Sunday, January 23, 2011

IP SLA: Reachability Configuration


Steps


  1. Create the monitor


     (config)# ip sla monitor <#>

     (config-sla-monitor)# type <type> <options>

      
  2. Schedule the probe


    (config)# ip sla monitor schedule <#> start-time <start> life <life>

       
  3. Configure the track object
     
    (config)# track <#> rtr <#> reachability

       
  4. Apply the tracking in a route-map
     
    (config-route-map)# match ip address <acl>

    (config-route-map)# set ip next-hop verify-availability

     
Verification 
router# sh ip sla statistics

 
Links
http://www.tech-recipes.com/rx/3894/cisco-sla/
Posted by Josh 0 comments

Path Control: Configuration


Steps



  1. Create an ACL to capture interesting traffic


    (config)# ip access-list extended CLIENT1

    (config-ext-nacl)# permit ip host 192.168.1.20 any log

    (config)# ip access-list extended CLIENT2

    (config-ext-nacl)# permit tcp host 192.168.1.21 any eq telnet

    (config-ext-nacl)# permit tcp host 192.168.1.21 any eq 443


  2. Create a route-map utilising the ACL


    (config-route-map)# match ip address <acl>

    (config-route-map)# set ip next-hop <ip>


  3. Enable policy-based routing on an interface

    (config-if)# ip policy route-map <name>

      
    OR
     

    Apply the route map to traffic sourced from the router itself

      
    (config)# ip local policy route-map <name>


Verification

  router# show route-map
Posted by Josh 0 comments

Wednesday, September 29, 2010

Understanding the way OSPF forms neighbours

Open Shortest Path First, in all its glory is a Link State routing protocol that does not only update routing tables with the “lower cost route” or best path to a destination or many, but maintains a full topological database among other features.

OSPF Uses the SPF (Shortest Path First) algorithm developed by Dijkstra and some of its features are that it:

  • Maintains 3 tables (neighbour, topology and routing).
  • Divides networks into multiple areas, and supports summarization to reduce bandwidth and processor utilization.
  • All areas must connect to area 0, unless a Virtual Link is implemented.
  • Supports authentication (in plain text or using M55 hashes).
  • An efficient OSPF domain requires an IP addressing hierarchical design.
  • Uses triggered updates generated by changes in the topology and Link State periodic updates on long intervals (usually every 30 minutes).

But for all of this to happen, OSPF routers must establish a neighbour relationship (except the authentication which takes place during the process of forming the adjacency) with all the other OSPF routers that belong to the same network segment. The process usually takes a few seconds in broadcast shared networks (Ethernet) or Point to Point networks, and a little bit longer on Non Broadcast Multi-access Networks (Frame Relay). However the process is complex and is essential to know the phases and steps that it goes through in order to accurately troubleshoot any issues that might take place when using this protocol.

1. Determine the Router ID

This is the identifier or “name” that the router will have in the OSPF process; there are three ways to determine this parameter:

  •  Manually configured ID (using the router-id command under the OSPF process).
  • Highest loopback interface configured on the router.
  • Highest ip address configured on an “UP” interface.


A manually configured ID is preferred or “beats” the highest loopback or ip address configured on the router during the election, and a loopback is preferred over an ip. It is recommended that you manually set up the ID on your routers. There are several advanced configurations (like the
Virtual Links) that require you to manually enter a neighbor’s router ID. Once the router ID is chosen another election will take place only if the OSPF process is cleared using the clear ip ospf process command from privileged mode, or if the router gets reloaded.


Cisco routers do not reboot very often during production, imagine what could happen if you are running an advanced configuration that depends on one of your neighbor’s ID and it is the highest loopback or ip; you then create a higher loopback for testing purposes on that neighbor and accidentally leave it on your router, once the router gets reloaded or the process cleared the new higher loopback will be elected and your configuration will make no sense at all. This is why Cisco recommends manually configured ID’s. You can view the ID using the show ip protocols command or the show ip ospf <process ID> both from privileged mode.






2. Add interfaces to the Link State Database

Once the Router ID has been defined it is time for OSPF to know which networks will be advertised in the OSPF process and on which interfaces will OSPF be running. This is defined via the network (A.B.C.D + wildcard bits + area) command under the OSPF process (configrouter).

