Aug 3

Topology:

dhcp_nat

Scenario:

The Host in the 192.168.0.0/24 network should get its IP address from a DHCP server.

Relay is the default router for the Host, but doesn’t have a DHCP service running. It will pass any DHCP requests from it’ f1/0 interface to the DHCP server that has DHCP pools configured on it, using the “ip helper-addres” command.

Between the DHCP router and the Relay router there is a public network, but behind Relay, there is a private network (Host is part of that network).  Relay will use NAT with overload (PAT) to service the private network.

Relay uses DHCP as it’s default route to the Internet, but DHCP doesn’t know about the private network in which Host is in (private networks shoudn’t be permitted to be accessed from the Internet).

Configurations:

DHCP:

ip dhcp pool DHCP_POOL
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1

interface FastEthernet0/0
ip address 200.0.0.1 255.255.255.0

Relay:

interface FastEthernet0/0
ip address 200.0.0.100 255.255.255.0
ip nat outside

interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
ip helper-address 200.0.0.1
ip nat inside

ip nat inside source list NAT_HOSTS interface FastEthernet0/0 overload

ip access-list standard NAT_HOSTS
permit 192.168.0.0 0.0.0.255

Host:

interface FastEthernet1/0
ip address dhcp

Problem:

Relay will receive a DHCP request (broadcast) on F1/0 interface. Because of the “ip helper-address“, Relay will transform the request from broadcast to unicast and send it to the DHCP router. The  DHCP request will reach the router, it will assign  an IP from the pool, but the reply will never reach Host.

Explenation:

Using “debug ip dhcp server events“, “debug ip dhcp server packet” and “debug ip packet“, we can find out the problem.

The first thing that could come to mind is the fapt that if Relay receives a packet on F1/0 interface (192.168.0.1) it will send an unicast message with the source IP address of that interface and a destination address of the ip-helper server. This is not true. The relayed request is considered to be generated by the local router (Relay). This means that the source IP address of the relayed request is that of the outgoing interface to the DHCP Server. Here is the debug ip packet output:

*Mar  1 02:33:23.127: IP: tableid=0, s=200.0.0.100 (FastEthernet0/0), d=200.0.0. 1 (FastEthernet0/0), routed via RIB

If  the source address of the IP packet does not have an IP address from the 192.168.0.0/24 network, how does the DHCP Server know from witch pool to give out a free address. The answer is a field in the DHCP protocol, called GIADDR (Gateway IP Address). The value of this field will be the IP address of the interface in the private network.

The problem is that after the DHCP server chooses an IP from the pool, it will reply to the unicast request, with another unicast packet that has the destination IP the GIADDR, not the source address of the request. The output from debug ip dhcp server events:

*Mar  1 03:13:33.719: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d 63.6330.322e.3035.6230.2e30.3031.302d.4661.312f.30 through relay 192.168.0.1.
*Mar  1 03:13:33.731: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d63.6330.322e.3035.6230.2e30.3031.302d.4661.312f.30 (192.168.0.2).
*Mar  1 03:13:33.731: DHCPD: unicasting BOOTREPLY for client cc02.05b0.0010 to relay 192.168.0.1

The DHCP router doesn’t know about the 192.168.0.0/24 network because that is a private network behind a NAT.

A solution to the situation is to add a static route on the DHCP router to the private network. But this would ruin the purpose of NAT. A better solution is to avoid the scenario by design (still, the situation could come up in lab environments and you should now know why it behaves the way it does)

Jul 23

Anti-lockout best practice

Posted by Alex Juncu

ACL are usually configured for firewall configurations, for traffic filtering. When configuring ACLs, careful planing should be made so that in the moment when you are applying an ACL, things get filtered exactly the way you want it. In a lab environment tests can be made and if somethings doesn’t work right, you can start over. But in a live network router, filtering the wrong traffic could cause network outages.

If you are connected to the router via telnet or ssh (most likely in productions routers) it is very easy to lock yourself out of the router by denying the telnet or ssh traffic on an interface between you to that router. This is mostly because how IOS works. Any commands given in IOS are instantly commited to the live configuration. And, for example, if you make a configuration with an ACL and you forget about the implicit deny any (any) and you also forget to permit the telnet/ssh traffic, you might find yourself with the router not responding to any input after you apply the rules. It might take a while to figure out that you can’t access the router anymore and need to get physically to its location and either reload it or  use the console port to remove the ACL from the running-config.

