Monday, April 21, 2008

Virtual Private Networks Troubleshooting - Part I

I've seen quite a number of posts asking why VPN users are not able to access their network even though they have been successfully connected.

Let's try to troubleshoot what happens here. A very common VPN setup is to use 2 NICs and run Routing and Remote Access on one of them. The benefits of this would be that you can isolate VPN traffic and keeping it from overloading the NIC that handles the internal network traffic. One thing to note for is that the two NICs have to be assigned IPs from different networks or subnets. For example:

1st NIC (VPN): /24
2nd NIC(internal network): /24

(Don't worry if you don't understand the /24. It's called the slash notation for the subnet mask which is the equivalent of

Through the initial RRAS setup, users will be able to connect to the VPN just fine and will be assigned an IP address of one of the networks. The problem arise when they try to connect to network resources on through the 2nd NIC (the other network). This is due to the fact that Windows doesn't know how to route the packets from the network to network.

You can tell Windows how to route traffic between the two NICs by configuring a static route with the "Route" command. Type "Route /?" at the Command Prompt for more information.

And as usual, I have a second way to accomplish the job by turning on Routing using RIP or OSPF and add the two NICs to it.

One thing that I see lacking from most Windows Administrators is the understanding of TCP/IP and network routing. I would recommend Windows Administrators to take CCNA anytime. Even though it might seem so remote from their daily tasks, one can walk away from a CCNA class with so much helpful information that makes their job much easier to do.

Monday, March 17, 2008

Switch Port Security

If you are working in a strict security environment then switch port security is a must. Configuring switch port security could become a tidious task. However, if you can control the environment when you setup the network, this little trick can help you save a lot of work.

Instead of configuring port security and manually enter MAC address for the port, you could plug all your hosts in then issue the following commands:

Switch(config)#int range f0/1-xx
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation restrict
Switch(config-if-range)#switchport port-security mac-address sticky

The first command takes you to the interface range configuration mode; the next two turn on the port security and set a maximum number of mac addresses to 1. "Violation restrict" will not allow traffic for any host whose mac address is different than what the switch has learned for the port in question. After that, the "mac-address sticky" commands instruct the switch to learn the mac address dynamically and remembers it for the each port.

Sunday, March 2, 2008

Basic Load Balancing

Load Balancing normally has two modes of operation: Per-Destination and Per-Packet.

Per destination load balancing means the router distributes the data packets based on the destination address. If you have two paths going to Host A & B on the same network then all packets for Host A will travel over the first path and all packets for Host B will travel over the second path. This will preserve the packet order which is very useful in certain applications; however, it could result in unequal usage of the network links as bandwidth & load are not taken into route calculation.

Per packet load balancing means the router sends one packet over the first path and second packet over the second path; all going to the same destination. Per packet load balancing guarantees equal load across all the links; however, the packets may arrive at the destination out of order because of different delay/bandwidth may exist on different paths.

Per destination load balancing is enable by the command:

Router# config t
Router(config)# interface Ethernet 0
Router(config-if)# no ip route-cache

Now the router CPU will look at every single packet and spread them across the different path available in the routing table for the destination. This is not recommended on low end server as it could crash the router because the CPU must do all the processing and might not be able to handle it. To enable fast switching, use the following commands:

Router# config t
Router(config)# interface Ethernet 0
Router(config-if)# ip route-cache

Newer switching schemes such as Cisco Express Forwarding (CEF) allow you to do per packet and per destination load balancing more quickly but it does imply that extra resources will be needed to maintain it.

Thursday, February 28, 2008


Working remotely with routers & switches you don't have the flexibility to reset the devices at will when things go wrong unless you can control power distribution to the devices.

This is where the Reload command comes in handy. Before making changes to the configuration, you can enter:

Reload in 10

which will reload the device in 10 minutes. Once the command is entered, you can proceed with the configuration changes. If things go wrong and you lost connectivity to the device, try back in about 10 minutes since the device will get reloaded with the original startup-configuration and restore connectivity.

