
packetqueue.net

Musings on computer stuff, and things... and other stuff.

August 10, 2010 Cisco

New Post Delay…

Reading Time: 1 minute

For all of you paying any attention at all, I owe you an apology for the complete lack of writing the last week or so. Last week, however, a large pile of backordered Cisco gear showed up at the office and needed to be staged *immediately* or as close to that as could reasonably be expected. We’re in the throes of a complete infrastructure upgrade and everything sort of backed up unexpectedly with the recent delivery problems from Cisco. I would question how that becomes my problem, but after 16+ years doing this professionally, I already know the answer to that question. At any rate, look for a new post in my series on 802.1x in the next day or so.


July 29, 2010 802.1x

802.1x for Wired Networks (Part 1)

Reading Time: 3 minutes

Most of you are probably familiar with the IEEE 802.1x specification, at least in general terms, but are more than likely used to seeing it applied in the context of wireless networks and services. In this multi-part series, I’m going to explore the use of 802.1x as it applies to wired networks. In part I we’ll begin with what 802.1x is and what it isn’t, followed by some basic configuration adhering to Cisco’s current best practices recommendations. Then, in part II we’ll follow up with a more complex configuration that you really, really don’t want to use but I put out as an academic example of what can be done if you like the kind of complexity that will guarantee you or your support staff never sleep again. We’ll also talk about what happens when you mix other security features with 802.1x.

Dot1x, as I’ll be referring to it from now on, is at its most fundamental level simply a method for verifying that a device connected to your network is who it appears to be. If a company-owned computer connects to the network, we let it have access to certain resources. If someone connects an unauthorized computer (personal laptop, etc.) to the network, they have no access to anything. This is the basic idea behind dot1x when we’re talking about wired networks.

Dot1x is not encryption, and doesn’t provide any kind of privacy or anti-replay protection like IPsec. It isn’t intended for that. Think of dot1x as login security for your switch ports. If your switch ports are connected through to wall jacks, with no authentication, then rogue machines have at least limited (layer 1 and 2) access to, at minimum, the VLAN or network that switch port is a part of. Is that enough to cause damage to your network? You’ll have to decide for yourself based on your own appetite for risk and internal security policies.

So, what do we do to make it all work? I’m glad you asked. You’ll need to do four things, of which I’ll cover the two that happen on the Cisco side:

(1) Configure your switch to act as an authenticator

(2) Configure individual switch ports to use dot1x

(3) Configure your Radius server to provide authentication and authorization to clients

(4) Turn on dot1x authentication on your clients (Windows, Mac, Linux, etc.)

The first step is fairly straightforward, and that is to tell your switch you want to do dot1x authentication. In order for this to work you have to have AAA enabled, which is going to change your entire login method, so definitely play around with it in a lab if you’re not familiar with it already. So, the commands we want look like this, entered from Global Config mode:

! Turn on aaa authentication
aaa new-model
! Define our Radius server, port, and shared secret (must match
! with our server setup)
radius-server host 10.0.0.1 auth-port 1812 key abc123
! Here we tell the switch that our default authentication method is to
! use the Radius host we defined above
aaa authentication dot1x default group radius
! Enable dot1x on the switch
dot1x system-auth-control


Now that we have the switch set to authenticate clients to our Radius (Remote Authentication Dial-In User Service) server, we have to make sure the Radius server has some policies defined. This is beyond the scope of what I’m going to cover in this post, though if I get enough comments requesting it I can cover that portion in another post. Basically you’re just telling your Radius server (typically IAS or NPS on some version of Windows Server) that the switch will be contacting it for client authentication, and what that client can and can’t do once authenticated (the authorization piece.)

The next step is to configure your clients to use dot1x authentication, and this is different for each client OS you use. Windows clients need to have a service turned on which is not on by default, whereas Macintosh has the service turned on but not configured. For Linux and all manner of mobile devices, there are as many options as there are devices, so I’ll leave that as an exercise for the reader. As above with the Server section, if I get enough comments I can cover the Windows and Macintosh configuration piece in another post. Mobile devices and Linux I have limited experience with as pertains to dot1x setup.

The last step in this whole business is to turn on dot1x authentication on a per port or port-range basis. Keep in mind that you’ll want to test this before turning it on carte blanche, as I’ve seen a lot of misconfiguration in the initial setup and the last thing you want is a horde of screaming users looking for your head on a stick. Therefore, to turn on one port, presumably for testing, we do like so from interface configuration mode:

dot1x port-control auto
! kind of anti-climactic isn’t it
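The one piece of this setup that silently breaks everything when it is wrong is the shared secret on the radius-server host line. As an added example (this is not code from the original post, and it is not Cisco’s or any RADIUS server’s implementation), here is the RFC 2865 request/response exchange the switch and the Radius server actually perform, reduced to the parts that depend on that secret. The server seals its Access-Accept with a Response Authenticator computed over the request’s random Request Authenticator and the secret, and the switch recomputes it before trusting the reply. The addresses, the user name and the secret below are constructed to match the sample configuration; nothing is sent on the wire.

```python
"""RADIUS (RFC 2865) authenticator checks behind the 'key' on the radius-server host line.

Added example, not from the original post. All addresses, names and the secret are
constructed; the packet layout and Response Authenticator formula follow RFC 2865.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2

# Attribute type codes from RFC 2865
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5


def encode_attribute(attr_type, value):
    """TLV encoding: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    """Code (1) + Identifier (1) + Length (2) + Authenticator (16) + Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, username, nas_ip, nas_port, request_authenticator=None):
    """Switch side: what the authenticator sends when a supplicant appears on a dot1x port.

    The Request Authenticator is 16 fresh random bytes per request; the server folds it
    into its reply, so a reply captured for one request cannot be reused for another.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = (encode_attribute(USER_NAME, username.encode())
             + encode_attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + encode_attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return build_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(request, secret, attrs=b""):
    """Server side: answer the request, sealing the reply with the shared secret."""
    identifier = request[1]
    request_auth = request[4:20]
    resp_auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, identifier, resp_auth, attrs)


def verify_response(request, response, secret):
    """Switch side: accept the reply only if it was sealed with the same secret for this
    exact request. A key mismatch between the switch and the server fails here on every
    reply, which shows up as clients that never authenticate rather than as an error."""
    if response[1] != request[1]:  # Identifier must match the outstanding request
        return False
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed exchange: matching secret verifies; wrong secret and replay do not."""
    secret = b"abc123"  # the 'key' from the sample radius-server host line
    req = build_access_request(identifier=7, username="host/pc01.example.test",
                               nas_ip="10.0.0.2", nas_port=1)
    accept = build_access_accept(req, secret)
    # A second request for the same user gets a new random Request Authenticator,
    # so the earlier Access-Accept must not verify against it.
    replay_target = build_access_request(identifier=7, username="host/pc01.example.test",
                                         nas_ip="10.0.0.2", nas_port=1)
    return {
        "ok_with_matching_secret": verify_response(req, accept, secret),
        "ok_with_wrong_secret": verify_response(req, accept, b"abc124"),
        "ok_with_replayed_reply": verify_response(replay_target, accept, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the third check is why the key on the switch and the key on the server have to agree exactly: nothing in the exchange tells either side which one is wrong, the reply simply fails to verify and the port stays unauthorized. Real deployments also carry the EAP conversation inside EAP-Message attributes protected by a Message-Authenticator (RFC 3579); that layer is omitted here.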


That is the basic configuration of dot1x on a Cisco switch. In part II of this series, I’ll explore some more complex configurations, as well as some less-than-ideal ramifications of combining other security features with dot1x. As with anything you configure in the realm of security in particular, it is always a trade-off between security and usability and dot1x is no exception. Test, test, and test some more.


July 27, 2010 DS3

TELCO FAIL

Reading Time: 5 minutes

Last Thursday afternoon, at approximately 2:25pm, there was a loud sucking sound that can only be heard by network engineers conditioned to expect bad, ugly things to happen at inopportune times, and all upstream connectivity to our corporate office died.

*Ka-phoot*

Predictably, IT was immediately assisted by many, many helpful people wandering by our area, sending emails, making phone calls, or stopping us in the hall to ask if we knew that the network was down. Usually in these situations the first couple of people get a good explanation of what we think the problem is, and what an ETA might be. After the 10th person, however, my responses tend to devolve a bit and I either end up giving a curt one-word answer, or feigning shock and amazement.

I should explain here that the way the architecture of our network works, we have our IP provider, SIP Trunks, Point-to-Point circuits, VPN end-points, and all of our external-facing servers in a very robust telecom hotel–The Westin Building, for those keeping score–in downtown Seattle. From there, we move everything over our DS3 to our corporate headquarters not far from Seattle. We also have many other dedicated circuits, IPsec tunnels, and assorted ballyhoo to other locations around the world, but for discussion here just keep in mind the three locations I’ve described.

So the DS3 that is our lifeline was down. It was after hours in our Canadian location so with any luck nobody would notice all night–they use a lot of critical services across another DS3, but that also routes through Seattle first. Additionally, it was a particularly nice day in Seattle (rare) and a lot of people were already out of the office when this link went down. Hopefully we could file a trouble ticket and get this resolved fairly quickly.

Within just a few minutes of filing said trouble ticket, I had a representative of the provisioning telecom on the line who said that, yes, they saw a problem and would be dispatching technicians. There were some other calls following that, but the short version is that by 5:30pm “everything was fixed” according to the telecom and would we please verify so they could close the ticket. Unfortunately, the problem was not fixed.

Now the fun began. To appease the telecom representative, I accepted the possibility that my DS3 controller card had coincidentally died or locked the circuit or some other bunch of weird pseudo-engineer guessing from the telecom representative. This meant I had to drive to our data center in Seattle, in rush hour traffic, to personally kick the offending router in the teeth.

After an hour or so of typically nasty Seattle rush-hour traffic I arrived at the datacenter and began testing. Our DS3 controller was showing AIP on the line, so more technicians were dispatched to find the offending problem. Meanwhile, I wandered over to the Icon Grill to get some dinner and an après-ski beverage or two.

Fast forward a few hours and the AIP condition on the DS3 controller was gone, but I now had an interface status of “up up (looped)” which is less than ideal, shall we say. I decided at this point to cut my losses and head home and possibly get some sleep while the telecom engineers and their cohort tried to figure out how this might be my fault.

With some three hours of sleep or so, I woke up at 5am and started looking at all of my emails, listening to all of my voicemails, and generally cursing anyone within earshot–mostly consisting of the cats–as my wife was still asleep. At this point I got on a conference bridge with the President of the telecom broker we use and together we managed to drag a rep in from the provisioning company who could then drag in as many engineers as needed to get the problem solved. Not, however, before I was rather pointedly told by said provisioning woman that I would have to pay for all of this cost since the problem was “obviously with my equipment, since her software showed no loops in the circuit.”

Once the engineers started hooking up testers to the circuit–physically this time–they could see a loop, but at the Seattle side (the side reporting the loop.) Another engineer saw a loop on the headquarters side, and still a third saw no loop at all. As it turns out, the circuit was provisioned by company “A” who then handed off to company “B” and finally to company “C” who terminated the circuit at the demarcation point at our headquarters. All for less than 20 miles, but I digress. Finally we all agreed to have Company “C” come onsite, interrupt the circuit physically at the demarcation equipment and look back down the link to see what he could see. As a precaution at this point, and tired of being blamed for ridiculous things, I and my staff physically powered down our routers on either side of the link. Since the loop stayed, that was the last time I had anyone point the finger my way. Small miracles and all of that.

Once the rep from Company “C” got onsite and interrupted the circuit for tests, he was still seeing “all green” down the line. Since the other engineers monitoring were still seeing a loop, they asked him to shut down the circuit. He did, and they still saw a loop. This was one of those “Aha” moments for all of us except the engineer from Company “C” who just couldn’t figure out what the problem might be. All of us suspected that the loop was between the Fujitsu OC-3 box at our Demarc, and the upstream OC-48 Fujitsu Mux a couple of miles away and we finally convinced this guy to go check out the OC-48. Sure enough, a few minutes after he left our circuit came back on again. And we all rejoiced, and ate Robin’s Minstrels.

At the end of the day, we ended up with just short of 24 hours of downtime, for a DS-3 from a major telecom provider that everyone here would recognize; 23 hours and 5 minutes, to be exact. So what was the problem, and the solution? Any telecom guys want to stop reading here and take a guess?

As it turns out, the original cause of our link going down was this same engineer pulling the circuit by mistake. When the trouble ticket was originally filed, he rushed out and “fixed” his mistake. But, what he hadn’t noticed the first time is two critical things:

(1) The circuit had failed over to the protect pair. DS3 circuits use one pair of fiber for the normally used (or working) circuit, and a separate fiber pair for the fail-over (or protect) circuit.

(2) The protect pair at the OC-3 box at the demarcation point hadn’t ever been installed.

For lessons learned here, the main thing that comes to me is that we absolutely have to find a way to get true redundancy on this link, even if it means connecting our own strings between tin-cans. I should explain, by the way, that redundancy to this headquarters building is very difficult due to location: the last mile provider is the same no matter who we use to provision the circuit. In addition, with one major fiber loop in the area, even if we could get redundancy on the last mile we would still be at the mercy of that loop. We are at this point, after this incident, looking at a fixed LoS wireless option that has recently become available. Apparently we can get at least 20Mb/s although I haven’t heard any claims on the latency, so we’ll see.

I’m also shocked and appalled that three major telecoms, all working in concert, took almost a full day to run this problem to ground. I’m probably naive, but I expect more. The only saving grace in all of this is the level of professionalism and support I received from the telecom brokers we use. They were absolutely on top of this from the beginning, shepherded the whole process along, even facilitating communications between the players with their own conference bridge for the better part of a day. If anyone needs any telecom services brokered, anywhere in the world I’m told, contact Rick Crabbe at Threshold Communications.

With this summation done, my venting complete, and everything right with the world, I’m off for a beverage.


July 27, 2010 Cisco

2960-S 1st Impressions

Reading Time: 4 minutes

Just noticing some differences in this 2960-S model switch; things I haven’t seen before in this product line. One thing is the console port is now two ports: traditional and a small mini-USB. Also, there is a classic USB plug onboard these now too, presumably for IOS updates and whatnot. These are also stackable, which makes sense given Cisco’s new direction in their SWITCH course training material eschewing Spanning-Tree and trying to push Layer-3 everywhere.

1st boot-up below, more impressions later.

Using driver version 1 for media type 1
Base ethernet MAC Address: a8:b1:d4:64:8f:00
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
mifs[2]: 0 files, 1 directories
mifs[2]: Total bytes : 1806336
mifs[2]: Bytes used : 1024
mifs[2]: Bytes available : 1805312
mifs[2]: mifs fsck took 1 seconds.
mifs[3]: 0 files, 1 directories
mifs[3]: Total bytes : 3870720
mifs[3]: Bytes used : 1024
mifs[3]: Bytes available : 3869696
mifs[3]: mifs fsck took 0 seconds.
mifs[4]: 5 files, 1 directories
mifs[4]: Total bytes : 258048
mifs[4]: Bytes used : 9216
mifs[4]: Bytes available : 248832
mifs[4]: mifs fsck took 0 seconds.
mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes : 258048
mifs[5]: Bytes used : 9216
mifs[5]: Bytes available : 248832
mifs[5]: mifs fsck took 1 seconds.
mifs[6]: 559 files, 19 directories
mifs[6]: Total bytes : 57931776
mifs[6]: Bytes used : 14971392
mifs[6]: Bytes available : 42960384
mifs[6]: mifs fsck took 14 seconds.
...done Initializing Flash.
done.
Loading "flash:/c2960s-universalk9-mz.122-53.SE2/c2960s-universalk9-mz.122-53.SE2.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:/c2960s-universalk9-mz.122-53.SE2/c2960s-universalk9-mz.122-53.SE2.bin" uncompressed and installed, entry point: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 06:08 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x01B00000

Initializing flashfs...
Using driver version 1 for media type 1
mifs[3]: 0 files, 1 directories
mifs[3]: Total bytes : 1806336
mifs[3]: Bytes used : 1024
mifs[3]: Bytes available : 1805312
mifs[3]: mifs fsck took 0 seconds.
mifs[3]: Initialization complete.

mifs[4]: 0 files, 1 directories
mifs[4]: Total bytes : 3870720
mifs[4]: Bytes used : 1024
mifs[4]: Bytes available : 3869696
mifs[4]: mifs fsck took 1 seconds.
mifs[4]: Initialization complete.

mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes : 258048
mifs[5]: Bytes used : 9216
mifs[5]: Bytes available : 248832
mifs[5]: mifs fsck took 0 seconds.
mifs[5]: Initialization complete.

mifs[6]: 5 files, 1 directories
mifs[6]: Total bytes : 258048
mifs[6]: Bytes used : 9216
mifs[6]: Bytes available : 248832
mifs[6]: mifs fsck took 0 seconds.
mifs[6]: Initialization complete.

mifs[7]: 559 files, 19 directories
mifs[7]: Total bytes : 57931776
mifs[7]: Bytes used : 14971392
mifs[7]: Bytes available : 42960384
mifs[7]: mifs fsck took 1 seconds.
mifs[7]: Initialization complete.

...done Initializing flashfs.

POST: MA BIST : Begin
FC 1 MBIST Test Passed.
DP Sg1 MBIST Test Passed.
DP Xg1 MBIST Test Passed.
NI 1 MBIST Test Passed.
FC 0 MBIST Test Passed.
DP Sg0 MBIST Test Passed.
DP Xg0 MBIST Test Passed.
NI 0 MBIST Test Passed.
UPB MBIST Test Passed.
POST: MA BIST : End, Status Passed

POST: TCAM BIST : Begin
POST: TCAM BIST : End, Status Passed

front_end/ (directory)
extracting front_end/fe_type_4 (78476 bytes)
extracting front_end/front_end_ucode_info (43 bytes)
extracting ucode_info (77 bytes)
Waiting for Stack Master Election...
POST: Thermal, Fan Tests : Begin
POST: Thermal, Fan Tests : End, Status Passed

POST: PortASIC Stack Port Loopback Tests : Begin
POST: PortASIC Stack Port Loopback Tests : End, Status Passed

POST: PortASIC Port Loopback Tests : Begin
POST: PortASIC Port Loopback Tests : End, Status Passed

POST: EMAC Loopback Tests : Begin
POST: EMAC Loopback Tests : End, Status Passed

Election Complete
Switch 1 booting as Master
Waiting for Port download...Complete

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected]

cisco WS-C2960S-48TS-L (PowerPC) processor (revision A0) with 131072K bytes of memory.
Processor board ID FOC1425W1J7
Last reset from power-on
1 Virtual Ethernet interface
1 FastEthernet interface
52 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : A8:B1:D4:64:8F:00
Motherboard assembly number : 73-11909-05
Power supply part number : 341-0327-01
Motherboard serial number : FOC14251HQ7
Power supply serial number : DCA1413P1BF
Model revision number : A0
Motherboard revision number : A0
Model number : WS-C2960S-48TS-L
Daughterboard assembly number : 73-11933-04
Daughterboard serial number : FOC14232S4V
System serial number : FOC1425W1J7
Top Assembly Part Number : 800-30950-01
Top Assembly Revision Number : A0
Version ID : V01
CLEI Code Number : COMGF00ARA
Daughterboard revision number : A0
Hardware Board Revision Number : 0x01

Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 52    WS-C2960S-48TS-L   12.2(53)SE2  C2960S-UNIVERSALK9-M


July 25, 2010 Cisco

Putty

Reading Time: 2 minutes

When I think of all of the tools I use on a regular basis to do my job more effectively, there are a handful that stand out as being the most useful of all. As I get the chance, I plan on writing at least a short homage to each one in turn. In my line of work, it is much more common to notice the things that break, or go wrong, or just don’t work as advertised; it is much less common to appreciate the things that just work.

With that in mind, it is only fitting that I start with one of the most useful and reliable programs I have ever used: Putty. Most of you are probably familiar with this little gem, but for those of you who aren’t: a little information is in order.

Putty is a combination SSH, Telnet, and Rlogin client, as well as terminal emulation software. I first discovered this program at some point back when I started hating–with a blind rage–Microsoft’s built-in Hyperterminal application. I soon had switched to Putty full-time, and haven’t ever had the urge to even investigate other options. I don’t know if the writers of Putty are rich, but if they aren’t they damn well deserve to be.

To wit:

I use Putty daily for doing all of my Cisco console work, as well as for all SSH connections to both Cisco and Unix devices. On the Cisco side, it just works nicely, allowing for a variety of customizations as well as easy cutting-and-pasting of code to and from Notepad or whatever you use (complex ACL editing, etc.) On the *nix side, one of the nicest features is the X11 forwarding which allows you to tunnel back X11 applications, via SSH, to your local client (assuming you are running *nix locally, or have an X11 window manager of some sort running. We happen to use Exceed, but there are free versions available.)

The amount of customization you can do to Putty, from auto-magical window labeling, to key-strokes and shortcuts, to saved session information, etc. is a beautiful thing. At home, for lab work, I have settings saved for all of my console-server connections so that I just have to “point-and-click” to open any of my myriad devices.

I could probably go on and on, but suffice it to say that this little gem of a program should be in your arsenal if it isn’t already. It is one of the first programs I install on any machine from which I plan on doing serious work.

Putty can be found at: Putty Downloads Page and is well worth a look.


July 25, 2010 Uncategorized

ASA TU

Reading Time: 2 minutes

You ever have one of those weeks where everything that can go wrong, does? And even things that can’t go wrong, still do? Last week was that week for me. But more on that later.

I’m finally relaxing with a beer in my home office, Friday afternoon, after said hell-week, when suddenly I notice that my desk phone has mysteriously powered off. Beyond the visual cue of no screen display, and a nagging suspicion that something was still not right in the world, I also heard it when it shut down (the Cisco 7940 models in particular seem to make some noise when turning on and off.) Since this phone is using PoE from a Cisco ASA 5505, I glanced over at the 5505 to see what might be causing all of the unhappiness. Immediately I noticed that something wasn’t right, as the status light was orange for a second, then the whole unit rebooted. At that point the display lights go all green, then amber, then another reboot… ad nauseam.

What the @#$!?

Trying to log in via either SSH or ASDM yields no love at all, so I hook up a console cable. There it is: the ASA apparently doesn’t have any OS to boot.

Again with the @#$!?

So, I take the cover off and pull out the *cough* expensive-as-hell *cough* flash card to double-check things on a desktop computer. Sure enough, the computer reports that the flash card is not formatted. So I formatted it, reinstalled the OS and license information from–wait for it–the backup I had made recently. At this point I could have used this as another learning experience and re-configured the unit from scratch, just to test myself, but at the time I was trying to get some movie tickets purchased and had just gotten done with a very, very tiring week. Not surprisingly then, I took the easy way out and restored the configuration as well.

After a quick reinstall, the unit came back up and everything is fine.

My main lesson learned here–and I’m wondering if this is something that has happened to other people, or happens frequently with the ASA units–is that the Cisco ASAs seem to occasionally wipe out the installed flash card (cards plural if you have 5510s or bigger.) Either that, or the ridiculously expensive (like $300 or something) Cisco-branded 512mb flash cards are flaky as hell. I don’t tend to go with that last option, however, simply because when flash cards go bad they’re not usually amenable to being re-formatted and working properly again: it’s usually game-over, buy another one.

So, another random problem at least solved in the short-term. I’ll keep everyone posted on whether or not this happens again. I haven’t seen anything indicating that this is a known issue, but admittedly I haven’t really been looking. Auto-magically wiping out the entire boot OS, configuration, licenses, etc. would seem to be a fairly non-useful type of bug to have–even by, say, Microsoft standards… let alone Cisco.

So, has anyone seen this before?


Copyright© 2023 · by Shay Bocks