One way of avoiding this is to schedule an automated reload in 10-15 minutes, while you are configuring, From enable mode issue the command:

#reload in MINUTES

This will reload the router after the specified number of minutes. It will ensure that if you lock yourself out, the router will revert back to the working startup-config. If the configuration was applied successfully, you can cancel the scheduled reload with the command

#reload cancel

http://www.youtube.com/watch?v=SMWi7CLoZ2Q
Jul 18

Frame Relay Switching

Posted by Alex Juncu

Frame Relay is still very much a popular subject in exams, labs and in the real networks.

Any lab with topologies that run different protocols over FR must start with the layer 2 configuration of the Frame Relay switched network. FR Topologies like full mesh or hub and spoke require a Frame Relay Switch. A FR Switch is a normal router but specifically configured to do Frame Relay switching.

First of all, we need to tell the router to start switching Frame Relay traffic. From global configuration mode we need to issue the frame-relay switching command.

Then, on the interfaces to Frame Relay clients, we need to start sending keepalives (LMIs) by configuring the interface as DCE with the frame-relay intf-type dce command.

The last thing that the FR Switch needs to do is to route DLCI on the virtual cicuits. This is done to tell an interface where to put a received frame with a DLCI. The frame will be put on another interface with another DLCI.  The configuration is done per interface with the frame-relay route command. The command requires that you specify the incoming  DLCI, on which the switching decision will be maide, the outgoing interface, and the DLCI with which the frame will be sent (”freame-relay route IN_DLCI OUT_INT OUT_DLCI”).

If Inverse ARP is not disabled on the FR Switch, no DLCI-IP mappings will be required.

Topology:

fr_sw

Configuration:

R1(config)#int s0/0
R1(config-if)#no shut
R1(config-if)#encapsulation frame-relay
R1(config-if)#clock rate 128000
R1(config-if)#ip address 10.1.2.1 255.255.255.0

R2(config)#int s0/0
R2(config-if)#no shut
R2(config-if)#encapsulation frame-relay
R2(config-if)#clock rate 128000
R2(config-if)#ip address 10.1.2.2 255.255.255.0

FR-Sw(config)#frame-relay switching
FR-Sw(config)#int s0/1
FR-Sw(config-if)#no shut
FR-Sw(config-if)#clock rate 128000
FR-Sw(config-if)#encapsulation frame-relay
FR-Sw(config-if)#frame-relay intf-type dce
FR-Sw(config-if)#frame-relay route 102 interface s0/0 201
FR-Sw(config-if)#int s0/0
FR-Sw(config-if)#no shut
FR-Sw(config-if)#clock rate 128000
FR-Sw(config-if)#encapsulation frame-relay
FR-Sw(config-if)#frame-relay intf-type dce
FR-Sw(config-if)#frame-relay route 201 interface s0/1 102


Running Configurations:

R1:

interface Serial0/0
ip address 10.1.2.1 255.255.255.0
encapsulation frame-relay
clockrate 128000
no fair-queue
end

R2:

interface Serial0/0
ip address 10.1.2.2 255.255.255.0
encapsulation frame-relay
clockrate 128000
no fair-queue
end

FR-Sw:

interface Serial0/0
no ip address
encapsulation frame-relay
no fair-queue
frame-relay intf-type dce
frame-relay route 201 interface Serial0/1 102
end

interface Serial0/1
no ip address
encapsulation frame-relay
frame-relay intf-type dce
frame-relay route 102 interface Serial0/0 201
end

Jul 18

Back-to-back Frame Relay

Posted by Alex Juncu

This is the simplest use of a Frame Relay encapsulation and it’s between two routers, without a Frame Relay Switch. PPP or HDLC would make more sense to use in these types of links, but it is useful in labs.

In a back-to-back scenario is important to remember what the FR Switch should be doing: being the DCE and sending the keepalives to maintain the layer 2 link to the client router. Because of the fact that no FR Switch is present, the lack of keepalives being sent must be ignored using the “no keepalive” command. Also, Inverse ARP won’t work, so manual IP-DLCI mapping will be needed.

The FR Switch should be the one doing swapping of DLCIs on the network so the frames arrive at their destination with the correctly mapped DLCIs. In this case, we will need to have the same DLCI set in the manual mapping so the routers match entries in the mappings.

