Sabotage Networks

Cisco ASA 8.4 - Global Access Lists

2011-08-17T13:06:00.006+01:00

Handy new feature in version 8.4 of the ASA software is the ability to do global access lists. The Cisco ASA allows security levels to be applied to interfaces, traffic is automatically allowed from a high to low security level interface but not vice versa. It's probably designed for the fairly common use case of a perimeter device between a LAN and the internet. The internet link is set to

Evaluation Assurance Levels - EAL

2011-04-13T16:17:00.029+01:00

EAL stands for evaluation assurance level and is a certificate of security for IT products measured against a set of common security criteria. The main source of information on EAL levels is the common criteria portal where you can find details of approved products and information on the criteria used for the EAL certifications.Who uses it?Your average network bod may not come across EAL very

Legacy FRTS & Subinterfaces

2011-02-14T13:41:00.007Z

FRTS and subinterfaces. This page follows on from the previous article on legacy FRTS configuration here and shows the default behaviour of FRTS with subinterfaces.The legacy frame-relay traffic shaping has to be enabled on a physical interface. Any subinterfaces will then inherit the configuration, which is 56kbps by default. The network is shown below:In the example below FRTS is turned on but

Frame Relay Traffic Shaping - Legacy Configuration

2011-02-13T15:38:00.012Z

This is a basic lab to play around with frame-relay traffic shaping, FRTS. It uses the legacy configuration method rather than MCQ. INE have a great article here describing the other options.This article assumes some knowledge of QoS terms such as CIR, Bc, Be and Tc.The lab used looks like this:I'll use the GNS3 built in frame switch to make life easier, the config is below:The basic router

Zone Based Firewall & Port Forwarding

2010-12-21T19:47:00.006Z

This article covers setting up port forwarding with Cisco Zone Based Firewall (ZBF) on a typical home connection.There are a couple of steps:1 - Give your LAN host a static IP.2 - Set up NAT to handle the port forwarding3 - Set up ZBF rules to allow the traffic1 - Static IPYou can either manually configure the client or use a DHCP reserved address.DHCP reservation is a royal pain on the Cisco 800

MST - Multiple Spanning Tree - Don't change the mappings!

2010-05-27T20:36:00.003+01:00

MST allows you to create spanning-tree instances and map VLANs into them.Combined with VTP version 3 means you can advertise the MST mappings automatically, as shown here.MST has the concept of regions.Whether a switch is a member of a particular region depends on three things:The configured MST region name.The configured MST revision number.The VLAN to MSTI mappings.The entire VLAN to MSTI

Bundling Frame Relay Links

2010-05-26T21:30:00.010+01:00

Frame-relay study time!There are several ways to bundle links together in frame-relay:Frame-relay Multilink - FRF.16PPP MultilinkFRF16 requires configuration all along the path, so the service provider must support it. PPP multilink can be used on any frame-relay links and doesn't require anything from the SP. Frame-relay Multilink - FRF.16I'll be using the incredibly complicated topology shown

SNMP Trap on VSS Failover

2010-05-24T19:59:00.012+01:00

One of the big things that Cisco VSS is missing is the ability to clearly see when it's failed over.You set up your spanking new 6500 with 10Gig supervisors, plug it into your network management, lose one of the boxes and get a few traps about routing problems. What you really want is a big in-your-face message saying "HELP ME THE VSS JUST FAILED OVER OH MY GOD THE SKY IS FALLING!!11!one" and

Basic PPPoE Lab

2010-03-22T20:05:00.004Z

Configurations below for a PPPoE lab, directly connecting two routers. This uses the new broad-band access (bba) command instead of the old VPDN ones.Client:interface Dialer1 ip address 192.168.0.10 255.255.255.0 encapsulation ppp dialer pool 1interface FastEthernet0/0 pppoe-client dial-pool-number 1Server:interface Virtual-Template1 ip address 192.168.0.1 255.255.255.0bba-group pppoe global

