Category Archives: Networking

Its all about Networking

How to configure OSPF Totally Stubby Area in Cisco Routers- Series 1?

In this series of posts lets configure OSPF Totally Stubby Area, but before proceeding further let’s summarise the below topology

OSPF Totally Stubby Area
  1. Two OSPF Areas Area 0 and Area 5
  2. R1, R2 and R4 are part of Area 0 and OSPF is configured on the directly connected links on each router ( R1 – R2 link , R1-R4 link)
  3. R4 has four loop back interfaces  loopback 1 (10.0.1.1) , loopback 2 (10.0.2.2) ,loopback 3 (10.0.3.3) and loopback 4 (10.0.4.4) ,these loopback interfaces networks are redistributed into OSPF
  4. R2-R3 are part of Area 5, R2 happened to be a ABR
  5. OSPF Area 5 is configured on the interfaces connected between R2-R3.

Currently Area 5 is a normal area and its not been configured as a totally stubby area,  R2 installs the R4 loopback interface networks as Type 5 LSA and forward the same to Area 5

We can see from the below snap shot R2 received R4 loopback networks as Type 5 LSAs and the routes are installed as Type 2 External OSPF routes, also we could see the interface connecting R1-R4 are also advertised as Type 3 LSA

R2 - R4 route
R2 - type 5

R3 sees R4 loopback interfaces network as Type 5 LSA and R1-R4 , R1-R2 links network 192.168.14.0/29 , 192.168.12.0/29  as Type 3 LSAs

R3 LSA table

In next post, let’s see by what impact Area 5 will have especially after configuring it as  OSPF Totally Stubby Area.

Introduction to Cisco port security and the reasons to implement

A growing challenge facing network administrators is determining how to control who can access the organization’s internal network—and who can’t. For example, can anyone walk into campus LAN , plug in a laptop, and access the network? You might argue that the wall jack has no connection to a switch, but couldn’t someone just pull the Ethernet cable from a working PC and connect to the network that way?

You might think this an unlikely scenario, but it does happen. For example a salesmen coming in to demo products, and they would just pull the Ethernet jack off a PC and connect it to their laptop, hoping to get Internet access.

I turned to switch port security to help solve the problem. Let’s look at how we can use Cisco’s Port Security feature to protect our organization.

Understand the basics
In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send a SNMP trap to their network monitoring solution that the port’s disabled for security reasons. When using port security, we can prevent devices from accessing the network, which increases security.

Benefits to port Securty
The key benefits of Port Security are:
•Network Availability – Reduce campus wide network outages caused by broadcast storms by blocking non standard hubs and switches.
•Network Reliability – Network port bandwidth can be guaranteed if limited to one MAC address. Bandwidth can’t be guaranteed if other network devices are sharing the network port.
•DHCP Availability – Reduce the risk of over subscription of DHCP IP Address per VLAN by limiting one MAC address per port.
•Network Security – Limiting one MAC address per switch port is an attack mitigation strategy. Stops CAM tables flooding attacks forcing the switch into repeater mode. Tools like macof can be used for this type of attack.
•Future Proofing – The implementation of port authentication at the edge of the network (802.1x) will also limit user to one MAC address per port.

Applying Cisco Security Features to Solve Common Problems

Sample Configuration for port security
Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security Interface Mode command. Here’s an example:

Switch)# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)#^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.

Know your options
As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.
switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).
switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Of course, you can also configure port security on a range of ports. Here’s an example:
Switch)# config t
Switch(config)# int range fastEthernet 0/1 – 24
Switch(config-if)# switchport port-security
However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

View the status of port security
Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command’s output:
Switch# show port-security address
Secure Mac Address Table
——————————————————————-
Vlan Mac Address Type Ports Remaining Age
(mins)
—- ———– —- —– ————-
1 0004.00d5.285d SecureDynamic Fa0/18 –
——————————————————————-
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0

Switch#

How to configure Cisco VIRL – VMMaestro to use SecureCRT as an external telnet and SSH Client?

