Convert Cisco Lightweight AP to Autonomous

I recently picked up two AIR-LAP1142N access points from eBay that had previously been used with a Cisco Wireless LAN Controller. As such they were configured with CAPWAP and do not allow for independent operation. Cisco access points have three different image types available:

  • Lightweight (Files matching cXXX-k9w8.tar.xxx)
  • Lightweight Recovery (Files matching cXXX-rcvk9w8.tar.xxx)
  • Autonomous (Files matching cXXX-k9w7.tar.xxx)

In order to use the access point without a wireless LAN controller (WLC), the Autonomous image must be installed onto the access point. Thankfully there is a process to convert a lightweight access point to an autonomous one.

  1. Connect to the AP with a serial cable, then connect the AP to a power source, be it a PoE injector or a PoE switch. Once booted you will be able to authenticate.
    AP1234.5678.abcd>en
    Password: Cisco
    AP1234.5678.abcd#
  2. Unfortunately many of the commands you’ll want to use, such as configure terminal, will be unavailable. To enable them you’ll need to issue the following command:
    AP1234.5678.abcd#debug capwap console cli
    CAPWAP console CLI allow/disallow debugging is on
  3. Download an autonomous image for your AP and place it on a TFTP server that is reachable from the access point. It should have obtained network address information using DHCP automatically. In the example below I’m using “c1140-k9w7-tar.152-4.JB4.tar” but this can be any suitable autonomous image.
    AP1234.5678.abcd#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    AP1234.5678.abcd#archive download-sw /overwrite /reload tftp://TFTP SERVER/c1140-k9w7-tar.152-4.JB4.tar

    The access point will download the software and reboot into the new autonomous image. The default username and password are cisco/Cisco.

The post Convert Cisco Lightweight AP to Autonomous appeared first on Damn Technology.


Cisco time synchronisation & summer time

Having accurate time configured on Cisco routers is important; if for no other reason, being able to look through log files and understand when something happened is imperative. Configuring time on Cisco routers requires three different configuration elements:

  • Configuring an external time source, usually NTP
  • Configuring the device to adjust for summer time/daylight savings
  • (Optionally) using the adjusted time in debugging and logs


Configuring a router to make use of NTP is straightforward. Browse the NTP Pool project website and locate a time source reasonably close to you. Once you have the address of a time server, issue the following configuration commands:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ntp server uk.pool.ntp.org

The next step is to configure the timezone to be used on the router. To do this we give our timezone a name and specify the hour/minute offset from UTC:

Router(config)#clock timezone BST 0 0

If summer time is to be used, this can be configured with the “clock summer-time” commands. This assigns the adjustments to the timezone we created with the previous command. The command is a bit of a mouthful, but is fairly self explanatory. For the UK this is as follows:

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

Finally, it’s likely you’ll want the adjusted time to appear in log files and debug output. This is configured with the following service options:

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

With everything configured issuing “show clock detail” will show that the device is synchronising with NTP and our summer time / daylight savings configuration:

Router#sh clock detail
18:22:29.839 BST Wed Apr 16 2014
Time source is NTP
Summer time starts 01:00:00 GMT Sun Mar 30 2014
Summer time ends 02:00:00 BST Sun Oct 26 2014
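As an added check (example code, not from the original post): the recurring rule is easy to get subtly wrong (wrong week keyword, wrong month), so this script works out the transition dates a "clock summer-time NAME recurring ..." line implies for a given year and renders them as "show clock detail" prints them, ready to compare against the device. RULE is the UK line from the post; the standard-time zone name is passed in by the caller (GMT below, matching the output above), and the function names are my own.

```python
from datetime import date, datetime, timedelta

# Added example (not from the original post): work out the transition dates
# that a "clock summer-time NAME recurring ..." rule implies for a given year
# and render them the way "show clock detail" prints them, so the device
# output can be checked against the rule it was given. RULE below is the UK
# line from the post; the standard-time name is passed in by the caller.

RULE = "clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00"

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]     # date.weekday() order
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def nth_weekday(year, month, weekday, which):
    """Date of the 'first', 'last' or Nth ('1'..'5') given weekday in a month."""
    if which == "last":
        first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
        d = first_of_next - timedelta(days=1)
        while d.weekday() != weekday:
            d -= timedelta(days=1)
        return d
    n = 1 if which == "first" else int(which)
    d = date(year, month, 1)
    while d.weekday() != weekday:
        d += timedelta(days=1)
    return d + timedelta(days=7 * (n - 1))


def parse_recurring(rule):
    """Split the IOS command into (zone name, start spec, end spec)."""
    toks = rule.split()
    if len(toks) != 12 or toks[:2] != ["clock", "summer-time"] or toks[3] != "recurring":
        raise ValueError("expected: clock summer-time NAME recurring W D M HH:MM W D M HH:MM")
    return toks[2], toks[4:8], toks[8:12]


def transitions(rule, year):
    """Return (zone name, start datetime, end datetime) for the given year.
    Times are wall-clock: the start is in standard time, the end in summer time."""
    name, start, end = parse_recurring(rule)
    out = []
    for which, day, month, hhmm in (start, end):
        d = nth_weekday(year, MONTHS.index(month) + 1, DAYS.index(day), which)
        h, m = (int(x) for x in hhmm.split(":"))
        out.append(datetime(d.year, d.month, d.day, h, m))
    return name, out[0], out[1]


def show_clock_lines(rule, year, std_name):
    """Format the two 'Summer time ...' lines as 'show clock detail' prints them."""
    name, start, end = transitions(rule, year)
    return [
        "Summer time starts " + start.strftime("%H:%M:%S") + " " + std_name + start.strftime(" %a %b %d %Y"),
        "Summer time ends " + end.strftime("%H:%M:%S") + " " + name + end.strftime(" %a %b %d %Y"),
    ]


if __name__ == "__main__":
    for line in show_clock_lines(RULE, 2014, "GMT"):
        print(line)
```

Run as-is it prints the two "Summer time" lines for 2014, which should match the "show clock detail" output above line for line; change the year to check a future rollover before it happens.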


Sanitising an EMC Clariion

I’ve recently completed a project to replace an old CX4-120 with a newer VNX series SAN. EMC charge an arm and a leg for their sanitisation process, so after looking into the process I decided to go about it myself.

To begin, you’ll need to remove all LUNs and RAID groups before disks can be sanitised. Once that’s done, connect to your SAN (make sure it’s the right one!) using the Navisphere CLI and get a list of disks and their “Zero Mark”. Assuming the disk has been used it will be a long number, 9 bytes long as a minimum:

C:\Windows\system32>naviseccli -h IP Address -User Username -Password Password -Scope 0 zerodisk -messner all getzeromark
Bus 0 Enclosure 0 Disk 0
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 1
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 2
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 3
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 4
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 5
Zero Mark: 279969800

In this case the above drives are those used to store FlareOS; with a production SAN you’ll end up with a long list of drives. Make a note of the Zero Marks and proceed to sanitise the disks. You can either sanitise them individually or as a whole.

To sanitise individually, pass the bus, enclosure and disk ID to the naviseccli command in the format Bus_Enclosure_Disk, for example:

C:\Windows\system32>naviseccli -h IP Address -User Username -Password Password -Scope 0 zerodisk -messner 0_0_5 start

If you’re brave and want to sanitise everything, the command is slightly different.

C:\Windows\system32>naviseccli -h IP Address -User Username -Password Password -Scope 0 zerodisk -messner all start

If you choose to sanitise all disks any that have a LUN bound, or the vault disks, will be skipped.

To check the status of the zeroing process, the following command can be used:

C:\Windows\system32>naviseccli -h IP Address -User Username -Password Password -Scope 0 zerodisk -messner all status

Bus 0 Enclosure 0  Disk 0
        Percent Done: Disk zeroing not in progress


Bus 0 Enclosure 0  Disk 1
        Percent Done: Disk zeroing not in progress


Bus 0 Enclosure 0  Disk 2
        Percent Done: Disk zeroing not in progress


Bus 0 Enclosure 0  Disk 3
        Percent Done: Disk zeroing not in progress


Bus 0 Enclosure 0  Disk 4
        Percent Done: Disk zeroing not in progress


Bus 0 Enclosure 0  Disk 5
        Percent Done: 77

Once zeroing a disk is complete you can check the zero mark again, this time the zeroed disk should show 69704:

C:\Windows\system32>naviseccli -h IP Address -User Username -Password Password -Scope 0 zerodisk -messner all getzeromark
Bus 0 Enclosure 0 Disk 0
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 1
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 2
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 3
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 4
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 5
Zero Mark: 69704

In my case, the results of the getzeromark command before and after zeroing were saved as evidence of zeroing. Whilst it may not be enough to satisfy auditors it’s enough for me to be confident to pass the SAN over to a recycling company who can then sanitise it.
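Keeping the before and after listings is only useful if they are actually compared, so here is an added example (my own code, not from the post or EMC) that parses two getzeromark captures and reports, per disk, whether the mark reached the zeroed value, stayed unchanged (skipped because a LUN was still bound or it is a vault disk) or did something unexpected. The two listings are constructed to mirror the output above, and the function names are my own.

```python
import re

# Added example (not from the original post): parse the output of
#   naviseccli ... zerodisk -messner all getzeromark
# captured before and after zeroing, and report per disk whether the mark
# reached the value the post reports for a zeroed disk (69704). The two
# listings below are constructed to mirror the post's output.

ZEROED_MARK = 69704

BEFORE = """\
Bus 0 Enclosure 0 Disk 0
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 1
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 5
Zero Mark: 279969800
"""

AFTER = """\
Bus 0 Enclosure 0 Disk 0
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 1
Zero Mark: 279969800
Bus 0 Enclosure 0 Disk 5
Zero Mark: 69704
"""

DISK_RE = re.compile(r"^Bus (\d+) Enclosure (\d+)\s+Disk (\d+)\s*$")
MARK_RE = re.compile(r"^Zero Mark:\s*(\d+)\s*$")


def parse_zeromarks(text):
    """Map 'Bus_Enclosure_Disk' (the id format zerodisk takes) -> zero mark."""
    marks = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = DISK_RE.match(line)
        if m:
            current = "_".join(m.groups())
            continue
        m = MARK_RE.match(line)
        if m and current is not None:
            marks[current] = int(m.group(1))
            current = None
    return marks


def zeroing_report(before_text, after_text, zeroed=ZEROED_MARK):
    """Classify every disk seen before zeroing by what its mark shows afterwards."""
    before = parse_zeromarks(before_text)
    after = parse_zeromarks(after_text)
    report = {}
    for disk in sorted(before, key=lambda d: tuple(int(p) for p in d.split("_"))):
        if disk not in after:
            report[disk] = "missing"        # not listed after zeroing: check the array
        elif after[disk] == zeroed:
            report[disk] = "zeroed"
        elif after[disk] == before[disk]:
            report[disk] = "unchanged"      # zeroing skipped (LUN bound, vault disk) or not run
        else:
            report[disk] = "unexpected mark %d" % after[disk]
    return report


def not_zeroed(before_text, after_text, zeroed=ZEROED_MARK):
    """Disks that still need attention before the array leaves your hands."""
    return [d for d, s in zeroing_report(before_text, after_text, zeroed).items() if s != "zeroed"]


if __name__ == "__main__":
    for disk, status in zeroing_report(BEFORE, AFTER).items():
        print(disk, status)
```

Feed it the two saved captures instead of the embedded strings and the list from not_zeroed() is the set of disks to re-check; an empty list is the evidence worth filing alongside the raw output.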


Zyxel GS1910 Fan Replacement

Not too long ago I purchased a Zyxel GS1910-24HP for my home network. It suited my requirements well (12-24 ports, PoE, Gigabit, Rack-mountable and manageable). Unfortunately once I got it powered up I noticed how loud it was. Even though it sits in a small rack in my loft, it was still too loud. The Zyxel website has an FAQ article which states the noise could range from 28dB to 48dB!

Thankfully the GS1910 comes with some fairly standard fans, my model shipped with two 3-pin SUNON 80mm fans (model number KDE1205PHV3). Replacing these turned out to be fairly straightforward and in my case resulted in only a marginal increase in temperature. Before replacement, temperatures were as follows:

Temperature (°C)    Current  Threshold  Status
MAC Temperature     32       85         Normal
Board Temperature   30       85         Normal
PHY Temperature     28       85         Normal

FAN    Current speed (RPM)  Threshold (RPM)  Status
FAN1   8640                 500              Normal
FAN2   5040                 500              Normal

After shopping around I settled on two Fractal Design Silent Series R2 40mm case fans as a reasonable noise-to-airflow compromise. The one thing the original SUNON fans had going for them was their CFM: 13CFM compared to just 4.5CFM on the Fractal fans.

To replace simply open the case by removing what feels like an endless amount of screws and unscrew the two 80mm fans. The connector is a standard 3-pin making replacement straightforward. One thing I found is that the fans get mounted in reverse, meaning it can be difficult to drive the screws into them, so be careful not to damage the heads of the screws.

Once replaced, racked and left to run for an hour or two in similar conditions the new temperatures are as follows:

Temperature (°C)    Current  Threshold  Status
MAC Temperature     38       85         Normal
Board Temperature   35       85         Normal
PHY Temperature     35       85         Normal

FAN    Current speed (RPM)  Threshold (RPM)  Status
FAN1   4740                 500              Normal
FAN2   2580                 500              Normal

Given the high thresholds, I’m not too concerned though it’s something I’ll keep an eye on through the summer.


How To – Enable Wake On Lan using a Cisco ASA

I previously wrote instructions for configuring Wake On LAN forwarding using a Cisco IOS device; this article focuses on how to configure a Cisco ASA firewall.

Wake On LAN is an Ethernet standard that allows a device to be powered on when it receives a specially crafted “magic packet”. The “magic packet” is a broadcast frame consisting of 6 bytes of 255 (FF FF FF FF FF FF) followed by sixteen repetitions of the target’s 48-bit MAC address. Powered-off computers receiving the broadcast don’t actually process the message up the protocol stack; they are just looking out for a matching 102-byte string.
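The format described above is simple enough to check by hand, which is handy when deciding what a firewall rule is actually letting through: an added example (my own code, not from the post) that builds a magic packet for a MAC address and, more usefully from a monitoring point of view, recognises one in a captured UDP payload and reports which MAC it would wake. Function names and the sample MAC are constructed.

```python
import re

# Added example (not from the original post): build a Wake On LAN magic packet
# from a MAC address and recognise one in a received UDP payload. The layout is
# the one described above: 6 bytes of 0xFF then 16 copies of the 48-bit MAC,
# 102 bytes in all. Function names and the sample MAC are constructed.

SYNC = b"\xff" * 6


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC must contain 12 hex digits: %r" % (mac,))
    return bytes.fromhex(digits)


def magic_packet(mac):
    """The 102-byte payload a sender broadcasts to wake `mac`."""
    return SYNC + parse_mac(mac) * 16


def find_magic_mac(payload):
    """Return the MAC (lower-case, colon separated) a payload would wake, or None.

    The sync stream is searched for anywhere in the payload because the
    pattern only has to appear somewhere in the frame; senders may surround
    it with other bytes, so a fixed-offset check would miss real packets."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join("%02x" % b for b in body[:6])
        idx = payload.find(SYNC, idx + 1)
    return None


if __name__ == "__main__":
    pkt = magic_packet("00:11:22:33:44:55")
    print(len(pkt), "bytes; wakes", find_magic_mac(pkt))
```

Pointing find_magic_mac() at the UDP payloads of packets arriving on the permitted port (echo, in the configuration that follows) tells you which hosts are being woken and lets anything that is not a well-formed magic packet be logged separately.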

From what I can tell, unlike Cisco IOS the ASA doesn’t support “IP Directed Broadcasts”, likely to prevent Smurf Attacks. However with some clever NAT rules it’s possible to achieve something similar by using NAT to translate the inbound unicast packet and send it on to the broadcast address for your internal subnet.

The first step is to configure some objects to help set up our NAT and ACL rules. We’ll begin with a definition to represent the Wake On LAN packet:

object service WakeOnLan
 service udp destination eq echo

The next object we need is the address range from which we’ll allow these packets to originate:

object network Remote-Management
 range 192.0.2.1 192.0.2.10

Finally we need an object for the broadcast address of our subnet. Assuming your host is on the network 198.51.100.0/24, your broadcast address is 198.51.100.255:

object network Broadcast
 host 198.51.100.255

Next up, the actual work. We’re going to permit the traffic using an ACL and then use NAT (PAT) to translate the packet and send it to our broadcast address:

access-list OUTSIDE_IN_ACL extended permit object WakeOnLan object Remote-Management any
nat (outside,inside) source static any interface destination static interface Broadcast service WakeOnLan WakeOnLan unidirectional no-proxy-arp

You’ll then need to enable Wake on LAN on the device itself. Once that’s done you can use online services or free applications to wake your device.


Cisco ASAv on ESXi Standalone

Cisco released their new ASAv virtual appliance, an updated virtual offering for the ASA platform. I suspect at least part of the driver for this is their work on Cisco Modeling Labs, a new tool to help build and simulate environments.

The ASAv copes well in terms of performance and allows yet more physical devices to be virtualised; however, it only supports VMware environments that make use of vCenter. This leaves those wishing to use the ASAv for learning or testing having to set up vCenter, which for home labs is going to eat up more memory and discourage some. Thankfully, working around this is fairly straightforward if you have access to a vCenter environment to import and then export the VM from.

Warning: Doing what I discuss in this blog post is certainly unsupported by Cisco. Proceed at your own risk.

  1. Begin by logging into your Cisco account and downloading the ASAv OVA. An OVA is a virtual appliance compressed into a single file for ease of deployment
  2. Once downloaded login to the vCenter environment and click “File” then “Deploy OVF Template” and follow the wizard
  3. Once you’ve completed the small wizard configuring the ASAv, power it up and give your inside interface an IP address:
    ciscoasa(config)# interface GigabitEthernet0/1
    ciscoasa(config-if)# description Inside
    ciscoasa(config-if)# nameif inside
    ciscoasa(config-if)# security-level 100
    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
  4. Once an IP address has been assigned you should provide your license key, if you miss this step the VM will fail to start up after it has been exported. To license your ASA check the serial number using the “show version” command:
    ciscoasa> sh ver | inc Serial
    Serial Number: 0AAA0AA000A
  5. Armed with the serial number and the PAK from your license certificate login to your CCO account and authorize the key. You will be presented with an activation key, to license simply use the activation-key command:
    ciscoasa# activation-key aa00aa00 0a00a0aa 00a0a00a 00000000 00000000
  6. Finally, save the configuration of your device and power it down
  7. Rather than export the device, download the folder containing the vmdk, vmx, vmdk-flat etc to your local computer using the datastore browser
  8. Upload to your standalone ESXi host using the datastore browser and right-click the VMX file and choose “Add to Inventory”
  9. Power on the virtual machine and it will boot successfully

Be warned: if the configuration is erased or the license key removed at any point, the ASAv will fail to boot on the standalone ESXi host.

In terms of performance, I’m pleasantly surprised. On a low-spec E3-1220v2 using 1500-byte frames I’m getting 600Mbps+ using NAT and ACLs.


Cisco 2960X Failed to send hrpc non blocking message

In deploying a number of Cisco 2960X Switch Stacks containing between 4 and 8 members I’ve observed the following error message logged:

Failed to send hrpc non blocking message

The issue appeared after upgrading from 15.0(2)EX2 to 15.0(2)EX3 and persists through to 15.0(2)EX5. Following extensive troubleshooting both internally and with Cisco, the problem was narrowed down to the device classifier. Whenever a new MAC is learned the switch will create a new device classifier session and associate a corresponding session ID. This needs to be synchronised across all stack members. Due to issues with the device classifier the switches are unable to maintain this synchronisation.

The issue was introduced in 15.0(2)EX3 as the device classifier is turned on by default in releases since then. There are two options to mitigate the issue:

  • Upgrade to 15.2(2)E where the device classifier is once more disabled by default
  • Disable the device classifier with the “no macro auto monitor” command

Unfortunately Cisco seemed unwilling to create a bug ID for this issue. However if anyone else experiences the issue please get in touch and I’ll gladly share the Cisco TAC Case ID.


Complaining to CISAS about your ISP

Earlier this year I moved home, unfortunately during the process of installing a new telephone line a problem arose that led to me lodging a formal complaint with my ISP. After a few months this complaint required alternative dispute resolution (ADR) with CISAS. This blog post is going to summarize the process and document some of my experiences with ADR.

The ADR process seems to be poorly documented, so at a high level the process with CISAS is as follows:

  1. Complain to your ISP
  2. Exhaust your ISP’s complaint process and reach a deadlock. Request a deadlock reference number.
  3. Complain to the company providing an alternative dispute resolution (ADR) service. This will be either CISAS or the Communications Ombudsman
  4. Once the complaint is submitted and accepted, the ISP has 10 working days to issue a response
  5. Once a response from the ISP is received, you have 5 working days to provide comments on their response. No new evidence can be submitted
  6. Once any comments have been submitted, or 5 days have passed, it will take up to 3 weeks for a decision to be made
  7. Once the decision has been made you have 6 weeks to either accept or reject the decision

The application to CISAS

When registering your complaint with CISAS the application form asks for details of your complaint. This is your opportunity to provide as much detail as possible relating to your complaint, based on my experience it is best to:

  • Explain your complaint as clearly as possible, be concise;
  • Refer to evidence wherever possible. This can be in the form of photos, screenshots, copies of support tickets or just about anything that can be used to prove your point;
  • Review your ISP’s terms of service, this is likely what they will use in their rebuttal. If there’s a clause in there you can take advantage of then do so;

The ISP’s response

In my own CISAS complaint I received a three-page rebuttal and evidence consisting of their terms of service, partial copies of support tickets and copies of select e-mails exchanged during the complaint process with my ISP. This may not be how all ISPs respond, but with the only further course of action being going to court it makes sense that the ISP will have their legal teams involved at this point.

Receiving three pages of legalese can be disconcerting, be sure to read it carefully and take some time before submitting any comments.

Providing closing comments

Your opportunity to provide further comments is limited, this is to ensure there is not a back and forth between the customer and ISP. You can however comment on the ISP’s defence and offer clarification on any points they have raised. Unfortunately new evidence cannot be accepted at this point.



Controlling a British Gas WR1 Receiver with an Arduino

Over the holiday season I started looking at whether my boiler, a Worcester Bosch Greenstar 28i, was compatible with the Nest thermostat. After some Googling I began to wonder whether I could make my own controller and began investigating how the existing wireless programmer might function. The programmer currently in use is a British Gas WR1, which looks to be a re-branded Drayton Digistat device.

[Figure: British Gas WR1]

After removing the programmer from its wall mounting plate I immediately noticed a sticker indicating it operated using 433MHz. Thankfully this is part of the unlicensed spectrum meaning transmitters are likely to be readily available. Sure enough, there are 433MHz transmitter/receiver pairs available in the UK for just £2 on eBay. I immediately bought myself an Arduino, some cables, a breadboard and waited eagerly for everything to arrive.

My plan was to create a single channel logic analyser as described in Steven Hale’s excellent blog post, using the soundcard in my laptop to capture what my existing programmer transmits. My soldering ability leaves a lot to be desired, so I’ll spare you a photo and include a diagram that is likely to be much more useful:

[Figure: Sound card logic analyser]

With my logic analyser built I installed Audacity and began trying to record the data sent by my wireless programmer. I started recording and turned up the heating; it was immediately apparent that something had been recorded, as once the transmission completed there was 100ms of radio silence:

[Figure: Audacity recording, screenshot 1]

According to Steven Hale, the same person who provided the details for creating the logic analyser, these little 433MHz radios have automatic gain control: once they detect nothing they boost the gain, which is why we get 100ms of radio silence followed by noise. If you try to reproduce this recording, you are looking for three repeats of the same transmission. Since the wireless programmer has no receive capability it must blindly transmit and hope for the best, so it does this three times.

To make things a bit easier it’s best to set Audacity to use 192 kHz sampling (bottom right, set “Project Rate”). You’ll also want to view the track as a waveform (click the down arrow by the words “Audio Track” and select “Waveform (dB)”).

Zooming in yet further I could finally see the transmission data:

[Figure: Audacity recording, screenshot 2]

The next step was to count the number of samples to determine how long I needed my radio to transmit for, requiring yet more zooming in and selecting a portion of the on/off state. I counted the number of samples and repeated this until the 100ms of radio silence at the end:

[Figure: Audacity recording, screenshot 3]

I then multiplied these sample counts by 5.2083333 to get the number of microseconds (μs); at 192 kHz sampling one sample lasts 1,000,000 / 192,000 ≈ 5.208 μs. I ended up with 60 values for “heating on” and 62 values for “heating off”. The next step was to wire up the 433MHz transmitter I bought from eBay to my Arduino and try to reproduce these signals.

[Figure: Arduino with 433MHz radio]

I ran some code I wrote in the days leading up to delivery and to my surprise it worked first time, a sample version of this can be found below.

#include <Arduino.h> // Only needed when building outside the Arduino IDE.

const uint16_t arrOn[] = {
  632, 491, 0,0,0,0 // Put the values you recorded here (on, off, on, off ... in microseconds).
};
const int nOnLen = sizeof(arrOn)/sizeof(arrOn[0]);
const uint16_t arrOff[] = {
  1599, 521, 0,0,0,0 // Put the values you recorded here.
};
const int nOffLen = sizeof(arrOff)/sizeof(arrOff[0]);
const int nTxPin = 2; // Arduino digital pin you're using for radio data (0-7 on an Uno, see transmitArray).


/**
 * Transmits a signal on the specified pin according to a pattern described by
 * the start[] array.
 * @param start[] Array of on/off pairs giving how long in microseconds to
 * transmit and then wait for. N.B. A microsecond is 1/1,000,000 of a second.
 * @param arrLen Length of the array - usually sizeof(array)/sizeof(array[0]).
 * @param txPin Digital pin the transmitter data pin is connected to.
 */
void transmitArray(const uint16_t start[], int arrLen, int txPin)
{
  // Step through the array in on/off pairs; "i + 1 < arrLen" guards against
  // an odd-length array reading past the end.
  for(int i = 0; i + 1 < arrLen; i = i + 2)
  {
    // Turn on the transmitter. Writing PORTD directly is faster than
    // digitalWrite(), but only addresses digital pins 0-7 on an Uno-class board.
    bitWrite(PORTD, txPin, 1);

    // Wait (transmitting) for the duration specified. delayMicroseconds() is
    // accurate up to 16383 us, ample for the values recorded above.
    delayMicroseconds(start[i]);

    // Turn off the transmitter.
    bitWrite(PORTD, txPin, 0);

    // Wait (not transmitting) for the duration specified.
    delayMicroseconds(start[i+1]);
  }
}


/**
 * The setup() function is called when a sketch starts. Used to initialize
 * variables, pin modes, start using libraries, etc. The setup function will
 * only run once, after each powerup or reset of the Arduino board.
 */
void setup()
{
  pinMode(nTxPin, OUTPUT);

  Serial.begin(9600);
  Serial.println("Press 0 to turn off heating");
  Serial.println("Press 1 to turn on heating");
}


/**
 * The loop() function loops consecutively, allowing the program to change and
 * respond. Used to actively control the Arduino board.
 */
void loop()
{
  if (Serial.available() > 0)
  {
    int nIncoming = Serial.read();
    if (nIncoming == '1') // ASCII 49
      transmitArray(arrOn, nOnLen, nTxPin);

    if (nIncoming == '0') // ASCII 48
      transmitArray(arrOff, nOffLen, nTxPin);
  }
}

Pressing 0 turns off the heating and 1 will turn it on.

The next steps are to set up an Ethernet connection and have the Arduino run some web services and a temperature sensor, which I can consume from another device.


Cisco Device Info now open source

Cisco Device Info, my popular SNMP application for getting information from Cisco network devices has now been released as free software. It is now free to use at home, and in commercial environments. Further to that change I have licensed the software under the LGPL 2.1, allowing developers to contribute to the code and make...



Shrink a thin-provisioned VMDK

If you’ve thin-provisioned a VMDK under ESXi and need to reduce it for whatever reason, the official VMware documentation suggests migrating the VM to another datastore using VMware Converter, which is not always practical. Thankfully an alternative exists.

If you have enabled Change Block Tracking (CBT) be sure to disable it by adjusting the ctkEnabled option on the virtual machine and consolidating disks before you begin.

To reclaim space you need to fill all unallocated space with zeros. On Windows you can use SDelete or the following command on Linux:

cat /dev/zero > zero.dat;sync;sleep 1;sync;rm -f zero.dat

Once the space has been filled with zeros you can shrink the partition as required; I usually use GParted for this. With your partitions shrunk the next step is to reclaim the space: shut down the VM and SSH into your ESXi host. cd to the directory containing the VM and identify the file you need to shrink, for example:

# cd /vmfs/volumes/SXi01-local/SRVGEN02
/vmfs/volumes/53930418-064abd7c-45c9-002590dbfde4/SRVGEN02 # ls -lsah
total 119558160
     8 drwxr-xr-x    1 root     root        2.6K Feb 21 11:01 .
  1024 drwxr-xr-t    1 root     root        2.6K Jan 15 13:27 ..
  8192 -rw-------    1 root     root        7.5M Feb 21 11:00 SRVGEN02-000001-ctk.vmdk
  1024 -rw-------    1 root     root      244.0K Feb 21 11:00 SRVGEN02-000001-delta.vmdk
     0 -rw-------    1 root     root         387 Feb 21 11:00 SRVGEN02-000001.vmdk
  8192 -rw-------    1 root     root        7.5M Feb 21 10:59 SRVGEN02-ctk.vmdk
119531520 -rw-------    1 root     root      120.0G Feb 21 10:59 SRVGEN02-flat.vmdk
  1024 -rw-------    1 root     root        8.5K Feb 21 10:59 SRVGEN02.nvram
     0 -rw-------    1 root     root         589 Feb 21 10:59 SRVGEN02.vmdk
     0 -rw-r--r--    1 root     root          77 Feb 21 11:01 SRVGEN02.vmsd
     8 -rwxr-xr-x    1 root     root        3.0K Feb 21 11:00 SRVGEN02.vmx
     0 -rw-r--r--    1 root     root         263 Jan 17 13:55 SRVGEN02.vmxf
  1024 -rw-r--r--    1 root     root      353.9K Feb 21 10:52 vmware-10.log
  1024 -rw-r--r--    1 root     root      182.9K Feb 21 10:59 vmware-11.log
  1024 -rw-r--r--    1 root     root      182.2K Feb 19 18:53 vmware-6.log
  1024 -rw-r--r--    1 root     root      182.3K Feb 19 19:01 vmware-7.log
  1024 -rw-r--r--    1 root     root      182.3K Feb 19 19:10 vmware-8.log
  1024 -rw-r--r--    1 root     root      183.2K Feb 21 10:46 vmware-9.log
  1024 -rw-r--r--    1 root     root      104.2K Feb 21 10:59 vmware.log

Next, run “vmkfstools --punchzero DISK_NAME.vmdk” to actually shrink the file. How long this takes will depend on the underlying storage; on a reasonably fast SSD it took less than ten minutes for me to shrink 110GB:

/vmfs/volumes/53930418-064abd7c-45c9-002590dbfde4/SRVGEN02 # vmkfstools --punchzero SRVGEN02.vmdk
vmfsDisk: 1, rdmDisk: 0, blockSize: 1048576
Hole Punching: 100% done.


Configure Cisco IOS DHCP to use vendor class IDs

The IOS DHCP server can be configured to provide different address information to clients based on information they provide via DHCP option 60.

DHCP Option 60 is the “vendor class identifier option” that allows the DHCP client to identify its type so that custom configuration can be applied.

Configuring the DHCP Client

For custom address configuration to be applied the client must specify option 60. This is configured with the “ip dhcp client class-id XXX” command, where XXX is an ASCII label to use. For example:

interface Vlan10
  description ** Corporate LAN - Management Address **
  ip dhcp client class-id CUSTOM_CLASS
  ip address dhcp
  end

Configuring the DHCP Server

To configure the IOS DHCP server you must specify a default class and then a class that will match against DHCP option 60. When matching against option 60 you must convert the ASCII string the client sends (e.g. “CUSTOM_CLASS”) to hexadecimal.

ip dhcp class DEFAULT
  remark IP addresses for devices not providing a class-id
!
ip dhcp class CUSTOM_CLASS
  remark IP addresses for devices providing "CUSTOM_CLASS"
  option 60 hex 435553544f4d5f434c415353

With the matching setup the DHCP pool configuration can be split into the custom class and a default:

ip dhcp pool LAN
  network 192.168.0.0 255.255.255.0
  default-router 192.168.0.254
  class CUSTOM_CLASS
    address range 192.168.0.210 192.168.0.220
  class DEFAULT
    address range 192.168.0.0 192.168.0.200
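Getting the hex string wrong is the usual reason the class never matches, so here is an added example (my own code, not IOS and not from the post) of the conversion in both directions, a generator for the "ip dhcp class" stanza, and a small model of the match the server performs: it pulls option 60 out of a DHCP options field and picks the class whose hex value equals it, falling back to DEFAULT. The parser, class names and the sample options blob are constructed; exact matching is used here, which is enough to check a configured string against what a client sends.

```python
# Added example (not from the original post): the conversion behind
# "option 60 hex ..." and a small model of the match the server performs on a
# client's vendor class identifier. Class names, the stanza generator and the
# sample DHCP options blob are constructed; exact-match is used here, which is
# enough to check a configured hex string against what a client sends.

DEFAULT_CLASS = "DEFAULT"


def class_id_hex(label):
    """ASCII class-id (as given to 'ip dhcp client class-id') -> hex for 'option 60 hex'."""
    return label.encode("ascii").hex()


def hex_to_class_id(hexval):
    """Reverse conversion, handy when reading someone else's config."""
    return bytes.fromhex(hexval).decode("ascii")


def ios_class_stanza(name, label):
    """Render the 'ip dhcp class' block shown above for a given label."""
    return "\n".join([
        "ip dhcp class %s" % name,
        '  remark IP addresses for devices providing "%s"' % label,
        "  option 60 hex %s" % class_id_hex(label),
    ])


def parse_dhcp_options(blob):
    """Minimal parser for the DHCP options field (code, length, value TLVs;
    0 is a pad byte, 255 ends the list)."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = blob[i + 1]
        opts[code] = bytes(blob[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def select_class(options_blob, classes, default=DEFAULT_CLASS):
    """Pick the class whose option-60 hex equals the client's identifier."""
    vci = parse_dhcp_options(options_blob).get(60)
    if vci is None:
        return default
    for name, hexval in classes.items():
        if vci.hex() == hexval.lower():
            return name
    return default


CLASSES = {"CUSTOM_CLASS": class_id_hex("CUSTOM_CLASS")}

# Constructed options: message type (53) = DISCOVER (1), option 60, end marker.
WITH_CLASS_ID = bytes([53, 1, 1, 60, 12]) + b"CUSTOM_CLASS" + bytes([255])
WITHOUT_CLASS_ID = bytes([53, 1, 1, 255])

if __name__ == "__main__":
    print(ios_class_stanza("CUSTOM_CLASS", "CUSTOM_CLASS"))
    print(select_class(WITH_CLASS_ID, CLASSES), select_class(WITHOUT_CLASS_ID, CLASSES))
```

class_id_hex("CUSTOM_CLASS") reproduces the value in the configuration above, and a client that omits option 60 lands in DEFAULT, which is why the pool needs both classes.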

If this doesn’t work the following debug commands may be helpful in identifying the cause of the problem:

debug ip dhcp server class
debug ip dhcp server packet detail


Faster than Gigabit on a budget

For some time now Gigabit has been the de facto speed for networking equipment. The days of vendors getting away with selling Gigabit at a premium are mostly gone. The only real exception seems to be Cisco, who insist on providing Fast Ethernet (100Mb) ports on many of their devices and charging a premium for Gigabit.

Ten Gigabit is becoming more widely available in enterprise environments, but comes at a cost that is out of reach of many home labs and those on a tight budget. Depending on what you need to achieve there are low-cost options for getting your feet wet with 10Gb or faster.

Those on a tight budget are likely to consider LACP to aggregate multiple GbE connections in order to provide more available bandwidth. Unfortunately this isn’t always suitable, especially so if you need a single connection to consume much of the bandwidth. Thankfully assuming you only need to connect two hosts together there is a better way.

The most cost effective option will depend on what is available in your country. eBay lists everything I mention below and most sellers are open to “Best Offers” allowing you to haggle over price. There are two basic options:

  • Mellanox InfiniBand ConnectX-2 adapters provide 40Gb/s and are a cheap option at circa $40 USD per NIC. A cable will cost about another $35 USD. Two directly connected hosts will result in a total expenditure of about $115 USD.
  • Brocade 1020 CNA (Converged Network Adapter) adapters provide 10Gb/s and can be had for $35 USD per NIC. A cable will cost about another $30 USD. Two directly connected hosts will result in a total expenditure of about $100 USD.

Mellanox Infiniband ConnectX-2 (10Gb/40Gb)

For 10Gb/s InfiniBand the single-port Mellanox MHQH19B cards are the most cost-effective option. If you’re after even more speed the Mellanox MHQH29B cards will take you to 40Gb/s.

In terms of cabling it’s best to stick to known working cables, the Mellanox QSFP MC2206130-001 cable is a low-cost compatible option.

Directly connecting more than two devices will increase cost significantly; the most cost-effective 40Gb/s InfiniBand switch I can find is the “Mellanox Voltaire GridDirector 4036” at around $900 USD.

Brocade 1020 Converged Network Adapter (10Gb)

The Brocade 1020 cards provide 10Gb/s connectivity using either SFP+ modules and fiber or a directly attached cable of up to 5m.

If you need a cable length of greater than 5m then buying the SFP+ modules is your only option. Unfortunately these adapters will only accept Brocade-branded SFPs, though SFPs re-branded by the likes of HP or Dell may work.

Directly attached cables consist of fixed SFPs and cable as one item; these adapters will only accept a Brocade-branded Twinax cable. Thankfully a compatible cable, the Brocade 58-1000027-01, is cheap and widely available.

Summary

There are a number of low-cost options available; the Brocade CNAs seem to have the greatest operating system support, at the trade-off of increased cost should you need to connect more than two devices together. Companies like Zyxel and D-Link are starting to provide some lower-cost 10Gb switches which may be worth considering.

The post Faster than Gigabit on a budget appeared first on Damn Technology.

Log-off terminal services session remotely

There are times when you want to quickly log-off a number of terminal services sessions without having to log on to the server itself, perhaps because of the following error:

The terminal server has exceeded the maximum number of allowed connections.

Microsoft provide two useful command-line tools to view and terminate sessions: qwinsta (Query WINdows STAtion) and rwinsta (Reset WINdows STAtion).

qwinsta is used to list sessions; use the “server” parameter to specify the server you’re interested in. Sample usage is shown below, replacing SERVER_NAME with the name of your server.

C:\>qwinsta /server:SERVER_NAME
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 ica-tcp#8         JBloggs1                  2  Active  wdica
                   JBloggs2                  3  Disc
 ica-tcp#1         JBloggs3                  4  Active  wdica
                   JBloggs4                  5  Disc
 ica-tcp#3         JBloggs5                  6  Active  wdica

Armed with either the session name or the ID from the qwinsta output, you can now log off the remote session using the rwinsta command:

c:\>rwinsta 3 /server:SERVER_NAME

If all goes well the user will be logged off and the command will complete without any visible output. If you don’t have rights on the server you will likely see the following error:

Could not reset session ID 3, Error code 5
Error [5]:Access is denied.

If this happens, make sure the account the command prompt is running under has suitable rights on the remote server. In an Active Directory environment this usually just means running the command prompt as a different user. If the server is not a member of the domain you may first need to authenticate to it by accessing a UNC path such as its c$ share.
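As an added example (not part of the original post), here is a small Python helper that parses the qwinsta table above into records, picks out the sessions in the Disc state and builds (or, with dry_run=False, runs) the matching rwinsta commands. The table it is fed is a constructed copy of the output shown above; SERVER_NAME is a placeholder.

```python
import re
import subprocess

# Constructed sample: the qwinsta /server:SERVER_NAME output quoted in the post.
SAMPLE_OUTPUT = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 ica-tcp#8         JBloggs1                  2  Active  wdica
                   JBloggs2                  3  Disc
 ica-tcp#1         JBloggs3                  4  Active  wdica
                   JBloggs4                  5  Disc
 ica-tcp#3         JBloggs5                  6  Active  wdica
"""


def parse_qwinsta(text):
    """Turn qwinsta's fixed-width table into a list of session dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    if "SESSIONNAME" not in header or "USERNAME" not in header:
        raise ValueError("not qwinsta output: header row missing")
    user_col = header.index("USERNAME")   # session name sits left of this column
    sessions = []
    for line in lines[1:]:
        sessionname = line[:user_col].strip()
        fields = re.split(r"\s{2,}", line[user_col:].strip())
        # a disconnected session has no session name; a listener has no username
        username = "" if fields[0].isdigit() else fields.pop(0)
        if not fields or not fields[0].isdigit():
            raise ValueError(f"cannot find session ID in line: {line!r}")
        sessions.append({
            "sessionname": sessionname,
            "username": username,
            "id": int(fields[0]),
            "state": fields[1] if len(fields) > 1 else "",
            "type": fields[2] if len(fields) > 2 else "",
        })
    return sessions


def disconnected_ids(sessions):
    """IDs of sessions in the Disc state: the ones that can be reset without
    pulling the rug from under someone who is actively working."""
    return [s["id"] for s in sessions if s["state"] == "Disc"]


def reset_commands(server, session_ids):
    """One rwinsta command line per session, in the form used in the post."""
    return [["rwinsta", str(sid), f"/server:{server}"] for sid in session_ids]


def reset_sessions(server, session_ids, dry_run=True):
    """Run rwinsta for each ID and return {id: exit code}. With dry_run the
    commands are only printed. A non-zero exit means the reset failed, for
    example the Access is denied case described in the post."""
    results = {}
    for cmd in reset_commands(server, session_ids):
        print(" ".join(cmd))
        if dry_run:
            continue
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results[int(cmd[1])] = proc.returncode
        if proc.returncode != 0:
            print(f"  failed: {proc.stdout.strip()} {proc.stderr.strip()}")
    return results


if __name__ == "__main__":
    sessions = parse_qwinsta(SAMPLE_OUTPUT)
    reset_sessions("SERVER_NAME", disconnected_ids(sessions))
```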

The post Log-off terminal services session remotely appeared first on Damn Technology.

Getting started with DN42

A week or two ago I became aware of DN42, a private network run to teach people how to use BGP. DN42 users connect to each other using site-to-site VPNs and then use BGP to exchange routing information. As someone who learns best from hands-on activity I simply couldn’t resist.

This blog post will discuss getting connected to the DN42 network using a Cisco router, be it physical or in a virtualisation solution such as GNS3/VIRL. At a high level there are three main steps:

  1. Create a number of “objects” in order to allocate a network address that you advertise in BGP;
  2. Configure your router so it can access the internet;
  3. Locate a suitable network to establish a VPN with and then form a BGP adjacency;

I’ll try and cover off the various DN42 specifics, but do not plan on covering basic router configuration tasks.

Creating DN42 registry objects

In the real world you would pay to become an LIR and create a number of objects in the RIPE database. These objects are administrative; in DN42 they are used to manage the allocation of autonomous system numbers (ASNs) and IP address space.

There are five records you need to create before configuring any devices, a process that should take about ten minutes.

You should begin by choosing the names you will use; you will need to decide on:

  • Organisation name. For example NWTRADERS;
  • Contact name. For example JBLOGGS;
  • Maintainer name. Typically the organisation name with “-MNT” appended. For example NWTRADERS-MNT;
  • NIC Handle (nic-hdl). The name of a specific person or role. For example JBLOGGS-DN42;

Once you’ve decided you can head over to the DN42 Registry and create the records as described below.

Maintainer object

The maintainer (mntner) object is the most important object you’ll create. It’s a set of credentials that you will use in creating and maintaining all other objects. The password you enter is the plain-text version; it is stored as a hash (the sha512-pw field).

Create your maintainer object, appending “-MNT” to the organisation name you chose earlier.

Mntner:		NWTRADERS-MNT
Desc:
sha512-pw:	this is a password you will use, so save it!
admin-c:	DUMMY-DN42
tech-c:		DUMMY-DN42
mnt-by:		NWTRADERS-MNT

Person object

This will be a contact record containing information about you as an individual. It’ll be used to refer to a technical and administrative contact so people know how to reach you.

When creating your object append “-DN42” to the contact name you’ve chosen and specify it as the nic-hdl.

person:		Joe Bloggs
contact:	twitter:DaveHope
bitcoin:
nic-hdl:	JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT

By specifying the mnt-by as your mntner object you’ll be able to update this person object at a later date.

Once the person object is created, go back to your maintainer object and update the admin-c and tech-c to the nic-hdl you’ve created.

Organisation object

The organisation object provides some information about the group creating these records and running the network. It’s fairly basic so create it as follows:

organisation:	ORG-NWTRADERS
org-name:	damn.technology
admin-c:	JBLOGGS-DN42
tech-c:		JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT

aut-num object

Finally we’re getting onto the interesting records! The autonomous system number is a globally unique identifier for your network. This will be used in configuring BGP.

As at April 2015 the autonomous system number (aut-num) you create should be in the range 4242420000-4242423999. Choose a number and prepend “AS” to the start of it:

aut-num:	AS4242422222
as-name:	NWTRADERS
admin-c:	JBLOGGS-DN42
tech-c:		JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT

inetnum object

The final record you need to create is the inetnum object, which allocates address space to you. To find available space use the DN42 Open Netblocks site. Once you’ve found a network, work out the full address range rather than just the prefix length, as that is what the inetnum record takes.

You should also specify the country you’ll announce this from and a name for the network.

inetnum:	172.23.220.128 - 172.23.220.255
netname:	NET-NWTRADERS-000
country:	GB
admin-c:	JBLOGGS-DN42
tech-c:		JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT
nserver:	dummy.dn42
status:		ASSIGNED
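As an added example, not part of the original post or of the DN42 registry tooling, the following Python checks a set of registry records against the rules described above: every mnt-by names your own mntner, admin-c and tech-c point at a person object you created (catching the DUMMY-DN42 placeholders you have to go back and replace), the ASN falls within the stated range, and the inetnum range is a single CIDR block. The records it parses are a constructed sample in the key/value layout shown above.

```python
import ipaddress
import re

# Constructed sample in the key: value layout shown in the post, with the
# mntner still pointing at DUMMY-DN42 as it is right after creation.
SAMPLE_OBJECTS = """\
mntner:   NWTRADERS-MNT
admin-c:  DUMMY-DN42
tech-c:   DUMMY-DN42
mnt-by:   NWTRADERS-MNT

person:   Joe Bloggs
nic-hdl:  JBLOGGS-DN42
mnt-by:   NWTRADERS-MNT

aut-num:  AS4242422222
admin-c:  JBLOGGS-DN42
tech-c:   JBLOGGS-DN42
mnt-by:   NWTRADERS-MNT

inetnum:  172.23.220.128 - 172.23.220.255
admin-c:  JBLOGGS-DN42
tech-c:   JBLOGGS-DN42
mnt-by:   NWTRADERS-MNT
"""

ASN_MIN, ASN_MAX = 4242420000, 4242423999  # user ASN range quoted in the post


def parse_objects(text):
    """Split blank-line separated records into dicts; the first key of each
    record names the object type (mntner, person, aut-num, inetnum)."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj[key.strip().lower()] = value.strip()
        objects.append(obj)
    return objects


def check_objects(objects):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    mntners = {o["mntner"] for o in objects if "mntner" in o}
    handles = {o["nic-hdl"] for o in objects if "nic-hdl" in o}
    for o in objects:
        kind = next(iter(o))
        name = f"{kind} {o[kind]}"
        if o.get("mnt-by") not in mntners:
            problems.append(f"{name}: mnt-by does not name one of your mntner objects")
        for ref in ("admin-c", "tech-c"):
            if ref in o and o[ref] not in handles:
                problems.append(f"{name}: {ref} {o[ref]} is not a person you created")
        if kind == "aut-num":
            asn = int(o[kind].removeprefix("AS"))
            if not ASN_MIN <= asn <= ASN_MAX:
                problems.append(f"{name}: outside the {ASN_MIN}-{ASN_MAX} range")
        if kind == "inetnum":
            first, last = (ipaddress.ip_address(a.strip()) for a in o[kind].split("-"))
            if len(list(ipaddress.summarize_address_range(first, last))) != 1:
                problems.append(f"{name}: range is not a single CIDR block")
    return problems


if __name__ == "__main__":
    for problem in check_objects(parse_objects(SAMPLE_OBJECTS)):
        print(problem)
```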

Router configuration

As someone who predominantly uses Cisco equipment I’ll be using a Cisco router in my example. The DN42 network doesn’t have a particularly large routing table, so you shouldn’t need much processing power or memory.

Configure your router as you would any other, assigning a hostname and domain-name and giving it an IP address on an interface that can reach the internet. Once that’s done, the next step is to forward IPsec traffic to the router so that it can terminate the IPsec/GRE tunnels required to connect to other networks.

Once your router is able to reach the internet and the relevant ports forwarded (if required), proceed to find a peer and get connected.

IPsec configuration

To get connectivity to the DN42 network you will need at least one peer who is willing to provide transit in the form of a tunnel and a BGP adjacency. The best way to go about it is to either use the DN42 peer finder or ask in the IRC channel.

I use IPsec and GRE for my peerings and find the following config works well (hash md5 and group 5 are dated choices; SHA-2 hashes and DH group 14 or higher are preferable where your peer supports them):

router(config)#crypto isakmp policy 10
 encr aes
 hash md5
 group 5
 lifetime 28800
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set TSET_DN42 esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PROF_DN42
 set security-association lifetime kilobytes disable
 set transform-set TSET_DN42

Once you’ve found a peer you should configure the router to use public keys for IPsec authentication. First generate yourself an RSA keypair; the “exportable” flag is optional but useful if you expect to need to change your network at a later date:

router(config)#crypto key generate rsa general-keys modulus 2048 exportable
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...

Once created, send your newly found peer the public key part:

router#sh crypto key mypubkey rsa
% Key pair was generated at: 14:25:20 BST Apr 11 2015
Key name: router.local
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  DEADBEEF 0001
% Key pair was generated at: 08:25:12 BST Apr 12 2015

You will receive a key (hopefully in a similar format) from your peer, to import it do the following:

router(config)#crypto key pubkey-chain rsa
 addressed-key PEERS-PUBLIC-IP
  key-string
   PASTE-PEERS-KEY-STRING-HERE
   quit

The final step in establishing connectivity is to create a GRE tunnel interface. For your first peer it’s easiest if your peer can provide the addressing for the transit network.

router(config)#interface Tunnel0
 ip address TUNNEL-ENDPOINT-IP TUNNEL-NETMASK
 tunnel source EXTERNAL-INTERFACE-NAME
 tunnel destination PEERS-PUBLIC-IP
 tunnel protection ipsec profile PROF_DN42

Assuming your peer has matched the local & remote ids and phase1+phase2 parameters your tunnel should come up:

router#sh crypto ses br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
           Peer     I/F        Username          Group/Phase1_id   Uptime Status
PEERS-PUBLIC-IP     Tu0                          PEERS-PUBLIC-IP 03:40:47    UA

If this doesn’t come up, one thing you may need to tweak is the phase 1 ID – especially so if one end of the network is behind a NAT device.

The next step is to configure BGP.

BGP configuration

A basic BGP configuration is straightforward, you need to configure the BGP process with your AS number (the one you created in the registry) and the network you will be advertising:

router(config)#router bgp YOUR-AS-NUMBER
  address-family ipv4
    network YOUR-NETWORK-ID YOUR-NETWORK-NETMASK

You also need to specify a neighbor statement so BGP knows who it should exchange routing information with, which means you will also need the AS number of your peer’s network. In most cases the neighbor address will be the other end of the transit network; it’s best to ask your peer to be sure.

router(config)#router bgp YOUR-AS-NUMBER
 neighbor PEERS-BGP-IP remote-as PEERS-AS-NUMBER

Once your peer has completed this you should see a BGP adjacency:

router#sh ip bgp sum | beg Nei
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
PEERS-BGP-IP    4   XXXXXXXXXX   18309    2030    13903    0    0 23:34:03      365

At this point you should be able to reach most of the DN42 network, including the IPv4 anycast DNS resolver (172.22.0.53).

The post Getting started with DN42 appeared first on Damn Technology.


OpenSource PHP Class for working with Hikvision cameras

Earlier today I released an open-source (GPL 2) PHP class for interacting with Hikvision IP Cameras, you can find the code on GitHub.

The PHP class works with Hikvision’s IP camera index files, which are created whenever video footage is stored on SD, SMB/CIFS or NFS. It’s needed because Hikvision stores multiple recordings (known as segments) inside a number of MP4 (H.264 / MPEG-4 AVC) files.

This will allow you to read the index file (usually named “index00.bin”) and extract information about the files that have been created along with the recording segments they contain. You can then extract the video and thumbnails you’re interested in.

A sample application is included that allows you to search recordings and extract footage.

The post OpenSource PHP Class for working with Hikvision cameras appeared first on Damn Technology.

Office 365 “A local loop was detected”

Yesterday I encountered a problem with an Office 365 hybrid environment where mail suddenly began looping back and forth between the on-premises environment and Office 365 for all remote mail users. No changes had been made to the environment.

Mail was transferred successfully to Office 365 using the correct connector, but Office 365 was then passing the mail back on-premises. This resulted in a mail loop, and users sending e-mail to Office 365 accounts received an NDR containing the following:

servername.local #<servername.local #5.4.6 smtp;554 5.4.6 Hop count exceeded - possible mail loop>

Following a support call with Microsoft lasting around 4 hours, it turned out an internal change had been made to the way Microsoft deals with wildcard certificates. Changing the Office 365 inbound connector to use the SubjectAlternativeName of the wildcard certificate rather than the subject resolved our issue:

Before

PS C:\> Get-InboundConnector "Inbound" | fl Id,Tls*
Id                       : Inbound 2
TlsSenderCertificateName : <I>CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford,
S=Greater Manchester, C=GB<S>CN=*.domain.co.uk, OU=PremiumSSL Wildcard,
O=Organisation, STREET=Road Name, L=Location,
S=County, PostalCode=Postal Code, C=GB

After

PS C:\> Get-InboundConnector "Inbound" | fl Id,Tls*
Id                       : Inbound 2
TlsSenderCertificateName : *.domain.co.uk

The subject of the certificate had been automatically used by the hybrid configuration wizard and been working for at least the past three months.

Updated 3rd November

Microsoft have now provided the following update, though no such incident appears in the Office 365 portal (for me at least).

Current Status: Engineers have confirmed with some customers that the workaround resolves the issue. Currently, engineers are developing and testing a long-term fix for the code defect, which is expected to take an extended period of time to complete.
User Impact: Users with mailboxes hosted on-premises are receiving an error message when attempting to send email to Office 365-hosted users. As a workaround, administrators can enable IP-based inbound on-premises connectors in Office 365 to successfully send email.
Customer Impact: Your organization is affected by this event. Impact is specific to a subset of your users. Engineers have received a few isolated customer reports of this issue.
Incident Start Time: Monday, November 2, 2015, at 8:53 AM UTC
Preliminary Root Cause: A code defect caused an issue with a certificate-based connector.
Next Update by: Wednesday, November 4, 2015, at 8:00 PM UTC

The post Office 365 “A local loop was detected” appeared first on Damn Technology.

Extract private key from Cisco private-config

This blog post discusses extracting a private key from Cisco IOS’s private-config file. I recently generated a keypair on an IOS router and had forgotten to flag it as “exportable”, making it difficult to back up. As the key pair was used for IPsec authentication it was an important key to back up.

The first step is to recover private-config from the device, which I’m not going to cover in this post. Open the file in a text editor, locate the section that begins “crypto RSA-key-pair” and save the hexadecimal values to a text file. The section will look like this:

crypto RSA-key-pair MyKey 0 1440004978
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6
...

When saving to a text file, omit the section beginning “crypto RSA-key-pair”, only the hexadecimal values are required.

With the key data saved to a text file, the next step is to convert it to a DER-encoded file that can be used with tools like OpenSSL. The following Perl script should do the job:

#!/usr/bin/perl
use strict;
use warnings;
binmode STDOUT;                     # raw bytes out, no newline translation
while (my $line = <>) {
    $line =~ s/[^a-fA-F0-9]//g;     # keep only the hex digits
    print pack("H*", $line);        # every two hex digits become one byte
}
./hex2.der.pl < priv.hex > priv.der

Now convert the DER encoded file to PEM format using OpenSSL:

openssl rsa -in priv.der -inform der > priv.pem

Next, generate the public key from the private key:

openssl rsa -in priv.pem -pubout

The final step is to protect the private key with a password. This will be required before you can import the key to another IOS device:

openssl rsa -in priv.pem -des

You can now import the key once more using “crypto key import rsa priv.pem pem term YourPassword”
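The Perl script above turns any hex it is given into bytes without checking the result. As an added example (not the post’s script), this Python equivalent does the same hex-to-DER conversion, skips the “crypto RSA-key-pair” header line for you, and then walks just enough of the DER to confirm the bytes are a PKCS#8 rsaEncryption key (the 30 82 .. 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 prefix seen in the dump above) and report the modulus size before you hand the file to OpenSSL. The dump it is fed is a constructed toy key with an 8-bit modulus, not real key material.

```python
import re

# Constructed sample in the private-config layout: a PKCS#8 PrivateKeyInfo
# wrapping a tiny, meaningless RSAPrivateKey (8-bit modulus 0xB5, exponent 3).
SAMPLE_DUMP = """\
crypto RSA-key-pair EXAMPLE 0 0
30320201 00300D06 092A8648 86F70D01 01010500 041E301C 02010002 0200B502
01030201 6B02010B 02011102 01010201 01020101
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")


def hex_dump_to_der(text):
    """Convert the lines copied from private-config to DER bytes. The
    'crypto RSA-key-pair ...' header is dropped (it contains hex-looking
    letters) and all other non-hex characters are stripped, like the Perl."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("crypto ")]
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", "".join(lines))
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or corrupt")
    return bytes.fromhex(hexdigits)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def read_integer(buf, pos):
    tag, value, pos = read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError(f"expected INTEGER, got tag {tag:#x}")
    return int.from_bytes(value, "big"), pos


def inspect_pkcs8(der):
    """Walk PrivateKeyInfo far enough to confirm an RSA key and size it;
    the private components themselves are not decoded."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong file or bad conversion")
    version, pos = read_integer(body, 0)
    _, alg, pos = read_tlv(body, pos)       # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, key, _ = read_tlv(body, pos)         # OCTET STRING holding RSAPrivateKey
    _, rsa, _ = read_tlv(key, 0)
    _, pos = read_integer(rsa, 0)           # RSAPrivateKey version
    n, pos = read_integer(rsa, pos)
    e, _ = read_integer(rsa, pos)
    return {"pkcs8_version": version, "algorithm": "rsaEncryption",
            "modulus_bits": n.bit_length(), "public_exponent": e}


if __name__ == "__main__":
    print(inspect_pkcs8(hex_dump_to_der(SAMPLE_DUMP)))
```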

The post Extract private key from Cisco private-config appeared first on Damn Technology.

Using RADIUS with AD FS MFA

Active Directory Federation Services, AD-FS, is the de facto identity provider in a Microsoft environment. Many organizations will be using it to authenticate Office 365 users to an on-premise Active Directory. Support amongst cloud service providers is growing, allowing you to authenticate not just O365 users but users of a variety of business applications.

In certain circumstances, you may want to require multi-factor authentication (MFA). Out of the box, AD-FS only provides support for X.509 certificates. Thankfully there’s the concept of Authentication Adapters, allowing you to develop your own MFA plug-in. I’ve developed a quick RADIUS plugin that prompts users to enter a one-time PIN and sends the response to a RADIUS server, along with the account’s userPrincipalName, for validation.

RADIUS Authentication Adapter

The software is open-source and licensed under the GPL and relies on the excellent Radius.Net library.

Download

I strongly recommend compiling your own version rather than downloading a DLL and installing it into your AD FS servers. If you’re comfortable with the risks of that, you can download it from the links below.

Download Sourcecode (C#, 4.5)
Download Binaries (Version 1.0).

Installation

The below instructions cover installation into AD FS and make no attempt to document any RADIUS/NPS configuration.

  1. Extract the zip file to a convenient location and open install.ps1 in your favorite editor;
  2. Amend the variables in install.ps1 to match your RADIUS server, shared key and any ports needed;
  3. From an elevated PowerShell prompt, run install.ps1
  4. Restart the AD FS service to complete registration
  5. If you have multiple AD FS servers in your farm, repeat the process on each but press CTRL-C when prompted to register the authentication adapter

The post Using RADIUS with AD FS MFA appeared first on Damn Technology.
