
Category: Networking

Connecting Network Gear to Avocent/Cyclades ACS Console Server

There’s a lot of differing information about what the proper cabling is for connecting Cisco/HP/whatever network gear to an ACS console server. I’ve seen everything from straight-through to rollover to a modified version of straight-through. However, Avocent provided the correct version and I’ve verified that it works.

From the Avocent/Emerson Power site:

RJ-45 (Cyclades) to RJ-45 (Sun/Cisco), crossover

RJ-45              RJ-45
Cyclades           Sun/Cisco
--------           ---------
3 TxD  ----------  RxD 6
6 RxD  ----------  TxD 3
4 Gnd  -------+--  Gnd 4
              +--  Gnd 5
2 DTR  ----------  DSR 7
7 DCD  ----------  DTR 2
1 RTS  ----------  CTS 8
5 CTS  ----------  RTS 1

To build this, take a standard TIA-568B straight-through cable and cut off one end. Remake the cut end as follows:

Pin   Color
1     Brown
2     White/Brown
3     Green
4     Blue
5     White/Orange
6     White/Green
7     Orange
8     White/Blue (optional)

The factory end would go into the console port of the network gear, while your custom end would go into the ACS.

Updating the Firmware on Quanta LB4M Switches

There seems to be a lack of information (that isn’t misinformation) on how to upgrade the firmware on Quanta LB4M switches. Posts abound containing warnings about bricking your switch. Likely, these people attempted some XMODEM transfer that was not needed. All you need is a TFTP server, which can even be running on your local computer.

Grab a copy of the firmware from Jared’s site (or my mirror: 1.1.0.8 / 1.0.2.17). I used lb4m.1.1.0.8.bin as it’s the latest and seems to be the most featureful, although I’m still trying to locate a copy of the release notes for each version.

Make that file available via your TFTP server and ensure that your switch can see your TFTP server (ping should do nicely). I’ll assume that your TFTP server is on 192.168.1.100, so if it isn’t replace that with the IP you’re using. Once your switch can see the TFTP server, it’s time to begin.

The LB4M has two firmware slots: image1 and image2. You’ll need to determine which is currently active, as you cannot download firmware to the active slot.

(Switching) #show bootvar

Image Descriptions

image1 : default image
image2 :

Images currently available on Flash

--------------------------------------------------------------------
unit      image1     image2      current-active         next-active
--------------------------------------------------------------------

  1     1.0.2.14   1.0.2.14              image1              image1

This shows that we need to download the firmware into image2, as image1 is the currently loaded firmware. We do that with the following command:

(Switching) #copy tftp://192.168.1.100/lb4m.1.1.0.8.bin image2

Answer ‘y’ at the “Are you sure you want to start?” prompt and the transfer will begin. It will take a few minutes, but should complete without issue, assuming your TFTP server is reachable and working properly. If all goes well, you’ll see the following:

Verifying CRC of file in Flash File System

File transfer operation completed successfully.

All that’s left is activating the image and rebooting.

(Switching) #boot system image2
Activating image image2...

(Switching) #reload
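The slot-selection step above is the one people get wrong. As an added example (not from the post or from Quanta), this script parses the “show bootvar” table, picks the slot that is not currently running, refuses to proceed if a previous “boot system” change is still waiting on a reload, and emits the exact CLI steps from the post. The sample output is constructed to match the post; the TFTP host and filename are the ones used above.

```python
import re

# Constructed sample modelled on the "show bootvar" output quoted in the post.
SHOW_BOOTVAR = """\
Image Descriptions

image1 : default image
image2 :

Images currently available on Flash

--------------------------------------------------------------------
unit      image1     image2      current-active         next-active
--------------------------------------------------------------------

  1     1.0.2.14   1.0.2.14              image1              image1
"""

# One data row: unit number, two version strings, current-active, next-active.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(image[12])\s+(image[12])\s*$", re.MULTILINE
)


def parse_bootvar(text):
    """Extract the slot table from show bootvar output into a dict."""
    match = ROW_RE.search(text)
    if match is None:
        raise ValueError("no unit row found in show bootvar output")
    unit, ver1, ver2, active, next_active = match.groups()
    return {"unit": int(unit), "image1": ver1, "image2": ver2,
            "current_active": active, "next_active": next_active}


def inactive_slot(info):
    """The slot that may be overwritten: the one not currently running."""
    return "image2" if info["current_active"] == "image1" else "image1"


def upgrade_commands(info, tftp_host, filename):
    """Return the CLI steps from the post, targeted at the inactive slot."""
    if info["next_active"] != info["current_active"]:
        # A different next-active slot means an earlier "boot system" is still
        # pending a reload; overwriting that slot now would race with it.
        raise RuntimeError("next-active differs from current-active; reload first")
    target = inactive_slot(info)
    return [f"copy tftp://{tftp_host}/{filename} {target}",
            f"boot system {target}",
            "reload"]
```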

Installing Cisco ASDM on Linux

Cisco’s Adaptive Security Device Manager is a GUI tool for managing and configuring Cisco security appliances. It runs perfectly well under Linux, but can be a little tricky to get running. Today, I’ll show you how.

I am currently running the following:

  • Fedora 22 Workstation w/ Gnome 3.16
  • Oracle Java 8 (1.8.0_45)

Adding a Security Exception

The first thing we need to do is add a security exception for the ASA. Open up the Java Control Panel with the following command:

$ /usr/java/latest/bin/ControlPanel &

Click on the Security tab and then on the Edit Site List… button.

Once the Exception Site List window opens, click on Add and type in “https://” followed by the IP of your ASA and a trailing forward-slash. If you’ve configured ASDM to be available on a different port, you’ll need to specify that. For example, if your ASA has the IP address of 192.168.10.1 and you’ve configured ASDM to be on port 4430, you’d enter the following:

https://192.168.10.1:4430/

Click OK to close the Exception Site List window, then OK again to close the Java Control Panel.

Installing ASDM

Go back to your terminal window and enter the following command, replacing <SITE_ADDRESS> with the IP and port number, if changed, of your ASA:

$ javaws https://<SITE_ADDRESS>/admin/public/asdm.jnlp

Accept the security warnings and log in to your ASA. ASDM will install itself and, if you have the Applications Menu extension turned on, you’ll find it under Java WebStart.
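The Exception Site List edited through the Control Panel above is just a text file of one URL per line. As an added example (not from the post or from Cisco/Oracle), this script builds the entry in the exact form the post describes, with the port suffix only when it is not 443, and adds it to the list idempotently, refusing anything that is not https. It assumes Oracle Java on Linux keeps the list at ~/.java/deployment/security/exception.sites.

```python
import ipaddress
from pathlib import Path

# Assumed location of the Exception Site List for Oracle Java on Linux (one URL
# per line); the post edits the same list through the Java Control Panel GUI.
DEFAULT_SITES_FILE = Path.home() / ".java" / "deployment" / "security" / "exception.sites"


def asdm_site_url(ip, port=443):
    """Build the entry the post describes: https://<ip>[:<port>]/ with a trailing slash."""
    ipaddress.IPv4Address(ip)  # raises ValueError for anything but a plain IPv4 address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"https://{ip}/" if port == 443 else f"https://{ip}:{port}/"


def merge_exception_site(existing_text, url):
    """Return (new_text, added). Pure function so the file I/O below stays trivial.

    Only https entries are accepted: an http:// entry would relax Java's checks for
    a JNLP fetched over plain text, which is the opposite of what the list is for.
    """
    if not url.startswith("https://"):
        raise ValueError(f"refusing non-https exception entry: {url}")
    if url in existing_text.splitlines():
        return existing_text, False
    if existing_text and not existing_text.endswith("\n"):
        existing_text += "\n"
    return existing_text + url + "\n", True


def add_exception_site(url, sites_file=DEFAULT_SITES_FILE):
    """Append url to the on-disk list once; True if added, False if already present."""
    sites_file = Path(sites_file)
    sites_file.parent.mkdir(parents=True, exist_ok=True)
    current = sites_file.read_text() if sites_file.exists() else ""
    new_text, added = merge_exception_site(current, url)
    if added:
        sites_file.write_text(new_text)
    return added


if __name__ == "__main__":
    entry = asdm_site_url("192.168.10.1", 4430)  # the example address and port from the post
    print("added" if add_exception_site(entry) else "already present", entry)
```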

Getting FDMA Working on a CPN

As per my last post, I will show here the basic configuration of how to get FDMA working on a Lot 10 CPN. All CECOM documentation only shows how to get a JNN working, but (as CPNs don’t have a GPS to provide timing) we have to do things differently.

Cabling

  • TFOCA-2 runs from Port 1 on the LOS case to J1 on the STT. In our LOS case, we had to use the spare fiber pair to connect to the CTM-100/C.
  • Serial cable connects from NT2R Serial0/0/0 to the LOS case’s Channel 1 Red.
  • Serial patch from Port 1 NRZ to Channel 1 Black (all on the LOS case).
  • FDMA modem and CTM-100/C installed as labeled in the STT.
  • KIV-7M installed as labeled in the LOS case, COMSEC loaded, and strappings matching the HUB.

CTM-100/C Configurations

The following setup will allow your CTMs to pull timing through your FDMA modem.

Setting                  LOS case              STT
Mode                     Fiber                 Fiber
Input                    NRZ                   NRZ
Rate                     <Provided in SAA>     <Provided in SAA>
NRZ Mode                 EIA530A               EIA530A
NRZ Config               DCE/EXT               DTE/EXT
NRZ Clock                -------               TXC
Clock Source             Fiber                 Input
Status (when complete)   <Rate> nF_ P_ L_      <Rate> Nf_ P_ L_

NT2R Configuration

  • Remove “passive-interface Loopback0” from the OSPF configuration.
  • Add a network statement to include the Hub’s NT2R (e.g. “network 144.104.201.224 0.0.0.0 area 0”). The IP of the Hub’s NT2R should be visible in your routing table, as it is a directly connected network via Serial0/0/0 (shown in the yellow box below).
[Figure: NT2R routing table, output of “show ip route”]

Conclusion

That should be it. If any additional configuration is required, it is Hub-specific and not something we came across. If additional help is required, I can be contacted via this blog (must use a .mil email address).

Next Post: Getting FDMA Working on a CPN

Normally, a WIN-T Battalion Command Post Node (referred to as either BnCPN or CPN) is configured to connect to the WAN via a TDMA satellite link. This is the way things are normally done and the way we are trained to make it work. However, the powers that be have decided to make certain CPNs “Super CPNs” by providing them with an FDMA modem, which is normally reserved for the JNN. This has been done for a while: another CPN at FOB Wolverine (where I was working in Afghanistan) had an FDMA link back in 2010. The only problem is that no one, or very few people, know how to make it work.

Well, we figured it out this morning. I have copious notes and will be posting a write-up for the benefit of fellow CPN operators and the CECOM FSRs who support us.

Home Server Updates and New Theme Pending

While reading We Got Served, I found an article discussing the upgrade of HP MediaSmart home servers from their factory software to version 3.0. This upgrade adds a bunch of new features including:

  • a new video converter
  • HP Media Streamer, which allows you to stream your media to any Internet-connected computer
  • better Mac support for server administration and backup
  • the ability to stream to your iPhone or iPod Touch via the HP MediaSmart Server iStream app
  • a new UI for the Server Console

“Sign me up,” I thought. So, I called up HP only to find out that the discs are no longer available. So, being a determined WHS administrator, I looked for ISO images on the Internet. The problem is that these discs are specific to the model of MediaSmart server you have: there’s a separate set for the EX470s, EX480s, etc. It’s pretty easy to find ISOs for the EX480s, but I have an EX470, of course.

After a bit of searching, I determined that a poorly named torrent actually contained the ISO I was looking for.

Named as the PC Restore Disc, not Server Recovery Disc

Here are the actual discs, so you can see how they’re named by HP.


After getting it downloaded, I installed it per the directions in the initial article and it went off without a hitch. Of course, I had to set up everything again, including the DHCP and WINS services that the server was providing, but it doesn’t take too long.

I’ve already noticed improved performance in responsiveness and LAN media streaming and look forward to further tweaking and getting everything perfect.

On another note, I am working on my own custom theme for this blog. Hopefully, it will be ready soon. Look for it in the next month.

Fixing Name Resolution with Windows Home Server

As I’ve posted before, I use a Windows Home Server to manage backups and store my media on my home network. Normally, you’d access it via its NetBIOS name: like \\WHSERVER. However, I’ve found that this functionality degrades over time. I still have no idea why, but I know how to fix it.

The First Attempt

Searching the Googles for this will eventually lead to a number of forum posts and blog entries telling you to enable NetBIOS over TCP/IP in your network adapter’s Advanced IPv4 settings.

Advanced IPv4 Settings

For some of my computers, this worked for a few months. Then it stopped again. I’m thinking it has to do with the DNS suffix I use on my network, but I can’t be sure.

Getting It To Work

Windows Home Server is a stripped-down version of Windows Server 2003, but includes much of that functionality (minus Active Directory). As such, I decided that a WINS server (and DHCP pointing to it) would solve all my name resolution issues.

First, I went into my router and disabled DHCP. WHS’ DHCP Server will fail to start if it detects another DHCP server running on the same subnet. I left the page open, however, as I’d need to copy all my static reservations over to the Windows server.

Install DHCP Server and WINS Server in Add/Remove Windows Components.

Follow the instructions in Help to set up an identical DHCP configuration to the one your router was providing, but include the WHS’ IP address as the primary WINS server.

Everything should work smoothly after that.

NOTE: I initially set up a DNS Server on the WHS, as well. However, I found that it was not needed and removed it. Testing after the fact shows that everything is just fine without it, as the computers do not attempt to use DNS to resolve short names unless the WINS resolution fails.

Gargoyle Router Firmware on Netgear WNDR3700v2

A few days ago, I mentioned that I was having major issues with DD-WRT running on my Netgear WNDR3700v2. My wireless was constantly dropping out and even my wired connections would lose the ability to see the router. On the day I gave up, I had to reset the router five times. Not okay.

So, I looked at Gargoyle Router. Gargoyle is basically a front-end for OpenWrt, an open-source router firmware. It’s stable and works well with a number of flashable routers.

So far, I’m enjoying the stability and a minor wireless speed increase from being able to open up the wireless channel width, which unlocks the full potential of 802.11n.

Gargoyle Wireless Settings

For those users in North America, you’ll need to download a firmware image that ends in “-NA”. Currently, only version 1.5.0 in the Experimental branch and version 1.4.3 in the stable branch support North America for the WNDR3700v2. These files can be uploaded to the factory firmware’s Upgrade page and, after waiting about 5 minutes, will completely install without any other user interaction.

The default IP address will be 192.168.1.1 and the web login password will be ‘password’.

DD-WRT on a Netgear WNDR3700v2

I tried out DD-WRT on my WNDR3700v2. It was awful. I’d get frequent loss of connectivity on both wired and wireless segments. Unstable as hell.

I’m now trying Gargoyle and we’ll see how things go.

Cracking Wireless Passwords

First of all, grab yourself BackTrack Linux. This is a Linux distro tuned for security testing. It is also popular with black hats, but is widely used by network security professionals.

I recommend using a Live DVD image on a laptop with WiFi.

Cracking WEP (Lifehacker)

Cracking WPA (Lifehacker)

The WPA method requires the router to have its WPS PIN enabled, which many tech-savvy users are disabling. I can promise there are still many routers with this enabled. On my block, there are 12.

NOTE: Don’t do this to networks you are not authorized to access and/or test. I do not take any responsibility for any legal ramifications.