
Cisco 888G with KPN 3G connection

August 4th, 2011 | 3 Comments

Something I don’t see and don’t do very often is the configuration of a router with a 3G connection, so this blog post is meant to help me when configuring future connections. For today’s configuration I am using the Dutch carrier KPN to establish the 3G connection. The hardware is a Cisco 888G router with a PCEX-3G-HSPA-G module. The most difficult part of the configuration is retrieving the correct provider information. For this KPN connection the following credentials are used:

  • APN name: fastinternet
  • PPP CHAP username: <empty>
  • PPP CHAP password: <empty>
  • DNS: ns1.kpn-gprs.nl (62.133.126.28) & ns2.kpn-gprs.nl (62.133.126.29)

Don’t forget to use the above DNS servers when using a 3G connection from KPN. All other DNS servers, including Google’s DNS servers, won’t work.

The SIM card is locked by default with a PIN, so I first needed to unlock it. Unlocking the SIM is done with the following command:

router#cellular 0 gsm sim unlock <pin code>

The next step is to create a GSM modem profile. With modem profiles you can configure different combinations of APN, authentication, username and password. For my connection I only need to specify the APN name, as shown below:

router#cellular 0 gsm profile create 1 fastinternet

Another important step is the configuration of a chat-script. The chat-script defines the Attention Dial Tone (ATDT) commands that are sent when the dialer is initiated. For GSM connections the script always has the following syntax:

router(config)#chat-script <script name> "" "ATDT*99*<modem profile number>#" TIMEOUT <timeout value> CONNECT

Getting back to my configuration, I configured the following chat-script:

router(config)#chat-script gsm-chat-script "" "ATDT*99*1#" TIMEOUT 30 "CONNECT"

Next you need to configure regular dial-on-demand routing (DDR) for the cellular interface. My cellular interface is the primary internet connection, so I included the necessary NAT statements on the interfaces.

interface Cellular0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer pool-member 1
async mode interactive

!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string gsm-chat-script
dialer persistent
ppp chap hostname <APN name>
ppp chap password 0 <provider password>
ppp ipcp dns request
no cdp enable

!
dialer-list 1 protocol ip permit

The last two steps are the configuration of a default route and the line configuration mode. I configure a regular default route with the Dialer1 interface as next-hop interface. The line configuration mode includes the following commands for the KPN connection.

line 3
script dialer gsm-chat-script
modem InOut
no exec
rxspeed 7200000
txspeed 5760000

That’s it. Just configure a routed or VLAN interface, add some NAT and ACL statements and you are ready to go. You can use the various

show cellular 0 <commands>

commands for troubleshooting or for information about your connection.

OpenSSL for testing TLS

February 17th, 2011 | No Comments

I was looking for a way to test the TLS configuration of a secure mail server and stumbled across a website called “OpenSSL Command-Line HOWTO”. This website explains how to test a TLS connection using OpenSSL.

The s_client and s_server options provide a way to launch SSL-enabled command-line clients and servers. There are other examples of their use scattered around this document, but this section is dedicated solely to them.

In this section, I assume you are familiar with the specific protocols at issue: SMTP, HTTP, etc. Explaining them is out of the scope of this article.

You can test, or even use, an SSL-enabled SMTP server from the command line using the s_client option. Secure SMTP servers offer secure connections on up to three ports: 25 (TLS), 465 (SSL) and 587 (TLS). Some time around the OpenSSL 0.9.7 release, the openssl binary was given the ability to use STARTTLS when talking to SMTP servers.

# port 25/TLS; use same syntax for port 587
openssl s_client -connect mail.booches.nl:25 -starttls smtp

# port 465/SSL
openssl s_client -connect mail.booches.nl:465

RFC821 suggests (although it falls short of explicitly specifying) the two characters “<CRLF>” as line terminator. Most mail agents do not care about this and accept either “<LF>” or “<CRLF>” as line terminators, but Qmail does not. If you want to comply to the letter with RFC821 and/or communicate with Qmail, also use the -crlf option:

openssl s_client -connect mail.booches.nl:25 -starttls smtp -crlf
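The commands above give you the raw s_client output; what you usually want from a TLS check is a short answer to "which protocol and cipher did we get, and did the certificate chain verify?". The script below is an added example (it is neither from this post nor from the OpenSSL HOWTO it quotes): it wraps openssl s_client for the three ports mentioned, using -starttls smtp and -crlf on 25/587 and an implicit TLS connection on 465, and summarises the result with awk. The host and port are arguments you supply; the two sample outputs embedded in the script are constructed to show what the summary looks like without needing a network connection.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSSL HOWTO.
# Probes a mail server's TLS setup with `openssl s_client` and reduces the
# output to protocol, cipher and certificate verify result.

# smtp_tls_probe HOST PORT: run s_client and return its full output on stdout.
# Port 465 is implicit TLS; 25 and 587 need STARTTLS. -crlf sends <CRLF> line
# endings so that strict servers (Qmail, per the HOWTO) accept the dialogue.
smtp_tls_probe() {
    host=$1
    port=$2
    if [ "$port" = "465" ]; then
        printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" 2>&1
    else
        printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp -crlf 2>&1
    fi
}

# tls_summary: read s_client output on stdin, print one line with the
# negotiated protocol, cipher and the "Verify return code" text.
tls_summary() {
    awk '
        /^ *Protocol *:/      { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/        { sub(/^ *Cipher *: */, ""); cipher = $0 }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); verify = $0 }
        END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }
    '
}

# tls_verify_ok: succeed only when the server certificate chain verified.
tls_verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Constructed samples of s_client output (not captured from a real server),
# one with a verified chain and one with a self-signed certificate.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
250 OK'

SAMPLE_SELFSIGNED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
---
250 OK'

# Usage: sh smtp-tls-check.sh <host> <port>   (host and port are your own values)
if [ $# -eq 2 ]; then
    out=$(smtp_tls_probe "$1" "$2")
    printf '%s\n' "$out" | tls_summary
    if printf '%s\n' "$out" | tls_verify_ok; then
        echo "certificate chain verified"
    else
        echo "certificate chain NOT verified; check the CA bundle or the server certificate" >&2
        exit 2
    fi
fi
```

The QUIT sent through the pipe closes the session cleanly once the handshake is done; without it s_client would wait for input on the terminal. The verify result depends on the CA store of the machine running the check, so a non-zero code on a freshly installed box is worth confirming with -CAfile before blaming the server.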

XenServer and Multicast with IGMP support

December 20th, 2010 | No Comments

Today I tried to add a virtual Terminal Server running on XenServer to an NLB cluster. The NLB cluster so far contained only physical servers. When the virtual server was added to the NLB cluster with the NLB manager, it lost all IP communication: it wasn’t possible to connect to or from the server. Together with the system administrator I searched multiple forums and we found the solution to the problem.

It looks like XenServer doesn’t support multicast by default, because of the bridged design of its network interfaces. We found an interesting article on the internet about enabling multicast on the virtual interface.

In the end we took the following steps to enable multicast support on the virtual interface of the XenServer.

  1. Install the XenServer tools on the virtual server;
  2. Execute the ifconfig command, as shown below, to enable multicast on the virtual interface;

# Retrieve the DOMID of the virtual server
xe vm-list name-label=<VMNAME> params=dom-id

# Enable multicast on the virtual interface of the virtual server
ifconfig vif<DOMID>.0 multicast

We restarted the virtual server and the DOMID changed, but multicast with IGMP support was still working and the server was still part of the NLB cluster. The system administrator will do some more testing and will try to add another virtual server to the NLB cluster.
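Because the DOMID is assigned at every VM start, the two commands above are worth keeping as a small script that resolves the current DOMID each time it runs instead of hard-coding a number. The script below is an added example, not from the original post: it assumes the XenServer xe CLI and the vif<DOMID>.0 interface naming used above, and it treats the dom-id of -1 that xe reports for a halted VM as an error rather than trying to configure an interface that doesn’t exist.

```shell
#!/bin/sh
# Added example (not from the original post): re-runnable version of the two
# commands in the post. Assumes XenServer's `xe` CLI and the vif<DOMID>.0 naming.

# parse_dom_id: read `xe vm-list ... params=dom-id` output on stdin and print
# the number. xe prints a line of the form "dom-id ( RO)    : 7" (constructed
# sample; -1 means the VM is halted).
parse_dom_id() {
    sed -n 's/^dom-id[^:]*: *\(-\{0,1\}[0-9][0-9]*\).*/\1/p' | head -n 1
}

# vif_name DOMID: backend interface name for the VM's first virtual NIC
vif_name() {
    printf 'vif%s.0\n' "$1"
}

# enable_vm_multicast VMNAME: look up the VM's current dom-id and set the
# multicast flag on the matching vif. Must be run on the XenServer host itself.
enable_vm_multicast() {
    vm=$1
    domid=$(xe vm-list name-label="$vm" params=dom-id | parse_dom_id)
    if [ -z "$domid" ] || [ "$domid" -lt 0 ]; then
        echo "VM '$vm' not found or not running (dom-id '${domid:-none}')" >&2
        return 1
    fi
    ifconfig "$(vif_name "$domid")" multicast
}

# Usage: sh vm-multicast.sh <VMNAME>   (run again after every restart of the VM)
if [ $# -eq 1 ]; then
    enable_vm_multicast "$1"
fi
```

The flag set by ifconfig is not persistent across VM restarts, which is exactly why the lookup is redone on each run; if the NLB member drops out again after a reboot, running the script is the first thing to try before digging further.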

Cisco Connect – Software Download Entitlement Controls

December 13th, 2010 | 1 Comment

I read about it on the internet and last week I received the “official” mail from the Cisco Partner Channel about the changes regarding the Software Download Centre Entitlement Controls. The e-mail (originally in Dutch, translated below) can be found at the end of this post. I have mixed feelings about the changes to the software entitlements. From January 2nd 2011 it is no longer possible to just download any software with a CCO or PICA (Partner Initiated Customer Access) account.

Downloading software is only possible for networking components with a valid ‘software download’ contract (like SmartNet). If you have a contract to download software for a specific Cisco Catalyst switch, you can only download the software for that switch. So check your Cisco Service contract details, such as serial number and part ID, check that they are registered correctly and that the contracts are registered to the correct CCO ID.

Sadly for me, as a consultant, it will be very hard to download the latest software. I have a valid CCO account, but as a company we don’t have any support contracts that allow downloading software. Not only the change in software entitlement, but also the change in the license structure of the hardware and software feature sets has an impact on my daily work. It is getting harder and harder, and in the end maybe impossible, to try out the latest features with tools like GNS3 and Dynamips. Not only for testing purposes, but also for studying. Emulating software with Dynamips is extremely powerful when you are working towards the CCIE or other certifications.

On the other hand, I can also understand that Cisco tries to protect the copyrights of its products and the investment of paying customers. I know that multiple vendors make their software available for free, but I also know some of these vendors have very poor software maintenance. Sometimes you need to downgrade after upgrading an image, or specific releases just disappear and aren’t supported anymore.

I guess we have to get used to the new concept and in a couple of months or years we won’t know any better. I am positive that somebody will find new ‘solutions’ for the download and feature set ‘problems’.

Dear Partner,

As you may know, a licence is required to use Cisco software. A licence that has been paid for and with which you can download software. This goes without saying. However, it used to be possible to download all IOS software with a CCO or PICA (Partner Initiated Customer Access) account with ‘software download access’. Including software for products that were not covered by the contract. Until now Cisco has applied a so-called trust model.
To protect the copyrights of our software products, in December we are reviewing all contracts on the basis of paid licences. Partners who have paid for the service will be able to continue downloading software in the future. Those without a licence will no longer have free access from January 2nd. In this way Cisco protects its intellectual property and your investment in the products.
To make this change go as smoothly as possible, we ask you as a Partner to do the following before January 2nd, 2011:

• Check here whether your Cisco Services contract(s) are complete and fill in any missing details, such as serial numbers, part IDs (product series and type number) and locations.
• Verify that all your Cisco products are registered on the Cisco service contract and that you have valid licences for the Cisco software.
• Check whether all service contract(s) are linked to the correct user name and CCO ID on www.cisco.com
• Check that all your employees are registered and authorised, and that their details have been filled in correctly.

From January 2nd, 2011 we will check all downloaded software for licences as standard. The download speed will not be reduced. And if you are registered, you will not be hindered by this change while downloading.

If you have any questions about this message, please feel free to ask your Partner Account Manager.

Kind regards,
Cisco

Fred Gerritse
Director Partner Organisation

STP successor – CiscoNL

August 16th, 2010 | No Comments

I just watched an online video on the CiscoNL – Technology site about the successor to the Spanning Tree Protocol in the near future. The video can be found here (language: Dutch).