Thursday, 2 August 2012

RIP over GRE Tunnel with QoS Configuration

In this configuration I have 4 routers: R1, R2, R3 and R4. R2 and R3 run external BGP between them. A GRE tunnel runs between R2 and R3, sourced from and terminated on their loopbacks (which BGP carries via redistribute connected), and RIP runs over the tunnel. R1 and R4 also run RIP. QoS is applied to the tunnel interface via an output service policy that shapes traffic according to which access list it matches.
This configuration was built in GNS3 with 2691 routers running C2691-ADVENTERPRISEK9-M.
Irrelevant parts of the configs below have been omitted for brevity. One caveat before the configs: plain GRE adds no confidentiality or integrity to the traffic it carries, and neither the RIP nor the BGP sessions here are authenticated. Outside a lab, run the tunnel over IPsec and enable MD5 authentication on both routing protocols.


=~=~=~=~=~=~=~=~=~=~=~= R1=~=~=~=~=~=~=~=~=~=~=~=
hostname R1
!
! Two loopback interfaces to allow us to differentiate the traffic for the class-maps
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
! We run RIP to learn routes from R2
router rip
 version 2
 network 1.0.0.0
 network 11.0.0.0
 network 192.168.0.0
 network 192.168.1.0
 no auto-summary
!

=~=~=~=~=~=~=~=~=~=~=~= R2=~=~=~=~=~=~=~=~=~=~=~=
hostname R2
! We create two class-maps which match named access lists
class-map match-all CMAP_MATCH11
 match access-group name MATCH11
class-map match-all CMAP_MATCH1
 match access-group name MATCH1
!
! The policy-map shapes each class: traffic matching ACL MATCH1 is shaped to
! 8 kbps, traffic matching ACL MATCH11 to 512 kbps. Anything else falls into
! class-default, which is left unshaped.
policy-map TUNNEL
 class CMAP_MATCH1
  shape average 8000
 class CMAP_MATCH11
  shape average 512000
 class class-default
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
! Tunnel interface with the service policy applied on output
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 3.3.3.3
 service-policy output TUNNEL
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 speed 100
 full-duplex
! We run RIP over the LAN and tunnel interfaces only
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel0
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
! BGP to R3 to carry the tunnel
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.2.254 remote-as 2
 neighbor 192.168.2.254 next-hop-self
 no auto-summary
!
! ACLs to match the source and destination loopbacks
ip access-list extended MATCH1
 permit ip host 1.1.1.1 host 4.4.4.4
ip access-list extended MATCH11
 permit ip host 11.11.11.11 host 44.44.44.44
!
!
=~=~=~=~=~=~=~=~=~=~=~= R3 =~=~=~=~=~=~=~=~=~=~=~=
hostname R3
!
!
! Class-map, policy-map and ACLs are basically the reverse of R2
class-map match-all CMAP_MATCH44
 match access-group name MATCH44
class-map match-all CMAP_MATCH4
 match access-group name MATCH4
class-map match-all MyClass
!
!
policy-map TUNNEL
 class CMAP_MATCH4
  shape average 8000
 class CMAP_MATCH44
  shape average 512000
 class class-default
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 2.2.2.2
 service-policy output TUNNEL
!
interface FastEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 speed 100
 full-duplex
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface Loopback0
 no passive-interface Tunnel0
 network 10.0.0.0
 network 192.168.3.0
 no auto-summary
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 next-hop-self
 no auto-summary
!
ip access-list extended MATCH4
 permit ip host 4.4.4.4 host 1.1.1.1
ip access-list extended MATCH44
 permit ip host 44.44.44.44 host 11.11.11.11
!

=~=~=~=~=~=~=~=~=~=~=~= R4 =~=~=~=~=~=~=~=~=~=~=~=
hostname R4
! Again, R4 is basically a mirror of R1
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 44.44.44.44 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.3.254 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 speed 100
 full-duplex
!
router eigrp 1
 network 0.0.0.0
 no auto-summary
!
router rip
 version 2
 network 44.0.0.0
 network 0.0.0.0
 no auto-summary
!

=~=~=~=~=~=~=~=~=~=~=~= Verification =~=~=~=~=~=~=~=~=~=~=~=
A traceroute from R1 Lo0 to R4 Lo0 shows the path goes via the tunnel interface (10.0.0.2 is R3's end of the tunnel):
R1#traceroute 4.4.4.4 source 1.1.1.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 192.168.1.254 48 msec 24 msec 16 msec
  2 10.0.0.2 44 msec 44 msec 28 msec
  3 192.168.3.254 96 msec *  68 msec

An extended ping from Lo0 to Lo0 with a larger packet size - this traffic hits the 8 kbps class. Note the average RTT of 482 ms:
R1#ping 4.4.4.4 source 1.1.1.1 size 500 rep 50

Type escape sequence to abort.
Sending 50, 500-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 40/482/1008 ms

The same extended ping, but this time we use the other loopbacks as source and destination so the traffic hits the class with the higher shape rate - note the much better average RTT of 58 ms:
R1#ping 44.44.44.44 so 11.11.11.11 size 500 rep 50

Type escape sequence to abort.
Sending 50, 500-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 20/58/92 ms

On R2, "show policy-map interface" gives the following. Note the delayed packets on the CMAP_MATCH1 class and none on the CMAP_MATCH11 class. Note also that the Target/Average rate reported for CMAP_MATCH11 is 5120000 bps, ten times the 512000 in the configuration shown above; when the show output and the config you think you applied disagree, the show output is what the router is actually doing, so re-check the running config before drawing conclusions from the RTT figures.
R2#sh policy-map interface
 Tunnel0

  Service-policy output: TUNNEL

    Class-map: CMAP_MATCH1 (match-all)
      361 packets, 184332 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name MATCH1
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
             8000/8000      2000   8000      8000      1000      1000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         361       175776    174       87000     no

    Class-map: CMAP_MATCH11 (match-all)
      460 packets, 239040 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name MATCH11
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          5120000/5120000   32000  128000    128000    25        16000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         460       228000    0         0         no

    Class-map: class-default (match-any)
      139 packets, 15568 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
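
As an added example (this is not part of the original post), here is a small Python parser for the "show policy-map interface" output above. It pulls each class's packet counts, shape rate and delayed counters, and compares the shape rate the router reports against the rate you believe the config contains. The sample input is the R2 output from this post embedded as a string so it runs offline; the expected rates passed to check_shaping are taken from the R2 policy-map above, and the check flags CMAP_MATCH11, where the router reports 5120000 bps against the configured 512000.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the R2 "show policy-map interface" output from this post,
# embedded here so the parser runs without a router.
SAMPLE = """\
 Tunnel0

  Service-policy output: TUNNEL

    Class-map: CMAP_MATCH1 (match-all)
      361 packets, 184332 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name MATCH1
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
             8000/8000      2000   8000      8000      1000      1000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         361       175776    174       87000     no

    Class-map: CMAP_MATCH11 (match-all)
      460 packets, 239040 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name MATCH11
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          5120000/5120000   32000  128000    128000    25        16000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         460       228000    0         0         no

    Class-map: class-default (match-any)
      139 packets, 15568 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-all|match-any)\)")
PKT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
# "8000/8000  2000  8000  8000  1000  1000": target/average rate, then Bc, Be, interval, increment
RATE_RE = re.compile(r"^\s*(\d+)/(\d+)(?:\s+\d+){5}\s*$")
# "-  0  361  175776  174  87000  no": adapt, queue depth, packets, bytes, delayed pkts, delayed bytes, active
STATS_RE = re.compile(r"^\s*\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(yes|no)\s*$")


def parse_policy_map(text: str) -> Dict[str, dict]:
    """Return {class name: counters} for every class in the show output."""
    classes: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"match": m.group(2), "packets": 0, "bytes": 0,
                       "shape_bps": None, "delayed_packets": 0, "delayed_bytes": 0}
            classes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = PKT_RE.match(line)
        if m:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = RATE_RE.match(line)
        if m:
            current["shape_bps"] = int(m.group(1))
            continue
        m = STATS_RE.match(line)
        if m:
            current["delayed_packets"] = int(m.group(4))
            current["delayed_bytes"] = int(m.group(5))
    return classes


def delayed_ratio(cls: dict) -> float:
    """Fraction of a class's packets the shaper had to hold back."""
    return cls["delayed_packets"] / cls["packets"] if cls["packets"] else 0.0


def check_shaping(classes: Dict[str, dict],
                  expected_bps: Dict[str, int]) -> List[Tuple[str, int, Optional[int]]]:
    """Compare the shape rate the router reports with the rate the config is
    believed to contain; returns (class, expected, reported) for each mismatch."""
    mismatches = []
    for name, bps in expected_bps.items():
        reported = classes.get(name, {}).get("shape_bps")
        if reported != bps:
            mismatches.append((name, bps, reported))
    return mismatches


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for name, cls in parsed.items():
        print(f"{name:14} shape={cls['shape_bps']} packets={cls['packets']} "
              f"delayed={cls['delayed_packets']} ({delayed_ratio(cls):.0%})")
    # Rates as written in the R2 config above; the show output disagrees for CMAP_MATCH11.
    for name, want, got in check_shaping(parsed, {"CMAP_MATCH1": 8000, "CMAP_MATCH11": 512000}):
        print(f"MISMATCH {name}: config says {want} bps, router reports {got} bps")
```

The delayed ratio is the useful number here: 174 of 361 packets (about half) in the 8 kbps class were queued by the shaper, which is where the 482 ms average RTT comes from, while the higher-rate class delayed nothing.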


Monday, 16 July 2012

Multi VRF

The configuration below shows how to extend VRFs from a PE to a customer site so that the CE (customer) router itself supports two separate routing tables. There is no MPLS core in this lab: the PE simply keeps two VRFs and runs a separate eBGP session to the CE inside each. This configuration was created on GNS3 with IOS version c2691-adventerprisek9-mz.124-25d.bin. Parts of the configuration below have been omitted for brevity. Note that neither eBGP session is authenticated; in production add a neighbor password on both sides of each session.


! PE (Provider Edge) Router Configuration

!
hostname PE-Router
!
! Create two VRFs 
ip vrf VRF1
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf VRF2
 rd 2:100
 route-target export 2:100
 route-target import 2:100
!
! Create a loopback interface to act as the BGP router ID, note it is not part of
! a vrf
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
!
! Create two more loopback interfaces, one in each VRF. This was just done to 
! illustrate that you can use overlapping address space
interface Loopback1
 ip vrf forwarding VRF1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding VRF2
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
! Create two subinterfaces with dot1q tags and assign one to each VRF
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VRF1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF2
 ip address 192.168.2.1 255.255.255.0
!
! Configure the BGP section
router bgp 1
 no synchronization
 bgp router-id 100.1.1.1
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VRF2
  redistribute connected
  neighbor 192.168.2.254 remote-as 100
  neighbor 192.168.2.254 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VRF1
  redistribute connected
  neighbor 192.168.1.254 remote-as 100
  neighbor 192.168.1.254 activate
  no synchronization
 exit-address-family
!

===============================================================


! CE (Customer Edge) Router Configuration

!
hostname CE-Router
!
! On this router we just create one VRF - the other received routes are going
! to go into the global routing table
ip vrf VRF2
 rd 2:100
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
! Create subinterfaces with dot1q tags - note that only Fa0/0.2 has
! a vrf forwarding statement
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF2
 ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
! BGP configuration - note how one neighbour statement is in the global
! section and one is in the "address-family ipv4" section
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.1.1 remote-as 1
 no auto-summary
 !
 address-family ipv4 vrf VRF2
  redistribute connected
  neighbor 192.168.2.1 remote-as 1
  neighbor 192.168.2.1 activate
  no synchronization
 exit-address-family
!

===============================================================

On the PE router:

! Only the loopback0 interface is in the global routing table
PE-Router#sh ip ro
     100.0.0.0/32 is subnetted, 1 subnets
C       100.1.1.1 is directly connected, Loopback0

PE-Router#sh ip route vrf VRF1
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1

PE-Router#sh ip route vrf VRF2
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback2
C    192.168.2.0/24 is directly connected, FastEthernet0/0.2

PE-Router#sh ip bgp vpnv4 all
BGP table version is 14, local router ID is 100.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf VRF1)
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*  192.168.1.0      192.168.1.254            0             0 100 ?
*>                  0.0.0.0                  0         32768 ?
Route Distinguisher: 2:100 (default for vrf VRF2)
*> 1.1.1.1/32       0.0.0.0                  0         32768 ?
*  192.168.2.0      192.168.2.254            0             0 100 ?
*>                  0.0.0.0                  0         32768 ?

On the CE router:

CE-Router#sh ip ro
     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 [20/0] via 192.168.1.1, 00:44:36
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1

CE-Router#sh ip route vrf VRF2
     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 [20/0] via 192.168.2.1, 00:39:49
C    192.168.2.0/24 is directly connected, FastEthernet0/0.2

CE-Router#sh ip bgp summary
BGP router identifier 192.168.1.254, local AS number 100
BGP table version is 4, main routing table version 4
2 network entries using 234 bytes of memory
3 path entries using 156 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 786 total bytes of memory
BGP activity 5/1 prefixes, 7/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4     1      54      53        4    0    0 00:45:31        2

CE-Router#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 192.168.1.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2:100 (default for vrf VRF2)
*> 1.1.1.1/32       192.168.2.1              0             0 1 ?
*  192.168.2.0      192.168.2.1              0             0 1 ?
*>                  0.0.0.0                  0         32768 ?


Friday, 6 July 2012

VRF Lite

VRF Lite (I hate the word lite - a real toe-curling Americanism - can't we call it VRF Basic or VRF - Beginner's Edition?) is a way of using VRF on a router without BGP.
In its simplest form VRF is a way of creating separate forwarding instances and routing tables on a single router. Different customers can then connect to the same router via different interfaces and all traffic is kept separate. Different customer can even have overlapping address spaces because each VRF gets its own routing table. 
The configuration below was created in GNS3; the routers are 2691s and the IOS version used is c2691-adventerprisek9-mz.124-25d.bin.


I have only included the config for R3 here as that is the router doing the VRF bit. There is nothing unusual about the configs for the other routers - as far as they are concerned no VRF is taking place. R1 and R4 are part of Site_A and R2 and R5 are part of Site_B. Irrelevant bits of the R3 config have been omitted for brevity.

!
hostname R3
!
ip cef
!
!
! Create two VRF instances for our two sites with different route distinguishers
ip vrf Site_A
 rd 100:1
!
ip vrf Site_B
 rd 100:2
!
! This interface is in VRF Site_A
interface FastEthernet0/0
 ip vrf forwarding Site_A
 ip address 10.0.0.254 255.255.255.0
 duplex auto
 speed auto
!
! This interface is in VRF Site_B
interface Serial0/0
 ip vrf forwarding Site_B
 ip address 10.0.1.254 255.255.255.0
 clock rate 8000000
!
! This interface is in VRF Site_A
interface FastEthernet0/1
 ip vrf forwarding Site_A
 ip address 192.168.0.254 255.255.255.0
 duplex auto
 speed auto
!
! This interface is in VRF Site_B - note how it uses the same address as Fa0/1
interface FastEthernet1/0
 ip vrf forwarding Site_B
 ip address 192.168.0.254 255.255.255.0
 speed 100
 full-duplex
!
! We enable EIGRP for Site_A, note how the majority of the configuration now goes under
! the "address-family ipv4 vrf" section
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf Site_A
  network 10.0.0.0
  network 192.168.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
! We enable OSPF for Site_B - looks a bit different than the EIGRP bit doesn't it?
! Here the VRF is named on the "router ospf" line itself
router ospf 1 vrf Site_B
 log-adjacency-changes
 network 10.0.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
!
!
end

That is it for the config side of thing. Some show commands to illustrate the point:

Show ip route on the router shows no routes, not even connected ones, this is because all interfaces are part of a VRF so the global routing table has no visibility of them.

R3#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R3#


Ah, this is more like it - now we can see all the routes for Site_A VRF including connected interfaces. Note the "D" showing that we have EIGRP learned routes

R3#sh ip ro vrf Site_A

Routing Table: Site_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/409600] via 192.168.0.1, 01:01:18, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/1

We see something similar for Site_B, note the "O" for OSPF learned routes

R3#sh ip ro vrf Site_B

Routing Table: Site_B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/2] via 192.168.0.1, 00:46:17, FastEthernet1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, Serial0/0
C    192.168.0.0/24 is directly connected, FastEthernet1/0

Show ip EIGRP neighbours on R3 shows no neighbours, again because they are part of the VRF rather than global to the router (am I labouring the point a bit..?)

R3#sh ip eigrp neighbors
IP-EIGRP neighbors for process 1

Here they are:

R3#sh ip eigrp vrf Site_A neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.0.0.1                Fa0/0             11 01:03:41  206  1236  0  15
0   192.168.0.1             Fa0/1             14 01:09:27   41   246  0  8

This is a handy command too:

R3#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Fa0/1                  192.168.0.254   Site_A                           up
Fa0/0                  10.0.0.254      Site_A                           up
Fa1/0                  192.168.0.254   Site_B                           up
Se0/0                  10.0.1.254      Site_B                           up

Thursday, 5 July 2012

Cisco NAT with multiple WAN connections

With reference to: 
https://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml


This configuration allows you to run NAT over two WAN connections and load balance over them. Created and tested in GNS3. An example of where you would use this is if you had a single router connected to two different service providers and you wanted to NAT over both of them for load balancing. Should one of them go down NAT should continue to work over the other connection (though in practice I found that if you had an active NAT translation over one connection and you pulled that WAN link it would not failover automatically and you would have to kill that session and restart it - I was using pretty old IOS on GNS3 though).
It is not shown here but you can control which source address gets NAT'ted on which connection through the use of policy routing.


! Create two ip sla monitors to track the next hop of each WAN connection
ip sla monitor 1
 type echo protocol ipIcmpEcho 123.123.123.2 source-interface FastEthernet0/0
 timeout 1000
 threshold 40
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 124.124.124.2 source-interface FastEthernet1/0
 timeout 1000
 threshold 40
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
!
! Create two tracking objects to track the state of the ip sla monitors
track timer interface 5
!
track 123 rtr 1 reachability
 delay down 15 up 10
!
track 345 rtr 2 reachability
 delay down 15 up 10
!
! Fa0/0 defined as an outside NAT interface
interface FastEthernet0/0
 description WAN Connection 1
 ip address 123.123.123.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Fa0/1 defined as an inside NAT interface
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Fa1/0 defined as an outside NAT interface
interface FastEthernet1/0
 description WAN Connection 2
 ip address 124.124.124.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip forward-protocol nd
!
! Default routes tied to the tracking objects: when an SLA probe fails its route
! is withdrawn and traffic (and new NAT sessions) moves to the other WAN link
ip route 0.0.0.0 0.0.0.0 123.123.123.2 track 123
ip route 0.0.0.0 0.0.0.0 124.124.124.2 track 345
!
! NAT overload statements for each WAN interface referencing their own 
! route-map
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet1/0 overload
!
! ACL defining the "inside" network
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
! Route-map referencing the ACL and matching one interface
route-map nat2 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
! Route-map referencing the same ACL and matching the other interface
route-map nat1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!

To check the setup: "show ip sla monitor statistics" shows whether each probe is succeeding, "show track" shows the state of objects 123 and 345 (and therefore which default routes are currently in the routing table), and "show ip nat translations" shows which WAN interface each inside host is being translated on. Remember that both WAN interfaces face untrusted networks and that NAT is not a firewall: the NAT statements do nothing to stop inbound traffic aimed at the router itself, so each WAN interface still needs an inbound ACL.
Thursday, 24 May 2012

Quagga Basic Configuration

A very basic guide to getting quagga up and running (I did this in a VirtualBox environment using an Ubuntu Mini ISO - if you do a minimal install with no X server and 128MB RAM it runs just fine).

First install quagga:
#sudo apt-get install quagga

Quagga configuration files are contained in /etc/quagga. Before doing anything you will find two files in there called daemons and debian.conf. Open daemons:

#sudo nano /etc/quagga/daemons

Here you can configure which routing protocol daemons you want to use. Scroll down to the bottom of the file and change any entries to YES for daemons you wish to use - Zebra should be enabled as a minimum. For example to use RIP and BGP you would configure as follows:

zebra=yes
bgpd=yes
ripd=yes

Everything else can be left as NO. Save the file and exit (CTRL X and "yes" to save)

Before starting quagga you need to create a configuration file for each of the daemons enabled above. The daemons run as the quagga user, so the files must be owned by that user or you can't save your config from the vty. Don't make them world-writable (a chmod 777 is a common shortcut here): anyone with a shell on the box could then rewrite the router's configuration, and the vty password is stored in these files in clear, so they shouldn't be world-readable either:

#cd /etc/quagga
#sudo touch zebra.conf bgpd.conf ripd.conf
#sudo chown quagga:quagga /etc/quagga/*.conf
#sudo chmod 640 /etc/quagga/*.conf

Edit the zebra.conf file:

#sudo nano /etc/quagga/zebra.conf

Add the line:

password password

This sets your vty password to "password" - feel free to choose a more cryptic password if you are feeling adventurous; it sits in cleartext in this file, which is why the file must not be world-readable. Save the file and exit (CTRL X and "yes" to save).

We can now start quagga:

#sudo /etc/init.d/quagga start

You can reach the zebra vty (TCP port 2601, which the name "zebra" in /etc/services resolves to) with:

#telnet localhost zebra

The Debian debian.conf starts each daemon with "-A 127.0.0.1" so the vtys only listen on loopback; leave that in place, since the vty is plain telnet protected by a single shared password.

This is a bare minimum configuration to get things started - there is still lots more to do from here but this will at least get the services running and allow you to login.

Friday, 11 May 2012

Automate Config Backups - Cisco and Ubuntu

This post shows you how to automate backing up your Cisco config to a remote TFTP server. For this recipe you will need:

  • Cisco router /switch running IOS with support for "kron" and "archive" commands
  • Ubuntu PC 
  • IP Connectivity between the Cisco and the Ubuntu PC
First install atftpd on your Ubuntu PC:

sudo apt-get install atftpd

Edit the atftpd config file:

sudo nano /etc/default/atftpd

Change:

USE_INETD=true
to
USE_INETD=false

Note the location that atftpd stores files written to the server is defined as the last entry in the OPTIONS line in this file. Default is /srv/tftp. You don't need to change this unless you really want to do so.

Start the service:

sudo service atftpd start

The service is now running, you can verify this with the command:

sudo ps -A | grep atftpd
 1519 ?        00:00:00 atftpd

The output shows that the atftpd process is running; the number 1519 is its PID.

Logon to your Cisco device - first we will verify that we can write our config to our new TFTP server. Issue the command:

MyRouter#cop run tftp:
Address or name of remote host []? 192.168.0.1
Destination filename [MyRouter-confg]?
!!
4165 bytes copied in 5.228 secs (797 bytes/sec)

What just happened here? You issue the command "copy run tftp" which means copy the running config to a tftp server. The cli asked you for the address of the remote server (192.168.0.1). The cli then asks you for the filename you wish to write to on the server - by default it will use your router hostname and append "confg" hence MyRouter-confg in this case. The two !s show that the file is being copied over and the cli tells you how long it took.

If you now go back to your server and do a directory listing of our tftp folder you should see your file there:

bob@fossil.org:~$  ls -la   /srv/tftp/ | grep MyRouter
-rw-r--r-- 1 nobody nogroup 4165 2012-05-11 16:06 MyRouter-confg

So we know the tftp server and client bits work. Now to automate it. Bear in mind what you just did, though: TFTP has no authentication or encryption, and the running config contains the enable secret hash, any type 7 passwords (which are trivially reversible), SNMP communities and TACACS+/RADIUS keys. Keep the TFTP server on a management network, restrict who can read /srv/tftp, and prefer an archive path over ftp: (with credentials) or scp: where your IOS supports it.

We use the archive command:

MyRouter#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
MyRouter(config)#archive
MyRouter(config-archive)#path tftp://192.168.0.1/MyRouter.cfg

The archive command will now write the config to the tftp server when you issue the archive config command. Try it:

MyRouter#archive config
!!

You can then use the command show archive to see the history of archived configs. 

The second part of this is to schedule the archiving to take place using the kron command. The occurrence has to be bound to the policy list, otherwise nothing runs:

MyRouter(config)#kron policy-list MyKronPolicy
MyRouter(config-kron-policy)#cli archive config
MyRouter(config-kron-policy)#exit
MyRouter(config)#kron occurrence MyKron at 20:00 recurring
MyRouter(config-kron-occurrence)#policy-list MyKronPolicy

So what does this mean? We have created a kron policy list which issues the command archive config, then a kron occurrence that runs that policy at 20:00 every day. There are other options for when you can run the command - either as a one off or in a given amount of time from now. You can check your kron table with the command:

MyRouter#show kron schedule
Kron Occurrence Schedule
MyKron inactive, will run again in 0 days 04:23:43 at 20:00 on

This shows the next time that the kron entry will be run. If your Cisco device is not using NTP and your clock is set incorrectly you may get a warning about the clock being wrong.

And that is it. You should now have your config backed up automatically every day at 20:00. The archive command is clever enough to increment the filename so you don't overwrite your previous entry each time.
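
As an added example that is not part of the original post: once configs are landing on the TFTP server you can review each new archive against the previous one. The Python below picks the two newest archive files by the numeric suffix the archive command appends (a plain sort gets "-10" and "-2" the wrong way round), diffs them with the "!" separators removed, and flags added lines that touch a credential or reintroduce a known-weak setting such as a cleartext password, a read-write SNMP community or telnet on the VTYs. The two configs and the file names are constructed for the example, not taken from a real device; with real backups you would read the files from /srv/tftp. Because the backups contain exactly these secrets, the TFTP directory needs the same access control as the router.

```python
import difflib
import re
from typing import Iterable, List, Tuple

# Constructed sample configs (not real device output). The newer one adds a user
# with a cleartext password, changes the TACACS+ key, adds a read-write SNMP
# community and re-enables telnet on the VTYs.
OLD_CFG = """\
hostname MyRouter
!
username admin privilege 15 secret 5 $1$abcd$hashedhashedhashedhash/
!
tacacs-server host 192.168.1.1
tacacs-server key 7 0822455D0A16
!
line vty 0 4
 transport input ssh
!
end
"""

NEW_CFG = """\
hostname MyRouter
!
username admin privilege 15 secret 5 $1$abcd$hashedhashedhashedhash/
username support privilege 15 password 0 letmein
!
tacacs-server host 192.168.1.1
tacacs-server key 7 094F471A1A0A
snmp-server community public RW
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# "archive config" writes <path>-0, <path>-1, ... so the suffix is the version
ARCHIVE_RE = re.compile(r"^(?P<base>.+)-(?P<seq>\d+)$")

# Lines that carry a credential of some kind
SENSITIVE = re.compile(
    r"^\s*(username \S+ .*\b(password|secret)\b|enable (secret|password)\b"
    r"|tacacs-server key\b|radius-server key\b|snmp-server community\b|crypto isakmp key\b)")

# Settings that should never (re)appear in a backup
WEAK = re.compile(
    r"^\s*(username \S+ .*\bpassword 0 |snmp-server community \S+ RW\b|transport input .*\btelnet\b)")


def latest_two(names: Iterable[str]) -> Tuple[str, str]:
    """Pick the two newest archive files by numeric suffix. A plain string sort
    would put MyRouter.cfg-10 before MyRouter.cfg-2."""
    numbered = []
    for n in names:
        m = ARCHIVE_RE.match(n)
        if m:
            numbered.append((int(m.group("seq")), n))
    if len(numbered) < 2:
        raise ValueError("need at least two archived configs")
    numbered.sort()
    return numbered[-2][1], numbered[-1][1]


def diff_configs(old: str, new: str) -> List[str]:
    """Unified diff of two configs with the '!' separator lines dropped."""
    def body(cfg: str) -> List[str]:
        return [l for l in cfg.splitlines() if l.strip() != "!"]
    return list(difflib.unified_diff(body(old), body(new), "previous", "current", lineterm=""))


def find_secrets(cfg: str) -> List[Tuple[int, str]]:
    """(line number, line) for every credential-bearing line in a config."""
    return [(i, l) for i, l in enumerate(cfg.splitlines(), 1) if SENSITIVE.match(l)]


def review_change(old: str, new: str) -> List[str]:
    """Lines added in the newest backup that a reviewer should look at: anything
    touching a credential, and anything matching a known-weak pattern."""
    findings = []
    for line in diff_configs(old, new):
        if line.startswith("+") and not line.startswith("+++"):
            added = line[1:]
            if SENSITIVE.match(added) or WEAK.match(added):
                findings.append(added)
    return findings


if __name__ == "__main__":
    # With real backups: prev, cur = latest_two(os.listdir("/srv/tftp")) and read both files.
    print(latest_two(["MyRouter.cfg-10", "MyRouter.cfg-2", "MyRouter.cfg-9"]))
    for finding in review_change(OLD_CFG, NEW_CFG):
        print("REVIEW:", finding)
    print("credential lines in current config:", [n for n, _ in find_secrets(NEW_CFG)])
```

Running this against the constructed pair reports the new cleartext user, the changed TACACS+ key, the RW community and the telnet transport; everything else in the diff is left alone. The same patterns in find_secrets tell you which lines of a backup must never leave the management network.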

Thursday, 2 February 2012

640-553 IINS Security

Goals of Network Security: Confidentiality, Integrity, Availability
Government and Military Classification Model: Unclassified, Sensitive but Unclassified, Confidential, Secret, Top-secret.
Organisational Classification: Public, Sensitive, Private, Confidential
Classification Roles: owner, Custodian, User 
Controls in a Security Solution: Administrative, Physical, Technical. Further classified as Preventive, Deterrent, Detective.
Security Incident: Motive, Means, Opportunity
Legal and Ethical Ramifications: Criminal Law, Civil Law, Administrative Law
Attack Categories: Passive, Active, Close-in, Insider, Distribution
Defence in Depth: Host-based Intrusion Prevention System (HIPS), Network-based Intrusion Prevention System (NIPS), Network-based Intrusion Detection System (NIDS) 
IP Spoofing: blind / nonblind spoofing
Confidentiality Attack Strategies: Packet Capture, Ping sweep / port scan, dumpster diving, EMI interception, wiretapping, social engineering, sending information over overt / covert channels.
Integrity Attack Strategies: Salami attack, data diddling, trust relationship exploitation, password attack, botnet, session hijack
Availability Attack Strategies: Denial of Service, DDoS, TCP SYN Flood, ICMP Attacks, Electrical Disturbance, physical attacks

System Development Life Cycle

  • Initiation (security categorization and preliminary risk assessment)
  • Acquisition and development (risk assessment, security functional requirement analysis, security assurance requirements analysis, cost considerations and reporting, security planning, security control development, developmental security test and evaluation)
  • Implementation (inspection and acceptance, system integration, security certification, security accreditation)
  • Operations and maintenance (configuration management and control, continuous monitoring)
  • Disposition (information preservation, media sanitization, hardware and software disposal)
Operations Security Overview:
  • Separation of duties
  • Rotation of duties
  • Trusted recovery
  • Configuration and change control
Disruptions: Nondisaster, disaster, catastrophe
Backup Sites: Hot site, warm site, cold site.

Security Policies: governing policy, technical policies, end user policies

Router Security:


#security authentication failure rate 5 log
lock the login process for 15 seconds after 5 failed attempts (the default threshold is 10) and generate a log message when the threshold is hit.


#conf t
#privilege exec level 6 debug
#username bob privilege 5 secret bob
move the debug command up to privilege level 6; bob is a level 5 user and so can no longer run it. Use "secret" rather than "password" for the user so the credential is stored as a hash rather than a reversible type 7 string.

Enabling Views (role-based CLI access; requires aaa new-model)
#enable view
password: <enter enable secret>
#conf t

#parser view MyView
#secret 0 password
#commands exec exclude show
#username bob view MyView password 0 bob
create a view called MyView from which all show commands are excluded, and assign that view to bob. Views are the least-privilege tool here: a privilege level grants everything at or below that level, whereas a view is built command by command.

Protecting Router Files (IOS Resilient Configuration)
#conf t
#secure boot-image
#secure boot-config
#do show secure bootset
the running image and a snapshot of the config are hidden from the file-system commands and cannot be deleted from the CLI; show secure bootset confirms both are archived. This protects against someone who already has CLI access wiping the box, it is not a substitute for controlling that access.

VTY Security
#conf t
#login block-for <seconds> attempts <tries> within <seconds>
#login quiet-mode access-class <ACL>
the first command puts the router into a quiet period (no logins accepted) for <seconds> after <tries> failed attempts within the given window; the second names an ACL of hosts that are still allowed in during the quiet period, so an attacker hammering the VTYs cannot lock you out of your own router.

#login delay <seconds>
#login on-failure log
#login on-success log
#do show login
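
As an added example (not part of the original notes): once "login on-failure log" and "login on-success log" are set, the router emits %SEC_LOGIN messages that a syslog collector can turn into the same decision the router makes locally. The Python below parses those messages and applies a sliding window with the same parameters as "login block-for <seconds> attempts <tries> within <seconds>", but per source address rather than router-wide, and adds the alert that matters most and that the router itself does not raise: a successful login from a source that was failing moments earlier. The log lines are constructed in the IOS message format with made-up addresses and user names; the thresholds in the code are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample messages in the format IOS logs once "login on-failure log"
# and "login on-success log" are set; addresses and user names are made up.
SAMPLE_LOG = """\
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 20:01:10 UTC Fri May 11 2012
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 20:01:25 UTC Fri May 11 2012
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 20:01:41 UTC Fri May 11 2012
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22] at 20:01:55 UTC Fri May 11 2012
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 192.168.0.10] [localport: 22] at 20:02:00 UTC Fri May 11 2012
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 192.168.0.10] [localport: 22] [Reason: Login Authentication Failed] at 20:10:00 UTC Fri May 11 2012
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 192.168.0.10] [localport: 22] [Reason: Login Authentication Failed] at 20:12:00 UTC Fri May 11 2012
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\].*? at "
    r"(?P<ts>\d\d:\d\d:\d\d UTC \w{3} \w{3} \d{1,2} \d{4})")

Event = Tuple[datetime, str, str, str]   # (time, event, source, user)


def parse_events(text: str) -> List[Event]:
    """Extract (time, event, source, user) from %SEC_LOGIN messages; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S UTC %a %b %d %Y")
            events.append((ts, m.group("event"), m.group("src"), m.group("user")))
    return events


def detect(events: List[Event], attempts: int = 3, within: int = 60,
           block_for: int = 120) -> List[Tuple[str, str, str, datetime]]:
    """Sliding-window check with the same knobs as
    'login block-for <block_for> attempts <attempts> within <within>', evaluated
    per source address, plus an alert for a success shortly after failures."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    last_failure: Dict[str, datetime] = {}
    alerts = []
    for ts, event, src, user in sorted(events):
        window = failures[src]
        while window and ts - window[0] > timedelta(seconds=within):
            window.popleft()                      # drop failures outside the window
        if event == "LOGIN_FAILED":
            window.append(ts)
            last_failure[src] = ts
            if len(window) == attempts:           # alert once as the threshold is crossed
                alerts.append(("guessing", src, user, ts))
        elif event == "LOGIN_SUCCESS":
            last = last_failure.get(src)
            if last is not None and ts - last <= timedelta(seconds=block_for):
                alerts.append(("success-after-failures", src, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {kind:24} source={src} user={user}")
```

On the sample, 203.0.113.9 trips the threshold on its third failure and then logs in successfully fourteen seconds later, which is the event to chase; bob's two failures ten and twelve minutes later fall outside the window and raise nothing. Tighten "within" and the first alert disappears while the success-after-failures alert stays, which is the point of tracking them separately.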

Cisco Access Control Server:

Ports used:
RADIUS Authentication / Authorization: 1645, 1812 (UDP)
RADIUS Accounting: 1646, 1813 (UDP)
TACACS+: 49 (TCP)
Various other management: 2000 - 2002 (TCP)

Sample IOS Configuration:

#conf t

#aaa new-model
#tacacs-server host 192.168.1.1
#tacacs-server key c1sco
#aaa authentication login default group tacacs+ local
the trailing "local" falls back to the local user database when no TACACS+ server responds; without it a server outage locks you out of the router. The shared key is what authenticates the router to the server, so use something considerably stronger than c1sco in practice.

Securing the Router

#auto secure
one step lockdown of router security. Can also be done through SDM via Configure --> Security Audit

Syslog severity levels:

Level - Name - Description

0 - Emergencies - system unusable
1 - Alerts - Requires immediate attention
2 - Critical - possible interruption of services
3 - Errors - system is still usable, errors are occurring
4 - Warnings - certain operations failed to complete
5 - Notifications - alert administrators about a state change
6 - Informational - normal operation alerts
7 - Debugging -  detailed troubleshooting info
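The severity table above and the login block-for / quiet-mode commands in the VTY section are two halves of the same detection problem: the router emits %FACILITY-SEVERITY-MNEMONIC messages, and something has to read them. As an added example (not from these notes), the Python below parses IOS syslog lines into facility, severity and mnemonic, filters by severity the way logging trap <level> does, and runs a sliding-window count of %SEC_LOGIN-4-LOGIN_FAILED events per source that mirrors login block-for <x> attempts <n> within <w>, with an exemption set playing the role of the quiet-mode ACL. The log lines are constructed samples in the format IOS uses with service timestamps log datetime msec; the IP addresses and usernames are made up.

```python
import re
from collections import defaultdict

# Cisco syslog severity levels: 0 is the most severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample lines (not a real capture) in IOS "service timestamps log datetime msec" format.
SAMPLE_LOG = """\
*Mar  1 00:12:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:12:01 UTC Mon Mar 1 1993
*Mar  1 00:12:09.455: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:12:09 UTC Mon Mar 1 1993
*Mar  1 00:12:30.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 192.168.1.10] [localport: 22] at 00:12:30 UTC Mon Mar 1 1993
*Mar  1 00:12:31.910: %SYS-5-CONFIG_I: Configured from console by bob on vty0 (192.168.1.10)
*Mar  1 00:12:44.317: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:12:44 UTC Mon Mar 1 1993
*Mar  1 00:15:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 192.168.1.10] [localport: 23] [Reason: Login Authentication Failed] at 00:15:00 UTC Mon Mar 1 1993
"""

# Leading "*" means the clock is not synchronised; the optional ".msec" is dropped.
LINE_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)(?:\.\d+)?:\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
SOURCE_RE = re.compile(r"\[Source: ([^\]]+)\]")


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sev = int(m["severity"])
    # Seconds since midnight is enough for a windowed count; day wrap is ignored in this toy.
    ts = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
    return {"ts": ts, "facility": m["facility"], "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "mnemonic": m["mnemonic"], "text": m["text"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def at_least(events, level):
    """Events at severity `level` or worse (numerically lower), like `logging trap <level>`."""
    return [e for e in events if e["severity"] <= level]


def sources_to_quiet(events, attempts, within, exempt=frozenset()):
    """Sliding-window detector mirroring `login block-for <x> attempts <attempts> within <within>`.
    IOS quiet mode is router-wide once the threshold trips; this reports per source so the offender
    is visible. `exempt` plays the role of the `login quiet-mode access-class` ACL."""
    window = defaultdict(list)
    flagged = set()
    for e in events:
        if e["mnemonic"] != "LOGIN_FAILED":
            continue
        m = SOURCE_RE.search(e["text"])
        if not m or m.group(1) in exempt:
            continue
        src = m.group(1)
        window[src] = [t for t in window[src] if e["ts"] - t <= within] + [e["ts"]]
        if len(window[src]) >= attempts:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in at_least(events, 4):
        print(e["severity_name"], e["mnemonic"], e["text"][:60])
    print("would trigger quiet mode:", sources_to_quiet(events, 3, 60, exempt={"192.168.1.10"}))
```

Feeding the router's output to a collector at logging trap informational (level 6) and running a count like this there is what turns the quiet-mode setting from a local speed bump into an alert; the router itself only ever sees its own vtys.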

SSH Configuration:

#conf t
#ip domain-name mydomain.local
#crypto key generate rsa general-keys modulus 2048
the key pair is named after hostname.domain-name, so both must be set first. 1024 bits was the recommended minimum when these notes were written; SSH version 2 needs at least 768 and 2048 is the minimum you should use today.
#ip ssh version 2
#do show crypto key mypubkey rsa
#line vty 0 4
#transport input ssh
transport input ssh replaces the whole list of allowed protocols, so telnet is disabled on the vtys by this line alone.

To remove all rsa keys use the command:
#conf t
#crypto key zeroize rsa

Layer 2 Security

VLAN Hopping - switch spoofing (the attacker negotiates a trunk with DTP and then reaches every VLAN) and double tagging (an outer tag in the native VLAN is stripped by the first switch and the inner tag carries the frame into another VLAN). Mitigate with switchport mode access and switchport nonegotiate on user ports, and an unused VLAN as the native VLAN on trunks.

#conf t
#interface g1/0/1
#spanning-tree guard root
if a superior BPDU is received on this port it goes into the "root inconsistent" state and stops forwarding until the BPDUs stop. This should be enabled on all ports that will never be a path to the root.


#conf t
#interface g1/0/1
#spanning-tree portfast
#spanning-tree bpduguard enable

portfast moves the port straight into the forwarding state; BPDU guard err-disables the port on receipt of any BPDU (somebody has plugged a switch into a user port). The global form is spanning-tree portfast bpduguard default, which applies BPDU guard to every portfast port.

#conf t
#ip dhcp snooping
#ip dhcp snooping vlan 1,10,20-30
#interface g1/0/1
#ip dhcp snooping trust
enable DHCP snooping on VLANs 1, 10 and 20 through 30. Configure g1/0/1 as a trusted port (the DHCP server, or the uplink towards it, is on this port). All other ports are untrusted by default and DHCP server messages (OFFER, ACK) arriving on them are dropped, which stops rogue DHCP servers. Snooping also builds the binding table (MAC, IP, VLAN, port) that DAI and IP Source Guard rely on.

#conf t
#ip arp inspection vlan 10
#interface g1/0/1
#ip arp inspection trust
enable DAI (Dynamic ARP Inspection) on VLAN 10 and add g1/0/1 as a trusted port. DAI works by checking the sender MAC / IP in ARP packets on untrusted ports against the DHCP snooping binding table and dropping the ones that do not match, so DHCP snooping must be enabled on the VLAN first; hosts with static addresses need an arp access-list instead. 

#conf t
#access-list 101 permit tcp any host 192.168.1.1 eq smtp
#vlan access-map JUST_MAIL 10
#match ip address 101
#action forward
#exit
#vlan filter JUST_MAIL vlan-list 10-20
enable a VACL that only allows SMTP to host 192.168.1.1 and apply it to all VLANs in the range 10 to 20. The access-map must reference the ACL that was actually created (101 here); traffic that matches no access-map entry is dropped, so a map with only a forward entry is a whitelist.

Private VLAN (PVLAN) Port Types:
  • Promiscuous - can communicate with all other PVLAN ports
  • Isolated - can only communicate with promiscuous ports
  • Community - can communicate with other ports in the same community and promiscuous ports
Port Security - limits the MAC addresses allowed on a port and is the defence against CAM table overflow (MAC flooding). When the limit is exceeded, or a MAC not in the allowed list is seen, the port takes one of the following violation actions:
  • Protect - frames from known MAC addresses are forwarded, frames from unknown ones are dropped. No alert is sent to the administrator
  • Restrict - same as protect but the violation counter is incremented and an SNMP trap and syslog message are generated if configured.
  • Shutdown - the port is put into err-disabled state (the default); it stays down until shutdown / no shutdown is entered or errdisable recovery cause psecure-violation brings it back
Secure MAC Address Types


  • Static Secure MAC - statically configured MAC address on a port configured with the command switchport port-security mac-address <address>
  • Sticky Secure MAC - same as above but learned dynamically and automatically added to running config
  • Dynamic Secure MAC - same as sticky but NOT stored in the running config
Default setting on switchports is:

#switchport mode dynamic desirable
(dynamic auto on newer Catalyst models; either way the port will negotiate a trunk with DTP, which is what switch spoofing abuses. User ports should be set to switchport mode access and switchport nonegotiate.)


#int fa0/1
#switchport mode access
#switchport port-security
(port security only works on access ports and must be enabled explicitly before the options below take effect)
#switchport port-security maximum 1 
(only allow one MAC address on the interface)
#switchport port-security violation protect | restrict | shutdown
(protect = first MAC will work, others will not. restrict does the same but logs. shutdown err-disables the port)
#switchport port-security mac-address sticky
(first address learned is allowed and written into the running config; save it with write memory or it is lost on reload)


#show port-security interface fa0/1 



802.1x

  • Supplicant - end user device (PC etc.) seeking access to the network
  • Authenticator - switch etc that acts as a bridge between the supplicant and the authentication server. Translates between EAPOL and RADIUS
  • Authentication Server - RADIUS server that performs the authentication
#conf t
#int fa0/1
#dot1x port-control force-authorized | force-unauthorized | auto
(force-authorized, the default, means no authentication; auto makes the port authenticate the supplicant)

Extensible Authentication Protocols
  • EAP-MD5 - MD5 challenge / response only; no server authentication and no tunnel, so it is open to dictionary attack and should not be used
  • EAP-TLS - X.509 certificates on both client and server, mutual authentication inside a TLS tunnel
  • PEAP (MS-CHAP v2) - server certificate creates the TLS tunnel, MS-CHAP v2 user authentication runs inside it
  • EAP-FAST - similar to PEAP but the tunnel is built from a shared secret (PAC) instead of a server certificate
Guest VLAN
#conf t
#dot1x guest-vlan supplicant
allows a host to be placed in the guest VLAN even when it has a supplicant but fails to authenticate, rather than only hosts that never respond to EAP.


802.1x Authenticator Configuration

#conf t
#aaa new-model
#aaa authentication dot1x default group radius
#aaa authorization network default group radius
Last command is optional and instructs the authenticator to consult the authentication server for VLAN assignment etc.
#dot1x system-auth-control
enable dot1x authentication globally on the switch
#int g1/0/1
#switchport mode access
#dot1x port-control auto
commands below are optional
#dot1x host-mode multi-host
#dot1x guest-vlan <vlan-id>
#dot1x auth-fail vlan <vlan-id>

#show dot1x
#show dot1x [all | interface]
#show aaa servers

Worm Attacks

Components of a worm: enabling vulnerability, propagation mechanism, payload.
Phases of a worm attack: probe, penetrate, persist, propagate, paralyse.

SAN Security

FCIP =  Fibre Channel over IP
FCSP = Fibre Channel Security Protocol
FCAP = Fibre Channel Authentication Protocol
iSCSI = Internet Small Computer Systems Interface
LUN =  Logical Unit Number
HBA = Host Bus Adaptor 
WWN = World Wide Name
VSAN = Virtual Storage Area Network
DHCHAP = Diffie-Hellman Challenge Handshake Authentication Protocol

ACL Types:

IP Standard ACL: 1 - 99 and 1300 - 1999
IP Extended ACL: 100 - 199, 2000 - 2699

Turbo ACLs - #access-list compiled

Standard - only permit /deny on source. Apply as close to destination as possible.
e.g.
#access-list 50 deny 192.168.1.0 0.0.0.255
#access-list 50 permit any
#interface f0/0
#ip access-group 50 out

Extended - permit deny on source and / or destination or protocol / port number. Apply as close to source as possible
e.g.
#access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 80
#interface f0/0
#ip access-group 100 in

Named - entries carry sequence numbers, so a single line can be inserted or deleted without rebuilding the whole list
e.g.
#ip access-list extended MY_ACL
#permit tcp any any established
#permit tcp any host 1.2.3.4 eq 80
#interface fa0/0
#ip access-group MY_ACL in 


#sh access-lists MY_ACL
Extended IP access list MY_ACL
    10 permit tcp any any established
    20 permit tcp any host 1.2.3.4 eq www
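The three ACL forms above all share the same evaluation rules: wildcard mask matching (a 1 bit in the mask means "don't care"), first match wins, and an implicit deny at the end. As an added example that is not part of these notes, the Python below parses the page's own numbered and named ACLs and evaluates packets against them, including the established keyword (TCP with ACK or RST set). The parser is deliberately limited to the syntax used on this page (eq port matches, no ranges, no logging keywords) and the packets are constructed test values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names IOS prints in place of numbers (a subset, enough for the page's examples).
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "ssh": 22, "domain": 53}
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))


@dataclass
class Entry:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; standard ACLs are treated as ip any-destination
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False
    rst: bool = False


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Wildcard mask: 1 bits are "don't care", so only the 0 bits have to agree.
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0


def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' and return (network, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))


def _parse_port(tok):
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def _parse_entry(tok, extended: bool) -> Entry:
    action = tok.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r}")
    if not extended:
        net, wild = _parse_addr(tok)
        return Entry(action, "ip", net, wild, 0, 0xFFFFFFFF)
    proto = tok.pop(0)
    snet, swild = _parse_addr(tok)
    sport = _parse_port(tok)
    dnet, dwild = _parse_addr(tok)
    dport = _parse_port(tok)
    established = bool(tok) and tok.pop(0) == "established"
    if tok:
        raise ValueError(f"unsupported keywords: {' '.join(tok)}")
    return Entry(action, proto, snet, swild, dnet, dwild, sport, dport, established)


def parse_acl_config(text: str):
    """Return {acl name or number: [Entry, ...]} from IOS 'access-list' / 'ip access-list' lines."""
    acls, current = {}, None
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!" or tok[0] == "remark":
            continue
        if tok[:2] == ["ip", "access-list"]:
            current = (tok[3], tok[2] == "extended")
            acls.setdefault(tok[3], [])
            continue
        if tok[0] == "access-list":
            num = int(tok[1])
            extended = any(a <= num <= b for a, b in EXTENDED_RANGES)
            if not extended and not any(a <= num <= b for a, b in STANDARD_RANGES):
                raise ValueError(f"ACL number {num} is not a standard or extended IP ACL")
            name, tok = tok[1], tok[2:]
        elif current and tok[0] in ("permit", "deny"):
            name, extended = current
        else:
            raise ValueError(f"unsupported line: {raw}")
        acls.setdefault(name, []).append(_parse_entry(tok, extended))
    return acls


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _wild_match(_ip(pkt.src), e.src_net, e.src_wild):
            continue
        if not _wild_match(_ip(pkt.dst), e.dst_net, e.dst_wild):
            continue
        if e.src_port is not None and e.src_port != pkt.sport:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dport:
            continue
        if e.established and not (pkt.ack or pkt.rst):
            continue
        return e.action
    return "deny"


# The ACLs from the notes above, as they would appear in a running config.
SAMPLE_CONFIG = """
access-list 50 deny 192.168.1.0 0.0.0.255
access-list 50 permit any
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 80
ip access-list extended MY_ACL
 permit tcp any any established
 permit tcp any host 1.2.3.4 eq 80
"""
ACLS = parse_acl_config(SAMPLE_CONFIG)
```

The established line in MY_ACL is what makes it a poor man's stateful filter: any TCP segment with ACK set is let in, so a scanner sending ACK probes passes it too, which is the gap reflexive ACLs, CBAC and the zone firewall close.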

Reflexive / Established - the established keyword matches TCP segments with ACK or RST set, so it lets return traffic of sessions started from inside back in (and anything else with ACK set, which is its weakness); reflexive ACLs instead create a temporary mirror entry for each outbound session and remove it when the session ends.

Lock and Key Access List - the user telnets to the router (10.10.10.6) and authenticates with the local account cisco/cisco; the autocommand then activates the dynamic entry, which opens the permit ip any any line. timeout 120 on the dynamic entry is the absolute timeout in minutes, access-enable timeout 1 is the idle timeout in minutes (the time left in the show command below counts it down in seconds). Note that without the host keyword (access-enable host timeout 1) the dynamic entry is enabled exactly as written, i.e. for any source, not just the host that authenticated.


interface FastEthernet0/0
 ip address 10.10.10.6 255.255.255.0
 ip access-group 101 in
!
username cisco password cisco
!
access-list 101 permit tcp any host 10.10.10.6 eq telnet
access-list 101 dynamic ALLOW_TELNET timeout 120 permit ip any any
!
line vty 0 4
 exec-timeout 0 0
 login local
 autocommand  access-enable timeout 1
!



R6#show access-lists

Extended IP access list 101
    10 permit tcp any host 10.10.10.6 eq telnet (114 matches)
    20 Dynamic ALLOW_TELNET permit ip any any
       permit ip any any (26 matches) (time left 20)




Router Based Firewalls

CBAC = context based access control (inspects outbound TCP and UDP sessions and dynamically opens the return path through the inbound ACL for their duration)

Cisco IOS Based Zone Firewall - interfaces are placed in zones and policy is applied between pairs of zones; traffic between zones with no zone-pair is dropped.

To create the zones and assign an interface:
#zone security DMZ-zone
#zone security out-zone
#interface fa0/0
#zone-member security DMZ-zone
(both zones named in the zone-pair must exist, and the interface must be a member of the zone the policy refers to)

To create a class map:
#class-map type inspect match-any SMTP-DMZ
#match protocol smtp

To create a policy:

#policy-map type inspect Towards-DMZ
#class type inspect SMTP-DMZ
#inspect
#class class-default
#drop

To create a zone pair:
#zone-pair security EXTERNAL-TO-DMZ source out-zone destination DMZ-zone
#service-policy type inspect Towards-DMZ

Valid actions for a policy are: pass, inspect, drop. inspect tracks the session and allows its return traffic automatically; pass lets the matching packets through one way only, so a second zone-pair would be needed for the replies; class-default drops whatever the other classes did not match.


IPS/IDS

IPS/IDS detection methods;

  • Signature Based
  • Policy Based
  • Anomaly Based
  • Honey Pot 


Site to Site VPN

The ISAKMP policy (encryption, authentication, DH group), the pre-shared key, the transform set and the crypto ACL must be mirrored at the other site (peer address and the source/destination networks in the ACL swapped). The values here are lab settings: a pre-shared key of cisco and DH group 2 would not be acceptable in production.



crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.1.1
!
crypto ipsec security-association lifetime kilobytes 5000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto map R2-R1 100 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set MyTransformSet
 match address R2-R1-VPN
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map R2-R1
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip forward-protocol nd
ip route 192.168.100.0 255.255.255.0 192.168.1.1
!
!
!
!
ip access-list extended R2-R1-VPN
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255