Posts Tagged ‘cisco ios’

A Word About BGP Bogons Filtering

Tuesday, December 9th, 2008

BGP4 filtering is important, but how can you keep track of the prefixes and do active filtering on them?

It has been a while since my last blog post now, it’s partly because I have been (honestly) pretty lazy lately, yes, I have been trying to cool down on all my working because I started to get some problems with keeping track of my own feelings.
..and also because I have been trying to spend a little more time with the girl that actually can stand living with such a busy internet lunatic, we went to see the Norwegian setup of the musical Grease and also a Norwegian talk show named Senkveld, and along with all the xmas preparations and that it has been kind of hectic, but very very nice.
While I am still talking freely here, why is it that while I can see people reading around, I never see any comments from you guys?

Anyways, enough with the excuses and all that – on with the show, right?
[*APPLAUSE*]

The point about this post is to inform about the problems with bogon IPv4 (and probably IPv6 too, I haven’t looked at that yet) prefixes being announced into the Internet, and the problem about Internet Service Providers accepting these prefixes and adds them to their routing table. The worst case scenario would be like spam from 127.0.0.1

But, what are bogons.. or bogon prefixes?
I am glad to be asked that question sometimes, it is good – it shows that someone paid attention.
Bogon prefixes are for example unassigned prefixes, or RFC1918 networks and there are also other reserved ranges.

The assignment process for IPv4 is somewhat like this:

  1. IANA allocates a block of IPv4 addresses to a Regional Internet Registry (usually /8 to i.e. RIPE)
  2. The RIR then makes suballocations of this block to a LIR, a LIR is a Local Internet Registry (i.e. your ISP)

The ISP can then announce this IPv4 prefix in the BGP table on the Internet.
All these IANA to RIR assignments are public information, you can find it at cymru.com, they have regular updates.

The problem with bogons
The problem exists when networks listed as RESERVED or UNALLOCATED in this list are being announced and produces internet traffic.
For example, if you want to send out totally anonymous spam, what could you possibly do to ISPs without proper filtering?
Yeah, you could see someone announcing 192.168.0.0/22 and start spamming from 192.168.1.0.

Do you keep track of every announcement ever done to you? (In that case, how do you do it?)
I run a quagga router which also sees all announcements to our network and logs these to a logfile, and I am insterested to hear about other solutions – I know there are some java based applications.

To be consistent; you do not want bogons announced to you, you do not want to accept bogon networks and start routing traffic to them.

How to fix?
There’s a bogons prefix-list that Team Cymru creates that is very useful for Cisco enthusiasts like me.
They have constructed a secure BGP template.

So let us hope maybe there’s at least one extra bogon filter in place tomorrow, and let me know about it!

Configuring MySQL AAA Authentication and Accounting with Tacacs+ on Linux

Monday, November 10th, 2008

So, been experimenting more with tacacs+ and got everything working out nicely with MySQL – so here is my tutorial!

It seemed like I had to run out of my “Oh, I run ubuntu so I will just apt-get” luck sometime, as I actually had to take this one from source to make it work completely.
So I will start with the Linux end of this, the compiling of tac_plus

If you followed my previous tutorial, you will have to remove the old tac_plus package.

root@server:~# apt-get remove tac-plus
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages will be REMOVED:
tac-plus
0 upgraded, 0 newly installed, 1 to remove and 104 not upgraded.
Need to get 0B of archives.
After unpacking 324kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database … 227395 files and directories currently installed.)
Removing tac-plus …
Stopping Tacacs+ server: tac_plus.
root@server:~# dpkg –purge tac-plus

The dpkg –purge command will remove all configuration files, so if you want to keep them just run

root@server:~# cp -r /etc/tac-plus /root/tac-plus-configuration

This will store the old configuration files in a folder named /root/tac-plus-configuration

Now compile the tac_plus daemon, remember to have the libmysql++-dev installed before you do this. It should also bring along libmysql++2c2a libmysqlclient15-dev by itself.

root@server:~# cd /usr/local/src
root@server:/usr/local/src# wget -q http://www.gho.no/download/tac_plus-4.4.tgz
root@server:/usr/local/src# tar -zxf tac_plus-4.4.tgz
root@server:/usr/local/src# cd tac_plus-4.4
root@server:/usr/local/src/tac_plus-4.4# wget -q http://www.gho.no/download/securid.tgz
root@server:/usr/local/src/tac_plus-4.4# tar -zxf securid.tgz
root@server:/usr/local/src/tac_plus-4.4# ./configure –with-mysql –with-db

It should now print a lot of ‘checking for’ or ‘checking wheter’ lines, just let it run.
The last couple of lines you should see should be:

creating Makefile
creating tac_plus.spec
creating config.h
config.h is unchanged

Then it’s time to run make to compile the source code into a binary file.

