Sunday, November 24, 2013

Is it hard for a firewall, such as Cisco ASA, to be an NTP Server?

The direct answer is: no, it is not hard at all. Technically it is just a matter of the firewall's software implementing the NTP server role next to the NTP client role it already has.

The right question is: why implement such a critical service on a device that exists, first and foremost, to protect services? It is simple logic. Every service that listens on the firewall is additional attack surface that has to be patched and monitored, and NTP in particular is a UDP service, so its packets are trivial to spoof and NTP servers are a well-known reflection and amplification vector. A time source belongs on a hardened host behind the firewall, not on the firewall itself.

Hence you will not find a way to configure a Cisco ASA as an NTP server: its “ntp server <address>” command only makes the ASA an NTP client that synchronises its own clock (and therefore its log timestamps) from an upstream source, and there is no ASA counterpart of the IOS “ntp master” command.

File transfer needs reliability! Why does TFTP work on top of UDP, then?

By definition, User Datagram Protocol (UDP) is an unreliable protocol. It carries a checksum that lets the receiver detect a corrupted datagram and discard it, but it does nothing about datagrams that are lost, duplicated or reordered, and it never retransmits. So what makes a file-transfer application such as TFTP use it?

Simply because UDP is simple! There is no connection setup, no sequence numbers and no window management, so there is practically no overhead. TFTP was designed to be very lightweight (small enough to fit in a boot ROM for network booting), and putting it on top of TCP would throw that advantage away.
We still need some kind of reliability, no?

SURE! TFTP brings its own rudimentary reliability mechanism (RFC 1350): the file is sent in numbered blocks of 512 bytes, the sender transmits one block and waits for an ACK carrying that block number before sending the next, and any block whose ACK does not arrive before the timeout is sent again. A block shorter than 512 bytes (possibly empty) marks the end of the transfer. This mechanism is called “Positive Acknowledgement with Retransmission”, a lock-step or stop-and-wait scheme. Note what TFTP does not bring: there is no authentication and no encryption, so anyone who can reach UDP port 69 can read, and often write, whatever the server exposes. Keep TFTP on an isolated management network and disable it when it is not in use.
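As an added example (not part of the original post), the following Python script simulates the lock-step exchange described above. DATA and ACK packets are laid out as in RFC 1350, while the link, its loss schedule and the 1280-byte sample "file" are constructed for the example so that it runs offline without a TFTP server. It shows the two failure modes a TFTP endpoint has to handle, a lost DATA block and a lost ACK (which produces a duplicate block that the receiver must acknowledge but not store twice), and the retry limit that turns a dead peer into an error instead of an endless loop.

```python
# Added example (not from the original post): a simulation of TFTP's
# "positive acknowledgement with retransmission" over a lossy link.
# Packet layout follows RFC 1350 (DATA = opcode 3, block#, payload;
# ACK = opcode 4, block#). The link and the loss schedule are constructed
# here so the example runs offline with no TFTP server involved.
import struct

BLOCK_SIZE = 512            # RFC 1350 default; a shorter block ends the transfer
OP_DATA, OP_ACK = 3, 4


def make_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def make_ack(block):
    return struct.pack("!HH", OP_ACK, block)


class LossyLink:
    """Delivers every packet except those whose delivery index is in `drop`.

    The index counts every packet handed to the link (DATA and ACK alike),
    so a drop schedule is a deterministic stand-in for random packet loss.
    """

    def __init__(self, drop=()):
        self.drop = set(drop)
        self.count = 0

    def deliver(self, pkt):
        idx = self.count
        self.count += 1
        return None if idx in self.drop else pkt


def tftp_transfer(data, link, max_retries=5):
    """Run a lock-step TFTP write of `data` across `link`.

    Returns (bytes received by the peer, number of retransmissions).
    Sender: send DATA n, wait for ACK n; if no ACK arrives (timeout), resend.
    Receiver: store a block only if it is the one expected next; re-ACK
    duplicates (caused by a lost ACK) without storing them again.
    """
    received = bytearray()
    expected = 1             # receiver side: next block number it will accept
    block, offset = 1, 0     # sender side
    retransmissions = 0
    while True:
        payload = data[offset:offset + BLOCK_SIZE]
        data_pkt = make_data(block, payload)
        for attempt in range(max_retries + 1):
            if attempt:
                retransmissions += 1      # previous attempt timed out
            arrived = link.deliver(data_pkt)
            if arrived is None:
                continue                  # DATA lost: no ACK will ever come
            _, num = struct.unpack("!HH", arrived[:4])
            if num == expected:           # new block: store it
                received += arrived[4:]
                expected += 1
            # num < expected: duplicate after a lost ACK; ACK again, do not store
            ack = link.deliver(make_ack(num))
            if ack is not None and struct.unpack("!HH", ack)[1] == block:
                break                     # positive acknowledgement received
            # ACK lost: the sender times out and retransmits the same block
        else:
            raise TimeoutError(f"block {block} unacknowledged after {max_retries} retries")
        block += 1
        offset += BLOCK_SIZE
        if len(payload) < BLOCK_SIZE:     # short (or empty) block terminates
            return bytes(received), retransmissions


if __name__ == "__main__":
    sample = bytes(range(256)) * 5      # constructed 1280-byte "file"
    out, resent = tftp_transfer(sample, LossyLink(drop={0, 3, 6}))
    print(f"intact={out == sample} retransmissions={resent}")
```

Dropping delivery index 1 (the first ACK) is the interesting case: the sender cannot tell a lost ACK from a lost DATA block, so it resends block 1, and the receiver has to recognise the duplicate by its block number, acknowledge it again and leave the stored data untouched. A file whose length is an exact multiple of 512 bytes ends with an empty DATA block, exactly as the RFC requires.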



Saturday, November 23, 2013

Why does DNS work on top of UDP? That's just the wrong question! No more!


Yes, DNS works on top of UDP, and there is a good reason for that. But it also works on top of TCP. When, and why?

Ok then. DNS, the number-one application on any network, will always prefer UDP for the reason we all know: UDP puts far less overhead on the network (no handshake and no connection state on a busy server), and a typical query and its response each fit in a single datagram. RFC 1035 caps the DNS payload carried over UDP at 512 bytes. That is a DNS limit, not the maximum size of a UDP packet; EDNS0 (RFC 6891) lets a client advertise a larger UDP buffer, which is why DNSSEC-signed responses of several kilobytes still usually travel over UDP. It's a matter of efficiency.

Q: What if the DNS response message is lost on its way back to the requesting client?
A: The client simply times out and queries the DNS server again. The 16-bit ID in the header lets it match a reply to the query it sent, and it should ignore any reply whose ID or port does not match, because UDP replies are easy to spoof.

TCP comes into play in two cases. First, when a response does not fit within the UDP payload limit, the server still answers over UDP but sets the TC (truncated) bit in the header, and the client then re-sends the same query over TCP port 53 to obtain the complete answer; the TCP connection is always opened by the client, never by the server. Second, zone transfers (AXFR/IXFR) between name servers always run over TCP, since a zone can be arbitrarily large. Over TCP every DNS message is prefixed with a two-byte length so the receiver can find message boundaries in the byte stream.
A resolver can be configured to always use TCP, but this is not recommended: every lookup then pays for a three-way handshake and the server has to hold connection state.


In a nutshell: DNS queries normally go over UDP; a response comes back over UDP, or over TCP after the UDP reply was truncated; zone transfers are always TCP. The practical consequence for a firewall administrator: a rule that allows only UDP/53 and blocks TCP/53 will silently break large responses and zone transfers.
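As an added example (not part of the original post), here is the client-side decision logic in Python: it builds a query, inspects the reply header for the TC bit, rejects replies that do not match the outstanding query ID, and frames messages for TCP with the two-byte length prefix. The replies are constructed inline from the query rather than received from a server, and the query ID 0x1A2B and the name example.com are arbitrary choices for the example.

```python
# Added example (not from the original post): the client-side logic that
# decides between UDP and TCP for a DNS lookup, following RFC 1035.
# The query is built here and the "replies" are constructed inline,
# so nothing is sent on the network.
import struct

UDP_PAYLOAD_LIMIT = 512      # RFC 1035 cap for DNS over UDP without EDNS0
FLAG_QR = 0x8000             # 1 = this message is a response
FLAG_TC = 0x0200             # 1 = truncated: retry the query over TCP
FLAG_RD = 0x0100             # recursion desired
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode example.com as b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=QTYPE_A):
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def choose_transport(query, udp_reply):
    """Return 'udp' if the UDP reply is usable, 'tcp' if the same query must be
    re-sent over TCP port 53. A reply that is not a response or whose ID does
    not match the outstanding query is rejected: that is the client's defence
    against spoofed UDP answers (a real resolver also randomises ID and port)."""
    sent, got = parse_header(query), parse_header(udp_reply)
    if not got["qr"] or got["id"] != sent["id"]:
        raise ValueError("reply does not match outstanding query; ignore it")
    return "tcp" if got["tc"] else "udp"


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a TCP frame")
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream into complete DNS messages.
    Returns (messages, unconsumed tail) so a partial read can be resumed."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def constructed_reply(query, truncated, qid=None):
    """Constructed server reply: header plus the question echoed back. The
    answer section is omitted because the transport decision depends only
    on the header flags."""
    qid = parse_header(query)["id"] if qid is None else qid
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com", qid=0x1A2B)
    print(choose_transport(q, constructed_reply(q, truncated=False)))  # udp
    print(choose_transport(q, constructed_reply(q, truncated=True)))   # tcp
    print(frame_for_tcp(q)[:2].hex())                                  # 001d
```

The same query bytes are reused for the TCP retry; only the framing changes. The ID check is the minimum a client must do before trusting a UDP reply, and unframe_from_tcp keeps the leftover bytes because a TCP read can end in the middle of a message.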

Friday, November 22, 2013

The VTP Client: where does it keep its VLAN information?


We all know that VTP's job is to carry VLAN information to all the switches within a defined domain. So when the network administrator adds, say, VLAN100 on one switch, VTP sends this information to the remaining switches instead of the administrator going to every switch and adding the new VLAN by hand.
VTP stands for VLAN Trunking Protocol and comes in three modes:
VTP Server: on a switch set as a VTP Server the network administrator can add new VLANs or delete whichever he wants, and VTP propagates the new information to the other switches in the network.
VTP Client: on a switch set as a VTP Client no VLANs can be added or deleted; it takes this information from the VTP Server.
VTP Transparent: this mode is like VTP Server in that VLANs can be added and deleted, but it does not propagate these changes to any switch in the network.

Some people say that, since the VTP Client takes its VLAN information from the VTP Server, it loses that information as soon as the switch reboots and then fetches it from the Server again. This is not correct: just as a switch in VTP Server mode keeps the VLAN information in a file called vlan.dat on the flash, so does a switch in VTP Client mode.
As a reminder, keeping the VLAN information in vlan.dat protects it from being lost when the switch is reset to its “factory state” (when the write erase command is run), because write erase only clears the startup configuration in NVRAM; to really remove the VLAN database you must also run delete flash:vlan.dat. Keep this in mind before reusing a switch, since a switch that still carries an old domain name and a high configuration revision number can overwrite the VLAN database of the domain it is connected to.

Let's do a very small experiment in Packet Tracer:
This small diagram is all we need to build





These are the basic settings we need
VTP_CLIENT(config)#int fas0/1
VTP_CLIENT(config-if)#switchport mode trunk
VTP_CLIENT(config)#vtp mode client
VTP_CLIENT(config)#vtp domain VTP
VTP_SERVER(config)#int fas0/1
VTP_SERVER(config-if)#switchport mode trunk
VTP_SERVER(config)#vtp mode server
VTP_SERVER(config)#vtp domain VTP


Now let's add VLAN 100 on the VTP Server; as we know, VTP will send this information to the VTP Client. We verify that by running show vlan brief on the VTP Client

VTP_SERVER(config)# vlan 100
VTP_CLIENT# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
100  VLAN0100                         active

Now, to make sure that a switch keeps its VLAN information even when it is a VTP Client, we will do the following:
1-      Disconnect the cable between the two switches, to guarantee that the Client cannot take the VLAN information from the VTP Server
2-      Run write erase on the switch that is the VTP Client
3-      Reload the same switch
After the reboot we see that the hostname has changed from VTP_CLIENT to Switch, which is the default name, indicating that the switch has returned to its default settings.
Now let's run the show vlan brief command again:

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
100  VLAN0100                         active

As we can see, VLAN100 is still there. This is sufficient proof that a switch in VTP Client mode keeps its VLAN information in the vlan.dat file, a fact that escapes many people.

Sorry for the length, and I hope you all find it useful

VTP Client! Where does it save its VLAN information?


We all know that the role of VTP is to replicate VLAN information to all switches in a VTP domain. So when the network administrator creates a new VLAN (say VLAN100) on one switch, VTP automatically updates all the other switches in the domain.
VTP stands for VLAN Trunking Protocol, and it comes in three modes:
1-      Server mode: a switch in this mode allows VLANs to be created and deleted. The VLANs are stored in the vlan.dat file on the flash. VTP advertises the updated information to all other switches in the domain.
2-      Client mode: a switch in this mode does not allow any VLAN creation or deletion. All of its VLAN information is learned from the VTP server.
3-      Transparent mode: like server mode, it allows VLAN creation and deletion and stores the VLAN information in vlan.dat. But unlike server mode, a transparent switch neither advertises its own VLANs nor applies updates received from other switches (in VTP version 2 it still forwards the advertisements it receives out its trunk ports).

There is a debate out there about where a VTP client stores its VLAN information: whether it is kept in a vlan.dat file (just like on a VTP server), or simply re-learned from the VTP server after every reboot.
As a reminder, “write erase” only clears the startup configuration in NVRAM; VLANs stored in vlan.dat on the flash survive it. To really wipe the VLAN database you also have to “delete flash:vlan.dat”, and that matters for security as much as for this experiment: a second-hand switch, or one moved from another network, still carries its old VTP domain name and configuration revision number, and if it is connected as a server or client to a domain with the same name while holding a higher revision number than the existing switches, its (possibly empty) VLAN database overwrites theirs. Check “show vtp status”, clear vlan.dat and set a VTP domain password before connecting a switch to a production domain.
Let's try it out in Packet Tracer!
The illustration below is all we need to test our understanding


Here’s the basic configuration:
VTP_CLIENT(config)#int fas0/1
VTP_CLIENT(config-if)#switchport mode trunk
VTP_CLIENT(config)#vtp mode client
VTP_CLIENT(config)#vtp domain VTP
VTP_SERVER(config)#int fas0/1
VTP_SERVER(config-if)#switchport mode trunk
VTP_SERVER(config)#vtp mode server
VTP_SERVER(config)#vtp domain VTP


Now let's update the VTP server switch by adding a new VLAN (VLAN100). As you might guess, VTP will push this information to the VTP client. To make sure, just run “show vlan brief” on the VTP client:

VTP_SERVER(config)# vlan 100
VTP_CLIENT# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
100  VLAN0100                         active



Now, to make sure that a switch keeps its VLAN information even when it is in VTP client mode, we'll do the following test:
1-      Disconnect the link between the two switches. This ensures the VTP client cannot re-learn the VLANs from the VTP server.
2-      Issue “write erase” on the VTP client.
3-      Issue “reload” on the VTP client.
After the switch boots up, we notice that its hostname has gone back to the default, “Switch”, which tells us the switch has returned to its factory-default configuration.
Let's issue “show vlan brief” again on the client switch:

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
100  VLAN0100                         active


Sure enough! VLAN100 is still there. This is good proof that a VTP client saves its VLAN information in vlan.dat, a fact that is easily hidden from many.

What is NAT NVI? And how does it differ from the “normal” NAT?


First, NAT, as we know, stands for Network Address Translation, and NVI stands for NAT Virtual Interface.
NAT in all its forms translates network addresses into other addresses, which is referred to as IP-to-IP translation: for example, translating private IP addresses into the public IP addresses used on the Internet, or in other cases translating them into the addresses of another private network.

Terminology aside, NAT NVI is an evolution of the well-known NAT, whose configuration requires designating the Inside NAT interface and the Outside NAT interface for the translation to work. Look at the example:
Router(config)# interface fa0/0
Router(config-if)# ip nat inside
Router(config)# interface fa0/1
Router(config-if)# ip nat inside
Router(config)# interface fa1/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source static X.X.X.X   Y.Y.Y.Y (note that “inside” is specified)

But the normal NAT cannot translate addresses between router interfaces if they are all NAT Inside, or all NAT Outside, and this is where its limitation begins. Look at the diagram:


This is exactly what NAT NVI, available since IOS version 12.3(14)T, addresses: no Inside and Outside are designated in the NAT configuration; NAT is simply enabled on the interfaces, with a small change to the NAT statement, and the translation is applied on a virtual interface rather than on a fixed pair of physical interfaces. Look at the example:

Router(config)# interface fa0/0
Router(config-if)# ip nat enable
Router(config)# interface fa0/1
Router(config-if)# ip nat enable
Router(config)# interface fa1/0
Router(config-if)# ip nat enable
Router(config)# ip nat source static X.X.X.X   Y.Y.Y.Y (note that “inside” not specified)



What is NAT NVI? And how does it differ from the “normal” NAT?


As we all know, NAT stands for Network Address Translation, and NVI stands for “NAT Virtual Interface”.
NAT in all its flavors is designed to convert IP addresses into other IP addresses (IP-to-IP translation), e.g. converting private IP addresses into public IP addresses that are routable on the Internet. You can also convert private IP addresses into other private addresses, as you might guess.
NAT NVI is an updated version of the “normal” NAT, which needs the “inside” and “outside” interfaces to be specified in the NAT configuration. Notice the example:
Router(config)# interface fa0/0
Router(config-if)# ip nat inside
Router(config)# interface fa0/1
Router(config-if)# ip nat inside
Router(config)# interface fa1/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source static X.X.X.X   Y.Y.Y.Y (note that “inside” is specified)

“Normal” NAT only translates between an “inside” and an “outside” interface; it will not translate traffic that flows between two “inside” interfaces or between two “outside” interfaces. HERE COMES THE LIMITATION. Look at the illustration:



This is exactly what NAT NVI comes to solve, starting from IOS version 12.3(14)T. In its configuration we only enable NAT on the interfaces, without designating any of them “inside” or “outside”; the translation is applied on a virtual interface instead of on a fixed pair of physical interfaces, so the same static entry applies whichever of the NAT-enabled interfaces a packet arrives on and leaves through. Two practical notes: the NVI table is displayed with “show ip nat nvi translations” rather than “show ip nat translations”, and NVI is not supported on every IOS platform and feature set, so verify support before designing around it. The configuration looks like the example below:

Router(config)# interface fa0/0
Router(config-if)# ip nat enable
Router(config)# interface fa0/1
Router(config-if)# ip nat enable
Router(config)# interface fa1/0
Router(config-if)# ip nat enable
Router(config)# ip nat source static X.X.X.X   Y.Y.Y.Y (note that “inside” is not specified)