CCNA – One Year Later

June 3rd, 2010

In May of this year, I marked the one-year anniversary of obtaining my CCNA certification by passing the composite exam. The following are my thoughts, opinions, and observations one year out.

Use it or lose it!

As far as knowledge is concerned, I am a firm believer that what you do not use you lose. This became evident when I began planning an IP address scheme change and struggled with the first few subnets. Don’t expect to know every little detail or command off the top of your head, but do make sure you have a firm grasp on the core knowledge.

Continued Education

Certifications can be the equivalent of a final exam in school. For most of us, once the exam has been passed, the books and other study materials are placed on a shelf to be all but forgotten. Resist this urge!

Regardless of whether you choose to continue on to another technical certification, the learning should not stop. Topics that I use fairly regularly in my daily work are easily recalled; however, the vast majority of the subject matter may not be something you touch on a regular basis. Once again, pick up your books and study materials to refresh what you learned. Chances are that when it comes time to recall that information (in real life or on another certification) you won’t have to bang your head to remember it.

Real World Certification

Some debate the purpose of technical certifications, particularly those sponsored by a technology company that benefits from people being familiar with its products. My take on this is that a certification is whatever you make of it. My opinion is that the CCNA is a good entry-level certification. The majority of the material covered is generic enough that it can be easily applied to equipment from just about any other vendor. There have been a few times when I have referenced my Cisco study material when configuring equipment from other vendors.

My personal goal with any certification is not to come out with just a certificate or specific knowledge of vendor “X”’s equipment. I want to become a more well-rounded person who can adapt and apply my knowledge to any situation. I have witnessed a few cases where people with high-level Cisco certifications proclaim “If it’s not Cisco, I don’t know it”. I question where they went wrong in their studies to not only adopt that mentality but also lack the confidence in their own knowledge and skills to work with equipment from any vendor.

Recommended reading

There is no shortage of great reading material on networking, some of which I have had the pleasure of reading. Personally, I would suggest picking up a book on anything that interests you. Are you curious about BGP? Pick up a book! Sure, there will be topics in the book that may be beyond your current knowledge, but for me that’s the best way to learn.

One book I would highly recommend for anyone who has obtained their CCNA certification is “Network Warrior”. The book holds true to its claim of covering everything that wasn’t on the CCNA exam. It will give you a good intro to some more advanced topics and even covers things such as how to avoid becoming an I.T. jerk!

Here’s to continued study and knowledge!

Categories: CCNA Study

ISC DHCP & Microsoft RIS

May 11th, 2010

Our organization made the switch from a Microsoft-based DHCP solution to an appliance-based (Linux-based) DHCP solution. Recently, someone went to use Microsoft Remote Installation Service (RIS) and noticed that the process was broken.

The initial report was that the computer could not obtain a DHCP lease using PXE boot, which I found odd since no other devices were having issues obtaining a lease. A quick scroll through the DHCP server logs revealed that the computer was requesting a lease and the DHCP server was offering an address. Once I took a look at the affected computer, I noticed that the PXE boot client was returning an error code of “PXE-53”. This error indicates that the client was able to obtain an IP address but was not able to download the needed boot file.

When using Microsoft RIS with a Microsoft DHCP server, all needed configuration is taken care of automatically. Once you bring a non-Microsoft solution into the mix, some manual configuration is required. Luckily this configuration is minimal. Below are the lines you need to add to the dhcpd.conf file in order to get an ISC-compatible DHCP server to work with Microsoft RIS. I have tested this on an Infoblox 550A appliance, but the configuration should work on any ISC-compatible DHCP server.

# Hostname of the RIS server (DHCP option 66 / sname field)
server-name "MY-RIS-SERVER";
# IP address of the RIS server the PXE client should contact (siaddr field)
next-server 192.168.1.26;
# Boot file path relative to the RIS storage root; each backslash is doubled
# because dhcpd parses C-style escapes inside quoted strings
filename "\\OSChooser\\i386\\startrom.com";

The needed lines are fairly self-explanatory. “server-name” is the hostname of your RIS server, and “next-server” is the IP address of the same server. Finally, “filename” is the path of the file you want to boot with (in this case I chose to boot to the OS Chooser). Note that this path is relative to the default storage path for RIS, and the doubled backslashes “\\” are required for the config file to parse correctly: the DHCP server treats a backslash as an escape character inside quoted strings, so each “\\” is sent to the PXE client as a single “\”.

After making these changes, save the config file and restart the DHCP daemon, then confirm on the client that the PXE-53 error no longer appears and the OS Chooser loads.

Categories: Systems

Juniper SRX Static NAT

May 3rd, 2010

Static NAT is a function that is commonly used when you want to offer services on the Internet from a server that sits on a protected subnet using a private address scheme (RFC 1918). In a previous article, I detailed the process of creating static NAT entries on a Fortigate 800 using the web interface. I will cover the same process, this time on a pair of Juniper SRX240H security gateways. The two gateways are configured as a cluster (HA); however, this has only a minimal effect on some of the commands that will be entered.


Unlike the process on the Fortigate, I will be configuring static NAT on the Juniper devices using the command line. There are several reasons for not using the Juniper web interface (J-Web) for configuring static NAT. First, I could not find a location in the J-Web interface to configure static NAT. Second, in my opinion, the J-Web interface is clumsy and slow. It might be good in certain situations, but the majority of the work I do on any equipment is done using the command line.

Keep in mind that any static NAT rule created for an internal host applies to both inbound and outbound traffic to and from that host: inbound packets to the public address are translated to the private address, and outbound packets from the private address are translated to the public address. This also means that static NAT rules take precedence over your NAT overload (source NAT) rule, so the host’s outbound traffic will leave with its own public address rather than the shared one. It’s a good idea to keep that in mind when troubleshooting.

Within Junos, static NAT is achieved with a rule set that is made up of multiple rules. In this case I will create a rule set named MY-COMPANY-STATIC. Within that rule set there will be rules for the mail server (R-MAIL) and the web server (R-WEB). In reality you can split your rule sets and rules up any way you like.

First, drop into static NAT configuration mode using the following commands.

{primary:node0}
chris@SRX240H-01> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{primary:node0}[edit]
chris@SRX240H-01# edit security nat static

{primary:node0}[edit security nat static]
chris@SRX240H-01#

Next, create the rule set and define the zone in which the outside world (the Internet) exists. In this case the “untrust” zone is the Internet.

{primary:node0}[edit security nat static]
chris@SRX240H-01# set rule-set MY-COMPANY-STATIC from zone untrust

The configuration of the zone can be a source of confusion as some people take this to mean that the rules will only apply in one direction. Always keep in mind that static NAT rules apply to both inbound and outbound traffic.

The next two commands will create a rule for a particular destination. The first line of the rule defines the destination address that the rule should match in inbound traffic. Since the untrust zone is connected to the Internet, the destination address is set to the public IP address of the host (the mail server in this case).

{primary:node0}[edit security nat static]
chris@SRX240H-01# set rule-set MY-COMPANY-STATIC rule R-MAIL match destination-address 1.2.3.4/32

The second line of the rule defines the IP address that the destination should be translated to. In this case this is the private IP address of the server that resides in the trust zone of the SRX.

{primary:node0}[edit security nat static]
chris@SRX240H-01# set rule-set MY-COMPANY-STATIC rule R-MAIL then static-nat prefix 192.168.1.100/32

Both lines of the R-MAIL rule point to a specific host as is indicated by the 32-bit mask (/32).

Now you must configure proxy ARP for the IP addresses you will be translating. In this case we will be configuring proxy ARP for the public IP addresses that reside in the untrust zone. This step is required because the public address is not assigned to the SRX interface itself: without proxy ARP, the SRX will not answer the upstream router’s ARP requests for that address, and inbound traffic will never reach the NAT rule.

To configure proxy ARP you have to be in the “edit security nat” section.

{primary:node0}[edit security nat static]
chris@SRX240H-01# up

{primary:node0}[edit security nat]
chris@SRX240H-01#

Now the set proxy-arp command is used. This command takes the interface on which you want to configure proxy ARP as well as the IP address for which proxy ARP will be performed.

{primary:node0}[edit security nat]
chris@SRX240H-01# set proxy-arp interface reth0.0 address 1.2.3.4

The interface reth0.0 is used because these configurations are being made on a pair of SRX240Hs that are in cluster mode. On a single SRX you would use an interface name such as ge-0/0/0.0.

At this point the static NAT configuration is complete. Most likely you will still have to create security policies for inbound and outbound traffic to and from the host (if you have not already done so), since the SRX denies traffic between zones by default.
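As an added example (not part of the original post), here is the complete set-command configuration for the rule set described above, extended with the R-WEB rule the post mentions but does not show and with the untrust-to-trust security policies the translated hosts will need. The web server addresses 1.2.3.5 and 192.168.1.101, the address-book names and the policy names are assumed placeholders; the comment lines are explanatory and not part of the configuration.

```junos
# Static NAT rule set from the post, plus the R-WEB rule it mentions but does not show.
set security nat static rule-set MY-COMPANY-STATIC from zone untrust
set security nat static rule-set MY-COMPANY-STATIC rule R-MAIL match destination-address 1.2.3.4/32
set security nat static rule-set MY-COMPANY-STATIC rule R-MAIL then static-nat prefix 192.168.1.100/32
set security nat static rule-set MY-COMPANY-STATIC rule R-WEB match destination-address 1.2.3.5/32
set security nat static rule-set MY-COMPANY-STATIC rule R-WEB then static-nat prefix 192.168.1.101/32

# Proxy ARP on the cluster's untrust interface for every public address that is translated.
# A rule whose public address has no proxy-arp entry silently never receives inbound traffic.
set security nat proxy-arp interface reth0.0 address 1.2.3.4/32
set security nat proxy-arp interface reth0.0 address 1.2.3.5/32

# Address-book entries for the private (post-NAT) addresses of the two servers.
set security zones security-zone trust address-book address MAIL-SERVER 192.168.1.100/32
set security zones security-zone trust address-book address WEB-SERVER 192.168.1.101/32

# Inbound policies. Static NAT is applied before the policy lookup, so the policy must match
# the private address, not the public one. Restricting the application list keeps the
# exposure limited to the services actually being published.
set security policies from-zone untrust to-zone trust policy IN-MAIL match source-address any
set security policies from-zone untrust to-zone trust policy IN-MAIL match destination-address MAIL-SERVER
set security policies from-zone untrust to-zone trust policy IN-MAIL match application junos-smtp
set security policies from-zone untrust to-zone trust policy IN-MAIL then permit
set security policies from-zone untrust to-zone trust policy IN-MAIL then log session-close

set security policies from-zone untrust to-zone trust policy IN-WEB match source-address any
set security policies from-zone untrust to-zone trust policy IN-WEB match destination-address WEB-SERVER
set security policies from-zone untrust to-zone trust policy IN-WEB match application junos-http
set security policies from-zone untrust to-zone trust policy IN-WEB match application junos-https
set security policies from-zone untrust to-zone trust policy IN-WEB then permit
set security policies from-zone untrust to-zone trust policy IN-WEB then log session-close
```

After committing, “show security nat static rule all” lists each rule with its translation hit counters, and “show security flow session destination-prefix 192.168.1.100” confirms that inbound sessions are arriving at the private address rather than being dropped before translation.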

Categories: Firewalls, Juniper

1-Port Power Injectors @ 1Gbps

April 27th, 2010

Recently I ran into an issue when the need arose to provide temporary wireless connectivity for a single room in one of our buildings.


The task was easy enough: use one of our spare HP MSM422 access points along with a 1-port power injector, since this building has older (non-PoE) switching equipment. Against my better judgement I told my boss I was going to run and install the AP after one of our meetings, because it “wouldn’t take more than a few minutes”. Past experience has taught me never to put a short time limit on any task (no matter how simple). I had already tested and provisioned the AP at my desk, and I was confident in my ability to properly connect a few cables.

The problem was an interesting one: the AP was getting power from the power injector, but it was not able to communicate with the controller to grab its config and other needed information. After 10 minutes of troubleshooting the AP at the remote building, I decided to bring the equipment back to the lab and see what was causing the issue. After working in the lab for a few minutes, the cause was clear and painfully simple.

The power injector I was using was one that we purchased from HP ProCurve three or four years back. I could not locate the old part number; however, when you order a 1-port power injector from HP they ship injectors made by PowerDsine. The particular model all of my testing was performed with was a 3001.

It turns out that this particular power injector has trouble with 1Gbps switch ports. If you look at the switch port that the injector’s data port connects to, you will notice that link is never established. The way around this is to manually set the switch port that is being used with the injector to 100Mbps or 10Mbps.

Additionally, the current HP ProCurve 1-port power injector (HP part # J9407A) uses PowerDsine model number 3001G, which according to the documentation does support 1Gbps ports.

Categories: HP Procurve

BES + Windows 2008 + Exchange 2003

March 11th, 2010

Problem: You are trying to build a new BlackBerry Enterprise Server on top of Windows Server 2008 and your mail server is running Exchange 2003. The BES prerequisites state that you need to install the Exchange 2003 management tools on the BES, but they will not install on Windows Server 2008.

Solution: Follow this link to download the “Exchange Server 2003 MAPI CDO 1.2.1”. I verified with BlackBerry Technical Support that the installation of the MAPI CDO will satisfy the BES requirements.

Solution Tested On: Windows Server 2008 R2 (x64)

Note: Windows Server 2008 R2 is not yet officially supported by RIM. The support representatives I spoke with were kind enough to help me out anyway. Keep in mind that if they are unable to resolve your issue, your case may not be escalated if the server is running Windows Server 2008 R2. RIM is currently testing this platform, so it will become officially supported at some point.

Categories: Systems

CCNA Voice IIUC 640-460 Notes

February 1st, 2010

Over the past month I have been slowly going through the test material for the CCNA Voice exam (640-460). You can take the CVOICE exam to obtain the CCNA Voice certification; however, since I did not have much knowledge of voice topics I stuck with the 640-460 track. The Official Exam Certification Guide was just what I was looking for and even provides a refresher on some CCNA topics in case you’re a bit rusty.

Attached is a PDF document with the notes I took while reading. They are fairly lengthy, but this is an important part of the study process for me, particularly when the majority of the topics are brand new (again, for me).

CCNA Voice IIUC 640-460 Notes

Categories: CCNA Voice

CCNP Changes

January 25th, 2010

After much anticipation, the changes to the CCNP certification track have been officially announced. You can view the official certification options on Cisco’s website.

Essentially the information that has been floating around the Internet (and covered here) regarding the changes has been spot on. Pre-orders for some of the Cisco Press books have started popping up, with expected delivery dates around the middle of February.

Categories: CCNP Study

Procurve Switch Recovery with Xmodem

January 25th, 2010

Over the long weekend, I caught up on some much-needed network maintenance at several of our buildings. I was able to upgrade most of the switch software without any trouble, but there is always that one bad apple!

The culprit switch started acting oddly after I copied the current software image (which had been stable for months) from primary to secondary flash. After doing so, the option to download a new image via TFTP was no longer available. A reboot left me with a switch that was still moving traffic and showed as “Up” in our NMS, but I was unable to remotely manage the switch via SSH or Telnet.

On my way home, I stopped by the building where the trouble switch was located, thinking I could fix the issue quickly. After about 15 minutes of trying various methods of transferring a new image onto the switch (including TFTP and USB), I resorted to using Xmodem.

Xmodem is a last-resort method of bringing a switch back from a usually inoperable state. The process below details a few ways to use Xmodem with an HP ProCurve 5400zl switch.

The first thing you need to understand is the baud rate and the impact it has on your transfer speed when using Xmodem. The console port on most network equipment is set to a baud rate of 9600. This is fine for normal console management needs. However, if you try to transfer an image at that standard baud rate, you are going to be waiting for a while!

In both scenarios below, I set the baud rate on the console port of the switch to 115200 (the maximum for the switch I was using). The difference it made was clear from the transfer time estimates. At 9600 baud, it was estimated that the 10MB image would take 3.5 hours to transfer. At 115200 baud the same image only took 40 minutes. 40 minutes is still a long time compared to the transfer times of TFTP or SCP, but it is the lesser of two evils in this case.

Xmodem within Software

Your first option for transferring a software image is to use Xmodem after the switch has fully booted the current software image. The image on my switch was in a broken but semi-functional state, so I was able to attempt this.

First enter configuration mode and set the baud rate on the console port.

configure terminal

console baud-rate 115200

Save the configuration and reboot the switch (this is required for the baud rate change to take effect).

write memory

reload

While the switch begins to reboot, terminate your current console session and start a new one using the new baud rate (115200 in this case). Don’t be alarmed if you do not see the usual information scrolling across the screen as the switch boots; the boot messages are sent at the old rate. Eventually you will again be presented with your usual login prompt.

Once you have logged into the switch, issue the copy command. The command below tells the switch to receive the image via Xmodem and write it to the primary flash storage.

copy xmodem flash primary

If this is successful, reboot the switch and ensure it boots the new image properly. To ensure the switch boots from primary flash storage, issue the following command:

boot system flash primary

After you are done, be sure to reset the baud rate on the console port to 9600 and then reboot the switch again.

configure terminal

console baud-rate 9600

write memory

reload

Xmodem from RoMon

In my case, I was not able to successfully transfer an image using the previous method because of the broken state of the software image. For this reason, I resorted to using RoMon (ROM monitor) mode.

RoMon mode must be selected before the switch begins to boot the software image. In the case of the 5400zl, RoMon mode is option “0” on the boot screen.

Once you enter RoMon mode, you will be presented with a prompt. The first thing you want to do is set the baud rate on the console port using the sp command.

sp 115200

After doing this, you will need to restart your console session using the new baud rate.

Now, issue the “do” command to initiate the download utility (you will be prompted to confirm).

do to start download utility

After you confirm, you can initiate the Xmodem transfer using your console program of choice. Since I was using SecureCRT, I used the “Transfer” menu to select “Send Xmodem”. After doing so, the transfer process will begin. Once the transfer completes, the image will be verified and then saved to the flash location you chose. If everything works, the switch will reboot using the new image.

Categories: HP Procurve

Pictures From Work

January 15th, 2010

I finally got around to uploading some of the pictures I took at my current place of employment. They are not great quality, since I took them with my BlackBerry. Below are a few of my favorites and the stories behind them. You can view the rest of the pictures here.

First up is a piece of equipment that was a major part of the network infrastructure at our largest building. We started getting complaints of poor network performance in the back quarter of the building, and I was quickly able to confirm these reports with my own testing. I had only been in my position for a short while, so I wasn’t familiar with all of the nuances of the network. Luckily the building tech was with me and mentioned that there was a “switch” in the ceiling in that part of the building; however, none of my network maps or scans showed this device. We go to the spot, I climb into the ceiling, and there is a 10 Mb device with all of its lights (activity and collision) lit! Apparently this thing had been there for years!

Next we have a switch that was mounted to the wall in a room. This is pretty common, but what really got me was that instead of removing the switch to paint the wall, they just painted around it! Even after I removed the screws that held it to the wall, I had to pry it off with a screwdriver since the multiple layers of purple paint were acting as an adhesive.

While you can’t help but laugh at some of this, it really has been a great opportunity for me as a network administrator. All seven of our buildings had networks in states similar to those depicted in the pictures above. This has given me numerous opportunities to put my network design skills to good use.

Categories: General

VMware Whitebox Build

November 30th, 2009

A while back I talked about building a VMware whitebox to run VMware ESX on inexpensive equipment. That was over a year ago and a few things have changed, so I figured an update was in order.

For the whitebox build I purchased a new motherboard, processor, and memory. This was based on the requirement that, at the time, ESX needed a SAS chipset on the whitebox motherboard. Over the past year ESX’s support for SATA chipsets has improved, so you may be able to save some money on the motherboard. Below is a complete list of the hardware used in my build.

  • Enclosure: Lian Li PC-V6000B ATX Mid Tower
  • Processor: Intel Xeon X3230 Kentsfield (Quad Core)
  • Motherboard: Asus P5BV-E/SAS
  • Memory: 4 x Wintec AMPX 2GB DDR2-800
  • Storage: Western Digital Caviar WD5000AAKS 500GB 7200 RPM 16MB Cache SATA-II
  • Hard drive Enclosure: Athena Power BP-SATA3051B 5-bay hot-swap SATA backplane
  • Power Supply: Enermax Noisetaker II EG425P-VE 420W

As you can probably tell, this used to be a file server that I built but decommissioned when a motherboard failure also took my data with it. One 500GB hard drive has been sufficient for both the ESXi installation and the storage of all of the virtual machines (thin provisioning works very well).

Initially I installed Ubuntu 64-bit as the host operating system, with VMware Server running on top of that. Additionally, I used GNS3 on the host to connect back to my lab equipment via the second NIC. Since then, VMware has made ESX (ESXi) freely available. I decided to install VMware ESXi 4.0 in place of the host OS, so that ESX can better manage the allocation of physical resources to each VM.

So far everything has been working out well. I have configured another vSwitch which connects to the second physical NIC and will be used to connect the VMs to the lab equipment. In the coming weeks, I will be creating a Linux VM and installing Dynagen to handle virtualization of some Cisco routers.

Categories: Virtualization