(In previous posts I misspoke and claimed they were 1751′s, they are in -fact 1750′s).  The Cisco 1750′s have a slot for Voice Interface Cards, something I’ve not worked with – and something that influenced my purchase of the routers.

PVDM module goes in the top empty slot, DIMM in the right empty slot

I quickly realized I’d need a Digital Signal Processor (PVDM) card (~$90 on ebay) in addition to the VICs – AND I didn’t have enough memory OR flash to run an appropriate IOS image. The Flash upgrade to 32M was appx $30.00, with memory running about the same. Things started to quickly add up.

Right side is where the replaceable Flash goes

Which made me look at the Cisco 2621 also sitting on my work-bench.  Research quickly revealed I was looking at a much more affordable path.  I got a pretty good deal on an NM-2V with 2 FXO cards (ebay – about $115.00 – with the added bonus that the seller lives in my same city, so I saved on shipping and we met in an Aldi’s parking lot):

The NM-2V supports two VIC cards… the FXO (Foreign eXhange Office ~= PSTN origination/termination) and FXS (Foreign eXchange Service ~= provices dialtone service)  cards generally run about $50.00 on ebay, with the NM-2V averaging around $14-$45. So all in all, I paid at or below the average price for the entire package, and it all arrives at the same time. (There are other types of cards as well, but FXO and FXS are the only types I’m concerned with)

My first task is to get enough memory installed in my 2621 to support an IOS image with VOIP and ADSL capabilities. I’d searched around for some time before finding a site that I really like – www.parts-quick.com. They provide full specs on each router, the  max and min memory capabilities, flash upgrades, etc.. and the prices aren’t bad either.

The Glowing Bones of a Cisco 2621

My overall goal is to have one device that handles everything related to the telephone line: DSL termination/bridging, PSTN gateway, and dialtone server – a device I’m affectionately calling “beigebox0″. This will allow me to replace my Zyxel DSL bridge and Linksys PAP-2T, plus actually hook the PBX  into the PSTN. My current layout (an Asterisk box + Linksys PAP-2T)  has only SIP origination/termination, leaving an unused POTS line coming into my house. The new setup will still utilize the Asterisk PBX for voicemail and dialplan processing (as well as long distance over SIP, and an IAX2 trunk to Telephreak) , but use the Cisco 2621 for local call termination (calls in my native ratecenter).

The New Voice Lan (We don't need no stinkin' Visio)

Routing (and PPPoE) will still be handled by the Quagga router.  The Quagga also has a Courier V.32 Voice modem connected to it for troubleshooting dialup POPs, wardialing the 900 or so phone numbers my company owns (for auditing purposes),  and adding a backup connection in the event the DSL line goes dead (of course if dialtone is gone also, I’m out of luck). The modem _could_ be moved over to the 2621′s AUX port, but as all routing occurs at the Quagga, this layout makes more sense.

The link between the 2621 and the PBX could have been done a number of different ways. In the end, I opted to treat the 2621 as being on the WAN side of things, and I am using its management IP for that SIP endpoint. This gives me the ability to filter traffic between the PBX and the “beigebox” at the router. Directly connecting the 2621 to the PBX would reduce hop-count, however also add another location where firewall rules need to be managed and monitored aggressively.

Calls made from the home phone hit the 2621 via the FXS port, and are SIP-ed over the FastEthernet interface through the router and to the PBX.  If the call is long-distance it heads  BACK out the router to my SIP provider, with local calls heading back to the 2621 for connection to the PSTN. All call routing (local and long distance) is determined at the PBX. (The one exception being 911, which is immediately bridged at beigebox0)

Basic flow of an outbound call

Incoming calls from the PSTN (via the FXO voice-port)  will soon be  sent to the PBX for handling – which will initially sends the call back to beigebox0 to ring the home phone (via the FXS port), and following a number of rings sent to voicemail on the PBX.

