Periodically, I get a message from someone asking for troubleshooting help. The most recent of these went something like the following (paraphrasing)–
I have the following routers, R1 through R5, and I cannot ping R5 from R1. Please tell me what the problem is.
In these cases, I could review the configuration or import them into my lab. Inevitably, that might solve the problem for the individual. However, it doesn’t really help the individual solve problems in the future. I prefer to try to help others think through the problem and reach the solution on their own.
Given the symptom of R1 not being able to ping R5, what could that mean? My initial thoughts are– Continue reading
About a week ago, I took my wife’s van to the shop. The main issue was it was making a popping noise in the front end. I only observed the noise when steering sharply and the vehicle was in motion. Typically this occurred when parking. Although I was nearly certain this was an issue with a CV joint, I only told the mechanic about the symptoms we had observed.
The reason I didn’t lead the conversation to the CV joint is that I wanted the mechanic to look at the problem objectively. I knew he was the expert and I wanted him to solve the problem instead of replacing a part. In order to shift the responsibility, I needed the mechanic to diagnose the problem and create a plan of action.
Positioning IT Conversations to Solve Problems
At this point in my career, I have worked in various areas of technology. Over the years, I’ve had customers that tell me exactly what they think they need. In some cases, they’re correct. However, there are times that their solution does not fully solve the problem they are observing. On the other hand, some customers take a smarter approach and explain the problem they are trying to solve. Continue reading
A couple of months ago, Google announced that it had started using SSL as a factor in SEO ranking. Since the search giant is the referrer for most website traffic, this is the type of announcement that gets the attention of website owners.
Cloudflare, a popular and easy to implement Content Delivery Network, seems to be stepping up to this challenge. Even their free offering has an option to provide forward facing SSL services. As discussed on Packet Pushsers Priority Queue show 34, they are also modifying SSL in ways that allow them to provide services to organizations without the need to obtain the site owner’s private keys. The likely result of the offering is that many existing and many new Cloudflare customers will take advantage of their SSL services. Continue reading
Earlier today, I was listening to Risky Business show #341. In this show Matt Solnik discussed vulnerabilities that he attempted to share at BlackHat. I say attempted, because it sounds like they may have had some issues with audio/video during critical times of the presentation. Nonetheless, it seems like there are many vulnerable implementations of the open mobile administration device management (OMA-DM). I took a minute to dig up some of the videos published by Accuvant that makes this stuff real.
Over the Air Code Execution and Jailbreak
NIA-Based Lock Screen Bypass
Earlier this week I had breakfast with a very interesting group. One of those present had an extensive history with Cisco systems. We talked about his tenure and several of the projects that he had been involved in. For some reason, one that caught my attention was the sweep option that we find in the extended Ping utility. Although it is hard to believe, there was a point in time that this gem didn’t exist.
I’ve written a few articles about the challenges of path MTU discovery and the issues that arise when it misbehaves. Today’s article looks specifically at using a ping sweep and how it can be used to quickly identifying the path MTU ceiling. The topology used for testing is simple and shown below. Notice that the two top routers are connected by a link with a lowered MTU (1492).
Let’s step through the process that an administrator might go through when a networked application isn’t working correctly. He or she would likely determine the endpoints and confirm reachability. For this example, I am testing a connection between 192.168.1.1 and 192.168.4.4. The ping command is the tool of choice for confirming reachability. Continue reading
There is an occasional need for a DNS server in the absence of a dedicated host. This may occur in the following situations–
- Using PAT, Public DNS may return a non-RFC1918 address for internal server
- Lab/Demo Environment
- Other Name Resolution challenges in SOHO, SMB or Branch Office
When these corner-case challenges present, an IOS router may be beneficial by providing basic DNS functions. Assuming the router already has Internet connectivity, the configuration is straightforward–
//enable the dns server functionality
IOS-DNS(config)#ip dns server
//if public requests should be resolved, configure one or more name
//servers as resolvers and confirm domain-lookups are enabled
IOS-DNS(config)#ip name-server 188.8.131.52 184.108.40.206
Throughout this series, we have examined several fundamental building blocks of subnetting. In IP Subnetting Part 4, we looked at what was required to subnet a Class C network. This article takes the fundamentals one step further and looks at subnetting a Class A address. We will also add the complexity of crossing octet the octet boundary for both the subnet and the host portions of the address.
A Class A IP address has the following characteristics–
- I’s first octet begins with binary 0…….
- The first Octet will be in the range of 1 to 63 (0 is invalid)
- The first Octet (leftmost) represent the Network
- The last three Octets (rightmost) represents a Host on a network
You will also recall that a single network can be subnetting into multiple, smaller networks.
Using a consistent syntax, we could represent a Class A network as follows.
IP NAT is a very common configuration. One of the challenges that sometimes surfaces is the need for internal hosts to connect to the public address of a locally hosted server. Anyone who has tried to configure something like the following has likely faced this issue.
In this example, the top of the diagram represents the outside (Internet, ISP, or External Server), the left represents the DMZ area, and the bottom represents the inside. The goal is to enable dynamic port address translation for internal hosts and static port address translation for the host or hosts found in the DMZ area.
This configuration is fairly straightforward and typically covered in the CCNA curriculum. This includes identifying each interface as inside or outside and configuring the appropriate nat statements.
The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is almost immediately available after deployment.
There are five deployment modes for a Sourcefire Firepower appliance:
Passive and inline modes are the two deployment options for the Virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring. Inline mode allows the appliance to block offending traffic or communications that violates the configured policy. Following the installation guide is straightforward and should allow a security engineer to quickly get this solution up and running.
At this point in the PacketU subnetting series, we have worked through the following–
This article takes the concept of subnetting to the next step. Today we are going to look at the concepts required to subnet a Class C network. As we reflect on the Classful IP rules, we recall that a Class C network has the following characteristics–
- First octet begins with binary 110…..
- The first Octet will be in the range of 192 to 223
- The first three (three leftmost) octets represent a Network
- The last (rightmost) octet represents a Host on a network
We also know that this single IP network can be further subdivided into multiple, but smaller, networks. This process is known as subnetting.
Continuing with the syntax used in previous articles, we might represent a Class C Network as follows– Continue reading
I just wanted to take a quick moment to share a site Dan DeBusschere has created. This site is a list of very useful config snippets, information and links. Most of the content is focused on Datacenter and UCS. If you support this type of environment, check it out.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.
Today was a bittersweet day for me. It was my final day working with a great group of people at a prominent community bank. I have nothing but good things to say about the people, the organization, and the interesting projects I’ve been involved in. I’ll miss everyone a lot and plan to stay in touch.
Tomorrow I begin a new role as a Systems Engineer at Cisco Systems. I will be working with the SLED (public sector) sales team in Kentucky and West Virginia. In this role I hope to broaden my knowledge of networking components and spend time helping customers better position their technology infrastructures.
What this means for me–
I will be aggressively learning the Cisco Product lines, including areas that I previously had less exposure to. I will take advantage of the resources I have and marry my vision of the changing network industry to the components Cisco positions into higher education environments. My intentions include better understanding the roadmap and technical details as they pertain to the integration path from traditional networking to software defined approaches.
But what about…