The topology:

fr_b2b

Configuration:

R1(config)#int s0/1
R1(config-if)#no shut
R1(config-if)#clock rate 128000
R1(config-if)#ip address 10.1.2.1 255.255.255.0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 10.1.2.2 42
R1(config-if)#no keepalive

R2(config)#int s0/1
R2(config-if)#no shut
R2(config-if)#clock rate 128000
R2(config-if)#ip address 10.1.2.2 255.255.255.0
R2(config-if)#encapsulation frame-relay
R2(config-if)#frame-relay map ip 10.1.2.1 42
R2(config-if)#no keepalive

Running configurations:

R1:

interface Serial0/1
ip address 10.1.2.1 255.255.255.0
encapsulation frame-relay
no keepalive
clockrate 128000
frame-relay map ip 10.1.2.2 42
end

R2:

interface Serial0/1
ip address 10.1.2.2 255.255.255.0
encapsulation frame-relay
no keepalive
frame-relay map ip 10.1.2.1 42
end

Jun 11

Basic packet crafting

Posted by Dragos Draghicescu

Ok, this will be a short one :) . I just want to raise attention on how can one bypass an extended (or standard) ACL (or access-list).

So, for this example, i have one router with an IP address of 10.10.10.2, which can be accessed only by the admin, only from 20.20.20.20. That is done with an inbound ACL, put on the egress interface of the router. Looks like this:

Extended IP access list 111
20 permit ip host 20.20.20.20 host 10.10.10.2 log

There is a little problem with spoofing: the return traffic has to be routed back to the attacker. But everything will work just fine if you happen to be in the same network with the admin (you can achieve bidirectional communication). In case the attack is done over the Internet, there is still the possibility of a DOS (Denial Of Service), by sending tons of packets that will be accepted. I assumed another thing: your ISP does not check for the source of the packets (DOS attacks are less frequent if that simple measure is taken).

For the demonstration, i chose a well-known packet crafter named HPING3. It allows one to customize a packet at different layers and it`s well documented, but for now we will only use a fraction of it`s power:

$ sudo hping3 -S 10.10.10.2 -a 20.20.20.20

The result could be:

*Mar 1 05:52:01.702: %SEC-6-IPACCESSLOGP:
list 111 permitted tcp 20.20.20.20(0) -> 10.10.10.2(0), 360 packets

To check the amount of pings, you can issue the command “show ip traffic | section ICMP“. You can “clear ip traffic” before that.

Despite this, ACLs are still adding a serious amount of security to your network. But in front of a determined attacker, one should do more than that in order to have a healthy network.

Mar 25

Output manipulation in Cisco IOS

Posted by Alex Juncu

One of the things that make Command Line Interfaces, like Bash, very efficient for administration is the output manipulation with piping and redirecting. Cisco IOS has most of the Bash equivalent modifiers, and administrators that know how to work with them can do things much more faster… this can make the difference in a lab exam or in the real world. Most show commands support this features and depending on the IOS, you have more or less features.

The usual “show run” command prints a large output, from which you need only a few lines. You can only scroll down with space and enter (the the Linux more command). If you are searching for a keyword in the running config, you can go to the line that contains the string using the slash key, like in vim or more or less in Linux. So, “/KEYWORD” after running the show command, while scrolling, will take you to the wanted line.

If you want from the output just some lines, you can filter them, just like piping the output to grep in Linux. You can use the ” | ” after the show command to see how you can filter (be careful, there is a space before and after the |). To print just the lines that have a keywork, use “ | include KEYWORD“, and to print all lines except the ones what have the keyword, use “ | exclude KEYWORD“. If you want to print out all output starting with a line that contains a keyword until the end of the lines, use “ | begin KEYWORD“.

Taking advantage of the hierarchical structure of the running config, you can print out just a section of the output. For example, “show run | section   router ospf 1” will list the configuration for the OSPF process 1 and “show run | section interface Serial0/0” will print the configuration for the specified interface. Be careful, this is case sensitive and you need to mach the case of the line in the running config (”Serial 0/0″ will work, “serial 0/0″ won’t).

Redirection into a file is also possible. “show run | redirect flash:run” will put the contents of the running config into a file called ‘run’ in flash memory. This is similar to the “>” operand in Bash. Using redirect, the content of the target file will be replaced. You can append to the file (like “>>” in Bash) with “ | append FILE“.  “ | tee FILE” works like redirect, but it also prints the output to the screen.

Regular expressions are also supported. If you like to print from the routing table, the routes received from RIP, you can filter with “show ip route | include R” and the routes from EIGRP with  “show ip route | include D”. But you can do this in one line, filtering with both conditions, with “show ip route | include [RD]“.

