Archive for the 'Work' category

Cisco EMEA Networkers2007

 | 7 Dec 2006 15:24

Just a quick note to say that I’m going to Networkers2007.

If you’re going as well and want to meet me then drop me a line, with a suggestion of when you’re free. I don’t think I’ll be able to intentionally run into anyone there, my schedule is way too busy for that.

Suggestions for surviving Networkers are welcome as I’ve never been before.

October update

 | 4 Oct 2006 20:48

For all those who check into this page and are wondering what I’ve been up to…

On the 22nd of September my second son was born, Joshua Marius Geurts. Since my last (and first) lab attempt I’ve been preparing for Joshua’s arrival by redoing the baby room and converting an old cupboard into a 2nd toilet.

Now that Joshua is here I’m busy with day to day life and trying to build a little reserve again. I hope to have to opportunity soon to start preparation again for my second lab attempt.

dot1x and port-security do not mix (or do they?)

 | 21 Sep 2006 15:02

[Cisco] IEEE 802.1X cannot be enabled on the port security enabled-port.

Sep 21 12:47:00.223: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to up
Sep 21 12:47:01.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/6, changed state to up
Sep 21 12:47:20.198: %DOT1X-5-SECURITY_VIOLATION: Security violation on interface GigabitEthernet2/6, New MAC address 0012.3f09.3840 is seen on the interface in mode
Sep 21 12:47:20.198: %PM-4-ERR_DISABLE: security-violation error detected on Gi2/6, putting Gi2/6 in err-disable state
Sep 21 12:47:21.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/6, changed state to down
Sep 21 12:47:22.202: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to down

Nice of CLI to state what mode it has trouble with!

Just found this on CCO

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

Now what happens when I use VoIP and plug my pc into the phone? The phone is compatible with CDP and as such is allowed into the voice vlan, the PC does dot1x and is allowed access by user credentials. However port-security will set the port to err-disabled due to something related to the phone:

Sep 21 14:49:57.550: PSECURE: swidb = GigabitEthernet2/6 mac_addr = 0800.0f1e.f7ad vlanid = 40
Sep 21 14:49:57.550: PSECURE: Adding 0800.0f1e.f7ad as dynamic on port Gi2/6 for vlan 40
Sep 21 14:49:57.550: PSECURE: Violation/duplicate detected upon receiving 0800.0f1e.f7ad on vlan 40: port_num_addrs 1 port_max_addrs 1 vlan_addr_ct 0: vlan_addr_max 2 total_addrs 0: max_total_addrs 3072
Sep 21 14:49:57.550: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.0f1e.f7ad on port GigabitEthernet2/6.
Sep 21 14:49:57.550: PSECURE: Security violation, TrapCount:33

One needs all three lines (if-config) if one wants to be propperly secure (this works btw):

switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict

The restrict is to leave the phone working when a pc is denied access, nice DOS otherwise to down all phones in sight…

CCIE Routing and Switching Lab Score Report (#1)

 | 3 Aug 2006 11:28

CCIE Routing and Switching Lab Score Report

Candidate: Djerk Geurts
Lab Date: August 2 2006
Lab Site: Brussels

I really thought I passed, had time to spare, reloaded everything check the routing tables and complete connectivity. I quickly came down to earth when my wife phoned me back saying I’d received a mail from Cisco. Must say it’s pretty quick so I must have either annoyed the proctor or the script  that runs against the configs must have regarded my configs not enough Cisco compliant.

Sad thing is I have no idea what I did wrong and as there’s no way of getting any feedback I’m afraid I’ll make the sam mistakes next time. Maybe next time I’ll be a little more relaxed and focussed. Maybe I was too stressed, didn’t feel it, and missed some important things in the questions. I suppose I’ll never know.

I’ll be focusing on DIY for the moment as I need to prepare for a new baby which is due to arrive soon. Stay tuned!…

Right, last updates done before D-day…

 | 31 Jul 2006 21:16

A nice relaxing day to write some last notes and relax, for my latest addtions have a look in the lab section of my CCIE R&S page. New topics:

  • Smurf/fraggle attacks
  • EIGRP bandwidth limitation
  • DHCP pool options
  • F/R with ‘dual’ QoS (thanks to the evil bastard for that one)Heinz Target
  • Redistribute BGP default into IGP

Will post again on wednesday evening (bad) or thursday (should be good)

CCIE R&S mocklab

 | 30 Jul 2006 18:46

Pfew, I’m typing this with the last little bit of energy left in me. I started this morning on the mocklab I screwed up during the bootcamp and I actually finished in time. I would not have had 100% score as there were two things I had to look up outside of the “univercd”.

