Archive for October, 2008

5 Tips to Securing a Cisco Network

Monday, October 27th, 2008

Some things you can’t do something about, but you should take security seriously.

1. Reverse Path Forwarding
When you enable Reverse Path Forwarding (RPF) on an interface, the router will check with a lookup in the FIB/CEF table to see that there exists a path back to the source address on the interface on which it receives a packet. This avoids spoofing of packets.

The way to configure reverse path forwarding is like this

Router#configure terminal
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#ip verify unicast reverse-path

2. Silence that port
A lot of networks leak sensitive information on their switchports, this should be a pretty silent switchport.

Switch#configure terminal
Switch(config)#interface GigabitEthernet0/16
Switch(config-if)#no cdp enable
Switch(config-if)#spanning-tree bpdufilter enable
Switch(config-if)#no keepalive

This will supress CDP (Cisco Discovery Protocol), spanning-tree bpdu’s and ethernet keepalives on that interface. In my last post I wrote a little about storm-control and port security.

3. Configure AAA and ACL’s for secure VTY access
VTY’s are for example the telnet connections on Cisco, to configure who should be able to access your switch via telnet just do like this:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 80 permit 10.0.0.0 0.0.0.255
Switch(config)#access-list 80 permit 192.168.0.0 0.0.255.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 80 in
Switch(config-line)#end
Switch#

This will limit VTY access to 10.0.0.0/8 and 192.168.0.0/16, the netmask is a Cisco wildcard mask, troubles figuring them out? Try the wildcard cheat.

If you want to have separate users (will show up in logs) instead of the regular password prompt, you can configure AAA as such:

Switch#configure terminal
Switch(config)#username cisco secret mypassword
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#line vty 0 15
Switch(config-line)#login authentication default
Switch(config-line)#^Z
Switch#

4. Encrypt passwords in Configuration
Do you see this in your configuration?

Switch#show run | include ^username
username admin password 0 mysecret

To enable encryption of passwords just configure

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#end
*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console
Switch#show run | include ^username
username admin password 7 060B1632494D1B1C11

This gives Cisco Type 7 encryption (which, I am sorry to say; is very crackable), but it is at least something.
I like to use ‘secret’ instead of ‘password’ which gives MD5 passwords in the configuration file, I am not sure of the difference, but it seems to give me what I want.

5. More secure routing protocols with passive-interface default
A passive interface is an interface which does not send nor receive routing information. Passive-interface default is supported by all routing protocols, and is configured quickly.

router routing-protocol
passive-interface default
no passive-interface interface

Passive-interface default sets all interfaces passive, and no passive-interface activates one interface. I have a more real life configuration example below.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastEthernet 0/2
Router(config-router)#^Z
Router#
*Mar 4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by console

This will ensure that OSPF traffic is only exchanged on fastEthernet 0/2.

Locking Down Network Ports from IOS

Sunday, October 26th, 2008

Someone connecting to your network can cause serious damage if you are sloppy with security.

port-security
port-security on switches is very flexible, first show the status of port security

Switch#show port-security interface Gi0/19
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001b.53b1.ffff:20
Security Violation Count : 181

Port security is disabled, violation mode is shutdown which means that the port should be shutdown if port security is tripped. There are

Let us limit this port to one MAC address, and if we see more than one; shutdown the port.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int gi 0/19
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security
Switch(config-if)#
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
Switch(config-if)#
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
Switch(config-if)#
11:31:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down

What happened here? First we limited the port to max one MAC address, then we configured that if this is violated then the port should be shutdown. And at last we turned on port-security.
As you can see, immediately the port went in an errdisable state for a security violation.

storm-control
Storm control can be used to limit the amount of broadcast, unicast or multicast traffic on a port.
To show the status of storm control

Switch#show storm-control gigabitEthernet 0/19
Interface Filter State Upper Lower Current
——— ————- ———– ———– ———-
Switch#

A typical broadcast storm can look like this

Switch#show interface gigabitEthernet 0/19 | i rate
Queueing strategy: fifo
5 minute input rate 106111000 bits/sec, 207129 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Switch#

I have over 100mbit input traffic, and nothing output. I can try to apply storm-control that with shutdown the port if the amount of broadcast traffic reaches 100mbit.

Switch#conf t
Switch(config)#interface gigabitEthernet 0/19
Switch(config-if)#storm-control action shutdown
Switch(config-if)#storm-control broadcast level bps 100000000
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state
2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
2d10h: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down

The interface went straight into errdisable due to the huge amount of broadcast traffic we were receiving.