root@server:/usr/local/src/tac_plus-4.4# make
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c config.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c choose_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_v0_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c dump.c
dump.c: In function ‘dump_nas_pak’:
dump.c:159: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c enable.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c encrypt.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c expire.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c hash.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c tac_plus.c
tac_plus.c: In function ‘main’:
tac_plus.c:364: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c md5.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c packet.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c parse.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c programs.c
programs.c: In function ‘my_popen’:
programs.c:282: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:287: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:292: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pw.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pwlib.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c report.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendauth.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendpass.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c time_limit.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c utils.c
utils.c: In function ‘tac_exit’:
utils.c:79: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c accesslog.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c ext_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_ext.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_null.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_mysql.c
gcc -g -O2 -L/usr/lib/mysql -o tac_plus -L/usr/lib/mysql acct.o authen.o author.o config.o choose_authen.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o tac_plus.o md5.o packet.o parse.o programs.o pw.o pwlib.o report.o sendauth.o sendpass.o time_limit.o utils.o accesslog.o ext_authen.o db.o db_ext.o db_null.o db_mysql.o -lmysqlclient -lz -lnsl -lpthread -lc -lcrypt -Llib/lnx -laceclnt
root@server:/usr/local/src/tac_plus-4.4# cp tac_plus /usr/sbin/

Now, I just did a quick hack with copying the tac_plus binary to /usr/sbin, if you choose to install it with make install, be aware that it will spread files all around your system that you really don’t need.

I got a library error, this is my fix.

root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
/usr/sbin/tac_plus: error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory
root@server:/usr/local/src/tac_plus-4.4# cp lib/lnx/libaceclnt.so /usr/lib && ldconfig
root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
tac_plus version 4.4rc2-3 (Extended Tac_plus)

Perfect, shared libraries installed and the tacacs daemon seems to be working!
Now to create the configuration file and everything.

root@server:/usr/local/src/tac_plus-4.4# cd /etc
root@server:/etc# mkdir tac-plus && chmod 700 tac-plus
root@server:/etc# cd tac-plus
root@server:/etc/tac-plus# touch tacacs.conf && chmod 700 tacacs.conf

Edit the /etc/tacacs.conf file with your favourite editor, I as always love vim.
For simplicity, let us keep it to a small amount of lines.

The contents of /etc/tacacs.conf

key mykey
default db = mysql://tacacs:tacacspassword@localhost/tacacs

The logics of the MySQL URI is mysql://username:password@databasehost/database, so the username will now be tacacs, the password will be ‘password’ and the database ‘tacacs’ on the MySQL server on localhost.

MySQL Setup
We now need to setup the backend databases for tac_plus to communicate with.

root@server:/etc/tac-plus# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11335
Server version: 5.0.38-Ubuntu_0ubuntu1.4-log Ubuntu 7.04 distribution

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> \. /usr/local/src/tac_plus-4.4/tac_plus.sql
Query OK, 1 row affected (0.36 sec)

Database changed
Query OK, 0 rows affected (0.19 sec)

#… You should get a lot of these lines and return to the prompt, verify the structure:
mysql> show tables;
+——————+
| Tables_in_tacacs |
+——————+
| access |
| accounting |
| acl |
| admin |
| attribute |
| contact_info |
| host |
| node |
| user |
| vendor |
+——————+
10 rows in set (0.08 sec)

# You now need to grant access to tacacs
mysql> GRANT ALL PRIVILEGES ON tacacs.* to tacacs@localhost IDENTIFIED BY ‘tacacspassword’;
Query OK, 0 rows affected (0.00 sec)

You could grant SELECT on the user and host tables, while letting it modify for example only the accounting and access tables which it uses for .. well, accounting records. It records logins/logouts and commands written if you want to. Tac-plus will automagically do this for you, and the Cisco Configuration is well documented in my article about Log Commands on Your Cisco Routers and Switches With Tacacs On Linux. Oh well, let us go on.

Let us insert just a user and a host.

INSERT INTO user (uid, gid, password, expires) values (‘username’, ‘100’, ENCRYPT(‘testtest’), ‘0000-00-00’);
INSERT INTO host (ip, hostgroup, hkey, network, submask, loginacl, host) VALUES (‘10.0.0.5’, ‘Routers’, ‘tercesym’, ‘0’, ‘0’, ‘666’, ‘1’);
INSERT INTO acl (id, type, seq, permission, value, value1, submask) VALUES (‘666’, ‘2’, ‘1’, ’57’, ‘allusers’, ‘0’, ‘0’);

That should be it, we are done with this and we can now start the daemon.

root@server:~# /usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d254 -l tac.log

You can now monitor tac.log which resides in your current working directory (pwd), with tail -f tac.log and you can remove the -d254 when you are sure this is working.
You should now be able to login with user username and password testtest.

To configure your Cisco IOS running Switch or Router

Router(config)#aaa authentication login default local group tacacs+
Router(config)#tacacs-server host 10.0.0.5 key mykey

As long as you keep the ‘local’ in the authentication line, you will still be able to fall back to local user authentication.

If you get any weird errors or warnings, post them as a comment and I will have a look at it!

Configuring 802.1Q Trunk Links in Cisco IOS

Monday, September 22nd, 2008

This is CCNA level stuff, here is an insight article about trunk links.

