Jaycee's Networking

April 23, 2009

BGP Path Selection – IOS

Filed under: BGP, IOS — Tags: — Jaycee @ 11:31 pm

1. Next-Hop accessible:

By default, routers don’t update the next-hop attribute when exchanging routes via iBGP. BGP will not pass routes with an unreachable next hop to the main routing table, but it will keep them in its own route database.

*NEXT_HOP is a mandatory attribute that carries the IP address of the 1st BGP router along the path to the destination network. By default, the NEXT_HOP router is the router that announced this route to the AS. For routes learned from an external AS via eBGP, the NEXT_HOP router is the 1st router in the neighboring AS. This information is passed intact throughout the AS using iBGP, so all routers in the AS see the same NEXT_HOP router.

2. Synchronization:

Synchronization means that a BGP router is not allowed to advertise a route that is learned from another BGP peer until the router knows about the route via an IGP.

If synchronization is enabled, the router will ignore any iBGP routes that are not synchronized. Because the AS needs to behave consistently, if you run an IGP and iBGP, they have to agree.

For a BGP route to be usable, the IGP must also contain a route to the same prefix. This ensures that one of these BGP peer routers doesn’t try to forward a packet to the other internal BGP peer unless the network connecting them knows what to do with this packet.

Synchronization requirement: Asserts that a route must be known by an IGP before it may be advertised to BGP peers.

Disabling synchronization is an absolute MUST for running iBGP: Cisco routers allow synchronization to be disabled, which is necessary in any case where you don’t redistribute the IGP routes into BGP.

Synchronization can be disabled safely under either of 2 conditions:

(1) If your network doesn’t pass traffic from one AS to another (i.e., other networks do not route their traffic through you.)

(2) If all your border routers are running BGP.

router bgp 65500
 network 192.168.1.0
 neighbor 192.168.55.5 remote-as 65501
 no synchronization

3. Weight (Influences OUTBOUND traffic, but is applied on inbound) :

This is a Cisco-proprietary parameter given to a route on a particular router and used only within that router. The weight is never passed to other routers.

*Default weight = 0, except for locally sourced routes which get a default weight = 32,768. The maximum weight is 65,535.

*Weight value => the higher the better.

router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 172.18.5.0 mask 255.255.255.0
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 weight 200
 no auto-summary

4. Local Preference (Influences OUTBOUND traffic, but is applied on inbound) :

Routers only include LOCAL_PREF attribute when communicating within an AS (iBGP).

(1) For external routes, the router that receives a particular route via eBGP sets the Local Preference value.

(2) For internal routes, it’s set by the router that introduced the route into BGP.

This allows you to force every router in your AS to preferentially send traffic for a particular destination through a particular eBGP link.

Local preferences are shared among iBGP routers, but they are NOT shared with external BGP routers.

*Default LOCAL_PREF = 100.

*LOCAL_PREF value => the higher the better.

*LOCAL_PREF is a discretionary attribute.

router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 172.18.5.0 mask 255.255.255.0
 bgp default local-preference 200
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 route-map LOCALPREF in
 no auto-summary

route-map LOCALPREF permit 10
 match ip address prefix-list LOW_LOCALPREF
 set local-preference 50
route-map LOCALPREF permit 20

ip prefix-list LOW_LOCALPREF seq 10 permit 172.22.0.0/1

5. Self-Originated:

BGP prefers routes that originate inside its own AS.

6. AS Path (Influences INBOUND traffic, but is applied on outbound) :

For routes that originate outside of the AS, BGP will prefer the one with the shortest path. AS paths allow BGP to detect routing loops.

*AS_PATH is a mandatory attribute. There are 2 types of AS_PATHs:

(1) An AS_SEQUENCE describes the literal path taken to reach the destination.
(2) An AS_SET is an unordered list of ASNs along the path.

*AS_PATH value: the shorter the better

ip as-path access-list 10 permit ^65501$
ip as-path access-list 20 permit _65530_
ip as-path access-list 20 deny _65531$
ip as-path access-list 20 permit .*

router bgp 65500
 no synchronization
 network 172.18.5.0 mask 255.255.255.0
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 filter-list 10 in
 neighbor 192.168.2.5 remote-as 65520
 neighbor 192.168.2.5 filter-list 20 out
 no auto-summary

“.*” permits all other AS paths
“^$” matches routes whose AS_PATH field is empty

ip as-path access-list 10 permit ^$

route-map PREPEND permit 10
 match as-path 10
 set as-path prepend 65501 65501 65501
route-map PREPEND permit 20

router bgp 65501
 neighbor 192.168.1.5 route-map PREPEND out
 no auto-summary

7. Origin:

BGP selects IGP routes in preference to EGP, and EGP in preference to INCOMPLETE routes. An INCOMPLETE route is one that is injected into BGP via redistribution.

*ORIGIN is a mandatory attribute with 3 possible values:

0 – IGP
1 – EGP
2 – Incomplete

8. MED (Multi-exit discriminator) (Influences INBOUND traffic, but is applied on outbound) :

BGP selects the route with the lowest MED value. The MED actually leaves your AS and tells your neighbor’s routers which link you want them to use. That is, you use the MED to tell your ISPs which of several entrances to your network they should use. You should use MED values ONLY IF you are multihomed to a single provider.

MED is used ONLY if both routes are received from the same AS, or if the command “bgp always-compare-med” has been enabled.

With “bgp always-compare-med” enabled, BGP will compare MED values even if they come from different ASes, although to reach this step the AS_PATHs must have the same length. You should use this command throughout the AS or you risk creating routing loops.

MED values are ONLY propagated to adjacent ASes, so routers that are further downstream don’t see them at all.

*Default MED = 0.

*MED value => the lower the better

access-list 10 permit 192.168.0.0 0.0.255.255

route-map MED permit 10
 match ip address 10
 set metric 100
route-map MED permit 20

router bgp 65500
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 route-map MED out

9. External :

BGP prefers eBGP paths to iBGP paths, which helps to eliminate loops. This test doesn’t consider internal routes sourced from within your AS, because they were already selected at step 5; it only looks at routes to external destinations.

eBGP administrative distance = 20, lower than that of any IGP, because an externally learned route should lead out of the AS instead of staying inside it.

iBGP administrative distance = 200, higher than that of any IGP, because an internal route should be reached through the internal IGP instead.

10. IGP Cost :

BGP compares the IGP costs of the paths to the next-hop routers, and selects the closest one. This ensures that faster links and shorter paths are used where possible.

11. eBGP Peering/Ages of the routes :

BGP will look at the ages of the routes and use the oldest route to a particular destination, for stability.

12. Router ID :

BGP resorts to the router IDs of the next-hop routers and selects the next-hop router with the lowest router ID. Router IDs are unique, so this step is guaranteed to break any remaining tie.

A router’s ID is the IP address assigned to the loopback interface or the highest IP address on an active interface at boot time.

*Router ID => the lower the better
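Worked example (added here, not from the original post): the 12 steps above as a Python comparator run over three constructed candidate paths to one prefix. The path names, attribute values and the neighbor ASes 65510/65520 are made up for the illustration; the MED step is applied only under the same-neighbor-AS rule unless always-compare-med is set, as described under step 8.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Path:
    """One candidate path to a prefix with the attributes the 12 steps compare.
    All values are constructed for this example."""
    name: str
    next_hop_reachable: bool = True
    synchronized: bool = True           # only matters when synchronization is on
    weight: int = 0                     # Cisco-local; higher wins (32768 if locally sourced)
    local_pref: int = 100               # higher wins
    locally_originated: bool = False    # network/redistribute/aggregate on this router
    as_path: List[int] = field(default_factory=list)  # shorter wins
    origin: int = 0                     # 0 IGP, 1 EGP, 2 INCOMPLETE; lower wins
    med: int = 0                        # lower wins, same-neighbor-AS rule applies
    ebgp: bool = True                   # eBGP-learned beats iBGP-learned
    igp_cost: int = 0                   # IGP metric to the next hop; lower wins
    age: int = 0                        # seconds the route has been known; oldest wins
    router_id: str = "0.0.0.0"          # lowest router ID is the final tiebreak

    @property
    def neighbor_as(self) -> Optional[int]:
        # Leftmost ASN is the AS the route was received from (None for local routes).
        return self.as_path[0] if self.as_path else None


def ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in addr.split("."))


def select_best(paths: List[Path], synchronization: bool = False,
                always_compare_med: bool = False) -> Tuple[Optional[Path], str]:
    """Walk the steps in the order listed above and return the winning path and
    the step that decided it. Each step keeps only the candidates with the best
    key; the first step that leaves a single candidate decides."""
    # Steps 1 and 2 are eligibility filters, not comparisons.
    cands = [p for p in paths
             if p.next_hop_reachable and (p.synchronized or not synchronization)]
    if not cands:
        return None, "no usable path"
    steps = [
        ("3 weight",          lambda p: -p.weight),
        ("4 local-pref",      lambda p: -p.local_pref),
        ("5 self-originated", lambda p: 0 if p.locally_originated else 1),
        ("6 as-path length",  lambda p: len(p.as_path)),
        ("7 origin",          lambda p: p.origin),
        ("8 med",             lambda p: p.med),
        ("9 ebgp over ibgp",  lambda p: 0 if p.ebgp else 1),
        ("10 igp cost",       lambda p: p.igp_cost),
        ("11 oldest",         lambda p: -p.age),
        ("12 router-id",      lambda p: ip_key(p.router_id)),
    ]
    for name, key in steps:
        if name == "8 med":
            same_as = len({p.neighbor_as for p in cands}) == 1
            if not (same_as or always_compare_med):
                continue  # MED is only comparable between paths from the same AS
        best_key = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == best_key]
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie after step 12"


def sample_paths() -> List[Path]:
    """Three constructed paths to one prefix as seen on a border router in
    AS 65500: eBGP paths from providers 65510 and 65520, and an iBGP path from
    another border router that also peers with 65510 (local-pref 200 applied
    to the 65510 paths, as with 'bgp default local-preference 200' above)."""
    return [
        Path("via_isp_a", local_pref=200, as_path=[65510, 65501], med=100,
             router_id="192.168.1.5"),
        Path("via_isp_b", local_pref=100, as_path=[65520, 65501], med=50,
             router_id="192.168.2.5"),
        Path("via_ibgp", local_pref=200, as_path=[65510, 65501], med=100,
             ebgp=False, igp_cost=20, router_id="10.0.0.2"),
    ]


if __name__ == "__main__":
    best, step = select_best(sample_paths())
    print(f"best: {best.name}, decided at step {step}")   # via_isp_a, step 9
    # A lower MED on the iBGP path flips the result: MED (step 8) is compared
    # before eBGP-vs-iBGP (step 9) because both paths came from AS 65510.
    paths = sample_paths()
    paths[2].med = 10
    best, step = select_best(paths)
    print(f"best: {best.name}, decided at step {step}")   # via_ibgp, step 8
```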


Troubleshooting with ARP

Filed under: Troubleshoot — Tags: — Jaycee @ 4:42 pm

Problem:

All the hosts in the 192.168.10.0/24 subnet of the LAN are facing connectivity issues. The regular applications like web and e-mail are either not working or are extremely slow.

Troubleshooting:

1. Ping the default gateway to verify the connectivity.

2. Ping replies from gateway (192.168.10.254) are successful.

3. Ping to any address beyond the (192.168.10.254) interface (Ethernet 0) fails.

4. do “sh int e0”:

Ethernet0 is up, line protocol is up
Hardware is QUICC Ethernet, address is 0010.7bcc.57eb
Internet address is 192.168.10.254/24

5. do “arp -a” to check the local arp table:

C:\> arp -a
Internet Address   Physical Address     Type
192.168.10.254      00-d0-c8-af-e2-5e dynamic

* The incorrect mapping misdirects all the Internet traffic to the host with the wrong MAC.
=> Possible causes of the incorrect entry:

a. IP of the default gateway is used by another host in the local subnet.
b. A local host is running a malicious program to poison the arp table of all the hosts in the subnet.

6. Clear the arp table and manually map the IP:

C:\> arp -d 192.168.10.254
C:\> arp -s 192.168.10.254 00-10-7b-cc-57-eb

7. Verify the arp table:

C:\> arp -a
Internet Address   Physical Address     Type
192.168.10.254      00-10-7b-cc-57-eb  static
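Added example, not part of the original post: a Python check that parses the arp -a output, normalizes the Windows and Cisco MAC formats, and compares the gateway entry against the Ethernet0 address reported by “sh int e0”. As an extra check beyond the steps above it also flags one MAC answering for several IPs, which is what cause (a), another host using the gateway’s IP, looks like in the table; the sample table and the extra host 192.168.10.77 are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: the arp -a table from the steps above, with one extra host
# so the shared-MAC check has something to find.
ARP_A_OUTPUT = """\
Interface: 192.168.10.17 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.254        00-d0-c8-af-e2-5e     dynamic
  192.168.10.77         00-d0-c8-af-e2-5e     dynamic
  192.168.10.1          00-50-56-c0-00-08     dynamic
"""

GATEWAY_IP = "192.168.10.254"
GATEWAY_MAC_FROM_ROUTER = "0010.7bcc.57eb"   # Ethernet0 address from "sh int e0"

ENTRY_PATTERNS = [
    # Windows: "  192.168.10.254        00-d0-c8-af-e2-5e     dynamic"
    re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:.\-]{12,17})\s+\w+"),
    # Linux/BSD: "? (192.168.10.254) at 00:d0:c8:af:e2:5e [ether] on eth0"
    re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})"),
]


def normalize_mac(mac: str) -> str:
    """Accept 00-10-7b-cc-57-eb, 00:10:7b:cc:57:eb or Cisco's 0010.7bcc.57eb and
    return twelve lowercase hex digits so the formats can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC from 'arp -a' output (Windows or Linux format)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        for pattern in ENTRY_PATTERNS:
            m = pattern.search(line)
            if m:
                table[m.group(1)] = normalize_mac(m.group(2))
                break
    return table


def check_arp_table(arp_text: str, gateway_ip: str, gateway_mac: str) -> List[str]:
    """Return findings: a gateway entry that does not match the router's real MAC
    (IP conflict or ARP poisoning), and any MAC that answers for several IPs."""
    findings: List[str] = []
    table = parse_arp_table(arp_text)
    expected = normalize_mac(gateway_mac)
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif seen != expected:
        findings.append(f"gateway {gateway_ip} maps to {seen}, expected {expected}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in check_arp_table(ARP_A_OUTPUT, GATEWAY_IP, GATEWAY_MAC_FROM_ROUTER):
        print("WARNING:", finding)
```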

Netstat and Nbtstat

Filed under: Information — Jaycee @ 4:21 pm

<Netstat>

1. Netstat shows TCP/IP statistics:

a. Current network session to and from the host
b. Protocol statistics
c. Routing Table
d. The number of bytes sent, received, or dropped

2. Windows-based:

-a displays all connections and listening ports.
-e displays Ethernet statistics.
-n displays addresses and port numbers in numerical form
-o displays process ID
-p proto shows connections for the protocol specified by proto
-r displays the routing table
-s displays per-protocol statistics
interval redisplays selected statistics, pausing interval seconds b/w each display

*The SYN_RECEIVED state indicates a half-open TCP connection. It can be an indication of a SYN flood attack.

3. Linux-based:

-r displays routing table
-i displays interface table
-g displays multicast group memberships
-s displays networking statistics (like SNMP), a summary of IP, ICMP, TCP and UDP
-M displays masqueraded connections
-n doesn’t resolve names, in numeric format
-N resolves hardware names
-e displays other information
-p displays PID
-c views a continuous display that gets refreshed periodically until interrupted by Ctrl-C
-l displays listening server sockets
-a displays all sockets (default: connected)
-o displays timers
-F displays FIB
-C displays routing cache instead of FIB
-t displays the currently active TCP connections

*Display all the active connections except the UNIX sockets: netstat -atuwp

4. Issue “netstat -s” command to get a summary of IP, ICMP, TCP and UDP statistics:

Icmp:
echo requests: 53
echo replies: 17
Tcp:
4 segments retransmitted
30 resets sent

a. Under ICMP, “Echo Requests” counter indicates the number of ping packets received by the host.
=> A rapid increase in “Echo Request” indicates that the host is under an ICMP flood attack.
b. Under TCP, a large number of “segments retransmitted” indicates packet loss.
c. A rapid increase in “resets sent” indicates that the host is being subjected to a TCP port scan.
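Added example (not from the original post) covering the SYN_RECEIVED note in section 2 and the “netstat -s” counters in section 4: a Python script that counts TCP states from netstat -an output and turns two netstat -s samples taken some seconds apart into per-second rates, since a rapid increase, not the absolute count, is what the notes key on. The sample outputs, the 60-second interval and the thresholds are constructed and only illustrative.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed "netstat -an" excerpt: one listener, one normal session and a burst
# of half-open connections from scattered sources.
NETSTAT_AN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.10.20:80       198.51.100.7:40122     ESTABLISHED
  TCP    192.168.10.20:80       203.0.113.5:1025       SYN_RECEIVED
  TCP    192.168.10.20:80       203.0.113.77:1026      SYN_RECEIVED
  TCP    192.168.10.20:80       203.0.113.91:1027      SYN_RECEIVED
  TCP    192.168.10.20:80       203.0.113.130:1028     SYN_RECEIVED
  UDP    0.0.0.0:123            *:*
"""

# Two constructed "netstat -s" samples (same wording as the summary above),
# taken 60 seconds apart.
NETSTAT_S_T0 = """\
Icmp:
    echo requests: 53
    echo replies: 17
Tcp:
    4 segments retransmitted
    30 resets sent
"""
NETSTAT_S_T1 = """\
Icmp:
    echo requests: 9553
    echo replies: 17
Tcp:
    9 segments retransmitted
    1230 resets sent
"""

COUNTERS = {
    "echo_requests": r"echo requests:\s*(\d+)",
    "retransmitted": r"(\d+) segments retransmitted",
    "resets_sent": r"(\d+) resets sent",
}


def tcp_state_counts(netstat_an: str) -> Counter:
    """Count TCP states in 'netstat -an'-style output. Linux prints SYN_RECV for
    the state Windows calls SYN_RECEIVED; both are counted under the latter."""
    counts: Counter = Counter()
    for line in netstat_an.splitlines():
        fields = line.split()
        if fields and fields[0].lower().startswith("tcp"):
            state = fields[-1].upper()
            counts["SYN_RECEIVED" if state == "SYN_RECV" else state] += 1
    return counts


def parse_netstat_s(text: str) -> Dict[str, int]:
    """Pull the counters of interest out of a 'netstat -s' summary."""
    values = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        if m:
            values[name] = int(m.group(1))
    return values


def counter_rates(before: Dict[str, int], after: Dict[str, int],
                  seconds: float) -> Dict[str, float]:
    """Per-second growth of each counter between two samples; the cumulative
    totals say little, the rate of increase is what the notes above key on."""
    return {k: (after[k] - before[k]) / seconds for k in before if k in after}


def assess(netstat_an: str, stats_t0: str, stats_t1: str, seconds: float,
           half_open_limit: int = 3, echo_rps: float = 50.0,
           reset_rps: float = 10.0) -> List[str]:
    """Return warnings. The thresholds are illustrative placeholders and need
    tuning to the host's normal traffic."""
    warnings = []
    states = tcp_state_counts(netstat_an)
    if states["SYN_RECEIVED"] >= half_open_limit:
        warnings.append(f"{states['SYN_RECEIVED']} half-open connections: possible SYN flood")
    rates = counter_rates(parse_netstat_s(stats_t0), parse_netstat_s(stats_t1), seconds)
    if rates.get("echo_requests", 0) > echo_rps:
        warnings.append(f"echo requests rising at {rates['echo_requests']:.0f}/s: possible ICMP flood")
    if rates.get("resets_sent", 0) > reset_rps:
        warnings.append(f"resets sent rising at {rates['resets_sent']:.0f}/s: possible port scan")
    if rates.get("retransmitted", 0) > 0:
        warnings.append(f"retransmissions at {rates['retransmitted']:.2f}/s: packet loss")
    return warnings


if __name__ == "__main__":
    for w in assess(NETSTAT_AN, NETSTAT_S_T0, NETSTAT_S_T1, seconds=60):
        print("WARNING:", w)
```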

<Nbtstat>

1. Nbtstat determines the user logged on to a Windows machine with a given IP address; it also provides the MAC address of the Ethernet interface.

nbtstat -A remote-ip-address

2. Example: use “nbtstat” to trace a user

a. Use “show mac-address-table dynamic” on Cisco switch to obtain MAC:

Router#sh mac-address-table dynamic
vlan  mac address         type          protocol  ports
10     0080.1c93.8040  dynamic  ip              5/7

b. Use “show arp” on Cisco router to obtain MAC-to-IP:

Router#sh arp
Protocol Address
Internet 172.20.52.12

c. Use “nbtstat -A ip-address” to determine the user who is logged in to the machine with that IP:

C:\>nbtstat -A 172.20.52.12
SPOPE     <03>  UNIQUE    Registered
MAC Address – 0080.1c93.8040

<Examples>

1. “netstat -ao”: lists various TCP and UDP ports, the local and foreign addresses associated with the ports, and the current state of the ports.

C:\WINDOWS>netstat -ao

Active Connections

Proto Local Address Foreign Address State PID
TCP   pro1:epmap   pro1.dpetri.net:0   LISTENING   860
TCP   pro1:microsoft-ds   pro1.dpetri.net:0   LISTENING   4
TCP   pro1:1025   pro1.dpetri.net:0   LISTENING   908
TCP   pro1:1084   pro1.dpetri.net:0   LISTENING   596
TCP   pro1:2094   pro1.dpetri.net:0   LISTENING   596
TCP   pro1:3389   pro1.dpetri.net:0   LISTENING   908
TCP   pro1:5000   pro1.dpetri.net:0   LISTENING   1068
TCP   pro1:1084   srv1.dpetri.net:1026   ESTABLISHED   596
TCP   pro1:2094   srv1.dpetri.net:1166   ESTABLISHED   596
UDP   pro1:epmap   *:*   860
UDP   pro1:microsoft-ds   *:*   4
UDP   pro1:isakmp   *:*   680
UDP   pro1:1026   *:*   1040
UDP   pro1:1027   *:*   1040
UDP   pro1:1028   *:*   680
UDP   pro1:1038   *:*   908
UDP   pro1:1043   *:*   624
UDP   pro1:1085   *:*   596
UDP   pro1:1086   *:*   596
UDP   pro1:1242   *:*   1040
UDP   pro1:ntp   *:*   908
UDP   pro1:1649   *:*   596
UDP   pro1:1900   *:*   1068
UDP   pro1:2095   *:*   976
UDP   pro1:2217   *:*   1856
UDP   pro1:ntp   *:*   908
UDP   pro1:1900   *:*   1068

2. “netstat -es”: is useful in detecting the traffic generated or received by the machine. The interface statistics provide a summary of packets sent and received. A high number of discards, errors, or unknown protocols indicates problems at the Ethernet level caused by cabling, duplex and autonegotiation issues.

netstat -es

3. “netstat -r”: displays the route table.

BSD $ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        1        0    dc0
localhost          localhost          UH          1        0    lo0
192.168.1          link#1             UC          3        0    dc0
192.168.1.1        00:06:25:63:dd:ec  UHLW        2        0    dc0   1190
surf               00:a0:cc:28:8c:7a  UHLW        1      117    dc0   1135
smurf              localhost          UGHS        0        0    lo0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       3       65    dc0

Linux :~> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

C:\WINDOWS\Desktop>netstat -r
Route table

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      24.67.179.1    24.67.179.22       1
      24.67.179.0    255.255.255.0     24.67.179.22    24.67.179.22       1
     24.67.179.22  255.255.255.255        127.0.0.1       127.0.0.1       1
   24.255.255.255  255.255.255.255     24.67.179.22    24.67.179.22       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0     24.67.179.22    24.67.179.22       1
  255.255.255.255  255.255.255.255     24.67.179.22               2       1
Default Gateway:       24.67.179.1
===========================================================================
Persistent Routes:
  None

4. “netstat -t”: displays the currently active TCP connections.

         [root@Linux] /#netstat -t         
         Active Internet connections (w/o servers)
         Proto	Recv-Q	Send-Q	Local Address	Foreign Address	State
         Tcp	0	0	deep.openar:netbios-ssn	gate.openna.com:1045	ESTABLISHED
         Tcp	0	0	localhost:1032	localhost:1033	ESTABLISHED
         Tcp	0	0	localhost:1033	localhost:1032	ESTABLISHED
         Tcp	0	0	localhost:1030	localhost:1034	ESTABLISHED
         Tcp	0	0	localhost:1031	localhost:1030	ESTABLISHED
         Tcp	0	0	localhost:1028	localhost:1029	ESTABLISHED
         Tcp	0	0	localhost:1029	localhost:1028	ESTABLISHED
         Tcp	0	0	localhost:1026	localhost:1027	ESTABLISHED
         Tcp	0	0	localhost:1027	localhost:1026	ESTABLISHED
         Tcp	0	0	localhost:1024	localhost:1025	ESTABLISHED
         Tcp	0	0	localhost:1025	localhost:1024	ESTABLISHED
 

5. “netstat -atuwp”: displays all the active connections except the UNIX sockets.

         [root@Linux] /#netstat -atuwp         
         Active Internet connections (servers and established)
         Proto	Recv-Q	Send-Q		Local Address		Foreign Address	       State	PID/Program name
	 Tcp	0	0		*:5902			*:*			LISTEN     4649/Xrealvnc
    	 Tcp	0	0		*:x11 			*:*			LISTEN      4433/XFree86
         Tcp	0	0		*:x11 -2		*:*			LISTEN      4649/XFree86
         Tcp	0	0		*:ssh 			*:*			LISTEN          882/sshd
         Tcp	0	0		192.168.0.30:ssh 	192.168.0.103:3578	ESTABLISHED       3438/0
         Tcp	0	0		192.168.0.30:5902 	192.168.0.103:3645	ESTABLISHED 4649/Xrealvnc

6. “netstat -i”: displays the statistics of the Ethernet interface.

[root@Linux] /#netstat -i
Name Mtu  Net/Dest     Address   Ipkts    Ierrs Opkts    Oerrs  Collis  Queue
le0  1500 b5-spd-2f-cm tatra     14093893 8492  10174659 1119   2314178   0
lo0  8232 loopback     localhost 92997622 5442  12451748 0      775125    0

7. “netstat -s”: displays a summary of IP, ICMP, TCP and UDP.

[root@Linux] /#netstat -s
UDP

udpInDatagrams      =  39228     udpOutDatagrams     =  2455
udpInErrors         =     0

TCP

tcpRtoAlgorithm     =     4      tcpMaxConn          =    -1
tcpRtoMax           = 60000      tcpPassiveOpens     =     2
tcpActiveOpens      =     4      tcpEstabResets      =     1
tcpAttemptFails     =     3      tcpOutSegs          =   315
.
.
IP

ipForwarding        =     2      ipDefaultTTL        =   255
ipInReceives        =  4518      ipInHdrErrors       =     0
.
.
ICMP

icmpInMsgs          =     0      icmpInErrors        =     0
icmpInCksumErrs     =     0      icmpInUnknowns      =     0
.
.

IGMP:

0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 membership reports sent

Ping

Filed under: Information, IOS — Tags: — Jaycee @ 9:04 am

1. Ping is used to verify:

a. Network connectivity b/w 2 endpoints
b. Round-trip delay in communicating with the host
c. Packet loss

2. Ping works by sending an ICMP (Internet Control Message Protocol) Echo Request message and waiting for the ICMP Echo Reply packets.

3. Round-trip time is important for proper functioning of some real-time applications:

a. VoIP has a maximum of 300ms
b. Citrix has a maximum of 250ms for acceptable performance

4. Ping uses ICMP traffic, whereas most of the user traffic consists of TCP or UDP. Ping can potentially produce inaccurate results:

a. Timeout value

1) Default timeout value for Windows ping is 1 second (1000 ms). This can cause inaccurate results on slower links such as satellite-based connections.

2) Use -w to change the default timeout value: ping -w 5000 ip-address

b. MTU (Maximum transmission unit)

1) On an Ethernet network, MTU is 1500 bytes.

2) If DF (Don’t Fragment) bit in the IP header of the datagram is set, the router cannot fragment the datagram.
=> Router drops the bigger packets and sends an ICMP Destination Unreachable, fragmentation needed and DF set message to the source.

3)  MTU-related issues are common in IPSec-based VPN. IPSec encapsulates the original IP datagram with an IPSec header, thus making the packet larger:

i) IP Fragmentation and MTU Path Discovery with VPN

ii) IPSec can make fragmentation problems worse, because it lengthens each IP packet by one, or possibly two, IP headers. These added headers vary in length by choice of IPSec protocols (and whether IntraPort’s “NAT transparency” is also in use), but empirically they do not exceed 80 bytes per packet.

iii) A good technique (the best technique, really) of avoiding fragmentation with IPSec is reducing the interface MTU that applications and the IP protocol stack see on both ends of the TCP connection. If the applications and the IP protocol stack think the interface MTU is 1420 bytes or less, they will not emit packets that need to be fragmented after IPSec encapsulation for transport through Ethernet-size-capable routers and links.

5. Windows-based ping:

a. Default ping packet is 56 bytes; IP header is 28 bytes.

b. If 1272 bytes is the biggest size that still gets replies, then the actual MTU size is 1272 + 28 = 1300 bytes.

c. -f sets the DF bit; -l buffer-size specifies the data payload size; -t for continuous ping; -a for Name Resolution; -r records route for count hops; -w sets timeout in ms for each reply; -n sets the number of echo requests to send; Ctrl-Break to view the summary without stopping.

ping -f -l 1500 ip-address

6. Linux-based ping:

a. Default ping packet is 56 bytes; IP header is 28 bytes.

b. -M do sets the DF bit; -M dont leaves the DF bit clear; -s specifies the number of bytes of data; -i sets timeout in ms for each reply; -I specifies the source address; -c sets the number of echo requests to send.

ping -c 4 -M do -s 1272 ip-address
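Added example, not from the original post: the manual path MTU discovery of sections 5 and 6 as a Python binary search over a pluggable probe. The probe shown is a simulated link (no packets are sent) that answers a DF-marked echo only when payload + 28 fits the path MTU; swapping in a function that runs the ping commands above against a real host gives the real test.

```python
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IP header + 8-byte ICMP header: the "+ 28" above
ETHERNET_MTU = 1500


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Stand-in for running 'ping -f -l <size>' or 'ping -M do -s <size>':
    True when a DF-marked echo with <size> payload bytes fits every hop and is
    answered, False when a hop would have to fragment it and drops it instead.
    No packets are sent; the path MTU is a constructed value."""
    def probe(payload: int) -> bool:
        return payload + IP_ICMP_OVERHEAD <= path_mtu
    return probe


def find_max_payload(probe: Callable[[int], bool], lo: int = 0,
                     hi: int = ETHERNET_MTU - IP_ICMP_OVERHEAD) -> int:
    """Binary-search the largest payload that still gets a reply with DF set.
    hi defaults to 1472, the payload that exactly fills a 1500-byte frame."""
    if not probe(lo):
        raise RuntimeError("even the smallest probe gets no reply: not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2      # round up so lo always advances
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Largest payload plus the 28 header bytes, e.g. 1272 + 28 = 1300."""
    return find_max_payload(probe) + IP_ICMP_OVERHEAD


def ipsec_safe_mtu(mtu: int, ipsec_overhead: int = 80) -> int:
    """Interface MTU to present to applications so packets still fit after IPsec
    adds up to ipsec_overhead bytes (the 80-byte figure above): 1500 - 80 = 1420."""
    return mtu - ipsec_overhead


def ping_command(os_name: str, payload: int, host: str) -> str:
    """The DF-set probe from sections 5 and 6 for a given payload size."""
    if os_name == "windows":
        return f"ping -f -l {payload} {host}"
    if os_name == "linux":
        return f"ping -c 4 -M do -s {payload} {host}"
    raise ValueError(f"unknown OS: {os_name}")


if __name__ == "__main__":
    probe = simulated_link(1300)      # a path with a 1300-byte bottleneck
    payload = find_max_payload(probe)
    print(f"largest payload with DF set: {payload}, path MTU: {payload + IP_ICMP_OVERHEAD}")
    print("confirm on Windows with:", ping_command("windows", payload, "<host>"))
    print("confirm on Linux with:  ", ping_command("linux", payload, "<host>"))
```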

7. IOS-based ping:

a. Default ping packet is 100 bytes:

b. Use the “Record” IP header option: it reports the hops that the Echo Request went through and the hops it visited on the return path. The traceroute command doesn’t get information about the path that the Echo Reply takes.

c. Use “ip name-server ip-address-of-DNS-server” command

d. Use the “no ip directed-broadcast” command to prevent ICMP flooding attacks. DDoS attacks such as Smurf use the directed broadcast of ICMP packets to flood the target network with broadcast replies.

*An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a router that is directly connected to its destination subnet, that packet is “exploded” as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

The ip directed-broadcast interface command controls the explosion of directed broadcasts when they reach their target subnets. The command affects only the final transmission of the directed broadcast on its ultimate destination subnet. It does not affect the transit unicast routing of IP directed broadcasts.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet. If an access list has been configured with the ip directed-broadcast command, only directed broadcasts that are permitted by the access list in question will be forwarded; all other directed broadcasts destined for the interface subnet will be dropped.

If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined for the subnet to which that interface is attached will be dropped, rather than being broadcast.

8. Other ping tools:

a. fping: can test multiple hosts simultaneously

http://www.fping.com

b. hping: provides the additional capability to use TCP, UDP and RAW-IP for testing remote host connectivity, has a traceroute mode, the ability to send files over a covert channel, and many other features.

http://www.hping.org

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP.

c. SmokePing: provide detailed graphic records of network performance

http://people.ee.ethz.ch/~oetiker/webtools/smokeping

9. ICMP traffic is often assigned a lower priority on the routers. If the router CPU utilization is high, the ping process might not respond.

10. Troubleshooting steps:

a. Ping the loopback address of the source device
=> confirm local TCP/IP Stack

b. Ping the external network interface of the source device
=> confirm local NIC is working and ethernet link is up

c. Ping the default gateway of the source device
=> confirm connectivity and routing b/w host and default gateway

d. Ping the destination device
=> confirm connectivity b/w host and destination


Basic Tools

Filed under: IOS, Security — Tags: — Jaycee @ 1:19 am

1. In-band vs. Out-of-band:

Out-of-band does not carry LAN/WAN traffic that flows through the router.
In-band signaling uses the same path for data and control signals.

2. Cisco console cable:

a. It goes into the serial port adapter (DB9-to-RJ-45)
b. Console settings: 9600 N81 Hardware
c. Securing a console connection: use “exec-timeout” command

3. Terminal emulation software:

a. Windows-based:

1) HyperTerminal
2) HTPE (HyperTerminal Private Edition)
3) TeraTerm
4) PuTTY
5) SSH Secure Shell Client (http://www.ssh.com)

b. Linux-based:

1) Minicom
2) Cu
3) GtkTerm

4. Log session:

a. Linux users can log Telnet sessions by using the tee command:

telnet host-ip-address 2>&1 | tee text-file

b. Windows users can use “set logfile filename”:

C:\>telnet
> set logfile routerlog.txt

5. For SSH encryption algorithm:

a. Configure:

crypto key generate rsa 1024
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
transport input ssh

b. Display SSH info:

#sh ip ssh
#sh ssh

c. Login:

It can be DES or 3DES, depending on the encryption supported by the IOS image of the router, switch or firewall.

ssh -l username -c 3DES ip-address

6. Enable GUI:

1. Enable IOS for HTTP:

R(config)#ip http server
R(config)#ip http secure-server
R(config)#ip http authentication {aaa|enable|local|tacacs}
R(config)#username name [privilege level]
R(config)#username name password secret

username jaycee password cisco
username jaycee privilege 15
ip http server
ip http authentication local

2. Enable PDM (PIX Device Manager) on Cisco PIX firewall:

R(config)#http server enable
pix(config)#http ip_address [netmask] [if_name]

pix(config)#http server enable
pix(config)#http 192.168.0.0 255.255.255.0 inside

*PDM can only be accessed through HTTPS (HTTP over SSL).

7. TFTP Servers:

a. Windows-based:

Solarwind’s TFTP server: http://www.solarwinds.net

b. Linux-based: tftpd

1) Install tftpd: apt-get install tftpd
2) Configuration file: /etc/inetd.conf
3) Create tftpboot directory that matches the one in /etc/inetd.conf file (default location: /boot):  mkdir /tftpboot
4) Change the folder permission to allow read and write permissions: chmod 666 /tftpboot
5) Change the owner to nobody: chown nobody /tftpboot
6) Change the file permission to allow read and write permissions: chmod a+wr *
*Linux tftpd has a built-in security feature that prevents access to files unless they already exist on the TFTP server.
=> Before writing to any file, you must create it on the TFTP server.
==> The file must have read-and-write permission.
7) Restart inetd server: /etc/init.d/inetd restart

c. IOS-based:

R(config)#tftp-server flash:ios-image-file.bin

d. IOS commands to use tftp:

copy running-config tftp:
copy startup-config tftp:
copy tftp running-config
copy tftp startup-config

e. PIX commands to use tftp:

1) Copy running configuration to a TFTP server:

write net tftp-ip-address:filename

2) Copy configuration from a specified file on the TFTP server:

config net tftp-ipaddress:filename

8. FTP Servers:

a. Windows-based: it offers a built-in FTP server under IIS server

b. Linux-based:

1) vsftpd (very secure FTP daemon): http://vsftpd.beasts.org

(i) install vsftpd: apt-get install vsftpd
(ii) edit /etc/vsftpd.conf: anonymous_enable=no
(iii) create ftp user: useradd ftp-user, passwd ftp-user
(iv) restart vsftpd: /etc/init.d/vsftpd restart

2) ProFTP: http://www.proftpd.org
3) WUFTP: http://www.wu-ftpd.org

c. IOS to use FTP:

R#copy running ftp://ftp-user:cisco@192.168.0.103/router-confg

9. IOS to use SCP:

a. Configure SCP:

Router (config)# aaa new-model
Router (config)# aaa authentication login default group tacacs+

*aaa authentication login {default | list-name} method1 [method2…]

Router (config)# aaa authorization exec default group tacacs+

*aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2]]

Router (config)# username superuser privilege 2 password 0 superpassword
Router (config)# ip scp server enable

b. Debug SCP:

Router#debug ip scp

c. Example:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username tiger privilege 15 password 0 lab
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable

Everything as a service

Filed under: Information — Tags: — Jaycee @ 12:35 am

1. CaaS (Communication as a service):

Delivery of Voice over IP (VaaS), instant messaging, and video conferencing applications using fixed and mobile devices

2. IaaS (Infrastructure as a service)

Delivery of computer infrastructure: a platform virtualization environment for running client-specified virtual machines, computer hardware, computer networking (including firewalls and load balancing), and Internet connectivity

3. SaaS (Software as a service):

SaaS software vendors may host the application on their own web servers or download the application to the consumer device, disabling it after use or after the on-demand contract expires. The on-demand function may be handled internally to share licenses within a firm or by a third-party application service provider (ASP) sharing licenses between firms. Examples of SaaS vendors include SAP Business ByDesign and Google Apps which provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers.

Drawbacks:

a. Data transfers take place at Internet, rather than local Ethernet speeds; the provider may go bankrupt and the firewall may not permit integration with back end systems. It may not be easy to judge the importance of such issues when an implementation is first started, however they are largely resolved by the Hybrid SaaS model.

b. Widespread implementation of SaaS requires well-defined services that can achieve an economy of scale and the capacity to balance supply and demand. This requires areas of IT that are ubiquitous and commodity-like. SaaS is therefore not suitable for innovative or highly specialized niche systems, though SaaS may be used to provide one or more components in such systems.

c. As with manufacturing, a lack of substitutability and second-sourcing options with any commodity creates a strategic weakness for any customer in terms of security, competition and pricing. Various forms of this weakness, such as “vendor lock-in”, are often cited as a barrier to adoption of SaaS, as the current industry lacks portability and interoperability between vendors. This means that changing from one vendor to another will take a considerable amount of effort and time, although no more time than required to convert or migrate from one traditional, installed software package to another. This situation is resolvable by the introduction of open-sourced standards and the development of markets based upon such standards.

d. Many vendors counter the concerns over potential security and operational risk with the argument that the professionals operating SaaS applications may have much better security and redundancy tools available to them. One vendor of SaaS document and process automation has for many years offered a “data-return guarantee” that allows clients to receive their documents and data upon cancellation of service.

e. The objection that SaaS applications pose difficulty for businesses that need extensive customization is countered with the claim that many vendors have made progress with both customization and publication of their programming interfaces. Customization reduces substitutability, and given that SaaS applications are sometimes deployed for non-strategic business activities, the strategic benefit of customization is somewhat questionable.

f. The availability of open-source applications, inexpensive hardware and low-cost bandwidth combine to offer compelling economic reasons for businesses to operate their own software applications, particularly as open-source solutions have increased in quality and become easier to install. SaaS providers can offer a higher level of service and support than most open-source solutions, but the level of that service in any delivery model depends greatly on the orientation of the software vendor. For example, development-centric vendors that are highly technical tend to deliver the lowest level of user support, whether in terms of technical support or implementation. Conversely, companies that are services-oriented tend to offer much more developed plans for technical support, user training, and even supporting services such as data capture, which make the application more usable.

g. Users and purchasers of any SaaS application need to establish strong confidence in the provider of the service, particularly if the application stores the user’s data. This confidence can be enhanced and enforced by a balanced Service Agreement that gives the provider opportunities to correct issues, but within limits that the client can accept. The provider needs to be trusted with both the intention and the ability to safeguard this information. Thus Internet security procedures such as SSL or other encryption technologies should be required by all SaaS consumers.

4. PaaS (Platform as a service):

Delivery of a computing platform and solution stack as a service. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers, providing all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely from the Internet, with no software downloads or installation for developers, IT managers or end users. It is also described as cloud computing, in which dynamically scalable and often virtualized resources are provided as a service over the Internet; users need not have knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them.

April 5, 2009

SVI

Filed under: IOS, VLAN — Tags: , , — Jaycee @ 7:23 pm

1. Layer 2 switchport modes:

a. Access – one Vlan
b. Trunk – multiple Vlans
c. Tunnel – Transparent Layer 2 VPN
d. Dynamic (default is dynamic auto on the 3560, dynamic desirable on the 3550) – trunking is negotiated by DTP

*3560 and 3550 are both Layer-3 switches; routing is turned on with ip routing.

2. Layer 3 Ports:

a. Switched Virtual Interface (SVI) => vlan interfaces
b. Native routed interfaces => Fast Ethernet interfaces

3. Example:

3550# sh run int f0/1
interface FastEthernet0/1
switchport mode dynamic desirable
no ip address
end

3550# sh int f0/1 switchport
Name: Fa0/1
Administrative Mode: dynamic desirable
Switchport: Enable <= running layer 2
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

3550# sh cdp nei
Device ID Local Intrfce Holdtme Capability Platform Port ID
3550 Fas 0/1 172 S I WS-C3550-2 Fas 0/1

3560# sh int f0/5 switchport
Name: Fa0/5
Switchport: Enable
Administrative Mode: dynamic auto
Operational Mode: static access <= dynamic auto waits for the other side to initiate a trunk; it didn’t, so the port fell back to access mode
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On <= via DTP
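The fallback shown above is easy to read off one port, but on a switch with dozens of ports it is worth checking mechanically which ones are still letting DTP decide their role. The following Python script is an added example, not code from the original post. It parses 'show interfaces switchport' output in the format shown above (the sample text is constructed to match that format, not a real capture), flags any port whose trunk or access role is still negotiable, and prints the standard IOS commands that pin the role. The function names and the intended_trunk flag are this example's own.

```python
"""Audit 'show interfaces switchport' output for ports whose trunk/access
role is still decided by DTP negotiation (added example, not from the post)."""

# Constructed sample in the shape of the 3550/3560 output above; not a real capture.
SWITCHPORT_OUTPUT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

Name: Fa0/5
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Name: Fa0/7
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
"""


def parse_switchport(text):
    """Return {port_name: {field: value}} from 'show interfaces switchport' output.
    Each port block starts with a 'Name:' line; blank lines separate ports."""
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def audit_port(fields):
    """Return a list of findings for one port; an empty list means the port's
    role is fixed by configuration rather than by whatever is plugged in."""
    findings = []
    admin = fields.get("Administrative Mode", "")
    oper = fields.get("Operational Mode", "")
    negotiating = fields.get("Negotiation of Trunking", "") == "On"
    if admin.startswith("dynamic"):
        findings.append(f"administrative mode '{admin}': the peer decides whether this link trunks")
    if negotiating:
        findings.append("DTP is running on the port, so a trunk can still be negotiated")
    if admin.startswith("dynamic") and oper == "trunk":
        findings.append("currently trunking only because DTP negotiated it")
    return findings


def audit(text):
    """Audit every port in the output: {port_name: [finding, ...]}."""
    return {port: audit_port(fields) for port, fields in parse_switchport(text).items()}


def remediation(port, intended_trunk=False):
    """Standard IOS switchport commands that fix the port's role and stop DTP.
    'intended_trunk' is this example's own flag: True for a deliberate trunk."""
    mode = "trunk" if intended_trunk else "access"
    return [f"interface {port}", f"switchport mode {mode}", "switchport nonegotiate"]


if __name__ == "__main__":
    for port, findings in audit(SWITCHPORT_OUTPUT).items():
        print(f"{port}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
        if findings:
            print("  suggested config: " + " ; ".join(remediation(port)))
```

Run it against a saved capture instead of the constructed sample by passing the file contents to audit(); for a port that is meant to be a trunk, call remediation(port, intended_trunk=True) so it is pinned as a trunk rather than as access.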

4. Layer 2 Trunking

a. ISL – Cisco proprietary, all traffic tagged with ISL
b. 802.1q – Open standard, “Native” Vlan sent untagged => native vlan has to match on all switches and routers
c. DTP – Dynamic Trunking Protocol

*The goal of configuring VLANs is to separate broadcast domains.

5. Example:

3560# sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/5 desirable n-isl trunking 1
Fa0/6 auto n-isl trunking 1

Port Vlans allowed on trunk
Fa0/1 1-4094
Fa0/5 1-4094 <= no filtering by default: every VLAN is allowed on the trunk
Fa0/6 1-4094

Port Vlans allowed and active in management domain
Fa0/5 1
Fa0/6 1

Port Vlans allowed and active in management domain
Fa0/1 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1 <= forwarding state
Fa0/5 none <= blocking state
Fa0/6 none <= blocking state

3560(config)#int f0/5
3560(config-if)#switchport trunk encapsulation dot1q

3560(config)#sh int trunk | in 802.1q
Fa0/4 auto n-802.1q trunking 1
Fa0/5 desirable n-802.1q trunking 1

*Vlan 1 can’t be removed from the “Vlans allowed on trunk” list.

6. You can tag VLAN 1 (the native VLAN) on 802.1q trunks if other devices do not support untagged traffic:

SW1(config)# vlan dot1q tag native
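To turn the two notes above (no VLAN filtering on a trunk by default, and tagging the native VLAN) into a repeatable check, here is an added Python example that is not part of the original post. It parses 'show interfaces trunk' output in the format shown above together with a running-config fragment; both samples are constructed for this example, not real captures, and the function names are this example's own. It flags trunks that allow every VLAN, trunks whose native VLAN is still VLAN 1, and 802.1q trunks on a switch that has no 'vlan dot1q tag native', and it names the standard IOS commands that address each finding.

```python
"""Audit 'show interfaces trunk' output for trunks that carry every VLAN or
leave native-VLAN frames untagged (added example, not from the post)."""

# Constructed sample in the shape of the 'sh int trunk' output above; not a real capture.
TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/5       desirable    n-802.1q       trunking      1
Fa0/6       auto         n-isl          trunking      1
Fa0/8       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/5       1-4094
Fa0/6       10,20,30-35
Fa0/8       10,20
"""

# Constructed running-config fragments: one without and one with native-VLAN tagging.
RUNNING_CONFIG_NO_TAG = "hostname SW1\n!\nvlan 999\n!\n"
RUNNING_CONFIG_TAGGED = "hostname SW1\n!\nvlan dot1q tag native\nvlan 999\n!\n"


def expand_vlan_list(spec):
    """'10,20,30-35' -> {10, 20, 30, 31, 32, 33, 34, 35}; 'none' -> empty set."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_trunks(text):
    """Return {port: {'mode', 'encap', 'status', 'native' (int), 'allowed' (set)}}.
    Sections of the show output are separated by a blank line; the first word of
    each section header tells us which columns follow."""
    trunks = {}
    for section in text.strip().split("\n\n"):
        header, *rows = section.strip().splitlines()
        if "Native" in header:
            for row in rows:
                port, mode, encap, status, native = row.split()
                trunks[port] = {"mode": mode, "encap": encap, "status": status,
                                "native": int(native), "allowed": set()}
        elif "allowed on trunk" in header:
            for row in rows:
                port, spec = row.split(None, 1)
                trunks.setdefault(port, {})["allowed"] = expand_vlan_list(spec)
    return trunks


def native_tagging_enabled(running_config):
    """True if the global 'vlan dot1q tag native' command is in the running config."""
    return any(line.strip() == "vlan dot1q tag native" for line in running_config.splitlines())


def audit_trunks(trunk_output, running_config):
    """Return {port: [finding, ...]}; an empty list means nothing to review."""
    tagged = native_tagging_enabled(running_config)
    findings = {}
    for port, t in parse_trunks(trunk_output).items():
        issues = []
        if len(t["allowed"]) == 4094:
            issues.append("allowed list is 1-4094: every VLAN crosses this trunk "
                          "(prune with 'switchport trunk allowed vlan <list>')")
        if t["native"] == 1:
            issues.append("native VLAN is 1, the default VLAN untouched access ports sit in "
                          "(move it with 'switchport trunk native vlan <unused-id>')")
        if "802.1q" in t["encap"] and not tagged:
            issues.append("native-VLAN frames leave untagged (enable 'vlan dot1q tag native')")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_trunks(TRUNK_OUTPUT, RUNNING_CONFIG_NO_TAG).items():
        print(f"{port}: {'OK' if not issues else 'REVIEW'}")
        for issue in issues:
            print(f"  - {issue}")
```

ISL trunks are not reported for untagged frames because, as noted in section 4, ISL tags all traffic; the untagged-native finding only applies to 802.1q trunks, and it disappears once 'vlan dot1q tag native' is present in the running config.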
