Cisco

A collection of 43 posts

CCIE

GET VPN (GNS3 Lab)

Group Encrypted Transport (GET) VPN is slightly different and has quite different use cases from more traditional point to point IPSEC VPN where each point to point VPN is quite distinct in its own right. The most import thing to remember at GET VPN is the "G" means

CCIE

DMVPN setup with PSK (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub

640-553 CCNA Security

Disable ASA TCP State tracking (make my ASA a router)

Recently had to use this (useful?) feature to help a customer with an asymmetric traffic flow via an ASA. The ASA would only see the out bound traffic from a host with the return traffic going via an alternative path not visible to the ASA.This simple diagram is an

Cisco

jun2acl (Juniper to Cisco ACL Script)

Recently we've needed to migrate an inherited environment  away from Juniper Junos and onto Cisco IOS. As part of this a lot (!) of old an quite nasty firewall filter config needed to be converted to Cisco ACL style. Unfortunately (maybe for a good reason???) there doesnt already seem

CCIE

EIGRP (Named vs Legacy)

Just a quick look over the basic differences with the newer style of EIGRP config. It really is quite a bit nicer (more logcal?) layout in the config with things like authentication moving under the eigrp config so its easy to see related config under one section of show run

BGP

BGP RTBH setup using exaBGP

In this post I'll describe a basic setup using Cisco IOS, IOS XR and exaBGP that will function as a BGP remotely triggered blackhole (RTBH) allowing you to null route any source/destination prefix. The example topology will be as below: exaBGP by a very nice man called

642-691 BGP+MPLS

Difference between Router Descriptor (RD) and Route Target (RT)

Studying towards the SPEDGE (great word Cisco!) tonight and couldn't quite define exactly Route Descriptors and Route Targets. So lets try First off it might be important (and obvious) to note both RT and RDs will only ever be configured and used on PE nodes! P and CE

Cisco

Generate DSCP marked pings

Today it was useful to confirm a switch was passing DSCP marked packets as expected and handling 'ef' marked packets. To do this on a cisco switch we can use the extended ping feature and set the Type of Service (ToS) to a decimal value that is equivalent

Cisco

SNMP ACL (after community check?!)

Not my usual kind of post of "how to do ...blah" but something I'd come across yesterday that was a little interesting/annoying/silly. Best practice dictates you apply an ACL to your SNMP config so only configured hosts can poll a router/switch even if

Cisco

Connectivity problems to a NAT'd host via a VPN on Cisco IOS

Problem where a client on one side of a VPN tunnel cannot communicate with another host on the other side that has a static nat entry. The host 10.0.0.2 is a mail and web server (tcp/25 & tcp/80) that provides these services to hosts on

ASA

Grab multiple OIDs via SNMPwalk

SNMPWALK is a great too for grabbing SNMP oject identifier values (OIDs). To see how to install it see this post here. Mostly I use it for checking various single OID values but sometimes is can be useful to grab more than one value. SNMPwalk itself doesn't allow

Cisco

Show "free" (not used for a while) ports on Cisco switch with one command

Reasonably common task I come accross is to find free ports on switches (ports that havent been used for sometime). Sometimes its very easy where you can use an NMS or similar to give you a pretty output to show ports and their last input/output. However in my experience

Cisco

Cisco Security Manager logging SDEE messages from IPS in Event viewer

Cisco Security Manager +4 (I was trying 4.0.1 at the time of this post) has an "event viewer" feature thats actually pretty good! It can receive syslog and SDEE messages, parse them and display them in the nice gui for you. Syslog is pretty straight forward

CCNP Security

DMVPN with PKI authentication (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub

802.1x

EAP, EAPOL and EAP types

Extensible Authentication Protocol (EAP) - is a transport mechanism used in 802.1x to authenticate supplicants (hosts/pcs) against a backend server (Radius) via an authenticator (Switch). The first byte of the EAP header contains the code field, this identifies the EAP packet type. The four different codes are shown

Cisco

Cisco (type 7) password decryption and encryption with Perl

I've often seen password decryption tools for the Cisco (type 7) passwords and wondered how they worked. To learn more about that and Perl I thought I'd give it a go :) The short story is it just seems to XOR each character against a value in

ASA

Cisco pipe options and some regex examples

Just a quick post about using the pipe (|) command on Cisco devices to help format the output of any command. Add the pipe to any show command then ? can show the available options. Below is from a 6500. 6509#show run | ? append Append redirected output to URL (URLs supporting append

Cisco

Display the specific port used in an etherchannel for given src/dst info

Etherchannel on Cisco switches uses a hashing algorithm to determine which interface within the bundle to send the data over i.e. The port choice is deterministic and will always be the same unless ports are added to the bundle or the hashing algorithm is changed. It also means that

ASA

Cacti graph template for Cisco ASA VPN sessions (IPSEC, SSL, WEBVPN + Total)

Exported from Cacti 0.8.7e (including all dependencies) and made using a Cisco 5520 ASA running 8.4(1). OIDs used * IPSEC VPN count - .1.3.6.1.4.1.9.9.171.1.3.1.1.0 * SSL VPN count (Anyconnect) - .1.3.6.1.4.

640-553 CCNA Security

Role Based CLI access to Cisco IOS using Views

Just having a play around with role based access and "views". Not a feature I've used much in production. Below we will configure a view that only allows the use of the show interface commands. Then we will configure a use that when logging in via

ASA

Install & configure nfdump with nfsen on Ubuntu server 10.04

This was done using Ubuntu server 10.04 although everything is compiled from source so the commands should be very similar on any linux box. There are also example configs for Cisco ASA 8.2 near the bottom of the post. I was looking for a netflow collector/analyser that

Android

Setting up OpenVPN for Android phone (NAT & ZBFW on Cisco 1801)

I've been looking to get a decent "native" VPN setup on my android phone for a while. There doesn't seem to be native support for IPSEC VPNs terminating on Cisco routers. Long request topic for it [here] although ASA8.4(1) supposedly has support

Cisco

IOS ping with rotating data pattern/payload

Came across an interesting problem where depending on the ping payload the loss would vary quite a bit when being sent over a WAN link. Pings using windows machines were seeing higher loss than from linux boxes. It turns out windows uses a rotation from A-W for its ping payload

640-553 CCNA Security

Simple Zone Based IOS Firewall (GNS3 Lab)

Just a post about the basic config and options of Cisco IOS zone based firewall using the Topology below Grab the initial configs and GNS3 .net file [HERE]. From the initial configs all interfaces have connectivity to each other. First off lets configure the zones and assign each interface to

640-553 CCNA Security

Steps to configure an IPSEC site to site VPN on a Cisco IOS device (GNS3 Lab)

Just some short notes on basic IOS vpns using the topology below as an example. All the configuration examples are for the router Lefty. Grab the GNS3 .net file and initial configs [HERE] if you want to try. The following five steps need to configured in order to create an