Archive for the ‘Tips and Tricks’ Category

Cisco ACL Directionality

As anyone who has ever applied an access-list to an interface knows, you must specify the direction in which you wish to apply it.  This direction determines which side is treated as the source and which as the destination.  While this sounds fairly straightforward, it remains a black-magic area for many engineers.  Today we are going to demystify this directionality and make it simple and straightforward.

Background
The first thing we must acknowledge is that unicast communication is always between two parties.  As such, there is always a direction in which the communication is flowing.  For the purpose of this post we are going to define those directions as local and remote.  The local side is the interface that has the access-list on it, and the remote side is whoever is on the other end of that interface.

Interface's View On Communications

Since all unicast communication is between two parties, there is always a source and a destination.  These are the terms used when creating the access-list.  The question is which side, local or remote, is the source and which is the destination.  This is where the direction statement you specify on the interface comes into play.

Which Direction Am I Going?
If you apply the access-list to an interface with the direction IN, the interface (local side) considers the source address to be the remote side.  If you apply it with the direction OUT, the interface (local side) considers the destination address to be the remote side.  Thus the packet is flowing IN from the remote side or OUT to the remote side.

Why is this important?
Directionality is critical to the effectiveness of access-lists.  If you do not understand which side is the source or destination, your access-lists might end up more open than originally intended or, even worse, longer than necessary.
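To make the IN/OUT rule concrete, here is an added example (not from the original post) that models a router interface facing a LAN, parses a couple of IOS-style ACEs, and evaluates constructed flows with the ACL applied first IN and then OUT on the same interface. The ACL text, the addresses and the helper names are all assumptions made for the example; only the `ip` protocol and the `any`/`host`/wildcard address forms are modelled.

```python
import ipaddress

def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line: str):
    """Parse an ACE such as 'permit ip 10.1.25.0 0.0.0.255 any'.
    A leading sequence number and a trailing 'log' are tolerated;
    only the 'ip' protocol is modelled (assumption for this example)."""
    t = line.split()
    if t[0].isdigit():
        t = t[1:]
    action, proto = t[0], t[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, swc, i = _parse_addr(t, 2)
    dst, dwc, _ = _parse_addr(t, i)
    return action, src, swc, dst, dwc

def evaluate_acl(acl, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def apply_on_interface(acl_lines, direction: str, flows):
    """flows are (remote, far) pairs: 'remote' is the host on the other end of
    the interface (the post's remote side), 'far' is the host beyond the router.
    IN: the remote host is the packet's source.  OUT: it is the destination."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    acl = [parse_ace(line) for line in acl_lines]
    verdicts = []
    for remote, far in flows:
        src, dst = (remote, far) if direction == "in" else (far, remote)
        verdicts.append(evaluate_acl(acl, src, dst))
    return verdicts

# Constructed sample: an ACL meant to let only the 10.1.25.0/24 LAN out,
# applied on the router interface that faces that LAN.
LAN_ACL = ["10 permit ip 10.1.25.0 0.0.0.255 any", "20 deny ip any any log"]
FLOWS = [("10.1.25.7", "192.0.2.10"), ("10.1.99.3", "192.0.2.10")]

if __name__ == "__main__":
    print("in :", apply_on_interface(LAN_ACL, "in", FLOWS))   # ['permit', 'deny']
    print("out:", apply_on_interface(LAN_ACL, "out", FLOWS))  # ['deny', 'deny']
```

Applied IN, the ACL does what its author intended: the LAN host is the source, so 10.1.25.7 is permitted and the stray 10.1.99.3 is denied. Applied OUT on the same interface, the LAN host is now the destination, the source is the far-side address, nothing matches the permit, and the implicit deny swallows every flow.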


Auth Fail on New Cisco IP Phones

One of the current joys I keep being subjected to is the upgrade Auth Fail messages on brand new phones from Cisco. It seems that with the introduction of 8.5.2(SR1), Cisco requires that the phone already know the new signature in order to load the firmware. The only problem is that brand new phones from Cisco are still shipping with 8.3.1, which doesn’t know the new signature. What does this mean? If you are running a current version of Communications Manager, you are going to have to manually upgrade the firmware to version 8.5.2 and then let it upgrade to the current version on your system; otherwise it will be stuck at the original version.

The Fix

NOTE: You have to run a back-leveled version of firmware on the phone first. Installing this version for the first time will override the default device loads for ALL phones. As such, make sure to go to “Devices\Device Settings\Device Defaults”, find the model in question and take note of the load it is currently set to.  We need this so that after we install the back-leveled version of firmware we can change the default load back to the more recent version already installed.

The first thing you will need to do is download version 8.5.2 from CCO.  Do NOT download the SR1 version, as the SR1 version uses the new signature.  Once it is downloaded, install it on your Communications Manager cluster and restart the TFTP service on all your servers that offer TFTP.  If you don’t restart the TFTP service, the system won’t recognize and offer up the new file we just installed.  Once it is installed, the default device load for that model will be changed to that version, something like “SCCP42.8-5-2S”.  You will need to change this back to the latest version you have installed on your system; otherwise you risk downgrading all of your phones.

Once you have 8.5.2 installed on your system and your default device load changed back to the current version, simply find the phone in question under “Device\Phones”.  Inside the phone configuration is a field called Phone Load Name.  Enter the 8.5.2 load name (the value the default device load was automatically changed to), click Save and then reset the phone.  Once the phone resets it will upgrade to 8.5.2 and re-register with the system.  Once it is upgraded to 8.5.2, simply remove the value from Phone Load Name, save and reset the phone again.  This time the phone will go ahead and upgrade to the current version.

Long story short, pretty much all Communications Manager systems will need to have the 8.5.2 firmware installed for all of their phone models, and you should be prepared to manually upgrade every new phone on the system to 8.5.2.


Command of the Day – Wireless

It’s been a while since I last posted, so I figured I would start with a command of the day post. Today’s post is actually going to be several commands. These are commands that are not very common but that I find useful when working with Cisco Autonomous Access Points.

dot11 arp-cache [optional]
This command is entered in the global configuration mode. It enables client ARP caching on the access point. ARP caching on the access point reduces the traffic on your wireless LAN and increases client battery life by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices and drops ARP requests that are not directed to clients associated to the access point. When ARP caching is optional, the access point responds on behalf of clients with IP addresses known to the access point but forwards through its radio port any ARP requests addressed to unknown clients. When the access point knows all the IP addresses for associated clients, it drops any ARP requests not directed to its clients. In its beacon, the access point includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.
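The three outcomes described above (answer on the client's behalf, forward over the radio, or drop) are easy to lose track of, so here is an added example, not Cisco's code and not from the original post, that models the access point's decision for a batch of constructed ARP requests with and without the optional keyword. The client table and request list are invented for the example; the beacon information element is not modelled.

```python
def handle_arp_request(target_ip: str, clients: dict, optional: bool) -> str:
    """Decide what the AP does with one ARP request arriving from the wired side.

    clients maps an associated client's MAC to the IP the AP has learned for it,
    or None if that client's IP is not known yet (constructed table for the example).
    """
    known_ips = {ip for ip in clients.values() if ip is not None}
    if target_ip in known_ips:
        return "reply"      # AP answers on behalf of the associated client
    if optional and any(ip is None for ip in clients.values()):
        return "forward"    # might be for a client whose IP we have not learned yet
    return "drop"           # not for any of our clients (or caching is not optional)

def radio_traffic(requests, clients: dict, optional: bool) -> dict:
    """Tally outcomes for a batch of requests. Only 'forward' costs air time
    and wakes sleeping clients, which is the battery saving the post describes."""
    counts = {"reply": 0, "forward": 0, "drop": 0}
    for ip in requests:
        counts[handle_arp_request(ip, clients, optional)] += 1
    return counts

# Constructed sample: one client with a learned IP, one still unknown.
CLIENTS = {"00:11:22:33:44:55": "10.0.0.5", "66:77:88:99:aa:bb": None}
ALL_KNOWN = {"00:11:22:33:44:55": "10.0.0.5", "66:77:88:99:aa:bb": "10.0.0.6"}
REQUESTS = ["10.0.0.5", "10.0.0.9", "10.0.0.5", "10.0.0.6"]

if __name__ == "__main__":
    print("optional, IP unknown :", radio_traffic(REQUESTS, CLIENTS, True))
    print("optional, all known  :", radio_traffic(REQUESTS, ALL_KNOWN, True))
    print("not optional         :", radio_traffic(REQUESTS, CLIENTS, False))
```

The middle case shows the transition the post mentions: once every associated client's IP is known, the optional mode stops forwarding and drops unrelated requests just like the strict mode.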

dot11 [Interface] carrier busy
This has to be one of my favorite commands for deploying new access points. This command is entered in EXEC mode and causes the access point to run a carrier busy test on each channel, producing a report that shows how busy each channel is so you can select a free one. Two things to note:

1. This will disassociate users from the access point, so make sure it isn’t in production, or that people are aware of an outage, before issuing the command.

2. To see the report you need to issue a “show log” command or, if connected via console, have console logging enabled.

show dot11 associations
This command will show you a list of devices currently associated with the access point. You might find it useful to make this an alias on the access point.


Factory Defaulting 79[467][15] Phones

I ran into a strange issue today and had to factory default an IP phone. I hadn’t had to do this since the 79[467]0 model phones and was perplexed when I was unable to locate the option in the menu. After a quick visit to CCO I found that they appear to have changed how to do this. I actually think the new method is pretty slick. To factory restore a newer phone simply do the following:

  1. Unplug Phone
  2. Hold # key
  3. Plug Phone In
  4. Wait until the lines start flashing in order. This will keep repeating. Once this is done type “123456789*0#”.

The phone will reset itself and re-download its firmware. Talk about easy. No more trying to walk a user through menus.


iPhone Web Tools

After my recent purchase of an iPhone 3G I became interested in making some small applications to do some common conversions and such that I run into while doing my Networking thing. While there is a subnet calculator I wasn’t able to find a BaseConverter or an IPv4 to Hex converter. I downloaded the iPhone SDK and started poking around. I quickly realized that I don’t have time to figure all of this out right now with all my certification tests. So I decided to make some iPhone friendly web tools. So far I have a BaseConverter and IPv4 Converter.

The BaseConverter does exactly that. It converts from one base to another. It supports Decimal, Binary and Hex. The primary reason I wanted this tool is to convert those pesky Hex ports found on the NetFlow outputs on the routers.

The IPv4 Converter converts an IPv4 address to Hex format and back. I wrote this small tool because manually doing it is a pain in the butt and for some reason Cisco loves to store IPv4 addresses as Hex in traces.
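The two conversions behind these tools are small enough to show in full. The following is an added example written for this page, not the code of the web tools linked below: an IPv4 address to hex and back (two hex digits per octet, in order), plus a general positional base converter that covers the decimal, binary and hex cases of the BaseConverter. The sample values are constructed.

```python
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def ipv4_to_hex(addr: str) -> str:
    """'10.1.25.7' -> '0A011907': each octet becomes two hex digits, in order."""
    octets = addr.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad address: {addr!r}")
    values = [int(o) for o in octets]          # int() rejects non-numeric octets
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range: {addr!r}")
    return "".join(f"{v:02X}" for v in values)

def hex_to_ipv4(hexstr: str) -> str:
    """'0A011907' or '0x0a011907' -> '10.1.25.7'."""
    h = hexstr.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 8 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"expected exactly 8 hex digits: {hexstr!r}")
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))

def convert_base(value: str, from_base: int, to_base: int) -> str:
    """Convert a non-negative integer written in from_base to to_base,
    e.g. a NetFlow-style hex port: convert_base('0050', 16, 10) -> '80'."""
    if not (2 <= from_base <= 36 and 2 <= to_base <= 36):
        raise ValueError("bases must be between 2 and 36")
    n = int(value, from_base)                  # validates the digits for us
    if n < 0:
        raise ValueError("negative values are not supported")
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, to_base)
        out.append(DIGITS[r])
    return "".join(reversed(out))

if __name__ == "__main__":
    # Constructed sample values
    print(ipv4_to_hex("192.168.1.10"))         # C0A8010A
    print(hex_to_ipv4("0xC0A8010A"))           # 192.168.1.10
    print(convert_base("0050", 16, 10))        # 80
    print(convert_base("255", 10, 2))          # 11111111
```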

I am always up for suggestions on other tools. Make sure to drop me a comment if there is something you would like to see or if you run into any bugs.

http://www.crimsonsilo.com/iphone/tools/

NOTE: Yes, these tools work fine from a normal web browser as well they are just optimized for an iPhone display.


IP Precedence

For some reason I have a hard time remembering the order of IP Precedence. This is primarily because I don’t have a mnemonic for it. Well, that changed tonight. While reviewing various materials for my upcoming CVoice exam I decided to come up with one. With the help of a mnemonic generator and a combination of several results I have come up with the following.

Value  Type            Mnemonic
0      Routine         Really
1      Priority        Playful
2      Immediate       Iceskaters
3      Flash           Feel
4      Flash Override  Frightfully
5      Critical        Cold
6      Internet        In
7      Network         November

I find these types of memory tables invaluable. While IP Precedence is now clearly second place to DSCP, it is still useful, and you never know when this simple bit of information might come in handy.


Tip of the Day – The More Prompt

The more prompt is something we all encounter on a daily basis, whether we are looking at the configuration or some other output. The one thing that Cisco doesn’t seem to advertise is that you can do more than press Enter and Space. In fact there are some very useful options. Below is a table of some of them:

Key             Action
[space]         Advances forward one page at a time.
[enter]         Advances forward one line at a time.
q               Stops the output and returns you to a prompt.
/[search term]  Advances you to the first instance of the search term.
?               Displays misleading help! It doesn't tell you about the other options.

On IOS devices pretty much any key quits the display; on the ASA, however, you must use the q key to quit the output. If you happen across more options please let me know!


Tip of the Day – ACL Renumbering

As most know, current versions of IOS number the entries of an ACL, allowing for easy insertion of new rules. For example:

Extended IP access list SAMPLEACL
10 permit ip 10.1.25.0 0.0.0.255 any
20 permit ip 10.1.50.0 0.0.0.255 any
30 permit ip host 10.1.10.15 any
40 deny ip any any log

This means you can just put a 15 in front of your new statement and the rule will be added between 10 and 20. This works great, and upon reloading the device the ACL entries are renumbered and all is well. The question is what happens if you want to insert more than 10 entries between two existing entries? What if you are an anal retentive person who just wants to see it all nicely spaced apart but you don’t want to reload your device? There is a simple answer. From configuration mode enter the following command:

ip access-list resequence SAMPLEACL 10 10

This tells the device to renumber the ACL named SAMPLEACL, starting at 10 and incrementing by 10. You can play with these numbers to generate all sorts of sequences, but I personally just stick to 10/10.
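To see why the resequence step matters, here is an added example (my own model, not IOS code) that treats the SAMPLEACL listing above as data, inserts a rule at 15, counts how many free sequence numbers remain between two neighbours, and then renumbers the list the way `resequence NAME start step` does. The inserted rule is constructed for the example.

```python
import re

ACE_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")

# The listing from the post, as the device prints it.
SAMPLEACL = [
    "10 permit ip 10.1.25.0 0.0.0.255 any",
    "20 permit ip 10.1.50.0 0.0.0.255 any",
    "30 permit ip host 10.1.10.15 any",
    "40 deny ip any any log",
]

def parse_acl(lines):
    """Turn 'NN permit ...' lines into (sequence, text) pairs sorted by sequence."""
    entries = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"not a numbered ACE: {line!r}")
        entries.append((int(m.group(1)), m.group(2)))
    return sorted(entries)

def insert_entry(entries, seq, text):
    """Mimic typing 'NN permit ...' inside the named ACL: a free sequence
    number slots the rule into position, a used one is rejected."""
    if any(s == seq for s, _ in entries):
        raise ValueError(f"sequence number {seq} is already in use")
    return sorted(entries + [(seq, text)])

def free_between(entries, lo, hi):
    """How many unused sequence numbers lie strictly between lo and hi."""
    used = {s for s, _ in entries}
    return sum(1 for s in range(lo + 1, hi) if s not in used)

def resequence(entries, start=10, step=10):
    """Mimic 'ip access-list resequence NAME start step': keep the order,
    hand out new numbers start, start+step, start+2*step, ..."""
    return [(start + i * step, text) for i, (_, text) in enumerate(entries)]

def render(entries):
    return [f"{seq} {text}" for seq, text in entries]

if __name__ == "__main__":
    acl = parse_acl(SAMPLEACL)
    print("free slots between 10 and 20:", free_between(acl, 10, 20))   # 9
    acl = insert_entry(acl, 15, "permit ip host 10.1.30.5 any")  # constructed rule
    for line in render(resequence(acl, 10, 10)):
        print(line)
    print("after resequence 10 100:", free_between(resequence(acl, 10, 100), 10, 110))
```

With the default 10/10 spacing only nine entries fit between two neighbours; a larger step (the post's "play with these numbers") opens up as much room as you need without a reload.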


Session Control Keys

Most of us spend a decent amount of each day poking around inside a switch or router. While in there we type various commands and inevitably miss a keystroke or want to change what we typed. Most people seem to favor the backspace key here, but I personally favor the session control keys. Just as in a Linux/Unix shell, there is a series of control keys that let you do things other than delete what you have typed one character at a time.

Key Combination   Description
Ctrl-A            Moves to the beginning of the line.
Ctrl-B            Moves back one character.
Esc-B             Moves back to the previous word.
Ctrl-D            Deletes the character at the cursor position.
Ctrl-E            Moves to the end of the line.
Ctrl-F            Moves forward one character.
Esc-F             Moves forward one word.
Ctrl-K            Deletes all characters from the cursor to the end of the line.
Ctrl-U or Ctrl-X  Deletes all characters from the cursor to the beginning of the line.
Ctrl-W            Deletes a single word.

Take some time and play around with these. I am sure you will find a few favorites, and with any luck they will help preserve a little of your sanity.


Output Modifiers and their Regular Expressions

The one thing that doesn’t seem to be covered very well by Cisco is that the output modifier commands support full regular expressions. Some of the more complex regular expressions seem to be a bit hit or miss, but for the most part they all seem to work. If you want to learn about the power of regular expressions, go search Google. If you want to learn a few quick tricks that you can use, then this post is for you!

The Parentheses

To start with you need to know about ( and ). These are not required for simple regular expressions, but keep in mind that if you want to run complex, multi-step regular expressions you will need to group the sub-expressions within ( and ).

ValueA OR ValueB

This is one of the most basic regular expressions. Many times you might want to return results that match A or B, not just A or just B. To do this simply format your expression like:

ValueA|ValueB

This will return the results that match ValueA as well as those that match ValueB.

The Character Wild Card

If you want a character wildcard, use a period (.) in place of the character you wish to match anything. The important thing to remember is that this is a single-character wildcard and not a string wildcard. This means if you want to match port, import, export or report you will need to use the following wildcard:

p..t

You will notice there are two periods, one for the first and one for the second wildcard character. If you don’t include both periods you won’t match any of the words.

Limited Character Wild Card

If you wish to match import and export but not report or deport, you can do this by using a limited wildcard. In this case you would specify the following:

[mx]port

Basically you put the characters you want to match between [ and ].

The Optional Character

If you want to set up a pattern where one of the characters does not have to match, you can use the optional character expression. Simply place a ? after the character that isn’t required. For example, if you wish to match color and colour you can use the following expression:

colou?r

This makes the u an optional character.

These are the most common regular expressions that I have found useful in my daily adventures. There are a bunch of other expressions you can use, and I have oversimplified some of these to keep things as simple as possible. Like I said earlier, check Google for tutorials on regular expressions; there are many great ones floating around.
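The patterns from this post can be tried offline before typing them at a device. The following is an added example, not from the original post, that emulates `show ... | include <regex>` (an unanchored search on each line, which is how the IOS modifier behaves) with Python's `re` module over a constructed block of show-style output; Python's regex engine is not identical to the IOS one, so treat matches here as a first check, not a guarantee. The sample output, interface names and addresses are invented.

```python
import re

# Constructed show-style output; the lines are chosen so that every pattern
# discussed in the post (p..t, [mx]port, colou?r, A|B, grouping) has something
# to match and something to miss. Not real device output.
SAMPLE_OUTPUT = """\
interface FastEthernet0/1
 description uplink port to core
 ip access-group import-filter in
 ip access-group export-filter out
interface GigabitEthernet0/2
 description report server
 ip flow-export destination 192.0.2.5 9996
 deport-unused-feature
 colour scheme blue
 color scheme red
"""

def include(output: str, pattern: str) -> list:
    """Emulate 'show ... | include <regex>': keep lines where the pattern
    matches anywhere in the line (re.search, not re.match)."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]

def exclude(output: str, pattern: str) -> list:
    """Emulate 'show ... | exclude <regex>': drop the lines that match."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if not rx.search(line)]

if __name__ == "__main__":
    demos = [
        "p..t",                       # character wildcard: port, import, export, report, ...
        "[mx]port",                   # limited wildcard: import and export only
        "colou?r",                    # optional character: color and colour
        "Fast|Gigabit",               # ValueA OR ValueB
        "^interface (Fast|Gigabit)Ethernet",  # parentheses group the alternation
    ]
    for pattern in demos:
        print(f"| include {pattern}")
        for line in include(SAMPLE_OUTPUT, pattern):
            print("   ", line.strip())
```

Note the difference between the last two patterns: without the parentheses `^interface Fast|GigabitEthernet` would mean "starts with interface Fast" OR "contains GigabitEthernet", which is usually not what was intended.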