Tuesday, July 13, 2010

Blogs for Network Geeks


Vendor Blogs, Feeds, and Tweets for Network Geeks

This is a list of vendors who service the networking industry in areas of wireless, routing, switching, VoIP, security, or management.

Saturday, June 12, 2010

Securing Debian Configuration checklist



  • Limit physical access and booting capabilities
    • Enable BIOS password
    • Disable floppy booting
    • Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/menu.lst,
      respectively); check that the LILO or GRUB configuration file is
      read-protected.
    • Disallow the MBR floppy booting back door by overwriting the MBR (maybe not?)

  • Partitioning
    • Separate user-writable data, non-system data, and rapidly changing run-time
      data to their own partitions
    • Set nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions
      such as /tmp

  • Password hygiene and login security
    • Set a good root password
    • Enable password shadowing and MD5
    • Install and use PAM
      • Add MD5 support to PAM and make sure that (generally speaking) entries in
        /etc/pam.d/ files which grant access to the machine have the second field
        in the pam.d file set to "requisite" or "required".
      • Tweak /etc/pam.d/login so as to only permit local root logins.
      • Also mark authorized ttys in /etc/security/access.conf and generally set
        up this file to limit root logins as much as possible.
      • Add pam_limits.so if you want to set per-user limits
      • Tweak /etc/pam.d/passwd: set the minimum password length higher (6
        characters maybe) and enable MD5
      • Add group wheel to /etc/group if desired; add a pam_wheel.so group=wheel
        entry to /etc/pam.d/su
      • For custom per-user controls, use pam_listfile.so entries where appropriate
      • Have an /etc/pam.d/other file and set it up with tight security
    • Set up limits in /etc/security/limits.conf (note that /etc/limits is not
      used if you are using PAM)
    • Tighten up /etc/login.defs; also, if you enabled MD5 and/or PAM, make sure
      you make the corresponding changes here, too
    • Disable root ftp access in /etc/ftpusers
    • Disable network root login; use su(1) or sudo(1) (consider installing sudo).
    • Use PAM to enforce additional constraints on logins?

  • Other local security issues
    • Kernel tweaks
    • Kernel patches
    • Tighten up logfile permissions (/var/log/{last,fail}log, Apache logs)
    • Verify that setuid checking is enabled in /etc/checksecurity.conf
    • Consider making some log files append-only and configuration files immutable
      using chattr (ext2 filesystems only)
    • Set up file integrity checking; install debsums
    • Consider replacing locate with slocate
    • Log everything to a local printer?
    • Burn your configuration on a bootable CD and boot off that?
    • Disable kernel modules?

  • Limit network access
    • Install and configure ssh (suggest PermitRootLogin No in /etc/ssh,
      PermitEmptyPasswords No; note other suggestions in the text also)
    • Consider disabling or removing in.telnetd
    • Generally, disable gratuitous services in /etc/inetd.conf using
      update-inetd --disable (or disable inetd altogether, or use a replacement
      such as xinetd or rlinetd)
    • Disable other gratuitous network services; mail, ftp, DNS, www etc. should
      not be running if you do not need them; monitor the ones you keep regularly.
    • For those services which you do need, do not just use the most common
      programs; look for more secure versions shipped with Debian (or from other
      sources). Whatever you end up running, make sure you understand the risks.
    • Set up chroot jails for outside users and daemons.
    • Configure firewall and tcpwrappers (i.e. hosts_access(5)); note the trick
      for /etc/hosts.deny in the text
    • If you run ftp, set up your ftpd server to always run chrooted to the user's
      home directory
    • If you run X, disable xhost authentication and go with ssh instead; better
      yet, disable remote X if you can (add -nolisten tcp to the X command line
      and turn off XDMCP in /etc/X11/xdm/xdm-config by setting requestPort to 0)
    • Disable outside access to printers
    • Tunnel any IMAP or POP sessions through SSL or ssh; install stunnel if you
      want to provide this service to remote mail users
    • Set up a loghost and configure other machines to send logs to this host
      (/etc/syslog.conf)
    • Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run
      as a non-root pseudo-user)
    • Install snort or a similar logging tool.
    • Do without NIS and RPC if you can (disable portmap).

  • Policy issues
    • Educate users about the whys and hows of your policies. When you have
      prohibited something which is regularly available on other systems, provide
      documentation which explains how to accomplish similar results using other,
      more secure means.
    • Prohibit use of protocols which use cleartext passwords (telnet, rsh and
      friends; ftp, imap, http, ...).
    • Prohibit programs which use SVGAlib.
    • Use disk quotas.

  • Keep informed about security issues
    • Subscribe to security mailing lists
    • Subscribe to security updates -- add to /etc/apt/sources.list an entry (or
      entries) for http://security.debian.org/debian-security
    • Also remember to periodically run apt-get update ; apt-get upgrade (perhaps
      install as a cron job?).
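As an added example (not part of the original checklist), a small Python 3 script that spot-checks a few of the items above from file contents: the nosuid,noexec,nodev options on /tmp in /etc/fstab, PermitRootLogin and PermitEmptyPasswords in sshd_config, and PASS_MIN_LEN and MD5_CRYPT_ENAB in /etc/login.defs. The sample files are constructed, each with one weakness; the function names are my own.

```python
"""Spot-check a few checklist items against config file contents.

Added example, not part of the original checklist. Every function takes the
file text as a string, so it runs offline on the constructed samples below and
can also be pointed at real /etc/fstab, /etc/ssh/sshd_config and /etc/login.defs
by reading those files first.
"""
import re

# Mount options the checklist wants on user-writable partitions such as /tmp.
WANTED_TMP_OPTS = {"nosuid", "noexec", "nodev"}

# Constructed sample files (not from any real host); each has one weakness.
SAMPLE_FSTAB = """\
/dev/sda1  /      ext2  defaults,errors=remount-ro  0 1
/dev/sda2  /tmp   ext2  defaults,nosuid,nodev       0 2
/dev/sda3  /home  ext2  defaults,nosuid,nodev       0 2
proc       /proc  proc  defaults                    0 0
"""
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
# PermitRootLogin no   <- commented out, so it has no effect
PermitEmptyPasswords no
"""
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
MD5_CRYPT_ENAB  no
"""


def fstab_mount_options(fstab_text, mountpoint):
    """Option set for a mountpoint in fstab-formatted text, or None if absent."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def missing_tmp_options(fstab_text, mountpoint="/tmp"):
    """Which of nosuid,noexec,nodev the mountpoint lacks. No entry at all means
    /tmp lives on the root filesystem, so all three are reported."""
    opts = fstab_mount_options(fstab_text, mountpoint)
    if opts is None:
        return sorted(WANTED_TMP_OPTS)
    return sorted(WANTED_TMP_OPTS - opts)


def sshd_effective(sshd_text, keyword):
    """Value sshd would use for a keyword: the first occurrence wins, keywords
    are case-insensitive and '#' starts a comment. Match blocks are ignored."""
    for line in sshd_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def login_defs_value(text, key):
    """Value of a login.defs key (first occurrence), or None if unset."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == key:
            return fields[1]
    return None


def audit(fstab_text, sshd_text, login_defs_text):
    """Findings, as human-readable strings, for the checklist items covered here."""
    findings = []
    missing = missing_tmp_options(fstab_text)
    if missing:
        findings.append("/tmp lacks mount option(s): " + ",".join(missing))
    root = sshd_effective(sshd_text, "PermitRootLogin")
    if root is None or root.lower() != "no":
        findings.append("PermitRootLogin is %s, checklist wants no"
                        % (root or "unset (default depends on the OpenSSH release)"))
    empty = sshd_effective(sshd_text, "PermitEmptyPasswords")
    if empty is not None and empty.lower() != "no":
        findings.append("PermitEmptyPasswords is %s, checklist wants no" % empty)
    min_len = login_defs_value(login_defs_text, "PASS_MIN_LEN")
    if min_len is None or int(min_len) < 6:
        findings.append("login.defs PASS_MIN_LEN is %s, checklist suggests at least 6" % min_len)
    md5 = login_defs_value(login_defs_text, "MD5_CRYPT_ENAB")
    if (md5 or "no").lower() != "yes":
        findings.append("login.defs MD5_CRYPT_ENAB is %s, checklist wants MD5 enabled"
                        % (md5 or "unset"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FSTAB, SAMPLE_SSHD, SAMPLE_LOGIN_DEFS):
        print("FINDING:", finding)
```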




Sunday, May 23, 2010

Layer by Layer Troubleshooting with a Cisco Router

Every network admin is going to have trouble with network links on a Cisco router, at one point or another. The best way to troubleshoot any networking issues is to use the OSI model and go layer by layer. In my article How to use the OSI Model to Troubleshoot Networks, we talked about the different troubleshooting approaches and how to use them to troubleshoot your network, in general. In this article, you will find out how to use the OSI model to troubleshoot, bottom up, using a Cisco router.


OSI Model - Bottom Up Troubleshooting


If you will recall, the OSI model starts with the physical layer (layer 1) and goes up to layer 7 (application). When troubleshooting with a Cisco router, much of your time will be spent working in layers 1-3. They are:



  • Layer 3 - Network

  • Layer 2 - Data Link

  • Layer 1 - Physical


Because these layers build on each other, layer 1 is the most critical: without layer 1, layer 2 will not function; without layers 1 and 2, layer 3 will not function, and so on. For this reason, I start troubleshooting at layer 1, physical, and move on up from there.


Router Troubleshooting at OSI Layer 1 & 2 - Physical & Data link


Remember, if layer 1 isn't up, nothing else will work, so make sure you start here. Examples of layer 1 are your T1 circuit or your Ethernet cable: physical connectivity. I usually troubleshoot layer 1 and layer 2 in unison because they are so closely paired. Examples of layer 2, data link, are your line protocol (such as Ethernet, ATM, 802.11, PPP, Frame Relay, or HDLC).


To troubleshoot at these layers, the first thing I would do on your router is a show interface. Here is an example of a LAN Gigabit Ethernet circuit:


Router# show interface
GigabitEthernet0/0 is up, line protocol is up
Hardware is BCM1125 Internal MAC, address is 0015.2b46.5000 (bia 0015.2b46.5000)
Description: LAN Connection to Data center
Internet address is 10.20.100.1/16
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is autonegotiation, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 750000 kilobits/sec
5 minute input rate 3218000 bits/sec, 1715 packets/sec
5 minute output rate 1390000 bits/sec, 2129 packets/sec
1416888620 packets input, 15402720 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1556005 multicast, 0 pause input
0 input packets with dribble condition detected
1666663097 packets output, 573841802 bytes, 0 underruns
19 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
19 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

Here is what a WAN T1 or T3 circuit might look like:


Router# show interface serial 3/0
Serial3/0 is up, line protocol is up
Hardware is DSXPNM Serial
Description: Sprint T3
Internet address is 10.2.100.2/30
MTU 4470 bytes, BW 9000 Kbit, DLY 200 usec,
reliability 255/255, txload 77/255, rxload 26/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 18394
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 927000 bits/sec, 1914 packets/sec
5 minute output rate 2752000 bits/sec, 1504 packets/sec
1560997932 packets input, 3254680247 bytes, 0 no buffer
Received 255480 broadcasts, 1 runts, 1 giants, 0 throttles
1567 input errors, 1567 CRC, 976 frame, 496 overrun, 0 ignored, 908 abort
1303636803 packets output, 3737276508 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions
DSU mode 1, bandwidth 9000, real bandwidth 9000, scramble 0

Here is the quick version:


Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.20.100.1 YES NVRAM up up
Serial3/0 10.2.100.2 YES NVRAM up up

Here is what you look for:



  • Is the interface UP?

  • Is the line protocol UP?

  • If the interface and line protocol are not both up, your connection is never going to work.

  • To resolve an interface that is down, I look at the cable or the keepalives

  • To resolve a line protocol that is down, check that the protocols match on each side of the connection (notice the "line protocol" on each of the interfaces above).

  • Are you taking input, CRC, framing, or other errors on the line (notice how the serial interface above does show errors)? If so, check your cable or contact your provider.


In general, verify that you have a good cable on each side, verify that line protocols match, and that clocking settings are correct.
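An added example, not from the original article: a Python 3 parser for the 'show interface' block that applies the checks in the list above (interface up? line protocol up? errors on the line?) and reports which layer to work on next. SERIAL_SAMPLE is a trimmed copy of the Serial3/0 output shown earlier; the function names are my own.

```python
"""Parse one 'show interface' block and decide which layer to work on.

Added example, not from the original article. SERIAL_SAMPLE is a trimmed copy
of the Serial3/0 output shown in the article; the checks follow its list
(interface up? line protocol up? errors on the line?).
"""
import re

SERIAL_SAMPLE = """\
Serial3/0 is up, line protocol is up
Hardware is DSXPNM Serial
Description: Sprint T3
Internet address is 10.2.100.2/30
MTU 4470 bytes, BW 9000 Kbit, DLY 200 usec,
reliability 255/255, txload 77/255, rxload 26/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 18394
1567 input errors, 1567 CRC, 976 frame, 496 overrun, 0 ignored, 908 abort
0 output errors, 0 collisions, 3 interface resets
1 carrier transitions
"""

# Counters the article tells you to look at, with the regex that finds each.
COUNTER_PATTERNS = {
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "overrun": r"(\d+) overrun",
    "output_errors": r"(\d+) output errors",
    "output_drops": r"Total output drops: (\d+)",
    "interface_resets": r"(\d+) interface resets",
    "carrier_transitions": r"(\d+) carrier transitions",
}


def parse_show_interface(text):
    """Interface name, status, line protocol, encapsulation and counters from
    one 'show interface' block. Counters not present in the text read as 0."""
    m = re.search(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)",
                  text, re.M)
    if not m:
        raise ValueError("no '<interface> is ..., line protocol is ...' line found")
    info = {"name": m.group(1), "status": m.group(2), "protocol": m.group(3),
            "counters": {}}
    for key, pattern in COUNTER_PATTERNS.items():
        found = re.search(pattern, text)
        info["counters"][key] = int(found.group(1)) if found else 0
    enc = re.search(r"Encapsulation (\S+),", text)
    info["encapsulation"] = enc.group(1) if enc else None
    return info


def next_layer(info):
    """Where the bottom-up method says to start: 'admin' if the interface was
    shut down by config, 'layer1' if it is down, 'layer2' if only the line
    protocol is down, 'layer3' once the interface is up/up."""
    if info["status"] == "administratively down":
        return "admin"
    if info["status"] == "down":
        return "layer1"
    if info["protocol"] == "down":
        return "layer2"
    return "layer3"


def triage(info):
    """Findings in the order the article checks them."""
    c = info["counters"]
    findings = []
    where = next_layer(info)
    if where == "admin":
        findings.append("%s is administratively down: 'no shutdown' it before anything else"
                        % info["name"])
    elif where == "layer1":
        findings.append("%s is down: check the cable, switch link light, or CSU/DSU CD and DTR lights"
                        % info["name"])
    elif where == "layer2":
        findings.append("line protocol down on %s: check encapsulation (%s), keepalives and clocking match the far end"
                        % (info["name"], info["encapsulation"]))
    if c["input_errors"]:
        findings.append("%d input errors (%d CRC, %d frame, %d overrun): check the cable or contact the provider"
                        % (c["input_errors"], c["crc"], c["frame"], c["overrun"]))
    if c["output_drops"]:
        findings.append("%d total output drops: link is congested or a QoS policy is dropping traffic"
                        % c["output_drops"])
    if c["carrier_transitions"] > 1:
        findings.append("%d carrier transitions: the circuit has flapped, check with the provider"
                        % c["carrier_transitions"])
    if where == "layer3" and not findings:
        findings.append("layers 1 and 2 look clean: move on to layer 3 (ping the far end, show ip interface brief)")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SERIAL_SAMPLE)
    print(parsed["name"], parsed["status"], parsed["protocol"], "->", next_layer(parsed))
    for finding in triage(parsed):
        print(" -", finding)
```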


If this is an Ethernet connection, is there a link light on the switch?


If this is a serial connection, do you have an external CSU/DSU? If it is an external CSU, check that the Carrier Detect (CD) light & data terminal ready (DTR) lights are on. If not, contact your provider. This also applies if you have an internal Cisco WIC CSU card. If that is the case, take a look at this Cisco link on understanding the lights on that card.


You can, of course, use the Cisco IOS test commands to test your network interfaces with internal staff and with your telecommunications providers.


Do not proceed to upper level layers until your Physical interface on the router shows as being UP and your line protocol is UP. Until then, don't worry about IP addressing, pinging, access-lists or anything like that.


Router Troubleshooting at OSI Layer 3 - Network


Once you have layers 1 and 2 working (your show interface command shows the line is "UP & UP"), it is time to move on to layer 3, the OSI Network layer. The easiest way to see whether layer 3 is working is to ping the remote side of the LAN or WAN link from this router. Ping as close as possible to the router you are trying to communicate with: from one side of the link across to the other.


Here are examples of successful & failed pings:


Router# ping 10.2.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#
Router#
Router#
Router#
Router# ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

The easiest way to check the status of Layer 3 - the network layer - is to do a show ip interface brief, as I did above. Here is an example:


Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.20.100.1 YES NVRAM up up
Serial3/0 10.2.100.2 YES NVRAM up up

Notice the IP addressing on each of these interfaces. Also do a show running-config; you can even limit it to a single interface, like this:


Router# show running-config int serial3/0
Building configuration...

Current configuration : 225 bytes
!
interface Serial3/0
description Sprint T3
bandwidth 9000
ip address 10.2.100.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
dsu mode 1
dsu bandwidth 9000
no cdp enable
end

Router#

I would recommend taking this interface configuration and comparing it, side by side, with the remote WAN connection to ensure they are the same. Ask yourself questions like:



  • Are these interfaces on the same IP network?

  • Do these interfaces have the same subnet mask?

  • Are there any access-lists (ACL) that are blocking your traffic?

  • Can you remove all optional IP features to make sure that the basic configuration works before adding additional features that could be causing trouble?


Here is an example. Look at the two interfaces below. What is the real problem, causing these two to not communicate?


Router 1


interface Serial3/0
 description Sprint T3 - TO ROUTER 2
 bandwidth 9000
 ip address 10.2.100.2 255.255.255.252


Router 2


interface Serial3/0
 description Sprint T3 - TO ROUTER 1
 bandwidth 1500
 ip address 10.2.100.5 255.255.255.252


No, there is no problem with the bandwidth statement. Bandwidth statements are only used as comments and by routing protocols to select the best route. The real problem is that the second router's serial interface is not on the same IP subnet as router #1. Even though both use the same subnet mask, 10.2.100.5 will never be able to communicate with 10.2.100.2: with a 255.255.255.252 (/30) mask, 10.2.100.2 falls in the 10.2.100.0/30 network and 10.2.100.5 in 10.2.100.4/30, so the two directly connected interfaces are on different networks.
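The same comparison done by parsing the two interface blocks instead of by eye, as an added example that is not from the original article. It uses Python's ipaddress module, works for any mask rather than only /30, and also suggests a usable address for the far end; ROUTER1 and ROUTER2 are the two interface blocks shown above.

```python
"""Compare both ends of a point-to-point WAN link from their interface configs.

Added example, not from the original article. ROUTER1/ROUTER2 are the two
interface blocks from the article; the check works for any mask, not only /30.
"""
import ipaddress
import re

ROUTER1 = """\
interface Serial3/0
 description Sprint T3 - TO ROUTER 2
 bandwidth 9000
 ip address 10.2.100.2 255.255.255.252
"""
ROUTER2 = """\
interface Serial3/0
 description Sprint T3 - TO ROUTER 1
 bandwidth 1500
 ip address 10.2.100.5 255.255.255.252
"""


def parse_interface(config_text):
    """Name, address+mask (as an ipaddress interface object) and bandwidth from
    one IOS interface block."""
    name = re.search(r"^interface (\S+)", config_text, re.M)
    addr = re.search(r"^\s*ip address (\S+) (\S+)", config_text, re.M)
    bw = re.search(r"^\s*bandwidth (\d+)", config_text, re.M)
    if not (name and addr):
        raise ValueError("need an 'interface' line and an 'ip address' line")
    # ipaddress accepts a dotted mask after the slash, so no conversion is needed
    iface = ipaddress.ip_interface("%s/%s" % (addr.group(1), addr.group(2)))
    return {"name": name.group(1), "iface": iface,
            "bandwidth": int(bw.group(1)) if bw else None}


def peer_candidates(config_text):
    """Addresses the far end could use and still share this end's subnet."""
    iface = parse_interface(config_text)["iface"]
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def compare_link(cfg_a, cfg_b):
    """Findings for a point-to-point link. Subnet problems are real problems;
    a bandwidth mismatch is reported but flagged as cosmetic, as the article says."""
    a, b = parse_interface(cfg_a), parse_interface(cfg_b)
    ia, ib = a["iface"], b["iface"]
    findings = []
    if ia.netmask != ib.netmask:
        findings.append("mask mismatch: %s uses %s, %s uses %s"
                        % (ia.ip, ia.netmask, ib.ip, ib.netmask))
    if ia.network != ib.network:
        candidates = peer_candidates(cfg_a)
        hint = candidates[0] if candidates else "no free address"
        findings.append("different subnets: %s is in %s but %s is in %s; "
                        "give the far end an address from %s (e.g. %s)"
                        % (ia.ip, ia.network, ib.ip, ib.network, ia.network, hint))
    elif ia.ip == ib.ip:
        findings.append("duplicate address %s on both ends" % ia.ip)
    if a["bandwidth"] != b["bandwidth"]:
        findings.append("bandwidth differs (%s vs %s): only a routing-protocol metric, "
                        "not a reachability problem" % (a["bandwidth"], b["bandwidth"]))
    return findings


if __name__ == "__main__":
    for finding in compare_link(ROUTER1, ROUTER2):
        print(" -", finding)
```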


Let's say that you are now able to ping across the link, from one side to another. While that is a great sign, it doesn't always mean that everything is "fixed". You still may not be able to communicate from a client on the LAN of one router, to a client on the LAN of another router, due to things like improperly configured IP routing protocols.


For one LAN to communicate with another LAN through routers (usually across a WAN), you MUST have either static routes or dynamic routes configured. To ensure you have a route for the network you are trying to reach, do:


Router# show ip route


and look at


Router# show ip protocols


For troubleshooting layer 3 and up, look at the output of this command:


Router# show ip interface

GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.20.100.1/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP CEF switching is enabled
IP CEF Flow Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Subint Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled

Router Troubleshooting at OSI Layers 4 - 7


Now, let's say that you have made it to the point where you can ping from LAN to LAN, through your WAN. Congratulations, that is a very good sign. If you are still having trouble, it must be in OSI layers 4-7. Here are those layers listed out and possible issues you might experience in each layer:



  • Layer 4 - Transport - in the transport layer are TCP and UDP - you could have an ACL or QoS feature blocking or slowing this traffic. Your TCP traffic could also be fragmented to the point that it could not be reassembled. Another option is that you may not be receiving an ACK back for your traffic that was successfully sent.

  • Layer 5 - Session - in the session layer are protocols like SQL, NFS, SMB, or RPC - you could be taking errors on any one of these session protocols. I would recommend using a protocol analyzer like Wireshark to analyze your session data.

  • Layer 6 - Presentation - in the Presentation layer are data encryption, compression, and formatting - your VPN tunnel could be failing or perhaps you are sending one type of data (like a MPEG) and the receiver is trying to view it as a WMV file.

  • Layer 7 - Application - in the Application layer are, of course, your applications like FTP, HTTP, SCP, TFTP, TELNET, SSH, and more - you could be trying to connect to a telnet server with the SSH protocol, for example.

  • Layer 8 - End User - the standing joke is that "Layer 8" is the user - the user could be just mistyping their username or password or you, the network admin, could have been troubleshooting the wrong IP address all along.


Summary


In summary, using the OSI model to troubleshoot connectivity issues is the fastest and most efficient way to troubleshoot any network issue. Even if someone calls you to work on a Windows share problem, all of the same principles in this article apply to that troubleshooting process. So the next time you work on a network issue, remember the OSI model and how to use the bottom-up approach to troubleshooting! It could save you a whole lot of time!

Monday, May 17, 2010

HOWTO: Setting up QEMU on Ubuntu with TUN/TAP and NAT

Step 1) Compile and setup of Qemu and KQemu
Step 2) Installation of GuestOS [ Windows 98se in this example ]
Step 3) Setup of Tun/Tap network interface on host and guest OS.
Step 4) NAT setup to allow guestOS access to the internet.

*note: KQEMU is the QEMU Accelerator

Brief Description:
QEMU is an open-source emulator that emulates the x86 architecture as well as several others, allowing guest OSes to be installed inside the host OS.
QEMU is available for Linux, Mac, and Windows. We'll be covering the Linux package in this HowTo.
For more information on QEMU visit the project page at http://fabrice.bellard.free.fr/qemu/

What you'll need:
+ QEMU source tarball from http://fabrice.bellard.free.fr/qemu/
+ KQEMU binary tarball from http://fabrice.bellard.free.fr/qemu/
+ linux-headers package
+ IPTables ( should already be installed ) package
+ libsdl1.2-dev package
+ Tun/Tap package
+ uml-utilities package
+ windows98 install cd and valid windows98 serial.
+ GCC-3.4 package

Ok, so this is the first HowTo I've written in quite a long time. First for Ubuntu, and QEMU..


################################################################
[ Step 1 ] - Compilation and Installation of KQEMU and QEMU

Outlined here are the steps taken to compile and set up QEMU and the kernel module KQEMU

A) Download the latest source tarball of QEMU from http://fabrice.bellard.free.fr/qemu/download.html current version is 0.8.1
B) Download the latest binary of KQEMU from http://fabrice.bellard.free.fr/qemu/qemu-accel.html

C) Move the tarballs to your /usr/local/src directory and deflate
#> sudo mv qemu-version.tar.gz /usr/local/src/
#> sudo mv kqemu-version.tar.gz /usr/local/src/

deflate...
#> sudo gunzip qemu-version.tar.gz; sudo tar -xvf qemu-version.tar
#> sudo gunzip kqemu-version.tar.gz; sudo tar -xvf kqemu-version.tar

D) Install linux-headers for your current kernel version.
If you don't know your current kernel version you can do `uname -r` at the shell to find out...

#> sudo apt-get install linux-headers-`uname -r`

E) Install GCC-3.4 [ qemu complains on GCC-4 ] and libsdl1.2-dev

#> sudo apt-get install gcc-3.4 libsdl1.2-dev

locate the installed gcc-3.4 binary using whereis
#> whereis gcc-3.4

it should be located in /usr/bin/; if it is not found at all, the installation failed, so repeat step E.
make a note of its location; you're going to need it in step F

F) Configure and Compile QEMU and KQEMU

change directories to your qemu-source you deflated in step C
#> cd /usr/local/src/qemu-version
#> sudo ./configure --cc=/usr/bin/gcc-3.4 [ remember the location of it from step E? ]

once configuration is completed run make and make install to compile and install... do so as follows

#> sudo make
#> sudo make install

verify that QEMU installed correctly...
#> whereis qemu

change directories to your kqemu-source you deflated in step C, and configure make and make install

#> cd /usr/local/src/kqemu-version
#> sudo ./configure
#> sudo make
#> sudo make install

verify that device node /dev/kqemu exists
if not...execute following commands

#> sudo mknod /dev/kqemu c 250 0
#> sudo chmod 666 /dev/kqemu

Activate the KQEMU module
#> sudo modprobe kqemu
Verify that it loaded properly
#> lsmod | grep kqemu
If it failed to show up, issue dmesg | tail to see what the error was
#> dmesg | tail
Anyway... continuing...

[ Step 1 Completed ]
################################################################


[ Step 2 ] Installing Guest OS
*notes: you can use either the actual install CD or an ISO made from the original install disk; I used an ISO.
you can also use the dd command with the seek option to create your hard disk image file, in place of qemu-img create
for convenience we're going to use the qemu-img binary installed with QEMU

*help: Run qemu/qemu-img without any arguments to view its help

A) Create the Hard Drive Image File to use as HDA
choose the directory you wish to store your disk images you can use mkdir to create a new one. I use ~/qemu
#> cd ~/qemu
A brief rundown of what we're executing here....
qemu-img create [filename] [-f format( raw, vvfat, cloop,... )] [size G(gigs), M(megs) ]
#> qemu-img create win98.img -f raw 2G
Ok, we've created the 2G image file to install windows98se into....now we load QEMU to boot from the cdrom/iso file specified to start installation

#> qemu -hda win98.img -cdrom /dev/cdrom -boot d -localtime -net nic -net tap
Now QEMU should boot from CD, just follow the steps to complete the installation...

Once installation has completed now we can move onto Step 3
[ Step 2 Complete ]
################################################################

[ Step 3 ] Setting up TUN/TAP network interface on HostOS and GuestOS

A) Install uml-utilities via apt
#> sudo apt-get install uml-utilities
B) Load kernel module tun
#> sudo modprobe tun
C) Create the /dev/net/tun device node (needs root, hence sudo)
#> sudo mkdir /dev/net
#> sudo mknod /dev/net/tun c 10 200
D) Setup the tap0 interface, with an ip address i use 192.168.100.1 for this.
Create the tap0 interface using tunctl
#> sudo tunctl

Give it an IP-Address
#> sudo ifconfig tap0 192.168.100.1 up
Make sure it was configured properly...
#> ifconfig

You should see tap0 with an inet addr: 192.168.100.1 and a Mask: 255.255.255.0
If there is no mask set (sometimes this happens; I don't know why, but it has happened), do this
#> sudo ifconfig tap0 192.168.100.1 netmask 255.255.255.0 up


Ok, we're done with the HOST side of this

E) Setting up the GuestOS's network configuration

If you don't have QEMU booted into windows already then do so by this command...
#> qemu -hda win98.img -boot c -net nic -net tap &

Once windows has loaded goto your Control panel and open Network Settings
At the configuration tab Select TCP/IP and click properties

In the Properties window
- Select the IP Address Tab
select specify an IP address
enter 192.168.100.2 as your ip address
enter 255.255.255.0 as your subnet mask
- Select the Gateway Tab
add a new gateway as 192.168.100.1
- Select Ok
Select Ok
Now you will be prompted for a restart. Restart, and you should be able to ping the guest OS from the host OS

F) Testing the network connection
from a terminal
#> ping 192.168.100.2 -c 4
You should reach 192.168.100.2 if not, verify you followed every step.

Make sure you can Ping the Host from the guest

on Windows, from a DOS prompt
#> ping 192.168.100.1 -n 4
You should reach 192.168.100.1 if not, verify you followed every step correctly.

[ Step 3 Complete ]
################################################################

[ Step 4 ] Setting up NAT to allow GuestOS access to the internet
*note: I'm going to go ahead and assume you have iptables already installed.

A) Load Required Kernel Modules
#> sudo modprobe ip_tables
#> sudo modprobe iptable_nat
#> sudo modprobe ip_nat_ftp
#> sudo modprobe ip_nat_irc

B) Enable IP-Forwarding
as root run
#> echo "1" > /proc/sys/net/ipv4/ip_forward

If you get your IP Address Dynamically e.g. PPP0 (Dial-up)
as root run
#> echo "1" > /proc/sys/net/ipv4/ip_dynaddr

Enable SNAT (MASQUERADE) functionality on eth0/ppp0
*note: replace eth0 with ppp0 for dialup

#> sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

C) Setup DNS on guestOS
*note: this is for windows98se, methods aren't listed for other OS's

You can retrieve your DNS server IPs from your /etc/resolv.conf file once connected to the internet.

#> sudo cat /etc/resolv.conf

In windows, goto control panel -> networking -> TCP/IP Properties -> DNS Configuration
Select Enable DNS

Set Host to your gateway address; I set mine to 192.168.100.1 for my gateway
Set Domain to your domain; I just set it to one of the DNS servers' IP addresses
Add your ISP DNS servers to the DNS list..

Ok, reboot! everything should work fine now..
[ Step 4 Complete ]

After following these steps you should have a working Qemu using the KQEMU accelerator as well as Tun/Tap Virtual Network forwarding Requests from the guest to the internet.
If something isn't working, double check to make sure you set it up correctly.
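An added example, not part of the original HOWTO: the Step 4 commands leave ip_forward on, a MASQUERADE rule for any source, and a FORWARD chain whose policy is ACCEPT, so the host will also forward packets for anything else that can route through it, not only the guest on tap0. This Python 3 script audits an iptables-save dump for exactly that and carries a tightened rule set (constructed, like the weak one) beside it; function names and the 192.168.100.0/24 guest subnet follow the HOWTO's addressing.

```python
"""Audit the host-side NAT from Step 4 from an iptables-save dump.

Added example, not part of the original HOWTO. With ip_forward=1, a MASQUERADE
rule for any source and a FORWARD policy of ACCEPT (what Step 4 leaves behind),
the host forwards packets for any source that can reach it, not only for the
guest on tap0. Both rule sets below are constructed, not dumped from a real host.
"""

WEAK_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Same NAT, limited to the guest subnet, plus a default-drop FORWARD chain that
# only passes tap0 -> eth0 and the replies coming back.
HARDENED_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tap0 -o eth0 -s 192.168.100.0/24 -j ACCEPT
-A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """{table: {"policies": {chain: policy}, "rules": [rule, ...]}} from
    iptables-save output. '*' starts a table, ':' a chain header, '-A' a rule."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":") and current:
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A") and current:
            tables[current]["rules"].append(line)
    return tables


def audit_nat(save_text, ip_forward_text, guest_net="192.168.100.0/24", guest_if="tap0"):
    """Findings for the guest-NAT setup. ip_forward_text is the content of
    /proc/sys/net/ipv4/ip_forward; save_text is iptables-save output."""
    tables = parse_iptables_save(save_text)
    findings = []
    if ip_forward_text.strip() != "1":
        findings.append("ip_forward is off: guest traffic will not be routed")
    nat_rules = tables.get("nat", {}).get("rules", [])
    masq = [r for r in nat_rules if "-j MASQUERADE" in r]
    if not masq:
        findings.append("no MASQUERADE rule: the guest has no path to the internet")
    for rule in masq:
        if "-s " + guest_net not in rule:
            findings.append("MASQUERADE rule is not limited to %s: %s" % (guest_net, rule))
    filt = tables.get("filter", {"policies": {}, "rules": []})
    if filt["policies"].get("FORWARD", "ACCEPT") == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: with ip_forward=1 the host routes for "
                        "anything that reaches it, not only the guest")
    else:
        fwd = filt["rules"]
        if not any("-i " + guest_if in r and "-j ACCEPT" in r for r in fwd):
            findings.append("no FORWARD rule accepting traffic from %s" % guest_if)
        if not any("ESTABLISHED" in r and "-j ACCEPT" in r for r in fwd):
            findings.append("no FORWARD rule for return traffic (RELATED,ESTABLISHED)")
    return findings


if __name__ == "__main__":
    # On a real host: save_text = subprocess.check_output(["iptables-save"]).decode()
    # and ip_forward_text = open("/proc/sys/net/ipv4/ip_forward").read()
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "->", audit_nat(rules, "1\n") or ["ok"])
```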

Saturday, April 10, 2010

Cisco IOS keyboard shortcuts

Delete: Removes the character to the right of the cursor
Backspace: Removes the character to the left of the cursor
Up Arrow: Allows you to scroll forward through previous commands
Down Arrow: Allows you to scroll backwards through previous commands
Ctrl+P (or up arrow): Displays the last command entered
Ctrl+N (or down arrow): Displays previous commands entered
Ctrl+A: Moves the cursor to the beginning of the current line
Ctrl+E: Moves the cursor to the end of the current line
Ctrl+F: Moves forward one character
Ctrl+B: Moves backwards one character
Esc+F: Moves forward one word
Esc+B: Moves backwards one word
Ctrl+R: Redisplays a line (starts a new line, with the same command shown)
Ctrl+U: Erases a line
Ctrl+W: Erases a word
Tab: Completes a partial command
Ctrl+Z: Exits configuration mode, returning you to privileged EXEC mode

Interview with 6x CCIE Roman Rodichev!!!!

It is my pleasure and honor to introduce Roman Rodichev, 6x CCIE #7927 (yes, six). Roman is the first person in the world to hold all 6 active CCIE certifications!!! He is also the instructor, content developer, and owner of ieMentor

Larry: Thanks for taking the time to participate in this interview.

Roman: Thank you, Larry. It’s great to see a new online resource dedicated to the CCIE training industry. Thank you for spending time on doing this! A lot of folks who are going for a CCIE appreciate this too.

Larry: Thanks. I am hoping that the blog will become a valuable resource. The first thing I have to ask about is – 6 CCIE certifications!!! What drove you to want to go that far?

Roman: I’m not even sure what exactly drove me to this. I definitely like being challenged, I like taking tests. There is no one common reason for each of the CCIEs though.
R&S was my first and it took a couple of years to prepare for, finally passing it in August 2001 on the second attempt. I had just gotten out of college, not yet legal to drink or to rent a car. Clearly that was the most exciting CCIE to get, far more exciting compared to the last one I got this year. What an experience that was, so much inspiration, drive, fear, stress, so little sleep! The first attempt was a disaster; out of excitement I threw one of the provided pieces of paper into the trash, and Kathy, my favorite proctor, wouldn’t let me continue on my second day, even though I passed the first day. She said “You are lucky we are not putting you on a black list”. I would have had to wait for almost 6 months to get another seat.
Fortunately, past programming skills helped me develop a quick script that checked Cisco’s CCIE scheduling site for available dates and grabbed a date if it became available. I was back in a month and paid more attention that time. The big driver for R&S was career advancement and desire to get through that magic $100K/year salary barrier. But more importantly, I really liked what I was doing and was fortunate enough to become inspired by a couple of CCIE Cisco folks I met around that time. One of them, Dmitry Bokotey, 5xCCIE#4460, became a very good friend of mine and was the main point of inspiration for getting drunk on Cisco Kool-Aid.
I got Security CCIE six months later on first attempt. Playing with PIXs and VPNs at that time helped out a lot. The other factor was the young age of the Security CCIE track. I always recommend students to take the CCIE lab when it just comes out and not wait for the second version of the blueprint. I realize, of course, that not everyone gets a chance to do that. The first version of the Security lab was a little raw and wasn’t as advanced as the latest blueprint. It didn’t require as much effort. I’m not saying it was easy, but definitely easier than what other folks have to go through now to achieve Security CCIE.
If Cisco could take my Security track away and let me retake the new lab, I’d like to do that. I don’t think they allow this, though.
I remember asking them the same about my Storage CCIE so that I could go and try the new second version of the lab. They wouldn’t let me.
During those two years in 2002 and 2003, I was heavily involved in some voice deployments with CallManager, Unity, IPCC, and other Cisco voice offerings. This helped me gain enough interest and knowledge base for attempting the Voice track. My sheer interest in UC (or IPT back then) held me hostage and begged me to try it. I studied for a couple of months, went and failed. I have to thank proctor Ben Ng for creating a very challenging lab. He was the most helpful proctor of all!
I haven’t seen the new security lab, but based on the six labs I took, in my opinion, Voice was the hardest.
After failing, I studied each night after work for a month, and then went back and was lucky enough to pass it.
This is where the story stops for about three years. During that time I got a chance to do a consulting gig in Europe for about a year, got married, bought a home, those dollars had to go somewhere!!
I forgot about CCIEs for a while. Finally in 2005, around the same time Storage track was coming out, I got involved with ieMentor. It was more of a hobby than a business. I wanted to do something fun and take advantage of all the knowledge CCIEs gave me and pass this knowledge on to other people. Our CCIE Service Provider, CCIE Voice and CCIE Storage workbooks came out around the same time, followed by the CCIE Service Provider and CCIE Storage bootcamps.
Writing a CCIE Storage workbook drove me to take the CCIE Storage lab. Developing labs and questions is the best way to study for the lab. Of course, not everyone would decide to use this wacky approach, but it certainly helped me pass the Storage lab on first attempt in March of 2006 and then release the workbook a month after that. In the summer of 2006, I started delivering the CCIE Service Provider bootcamps without actually having the cert.
CCIE Service Provider is my favorite track. No other track has such a collection of interconnected technologies that allows you to achieve the result only if you get every little piece right. Doing that successful final ping between two CEs is more exciting to me than making a successful phone call between two IP phones. Discovering a failed ping between two CEs is more stressful for me than discovering a broken VPN session. I don’t know, maybe it’s just me, but Service Provider technologies are just a lot of fun to work with! Obviously, I couldn’t teach the class for too long without having the certification. I went and passed it in November of 2006.
Finally, in 2008, a rumor spread that a CCIE wireless track was on the horizon. My brain was refusing to even think about it, while my heart was telling me “Just one more, and that’s it”. Also, the word “sextuple” had something sexy about it. Probably the only sexy thing ever associated with a CCIE. I locked myself in the room for two months studying controllers, access points, authentication, security, WCS, roaming, wireless voice, all the fun stuff you have to know for this great track. I took the lab in San Jose in May of 2009 and it kicked my butt.
Past experience taking these labs taught me a lesson:
1. Document the entire lab even if you think you passed it. This takes about 3 days. Don’t be lazy!!
2. Practice your lab at home and research every topic even if you believe you will get a different lab next time.
3. Don’t wait after failing, schedule the lab for the soonest date possible. The most studying you will do is between the attempts.
After coming back from the wireless lab, I locked myself in a room for a month again, went back in July and was lucky to pass it. It was a very nostalgic experience coming to San Jose for the last CCIE, the same location I went to get my first one eight years ago.
In conclusion, what helped me get six CCIEs? A different thing each time:
1. R&S = lots of studying for about two years, a true CCIE preparation experience that most go through
2. Security = experience with PIXes and IOS security + luck
3. Voice = experience with IPT + two months of non-stop studying
4. Storage = writing a workbook
5. SP = teaching a bootcamp
6. Wireless = two months of non-stop studying
Some people who don’t know me think I have no life and that all I do is study. I would say that studying for CCIE R&S was really like that, no partying, lots of lab hours, lots of sleepless nights. Other tracks involved short but intense study methods. I would simply lock myself in a room with equipment and books for a couple of months. Another thing that helps me a lot is that I enjoy reading technical literature, Cisco Press books, but mostly Cisco’s documentation. The problem is that 90% of the reading I do is in my car. I certainly don’t recommend it! At any point in time, you will find around ten 20-30 page Cisco website print-outs on my passenger’s seat. I don’t know why, but it helps me better digest and remember the information.
I don’t like long and boring tasks that don’t involve some knowledge transfer, like driving, running on a treadmill, waiting at the doctor’s office. I can’t just sit and stare at something, I need to read. Yes, reading while driving is not a good idea, but I never had an accident because of it; I usually feel more distracted talking on the phone while driving.
Larry: Wow – that’s quite a story. I think that all of us who have passed, taken or are preparing for a lab can relate in some way. As an instructor, how do you keep up to date on all of the tracks and the changes to the labs?

Roman: Various sources can help. I currently teach the SP track and since the blueprint hasn’t changed for a long time, it doesn’t require too many changes to the curriculum. I make sure that I cover all topics on the blueprint. I also monitor IOS release notes to be aware of any changes or new features introduced. I listen to what students are saying or what they hear from other people preparing for SP. I myself learn something new in each class.

Larry: That is definitely something to remember. We can always learn something new!!
Do you have a favorite technology area? One that really interests you more than the others?

Roman: I enjoy working with Data Center, Virtualization, Unified Communications and Wireless. I like them all equally as long as the project is challenging.

Larry: There are a lot of folks that are currently studying for their first CCIE. They have problems balancing work, studying and family. Do you have any advice for them?

Roman: First of all, I need to mention that my wife and I don’t have kids yet, so I’m absolutely in no position to make recommendation of how to balance your time between kids and studying. For my situation, my success at getting CCIE and how quickly I can achieve it depends entirely on how much I am interested in the technology. If configuring MPLS VPNs is more interesting than watching TV, I will pass the lab quickly.
Find time to read. Print out a 10-20 page section of a configuration guide or a tech note and read it the same day. Do this every day. There are plenty of moments in your day, wherever you are, when you are idling and could spend that time reading.
Finally, again, it’s all about INTEREST and ENJOYMENT. If you are truly interested in the technology, if you are really enjoying studying, you will find a way to balance work, wife (can’t speak for kids) and studying. People who “can’t find time for studying” don’t actually enjoy studying that technology.

Larry: That is an important item to consider. Having a passion for what you are studying makes it more bearable. What is your reaction to the major changes to the R&S lab structure? Do you have any advice for folks that are studying for this “new breed” of lab?

Roman: I’m not very familiar with it. I’ve heard about new troubleshooting section, but can’t speak much to it. I live in the SP and Storage world.

Larry: One question that I get quite often from people is - Should I go for a professional level certification before moving to the CCIE? What is your advice on that?

Roman: If you are going to do CCIE, why waste time on CCNP? If you are ready for CCIE, you can go and take all CCNP tests in one day, and you’ll pass them. Getting CCNP might get you a $10-20K salary increase, but probably only if you switch jobs. If you think that CCIE is your ultimate goal, go for CCIE, don’t think about CCNP. These two certifications require a different approach in studying. Some people choose to study with pass4sure and pass the CCNP within a week. I would rather prepare first for a CCIE, and then take CCNP tests without preparation a week before the CCIE lab.

Larry: Thanks again for taking the time for this out of your busy schedule. One last closing question – If Cisco brings out another CCIE track will you go for it?

Roman: Well, it’s kind of obvious that Data Center CCIE will be the next track. It would be interesting to see if Cisco keeps Storage CCIE alive or if it decides to merge them. I love Data Center technologies and therefore will do this track. Now, if Cisco decides to make a track on TelePresence, that’s a different story!

Tuesday, March 2, 2010

MIKROTIK: How to apply different limits for Local/Overseas traffic

Introduction

Let's consider the scenario where you want to apply different limits to Local and Oversea traffic. Oversea traffic is traffic that does not belong to the Local country's networks. To distinguish oversea traffic from Local country traffic, we will use the 'mangle marks' and 'address-list' features: mangle places the appropriate marks on packets to/from the Local country and Oversea networks. Note that the 'address-list' entries should be replaced with the respective addresses if your router is not located in Latvia; to find the actual list of network numbers belonging to your country, use Google or any other resource. Simple queues then limit the data rate for Local country traffic and Oversea traffic.

Address-list

First we create the Local country address-list, containing the network numbers belonging to ISPs in Latvia (the network addresses of any other country can be used instead). The full address-list configuration is not included (there are too many entries), but the idea is clear. Networks added to the list 'Latvia':

/ ip firewall address-list
add list=Latvia address=159.148.0.0/16 comment="" disabled=no
add list=Latvia address=193.41.195.0/24 comment="" disabled=no
add list=Latvia address=193.41.33.0/24 comment="" disabled=no
add list=Latvia address=193.41.45.0/24 comment="" disabled=no
add list=Latvia address=193.68.64.0/19 comment="" disabled=no
add list=Latvia address=193.108.29.0/24 comment="" disabled=no
add list=Latvia address=193.108.144.0/22 comment="" disabled=no
add list=Latvia address=193.108.185.0/24 comment="" disabled=no
add list=Latvia address=193.109.211.0/24 comment="" disabled=no
add list=Latvia address=193.109.85.0/24 comment="" disabled=no
add list=Latvia address=193.110.8.0/23 comment="" disabled=no
add list=Latvia address=193.110.164.0/23 comment="" disabled=no
...
add list=Latvia address=193.111.244.0/22 comment="" disabled=no

Mangle

First we add a rule that marks connections originating from the router's local subnet (192.168.100.0/24). The second rule marks connections between the local subnet and overseas networks. The third rule marks oversea packets and excludes them from further mangle processing (passthrough=no). Finally, the last rule places a packet mark on all remaining packets, which belong to Local country traffic.

/ ip firewall mangle
add chain=prerouting src-address=192.168.100.0/24 action=mark-connection \
new-connection-mark="Con Entire Traffic" passthrough=yes \
comment="Mark-connection All Traffic" disabled=no
add chain=prerouting src-address=192.168.100.0/24 connection-mark="Con Entire \
Traffic" dst-address-list=!Latvia action=mark-connection \
new-connection-mark="Con Oversea" passthrough=yes comment="Mark-connection \
Oversea Traffic" disabled=no
add chain=prerouting connection-mark="Con Oversea" action=mark-packet \
new-packet-mark="Oversea traffic" passthrough=no comment="Mark-packet \
Oversea Traffic" disabled=no
add chain=prerouting action=mark-packet new-packet-mark="Local Country Traffic" \
passthrough=no comment="Mark-packet Local Country Traffic" disabled=no

Simple Queue

Queue configuration is quite simple in this case. 192.168.100.254 is the local network host. The first queue sets a 256k/256k limit on Oversea traffic for that host; the second simple queue sets a 1M/1M limit for Local country traffic.

/ queue simple
add name="Oversea" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks="Oversea traffic" direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=256000/256000 total-queue=default-small disabled=no
add name="Local Country" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks="Local Country Traffic" direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=1024000/1024000 total-queue=default-small disabled=no
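To see how the mangle rules above interact (the connection mark persisting across both directions, and passthrough=no on the third rule keeping the catch-all from overwriting the Oversea mark) and which queue then applies, here is an added Python simulation. It is not RouterOS code and not part of the original post; it models a connection as the unordered address pair (an assumption standing in for RouterOS connection tracking) and uses only a constructed subset of the 'Latvia' list.

```python
"""Simulation of the mangle chain and simple queues from the post above.

Added example, not part of the original post and not RouterOS code.
"""
import ipaddress

LOCAL_LAN = ipaddress.ip_network("192.168.100.0/24")
QUEUE_TARGET = ipaddress.ip_address("192.168.100.254")

# Constructed subset of the address-list 'Latvia' shown in the post.
LATVIA = [ipaddress.ip_network(p) for p in (
    "159.148.0.0/16", "193.41.195.0/24", "193.110.8.0/23", "193.111.244.0/22",
)]

# Simple queues from the post: packet mark -> max-limit in bits/s (same up/down).
QUEUE_MAX_LIMIT = {
    "Oversea traffic": 256000,
    "Local Country Traffic": 1024000,
}


def in_address_list(addr, prefixes):
    """dst-address-list=Latvia match; '!Latvia' is its negation."""
    return any(addr in p for p in prefixes)


def mangle_prerouting(src, dst, conntrack):
    """Apply the four prerouting mangle rules in order and return the packet mark.

    conntrack maps a connection (modelled here as the unordered address pair,
    an assumption) to its connection mark, which persists across every packet
    of the connection in both directions, just like a RouterOS connection mark.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    conn = frozenset((src, dst))

    # Rule 1: src-address=192.168.100.0/24 -> "Con Entire Traffic", passthrough=yes
    if src in LOCAL_LAN:
        conntrack[conn] = "Con Entire Traffic"

    # Rule 2: same src, connection-mark="Con Entire Traffic",
    # dst-address-list=!Latvia -> "Con Oversea", passthrough=yes
    if (src in LOCAL_LAN
            and conntrack.get(conn) == "Con Entire Traffic"
            and not in_address_list(dst, LATVIA)):
        conntrack[conn] = "Con Oversea"

    # Rule 3: connection-mark="Con Oversea" -> packet-mark "Oversea traffic",
    # passthrough=no: processing stops here, so rule 4 never sees this packet.
    if conntrack.get(conn) == "Con Oversea":
        return "Oversea traffic"

    # Rule 4: no match conditions at all -> everything else is Local Country Traffic.
    return "Local Country Traffic"


def queue_max_limit(src, dst, packet_mark):
    """Return the max-limit (bits/s) of the simple queue catching this packet,
    or None when no queue applies: both queues only target 192.168.100.254
    (direction=both), so other hosts' packets are marked but not limited."""
    if QUEUE_TARGET not in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        return None
    return QUEUE_MAX_LIMIT[packet_mark]


def classify(src, dst, conntrack):
    """Packet mark and applicable max-limit for one packet."""
    mark = mangle_prerouting(src, dst, conntrack)
    return mark, queue_max_limit(src, dst, mark)


if __name__ == "__main__":
    ct = {}
    # Constructed flows: LAN host to a non-Latvian address and its reply,
    # then to a Latvian address and its reply.
    for s, d in [("192.168.100.254", "203.0.113.7"), ("203.0.113.7", "192.168.100.254"),
                 ("192.168.100.254", "159.148.1.1"), ("159.148.1.1", "192.168.100.254")]:
        print(s, "->", d, classify(s, d, ct))
```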

Thursday, February 4, 2010

Debian Mail Server Setup with Postfix + Dovecot + SASL + Squirrel Mail

Install Postfix MTA (Mail Transfer Agent)

Use the following command to install Postfix on Debian:

#aptitude install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules popa3d

During installation, Postfix will ask a few questions, such as the name of the server; answer them by entering your domain name and selecting "Internet site" for Postfix.

The Postfix configuration file is located at /etc/postfix/main.cf. You can edit it with your favourite text editor, e.g. vi /etc/postfix/main.cf

Restart Postfix Server using the following command

#/etc/init.d/postfix restart

Install Dovecot

Dovecot is a POP3/IMAP server which needs an MTA like Postfix to work properly.

#aptitude install dovecot-imapd dovecot-pop3d dovecot-common

Dovecot configuration file is located at: /etc/dovecot/dovecot.conf

Before we proceed we need to make some changes to the Dovecot configuration file. Double-check that the following entries in the file have the values shown.

Edit the dovecot configuration file using the following command

#vi /etc/dovecot/dovecot.conf

# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv

Now, create a user to test our pop3 mail with outlook:

#adduser user_name

Note: Always create a separate user to test your mail or ftp.

Restart Dovecot using the following command

#/etc/init.d/dovecot restart

Now you can use Outlook Express to test whether your new mail server is working. Just enter the username and password in Outlook.

Remember that you will NOT be able to send email outside your network; you will only be able to send within your domain or local network. If you attempt to send external email you get a "relay access denied" error from Outlook Express. However, you should have no problems receiving your email in Outlook. In order to send external email you will need to configure SASL authentication as described below.

Configure SASL Authentication with TLS

SASL + TLS (Simple Authentication and Security Layer with Transport Layer Security) is used mainly to authenticate users before they send email to external servers, thus restricting relay access. If your relay server is left open, spammers can use your mail server to send spam. It is essential to protect your mail server from misuse.

Let us set up SMTP authentication for our users with postfix and dovecot.

Edit the Postfix configuration file /etc/postfix/main.cf and add the following lines to enable authentication of our users:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
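Whether the restrictions above actually close the relay depends on reject_unauth_destination being present and evaluated before any unconditional permit, and on SASL not accepting anonymous logins. The following added Python check (not from the original post) parses a main.cf fragment, including Postfix's whitespace-indented continuation lines, and reports those problems; it assumes relay control lives in smtpd_recipient_restrictions, as in the Postfix version the post uses, and the two config fragments in it are constructed.

```python
"""Offline check of the relay controls in a Postfix main.cf.

Added example, not from the original post.
"""
import re


def parse_main_cf(text):
    """Parse main.cf: 'name = value', '#' comments, continuation lines
    that start with whitespace; later assignments override earlier ones."""
    params = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + stripped  # continuation of previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def relay_findings(params):
    """Return human-readable problems; an empty list means the relay
    controls shown in the post are in place."""
    findings = []
    restrictions = split_list(params.get("smtpd_recipient_restrictions", ""))

    # Position of the rule that refuses mail for domains we do not serve.
    guards = [i for i, r in enumerate(restrictions)
              if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not guards:
        findings.append("open relay: smtpd_recipient_restrictions lacks "
                        "reject_unauth_destination")
    elif "permit" in restrictions[:guards[0]]:
        # Restrictions are evaluated in order; an unconditional 'permit'
        # before the guard lets every client relay.
        findings.append("open relay: unconditional 'permit' precedes "
                        "reject_unauth_destination")

    # permit_sasl_authenticated is only safe when anonymous mechanisms are off.
    if ("permit_sasl_authenticated" in restrictions
            and params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
            and "noanonymous" not in split_list(
                params.get("smtpd_sasl_security_options", ""))):
        findings.append("smtpd_sasl_security_options should include noanonymous")

    # permit_mynetworks trusts every address in mynetworks; a world-wide
    # prefix turns it into an open relay as well.
    if "permit_mynetworks" in restrictions and any(
            n in ("0.0.0.0/0", "0.0.0.0/0.0.0.0")
            for n in split_list(params.get("mynetworks", ""))):
        findings.append("mynetworks contains 0.0.0.0/0, so permit_mynetworks "
                        "relays for everyone")
    return findings


# Constructed main.cf fragment using the settings from the post above.
POST_CONFIG = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_security_options = noanonymous
mynetworks = 127.0.0.0/8
"""

# Constructed weak fragment: the guard is missing and anonymous SASL is allowed.
WEAK_CONFIG = """
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
smtpd_sasl_security_options =
"""

if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, relay_findings(parse_main_cf(cfg)) or ["ok"])
```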

Postfix runs in a chroot, so it cannot communicate with saslauthd through the default socket path; recreate the socket directory inside the Postfix chroot:

#rm -r /var/run/saslauthd/

#mkdir -p /var/spool/postfix/var/run/saslauthd

#ln -s /var/spool/postfix/var/run/saslauthd /var/run

#chgrp sasl /var/spool/postfix/var/run/saslauthd

#adduser postfix sasl

On the Dovecot side you also need to specify the Dovecot authentication daemon socket. In this case we specify an absolute pathname. Refer to the Postfix manual here.

Edit /etc/dovecot/dovecot.conf file

#vi /etc/dovecot/dovecot.conf

Look for the line that starts with auth default and insert the lines below before it.

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Now rename the previous auth default to auth default2. If you don't rename it, the Dovecot server will give you an error like "multiple instances of auth default".

Now restart all the following components of mail server

#/etc/init.d/saslauthd restart

#/etc/init.d/postfix restart

#/etc/init.d/dovecot restart

Test whether your mail server works with Outlook Express. Configure a user with a user name (without @domain) and make sure that you select "My server requires authentication". Under Settings select "same as incoming mail server".

Note:
1. If you don't enable "My server requires authentication" in Outlook you cannot send emails to external recipients and you get a "relay access denied" error.
2. Do not use the root login to log in to your mail server.
3. Don't forget to create a new user before you authenticate using Outlook.

Forwarding Mails

Ever wondered how to forward your mail, especially if you are a webmaster managing a number of sites? You might need to forward any email sent to your primary email address. It's that easy: just create a .forward file in your home directory and insert the list of email addresses, separated by commas, to which mail should be forwarded.

Login as user and type

echo 'destination_email_address' > .forward

or you can use vi to create the .forward file. Just delete the .forward file if you don't want any forwarding.

Installing Squirrel Web Mail

Before installing SquirrelMail you need to make sure you have installed apache2 with PHP support:

#aptitude install apache2

#aptitude install libapache2-mod-php5 php5-cli php5-common php5-cgi

#aptitude install squirrelmail

The SquirrelMail configuration files are located in the /etc/squirrelmail/ folder. By default all settings are preloaded.

# Run squirrelmail configuration utility as ROOT
/usr/sbin/squirrelmail-configure

Now we want to set it up to run under Apache. Edit the Apache configuration file /etc/apache2/apache2.conf and insert the following line:

Include /etc/squirrelmail/apache.conf

Restart the webserver using the following command

#/etc/init.d/apache2 restart

Access your webmail using the following link

http://<yourdomain or server IP>/squirrelmail

Create a separate local user and login as a new user.

Mail Server Logs

Always refer to the logs in /var/log/mail.log so that you can identify what the problem is before you start troubleshooting.

A detailed look at the filesystem in Debian

A typical Linux system has, among others, the following directories:

/

This is the root directory. This is where the whole tree starts.

/bin

This directory contains executable programs which are needed in single user mode and to bring the system up or repair it.

/boot

Contains static files for the boot loader. This directory only holds the files which are needed during the boot process.

/dev

Special or device files, which refer to physical devices.

/etc

Contains configuration files which are local to the machine. Some larger software packages, like X11, can have their own subdirectories below /etc. Site-wide configuration files may be placed here or in /usr/etc. Nevertheless, programs should always look for these files in /etc and you may have links for these files to /usr/etc.

/etc/skel

When a new user account is created, files from this directory are usually copied into the user's home directory.

/etc/X11

Configuration files for the X11 window system.

/home

On machines with home directories for users, these are usually beneath this directory, directly or not. The structure of this directory depends on local administration decisions.

/lib

This directory should hold those shared libraries that are necessary to boot the system and to run the commands in the root filesystem.

/mnt

is a mount point for temporarily mounted filesystems

/proc

This is a mount point for the proc filesystem, which provides information about running processes and the kernel.

/sbin

Like /bin, this directory holds commands needed to boot the system, but which are usually not executed by normal users.

/tmp

This directory contains temporary files which may be deleted with no notice, such as by a regular job or at system boot up.

/usr

This directory is usually mounted from a separate partition. It should hold only sharable, read-only data, so that it can be mounted by various machines running Linux.

/usr/X11R6

The X-Window system.

/usr/bin

This is the primary directory for executable programs. Most programs executed by normal users which are not needed for booting or for repairing the system and which are not installed locally should be placed in this directory.

/usr/bin/X11

is the traditional place to look for X11 executables; on Linux, it usually is a symbolic link to /usr/X11R6/bin.

/usr/dict

This directory holds files containing word lists for spell checkers.

/usr/doc

You may find documentation about the installed software packages in this directory.

/usr/etc

Site-wide configuration files to be shared between several machines may be stored in this directory. However, commands should always reference those files using the /etc directory. Links from files in /etc should point to the appropriate files in /usr/etc.

/usr/include

Include files for the C compiler.

/usr/include/X11

Include files for the C compiler and the X-Windows system. This is usually a symbolic link to /usr/X11R6/include/X11.

/usr/include/asm

Include files which declare some assembler functions. This used to be a symbolic link to /usr/src/linux/include/asm.

/usr/include/linux

This contains information which may change from system release to system release and used to be a symbolic link to /usr/src/linux/include/linux to get at operating system specific information.

(Note that one should have include files there that work correctly with the current libc and in user space. However, Linux kernel source is not designed to be used with user programs and does not know anything about the libc you are using. It is very likely that things will break if you let /usr/include/asm and /usr/include/linux point at a random kernel tree. Debian systems don't do this and use headers from a known good kernel version, provided in the libc*-dev package.)

Include files to use with the GNU C++ compiler.

/usr/lib

Object libraries, including dynamic libraries, plus some executables which usually are not invoked directly. More complicated programs may have whole subdirectories there.

/usr/lib/X11

The usual place for data files associated with X programs, and configuration files for the X system itself. On Linux, it usually is a symbolic link to /usr/X11R6/lib/X11

/usr/lib/gcc-lib

contains executables and include files for the GNU C compiler.

/usr/lib/groff

Files for the GNU groff document formatting system.

/usr/local

This is where programs which are local to the site typically go.

/usr/local/bin

Binaries for programs local to the site go there.

/usr/local/doc

Local documentation

/usr/local/etc

Configuration files associated with locally installed programs go there.

/usr/local/lib

Files associated with locally installed programs go there.

/usr/local/info

Info pages associated with locally installed programs go there.

/usr/local/man

Manpages associated with locally installed programs go there.

/usr/local/sbin

Locally installed programs for system administration.

/usr/local/src

Source code for locally installed software.

/usr/man

Manpages traditionally go in there, into their subdirectories.

/usr/sbin

This directory contains program binaries for system administration which are not essential for the boot process, for mounting /usr, or for system repair.

/usr/share

This directory contains subdirectories with specific application data, that can be shared among different architectures of the same OS. Often one finds stuff here that used to live in /usr/doc or /usr/lib or /usr/man.

/usr/share/man

Manpages go in there, into their subdirectories.

/usr/src

Source files for different parts of the system, included with some packages for reference purposes. Don't work here with your own projects, as files below /usr should be read-only except when installing software.

/usr/src/linux

This has always been the traditional place where kernel sources were unpacked. This was important on systems where /usr/include/linux was a symlink here. You should probably use another directory for building the kernel now.

/usr/tmp

Obsolete. This should be a link to /var/tmp. This link is present only for compatibility reasons and shouldn't be used.

/var

This directory contains files which may change in size, such as spool and log files.

/var/adm

This directory is superseded by /var/log and should be a symbolic link to /var/log.

/var/backups

This directory is used to save backup copies of important system files.

/var/lock

Lock files are placed in this directory. The naming convention for device lock files is LCK..<device>, where <device> is the device's name in the filesystem. The format used is that of HDU UUCP lock files, i.e. lock files contain a PID as a 10-byte ASCII decimal number, followed by a newline character.

/var/log

Miscellaneous log files.

/var/preserve

This is where vi saves edit sessions so they can be restored later.

/var/run

Run-time variable files, like files holding process identifiers (PIDs) and logged user information (utmp). Files in this directory are usually cleared when the system boots.

/var/spool

Spooled (or queued) files for various programs.

/var/spool/at

Spooled jobs for at(1).

/var/spool/cron

Spooled jobs for cron

/var/spool/lpd

Spooled files for printing.

/var/spool/mail

Users' mailboxes.

/var/tmp

Like /tmp, this directory holds temporary files stored for an unspecified duration.

Sunday, January 10, 2010

Associate NCE Program (Network Consulting Engineer)

Advanced Services - Associate NCE Program (Network Consulting Engineer)

The aNCE (Associate Network Consulting Engineer) Program will provide a valuable, extensive and intense work experience - using the Cisco model of education, exposure and experience. First, education in a classroom environment - followed by exposure in a mentored environment - while you gain experience via hands on work. This is the Cisco EEE (Education/Exposure/Experience) learning framework. The end result is that you will be a trained and capable Network Consulting Engineer (NCE) as part of the Cisco Advanced Services (AS) team.

All participants will begin training at Cisco's RTP (Research Triangle Park, NC) facilities. Your final work location in the USA will be determined at a later date.

Phase I - is the first 3-4 months when you will spend 100% of your time training to acquire the technical experience (CCNA, CCNP & CCIE courses), trouble-shooting, process, professional and other skills to perform as a Cisco Associate Network Consulting Engineer (aNCE) in the new millennium. Professional skills include: teamwork, inter-personal, writing, presentation and consulting skills. It is expected that you will pass your CCNA and written CCIE examinations during this period. This is primarily an education (training) environment.

Phase II - a variable set of exposure and experience rotations for approximately 3 months. The set of rotations will be determined by your target position/organization in AS. You will work on complex and in-depth networking problems requiring strong analytical, problem solving, and engineering skills. This will be part exposure but mainly an experience (learning by doing) environment.

Phase III - This will be a rotation into a back-office Advanced Services support team to gain the exposure and experience in the world-class tools, process and people of the Advanced Services team. During this period you will receive education/exposure/experience in various technologies and AS processes. You will take the CCIE lab examination during this phase. This phase is targeted to last 4-6 weeks. This will be an Exposure (working with experts) environment.

Work Locations - You will be hired and must be willing to relocate to the Cisco campus in the Research Triangle Park (RTP), North Carolina for Phases I-III. Upon completion of all three phases, you will be relocated to meet Cisco business needs. Final work location will be determined after joining and is based on the requirements of the Cisco AS delivery teams somewhere in the USA.

The Company - Discover all that's possible for your career!
Cisco Systems is one of the most innovative companies in the high-technology industry. We hire highly talented individuals who will contribute to Cisco’s global leadership in delivering networking products and solutions that help customers achieve their business goals.
Read more about working at Cisco and watch the video at:

http://www.cisco.com/web/about/ac40/about_cisco_careers_home.html


The Cisco Advanced Services team is a global organization charged with providing world class services to our customer base. Focused on premium customers, the AS team provides complex design, performance and optimization services to the largest networks in the world. Additionally, the AS team is in the vanguard of Advanced Technology implementation of Cisco leading edge technologies worldwide.

This is a fast paced, high impact environment where you will directly contribute to the success of Cisco's customers in deploying and utilizing the latest networking technologies. You will see a wide variety of real world customer networks and be constantly challenged to expand your networking knowledge, your ability to improve customer networks and to implement new services on the IP network infrastructure. You will become the Cisco expert that customers demand. See our website information on Advanced Services at:

http://www.cisco.com/en/US/products/svcs/ps11/services_segment_category_home.html

The Role
The Network Consulting Engineer (NCE) role is an ideal job for people who combine technical expertise, professional excellence and consulting skills.

The Cisco Advanced Services team works with the most advanced technologies and the best technical experts in the industry. At Cisco you will find the opportunity to do significant training because Cisco is the leader in Advanced and Emerging technologies (AT & ET). Advanced Services does the Plan-Design-Implement (PDI) and Optimize phases of these new technologies that will influence the human network. Be a part of the AS and Cisco team! The Advanced Services team is highly motivated and a place where people have a lot of fun doing their job.


Pre-Requisite:
US based candidates must already have a work authorization that permits them to work for Cisco indefinitely -- i.e., U.S. citizens, U.S. nationals, permanent residents, temporary residents (that is, individuals who have gone through the legalization program) refugees and asylees. Unfortunately, Cisco is not able to support any visa extensions, H-1B or other work permits for this program.

Eligibility Requirements:
Maximum of 2 years work experience and a new graduate, i.e. you have graduated within the last 24 months
3 to 4 year technical degree or a degree with demonstrated work experience in a technically related position
Technical degrees include Computer, Engineering, Sciences, Mathematics, etc.
Desirable but not required: Cisco Network Academy graduate

This position generally requires the following skills:

* Strong computer/network skills are desired but not required
* Strong ability to understand technical issues and apply technical concepts is required
* Passion for learning and demonstrated ability for independent study in addition to classroom instruction and team learning
* Ability to leverage technical expertise of others
* Exemplary written and verbal communication skills and ability to clearly communicate technical concepts
* Strong listening skills
* Ability to participate as a team member
* Ability to produce quality work under pressure with immediate deadlines
* Ability to take constructive feedback and make necessary changes
* Ability to give presentations to large or small groups
* Ability to adjust to a rapidly changing environment
* Ability to succeed in a highly unstructured environment


Responsibilities:
Develop solid knowledge of baseline Advanced Services (AS) skills
Develop knowledge as a Network Infrastructure (NI) specialist in core IP routing and switching
Attend and participate in technical and professional classes and events in the first 3 months
Complete all projects and assignments on time
Highlights of the tasks to be completed within the first 3 months
Pass CCNA examination and take all CCNP examinations
Pass CCIE written certification exam
Successfully complete 3 formal presentations and join Toastmasters
Successfully complete 4 written assignments
Take the CCIE lab examination within the first 8 months
Pass the CCNP within the first 8 months
Additional certifications testing – CCDA & CCDP will be encouraged within the first 12 months

Long-term responsibilities (include but are not limited to)
Support delivery of service program to major accounts
Review network requirements and produce high and low level network designs
Review customer Implementation / Change Management Plans
Plan and execute complex Network Upgrade and Network Migration activity
Troubleshoot and resolve complex customer network problems across a broad range of technologies
Act as a technical focal point for large account network problem resolution
Attain the CCIE certification
Build simulated networks in test labs to resolve complex problems and compatibility issues
Generate reusable Intellectual Capital in the form of standard customer deliverables
Leverage and contribute to Virtual Teams
Question ways of working and suggest improvement