Cisco CCNA – ICDN1 – Study notes


  • Global Unicast
    • Public IPV6 address – equivalent to public IPV4
  • Link-Local
    • Local network only IPV6 address (within one subnet) – FE80::/10 to FEBF::00/10
    • if not given an address, device will autogenerate one based on the MAC address of the interface
    • Generally used as the def-gw for most devices.
  • Unique local
    • Like private IPv4 addresses. Will not be forwarded by routers
    • FC00::/7 to FDFF::/7
  • IPv6 Multicast
    • Assigned
      • FF02::1 – All nodes multicast – all devices with ipv6 enabled will join the group. Used for RA and RS messages.
      • FF02::2 – All routers multicast –  All routers with “ipv6 unicast-routing” will join the group.
    • Sollicited node
      • Based on ethernet MAC NIC to be received by all hosts but only processed by the one with the matching MAC address.
  • SLAAC – RA message option 1
    • Stateless Address Autoconfiguration.
    • Router RA – Router Advertisement –  message broadcast – every 200 seconds – Also when receiving Router Solicitation message.
    • Contains network prefix and length, Def GW, DNS address and domain name.
  • SLAAC and DHCPv6 – RA message option 2
    • Same as just SLAAC but suggests a DHCPv6 server that feeds the DNS server and domain name information only.
  • DHCPv6 only – RA message option 3
    • Link-local for def GW.
    • DHCPv6 server for Global Unicast, DNS and domain name and everything else.
    • Cannot provide def-gw.
  • EUI64
    • Option 1 and option 2 RA.
    • Uses the MAC address to create a interface address.
    • FF:FE in the middle portion of the IPv6 address.
    • DAD – Duplicate Address Detection – Send NS if no NA received, the address is free to be used.
  • IPv6 Neighbor Solicitation – NS
    • When you know the ipv6 unicast but don’t know the MAC address of the end device.
  • Ipv6 Neighbor Advertisement – NA
    • Message replied when receiving a NS. Contains the MAC address of the sending device.

Ansible & Cisco – Automating configuration management.

Configuring network equipment has always been somewhat of a tedious affair. Copy and pasting a configuration file through the console port doesn’t scale (or you need a lot of interns!) and other solutions like Cisco Prime are slightly overkill if you only want to change a few lines of configuration.

This is where Ansible comes to the rescue. Originally built as a Linux Configuration Management Tool, in the vein of Chef/Puppet/Salt, it’s built around an SSH agent-less push model. Directly using the SSH connection, it’s remotely executing command you define in “Playbooks” This is why it’s a great fit when it comes to network devices as those are still telnet/SSH based. API/Netconf are starting to be more and more common, but SSH is still present. Especially on older network equipment.

Recently, Ansible has been augmented with a series of module that allow a network operator to leverage Ansible to deploy configuration to remote equipment. For example, if you just realized that your template is mysteriously missing NTP, Syslog and SNMP configuration and there are about 40 pieces of equipment deployed – I’m not saying this totally happened to us – Ansible is here to help.

The following playbook does the following :

  • Define a role : cisco-ios-common – which holds all the default configuration that is used by our devices.
  • In our case, the SSH connection is initiated from the sysadmin computer running the playbook – but it can be adapted to run from a bastion host.
  • No need to gather facts.
  • Create the variable holding the credentials necessary for accessing the equipment.

The actual file with the tasks is fairly simple.

This is literally lines that are parsed from the “show running-config” command and compared to each task. If it’s not there, it’s added or changed . In this case, we configure the RO SNMP community and the NTP server. To be extra careful, we also take a backup of the running-config before applying the changes. Using the “provider” statement, we are referencing the variables defined in the playbook file. All other private variables can be stored in an Ansible vault file and encrypted.

With the appropriate inventory file I was able to quickly fix our deployment mistake without manually connecting to every single switch.


