Archive for September, 2008

Useful and Free Network Management and Monitoring Software

Monday, September 29th, 2008

Thought I would take a quick look at popular and good software for networking personnel.

Graphing

  1. RRDtool is widely deployed for graphing usage data. It can be used to make graphs like the ones I have at www.arpa.no, and a lot of software, such as Munin, uses RRDtool to do its graphing.
  2. MRTG is often used for simple graphing, but it can also be configured to use RRDtool to make nicer graphs.
  3. SmokePing is also written by Tobias Oetiker, and it is used to make pretty cool graphs of round-trip times.
  4. Cacti is a complete graphing frontend for RRDtool. It is very powerful, but I also often find it very complex for small, simple tasks.
  5. Munin is very nice for simple graphing tasks, and it is what I use to make the graphs on arpa.no; it of course uses RRDtool. It is a Norwegian project, developed by Linpro.

Monitoring

  1. Nagios is widely deployed for monitoring purposes. It can be very hard to get working, but when it works it monitors for outages, TCP ports that are down, and any other suspect half-states things can end up in. I have found Nagios very reliable, and I even developed a plugin for doing a handshake with RTMP servers like Wowza or Red5, because my workplace sells those kinds of services.
  2. Snort is a network intrusion detection system that can be used to monitor for suspicious network activity; with the right rules it can recognize port scans, DoS/DDoS traffic, and so on.

Analysis

  1. flow-tools can be used to receive and analyze NetFlow data from Cisco and Juniper routers.
  2. FlowScan can be used to make pretty graphs from NetFlow data collected by the cflowd tool.

Other cool utilities

  • MTR is an interactive traceroute application, very useful.
  • I am currently developing a new Network Management System, and I am hoping that it will be released in 2008. It will be open source, so I guess it might be of interest!

    Which ones did I forget, which tools do you use?

    Understanding and Configuring IPv6 Routing on a Cisco Router

    Saturday, September 27th, 2008

    You do have a backup plan for IP addressing, now that we are running out of IPv4 space, right?

    IPv6 isn’t something awfully new, but some of the ideas can be hard to grasp.
    To understand IPv6 routing, I had to learn how to do subnetting of IPv6 address space.

    Subnetting basics
    To understand IPv6 subnetting, I started from what I had learned about the basics of subnetting IPv4 addresses.

    IPv4: An address such as 192.168.0.1 is just a 32-bit number, written as 4 ‘octets’ (groups of 8 bits, 256 possible values from 0 to 255) separated by dots.
    The network mask represents the subnet size, because the mask ultimately decides which addresses are on your own subnet and therefore who you can talk to directly. For example 255.255.255.0 means that all bits in the last octet are host bits and can vary freely, and 255.255.0.0 means the last two octets are host bits and can be varied to your heart’s content.

    IPv6 addresses and subnetting
    This is basically just the same as for IPv4, except the address is now 128 bits compared to 32.
    This makes room for 2^128 addresses while IP version 4 was limited to 2^32.
    Just a little calculation, for the fun of it:

    (2^128)-(2^32) = 340282366920938463463374607427473244160

    This is how many MORE addresses the IP version 6 will give us.

    In IPv6 the address is written as 8 groups of 16 bits instead of the 4 octets of IPv4, and instead of decimal the groups are written in hexadecimal, separated by colons.
    So a valid IPv6 address could be 3ffe:1000:0000:0000:0000:0000:0000:0001/126, or 3ffe:1000::1/126 in the compressed form, where one run of all-zero groups is replaced by ‘::’. (3ffe::/16 was the old 6bone test prefix and is no longer routed; for examples you can also use the documentation prefix 2001:db8::/32.)
    How does this work?
    /126 indicates that the first 126 bits are the network prefix, leaving 2 bits for host addressing. This gives four addresses, 3ffe:1000:: (all host bits zero) through 3ffe:1000::3; there is no broadcast address in IPv6, so none of them is burned for that.

    One thing you should notice is that, while it can feel natural, it will not work to use addresses such as ::9, ::10, ::11 and ::12 for the same /126 subnet: the groups are hexadecimal, so ::10 is decimal 16, not the address after ::9, and those four addresses end up in two different /126 networks.

    The key here is hex, which ranges from 0 – 9 and a – f, so you count 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f and only then 10 (which is sixteen). The four addresses of the /126 starting at ::8 are therefore ::8, ::9, ::a and ::b.

    To be certain, use the Online IPv4 and IPv6 calculator, it will calculate the subnets for you.
    Just enter an IPv6 or IPv4 address with the corresponding CIDR (for example /24) and it will return the network range.
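The calculation the online tool does, as an added Python example (not code from the original post), using the standard library ipaddress module. The addresses are the ones from the text above; the function names are mine.

```python
import ipaddress


def subnet_range(cidr):
    """Return (network, first address, last address, number of addresses).

    Works for IPv4 and IPv6. strict=False lets you pass a host address such as
    3ffe:1000::1/126 and get the network it belongs to, which is what a
    subnet calculator does.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    # For IPv6 'broadcast_address' is simply the last address of the block;
    # IPv6 has no broadcast, so that address is usable like any other.
    return str(net), str(net.network_address), str(net.broadcast_address), net.num_addresses


def fits_one_subnet(addresses, prefixlen):
    """True if every address in the list lies in the same /prefixlen network."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addresses}
    return len(nets) == 1


def hextet_value(group):
    """Numeric value of one 16-bit IPv6 group written in hex ('10' is sixteen, not ten)."""
    return int(group, 16)


def ipv6_extra_addresses():
    """How many more addresses 128-bit IPv6 has than 32-bit IPv4."""
    return 2**128 - 2**32


if __name__ == "__main__":
    print(subnet_range("3ffe:1000::1/126"))       # the /126 from the text: 4 addresses
    print(subnet_range("192.168.0.1/24"))          # the IPv4 case: 256 addresses
    # ::9, ::10, ::11, ::12 do not share a /126 ...
    print(fits_one_subnet(["3ffe:1000::9", "3ffe:1000::10",
                           "3ffe:1000::11", "3ffe:1000::12"], 126))
    # ... but ::8, ::9, ::a, ::b do
    print(fits_one_subnet(["3ffe:1000::8", "3ffe:1000::9",
                           "3ffe:1000::a", "3ffe:1000::b"], 126))
    print(hextet_value("10"), ipv6_extra_addresses())
```

Passing a host address with strict=False is deliberate: a calculator should tell you which block an address belongs to, whereas the default strict=True raises on host bits being set.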

    Enable forwarding of IPv6 Unicast Packets in Cisco IOS

    Router(config)# ipv6 unicast-routing

    Configure a static IPv6 default gateway/route

    Router(config)# ipv6 route ::/0 3ffe:1::1

    This would configure a default route with 3ffe:1::1 (the upstream router) as the next hop. The next hop must be an address of a neighbour on a directly connected link (or a link-local address given together with the outgoing interface), not one of the router’s own addresses.

    Configuring an IPv6 address on an interface

    Router(config-if)# ipv6 address 3ffe:1::2/64

    Here the router gets 3ffe:1::2 on the link towards 3ffe:1::1, the upstream router used as next hop above. A link-local address (fe80::/10) is created automatically as soon as IPv6 is enabled on the interface.

    Verifying configuration
    Verify IPv6 Routing Table

    Router# show ipv6 route

    Pinging over IPv6 from Cisco IOS

    Router# ping ipv6 3ffe:1::1

    (On newer IOS a plain ‘ping 3ffe:1::1’ works as well; ‘show ipv6 interface brief’ and ‘show ipv6 neighbors’ are useful when the ping fails.)

    Also check out these featured articles
    Configuring IPv6 OSPF Routing In Cisco IOS

    Get Support for IPv6 Routing on the 3750 Platform

    BGP Configuration: Basic example in Cisco IOS

    Tuesday, September 23rd, 2008

    A lot of people are looking for BGP configuration information for Cisco and Foundry, so I will explain a bit about the different statements and also post a couple of configuration examples.

    Cisco

    01: ip route 10.0.0.0 255.0.0.0 null 0
    02: router bgp 65000
    03: network 10.0.0.0 mask 255.0.0.0
    04: neighbor 192.168.0.1 remote-as 65001

    1. Line 01 adds a static route for 10.0.0.0/8 pointing to Null0. BGP on Cisco only announces a network statement whose prefix is present in the routing table, so the static route makes sure the aggregate is always there, even if you only hold more specific routes inside it. Traffic to unused parts of the /8 is silently discarded by the Null0 route, which is what you want.
    2. Line 02 starts a BGP process with a local AS number of 65000.
    3. Line 03 adds the network 10.0.0.0/8 to the local BGP table; the router will now announce this network into BGP.
    4. Line 04 sets up a peering session with 192.168.0.1, whose AS number is 65001 (a different AS, so this is an eBGP session).

    Security issues in peering
    I wrote a rant about this in August when the newspapers put up their big posters about the Internet dying (again.) 😉
    Peering sessions should have a password (a TCP MD5 signature on the session, so nobody can spoof or reset it), and it is also wise to filter the outbound announcements with a prefix-list, to make sure not to announce full transit to every peering partner. Filter inbound as well, so a peer cannot announce your own prefixes or a default route to you.
    Also, you do not want a peer to leak a full table into you either, so you should at least configure a maximum prefix count.

    Cisco, more BGP configuration statements (beginning in global config)

    ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
    ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
    router bgp 65000
    neighbor 192.168.0.1 password oursecret
    neighbor 192.168.0.1 prefix-list AS65000 out
    neighbor 192.168.0.1 maximum-prefix 5

    The first two lines define a prefix list which matches only 10.0.0.0/8: sequence 5 permits it and sequence 1000 denies everything else (‘0.0.0.0/0 le 32’ means any prefix of any length).
    The third line enters BGP configuration, while the fourth line sets the session password. The same password has to be configured on the other end (on the remote peer’s neighbor statement for our router) for the peering session to become active.
    Line number 5 applies the prefix-list to the announcements towards this neighbor, and the last line makes the router accept NO MORE than 5 prefixes from this peering partner. When the limit is exceeded IOS tears the session down and keeps it down until you run ‘clear ip bgp 192.168.0.1’; add ‘restart <minutes>’ to have it come back by itself, or ‘warning-only’ if you only want a log message.
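An added Python example (not the post’s own code) that audits a Cisco IOS configuration for the three controls just described, plus an inbound prefix-list. The configuration text is a constructed sample in IOS syntax built from the snippets above, with a second, hypothetical neighbor 192.168.0.9 in AS65002 that is missing most of them; peer-groups and templates are assumed not to be in use.

```python
import re
from collections import defaultdict

# Constructed sample in Cisco IOS syntax (not a real router's config). The first
# neighbor is configured as in the post; the second only has an inbound filter.
SAMPLE_CONFIG = """\
ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
ip prefix-list FROM-65002 seq 5 permit 172.16.0.0/12
ip prefix-list FROM-65002 seq 1000 deny 0.0.0.0/0 le 32
!
router bgp 65000
 network 10.0.0.0 mask 255.0.0.0
 neighbor 192.168.0.1 remote-as 65001
 neighbor 192.168.0.1 password oursecret
 neighbor 192.168.0.1 prefix-list AS65000 out
 neighbor 192.168.0.1 maximum-prefix 5
 neighbor 192.168.0.9 remote-as 65002
 neighbor 192.168.0.9 prefix-list FROM-65002 in
!
ip route 10.0.0.0 255.0.0.0 Null0
"""

# Attribute key -> finding text when that attribute is missing on a neighbor.
REQUIRED = {
    "password": "no session password (neighbor ... password)",
    "prefix-list out": "no outbound prefix-list (may announce transit/full table to the peer)",
    "prefix-list in": "no inbound prefix-list (peer may announce anything, including your own prefixes)",
    "maximum-prefix": "no maximum-prefix (a leaked full table would be accepted)",
}


def parse_bgp_neighbors(config_text):
    """Map each neighbor IP in the 'router bgp' block to the set of attributes set on it.

    Assumption: neighbors are configured directly, not through peer-groups or
    templates (those are not resolved here).
    """
    neighbors = defaultdict(set)
    in_bgp = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("router bgp "):
            in_bgp = True
            continue
        if in_bgp and (line == "!" or re.match(r"^(router|interface|ip route) ", line)):
            in_bgp = False
        if not in_bgp:
            continue
        m = re.match(r"neighbor (\S+) (\S+)(.*)$", line)
        if not m:
            continue
        ip, attr, rest = m.groups()
        key = attr
        if attr in ("prefix-list", "route-map", "filter-list", "distribute-list"):
            key = f"{attr} {rest.split()[-1]}"  # keep the direction: 'prefix-list out'
        neighbors[ip].add(key)
    return dict(neighbors)


def audit_bgp(config_text):
    """Return {neighbor_ip: [findings]} for every neighbor that has a remote-as."""
    findings = {}
    for ip, attrs in parse_bgp_neighbors(config_text).items():
        if "remote-as" not in attrs:
            continue
        findings[ip] = [msg for key, msg in REQUIRED.items() if key not in attrs]
    return findings


if __name__ == "__main__":
    for ip, missing in audit_bgp(SAMPLE_CONFIG).items():
        print(ip, "OK" if not missing else "")
        for msg in missing:
            print("   -", msg)
```

Run against the sample, the post’s own neighbor 192.168.0.1 gets exactly one finding (no inbound filter), while 192.168.0.9 is flagged for the missing password, outbound filter and prefix limit.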

    Foundry BGP Configuration
    This is mostly the same, but the dry basics is as follows:

    ip route 10.0.0.0/8 null0
    router bgp
    local-as 65000
    neighbor 192.168.0.1 remote-as 65001
    network 10.0.0.0 255.0.0.0

    And the filtering BGP4 statements for Foundry

    ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
    ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
    router bgp
    neighbor 192.168.0.1 password oursecret
    neighbor 192.168.0.1 prefix-list AS65000 out
    neighbor 192.168.0.1 maximum-prefix 5

    So as you can see, the BGP configuration is mostly the same for both vendors, so let’s focus our attention on more BGP configuration on Cisco IOS.

    BGP Peering From a Loopback Interface
    By default a router uses the IP address of the interface facing the peer as the source address of the peering session. Sometimes you want something else, for example so that an iBGP session between two routers connected by several links does not drop when one link fails, or when doing eBGP multihop peering.

    This is easily configured under the BGP process in Cisco IOS. The peer must then point its neighbor statement at your loopback address, and for eBGP the session also needs ‘neighbor 192.168.0.1 ebgp-multihop’, since the loopback is not directly connected.

    neighbor 192.168.0.1 update-source Loopback0

    Verification
    At last, we need to verify the peering session. I usually use this command:

    show ip bgp sum | i REMOTEAS

    Substitute ‘REMOTEAS’ with the AS number you want to check; for example it will show this for AS65001 from our lab. (I will include the header also because it is useful in this example, even though it won’t show up in your show command.)

    Router#sh ip bgp sum | i 65001
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.0.1     4 65001      28      27        3    0    0 00:24:15        2

    This session is now established (a number in the State/PfxRcd column means Established; anything else, like Idle or Active, is the state of a session that is down) and I receive two prefixes from the remote peer.
    With ‘neighbor 192.168.0.1 soft-reconfiguration inbound‘ the router also keeps a copy of everything the peer sent before your inbound policy, which you can look at with ‘show ip bgp neighbors 192.168.0.1 received-routes’. The ‘routes’ form below shows what was accepted:

    Router#show ip bgp neighbors 192.168.0.1 routes
    BGP table version is 3, local router ID is 192.168.0.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> 10.0.0.0         192.168.0.1              0             0 65001 ?
    *> 192.168.0.0      192.168.0.1              0             0 65001 ?

    Total number of prefixes 2

    Two prefixes received from 192.168.0.1, and you can also use the command show ip bgp neighbors 192.168.0.1 advertised-routes to check what your router is announcing to the remote peer.
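As an added example (not from the original post), the same check done programmatically, for instance from a Nagios plugin: parse ‘show ip bgp summary’ output, treat a numeric State/PfxRcd as Established, and warn when a session is down or its prefix count approaches the configured maximum-prefix. The output below is constructed in the format shown above, not a capture from the author’s router, and the MAX_PREFIX values are assumed.

```python
import re

# Constructed sample in the format of 'show ip bgp summary' (not a real capture).
# 'Idle (PfxCt)' is what IOS shows after maximum-prefix has been exceeded.
SAMPLE_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.0.1     4 65001      28      27        3    0    0 00:24:15        2
192.168.0.9     4 65002      10      11        3    0    0 00:03:02 Active
192.168.0.17    4 65003    1200    1190        3    0    0 01:10:44 Idle (PfxCt)
"""

# maximum-prefix configured per neighbor (assumed values for the example)
MAX_PREFIX = {"192.168.0.1": 5, "192.168.0.9": 5, "192.168.0.17": 100}

# Neighbor, version, AS, then MsgRcvd MsgSent TblVer InQ OutQ, Up/Down, State/PfxRcd
LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_summary(text):
    """Return {ip: {'as': int, 'up': bool, 'prefixes': int or None, 'state': str}}."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        state = m.group("state")
        established = state.isdigit()  # a number in the last column means Established
        sessions[m.group("ip")] = {
            "as": int(m.group("asn")),
            "up": established,
            "prefixes": int(state) if established else None,
            "state": "Established" if established else state,
        }
    return sessions


def check_sessions(text, max_prefix, warn_ratio=0.8):
    """Return a list of (ip, problem) for sessions that are down or near maximum-prefix."""
    problems = []
    for ip, s in parse_summary(text).items():
        if not s["up"]:
            problems.append((ip, f"AS{s['as']} session not established: {s['state']}"))
            continue
        limit = max_prefix.get(ip)
        if limit and s["prefixes"] >= warn_ratio * limit:
            problems.append((ip, f"AS{s['as']} has {s['prefixes']} prefixes, limit {limit}"))
    return problems


if __name__ == "__main__":
    for ip, problem in check_sessions(SAMPLE_SUMMARY, MAX_PREFIX):
        print(ip, problem)
```

Warning at 80 % of the limit gives you time to talk to the peer before IOS shuts the session for real.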

    That was it for today; hopefully those newer to BGP now have a better understanding of the configuration.

    Configuring 802.1Q Trunk Links in Cisco IOS

    Monday, September 22nd, 2008

    This is CCNA level stuff, here is an insight article about trunk links.

    What is a trunk link?
    A port in trunking mode can carry multiple VLANs over one physical link, using one of two encapsulations: Cisco’s proprietary ISL or the IEEE standard 802.1Q.
    Multiple vendors support 802.1Q, and that makes it my choice for a trunking protocol.

    How does 802.1Q work?
    It works by inserting a 4-byte tag into the Ethernet header, between the source MAC address and the EtherType/length field. The tag carries the VLAN identifier along with some other information:

    Field   TPID   PRIORITY   CFI   VID
    Bits    16     3          1     12

    The TPID is the Tag Protocol Identifier; it is set to 0x8100 for 802.1Q, so a receiver recognizes a tagged frame by finding 0x8100 where the EtherType would otherwise be.
    The PRIORITY is a 3-bit priority (802.1p class of service), ranging from 0 – 7.
    The CFI is the Canonical Format Indicator, which is used to identify whether the MAC addresses are in canonical format; if it is set to 0 the addresses are in canonical format (on Ethernet it is normally 0).

    The tag is 4 bytes long, and with a 12-bit VLAN ID field it can hold 2^12 = 4096 values. VLAN ID 0 means ‘priority tagged, no VLAN’ and 4095 is reserved, so 4094 VLANs are usable.
    The switch will also recompute the FCS field, since the frame is altered.
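To make the tag layout concrete, an added Python example (not from the original post) that builds the 4-byte tag, inserts it after the MAC addresses and parses it back, including stacked (double) tags. The frame bytes are constructed; no FCS is carried, as the switch recomputes it anyway.

```python
import struct

TPID_8021Q = 0x8100   # C-tag, what Cisco 'encapsulation dot1q' uses
TPID_8021AD = 0x88A8  # S-tag (Q-in-Q / provider bridges), also recognised when parsing


def build_tag(vid, priority=0, cfi=0):
    """Return the 4-byte tag: 16-bit TPID, then the TCI = 3-bit PCP | 1-bit CFI | 12-bit VID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    tci = (priority << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, priority=0):
    """Insert an 802.1Q tag after the destination and source MAC (first 12 bytes).

    The frames here carry no FCS; a switch recomputes the FCS after tagging.
    """
    if len(frame) < 14:
        raise ValueError("need at least dst MAC, src MAC and EtherType")
    return frame[:12] + build_tag(vid, priority) + frame[12:]


def parse_tags(frame):
    """Return ([(priority, cfi, vid), ...] outermost first, ethertype, payload).

    Loops so that stacked tags (double tagging) are all peeled off.
    """
    tags = []
    offset = 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        tags.append(((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype, frame[offset + 2:]


# Constructed untagged frame: broadcast dst, made-up src, EtherType 0x0800, dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" * 46

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, 500, priority=5)
    print(tagged[12:16].hex())                 # 8100a1f4: TPID 0x8100, TCI = 5<<13 | 500
    print(parse_tags(tagged))
    print(parse_tags(tag_frame(tagged, 1)))    # outer VID 1, inner VID 500
```

The parser loops over tags on purpose: a frame that arrives with two tags is exactly what shows up when an untagged native VLAN lets an outer tag be stripped and an inner one survive, so anything that inspects trunk traffic should expect more than one.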

    Configuration of a trunk link
    Now, to configure a trunk link between two switches the following code should be suitable:

    Switch(config)# interface GigabitEthernet1/0/1
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# exit
    Switch(config)# vlan 500

    The encapsulation command sets the encapsulation of the trunk link to either ISL or 802.1Q (on switches that only speak 802.1Q, such as the 2960, the command does not exist and can be skipped).
    ‘mode trunk’ forces the port into trunking mode; you can also choose dynamic to make the switches negotiate the mode with DTP. I force all ports to their mode, always. Add ‘switchport nonegotiate’ on trunks and put user-facing ports in ‘switchport mode access’, so that nothing plugged into an access port can negotiate a trunk and gain access to every VLAN.
    The vlan 500 command creates VLAN 500; it is automatically carried over the trunk once it exists on both sides.

    Disallow some vlans
    Sometimes we do not want to make a mess and let every VLAN cross every trunk link.
    Imagine spanning a customer’s VLAN from the US to Spain by accident, or worse..
    Imagine delivering layer 2 connectivity between a set of locations for a customer on different VLAN IDs, delivered on a trunk link. If you are not careful you can end up letting private VLAN traffic leak between customers.

    Switch(config)# interface Gig1/0/1
    Switch(config-if)# switchport trunk allowed vlan 500

    This will make sure that only VLAN 500 is allowed over this trunk link, whatever VLANs the other side has configured or tries to negotiate.

    Pitfalls
    Make sure to use the add keyword if you are adding more VLANs to a trunk link.

    Switch(config-if)# switchport trunk allowed vlan add 200

    Otherwise the configuration replaces the list of VLANs you had already allowed on the link.

    Verification
    To verify your trunk links, you can for example do this:

    Switch#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi1/0/1     auto         802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi1/0/1     500

    Port        Vlans allowed and active in management domain
    Gi1/0/1     500

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi1/0/1     500

    Here you can see that port Gi1/0/1 is trunking, and that VLAN 500 is allowed and active over the trunk. The Mode column reads ‘auto’, meaning this port got its trunk through DTP negotiation; a port forced with ‘switchport mode trunk’ shows ‘on’. Also note the native VLAN of 1: untagged frames arriving on the trunk are put into VLAN 1, so keep the native VLAN an unused one (‘switchport trunk native vlan <id>’) rather than a VLAN that carries real traffic.

    You can also use show vlan id:

    Switch# show vlan id 500

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    500  VLAN500                          active    Gi1/0/1, Gi1/0/2

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    500  enet  101545     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------

    Switch#

    Here you can see that vlan 500 is configured on the trunk link Gigabit ethernet 1/0/1 and also on 1/0/2.

    That’s a little insight in 802.1Q trunking vlan links!

    Using ‘archive’ to archive working cisco configurations

    Saturday, September 20th, 2008

    Do you have backups of your working configurations?

    Just a short weekend post, now that you have time to go over your configuration backups.
    You can use the Cisco ‘archive’ command in global configuration mode to let the Cisco switch or router automatically save backups of your configuration file to a TFTP, FTP, HTTP, HTTPS, SCP or RCP location. Remember that the configuration contains your SNMP communities, BGP passwords and user secrets, so prefer SCP or HTTPS over TFTP, which sends it all in cleartext, and protect the backup server accordingly.

    To configure an automatic backup to, for example, a TFTP server every time you do a write memory, just do this:

    Switch(config)# archive
    Switch(config-archive)# path tftp://10.0.0.1/ciscobackups/Switch
    Switch(config-archive)# write-memory

    The switch or router will now automatically archive a copy of your running configuration on 10.0.0.1 every time it is saved. (You can also add ‘time-period <minutes>’ under archive to take a copy on a schedule.)

    You can use show archive to verify backups.

    Switch# show archive
    The next archive file will be named tftp://10.0.0.1/ciscobackups/Switch-3
    Archive # Name
    0 tftp://10.0.0.1/ciscobackups/Switch-1
    1 tftp://10.0.0.1/ciscobackups/Switch-2 <- Most Recent

    You can also use the EXEC command ‘configure replace <url>‘ to load one of the archived configuration files and roll back to it, and ‘show archive config differences’ to see what changed between two of them.

    Have a nice weekend punching out archives!

    Routing – Understanding And Tweaking the CAM

    Thursday, September 18th, 2008

    If you don’t pay attention to the CAM, your network could face serious problems.

    What is the CAM and Why is it important?
    CAM is short for Content-Addressable Memory and is a type of memory for high-speed searching applications. Other names are associative memory or, when programming, associative arrays.

    The CAM makes it possible to make forwarding decisions in hardware instead of bothering the CPU: routes are placed in the CAM so that the linecard ASIC or FPGA can look up which interface to send the packet out on more or less directly from the memory. This decreases forwarding latency drastically and makes wire-speed performance possible.

    Imagine how your router would perform without this now..

    OK, Why is it important?
    Because every router has a limited amount of this memory, and the space has to hold IPv4 routes, IPv6 routes, ACL entries and everything else you are doing (or want to do) in hardware.
    This makes partitioning of this memory important.

    You have different ways of doing this, but it mostly involves a reload of the router.

    CAM Profiles
    On Foundry routers it is called CAM profiles; here are the basics.

    The Internet routing table now has about 260K prefixes, so you should worry about whether your partitioning leaves room for it.

    To check my CAM usage I use:

    show cam-partition usage

    On a Cisco 6500/7600 switch, you could use

    show tcam details

    When there is no more CAM space for a route, that destination can no longer be forwarded in hardware; depending on the platform the packets are dropped or punted to the CPU, and either way the destination is effectively unreachable under real load.
    So pay attention to your CAM/TCAM. :-)

    Restrict SNMP Access With Views in Cisco IOS

    Wednesday, September 17th, 2008

    Would you ever let your customers pull SNMP from you?

    Short but hopefully interesting post today; I have been at a night course and I am pretty tired.
    I found this by accident once, and it is very handy!
    For example for stopping the smart technicians from starting an snmpwalk of your BGP router and going to lunch while it grinds through the whole table!

    You can restrict access to certain MIBs with SNMP views.
    This is a quick and dirty example of SNMP view usage…

    snmp-server community secret view secretview ro

    Clients using the community ‘secret’ will now be limited to the view secretview (the view name has to match in both commands);

    snmp-server view secretview iso included
    snmp-server view secretview ifMIB excluded

    A view starts out empty, so the first line includes the whole tree and the second then carves ifMIB out of it. You should also end the community line with an access-list number to limit which source addresses may use the community at all, and of course pick a better community string than ‘secret’.
    These are just the basics of SNMP views in IOS! Play around with it!

    5 Magic Cisco tips & tricks aka magic IOS commands

    Monday, September 15th, 2008

    I have been working a lot for several years, and now I want to share some of my best tips for working faster and more efficiently on Cisco routers in Cisco IOS.

    I posted earlier about the ‘do’ command, but I am going to include it here because it is so darn practical.

    So without further ado, here is the list, in no particular order.

    1. ‘do’ in config mode
      This is one of the most time-saving ones that few people seem to know about. Use it!
      It lets you run EXEC commands (show, ping, clear, ...) from global configuration mode and its sub-modes, without leaving configuration mode.
    2. include, exclude and begin
      Ever wanted to find something in the configuration? Or maybe you want to see some info, and not some?
      Use include or exclude, for example you can do

      Router1(config)# do show running-config | include ip_address

      This will show every line containing ‘ip address’ in your running configuration. The underscore in IOS regular expressions matches a space (as well as a comma, brace, or the start or end of the line), so you can match two words without quoting. You can also do

      Router1(config)# do show running-config | exclude password

      This will exclude every line that has the word ‘password’ in it, which can be useful if you are showing the configuration file to someone (remember that ‘secret’ lines are not caught by it), or you can even do

      Router1(config)# do show running-config | exclude (password|secret)

      This will exclude every line containing EITHER password or secret; the filters take full regular expressions. ‘begin’ works the same way but starts the output at the first matching line, for example ‘show running-config | begin router bgp’.
      This means that even show interfaces | include (^Vlan|Internet_address|packets\/sec) is valid, which will give you a list of your Vlan interfaces with their addresses and packet rates.

    3. alias ps
      Use aliases, do you ever run the same commands a thousand times?
      I have at least these aliases in place on all my equipment:

      alias exec sb show ip int brief
      alias exec ps sh proc cpu | excl 0.00%__0.00%__0.00%

    4. time-range command

      time-range Workhours
      periodic weekdays 8:00 to 16:00
      !
      ip access-list extended Permission-To-Internal-Server-In-Work-Hours
      permit tcp any host 10.0.0.5 eq www time-range Workhours
      deny tcp any host 10.0.0.5 eq www
      permit ip any any

      This will allow HTTP access to 10.0.0.5 between 8am and 4pm on weekdays and deny it outside those hours, while letting everything else through. The list still has to be applied to an interface with ‘ip access-group Permission-To-Internal-Server-In-Work-Hours in’, and the time range is checked against the router’s clock, so keep it synchronized with NTP or the rule will open and close at the wrong times.

    5. Redistribute default gateway route into OSPF
      A lot of people are wondering about this one too.

      Router1(config-router)# default-information originate always

      This is done under ‘router ospf’ in global configuration. Without ‘always’ the router only advertises a default route into OSPF while it has one itself; with ‘always’ it advertises one unconditionally, so use ‘always’ only on a router that really should attract all unknown traffic even when its own default is gone, or you will blackhole it.

    Route overlaps, it’s dangerous!

    Sunday, September 14th, 2008

    Just wanted to tell you that I added a new page; it is an IP subnet calculator tool.

    It works with IPv4 and IPv6 addresses; just remember to append the prefix length (/24 for a 255.255.255.0 mask).

    The danger with dynamic routing is the possibility of route overlaps, by which I mean having overlapping subnets defined on two routers that both announce them in a dynamic routing protocol like, for example, OSPF.

    Let us say you have configured a customer as 10.0.0.48/28 and he uses 10.0.0.49 and 10.0.0.50.

    Then you get a new customer and configure, for example, a new subnet 10.0.0.48/30, which is a more specific route (CIDR-wise).

    Routers always forward on the longest matching prefix, so traffic for 10.0.0.49 and 10.0.0.50 now follows the /30 to the new customer’s router instead of the old customer’s. You might end up effectively blackholing the old customer’s traffic, and this is something one should consider.

    Use my IP subnet calculator tool to be sure not to overlap networks!
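The longest-prefix-match behaviour behind this, as an added Python example (not the original post’s calculator): a lookup that picks the most specific route, an overlap finder, and a helper that lists the hosts whose path changes. The route table and host list are constructed from the example above, with the router names made up.

```python
import ipaddress


def longest_prefix_match(address, routes):
    """Pick the most specific route for an address, the way every router's FIB does.

    routes is {prefix_string: next_hop}; returns (prefix, next_hop) or None.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        # 'addr in net' is False (no exception) when the address families differ
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def find_overlaps(prefixes):
    """Return (more_specific, less_specific) pairs where one prefix lies inside another."""
    nets = sorted((ipaddress.ip_network(p) for p in prefixes), key=lambda n: n.prefixlen)
    overlaps = []
    for i, outer in enumerate(nets):
        for inner in nets[i + 1:]:
            if inner.version == outer.version and inner != outer and inner.subnet_of(outer):
                overlaps.append((str(inner), str(outer)))
    return overlaps


def affected_hosts(new_prefix, hosts):
    """Hosts whose traffic now goes to whoever announces new_prefix."""
    new = ipaddress.ip_network(new_prefix)
    return [h for h in hosts if ipaddress.ip_address(h) in new]


# Constructed example from the text: old customer on a /28, new customer on a /30
# carved out of the same space. A third host (.52) is added to show the contrast.
ROUTES = {
    "10.0.0.48/28": "router-A (old customer)",
    "10.0.0.48/30": "router-B (new customer)",
    "0.0.0.0/0": "upstream",
}
OLD_CUSTOMER_HOSTS = ["10.0.0.49", "10.0.0.50", "10.0.0.52"]

if __name__ == "__main__":
    for host in OLD_CUSTOMER_HOSTS:
        print(host, "->", longest_prefix_match(host, ROUTES))
    print(find_overlaps(["10.0.0.48/28", "10.0.0.48/30", "10.0.1.0/24"]))
    print(affected_hosts("10.0.0.48/30", OLD_CUSTOMER_HOSTS))
```

Run find_overlaps over every prefix you are about to configure, not just the new one; the overlap is symmetric, but only the more specific side wins.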

    Configuring a Cisco 7200 as a DNS server

    Saturday, September 13th, 2008

    I noticed some commands insinuating that I could use a 7200 as a DNS server, and I managed to use the Cisco 7200 as a DNS server for my .lan domain. :)

    This is how I configured it

    ISP(config)#ip dns primary lan soa ns.nic.lan holm.blackedge.org 30 30 30
    ISP(config)#ip dns server
    ISP(config)#ip host ns.nic.lan 172.16.1.200
    ISP(config)#ip host ns2.nic.lan 172.16.1.1

    The ip dns primary command defines the zone (lan) and its SOA record: the primary name server, the responsible mailbox and the refresh, retry and expire timers.
    The ip dns server command enables the DNS server, which will answer any client that can reach the router, so keep it behind a filter if the router is exposed to the Internet.
    The ip host commands add records to the zone.

    To verify the configuration on another router:

    IXPeer(config)#ip name-server 172.16.1.200
    IXPeer#ping ns.nic.lan
    Translating “ns.nic.lan”…domain server (172.16.1.200) [OK]
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.200, timeout is 2 seconds:
    !!!!!
    IXPeer#ping ns2.nic.lan
    Translating “ns2.nic.lan”…domain server (172.16.1.200) [OK]
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    IXPeer#

    This is a simple way to get local DNS resolution enabled on a Cisco 7200 router!