So this has given me a last push to find little thing that I’d forgotten (already!) or hadn’t used yet. Like BGP and EIGRP authentication. I’ve written down some topics I want to work out on my CCIE R&S pages so stay tuned int the next two days.

Time for dinner now , ooh I’m soo happy that I managed this in 8 hours, the 1st mocklab I did took me 14 hours so this is a nice booster for this wednesday when it’s for real.

PS: I’ve bought a set of coloured pens, I really hope the proctor will allow me to use them as my drawings become a mess without them. I’ve used them the entire week and now have a nice colour coding scheme for different things like protocols and special notes. Also I’ve developed the habit of making a separate network drawings for BGP and Multicast, it really helps keeping the different forwarding planes separate and simple.

Virtual Tour – CCIE Lab

 | 29 Jul 2006 19:09

Found this 3 minute video showing the lab environment and detailing in simple terms what the 8 hour CCIE lab exam is.

My CCIE lab equipment

 | 03:56

My lab equipment can be seen here: PICT0012

My hardware: 3x 3640, 3620 (and a broken one), 2620XM, 2x 7204(VXR) NPE-200, 2x 2621, 7507 (dual RSP4), 3548XL, 2948G-L3 and a 2511.

BTW: The two 7304’s, two empty 3660’s and the 7204 under my laptop aren’t part of my CCIE lab.

autocommand access-enable (lock&key)

 | 02:31

Maybe this post will enable me to remember this feature. I hadn’t heard of it untill I was at Heinz’s CCIE R&S bootcamp last June.

The idea is that a user can log into a system and then that system will grant access to some traffic for a period of time. Nice heh, well be carefull it uses extended access-lists so the normal anti spoofing measures still need to be taken. So how do we do this then? Simply follow these steps:

# use a local account instead of the vty password:
line vty 0 4
login local
# User account to open the ACL dynamically:
username djerk password 123456
# User is allowed to open the ACL, sadly you can’t specify the ACL so all ACL’s will be opened by this user!
# The timeout value is the idle timeout!
username djerk autocommand access-enable host timeout 2
# The lock&key ACL:
ip access-list extended NACL-lock&key
remark *** Permit user:djerk to open this ACL (lock&key) ***
# Permit user access if he has to traverse this ACL
permit tcp host eq telnet
# Careful: timeout of the dynamic rule is in minutes
# The rule in the dynamic line will be installed into the ACL once the user has authenticated
dynamic DYN-lock&key timeout 10 permit tcp any any eq telnet
deny tcp any any eq telnet
permit ip any any
# Apply the ACL to the interface:
interface F0/0
ip access-group NACL-lock&key in

The idle timeout of the access list is configured in the autocommand. It is overridden by the absolute timeout in the dynamic access list.

The above config is from CCO minor changes and comments by me 🙂

F/R dual-FIFO

 | 00:04

frame-relay fragment
Enables dual-FIFO, but how to get VoIP into the voice queue? Is rtp heasder compression enough to do this or is LLQ needed with a priority class?

I’d be inclined to think that RTP header compression has no influence over FRF.12 fragmentation, unless it matches RTP traffic into the propper FIFO queue (dual-FIFO). Seeing that FRF.12 enables dual-FIFO I can only assume this matching to be the case, I’ve not yet found a doc stating this without doubt. So please leave a note if you do.

Anyway I think it’s good to know both options. Dual-FIFO applies fragmentation only to the ‘data’ queue, I know this from Multiclass Multilink PPP (MC-MLPPP) which is also dual-FIFO. I use MC-MLPoA for QoS on DSL lines.

——- (Without FRTS)
# One config:
Int S0/0
frame-relay fragment 40 end-to-end
Int S0/0.1
frame-relay interface-dlci 1
frame-relay ip rtp header-compression

——- (With FRTS)
# Other config:
Class-map match-any voip
match protocol rtp audio
Policy-map FR-voip
class voip
# Enable PQ so the router can differentiate between flows (dual-FIFO)
class class-default
map-class FR-voip+FRF12
service-policy output FR-voip
frame-relay fragment 40
Int S0/0
frame-relay traffic-shaping
Int S0/0.1
frame-relay interface-dlci 1
class FR-voip+FRF12

CCO: VoIP o F/R with QoS

OSPF filtering

 | 28 Jul 2006 17:39

In OSPF you can’t filter routes. This is only true inside an area, due to OSPF being a Link State protocol. LSA’s are flooded throughout the area and the protocol is based upon everyone in the area having the exact same database. There are no such things as communities like in BGP to aid in something of a route installment selection process.