You can also get the status of storm control

Switch#show storm-control
Interface Filter State Upper Lower Current
——— ————- ———– ———– ———-
Gi0/19 Link Down 100m bps 100m bps 0 bps

These are two great techniques of securing your network ports, just tune them to your preference and they will bring you a lot of good.

Basic Cisco Configuration Steps for Absolute Beginners

Friday, October 24th, 2008

Thought I would write a post for those of you who are not yet evil Cisco Jedi masters with a black belt containing a network swizz army knife, with a sharp firewall slicer and a port opener.

Setting the hostname

Switch#configure terminal
Switch(config)#hostname SuperSwitch
SuperSwitch(config)#

As you can see, the hostname change happened immediately.

Configuring a VLAN with an IP on two ports
To get the list of interfaces on the Switch

Switch# show interfaces description

To create a new Layer 2 VLAN on the switch

! configure terminal enters configuration mode
Switch#configure terminal
! vlan 10 creates the layer 2 vlan on the switch, this is actually
! usually done by the switch when the first port is set to access vlan 10
Switch(config)#vlan 10
Switch(config-vlan)#exit
! Enter interface configuration
Switch(config)#interface GigabitEthernet1/0/1
! Sets the port to mode access
Switch(config-if)#switchport mode access
! Sets the port to access vlan 10
Switch(config-if)#switchport access vlan 10
! No shutdown turns on the port
Switch(config-if)#no shutdown
!
! Enter interface configuration of the second port and do all the same
! You can enter more interfaces at the time with the range command
! for example: interface range GigabitEthernet1/0/1 – 2
! In that way you wouldn’t have to do this twice.
Switch(config-if)#interface GigabitEthernet1/0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#no shutdown
Switch(config-if)#exit
!
! Now create the layer 3 interface on vlan 10
!
Switch(config)#interface vlan 10
!
! Sets the IP address 10.0.0.1 and unshuts the interface
Switch(config-if)#ip address 10.0.0.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#

The computers on port GigabitEthernet 1/0/1 and 1/0/2 should now be able to ping 10.0.0.1 when they are configured with those IP settings.

Configuring a trunk port
A trunk port is a port that can carry several VLANs in one port, it is done with 802.1q or ISL, the first one is mostly prefered because it is not proprietary so several vendors supports it.

To configure a trunk port, you will have to issue this configuration on the trunk port on both switches:

Switch#configure terminal
Switch(config)#interface GigabitEthernet 1/0/10
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#no shut
Switch(config-if)#end
Switch#

This will create a trunk, per default it will accept any vlan tags, so if you do not want the network you connected to access any of your private vlans you will need an access list of which VLAN tags to accept on this port.

switchport trunk allowed vlan 10

By issuing this command on the port, you will only allow vlan 10 to flow through it.

If you now want to give for example port 9 on the second switch access to that 10.0.0.1

Switch#configure terminal
Switch(config)#interface GigabitEthernet 1/0/9
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#

This is how to setup basic vlans and trunking on Cisco.
Read my other posts for more advanced configuration examples!

Usefull and Free Network Management and Monitoring Software Part 2

Thursday, October 23rd, 2008

I wrote about usefull and free network management and monitoring software a couple of posts earlier and wanted to follow up with just a couple of tips I got. I have included a some windows tools here, the last post was mostly about linux tools.

Here are 6 more free network management/monitoring utilities!

  1. PRTG is a network graphing suite for windows, the free version includes 10 ‘sensors’ (snmp data points).
  2. TFTPD32 is a free TFTP server for Windows.
  3. Solarwinds TFTP Server is a free TFTP server for Windows from Solarwinds, it is also widely used.
  4. Nmap is a port scanner, it works for both linux and Windows. This one is really good.
  5. Wireshark is a network sniffer/monitorer, it can be usefull for analysing traffic.
  6. netcat/netcat6 (ubuntu package names) is a nice utility if you just want to open a port, connect to a port, etc. You can even send data with it, it is described as the “TCP/IP swiss army knife”.

Hope this is usefull to some of you!

Locating the Cisco Switchport of a Server based on IP Address

Thursday, October 23rd, 2008

Locating computers or servers is a task I often do, and this is a tutorial on how I do it.

I have mentioned the do command, and mentioned it again in my 5 Magic Cisco Tips and Tricks article.

