evilrouters.net

Last Friday, I asked in anyone was aware of, or would be interested in, a mailing list for the discussion of topics related to CCNP certification and exam preparation. I still haven’t heard of (or found) any lists that really fit in with my idea, so I took the liberty of creating one.

A mailing list named, simply, “ccnp” has been created at FreeLists:

“…FreeLists, a service providing free, commercial-grade Internet mailing lists to all interested. Our lists are all internet and technology-related. Thus, we provide a free focal point for technology-inclined individuals and groups on the Internet. We do it all without the support of advertisements, ensuring the highest-quality mailing list experience for you and your users.”

I know (work with) the guy who runs this shop and it is a very well suited “home” for this list.

If you’re interested in participating, you may subscribe by sending an e-mail to “ccnp-request@freelists.org” with a subject of “subscribe”. You may unsubscribe by sending a mail with a subject of “unsubscribe” (and confirming your requests). I hope that this list can be a useful resource for those of us preparing for CCNP certification. As such, there are no formal rules, with one exception: I reserve the right to do whatever I want if you: spam, become annoying, post off-topic too much, etc.

After subscribing, you may post to the list by addressing your messages to ccnp@freelists.org. For those of us who like to filter these messages, you’ll notice that all posts have “[ccnp] ” prefixed to the Subject: line, making it trivial to do so. When you subscribe, feel free to send an “introduction” message (especially since I anticipate this will be a very small group at first).

Feel free to spread the word!

That’s all, see you on the list!

I’m aware of a few mailing lists for folks studying/preparing for the CCIE-level examinations, but haven’t been able to find anything useful for one working his or her way towards CCNP. I subscribe to some of the CCIE lists, but, to be quite honest, most of that stuff on the list is still way over my head.

Is anyone aware of mailing lists aimed at those working towards the various CCNP exams? Failing that, would be interested in one? If I can’t find any, I may just start one — nothing too in-depth, but basically a place where one can post questions/answers to various scenarios, study topics, etc.

I’d love to give credit for this because it’s awesome, but I have no idea where it originated.

'Twas the night before Christmas, when all through the LAN
No malware was stirring, not even LoveSan;
The firewalls were racked by the router with care,
In hopes that no hacker soon would be there;

The users were nestled all snug in their beds,
While visions of emails danced in their heads;
And me with my MacBook, and fresh packet cap,
Had just settled down for a long winter's nap,

When out from the pager there arose such a clatter,
I sprang to my desk to see what was the matter.
Away to the browser I flew like a flash,
Came through the VPN and refreshed the cache.

The sign on the certificate gave me to know
The session was safe, so I opened it - Lo!
When, what to my wondering eyes should appear,
But a miniature email, and in text that was clear,

With a new device driver, with a quick "ho ho ho",
I knew in a moment it was our CSO.
More rapid than eagles his memos they came,
And he whistled, and shouted, and called them by name;

"Now, firewall! now, filter! now, intrusion detection!
On, event correlation! deep packet inspection!
Build layered defense! to the top of the wall!
Now block away! block away! block away all!"

As alarms that before the wild network worm fly,
When they meet with my console, mount up to the sky,
So up to the network the sensors they flew,
With the rack full of gear, and the CSO too.

And then, with a twinkling, I heard on my cell
The custom ring-tone - the network was well.
As I drew in my hand, and was turning around,
Down to my inbox he came with a bound.

His message was brief, what was afoot?
Were servers and systems safe at the root?
A bundle of appliances stacked on his rack,
And he looked like a peddler just opening his pack.

Their lights -- how they twinkled! Their vendors - how merry!
They stopped all attacks, they paged my BlackBerry!
The poor little hackers were drawn up like a bow,
And tied up in knots in the honeypot below;

The stump of net packets held tight in our teeth,
With logs all analyzed, traceroutes were a breeze;
Our policies sound, vulnerabilities patched,
Our security systems just could not be matched.