What is available is filtering on an ABR or ASBR. ABR filtering is somewhat less known but here’s how it works on Cisco:

Let’s create a range (OSPF summary) and filter the summarised routes so that only the range is advertised to the other areas.

Router_A(config-router)#do srr
router ospf 1
# Filtering the range’s subnets (type 3 LSA filter) when they enter area 0
area 0 filter-list prefix PFL- in
# The range to create the summary:
area 1 range

router ospf 1
# Filtering the range’s subnets (type 3 LSA filter)
area 0 filter-list prefix PFL-subnets in

# On both:
ip prefix-list PFL-subnets description *** Filter subnets out of the range ***
ip prefix-list PFL-subnets seq 5 deny ge 9
ip prefix-list PFL-subnets seq 10 permit le 32

Cisco’s NTP authentication is b0rked

 | 25 Jul 2006 11:35

ntp authentication-key 14 md5 ladida
ntp authenticate (see comment below)
ntp source Loopback0
ntp master
ntp server source FastEthernet0/0
ntp trusted-key 14 (see comment below)

ntp authentication-key 14 md5 ladida
ntp authenticate
ntp source Loopback0
! ntp trusted-key 14 (only required when not specifying a key on the line below)
ntp server key 14

Debug on the client:

21:05:03: NTP: rcv packet from to on Loopback0:
21:05:03: leap 0, mode 4, version 3, stratum 2, ppoll 64

21:05:03: Authentication key 0
21:05:03: NTP: packet from failed validity tests 10
21:05:03: Authentication failed
21:06:06: NTP: xmit packet to
21:06:06: leap 3, mode 3, version 3, stratum 0, ppoll 64

21:06:06: Authentication key 14

The Client does send authenticated packets but the Master doesn’t. Mind you configuring a ‘peer’ is symmetric (same stratum) and ‘server’ is asymmetric (ntp stratum hierarchy). Apparently Cisco knows about it for years but it’s too low a priority to fix it, so don’t bother running to TAC with this…

Even configuring peers so one can set the key on the master doesn’t help. The authentication error disappears but no association forms.

Just like the bootcamp

 | 23 Jul 2006 14:16

The weather is hot, I’m studying hard and BBQ for lunch. Now where’s my wine and the quad?

My lovely wife knows I like a German Riessling to that’s cold in the fridge for tonight and my oldtimer moped should be insured next week. Almost there… 😉

Oooh, I hate cosmetic bugs!

 | 10:29

C7500(config-router-af)#$-map D-list_EIGRP13_r2_in in f5/1/0.201
% Access-list filter exists, de-config first

I got this notification when trying to work my way around what I thought was a config line that did not generate an error nor ended up in configuration. When trying to configure a different distribute-list, this time with a route-map, it told me that I’d have to remove the old list first. So it should be in config and active.

Show me more… »

Final approach

 | 09:27

Sounds very definite doesn’t it. Well I know that on average it should take me 3 labs to pass but hey you can’t blame me for having a positive attitude. Last friday I started my last ‘week’ of studying before my 1st lab attempt. I’m curently working on the last ‘few’ lines of config to my own lab environment. Was counting on remote lab access to Heinz’s lab (delayed ‘one week access’ after the bootcamp). But due to a miscommunication it was scheduled for the week of my exam which isn’t very usefull as obviously I’ll be resting and taking the exam that week.

Anyway, I’ll get there myself as long as I don’t find any other dead Ethernet interfaces. The 7500 in my lab is upgraded to 12.4(8) Enterprise and is happily running VRF-lite on all routing protocols. As such I’m using it to simulate about 7 routers, only problem is that it’s config has become enormous but at the moment it’s working fine.

For those who still wonder were I’ve disappeared to this week, I’ve locked myself in my attick to get some serious studying done. I’ll be out on the 31st in an attempt to relax in preparation of the 2nd (of Aug) which is my lab date.