Sep 15 2011

F5 Fallback Hosts

I discussed in a previous post how to use host monitors to determine if nodes in your pools were serving up their appropriate content. Nodes that fail their health monitors can be disabled in the pool to prevent a user from seeing an error, redirecting traffic to working servers.

But what about cases where all of the nodes in the pool are failing their health check? One solution to this problem is to use fallback hosts.

The fallback host feature lets you specify a URL that users' traffic is redirected to (the BIG-IP answers with an HTTP 302 redirect) in the event that there are no working nodes. Generally this would be a maintenance page or something along those lines, served from somewhere other than the failing pool so the redirect itself cannot loop.

Edit the site's HTTP profile (or, if you are using a stock profile, create a custom one sourced from the stock profile you are using). It should look similar to the image below:

Check the custom box next to fallback host. Put in the URL of your maintenance page or the site you would like your users' traffic to be redirected to. Save your changes by selecting “Finished”.

Sep 06 2011

F.lux

Almost everyone has heard the recommendation that to avoid insomnia you should stop using back-lit devices a few hours before you intend to go to sleep (the reason being that the bright light triggers your brain to think that it’s daytime and that it should be wide awake). While this is good advice, for a lot of people including myself it’s not practical, as my job has me working in a lot of after-hours change windows and a lot of my personal research time is in that timeslot as well.

Lately I have been using a piece of software called F.lux. You provide it with your zip code (or Lat/Long if you’re outside of the U.S. or weird). Basically what it does is, during the time of day that you should be wide awake, light your LCD at full brightness; as it gets later in the day it slowly adjusts your backlighting to a warm sunset-esque glow. The application can easily be manually overridden if you find yourself needing to stay awake or needing accurate color representation at night.

They quote several studies and doctors suggesting its effectiveness, but all you have to do is use it one night and I think it’s likely you’ll be convinced. Looking at a screen that’s been adjusted for the evening, I can just feel my body calming down and eyelids getting heavier.

It’s available free for Windows XP/Vista/7, OS X and Linux.

Aug 15 2011

CompTIA LX0-102/LPI 102 Exam Notes

Here are my exam notes for the LX0-102 exam. Same format as the 101 notes, following the LPI objectives.

Jul 07 2011

CompTIA LX0-101/LPI 101 Exam Notes

I recently took my LX0-101 exam and figured I would post up my study notes. They follow the exam objectives and the number in parentheses after each section header is the number of questions on the section that you can expect to see on the test.

The 101 gets you nothing by itself, but if you pass both the LX0-101 and the 102 it actually nets you 4 certs. CompTIA gives you the Linux+ and (with your permission) will publish your results to LPI, who will grant you the LPIC-1. You can then submit your LPI ID to Novell here, and they will grant you both the Novell Certified Linux Administrator (CLA) and the Novell Data Center Technical Specialist (DCTS).

Fair warning: the formatting ain’t purty and I wouldn’t try to use this as your sole resource for studying for the exam (although I think the coverage is pretty decent). I’ll publish 102 notes when I am through with them. If anyone spots any errors, let me know and I will fix them.

Jun 02 2011

Extreme XOS Hardening Guide

I’ve been working on this XOS Hardening Guide for a while now and just finished it. I tried to make it pretty straightforward: commands are in code blocks, and things that you need to swap out are in [BRACKETED BOLD].

This is written assuming you are on a new switch; modifications should be made if it’s being applied to an existing switch (for example, you might not want to run the command that deletes all of your VLAN’s). Many of these are also judgement calls – what I have here is probably my judgement, but adjust for your own environment/risk tolerance level.

Configure Management

Create Management VLAN

configure vlan Default delete ports all
create vlan [MANAGEMENT VLAN NAME]
configure vlan [MANAGEMENT VLAN NAME] tag [802.1Q VLAN TAG]
configure vlan [MANAGEMENT VLAN NAME] ipaddress [MANAGEMENT IP]
enable ipforwarding vlan [MANAGEMENT VLAN NAME]

Configure Management ACL

vi MANAGE_ACL.pol

# Limits Management Access to Switch
# Last Updated – 05/30/11 by byeager

entry PERMIT_MANAGE {
    if {
        source-address [MANAGEMENT SUBNET];
    } then {
        permit;
    }
}

entry DENY {
    if {
    } then {
        deny;
    }
}

:wq

Configure Management Protocols

disable telnet
disable web http
disable web https
configure ssh2 key
enable ssh2
enable ssh2 access-profile [MANAGEMENT ACL]
configure idletimeout [TIME IN MINUTES]
enable idletimeout

Configure Local Accounts

configure failsafe-account
configure failsafe-account deny all
configure failsafe-account permit serial
create account admin [USERNAME] encrypted [PASSWORD]
delete account admin

Configure TACACS Authentication (Be aware…)

configure tacacs primary server [AAA SERVER IP] client-ip [ADJACENT SWITCH IP] vr VR-Default
configure tacacs primary shared-secret [AUTH STRING]
enable tacacs

Note: You can apply any lockout/password policies to whatever user database you point your RADIUS/TACACS+ server at.

Configure Monitoring

Configure SNMP ACL

vi SNMP_ACL.pol

# Limits SNMP Access to Switch
# Last Updated – 05/30/11 by byeager

entry PERMIT_SNMP {
    if {
        source-address [MONITORING SERVER];
    } then {
        permit;
    }
}

entry DENY {
    if {
    } then {
        deny;
    }
}

:wq

Configure SNMP v2

configure snmp delete community readwrite all
configure snmp delete community readonly all
configure snmp add community readonly [COMMUNITY]
configure snmp sysContact [ADMIN CONTACT]
configure snmp sysLocation [LOCATION]
configure snmp sysNAME [DEVICE NAME]
configure snmp access-profile [SNMP ACL] readonly

Configure Remote Syslogging

configure timezone name [TIMEZONE] [GMT OFFSET] autodst begins every second sunday march at 2 0 ends every first sunday november at 2 0
configure sntp primary [IP ADDRESS] vr [VIRTUAL ROUTER]
configure sntp secondary [IP ADDRESS] vr [VIRTUAL ROUTER]
enable sntp-client
configure syslog add [IP ADDRESS] vr [VIRTUAL ROUTER] [LOGGING LEVEL]

Miscellaneous

Configure Warning Banner

configure banner acknowledge
[BANNER]

Disable EDP

disable edp ports all

Disable Ports Not in Use

disable ports [PORT NUMBER(S)]

Beyond this, just use best practice. Label your ports appropriately, monitor your logs, segment your users onto appropriate VLAN’s, etc. XOS also supports various port security options but as how you would want to configure those varies hugely among environments, I didn’t include them in this post.
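The guide above leaves site-specific values in [BRACKETED] placeholders, and the usual way an unfilled placeholder or an over-broad management subnet ends up on a switch is copy-and-paste. The following script is an added example (not part of the guide and not an Extreme tool): it renders a constructed subset of the commands and the MANAGE_ACL.pol policy from a per-switch dictionary, and refuses to emit output if any placeholder is unfilled, the management IP or subnet does not parse, the subnet is 0.0.0.0/0, or the VLAN tag or idle timeout is out of range. The 1 to 240 minute idletimeout range and the 1 to 4094 tag range are assumptions about XOS; the example values are constructed.

```python
import ipaddress
import re

# Added example, not from the guide: a constructed subset of the management
# commands above, kept as a template using the guide's [BRACKETED] placeholders.
MANAGE_ACL_TEMPLATE = """\
# Limits Management Access to Switch
entry PERMIT_MANAGE {
    if {
        source-address [MANAGEMENT SUBNET];
    } then {
        permit;
    }
}

entry DENY {
    if {
    } then {
        deny;
    }
}
"""

MANAGEMENT_TEMPLATE = """\
configure vlan Default delete ports all
create vlan [MANAGEMENT VLAN NAME]
configure vlan [MANAGEMENT VLAN NAME] tag [802.1Q VLAN TAG]
configure vlan [MANAGEMENT VLAN NAME] ipaddress [MANAGEMENT IP]
disable telnet
disable web http
disable web https
configure ssh2 key
enable ssh2
enable ssh2 access-profile [MANAGEMENT ACL]
configure idletimeout [TIME IN MINUTES]
enable idletimeout
"""

# Matches the guide's placeholder convention, e.g. [MANAGEMENT VLAN NAME].
PLACEHOLDER = re.compile(r"\[([A-Z0-9][A-Z0-9 .]*)\]")


def _in_range(value, lo, hi):
    """True if value is an integer in [lo, hi]; non-numeric input counts as out of range."""
    try:
        return lo <= int(value) <= hi
    except (TypeError, ValueError):
        return False


def validate(values):
    """Return a list of problems with the supplied values (empty list means OK)."""
    found = []
    if "802.1Q VLAN TAG" in values and not _in_range(values["802.1Q VLAN TAG"], 1, 4094):
        found.append("802.1Q VLAN TAG must be 1-4094")
    if "MANAGEMENT IP" in values:
        try:
            ipaddress.ip_interface(values["MANAGEMENT IP"])  # host/prefix, e.g. 10.0.99.5/24
        except ValueError:
            found.append("MANAGEMENT IP must be an address in host/prefix form")
    if "MANAGEMENT SUBNET" in values:
        try:
            net = ipaddress.ip_network(values["MANAGEMENT SUBNET"])
            if net.prefixlen == 0:
                found.append("MANAGEMENT SUBNET would permit every source address")
        except ValueError:
            found.append("MANAGEMENT SUBNET must be a network in CIDR form")
    # 1-240 minutes is an assumed XOS idletimeout range, not taken from the guide.
    if "TIME IN MINUTES" in values and not _in_range(values["TIME IN MINUTES"], 1, 240):
        found.append("TIME IN MINUTES must be 1-240")
    return found


def problems(template, values):
    """Unfilled placeholders plus validation problems for the values a template needs."""
    needed = set(PLACEHOLDER.findall(template))
    missing = ["unfilled placeholder: " + p for p in sorted(needed - set(values))]
    return missing + validate({k: v for k, v in values.items() if k in needed})


def render(template, values):
    """Substitute placeholders, raising instead of emitting a half-filled config."""
    found = problems(template, values)
    if found:
        raise ValueError("; ".join(found))
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


# Constructed values for one hypothetical switch.
EXAMPLE_VALUES = {
    "MANAGEMENT VLAN NAME": "MGMT",
    "802.1Q VLAN TAG": 99,
    "MANAGEMENT IP": "10.10.99.5/24",
    "MANAGEMENT SUBNET": "10.10.99.0/24",
    "MANAGEMENT ACL": "MANAGE_ACL",
    "TIME IN MINUTES": 10,
}

if __name__ == "__main__":
    print(render(MANAGE_ACL_TEMPLATE, EXAMPLE_VALUES))
    print(render(MANAGEMENT_TEMPLATE, EXAMPLE_VALUES))
```

Keeping the placeholders exactly as the guide spells them means the templates can be pasted from the guide unchanged, and the 0.0.0.0/0 check catches the one mistake that silently turns the management ACL into a permit-all.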

May 27 2011

Troubleshooting with the ASA’s Packet Tracer

Whenever something doesn’t work, the Network Admin is guilty until proven innocent. It’s important to have tools available to help you determine if you are in fact guilty, and if not help provide evidence to support your case.

The ASA’s Packet Tracer feature is a great tool along those lines that lets you ask your firewall “what-if” scenarios. You specify hypothetical traffic and the firewall injects a virtual packet meeting your specifications and shows you what would happen at each layer (ACL’s, NAT, IPS, etc.) of its processing of the packet.

On the command line, Packet Tracer uses the following syntax:

#packet-tracer input [source interface] [icmp/tcp/udp] [source ip address] [source port] [destination ip address] [destination port]

You can optionally also append a “detailed” to the end to receive verbose output or “xml” to receive the results in xml format.

A few examples:

#packet-tracer input inside tcp 192.168.0.10 4900 74.125.227.19 80

Would check to see if my internal host 192.168.0.10 could pull up www.google.com

#packet-tracer input outside tcp 8.8.8.8 4950 209.189.228.155 80 detailed

Would check to see if 8.8.8.8 (A Google DNS server, but I use it as my stand-in IP for “random guy on the internet”), could pull up this website; also requests verbose output.
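When you run many of these what-if checks (say, one per rule you expect to block), reading the full phase-by-phase output each time gets old. The following parser is an added example, not from the post or from Cisco: it splits packet-tracer output into its numbered phases and the final “Result:” summary, then reports which phase produced the first DROP and the matching config lines. The sample output embedded in it is constructed to follow the ASA’s layout (Phase/Type/Subtype/Result/Config/Additional Information blocks, then the summary with Action and Drop-reason) and was not captured from a real firewall.

```python
from dataclasses import dataclass, field

# Constructed sample of packet-tracer output for the first example above
# (192.168.0.10 to 74.125.227.19 port 80), laid out the way the ASA prints it;
# not captured from a real firewall.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   74.125.227.19   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp host 192.168.0.10 any eq www
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final summary dict."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":  # final summary: bare "Result:" with no value after the colon
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section is None:  # Type / Subtype / Result header lines of the phase
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key in ("type", "subtype", "result"):
                setattr(current, key, value.strip())
        else:
            getattr(current, section).append(line)
    return phases, summary


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if every phase allowed it."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def verdict(text):
    """Condense one packet-tracer run into the fields an engineer asks for first."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "action": summary.get("action", ""),
        "drop_reason": summary.get("drop-reason", ""),
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        "drop_config": drop.config if drop else [],
    }


if __name__ == "__main__":
    print(verdict(SAMPLE_OUTPUT))
```

Feed it the output of a `packet-tracer ... ` run (saved from the CLI) and the `drop_config` list points straight at the access-list line that matched, which is the thing you actually need when proving the firewall is, or is not, the problem.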

Packet-tracer can also be used to evaluate live traffic through your firewall as opposed to hypothetical traffic; a feature you will see TAC use a lot.

First, define an access list that describes the kind of traffic you want to test.

config#access-list test extended permit ip host 192.168.0.10 host 74.125.227.19

Then, as part of a capture on the relevant interface, reference that access list and add the “trace” keyword (the capture below is also named test):

#capture test interface inside access-list test trace

May 09 2011

The Training Consortium Review

For the last 9 months or so I’ve been using The Training Consortium as an online training resource supplied to me through my job.

It’s similar to several other online training resources in that it’s basically an all-you-can-eat buffet of certification training. You pay a few thousand (approximately the cost that you would pay to go to one instructor-led training course) and you can access their site for a year, which provides a mixture of recorded training, live video-conferenced training and documents. I’ve taken a few classes through it now so I thought I would make a quick post for anyone considering their product.

The Good
If you can take full advantage of it, it’s hard to argue that it’s not cost effective. Even if you only take one class at a time, you can work in 12 live classes in a year, making each class come out to a few hundred each. Depending on the class, that gets you the official book (for Cisco, it’s the Cisco Student Guides, which I have found are superior to anything you can get through Cisco Press), practice tests, lab work and video training. TTC advertises that their students have something like a 90% pass rate on their certification exams, but I am not clear how this data is collected, so I would take it with a grain of salt.

The Bad
Several of the courses I took were newly released (the new CCNP track, the new ICOMM Voice test, etc.), and I found a significant amount of incorrect content in the material they were presenting. In most of the cases if you were following along in the Cisco Student Guide you could see the discrepancies yourself as the content wouldn’t match up. At the beginning I dutifully submitted tickets each time I found something that was incorrect and the team that addressed the tickets was nice enough and thanked me, but eventually I got tired of doing free QA work for them. Unfortunately this means I am sure many students taking their courses are committing incorrect information to their memory.

Also, many of the courses bring the term “Death by Powerpoint” to my mind, shuffling you through hundreds of powerpoint slides over several hours per section. There is some video content sprinkled in occasionally and it helps kick your brain back on, but it is still rough to get through.

The Ugly
DRM. I mean, wow. In my initial dealings with their sales team I asked about DRM in their content and was told that it was non-existent or non-intrusive. Unfortunately I did not get this in writing.

The DRM for using their site is so extensive I basically had to set up a dedicated system for accessing it. The video requires multiple plugins and the student guides are even worse – the only reasonable way to access them is to print them out, most of them taking an entire ream of paper. They only support Acrobat Reader (no non-Adobe PDF reader is supported) with their DRM package installed, which only runs on certain configurations. Every time you access the PDF it has to dial home to its authorization servers, which oftentimes doesn’t work. This makes the training material very difficult to access and nigh-impossible to access if you aren’t sitting on the stereotypical XP workstation. Originally I was hoping for the flexibility to be able to read the documents on my Kindle; laughable in hindsight.

My Opinion
There’s some value to their offerings, but man do you have to put up with a lot of warts to get to it. Overall I have to assume that there are better solutions out there. This next go round I am probably going to look into the CBT Nuggets streaming service or the MindLeaders IT Training package.

Apr 27 2011

Nmap Scripting Engine

Really interesting demo of the Nmap Scripting Engine by Fyodor at Defcon 18.

Mar 21 2011

Exchange 2010 Add D-List Bug

If you follow Microsoft’s (and general) best practice, your privileged accounts are not the same accounts you use while surfing the internet or checking your email, which is why I go as far as classifying this as a bug.

If you log in to the Exchange 2010 Management Console with an account that doesn’t have an email address attached to it and try to generate a new distribution list, it’ll throw back an error:

Couldn’t find object “byeager-ev”. Please make sure that it was spelled correctly or specify a different object. Reason: The recipient “byeager-ev” isn’t the expected type.

Where “byeager-ev” is the account you are trying to generate the distribution list with (more than likely the account you are logged in with). The reason this error pops up is that it tries to assign the manager of the distribution list to the account you are trying to generate it with.

To work around this, you have to switch from the Exchange Management Console to the command line.

Open the Exchange Command Line and run the command attempted (second paragraph in the error). The change you need to make is to add

-ManagedBy 'byeager'

to the end of the command, where byeager is an account on your domain with a mailbox. You can swap the user to whoever you want after the distribution list is generated from the Management Console.

Feb 22 2011

Google Drawing for Diagrams

I’ve never had a lot of love for Microsoft Visio, I classify it solidly as the least bad of the terrible options available for diagramming. I’ve been keeping my eye on Google Drawing and check back in with it every few months to find out if it is viable for doing basic network documentation (for small companies, internal docs, etc.).

A few days ago Google pushed an update to it that I think makes it workable. Among other changes, it allows you to insert images from Picasa albums. I searched around and found these:

Cisco Network Topology Icons

They’re intended for printed docs and such, so they’re high resolution and look pretty good. You can download the pack, create a new album on Picasa (named Network Icons or whatever) and upload the icons to it.

After they’re up on Picasa, you have a full range (200 to 300 or so) of generic network icons you can insert into your diagrams, in addition to all of the standard drawing tools.

Just go to Insert, Image and choose Picasa Web Albums and your Network Icons folder.