Once you confirm that your new configuration is working properly, you can issue the command:

Reload cancel

to cancel the reload. I find this trick to be very useful when I have to telnet or SSH to a remote device and hopefully you too.

Monday, February 25, 2008

Add Redundancy With Backup Command

You can add redundancy to your network and make you network more resilient with the Backup command. What this command does is specify an interface which will act as a back up in case the primary interface fails.

Let's take a look at the following configurations:

On RouterA:

Configure terminal
Interface f0/0
Ip address
no shutdown
Interface f0/1
Ip address
no shutdown
Backup interface f0/0
Router eigrp 20

On RouterB:

Configure terminal
Interface f0/0
Ip address
no shutdown
Interface f0/1
Ip address
no shutdown
Backup interface f0/0
Interface loop 0
Ip add
Router eigrp 20

With these configurations loaded, both Fa0/1's will change to up/up while Fa0/0's will go into standby mode and monitor the activities on Fa0/1. In the event that Fa0/1 goes down, Fa0/0 will switch to active mode and establish neighbor relationship with the connected interface and complete the failover.

To verify this, from RouterA you can ping with the repeat parameter:

Ping repeat 10000

This command will ping 10k times. While it's pinging, unplug the cable to Fa0/1. you will see that the link go down, the ping will fail and then within seconds Fa0/0 will be up and resume the active role and the pinging will resume as nothing has happened. If the link on Fa0/1 becomes active again, Fa0/0 will switch back to standby mode.

This is a quick and easy way to add redundancy to your network. There are other techniques that you can use to add redundancy to your network to include both layer 2 and layer 3 redundancies which I will discuss at another opportunity.

Friday, February 22, 2008

Keyboard Shortcuts

If you use CLI to manage your Cisco routers & switches then you should to get familiarized with the keyboard shortcuts as the can save you a lot of time & typings.

Here's the shortcut list:

  • Ctrl+B: Moves back one character at a time
  • EscB: Moves back one word at a time
  • Ctrl+A: Moves to the start of a line
  • Ctrl+F: Moves forward one character at a time
  • Esc+F: Moves forward one word at a time
  • Ctrl+E: Moves to the end of a line
  • Delete: Erases the character to the left of the cursor
  • Backspace: Erases the character to the left of the cursor
  • Ctrl+D: Deletes the character at the cursor
  • Ctrl+K: Deletes all characters from the cursor to the end of the line
  • Ctrl+U: Deletes all characters from the cursor to the beginning of the line
  • Ctrl+X: Deletes all characters from the cursor to the beginning of the line
  • Ctrl+W: Deletes the word to the left of the cursor
  • Esc+D: Deletes from the cursor to the end of a word

If none of these commands work, enhanced editing may be turned off. You can turn on enhanced editing issuing the command at the privileged command prompt:

Router# terminal editing

Wednesday, February 13, 2008

Stop Logging Messages From Interrupting Your Work

One of the things that I find really annoying with the Cisco devices is that when I am configuring a router or a switch, the console messages keep popping up all over the places and interfere with my work. Although this doesn't cause any typo error but it's really difficult to see what you have typed. Luckily, we can control the logging message behavior.

To disable, use:
Router(config)# no logging console

or if you prefer to see what's going on with the router/switch then use the "logging synchronous" command:
Router(config)# line console 0
Router(config-line)# logging synchronous
Router(config)# line vt 0 4
Router(config-line)# logging synchronous

It would be nice if these were taken into consideration and set as default options when the IOS is built but it's not the case so until they change it, you will have to either put up with it or do a little extra work to change the default behavior.

Monday, January 28, 2008

Configure DHCP on a Cisco Router or Switch

When it comes to configuring DHCP, you have a number of ways to do it. You can run DHCP service on a Windows or a Linux box or as most networking professionals prefer, run it on an existing router or a switch.

The advantage of this is that you can leverage existing hardware, provide DHCP locally at each site and reduce the dependency on the WAN link.

