Archive for the ‘Infrastructure Management and Disaster Recovery’ Category

Just proof reading now. Any modifications from now will be to either correct mistakes or remove words. I’m finished with the actual work now.

Only outstanding thing is to finish off the logbook (if required). I’ve done loads of logbook-esque work but not all of it is strictly mapped to the logbook exercises. We’ll just have to wait and see how this goes down.

This Friday: enormous takeaway curry to celebrate, then nearly three weeks of freedom :)

Hi all,

I’m back. I didn’t really go anywhere, but I’ve been too busy writing up my latest assignment to bother with such frivolities as blogging up the place. Respec.

So I have 4,000 words to play with. Three sections:

  • Part 1) Network design and implementation, 40% of the overall mark
  • Part 2) HACME network performance tools, 20%
  • Part 3) HACME security audit, 30%
  • Added value: 10%

By my reckoning that means 1600 words, 800 and 1200 respectively, plus a little in reserve for good times. So what do I do about that then? My Part 1) is already 5000 words and I barely said a thing. Part 2) 4000 words. Part 3) 5000 words. And I’m pretty good at précis writing (believe it or not).

Gah! I’m gonna have to slice up this bad boy to buggery and put all the less-great-than-other-great-stuff in the appendices. Damn you, mathematics!

Steve

1) Install the Microsoft Loopback Adapter as per this guide (Windows 7; the process is similar for other Windows versions):
2) Configure the Loopback Adapter with whatever network settings you like
3) Restart the PC. You cannot continue until you restart the PC.
4) Open up a cmd prompt as administrator and navigate to your GNS3 installation directory, something like this:
D:\Program Files\GNS3\
Run this batch file:
Network device list.cmd
It will come up with something like this:
d:\Program Files\GNS3>"Network device list.cmd"

Network adapters on this machine:

NIO_gen_eth:\Device\NPF_{3B5E3AA6-9CB1-432A-96B8-AAE3A5CDEECB}
Name      : Local Area Connection* 13
Desciption: Anchorfree HSS Adapter

NIO_gen_eth:\Device\NPF_{A4FE4E95-2FA5-459A-9CF5-C5C791E9C56F}
Name      : VMware Network Adapter VMnet1
Desciption: VMware Virtual Ethernet Adapter

NIO_gen_eth:\Device\NPF_{527BED14-BACA-4172-BC91-461E6BF5ADC8}
Name      : VirtualBox Host-Only Network
Desciption: Sun

NIO_gen_eth:\Device\NPF_{666C55DE-B00A-4DCA-8965-BBCAA585B1A2}
Name      : VMware Network Adapter VMnet8
Desciption: VMware Virtual Ethernet Adapter

NIO_gen_eth:\Device\NPF_{43547361-64A5-4F9A-8F9E-FA8AC8566CCF}
Name      : Local Area Connection
Desciption: VIA Rhine II Fast Ethernet Adapter

NIO_gen_eth:\Device\NPF_{93765268-BEF5-4BAC-A09B-761F48BB6861}
Name      : Loopback
Desciption: MS LoopBack Driver

Find your loopback adapter and take note of the last few characters of the long code (i.e. 6861 in this example).

5) Run GNS3 as Administrator.
6) Add a Router and a Cloud.
7) Configure the Cloud. On the NIO Ethernet tab find your loopback device in the dropdown (match the trailing characters of the NPF code you noted in step 4), add it and return to your project.
8) Start the router and configure its interface with an IP address on the same subnet as the one you set on your loopback device (here the loopback is assumed to be 10.10.10.1/24). The interface also needs a ‘no shutdown’, which a fresh Dynamips router will not have:
interface FastEthernet0/0
 description Link to host loopback adapter
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 no shutdown
That’s it! Ping from the router to your desktop and vice versa to prove connectivity. You can now use GNS3 and Dynamips as real routers on your home network, and can make VMs talk to your virtual routers, enabling you to perform network monitoring at home without needing lab access.

I chose to use PuTTY for my console access because it’s the one I’m most familiar with. Here’s how I set it up:

Just to prove that GNS3 and Dynamips is working correctly I put together a really simple network with dynamic routes using OSPF. Got it talking within minutes, which is great news. However…

…Dynamips is too resource-hungry for my old PC. It uses all my CPU all the time, making it impossible to build a sizeable network in my environment.
Today I will undertake a simple experiment to achieve something that’s impossible in Packet Tracer: prove that HSRP works. (Packet Tracer 5.3 doesn’t support HSRP.) This means that R4 and R5 are equivalent to each other and one can take over if the other fails. They have their own IPs but share an HSRP virtual IP address. It is this address which is used by the rest of the network, meaning that other devices don’t need to be reconfigured in the event of an R4/R5 failure.

Simple network where R4 and R5 should be in the HSRP pool, and R6 wants to communicate with one of them
R4 has the higher priority, so it is the active router and carries all the traffic while it is available; R5 sits in standby. The above screenshot shows each router’s config. I have proven complete communication between all three.
The HSRP virtual IP 192.168.0.1 sits in front of the routers’ own addresses, 192.168.0.2 and 192.168.0.3.
Experiment by switching off R4: R5 takes over.
Switch off R5: no service
Switch R4 back on again: we get a response again. Success!
Simple, but it shows how easy it is to build in resilience, assuming you have the money to double up your devices. Other things to think about are the cables. There’s no good in building resilience into your devices unless you also have resilient power and communication lines. The old classic ‘man in digger breaks your cables’ scenario would take out everything to the left of the switch unless you had an alternative physical route. The same is true for power: if R4 and R5 use the same power source and that goes down, what benefit did you gain from having resilient devices?
Two more caveats. Failover is not instantaneous: with HSRP’s default timers (3-second hellos, 10-second hold time) the standby waits up to 10 seconds before taking over, so tune the timers if that matters. And HSRP hellos are unauthenticated by default, so any host on the segment that sends hellos with a higher priority becomes active and owns the virtual IP; enable MD5 authentication on the group. Another issue is configuration management: R4 and R5 need to be kept in sync at all times for failover to work seamlessly.
This is a good example of how to build simple resilience in a small network, but on a large scale you’ll be thinking about GLBP or dedicated hardware load balancer devices.
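The router configuration the screenshot would have shown, written out here as an added example rather than the original post’s config. It assumes HSRP group 1, R4 at 192.168.0.2 and R5 at 192.168.0.3 on FastEthernet0/0 facing R6, and an uplink FastEthernet0/1 on each router whose state is worth tracking; the faster timers, uplink tracking and MD5 authentication are additions the post does not mention. The key string is a placeholder.

```cisco
! R4: intended active router (higher priority, preempts when it comes back)
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 timers 1 3
 ! drop priority by 20 if the uplink dies, so R5 (100) takes over
 standby 1 track FastEthernet0/1 20
 standby 1 authentication md5 key-string CHANGE-ME-hsrp-key
 no shutdown
!
! R5: standby router, same group and virtual IP, lower priority
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 track FastEthernet0/1 20
 standby 1 authentication md5 key-string CHANGE-ME-hsrp-key
 no shutdown
!
! R6: only ever points at the virtual address, never at R4 or R5 directly
ip route 0.0.0.0 0.0.0.0 192.168.0.1
```

Check the election with ‘show standby brief’ on both routers: R4 should report Active and R5 Standby. Shut down R4’s FastEthernet0/0 and R5 should go Active within the 3-second hold time rather than the 10-second default; bring R4 back and preempt hands the virtual IP back to it. Without the track line, losing R4’s uplink leaves R4 active but black-holing traffic, which is the failure HSRP alone does not catch.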
Tomorrow I will hook up Dynamips to my local network and show how my VM devices can communicate with each other via my virtual Dynamips devices. But I will leave GNS3 after this because it’s just too slow on my computer.

Steve

Hi all,

Just a little tip for you. After installing the HACME Bank application in your XP SP3 VM there is a final configuration step you’ll need to undertake which I haven’t seen documented elsewhere.

By default IIS 5.1 is limited to 10 concurrent HTTP connections. This is because IIS on an XP machine isn’t intended for production use, so Microsoft discourages that by setting the connection limit unusably low. The cap can be raised to 40 via the MaxConnections metabase property, but no higher; the more useful change is to turn off ‘HTTP keep-alive’ so that clients cannot hold persistent connections open, which reduces the likelihood of using up all the available connections. If you do use them up you’ll get a 403.9 response (too many users). Note that Integrated Windows authentication depends on keep-alive, so don’t do this on a site that relies on it; Hacme Bank’s own login form is unaffected.

Just go into Control Panel/Administrative Tools/IIS, navigate to the top level of your website, right-click, choose Properties and untick ‘HTTP keep-alive enabled’.

I’m getting a little bit bored/frustrated with my network topology. I think I might leave it as it is for a bit and get on with some of the other assignment work.

So far I’ve built a full mesh WAN using VPN within GRE for OSPF propagation. My segregation is totally based on subnetting – I might consider VLANs at some point, but I think this might be going a bit beyond the brief. I might even consider a DMZ just for the experience of setting one up, but there’s no firewall device simulation in Packet Tracer so I’d end up getting in knots with ACLs – a prospect that does not melt my butter, I must admit. I’ve got my single PAT/NAT link to the public internet working nicely. Well, as per the brief anyway: poor little Joey in London who wants to post pictures of his drunken friends on The Face Books (is this what it’s called?) has to do so by squirting all his traffic across the Atlantic and back again. A bit of a pain.

I’ve got a few apps working too. Web server, FTP, HTTP/S, DHCP and DNS. Just makes the simulation a little more realistic. Wifi is working too, but I’m struggling to get DHCP working across subnets. The helper-address hands on packets as expected, but the basic DHCP engine in Packet Tracer is only able to allocate IP addresses based on the perceived source of the request, not the actual source, therefore it always tries to allocate local IP addresses to the remote subnet. I guess in the real world you’d either have a decent DHCP system or wrap the whole thing up in a VLAN so the physical subnets don’t matter.
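How a real DHCP server chooses the pool for a relayed request, as an added example that is not from the original post: the relay router writes its own receiving interface address into the giaddr field, and the server matches that against the network of each pool, so the remote subnet gets remote addresses. The addressing (central site 10.1.0.0/24 with the DHCP server router at 10.1.0.5, remote site 10.2.0.0/24) and interface names are assumed.

```cisco
! Central-site router acting as DHCP server: one pool per subnet.
! A request relayed with giaddr 10.2.0.1 matches pool REMOTE, not LOCAL.
ip dhcp excluded-address 10.1.0.1 10.1.0.10
ip dhcp excluded-address 10.2.0.1 10.2.0.10
ip dhcp pool LOCAL
 network 10.1.0.0 255.255.255.0
 default-router 10.1.0.1
 dns-server 10.1.0.5
ip dhcp pool REMOTE
 network 10.2.0.0 255.255.255.0
 default-router 10.2.0.1
 dns-server 10.1.0.5
!
! Remote-site router: relay the broadcast DISCOVER to the server as unicast.
! giaddr becomes 10.2.0.1, which is what selects the REMOTE pool.
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.1.0.5
 no shutdown
!
! ip helper-address also forwards TFTP, DNS, time, NetBIOS and TACACS
! broadcasts by default; switch off the ones you do not want relayed.
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 49
```

Confirm with ‘show ip dhcp binding’ on the server: remote clients should appear with 10.2.0.x addresses. The forward-protocol lines are the hygiene step most people skip; a helper address that also relays NetBIOS and TFTP quietly widens the broadcast domain across the WAN.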

I also extended my model to include a couple of the suggested six additional remote sites. However, rather than go for full mesh I surmised that HACME Bank Corporation might like to consider a managed service (i.e. hub/spoke) with routing occurring in the Cloud. In the real world this decision would be a trade-off between cost, security, availability and complexity. It is a bank, so security is likely to be high on the agenda, but it’s also very small – fewer than 3,000 staff worldwide – so maybe they don’t have the cash to be so selective.

Anyway, like I said, I’m getting bored of burning time fixing the small problems I have. Fundamentally the topology is good and it works. So for the next week or so I’m going to turn my attention to network monitoring and vulnerability testing.

Then follows the not inconsiderable task of writing this all up. Good luck to my peers who have yet to even read the assignment. (I’m not joking here. There’s a chilling wind of apathy blowing across a faction of my cohort. Considering I’ve been putting in at least 4 hours a day for four weeks on this, I fail to see how it’s possible to do the subject matter justice in the six weeks we have remaining before hand-in.)

I have a little problem. I can’t work out how to make my default route resilient to various connections going down.

Take the simple example below of a full mesh WAN. Routers 0, 1 and 2 all carry private network IPs managed via OSPF. Router 0 is connected to Router 3, which is the internet (via NAT/PAT). This is the only route to the internet for all devices.

Private network communications are kept working in the event of a failure. I.e. if the connection between R0 and R2 fails, R2 can still communicate with R0 via R1 for private traffic. However, what if R1 or R2 needs to get out to the internet?

I have static default routes on R1 and R2 which point to R0. In the event of a failure that static route might not be available, so I’d want it to switch instantly to the other router, which will then forward on the traffic. However, I can’t manage this with OSPF (I think) because it’s unknown, public traffic.

If I set two static default routes then 50% of the traffic will succeed (round robin), but this isn’t what I want. I want my default route to switch when unavailability is detected.

What am I missing?
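One answer to the question above, as an added example that is not part of the original post. The missing piece is that OSPF can carry the default route itself: R0 originates 0.0.0.0/0 into the area, R1 and R2 learn it dynamically, and when the R1–R0 link drops OSPF reconverges and the default follows the surviving path via R2 with no static route involved. The second option keeps a static default but ties it to reachability tracking. Next-hop addresses (203.0.113.1 for R3, 10.0.0.1 for R0 as seen from R1, 10.0.1.1 for R2 as seen from R1), interface names and OSPF process 1 are all assumed.

```cisco
! --- Option A: let OSPF distribute the default route (works in Packet Tracer) ---
! R0, the only router with a path to the internet (R3 via NAT/PAT)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
router ospf 1
 ! advertise 0.0.0.0/0 to the area, but only while R0 itself has a default
 default-information originate
!
! R1 and R2: remove the hard-coded static default and use the OSPF-learned one.
! OSPF's normal reconvergence then handles any single link failure.
no ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! --- Option B (on R1): floating static default with reachability tracking ---
! probe R0 every 5 seconds; target something beyond the directly connected
! link if you also want to catch failures further upstream
ip sla 1
 icmp-echo 10.0.0.1 source-interface Serial0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! primary default stays in the table only while track 1 is up ...
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
! ... and the backup via R2, administrative distance 10, floats in when it is withdrawn
ip route 0.0.0.0 0.0.0.0 10.0.1.1 10
```

With Option A, ‘show ip route’ on R1 shows the default as an O*E2 entry whose next hop changes when a link fails; because ‘default-information originate’ is used without ‘always’, the advertisement is withdrawn if R0 loses its own route to R3, which stops R1 and R2 sending internet traffic into a black hole. Option B needs the mirror-image config on R2 and an IOS release with IP SLA, which older Packet Tracer versions lack; two plain statics of equal distance give the round-robin split described above, not failover.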