Working with Configuration

Show previous configs:

show configuration | compare rollback ?

Compare current to previous version (in edit):

show | compare

Compare two previous versions:

show system rollback 17 compare 16

Show uncommitted changes:

show | compare

Perform rollback:

rollback <number | rescue>

Move a policy:

root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> before policy <policy-name>
root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> after policy <policy-name>

It has been possible to use Vodafone wireless on the London Underground for some time and according to Vodafone’s info page your phone should connect automatically.  Mine didn’t and neither do many people’s on Vodafone’s support forum.

I hadn’t had the need to use WiFi on the Underground as I only travelled very sporadically for work into London, but now I’m doing it daily I thought it would be useful. Well, it would have been had it just connected automatically – it didn’t.  Vodafone’s suggestion for if it doesn’t automatically connect is to use the “Virgin Media” WiFi, which, although it works, takes you to a captive portal page and requires you to sign in with your Vodafone user name and password.  That’s a bit rubbish, as when passing on the tube you are only stationary for about 20 seconds.

After I recently attended the HP FlexNetwork course I was made aware of HP’s simulator for Comware – HP Network Simulator tool for Comware7 Devices. This looks like a good study aid for network engineers and I hoped it would give me the chance to practise before taking the exam – great, a simulator tool released by a manufacturer – this should be awesome. The simulator runs on VirtualBox, which is a prerequisite to installing, and is very easy to get going with. The configuration is all performed in text by specifying devices and line cards to choose interfaces. Interface links are configured by specifying which interfaces to connect to others:

HP Simware

PlusNet BT OpenReach Not Showing up

So we recently moved house and I wanted to move my FTTC/VDSL connection to the new property.  A quick call to PlusNet a week before our move date and a visit was scheduled for 10 days after we moved in.  Wow, this was impressive – a pretty smooth process (and I just wish the banks and solicitors were this easy to deal with), and even though 10 days in the new house with no internet access (mobile access is unusable with 1 bar of GPRS on a good day), I figured I would be busy sorting stuff with the new house anyway, so this didn’t concern me too much.  So the scheduled visit day came and passed with no visit from BT OpenReach.  Whilst highly annoyed at this, I can’t figure out the most painful part:

1. Taking a day off work unpaid for BT OpenReach not to turn up with no cancellation notification.
2. Spending 40 minutes on hold to customer services to keep listening to the slightly patronising message about if I had internet access I could access the online portal. (I’m sure this is a joke done on purpose..)
3. After speaking to customer services who could offer no reason for the no show BT OpenReach engineer other than advising me BT have re-scheduled the visit for another 2 weeks away but have failed to inform, so a transfer to the provisioning team was necessary.  But it’s OK, they have a short telephone queue
4. Spending another 20-25 minutes on hold only to be disconnected by the person answering the phone or the phone system.
5. Spending another 45 minutes on hold back to customer services to be told the provisioning team had finished at 9pm.  I guess that’s why my call was answered at 9.05pm.  Call scheduled for 9.15AM the next morning with the provisioning team so I will be able to take the call.

I wanted to find out what devices were on my network – wired or wireless.  Moreover, I wanted something with which I could acknowledge known hosts and then be alerted when a new or unknown host was found on my network.  I couldn’t find anything FOSS other than some expensive network scanning/management tools, so I set about creating my own using PowerShell and Nmap – Arp Scan Alert Rogue Hosts

The script scans the defined network range using an ARP scan to identify hosts on the network.  For every host found, the MAC address is checked against a text file, known_hosts.txt, for a match.  If it is found, the description is displayed and the host is treated as identified.  If the MAC address is not found, an email is sent to the configured email address and the MAC address, IP address and time are logged to the file unknown_hosts.txt.  The script repeats the scan at the configured interval.
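The matching logic described above, re-implemented in Python as an added example (this is not the author's PowerShell script). The nmap output and the known_hosts.txt content are constructed samples, and the "MAC,description" line format of known_hosts.txt is an assumption.

```python
import re

# Constructed sample of "nmap -sn" normal output for a small LAN (not real hosts).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Netgear)
Nmap scan report for 192.168.1.20
Host is up (0.0020s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Dell)
Nmap scan report for 192.168.1.77
Host is up (0.0030s latency).
MAC Address: DE:AD:BE:EF:00:01 (Unknown)
"""
# Constructed known_hosts.txt content; the "MAC,description" line format is an assumption.
SAMPLE_KNOWN_HOSTS = "00:11:22:33:44:55,Home router\naa:bb:cc:dd:ee:01,Desktop PC\n"

def parse_nmap_hosts(output):
    """Return [(ip, mac)] from nmap normal output; hosts with no MAC line
    (typically the scanning machine itself) are skipped."""
    hosts, ip = [], None
    for line in output.splitlines():
        if line.startswith("Nmap scan report for "):
            m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$", line)  # "name (ip)" or bare ip
            ip = m.group(1) if m else None
            continue
        m = re.match(r"MAC Address: ([0-9A-Fa-f:]{17})", line)
        if m and ip:
            hosts.append((ip, m.group(1).lower()))  # normalise case before matching
            ip = None
    return hosts

def load_known_hosts(text):
    """Map lower-cased MAC -> description; blank lines and '#' comments ignored."""
    known = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            mac, _, desc = line.partition(",")
            known[mac.strip().lower()] = desc.strip()
    return known

def classify_hosts(hosts, known):
    """Split scan results into (recognised, unknown); unknown = MAC not in known_hosts."""
    recognised = [(ip, mac, known[mac]) for ip, mac in hosts if mac in known]
    unknown = [(ip, mac) for ip, mac in hosts if mac not in known]
    return recognised, unknown

def log_lines(unknown, when):
    """Lines to append to unknown_hosts.txt: timestamp,MAC,IP (when is a timestamp string)."""
    return [f"{when},{mac},{ip}" for ip, mac in unknown]
```

In a live run, feed the stdout of `nmap -sn <range>` (run with enough privilege for the ARP scan) into parse_nmap_hosts, append log_lines(...) to unknown_hosts.txt and send the same lines by e-mail, then sleep for the configured interval and repeat.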

Screen Shots

All hosts detected:

ARP Scan - All Hosts Recognised

Rogue host detected:

Rogue Host Detected


Cisco ASA 5505


I recently had to try and determine the cause of random drop-outs of a customer’s Cisco ASA IPsec VPN between two Cisco ASA 5505s.  Both ASAs were NAT’d behind ADSL routers with ports forwarded to the firewall.  I know this *shouldn’t* cause a problem, and modern implementations of the IPsec stack are much better at traversing NAT than they used to be.  One router was a Cisco/Linksys something and the other was a NetGear DGN1000.

Symptoms: Tunnel would intermittently drop after 10-30 minutes, regardless of whether traffic was passing over the link (constant PING) or not.


If you get the following error reported on the Dell EqualLogic SAN (I had it on a PS4100 with 2 x ESXi hosts and a Cisco 3750G switch):

iSCSI login to target ‘,’ from initiator ‘,’ failed for the following reason: | Initiator disconnected from target during login.

The fix is to change the Login Timeout value from 5 to 60 seconds and disable ACK Offload on the iSCSI software initiator on each ESXi host and reboot the hosts – this solved the issue for me.

My ISP (Enta Net, sold via UKFSN) has allocated me an IPv6 block.  Unfortunately my current NetGear DG834G does not support IPv6 natively.  OK, so I need a new SOHO type router for home – an ADSL2+ modem and wireless router in one.

After much searching, it became apparent that there aren’t that many ‘ready’ consumer routers that support IPv6 natively (yet).  I discovered the TP-Link TD-WD8970, which looks to offer everything I need (wireless, gigabit switch, IPv6 and firewall capabilities).  Though it is a new unit and there aren’t many reviews, I was tempted to take the plunge and try it, until I read the manual – the maximum ADSL upstream is limited to 1Mbps. What?! I am currently syncing at 1271Kbps, so moving to this router would already limit my (limited) upstream.  Not good.  I sent an email to TP-Link querying whether this is a true limit and whether it is hardware or software imposed.  I’m hoping it is just a soft limit or incorrect data in the manual, but I am not buying until I get confirmation that is the case.

Back to the search for a decent ‘all in one’ device.  IPv6 compatibility can be checked here: IPv6 Ready Approved List

Update – I swapped a few emails with TP-Link, but unfortunately even after help from their technical department they insist the ADSL2+ upstream is limited to 1Mbps, despite the G.992.5 standard specifying 1.4Mbps as the maximum.  I had hoped TP-Link had just made an error in the user manual, but they advised me the product is not suited to what I want to achieve, so I will just look at a D-Link instead.

PAT can be accomplished in two ways – by network object or by service object.

These notes are based on trying to get a port or group of ports to forward from the outside interface to a host behind the DMZ interface on a 5505 running 8.4:

Single Port – web server example

Use a network object.  Add an access list rule with:

Source: any

Destination: LAN IP address of the server (i.e. the internal IP address of the web server, etc)

Service: www

Now add a NAT rule – Add Network Object Rule

Name: something descriptive