RawCode

We have tools to track latency across networks. You give it an IP address or hostname, it pings it periodically and displays the results on a pretty graph. Easy to understand, easy to use!

Why is there not an application that does the same thing but for DNS Queries? It would be a script or a compiled binary that performs a few basic functions:

1. Allows you specify a few different name servers to query and a query rate. (Time Interval)
2. Also allows you to specify domains to query for, and/or random domains. (Random domains pulled from google or some other method)
3. Logs all the results into a database or other file format for records and analysis.
4. Graphing of the response time of your specified name servers.

Seems like it would be pretty simple and common place, but I am having a hard time find such an application. I see plenty of stuff for statistics of the DNS server itself, (i.e. CPU usage, memory usage, queries per second and so on) but none for a client to measure DNS performance.

I did find one project out there called DNS Tester over at CodeProject.com. It is pretty basic, but it would at least show everyday users how DNS latency would affect them when they are browsing the web. Not all name servers are created equal.

So while I continue my search for an application that performs this function, I have tasked my Wireshark install to watch my DNS traffic for me. I have it set with the following capture filter:

port 53 and (host (primary name server ip) or host (secondary name server ip))

And then within these results, I have a display filter to further filter what I am looking for:

dns.time > .5

With these two filters, I am looking at any DNS traffic between my network and my ISPs name servers. And then I am specifically looking for DNS responses that take longer than .5 seconds to complete. It works, and I can compute my own statistics based on my data collection.

But it still is not as pretty as a graph.

Filed by RawCode at 3:34 am under Networking
Comments Off

I passed the Cisco CCNP Switching exam! I got an 825 out of a thousand, passing was 755. I feel freaking great!

Filed by RawCode at 6:02 pm under Cisco, Networking
1 Comment

The Cisco PIX is a totally different beast from the more common Cisco router. A lot of people forget the correct process for allowing traffic through a pix. Here is a quick break down.

1. Figure out which direction the traffic is going in relation to the security ratings of the interfaces. Higher(100) -> lower (0)? Nothing needs to be done. Lower(0) to higher(100)? You will need an ACL to permit the traffic.

2. Now that you know that you need an ACL, you need to decide what type of traffic it is. IP, TCP, UDP or ICMP? Any specific src or dst ports or addresses? Do you know what ICMP type you need?

3. Now are out using NAT? If your are trying to port forward, the ACL only allows the traffic into the PIX, but it still has no idea what to do with it. So you need to create a static statement, to map your src IPs or ports onto your dst IPs or ports.

And that is it. Just a quick how-to on permitting traffic on a PIX.

Filed by RawCode at 8:52 am under Cisco, Networking
Comments Off

Check it out at the Cisco 7200 Simulator Wiki.

Seems pretty darn cool since I hace yet to see anything like this for other Cisco devices. I will give it a good try in the next few days to see what it is all about.

Filed by RawCode at 8:04 am under Cisco, Networking
Comments Off

If you know anything about linux, you know ssh is a necessity. It is the same for routers if you do not want everything you do passed in cleartext across the net. Problem is that alot of people use a cisco router as their firewall with NAT enabled. So when you try to ssh to your linux box from work (or elsewhere) via port 22, it will hit the router instead. So you have two options:

• Configure PAT so you move your ssh traffic to a different public port, say 2222, and it will redirect it to port 22 on the inside of your network.
• Configure a rotary group and move the router’s ssh port to a different port, say 2222.

This post will cover the latter.

It is a pretty simple config, but it takes awhile to find it on Cisco’s web site due to the amount of information they have on there. It is two lines total:

ip ssh port 2222 rotary 1

This line moves the ssh service to port 2222, and makes it part of rotary group 1. A rotary group allows you to define attributes, services and features of lines that reference the group. In this case, any line that is part of rotary group one will have ssh on port 2222.

line vty 0 4
rotary 1
This set of commands places vty lines 0 through 4 in rotary group 1. So these vtys will take on all the features you have configured for that group. In this case, ssh has been moved to port 2222 on vty lines 0 through 4.

And that is it.

Filed by RawCode at 5:55 am under Cisco, General IOS, Networking
5 Comments

Here are some useful SNMP strings for cisco devices. I have used these to graph the various information in Cacti.

