Friday, December 30, 2011

DHCP Based Security Part 3: Dynamic ARP Inspection

This post closes out a 3 post series on DHCP based security technologies for the Cat3560 (among others) switching platform.  We first took a look at DHCP Snooping, and then we built upon that with IP Source Guard.  Finally, we've come to Dynamic ARP Inspection, or just DAI.

DHCP Based Security Part 2: IP Source Guard

This is post two in a three post series on DHCP based switching security technologies.  Previously I looked at DHCP Snooping, and now I'm going to look at IP Source Guard.

Thursday, December 29, 2011

DHCP Based Security Part 1: DHCP Snooping

There's 3 related switching security technologies for which I've had draft posts sitting around for some time now. I'm finally getting around to publishing them as I study away for my second lab attempt. I know it's the silly little technologies like these ones that can show up on a Lab and cause grief, so hopefully I don't forget all this come Jan 13th.

The first one we're going to look at is DHCP Snooping. 

Thursday, December 22, 2011

Simple IPv6 Multicast Configuration

IPv6 Multicasting is something that's been confusing me a bit lately.  I think I finally have the basics figured out...  And I'm going to put there here so that you can read all about it.  Because you want to read all about it. Don't you?

I thought so.

Tuesday, November 15, 2011

Lab Attempt #1

As previously stated I had my first attempt at the CCIE Lab exam on Nov. 7.  I'm sure you've all likely figured out that I did not pass since there hasn't been any fanfare or celebration on my part.  But it was a learning experience and I don't really have any regrets about not being able to pass on the first go. 

During the  boot camp I took the week before Marko Milivojevic told me, and the rest of the class, that we all had a fighting chance of passing.  Well it turns out he was right.  I did have a fighting chance, but that was about it.  For me to have passed on the first go it would have required more luck than skill, and I don't really want this cert if it's because I'm lucky.

So, for those of you interested, here's how my day went.

Saturday, October 29, 2011

Living the Dream

At last.  It's time.

Tomorrow I fly out to San Jose. I'm doing a 5 day boot camp next week, and then Monday Nov.7 I'll be attempting the CCIE Lab exam.  The last year and a half is about to culminate in one intensely immersed few days of routing, switching, and general conf t awesomeness.

I'll see you all when I get back.


Friday, September 9, 2011

Interesting Colubris Hack

I got sent out on a hands and feet job today as a favour to another company who we have a customer in common with. I guess these guys have seen this before... The Colubris routers apparently sometimes incur a power supply failure that you can work around by connecting a regular pc power supply in its place. I thought this was pretty clever so I'm posting a picture.

Tuesday, August 30, 2011

Lab Date Booked

I've been rather terrible at updating this thing again...  I'm really a rather terrible blogger aren't I?

Don't answer that.

Well one thing I have been doing is putting the plan into motion, and to that end today I booked a Lab exam date.  Nov. 7 I'll be walking into Cisco in San Jose and finally taking this big bad test.

I have a lot of work to do between now and then.  Let the good times roll :)

Monday, July 11, 2011

IINS 640-553 OCG Winner!

Thanks to everyone that sent in a submission for my book giveaway.  It was actually a tough decision but in the end I've awarded the book to Martin, a CCNA from Slovakia who's interested in pursuing the CCNA Security to help him further his career.

It would also seem that Martin has talents out side of networking...  He has mentioned to me that it would be alright if I mention his website, so I figure I'll oblige him ;)

Good luck on the CCNA-Sec Martin!  I look forward to hearing about your progress in the coming months.

Sunday, June 19, 2011

1000 Page Views!

Sometime last night while I was sleeping the page view count for this month hit the 1000 mark.  While this is a very small number compared to any real site out there it is for this site I think a milestone that I'm going to make a post about.

I'm pretty sure that about half of the 1000 page views so far this month were wirerat trying to solve the Networking-Forum Easter Egg Contest.

If you read this blog regularly then thank you.  If you're just passing by then I hope you come back, but thanks for checking things out.

The previous monthly page view high mark was last month at 853.

IPexpert IOU Topology

IOU has been leaked.  L2IOU has been leaked. It was only a matter of time before someone did this...  Might as well be me :)

Here's a NETMAP file that recreates the IPexpert CCIE R&S topology, and a wrapper script to start it. And as my special gift, a bash script to convert the config files provided by IPexpert to a format that (L2)IOU can work with.

I might do up some diagrams at some point, but for now you'll have to figure it out from these text files. 