Slightly off topic, but good to know, is how to stop output. For example, traceroute to an unreachable location, will try 30 hops before it stops, and this might take a long time. To break the action hit the key combination “Ctrl+Shift+6“.

Nov 11

Simple topology: two routers, connected via a (serial) link, each with a loopback interface configured on it.

Loopback 0 on R1 has the IP 2001:A::1/64 and Loopback 0 on R2 has the IP 2001:B::1/64.  We want to make R1 aware of the 2001:B::0/64 network and R2 aware of the 2001:A::0/64 network. RIPng would be the the easiest way of doing that.

First we need to enable IPv6 unicast routing, and then start the RIP process on the interfaces.

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router rip SIMPLE_RIP
R1(config)#interface lo0
R1(config-if)#ipv6 address 2001:A::1/64
R1(config-if)#ipv6 rip SIMPLE_RIP enable

R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router rip SIMPLE_RIP
R2(config)#interface lo0
R2(config-if)#ipv6 address 2001:B::1/64
R2(config-if)#ipv6 rip SIMPLE_RIP enable

We also need to activate the RIP process on the transit link and make the interface IPv6 enabled.

R1(config)#interface s0/1/1

R1(config-if)#ipv6 rip SIMPLE_RIP enable

R1(config-if)#ipv6 enable

R2(config)#interface s0/1/1

R2(config-if)#ipv6 enable

R2(config-if)#ipv6 rip SIMPLE_RIP enable

As it can be noticed, we haven’t configured a global IPv6 address on the interface, yet, RIP will do it’s job.

R2#sh ipv6 route
IPv6 Routing Table – 5 entries
Codes: C – Connected, L – Local, S – Static, R – RIP, B – BGP
U – Per-user Static route
I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
O – OSPF intra, OI – OSPF inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
D – EIGRP, EX – EIGRP external
R   2001:A::/64 [120/2]
via FE80::219:E8FF:FEF2:8F3A, Serial0/1/1

C   2001:B::/64 [0/0]
via ::, Loopback0
L   2001:B::1/128 [0/0]
via ::, Loopback0
L   FE80::/10 [0/0]
via ::, Null0
L   FF00::/8 [0/0]
via ::, Null0

The reason why it works, it’s a link local address, which is automatically configured once you turn on IPv6 on the interface. If the command “(config-if)#ipv6 enable” would have been missing, there would have been no exchange of routes.

Let us now analyze a possible misconfiguration. Let’s configure a global address on the link. What first comes to mind is IPv4 rule that stated that the serial interface of each router has to be configured in the same broadcast domain.  We will configure the serial interface on R1 with 2001:C::1/64 and serial interface on R2 with 2001:D::1/64 (clearly in different subnets).

R1#show ipv6 interface serial 0/1/1
Serial0/1/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::219:E8FF:FEF2:8F3A
No Virtual link-local address(es):
Global unicast address(es):
2001:C::1, subnet is 2001:C::/64

R2#show ipv6 interface serial 0/1/1
Serial0/1/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE2A:2118
No Virtual link-local address(es):
Global unicast address(es):
2001:D::1, subnet is 2001:D::/64

Even if we don’t have the two routers in the same subnet from the global address perspective, they are in the same broadcast domain from the link local address point of view. The traffic will still be routed via the link local address, because it’s actually “closer”.

R   2001:A::/64 [120/2]
via FE80::219:E8FF:FEF2:8F3A, Serial0/1/1

So, if your routes are flowing when you are thinking that they shouldn’t, you might want to remember the link local address.

Thanks go out to BogdanD for help with case study.

Nov 8

To lower broadcast traffic in our network or for some extra security we use Virtual LANs. Cisco switches can be configured with Ethernet VLAN IDs ranging from 1 to 1001 and, with the extended VLANs, from 1006 to 4096. For trunking, we can use the IEEE 802.1Q (dot1q) protocol that can support the extended VLANs (1-4096).

The fisrt important rule of implementing VLANs in a network tells us that a switch won’t forward a frame from a VLAN if it does not know about that VLAN. All the switches in a network need to know about all the VLANs regardless of the fact that they have or not local access ports in those VLANs. So, we need to go to every switch and configure all the VLAN IDs, or we could use VTP (VLAN Trunking Protocol), Cisco’s proprietary protocol that automatically configures network-wide all the VLANs. Remember, VTP is on by default, in Server mode.

