Tuesday, December 23, 2008

The Magical Forward Slash

I was on a Cisco TAC support case a couple of years ago where the support engineer created a WebEx session to gain control of a Cisco router to assist with troubleshooting an issue I had.

As he was looking through various parts of the configuration, he entered a 'show run' command and hit the forward slash key (/) with interesting results.

The engineer didn't want to give me any information about this apparently hidden command. So, I did some investigative testing.

As it turns out, the forward slash key works as a parser, teleporting you to the part of the configuration defined by the text entered after the forward slash.

For example, suppose you would like to see the configuration of the console port and VTY interfaces. You could type 'show run | b line con 0', or you could use the following example.

Enter 'show run' on a router or switch. Once the first page of the configuration is displayed, hit the forward slash key. The 'show run' command is paused and you are prompted with a new line preceeded by a forward slash. Type 'line con 0' and hit enter. The 'show run' command jumps to the line con 0 section and begins showing the configuration starting at that point.



This is an extremely useful feature that I find myself using all the time.

Monday, December 22, 2008

World's First Computer Rebuilt, Rebooted After 2,000 Years

A British museum curator has built a working replica of a 2,000-year-old Greek machine that has been called the world's first computer.

Check out the Antikythera at Wired.

Friday, December 12, 2008

Free Software Foundation sues Cisco

Read the Cisco Subnet blog post, regarding a Free Software Foundation law suit.

What Is a Web Application Firewall?

Check out Ivan Pepelnjak's blog on Fragments about Web Application Firewall.

What is a Web Application Firewall?

Monday, December 8, 2008

CheckFree Attack Caused By Compromised Network Solutions Credentials

Check out this Security Fix blog post by Brian Krebs regarding the CheckFree compromise. CheckFree's Network Solutions account was compromised, allowing their web site traffic to be redirected to servers in the Ukraine designed to install software to steal passwords.

It is scary to think that, even with secured perimeters, intrusion detection, and the like, there is always a weak link in the chain.

I wonder if Network Solutions, and other domain registrars are considering some other method of authentication, like two-form authentication tokens?

Digging Deeper Into the CheckFree Attack

Procrastinators really bug me!

Academics has invented a mathematical equation for why people procrastinate!

http://tinyurl.com/6f7e94

Sunday, November 30, 2008

Actually fixing network delays with the switchport host command - part deaux.

In one of my first postings, I wrote about fixing network delays with the switchport host command. But, I neglected to describe the switchport host command.

The switchport host command is a macro command that optimizes the port for a layer 2 host connection. It does this by enabling some features and disabling other features.

Entering the switchport host command on a switchport does the following things with a single command:
  1. sets switch port mode to access
  2. enables spanning tree Port Fast
  3. disables channel grouping

The switch port mode access command sets the port to access unconditionally and operates as a nontrunking, single VLAN interface that sends and receives nonencapsulated (non-tagged) frames. An access port can be assigned to only one VLAN.

As discussed in the previous article, the switchport host activates spanning tree port fast feature, so the switchport host command should only be used on ports that are connected to a single host. Connecting other switches, hubs, concentrators, or bridges to a fast-start port can cause temporary spanning-tree loops. This could cause the dreaded network melt down.

However, enabling the switchport host command decreases the time that it takes to start up packet forwarding from about 30 seconds to almost instantaneous. This is a real plus for the network users, and dramatically speeds up their ability to log onto the network and access resources.

Disabling channel grouping prevents the possibility of automatically creating an Etherchannel using PAgP (Port Aggregation Protocol).

Activating the switchport host command is as easy as selecting the port and entering the switchport host command.


For more information, see the Cisco Catalyst 3560-E switch command reference. This command has been around for awhile, at least since the 12.1 IOS code, so it should work on almost any switch in your infrastructure.

As a best practice, make the switchport host command part of your standard configuration for all of your workstation, printers, and non-virtualized server ports.

Happy trails...

Friday, November 21, 2008

Cisco Introduces VN-Link - Virtual Switch for VMWare

The details are still sketchy, and I'm not sure I understand all the pieces. But, Cisco has just introduced a product that replaces the built-in virtual switch within VMWare's ESX product. This new product is called the VN-Link, or Nexus 1000V.

This new software switch provides the glue between the virtual servers and the network. The magic behind the curtain is a new protocol called Network Interface Virtualization (NIV). Developed jointly by Cisco and VMWare, NIV has been presented to IEEE for ratification as an open standard.

NIV is used to communicate host moves from one physical server to another, in conjunction with the Nexus 5000 top-of-rack switch. Another feature called the N-Port Virtualizer (NPV) is a function currently available on the Cisco MDS 9000 family of multilayer switches that allows storage services to follow a virtual machine as it moves.

