Archive for the ‘Cisco configuration’ Category

IPv4 and IPv6 Access Control Lists In Cisco IOS

Wednesday, November 5th, 2008

Do you feel like you are comfortable with writing ACLs? This will be refreshing!

IPv6 comes at the bottom of this post; it helps to understand the IPv4 concept first.

What are Access Control Lists?
ACLs are ordered rule sets. They filter traffic passing through the router, filter routing updates, and classify packets for other features (route maps, NAT, QoS and so on). The most common and basic use is restricting management access to the router itself by applying a list to the vty lines. Two things to keep in mind for every list: entries are evaluated top to bottom and the first match wins, and every ACL ends with an implicit deny, so whatever is not explicitly permitted is dropped.

Access control lists are identified either by a number or by a name; each number or name is one specific list.

There are several “classes” of Access Control Lists, the most common ones are

  1. IP Standard Access List
    List numbers 1-99 (and the expanded range 1300-1999); matches on the source address only.
  2. IP Extended Access List
    List numbers 100-199 (and 2000-2699); can match both source and destination addresses as well as protocol and port numbers.

Okay, I understand…. but how do I configure it?

An IP standard access control list with two entries is configured like this; the leading numbers are sequence numbers, which let you insert entries later without rewriting the whole list.

Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#10 permit 192.168.1.0 0.0.0.255

To apply this inbound on an interface, just use

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in

The classic alternative way to define access list number 5 with the same two entries is

Router#conf t
Router(config)#access-list 5 permit 192.168.0.0 0.0.0.255
Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
Router(config)#

To apply this one inbound on a vty line (this example covers only vty 1; in practice you apply it to the whole range, as the line vty 0 15 example in the 5 tips post further down does, otherwise the other lines stay open)

Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in

Nice, now I have ACLs configured for all the IPv4 traffic in my network, mon ami! But IPv6 traffic still flows right through. I thought you said you were going to make sense of all this in the end?

Yeah, I know I promised that, and as long as you understand the IPv4 basics you will understand IPv6 pretty well. You will need basic IPv6 subnetting theory to filter subnets (obviously); if anyone wants an article about it, comment and I will get on to it ASAP. Once you know that, you will see that IPv6 access control lists work much the same as IPv4 ones.

Anyway, I take for granted that you understand IPv6 subnetting by now, so straight on to the configuration. An example of an IPv6 access list in Cisco IOS follows. IPv6 ACLs are always named, and each entry names the protocol (ipv6 for any IPv6 traffic), then the source and the destination:

Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit ipv6 3ffe:200::/32 any
Router(config-ipv6-acl)#permit ipv6 3ffe:100::/32 any

To verify the access-lists just look at this

Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:100::/32 any sequence 20
Router#

To apply this IPv6 Access Control List to an interface, just do as follows

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in

To apply this IPv6 access control list to a line

Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in

Configuring IPv6 BGP Peering Sessions on Cisco IOS

Sunday, November 2nd, 2008

The future is closer than you think, are you ready?

Here is a little tutorial on configuring IPv6 BGP peering sessions on Cisco IOS.

First set the IP address on the interface. For a private peering session you can use a small network from your own PA block; on an exchange, the IP address is assigned by the exchange administrators.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa 0/0
Router(config-if)#ipv6 address 3ffe:1234:1234::1/64

Then it is a good idea to null-route the prefix you are going to announce. BGP will only originate a prefix it has a route for, and the null route also blackholes traffic to parts of the block that are not in use yet, instead of letting it follow the default route. The prefix is announced into BGP with the redistribute static statement below.

Router#conf t
Router(config)#ipv6 route 3ffe:2000::/32 null 0

Now we create a prefix list that permits only this network. This is very important to avoid leaking prefixes to your peers, for example announcing the full table you receive from one upstream to another. The prefix list is applied outbound on the BGP peering session. Note that an entry without ge or le matches the exact prefix length only, so the first line permits 3FFE:2000::/32 and nothing more specific, and the final deny ::/0 le 128 catches everything else (a prefix list already ends with an implicit deny; the explicit entry just makes the drops visible in the counters).

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 prefix-list announceAS65001-ipv6 seq 5 permit 3FFE:2000::/32
! better safe than sorry
Router(config)#ipv6 prefix-list announceAS65001-ipv6 seq 5000 deny ::/0 le 128

Now we are ready to configure the BGP peering session. This is just a simple example; most of these commands can be applied to peer groups, so that each neighbour needs only a line or two.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp 65001
Router(config-router)#redistribute static
Router(config-router)#neighbor 3ffe:1234:1234::2 remote-as 65002
Router(config-router)#address-family ipv6 unicast
Router(config-router-af)#neighbor 3ffe:1234:1234::2 activate
Router(config-router-af)#neighbor 3ffe:1234:1234::2 soft-reconfiguration inbound
Router(config-router-af)#redistribute static
Router(config-router-af)#neighbor 3ffe:1234:1234::2 prefix-list announceAS65001-ipv6 out

This redistributes the static null route we made earlier to the peer at 3ffe:1234:1234::2, and the peering session should be up by now. Note that the first redistribute static, entered under router bgp before the address family, applies to IPv4 unicast and is not needed for this IPv6 session; the one under the IPv6 address family does the work. Redistributed routes carry origin incomplete, which is the ? at the end of the paths in the outputs below.

I can verify it on the other end:

Router2#sh ip bgp ipv6 unicast
BGP table version is 8, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3FFE:2000::/32 3FFE:1234:1234::1
0 0 65001 ?

As you can see, the network 3ffe:2000::/32 is now received over this peering session, and the path shows it is sourced from AS65001. The summary shows the session state and the prefix count as well:

Router2#sh ip bgp ipv6 unicast summary
BGP router identifier 10.0.0.1, local AS number 65002
BGP table version is 8, main routing table version 8
1 network entries using 152 bytes of memory
1 path entries using 76 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 500 total bytes of memory
BGP activity 2/1 prefixes, 4/3 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3FFE:1234:1234::1
4 65001 26 23 8 0 0 00:05:54 1

To see the prefixes received from or announced to a peer, use the two commands below. received-routes shows everything the peer sent, before inbound policy, and requires soft-reconfiguration inbound on the session of the router you run it on (neighbor ... soft-reconfiguration inbound in the configuration); advertised-routes does not.

Router2#sh ip bgp ipv6 unicast neighbors 3ffe:1234:1234::1 received-routes
BGP table version is 8, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3FFE:2000::/32 3FFE:1234:1234::1
0 0 65001 ?

Total number of prefixes 1

The prefix 3ffe:2000::/32 is received from 3ffe:1234:1234::1.

Router#sh ip bgp ipv6 unicast neighbors 3ffe:1234:1234::2 advertised-routes
BGP table version is 3, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3FFE:2000::/32 :: 0 32768 ?

Total number of prefixes 1

Voila, a better understanding and some real life examples of IPv6 BGP peering in Cisco IOS.

5 Tips to Securing a Cisco Network

Monday, October 27th, 2008

Some things are out of your hands, but these five are not, and you should take security seriously.

1. Reverse Path Forwarding
When you enable unicast Reverse Path Forwarding (uRPF) on an interface, the router looks up the source address of each incoming packet in the FIB (the CEF table, so CEF must be enabled) and drops the packet unless the best route back to that source points out the interface the packet arrived on. This stops hosts behind that interface from sending packets with forged source addresses. The command below enables strict mode, which is right for customer-facing and stub interfaces; on links with asymmetric routing it will drop legitimate traffic, and IOS offers a loose mode that only checks that the source is routable at all.

The way to configure reverse path forwarding is like this

Router#configure terminal
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#ip verify unicast reverse-path

2. Silence that port
A lot of networks leak sensitive information out of their switch ports; a port that faces an untrusted host should be as silent as this:

Switch#configure terminal
Switch(config)#interface GigabitEthernet0/16
Switch(config-if)#no cdp enable
Switch(config-if)#spanning-tree bpdufilter enable
Switch(config-if)#no keepalive

This suppresses CDP (Cisco Discovery Protocol), spanning-tree BPDUs and Ethernet keepalives on that interface. Note that bpdufilter also makes the port ignore incoming BPDUs, so a loop through that port goes undetected; on an access port you usually want bpduguard instead, which err-disables the port the moment a BPDU arrives. In my last post I wrote a little about storm-control and port security.

3. Configure AAA and ACL’s for secure VTY access
VTY lines carry remote management sessions (telnet and SSH) on Cisco devices. To control who can open them, put an access list on the lines like this (and prefer SSH over telnet, which sends credentials in the clear):

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 80 permit 10.0.0.0 0.0.0.255
Switch(config)#access-list 80 permit 192.168.0.0 0.0.255.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 80 in
Switch(config-line)#end
Switch#

This limits VTY access to 10.0.0.0/24 and 192.168.0.0/16. Note that the first entry uses the wildcard 0.0.0.255, so it covers only 10.0.0.0/24; for the whole 10.0.0.0/8 you would use 0.255.255.255. The mask is a Cisco wildcard mask, the inverse of a subnet mask: bits set to 1 are ignored and bits set to 0 must match. Trouble figuring them out? Try the wildcard cheat.
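As an added example (Python, not from the original posts), here is an evaluator that applies the two lists from this archive, access-list 80 above and the IPv6 list myfirewall from the ACL post, with IOS semantics: first match wins, wildcard bits set to 1 are ignored, and a list with no matching entry ends in the implicit deny. It also converts a prefix length to the wildcard mask. The ACL lines are copied from the posts; the addresses tested against them are made up.

```python
import ipaddress

# Sample ACLs copied from the posts in this archive (access-list 80 from the VTY tip,
# the named IPv6 list from the ACL post), in IOS syntax.
ACL_80 = [
    "access-list 80 permit 10.0.0.0 0.0.0.255",
    "access-list 80 permit 192.168.0.0 0.0.255.255",
]
ACL_MYFIREWALL = [
    "permit ipv6 3ffe:200::/32 any",
    "permit ipv6 3ffe:100::/32 any",
]


def wildcard_from_prefix(prefix_len):
    """Prefix length -> IOS wildcard mask (/24 -> 0.0.0.255, /8 -> 0.255.255.255).
    A wildcard is the bitwise inverse of the subnet mask: 1 bits are 'don't care'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """IOS semantics: every bit that is 0 in the wildcard must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


def _strip_leading(parts):
    # 'access-list 80 permit ...' -> ['permit', ...]
    # '5 permit ...' (sequence number in a named list) -> ['permit', ...]
    if parts and parts[0] == "access-list":
        parts = parts[2:]
    if parts and parts[0].isdigit():
        parts = parts[1:]
    return parts


def parse_standard_acl(lines):
    """Standard IPv4 ACL lines -> list of (action, base, wildcard).
    Handles 'any', 'host X' and a bare address (implicit wildcard 0.0.0.0)."""
    entries = []
    for line in lines:
        parts = _strip_leading(line.split())
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            entries.append((parts[0], "0.0.0.0", "255.255.255.255"))
        elif parts[1] == "host":
            entries.append((parts[0], parts[2], "0.0.0.0"))
        else:
            wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
            entries.append((parts[0], parts[1], wildcard))
    return entries


def parse_ipv6_acl(lines):
    """'permit ipv6 SRC DST' lines -> list of (action, source prefix or 'any')."""
    entries = []
    for line in lines:
        parts = _strip_leading(line.split())
        if len(parts) >= 3 and parts[0] in ("permit", "deny"):
            entries.append((parts[0], parts[2]))
    return entries


def evaluate_standard(entries, src):
    """First match wins; no match means the implicit deny at the end of every ACL."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny (implicit)"


def evaluate_ipv6(entries, src):
    addr = ipaddress.IPv6Address(src)
    for action, prefix in entries:
        if prefix == "any" or addr in ipaddress.IPv6Network(prefix, strict=False):
            return action
    return "deny (implicit)"


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_80)
    for src in ("10.0.0.7", "10.1.2.3", "192.168.55.1"):
        print(src, "->", evaluate_standard(acl, src))
    print("/8 as a wildcard:", wildcard_from_prefix(8))
    acl6 = parse_ipv6_acl(ACL_MYFIREWALL)
    for src in ("3ffe:200:1::1", "2001:db8::1"):
        print(src, "->", evaluate_ipv6(acl6, src))
```

Running it shows 10.1.2.3 falling through to the implicit deny: the wildcard 0.0.0.255 only leaves the last octet free, which is exactly the trap in access-list 80 above.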

If you want separate users (which show up in logs and can be revoked one at a time) instead of the shared line password, configure AAA like this:

Switch#configure terminal
Switch(config)#username cisco secret mypassword
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#line vty 0 15
Switch(config-line)#login authentication default
Switch(config-line)#^Z
Switch#

4. Encrypt passwords in Configuration
Do you see this in your configuration?

Switch#show run | include ^username
username admin password 0 mysecret

To enable encryption of passwords just configure

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#end
*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console
Switch#show run | include ^username
username admin password 7 060B1632494D1B1C11

This gives Cisco Type 7 encryption, which is not encryption at all but a reversible scrambling with a fixed, public key (any Type 7 string decodes instantly), but it at least keeps passwords from being read over your shoulder.
Use 'secret' instead of 'password' wherever IOS allows it: 'secret' stores a salted MD5 hash (shown as type 5 in the configuration), which cannot be reversed, while 'password' only ever gets the Type 7 scrambling.
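To show what "very crackable" means, here is an added Python example (not from the original post) that reverses the Type 7 scrambling. The algorithm is the well-known one IOS uses: the first two digits are an offset into a fixed key string, and every following hex byte is one character XORed with the next key byte. Run on the string from the output above it returns the cleartext shown further up. The running-config excerpt it scans is constructed for the example.

```python
import re

# The fixed key every IOS image uses for Type 7; it has been public since the 1990s.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"\b(?:password|key-string)\s+7\s+([0-9A-Fa-f]{4,})")

# Constructed running-config excerpt; the username line is the one from the output above.
# The 'secret 5' line is a placeholder, not a real MD5 hash: it is there to show it is skipped.
SAMPLE_CONFIG = """\
hostname SuperSwitch
service password-encryption
username admin password 7 060B1632494D1B1C11
enable secret 5 $1$abcd$placeholder-not-a-real-md5-hash
line vty 0 15
 password 7 060506324F41
"""


def decode_type7(encoded):
    """Two decimal digits (seed = offset into TYPE7_KEY), then one hex byte per
    character, each XORed with the key byte at seed + position."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("Type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)
    plain = []
    for n, pos in enumerate(range(2, len(encoded), 2)):
        cipher_byte = int(encoded[pos:pos + 2], 16)
        key_byte = ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)])
        plain.append(chr(cipher_byte ^ key_byte))
    return "".join(plain)


def encode_type7(plaintext, seed=6):
    """The same operation in reverse (XOR is its own inverse). The seed only picks the
    starting key byte, so it adds nothing to the 'security'."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    out = [f"{seed:02d}"]
    for n, ch in enumerate(plaintext):
        key_byte = ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)])
        out.append(f"{ord(ch) ^ key_byte:02X}")
    return "".join(out)


def type7_strings_in_config(config_text):
    """Every 'password 7 <hex>' / 'key-string 7 <hex>' in a config, decoded: this is
    what anyone who gets hold of a backup or a pasted config can do in a second."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), decode_type7(m.group(1))))
    return found


if __name__ == "__main__":
    print(decode_type7("060B1632494D1B1C11"))   # the string from the output above
    for line, cleartext in type7_strings_in_config(SAMPLE_CONFIG):
        print(f"{line!r} -> {cleartext!r}")
```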

5. More secure routing protocols with passive-interface default
A passive interface is an interface on which the routing protocol neither sends nor receives hellos and updates, so nobody on that segment can form an adjacency with you or inject routes. passive-interface default is supported by the common IGPs (RIP, EIGRP, OSPF, IS-IS) and is configured quickly.

router routing-protocol
passive-interface default
no passive-interface interface

Passive-interface default sets all interfaces passive, and no passive-interface activates one interface. I have a more real life configuration example below.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastEthernet 0/2
Router(config-router)#^Z
Router#
*Mar 4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by console

This will ensure that OSPF traffic is only exchanged on fastEthernet 0/2.

Basic Cisco Configuration Steps for Absolute Beginners

Friday, October 24th, 2008

Thought I would write a post for those of you who are not yet evil Cisco Jedi masters with a black belt carrying a network Swiss army knife, complete with a sharp firewall slicer and a port opener.

Setting the hostname

Switch#configure terminal
Switch(config)#hostname SuperSwitch
SuperSwitch(config)#

As you can see, the hostname change happened immediately.

Configuring a VLAN with an IP on two ports
To get the list of interfaces on the Switch

Switch# show interfaces description

To create a new Layer 2 VLAN on the switch

! configure terminal enters configuration mode
Switch#configure terminal
! vlan 10 creates the layer 2 vlan on the switch; most switches also create it
! automatically when the first port is put into access vlan 10
Switch(config)#vlan 10
Switch(config-vlan)#exit
! Enter interface configuration
Switch(config)#interface GigabitEthernet1/0/1
! Sets the port to mode access
Switch(config-if)#switchport mode access
! Sets the port to access vlan 10
Switch(config-if)#switchport access vlan 10
! No shutdown turns on the port
Switch(config-if)#no shutdown
!
! Enter interface configuration of the second port and do all the same
! You can enter more interfaces at the time with the range command
! for example: interface range GigabitEthernet1/0/1 - 2
! In that way you wouldn’t have to do this twice.
Switch(config-if)#interface GigabitEthernet1/0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#no shutdown
Switch(config-if)#exit
!
! Now create the layer 3 interface on vlan 10
!
Switch(config)#interface vlan 10
!
! Sets the IP address 10.0.0.1 and unshuts the interface
Switch(config-if)#ip address 10.0.0.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#

The computers on port GigabitEthernet 1/0/1 and 1/0/2 should now be able to ping 10.0.0.1 when they are configured with those IP settings.

Configuring a trunk port
A trunk port carries several VLANs over one physical port, using either 802.1Q or ISL encapsulation. 802.1Q is preferred because it is an open standard that other vendors support as well.

To configure a trunk port, you will have to issue this configuration on the trunk port on both switches:

Switch#configure terminal
Switch(config)#interface GigabitEthernet 1/0/10
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#no shut
Switch(config-if)#end
Switch#

This creates a trunk. By default it carries every VLAN, so if the network on the other end must not be able to reach your private VLANs, you need to restrict the list of VLANs allowed on the port:

switchport trunk allowed vlan 10

By issuing this command on the port, you will only allow vlan 10 to flow through it.

If you now want to give for example port 9 on the second switch access to that 10.0.0.1

Switch#configure terminal
Switch(config)#interface GigabitEthernet 1/0/9
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#

This is how to setup basic vlans and trunking on Cisco.
Read my other posts for more advanced configuration examples!

Locating the Cisco Switchport of a Server based on IP Address

Thursday, October 23rd, 2008

Locating computers or servers is a task I often do, and this is a tutorial on how I do it.

I have mentioned the do command, and mentioned it again in my 5 Magic Cisco Tips and Tricks article.

I am now going to give you more of a tutorial!

Locating a machine on switch port in a larger Cisco network
If you only have the IP address, just run this command:

show ip route <ip-address>

The router will tell you which interface the subnet containing this address is reached through.

In a usual setting you might have routed a larger block of addresses to for example a routing switch.
If this is the case, you will need to investigate layer 3 further down to that switch/router.

Once you are on the device that has the subnet as directly connected, look up the MAC address in its ARP table:

show ip arp | include <ip-address>

This outputs the MAC address for the IP address, which you then look up in the MAC address table (IOS prints MAC addresses as xxxx.xxxx.xxxx, so search in that form):

show mac address-table | include <mac-address>

You will now see which port this hardware address is connected to.

In case another switch is connected to that port, you will need to repeat the show mac address-table command on that switch as well.

You can often identify switches by doing a show mac address-table interface <port>.
If this gives a long list of MAC addresses with the TYPE dynamic, there is probably another switch behind that port.
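Added Python example (not from the original post) that automates the lookup chain above over captured show ip arp and show mac address-table output: normalise a MAC from any notation into the dotted form IOS prints (so an include filter actually finds it), map IP to MAC to port, and flag ports that learn many dynamic MACs as probable uplinks to the next switch. The sample outputs follow the IOS layout, but their values are constructed.

```python
import re
from collections import Counter

# Constructed sample outputs in the layout IOS prints (addresses made up for this example).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0012.5555.0000  ARPA   Vlan10
Internet  10.0.0.25               3   0050.56aa.1b2c  ARPA   Vlan10
Internet  10.0.0.40              12   0050.56aa.2222  ARPA   Vlan10
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0050.56aa.1b2c    DYNAMIC     Gi1/0/9
  10    0050.56aa.2222    DYNAMIC     Gi1/0/10
  10    0050.56aa.3333    DYNAMIC     Gi1/0/10
  10    0012.0007.dddd    DYNAMIC     Gi1/0/10
  10    0050.56aa.4444    DYNAMIC     Gi1/0/10
Total Mac Addresses for this criterion: 6
"""

ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.M)
MAC_RE = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(STATIC|DYNAMIC)\s+(\S+)", re.M | re.I)


def cisco_mac(mac):
    """Any common notation (00:50:56:AA:1B:2C, 00-50-56-aa-1b-2c, 005056aa1b2c) -> the
    dotted lower-case form IOS prints."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_for_ip(show_ip_arp, ip):
    for addr, mac, _iface in ARP_RE.findall(show_ip_arp):
        if addr == ip:
            return mac
    return None


def ports_for_mac(show_mac_table, mac):
    wanted = cisco_mac(mac)
    return [port for _vlan, m, _typ, port in MAC_RE.findall(show_mac_table)
            if m.lower() == wanted]


def likely_uplinks(show_mac_table, threshold=3):
    """Ports that learn many dynamic MACs are almost certainly other switches, not hosts."""
    counts = Counter(port for _vlan, _m, typ, port in MAC_RE.findall(show_mac_table)
                     if typ.upper() == "DYNAMIC")
    return sorted(port for port, n in counts.items() if n >= threshold)


def locate(ip, show_ip_arp, show_mac_table):
    """IP -> MAC -> port in one go, telling you whether to follow an uplink further."""
    mac = mac_for_ip(show_ip_arp, ip)
    if mac is None:
        return None
    ports = ports_for_mac(show_mac_table, mac)
    uplinks = set(likely_uplinks(show_mac_table))
    return {"mac": mac, "ports": ports, "follow_uplink": any(p in uplinks for p in ports)}


if __name__ == "__main__":
    for ip in ("10.0.0.25", "10.0.0.40"):
        print(ip, locate(ip, SHOW_IP_ARP, SHOW_MAC_TABLE))
```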

syslog-ng | Cisco: Setting Up Remote Syslog To MySQL in Linux

Thursday, October 16th, 2008

We are all in the need of a good method of keeping track of our log messages.

It’s a good feeling to know that all the syslog messages from all the equipment I manage are safely deposited into a MySQL database which is backed up daily by our backup software.

First, syslog-ng
I use Ubuntu, so I can also use their practical package manager and run

apt-get install syslog-ng

Then open /etc/syslog-ng/syslog-ng.conf in your favourite editor and add this to the configuration.

source s_net {
udp(ip(10.0.0.58) port(514));
tcp(ip(10.0.0.58) port(51400));
};

10.0.0.58 is the IP address syslog-ng listens on; it has to be an address configured on the server running syslog-ng. Keep in mind that plain syslog over UDP has no authentication and the source address can be spoofed, so restrict who can reach port 514 (a host firewall rule or an ACL on the router in front of it) to your network devices.

Also add this to make syslog-ng write to a special pipe:

destination d_mysql {
pipe("/tmp/mysql.pipe"
template("INSERT INTO logs (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
'$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

And to send everything that arrives on s_net to d_mysql, so that the messages from the Cisco devices end up in MySQL:

log {
source(s_net);
destination(d_mysql);
};

Make a pipe that syslog-ng can write to with this command:

mkfifo /tmp/mysql.pipe

MySQL
Almost ready for the Cisco configuration, just get the database up first.
Setup the MySQL database like this:

CREATE DATABASE syslog;
USE syslog;

CREATE TABLE logs (
host varchar(32) default NULL,
facility varchar(10) default NULL,
priority varchar(10) default NULL,
level varchar(10) default NULL,
tag varchar(10) default NULL,
date date default NULL,
time time default NULL,
program varchar(15) default NULL,
msg text,
seq int(10) unsigned NOT NULL auto_increment,
PRIMARY KEY (seq),
KEY host (host),
KEY seq (seq),
KEY program (program),
KEY time (time),
KEY date (date),
KEY priority (priority),
KEY facility (facility)
) ENGINE=MyISAM;

# Also create the user, replace username and password
GRANT ALL PRIVILEGES ON syslog.* TO syslogng@localhost IDENTIFIED BY ‘mypassword’;

Run this command to pipe the queries into MySQL, preferably in a screen session or from a script that runs it in the background. (A password given on the command line is visible to every local user in ps; putting it in the [client] section of ~/.my.cnf with mode 600 avoids that.)

mysql -u syslogng --password=mypassword syslog < /tmp/mysql.pipe

Restart the syslog-ng process now:

/etc/init.d/syslog-ng stop
/etc/init.d/syslog-ng start

Cisco Syslog Configuration
Now all you have to do on the Cisco router is one simple command to make it log to the syslog server.

Router(config)# logging 10.0.0.58

This makes the Cisco router send its log messages (by default everything up to severity informational) to the syslog-ng process on 10.0.0.58.
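Added Python example (not part of the original post, and not the PHP page mentioned below) that does offline what the pipeline above does with syslog-ng and MySQL: parse messages in the format IOS sends with logging <host>, including the %FACILITY-SEVERITY-MNEMONIC header, and store them through a parameterised INSERT into an in-memory SQLite table shaped like the logs table above, so a quote inside a message can never become part of the statement. It also shows what template-escape(yes) does to $MSG in the template. The sample messages are constructed for the example.

```python
import re
import sqlite3

# Constructed sample messages in the format IOS sends with 'logging <host>': a syslog
# PRI (<facility*8 + severity>, facility local7 = 23 by default), the message sequence
# number, the timestamp and the %FACILITY-SEVERITY-MNEMONIC: text body.
SAMPLE_MESSAGES = [
    "<189>45: *Mar  4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>46: *Mar  4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>47: *Mar  4 10:40:02.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down",
    "<189>48: *Mar  4 10:41:00.120: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: o'brien] [Source: 10.0.0.5]",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
BODY_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


def parse_cisco_syslog(raw):
    """Split one message into its fields. A message without an IOS %FAC-SEV-MNEMONIC
    header is kept whole in 'text' with severity None."""
    rec = {"pri_facility": None, "pri_severity": None,
           "facility": None, "severity": None, "mnemonic": None, "text": raw}
    body = raw
    m = PRI_RE.match(raw)
    if m:
        rec["pri_facility"], rec["pri_severity"] = divmod(int(m.group(1)), 8)
        body = raw[m.end():]
    b = BODY_RE.search(body)
    if b:
        rec.update(facility=b["facility"], severity=int(b["severity"]),
                   mnemonic=b["mnemonic"], text=b["text"])
    else:
        rec["text"] = body.strip()
    return rec


def template_escape(s):
    """What syslog-ng's template-escape(yes) does to $MSG before it is spliced into the
    INSERT text: backslash-escape the quote characters and the backslash. Without it a
    message containing a quote would break, or rewrite, the statement."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def open_store():
    """In-memory stand-in for the MySQL 'logs' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE logs (seq INTEGER PRIMARY KEY AUTOINCREMENT,
        host TEXT, facility TEXT, severity INTEGER, level TEXT, mnemonic TEXT, msg TEXT)""")
    return conn


def store(conn, host, raw):
    """Bound parameters: the message text is data, never part of the SQL."""
    rec = parse_cisco_syslog(raw)
    level = SEVERITY_NAMES[rec["severity"]] if rec["severity"] is not None else None
    conn.execute(
        "INSERT INTO logs (host, facility, severity, level, mnemonic, msg) VALUES (?, ?, ?, ?, ?, ?)",
        (host, rec["facility"], rec["severity"], level, rec["mnemonic"], rec["text"]))
    return rec


def ingest(raw_messages, host):
    conn = open_store()
    for raw in raw_messages:
        store(conn, host, raw)
    return conn


def messages(conn, max_severity=7):
    """Messages at or above a given importance (IOS: lower number = more severe)."""
    return conn.execute(
        "SELECT host, level, mnemonic, msg FROM logs WHERE severity <= ? ORDER BY seq",
        (max_severity,)).fetchall()


if __name__ == "__main__":
    conn = ingest(SAMPLE_MESSAGES, "10.0.0.1")
    for row in messages(conn, max_severity=5):
        print(row)
```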

I have made a simple PHP page that makes the syslog output more viewable, it is not very pretty – but it works.
I am sure anyone of you can improve it, if you do please send me the change and if it is generally usefull I will update the package here with your improvement and leave a credit for you in it!

You can download the package syslog-ng PHP page

3 Tips On How to Solve The Need for Network Redundancy

Saturday, October 4th, 2008

Take a look at these tips for solving redundancy in a Cisco based network!

HSRP is the Hot Standby Router Protocol.

Most client hosts do not run any dynamic routing and are configured with a single default gateway, so a router failure takes the whole subnet off the network: a single point of failure.

With HSRP running on two routers, the shared gateway IP address is bound to a virtual MAC address. The router in the active HSRP state answers ARP for the gateway address and forwards the frames sent to the virtual MAC; if it fails, the standby router takes over the virtual MAC and IP, and the hosts never notice.

Configuration of HSRP in Cisco IOS

Enter interface configuration

Router(config)# interface fastethernet 0/0

Set an IP address

Router(config-if)# ip address 10.0.0.3 255.255.255.0

The router will still need an IP address to communicate on, for example when not elected as active.

Activate HSRP for this interface

Router(config-if)# standby 1 ip 10.0.0.1

The IP address 10.0.0.1 is the redundant virtual IP address.
This is the command that enables the HSRP process on the interface.

Tweaking the priority

Router(config-if)# standby 1 priority 100
Router(config-if)# standby 1 preempt

The router with the higher priority becomes the active HSRP router when preemption is enabled; without preempt, a router that comes back up stays standby until the current active router fails.

Verifying HSRP configuration

Router#sh standby
FastEthernet0/0 – Group 1
State is Active
2 state changes, last state change 00:00:59
Virtual IP address is 10.0.0.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.576 secs
Preemption enabled
Active router is local
Standby router is unknown

Priority 100 (default 100)
IP redundancy name is "hsrp-Fa0/0-1" (default)

As you can see from this output, we are the active HSRP Router for HSRP standby group 1 – and the Standby router is unknown, this means the other side has not been configured.

There have been 2 state changes because the router first enters the Speak state, then moves through Standby to Active once no other router in the group has claimed the active role.

BGP
Using BGP is a must when it comes to redundancy at the routing layer: it lets you multihome with different upstream providers. I have written an article with an introduction and a basic example BGP configuration in Cisco IOS.

If you need IPv4 addresses for your organization, you may qualify for a PI Network (Provider Independent). This will enable you to take part in the global routing and pick and choose among several upstream providers.

Rapid Spanning Tree Protocol
STP is a layer 2 protocol that detects and blocks layer 2 loops; the rapid variant (RSTP, 802.1w) converges far faster than classic STP on link state changes. To configure spanning tree you can use the following commands.

Enable spanning-tree

Switch(config)# spanning-tree mode rapid-pvst

This command enables the per vlan rapid spanning tree, this means one STP instance per vlan.
Be aware, there is a limit in at least Cisco 3560 and Cisco 3750 that limits it to 128 simultaneous spanning tree processes.

How STP Detects Loops and BPDU filters
Switches send BPDUs (Bridge Protocol Data Units) out of all interfaces by default. The bridge IDs and path costs carried in them are used to elect a root bridge and build a loop-free tree, and a switch that receives its own BPDUs back on another port knows that the two ports lie on a loop and blocks one of them.

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree bpdufilter enable

This will stop sending and receiving of BPDUs on the interface GigabitEthernet 1/0/1.

Switch(config-if)#spanning-tree bpduguard enable

This command makes the switch put the port into the err-disable state the moment a BPDU arrives on it. That is the right setting for ports where only hosts should be connected: a rogue or accidentally connected switch can then not take part in spanning tree, let alone become root.

Change spanning tree port cost

Switch(config)#interface GigabitEthernet 1/0/1
Switch(config-if)#spanning-tree vlan 100 cost 200

This will apply a cost of 200 to vlan 100 traversing over GigabitEthernet 1/0/1

Verify Spanning Tree

Switch#show spanning-tree vlan 2000

VLAN2000
Spanning tree enabled protocol rstp
Root ID Priority 26576
Address 0012.5555.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 26576 (priority 24576 sys-id-ext 2000)
Address 0012.5555.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Gi1/0/2 Desg FWD 4 128.2 P2p Peer(STP)
Gi1/0/3 Desg FWD 4 128.3 P2p Peer(STP)
Gi1/0/5 Desg FWD 4 128.5 P2p
Gi1/0/15 Desg FWD 4 128.15 P2p

This is output from the root bridge, all ports the vlan exists on are in Forwarding mode.
The protocol line at the top confirms that we are running rapid STP, and the bridge ID priority is the configured priority plus the VLAN number (24576 + 2000 = 26576).

Output from Neighbor STP Switch

Switch2#show spanning-tree vlan 2000

VLAN2000
Spanning tree enabled protocol rstp
Root ID Priority 26576
Address 0012.5555.0000
Cost 4
Port 1 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 34768 (priority 32768 sys-id-ext 2000)
Address 0012.0007.dddd
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Gi0/1 Root FWD 4 128.1 P2p
Gi0/4 Desg FWD 4 128.4 P2p
Gi0/8 Desg FWD 4 128.8 P2p Peer(STP)

We are not the root bridge, the output shows that ‘Switch’ is the root bridge for this spanning tree.
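Added Python example (not from the original post) of the root election behind the two outputs above, and of what bpduguard and bpdufilter change about it. It computes bridge ID priorities the way IOS prints them (configured priority plus VLAN number) and runs the election with and without a rogue bridge on an edge port. The switch names, priorities and MAC addresses are taken from the outputs; the rogue bridge and the port names are constructed.

```python
# Constructed sample: the two switches from the outputs above, for VLAN 2000, plus a
# rogue bridge (a laptop bridging two NICs, say) plugged into an edge port.
SWITCH = ("Switch", 24576, "0012.5555.0000")
SWITCH2 = ("Switch2", 32768, "0012.0007.dddd")
ROGUE = ("rogue-bridge", 0, "0000.0000.0001")


def bridge_id_priority(priority, vlan):
    """Rapid PVST+ uses the extended system ID: the 4 configurable high bits (a multiple
    of 4096, default 32768) plus the VLAN number in the low 12 bits. That is what IOS
    prints as 'Priority 26576 (priority 24576 sys-id-ext 2000)'."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    return priority + vlan


def mac_as_int(mac):
    return int("".join(c for c in mac if c.isalnum()), 16)


def elect_root(bridges, vlan):
    """bridges: list of (name, configured priority, base MAC). The root is the bridge
    with the numerically lowest bridge ID: priority first, MAC address as tie-breaker."""
    ranked = sorted(bridges, key=lambda b: (bridge_id_priority(b[1], vlan), mac_as_int(b[2])))
    return ranked[0][0]


def participating_bridges(local, neighbours, port_config):
    """neighbours: {port: bridge tuple}, the bridge whose BPDUs arrive on each port.
    port_config: {port: 'bpduguard' | 'bpdufilter'}; a missing port has neither.
    Returns (bridges that take part in the election, ports put into err-disable)."""
    bridges = [local]
    errdisabled = []
    for port, bridge in neighbours.items():
        mode = port_config.get(port)
        if mode == "bpduguard":
            errdisabled.append(port)   # BPDU on a guarded port shuts the port; bridge never heard
        elif mode == "bpdufilter":
            continue                   # BPDU silently dropped (a loop here also goes unnoticed)
        else:
            bridges.append(bridge)
    return bridges, sorted(errdisabled)


def root_after_bpdus(local, neighbours, port_config, vlan):
    """Who ends up root once the BPDUs seen on our ports have been processed."""
    bridges, errdisabled = participating_bridges(local, neighbours, port_config)
    return elect_root(bridges, vlan), errdisabled


if __name__ == "__main__":
    seen = {"Gi1/0/2": SWITCH2, "Gi1/0/16": ROGUE}
    print("no protection:", root_after_bpdus(SWITCH, seen, {}, 2000))
    print("bpduguard:    ", root_after_bpdus(SWITCH, seen, {"Gi1/0/16": "bpduguard"}, 2000))
    print("bpdufilter:   ", root_after_bpdus(SWITCH, seen, {"Gi1/0/16": "bpdufilter"}, 2000))
```

With nothing configured on the edge port, the rogue bridge with priority 0 takes over as root and every path in the VLAN is recomputed around it; with bpduguard the port is shut down and the topology does not change.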

Understanding and Configuring IPv6 Routing on a Cisco Router

Saturday, September 27th, 2008

You do have a backup plan for IP addressing, now that we are running out of IPv4 space, right?

IPv6 isn’t something awfully new, but some of the ideas can be hard to grasp.
To understand IPv6 routing, I had to learn how to do subnetting of IPv6 address space.

Subnetting basics
To understand IPv6 subnetting, I took it from what I had learned about the basics of subnetting IPv4 addresses.

IPv4: The address 192.168.0.1 is just a 32-bit number written as four 'octets' (groups of 8 bits, 256 combinations each, 0 to 255) separated by dots.
The network mask gives the subnet size, because it decides which addresses are on your local network: 255.255.255.0 means the last octet is free for host addresses, and 255.255.0.0 means you can use the last two octets to your heart's content.

IPv6 addresses and subnetting
This is basically just the same as for IPv4, except the address is now 128 bits compared to 32.
This makes room for 2^128 addresses while IP version 4 was limited to 2^32.
Just a little calculation, for the fun of it:

(2^128)-(2^32) = 340282366920938463463374607427473244160

This is how many MORE addresses the IP version 6 will give us.

In IPv6 the octets we know from IPv4 are replaced by 8 groups of 16 bits, written in hex rather than decimal and separated by colons.
So a valid IPv6 address could be 3ffe:1000:0000:0000:0000:0000:0000:0001/126 (or, with the run of zeros compressed, 3ffe:1000::1/126).
How does this work?
/126 means 126 bits of network prefix, leaving 2 bits for host addressing, which gives four addresses (3ffe:1000:: through 3ffe:1000::3).

One thing you should notice is that while it can feel natural, it will not work to use addresses such as ::9, ::10, ::11, and ::12 for the same subnet.

The key here is hex, which runs from 0 to 9 and then a to f, so it counts 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f, 10: ::10 is sixteen, not ten. That is why ::9 (in ::8/126) and ::10, ::11, ::12 (in ::10/126) are not in the same /126.

To be certain, use the Online IPv4 and IPv6 calculator, it will calculate the subnets for you.
Just enter an IPv6 or IPv4 address with the corresponding CIDR (for example /24) and it will return the network range.
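Added Python example (not from the original post) that does the arithmetic above with the standard library ipaddress module: print the mask for a prefix length in either address family, list the four addresses of a /126, walk addresses in hex, and check whether ::9, ::10, ::11 and ::12 share a /126 (they do not). The addresses are the ones from the text.

```python
import ipaddress


def subnet_mask_for(cidr):
    """The mask that goes with a prefix length, in the notation of that address family."""
    return str(ipaddress.ip_network(cidr, strict=False).netmask)


def host_bits(cidr):
    """Bits left for host addressing: 32 or 128 minus the prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.max_prefixlen - net.prefixlen


def addresses_in(cidr):
    """Every address in a small prefix (a /126 point-to-point link, a /30 in IPv4)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses > 1024:
        raise ValueError("refusing to enumerate more than 1024 addresses")
    return [str(a) for a in net]


def consecutive(start, count):
    """The next `count` addresses after start, counted in hex as IPv6 does (9, a, b, ...)."""
    a = ipaddress.ip_address(start)
    return [str(a + i) for i in range(1, count + 1)]


def same_subnet(addresses, prefixlen):
    """Do all the addresses fall into one /prefixlen?
    Returns (bool, the subnets they actually occupy, in order)."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addresses}
    return len(nets) == 1, [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    print(subnet_mask_for("192.168.0.1/24"), subnet_mask_for("3ffe:1::1/64"))
    print(host_bits("3ffe:1000::1/126"), addresses_in("3ffe:1000::1/126"))
    print(consecutive("3ffe:1000::9", 4))
    print(same_subnet(["3ffe:1000::9", "3ffe:1000::10", "3ffe:1000::11", "3ffe:1000::12"], 126))
    print(same_subnet(["3ffe:1000::9", "3ffe:1000::a", "3ffe:1000::b"], 126))
    print(2 ** 128 - 2 ** 32)   # how many more addresses IPv6 gives us
```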

Enable forwarding of IPv6 unicast packets in Cisco IOS (this is off by default; until you turn it on the router handles IPv6 only as a host and does not route it)

Router(config)# ipv6 unicast-routing

Configure a static IPv6 default gateway/route

Router(config)# ipv6 route ::/0 3ffe:1::1

This would configure a default route to 3ffe:1::1.

Configuring an IPv6 address on an interface

Router(config-if)# ipv6 address 3ffe:1::1/64

Verifying configuration
Verify IPv6 Routing Table

Router# show ipv6 route

Pinging over IPv6 from Cisco IOS

Router# ping ipv6 <ipv6-address>

Also check out these featured articles
Configuring IPv6 OSPF Routing In Cisco IOS

Get Support for IPv6 Routing on the 3750 Platform

BGP Configuration: Basic example in Cisco IOS

Tuesday, September 23rd, 2008

A lot of people are looking for BGP configuration information for Cisco and Foundry, so I'll explain a bit about the different statements and also post a couple of configuration examples.

Cisco

01: ip route 10.0.0.0 255.0.0.0 null 0
02: router bgp 65000
03: network 10.0.0.0 mask 255.0.0.0
04: neighbor 192.168.0.1 remote-as 65001

  1. Line 01 adds a route for 10.0.0.0/8 to Null0. BGP on Cisco only originates a network statement when a matching route exists in the routing table, so without this line the prefix would not be announced. (The null route also blackholes traffic to unused parts of the block.)
  2. Line 02 starts a BGP process with a local AS number of 65000.
  3. Line 03 adds the network 10.0.0.0/8 to the local BGP table, the router will now announce this network into BGP.
  4. Line 04 sets up a peering session with 192.168.0.1 with their AS number defined as 65001.

Security issues in peering
I wrote a rant about this in August when the news papers put up their big posters about the Internet dying (again.) ;)
Peering sessions should have a password (IOS signs every TCP segment of the session with MD5, RFC 2385, so a third party cannot spoof or reset it), and it is wise to filter the outbound announcements with a prefix list, to make sure you do not announce full transit to every peering partner.
You do not want a leak to happen to you either, so you should at least configure a maximum prefix count; a peer that accidentally sends you a full table then drops the session instead of filling your router's memory.

Cisco, more BGP configuration statements (beginning in global config)

ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
router bgp 65000
neighbor 192.168.0.1 password oursecret
neighbor 192.168.0.1 prefix-list AS65000 out
neighbor 192.168.0.1 maximum-prefix 5

The first two lines define a prefix list that matches only 10.0.0.0/8 at exactly that length (a more specific such as 10.1.0.0/16 does not match the permit; add an le keyword if you also need to announce more specifics) and then denies everything else.
The third line enters BGP configuration, and the fourth sets the session password; the same password has to be configured on the other end (for AS65000 on the remote peer) for the peering session to come up.
Line number 5 applies the prefix list outbound, and the last line makes the router accept NO MORE than 5 prefixes from this peering partner. By default the session is torn down when the limit is exceeded, so set it with some headroom.
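Added Python example (not from the original posts) of how IOS matches a prefix list, covering both the AS65000 list above and the announceAS65001-ipv6 list from the IPv6 BGP peering post: an entry without ge or le matches its exact prefix length only, le and ge open a window of lengths, and a prefix that matches no entry hits the implicit deny. The two lists are copied from the posts; the candidate prefixes (a leaked default route, a more specific, a prefix from another peer) are constructed.

```python
import ipaddress

# The two outbound filters from this archive: the IPv4 list from this post and the IPv6
# list from the IPv6 BGP peering post.
PREFIX_LIST_AS65000 = [
    "ip prefix-list AS65000 seq 5 permit 10.0.0.0/8",
    "ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32",
]
PREFIX_LIST_V6 = [
    "ipv6 prefix-list announceAS65001-ipv6 seq 5 permit 3FFE:2000::/32",
    "! better safe than sorry",
    "ipv6 prefix-list announceAS65001-ipv6 seq 5000 deny ::/0 le 128",
]


def parse_prefix_list(lines):
    """-> list of (seq, action, network, ge, le), sorted by sequence number."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("!") or "seq" not in parts:
            continue
        i = parts.index("seq")
        seq, action = int(parts[i + 1]), parts[i + 2]
        net = ipaddress.ip_network(parts[i + 3], strict=False)
        ge = le = None
        opts = parts[i + 4:]
        for key, val in zip(opts[::2], opts[1::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, candidate):
    """IOS semantics: the candidate's first <entry length> bits must equal the entry's,
    and its own length must lie in the ge/le window. With neither keyword only the
    exact length matches, so 'permit 10.0.0.0/8' does NOT cover 10.1.0.0/16."""
    _seq, _action, net, ge, le = entry
    if candidate.version != net.version or not candidate.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    else:
        high = net.max_prefixlen if ge is not None else net.prefixlen
    return low <= candidate.prefixlen <= high


def evaluate(entries, prefix):
    """-> (action, matching seq). No match is the implicit deny at the end of the list."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry[1], entry[0]
    return "deny", None


def filter_announcements(entries, prefixes):
    """What 'neighbor X prefix-list NAME out' would let through to the peer."""
    return [p for p in prefixes if evaluate(entries, p)[0] == "permit"]


if __name__ == "__main__":
    v4 = parse_prefix_list(PREFIX_LIST_AS65000)
    v6 = parse_prefix_list(PREFIX_LIST_V6)
    # Our own prefix plus what a leaked table from another peer would look like.
    table = ["10.0.0.0/8", "10.1.0.0/16", "0.0.0.0/0", "192.168.0.0/16"]
    print(filter_announcements(v4, table))
    print(filter_announcements(v6, ["3ffe:2000::/32", "3ffe:2000:1::/48", "2001:db8::/32"]))
```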

Foundry BGP Configuration
This is mostly the same, but the bare basics are as follows:

ip route 10.0.0.0/8 null0
router bgp
local-as 65000
neighbor 192.168.0.1 remote-as 65001
network 10.0.0.0 255.0.0.0

And the filtering BGP4 statements for Foundry

ip prefix-list AS65000 seq 5 permit 10.0.0.0/8
ip prefix-list AS65000 seq 1000 deny 0.0.0.0/0 le 32
router bgp
neighbor 192.168.0.1 password oursecret
neighbor 192.168.0.1 prefix-list AS65000 out
neighbor 192.168.0.1 maximum-prefix 5

So as you can see, the BGP configuration is mostly the same for both routers, so lets focus our attention to more BGP configurations on Cisco IOS.

BGP Peering From a Loopback Interface
By default a router uses the IP address of the interface facing the peer as the source address for the peering session. Sometimes you want to choose it yourself, for example so that an iBGP session sourced from a loopback survives a single link failure, or when doing eBGP multihop peering.

This is configured in BGP configuration mode in Cisco IOS

neighbor 192.168.0.1 update-source Loopback0

Verification
At last, we need to verify the peering session. I usually use this command:

show ip bgp sum | i REMOTEAS

Substitute 'REMOTEAS' with the AS number you want to check; for AS65001 in our lab it shows this. (I include the header as well because it is useful in this example, even though the include filter will not show it.)

Router#sh ip bgp sum | i 65001
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.0.1 4 65001 28 27 3 0 0 00:24:15 2

This session is established and I receive two prefixes from the remote peer.
To see which prefixes those are, use the command below. 'routes' shows what was accepted after inbound policy; 'received-routes' shows everything the peer sent, and needs 'neighbor 192.168.0.1 soft-reconfiguration inbound' on the session.

Router#show ip bgp neighbors 192.168.0.1 routes
BGP table version is 3, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 192.168.0.1 0 0 65001 ?
*> 192.168.0.0 192.168.0.1 0 0 65001 ?

Total number of prefixes 2

Two prefixes received from 192.168.0.1, and you can also use the command show ip bgp neighbors 192.168.0.1 advertised-routes to check what your router is announcing to the remote peer.

That was it for today, hopefully the newer ones out there will have a better understanding of the BGP configuration.

Configuring 802.1Q Trunk Links in Cisco IOS

Monday, September 22nd, 2008

This is CCNA level stuff, here is an insight article about trunk links.

What is a trunk link?
A port in trunking mode can carry multiple vlans with two types of encapsulation, either ISL or 802.1Q.
Multiple vendors support 802.1Q, and that makes it my choice for a trunking protocol.

How does 802.1Q work?
It works by inserting a 4-byte tag into the Ethernet header, between the source MAC address and the original EtherType; the tag carries the VLAN identifier along with some other information:

Field   TPID   PRIORITY   CFI   VID
Bits    16     3          1     12

The TPID is the Tag Protocol Identifier, this should be set to 0x8100 for 802.1Q.
The PRIORITY is a 3-bit priority, ranges from 0 – 7.
The CFI is the Canonical Format Indicator, used to signal whether the MAC address is in canonical format; if it is set to 0 the address is in canonical format. (Later revisions of the standard redefined this bit as the Drop Eligible Indicator, DEI.)

The tag is 4 bytes long, and with a 12-bit VLAN ID field it can express 2^12 = 4096 values; VID 0 (a priority-tagged frame with no VLAN) and 4095 are reserved, leaving 4094 usable VLANs.
The switch will also recompute the FCS-field, since the frame is altered.
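Added Python example (not from the original post) that builds and parses the tag described above with the standard library struct module: TPID 0x8100 followed by the 16-bit TCI (3-bit priority, 1-bit CFI, 12-bit VID), inserted between the source MAC and the original EtherType. The FCS the switch recomputes is left out; the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
USABLE_VLAN_IDS = 4094   # 2**12 values minus VID 0 (priority tag only) and 4095 (reserved)


def mac(text):
    """'0012.5555.0000' or '00:12:55:55:00:00' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", "").replace("-", ""))


def build_tag(vid, pcp=0, cfi=0):
    """The 4-byte tag: 16-bit TPID 0x8100, then the TCI with a 3-bit priority,
    a 1-bit CFI (now DEI) and the 12-bit VLAN ID, all big-endian."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is 12 bits (0..4095)")
    if not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("priority is 3 bits, CFI is one bit")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (cfi << 12) | vid)


def tag_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Insert the tag between the source MAC and the original EtherType
    (the FCS, which the switch recomputes, is not modelled here)."""
    return dst + src + build_tag(vid, pcp) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the tag fields if the frame carries 0x8100 at offset 12, else mark it untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"tagged": False, "dst": dst, "src": src, "vid": None, "pcp": None,
                "cfi": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "dst": dst, "src": src, "vid": tci & 0x0FFF,
            "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "ethertype": inner_type,
            "payload": frame[18:]}


if __name__ == "__main__":
    frame = tag_frame(mac("0012.5555.0000"), mac("0050.56aa.1b2c"), 500,
                      ETHERTYPE_IPV4, b"\x45\x00", pcp=5)
    print(frame.hex())        # ... 8100 a1f4 0800 4500: tag, then the original EtherType
    print(parse_frame(frame))
```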

Configuration of a trunk link
Now, to configure a trunk link between two switches the following code should be suitable:

Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# exit
Switch(config)# vlan 500

The encapsulation will define the encapsulation of the trunk link to either ISL or 802.1Q.
mode trunk forces the port into trunking mode; with dynamic the switches negotiate the mode over DTP instead. I force all ports to their mode, always: a port left in dynamic mode can be talked into trunking by whatever is plugged into it.
The vlan 500 command will create the vlan 500, this should automatically be trunked when configured on both sides.

Disallow some vlans
Sometimes we don't want to make a mess by letting every VLAN across every trunk link.
Imagine spanning a customer's VLAN from the US to Spain by accident, or worse:
imagine delivering layer 2 connectivity between a set of locations for a customer on different VLAN IDs over a trunk link. If you aren't careful you can end up letting private VLAN traffic leak between customers.

Switch(config)# interface Gig1/0/1
Switch(config-if)# switchport trunk allowed vlan 500

This makes sure that only VLAN 500 is carried over this trunk, regardless of which VLANs the switch on the other side has configured on its end.

Pitfalls
Make sure to use the add statement if you are adding more vlans to a trunk link.

Switch(config-if)# switchport trunk allowed vlan add 200

Or else the configuration will overwrite the old vlans you might have configured on a link.

Verification
To verify your trunk links, you can for example do this:

Switch#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/1 auto 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/1 500

Port Vlans allowed and active in management domain
Gi1/0/1 500

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 500

Here you can see that port Gi1/0/1 is trunking, and that vlan 500 is allowed and active over the trunk.

You can also use show vlan id;

Switch# show vlan id 500

VLAN Name Status Ports
—- ——————————– ——— ——————————-
500 VLAN500 active Gi1/0/1, Gi1/0/2

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
—- —– ———- —– —— —— ——– —- ——– —— ——
500 enet 101545 1500 – – – – – 0 0

Remote SPAN VLAN
—————-
Disabled

Primary Secondary Type Ports
——- ——— —————– ——————————————

Switch#

Here you can see that vlan 500 is configured on the trunk link Gigabit ethernet 1/0/1 and also on 1/0/2.

That’s a little insight in 802.1Q trunking vlan links!