How Do I Find/Change My IP Address?

KB ID 0000208

What’s an IP address?

An IP address is the address used on a network to find your PC, Server, Laptop, or Printer etc. It’s the networking equivalent of your house number and post code (or Zip Code for visitors from over the pond).

Do you want your PUBLIC or PRIVATE IP address? As we started to run out of addresses, there were a number of solutions that we came up with, one you will see below (DHCP) the other is NAT (Network Address Translation) that lets many IPs on a network share one (or more) public IP addresses on the internet. If you want to know your PUBLIC address (your address in on the internet) then simply see below;

Your Public IP Address Is: [user_ip]

Where does my IP address come from?

You get an IP address by two methods,

1. Statically Assigned: Your address never changes and is allocated to you manually.

2. Dynamically Assigned: Your machine gets its IP address automatically via a system called DHCP.

What does an IP address look like?

Most IP addresses in use today are IP version 4 and consist of 4 numbers separated by three full stops (or once again, periods, for overseas visitors).

An IP address 192.168.1.100

Is that all my computer needs?

NO! You need FOUR pieces of information to access the internet and work properly;

1. The IP address itself (i.e. 192.168.1.100) this is unique to every machine on the network.

2. The Subnet Mask (i.e. 255.255.255.0) this tells the machine how big the network it is on, is.

3. The Default Gateway, this is another IP address on the network that you need to go through to get off the local network, i.e. to access the internet.

4. The DNS IP address, this is another IP address of a machine that can translate IP addresses into names (e.g. translate www.bbc.co.uk to 212.58.246.159).

What’s my IP address?

1. Windows Key + R > type ‘cmd’ {Enter}

2. A Command Window will open, click within the box and you can type in commands, the command to show your IP address is ipconfig, but this WONT show us the DNS settings as well, to do that the command is “ipconfig /all“.

Note: If you have many network connections you will get results for them all, you may need to scroll up and down to find the right one.>

IP Problems

Problem 1: My machine has got an IP address that is 169.254.x.y (where x and y can be any number from 1 to 254).

Answer: This machine is set to get its IP address automatically via DHCP but it cant speak to the DHCP server, because either the DHCP server is down or there is no connection between the DHCP server and you.

Problem 2: My IP address shows as 0.0.0.0

Answer: You have been given a static IP address and someone on the same network is using the same address, this causes an IP conflict, change one of the IP addresses.

Find out if your IP address is statically assigned of dynamically assigned

The more eagled eyed of you will see on the ipconfig /all results above that this machine is disabled for DHCP so its dynamically assigned however, on your Windows machine do the following.

1. Windows Key + R > Tyoe ‘ncpa.cpl’ {Enter}

2. Your network connections window should open and locate the connection you are connecting with (you might have many, be sure to select the right one, i.e. you might have one for dial up, one for wireless, one for a VPN to the office etc). Right click the connection and select properties.

3. On the window that appears you may have to scroll down the list, we are looking for its TCP/IP (on newer machines it will be called “Internet Protocol Version 4 (TCP/IPv4)”, Select it and click properties.

4. Now you can see if your addresses are set statically or dynamically.

How to change your IP address

To change your IP address you first need to know if you have a static IP address or a Dynamically assigned one. (That’s why this section is below the one above).

1. If you have a static IP address, simply change it on the screen shown (diagram above).

2. If you have a Dynamic IP address, you can either reboot the machine in question or Click Start > run > cmd {enter}

3. A Command Window will open, click within the box and you can type in commands, the command to release your IP address is ipconfig /release

Then to get a new address type in ipconfig /renew

Related Articles, References, Credits, or External Links

NA

Enable The “Remote Registry Service” through Group Policy

KB ID 0000488 

Problem

I was rolling out Trend Worry Free Business Security this week, and to send out the client software all the client machines needed the remote registry service enabled. That’s great but it’s set to manual startup be default.

As I didn’t want to visit each machine I wanted to do this through group policy.

Solution

1. On a domain controller, Start > administrative tools > Group Policy Editor > Either edit an existing policy or create a new one (Remember its a computer policy you need to link it to something with computers in it, if you link it to a users OU nothing will happen).

2. Navigate to, Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

3. In the right hand pane locate “Remote Registry”.

4. Define the policy, and set the startup type to automatic.

4. Then (post reboot) All your clients will have the service running.

 

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Configuring Switch to Switch MACSEC

KB ID 0001000 

Problem

My colleague had to set this up on the test bench today, and it looked infinitely more interesting that what I was doing, so I grabbed my console cable, and offered to ‘help’.

This was done on two Cisco Catalyst 3560-X switches, each with a 10G Service Module (C3KX-SM-10G), and 1Gb SFP modules (Note: Not 10Gb ones, this will become important later).

