Archive for the ‘Tips’ Category

univercd – Cisco documentation resource locator

August 22, 2010

I was looking for some details on a 2800 router and, as always, started with Google. I found all kinds of results, some good and close (but general; I had to find a 2800-specific document) and some far, far away. Then I remembered that there is one place I didn't check: Cisco's main documentation site, univercd.

Since I get many questions about finding documents, I think it is worth a post.

So what’s the story here? This is the official explanation:

Beginning May 14, 2007, Cisco will begin migrating product documentation from the Cisco Connection
Online (CCO) Documentation site to the Cisco Technical Support and Documentation site on Cisco.com.
As documents are migrated, they are replaced with redirects to the new locations. Please update your
bookmarks to reflect new document URLs. Additionally, new product documentation will begin to appear
only on the Technical Support and Documentation site.

Simple, right?
Search by hardware type on the left or software type on the right (Routers -> Modular Access Routers in my case, for the 2800 series), then choose the specific series (Cisco 2800 Series Integrated Services Routers was my choice) and you get all the main documentation topics right away:

I was a click away from the item I was looking for, Connecting a USB Module to the Router USB Port, and it all took about 10 seconds (including the site redirection wait time). I admit, sometimes it takes a bit longer to find what you're looking for, but even then it will most likely be faster than any other search option when you need an official document.

Oh, you ask about the USB eToken? That will have to wait for the next post.


Free CCNA Workbook

August 19, 2010

With comprehensive labs and a great video series, this website offers a much-needed free CCNA resource. Matthew George, the founder, did amazing work for the good of all the CCNA candidates out there, so spread the word.

This is part of the intro:

Our mission is to provide quality CCNA lab training materials to assist you as an individual in pursuit of the Cisco Certified Network Associate Certification. The CCNA certification is a globally recognized certification awarded by Cisco Systems to display associate level knowledge of network engineering skills; skills which include a basic understanding and ability to design, implement and maintain networks that utilize technologies such as Frame Relay, Virtual LAN’s, STP, VTP, ISL, Dot1q, Port Security, Static Routes, RIP, EIGRP, OSPF, Access Control List and much much more.

show interface history command

July 31, 2010

Today I want to show a command that was introduced with IOS 15.1T. Using it upgrades your troubleshooting capabilities, since you can (finally) look back at decent historical data at the interface level.

My home lab uses old equipment that is not supported by this IOS version but fortunately enough I had access to a lab router (2800 series) that was loaded with this latest and greatest version.

So here are a few notes on the show interface history command:
To begin with, this command collects utilization history and shows it in a (Cisco kind of) graphical representation. If you're familiar with the show processes cpu history command you know what I'm talking about. Another similarity to the CPU command is the set of time frames: last 60 seconds, last 60 minutes and last 72 hours. Since it's an interface command, though, you get two graphs per time frame: input and output.
The data can be shown in packets per second (pps) or bits per second (bps); both are useful when you try to get a better understanding of what's going on with your interface.

Check this example (followed by explanation):

Lab65R2# show interface gigabitethernet 1/1 history 60min

      3689548755356314774665664876546
   10
    9    *
    8   **  *                  *
    7   *#  #*        **       #*
    6  *##  ##    #   ## #* ** ##*  *
    5  #### #### *#   ## ##### ###* *
    4  ######### ##  *#############**
    3 ############## ###############*
    2 ############## ################
    1 ###############################
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
      3333333333333333333333333333331
Mlcst 556555555565555555555565535555700000000000000000000000000000
      22322111111     121221211211
      57149774766867 133175814422022
iDrop 425727636317619265454496840996600000000000000000000000000000
      GigabitEthernet1/1 input rate(mbits/sec)  (last 60 minutes)
      * = maximum   # = average

As you can see, it's not so pretty, but it does offer some useful troubleshooting information.
This is one example of input history for the 60-minute time frame. Under the graph you can see the number of multicast packets (Mlcst) and input drops (iDrop), both per minute. Each counter is printed one digit per row: the labelled row holds the ones digits for all 60 minutes, and the unlabelled rows above it hold the tens and hundreds digits only for the minutes that need them, so read each column top to bottom (the first Mlcst column above reads 3 over 5, i.e. 35 packets). To get the total you'll have to work a bit and add up the columns one by one. The graph itself shows the rate per minute, with the average (#) and maximum (*) marked.
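
Adding up those stacked columns by hand is error-prone, so here is a small parser, added for this post rather than taken from it, that reads the counter rows under the graph into per-minute integers and totals them. The text it parses is transcribed from the output above with the leading spaces restored (constructed input, not a new capture), and the only layout assumption it makes is the one visible there: the labelled row carries the ones digits and the unlabelled rows above it carry the higher-order digits.

```python
"""Parse the per-minute counters printed under an IOS 'show interfaces ... history' graph.

Added example, not code from the original post. SAMPLE is transcribed from the
60-minute output above with its leading spaces restored (constructed input);
the layout it assumes, a labelled row of ones digits with the tens and hundreds
digits stacked in unlabelled rows above it, is the one visible in that output.
"""
import re

SAMPLE = "\n".join([
    "Lab65R2#show interface gigabitethernet 1/1 history 60min",
    "",
    "      3689548755356314774665664876546",
    "   10",
    "    9    *",
    "    8   **  *                  *",
    "    7   *#  #*        **       #*",
    "    6  *##  ##    #   ## #* ** ##*  *",
    "    5  #### #### *#   ## ##### ###* *",
    "    4  ######### ##  *#############**",
    "    3 ############## ###############*",
    "    2 ############## ################",
    "    1 ###############################",
    "     0....5....1....1....2....2....3....3....4....4....5....5....6",
    "               0    5    0    5    0    5    0    5    0    5    0",
    "      " + "3" * 30 + "1",                                    # Mlcst: tens digits
    "Mlcst " + "5565555555" + "6555555555" + "5655355555" + "7" + "0" * 29,
    "      " + "22322111111" + " " * 5 + "121221211211",          # iDrop: hundreds digits
    "      " + "57149774766867" + " " + "133175814422022",        # iDrop: tens digits
    "iDrop " + "4257276363" + "1761926545" + "4496840996" + "6" + "0" * 29,
    "      GigabitEthernet1/1 input rate(mbits/sec)  (last 60 minutes)",
    "      * = maximum   # = average",
])

AXIS_RE = re.compile(r"0\.\.\.\.5\.\.\.\.1")                          # minute axis under the graph
LABEL_RE = re.compile(r"^(?P<label>[A-Za-z]\S*)\s+(?P<digits>\d+)\s*$")  # labelled row = ones digits
STACK_RE = re.compile(r"^[ \d]+$")                                      # unlabelled higher-order rows


def parse_history_counters(text):
    """Return {label: [60 per-minute integers]} for every counter block under the graph."""
    lines = text.splitlines()
    axis = next(i for i, line in enumerate(lines) if AXIS_RE.search(line))
    counters, stack = {}, []
    for line in lines[axis + 2:]:            # skip the axis row and the minute labels under it
        m = LABEL_RE.match(line)
        if m:
            offset, ones = m.start("digits"), m.group("digits")
            values = []
            for col, low in enumerate(ones):
                # read the column top to bottom; a blank cell means "no digit here"
                high = "".join(row[offset + col].strip() if offset + col < len(row) else ""
                               for row in stack)
                values.append(int(high + low))
            counters[m.group("label")] = values
            stack = []
        elif not line.strip():
            continue
        elif STACK_RE.match(line):
            stack.append(line)
        else:
            break                            # the "... input rate ..." footer ends the counter area
    return counters


def summarize(values):
    """Total, peak, the 1-based minute of the peak and how many minutes had a non-zero count."""
    peak = max(values)
    return {"total": sum(values), "peak": peak, "peak_minute": values.index(peak) + 1,
            "active_minutes": sum(1 for v in values if v)}


if __name__ == "__main__":
    for label, values in parse_history_counters(SAMPLE).items():
        print(label, summarize(values))
```

Running it on the sample gives 31 active minutes for both counters (the graph only has 31 columns of data), with the multicast total and the drop peak and its minute coming straight out of summarize; the same function works on the 60sec and 72hour views, since they use the same stacked layout.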

To summarize, this is not one of those commands that you'll use on a daily basis, but when the time comes and you have a problem it will come in handy and might shed some light on traditionally dark corners.

Home Lab – NTP and logging

July 18, 2010

I got a few emails asking for basic troubleshooting steps and tips. I'll dedicate a few posts over the next weeks to some simple, basic (yet very important) steps.

Today I’m working on some little things that at some point make a big difference: Date & Time.

What? Who cares about it?!
Right? Wrong!
Setting the time on all your devices is critical when troubleshooting: you cannot correlate events between devices whose clocks disagree. Use the same method across the whole organization so every log can be lined up. I'll start with the 'how':

ITDualism1(config)#ntp server 192.168.1.6 prefer
ITDualism1(config)#ntp server time-a.nist.gov
ITDualism1(config)#ntp server 0.north-america.pool.ntp.org

The basic command sets an IP address or hostname as the time server. I used my PC, which I always keep on, as the preferred source and added a couple of outside sources (I typed in the names; the router resolved them to IP addresses). In a production environment use whatever device provides NTP service internally, or an outside source. Make sure you allow UDP port 123 traffic between the routers and the NTP server. Keep in mind that plain NTP is unauthenticated: for servers you control, IOS can authenticate the exchange (ntp authenticate, ntp authentication-key and ntp trusted-key), and ntp access-group limits which hosts may query or sync from the router.
Use the ntp command help for many more options; it is a small feature that allows great flexibility, which you'll need in a complex environment.

The next step is to verify that the clock actually synchronized. On a router that was just installed (or turned on) you can use show clock and check the time (unless you're in 1993 :)). On a production router use either show ntp status or show ntp associations:

ITDualism1#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~64.90.182.55     172.31.32.1       5    29  1024  377     4.2   -8.59     1.6
+~153.16.4.136     192.168.1.111     3    69   128  377     4.1    3.48     2.3
*~192.168.1.6      192.168.1.111     3    32   128  377     7.9   11.18     3.6
 ~129.6.15.28      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

The * marks the peer the router is actually synced to (192.168.1.6 here). reach is an octal shift register of the last eight polls, so 377 means all eight were answered. The last line is the failure case to recognise: stratum 16 with reach 0 means the router has never heard back from that server, usually because UDP port 123 is blocked on the way or the address is wrong.
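
Reading those flags by eye is fine for one router and tedious for fifty, so here is an added script (mine, not from the post) that parses show ntp associations output and reports whether the router is synced and which configured servers are dead. The table it parses is the one above, re-typed with plain spaces (constructed input); the 100 ms offset threshold is an assumption.

```python
"""Check 'show ntp associations' output: is the router synced, and which servers are dead?

Added example, not code from the original post. SAMPLE is the table from the
post re-typed with plain spaces (constructed input); the 100 ms offset
threshold is an assumption.
"""
import re

SAMPLE = """\
ITDualism1#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~64.90.182.55     172.31.32.1       5    29  1024  377     4.2   -8.59     1.6
+~153.16.4.136     192.168.1.111     3    69   128  377     4.1    3.48     2.3
*~192.168.1.6      192.168.1.111     3    32   128  377     7.9   11.18     3.6
 ~129.6.15.28      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# flags, address, ref clock, stratum, when, poll, reach, delay, offset, disp
ASSOC_RE = re.compile(
    r"^(?P<flags>[*#+\-~]*)(?P<addr>\d+(?:\.\d+){3})\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)"
)


def parse_associations(text):
    """One dict per peer row; prompt, header and legend lines are ignored."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        peers.append({
            "address": m.group("addr"),
            "stratum": int(m.group("st")),
            "master": "*" in flags,                      # the peer the clock is synced to
            "candidate": "+" in flags or "-" in flags,
            # reach is an octal shift register of the last eight polls: 377 = all answered
            "answered_polls": bin(int(m.group("reach"), 8)).count("1"),
            "offset_ms": float(m.group("offset")),
        })
    return peers


def check_ntp(text, max_offset_ms=100.0):
    """Return the synced master (if any), the peer count and a list of problems."""
    peers = parse_associations(text)
    masters = [p for p in peers if p["master"]]
    problems = []
    if not masters:
        problems.append("no synced master: the clock is free-running")
    for p in peers:
        if p["stratum"] == 16:
            problems.append(f"{p['address']}: stratum 16, never heard from "
                            "(UDP 123 blocked, wrong address or dead server)")
        elif p["answered_polls"] < 8:
            problems.append(f"{p['address']}: only {p['answered_polls']} of the last 8 polls answered")
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{p['address']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    return {"synced_to": masters[0]["address"] if masters else None,
            "peers": len(peers), "problems": problems}


if __name__ == "__main__":
    print(check_ntp(SAMPLE))
```

On the table above it reports 192.168.1.6 as the master and a single problem, the stratum-16 entry for 129.6.15.28, which is exactly the "did you open UDP 123?" question from the configuration step.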

One last note on time and date. If your organization spans several time zones, set the correct time zone per site or use UTC on all the routers. I set my clock to NYC time:

ITDualism1(config)#clock timezone EDT -5

Note that UTC-5 is Eastern Standard Time; if you want the router to follow daylight saving, use clock timezone EST -5 together with clock summer-time EDT recurring. Keeping every device on UTC avoids the question entirely and matches what most external logs use.

Now that the time is synced I'll configure logging. As I mentioned, time and date have a major role when you troubleshoot your routers: when you log events and analyze the data, your goal is to capture the events that happened at the same time across the network and understand what was going on.

The best way to start is installing a Syslog server. I’ve used KIWI’s Syslog server for years but any other server would be just as good. Make sure you have the IP address of the server and go back to your console.

If you never used the logging command check the help option and take a look at my configuration:

ITDualism1(config)#logging 192.168.1.6
ITDualism1(config)#logging trap
ITDualism1(config)#service timestamps log datetime
ITDualism1(config)#snmp-server enable traps config

The first command configures 192.168.1.6 (my PC) as the syslog destination, logging trap sets the severity level sent to it (informational when no level is given) and service timestamps log datetime stamps every message with the date and time (add msec, localtime and show-timezone if you want millisecond resolution and an unambiguous zone). The last command is a different animal: it enables an SNMP trap on configuration changes, which only goes somewhere if an snmp-server host is configured, so don't expect to see it on the syslog server. This is just a sample of the options; since many parameters should be considered when you build your routers (and switches), spend a few minutes asking yourself what your goal is and how much data you want to log, and fine-tune as you go.

Home Lab – login configuration

July 15, 2010

Now that my lab is up and all the pieces are connected, it is time to get off the console cable and out of the tight room at the lab area, and relax on my sofa with a great view of the AC.

In a production environment you always strive for maximum security, and when it comes to remote access to routers that means SSH (if you know nothing about it, start here). Since my lab uses some older routers I have to compromise, but luckily I enjoy both worlds and can show you how to configure SSH. Keep in mind that (like many other commands) the syntax might differ a bit between IOS versions, but the key components will always be the same.

Out of the 3 routers only my 2621 supports SSH. I picked this order of commands to create some of the messages you might see on the way. I'll explain each of them following the output.

ITDualism1(config)#ip ssh time-out 120
Please create RSA keys to enable SSH.

ITDualism1(config)#ip ssh authentication-retries 3
Please create RSA keys to enable SSH.

The first two commands set the authentication timeout (the time allowed for the SSH authentication phase, up to 120 seconds; this is not an idle timeout) and the number of authentication retries (0-5). Although the router prompted me to create RSA keys, both commands went through and the values are stored. Now it's time to create the key:

ITDualism1(config)#crypto key generate rsa usage-keys
% Please define a domain-name first.

As you can see, a domain name is a prerequisite, and the router couldn't create the key.

ITDualism1(config)#ip domain-name ITDUALISM
ITDualism1(config)#crypto key generate rsa usage-keys
The name for the keys will be: ITDualism1.ITDUALISM
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 768
Generating RSA keys ...
[OK]
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
Generating RSA keys ...
[OK]

Now that the domain name is configured, I could create the key. The reason I chose 768 bits is that it is the minimum IOS requires for SSH version 2. At this point I don't know whether the router supports SSHv2, but I want to keep the option open. Keep in mind that 768-bit RSA offers no real security today: a 768-bit modulus was publicly factored in 2009, and current guidance is 2048 bits or more, which any router that supports SSHv2 can generate. Larger keys cost CPU time at generation and per session, so weigh the hardware specs, the expected load and your security requirements, but don't go below 2048 bits on anything that matters. Also note that usage-keys creates two key pairs (one for signatures, one for encryption), which is why you are prompted twice; a single general-purpose pair (crypto key generate rsa without usage-keys) is what most deployments use. This is a good size selection document.

To complete this step I’ve used the show ip ssh command to verify both version and configuration:

ITDualism1#show ip ssh
SSH Enabled – version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

As you can see, this router does not support SSHv2: version 1.5 means SSHv1 only (a router that supports both reports 1.99, and one forced to version 2 reports 2.0). The parameters I set do show, despite the messages I got when I typed them.

The next step is configuring remote access using ssh. Like access-list (and other features), configuring the parameters doesn’t mean we use the feature and we have to configure it on the required lines:

ITDualism1(config)#line vty 0 4
ITDualism1(config-line)#transport input all

In this case I allow access to vty 0 4 using all protocols, including SSH and telnet. That is fine for a lab, but telnet sends the password in clear text, so on anything that matters restrict the line with transport input ssh once you have confirmed that SSH works (and keep a console session open while you test). I'll show the other options with my 2611 routers. At this point SSH is ready and I was able to connect:

This is the standard message you expect to see when you connect via SSH for the first time from a new computer: the client is asking you to trust the router's host key. Clicking 'Yes' stores the key and gets you to the login screen, and you're good to go. Accepting blindly is the one weak moment of SSH, though: if someone is already in the middle you have just trusted their key, and you will only notice when the fingerprint changes later.

Older routers do not support SSH. A few ways to check are shown below:

ITDualism2(config)#ip s?
sap  security  source-route  subnet-zero

The ssh command that we used on the 2621 router is not available.

ITDualism2(config-line)#transport input ?
all     All protocols
none    No protocols
pad     X.3 PAD
rlogin  Unix rlogin protocol
telnet  TCP/IP Telnet protocol
udptn   UDPTN async via UDP protocol
v120    Async over ISDN

Once again, you can see the list of all the available protocols for remote connection and ssh is not one of them.
The last piece I want to show is how to configure the protocol for the line:

ITDualism2(config-line)#transport input {all | none | pad | rlogin | telnet | udptn | v120}
ITDualism2(config-line)#transport preferred telnet

In this example I allow all protocols but configured telnet as the preferred protocol. Note that transport preferred only affects outgoing connections started from this line: it specifies which protocol the router tries first when you type a hostname or address at the EXEC prompt without a command, and if the address or service does not match that protocol, the other valid output protocols are searched for a match. It does not restrict what remote users may use to get in; that is what transport input does. A common tip is transport preferred none, which stops the router from trying to telnet to every mistyped command.

You can find some good reading from Cisco here, here and here. You might also want to look at this guide.

OFF TOPIC – Notepad.cc

June 18, 2010

Squeezed between my new job and the World Cup I hardly got on-line this week.

One cool thing I did see is a website that offers a notepad platform where you can save notes and even password-protect them. This is a great way to share ideas with friends and co-workers and, even better, keep personal notes that are available anywhere, anytime.

Check out this example: http://notepad.cc/RofiNeron

Securing Routers and Switches

May 10, 2010

Like every financial firm we get our share of audits. Most audits are scheduled, but once in a while you can get a surprise visit: someone knocks on your door and says:
“hello, we’re here for an audit”.

Part of my job is making sure my network is ready for D-day. If the auditors ask about network security I should have all the answers and preferably have a working implementation to prove my story.

So the day came and I was asked about my network security, with routers and switches at the heart of the audit. As a proud CCNP I had good answers and could easily prove my case to the required extent. In this post I want to go over some basic steps that make a difference, not just on audit day but every day.

Physical Security – That is physical access to the router (which results in console access). While most companies secure their communication rooms/closets, there is one item many fail to secure: access switches. Many networks have an access switch per department or floor, and they put the switch on a randomly available shelf, on top of a PC or under a desk. This is a huge hole: anyone can walk up to the switch and plug into any of its ports, and whoever reaches the console can reset the passwords through the ROMMON recovery procedure unless no service password-recovery is configured (on platforms that support it).

Access Lock down – If you failed to secure physical access to the switch, or if for any reason you are forced to leave it exposed, there are a few steps you can take to block intruders:

Security Monitoring – Build a second layer of security using some easy-to-configure tools. Enable logging and make sure the time is set (to either local time or UTC, consistently) so the data is accurate and can be correlated. If a syslog server is available, use it to keep all your logs; the router's own log buffer is lost on a reload or power loss.

Use Access Lists – ACLs are a powerful tool that can help you control access by port, source or destination address. Build different access lists for different connections and block any unnecessary traffic. Make sure you apply each access list to the proper interface (and in the correct direction). Check this video on using ACLs to harden IOS security.

One more reference: Cisco’s guide to harden Cisco IOS devices.
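
The vty settings from the login configuration post above and the logging, NTP and access-list items of this checklist are easy to verify mechanically before an auditor does. Here is an added audit script (mine, not from the posts) that reads an IOS configuration and lists what is missing; it also shows the weak lab configuration beside its hardened counterpart. Both configs are constructed, and the check wording, the ACL number, the username, the secret and the idle timeout are assumptions for illustration.

```python
"""Audit an IOS configuration for the remote-access and monitoring settings discussed above.

Added example, not code from the original posts. WEAK is a constructed config made of the
lab commands from the login post plus the line defaults they leave in place; HARDENED is
the same router with every finding fixed. The check wording, ACL number, username, secret
and idle timeout are assumptions for illustration.
"""
import re

WEAK = """\
hostname ITDualism1
ip domain-name ITDUALISM
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 4
 transport input all
 login
 password lab
"""

HARDENED = """\
hostname ITDualism1
ip domain-name ITDUALISM
service password-encryption
service timestamps log datetime msec
logging 192.168.1.6
ntp server 192.168.1.6 prefer
username admin privilege 15 secret Lab-Only-Secret
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 login local
 transport input ssh
"""

LOG_HOST_RE = re.compile(r"^logging (?:host )?\d+(?:\.\d+){3}$")


def parse_config(text):
    """Split a config into global commands and the indented blocks under each 'line ...'."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit_remote_access(config_text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(config_text)
    has = lambda prefix: any(c.startswith(prefix) for c in global_cmds)
    findings = []
    if not has("ip ssh version 2"):
        findings.append("SSH version not pinned: add 'ip ssh version 2' where the IOS supports it")
    if not has("service password-encryption"):
        findings.append("line passwords stored in clear text: add 'service password-encryption'")
    if not has("service timestamps log datetime"):
        findings.append("log messages carry no date/time: add 'service timestamps log datetime msec'")
    if not any(LOG_HOST_RE.match(c) for c in global_cmds):
        findings.append("no syslog server: add 'logging <server>' so logs survive a reload")
    if not has("ntp server"):
        findings.append("no NTP source: add 'ntp server <server>' so timestamps can be correlated")
    for name, cmds in line_blocks.items():
        if not name.startswith("vty"):
            continue
        transport = "unset"
        for c in cmds:
            if c.startswith("transport input "):
                transport = c[len("transport input "):].strip()
        if transport != "ssh":
            findings.append(f"line {name}: transport input is {transport}; use 'transport input ssh'")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"line {name}: no access-class, so any source address may attempt a login")
        if any(c.startswith("exec-timeout 0 0") for c in cmds):
            findings.append(f"line {name}: 'exec-timeout 0 0' disables the idle logout")
        if "login" in cmds:
            findings.append(f"line {name}: shared line password ('login'); use 'login local' or AAA")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_remote_access(cfg) or ["ok"])
```

Feed it the output of show running-config (saved to a file) rather than hand-typed snippets, and remember that the SSH version check only applies to routers whose IOS reports 1.99 or 2.0 in show ip ssh; the 2621 from the login post cannot pass it.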