10 excuses you should avoid telling to your boss

I know, it’s not technical or related to Cisco, but it has everything to do with the industry in which we network engineers are working. I found this great article by Justin James about the top 10 excuses a boss does not want to hear and I think it’s a good opportunity to share it with you. So here is what he’s saying:

“There are lots of reasons why a project might not be going well or may even fail. When your boss wants to know why, there is a world of difference between offering an excuse and providing a legitimate reason. In truth, most excuses only make your manager more upset and put the blame on you. Here are 10 common excuses that employees give their managers — and how you can turn them from weak excuses into a way of getting your supervisor to help you resolve the problems before your project is jeopardized.

1: I didn’t understand the assignment

Not every boss has great communication skills. And yes, having a manager who is not good at explaining what needs to be done makes life difficult. At the same time, using your boss’ inability to explain things as an excuse for not doing them just does not fly. If an assignment does not make sense, it’s your responsibility to find out what really has to happen. And if you find yourself in this situation more than once, it is a sign that you need to be extra careful when working with this particular person to get things fully understood.

2: The deadline was impossible

We all know this situation: A manager hands you an assignment with a deadline attached to it. You tell the manager that the deadline can’t be met and you’re told, “I don’t care; make it happen.” When the deadline is missed, you say, “But I told you the deadline was impossible!” and the boss is still angry. The disconnect here is that simply saying that the deadline is not possible is not good enough. As soon as the boss tells you to do it and you passively accept the ridiculous deadline, you make it your responsibility to meet it.

Your best defense is to negotiate a better deadline, and to do that, you need a project plan. The fact is, you always should be able to paint a picture of what a project will entail with some broad strokes anyway, and it is fairly easy to assign some rough estimates of the time to make each step happen. When you show your supervisor that even the most optimistic rough draft of a plan that omits a million minor details shows that it will take three months and they are demanding three weeks, guess what? It is now your manager’s responsibility to deal with the deadline issue. You have turned an opponent into an ally, and no sane boss can hold you accountable for the bad deadline anymore.”

Read the rest of the article here

Cisco: IP Policy Routing with IP SLA and EEM

Considering the same environment as in the post Cisco: Policy Routing with IP SLA, there is another way to achieve the same behavior, again using IP SLA, this time together with EEM (Embedded Event Manager).

For those of you who are not so familiar with EEM, please read http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html. You will find a nice explanation and some examples of how to use EEM to achieve the desired result.

Now, going back to our example, please consider the same topology as in the previous post:

We start by configuring the IP SLA operation again (explained in this post):

ip sla 5
icmp-echo 172.82.100.1 source-interface GigabitEthernet0/0
timeout 1000
frequency 2
ip sla schedule 5 life forever start-time now

We now have the path measured. Instead of tracking it and applying the route based on the tracking state, we take a different approach: we use EEM to check the state of the IP SLA operation and, according to the result, configure the necessary IP routing. For EEM to work we need to know an SNMP object name and the OID associated with it. In my example I will use the SNMP object rttMonCtrlOperTimeoutOccurred with the OID value 1.3.6.1.4.1.9.9.42.1.2.9.1.6.

According to Cisco’s explanation: “This object is set to true when an operation times out, and set to false when an operation completes under rttMonCtrlAdminTimeout. When this value changes, a reaction may occur, as defined by rttMonReactAdminTimeoutEnable.”

In summary, we will check the IP SLA operation with EEM using this SNMP object. When a change occurs in the monitored IP SLA operation, EEM will apply a configuration defined by us:

event manager applet IP-SLA-5-TIMEOUT
! the trailing .5 in the OID is the index of "ip sla 5"; 1 = true (timeout), 2 = false
event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.6.5 get-type exact entry-op eq entry-val 1 exit-op eq exit-val 2 poll-interval 5
action 1.0 syslog msg "172.82.100.1 not reachable - primary line NOK"
action 1.1 cli command "enable"
action 1.2 cli command "configure terminal"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 10.10.10.1"

The EEM applet is based on an SNMP event: it monitors the OID value explained above. You may notice that another value, .5, has been appended to the end of the OID. This is important, as it is the index that ties the EEM event to the IP SLA entry. In my case this number is 5, because the IP SLA operation is defined with that number, but in your case it may be different. The applet checks every 5 seconds whether the TruthValue is 1 (true) or 2 (false) and applies the defined configuration. It triggers on value 1 (true), that is, when a timeout occurs in the IP SLA operation.

You might wonder what happens when the primary line is working again. Well, nothing in this configuration, because no EEM applet is configured for the case when the primary line is OK. In other words, EEM will not retract the backup default route. For this we need another EEM applet with a small modification:

event manager applet IP-SLA-5-OK
event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.6.5 get-type exact entry-op eq entry-val 2 exit-op eq exit-val 1 poll-interval 5
action 1.0 syslog msg "172.82.100.1 is reachable - primary line OK"
action 1.1 cli command "enable"
action 1.2 cli command "configure terminal"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 10.10.10.1"

Now the EEM applet is triggered on value 2 (false), that is, when no timeout occurs in the IP SLA operation.
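To see why the second applet is needed, here is an added Python model (not Cisco code, not part of the original post) of the two applets reacting to a constructed sequence of polled TruthValues. It assumes the IOS EEM SNMP event semantics where an applet with entry and exit criteria fires on the entry match and is re-armed only after the exit value has been seen.

```python
"""Added model of the two EEM applets on this page reacting to polled
rttMonCtrlOperTimeoutOccurred.5 values (1 = true/timeout, 2 = false).
Assumption: an applet with entry and exit criteria fires on the entry
match and is re-armed only once the exit value is seen."""

TRUE, FALSE = 1, 2  # SNMP TruthValue encoding checked by the applets
BACKUP = "ip route 0.0.0.0 0.0.0.0 10.10.10.1"


class SnmpApplet:
    """One 'event snmp oid ... entry-val X exit-val Y' applet."""

    def __init__(self, name, entry_val, exit_val, action):
        self.name, self.entry_val, self.exit_val = name, entry_val, exit_val
        self.action = action   # callable standing in for the 'action' lines
        self.armed = True

    def poll(self, value):
        """Evaluate one poll-interval sample; return True if actions ran."""
        if self.armed and value == self.entry_val:
            self.action()
            self.armed = False  # no re-trigger until the exit value appears
            return True
        if not self.armed and value == self.exit_val:
            self.armed = True
        return False


def run_polls(samples, with_ok_applet=True):
    """Feed constructed TruthValue samples through the applet(s). Returns
    (backup route present after each poll, syslog messages produced)."""
    routes, log = set(), []

    def add_backup():              # IP-SLA-5-TIMEOUT actions
        routes.add(BACKUP)
        log.append("172.82.100.1 not reachable - primary line NOK")

    def del_backup():              # IP-SLA-5-OK actions
        routes.discard(BACKUP)
        log.append("172.82.100.1 is reachable - primary line OK")

    applets = [SnmpApplet("IP-SLA-5-TIMEOUT", TRUE, FALSE, add_backup)]
    if with_ok_applet:
        applets.append(SnmpApplet("IP-SLA-5-OK", FALSE, TRUE, del_backup))
    history = []
    for value in samples:
        for applet in applets:
            applet.poll(value)
        history.append(BACKUP in routes)
    return history, log
```

With only the TIMEOUT applet, the backup route stays installed once the first timeout is seen even after the line recovers; with both applets it follows the line state.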

You might also be interested in another EEM configuration, which sends an e-mail notification when a certain condition occurs. Check it here.

How to use a Cisco router as Frame-Relay switch


For this tutorial you can use a low-cost Cisco router; of course you need some serial interfaces available on it. I will use a 7206 with 3 serial interfaces. I will call this router R6, and the three routers connected to R6 will be R2, R5 and R9. This way it will be easier for you to understand how the frame-relay routing is achieved.

If we have a look at the interfaces of R6 (the router used as frame-relay switch):

r6-c7206#sh int desc
Interface   Status   Protocol   Description
Fa0/0       up       down
Fa0/1       up       down
Se5/0:1     up       up         TO_R2
Se5/1:2     up       up         TO_R5
Se6/0       down     down
Se6/1       up       up         TO_R9

you’ll notice that we have 3 active serial interfaces, each connected to one of the three routers R2, R5 and R9.

Very important: before you begin, define a scalable scheme for your DLCI numbers, otherwise you will have a complete mess when troubleshooting is needed. I like to define them with the formula Rx0Ry, with the digit zero in the middle. Following this idea, R2 to R5 gives R20R5, and from this results DLCI 205 for the Frame-Relay connection from R2 to R5. Below are the DLCI numbers used in this tutorial:

R2 -> R5: DLCI 205
R2 -> R9: DLCI 209
R5 -> R2: DLCI 502
R5 -> R9: DLCI 509
R9 -> R2: DLCI 902
R9 -> R5: DLCI 905

Now that we have defined the DLCI numbers, let’s configure router R6 as a frame-relay switch.

First of all, you need to enable frame relay switching on the router:

r6-c7206#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r6-c7206(config)#frame-relay switching

This command enables the switching of frames based on the data-link connection identifier (DLCI) inside your router.

Next, we have to configure the frame-relay routing on the physical interfaces. We will start with interface S5/0:1, where router R2 is connected, and apply the following configuration:

interface Serial5/0:1
description TO_R2
no ip address
encapsulation frame-relay
! the frame-relay switch is the DCE and the other end is the DTE
frame-relay intf-type dce
frame-relay route 205 interface Serial5/1:2 502
frame-relay route 209 interface Serial6/1 902

With the frame-relay route command we tell the frame-relay switch where to forward frames based on the DLCI number. If we take a look at the first frame-relay route command, frames arriving on DLCI 205 are sent out of interface Serial5/1:2 as DLCI 502. If you feel confused, please check again the interface connections to the routers above and the assignment scheme for the DLCI numbers.

In the same way as for interface S5/0:1, we configure the interfaces connected to R5 and R9:

interface Serial5/1:2
description TO_R5
no ip address
encapsulation frame-relay
frame-relay intf-type dce
frame-relay route 502 interface Serial5/0:1 205
frame-relay route 509 interface Serial6/1 905

interface Serial6/1
description TO_R9
no ip address
encapsulation frame-relay
frame-relay intf-type dce
frame-relay route 902 interface Serial5/0:1 209
frame-relay route 905 interface Serial5/1:2 509

Having a look at S5/1:2, first frame-relay route command: here we configure the path back from R5 to R2, by telling the frame-relay switch to choose interface S5/0:1 to send frames for DLCI 205 (R2).
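A one-way frame-relay route or a mistyped DLCI is exactly the "complete mess" mentioned above, so here is an added Python check (my own example, not part of the tutorial) that parses a trimmed copy of R6’s configuration and verifies that every PVC has its return route on the egress interface and that every DLCI follows the Rx0Ry scheme.

```python
import re

# Constructed copy of the R6 frame-relay switch configuration from this
# tutorial (only the lines the check needs are kept).
R6_CONFIG = """
interface Serial5/0:1
 description TO_R2
 frame-relay route 205 interface Serial5/1:2 502
 frame-relay route 209 interface Serial6/1 902
interface Serial5/1:2
 description TO_R5
 frame-relay route 502 interface Serial5/0:1 205
 frame-relay route 509 interface Serial6/1 905
interface Serial6/1
 description TO_R9
 frame-relay route 902 interface Serial5/0:1 209
 frame-relay route 905 interface Serial5/1:2 509
"""


def parse_routes(config):
    """Return ({iface: attached router number},
               {(iface, in_dlci): (out_iface, out_dlci)})."""
    peers, routes, iface = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif m := re.match(r"description TO_R(\d+)$", line):
            peers[iface] = int(m.group(1))
        elif m := re.match(r"frame-relay route (\d+) interface (\S+) (\d+)$", line):
            routes[(iface, int(m.group(1)))] = (m.group(2), int(m.group(3)))
    return peers, routes


def check_switch(config):
    """List problems: one-way DLCI routes and DLCIs breaking the Rx0Ry scheme."""
    peers, routes = parse_routes(config)
    problems = []
    for (iface, in_dlci), (out_iface, out_dlci) in routes.items():
        # A PVC only works if the egress interface routes the return DLCI back.
        if routes.get((out_iface, out_dlci)) != (iface, in_dlci):
            problems.append(f"no return route for DLCI {in_dlci} on {iface}")
        # Rx0Ry: the DLCI router x uses towards router y should be x*100 + y.
        expected = peers[iface] * 100 + peers[out_iface]
        if in_dlci != expected:
            problems.append(f"DLCI {in_dlci} on {iface} should be {expected}")
    return problems
```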

This is the basics of how to configure a Cisco router as a frame-relay switch. If you need help, please don’t hesitate to use the comment form below.

How to emulate ASA in Ubuntu 9.10 and GNS3

Cisco ASA

Brainbump.net has an excellent and very complete how-to on emulating ASA using just the following components:

  • Ubuntu 9.10 – 32 bit Edition
  • GNS3 v0.7 RC1 tgz
  • Dynamips 0.2.8-RC2 binary for Linux x86 platforms
  • Qemu-0.11.0 tar.gz
  • Qemu-0.11.0 Patch
  • ASA Binary Version 8.0(2) – (asa802-k8.bin)

The how-to is divided into 3 video tutorial parts for easy understanding; it starts with the most basic installation of GNS3 under Ubuntu 9.10 and continues with the actual configuration of the emulation.
If you are interested in security or you just want to test ASA and don’t have access to real hardware, you definitely will want to try the Brainbump.net tutorial.

READ THE FULL TUTORIAL on Brainbump.net


Cisco PPP Authentication

As a network engineer, you most probably have already had to deal with PPP authentication at least once or twice in your daily operation. Even more, if you are going for a Cisco certification (and not only) you should know some things about PPP authentication. For today, I’ve planned to deal with back-to-back PPP authentication.

For this back to back scenario, we have the following simple topology:

When we talk about PPP authentication on an end-to-end line we are dealing with 3 major authentication methods:

PAP

CHAP

EAP

Now, when we think of security, we can easily observe that PAP is the least secure one and CHAP or EAP are the stronger ones.

PAP (Password Authentication Protocol) transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It should be used only as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure protocol as it uses a three-way handshake and the shared secret (password) is never sent on the wire. Instead, an MD5 hash calculated from the shared secret and the challenge received from the peer is sent back as the response.
EAP (Extensible Authentication Protocol) is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods, called EAP methods. There are currently about 40 different methods defined.

When we think of PPP authentication direction there are 2 types:

– one way authentication

– two-way authentication

Pretty obvious, no?

OK, enough with the theory. If you need a deeper understanding of PPP, there is always the Internet. Next, I will show you some simple examples of PPP authentication using PAP, CHAP and EAP.

PAP type authentication

Let’s assume that in the scenario above, R1 is sending a challenge to R2. Very important! In the PPP authentication configuration, you don’t have to do anything to respond to a challenge. This is done automatically.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication pap

R2
int s0/0
encapsulation ppp
ppp pap sent-user R2 password cisco

Actually that’s it. As I said, pretty simple. You configure R1 to send an authentication challenge to R2 with “ppp authentication pap”. R2 has to reply to this challenge with the username and password defined with “ppp pap sent-user R2 password cisco”. This username and password have to be defined on R1. Whatever user and password you configure on the challenged side to be sent back, that same information must be defined on the challenger.

CHAP authentication type

Configuring CHAP is even easier. In the example below, I will configure R2 to send a CHAP challenge to R1:

R1
username R2 password cisco
int s0/0
encapsulation ppp

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication chap

By default, CHAP sends the router hostname as the username in the three-way handshake, so there is no need to specify which user to send like in the PAP method. As I said before, this method is more secure than PAP.
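To make the three-way handshake concrete, here is an added Python model (my own example, not Cisco code) of R2 challenging R1 as in the CHAP configuration above, using the RFC 1994 MD5 response. The hostnames R1/R2 and the secret "cisco" come from the page; the local username database is modelled as a dict.

```python
import hashlib
import hmac
import os

# Added model of the CHAP three-way handshake between R1 and R2 above
# (RFC 1994 MD5 method). "cisco" is the shared secret from the page's
# 'username ... password cisco' lines; nothing here is Cisco's code.


def chap_response(identifier, secret, challenge):
    """CHAP Response value: MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Side configured with 'ppp authentication chap' (R2 on this page)."""

    def __init__(self, hostname, users):
        self.hostname, self.users = hostname, users  # local 'username' db
        self.identifier, self.current = 1, None

    def challenge(self):
        """Challenge packet: Identifier, random Value and our Name."""
        self.current = os.urandom(16)
        return self.identifier, self.current, self.hostname

    def verify(self, identifier, response, name):
        """True (Success packet) only if the peer knew the secret for its name."""
        secret = self.users.get(name)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.current)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Challenged side (R1): sends its hostname as Name, never the secret."""

    def __init__(self, hostname, users):
        self.hostname, self.users = hostname, users

    def respond(self, identifier, challenge, peer_name):
        secret = self.users[peer_name]  # 'username <peer> password <secret>'
        return identifier, chap_response(identifier, secret, challenge), self.hostname


def run_chap(r1_users, r2_users):
    """R2 challenges R1 as in the CHAP example; returns True on success."""
    r2, r1 = ChapAuthenticator("R2", r2_users), ChapPeer("R1", r1_users)
    ident, value, name = r2.challenge()                        # 1. Challenge
    ident, digest, peer_name = r1.respond(ident, value, name)  # 2. Response
    return r2.verify(ident, digest, peer_name)                 # 3. Success/Failure
```

Only the identifier, the random challenge, the hostnames and the MD5 digest cross the link, which is why a capture of a CHAP exchange does not reveal the password the way a PAP capture does.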

EAP authentication type

To be honest, I haven’t seen too many PPP connections being authenticated with EAP, but it is there and I have seen it in some CCIE lab topics, so you should keep an eye on it. Like the other two methods, this one is easy to implement and offers a more secure level of authentication than PAP.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R1
ppp eap password cisco
ppp eap local

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R2
ppp eap password cisco
ppp eap local

I believe that the command syntax tells pretty much all there is. With “identity” you define the user to be sent to the peer, “password” is what the word says, and the last option, “local”, is quite important. By default EAP needs a RADIUS server for authentication. If you don’t have one (exams, quick testing…) then you want EAP to use the local database instead of RADIUS.

These are the basics of PPP authentication. Even if they are not so much in use, try to remember these small steps as you might need them sometime.