Solution

1. First hurdle was, when we tried to add the first command to the interface ‘cts man’ it would not accept the command, you need to make sure you are running either IP Base, or the IP Services feature set.

Note: We are running the universal IOS image this allows us to do the following;

[box]

Switch(config)#license boot level ipbase
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR

LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

You hereby acknowledge and agree that the product feature license
is terminable and that the product feature enabled by such license
may be shut down or terminated by Cisco after expiration of the
applicable term of the license (e.g., 30-day trial period). Cisco
reserves the right to terminate or shut down any such product feature
electronically or by any other means available. While alerts or such
messages may be provided, it is your sole responsibility to monitor
your terminable usage of any product feature enabled by the license
and to ensure that your systems and networks are prepared for the shut
down of the product feature. You acknowledge and agree that Cisco will
not have any liability whatsoever for any damages, including, but not
limited to, direct, indirect, special, or consequential damages related
to any product feature being shutdown or terminated. By clicking the
"accept" button or typing "yes" you are indicating you have read and
agree to be bound by all the terms provided herein.

ACCEPT? (yes/[no]): yes
Switch(config)#
Mar 30 01:43:18.513: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name
= c3560x Next reboot level = ipbase and License = ipbase

[/box]

Then reload the switch.

2. Then this jumped up and bit us;

[box]

Mar 30 01:32:07.400: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Te1/1)
Mar 30 01:32:19.379: %PLATFORM_SM10G-3-SW_VERSION_MISMATCH: The FRULink 10G Service Module (C3KX-SM-10G) in switch 1 has a software version that is incompatible
with the IOS software version. Please update the software. Module is in pass-thru mode.

[/box]

3. If you issue the following command, you can see the difference (highlighted).

[box]

Switch#show switch service-modules
Switch/Stack supports service module CPU version: 03.00.76
                          Temperature                     CPU
Switch#  H/W Status       (CPU/FPGA)      CPU Link      Version
-----------------------------------------------------------------
 1       OK               41C/47C         ver-mismatch  03.00.41


Switch#

[/box]

4. So a quick download from Cisco later, with the file on a FAT32 formatted USB drive.

[box]

Switch#archive download-sw usbflash0:/c3kx-sm10g-tar.150-2.SE6.tar
examining image...
extracting info (100 bytes)
extracting c3kx-sm10g-mz.150-2.SE6/info (499 bytes)
extracting info (100 bytes)

System Type: 0x00010002
Ios Image File Size: 0x017BDA00
Total Image File Size: 0x017BDA00
Minimum Dram required: 0x08000000
Image Suffix: sm10g-150-2.SE6
Image Directory: c3kx-sm10g-mz.150-2.SE6
Image Name: c3kx-sm10g-mz.150-2.SE6.bin
Image Feature: IP|LAYER_3|MIN_DRAM_MEG=128
FRU Module Version: 03.00.76

Updating FRU Module on switch 1...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!
!!!!!!!!!!!!!!!!!!!

Updating FRU FPGA image...

FPGA image update complete.
All software images installed.
Switch#

[/box]

Configuring One Switch Uplink for MACSEC

1. Notice I’m configuring GigabitEthernet 1/2 NOT TenGigabitEthernet 1/1, this is because I’m using 1Gb SFP’s, both interfaces are listed in the config! (This confused us for about twenty minutes). We are not using dot1x authentication, we are simply using a shared secret password (abc123). Note: This has to be a hexedecimal password i.e numbers 0-9 and letters a-f.

[box]

Switch(config)#interface GigabitEthernet 1/2
Switch(config-if)#cts man
% Enabling macsec on Gi1/2 (may take a few seconds)...

Switch(config-if-cts-manual)#no propagate sgt
Switch(config-if-cts-manual)#sap pmk abc123 mode-list gcm-encrypt
Switch(config-if-cts-manual)#no shut
Switch(config-if)#
Mar 30 01:59:03.800: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/2)
Mar 30 01:59:04.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthe
rnet1/2, changed state to down
Mar 30 01:59:05.805: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state
to down
Mar 30 01:59:08.339: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state
to up
Mar 30 01:59:09.329: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/2)
Mar 30 01:59:10.016: %CTS-6-PORT_AUTHORIZED_SUCCESS: Port authorized for int(Gi1/2)
Mar 30 01:59:11.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthe
rnet1/2, changed state to up

[/box]

Configuring A Port-Channel Switch Uplink for MACSEC

1. Configure MACSEC on both physical interfaces, before you ‘port-channel’ them. The second interface (when using 1GB SFP’s), is GigabitEthernet 1/4.