More explanation from Cisco's site -
This tight coupling of the virtual machine to both network and storage services enables policy and security to be managed at the virtual machine and for those services to follow the virtual machine as it moves when features such as VMware's dynamic resource management are used. Cisco VN-Link also provides visibility down to the virtual machine level, simplifying management, troubleshooting, and regulatory compliance. Further, Cisco VN-Link allows the server, storage, and network teams to collaborate more closely while still maintaining team autonomy. For example, the server administrator can add or move a server or virtual machine without having to call the network or storage team or to take on storage or network responsibilities. Similarly, each team can continue to use its favorite management and operations tools.
Ultimately, this provides a real Cisco switch inside the VMWare virtual environment, giving the network team the tool-set that we are accustomed to using in the physical network world.
Cisco VN-Link combines data-center class network security with operational segregation to meet the security challenges of today's virtual server environments. The Cisco Nexus 1000 and Nexus 5000 Series switches support roles-based access control (RBAC) and authentication, authorization, and accounting (AAA) to help ensure that proper change control can be implemented and audited. RBAC and AAA coupled with Cisco VN-Link provides operational separation between server and network administrators so that security policies can be enforced without sacrificing the flexibility of server administrators to rapidly provision VMs. Cisco VN-Link also supports ACLs and private VLANs, enabling server administrators to virtualize a whole new set of applications that would otherwise require dedicated physical servers for security.
The Nexus 1000V is the first installment of what will likely be some very interesting solutions to re-focus the blurred line between server virtualization and network connectivity/monitoring.

For more information about Cisco VN-Link, visit http://www.cisco.com/go/vnlink, and by watching TechWiseTV Episode 38: Accelerating Virtual Machines.

As more details become available, I will pass them along here. I welcome your comments.

Thursday, November 20, 2008

Secret German IP Addresses Leaked

From Bruce Schneier's blog: Secret German IP Addresses Leaked.

Original content found on WikiLeaks.

Proof that once it's leaked to the Internet, there is no taking it back!

IOSMap:Cisco router port scanner

From the Security4all blog: an interesting white paper was recently published by Robert VandenBrink in the SANS Reading Room related to using an NMAP'ish port scanner on Cisco router's. IOSMap is a TCL script application.

Interesting read - http://tinyurl.com/69vshg

Wednesday, November 19, 2008

Fix Switchport Delays with Spanning-tree Port Fast Command

Recently, I was engaged to assess a client's network and plugged my laptop into a switch port in their boardroom. After a couple of minutes, I finally got an IP address. I was surprised to learn that spanning-tree portfast was not enabled on any of the switch ports.

According to Cisco's reference guide:
"When the Port Fast feature is enabled, the interface changes directly from a blocking state to a forwarding state without making the intermediate spanning-tree state changes."
This basically means that the switch port automatically assumes a workstation will be attached, instead of another switch. Sounds great, huh? Everybody gets an immediate link light and an IP address.

Well, if a switch is attached to this port, it could create a topology loop and cause a data packet loop resulting in a network melt-down. But, another feature prevents the network melt-down worst case scenario, BPDU filter and guard.

BPDU is part of the Spanning-tree protocol. To learn more about BPDU, and Spanning-tree, visit Wikipedia -
http://tinyurl.com/5gsycd, or this Cisco link - http://tinyurl.com/yqfvhw.

BPDU filter
prevents the switch interface connected to end stations from sending or receiving BPDUs.

BPDU guard will place the interface that receives BPDUs into an error-disabled state. This prevents the possibility of creating a layer 2 loop.

So, let's get to the commands.

First, to activate the
spanning-tree portfast feature, there is a couple of ways to do it:
  1. On a per port basis, the command is spanning-tree portfast.
  2. On a global switch basis, the command is spanning-tree portfast default.
The default keyword on the end of the command activates portfast on all nontrunking interfaces.

Second, to activate BPDU filter in a global configuration mode, the command is
spanning-tree portfast bpdufilter default.

Third, to activate BPDU guard in a global configuration mode, the command is spanning-tree portfast bpduguard default.

Next time, we will discuss a macro command that activates spanning-tree portfast and a couple of other features that should be used on each switch access port.

Tuesday, November 18, 2008

The first day of the rest of my blog!

My very first blog post! Seems like a major commitment for somebody that has gotten used to Twitter.

Well, we'll see what happens.

I hope to have semi current posts related to Cisco, VMWare, general networking, and security.

With the wealth of information available, I'm not sure how original it will be. But, I consider this an experiment - an experiment to see if anybody will really be interested to read what I have to say.