So far, the layout has functioned perfectly. Next up – finish inbound handling of calls on the PBX (voicemail, etc)

Cisco 2621 config snippet:

hostname beigebox0

voice rtp send-recv
!
voice service voip
sip
bind all source-interface FastEthernet0/0

voice-port 1/0/0
description POTS line
ring number 10
!
voice-port 1/0/1
!
voice-port 1/1/0
description HomePhone
timeouts call-disconnect 10
!
voice-port 1/1/1
description ModemLine
timeouts call-disconnect 10
!

!
!
dial-peer voice 100 pots
description Dialing 411
destination-pattern ^411$
port 1/0/0
!
dial-peer voice 101 pots
description Dialing 911
destination-pattern ^911$
port 1/0/0
!
dial-peer voice 102 voip
description TelePhreak
destination-pattern ^666$
session protocol sipv2
session target sip-server
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
no vad
!
dial-peer voice 200 pots
description PBXManualCallRouting
destination-pattern ^70001…….$
port 1/0/0
forward-digits 7
!

dial-peer voice 300 voip
description PBXConnector
destination-pattern .T
session protocol sipv2
session target sip-server
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
no vad
!
sip-ua
calling-info pstn-to-sip from name set beigebox
calling-info pstn-to-sip from number set 70001
sip-server ipv4:<PBX IP>:5060
!
!
telephony-service

Asterisk sip.conf config snippet:

[beigebox]
type=friend
host=<2621 Management IP>
nat=no
qualify=no
insecure=invite
canreinvite=no
context=beigebox

This is an impressive piece of work.

The book is freely available for download and covers a wide range of wireless topics – including using Solar Energy for power, OLSR for routing, and low-cost tools (including the WiSpy) that can assist in site surveys.

So far I’ve only had a chance to skim the work, but I’m definitely impressed. Now I have some weekend reading to look forward to.

Currently 30 subscribers on the wireless

With an average of 1.75 users online at any given moment:

Users online at any given moment.

I’ve also started working on writing a Netflow analyzer application, based off a similar application I wrote for work.  At the current time, this version  only streams real-time connection endpoints and DNS statistics (last resolved sites, most resolved sites), as well as detects TCP SYN scans. Each flow record is also colorized (similar to what you would see in Wireshark), to further categorize the type of connection.

Instead of calling the gethostbyaddr() function on a destination IP  (which simply pulls a PTR record, and in the world of vhosts is a poor representation of where a user is actually connecting),  subscriber DNS queries are syslogged offsite and parsed.  The Netflow Live application I’m building uses those parsed and stored queries to give a fairly accurate determination of what site is being visited when.

Visited URLs could also be determined and logged  if a transparent Squid proxy was utilized on the Access Points. I have NO intention of doing this, however. I’m only concerned with endpoints and protocols being used. The number one protocol in use on the network:  HTTP (Shocking!)

Netflow Live (streaming recent connections)

For those of you unfamiliar with Netflow, it’s a solution put forth by Cisco for IP traffic profiling. The two main elements are an exporter (usually a router) and a collector (which the exporter sends flow data to). Netflow does not include data  payloads , ONLY a log of the endpoints used in each connection. (Think of it this way: When you make a long distance phone-call, you receive a monthly bill that details your phone number called another phone number at a specific time, for a specific duration. The phone company doesn’t actually have record of the conversation, however).

The data collected does include IP source and destination addresses, Transport layer source and destination ports, byte countes, packet counts, TCP flags, and MAC addresses. (Below is all the fields actually captured)

This is all the data that's actually stored from each connection.

So what does this allow? Utilizing Netflow, I can determine subscribers on the network with certain network signatures for viruses, detect some DoS attacks and SYN scans, and graph the most commonly used protocols on the network.

I can also shape traffic based on determinations made by looking at the data. Is someone experiencing bad Skype calls due to someone streaming video over HTTP? I can use the netflow data to reshape things as needed.

So what’s in the works? Using NetGeo data, I plan on mapping connection endpoints on a US world map, allowing a visual display of where in the world most connections are destined.

Orion Netflow offers the same functionality I'm going for - but at a hefty pricetag.

But next up:  I  need to fix the  bug preventing a software reboot of the access points – hopefully I can get to that this weekend.