Cisco Pix:
CPU:
5 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.5.1
1 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1
5 Second: 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1
Memory:
Free: 1.3.6.1.4.1.9.9.48.1.1.1.6.1
Used: 1.3.6.1.4.1.9.9.48.1.1.1.5.1


Cisco Router:
CPU:
5 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1
1 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.7.1
5 Second: 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
Old MIB CPU:
5 Minute: 1.3.6.1.4.1.9.2.1.58.0
1 Minute: 1.3.6.1.4.1.9.2.1.57.0
5 Second: 1.3.6.1.4.1.9.2.1.56.0
Memory:
Free: 1.3.6.1.4.1.9.9.48.1.1.1.6.1
Used: 1.3.6.1.4.1.9.9.48.1.1.1.5.1



Cisco Switch:
CPU:
5 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1
1 Minute: 1.3.6.1.4.1.9.9.109.1.1.1.1.7.1
5 Second: 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
Old MIB CPU:
5 Minute: 1.3.6.1.4.1.9.2.1.58.0
1 Minute: 1.3.6.1.4.1.9.2.1.57.0
5 Second: 1.3.6.1.4.1.9.2.1.56.0
Memory:
Free: 1.3.6.1.4.1.9.9.48.1.1.1.6.1
Used: 1.3.6.1.4.1.9.9.48.1.1.1.5.1


Filed by RawCode at 6:22 am under Cisco, General IOS, Networking
Comments Off

Well I passed my CCDA exam. I got 888/1000 with 825 being the required score to pass. I didn’t do to bad at all. By the end of the exam I was pretty sure that I failed. I just awnsered as best as I could for each question. Since it is an exam about network design, I was constantly trying to figure out what I would choose versus what Cisco would choose. (Since they are different sometimes) I am just happy I got it out of the way.

Now onto other books to devour and absorb. (Most likely VoIP) Thanks to all that gave me support and encouragement.

Filed by RawCode at 3:07 am under Banter, Cisco
Comments Off

For 2pm on the 26th of August. I ahve been studying for this test for awhile, buying two different books and a set of flash cards to assist. I feel confident in my ability to pass, but we will see as most of the test is case questions. They basically setup a scenario in which you have to recommend the correct solutions and what technologies you will use to implement the solutions.

It is considered much harder than the CCNA as it is more than just how to configure a specific technology. It is about how you use multiple technologies in a specific solution to a customers goal. Like VoIP, or improved network performance.

How do you increase network performance? Is all the cable plant is up to spec and documented? Are you going to use Cat 5 or Optical fiber (single mode or multi mode?) Does the physical network have a good hierarchy, or is it a total mess of devices? What versions of IOS does the present gear have? Should you upgrade gear/software for your upgrade? Do you implement vlans, turn on Spanning tree protocol, or Rapid STP? How big should your VTP domain be? Are you going to run layer two or three in your Distribution or core layers? What routing protocols do you need? How is your ip address space utilized? Does it have a hierarchy or is it random? What security measures are you going to have? Firewalls? ACL’s? NBAR? Netflow? Is CEF a good idea?

It just ties together all the technologies you would use to provide a solution for a customers goal. Hard stuff.

Filed by RawCode at 7:13 am under Cisco, Networking
1 Comment

How to setup SSH access on a non standard (alternate) port.

There is two steps to setup ssh on a non standard port.

1. Declare which port SSH will be on and what rotary group it is in.

2. Configure vty’s to accept ssh and to use the rotary group created in step one.

Step one – This command defines what port the router will be monitoring for incoming ssh sessions. The rotary group is needed for grouping this command with a vty line. Until the vty is configured to refer to the rotary group, this command has no effect.
ip ssh port 2222 rotary 1


Step Two – These commands just allow local login, specify the password, what rotary group to bind to, and to turn on ssh only. No telnet here. Without the rotary command, ssh would normally be running on port 22, which if you are running NAT at home, it would intercept your attemped ssh sessions into your *nix boxes. Once you give it the rotary command, the vty interface will take on the properties of that rotary group. In this case, what we defined in step one.
line vty 0 4
login
password 0 blah
rotary 1
transport input ssh
transport output all


Filed by RawCode at 3:31 am under Cisco, Networking, Security
Comments Off

In a broad scope, there is two steps to Proper QoS implementation. Tagging and Policy.

Tagging – Tagging allows you to classify the various flows of traffic on your network. The are many different criteria on which a flow can be classified. IP address, TCP ports, Session based information (telnet, ssh, http, ftp), even URLs. Once a flow has been classified, it is handled in accordance of how your policy dictates. Note that the classes are arbitary and only serve to idenitify the various flows in the network.

Policy – Your policy will define how to handle the classified traffic. Which class does it drop first once congestion is encountered? Which classes get prefrerental or expididted treatment over other classes? Which class receives less than best effort handling? What applications are “mission critical”? In a large company, they might have over 3000 different apps on the network. Put too many in the mission critical catergory and the classification is no longer mission critical. This will be the hardest task of implementing QoS. The technical stuff is easy compared to writing up a policy on what to drop first.

For actual configuration of QoS, I suggest End-to-End QoS Network Design : Quality of Service in LANs, WANs, and VPNs or just Cisco Solution Reference Network Designs.

Filed by RawCode at 3:35 am under Cisco, Networking
2 Comments