Layer 2 security @ Lan ETS

The network team @ Lan ETS helps design and build the infrastructure for one of the biggest LAN event in North America. Over a weekend, over 2000 players will stress our infrastructure to it’s limits. This is some of our observations and lessons.

Ask anyone working in network security if allowing 4000 unknown and untrusted devices on your network is a good idea and you’ll get a chuckle and a “Wait, did you do that?”

This a very common challenge in LAN events, where we host over 2000 players over a 72 hours gaming session. Add wired and wifi devices and you get a large amount of strange devices entering your network. We have very little control over the type of devices that players bring and we need to have mechanisms in place to protect our network.

Here are a few of the tools and configs we use during the event.

DHCP Snooping

DHCP is the process by which a computer asks for a IP address and is given one by a DHCP server. Without a functioning DHCP server, computers connected to the network would have to be configured manually which is impossible with our type of event.

While extremely useful, DHCP can also be used by malicious attackers. The DHCP snooping mechanism allows us to prevent attackers from hosting their own DHCP server while on our network. Basically, we configure specific ports as “trusted”, usually our uplinks, as a source of DHCP OFFERS message type. Ports used by players become “untrusted” after enabling DHCP snooping. This means that an attacker hosting his own rogue DHCP server will never see his fake OFFERS reaching any other players. At the same time, OFFER DHCP messages will safely transit from our network core to the device.

DHCP Snooping does a bit more than just deal with the request portion of the DHCP protocol, but it’s a must-have configuration when it comes to any network. With DHCP being based mostly around broadcast message types, DHCP snooping allows you to cut down on traffic leaking to other ports. The less an attacker knows, the better.

Port-Security – Mac address limit

We also limit the number of MAC addresses per port. While we don’t necessarily mind players bringing several devices, we provide a single port per player for a console or a computer. This is mostly to prevent extreme cases where players bring their own switch (or hubs!) and connect all their friends. While not technically wrong, we offer up to a Gbit port to each player, we see no reason for players to not enjoy the full speed of the network.

This configuration will also prevent attackers from requesting too many IPs from our DHCP server by hosting dozens of Virtual Machines on his machine. This could technically prevent other legitimate players from obtaining leases from the DHCP server.

Here is a configuration snippet. We limit the MAC addresses per port to 2 and any extra MAC address traffic is dropped while the initial 2 can still pass through. This allows players to experience the network without any interruption even if they trip over the limit. We can then take action as we log all events and review throughout the event.

BPDU Guard

There are things you never want to hear when running a LAN event. “They cut the fiber in the ceiling” – “Someone dropped his lunch on the core router” and “I think we have a loop somewhere”. Loops in a network are messy. Due to the somewhat spam-ish tendency of modern networks with broadcast traffic, a single loop can sometimes bring the entire network to it’s knees as traffic is forwarded in a back and forth.

With over 30 kilometers of optical fiber and Ethernet cables and a setup spanning 20 or so hours, it’s easy to lose sight of where cables go. It takes a single moment of inattention to plug a cable back into the same switch it’s from or to create a loop by pulling a second uplink from the same switch.

Fortunately, there is something called “BPDU Guard” that can be used as a first line of defense against loops. A “BPDU”, or a Bridge Protocol Data Unit, is a packet used in the creation of a “Spanning Tree” topology which provides a loop free network when properly designed.

Our network features a topology where end-users are provided a single port for a single device which allows us to enable BPDU Guard on ports used by players. This way, there can be no mistakes when plugging in the equipment as a port receiving a BPDU packet will automatically shutdown. It also protects us against a player bringing his own Spanning-Tree aware equipment. This is also addressed with the MAC addresses limit per port.

More Tools and Techniques – (and the future for us!)

Here are other features that you should look into to protect your network.