Generate Strong Passwords from a Unix Box

2010-03-18T14:52:00.002Z

Works from any form of unix that has a /dev/urandom and has uuencode installed.head -n 2 /dev/urandom | uuencode -m -

IBM Blade Centers - CIGESM Configuration

2010-02-20T11:31:00.012Z

There are lots of docs from IBM explaining the blade center architecture but it's a lot of information to filter through if you're only interested in the network side.The blade center in this example holds 14 blades which are best thought of as individual physical servers. It can use the Cisco switching module called a Cisco Systems Intelligent Gigabit Ethernet Switch Module, or CIGESM. They do

Creating a CRL for an OSX keychain CA

2010-02-17T20:03:00.007Z

OSX has a handy keychain utility that can be used to create a CA among other things. I needed a CRL generated for my keychain-created CA in order to use certificate-based VPNs on a Netscreen box.There are probably 101 ways of doing this, mine is:Make a CA structure as per /opt/local/etc/openssl/openssl.cnf(or alternately you could provide the suitable CLI options to openssl each time)

ToS DSCP Mappings

2010-02-12T12:12:00.007Z

Reference table of ToS to DSCP mappings below..nobrtable br { display: none } PHB Value ToS Byte String DSCP Value CS0 0 Routine 0 CS1 32 PRIORITY 8 AF11 40 10 AF12 48 12 AF13 56 14 CS2 64 IMMEDIATE 16 AF21 72 18 AF22 80 20 AF23 88 22 CS3 96 FLASH 24 AF31 104 26

VTP Version 3 and MSTP Walkthrough.

2010-02-09T12:53:00.014Z

This article assumes you are familiar with MSTP and VTP.The latest incarnation of VTP version 3 is now available on versions of IOS from 12.2(50)SE3 onwards for 3560, 3750 and 2960s.It supports distribution of two databases:VLAN Database.MSTP Vlan-to-MSTI mapping database.Other than support for extended ID VLANs the VLAN database functionality is the same as previous versions. The MST mappings

How to get USB serial adapters working in OSX

2010-02-06T10:32:00.013Z

There are loads of cheap USB serial adapters around, the difficulty can be working out what chipset they use. The easiest way to identify them is with a Linux live-CD.Identify the chipset in LinuxYou could just install the two drivers linked below, it won't do any harm if they're the wrong ones and there probably aren't that many different USB serial chipsets around so there's a good chance it'll

Cisco Gotchas - 1800 Virtual Ports

2010-02-05T12:32:00.003Z

This is a (very late) addition to the article here.Cisco 6500 doesn't directly limit the number of spanning-tree instances. It has limits on the number of virtual ports per line card.A virtual port is a VLAN being forwarded on a trunk. So if you have 10 VLANs and 5 active trunks with no pruning then you have 50 virtual ports.A 6500 is limited to 1800 virtual ports per line-card (with caveats, see

Cisco Gotchas - Max VLANs and STP Instances

2010-02-05T12:31:00.007Z

Cisco switches have separate limitations on:The number of VLANs that can exist in the database.The number of Spanning-Tree Instances that can run.Cisco kit tends to use per-VLAN spanning-tree in which case the two values will be the same. To understand the problem and solution requires knowledge of the different types of spanning-tree available, this subject is huge but very briefly the types are

Cisco Gotchas - 16 Unique Standby Groups

2010-02-05T12:14:00.004Z

HSRP is configured in standby groups, each one having an identifier value in the switch configuration.The acceptable range of values is 0-255 and you can create as many as you want. Cisco don't recommended using more than 500 on a 6500 series or 64 on the 3550.There are limitations on the number of unique ID values you can assign however.Each instance is configured using the standby command:

