
      192.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.0.0/24 is directly connected, Loopback0
L        192.0.0.1/32 is directly connected, Loopback0
D     192.168.0.0/24 [90/30720] via 10.0.0.1, 00:12:43, FastEthernet0/0


R3
Gateway of last resort is not set

D     10.0.0.0/8 [90/30720] via 192.168.0.1, 00:10:24, FastEthernet0/1
D     128.0.0.0/16 [90/156160] via 192.168.0.1, 00:10:24, FastEthernet0/1
D     172.0.0.0/16 [90/33280] via 192.168.0.1, 00:06:37, FastEthernet0/1
D     192.0.0.0/24 [90/158720] via 192.168.0.1, 00:10:24, FastEthernet0/1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.2/32 is directly connected, FastEthernet0/1


R4
Gateway of last resort is not set

D     10.0.0.0/8 [90/30720] via 172.0.0.1, 00:07:31, FastEthernet0/1
D*    128.0.0.0/16 [90/158720] via 172.0.0.1, 00:07:31, FastEthernet0/1
      172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.0.0.0/16 is directly connected, FastEthernet0/1
L        172.0.0.2/32 is directly connected, FastEthernet0/1
D     192.0.0.0/24 [90/156160] via 172.0.0.1, 00:07:31, FastEthernet0/1
D     192.168.0.0/24 [90/33280] via 172.0.0.1, 00:07:31, FastEthernet0/1


CASE 5
*Topology*
R3 fa0/1 <---> fa0/1 R1 fa0/0 <---> fa0/0 R2 fa0/1 <---> fa0/1 R4

*Interfaces*
R1
fa0/0 10.0.0.1/8
fa0/1 192.168.0.1/24
lo0 128.0.0.1/16

R2
fa0/0 10.0.0.2/8
fa0/1 172.0.0.1/16
lo0 192.0.0.1/24

R3
fa0/1 192.168.0.2/24

R4
fa0/1 172.0.0.2/16

*Commands*
R1
eigrp 1
    net 10.0.0.0
    net 128.0.0.0
    net 192.168.0.0

R2
eigrp 1
    net 10.0.0.0
    net 172.0.0.0
    net 192.0.0.0
redistribute static
ip default-network 128.0.0.0


R3
eigrp 1
    net 192.168.0.0

R4
eigrp 1
    net 172.0.0.0


*Result*
"redistribute static" has no effect.

R1
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
      128.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        128.0.0.0/16 is directly connected, Loopback0
L        128.0.0.1/32 is directly connected, Loopback0
D     172.0.0.0/16 [90/30720] via 10.0.0.2, 00:09:41, FastEthernet0/0
D     192.0.0.0/24 [90/156160] via 10.0.0.2, 00:50:24, FastEthernet0/0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.1/32 is directly connected, FastEthernet0/1


R2
Gateway of last resort is 10.0.0.1 to network 128.0.0.0

S*    0.0.0.0/0 [90/156160] via 10.0.0.1, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/0
L        10.0.0.2/32 is directly connected, FastEthernet0/0
D*    128.0.0.0/16 [90/156160] via 10.0.0.1, 00:19:04, FastEthernet0/0
      172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.0.0.0/16 is directly connected, FastEthernet0/1
L        172.0.0.1/32 is directly connected, FastEthernet0/1
      192.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.0.0/24 is directly connected, Loopback0
L        192.0.0.1/32 is directly connected, Loopback0
D     192.168.0.0/24 [90/30720] via 10.0.0.1, 00:12:43, FastEthernet0/0


R3
Gateway of last resort is not set

D     10.0.0.0/8 [90/30720] via 192.168.0.1, 00:10:24, FastEthernet0/1
D     128.0.0.0/16 [90/156160] via 192.168.0.1, 00:10:24, FastEthernet0/1
D     172.0.0.0/16 [90/33280] via 192.168.0.1, 00:06:37, FastEthernet0/1
D     192.0.0.0/24 [90/158720] via 192.168.0.1, 00:10:24, FastEthernet0/1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet0/1
L        192.168.0.2/32 is directly connected, FastEthernet0/1


R4
Gateway of last resort is not set

D     10.0.0.0/8 [90/30720] via 172.0.0.1, 00:07:31, FastEthernet0/1
D*    128.0.0.0/16 [90/158720] via 172.0.0.1, 00:07:31, FastEthernet0/1
      172.0.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.0.0.0/16 is directly connected, FastEthernet0/1
L        172.0.0.2/32 is directly connected, FastEthernet0/1
D     192.0.0.0/24 [90/156160] via 172.0.0.1, 00:07:31, FastEthernet0/1
D     192.168.0.0/24 [90/33280] via 172.0.0.1, 00:07:31, FastEthernet0/1



Monday, July 8, 2013

EtherChannel "on" mode can cause a bridging loop.

I thought EtherChannel's "on" mode was a good thing, in which there was no opportunity for unexpected malfunction, but that's not true.

A misconfigured EtherChannel can form a bridging loop, and STP EtherChannel Misconfig Guard cannot stop all bridging-loop scenarios. It's recommended to use PAgP or LACP negotiation ("desirable non-silent" or "active") for inter-switch connections so that misconfigured ports are prevented from becoming active.

Reference:
How does a loop form in a misconfigured Etherchannel?

Understanding EtherChannel Inconsistency Detection

Friday, June 14, 2013

Small tips on bash

Famous tips, but I didn't know them before.

1. Oh, I forgot to type sudo and got permission error...
Type
$ sudo !!

Here, !! refers to the previous command issued.


2. I don't wanna type that lengthy command or arguments or whatever again...
Type the first several letters of the command and hit ^r (Control-r). If the completed command is not what you want, type ^r again and again until you get what you want.

^r searches the command history and completes the command line. You can see your command line history with the "history" command. Each history entry has an index, and a command can be reissued by typing ! followed by an index number (e.g. $ !1).

Sunday, June 2, 2013

Updated: Installing wireshark & GNS3 & QEMU on Ubuntu 12.04 x86_64 on VMware Fusion 5

The following procedure installs the latest GNS3 and QEMU as of June 2, 2013.
# The procedure for a physical Ubuntu box should be the same as the following.

Environment
HW: rMBP Mid 2012
OS: OS X 10.8.2
VMware Fusion: 5.0.2
VM OS: Ubuntu 12.04 x86_64

1. Wireshark installation
Installing the wireshark package
$ sudo apt-get update
$ sudo apt-get upgrade -y
$ sudo apt-get install wireshark
Setting a permission to dumpcap to use wireshark from a non-root user
$ sudo groupadd wireshark
$ sudo usermod -a -G wireshark USERNAME
$ sudo chgrp wireshark /usr/bin/dumpcap
$ sudo chmod 750 /usr/bin/dumpcap
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

2. QEMU installation
Updated: The following procedure installs QEMU 1.5. If you want to run ASA on GNS3, you need the UDP tunnel patched qemu 0.11 or 0.14 instead of the latest QEMU.

# Download UDP tunnel patched qemu 0.11 or 0.14, unpack the tar, and run the installation script after reading README.
# http://sourceforge.net/projects/gns-3/files/Qemu/Linux/

2.1. Enabling vmx on VMware Fusion 5 (only for Fusion 4 and later with a capable physical CPU)

Edit the file when the VM is shut down.
$ cd /Users/USERNAME/Documents/Virtual\ Machines.localized
$ vim MACHINE_NAME.vmwarevm/MACHINE_NAME.vmx

Add the following line to the MACHINE_NAME.vmx file
vhv.enable = "TRUE"

Check the cpuinfo
$ cat /proc/cpuinfo | grep vmx

2.2. Installing dependencies for GNS3 and QEMU
texinfo is needed for QEMU's man pages; QEMU requires autoconf and libtool to build.
$ sudo apt-get install zlib1g-dev libsdl1.2-dev libpcap-dev texinfo autoconf libtool
$ sudo apt-get install qt4-dev-tools

# If gcc is not installed
# $ sudo apt-get install build-essential

2.3. Installing QEMU 1.5
$ wget http://wiki.qemu-project.org/download/qemu-1.5.0.tar.bz2
$ tar jxvf qemu-1.5.0.tar.bz2
$ cd qemu-1.5.0
$ ./configure --prefix=/usr/local
$ make
$ sudo make install

3. GNS3 0.8.3.1 Installation
$ wget http://downloads.sourceforge.net/project/gns-3/GNS3/0.8.3.1/GNS3-0.8.3.1-src.tar.bz2
$ tar jxvf GNS3-0.8.3.1-src.tar.bz2
$ sudo mv GNS3-0.8.3.1-src /opt/GNS3
$ wget http://downloads.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86_64.bin
$ chmod 750 dynamips-0.2.8-RC3-community-x86_64.bin
$ sudo mv dynamips-0.2.8-RC3-community-x86_64.bin /opt/GNS3
$ sudo chown -R root:root /opt/GNS3

4. Setting GNS3
General -> General Settings tab
Untick "Launch the project dialog at startup"
General -> Terminal Settings tab
Use Gnome Terminal
General -> GUI Settings
Tick "Always use manual mode when adding links"
Dynamips -> Dynamips
Set "Executable path to Dynamips:" to "/opt/GNS3/dynamips-0.2.8-RC3-community-x86_64.bin"
Tick "Enable sparse memory support"
Qemu -> Qemu Guest
Use "-no-acpi" option for LinuxMicroCore that is provided by GNS3 official site

5. Notes
- GNS3 from apt-get is too old to run some of the IOS images that should be able to run on it.
- QEMU 1.5 (QEMU1.1 and later) includes patches for UDP tunnel and multicast provided by GNS3 official site
- There are no notable differences between qemu and qemu-kvm from 1.3 on (see the release notes for QEMU 1.3)
- autoconf and libtool are necessary to compile qemu 1.5
- QEMU's KVM support works only "when running a target architecture that is the same as the host architecture".

6. Reference
Enabling Intel VT on VMware
http://communities.vmware.com/docs/DOC-8970
About QEMU patches
http://brezular.wordpress.com/2012/02/12/installation-solaris-sparc-2-6-sunos-5-6-on-qemu-part-1-qemu-installation/


Friday, May 31, 2013

Solarized, Uniform Color Scheme

I've switched my vim color scheme from oceandeep to solarized. Oceandeep is an eye-friendly dark color scheme, great for people who prefer not to be distracted by highlighted text. However, it makes you feel a bit awkward when you launch vim from a console because it supports only gvim. I got hungry for "uniformity", and solarized came in.

Solarized - Precision colors for machines and people
http://ethanschoonover.com/solarized

Solarized is a color scheme maintained by Ethan Schoonover that provides uniformity to your environment; it supports not only editors (not limited to vim!) but also other development tools like terminal emulators and IDEs.

I've changed color schemes for vim and iTerm2, and they look coordinated. Awesome.

Sunday, May 19, 2013

How to upgrade IOS version/feature set on Cisco 3560

Assumption
1. The switch to be updated is in a factory default configuration.
2. IP address of the switch is 10.240.0.2/24.
3. IP address of the tftp/scp server is 10.240.0.3/24.
4. User name for scp server is switchadmin.
5. The feature set will be upgraded from ipbase to ipservice.
6. The switch will be updated to c3560-ipservicesk9-mz.122-55.SE7.bin.
7. The switch does not require a web console.

Procedure
1. Configure an SSH server or a TFTP server

2. Assign an IP address to the switch
> en
#conf t
(config)#int vlan 1
(config-if)#ip add 10.240.0.2 255.255.255.0
(config-if)#no sh
(config-if)#^z

3. Check whether the device can hold both the current and the new IOS image in flash.
3.1. Check the size of the new image.
3.2. Check the free space on the flash.
#dir flash:

If the switch has enough space, go to step 5

4. If the flash does not have sufficient free space, delete the current IOS image.
Delete the image file with "delete flash:/filename" or "delete /force /recursive flash:/dir_name"

5. Transfer the new image
! Assume the image is stored on tftp root directory.
! The "copy " part can be omitted in some IOS versions.
! Don't use scp since it takes more time than you'd expect.
#copy tftp://10.240.0.3/c3560-ipservicesk9-mz.122-55.SE7.bin flash:

6. Verify the transferred image
! The verify command was released in 12.2(4)T and 12.0(22)S
#verify /md5 flash:/c3560-ipservicesk9-mz.122-55.SE7.bin

7. Change boot image
#conf t

! Just specify the path to the boot image.
(config)#boot system flash:/c3560-ipservicesk9-mz.122-55.SE7.bin
(config)#^z

! Verify boot configuration
#sh boot

! Save changes
#wr me

8. Reboot the switch
#reload

Note
1. If the boot loader needs an update, it is done automatically the first time the switch boots with the new image (and it causes an extra reboot).

2. An almost equivalent of steps 5 to 7 is
! Assume the image is stored on "flash:/c3560-ipserviceslmk9-tar.122-55.SE7.tar/c3560-ipservicesk9-mz.122-55.SE7.bin"
#archive download-sw /imageonly /leave-old-sw tftp://10.240.0.3/c3560-ipserviceslmk9-tar.122-55.SE7.tar
(If the switch shows a feature set incompatibility error, add the "/allow-feature-upgrade" option when upgrading/downgrading a feature set.)

Consideration
1. This method is faster than upgrading IOS with the archive command since unnecessary files are not transferred (the tar archive contains the files for the web console as well).

2. Downloading an image is a fairly high-load task; CPU usage went up to 77%-84% while transferring. It should be done in a maintenance window.

Reference:
Catalyst 3750 Software Upgrade in a Stack Configuration with Use of the Command-Line Interface
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00804799d7.shtml

Upgrading a Cisco 3750 IOS from a .bin image file
http://thias.marmotte.net/2008/11/upgrading-a-cisco-3750-ios-from-a-bin-image-file/

MD5 File Validation
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_md5_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Saturday, May 18, 2013

How to use UC-SGT on Mac OS X Mountain Lion 10.8.2 (15' rMBP 2012)

It's been ages since the serial port disappeared from laptop PCs. Nevertheless, network devices require a serial connection as an out-of-band connection. I grabbed a USB serial adapter, UC-SGT, but my laptop (15' rMBP 2012, Mountain Lion) needed a trick to recognize it.
  1. Download a driver from a prolific's website
    http://prolificusa.com/pl-2303hx-drivers/
  2. Install the driver following README
  3. Add an entry for UC-SGT to the driver
    cd /System/Library/Extensions/ProlificUsbSerial.kext/Contents
    sudo cp -p Info.plist Info.plist.ori
    sudo vim Info.plist

    * Insert the following entry before the entry for <key>067B_2303</key>
             <key>056E_5004</key>
             <dict>
                 <key>CFBundleIdentifier</key>
                 <string>com.prolific.driver.PL2303</string>
                 <key>IOClass</key>
                 <string>com_prolific_driver_PL2303</string>
                 <key>IOProviderClass</key>
                 <string>IOUSBInterface</string>
                 <key>bConfigurationValue</key>
                 <integer>1</integer>
                 <key>bInterfaceNumber</key>
                 <integer>0</integer>
                 <key>idProduct</key>
                 <integer>20484</integer>
                 <key>idVendor</key>
                 <integer>1390</integer>
             </dict>

  4. Rebuild kext cache
    sudo touch /System/Library/Extensions/
    sudo reboot
Caution: the kext cache needs to be rebuilt; otherwise, you need to issue "kextload /System/Library/Extensions/ProlificUsbSerial.kext" every time you boot the box.

Note: TU-S9 from TRENDnet works with Prolific's driver without changing the plist.

Friday, May 17, 2013

How to transfer files from/to cisco devices

There are several options for transferring files to a Cisco device. Tftp is the traditional way. Scp is also supported by IOS from 12.3(2)T, 12.2(14)S (encryption needs to be supported by the feature set). If no in-band connection is available, xmodem becomes an option.

scp
Pro: Transferred files are encrypted
Con: Not supported by all platforms, in-band connection is necessary

tftp
Pro: Supported by all platforms
Con: Files are transferred in plain text, the tftp protocol has no authentication, in-band connection is necessary

xmodem
Pro: Supported by all platforms, No need for in-band connection
Con: Slow transmission

Whenever transferring a startup configuration, it's better to use scp in favor of tftp, since quite a few passwords are in the config in plain text or in an obscured form. Type 7 encryption is just an obfuscation that is reversed within a second, and even type 5 encryption can be cracked with massive computing power since the salt is in the same file.


Reference:
Cisco IOS Configuration Fundamentals Command Reference
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_c1.html#wp1064741

Cisco Password Cracker (For type 5 encryption)
https://www.google.com/search?q=cisco+type+7+crack&ie=utf-8&oe=utf-8&aq=t

Decrypting Cisco type 5 password hashes
http://retrorabble.wordpress.com/2011/02/09/decrypting-cisco-type-5-password-hashes/

Thursday, May 16, 2013

How to enable native tftpd on Mac OS X Mountain Lion 10.8.2

I needed a tftp server to update IOS images for the switches in my home lab. Mac OS X has a native tftp daemon, which will do for the purpose.

To launch tftpd,
$ sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
# Default tftp root directory, in which data files are stored, is /private/tftpboot/

To check that tftpd is up and running,
$ lsof -i:69

To stop tftpd,
$ sudo launchctl unload /System/Library/LaunchDaemons/tftp.plist
or reboot the system.

Note:
1. tftpd will not start the next time the system is booted. To make tftpd persistent, issue
$ sudo launchctl load -w /System/Library/LaunchDaemons/tftp.plist
1.1. The -w option erases the <key>Disabled</key> entry in tftp.plist and launches tftpd.
1.2. If you want to make tftpd persistent, think about the security concerns, since there is no authentication in the tftp protocol (i.e. at least add the -l option to tftp.plist for logging, and take care of the permissions on files and directories).


To disable it,
$ sudo launchctl unload -w /System/Library/LaunchDaemons/tftp.plist

2. The -F option is needed since /System/Library/LaunchDaemons/tftp.plist has a <key>Disabled</key> entry.

3. The owner of /private/tftpboot/ is root and its permissions are 755.

Reference:
man tftpd
man launchctl
man launchd.plist


Wednesday, May 15, 2013

How to enable sshd on Mac OS X Mountain Lion 10.8.2

It's an easy task with the GUI.

1. Go to System Preferences => Sharing => Remote Login
2. Turn on Remote Login
3. Check that sshd is running
$ sudo lsof -i:22

Note: The firewall on the system is automatically adjusted to allow incoming ssh connections.

Tuesday, May 14, 2013

How to rebuild kext cache on Mountain Lion 10.8

Rebuilding the kext cache is just a two-step task.
  1. sudo touch /System/Library/Extensions/
  2. sudo reboot

It's NOT recommended to execute kextcache manually.
KEXTCACHE(8)              BSD System Manager's Manual             KEXTCACHE(8)
Caution: Incorrect use of kextcache can render a volume incapable of startup.  Installers and administrators should not use this program to
     update system kext caches.  Instead they should run touch(1) on the /System/Library/Extensions/ directory of the installation target volume
     after they have finished, which invalidates the existing caches and causes the system to update all necessary kext caches.

Friday, February 22, 2013

Monday, January 7, 2013

Cisco type 5 encryption (MD5) is not strong enough to secure passwords in the configuration file

The salt sits at the front of the hashed password string. That means it's quite easy to build a rainbow table for it or simply try every possibility. You see the importance of storing the configuration file in a secure manner (with access control and encryption) whenever the configuration file is stored off the box. Remember, there is no mechanism protecting the passwords from a massive number of attempts.
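As an added example (not the post's own code) serving both this post and the earlier note on transferring startup configurations: a small Python audit that classifies the credential lines of an IOS config by password type, so a plain-text or type 7 entry is caught before the file is copied off the box over tftp. The sample config and every hash value in it are constructed.

```python
import re

# Constructed sample of credential lines from a Cisco IOS startup-config.
# Every hash and obfuscated value here is made up, not a real secret.
SAMPLE_CONFIG = """\
hostname lab-sw1
enable password cisco123
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin password 7 0123456789ABCDEF
username ops secret 9 $9$saltsaltsaltsa$madeupmadeupmadeupmadeup
line vty 0 4
 password 7 ABCDEF0123
snmp-server community public RO
"""

# How a config reviewer should treat each IOS password type.
TYPE_INFO = {
    "0": ("plain text", "critical"),
    "7": ("reversible obfuscation", "critical"),
    "5": ("salted MD5 (md5crypt), crackable offline", "warning"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}

# "[enable|username X] password|secret [TYPE] VALUE"; a missing TYPE means type 0.
CRED_RE = re.compile(
    r"^\s*(?:enable|username\s+\S+)?\s*(?:password|secret)\s+(?:(\d)\s+)?\S+\s*$")
SNMP_RE = re.compile(r"^\s*snmp-server community\s+\S+")

def audit_config(text):
    """Return one finding per credential line: (line_no, type, severity, note)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if m:
            ptype = m.group(1) or "0"
            note, severity = TYPE_INFO.get(ptype, ("unknown type", "warning"))
            findings.append((no, ptype, severity, note))
        elif SNMP_RE.match(line):
            findings.append((no, "snmp", "critical", "SNMP community in plain text"))
    return findings

def worst_severity(findings):
    """Collapse the findings to one verdict, e.g. to gate a tftp copy in a script."""
    order = {"ok": 0, "warning": 1, "critical": 2}
    return max((f[2] for f in findings), key=order.get, default="ok")
```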

References:
Decrypting Cisco type 5 password hashes
http://retrorabble.wordpress.com/2011/02/09/decrypting-cisco-type-5-password-hashes/

Interesting reading:
25-GPU cluster cracks every standard Windows password in <6 hours
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/