MPLS Redundancy solutions

MPLS (Multiprotocol Label Switching) is a popular network solution among companies with branch offices. There are several MPLS redundancy solutions, ranging from costly to cost effective. We won’t go into the technical details of setting them up, but will more or less explain the solutions that are out there.

The ideal solution would be setting up a complete MPLS network with another service provider. This is probably the most costly solution; however, it will give you the greatest results.

Another solution is to have point-to-point connections to the branch offices. This can be costly as well, depending on how many branch offices there are and which other offices they need connectivity to.

The most cost-effective solution will only give marginal performance, depending on the load. You can set up an IPsec VPN between offices using your typical broadband connections (cable, DSL). I’m actually currently in the process of setting this up for a small office that needs connectivity to a main office in the event that its MPLS link goes down.

Automating the fail-over process for these solutions should be no different than doing it for a dedicated circuit. There are multiple ways of going about it: dynamic routing, load balancing, and setting different metrics for the two different routes are a few of them.
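As an added example (not from this post), here is how the ‘different metrics’ approach looks on a Cisco IOS branch router: the MPLS route is preferred, and a floating static route over an already-configured IPsec tunnel takes over when a tracked probe to the provider edge fails. The interface names, the 192.0.2.1 next hop and the 10.20.0.0/16 main-office prefix are constructed placeholders.

```cisco
! Added example, not the post's own configuration.
! Constructed topology:
!   GigabitEthernet0/0 - MPLS hand-off, provider edge next hop 192.0.2.1
!   Tunnel0            - IPsec tunnel to the main office over broadband
!                        (assumed to be configured already)
!   10.20.0.0/16       - main-office networks reachable both ways
!
! Probe the provider edge every 10 seconds. A failure inside the
! carrier network leaves the local interface up/up, so interface
! state alone is not a reliable fail-over trigger.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe's reachability.
track 1 ip sla 1 reachability
!
! Primary route: default administrative distance (1), withdrawn from
! the routing table when track 1 goes down.
ip route 10.20.0.0 255.255.0.0 192.0.2.1 track 1
!
! Floating static route: distance 250 keeps it out of the table while
! the MPLS route is present; it is installed automatically on failure
! and removed again when the probe recovers.
ip route 10.20.0.0 255.255.0.0 Tunnel0 250
!
! Verify from exec mode:
!   show track 1            - probe state and the route it controls
!   show ip route 10.20.0.0 - which path is currently installed
```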

This was just to give you an idea of what types of solutions are out there. In a later post, I will go into detail about the equipment that can be used and some example configurations of the scenarios given the different equipment.

Introduction to the OSI model

Knowledge of the OSI model is crucial in network troubleshooting. Not only is it important to have a good grasp of the OSI model for network troubleshooting, but also if you plan on pursuing any of the Cisco certifications. The OSI model will provide you with an excellent foundation for troubleshooting, giving you a starting point and letting you work your way through the model to find issues in network connectivity.

The Open Systems Interconnection (OSI) model consists of seven layers of network architecture. These layers are the Application, Presentation, Session, Transport, Network, Data-Link, and Physical layers. For the most part, if you’re a network administrator like me, most of your work will be concerned with the first three layers: Physical, Data-Link, and Network.

Now let’s break down the different OSI model layers and what they do:

Layer 7 – Application Layer

The Application layer is generally the closest to the end user. This is where the end user interacts with software in order to communicate across a network. General examples of protocols at this layer are Telnet, HTTP, FTP, and SMTP.

Layer 6 – Presentation Layer

The Presentation layer is where data from the Application layer is taken and encapsulated into a form that can travel across a network. This layer converts data between the formats used by the Application layer and the Session layer, in either direction.

Layer 5 – Session Layer

The Session Layer maintains communications or connections between nodes on a network. It establishes, maintains, and terminates sessions. It can operate in full-duplex, half-duplex, or simplex modes. Any checkpointing or recovery operations in TCP usually happen on this layer. An example of this layer in action would be an application that uses RPC to execute actions remotely in another address space.

Layer 4 – Transport Layer

The Transport layer is where reliability is controlled through flow control, (de)segmentation, and error control. This is where all data is transferred between end users. Error checking happens on this layer, and it can retransmit any failures. Examples of implementations of this layer are TCP and UDP.

Layer 3 – Network Layer

The Network layer, my favorite, is where all routing happens on a network. This is where data is transferred to its destination across one or more networks, and where routers operate. Data travels across this layer a lot like traveling the highway system: it flows between different routers (hops) to finally make it to its destination. The best-known implementation of the Network layer is the Internet Protocol, or IP, as it is most commonly called.

Layer 2 – Data-Link Layer

The Data-Link layer is where data is transferred between nodes on a network. This layer has the capability to detect and correct errors that might have occurred on the Physical layer. One of the most well-known implementations of this layer is Ethernet, and you will find most network switches on this layer. The Data-Link layer provides a connection across the physical link by using vendor-assigned hardware MAC addresses rather than the assigned IP addresses the Network layer uses.

Layer 1 – Physical Layer

The Physical layer is where all electrical and physical connections are made. On this layer you will find cabling, hubs, and network adapters, to name a few. Where the Data-Link layer connects multiple nodes, the Physical layer is mostly concerned with connecting a single device to the network medium.

That’s a rough introduction to the OSI model. There is a lot more theory to it, but I just wanted to give a quick overview.

All your troubleshooting efforts should start at layer 1, what I like to call ‘checking the basics’. Bypassing layer 1 can cost you a lot of time in troubleshooting. I generally make sure cables are plugged in and all devices are powered on. A lot of times you may find a simple, easy-to-correct issue here and save yourself a lot of grief troubleshooting the higher layers. From there you can just work your way up the layers. This will provide good coverage of possible failures or misconfigurations across the network.

Some network administrators, myself included, talk of a ‘Layer 8’. This is the actual end user. I like to call this ‘operator head space and timing’. You should be able to judge and categorize your end users by level of knowledge if you’ve been working with them for some period of time. You can usually skip straight to ‘Layer 8’ if you’re able to identify the issue with the end user from their complaint. This of course is not part of the Cisco certification process and has more to do with experience in dealing with end users, which you will learn on the job.

How to configure DHCP on a Cisco Router

I prefer running DHCP on a server within the network, but if it comes to it, you do have the option of configuring DHCP on a Cisco router. I do believe some of the newer Cisco Catalyst switches have this ability too.

We are going to assume you already have a Cisco router set up and in service on your network.

The first thing you will want to do is log in to your router and go into config mode. Once in config mode, you will want to set up a DHCP pool.

Router(config)# ip dhcp pool newpool

You can replace ‘newpool’ with whatever you choose to name your DHCP pool. The next thing we want to do is tell the router the network and subnet mask.

Router(dhcp-config)# network x.x.x.x y.y.y.y

Replace x.x.x.x with the network address and y.y.y.y with the subnet mask. Next we will tell the router what DNS domain name the clients will use.

Router(dhcp-config)# domain-name domain.com

Obviously, you will replace ‘domain.com’ with your domain. Now we need to tell the router the primary and secondary DNS server IP addresses to be used in the DHCP scope.

Router(dhcp-config)# dns-server 1.1.1.1 2.2.2.2

Replace 1.1.1.1 with your primary DNS server and 2.2.2.2 with your secondary DNS server. Next, we need to specify the default gateway or router.

Router(dhcp-config)# default-router x.x.x.x

Replace x.x.x.x with your default gateway or router IP address. Next we want to specify the length of the lease of the addresses assigned by the DHCP server.

Router(dhcp-config)# lease 7

Here I have set the lease to expire in 7 days. Alternatively, you can use the syntax ‘lease DAYS HOURS MINUTES’, replacing those variables with the obvious values. You can even go as far as setting it for an infinite period of time using ‘lease infinite’.

This pretty much sums up setting up DHCP on a Cisco router with IOS. I do want to show you one more thing. Suppose you want to exclude some IP addresses that you want to reserve for static devices. The following command needs to be performed in global configuration mode, so type ‘exit’ first if you are still at the last step.

Router(config)# ip dhcp excluded-address x.x.x.x y.y.y.y

You will want to replace x.x.x.x with the start address of the range you want to exclude and y.y.y.y with the end address. Example: ‘ip dhcp excluded-address 192.168.100.0 192.168.100.100’. This will exclude addresses all the way up to 192.168.100.100. Therefore, DHCP will start assigning IP address leases at 192.168.100.101.

Now that we have set up our DHCP scope, we can enable the DHCP service.

Router(config)# service dhcp

Now you should be able to grab an IP address via DHCP. Don’t forget to save your configuration.
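Putting the steps above together as an added example (not the post’s own configuration): a complete DHCP scope for a constructed branch subnet, 192.168.100.0/24, with the router itself as the gateway at .1, constructed DNS server addresses, and the exec-mode commands used to verify what the router actually hands out.

```cisco
! Added example, not the post's own configuration.
! Constructed subnet 192.168.100.0/24; the router is the gateway at .1,
! and .2 - .100 are reserved for servers, printers and other static hosts.
!
! Exclusions are global configuration, not part of the pool.
! Nothing in this range is ever leased, whatever the pool says.
ip dhcp excluded-address 192.168.100.1 192.168.100.100
!
! Ping a candidate address twice before offering it, so a statically
! configured host that was not excluded does not get a duplicate.
ip dhcp ping packets 2
!
ip dhcp pool BRANCH-LAN
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 192.168.100.10 192.168.100.11
 domain-name example.com
 lease 7
 exit
!
! Leases start at .101, the first address after the exclusion.
service dhcp
end
!
! Verify from exec mode:
!   show ip dhcp pool BRANCH-LAN   - pool size, leased count, excluded range
!   show ip dhcp binding           - current leases with client ID and expiry
!   show ip dhcp conflict          - addresses the ping probe found in use
!   show ip dhcp server statistics - DISCOVER/OFFER/REQUEST/ACK counters
```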

How to enable SSH on a Cisco Router or Switch

I know a lot of network administrators have long used telnet to remotely manage Cisco routers. My preferred method of accessing these routers remotely is SSH. It is secure and encrypted, versus telnet, where all data is transferred in clear text, making it easy for ‘sniffers’ to reveal important information that can be used in an attack.

Anyhow, let’s get started.

This assumes you have already logged in to your Cisco router and are in enable mode.

First, you want to check whether SSH has already been enabled.

Router# show ip ssh
%SSH has not been enabled

If you see the result above it obviously means that SSH has not already been enabled on this device.

On with the configuration:

You will want to configure a hostname on your router. This is performed in configuration mode (note the prompt).

Router(config)# hostname Router1

The hostname has been set. Now we will configure a domain name for the device.

Router1(config)# ip domain-name Domain1

The domain name has been set. Now we want to generate an RSA key pair.

Router1(config)# crypto key generate rsa modulus 1024

Next we will set a timeout interval.

Router1(config)# ip ssh time-out 120

This sets a time limit of 120 seconds for the SSH session to negotiate.
You can also set a maximum number of retry attempts in case of a failed negotiation.

Router1(config)# ip ssh authentication-retries 3

This sets the maximum number of retries to 3.
The next thing we will do is change the default port for SSH from 22 to 8855. This is not necessary, however I do recommend it for an added level of security.

Router1(config)# ip ssh port 8855

At this time you can log off of the Cisco device and test the connection with a terminal client. In Windows I like to use PuTTY and in Linux or OSX I use the ssh command in the terminal.

Once you’ve logged in and verified the connection is good you can disable telnet access.

Router1(config)# line vty 0 4
Router1(config-line)# transport input ssh

Now the only way you will be able to remotely access your Cisco device is via SSH on the port you specified earlier, if you opted to change the default port.

Now to save your configuration changes to the Cisco device, you want to save the running-config to the startup config. There are 2 ways of performing this. I will show you both ways, but you should already know this by now.

Option 1

Router1# wr mem

Option 2

Router1# copy running-config startup-config

Now your new configuration should be saved. One last thing we can do to verify the SSH configuration is repeat the first command in this tutorial.

Router1# show ip ssh
SSH Enabled - version x.x
Authentication timeout: 120 secs; Authentication retries: 3

We should see the above result with the configuration that we performed.

That concludes setting up SSH access on your Cisco router or switch. I highly recommend using SSH over telnet especially if you will be managing your device remotely. Telnet will give you absolutely no protection from sniffing.
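As an added example, not the post’s own configuration, here is the complete SSH setup with the pieces a practitioner would want alongside the steps above: a local user account (SSH logs in with a username, which the steps above do not create), a 2048-bit key, SSH version 2 only, and an access list limiting which subnet may open management sessions. The hostname, domain, user name, password placeholder and 192.168.100.0/24 management subnet are constructed; the non-standard port from the post is left out.

```cisco
! Added example, not the post's own configuration.
hostname Router1
ip domain-name example.com
!
! SSH authenticates with a username and password. Without an account,
! "transport input ssh" on the vty lines locks everyone out.
! Replace the placeholder with a real, strong password before use.
username netadmin privilege 15 secret CHANGE-ME-PLACEHOLDER
!
! 2048-bit key (the post uses 1024, which is below current guidance).
crypto key generate rsa modulus 2048
!
! Refuse the older SSHv1 protocol; cap negotiation time and retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may reach the vty lines; log the rest.
ip access-list standard MGMT-ACCESS
 permit 192.168.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 login local
 access-class MGMT-ACCESS in
 exec-timeout 10 0
!
! Protect the console the same way; it remains the out-of-band fallback.
line con 0
 login local
 exec-timeout 10 0
!
end
!
! Test a new SSH session before closing the current one, then save:
write memory
```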

Microsoft to allow Windows 7 users to downgrade to XP or Vista

Microsoft has confirmed that it will allow Windows 7 OEM consumers to downgrade to Windows Vista or Windows XP.

Many of you might know that this is business as usual. Volume licensing users have long had the ability to use their licenses to install a version back. Normally this was restricted to one version back, but for a limited time Microsoft OEMs will allow customers to downgrade two Windows versions back. This will allow customers to select versions of Windows as old as XP.

Since Windows 7 is just a refresh of the mixed-reviewed Windows Vista operating system, we at illcommunications thought this was inevitable. We do, however, feel that Windows 7 is a major improvement over the Windows Vista platform.

As with prior versions of the Windows operating system, some business users will probably elect to continue utilizing Windows XP in their business environments for some time. We don’t believe that Microsoft’s offering of downgradability is any judgement of what Windows 7 will be, but more of a convenience and hopefully continued support of the Windows XP platform for those that are less likely to be early adopters of the new operating system.
