Overview

I have been seeing a number of articles on the Internet trying to persuade Cisco to offer some kind of real-time emulation software for their IOS. I remember Greg Ferro from Etherealmind started a petition a while back, and I have yet to see any development on that…

The fact of the matter is, Cisco already has such a platform, called IOU, which is designed to emulate their IOS to a near-hardware experience for their internal testing environment. (Don’t quote me on this, but it is pretty good from what I have heard or researched.)

Currently we have Dynamips, which is a resource-hungry Cisco hardware emulation platform where testing can be done to a certain extent, but it is nowhere near perfect. Here are some facts:

• Dynamips requires a lot of resources.
• It is extremely processor heavy (it emulates the router CPU instruction by instruction).
• QoS does not work very well.

If you want a detailed explanation, please have a look at the following post by Wendell Odom, who explains it thoroughly on NWW.

What puzzles me is the fact that Cisco goes out of its way to promote its educational sector, yet is reluctant to offer some kind of software emulation for its IOS.



I have been working on some xDSL sync issues, and here are some of my findings to boost the xDSL sync rate and have a stable line.

Option 1

First of all, find out which standard your ISP’s DSLAM is running. This is important because some standards have limitations which will create a bottleneck when it comes to the hardware you are using. The first rule of thumb for people who are not sure is to use the ISP-provided hardware.

For example, ITU G.992.5 (ADSL2+) has an upstream limit of about 1.3 Mbps. You might have a line which is capable of handling more than 1.3 Mbps, but the hardware you use will impose the limit. This is why you need to know which standard the ISP is running on the DSLAM. If the ISP happens to run ITU G.992.5 Annex M (ADSL2+ M), you are likely to get an upstream speed of more than 1.3 Mbps, so having a router which supports Annex M will be beneficial.



This procedure is quite simple, and the following is done on Linux. A Cisco IOS .bin image is a self-extracting archive that decompresses itself at boot; when you give Dynamips an already uncompressed image, you no longer have to wait for that decompression every time the emulated router boots.

unzip -p c3725-adventerprisek9-mz.124-25.bin > c3725-adventerprisek9-mz.124-25.image

You can see both the compressed and the uncompressed versions below; the uncompressed image is roughly twice the size.

Workstation IOS # ls -ltrh |grep 3725
-rw-r--r-- 1 root root 38M 2010-11-29 16:47 c3725-adventerprisek9-mz.124-25.bin
-rw-r--r-- 1 root root 79M 2010-11-29 20:23 c3725-adventerprisek9-mz.124-25.image
Workstation IOS #


Before you read through this post, I assume you have at least a basic understanding of BGP and how it works.

Here are some facts:

BGP is a path vector routing protocol that runs over TCP on port 179.

Both peers try to open the session: each listens on TCP port 179, and each also initiates a connection to the remote peer’s port 179 from a random (ephemeral) source port. If both attempts succeed at the same time, the collision is resolved in favour of the connection initiated by the peer with the higher BGP Router ID (RFC 4271, section 6.8); if one attempt simply reaches the other side first, that connection is kept.

The peer whose connection survives is the client (ephemeral source port) and the other is the server (local port 179). Which peer ends up in which role can change every time the session is re-established, for example when we clear the BGP process on either peer or the underlying TCP connection gets severed for any reason.

If you specifically want to pin one peer as the server and the other as the client, IOS does support it.

This is how it is done…
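As an added example (not the original post’s own configuration), the roles are pinned with the IOS command neighbor transport connection-mode; the addresses, AS numbers and the MD5 key below are made up for illustration:

```cisco
! R1: the server side. "passive" means R1 never opens a TCP connection to
! the peer; it only accepts the peer's connection on its local port 179.
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password EXAMPLE-KEY
 neighbor 192.0.2.2 transport connection-mode passive
!
! R2: the client side. "active" means R2 always initiates the TCP connection
! from an ephemeral source port towards R1's port 179.
router bgp 65002
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 password EXAMPLE-KEY
 neighbor 192.0.2.1 transport connection-mode active
```

Verify on R1 with show ip bgp neighbors 192.0.2.2 | include port, which should report Local port: 179 and a high Foreign port. Two caveats: if both ends are set to passive the session never establishes, and the MD5 password has to match on both sides or the TCP connection is rejected before BGP even starts. The passive setting is also a useful hardening knob on an Internet-facing peer, since the router will never send a SYN towards the neighbour.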



I have come across a lot of BGP configurations where much of the configuration could be optimised. Having said that, this is not always possible when the network has been built gradually.

Here are a couple of features, called Peer Session Templates and Peer Policy Templates, which we can use for such BGP configuration optimisation when we…

  1. Design a Network from scratch.
  2. Design with a future overview.

Peer session templates hold the commands which are session specific:

  • description
  • disable-connected-check
  • ebgp-multihop
  • exit-peer-session
  • inherit peer-session
  • local-as
  • password
  • remote-as
  • shutdown
  • timers
  • translate-update
  • update-source
  • version

I wouldn’t personally set a password on a template, because…

  1. You might want to have a different password for a specific peer because it is controlled by some other administrative body.
  2. In my opinion, it is best practice to set the password per peer rather than under a template.

Here is an example configuration from Cisco; also take a look at the Peer Policy Templates, which are used under the address-family. I would strongly advise you to read through the whole document.
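As an added example (my own, not Cisco’s document or the original post’s configuration), this is what a peer-session template plus a peer-policy template looks like for two iBGP neighbours, with the password kept per neighbour as argued above. The AS number, addresses, template names and keys are made up:

```cisco
router bgp 65001
 bgp router-id 10.0.0.1
 ! Session-level settings shared by every iBGP neighbour.
 template peer-session IBGP-SESSION
  remote-as 65001
  update-source Loopback0
  timers 10 30
  description iBGP peer (inherits IBGP-SESSION)
  exit-peer-session
 !
 ! Address-family settings shared by the same neighbours.
 template peer-policy IBGP-POLICY
  next-hop-self
  send-community both
  soft-reconfiguration inbound
  exit-peer-policy
 !
 ! Each neighbour inherits the session template but keeps its own MD5 key.
 neighbor 10.0.0.2 inherit peer-session IBGP-SESSION
 neighbor 10.0.0.2 password KEY-FOR-PEER-2
 neighbor 10.0.0.3 inherit peer-session IBGP-SESSION
 neighbor 10.0.0.3 password KEY-FOR-PEER-3
 !
 address-family ipv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 inherit peer-policy IBGP-POLICY
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 inherit peer-policy IBGP-POLICY
 exit-address-family
```

show ip bgp template peer-session and show ip bgp template peer-policy display the templates and what inherits them. Two things to keep in mind: a command configured directly on the neighbour overrides the inherited value, which is exactly why the per-peer password works, and a neighbour cannot use both a peer group and peer templates, so pick one model per router.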



As of 5th May 2010, all 13 DNS root servers will include digital signatures (RRSIG records) in their responses. This has been rolled out to counter forged responses and cache-poisoning attacks such as Dan Kaminsky’s exploit.

Is it going to break the internet?

It will only affect you if the firewalls and FWSMs are not configured correctly to pass DNSSEC-signed responses.

The reason is that, as we already know, DNS uses UDP for queries and replies, and many firewalls with DNS inspection enabled (Cisco ASA and FWSM by default) drop any DNS message larger than 512 bytes.

DNSSEC does not encrypt anything; the signed replies carry extra signature and key records (RRSIG, DNSKEY), which makes the message larger. With EDNS0 a resolver typically advertises a 4096-byte buffer, so responses can grow to 4 KB (4096 bytes), and the firewalls and FWSMs need to be configured to allow messages of that size through.

What needs to be configured on the Firewall?

The DNS inspection policy on the firewall needs the following setting to allow larger UDP DNS messages through…

message-length maximum 4096

We can either hard-code the maximum-length or use other methods to tackle this issue.
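As an added example (not from the original post), here is where that line lives on a Cisco ASA or FWSM: the default inspection map with the 512-byte limit that drops large DNSSEC responses, beside the corrected map, and the policy that actually applies it. The map and policy names are the ASA defaults; everything else is illustrative:

```cisco
! Default ASA/FWSM DNS inspection map: any DNS message over 512 bytes is
! dropped, which silently breaks large DNSSEC responses.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! Corrected: allow messages up to the 4096-byte EDNS0 buffer that most
! resolvers advertise.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!
! The inspection map only takes effect through the policy it is attached to.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
```

Check the result with show service-policy inspect dns. Two caveats a practitioner will want: make sure TCP/53 is permitted as well, because a response that still does not fit is truncated and the resolver retries over TCP; and on newer ASA releases the alternative to a hard-coded size is message-length maximum client auto, which lets the firewall follow the buffer size each query advertises (check the command reference for your version).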

More info about DNSSEC can be found at http://www.root-dnssec.org or by simply searching for the term on Google.