Configure IOS by SNMP - Password Recovery

2010-02-01T17:04:00.012Z

This is useful if you ever end up without a password for a router but you do know the SNMP read-write community values or usernames. It can save you the need to reboot a device and do a full password recovery, useful if the device is a thousand miles away and running some vital service.You can load a configuration snippet into IOS from a TFTP server, triggered over SNMP.The steps are:Warning:

VSS Introduction

2010-01-16T14:40:00.008Z

VSS stands for Virtual Switching System and is a technology for use on 6500 series switches.It works in a similar way to stackwise on the 3750s, you have two physical devices that end up with a single logical management plane.In a large Cisco-style network you would have two core/distribution devices for redundancy. The network topology will typically need an active/standby topology. With

3750 Stackwise Upgrades

2010-01-16T12:04:00.007Z

Upgrading a Cisco switch is very easy:Copy IOS image to the flash drive on the switch.Point the boot statement at the new image.Reboot the switch.The 3750 stack is made up of several physical devices with just a single logical management interface so Cisco has implemented the archive-sw command to make upgrading it easy. It doesn't quite work as well as it should and I wouldn't recommend using it

Rapid Spanning Tree Notes

2010-01-11T18:24:00.005Z

Just been reading a bit on RSTP, there are plenty of excellent detailed resources around. Here's my summary.PDF version available hereRapid Spanning Tree - 802.1w Port Roles Role Description Detailed Root Path to root bridge The port that is closest to the root bridge in terms of path cost. Designated

DSL Firewalls and PPP Half Bridges

2010-01-03T01:35:00.007Z

A PPP Half Bridge lets you extend the public IP address of your network into the LAN. This is useful if you have a firewall that doesn't have it's own DSL modem and want to do VPNs.It's also known as DHCP spoofing.Half bridging is a hack where your DSL modem makes the PPPoA connection to your ISP and is issued a public address, then advertises that same IP back on the LAN with a very short DHCP

OSPF Reference Bandwidth Table

2009-12-09T19:13:00.006Z

Comparison of costs that are returned for various size links when the reference bandwidth is changed. OSPF Interface Cost Ref Speed Ref BW Value 10mbit link 100mbit link 1gbit link 10gbit link 100mbit 100 10 1 1

PPPoA Password Retrieval on Netgear DG834

2009-11-29T11:05:00.012Z

I wanted to install a new firewall on my home DSL connection recently, nothing against the Netgear as it works great, but I had a Juniper box that I wanted to try out. The UK uses PPPoA for home DSL connections so you need a username and password to get onto the network.The DG834 has a web interface for management, Netgear's own FAQ has help with retrieving that password if you've lost it. Once

Fixing VirtualBox VRMMRO.r0 Error on Ubuntu

2009-10-31T10:34:00.007Z

I'd just rebuilt my eeepc recently and decided to install Virtualbox. Unfortunately after installing it from the Ubuntu repository it didn't quite work, giving the error "Failed to load VMMR0.r0 (VERR_SYMBOL_NOT_FOUND)".From googling around it quickly became apparent that there's an easy fix, to uncomment a single line in a Makefile and re-compile the Virtualbox kernel modules. Unfortunately the

ASA Site-to-Site VPN Using Certificates from OpenSSL

2009-10-23T19:13:00.005+01:00

To provide increased security over pre-shared keys you can authenticate VPN endpoints using certificates. Ideally this would be using a full PKI solution but a simpler method is available if you don't need revocation.This guide is for the Cisco ASA. As with most things it's a doddle in the ASDM because you can take full advantage of the GUI and be prompted for each step, however I'll show the CLI

OpenSSL CA for VPN Certificates

2009-10-23T17:08:00.008+01:00

The aim of this article is to provide some pointers to getting a certificate authority (CA) up and running with OpenSSL and provide a few handy commands for reference. This will be used in some future articles about certificate based VPNs.To do certificate based VPNs you need a couple of things:A Certificate Authority (CA) that your end devices trust.Host certificates signed by the CA.I'll use

