Angel's Blog

CIsco: Aironet 1242G Autonomos AP Configuration

Cisco 1242G Access Point Configuration (AIR-LAP1242G-A-K9), Image: c1240-k9w7-mx.124-21a.JA1 Autonomous AP

/*reset everything*/
ap#write erase
ap#reload
ap>en
Password: Cisco //default password
ap#

/*configure AP's ip address*/
ap#config t
ap(config)#interface BVI1 
ap(config-if)#ip address 192.168.0.100 255.255.255.0
ap(config-if)#no shut

/*other stuff*/
ap(config)#ip name-server 4.2.2.2 8.8.8.8
ap(config)#ip default-gateway 192.168.0.1
ap(config)#ip domain name example.com

/* configure ssid */
ap(config)#dot11 ssid 1242G
ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2
ap(config-ssid)#wpa-psk ascii 123456789 // psk
ap(config-ssid)#guest-mode  //broadcasts ssid

/* associate ssid 1242G to the radio*/
ap(config)#interface dot11radio 0
ap(config-if)#encryption mode ciphers aes-ccm
ap(config-if)#ssid 1242G

/*ssh config*/
ap(config)#crypto key generate rsa  //chose 1024
ap(config)#aaa new-model 
ap(config)#aaa authentication login default local //use local database
ap(config)#username admin password admin

/*defaults http password*/
admin/Cisco

ASA (8.0): Natting inside hosts using outside interface (NAT overload in router lingo)

All hosts in 192.168.1.0/24 will be seen with source 172.16.1.192 in the internet. May also be known as PAT.

interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.192 255.255.255.0

interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

//bonus: configure dns client in asa
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8

Minicom: Connecting to Cisco router console port

1)yum install minicom

2)dmesg|grep ttyp //see what serial ports are available

2)minicom -s //configuration mode

3)select "Serial port setup" option

4)select "A" and enter desired serial port

5)select "E" and specify "C" and "Q" options (9600 8N1)

6)make sure "F" is YES and "G" is NO (hardware flow control only),on previous screen

7)save setup as CISCO

8)run it: [root@localhost ~]# minicom CISCO

======================================================================
2/2016

For step 2 /dev/ttyS0 worked (that's a zero), and NO Hardware Flow control made pressing enter work, restarted AP and I notice messages were appearing on screen, but hitting enter will not have any results, changing Hardware Flow Control to NO fixed it.

/dev/ttyUSB0 also worked :)

IPSec Tunnels with VTIs

VIRTUAL TUNNEL INTERFACES

Cisco® IPSec VTIs are a new tool that customers can use to configure IPSec-based VPNs between site-to-site devices. IPSec VTI tunnels provide a designated pathway across a shared WAN and encapsulate traffic with new packet headers, which helps to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPSec provides true confidentiality (as does encryption) and can carry encrypted traffic.With IPSec VTIs, users can provide highly secure connectivity for site-to-site VPNs and can be combined with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video, and data over IP networks.

BENEFITS:

• Simplifies management---Customers can use the Cisco IOS® Software virtual tunnel constructs to configure an IPSec virtual tunnel interface, thus simplifying VPN configuration complexity, which translates into reduced costs because the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.

• Supports multicast encryption---Customers can use the Cisco IOS Software IPSec VTIs to transfer the multicast traffic, control traffic, or data traffic---for example, many voice and video applications---from one site to another securely.

• Provides a routable interface---Cisco IOS Software IPSec VTIs can support all types of IP routing protocols. Customers can use these VTI capabilities to connect larger office environments---for example, a branch office, complete with a private branch exchange (PBX) extension.

• Improves scaling---IPSec VTIs need fewer established security associations to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

• Offers flexibility in defining features---An IPSec VTI is an encapsulation within its own interface. This offers flexibility of defining features to run on either the physical or the IPSec interface.