He was chubby and plump, a right jolly old elf,
And I laughed when I saw him, in spite of myself;
A wink of his eye and a twist of his head,
Soon gave me to know I had nothing to dread;

He spoke not a word, but went straight to his audit,
tested the firewalls; then turned to report it,
And laying his finger aside of his nose,
And giving a nod, up our T3 he rose;

He sprang to his limo, gave his consultants a whistle,
And away they all flew like the down of a thistle.
But I heard him exclaim, ere he drove out of sight,
"HAPPY CHRISTMAS TO ALL, AND TO ALL A GOOD-NIGHT!"

To whomever wrote this, thank you. Excellent piece.

If you were to e-mail me over the holidays, you’d get a response like this. Unfortunately, I had to “tone it down” a bit (couldn’t make it as funny as I would have liked). =)

---------- Original message ----------
Date: Tue, 23 Dec 2008 17:35:03 -0500
From: Jeremy L. Gaddis
Subject: Out of Office AutoReply:

[This message was generated by an automated system.]

Greetings and salutations!

I am out of the office and my current whereabouts are unknown.  Even I do not know
where I am.  I am not *really* on vacation (as in, I'm not really going anywhere far away),
but as far as responding to email is concerned, I appear to be well outside the solar system.

Other than December 29-30, I will not be around until January 5th.

Boiler plate:  If you have any special needs, please contact the Help Desk.  They will have
the tools and skills needed to get you back on track.

If you are the Help Desk, then please contact Kevin or Ben.

If you *ARE* Kevin or Ben:  stop, take a deep breath, and reassess things.  If you are still
hyperventilating, then go ahead and break the glass (a.k.a. call my Blackberry)!

Happy holidays!

I found myself recently setting up new HP ProCurve 5400 switches in production. Because I’m a network guy, I like to keep an eye on them (interface counters, traps, etc.), thus setting up SNMPv3 was necessary. In addition, these devices come (”out of the box”) with a default read-write community string set to — you guessed it — “public”, open to anywhere. That had to be taken care of first.

Setting up SNMPv3:

First, let’s set some basic information so we can track this device amongst all the others:

SWITCH1# conf
SWITCH1(config)# snmp-server location S123
SWITCH1(config)# snmp-server contact jlgaddis

Next, we’ll enable SNMPv3 which, on these 5400s, also has the effect of creating an “initial” user:

SWITCH1(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******

User 'initial' is created
Would you like to create a user that uses SHA? n

User creation is done.  SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmp restrict-access'): y

What happened here is that an SNMPv3 user (with username “initial”) was automatically created for us. We were prompted for the authentication password and privacy password (note that the protocols were automatically chosen). At this point, I just entered “123456″ as I have plans to delete that user anyway. I went ahead and answered “y” to the last question, but I’ll be turning off SNMPv1 and SNMPv2 in a bit moment regardless.

Let’s configure our switch to only run SNMPv3 and go ahead a create a new SNMPv3 user as well:

SWITCH1(config)# snmpv3 only
SWITCH1(config)# snmpv3 restricted-access
SWITCH1(config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS

Here I was setting up a user so that my “graphing application” of choice, cacti, can communicate with the switch to retrieve interface statistics. Substitute your own authentication password and privacy passwords above (”AUTHPASS” and “PRIVPASS”). You can change the protocols as well, if you’d like, to MD5 and DES, respectively. I prefer to go the “high security” route whenever possible, however, so that’s what I opted for here. Be sure your management software is compatible with these settings!

Now, we need to assign our “cacti” user to a group that’s appropriate for the level of access we want it to have. I won’t describe all of the ones available (see Chapter 14 of the Management and Configuration Guide for that), but the one I want (in this case) is “operatorauth”. This group provides for “operator” level access (a.k.a. “unprivileged”) and requires authentication. We’ll also specify “sec-model ver3″ as an SNMPv3 access group should only use the ver3 security model:

SWITCH1(config)# snmpv3 group operator auth user cacti sec-model ver3

Okay, almost there! Now we just need to allow SNMP access to the switch from the host that cacti is running on. In my case, it’s 172.30.144.17:

SWITCH1(config)# ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp

You can change that, of course, to your own IP address (or whole networks — be sure to change the netmask, however).