Checkpoint Traffic Sniffing

2009-10-19T19:15:00.003+01:00

There are a couple of handy commands for sniffing traffic on Checkpoint.Tcpdump and fw monitor.The following runs a tcpdump capture on IPSO, snagging the entire packet to a file:tcpdump -s1700 -w output.cap -ni host Without the -s1700 it'll just grab the first part of each packet and not the full contents. If you're running it on a newer platform (e.g. SPLAT) then you can

MPLS: EIGRP as CE-PE Routing Protocol

2009-09-28T19:59:00.004+01:00

Following the OSPF sham links and OSPF as PE-CE routing protocol articles, this entry shows how to use EIGRP as the PE-CE routing protocol.The network topology is as before.EIGRP is fairly easy to configure in this case. The CE router is just configured as per a vanilla EIGRP network with no special entries needed, on router CE1:CE1#show ip int brief | inc upFastEthernet0/0 10.0.255.1

OSPF Sham Links

2009-09-19T09:38:00.007+01:00

If you install a backup link between sites in an MPLS VPN then you can run into problems as shown below.This article follows on from OSPF as a PE-CE routing protocol and uses the same network layout.I've set everything into area 0 to simplify things a bit, however there is now a serial link between the two customer sites. Topology is shown below:Before the link is brought up the routing table on

MPLS: OSPF as PE-CE Routing Protocol

2009-09-19T08:34:00.008+01:00

This article shows a basic configuration for using OSPF as the PE-CE routing protocol. It follows on from the basic VRFs entry and uses the same network topology, with a couple of networks added to represent each sites internal LAN.OSPF uses a hierarchical network structure where normally all areas would be connected directly to area 0. In the case of MPLS VPNs, there is always a redistribution

MPLS Lab #3 -Simple VRFs

2009-09-09T20:20:00.007+01:00

This follows on from the previous article part 2.In this article I'll get the customer sites connected up in a very simple VRF.The first step is to create a VRF for the customer sites to use. This is done by naming it on each PE router, assigning a route distinguisher (RD) and setting route targets (RT) for BGP to use. The simplest way to do this is to allocate the RD in the format AS:nn where AS

Minimal Downtime Checkpoint Upgrade

2009-09-09T17:20:00.004+01:00

This is an old process I worked out for an R55->R65 upgrade on a Nokia VRRP cluster to provide minimal downtime. In lab tests this worked with under a second of lost packets. In reality I wouldn't bet on a busy cluster being upgraded without losing traffic under any circumstances!My preferred method is to wipe everything completely and re-build from config backups rather than try to do software

Useful Checkpoint Commands

2009-09-09T17:03:00.004+01:00

Some useful Checkpoint commands for reference:fw unloadlocal - Unload the local policy.fw stat - Show the policy version that is currently installed.fw log - Show the log file.fw ver - Show the installed Checkpoint version.fw lslogs - List all log files available.fw logswitch - Force a log cycle.cp_conf sic state - Show SIC (secure internal comms) status.cp_conf ha enable/disable - Enable/Disable

MPLS Lab Part 2

2009-09-06T21:31:00.007+01:00

Follows on from part 1.Now to get MP-BGP up and running on the MPLS lab. BGP-4 (as described in RFC 1771) can only carry IPv4 prefixes. RFC 2858 adds multiprotocol capability to BGP-4, which is needed to work with the vpnv4 routes that MPLS uses.vpnv4?In an MPLS network you may have customers with overlapping IP address space. In order to provide unique addressing, a vpnv4 prefix is used

MPLS Lab Part 1

2009-09-06T21:30:00.006+01:00

I'm currently studying MPLS for the CCIP qualification so will be putting up a series of articles on building a basic service-provider network to test various MPLS configurations.The first article puts together a simple WAN running OSPF.The network will look as below:(These diagrams are all created using the excellent open source software dia)The idea here is simply to get the provider part of

Checkpoint Software Blade Architecture

2009-08-24T19:13:00.009+01:00

I received an email this morning from Checkpoint advertising their new software blade architecture.Checkpoint already provide a hardware virtualization platform in the VSX-1, so could this be a blade-center version? No, the blades here are not actual blades in the sense that the rest of the industry uses the term, they are infact software modules.So what is it?It's a "new" architecture to

Caribbean?

