Posts Tagged ‘tutorial’

Port Mirroring on Cisco – Monitoring the network

Thursday, May 14th, 2009

“We just bought a new IPS/IDS, just put it between us and our transit provider!”. Sounds slick, huh? This request seems easy, but do you really know if it will function like expected and not jam all network traffic?

Try it out on a mirrored (SPAN) port first! With a SPAN you can get a copy of all traffic from/to a port output on a second port, without interacting with traffic. This can be very helpful if you want to test out some new equipment for Intrusion detection and/or prevention. Snort is an open source alternative for monitoring network traffic for obscurity and irregularities.

To configure a SPAN on 2940, 2950, 2955, 2960, 2970, 3550, 3560 and 3750 switches

Switch#conf t
Switch(config)#monitor session 1 source interface Fa0/18
Switch(config)#monitor session 1 destination interface Fa0/2

With the configuration above you will copy all traffic from FastEthernet 0/18 and output it to FastEthernet 0/2
The Cisco Catalyst 2950 is incapable to monitor vlans, but this is possible on for example the Cisco 3750.

To verify a SPAN session

Switch#sh monitor session 1
Session 1
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/18
Destination Ports: Fa0/2

I hope this maybe encourages you to test out some applications or equipment that you’ve been wanting to try but haven’t had the guts to!

Configuring MySQL AAA Authentication and Accounting with Tacacs+ on Linux

Monday, November 10th, 2008

So, been experimenting more with tacacs+ and got everything working out nicely with MySQL – so here is my tutorial!

It seemed like I had to run out of my “Oh, I run ubuntu so I will just apt-get” luck sometime, as I actually had to take this one from source to make it work completely.
So I will start with the Linux end of this, the compiling of tac_plus

If you followed my previous tutorial, you will have to remove the old tac_plus package.

root@server:~# apt-get remove tac-plus
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages will be REMOVED:
0 upgraded, 0 newly installed, 1 to remove and 104 not upgraded.
Need to get 0B of archives.
After unpacking 324kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database … 227395 files and directories currently installed.)
Removing tac-plus …
Stopping Tacacs+ server: tac_plus.
root@server:~# dpkg –purge tac-plus

The dpkg –purge command will remove all configuration files, so if you want to keep them just run

root@server:~# cp -r /etc/tac-plus /root/tac-plus-configuration

This will store the old configuration files in a folder named /root/tac-plus-configuration

Now compile the tac_plus daemon, remember to have the libmysql++-dev installed before you do this. It should also bring along libmysql++2c2a libmysqlclient15-dev by itself.

root@server:~# cd /usr/local/src
root@server:/usr/local/src# wget -q
root@server:/usr/local/src# tar -zxf tac_plus-4.4.tgz
root@server:/usr/local/src# cd tac_plus-4.4
root@server:/usr/local/src/tac_plus-4.4# wget -q
root@server:/usr/local/src/tac_plus-4.4# tar -zxf securid.tgz
root@server:/usr/local/src/tac_plus-4.4# ./configure –with-mysql –with-db

It should now print a lot of ‘checking for’ or ‘checking wheter’ lines, just let it run.
The last couple of lines you should see should be:

creating Makefile
creating tac_plus.spec
creating config.h
config.h is unchanged

Then it’s time to run make to compile the source code into a binary file.

root@server:/usr/local/src/tac_plus-4.4# make
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c config.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c choose_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_v0_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c dump.c
dump.c: In function ‘dump_nas_pak’:
dump.c:159: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c enable.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c encrypt.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c expire.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c hash.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c tac_plus.c
tac_plus.c: In function ‘main’:
tac_plus.c:364: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c md5.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c packet.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c parse.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c programs.c
programs.c: In function ‘my_popen’:
programs.c:282: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:287: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:292: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pw.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pwlib.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c report.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendauth.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendpass.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c time_limit.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c utils.c
utils.c: In function ‘tac_exit’:
utils.c:79: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c accesslog.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c ext_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_ext.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_null.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_mysql.c
gcc -g -O2 -L/usr/lib/mysql -o tac_plus -L/usr/lib/mysql acct.o authen.o author.o config.o choose_authen.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o tac_plus.o md5.o packet.o parse.o programs.o pw.o pwlib.o report.o sendauth.o sendpass.o time_limit.o utils.o accesslog.o ext_authen.o db.o db_ext.o db_null.o db_mysql.o -lmysqlclient -lz -lnsl -lpthread -lc -lcrypt -Llib/lnx -laceclnt
root@server:/usr/local/src/tac_plus-4.4# cp tac_plus /usr/sbin/

Now, I just did a quick hack with copying the tac_plus binary to /usr/sbin, if you choose to install it with make install, be aware that it will spread files all around your system that you really don’t need.

