Friday, January 9, 2009

Native VLANs - ISL vs 802.1q, CatOS vs IOS

When configuring trunking, the discussion of Native VLANs may be a little confusing, especially when comparing ISL trunking vs 802.1q, and IOS vs CatOS.

Here's a breakdown:

First, the concept of a Native VLAN only exists in 802.1q. So, for ISL trunking, do not worry about setting it, as ISL encapsulates EVERY FRAME going through that trunk (more below).

A Native VLAN is merely a single VLAN ID already allowed on a trunk that will be used for all untagged frames sent/received. In other words, if the switch receives a frame on this trunk with no VLAN ID tagged on it, it will assume that this frame is in the Native VLAN, and inversely, if it sends a frame on this trunk that is in the Native VLAN, it will not bother tagging the frame.

As stated above, this does not apply to ISL because it encapsulates frames (instead of tagging them, as 802.1q does), and every frame must be encapsulated; therefore, ISL does not bother with the concept.

Typically, you have a dedicated "switch management" VLAN on your network, all your switches' management addresses are in this VLAN, and this VLAN is set as native on every trunk link between these switches. A lot of times setting the Native VLAN does not matter on newer switches, but I have found that some Cisco Autonomous APs and very old switches require it to be set, so I feel it is best to keep it consistent. YMMV.

To check the current Native VLAN on IOS (the interface name goes before the trunk keyword; leave it off to list every trunk):
sh int InterfaceX/Y trunk

To check the current Native VLAN on CatOS:
sh trunk X/Y

On IOS, it's pretty easy to set the native VLAN; just enter the following command under the interface (where Z is the VLAN ID):
switchport trunk native vlan Z

On CatOS, it's not as obvious, but just as easy: you simply set the VLAN of the trunk port as if it were an access port:
set vlan Z X/Y

As I said before, it's not terribly necessary nowadays, but for consistency I recommend setting it to the same VLAN as the management interface of your end-user switches. No matter what you do, you must ensure that the Native VLAN matches on both sides of your 802.1q trunk, because otherwise two Cisco switches will detect the mismatch via CDP and will block the port until it's fixed. The following IOS command will show you a list of any such blocked ports:
show spanning-tree inconsistentports
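As an added example (not from the original post), here is a small Python model of an 802.1q trunk port that implements the untagged-frame rule described above: frames in the native VLAN leave untagged, and untagged arrivals are assumed to be native. Running a frame across a trunk whose two ends disagree on the native VLAN shows why the mismatch matters: untagged traffic silently lands in the far side's native VLAN. The MAC addresses and payload are constructed; PCP/DEI bits and ISL are left out.

```python
import struct

TPID_8021Q = 0x8100  # 802.1q Tag Protocol Identifier


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def egress(frame, vlan_id, native_vlan):
    """Send a frame belonging to `vlan_id` out an 802.1q trunk.

    Native-VLAN frames leave untagged; every other frame gets a 4-byte tag
    (TPID 0x8100 + TCI with PCP=0, DEI=0, VID=vlan_id) inserted after the
    source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("invalid VLAN ID %r" % vlan_id)
    if vlan_id == native_vlan:
        return frame
    tci = vlan_id & 0x0FFF
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def ingress(frame, native_vlan):
    """Receive a frame on an 802.1q trunk. Returns (vlan_id, untagged_frame).

    A frame with no tag is assumed to belong to the native VLAN."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return native_vlan, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def traverse_trunk(vlan_id, native_a, native_b):
    """VLAN a frame from `vlan_id` ends up in after crossing a trunk whose
    sending end has native VLAN `native_a` and receiving end `native_b`."""
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55",
                        0x0800, b"constructed payload")
    received_vlan, _ = ingress(egress(frame, vlan_id, native_a), native_b)
    return received_vlan


if __name__ == "__main__":
    print("matched natives, VLAN 10 ->", traverse_trunk(10, 1, 1))
    print("mismatched natives, VLAN 1 ->", traverse_trunk(1, 1, 99))
```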

Friday, December 19, 2008

Cisco "Setup Express"

Newer Cisco "pizza box" switches (3560/3750 and others) have a MODE button on the front of them that is used for both the password-recovery feature, as well as the "setup express" feature.

Reference:
http://cciepursuit.wordpress.com/2007/06/29/completely-clearing-a-cisco-switchkinda/


I would recommend disabling the setup express feature (no setup express in configure mode) as it really provides NO benefit in my eyes. It does not affect the password recovery feature (unless you are super paranoid, don't disable password recovery; that can be disastrous).

My argument is that while a switch is powered on, there should not be such an easy way to essentially reboot the switch with a blank config, when the only remedy is renaming files over a console cable. One nosy user or janitor can take down your switch until you can run out there with a laptop.

Wednesday, October 8, 2008

Disable Vista's Media Center (Ultimate or Home Premium only)

Open a command prompt with admin rights (if you have UAC turned on, just type cmd into the search bar of the Start menu and hit Ctrl-Shift-Enter)

Type:
reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsMediaCenter /v MediaCenter /t REG_DWORD /d 1 /f

To re-enable it (not likely to happen ;-))
reg delete HKLM\SOFTWARE\Policies\Microsoft\WindowsMediaCenter /v MediaCenter /f

Too good not to post

Wow...what an article:

http://www.babeled.com/2008/06/24/reaganomics-trickle-down-theory-suppliy-side-economics-or-by-any-other-name-is-still-a-fallacy/

Monday, October 6, 2008

VHDMount Fun

I had the lovely privilege of re-formatting my home PC the other day. I regularly use Vista (so sue me) on my home PC and I used its built-in backup tools to back up all my files to my second hard drive, including a CompletePC backup.

What I found was that for the normal file backup and restore feature, when you go to restore, it will restore ALL FILES FROM THE BEGINNING OF THE BACKUP SET. Take this scenario:

  • Backup Set Created (first backup made)

  • Backup

  • Backup

  • Files Deleted

  • Backup


If I restore from the last backup, the deleted files will be found in the backups. That's fine, pretty useful if I wanna undelete a file from a while ago...but I did not anticipate this behavior, especially since I cleaned/reorganized my music collection recently.

So, I decided to open the CompletePC backup, basically a snapshot of the entire OS drive (which I made right before my format). It saves itself as a VHD file, which needs a Microsoft program called VHDMount to open/use.

To get this tool, I had to download Microsoft Virtual Server 2005 R2 SP1 from here. Start the install, and you will probably want to do a custom install and only select the VHDMount tool.

Then, I tried to use the tool via the CLI...but with my fresh Vista SP1 install, UAC was turned on, so I had to open my command prompt in admin mode. The easiest way is to click the Start globe, type cmd in the search box, and hit Ctrl-Shift-Enter (C-S-E is a shortcut to run anything as admin in Vista). After opening an admin prompt, I ran the tool with the /p switch (run vhdmount /? if you want to learn all the switches). But it kept giving me a failed message.

Hunting around the internets, I found a solution. It seems it couldn't "plug in" the VHD file because of a driver issue, and this solves it (at least for me!):

  1. Control Panel -> Hardware -> Install drivers for older devices with Add Hardware wizard (it's hiding in the left panel)

  2. Hit Next and choose the Advanced option, Show All Devices, Have Disk. Point it to the VHDMount install directory (C:\Program Files\Microsoft Virtual Server\Vhdmount\ by default) and have it install vhdbus.inf.

  3. It will install the "Microsoft Virtual Server Storage Bus" device.

  4. Then I had to run vhdmount with the /p switch again. This time it will fail again, BUT Windows will fuss about finding a device it can't find a driver for.

  5. Go to Device Manager (it's in Control Panel), right-click the unhappy device and install the same inf file from above for this device, and voila! It works.

  6. The virtual drive should now automount to the first available drive letter.


I am happy. It works a treat after a bit of finesse.

As a bonus, here is a reg script that will allow you to mount VHD files using the context menu (put this into a file with a .reg extension, save it, and double-click it to merge):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD]
@="Virtual Hard Disk"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell]
@="Plug in"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Plug in]
@="&Plug in"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Plug in\command]
@="\"C:\\Program Files\\Microsoft Virtual Server\\Vhdmount\\vhdmount.exe\" /p \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Unplug (discard changes)]
@="Unplug (&discard changes)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Unplug (discard changes)\command]
@="\"C:\\Program Files\\Microsoft Virtual Server\\Vhdmount\\vhdmount.exe\" /u /d \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Unplug (commit changes)]
@="Unplug (&commit changes)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Virtual.Machine.HD\shell\Unplug (commit changes)\command]
@="\"C:\\Program Files\\Microsoft Virtual Server\\Vhdmount\\vhdmount.exe\" /u /c \"%1\""
[HKEY_CLASSES_ROOT\.vhd]
@="Virtual.Machine.HD"

Thursday, June 19, 2008

Simple Debian Lockdown (for those of you under NESSUS scrutiny)

There are a million ways to lock down a server. I prefer the non-paranoid method, since none of the data I work with is valuable enough to warrant all the extra setup for paranoia mode.

I recommend the following three very simple tasks to lock down your Linux server (specifically Debian Etch).

  1. Prevent root logins from SSH

  2. Turn off ident

  3. Disable RPC (only do this if you do not use NFS)


Preventing root logins via SSH is a good idea for two reasons.

  • It allows you to accurately log who is accessing your system; root can be somewhat anonymous if several people know the password.

  • If someone who does know the root password becomes a threat, you simply have to restrict their username from being granted access (and physical security, of course). This is a lot better than having to change the root password in a pinch (I like not having to update documentation every time someone leaves my company).


Removing ident is merely to make NESSUS complain less. It's not really needed, so let's shut it off.

  • Open /etc/inetd.conf in Vi/Emacs/whatever

  • Comment out the line that begins with ident (just add a # at the beginning of the line)

  • Save the file and restart inetd:  /etc/init.d/inetd restart


Finally, another thing to make NESSUS happy is to disable RPC if you aren't using it (NFS shares, mainly). Simply remove the package portmap from your system. On Debian: apt-get remove portmap
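As an added example (not from the original post), the script below applies the first two steps in a repeatable way and verifies the result. It works on copies of sshd_config and inetd.conf that it constructs itself, so it can be run anywhere without touching the real files; on a live system you would point the functions at /etc/ssh/sshd_config and /etc/inetd.conf and then restart sshd and inetd. The third step stays the apt-get remove portmap command given above. It assumes GNU sed (for -i).

```shell
#!/bin/sh
# Work on throwaway copies so the demo is safe to run as-is.
WORK="$(mktemp -d)"

# Constructed sample sshd_config: note the commented-out directive, which
# must be left alone, and the active one, which must be forced to "no".
cat > "$WORK/sshd_config" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample inetd.conf with an active ident service line.
cat > "$WORK/inetd.conf" <<'EOF'
#:INFO: Info services
ident  stream  tcp  nowait  identd  /usr/sbin/identd  identd
daytime stream tcp nowait root internal
EOF

# Step 1: prevent root logins via SSH. Replaces every active
# PermitRootLogin directive; appends one if the file has none.
disable_root_ssh() {
    f="$1"
    if grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]' "$f"; then
        sed -i -E 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$f"
    else
        printf 'PermitRootLogin no\n' >> "$f"
    fi
}

# Step 2: comment out the ident line in inetd.conf (a leading # disables it).
disable_ident() {
    sed -i -E 's/^([[:space:]]*ident[[:space:]])/#\1/' "$1"
}

# Returns 0 only when root SSH login is off AND no active ident line remains.
check_lockdown() {
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1" || return 1
    ! grep -Eq '^[[:space:]]*ident[[:space:]]' "$2"
}

disable_root_ssh "$WORK/sshd_config"
disable_ident "$WORK/inetd.conf"
check_lockdown "$WORK/sshd_config" "$WORK/inetd.conf" && echo "locked down: $WORK"
```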