These configurations will be reflected in the show ip protocols command.






3. Send Hello messages on predefined interfaces

Hello messages are the packets that build up and maintain the neighbor relationship; these are periodically sent every 10 seconds on broadcast and Point to Point networks, and every 30 seconds on Non Broadcast Multi-access Networks. After a period of time without receiving hellos on an interface a router takes down the neighbor relationship, this is known as a dead timer and is by default 4 times the hello timer (how often the router sends a hello message).

These timers must match on the routers that are attempting to establish a relationship, are manually configurable (but it is not recommended to do so) and can be viewed by using the show ip ospf interface command.




A router sends these packets on the interfaces that have assigned the addresses that where entered in the OSPF process using the network command. Once a router sends this packet for the very first time it reaches a “down state” that means the local router is waiting to hear back from the router that is to become a neighbor.

4. Receive Hello message

There are several values that must match between 2 routers for them to become neighbors, here is the list:

  •  Area ID
  • Subnet Mask
  • Hello and dead timers
  • Authentication password

The receive hello stage is where all these parameters are checked, and the routers ensure that their future neighbor matches with the local values, and then reaches the init state; you can view the output of these process by issuing the debug ip ospf adj or debug ip ospf events commands.

All of these parameters are manually configurable. If you issue any of the previous debug commands or the show ip ospf neighbor command and you see a relationship bouncing between down state and init state it is because some of these values do not match between your routers, and the relationship will never reach a full state (final stage of the process).




5. Send reply Hello

Routers send hello packets constantly to their neighbors, whenever a hello message is received on a router’s interface after it has reached the init state the router must answer itself a question. Is the router I am receiving this hello message from already my neighbor?

·          If it is, then the router just resets its local dead timer and continues with its full neighbor relationship.
·          If not the router will reach the 2-way state for this future neighbor and will continue in the process of adding this router as a neighbor.



6. Determine Master-Slave status in the relationship

This stage is to determine basically who sends information first, and sets the routers in an exstart state, the information that the routers will be sending is known as a Database Description (DBD) and it’s a small update or summary that includes the networks that are to be advertised in the OSPF process and some information of the router that is sending it.

Each router sends its DBD and looks at the other router’s or routers’ parameter called priority (which is by default 1). The router with the highest priority value will be elected as a MASTER and if there is a tie of priority values the highest router ID wins the election. The priority is a per interface value. You can view this event in real time by issuing the debug ip ospf adj command.



The priority is a manually configurable command, and it can be tuned by using the ip ospf priority command under the desired interface (must be the one connected to the other OSPF running router), highest configurable priority is 255.




7. Database Descriptions acknowledged and reviewed

Once the MASTER and SLAVE statuses are assigned the slave sends the first packet, which is a Link State Request that the MASTER responds with a Link State Update (packet that contains one or many of the 11-type Link State Advertisements). Then the MASTER sends a LSR to the SLAVE that will respond with another LSU. This is known as the loading state or on newer IOS versions exchange state and the routers are basically exchanging all the routing information like remote networks and best way to get to them, within an area (LSAs type 1 and 2) , multiple areas (LSAs type 3) or even another routing protocol domain (redistribution, LSAs type 5).

No need to worry if you issue the show ip ospf neighbor command and you see the relationship in the loading state for a while (usually longer periods on Non Broadcast Multi-access networks), the routers are just exchanging their information and you can confirm that by using the debug ip ospf adj command.




8. Neighbors are synchronized

After the loading or exchange stage is completed the routers reach the full state and neighbor relationship is finally completed, routers are fully synchronized. Behold the output of the entire process courtesy of the debug ip ospf adj command.








POSSIBLE NEIGHBOUR STATES:



Down
This is the initial state of a neighbor conversation. It indicates that there has been no recent information received from the neighbor. On non-broadcast networks, Hello packets may still be sent to "Down" neighbors, although at a reduced frequency (see Section 9.5.1).

Attempt
This state is only valid for neighbors attached to non- broadcast networks. It indicates that no recent information has been received from the neighbor, but that a more concerted effort should be made to contact the neighbor. This is done by sending the neighbor Hello packets at intervals of HelloInterval (see Section 9.5.1).

