Monthly Archives: October 2013

Layer 1 – Physical

Fiber

  • Multimode Fiber
  • Singlemode Fiber
  • Fiber Connectors
    • SC
    • ST
    • LC
  • Fiber Interfaces
    • GBIC
    • SFP
  • Fiber transmitter/receivers
    • SX
    • LX
    • ZX
    • WDM
  • Copper Ethernet
    • Panels – 568A
    • Straight-through – 568B
    • Modern switches/cards don’t require crossover cables.


OSI Layers

Layer 1 – Physical

  • Wiring
  • Fiber
  • Network Cards
  • Hubs

Layer 2 – Data-link

  • Ethernet frames
  • Network card and drivers
  • PPP
  • Switches
  • Bridge
  • MAC addresses
  • Layer 2 network maps include the physical layer 1 port
  • Translates data frames into bits for Layer 1 processing

Layer 3 – Network

  • Involves subnets and routers
  • IP Addresses
  • Packets
  • ARP
  • ICMP

Layer 4 – Transport

  • Packets: RAW, TCP (segments), UDP (datagrams)
  • End-to-end management of the message
  • Responsible for delivering the entire message (fragmentation, out-of-order packets, etc.)

Layer 7 – Application

  • SMTP, DNS, FTP
  • Specific format for the program

Steps:

  1. The OS is notified by the network card that there’s data (Layer 1 & 2)
  2. The network card driver unwraps the Layer 2 frame and hopefully exposes a Layer 3 packet
  3. If the OS decides to keep the packet, it unwraps it into a Layer 4 packet.
  4. Depending on what the packet is (TCP, UDP, etc) it sends it to the proper subsystem.
  5. The subsystem will then unwrap the Layer 7 data and send it to the proper application with the designated port.
  6. Going the opposite way, routers peek inside the packets to see where they are destined. If the destination is a system on the local subnet, the OS simply resolves it with ARP and sends directly instead of going through the router.
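As an added illustration of steps 1 to 5 (example code written for this page, not from the original post), the Python below builds a constructed Ethernet II / IPv4 / UDP frame with made-up MAC and IP addresses and unwraps it layer by layer the way the driver, the IP stack and the UDP subsystem do, dropping it when a header fails validation:

```python
import struct

ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17

def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum over 16-bit words; a correct header sums to 0.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(payload: bytes, dport: int = 53) -> bytes:
    # Constructed Ethernet II / IPv4 / UDP frame; MACs and IPs are made up.
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64,
                     PROTO_UDP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp

def unwrap_layer2(frame: bytes) -> bytes:
    # Step 2: the driver strips the Ethernet header; only IPv4 goes up to the IP stack.
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    return frame[14:]

def unwrap_layer3(packet: bytes):
    # Step 3: check version and header checksum, then expose the Layer 4 segment.
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[9], packet[ihl:total_len]  # (IP protocol number, segment)

def unwrap_layer4(proto: int, segment: bytes):
    # Steps 4-5: the UDP subsystem strips its header and delivers the
    # application data to the destination port (TCP would demux the same way).
    if proto != PROTO_UDP:
        raise ValueError(f"no subsystem for IP protocol {proto}")
    _, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    return "UDP", dport, segment[8:length]

def deliver(frame: bytes):
    # Returns (protocol, port, data), or None when a layer drops the frame.
    try:
        proto, segment = unwrap_layer3(unwrap_layer2(frame))
        return unwrap_layer4(proto, segment)
    except ValueError:
        return None
```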

Variable Length Subnet Mask (VLSM) Example

Subnetting allows you to create multiple logical networks that exist within a single Class A/B/C network.

You are tasked to set up a network given a 172.29.0.0/16 address. We have 16 bits to work with for subnetting.

  • 15 states
  • 6 data centers in each state
  • 50 servers per data center


Keep in mind we need point-to-point connections from HQ to the 15 regions and from the regions to each data center. That means we need at least 2 x 15 = 30 WAN IPs in the first subnet division.

  Block size (3rd octet)   Subnet mask
  128                      /17
  64                       /18
  32                       /19
  16                       /20
  8                        /21
  4                        /22

So we borrow 3 bits from the 255.255.0.0 mask for a /19 mask, which gives blocks of 32 in the third octet.

  State   Network
  CA      172.29.0.0/19
  MN      172.29.32.0/19
  WA      172.29.64.0/19
  CO      172.29.96.0/19
  NJ      172.29.128.0/19

I’m not showing all the states, but each network will be at increments of 32. Let’s take a look at the Colorado (172.29.96.0/19) network. There are 6 data centers, so we need a subnet with at least (2×6) 12 hosts. Luckily we need a minimum of 50 hosts per subnet anyway. The choice depends on the customer’s growth intent (more subnets vs. more IPs): if the customer decides 50 clients are enough per data center but may add additional data centers, we should make sure we can accommodate the clients first. We’ll need to borrow 2 bits from the 4th octet (64 hosts), so our mask will be /26.

  Block size (4th octet)   Subnet mask
  128                      /25
  64                       /26
  32                       /27
  16                       /28
  8                        /29
  4                        /30

The six data center networks:

172.29.96.0/26
172.29.96.64/26
172.29.96.128/26
172.29.96.192/26
172.29.97.0/26
172.29.97.64/26

Each center has a router that needs to be linked to the Colorado router. The point-to-point connections total (5 × 2) 10 IPs. We can start from 172.29.97.128/26.

WAN IPs:

172.29.97.128/30
172.29.97.132/30
172.29.97.136/30
172.29.97.140/30
172.29.97.144/30
172.29.97.148/30

You can use this calculator to check:
http://www.vlsm-calc.net/
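Here is the same allocation worked in Python with the standard ipaddress module (an added example, not from the original post). The parent block, state order, prefix lengths and counts are taken from the exercise; capacity() reports how many blocks of a given size fit in a parent and how many usable hosts each holds, which is the check to run before committing to a mask:

```python
import ipaddress

# Constructed from the exercise above: 172.29.0.0/16, carved /19 per state,
# /26 per data center and /30 per point-to-point WAN link.
PARENT = ipaddress.ip_network("172.29.0.0/16")
STATE_ORDER = ["CA", "MN", "WA", "CO", "NJ"]  # the states the table lists

def capacity(parent, new_prefix):
    # How many /new_prefix blocks fit in parent, and usable hosts per block
    # (network and broadcast addresses excluded).
    return 2 ** (new_prefix - parent.prefixlen), 2 ** (32 - new_prefix) - 2

def carve(parent, new_prefix, count, start=0):
    # `count` consecutive /new_prefix subnets of parent, from the start-th block.
    blocks = list(parent.subnets(new_prefix=new_prefix))
    if start + count > len(blocks):
        raise ValueError(f"only {len(blocks)} /{new_prefix} blocks fit in {parent}")
    return blocks[start:start + count]

def state_networks():
    # One /19 per state, in the order the table lists them.
    return dict(zip(STATE_ORDER, carve(PARENT, 19, len(STATE_ORDER))))

def data_center_networks(state_net, count=6):
    # The data-center /26s sit at the front of the state's /19.
    return carve(state_net, 26, count)

def wan_links(state_net, count, after):
    # /30 point-to-point links beginning right after the last data-center /26.
    first = after.broadcast_address + 1
    offset = (int(first) - int(state_net.network_address)) // 4
    return carve(state_net, 30, count, start=offset)

def overlap_free(nets):
    # No two allocated blocks may share addresses.
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def colorado_plan():
    # The Colorado walk-through: state /19, six /26s, six /30 WAN links.
    co = state_networks()["CO"]
    dcs = data_center_networks(co)
    links = wan_links(co, 6, dcs[-1])
    if not overlap_free(dcs + links):
        raise ValueError("allocation overlaps")
    return co, dcs, links
```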

Cisco ASA 5505 – ASDM Interface Giving 404 HTTP Error

If you’re getting a “HTTP: processing GET URL ‘/admin/public/index.html’ from host” error in the browser, these are the steps to check.

First run: show flash
You should see the ASDM image there.
If you don’t, you’ll need to use TFTP and grab the image from another ASA or from Cisco if you have a service contract. Make sure it works with the compatibility matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

  1. Enable mode: en
  2. Configure terminal: config t
  3. Make sure the current configuration makes sense: show run http (this shows the HTTP access list, i.e. which networks may reach ASDM)
  4. Enable the server: http server enable
  5. Designate the ASDM image file: asdm image [location of asdm image file]
  6. Write to memory: wr m
  7. Reload: reload

If that doesn’t work, the following might help: ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Restoring Cisco ASA 5505 to Factory Defaults

Go into enable mode: en
Configure terminal: config t
Set to factory default: config factory-default
Hit the space bar at each of the “more” prompts.
Now write to memory: wr
Confirm with: show start

If you see an error:
ERROR: command can only be executed in single router mode

Erase the startup config: wr erase
Then reload (Don’t save current config): reload


How-to Connect to the Cisco ASA 5505 with Ubuntu 12.04 LTS

This Adaptive Security Appliance device is designed for SOHO and remote branches. It works out of the box with Ethernet 0/0 being the Outside interface to the Internet (DHCP from the ISP) and the Inside interfaces (Ethernet 0/1 to 0/7) being assigned IPs from DHCP (default 192.168.1.1/24). The ASDM interface can be accessed from the 192.168.1.0 network.

8-port, 10/100 switch

  • Last two ports are PoE, which can be used by IP Phones or other PoE devices.
  • These are only Layer 2 ports. You cannot configure a Layer 3 IP address on each interface; you must use the “interface VLAN” command.
  • Your license determines how many active VLANs you can have. By default, Ethernet 0/0 is on its own VLAN and all other switch ports are on VLAN1.
  • Ethernet 0/0 is the Outside interface (Internet) and the rest are trusted Inside interfaces (Ethernet 0/1 to Ethernet 0/7).
  • The Base license allows you to configure 3 VLANs (Inside, Outside, DMZ). The Security Plus license allows you to configure failover redundancy, 20 VLANs, trunk ports, and no communication restrictions between VLANs. It also supports Active/Standby (non-stateful) firewall failover redundancy and backup ISP connectivity (Dual ISP).

Attach the console cable to the serial port on your computer. If your computer doesn’t have a serial port, you’ll need a compatible USB-to-serial converter.

My setup is done in Ubuntu 12.04 LTS Desktop. It has been tested on 11.04. You’ll need to get the minicom application:

  • apt-get install minicom
  • Once done enter: minicom -s
  • Go to “Serial port setup”
  • Hit “E” to set baud to 9600 8N1 (option “C”)
  • Hit “F” to change Hardware Flow Control to “No”
  • Hit “A” to change Serial Device to “/dev/ttyS0” (a USB-to-serial converter usually shows up as “/dev/ttyUSB0” instead)
  • Go back to the main menu and hit “Save setup as dfl”
  • Then select “Exit minicom”
  • Now you should be back at the shell prompt. Type “minicom” and you should be inside the ASA CLI.
