http://www.networkworld.com/community/node/46491
Scott Hogg article on IPv6 in IOS 15.
Monday, October 19, 2009
Friday, September 25, 2009
show tcam command for access lists
I was trying to use 'show access-list <name>' to find ACL hits from a local machine to a web server. I noticed I was only seeing the initial connection from the local device to the server hitting the inbound ACL on the VLAN interface, but the outbound ACL on the same VLAN interface never reported matches on the reciprocal ACE, even though the web connection was working.
After some research I found a few features on newer IOS releases (CBAC being the main one) which behave this way, but the code on this device didn't support them and, even if it had, nothing of the sort was configured. The culprit is hardware ACL processing. The 6500 pushes ACL processing to the TCAM, and the 'show access-list' counters only count packets handled in software by the route processor, so once the connection was being switched in hardware I never saw it again in those counters. It is possible (but I haven't tested this) that adding the 'log' keyword to the ACE on the return ACL would force matches (or at least log entries) to show up, since logged packets have to be punted to software; that is also why logging on a busy ACE costs route processor CPU on this platform. Either way, it isn't necessary. The 'show tcam interface <interface> acl <in|out> ip' command shows basically the old-school 'show access-list <name>' output with the matches I was looking for.
Some of the information about this is (vaguely) documented here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html
https://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/configuration/guide/secure.html
https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
http://www.elemental.net/~lf/undoc/#d0e59
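As an added example (not code from the original post), here is a small script that reconciles the two counter sources described above: it parses a constructed sample of 'show access-list' output and a constructed sample approximating 'show tcam interface <interface> acl out ip', and reports the ACEs that exist in hardware but still show zero software matches, which are exactly the ones to check in the TCAM before concluding they never match. The 'show access-list' sample follows the normal IOS layout (IOS omits the '(N matches)' suffix entirely when an ACE has never matched in software); the TCAM layout varies by supervisor and release, so the TCAM_RE pattern is an assumption to adjust for your platform.

```python
"""Reconcile 'show access-list' counters with the hardware ACL on a 6500.

Added example, not from the original post. Both sample outputs are
constructed: the 'show access-list' text follows the usual IOS layout,
the TCAM text only approximates 'show tcam interface ... acl out ip'.
"""
import re

# Constructed sample of 'show access-list WEB-OUT' (software counters only).
# ACE 10 has never matched in software, so IOS prints no '(N matches)'.
SHOW_ACCESS_LIST = """\
Extended IP access list WEB-OUT
    10 permit tcp host 10.1.1.80 eq www 10.1.2.0 0.0.0.255
    20 permit icmp any any (17 matches)
    30 deny ip any any log (3 matches)
"""

# Constructed sample approximating 'show tcam interface vlan 20 acl out ip'.
SHOW_TCAM = """\
* Global Defaults shared

Entries from Bank 0

Entries from Bank 1

    permit       tcp host 10.1.1.80 eq www 10.1.2.0 0.0.0.255
    permit       icmp any any
    deny         ip any any log
"""

# '    10 permit tcp ... (17 matches)'; the parenthesised count is optional
# because IOS prints nothing at all for zero software matches.
ACE_RE = re.compile(
    r"^\s*\d+\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
# '    permit       tcp ...' as printed from the hardware table (assumed layout).
TCAM_RE = re.compile(r"^\s+(permit|deny)\s+(.+?)\s*$")


def normalise(rule):
    """Collapse whitespace so software and hardware lines compare equal."""
    return " ".join(rule.split())


def parse_access_list(text):
    """Map 'permit tcp ...' -> software match count from 'show access-list'."""
    counts = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            key = f"{m.group(1)} {normalise(m.group(2))}"
            counts[key] = int(m.group(3) or 0)
    return counts


def parse_tcam(text):
    """Return the set of ACEs programmed into hardware."""
    entries = set()
    for line in text.splitlines():
        m = TCAM_RE.match(line)
        if m:
            entries.add(f"{m.group(1)} {normalise(m.group(2))}")
    return entries


def hardware_only_aces(access_list_text, tcam_text):
    """ACEs present in hardware whose software counter is still zero.

    Hardware-switched packets never increment the 'show access-list'
    counters, so these entries need the TCAM view before anyone decides
    the ACE is dead. Entries with 'log' are punted to software and so
    do show software matches, as ACE 30 in the sample does.
    """
    sw = parse_access_list(access_list_text)
    hw = parse_tcam(tcam_text)
    return sorted(ace for ace in hw if sw.get(ace, 0) == 0)


if __name__ == "__main__":
    for ace in hardware_only_aces(SHOW_ACCESS_LIST, SHOW_TCAM):
        print(f"zero software matches, check TCAM counters: {ace}")
```

Run it as-is against the embedded samples, or paste real output into the two strings; the only ACE it flags in the sample is the return-traffic permit, which is the situation the post describes.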
Thursday, August 6, 2009
FIRST security guides
Found a nice collection of guides for system security: http://www.first.org/resources/guides/
Thursday, April 2, 2009
Wednesday, April 1, 2009
Sunday, March 22, 2009
Do I get to study for the switching exam at work? Well, kind of. I was stuck doing a lot of Etherchannel configurations today. It reminded me of the ongoing issues at work from a few years back, where slow Etherchannel connections on Catalyst 6500 switches were causing problems, and how it all made sense once I read up on the module design issues for that switch. More is here - mainly under the 'Restrictions' section about halfway down the document. It states:
"The WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6148-GE-TX, and WS-X6148V-GE-TX modules have a limitation with EtherChannel."
This all goes back to the design of the module: the onboard ASICs were capable of gigabit, but each one 'managed' a bank of 8 ports, so the ports in a bank share that single gigabit of bandwidth. Bundling several ports from the same bank into a channel adds ports but not bandwidth. Kind of the classic oversubscription model of the dotcom ISP days. I guess you have to get the 6748 (or better) modules to get over that hump.
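As an added example (not code from the original post or from Cisco), the following script encodes the module design described above as an explicit assumption: on the listed GE-TX line cards each ASIC serves a bank of eight consecutive ports sharing one gigabit towards the fabric, so channel members from the same bank do not add bandwidth. The module list, bank size, shared bandwidth and the sample port-channel are parameters of the example, not values taken from the page; the 8-port grouping and the assumption that WS-X6748 ports are line rate are both assumptions.

```python
"""Flag EtherChannel members that share an oversubscribed port bank.

Added example, not from the original post or Cisco. Assumes (per the
post) that on the WS-X6148/WS-X6548 GE-TX cards each bank of eight
consecutive ports shares a single gigabit to the switch fabric.
"""
import re

# Assumed: modules whose 8-port banks share 1 Gbps.
OVERSUBSCRIBED_MODULES = {
    "WS-X6148-GE-TX", "WS-X6148V-GE-TX", "WS-X6548-GE-TX", "WS-X6548V-GE-TX",
}
PORTS_PER_BANK = 8          # assumed bank size
BANK_BANDWIDTH_GBPS = 1.0   # assumed shared bandwidth per bank

IFACE_RE = re.compile(r"^(?:Gi(?:gabitEthernet)?)(\d+)/(\d+)$", re.IGNORECASE)


def parse_interface(name):
    """'Gi3/9' or 'GigabitEthernet3/9' -> (slot, port)."""
    m = IFACE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unsupported interface name: {name}")
    return int(m.group(1)), int(m.group(2))


def bank_of(port):
    """Ports 1-8 are bank 0, 9-16 bank 1, and so on (assumed layout)."""
    return (port - 1) // PORTS_PER_BANK


def channel_report(slot_modules, members):
    """Group channel members by (slot, bank) and estimate usable bandwidth.

    slot_modules: {slot: module part number}
    members: interface names that are bundled into one port-channel
    Returns (conflicts, usable_gbps): conflicts maps (slot, bank) to the
    members that share a bank on an oversubscribed module.
    """
    banks = {}
    for name in members:
        slot, port = parse_interface(name)
        banks.setdefault((slot, bank_of(port)), []).append(name)

    conflicts = {}
    usable = 0.0
    for (slot, bank), names in banks.items():
        if slot_modules.get(slot) in OVERSUBSCRIBED_MODULES:
            # The whole bank shares one gigabit, however many members it has.
            usable += BANK_BANDWIDTH_GBPS
            if len(names) > 1:
                conflicts[(slot, bank)] = sorted(names)
        else:
            usable += float(len(names))  # assume line-rate gigabit ports
    return conflicts, usable


if __name__ == "__main__":
    # Constructed sample: a 4-port channel spread over slots 3 and 5.
    modules = {3: "WS-X6548-GE-TX", 5: "WS-X6748-GE-TX"}
    members = ["Gi3/1", "Gi3/2", "Gi3/9", "Gi5/1"]
    conflicts, usable = channel_report(modules, members)
    for (slot, bank), names in conflicts.items():
        print(f"slot {slot} bank {bank}: {', '.join(names)} share 1 Gbps")
    print(f"usable bandwidth ~{usable:g} Gbps for {len(members)} members")
```

In the sample, Gi3/1 and Gi3/2 sit in the same bank of the 6548, so the four-member channel is worth roughly 3 Gbps rather than 4; moving Gi3/2 to a different bank (or a 6748) is the fix the post is hinting at.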
It also made me wonder if the ongoing move to virtualize is going to hit Intel in a not-so-nice way. Will there be a generalized oversubscription module applied to servers hosting virtual machines? I would think virtualization itself would cause some hit to the demand for the 'biggest and bestest' CPU(s) on the market but if it is accompanied by some oversubscription model (especially in the 'cloud computing' arena), what hit does that end up making on market demand?
Separate from that, it seems to me that "virtual server hosting services" have the potential of being the new "web hosting services" which companies in the dotcom days were cashing in on. We went from 1998-2001 when a plethora of pre-teen and teenage girls* were putting up websites with glaring pictures, MIDI files, animated GIFs and weird-assed fonts which caused excessive eye strain to the potential of pre-teen and teenage girls (or boys) to not only host sites but manage servers. This is a bit scary to me.
* This is not intended to be sexist. It just always seemed to me that a HUGE majority of such sites - whether on tripod or geocities or whoever - were put up by girls - mostly 13-16 years old. Yes, some of the sites weren't bad. Sadly, I suspect the potential for those girls to have entered into the IT field crapped out partly because IT can be somewhat female-unfriendly and the dotcom bust made entering the IT field much less appealing.
Thursday, March 19, 2009
While digging through some search results on forcing IPSec features on IPv6 connections, I found out a few things about the arm-flailing method(s) of IPv6 compatibility offered by Microsoft. XP never had a default stack so the Advanced Networking Services pack had to be downloaded and installed. There were a lot of issues with it. The main ones were: no GUI for IPv6 configurations (MS's way of saying "go learn 'netsh'"), the firewall it claimed to have apparently was poo for IPv6, and my favorite, it apparently caused a nice memory leak when loaded. Every client I have ever installed it on started losing memory fairly rapidly (10-20 MB a day minimum) without fail. Oh, did I mention my favorite? Every client I ever loaded the Advanced Networking Services on seemed to randomly create new global IPv6 IP addresses. After a few days, ipconfig would list 5 or 6 (or more) global IPv6 addresses for the interface IPv6 was bound to. I have no idea where the hell these came from. And hard-coding an address was of no help. It seemed a reboot or uninstalling/reinstalling IPv6 was the only thing that would clear them out. Enough of my XP bitching.
2003 was a bit better in behavior. Still no GUI although there was a third-party GUI on some .jp site I saw way back which I never got to work. We still had the onerous netsh command with which to mess with IPv6 configuration. The IPv6 address 'generation' was much more stable, too. From testing, I know (despite reading otherwise somewhere) that Windows 2003 DNS had some support because a test XP system I had in an AD environment registered its link local address to DNS on one of the DCs - an IPv4-only DC at that. The main issue I had with server 2k3 is it had the old stacks and not the interesting stack tweaks MS put in Vista and Server 2k8. Not a huge issue because I am not sure the stack tweaks were made for anything but IPv4.
Server 2k8 does have a GUI for IPv6 and some interesting command-line tools as well. One I saw today (it was available in 2k3, too) which goes back to the IPSec issue is the ipsec6.exe tool. My server didn't have it anywhere on the system, though. Why? Well, despite the server defaulting to enabling IPv6, the ipsec6.exe executable apparently sits on the installation DVD. Never mind that I might need it since, well, IPv6 is installed. Thanks, MS. According to an IPv6 FAQ from MS (it currently shows it was last updated in 2008), a few items I would be interested in don't appear to be available features:
Q. Does the IPv6 protocol for Windows support Internet Protocol security (IPsec)?
A. IPsec for the IPv6 protocol for Windows Vista and Windows Server 2008 has full support for IPsec.
IPsec for the IPv6 protocol for Windows Server 2003 and Windows XP is supported, with the following limitations:
• The Authentication Header (AH) and Encapsulating Security Payload (ESP) are supported for both transport and tunnel modes. However, ESP for the IPv6 protocol for Windows does not support data encryption.
• IPsec in the IPv6 protocol for Windows does not support the use of Internet Key Exchange (IKE) to negotiate security associations (SAs). IPsec policies, SAs, and the keys to calculate the Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1) keyed hash for AH or ESP must be manually configured.
The first tells me there are no host-to-host encryption options in Windows IPv6. That would have been nice to test. Maybe the article is out-of-date but I will have to look into that further. The second just means MS is still making the IPv6 process overly manual. Again, possibly out-of-date...and I don't know if anyone offers IKE support for such SAs anyway.
Oh, and I found another 'proof that you have IPv6 working' site. Everyone seems to use kame.net but this one has a funnier animation: OCN (after all, the Japanese are pretty well known for animation).
Tuesday, March 17, 2009
Hardware virtualization issue with VMWare ESXi
So...after a good deal of monkeying around, I downloaded the ISO for ESXi to try it on a VM in VMWare Server 2. It was giving me problems...mainly just getting to a 'Vmkernel loaded successfully' screen and halting. I tried a few tweaks but nothing wanted to make it run. I did find a blog entry detailing how someone else made it run. It turns out I am missing one apparently important feature - support for Intel's hardware virtualization technology. I found this by loading up their utility found here.
At this rate, I have become very disenchanted with the Dell Vostro 200. The chipset apparently has an issue with memory (32 bit memory addressing) (while the BIOS can recognize 8GB which does me no good) and now the nice dual-core processor with 64 bit support (again, not much help with the chipset/memory issue) has no Intel VT support.
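As an added example (not the VMware utility the post refers to, and not code from the post), here is a Linux-side way to answer the same question from /proc/cpuinfo: it reads the 'flags' line of each processor and looks for 'vmx' (Intel VT-x) or 'svm' (AMD-V), plus 'lm' for 64-bit long mode, which is the other capability the post mentions. The sample cpuinfo text is constructed and deliberately lacks 'vmx', modelling a dual-core 64-bit CPU without VT. One limit of this check: the vmx flag reports what the silicon can do, and a BIOS that has locked VT-x off is only visible through the IA32_FEATURE_CONTROL MSR (the Linux kvm module logs "disabled by bios" in that case).

```python
"""Report hardware virtualization support from Linux /proc/cpuinfo flags.

Added example, not the VMware utility mentioned in the post. The sample
text is constructed; pass a path (normally /proc/cpuinfo) to check a
real system.
"""
import sys

# Constructed sample: a dual-core, 64-bit CPU with no 'vmx' flag.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Sample Dual-Core CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht nx lm constant_tsc pni ssse3 cx16 lahf_lm

processor\t: 1
model name\t: Sample Dual-Core CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht nx lm constant_tsc pni ssse3 cx16 lahf_lm
"""


def parse_cpuinfo(text):
    """Return a list of (model name, set of flags), one per logical processor."""
    cpus = []
    model = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "processor":
            model = None  # start of a new processor block
        elif key == "model name":
            model = value.strip()
        elif key == "flags":
            cpus.append((model, set(value.split())))
    return cpus


def virt_support(text):
    """Summarise virtualization capability across all processors.

    'virt' is 'vmx', 'svm' or None (taken from the first processor);
    'long_mode' is True only if every processor advertises 64-bit;
    'consistent' is False if processors disagree about virtualization,
    which usually means a parsing problem rather than a real mixed box.
    """
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no 'flags' lines found")
    per_cpu = []
    for _, flags in cpus:
        per_cpu.append("vmx" if "vmx" in flags else "svm" if "svm" in flags else None)
    return {
        "virt": per_cpu[0],
        "long_mode": all("lm" in flags for _, flags in cpus),
        "consistent": len(set(per_cpu)) == 1,
        "cpus": len(cpus),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CPUINFO
    info = virt_support(text)
    label = {"vmx": "Intel VT-x", "svm": "AMD-V", None: "none"}[info["virt"]]
    print(f"{info['cpus']} processors, virtualization: {label}, "
          f"64-bit: {info['long_mode']}, consistent: {info['consistent']}")
```

On the sample this reports two processors, no hardware virtualization and 64-bit support, which is the combination the post describes; on a real machine run it as `python3 vtcheck.py /proc/cpuinfo` (the script name is an assumption).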
Sunday, March 15, 2009
I have been playing with VMWare Server for some time and really dug in more after I ordered a test server several months ago. I really need to learn more about VMWare's HyperVisor. It keeps popping up at work, but I am curious to see the virtual switch features...mainly to see what you can do with them and how potentially disruptive they may be, since in many cases sysadmins will be controlling them.
Saturday, March 14, 2009
My old LotD and a new one...
I set this up as a replacement for the Link of the Day which I had quite often found I was updating weekly with multiple 'daily' entries. It was getting a bit tiresome to manually set up the RSS and the HTML (one or the other was ok) but I had pretty much wanted to move to something more automated for some time. Truth be told, blogger.com was something I had briefly considered and it seems like a viable option now.
I did want to make a few changes to how I do this. Instead of the daily updates, I wanted to just do updates as they come on whatever time-basis I have at the time. Some days I seem to find a half dozen interesting items, other times I might not see anything too interesting for a few days. Given that, I think this will end up more as a Link(s) of the Moment work-in-progress. Since there will be some ability for people to comment (assuming anyone reads this), it would help potentially steer what I end up posting. Regardless, I am sure well over 90% of the links will end up being tech-related.