Update  6/9/2010:

Jake Wilson pointed out the free NetFlow analyzer Scrutinizer by Plixer. I’ve not had a chance to look it over yet – but check out this video about the product.  I first came across that video a month or two ago… it was like staring at the sun, initially I couldn’t tell if I liked it or not – but I watched it like 20 times that day.  GREAT work guys, catchy AND entertaining.

It was this time last year that my almost successful attempt at rearing an ant colony in a plaster-cast formicarium failed.  Since then, other projects have taken precedence, and all my equipment (test-tubes, tubing, home-made asperators, numerous containers, etc…) have been packed away in the basement). I immediately ran downstairs and grabbed out the first container and spool of tubing I could find.

One of the earlier plaster cast nests

I’m still not entirely sure what killed off the last colony -  only 2 ants hatched prior to them all being found dead.  There’s a couple likely possibilities: I fed them a few pieces of birdseed – learning later that some birdseed contains pesticide; there may have been a lack of oxygen in the formicarium (I was hoping the large amount of evaporating water would provide an ample amount of oxygen), the clay used to form the chambers in the formicarium possibly contained sulphur….

So, I’m picking up and starting all over. The gang at antfarm.yuku.com have put together a great forum on ant care, building formicariums, general tips – AND they do ant identifications.

The New Ant Queen

She appears to have laid a couple eggs.

After providing the pictures and a brief description – it appears this may be Camponotus Pennsylvanicus. (I believe that’s a carpenter ant). Not exactly the best thing to have in one’s house, but I’ve seen no visible wood damage anywhere.

Instead of re-using the former plaster-cast nest, I’m starting over. The plastic box is readily available at the local Michaels Arts and Crafts Store, I purchased 3 initially, so I have another one laying around. To form the chambers in your formicarium, you simply apply clay to the walls. After filling the enclosure with plaster of paris and allowing time for it to dry, you pull the cast out of the box and remove the clay.

Image is of yuku.com member "The Darkwun" applying clay.

My former nest (see the topmost  picture) had a drilled hole to allow for application of water at the base. The top portion (the lid) of the nest had a thermometer and humidity meter. I also had a connector tube allowing me to connect the formicarium to a food scavenging area. The nest itself had many wraparound tunnels going around each side.

My current plans are to keep the exact same idea, although use deeper chambers. Honestly, I couldn’t have been happier with the former nest, but I’d rather not risk the possibility of contamination.

I’ll post pictures of the new build in the coming week. In the meantime take a look at this video of ants farming aphids.

]]> http://www.braindeadprojects.com/blog/what/bow-to-the-new-queen/feed/ 0 http://www.braindeadprojects.com/blog/braindeadtip/ccna-certified/ http://www.braindeadprojects.com/blog/braindeadtip/ccna-certified/#comments Wed, 28 Apr 2010 17:23:21 +0000 admin http://www.braindeadprojects.com/blog/?p=442 Well, it took me long enough to get my ass in gear to do it – but I finally got around to taking the CCNA – and passed on the first attempt.

I’d been planning on doing so for as far back as my last few years in commercial radio, but a level of uncertainty (“What exactly is ON the exam?”) led to my procrastination.

Eventually I came upon the non-credit offering brochure of my local community college, and found they offered a class on what one needs to know and study to pass the CCNA.

The course was fast paced and had an impressive instructor (smart, rarely drifted off topic, had good studying suggestions, and a pretty good sense of humor). It also included a number of materials: Lab manuals, Cisco Certified Network Associate Study Guide (ISBN: 0470110082) by Todd Lamlee, and copies of RouterSim Network Visualizer 6.0 and CertSim. (There was plenty of hands-on lab time as well, including two Saturday workshops).

The  Network Visualizer software  is nice when away from the classroom lab – although I quickly found that I preferred using my home lab instead (something I’d pieced together via ebay over time).

