Change is coming to the world of unmanned aeronautics. On Oct. 19, Secretary of Transportation Anthony Foxx announced the formation of a taskforce to come up with a plan to create a national registry for Unmanned Aircraft Systems, also known as drones. Today, FAA Administrator Michael Huerta announced the members of that taskforce. It’s made up of over two dozen people from all corners of the drone world: manufacturers, retailers, airline pilots, law enforcement, lobbyists, and even a member of the Academy of Model Aeronautics.
The taskforce has until Nov. 20 to determine the parameters for drone registration. According to the FAA and DOT, drone registration is needed due to the ever-increasing number of drone sightings by airline pilots, the grounding of helicopters fighting wildfires in California, and drone crashes at sporting events. They feel that by making private individuals register their drones, they will be able to trace a drone back to its owner. Of course, this will only work if the drone crashes and if the owner put the registration information on the drone.
This holiday season retailers are expecting to sell an estimated 1 million new drones. That means 1 million new drone pilots. Prior to the advent of quadcopters with flight controllers that stabilized them in flight, remote-controlled aircraft were an expensive hobby that took a lot of skill to get into. Maintaining the throttle, collective, tail rotor, and cyclic of an RC helicopter took years of practice and thousands of dollars in spare parts from crashing on a regular basis. As far as RC airplanes go, you need a field to use as a runway to take off and land. With quadcopters, they basically fly themselves. Some even allow you to enter GPS coordinates, create a flight plan, and the drone will take off, fly the route, then land itself, all without any input from the operator.
The simplicity of drones and the low cost of entry means that RC aircraft have gone from an expensive hobby to a cheap toy that anyone can buy and fly. Yes, there are a few bad apples out there that make the rest of the drone flying community look bad, but that’s the case in anything. The official national body for model aviation in the US, the AMA, is urging its members to head over to the Federal Register notice on UAS registration and tell the FAA to exempt “sUAS that lack the capability to fly beyond line of site by using either first-person view, or those sUAS that lack onboard navigational systems that allow the aircraft to fly missions beyond visual line of site”, which would remove traditional RC planes and helicopters from the requirements. They cite their “impeccable 80-year track record of operating safely” as the reason they should be exempt. This is akin to the government requiring all cars capable of 200+ mph to be registered and the Ferrari Club of America saying that Ferraris and Maseratis should be exempt because Ferrari drivers are safer than those dirty Lamborghini plebs.
If the federal government wants us to register our toys because they have the ability to do stupid stuff, what’s to stop them from wanting to know the name of every owner of a fast car? The best part of this whole situation is that the FAA doesn’t require the pilots of ultralights, which are much larger and more dangerous than drones, to register their aircraft or even be licensed to fly them. It’s pretty obvious that the government is scared of a new technology that they don’t know how to control, and due to a few high profile incidents involving drones, they are knee-jerking their way into something that’s going to be a nightmare to implement and manage and gives drone owners no incentive to participate.
Regardless of how you feel about drone registration, head over to regulations.gov and read up on what they are saying and the 10 questions they are asking. You can leave a public comment with your feelings on the matter, and all comments are read.
Just had an interesting problem with a customer that seems a bit obscure, so I figured I would write it down to help someone else. All of the other solutions to this issue focus solely on there being a problem on the Windows side, which may not necessarily be the case.
Situation: customer is setting up a Windows 2008 R2 server in a VMware cluster, on a VLAN that is sitting behind a firewall. The firewall is the gateway for the VLAN (say 192.168.34.1). When configuring the network interface on the server, picking ANY IP address in the 192.168.34.0/24 network results in the error message “Windows has detected an IP address conflict”. This happens even if there are no other devices on the VLAN aside from the firewall.
The issue? There was a static (identity) NAT entry in the Cisco ASA firewall for 192.168.34.0/24. By default, Cisco firewalls will proxy ARP for NAT entries.
- (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
- (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.
This is desirable behavior for a firewall on the edge of the network because the upstream router needs to know where to send traffic for NAT’ed hosts. For internal firewalls this can cause issues, especially with 8.4 code where you need to set up identity NAT to exempt devices from NAT.
The solution? Add “no-proxy-arp” to the end of your identity NAT statements:
nat (inside,outside) source static obj_Internal obj_Internal no-proxy-arp route-lookup
The other (less desirable) solution is to disable the ARP-checking functionality in Windows, but this means it won’t be able to detect a legitimate IP conflict. You can do this through a quick registry hack: under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a DWORD named “ArpRetryCount” with a value of “0”.
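To confirm this diagnosis before touching the firewall or the registry, it helps to look at who is actually answering the ARP probes. The script below is an added example (not from the original post): it parses a simplified, constructed rendering of `tcpdump -e arp` output (made-up MACs and IPs) and reports any MAC that claims more than one address, which is what a proxy-ARPing gateway looks like from the Windows host’s point of view.

```python
"""Spot a proxy-ARP responder from the ARP replies seen on a segment.

Added example, not from the original post. SAMPLE_CAPTURE is a
constructed, simplified imitation of `tcpdump -e arp` lines; the MACs
and IPs are made up. Windows' duplicate-address check probes the
candidate IP, and if a single MAC (the firewall) answers for every
address probed, that MAC is proxy-ARPing the whole subnet.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample: three different addresses probed, one MAC answers all.
SAMPLE_CAPTURE = """\
12:00:00.10 ARP, Request who-has 192.168.34.50 tell 0.0.0.0, length 28
12:00:00.11 ARP, Reply 192.168.34.50 is-at 00:1a:2b:3c:4d:5e, length 28
12:00:01.10 ARP, Request who-has 192.168.34.51 tell 0.0.0.0, length 28
12:00:01.11 ARP, Reply 192.168.34.51 is-at 00:1a:2b:3c:4d:5e, length 28
12:00:02.10 ARP, Request who-has 192.168.34.1 tell 0.0.0.0, length 28
12:00:02.11 ARP, Reply 192.168.34.1 is-at 00:1a:2b:3c:4d:5e, length 28
12:00:03.10 ARP, Reply 192.168.34.200 is-at 00:aa:bb:cc:dd:ee, length 28
"""


def parse_arp_replies(text):
    """Return {mac: set of IPs} for every ARP reply in the capture text."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group("mac").lower()].add(m.group("ip"))
    return dict(claims)


def proxy_arp_suspects(claims, min_ips=2):
    """MACs that answered for at least min_ips distinct addresses.

    A normal host answers only for its own IP, so anything answering for
    two or more probed addresses on one segment is worth a look.
    """
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    suspects = proxy_arp_suspects(parse_arp_replies(SAMPLE_CAPTURE))
    for mac, ips in suspects.items():
        print(f"{mac} answered for {len(ips)} addresses: {', '.join(ips)}")
```

If the only MAC flagged is the gateway’s, the conflict is coming from the firewall’s proxy ARP, not from another host on the VLAN.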
Yes, it’s been a while since my last update, so I’m going to make this one short and sweet. Lately I started messing around with Plex Media Center/Server and sharing my server with a couple of my friends. While I do have a good bit of bandwidth here at the house, my friends sure know how to suck that bandwidth dry. So, it’s time to implement some traffic shaping here at the house.
In order to implement the traffic shaping, I first need to know what the traffic looks like, so I’m going to set up an analyzer. I have a specific media server that is separate from my lab rack. It’s plugged into a little Cisco gigabit switch that has an LACP LAG bundle going back to my core EX3200-48T. Setting up an analyzer is very simple…in fact, it’s only 3 commands.
set ethernet-switching-options analyzer plex-monitor input ingress interface ae0.0
set ethernet-switching-options analyzer plex-monitor input egress interface ae0.0
set ethernet-switching-options analyzer plex-monitor output interface ge-0/0/45.0
That’s it. Now, let me explain what I did there.
To configure an analyzer called “plex-monitor” and specify the input (source) interfaces and the output interface, I need to configure the interface connected to my media server as input interfaces for the port-mirror analyzer. I want to see both ingress and egress traffic, so I tell it to do both.
user@switch# set analyzer plex-monitor input ingress interface ae0.0
user@switch# set analyzer plex-monitor input egress interface ae0.0
Now, I configure the output analyzer interface for the analyzer. This will be the destination interface for the mirrored packets:
[edit ethernet-switching-options]
user@switch# set analyzer plex-monitor output interface ge-0/0/45.0
That’s it. Now, all the traffic going to that lag bundle (the server is the only thing plugged into that switch) will be mirrored to port ge-0/0/45. I can plug my Wireshark box into that port, get a good capture of the traffic, and set my traffic shaping accordingly. Can you guess what my next post is going to be about?
I recently signed up for the Square service to accept credit cards on my iPhone. They have two different ways of charging fees: 2.75% per transaction when you swipe the card using their reader, or 3.5% + $0.15 per transaction if you enter the card number manually. Since I’ve already written mobile fee calculators for both PayPal and Etsy, I decided to use the same code and make one for Square. All three are designed to fit perfectly on an iPhone screen and since they are very lightweight, they run pretty quickly. If you use any of these services, these calculators will come in very handy!
PayPal Fee Calculator
Etsy Fee Calculator
Square Fee Calculator
Recently I’ve run into two clients that were having issues with the Cisco 2960G and 2960S switches. Both clients are using PoE versions of the switch for VoIP applications. They were noticing jitter, packet loss and poor call quality, even though QoS is configured on the switch. After a lot of troubleshooting on the voice side of the house, they came to me to see if I could find anything going on. In digging around in the first customer’s network, I noticed that the CLI was pretty slow and did a quick “show processes cpu” and saw that the CPU utilization was around 80%. By sorting the processes, I saw that the Hulc LED process was taking up about 15%. A quick search of the Cisco Bug Toolkit brought up Bug ID CSCtg86211 (you need a CCO account to view), even though that’s not 100% correct. It’s the only one that explained what’s going on.
I had the client open a TAC case and TAC wanted to fight with the client, telling them that the high CPU shouldn’t have any effect on the switch performance (really!). I suggested that the client upgrade the switches to the latest version of IOS and once that was done, all the voice quality issues disappeared. Total CPU utilization dropped to below 20%, calls cleared up, everything was beautiful.
Last week, I got an email from one of our project managers asking if I could look into an issue that another client was having. If I hadn’t known that this was a different client, I would have thought that she had cut and pasted the exact problems that the first client was having. When I found out that they were using 2960’s, I immediately thought of this and sent the client a copy of the bug report and told him to open a TAC case. This is the email I received from him:
I tested the CPU Utilization on all of our Cisco 2960Ss and they ranged between 68-99%. I have a test switch on the bench with nothing connected and it was running at 75%. I updated it with the new code and it dropped to the 20-35% range. I am going to update some additional switches before I call Cisco. The first question they will probably ask is are you running the latest code.
He’s right… Cisco will be wanting to know that. I know that once the new IOS is on the switch, it’ll solve his problems. I just wanted to put this out there so you guys don’t have to do all the searching that I did when/if you run across the same issues on your end.
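If you have a stack of 2960s to check, eyeballing “show processes cpu sorted” on each one gets old fast. The parser below is an added example (not from the post or from Cisco): it reads the header line and the per-process table, reports total and interrupt-level utilization, and flags any process above a threshold. The sample output is constructed to resemble the IOS format and is not a real switch’s output.

```python
"""Parse `show processes cpu sorted` and flag a hot total or hot process.

Added example, not from the original post. SAMPLE_OUTPUT is constructed
to imitate the IOS layout (header line, column header, process rows);
the numbers are made up and do not come from a real 2960.
"""
import re

HEADER = re.compile(
    r"CPU utilization for five seconds: (?P<five>\d+)%/(?P<intr>\d+)%; "
    r"one minute: (?P<one>\d+)%; five minutes: (?P<fivemin>\d+)%"
)
# PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process (name may contain spaces)
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+\d+\s+\d+\s+\d+\s+(?P<s5>[\d.]+)%\s+(?P<m1>[\d.]+)%\s+"
    r"(?P<m5>[\d.]+)%\s+\d+\s+(?P<name>.+?)\s*$"
)

SAMPLE_OUTPUT = """\
CPU utilization for five seconds: 80%/12%; one minute: 79%; five minutes: 78%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  97   1233712    345612       3570 15.23% 14.98% 14.90%   0 Hulc LED Process
 143    456789    123456       3700  9.10%  8.80%  8.75%   0 Spanning Tree
  12     98765     54321       1818  2.05%  2.00%  1.99%   0 ARP Input
   4        12       345         34  0.00%  0.00%  0.00%   0 Check heaps
"""


def parse_show_proc_cpu(text):
    """Return (totals, processes); totals holds the header percentages."""
    totals, procs = {}, []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            totals = {k: int(v) for k, v in h.groupdict().items()}
            continue
        r = ROW.match(line)
        if r:
            procs.append({"pid": int(r.group("pid")), "name": r.group("name"),
                          "5sec": float(r.group("s5")), "1min": float(r.group("m1")),
                          "5min": float(r.group("m5"))})
    if not totals:
        raise ValueError("no 'CPU utilization' header found")
    return totals, procs


def hot_processes(procs, threshold=10.0):
    """Names of processes at or above threshold percent over five seconds."""
    return [p["name"] for p in sorted(procs, key=lambda p: -p["5sec"]) if p["5sec"] >= threshold]


def cpu_verdict(text, total_threshold=50, proc_threshold=10.0):
    """Summarise one switch: total load, process-level load, and the offenders."""
    totals, procs = parse_show_proc_cpu(text)
    process_level = totals["five"] - totals["intr"]   # total minus interrupt share
    return {"total": totals["five"], "process_level": process_level,
            "high": totals["five"] >= total_threshold,
            "offenders": hot_processes(procs, proc_threshold)}


if __name__ == "__main__":
    print(cpu_verdict(SAMPLE_OUTPUT))
```

A high total with most of it at process level (rather than interrupt level) and one named process on top is the pattern described in this post; a high interrupt share points at forwarding load instead.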
I recently got a wild hair up my ass to add a RAID to my desktop. My desktop is a Gateway FX6840-23 and it came with a 1TB drive. I bought an identical drive and thought that I’d put them in RAID 0 for the increased performance, seeing as my Experience Index was only 5.9 due to a slow HDD (all other indexes were in the mid-7’s, and the drive is a 7200 RPM unit).
Digging around the BIOS I saw that the SATA controller was using AHCI mode. I cloned my current drive to another 1TB drive I had (yeah, I have three 1TB drives, a 500GB, and a 1.5TB), rebooted into the BIOS and changed it to RAID. After a reboot, I hit ctrl-I and entered the RAID utility. I built the RAID and rebooted. Well, to put it nicely, I got a BSOD. I tried various things for the next 3 hours, including using Windows 7’s extended partition utility, doing a complete restore to factory on the extended partition, and everything. After I did the restore, I saw that the HDD performance hadn’t changed.
Well, I haven’t messed with RAID before on a desktop, so this was a learning experience. After some Google searches, I put the computer back in AHCI mode and booted to the clone. This worked just fine. I went to Gateway’s website and downloaded the RAID drivers.
I noticed that the driver was named iaStorV.sys, so I did a search for it and found it already installed in the Windows\System32\Drivers folder. I did a registry search for it and found it in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStorV. This made me happy!
Some more Googling later and I figured out that if I changed the REG_DWORD from 3 to 0 that it would enable things to work. I rebooted the computer, went back into the BIOS and changed the SATA controller to use RAID, pointed it to boot from the clone, and it booted right up! No BSOD, no hiccups, no nothing!
This should work going from IDE mode as well. I tried to clone the clone to the RAID, but Acronis didn’t like that too much, so I’m doing a full backup of the clone (I needed to do it anyway) and I’m going to try to restore it with the Acronis Rescue media. It’s already midnight, and this is one of those things that I’m not going to be able to put down until I’m done with it. Oh well, I guess it’s time to get back to work! Good luck getting your stuff working!
In my last post I taught you how to forward a port on the ASA 5505 running version 8.3 from the CLI. Some of you prefer to use the ASDM to do your changes, so I guess I’ll show you how to do it from there. The ASDM has a bit of a learning curve for someone that’s used to the CLI, and most CLI guys hate a GUI with a great passion. I can go either way. I use the ASDM to make some changes simply because I want to learn it and there’s some guys coming into the field today that were taught on the GUI rather than a command line.
In this lesson I’m using ASDM version 6.3(1) and ASA version 8.3(1). Since we added a web server in the last post, let’s make this one an FTP server. The FTP server’s IP is the same as the web server, 10.9.8.7/24 and we’re running over the standard FTP port, 21.
First off, we want to start up the ASDM and connect to the ASA. Once there, click on the button at the top of the screen, then the button near the bottom left, and finally select near the top left. You’ll now be at a screen that looks something like this:
Now we need to create a new object, so click on “Add” under Addresses, then “Network Object”.
Now we need to fill out our new window. Once you fill out the name, IP address and description, you need to drop down the NAT box and fill it out. Click the “Add Automatic Address Translation Rules” box, leave the type as “static” and set the translated address as the outside interface.
We now need to go to the Advanced menu from the Add Network Object window and setup the port forwarding. The source will be inside, destination is outside. Protocol in this instance is TCP and our port is 21, both real and mapped.
Click “OK” twice and your object will be created as well as the port forward. Now we just need to add the access rule. On the left side of the screen, just above the NAT Rules is your Access Rules. From there we want to click “Add” and “Access Rule”.
We need to create the rule on the outside interface, coming from any IP to the FTPServer using FTP as the service.
Once you click OK, your rule is added. You don’t have to add a description like I did in the image above this one, I just did that for the hell of it. When you click “Apply” at the bottom of the screen, the ASDM will issue the commands to the ASA. I have preview turned on, so I can always see what commands are being sent to the device before they are actually sent. If you followed all the steps above and you have preview turned on, you’ll see the following:
And you’ll notice that those are the exact 4 commands that I gave in the last post about doing it from the CLI! Now you can forward any port you want from either the CLI or the ASDM!
On a side note, I know a lot of guys hate the ASDM. When I was writing this post and going through all of this I was kinda upset when I saw that I had 10 pictures for 4 lines of code. The good thing about the ASDM is that you have everything right there at your disposal and you really don’t need to know the vernacular of IOS. The drawback is that it will take you longer to get things done at first, but once you get used to it, it can be just as fast.
So it’s been a month and a half since I posted an update, and it’s 4:15 am right now. I can’t sleep and I found out there’s another networking blog out there using the same WP theme as me, so I figured I better put something up here since it was fresh in my mind. Well, now that the niceties are out of the way, let’s get to work.
I recently added an ASA 5505 to my home network at the edge. Obviously, when I did, all of my port forwards went to hell because the ASA is now blocking everything. I run a web server on one of my servers here and I like to be able to access it because I keep a lot of tech manuals and other stuff on there. Well, I went about trying to set up port forwarding the old way and learned real quick that this pops up when I do:
ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.
Yeah, that sucks. On the new version of the ASA OS, global has gone the way of the dodo. I did a bunch of searches on Google to figure it out and everything I ran across was very hard to decipher. That’s why I’m writing this. You can setup a port forward in 4 quick and easy steps. Just change the things that are underlined to fit your network and you’ll be just fine.
In this example, we want to be able to access a web server behind the firewall. We’ll assume you are using the standard HTTP port, the web server’s internal IP address is 10.9.8.7/24, and that you at least know what you’re doing enough to be configuring an ASA in the first place. I’ll give you the steps, then I’ll explain.
Step 1: Create a new object group for your web server.
asa5505(config)# object network Webserver
Step 2: Add the IP of the web server to the network group.
asa5505(config-network-object)# host 10.9.8.7
Step 3: Forward the port via the NAT command.
asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www
Step 4: Exit back to the root and add the access list.
asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www
That’s it! Now, let’s explain what’s going on here. Cisco has started moving more and more towards use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in. Rather than having to rewrite a whole bunch of ACLs, you just add the IP of the new web server into the object group and everything is done for you. After you create the object group (in this instance a network object, you can also create service objects), you add the IP of the specific object (or objects) that you want to point to. So here our web server is 10.9.8.7. If you want to send port 80 to more than 1 IP on your internal network, just add more IPs to that object group.
Now is the fun part. While we’re in the object group, we need to NAT port 80 only to that specific object group, hence you’re still at “asa5505(config-network-object)#” prompt. Now type “end” to get back to the regular config terminal and we need to open that port in the ACL. Yes, www = 80. You can type either one and you get the same result. If I have to go through and explain NAT, how it works and why I enter in that specific command to forward the port, then there’s a possibility that I’d need to send you an invoice for my time because we would be here for a while.
This works for ANY port forward. If you want to RDP into a machine, simply replace port 80 (all those www’s you see up there) with 3389. There is one caveat. You can only do one port forward per object group. So let’s say that our web server is also an FTP server and you want port 21 to forward as well as port 80. You’re going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.9.8.7), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).
This should get you up and running with your port forwards in no time flat. It is a bit of a pain in the ass to have to create a new object group for every port you want to forward, and maybe there’s someone out there that’s reading this right now thinking “dude, you don’t have to create more than one group! You can just do…”. Well, you need to enlighten the world with this knowledge and post it in the comments section. And if you’re too scared to do so, shoot me an email to greg(at)gregledet(dot)net.
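Since every forward needs its own object, NAT line and ACL entry, it is easy to fat-finger one of the four lines or to hand the same outside port to two objects. The generator below is an added example (not from the post or from Cisco): it emits the same four-line pattern used in steps 1 through 4 for a list of forwards, enforces the one-forward-per-object caveat, and refuses two forwards that would both claim the same outside port on the interface. Object names, hosts and the `outside_access_in` ACL name are the ones from this post; the `Forward` class and function names are my own.

```python
"""Emit ASA 8.3-style object/NAT/ACL lines for a list of port forwards.

Added example, not from the original post. It reproduces the four-line
pattern shown in steps 1-4 (object network, host, nat ... service, and
access-list) and checks the two mistakes the post warns about or invites:
reusing an object for a second port, and mapping one outside port twice.
"""
import ipaddress
from dataclasses import dataclass

# Port keywords used in the post; anything else must be given numerically.
PORT_KEYWORDS = {"www": 80, "ftp": 21}


@dataclass(frozen=True)
class Forward:
    name: str            # network object name, e.g. Webserver
    host: str            # inside IP of the server
    port: str            # "www", "ftp" or a number such as "3389"
    proto: str = "tcp"


def port_number(port):
    """Resolve a keyword or numeric string to an integer port, or raise."""
    if port in PORT_KEYWORDS:
        return PORT_KEYWORDS[port]
    n = int(port)
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {port}")
    return n


def render_forwards(forwards, acl="outside_access_in", inside="inside", outside="outside"):
    """Return config lines; raise ValueError on duplicate objects or mapped ports."""
    seen_names, seen_ports, lines, acl_lines = set(), set(), [], []
    for f in forwards:
        ipaddress.ip_address(f.host)            # raises on a malformed address
        if f.name in seen_names:
            raise ValueError(f"object {f.name} already used; one forward per object")
        key = (f.proto, port_number(f.port))
        if key in seen_ports:
            raise ValueError(f"{f.proto}/{key[1]} already mapped on the {outside} interface")
        seen_names.add(f.name)
        seen_ports.add(key)
        lines += [f"object network {f.name}",
                  f" host {f.host}",
                  f" nat ({inside},{outside}) static interface service {f.proto} {f.port} {f.port}"]
        acl_lines.append(f"access-list {acl} permit {f.proto} any object {f.name} eq {f.port}")
    return lines + acl_lines


if __name__ == "__main__":
    plan = [Forward("Webserver", "10.9.8.7", "www"), Forward("FTPServer", "10.9.8.7", "ftp")]
    print("\n".join(render_forwards(plan)))
```

The duplicate-port check matters because the static PAT here is on the single outside interface address, so a second object claiming tcp/80 would collide with the first.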
I’d also like to thank Stefan Fouant for an excellent class today on JUNOS Switching. I learned a lot in his class and you can learn a lot from his website. Check it out and tell him Greg sent ya!