2009-07-03T21:31:00.005+01:00

The image below comes from a beach on the west coast of Scotland, taken while visiting one of my clients sites recently.A slight departure from the technical nature of this site, but you've got to stop and enjoy moments like this when they occur:

Locating a host

2009-06-22T19:01:00.010+01:00

Something that often comes in handy is the ability to physically locate hosts on a large campus network from their IP address. This article assumes the device is correctly configured on the network.The steps are:Find the devices MAC address.Locate the STP root bridge.On the root bridge follow the path to the MAC address.1. Find the devices MAC address.The MAC address can be found in the ARP cache

SNMPv3 in CiscoWorks

2009-06-22T17:55:00.011+01:00

A brief article on how I've got SNMPv3 working in older versions of CiscoWorks. This follows on from the SNMPv3 intro.Ciscoworks only allows you to associate a single SNMP user account with each device. The same SNMP user account is used to poll the device and receive traps.The new version of Device Fault Manager apparently has full SNMPv3 support. The older ones don't seem to, but they support

SNMPv3

2009-06-22T17:46:00.007+01:00

Quick article on SNMP version 3, focused on Cisco kit.Previous versions of SNMP were configured using community strings and single-line commands in IOS.SNMPv3 management is more like user/account management and the configuration does not appear in "show run" but is instead hidden in the private config. You access SNMPv3 configuration information via "show snmp x" commands.SNMPv3

Checkpoint to Cisco VPNs #2

2009-06-08T18:42:00.015+01:00

This is part 2 of the article started here. I'll be creating traditional mode VPN rules, because they are less abstracted than VPN communities and a bit easier to understand (in my opinion). There are some complications*.To follow a similar methodology to that used on the Cisco router, the steps are as follows:Define the ISAKMP (phase 1) policy.Define the IPsec (phase 2) policy.Create the

Checkpoint to Cisco VPNs #1

2009-05-24T21:57:00.009+01:00

Article #1 - Intro & Cisco Setup.To show some of the finer points of Checkpoint VPNs I'll rig up a test lab with a site-to-site VPN linking a Cisco IOS router and a Checkpoint R65 splat box.This article is not intended to be a general VPN introduction, rather the specifics of Checkpoint/Cisco interaction.The network will look like this:The local end is using 10.0.0.0/24, the Smart Center sits in

BDPU Guard Vs Filter

2009-05-19T19:17:00.007+01:00

Spanning-tree BPDU Guard or BPDU Filter?A question that has cropped up on more than one occasion is which of these options should be used? BPDU Guard or BPDU filter?You may think it safest to use both, however that isn't the case.BPDU GuardThe port is error disabled when a BPDU is received.BPDU FilterIf the port receives BPDUs then portfast is disabled and it functions as a normal STP port.You

Secure Switchport Template

2009-05-19T18:47:00.012+01:00

There are several reasons why you might want to use a switch port template.Make life easier for administrators.Standardize configuration.Allow people without specific Cisco knowledge to configure ports.Increase security.An example template in macro form:macro name accessportswitchport mode accessswitchport nonegotiateswitchport access vlan 99no cdp enablespanning-tree portfastspanning-tree

Storm Control

2009-05-19T17:17:00.006+01:00

Storm-control is a very useful command for all switch-ports which allows you to set limits for Broadcast and Multicast traffic. When those limits are exceeded, traffic of that type is blocked on the interface until the storm has passed.The configuration for the storm control level as a percentage of the link size is:storm-control {broadcast|multicast} level {level} [level-low]You can also set the