A 2950, 2 1751's, a 26xx (and 2 2900's not pictured)

The home lab consists of a random number of bits: 2 1751′s with T1 CSU/DSU’s (got at a price of $39.00 together off Ebay), a 26xx ($60.00 off Ebay), 2 Cisco 2900XL’s (appx $70 together from Ebay), a 2950XL (about $80.00 off Ebay), 2 Quagga routers, an ImageStream Rebel Router, and a server dedicated to virtual servers (which I used to emulate 7204′s via Dynamips). Yes, a lot of the equipment is old, but it works great.

By the way – you CAN connect the T1 WICs back to back using a T1 crossover cable. Many other types of cards (ADSL cards for instance) don’t allow you to do this.

A T1 crossover cable (Integrated or external CSU/DSU is required)

When away from the house, I quickly become fond of  Dynamips (a Cisco Router emulator based off of QEMU). Only after the exam did I learn the beauty of GNS3, a great front-end for Dynamips that allows one to lay out a network graphically. (Which saves a lot of time as I was previously building everything by hand).

GNS3 - making network simulation easy

When using GNS3, I personally recommend also using PuttyCM to enjoy the use of tabbed Putty connections to your simulated equipment. I believe a youtube video from Train Signal is what ledme to PuttyCM (although it appears they may have been using something slightly different):

This is PuttyCM

As I mentioned, the course provided a few decent pieces of software – the first being Network Visualizer. The biggest pro to Network Visualizer is that it doesn’t require a copy of an IOS image to run a simulated router. It does cause CPU to ramp at times (of course Dynamips does the same thing emulating a device), and it is limited in IOS commands, but for an introductory piece of software, it’s not bad.

This is RouterSim

The real beauty in the RouterSim Suite is CertSim. CertSim is almost the exact same experience one has at taking the actual exam. I’m not sure how many questions are in the CertSim question bank, I only ever came across a very very small number of Simlets though. I should disclose that I actually worked with CertSim for about a day, as I’d not realized I had it:

A realistic simulation of what the CCNA exam is like.

Having plenty of PTO to burn, in the end I decided to schedule my exam on a Monday, and take off the previous Friday. 3 days of nothing but studying (well, I took  breaks here and there to play with my latest toy and grab more coffee) and Monday I got the cert.

Next up? The first of 3 exams for the CCNP.

The Wi-Spy 2.4x

The Wi-Spy 2.4x is a portable USB spectrum analyzer for the 2.4Ghz range (They have other models that cover 900mhz and 2.4/5Ghz). The 2.4x model includes an external antenna (SMA), whereas the 2.4i has an internal antenna only.

The Accompanying Chanalyzer software

With the use of a wireless card, one can overlay SSID’s atop the channels in the Topographical  graph and determine what radiation  belongs to which Access Point. The bottom graph (Planar view) allows one to view which Zigbee channel, wifi channel, or frequency range is most in use.

There’s a similar device on the market which is substantially cheaper, the Airview,  manufactured by Ubiquiti Networks (~$39 vs. ~$160), but from what I’ve seen, the Chanalyzer sofware in use with the Wi-Spy appears to have more features (the ability to record your captures, the ability to overlay RF “fingerprints” of various devices atop your captures), etc. The Airview software is written in Java (Read:  supported in Linux), whereas Chanalyzer is written in .NET (good luck with that one under WINE).

There are Linux tools for use with the Wi-Spy (Spectrum-Tools) which I can defnitely appreciate,  but again the recording/playback and fingerprinting along with SSID overlays really make Chanalyzer nice. (For the record, you can actually record the data using one of the tools in the Spectrum Tools suite… I don’t believe you can playback easily though)

Spectrum Tools: from the author of Kismet

I’m supposed to be working on a number of other things at the moment (studying for an exam being the major item on my to-do list) so unfortunately this post is more of a “guess what I just got” as opposed to a “look at what this can do”.  In the next few weeks, I plan on picking up an AirView also, and will provide a side-by-side comparison of the two.

In the meantime, check out this video advertising the Wi-Spy, and if you have any experience, recommendations or thoughts on it or the AirView – hit me up in the comments.

