Posts

Random passwords, NIST guidelines, and entropy

July 19, 2011 9:22 pm

Happy 1234567890 Day!

February 13, 2009 12:20 am

What is 1234567890 day?

Today, Friday, Feb 13 at exactly 6:31:30 PM (EST), the UNIX time will equal 1234567890. What is UNIX time, you might ask? Head here to find out. Why is this important in a networking blog? Because Cisco routers use UNIX time for some of their operations, such as secured OSPF, among other things.

Enjoy!

The Obama Bump (in traffic)

January 21, 2009 4:52 pm

Contrary to what you might think of the headline, this is not a political post. It’s a post about how you need to keep in touch with your user base and how external elements (as unrelated as they may seem) can affect your network operations in a very real way. The image below shows 48 hours’ worth of traffic volumes from a firewall interface connected to the outside world. This is the primary link of the world and the vast majority of business (and apparently non-business-related) traffic passes through it.

Weathermap and Cacti

January 5, 2009 5:04 pm

For those of you not familiar with it, Cacti is a graphing solution for network traffic, CPU usage and pretty much any other information that can be gathered from SNMP. I have configured Cacti on various enterprise networks a few times over my career and I’ve always found it a valuable resource. The product is open source and it’s a very powerful tool for trending long-term behaviour on a network. While not as powerful as a NetFlow collector and analyzer, Cacti has a dedicated user community and a deep resource pool of wikis, plugins and resources that make it a great value, especially since the program is free.

JUNOS vs. IOS BGP setup

December 15, 2008 5:05 pm

A few days ago I got into a discussion with a friend about configuring BGP on Cisco vs. Juniper boxes. He kept insisting that a basic Cisco setup takes much longer than a Juniper one. So I decided to post the MINIMUM configuration required for a BGP neighbour relationship in IOS and JUNOS. This assumes that the remote peer has already been configured. Here we go:

GNS3 and multi-workstation topologies

December 8, 2008 9:07 pm

GNS3 is a great graphical network simulator for Cisco devices. One drawback of it, however, is that every simulated device eats up a significant chunk of resources from the host machine. The solution to this problem is to run GNS3 on multiple machines, distributing the CPU and memory load. Brainbumb has a great tutorial on how to accomplish this which you can find here. I usually have a few older machines lying around and I know I’ll put them to good use now.

Book Correction: CatOS vs. IOS interfaces at a glance

December 2, 2008 5:17 pm

This is a very trivial issue, but while reading ‘Network Warrior’ by Gary A. Donahue – a great book by the way – I came across a rather glaring error. In a nutshell, Gary states that there is no way to get the equivalent output of the CatOS show port command in native IOS.

Web Cache Communication Protocol

November 25, 2008 5:59 pm

WCCP (the protocol’s short name) is a Cisco-developed protocol for web filtering. The good news is that most content filtering and caching products have adopted it as well and it integrates nicely within the existing infrastructure.

In a nutshell, WCCP is set up as follows:

1. Set up and configure the content cache product.

2. Configure a router to talk to the cache engine via WCCP.

3. Add an access list that tells the router which hosts it should point to the cache engine.

AAA configuration gotchas

November 21, 2008 12:24 pm

Recently, while setting up a new router in my lab, I came across a peculiar bug in Cisco’s configuration of AAA. The issue is that any aaa configuration commands disappear from the running configuration when disabling AAA, but reappear once AAA is re-enabled. This is important when trying to remove a previous AAA configuration and put in a new one without negating all the aaa config lines.

Route Maps and NAT

June 12, 2008 5:23 pm

Recently I encountered a problem where a site-to-site router was being used to terminate both inside trusted tunnels and outside vendor tunnels. The end result of this “multiple trick” approach was that a NAT set for vendor traffic was getting in the way of inside trusted traffic. Sometimes budget constraints get in the way of good design and a workaround is necessary. In this case, the workaround is using route maps to filter out certain traffic from being processed by the NAT rules.