A rare moment…

Read in a book, in an explanation of PEAP, the Protected Extensible Authentication Protocol:

This EAP method was developed in a rare moment of enlightened cooperation between Microsoft, Cisco and RSA Security

Lab: Layer 3 Switching Pt.3 – Inter VLAN Routing with Switched Virtual Interfaces (SVI)

With Switched Virtual Interfaces, a Layer 3 Switch can forward packets between networks on its own – no external Router required.

Compared to a normal Router with FastEthernet or GigabitEthernet interfaces, Layer 3 Switches using SVIs can forward packets between VLANs at backplane speed! To get an idea of how SVIs work, take a look at this graphic:

In this example we have 3 VLANs on the Layer 3 Switch: VLAN 20, 30 and 40. To be able to forward packets, IP routing first needs to be enabled on the Layer 3 Switch:

sw1(config)#ip routing

As we need a gateway for each VLAN, we simply assign the gateway IP address to the corresponding VLAN interface. Note that I left out the subnet mask in the image due to space restrictions. After that we bring the VLAN interface up using the no shut command. You should see the IP addresses assigned to your VLAN interfaces when using the sh ip int brief command.

Once your VLAN interfaces are up and running with an assigned IP address, your switch is ready to forward packets.
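Putting the steps above together, here is an added example configuration for the three SVIs followed by the checks I would run. It is not the lab's actual config: the VLAN names, the 10.0.x.0/24 addressing and the access port are assumptions.

```cisco
! --- Assumed example configuration, not the author's running config ---
! Create the VLANs in the VLAN database first: an SVI only comes up
! (line protocol up) when its VLAN exists and has at least one active port.
sw1(config)#vlan 20
sw1(config-vlan)#name USERS
sw1(config-vlan)#vlan 30
sw1(config-vlan)#name SERVERS
sw1(config-vlan)#vlan 40
sw1(config-vlan)#name MGMT
sw1(config-vlan)#exit
!
! Enable Layer 3 forwarding (disabled by default on the 3750)
sw1(config)#ip routing
!
! One SVI per VLAN, carrying that VLAN's default gateway address
sw1(config)#interface Vlan20
sw1(config-if)#ip address 10.0.20.1 255.255.255.0
sw1(config-if)#no shutdown
sw1(config-if)#interface Vlan30
sw1(config-if)#ip address 10.0.30.1 255.255.255.0
sw1(config-if)#no shutdown
sw1(config-if)#interface Vlan40
sw1(config-if)#ip address 10.0.40.1 255.255.255.0
sw1(config-if)#no shutdown
sw1(config-if)#exit
!
! Assumed access port, so VLAN 20 has a member and its SVI can come up
sw1(config)#interface FastEthernet1/0/1
sw1(config-if)#switchport mode access
sw1(config-if)#switchport access vlan 20
sw1(config-if)#end
!
! Verification: each SVI should show up/up with its address, and the
! three connected subnets should appear in the routing table
sw1#show ip interface brief | include Vlan
sw1#show ip route connected
```

An SVI whose VLAN has no active member port stays down/down even with an address configured, which is the usual reason a freshly configured gateway does not answer pings.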

Note: SVIs are also used to provide Layer 3 connectivity to a switch – for example if you want to access the switch via SSH or Telnet (seriously, do not use Telnet if you can use SSH).

The advantages of using SVIs to forward packets between your VLANs compared to using a Router or Router on a Stick are pretty obvious: Speed and Port density.

The disadvantage of this method is pretty obvious as well: It requires a Layer 3 Switch such as the 3750 I'm using in my lab.

Lab: Layer 3 Switching Pt.2 – Inter VLAN Routing with Router on a Stick

With the Layer 3 Switch set up in Pt.1 it is time to look at some basic concepts of Layer 3 Switching. The Router on a Stick concept is technically not Layer 3 Switching, since the packet forwarding (routing) requires a Router.

The basic concept of Router on a Stick is implemented by creating subinterfaces on a single physical Router port. After the switchport has been set to trunk mode (802.1q for you non-Cisco networkers), each subinterface is assigned a VLAN by setting its encapsulation to dot1q together with the VLAN ID.
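As an added example (mine, not the lab's actual config), here is both sides of a Router on a Stick setup for the three VLANs: the trunk port on the 3750 and the subinterfaces on a router. The port numbers, the router name R1 with its FastEthernet0/0 and the 10.0.x.0/24 addressing are assumptions.

```cisco
! --- Assumed example configuration, not the author's lab config ---
! Switch side: the port towards the router carries VLANs 20, 30 and 40 tagged.
! On a 3750 the encapsulation has to be set before the port can become a trunk.
! Only the VLANs that are needed are allowed; anything untagged lands in the
! native VLAN (1 by default), so keep that in mind when the router uses VLAN 1.
sw1(config)#interface FastEthernet1/0/24
sw1(config-if)#description Trunk to R1
sw1(config-if)#switchport trunk encapsulation dot1q
sw1(config-if)#switchport mode trunk
sw1(config-if)#switchport trunk allowed vlan 20,30,40
sw1(config-if)#end
!
! Router side: one subinterface per VLAN on the single physical port.
! The physical interface gets no address, it just has to be up.
R1(config)#interface FastEthernet0/0
R1(config-if)#no ip address
R1(config-if)#no shutdown
R1(config-if)#interface FastEthernet0/0.20
R1(config-subif)#description Gateway VLAN 20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 10.0.20.1 255.255.255.0
R1(config-subif)#interface FastEthernet0/0.30
R1(config-subif)#description Gateway VLAN 30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 10.0.30.1 255.255.255.0
R1(config-subif)#interface FastEthernet0/0.40
R1(config-subif)#description Gateway VLAN 40
R1(config-subif)#encapsulation dot1Q 40
R1(config-subif)#ip address 10.0.40.1 255.255.255.0
R1(config-subif)#end
!
! Verification on each side: the trunk must list the VLANs as allowed and
! active, and the router must show one up/up subinterface per VLAN
sw1#show interfaces trunk
R1#show ip interface brief
R1#show vlans
```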

This concept should work with any switch that supports VLANs. Another advantage of this concept is the fact that only one Router port is required in order to forward Layer 3 packets between the VLANs. The downsides however are a single point of failure and possible congestion (depending on the number of VLANs and bandwidth utilization).

Coming up next: Inter-VLAN Routing with Switched Virtual Interfaces (SVI) and Routed Ports which require Layer 3 switches.

Lab: Layer 3 Switching Pt.1 – Preparing for v6 requirements

Preparing the Layer 3 Switch for v6

Before setting up the lab switches for some basic Layer 3 functions, I will upgrade the IOS images to make sure I can use v6 in the lab environment as well.

3750-1#show boot
BOOT path-list : flash:c3750-ipbase-mz.122-25.SEB4/c3750-ipbase-mz.122-25.SEB4.bin

Since the 3750 is currently running an IP Base image, I will need to upgrade it to an IP Services image to be able to use advanced Layer 3 functions for v6 routing. In the Base versions for the 3750, only static v6 routes and RIPng are available.

So I grabbed the newest 3750 image from the Cisco web page (requires a login account, but a guest account will suffice for the 3750 image). Another benefit of the IOS upgrade will be improved security, since the current image lacks crypto functionality. This means no SSH; the lack of HTTPS can be neglected since we do not enable the http server or the secure-server (HTTPS) on the device. The K9 tag in an image name refers to crypto features such as SSH, so make sure your production equipment supports it.

Since the flash space was insufficient to store both the IP Base and the IP Services image, I will have to delete the current IOS, which can be done while the switch is running since the running IOS image lives in RAM.

Make sure to back up your current IOS image to a TFTP server, just in case.

3750-1#del /force /recursive c3750-ipbase-mz.122-25.SEB4

The /force and /recursive options delete the complete image directory and bypass any confirmation prompts when deleting files. You will want this in case you did in fact have the web interface set up, since otherwise it will ask for confirmation on a huge number of files.

#copy tftp://10.1.1.1:/c3750-ipservicesk9-mz.122-55.SE6.bin flash:/
Loading c3750-ipservicesk9-mz.122-55.SE6.bin from 10.1.1.1 (via Vlan123): !!!!!!!!!!!

Now would be a good time to grab a cup of coffee. Once this is done, we will boot the new image from global config mode:

3750-1(config)#boot system switch all c3750-ipservicesk9-mz.122-55.SE6.bin

Then reload from enable mode to boot into the new IOS image.
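Added example (my own command sequence, not the author's session): the same upgrade with a backup of the old image, an integrity check of the downloaded image, and the SSH setup the crypto image makes possible. The TFTP server 10.1.1.1 and the file names are taken from the post; the domain name, the RSA key size and the MD5 placeholder are assumptions.

```cisco
! --- Assumed example, not the author's exact session ---
! 1. Check what is running and how much flash is free before deleting anything
3750-1#show version | include IOS|uptime
3750-1#dir flash:
!
! 2. Keep a copy of the running image off-box first
3750-1#copy flash:c3750-ipbase-mz.122-25.SEB4/c3750-ipbase-mz.122-25.SEB4.bin tftp://10.1.1.1/c3750-ipbase-mz.122-25.SEB4.bin
!
! 3. Fetch the new image and compare its MD5 with the checksum shown on the
!    Cisco download page (placeholder below, substitute the real digest)
3750-1#copy tftp://10.1.1.1/c3750-ipservicesk9-mz.122-55.SE6.bin flash:/
3750-1#verify /md5 flash:c3750-ipservicesk9-mz.122-55.SE6.bin <md5-from-download-page>
!
! 4. Point the boot variable at the new image, confirm it, save and reload
3750-1#configure terminal
3750-1(config)#boot system switch all c3750-ipservicesk9-mz.122-55.SE6.bin
3750-1(config)#end
3750-1#show boot
3750-1#write memory
3750-1#reload
!
! 5. After the reload, confirm the k9 image is running and turn on SSH,
!    which the old IP Base image could not do (domain name is assumed)
3750-1#show version | include IOS
3750-1#configure terminal
3750-1(config)#ip domain-name lab.example
3750-1(config)#crypto key generate rsa modulus 2048
3750-1(config)#ip ssh version 2
3750-1(config)#line vty 0 4
3750-1(config-line)#transport input ssh
3750-1(config-line)#end
```

If the verify step reports a mismatch, do not set the boot variable: reload the image from the download page and check again rather than booting a file that did not arrive intact.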

In the next part of the Lab, I will demonstrate Inter-VLAN Routing using a trunk connection to a router (Router on a Stick) and Switch Virtual Interfaces (SVIs).

Final Preparations for the CCNA Exam / Building my CCNA/CCNP lab

So I finally decided to take the CCNA exam – 12 years after going through a great portion of the topics during my training as an IT professional.

Since my vocational college was (and still is) a Cisco Networking Academy (1999-2003) we used the Curriculum as a part of our daily lectures and they have given me both the knowledge and the motivation to dig into one of my favorite areas of IT engineering.

Back when I set up my first 10Base2 Local Area Network at the age of 15, I knew practically nothing about IP addresses and how to deploy them correctly. At some point, I got the 192.168.1.1/255.255.255.0 thing right and Local Area Network gaming opened up a whole new world to us. Keep in mind, back then most of the kids our age had only limited access to the internet.

Together with the GNU/Linux Operating System networks not only became my profession, but also my passion.

The last few years I spent designing, implementing and troubleshooting medium sized networks in a university campus environment. After recently planning and deploying a medium sized wireless network (130 Lightweight Access Points), my next two candidates on the list of exploration (and at some point perhaps mastering) will be BGP and MPLS at a CCNP level, so I might as well take the CCNA on my path and then go for the CCNP. Even with many years of experience the CCNA exam will definitely not be a cakewalk, since there are always some gaps that need to be filled (Frame-Relay, y u no go extinct!) and the exam has a reputation for being hard.

My Lab is still missing some WIC-1T cards + DCE/DTE crossover cables, but then I should be good to go.

Hacking Customer Quality Assurance

So I recently bought some (refurbished) Cisco equipment for my CCNA/CCNP lab, a 2620 and a 2621 to be precise. I bought both of them from the same company although there was a small, but important difference.

The 2620 placed in my first order went to my home address, but since I am building the Lab at my office I decided to have the 2621 shipped to my company address to spare me the logistics. Turned out this decision made quite a difference when both products arrived. (I bought the 2620 about 5 days ahead).

The 2620 could not boot the default IOS due to the following error:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 16384 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x403b9c
Self decompressing the image : #####....]
INSUFFICIENT MEMORY TO LOAD IMAGE!  
I/O memory percentage cannot be adjusted.

Checking the Cisco IOS image downloads, I noticed that the IOS image shipped on the 2620 requires at least 32MB DRAM, like any other 2620 image listed there (the bare minimum is 32MB DRAM, 8MB flash). However, the Router was only equipped with 16MB of DRAM, making the Router unusable even with the minimum feature IOS for the 2620.

Now since the Hardware was probably refurbished, it is clear that some memory was replaced or removed, but not in a fashion that allows the Router to boot the IOS image. Looks like somebody did not even boot up the Router to see if it works. Probably a mistake (to err is human, after all).

When my 2621 arrived (addressed to my company address) the package also included a “Testing Protocol” – basically a show version printed on a piece of paper. Someone actually took the time to boot it up, connect to the console port and copy & paste the output to add the print along with the product. As a customer, this assures me that someone took the time to verify the functionality of the Router.

I do not know if that was just coincidence, but it does seem to indicate that quality assurance is handled differently depending on the shipping address. I will post an update on the situation.

But looks like the tl;dr of the whole story is: Use a corporate address if you can.

Pinpointing an Access Point in a Cisco WLC environment

Managing a large number of Wireless Access Points (100+) in a campus environment can be a real hassle. Luckily, nowadays large scale wireless deployments are backed by semi-intelligent infrastructure such as wireless controllers like the WLC5508 by Cisco.

An inventory of your access points is important in order to improve your response time in case of an outage or when serious RF issues occur. In a well deployed environment these types of incidents hardly matter due to redundancy, but depending on your wireless coverage they may reduce performance for users when they connect to a different access point.

Since network environments, like all infrastructure components in an IT environment, are constantly growing to maintain scalability, documentation and inventory might be neglected, making it hard to locate certain equipment. Access points should always carry some sort of human-readable identifier with information on the location (building, floor, room etc.).

Let's say you have a Cisco AP with the AP name AP45678321 and need to locate it. Here are some ways to track it down.

  • Connected users are an indicator of the rough position of the access point. If Bob and Alice are connected to the specific AP and you know where they are located in a building, you should be able to make a rough estimate of the switch the AP is connected to.
  • If you roughly know which switch to check, use CDP (if enabled) to find the port the AP is attached to:

 show cdp neighbors

  • You can also use the human discovery process to locate a specific AP by placing it into debug mode and flashing its LED.

On the WLC, enter

debug ap enable AP45678321

to enable debugging, then flash the LED using

debug ap command “led flash <seconds>” AP45678321

where <seconds> is a value from 1 to 3600.

This should help you find a specific Access Point without going completely mad.

Visualizing the Internet takedown in Egypt with bgplay

BGP is often used to censor the Internet on behalf of a government.

From the technical side this is an interesting process when you ask yourself “How would a government shut down the Internet if it had to or wanted to – and is this even possible?”

Well, the current situation in Egypt shows that a government-backed takedown is possible.

From the bgpmon blog: http://bgpmon.net/blog/?p=450

Different media are reporting that Internet and other forms of electronic communications are being disrupted in Egypt. Presumably after a government order in response to the protests. Looking at BGP data we can confirm that according to our analysis 88% of the ‘Egyptian Internet’ has fallen off the Internet. In this post I’ll share some observations I made with regards to the reachability of Egyptian networks and providers.

The article lists the biggest ISPs in Egypt and the prefix changes observed. Using the Autonomous System Number (ASN), you can visualize the BGP route announcements.

The most notable prefix changes involve AS8452, AS24863 and AS36992.

Go to http://bgplay.routeviews.org (requires Java) and set the timeframe around 2011-01-27 at around 10PM and watch.
With all prefixes removed, LINKdotNET-AS (AS24863) with the prefix 62.135.0.0/17 shows the greatest impact.

By the way, one of the most notable events of recent years involving BGP was the failed censorship of YouTube by Pakistan Telecom. I recommend watching this video before looking at the Egypt situation, because it includes commentary on what is happening.