But the use of VTP can sometimes lead to unexpected behavior on the switch. Most common is when you try to reset your switch and you delete the running-config and the flash:vlan.dat, reload the IOS and find all your VLANs still there. If you have VTP configured in your network (without authentication), upon boot-up, the switch will get the VLAN information from it’s VTP neighbors, the reason being that the default configuration is Server mode. The solution would be to set the switch in Transparent mode and delete the VLANs.

The configuration of VTP Transparent mode causes another strange exception. As we are have studied in CCNA, the vlan.dat file in flash holds the VLAN information for a switch, not the running-config in NVRAM. This is not true when dealing with Transparent mode. If the switch is in VTP transparent mode, the VLAN information IS stored in running-config. So, if you configure vtp mode transparent, configure some VLANs, delete the vlan.dat and reboot, you will find the VLANs still there.

One more situation where VLANs are stored in running-config is when we use extended VLANs. Regardless of VTP mode, if we configure a VLAN with an ID greater than 1006, it will be stored as an entry in running-config. Extended VLANs will NOT be carried through VTP, so it makes sense not to store them in vlan.dat, because the switch will try to synchronize the file with the VTP information.

Nov 4

In labs we use reverse telnet to access our equipment (as in “routers and switches”) directly into console. To make things a little bit easier for our students we created a web page with “telnet://” links pointing directly to each router/switch.
That should be enough to solve all those pesky little questions like “what was that address again ?”. And it is. At least when the computer used by our students is running Windows. But we do have a little problem because all our computers in the lab are running Ubuntu. And Firefox. And it appears that Firefox in Ubuntu doesn’t know how to handle “telnet://” links.

I solved the problem by installing Opera browser and add the telnet handler in Opera. Or even better, install Opera and Putty and use Putty to handle “telnet://”. But the problem with Firefox kept bugging me and even if I’m lazy i knew that it became personal.
So I started to search the allmighty internet. I found out that I can add telnet protocol in user prefs in Firefox. But it didn’t work. So I kept searching and finally I’ved put the bits and pieces together and solved the problem. Here it goes.

First thing to do is to tell Firefox that we WANT to use telnet:// links. To do that we must open Firefox and type “about:config” in address bar. And we create a new boolean preference (right click on an empty space), name it “network.protocol-handler.expose.telnet” and set the value “false” and restart the browser. That should be enough for Firefox to let us select an external application to open “telnet://” links.
From this point forward we can choose the easy way and choose putty or the hard way and use gnome-terminal/xterm/konsole. The “hard way” because telnet in terminal doesn’t know how to handle “address:port” format. So how should we do that ? Simple, we create a shell script and we use that script as the default application to open “telnet://” links in Firefox.

The script is pretty easy :


#!/bin/sh

address=`echo ${*##telnet://} | sed 's/:/ /g'`

#For xterm junkies :
xterm -e "telnet $address"

#For gnome-terminal users :
#uncomment the next line but comment
#all other terminal launchers (xterm, konsole)
#gnome-terminal -e "telnet $address"

#For konsole hipsters :
#konsole sends args separately to command so we use "" only for telnet
#uncomment the next line but comment
#all other terminal launchers (gnome-terminal, xterm)
#konsole -e "telnet" $address

And voila, sit back, relax and enjoy a cold beer…

Nov 4

Networking is sometimes hard not because of the concepts that you need to apply, but because of the difference in implementation of some protocols on the equipment. For example, the default settings for DTP differ from one switch model to the next.

DTP (Dynamic Trunking Protocol) is used to negotiate a trunk link between two switches. From the DTP point of view, a port can be ‘desirable‘ (it will actively try to negotiate a  trunk), ‘auto‘ (it will form a trunk if the other side wants to be a trunk) and ‘non-negotiate‘ (port will not negotiate the link). The reason for this protocol is to have a working access or trunk link immediately after you connect the switch to the network.   Most of the combinations are:

  • auto – auto => access
  • auto – desirable => trunk
  • desirable-desirable => trunk
  • auto – trunk => trunk
  • auto – access => access
  • desirable – trunk => trunk
  • desirable – access => access

What you should pay attention to is the default setting of a port on different switch models. On a 2950 (Layer 2 switch) and a 3550 (Layer 3 switch), a port is, before any configurations, in desirable. If you connect two of these switches, you will have a trunk link formed. On the other hand, on a 2960 or a 3560, a port is in auto, so between these models, you will have an access port (by default, in VLAN 1). Even more problems could arrive when you have in a network switches of different models. If you connect a 2960 and a 2950, because the first is in auto and the second  is in desirable, a trunk link will be negotiated, so you should be careful when dealing with these kinds of situations.