I finally got me one
Wise words from an old friend
“I make a living doing nothing I don’t love to do, namely making music and writing words. I do not remember not wanting to do them. As far as I can tell, I could always play the piano and I could always write. I decided some time ago that this is how I would live, by my gifts, doing what I felt I was meant to do. I resolved to get up every day and work whether I had any paid work to do or not. I vowed to support myself at whatever level my music and my writing would bring in, and to give it away when I couldn’t sell it. I haven’t had a boring day since. That’s my advice: quit that job. Jump! I’m sorry I ever did anything else, to tell the truth, although it wouldn’t leave me with much of a story to tell if I hadn’t.
-David Vest
davidvestband.com
Full article:
http://www.cascadeblues.org/NWBlues/vest_david/vest_david-0311profile.htm
Automating Network Tasks With Expect
I just got an email about automating some configuration changes, so I figured I would just post about it and send the link.
Basically anything on a network device can be scripted with Expect as long as the device has SSH or Telnet access open. There are other ways, such as SNMP set, but I use Expect.
Here is a really simple one that you just run from a Linux shell:
#!/usr/bin/expect
# One-off script: log in to a device over Telnet, enter enable mode and
# swap the TACACS+ server entry. Telnet carries every credential in
# cleartext; "spawn ssh $username@$hostname" is the drop-in alternative.
set timeout 10
set hostname "10.4.5.6"
set username "name"
set password "password"
set enablepassword "itsasecret"
spawn telnet $hostname
expect "Username:" {
    send "$username\n"
    expect "Password:"
    send "$password\n"
    expect ">" {
        send "en\n"
        expect "Password:"
        send "$enablepassword\n"
        expect "#" {
            send "config t\n"
            expect "#"
            # A quoted Tcl string may span lines, so the whole change is
            # sent at once. The continuation lines must stay unindented:
            # leading spaces would be sent to the device as part of the line.
            send "no tacacs-server host 10.4.11.2
no tacacs-server key 1 *******
tacacs-server host x.x.x.x
tacacs-server key ********
wr me
exit
"
        }
    }
    # Hand the session back to the operator so the result can be checked.
    interact
}
Here is a more automated one that wraps Expect in a shell loop and takes a list of IP addresses from a separate text file named "fw_IP.txt" (or whatever you like, just change the filename in the for loop at the top of the script as well):
#!/bin/sh
# Usage: ./script.sh username password enable-password
#   $1 = username, $2 = password, $3 = enable password
# Arguments are visible to every local user in "ps"; a prompt (read -s) or a
# private environment variable is the safer way to hand credentials in.
for i in $(cat fw_IP.txt); do
  # The Tcl script is one single-quoted shell string. Each '"$var"' closes
  # the single quotes, inserts the shell variable and reopens them. Do not
  # put a backslash in front of the inserted value: Tcl would treat "\a",
  # "\n", "\u..." etc. as escape sequences and mangle the username.
  expect -c '
    set timeout 15
    spawn telnet '"$i"'
    expect -re "(sername:|ogin:)" { send "'"$1"'\r" }
    expect -re "assword:" { send "'"$2"'\r" }
    expect -re "(>|#)" { send "enable\r" }
    expect -re "assword:" { send "'"$3"'\r" }
    expect -re "(fw1|fw2|fw3)(>|#)" { send "show arp\r" }
    expect -re "(>|#)" { send "show run | in static\r" }
    expect -re "(>|#)" { send "exit\r" }
  '
done
Cisco storm control again
This document provides an overview of Cisco’s Storm Control including configuration steps and examples as well as implications of using storm control.
The purpose of storm control is to prevent a packet storm from over-utilizing the resources of a switch. By default storm control is not configured and must be enabled on a per-interface basis. There are three types of storm control: unicast, multicast, and broadcast. Each is configured separately using the following options, taken from Cisco's website:
Step 1: configure terminal
  Enter global configuration mode.

Step 2: interface interface-id
  Specify the interface to be configured, and enter interface configuration mode.

Step 3: storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
  Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.
  The keywords have these meanings:
  • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0.00 to 100.00.
  • (Optional) For level-low, specify the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.
  If you set the threshold to the maximum value (100 percent), no limit is placed on the traffic. If you set the threshold to 0.0, all broadcast, multicast, and unicast traffic on that port is blocked.
  • For bps bps, specify the rising threshold level for broadcast, multicast, or unicast traffic in bits per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
  • (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
  • For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
  • (Optional) For pps-low, specify the falling threshold level in packets per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
  For bps and pps settings, you can use metric suffixes such as k, m, and g for large number thresholds.

Step 4: storm-control action {shutdown | trap}
  Specify the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.
  • Select the shutdown keyword to error-disable the port during a storm.
  • Select the trap keyword to generate an SNMP trap when a storm is detected.

Step 5: end
  Return to privileged EXEC mode.

Step 6: show storm-control [interface-id] [broadcast | multicast | unicast]
  Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.

Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable storm control, use the no storm-control {broadcast | multicast | unicast} level interface configuration command.
For configuration, use the following commands:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# storm-control unicast level pps 60k 50k
This configuration stops forwarding unicast packets when the traffic on the interface reaches 60k packets per second, and does not begin forwarding them again until the rate drops below 50k packets per second.
Note: Some customers will require a higher threshold or may need unicast storm-control disabled on certain interfaces to support extremely high bandwidth services.
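As an added example (not code from the page or from Cisco), here is a small Python model of the threshold semantics in the table above: the port blocks when the rising level is reached, forwards again only when traffic drops below the falling level, 100 percent means no limit, 0.0 blocks everything, and the shutdown action error-disables the port. The class and function names are mine, and the sample rates in the comments are constructed.

```python
# Added example (not from the page or Cisco): a model of the storm-control
# rising/falling thresholds described above, so the hysteresis of
# "storm-control unicast level pps 60k 50k" can be checked against sample
# traffic rates. All values here are constructed; nothing talks to a switch.

_SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_threshold(text: str) -> float:
    """Parse a threshold such as '60k', '1.5m' or '75.25' into a number."""
    text = text.strip().lower()
    if text and text[-1] in _SUFFIX:
        return float(text[:-1]) * _SUFFIX[text[-1]]
    return float(text)


class StormControl:
    """Storm control for one traffic type (broadcast, multicast or unicast)
    on one interface. unit is "level" (percent of bandwidth), "bps" or "pps";
    action is "filter" (default: drop the excess), "trap" (filter and send an
    SNMP trap) or "shutdown" (error-disable the port)."""

    def __init__(self, unit, rising, falling=None, action="filter"):
        self.unit = unit
        self.rising = parse_threshold(rising)
        # No falling level given: it is set to the rising level.
        self.falling = self.rising if falling is None else parse_threshold(falling)
        if self.falling > self.rising:
            raise ValueError("falling threshold must be <= rising threshold")
        self.action = action
        self.blocking = False
        self.errdisabled = False
        self.traps = 0

    def observe(self, rate: float) -> str:
        """Feed one measured rate (same unit as the thresholds); return the
        port state for this traffic type: forward, block or errdisable."""
        if self.errdisabled:
            return "errdisable"
        if self.unit == "level" and self.rising >= 100.0:
            return "forward"  # 100 percent: no limit is placed on the traffic
        if not self.blocking and rate >= self.rising:
            self.blocking = True  # rising threshold reached: storm detected
            if self.action == "trap":
                self.traps += 1
            elif self.action == "shutdown":
                self.errdisabled = True
                return "errdisable"
        elif self.blocking and rate < self.falling:
            self.blocking = False  # below the falling level: forward again
        return "block" if self.blocking else "forward"


def run_samples(sc: StormControl, samples):
    """Return the port state after each sample rate in turn."""
    return [sc.observe(r) for r in samples]
```

Feeding the 60k/50k interface the constructed sequence 55k, 60k, 58k, 50k, 49,999 pps gives forward, block, block, block, forward, which is the behaviour the note above describes.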
Cisco ASA and Windows Streaming Media
This document provides a short overview of the limitations of Windows Streaming Media Services when using a Cisco ASA Firewall.
Protocols Used by Windows Media Services 9
Microsoft Windows Media Services 9 uses two protocols to deliver streaming media to client computers: RTSP (Real Time Streaming Protocol) on TCP port 554, and MMS (Microsoft Media Server) on TCP port 1755. If these ports on a firewall cannot be opened, port 80 (HTTP) can be used to stream content via a Windows plug-in. However, if any other service, such as IIS, is using port 80 on the same IP address, you cannot enable the plug-in.
Protocol Rollover
Earlier versions of Microsoft Media Player do not support RTSP, so Microsoft Media Services 9 features automatic protocol rollover. If a computer tries to connect using an earlier version of Windows Media Player using an MMS URL (mms://server/video.file), the best protocol is automatically negotiated.
Limitations
Many protocols open secondary TCP or UDP ports. The initial session negotiates a connection using a well-known port number (0 to 1023) and dynamically assigns any additional port numbers. When application inspection is used on a firewall, the firewall monitors sessions and the dynamic port assignments for each session. By default, the ASA configuration matches all application inspection traffic on all interfaces; however, RTSP inspection does not support NAT, so rtsp inspection must be disabled on the firewall.
Solution
Since all application inspection is on by default on Cisco ASA firewalls, the configuration must be changed. This can be done by changing the global inspection policy as shown below:
policy-map global_policy
 class inspection_default
  no inspect rtsp
This can also be done in ASDM using these steps from the Cisco website:
Step 1 Click Configuration > Firewall > Service Policy Rules.
Step 2 Add or edit a service policy rule according to the “Adding a Service Policy Rule for Through Traffic” section on page 23-4. If you want to match non-standard ports, then create a new rule for the non-standard ports. See the “Default Inspection Policy” section for the standard ports for each inspection engine. You can combine multiple rules in the same service policy if desired, so you can create one rule to match certain traffic, and another to match different traffic. However, if traffic matches a rule that contains an inspection action, and then matches another rule that also has an inspection action, only the first matching rule is used.
Step 3 On the Edit Service Policy Rule > Rule Actions dialog box, click the Protocol Inspection tab.
For a new rule, the dialog box is called Add Service Policy Rule Wizard – Rule Actions.
Step 4 Check each inspection type that you want to apply.
Step 5 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. Click Configure for each inspection type to configure an inspect map.
You can either choose an existing map, or create a new one. You can predefine inspect maps from the Configuration > Firewall > Objects > Inspect Maps pane. See the “Inspect Map Field Descriptions” section for detailed information of each inspect map type.
Step 6 You can configure other features for this rule if desired using the other Rule Actions tabs.
Step 7 Click OK (or Finish from the wizard).
What I miss about the Navy
The view from midships
Flying fish
Being able to yell at my boss
2 hour lunches
Being able to leave work at work
Rough seas
The feeling of cruising past the Sumitomo towers on the way back to Yoko
Snow on the ground in Ikego
Christmas parties at my house
The beach at Shichirigahama
The young sailors that were eager to learn
Plenty of time to read/study
Free Routers? Yes we can!
I set this up on my laptop just to try out the Vyatta platform, but it can, and should, be run on dedicated hardware for any practical use. Here's how I set it up:
1. Download and install the (free) VMWare Player.
2. Download the VC5 Virtual Appliance from Vyatta.
3. Unzip the files to a new folder.
4. Double click the .vmx file in the folder and VMWare Player will open.
5. Click “Power on this virtual machine”.
6. The Vyatta router appliance will boot up and ask for your username and password, which are “vyatta” and “vyatta”.
7. After you have logged in you will probably want to enable web (GUI) access, which will require a few configuration changes. Start by typing “configure” to enter configuration mode.
8. Set up an interface for your internal network. Example: "set interfaces ethernet eth0 address 192.168.0.1/24"
9. Enable web access: "set service https".
10. Then you have to save your changes by typing “commit”.
11. Now open your web browser and enter the address you gave the router.
12. If you get the certificate error, just click “continue to this website…”
13. Log in using the default username and password "vyatta".
Packet Tracer
"I'll never use this thing. I know what my access lists will do." That is what I said when I first saw the Packet Tracer tool on an ASA. And I never did use it, until today.
I was troubleshooting an SQL connection between two servers on different VLANs, and I had already checked my ACLs, so I figured it was probably some software firewall on the servers. I was asked to check again, and I couldn’t find any reason why the traffic wasn’t going through. That’s when I decided to try out the Packet Tracer.
I watched with pleasure as the animation showed each check box filled in with one green check after another. Until the very last one. The last checkbox was for NAT exemption, and it was filled with a big old red X.
I was not happy that it actually was a network problem, but I was happy that I used a tool instead of using my brain because I probably wouldn’t have looked for the NAT exemption for a very long time since it was supposed to have been configured when that environment was turned up (you know who you are lol..).
So I guess nine times out of ten, you don’t really need to use the Packet Tracer, but keep it in the back of your mind for when your mind is playing tricks on you.
I made a quick little video of how the Packet Tracer works. It's my first screencast, but I'm sure it won't be my last, given how nice Jing is to use.
If it helps, do it
Back when I was in the world’s finest navy, we had a mentor program. It was mandatory. I hated it. I didn’t think there was anybody on that ship who could help me with anything. I had goals that had nothing to do with the Navy. I was already taking classes online, getting certifications, and basically getting ready for when I would be a free man again.
But when my end of enlistment was getting close, I started going crazy. My wife and kids were in Houston, I was out at sea, and all of the hoops I needed to jump through to get processed out were back in Japan. The last thing I wanted to do was to stay out at sea or in Japan any longer than I had to. Not even a day. I hadn’t seen my wife and kids in 4 months.
I started talking to my mentor. In fact, I even got an extra one. One of them was a really crusty, salty, old and single master chief. I didn't really want to learn to be like him or anything, but he knew the Navy inside-out. He knew all of the forms and policies, and he even knew a lot of the people at the offices I needed to call or go to.
The other guy was very cool. He was a chief and had been married for twenty-something years, and I really respected him. I told him I was having a rough time and he gave me some solid advice as well as listening and understanding.
So that is why I have initiated a formal mentoring program where I work. I had mentioned it to my boss before. I even put it on my annual review in the “what would improve your job satisfaction” section. But nothing happened. So yesterday I sent an email to one of the VPs, and he forwarded it to the CEO. I now have a meeting set up on Monday with the director of Human Resources.
Fishing is my war
Fishing is my war. My Sunday football game. I have my charts, I check the tides, I check em again. I check the wind forecast. I check the moon phase. I choose my target. I would usually go to a place on the west end of Galveston. As soon as it was light enough to see, I would get out of the car, parked next to the cow field. I put on my waders, my polarized sunglasses, grabbed my float-well and rod and walked to the water. Sometimes I would start far inside the cove, where the water was barely knee deep. Casting, retrieving, casting, retrieving. It was in this area that I caught my trophy flounder. The water was only a few inches deep, and I didn’t feel much of a bite. I felt like I was snagged on a log, until she shook. I could tell it was something massive. It was exhilarating. I was so scared to lose her once I finally got a look at her that I waded over to a patch of grass and climbed out of the water before I tried to get her off of the hook. She turned out to be a 24″ hog. I wish I had gotten her mounted, but she and the seven trout I caught the next day made a feast. That era was one of the best times of my life. I would love to relive it. I fished like crazy, and I did it, for the most part, completely alone. I did the planning and preparations, and the driving and the catching and the cleaning and everything else by myself. Everything except the eating. I caught so many fish in those days that I would come home and start filleting and then I would have to stop and sleep and fillet some more. I always had fish. If not fresh, I always had plenty in the freezer. That cove was my spot. I knew every inch of it. I fished it from first light until pitch dark on many occasions. I would cover a lot of territory, casting in every direction until I got a bite. I never wanted to leave. Even if I had done well, I was on a quest. I was obsessed with it. I loved the sunsets. I saw so many of them. So beautiful, so quiet, so peaceful. 
The only sounds were the seagulls and pelicans. Sometimes there were flamingos. The sound and the splash of a big trout hitting my topwater lure, and the forceful tug on my line, finding its way to my wrist, where the muscles maxed out in a quick twitch to set the hook, then easing the tension and feeling the fish's movements. Swinging her around to one side as I let her run, then quickly but smoothly arcing my rod back in the other direction. Like a cobra, trout seem reluctant to make their move while their opponent is still making their own moves. By keeping steady tension and keeping the rod in a smooth motion from side to side in long sweeping arcs, you will keep a trout from spitting the lure most of the time, but they are smarter than you think. Try to keep constant pressure on an older, wiser trout, and see what she does. They have their own tricks, and they don't always stay on the defensive. When they jump out of the water in a massive leap, shaking that powerful head so hard that it vibrates down the line and through the rod straight to your wrist and down to your elbow, and then, nothing. Slack line. You'll know what I'm talking about. Another, more in-your-face tactic is for them to swim full speed, straight towards your legs. The novice trout fisher won't know what is going on until it's too late. One of two things will happen: either you'll react and reel like crazy to try to catch up and tension the line again, usually to find that there is no more tension, the moment has gone slack with your line, or she will run right between your legs in an attempt to knock the lure off. She sees your legs as a piece of structure, a tool at her disposal. You see your legs as the new target of those two treble hooks, razor sharp, affixed to your Top Dog lure. More experienced fishermen have learned to always keep their legs together when fighting a trout in her element.