At this point, we should be good to go. We could add the device into cacti’s web interface and within a few polling cycles we’ll start to see interface traffic statistics, such as this (from another device):

Finally, there’s one more step that might be necessary, depending upon your switch’s configuration. Because my switch has a loopback address assigned to it, that’s the IP address I want to tell cacti to poll. This method will still allow the switch to be reachable if one (or more) of it’s interfaces go down (there are multiple routes to it). By default, the ProCurve 5400 will respond to SNMP requests with a source IP address of the interface that the requests were received on, and NOT a source IP matching the original destination of the requests:

SWITCH1(config)# snmp-server response-source dst-ip-of-request

…and that’s it! We can now “speak” SNMPv3 (and ONLY SNMPv3) to our switch. In addition, only the “cacti” user can access it, and only from 172.30.144.17.

That’s a helluva lot better than the default read-write “public” community string that’s accessible from anywhere, huh!?

UPDATE: I forgot the part where I deleted the “initial” user that was created automatically for us. Here’s how that’s done:

SWITCH1(config)# no snmpv3 user initial

Easy enough!

"A" is for Arrogance, properly done.
"B" is for Bastard, the New Zealand one.
"C" is for Cynic, jaded and tired;
    it's also for Caffeine, which keeps us all wired.
"D" for Delete, we'll do it to you;
"E" for 31337, the skr1pt-k1ddie's due.
"F" is for Format(1M), we use it on disks,
"G" is the middle name of the guy who does RISKS.
"H" for the Hubris that makes lusers luse;
"I"'m the Important one, the person who su(8)'s.
"J" is for Jaded, see "C" above;
"K" is for Kill(1), a command we all love.
"L" is for Luser, the sysadmin's bane,
"M" with a "4" keeps the mail gurus sane.
"N" is for No, whatever the question,
"O" is for Octal, the way of permissions.
"P" is for Password, have you changed yours lately?
"Q" is for Quotas, which simplify greatly.
"R" is for Random, a most useful quality,
"S" I can't tell you, it's against policy.
"T" is for TECO, a very old editor,
"U" is for Unix, which has no competitor.
"V" is the System whose Release 4 we wrestle with,
"W" is for W(1), to see who(1) we nestle with.
"X" is the windowing system from Hell,
"Y" do we use it?  The rest suck as well!
"Z" is for Zero, indicating success
    It terminates programs -- and alphabets, yes.

–Unknown

So this evening I’m minding my own business with a friend at a downtown location when a woman I met one night recently saw me and launched into a pitch that began with the most unusual opening line:

HER:  "JEREMY!  Hi, it's Gwen!  Remember?  I called you last week on your cell
phone and you said 'How did you get this number?' and hung up on me?"

ME:  "Um, oh, yeah.  I do remember."

HER:  "Yeah.  Well, anyway, I wanted to know..."

P.S. It didn’t go so well for her this time either.

I was bored so decided to play with hping3 a bit tonight.

[jlgaddis@bertram:~]$ sudo hping3 --udp -p 10000 --destport 10000 --flood 192.168.1.12
HPING 192.168.1.12 (eth0 192.168.1.12): udp mode set, 28 headers + 1400 data bytes
hping in flood mode, no replies will be shown

I have the same thing running 192.168.1.12 as well, for “bi-directional” traffic.

c1811# sh int fa7 | in put\ rate
  5 minute input rate 96657000 bits/sec, 8404 packets/sec
  5 minute output rate 93537000 bits/sec, 11389 packets/sec

-----Original Message-----
From: PCC-Americas
Sent: Friday, December 19, 2008 5:22 PM
To: Jeremy L. Gaddis
Subject:RE: en-us: Possible bug in K.13.45 (5400zl series)?