What is a trunk link?
A port in trunking mode can carry multiple vlans with two types of encapsulation, either ISL or 802.1Q.
Multiple vendors support 802.1Q, and that makes it my choice for a trunking protocol.

How does 802.1Q work?
It works by inserting a 4-byte tag in the original frame header, this contains the VLAN identification along with some other information.

Bits 16 3 1 12
TPID PRIORITY CFI VID

The TPID is the Tag Protocol Identifier, this should be set to 0x8100 for 802.1Q.
The PRIORITY is a 3-bit priority, ranges from 0 – 7.
The CFI is the Canonical Format Idicator, which means that it is used to identify if the MAC address is in canonical format or not, if it is set to 0 the address is in canonical format.

The tag is 4 bytes long, and with a 12-bit VLAN ID field, it can hold 2^12 = 4096 Vlans.
The switch will also recompute the FCS-field, since the frame is altered.

Configuration of a trunk link
Now, to configure a trunk link between two switches the following code should be suitable:

Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# exit
Switch(config) vlan 500

The encapsulation will define the encapsulation of the trunk link to either ISL or 802.1Q.
The mode trunk will force the port into a trunking mode, where you can also choose dynamic to make switches negotiate the mode. I force all ports to their mode, always.
The vlan 500 command will create the vlan 500, this should automatically be trunked when configured on both sides.

Disallow some vlans
Sometimes we don’t wanna make a mess and let some vlans over some trunk links.
Imagine spanning a customers vlan from US to Spain by accident, or worse..
Imagine delivering layer 2 connectivity between a set of location for a customer on different vlan ID’s, delivered on a trunk link. If you aren’t careful you can end up letting private vlan traffic leak between customers.

Switch(config)# interface Gig1/0/1
Switch(config-if)# switchport trunk allowed vlan 500

This will make sure that only vlan 500 is allowed over this trunk link, even if the other side tries to negotiate another vlan from you.

Pitfalls
Make sure to use the add statement if you are adding more vlans to a trunk link.

Switch(config-if)# switchport trunk allowed vlan add 200

Or else the configuration will overwrite the old vlans you might have configured on a link.

Verification
To verify your trunk links, you can for example do this:

Switch#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/1 auto 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/1 500

Port Vlans allowed and active in management domain
Gi1/0/1 500

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 500

Here you can see that port Gi1/0/1 is trunking, and that vlan 500 is allowed and active over the trunk.

You can also use show vlan id;

Switch# show vlan id 500

VLAN Name Status Ports
—- ——————————– ——— ——————————-
500 VLAN500 active Gi1/0/1, Gi1/0/2

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
—- —– ———- —– —— —— ——– —- ——– —— ——
500 enet 101545 1500 – – – – – 0 0

Remote SPAN VLAN
—————-
Disabled

Primary Secondary Type Ports
——- ——— —————– ——————————————

Switch#

Here you can see that vlan 500 is configured on the trunk link Gigabit ethernet 1/0/1 and also on 1/0/2.

That’s a little insight in 802.1Q trunking vlan links!

5 Magic Cisco tips & tricks aka magic IOS commands

Monday, September 15th, 2008

I have been working a lot for several years, and now I want to share some of my best tips for working faster and more efficient on Cisco routers in Cisco IOS.

I posted earlier about the ‘do’ command, but I am going to include it here because it is so darn practical.

So with no further mess – here is the list, not sorted after any specific order.

  1. ‘do’ in config mode
    This is one of the most time saving ones that few people seem to know about, use it!
    It lets you run exec commands in global configuration mode.
  2. include, exclude and begin
    Ever wanted to find something in the configuration? Or maybe you want to see some info, and not some?
    Use include or exclude, for example you can do

    Router1(config)# do show running-config | include ip_address

    This will include every occurance of ‘ip address’ in your running configuration file, the underscore works for spaces, and as such you can also do

    Router1(config)# do show running-config | exclude password

    This will exclude every line that has the word ‘password’ in it, can be usefull if you are listing the configuration file to someone, or you can even do

    Router1(config)# do show running-config | exclude (password|secret)

    This will exclude every line containing EITHER password or secret, and you can use regular expressions here.
    This means that even show interfaces | include (^Vlan|Internet_address|packets\/sec) is valid, which will give you a list of your Vlan interfaces.

  3. alias ps
    Use aliases, do you ever run the same commands a thousand times?
    I have at least these aliases in place on all my equipment:

    alias exec sb show ip int brief
    alias exec ps sh proc cpu | excl 0.00%__0.00%__0.00%

  4. time-range command

    time-range Workhours
    periodic weekdays 8:00 to 16:00
    !
    ip access-list extended permit Permission-To-Internal-Server-In-Work-Hours
    permit tcp any host 10.0.0.5 eq www time-range Workhours
    deny tcp any host 10.0.0.5 eq www
    permit ip any any

    This will allow access to 10.0.0.5 within 8am and 4pm

  5. Redistribute default gateway route into OSPF
    A lot of people are wondering about this one too.

    Router1(config-rtr)# default-information originate always

    This is done under the ‘router ospf’ in global configuration.