Showing posts with label cisco. Show all posts

March 3, 2009

Packet Tracer 5.2 – Major update on security


I have just received my newsletter email from the Cisco Networking Academy. It talks about the upcoming version of Packet Tracer, 5.2, which is going to bring huge changes on the security and QoS side! Packet Tracer 5.2 is going to be a ready-to-use and amazing tool that helps you get ready for the new CCNA Security certification. Oh, btw, the CCNA Security curriculum for the Cisco Networking Academy should be released somewhere around this summer.

Right now (3.3.2009) I don’t have any additional information on this release. Once a public beta version of PT5.2 is released, I will drop some screenshots and a review here.

Check out the List of new IOS commands in PT5.2.

UPDATE (31.6.2009):

So I have finally got my hands on the new beta (4) version of PT 5.2. It seems to be pretty stable (so far). Here are some of the new features I’ve noticed, in a few screenshots:


There is a somewhat updated startup splash screen ;-)


It looks like new extensions are automatically detected and may be enabled with a simple user interaction.


What’s really new is a menu option available under Options->Algorithm Settings. It displays a window where you can set up some new security-related features.


We can also add to the list of new features the ability to change a device’s icon, so that we can have customized icons for different devices. I am already thinking about real-life usage of this feature while preparing new PT-based assessments for my students.


You can also customize the security-related settings per device. I wonder why I would need per-device fine tuning of these settings, but hopefully I will find out soon ;-)


How could we talk about security without an AAA infrastructure? As you may have seen, PT has been updated with new security-related commands. Now you can, for example, authenticate VTY access against a central RADIUS server, export logging messages to a syslog server, etc.

In this new release Packet Tracer is getting a really huge update with new protocols and features. If development continues like this, we can start teaching everything on PT ;-) But until then, we have a lot of real gear in our racks.

 

The new version of PT, version 5.2, should be released during this summer. Please do not ask me for download access. If you are a Cisco Networking Academy user, you will be able to download it from the Academy Connection website immediately after it is released. If you are not a Cisco Networking Academy user but want to access PT, contact the nearest Cisco Networking Academy in your area (or follow some older comments here ;-p).

December 30, 2008

WRT54GL as an 802.1x client (aka wrt54gl@eduroam)

… after quite a long time (again), here comes a simple HOWTO describing the process of running a Linksys WRT54GL as a wifi client with 802.1x authentication + WPA encryption, in this case for the international educational wifi network initiative, eduroam.


The Linksys WRT54g family of wifi routers has become quite popular in past years, as many open, non-Linksys firmwares became available for this device. If you own a WRT54g router, you might be familiar with the firmware files from dd-wrt or openwrt.

Basically, after flashing the WRT54g and thus replacing the genuine Linksys firmware with dd-wrt or openwrt, you get, out of a $60 router, additional functionality that is otherwise available on commercial $1000 routers. For example, the original Linksys firmware does not even contain a basic wifi client mode. The dd-wrt firmware is ready to use and available in different flavors: with VPN functionality, with VoIP, or with just “basic” functionality. By comparison, openwrt in its basic form is not so powerful: it contains only basic stuff and no additional functionality. On the other hand, the advantage of openwrt is that it is nicely customizable, and you can pretty easily install additional applications and functionality with a simple apt-get-like utility. For this reason I prefer the openwrt firmware, as it gives me more control over the box.

Well, a step into the $subject: a friend of mine asked me to help him connect his WRT54GL router as a client to our university wireless network. Our university wifi network uses mandatory 802.1x authentication + WPA or WPA2 encryption. A few years ago, even standard computers and laptops had issues connecting to an 802.1x-secured wireless network, so what can we expect from a small wifi router? Well, a lot :-)

The basic Linksys firmware does not even support wifi client mode on the WRT54GL. Obviously, the next step is to upgrade the firmware to something better. dd-wrt or openwrt? dd-wrt supports wifi client mode, even with static WEP keys (maybe even WPA-PSK?), but not with 802.1x authentication :-/ openwrt in its basic form does not support 802.1x either, but fortunately a wpa_supplicant package is already available precompiled for this platform. wpa_supplicant is an EAP supplicant with 802.1x authentication + WPA/WPA2 support.

Few steps to make it work:

  1. Download the openwrt firmware from openwrt.org. Make sure to download a firmware based on the 2.6 kernel, as the 2.4 version uses the proprietary “nas” Broadcom utility to manage the wireless connection, and it does not support 802.1x. I used the openwrt 8.09_RC1 based openwrt-wrt54g-squashfs.bin file.
  2. Download and install the wpa_supplicant package:
    opkg install http://downloads.openwrt.org/kam...s/wpa-supplicant_0.6.3-1_mipsel.ipk
    (or opkg update && opkg install wpa-supplicant)
    (the 8+ version of openwrt will use the “opkg” package management utility, pre 8 versions of openwrt used “ipkg”)
  3. Create a configuration file for the wpa_supplicant. The file may look like:
    root@OpenWrt:~# cat /etc/wpa_supplicant.conf
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    
    network={
           ssid="eduroam"
           scan_ssid=1
           key_mgmt=WPA-EAP
           eap=PEAP
           #ca_cert="/etc/eduroam-ca.crt"
           anonymous_identity="user@domain"
           identity="user@domain"
           password="ThisMustBeAReallyStrongPassword"
           phase1="peaplabel=0"
           phase2="auth=MSCHAPV2"
    }
  4. Try it with
    wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
    This command starts wpa_supplicant, which scans for the “eduroam” SSID, connects to the AP and tries to authenticate as user@domain. If everything is OK, it prints some OK messages at the end and also activates the wifi interface, wlan0. If you then start a DHCP client (udhcpc -i wlan0), you should get an IP address, and you can start pinging the Internet.
  5. Wrap it up: create startup scripts that at boot start wpa_supplicant, run the DHCP client, enable IP routing and NAT, and there you go. Ready :-)

My startup scripts look like this (not so cool, but it works :):

root@OpenWrt:~# cat /etc/init.d/XStartEduroam
#!/bin/sh /etc/rc.common
#
# Jozef Janitor (c) 2008
#
# !!!
# make sure that this file has a +x (executable) flag
# enable this script with /etc/init.d/XStartEduroam enable
# don't forget to disable the preinstalled openwrt firewall script
# !!!

START=99

start() {

# Basic firewall and SNAT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br-lan -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -j DROP

# Set time - otherwise the default WRT's time makes problems
# with a certificate validation in wpa_supplicant
date "`cat /etc/dateToSet`"
date "`cat /etc/dateToSet.backup`"

# Start 802.1x authentication
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf &

# wait some time till the interface is authenticated
# and activated
sleep 5

# get the IP address from the DHCP server
udhcpc -i wlan0 &

# start the WatchDog to check if we have access
# to the Internet
/watchGW &

# sync time with the NTP server and store the local
# time into a file for reboot use
/updateDate &

}

root@OpenWrt:~# cat /watchGW
#!/bin/sh
#
# Jozef Janitor (c) 2008
#
# This is a "watchdog" script that checks the IP connectivity to a specified destination.
# When it's not available, restart the device.
#

echo "Starting GW watchdog"
echo "If host (1.1.1.1) is down, reboot"

# root@OpenWrt:/# ping -c 5 1.1.1.1
# PING 1.1.1.1 (1.1.1.1): 56 data bytes
# 64 bytes from 1.1.1.1: seq=0 ttl=59 time=3.199 ms
# 64 bytes from 1.1.1.1: seq=1 ttl=59 time=7.602 ms
# 64 bytes from 1.1.1.1: seq=2 ttl=59 time=3.212 ms
# 64 bytes from 1.1.1.1: seq=3 ttl=59 time=4.804 ms
# 64 bytes from 1.1.1.1: seq=4 ttl=59 time=2.827 ms
#
# --- 1.1.1.1 ping statistics ---
# 5 packets transmitted, 5 packets received, 0% packet loss
# round-trip min/avg/max = 2.827/4.328/7.602 ms

while true; do

   sleep 300

   out=`ping -c 5 1.1.1.1 2>&1`

   # quote the variable so the multi-line ping output survives intact
   isFrom=`echo "$out" | grep "from"`

   if [ "x$isFrom" = "x" ]; then
      echo "!!!!!! REBOOTING !!!!!!!!!!" > /dev/tty
      sleep 5
      reboot
   fi

done

root@OpenWrt:~# cat /updateDate
#!/bin/sh
#
# Jozef Janitor (c) 2008
#
# Sync the actual time and store it in a file to be used after the reboot.
#

while true; do
        sleep 3600
        ntpclient -c 1 -h ntp.ubuntu.com -s
        date "+%F %R" > /etc/dateToSet
        sleep 1
        date "+%F %R" > /etc/dateToSet.backup
done
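As an added example that is not part of the original post, here is a small pre-flight script for the setup in steps 3 and 4 above: it checks wpa_supplicant.conf for the settings that decide whether the RADIUS server's certificate gets validated (the sample config above has ca_cert commented out, so it does not), checks that the file holding the clear-text password is not world-readable, and waits for wpa_cli to report COMPLETED instead of the startup script's fixed sleep 5. It assumes busybox sh on OpenWrt with the wpa-cli package installed; CONF, IFACE and the "run" argument are my own names.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# wpa_supplicant setup of steps 3 and 4, plus a readiness wait that replaces
# the fixed "sleep 5" in the startup script. Assumes busybox sh on OpenWrt
# with the wpa-cli package installed; CONF, IFACE and the "run" argument
# are my own names.

CONF="${CONF:-/etc/wpa_supplicant.conf}"
IFACE="${IFACE:-wlan0}"

# Check the wpa_supplicant.conf text passed as $1. Prints one line per
# finding and returns the number of findings (0 means the config looks sane).
check_conf() {
    n=0
    # An active ca_cert line is what makes the supplicant verify the RADIUS
    # server's certificate. With it commented out (as in the sample config),
    # any AP presenting any certificate gets the PEAP/MSCHAPv2 exchange and
    # can harvest the user's credentials.
    if ! printf '%s\n' "$1" | grep -q '^[[:space:]]*ca_cert='; then
        echo "ca_cert missing or commented out: RADIUS server certificate is not validated"
        n=$((n + 1))
    fi
    if ! printf '%s\n' "$1" | grep -q '^[[:space:]]*key_mgmt=WPA-EAP'; then
        echo "key_mgmt is not WPA-EAP: 802.1x/EAP will not be used"
        n=$((n + 1))
    fi
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*eap=PEAP' &&
       ! printf '%s\n' "$1" | grep -q '^[[:space:]]*phase2="auth=MSCHAPV2"'; then
        echo "eap=PEAP without phase2=\"auth=MSCHAPV2\": inner authentication is unset"
        n=$((n + 1))
    fi
    return $n
}

# The config stores the password in clear text, so nobody but root should
# be able to read it. Returns 0 when the mode grants "other" read access
# (column 8 of "ls -l" is the other-read bit on both busybox and GNU ls).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Extract wpa_state from "wpa_cli status" output passed as $1.
wpa_state() {
    printf '%s\n' "$1" | sed -n 's/^wpa_state=//p'
}

# Poll wpa_cli until the interface reports COMPLETED (EAP authentication
# done and keys installed) or $1 seconds pass. Returns 1 on timeout.
wait_for_auth() {
    t=0
    while [ "$t" -lt "$1" ]; do
        state=$(wpa_state "$(wpa_cli -i "$IFACE" status 2>/dev/null)")
        [ "$state" = "COMPLETED" ] && return 0
        sleep 1
        t=$((t + 1))
    done
    return 1
}

# Live use on the router: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    check_conf "$(cat "$CONF")" || { echo "fix $CONF before connecting"; exit 1; }
    world_readable "$CONF" && chmod 600 "$CONF"
    wpa_supplicant -Dwext -i"$IFACE" -c"$CONF" -B
    wait_for_auth 30 || { echo "802.1x authentication did not complete"; exit 1; }
    udhcpc -i "$IFACE"
fi
```

Called without arguments it only defines the functions, so it can also be sourced from a startup script like the one above.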

October 28, 2008

Are you ready?

I haven’t been publishing here for quite a long time. I got busy with some work and school stuff. But hopefully I will get back on this blogging road once again in the meantime :-)

Are you ready to see something BIG? Not yet? Well, that’s OK, you still have time to get ready till 11.11.2008.

On 11.11.2008 Cisco will announce something brand new. Don’t ask me what it is, because I don’t know. I just found this information on the “Cisco Support Group for Uber User Internet Addicts” @ facebook. But as far as I know Cisco, it must be something GREAT & BIG :-)


August 6, 2008

Packet Tracer 5.0 has been released!

Today I found a new icon in the left navigation toolbar of the Cisco Academy Connection webpage. It was a link to a new version of Packet Tracer, PT 5.0. Finally, after almost 6 months of beta testing, PT5.0 is now available to every Cisco Networking Academy member.

So are you a Networking Academy member? Don’t hesitate! Go ahead, go to cisco.com/go/netacad and download your copy of PT5.0.


A public advertising video about PT5.0 is available at http://www.cisco.com/web/learning/netacad/packet_tracer/packet_tracer_03-4_web.html

A list of new features in PT5.0 is available in my older post.

Here is a screenshot from the last version that was available only for beta testers:


And here goes a screenshot of a freshly released PT5.0, downloaded from the Academy Connection:

*(You may notice that there is still an “RC1” note in the PT window. So far I don’t have any more information about this release, so I cannot say whether this is the RTM (Ready to Manufacturing) final release. Anyway, it’s good that now everyone can access PT5.0 and use its amazing new features!)

** I have no information about the PT Portal (screenshot below) release date (or even whether it will ever be released).


August 4, 2008

Pre-ISR routers discontinued in IOS :-(

The old Cisco battleships, the pre-ISR routers, are going to be discontinued in the upcoming IOS versions, starting from 12.4(20)T.

I found this information while I was going through a presentation about new features that were implemented in the 12.4(20)T version of IOS:


So the last available IOS for pre-ISR routers will be the 12.4(15)T version. For more information, go to cisco.com.

July 29, 2008

Pocket commands guide

You must have seen those small “form factor” books named like “Handy command line guide”. Now you can make your own pocket commands guide for Cisco devices.

Well, there is a blog post at ciscoblog.com about the “show parser” command. “show parser” displays all the commands and their syntax that are known and available in the CLI. You can create a dump of all available commands, save it into a file, and then, if you are looking for a command related to BGP, just grep the output file for BGP.

gw#show parser dump all tftp://s/ListOfCommands-124-15.T4.txt

I tried to find out how many BGP commands are in the list:

jozjan@stargate:/tftpboot$ grep bgp ListOfCommands-124-15.T4.txt |wc -l
1058

But WOW, there are more OSPF commands than BGP:

jozjan@stargate:/tftpboot$ grep ospf ListOfCommands-124-15.T4.txt | wc -l
1181

:-)

Cisco: Remote CLI access without Login/Password

When I configure a bunch of Cisco gear in a lab environment, just for fun or to test some new feature, I like being able to get CLI access with telnet without having to authenticate myself with any username or password. You can achieve this level of “insecurity”, which is totally fine for lab-only use, simply by changing the VTY configuration.

In normal situations you configure VTY to allow remote CLI access to your device like:

Router>
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password Cisco
Router(config-line)#login

and then you login to your device (10.0.0.1) with telnet like:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password:
Router>
Router>enable
% No password set

(Don’t forget to set up enable password, otherwise you will not reach the privileged exec mode.)

So, to get rid of the login prompt and gain access without authentication, it’s enough to turn off “login”, as simple as:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#no login

And then the telnet looks like this:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router>

Well, if you want to make your work even faster, configure the VTY line so that you are put directly into privileged exec mode by setting the VTY’s privilege level to 15. And don’t forget to turn on one of the greatest CLI features, “logging synchronous”. The final configuration then looks like:

Router#sh run | section line vty
line vty 0 4
privilege level 15
logging synchronous
no login

and a telnet login then looks like:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router#

 

Update (30.8.2008):

I forgot to add the “exec-timeout 0” command. By default, after 15 minutes of inactivity, the device will automatically disconnect your telnet session. With the “exec-timeout” command you can change the default value; if you set it to 0, the device will never disconnect your telnet session. It’s very useful in labs. So the final configuration would be:

Router#sh run | section line vty
line vty 0 4
privilege level 15
exec-timeout 0 0
logging synchronous
no login

July 18, 2008

HOWTO: Clear the DNS Cache

When you use DNS to resolve hostnames to IP addresses or service endpoint addresses, and you make a change in your domain zone configuration, you have to reload the cached records on your devices so that the new addresses are used. You have two options:

  • wait until the DNS cache on your device expires and the device sends a new DNS query
  • clear the cache manually

On Windows you can clear the DNS cache with the “ipconfig /flushdns” command.

On Cisco gear you can use the “clear hosts *” enable mode command.

July 15, 2008

Packet Tracer 5.0 – Unofficial release date

From some sources I’ve got information that the new Packet Tracer 5.0 is planned to be officially released on Academy Connection on the 28th of July 2008.


So on July 28th, be ready to find a new download icon on the left navigation toolbar on your academy connection site to download the final version of PT 5.0.


If you want to know more about new features in PT 5.0, read my previous post.

Access some Cisco.com pages that require higher level CCO without CCO

Today I came across some documentation on cisco.com related to IP Telephony Express and was really disappointed to find that, after clicking on the link that was there to find out more about some features, a higher-level CCO account (guest level was not enough) was required to access them.

Here I prepared some screenshots:

Fig. 1 – Cisco Feature Navigator with a link to a Feature Guide

Fig. 2 – CCO account required to access the Feature Guide link from above

Fig. 3 – My guest level CCO account seems to be not enough :-(

So I started to think about it and came to the question: why the hell do I need a higher-level CCO account to read documentation that should be publicly available? I mean, there is nothing confidential, is there?

So I started to compare URLs that do not require CCO at all with this link that does require it. And I found a pretty nice “hack” :-)

As it’s shown on fig. 1, this is the link that required higher level CCO account to access it:

http://www.cisco.com/en/US/customer/products/ps6441/products_feature_guide09186a00804a878f.html

Well, I guess that there is some J2EE application server in the background that processes URLs and uses different modules based on which “commands” are in the URL (like en for the English language, US for some USA-specific stuff, …). I found that if you do not use the “customer” module, no authentication is required and the requested page is served to you directly :-)

So the only thing you have to do to access these kinds of URLs, even without any CCO account, is to remove “/customer” from the URL. And then it works. Try it:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804a878f.html


June 26, 2008

CCNA Voice, CCNA Security, CCNA Wireless + new Cisco Learning Network

Cisco has today officially announced the release of three new associate level certifications:

  • CCNA Voice - validates skills in VoIP technologies such as IP PBX, IP telephony, handset, call control, and voicemail solutions. Candidates also get exposure to the Cisco Unified Communications architecture and design covering mobility, presence, and TelePresence applications.
  • CCNA Security - validates a candidate’s skills including troubleshooting and monitoring of Cisco network devices to maintain integrity, confidentiality and availability of data.
  • CCNA Wireless - validates candidate’s skills in the configuration, implementation and support of wireless LANs, specifically those networks using Cisco equipment.

To help people build their IT career and gather more information related to certifications, Cisco has started a new social networking web site that provides a platform for sharing knowledge and experiences, discussions, learning materials, guidelines and other cool stuff that might help you in your certification and IT career. Register, learn, blog, discuss and share your knowledge at cisco.com/go/learnnetspace

To find out more about Cisco certifications, go to cisco.com/go/certification

June 16, 2008

I have been awarded – Activity of the year 2007/2008

During the Annual Slovak and Czech Cisco Networking Academy conference (12.-14. June 2008) in High Tatras I have been awarded with the Activity of the year 2007/2008 in Slovakia.

As they said, it was for my long-time work on Packet Tracer publications, emulation and simulation software reviews, teaching, deploying and presenting IP telephony courses in Slovakia, Ukraine, Poland and the Czech Republic, and for leading the development of the NCTT NetAcad Curricula Translation Tool. I was quite surprised, and I started smiling when I heard all these activities in a row and knew that at the end there must be my name :-) And it was :-D

Thank you very much Cisco Networking Academy!


From left: Karol Kniewald (AAM CZ), me, John Edwards (Cisco EMEA), Frantisek Jakab (AAM SR)

June 3, 2008

Unofficial Cisco Wiki :-)

Heyyaaaa! It seems that new wikis are opening every second :-) I was just writing about the official Cisco Wiki pages, and yet there is already an unofficial wiki for Cisco products. Ivan Pepelnjak has started a wiki that seems to be open for contributions after filling out a registration form. Ivan’s blog and his articles at nil.com/ipcorner are among my favorites. Hopefully this new wiki site will be very successful. Already there are some very interesting pages about BGP, EEM, TCL, etc.

Go ahead and check out wiki.ioshints.info

And don’t forget, we are more powerful together than we ever could be apart :-)

Run Linux (or Windows) in your Cisco ISR Router

Sounds good, doesn’t it? :) I remember the times when I flashed a Cisco 2500 series router with a ucLinux image. It was nice to see Linux booting on a Cisco router, even tho’ it was unusable :-( The interfaces didn’t work at all; the only thing that worked was console access to the Linux CLI.

But this time I want to write about something different. Cisco has already been using Linux as the base operating system on several products like Wireless LAN Controllers, ASA, etc. Cisco has lately announced a new Network Module, the Cisco Application eXtension Platform (AXP), available for Cisco ISR series routers, that contains a small motherboard with CPU, RAM and a hard disk drive.


The great thing about the AXP module is that it comes with a fully functional Linux operating system with basic tools preinstalled (and I have heard that there is also a Windows 2008 Server version). What’s more, there is an API that allows you to create your own Linux applications that directly interact with your Cisco ISR router. And as Cisco ISR routers are designed to be used in branch offices, you can now pretty easily integrate your email server, or whatever simple Linux (or perhaps Windows (Domain Controller)) application, into a single box, thus saving space and electricity and making your network services management much simpler!

To find out more about AXP, please go to cisco.com/go/axp

March 30, 2008

A world beyond network device simulators ...

You have probably already heard about different network device simulators like Boson NetSim, Cisco Packet Tracer, etc. All of these applications are capable of simulating a few functions of network devices. The problem is that these applications are only simulators: they can only simulate the features that were ported from real devices into the simulators' algorithms. What's more, they will never be able to simulate real situations, as that would mean rewriting the real code from real devices into algorithms in the simulators, which would be very expensive. On the other hand, these simulators have one very big advantage: you can pause, stop, restart, or do whatever you like with your simulated topology and simulated devices. You can even see animations of how packets flow from point A to point B. In this way, network simulators are perfect tools for teaching network technologies, as students learn not just the theory but can see how the different packets are exchanged between devices and what happens to them.

So I think we can sum this up by saying that network device simulators are great for teaching and for low-level troubleshooting (e.g. at CCNA level). When we face a situation where the simulators are not enough for us (lack of supported commands, features, etc.), we can try to get some real devices with full features. If you work in a big networking company, maybe you will find a way to get some spare devices from storage for testing, but generally it's a problem. Networking devices are sometimes very expensive, and it's definitely hard to get your hands on higher-level devices like Cisco 38xx, 45xx, 5xxx, 65xx, 72xx, 12xxx, ...

There are also virtual laboratories provided by training partners, where real devices are already interconnected into labs and the console ports are shared via telnet or another type of remote CLI connection. You can then order and schedule these labs and use them for your training. It's especially handy when you are preparing for your next CC*P or CCIE :-)

The last option is to get a device emulator. Emulators “emulate” the real hardware: CPU, memory, interfaces, etc. VMware, MS Virtual PC and VirtualBox are applications capable of emulating x86 computer hardware. With these applications you can build up a virtual network of end devices. Maybe you have seen emulators for game consoles, like PlayStation or SNES emulators, which emulate special hardware. The only disadvantage of emulators is that, because they emulate only the hardware, you still need an operating system to run on this virtual hardware. This sometimes means additional licenses for operating systems and applications. And now comes the best part: there is an emulator for Cisco gear too!

Dynamips is an emulator for the MIPS CPU platform, and most Cisco routers use MIPS CPUs. Dynamips emulates not only the CPU but the whole chassis with many different networking interfaces. It supports LAN and WAN interfaces such as Ethernet cards, ATM, Serial, T1, etc., and it supports emulation of the Cisco 7200, 3700, 3600 and 2600 series platforms. You can run Dynamips on Linux, Windows and even MacOS. You can even start Dynamips on several computers connected through a network and then connect the emulated boxes together via IP sockets. A pretty nice feature is also that you can connect the virtual interface of a router to a real interface of your PC; in this way you can connect a bunch of virtual routers even to real gear! Because Dynamips only emulates the Cisco chassis with CPU and so on, if you want to really use it you will need an IOS image to run on it.


Dynagen is a wrapper around Dynamips which allows you to create a topology based on emulated routers. Dynagen uses a connection definition in a special format, saved in a lab file with the ".net" extension.


For this topology, the .net file contents are:

# Fullmesh topology
# Serial + Frame Relay + Switch
#
autostart = false
ghostios = true
sparsemem = true

[localhost]

    [[7200]]
    idlepc = 0x6262a240
    ghostios = true
    mmap = true
    image = c7200.bin
    npe = npe-400
    ram = 160
    disk0 = 32

    [[ROUTER R1]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 1
    S1/0 = R2 S1/0
    S1/4 = R6 S1/4
    S1/2 = R3 S1/2
    S1/3 = R4 S1/3
    S1/6 = R5 S1/6
    S1/7 = F1 1
    #F0/0 = SW1 1

    [[router R2]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 2
    S1/1 = R3 S1/1
    S1/5 = R4 S1/5
    S1/4 = R5 S1/4
    S1/3 = R6 S1/3
    S1/7 = F1 2

    [[router R3]]
    F0/0 = NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}
    F2/0 = SW1 3
    S1/4 = R4 S1/4
    S1/3 = R5 S1/3
    S1/5 = R6 S1/5
    S1/7 = F1 3

    [[router R4]]
    F2/0 = SW1 4
    S1/0 = R5 S1/0
    S1/2 = R6 S1/2
    S1/7 = F1 4

    [[router R5]]
    F2/0 = SW1 5
    S1/1 = R6 S1/1
    S1/7 = F1 5

    [[router R6]]
    F2/0 = SW1 6
    S1/7 = F1 6

    [[ethsw SW1]]
    1 = dot1q 1
    2 = dot1q 1
    3 = dot1q 1
    4 = dot1q 1
    5 = dot1q 1
    6 = dot1q 1
#    7 = access 1
#    8 = dot1q 1 NIO_gen_eth:\Device\NPF_{312F26FF-F960-4442-AF71-2633843F88FD}

    [[FRSW F1]]
   1:102 = 2:201
   1:103 = 3:301
   1:104 = 4:401
   1:105 = 5:501
   1:106 = 6:601
   2:203 = 3:302
   2:204 = 4:402
   2:205 = 5:502
   2:206 = 6:602
   3:304 = 4:403
   3:305 = 5:503
   3:306 = 6:603
   4:405 = 5:504
   4:406 = 6:604
   5:506 = 6:605

 

For Dynagen you have to start Dynamips in "Hypervisor" mode:


and then open the lab .net file in Dynagen:


After entering the "telnet /all" command in Dynagen's console, new telnet windows will open, connected to the console ports of the emulated devices. Now you can start configuring your virtual devices :-)

One of my favorite features of Dynagen is the ability to capture packets into a Wireshark-compatible file on a virtual wire that interconnects two emulated routers. In this way you can now sniff packets even on ATM or Serial interfaces! It's great for troubleshooting and learning more about networking.

GNS3 is like Dynagen on steroids :-D GNS3 is again a wrapper around Dynamips, but unlike Dynagen it has a graphical user interface and is much easier to use. What's more, the new version of GNS3 also supports Pemu, a PIX emulator built on Qemu.

 

 


AFAIK, the official statement from Cisco (well, read the IOS license) is that you cannot run IOS on hardware other than genuine Cisco. So it looks like it might be "not legal" to use all this emulator stuff. You should definitely not use it for production networks, and don't try to sell it as a solution (virtual laboratories, etc.)

Router(config)# ip nat inside & outside ! at one interface

Let's face a situation. You have a network with 2 routers (one router and one L3 switch), as you can see in this diagram:


The LAN network uses private addresses (RFC1918) and is routed to the Internet via the R2 L3 switch-router. L3 switch-routers like R2 are generally not capable of doing NAT/PAT. So the switch-router R2 just sends each packet from the LAN network to the router R1, where we are going to do PAT (network + port address translation) for the private address range used in the LAN.

This situation is a little bit tricky. In a normal situation, where one interface of a router is connected to the LAN and another interface is connected to the Internet, you put the "ip nat inside" command on the LAN interface and the "ip nat outside" command on the Internet interface, add some "ip nat source ..." commands to the configuration, and the NAT/PAT router is ready.


Well, in our situation we have the router R1 with only one interface, which is connected to the Internet and is used to route the LAN traffic as well. If you try to put both "ip nat inside" and "ip nat outside" on the same interface, only one of these commands will remain in the interface configuration (the last one entered). And as you know, the NAT process is applied only to packets that travel from an inside interface to an outside interface.

The workaround for this situation is to create a loopback interface, which PBR (Policy Based Routing) will use as the next-hop interface for packets coming from the LAN network to the Ethernet interface of the router R2. The loopback is configured with the "ip nat inside" command. After the packets pass through the loopback interface, they have passed through an "ip nat inside" interface and continue their journey to the Internet. The path to the Internet is over the Ethernet connection, where we put the "ip nat outside" configuration command. That means that when packets from the LAN network arrive at router R1, they are sent through the loopback interface, where they turn back, now carrying the "nat inside" marking. On the way back out (to the Internet via the default route) they leave the router on the "nat outside" Ethernet interface. Obviously, now we can apply the NAT/PAT process to these packets.


R1's configuration:

R1#sh run
Building configuration...
! The special loopback interface, used only to turn packets around inside the router
interface Loopback0
 description NATLO
! Any address works here, as long as the PBR next hop below is taken from the same /30
 ip address 172.16.255.253 255.255.255.252
! Packets that pass through this interface count as coming from a NAT inside interface
 ip nat inside
! The one real interface, used for incoming and outgoing traffic alike
interface Ethernet1/0
 description Inet
! should be a public IP address
 ip address 5.0.0.1 255.255.255.0
! Disable ICMP redirects: LAN and Internet traffic enter and leave through the same interface,
! so the router could otherwise tell its neighbours on this segment to bypass it (and the NAT)
 no ip redirects
! Finally, when a packet marked "nat inside" leaves here, the router can apply the NAT/PAT process
 ip nat outside
! Incoming packets from the LAN are policy-routed to the loopback
 ip policy route-map toNat
! The default route to the Internet (ISP)
ip route 0.0.0.0 0.0.0.0 5.0.0.2
! Not shown in this excerpt: R1 also needs a route (static or learned) to 192.168.1.0/24 toward R2,
! otherwise the de-translated return packets would follow the default route back to the ISP
! ACL for PBR and NAT/PAT (matches only LAN sources, so return traffic is never policy-routed)
access-list 1 remark LAN_IPs
access-list 1 permit 192.168.1.0 0.0.0.255
! PAT as always
ip nat inside source list 1 interface Ethernet1/0 overload
! and the PBR
route-map toNat permit 10
 match ip address 1
! The next hop must be an address from the Lo0 subnet other than Lo0's own address
 set ip next-hop 172.16.255.254
!
R1#debug ip nat
*Mar 30 00:56:14.019: NAT: s=192.168.1.2->5.0.0.1, d=1.1.1.1 [90]
*Mar 30 00:56:14.119: NAT: s=5.0.0.2, d=5.0.0.1->192.168.1.2 [132]
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 5.0.0.1:18        192.168.1.2:18     1.1.1.1:18         1.1.1.1:18

You can find this topic well documented in Cisco's paper called "Network Address Translation on a Stick". Enjoy :-)
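As an added set of checks (mine, not from the original post or from Cisco's paper), these are the show and debug commands I run on R1 to confirm each stage of the configuration above works as described. The interface, ACL and route-map names are the ones from R1's configuration; the counters and keywords mentioned in the comments are what IOS prints, not output copied from this page.

```cisco
! Added verification steps for the NAT-on-a-stick setup above (not from the original post).

! 1. Is the policy bound to Ethernet1/0, and does it match the LAN packets?
R1# show ip policy
R1# show route-map toNat
!    The "Policy routing matches" counter of route-map toNat has to grow while a LAN host
!    sends traffic. A counter stuck at zero means ACL 1 does not match the sources, or the
!    route-map is bound to the wrong interface.

! 2. Are the matched packets really being sent to the Loopback0 next hop?
R1# debug ip policy
!    Each LAN packet should produce a "policy match" line followed by a "policy routed" line
!    with the next hop 172.16.255.254. Stop the debug as soon as you have seen a few packets.
R1# undebug all

! 3. NAT itself: both interface roles must be listed, and hits must increase
R1# show ip nat statistics
!    Expected: Ethernet1/0 under "Outside interfaces" and Loopback0 under "Inside interfaces".
R1# show ip nat translations
!    One line per LAN flow, inside global = 5.0.0.1 with a translated port (PAT).
!    To start from a clean table while testing:
R1# clear ip nat translation *

! 4. Return path: de-translated packets are routed normally, so R1 must know the LAN prefix
!    via R2 (that route is not part of the excerpt above; without it the replies follow the
!    default route back to the ISP and the translation table fills up with one-way entries)
R1# show ip route 192.168.1.0
```

If step 1 matches but step 3 shows no translations, the usual reason is that the PBR next hop is not inside the Loopback0 subnet, so the packet is forwarded normally and never crosses an "ip nat inside" interface.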

March 29, 2008

Router(config)# banner ?

Cisco IOS has three banner types, and it is not always obvious when a configured banner is shown to a user connecting to the router: it depends on the access protocol (Telnet or SSH) and, for SSH, on the protocol version. Cisco describes the banners at: http://www.cisco.com/warp/public/707/ssh.shtml#banners. Two things are worth noticing in the table: the login banner is the only one displayed before authentication on both Telnet and SSH v2, so a pre-login legal notice belongs in "banner login"; and with SSH v1 that banner is not shown at all, which is one more reason to allow only SSH version 2.

Banner command option | Telnet                 | SSH v1 only            | SSH v1 and v2          | SSH v2 only
----------------------|------------------------|------------------------|------------------------|-----------------------
banner login          | displayed before login | not displayed          | displayed before login | displayed before login
banner motd           | displayed before login | displayed after login  | displayed after login  | displayed after login
banner exec           | displayed after login  | displayed after login  | displayed after login  | displayed after login
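As an added example (mine, not from the original post or from the Cisco page linked above), this is a VTY configuration that puts a legal warning in front of every remote login regardless of the protocol: the warning goes into "banner login", because the table shows it is the only banner displayed before authentication on both Telnet and SSH v2, and SSH v1 is switched off so that the "not displayed" column cannot occur. The hostname, domain name, username, password, banner texts and the 2048-bit key size are placeholders chosen for the example.

```cisco
! Added example: pre-authentication warning banner for Telnet and SSH v2 (not from the original post)
hostname Router
! A domain name and an RSA key are prerequisites for SSH (key size is an assumption for a lab box)
ip domain-name example.lab
crypto key generate rsa modulus 2048
! Allow SSH version 2 only: the "SSH v1 only" column of the table can no longer happen
ip ssh version 2
! Local account used by "login local" below (placeholder credentials)
username admin privilege 15 secret Lab-Placeholder-1
! What the user sees BEFORE the Username: prompt, on Telnet and on SSH v2
banner login ^C
UNAUTHORIZED ACCESS PROHIBITED. This system is for authorized users only.
All activity may be monitored and recorded.
^C
! What the user sees AFTER a successful login on SSH (before login only on Telnet)
banner motd ^C
Maintenance window: none scheduled. Contact the network team before changing the running config.
^C
! Shown after login in every case: a good place for operational notes, not for the legal notice
banner exec ^C
Remember to "write memory" after a verified change.
^C
! Prefer SSH: "transport input ssh" removes the Telnet column (and clear-text passwords) entirely
line vty 0 4
 login local
 transport input ssh
```

Test it from a client with "ssh -l admin Router": the login banner must appear before the password prompt, and the motd and exec banners only after it. If you still have to keep Telnet for some legacy tool, the login banner is still the one that shows first, which is why the legal text is not duplicated in the motd.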

March 20, 2008

How to build a CCNA rack?

This is how we do it at Regional Cisco Networking Academy at Technical University of Kosice, Slovakia:

March 14, 2008

Cisco Network Assistant

Have you just joined a smaller business whose network is Cisco based, but you are not very experienced with Cisco devices and are looking for an easy-to-use management tool that is free? Well, you have just found it :-)

Cisco Network Assistant is a free management tool for small networks built on Cisco devices. It offers dynamic network discovery, port and feature management, monitoring, etc. It can set up fairly advanced features with a few clicks, which is handy even for a skilled technician. With Cisco Network Assistant you manage your smaller network from one application and from one place.

image 
^ Network topology view in Cisco Network Assistant

image
^ Switch status

image
^ Information about devices

image
^ Security configuration wizard

You can download the Cisco Network Assistant at http://www.cisco.com/en/US/products/ps5931/index.html. For downloading you will need a guest level CCO account.

For those of you who do not want to use Cisco Network Assistant for centralized management but are looking for an easy way to configure a single Cisco device, there is another option. If you have an ISR series router, you will most likely also have a tool called Cisco Security Device Manager, or SDM, available.

image
^ SDM's main interface

SDM is a Java based configuration and monitoring tool which is usually stored in the device's flash and is accessed through the web interface of the device. The minimal setup is to enable the web server on your router (Router(config)# ip http server) and point your web browser at the router's address. Keep in mind that plain "ip http server" is clear-text HTTP, so your SDM login travels unencrypted: on a router with a crypto image use "ip http secure-server" instead, log in with a local privilege 15 account ("ip http authentication local"), and limit the web server to your management hosts with "ip http access-class".

For more info about SDM go to cisco.com/go/sdm
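Because the one-liner above is the weakest possible way to expose SDM, here is, as an added example (mine, not from the original post or from Cisco's SDM documentation), the way I would publish SDM on an ISR: the weak setting is shown next to the hardened one, with HTTPS only, a local privilege 15 account and the web server reachable from an admin subnet only. The username, password, ACL number and the 10.0.0.0/24 management subnet are placeholders.

```cisco
! Weak form (what the paragraph above describes): clear-text HTTP, reachable from any address
! ip http server

! Hardened form (added example, not from the original post)
no ip http server
! HTTPS; the router generates a self-signed certificate on first use (crypto image required)
ip http secure-server
! SDM logs in with a device account and needs privilege 15 to write the configuration
! (placeholder credentials)
username sdmadmin privilege 15 secret Lab-Placeholder-1
ip http authentication local
! Only the admin subnet (assumed 10.0.0.0/24) may open the web server at all
access-list 10 remark SDM_ADMINS
access-list 10 permit 10.0.0.0 0.0.0.255
ip http access-class 10
! Keep CLI management consistent with the same access list and the same local accounts
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
```

After this, SDM is started with https://<router address>/ from a host in 10.0.0.0/24; a host outside that subnet does not even get a TCP connection to port 443. "show ip http server status" confirms which of the two servers is enabled, and "show access-lists 10" shows whether your management hosts are matching the filter.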

Let's play the game

Learning by playing is a pretty good teaching method. It makes learning more enjoyable, and it is especially powerful when you teach younger people. While teaching networking courses (CCNA, etc.) you can use this method very easily. For example you can create a topology with a central core router that runs a routing protocol unknown to the students. They have to find out whether it is RIP, OSPF, EIGRP or something else, and the first one who finds the answer gets to put an ACL on it that blocks the other students :-) This challenging contest will make your class more entertaining :-)

image

Another good example comes directly from Cisco. It is a Flash based game aimed at kids, who learn through the game about different cultures, people in need, and also about data networks. It is a very good combination :) The game I am talking about is the Peter Packet game.

Peter Packet is a game where the main hero called "Peter Packet" saves (again) the World. Peter is a data network packet and he always carries some important piece of data (email, etc.). He has to survive in a dangerous world of data networks where viruses and hackers are trying to steal and destroy the important information that he is carrying. Players will learn about packets, routers, wifi, ...

You can find Peter Packet as well as other games at http://www.cisco.com/warp/public/779/edu/packetville/pr.html

And last but definitely not least, the Warriors of the Net movie: an animated film about a network which shows how network devices, the Internet, firewalls, etc. work, following a packet's journey from a source application to a destination server.