To configure DHCP on a Cisco router or switch, follow these steps:

1. Configure an IP address on the router's Ethernet port

Router(config)# interface e0/0
Router(config-if)#ip address
Router(config-if)# no shut

2. Create a DHCP IP address pool for the IP addresses you want to use.

Router(config)# ip dhcp pool dhcppoolname

3. Specify the network and subnet for the addresses you want to use from the pool.

Router(dhcp-config)# network

4. Specify the DNS domain name for the clients.


5.Specify the DNS server.


6. Specify the defaut router (or default gateway)


7. Specify the lease duration.

Router(dhcp-config)#lease 7

8. Let's say that you've decided that all IP addresses between .30 and .40 will be used for static IP devices such as mail servers and database servers and you don't want them to be available in the DHCP pool, you can exclude them using "exclude-address" command:

Router(config)#ip dhcp excluded-address

Now any device that requires an DHCP address on the network will be able to send a DHCP request to

Friday, January 18, 2008

Update Client Status on Long Running Job

Every once in a while I come across a question like: "I have a web application that has a long running job. It could take up to a few dozen minutes to complete. How can I keep the client status updated and not causing a timeout?"

The problem with a web application like this is that if the job run too long, it will cause a script timeout error. One can opt to increase the script timeout to prevent this but when you actually have an error, it would take forever before the client is notified of the error.

People often think that AJAX is the only solution to this problem but it isn't. But with a little clever coding, combining javascript with server side code, you can accomplish this. You can apply this technique to classic ASP or ASP.NET or whatever techonolgy or language you choose to use.

What we need to do is find a way to continuously sending data to the browser so that it doesn't time out on us. with vbscript and Repsonse.Buffer & Response.Flush can take care of this quite nicely.

So now we have the data streaming to the client, how to we update the status? The answer is javascript. We can script a function and take advantage of the ability to dynamically changing the content of the div or span tag to update the status when we receive some data from the server.

Please examine the source code for the complete example.

Tuesday, January 15, 2008

Optimize Routing Updates

Dynamic routing protocols such as EIGRP, OSPF & RIP update the routing table through the use of protocol updates. These updates are sent periodically from one router to another and can create quite a bit of traffic on your network.

You can optimize your router and reduce this kind of traffic through the use of the "passive-interface" command. It works by instructing the router not to send update to specific interface(s).

The "passive-interface" command can be used in two ways:

1. Specify an interface that will not participating in routing updates.

Router(config)# router rip
Router(config-router)# passive-interface Ethernet 0/0

2. Make all interfaces passive then use "no passive-interface" on interfaces that you want to participating in routing updates.

Router(config)# router rip
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface Ethernet 0/0

Note that the "passive-interface" command works on all IP routing protocols except BGP.

Tuesday, January 1, 2008

Changing Computer SID

I've been working on a SharePoint project that requires a domain controller, an IIS web farm and a SQL Server. In order to quickly setup my development environment, I use Virtual Server 2005 and created a number of virtual machines and set them up in an isolated virtual network.

I started out by setting up a barebone Windows Server 2003 with SP2 and .Net Framework 2.0. After all the security updates have been applied, I copied the virtual hard drive (.vhd) file, renaming it and attached to the new virtual machines. I brought them up one by one and renamed them. Once I got through all four, they all came up with no problem.

When I promoted the DC and start joining the first member server things also went pretty well until I tried to logon to the member server with a domain account. The error message I received was:

The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain

This error occurred because I used only one installation of Windows 2003 Server. The SID is the same on all of my virtual machines because I just simply copied the .vhd file and renamed it.

The solution was to download NewSID utility from SysInterals (now owned by Microsoft). The tool allows you to change SID as well as computer name and works wonderfully in this situation.

Here's a few tips for those who might run into this same scenario:

1. Run NewSID when you bring up a clone server/computer and let it do the rename for you. This will save you from rename the computer, reboot, login then change the SID only to reboot again.

2. Run NewSID before you join the member server to the domain. This is because it will save you from all the hassle of joining domain, reboot, unjoin, reboot, change SID reboot and rejoin domain...