Source (as of 2013):
http://www.cisco.com/en/US/technologies ... Paper.html

Setting NTP in Cisco 1721 router.

router#show ver
Cisco IOS Software, C1700 Software (C1700-ADVENTERPRISEK9-M), Version 12.4(7), RELEASE SOFTWARE (fc6)...

router(config)# ntp server 1.gr.pool.ntp.org
router(config)#clock timezone PST -7 //Los Angeles :)

router#show clock   
18:21:43.570 PST Sat Oct 12 2013

router# show ntp associations
router# show ntp status

Cisco Catalyst 3550 Port Mirroring

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface fastethernet0/1
Switch(config)# monitor session 1 destination interface fastethernet0/8

Cisco 1721 IOS Image Upgrade from ROMMON using TFTP

//using tftpd32 server

rommon 36 > TFTP_SERVER=172.16.1.8
rommon 37 > tftpdnld

IP_ADDRESS: 172.16.1.33
IP_SUBNET_MASK: 255.255.255.0
DEFAULT_GATEWAY: 172.16.1.1
TFTP_SERVER: 172.16.1.8
TFTP_FILE: c1700-adventerprisek9-mz.124-7.bin

//If you want to boot from the image on the TFTP server without writing it to flash then use the command: tftpdnld -r

Site-to-Site VPN Configuration (Rapido y Furioso :)

//local network
//LAN IP addres 10.0.0.0 255.255.255.0
//R2(local router) public address: 23.0.1.0 255.255.255.0

crypto isakmp policy 1
authentication pre-share
exit

crypto isakmp key cisco address 56.2.11.2

//interesting traffic
access-list 100 permit 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

//transform set
crypto ipsec transform-set MYSET esp-sha-hmac esp-aes

//crypto map(bind all together)
crypto map MYMAP 1 ipsec-isakmp
set transform-set MYSET
set peer 56.2.11.2
match address 100
exit

//turn on policy (interface with public address)
int fa0/0
crypto map MYMAP
exit

===============================================================================

//remote network
//LAN IP address 192.168.1.0 255.255.255.0
//R4(local router) public address: 56.2.11.2

crypto isakmp policy 1
authentication pre-share
exit

crypto isakmp key cisco address 23.0.1.2

//interesting traffic
access-list 100 permit 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255

//transform set
crypto ipsec transform-set OTHER_MYSET esp-sha-hmac esp-aes

//crypto map(bind all together)
crypto map MYMAP 1 ipsec-isakmp
set transform-set OTHER_MYSET
set peer 23.0.1.2
match address 100
exit

//turn on policy (interface with public address)
int fa0/0
crypto map OTHER_MYMAP
exit

//Now local hosts should be able to ping remote hosts

//verification commands
show crypto ipsec sa

/* IKE phase 1 tunnel is for private use when the two edge routers(R2 &R4) need to talk to each other,and it's used to create the IKE phase 2 tunnel (also called the IPSec tunnel).*/

: )

Dynamic ACLs (Lock-and-Key ACLs)

Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process(telnet login authentication).

See cut-through proxy, They call it like that in the ASA world.

Cisco Router Remote Access IPSec VPN with Pre-Shared Key & Certificate (EZVPN)

The video demonstrates configuration of remote access IPSec VPN with Windows software client on Cisco router. We will look at both simple pre-shared key authentication as well as using client certificate. The client is placed behind a NAT router to demonstrate the significance of NAT Transparency, and compare it to raw IPSec and cTCP (IPSec over TCP). The video finishes off by showing how client can be allowed access to local subnet when a non-split tunnel is used.

Topic includes
- Easy VPN (EZVPN) with Software IPSec Client
- Client Pre-Shared Key and Certificate Authentication
- NAT Transparency (UDP 4500)
- cTCP aka IPSec over TCP
- 'include-local-lan' Option when not using Split Tunnel

Cisco Remote Access VPN Client for IPsec (Win7 64b)

vpnclient-winx64-msi-5.0.07.0290-k9.exe

https://supportforums.cisco.com/thread/2074141 (or built in software in Win7?)

