Tuesday, February 16, 2016
Friday, February 5, 2016
Example - How to configure Site-to-site VPN with IOS router
- Router 1 (Left):
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key CISCO address 10.10.20.3
!
!
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
set peer 10.10.20.3
set transform-set My-Set
match address R1_TO_R3
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
crypto map MyMap
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
!
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip access-list extended R1_TO_R3
permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
- Router 3 (Right):
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key CISCO address 10.10.10.1
!
!
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
set peer 10.10.10.1
set transform-set My-Set
match address R3_TO_R1
!
interface FastEthernet0/0
ip address 172.16.3.3 255.255.255.0
!
interface FastEthernet0/1
ip address 10.10.20.3 255.255.255.0
crypto map MyMap
!
router ospf 10
router-id 3.3.3.3
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip access-list extended R3_TO_R1
permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
- Validation:
Router3#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: MyMap, local addr 10.10.20.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 10.10.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3242, #pkts encrypt: 3242, #pkts digest: 3242
#pkts decaps: 3242, #pkts decrypt: 3242, #pkts verify: 3242
#pkts compressed: 0, #pkts decompressed: 0
Router3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.10.10.1 10.10.20.3 QM_IDLE 1002 0 ACTIVE
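Beyond reading the SA counters, it helps to confirm before deployment that the two configs actually agree. The script below is an added cross-check written for this post (not Cisco's tooling and not the author's); it embeds trimmed copies of the crypto-relevant lines of Router 1 and Router 3 above and assumes the wildcard ACL form used here (the key CISCO is only the page's placeholder).

```python
# Added example (not from the original post): cross-check the two router
# configs above for the mismatches that most often keep the tunnel down.
R1 = """crypto isakmp key CISCO address 10.10.20.3
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
set peer 10.10.20.3
ip address 10.10.10.1 255.255.255.0
ip access-list extended R1_TO_R3
permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255"""
R3 = """crypto isakmp key CISCO address 10.10.10.1
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
set peer 10.10.10.1
ip address 10.10.20.3 255.255.255.0
ip access-list extended R3_TO_R1
permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255"""

def parse(cfg):
    """Extract what both peers must agree on (wildcard-form ACL entries only)."""
    d = {"keys": {}, "addrs": set(), "peer": None, "ts": None, "acl": []}
    in_acl = False
    for raw in cfg.splitlines():
        line, t = raw.strip(), raw.split()
        if line.startswith("crypto isakmp key"):        # address -> pre-shared key
            d["keys"][t[5]] = t[3]
        elif line.startswith("crypto ipsec transform-set"):
            d["ts"] = tuple(t[4:])
        elif line.startswith("ip address"):             # local addresses a peer can target
            d["addrs"].add(t[2])
        elif line.startswith("set peer"):
            d["peer"] = t[2]
        elif line.startswith("ip access-list extended"):
            in_acl = True
        elif line.startswith("permit ip") and in_acl:
            d["acl"].append(tuple(t[2:6]))             # (src, wild, dst, wild)
    return d

def check(cfg_a, cfg_b):
    """Return mismatch descriptions; an empty list means the two sides agree."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if a["peer"] not in b["addrs"] or b["peer"] not in a["addrs"]:
        out.append("set peer does not point at the other router")
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        out.append("pre-shared keys differ or are bound to the wrong peer")
    if a["ts"] != b["ts"]:
        out.append("transform sets differ")
    if {(d, dm, s, sm) for s, sm, d, dm in a["acl"]} != set(b["acl"]):
        out.append("crypto ACLs are not mirror images")
    return out
```

`check(R1, R3)` returns an empty list for the configs above; any non-empty result names the side-to-side mismatch to fix before looking at `show crypto isakmp sa`.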
Monday, January 11, 2016
Command to see all floating routes
With the classic 'show ip route static', the backup (floating) route does not appear in the output:
Router#show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.2.1
To see both routes, the active one and the non-active one, we have to use the command 'show ip static route'. With this command, both routes and their [distance/metric] values are shown:
Router#show ip static route
Codes: M - Manual static, A - AAA download, N - IP NAT, D - DHCP,
G - GPRS, V - Crypto VPN, C - CASA, P - Channel interface proces
B - BootP, S - Service selection gateway
DN - Default Network, T - Tracking object
L - TL1, E - OER, I - iEdge
D1 - Dot1x Vlan Network, K - MWAM Route
PP - PPP default route, MR - MRIPv6, SS - SSLVPN
H - IPe Host, ID - IPe Domain Broadcast
U - User GPRS, TE - MPLS Traffic-eng, LI - LIIN
IR - ICMP Redirect
Codes in []: A - active, N - non-active, B - BFD-tracked, D - Not Track
Static local RIB for default
M 0.0.0.0/0 [1/0] via 10.10.2.1 [A]
M [5/0] via 10.10.25.1 [N]
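The output above is easy to misread because IOS prints the backup on a continuation line without repeating the prefix. The parser below is an added example for this post (not Cisco's or the author's code); it works on the sample output copied from above and assumes the `[A]`/`[N]` state bracket format shown here.

```python
# Added example (not from the original post): parse 'show ip static route'
# output into one record per candidate route, carrying the prefix down to
# the continuation line that IOS prints without repeating it.
import re

# Copied from the post's output above.
SAMPLE = """Static local RIB for default
M 0.0.0.0/0 [1/0] via 10.10.2.1 [A]
M [5/0] via 10.10.25.1 [N]"""

# Assumed line shape: CODE [PREFIX] [AD/METRIC] via NEXTHOP [STATE]
ROUTE = re.compile(
    r"^(?P<code>\S+)\s+(?:(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+)?"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+)\s+\[(?P<state>[A-Z,]+)\]"
)

def parse_static_rib(text):
    """Return a list of route dicts; a line without a prefix inherits the previous one."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = ROUTE.match(line.strip())
        if not m:
            continue                      # header / codes lines
        prefix = m["prefix"] or prefix
        routes.append({"prefix": prefix, "ad": int(m["ad"]), "metric": int(m["metric"]),
                       "next_hop": m["nh"], "active": "A" in m["state"].split(",")})
    return routes

def floating_backups(routes):
    """Map prefix -> next hops of non-active routes with a higher AD than the active one."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r["prefix"], []).append(r)
    result = {}
    for prefix, entries in by_prefix.items():
        active = [e for e in entries if e["active"]]
        if not active:
            continue
        backups = [e["next_hop"] for e in entries
                   if not e["active"] and e["ad"] > active[0]["ad"]]
        if backups:
            result[prefix] = backups
    return result
```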
Friday, December 11, 2015
Capture traffic on Cisco switch with EPC (both directions)
Embedded Packet Capture (EPC) is a powerful tool implemented on certain Cisco devices. With it, it is no longer mandatory to SPAN traffic in order to capture it. You can capture traffic at different points of your network, with some limitations described in the Cisco documentation.
In my case, I would like to capture traffic between 2 machines (only these 2 machines), as described in the diagram below:
In order to do this, you can use the following configuration:
ip access-list extended HOST-TO-FILTER
permit ip host 10.10.10.1 host 10.10.20.1
permit ip host 10.10.20.1 host 10.10.10.1
!
monitor capture MY-CAPTURE file location flash:mycapture.pcap size 10 int GigabitEthernet1/0/1 both access-list HOST-TO-FILTER
After that, you can start the capture with the command:
monitor capture MY-CAPTURE start
And stop it:
monitor capture MY-CAPTURE stop
This capture can be exported and read with Wireshark, for example.
!! Warning!!
EPC can consume CPU and memory. Take care to apply a good filter so as not to overload your router or switch.
Thursday, December 10, 2015
OSPF - Filter redistribution in a Totally NSSA area
In some cases the ABR can also be an ASBR. If we are working with a Totally NSSA area, we then have unnecessary routes: the ABR announces a default route together with its redistributed routes, which are not necessary. To solve this and announce only a default route, we can use the command below on the ABR:
area X nssa no-redistribution no-summary
The schema below is an example of this implementation:
Thursday, November 5, 2015
BGP Route Reflector - Routing advertisements rules
In order to avoid routing loops, the route reflector follows the 3 rules below:
1/ Routes learned from an eBGP peer can be announced to eBGP peers, clients and non-clients.
2/ Routes learned from a client can be announced to eBGP peers, other clients and non-clients.
3/ Routes learned from a non-client can be announced to eBGP peers and clients, but they cannot be sent to other non-clients.
Wednesday, November 4, 2015
Track an IP on your Network
Who has never received the following question from a colleague:
- Hey, network guy, could you find where this laptop is for me? I only have its IP address.
To resolve this, you start to follow the IP address by looking in the ARP and MAC address tables of your switches, routers and firewalls. I put an end to this boring job by using the following open source tool:
http://netdbtracking.sourceforge.net/
The developers have already prepared a preconfigured VM:
http://sourceforge.net/projects/netdbtracking/files/vmware/
After 30 minutes of VM installation and a few hours (depending on the size of your network) of configuration to enter your different devices, you can provide a web tool, reachable by everybody, to track an IP.
You will find below some examples of host configuration.
- HP Procurve (Layer 3):
hostname,devtype=procurvehpv2, arp
- HP Procurve (Layer 2):
In this example, I skipped the uplink interfaces (45 and 47). I have also limited it to 2 MAC addresses per interface.
hostname,devtype=procurvehpv2,skip_port=45,skip_port=47,use_trunks,max_macs=2