Archive for January, 2009

Routing Challenge

Thursday, January 29th, 2009

I was dealing with an issue the other day at work that was kind of challenging and made my brain hurt…


Note the diagram below.

Before Network

What we have is a simplified diagram of four routers. Rtr A and Rtr B are connected to our global AT&T MPLS carrier and receive routes via BGP from our other corporate BGP sites (as expected). Rtr A and Rtr B also advertise their own networks back out, providing reachability to the subnets behind Rtr A and Rtr B as well as those behind Rtr C and Rtr D. End-to-end connectivity is easily achieved with a bidirectional exchange of route information; that is not the challenge here.
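As an added illustration of the route exchange described above (this is not config from the original post), here is what Rtr A's eBGP session to the carrier might look like. The AS numbers, neighbor address, prefixes and password are placeholders; the point is that what goes out to the carrier is pinned to an explicit prefix-list, so a redistribution mistake cannot leak internal or default routes into the MPLS cloud, and what comes in is filtered and capped.

```cisco
! Added example, not the original post's config. AS numbers, addresses,
! prefixes and the password are placeholders.
!
! Prefixes we intend to reach over the MPLS cloud: subnets behind Rtr A/B
! (10.10.0.0/16) and behind Rtr C/D (10.11.0.0/16).
ip prefix-list OUR-SITE seq 5 permit 10.10.0.0/16
ip prefix-list OUR-SITE seq 10 permit 10.11.0.0/16
!
! Accept only corporate (10/8) prefixes from the carrier; refuse a default
! route or anything outside that space.
ip prefix-list FROM-CARRIER seq 5 permit 10.0.0.0/8 le 24
ip prefix-list FROM-CARRIER seq 100 deny 0.0.0.0/0 le 32
!
route-map TO-CARRIER permit 10
 match ip address prefix-list OUR-SITE
!
route-map FROM-CARRIER permit 10
 match ip address prefix-list FROM-CARRIER
!
! "network ... mask" only advertises a prefix that exists exactly in the
! RIB; the floating statics to Null0 guarantee the aggregates are present
! even when the IGP only carries the more specific subnets.
ip route 10.10.0.0 255.255.0.0 Null0 250
ip route 10.11.0.0 255.255.0.0 Null0 250
!
router bgp 65010
 bgp log-neighbor-changes
 network 10.10.0.0 mask 255.255.0.0
 network 10.11.0.0 mask 255.255.0.0
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description AT&T MPLS PE
 neighbor 192.0.2.1 password MPLS-Secret-Placeholder
 neighbor 192.0.2.1 route-map TO-CARRIER out
 neighbor 192.0.2.1 route-map FROM-CARRIER in
 neighbor 192.0.2.1 maximum-prefix 500
```

Rtr B would carry the same configuration toward its own PE. After applying it, "show ip bgp neighbors 192.0.2.1 advertised-routes" should list only the two site prefixes, and "show ip bgp" should show nothing from the carrier outside 10/8.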


Book Review – Voice over IP Security

Thursday, January 15th, 2009

Voice over IP Security

In preparation for the CCIE Voice Lab, I figured this would be a good book to read in terms of security. This book was recently published by Cisco Press, and they were nice enough to send me a copy.

This book lays out the general security vulnerabilities of VoIP. Many security topics are covered, such as :: DoS, session hijacking, media tapping, etc. It also introduces the security capabilities of protocols such as H.323, MGCP, SCCP and SIP.

Who should read this book?
It’s a great book for anyone looking into securing their VoIP network, and a good starter for understanding the challenges and the different areas and protocols that need to be examined. I was hoping for more configuration-related information, as the book is about 95% theory. If you already understand what you need to do in terms of security and are looking for a practical implementation book, this isn’t the book for you. Anyone wanting to understand the general security concerns surrounding voice should read this book as a first step.

What I didn’t like
Most of the screen output captures dealt with SIP, and very little was shown of SCCP and H.323. While I understand the need to stay vendor neutral, I was surprised by the amount of SIP in this book; there is a lot of discussion of SIP vulnerabilities. The last two chapters deal with lawful intercept. While I understand the use, I would rather have seen more configuration examples than something a smaller percentage of readers will use.

What stands out
The first half of the book is probably the best. Part of security is understanding the signaling aspect of protocols like SIP, H.323 and MGCP. The signaling process is broken down nicely, which makes this book a good reference for call setup issues as well. The first half also covers the general security concerns you have to look out for.

Upcoming CCIE R&S changes

Wednesday, January 14th, 2009

Per Cisco Learning ::

Effective February 1, 2009, Cisco will introduce a new type of question format to CCIE Routing and Switching lab exams. In addition to the live configuration scenarios, candidates will be asked a series of four or five open-ended questions, drawn from a pool of questions based on the material covered on the lab blueprint. No new topics are being added. The exams have not been increased in difficulty and the well-prepared candidate should have no trouble answering the questions. The length of the exam will remain eight hours. Candidates will need to achieve a passing score on both the open-ended questions and the lab portion in order to pass the lab and become certified. Other CCIE tracks will change over the next year, with exact dates announced in advance.

Effective February 17th, 2009, candidates will also see two other changes in CCIE written exams. First, candidates will now be required to answer each question before moving on to the next question; candidates will no longer be allowed to skip a question and come back to it at a later time. Second, there will be an update to the score report. The overall exam score and the exam passing score will now be reported as a scaled score, on a scale from 300-1000. This change will not affect the difficulty of the current set of exams and will assure CCIE written exams will be consistent with Cisco’s other career certification exams.

I personally wouldn’t be worried. If you can pass the lab, any open-ended question shouldn’t be that hard. I’m curious as to why they decided to add it.

Cisco Telepresence QoS

Monday, January 12th, 2009

Recently we added another Cisco Telepresence system (CTS 3000) to our network, which gave me an opportunity to work on some QoS configs.

Cisco has a great reference for QoS with Telepresence; it is a must-read for anyone deploying Telepresence on the network.

Cisco Telepresence SRND

I dealt with the QoS config at three different levels :: access, distribution, and WAN edge.

At our access layer we use Catalyst OS, and IOS at distribution and WAN edge. Refer to the SRND for the recommended values depending on the line cards being used. The example below is for 1p3q8t cards. To find out the QoS capabilities of a port, use “show qos info runtime mod/port”.
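For the WAN edge level mentioned above, here is an added example of an IOS MQC policy (not config from the original post). It assumes voice is marked EF, Telepresence media CS4 and call signaling CS3, and that both real-time classes go into the priority queue; the marking values and percentages are assumptions to be checked against the Telepresence SRND for your release and link speed, and the interface name is a placeholder.

```cisco
! Added example, not the original post's config. DSCP values and bandwidth
! percentages are assumptions; confirm them against the Telepresence SRND.
class-map match-all VOICE
 match ip dscp ef
class-map match-all TELEPRESENCE
 match ip dscp cs4
class-map match-all CALL-SIGNALING
 match ip dscp cs3
!
! Two priority classes share one low-latency queue. Cisco's general guidance
! is to keep the total LLQ allocation to roughly a third of the link so
! data traffic is not starved when video and voice are both active.
policy-map WAN-EDGE
 class VOICE
  priority percent 10
 class TELEPRESENCE
  priority percent 20
 class CALL-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
!
interface Serial0/0
 description AT&T MPLS (placeholder interface)
 service-policy output WAN-EDGE
```

“show policy-map interface Serial0/0” shows per-class offered rate and drops; if the TELEPRESENCE class reports drops during a call, the priority allocation is too small for the CTS model's bandwidth, not a marking problem.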

Access config ::


Cisco IOS Dynamic DNS

Wednesday, January 7th, 2009

I recently decided to configure dynamic DNS on my Cisco router at home. Lately my ISP has been giving me issues, causing my IP address to change quite often. Since I don’t pay for a static IP, I use a dynamic DNS service to map my IP to a DNS name.

I use a free service from dyndns, which lets you pick a domain name to link to your IP. This is most useful for those of us hosting minor applications behind our routers who want to connect via a DNS name rather than an IP address that can change.

I usually just go to the website when my IP address changes, but I decided I wanted to let my router do the updating for me.

See sample config below ::
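The original post's sample config is not included in this excerpt. As an added example (not the author's config), this is the IOS HTTP dynamic DNS method for DynDNS; the hostname, username, password, name-server address and interface name are placeholders.

```cisco
! Added example, not the original post's config. Hostname, credentials,
! name-server and interface are placeholders.
!
! The router must be able to resolve members.dyndns.org.
ip domain lookup
ip name-server 192.0.2.53
!
! <h> and <a> are expanded by IOS to the hostname and the interface address.
! When typing the URL at the CLI, press Ctrl-V before the "?" so IOS does
! not treat it as a request for context help.
ip ddns update method DYNDNS
 HTTP
  add http://USERNAME:PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 ! Force a refresh at most once a day; DynDNS treats frequent repeated
 ! updates of an unchanged address as abuse.
 interval maximum 1 0 0 0
!
interface FastEthernet0/0
 description Outside (DHCP from ISP, placeholder interface)
 ip address dhcp
 ip ddns update hostname myhost.dyndns.org
 ip ddns update DYNDNS
```

“show ip ddns update method” confirms the method is parsed, and “debug ip ddns update” shows the HTTP exchange when the DHCP lease changes. Note that the DynDNS username and password sit in the running config and are sent as plain HTTP basic auth, so limit who can view the config (and prefer an https:// URL if your IOS release accepts one in the add line), and use a DynDNS account that manages only this host.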