Cisco VIRL comes with an internal SSH and Telnet client which is quite good and it opens all the SSH and telnet sessions within VMMaestro GUI, but if someone wants to use Secure CRT on  their MAC as an external client, one can easily configure the changes in VIRL VMMaestro,

VMMaestro-1

Terminal>Cisco Terminal

Step 1

Change the title format to : %s

Step 2

Select : Use external terminal applications

Step3

Use the following fields show below

Telnet command:/Applications/SecureCRT.app/contents/MacOS/SecureCRT
Telnet arguments:/T /N %t /TELNET %h %p
SSH Command:/Applications/SecureCRT.app/contents/MacOS/SecureCRT
SSH arguments:/T /N %t /TELNET %h %p
VMMaestro-2

By doing these minor changes you can use Secure CRT to SSH or Telnet VIRL Devices

telnet VIRL
VIRL telnet 1

What is the OSPF Stub Area?

We all know OSPF as routing protocol is one of the most widely used IGP protocol, OSPF happens to be the most scalable IGP protocol. OSPF also happens to be one of the complex protocols as it deals with various concepts and terminologies. One such a topic where people get confused is OSPF Area types.

I will try to simplify them and present them in an easy language, I am not going to reinvent the wheel, as one can find plenty of resources for OSPF.

What is a OSPF Stub Area ?

OSPF Stub Area basically filters out information of an OSPF database purely based on the LSA types, Basically, an ABR  in a Stub Area prevents LSA type 5 to be flooded into a Stub Area, it removes Type 5 LSA  and replaces them with a default route which is a Type 3 LSA.  To simplify  ABR creates a default route using LSA 3, listing a  0.0.0.0 with a subnet mask  0.0.0.0 and flood the same into the stub area. By using Stub Area feature one can reduce the CPU utilization of a Router.

OSPF Stub Area

From the above scenario, we can see Type 3 LSA is exchanged between Area 0 and 5, however, when a Type 5 LSA reaches R2 which is an ABR, it will strip External LSAs  (Type 5 LSAs) and replace them with a default route towards the Router R3.

OSPF Stub Area is configured in Cisco Routers using an IOS command

router ospf 1

area 5 stub

In the upcoming post, let’s see how to configure OSPF stub area in Cisco Routers, we will build a sample topology using Cisco VIRL.

Cisco ASA VPN troubleshooting  – Decaps but No encaps

Recently we observed a strange issue while building a site to site VPN tunnel between a Cisco ASA [9.1( 5) ] and Palo Alto Next Generation firewall.(PAN-OS 7.0.9) It was observed always phase 1 part of tunnel established successfully with peer however phase 2 failed to come up.

Always we were seeing issues with encapsulation, the packets sent were never encapsulated, however the packets received from remote peers were de capsulated, this means  the ASA was not encrypting the data. The below logs demonstrates the error,

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 74

We did a through troubleshooting and we ensured the following ay both ends of the firewalls

  • Ensure both the firewalls have an appropriate route for the interesting traffic / proxy id
  • Ensured the ACL / Policies are matched
  • Ensured NAT configuration is done properly as were using source based NATTing at both the end.
  • Ensured proper debugging is done at both ends,
  • Involved vendors to see what the issue was

Upon through troubleshooting it was discovered the ASA was hitting a bug CSCuo58411

This bug basically creates duplicate entries in tunnel manger and one could see from the below logs

IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638

IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

The work around worked for us to fix this issue, was to upgrade the ASA from 9.1(5) to 9.5(3)6 . The other recommended work around to fix this issue is

Issue “debug menu ike-common 10” to remove the stale IKEv2 entries (this will delete all current IKEv2 connections)

How to ace F5 – 201 TMOS administration certification exam?

In order to be  a F5 Certified BIG-IP Administrator , one must pass two exams

  • Exam 101 – Application Delivery Fundamentals
  • Exam 201 – TMOS Administration

Upon passing Exam 101 Application Delivery Fundaments he/she becomes eligible to take Exam 201 TMOS Administrator provided he /she appears for Exam 201 in two years time. Unless one passes both of these exams one cannot expect any certificate from F5.  Upon passing 201 Exam F5 issues a F5 Certified BIG-IP Administrator which can be downloaded from F5certification portal

f5-certification-graphic

Courtesy: F5

Recently I was successful in passing F5 BIG-IP 201 exam and now I am a F5 Certified BIG-IP Administrator.  When it comes to F5 exams they are quite challenging but at the same time they are straight forward.  By having good hands on experience with BIG-IP Appliance and reading the recommended resources provided by F5 one could ace this exam.

