I just received the official word last week that I will be attending Cisco Live 2012 in San Diego, CA this year. This is a conference that I have been looking to attend for some time now so I am excited to finally be able to take part in it. I figured I would post my schedule on here for the generally curious and in the off chance that someone reading this might want to connect while there.
A few weeks back I posted about attending training for my CCNP studies. I had started/stopped studying for the ROUTE exam several times over the past year and was kicking off what I was hoping would be my final attempt at getting some momentum on this exam. I am very pleased to share that last Tuesday I took the ROUTE exam and passed the test with a healthy score.
For the most part the test was fair in the topics covered. In typical Cisco fashion, I felt like someone who speaks English as a second or third language wrote the exam questions. I much preferred the simulation questions as there are clear objectives and verifiable results. Now that I have cleared the hurdle of ROUTE I have already started down the path of SWITCH and I am looking forward to the challenge that lies ahead.
I’m quite excited as this week I will be re-initiating my pursuit of the CCNP route and switch certification. This is something that I have started a couple times but has been sidelined due to various personal and work related reasons. I am hoping that this time around I can get some momentum behind me and am happy to be kicking it off with some instructor-led training. I am typically more of a self-learner (more of necessity rather than desire) but this time around my work is providing for me to attend the ROUTE class at Global Knowledge.
I picked ROUTE first as this is the area I have the least amount of experience in and will most likely take the most effort to achieve. I was previously responsible for a number of larger campus/metro networks that relied heavily on switching concepts and little on routing. In fact…when I started at the company everything in the network was controlled with static routes…in 2005…
Moving forward to the current day I am still a bit surprised that I’m here. When I made the move to my current employer about 9 months ago it was as a SysAdmin with a focus on Virtualization. I have never been a “Network Engineer” in the truest sense since I have never had a job exclusively focused on packet manipulation. My manager knew I had some skills in the area but it took my friend Jeff Fry leaving the organization to even give me the opportunity to do work on the network side of things. Talk about some large shoes to fill…
I’m hoping the uninterrupted time, combined with some live instruction, is just what is needed to get me moving towards my CCNP.
I am currently building out a Dell m1000e blade chassis for a new datacenter build and ran across a problem that was far more difficult than necessary due to a lack of decent documentation. One of the fabrics in the blade enclosure contains Dell M8024-k 10Gb/s PowerConnect switches. These switches had a recent firmware release that enabled stacking functionality similar to what is capable with Cisco 3750 switches, but instead of using a special stacking cable, these switches will stack with any number of standard 10Gb/s ethernet connections. This was ideal for our situation as the upstream equipment we are connecting to is a pair of Nexus 5548s and we were particularly interested in using vPC for the connectivity to the chassis. After multiple failed attempts, and several conversations with Dell engineers, I have found the correct process for configuring these switches for stacking.
This one is a pretty obvious selection as they publish the official exam study guides for all of the Cisco certification exams. I’m currently reading CCNP Route but have also gone through ICND1 and ICND2 for my CCNA studies. One really great thing about Cisco Press is that they have an eBook deal of the day which often features the Cisco Press certification guides for CCNA and CCNP tests (in many disciplines, not just R&S). It’s pretty hard to beat picking up a cert guide eBook for $10. The only thing to watch out for is that some of the discounted eBooks come with DRM that only allows them to be read on a computer and not on a mobile device like a smart phone or tablet. They have answered this concern by providing watermarked eBooks but you have to verify which version of the material you are purchasing.
This resource goes far beyond just studying for certifications and I can’t recommend having a subscription enough. Safari is an online library of technical manuals/guides containing just about every technology you could think of. They have different tiers of access that make it accessible for an occasional user like myself to obtain without corporate backing. They also publish an iPad application that allows you to access the content from your tablet.
This is a surprisingly convenient tool when studying for certifications. Having an independent display (on the go) that can house reference material or lab guidelines leaves your primary laptop/computer free for labbing or note taking. I also use mine quite regularly to read the certification guides when I’m not sitting at a desk or have my laptop handy. It’s definitely not a necessity but it has many great uses while studying.
You need one…period. These are technical certifications and I imagine they would be pretty hard to pass without some sort of laptop or computer to work on. If you are going to be doing virtual labbing with a tool like GNS3 then make sure it isn’t weak. You can never have too much RAM.
If you are going to read any document on the iPad it is an absolute must. It makes reading large PDF files easy, remembers where you were when you leave the file/app and can sync files from 3rd party storage locations like dropbox. It’s $5 in the app store and is worth every penny.
Mental Case is a flash card application for the Mac, iPhone and iPad. Greg Ferro from packetpushers had tweeted a recommendation about it so I picked it up for my iPad…well worth it. You can create your own question sets or use public sets available for download from FlashcardExchange.com and Quizlet.com. The application tracks which questions you have answered correctly and incorrectly and can revisit questions you got wrong automatically. This is definitely another fantastic app that is well worth the money.
GNS3 is an emulated routing environment that supports running Cisco IOS and Juniper JunOS. It’s a godsend for labbing as you no longer need to have physical equipment in order to learn how to configure software components. It certainly gives greater flexibility in setting up disparate media/connectivity types without needing a drawer full of interface cards and multiple routers sitting in your garage/basement. Unfortunately, emulating IOS is a grey area when it comes to licensing. Technically every version of IOS you run should be licensed (which is tied to a piece of hardware) and Cisco does not provide a short term trial or limited version of their software for testing/studying. Cisco isn’t alone in that as Juniper and the other major network vendors have similar stances on licensing but the reality is that you don’t need 4 to 6 routers running in your house and drawing power when it can be emulated at far less cost/aggravation…not to mention the benefits of bringing your lab with you wherever you go. As far as I know Cisco has not ever pursued any type of punitive action against those using IOS outside of the normal contract for studying purposes (which has to be in the thousands) but you do so at your own risk.
If you do choose to go the emulation route this website is a great resource. Rene Molenaar runs this site which provides labs for the different technologies learned while going through the study guides. Some labs are better than others but having free access to lab guides can help validate that you’ve learned the material and provide the practice necessary to really commit it to memory. Additionally there are many videos on YouTube explaining how to complete the lab requirements.
I recently came across an issue with WSUS that ended up requiring an entire rebuild of the servers, databases and configuration at the organization I currently work for. As is true for most organizations, WAN traffic for us is a limited resource. With locations all over the world latencies tend to add up pretty quickly as well. Transferring files between the US and Asia can be a pretty mind numbing and time consuming process so I wanted to configure our remote replica WSUS installations to pull down their own updates from Microsoft instead of from the upstream server. What I found was pretty simple and I thought I would document it here in case others were looking to do the same. Here goes.
- Open up the Windows Server Update Services mmc (Start->Administrative Tools->Windows Server Update Services) on the server you want to configure.
- Navigate to the Options window
- Click on Update Files and Languages
- Check the Download files from Microsoft Update; do not download from upstream server box
- Click on OK
That’s it…very simple to do but not necessarily the most intuitive place to put the configuration (I was looking for the setting under Update Source and Proxy Server).
As most of you probably know, I have been studying for my CCNP certification lately. I’m currently working through the EIGRP protocol and one of the topics that keeps coming up (and I continually seem to forget one of the steps for) is EIGRP authentication using key chains. This is just a quick how-to for those who might be in the same spot.
Step 1: Create the key chain
Key chains have three necessary components and two optional components. The necessary components are the key chain name, key number and key string (aka password). Optionally you can include an accept-lifetime and a send-lifetime parameter that will dictate which keys on the key chain are used when. Let’s get started on the initial configuration…
You’ll need to start in global configuration mode and then enter the following command where <unique_key_chain_name> is any name of your choosing:
key chain <unique_key_chain_name>
You should now be in key chain configuration mode. Create a key with the following command:
The number you choose here is important as the sequence of keys plays into which keys will be used for particular functions. Assuming that this is a new key chain you will almost always start with key 1. The last step that needs to be accomplished for a functioning key chain is setting the key string. This is essentially the same thing as a shared secret phrase or a password and will need to match the key-strings configured on neighboring routers:
Of all of the above components, the two things that need to match identically on neighboring devices are the key number and the key string. The key chain name is only locally relevant and is not used in the authentication process. So long as the key number and key-string match, authentication should work correctly.
So that is all good…we now have a key chain and it is configured with a key and key-string but it doesn’t do us much good until we apply that to something and that brings us to step 2…
Step 2: Apply the key chain to an interface
Authentication is configured in interface configuration mode (not router configuration mode as you might expect). Any interface that has authentication configured on it will not form neighbor relationships out that interface unless the neighbor passes the authentication process. To apply key chain authentication on an interface you must issue the following two commands in interface configuration mode:
ip authentication mode eigrp <ASN> md5
ip authentication key-chain eigrp <ASN> <unique_key_chain_name>
**Note: While configuring authentication, if a neighbor relationship already exists it will be torn down when the first of these two commands is issued on an interface. The neighbor relationship will only re-establish itself when authentication is removed from the interface or the neighbor is configured with a complementary authentication scheme.**
So that’s it for the basics of how to configure EIGRP authentication for neighbor relationships. Let’s take a look at the entire configuration start to finish and then cover some additional configuration items as well as some of the caveats of how the authentication works:
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#key chain JKM
R1(config-if)#ip authentication mode eigrp 61 md5
*Mar 1 00:30:49.987: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 61: Neighbor 192.168.1.2 (FastEthernet0/0) is down: authentication mode changed
R1(config-if)#ip authentication key-chain eigrp 61 JKM
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#key chain HEM
R2(config-if)#ip authentication mode eigrp 61 md5
R2(config-if)#ip authentication key-chain eigrp 61 HEM
*Mar 1 00:32:57.723: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 61: Neighbor 192.168.1.1 (FastEthernet0/0) is up: new adjacency
Accept-lifetime and Send-lifetime
The accept-lifetime and send-lifetime are configuration parameters that are available while configuring a key within a key chain. These two commands are pretty self-explanatory, but essentially they establish a time frame for the validity of a key. One of the primary uses for expiring keys is to change keys for security reasons. By configuring multiple keys with different expiration time frames you can stage the key change in advance without impacting your current authentication. The proper way to configure the commands is:
accept-lifetime 01:00:00 Nov 7 2011 13:00:00 Nov 7 2011
send-lifetime 01:00:00 Nov 7 2011 13:00:00 Nov 7 2011
The above commands would make the key valid between 1 AM and 1 PM on November 7th only. This process is obviously very dependent on synchronized clocks between routers. If you are going to set accept-lifetime and send-lifetime values for your authentication keys it is highly recommended to make use of a central time server to ensure clock synchronization. To understand completely what happens when multiple keys are valid at the same time we need to take a look at how EIGRP selects the keys to use when authenticating.
When authentication is configured EIGRP identifies potential neighbors and then goes directly into the authentication process. To select which key it sends to its neighbor, the router looks through its entire list of keys and sends the key-string of the lowest key number that is currently valid. Assuming that today is November 8th, 2011, key 2 and key 3 would be the only valid keys of the four keys in the chart below. Since key 2 is the lowest numbered key, this is the key that will be used to attempt authentication with the neighboring router.
Based on the same information above, if this router were to receive a key string as part of the authentication process, it would try to validate that key against the same key number in its own key chain. If the received key matches the same key number then the authentication would have been validated and the neighbor relationship would be established.
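As an added illustration (my own code, not the original post's and not Cisco's implementation), the following Python models the key-chain rules just described: the sender picks the lowest-numbered key whose send-lifetime covers the current time, and the receiver validates against the same key number in its own chain, only while that key's accept-lifetime is current. The four-key chains, key strings and hello packet are constructed, and the keyed MD5 digest is a simplification of real EIGRP MD5 authentication (where the key string itself is never transmitted, only the key number and a digest).

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

Lifetime = Optional[Tuple[datetime, datetime]]  # (start, end); None = infinite, the IOS default


@dataclass
class Key:
    """One key of an IOS key chain: number, key-string, optional accept- and send-lifetime."""
    number: int
    key_string: str
    accept: Lifetime = None
    send: Lifetime = None


def within(window: Lifetime, now: datetime) -> bool:
    return window is None or window[0] <= now <= window[1]


def at(ts: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM', the format the constructed chains below use."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


class KeyChain:
    """Key selection as the post describes: lowest-numbered key whose lifetime covers now."""
    def __init__(self, name: str, keys: List[Key]):
        self.name = name  # locally significant only; never compared between neighbors
        self.keys = sorted(keys, key=lambda k: k.number)

    def select_send_key(self, now: datetime) -> Optional[Key]:
        return next((k for k in self.keys if within(k.send, now)), None)

    def sign(self, packet: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
        # Simplified keyed MD5 (an assumption, not the exact IOS digest layout): only the
        # key number travels with the packet; the key-string itself never leaves the router.
        key = self.select_send_key(now)
        if key is None:
            return None
        return key.number, hashlib.md5(packet + key.key_string.encode()).digest()

    def verify(self, packet: bytes, key_number: int, digest: bytes, now: datetime) -> bool:
        # Check against the *same key number* locally, and only while it is accept-valid.
        key = next((k for k in self.keys if k.number == key_number), None)
        if key is None or not within(key.accept, now):
            return False
        expected = hashlib.md5(packet + key.key_string.encode()).digest()
        return hmac.compare_digest(expected, digest)


def adjacency_forms(sender: KeyChain, receiver: KeyChain, now: datetime) -> bool:
    """One direction of the exchange for a constructed hello packet, both clocks in sync."""
    packet = b"EIGRP HELLO AS 61"
    signed = sender.sign(packet, now)
    return signed is not None and receiver.verify(packet, signed[0], signed[1], now)


def key(number: int, secret: str, start: str, end: str) -> Key:
    # Key whose accept- and send-lifetime are the same window
    return Key(number, secret, accept=(at(start), at(end)), send=(at(start), at(end)))


def chain(name: str, key2_secret: str = "KEY2SECRET") -> KeyChain:
    """Constructed four-key chain (the post's chart is not reproduced): on Nov 8 2011 only
    keys 2 and 3 are valid, so key 2 is used; once key 2 expires on Nov 15, key 3 takes over."""
    return KeyChain(name, [key(1, "KEY1SECRET", "2011-11-01 00:00", "2011-11-07 23:59"),
                           key(2, key2_secret, "2011-11-05 00:00", "2011-11-15 23:59"),
                           key(3, "KEY3SECRET", "2011-11-06 00:00", "2011-11-30 23:59"),
                           key(4, "KEY4SECRET", "2011-11-10 00:00", "2011-12-31 23:59")])
```

Calling sign and verify with different clocks on the two routers (sender still on Nov 15, receiver already on Nov 16) fails even with identical chains, which is the synchronized-clock requirement noted above.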
If you have been checking here occasionally, as I know some of you have, I apologize for the false start. I do still intend to get this blog rolling but there just are other things that need my attention at the moment. Thank you for your support.
First, let me forewarn you that this post is not even remotely technical in nature. I have had a couple of significant events happening in the background that have been my priority over the past couple of weeks and wanted to give an update here on why things have been stale (if that’s even possible with only one technical post).
Change #1 – New Daughter
That’s right, on 5/23 my second daughter, Lydia Joy, was born around 8:30 AM. Everything went as smooth as possible and like many others before me, this week has been a week of settling in and adjusting to the demanding schedule that a newborn requires. This time around was a lot easier from a preparation standpoint as we already had all of the necessities from our first. That being said, my wife and I took the more traditional route and didn’t know the gender before birth. I guess we lucked out as there was no required mad rush to the store to buy boys clothing. I’m enjoying the process a little more this time as it is familiar and couldn’t be more excited that Hannah (our first) wants nothing more than to be a great helper. I’ll spare you any more details and just post the picture like any proud father should:
Change #2 – New Job
After 6 years at my current employer, KidsPeace, I have decided that the timing is right to pursue new opportunities elsewhere. I am extremely grateful for the opportunities I’ve had while working at KidsPeace and am excited to bring the experience I have gained there to new projects and challenges. As I’m sure you can imagine, the past two weeks have been daunting with transitioning current responsibilities to my team members and having a baby during the process. It certainly has not been boring and I am glad that the bulk of the craziness is done for a while. I will be joining the systems team at kgb starting tomorrow which I’m sure will bring a bevy of new topics to cover on this blog. I am still planning on pursuing my CCNP (even though it falls out of the purview of my new responsibilities) and even possibly VCP in the near future as virtualization will be a large component of my position.
So now that the news is out of the way, I promise that my next post will be a technical one. Until then…
Recently I had an interesting problem that arose regarding a rollout of Citrix Receiver to all corporate computers. The issue was that the rollout was going to be done by subnet (a limitation introduced by the thin clients in use) and not by some of the other typical grouping logic that has been used in the past. Because our users are not administrators of their machines, we could not just ask them to install the software themselves. Additionally, since our OUs do not mimic our subnet structure, this created an issue when doing an application push to everyone using group policy.
So what I needed to find was a way to apply an installation script to all computer accounts that only executed the install if the computer was a member of one of the targeted subnets. I had batch scripting and VBScript as options since this was being done through Active Directory and PowerShell is not installed on most workstations. Here are the scripts that ended up accomplishing the task:
Script 1: receiver-install.bat
Script 2: receiver-install-2.bat
File 1: subnets.txt
So let’s break this down a bit and look at what is actually happening…
First, an Active Directory GPO is applied to the top level of your computers OU that executes receiver-install.bat. Since our users are not administrators, we did this as a computer startup script since that is run as the SYSTEM user. If your users have installation privileges this could just as easily be applied as a login script for the user using loopback processing of group policy objects.
Once the script is running as an administrator, it reads a file named subnets.txt line by line. This file should be maintained on a central file share and will be the file used to control which subnets are targeted for installation. Each line of the subnets.txt file is read into a variable and then receiver-install-2.bat is called with that subnet as an argument.
Here is where things get interesting. We need to verify that the machine is currently a member of one of the target subnets using only commands available to us in batch scripting. Here is where a little command line kung-fu can help. Most of us know that issuing the ipconfig command will list out all of the IP addresses a machine is currently using. This command also gives us quite a bit of additional information that isn’t required for our purposes.
In order to pare this down we’re going to use the pipe (|) and the find command to identify the line we are looking for. The actual command in the script looks like this: ipconfig | find /i "IPv4 Address". An output of that command is in the window below:
"IPv4 Address" is specific to Vista and Windows 7 machines, so we also check for "IP Address", which is the heading used by 2000/XP machines. We then run another find against the line that is returned, and if the subnet matches the one passed when calling the script we continue to the installation portion. Otherwise we gracefully exit the script and try the next subnet.
From here on out anything can be placed in the installation portion of the script. As stated above, we were using the script to install receiver. We run a couple of checks to see if it is already installed, and if it isn’t, we run the installation.
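The batch scripts themselves are not reproduced on this page, so here is the same subnet gate as an added example in Python (my own code, not the author's scripts), written so the matching logic is explicit: it accepts both the Vista/7 "IPv4 Address" and the 2000/XP "IP Address" headings, loads the subnets.txt list, and tests real prefix membership instead of a substring match. The ipconfig output and the subnets.txt contents are constructed samples; current_ipconfig() is the hook for reading the live output on a Windows host.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed "ipconfig" output in the Vista/7 format; Windows 2000/XP prints "IP Address" instead.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.20.30.41
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.20.30.1

Ethernet adapter VirtualBox Host-Only Network:

   IPv4 Address. . . . . . . . . . . : 192.168.56.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Constructed subnets.txt: one target subnet per line, as the post keeps it on a central share.
SAMPLE_SUBNETS = "10.20.30.0/24\n10.20.31.0/24\n"

# Matches both headings the post checks for; the address is captured after the dotted leader.
ADDRESS_LINE = re.compile(r"^\s*(?:IPv4 Address|IP Address)[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", re.I)


def host_addresses(ipconfig_output: str) -> List[ipaddress.IPv4Address]:
    """Every IPv4 address on the machine, whichever heading this Windows version uses."""
    return [ipaddress.IPv4Address(m.group(1))
            for m in map(ADDRESS_LINE.match, ipconfig_output.splitlines()) if m]


def load_subnets(subnets_text: str) -> List[ipaddress.IPv4Network]:
    """Parse subnets.txt; blank lines and '#' comments are ignored."""
    nets = []
    for line in subnets_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            nets.append(ipaddress.IPv4Network(entry, strict=False))
    return nets


def matching_subnet(addresses, subnets) -> Optional[ipaddress.IPv4Network]:
    """First targeted subnet that one of the host's addresses belongs to, else None.
    A real prefix test avoids the substring pitfall of find: "10.20.3" would also match 10.20.30.x."""
    for net in subnets:
        for addr in addresses:
            if addr in net:
                return net
    return None


def should_install(ipconfig_output: str, subnets_text: str) -> bool:
    """The gate the batch scripts implement: install only if the host is on a targeted subnet."""
    return matching_subnet(host_addresses(ipconfig_output), load_subnets(subnets_text)) is not None


def current_ipconfig() -> str:
    """Read the live ipconfig output on a Windows host (the post runs its equivalent as a
    computer startup script from the GPO described above)."""
    return subprocess.run(["ipconfig"], capture_output=True, text=True, check=True).stdout
```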
I hope this can help some of you who may find yourself in a similar situation. I’m sure there are far more graceful and elegant ways to handle this specific scenario and I would love to hear them if you have them.