"We sort of have two main categories of VPN. 1) Lan to Lan (aka Site to Site) and 2) Remote access. With lan to lan VPN's, there is some device (router, firewall, concentrator) that terminates bot ends of the connection. With Remote access, there is a piece of software installed on a PC/Laptop on one end and the other end would be terminated into a router, firewall or concentrator"

https://supportforums.cisco.com/thread/2074141

CCNP ROUTE Passed!

:) Today I passed CCNP 642-902 ROUTE exam !!!

•EIGRP
•OSPF
•IGP Redistribution(Route Maps,Prefix Lists,Distribute Lists)
•Policy-based routing and IP service-level agreement (IP SLA)
•BGP
•IPv6
•IPv4 and IPv6 coexistence
•Routing over branch Internet connections

Cisco IP Service Level Agreement (SLA)

IP SLA is a feature that measures the ongoing behavior of the network, it acts as a tool to test and gather data abouth the network. Network management tools can then collect that data and report whether the network reached the desired SLAs for the network, many management tools support the ability to configure IP SLA from the management tool's gui. When configure, the routers gather the results of network operation, storing the statistics in the IOS RTTMON MIB, management applications can later gather the statistics from this MIB on various routers and report whether the SLAs are met.

CCNP ROUTE (4th printing) p. 371.

-------------------------------------------------
IP SLA is a function of Cisco’s IOS enabling you to analyze a Service Level Agreement (SLA) for an IP application or service. IP SLAs use active traffic-monitoring to continuously monitor traffic across the network. This is very different from SNMP or Netflow data which give you more volume oriented statistics. Many different metrics can be analyzed using IP SLA, here is a break down of a few.

* UDP Jitter .– Probably the most used operation in all of IP SLA. This IP SLA generates UDP traffic and measures Round-trip Delay, One-way Delay, One-way Jitter, One-way Packet Loss, and overall Connectivity.
* ICMP Path Jitter .– Hop-by-hop Jitter, Packet Loss, and Delay.
* UDP Jitter for VoIP .– Enhanced test for VoIP monitoring. It can simulate various codecs and spits out voice quality scores (MOS, and ICPIF). Also shows us Round-trip Delay, One-way Delay, One-way Jitter, and One-way Packet Loss.
* UDP Echo .– Round-trip Delay for UDP traffic.
* ICMP Echo .– Round-trip Delay, full path.
* ICMP Path Echo .– Round-trip Delay and Hop-by-hop round trip delay.
* HTTP .– Round-trip time using simulated http traffic.
* TCP Connect .– Allows us to sample the time to connect to a target using TCP.
* FTP .– Round-trip time for file transfers.
* DHCP .– Round-trip time for dynamic host configuration.
* Frame-Relay .-–Round-trip Delay, and the Frame Delivery Ratio. Mostly used for circuit availability.

http://routerjockey.com/2011/05/06/ip-sla-basics/

-------------------------------------------------
Cisco IP SLA is an embedded feature set in Cisco IOS Software that allows you to analyze service levels for IP applications and services. It is one of those Cisco device instrumentation features with a long history. IOS 11.2 introduced the Response Time Reporter (RTR), which supported three functions: ICMP Ping, ICMP Echo Path, and SSCP (IBM SNA native echo). In those days, multiple customers migrated their dedicated IBM SNA infrastructure to an IP network and realized how limited IP reporting functions were compared to IBM's SNA network. RTR addressed this issue and significantly increased functionality over the years. Cisco renamed RTR Service Assurance Agent (SAA) in Cisco IOS Software Release 12.0(5)T. New features were continuously added and, in 2004, Cisco changed the name to IP SLA. Despite the name changes, the basic principle of IP SLA remained the same: an active measurement that uses injected test packets (synthetic traffic) marked with a time stamp to calculate performance metrics. The results allow indirect assessment of the network, such as Service-Level Agreements (SLA) and QoS class definitions.

http://etutorials.org/Networking/networ ... 1.+IP+SLA/

-------------------------------------------------

Also: See Cisco's NetFlow

When exactly should BGP Synchronization be enabled?

