October 02, 2005

NSSA (ABR+ASBR)

Sometime you face to a router in OSPF which is an ASBR NSSA and it's an ABR as well so in this situation you've two external LSAs on that router, one is LSA type 7 which is advertised to NSSA area and other is LSA type 5 which is advertised to other not stub area.
now in some case you don't need to advertise LSA 7 in NSSA area and you need the router acts as ABR router for NSSA area so to prevent advertising LSA 7 to NSSA area at Cisco routers you can use the following command under ospf process :
area area_id nssa no-redistribution
nssa-ospf.gif
at the above scenario you can see a router which is an ASBR NSSA router and an ABR router so to prevent IGRP advertisements (external routes) to NSSA area you should do by the below commands :
router ospf 100
area 1 nssa no-redistribution

Posted by Mehrdad at 10:20 AM

July 18, 2005

Active directory demotion

A trick when you're going to uninstall active directory on win2000 and the demotion failed! through dcpromot or dcpromot /forceremove commands
At regedt32 modify the following key from lanmanNT to serverNT :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\ProductOptions\ProductType
when you done it, restart your server then delete NTDS directory after that you should change server from member domain to member of workgroup.
after this alteration you must restart server , now your active directory is demoted and you can install a fresh DC or forget it ;-)

Posted by Mehrdad at 01:10 PM | Comments (0)

April 04, 2005

NAT Traversal

natt.jpg
Probably you heard IPSEC ESP doesn't work through PAT connection because when the PAT wants to modify ESP layer 4 header it faces to problem. why? because it's encrypted and PAT can't change source port. don't worry the RFC 3948 written by four major companies (F-Secure Corporation, Microsoft, Cisco and Nortel) at jan.2005, can help us but what's your VPN vendor? because all vendor haven't implemented yet.
How does it work?
In fact this protocol defines methods for encapsulate and decapsulate ESP packet inside the UDP for traversing through network address translators.

nattp.jpg

It's so good for any network which are using PAT and they want to have IPSEC ESP from any hosts of its network.really this protocol help to limitation IP V4 (special thanks to the IETF (Internet Engineering Task Force) for fix this problem in working ESP through PAT)

See detail of this protocol from the following URL :
UDP Encapsulation of IPsec ESP Packets RFC
http://www.faqs.org/rfcs/rfc3948.html

Posted by Mehrdad at 05:39 PM

March 29, 2005

QoS , P2P and NBAR

Data classification is one of more important things in QoS but how we can classified data flow through cisco devices (with proper IOS)?and in this days what's important to prioritize?
Data classification depends on each network data flow, for example when you're using voice,video,citrix application and so on , you should plan a strategy for your classification data.

Generally data network is classified to following :
- Voice
- Mission critical (application like citrix)
- Transactional (E-commerce)
- Best-effort (web,email and ...)
- Less-Than-Best-effort (P2P)
*Note : Cisco recommend that your classification doesn't exceeded from 4 or 5 categorize.

These days Peer 2 Peer file sharing applications are a issue for any network which is connected to internet, because it has many data traffic for instance video,mp3 and other larg files so it cause bad situation when the newtrok has congestion.what do you think when you haven't QoS and all of data flow has same priority? yes ofcourse your voice and other low latency data are experienced loss data.
Cisco content networking architecture help you to classified data in later 4-7, it called Network Based Application Recognition (NBAR) so it can regognition some P2P application like Kazza however it depends on PDLM (packet description language module) which is loaded in your cisco device.
You should download the latest PDLM from Cisco web site to up to date application signatures.

In another aspects NBAR can recognize the HTTP GET packets contain the URL through hostname, mime type as well as it has protocol discovery analyzes application traffic pattern in real time and discovery which traffic is running on the network.it uses SNMP to provide that information.

