Small servers
A quick note about TCP small servers.
DOC-CD says:
If we port-scan a router before and after enabling the TCP small servers with the command:
R(config)#service tcp-small-servers
we can see that these ports are now open:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.1.0.254):
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
The DOC-CD misses port 13 corresponding to
Let's check if it works:
telnet 10.1.0.254 13
Trying 10.1.0.254...
Connected to 10.1.0.254.
Escape character is '^]'.
Saturday, March 26, 2011 18:09:30-ROME
Connection closed by foreign host.
Great! IOS tells us the time.
telnet 10.1.0.254 19
Trying 10.1.0.254...
Connected to 10.1.0.254.
Escape character is '^]'.
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
telnet 10.1.0.254 7
Trying 10.1.0.254...
Connected to 10.1.0.254.
Escape character is '^]'.
hi!
hi!
hello!
hello!
The traffic sent to the
telnet 10.1.0.254 9
Trying 10.1.0.254...
Connected to 10.1.0.254.
Escape character is '^]'.
junk
junk
trash
UDP small servers work like the TCP ones, just over a different transport protocol.
HTH
https://cisco.6connex.com/portal/cvc/login
Cisco Virtual Connection gives you a front-row view—from your own desk—of innovations that bring people, information, and businesses together. It’s your all-access pass to a multitude of media-rich presentations on the latest networking, collaboration, and data-management solutions for enhancing efficiency and increasing your company’s bottom line. Register now to connect to practical answers, expert advice, and proven solutions on a regular basis, without leaving your office.
Jeremy Cioara on the Value of Earning the CCIE
The 10 Networking Commandments
1. Thou shalt, above all, maintain the integrity of the network.
2. Thou shalt have a long term strategic direction.
3. Thou shalt always opt for quality before expediency.
4. Thou shalt meet the requirements, exceed the expectations and anticipate the needs of users.
5. Thou shalt benefit from a successful implementation by careful project planning.
6. Thou shalt provide reliability, availability and serviceability.
7. Thou shalt maintain detailed, timely and accurate documentation.
8. Thou shalt commit to continuous training.
9. Thou shalt test in a test environment.
10. Thou shalt install and label cables properly.
PPPoE peer ip address
Quick note on PPPoE address assignment.
!!!!! IPCP !!!!!
!!!!! CLIENT
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
end
!!!!! SERVER
ip dhcp-server 10.0.12.1
interface Virtual-Template10
ip address 10.0.32.2 255.255.255.0
peer default ip address dhcp
end
!!!!! DHCP !!!!!
!!!!! CLIENT
interface Dialer1
ip address dhcp
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
end
!!!!! SERVER
interface Virtual-Template10
ip address 10.0.32.2 255.255.255.0
ip helper-address 1.1.1.1
Link on GroupStudy
Autoinstall - Frame Relay
This is the topology for the small lab:

R1 is a TFTP server; it stores R3's configuration in flash.
R3 has no configuration.
R2's interface is configured as follows:
interface Serial1/0
ip address 10.0.23.2 255.255.255.0
ip helper-address 1.1.1.1
encapsulation frame-relay
ip ospf network broadcast
ip ospf 1 area 0
serial restart-delay 0
frame-relay map ip 10.0.23.3 203 broadcast
end
When R3 starts, the autoinstall process looks for a configuration:
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: no
Please Wait. Autoinstall being attempted over Serial1/0 !!!!!!!!!!!
We can see what happens by debugging TFTP on R1:
R1#
*Mar 1 00:50:52.399: TFTP: Looking for cisconet.cfg
R1#
*Mar 1 00:51:13.423: TFTP: Looking for router-confg
R1#
*Mar 1 00:51:14.443: TFTP: Looking for ciscortr.cfg
R1#
*Mar 1 00:51:16.463: TFTP: Looking for network-confg
*Mar 1 00:51:16.467: TFTP: Opened flash:R3-confg, fd 0, size 2075 for process 194
*Mar 1 00:51:16.535: TFTP: Finished flash:R3-confg, time 00:00:00 for process 194
*Mar 1 00:51:16.539: TFTP: Looking for network-confg
*Mar 1 00:51:16.543: TFTP: Opened flash:R3-confg, fd 0, size 2075 for process 194
*Mar 1 00:51:16.587: TFTP: Finished flash:R3-confg, time 00:00:00 for process 194
R1#
*Mar 1 00:51:36.475: TFTP: Looking for r3-confg
R1#
*Mar 1 00:51:38.523: TFTP: Looking for r3-confg
Notice that after loading "network-confg" the router looks for a more specific file "r3-confg". If the second file is found, the two configurations are merged.
So the order is:
- cisconet.cfg
- router-confg
- ciscortr.cfg
- network-confg
- hostname-confg (r3-confg in this lab)
I'm using C3725-ADVENTERPRISEK9-M; other IOS images could use different names or a different order, I don't know.
On R3 we can see that it has been configured via autoinstall from R1:
*Mar 1 00:02:44.827: %SYS-5-CONFIG_I: Configured from tftp://1.1.1.1/network-confg by console
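A small audit script, added here and not part of the original post, that reconstructs the autoinstall lookup sequence from the TFTP debug lines above: which names the client asked for, which ones were actually served from flash, and whether anything served is outside the set of configs this TFTP server is supposed to publish. The sample input is the page's own debug output, embedded as a constructed string.

```python
import re

# Constructed sample: the "debug tftp" lines R1 printed on this page, with the
# interleaved "R1#" prompt lines left in to show the parser ignores them.
R1_DEBUG = """\
R1#
*Mar 1 00:50:52.399: TFTP: Looking for cisconet.cfg
R1#
*Mar 1 00:51:13.423: TFTP: Looking for router-confg
*Mar 1 00:51:14.443: TFTP: Looking for ciscortr.cfg
*Mar 1 00:51:16.463: TFTP: Looking for network-confg
*Mar 1 00:51:16.467: TFTP: Opened flash:R3-confg, fd 0, size 2075 for process 194
*Mar 1 00:51:16.535: TFTP: Finished flash:R3-confg, time 00:00:00 for process 194
*Mar 1 00:51:36.475: TFTP: Looking for r3-confg
*Mar 1 00:51:38.523: TFTP: Looking for r3-confg
"""

LOOKING = re.compile(r"TFTP: Looking for (\S+)")
OPENED = re.compile(r"TFTP: Opened (\S+), fd \d+, size (\d+) for process (\d+)")

def audit_tftp(debug_text):
    """Reconstruct what an autoinstall client asked for and what was served.
    Returns (lookups, served): lookups is the distinct requested names in
    first-seen order; served maps a requested name to (flash file, size).
    A 'Looking for' that is not followed by 'Opened' was a miss (file absent)."""
    lookups, served, pending = [], {}, None
    for line in debug_text.splitlines():
        m = LOOKING.search(line)
        if m:
            pending = m.group(1)
            if pending not in lookups:
                lookups.append(pending)
            continue
        m = OPENED.search(line)
        if m and pending is not None:
            served[pending] = (m.group(1), int(m.group(2)))
            pending = None   # the outstanding request has been satisfied
    return lookups, served

def misses(lookups, served):
    """Names the client tried that the server did not have."""
    return [name for name in lookups if name not in served]

def unexpected_serves(served, allowed):
    """Defender check: flash files handed out that are not on the allow-list
    of configs this TFTP server is meant to publish."""
    return sorted(path for path, _ in served.values() if path not in allowed)
```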
Autoinstall - LAN
Starting from the DOC-CD as usual, we focus on the LAN implementation first.
You can find HERE the flowchart of the autoinstall process.
This guide is quite clear too:
AutoInstall Using DHCP for LAN Interfaces
This is the topology we'll use:

R1 and R2 will start without configuration.
R3 is the DHCP server that provides TFTP information to R1 and R2.
R4 acts as the TFTP server that stores the configurations.
First step: configure DHCP pool on R3:
ip dhcp pool R1
host 10.0.123.1 255.255.255.0
client-identifier 0063.6973.636f.2d63.3230.302e.3636.6262.2e30.3030.302d.4661.302f.30
option 150 ip 4.4.4.4
option 67 ascii R1-confg
default-router 10.0.123.3
Do you prefer an easier client identifier? Read THIS blog post from Ivan Pepelnjak.
The pool defines a reserved IP address to be assigned to R1. We provide a default router and a couple of options: option 150 defines a TFTP server and option 67 defines the filename to look for.
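The long client-identifier in the pool is not opaque: decoding the two identifiers on this page shows a 0x00 type octet followed by the ASCII string "cisco-<mac>-<short interface name>". The helper below, added here and not part of the original post, builds and decodes that value so a reservation can be generated from a known MAC and interface instead of copied from a debug capture; the MAC addresses are the ones decoded from the page's pools.

```python
import re

IOS_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def dotted_hex(raw: bytes) -> str:
    """Render bytes the way IOS prints a client-identifier: hex digits in
    groups of four separated by dots (the last group may be shorter)."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))

def ios_client_identifier(mac: str, ifname: str) -> str:
    """Client-identifier an IOS router sends during AutoInstall on a LAN port.
    Layout decoded from the two pools on this page: a 0x00 type octet followed
    by the ASCII string 'cisco-<mac>-<short interface name>'."""
    mac = mac.lower()
    if not re.fullmatch(IOS_MAC, mac):
        raise ValueError("mac must be in IOS dotted form, e.g. c200.66bb.0000")
    return dotted_hex(b"\x00" + f"cisco-{mac}-{ifname}".encode("ascii"))

def decode_client_identifier(cid: str):
    """Inverse: return (mac, ifname) from a dotted-hex client-identifier."""
    raw = bytes.fromhex(cid.replace(".", ""))
    if raw[:1] != b"\x00":
        raise ValueError("not a type-0 (non-hardware) client identifier")
    m = re.fullmatch(rf"cisco-({IOS_MAC})-(.+)", raw[1:].decode("ascii"))
    if not m:
        raise ValueError("not an IOS autoinstall client identifier")
    return m.group(1), m.group(2)

if __name__ == "__main__":
    # R1's FastEthernet0/0: the MAC decoded from the page's "ip dhcp pool R1"
    print(ios_client_identifier("c200.66bb.0000", "Fa0/0"))
```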
Second step: configure R4 as TFTP server:
R4(config)#tftp-server flash:R1-confg
The config file for R1 is stored in R4's flash.
Now we erase the configuration on R1 and reload it:
R1#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[confirm]
[OK]
Erase of nvram: complete
R1#reload
R1 starts without a config file and requests an IP address via DHCP:
*Mar 1 00:00:29.735: AUTOINSTALL: FastEthernet0/0 is assigned 10.0.123.1
Together with the IP address, R1 gets some options, so it looks for the TFTP server 4.4.4.4:
*Mar 1 00:00:29.739: AUTOINSTALL: Obtain tftp server address (opt 150) 4.4.4.4
Option 67 tells R1 to download the config file R1-confg:
*Mar 1 00:00:49.291: %SYS-5-CONFIG_I: Configured from tftp://4.4.4.4/R1-confg by console
We can see the TFTP request on R4:
R4#
Mar 2 23:20:14.226: TFTP: Looking for R1-confg
Mar 2 23:20:14.230: TFTP: Opened flash:R1-confg, fd 0, size 1989 for process 244
Mar 2 23:20:14.374: TFTP: Finished flash:R1-confg, time 00:00:00 for process 244
This is the capture of the request coming from R1 to R4:

We can get the same result using option 66 "Server-Name" instead of option 150. In that case we must also provide a DNS server via DHCP, since option 66 carries a name rather than an address.
Let's do it using R2 as DHCP client. Create DHCP pool on R3:
ip dhcp pool R2
host 10.0.123.2 255.255.255.0
client-identifier 0063.6973.636f.2d63.3230.312e.3636.6262.2e30.3030.302d.4661.302f.30
default-router 10.0.123.3
option 66 ascii tftp.ifconfig.it
option 67 ascii R2-confg
We configure R3 as DNS server too:
R3(config)#ip host tftp.ifconfig.it 4.4.4.4
R3(config)#ip dns server
Now we can erase startup-config and reload R2.
On R2:
Translating "tftp.ifconfig.it"...domain server (255.255.255.255) [OK]
Loading R2-confg from 4.4.4.4 (via FastEthernet0/0): !
[OK - 1923 bytes]
*Mar 1 00:00:16.863: AUTOINSTALL: FastEthernet0/0 is assigned 10.0.123.2
*Mar 1 00:00:16.863: AUTOINSTALL: Obtain tftp server name tftp.ifconfig.itresolved to 4.4.4.4
*Mar 1 00:00:26.459: %SYS-5-CONFIG_I: Configured from tftp://tftp.ifconfig.it/R2-confg by console
On R4:
Mar 1 00:25:26.647: TFTP: Looking for R2-confg
*Mar 1 00:25:26.651: TFTP: Opened flash:R2-confg, fd 0, size 1923 for process 245
*Mar 1 00:25:26.719: TFTP: Finished flash:R2-confg, time 00:00:00 for process 245
Everything worked as expected.
USEFUL LINKS:
DHCP options are assigned by IANA, full list HERE.
How to use the MAC address as client-id is explained HERE on the ioshints blog. There are plenty of posts about DHCP.
RMON and MIBs
RMON is generally an easy task; it can be tricky, but on CCIE workbooks the tasks are usually fair.
The hardest part for me is to find the MIB to monitor.
This is the task: monitor interface Vlan1; send a trap if it receives more than 100 packets in 30 seconds, and send a trap if it drops below 50 packets in 30 seconds.
First step: find Vlan1 ifindex.
R#sh snmp mib ifmib ifindex
Vlan99: Ifindex = 10
Virtual-Access2: Ifindex = 13
FastEthernet4: Ifindex = 5
FastEthernet0: Ifindex = 1
FastEthernet2: Ifindex = 3
Loopback0: Ifindex = 12
Null0: Ifindex = 6
Virtual-Access1: Ifindex = 11
Vlan1: Ifindex = 7
Virtual-Template1: Ifindex = 9
NVI0: Ifindex = 8
FastEthernet1: Ifindex = 2
FastEthernet3: Ifindex = 4
So Vlan1 has ifIndex value 7.
Now, how do we find the MIB object for incoming packets?
My method is to grep the output of the command "sh snmp mib", and it usually works:
R#sh snmp mib | i ifIn
ifIndex
ifInOctets
ifInUcastPkts
ifInNUcastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifInMulticastPkts
ifInBroadcastPkts
Here it is: "ifInUcastPkts" looks like the right MIB entry.
Since we're looking for the entry related to Vlan1, ifIndex 7, we should use "ifInUcastPkts.7" on the rmon command.
R(config)#rmon alarm 1 ifInUcastPkts.7 30 delta rising-threshold 100 1 falling-threshold 50 2 owner ADMIN
If we write a wrong SNMP object we get an error like "Unknown object:".
If you know a better method write me.
And remember: even if it's not required, don't forget to apply
R(config)#snmp-server ifindex persist
since ifIndex values could change at the next reboot, breaking our configuration.
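To see what the rmon alarm above actually does with the counter, here is a simulation of a delta-mode RMON alarm (RFC 2819 alarmTable semantics), added here and not part of the original post. It feeds a constructed series of ifInUcastPkts.7 readings taken every 30 seconds through the rising/falling rule, including the hysteresis that keeps the same threshold from firing twice in a row and the Counter32 wrap that a raw subtraction would get wrong. Note that the simulation only knows the counter instance by its number, which is exactly why the "snmp-server ifindex persist" step matters.

```python
COUNTER32 = 1 << 32

def rmon_delta_alarm(samples, rising, falling, rising_event=1, falling_event=2):
    """Simulate an RMON alarm in delta mode, as configured on this page:
      rmon alarm 1 ifInUcastPkts.7 30 delta rising-threshold 100 1 falling-threshold 50 2
    samples: raw ifInUcastPkts.7 values read once per 30 s sampling interval.
    Each interval the delta is compared with the thresholds (RFC 2819 alarmTable):
    a rising event fires when delta >= rising, a falling event when delta <= falling,
    and after one direction fires the same direction stays silent until the
    opposite one has fired. Returns [(interval_index, event_number), ...]."""
    fired = []
    last = None                       # direction of the last event that fired
    for i in range(1, len(samples)):
        # modulo arithmetic handles a Counter32 wrap between two samples
        delta = (samples[i] - samples[i - 1]) % COUNTER32
        if delta >= rising and last != "rising":
            fired.append((i, rising_event))
            last = "rising"
        elif delta <= falling and last != "falling":
            fired.append((i, falling_event))
            last = "falling"
    return fired

if __name__ == "__main__":
    # constructed readings: bursts above 100 and lulls below 50 per 30 s
    print(rmon_delta_alarm([0, 120, 160, 300, 320, 330, 500], 100, 50))
```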
Snmp v3
The history and security of the various SNMP versions are easy to find and well known; let's focus on configuration.
SNMPv3 can work in three ways:
- noAuthNoPriv
- authNoPriv
- authPriv
For the tests I use a Cisco 871 as SNMP server and an OS X computer to walk the MIBs.
noAuthNoPriv
No authentication, no encryption
Router configuration:
R(config)#snmp-server view noAuthNoPriv internet included
R(config)#snmp-server user user1 noAuthNoPriv v3
R(config)#snmp-server group noAuthNoPriv v3 noauth read noAuthNoPriv
Query from OSX:
snmpwalk -v 3 -l noAuthNoPriv -u user1 10.1.0.254
As we can see in the screenshot, the data is not encrypted and the username is cleartext:

Now we implement the first security level, authentication.
authNoPriv
Authentication required, data is not encrypted
Router configuration:
R(config)#snmp-server user user2 authNoPriv v3 auth sha CISCO123
R(config)#snmp-server group authNoPriv v3 auth read authNoPriv
R(config)#snmp-server view authNoPriv internet included
Query from OSX:
snmpwalk -v 3 -a SHA -A CISCO123 -l authNoPriv -u user2 10.1.0.254
The capture now shows "Authenticated: Set"; we can still see the username "user2".

Next step: privacy (encryption).
authPriv
Authentication required, data is encrypted
Router configuration:
R(config)#snmp-server user user3 authPriv v3 auth sha CISCO123 priv aes 128 CISCO123
R(config)#snmp-server view authPriv internet included
R(config)#snmp-server group authPriv v3 priv read authPriv
Query from OSX:
snmpwalk -v 3 -a SHA -A CISCO123 -x AES -X CISCO123 -l authPriv -u user3 10.1.0.254
The capture shows that encryption is enabled now:

SNMP is often referred to as "Security is Not My Problem"; v3 gives us an acceptable security level to use it with confidence.
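What "auth sha CISCO123" and "priv aes 128 CISCO123" turn into on the wire is worth seeing once. The following is an added example, not code from the original post or from Cisco: it implements the RFC 3414 password-to-key stretching and engine-ID localization that both the router and snmpwalk perform, and the truncated HMAC-SHA that fills msgAuthenticationParameters (the field behind "Authenticated: Set"). The engine ID in the usage block is a constructed placeholder; a real one comes from "show snmp engineID".

```python
import hashlib
import hmac

def password_to_key_sha(password: bytes) -> bytes:
    """RFC 3414 A.2.2: stretch the password to 1 MiB by repetition, then SHA-1.
    This is what the agent does with 'auth sha CISCO123'; the password itself
    never crosses the wire in any of the three security levels."""
    reps = 1048576 // len(password) + 1
    stretched = (password * reps)[:1048576]
    return hashlib.sha1(stretched).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = SHA-1(Ku || snmpEngineID || Ku). Binding the key to one
    engine means a key recovered from one agent is useless against another."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def usm_sha_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes):
    """Localized keys for an authPriv user like user3 above: the 20-byte
    HMAC-SHA authentication key and the AES-128 privacy key, which is the
    first 16 bytes of the privacy password's own localized key."""
    auth_key = localize_key(password_to_key_sha(auth_password), engine_id)
    priv_key = localize_key(password_to_key_sha(priv_password), engine_id)[:16]
    return auth_key, priv_key

def auth_parameter(auth_key: bytes, whole_msg: bytes) -> bytes:
    """msgAuthenticationParameters for usmHMACSHAAuthProtocol: HMAC-SHA-1 over
    the whole message (computed with the 12 parameter bytes zeroed), truncated
    to 12 bytes. Without the localized key a receiver cannot verify or forge it."""
    return hmac.new(auth_key, whole_msg, hashlib.sha1).digest()[:12]

if __name__ == "__main__":
    # constructed placeholder engine ID; use the agent's real one in practice
    engine = bytes.fromhex("800000090300c20066bb0000")
    auth_key, priv_key = usm_sha_keys(b"CISCO123", b"CISCO123", engine)
    print("auth key:", auth_key.hex())
    print("priv key:", priv_key.hex())
```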
Conditional debug
R#debug condition ?
called called number
calling calling
card card
glbp interface group
interface interface
ip IP address
mac-address MAC address
match-list apply the match-list
standby interface group
username username
vcid VC ID
vlan vlan
xconnect Xconnect conditional debugging on segment pair
A quick example: filter RIP events only for interface Serial1/1.
We just need to enable a debug condition for interface S1/1:
R#debug condition interface s1/1
and enable rip events debug:
R#debug ip rip events
LINK