Hi,

BGP synchronization assumed an older approach of BGP deployment for a transit autonomous system. In this approach, BGP would be configured only on ASBRs, not on internal routers. The ASBRs would have eBGP peerings with outside autonomous systems, and they would also have iBGP peerings to each other. Internal routers, however, would not be running BGP.

Naturally, this constellation would result in blackholing traffic because while the ASBRs know all routes thanks to their eBGP and iBGP peerings, any internal router would have no idea about external networks. So as an additional step, the BGP routes were redistributed into the internal routing protocol. The full reachability would be therefore gained by combining the BGP on and between the ASBRs, and the redistribution of BGP routes into IGP within an AS. The internal routers are therefore spared the need to run full BGP.

Now, an ASBR can know about an external network from another iBGP peer via iBGP and theoretically, it can immediately install it into its routing table and advertise it to further eBGP neighbors. However, if the internal protocol, say, EIGRP, does not yet have that route fully advertised to all internal routers, advertising the route to eBGP neighbors would be futile: the traffic would be still misrouted or blackholed inside our AS until the EIGRP has truly advertised the network.

This is where BGP Synchronization comes in. An ASBR can know about a route via iBGP peering with another ASBR. However, it will not consider that route as valid until the same route comes through an IGP, say, EIGRP, and gets installed in the routing table. Seeing the route learned via iBGP installed as an IGP route means that the neighboring ASBR has redistributed the route correctly into EIGRP and that it is already known to all internal routers between that ASBR and your ASBR, and that means that the path is truly valid - each router on the path between you and the neighboring ASBR knows how to route packets to that destination.

So the state of seeing an iBGP-learned route as IGP-learned in your routing table means that the route itself is synchronized. Only now, you can consider the route as valid, subject it to BGP bestpath algorithm and advertise it to eBGP peers - not sooner.

"I already understand that Sync. must be disabled in case if i have a full meshed IBGP in order for IBGP routes to be entered in the IGP routing table."

iBGP peers must always be fully meshed (let us ignore route reflectors and confederations for now). However, the BGP synchronization should be deactivated if all your routers within an AS are BGP speakers and are supposed to learn the external routes via BGP. In such case, you would never redistribute BGP-learned routes into an IGP (there would be no sense in doing that as all routers speak BGP already) but the activated synchronization would prevent these routers from treating these iBGP-learned routes as valid.

In other words, the BGP Synchronization must be deactivated in all iBGP scenarios where BGP routes are not redistributed into IGP protocol. Otherwise, an iBGP speaker will wait for an iBGP-learned route to be also learned via IGP - which will never happen.

Please feel welcome to ask further!

Best regards,
Peter

https://supportforums.cisco.com/thread/2107257

:)

OSPF Neighbors vs OSPF Adjacencies

Routers become OSPF Neighbors if they have an interface connected on a common network. For example, two routers connected on a point-to-point serial link could be neighbors.

An Adjacency is required for two ospf routers to exchange route updates. Not all neighbor routers will form adjacencies.

https://learningnetwork.cisco.com/thread/2010

OSPF LSA types

Common LSAs:

BGP Best Path Selection Process

Consider only synchronized routes with no AS loops and a valid next hop, and then:

1.- Prefer highest weight (local router).
2.- Prefer highest local preference (global within AS).
3.- Prefer route originated by the local router (next hop: 0.0.0.0).
4.- Prefer shortest AS path.
5.- Prefer lowest origin code (IGP6.- Prefer lowest MED (metric, exchanged between autonomous systems).
7.- Prefer eBGP path over iBGP path.
8.- Prefer the path through the closest IGP neighbor (IGP cost).
9.- Prefer oldest route for eBGP paths.
10.- Prefer the path with the lowest BGP neighbor's Router ID.
11.- Prefer the path with the lowest neighbor IP address.

OSPF Virtual Link Configuration

R1(config)#router ospf 20
R1(config-router)#area 1 virtual-link 10.30.30.30

R2(config)#router ospf 20
R2(config-router)#area 1 virtual-link 10.50.50.50

Virtual Routing and Forwarding (VRF)

In IP-based computer networks, Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

Site to Site VPN

Credits to Keith!