CCNA Lab #3

One more CCNA R/S lab for those folks still following my data rant.  Configure this one up the best you can and get it working in record time.

And here are the instructions:

I'm going to record me doing this lab so that people can follow along.  Keep in mind this might be a bit long as I'm bound to make mistakes.  I think this will help out those who need it though.  Recording will be posted once I get it made and uploaded.

Apparently I am not going to be able to record the session at the moment.  Windows as usual is acting up and making life difficult.  I will still try to get it recorded but I am not making any promises.  I may have to get this complete on my iMac since I never have issues on OS X.

UPDATE: I made a boo boo and Oklahoma should be 192.168.3.0 /26 and 192.168.3.64 /26.

A revisit on SIP

Month's ago I had put a post up on the basics of SIP and said that I was later going to get a little more in detail on the protocol. That post was mainly a very high level view with the core components. Now what I would like to do is take it one step further and start explaining some of the headers and how to read the SIP messages correctly.

I think one of the biggest issues with SIP is the pure amount of messages that are sent for every transaction.  Every time you setup a call you get an INVITE, every time you go on hold, INVITES are sent with certain SDP characteristics announcing a hold status so the call doesn't get torn down.  Every time something registers you get a REGISTER message.  Basically, everything is recorded down on what is going on.

Below is a basic SIP header from an INVITE, we will go over each header field that is relevant and annotate which ones are mandatory.  The thing is with SIP, you are required to have certain SIP headers regardless of what is going on.  While others may be optional, headers like To:, From:, Via:, Call-ID:, etc. are all necessary components to the SIP protocol.

INVITE sip:3212@10.0.0.153:5060;user=phone SIP/2.0

Via: SIP/2.0/UDP 10.0.0.4:5060;branch=z9hG4bKs3uc2t20dgj04lkn51s1.1

From: <sip:2226541300@10.0.1.3:51088;user=phone>;tag=127.0.0.1+1+a5380157+652ceee3

To: <sip:3212@97.208.31.204:5060;user=phone>

CSeq: 818076443 INVITE

Expires: 180

Min-SE: 3600

Session-Expires: 3600

Supported: replaces, timer

Content-Length: 313

Request-Disposition: fork, sequential

Allow: INVITE, BYE, REGISTER, ACK, OPTIONS, CANCEL, SUBSCRIBE, NOTIFY, PRACK, INFO, REFER, UPDATE

Call-ID: 9AB0E358-1FFEC2pzsxRAnf9OsjW3of1wROpUYiBxisHiIwiB6zBrtY79UsAJ92FonzIYhJx1BEJKAr

P-Asserted-Identity: <sip:2226541300@10.0.1.3;user=phone>

Privacy: none

Max-Forwards: 66

Contact: <sip:2226541300@10.0.1.3;user=phone>

Content-Type: application/sdp

User-Agent: Alcatel-Lucent 5020 MGC-8 8.1.0.11.SP1.1

v=0

o=root 2085757204 2085757204 IN IP4 10.0.0.4

s=session

c=IN IP4 10.0.0.4

t=0 0

m=audio 34732 RTP/AVP 0 8 18 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

a=silenceSupp:off - - - -

a=ptime:20

a=sendrecv

So with the above, I highlighted a few lines that I will go over.  First and foremost this is a INVITE meaning an endpoint is sending a request.  I am capitalizing this information because all requests are always CAPITALIZED, and will always get a response back, regardless if it is a success or failure.  The six requests that you can get in SIP are INVITE, CANCEL, BYE, REGISTER, ACK, and OPTIONS.  Responses would be something like a 200 ok, ringing, trying, etc.  These are always in response to a SIP REQUEST.  Now, yes I know there are others like a PRACK and SUBSCRIBE but those are not the six main requests/methods.  Again, everything starting in CAPITAL letters is a request and anything starting with a number is a response such as a 180 ringing.  See below for a response to a SIP request.  Please note this one does not coincide with the SIP message I posted above.

SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 182.168.250.49:5060;branch=z9hG4bK786d156c;rport=5060
Contact: <sip:9011@182.168.246.213:35134;rinstance=7af05ded7e7e49e6>
To: <sip:9011@182.168.246.213:35134;rinstance=7af05ded7e7e49e6>;tag=9a00d038
From: "9012"<sip:9012@182.168.250.49>;tag=as66995cd4
Call-ID: 7cebe5d1060b11452571a22e0e2cb919@192.168.250.49
CSeq: 102 INVITE
User-Agent: X-Lite release 1002tx stamp 29712
Content-Length: 0

Now I wish I had a way of generating some SIP traffic right now but I don't have access to a test lab for SIP at the moment since my demo license expired and I'm not in the habit of using a production network for labbing and testing unless absolutely necessary.  Anyways, as you can see, the above message is a response as it starts with a number and generally is not capitalized.  You still see all the same basic headers here only without the SDP.  Please note these are SIP messages I have used from the web and I have changed some of the information intentionally just in case there is a confidentiality issue.

Now a bit more on the OPTIONS request.  This is becoming more and more common as we move forward into a pure IP telephony environment.  Amongst other things, OPTIONS is used heavily for something called an OPTIONS PING which monitors the status of a egress point on a gateway.  If it doesn't respond it can mark it as dead and go out another route.  The great thing about this is, before SIP, this wasn't really possible and you have to wait for timeouts to occur in the H.323 and MGCP world or worse, manually change it over.  The rest of the requests I have already gone over in the other post and can be easily discovered on the web.  At this point, I am assuming you have a high level knowledge of SIP. 

I'd like to go over some of the SDP markers in the first SIP message.  As you can see, it is quite extensive.  The bad part is, with voice, video, and presentations that list will double in size to create even more of an eye sore.  Starting with the "c=" line in the SDP we can see an IP address and that it is IPv4.  This line identifies where media is coming from and where it should be sent to.  This can be a good place to look to make sure that your network is working the way it should be.

Originator or "o=" is an indicator of who is initiating the connection.  This has a username (if applicable), their IP, and who they are.  It is as simple as that.  There are more stipulations as to how the field should be populated and those can be found in RFC 4566 if you want to get into the nitty gritty.

Next is the all important "a=" line which marks what codecs you are going to be advertising and accepting.  PCMA/8000 is G.711a-law and PCMU/8000 is G.711u-law.  In the United States we use u-law inclusively. Another way to remember it is u-law for the U<---nited States.  (Thanks Jeremy Ciaroa for that one!).  Other codecs can also be listed here like G729 as listed above, iLBC, etc.  

You will also see things like "a=sendrcv".  This can be an indication of what is going on with the media.  Is it expecting to send only, receive only, do both, or go inactive completely?  There are four different  attributes in this particular that you will commonly see:

1. a=sendrecv
2. a=sendonly
3. a=recvonly
4. a=inactive

Normally, in a hold situation you will see a a=sendonly followed by a response of a=recvonly.  This is indicative of a stream going on hold.  A new transaction is sent just for the hold feature.  Now, this isn't the only time you will see these tags but the most common in a phone environment is hold/resume.  so why is one send only and the other receive only?  Well the user placing someone on hold is presumed to be send only because they are going to be streaming music on hold from CUCM or something of the sort while the distant end will only be receiving and not sending and voice packets back.  You should only see your RX on your Cisco phone bumping substantially during this time.  The other possiblity during a hold session is a=inactive.  This indicates nothing is being sent or received and basically dead air is all that remains.  SIP has to maintain the connection somehow, so you will continue to see SIP INVITES and 200 ok messages with a=inactive until the session is resumed.  How else would you maintain that call?

Well, looking at everything above I think I will cut this post here.  I will continue on with more headers and SDP lines in a future post.  I don't want to risk someone falling asleep on me now since it is imperative you understand SIP as the replacement technology for H.323...if we were get there in our lifetime.  It seems like PRIs are still everywhere while SIP is being slowly implemented in more and more places.