I am now going to give you more of a tutorial!

Locating a machine on switch port in a larger Cisco network
If you only have the IP address, just run this command:

show ip route *ipaddress*

The router will now tell you which interface this subnet is connected to.

In a usual setting you might have routed a larger block of addresses to for example a routing switch.
If this is the case, you will need to investigate layer 3 further down to that switch/router.

When you have found the IP address as directly connected issue this command to look up the MAC address in the ARP table.

show ip arp | include *ipaddress*

This will output the MAC address for this IP address, you can use this with this command:

show mac address-table | include *macaddress*

You will now see which port this hardware address is connected to.

In case you have a switch connected, you will need do the show mac address-table command on that switch also.

You can often identify switches by doing a show mac address-table interface *port*
If this gives a long list of MAC addresses with the TYPE dynamic, this is probably a switch.

syslog-ng | Cisco: Setting Up Remote Syslog To MySQL in Linux

Thursday, October 16th, 2008

We are all in the need of a good method of keeping track of our log messages.

It’s a good feeling to know that all the syslog messages from all the equipment I manage are safely deposited into a MySQL database which is backed up daily by our backup software.

First, syslog-ng
I use Ubuntu, so I can also use their practical package manager and run

apt-get install syslog-ng

Then whip up /etc/syslog-ng/syslog-ng.conf in your favourite editor and add this to the configuration.

source s_net {
udp(ip(10.0.0.58) port(514));
tcp(ip(10.0.0.58) port(51400));
};

The 10.0.0.58 should be the IP address that you want syslog-ng to listen on, it has to be bound up to the server that runs syslog-ng.

Also add this to make syslog-ng write to a special pipe:

destination d_mysql {
pipe(“/tmp/mysql.pipe”
template(“INSERT INTO logs (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( ‘$HOST’, ‘$FACILITY’, ‘$PRIORITY’, ‘$LEVEL’,’$TAG’,
‘$YEAR-$MONTH-$DAY’, ‘$HOUR:$MIN:$SEC’, ‘$PROGRAM’, ‘$MSG’ );\n”) template-escape(yes));
};

And to make things that comes from s_net go to d_mysql to make the
messages from the cisco device go to mysql instead:

log {
source(s_net);
destination(d_mysql);
};

Make a pipe that syslog-ng can write to with this command:

mkfifo /tmp/mysql.pipe

MySQL
Almost ready for the Cisco configuration, just get the database up first.
Setup the MySQL database like this:

CREATE DATABASE syslog
USE syslog

CREATE TABLE logs (
host varchar(32) default NULL,
facility varchar(10) default NULL,
priority varchar(10) default NULL,
level varchar(10) default NULL,
tag varchar(10) default NULL,
date date default NULL,
time time default NULL,
program varchar(15) default NULL,
msg text,
seq int(10) unsigned NOT NULL auto_increment,
PRIMARY KEY (seq),
KEY host (host),
KEY seq (seq),
KEY program (program),
KEY time (time),
KEY date (date),
KEY priority (priority),
KEY facility (facility)
) TYPE=MyISAM;

# Also create the user, replace username and password
GRANT ALL PRIVILEGES ON syslog.* TO syslogng@localhost IDENTIFIED BY ‘mypassword’;

Run this command to pipe the queries to MySQL, preferably in a screen or make a script that can run it in the background.

mysql -u syslogng –password=mypassword syslog < /tmp/mysql.pipe

Restart the syslog-ng process now:

/etc/init.d/syslog-ng stop
/etc/init.d/syslog-ng start

Cisco Syslog Configuration
Now all you have to do on the cisco router is one simple command to make it log to the syslog database.

Router(config)# logging 10.0.0.58

This will make the Cisco Router send all logging output to the syslog-ng process on 10.0.0.58

I have made a simple PHP page that makes the syslog output more viewable, it is not very pretty – but it works.
I am sure anyone of you can improve it, if you do please send me the change and if it is generally usefull I will update the package here with your improvement and leave a credit for you in it!

You can download the package syslog-ng PHP page

PHP RTMP Checker for use with Nagios

Tuesday, October 7th, 2008

I got a comment on one of my posts that my RTMP checker might be of value to someone.
So I am going to release it to the public, it seems like there is a real lack of something like this.

I wrote this basically for FastHost, as we like to deliver stability and good and reliable solutions that you can trust. Please let us know if there is anything we might be able to help with.

I have released it here on my code download page.

