Here's a link to a great site from my friend Rene Molenaar:
GNS3Vault
Description from the site:
* Cool Scenarios to get the maximum out of your networking experience ;)
* Downloadable topologies that you can use right away with the GNS3 software.
* Different levels of difficulty, there's something for everyone...novice, intermediate and expert!
* The forum where you can discuss all the labs.
* It's possible to review labs.
* You can share your labs with others.
AND Yes, all for free ;)
13 Sept 2010
30 Jul 2010
Using 3rd Party SFP modules in Cisco Devices
All SFP modules contain in their EEPROM a serial number, vendor name & ID, security code and a CRC. The switch checks this information; if it cannot verify it, it may give messages like the following:
%PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc
There are two undocumented Cisco commands to get 3rd party SFP modules to work:
switch(config)# service unsupported-transceiver
switch(config)# no errdisable detect cause gbic-invalid
16 Jun 2010
Upgrading Software on a 6509 Switch
Planning on upgrading the ancient CatOS 5.5(1) on our 6509 switch.
1. Check Supervisor NMP BootROM version. If Fw 5.1(1) then you must field upgrade your ROM. Check here.
Ref: Upgrading Software Images on Catalyst 6000/6500 Series Switches
15 May 2010
Running ASA and ASDM using GNS3/Qemu
Finally got ASA and ASDM to work nicely with GNS3.
Here's my setup:
GNS3 v0.7
Qemu (The one that comes with GNS3 v0.7)
ASA 802-k8 (files needed for Qemu are: asa802-k8.initrd.gz & asa802-k8.kernel)
ASDM 6.0(2)
Fiddler (Instructions to configure it are here)
To get ASDM to connect with ASA, you must use Fiddler to intercept the HTTPS stream and modify it to correct some of Qemu's shortcomings.
Then set your JRE to use fiddler as proxy.
All instructions can be found in the lengthy discussion at hacki.at. Make sure to read pages 17,18,+
9 May 2010
Visio tips & tricks
In this post I will collect Visio tips & tricks that I come up with and links to similar articles.
Shortcuts:
Ctrl+1 Pointer Tool
Ctrl+2 Text Tool
Ctrl+3 Connector Tool
Ctrl+W Zoom Whole Page
Ctrl+Shift+G Group
Ctrl+Shift+U Ungroup
Links:
Shortcuts to Edit in Visio @ Visio Insights
Nortel Visio Stencils
Visio Stencils collection (lots of vendors)
2 May 2010
STP, PVST, RSTP, MSTP articles
Many standards, many proprietary approaches.. All this causes interoperability and management headaches.
References:
Understanding MSTP, very in-depth article from Petr Lapukhov.
Understanding STP and RSTP Convergence, again by Petr.
Lots of valuable articles from ine blog.
1 May 2010
Cisco and HP Interoperability
Some pointers to related information on the net:
Articles:
Summaries from Dave Tucker's 3 Day Training: HP ProCurve/Cisco Interoperability – Day 1, Day 2, Day 3
Documents:
ProCurve and Cisco Spanning-tree Interoperability
Discovery Protocols, STP, Link Aggregation, IP Routing, etc:
HP & Cisco Interoperability Guide
20 Apr 2010
Troubleshooting High CPU Utilization
Cisco 7500 Series Routers, Troubleshooting TechNotes
* High CPU Utilization in Exec and Virtual Exec Processes
* The show processes Command
* Troubleshooting High CPU Utilization Due to Interrupts
* Troubleshooting High CPU Utilization due to Processes
* Troubleshooting High CPU Utilization in IP Input Process
* Troubleshooting High CPU Utilization on Cisco Routers
* Understanding VIP CPU Running at 99% and Rx-Side Buffering
* What Causes %SYS-3-CPUHOG Messages?
IOS Syslog facilities
Logging and debugging messages are the cornerstone of troubleshooting.
There are 4 possible destinations for logging:
1. Console
2. Monitor
3. Buffer
4. Host
plus SNMP
R1(config)#do sh logging
Syslog logging: enabled (9 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 33 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: disabled, xml disabled
Logging Exception size (8192 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 38 message lines logged
Descriptions for the fields in the output above.
When troubleshooting high CPU utilization situations where you have to use debugging, make sure to disable or "level-limit" the console and monitor logging facilities. Instead, use the buffered logging facility to record the debug output and view it with "show logging". This lets the CPU keep up with the log messages in a high-utilization environment.
To use a syslog server and set the log-level:
R1(config)# logging host
R1(config)# logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
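As an added example (not from the original post), here is a small Python parser for IOS system messages that applies the same severity filter a "logging trap <level>" destination applies; the sample log lines are constructed, though three of them are the messages quoted elsewhere on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Severity numbers and keywords exactly as the "logging trap ?" help lists them.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
NAME_TO_SEVERITY = {name: num for num, name in SEVERITY_NAMES.items()}

# IOS system messages carry a %FACILITY-SEVERITY-MNEMONIC: token; whatever precedes
# it (sequence number, timestamp) depends on the router's "service sequence-numbers"
# and "service timestamps" settings, so it is kept as an opaque prefix.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass(frozen=True)
class IosSyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    prefix: str


def parse_message(line: str) -> Optional[IosSyslogMessage]:
    """Parse one line of "show logging" or syslog output.

    Returns None for lines without a %FACILITY-SEVERITY-MNEMONIC token, which is
    what raw debug output looks like in the buffer."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return IosSyslogMessage(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text").strip(),
        prefix=line[: m.start()].strip(),
    )


def resolve_level(level: Union[int, str]) -> int:
    """Accept a severity the way "logging trap" does: a number 0-7 or a keyword."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity out of range: {level}")
    try:
        return NAME_TO_SEVERITY[level.lower()]
    except KeyError:
        raise ValueError(f"unknown severity keyword: {level}") from None


def forwarded_messages(lines: Iterable[str],
                       trap_level: Union[int, str] = "informational") -> List[IosSyslogMessage]:
    """Return the messages a destination configured at trap_level would receive.

    A destination at level N gets severities 0..N (lower number = more urgent), so the
    default "logging trap informational" (6) never forwards debugging (7) output;
    that is why debug output has to be captured in the local buffer instead."""
    limit = resolve_level(trap_level)
    parsed = (parse_message(line) for line in lines)
    return [m for m in parsed if m is not None and m.severity <= limit]


# Constructed sample log. The PHY, GBIC_SECURITY_CRYPT and SYS-3-CPUHOG messages are the
# ones quoted on this page; the remaining lines are made up for the example.
SAMPLE_LOG = [
    "000019: *Mar  1 00:02:11.419: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.6.44)",
    "000020: *Mar  1 00:02:40.003: %PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1",
    "000021: *Mar  1 00:02:40.010: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc",
    "000022: *Mar  1 00:03:05.222: %SYS-3-CPUHOG: Task ran for 2004 msec (2/1), process = IP Input, PC = 0x60F3A2B8.",
    "000023: *Mar  1 00:03:06.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down",
    "IP: s=10.1.1.6 (Tunnel0), d=10.1.1.5, len 100, rcvd 2",
    "000024: *Mar  1 00:03:09.500: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.10(51234) -> 10.1.1.5(23), 1 packet",
]


if __name__ == "__main__":
    # Show what a "logging trap warnings" syslog host would actually receive.
    for m in forwarded_messages(SAMPLE_LOG, "warnings"):
        print(f"{SEVERITY_NAMES[m.severity]:<13} {m.facility}-{m.mnemonic}: {m.text}")
```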
Reference:
Troubleshooting and Fault Management Commands @ Cisco
Troubleshooting High CPU Utilization on Cisco Routers @ Cisco
10 Apr 2010
Portable Product Sheets @ Cisco
Here's a page I came across on the Cisco Site.
Provides easy access to reference documents useful to partners.
Eg: Switch Performance, IOS Packaging, Router Memory/Performance, ISR Ref.Sheets, etc.
Portable Product Sheets
7 Apr 2010
Password recovery references for almost all Cisco Devices
Here's a great reference page from Cisco, explaining the pwd recovery procedures for many of their devices.
Password Recovery Procedures
Internet Map of Autonomous Systems in Türkiye
Here's a recent and very well done study of the Networks/ASs located in Türkiye, by Hakan Çetin.
Türkiye'nin Otonom Sistem Seviyesinde İnternet Haritasının Çıkarımı (TİH) - 2009 (Derivation of Türkiye's Internet Map at the Autonomous System Level)
1 Apr 2010
Steps for migrating from PIX to ASA
You should be running v7.x on your PIX so that your configuration can be converted properly. Two ways of going about this:
* Tool-Assisted Conversion (Link)
* Manual Conversion
I'll cover the manual method here.
Upgrading your PIX to v7.x
1. Get copies of your config and version/license info
# show running
# write net
# show version
2a. If BIOS is earlier than 4.2, use Monitor Mode instead of copy tftp flash
Reboot and press BREAK or ESC during boot to enter Monitor Mode
monitor>interface
monitor>address
monitor>server
monitor>gateway
monitor>ping
monitor>file
monitor>tftp
The PIX will boot automatically, but the software upgrade is only done in memory; you MUST go through the steps below to complete the upgrade!
2b. Upgrade System software
#enable
#copy tftp: flash:
Address or name of remote host []? 10.1.6.44
Source filename []? pix701.bin
Destination filename [pix701.bin]?
3. Now you have upgraded your software and your config was auto converted to v7.x
You should go through and check the changes made, which could be very different from your older pix config.
4. Use this config in your ASA appliance. Do this either with the Copy/Paste method, or via a tftp/ftp config file transfer.
Ref: Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances
30 Mar 2010
G.SHDSL Config through a Cisco 828 router
I'll copy this here for reference purposes. I used a few of these configs to connect one of my customers' branch offices to their headquarters.
Be careful of the vpi/vci values which should be:
Point to point g.shdsl links: 0/35
Internet g.shdsl links: 8/35
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
bandwidth 2048
ip nat outside
ip virtual-reassembly
pvc 8/35
pppoe-client dial-pool-number 1
!
!
!
interface Dialer0
mtu 1476
bandwidth 2048
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 800
load-interval 30
dialer pool 1
ppp authentication pap chap callin
ppp chap hostname user@isp
ppp chap password 0 123
ppp pap sent-username user@isp password 0 123
ppp ipcp dns request
ip rtp header-compression iphc-format
!
29 Mar 2010
Most useful Freeware/Shareware Windows Apps.
Firefox: THE browser of the Internet. Won't use anything else.
Total Commander, my choice of File Manager since, forever.
CDBurnerXP: Very nice CD/DVD/BlueRay, Data/Audio burner. Freeware.
SysInternals: Indispensable system tools.
Media Player Classic: With a few codecs, it's all you need to play your videos.
Winamp: Essential audio player for me.
TrueCrypt, an essential encryption suite.
BitComet, my choice of torrent client.
Foxit, a freeware PDF Reader. It's light-weight and fast, why use bloated Adobe apps?
Daemon Tools Lite, mount cd/dvd images
SyncToy
iMazingConverterWindows.exe iMazingConverter, converts HEIC to JPG and MOV to MP4; it's really free, but be careful, download only the converter.
24 Mar 2010
Win7 Tips&Tricks, Useful Applications
* Shortcuts: Master List of Windows 7 Keyboard Shortcuts (Mar 09)
* Take ownership and delete files/folders for good!
For Files:
takeown /f file_name /d y
icacls file_name /grant administrators:F
For Directories (will perform action recursively):
takeown /f directory_name /r /d y
icacls directory_name /grant administrators:F /t
* Turn off Driver Signing
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON
* Turn off Hibernation
powercfg -h off
* Classic Start Menu and Explorer
Classic Shell, now this is very cool, I had enough of the new featureLESS Start menu and awkward Explorer
19 Mar 2010
CCNP at last!
Hooray!! Just became CCNP certified today.
Now it's onto my ultimate goal, CCIE Routing & Switching. Must start planning right away ;-)
11 Feb 2010
History of Computers and the Birth of the Internet
I've been reading "Where Wizards Stay Up Late" by Hafner&Lyon which tells the story of ARPA and how the network to connect all the different mainframes in universities came to being, which then would be the foundation of the Internet. It's written in a novel fashion and once you start flipping the pages it's hard to put it down!
There are mentions of many of the first huge computing machines that were built in various Universities and Corporations, such as the TX-2 in MIT Lincoln Labs, Q-32 that was transferred by the Airforce from SDC to ARPA, etc. So being the researcher I am :) I had to track these beasts and learn more about them. I shall write a separate article about these in the near future.
Computer History Museum in California (History Timeline)
10 Feb 2010
CCIE Preparation, devices to accumulate for a home lab
This is a WIP entry that I'll use to compile a list of useful devices/information for my future CCIE lab preparation.
ISDN Simulator B-LinkU has 2 ports that you can connect to using U or S/T interface.
2520 Series Multiport routers, for use as Frame Relay switch, ISDN cloud.
6 Feb 2010
Cisco Router boot configuration
File Systems:
system: (RAM, where running-config is kept)
nvram: (NVRAM, where startup-config is saved)
bootflash: (Internal Flash memory)
slot0: (First PCMCIA slot)
slot1: (Second PCMCIA slot)
Copying:
#copy ftp: system:running-config
#copy rcp: system:running-config
#copy tftp: system:running-config
#copy ftp: nvram:startup-config
#copy rcp: nvram:startup-config
#copy tftp: nvram:startup-config
#copy system:running-config nvram:startup-config
Booting:
#show bootvar (verify the contents of the CONFIG_FILE environment variable.)
#boot config dest-flash-url (Set the CONFIG_FILE environment variable.)
#boot network ftp:[[[//[username[:password]@]location]/directory]/filename]
#boot network rcp:[[[//[username@]location]/directory]/filename]
#boot network tftp:[[[//location]/directory]/filename]
#service config (Enable the router to download config-files at startup)
#boot system
Other Useful commands:
#service compress-config
#boot buffersize bytes (The buffer that holds the configuration file is usually the size of NVRAM. Larger configurations need larger buffers. )
(config)#config-register value
#dir [flash-filesystem:]
Examples
#copy system:running-config tftp://172.16.1.130/istanbul-config
#copy system:running-config ftp://netadmin1:mypass@172.16.101.101/Ankara-config
#copy rcp://netadmin1@172.16.101.101/host1-confg system:running-config
#copy slot0:4:ios-upgrade-1 nvram:startup-config
Ref: Rebooting and Reloading - Configuring Image Loading Characteristics @ Cisco
Cisco IOS Conf. Fundamentals Command Reference Boot Commands
1 Feb 2010
GRE over IPsec in a Hub-Spoke Topology w/ EIGRP (Lab) #2
Ok this is the enhanced version of the previous GRE lab I've posted.
We've decided to encrypt and secure all communications between our HQ and Branches.
As previously noted we needed GRE to run a dynamic routing protocol (EIGRP) between our networks. So here we implement an IPsec GRE tunnel that will encrypt all traffic including the multicast EIGRP messaging.
Download Project files for GNS3.
30 Jan 2010
GRE Tunnels in a Hub-Spoke Topology w/ EIGRP (Lab) #1
Our company DasBoot Corp. has opened a few offices in Turkey.
The corporate offices are in sunny Izmir and there is one branch in Istanbul, and two in Ankara.
They all have basic Internet connectivity to our trusted ISP: DynamiteBBS. Which by the way is running IS-IS in its backbone with MPLS on top.
As the network engineer of DasBoot, we decide to create tunnels in a hub-spoke fashion, connecting our branches to the corporate network. We use private addressing in our network (eg. 172.16.0.0). Here's a demonstration of running EIGRP to facilitate full connectivity between our networks. Not too complicated, I know, but it is good practice and an extensible lab anyway. Enjoy..
(Download GNS3 Project files)
My favorite Firefox addons
My browser of choice has been Firefox since the beginning, the 1.0 version in 2004. Before that I had been a longtime user of Opera.
I've been happily using the 3.5 version for a while and here are my favorite addons:
NoScript: It's a must have security addon IMHO.
Session Manager: A successful session manager. Very reliable and uses light resources.
Secure Login: Keeps track of my passwords for Forums/other sites that have low security priority on my list. I try to use different credentials for most sites.
oldbar: Brings back the Old Address Bar from version 2.
gspace: Use your gmail account space as a file cabinet.
29 Jan 2010
ISCW in the bag
I'm almost there, one to go!
Been reading up on ONT for a while, so this should be quick.
27 Jan 2010
Cisco Type 5 and Type 7 passwords
Cisco uses two types of password encryption to store your passwords. Type 7 is the Cisco proprietary method (a Vigenère cipher) and is weak. Type 5 is hashed with MD5 and is considered pretty strong. The "enable secret" password is stored using Type 5.
One can easily crack the Type7 passwords w/ utilities that are available on the net.
You can also do it straight from inside the IOS. Just create a key chain, and copy paste the encrypted string to the "key-string 7". Here's how:
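As an added example (not from the original post), a small Python audit that reads an IOS config and reports every credential still stored as Type 7 or in cleartext rather than as a Type 5 hash; the sample config is constructed, with placeholder hash and Type 7 values.

```python
import re
from dataclasses import dataclass
from typing import List

# One credential line: optional leading context ("enable", "username x privilege 15",
# "ppp chap", ...), the keyword, an optional storage-type digit, then the value.
CRED_RE = re.compile(
    r"^(?P<context>.*?)\b(?P<keyword>password|key-string|secret)\s+"
    r"(?:(?P<type>[057])\s+)?(?P<value>\S+)\s*$"
)

NOTES = {
    "0": "Type 0: stored in cleartext.",
    "7": "Type 7: Vigenère-obscured and trivially reversible; anyone who reads the config has the secret.",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    risk: str   # "cleartext", "reversible" or "info"
    line: str
    note: str


def audit_config(config_text: str) -> List[Finding]:
    """Flag every credential that is not stored as a Type 5 (MD5) hash."""
    findings: List[Finding] = []
    pw_encryption_line = 0
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "service password-encryption":
            pw_encryption_line = no
            continue
        m = CRED_RE.search(line)
        if m is None:
            continue
        ptype = m.group("type") or "0"      # no type digit at all means cleartext
        if ptype == "5":
            continue                        # hashed: nothing to report
        risk = "cleartext" if ptype == "0" else "reversible"
        note = NOTES[ptype]
        context = m.group("context").strip()
        if m.group("keyword") == "password" and context == "enable":
            note += " Replace 'enable password' with 'enable secret' so it is stored as Type 5."
        elif m.group("keyword") == "key-string":
            note += " Key-chain keys must stay recoverable by the router; protect the config file itself."
        findings.append(Finding(no, risk, line, note))
    if pw_encryption_line:
        findings.append(Finding(pw_encryption_line, "info", "service password-encryption",
                                "Only converts Type 0 to Type 7; it does not make any password strong."))
    return findings


# Constructed sample config (placeholder hash and Type 7 strings, not real credentials).
SAMPLE_CONFIG = """\
!
service password-encryption
hostname R1
!
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
enable password 7 0822455D0A16
!
username admin privilege 15 password 7 094F471A1A0A
username backup privilege 15 password 0 backup123
!
key chain EIGRP-KEYS
 key 1
  key-string 7 104D000A0618
!
interface Dialer0
 ppp chap password 0 123
 ppp pap sent-username user@isp password 0 123
!
line vty 0 4
 password 7 045802150C2E
 login local
!
"""


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.risk}] {f.line}\n    {f.note}")
```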
24 Jan 2010
GRE Tunnel w/ IPsec protection, (and ISAKMP association using RSA keys)
1. Generate an RSA Public Key for our router.
#crypto key generate rsa general-keys label R1
Here you can see the generated key. Do the same on R2, and in the next step paste each router's public key into the other.
#sh crypto key mypubkey rsa
% Key pair was generated at: 12:35:34 UTC Jan 24 2010
Key name: R1
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D35594 62FB3925
22EBD28E A64B12A7 2D0D44C1 DD28F9BF 8BA52834 516FC231 F1791352 A90ADEE0
A61E77C7 5F132B9E 11193B08 B338D531 D40EE40D 9699E742 DF020301 0001
% Key pair was generated at: 13:35:36 UTC Jan 24 2010
Key name: R1.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A4764D E3D85AFD
2E9254C0 DBB88E08 CE86FA63 8D82C08C D11F14DF AF9264C9 2F5C1CBC 7081C66D
DFE73BB3 66E5A354 48B73EF0 3773545B F5BACBA7 CEBA55DA 4D3D52A1 0B62BFFD
BA93A21E 9B65D23F 9A843994 FAAEB67E BF565A6F 38A8DC3A D5020301 0001
2. Create a public-key chain entry addressed to router R2 with its IP address, and paste R2's public key in here.
#crypto key pubkey-chain rsa
addressed-key 10.1.1.6
key-string
Enter a public key as a hexidecimal number ....
(PASTE HERE)
and use quit to finish
Download project files for GNS3
22 Jan 2010
IPsec VPN Lab, (using Dynamic crypto Map)
In this lab we connect the 3 sites of our company using secure IPsec VPN connections.
The ISP network consists of 4 Routers which are running EIGRP between them.
Our headquarters is connected to the ISP with the CE_4 router.
The branch offices, CE_5 being Branch1, and CE_8 Branch2.
Networks are 192.168.0.0/21 behind CE_4, the edge router.
In Branch 1 we have 192.168.16.0/20 networks. (Simulated with loopback int)
In Branch 2 there are the 192.168.8.0/21 networks.
This setup demonstrates the full IPsec negotiation and tunnel establishment using a dynamic map on CE_4. The key point is to create the relationship between the static crypto map and the dynamic one.
Per our ISAKMP policy we are using a pre-shared key for authentication, defined as a wildcard so our VPN peers can connect from whichever address they have.
# crypto isakmp key
Here are the lab files for gns3. Download
Good Reading:
Wildcard Pre-Shared Key Enhancement @cisco
Security Commands: crypto dynamic-map through ctype @cisco
21 Jan 2010
IPSEC VPN session status
IKE SA | IPsec SAs | VPN Tunnel Status
---|---|---
Exists, active | Exists (flow exists) | UP-ACTIVE
Exists, active | None (flow exists) | UP-IDLE
Exists, active | None (no flow exists) | UP-IDLE
Exists, inactive | Exists (flow exists) | UP-NO-IKE
Exists, inactive | None (flow exists) | DOWN-NEGOTIATING
Exists, inactive | None (no flow) | DOWN-NEGOTIATING
None | Exists (flow exists) | UP-NO-IKE
None | None (flow exists) | DOWN
None | None (no flow exists) | DOWN
SDM Hints
I was using Firefox 3.5.1 and jre 1.6.12 (java6 update 12), some of the wizards were not launching. For example the Site-to-Site VPN and GRE Tunnel wizards.
I downgraded my JavaVM to jre 1.6.0.3 and now all is working fine.
For documentation, requirements and installations goto SDM@cisco
To connect to your router via SDM:
#ip http server
#ip http secure-server
#ip http authentication local
#username privilege 15 password 0
16 Jan 2010
My Cisco Certifications Plan
11 Jan 2010
LDP (Label Distribution Protocol)
LDP is the protocol that distributes label bindings for FECs between LSRs (Label Switching Routers). The LIB (Label Information Base) of an MPLS-enabled router is the table in which all the bindings are kept. The LIB is populated with information from LDP, MP-BGP and RSVP.
LDP carries the labels for interior routes, from the IGP.
MP-BGP distributes routes for BGP prefixes, and RSVP is used in MPLS-TE.
LDP Functions:
Discovery of other LSRs
Session establishment, management
Advertisement of Labels
Housekeeping, notification
Two types of Adjacency:
Hello adjacency: LDP Hellos to 224.0.0.2 (all routers multicast), using UDP Port 646 for both source and destination. These hellos are sent on all MPLS enabled interfaces. Hello/Holdtime = 5/15sec default.
Transport session: After the Hello discovery, the LSRs establish a TCP transport session on TCP/646. One of them takes the active role (initiating the TCP connection to port 646) and the other the passive role (listening on TCP/646). The LSR with the higher transport IP address takes the passive role.
The LSRs exchange session parameters with Initialization Messages, which contain information such as LDP version, label distribution method, timer values, etc.
If they agree, a transport session is established; if not, it is retried. This retry cycle uses the LDP initial/maximum backoff timers, which default to 15/120 seconds.
The session is kept open as long as an LDP message or a Keepalive is heard. The session holdtime is 180 seconds. The interval of Keepalive messages is 60 sec.
You can list the ldp parameters used by the router:
Example keep alive messages. Sent back and forth in 60sec intervals.
Useful commands
mpls ldp router-id interface [force]
mpls ldp discovery transport-address {interface | ip-address}
mpls ldp discovery {hello {holdtime | interval} seconds
mpls ldp backoff initial-backoff maximum-backoff
mpls ldp holdtime seconds
show mpls ldp discovery detail
show mpls ldp neighbor neighbor-ip detail
show mpls ldp parameters
Ref: LDP neighbor discovery.. @Networkers-Online
10 Jan 2010
MPLS Header & Labels
Ref:Geert’s blog
MPLS header contains a 20bit Label field.
Labels 0-15 are reserved.
Label 0: Explicit Null
Label 1: Router alert label
Label 2: Explicit Null IPv6
Label 3: Implicit Null
Label 14: OAM alert label
6 Jan 2010
AToM (Any Transport over MPLS) Lab
So here we have an AToM (Any Transport over MPLS) lab, also known as a Martini pseudowire.
Provider Core Routers R1,R2,R3,R4 serve as the label switching MPLS Core. The Provider Edge routers PE_1,PE_2 connect to Customer networks. The IGP running on the provider network is IS-IS.
We have a Customer HQ and a Branch Office which have connections to the same ISP.
A VPN Tunnel is built between the PE_1 <-> PE_2 to connect the customer private network.
GNS3 Project file @ Filefront
3 Jan 2010
Collection of OSPF Labs
Here are some of the labs I created while studying for the CCNP exams:
1. OSPF network w/ two areas connected to the backbone Area 0. One of the areas is a Totally Stubby Area w/ redundant connections to the backbone. Download Project Files
2. Based on the project above, with an extra Area 99 added via a virtual link. Download Project Files
3. Backbone area on a point-to-multipoint Frame Relay network. A chance to observe different OSPF area types, and also the DR/BDR relationships and configurations in two different areas. Download
2 Jan 2010
Collection of IS-IS Labs
A collection of IS-IS labs I created during my CCNP studies.
1. Based around a Frame Relay backbone, with 3 areas and their L1/L2 routers. Download project files
2. A different and more complex topology, with Frame Relay p2p links and other good stuff thrown in. Download
1 Jan 2010
VRRP Timer tips
The default interval for VRRP advertisements sent by the master router is 1 second.
The holdtime is 3 times this and by default is around 6 seconds.
VRRP timers must either be the same in the group, or the routers must be "set to learn" these timers. If a VRRP backup router receives a VRRP advertisement w/ a different timer than the one it has configured, the packet will be discarded. This will cause both routers to think they are masters!
If routers are set to "learn timers", then the advertisement interval learned from the VRRP advertisement packet will override the one in the configuration.
(config-if)# vrrp 1 timers learn
If you want to use timers in msec, this must be configured on all the routers in the VRRP group, because when using msec timers, learning the timers from the master will not work.
R1(config-if)#vrrp 1 timer adv msec 200
R1(config-if)#vrrp 1 timer learn
% cannot learn timer values when millisecond timers are configured
R1(config-if)#
Note: In VRRP, a sub-second hello timer results in a hello timer of 1 second being sent in the advertisement. So if you set an msec timer on one router and a non-default, non-learning VRRP timer on another, they won't talk to each other!
Ref: VRRP @ Cisco
Very good investigation of the topic: (HSRP,VRRP,GLBP timers)
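The rules above (mismatched timers are discarded, "timers learn" overrides the configured value, msec timers are sent as 1 second and cannot be learned) are easy to get wrong when auditing a group, so here is a small model of them plus a config audit that reports which router would discard whose advertisements. This is an added example, not code from the original post or from Cisco IOS; the VrrpRouter class, its field names and the routers below are constructed for illustration.

```python
"""Model of how a VRRP backup treats the Advertisement Interval of a received
advertisement, following the behaviour described above. Added example, not
from the original post or from Cisco IOS; routers are constructed."""
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    adv_interval_ms: int = 1000   # default advertisement interval: 1 second
    msec_timers: bool = False     # timer configured with the "msec" keyword
    learn: bool = False           # "vrrp <group> timers learn"


def configure_learn(router: VrrpRouter) -> None:
    """Mirror of the IOS refusal quoted above: learn cannot be combined with msec timers."""
    if router.msec_timers:
        raise ValueError("cannot learn timer values when millisecond timers are configured")
    router.learn = True


def advertised_interval(router: VrrpRouter) -> int:
    """Whole-second value carried in the VRRPv2 Adver Int field.
    The field has no sub-second resolution, so an msec timer is sent as 1."""
    if router.msec_timers:
        return 1
    return router.adv_interval_ms // 1000


def would_discard(backup: VrrpRouter, adver_int: int) -> bool:
    """A non-learning backup discards advertisements whose interval differs from its own."""
    return not backup.learn and advertised_interval(backup) != adver_int


def receive_advertisement(backup: VrrpRouter, adver_int: int) -> str:
    """Return "learned" (timer adopted), "accept" (timers match) or "discard".

    A discard means the backup never sees a valid master and will eventually
    declare itself master too, the split-brain situation described above."""
    if backup.learn:
        backup.adv_interval_ms = adver_int * 1000
        return "learned"
    if would_discard(backup, adver_int):
        return "discard"
    return "accept"


def audit_group(routers: list) -> list:
    """Static check of a VRRP group's timer configuration; returns problem strings."""
    problems = []
    msec = [r.msec_timers for r in routers]
    if any(msec) and not all(msec):
        problems.append("msec timers must be configured on every router in the group")
    for master in routers:
        for backup in routers:
            if master is backup:
                continue
            if would_discard(backup, advertised_interval(master)):
                problems.append(
                    f"{backup.name} would discard advertisements from {master.name} "
                    f"({advertised_interval(master)}s sent vs {advertised_interval(backup)}s configured)"
                )
    return problems


if __name__ == "__main__":
    r1 = VrrpRouter("R1", adv_interval_ms=200, msec_timers=True)   # msec 200
    r2 = VrrpRouter("R2", adv_interval_ms=3000)                    # non-default, non-learning
    for p in audit_group([r1, r2]):
        print(p)
```

Running the audit on the pair from the note above (one router with msec 200, the other with a non-default 3-second timer and no learning) reports the discard in both directions, which is the "they won't talk to each other" case.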
NAT Order of Operation
To summarize, there is the old way of NATting (domain-based NAT, with inside and outside interfaces) and the new way introduced in 12.3(T), the NAT Virtual Interface (NVI).
In domain-based NAT:
Packets arriving on the outside interface are first translated and then routed.
For packets arriving on the inside interface, the routing decision is made first, and then the translation and forwarding.
In NVI-based NAT:
Translation and routing are done in a symmetric manner. The routing lookup is performed twice: first to send the packet to the NVI, second to route the packet using the post-translated addresses.
References: The Inside and Outside of Nat : CCIE Journey
NAT Order of Operation @ Cisco