June 1, 2009

Amazing web site with VoIP protocols flow

If you are wondering what messages should follow the SIP INVITE message, you can take a look at the official SIP RFC, or you can go to www.tech-invite.com where you will find amazing protocol flows with nice explanations.

And you can find not only general VoIP protocols at www.tech-invite.com, but also other telco protocols.

Sh*t happens, even with Chrome

While writing a new email in gmail, I was interrupted by the following error message:

Fortunately, after following the instruction to restart Chrome (btw: Chrome is my new favorite web browser, and even my parents like it ;-)), all previously opened tabs were successfully recovered and I was able to recover my almost finished email message from the Drafts folder in gmail.

Oh, btw: a few reasons why I like Chrome so much:

March 3, 2009

Packet Tracer 5.2 – Major update on security

I have just got my newsletter email from the Cisco Networking Academy. It talks about the upcoming version of Packet Tracer 5.2, which is going to bring huge changes on the security and QoS side! Packet Tracer 5.2 is going to be a ready-to-use and amazing tool that helps you get ready for the new CCNA Security certification. Oh, btw, the CCNA Security curriculum for the Cisco Networking Academy should be released somewhere around this summer.

Right now (3.3.2009) I don’t have any additional information on this release. Once a public beta version of PT5.2 is released, I will drop some screenshots and a review here.

Check out the List of new IOS commands in PT5.2.

UPDATE (31.6.2009):

So finally I have got my hands on the new beta (4) version of PT 5.2. It seems to be pretty stable (so far). Some new features that I’ve just noticed, summed up in a few screenshots:

There is a kind of updated startup splash screen ;-)

It looks like new extensions are automatically detected and may be enabled with a simple user interaction.

What’s really new is a new menu option available under Options->Algorithm Settings. It opens a window where you can set up some new security related features.

We can also add to the list of new features the ability to change a device’s icon, so that we can have customized icons for different devices. I am already thinking about a real life use of this feature while preparing new PT based assessments for my students.

You can also customize the security related settings per device. I wonder why I would need per device fine tuning of these settings, but hopefully I will find out soon ;-)

How could we talk about security without an AAA infrastructure? As you could have seen, PT was updated with new security related commands. Now you can, for example, do VTY access authentication against a central Radius server, export logging messages to a Syslog server, etc.

Packet Tracer is getting a really huge update on new protocols and features in this new release. If development continues like this, we can start teaching everything on PT ;-) But till then, we have a lot of real gear in our racks.

The new version of PT, version 5.2, should be released during this summer. Please do not ask me for download access. If you are a Cisco Networking Academy user, you will be able to download it from the Academy Connection website immediately after it is released. If you are not a Cisco Networking Academy user but want to access PT, contact the nearest Cisco Networking Academy in your area (or follow some older comments here ;-p).

December 30, 2008

WRT54GL as an 802.1x client (aka wrt54gl@eduroam)

… after quite a long time (again), here comes a simple HOWTO describing the process of running a Linksys WRT54GL as a wifi client with 802.1x authentication + WPA encryption, in this case for the international educational wifi roaming initiative – eduroam.

The Linksys WRT54g family of wifi routers has become quite popular in the past years as open, non-Linksys firmware became available for this device. If you own a WRT54g router, you might be familiar with the firmware files from dd-wrt or openwrt.

Basically, after flashing the WRT54g with the dd-wrt or openwrt firmware and thus replacing the genuine Linksys firmware, you get functionality out of the $60 router that is otherwise available on commercial $1000 routers. For example, the original Linksys firmware does not even contain a basic wifi client mode. The dd-wrt firmware is a ready to use firmware available in different flavors – with vpn functionality, with voip, or just “basic” functionality. Openwrt, by comparison, is in its basic form not so powerful: it contains only the basic stuff and no additional functionality. On the other hand, the advantage of openwrt is that it is nicely customizable and you can pretty easily install additional applications and functionality with a simple apt-get like utility. For this reason I am more used to the openwrt firmware, as it gives me more control over the box.

Well, a step into the $subject: a friend of mine asked me to help him connect his WRT54GL router as a client to our university wireless network. Our university wifi network uses mandatory 802.1x authentication + wpa or wpa2 encryption. A few years ago, even standard computers and laptops had issues connecting to an 802.1x secured wireless network, so what to expect from a small wifi router? Well, a lot :-)

The basic Linksys firmware does not even support wifi client mode on the WRT54GL. Obviously, the next step is to upgrade the firmware to something better. dd-wrt or openwrt? dd-wrt supports wifi client mode, even with static wep keys (maybe even wpa-psk?) but not with 802.1x authentication :-/ openwrt in its basic form does not support 802.1x, but fortunately a wpa_supplicant package is available already precompiled for this platform. wpa_supplicant is an EAP supplicant with 802.1x authentication + wpa/wpa2 support.

A few steps to make it work:

  1. Download the openwrt firmware from openwrt.org. Make sure to download a firmware based on the 2.6 kernel, as the 2.4 version uses the proprietary “nas” Broadcom utility to manage the wireless connection and it does not support 802.1x. I used the openwrt 8.09_RC1 based openwrt-wrt54g-squashfs.bin file.
  2. Download and install the wpa_supplicant package:
    opkg install http://downloads.openwrt.org/kam...s/wpa-supplicant_0.6.3-1_mipsel.ipk
    (or opkg update && opkg install wpa-supplicant)
    (the 8+ versions of openwrt use the “opkg” package management utility, pre-8 versions of openwrt used “ipkg”)
  3. Create a configuration file for the wpa_supplicant. The file may look like:
    root@OpenWrt:~# cat /etc/wpa_supplicant.conf
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    
    network={
           ssid="eduroam"
           scan_ssid=1
           key_mgmt=WPA-EAP
           eap=PEAP
           # with ca_cert commented out the RADIUS server's certificate is not
           # checked at all; point it at the eduroam CA once the router's clock
           # is set correctly (see the date handling in the startup script)
           #ca_cert="/etc/eduroam-ca.crt"
           anonymous_identity="user@domain"
           identity="user@domain"
           password="ThisMustBeAReallyStrongPassword"
           phase1="peaplabel=0"
           phase2="auth=MSCHAPV2"
    }
  4. Try it with
    wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
    This command will start the wpa_supplicant, scan for the “eduroam” ssid, connect to the AP and try to authenticate as user@domain. If everything is OK, it will print some OK messages at the end and also activate the wifi interface – wlan0. If you then start a dhcp client (udhcpc -i wlan0), you should get an IP address, and you can start pinging the Internet.
  5. Wrap it up: create startup scripts that at bootup start the wpa_supplicant, run the dhcp client, enable IP routing and NAT, and there you go. Ready :-)
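Before copying a configuration like the one in step 3 onto the router, it is worth linting the 802.1x-relevant settings, because a PEAP profile without ca_cert will happily run MSCHAPv2 against any access point that answers to the SSID, and an anonymous_identity equal to the real identity sends the username in clear text in the outer EAP exchange. The following script is an added example written for this post (not part of openwrt or wpa_supplicant); the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# check_wpa_conf.sh -- lint the 802.1x-relevant settings of a
# wpa_supplicant.conf before it goes onto the router.
# Hypothetical helper written for this post; not an openwrt tool.

# Print the value of KEY inside the network={...} block of FILE,
# ignoring commented-out lines. Empty output means "not set".
conf_value() {
    file=$1; key=$2
    sed -n '/^[[:space:]]*network={/,/^[[:space:]]*}/p' "$file" \
      | sed -n "s/^[[:space:]]*$key=\(.*\)\$/\1/p" \
      | head -n 1 | tr -d '"'
}

# Return 0 if the network block validates the RADIUS server
# certificate (ca_cert set and not commented out); 1 otherwise.
has_ca_cert() {
    [ -n "$(conf_value "$1" ca_cert)" ]
}

# Return 0 if the outer (anonymous) identity is set and differs from
# the real inner identity, so the username is not sent in clear text.
outer_identity_hidden() {
    inner=$(conf_value "$1" identity)
    outer=$(conf_value "$1" anonymous_identity)
    [ -n "$outer" ] && [ "$outer" != "$inner" ]
}

# Run all checks on FILE; print one line per finding and return the
# number of findings (0 = clean).
check_eap_conf() {
    findings=0
    if [ "$(conf_value "$1" key_mgmt)" != "WPA-EAP" ]; then
        echo "key_mgmt is not WPA-EAP"; findings=$((findings + 1))
    fi
    if ! has_ca_cert "$1"; then
        echo "ca_cert missing or commented out: server certificate is not validated"
        findings=$((findings + 1))
    fi
    if ! outer_identity_hidden "$1"; then
        echo "anonymous_identity missing or equal to identity: username sent in clear"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample mirroring the configuration in step 3 above.
write_sample_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
       ssid="eduroam"
       key_mgmt=WPA-EAP
       eap=PEAP
       #ca_cert="/etc/eduroam-ca.crt"
       anonymous_identity="user@domain"
       identity="user@domain"
       password="ThisMustBeAReallyStrongPassword"
       phase2="auth=MSCHAPV2"
}
EOF
}

# Usage: sh check_wpa_conf.sh /etc/wpa_supplicant.conf
if [ $# -gt 0 ]; then
    check_eap_conf "$1"
fi
```

Run against the sample configuration the script reports two findings (no ca_cert, outer identity equal to inner identity); uncommenting ca_cert and using a generic outer identity such as anonymous@domain brings it to zero.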

My startup scripts look like this (not so cool, but it works :):

root@OpenWrt:~# cat /etc/init.d/XStartEduroam
#!/bin/sh /etc/rc.common
#
# Jozef Janitor (c) 2008
#
# !!!
# make sure that this file has a +x (executable) flag
# enable this script with /etc/init.d/XStartEduroam enable
# don't forget to disable the preinstalled openwrt firewall script
# !!!

START=99

start() {

# Basic firewall and SNAT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br-lan -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -j DROP

# Set time - otherwise the default WRT's time makes problems
# with a certificate validation in wpa_supplicant
date "`cat /etc/dateToSet`"
date "`cat /etc/dateToSet.backup`"

# Start 802.1x authentication
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf &

# wait some time till the interface is authenticated
# and activated
sleep 5

# get the IP address from the DHCP server
udhcpc -i wlan0 &

# start the WatchDog to check if we have access
# to the Internet
/watchGW &

# sync time with the NTP server and store the local
# time into a file for reboot use
/updateDate &

}

root@OpenWrt:~# cat /watchGW
#!/bin/sh
#
# Jozef Janitor (c) 2008
#
# This is a "watchdog" script that checks the IP connectivity to a specified destination.
# When it's not available, restart the device.
#

echo "Starting GW watchdog"
echo "If host (1.1.1.1) is down, reboot"

# root@OpenWrt:/# ping -c 5 1.1.1.1
# PING 1.1.1.1 (1.1.1.1): 56 data bytes
# 64 bytes from 1.1.1.1: seq=0 ttl=59 time=3.199 ms
# 64 bytes from 1.1.1.1: seq=1 ttl=59 time=7.602 ms
# 64 bytes from 1.1.1.1: seq=2 ttl=59 time=3.212 ms
# 64 bytes from 1.1.1.1: seq=3 ttl=59 time=4.804 ms
# 64 bytes from 1.1.1.1: seq=4 ttl=59 time=2.827 ms
#
# --- 1.1.1.1 ping statistics ---
# 5 packets transmitted, 5 packets received, 0% packet loss
# round-trip min/avg/max = 2.827/4.328/7.602 ms

while true; do

   sleep 300

   out=`ping -c 5 1.1.1.1 2>&1`

   isFrom=`echo "$out" | grep "from"`

   if [ "x$isFrom" = "x" ]; then
      echo "!!!!!! REBOOTING !!!!!!!!!!" > /dev/tty
      sleep 5
      reboot
   fi

done

root@OpenWrt:~# cat /updateDate
#!/bin/sh
#
# Jozef Janitor (c) 2008
#
# Sync the actual time and store it in a file to be used after the reboot.
#

while true; do
        sleep 3600
        ntpclient -c 1 -h ntp.ubuntu.com -s
        date "+%F %R" > /etc/dateToSet
        sleep 1
        date "+%F %R" > /etc/dateToSet.backup
done

October 28, 2008

Are you ready?

I haven’t been publishing here for quite a long time. I have got busy with some work and school stuff. But hopefully I will get back onto this blogging road in the meantime :-)

Are you ready to see something BIG? Not yet? Well, that’s OK, you still have time to get ready till 11.11.2008.

On 11.11.2008 Cisco will announce something brand new – Don’t ask me what it is because I don’t know. I just found this information in the “Cisco Support Group for Uber User Internet Addicts” @ facebook. But as far as I know Cisco, it must be something GREAT & BIG :-)

October 16, 2008

Debian: Mark packages on hold

If you have installed some Debian/Ubuntu package that you don’t want to update through apt-get upgrades, you can put a HOLD flag on that package.

The HOLD flag keeps regular apt-get upgrade runs from touching that package. To put a package on HOLD, use the following command:

echo {PACKAGENAME} hold | dpkg --set-selections

root@recorder:~# echo vlc hold | dpkg --set-selections
root@recorder:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  vlc vlc-nox
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
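Putting the hold in place is half the job; you also want to see which packages are currently held (so that a security update is not silently skipped forever) and to release the hold again. The following is an added example for this post, not part of dpkg or apt; the function names and the sample dpkg --get-selections output are constructed.

```shell
#!/bin/sh
# Hold, list and release packages via dpkg selections.
# Hypothetical helper written for this post; not part of dpkg or apt.

# Read `dpkg --get-selections` output on stdin and print the names of
# packages whose selection state is "hold" (states are install, hold,
# deinstall and purge).
held_from_selections() {
    awk '$2 == "hold" { print $1 }'
}

# Return 0 if PKG is among the held packages listed on stdin.
is_held() {
    held_from_selections | grep -qx "$1"
}

# Put PKG on hold, or set it back to the normal "install" state.
# Both need root and a real dpkg, exactly like the command in the post.
hold_pkg()   { echo "$1 hold" | dpkg --set-selections; }
unhold_pkg() { echo "$1 install" | dpkg --set-selections; }

# Constructed sample of `dpkg --get-selections` output (dpkg separates
# the columns with tabs).
sample_selections() {
    printf '%s\t%s\n' \
        vlc hold \
        vlc-nox hold \
        openssh-server install \
        old-tool deinstall
}

# On a Debian box, show what is actually held right now.
if command -v dpkg >/dev/null 2>&1; then
    dpkg --get-selections | held_from_selections
fi
```

Running the script on the machine from the post would print vlc and vlc-nox; a held package that is also listed by apt-get upgrade under "kept back" is the sign to revisit the hold once the reason for it is gone.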

September 4, 2008

An amazing but unknown Linux command: apropos

When working in Linux, I read a lot of man pages for different commands while looking for helpful information on how to use a command. But sometimes it’s hard to find the correct man page, because you have to know the exact man page’s name. apropos is a man page searcher that works like a little google search on your Linux box and lets you find the man page that you are looking for.

I didn’t know about this amazing command until I found it in an article at http://www.debian-administration.org/articles/614

Google OS: it’s a browser - Google Chrome

Google published yesterday a public download of its own web browser – Google Chrome.

Google Chrome is a brand new web browser built from scratch that uses amazing new techniques.

For web page rendering, Chrome uses Apple’s WebKit, which is used in Safari and on the iPhone too. That makes loading of web pages really fast.

For running JavaScript it uses the V8 JavaScript virtual machine. V8 compiles JavaScript into code that runs directly on the CPU, so it brings a big speedup for processing JavaScript code.

Each web page runs in its own process. That means that if a web page causes a browser crash (BUGs are everywhere), only the tab where that one web page was running will crash. It also means that the memory leaks well known from other browsers do not affect Google Chrome. When you close a tab, you close a process and free all the memory that was reserved for that webpage. Isn’t it great? No more killing the whole browser just because it eats 1.1GB of your RAM.

As a developer you have access to a nice DOM tree, process manager, etc.

So far I really like it, even though I am missing some great features from Firefox – plugins, rss handling, google bookmarks integration, etc.

You can download and learn more about Google Chrome from http://www.google.com/chrome and don’t forget to read a nice animated story about Google Chrome at http://www.google.com/googlebooks/chrome/

August 9, 2008

Cool cold fire flame – in your hand

This is an amazing howto video of an amazing thing – how to hold and play with a fire flame in your hand and not get burned. I guess it might be pretty cool to show this trick to people at parties. You will be the party hero who can hold fire in his hands :-D

August 6, 2008

Packet Tracer 5.0 has been released!

I found today on the Cisco Academy Connection webpage a new icon in the left navigation toolbar. It was a link to a new version of Packet Tracer – PT 5.0. Finally, after almost 6 months of beta testing, PT5.0 is now available for every Cisco Networking Academy member.

So are you a Networking Academy member? Don’t hesitate! Go ahead, go to cisco.com/go/netacad and download your copy of PT5.0.

A public advertising video about PT5.0 is available at http://www.cisco.com/web/learning/netacad/packet_tracer/packet_tracer_03-4_web.html

A list of new features in PT5.0 is available in my older post.

Here is a screenshot from the last version that was available only for beta testers:

And here goes a screenshot of a freshly released PT5.0, downloaded from the Academy Connection:

*(You may notice that there is still an “RC1” note in the PT window. So far I don’t have any more information about this release, so I cannot say if this is the RTM (Ready to Manufacturing) final release. Anyway, it’s good that now everyone can access PT5.0 and use its amazing new features!)

** I have no information about the PT Portal (screenshot below) release date (or even if it will ever be released).

August 4, 2008

Pre-ISR routers discontinued in IOS :-(

The old Cisco battleships, the pre-ISR routers, are going to be discontinued in the next upcoming IOS versions, starting from 12.4(20)T.

I found this information while I was going through a presentation about new features that were implemented in the 12.4(20)T version of IOS:

So the last available IOS for pre-ISR routers will be the 12.4(15)T version. For more information, go to cisco.com.

July 29, 2008

Pocket commands guide

You must have seen those small “form factor” books named like “Handy command line guide”. Now you can make your own pocket commands guide for Cisco devices.

Well, there is a blog post at ciscoblog.com about the “show parser” command. “show parser” displays all the commands and their syntax that are known and available in the CLI. You can create a dump of all available commands, save it into a file, and then, if you are looking for a command related to BGP, just grep the output file for BGP.

gw#show parser dump all tftp://s/ListOfCommands-124-15.T4.txt

I was trying to find out how many BGP commands are in the list:

jozjan@stargate:/tftpboot$ grep bgp ListOfCommands-124-15.T4.txt |wc -l
1058

But WOW, there are more OSPF commands than BGP:

jozjan@stargate:/tftpboot$ grep ospf ListOfCommands-124-15.T4.txt | wc -l
1181

:-)

Cisco: Remote CLI access without Login/Password

When I configure a bunch of Cisco gear in a lab environment, just for fun or for testing some new feature, I like the ability to get CLI access with telnet without having to authenticate myself with any username or password. You can achieve this level of “insecurity”, which is totally fine for lab-only use, simply by changing the VTY’s configuration.

In normal situations you configure VTY to allow remote CLI access to your device like:

Router>
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password Cisco
Router(config-line)#login

and then you login to your device (10.0.0.1) with telnet like:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password:
Router>
Router>enable
% No password set

(Don’t forget to set up an enable password, otherwise you will not reach the privileged exec mode.)

So, to get past the login prompt and gain access without authentication, it’s enough to turn off the “login”, simple as:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#no login

And then the telnet looks like this:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router>

Well, if you want to make your work even faster, configure the VTY line so that you are put directly into privileged exec mode by setting the VTY’s privilege level to 15. And don’t forget to turn on one of the greatest CLI features – “logging synchronous”. The final configuration then looks like:

Router#sh run | section line vty
line vty 0 4
privilege level 15
logging synchronous
no login

and a telnet login then looks like:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router#

Update (30.8.2008):

I forgot to add the “exec-timeout 0” command. By default, after 15 minutes of inactivity, the device will automatically disconnect your telnet session. With the “exec-timeout” command you can change the default value. If you set it to 0, the device will never disconnect your telnet session. It’s very useful in labs. So the final configuration would be:

Router#sh run | section line vty
line vty 0 4
privilege level 15
exec-timeout 0 0
logging synchronous
no login
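The lab settings above (no login, privilege level 15, exec-timeout 0) are exactly the ones that should never leak from the lab rack into a production device, so it pays to check saved configurations for them. The script below is an added example written for this post, not a Cisco tool: it pulls the “line vty” sections out of a saved running-config and reports each lab-only line. Function names, the sample configurations and the assumption that a “!” line or the next “line …” statement ends a section are constructed for the example.

```shell
#!/bin/sh
# audit_vty.sh -- flag lab-only VTY settings in a saved IOS config.
# Hypothetical script written for this post, not a Cisco tool.

# Print only the "line vty ..." sections of FILE (header included).
# A "!" separator or the next "line ..." statement ends a section.
vty_sections() {
    awk '
        /^line vty/              { in_vty = 1 }
        /^line / && !/^line vty/ { in_vty = 0 }
        /^!/                     { in_vty = 0 }
        in_vty                   { print }
    ' "$1"
}

# Print one finding per lab-only line and return the number of
# findings (0 = nothing found).
audit_vty() {
    findings=0
    section=""
    while IFS= read -r line; do
        case "$line" in
            "line vty"*)
                section=$line ;;
            *"no login"*)
                echo "$section: remote access without authentication ($line)"
                findings=$((findings + 1)) ;;
            *"privilege level 15"*)
                echo "$section: sessions land directly in privileged EXEC ($line)"
                findings=$((findings + 1)) ;;
            *"exec-timeout 0 0"*|*"exec-timeout 0")
                echo "$section: idle sessions never time out ($line)"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$(vty_sections "$1")
EOF
    return "$findings"
}

# Constructed sample: the lab configuration from this post, as IOS
# would show it in the running-config.
lab_config() {
    cat <<'EOF'
hostname Router
!
line con 0
 logging synchronous
line vty 0 4
 privilege level 15
 exec-timeout 0 0
 logging synchronous
 no login
!
end
EOF
}

# Constructed sample: a hardened counterpart (central authentication,
# idle timeout, SSH only).
hardened_config() {
    cat <<'EOF'
hostname Router
!
aaa new-model
aaa authentication login default group radius local
line con 0
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 logging synchronous
 transport input ssh
!
end
EOF
}

# Usage: sh audit_vty.sh saved-running-config.txt
if [ $# -gt 0 ]; then
    audit_vty "$1"
fi
```

On the lab configuration the script reports three findings and exits with status 3; on the hardened one it reports nothing and exits 0, which makes it easy to wire into whatever collects configuration backups.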

VMWARE ESXi is now FREE!

The battleship of VMWARE, the ESXi server, has become a free product! You can download it directly from vmware.com and you are free to use it. Without any restrictions and with all the ESX power!

Ready? Go! Virtualize :-)

July 18, 2008

HOWTO: Clear the DNS Cache

When you use DNS to resolve hostnames to IP addresses or service endpoint addresses and you make a change in your domain zone configuration, you have to reload the cached records on your devices so the new addresses are used. You have two options:

  • wait until the DNS cache on your device expires and your device sends a new DNS query
  • clear the cache manually

On Windows you can clear the DNS cache with the “ipconfig /flushdns” command.

On Cisco gear you can use the “clear hosts *” enable mode command.

July 15, 2008

Packet Tracer 5.0 – Unofficial release date

From some sources I’ve got information that the new Packet Tracer 5.0 is planned to be officially released on Academy Connection on the 28th of July 2008.

So on July 28th, be ready to find a new download icon in the left navigation toolbar on your Academy Connection site to download the final version of PT 5.0.

If you want to know more about new features in PT 5.0, read my previous post.