Dear Jeremy,

Thank you for contacting HP ProCurve Networking.

It seems that you have discovered an anomaly.  We would like to
investigate this for you.  At your convenience, would you mind
collecting the textual output of the command, "show tech all" as
issued within the CLI of the switch?  Please follow-up the text
capture by again issuing the "show ip igmp config" command.

We will work with our engineers to reproduce this issue, and
identify its root cause.

Thank you very much for contacting HP ProCurve Networking Support.
We hope to hear form you soon.

Sincerely,
Linda
HP ProCurve Networking

Here’s what I was seeing (serial numbers of my installed GBICs “sanitized”). This was on a HP ProCurve 5406zl:

SWITCH# show ip igmp config

 IGMP Service

                       IGMP     Forward with   Querier  Querier
  VLAN ID VLAN Name    Enabled  High Priority  Allowed  Interval
  ------- ------------ -------- -------------- -------- ---------
  1       DEFAULT_VLAN No       No             Yes      125
  2       VLAN2        No       No             Yes      125
  14      VLAN14       No       No             Yes      125
  16      VLAN16       No       No             Yes      125
  20      VLAN20       No       No             Yes      125
  30      VLAN30       No       No             Yes      125
  31      VLAN31       No       No             Yes      125
  32      VLAN32       No       No             Yes      125
  36      VLAN36       No       No             Yes      125
  38      VLAN38       No       No             Yes      125
  41      VLAN41       No       No             Yes      125
  42      VLAN42       No       No             Yes      125
  43      VLAN43       No       No             Yes      125
  64      VLAN64       No       No             Yes      125
        GBIC 1 (  Port A1): J4858C               XXXX2EK3W9
        GBIC 2 (  Port A2): J4858C               XXXX2EK3X4
        GBIC 3 (  Port A3): J4858C               XXXX2EK1Z2
        GBIC 4 (  Port A5): J4858C               XXXX2EK1RT
        GBIC 5 (  Port A7): J4858C               XXXX2EK2G4
        GBIC 6 (  Port A9): J4858C               XXXX2EK3FM
        GBIC 7 ( Port A11): J4858C               XXXX2EK3WD
        GBIC 8 ( Port A13): J4858C               XXXX2EK2NF
        GBIC 9 ( Port A14): J4858C               XXXX2EK4YD
        GBIC 10 ( Port A15): J4858C               XXXX2EK1HG
        GBIC 11 ( Port A16): J4858C               XXXX2EK5HA
        GBIC 12 ( Port A17): J4858C               XXXX2EK2CG
        GBIC 13 ( Port A18): J4858C               XXXX2EK2GH
        GBIC 14 ( Port A20): J4858C               XXXX2EK1RP
        GBIC 15 ( Port A21): J4859C               XXXX0EL04Y
        GBIC 16 ( Port A22): J4859C               XXXX0EL06W
        GBIC 17 ( Port A23): J4859C               XXXX4EL053
        GBIC 18 ( Port A24): J4859C               XXXX4EL02X
  78      VLAN78       No       No             Yes      125
  79      VLAN79       No       No             Yes      125
  80      VLAN80       No       No             Yes      125
  94      VLAN94       No       No             Yes      125
  96      VLAN96       No       No             Yes      125
  101     VLAN101      No       No             Yes      125
  110     VLAN110      No       No             Yes      125
  112     VLAN112      No       No             Yes      125
  128     VLAN128      No       No             Yes      125
  172     VLAN172      No       No             Yes      125
  192     VLAN192      No       No             Yes      125
  202     VLAN202      No       No             Yes      125
  4011    VLAN4011     No       No             Yes      125
  4012    VLAN4012     No       No             Yes      125
  4030    VLAN4030     No       No             Yes      125
  4040    VLAN4040     No       No             Yes      125
  4050    VLAN4050     No       No             Yes      125
  4060    VLAN4060     No       No             Yes      125
  4070    VLAN4070     No       No             Yes      125

Geez, an “anomaly”? Ya think? =)

It’s been a looooong time since I posted any networking stuff that wasn’t Cisco-centric, but I’m sitting here at home configuring an HP ProCurve 5406zl so I thought I’d take the opportunity.