Regarding to this article see the following commands :
ip nbar pdlm pdlm-file
class-map [match-all | match-any] class-name
policy-map policy-name
class class-name
service-policy output
service-policy input
match protocol protocol-name (like kazza)
match protocol fasttrack file-transfer "regular-expression"
ip nbar protocol-discovery
snmp-sever enable traps cndp

Posted by Mehrdad at 08:48 PM

August 31, 2004

Juniper OS :: JUNOS and JUNOSe

junos_293_thumb.gif I'm intersted in oprating system it means their managements for instance process management,memory management and so on also on deadlock detection/avoidance,file system,scheduling strategies and .... I think freeBSD has the best managements and works properly although other OS like SUN Solaris is powerful but FreeBSD is categurised in non-commercial operating system and it comes with full source code. in fact i wanna talk about JUNOS that based on the FreeBSD , first of all please don't pronounce JUN-OS ,you should pronounce just in one syllable.Juniper appliances have JUNOS as operating system which based on the FreeBSD they've modified the freeBSD,extracted some modules and imported specially modified modules and some engines on it. the JUNOS has some parts contain : JKernel (The operating system package) JRoute (The routing engine software) JPFE (The PFE software) JDocs (Updated online reference documentation) Jcrypto (Security software (U.S. domestic only)) Jbase (Additions to JUNOS) Totally they called Jbundle.

Juniper Networks releases several new versions of JUNOS software each year. you can see some feature of JUNOS : - Modularity - JUNOS software employs a modular software design, providing superior resilience and ensuring that new capabilities such as IPv6 can be easily integrated - Routing expertise - Juniper Networks IP routing expertise delivers a full complement of production-hardened routing protocols - Standards-based - thoughtful adherence to industry standards for routing, MPLS, and availability mechanisms such as Protocol Graceful Restart translates to improved stability and reduced operational complexity for customers - Security - JUNOS software combines intelligent packet processing with superior performance to offer customers a potent IP security toolkit - Service richness - whether individual subscriber, enterprise business, or service provider, JUNOS IP services portfolio enables customers to deliver assured experiences to end users of any profile - Policy and control - Juniper Networks SDX and NMC platforms allow customer to invoke and control these powerful JUNOS capabilities; in addition, Juniper Networks JUNOScript XML interface simplifies and accelerates OSS integration Modular software architecture The Juniper appliences load JUNOS from flash memory but they have hard disk for other purpose like syslogs,Backup and so on thereby when they want to become shutdown they should be manually turned off from OS it means execute halt command (request system halt). there isn't any concern about blackout without the shutting down command because at next boot , maybe it takes a few time for checking file system on hard disk drive so if it fails in the worst situation the applience will boot successfully and works properly because the JUNOS is on flash and in this case we don't have backup and logs and so on. Another OS from Juniper is JUNOSe,it's the operating system that powers Juniper Networks market-leading E-series family of edge routers.the Juniper web site said "twenty of the top twenty-five service providers in the world use JUNOSe in their production networks, delivering profitable service to end-user customers. Major publicly announced deployments include: Bell Canada, Cable & Wireless, Deutsche Telekom, France Telecom, Korea Telecom, PCCW, Telstra, Telefonica, XO, and many others.JUNOSe is specifically architected to help service providers migrate from traditional “best effort” IP services to enhanced IP services based on the infranet model." Totally JUNOSe is specifically architectured to address and overcome the challenges that's service provider face at the edge. Some new service in JUNOSe : - Hierarchical QoS capabilities to deliver a voice and data service. - Virtual router and MPLS 2547 VPN technologies. - rolling out IPTV and Video on Demand - A service provider using the per-VLAN queuing, rate limiting, and policy. and .... You can get more information about JUNOS and JUNOSe at the Juniper web site : http://www.juniper.net

Posted by Mehrdad at 10:29 PM

August 18, 2004

Virtual Private LAN service

As you know Ethernet is simple,flexible and scaleable bandwith also it has been revolition in MetroEthernet.Virtual Private LAN service (VPLS) allows service providers to deliver VPN service base on ethernet and it's one of the most inovation of providing Ethernet/MPLS VPN.
it uses Martini encapsulation standard and empowers service providers Ethernet networks with scalability and availability. Without VPLS, the scalability of Ethernet networks is limited to the number of unique identifiers or VLAN IDs used to provide services, and the availability of Ethernet networks is limited by the poor resiliency characteristics of mechanisms such as Spanning Tree Protocol.Some limitation such as QinQ solves and VPLS networks can support over a million unique identifiers.
VPLS is based on an Internet Engineering Task Force (IETF) draft called Lasserre-V. Kompella, written by Marc Lasserre of Riverstone Networks Inc. and Vach Kompella of TiMetra Networks, now owned by Alcatel. VPLS is expected to be a fully ratified standard by the end of this year, but several service providers are already deploying the service because they feel it’s stable enough for commercial use, says Newell.