I got a library error, this is my fix.

root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
/usr/sbin/tac_plus: error while loading shared libraries: cannot open shared object file: No such file or directory
root@server:/usr/local/src/tac_plus-4.4# cp lib/lnx/ /usr/lib && ldconfig
root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
tac_plus version 4.4rc2-3 (Extended Tac_plus)

Perfect, shared libraries installed and the tacacs daemon seems to be working!
Now to create the configuration file and everything.

root@server:/usr/local/src/tac_plus-4.4# cd /etc
root@server:/etc# mkdir tac-plus && chmod 700 tac-plus
root@server:/etc# cd tac-plus
root@server:/etc/tac-plus# touch tacacs.conf && chmod 700 tacacs.conf

Edit the /etc/tacacs.conf file with your favourite editor, I as always love vim.
For simplicity, let us keep it to a small amount of lines.

The contents of /etc/tacacs.conf

key mykey
default db = mysql://tacacs:tacacspassword@localhost/tacacs

The logics of the MySQL URI is mysql://username:password@databasehost/database, so the username will now be tacacs, the password will be ‘password’ and the database ‘tacacs’ on the MySQL server on localhost.

MySQL Setup
We now need to setup the backend databases for tac_plus to communicate with.

root@server:/etc/tac-plus# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11335
Server version: 5.0.38-Ubuntu_0ubuntu1.4-log Ubuntu 7.04 distribution

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> \. /usr/local/src/tac_plus-4.4/tac_plus.sql
Query OK, 1 row affected (0.36 sec)

Database changed
Query OK, 0 rows affected (0.19 sec)

#… You should get a lot of these lines and return to the prompt, verify the structure:
mysql> show tables;
| Tables_in_tacacs |
| access |
| accounting |
| acl |
| admin |
| attribute |
| contact_info |
| host |
| node |
| user |
| vendor |
10 rows in set (0.08 sec)

# You now need to grant access to tacacs
mysql> GRANT ALL PRIVILEGES ON tacacs.* to tacacs@localhost IDENTIFIED BY ‘tacacspassword’;
Query OK, 0 rows affected (0.00 sec)

You could grant SELECT on the user and host tables, while letting it modify for example only the accounting and access tables which it uses for .. well, accounting records. It records logins/logouts and commands written if you want to. Tac-plus will automagically do this for you, and the Cisco Configuration is well documented in my article about Log Commands on Your Cisco Routers and Switches With Tacacs On Linux. Oh well, let us go on.

Let us insert just a user and a host.

INSERT INTO user (uid, gid, password, expires) values (‘username’, ‘100’, ENCRYPT(‘testtest’), ‘0000-00-00’);
INSERT INTO host (ip, hostgroup, hkey, network, submask, loginacl, host) VALUES (‘’, ‘Routers’, ‘tercesym’, ‘0’, ‘0’, ‘666’, ‘1’);
INSERT INTO acl (id, type, seq, permission, value, value1, submask) VALUES (‘666’, ‘2’, ‘1’, ’57’, ‘allusers’, ‘0’, ‘0’);

That should be it, we are done with this and we can now start the daemon.

root@server:~# /usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d254 -l tac.log

You can now monitor tac.log which resides in your current working directory (pwd), with tail -f tac.log and you can remove the -d254 when you are sure this is working.
You should now be able to login with user username and password testtest.

To configure your Cisco IOS running Switch or Router

Router(config)#aaa authentication login default local group tacacs+
Router(config)#tacacs-server host key mykey

As long as you keep the ‘local’ in the authentication line, you will still be able to fall back to local user authentication.

If you get any weird errors or warnings, post them as a comment and I will have a look at it!

Configuring IPv6 BGP Peering Sessions on Cisco IOS

Sunday, November 2nd, 2008

The future is closer than you think, are you ready?

Here is a little tutorial on configuring IPv6 BGP peering sessions on Cisco IOS.

