March 30, 2008

A world beyond network device simulators ...

You have probably already heard about the different network device simulators like Boson NetSim, Cisco Packet Tracer, etc. All of these applications are capable of simulating a few functions of network devices. The problem is that these applications are only simulators: they can only simulate the features which were ported from the real devices into the simulators' algorithms. What's more, they will never be able to simulate real situations, as that would mean rewriting the real code from the real devices into the simulators' algorithms, which would be very expensive. On the other hand, these simulators have one very big advantage: you can pause, stop, restart, or do whatever you like with your simulated topology and simulated devices. You can even see animations of how the packets flow from point A to point B. In this way, network simulators are perfect tools for teaching network technologies, as students learn not just the theory but can also see how the different packets are exchanged between devices and what happens to them.

So I think we can sum this up by saying that network device simulators are great for teaching and for low-level troubleshooting (e.g. at CCNA level). When we face a situation where the simulators are not enough for us (lack of supported commands, features, etc.), we can try to get some real devices with the full feature set. If you work in a big networking company, maybe you will find a way to get some spare devices from storage for testing, but generally it's a problem. Networking devices are sometimes very expensive, and it's definitely hard to get your hands on higher-end devices like the Cisco 38xx, 45xx, 5xxx, 65xx, 72xx, 12xxx, ...

There are some virtual laboratories provided by training partners, where real devices are already interconnected into labs and their console ports are shared via telnet or another type of remote CLI connection. You can then order and schedule these labs and use them for your training. It's especially handy when you are preparing for your next CC*P or CCIE :-)

The last option is to get a device emulator. Emulators "emulate" the real hardware: CPU, memory, interfaces, etc. VMware, MS Virtual PC and VirtualBox are applications capable of emulating x86 computer hardware. With these applications you can build up a virtual network of end devices. Maybe you have seen some emulators for game consoles, like PlayStation or SNES emulators, which emulate special hardware. The only disadvantage of emulators is that because they emulate only the hardware, you will still need an operating system to run on this virtual hardware. This sometimes means additional licenses for operating systems and applications. And now comes the best part: there is an emulator for Cisco gear too!

Dynamips is an emulator for the MIPS CPU platform. Most Cisco routers use MIPS CPUs. Dynamips emulates not only the CPU but the whole chassis with many different networking interfaces. It supports LAN and WAN interfaces like Ethernet cards, ATM, Serial, T1, etc. It supports emulation of the Cisco 7200, 3700, 3600 and 2600 series platforms. You can run Dynamips on Linux, Windows and even MacOS. You can even start Dynamips on several computers connected through a network and then connect the Dynamips-emulated boxes together via IP sockets. Another pretty nice feature is that you can connect a virtual interface of a router to a real interface of your PC. In this way you can connect a bunch of virtual routers even to real gear! Because Dynamips only emulates the Cisco chassis with the CPU and so on, if you want to really use it you will need an IOS image file to run on it.


Dynagen is a wrapper around Dynamips which allows you to create a topology based on the emulated routers. Dynagen reads the connection definitions from a lab file in its own format, saved with the ".net" extension.


For this topology, the .net file contents are:

# Fullmesh topology
# Serial + Frame Relay + Switch
autostart = false
ghostios = true
sparsemem = true


    idlepc = 0x6262a240
    ghostios = true
    mmap = true
    image = c7200.bin
    npe = npe-400
    ram = 160
    disk0 = 32

    [[ROUTER R1]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 1
    S1/0 = R2 S1/0
    S1/4 = R6 S1/4
    S1/2 = R3 S1/2
    S1/3 = R4 S1/3
    S1/6 = R5 S1/6
    S1/7 = F1 1
    #F0/0 = SW1 1

    [[router R2]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 2
    S1/1 = R3 S1/1
    S1/5 = R4 S1/5
    S1/4 = R5 S1/4
    S1/3 = R6 S1/3
    S1/7 = F1 2

    [[router R3]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 3
    S1/4 = R4 S1/4
    S1/3 = R5 S1/3
    S1/5 = R6 S1/5
    S1/7 = F1 3

    [[router R4]]
    F2/0 = SW1 4
    S1/0 = R5 S1/0
    S1/2 = R6 S1/2
    S1/7 = F1 4

    [[router R5]]
    F2/0 = SW1 5
    S1/1 = R6 S1/1
    S1/7 = F1 5

    [[router R6]]
    F2/0 = SW1 6
    S1/7 = F1 6

    [[ethsw SW1]]
    1 = dot1q 1
    2 = dot1q 1
    3 = dot1q 1
    4 = dot1q 1
    5 = dot1q 1
    6 = dot1q 1
    #7 = access 1
    #8 = dot1q 1 NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}

    [[FRSW F1]]
    1:102 = 2:201
    1:103 = 3:301
    1:104 = 4:401
    1:105 = 5:501
    1:106 = 6:601
    2:203 = 3:302
    2:204 = 4:402
    2:205 = 5:502
    2:206 = 6:602
    3:304 = 4:403
    3:305 = 5:503
    3:306 = 6:603
    4:405 = 5:504
    4:406 = 6:604
    5:506 = 6:605
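As an added example (not from the post and not part of Dynagen itself), this Python script parses the connection lines of a .net file like the one above and checks that the router topology is really a full mesh: every router pair has exactly one link and no interface is declared on two links (Dynagen expects each link to be declared on one side only). The embedded file is a constructed three-router cut-down with the same syntax as the post's file.

```python
import re
from collections import Counter
from itertools import combinations

# Constructed three-router cut-down of the post's lab file, same syntax.
SAMPLE_NET = """\
# Fullmesh topology (constructed sample)
autostart = false
    [[ROUTER R1]]
    F0/0 = NIO_gen_eth:\\Device\\NPF_{placeholder}
    F2/0 = SW1 1
    S1/0 = R2 S1/0
    S1/2 = R3 S1/2
    S1/7 = F1 1
    [[router R2]]
    F2/0 = SW1 2
    S1/1 = R3 S1/1
    S1/7 = F1 2
    [[router R3]]
    F2/0 = SW1 3
    S1/7 = F1 3
    [[ethsw SW1]]
    1 = dot1q 1
    [[FRSW F1]]
    1:102 = 2:201
"""

# [[kind NAME]] section headers; Dynagen accepts any case for the kind
SECTION = re.compile(r"^\[\[\s*(\w+)\s+(\S+)\s*\]\]$", re.IGNORECASE)

def parse_links(text):
    """Return (routers, links) where links are (router, iface, peer, peer_port) tuples.

    peer is another router, a switch name, or "host" for NIO_* bindings.
    Only [[router NAME]] sections are walked; switch sections, the unnamed
    defaults section and global options are ignored.
    """
    routers, links, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            kind, name = m.group(1).lower(), m.group(2)
            section = name if kind == "router" else None
            if section:
                routers.append(name)
            continue
        if section is None or "=" not in line:
            continue
        iface, _, target = (p.strip() for p in line.partition("="))
        if target.startswith("NIO_"):
            links.append((section, iface, "host", target))
        else:
            peer, _, port = target.partition(" ")
            links.append((section, iface, peer, port.strip()))
    return routers, links

def check_full_mesh(text):
    """Return a list of problems; empty means every router pair has exactly
    one direct link and no router interface appears in two links."""
    routers, links = parse_links(text)
    problems, used = [], set()
    for router, iface, peer, port in links:
        ends = [(router, iface)]
        if peer in routers:          # router-to-router link: both ends are interfaces
            ends.append((peer, port))
        for end in ends:
            if end in used:
                problems.append(f"{end[0]} {end[1]} used twice")
            used.add(end)
    pairs = Counter(frozenset((r, p)) for r, _, p, _ in links if p in routers)
    for a, b in combinations(routers, 2):
        n = pairs[frozenset((a, b))]
        if n != 1:
            problems.append(f"{n} links between {a} and {b}")
    return problems

if __name__ == "__main__":
    print(check_full_mesh(SAMPLE_NET) or "full mesh OK")
```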


For Dynagen you have to start Dynamips in "Hypervisor" mode, and then open the lab .net file in Dynagen. After entering the "telnet /all" command in Dynagen's console, new telnet windows will open, connected to the console ports of the emulated devices. Now you can start configuring your virtual devices :-)

One of my favorite features of Dynagen is the ability to capture packets into a Wireshark-compatible file on the virtual wire that interconnects two emulated routers. In this way you can now sniff packets even on ATM or Serial interfaces! It's great for troubleshooting and for learning more about networking.

GNS3 is like Dynagen on steroids :-D GNS3 is again a wrapper around Dynamips, but unlike Dynagen it has a graphical user interface and is much easier to use. What's more, the new version of GNS3 also supports Pemu, which is a PIX emulator built on Qemu.




Afaik, the official statement from Cisco (well, read the IOS license) is that you cannot run IOS on hardware other than genuine Cisco. So it looks like it might be "not legal" to use all this emulator stuff. You should definitely not use it for production networks, and don't try to sell it as a solution (virtual laboratories, etc.)

Router(config)# ip nat inside & outside ! at one interface

Let's face a situation. You have a network with 2 routers (one router and one L3 switch), as you can see on this diagram:


The LAN uses private addresses (RFC1918) and is routed to the Internet via the R2 L3 switch-router. L3 switch-routers like R2 are generally not capable of doing NAT/PAT (it may be just an L3 switch). So the switch-router R2 just sends each packet from the LAN to the router R1, where we are going to do PAT (network + port address translation) for the private address range used in the LAN.

This situation is a little bit tricky. In a normal situation, where one interface of a router is connected to the LAN and another interface is connected to the Internet, you can add "ip nat inside" to the LAN interface and "ip nat outside" to the Internet interface, add some "ip nat inside source ..." commands to the configuration, and the NAT/PAT router is ready.


Well, in our situation we have the router R1 with only one interface, which is connected to the Internet and is used to route the LAN traffic as well. If you try to put both "ip nat inside" and "ip nat outside" on the same interface, only one of these commands will remain in the interface configuration (the last one entered). And as you know, the NAT process is applied only to packets which travel from an inside interface to an outside interface.

The workaround for this situation is to create a loopback interface, which PBR (Policy Based Routing) will use as the next-hop interface for packets coming from the LAN network (behind R2) into the Ethernet interface of the router R1. The loopback is configured with the "ip nat inside" command. After the packets go through the loopback interface, they have passed through an "ip nat inside" interface and continue their journey to the Internet. The path to the Internet is over the Ethernet connection, where we can put the "ip nat outside" configuration command. This means that when packets from the LAN arrive at the router R1, they are sent through the loopback interface, where they turn back, but now carry the "nat inside" flag. On the way back (to the Internet via the default route) they leave the router on the "nat outside" Ethernet interface. Obviously, now we can apply the NAT/PAT process to these packets.


R1's configuration:

R1#sh run
!Building configuration...
! The special loopback interface used for turning packets around inside the router
interface Loopback0
 description NATLO
! This IP address can be anything, just update the next hop in the PBR route-map accordingly
 ip address
! Let's mark packets going through this interface as packets with the nat inside flag
 ip nat inside
! This is the actual real interface used for incoming and outgoing traffic as well
interface Ethernet1/0
 description Inet
! should be a public IP address
 ip address
! disable ICMP redirect messages - may be useful
 no ip redirects
! Finally, when we get a packet flagged with "nat inside", the router can apply the NAT/PAT process
 ip nat outside
! Route incoming packets from the LAN by the PBR rules
 ip policy route-map toNat
! The default route to the Internet (ISP)
ip route
! ACL for PBR and NAT/PAT
access-list 1 remark LAN_IPs
access-list 1 permit
! PAT as always
ip nat inside source list 1 interface Ethernet1/0 overload
! and the PBR
route-map toNat permit 10
 match ip address 1
! The next hop should be an IP address from the Lo0 IP network (except the Lo0 address itself!)
 set ip next-hop
R1#debug ip nat
*Mar 30 00:56:14.019: NAT: s=>, d= [90]
*Mar 30 00:56:14.119: NAT: s=, d=> [132]
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

You can find more information about this topic, pretty well documented, in Cisco's paper called "Network Address Translation on a Stick". Enjoy :-)
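As an added example (not from the post), here is a small Python model of the forwarding steps described above, with constructed addresses in place of the blank ones in the configuration. It shows that PAT only fires for a packet that enters on a "nat inside" interface and leaves on a "nat outside" one, and how the Loopback0 next hop set by the toNat route-map achieves that with a single real interface.

```python
import ipaddress

# Constructed addressing (the post leaves the real addresses blank):
# Ethernet1/0 = 203.0.113.2/30 (public), Loopback0 = 10.255.255.1/30,
# LAN = 192.168.0.0/16 (access-list 1), default route via 203.0.113.1.
LAN = ipaddress.ip_network("192.168.0.0/16")
ISP_NEXT_HOP = ipaddress.ip_address("203.0.113.1")

# Interface name -> (connected network, own address, NAT role from "ip nat inside/outside")
INTERFACES = {
    "Ethernet1/0": (ipaddress.ip_network("203.0.113.0/30"),
                    ipaddress.ip_address("203.0.113.2"), "outside"),
    "Loopback0":   (ipaddress.ip_network("10.255.255.0/30"),
                    ipaddress.ip_address("10.255.255.1"), "inside"),
}

def egress_for(next_hop):
    """Pick the interface whose connected network contains the next hop."""
    for name, (net, _addr, _role) in INTERFACES.items():
        if next_hop in net:
            return name
    raise ValueError(f"no connected interface for next hop {next_hop}")

def forward(src, dst, ingress, pbr_next_hop=None):
    """Walk one packet through R1 and return (hops, translated_src).

    hops is a list of (ingress, egress) pairs; translated_src is the source
    address after PAT (unchanged when no translation happened).
    pbr_next_hop models "ip policy route-map toNat" on Ethernet1/0: LAN packets
    arriving there are sent to that next hop, which lies in Loopback0's
    network but is not Loopback0's own address.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = []
    while True:
        if ingress == "Ethernet1/0" and pbr_next_hop is not None and src in LAN:
            next_hop = ipaddress.ip_address(pbr_next_hop)  # route-map toNat, match ip address 1
        else:
            next_hop = ISP_NEXT_HOP                        # default route to the ISP
        egress = egress_for(next_hop)
        hops.append((ingress, egress))
        in_role, out_role = INTERFACES[ingress][2], INTERFACES[egress][2]
        if in_role == "inside" and out_role == "outside":
            # "ip nat inside source list 1 interface Ethernet1/0 overload"
            src = INTERFACES[egress][1]
        if egress != "Loopback0":
            return hops, str(src)
        # A packet routed towards the loopback is turned around: it re-enters
        # the router with Loopback0 as its ingress interface and is routed again.
        ingress = "Loopback0"

def with_pbr():
    return forward("192.168.10.20", "198.51.100.80", "Ethernet1/0", pbr_next_hop="10.255.255.2")

def without_pbr():
    return forward("192.168.10.20", "198.51.100.80", "Ethernet1/0")

if __name__ == "__main__":
    for label, fn in (("with PBR", with_pbr), ("without PBR", without_pbr)):
        hops, src = fn()
        path = " -> ".join(f"in {i} / out {o}" for i, o in hops)
        print(f"{label}: {path}; source leaves as {src}")
```

Without the route-map the packet enters and leaves on the same "outside" interface, so it is forwarded to the ISP with its private source address untranslated.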

March 29, 2008

Router(config)# banner ?

There are 3 different banner types on Cisco gear. Sometimes it might be a bit confusing when the configured banner type will be displayed to the user who is connecting to the router. There is a nice description of banners at:

Banner Command Option   Telnet                    SSH v1 only               SSH v1 and v2             SSH v2 only
banner login            Displayed before login    Not displayed             Displayed before login    Displayed before login
banner motd             Displayed before login    Displayed after login     Displayed after login     Displayed after login
banner exec             Displayed after login     Displayed after login     Displayed after login     Displayed after login

March 22, 2008

Http file upload with a progress bar indicator

I was looking for a solution for uploading a file through a web browser with a progress bar indicator. First I was thinking about AJAX with PHP. Unfortunately, it looks like PHP does not provide any information about the file which is currently being uploaded. So most of the AJAX solutions are based on different CGI scripts.

I was almost ready to give it up, when I found a brilliant solution: Flash!

Flash has more programming possibilities than JavaScript and AJAX. What's more, new Flash versions have support for external calls and event handling via JavaScript! So you can include a Flash object in your web page and control it through JavaScript calls, which can be bound to buttons or any other HTML object. There are even frameworks which combine AJAX and Flash together :)

SWFUpload is a Flash object for uploading files to a web server. As said above, it supports event handling through JavaScript and can be used to create a fancy, eye-candy file uploader with a progress bar indicator. And the best thing is that you hardly have to change anything on the server side. The same scripts, the same features.


March 21, 2008

URL filtering and redirection with squid proxy server

A friend of mine who works at a high school asked me to help him with URL filtering for the students' PCs. Many times the students are just chatting or looking at some nasty web pages, which he wanted to block.

The school is connected to the Internet through a Linux server which acts as a router with NAT. For historical reasons there was also a squid proxy running in transparent mode on the server. This made the solution simpler. Without a proxy I would probably have started to play with l7-filter and iptables.

Squid offers different methods to filter URLs. You can customize the squid.conf file, where the configuration is stored, and create ACLs to block some URLs. Or you can use external applications which will redirect the URL based on different settings.

First I tried the external redirector. SquidGuard is one option, but it sounded like using a hammer on a fly. So I refreshed my Perl coding skills and created a Perl redirector script. The script allows you to store the list of blocked URLs in a file, as well as the list of source addresses which have full Internet access.

redirector script:

$ cat /usr/local/bin/
#!/usr/bin/perl -w
use strict;
$| = 1;   # unbuffered STDOUT: squid waits for one answer line per request line
my $db_block = '/usr/local/lib/squid_blocker.list';        # blocked URL patterns, one per line
my $db_white = '/usr/local/lib/squid_blocker_white.list';  # source IPs with full access, one per line
my $redirect = '';   # URL of the "blocked" page; the real value is not shown in this post
# Read a list file into trimmed, non-empty lines (re-read per request, so edits need no restart)
sub read_list {
        my ($file) = @_;
        open(DAT, $file) || die("$file: $!");
        my @lines = grep { $_ ne '' } map { s/\s+$//; $_ } <DAT>;
        close(DAT);
        return @lines;
}

while (<>) {
        # squid hands over: URL src-ip/fqdn ident method
        my @X = split;
        my $url = $X[0];
        my $src = $X[1];
        my $found = 0;
        # whitelisted source addresses get the URL back unchanged
        foreach my $wip (read_list($db_white)) {
                if ($src =~ m/$wip/) {
                        print "$url\n";
                        $found = 1;
                        last;
                }
        }
        if ($found == 0) {
                # blocked URLs are answered with a 302 redirect to the "blocked" page
                foreach my $burl (read_list($db_block)) {
                        if ($url =~ m/$burl/i) {
                                print "302:$redirect\n";
                                $found = 1;
                                last;
                        }
                }
                if ($found == 0) {
                        print "$url\n";
                }
        }
}

blacklist file:

$ cat /usr/local/lib/squid_blocker.list

whitelist file:

$ cat /usr/local/lib/squid_blocker_white.list

squid configuration for redirector:

$ grep squid_blocker /etc/squid/squid.conf
redirect_program /usr/local/bin/

Unfortunately, this solution turned out to be slow. A standard web page took 3 times longer to load when the redirector was used. And for some weird reason, some parts of web pages didn't load at all :-( The advantages of this solution were that after updating the blocked URLs and allowed source IPs files it was not necessary to restart the proxy server, and that the blocked URLs were redirected to another website. Next time I will try to write the redirector in C. It should have better performance then :)

So I moved to the first mentioned option: ACLs in squid.conf. You can define an ACL whose contents are stored in an external file, so you don't have to write the blocked URLs directly into the squid.conf file.

squid configuration with ACL:

$ grep black /etc/squid/squid.conf
acl blacksites url_regex "/etc/squid/blacksites"
acl blacksites_wip src "/etc/squid/blacksites_wip"
http_access deny blacksites !blacksites_wip

blacklist file:

$ cat /etc/squid/blacksites

whitelist file:

$ cat /etc/squid/blacksites_wip

This solution works with the best performance, but after each update in the blacklist or the whitelist file it is necessary to restart the squid proxy server.
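As an added example that is not part of the original post, the Python script below evaluates the "http_access deny blacksites !blacksites_wip" rule offline against the two list files, and rejects a blacksites file containing a regex that squid could not compile, so a list update can be checked before the restart the post mentions. The list contents and client addresses are constructed; the post does not show its real lists.

```python
import re
import ipaddress

# Constructed stand-ins for /etc/squid/blacksites (url_regex, one pattern per line)
BLACKSITES = """\
# blocked URL patterns
chat\\.example
^http://games\\.example\\.org/
"""
# Constructed stand-in for /etc/squid/blacksites_wip (src: addresses or networks)
BLACKSITES_WIP = """\
# sources with full Internet access
10.0.0.5
10.0.1.0/24
"""

def load_url_regex(text):
    """Parse a url_regex list file; raise on a broken regex (squid would refuse to start)."""
    patterns = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as e:
            raise ValueError(f"blacksites line {n}: bad regex {line!r}: {e}") from e
    return patterns

def load_src(text):
    """Parse a src list file into IP networks (a bare address becomes a /32)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def http_access(url, src, patterns, whitelist):
    """Evaluate 'http_access deny blacksites !blacksites_wip' for one request.

    Returns "deny" when the URL matches the blacklist AND the client is not
    whitelisted; otherwise "allow". The later http_access lines of a real
    squid.conf are not modelled.
    """
    client = ipaddress.ip_address(src)
    blacklisted = any(p.search(url) for p in patterns)
    whitelisted = any(client in net for net in whitelist)
    return "deny" if blacklisted and not whitelisted else "allow"

def check(url, src):
    """Dry-run one request against the constructed list files above."""
    return http_access(url, src, load_url_regex(BLACKSITES), load_src(BLACKSITES_WIP))

if __name__ == "__main__":
    for url, src in (("http://chat.example.com/room", "10.0.2.7"),
                     ("http://chat.example.com/room", "10.0.0.5")):
        print(f"{src} -> {url}: {check(url, src)}")
```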


I have just heard an interesting story, which sounds a bit like a Spielberg movie script, and I want to share it with you:

It's the year 2010. People are living their lives in the world. One person, somewhere in a small city in India (or wherever else), suddenly becomes ill. It looks like it's just the flu. We face the flu every year, we have powerful medicines, so what? Nothing special; the person gets some antibiotics and hopes that he will be healthy again in a week. But his health is getting worse and worse. The antibiotics are not helping. He has to go to a hospital immediately.

The doctors are starting to become worried that maybe it's something new, something unknown yet. And they are right. A researcher finds out in the laboratory that the virus is a new flu mutation. The doctors are trying to help the ill person, but they are hopeless. The ill person dies within the next 3 days. There was no cure for him. Unfortunately, that's not yet the end. It's just the beginning (of the end). The virus has already started its journey among other people. First the nurses who were taking care of the ill person, then some of his friends, then the city where he was living and where the hospital was located.

After one week the virus is on every continent of the world. Doctors and researchers throughout the world are trying to find the cure. But they have no luck. Nothing works. They are becoming hopeless. The last hope is to find someone who is resistant to the virus. People are starting to visit hospitals to give a sample of their blood. Hopefully someone will have some antigens against the virus in his blood.

There is a little 8-year-old boy standing outside in the hospital's yard with his father, waiting for their blood results. He asks his father, "When are we going back home?" "Well son, I think it's not worth waiting here. Let's go home," answers his father, when a doctor comes running in their direction, saying out loud, "Sir! Sir! Wait please, please wait for a second." He stops where they are standing and with a big smile says that they have found the antigen which is resistant to the virus. He continues, "Your son is resistant. His blood has something which protects him against the virus. Please, come back with me, we have to make some additional tests!" Both father and son start to smile at each other and they run back with the doctor to the hospital. There are already about 10 doctors waiting for them, and they start to make some tests with the boy's blood. "Yes! Yes! Yes! Yes! We have really found it!" yells a doctor who is looking into his microscope. He seems to be very happy. He definitely is. They have just found something that will rescue all of mankind from death.

The father is waiting in the hall when another doctor comes out with a paper and a pen in his hand. He doesn't seem to be very happy, and he starts saying, "Sir, we have found out that the blood of your son can help us to create an antivirus." "That's great! So when can we go home?" the father asks. "Well, to create the antivirus we need more of your son's blood. But because he is so young, the amount of blood we need to take from his body will kill him. I am here to ask you to sign this paper which will allow us to do this blood transfer. Your son will help to cure all the people in the world of this illness. I know it's a big price, but that's the only way. Please help us, help all the other people!" The father is at first very confused; he has to sacrifice his own son to help everyone, even himself. After long thinking and considering every other chance, he agrees and signs the paper. He goes to visit his son for the last time, when they have already started the blood transfer. His son is smiling at him and asks him once again, "When are we going back home?" His father drops onto the bed where his son is lying and starts crying.

One year after the cure was found and the world went back to normal, people all around the world hold a celebration for this little boy who was sacrificed for them. During the celebration people are drinking, they start to argue with each other on different pointless topics, they start to fight, and they absolutely forget about the little boy. When the father sees this, he feels sorry for sacrificing his son for all these people.

What would you sacrifice for mankind?

What's wrong with the weather???

About 3 weeks ago we had a few days of very nice sunny weather here, with +15°C outside.

But for the last week or so, the weather here has been terrible :-( It's windy, rainy, cold, and it's only about 6°C outside. What's happening to the weather?

During last autumn and the beginning of the winter I was studying in Finland. I always thought that the weather in Finland would be pretty cold; I was ready to face -30°C outside in December. But to my big surprise, the weather was not so cold there. Really, even when I was leaving on the 21st of December it was +1°C, and it was not snowing but raining! Fortunately they got some snow and colder weather at the beginning of the new year. But anyway, still not -30°C. On the other hand, they told me that a few years ago it was normal for it to be about -30°C during the winter, but the last few years have been warmer.

I remember when I was younger (not that I am old now, I hope) we had white snow here every Christmas, Easter was sunny and warmer, and the summer was nicely warm from the beginning to the end, without the high temperatures that can kill people. I hope that the current climate changes are only temporary and the weather will go back to normal. Otherwise I will get afraid about the future :-(

March 20, 2008

How to build a CCNA rack?

This is how we do it at Regional Cisco Networking Academy at Technical University of Kosice, Slovakia:

March 14, 2008

Skype into Pidgin

Eion Robb has created a plugin for Pidgin which integrates Skype contacts into Pidgin. After installing and setting up the plugin in Pidgin, you can use Pidgin to talk with your friends on Skype. I love it!




OpenDNS is a service providing free DNS resolvers and a bit more in some additional services. If you register at OpenDNS, you will get a username which is then used to manage the behavior of the DNS resolving process. You can, for example, block access to some web sites, or create aliases so you don't have to remember or bookmark long Internet addresses, etc.

So if you are looking for a pretty good DNS service, maybe better than the one your service provider offers you, give OpenDNS a try.

OpenDNS DNS servers are available at address: and

Launch your Launchy

I included an application called Launchy in my previous blog post about my favorite Windows applications. And I think it's worth writing a dedicated blog post about this fabulous application launcher.

Launchy is an interactive application launcher for Windows. It's like the Start->Run menu on very powerful steroids, and maybe even a bit more. After the first launch of Launchy, it creates an index of the applications in your Start menu and on your Desktop. When the indexing is complete, you can press the hotkey combination (by default ALT+SPACE) to bring Launchy's window to the front. It will bring up a nice looking window where it's enough to type just a few starting letters of your application and it will start it. I really recommend giving this application at least a try :-)


Cisco Network Assistant

Have you just joined a smaller business and your network is Cisco based? However, you are not very experienced with Cisco devices and you are looking for some easy-to-use management tool which would be free? Well, you have just found it :-)

Cisco Network Assistant is a free management tool for small networks based on Cisco devices. It allows dynamic network discovery, port and feature management, monitoring, etc. It can set up CCIE-level features just by clicking on some buttons, which can in some cases be very useful even for a skilled technician. With Cisco Network Assistant you can manage your smaller network from one application and from one place.

^ Network topology view in Cisco Network Assistant

^ Switch status

^ Information about devices

^ Security configuration wizard

You can download the Cisco Network Assistant at For downloading you will need a guest level CCO account.

For those of you who don't want to use Cisco Network Assistant for centralized management but are looking for an easy way to configure Cisco devices, there may be an option. If you have got an ISR series router, you will definitely also have available a tool called Cisco Security Device Manager, or SDM.

^ SDM's main interface

SDM is a Java-based configuration and monitoring tool which is usually stored in the device's flash and is accessible through the device's web interface. Just enable the web server on your router (Router(config)# ip http server) and point your web browser at the address of your router.

For more info about SDM go to


No, there is no space missing between "and" and "Linux". andLinux is an Ubuntu-based Linux distribution which is very special in one way: it runs directly on Windows. How? Well, here is the answer: the project is based on coLinux (Cooperative Linux).

coLinux is an older project which has ported the Linux kernel to a Windows executable file. So you can start the Linux kernel as a standard Win32 file, and with some special additions you can add disk storage, networking, etc. Sounds good, doesn't it? :-) In this way you can start your Linux system whenever you want, while you are in Windows. No need to reboot into Linux (e.g. dual boot), or to start VMware or another virtualization technique.

Well, so the guys behind the andLinux project have created an Ubuntu installation which runs on top of coLinux. But not just that. They have also added some additional tools from their own garage: they have added sound and graphics (X11) support, and even more: you can, for example, open PDF files in your Windows My Documents folder with an xpdf started through andLinux. And the best thing is that it's all packaged into a nice, user-friendly Windows installation package, so even a non-computer-geek can install it without major issues. It's really amazing! Guys, you have done a really great job!


You can access andLinux at

Let's play the game

Learning by playing is a pretty good teaching method. It makes the students' learning more enjoyable, and it's especially powerful when you teach younger people. While teaching some networking courses (CCNA, etc.) you can utilize this method very easily. For example, you can create a topology with a central core router which uses a routing protocol unknown to the students. They will have to find out whether it is RIP or OSPF or EIGRP or something else, and the first who finds the answer will put in an ACL to prohibit access for the other students :-) This challenging contest will make your class more entertaining :-)


Another good example comes directly from Cisco. It's a Flash-based game aimed at kids. Kids can learn through the game about different cultures, people in need, and also about data networks. It's a very good combination :) The game that I am talking about is the Peter Packet game.

Peter Packet is a game where the main hero, called "Peter Packet", saves (again) the world. Peter is a data network packet and he always carries some important piece of data (an email, etc.). He has to survive in the dangerous world of data networks, where viruses and hackers are trying to steal and destroy the important information that he is carrying. Players will learn about packets, routers, wifi, ...

You can find Peter Packet as well as other games at

And last but definitely not least, the Warriors of the Net movie. It's a movie about a network, which shows the functionality of network devices, the Internet, firewalls, etc. and the network journey from a source application to a destination server.

March 4, 2008

From Today, Life On The Network Will Be Better For Everyone

A few days ago I wrote a blog post about Cisco's plan to release something new on March 4th that will make life on the network better.

So the big news is: Cisco has released today a new powerful SP/Enterprise Edge Router - the Cisco ASR1000 Series Router.

The ASR1000 is an all-in-one solution for enterprises and service providers which brings together voice, video and data with QoS, security, high availability and high performance. All this is possible because of the new Cisco QuantumFlow network CPU chip developed by Cisco, which now makes the ASR1000 the most powerful enterprise edge router in the world! A brilliant development of the ASR1000 is that it concentrates devices which used to consume the space of a full rack into one small form factor solution which is only a few Us in size. The smaller version is just 2U.


The ASR1000 is not just a router; you can turn it into a firewall, IDS, IPS, VPN, QoS, SBC, etc. All these features at Gbit speeds! For more info, see the product's page.

Welcome to the network, where the network becomes an AnyPlay infrastructure!