[box]

!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
!
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport mode trunk
cts manual
no propagate sgt
sap pmk abc123 mode-list gcm-encrypt
channel-group 1 mode on
!

interface GigabitEthernet1/4
switchport trunk encapsulation dot1q
switchport mode trunk
cts manual
no propagate sgt
sap pmk abc123 mode-list gcm-encrypt
channel-group 1 mode on
!

[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Steve Housego (www.linevty.com) for doing 97% of the hard work, whilst being slowed down by my ‘help’.

Sync Microsoft Domain Time To A Cisco NTP Device

KB ID 0001038

Problem

I’ve been posting domain time articles for a long time, and on more than one occasion I’ve really needed to take my Windows time from a Cisco Device and failed miserably. I’ve even used third party NTP software to solve this problem on my own test network.

On a client network, my colleague deployed ACS5 this week, I secured the ASA5585-X for AAA and it failed authentication. Logging revealed a clock skew error, so we manually set the time on the domain PDC. Within half an hour it was failing. The network topology prevented me syncing to a public NTP server from the domain PDC.

We did however have all the network devices syncing from a public time source, if only we could use one of those?

Solution

Step 1 Configure NTP on your Cisco Device.

Here I’m using a 7200 Router in GNS3, the NTP IP addresses I use are UK based NTP servers, I suggest you replace them with some public NTP servers on your own continent. I’m using two for redundancy.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ntp server 130.88.202.49 prefer
Petes-Router(config)#ntp server 194.35.252.7

[/box]

NOTE: You need to force the Cisco device to advertise itself with a low stratum, typically the lower the stratum, the closer to atomic time you are supposed to be, (so we are actually forcing the device to lie, but if we don’t, Windows wont trust it!)

[box]

 Petes-Router(config)#ntp master 5 

[/box]

It can take a while for NTP, (go and have a coffee), then check it’s synchronised, DO NOT proceed until the Cisco device has synchronised.

[box]

R1#show ntp status
Clock is synchronized, stratum 5, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
ntp uptime is 364600 (1/100 of seconds), resolution is 4000
reference time is D898D3A0.319A96D4 (23:05:04.193 GMT Wed Feb 25 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.26 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.

[/box]

Step 2 Configure Windows to use Cisco NTP Time

In the past I’ve said “Windows Does not use NTP, it uses Win32 Time” This is not strictly true, it does use NTP, but by default it uses ‘Symmetric Active Mode NTP’ and your Cisco Device expects its NTP requests to be submitted via ‘Client Mode NTP‘. (See MS KB 875424 for more info).

Note: By default Windows Domains take their time from the PDC emulator, carry this procedure out on that server!

Locate your FSMO Role Servers

Open an elevated command prompt and execute the following commands (the Cisco device IP is shown in red, change accordingly);

[box]

w32tm /config /manualpeerlist:"123.123.123.148",0x8 /syncfromflags:MANUAL
net stop "windows time"
net start "windows time"
w32tm /resync

Note: If you want to specify TWO Cisco devices, use the following syntax

w32tm /config /manualpeerlist:"123.123.123.148,123.123.123.149",0x8 /syncfromflags:MANUAL

[/box]

Now in the Servers System log, you should see the following two events logged.

Event ID 37

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:33:19
Event ID: 37
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time provider NtpClient is currently receiving valid time data from 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).

Event ID 35

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:21:17
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time service is now synchronizing the system time with the time source 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).

 

Windows and Cisco NTP Problems and Errors

Event ID 47

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:11:07
Event ID: 47
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
Time Provider NtpClient: No valid response has been received from manually configured 
peer 123.123.123.148 after 8 attempts to contact it. This peer will be discarded as a 
time source and NtpClient will attempt to discover a new peer with this DNS name. The 
error was: The peer is unreachable.

On your Cisco Device you will see debug output like so, (it will repeat 8 times);

[box]

Petes-Router#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
Petes-Router#
000031: Feb 25 22:07:45.831: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000032: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: message received
000033: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
000034: Feb 25 22:07:54.967: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000035: Feb 25 22:07:54.967: NTP Core(DEBUG): ntp_receive: message received
000036: Feb 25 22:07:54.971: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#

[/box]

Causes:

This is a pretty generic error, but in this case, one of the following situations can cause this;

1. UDP Port 123 is blocked between Windows and the Cisco NTP device.

2. The Cisco NTP device has not synchronised form a reliable NTP source.

3. The stratum of the Cisco NTP device is to high.

4. Windows is attempting to sync time using ‘Symmetric Active Mode NTP‘ See my comments above.

Related Articles, References, Credits, or External Links

Windows – Setting Domain Time

Cisco ASA – Configuring for NTP

VMware – Setting up ESX NTP Time Sync