When it comes to preparation of any certification exams the main thing one always look for is the right resource, for F5 BIG-IP 201 exam there are few but quite awesome recourses available. By using them one can certainly ace the exam. There is no single dedicated book one can find for this exam however the resources available in form of study guides, videos courses and practice labs are more than enough for F5 BIG-IP 201 exam preparations.

The first thing one should have a right determination and clear vision to ace this exam as this needs good amount of dedication and time, the main resources one depend for the preparation for this exam are available from F5. F5 offers a study guide 201-TMOS Administration V2 for free which any one can download from their portal.

This study guide is very brief in nature and it covers all the topics of blue print of the F5 BIG-IP 201 exam,  the great thing about this guide it comes with lots of hyperlinks for the various topics covered. One should give a good attention to those hyperlinks and read and practice them.

The second great resource available is from F5 University  the recommended training are

  • Getting Started with F5 products
  • LTM Essentials

These videos are quite helpful in understanding the concepts and F5 terminologies, the video courses are presented in very simple manner and  quite rich in information . The content of these videos and the quiz presented after each module/topic are quite informative and relevant from exam perspective.

Thirdly the F5 Training labs which are free comes with great work books and one can get good hands on experience on F5 BIG-IP Appliances, the labs presented are so good that one can really master how to administrator BIG-IP Appliance LTM module.

Apart from using the F5 training labs , I built a virtual lab on my Mac book using F5 Big IP Virtual Appliance with 90 days trail license.

The great thing about F5 is the free resources provided by them are quite good and more than enough to nail the F5 exams , however one need to give details to minute little details like the TMSH commands usages, events generated by BIG-IP Appliance, the led status etc.

How to set up an F5 BIG-IP LTM Virtual lab on VMware Fusion?

After passing the F5 201 – TMOS Administration Exam, some of the professional friends were keen to know how to build an F5 practice lab on their personnel machines.

In this post we will walk through how to build a virtual lab for F5 201 – TMOS Administration Exam on macOS Sierra step-by-step.

We will be using the following topology to built an F5 Virtual lab so that one can practice for their 201 – TMOS Administration Exam. Before starting please ensure VMware Fusion is installed on macOS Sierra

figure-1-f5-ltm-topology

Fig 1 – F5 BIG-IP LTM Toplogy

We will be using four VMWare networks for this lab, by default “vmnet” is created so we need to create three more VMware networks.

  • vmnet2
  • vmnet3
  • vmnet4

The IP Address mapping and functions of VMware networks will be as follow:

figure-2-ip-address-schema

Step 1: Launch VMware fusion and then select preferences

figure-3-vmware-fusion

Step 2: Click the Icon Network and click lock icon to make changes

figure-4-network


Step 3 : Select + icon to add a custom network named vmnet 2 and assign the Subnet IP 172.16.1.0 and Subnet Mask 255.255.255.0. This will be the internal network. Also ensure to select the following checkbox

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP
figure-5-add-custom-network
figure-6-vmnet2


Step 4: Select + icon to add a custom network named vmnet 3 and assign the Subnet IP 172.16.2.0 and Subnet Mask 255.255.255.0. This will be the HA network. Also ensure to select the following checkbox

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP
figure-7-vmnet3


Step 4: Select + icon to add a custom network named vmnet 4 and assign the Subnet IP 10.1.0.0 and Subnet Mask 255.255.255.0. This will be the management network. Also ensure to select the following checkbox

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP
figure-8-vmnet4

Step 5:  Log into F5 Website and request a free trail version of BIP-IP virtual edition

figure-9-free-trail-of-big-ip-ve

Step 6: Once an email is received from F5 with BIG-IP registration key download the BIG-IP VE System VMware Image, since the F5 201 – TMOS Administration Exam is based on TMOS version of 11.4 we will be downloading a BIG -IP V 11.4 – Virtual Edition for our labs. Download an OVA file for  VMware ESX/i Server v4.1-5.1 as its compatible with VMware fusion.