GNS3 CCNA R/S Lab #2

EDIT: Note that I made a change to the topology. I decided two links to Salado was stupid since if that core went down Jim was hosed. Still create GLBP links on the inside but instead connect to Austin as the new image shows. Yep, still studying for the new CCNA R/S and whipped up a second lab that you can try on your own and see how far you get. This one is a little more complex than the other one. Also, on the other one, if the texas remote office couldn't ping across its because I had a tunnel setup and the remote computer had to send an ICMP or some sort of data to the distant end before the crypto tunnel would stand up. See below for the latest lab image. I won't bother adding in configs for you as this is supposed to be done from the ground up. I may add more to this later, I can't think of any exam objectives I would be missing at this point other than switching with STP/SRTP/PVST+....Come to think of it, I will post a file when I am 100% satisfied I have configured this lab to my satisfaction so you can get a working model and compare.



Please note that this lab may require in excess of 3-5 GB of RAM. My laptop has 8 GB and I was sitting right around 5.16 GB of RAM chewed up from this lab. I'm not taking into account all of my other programs open however, I had email, a ticketing system, and notepad++ open. For Jim's network, it is up to you to design a proper subnet for the GLBP and WAN links. Part of learning is doing something yourself! Whip up a DHCP server while you are at it for him too. IPv6 lab will be coming soon.

• ensure the line console doesn't interrupt your typing
• setup telnet and ssh except Salado-Exec, ssh should only be enabled for this gateway
• configure both the console and vty lines for a password of cisco and enforce logging in
• create a username of cisco and a secret password of cisco
• create a secret enable password of cisco
• make sure random words don't force DNS lookups if you make a mistake typing
• configure all ip interfaces as shown
• configure EIGRP in AS 1 and only send hello packets on interfaces that you own or networks that are completely behind the GW you are on
• Configure the frame relay interfaces according to the DLCI chart
• Configure the frame relay switch
• EIGRP should be establishing adjacencies at this point, verify by pinging across
• configure DHCP for 10.x.x.x networks and exclude .1 to .9 while setting DNS to 8.8.8.8 and the default-router to the .1 address
• make sure all clients get their respective DHCP addresses and other information such as gateway and dns
• configure NAT for the additional router added into the Salado portion to use PAT, ensure nat translations are occuring on the inside global address to the inside local
• configure GLBP for Jim's setup and ensure the timers are set to miliseconds of 50 and 160 dead
• configure static routes for Jim's network to Salado-Exec and beyond
• configure default routes that all point to Corp-HQ in case a route is not known
• configure a proper route in the correct gateways to ensure data gets routed statically to Jim's computer since he is a loner and no one likes him
• configure eigrp md5 authentication between corp HQ and all other cores
• configure PPP Chap between Jim's GWs
• deny telnet to all gateways except from the engineers and IT networks
• deny ssh to all gateways except from the engineers and IT networks
• ONLY deny the CEO and CFO, permit the CTO to do his job with all engineering tasks like icmp, telnet,ssh
• deny ICMP on all host networks except IT and engineering
• deny http traffic from the corp sales department, they are committing shenangians on youtube

A CCNA Lab for those that need extra practice

I've already had my rant about not knowing CCNA R/S for new engineers or even existing ones. After several weeks of intense study I think I will be ready to go sit the new CCNA R/S exam. Yes I know, some may say it is easy, and I'm sure it is for those that do data all the time but I am a UC guy that is sliding back into the data realm slowly. Bottom line is, I miss data and all the cool routing and wireshark captures to find out problems and ways to fix them. I spent some time today finishing up a lab that I had made from scratch that tests most of the CCNA topics but not all. STP is difficult since you can't replicate the ASICS and I don't have an router IOS with a switch module to at least attempt to get STP up. I also haven't implemented GLBP / HSRP/ VRRP either even though they are fairly straight forward. I probably will add to the diagram but my back is killing me today and I haven't been in the mood to really build anything new aside from what I have already done. The below image is what I challenge you to replicate and get working 100% of the way.



