Sunday, May 29, 2016

Geeking Out This Weekend

No studying happening today, I'm geeking out with my Lego Dimensions game.  I bought it a while ago, just haven't had the time and energy necessary to assemble it on the same day until today.  As usual, the kids are having even more fun with it than I am.

Here's the base station and the game. I spent about a half hour putting it together.  I forgot how much fun Legos are.

And here it is lit up, with The Doctor added.


Saturday, May 28, 2016

Retro Computing, Modern Internet

A while back, there was a thread on the Techexams Forums about retro computing. I don't remember the exact purpose of the thread, but reading through it inspired me to fire up my oldest operating system running in a VM at the time, which happened to be Windows NT Workstation 4.0, and see what I could do with it.  Very little software written in the last decade will run on NT4, so the installation is pretty stock.  I think I just have an older version of 7zip and an era appropriate version of Microsoft Office.  There is a screenshot below.

In the screenshot, you'll see Windows NT with Internet Explorer 2.0 in all its glory, perusing the Techexams Forums.  The VM is running in Virtualbox, and as of version 5.0.10 (the version installed on my OpenSUSE workstation at the time this was written), the guest additions drivers CD still supports NT4.  Newer versions of Virtualbox may or may not still support Windows NT4, though I don't see any reason why they wouldn't.  And if anybody cares, I also have one NT4 Server running as a PDC and a second running as a BDC that also run perfectly fine in Virtualbox.

Since I was able to log in and make my post to the thread, I guess it was mission accomplished?

I believe current versions of VMware still support NT4.  Hyper-V does not, and as far as I know never did. Microsoft of course insists you upgrade to the latest/greatest version of Windows at your own expense.


Wednesday, May 25, 2016

ACLs by Country

Have you ever wanted to create an ACL by country?  There are a number of different ways you can go about it.  Certain models of firewalls have this functionality built in.  IOS based routers and ASA firewalls have no such capability, so we'll have to do this a bit more manually.  I'll present two methods.

The first method is detailed here.  In this post, wget goes out to the Internet and grabs the necessary data from the applicable RIR.  Some custom Perl code pulls out the subnets associated with that country and then builds the ACL.  This method is not for the faint of heart, nor for anyone who isn't fluent on the Unix command line.

A simpler way is through a website called Country IP Blocks.  Navigate to The Create Country ACL page on their site and you can select one or more countries to build an ACL for.  Then pick which format you want the results in.  Cisco ACL is just one of 12 options here, and then click "Create ACL" and you're done.  Other sites such as and provide similar functionality.

These lists get pretty long. Want one that will permit or deny United States based addresses?  That'll be 55,348 lines.  Want to create an ACL that will block Russia and China?  That's 27,386 lines.  Hope your router is maxed out on RAM.
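As an added example (not the Perl from the linked post), here is the same idea in Tcl, which runs under tclsh on a Linux or BSD box: parse records in the RIR delegated-file format, keep one country code, and emit Cisco extended ACL entries with wildcard masks. The sample records are constructed, and an allocation whose size is not a power of two is split into aligned power-of-two blocks so every line gets a valid wildcard mask.

```tcl
#!/usr/bin/env tclsh
# Added example: Cisco ACL from RIR delegated records (constructed sample data).
# Format of a delegated-file line: registry|cc|type|start|value|date|status
set sample {
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.32.0|8192|20110412|allocated
apnic|CN|ipv4|1.1.0.0|768|20110414|allocated
apnic|CN|asn|4808|1|20020602|allocated
}

proc ip2int {ip} {
    lassign [split $ip .] a b c d
    return [expr {($a << 24) | ($b << 16) | ($c << 8) | $d}]
}

proc int2ip {n} {
    return [format %d.%d.%d.%d [expr {($n >> 24) & 255}] [expr {($n >> 16) & 255}] \
                                [expr {($n >> 8) & 255}] [expr {$n & 255}]]
}

# Split {start count} into aligned power-of-two blocks so each maps to one wildcard mask,
# e.g. 1.1.0.0 with 768 addresses becomes 1.1.0.0 0.0.1.255 plus 1.1.2.0 0.0.0.255
proc blocks {start count} {
    set out {}
    while {$count > 0} {
        set size 1
        while {$size * 2 <= $count && $start % ($size * 2) == 0} {
            set size [expr {$size * 2}]
        }
        lappend out [list $start $size]
        incr start $size
        incr count -$size
    }
    return $out
}

# Return one ACL line per block for every ipv4 record whose country is $cc.
proc countryAcl {data cc {action deny}} {
    set lines {}
    foreach rec [split [string trim $data] \n] {
        lassign [split $rec |] registry country type start value
        if {$country ne $cc || $type ne "ipv4"} continue
        foreach blk [blocks [ip2int $start] $value] {
            lassign $blk first size
            lappend lines "$action ip [int2ip $first] [int2ip [expr {$size - 1}]] any"
        }
    }
    return $lines
}

puts "ip access-list extended BLOCK-CN"
foreach l [countryAcl $sample CN] { puts " $l" }
puts " permit ip any any"
```

Point it at a real delegated file from the RIR and the output is the ACL body; the line count is what the post warns about, so check the router's free memory before pasting it in.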

Saturday, May 21, 2016

No Copyright Infringement Intended

An often cited piece of United States law is "17 U.S. Code § 107 - Limitations on exclusive rights: Fair use." Fair Use, as it is commonly referred to, allows limited use of copyrighted material for a small set of purposes.   The YouTube crowd likes to cite it as the justification which allows them to post entire works (such as a song or an episode of a TV show).  They'll often follow up that citation with the phrase "No copyright infringement intended."   So that's all it takes?


Wednesday, May 18, 2016

TCL Scripting

According to its man page, "tclsh is a shell-like application that reads TCL commands from its standard input or from a file and evaluates them. If invoked with no arguments then it runs interactively, reading TCL commands from standard input and printing command results and error messages to standard output. It runs until the exit command is invoked or until it reaches end-of-file on its standard input."  The TCL Developer Xchange describes the TCL language as  "a very powerful but easy to learn dynamic programming language, suitable for a very wide range of uses, including web and desktop applications, networking, administration, testing and many more. Open source and business-friendly, TCL is a mature yet evolving language that is truly cross platform, easily deployed and highly extensible. "

The language was created by John Ousterhout at the University of California, Berkeley.  It's either installed by default or available through the package repositories in nearly every Linux distribution and flavor of BSD.  ActiveState maintains an edition called ActiveTcl.  The community edition has precompiled binaries for Windows, Mac and Linux.  The Enterprise Edition adds binaries for HP-UX, Solaris and AIX.  ActiveState is also the home of ActivePerl and ActivePython, which are solid editions of Perl and Python for the same platforms.

Tclsh was added to Cisco IOS in version 12.3(2)T and 12.2(25)S, and to Cisco NX-OS in Release 5.1(1) to provide scripting capability.  With it, you are able to run TCL commands directly from the Cisco IOS prompt, or to create and execute scripts written in the TCL language.  Just about anything you can do in tclsh on a Linux or BSD system can be done in tclsh on a Cisco router.  This of course assumes you're using straight TCL and not any add-on packages.

To use tclsh, simply type the command tclsh at the exec prompt.  To exit tclsh, type tclquit.  While within tclsh you can create scripts with the proc command, by typing proc script_name {, and then ending your script with a closing }.  A great example of the power of this scripting environment can be found in this post at INE, where Brian McGahan, along with an assist from reader Jason Cook, demonstrates a TCL script to generate a number of random IP addresses and subnet masks tied to Loopback interfaces.  I've used this script several times in the lab to quickly add routes into a routing protocol.  If you're feeling really adventurous, you can even get your router to Tweet.  And that's the beauty of scripting: you are able to quickly and easily automate the mundane tasks that aren't what you are working on and interested in, but still need to be accomplished.

And though it is not suggested, you can change your login shell on a Linux, BSD or Unix system to tclsh and do your day to day work in it as a means of learning the language and environment.  However, as noted, it's not suggested, because serving as a login shell wasn't among its design goals.  See this article for more details.

I'll be getting more into TCL on IOS in the near future.
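As an added example of the proc workflow described above (my own script, not the INE one), the following is typed into tclsh on an IOS router. It uses predictable addresses rather than random ones so the resulting routes are easy to verify, and it assumes the router's tclsh provides ios_config and exec, which IOS tclsh does.

```tcl
# Added example: typed at the tclsh prompt on an IOS router (not the INE script).
# Creates $count loopbacks, each with a /24 carved out of $base (e.g. 10.200),
# optionally advertises them in an OSPF process, then reads back the interface table.
proc addloops {base count {first 1} {ospf 0}} {
    for {set i 0} {$i < $count} {incr i} {
        set n [expr {$first + $i}]
        # third octet follows the loopback number, host .1, mask /24
        set addr "$base.[expr {$n % 256}].1 255.255.255.0"
        # ios_config takes a config-mode line followed by its sub-mode lines
        ios_config "interface Loopback$n" "ip address $addr"
        puts "Loopback$n -> $addr"
    }
    if {$ospf} {
        # one network statement covers every loopback carved from $base
        ios_config "router ospf $ospf" "network $base.0.0 0.0.255.255 area 0"
    }
    # exec runs a privileged-mode command and returns its output as a string
    puts [exec "show ip interface brief | include Loopback"]
}

# Remove the loopbacks again when the lab is done
proc delloops {count {first 1}} {
    for {set i 0} {$i < $count} {incr i} {
        ios_config "no interface Loopback[expr {$first + $i}]"
    }
}

addloops 10.200 5 1 1
```

Run delloops 5 before tclquit to put the router back the way you found it.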

Some Good References to Get Started:

The official reference from Cisco:
Cisco IOS Scripting with TCL Command

The Cisco book:
Tcl Scripting for Cisco IOS

Some books that come recommended by the TCL Developer Exchange:

Practical Programming in Tcl and Tk, 4th ed.
Tcl/Tk, Second Edition: A Developer's Guide
Tcl and the Tk Toolkit, 2nd ed.
Tcl/Tk 8.5 Programming Cookbook

Saturday, May 14, 2016

Hard Code DNS Servers with PowerShell

The following is a PowerShell script to quickly hard code DNS servers for every network interface present on a computer. It will overwrite the existing DNS servers configured on that machine's interfaces.  In this example, we'll be using the IP addresses for OpenDNS servers.

# The servers that we want to use: OpenDNS's published resolver addresses, as the post states
$newDNSServers = "208.67.222.222","208.67.220.220"

# Get all network adapters that already have DNS servers set (run this from an elevated prompt)
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.DNSServerSearchOrder -ne $null}

# Set the DNS server search order for all of the previously-found adapters.
# SetDNSServerSearchOrder returns 0 on success, so report anything else per adapter.
$adapters | ForEach-Object {
    $result = $_.SetDNSServerSearchOrder($newDNSServers)
    if ($result.ReturnValue -ne 0) { Write-Warning "$($_.Description): return code $($result.ReturnValue)" }
}

Thursday, May 12, 2016

Do the Google


It still surprises me that in 2016, there are still people out there who cannot, or will not, use Google to find the answer to their question.  I'm the admin of a large group on Facebook that exists primarily for people pursuing the CCNA certification, though most technical discussion that stays on the right side of the law is permitted.  Since we get at least one question a day that involves something that could be solved in 10 seconds with Google, such as "what is the CCNA?" or "what is Spanning Tree?", I've decided to put together a page explaining how to use Google to find what you're looking for.  And for the Microsoft slappies out there, you are more than welcome to try that other "search engine" as long as you're enjoying its crap results.  I for one very rarely got good results when I tried it a couple times in the past.

In case you were wondering, the title of this post, "Do the Google", came from a poster on Reddit by the name of /u/sajaschi, in the Tales from Tech Support sub-reddit, who heard it from a family member whose computer he supported.   I liked the term and immediately told him that I'm stealing it. The thread is here for completeness.

Wednesday, May 11, 2016

Intel NIC Teaming on Server 2008R2


In this post we're going to go through the process of configuring NIC Teaming on Server 2008R2, and I'm sure the process works the same on earlier versions of Windows Server as well.  Server 2012 and up have native support for NIC teaming that is independent of the drivers, so thankfully it's no longer necessary to set this up vendor by vendor.

While Windows Server does include a wide array of Ethernet drivers out of the box, we'll need to grab the latest driver and utility bundle directly from the Intel website.  The drivers that were available from Microsoft at the time I did this did not support teaming.  Go to the Intel website and search for the appropriate drivers for your server.

Now double click on the executable and install the drivers. Once installed, we have a number of additional features available. Note the before and after shots of the hardware properties.

Now we're ready to team the NICs.  This step will create a small period of downtime for the server, so make sure you're performing these steps in an approved maintenance window.  Note that you will also lose connectivity at one point, so make sure a remote desktop session is not your only means of access to this server.

First, open the control panel on the server. Then open the device manager in the control panel. Finally, hit the tick mark next to Network Adapters to show the server's NICs.

Double click on either of the NICs here. This brings up the properties for the device as follows.

Now click on the Teaming tab.

Check the box next to “Team this adapter with other adapters” and then click the box labeled “New Team…” that is no longer greyed out. The “New Team Wizard” now begins.

The name of the team is not important; pick whatever you like or take the default. Click next. In the next box, check the box next to all available NICs that you want to team, then click next. In the Select a team type box, select the appropriate type of teaming depending on what you're trying to accomplish with this team. Click finish to exit the wizard. This is the point where you'll lose connectivity, because IPv4 (and its settings, such as the IP address) is pulled off of each individual NIC.

Open the Network Connections box in Windows. Note that you now have a third interface called "TEAM: Team #0", or whatever you selected as the team name during the New Team Wizard.

Double click on the team and apply the appropriate addressing.

You can test the functionality of the team by starting a constant ping to an address (ping -t <address>), then pulling one Ethernet cable, replacing it, then pulling the other Ethernet cable. During my testing, I lost a single ping during this entire testing process.


Saturday, May 7, 2016

All of the P's

I can recall from my military days the phrase "Proper Prior Planning Prevents Piss Poor Performance."  You can easily substitute in Preparation in place of Planning here, but both get at the same point.  Of course I am doubting my recollection of the exact phrase now, and you'll see why here shortly.  In the military, this wasn't just a phrase, but a philosophy that they tried to instill in us and get us to live by.  It's about how you didn't just read through the requirements and then jot down some notes after thumbing through a manual or two.  It's about how we practiced for parades over and over again to get everyone in perfect sync, so onlookers would only hear one click, one pop on each movement and not 100 individual hands slapping their rifle.  Plan it out and put in the work, so your performance is perfect on game day.

Well, I was looking up the exact phrase a while ago, and I came across a blog post by a gentleman by the name of Simeon Martins who took this to an entirely new level.  In his post, he has a number of 5 P, 6 P, etc. takes on this old phrase.  And yes, I'm writing this entire blog post based on the chuckle I had reading Mr. Martins' post.

In the lab, this is how you should approach it. Don't just enable SSH on your router a couple times and think you've got it.  Configure SSH on all of the routers in your topology.  Explore all of the options you have for the various steps in the process.  Wipe the routers and do it all again.  You're not done after you've successfully configured it and logged in with Putty one time. You're not done after you've configured it a dozen times today.  Your repetition should include revisiting the topic again and again.  That's the Proper Prior Planning you need to put in. The Piss Poor Performance you're looking to Prevent would be failing your next certification exam.

Friday, May 6, 2016

Unsupported Claims in Shady Research

So I had a little time to kill today at work while a script ran, so I headed over to Google to look at recent articles regarding Netflow.  I'm currently working on the SENSS exam, and Netflow is the one of its topics where I'm still weak.  A little light reading is the best I can do while at the office; GNS3 is not an approved application, and I'd probably get some looks cracking open Network Security Technologies and Solutions at my desk.

So while looking through some choice academic output regarding various uses of Netflow data in detecting ssh brute force attempts, IPv4 address utilization and other interesting uses, I came across an article that caught my attention right away.  Yes, by Google I mean Google Scholar.   What can I say, I learn better reading applied science.  What caught my eye right away was the poor spelling and grammar right off the bat in the abstract.  I got to the literature review of this article and found this gem:

"VoIP technology was started in February 1995 by Vocaltec, Inc. in Israel. It transfers the voice over high speed network, cheaper comparing to PSTN and reachable to everywhere through internet by loon developed by Google with 4G LTE speed."  

The citation for this incredible statement is an overview of Google's Project Loon, a theoretical use of balloons to raise up wireless access points to eventually cover the globe with a wireless mesh network.  The article cited a third source discussing this project, which after 5 years has covered around 40 square miles of New Zealand.  While at first glance I had thought that they were implying that the core of the Internet was running on technology that was invented by Google, I'm not sure what they are actually implying is much better.  Additional balloons are not going to be deployed at the drop of a hat to provide VoIP to underserved areas.

So the bottom line is this.  You can't make grandiose claims that simply aren't supported by the literature in literature based research.  You may slide it past a professor who is overworked or just doesn't understand the material.  You may even slide it past the editors of The Indian Journal of Science & Technology.  But sooner or later this sloppy work is going to get picked up on.  I almost used their contact us page to complain.

Wednesday, May 4, 2016

Find IP Addresses for an AS Number

A very often asked question in the CCNA Facebook Group that I administer is how to block a website with an ACL. Naturally, a bunch of people will jump in with pinging the web server and then putting the IP address returned into the ACL, but for a major web site, this isn't going to work.  A major website is going to have multiple IP addresses serving up the content, and the IP address that gets returned when I attempt to resolve it likely won't be the same IP address that gets returned when I attempt to resolve it hours or even days later.  So the more knowledgeable members of the group answer (correctly) that the original poster should be looking into a proper firewall or proxy server to handle this job.

Monday, May 2, 2016

Backing up Your Blogger Images

In a couple of recent posts, I've covered how to back up your blog in Blogger. The problem is, this gives you an XML file containing all the text of your posts, but none of the images. So what about images? There is a lot of dated and flat out incomplete information on this around the Internet. And since a lot of my posts will be of no use without the screenshots that accompany the text, I for one care about backing up my images as well.

What you need to do to get to your images is to go to Picasa Web Albums. On this page, you'll see "My Recent Albums." One of those albums will be titled the name of your blog, and in it will be all of the images that appear in your blog posts. If you have more than one blog under this Google account, you'll see folders for each of your blogs. Unfortunately, they're all in one big folder, in the order that they were uploaded to your blog. So if you're like me and don't always finish one post before moving on to another, you may find that they are disorganized to some extent.  

Everything I've read so far stated that everything in Picasa would transfer automatically over to Google Photos, but that is not the case in my Google account.  So what to do, since Picasa is being retired? The Picasa APIs are deprecated, and none of the "Picasa Image Downloaders" that I tried appear to work any longer.

Since my collection on Picasa is just a few sets of screenshots, it wasn't a big deal for me to go through my blog post by post and save the images using DownloadThemAll, a great addon for Firefox.  But what about those with hundreds, or even thousands, of images?