Monthly Archives: March 2015

Solarwinds TFTP Server and Windows 7

Every network engineer needs a TFTP server utility on their laptop to manage firmware upgrades and configuration files. I’ve been using the free Solarwinds TFTP server for years, and it has worked great!! Highly recommended.

Recently, I just got a new laptop at work, an awesome Dell Precision with a fast SSD drive and 32 Gigs of RAM. The system just SCREAMS, and you should see how good VMware Workstation runs….I can have a bunch of Linux systems all running at the same time!! Anyway, after installing the TFTP server, it would not work. First time I have ever had a problem. I checked both McAfee and Windows Firewall, and they were not the problem. So…what to do?

I accessed one of my CentOS Linux systems running within VMware, and had it do an NMAP scan on UDP port 69, which is what TFTP runs on by default…

NMAP results

Say what?? This shows port 69 is already in use (OPEN), and this is before I started up the TFTP server. Hmmmm. So I opened up a DOS prompt (with Admin privileges) and ran “netstat -anb” to see what was already using UDP port 69…

Running "netstat -anb"

Interesting…Solarwinds was already up and running…it must have installed itself as a service, and started up automatically upon system boot. But, it must not be binding properly or it would be working.

My fix:  I don’t want TFTP running all the time anyway, so I went into Windows Services and stopped the TFTP process, and reconfigured it as just a manual startup. Now, when I want to run TFTP, I just go to the Programs menu and run it from there. Plus, it is binding correctly now and works just fine.

An interesting problem which only took a few minutes to solve…but it’s these kinds of things that add an enjoyable “spice” to the day!

A Day of Mourning…Missing My C6509-V-E

A while back, my company outsourced our Data Center to a third party hosting firm. For the most part, it has worked out well, and from a business point of view, it made lots of sense. From a personal point of view, however….well, it did hurt a bit. I mean, if you are a Sr. Network Engineer, without a Data Center, are you really still a Sr. Network Engineer?

Oh well, it is what it is. After the move, our Data Center was rather empty, except for our core 6509 switch. It was still in place, feeding a bunch of access layer switches and a few remaining servers. Until last night that is. My coworker and I had the sad duty of powering down the switch, removing it from the rack, and replacing it with two Cisco 3650-48 switches. (If you know what the annual SmartNET maintenance is on a 6509 switch, then you know the ROI on replacing it with these 3650’s is a huge no-brainer!!)

Everything went very smoothly, the new switches are in place, and the 6509 is sitting on a cart waiting to be sold. I sure wish I could afford it…it would look GREAT in my lab at home. Of course, my electrical bill would be sky-high, not to mention trying to keep the room cooled.

Before...

And after...

But…to be very honest…I’m going to miss my 6509. There is nothing like a big chassis class switch to brighten one’s day. I know it did for me.

Cisco and NGE (Next Generation Encryption)

Do you still use DES and 3DES for all your VPN and IPsec needs? I sure hope not. Do you wonder what the current and future trends are for encryption? I sure do…inquiring minds want to know, right??!! Well, good news…you don’t have to do all of that worrying….Cisco has done it for you. (And I bet they pay a lot of engineers some VERY good money to work all this out.)

Take a look at this short webpage at Cisco detailing out the current state of encryption protocols. Review your encryption configs, and if you are using any noted as Legacy or Avoid, make plans now to step up to the more secure protocols. Yes, this will take some time and effort to change, but you need to do this soon. If your company is publicly traded or in the medical arena, hopefully past audits have already flagged these issues.

One other thing to note…if you do find yourself needing to make use of better encryption protocols, make sure your existing hardware has the horsepower needed to run some of these more complex algorithms. You may find that you need to upgrade hardware too.
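One way to carry out the config review suggested above, as an added example that is not part of the original post: a small audit of Cisco IOS crypto configuration text for DES, 3DES and small Diffie-Hellman groups. The sample config is constructed, the function names are hypothetical, and the Legacy/Avoid labels are an assumption to confirm against the Cisco page.

```python
import re

# Assumption: statuses follow Cisco's NGE guidance as recalled here;
# confirm each one against the Cisco page before acting on a finding.
RULES = [
    (re.compile(r"^\s*encr(?:yption)?\s+des\b"), "DES (IKE)", "Avoid"),
    (re.compile(r"^\s*encr(?:yption)?\s+3des\b"), "3DES (IKE)", "Legacy"),
    (re.compile(r"\besp-des\b"), "DES (ESP)", "Avoid"),
    (re.compile(r"\besp-3des\b"), "3DES (ESP)", "Legacy"),
    (re.compile(r"^\s*group\s+1\b"), "DH group 1 (768-bit)", "Avoid"),
    (re.compile(r"^\s*group\s+2\b"), "DH group 2 (1024-bit)", "Avoid"),
]

# Constructed sample config, not taken from any real device.
SAMPLE = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha256
 group 14
crypto ipsec transform-set OLD-TS esp-des esp-sha-hmac
crypto ipsec transform-set NEW-TS esp-aes 256 esp-sha256-hmac
"""

def audit(config_text):
    """Return (line_no, enclosing_section, algorithm, status) per weak setting."""
    findings, section = [], ""
    for no, line in enumerate(config_text.splitlines(), 1):
        # An unindented line starts a new top-level section in IOS config.
        if line and not line[0].isspace():
            section = line.strip()
        for pattern, algo, status in RULES:
            if pattern.search(line):
                findings.append((no, section, algo, status))
    return findings

if __name__ == "__main__":
    for no, section, algo, status in audit(SAMPLE):
        print(f"line {no}: {algo} is {status} (in '{section}')")
```
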

Network Security – Sometimes it’s Really Obvious!

Since network security is one of the hats that I wear, I get various security alerts throughout the day…from my firewall or IDS (Intrusion Detection System). Most of the time they are nothing to worry about, and I quickly figure out what happened. Sometimes, though, I end up spending a lot of time trying to figure out if the alert was serious…is something bad happening on MY network?

But then, sometimes it’s just comical….like, “Hello, I’m a newbie hacker, please let me in”. Take a look at this…

Like duh….textbook portscan example (sterilized for public consumption)

As you can see, this portscan is stepping through my public IP address range, hitting three different destination ports…80 (http), 8080 (http alternative port), and 1080 (typically used for proxy services). And this is just a snippet…there was a total of 147 packets in less than 10 seconds. The source IP address (192.0.17.168) is from a parent block owned by an entity in China, but is sub-delegated to a hosting facility located in Los Angeles. Go figure. There really is no way to know who is doing this…probably some 11 year old kid in Beverly Hills.

But I did get a laugh out of this. Hope you did too.
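The pattern described above (one source walking an address range on a few fixed ports within seconds) can be flagged mechanically. This is an added example, not part of the original post: the log format, function names and thresholds are assumptions, and the sample lines are constructed, using the source address quoted above and the 203.0.113.0/24 documentation range as destinations.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")  # assumed "time src -> dst:port"

def build_sample():
    """Constructed log: one sweeping source plus one ordinary web client."""
    t0 = datetime(2015, 3, 1, 12, 0, 0)
    lines, n = [], 0
    for host in range(1, 13):            # 12 destination addresses
        for port in (80, 8080, 1080):    # the three ports named in the post
            ts = (t0 + timedelta(milliseconds=60 * n)).isoformat(timespec="milliseconds")
            lines.append(f"{ts} 192.0.17.168 -> 203.0.113.{host}:{port}")
            n += 1
    for i in range(20):                  # benign: many hits on a single server
        ts = (t0 + timedelta(milliseconds=300 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 198.51.100.7 -> 203.0.113.5:80")
    return lines

def detect_sweeps(lines, window=timedelta(seconds=10), min_hosts=10):
    """Return {src: (distinct_hosts, sorted_ports)} for every source that hit
    at least min_hosts distinct destinations inside one sliding window."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:                            # lines that do not parse are skipped
            ts, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    events.sort()
    recent = defaultdict(deque)          # src -> events still inside the window
    flagged = {}
    for ts, src, dst, port in events:
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        hosts = {d for _, d, _ in q}
        if len(hosts) >= min_hosts and len(hosts) >= flagged.get(src, (0, []))[0]:
            flagged[src] = (len(hosts), sorted({p for _, _, p in q}))
    return flagged

if __name__ == "__main__":
    for src, (hosts, ports) in detect_sweeps(build_sample()).items():
        print(f"{src}: {hosts} hosts probed on ports {ports}")
```

Counting distinct destinations rather than raw packets keeps a busy but legitimate client, like the second source in the sample, from being flagged.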

Don’t Forget to Clear the Router Reload

So, I had to make some changes on the router at our DR (Disaster Recovery) site, located in another state. As I posted about before, setting a “reload in” command can save your bacon if you make a configuration mistake and get locked out of the router. So I did. And then I made all the changes, tested everything, and saved the config. Job well done. I logged off and started working on something else, but I had this nagging feeling…did I forget something? No…I don’t think so. Then it hit me…the router was going to RELOAD shortly, if it hasn’t already.

I quickly logged back into the router (it was still up), and I got this upon login…

Just in the nick of time

Whew…I still had 7 minutes before the reload would have kicked in. As you can see, I cleared the reload, and breathed a sigh of relief.

What did I learn from this? Geez…I don’t know…that I’m getting old? Yep…I guess I am.

Outside Plant Cable Replacement Project – Part 2

Here is the followup to my post on Friday concerning the 100 pair feeder cable replacement. Things went very smoothly, for the most part. There were some issues, but we handled them as they came up, and we finished the project by 3 PM Saturday afternoon.

My main area of concern was removing the old 100 pair cable and getting the new 50 pair cable successfully installed. Most of the conduit is 4″, but there is one 400 foot section that is only 2.5″. With both the 100 pair and fiber installed, there is no way we can get the 50 pair installed first. We needed to remove the 100 pair to make room, which means cutting the 100 pair, and that means no going back.

So we did get the new cable installed from the main building through the first two conduits (all 4″), prior to making any cuts on the old cable. Here is a picture of a pullbox mounted on the side of the main building…note the yellow pull rope already installed. That was nice of the previous vendor many years ago. However, we used the pull rope to install mule tape, which I like better…it doesn’t stretch, plus it is more resistant to creating heat which could burn through any existing cable, such as the fiber Internet circuit (that would not be a good thing at all).

100 pair cable and yellow pull rope

The next section was the 2.5″ conduit….we then cut the 100 pair cable on both ends of the conduit, and pulled it out (and used it to pull in a heavy duty mule tape). We then pulled in the new cable with no issues. There was just one section of 4″ conduit left to go, which went quickly. We ended up getting the entire cable installed Friday evening. Here is a picture of the spool of new cable, and one of the vaults along the path…

Cable spool and vault

Here is a closeup of the spool hanger, which makes everything MUCH easier…

Spool hanger up close

Saturday was termination and testing, which my vendor completed around 1 PM. I then had to move any phone lines that had been terminated on pairs 51 – 100 of the old cable, since they no longer existed. After that, I then tested every single line and the PRI circuit, and verified proper operation. No issues were encountered. I’ll return on Monday to complete my documentation and a bit of remaining cleanup.

And yes, I am breathing a good bit better today…

Outside Plant Cable Replacement Project – Part 1

Yes, I’m back. Sorry for the long absence…I’ve been swamped with a variety of life events, some good and some not so good. Yet in all things, to God be the Glory.

So, what is outside plant (OSP) cable? Well, it’s cable designed to be outside (or perhaps underground), exposed to the weather. The copper or fiber strands are surrounded by a very thick and hard plastic covering, and certain types of OSP cable contain a jelly filling, which would ooze outwards in the event of a tiny hole and not allow water in. Very cool.

At one of my remote sites, we have a 100 pair copper cable that feeds both data and voice services to another building about 1500 feet away. This cable was installed many years ago, and has a number of splice cans along its path. Over the last year, the cable has deteriorated substantially, and keeping the many analog lines up and running is almost impossible. (This site is still a large user of faxes and modems.)

Here is one of several pull boxes located along the path…note the conditions of the vault and the splice can located on the right side…

Wet and muddy pullbox

So I hired a vendor to remove the entire 100 pair cable, and install a new 50 pair cable in one long continuous feed, no splice cans at all. The vendor is also going to clean out all of the vaults and layer in some gravel to aid in drainage. We start at 3 PM this afternoon, working until sunset, and will return tomorrow morning. We hope to have the whole project completed by Saturday afternoon.

Some of you might be wondering why I’m going with a smaller, 50 pair cable, and not another 100 pair. Well, the 100 pair cable was installed way back when every desk phone required its own pair of copper. Back then, all of the phones were fed through this 100 pair cable. Plus we had multiple T1 circuits for data needs too. Now, though, our phone system is Cisco VoIP, which is handled via the data network and a single PRI circuit, plus the data T1’s have been replaced by a separate fiber network, so the need for 100 pairs is not there, and will never be there. A 50 pair cable is smaller, cheaper and easier to pull, and it will give us plenty of spare pairs if our needs grow.

I will take pictures of the process and will let you know how it goes in a couple of days. Have a great weekend!!