Init
In this state, an Hello packet has recently been seen from the neighbor. However, bidirectional communication has not yet been established with the neighbor (i.e., the router itself did not appear in the neighbor's Hello packet). All neighbors in this state (or higher) are listed in the Hello packets sent from the associated interface.

2-Way
In this state, communication between the two routers is bidirectional. This has been assured by the operation of the Hello Protocol. This is the most advanced state short of beginning adjacency establishment. The (Backup) Designated Router is selected from the set of neighbors in state 2-Way or greater.

ExStart
This is the first step in creating an adjacency between the two neighboring routers. The goal of this step is to decide which router is the master, and to decide upon the initial DD sequence number. Neighbor conversations in this state or greater are called adjacencies.

Exchange
In this state the router is describing its entire link state database by sending Database Description packets to the neighbor. Each Database Description Packet has a DD sequence number, and is explicitly acknowledged. Only one Database Description Packet is allowed outstanding at any one time. In this state, Link State Request Packets may also be sent asking for the neighbor's more recent advertisements. All adjacencies in Exchange state or greater are used by the flooding procedure. In fact, these adjacencies are fully capable of transmitting and receiving all types of OSPF routing protocol packets.

Loading
In this state, Link State Request packets are sent to the neighbor asking for the more recent advertisements that have been discovered (but not yet received) in the Exchange state.

Full
In this state, the neighboring routers are fully adjacent. These adjacencies will now appear in router links and network links advertisements.
Posted by Josh 0 comments

Sunday, September 26, 2010

Tina Shakour and Jeremy Ciora talk CCVP Certification

Tina Shakour and Jeremy Ciora talk CCVP Certification and Best Practices. They also touch on how to focus your time when going for your CCVP.

Check it out:

Posted by Josh 0 comments

Tuesday, September 21, 2010

networking-forum.com CCNA scholarship offer

If you're not already CCNA certified, how would you like to be? Even better, what if it cost you nothing?

 

What's going on?

networking-forum.com is offering a scholarship to one person who would like to earn a Cisco Certified Network Associate (CCNA) certification. The scholarship will provide the CCNA Official Exam Certification Library, a separate forum specifically dedicated to the candidate for his or her use during their studies with feedback from the site's members, and reimbursement of the exam fees after they pass their exam(s).

How is the recipient chosen?

To qualify for the scholarship, candidates will need to write an essay about why they want to earn their CCNA certification and why they make a good candidate for the scholarship. All essays must be received by October 8th, 2010 and posted in this thread. The essays will be judged by our crack(head) staff and a few prominent members. The recipient will be announced in this thread and notified via a site private message on October 15th, 2010.

Check out the full details, here.
Posted by Josh 0 comments

Monday, September 20, 2010

ASA emulation in GNS3

Normally You need to patch the ASA kernel in Linux to get it working properly, it's a real pain in the butt. If you don't use a patched kernel you cannot use the ASDM, and you will not be able to write to flash (which means no reloads). That said, I've done it previously and have got it working. I wrote up a guide for my co-workers, but you're welcome to try as well.

Here it is:
  1. Grab a copy of the patched files and store them locally, they’re here.
  2. Install GNS3 if you haven’t already. Open it and look under “Edit -> Preferences” then go in to the ‘Qemu’ tab.
  3. Set the ‘initrd’ and ‘kernel’ paths to the files you saved in step 1.
  4. Make sure these ASA settings under ‘Qemu options’ are set to the following:
    5. -hdachs 980,16,32 -vnc :1 auto console=ttyS0,9600 bigphysarea=16384ide1=noprobe Also, make sure your NIC type is set to “pcnet” 
  1. On the ‘General Settings’ tab, make sure you know where your working directory is.

  2. Drag an ASA on to the topology (this creates the working directories)
  3. Browse to the ASA working directory (you checked the location of that in step # 5).
  4. If your ASA is called ‘ASA1’ on the network topology, there will be an “ASA1” folder in the working directory.

