11/26/2009

Troubleshooting: (Windows Server 2008) DHCP server Access Denied

Let's say you added the DHCP Server role to your Windows Server 2008.
Now you try to authorize it so it can accept DHCP client requests, but you get an Access Denied message.

This happens when the account you are logged on with does not have permission to do this.
You NEED to add the user you are using to a group which has that permission, i.e. the right to authorize your DHCP server to hand out addresses to DHCP clients.

You could add it to one of the default groups, such as Domain Admins.

After you ADD this user to the group which has permission to do this, you NEED to log off that user and then log in again.

11/23/2009

Troubleshooting: FortiClient

When you get this error:
loc_ip=y.y.y.y.y loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=test1
status=negotiate_error msg="No response from the peer, retransmit (st=1)....


program=ipsec msg=Failed to add vpn gateway x.x.x.x to trusted zone

The problem is most likely that the IKE/IPsec service isn't allowed through the firewall, so check those policies on the FortiGate or on the company's firewall.

I had that problem today when I was at a client and I was trying to VPN to another client to fix something there. I was getting that error... and I didn't know my co-worker who configured that FortiGate had blocked the IPsec service; I realized that after 15 minutes thinking about what it was.

Configuration: Rate limiting traffic on the Alcatel 6200

I was asked to do this last week at my job; I'll give away a sample configuration of how you do it via the CLI.

You can rate limit the bandwidth upstream and downstream. This is how you do it on an Alcatel 6200:


qos advanced
mac access-list test1
permit any any
exit
class-map test2
match access-group test1
exit
policy-map test3
class test2
police "committed-rate in kbps" "committed-burst in bytes" exceed-action drop
exit
exit
interface ethernet "interface number"
service-policy input test3
traffic-shape "committed rate in kbps" "excess burst in bytes"
exit

Works pretty well...

11/22/2009

Tech Note: RIP Auto-Summarization

Another good tech note if you are studying for the CCNA exam.

RIP only auto-summarizes when an update crosses a major (classful) network boundary, which means that if the networks share the same major network, auto-summarization won't happen.

The other requirement is that the subnets must all share the same subnet mask.

So, Ex. 1:

10.1.10.0/24|-----R1<---192.168.1.0/30---->R2<----192.168.1.4/30---->R3----|10.2.20.0/24

Here R1 will send an update to R2 with the network 10.0.0.0
(as it crosses a different class boundary / different major network).

Ex. 2:

10.1.10.0/24|-----R1<---10.16.3.0/30---->R2<----10.16.3.4/30---->R3----|10.2.20.0/24

Here R1 won't send an update to R2! It's the same class boundary, using the same major network 10.0.0.0, but the update will be suppressed, AS the outgoing interface has a DIFFERENT SUBNET MASK (/30).

Ex. 3:

10.1.10.0/24|-----R1<---10.16.3.0/24---->R2<----10.16.4.0/24---->R3----|10.2.20.0/24

NOW the network will work fine: you will see that R1 receives updates for 10.2.20.0, 10.16.3.0 and
10.16.4.0, and the interface on R1 that receives the updates will apply its own mask of /24 to them.
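As an added example (not part of the original post), here is a small Python model of the three cases above: given a route and the outgoing interface, it decides what a classful RIP router advertises. The function names and the interface/route arguments are my own assumptions for illustration.

```python
import ipaddress


def classful_network(net):
    """Major (classful) network of a subnet: /8, /16 or /24 by first octet."""
    first = net.network_address.packed[0]
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network((int(net.network_address), plen), strict=False)


def ripv1_advertisement(route, out_iface):
    """What a classful RIP router advertises for `route` out of `out_iface`.

    route and out_iface are CIDR strings such as '10.1.10.0/24' and
    '192.168.1.0/30'. Returns the prefix sent, or None when the update
    is suppressed (same major network but a different mask).
    """
    r = ipaddress.ip_network(route, strict=False)
    o = ipaddress.ip_network(out_iface, strict=False)
    if classful_network(r) != classful_network(o):
        # Ex. 1: crossing a major-network boundary -> summarised to classful
        return str(classful_network(r))
    if r.prefixlen != o.prefixlen:
        # Ex. 2: same major network, different mask -> update suppressed
        return None
    # Ex. 3: same major network and same mask -> the subnet is sent as is
    return str(r)


if __name__ == "__main__":
    # The three topologies from the post, seen from R1 towards R2
    for route, iface in [("10.1.10.0/24", "192.168.1.0/30"),
                         ("10.1.10.0/24", "10.16.3.0/30"),
                         ("10.1.10.0/24", "10.16.3.0/24")]:
        print(route, "out", iface, "->", ripv1_advertisement(route, iface))
```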

11/21/2009

Tech Notes: Feasible Distance and Advertised Distance

More good stuff if you are studying for the CCNA.


FD = feasible distance

AD = advertised distance

AD = the distance from the neighbor router to the destination

FD = AD + the cost between your router and that neighbor

It's as simple as that.
Simple example:

R1---------R2--------R3---------R4

The cost from R1 to R2 is 4.

The cost from R2 to R4 is 8, so the AD is 8, because it is the cost from R1's neighbor to the destination.

FD = 4+8=12

In this example I just gave you a single route from R1 to R4, but normally there will be many routes with many different FDs; the router picks the one with the lowest FD and puts it in the routing table.

How To: Route Summarization

RIPv1 and IGRP
These protocols auto-summarize to the classful network, which means that
if you try to add a network of 10.1.1.1 it will be auto-summarized to 10.0.0.0.

You can't turn off this auto-summarization in RIPv1 and IGRP.

You can turn it off in RIPv2 and EIGRP.

OSPF and IS-IS do not auto-summarize.

Note:
Classful routing protocols (RIPv1 and IGRP) automatically summarize routes on the classful network boundary and do not support summarization on any other bit boundaries. Classless routing protocols support summarization on any bit boundary.


Route Summarization Calculation Example

Suppose you have these networks attached to your router, like different LANs:

172.16.12.0/24

172.16.13.0/24

172.16.14.0/24

172.16.15.0/24

1) First step:
Convert everything to binary.

10101100.00010000.00001100.00000000 --> 172.16.12.0
10101100.00010000.00001101.00000000 --> 172.16.13.0
10101100.00010000.00001110.00000000 --> 172.16.14.0
10101100.00010000.00001111.00000000 --> 172.16.15.0


2) Second step

You need to locate the bits up to where all the addresses are equal.
What do I mean by this?

10101100.00010000.000011|00.00000000 --> 172.16.12.0
10101100.00010000.000011|01.00000000 --> 172.16.13.0
10101100.00010000.000011|10.00000000 --> 172.16.14.0
10101100.00010000.000011|11.00000000 --> 172.16.15.0

As you can see, all the bits are equal up to the 6th bit of the 3rd octet (above, the bar marks where the equal bits end; in the original post they were in bold).

Now that you have found this, we go to step 3.

3) Third step

You need to count those common bits. The summary route will be the first IP address in the block, and the subnet mask length will be the number of common bits.

So the answer is
172.16.12.0/22


Well, I think this is all you need to know about summarizing.

How To: FortiGate DHCP Address Reservation

Well, here is something I have used a lot in day-to-day work, and that is DHCP address reservation.

You can only configure it in the CLI, so you will need to access it via console, Telnet, or via the web GUI (the CLI console on the Status dashboard).
So here is how you do it on Fortinet (FortiGate):

config system dhcp reserved-address
    edit "Carlos"
        set ip 192.168.1.10
        set mac 00:21:70:8B:79:DD
    next
end

ip is the IP address you are assigning to the client.
mac is the MAC address of the client's network card or wireless network card.

You MUST type end and then hit Enter, or the change won't be saved.

You must enter the MAC address in the 00:21:70:8B:79:DD format; you cannot use the 00-21-70-8B-79-DD format.

Now you may ask me: why would I want to do this?
I'll give you a scenario:

You have a small business client, and the network administrator of that company asks you for the manager's laptop to get a specific IP, but he is unable to set it on the laptop because the manager uses his laptop outside the company and needs DHCP enabled on his wireless card, as he doesn't know anything about IPs, static IPs, etc.
If he sets a static IP on the laptop, the manager won't be able to connect at public APs or at home, because the wireless card will have the company's IP address.
So how do you fix it?
Well, by putting an address reservation on their FortiGate (supposing this is the only DHCP server in their network).
With this, he can keep DHCP enabled on his wireless card and still get the specific IP he needs in the company, and when he goes anywhere else he can connect to any network with DHCP without changing anything on his network card.

This is really useful.

Tech Notes: CIDR / Address Aggregation / Summarization / Subnetting

Let's start this blog by explaining some concepts.
If you are studying for the Cisco Certified Network Associate (CCNA), this will help you a lot.

People confuse all these terms and sometimes think, for example, that route summarization is the same as CIDR, so I decided to explain all of them.

Let's first look at subnetting.

Subnetting is when the address mask is extended into the host space to address multiple data links under one major network address.

Looking at it from the other perspective, a subnet address may be thought of as a summarization of a group of sub-subnets, and a major network address may be thought of as a summarization of a group of subnet addresses.
What I mean is, for example, if I have
a major network 192.168.1.0/24
we can subnet it to

192.168.1.0/25
192.168.1.128/25

These would be 2 subnets of the major network 192.168.1.0/24.

But I could take

192.168.1.0/25 and subnet that part even further to

192.168.1.0/26
192.168.1.64/26

These would be sub-subnets of the subnet 192.168.1.0/25.

I could summarize these
192.168.1.0/26
192.168.1.64/26
to
192.168.1.0/25, which is what I said above: "a subnet address may be thought of as a summarization of a group of sub-subnets".

And I could summarize these
192.168.1.0/25
192.168.1.128/25
to 192.168.1.0/24, which is the major network address summarized from a group of subnet addresses.

Now what is summarizing?
Well, summarization is reducing the mask length, but without crossing the class limit of the major network. So what do I mean by this?
Well, when you summarize a Class C you will only be able to summarize up to /24. Let's say you have many /26s; when you summarize, you will be able to reduce the mask length of the group of /26s to something shorter than /26, but no shorter than /24.
For example:
192.168.1.0/26
192.168.1.64/26
192.168.1.128/26
192.168.1.192/26

You can summarize that to 192.168.1.0/24.

Now let's see address aggregation (also known as supernetting).
Address aggregation takes summarization a step further by crossing the class limits of the major network addresses.
What do I mean by this?
For example, if I had
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

I wouldn't be able to summarize that, because I would be crossing the class limits... so what I can do is address aggregation and convert that to

192.168.0.0/22
So an aggregate address represents a numerically contiguous group of network addresses.

Let's look at CIDR (Classless Inter-Domain Routing).
This uses address aggregation to solve the problem of the exponential growth of the Internet: all the Class B addresses were being used up while the Class C addresses weren't used so much.
CIDR aggregates of Class C addresses are allocated by the IANA to various worldwide address assignment authorities such as APNIC in Asia, ARIN in North America and RIPE in Europe.
The address assignment authorities in turn divide their portion among the regional Internet ISPs. When an organization applies for IP addresses and requires addressing for fewer than 32 subnets and 4096 hosts, it will be given a contiguous group of Class C addresses called a CIDR BLOCK.

In this way the Internet routers of individual organizations can advertise a single summary address to their ISP.
The idea is to summarize the addresses in a region into a single regional address.
Just to give you all an example of how this is distributed:

Multi-regional         192.0.0.0 - 193.255.255.255
Europe                 194.0.0.0 - 195.255.255.255
Others                 196.0.0.0 - 197.255.255.255
North America          198.0.0.0 - 199.255.255.255
Central/South America  200.0.0.0 - 201.255.255.255
Pacific Rim            202.0.0.0 - 203.255.255.255
Others                 204.0.0.0 - 205.255.255.255
Others                 206.0.0.0 - 207.255.255.255

So, in conclusion:
1 - Summarization is not the same as supernetting. Both reduce the network mask length, but one crosses the class limit of the major network (supernetting) and the other doesn't (summarization); in other words, summarization stays to the right of the major network boundary while supernetting goes to the left of it.
2 - CIDR is not the same as summarization. CIDR uses address aggregation, and CIDR is a solution to the exponential growth of the Internet.
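As an added example (not from the original post), this Python code carries out the three-step calculation from the Route Summarization post (binary, common bits, first address with the common-bit mask) and then tells summarization from aggregation/supernetting the way this post defines them, by checking whether the resulting mask crosses the classful boundary. The function names are my own; the classful boundary is taken from the first octet.

```python
import ipaddress


def dotted_binary(cidr):
    """Step 1 of the post: show a network address as four 8-bit groups."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ".".join(f"{b:08b}" for b in net.network_address.packed)


def classful_prefix(net):
    """Class A/B/C boundary from the first octet: /8, /16 or /24."""
    first = net.network_address.packed[0]
    return 8 if first < 128 else 16 if first < 192 else 24


def summarize(cidrs):
    """Return (summary route, kind) covering every network in `cidrs`.

    Steps 2 and 3 of the post: count the leading bits shared by all the
    network addresses; the summary is the first address of the block with
    a mask as long as the run of common bits. kind is 'summarization' when
    the mask stays at or to the right of the classful boundary and
    'aggregation' (supernetting) when it crosses to the left of it.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    first = int(nets[0].network_address)
    common = min(n.prefixlen for n in nets)  # never longer than the inputs
    for n in nets[1:]:
        diff = first ^ int(n.network_address)
        if diff:
            # highest differing bit bounds the run of equal leading bits
            common = min(common, 32 - diff.bit_length())
    summary = ipaddress.ip_network((first, common), strict=False)
    kind = "summarization" if common >= classful_prefix(summary) else "aggregation"
    return str(summary), kind


if __name__ == "__main__":
    lans = ["172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24"]
    for c in lans:
        print(dotted_binary(c), "-->", c)
    print(summarize(lans))                        # ('172.16.12.0/22', 'summarization')
    print(summarize(["192.168.%d.0/24" % i for i in range(4)]))  # aggregation
```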

Welcome to my blog

Hello everyone.
In my blog you will find a lot of networking information, which means information about network configuration on specific equipment like Cisco, Alcatel, Fortinet and Microsoft, step by step with screenshots on how to do things.
You will also find day-to-day troubleshooting and configuration from my own work, and a lot more.

Regards
Carlos / Network Support Engineer
Cisco Certified Network Associate
Fortinet Certified Security Administrator
Microsoft Certified Technology Specialist: Configuring Windows Vista Clients
Wireless# Certified