03 December 2008

Crazy Home Lab


Actually I found this site quite a long time ago, and I'm amazed by the craziness of the owner's home lab. You've probably seen it before, since the site is quite famous.

This site is named Uber Geek, and its owner is Scott Morris. His resume alone is outstanding: he's a quadruple CCIE, meaning he holds all four of the CCIE tracks.
And he also holds every other networking certification that you can dream of.

Once you see the lab he has, you'd understand what I'm saying:



I can't say anything except that this lab is just crazy: not only Cisco devices but also Juniper, Sun, Dell, etc.
Some of the small ISPs in my country don't even have these kinds of devices, I think.

Of course, with those four big racks and that massive number of devices come great requirements. Because of the heat coming from the devices, he built a special air-conditioned environment in his basement.

I know that building this kind of lab is nowhere near possible for people who just want to pass certification exams like CCNA or even CCNP, especially if you don't get enough income from your networking projects.
Nevertheless, having a lab like this will make sure your future clients don't doubt your expertise.

So I say, start building your home network lab, add in some Cisco or other devices one by one, and maybe eventually you'll come close to Scott Morris' lab.


02 December 2008

Configuring SSH for Cisco


At the CCNA level, we only learn how to connect to Cisco devices using the console connection and the telnet connection.

We know that no one can tap the console connection, since it's directly connected to the Cisco device, but it's a different story for the telnet connection.
Anyone on the path can capture the messages of a telnet session.

All messages are sent in clear text, so it's dangerous to leave the default communication with Cisco devices just using telnet.

We can use SSH for a secure connection to the Cisco devices. SSH encrypts all messages going between your computer and the Cisco device.

First you're going to need a Cisco IOS image that supports SSH (an image with IPSec, DES, or 3DES). How would you know that? Well, you can just issue the following command:

router> ena
router# show ip ssh
% Invalid input detected at '^' marker.

If it shows % Invalid input detected at '^' marker., then the IOS does not support SSH.

Now start with the configuration. You have to define a hostname for the Cisco device, and also a domain name for it.
In this example I use the hostname "netrouter" and the domain name "ciscolab.home".

router (config)# hostname netrouter
netrouter (config)# ip domain-name ciscolab.home

Next, generate the RSA keypair used for the encryption; your device name plus the domain name will be the name of the key.
The modulus is the length of the key; the default value is 512 bits, and Cisco recommends a length of 1024 bits.

netrouter (config)# crypto key generate rsa

The name for the keys will be: netrouter.ciscolab.home
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

You can also configure some additional parameters for the SSH connection:

netrouter (config)# ip ssh authentication-retries 5
netrouter (config)# ip ssh time-out 120
netrouter (config)# ip ssh version 2

The first command sets the number of retries allowed if you fail or mistype the username and password.
The second command sets the time-out, the time allowed to enter the username and password, in seconds.
The last command sets the SSH version you want to use.

Now that we have generated the keypair for the encryption, how will the Cisco device authenticate the users coming in over SSH?
You can either use an AAA server like RADIUS or TACACS+, or you can just use the Cisco device's local username and password. For now I'll just use local authentication: first set the username and password, then configure the device to accept local authentication for the vty line connections.

netrouter (config)# username Cisco password homelab
netrouter (config)# line vty 0 4
netrouter (config-line)# login local

By now you have successfully configured SSH on the Cisco device. Let's try it out; you can use PuTTY for the SSH connection. The default port for SSH is 22; you can use another port if you want by issuing ip ssh port 2000 from global configuration mode.
Change the 2000 to another port ranging from 2000 to 10,000.

Here I'm using the default Terminal on a Macintosh:

Macintosh:~ krishananda$ ssh Cisco@192.168.1.1
Cisco@192.168.1.1's password:

netrouter>

There, SSH is working. But the telnet session is also still working; now I want to restrict the Cisco device to only accept SSH connections and deny telnet connections.

WARNING!!!

Do not disconnect from your current connection, especially if it's a telnet session; in case you mess up the configuration, you can always undo the changes.


netrouter (config)# line vty 0 4
netrouter (config-line)# transport input ssh

Now if I try to connect using telnet, the router denies it:

Macintosh:~ krishananda$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
telnet: Unable to connect to remote host
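As an added example (not part of the original post), a small Python check that reads a saved running-config and reports which of the settings walked through above are missing. The two configs are constructed samples, and the parser assumes the usual IOS layout where commands under a line header are indented by one space.

```python
# Constructed sample configs (not captured from a real device): one as the
# post leaves the router, one that still accepts telnet on the vty lines.
HARDENED = """\
hostname netrouter
ip domain-name ciscolab.home
ip ssh version 2
username Cisco password homelab
line vty 0 4
 login local
 transport input ssh
"""
WEAK = """\
hostname router
line vty 0 4
 password homelab
 login
 transport input all
"""

def parse_config(text):
    """Split a running-config into global commands and per-'line ...' blocks."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(cmd)       # indented: belongs to the header
        elif cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections

def audit_ssh(text):
    """Return findings for the settings the post walks through; [] means all present."""
    global_cmds, sections = parse_config(text)
    findings = []
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("global: no ip domain-name, so no RSA key name")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: SSH version not pinned to 2")
    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: telnet still accepted")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no local or AAA user authentication")
    return findings
```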

Hope this is useful for you.

TIPS:

If you're using a Macintosh and you change the RSA key by issuing crypto key generate rsa again on the same device,
your Mac will deny the SSH connection, showing a warning about a man-in-the-middle attack or that the RSA key has changed.
All you need to do is open your text editor, open the file /users/yourname/.ssh/known_hosts,
wipe out the content of the known_hosts file and save.
That should do the trick.
Note that this warning is your SSH client doing its job: it remembers each device's host key, and a changed key looks exactly like a man in the middle, so only clear the entry when you know you regenerated the key yourself. Instead of wiping the whole file, ssh-keygen -R 192.168.1.1 removes just that one device's entry.



01 December 2008

3 Books to Definitely Help You Pass CCNA Exam


You might be struggling to save money to join the Cisco Networking Academy or other courses just to pass the CCNA exam.

The Cisco Networking Academy is great, but as for the other courses, well, in my experience, I joined a CCNA course - not the Cisco academy - and to be honest the result was not as I expected.
I don't know if this happens in other countries or not, but the instructors were not as qualified as they claimed; sure, they had passed the CCNA exam too, but their experience in handling Cisco devices was just poor.

So, not satisfied with the result, I browsed the internet and found these three books, which proved valuable in helping me pass the CCNA exam.

CCNA: Cisco Certified Network Associate Study Guide: Exam 640-802


The first book is the CCNA study guide from Todd Lammle. If you search Google for a CCNA guide, you'll find the name Todd Lammle popping up everywhere.

Todd Lammle has successfully authored books that can be easily understood even by newbies, and you can find all the topics covered in the CCNA exam.

You can buy the book from Amazon for US$ 31 new, and a used copy for US$ 26.56.
I also provide the links to Amazon; you can click on the link above or the image to go straight to the Amazon site.

CCNA Practice Questions (Exam 640-802) (3rd Edition) (Exam Cram)


Now this one is interesting. I bought this book because it is authored by Jeremy Cioara, my all-time favorite Cisco mentor.

Jeremy Cioara authored a successful series of video tutorials from CBT Nuggets, and without any hesitation I bought this book; it turned out great.

I practiced with the questions provided in this book, and the best part is that it does not contain illegal materials according to CertGuard, I've checked.

I read the material in Todd Lammle's book, and after I got myself deep into the subject I switched to cramming exam questions from Jeremy Cioara's book. This method worked great for me.

Cisco Access Lists Field Guide


You might or might not need this book, but for me, I had some difficulty understanding Cisco access lists before the exam.

I bought this book and was happy to find that it offers more than the Cisco access list subject in the CCNA exam.

I learned much more: time-based access lists, encryption and IPSec, QoS, and other topics that helped me configure my Cisco home lab and also prepare for the next CCNP exams.

Some people say that this book is not that great and blah blah; for me, I really like this book.

Those are the books that helped me get through the CCNA exam. With a budget of US$ 76.98 for new books, and much less if you buy used ones on Amazon, you can prepare well for the CCNA exam.



25 November 2008

Handy Commands for Cisco Initial Configuration


I find the following handy Cisco commands very useful for the initial configuration of Cisco devices.
I always use these commands when configuring Cisco devices from a fresh configuration.

router> enable
router# configure terminal
router (config)# no ip domain-lookup

The no ip domain-lookup command is very useful; what it does is tell the Cisco device not to do a domain lookup when you mistype something in the CLI. For example, if you do this without no ip domain-lookup:

router# pign
Translating "pign"... domain server (255.255.255.255)
%unknown command or computer name, or unable to find computer address


The Cisco device will try to resolve the host name pign; it doesn't know that you mistyped ping. This process can take a very long time.
If you apply no ip domain-lookup, the Cisco device won't try to do the domain lookup.

The second command is the alias command. This command makes an alias for a command that you use frequently.
For example, if you often use the command show ip interface brief, you can make an alias for it named "ship".

router (config)# alias exec ship show ip interface brief

You configure it by entering alias first, followed by the mode the command resides in - in this example the show command resides in exec mode - then the alias for the command, and then the full command that you want to alias.
Now you just have to type ship instead of the long show ip interface brief command.

The next command is useful when you connect to Cisco devices and need a very long time to configure them.
Cisco devices have a default limit on how long an idle session is kept connected. Sometimes you don't want to reconnect all the time, but mind you, the time limit is there because of security concerns.

router (config)# line vty 0 4
router (config-line)# no exec-timeout

The above commands tell the router to give you all the time you need when configuring it over a telnet session; it won't cut your connection. You can also configure this for the console connection.

The last one is my favorite. You know, when you're configuring a Cisco device you sometimes get notifications from the device, which is great: it tells you what's going on in it.
But it gets annoying when you're trying to configure it and the notifications cut off your half-written command.
The following command tells the router to re-display the command you were typing after a notification interrupts it:

router (config)# line vty 0 4
router (config-line)# logging synchronous

I hope these commands are useful for you.


21 November 2008

Handy Cisco Command - Interface Range


There are many handy Cisco commands that can help you in configuring Cisco devices; these commands are not exactly secret, but you might not get them from the CCNA curriculum.

One of these handy commands I already posted in my previous post, but I want to cover it again in case you missed it.

This one is the interface range command. What it does is select a range of interfaces and apply the same commands to all of them.
This is very handy, especially in a Cisco switch environment where you might want to set some ports as access ports or apply the same security to those ports, instead of doing it one by one for each interface.

For example, to select interfaces fastethernet 0/2 to 0/8, with the interface range command I'd just do it like this:

2950> enable
2950# configure terminal
2950 (config)# interface range fa0/2 - 8
2950 (config-if-range)#

There, you notice that instead of the 2950 (config-if)# prompt, which you get when you issue interface fa0/2, you get the 2950 (config-if-range)# prompt, showing that you are selecting a range of interfaces.

When you want to select interfaces that are not in sequential order, say interfaces fa0/2 to fa0/8, then fa0/10 to fa0/16, and fa0/24, you can do it like this:

2950 (config)# interface range fa0/2 -8, fa0/10 - 16, fa0/24
2950 (config-if-range)#
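As an added example (not part of the original post), a Python helper that expands the interface range syntax shown above into the explicit list of ports a command block was applied to, which is handy when reviewing a switch configuration for which ports actually got the access-port or port-security settings. It goes a little beyond the post by also accepting three-part names such as gi1/0/1 - 4 (an assumption about stacked switch naming), and rejects a range whose end precedes its start.

```python
import re

# One range item: an interface name prefix ending in "/", a start port, and an
# optional " - end" part. Matches "fa0/2 -8", "fa0/24" and "gi1/0/1 - 4".
_ITEM = re.compile(r"^(\S+/)(\d+)\s*(?:-\s*(\d+))?$")

def expand_interface_range(spec):
    """Expand a Cisco 'interface range' argument into explicit interface names.

    Raises ValueError on a malformed item or a range whose end precedes its start.
    """
    names = []
    for item in spec.split(","):
        item = item.strip()
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"unrecognised range item: {item!r}")
        prefix, start = m.group(1), int(m.group(2))
        end = int(m.group(3)) if m.group(3) is not None else start
        if end < start:
            raise ValueError(f"range end before start: {item!r}")
        names.extend(f"{prefix}{port}" for port in range(start, end + 1))
    return names
```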

I'll be posting more handy Cisco commands next time; I hope this one is useful for you.