  • ARP Inspection – Prevents ARP Spoofing and MITM attacks.
  • Storm-Control – Sets a level of a allowed Multicast and Broadcast traffic and shutdown a port of the limit is exceeded.
  • 802.1x – The holy grail of network security and NAC (Network Access Control). When enabled, all devices on your network must authenticate with a NAC device (Packetfence, Radius, NPS or any other flavor) before being granted access to the network. All devices must go through a guest VLAN for authentication and if successful, the port is switched into your internal VLAN. It was previously used for our event and it’s something we are looking into bringing back.
  • Private VLAN – Allows to further restrict traffic between VLANs by using secondary tags between ports.
  • IP Source Guard – Allows matching of IP per port. This means that another user cannot impersonate another IP while connected to another port.

Monitoring @ Lan ETS

Monitoring at an event of our scale is a critical part of our design process. The different monitoring services are our eyes and ears and allow us to quickly understand the state of our network. Since our event is over a very short period of time, our goal is to have a smooth experience for the player, from the moment he plugs his computer into our network. There is no worst feeling than looking at a row of players getting off their seats and being unsure of it’s a network issue!

Here is a brief overview of the different services we use to monitor our network.


A open source fork of Observium, it’s designed as a plug and play monitoring platform. You simply point it to a SNMP aware device and it will do it’s best to associate common OIDS and MIBS to “automagically” monitor the target. It then polls the OIDS every 5 minutes and updates the corresponding RRD files. It is also possible to export the data into a more modern timeseries database named InfluxDB. This allows us to access the data in a more flexible way using other services that are not compatible with the RRD format.

That said, it’s not a perfect platform. Since it’s designed around auto discovering devices, it can only detect whatever OIDS the developers configured for each platform. This means that if you are running very recent gear or equipment from obscure manufacturers, you might be missing a lot of information from the auto discovery process. There is currently no easy way to add extra OIDS to your installation.

Another issue is the polling interval as the tool was initially built around a 5 minutes window. This is acceptable in most environments but for our event, we need something that gives us almost real-time data on the state of the network. This is why we used Shinken to provide the actual Up/Down status. We rely on LibreNMS for graph and performance data.


Shinken is built as a Nagios drop-in replacement. We use it with a very short polling rate of 10 seconds with ICMP checks. We monitor only our switches, routers and servers. With around 100 or so pieces of equipment, it does tax our server resources, but it allows us for near real-time awareness of the state of our network. Within 10 seconds, we can know if a player kicked the power cord from a switch and if any other equipment is unreachable.


Nagvis was initially built as a mapping tool for Nagios. But it supports a wide variety of different back-ends as ways to fetch data. We use it in conjunction with the “Livestatus” module for Shinken. We upload a map of the venue with all of our equipment displayed. This allows us to quickly know if everything is up and running and at the same time, react if anything turns red.


Oxidized is a modern replacement for Rancid. It’s a network equipment configuration backup tool. It logs into a piece of equipment using credentials you provided and runs any commands you want. In the case of Cisco based gear, a “enable” followed by a “show run”. It then stores the results in a git based structure and provides a web interface to compare different backups. It allows us to backup our configurations throughout our design process. We usually don’t run it during our event as we do not change (hopefully…) any configurations during the weekend.


We have just recently started using Grafana as a visualization tool for our performance data. It uses a InfluxDB data-source to display data in a much more friendly and dynamic way than the RRD format. It’s an excellent tool to display interface stats and traffic.


Splunk is our log aggregation tool. We use it as a central collection point for network equipment and server logs. We use it to create dashboards to highlight important events such as port-security events or unauthorized login attempts against our network. By default, most equipment logging can be very verbose and it’s important to properly filter events to pinpoint what is important.


Raspberry Pi 2 – NTP server | Stratum 1

Well, it’s done! I have a small RP2 acting as a Stratum 1 NTP Server using a GPS module with the GPIO input.

