Random Cisco geekery, issue 5: A VPN between a Cisco EPC3925 and a FRITZ!Box 7270.

I’ve struggled quite a bit to get these two devices together, mostly because the parameters on the FRITZ!Box are not documented, so it was hard to make them match with the Cisco device. But eventually I’ve managed to, so I’m happy to share the parameters.

Here we go.

First of all, here we assume that you are using dynamic IP addresses, in which case you need a dynamic DNS service (e.g. DynDNS, No-IP, or your own solution) so that each end can find the other.

Let’s say that the location using the FRITZ!box is using fritz.dyndns.example and the local subnet is, and the Cisco router is using cisco.dyndns.example and the local subnet is

What to do on the FRITZ!Box?

Create a file with this:

Replace all the lines with a comment at the end with what suits your situation. Once ready, open the control panel of your FRITZ!Box, go to Internet > Permit Access > VPN, and upload the file you’ve just created, then go to Import VPN Settings.

What to do on the Cisco EPC3925?

Go to Security > VPN, and create a new Tunnel with whatever name you like.

  • Local Secure Group: put your local subnet (
  • Remote Secure Group: put your remote subnet (
  • Remote Secure Gateway: the remote FQDN (fritz.dyndns.example)
  • Key Management:
    • Key Exchange Method: Auto (IKE)
    • Encryption: DES
    • Authentication: SHA1
    • PFS: Enable
    • Pre-Shared Key: your VPN password (your_shared_key)
    • Key Lifetime: 3600

Now click Save Settings, then go on Advanced Settings and set this:

  • Phase 1:
    • Operation Mode: Aggressive
    • Local Identity: the local host Name (cisco.dyndns.example)
    • Remote Identity: the remote host Name (fritz.dyndns.example)
    • Encryption: 3DES
    • Authentication: MD5
    • Group: 1024-bit
    • Key Lifetime: 28800
  • Phase 2:
    • Group: 1024-bit

Save the settings, cross your fingers and your toes and click on Connect. One caveat before you do: DES, MD5, a 1024-bit DH group and aggressive mode with a pre-shared key are the weakest settings these two boxes interoperate on. Aggressive mode sends the identities in the clear and exposes a PSK-derived hash that can be brute-forced offline, so use a long random pre-shared key, and prefer AES, SHA-2 and a 2048-bit group if both ends accept them.
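As an added example (not code from the post, from the EPC3925 or from AVM), here is a small Python model of what happens at negotiation time with the parameters listed above, followed by an audit of what was actually negotiated. The Cisco values are the ones from the post; the FRITZ!Box proposal list is an assumption, because the post does not show the FRITZ!Box side of the configuration.

```python
"""Toy IKE proposal negotiation plus a weak-parameter audit (added example).

Not code from the original post or from either vendor. Real IKEv1 negotiation is
simplified here: the initiator's proposals are tried in order, the first one the
responder also lists wins, and the lifetime becomes the shorter of the two. The
FRITZ!Box proposal list below is a constructed assumption, since the post does
not show the FRITZ!Box side of the configuration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str          # "DES", "3DES", "AES-256", ...
    integrity: str           # "MD5", "SHA1", "SHA-256", ...
    dh_group: Optional[int]  # MODP group size in bits; None = no DH (phase 2 without PFS)
    lifetime: int            # seconds


def negotiate(initiator: list[Proposal], responder: list[Proposal]) -> Optional[Proposal]:
    """First initiator proposal that the responder also accepts, or None (tunnel never comes up)."""
    for want in initiator:
        for have in responder:
            if (want.encryption, want.integrity, want.dh_group) == (have.encryption, have.integrity, have.dh_group):
                return Proposal(want.encryption, want.integrity, want.dh_group, min(want.lifetime, have.lifetime))
    return None


def audit(p: Proposal, aggressive: bool = False, psk: bool = False) -> list[str]:
    """Flag parameters a security review would reject; an empty list means nothing found."""
    findings = []
    if p.encryption == "DES":
        findings.append("DES: 56-bit key, brute-forceable")
    elif p.encryption == "3DES":
        findings.append("3DES: 64-bit block cipher, vulnerable to Sweet32 with long-lived SAs")
    if p.integrity in ("MD5", "SHA1"):
        findings.append(f"{p.integrity}: deprecated hash, prefer SHA-256 or better")
    if p.dh_group is not None and p.dh_group < 2048:
        findings.append(f"DH group {p.dh_group}-bit MODP is below the 2048-bit minimum")
    if aggressive and psk:
        findings.append("aggressive mode with PSK: identities travel in clear and the PSK hash can be cracked offline")
    return findings


# The Cisco EPC3925 side, taken from the settings listed in the post (a single proposal per phase).
CISCO_PHASE1 = [Proposal("3DES", "MD5", 1024, 28800)]
CISCO_PHASE2 = [Proposal("DES", "SHA1", 1024, 3600)]

# The FRITZ!Box side is not shown in the post; these lists are an assumption for the demo.
FRITZ_PHASE1 = [Proposal("AES-256", "SHA-256", 2048, 3600), Proposal("3DES", "MD5", 1024, 3600)]
FRITZ_PHASE2 = [Proposal("AES-256", "SHA-256", 2048, 3600), Proposal("DES", "SHA1", 1024, 3600)]


def review_tunnel() -> dict:
    """Negotiate both phases and collect the audit findings for what actually got picked."""
    p1 = negotiate(CISCO_PHASE1, FRITZ_PHASE1)
    p2 = negotiate(CISCO_PHASE2, FRITZ_PHASE2)
    return {
        "phase1": p1,
        "phase1_findings": audit(p1, aggressive=True, psk=True) if p1 else ["no match"],
        "phase2": p2,
        "phase2_findings": audit(p2) if p2 else ["no match"],
    }


if __name__ == "__main__":
    for key, value in review_tunnel().items():
        print(key, value)
```

The point to take away: because the Cisco side offers a single proposal, the negotiated tunnel is exactly as weak as that proposal, whatever stronger options the other end would have accepted. Offering AES-256/SHA-256/2048-bit first clears every finding except the aggressive-mode one, which only main mode removes.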

Homebrew your own Dynamic DNS system with cPanel and PHP.

Hello. The geeky pill of today is about how to get rid of DynDNS and feel like those punks when they make their DIY t-shirt with a political message on it. Or something like that.

See, many providers nowadays are providing hosting based on cPanel and a certain number of subdomains that you can set up through the front end. What you may learn today is that cPanel also offers an API that could let you do this automatically.

The API calls themselves are quite easy to understand and apply, but the troublesome part was about the authentication. Now, cPanel actually does offer several ways to connect, but the only one that really worked for me was the first one, which goes like this:

  1. Log into cPanel through its normal web login;
  2. Once you get redirected to the front end, you get a URL like this: http://mc2dn.name:2082/cpsess1234567890/frontend/x3/index.html
  3. Take the cpsess value from that URL;
  4. Make your API call using the cpsess value, for example: http://yourdomain.example:2082/cpsess1234567890/json-api/cpanel?cpanel_jsonapi_module=ZoneEdit&cpanel...

As a starting point I’ve used a great blog article, which provides also a ready-made PHP script with everything set to go (and this will be your primary point of reference to set the whole thing up, actually). The only problem with that solution is that the request is based on one of the several authentication systems that my provider wasn’t allowing for some reason. In order to work around it, I’ve basically instructed cURL to behave like a browser.
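Here is a Python version of the flow described above, as an added example and not the PHP script the post refers to. Everything about the cPanel login form fields and the ZoneEdit parameters is an assumption noted in the docstring, since the post only shows the cpsess extraction and a truncated API call. One change from the URLs above: use https on port 2083 rather than http on 2082, otherwise the cPanel password crosses the network in the clear.

```python
"""Homebrew dynamic DNS through cPanel's session-token (cpsess) API.

Added example, not the PHP script the post refers to. It follows the flow the
post describes: log in like a browser, take the cpsessNNN token from the
redirect URL, then call the JSON API under that token path. Assumptions not on
the page: the login form at /login/ takes fields `user` and `pass`; the API 2
ZoneEdit functions fetchzone_records and edit_zone_record with the parameters
used below; the record is addressed by its zone line number. Use HTTPS on 2083:
the http://...:2082 URLs in the post carry the cPanel password in the clear.
"""
import http.cookiejar
import json
import re
import sys
import urllib.parse
import urllib.request

CPSESS_RE = re.compile(r"/(cpsess\d+)(?:/|$)")


def extract_cpsess(url: str) -> str:
    """Pull the cpsessNNN token out of the post-login URL (step 3 in the post)."""
    match = CPSESS_RE.search(url)
    if not match:
        raise ValueError(f"no cpsess token in {url!r}")
    return match.group(1)


def api_url(base: str, cpsess: str, module: str, func: str, **params: str) -> str:
    """Build a cPanel API 2 JSON call living under the session-token path (step 4)."""
    query = {
        "cpanel_jsonapi_apiversion": "2",
        "cpanel_jsonapi_module": module,
        "cpanel_jsonapi_func": func,
        **params,
    }
    return f"{base.rstrip('/')}/{cpsess}/json-api/cpanel?{urllib.parse.urlencode(query)}"


def browser_like_opener() -> urllib.request.OpenerDirector:
    """Cookie jar plus a browser-ish User-Agent: the 'behave like a browser' trick from the post."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.addheaders = [("User-Agent", "Mozilla/5.0 (homebrew-ddns)")]
    return opener


def login(opener, base: str, user: str, password: str) -> str:
    """POST the login form, follow the redirect and return the cpsess token (steps 1-3)."""
    form = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    with opener.open(f"{base.rstrip('/')}/login/", form) as resp:
        return extract_cpsess(resp.geturl())


def find_record_line(opener, base: str, cpsess: str, domain: str, name: str) -> int:
    """Zone line number of the A record for `name` (assumed fetchzone_records parameters)."""
    url = api_url(base, cpsess, "ZoneEdit", "fetchzone_records", domain=domain, name=name, type="A")
    with opener.open(url) as resp:
        records = json.load(resp)["cpanelresult"]["data"]
    if not records:
        raise LookupError(f"no A record named {name} in zone {domain}")
    return int(records[0]["line"])


def update_a_record(opener, base: str, cpsess: str, domain: str, line: int, address: str) -> dict:
    """Point the record on `line` at `address` (assumed edit_zone_record parameters)."""
    url = api_url(base, cpsess, "ZoneEdit", "edit_zone_record",
                  domain=domain, line=str(line), type="A", address=address, ttl="300")
    with opener.open(url) as resp:
        return json.load(resp)


def update_dyndns(base: str, user: str, password: str, domain: str, hostname: str, new_ip: str) -> dict:
    """Whole flow: login, locate the record, rewrite it. Needs network access to the cPanel host."""
    opener = browser_like_opener()
    cpsess = login(opener, base, user, password)
    line = find_record_line(opener, base, cpsess, domain, hostname)
    return update_a_record(opener, base, cpsess, domain, line, new_ip)


if __name__ == "__main__":
    # usage: ddns.py https://yourdomain.example:2083 user password yourdomain.example home.yourdomain.example. 203.0.113.7
    print(update_dyndns(*sys.argv[1:7]))
```

The record name is passed as it appears in the zone (fully qualified, with the trailing dot); the cpsess token is tied to the login session held in the cookie jar, so keep using the same opener for every call.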


Random Cisco geekery, issue 4: Some break-sequence madness.

What is this break sequence even for?

The break sequence is a special key combination sent to the router during its boot sequence. It has to be sent at the very beginning, and it drops you into a special mode called ROMMON. Think of it as a command-line version of the BIOS menu you reach by pressing F2 or DEL on a PC; if you use a Mac, think of Open Firmware.

Let’s face it: most of the time you won’t need ROMMON when working on your Cisco devices, except for a handful of cases in which it turns out to be really useful:

  1. The flash memory is corrupt, hence the IOS firmware cannot be loaded (in this case you won’t even need the break sequence) or it loads but crashes in the middle of the process;
  2. You were upgrading IOS, but your router got power-cycled by mistake – or, in other words, you “bricked” the router, so to say;
  3. You lost access to the device and you need to reset the password, or you want to be even more brutal and erase the whole configuration from the NVRAM.

How do I send the break sequence?

When you normally work on a computer, you trigger the break sequence by simply pressing Ctrl+Break on your keyboard. Since you don’t connect a keyboard directly to the Cisco device, but you rather use telnet or ssh, we need to do something slightly different.

Although you could send a BREAK signal via telnet or ssh (eg. using PuTTY’s system menu), this kind of connection is available only after the router has passed the boot process, so we can’t grasp those precious early seconds of life of the router.

Fortunately, the Console port helps you, keeping the connection open since the very beginning. I assume that you already know how to get to the Console port of a Cisco device, but to put it short: get a serial port on your computer, connect it to the router using the blue cable, open HyperTerminal and ensure you use a connection with 9600 baud, no parity, 8 data bits, 1 stop bit, and no flow control (9600 8N1).

Once you’re ready, open the connection. If the device is already turned on, try pressing Enter and you should get something back (User Access Verification? A prompt? A reassuring MOTD like “If you got here it means that you did something wrong”?). There are a number of reasons why it might not work – ok, I’m lying, most of the time it’s just that you need to throw away that fake USB-to-Serial adapter you’ve just bought and go find another one.

Turn on the router and start pressing Ctrl+Break like you’re possessed by the devil.
You should get a prompt like:

Or just:

The difference matters, because the commands differ, e.g. confreg 0x2142 vs. o/r 0x2142. Most of the time you’ll find complete guides on the commands you need based on your model, but let me anticipate that nowadays you’ll almost always see the first prompt (2600-ish) rather than the second (typical of the older 2500s). One caveat for the password-recovery use case: if the device was configured with no service password-recovery, the break sequence no longer gives you a ROMMON from which you can keep the existing configuration; the router only offers to wipe the startup configuration and boot clean, which is precisely what that command is for.

I dnt use HyperTerminal bcuz M$ suxx

If you’re using Linux, just use minicom. You might need to install it (e.g. sudo apt-get install minicom). You can’t use Ctrl+Break with minicom; instead press Ctrl+A then F, and you’ll see “Sending BREAK” printed in the middle of the screen for a moment. It’s not as much fun as flooding the line with Ctrl+Break by keeping it pressed for 10 minutes, but it still does its job pretty well.

No it doesnt wrk!!!!111!!

It can happen. In this case there’s an alternative that I’ve just tried successfully and is documented on the Cisco website:

  • Turn off the router
  • Set your connection to 1200 baud instead of 9600
  • Open the connection
  • Turn on the router
  • Start pressing Spacebar and keep it pressed for 15 seconds
  • Disconnect
  • Set the connection back to 9600 baud
  • Connect again and press Enter

This is for HyperTerminal – with minicom it’s even easier, as you don’t have to do any “connect-disconnect” thing, just set the speeds by pressing Ctrl+A, then P, then B, B and B again, then Enter, do the Spacebar stuff while turning on the router, then again Ctrl+A, P, C, Enter.

Further documentation on what to do after entering ROMMON:

Random Cisco geekery, issue 3: What’s your favourite IPv6 subnetting scheme?

Before you skip this with a tl;dr, here’s the long story short:

  1. If you want to make your life easy, just use /64 subnets for everything, nuff said;
  2. If you really want to make things exact, in the original old-school “save-precious-IP-addresses” way you have continuously experienced while using IPv4, then use /112 subnets on point-to-point links between two routers, and not /126 or /127, since those collide with mechanisms that assume a 64-bit interface identifier (more on that below). Generally speaking, though, this hardcore approach is not advisable.

Quick review of IPv6 addressing.

If you’re really reading this article, you probably hardly need to be told how IPv6 addressing differs from IPv4. Still, I’ll try to make it as simple as possible.

All the fuss about IPv6 comes from the fact that 30 years ago nobody would have imagined that 4.3 billion (yes, billion) IP addresses would ever be used up. There were few computers, the Internet was almost nothing, and it looked like it was going to stay like that for a very long time. The reason we soon moved from classful networks to CIDR was that whole Class A networks (now known as /8 subnets) had been handed out to institutions like MIT and Stanford University like peanuts: do you really need 16 million (yes, million) unique IP addresses, especially when NAT and VPN tunnelling can make a single IP address enough for a quite reasonable number of users?

IPv6 was a radical solution: free unique global addresses for everyone, no more frustrations configuring NAT! When you read that a 128-bit IP address can offer a staggering number of unique combinations (think about 3 followed by 38 zeros), this is really a dream coming true.

An IPv6 address doesn’t even consider classful IP routing, doesn’t have subnet-zero issues, doesn’t need NAT (even if it still exists), makes configuration pretty easy with some mechanisms that assign unique IP addresses and get most of the info a host normally needs just automagically (kinda).

One of the most useful mechanisms is certainly EUI-64. How does it work? In short, it takes the MAC address, adds and changes a few bits here and there and – voilà! – you get 64 bits that are pretty much guaranteed to be unique inside your subnet. Think of it as an evolution of the APIPA algorithm, the one that works as a fallback for DHCP (or, more simply, the one that generates a hideous address when you least expect it).

EUI-64 on P2P links.

Let’s do a bit of arithmetic on what we actually have:

  1. IANA assigned only 2000::/3 for global unicast. This lowers the number from the original 2^128 down to 2^125 (which is still a lot: about 4 followed by 37 zeros);
  2. At the time of writing, what is really being used is 2001::/16, which brings the total down to 2^112 (still awesome: about 5 followed by 33 zeros);

Now here comes the tricky part. The main advice for implementing an IPv6 network, regardless of its size, seems to be: get a /48 (which holds 2^16 = 65536 /64 subnets) and split it into /64s, regardless of how big each subnet actually is.

Yes, this means that even a point-to-point network with just 2 routers will sit in an address space that could host an incredible number of extra hosts. Why? Because of EUI-64. Thanks to it, configuration gets much easier: you just write something like ipv6 address 2001:db8:0:x::/64 eui-64 and only have to pick a unique x (the fourth hextet, i.e. the subnet ID within your /48) for each subnet.
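To make the EUI-64 rule and the /48 to /64 arithmetic concrete, here is an added Python example (not from the original post) that builds an EUI-64 address from a MAC, as the eui-64 keyword does, and counts subnets with the standard-library ipaddress module. The MAC and prefixes are constructed sample values. It also does the reverse, recovering the MAC from an address, which is why EUI-64 leaks hardware identity across networks and why RFC 4941 temporary addresses exist.

```python
"""EUI-64 interface identifiers and /64 arithmetic, as an added worked example.

This is not code from the original post; it implements the EUI-64 rule the
post describes (split the MAC, insert ff:fe, flip the universal/local bit) and
the subnet arithmetic around /48, /64 and /112 prefixes using the standard
library ipaddress module. Addresses and MACs below are constructed sample values.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit Modified EUI-64 interface identifier derived from a MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    oui = bytearray(octets[:3])
    oui[0] ^= 0x02                                  # flip the universal/local bit (bit 1 of octet 0)
    iid = bytes(oui) + b"\xff\xfe" + octets[3:]     # insert ff:fe between OUI and NIC-specific part
    return int.from_bytes(iid, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 of `mac`, as `ipv6 address ... eui-64` does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 only makes sense with a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC from an EUI-64 address: the privacy leak RFC 4941 temporary addresses avoid."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                               # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in octets)


def subnets_in(parent: str, child_prefixlen: int) -> int:
    """How many child_prefixlen subnets fit in `parent`: 2 ** (child - parent)."""
    parent_len = ipaddress.IPv6Network(parent).prefixlen
    if child_prefixlen < parent_len:
        raise ValueError("child prefix must be longer than the parent")
    return 1 << (child_prefixlen - parent_len)


def hosts_in(prefixlen: int) -> int:
    """Interface identifiers available in a prefix (IPv6 has no broadcast address, so 2 ** bits)."""
    return 1 << (128 - prefixlen)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"                       # constructed sample MAC
    addr = eui64_address("2001:db8:0:1::/64", mac)  # subnet x = 1 inside the documentation /48
    print(addr, "->", mac_from_eui64(str(addr)))
    print("/64s in a /48:", subnets_in("2001:db8::/48", 64))
    print("/48s in 2000::/3:", subnets_in("2000::/3", 48))
    print("addresses on a /112 point-to-point link:", hosts_in(112))
```

Note that the interface identifier is always the low 64 bits, which is why the subnet ID x has to live in the fourth hextet: anything you write in the low half of the address is overwritten by EUI-64.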

Adieu to the IPv4 mindset?

Now, is this a waste or an advantage? My first thought when I saw half of the address burnt on automatic addressing was, obviously, the MIT & Stanford effect, i.e.: what if we’re giving out IPv6 addresses too easily and one day we’ll run out of them too?

But then I realised this. While point-to-point links really need a global address (because a link-local address wouldn’t show up in a traceroute and would make troubleshooting even more problematic), it is unlikely that even the largest company would have more than 65536 subnets, counting both P2P links and LANs; and even then, they can still request an additional /48, which wouldn’t hurt considering how many /48s exist (2^45 of them in 2000::/3 alone).

Plus, while we’re witnessing a moment in which really everything is getting connected to the global network, even imagining a worst-case future with, say, 10 billion people, each with 50 devices connected to the network (mobile phones, TVs, computers, tablets, routers, switches, and whatever else you can think of, intelligent washing machines?), and each device with its own global unicast IPv6 address, we’re still talking about a demand of billions and billions against an offer of billions of billions.

So, answering the question: yes, I think we can actually forget the IPv4 “space-saving” mindset we got used to and embrace this new, hideously wasteful way of allocating IP addresses.

Still into the old-skool addressing?

There are reasons for which you might want to ration IP addresses anyway. One might be that you’ve been allocated a single /64. Another might be that you’re really into static addressing for some reason. Another might be that you just like pain.

Since in IPv4 we got used to /30 links, giving you just 2 usable IP addresses, you might want to do something similar in IPv6 and use /127 as a prefix. Well, there are some caveats in this case. Some have been summed up in RFC 3627, which is bearing a quite explicitly Dijkstra-ish title: Use of /127 Prefix Length Between Routers Considered Harmful. An even easier document is IPv6 address architecture on point-to-point links by M. Yoshinobu (you may want to jump to page 25).

In very short terms, if you really want to do this, the better compromise is a /112: addresses are still wasted, but you get fewer routing surprises and it’s still easy to configure. Keep in mind, though, that RFC 6164 (2011) has since reversed the advice in RFC 3627 and recommends /127 on inter-router point-to-point links, so check what your platform supports before settling on a scheme.

Random Cisco geekery, issue 2: Use one router to console into another, aka Reverse Telnet.

Normally we use our PC to connect to the Console port of a Cisco device. However there’s another thing you can do, which is using the AUX port of a router to connect to the Console port of another router (well, even the same actually, if you really fancy).

There are several reasons why you would want to learn this. One of these is that there are devices called Access Servers (such as the Cisco 2509) that let you connect to up to 8 console ports through so-called Async ports. Alternatively, a network module like the NM-16A does basically the same. To these you would normally attach an octal cable (also called “the octopus” by the naughty ones).

The other reason (my case, coincidentally), is just because your USB-to-Serial dongle works like sh*t.

Step 1: prepare a rollover cable.

You can just buy one, but why? It’s just like an Ethernet cable with a different pinout, which, I must say, is even easier than T568A/B: whatever colour order you choose on one side, you simply reverse it on the other, so that the first coloured wire becomes the eighth, the second becomes the seventh, the third becomes the sixth, and so on.

As far as I know there are no standards on the colour order, so I chose this on the two sides:

  1. Orange, White-orange, Green, White-green, Blue, White-blue, Brown, White-brown;
  2. White-brown, Brown, White-blue, Blue, White-green, Green, White-orange, Orange.

Step 2: learn Reverse Telnet.

Now: how can we use the AUX port?

Cisco devices expose their lines on special TCP ports that can be reached via Telnet. These ports follow the format 2nnn, i.e. 2000 plus the line number. By telnetting to one of these ports you get access to the corresponding line, in this case the AUX port.

First of all we need to tell the router to accept inbound connections on the AUX line:

To get the value for nnn, just issue a show line from the router.
In this case nnn = 065.

Then get the IP of any interface that is not down. In this case, just to be sure that this would work anyway, I have created a loopback interface with IP address =, and this is what I’m going to use:

And finally, we combine all these info:

Here we go. R1 has offered its AUX port to let you log into R2 via its console port.
Let’s try to exit, so that we come back to R1.

Hey, something went wrong here. Guess what? As you have probably experienced already, the console port is always up. This means that exit closes the EXEC session on R2, but not the underlying connection, unlike what a normal telnet session would do (remember, you’re telnetting into R1 itself now, not R2).

There’s a keystroke that comes into help: press Ctrl+Shift+6 and then x. This keystroke suspends a telnet session and brings you back to the original prompt:

All good then? No. The session is suspended, not closed, and if you will just press Enter you’ll return to R2:

How do we fix this? You need to forcefully shut down the telnet session while being in R1:

Note that, after clearing the line, I can press Enter and I’m still in R1.

But also note that the clear command doesn’t really work like a charm: you often need to issue it several times before the line actually disappears from show users. This matters: as long as the line shows as active, any further reverse-telnet attempt will fail with a frustrating “Connection refused by remote host”. One more thing worth noticing: once the AUX line accepts inbound telnet, anyone who can reach TCP port 2nnn on R1 gets R2’s console, so restrict the line with an access-class or require a login on it rather than leaving it open.

Random Cisco geekery, issue 1: RIP route preference.

Here’s the situation: two routers are connected with two interfaces, one is FastEthernet0/1 and the other one is Dialer1 (which is a bundle of two Serial interfaces).

We’re using RIP to connect these two routers:

Fa0/1 is experiencing some hardware problems, so we want to prefer Di1 instead while we investigate the issue, but still we want to be able to fail over Fa0/1 in the meantime.

Each routing protocol has some way of setting “priorities”. RIP being a distance-vector routing protocol, it selects routes by hop count, somewhat like BGP counting Autonomous Systems in the AS path.

Here’s the solution:

The first command says: “take all the routes received on Fa0/1 and add 1 hop to their metric”. The second does the same for the routes advertised to the other router over that interface, so the other side prefers Di1 too. The 0 in the middle stands for “all routes”; you can put an access-list number there instead if you want to alter only specific routes.

What happens next?
RIP ends up not using Fa0/1 at all:

But still, when Di1 goes down, failover works:

Note the two routes via Di1 showing as “possibly down” (RIP’s holddown state for routes it has just lost).
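A small simulation of the route selection described above, as an added example and not code from the original post: RIP picks the lowest hop count, routes received on Fa0/1 get one hop added by the offset-list, and Di1 going down leaves the Fa0/1 route in the table. Advertisements are constructed sample data; the simulation also shows the edge case where the extra hop pushes a 15-hop route to 16, i.e. unreachable.

```python
"""Simulation of how RIP picks between two parallel links when an offset-list adds hops.

Added example, not from the original post. It models the behaviour the post
describes: routes received on Fa0/1 get 1 hop added, so Di1 wins; when Di1 goes
down, the Fa0/1 route (now 2 hops) is still installed. Only the inbound offset is
modelled; the outbound offset-list does the same for what the neighbour sees.
Advertisements below are constructed sample data.
"""
RIP_INFINITY = 16   # a hop count of 16 means "unreachable" in RIP


def rip_table(advertisements, offsets=None, down=()):
    """Return {prefix: (metric, [interfaces])} with the lowest-metric route(s) per prefix.

    advertisements: (prefix, receiving interface, hop count as advertised)
    offsets: {interface: hops_to_add}, mirroring `offset-list 0 in <n> <interface>`
    down: interfaces that are currently down; their advertisements are ignored
    """
    offsets = offsets or {}
    table = {}
    for prefix, ifname, hops in advertisements:
        if ifname in down:
            continue
        metric = hops + offsets.get(ifname, 0)
        if metric >= RIP_INFINITY:
            continue                       # pushed past infinity: route becomes unreachable
        current = table.get(prefix)
        if current is None or metric < current[0]:
            table[prefix] = (metric, [ifname])
        elif metric == current[0]:
            current[1].append(ifname)      # equal cost: RIP installs both paths
    return table


# Routes R2 advertises to R1 over both links (constructed sample data).
ADVERTISEMENTS = [
    ("10.1.1.0/24", "FastEthernet0/1", 1),
    ("10.1.1.0/24", "Dialer1", 1),
    ("192.0.2.0/24", "FastEthernet0/1", 15),   # already at the edge of reachability
    ("192.0.2.0/24", "Dialer1", 15),
]
OFFSETS = {"FastEthernet0/1": 1}   # the post's offset-list on Fa0/1


def scenario():
    """The three situations the post walks through, side by side."""
    return {
        "no offset": rip_table(ADVERTISEMENTS),
        "offset, both up": rip_table(ADVERTISEMENTS, OFFSETS),
        "offset, Di1 down": rip_table(ADVERTISEMENTS, OFFSETS, down=("Dialer1",)),
    }


if __name__ == "__main__":
    for name, table in scenario().items():
        print(name, table)
```

The 192.0.2.0/24 row is the trap to remember when using offset-lists: a route that already sits at 15 hops is silently dropped once the offset is applied, so failover for it stops working even though the link is fine.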

You’re in greylist.

You are a PITA.
Long-lasting dull jobs are a PITA.
Flash and ActionScript are (together) a PITA.
Dull handy-dandy music players are a PITA.
Customized bash scripts are a PITA.
Pall Mall Manhattan cigarettes are a PITA.
Both a missing 64-bit CPU and paravirtualization are a PITA.
ImageShack and its ad banners are a PITA.
Breakfasts with Nutella + Coke are a true PITA.

Multichannel prostitution as a panacea for personal relationships, aka: testing Separation of Concerns through quasi-asemantic HTML.

It starts here. You scrutinise the form in depth, looking for a small or large window onto the content.

Some detail, attractive, somehow sensual, makes curiosity grow exponentially, along with the wish to feel somehow a little above the others, those others who never had this curiosity at all, or for whom it was too small to listen to.

And your hopelessly romantic heart reads in your place, analyses the form, interprets it, unearthing meanings that others have surely never even imagined. Until you reach the conclusion that there must be something special, which is hidden, which cannot be found, which does not fully satisfy that soft-voyeuristic perversion that is at times even generational.

You pluck up courage. You overcome your shyness. You knock on the small or large window. You hope the content will come and open. Well, or at least that it will look out, so to speak.

It looks out. Finally. Sometimes you are lucky enough to understand right away whether what you now have in front of you is the content or, rather, another form, complete with a written proxy and a mandate to act.

The problem with these forms is that, sometimes, they never let you reach the content. They delude you into thinking you have reached the substance, the raw material, but it is actually a trick. A petty one. Other times, instead, the content does arrive, sooner or later, and you find out it is really disappointing. Not that it is necessarily more boring, or too difficult for our tastes. Simply very different from how you imagined it when you still had that slightly enthusiastic curiosity. And thank goodness, because otherwise you would try to align it as much as possible with that idea of it you had.

Then (deo gratias) you realise it is all pointless.

Sometimes you only realise after a while.
Sometimes a bit late.
Have you realised it or not?

But then you try again. You don’t give up.
Because you feel it is the right way.
The more you repeat it to yourself, the more convinced you will be.

(and what luck.)

(photo: play with me by s~revenge)