Monday, June 6, 2011

IPv6 for Enterprise Network Book Review

Networking-Forum and CiscoPress hooked me up with a promo copy of this new book in return for a review.  That review has no been published and you can find it at

Wednesday, June 1, 2011

So I have this book lying around doing nothing...

Right before I started this blog, and my path to the CCIE, I was a newly minted CCNP looking for my next step.  At the time I had thought that I wanted to go after a CCSP in the short term, with a CCIE after that.  Well, life doesn't always work out the way you think it will.  Instead of this path I ended up being head-hunted by my current employer who was looking to make me a CCIE.

Great story eh?  What does this have to do with you?  I'm glad you asked.

In preparation to go after the CCSP I bought myself a copy of the CCNA Security Official Exam Cert Guide (IINS 640-553).  I've never read it.  I've barely ever opened it.  The CD in the back is still sealed.  And it's extremely unlikely that I'm ever going to read it.

So I'd like you to have it.

Tuesday, May 31, 2011

IP Subnet-Zero

I thought it would be interesting to take a little stroll through history and look at something that really isn't relevant to today's network, but was something that you weren't allowed to use in days gone by.  As the blog title says, that something is IP Subnet-Zero.
What is IP Subnet Zero?  Well, it's a legacy command on Cisco routers the controls whether or not the use of the all zeros subnet is permitted.  What's the all zeros subnet?  To properly understand what the all zeros subnet is we need to first remember what classful networking was, and how things all got started in IP beginning with RFC 791

Tuesday, May 3, 2011

IOU Lab Topology #2

As I mentioned in my first IOU topology post I more frequently use another topology that has turned out to be better suited for my labbing needs than my first attempt.  Well, here is that topology.

Monday, May 2, 2011 CCNA Specialization Scholarship

Just like the previous NF CCNA Scholarship Steve is again offering up to provide someone with the materials and costs associated with obtaining a Cisco CCNA certification, but this time it's for one of the specialization tracks.  Are you already holding a valid CCNA? Do you want a CCNA Security?  Or voice?  Well here's your chance.

Good luck to everyone!

Saturday, April 30, 2011

IOU Lab Topology #1

Some time ago Cisco's IOU was leaked out to the web.  I was able to get a copy (don't ask where, I won't help you) and have managed to get it set up on a spare box at home.  There are a couple of really good tutorials on the Web that explain how to get it set up and working and how to build a lab topology.  I've built two topologies so far that I use to lab things up when needed, and I'd like to share the first with you now.

Monday, April 4, 2011

Lock-and-Key Security (Or how I learned to love the Dynamic ACL)

After a great February of blogs (for me anyway) I didn't manage to get a single post out in March.  Oddly enough March turned out to be a new record for pageviews...  Weird eh?

At any rate, I did do up another guest blog post for Steve on on Lock-and-Key security..  If you're interested I encourage you to head on over and check it out.

I hope you enjoy it.

Thursday, February 24, 2011

IPv6 Will Make You Think Differently: We Don't Need No Stinking FHRP

I got into a discussion about the availability of HSRP for IPv6 being in higher end Cisco platforms but not the lower ones.  I didn't think too much of the question when first saw it, but in reading up on IPv6 last night I came across some of the details in Neighbour Discovery that I thought might be a good replacement.  Deep within RFC 2461 lies section 6.3.6:

6.3.6.  Default Router Selection

   The algorithm for selecting a router depends in part on whether or
   not a router is known to be reachable.  The exact details of how a
   node keeps track of a neighbor's reachability state are covered in
   Section 7.3.  The algorithm for selecting a default router is invoked
   during next-hop determination when no Destination Cache entry exists
   for an off-link destination or when communication through an existing
   router appears to be failing.  Under normal conditions, a router
   would be selected the first time traffic is sent to a destination,

   with subsequent traffic for that destination using the same router as
   indicated in the Destination Cache modulo any changes to the
   Destination Cache caused by Redirect messages.

   The policy for selecting routers from the Default Router List is as

     1) Routers that are reachable or probably reachable (i.e., in any
        state other than INCOMPLETE) SHOULD be preferred over routers
        whose reachability is unknown or suspect (i.e., in the
        INCOMPLETE state, or for which no Neighbor Cache entry exists).
        An implementation may choose to always return the same router or
        cycle through the router list in a round-robin fashion as long
        as it always returns a reachable or a probably reachable router
        when one is available.

     2) When no routers on the list are known to be reachable or
        probably reachable, routers SHOULD be selected in a round-robin
        fashion, so that subsequent requests for a default router do not
        return the same router until all other routers have been

        Cycling through the router list in this case ensures that all
        available routers are actively probed by the Neighbor
        Unreachability Detection algorithm.  A request for a default
        router is made in conjunction with the sending of a packet to a
        router, and the selected router will be probed for reachability
        as a side effect.