It’s been added the canadian cluster of NTP servers and has begun answering queries. The process was relatively simple with a few things to keep in mind :

  • The default repository do not hold a recent image of the NTPD image. You are better off downloading and compiling the archive yourselves.
  • Here is the GPS module for the Raspberry Pi A+/B+/2 : Link
  • If you have an older Raspberry Pi : Link
  • You might need an antenna to lock on to the GPS signal. Especially true if you are indoors. Depending if a GPS repeater is present, it might be impossible to get a lock anywhere else than the top floor of a building or a room with windows.
  • I made the mistake of ordering the old style of GPS module for the RP2. It does fit, but it’s a bit awkward and I need to get a GPIO riser so that the antenna isn’t hitting the USB/Ethernet connectors. For now, the GPS module is just not fully connected to the GPIO board. There might be 3 centimeters of the connectors exposed. Everything seems to be working fine but doesn’t look very clean.

Here is a small taste of what kind of devices seem to be hitting my server :

tcpdump_ntp (

That’s a lot of cable modem/CPE devices. I wonder why ISP are not using internal servers. Seems like time is something you would want full control over.



Centos 6.5 – Monitoring Bind9 with Bindgraph.

Bindgraph is a program based on Mailgraph and offers the same basic features. It reads the dns_queries.log file and creates a .rrd file listing the number of queries per record type (A, AAA, CNAME, PTR and a few others). It then generates a graph, takes a screenshot and creates a nice HTML page with a .cgi script.

It provides quick overview of your dns traffic. Though, it is limited to the number and type of queries and does not handle where they come from.

Day View

2014-10-12 18_05_00-DNS Statistics for

Month View

2014-10-12 18_05_50-DNS Statistics for


1) Launching the daemon :



Cisco – ASA 5510 – Basic SNMP (V2 and V3) configuration.

SNMP V2 : 

 SNMP V3 : 

Troubleshooting SNMP : 



CentOS 6.5 – Create a Certificate Authority

yum install easy-rsa
Default Directory : /usr/share/easy-rsa/2.0/



CentOS 6.5 – Private key authentication for ssh

SSH is secure! I don’t need anything else!

Well, you are not exactly wrong. But security is not something that should be taken lightly.

I’ve recently acquired a Linode host and I was stunned by the number of unauthorized login attempts. About 99% of those attempts were probably automated scripts crawling the Internet for anything responding to queries on port 22. I believe that a huge part of modern “hacking” is entirely automated which reinforces the perspective that security is a 24/7 concern.

Since SSH is your main entry point to control your machine, it’s especially critical that it’s well protected. Private/public key authentication allows you to login into your machine without providing a password.

Here is a very basic overview.

You first create a key pair : Private and Public key. The private key allows you to apply your “signature” to content. The only way to verify that signature is to have your Public key. You then transfer that public key file unto your server. When you try to connect to the server using your Private key, the server will try to match the unique signature using the Public key you had previously transferred. That entire operation completely removes the need to transfer a password. It’s almost much more complex to brute-force.

That said, it’s up to you to protect your private key. I recommend adding a passphrare during the key generation. Without that extra step, both the public and private key would both be written in clear-text.

China is knocking…

Jun 16 02:12:30 li362-86 sshd[2234]: Failed password for root from port 32848 ssh2 Jun 16 02:12:31 li362-86 sshd[2232]: Failed password for root from port 29883 ssh2 Jun 16 02:12:32 li362-86 sshd[2234]: Failed password for root from port 32848 ssh2 Jun 16 02:12:34 li362-86 sshd[2232]: Failed password for root from port 29883 ssh2 Jun 16 02:12:34 li362-86 sshd[2234]: Failed password for root from port 32848 ssh2 Jun 16 02:12:36 li362-86 sshd[2232]: Failed password for root from port 29883 ssh2

Prerequisites : This guide was performed on a CentOS 6.5 machine with almost no extra packages. Most, if not all commands, should be the same on Debian based OS. That said, be aware that you will have to substitute your own folder and files path. Any variable you need to replace with your own will be marked with the “$” sign.

Folder has to be owned by the appropriate user attempting to log in.