First set the IP address on the interface, if this is a private peering session you can use a small network from your own PA block, on an exchange this IP address should be assigned by the exchange administrators.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa 0/0
Router(config-if)#ipv6 address 3ffe:1234:1234::1/64

Then, it can be an idea to nullroute the prefix you are going to announce, I think it is good practice because it will also effectively blackhole traffic destined to unexisting networks. This will be announced into BGP with the redistribute static configuration item.

Router#conf t
Router(config)#ipv6 route 3ffe:2000::/32 null 0

Now we create a prefix list that permits only this network, this is very important to avoid leaks of prefixes to your peers. This prefix list is going to be applied outbound on to the BGP peering.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 prefix-list announceAS65001-ipv6 seq 5 permit 3FFE:2000::/32
! better safe than sorry
Router(config)#ipv6 prefix-list announceAS65001-ipv6 seq 5000 deny ::/0 le 128

Now we are ready to configure the BGP peering session, this is just a simple example and most of these commands can be applied to peer groups, so that each configuration gets easier.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp 65001
Router(config-router)#redistribute static
Router(config-router)#neighbor 3ffe:1234:1234::2 remote-as 65002
Router(config-router)#address-family ipv6 unicast
Router(config-router-af)#neighbor 3ffe:1234:1234::2 activate
Router(config-router-af)#neighbor 3ffe:1234:1234::2 soft-reconfiguration inbound
Router(config-router-af)#redistribute static
Router(config-router-af)#neighbor 3ffe:1234:1234::2 prefix-list announceAS65001-ipv6 out

This will redistribute the static nullroute we made earlier to the peer at 3ffe:1234:1324::2, and the peering session should be up by now.

I can verify it on the other end:

Router2#sh ip bgp ipv6 unicast
BGP table version is 8, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3FFE:2000::/32 3FFE:1234:1234::1
0 0 65001 ?

As you can see, the network 3ffe:2000::/32 is now announced on this peering session, the route is sourced from AS65001. You can also get this on the summary:

Router2#sh ip bgp ipv6 unicast summary
BGP router identifier, local AS number 65002
BGP table version is 8, main routing table version 8
1 network entries using 152 bytes of memory
1 path entries using 76 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 500 total bytes of memory
BGP activity 2/1 prefixes, 4/3 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4 65001 26 23 8 0 0 00:05:54 1

If you want to see the prefixes announced to a peer or received from a peer. (This requires soft reconfiguration inbound configured on the peering session, neighbor 3ffe:1234:1234::2 soft-reconfiguration inbound in configuration.

Router2#sh ip bgp ipv6 unicast neighbors 3ffe:1234:1234::1 received-routes
BGP table version is 8, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3FFE:2000::/32 3FFE:1234:1234::1
0 0 65001 ?

Total number of prefixes 1

The prefix 3ffe:2000::/32 is received from 3ffe:1234:1234::1.

Router#sh ip bgp ipv6 unicast neighbors 3ffe:1234:1234::2 advertised-routes
BGP table version is 3, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight Path
*> 3FFE:2000::/32 :: 0 32768 ?

Total number of prefixes 1

Voila, a better understanding and some real life examples of IPv6 BGP peering in Cisco IOS.

Locating the Cisco Switchport of a Server based on IP Address

Thursday, October 23rd, 2008

Locating computers or servers is a task I often do, and this is a tutorial on how I do it.

I have mentioned the do command, and mentioned it again in my 5 Magic Cisco Tips and Tricks article.

I am now going to give you more of a tutorial!

Locating a machine on switch port in a larger Cisco network
If you only have the IP address, just run this command:

show ip route *ipaddress*

The router will now tell you which interface this subnet is connected to.

In a usual setting you might have routed a larger block of addresses to for example a routing switch.
If this is the case, you will need to investigate layer 3 further down to that switch/router.

When you have found the IP address as directly connected issue this command to look up the MAC address in the ARP table.

show ip arp | include *ipaddress*

This will output the MAC address for this IP address, you can use this with this command:

show mac address-table | include *macaddress*

You will now see which port this hardware address is connected to.

In case you have a switch connected, you will need do the show mac address-table command on that switch also.

You can often identify switches by doing a show mac address-table interface *port*
If this gives a long list of MAC addresses with the TYPE dynamic, this is probably a switch.