Posted by Mehrdad at 12:11 PM

August 11, 2004

Fragment Collision

Today one of my friends ask a question about Fragment Collision (short/runt frames) so i'm going to write brief of it in this section.
As you know a collision occurs when two stations begin transmission simultaneously when they detect silence on the network so at that time they stop transmission and send a JAM signal and back off for a while (Random amount of time)
The mechanism requires that stations be close enough together for each station to see any possible attempted transmisstion before the first 64 bytes of its frame have been transmitted.(This is because 64 bytes is the minimum frame size for an Ethernet network).
The IEEE specification defines the term fragment collision for that .
the below picture is a frame as Fragment collision .
fragmentcol.jpg

Posted by Mehrdad at 01:31 PM

August 08, 2004

IEEE 802.1Q-in-Q VLAN Tag (QinQ)

The IEEE 802.1Q-in-Q VLAN Tag is purpose to expand the VLAN space by tagging the tagged packets, thus producing a "double-tagged" frame. The expanded VLAN space allows the service provider to provide certain services, such as Internet access on specific VLANs for specific customers, and yet still allows the service provider to provide other types of services for their other customers on other VLANs.

qinq.jpg

For more information you can see the below link :
IEEE 802.1Q-in-Q VLAN Tag Termination

Posted by Mehrdad at 05:07 PM

July 30, 2004

Virtual Fragmentation Reassembly

The Virtual Fragmentation Reassembly (VFR) is important Firewall feature for identify the contents of the IP fragments. without VFR causes most of fragments packets pass through the firewall without any access control.many vendors have implemented VFR feature like Cisco and NetScreen.in this Case we focus about the Cisco PIX firewall and IOS Firewall feature set.The Fraguard is one of Cisco guards (like DNS,Mail and so on) and enhanced IP fragment protection from version 5.1 it performs full reassembly all ICMP Error messages and virtual fragmentation of the reminding IP fragments that Routed through the PIX firewall.

Also from version 5.1 the PIX check two additional security check on IP packet in addition to the security check Recommended by RF 1858 against the many IP fragment-style attacks: teardrop, tiny, land, and so on.


The first security check requires that each non-initial IP fragment (all fragments within a fragment set. except the initial fragment) be associated with an already-seen valid initial IP fragment (First fragment within a fragment set, this fragment should have a layer 4 header and should have an offset of zero). As of PIX OS version 5.1, an initial fragment is not required. This is because fragments may arrive out of order. For the second security check, IP fragments are rated 100 full IP fragmented packets per second to each internal host.


Also VFR is responsible to detecting and preventing Tiny fragment attack, Overlapping fragment attack and Buffer overflow attack in Cisco IOS feature set but there are some restriction that you can see the following :


 


Performance Impact :


VFR will cause a performance impact on the basis of functions such as packet copying, fragment validation, and fragment reorder. This performance impact will vary depending on the number of concurrent IP datagram that are being reassembled.


 


VFR Configuration Restriction:


VFR should not be enabled on a router that is placed on an asymmetric path. The reassembly process requires all of the fragments within an IP datagram. Routers placed in the asymmetric path may not receive all of the fragments, so the fragment reassembly will fail.


 


SIP and RTSP Limitation:


The Session Initiation Protocol (SIP) and the Real-Time Streaming Protocol (RTSP) do not have the ability to parse port information across noncontiguous buffers. Thus, virtual fragmentation reassembly may fail. (If the application fails, the session will be blocked.)