First off, I’ve moved everything from the Linksys WRT-54GTM devices to an Engenius EOC-2610. The system Atheros AR2315 based. (More pictures here)

An Engenious Naked. Totally hot.

The firmware is still OpenWRT kamikazee (I dumped DD-WRT a while ago on the 54G’s), with a patched version of the NoDogSplash captive portal  (to prevent the graceful exit when a null token is submitted, also to support a “Magic token”, since I don’t truly care about it being the same one issued during the pre-authentication phase).

The only lingering issue relates to my version of the hardware not handling a reboot, which is a known issue apparently related to the kernel’s watchdog driver. There’s already a patch out there, and I plan on implementing it soon. (At present, an “init 6″ will simply cause the unit to stop responding – requiring an actual powercycling) The good news is that I’ve never had to actually reboot the device for any reason.

Other installed packages include NProbe for Netflow export and  SNMP for monitoring/graphing purposes. In all honesty, the build is rather simple but effective. It’s also waterproof – the Engenius EOC-2610 is built for outdoor use – complete with waterproof housing and PoE support (albeit based on the warnings on the PoE injector, I don’t believe it’s 802.3a[ft] compatible)

As of this morning, we’re up to 13 users in the neighborhood. Shortly, I’ll be lighting up the Eastern portion of the neighborhood, which will provide access to a larger number of users.

Oh, and there’s a new look to the portal:

The new Midtown WiFi Theme

The new look is a slight modification to the Lorea Hub Theme, with additional imagery from istockphoto.com.

The LastFM Social Site

You may have noticed the inclusion of my recently listened to tracks on the bottom right side of this screen:

My recently listened to songs.

One of the major benefits to LastFM is it’s API – instead of being tied down to using only the LastFM player to ‘scrobble, I can use pretty much any open-source audio player I want  – and still share my recent tracklist with others. (Googling “pandora API” reveals that as of a few months ago,  Pandora has yet to release an API)

The LastFM player

The open API has allowed a number of really nice applications to be developed – you can AudioScrobble from an IPhone, a BlackBerry, graph your listened-to artists history, etc, etc…

Personally, my most commonly used item is one of the most minimal: an MPlayer CLI wrapper used in conjunction with LastFMSubmitD. This allows me to run my player behind a screen and ‘scrobble at the same time. (And running the player behind a screen gives me the freedom to bounce in and out of X)

MPlayer behind a Screen

Over the years, I’ve been slowly working on digitizing all of my audio library. Initially, I was doing the process using only LAME (especially since I generally prefer a command-line tool for most things), however not having anything to add the ID tags to tracks, I finally migrated to using GRip.

Grip and the Velvet Undergound

Grip allows you to set whatever format string for filenames you want, handles the CDDB lookups and automates ID3 tagging. I generally don’t use the audio player, but it’s there also.

My overall goal is to install an outdoor speaker system in the next few weeks and have my WebpadDT streaming my entire audio library over the wireless from a control point in the kitchen.  The Webpad is ready, the library is 1/3 ripped, now it’s time to find some good speakers.

For years, I used PWManager to store the hundred or so passwords I needed access to. Like most password managers, you have a database file with a master password.  The master password pretty much unlocks everything.

This was PWManager

I really liked PWManager. There were obvious things missing – most importantly a command line or NCurses based way to access your password database. Overall though – I always found it to be solid.

Unfortunately upgrades to my workstation in the last 12 months have rendered it practically useless. (Gentoo went to KDE4, unfortunately PWManager was written for the KDE3 libraries)

I’d searched for a while, evaluating a few open-source password managers before finally settling on KeePassX.

This is KeePassX

KeePassX is based on the QT4 library, has decent search features, and really expands upon what PWManager provided.  When I initially migrated to KeePassX, the one thing that bothered me was the missing “systray-like” ability to right-click on the minimalized application icon, manuever quickly to a group, then username – and copy the selected password into the clipboard.