figure-10-big-ip-ve-image


Step 7-a: Import the BIG-IP VE System VMware Image VMware Fusion >File > Import

figure-11-import-big-ip


Step 7 – b: Click Choose File

figure-12-choose-file

Step 7 – c: Navigate to the folder where the BIG-IP VE System VMware Image was downloaded and select BIGIP-11.4.0.2384.0-scsi.ova image file and then click open

Click Continue to import the BIG-IP VE System VMware Image

figure-13-big-ip


Step 7 – d: Name the new virtual machine with the desired name and then click save

figure-14-save-big-ip

Step 7 – e: Accept the license agreements

figure-15-accept-license

Step 8: Once the import is completed, click finish and then click Customize Settings to configure the Network settings, if needed one can customize memory, CPU and Hard disk settings

figure-16-finish

Step 9-a: Customize Network Adapter setting to match the topology you are using.

In our case we will match to our topology

figure-17-network-adaptors

Step 9-b: Map Network Adapter to the vmnet4 network as this will be assigned to the management interface of BIG-IP Virtual Appliance

figure-18-network-adaptor

Step 9-c: Map Network Adapter 2 to the Bridge Networking Interface (in our case Network Adapter 2 will be bridged to the Wi-Fi adapter which is connected to the external network 192.168.1.0/24)

figure-19-network-adaptor2

Step 9-d: Map Network Adapter 3 to the vmnet2 network as this will be assigned to the internal interface of BIG-IP Virtual Appliance

figure-19-network-adaptor3

Step 9-e: Map Network Adapter 4 to the vmnet3 network as this will be assigned to the HA l interface of BIG-IP Virtual Appliance

figure-19-network-adaptor4

By following above steps one could a build a F5 BIG-IP LTM lab on their laptop using VMware Fusion. In upcoming post we will see how to do an initial configuration on F5 BIG-IP Virtual Edition to run F5 201 – TMOS Administration Exam labs on their laptops.

What is Cisco Champion program?

After being selected as Cisco Champion 2017, often people asked what is Cisco Champion? Some of them don’t know what Cisco Champion Program offers and what benefits they can avail be becoming a Cisco Champion.

ciscochampion2017-250

Cisco Champion Program was started by Cisco Systems with an aim to create and nurture a group of people ( Cisco geeks) who are highly influential IT technical experts, who enjoy sharing their knowledge , expertise, ideas and thoughts in innovative way across the social web be it in the form of blogs, supporting the online community by answering their queries  or with Cisco

The Cisco Champion program is open all the individuals who are either 18 years in age or older with following qualities

  • Is active on social media
  • Expresses balanced view of Cisco
  • Has Cisco-related expertise
  • Has overall expertise in IT industry
  • Chooses to actively participated in conversations relevant to Cisco and the IT industry

One can either nominate himself/ herself to Cisco Champion Program at the end of year calendar year or their peers can nominate them. Generally the nominations begins after October and cover wide variety following main interest areas

Read more…….

How to reset the Cisco Iron Port Appliance to factory default settings?

Resetting the Cisco Iron Port C370 appliance is an easy task.

In order to reset the Cisco Iron Port C 370 appliance either we need a console or ssh access (telnet access will also do).

Step 1

Log into Cisco Iron Port C370 appliance either console or shh.

C370step1]

Step 2

Suspend the Cisco Iron Port C370 appliance as without suspending the appliance we cannot reset it.

So used the “suspend” command to suspend the appliance

c370step2

Step 3

Use the command “resetconfig”to reset the Cisco Iron Port C370 appliance

For further details read more……………………………..

 

Multiple Cisco Products are affected by OSPF LSA Manipulation Vulnerability

The recent security advisory suggests that multiple Cisco products are affected by a vulnerability involving the Open Shortest Path Frist (OSPF) Routing Protocol Link State Advertisement (LSA) database. With the help of this vulnerability an unauthenticated attacker can take control of the OSPF Autonomous System (AS) domain routing table, backhole traffic and intercept traffic. Which could cause a huge damage to the attacked network.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability. Read More…………………..