20 05 2013

Just packing (I’m moving house on Friday) and came across this. Everyone has to start somewhere, I guess! 😉


Teaming with Broadcom NICs

25 04 2013

I’m in the process of installing new Cisco 3750 switches to replace some ageing Dell models. The setup for the servers will be a minimum of two network cards, each uplinked to a different node of the two-node 3750 stack.

When everything is working this means 2Gbps of aggregate bandwidth between the server and the switch (and to any other servers or switches connected with at least a 2-port EtherChannel). If an individual switch in the stack or an individual NIC fails, connectivity drops to 1Gbps, kicking off plenty of network monitoring alerts, but still functions. There is therefore no *single* point of failure.

My “practice” server had two Broadcom NICs, so I installed the BACS4 software available on the Broadcom site. I already have BACS3 on another server, so I was relatively familiar with the user interface.

However, try as I might, I could not get a context menu to appear when right-clicking on the “Teams” menu item to create a new team.

Short answer – this is caused by User Account Control (UAC), and can be remedied by launching the Broadcom Control Suite 4 from the Control Panel ‘As Administrator’.

While I’m writing about this, I may as well detail the settings.

I chose the “802.3ad Link Aggregation using Link Aggregation Control Protocol (LACP)” option in the BACS software. This is the industry-standard link aggregation protocol (as opposed to, for instance, PAgP, Cisco’s proprietary link aggregation protocol).

On the Cisco switch end, I used the following config to create the Port-channel:

interface po X
 switchport mode access
 switchport access vlan XX
 no shut

I then configured the individual switch ports as follows:

int gi 1/0/XXX
 switchport mode access
 switchport access vlan XX
 channel-group X active
 no shut

int gi 2/0/XXX
 switchport mode access
 switchport access vlan XX
 channel-group X active

The X in the “channel-group” command must match the number defined in the port-channel config in order to add the port to the port-channel.

A number of commands can be used to troubleshoot. Firstly I’d use “show int po X” to get the standard interface statistics. This gives an indication of whether the port-channel has been configured properly, as it shows the full bandwidth in the first couple of lines of output, for instance:

MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,

Here there are two 1Gbps interfaces in the port-channel, so it shows 2000000 Kbit as the “bandwidth” (BW).

If the port-channel has more than one member port, the bandwidth should be the sum of the bandwidth of all the member ports.

Other things to note are pretty standard, of course: all ports should be the same speed and type (access or trunk); LACP doesn’t support half-duplex; and no individual transfer will ever be faster than the speed of one of the interfaces, in this case 1Gbps.
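To catch the degraded state described above (a member down and the bundle running at 1Gbps) before the monitoring alerts pile up, here is an added Python check that is not part of the original post: it parses the output of “show etherchannel summary” and the BW line from “show int po X”, flags members that are not bundled, and flags bundles whose members all sit on one stack member. The sample output is constructed, not a capture from these switches.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of 'show etherchannel summary' (not a real capture):
# Po2 has a suspended member, Po3 has both members on stack member 1.
SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)     Gi2/0/1(P)
2      Po2(SU)         LACP      Gi1/0/2(P)     Gi2/0/2(s)
3      Po3(SU)         LACP      Gi1/0/3(P)     Gi1/0/4(P)
"""

ROW = re.compile(r"^\s*\d+\s+(Po\d+)\(([A-Za-z]+)\)\s+\S+\s+(.*)$")
MEMBER = re.compile(r"([A-Za-z]+(\d+)/\d+/\d+)\((\w+)\)")  # e.g. Gi1/0/1(P) -> stack member 1
BW = re.compile(r"\bBW (\d+) Kbit")


def parse_summary(text):
    """Return {po_name: (po_flags, [(port, stack_member, port_flag), ...])}."""
    chans = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            po, flags, ports = m.groups()
            chans[po] = (flags, [(p, int(sw), f) for p, sw, f in MEMBER.findall(ports)])
    return chans


def audit(text):
    """Report bundles that are degraded or that hang off a single stack member."""
    problems = defaultdict(list)
    for po, (flags, members) in parse_summary(text).items():
        if "U" not in flags:  # U = in use
            problems[po].append("port-channel not in use (flags %s)" % flags)
        for port, _sw, flag in members:
            if flag != "P":  # P = bundled; s/I/D/w mean the port carries no traffic
                problems[po].append("%s not bundled (flag %s)" % (port, flag))
        switches = {sw for _p, sw, _f in members}
        if len(members) > 1 and len(switches) == 1:
            problems[po].append("all members on stack member %d: single point of failure" % switches.pop())
    return dict(problems)


def bw_ok(show_int_line, bundled_ports, port_kbit=1000000):
    """True when the BW in 'show int po X' equals bundled ports * per-port speed."""
    m = BW.search(show_int_line)
    return m is not None and int(m.group(1)) == bundled_ports * port_kbit


if __name__ == "__main__":
    for po, issues in sorted(audit(SUMMARY).items()):
        print(po, "->", "; ".join(issues))
    print("BW line matches 2 x 1G:", bw_ok("MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,", 2))
```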

Now on to the “production” servers!

Check Point to Sonic Wall VPN tunnel

10 03 2013

Had an issue recently with a VPN tunnel from my Check Point cluster to a Sonic Wall device, not managed by me.

I have quite a few tunnels to Sonic Walls and most of the time they work just fine. The issues we’ve had with them have been related to the troublesome SG82 devices I’ve written about previously, which were replaced with Check Point 4207s.

However in this instance, despite using the same VPN Community, I couldn’t get the tunnels to come up.

A check on SmartView Tracker showed that although the outbound IKE packets were going from the Check Points to the configured address, the replies were coming back from a different address. The Check Points were rejecting these packets.

This turned out to be another interface on the same device. Changing the properties of the Interoperable Device to the IP address the device was replying from didn’t work.

The fix was to define another IP address in the topology of the Interoperable Device. I used the IP address for both the ‘Name’ and ‘IP address’ fields. Although I could have asked, I used a whois query to determine the subnet mask of the public IP block that this second IP address belonged to, and used that as the subnet mask value.

Doing this immediately granted IP access to the subnets at the other end.

Check Point Learning materials

3 03 2013

Had to give a mention to eLearnCheckPoint – I’ve been trying for ages to find a decent Check Point book, but this is easier said than done.

The EBooks available on this site have quality, up-to-date info (R75.20 at the time of writing), and are incredibly good value for money, well worth it.

Laptop / BackTrack Linux Install

16 01 2013

So, the laptop arrived exactly when expected (thanks Amazon), and it seems that the timing of the purchase was actually pretty good: the model is no longer on sale through Amazon.

It seems that 2013 is the year of the demise of the netbook form factor, so retailers are getting rid of their existing stock and no (or at least very few) new models will be built.

The idea of this laptop was always to install BackTrack Linux on it. I’m learning about penetration testing as part of my role, in order to help defend my network against hackers.

There is plenty of info out there about installing BackTrack. Lots of people have issues with it in terms of graphics, but to be fair this isn’t specific to BT and seems to be the case with a lot of distributions.

The issue I had was that after installing the OS, the screen would go black after displaying “Ubuntu 10.4”; I couldn’t even get a command line prompt. This is a very common problem. I spent around 4 hours scouring the web for answers, and through trial and error managed to get not only the command prompt but the GUI as well. I documented my steps heavily during the build process, and I have just reinstalled the OS, adding notes where relevant. The process took less than 30 minutes and is below. It is more for my future reference than anything: no warranty implied / responsibility taken for screwed-up installs as a result of following this.

  1. Boot to the BackTrack LiveDVD
  2. On the Samsung NC110P I had to disable the “Fast BIOS” setting in the BIOS, otherwise the machine boots from HDD before initialising the external DVD drive
  3. Press “Return” when prompted, then “Return” again when the graphics options are offered
  4. Choose option 9 – the highest resolution VESA option. The reason I worked out the fix was that I noticed that the higher resolution options in this menu were all VESA instead of VGA
  5. When at the command line, type “startx” to load the GUI
  6. With BT 5R3, which is the distribution I was using, and the latest at time of writing, there is a shortcut to “Install Backtrack” on the desktop. Start the install from here
  7. Go though the installation options – it’s pretty self-explanatory for anyone who’s installed an OS before
  8. Once installation has completed, reboot, waiting to be prompted before removing the external DVD drive
  9. When the OS booted on the Samsung NC110P, I noticed that the scrolling text during boot was displayed at a much lower resolution than when booting from the LiveDVD and selecting option 9, as per the above
  10. “Ubuntu 10.4” displays, and then disappears, leaving a blank screen
  11. At this stage, I had to manually power down the machine due to no display
  12. Boot from the LiveDVD again, following the instructions above to get to the command prompt. Default login details are root / toor
  13. Type “mkdir /mnt/hdd” to create a mount point for the Hard Drive
  14. Type “mount /dev/sda1 /mnt/hdd”
  15. Type “cd /mnt/hdd/etc/default”
  16. Backup the grub file – cp grub grub.old
  17. Edit the Grub file – “vi grub” – “I” to enter “Insert” mode
  18. Find the line containing “splash vga=791” (or some variation of it) and replace everything after “splash” with xforcevesa
  19. Press “Escape”, then “:wq” to write the changes and quit the app
  20. Enter “cd /boot/grub” and back up boot.cfg – “cp boot.cfg boot.cfg.old”
  21. Open boot.cfg with vi – “vi boot.cfg”
  22. Make the same change, replacing everything after “Splash” (a reference to vga again in this case) with “xforcevesa”
  23. Unmount the hard disk – “umount /mnt/hdd” after using “cd /” to change directory to “/” – if you’re still inside a folder on the hard disk, it’s classed as “in use” so will not unmount
  24. Enter “reboot”, removing the optical drive when prompted

This should get you a login prompt once booted, and running “startx” will get you into the GUI environment.
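The edits from steps 18 and 22 done as a script rather than by hand in vi, as an added example that is not part of the original post: it swaps the vga= mode for xforcevesa on every kernel-argument line that carries “splash”, backs each file up to .old first, and leaves the closing quote in /etc/default/grub intact (replacing literally everything after “splash” would eat it). The file paths are passed on the command line, i.e. the mounted /mnt/hdd paths from the steps above.

```python
import re
import shutil
import sys

# Match the framebuffer mode token (vga=791, vga=0x317, ...) but stop before a closing quote.
VGA_MODE = re.compile(r"\bvga=\w+")


def rewrite_kernel_args(text):
    """Return text with vga=... swapped for xforcevesa on every 'splash' line.

    Lines without 'splash', and lines already using xforcevesa, are left alone,
    so running the script twice is harmless."""
    out = []
    for line in text.splitlines(keepends=True):
        if "splash" in line and VGA_MODE.search(line):
            line = VGA_MODE.sub("xforcevesa", line)
        out.append(line)
    return "".join(out)


def patch_file(path):
    """Back up path to path.old (as the post does), then rewrite it in place.

    Returns True when the file was changed."""
    with open(path) as f:
        original = f.read()
    updated = rewrite_kernel_args(original)
    if updated != original:
        shutil.copy2(path, path + ".old")
        with open(path, "w") as f:
            f.write(updated)
    return updated != original


if __name__ == "__main__":
    # usage: python fixgrub.py /mnt/hdd/etc/default/grub <mounted grub config file>
    for p in sys.argv[1:]:
        print(p, "changed" if patch_file(p) else "unchanged")
```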

New laptop – Samsung NC110P

14 12 2012

Ordered a new netbook today. I thought my iPad 2 did away with the need for a netbook, which are admittedly going out of fashion (I couldn’t find any models in the PC World / Currys branch in town). I have remote access and network diagnostics and monitoring apps installed on it, I make use of the Kindle and iBooks apps for eBooks, and I watch my CBT videos on there.

But there is a very specific plan for this: installing BackTrack Linux for use as my pen testing box, something the iPad is not suited to.

It has an HDMI port, dual core CPU, 1GB RAM (soon to be upgraded to 2GB), wireless-N, and a 320GB HDD.

Ordered it from Amazon on next-day delivery; it’s due tomorrow. I’ve already burnt the BackTrack ISO to DVD in anticipation!

Can’t wait 😉