Archive for the ‘Blog’ Category

Cisco 877W CCKM authentication failed

August 10th, 2009

Using the wireless functionality of the Cisco 877W router I discovered that the wireless connection was being disconnected and reconnected intermittently. At first I thought it might be my Linux notebook doing weird things, but as other wireless clients were acting the same I suspected my new broadband router. Looking at the router log it appears that Cisco IOS reports “CCKM authentication failed”, in which CCKM stands for Cisco Centralized Key Management.

%DOT11-7-CCKM_AUTH_FAILED: Station 0016.44d7.xxxx CCKM authentication failed

So I started searching the web for this particular error message. As I found out, more people have reported it and some were suggesting raising the broadcast key change interval, but that didn’t work for me. Downgrading the IOS software was also mentioned, but hey, I don’t like to downgrade, so I upgraded to a more up to date IOS version and the problem seems to be fixed! In the two days since the upgrade there have been no more annoying disconnects and reconnects. It’s starting to look like Cisco has done a good job!

I did the upgrade from IOS version c870-advipservicesk9-mz.124-22.T.bin to c870-advipservicesk9-mz.124-24.T1.bin.

Beware of IOS version c870-advipservicesk9-mz.124-24.T.bin; this one seems to be unstable.

This will most certainly apply to the complete Cisco 870 series.

Categories: Blog

Fireplay for Firefly

June 12th, 2009

Lately I stumbled upon an extension for the well known media server Firefly called Fireplay. It’s an easy to use Flash based music player interface for Firefly which uses RSP (Roku Server Protocol). The player is able to list playlists, artists, albums and genres and to play selections. Because it’s a Flash based player, you can use it everywhere you like.

It has features like downloading tracks, cover art, generating XSPF playlists and more. The included documentation states that future features include playlist generation/editing, shuffle mode, and faster browsing.

The following section describes how to install Fireplay.

1. Download Fireplay from the mirror.

# wget http://www.mellberg.org/FirePlay.zip
--2009-06-12 23:50:18--  http://www.mellberg.org/FirePlay.zip
Resolving www.mellberg.org... 213.185.18.18
Connecting to www.mellberg.org|213.185.18.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104755 (102K) [application/zip]
Saving to: `FirePlay.zip'

100%[======================================>] 104,755      114K/s   in 0.9s

2009-06-12 23:51:04 (114 KB/s) - `FirePlay.zip' saved [104755/104755]

#

2. Copy the zip file to the admin-root directory of Firefly and extract it; the archive contains four files. The example shows the path for Debian Linux.

# cp FirePlay.zip /usr/share/mt-daapd/admin-root/
# unzip FirePlay.zip
Archive:  FirePlay.zip
  inflating: FirePlay.html
  inflating: FirePlay.readme.txt
  inflating: FirePlay.swf
  inflating: AC_RunActiveContent.js
#

3. Open the usual Firefly URL in your browser followed by the Fireplay page:

http://yourserver:3689/FirePlay.html

It is necessary to enter the Firefly admin password, as set in the Firefly configuration file (mt-daapd.conf).

It is also possible to serve Fireplay using a web server like Apache.

Have fun playing songs!


Cisco doing secure SNMP

June 3rd, 2009

Version 3 of the Simple Network Management Protocol (SNMP) was developed with the main purpose of securing the insecure SNMP protocol. Since I needed to set up SNMP for a monitoring tool I decided to do it the secure way, which is SNMPv3. This article describes how to configure SNMPv3 on a Cisco device running Cisco IOS, in my case a broadband router.

The first task is to log in at the console as a privileged user and switch to configuration mode.

router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#

The next task is to define a view. To keep it simple, we’ll create a view that allows access to the entire internet subtree:

#snmp-server view readview internet included

Next, create a group that uses the view just created. This command creates a group called readonly, and v3 means that SNMPv3 should be used. The auth keyword specifies that the entity should authenticate packets without encrypting them. The read readview part says that the view named readview should be used whenever members of the readonly group access the router.

#snmp-server group readonly v3 auth read readview

The following command creates a user called snmpro, who belongs to the readonly group. auth md5 specifies that the router should use MD5 to authenticate the user (sha is also possible). The next item is the user’s password or passphrase, which is limited to 64 characters. The last item, priv des56 passphrase, specifies the encryption of the SNMP packets.

#snmp-server user snmpro readonly v3 auth md5 password priv des56 passphrase

This configuration uses encryption to prevent passwords from being transferred in clear text and also encrypts the SNMP packets themselves, which may contain information that you don’t want available to the public.

End config mode with CNTL/Z or simply type ‘end’, and issue ‘write mem’ to save the current configuration to non-volatile memory so the change is permanent.

router(config)#end
router#write mem
Building configuration...
[OK]
router#

To verify that it’s working you can use snmpwalk. In the example below I use a Linux system to run snmpwalk and request the system description (sysDescr.0) from a host called router.

$ snmpwalk -v 3 -u snmpro -l authPriv -a MD5 -A password -x DES -X passphrase \
router sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 02:31 by prod_rel_team
$

As you can see the system description is returned successfully.
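A configuration audit that applies the same rules this post follows is a useful check to keep around. The following is an added example, not part of the article: it scans IOS snmp-server lines for v1/v2c community strings, groups below the priv level, and users still on MD5/DES (the algorithms the article uses, which are legacy choices today; SHA and AES are preferred). The sample config is constructed.

```python
import re

# Constructed running-config excerpt: the article's three SNMPv3 lines plus a
# leftover v2c community string, to show what the audit reports.
SAMPLE_CONFIG = """\
snmp-server view readview internet included
snmp-server group readonly v3 auth read readview
snmp-server user snmpro readonly v3 auth md5 password priv des56 passphrase
snmp-server community public RO
"""

# IOS syntax as used in the article: group <name> <version> [noauth|auth|priv] ...
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?")
# user <name> <group> <version> [auth md5|sha <pw>] [priv des56|des|3des|aes <bits> <pw>]
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) (v1|v2c|v3)"
    r"(?: auth (md5|sha) \S+)?(?: priv (des56|des|3des|aes(?: \d+)?) \S+)?"
)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")

def audit_snmp_config(config):
    """Return (severity, message) findings for weak or legacy SNMP settings."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            findings.append(("high", f"community '{m[1]}': v1/v2c access, unauthenticated and cleartext"))
        elif m := GROUP_RE.match(line):
            name, ver, level = m.groups()
            if ver != "v3":
                findings.append(("high", f"group '{name}': {ver}, no authentication or encryption"))
            elif level != "priv":
                # 'auth' (the article's choice) authenticates but leaves payloads readable
                findings.append(("low", f"group '{name}': level '{level or 'noauth'}', 'priv' would require encryption"))
        elif m := USER_RE.match(line):
            name, _group, ver, auth, priv = m.groups()
            if ver != "v3":
                findings.append(("high", f"user '{name}': {ver}, no authentication"))
                continue
            if auth is None:
                findings.append(("high", f"user '{name}': no auth key, requests are unauthenticated"))
            elif auth == "md5":
                findings.append(("medium", f"user '{name}': MD5 authentication, prefer sha"))
            if priv is None:
                findings.append(("medium", f"user '{name}': no priv key, payload sent in cleartext"))
            elif priv.startswith("des"):
                findings.append(("medium", f"user '{name}': {priv} encryption, prefer aes 128"))
    return findings
```

Note that IOS does not display snmp-server user lines in show running-config; collect them from show snmp user or from the configuration as it was typed.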


Thunderbird MIME mixup

May 19th, 2009

Today I decided it was time to introduce my iPhone to the campus wireless network, instead of using the slow GPRS network of my carrier. I’m still a happy user of the first generation iPhone, so I’m stuck with GPRS and that’s why I like WiFi.

So I downloaded the ready-made VU-iphone.mobileconfig file to my workstation and fired up my favorite MUA, which happens to be Mozilla Thunderbird, to mail the configuration as an attachment, just the way the online manual described. But as soon as I opened the mail app on the phone the message looked like normal text and there was no attachment to open. I decided to use Mutt as an alternative and repeated the steps described above. This time the attachment showed up as it should. So I was able to import the wireless configuration and finish the wireless setup.

Now I’m happy being wirelessly connected but still curious why the attachment sent by Thunderbird did not show up correctly in the mobile mail app. So I compared the MIME behaviour of both mail clients and it appears that Thunderbird is not behaving correctly according to RFC 2183. As you can see it uses Content-Disposition type ‘inline’ instead of the correct ‘attachment’ type.

I have stripped the irrelevant header and body information from the messages.

Thunderbird:

User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="------------070008030904000701030203"

This is a multi-part message in MIME format.
--------------070008030904000701030203
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

--------------070008030904000701030203
Content-Type: text/xml;
 name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="VU-iphone.mobileconfig"

Mutt:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

This looks like a bug.
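The mismatch described above is easy to detect mechanically, which matters for mail gateways that decide what to treat as a file. The following is an added example, not from the post: it parses messages modelled on the two header dumps (bodies constructed, irrelevant headers dropped) with Python’s email package and reports every leaf part that carries a filename but is not declared as an attachment per RFC 2183.

```python
from email import message_from_string
from email.policy import default

# Constructed messages modelled on the two header dumps in the post.
THUNDERBIRD_MSG = """\
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="------------070008030904000701030203"

This is a multi-part message in MIME format.
--------------070008030904000701030203
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Config attached.
--------------070008030904000701030203
Content-Type: text/xml;
 name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="VU-iphone.mobileconfig"

<?xml version="1.0"?><plist version="1.0"></plist>
--------------070008030904000701030203--
"""

MUTT_MSG = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Config attached.
--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

<?xml version="1.0"?><plist version="1.0"></plist>
--WIyZ46R2i8wDzkSu--
"""

def misdeclared_attachments(raw):
    """Return filenames of leaf parts that carry a filename but are not declared
    'attachment' (RFC 2183); clients may render such parts inline instead of
    offering them as files, which is the behaviour the post ran into."""
    bad = []
    for part in message_from_string(raw, policy=default).walk():
        if part.is_multipart():
            continue
        # Content-Disposition filename, falling back to the Content-Type name parameter
        filename = part.get_filename()
        if filename and part.get_content_disposition() != "attachment":
            bad.append(filename)
    return bad
```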


877W wireless config

May 13th, 2009

As mentioned earlier, I would post the wireless configuration of my Cisco 877W router as soon as I got it to work the way I like. In this setup the commonly used IRB bridge option is not used. This configuration will also work on the 857W model.

!
dot11 ssid <your ssid>
   vlan 2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 <your password>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool wireless
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server <dns server> <dns server>
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid <your ssid>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 description WLAN vlan2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Vlan2
 no ip address
!

On the (outside) dialer0 interface I had to add the following line to enable NAT:

ip nat outside

And finally you’ll need the following ip nat and access-list lines to make it work:

ip nat inside source list 103 interface Dialer0 overload
access-list 103 remark Traffic allowed to enter the router from the WLAN
access-list 103 permit 192.168.2.0 0.0.0.255

You can use the show dot11 or debug dot11 commands to troubleshoot. For example, the following output displays an associated device:

router#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [<your ssid>] :

MAC Address    IP address      Device        Name            Parent         State
xxxx.xxxx.xxxx 192.168.2.2     unknown       -               self           Assoc

router#

Enjoy being wireless!


Limit WordPress archives

May 8th, 2009

Since I switched over to a new theme I needed to rearrange the way the sidebar looks. The list of archives was just too long (I think 20 months is the default) to be aesthetically correct. So I started to look for a limit setting in the admin interface of WordPress, but could not find a way to change the limit. I probably overlooked it. So, browsing through the PHP scripts, I found the file responsible for the way the archives section behaves.

I use WordPress version 2.5.1 from the Debian lenny repository.

Edit the following file:

wordpress/wp-includes# vi general-template.php

And look for the following function:

# cat -n general-template.php
<...>
356	function wp_get_archives($args = '') {
357		global $wpdb, $wp_locale;
358
359		$defaults = array(
360			'type' => 'monthly', 'limit' => '10',
361			'format' => 'html', 'before' => '',
362			'after' => '', 'show_post_count' => false
363		);
364
<...>
#

Change the options you wish; I lowered the limit to 10 months.


New ISP, new router

May 4th, 2009

Recently I had to choose another ISP for my home internet connection, and because my previous modem was a bit limited in its capabilities I decided it was time to invest in a Cisco 877W Integrated Services Router.
The main reason to choose the 877W is that I used to work with Cisco appliances, so I’m familiar with IOS and like the CLI for managing the device.

After unpacking the device I connected the serial console cable that comes with the 877W to my laptop and turned on the device. The first step was to make the internal LAN work. My new internet connection comes with 8 public IP addresses, so I had to change my internal LAN from private space to public. Once the LAN part was done I could set up the WAN interface, which took quite some time to figure out how to configure correctly.

While exploring the device it appeared that the preinstalled IOS version was a really old one going back to 2006. I decided to load a more recent firmware image, better safe than sorry.

With the following specs I’ve created a configuration that works well for the SurfSnel ADSL product of InterNLnet:

Provider: InterNLnet (SurfSnel ADSL)
Protocol: PPPoA routed (RFC 2364)
Encapsulation: VC MUX
VPI/VCI: 0/35
Authentication: PAP

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
ip cef
!
!
ip inspect name firewall appfw firewall
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name yourdomain.com
ip name-server 217.149.196.6
ip name-server 217.149.192.6
!
appfw policy-name firewall
  application http
    strict-http action allow alarm
    content-type-verification unknown-type match-req-rsp action allow alarm
    port-misuse tunneling action allow alarm
!
!
archive
 log config
  hidekeys
!
!
interface ATM0
 description Physical ADSL (ATM) Interface
 no ip address
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl enable-training-log
!
interface ATM0.1 point-to-point
 description ATM subinterface enables PPP over ATM
 no ip proxy-arp
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
!
interface Vlan1
 ip address 145.99.xxx.xxx 255.255.255.248
 ip access-group 102 in
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect firewall in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp pap sent-username <username>@dsl.inter.nl.net password 0 <password>
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 remark DNS In and Out
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 remark DHCP client requests
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 remark NTP client requests
access-list 101 permit udp host 192.87.106.2 eq ntp any eq ntp
access-list 101 permit udp host 192.87.36.4 eq ntp any eq ntp
access-list 101 permit udp host 192.87.110.2 eq ntp any eq ntp
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179591
ntp source Vlan1
ntp server 192.87.36.4
ntp server 192.87.106.2 prefer
ntp server 192.87.110.2
end

The above configuration will most likely also work on the 857W! As you’ll probably notice the wireless part has not been configured yet, so more on that later.
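Access-list 101 above is what stands between the Internet and the router’s Dialer0 interface, so it is worth checking what it actually admits rather than reading it by eye. The following is an added example, not part of the post: a small evaluator for IOS extended ACL syntax of the kind used here (any/host/wildcard addresses, eq/gt/lt port operators, the established keyword and ICMP type names), run over a constructed subset of the post’s ACL. The packet descriptions passed to evaluate() are constructed test input.

```python
import ipaddress

# Constructed subset of the post's access-list 101 (applied inbound on Dialer0).
ACL_101 = """\
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit udp host 192.87.106.2 eq ntp any eq ntp
access-list 101 deny   ip any any log
"""

NAMED_PORTS = {"domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)  # wildcard -> mask
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq|gt|lt <port>' operator; return (predicate, rest)."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        n = NAMED_PORTS.get(tok[1]) or int(tok[1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[tok[0]], tok[2:]
    return (lambda p: True), tok

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, sport, dst, dport, opts) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        # Leftover keywords (established, ICMP type names) are match criteria; 'log' is not.
        rules.append((t[2], t[3], src, sport, dst, dport, set(rest) - {"log"}))
    return rules

def evaluate(rules, proto, src, dst, sport=0, dport=0, flags=frozenset()):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport, opts in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and rsport(sport) and rdport(dport) and opts <= set(flags)):
            return action
    return "deny"

RULES = parse_acl(ACL_101)
```

A DNS reply to an ephemeral port and an NTP reply from a listed server pass, while an unsolicited TCP connection or NTP from any other host falls through to the final deny.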


Setup Firefly to serve iTunes

May 4th, 2009

This guide will help you set up Firefly Media Server to serve iTunes. This server-based program, previously known as “mt-daapd”, shares your media collection with iTunes. DAAP stands for Digital Audio Access Protocol and was developed by Apple to share media across a local network.

I have done the installation on Debian Lenny, but Firefly (still called mt-daapd in the Debian repository!) is even available on Windows. In order to publish the Firefly shared library on the network I have used Avahi, which is a free implementation of Zeroconf including mDNS/DNS-SD.

1. Install the needed packages including dependencies

# apt-get install mt-daapd avahi-daemon

2. Setup Avahi by creating /etc/avahi/services/mt-daapd.service

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_daap._tcp</type>
    <port>3689</port>
    <txt-record>txtvers=1</txt-record>
    <txt-record>iTSh Version=131073</txt-record>
    <txt-record>Version=196610</txt-record>
  </service>
</service-group>

3. Restart the Avahi daemon

# /etc/init.d/avahi-daemon restart

4. Edit /etc/mt-daapd.conf. The following variables were important to me:

# $Id: mt-daapd.conf.templ 1660 2007-09-12 13:08:04Z rpedde $
#
# This is the mt-daapd config file.

<...>

#
# admin_pw (required)
#
# This is the password to the administrative pages
#

admin_pw = mt-daapd

<...>

#
# mp3_dir (required)
#
# Location of the mp3 files to share.  Note that because the
# files are stored in the database by inode, these must be
# in the same physical filesystem.
#

mp3_dir = /path/to/music

#
# servername (required)
#
# This is both the name of the server as advertised
# via rendezvous, and the name of the database
# exported via DAAP.  Also know as "What shows up in iTunes".
#

servername = Firefly %v on %h

<...>

5. Restart mt-daapd

# /etc/init.d/mt-daapd restart

The first time you start mt-daapd it will do a full scan to populate the mt-daapd database. Watch the /var/log/daemon.log file to see when it’s ready.

May  4 09:54:25 sinners mt-daapd[16843]: Firefly Version svn-1696: Starting with debuglevel 2
May  4 09:54:25 sinners mt-daapd[16843]: Plugin loaded: daap/svn-1696
May  4 09:54:25 sinners mt-daapd[16843]: Plugin loaded: ssc-ffmpeg/svn-1696
May  4 09:54:25 sinners mt-daapd[16843]: Plugin loaded: rsp/svn-1696
May  4 09:54:25 sinners mt-daapd[16843]: Starting rendezvous daemon
May  4 09:54:25 sinners mt-daapd[16843]: Client running
May  4 09:54:25 sinners mt-daapd[16843]: Starting signal handler
May  4 09:54:25 sinners mt-daapd[16845]: Initializing database
May  4 09:54:25 sinners mt-daapd[16845]: Full reload...
May  4 09:54:25 sinners mt-daapd[16845]: Starting mp3 scan
May  4 09:54:27 sinners mt-daapd[16845]: Starting playlist scan
May  4 09:54:27 sinners mt-daapd[16845]: Updating playlists
May  4 09:54:27 sinners mt-daapd[16845]: Scanned 10 songs in 1 seconds
May  4 09:54:27 sinners mt-daapd[16845]: Starting web server from /usr/share/mt-daapd/admin-root on port 3689
May  4 09:54:27 sinners mt-daapd[16845]: Registering rendezvous names
May  4 09:54:27 sinners mt-daapd[16845]: Serving 10 songs.  Startup complete in 2 seconds

Now you should be able to connect to the mt-daapd admin web interface at http://yourservername:3689.

6. You’re done!
Fire up iTunes and you’ll see the newly created Firefly library become available under Shared. You can also use this service with Rhythmbox Music Player, XMMS with the DAAP plugin, or any other DAAP compatible music player.