3 Tips On How to Solve The Need for Network Redundancy

Saturday, October 4th, 2008

Take a look at these tips for solving redundancy in a Cisco based network!

HSRP is the Hot Standby Router Protocol.

Most client hosts do not run any dynamic routing, and is seemingly prone to a single point of failure in the event of a router failure.

With HSRP running on two routers, the actual gateway IP address is bound to a virtual MAC address. The active HSRP router will respond to frames destined for the virtual MAC address, and redundancy is provided.

Configuration of HSRP in Cisco IOS

Enter interface configuration

Router(config)# interface fastethernet 0/0

Set an IP address

Router(config-if)# ip address 10.0.0.3 255.255.255.0

The router will still need an IP address to communicate on, for example when not elected as active.

Activate HSRP for this interface

Router(config-if)# standby 1 ip 10.0.0.1

The IP address 10.0.0.1 is the redundant virtual IP address.
This is the command that enables the HSRP process on the interface.

Tweaking the priority

Router(config-if)# standby 1 priority 100
Router(config-if)# standby 1 preemt

The router with the higher priority will become the active HSRP router when the preemt command is enabled.

Verifying HSRP configuration

Router#sh standby
FastEthernet0/0 – Group 1
State is Active
2 state changes, last state change 00:00:59
Virtual IP address is 10.0.0.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.576 secs
Preemption enabled
Active router is local
Standby router is unknown

Priority 100 (default 100)
IP redundancy name is “hsrp-Fa0/0-1” (default)

As you can see from this output, we are the active HSRP Router for HSRP standby group 1 – and the Standby router is unknown, this means the other side has not been configured.

There has been 2 state changes, because it will first automatically be in mode Speak, then it will eventually go through Standby to Active.

BGP
Using BGP is a must when it comes to redundancy, it will let you multihome with different upstream providers. I have written an article with an introduction and a Basic example BGP configuration in Cisco IOS.

If you need IPv4 addresses for your organization, you may qualify for a PI Network (Provider Independent). This will enable you to take part in the global routing and pick and choose among several upstream providers.

Rapid Spanning Tree Protocol
STP is a layer 2 protocol that detects and blocks layer 2 loops, with a very fast convergence time on link state changes. To configure spanning-tree you can use the following commands.

Enable spanning-tree

Switch(config)# spanning-tree mode rapid-pvst

This command enables the per vlan rapid spanning tree, this means one STP instance per vlan.
Be aware, there is a limit in at least Cisco 3560 and Cisco 3750 that limits it to 128 simultaneous spanning tree processes.

How STP Detects Loops and BPDU filters
The switch will flood BPDU’s (Bridge Protocol Data Units) out on all interfaces per default, and if it can see its own MAC address in an incoming BPDU it will know when a link have looped.

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree bpdufilter enable

This will stop sending and receiving of BPDUs on the interface GigabitEthernet 1/0/1.

Switch(config-if)#spanning-tree bpduguard enable

This command will make the switch ignore BPDU’s received on the configured interface.

Change spanning tree priority

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree vlan 100 cost 200

This will apply a cost of 200 to vlan 100 traversing over GigabitEthernet 1/0/1

Verify Spanning Tree

Switch#show spanning-tree vlan 2000

VLAN2000
Spanning tree enabled protocol rstp
Root ID Priority 27223
Address 0012.5555.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 27223 (priority 24576 sys-id-ext 2000)
Address 0012.55555.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Gi1/0/2 Desg FWD 4 128.2 P2p Peer(STP)
Gi1/0/3 Desg FWD 4 128.3 P2p Peer(STP)
Gi1/0/5 Desg FWD 4 128.5 P2p
Gi1/0/15 Desg FWD 4 128.15 P2p

This is output from the root bridge, all ports the vlan exists on are in Forwarding mode.
The protocol output in the top verifies that we are running rapid STP.

Output from Neighbor STP Switch

Switch2#show spanning-tree vlan 2000

VLAN100
Spanning tree enabled protocol rstp
Root ID Priority 27223
Address 0012.55555.0000
Cost 4
Port 1 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 35415 (priority 32768 sys-id-ext 2000)
Address 0012.0007.dddd
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Gi0/1 Root FWD 4 128.1 P2p
Gi0/4 Desg FWD 4 128.4 P2p
Gi0/8 Desg FWD 4 128.8 P2p Peer(STP)

We are not the root bridge, the output shows that ‘Switch’ is the root bridge for this spanning tree.