The ProCurve 5400zl series have a USB port on them that you can use to transfer files, in addition to TFTP and SCP/SFTP. Since I had a few of these to upgrade and they were in a lab environment (e.g. not connected to any “real” networks), I didn’t want to bother with setting up a TFTP server. The upgrade process is pretty straightforward and is similar to doing an upgrade via TFTP.

We can find the latest software for our ProCurve switches on the “Software for switches” page. Software (”firmware”) updates do not require that you have a valid login or service contract, unlike Cisco. I grabbed the latest version (at the time of writing), which is K.13.45 (be sure to read the Release Notes that accompany each release as well, prior to performing an upgrade). Save the .downloaded file to your USB flash drive and plug the flash drive into the switch.

To check what version of the software is currently running, issue the “show version” command:

SW1# show version
Image stamp:    /sw/code/build/btm(t3a)
                Aug  4 2008 15:08:24
                K.13.25
                93
Boot Image:     Primary

We can see that we’re running version K.13.25 and that we booted from the primary flash. We can see the current contents of flash, as well as our USB drive:

SW1# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 7442476   08/04/08 K.13.25 
Secondary Image : 6782942   12/07/07 K.12.57 
Boot Rom Version: K.12.12
Default Boot    : Primary

SW1# dir

Listing Directory /ufa0:
-rwxrwxAwx  1 0       0          7442476 Nov  3  2008 K_13_25.SWI 
-rwxrwxAwx  1 0       0          7494786 Oct 30  2008 K_13_45.SWI 
SW1#

Because I’ve been running K.13.25 and it’s been stable, I’m going to copy it to secondary flash and then overwrite the primary with the new software. We’ll then reboot the switch with the new software (keeping the previous version in secondary as a “backup” in case anything goes wrong).

SW1# copy flash flash secondary

This command isn’t real intuitive (and it takes a while as well), but here we’re basically copying from flash, to flash, with the secondary as our destination. In this case, the contents of the primary flash will be copied to the secondary. “copy flash flash primary” would copy the contents of the secondary into the primary. Let’s verify what we have now:

SW1# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 7442476   08/04/08 K.13.25 
Secondary Image : 7442476   08/04/08 K.13.25 
Boot Rom Version: K.12.12
Default Boot    : Primary

We can see that the contents of the primary have now been copied to the secondary as well. Let’s copy the K1345.SWI image from the USB drive to primary flash:

SW1# copy usb flash K_13_45.SWI primary
The Primary OS Image will be deleted, continue [y/n]?  y

After a moment, we’ll see this message:

Validating and Writing System Software to the Filesystem ...

When the copy has completed, we need to reload the switch with the new software:

SW1# boot system flash primary
System will be rebooted from primary image. Do you want to continue [y/n]?  y

The switch will take a minute to reboot (I won’t bother pasting the complete bootup process) and then we can, again, use “show version” to verify that we’re now running the latest software:

SW1# show version
Image stamp:    /sw/code/build/btm(t3a)
                Oct 17 2008 20:03:02
                K.13.45
                706
Boot Image:     Primary

See, wasn’t that easy!? We’ve successfully upgraded the firmware, and we’ve also kept a backup copy of the previous software in case things go badly. If that happens, just issue the “boot system flash secondary” command to reload the switch with the previous software.

This “upgrade via USB” method can come in handy at times, e.g. when the switch is in a lab and you don’t have a server handy to load the files from. For the switches in my production network, I would use SFTP to ugprade them instead of having to visit each switch individually to plug in and remove the USB drive. Yes, you can SFTP to the switch and upload a new version of firmware. It rocks. =)