     3) If the Default Router List is empty, assume that all
        destinations are on-link as specified in Section 5.2.

Let's take a look at how we can use this to our advantage.

Monday, February 21, 2011

What the Heck is EIGRP Named Configuration?

While doing some MPLS labbing this week I came across something that I'd never seen before.  I decided that I wanted to use EIGRP as my PE-CE routing protocol, and I was using one router to simulate 4 CE's.  My line of thinking was that I'd just create four VRFs and it'd be no problem.  For some reason it never occurred to me that I could use 4 separate EIGRP instances in my config...  I instead just assumed that I could do a VRF aware EIGRP config without any trouble.  Well, I was wrong.  At least I was wrong in the way I originally tried to get it working.  So after a 'no router eigrp 1' I headed over to the DocCD and found me some EIGRP Named Configuration.

Sunday, February 6, 2011

Tips and Tricks: Saving Device Configs with Mac OS X Terminal

One of the age old techniques to save your device config is to simply issue a "sh run" (or equivalent on non-Cisco devices) and copy and paste the resulting output into a text file.  This method certainly works in the absence of at TFTP server, but it's kind of a pain and when you have a few devices it becomes time consuming in a hurry.

In a Windows environment I use PuTTY.  PuTTY has a built in feature that allows you to save the terminal session you're working on.   At home I have a Mac.  To that end, here's how I save configs if there isn't a TFTP server available.

Tuesday, February 1, 2011

How IOS Cheats When Using the Network Command

When you type a command into the IOS CLI you normally expect IOS to execute your instruction as typed.  You don't expect IOS to modify what you typed, or to assume you meant something other than what you actually typed in.  In fact, to me that behavior is extremely undesirable.  I understand there are some assumed defaults where if you omit certain keywords then IOS imposes on for you.  That's fine.  But sometimes IOS changes what you typed in to something completely different.  The network command contains one such example.

Wednesday, January 26, 2011

Book Review: CCIE Routing and Switching Certification Guide 4th Edition

As part of studying for the CCIE R&S Written exam I got myself a copy of the CCIE Routing and Switching Certification Guide 4th edition by Wendell Odom, Rus Healy, and Denise Donahue.  This is the newly revised version for the CCIE R&S v4 written exam that came out very shortly after the new version of the exams did, and it's also the updated version of a book that's been around for a very long time.

I used this book extensively in my written exam preparation, and now that that piece is completed, I wanted to briefly reflect on this text and the role it played.  It was certainly a love/hate experience, and if you are considering this text in your own studies then you should definitely be aware of a few things prior to purchasing this book. 

Saturday, January 22, 2011

Retro Post: Session Initiation Protocol: Evolution in IP Telephony Signalling

Since I'm into retro posts this morning, here's another oldie circa 2005.  This was an assignment from when I was in school.  Looking back it's not very useful...  But hey, what the heck, right?

Retro Post: An Introduction to Subnetting

Back in about 2003/4 I wrote a tutorial on subnetting.  I posted it up on a couple forums that I frequented at the time and then forgot about it.  I came across it about again about a year ago, and then today I actually dug it up to reference it in a post I was making.

Since its mine, I decided that I would post it up here now.  I think it's fun to go back to when I was getting my start in Networking and see some of the sorts of things I wrote back then.  So without further ado, get into the time machine and enjoy this old, very basic tutorial.

Wednesday, January 19, 2011

Written down. Lab to go.

I passed the 350-001 CCIE Routing and Switching Written test today.

Onwards to the lab!

Sunday, January 9, 2011

The Mess that is QoS in Layer 2

Since I looked at QoS Classification and Marking in the IP Header I figure I might as well finish it off and go over the same topic at Layer 2.  I kept the title, but in reality it's not that bad here.  There's a lot more consistency between the various Layer 2 technologies and things seem to translate pretty well.  The only real challenge comes into play when you need to start translating a Layer 2 marking to a Layer 3 marking, and vice versa.  I'll get to that in a bit, but first lets look at what we have to work with.

Saturday, January 8, 2011

The Mess that is QoS in the IP Header

If there's a group of people out there that should be drug out into the street and shot it's the jackasses that designed QoS classification and marking in the IP . More specifically, the jackasses that decided we needed multiple definitions of the same bits and different bits at different layers. I sometimes wonder if the only reason that QoS classification and marking is this way is so that vendors, like Cisco, can test you on it.

At any rate, things are the way they are and we must learn it.