Posted by Mehrdad at 06:10 PM

July 17, 2004

Wrapped Sequence

Have you thought about sequence wrapped (cycled) in TCP connection yet?
In fact it can threaten TCP reliablity if we have high transfer rate , the sequence numbers may eventually be reused in the same connection at the short time and it causes duplicate sequence numbers.
we need a life time for segment which it should be shorter than the time it takes to cycle the sequence space.The maximum segment lifetime (MSL) defined 2^31 / B > MSL (secs) , B is bandwidth byte per second for prevent wrapped sequence .

you can see the following table which explains MSL for some important bandwidth :

Network B*8 B Twrap
bits/sec bytes/sec secs
_______ _______ ______ ______

ARPANET 56kbps 7KBps 3*10**5 (~3.6 days)

DS1 1.5Mbps 190KBps 10**4 (~3 hours)

Ethernet 10Mbps 1.25MBps 1700 (~30 mins)

DS3 45Mbps 5.6MBps 380

FDDI 100Mbps 12.5MBps 170

Gigabit 1Gbps 125MBps 17

Posted by Mehrdad at 10:32 PM

July 13, 2004

TCP Tahoe and Reno

Sometime when you read about TCP you'll see some TCP variant , in fact because there are some algorithm for instance Tahoe,Reno,New-Reno & so on.
I'll explain the much brief of Tahoe and Reno but if you're interested in so i recommend that read the details.Tahoe by Jacobson assumed the one way of detecting a loss packet in TCP is using timeout, it known as the round trip time (RTT) which named Retransmit time out (RTO).if the ack isn't received before this RTO then the sender should be sure that the packet is lost and must
retransmit. another way to detect loss packet in TCP Tahoe is sending duplicate acknowledgments, it means when the receiver don't get packet sequence n , it send duplicate acknowledgments for that sequence number.
Typically, after two acknowledgments TCP Tahoe knows the packet is lost and after three acknowledgments it retransmit the packet to the receiver.
This algorithm is called Fast Retransmit and it doesn't deal when more than one packets lost within a single window of data.

TCP Reno improvements over Tahoe by changing the way. The idea is that the only way for a loss to be detected via a timeout and not via the receipt of a duplicate ack is when the flow of packets and acks has completely stopped also Reno introduce a mechanism called Fast recovery which governs the re-transmission of new data until non-duplicate acks are received.

Posted by Mehrdad at 05:51 PM

July 12, 2004

Day

SysAdminDayCake_small.jpg

They're good people :-), and do lot of work to keep network up all the time.
I think sometime they live like commando ! ;-) can you guess we're talking about who?
Yes, exactly they're network administartors.
People only notice network administrators when something goes wrong (bad latency or something like that) but when the network work properly ,no one thinking about them totally!
Anyway, please don't forget Friday,july 30th 2004 , it's System administrator appriciation day include: Network,Computer,Webmaster,Telephone(PBX),Voice-Mail,Database,Email administrators.
you can send ecard for them from
123Greetings

Posted by Mehrdad at 03:12 PM

July 10, 2004

Total solution box

Fortinet.gif

Sometime you need total solution for your network which connects to the Internet particularly for small or medium office , it means not enterprise but
Maybe you want.
You think about IDS,Firewall,Antivirus,NAT,VPN and so on but how much do you
Have budget for your solution, if you want to buy everything then you should pay for them a lot of money.it's not cost effective.

The fortigate is a product of the Fortinet that's total solution for your network.
Recently i've configed it for a network contain 70 clients in the building with 6
Floors,it connects to the internet by wireless connection with around 2M bits/s Bandwidth.

See the following feature that it's doing in that building with the FortiGate-60:

- Intrusion Detection and Prevention (Live update)
- Firewall (with 3 zone : Inside,Outside and DMZ)
- Anti Spam
- Anti Virus (Live update)
- NAT
- IP Virtual
- Content Filtering
- MAC binding (you can bind a ip address with a MAc address)
- Traffic shaping
- Auditing and reporting
- SNMP

In-fact it has many features like VPN that i didn't use it but it can.
they said about powerful ASIC that they are using with their OS which named
FortiOS. for more information you can see their web site at www.fortinet.com or
If you have question about this box , feel free to contact me.

Posted by Mehrdad at 08:11 AM

June 02, 2004

Internet Protocol

It's good idea that we start with RFC 791 that explains "Internet Protocol"

The Internet Protocol is designed for use in interconnected systems of
packet-switched computer communication networks. Such a system has
been called a "catenet" . The internet protocol provides for
transmitting blocks of data called datagrams from sources to
destinations, where sources and destinations are hosts identified by
fixed length addresses. The internet protocol also provides for
fragmentation and reassembly of long datagrams, if necessary, for
transmission through "small packet" networks.

Posted by Mehrdad at 07:29 AM