Root cronjobs not running on Ubuntu 14.04

I recently ran into a very odd problem on my DigitalOcean virtual machine, which runs Ubuntu 14.04 LTS. None of the root-owned cron jobs were running. Jobs were running as other users, but not as root. I first noticed this because automysqlbackup puts a cron file in /etc/cron.daily, but the backups were never running. I could run it manually via sudo, but it just wouldn’t run under cron.

At first, troubleshooting this was rather difficult, as Ubuntu 14.04 doesn’t log cron events by default. This is easily fixed by uncommenting the following line in rsyslog’s config:

$ grep cron /etc/rsyslog.d/50-default.conf
#cron.*                          /var/log/cron.log

After a quick service rsyslogd restart, messages from cron started showing up in the right place. A suspicious entry quickly became obvious. Lots of these:

Nov 30 10:09:00 xx CRON[1741]: Authentication token is no longer valid; new one required

A bit of Googling seemed to indicate that this was related to the password being expired for whatever user is trying to run the task. But wait, root’s password expired? That seems unlikely. BUT this led me to remember that I had recently rebuilt this droplet (DigitalOcean’s word for “VM”). When I rebuilt, I gave the control panel my existing SSH keys for authentication, so it didn’t email me a root password. Could it be that it didn’t actually set a root password?

I pulled up the handy encrypted file where I keep server passwords and whatnot, and did a quick sudo passwd root to reset the root password to the most recent one.

Fixed! Adding a test job to /etc/cron.d to run as root worked, and I soon started seeing regularly scheduled root jobs showing up in cron.log (e.g. php cleanup stuff).

tl;dr: if root crons aren’t running, make sure root has a password

Python Class and Object Attributes

In [1]: class Foo(object):
   ...:     bar = 123
   ...:

In [2]: Foo.bar
Out[2]: 123

In [3]: f = Foo()

In [4]: f.bar
Out[4]: 123

In [5]: f.bar = 234

In [6]: f.bar
Out[6]: 234

In [7]: Foo.bar
Out[7]: 123

In [8]: del f.bar

In [9]: f.bar
Out[9]: 123

Sort files with underscores first in Linux

On my work Linux box (Ubuntu 12.04, aka “Precise Pangolin”), the ‘ls’ command lists files beginning with an underscore intermixed with other files. In other words, the following four files will be displayed like so:

blanders@arya$ ls
a.txt  b.txt  _c.txt  d.txt

This is not what I want. I want files that begin with an underscore to be sorted first in the list. Fortunately, there’s an easy way to fix this. The sort order is controlled by the LC_COLLATE locale variable. By default, it’s set to:

blanders@arya$ locale | grep LC_COLLATE
LC_COLLATE="en_US.UTF-8"

If we override this to set LC_COLLATE to either ‘C’ or ‘POSIX’, Linux will do what I want:

blanders@arya$ LC_COLLATE=C ls
_c.txt  a.txt  b.txt  d.txt

I don’t want to override LC_COLLATE globally, since that may cause unexpected effects elsewhere, so let’s just override it for the ‘ls’ command:

alias ls='LC_COLLATE=C ls'

blanders@arya$ ls
_c.txt  a.txt  b.txt  d.txt

Excellent.

How Many Pingable Devices Do You Have?

A Google+ post from a colleague reads:

Make a tally of all Internet-connected devices in your home. Only count devices that ping (so dumb switches and such don’t count)

I decided to count mobile devices that are usually on the network when I’m at home, e.g. phones and tablets.

  • iMac 27” desktop
  • Macbook Pro laptop
  • iPad 2
  • iPhone 5
  • Playstation 3
  • Panasonic Viera TV
  • Foscam FI8910W wireless camera
  • Synology DS1511+ NAS
  • Buffalo LinkStation Pro Duo backup NAS
  • Withings internet scale
  • Cisco ASA 5505 firewall
  • Netgear WNDR3700 wireless AP
  • HP 2811 managed gigabit switch

Moved My Link Dump Posts

I’ve moved my frequent “Link Dump” posts over to my other blog at Broken Robot

Finally some raid drops!

After two solid weeks of nothing but gold from raiding, I finally got some upgrades this week!

I also finally got the last 2 drops of Sigil of Power to complete The Strength of One’s Foes. Now I just need to re-run ToES again next week to kill the Sha of Fear and get my Crystallized Horror.

I also broke down and bought Enchant Weapon - Jade Spirit and a full set of level upgrades for my Giorgio’s Caduceus of Pure Moods.

Only a couple more 400-level items to replace before I’m done with Chidori unless I start raiding for real. Don’t think that’s going to happen. I just don’t have time to get back into the grind more than I already have.

On an amusing note: a Druid healer in last night’s raid got beat in healing on Sha of Fear by the DK main tank! That’s just sad.

Tiny WoW Update

Not a lot going on in the WoW world. Still raiding LFRs every week, but not a lot of useful drops. I did build up enough Valor points to get Ring of the Shado-Pan Assault, which was a nice upgrade.

Currently working on maxing out Valor points every week to get Wisp-Weave Pantaloons, or Bracers of Shielding Thought, depending on what drops I get in the mean time, but that’s going to take a while.

Hit an amusing milestone on my Warlock tailor this week: I’ve finally run out of new recipes to discover, I think. Three days in a row of no discovery when crafting Imperial Silk. Need to get one of the recipe addons to see which ones I’m still missing.

Another Productive Week of Raiding

Couple of nice pieces tonight from some ToT raiding:

Finally got enough Valor points last night to pick up Necklace of the Terra-Cotta Mender and replace my last blue.

Got Giorgio’s Caduceus of Pure Moods last night, but ended up not using it, since I also got Giorgio’s Caduceus of Pure Moods. Combined with Venomlord’s Totemic Wand, which I already had, main-hand/off-hand is a better mix than the staff.

Also got a nice robe upgrade with Robes of Static Bursts, although still several better slot items there to work towards in the future.

No More Blue Pants!

Maxed out on Valor for the week, and got Leggings of Shadow Infestation in LFR Heart of Fear. Woot. Bought a Greater Pearlescent Spellthread and gems for it, reforged a bit, and now I just need 1 trinket and 1 ring to get rid of all blues. Both need rep and Valor, so it’s going to be at least 2 weeks before I can get what I want.

Catching up on WoW

Ran a bunch of LFR instances this week, with a ridiculous amount of Gold drops. Only got one new piece: Durumu’s Captive Eyeball.

I did manage to hit Revered with the Klaxxi, which let me finally get my rid of my blue belt in favor of Klaxxi Lash of the Seeker.

Tonight’s goal is to do Heart of Fear to hopefully get a leg upgrade, and possibly Mogu’shan to try for an off-hand, although neither are huge upgrades. Mostly, I want to max out my Valor points for the week so I can get Soothing Talisman of the Shado-Pan Assault next week.

Throne of Thunder!

I’d been stuck at an ilvl of 470-478 for the past several days, which prevented me from doing Throne of Thunder LFR (minimum ilvl 480). Tonight I ran the first half of Mogu’shan Vaults and didn’t get a single drop, even using Mogu Runes of Fate for extra rolls. I was annoyed, since I was now saved to all available raid content.

Then, I had an inspiration: I bought a Golden Lotus rep ring, Simple Harmonius Ring, even though it couldn’t be equipped (I already have Leven’s Circle of Hope in that set). Just having the second ring in my bag, though, put me over 480.

All well and good, but I’ve now “wasted” 625 valor points on a ring I can’t wear. It would be slightly useful for offspec DPS, but I have all the stats I need there for doing dailies and scenarios.

Fortunately, now that I’m 480 I can LFR for Throne of Thunder, where ilvl 502 gear drops. Into the troll mines I go! Fortunately, the drop gods were very kind to me:

Once I got both drops, I hopped back to the Golden Lotus quartermaster (still within the 2hr cooldown) and sold back the unneeded ring to get my Valor Points back. Still 480, sweet!

I have two bosses left in ToT for the weekend, then I’m done raiding until Tuesday when things reset.

A productive few WoW days

Been spending a bunch of time playing WoW again. My priest is now 90 and geared enough through heroics to start doing LFR raid content. It’s been fun, but a serious drain on my sleep since I’ve been raiding until 1am or later every night. The only downside: take everything you hate about 5-man PUG instances and multiply it 5x. That’s a good description of an LFR run.

Since first getting into Mogu’shan Vaults and Heart of Fear over the weekend, I’ve basically replaced my entire gear set with purples and seriously upped my healing. Managed to get my ilvl up to 470 on Tuesday so I could start doing Terrace of Endless Spring as well. Still need about 4 more points before I can start running Throne of Thunder LFR.

The new hotness:

Plus some new reputation and AH gear

Along with some raid gear that’s been replaced already:

All in all, a very “productive” week. I’m also slowly grinding up Golden Lotus and Operation Shieldwall rep for some additional upgrades. It’s taking a while. I did finally hit Honored with Wrathion, so now I just need to collect enough Sigil of Wisdom and Sigil of Power drops to finish the questline and get my Crystallized Horror legendary gem.

Book Notes: Secrets of the Javascript Ninjas

This post will cover chapters 3 and 4 of “Secrets of the JavaScript Ninjas”, by John Resig. It will not be an exhaustive set of notes, but rather only the important points that I want to remember.

  • Chapter 3: Functions are fundamental
  • Chapter 4: Wielding functions
  • Chapter 5: Closing in on closures

Scoping and Functions

Scopes in JavaScript are declared by functions, not by blocks. A variable declared inside a block does not go out of scope when the block ends; it lives until the enclosing function returns.

Named functions are in scope within the entire function they’re declared in.

Function Invocation

Excess arguments (not matching function parameters) are silently discarded.

Parameters with no corresponding arguments are set to undefined.

All function invocations get 2 extra parameters: this and arguments.

The arguments parameter is an array-like object (accessed by index) of all passed arguments. It is not a real array. It has a property length like an array, and a property callee which is a reference to the function itself.

Note that callee is deprecated as of ECMAScript 5.

The this parameter is the function context for the invocation and its value depends on how the function was invoked.

Invocation as a function

    function foo() {
  
    }
    foo();

this is the global context (e.g. the window object)

Invocation as a method

    var obj = { foo: function() {} };
    obj.foo();

this is the object the method was looked up on, i.e. obj

Invocation as a constructor

    function Ninja() { 
      this.foo = function() { return this; }
    }
    var a = new Ninja();
    a.foo();

this is a brand new object passed to the constructor (and returned from it implicitly if no explicit return is called).

Invocation with apply() and call()

    function foo() {
  
    }
    foo.apply(obj, [1, 2, 3]);   // apply() takes the arguments as an array
    foo.call(obj, 1, 2, 3);      // call() takes them as separate parameters

this is whatever object is explicitly passed in along with the arguments.
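The four invocation forms above, plus the ES5 note on callee, checked in running code. This is an added example rather than code from the book; whoAmI, Ninja and obj are constructed names, and the two functions that opt into strict mode show how ES5 changes the “as a function” context.

```javascript
// Added example: the invocation contexts described above, verified under ES5
// rules. whoAmI, Ninja and obj are constructed for the demonstration.

function whoAmI() {
  "use strict";              // strict callee: no implicit global `this`
  return this;               // the context is decided by how we are invoked
}

var obj = { name: "obj", whoAmI: whoAmI };

function Ninja() {
  this.name = "ninja";
  this.whoAmI = whoAmI;
}

// 1. Invocation as a function: undefined for a strict function
//    (a sloppy-mode function would get the global object instead)
function asFunction() {
  return whoAmI();
}

// 2. Invocation as a method: the object the property was looked up on
function asMethod() {
  return obj.whoAmI() === obj;
}

// 3. Invocation as a constructor: a brand new object, returned implicitly
function asConstructor() {
  var n = new Ninja();
  return n.whoAmI() === n && n.name === "ninja";
}

// 4. Invocation with call()/apply(): exactly the context we pass in
function withCallAndApply() {
  var ctx = { name: "explicit" };
  return whoAmI.call(ctx, 1, 2) === ctx && whoAmI.apply(ctx, [1, 2]) === ctx;
}

// A method copied out of its object reverts to form 1; bind() pins it back.
// This is why passing obj.method as a callback silently drops the context.
function detachedMethod() {
  var detached = obj.whoAmI;
  var pinned = obj.whoAmI.bind(obj);
  return { detachedIsUndefined: detached() === undefined, pinned: pinned() === obj };
}

// arguments.callee (relied on by the self-memoizing example below) is not
// just deprecated in ES5: reading it inside a strict function throws.
function calleeThrows() {
  "use strict";
  try {
    var self = arguments.callee;
    return self === null;    // never reached
  } catch (e) {
    return e instanceof TypeError;
  }
}
```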

Inline Functions

    var ninja = {
      chirp: function signal(n) {
        return n > 1 ? signal(n - 1) + "-chirp" : "chirp";
      }
    };

Useful for recursive calls, since it divorces the function invocation from the name of the property.

Note that the name does not exist outside the inline function itself.

Functions can have properties

    function foo() {
      return arguments.callee.bar;   // callee is the function object itself
    }
    foo.bar = 1234;
    foo();   // returns 1234

Can be used to create self-memoizing functions:

    function foo(x) {
      var me = arguments.callee;
      if (!me.cache) { me.cache = {}; }   // cache lives on the function object

      if (me.cache[x] != null) {
        return me.cache[x];
      }
      return me.cache[x] = expensive_operation(x);   // compute once per x
    }

Function overloading

How to add methods to an object that do different things based on the number of arguments passed in:

    function addMethod(object, name, fn) {
      var old = object[name];
      object[name] = function(){
        if (fn.length == arguments.length)
          return fn.apply(this, arguments)
        else if (typeof old == 'function')
          return old.apply(this, arguments);
      };
    }
    var ninja = {};
    addMethod(ninja,'whatever',function(){ /* do something */ });
    addMethod(ninja,'whatever',function(a){ /* do something else */ });
    addMethod(ninja,'whatever',function(a,b){ /* yet something else */ });

Check for a function’s existence

    function isFunction(fn) {
      return Object.prototype.toString.call(fn) === "[object Function]";
    }

Binding a function to a specific context

    // Exists natively in JavaScript 1.8.5
    if (Function.prototype.bind === undefined) {
      Function.prototype.bind = function(){
        var fn = this, args = Array.prototype.slice.call(arguments),
          object = args.shift();
        return function(){
          return fn.apply(object,
            args.concat(Array.prototype.slice.call(arguments)));
        };
      };
    }
    var o = {};
    var f = function() { /* ... */ }.bind(o);

Partially applied functions

    Function.prototype.partial = function() {
      var fn = this, args = Array.prototype.slice.call(arguments);
      return function() {
        // fill the gaps in a copy: writing into the shared args array would
        // make the first call's arguments stick for every later call
        var filled = args.slice(), arg = 0;
        for (var i = 0; i < filled.length && arg < arguments.length; i++) {
          if (filled[i] === undefined) {
            filled[i] = arguments[arg++];
          }
        }
        return fn.apply(this, filled);
      };
    };
    var delay10seconds = setTimeout.partial(undefined, 10000);   // milliseconds
    delay10seconds(function() {
      alert("Hi!");
    });

    var bindBodyClick = document.body.addEventListener.partial(
      "click", undefined, false);
    bindBodyClick(function() {
      alert("Hi!")
    });

Using a closure to memoize functions

    Function.prototype.memoized = function(key) {   // cache keyed on the first argument
      this._values = this._values || {};
      return this._values[key] !== undefined ? this._values[key] :
        (this._values[key] = this.apply(this, arguments));
    };
    Function.prototype.memoize = function(){
        var fn = this;
        return function(){
          return fn.memoized.apply( fn, arguments );
        };
    };

Wrapping a function

    function wrap(obj, method, wrapper) {
      var fn = obj[method];   // save old function

      return obj[method] = function() {
        // the wrapper gets the original (bound to this) as its first argument
        return wrapper.apply(this, [fn.bind(this)].concat(
          Array.prototype.slice.call(arguments)));
      };
    }
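A worked use of the wrap() pattern: an added example, not the book’s code, that puts an argument-validation and audit layer in front of an existing method without editing it. store, audit, runDemo and MAX_VALUE_LENGTH are constructed for the demonstration.

```javascript
// Added example (not from the book): wrap() used to validate and record every
// call to an existing method. store, audit and the size limit are constructed.

function wrap(obj, method, wrapper) {
  var fn = obj[method];                    // keep the original
  return obj[method] = function () {
    // the original goes in bound to `this`, so it still sees store.data
    return wrapper.apply(this, [fn.bind(this)].concat(
      Array.prototype.slice.call(arguments)));
  };
}

var MAX_VALUE_LENGTH = 32;               // constructed limit for the demo

var store = {
  data: {},
  set: function (key, value) {
    this.data[key] = value;
    return true;
  }
};

var audit = [];                          // one entry per attempted call

wrap(store, "set", function (original, key, value) {
  var ok = typeof key === "string" && key.length > 0 &&
           typeof value === "string" && value.length <= MAX_VALUE_LENGTH;
  audit.push({ key: key, allowed: ok });
  if (!ok) {
    return false;                        // rejected: the original never runs
  }
  return original(key, value);           // accepted: pass through unchanged
});

function runDemo() {
  audit.length = 0;
  store.data = {};
  var r1 = store.set("user", "alice");
  var r2 = store.set("bio", new Array(50).join("x"));   // 49 chars: too long
  var r3 = store.set("", "anon");                        // empty key
  return {
    results: [r1, r2, r3],
    stored: Object.keys(store.data),
    rejected: audit.filter(function (e) { return !e.allowed; }).length
  };
}
```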

Immediate functions and JQuery safety

    (function($) {
      
      // Now we can safely assume $ is jQuery no matter what other code
      // is included in the page that might redefine it.
      $('foo').bar();
      
    })(jQuery);

Also useful for doing a bunch of work on a really long reference name:

    (function(v) {
      
      v.foo()
      v.bar()
      v.baz()
      
    })(really.long.object.reference.thats.a.pain.to.use)

Can work around closure issues in loops

    for (var i=0; i < 10; i++) (function(n) {

      // n will now always be the loop counter's correct value

    })(i);

Useful for library creation

    (function () {
      var jQuery = window.jQuery = function() {

        // our local 'jQuery' will always be consistent, no matter what happens
        // outside to the global version.

      };
    })();

Monitoring Unsaved IOS Device Changes with Nagios

It never fails:  you make a bunch of important changes to a network device, then a phone call or urgent issue interrupts you before you ‘copy run start’.  Your device runs happily along until the next unexpected power outage or IOS crash, at which point your changes go poof.  Not good if the old configuration no longer lets you access the device remotely (you do have out-of-band access, right?)

After the most recent incident of this at $DAYJOB, I wrote a plugin for our Opsview server (which runs on top of Nagios) to check the “last changed” and “last saved” times of a device using SNMP.

It’s not perfect:  notably because IOS updates the “last changed” time every time you enter/exit config mode, whether you actually made any changes or not.  This is a recipe for false positives.  Unfortunately, there’s no easy way around this without the plugin actually downloading the device configs and comparing them.  Given the multitude of authentication and other challenges this would present, I’m happy to let tools like Rancid and Solarwinds NCM solve them instead of making the plugin much more complex.

Available on GitHub here.

vMotion I/O Errors with HP NC522 10gb NIC

We recently spun up a new VMware ESXi 4.1 cluster at $DAYJOB, running on some nice new HP DL380 G7 servers. We’re using the onboard 1gb NICs for the management network and an HP NC522SFP dual-port 10gb NIC for production, vMotion, and IP storage. Everything went smoothly until we started testing vMotion between hosts. It would consistently fail at between 10% and 40% with an I/O error:

I/O Error

After praying to the Google deity for a while, we hit upon the following KB article: vMotion fails on ESX/ESXi 3.5 and 4.0 with some versions of nx_nic and unm_nic drivers.  The issue only seems to crop up if you have VLAN tagging enabled on the vSwitch to which the NIC is connected, and are using TCP segmentation offload (which is enabled by default).

The fix is to either create a new vmKernel interface for vMotion with TSO disabled (and without using VLAN tagging), or to upgrade the NIC driver in ESX/ESXi itself.  In our case, since this was a new environment, we decided to fix it for good and do the upgrade.  A quick download and a little vMA magic, and vMotion is now working flawlessly over 10gb.

Automatically Generate CME ephone Configs

While spinning up a new Callmanager Express site, I needed to configure a ton of phones from a spreadsheet of names, DIDs, and phone MAC addresses. To make this easier, I hacked together a quick Perl script to automatically generate the proper IOS configs.

You can find it on my Hacks page: here

ThunderChicken is Go!

VCAP-DCA or Bust!

Who Needs Sleep?

Because I clearly don’t ever want to sleep again, I’ve decided to attack the goal of becoming a VCAP-DCA (VMware Certified Advanced Professional - Data Center Administration).  I’ll be documenting my progress, along with my study notes and whatever tips I come across.

VCP

A prerequisite for the VCAP-DCA certification is first becoming a VCP on vSphere 4.  This requires taking an official VMware training course and passing a standard question/answer-based exam administered by Pearson VUE.  Since I do a fair amount of VMware work at $DAYJOB, I’m reasonably far along in my preparation already and just need to fill in the gaps.  The study material I’ll be using includes:

  • VMware vSphere: Fast Track [V4] course.  Already attended earlier this year via online classroom. Will be reviewing the class slides and my own notes.

  • Mastering VMware vSphere 4 by Scott Lowe.  While not an official certification guide, this book is very well-written and covers all of the major topics on the VCP4 blueprint.

  • VCP VMware Certified Professional on vSphere 4 Study Guide from Sybex.  Written specifically to cover the exam blueprint, and not (IMHO) as good as Scott’s book, but it never hurts to have a second source.

  • Configuration Maximums for VMware vSphere 4.1 (PDF) and ESX/vCenter Server Installation Guide (PDF) - there’s some debate about whether the current VCP exam covers details unique to 4.1, so it’s best not to take chances.  It’s all information that’s good to know eventually, anyway.

    • Note: VMware has stated on the forums that they are not testing new features from 4.1 (e.g. NIOC and SIOC), but they haven’t come out and explicitly said they’re not updating things like min/max and hardware requirements. They do explicitly say several times “when preparing, use the docs for the latest version.”

VCAP-DCA

This is a 3-4 hour “practical” exam similar in spirit to the CCIE lab, consisting of 40 “live lab activities” (each with multiple tasks) and a brief pre-exam survey.  The blueprint is extensive and covers just about anything you’d ever be expected to do in a VMware environment in the real world.

In terms of preparation materials, everything from the above VCP list along with documentation, documentation, and more documentation.  Kendrick Coleman has put together an extensive list of links to both VMware and 3rd party materials covering each section of the blueprint.  It’s now my browser home page.

The Home Lab

The most important step to becoming a VCAP-DCA is to have extensive hands-on experience with the blueprint topics.  For that, you need a lab environment.  Fortunately, ESX and ESXi run quite nicely on inexpensive “white box” hardware, and can themselves be virtualized.  This allows a quite large lab environment for not a lot of investment.  My lab is based heavily on the BabyDragon from Phillip Jaenke and the vTARDIS from Simon Gallagher.

Server #1

  • Supermicro X8SIL-F motherboard

  • Intel Xeon X3450 Retail (2.53GHz, 4 Cores, 8 Threads)

  • Kingston 12gb (3x4gb) DDR3 1066 ECC Registered memory

  • WD SiliconEdge Blue 128gb SSD

  • WD VelociRaptor 300gb 10,000rpm HD

  • Lian-Li V352A MicroATX case

  • Seasonic X Series 400W power supply

  • VMware ESX 4.1

Update: I ended up getting two of the above servers. Rough cost from NewEgg was about $1,300 each (I already had the VelociRaptors from another project). Could probably have done a little better by shopping around, but with shipping it probably averages out.

Server #2 / Workstation

  • Apple iMac 27”

  • Intel Core i7 (2.8ghz, 4 cores, 8 Threads)

  • 16gb RAM

  • WD VelociRaptor 300gb 10,000rpm HD (via Firewire 800)

  • VMware Fusion 3.0

Storage

  • Iomega (EMC) IX4-200d NAS, 4 x 1TB RAID 5

  • EMC Celerra “Uber VSA” virtual NAS, 100gb allocated

  • Netapp Simulate ONTAP 8.0 7-Mode virtual filer

Some of the above is still with my friends at UPS on its way from Newegg, so I can’t start playing quite yet. At the moment I’m working on setting up the Celerra VSA and Netapp sim, along with building a Windows 2008 R2 domain controller VM.

More to come!

Cisco ACE: SSL Offload

SSL offload (or SSL termination) is when your load balancer handles SSL connections from clients and then hands off unencrypted connections to the backend servers. This lessens the CPU load on the servers and can dramatically increase application performance, since the load balancer frequently has dedicated hardware to handle the encryption/decryption of traffic.

These are the basic steps to configure SSL offload on the Cisco ACE. This assumes you already have an existing HTTP load balancer configuration. See my Basic Load Balancing post for details.

(option one) Import an existing SSL certificate and private RSA key.

crypto import tftp 192.168.1.100 mykey.pem mykey.pem
crypto import tftp 192.168.1.100 mycert.pem mycert.pem

(option two) Generate a new SSL certificate signing request (CSR) and key.

! should NOT be marked "non-exportable" if you're running an HA pair
crypto generate key 2048 mykey.pem

crypto csr-params MY_PARAMS
  common-name myservice.example.com
  country US
  state Georgia
  locality Atlanta
  organization-name My Company
  organization-unit IT Operations

crypto generate csr MY_PARAMS mycsr.pem

Once you receive the signed certificate from your CA, you’ll need to import it.

crypto import sftp 1.1.1.1 mysftpuser /home/user/cert.pem mycert.pem
  OR
crypto import terminal mycert.pem

Create the SSL Proxy service

ssl-proxy service MY_SSL_OFFLOAD
  key mykey.pem
  cert mycert.pem
!

Create a VIP to handle HTTPS traffic

class-map match-all HTTPS_VIP
  2 match virtual-address 10.210.7.10 tcp eq https
!

Update your load balancing policy map to apply the SSL service to the new VIP

policy-map multi-match VIPs
  class HTTPS_VIP
    ssl-proxy MY_SSL_OFFLOAD
    sticky-serverfarm HTTP_FARM
!

Maybe sleep now?

CCIE Security -- DMVPN Phase 1

Notes

  • Tunnel network: 172.16.1.0 / 24

  • NBMA network: 8.7.6.0 / 24

  • No spoke-to-spoke tunnels in DMVPN Phase 1

Hub

crypto isakmp key 0 cisco address 8.7.6.0 255.255.255.0
!
crypto isakmp policy 100
  encryption aes 256
  hash sha
  authentication pre-share
!
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
  mode transport
!
crypto ipsec profile DMVPN
  set transform-set AES256_SHA
!
interface serial0/0
  ip address 8.7.6.100 255.255.255.0
!
interface Tunnel100
  ip address 172.16.1.100 255.255.255.0
  ip nhrp map multicast dynamic
  ip nhrp network-id 1
  tunnel source Serial0/0
  tunnel mode gre multipoint
  tunnel key 1
  tunnel protection ipsec profile DMVPN
  no ip split-horizon eigrp 100
  no ip next-hop-self eigrp 100
!
router eigrp 100
  network 172.16.1.100 0.0.0.0
  no auto-summary
!

Spoke

crypto isakmp key 0 cisco address 8.7.6.100
!
crypto isakmp policy 100
  encryption aes 256
  hash sha
  authentication pre-share
!
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
  mode transport
!
crypto ipsec profile DMVPN
  set transform-set AES256_SHA
!
interface Serial0/0
  ip address 8.7.6.50 255.255.255.0
!
interface Tunnel100
  ip address 172.16.1.50 255.255.255.0
  ip nhrp map multicast 8.7.6.100
  ip nhrp map 172.16.1.100 8.7.6.100
  ip nhrp server 172.16.1.100
  ip nhrp network-id 1
  tunnel source Serial0/0
  tunnel destination 8.7.6.100
  tunnel key 1
  tunnel protection ipsec profile DMVPN
!
router eigrp 100
  network 172.16.1.50 0.0.0.0
  no auto-summary
!

CCIE Security Notes -- EzVPN with Radius

  • Group attributes:

    • [006] Service-Type = Outbound

    • [064] Tunnel-Type (1) = ESP

    • [069] Tunnel-Password = my_group_key

    • Need to create an ACS user “GROUP_NAME” with password “cisco” in addition to actual users. Both should be in the group in which you set the above attributes.

    • AV-Pairs for EzVPN:

    ipsec:tunnel-type=ESP ipsec:key-exchange=IKE ipsec:inacl=MY_SPLIT_ACL ipsec:save-password=1 ipsec:addr-pool=MY_POOL

IOS EzVPN Client with VTI

crypto ipsec client ezvpn EZCLIENT
  connect manual
  group REMOTE key cisco
  mode client
  peer 1.2.3.4
  virtual-interface 2
  username cisco password cisco
  xauth userid mode local
!
interface Virtual-Template2 type tunnel
  ip unnumbered FastEthernet0/1
  tunnel mode ipsec ipv4
!
interface Fast0/1
  crypto ipsec client ezvpn EZCLIENT outside
!
interface Fast0/0
  crypto ipsec client ezvpn EZCLIENT inside
!

IOS EzVPN Server with RSA Certificates and VTI

  • EzVPN clients will get addresses on the 2.0.0.0/24 network

  • EzVPN clients will have access to only the 3.0.0.0/24 network

  • The server will accept clients with certificates from the CA on host 1.2.3.4

  • The server will allow users with OU=EZVPN

aaa new-model
aaa authentication login EZ_AUTHEN local
aaa authorization network EZ_AUTHOR local
!
username cisco password cisco1234
!
clock timezone GMT 0
ntp server 1.2.3.4
!
crypto pki trustpoint CA
  enrollment url http://1.2.3.4
  subject-name ROUTER.example.com
  revocation-check none
!
crypto pki authenticate CA
crypto pki enroll CA
!
crypto isakmp policy 1
  encryption 3DES
  hash SHA
  authentication rsa-sig
  group 2
!
crypto isakmp identity dn
!
ip local pool EZ_POOL 2.0.0.1 2.0.0.254
!
ip access-list extended EZ_ROUTES
  permit 3.0.0.0 0.0.0.255
!
crypto isakmp client configuration group EZVPN
  pool EZ_POOL
  acl EZ_ROUTES
!
crypto isakmp profile EZ_PROFILE
  match identity group EZVPN
  client authentication list EZ_AUTHEN
  isakmp authorization list EZ_AUTHOR
  client configuration address respond
  virtual-template 1
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EZ_IPSEC_PROFILE
  set transform-set 3DES_SHA
  set isakmp-profile EZ_PROFILE
!
interface Virtual-Template 1 type tunnel
  ip unnumbered FastEthernet0/1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile EZ_IPSEC_PROFILE
!

Opsview Slaves and "Host key verification failed"

This is mostly for my own benefit. When setting up a new Opsview slave server, make sure ~nagios/.ssh/known_hosts has an entry for the FQDN of the slave, not just the short name.

Otherwise you’ll spend an hour beating your head against the wall trying to figure out why ssh slavehost date works, but send2slaves -t slavehost doesn’t.

IOS 12.4T: Management-Plane Protection

While working through a CCIE Security practice lab, I came across a task that read (in essence): “Only allow SSH and SNMP access to the router through interface Gig0/1.  Do not use an interface or VTY ACL to accomplish this.”   A search through the IOS configuration guides and command references was unhelpful, including the last-resort tactic of “go to the Master Index and use Ctrl-F to search for likely keywords.”  Finally, I resorted to asking on GroupStudy.  Within minutes, the answer came back:  use management-plane protection.  What on earth is that?  To quote Cisco:

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html

This feature was added in 12.4(6)T but only seems to be documented under Feature Guides, not in the main IOS command reference or configuration guides.  Gee, thanks Cisco!

A configuration example (based on the practice lab task above):

control-plane host
  management-interface GigabitEthernet0/1 allow ssh snmp
end

When this configuration is applied to the router (assuming SSH has been previously configured), remote SSH and SNMP connections to the router will only be accepted when entering through Gi0/1.  This is based on the interface, not on the IP address.  SSH and SNMP connections to Gi0/1’s IP address entering through other interfaces will fail.  In addition, other management traffic (telnet, etc.) entering through Gi0/1 will also fail.  The complete list of what IOS considers management traffic is:

  • SSH v1 and v2

  • telnet

  • HTTP / HTTPS

  • FTP

  • SNMP (all versions)

  • TFTP

  • BEEP (Blocks Extensible Exchange Protocol)

Note that other traffic destined for the router (such as routing protocols and ARP) is not affected, nor is traffic routed through the management interface.  This is different from the management-interface functionality on an ASA, where the designated port can only be used for management traffic.

In summary, it is quite annoying that Cisco doesn’t seem to have actually documented this feature properly, since it has the potential to be a very useful tool in the network administrator’s toolbox.  Depending on the network design, enabling MPP makes it less likely that a management protocol becomes accessible on an interface connected to a hostile network, while simplifying interface ACLs needed to properly secure the device.

Cisco ACE: Basic HTTP Load Balancing

The ACE (Application Control Engine) is Cisco’s replacement for the CSS and CSM load balancers in their data center product line.  It comes in both a module (or “blade”) for the Catalyst 6500 switch and as a standalone appliance.  This post will cover the basics of configuring an ACE to load-balance a farm of HTTP servers.  Subsequent posts will cover advanced features such as session persistence, health checks, and more.

Assumptions

  1. The ACE has been configured (possibly using the setup wizard) with interface and trunking options.

  2. You are deploying the ACE in “routed mode”, i.e. the ACE is the default gateway for the backend servers and the VIPs live on a different network on the “outside” interface.

  3. You have three web servers, WEB1, WEB2, and WEB3 all listening on port 80.

Configuration

Unlike a router, the ACE is a “deny by default” device.  You must explicitly permit any traffic entering the ACE from the network.  Thus, we need an access list (ACL) to allow traffic to our HTTP virtual IP (VIP).

access-list VLAN1 extended permit tcp any host 1.1.1.100 eq www

Next, we need to define our backend servers.  The “inservice” keyword is the ACE equivalent of the “no shutdown” command for an interface.  If you forget it, things won’t work.

rserver host WWW1
  ip address 2.2.2.101
  inservice

rserver host WWW2
  ip address 2.2.2.102
  inservice

rserver host WWW3
  ip address 2.2.2.103
  inservice

Now we need to define a health check, so that the ACE can determine if each backend server is functional and should receive traffic.  We’ll use a very basic HTTP service check at this point. We configure the probe to check each server every 10 seconds and accept the default behavior of marking a server as “failed” if it fails 3 checks. Also by default, the ACE will use an HTTP GET request for the root or “/” URL. That’s fine for this example. Finally, we tell the ACE that a server must respond for at least 60 seconds before it is marked as “back up” after a failure.

An important note: the HTTP probe must have an expected status code or range of codes defined. If you omit this statement, your backend servers will never come up!

probe http HTTP_PROBE
  interval 10
  passdetect interval 60
  expect status 200

Now that we have our backend servers defined, as well as a probe to check their status, we can join them together into a server farm. Again, don’t forget to “inservice” each rserver, or it won’t come up.

serverfarm host HTTP_FARM
  probe HTTP_PROBE
  rserver WWW1
    inservice
  rserver WWW2
    inservice
  rserver WWW3
    inservice

We need to tell the ACE about the virtual IP (VIP) on which we want it to listen. This is done with a class-map.

class-map match-all HTTP_VIP
  2 match virtual-address 1.1.1.100 tcp eq www

Next, we need to define our load-balancing policy, to tell the ACE what to do with traffic once it hits the VIP. In this case, we just direct it to the server farm defined above.

policy-map type loadbalance http first-match HTTP_POLICY
  class class-default
    serverfarm HTTP_FARM

The last piece we need is something to tie the policy to the VIP. We do this with a policy-map of type “multi-match”. For convenience, we configure the VIP to respond to ICMP echo requests (pings) as long as at least one backend server is up.

policy-map multi-match VIPs
  class HTTP_VIP
    loadbalance vip inservice
    loadbalance policy HTTP_POLICY
    loadbalance vip icmp-reply active

Finally, we need to apply our policy to the “outside” interface of the ACE, bringing up our VIP. We also need to apply the ACL we created above to allow the HTTP requests inbound.

interface vlan 1
  description Public Network
  ip address 1.1.1.1 255.255.255.0
  access-group input VLAN1
  service-policy input VIPs
  no shutdown

That’s the end! You can grab the full configuration here.

BGP Route Manipulation

At $DAYJOB, one of our sites has two WAN circuits from the same provider. Both learn our full global routing table via BGP, and both inbound and outbound traffic are load-balanced using BGP multi-path. In some cases, however, we want specific traffic to always prefer one path over the other (mostly for latency reasons). We could use static routes, but we also want traffic to fail over to the other link in the case of an outage.

In this example, we want to manipulate the routing as follows:

  • Traffic between the 192.168.1.0/24 local network and 10.0.1.0/24 remote network should prefer PATH #1

  • Traffic between the 192.168.2.0/24 local network and 10.0.2.0/24 remote network should prefer PATH #2

Note: for the purpose of this example we will assume that the specified local and remote networks only talk to each other. We don’t need to consider traffic between 192.168.1.0/24 and other remote networks, for example.

router bgp 65000
  network 192.168.1.0 mask 255.255.255.0
  network 192.168.2.0 mask 255.255.255.0
  !
  neighbor 1.1.1.1 remote-as 65534
  neighbor 1.1.1.1 send-community
  neighbor 1.1.1.1 route-map PATH1-LEARN in
  neighbor 1.1.1.1 route-map PATH1-ADVERTISE out
  !
  neighbor 2.2.2.2 remote-as 65534
  neighbor 2.2.2.2 send-community
  neighbor 2.2.2.2 route-map PATH2-LEARN in
  neighbor 2.2.2.2 route-map PATH2-ADVERTISE out
!

First we need to define our ACLs to specify which traffic prefers which path.

ip access-list standard PREFER-PATH1-LOCAL
  permit 192.168.1.0 0.0.0.255
!
ip access-list standard PREFER-PATH1-REMOTE
  permit 10.0.1.0 0.0.0.255
!
ip access-list standard PREFER-PATH2-LOCAL
  permit 192.168.2.0 0.0.0.255
!
ip access-list standard PREFER-PATH2-REMOTE
  permit 10.0.2.0 0.0.0.255
!

As we learn routes, we raise the local preference on routes coming from the preferred path, so they are chosen over the same routes learned on the other path with a default of 100.

The permit 999 ensures all routes are still learned from both peers, even if they’re not being manipulated.

route-map PATH1-LEARN permit 10
  match ip address PREFER-PATH1-REMOTE
  set local-preference 110
!
route-map PATH1-LEARN permit 999
!
route-map PATH2-LEARN permit 10
  match ip address PREFER-PATH2-REMOTE
  set local-preference 110
!
route-map PATH2-LEARN permit 999
!

For incoming traffic, we need to influence the ISP’s routing decisions. There are several ways of doing this, including the MED. In our case, we’ll use the ISP’s pre-defined community values to force them to set a local preference on certain routes.

Again, the permit 999 rules ensure that we’re still sending all our routes to both peers, even if they don’t get tagged.

route-map PATH1-ADVERTISE permit 10
  match ip address PREFER-PATH1-LOCAL
  set community 65534:110
!
route-map PATH1-ADVERTISE permit 999
!
route-map PATH2-ADVERTISE permit 15
  match ip address PREFER-PATH2-LOCAL
  set community 65534:110
!
route-map PATH2-ADVERTISE permit 999
!

ASA URL filtering with MPF

Problem:  “I want to block facebook.com and myspace.com but I don’t have a Websense server.”

regex domlist1 "facebook.com"
regex domlist2 "myspace.com"
!
class-map type regex match-any DomainBlockList
  match regex domlist1
  match regex domlist2
!
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
!
policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
  reset log
!
policy-map global_policy
  class inspection_default
  inspect http http_inspection_policy
!
service-policy global_policy global
wr mem

BGP Through an ASA with Authentication

By default, the ASA will strip TCP option 19, causing MD5 authentication for BGP to fail.  In addition, the ASA randomizes the TCP sequence numbers, which also breaks MD5 authentication.  To fix this:

tcp-map BGP_FIX
  tcp-options range 19 19 allow
!
access-list BGP permit tcp any any eq 179
!
class-map BGP
  match access-list BGP
  ! could also use: match port tcp eq bgp
!
policy-map global_policy
  class BGP
    set connection advanced-options BGP_FIX
    set connection random-sequence-number disable
!

ASA Authentication Proxy with ACS

Goal:  all outbound telnet and HTTP connections passing through the ASA must first be authenticated against an ACS server using the TACACS+ protocol.

aaa-server ACS_SERVER protocol tacacs+
aaa-server ACS_SERVER (inside) host 1.2.3.4
    key myACSkey
!
access-list outbound_auth permit tcp any any eq 23
access-list outbound_auth permit tcp any any eq 80
!
aaa authentication match outbound_auth inside ACS_SERVER

There are additional options to configure HTTP vs. HTTPS and redirection vs. basic HTTP authentication.  The documentation is a bit confusing, so I will be labbing this up shortly.

ASA Enhanced Service Object Groups

The ASA introduced the concept of object groups in version 7.0.  You could group a list of IP addresses, protocols, services, or ICMP types into one logical entity and refer to it by name in your access lists.  In the 7.x releases, however, a service object group could only contain entries for a single protocol (TCP, UDP, or both TCP/UDP).  This forced admins to either use a separate object group for TCP and UDP ports (requiring two ACE entries), or to match more ports than necessary (by using the tcp-udp type).

The 8.0 release of the ASA software solves this problem by introducing an enhanced Service object group that allows a mix of multiple protocols within the same group.  Unfortunately, the 8.0 and 8.2 ASA configuration guides don’t appear to cover this new type of service group or show an example.

object-group network DMZ_NET
  network-object 1.2.3.0 255.255.255.0
!
object-group service DMZ_SERVICES
  service-object tcp eq 80
  service-object udp eq 53
  service-object tcp eq 53
  service-object icmp
!
access-list DMZ extended permit object-group DMZ_SERVICES any object-group DMZ_NET

Restarting CCIE Security

Now that the major CCIE training vendors have released updates covering the new CCIE Security 3.0 blueprint topics, I’ve decided to restart my preparations for the exam. My current goal is to sit the lab exam on October 1 in RTP.

I’ll be using a mix of both IPexpert and InternetworkExpert materials for my preparation.  Both vendors’ new technology-focused lab releases look terrific.  Hopefully, by the time I work through them they’ll have some updated 8-hour full mock labs available.

For the most part, I’ll be relying on Dynamips for lab work, since now that the VPN 3000 is no longer in the lab everything except for the switches can be simulated.  I’ll have to rent some rack time to review the switch-based security stuff from R&S, but for the most part I’m not worried there.

Notes to Self: IPexpert Security Lab A

These are mostly notes for my own benefit as I work through various labs. In this case, I only worked on specific sections of lab A, as I was a bit short on time.

Section 1: Layer 2 configuration

  • when creating an SVI for a given VLAN, always make sure the VLAN itself exists on all switches in the transit path for that VLAN.

  • if the lab specifies restricting “management access”, don’t forget to check if the HTTP server is enabled and add a similar access class to it as to the VTYs.

  • Filtering traffic by ethertype

    mac access-list extended F0_15
      deny any any 0x1234 0x0
      permit any any
    !
    int fa0/15
      mac access-group F0_15 in
    !

  • VLAN filtering by MAC address

    mac access-list extended VL123
      permit host 0000.1234.4321 host 0000.4321.1234
    !
    vlan access-map VL123 10
      action forward
      match mac address VL123
    vlan access-map VL123 999
      action drop
    !
    vlan filter VL123 vlan-list 123

No real problems with this section other than interpretation on the VLAN filtering. In a lab, I’d ask the proctor if they meant traffic from this range of MAC addresses or just between the two.

Section 2: Pix / ASA Configuration

  • When originating a default route and running RIP on both inside & outside, use a route-map with ‘match interface’ to control which side we send the default route to.

  • don’t be so quick to assume an answer. Configured HTTP/HTTPS and missed that the question said a “Web/SMTP/DNS” server so left out a bunch of the ACL.

  • when configuring AAA through a firewall, don’t forget to set the source int on the remote device if required.

  • remember that a transparent firewall will not pass anything inbound by default (except ARP) without an access-list. Just like a routed firewall.

  • a transparent firewall must have a management IP address configured or it will not pass any traffic, even if that traffic would otherwise be allowed.

  • always check for required single/multiple changes, since it needs a reboot of the device and wastes time.

  • basic process for setting up contexts

    admin-context FOO
    context FOO
      config-url disk0:/FOO.txt
    !
    context BAR
      ! allocate interfaces before config-url, since the loaded context config references them
      allocate-interface eth0/0
      allocate-interface eth0/1
      config-url disk0:/BAR.txt
    !

  • when configuring local authentication on the ASA, don’t forget to explicitly enable it, for ssh/telnet

    hostname ASA1
    domain-name ipexpert.com
    crypto key generate rsa general-keys
    ssh 1.2.3.0 255.255.255.0 inside
    username cisco password cisco
    aaa authentication ssh console LOCAL

Section 3: IDS Configuration

  • I need to spend time learning the IDS command line. I’m fairly solid through IDM but not through the CLI.

  • IOS IPS basic config

    ip ips name FOO
    ip ips notify log
    logging host 1.2.3.4
    logging on
    int se0/1/0
      ip ips FOO in
    !

Section 7: VPN Configuration

  • when configuring L2L VPNs on the VPN3000 through the GUI, be careful when configuring the interesting traffic. The mask is specified as a wildcard mask, e.g. 0.0.0.255, not a subnet mask.

Source Filtering for Internet Traffic

When examining inbound traffic at your Internet edge, there are quite a few source networks that should be automatically discarded. RFC 3330 (Special-Use IPv4 Addresses) specifies many of these.

Local Networks

In most sane networks, you should never see inbound traffic from your own address space. Thus, if you have 12.3.45.0/24 as your public address space, your inbound ACL should block traffic appearing to be sourced from this network.

RFC 1918

10.0.0.0 /8

172.16.0.0 /12

192.168.0.0 /16

An easy way to remember the CIDR value for these (found on GroupStudy): each is 4 greater than the last.

Local-only Networks

0.0.0.0 /8

127.0.0.0 /8 - note: not just 127.0.0.1!

169.254.0.0 /16

These are (respectively) the “this network” range, the localhost address space, and the Microsoft AutoNet network (also called APIPA, for Automatic Private IP Addressing).

Reserved Networks

192.0.2.0 /24 - TEST-NET, e.g. example.com

198.18.0.0 /15 - Benchmark networks

240.0.0.0 /4 - Class E

Multicast

224.0.0.0 /4

The multicast address space will never appear as a source address in legitimate traffic. A multicast IP is always a destination.

Unassigned Address Space

Many experts recommend filtering all unallocated address space (networks that have not been assigned to users or ISPs by the various numbering authorities, such as ARIN or APNIC). This requires diligence on the part of network administrators to track new address allocations and keep ACLs up-to-date, to avoid blackholing legitimate traffic from newly-assigned networks. For more information, see the Bogon Reference at Cymru.
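The ranges listed above, expressed as an IOS extended ACL applied inbound on the Internet-facing interface. This is an added example, not configuration from the original post; 12.3.45.0/24 is the sample public space from the text, while the ACL name, the interface name GigabitEthernet0/0 and the closing permit are assumptions.

```cisco
! Added example: inbound source filter for the Internet edge
! Assumes 12.3.45.0/24 is our own public space (from the text above)
! and GigabitEthernet0/0 is the Internet-facing interface (assumed name)
ip access-list extended INTERNET_IN
 remark --- our own address space never legitimately arrives from the Internet
 deny   ip 12.3.45.0 0.0.0.255 any
 remark --- RFC 1918
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- local-only: "this network", loopback (all of 127/8), APIPA
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark --- reserved: TEST-NET, benchmark networks, class E
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark --- multicast is only ever a destination, never a source
 deny   ip 224.0.0.0 15.255.255.255 any
 remark --- stand-in for the rest of the edge policy (assumed)
 permit ip any any
!
interface GigabitEthernet0/0
 description TO_INTERNET
 ip access-group INTERNET_IN in
!
```

Unallocated (bogon) space is deliberately left out of the list, since those entries must be refreshed as allocations change.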

Simple NAT (PAT) Example #1

A very simple example for when you want to very quickly get a network (for example, a branch office) online behind a DSL line or similar.  This PATs all private network traffic behind the outside interface’s public IP.

interface FastEthernet0/0
  description TO_ISP
  ip nat outside
!
interface FastEthernet0/1
  description TO_LAN
  ip nat inside
!
ip access-list standard NAT_SOURCE
  permit 10.1.1.0 0.0.0.255
!
ip nat inside source list NAT_SOURCE interface FastEthernet0/0 overload

#23115!

CCIE Logo

A more detailed post to come…

This Week

Getting down to the wire for my lab attempt (22 days to go!)  I’ve been horrible about blogging my progress, but I’m going to try to be more consistent in the home stretch.  Overall I think I’m in good shape, but I really need to focus over the next 3 weeks to be completely ready.

Plans for this week:

  • IE just released their first v.5 full labs (lab 1 and lab 10).  I’ll probably skip Lab 1, since it’s only a level 5 and I’ve already watched the live Lab Meetup, but I’ll definitely be hitting lab 10 since it’s an 8.

  • I have IE rack rentals Tue-Thu.  My goal is to hit two full IE labs (v.5 lab 10 and probably v.4 lab 7)

  • IPexpert rack rentals Fri, Sat, Sun, Mon.  I want to get some solid lab hours in before the Christmas break.  Haven’t picked a set of labs yet, but at least book 3, labs 9 and 10.

  • I may try to pay for another IE mock lab during my current Christmas break.  My lab 4 attempt went pretty well (77, with a couple of sections I disagreed with the proctor on).

  • Reading:

    • Finish the QoS self-study book

    • Start the Cisco Press multicast and IPv6 books

    • IE workbook 1 v.5 solution guides.  These are terrific for individual technology focus.

InternetworkExpert Vol. 2, Lab 3 Notes

Switching

  • beware of pruning issues when some switches are transparent and some aren’t.  If not otherwise specified, make all switches transparent if one is.

IP Telephony

  • macro apply cisco-phone $access_vlan 5 $voice_vlan 4 sets most things properly

  • To change the CoS applied to traffic coming from the PC connected to a phone: switchport priority extend cos 1

  • Don’t forget to enable mls qos globally or nothing will work

PPP

  • as a general rule, use no peer neighbor-route on all PPP interfaces to avoid random /32 routes showing up in IGPs and redistributions.  They’re only needed if you have different subnets at each end of the link.

IGPs – RIP

  • use the distribute-list gateway option along with a prefix-list to specify the routers from which we will accept routes.

  • don’t forget the prefix option (e.g. distribute-list prefix FOO, not distribute-list FOO) when filtering routing updates

  • remember, though, that a distribute-list doesn’t have to use a prefix-list.  It also works just fine with a regular ACL (useful for permit any or deny any).

Getting closer and closer...

What I’ve been up to:

  • IPExpert’s one week R&S bootcamp in San Jose

  • IPExpert’s one week mock lab workshop in San Jose

  • InternetworkExpert’s “Open Lecture” multicast troubleshooting (in progress)

  • InternetworkExpert’s 5-day lab bootcamp CoD (in progress)

  • InternetworkExpert’s Adv. Technology CoD on redistribution (in progress)

  • Working through IEWB3 to get better at core technology, especially redistribution

Study Notes -- PPP and PPP Authentication

Sources:

  • IPexpert BLS class-on-demand

  • IPexpert v.10 Workbook 2

  • InternetworkExpert ATS CoD v4.5

Notes – PPP General:

  • By default, PPP will inject a directly-connected /32 route for the remote end into each device’s routing table.  This can be safely disabled unless the two ends of the link are on different logical IP subnets (e.g. one side or both sides are using ‘ip unnumbered’).  To disable it, use the ‘no peer neighbor-route’ interface-level command.

  • The ‘ppp quality’ interface-level command enables Link Quality Monitoring (LQM), which will bring down the interface if the number of bytes transmitted vs. received over a link falls below a given percentage.

  • The ‘ppp reliable-link’ command enables LAPB numbered mode to negotiate a reliable link.

Notes – PPP Multilink

  • The ‘ppp multilink links minimum’ interface option (under the Multilink interface) specifies how many physical circuits must be up before the bundle comes up.  The ‘mandatory’ option brings the bundle down if the number of active links falls below the minimum.

Notes – PPP Authentication:

  • The ‘ppp authentication <protocol>’ command is only required on the side of the link that is issuing the challenge (the “server” side).  This may also be referred to as the side that’s “doing authentication” or that is “authenticating”.

  • CHAP (and EAP) will use the hostname of the router as the username, by default.  PAP requires the username to be explicitly specified with the ‘ppp pap sent-user’ command. If you need to use a different username, you can specify it using the ‘ppp chap hostname’ or ‘ppp eap identity’ commands.

  • For CHAP, if you don’t want to specify the global username/password combo on the client (or you don’t know the server’s hostname), you can specify just the password to be sent to any remote authentication challenge with the ‘ppp chap password’ command at the interface level.

  • If you want to use the same username in both directions with CHAP, use the ‘no ppp chap ignoreus’ interface-level command, since by default CHAP will refuse to authenticate with “ourself” if the hostname matches.

  • EAP is an additional “secure” protocol distinct from CHAP.  MS-CHAP and MS-CHAPv2 probably aren’t “different enough” from CHAP to satisfy a lab requirement of two different secure protocols.

  • You must specify ‘ppp eap local’ for EAP to work unless you have a radius server available.

  • EAP doesn’t use the shared password from the ‘username’ statement when responding to a challenge.  You need to specify the password using ‘ppp eap password <pass>’.
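The CHAP notes above put into a two-router configuration, as an added example rather than configuration from the original notes: only the challenging side configures ‘ppp authentication’, and the client answers under an interface-specific name with an interface-level password. The hostnames, the username R2-LINK, the password and the addressing are assumptions.

```cisco
! Added example: one-way CHAP, R1 challenges and R2 answers.
! Hostnames, username, password and addresses are assumed values.
!
! --- R1: the authenticating ("server") side; only it needs ppp authentication
hostname R1
! the name R2 will present, with the shared secret R1 uses to verify the response
username R2-LINK password 0 LinkSecret1
interface Serial0/0
 encapsulation ppp
 ip address 10.0.12.1 255.255.255.252
 ppp authentication chap
!
! --- R2: the client side; no ppp authentication here, so R1 is never challenged
hostname R2
interface Serial0/0
 encapsulation ppp
 ip address 10.0.12.2 255.255.255.252
 ! send R2-LINK instead of the router hostname in the CHAP response
 ppp chap hostname R2-LINK
 ! interface-level password, so R2 needs no username statement for R1
 ppp chap password 0 LinkSecret1
!
```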

IPExpert End-to-End Bootcamp

I’m in San Jose, CA for IPExpert’s two-week End-to-End route/switch bootcamp.  I was very lucky to win this training at Cisco Networkers this year and am definitely looking forward to it.  The flight out was a bit annoying (flew Airtran instead of Delta and you could really notice the little differences).  Just got back from dinner at Chipotle’s and am planning to take an early night and hopefully get my internal clock synced up.

Narbik/IPExpert Workbook EIGRP Notes

Timers

  • Hello and Dead interval timers are set on a per-interface basis with

    ip hello-interval eigrp <AS> <seconds>
    ip hold-time eigrp <AS> <seconds>

  • The stuck-in-active (SIA) timer is configured with the router-level command timers active-time <seconds|disabled>

Metrics

  • The metric calculation in an EIGRP AS can be changed with the router-level command metric weight 0 <bandwidth> <load> <delay> <offset> <reliability>

  • The metric calculation formula is

    ( (k1 * bandwidth) + (k2 * bandwidth) / (256 - load) + (k3 * delay) + (k5 / reliability) + k4 ) * 256

  • To configure the hop count considered unreachable (default 100) use router-level command metric maximum-hops <count>

  • The administrative distance of internal and external routes can be configured using the router-level command distance eigrp <internal> <external>

Bandwidth Used for EIGRP

  • EIGRP uses 50% of the interface bandwidth by default

  • Can be changed using the interface-level command ip bandwidth-percentage eigrp <AS> <percent>

Stubs

  • A stub can be configured to only receive (not send) routes using the router-level command eigrp stub receive-only

Logging

  • no eigrp log-neighbor-changes

  • eigrp log-neighbor-warning <interval> will log updates that are received from an IP not in the subnet of the receiving interface.

Summary Addresses

  • The leak-map option to ip summary-address eigrp references a route-map that defines which component routes of a summary supernet are also injected alongside the summary. It is only available on physical and Virtual-Template interfaces (not on subinterfaces).

Load Balancing

  • For unequal-cost load balancing, the AD of the worst route must be less than the FD

  • Take the AD of the worst route and divide by the AD of the best route (rounding up) to get the variance.

Authentication

  • same as RIP, but configured on a per-interface and per-AS basis:

    ip authentication mode eigrp 300 md5

Narbik/IPExpert RIPv2 Notes

General Notes

  • passive-interface default is recommended, due to the network statement being classful

  • don’t forget to consider switch-based solutions like vlan access-maps and port access-lists (blocking udp/520) to prevent updates from propagating between routers if the task restricts your configuration options on the routers themselves.

  • CCIE Links page updated with RIPv2 links

Timers

  • default basic timers are 30/120/120/240 (update, invalid, hold down, flush)

  • periodic updates can be delayed after a triggered update with the sleep parameter at the end of the timers basic router command.

  • the “hold down” timer is Cisco-proprietary. Set it to 0 if you need to retain full compatibility with RFC 2453.

Distribute Lists

  • distribute-list uses a separate ip prefix-list for defining the gateway and the routes

Default Originate

  • the route-map option to default-information originate causes the 0/0 route to only be injected into RIP if the route-map is satisfied (e.g. if a route exists)

Multicast / Broadcast / Unicast

  • RIPv2 defaults to sending updates via multicast (224.0.0.9)

  • The passive-interface and neighbor router commands change it to unicast

  • The ip rip v2-broadcast interface command changes it to broadcast

  • A very tricky way to force unicast updates without using the neighbor command:

    ip nat outside udp X.X.X.X 520 224.0.0.9 520
    !
    int se0/0/0
      ip nat outside

This converts the inbound multicast updates to unicast, which will create a NAT table entry and translate all outbound RIP updates to unicast as well (NAT is bidirectional)

Authentication

  • IOS 12.4 supposedly requires a valid send-lifetime configured for a key before it will work.

  • RIP will always use the first valid key when sending updates out an interface.

Route Filtering

  • The three methods to kill a route:

    • distribute-list with an ACL

    • offset-list pushing the metric beyond 16

    • distance command setting the AD to 255
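The three methods from the list above side by side, as an added example and not configuration from the original notes: each one alone is enough to keep the prefix out of the routing table. The prefix 10.1.1.0/24, the ACL names and Serial0/0 are assumptions.

```cisco
! Added example: three ways to keep 10.1.1.0/24, learned on Serial0/0, out of
! the routing table. Prefix, ACL names and interface are assumed values; any
! one of the three router-level lines is sufficient on its own.
ip access-list standard KILL_10_1_1
 permit 10.1.1.0 0.0.0.255
!
ip access-list standard ALLOW_ALL_BUT_10_1_1
 deny   10.1.1.0 0.0.0.255
 permit any
!
router rip
 version 2
 network 10.0.0.0
 ! Method 1: distribute-list with an ACL drops the update before it is processed
 distribute-list ALLOW_ALL_BUT_10_1_1 in Serial0/0
 ! Method 2: offset-list adds 16 hops, so the route arrives as unreachable (>= 16)
 offset-list KILL_10_1_1 in 16 Serial0/0
 ! Method 3: AD 255 means the route is accepted by RIP but never installed in the RIB
 distance 255 0.0.0.0 255.255.255.255 KILL_10_1_1
!
```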

Technology Labs Checklists

Again, for my own benefit, checklists for the Narbik, IPExpert, and InternetworkExpert v.5 technology-focused workbook labs.

Narbik Book 1

  • QoS – skipping for now

  • Frame Relay – done!

  • On-demand Routing

  • RIP – done!

  • EIGRP

  • OSPF

  • Policy-based Routing

  • BGP

  • IPv6

Narbik Book 2

  • NAT

  • IP Services

  • GRE

  • Multicast

  • QOS

  • Security

  • Prefix-Lists

IPExpert Workbook 1

  • General Lab Setup

  • Catalyst PVST – skipping for now

  • Catalyst MST – skipping for now

  • Catalyst Rapid PVST – skipping for now

  • Layer 2 Tunneling – skipping for now

  • Frame Relay

  • Bridging and Frame Relay

  • RIP – done!

  • EIGRP

  • OSPF

  • BGP

  • Routing Protocol Redistribution

  • ACLs and Filters for IP

  • Router Security

  • Router Redundancy

  • Advanced Router Management

  • Multicast

  • QoS

  • QoS/MQC Conversions

  • GRE and Routing Protocols

  • IPv6

  • IPv6 Advanced Routing

InternetworkExpert v.5 Workbook 1

  • Bridging and Switching – skipping for now

  • Frame Relay

  • IP Routing

  • RIP

  • EIGRP

  • OSPF

My CCIE Study Schedule

This is a bit rough, but it’s more or less what I plan to do between now and January to get ready for the R&S lab.

Week of September 8

  • Narbik technology labs

  • IPExpert technology labs

  • InternetworkExpert v.5 technology labs

Week of September 15

  • Narbik technology labs

  • IPExpert technology labs

  • InternetworkExpert v.5 technology labs

Week of September 22

  • IPExpert multi-protocol labs #1-5

Week of September 29

  • Note:  work travel week

  • IPExpert multi-protocol labs #6-10

Week of October 6

  • Note:  work travel week

  • IPExpert multi-protocol labs #11-15

Week of October 13

  • InternetworkExpert workbook 2 full labs, #1-4

  • InternetworkExpert workbook 3 core labs, #1-2

Week of October 20

  • InternetworkExpert workbook 3 core labs, #3

  • InternetworkExpert workbook 2 full labs, #5, 10, 12

  • InternetworkExpert workbook 3 core labs, #4, 5

Week of October 27

  • InternetworkExpert workbook 2 full labs, #16, 17, 18

  • InternetworkExpert workbook 3 core labs, #6-7

Week of November 3

  • InternetworkExpert workbook 3 core labs, #8-10

  • InternetworkExpert workbook 2 full labs, two or three of #6-10, 11, 14-15, 19-20

Week of November 10

  • IPExpert on-site bootcamp

Week of November 17

  • IPExpert 5-day mock lab bootcamp

Week of November 24

  • Note: Thanksgiving Week

  • Review results of IPExpert bootcamp

  • InternetworkExpert mock lab #1 and #2

Week of December 1

  • IPExpert workbook 3 full labs, #1-4

  • InternetworkExpert mock lab #3 and #4

Week of December 8

  • IPExpert workbook 3 full labs, #5-8

  • CCIE Assessor #1

Week of December 15

  • IPExpert workbook 3 full labs, #9-12

  • CCIE Assessor #2

Week of December 22

  • Note: Christmas Week

  • IPExpert workbook 3 full labs, #13-14

Week of December 29

  • IPExpert workbook 3 full labs, two or three of #15-20

Week of January 5

  • Final Review, travel and exam!

Narbik Labs: Frame Relay notes

Lab 1: Hub and Spoke using Frame-Relay Map Statements

  • On a multipoint interface, the router can’t ping itself unless you add a frame-relay map statement pointing the interface IP to one of the DLCIs.

  • When configuring frame-relay maps on the spokes, don’t use the broadcast keyword for mappings to other spokes.  Otherwise, the hub will get redundant routing information (broadcasts/multicasts).

  • The keepalive command controls the LMI Status inquiry interval, and the frame-relay lmi-n391dte command controls the complete status enquiry interval.

  • Status inquiries are LMI type 1 inquiries, full status inquiries are LMI type 0 inquiries.

Lab 2: Hub and Spoke using Point-to-Point Subinterfaces

  • No need to manually disable inverse-arp when using subinterfaces.

  • On a point-to-point interface, the router can reach all IP addresses (including itself) without a mapping, as long as the IP is in the routing table with a valid next hop.

Lab 3: Mixture of Point-to-Point and Multipoint Frame Relay

No notes.

Lab 4: Multipoint Frame Relay without Frame Relay Mapping

Using PPP between spoke and hub to distribute layer 3 information

! Hub
int serial1/0
  encap frame
  no ip address
  frame-relay interface-dlci 102 ppp Virtual-Template 1
  frame-relay interface-dlci 103 ppp Virtual-Template 1
  frame-relay interface-dlci 104 ppp Virtual-Template 1
!
int virtual-template 1
  ip address 150.0.0.1 255.255.255.0
!

! Spoke 2
int serial1/0
  encap frame-relay
  no ip address
  frame-relay interface-dlci 201 ppp Virtual-Template 2
!
int Virtual-Template 2
  ip address 150.0.0.2 255.255.255.0
!

  • The virtual template ID must be different on each spoke, even though it’s the same on all DLCIs on the hub.

Lab 5:  Frame Relay and Authentication

  • Yeah, I need to deep-dive on PPP authentication.  Very, very weak here.

Lab 6:  Frame Relay End-to-End Keepalive

map-class frame-relay FREEK12
 frame-relay end-to-end keepalive mode bidirectional
!
int ser1/0.12 point-to-point
 frame-relay interface-dlci 102
  class FREEK12
!

Timers that can be used to adjust FREEK:

frame-relay end-to-end keepalive [send|receive]

  • timer

  • error-threshold – how many failures must occur before the interface goes down

  • success-events – how many successes must occur before the interface comes up

  • event-window – how many recent events to consider when testing error-threshold or success-events

Links for 2008-09-01

CCIE Prep, Catching Up Again

Real-life and work have continued to intrude on my preparation hours, but hopefully that’s about to change.  I now have the beginnings of a week-by-week strategy for labs and other prep tasks with enough slack to adjust for unexpected things popping up.

Haven’t done much lab work at all, but I have managed to get some reading done along with reviewing some video-on-demand:

Ongoing Reading:  QoS Exam Certification Guide (Odom)

Ad Hoc Reading:  Routing TCP/IP, Volume 1 (Doyle):  RIP, EIGRP

Video Lectures:  IPExpert EIGRP, RIP, IP Services, TCL, Access Lists

Assuming things go according to plan, this week and next will be spent working through the Narbik technology labs and (depending on time) some of the InternetworkExpert v5 labs.  Planning to use Dynamips for 100% of this, except for the switching stuff.  Will probably do at least one rack rental either next weekend or the weekend after to catch up on those.

Applescript to Sync SmartGroups with iPhone

Since the iPhone does not sync SmartGroups from the MacOS Address Book (only regular groups), I wrote this script to automatically create ordinary groups with the contents of my SmartGroups.  I name all of my SmartGroups starting with “SM_” and the script creates regular groups with the same name, but starting with “_” (so SM_Family would become _Family).

Note that this script will delete all contacts from any regular groups that begin with “_” and match the name of a SmartGroup, so be a bit careful before you run it the first time.

on replaceString(theText, oldString, newString)
    set AppleScript's text item delimiters to oldString
    set tempList to every text item of theText
    set AppleScript's text item delimiters to newString
    set theText to the tempList as string
    set AppleScript's text item delimiters to ""
    return theText
end replaceString

tell application "Address Book"
    set theGroups to every group
end tell

repeat with aGroup in theGroups
    if id of aGroup contains "ABSmartGroup" then
        set theName to "_" & replaceString((name of aGroup), "SM_", "")

        tell application "Address Book"
            if group theName exists then
                remove every person from group theName
            else
                make new group with properties {name:theName}
            end if
            add (every person in aGroup) to group theName
        end tell
    end if
end repeat

tell application "Address Book" to save addressbook

Narbik Workbooks!

CCIE Day 3-6 – Catching Up

Catching up a bit from the weekend.  Didn’t get much done on Friday or Sunday, other than a bit of reading, due to other commitments.  However, on Saturday I did a 4-hour rack rental with CCIE2Be.com and a second 8-hour rental with IPExpert.  The CCIE2Be session was spent working on the IEv5 Workbook #1 bridging and switching content.  Ended up going about halfway through.  For the IPExpert session, I re-did the first half of their Switching focus lab, concentrating on speed and not making stupid oversights.  Went pretty well.

Last night I tackled the first half of the IEv5 frame relay lab, using my Dynamips lab setup.  Went very well, and the virtual setup seems to work well so far.  We’ll see how it goes when I get to more involved labs, but if it continues to go as well as the frame stuff did, my rack costs should go down quite a bit.  As far as the content, I had a bit of trouble with back-to-back frame relay and some of the more non-standard Inverse-ARP scenarios, but after re-watching the IE frame relay class-on-demand I now feel comfortable with those as well.

Tonight I’ll be finishing up the IE frame relay lab and probably hitting the IPExpert version.  I may spend a bit of time getting my Dynamips lab working with the IE initial configs (updating interface names and the like).  My Narbik workbooks should arrive tomorrow and I’ll be hitting his FR labs then.  After that, it’s on to IP!

CCIE Prep, Day 2 – IPExpert Vol. 1, Sec. 1-2

Tonight was my first real practice session using the ProctorLabs rack rentals and IPExpert’s workbook 1.  Overall, it went well, and I was quite impressed with both products, although I ran into a couple of minor headaches:

  • some of the ProctorLab racks apparently have 4 x 3560 switches instead of 3 x 3560 and 1 x 3550 as shown in the lab topology.  This caused a couple of unexpected problems relating to different default trunk modes.

  • the Section 1 logical topology diagram had a labeling error (swapped fe0/0 and fe0/1 on R9), which led to a bit of fun in getting layer 3 reachability.

In terms of the labs themselves, I did fairly well although I’m not quite at the level of concentration I’ll need to be at for the real exam.  I found myself getting distracted and making simple mistakes that would have resulted in dropping quite a few points on the exam.  I’m sure this will improve as time goes on.  Some specific things I stumbled on:

  • not defining loopback interfaces on every router.   My verification scripts didn’t test this as I was only pinging directly attached interfaces.

  • neglecting to enable VTP v2 to meet a specific requirement of ensuring the MD5 hash values match between authenticated devices.

  • not reading/studying the SPAN-related question to see that it was actually asking for RSPAN.

  • a pretty big fumble on the mac-address ACL section.  I really need to study this in detail, especially the bits involving matching on the EtherType.

  • I ended up skipping the section on private VLANs.  I’m fairly confident I could have gotten by using the DocCD, but I definitely don’t have a solid handle on them yet.

In general, I think it went well for a first practice session.  I was hoping to supplement the IPExpert lab with the new InternetworkExpert v5 Bridging/Switching labs, but unfortunately GradedLabs seems to be booked solid all weekend and all next week.  Looks like I’ll have to hit some content I can practice under Dynamips.

I think tomorrow I’m going to spend some time going back through the STP and Catalyst security CODs and do some DocCD review and read the BCMSN study guide a bit.  I still need to hit the IPExpert MST and Rapid-PVST labs, but those are areas I’m definitely weaker in so I want to get some book knowledge in my head first.

My Narbik Workbooks shipped

Hi Brian,

This email is sent to notify you that your order has been shipped.

Your order was shipped via UPS and your tracking number is 1Z0000000000000000.

Looks like my Narbik workbooks will be here next Friday Wednesday (they’re coming UPS Ground from California).  I have no shortage of things to work on until they get here, of course.

CCIE Lab Prep, Day 1

Rebooting my prep days since I’m now preparing for the lab instead of the written.

Last night I watched the InternetworkExpert class-on-demand sections for Ethernet Switching, VTP, Layer 3 Switching and EtherChannel, and parts of Spanning Tree.  I had watched all of them before so it was mostly a review.

Tonight is my first IPExpert/ProctorLabs rack session, in which my goal is to finish sections 1-2 of Workbook 1 (general setup and PVST+).  I need to do quite a bit of studying on MST and Rapid-PVST before diving into those sections.  The workbook suggests 5 hours as an estimated time-to-complete for sections 1-2, so we’ll see how that goes.

I’m hoping my Narbik workbooks show up fairly soon so that I can stay consistent between the IPExpert labs and the Narbik labs.  I want to try to maximize my learning on each technology section during the first phase of my prep so that I’m as ready as possible when starting the actual lab scenarios.

My Lab Exam Strategy

Now that I have a date looming in the not-so-distant future, it’s time to get serious about a strategy for preparing.

Study Materials

My plan is to use a mix of study materials from different vendors.  I was (extremely) fortunate to win one of IPexpert’s End-to-End training packages at Cisco Networkers this year, which provides an electronic copy of all their self-study materials, along with a two-week instructor-led boot camp.

In addition, I was able to purchase the InternetworkExpert self-study package with their workbooks and classes-on-demand (thanks to their 4-month payment plan).  I’ve already been making use of both the IE and IPexpert technology lectures (both audio and video) in my CCIE Written preparation, and will continue to do so for the lab prep.

Finally, I purchased a copy of Narbik’s Advanced Technology workbook, based on many, many recommendations.  This has not yet arrived.

Strategy, Part One

For the first phase of my preparation, my plan is to break things down by major technology section (switching, RIP, BGP, QoS, etc.) and do a deep-dive on each one.  The basic strategy will be:

  • watch the InternetworkExpert class-on-demand videos for the technology

  • work through the IPexpert workbook 1 labs for the technology, using ProctorLabs rack rental for switching-related labs and my Dynamips lab for everything else.

  • work through the InternetworkExpert workbook 1 labs for the technology, but only the ones for which version 5 labs are available.  I’m not crazy about the format of the v4 labs since they don’t separate the questions from the answers, which in my mind makes it easier to “cheat” instead of learn.  I may still use them for review later, though.

  • work through Narbik’s workbook labs for the technology, using CCOnlineLabs rack rental for switching-related labs and my Dynamips lab for everything else.

In addition, I’ll be using the IE and IPexpert audio content on my iPhone whenever I’m out and about to fill in gaps, as well as downloading and reading the various PDF’s from CCO.

Strategy, Part Two

Once I’ve worked through each of the individual technologies, my plan is to use a combination of the IPExpert workbook two multi-technology labs along with some of the easier IE workbook two labs (difficulty 6-7) to start getting a feel for more involved lab scenarios.  That will build up to full practice labs using the IPexpert workbook three labs, the higher-difficulty IE labs, and finally both the IE Mock Labs and the 5-day IPexpert mock lab workshop.

…and somewhere in there, I’ll sleep. :-)

Ready for 4 Months of Stress and Lack-of-Sleep

And here… we… GO

RESERVATION INFORMATION:
Name: Brian Landers
Track: Routing and Switching
Lab date: January 07, 2009

LAB LOCATION and START TIME:
Cisco Systems
7025 Kit Creek Road
Lake Building, 3rd building on the left
Research Triangle Park, NC 27709

Yes, I'm Alive... and One Step Closer

CCIE Study Links

Moved this to its own page here.

AppleScript to telnet to a remote host via a bastion

AppleScript to SSH to my bastion host, then telnet to a remote host. Works best if you have RSA/DSA public-key authentication and an ssh-agent configured. Could probably use some better error handling.

set myBastion to "public.example.com"

tell application "iTerm"
  activate

  display dialog "Enter hostname:" default answer "none"
  set theResult to result
  set theHost to text returned of theResult

  -- reuse the front terminal window, or open one if none exists
  if (count of terminals) = 0 then
    set aTerm to (make new terminal)
  else
    set aTerm to (current terminal)
  end if

  tell aTerm
    set aSession to (make new session at end of sessions)

    tell aSession
      set name to theHost
      -- ssh -t allocates a tty on the bastion so the interactive telnet session works
      exec command "ssh -t " & myBastion & " telnet " & theHost
    end tell
  end tell

end tell
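As an added example that is not part of the original post, here is the same bastion-then-telnet step as POSIX shell functions, with the dialog-supplied target checked before it is spliced into the remote command line (the AppleScript above hands the dialog text straight to the bastion's shell via ssh). MY_BASTION and the function names are my own placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): validate the target before
# building "ssh -t bastion telnet <host> <port>", since ssh passes the
# remote command to the bastion's shell, which interprets metacharacters.
# MY_BASTION is a placeholder; replace with your own jump host.
MY_BASTION="public.example.com"

# Accept only a DNS name or dotted-quad IPv4 literal, optionally followed by
# ":port". Returns 0 when the string is safe to pass along, 1 otherwise.
valid_target() {
  case "$1" in
    ''|-*|*:*:*|*[!A-Za-z0-9.:-]*) return 1 ;;  # empty, option-like, or metacharacters
  esac
  port="${1#*:}"
  if [ "$port" != "$1" ]; then                 # a port was given: must be 1-65535
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  fi
  return 0
}

# Split "host:port" into the two telnet arguments (port defaults to 23).
target_to_args() {
  host="${1%%:*}"
  port="${1#*:}"
  [ "$port" = "$1" ] && port=23
  printf '%s %s\n' "$host" "$port"
}

# Connect through the bastion; ssh -t gives telnet a TTY on the far side.
jump_telnet() {
  valid_target "$1" || { echo "refusing unsafe target: $1" >&2; return 2; }
  set -- $(target_to_args "$1")
  ssh -t "$MY_BASTION" telnet "$1" "$2"
}
```

Call it as `jump_telnet r1.lab.example.com` or `jump_telnet 10.1.1.1:2001`; anything containing spaces, quotes or shell operators is refused before ssh is invoked.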

CCIE R&S Prep, Day 5

What I Did:

  • IEATC-RSv4.5 Day 6 Parts 1-2 – Catalyst Security: port security, storm control, 802.1x, Q-in-Q tunneling.  Other than Q-in-Q, mostly simple stuff that is minimally covered on the R&S exam but heavily on the security exam.  DocCD stuff, in other words.

Basically done with ethernet at this point.  I’ll probably spend some time going through the IPExpert audio class on the same content and reading CCO content, then it’s on to Frame Relay and PPP before diving into the real meat of CCIE with IGP/BGP.

CCIE R&S Prep, Day 4

What I Did:

  • IEATC-RSv4.5 Day 6 Parts 4-6 – Advanced Spanning Tree

Great coverage of STP by Brian McG. I especially liked the detailed examples of path manipulation, showing the effects of changing local cost and port priority on the upstream and downstream switches’ root port selection. Interestingly, he didn’t really cover the designated port selection process, probably because he was working from the IE lab topology (a full mesh). IPExpert’s STP material used a basic “square” network, which made it much clearer how the DP was selected vs. the blocking ports.

Received my paper copy of the Cisco Press exam guide, and started reading through the basic Ethernet and L2 switching material. I still need to go back through and update my study outline based on the book material; right now it’s only based on the IE class lectures. Once I finish the Catalyst Security lectures, I’m basically done with the switching side of things, so that’ll be a good opportunity to update my notes before diving into layer 3.

CCIE R&S Prep, Day 3

Note: I’m going to number my “CCIE days” based on when I actually study, not on calendar days.

Received my printed IE workbooks in the mail yesterday, along with IPExpert’s “hard drive of fun” containing their VoD and audio content. My mountain of study materials continues to grow.

Ordered a paper copy of the Cisco Press R&S exam guide to be able to study offline when I just have to get away from the computer for a bit. Even with my Macbook Air, sometimes it’s just not convenient to read on a laptop.

What I Did:

  • IEATC-RSv4.5 Day 1 Part 4 – Layer 3 Switching and EtherChannel

This was a lot of review, as we do a large amount of both at work. Good review of PAgP vs. LACP, though, which we mostly don’t use.

  • IPExpert Video-on-Demand Day 1 – Bridging and Switching

Quite a contrast to IE’s class-on-demand, and only a 5-day format instead of 10, so it was a bit less in-depth. Touched on several new points, though, that weren’t covered by IE. My first impression is that I prefer the IE format where the slides or consoles stay on the screen full-time, vs. switching back and forth to Scott Morris’s smiling face. :-)

Up Next:

  • IEATC Advanced Spanning Tree lectures

  • more CCIE LAN Switching and CCO review of switching content

  • onward and upward to layer 3!

No CCIE Today

Got no studying done today, since I spent 6 12 hours in line to get a new iPhone 3G.  It is very awesome.

links for 2008-07-12

Amazon.com: CCIE Routing and Switching Exam Certification Guide (3rd Edition) (Exam Certification Guide): Wendell Odom, Rus Healy, Naren Mehta: Books

The bible for CCIE R&S written exam studying. I have the electronic version from Safari but not the paper version yet.

(tags: books cisco certification ccie)

Links for 2008-07-10

CCIE R&S Prep, Day 2

What I Did:

  • IEATC-RSv4.5 Day 1 Part 2 – Ethernet

This section was mostly about trunking and DTP. Learned quite a bit, since we generally hard-code all of our trunks, so I was a bit rusty on the negotiation options.

  • IEATC-RSv4.5 Day 1 Part 3 – VTP

Lots on pruning, but mostly stuff I’ve worked on before.

Started an OmniOutliner document containing my class notes and notes from my expanded research. Need to find a clean way to mark up questions that I want to turn into flash cards.

Tomorrow is building on the Trunking and VTP class information using the CCIE LAN Switching book and CCO. Next up in the IE class is Layer 3 Routing and EtherChannel, followed by Frame Relay.

Resources:

Links for 2008-07-09

CCIE R&S Prep, Day 1

What I Did:

  • IEATC-RSv4.5 Day 1 Part 1 – Introduction

This was mostly just “how to prepare for the exam” material. Started a bit late in the evening, so I didn’t get much of a chance to dive into the technical content yet.

First day, starting fresh, so this is a bit light.

Resources:

Links for 2007-10-15

  • Paul Graham: The Equity Equation Interesting article from Paul Graham on how to determine if a VC equity deal, or a new hire stock offer, is a good value. Followup discussion on news.ycombinator.com is interesting as well. Tags: startup, business, venture-capital

  • Nora the Piano-Playing Cat (video) Pretty much just what the title says. Very cute. Tags: video, cute, cats

  • Prototype 1.5.1 released Final version out as of May 1 Tags: javascript, programming, web

  • Fark.com: Making Money Off of Goofy News Interview with Drew Curtis from Fark.com on NPR’s “All Things Considered.” Tags: interview, fark, web

  • CoRD Open-source remote desktop client for Mac OS X (based on the rdesktop code). Universal binary and much nicer than MSFT’s official client. Tags: osx, rdp, software, remote-desktop

  • Basics of Compiler Design Online textbook from a university professor in Denmark. Tags: online-books, education, compilers, computer-science

  • Wizard Entertainment Great interview with Joss Whedon discussing Wonder Woman, X4, Goners, and even Battlestar Galactica (the new one). Tags: interview, scifi-fantasy, buffyverse, joss, comics, movies

  • JavaScript Tools TextMate Bundle Lets you run Javascript Lint, JSMin, and Dojo Compressor from within TextMate Tags: textmate, osx, programming, webdev

  • Adobe CS3Clean Script Looks like you can’t just trash the Photoshop CS3 beta or install over it. You need this script to clean up Adobe’s mess before installing the release version. Tags: photoshop, adobe, osx

  • S5 Reloaded New enhanced version of the outstanding S5 browser-based presentation/slideshow system. Tags: powerpoint, presentations, webdev, javascript, ajax, css

  • How to Change the World Ten questions with Seth Godin about his new book. Tags: productivity, books, interview

  • Amazon.com: The Dip: A Little Book That Teaches You When to Quit (and When to Stick) Seth Godin has a new book out: “Whether you’re a graphic designer, a sales rep, an athlete, or an aspiring CEO, this fun little book will help you figure out if you’re in a Dip that’s worthy of your time, effort, and talents. If you are, The Dip will ins Tags: books, productivity

  • Amazon: ALL-ETT Billfold – Thinnest Wallet Ever Made Looks quite impressive. Can hold up to 30 cards without significant bulk. Tags: geektoys

  • Free Hosting of YUI Files from Yahoo! Awesome! Yahoo is allowing developers to serve up the YUI JavaScript, CSS, and image assets directly from their edge servers. Tags: yui, yahoo, javascript, hosting

  • macosxhints.com - TFTPd configuration and usage Very useful if you’re on a Mac and do router/switch admin. I always have to Google to remember the right steps to enable TFTP. Tags: sysadmin, cisco, osx, tftp

  • Y Combinator: Startup News Reddit-like web site focused on startups, from Paul Graham’s “Y Combinator” VC firm. Tags: startup, news

  • Third body pulled from giant sinkhole That’s the kind of hole from which you expect to see appear a giant worm of some sort. Tags: weird

  • Resolving Files with TextMate, Subversion, and FileMerge Nice little tutorial on using TextMate’s (somewhat poorly-documented) Subversion support, along with Apple’s FileMerge tool, to work through Subversion conflicts when updating a file. Tags: osx, programming, textmate, subversion

  • Getting to Deadline - Programmer Productivity Tips At Work (Getting to Done) Great collection of tips for being more productive. Many are specific to software development, but quite a few are applicable to any work. Tags: programming, productivity

  • Rails Envy: Acts_As_Ferret Tutorial Great rails plugin that makes model objects searchable using Ferret, the high-performance Ruby full-text search engine based on Apache Lucene. Tags: lucene, programming, ruby, rubyonrails, search

  • Advanced Linux Programming Full text available online. Published in 2001 and described as being for “[developers] already experienced with programming for the GNU/Linux system, are experienced with another UNIX-like system and are interested in developing GNU/Linux software, or wa Tags: books, linux, programming

Photosynth: Unbelievably cool demo

Photosynth is an incredible product (based on a technology called Seadragon) from Microsoft Live Labs for visualizing huge data sets. The demo video, from last year’s TED conference, is absolutely amazing.

Links for 2007-07-19

  • Paul Graham: The Equity Equation Interesting article from Paul Graham on how to determine if a VC equity deal, or a new hire stock offer, is a good value. Followup discussion on news.ycombinator.com is interesting as well. Tags: startup, business, venture-capital

Links for 2007-05-11

Links for 2007-04-30

  • CoRD Open-source remote desktop client for Mac OS X (based on the rdesktop code). Universal binary and much nicer than MSFT’s official client. Tags: osx, rdp, software, remote-desktop

Links for 2007-04-27

  • Basics of Compiler Design Online textbook from a university professor in Denmark. Tags: online-books, education, compilers, computer-science, -to-be-read

Republished my ADExport Script

Realized that at some point my script for exporting all email addresses from Microsoft Exchange got moved out of the document root. It’s back, and you can find it here. I haven’t tested it in a while (since we moved from Sendmail/SpamAssassin to IronPort at work), but it worked well enough when we were using it.

Links for 2007-04-23

  • Wizard: Joss Whedon Great interview with Joss Whedon discussing Wonder Woman, X4, Goners, and even Battlestar Galactica (the new one). Tags: interview, scifi-fantasy, buffyverse, joss, comics, movies

  • JavaScript Tools TextMate Bundle Lets you run Javascript Lint, JSMin, and Dojo Compressor from within TextMate Tags: textmate, osx, programming, webdev

  • Adobe CS3Clean Script Looks like you can’t just trash the Photoshop CS3 beta or install over it. You need this script to clean up Adobe’s mess before installing the release version. Tags: photoshop, adobe, osx

  • S5 Reloaded New enhanced version of the outstanding S5 browser-based presentation/slideshow system. Tags: powerpoint, presentations, webdev, javascript, ajax, css

  • How to Change the World Ten questions with Seth Godin about his new book. Tags: productivity, books, interview

  • Amazon.com: The Dip Seth Godin has a new book out: “A Little Book That Teaches You When to Quit (and When to Stick).” Tags: books, productivity

  • Amazon: ALL-ETT Billfold – Thinnest Wallet Ever Made Looks quite impressive. Can hold up to 30 cards without significant bulk. Tags: -wishlist, geektoys

Back Among the Living

I decided to start blogging again, assuming I can come up with something interesting to say. Back to using WordPress for the moment, along with MarsEdit and TextMate.