30 Jan 2010
GRE Tunnels in a Hub-Spoke Topology w/ EIGRP (Lab) #1
Our company DasBoot Corp. has opened a few offices in Turkey.
The corporate offices are in sunny Izmir and there is one branch in Istanbul, and two in Ankara.
They all have basic Internet connectivity to our trusted ISP, DynamiteBBS, which by the way is running IS-IS in its backbone with MPLS on top.
As the network engineer of DasBoot, we decide to create tunnels in a hub-spoke fashion, connecting the branches to the corporate network. We use private addressing in our network (e.g. 172.16.0.0). Here's a demonstration of running EIGRP over the tunnels to provide full connectivity between our networks. Not too complicated, I know, but it is good practice and an extensible lab anyway. Enjoy..
(Download GNS3 Project files)
My favorite Firefox addons
My browser of choice has been Firefox since the beginning, the 1.0 version in 2004. Before that I had been a longtime user of Opera.
I've been happily using the 3.5 version for a while and here are my favorite addons:
NoScript: It's a must have security addon IMHO.
Session Manager: A successful session manager. Very reliable and uses light resources.
Secure Login: Keeps track of my passwords for Forums/other sites that have low security priority on my list. I try to use different credentials for most sites.
oldbar: Brings back the Old Address Bar from version 2.
gspace: Use your gmail account space as a file cabinet.
29 Jan 2010
ISCW in the bag
I'm almost there, one to go!
Been reading up on ONT for a while, so this should be quick.
27 Jan 2010
Cisco Type 5 and Type 7 passwords
Cisco uses two types of password encryption to store your passwords. Type 7 is the Cisco proprietary method (a Vigenere cipher) and is weak. Type 5 is stored as an MD5 hash and is considered pretty strong. The "enable secret" password is stored using Type 5.
One can easily crack Type 7 passwords with utilities that are available on the net.
You can also do it straight from inside the IOS. Just create a key chain, and copy-paste the encrypted string into "key-string 7". Here's how:
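Added example, not from the original post: a small config audit that walks an IOS running-config and classifies every stored credential by its type, flagging Type 0 (plaintext) and Type 7 (reversible) lines and an "enable password" that is not backed by "enable secret". The sample config below is constructed, and the Type 5 value in it is a placeholder, not a real hash.

```python
import re

# Matches IOS credential statements: keyword, optional encryption-type digit, value.
CRED_RE = re.compile(r"\b(password|secret|key-string)\s+(?:(\d)\s+)?(\S+)")

# How each storage type discussed above should be treated by a reviewer.
VERDICT = {
    "0": "type 0: plaintext",
    "7": "type 7: reversible Vigenere obfuscation, treat as plaintext",
    "5": "type 5: MD5 hash",
}

def audit_config(config: str) -> dict:
    """Classify every credential line in a running-config by its storage type."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, enc_type, _value = m.groups()
        enc_type = enc_type or "0"              # no type digit means plaintext
        verdict = VERDICT.get(enc_type, f"type {enc_type}: unknown to this checker")
        weak = enc_type in ("0", "7")
        findings.append({"line": lineno, "keyword": keyword, "type": enc_type,
                         "weak": weak, "verdict": verdict})
    has_enable_secret = re.search(r"^\s*enable secret\b", config, re.M) is not None
    has_enable_password = re.search(r"^\s*enable password\b", config, re.M) is not None
    return {
        "findings": findings,
        "weak_count": sum(f["weak"] for f in findings),
        # 'enable password' without 'enable secret' leaves the privileged password weak
        "enable_password_only": has_enable_password and not has_enable_secret,
    }

# Constructed sample config (the $1$ value is a placeholder, not a real MD5 digest).
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 0 cisco
username ops privilege 15 secret 5 $1$XXXX$placeholder-md5-hash
key chain KC
 key 1
  key-string 7 094F471A1A0A
line vty 0 4
 password letmein
"""
```

Note that "service password-encryption" only turns plaintext into Type 7, so the audit still reports those lines as weak.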
24 Jan 2010
GRE Tunnel w/ IPsec protection, (and ISAKMP association using RSA keys)
1. Generate an RSA Public Key for our router.
#crypto key generate rsa general-keys label R1
Here you can see the generated key. Do the same on R2, then copy-paste each router's public key into the other one in the next step.
#sh crypto key mypubkey rsa
% Key pair was generated at: 12:35:34 UTC Jan 24 2010
Key name: R1
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D35594 62FB3925
22EBD28E A64B12A7 2D0D44C1 DD28F9BF 8BA52834 516FC231 F1791352 A90ADEE0
A61E77C7 5F132B9E 11193B08 B338D531 D40EE40D 9699E742 DF020301 0001
% Key pair was generated at: 13:35:36 UTC Jan 24 2010
Key name: R1.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A4764D E3D85AFD
2E9254C0 DBB88E08 CE86FA63 8D82C08C D11F14DF AF9264C9 2F5C1CBC 7081C66D
DFE73BB3 66E5A354 48B73EF0 3773545B F5BACBA7 CEBA55DA 4D3D52A1 0B62BFFD
BA93A21E 9B65D23F 9A843994 FAAEB67E BF565A6F 38A8DC3A D5020301 0001
2. Create a public key chain. Add an entry addressed to router R2 by its IP address and paste R2's public key into it.
#crypto key pubkey-chain rsa
addressed-key 10.1.1.6
key-string
Enter a public key as a hexidecimal number ....
(PASTE HERE)
Then use quit to finish.
Download project files for GNS3
22 Jan 2010
IPsec VPN Lab, (using Dynamic crypto Map)
In this lab we connect the 3 sites of our company using secure IPsec VPN connections.
The ISP network consists of 4 Routers which are running EIGRP between them.
Our headquarters is connected to the ISP with the CE_4 router.
The branch offices, CE_5 being Branch1, and CE_8 Branch2.
The networks behind the CE_4 edge router are 192.168.0.0/21.
In Branch 1 we have 192.168.16.0/20 networks. (Simulated with loopback int)
In Branch 2 there are the 192.168.8.0/21 networks.
This setup demonstrates the whole IPsec negotiation and tunnel establishment using a dynamic crypto map on CE_4. The key point is to create the relationship between the static crypto map and the dynamic one.
Per our ISAKMP policy we use a pre-shared key for authentication, which is defined with a wildcard address so our VPN peers can connect from whichever address they happen to have.
# crypto isakmp key
Here are the lab files for gns3. Download
Good Reading:
Wildcard Pre-Shared Key Enhancement @cisco
Security Commands: crypto dynamic-map through ctype @cisco
21 Jan 2010
IPSEC VPN session status
| IKE SA | IPsec SAs | VPN Tunnel Status |
|---|---|---|
| Exists, active | Exists (flow exists) | UP-ACTIVE |
| Exists, active | None (flow exists) | UP-IDLE |
| Exists, active | None (no flow exists) | UP-IDLE |
| Exists, inactive | Exists (flow exists) | UP-NO-IKE |
| Exists, inactive | None (flow exists) | DOWN-NEGOTIATING |
| Exists, inactive | None (no flow) | DOWN-NEGOTIATING |
| None | Exists (flow exists) | UP-NO-IKE |
| None | None (flow exists) | DOWN |
| None | None (no flow exists) | DOWN |
SDM Hints
I was using Firefox 3.5.1 and JRE 1.6.12 (Java 6 update 12), and some of the wizards were not launching, for example the Site-to-Site VPN and GRE Tunnel wizards.
I downgraded my Java VM to JRE 1.6.0.3 and now all is working fine.
For documentation, requirements and installation go to SDM@cisco
To connect to your router via SDM:
#ip http server
#ip http secure-server
#ip http authentication local
#username privilege 15 password 0
16 Jan 2010
My Cisco Certifications Plan
11 Jan 2010
LDP (Label Distribution Protocol)
LDP is the protocol that distributes label bindings for FECs between LSRs (Label Switching Routers). The LIB (Label Information Base) of an MPLS-enabled router is the table in which all the bindings are kept. The LIB is populated with information from LDP, MP-BGP and RSVP.
LDP carries the labels for interior routes, from the IGP.
MP-BGP distributes routes for BGP prefixes, and RSVP is used in MPLS-TE.
LDP Functions:
Discovery of other LSRs
Session establishment, management
Advertisement of Labels
Housekeeping, notification
Two types of Adjacency:
Hello adjacency: LDP Hellos are sent to 224.0.0.2 (all-routers multicast), using UDP port 646 as both source and destination port. These Hellos are sent on all MPLS-enabled interfaces. Hello/holdtime = 5/15 sec by default.
Transport session: After Hello discovery, the LSRs establish a TCP transport session on TCP/646. One of them takes the active role (initiating the TCP connection to port 646) and the other the passive role (listening on TCP/646). The LSR with the higher transport IP address will take the passive role.
The LSRs exchange session parameters with Initialization messages, which carry information such as the LDP version, label distribution method and timer values.
If they agree, a transport session is established; if not, it is retried. This cycle is governed by the LDP initial/maximum backoff timers, 15/120 seconds by default.
The session is kept open as long as an LDP message or a Keepalive is heard. The session holdtime is 180 seconds and the Keepalive interval is 60 seconds.
You can list the ldp parameters used by the router:
Example keep alive messages. Sent back and forth in 60sec intervals.
Ref: LDP neighbor discovery.. @Networkers-Online
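Added example, not from the original post: it builds and parses an LDP link Hello in the RFC 5036 layout (PDU header, LDP identifier, Hello message with the Common Hello Parameters and IPv4 Transport Address TLVs) that the discovery step above sends to 224.0.0.2 on UDP 646, and uses the parser for a defender's check that reports Hello senders missing from a known-LSR inventory. The sample PDUs, LSR-IDs and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

MSG_HELLO = 0x0100            # LDP Hello message type
TLV_COMMON_HELLO = 0x0400     # hold time + T/R bits
TLV_IPV4_TRANSPORT = 0x0401   # address to use for the TCP/646 session

def build_ldp_hello(lsr_id: str, hold_time: int, transport: str = "", msg_id: int = 1) -> bytes:
    """Build one LDP PDU carrying a link Hello (hold time 0 means 'use the default')."""
    tlvs = struct.pack("!HHHH", TLV_COMMON_HELLO, 4, hold_time, 0)   # T=R=0: link Hello
    if transport:
        tlvs += struct.pack("!HH4s", TLV_IPV4_TRANSPORT, 4, IPv4Address(transport).packed)
    msg = struct.pack("!HHI", MSG_HELLO, 4 + len(tlvs), msg_id) + tlvs
    body = struct.pack("!4sH", IPv4Address(lsr_id).packed, 0) + msg   # LSR-ID, label space 0
    return struct.pack("!HH", 1, len(body)) + body                     # version 1, PDU length

def parse_ldp_hello(pdu: bytes) -> dict:
    """Extract LSR-ID, hold time, T bit and transport address from a Hello PDU."""
    version, pdu_len = struct.unpack("!HH", pdu[:4])
    if version != 1 or len(pdu) < 4 + pdu_len:
        raise ValueError("bad LDP PDU header")
    lsr_id, label_space = struct.unpack("!4sH", pdu[4:10])
    msg_type, msg_len, _msg_id = struct.unpack("!HHI", pdu[10:18])
    if msg_type & 0x7FFF != MSG_HELLO:
        raise ValueError("not a Hello message")
    info = {"lsr_id": str(IPv4Address(lsr_id)), "label_space": label_space,
            "hold_time": None, "targeted": False, "transport_address": None}
    pos, end = 18, 14 + msg_len                       # message length excludes type/length
    while pos + 4 <= end:
        tlv_type, tlv_len = struct.unpack("!HH", pdu[pos:pos + 4])
        value = pdu[pos + 4:pos + 4 + tlv_len]
        tlv_type &= 0x3FFF                            # drop the U and F bits
        if tlv_type == TLV_COMMON_HELLO and tlv_len == 4:
            info["hold_time"], flags = struct.unpack("!HH", value)
            info["targeted"] = bool(flags & 0x8000)   # T bit set: targeted Hello
        elif tlv_type == TLV_IPV4_TRANSPORT and tlv_len == 4:
            info["transport_address"] = str(IPv4Address(value))
        pos += 4 + tlv_len
    if info["transport_address"] is None:             # RFC 5036: defaults to the LSR-ID
        info["transport_address"] = info["lsr_id"]
    return info

def unexpected_ldp_peers(pdus, known_lsr_ids) -> list:
    """Defender's check: Hello senders on a segment that are not in the LSR inventory."""
    return sorted({parse_ldp_hello(p)["lsr_id"] for p in pdus} - set(known_lsr_ids))

# Constructed sample: one legitimate core LSR and one unknown Hello sender on the same segment.
SAMPLE_HELLOS = [build_ldp_hello("10.0.0.1", 15, "10.0.0.1"), build_ldp_hello("192.0.2.99", 15)]
```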
Useful commands
mpls ldp router-id interface [force]
mpls ldp discovery transport-address {interface | ip-address}
mpls ldp discovery hello {holdtime | interval} seconds
mpls ldp backoff initial-backoff maximum-backoff
mpls ldp holdtime seconds
show mpls ldp discovery detail
show mpls ldp neighbor neighbor-ip detail
show mpls ldp parameters
10 Jan 2010
MPLS Header & Labels
Ref:Geert’s blog
The MPLS header contains a 20-bit Label field.
Labels 0-15 are reserved.
Label 0: Explicit Null
Label 1: Router alert label
Label 2: Explicit Null IPv6
Label 3: Implicit Null
Label 14: OAM alert label
6 Jan 2010
AToM (Any Transport over MPLS) Lab
So here we have an AToM (Any Transport over MPLS) lab, which is also known as a Martini pseudowire.
Provider Core Routers R1,R2,R3,R4 serve as the label switching MPLS Core. The Provider Edge routers PE_1,PE_2 connect to Customer networks. The IGP running on the provider network is IS-IS.
We have a Customer HQ and a Branch Office which have connections to the same ISP.
A VPN tunnel is built between PE_1 <-> PE_2 to connect the customer's private network.
GNS3 Project file @ Filefront
3 Jan 2010
Collection of OSPF Labs
Here are some of the labs I've created when studying for the CCNP Exams:
1. OSPF Network w/ two areas connected to the Backbone Area 0. One of the networks being a Totally Stub Area w/ redundant connections to the backbone. Download Project Files
2. Based on project above, with an extra Area 99 added via a Virtual-Link. Download Project Files
3. Backbone Area on a Point to Multipoint Frame-Relay network. A chance to observe different ospf area types. And also the DR/BDR relations and configurations in two different areas. Download
2 Jan 2010
Collection of IS-IS Labs
A collection of IS-IS labs created by me, during CCNP Studies.
1. Based around a Frame-Relay Backbone, with 3 areas and their L1/L2 routers. Download project files
2. A different and more complex topology, with Frame Relay p2p links and other good stuff thrown in. Download
1 Jan 2010
VRRP Timer tips
The default interval for VRRP advertisements sent by the Master router is 1 second.
The holdtime is 3 times this and is by default around 6 seconds.
VRRP timers must either be the same across the group, or the routers must be set to learn them. If a VRRP Backup router receives a VRRP advertisement with a different timer than the one it has configured, the packet is discarded. This will cause both routers to think they are Masters!
If routers are set to learn timers, the advertisement interval learned from the VRRP advertisement packet overrides the one in the config.
(config-if)# vrrp 1 timers learn
If you want to use timers in msec, this must be configured on all routers in the VRRP group, because when msec timers are used, the learn-timers-from-master feature does not work.
R1(config-if)#vrrp 1 timer adv msec 200
R1(config-if)#vrrp 1 timer learn
% cannot learn timer values when millisecond timers are configured
R1(config-if)#
Note: In VRRP, a sub-second hello timer results in a hello timer of 1 second being sent. So if you set msec timer on one router and a non-default non-learning vrrp on another, they won't talk to each other!
Ref: VRRP @ Cisco
Very good investigation of the topic: (HSRP,VRRP,GLBP timers)
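Added example, not from the original post: a small simulation of the timer-mismatch failure described above. It models the rules the post states (a holdtime of three advertisement intervals, discard of a mismatched advertisement unless timers are learned, sub-second timers advertised as 1 second on the wire, and no learning together with msec timers); the router names and intervals are constructed.

```python
from dataclasses import dataclass, field

def wire_interval_ms(configured_ms: int) -> int:
    """IOS advertises a sub-second timer as 1 second on the wire (see the note above)."""
    return 1000 if configured_ms < 1000 else configured_ms

@dataclass
class VrrpRouter:
    """Group member with only the timer-agreement behaviour modelled."""
    name: str
    adv_ms: int                 # configured advertisement interval
    learn: bool = False         # 'vrrp 1 timers learn'
    state: str = "Backup"
    discarded: int = 0
    master_down_ms: int = field(init=False)

    def __post_init__(self):
        if self.adv_ms < 1000 and self.learn:   # IOS refuses this combination
            raise ValueError("% cannot learn timer values when millisecond timers are configured")
        self.master_down_ms = 3 * self.adv_ms  # holdtime: three advertisement intervals

    def receive(self, advertised_ms: int) -> bool:
        """Handle a Master advertisement; a mismatched interval is discarded unless learning."""
        if advertised_ms != wire_interval_ms(self.adv_ms):
            if not self.learn:
                self.discarded += 1
                return False
            self.adv_ms = advertised_ms         # learned value overrides the configured one
        self.master_down_ms = 3 * self.adv_ms   # a valid advertisement restarts the holdtime
        return True

    def tick(self, elapsed_ms: int) -> str:
        self.master_down_ms -= elapsed_ms
        if self.state == "Backup" and self.master_down_ms <= 0:
            self.state = "Master"               # holdtime expired: Backup promotes itself
        return self.state

def simulate(master: VrrpRouter, backup: VrrpRouter, duration_ms: int = 10_000) -> str:
    """Master advertises on its configured interval; return the Backup's final state."""
    master.state = "Master"
    for _ in range(duration_ms // master.adv_ms):
        backup.receive(wire_interval_ms(master.adv_ms))
        backup.tick(master.adv_ms)
    return backup.state

if __name__ == "__main__":
    print(simulate(VrrpRouter("R1", 3000), VrrpRouter("R2", 1000)))             # Master (two Masters)
    print(simulate(VrrpRouter("R1", 3000), VrrpRouter("R2", 1000, learn=True)))  # Backup
```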
NAT Order of Operation
To summarize, there is the old way of NATting (domain-based NAT) and the new way introduced with 12.3(T), the NAT Virtual Interface (NVI).
In domain-based NAT:
Packets arriving on the outside interface are first translated, then routed.
For packets arriving on the inside interface, the routing decision is made first, then translation and forwarding.
In NVI-based NAT:
Translation and routing are done symmetrically. The routing lookup is performed twice: first to send the packet to the NVI, then to route the packet using the post-translated addresses.
References: The Inside and Outside of Nat : CCIE Journey
NAT Order of Operation @ Cisco