Showing posts with label cisco. Show all posts

Cisco ASA in GNS3

January 23, 2017
Here is another tutorial running Cisco ASAv on GNS3 using Qemu.

Configuring GNS3

In my case I used ASAv952-204.qcow2.

Go to GNS3>Edit>Preferences>QEMU>Qemu VMs>New
and follow the on-screen procedure.

Don't forget to enable KVM and to allocate enough memory.



As you can see, ASAv 9.5.2 is now running.

The password is blank.



IOS XR GNS3 QEMU

December 05, 2016
This time let's have a tutorial on running the Cisco XR 9k series router image on GNS3. Please don't ask for the XR image; you are smart enough to get it.

My system configuration:

Ubuntu 16.04
GNS3 1.4
RAM 8Gig
i7 processor

Used XR Image
iosxrv-k9-demo-6.0.1.qcow2

This image was extracted from VIRL.

You need to convert this image into a QEMU image; follow this link.

I strongly recommend running it on a Linux system.

Once you have the converted image, go to GNS3>Edit>Preferences>QEMU>Qemu VMs>New
and follow the on-screen procedure.

Settings for the QEMU XR image:

RAM:- 4Gig
CPU:- 1


Adapters:- at least 4


-enable-kvm




Here you can see the XR running on my system. The interface is up and the system has already booted.



I ran 3 XR routers; here is my system's RAM and CPU usage.



RP/0/0/CPU0:XR3(config)#int gi0/0/0/0
RP/0/0/CPU0:XR3(config-if)#ip add 192.168.13.2 255.255.255.252
RP/0/0/CPU0:XR3(config-if)#commit
RP/0/0/CPU0:XR3#ping 192.168.13.1
Mon Dec  5 14:28:29.088 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/19 ms


Note: Assign the IP on the gi0/0/0/0 interface, but connect e1 to e/1 on your router; otherwise it will not ping.

Enjoy. 




Unit vpnagentd service not loaded.

December 01, 2016
Somebody asked me to run the Cisco EPIC VPN lab test provided by Cisco. I tried it, but the AnyConnect client didn't seem to work on an Ubuntu system. The error message was


How to resolve the issue?

First of all, install the following packages.

sudo apt-get install lib32z1 lib32ncurses5

Then try to install the AnyConnect client. If it still shows the same error message, use the command below.

sudo apt-get install network-manager-openconnect

Reload the unit files with this command:

sudo systemctl daemon-reload

Now AnyConnect should be installed. 




EoMPLS Configuration

March 08, 2016
EoMPLS is a point-to-point L2 VPN service which transports every Ethernet frame received on a particular Ethernet port or VLAN. It is also called Any Transport over MPLS (AToM), meaning the same technology can carry Frame Relay, PPP, Ethernet, ATM, etc.

IOS used
c7200-adventerprisek9-mz.151-4.M

Logical Topology
Make sure MPLS with the IGP is configured as shown in the diagram. I'm not going to configure MPLS here. This tutorial only shows how to configure the xconnect tunnel peer with the customer-facing interface on the other side; in our network diagram we interconnect PE1 fa1/0 with PE2 fa0/0.

Config of PE1

PE1#sh run
Building configuration...

Current configuration : 1337 bytes
!
upgrade fpd auto
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!

ip cef

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.252
 ip ospf 1 area 0
 duplex half
 mpls ip
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 xconnect 3.3.3.3 15 encapsulation mpls
!

router ospf 1


mpls ldp router-id Loopback0 force
======================================
PE1#sh mpls l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Fa1/0          Ethernet                   3.3.3.3         15         DOWN
PE1#
*Mar  8 07:49:39.887: %LDP-5-NBRCHG: LDP Neighbor 3.3.3.3:0 (2) is UP
 
PE1#sh mpls l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Fa1/0          Ethernet                   3.3.3.3         15         UP



PE1#sh mpls l2transport vc detail
Local interface: Fa1/0 up, line protocol up, Ethernet up
  Destination address: 3.3.3.3, VC ID: 15, VC status: up

pc1

PC1> ping 10.10.10.11
84 bytes from 10.10.10.11 icmp_seq=1 ttl=64 time=39.002 ms
84 bytes from 10.10.10.11 icmp_seq=2 ttl=64 time=39.002 ms
84 bytes from 10.10.10.11 icmp_seq=3 ttl=64 time=39.002 ms
84 bytes from 10.10.10.11 icmp_seq=4 ttl=64 time=40.002 ms
84 bytes from 10.10.10.11 icmp_seq=5 ttl=64 time=31.001 ms

PC1> sh ip

NAME        : PC1[1]
IP/MASK     : 10.10.10.10/24
===============================================================

pc2
====
PC2> ping 10.10.10.10
84 bytes from 10.10.10.10 icmp_seq=1 ttl=64 time=40.002 ms
84 bytes from 10.10.10.10 icmp_seq=2 ttl=64 time=40.002 ms
84 bytes from 10.10.10.10 icmp_seq=3 ttl=64 time=41.002 ms
84 bytes from 10.10.10.10 icmp_seq=4 ttl=64 time=59.003 ms
84 bytes from 10.10.10.10 icmp_seq=5 ttl=64 time=41.003 ms

PC2> sh ip

NAME        : PC2[1]
IP/MASK     : 10.10.10.11/24

=================================================================

PE1#sh mpls ldp neighbor all
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.47031
        State: Oper; Msgs sent/rcvd: 36/35; Downstream
        Up time: 00:24:20
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 192.168.12.1
        Addresses bound to peer LDP Ident:
          192.168.12.1    1.1.1.1         192.168.13.1
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.61604 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 21/22; Downstream
        Up time: 00:11:25
        LDP discovery sources:
          Targeted Hello 2.2.2.2 -> 3.3.3.3, active, passive
        Addresses bound to peer LDP Ident:
          3.3.3.3         192.168.13.2

Configuring a Basic MPLS VPN

March 08, 2016
It's been a long time since I blogged, due to some R&D on the network with Juniper boxes. In this tutorial I'm going to configure a very basic MPLS VPN in GNS3. After that we'll go for the EoMPLS configuration.

This is the logical topology for this tutorial.
Here I only post the configuration of one PE; the other routers' configuration is almost the same. Here are the points to remember.

1. Make sure the IGP with MPLS is configured on the PE and P routers; it should not be configured on customer-facing interfaces.
2. Make sure all loopback interfaces are reachable.
3. Configure the VRF with RD and RT, then apply it to the right interface.
4. Configure MP-BGP on the PEs and peer them.
5. Make sure to redistribute the CE IGP into BGP and vice versa.

The commands below can be copied and pasted into your router. Before that, make sure you have changed the necessary values.

Config from PE1

PE1#sh run
Building configuration...

Current configuration : 2126 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
ip cef
ip tcp synwait-time 5
!
!
!
!
ip vrf CustA
 rd 100:1
 route-target export 1:100
 route-target import 1:100
!
no ip domain lookup
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 192.168.11.2 255.255.255.252
 ip ospf 1 area 0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip vrf forwarding CustA
 ip address 192.168.13.1 255.255.255.252
 duplex auto
 speed auto
!
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf CustA
 redistribute bgp 1 metric 1500 2000 200 100 15000
 network 192.168.13.0
 no auto-summary
 autonomous-system 100
 exit-address-family
!
router ospf 1
 log-adjacency-changes
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CustA
 redistribute eigrp 100
 no auto-summary
 no synchronization
 exit-address-family
 =============
CE1#ping 192.168.24.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/70/92 ms

CE1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.13.0/30 is subnetted, 1 subnets
C       192.168.13.0 is directly connected, FastEthernet0/1
     192.168.24.0/30 is subnetted, 1 subnets
D       192.168.24.0 [90/307200] via 192.168.13.1, 00:50:22, FastEthernet0/1
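The five points above are easy to miss when pasting a config, so here is an added example (my own code, not from this post) that lints a PE running-config against them: VRF has an RD and a route-target and is applied to an interface, no `mpls ip`/`ip ospf` on a VRF interface, a neighbor is activated under `address-family vpnv4`, and redistribution exists in both directions. `PE1_CONFIG` is trimmed from the PE1 `sh run` above; the rule wording and the finding messages are this example's own.

```python
# Added example, not the post's code: lint a PE config against the checklist.
# PE1_CONFIG is trimmed from the post's "sh run"; messages are my own wording.
PE1_CONFIG = """
ip vrf CustA
 rd 100:1
 route-target export 1:100
 route-target import 1:100
!
interface FastEthernet0/0
 ip address 192.168.11.2 255.255.255.252
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip vrf forwarding CustA
 ip address 192.168.13.1 255.255.255.252
!
router eigrp 1
 address-family ipv4 vrf CustA
 redistribute bgp 1 metric 1500 2000 200 100 15000
 network 192.168.13.0
 autonomous-system 100
 exit-address-family
!
router bgp 1
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 address-family vpnv4
 neighbor 3.3.3.3 activate
 exit-address-family
 address-family ipv4 vrf CustA
 redistribute eigrp 100
 exit-address-family
"""


def parse_stanzas(config):
    """(header, [children]): an unindented line opens a stanza, indented lines join it."""
    stanzas = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!=":
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(line)
        elif not raw[0].isspace():
            stanzas.append((line, []))
    return stanzas


def af_lines(body):
    """Yield (address-family name or VRF name, line) for lines inside an address-family."""
    af = None
    for line in body:
        w = line.split()
        if w[0] == "address-family":
            af = w[3] if len(w) > 3 and w[2] == "vrf" else w[1]
        elif w[0] == "exit-address-family":
            af = None
        elif af:
            yield af, line


def lint_mpls_vpn(config):
    """Return findings; an empty list means every checklist point is satisfied."""
    found, vrfs, vrf_ifaces = [], {}, {}
    vpnv4_ok, bgp_redist, igp_redist = False, set(), set()
    for header, body in parse_stanzas(config):
        w = header.split()
        if header.startswith("ip vrf "):
            vrfs[w[2]] = body
        elif w[0] == "interface":
            vrf = next((c.split()[3] for c in body if c.startswith("ip vrf forwarding ")), None)
            if vrf:
                vrf_ifaces[w[1]] = vrf
                if any(c.startswith(("mpls ip", "ip ospf")) for c in body):
                    found.append(f"{w[1]}: MPLS/IGP on customer-facing interface")  # point 1
        elif header.startswith("router bgp "):
            for af, line in af_lines(body):
                if af == "vpnv4" and line.startswith("neighbor ") and line.endswith(" activate"):
                    vpnv4_ok = True  # point 4
                elif line.startswith("redistribute "):
                    bgp_redist.add(af)  # point 5: CE IGP -> BGP
        elif w[0] == "router":
            for af, line in af_lines(body):
                if line.startswith("redistribute bgp"):
                    igp_redist.add(af)  # point 5: BGP -> CE IGP
    for vrf, body in vrfs.items():  # point 3
        for keyword in ("rd ", "route-target "):
            if not any(c.startswith(keyword) for c in body):
                found.append(f"vrf {vrf}: missing {keyword.strip()}")
        if vrf not in vrf_ifaces.values():
            found.append(f"vrf {vrf}: not applied to any interface")
        if vrf not in bgp_redist:
            found.append(f"vrf {vrf}: BGP does not redistribute the CE IGP")
        if vrf not in igp_redist:
            found.append(f"vrf {vrf}: CE IGP does not redistribute bgp")
    for iface, vrf in vrf_ifaces.items():
        if vrf not in vrfs:
            found.append(f"{iface}: undefined vrf {vrf}")
    if not vpnv4_ok:
        found.append("router bgp: no neighbor activated under address-family vpnv4")
    return found
```

Running `lint_mpls_vpn(PE1_CONFIG)` on the trimmed config returns an empty list; delete the route-target lines or add `mpls ip` under FastEthernet0/1 and the corresponding finding appears. Point 2 (loopback reachability) is a live check, not a config check, and is deliberately not part of the lint.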


Cisco Protected Port

October 29, 2014
I can see in my network that any customer can communicate with anyone else on the same VLAN. Basically, whenever a frame with an unknown destination enters the switch and the switch finds no record in its CAM table, that frame is flooded to every port of the respective VLAN except the port it arrived on. Such communication can be very dangerous for the service provider and its customers, because anyone can sniff or send traffic to other customers in the same VLAN.

Broadcast packets are also flooded into the network, which can bottleneck it. To protect against this we can configure the switch port as a protected port, so that no protected port can communicate directly with another in the same broadcast domain.

Command:
interface fa0/2
switchport mode access
switchport access vlan 30
switchport protected

This way we can protect users in the same VLAN. A protected port should only be configured on edge ports, not on trunk ports or L3-connected ports. The protected port now prevents any unicast, broadcast or multicast packet from being forwarded to another protected port on the same switch. Traffic between them can still be forwarded through an L3 device such as a router.

How To Configure RSPAN on Cisco Switch

October 08, 2014
Sometimes I need to analyze network traffic from a remote switch, and RSPAN is a lifesaver. Going to the site, capturing the packets and analyzing them is very time consuming. So here is a small tutorial explaining how to capture packets with RSPAN.

SW1 (the remote switch, which is the source of our packets.)

sw1(config)#vlan 444
sw1(config-vlan)#remote-span
sw1(config)#monitor session 1 source interface Fa1/0/1 - 16
sw1(config)#monitor session 1 destination remote vlan 444



SW2 (the destination switch where you are going to sniff the packets sent by the remote switch, in this case sw1.)
sw2(config)#vlan 444
sw2(config-vlan)#name RSPAN_VLAN
sw2(config-vlan)#remote-span

sw2(config)#monitor session 1 destination interface Gi0/17
sw2(config)#monitor session 1 source remote vlan 444

Now you can capture the remote packets on port Gi0/17.

All these tutorials were tested on a Cisco 3750 switch.

Cisco IOS Upgrade

September 30, 2014
All these tasks were done in a production environment. I upgraded the IOS on almost 50 switches in production. In my case I did not remove the working IOS from the 2950 switches. You may run into low flash memory during the upgrade to the new IOS. If that happens, see the bottom of this tutorial, where I explain how to recover some more space for the upgrade.

Step 1:
First of all, create a TFTP server on one of the switches that already has the updated IOS.
sw2(config)#tftp-server c2950-i6k2l2q4-mz.121-22.EA14.bin

Step 2:
Then go to the remote switch where you want to upgrade the IOS to the new version.

sw1#copy tftp: flash:
Address or name of remote host [100.100.255.47]?
Source filename [100.100.255.47]? c2950-i6k2l2q4-mz.121-22.EA14.bin
Destination filename [c2950-i6k2l2q4-mz.121-22.EA14.bin]?
Accessing tftp://100.100.255.47/c2950-i6k2l2q4-mz.121-22.EA14.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA14.bin from 100.100.255.47 (via Vlan2): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 3722814 bytes]

3722814 bytes copied in 143.124 secs (26011 bytes/sec)

Step 3.
Check the copied IOS on the switch.

sw1(config)#do dir flash:
Directory of flash:/

    2  -rwx         864  Mar 01 1993 05:45:31 +05:45  vlan.dat
    3  -rwx       13499  Sep 23 2014 22:17:39 +05:45  config.text
    4  -rwx        1952  Sep 23 2014 22:17:39 +05:45  private-config.text
    5  -rwx     3722112  Mar 01 1993 07:33:24 +05:45  c2950-i6k2l2q4-mz.121-22.EA12
    6  -rwx        5871  Mar 01 1993 06:18:00 +05:45  sw1-config
    7  -rwx          43  Mar 01 1993 07:37:36 +05:45  env_vars
    8  -rwx     3722814  Sep 24 2014 12:30:41 +05:45  c2950-i6k2l2q4-mz.121-22.EA14.bin
  305  -rwx        5168  Mar 01 1993 08:37:25 +05:45  running-config1
  306  -rwx        1048  Sep 23 2014 22:17:39 +05:45  multiple-fs

7741440 bytes total (263680 bytes free)

Step 5.
Verify that the IOS was not corrupted while copying from the remote system to the destination system.

sw1#verify /md5 flash:c2950-i6k2l2q4-mz.121-22.EA14.bin
.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Done!
verify /md5 (flash:c2950-i6k2l2q4-mz.121-22.EA14.bin) = 8d3250ee253b81b7fe2762e281773fbc

Step 6.
Now set the boot system image.

sw1(config)#boot system c2950-i6k2l2q4-mz.121-22.EA14.bin

Step 7.
Write to memory; otherwise your system may not boot from the new IOS, or, if you removed the working IOS, the system may not find any IOS at all.

sw1#wr memory
Building configuration...
[OK]

sw1#reload
System configuration has been modified. Save? [yes/no]: y
Building configuration...
[OK]

Step 8.
Now check that your system booted from the new IOS.

sw1#sh ver | inc image
System image file is "flash:/c2950-i6k2l2q4-mz.121-22.EA14"
Proceed with reload? [confirm]


How to recover extra space on a 2950 switch.

In case you have little space left on the switch: the new IOS is 3722814 bytes and the switch only has 2220544 bytes free. In my case I didn't need the html files, so I deleted them from the switch.
sw1#dir flash:
Directory of flash:/

    2  -rwx     3722112  Apr 08 2013 11:13:12 +05:45  c2950-i6k2l2q4-mz.121-22.EA12
    3  -rwx         796  Mar 01 1993 05:45:28 +05:45  vlan.dat
    4  drwx        4224  Mar 14 2008 11:52:14 +05:45  html
   79  -rwx        1048  Sep 23 2014 17:05:12 +05:45  multiple-fs
   81  -rwx       12534  Sep 23 2014 17:05:12 +05:45  config.text
   83  -rwx        1958  Sep 23 2014 17:05:12 +05:45  private-config.text

7741440 bytes total (2220544 bytes free)

sw1#delete /f /r flash:html
Delete filename [html]? 
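Steps 3 and 5 are the two places where a bad upgrade gets caught: a copy that ran out of flash is shorter than the file you downloaded, and a corrupted or tampered image has a different MD5 from the one published on the vendor's download page. As an added example (my own code, not from this post), the script below parses the switch's `dir flash:` and `verify /md5` output and reports both conditions, plus how many bytes still need freeing before a copy would fit. The sample output is the post's; the expected hash used here is the one the post's own verify reported, standing in for the vendor-published value you would normally compare against.

```python
import hashlib
import re

# Added example, not the post's code: check a copied IOS image for a truncated
# transfer and a hash mismatch using the switch's own "dir flash:" and
# "verify /md5" output. Sample text is taken from the post.
DIR_FLASH = """Directory of flash:/

    2  -rwx         864  Mar 01 1993 05:45:31 +05:45  vlan.dat
    4  drwx        4224  Mar 14 2008 11:52:14 +05:45  html
    5  -rwx     3722112  Mar 01 1993 07:33:24 +05:45  c2950-i6k2l2q4-mz.121-22.EA12
    8  -rwx     3722814  Sep 24 2014 12:30:41 +05:45  c2950-i6k2l2q4-mz.121-22.EA14.bin

7741440 bytes total (263680 bytes free)
"""
VERIFY_MD5 = "verify /md5 (flash:c2950-i6k2l2q4-mz.121-22.EA14.bin) = 8d3250ee253b81b7fe2762e281773fbc"
IMAGE = "c2950-i6k2l2q4-mz.121-22.EA14.bin"

# index, mode, size, date/time, name; the name is the last token on the line
ENTRY_RE = re.compile(r"^\s*\d+\s+[-d]rwx\s+(\d+)\s.*\s(\S+)\s*$")
TOTAL_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")
VERIFY_RE = re.compile(r"verify /md5 \((\S+)\) = ([0-9a-fA-F]{32})")


def parse_dir_flash(text):
    """Return ({name: size}, total_bytes, free_bytes) from 'dir flash:' output."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
            continue
        m = TOTAL_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    return files, total, free


def parse_verify_md5(text):
    """Return (path, digest) from the 'verify /md5 (path) = digest' line."""
    m = VERIFY_RE.search(text)
    if not m:
        raise ValueError("no 'verify /md5' result line found")
    return m.group(1), m.group(2).lower()


def bytes_short(free_bytes, image_size):
    """How many more bytes must be freed before the image fits (0 = it fits)."""
    return max(0, image_size - free_bytes)


def md5_hex(data):
    """Digest of the downloaded file on your workstation, to compare with the vendor's hash."""
    return hashlib.md5(data).hexdigest()


def check_image(dir_text, verify_text, image, expected_size, expected_md5):
    """Return the problems found; an empty list means the copied image is safe to boot."""
    files, _total, _free = parse_dir_flash(dir_text)
    problems = []
    if image not in files:
        problems.append(f"{image} is not in flash:")
    elif files[image] != expected_size:
        problems.append(f"size {files[image]} != expected {expected_size}: truncated copy?")
    path, digest = parse_verify_md5(verify_text)
    if not path.endswith(image):
        problems.append(f"verify output is for {path}, not {image}")
    if digest != expected_md5.lower():
        problems.append("MD5 mismatch: corrupted transfer or not the vendor's file")
    return problems


if __name__ == "__main__":
    print(bytes_short(2220544, 3722814))  # the post's low-flash case
    print(check_image(DIR_FLASH, VERIFY_MD5, IMAGE, 3722814,
                      "8d3250ee253b81b7fe2762e281773fbc"))
```

Run `bytes_short()` against the `dir flash:` output before the copy (the post's 2220544 free bytes fall 1502270 short of the 3722814-byte image), and `check_image()` after `verify /md5`; only boot from the new image when it returns an empty list.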

Recover password Cisco Catalyst Switch 2950/2970

August 21, 2014

Power off the switch. Hold down the Mode button located on the left side of the front panel and reconnect the power cable to the switch. After a few seconds you will see the switch: prompt; release the Mode button when the Status (STAT) LED goes out. (When you release the Mode button, the SYST LED blinks amber.)

1. The following instructions appear:
  The system has been interrupted prior to initializing the
   flash filesystem.  The following commands will initialize
   the flash filesystem, and finish loading the operating
   system software:
       flash_init
       load_helper
       boot
   switch:

2. Now enter the following commands

switch: flash_init
switch: dir flash
switch: rename flash:config.text flash:config.old
switch: boot

3. Enter "n" at the prompt to start the setup program

--- System Configuration Dialog ---
   At any point you may enter a question mark '?' for help.
   Use ctrl-c to abort configuration dialog at any prompt.
   Default settings are in square brackets '[]'.
   Continue with configuration dialog? [yes/no]: n

    !--- Press Return or Enter.
 
    Switch>
 
    !--- The Switch> prompt is displayed.

      switch>en
      switch#

4. Type rename flash:config.old flash:config.text to give the configuration file back its original name.

    Switch#rename flash:config.old flash:config.text
                Destination filename [config.text]
    Switch#

5. Copy the configuration file into memory

       Switch#copy flash:config.text system:running-config

6. Change the password


      Switch#configure terminal
      Switch(config)#no enable secret
      Switch(config)#enable secret Cisco
      Switch(config)#end

7. Write to memory.

          Switch#write memory
                 Building configuration...
                 [OK]
        Switch#

Reset password Cisco Catalyst Switch 2950/2970

August 21, 2014


To reset the password of a 2970 switch, power off the switch, press the MODE button, then power it on; watch the SYS LED and release the Mode button when it glows green. To recover the password instead, click here.

Now you are at the switch: prompt.
switch: flash_init
switch: dir flash:



switch: delete flash:config.text
switch: delete  flash:vlan.dat

 


Now your switch has been reset; you can reconfigure it.

Cisco Switch Doesn't Boot Automatically

June 13, 2014
Recently I encountered a Cisco 3750 switch whose reload put it into the switch: prompt. I tried every possible troubleshooting step, but whenever the switch reloaded it automatically booted into recovery mode.

This happens because manual boot is enabled (set to yes).

test-sw4#sh boot
BOOT path-list:       flash:/c2950-i6k2l2q4-mz.121-22.EA12
Config file:          flash:/config.text
Private Config file:  flash:/private-config.text
Enable Break:         no
Manual Boot:          yes
*************Output Omitted****************

To set the switch to boot automatically, issue the no boot manual command in global configuration mode.

test-sw4(config)#no boot manual ?
  <cr>
test-sw4(config)#no boot manual
test-sw4(config)#end
test-sw4#wr
Building configuration...
[OK]
test-sw4#

Verify the command.

test-sw4#sh boot
BOOT path-list:       flash:/c2950-i6k2l2q4-mz.121-22.EA12
Config file:          flash:/config.text
Private Config file:  flash:/private-config.text
Enable Break:         no
Manual Boot:          no
HELPER path-list:  
*****************Output Omitted****************

Other method
You can also set it from the switch: prompt.
Initially it might look like this (MANUAL_BOOT=yes):
switch: set
BOOT=flash:/c2950-i6k2l2q4-mz.121-22.EA12
MANUAL_BOOT=yes
switch:
Use MANUAL_BOOT=no from the switch: prompt. The command is case sensitive.
switch: MANUAL_BOOT=no





Cisco Access Server Configuration 2511

June 09, 2014
In this lab we learn to configure an access server. For this lab we are going to use a Cisco 2511 router. Before configuring the access server, make sure you have connected the console cable to the router and can access it.

Access_Server#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (IGS-J-L), Version 11.0(18), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 01-Dec-97 17:59 by jaturner
Image text-base: 0x03034C58, data-base: 0x00001000

Access_Server uptime is 3 hours, 45 minutes
System restarted by power-on
System image file is "flash:igs-j-l.110-18", booted via flash

cisco 2511 (68030) processor (revision M) with 14336K/2048K bytes of memory.
Processor board ID 10355024, with hardware revision 00000000
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
 --More--

Command reference
hostname Access_Server
!
enable secret 5 (deleted)
!
username cisco privilege 15 password 7 (deleted)
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 !
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
ip host Sw1 2001 172.16.1.1
ip host Sw2 2002 172.16.1.1
ip host Sw3 2003 172.16.1.1
ip host Sw4 2004 172.16.1.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
line con 0
line 1 16
 transport input all
line aux 0
 transport preferred telnet
 transport input all
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware
line vty 0 4
 no login
ip host: map a static host name to an address (and TCP port)
    ip host (name) [tcp-port-number] [address]
transport input: define the input protocol allowed on the async lines for Telnet
    transport input all

Verify the command
Access_Server>sh ip interface brief
Interface        IP-Address      OK?  Method    Status                 Protocol
Ethernet0        10.10.10.10  YES  manual    up                     up     
Loopback0        172.16.1.1      YES  manual    up                     up     
Serial0          unassigned      YES  not set   administratively down  down   
Serial1          unassigned      YES  not set   administratively down  down   
Access_Server#sh host
Default domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255

Host                     Flags      Age Type   Address(es)
cust215-20.classic.com.np(temp, OK)  0   IP    49.236.215.20
Sw1                      (perm, OK)  0   IP    172.16.1.1
Sw2                      (perm, OK)  3   IP    172.16.1.1
Sw3                      (perm, OK)  3   IP    172.16.1.1
Sw4                      (perm, OK)  3   IP    172.16.1.1
Access_Server#
Troubleshoot:

 Access_Server#sw2
Trying Sw2 (172.16.1.1, 2002)...
% Connection refused by remote host

Access_Server#clear line tty 2
[confirm]
 [OK]
Access_Server#sw2            
Trying Sw2 (172.16.1.1, 2002)... Open

Amnesiac (ttyu0)

login:

Cisco Router a DHCP Server

January 20, 2014
Here is the procedure for running your Cisco router as a DHCP server.

A small topology showing how to configure a DHCP server on a Cisco router.
Now use the following commands to configure the router as a DHCP server, then verify from the PC connected to that interface.


You can copy the following commands and paste them into your router.

******output omitted ********
!
!
!
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool test
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0

Open DNS Recursive Resolver Attack

January 02, 2014
Dear blog reader, a few days back I faced a huge DNS amplification/reflection attack coming from Mikrotik (MT) routers. The attack was organized from different sources towards different destinations.

This attack has also been seen on routers from other vendors, like D-Link DI-1705b, Buffalo, AirLive and Cisco (Cisco Systems, Inc. Firmware: 4608).

The attack is possible because the MT router answers DNS queries arriving on its WAN interface. Apply the following filters on TCP and UDP destination port 53.

 IP>firewall>filter rules
chain=input action=drop protocol=udp in-interface=ether1-WAN dst-port=53
chain=input action=drop protocol=tcp in-interface=ether1-WAN dst-port=53


The same rule can be applied on other routers to block and disable the resolver.

Please note: in-interface should be your WAN port.

How to check whether your IP is being used as an open resolver

Linux command

#dig -t A jpudasaini.com.np @8.8.8.8

Note: replace 8.8.8.8 with your own IP address.
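What `dig` is actually testing is whether your router answers a query that has the RD (recursion desired) bit set with RA (recursion available) and an answer. The following added example (my own code, not from this post) does the same check in Python so the header flags can be read directly, and includes a `probe()` to run against your own router's WAN address; after the drop rule above the expected result is silence on 53/udp. The two reply messages are constructed for this example; the query name is the one the post uses with `dig`.

```python
import socket
import struct

# Added example, not the post's code: the same check as the dig command above,
# done in Python so the response flags can be read directly. OPEN_REPLY and
# REFUSED_REPLY are constructed; run probe() only against your own WAN address.


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """A/IN query with RD (recursion desired) set, as dig sends by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the flags that matter here."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}


def classify(resp, txid):
    """Decide what the reply says about the resolver's exposure."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "ignored: not a response to our query"
    if h["rcode"] == 5:
        return "refused: recursion is closed to this source"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "OPEN RESOLVER: recursion available and the query was answered"
    return "closed: recursion not offered"


def probe(ip, name="jpudasaini.com.np", timeout=2.0):
    """Send one query from this host to ip:53 and classify the reply (or silence)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (ip, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "silent: no answer on 53/udp (what the drop rule above produces)"
    return classify(resp, txid)


# Constructed replies: an open resolver answering with one A record pointing at
# an RFC 5737 documentation address, and a closed one returning REFUSED without RA.
_QUESTION = encode_name("jpudasaini.com.np") + struct.pack("!HH", 1, 1)
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(classify(OPEN_REPLY, 0x1234))
    print(classify(REFUSED_REPLY, 0x1234))
```

Flag values: 0x8180 is QR+RD+RA with RCODE 0 (what an open resolver returns), 0x8105 is QR+RD with RCODE 5 (REFUSED). A router that is closed from the WAN should either not answer at all or return REFUSED; anything classified as OPEN RESOLVER is usable for the reflection attack described above.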


Rapid Spanning Tree Protocol

October 09, 2013
You may wonder why we need RSTP. Go back to my previous blog post where I wrote how STP works and its port states. Now we are going to talk about RSTP. Let's learn about it, and you'll see why we need it.

Recall my previous theory: as we already know, STP was created a very long time ago and has the following problems converging a link.

1. Listening: 15s of listening for BPDUs. The switch sends/receives BPDUs in this state.
2. Learning: 15s of learning MAC addresses, populating the switch CAM table.
3. Forwarding: the port is forwarding traffic.
4. Blocking: the switch waits up to 20s before moving a blocked port into the listening phase, because this is the time the switch waits in case the primary link comes back.

The STP port states take a minimum of 30s and a maximum of 50s to bring a link up. Every switch has to pass through this process when it boots or when the topology converges.

STP downtime is the biggest problem for today's networks.

STP has problems, but we also have solutions!

Port Fast:

PortFast disables Spanning Tree on the port. When you type this command on an interface it displays a warning message like this



because it can't really detect the kind of node mentioned in the warning message. Just enable the command, unplug the cable and plug it back in; the show command confirms that the port transitions immediately into forwarding state, because PortFast is now enabled.

You can enable PortFast on all ports connected to end nodes, which lets them become active immediately.
Switch(config)#int range fa0/2-24
Switch(config-if-range)#spanning-tree portfast
****output omitted****
On the other hand we have a problem with the uplinks. We can't enable PortFast on the uplink ports, as you can see in the warning message, and 50s of downtime causes big problems for our network. So there has to be another solution, and you have already heard of it: RSTP. Rapid Spanning Tree is very fast and very good; RSTP gives us faster convergence, which is what we need. Think about VoIP: dropping even one packet isn't tolerable. Other transfers like file transfers can be retransmitted, but voice can't. Real-time transmission needs a link with no loss.

Some of you are still using UplinkFast or BackboneFast; those won't work if you have switches from vendors other than Cisco, since they are Cisco proprietary. The RSTP standard lets switches from all vendors participate, which speeds things up. RSTP is very good, as you can see in your network.

RSTP port states


Discarding: the replacement for STP's blocking state, which we studied before. It means taking down layer 2 connectivity and not sending out any traffic.
Learning: exactly like STP's learning state; it is the process of learning which MAC addresses are on that port. Without it the switch just acts like a hub, forwarding every packet to every port.
Forwarding: also like the STP port state; forwarding means not blocking any traffic.

Port roles

Root port: the way to reach the root bridge.
Designated port: all root bridge ports are designated ports. On other switches, the one with the lower priority or lower MAC address is elected designated; the other switch should block the traffic.
Alternate port: instead of the blocking state in STP, where all ports have to be re-elected and the network takes 50s of downtime, RSTP remembers that port as an alternate port to reach the Root Bridge. If the root port fails, it immediately turns into forwarding state, so it doesn't have to wait 50s.
Edge port: a PortFast port is an edge port, where a non-switch device or host is connected. We use the portfast command to tell the switch it is an edge port.

Why RSTP is better

a. RSTP doesn't forget its ports, unlike STP, which re-elects when the primary link is down.

b. It doesn't spend the extra time STP does, like listening for BPDUs and the blocking penalty.

c. If a change happens on a trunk port, it floods each network with TC packets, where TC means topology change. Those are part of the BPDUs.

Understanding STP Ports States

June 19, 2013
Hello friends, here is another article about STP. In this article I try to explain switch port status and how we recognize port status, as well as Root ID and Bridge ID, and which MAC address STP uses to elect the Root Bridge. I hope this article is useful for understanding Spanning Tree Protocol, and at the end I try to explain why we need RSTP. I'll post another article about RSTP in the coming days.

As I already explained in my previous article about STP Root Bridge election, we can see that S1, which has the lowest MAC address, wins the Root Bridge; let's verify and check the status of the switch ports.
Looking at the picture above, for VLAN0001 we have the Root ID and the Bridge ID. The Root ID holds all information about the Root Bridge: S2 knows which switch is the Root Bridge and that its outgoing port is Fa1/1, which is the Root Port, directly connected to the RB. The Root Bridge has priority 32769, MAC 000D.BD2D.6BD9, and the cost to reach the Root is 19.

The Bridge ID is information about S2 itself: the normal priority 32768 plus the VLAN number 1, and S2's own MAC address, 0030.F24E.C5A1.

Looking at the interfaces: Fa1/1 is the Root port and its status is forwarding; it is directly connected to the RB. Fa2/1 is connected to the PC, which does not participate in STP, and Fa0/1 is connected to S0 and is also in forwarding state.

Let's look at S1 and check its status.
From the picture, the output of S1 shows the Root ID information for VLAN0001: priority 32769, MAC address 000D.BD2D.6BD9, "This bridge is the root". You can see that the Root ID and Bridge ID information are the same, because this is the Root Bridge for this network. All of its ports are designated and in forwarding state; the root always has all its ports designated and none in blocking state.
Now look at the S0 information: Fa0/1 is the Root port, directly connected and forwarding. Fa1/1 is in blocking state because S0 has the highest MAC address, and this prevents the loop in the network.
From the topology in the picture, we are now going to change the root: we make S2 the root bridge. Let's see the status of S2.
The command to change the STP root bridge can be seen in the screenshots above.
switch#conf t
switch(config)#spanning-tree vlan 1 root primary
switch(config)#end
switch#show spanning-tree 

All its ports became designated; this bridge is now the root. After the change S2 became the root, and now S0 has the worst MAC address, so S0 fa0/1 is in blocking state. Take a look at the priority: it changed to a lower value, 24577, in steps of 4096. This is the basic configuration of Spanning Tree.

Now consider this scenario: the primary link is down. How long does STP take to bring the secondary link online, how long does it take to change the path? Your phone is ringing; everyone is asking what is going on, why is the link down?
This happens because STP was created a long time ago, when nobody cared about 30 to 60s of downtime in the network. Now the situation has changed; people don't expect even a second of downtime.

We can observe this on a Cisco switch: whenever you plug a cable into a Cisco switch you see the amber LED blinking; this is STP, which is enabled by default on Cisco switches. When the port comes up it is in listening state for 15s, then spends 15s in learning, then goes to forwarding; and if the port goes into blocking state it stays down for 20s, because it waits in case the primary link comes back online. We have a 50s network outage to find out that our primary link is down. This is not acceptable for today's networks; that's why RSTP is handy.

Per VLAN Spanning Tree

June 03, 2013

All modern Cisco switches support PVST. As the name indicates, Per-VLAN Spanning Tree adds the VLAN number to the priority in the BPDU header. e.g., the default priority is 32768; if you run VLAN 10 on your switch then the new priority is 32778. The result is one Root Bridge per VLAN. If your network has multiple VLANs then you have one Root Bridge for each VLAN. If you don't change anything, by default the same switch will be elected Root Bridge for every single VLAN.


In the diagram above we have VLAN 10 and 20 running on switches that are trunked to each other. With two VLANs we have two completely separate Spanning Tree instances running, and the trunk link carries both VLAN 10 and 20. We already discussed that the default priority is 32768, so the new priority is 32778 for VLAN 10 and 32788 for VLAN 20. If so, it's all tied: VLAN 10 only talks to VLAN 10 and VLAN 20 only to its own instance, and they end up electing the same switch as Root Bridge for both VLANs. In the topology above Switch4 wins the Root Bridge election, probably because it has the lowest MAC address, and Switch1's port Fa1/1 is blocked. This blocks the upper side of the network, which would be the primary link if we left everything at the defaults. If we tune the priority, Switch1 wins the root for VLAN 20 and Switch3 for VLAN 10. Now we have two separate Root Bridges.


On the topology, if a VLAN 10 packet wants to traverse the network it uses the Switch3 path, and VLAN 20 uses the Switch1 path, because Switch3 blocks one port for VLAN 20 and Switch1 blocks one for VLAN 10. That means VLAN 10 traffic doesn't go through Switch1 and VLAN 20 traffic doesn't go through Switch3. This load-balances the links effectively.

Spanning Tree Electing Root Bridge

June 02, 2013
Per-VLAN Spanning Tree Concepts

Let's begin with how Spanning Tree works in an enterprise network. From the figure we can identify which switch will be the root bridge, and configure which switch we want to be the root bridge in our network.

Let's start with the default state of Spanning Tree, using a real-world example. We have a 3-tier enterprise network: the top switch is the access layer, directly connected to the users; in the middle is distribution, then the core switch; at the bottom are the server farm switches. We don't change anything, so every switch has the same priority and the MAC addresses are as shown. Now guess who will be the Root Bridge.

Obviously switch0, because it has the lowest MAC address. That access-layer switch becomes the Root Bridge. Do we want that switch to be the Root Bridge in our network? No, we don't: it isn't the center of the network.


Remember that every switch finds the best way to reach the Root Bridge and blocks all other redundant links. The switches treat the root as the center of the network, and each selects its root port as the lowest-cost path to reach the Root Bridge.

Switch2's directly connected port becomes the Root Port because it is a 100M link with cost 19. Just like Switch2, Switch3, Switch4 and the others also elect a Root Port, and all the ports left over are blocked.

Okay, let's remove the blocked ports and look at the network. That's what the real topology of the switches looks like. The problem is which links got blocked: e.g. the major distribution link (Switch3 to Switch2) has been cut off, and the core link (Switch4 to Switch2) has been cut off as well, which is exactly what we don't want.


The distribution switch has a flood of traffic that is forwarded to the Root Bridge, right up to the limit where the network congests, and that access switch might be a low-performance, lower-quality model like a Catalyst 2900XL. It may have 100M links that definitely can't handle so much traffic coming from the distribution switch, so it becomes the bottleneck of the entire network. Everything appears to work, the switch LEDs are blinking green, but users feel it is slow because of congestion on the link. A ton of traffic coming from the distribution switch can crash the Root Bridge, and that could take the complete network down for 10 to 30 or more, depending on how big the network is. That happens because a bad Root Bridge was elected; so which switch should have been the Root Bridge?

The answer is that the core switches in the network should be the Root Bridge. Then everybody finds the best way to reach the Root Bridge and blocks the other redundant links. That's the right way to configure Spanning Tree: make sure you lower the priority so the core switch wins the Root Bridge election; don't let the MAC address break the tie between the switches.

Spanning Tree Protocol

May 31, 2013
What is STP?
Spanning Tree Protocol was created to prevent loops in a redundant network.

What is BPDU?

Switches send "probes" into the network called Bridge Protocol Data Units (BPDUs) to discover loops. Every switch in the network forwards those probes on, flipping them through all the switches and checking out every single link. Actually it's a multicast packet. If there is redundancy in the network the switch gets its own BPDU back, so the switches know there is a redundant link in the network, and then work to find it. That's the goal of the BPDU.

What is ROOT Bridge?

BPDUs also help elect the Root Bridge. By default the STP election picks the oldest switch in the network as the root bridge. All switches then find the best way to reach the Root Bridge, and every other path that isn't the fastest way to the root ends up being blocked, which disables the redundancy in the network.

BPDU and Elections?

BPDUs are sent once every two seconds out of every single port. This is how a switch identifies that its primary link has gone down and tries to find a backup link to the root bridge. e.g. imagine Switch0 sends its "probes"; Switch1 and Switch2 forward these probes, and Switch1 and Switch2 now know there is a Switch0 in the network. When the "probes" get back to Switch0, it knows there is a loop in the network. When a switch finds a loop, it goes into the election process.

Every BPDU packet has two major fields:
-Priority
-MAC Address

The priority is a value between 0 and 61440; the default is 32768. You can't set the priority to a value such as 1 or 9; it has to be set in increments of 4096, because only 4 bits of the priority field are reserved for the priority, and with 4 bits you can't represent 61440 distinct values. By default every switch has the same priority, so every switch ties on priority and the tie goes to the MAC address: whoever has the lower MAC address is elected root bridge, which breaks the tie between the switches. In the diagram switch1 is lower than switch2 and switch2 is lower than switch0, so switch1 wins the election. The lower the MAC address, the older the switch, because manufacturers started producing switches with the first MAC addresses and went higher and higher, so newer switches have higher MAC addresses.

All switches know each other, see the same priority and each other's MAC address, and so also know that switch1 has the lowest MAC address. Switch1 wins the root bridge election and becomes the core switch of the network; the other switches lose the election. The Root Bridge never blocks a port; all its ports are considered forwarding or designated ports. The other switches find the best way to get to that root bridge: they calculate the link cost to reach the Root Bridge (a Fast Ethernet 100M link has cost 19) and work out which path has the lowest cost. So on switch2 and switch0 the port directly connected to the Root Bridge becomes the root port, the best way to get to the root. Here is a tip: whenever you run a show command on a switch and see a root port, don't be fooled, that switch isn't the Root Bridge. If the switch has a root port it can't be the root bridge, because it is going out that port to reach the Root Bridge.

There is one designated (forwarding) port per link, so the Root Bridge has all designated ports, switch2 has one root port and one designated port, and the other side of that link, on switch0, is blocked. You may wonder why switch0 blocks the port and not switch2: it is because switch0 has the higher MAC address.

How does STP measure the best path?

-Elect the root.
-Each switch finds the lowest-cost path to the root.

Link Bandwidth    STP cost
4Mbps             250
10Mbps            100
16Mbps            62
45Mbps            39
100Mbps           19
155Mbps           14
622Mbps           6
1Gbps             4
10Gbps            2

You may wonder what happens if the cost ties.
In that case the switch uses the lower Bridge ID. The Bridge ID is the priority plus the MAC address. Switches broadcast their Bridge ID, and whoever has the lower Bridge ID is preferred as the best path to reach the root bridge; the other path may be blocked.

If two switches are connected with two crossover cables, in that scenario the lower port number breaks the tie. That means the lower port stays unblocked and the higher port is blocked as the redundant one.
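As an added example (not from the original posts) in Python, the election and root-port rules described above, and the PVST priority arithmetic from the Per VLAN Spanning Tree post, carried through on a constructed three-switch triangle: the bridge ID is priority plus VLAN number and MAC address, the priority must be a multiple of 4096, the lowest bridge ID becomes root, and each other switch picks the lowest-cost path from the cost table, breaking ties on the upstream bridge ID and then the port. Switch names, MAC addresses and port names are made up.

```python
import heapq

# IEEE 802.1D STP port costs from the table on the page (Mbps -> cost)
STP_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14,
            622: 6, 1000: 4, 10000: 2}

def bridge_id(priority, vlan, mac):
    """PVST bridge ID (priority + VLAN number, MAC); the lower tuple wins."""
    # only 4 bits of the 16-bit field are priority bits, hence steps of 4096
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, mac.lower())

def elect_root(switches, vlan):
    """switches: {name: (priority, mac)} -> root bridge name for this VLAN."""
    return min(switches, key=lambda s: bridge_id(switches[s][0], vlan, switches[s][1]))

def root_ports(switches, links, vlan):
    """links: [(sw_a, port_a, sw_b, port_b, mbps)] -> {non-root switch: (root port, cost)}."""
    root = elect_root(switches, vlan)
    bid = lambda s: bridge_id(switches[s][0], vlan, switches[s][1])
    adj = {s: [] for s in switches}
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, pb, STP_COST[mbps]))  # (neighbour, neighbour's port, cost)
        adj[b].append((a, pa, STP_COST[mbps]))
    # Dijkstra from the root; the key mirrors STP root-port tie-breaking:
    # lowest path cost, then lowest upstream bridge ID, then lowest local port
    best = {root: (0, bid(root), "")}
    heap = [best[root] + (root,)]
    while heap:
        *key, s = heapq.heappop(heap)
        if tuple(key) > best[s]:
            continue  # stale entry
        for nbr, nbr_port, cost in adj[s]:
            cand = (key[0] + cost, bid(s), nbr_port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, cand + (nbr,))
    return {s: (port, cost) for s, (cost, _, port) in best.items() if s != root}

# Constructed triangle like the post's figure: switch1 has the lowest MAC,
# switch0 the highest, every link is Fast Ethernet (cost 19)
SWITCHES = {"switch0": (32768, "000d.bd2d.9999"),
            "switch1": (32768, "000d.bd2d.0001"),
            "switch2": (32768, "000d.bd2d.5555")}
LINKS = [("switch1", "Fa0/1", "switch2", "Fa0/1", 100),
         ("switch1", "Fa0/2", "switch0", "Fa0/1", 100),
         ("switch2", "Fa0/2", "switch0", "Fa0/2", 100)]
```

Lowering switch0 to 24576 (what `root primary` did on the page, giving 24577 for VLAN 1) moves the root and the root ports without touching the MAC tie-break.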

Configure SSH Cisco

May 23, 2013
Make sure the target router is running a Cisco IOS Release 12.1(1)T image or later to support SSH.

Before continuing with this task, don't forget to change the hostname of the router.

R1(config)#ip domain-name jpudasaini.com.np
R1(config)# crypto key generate rsa

The name for the keys will be: R1.jpudasaini.com.np
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]: 768
% Generating 768 bit RSA keys, keys will be non-exportable...[ok]

R1(config)#ip ssh time-out 60
R1(config)#ip ssh authentication-retries 3
R1(config)#username jayaram secret cisco
R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)# exit

After this configuration you can log in with:
R1#ssh -l <login name> -v <ssh version, 1 or 2> <remote server name or address>
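As an added example that is not part of the original post, here is a small Python check that reads a saved IOS running-config and reports where it drifts from the settings above: domain name present for the RSA key, SSH timeout and retry limit set, a local `username ... secret` account, and `transport input ssh` on every vty range. The config excerpt, hostname, domain and password hash are constructed placeholders.

```python
import re

# Constructed running-config excerpt (not from any real device): the second
# vty range still allows telnet and the retry limit was never configured
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.invalid
ip ssh time-out 60
username jayaram secret 5 $1$placeholder-hash$
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def audit_ssh_config(config):
    """Return findings for an IOS config; [] means it matches the post's setup."""
    lines = config.splitlines()
    findings = []
    for prefix, why in [("ip domain-name ", "RSA key generation needs a domain name"),
                        ("ip ssh time-out ", "SSH negotiation timeout not set"),
                        ("ip ssh authentication-retries ", "login retry limit not set")]:
        if not any(l.startswith(prefix) for l in lines):
            findings.append(f"missing '{prefix.strip()}': {why}")
    if not any(re.match(r"username \S+( privilege \d+)? secret ", l) for l in lines):
        findings.append("no local 'username ... secret' account for SSH login")
    # walk every 'line vty' block; each must carry 'transport input ssh' only
    block = transport = None
    for l in lines + ["end"]:              # sentinel flushes the last block
        if block and not l.startswith(" "):
            if transport != "ssh":
                findings.append(f"{block}: transport input is {transport!r}, expected 'ssh'")
            block = None
        if l.startswith("line vty "):
            block, transport = l, "not set"
        elif block and l.strip().startswith("transport input "):
            transport = l.strip()[len("transport input "):]
    return findings

# The same excerpt with the two gaps closed, for comparison
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ip ssh time-out 60\n", "ip ssh time-out 60\nip ssh authentication-retries 3\n"
).replace("transport input telnet ssh", "transport input ssh")
```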