At a minimum, here is what you need to configure:

1. Connect all devices as shown
2. Configure all ports with approrpriate addresses and bring them online
3. Configure ssh access only with a password of cisco
4. Configure a username of cisco and secret of cisco
5. Configure an enable secret of cisco
6. Ensure that the routers will not mistaken letters for DNS names
7. Disable enable timeouts
8. Set hosts with IPs so you can use their names instead of IP addresses
9. Configure EIGRP and advertise networks based on subnet with no automatic summarization, do not configure Canada nor advertise its networks!
10. Exclude the first 10 addresses in all ranges in the private networks for DHCP
11. Configure DHCP for all Offices with a /24 subnet based on the network assigned
12. Assign default routes to point to the local primary gateway of each site (not the office GWs)
13. Ensure all PCs get their DHCP addresses assigned to them and they can ping to their local GW
14. Configure the Frame Relay DLCIs as shown and map them as indicated
15. The FR-Switch should not have any other configuration as it is acting like a cloud
16. Assign static routes to get to Canada based on location (Texas will be a end all be all GW if other primary gateways don't know the correct path
17. Configure NAT for Canada to use the internet IP with PAT
18. Ensure all devices can ping to the private network in Canada
19. Ensure Canada can ping from internal to any CORP based internal IP (i.e. 10.0.3.11, 10.0.0.1)
20. Configure EIGRP md5 authentication for all links
21. Make sure that any loopback interfaces assigned are being seen as their subnet in the routing tables
22. Block all telnet traffic from all locations except Texas
23. Block all SSH traffic on private LANs on all sites except Texas
24. Verify NAT on the Canada GW
25. Enable password encrpytion globally so that any plain text passwords are garbled at minimum security.

If you can do the above without having to look anything up, you are probably good to go or still competent in data. I myself had to look up how to do md5 authentication because it's just not something I do everyday...or at all really. I'm not a network engineer I'm a UC engineer. I challenge you to complete this as fast as you can and report your times with honesty. I will probably wipe this entire topology and start from scratch and do a YouTube recording when I get the chance. I want to see how fast I can go under pressure and what I do and do not forget. Keep in mind I set all DLCI interfaces to a /24, you can modify as you want.

The Importance of CCNA in the UC Realm

I've been on my soapbox before about knowing data if you are going to be a specialty engineer, whether that be UC, wireless, security, data-center, or whatever else. I had some time on my hands so I built out a nice GNS3 lab to test my data skills. Granted I did cheat a bit since I had gone through the new CCNA R/S course on CBT nuggets, but it is still necessary to know the underlying foundation. My biggest gripe right now is that Cisco wiped out the need for a CCNA R/S as a pre-requisite to CCNA Collab and CCNP Collab. With this new road map, new engineers will be coming into the field for UC not knowing the different between router and switch. Ok, maybe that was a bit too much, but still, the problem remains. Ask them to troubleshoot STP or check a VLAN and you are going to get a blank stare. Anyways, below is a GNS3 image of what I built out. It is still a work in progress and I plan on using this to gauge other engineers's capabilities with data.

The above diagram hosts a variety of different situations that need to be configured. All the internal sites are using OSPF and the WAN connections are using EIGRP. Yes, I could have used OSPF or EIGRP across the board but part of knowing CCNA R/S is route redistribution. Thus, I used two protocol for that part. The other part is the connection to the ISP, I have a static route in place but also put in BGP as I plan on expanding that diagram to another company and bridging together from there. While BGP really isn't touched on much in the CCNA world, it is still mentioned since it is heavily used at the provider level. Additionally, different networks for each gateway per floor that go in sequence as well as ACLs to limit ICMP, web access, ssh, and telnet accordingly. Finally, when egressing to the internet, all gateways will NAT to their public IP (once I get the other ISP gateways put in there). I will also probably add some security on the routers for neighbor authentication for the hell of it as well. It's stuff like this that is important, if the ASICs could be emulated I would be running real switches as well. The switch modules available can do the job though if I really wanted to run STP and get a loop free topology while using etherchannel. Just in case anyone is doubting the configuration:

I know this wasn't really voice related and more of a rant, but I haven't run into anything interesting or different on CUCM lately. I'll try to break something on accident and post about it :)