The Cisco dance.

In the game of life it appears there is a need to continue the quest (Quest!!! but I’m already on a quest!) for more skills, or upskilling. In doing so, I’ve returned to what got me started in IT: data communication.

Whilst Cisco isn’t the only path one could take to upskill, it would appear to be a road well travelled (google “cisco certification” for greater understanding). I’ve had a Cisco 1720 with a VPN module and a second ethernet card lying around the office for some time now and thought, since it’s a quiet time, I’d install it as the router into the office. Since I didn’t have an ADSL WIC for this machine, I’ve used another DSL modem in bridge mode to send PPPoE straight to the Cisco. I pulled the basis of the config from cisco.com so I know it’s a supported idea…

Requirements appeared to be simple: route an 8mbit DSL connection to a NAT’ed LAN with some stateful packet management.

This is typically a 20 min job in Linux. 8 hours later, having written a config that is syntactically correct (because my IOS experience is low), I finally started to see some results for a hard day’s work trawling through the cisco.com website (if this sounds lame, try finding stuff at cisco.com) for config examples of the different lumps of config. A couple of hours more and I have what appears to be a working system. The dialer works and a PPPoE session is created. Fantastic! Internet appears to work and stateful packet management is working.. All in all I was quite happy with my own abilities.

Came into the office the next day to “how come we only get downloads at 16kbps?” This has to be the best head snap I’ve had in a while. Whilst I’d researched QoS I hadn’t actually done any configuration for it.

Started the usual diagnostics… Reproduce the problem: check. Check configuration for anything obvious: check. Check RAM requirements: check. Check CPU usage: umm, not check.. This is what I was greeted with:

[Output of show processes cpu history, with its column alignment lost in extraction: three ASCII graphs, CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes) and CPU% per hour (last 72 hours), where * = maximum CPU% and # = average CPU%. The per-minute graph shows repeated spikes to 100%, and the per-hour graph shows the maximum at or near 100% for most of the 72 hours.]

(It was across a weekend.) Hmm… CPU appears to be a bit spikey… Not good. So I removed the CBAC config and access-lists. One reload later and now I’m getting 24kbps…

Here’s the config, edited for security’s sake.

Current configuration : 4850 bytes
!
version 12.3
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxx
clock timezone AEST 10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local enable
aaa session-id common
ip subnet-zero
no ip source-route
no ip rcmd domain-lookup
!
!
ip domain name example.com
ip name-server 10.2.1.1
ip name-server 10.2.1.253
ip name-server 10.2.1.3
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name CBAC1 tcp timeout 3600
ip inspect name CBAC1 udp timeout 30
ip inspect name CBAC1 icmp timeout 30
ip inspect name CBAC1 ftp timeout 3600
ip inspect name CBAC1 http timeout 3600
ip inspect name CBAC1 smtp timeout 3600
ip inspect name CBAC1 tftp timeout 30
ip inspect name CBAC1 h323
ip inspect name CBAC1 realaudio
ip inspect name CBAC1 rtsp
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 udp timeout 30
ip inspect name CBAC2 icmp timeout 30
ip inspect name CBAC2 ftp timeout 3600
ip audit po max-events 100
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
ipv6 unicast-routing
no ftp-server write-enable
!
!
interface Loopback0
description Local loopback
no ip address
!
interface Ethernet0
ip address 10.2.254.253 255.255.255.252
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 10.2.1.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect CBAC1 in
speed auto
!
interface Serial0
no ip address
shutdown
!
interface Dialer0
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxxxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.2.1.4 22 interface Dialer0 22
ip nat inside source static tcp 10.2.1.4 21 interface Dialer0 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
!
access-list 1 remark NAT ACL
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 2 remark Permit SSH traffic for 10.2.0.0/16 and deny everything else
access-list 2 permit 10.2.0.0 0.0.255.255
access-list 101 remark traffic in FE/0
access-list 101 permit tcp 10.2.0.0 0.0.255.255 any
access-list 101 permit udp 10.2.0.0 0.0.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 111 remark traffic entering D/0
access-list 111 permit tcp any 10.2.0.0 0.0.255.255 established
access-list 111 permit ip any 10.2.0.0 0.0.255.255
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any host 10.2.1.4 eq 22
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 time-exceeded
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 packet-too-big
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 traceroute
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 unreachable
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip any host 127.0.0.1 log
access-list 111 deny ip 0.0.0.0 255.255.0.0 any log
access-list 111 deny tcp any any eq 22222 log
access-list 111 deny tcp any any range 60000 60020 log
access-list 111 deny udp any any eq snmp log
access-list 111 deny ip any any
access-list 112 remark traffic exiting D/0
access-list 112 permit ip any any
access-list 112 deny ip any any
dialer-list 1 protocol ip permit
!
banner login ^CCAuthorised Access only
This system is the property of example.com.
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged and violations of this policy result
in disciplinary action/Criminal Proceedings.^C
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
password 7 xxxxxxxxxxxxx
transport input ssh
transport output ssh
!
ntp server 198.142.76.162
ntp server 203.209.212.99
ntp server 60.242.56.98
!
end

Surely a Cisco 1720 can route an 8mbit/s connection without causing the CPU to burn away. I’ve run this config past a couple of Cisco nuts and they can’t seem to find anything stupid. If you can help with this problem please drop me a line. I’m happy to reciprocate with either a beer or Unix help.
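A small added check of my own (not code from this post or from Cisco) over the outside-inbound ACL in the config above. It flags two things a reviewer of a CPU-bound small router would want to see: ACEs carrying the log keyword, since logged matches leave the CEF fast path and are process-switched, and ACEs naming RFC 1918 destinations, which an inbound ACL on a NAT-outside interface evaluates before outside-to-inside translation and therefore never matches. The sample input is a constructed subset of access-list 111.

```python
import ipaddress

# Constructed sample: a subset of the Dialer0 inbound ACL (111) from the config above.
SAMPLE_ACL = """\
access-list 111 permit tcp any 10.2.0.0 0.0.255.255 established
access-list 111 permit ip any 10.2.0.0 0.0.255.255
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any host 10.2.1.4 eq 22
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny udp any any eq snmp log
access-list 111 deny ip any any
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _addr(tokens, i):
    """Parse one address spec at tokens[i] ('any', 'host A', or 'A wildcard').
    Returns (network, or None for any; index of the next token)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress treats a mask whose first field is 0 as a host mask, i.e. an IOS wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def audit_outside_inbound_acl(config_text, acl_number="111"):
    """Return extended ACEs of the given ACL that deserve a second look.
    'log': the log keyword takes matching packets off the CEF fast path; they are
    process-switched, which is CPU-expensive on a small router such as a 1720.
    'private_dst': an inbound ACL on the NAT-outside interface is evaluated before
    outside-to-inside translation, so it sees the public address as destination and
    entries naming RFC 1918 destinations never match there."""
    findings = {"log": [], "private_dst": []}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:2] != ["access-list", acl_number] or t[2] == "remark":
            continue
        i = _addr(t, 4)[1]                      # t[2] is the action, t[3] the protocol
        if t[i] in ("eq", "gt", "lt", "neq"):   # optional source port qualifier
            i += 2
        elif t[i] == "range":
            i += 3
        dst = _addr(t, i)[0]
        if t[-1] == "log":
            findings["log"].append(line)
        if dst is not None and any(dst.subnet_of(p) for p in RFC1918):
            findings["private_dst"].append(line)
    return findings
```

Run against the full config, the 'private_dst' hits show that the permit for 10.2.1.4:22 is dead on Dialer0 and that the static NAT forwards are actually admitted by the broader permits above it.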

Belated Merry Christmas

Merry Christmas and happy new year to you all.. Since this is belated, I can ask how your festive season went… As usual a trip back home to see Mum and Dad was in order, along with grandparents and the like.. I’m sure everyone does something similar each year… Drank some great wine and met relatives I never knew existed… All in all a great day.

Short and sweet.

Wade and Athene’s Wedding.

Went to Wade and Athene’s wedding today… Interesting event to say the least.. I think Mario got a mention in the wedding vows along with being on the cake. Played Wii boxing at the reception. I think Wii boxing should be used to mediate more relationship issues. (Mental note: buy Wii.) Wow, ppl turned out in force. Because the humidity was in the 90’s, pretty bamboo fans were supplied.

Food was great.. All in all a great day..

I hope for the “happily ever after” life they deserve.

Whilst this wasn’t a traditional wedding I think I had more fun along with the bridal party. There should be more gamer weddings.

Upgrades…

I’ve had a number of problems with the WYSIWYG interface in WordPress 2.0 and decided to do an upgrade to 2.2. I hadn’t done a WordPress upgrade before, but it looked simple enough.. Typically one would firstly back up the DB (check!) and then back up the PHP pages (sort of check..). Well, in the midst of trying to back up as little as possible, I somehow shredded my config.php with my SQL password.. Not good. Oh well, an e-mail to my friendly admin and it’s all good.

Apologies to those who might have relied on it for some timely information. Better caution will be taken next time to make sure outages are much shorter.

IPv6 presentation at SAGE-QLD

The presentation went relatively well given that my 3 HSDPA modem decided not to work for the practical side of the meeting. It seems a number of people came out of the woodwork to attend, which is pleasing as a SAGE-QLD executive.

I think the next presentation I do, things will be different in the way I organise the slides and how I approach the content of any subject. Anyway, what’s done is done and I had a go. That’s what’s important.

Slides are available at the bottom and I’ll post my freenet6 RPM for Fedora/RHEL/CentOS.

Thanks to all who turned up. Special thanks go to Aarnet for the IPv6 brokering services and David Jericho for helping with the content of the presentation.

The Missing Hole.

Well, the weekend has been up and down.. Two parties in two days, but I’m having a large hole where stuff used to be and someone to talk to for the last four years. Now she has gone. I’m quite bummed about it.. Kinda miss having someone there and it’s not even the first night.. To all the single ppl out there; I soo get loneliness. Big hugs all round.

laters..

A very good Night Out.

Celebrated Andy’s 23rd in fantastic style with a legendary shindig at Andy’s place… Great night, good company and fantastic drink.

ccache and OS X

Recipe: ccache on OS X

method:

curl -O -- http://samba.org/ftp/ccache/ccache-2.4.tar.gz
tar -xzvf ccache-2.4.tar.gz
cd ./ccache-2.4
./configure --prefix='/usr' --mandir='/usr/share/man'
make
sudo make install

Simple.. I will at some time create an installable dmg for everyone.

Facebook and Me…

Well, I was persuaded by Andy to get a Facebook account.. So I’m on with great success and even found some past work colleagues I’d lost touch with… If you have a Facebook a/c feel free to send me a message via the wall..

Still working on my IPv6 talk for SAGE-AU… Microsoft has quite a surprising amount of “eatable” information on IPv6. Can’t wait to find time to try out Windows Server 2008’s native DHCPv6 server and other interesting IPv6 functions.

Not to be outdone, I noticed that ISC has dropped a swag of IPv6 functionality into dhcp 4 beta (3.0.5 for Fedora test users I think).

Also Happy Birthday Andy…

Itte kimasu

All things SAGE-AU.

For those who are not aware, I’m a proud member of SAGE-AU (The System Administrator Guild of Australia) Queensland Chapter. As the website says: “the network behind the people behind the network”. SAGE-AU is a great organisation with very professional and extremely knowledgeable people at its core. The mailing list and monthly talks are worth the membership, let alone the discounts from various vendors and other perks.

After being a member for one year, I decided to put my hand up to help with the running of the organisation and was nominated/voted in as a SAGE-QLD executive.

Part of my position is to help with speakers and the running of the meetings. In contemplating this role, I thought it would be good to get a talk together for the times that vendors could not be organised. The talk topic I’ve chosen is: IPv6. As my previous posts have mentioned, I’ve been a big fan of IPv6 and would love to see it in consumer homes ASAP.
It has been put to me that writing a paper might be the best way to a good talk. The only challenge is how I approach the talk? I definitely know that I want to debunk some urban myths of IPv6 that seem to pop up as soon as you mention IPv6.

Once I have something substantial I will post it accordingly under Creative Commons.

Itte kimasu