access-class in on vty needs vrf-also

I was upgrading a Cisco 2811 remotely from 12.4(24)T8 to 15.1(4)M8. The tunnel I was using for management was part of a VRF.

interface Tunnel9
...
vrf forwarding management-vrf
...

After the upgrade I was able to ping the router remotely but wasn’t able to get an SSH connection. From the steppingstone I was using I got:

[peter@steppingstone-server:~]$ ssh 192.168.1.1
ssh: connect to host  192.168.1.1 port 22: Connection refused

Luckily I had the possibility to reach the router via another way. When I was logged in and did some searching I found out that in this newer release you need to append the optional vrf-also keyword at the end of the access-class <acl-number> in command. The keyword allows incoming connections from interfaces that belong to a VRF. See the Cisco site for more information about this command.

So to get the remote management fixed I just needed to configure:

cisco-2811(config)#line vty 0 15
cisco-2811(config-line)#access-class 23 in vrf-also

Your vty configuration should look something like:

line vty 0 4
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 5 7
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 8 15
 access-class 23 in vrf-also
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
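
A way to catch this before an upgrade locks you out, as an added example that is not part of the original post: the script below reads a saved running-config and reports vty blocks whose inbound access-class lacks vrf-also while an interface sits in a VRF. The sample config is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: the post's Tunnel9 plus two vty blocks, one still missing vrf-also.
SAMPLE_CONFIG = """\
interface Tunnel9
 vrf forwarding management-vrf
!
line vty 0 4
 access-class 23 in
 transport input ssh
line vty 5 15
 access-class 23 in vrf-also
 transport input ssh
"""

VRF_RE = re.compile(r"^(?:ip )?vrf forwarding (\S+)$")
ACL_RE = re.compile(r"^access-class (\S+) in(?: (vrf-also))?$")

def parse_sections(config):
    """Group IOS sub-commands (indented lines) under their top-level command."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def audit_vty(config):
    """Return (interfaces placed in a VRF, vty blocks whose inbound ACL lacks vrf-also)."""
    sections = parse_sections(config)
    vrf_ifaces = {}
    for name, body in sections.items():
        for line in body:
            m = VRF_RE.match(line)
            if name.startswith("interface ") and m:
                vrf_ifaces[name.split(None, 1)[1]] = m.group(1)
    findings = []
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        acls = [m for m in map(ACL_RE.match, body) if m]
        # Only a problem when management traffic can arrive over a VRF interface.
        if vrf_ifaces and acls and not any(m.group(2) for m in acls):
            findings.append((name, "access-class %s in lacks vrf-also" % acls[0].group(1)))
    return vrf_ifaces, findings
```
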

Older AirPort Utility version on Mac OS X Mavericks

In my home network I use an AirPort Time Capsule (4th Generation) as my gateway and DHCP server. A while ago I configured a “DHCP Message” via the AirPort Utility. I never noticed this message before on my laptop with Ubuntu. When I got a MacBook, every time I connected via the wireless I got this annoying “DHCP Message” message in a pop-up.

DHCP Message

It was time to remove this message, since it has no use other than to annoy people.

The current version of AirPort Utility for Mac is 6.3.1 and I noticed they stripped some features in this version; including the “DHCP Message”. Also the AirPort app on an iOS device was not able to change or delete this “DHCP Message”. So I was not able to remove the message with these apps.

Installing the older versions 5.4.2 or 5.5.3 for Mac didn’t work on Mavericks. I got the message: “Airport Utility can’t be installed on this disk. The version of Mac OS X on this volume is not supported.”

Version of Mac OS X not supported

There might be other tricks in Mac OS X, but I used Wine. There is no direct DMG package of Wine which you can install, but there is this wonderful tool called Homebrew, or as they call it, “The missing package manager for OS X”. This tool is really great. Just follow the easy guidelines for installation on their homepage http://brew.sh:

$ ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)"

Once brew is installed it’s only one command to install Wine:

$ brew install wine 

Once Wine was installed, I simply downloaded AirPort Utility 5.4.2 for Windows and installed it using Wine:

$ wine AirPortSetup.exe

Follow the installation (next, next, next…) and start APUtil.exe with Wine:

$ wine ~/.wine/drive_c/Program\ Files/AirPort/APUtil.exe

The AirPort Utility is unable to find the AirPort by itself, but you can open it via File > Configure Other. Enter the IP and password and you’re in. And of course the best thing is you have an option to remove the “DHCP Message”:

  • Go to Internet > DHCP
  • remove all the text in the DHCP Message field
  • and click Update (it will restart and the message is gone)

Airport Utility using Wine

It took a while, but now the annoying message isn’t there anymore :)

Another nice option in the older version of Airport Utility is that you can enable SNMP and change the SNMP community.

Start Chrome with IPv6 disabled

I was testing something in Chrome on a Mac and I wanted to be sure IPv6 was not the cause of the issue. In Firefox you have the option to disable IPv6 by browsing to about:config and toggling the preference name network.dns.disableIPv6 to the value true.

Within Chrome I was not able to find such an option. The alternative is to start Chrome with the --disable-ipv6 option. For Mac the complete line to start Chrome via the terminal is:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-ipv6

You can check for example on www.whatismyipv6.com to test this.

Netflix content different on IPv6

I’m using Netflix at home and use my PlayStation 3 for the playback of the content. A few days ago I was looking for a movie to watch. Since the PS3 interface is not the most user-friendly, I used my laptop which is running Windows 8.1 to search for some movies. I found the movie and wanted to start it on my PS3, but I couldn’t find it!!

It took me a while, but it seems that Netflix, according to many forums, uses DNS to show you specific content. Netflix itself is not specific about how they verify your geographic location. You are only allowed to watch movies in your geographic location, but Netflix takes responsibility for checking your geographic location, as you can see in the Netflix Terms of Use point 6c:

“You may view a movie or TV show through the Netflix service only in geographic locations where we offer our service and have licensed such movie or TV show. The content that may be available to watch will vary by geographic location. Netflix will use technologies to verify your geographic location.”

In the Privacy Policy, Netflix explains they are using your IP addresses and your device configuration (so your DNS IP address fits into this description):


We keep track of your interactions with us and collect information related to you and your use of our service, including but not limited to: your online activity, title selections, reviews, ratings, payment history, correspondence, Internet protocol addresses, device and software data (such as type, configuration and unique identifiers), instant watching of movies, TV shows and related activity. We use this information for such purposes as determining your general geographic location, providing localized content, enforcing our terms (such as determining your eligibility for a free trial), providing recommendations on movies & TV shows we think will be enjoyable, personalizing the service and our marketing to better reflect particular interests, tracking your instant-watching hours, determining your Internet service provider, helping us quickly and efficiently respond to inquiries and requests and otherwise analyzing, enhancing, administering or promoting our service offering for you and other users.

So, why couldn’t I watch this movie on my PS3, while I was able to watch it without any problems on my Windows 8 laptop? The answer is very simple:

I configured my home router with an HE.net IPv6 tunnel, since my provider, Ziggo, doesn’t provide IPv6 connectivity. My Windows is using IPv6 (as it should be) and the PS3 unfortunately does not support IPv6 and therefore uses the IPv4 DNS address from my Dutch provider. I also use the IPv6 DNS addresses from Hurricane Electric and therefore Netflix probably thinks my laptop is located in the USA instead of the Netherlands.

The big question now is; “Am I violating the Netflix Terms of Use?”

Passed the CCNP SWITCH exam

Yesterday I passed the Cisco CCNP SWITCH 642-813 exam. I got 45 questions, most of them multiple choice and some Testlet and Simlet questions. I got the following types of questions during my examination:

  • Multiple-Choice, Single Answer
  • Multiple-Choice, Multiple-Answer
  • Drag and Drop
  • Testlet Question
  • Simlet

You can see more detailed descriptions of these question types in the online Cisco Certification Exam Tutorial.

I used the CCNP SWITCH 642-813 Official Certification Guide book as self-study reference. This book is only just over 400 pages and, with some practical experience, is enough to pass the exam.

Now on to the next exams and get CCNP Certified.

New job at CGI

This month I started a new challenge at the company CGI. I really like being a member of this wonderful and successful organization. Currently CGI has around 69000 employees and this is growing in the current economic times.

The first few days I kept myself busy getting familiar with the internal CGI systems. This week I have my first interview to see if I can start working on an assignment. Hopefully I’ll find an assignment soon! If you’re interested in inviting me for an interview, please let me know. I’m really looking forward to getting started again and working on some challenging new network environments.

Let the good times begin!

IPv6 tunnel on Time Capsule

Most Internet Service Providers (ISPs) don’t yet have the ability to deliver native IPv6 to your home router/modem. Most modems the ISP provides don’t have the ability to route IPv6 packets, but only IPv4. If you ask your ISP to configure their provided modem in bridged mode, you can then connect your own device to it and that device will provide the router function in your home network.

If you use a Time Capsule as your home router you can fairly easily set up an IPv6 tunnel if your provider does not support a native IPv6 connection. This tunnel allows you to connect to the IPv6 Internet. Your connection with your ISP will still only be using IPv4. If you connect to a website which is only available via IPv4, nothing will change. If you connect to a website which is available on IPv6, your home router will encapsulate the IPv6 packet into an IPv4 packet and send it to the other end of the tunnel. The packet, which normally only has an IPv6 header, now has an IPv4 header in front of it. Therefore your ISP will handle this traffic exactly the same as the other IPv4 packets.

So how does your router know where it must send the encapsulated IPv6 packet? You tell the router by configuring the tunnel parameters manually. For such a configuration you need a so-called Tunnel Broker. This Tunnel Broker is the other end of the tunnel, where the IPv4 header is removed again so that only the IPv6 packet is left and routed to the final destination.

So before you can start your manual IPv6 tunnel configuration, the only thing you need is a so-called Tunnel Broker. I use the Hurricane Electric Free IPv6 Tunnel Broker.
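
The encapsulation described above, as an added example that is not part of the original post: the home router puts an IPv4 header with protocol number 41 in front of the IPv6 packet, and the Tunnel Broker strips it again. The addresses are constructed from documentation ranges, and the header values (TTL 64, no options, ID 0) and function names are assumptions for illustration.

```python
import ipaddress
import struct

PROTO_IPV6 = 41  # IP protocol number for IPv6 carried inside IPv4 (6in4)

def ipv4_checksum(header):
    """Ones' complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(ipv6_packet, local_v4, broker_v4):
    """Home-router side: prepend a 20-byte IPv4 header to the IPv6 packet."""
    src = ipaddress.IPv4Address(local_v4).packed
    dst = ipaddress.IPv4Address(broker_v4).packed
    total_len = 20 + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                      PROTO_IPV6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet

def decapsulate(packet):
    """Tunnel Broker side: validate and strip the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != PROTO_IPV6:
        raise ValueError("not a 6in4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = packet[ihl:]
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    return inner

def sample_ipv6_packet():
    """Constructed 40-byte IPv6 header: no payload, next header 59, hop limit 64."""
    src = ipaddress.IPv6Address("2001:db8:1::2").packed
    dst = ipaddress.IPv6Address("2001:db8:2::1").packed
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64, src, dst)
```
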

On the website you must provide the Tunnel Broker with your IPv4 address. If you don’t know your IPv4 address, you can check this on www.whatismyip.com. Your details will look like:

Tunnelbroker.net Tunnel details

The black blocks are specific to your connection, and in the green block you have to fill in your home IPv4 address.

Go to the settings of your TC with the Airport Utility and select the tab Internet:

Airport Utility – Internet tab

In the field IPv6 DNS Servers, fill in the Anycasted IPv6 Caching Nameserver address.
From there go to the button Internet Options… which is located at the bottom. Now you can start configuring your IPv6 tunnel.

Airport Utility – Internet options

From the drop-down menus select Manually for Configure IPv6 and choose Tunnel for IPv6 mode.
Now you only need to fill in some addresses which are on the tunnelbroker.net webpage. The fields you need for your Time Capsule configuration are:

  • IPv6 WAN Address: Client IPv6 Address
  • IPv6 Default Route: Server IPv6 Address
  • Remote IPv4 Address: Server IPv4 Address
  • IPv6 Delegate Prefix: Routed /64
  • IPv6 LAN Address: choose an address from the Routed /64 you filled in on the line above, e.g. the prefix ending with ::1

Now your tunnel is set up correctly. Go to test-ipv6.com to test your IPv6.

Error code 0x80070570 while installing Windows 8 64-bit

I was trying to install Windows 8 (64-bit) on a computer and I ran into the error message:
“Windows cannot install required files. The file may be corrupt or missing. Make sure all files required for installation are available, and restart the installation. Error code: 0x80070570”

My first guess was that this had to do with the fact I ordered a Windows version which stated “Pre-existing OS License and Product Key Required”. So I tried a clean install of Windows 7 (64-bit) and I got the same error message. I searched the internet and most posts were related to failed burned copies. Since I had a legal DVD this was not the problem. I even tried two different ones.

Then I found a post which mentioned this could be related to a memory problem as well. So I started to remove DIMMs one by one. When I removed the first DIMM, I even got a blue-screen and the PC halted. I put back this first one and I removed the second DIMM. The installation was really quick and no problems occurred any more. So the 0x80070570 error code was in my case a faulty memory module.

So problem solved :)

Little Planet Photography

A while ago I saw a video on Picture Correct and I had to try this myself. I really loved the good tutorial by Gavin Hoey as he explains everything very well!

The equipment I used for the photo below is:

The lens has a nice wide angle which helps a lot for this picture. If you don’t have a very wide angle you just have to take some more pictures.

The disadvantage of the tripod I have is that it has a ball head which rotates in all directions. It’s not possible to lock the camera vertically and only move it horizontally. It helped me for this picture to keep the horizon in the finder window in exactly the same position. Small errors are luckily fixed by Photoshop, so you don’t need to buy a new tripod (head).

The result:

Little Planet by Tavenier

Time Capsule update 7.6.3 breaks IPv6

The latest version for the Time Capsule at the moment is 7.6.3.
I installed this update and after the installation I experienced issues with my IPv6 connectivity. I googled around and found many discussions and blogs where people are explaining they have issues with IPv6 tunnels (6in4) after the update.

When I started my AirPort Utility I noticed that my native IPv6 configuration options were still the same. But the weird thing is that Apple somehow changed the IPv6 WAN address to an address from the 6to4 prefix (described in RFC 3056). This prefix starts with 2002: followed by the IPv4 address converted to hexadecimal numbers, which together make the /48 6to4 prefix.

So if my IPv4 address was 123.234.123.234 my 6to4 address would be: 2002:7BEA:7BEA::/48. You need to do the calculation from decimal to hexadecimal (123 = 0x7B and 234 = 0xEA).
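
The same calculation in code, as an added example that is not part of the original post: it derives the /48 6to4 prefix from an IPv4 address and checks whether an active WAN address is a 6to4 address instead of the configured tunnel address. The configured address in the usage below is constructed from the documentation prefix, and the function names are hypothetical.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 range from RFC 3056

def sixtofour_prefix(public_ipv4):
    """Return the /48 6to4 prefix that embeds the given IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def classify_wan(configured, active, public_ipv4):
    """Compare the configured tunnel WAN address with the active one."""
    configured = ipaddress.IPv6Address(configured)
    active = ipaddress.IPv6Address(active)
    if active == configured:
        return "ok"
    if active in SIXTOFOUR:
        embedded = active.sixtofour  # IPv4 address carried in the 6to4 address
        if embedded == ipaddress.IPv4Address(public_ipv4):
            return "6to4 address derived from %s" % embedded
        return "6to4 address for another host (%s)" % embedded
    return "mismatch"

if __name__ == "__main__":
    # IPv4 address from the post; configured tunnel address is constructed.
    print(sixtofour_prefix("123.234.123.234"))
    print(classify_wan("2001:db8:1f14:a::2", "2002:7bea:7bea::1", "123.234.123.234"))
```
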

The weird thing is that in the configuration you can see my address was still manually configured to an IPv6 unicast prefix, but somehow Apple changed the active IPv6 address on the WAN interface to the 6to4 prefix. You can see this in the picture below:
IPv6  configuration Time Capsule

The only solution to get IPv6 to work again is to downgrade the Time Capsule. You need to click on your Time Capsule. When you hover over your version number and use the ‘option’ button when you click, you get the option to select your previous version number. See the screenshot below:
Downgrade Time Capsule

After the downgrade to 7.6.1 I see that the configured IPv6 WAN address is the same as the active IPv6 address. A visit to test-ipv6.com shows that IPv6 is working again :).

Links
- RIPE IPv6 reference card (very useful as a quick reference for the different IPv6 prefixes)