  5. Create a FLASH hard drive image using qemu-img.exe
    6. H:\>c:
C:\>cd "Program Files"
C:\Program Files>cd GNS3
C:\Program Files\GNS3>qemu-img.exe create FLASH 256M
Formatting 'FLASH', fmt=raw size=268435456
C:\Program Files\GNS3>
  6. Browse to “C:\Program Files\GNS3” and find your FLASH file.

  7. Copy that file to your “ASA working directory”. If you have more than one ASA on the topology, you’ll need to put a separate ‘FLASH’ file in each directory.



  8. Go back to GNS3, start the ASA and Open the console.
  9. It will stick at a “#” prompt. Just type exit in here.

  10. You should then see
    11. 
          Cisco ASA with  Multiple Security Contexts
          ==============================================

This is your first boot, please wait about 2 minutes for 'disk0' creation
and then execute the following commands inside the Linux prompt:

# cd /mnt/disk0
# /mnt/disk0/lina_monitor

Please note to use the following command under ASA to save your configs:

ciscoasa(config)# boot config disk0:/.private/startup-config
ciscoasa(config)# copy running-config disk0:/.private/startup-config

To get webvpn working, execute the following commands:
 
 ciscoasa# mkdir disk0:/var
 ciscoasa# mkdir disk0:/var/log
 ciscoasa# mkdir disk0:/csco_config
 ciscoasa# mkdir disk0:/csco_config/97
 ciscoasa# mkdir disk0:/csco_config/97/webcontent

Please press Enter to activate this console.
  11. Press enter and you should be back at the “#” prompt.
  12. Enter the following commands:

    13. cd /mnt/disk0
/mnt/disk0/lina_monitor
  13. The ASA should continue to boot, then drop you to the exec mode shell.
    14. 
ciscoasa>
  14. Move to priviledged exec mode and show flash
    15. 
ciscoasa# show flash
--#--  --length--  -----date/time------  path
    6  4096        Jul 26 2010 19:30:14  .private
    7  0           Jul 26 2010 19:30:13  .private/mode.dat
    8  0           Jul 26 2010 19:30:14  .private/DATAFILE
262901760 bytes total (237408256 bytes free)
ciscoasa# show file system

File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
* 262901760   237400064   disk      rw      disk0: flash:
           -           -  disk      rw      disk1:
           -           -  network   rw      tftp:
           -           -  opaque    rw      system:

NOTES

“write memory” doesn’t work unless you’re able to set it to save to slot0: (instead of disk0:)

ciscoasa# wr mem
Building configuration...
Cryptochecksum: 6e33e06b 255d8b92 90c27d70 9f5b4de4

%Error opening disk0:/.private/startup-config (No such file or directory)
Error executing command
[FAILED] 
 
'copy running-config flash:' works however:

ciscoasa# copy run flash:
Source filename [running-config]?

Destination filename [running-config]?
Cryptochecksum: 6e33e06b 255d8b92 90c27d70 9f5b4de4 
 
Maybe use this instead?
ciscoasa# boot config flash:/running-config 
 
ALSO NOTE: ASDM will not work unless you use Fiddler. There IS a work-around for this, but I have yet to bother patching the kernel to support it. For now, you’ll need to use Fiddler.

You can set up the GNS3 topology to route your network traffic through the emulated ASA (do this at home, not work). You should have two clouds for this, one bound to a loopback adapter to emulate your local area connection (inside), and the other cloud bound to your LAN adapter that faces your router (outside).

It should look something like this:


If you wanted; you could even hang a DMZ network off the side:


Also; ASA emulation is pretty slow, I had it running on my E8400 (dual-core 3.6ghz w/ 4GB of RAM) and was only able to manage around 200-250kB/sec throughput.

Obviously it’s even slower if you enable a lot of services (IPS/inspect rules .etc)… Don’t expect to be able to route all your traffic through it.

You should also know there is no such thing as a management (management 0/0) interface on an emulated ASA (only e0/0 – e0/5).
Finally; you can not use the “reload” command. You need to stop and start the ASA to reboot it. This is the case for router emulation as well.

Hope this helps.

Tutorial written September 2010 by Josh (HighFreak1c) for the cisco-networkers.blogspot.com blog.
All rights reserved, no reproduction allowed under any circumstance.
Posted by Josh 0 comments
Subscribe to: Posts (Atom)