<Dog learning new trick>In the end, the KeePassX search bar really does provide a quick way to accomplish the exact same thing.</Dog learning new trick>

When you’ve highlighted an entry (after searching for it),  CTRL-B copies the username to the clipboard, CTRL-C copies the password to the clipboard. You can also set expiration dates for passwords, associate URLs and comments to each entry, and select unique icons for various passwords.

Another benefit to KeePassX is its ability to import database files from other password managers. It should be able to import KWallet and PWManager files, although I found that import process didn’t work properly (“Compressed files are not yet supported” when trying to import from PWManager) . Thankfully a former co-worker already scripted the conversion of an exported PWManager CSV password file to a KeePassX XML file, which can then be imported with very little issue.

KeePassX also runs on OSX, Windows, and Linux. (I used to have issues occasionally where I’d have to reboot my dual-boot machine to grab a simple password from PWManager – but not anymore). The cross-platform support also means that I can now share a password database with my girlfriend (which makes paying online bills much easier)

I’d seriously recommend KeePassX to anyone saving their passwords in an easy to read text-file. It’s easy to use, pretty, and it gets the job done. Of course, I’m all ears if someone has a better password management system they’d like to recommend.

One of my classmates recently asked about how I was segmenting off the public wireless from my home LAN. As VLANs, VTPs and PPP were subjects covered in the course, I wrote the following article for the class Wiki:

In the United States, many (but not all) providers use PPPoE to establish the layer 2 connection over ADSL. The upside to this method is increased accountability/manageability, as well as the ability to resell the connection to 3rd parties (For non-resold lines, Telcos are shifting to DHCP-only connections however, as there’s less overhead involved)

Background: Many smaller ISPs use the local Telco DSLAM equipment along with dedicated circuitry and L2TP tunnels back to the smaller ISP routers – which terminate the PPP sessions. In such an instance, connections are routed to individual ISPs based on the realm in the authenticating username [username@realm.com/password]. The smaller ISP can then use their ARIN assigned network to assign globally routed IP addresses.

Working for such an ISP, I often take advantage of this setup – creating new PPPoE username and passwords on our system for individualized connections. Instead of having 3 separate ADSL lines for 3 different Internet connections, I use 1 single ADSL line for 3 different Internet connections. Each “unique” connection has it’s own PPPoE username/password and IP. (The only downside: Each connection shares the bandwidth of the 1 line).

The upside to this configuration is the isolation of Layer 3 – not all connections pass through the same router on my end of the connection. They do, however, pass through the same switch(es) and ADSL modem (however, at layer 2). Instead of worrying about access-lists to prevent different subnets from communicating with each other, I simply worry about inbound traffic from the WAN side on each connection.

My current home layout (simplified here) contains 2 switches. Switch A is located in my office, while Switch B is located where the phone line enters the upstairs. VLAN 2 connects devices directly to the ADSL modem. VLAN1 connects my home LAN to the LAN ethernet of my main home router.

In the above layout, any device connecting to the DSL Link (members of VLAN2), must maintain it’s own PPPoE link to be able to access the Internet. (To simplify this image – imagine that the Wifi router is plugged directly into the DSL modem and configured to connect using PPPoE. Then, imagine the same thing for all members of VLAN 2)

An 802.1q trunk allows the server in my office direct connection to the ADSL modem, and allows my office LAN to connect to the main router (which in turn, routes traffic out the WAN interface PPPoE connection). There are numerous other devices on the LAN.

But why do this???

When I initially decided to provide free wireless access to my neighborhood, I had a few requirements. First of all, I did not want my neighbors connecting to my home LAN. Second, for liability reasons I wanted to the free WIFI to have it’s own globally routed IP address (not an RFC-1918 address NATed with my home static IP). A third requirement was the use of Netflow version 9 to collect various headers from each packet and frame (but not the data payload itself) in the event someone attempted something malicious or a user had major virus issues.

In addition to the WIFI access, on occassion I run dedicated honeypots and malware collectors – obviously servers you want completely isolated from your home LAN.

The above layout is by no means entirely bulletproof, but the added complexity means I don’t have to look over my shoulder as much — and I don’t have to maintain access-lists just for the LAN to live in “separated harmony”