December 30, 2008

WRT54GL as an 802.1x client (aka wrt54gl@eduroam)

… after quite a long time (again), here comes a simple HOWTO describing how to run a Linksys WRT54GL as a wifi client with 802.1x authentication + wpa encryption, in this case for the international educational wifi roaming initiative, eduroam.


The Linksys WRT54g family of wifi routers has become quite popular in the past few years, as several third-party, open firmware images became available for this device. If you own a WRT54g router, you might be familiar with firmware files from dd-wrt or openwrt.

Basically, after flashing the WRT54g (and thus replacing the genuine Linksys firmware) with the dd-wrt or the openwrt firmware, you get functionality out of a $60 router that is otherwise available only on commercial $1000 routers. For example, the original Linksys firmware does not even contain a basic wifi client mode. The dd-wrt firmware is ready to use and comes in different flavors: with vpn functionality, with voip, or just “basic” functionality. Openwrt, by comparison, is in its basic form less powerful: it contains only the basics and no additional functionality. On the other hand, the advantage of openwrt is that it is nicely customizable, and you can pretty easily install additional applications and functionality with a simple apt-get-like utility. For this reason I am more used to the openwrt firmware, as it gives me more control over the box.

Well, a step into the $subject: a friend of mine asked me to help him connect his WRT54GL router as a client to our university wireless network. Our university wifi network uses mandatory 802.1x authentication + wpa or wpa2 encryption. A few years ago even standard computers and laptops had issues connecting to an 802.1x secured wireless network, so what can you expect from a small wifi router? Well, a lot :-)

The basic Linksys firmware does not even support wifi client mode on the WRT54GL. Obviously, the next step is to upgrade the firmware to something better. dd-wrt or openwrt? dd-wrt supports wifi client mode, even with static wep keys (maybe even wpa-psk?), but not with 802.1x authentication :-/ openwrt in its basic form does not support 802.1x either, but fortunately a wpa_supplicant package is available, already precompiled for this platform. wpa_supplicant is an EAP supplicant with 802.1x authentication + wpa/wpa2 support.

A few steps to make it work:

  1. Download the openwrt firmware from Make sure to download a firmware based on 2.6 kernel, as the 2.4 version uses the proprietary “nas” Broadcom utility to manage the wireless connection and it does not support 802.1x. I used the openwrt 8.09_RC1 based openwrt-wrt54g-squashfs.bin file.
  2. Download and install the wpa_supplicant package:
    opkg install
    (or opkg update && opkg install wpa-supplicant)
    (openwrt 8 and later use the “opkg” package management utility; pre-8 versions of openwrt used “ipkg”)
  3. Create a configuration file for the wpa_supplicant. The file may look like:
    root@OpenWrt:~# cat /etc/wpa_supplicant.conf
  4. Try it with
    wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
    This command starts wpa_supplicant, which scans for the “eduroam” ssid, connects to the AP and tries to authenticate as user@domain. If everything is OK, it prints some OK messages at the end and also activates the wifi interface, wlan0. If you then start a dhcp client (udhcpc -i wlan0), you should get an IP address, and you can start pinging the Internet.
  5. Wrap it up: create startup scripts that, at boot, start wpa_supplicant, run the dhcp client, and enable IP routing and NAT, and there you go. Ready :-)
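The post does not reproduce the configuration file, so here is an added example (mine, not the author's): a wpa_supplicant.conf for the “eduroam” network with WPA-EAP and server-certificate validation, the same network without it, and a small sh/awk check that reports EAP networks lacking ca_cert. The EAP method (PEAP/MSCHAPv2), realm, identities and CA path are assumptions; validating the server certificate is what keeps the credentials from being sent to an unrelated AP announcing the same ssid, and it is the reason the startup script later has to set the clock before starting wpa_supplicant.

```shell
#!/bin/sh
# Added example: hardened vs. weak wpa_supplicant.conf for the "eduroam" network
# described in the post, and a check for EAP networks without CA pinning.
# All identities, realms and paths below are placeholders, not values from the post.

# Hardened: the RADIUS server certificate is checked against a pinned CA and
# its subject, and the outer (anonymous) identity hides the real username.
HARDENED_CONF='ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example-university.tld"
    anonymous_identity="anonymous@example-university.tld"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/example-university-ca.pem"
    subject_match="radius.example-university.tld"
}'

# Weak: connects just as well, but accepts any server certificate, so the
# credentials may be sent to any AP that announces the "eduroam" ssid.
WEAK_CONF='network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example-university.tld"
    password="REPLACE_ME"
}'

# check_eap_ca CONF_TEXT
# Prints one finding per WPA-EAP network block that has no ca_cert= line.
# Prints nothing when every EAP network validates the server certificate.
check_eap_ca() {
    printf '%s\n' "$1" | awk '
        /^network=[{]/ { inblk = 1; ssid = "?"; eap = 0; ca = 0; next }
        inblk && /^[ \t]*ssid=/ { sub(/^[ \t]*ssid=/, ""); gsub(/"/, ""); ssid = $0 }
        inblk && /^[ \t]*key_mgmt=.*WPA-EAP/ { eap = 1 }
        inblk && /^[ \t]*ca_cert=/ { ca = 1 }
        inblk && /^[}]/ {
            if (eap && !ca) print "ssid=" ssid ": missing ca_cert (server certificate not validated)"
            inblk = 0
        }
    '
}

# eap_ca_findings CONF_TEXT  ->  number of findings (0 means the config is OK)
eap_ca_findings() {
    check_eap_ca "$1" | awk 'END { print NR }'
}

# Audit both variants (the real /etc/wpa_supplicant.conf holds the password,
# so it should be readable by root only).
echo "hardened: $(eap_ca_findings "$HARDENED_CONF") finding(s)"
echo "weak:     $(eap_ca_findings "$WEAK_CONF") finding(s)"
check_eap_ca "$WEAK_CONF"
```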

My startup scripts look like this (not so cool, but it works :):

root@OpenWrt:~# cat /etc/init.d/XStartEduroam
#!/bin/sh /etc/rc.common
# Jozef Janitor (c) 2008
# !!!
# make sure that this file has a +x (executable) flag
# enable this script with /etc/init.d/XStartEduroam enable
# don't forget to disable the preinstalled openwrt firewall script
# !!!

# rc.common needs a start order, otherwise "enable" creates no rc.d symlink
START=99

# the two addresses of the first INPUT rule were lost from the page;
# put your own source and destination here
ALLOWED_SRC="x.x.x.x"
LOCAL_DST="y.y.y.y"

start() {

# Basic firewall and SNAT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A INPUT -s "$ALLOWED_SRC" -d "$LOCAL_DST" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br-lan -j ACCEPT
# echo request and source quench are accepted from anywhere
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
# everything else not matched above (e.g. new connections from wlan0) is dropped
iptables -A INPUT -j DROP

# Set time - otherwise the default WRT's time makes problems
# with a certificate validation in wpa_supplicant
# (both copies written by /updateDate are tried, so a truncated
#  first file does not leave the clock unset)
date "`cat /etc/dateToSet`"
date "`cat /etc/dateToSet.backup`"

# Start 802.1x authentication
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf &

# wait some time till the interface is authenticated
# and activated
sleep 5

# get the IP address from the DHCP server
udhcpc -i wlan0 &

# start the WatchDog to check if we have access
# to the Internet
/watchGW &

# sync time with the NTP server and store the local
# time into a file for reboot use
/updateDate &

}


root@OpenWrt:~# cat /watchGW
#!/bin/sh
# Jozef Janitor (c) 2008
# This is a "watchdog" script that checks the IP connectivity to a specified destination.
# When it's not available, restart the device.

# the address of the probed host was lost from the page; put your own here
WATCH_HOST="x.x.x.x"

echo "Starting GW watchdog"
echo "If host ($WATCH_HOST) is down, reboot"

# A healthy probe looks like this (the host address is missing from the page):
# root@OpenWrt:/# ping -c 5
# PING ( 56 data bytes
# 64 bytes from seq=0 ttl=59 time=3.199 ms
# 64 bytes from seq=1 ttl=59 time=7.602 ms
# 64 bytes from seq=2 ttl=59 time=3.212 ms
# 64 bytes from seq=3 ttl=59 time=4.804 ms
# 64 bytes from seq=4 ttl=59 time=2.827 ms
# --- ping statistics ---
# 5 packets transmitted, 5 packets received, 0% packet loss
# round-trip min/avg/max = 2.827/4.328/7.602 ms

while true; do

   sleep 300

   out=`ping -c 5 $WATCH_HOST 2>&1`

   # every successful reply line contains "from"; no such line
   # in five tries means the host (and probably our uplink) is gone
   isFrom=`echo $out|grep "from"`

   if [ "x$isFrom" = "x" ]; then
      echo "!!!!!! REBOOTING !!!!!!!!!!" > /dev/tty
      sleep 5
      reboot
   fi
done


root@OpenWrt:~# cat /updateDate
#!/bin/sh
# Jozef Janitor (c) 2008
# Sync the actual time and store it in a file to be used after the reboot.

# the NTP server address was lost from the page; put your own here
NTP_HOST="x.x.x.x"

while true; do
        sleep 3600
        # one-shot query (-c 1) against the server (-h) and set the clock (-s)
        ntpclient -c 1 -h $NTP_HOST -s
        # the second copy, written a second later, is the fallback
        # read by /etc/init.d/XStartEduroam at boot
        date "+%F %R" > /etc/dateToSet
        sleep 1
        date "+%F %R" > /etc/dateToSet.backup
done

October 28, 2008

Are you ready?

I haven’t been publishing here for quite a long time. I have got busy with some work and school stuff. But hopefully I will get back onto this blogging road again in the meantime :-)

Are you ready to see something BIG? Not yet? Well, that’s OK, you still have time to get ready till 11.11.2008.

On 11.11.2008 Cisco will announce something brand new. Don’t ask me what it is, because I don’t know. I just found this information in the “Cisco Support Group for Uber User Internet Addicts” @ facebook. But as far as I know Cisco, it must be something GREAT & BIG :-)


October 16, 2008

Debian: Mark packages on hold

If you have installed some Debian/Ubuntu package that you don’t want to be updated through apt-get upgrade, you can put a HOLD flag on that package.

The HOLD flag keeps regular apt-get upgrade runs from touching that package. To put a package on HOLD, use the following command:

echo {PACKAGENAME} hold | dpkg --set-selections

root@recorder:~# echo vlc hold | dpkg --set-selections
root@recorder:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  vlc vlc-nox
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

September 4, 2008

An amazing but unknown Linux command: apropos

When working in Linux, I read a lot of man pages for different commands while looking for some helpful information on how to use a command. But sometimes it’s hard to find the correct man page, because you have to know the man page’s exact name. Apropos is a man page searcher that works like a little google search on your Linux box and lets you find the man page that you are looking for.


I didn’t know about this amazing command until I found it in an article at

Google OS: it’s a browser - Google Chrome

Google has yesterday published a public download of its own web browser, Google Chrome.

Google Chrome is a brand new web browser built from scratch that uses amazing new techniques.

For rendering web pages, Chrome uses Apple’s WebKit, which is used in Safari and on the iPhone too. That makes loading web pages really fast.

For running JavaScript it uses the V8 JavaScript virtual machine. V8 compiles JavaScript into code that can run directly on the CPU, which gives a big speedup for processing JavaScript.

Each web page runs in its own process. That means that if a web page causes a browser crash (BUGs are everywhere), only the tab where that one web page was running will crash. It also means that the memory leaks well known from other browsers do not affect Google Chrome: when you close a tab, you close a process and free all the memory that was reserved for that web page. Isn’t it great? No more killing the whole browser just because it eats 1.1GB of your RAM.

As a developer you have access to a nice DOM tree, process manager, etc.

So far I really like it, even though I am missing some great features from Firefox: plugins, rss handling, google bookmarks integration, etc.


You can download and learn more about Google Chrome from and don’t forget to read a nice animated story about Google Chrome at

August 9, 2008

Cool cold fire flame – in your hand

How To Make Fire Balls - Amazing videos are here

This is an amazing howto video of an amazing thing: how to hold and play with a fire flame in your hand and not get burned. I guess it might be pretty cool to show this trick to people at some parties. You will be the party hero who can hold fire in his hands :-D

August 6, 2008

Packet Tracer 5.0 has been released!

I found today on the Cisco Academy Connection webpage a new icon in the left navigation toolbar. It was a link to a new version of Packet Tracer, PT 5.0. Finally, after almost 6 months of beta testing, PT 5.0 is now available to every Cisco Networking Academy member.

So are you a Networking Academy member? Don’t hesitate! Go ahead, click on and download your copy of PT 5.0.


A public advertising video about PT5.0 is available at

A list of new features in PT5.0 is available in my older post.

Here is a screenshot from the last version that was available only for beta testers:


And here goes a screenshot of a freshly released PT5.0, downloaded from the Academy Connection:

*(You can notice that there is still an “RC1” note in the PT window. So far I don’t have any more information about this release so I cannot say if this is the RTM (Ready to Manufacturing) final release. Anyway, it’s good that now everyone can access PT5.0 and use its amazing new features!)

** I have no information about the PT Portal (screenshot below) release date (or even whether it will ever be released).


August 4, 2008

Pre-ISR routers discontinued in IOS :-(

The old Cisco battleships, the pre-ISR routers, are going to be discontinued in the upcoming IOS versions, starting with 12.4(20)T.

I found this information while I was going through a presentation about new features that were implemented in the 12.4(20)T version of IOS:


So the last available IOS for pre-ISR routers will be the 12.4(15)T version. For more information, go to

July 29, 2008

Pocket commands guide

You must have seen those small “form factor” books named like “Handy command line guide”. Now you can make your own pocket commands guide for Cisco devices.

Well, there is a blog post at about the “show parser” command. “show parser” displays all the commands and their syntax that are known and available in the CLI. You can create a dump of all available commands, save it into a file, and then, if you are looking for a command related to BGP, just grep the output file for BGP.

gw#show parser dump all tftp://s/ListOfCommands-124-15.T4.txt

I tried to find out how many BGP commands are in the list:

jozjan@stargate:/tftpboot$ grep bgp ListOfCommands-124-15.T4.txt |wc -l

But WOW, there are more OSPF commands than BGP:

jozjan@stargate:/tftpboot$ grep ospf ListOfCommands-124-15.T4.txt | wc -l


Cisco: Remote CLI access without Login/Password

When I configure a bunch of Cisco gear in a lab environment, just for fun or to test some new feature, I like being able to get CLI access over telnet without having to authenticate myself with any username or password. You can achieve this level of “insecurity”, which is totally great for lab-only use, simply by changing the VTY configuration.

In normal situations you configure VTY to allow remote CLI access to your device like:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password Cisco

and then you login to your device ( with telnet like:

> telnet
Trying ... Open

User Access Verification

% No password set

(Don’t forget to set up an enable password, otherwise you will not reach privileged exec mode.)

So, to get past the login screen and gain access without authentication, it’s enough to turn off the “login”, as simple as:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#no login

And then the telnet looks like this:

> telnet
Trying ... Open


Well, if you want to make your work even faster, configure the VTY line so that you are put directly into privileged exec mode by setting the VTY’s privilege level to 15. And don’t forget to turn on one of the greatest CLI features, “logging synchronous”. The final configuration then looks like:

Router#sh run | section line vty
line vty 0 4
privilege level 15
logging synchronous
no login

and a telnet login then looks like:

> telnet
Trying ... Open



Update (30.8.2008):

I forgot to add the “exec-timeout 0” command. By default, after 15 minutes of inactivity the device automatically disconnects your telnet session. With the “exec-timeout” command you can change the default value; if you set it to 0, the device will never disconnect your telnet session. It’s very useful in labs. So the final configuration would be:

Router#sh run | section line vty
line vty 0 4
privilege level 15
logging synchronous
exec-timeout 0 0
no login
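The three shortcuts above (no login, privilege level 15, exec-timeout 0) are exactly what a config review should catch before a device leaves the lab. An added example, not from the post: a POSIX sh/awk check over a saved running-config that reports each “line vty” section carrying one of them; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example: flag the lab-only VTY settings from the post (no login,
# privilege level 15, exec-timeout 0) in a saved IOS running-config.
# The two configs below are constructed samples, not taken from the post.

# Constructed sample: one lab-style VTY range next to a properly secured one.
LAB_CONFIG='hostname Router
!
line con 0
 logging synchronous
line vty 0 4
 privilege level 15
 exec-timeout 0 0
 logging synchronous
 no login
line vty 5 15
 exec-timeout 5 0
 logging synchronous
 login local
 transport input ssh
!
end'

# Constructed sample with nothing to report.
PROD_CONFIG='hostname Router
!
line vty 0 4
 exec-timeout 10 0
 logging synchronous
 login local
 transport input ssh
!
end'

# audit_vty CONFIG_TEXT
# Walks the "line vty" sections and prints "<section>: <finding>" for each
# setting that should not survive outside a lab. Prints nothing when clean.
audit_vty() {
    printf '%s\n' "$1" | awk '
        /^line vty/ { sect = $0; next }              # enter a vty section
        /^line / || /^!/ || /^end/ { sect = "" }      # any other top-level entry ends it
        sect == "" { next }
        /^[ \t]*no login$/ { print sect ": no login (CLI reachable without authentication)" }
        /^[ \t]*privilege level 15$/ { print sect ": privilege level 15 (session starts in privileged EXEC)" }
        /^[ \t]*exec-timeout 0( 0)?$/ { print sect ": exec-timeout 0 (idle sessions never disconnected)" }
    '
}

# vty_finding_count CONFIG_TEXT  ->  number of findings
vty_finding_count() {
    audit_vty "$1" | awk 'END { print NR }'
}

echo "lab config:";  audit_vty "$LAB_CONFIG"
echo "prod config:"; audit_vty "$PROD_CONFIG"
```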



The battleship of VMware, the ESXi server, has become a free product! You can download it directly from and you are free to use it, without any restrictions and with all the ESX power!

Ready? Go! Virtualize :-)

July 18, 2008

HOWTO: Clear the DNS Cache

When you use DNS to resolve hostnames to IP addresses or service endpoint addresses and you make a change in your domain zone configuration, you have to reload the cached records on your devices so that the new addresses are used. You have two options:

  • wait until the DNS cache on your device expires and the device sends a new DNS query
  • clear the cache manually

On Windows you can clear the DNS cache with the “ipconfig /flushdns” command.

On Cisco gear you can use the “clear hosts *” enable mode command.

July 15, 2008

Packet Tracer 5.0 – Unofficial release date

From some sources I have got information that the new Packet Tracer 5.0 is planned to be officially released on Academy Connection on the 28th of July 2008.


So on July 28th, be ready to find a new download icon on the left navigation toolbar on your academy connection site to download the final version of PT 5.0.


If you want to know more about new features in PT 5.0, read my previous post.

Access some pages that require higher level CCO without CCO

Today I came across some documentation on related to IP Telephony Express and was really disappointed to find that after clicking on the link that was there to find out more about some features, a higher level CCO (guest level was not enough) account was required to access them.

Here I prepared some screenshots:

Fig. 1 – Cisco Feature Navigator with a link to a Feature Guide

Fig. 2 – CCO account required to access the Feature Guide link from above

Fig. 3 – My guest level CCO account seems to be not enough :-(

So I started to think about it and came to the conclusion: why the hell do I have to have a higher level CCO account to read documentation that should be publicly available? I mean, there is nothing confidential, is there?

So I started to compare URLs that do not require CCO at all with this link that does require it. And I found a pretty nice “hack” :-)

As it’s shown on fig. 1, this is the link that required higher level CCO account to access it:

Well, I guess that there is some J2EE application server in the background that processes URLs and uses different modules based on what “commands” are in the URL (like en – English language, US – guess that some USA specific stuff, …). I found that if you do not use the “customer” module, then there is no authentication required and the requested page is directly served to you :-)

So the only thing that you have to do to access these kind of URLs even without any CCO account is to remove the “/customer” from the URL. And then it works. Try it:


July 1, 2008

First Day of July, the First Day of me as an Employee

As of today, I have become one of the thousands of people around the world who are employed by a company. I am working as a “systems engineer” at the Center of Computers (or whatever the official translation is) at the Technical University of Kosice. I am responsible there mainly for the VoIP network and for backup systems.

June 26, 2008

CCNA Voice, CCNA Security, CCNA Wireless + new Cisco Learning Network

Cisco has today officially announced the release of three new associate level certifications:

  • CCNA Voice - validates skills in VoIP technologies such as IP PBX, IP telephony, handset, call control, and voicemail solutions. Candidates also get exposure to the Cisco Unified Communications architecture and design covering mobility, presence, and TelePresence applications.
  • CCNA Security - validates a candidate’s skills including troubleshooting and monitoring of Cisco network devices to maintain integrity, confidentiality and availability of data.
  • CCNA Wireless - validates candidate’s skills in the configuration, implementation and support of wireless LANs, specifically those networks using Cisco equipment.

To help people build their IT career and gather more information related to certifications, Cisco has started a new social networking web site that provides a platform for sharing knowledge and experience, discussions, learning materials, guidelines and other cool stuff that might help you in your certification and IT career. Register, learn, blog, discuss and share your knowledge at

To find out more about Cisco certifications, go to

June 17, 2008

I am going crazy for the iPhone!

At the Apple Worldwide Developers Conference 2008, Steve Jobs introduced the new iPhone 3G: 3G support, GPS, enterprise support (MS Exchange, Cisco VPN, etc.), support for additional languages and many more new features; the iPhone 3G will now be officially sold in 70 countries!


But what really makes me crazy is THE PRICE!!!! For the 8GB version of the iPhone 3G it’s only $199 !!!!! WOW! Amazing! I can’t wait until I get my own iPhone 3G ;-)

There is also a new SDK available that makes mobile application development as easy as never before.

I definitely recommend watching the keynote from the WWDC conference.

Firefox 3.0 is out!

It’s still not available through (it will be from 10:00AM PDT {19:00 CET}) but it’s already available on the official FTP server.

Get it from

June 16, 2008

Graduation Informational Card

Here in Slovakia, there is a custom that graduates send small cards to their friends and relatives, to inform them about their graduation. This is usually just a small paper card with the university name, graduation ceremony place, … and it is usually sent by postal mail. Well, here is my card:


It’s in Slovak, but the English translation could be: Jozef Janitor is pleased to announce that, after successfully finishing his studies at the Technical University of Kosice, Faculty of Electrical Engineering and Informatics, he will graduate as Engineer (MSc) on the 20th of June 2008 at 10:00AM in the House of Arts.

I have been awarded – Activity of the year 2007/2008

During the Annual Slovak and Czech Cisco Networking Academy conference (12.-14. June 2008) in High Tatras I have been awarded with the Activity of the year 2007/2008 in Slovakia.

As they said, it was for my long-time work on Packet Tracer publications, emulation and simulation software reviews, teaching, deploying and presenting IP telephony courses in Slovakia, Ukraine, Poland and the Czech Republic, and for leading the development of the NCTT NetAcad Curricula Translation Tool. I was quite surprised, and I started smiling when I heard all these activities in a row, because I knew that at the end there must be my name :-) And it was :-D

Thank you very much Cisco Networking Academy!


From left: Karol Kniewald (AAM CZ), me, John Edwards (Cisco EMEA), Frantisek Jakab (AAM SR)

June 4, 2008


6 years of university master’s studies are finished. Today at 3:00PM I have successfully graduated with A A A grades.

Best regards,
   Ing. Jozef Janitor

June 3, 2008

(hopefully) The last night as non-Ing. (non-M.Sc.)

Hopefully, tomorrow I will finish my MSc studies at the Technical University of Kosice, Faculty of Electrical Engineering and Informatics, Department of Computers and Informatics, with an MSc degree :-D Here in Slovakia the MSc studies are called “engineer” studies, so my official degree will not be “M.Sc.” but “Ing.”, an acronym for the word “Inžinier” (Engineer).

The last 6 years of my studies at the university now look as if I had begun my first semester just recently. It went really quickly, and if someone asks me what the university was about, what it has given me, I would probably answer: new thinking, ideas, skills and friends. The university wasn’t really about learning how to write programs in Java or C#, or how to configure a Cisco device. It was more about theoretical ideas, finding out how things really work, what’s in the background behind the technologies; it was about learning to think with an open mind and learning to learn. Now, standing here at the end, I have to say that it was a pretty good time (some things could maybe have been different, but nothing is ideal) :-)

I would like to send a big Thanks to everyone who has helped me through my studies and my life at the university. A big Thanks goes to the Computer Networks Laboratory, its members and Mr. Frantisek Jakab. A big Thanks goes also to my family!

Thank you.

My Master’s thesis was about VoIP. The title was “Efficient VoIP Solution for the Environment of the Technical University of Kosice”. In the thesis I described the differences between VoIP and TDM networks and outlined some aspects of VoIP technologies like QoS, security, etc. If you are interested in reading it, you will find it at

Unofficial Cisco Wiki :-)

Heyyaaaa! It seems that new wikis are opening every second :-) I was just writing about the official Cisco Wiki pages, and yet there is also an unofficial wiki for Cisco products. Ivan Pepelnjak has started a wiki that seems to be open for contributions after filling out a registration form. Ivan’s blog and his articles at are among my favorites. Hopefully this new wiki site will be very successful. Already there are some very interesting pages about BGP, EEM, TCL, etc.

Go ahead and check out

And don’t forget, we are more powerful together than we ever could be apart :-)

Official Cisco Wiki



Did you know that there is an official Cisco Wiki page? It’s at It seems that this wiki is not as open as Wikipedia is, and probably it’s edited only by Cisco employees :( You can contribute to this wiki by logging in (login link at the top of the page) with your CCO account (guest level is enough).

I have already found some interesting tips and solutions there. I definitely recommend checking it out and contributing to it :-)

Because we are more powerful together than we ever could be apart.

Run Linux (or Windows) in your Cisco ISR Router

Sounds good, doesn’t it? :) I remember the times when I flashed a Cisco 2500 series router with a ucLinux image. It was nice to see Linux booting on a Cisco router, even though it was unusable :-( The interfaces didn’t work at all; the only thing that worked was console access to the Linux CLI.

But this time I want to write about something different. Cisco was already using Linux as the base operating system on several products like Wireless LAN Controllers, ASA, etc. Cisco has lately announced a new Network Module, the Cisco Application eXtension Platform (AXP), available for Cisco ISR series routers, that contains a small motherboard with CPU, RAM and a hard disk drive.


The great thing about the AXP module is that a fully functional Linux operating system with basic tools comes preinstalled (and I have heard that there is also a Windows 2008 Server version). What’s more, there is an API that allows you to create your own Linux applications that directly interact with your Cisco ISR router. And as Cisco ISR routers are designed to be used in branch offices, you can now pretty easily integrate your email server, or whatever simple Linux (or perhaps Windows (Domain Controller)) application, into a single box, saving space and electrical power and making your network services management much simpler!

To find out more about AXP, please go to

HOWTO: Paste clipboard contents to a CMD.exe window

It was bugging me that when working in the Windows command line interface (cmd.exe) I couldn’t use the CTRL+V or Shift+Insert combination to paste text from the clipboard. I always had to use the mouse pointer, right click, and choose paste from the context menu. That was really annoying :-(

Fortunately I found a solution that makes pasting much simpler:

It’s a bit tricky, and it may take some time until you get the combination into your fingers, but it works :-) So the “magic” key combination is “ALT+Space e p”. That is, first press the ALT and the Space key at the same time. A window menu will be shown:


Then press the “e” key. That moves the selected menu option to Edit >. And finally press the “p” key to paste text from the Windows clipboard.


It’s just that simple. Made by Microsoft to be user-friendly :-)

May 12, 2008

Computer Tomography - CT

I was on a CT a few weeks ago. It was my first "experience" and I was a bit excited about it. When I arrived at the hospital, at the CT station, I had to wait about half an hour for my turn. The CT "machine" looked like a big circle (it was bigger than me, I guess) and at the top it had a Philips logo (let's make things better). Unfortunately I didn't take any picture of it :-(

Well, the CT itself took about 2 minutes or less and I got the results on a CD. You may guess what the first thing I did with that CD was :-D I had my laptop with me, so I woke it up (I don't remember the last time I clicked the Shutdown button in Windows, as I always just put my laptop to Sleep or Hibernate mode) and checked what was on the CD. There was some application for viewing the results, so I started it. And voilà, I was looking at my head from the inside :)

My head from side.

My head in layers from front.

There were about 400 photos taken and the provided application can create nice animations of those photos. Unfortunately I don't have any screen recording application installed here on my laptop so I cannot show it to you :-(

Write Code: Mind Wide Open

I was talking with a friend of mine about some programming stuff. He has got a school assignment to develop a simple game in C#. Well, the first thing that students usually start with is that they buy a book about C#. They read the book, and when the last page is over, they start with the development of their fabulous application. Now they know a lot of C# commands, structures and objects; we could maybe say that some of them are now even C# gurus (at least they know a bunch of commands). Now there is a problem. Many times I face people who, even though they know HOW to write code, do not know WHAT to write!

Many times they are missing the essential picture of the application's building blocks, relations, dependencies, application flow, etc. My suggestion for this case is to grab a pencil and paper, forget everything you know about C#, open your mind and start drawing and designing your application.

You can start with the user interface. If you know that the game will be minesweeper, draw a basic window, the control objects, the minefield, etc. Then start with the application analysis. Within the analysis you have to understand what exactly your application must do. After finishing the analysis part, you should have an activity diagram that clearly displays what actions may happen in your application and how to handle them. This part was the platform-independent analysis; for it, it is not necessary to know anything about C#. As you go deeper and deeper, your drawing will become more and more platform dependent, and for this game it should end up at the .net and C# platform.

So continue with deeper analysis and create the architecture of your application. Start thinking about the building blocks of your application: basic classes, interfaces, methods, their relations, dependencies, etc. Draw everything on your paper and take notes. Supporting applications like MindManager or FreeMind may help you collect your ideas and not forget anything.

After having completed all these steps, remember all the things that you learned about programming in C#, take a look at your drawings and notes, and now you should know HOW and WHAT to write in your source code!


A successful analysis at the beginning is about completely understanding the application, and it ensures that at the end of your application development you do not end up in a situation like the one displayed in this ^ picture :-)

April 30, 2008

Packet Generator

Are you looking for a powerful packet generator? You need nothing more but a Windows XP machine:


I made this screenshot maybe a year ago on a computer running Windows XP SP2. The screen says that in 1 hour 20 minutes, 19.262.375.378.395 packets were sent out from a network card. It must have been caused by some bug or a hardware error, but anyway, it's still funny :-)

April 29, 2008

There is No Internet Anymore! Now we are all Alone :-(

Just imagine it. How horrible it is even to think about it. What if there were no more Internet service?

What would you do then? What would you do without your emails, instant messages, life 2.0? What would you do without skype, youtube, google, myspace and your best friends (those you have never met IRL (in real life)) on facebook?

And there is no Internet to find out (e.g. google) why there is no Internet.

Well, finding the answer to this simple question is not easy. But the South Park creators have been smart enough to show us what would happen if there were no more Internet (at least in the town of South Park):

South Park: Season 12: Over Logging - part 1

South Park: Season 12: Over Logging - part 2

March 30, 2008

A world beyond network device simulators ...

You have probably already heard about different network device simulators like Boson NetSim, Cisco Packet Tracer, etc. All of these applications are capable of simulating few functions of network devices. The problem is that these applications are only simulators - they can only simulate features which were ported from real devices to algorithms into these simulators. And what's more, they will never be able to simulate real situations, as it would mean to rewrite the real codes from real devices to algorithms on simulators. This would be very expensive. On the other hand, there is one very big advantage of these simulators: you can pause, stop, restart, or do whatever with your simulated topology and simulated devices. You can even see animations of how are the packets flowing from point A to point B. In this way, network simulators are perfect tools for teaching network technologies as students learn not just the theory, but they can see how are these different packets exchanged between devices and what's happening to them.

So we can sum this up by saying that network device simulators are great for teaching and for low-level troubleshooting (e.g. CCNA level). When we face a situation where the simulators are not enough (lack of supported commands, features, etc.), we can try to get some real devices with the full feature set. If you work in a big networking company you may find a way to borrow spare devices from storage for testing, but generally it's a problem. Networking devices are sometimes very expensive, and it's definitely hard to get hold of higher-end devices like the Cisco 38xx, 45xx, 5xxx, 65xx, 72xx, 12xxx, ...

There are also virtual laboratories provided by training partners, where real devices are already interconnected into labs and the console ports are shared via telnet or another kind of remote CLI connection. You can then order and schedule these labs and use them for your training. It's especially handy when you are preparing for your next CC*P or CCIE :-)

The last option is a device emulator. Emulators "emulate" the real hardware: CPU, memory, interfaces, etc. VMware, MS Virtual PC and VirtualBox are applications that virtualise x86 PC hardware; with them you can build a virtual network of end devices. You may have seen emulators for game consoles like the PlayStation or the SNES, which emulate special hardware. The only disadvantage of emulators is that, because they emulate only the hardware, you still need an operating system to run on that virtual hardware. This sometimes means additional licenses for operating systems and applications. And now the best part: there is an emulator for Cisco gear too!

Dynamips emulates the MIPS CPUs used in most Cisco routers (and the PowerPC CPU of the 2600 series). It emulates not only the CPU but the whole chassis with many different network interfaces: LAN and WAN interfaces like Ethernet cards, ATM, Serial, T1, etc. It supports the Cisco 7200, 3700, 3600 and 2600 series platforms. You can run Dynamips on Linux, Windows and even Mac OS. You can even start Dynamips on several computers connected through a network and link the emulated boxes together over UDP tunnels. A pretty nice feature is also that you can connect a virtual interface of a router to a real interface of your PC; this way you can connect a bunch of virtual routers even to real gear. Because Dynamips only emulates the hardware, to actually use it you need an IOS image to run on it.


Dynagen is a wrapper around Dynamips which lets you create a topology of emulated routers. Dynagen reads the connection definitions from a lab file in a special INI-like format with the ".net" extension.


For a full-mesh lab of six 7200 routers, interconnected by serial links through a Frame Relay switch and by a shared Ethernet switch, the .net file contents are:

# Fullmesh topology
# Serial + Frame Relay + Switch
autostart = false
ghostios = true
sparsemem = true

# hypervisor section (the two header lines below are assumed: Dynamips running
# on this host with the default hypervisor port 7200; the [[7200]] block holds
# the defaults for every 7200 router in the lab)
[localhost]
    [[7200]]
    idlepc = 0x6262a240
    ghostios = true
    mmap = true
    image = c7200.bin
    npe = npe-400
    ram = 160
    disk0 = 32

    [[ROUTER R1]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 1
    S1/0 = R2 S1/0
    S1/4 = R6 S1/4
    S1/2 = R3 S1/2
    S1/3 = R4 S1/3
    S1/6 = R5 S1/6
    S1/7 = F1 1
    #F0/0 = SW1 1

    [[ROUTER R2]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 2
    S1/1 = R3 S1/1
    S1/5 = R4 S1/5
    S1/4 = R5 S1/4
    S1/3 = R6 S1/3
    S1/7 = F1 2

    [[ROUTER R3]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 3
    S1/4 = R4 S1/4
    S1/3 = R5 S1/3
    S1/5 = R6 S1/5
    S1/7 = F1 3

    [[ROUTER R4]]
    F2/0 = SW1 4
    S1/0 = R5 S1/0
    S1/2 = R6 S1/2
    S1/7 = F1 4

    [[ROUTER R5]]
    F2/0 = SW1 5
    S1/1 = R6 S1/1
    S1/7 = F1 5

    [[ROUTER R6]]
    F2/0 = SW1 6
    S1/7 = F1 6

    # Ethernet switch: all six routers in VLAN 1, dot1q trunks
    [[ETHSW SW1]]
    1 = dot1q 1
    2 = dot1q 1
    3 = dot1q 1
    4 = dot1q 1
    5 = dot1q 1
    6 = dot1q 1
    #7 = access 1
    #8 = dot1q 1 NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}

    # Frame Relay switch: port:DLCI = port:DLCI, full mesh between R1..R6
    [[FRSW F1]]
    1:102 = 2:201
    1:103 = 3:301
    1:104 = 4:401
    1:105 = 5:501
    1:106 = 6:601
    2:203 = 3:302
    2:204 = 4:402
    2:205 = 5:502
    2:206 = 6:602
    3:304 = 4:403
    3:305 = 5:503
    3:306 = 6:603
    4:405 = 5:504
    4:406 = 6:604
    5:506 = 6:605


For Dynagen you first have to start Dynamips in hypervisor mode (dynamips -H 7200) and then open the lab .net file in Dynagen. Note that the hypervisor port has no authentication at all: whoever can connect to it controls the emulated routers, so on a shared network bind it to the loopback address (dynamips -H 127.0.0.1:7200) or firewall the port. After entering the "telnet /all" command in Dynagen's console, new telnet windows open connected to the console ports of the emulated devices. Now you can start to configure your virtual devices :-)

One of my favorite features of Dynagen is the ability to capture packets into a Wireshark compatible file on a virtual wire that interconnects two emulated routers. In this way now you can sniff packets even on ATM or Serial interfaces! It's great for troubleshooting and learning more about networking.

GNS3 is like Dynagen on steroids :-D GNS3 is again a wrapper around Dynamips, but compared to Dynagen it has a graphical user interface and is much easier to use. What's more, the new version of GNS3 also supports Pemu, a PIX emulator built on Qemu.




Afaik, the official statement from Cisco (well, read the IOS license) is that you cannot run IOS on hardware other than genuine Cisco. So it looks like it might be "not legal" to use all this emulator stuff. You should definitely not use it for production networks, and don't try to sell it as a solution (virtual laboratories, etc.).

Router(config)# ip nat inside & outside ! at one interface

Let's consider the following situation. You have a network with 2 routers (one router and one L3 switch), as shown on this diagram:


The LAN uses private addresses (RFC1918) and is routed to the Internet via R2, an L3 switch. L3 switches such as R2 are generally not capable of NAT/PAT. So R2 simply forwards every packet from the LAN to the router R1, where we are going to do PAT (network and port address translation) for the private address range used in the LAN.

This situation is a bit tricky. In the normal case, where one router interface is connected to the LAN and another interface to the Internet, you put "ip nat inside" on the LAN interface and "ip nat outside" on the Internet interface, add an "ip nat inside source ..." command, and the NAT/PAT router is ready.


In our situation, however, router R1 has only one interface, which is connected to the Internet and carries the LAN traffic as well. If you try to put both "ip nat inside" and "ip nat outside" on the same interface, only the last one entered remains in the interface configuration. And, as you know, NAT is applied only to packets that travel between an inside interface and an outside interface.

The workaround is to create a loopback interface, configured with "ip nat inside", and use PBR (policy-based routing) on the Ethernet interface to send the packets arriving from the LAN (i.e. from R2) to a next hop on that loopback. The packets are "sent out" through the loopback, turn around inside the router and re-enter as if they had arrived on an inside interface; from there the default route takes them to the Internet through the Ethernet interface, which carries "ip nat outside". Now the inside-to-outside condition is met and NAT/PAT can be applied. Two things to check: the PBR next hop must be an address in the loopback's subnet other than the loopback's own address, and R1 needs a route for the LAN prefix pointing at R2, otherwise the un-translated return traffic would follow the default route back to the ISP instead of to the LAN.


R1's configuration:

R1#sh run
!Building configuration...
! The loopback interface used for turning packets around inside the router
interface Loopback0
 description NATLO
! This IP address can be anything, just keep the PBR next hop in the same subnet
 ip address
! Packets passing this interface are treated as coming from a NAT inside interface
 ip nat inside
! The single real interface, used for incoming and outgoing traffic alike
interface Ethernet1/0
 description Inet
! should be a public IP address
 ip address
! disable ICMP redirects - LAN packets leave through the interface they arrived on,
! so the router would otherwise tell R2 to bypass it
 no ip redirects
! Finally, when a packet flagged "nat inside" leaves this interface, NAT/PAT is applied
 ip nat outside
! Route incoming packets from the LAN by the PBR rules
 ip policy route-map toNat
! The default route to the Internet (ISP)
ip route
! ACL for PBR and NAT/PAT: the LAN address range
access-list 1 remark LAN_IPs
access-list 1 permit
! PAT as usual: translate the LAN range to the address of Ethernet1/0
ip nat inside source list 1 interface Ethernet1/0 overload
! and the PBR
route-map toNat permit 10
 match ip address 1
! The next hop must be an address in the Lo0 subnet other than the Lo0 address itself!
 set ip next-hop
R1#debug ip nat
*Mar 30 00:56:14.019: NAT: s=>, d= [90]
*Mar 30 00:56:14.119: NAT: s=, d=> [132]
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

You can find more information about this topic pretty well documented in the Cisco's paper called "Network Address Translation on a Stick". Enjoy :-)

March 29, 2008

Router(config)# banner ?

There are 3 different banner types on Cisco gear, and it is sometimes confusing which banner is displayed, and when, to a user connecting to the router. It depends on the protocol the user connects with; Cisco's documentation summarises it in this table:

Banner command   Telnet         SSH v1 only     SSH v1 and v2   SSH v2 only
banner login     before login   not displayed   before login    before login
banner motd      before login   after login     after login     after login
banner exec      after login    after login     after login     after login

("before login" = shown before the user authenticates; "after login" = shown once the session is authenticated.)

Note that an SSHv1 client never sees any banner before authenticating, so a legal "authorized use only" notice configured as banner login only reaches unauthenticated users over telnet or SSHv2. That is one more reason to allow only SSH version 2 (ip ssh version 2) and to put the legal notice into banner login rather than banner motd.

March 22, 2008

Http file upload with a progress bar indicator

I was looking for a solution for uploading a file through a web browser with a progress bar indicator. First I was thinking about AJAX with PHP. Unfortunately it looks like PHP does not provide any information about a file that is currently being uploaded, so most of the AJAX solutions are based on different CGI scripts.

I was almost ready to give it up, when I found a brilliant solution: Flash!

Flash has more programming possibilities than JavaScript and AJAX. What's more, newer Flash versions support external calls and event handling via JavaScript, so you can embed a Flash object in your web page and control it through JavaScript calls bound to buttons or any other HTML element. There are even frameworks that combine AJAX and Flash :)

SWFUpload is a Flash object for uploading files to a web server. As said above, it supports event handling through JavaScript and can be used to create a fancy, eye-candy file uploader with a progress bar indicator. And the best thing is that you hardly have to change anything on the server side: the same scripts, the same features. Keep in mind that the progress bar changes only the client; the server-side upload handler must still validate file size, type and destination path exactly as it did before, because anything the Flash client sends can be forged by a different client.


March 21, 2008

URL filtering and redirection with squid proxy server

A friend of mine who works at a high school asked me to help him with URL filtering for the students' PCs. Many times the students are just chatting or looking at some nasty web pages, which he wanted to block.

The school is connected to the Internet through a Linux server which acts as a router with NAT. For historical reasons there was also a squid proxy running in transparent mode on the server. This made the solution simpler; without a proxy I would probably have started to play with l7-filter and iptables.

Squid offers different methods to filter URLs. You can customise the squid.conf file where the configuration is stored and create ACLs to block some URLs. Or you can use an external redirector program, which squid asks about every request and which can redirect the URL based on its own settings.

First I tried the external redirector. SquidGuard is one option, but it sounded like using a sledgehammer to crack a nut. So I refreshed my Perl coding skills and created a Perl redirector script. The script keeps the list of blocked URLs in a file, as well as the list of source addresses which have full Internet access.

redirector script:

$ cat /usr/local/bin/
#!/usr/bin/perl -w
use strict;
# Squid 2.x redirect_program helper: squid writes "URL ip/fqdn ident method" lines,
# the helper answers with the URL unchanged (allow) or "302:<url>" (redirect the client).
my $db_white = "/usr/local/lib/squid_blocker_white.list"; # source IPs with full access
my $db_block = "/usr/local/lib/squid_blocker.list";       # URL regexes to block
$| = 1; # flush every answer immediately, otherwise squid waits for it

while (<>) {
        my @X = split;
        my $url = $X[0];
        my $src = $X[1];
        my $ip  = (split(/\//, $src))[0];  # "10.0.0.5/-" -> "10.0.0.5"
        my $found = 0;

        # the lists are re-read for every request, so edits apply without restarting squid
        open(DAT, $db_white) || die("cannot open $db_white: $!");
        my @white_data = <DAT>; close(DAT);
        foreach my $wip (@white_data) {
                $wip =~ s/\s+$//;
                # anchored match: "10.0.0.1" must not match 10.0.0.10 or 110.0.0.1
                if ($wip ne "" && $ip =~ m/^(?:$wip)$/) {
                        print "$url\n";
                        $found = 1;
                        last;
                }
        }
        if ($found == 0) {
                open(DAT, $db_block) || die("cannot open $db_block: $!");
                my @blocked_data = <DAT>; close(DAT);
                foreach my $burl (@blocked_data) {
                        $burl =~ s/\s+$//;
                        if ($burl ne "" && $url =~ m/$burl/i) {
                                print "302:\n"; # the redirect target URL goes after the colon
                                $found = 1;
                                last;
                        }
                }
                if ($found == 0) {
                        print "$url\n";
                }
        }
}

blacklist file:

$ cat /usr/local/lib/squid_blocker.list

whitelist file:

$ cat /usr/local/lib/squid_blocker_white.list

squid configuration for redirector:

$ grep squid_blocker /etc/squid/squid.conf
redirect_program /usr/local/bin/

Unfortunately this solution turned out to be slow. A standard web page took 3 times longer to load when the redirector was used. And for some weird reason, some parts of web pages didn't load at all :-( The advantages of this solution were that after updating the blocked URLs and allowed source IPs files it was not necessary to restart the proxy server, and the blocked URLs were redirected to another website. Next time I will try to write the redirector in C. It should have better performance then :)
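The same redirector decision logic in Python, as an added example that is not the page's script: it speaks the squid 2.x redirector line format ("URL ip/fqdn ident method" in, the URL or "302:<url>" out) and puts the original-style unanchored source check next to an anchored one, because a whitelist entry "10.1.0.1" matched as a substring also grants full access to 10.1.0.10. The block page URL and both lists are constructed for the example.

```python
#!/usr/bin/env python3
"""Decision logic for a Squid 2.x redirect_program helper (added example).

Squid hands the helper one request per line, "URL ip-address/fqdn ident method",
and expects either the unchanged URL (pass through) or "302:<url>" (redirect).
"""
import ipaddress
import re
import sys

# Hypothetical block page that blocked requests are redirected to.
BLOCK_PAGE = "http://blocked.school.example/"

# Constructed sample whitelist: single IPs or CIDR networks with full access.
WHITE_SRC = ["10.1.0.1", "10.1.0.0/30"]

# Constructed sample blacklist: regexes anchored on the host part of the URL,
# so "facebook.com" cannot match a query string like "?ref=facebook.com".
BLACK_URL = [
    r"^https?://([^/]+\.)?facebook\.com(:\d+)?(/|$)",
    r"^https?://([^/]+\.)?myspace\.com(:\d+)?(/|$)",
]


def naive_src_allowed(src_field, entries):
    """Original style: unanchored regex search of each entry in the raw
    'ip/fqdn' field. "10.1.0.1" also matches "10.1.0.10/-" and "110.1.0.1/-",
    so unlisted hosts inherit full access."""
    return any(re.search(entry, src_field) for entry in entries)


def src_allowed(src_field, entries):
    """Hardened: parse the client IP and test it against each entry as a host
    address or a CIDR network; no substring matching at all."""
    ip = ipaddress.ip_address(src_field.split("/", 1)[0])
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in entries)


def url_blocked(url, patterns):
    """True when any blacklist regex matches the requested URL."""
    return any(re.search(pattern, url, re.IGNORECASE) for pattern in patterns)


def decide(request_line, white=WHITE_SRC, black=BLACK_URL):
    """Return the helper's reply line for one squid request line."""
    fields = request_line.split()
    if len(fields) < 2:
        return request_line.strip()  # malformed line: pass it through untouched
    url, src = fields[0], fields[1]
    if src_allowed(src, white):
        return url
    if url_blocked(url, black):
        return "302:" + BLOCK_PAGE
    return url


def main():
    # A helper must answer every line and flush at once, or squid waits forever.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Running it as the redirect_program gives the same behaviour as the Perl script; the difference worth copying back is the source check, which compares a parsed address against an address or network instead of running a regex over the "ip/fqdn" string.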

So I moved to the first mentioned option: ACLs in squid.conf. You can define an ACL whose contents are stored in an external file, so you don't have to write the blocked URLs directly into squid.conf. The line "http_access deny blacksites !blacksites_wip" below denies a request when the URL matches one of the regexes in the blacksites file and the client address is not listed in blacksites_wip.

squid configuration with ACL:

$ grep black /etc/squid/squid.conf
acl blacksites url_regex "/etc/squid/blacksites"
acl blacksites_wip src "/etc/squid/blacksites_wip"
http_access deny blacksites !blacksites_wip

blacklist file:

$ cat /etc/squid/blacksites

whitelist file:

$ cat /etc/squid/blacksites_wip

This solution has the best performance, but after each update of the blacklist or the whitelist file squid has to be told to re-read them; "squid -k reconfigure" does that without a full restart. Two limits apply to both solutions: they only see the traffic that is intercepted by the transparent proxy, i.e. plain HTTP, so HTTPS sites are not filtered at all; and the whitelist trusts the client's source IP address, so anybody who can configure a whitelisted address on his PC gets full access as well.


I have just heard an interesting story, which sounds a bit like a Spielberg movie script, and I want to share it with you:

It's the year 2010. People are living in the world as usual. One person, somewhere in a small city in India (or wherever else), suddenly becomes ill. It looks like it's just a flu. We face the flu every year, we have powerful medicines, so what? Nothing special, the person will get some antibiotics and hopes to be healthy again in a week. But his health is getting worse and worse. The antibiotics are not helping. He has to go to a hospital immediately.

The doctors start to worry that maybe it's something new, something unknown yet. And they are right. A researcher finds out in the laboratory that the virus is a new flu mutation. The doctors try to help the ill person, but they are helpless. The ill person dies within the next 3 days. There was no cure for him. Unfortunately, that's not the end yet. It's just the beginning (of the end). The virus has already started its journey among other people. First the nurses who were taking care of the ill person, then some of his friends, then the city where he lived and where the hospital was located.

After one week the virus is on every continent of the world. Doctors and researchers throughout the world are trying to find a cure. But they have no luck. Nothing works. They are becoming hopeless. The last hope is to find someone who is resistant to the virus. People start to visit hospitals to give samples of their blood. Hopefully someone will have some antigens against the virus in his blood.

There is a little 8-year-old boy standing outside in the hospital's yard with his father, waiting for their blood results. He asks his father, "When are we going back home?" "Well son, I think it's not worth waiting here. Let's go home," answers his father, when a doctor comes running in their direction, shouting "Sir! Sir! Wait please, please wait a second!" He stops where they are standing and with a big smile says that they have found the antigen that resists the virus. He continues: "Your son is resistant. His blood has something that protects him against the virus. Please come back with me, we have to do some additional tests!" Both father and son smile at each other and run back to the hospital with the doctor. There are already about 10 doctors waiting for them, and they start to run tests on the boy's blood. "Yes! Yes! Yes! Yes! We have really found it!" yells a doctor looking into his microscope. He seems to be very happy. He definitely is. They have just found something that will rescue all of mankind from death.

The father is waiting in the hall when another doctor comes out with a paper and a pen in his hand. He doesn't seem very happy, and he says: "Sir, we have found out that the blood of your son can help us to create an antivirus." "That's great! So when can we go home?" the father asks. "Well, to create the antivirus we need more of your son's blood. But because he is so young, the amount of blood we need to take from his body will kill him. I am here to ask you to sign this paper which will allow us to do this blood transfer. Your son will help to cure all the people in the world of this illness. I know it's a big price, but that's the only way. Please help us, help all the other people!" The father is at first very confused: he has to sacrifice his own son to help everyone, even himself. After long thinking and considering every other chance, he agrees and signs the paper. He goes to visit his son for the last time, when they have already started the blood transfer. His son smiles at him and asks him once again, "When are we going back home?" His father drops onto the bed where his son is lying and starts crying.

One year after the cure was found and the world went back to normal, people all around the world hold a celebration for this little boy who was sacrificed for them. During the celebration people drink, they start to argue with each other about different pointless topics, they start to fight, and they completely forget about the little boy. When the father sees this, he feels sorry for having sacrificed his son for all these people.

What would you sacrifice for mankind?

What's wrong with the weather???

About 3 weeks ago we had a few days of very nice sunny weather here, with +15°C outside.

But during the last week or so the weather here has been terrible :-( It's windy, rainy, cold and just about 6°C outside. What's happening to the weather?

During last autumn and the beginning of winter I was studying in Finland. I always thought the weather in Finland would be pretty cold; I was ready to face -30°C outside in December. But to my big surprise, the weather was not so cold there. Really, even when I was leaving on 21st December it was +1°C, and it was not snowing but raining! Fortunately they got some snow and colder weather at the beginning of the new year. But anyway, still not -30°C. On the other hand, they told me that a few years ago it was normal to have about -30°C during the winter, but the last years have been warmer.

I remember when I was younger (not that I am old now, I hope) we had white snow here every Christmas, Easter was sunny and warmer, and the summer was nicely warm from beginning to end without the high temperatures that can kill people. I hope that the current climate changes are only temporary and the weather will go back to normal. Otherwise I will get afraid about the future :-(

March 20, 2008

Howto build a CCNA rack?

This is how we do it at Regional Cisco Networking Academy at Technical University of Kosice, Slovakia:

March 14, 2008

Skype into Pidgin

Eion Robb has created a plugin for Pidgin which integrates Skype contacts into Pidgin. After installing and setting up the plugin in Pidgin, you can use Pidgin to talk with your friends on Skype. I love it!




OpenDNS is a service providing free DNS resolvers and a bit more in some additional services. If you register at OpenDNS, you get an account which is then used to manage the behaviour of the DNS resolving process. You can, for example, block access to some web sites, or create aliases so you don't have to remember or bookmark long Internet addresses, etc.

So if you are looking for a pretty good DNS service, maybe better than the one your service provider offers you, give OpenDNS a try.

OpenDNS DNS servers are available at address: and

Launch your Launchy

I included an application called Launchy in my previous blog post about my favourite Windows applications. I think this fabulous application launcher is worth a blog post of its own.

Launchy is an interactive application launcher for Windows. It's like the Start->Run menu on very powerful steroids, and maybe even a bit more. On its first launch, Launchy creates an index of the applications in your Start menu and on your Desktop. When the indexing is complete, you can press the hot key combination (by default ALT+SPACE) to bring Launchy's window to the front. It's a nice-looking window where it's enough to type just the first few letters of your application's name and Launchy starts it. I really recommend giving this application at least a try :-)


Cisco Network Assistant

Have you just started at a smaller business whose network is Cisco based? You are not very experienced with Cisco devices and are looking for an easy-to-use management tool which would be free? Well, you have just found it :-)

Cisco Network Assistant is a free management tool for small networks based on Cisco devices. It allows dynamic network discovery, port and feature management, monitoring, etc. It can set up CCIE-level features just by clicking some buttons, which can in some cases be useful even for a skilled technician. With Cisco Network Assistant you can manage your smaller network from one application and from one place.

^ Network topology view in Cisco Network Assistant

^ Switch status

^ Information about devices

^ Security configuration wizard

Cisco Network Assistant can be downloaded from Cisco; for the download you will need a guest-level CCO account.

For those of you who don't want to use Cisco Network Assistant for centralised management but are looking for an easy way to configure Cisco devices, there may be another option. If you have an ISR series router, you will definitely also have a tool called Cisco Security Device Manager, or SDM, available.

^ SDM's main interface

SDM is a Java-based configuration and monitoring tool which is usually stored in the device's flash and is accessible through the device's web interface. Just enable the web server on your router (Router(config)# ip http server) and point your web browser at the address of your router. Since that web interface hands out full configuration access, prefer the HTTPS server (ip http secure-server) over the plain-text ip http server, authenticate against the local user database or AAA (ip http authentication local or aaa), and restrict the client addresses allowed to reach it with ip http access-class.

For more info about SDM go to