Feed on Posts or Comments 03 July 2009

Networking Greg on 12 Jun 2009

DD-WRT, WRT54G2 and YOU!

It looks like my post on DD-WRT and the WRT54G2 is pretty popular with the readers, so I’m going to clear up a few of the questions that have been brought up.  First and foremost, the WRT54G2 is going to run a very limited version of DD-WRT.  If you want to run a full blown version of DD-WRT, you’re going to have to get your hands on a WRT54GL or one of the other routers that is designed to run full open source firmware.  I have used these and let me tell you, they work great.  I’ve set up Chillispots all over the place using those, as well as creating a really nice mesh network for a large office.  So, the answer to one question is yes, you can create a wireless mesh network with DD-WRT.  Even the smallest install supports linking routers and mBSSID just like the much more expensive Aironet products from Cisco.

Now, I have a confession to make.  I bricked my WRT54G2.  I wasn’t paying attention and tried to upgrade to a newer version of the firmware when actually it was an older version.  I’m the guy that wrote the how-to on upgrading this router and I screwed it up.  Awesome!  You should be fine as long as you follow the directions in my previous post on this.  Currently I’m running a WRT54G v6 and a WRT310N at the house.  The 54G is running in G only mode, the 310N is running in N only mode.  The reason I’m doing this is because when you run a dual band router in mixed mode, it’s going to suck.  I was only connecting to the 310N with my N adapter at 65 Mbps.  Once I added the WRT54G in AP mode and G only and moved the 310N to N only mode, that jumped to over 130 Mbps.

If there are any more questions about this, please don’t hesitate to post them.  I’ll be more than happy to answer your questions.

-Greg

Networking Greg on 28 Apr 2009

An open letter to technical recruiters

(Please read the whole thing before you get mad and click that X at the top right of the screen.)

Dear Technical Recruiter,

I would first like to thank you for contacting me about the position that you are trying to fill.  I appreciate that you either found my resume on one of the web’s many job sites or that I was already in your database.  Before we get into your email, I would like to cover a few bases with you that I think may help you not only in this search, but in future searches as well.

First off, if we have a previous rapport, it is perfectly fine to contact me with few personal details in your email.  Evidently we have spoken before and you are just passing along information for my consumption.  If we have never been in contact before, I feel that a short introduction is in order.  At least tell me who you are and who you represent.  And no, your email signature is not good enough.  It’s not hard to throw in a “Hi Greg!  I’m Joe Schmoe with ABC IT Services!”  It’s much better than “I saw your resume online. Look at this job.” followed by a signature.  I’m a person… try being personable.

Secondly, as a technical recruiter, it may help that you have some technical knowledge.  I’m not saying that you have to know everything.  All I’m saying is that some knowledge may be helpful.  It really makes you look like an idiot in some of the job postings when you have no idea what you are talking about.

On that subject, let’s talk about industry certifications.  Learn them.  They are your lifeline to the “real” world.  You need to know what each certification is, where it stands in the hierarchy of that technology, and what kind of knowledge it takes to obtain each cert.  Send me one more “entry-level” position that requires a CCIE and I will reply with a very rapidly spreading virus attached to my resume.  Trust me when I say your virus scanner will not pick it up either. And don’t think I’m joking with you.  I will do it.  In the world of Cisco, it goes CCENT -> CCNA -> CCNA – Speciality -> CCxP (where x = speciality) -> CCIE – Speciality.  The “A” in CCNA means Associate, the “P” in CCNP means Professional, and the “E” in CCIE means EXPERT.  May I suggest a quick trip to Cisco’s website to brush up on those certs.  It takes all of 5 minutes and makes you look a lot less like a complete idiot.  Microsoft has a page like this too. So does Citrix.  I could continue to link to all the sites, but I’m not going to do your job for you.

Thirdly, let’s learn a little English.  Now this is a VERY small percentage of you, but when I get an email that reads “I saw you resume online I like bring your attention to following contract position” I am going to assume that if you can’t master the language of the country you reside in, you can’t master your job and therefore I’m not going to want you as the guy that holds my future in his hands.  How can I trust that you will accurately convey my experience and qualifications to the client if you can’t accurately convey the job requirements to me?

Now, about the position that you have contacted me about.  Before you start banging out that e-mail to me, do yourself a favor and brush up on those certs we spoke about earlier.  If the job REQUIRES a CCNP and the client is not willing to accept a CCNA in place, don’t bother wasting my time or your time.  Also, I have to ask if the client is even sure what he needs.  Is your contact with the client an HR person with no idea what he’s talking about when it comes to this position or is he the IT Department head who knows what he wants and needs?  If he’s the HR guy, chances are he is about as informed as a house fern when it comes to technology.  He wants to seem smart and impressive so he’s going to say he wants that CCIE for his entry to mid level position.  Someone needs to tell him about an old quote…  “Tis better to keep your mouth closed and be thought a fool than open it and remove all doubt”.  Let the big boys handle the big jobs.  You are looking for someone to manage your most important asset after your employees; your network.  I understand you want the best person for the job, but please be reasonable in your requests.  Someone that has undertaken the time and expense to obtain a CCIE is not going to even think about accepting your $60k per year job when he can be making $150k elsewhere.

Think/Read before you write/speak/type/forward.  If the client sends you an email with the requirements for a position and in that email one of the requirements is “10 years experience with Microsoft Windows Server 2003” and it’s only 2009, contact the client before forwarding me that email.  You will come off like an idiot when I read that and not only will I forward it to all of my friends to show them how big of an idiot you are, I will most likely reply to you to tell you how much of an idiot you are.  If you think that it is a reasonable request for someone to have 10 years experience with Server 2003, quit your job and kill yourself so you do not contaminate the gene pool any further.

Let me give you an example of an unsolicited email that I would like to see.  In this example, you have already looked at my resume and have a position that I may be a fit for.

Greg,

My name is Cheesy McHeadhunter with TekNetSolutions Consulting Technology Management.  I came across your resume on I-Need-A-Job-So-I-Can-Buy-Beer.com and have a position that you may be a fit for.  While the requirements for the job state that a CCNP is required, I believe that the client is/would be willing to accept a CCNA and someone with your experience, so please don’t let that deter you from getting back with me.  I believe that your resume fits what the client really needs and I’m ready to talk with you about this position.  You can reach me at 212-382-5968 or my email.  I hope to hear from you soon!

-Cheesy

(signature with contact info)

(job info)

How hard is that?  You don’t look like an idiot, you haven’t offended me by treating me like just another set of alphanumeric characters in your “to” line, and it’s personable and informative.  Wow.  You just got my attention!  It’s SO EASY!  You have just become the guy I want working for me.  I now feel comfortable with you bidding me to prospective clients and I will almost certainly pass your information along to my friends that are in the market for technical positions.  You will now have a whole contact list full of qualified and talented individuals that you can easily place, you’ll make better money, and you won’t become the laughing stock of the talent pool.

I didn’t write this letter to offend you.  I wrote this to help you.  I hope you take this to heart and do what you can in the future to at least TRY to change the perception that we, the talent pool, have of recruiters.  To be honest, we hate dealing with you, but we know it’s just a fact of life that we have to.  We know you hate dealing with us too.  You think of us as pretentious geeks, and that’s OK.  We are.  Let’s just try to make the best of it and make it as painless as possible for the both of us.

Sincerely,

Greg Ledet

Networking Greg on 12 Mar 2009

PAM (Phone as Modem) using Samsung Instinct

Wow… 2 posts in 1 day.  This is almost unheard of for me!  This past weekend I picked up a Samsung Instinct.  It’s a really cool phone with all kinds of cool little gadgets, but if you just go plugging  it in, it won’t work as a modem.  I’ve figured out a little way around that.

First, you’ll notice that when you plug your phone in using the USB cable, it turns off the phone completely and accesses the SD card in the phone.  A simple way around this is to just remove the card.  Easy, right?  Now you’re going to need to change a setting in the phone.  You’re going to type ##DEBUGMENU# on your keypad (##332846368# for those of you that can’t spell).  You’ll need your MSL next.  You can normally get this by asking the person at your local Sprint store very nicely.  It’ll be a 6 digit number that you’ll type in and it’ll bring you to a menu.  Go to “Toggle NAI” and Toggle modem off.  Yes, I said turn it off.  Trust me, this is the only way it’s going to work.  Once you’ve got all of that done, create a new Dial-up Networking Connection using your Samsung modem.  Leave the Username and Password blank and use #777 as your dialup number.  That’s it!  Pretty simple, eh?

I’m still working out some bugs with this.  The connection doesn’t stay up very long, but it will auto-redial, so it doesn’t go down for long.  I’m getting about 1.5 Megabit down and 256k up, so it’s not blindingly fast, but it works.  Hell, as I write this, I’m sitting at the bar drinking a beer.  And yes, I’m using my new Samsung Instinct as a modem to do it.

BEWARE!  According to Sprint, even though you have an unlimited data plan, you still have to pay for a PAM plan.  I’m not doing this currently as I’m only testing out the functionality.  I suggest that if you want to use your Instinct as a modem, you buy a plan with Sprint.

Networking Greg on 12 Mar 2009

Sometimes raising a little hell pays off

Yesterday I wrote in this blog about how the economy is killing our salaries.  If any of you are in the job market looking for work now, you know what I’m talking about.  Evidently there’s a few of you out there that are taking that post to heart, as it’s been re-posted on a few other websites dedicated to Cisco and network engineering.  Well, I have some good news.

After talking with the recruiter yesterday, the account manager met with the customer and brought my resume with him.  After looking over my resume and looking at my experience, they decided to bid me at $*EDIT*/hour, which was in the area we originally discussed.  I can only assume that my tirade to the recruiter about making less than the guy that puts the tail-lights on your Mustang worked.  And it’s true.  According to the link I put in the post yesterday, a line worker for Ford is currently making $60 per hour including benefits.  That comes out to right at $125,000 per year with benefits.  I remember working a job in which I was making in the $64k per year range and according to H.R. at that company, my total compensation package was around $88k.  If someone is making $125k, I can only imagine what their take home pay is.  My guess is somewhere in the $85k to $90k per year range.

Again, we need to stand together on this.  I’m not proposing a union type of thing, but what I am proposing is that we stand our ground and make sure that we are getting paid what we are worth.  The average cost to get a CCNA is a little over $3000.  Same for a CCDA.  To get a CCIE, you’re looking at well over $25,000 after you pay for the parts to build a lab at home, the books you’re going to need, and flunking the lab portion of the test 3 or 4 times at $1250 per, plus the cost to fly to the lab location, pay for your hotel, etc.

As network engineers, we are the keepers of the network infrastructure.  We are the ones that keep our networks running and business flowing.  The stress level of our profession is extreme and we need to constantly keep up with new technologies, new hardware and software (moving to an ASA from a PIX and the IOS that comes with it), and whenever something screws up, we’re normally the first to be blamed.  That’s why I used to wear a t-shirt to work that said “It’s not the network” (which you can buy on the t-shirt link at the top of the page).  Not to mention, we’re usually the first line of security on our networks, and that in and of itself carries a huge responsibility.

We need to be paid for all of the crap we have to eat on a daily basis.  We need to be paid for all of the training that we had to go through to get to our current position.  And we sure as hell need to make recruiters realize that, damnit, I’ve busted my ass for years to reach a senior position and I’m not going to start back at the bottom.  We need to stand up, take a play out of Howard Beale’s playbook, and say “I’m mad as hell and I’m not going to take this anymore!”

(Edit) I’ve decided to edit out what I was bid at on the off chance that I get the job and one of my coworkers looks me up.

Networking Greg on 11 Mar 2009

The economy is taking its toll on Network Engineers

I have been in Ohio now since September 18, 2008.  I worked for a total of 3 weeks since being here.  I’ve been looking for a job and sending out resumes nearly every day since then.  I’ve had a few interviews, but nothing has really panned out.  On Friday, I went in for an interview with a recruiter who had a few positions with a large enterprise client.  This is surely someone you’ve heard of and it seems like a company that I would want to go to work for.  During the interview, we spoke about what kind of hourly rate I would require to go to work.  The number we discussed was $35 an hour.  This is a little less than what I was making at my last job, but I’m willing to take a bit of a pay cut to get back to work.  I normally charge $115 an hour for consulting, and I thought that $35 would be reasonable.

I received a phone call this morning from that same recruiter.  He was getting ready to have lunch with the client today and wanted to discuss with me my asking rate.  He told me that he wanted to be competitive and asked if I’d be willing to come down on that rate a little.  I tried to explain to him that I would be willing to come down slightly, but at the same time, I have a resume and a salary history to think about.  Not only that, but I don’t feel that I should have to lowball my salary, especially with my experience, to get a 3 month contract.  That’s when he hit me with a bit of a bomb.  He told me that he has spoken with other network engineers that would be willing to do the job for $25 per hour.

What the hell is wrong with people?  This is a SENIOR position, not entry level.  Why would someone be willing to belittle themselves and the industry by offering to do a job for so little?  I had to explain to him that I was applying for a senior level position and not an entry level job.  I’m not some kid fresh out of school with a brand new CCNA and no experience.  Then he hit me with a real bombshell.  An entry level engineer with a college degree and a CCNA only makes $15 per hour.  That’s $31,200 per year!  I can’t even pay my bills with $15 per hour and wouldn’t be living comfortably at all with $25 per hour.

I know the economy is in the crapper folks, but as a group we need to stick together and tell these companies that our job demands a serious salary.  If you go into an interview and tell someone that you’re willing to work for 2/3 what everyone else makes, you need to reevaluate your position.  Companies need network engineers.  That need will not be going away anytime soon.  If you are a senior level engineer, you need to stand up and tell them “I’ve worked very long to reach a level of salary that I feel I deserve and I’m not going to fall back to the kind of money that a highschool kid makes!”

I don’t know about all of you, but I’ve busted my ass with hours of study, thousands of dollars in books, labs, tests, etc., and I’ve dealt with more stress than I can imagine.  Yet, a UAW worker for Ford makes $55 per hour, including benefits.  I promise you that a line worker for an auto company hasn’t had to go through all the bullshit that I have to get certifications and make sure that he keeps up with the absolute latest in technology.  An UNskilled laborer demands more money than a network engineer.  WTF is wrong with that picture?

I told the recruiter to use his best judgement in shopping me to the client.  I feel that my resume and experience speaks for itself.  I also told him, and I was very blunt in this, that he better not screw me.  If he thinks I’m going to be offended by his offer, don’t bother calling me.  The last recruiter I dealt with here did that and it really pissed me off.  I told him I wanted $80k per year, he came back with $50k per year.  I got it up to $65k, took the job, then got laid off 3 weeks later because they didn’t have enough work.  I’m not going to let that crap happen again.

Fellow engineers, don’t take this crap from recruiters.  I know times are hard and bills have to be paid, but if you hold out just a little longer, the companies are going to come full circle.  They will realize that you need to be paid for what you do and what you know.  Don’t lowball yourself!  It’s not very becoming of you as a person and it will only hurt everyone else in the field that’s out there looking for work.

Networking Greg on 06 Mar 2009

Time change this weekend!

I know it’s been a while since I’ve posted here, so I thought I’d throw something up. As you probably know, the time changed this weekend. We “spring” forward an hour. I made a post back in November about how to set your Cisco devices up to work properly with a time change, so you should check it out. You can find it here: http://www.gregledet.net/?p=211

Hope this helps!

Networking Greg on 12 Dec 2008

Implementing Login Security Enhancements

I wanted to go through a few commands today to help you lock down your Cisco devices a little tighter.  I’m just going to go through them one at a time and discuss them as we go.

Router (config)# login block-for <seconds> attempts <attempts> within <seconds>

What this is used for is to block people from running a brute-force or dictionary attack on your password.  Normally, the IOS will allow you an unlimited number of attempts to get in, but with this command you can block all logins for a specified number of seconds.  Let’s say that you replace the options with (in order) 180, 5, 30.  That means that if someone fails to log in 5 times within 30 seconds, the router will block all logins for 180 seconds.  Keep in mind that if an intruder figures out that you’re running this, he can perform a kind of DoS attack on you because he’ll just keep trying, and without plugging in the next command, not even you will be able to log in to your own device!

Router (config)# login quiet-mode access-class <acl>

Quiet-mode is what the router goes into when it’s blocking logins from the previous command.  If you put together an access-list, say “access-list 10 permit 192.168.1.0 0.0.0.255” (a standard ACL needs the wildcard mask; without it only the single address 192.168.1.0 would match), then only IP addresses from that access-list will be allowed to login while the router is in quiet-mode.  Think of it as your back door in when someone is screwing with you.

Router (config)# login on-failure log every <number>

This will log a syslog message every <number> failed login attempts.  Set this to every 2 or 3 failures, because even though you’re the administrator of the box, you’re going to fat-finger a password or just mistype it every now and again.  If you have good security, you might want to log every successful login, and you do that with…

Router (config)# login on-success log every 1

This will create a syslog message every time someone successfully logs in.

Router (config)# security passwords min-length <length>

I think this is pretty self explanatory.  It’s always a good practice to require a minimum length password on your devices.

Router (config-line)# exec-timeout <min> <sec>

You’ll notice that this command is issued under a VTY or Console line, and you’ve probably seen it before.  The default for this command is 5 minutes, and I can’t stand getting kicked out of a router after only 5 minutes.  I may be looking something up in Google or something and next thing you know, I’ve got to log back in.  I normally set this to 15 minutes. You can also do a “no exec-timeout” and that will disable it completely, but you should only do this in a lab environment.

Router (config)# service password-encryption

This will encrypt every clear text password that you have on your router.  So if you have a console password or something like that, it’ll be encrypted.
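The commands above assembled into one hardened configuration, in the order IOS expects them (this is an added example, not config from the original post; the 192.168.1.0/24 management subnet and the numeric values are assumptions):

```cisco
! 1. Build the back-door ACL before anything can trigger quiet-mode.
!    A standard ACL needs a wildcard mask; without it only the single
!    address 192.168.1.0 would be permitted.
access-list 10 permit 192.168.1.0 0.0.0.255
!
! 2. IOS requires "login block-for" before the other login commands are
!    accepted, so enter it first and follow it IMMEDIATELY with the
!    quiet-mode exemption, so the back door exists before any lockout.
login block-for 180 attempts 5 within 30
login quiet-mode access-class 10
!
! 3. Syslog: every 3rd failure, and every successful login.
login on-failure log every 3
login on-success log every 1
!
! 4. Password hygiene. Note the plural "passwords" in this command.
security passwords min-length 10
!
! 5. Idle timeout on the management lines (15 minutes, 0 seconds).
line console 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 15 0
!
! 6. Hide clear-text passwords in the running config. This applies
!    Type 7 obfuscation, which is trivially reversible: it stops
!    shoulder-surfing, not anyone who can read a saved config file.
!    Keep the enable password as an "enable secret" (hashed) instead.
service password-encryption
```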

Hope these help you button things down!

-Greg

Networking Greg on 04 Dec 2008

Buy a T-Shirt!

Hey guys, I’m throwing together some T-Shirt designs and I’ve decided to let my readers have first crack at them. If you notice at the top of this page, I’ve put up a new page on the site. Check out my T-Shirts! They make a great Christmas present for yourself or a fellow network engineer! I’ll be adding shirts regularly, so keep checking until you find something that you like!

-Greg

Networking Greg on 27 Nov 2008

DD-WRT? In my WRT54G2? It’s more likely than you think!

Happy Thanksgiving kiddies!  I’ve decided to put together a little how-to for the home users that may be throwing around the idea of upgrading the firmware on their WRT54G2 to DD-WRT.  “But the WRT54G2 isn’t supported by DD-WRT yet Greg!”.  Well, that’s not exactly true.  Follow these simple instructions and you’ll have it done in less than 10 minutes.

You’ll need the following files:

Linksys TFTP utility
VxWorks Prep
VxWorks Killer
DD-WRT Firmware

I’ve put them all here for your convenience.

Get and install Linksys tftp.exe, set your PC to static IP, 192.168.1.10.

1. Reset the router to defaults on the Linksys Admin page, and let it reboot or manually reboot it after its finished.

2. Set your computer to a static IP of 192.168.1.10/24 and plug Ethernet cable into one of the LAN ports on the router.

3. Close all your browser windows. Start the tftp utility, set server to 192.168.1.1.  Password is “admin” and browse to the VxWorksPrep-G2V1.bin file. Click Upgrade. Wait a minute for it to reboot on its own, if it doesn’t, then power cycle the router manually.

4.  In the tftp utility, browse to the VxWorksKiller-G2V1.bin file and click Upgrade. Wait 2 minutes for it to reboot on its own, if it doesn’t, then power cycle the router manually.

5. Tftp the DD-WRT firmware to the router, use “dd-wrt.v24-10709_NEWD_micro.bin”; after successful tftp, wait 3 min for the router to finish writing new nvram defaults, etc… It should reboot on its own at least two times, so give it the 3 min and then open a browser to http://192.168.1.1 (If it does not reboot on its own, wait another 1 min, and then power cycle it).

6. When it finishes booting up…do a hard reset on the unit…let it boot again, and configure.

That’s it! Now you have a lot more control over your WRT54G2 v1!

Networking Greg on 25 Nov 2008

A reader question about TACACS+

Joe the Network Admin (not the plumber) asks about The Quick and Dirty, Cut and Paste TACACS+ install:

I am in the process of setting up TACACS+ across our network. Could you please explain the “default group” part of the TACACS commands. I set up a group in ACS called network admins which is mapped to an active directory group. I want to permit only the users in this group to be able to login to our network infrastructure. Would I replace the “default group” part of the command with my network admin group name. Any tips you could give, would be great. Thanks…..Great website!!!

Well Joe, let’s see if we can’t get you an answer.  Configuring AAA on Cisco devices is always a pain in my ass, and I feel your pain in setting it up across your network, but it will be for the best.

You are a little mistaken in the command structure for AAA, so I’ll try to break it down.  After you have enabled AAA globally, you need to define the authentication method lists and apply them.  There are 5 authentication methods: local, group TACACS+, group RADIUS, line, or enable authentication.  So the “login default group tacacs+ local” actually breaks down to “login, default, group tacacs+, local”. Let me break down the command “aaa authentication login default group tacacs+ local”.

aaa authentication login
default: Used to create a default that is automatically applied to all lines and interfaces to specify the method or sequence of methods used for authentication.

group group-name: Used to specify the use of a AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string is used to specify a predefined group of RADIUS or TACACS+ servers for authentication.

local: The local username and password database is used.

To put that simply, you’re telling the device that the default way to login is to use TACACS+ first, and if the TACACS+ server isn’t available, to use the local database.  This goes the same for all of the other commands.  There is no “default group”, but rather you’re telling the device that the “default” action is to use “group tacacs+”.

I hope that clears it up for you!

Oh, and I almost forgot.  If you only want to allow your admins access to your devices, you do that through the Cisco Secure ACS administration tool (the web admin page), not on the devices themselves.

One last tidbit… TACACS+ uses TCP port 49.
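A complete AAA login configuration putting that method list to work, with a named TACACS+ server group and local fallback (an added example, not config from the original post; the server address, shared secret and usernames are assumptions). Note that the group-name here names a group of servers on the device, never the ACS user group Joe asked about; the AD-group restriction lives in ACS.

```cisco
aaa new-model
!
! Define the TACACS+ server. TCP 49 is the default port, shown for clarity.
tacacs-server host 10.0.0.10 port 49 key EXAMPLE-SHARED-SECRET
!
! A named server group, so the method list can reference "group ADMIN-TACACS"
! instead of the implicit "group tacacs+". This is a group of SERVERS, not a
! group of users; ACS decides which AD group members are allowed in.
aaa group server tacacs+ ADMIN-TACACS
 server 10.0.0.10
!
! Method list "default" applies to every line. Methods are tried in order:
! TACACS+ first, and "local" ONLY if no server in the group responds. A server
! that answers "reject" is final and does not fall through to local.
aaa authentication login default group ADMIN-TACACS local
!
! Local fallback account, for when every TACACS+ server is unreachable.
! "secret" stores a hash rather than a Type 7 obfuscated password.
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! Exec authorization: ACS decides who gets a shell and at what privilege;
! if-authenticated lets the local fallback user through when ACS is down.
aaa authorization exec default group ADMIN-TACACS if-authenticated
!
! Apply to the management lines. With aaa new-model the default list is
! used automatically; naming it here just makes the intent explicit.
line vty 0 4
 login authentication default
 transport input ssh
```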

And don’t forget, if you have any questions that you want answered, don’t hesitate to shoot an email to Greg@GregLedet.net or leave a comment on the post you have questions about!  This goes for everyone!

Facts in this post were double checked in “Chapter 4 – Configuring AAA” of the CCNA Security Official Exam Certification Guide:
