Saturday, 7 September 2013

Configuring Conditional DNS forwarding on a Cisco router

For whatever reason, you may wish to use your Cisco router as a primary DNS server. If you're stuck in a situation where you need to send certain DNS domain names to different DNS servers then this post is for you!

Firstly we must set our default DNS servers:

ip name-server 203.50.2.71
ip name-server 139.130.4.4

Secondly, we configure our different sets of DNS servers as "views":

ip dns view default
 dns forwarder 203.50.2.71
 dns forwarder 139.130.4.4

ip dns view internal_dns
 dns forwarder 192.168.0.10
 dns forwarder 192.168.0.11

Now we match our DNS views into a "view-list"

ip dns view-list conditional
! give the internal_dns view a priority of 10 and bind it to name-group 1
 view internal_dns 10
  restrict name-group 1
! give the default view order 99 so it is checked last and catches everything else
 view default 99

Define the domains you wish to forward internally in a "name-list" (each pattern is a regular expression matched against the queried name):

ip dns name-list 1 permit 10\.IN-ADDR
ip dns name-list 1 permit .*.LOCAL

Bind the DNS server to the view-group "conditional":

ip dns server view-group conditional

Lastly, enable the DNS server:

ip dns server
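To see which forwarders a given query would reach under the view-list above, here is an added simulation (example code, not from the post). It assumes IOS name-list patterns behave as unanchored, case-insensitive regular expressions; the view names, order numbers, patterns and forwarder addresses are the ones from the configuration.

```python
import re

# Constructed model of the configuration above (example code, not from the post).
VIEWS = {
    "internal_dns": ["192.168.0.10", "192.168.0.11"],
    "default": ["203.50.2.71", "139.130.4.4"],
}
NAME_LISTS = {1: [r"10\.IN-ADDR", r".*.LOCAL"]}
# view-list "conditional": (order number, view name, restricting name-list or None)
VIEW_LIST = [(10, "internal_dns", 1), (99, "default", None)]


def name_list_permits(list_id, qname):
    """Assumed IOS semantics: the name-list permits the query if any of its
    patterns matches the queried name as a case-insensitive, unanchored regex."""
    return any(re.search(p, qname, re.IGNORECASE) for p in NAME_LISTS[list_id])


def select_view(qname):
    """Walk the view-list in ascending order; the first view whose restriction
    (if any) permits the name answers the query, so default at 99 is the catch-all."""
    for _order, view, restrict in sorted(VIEW_LIST):
        if restrict is None or name_list_permits(restrict, qname):
            return view
    return None


def forwarders_for(qname):
    """Forwarders the router would send the query to."""
    return VIEWS[select_view(qname)]


if __name__ == "__main__":
    for q in ["fileserver.corp.local", "5.0.0.10.in-addr.arpa",
              "5.0.168.192.in-addr.arpa", "www.example.com", "www.mylocalbank.com"]:
        print("%-28s -> %-12s %s" % (q, select_view(q), forwarders_for(q)))
```

The last query shows why the unescaped dot in `.*.LOCAL` matters under these semantics: it matches any character, so a public name that merely contains "local" is sent to the internal servers; `.*\.LOCAL$` is the stricter form.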

Sunday, 30 June 2013

Capturing Packets from a Cisco Router for Wireshark pcap

If you want to troubleshoot an issue by looking at a specific packet flow traversing your router, you will need a TFTP server set up so that you can export your captures.

I use tftpd64 or tftpd32. It's a nice, free, simple TFTP daemon that runs on Windows: http://www.jounin.net/tftpd32.html

In this example, my TFTP server is on 10.0.0.55.

First off, we need to create an access-list that matches the traffic you wish to capture. I want to capture traffic traversing my router to and from 32.55.55.32:

Router(config)# access-list 140 permit ip host 32.55.55.32 any
Router(config)# access-list 140 permit ip any host 32.55.55.32

This ACL will capture all traffic to and from this IP address.

Next we create the capture buffer that will hold the packets (I have named mine "holdpackets"):

Router# monitor capture buffer holdpackets

Now we restrict what goes into the buffer by filtering it through our access-list:

Router# monitor capture buffer holdpackets filter access-list 140

Now some tweaks so that we actually get complete packets rather than truncated ones for inspection in Wireshark (size is the buffer size in kilobytes, max-size the maximum number of bytes kept per packet):

Router# monitor capture buffer holdpackets size 10240 max-size 9500

Now we create a capture point, which names our particular capture, and associate it with the buffer. I have called mine "testcap":

Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets

Now we can start our capture!

Router# monitor capture point start testcap

Once you think you have captured enough packets, stop the capture:

Router# monitor capture point stop testcap

Now you can export your data to your TFTP server with the following command, and then open the .pcap file in Wireshark:

Router# monitor capture buffer holdpackets export tftp://10.0.0.55/testcap.pcap

Once uploaded, you can remove the capture buffer and capture point with the following:

Router# no monitor capture buffer holdpackets

Router# no monitor capture point ip cef testcap all both

To check whether any captures or capture parameters are currently configured, use the following command:

Router# sh monitor capture point all
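A quick sanity check to run on the exported file before opening it in Wireshark, added here as an example (not from the post): it parses the libpcap header and counts records whose stored length is shorter than the original frame, which is what you get when max-size was left too small. The embedded sample file is constructed, not a real export.

```python
import struct


def parse_pcap(data):
    """Parse a classic libpcap file (24-byte global header, then 16-byte record
    headers). Returns (snaplen, linktype, records); each record is
    (ts_sec, ts_usec, incl_len, orig_len, payload)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %s)" % magic.hex())
    _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        payload = data[off + 16:off + 16 + incl_len]
        if len(payload) != incl_len:
            raise ValueError("file ends in the middle of record %d" % len(records))
        records.append((ts_sec, ts_usec, incl_len, orig_len, payload))
        off += 16 + incl_len
    return snaplen, linktype, records


def truncation_report(data):
    """Count records whose captured length is shorter than the original frame."""
    snaplen, linktype, records = parse_pcap(data)
    cut = sum(1 for r in records if r[2] < r[3])
    return {"packets": len(records), "truncated": cut, "snaplen": snaplen, "linktype": linktype}


def _record(payload, orig_len=None):
    orig_len = len(payload) if orig_len is None else orig_len
    return struct.pack("<IIII", 1378540800, 0, len(payload), orig_len) + payload


# Constructed sample (not a real export): snaplen 68, one 60-byte frame kept whole
# and one 1500-byte frame of which only the first 68 bytes were stored.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
               + _record(b"\x00" * 60) + _record(b"\x00" * 68, orig_len=1500))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(truncation_report(data))
```

Run it with the exported file as the argument; a non-zero truncated count means the export will not show full payloads in Wireshark.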

Wednesday, 19 June 2013

Example of CBWFQ QoS and Shaping

Shaping to 30 Mbps maximum:

ip access-list extended ShapeMe
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip any 172.16.0.0 0.0.0.255
!
class-map match-any ShapeMe
match access-group name ShapeMe
!
policy-map ShapeMe
class ShapeMe
shape average 30m
! Will shape at 30mbps maximum
!
int g0/0
service-policy output ShapeMe
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces


Priority for SQL Traffic?


ip access-list extended SQL
 permit tcp 10.113.32.0 0.0.3.255 10.113.176.0 0.0.3.255 range 1433 1434
 permit tcp 10.113.176.0 0.0.3.255 10.113.32.0 0.0.3.255 range 1433 1434

class-map match-any SQL
match access-group name SQL

policy-map SQL
class SQL
priority 1024
! Low-latency queue with 1024 kbps (about 1 Mbps) reserved; policed to that rate only when the interface is congested

int g0/0
service-policy output SQL
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces

What if I just want to shape traffic by the interface it enters, e.g. an internet or WAN interface?

! Since you can only shape on output, not on input, in this example I shape the downstream and upstream CIR to 100 Mbps down and 40 Mbps up. The inbound (internet) interface is GigabitEthernet0/1; GigabitEthernet0/0 is the LAN side.

class-map match-any QoS_DOWN
 match input-interface GigabitEthernet0/1

class-map match-any QoS_UP
 match any

policy-map QoS_DOWN
 class QoS_DOWN
  shape average 100m

policy-map QoS_UP
 class QoS_UP
  shape average 40m

interface GigabitEthernet0/0
 description LAN Interface
 service-policy output QoS_DOWN

interface GigabitEthernet0/1
 description Internet Interface
 service-policy output QoS_UP

Sunday, 19 May 2013

Configuration Example for Cisco 857/877W Config for Bigpond or Telstra Internet Direct


This config is straight out of a Cisco 857W router running on Bigpond. It has Wi-Fi enabled with WPA2 AES encryption. The router is running IOS version 12.4.


service password-encryption
service internal
!
hostname <hostname>
!
enable secret <your enable password>
!
no aaa new-model
!
dot11 ssid <Your SSID>
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii <Your Wireless Key>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.138 10.0.0.254
!
ip dhcp pool LocalNet
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.138
   domain-name internet.local
   dns-server 10.0.0.138
   lease 365
!
ip cef
ip domain name internet.local
ip name-server <nameserver 1>
ip name-server <nameserver 2>
!
username admin secret <admin password>
!
bridge irb
!
interface ATM0
no shutdown
no ip address
atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
no shutdown
!
interface FastEthernet1
no shutdown
!
interface FastEthernet2
no shutdown
!
interface FastEthernet3
no shutdown
!
interface Dot11Radio0
no shutdown
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid <Your SSID>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
world-mode dot11d country AU both
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip virtual-reassembly
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname <ISP Username>
ppp chap password <ISP Password>
!
interface BVI1
description LAN & WLAN Bridge
ip address 10.0.0.138 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end

Wednesday, 15 May 2013

Enabling SNMP and Netflow for Solarwinds NPM and NTA on Cisco ISR, ASR and ASA firewalls

This assumes that your Solarwinds collector and Netflow analyser are on 192.168.0.55.

For Cisco ASRs or ISRs with Flexible NetFlow:

Firstly, let's create an ACL for our Solarwinds server:

ip access-list standard Solarwinds
  permit host 192.168.0.55
!

Now we can enable SNMP:

snmp-server community tceo RO Solarwinds
snmp-server location Mario's Pizza Shop
snmp-server contact Mario Bros

Now to enable NetFlow:

flow record NETFLOW_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW_EXPORT
 destination 192.168.0.55
 transport udp 2055
!
flow monitor NETFLOW_MONITOR
 exporter NETFLOW_EXPORT
 record NETFLOW_RECORD


Choose which interface to monitor traffic on, for both ingress and egress. In this case I'm picking GigabitEthernet0/0/0:

interface GigabitEthernet0/0/0
 ip flow monitor NETFLOW_MONITOR input
 ip flow monitor NETFLOW_MONITOR output
!

To check if all is working as expected, you can type the following command:


sh flow monitor

For Cisco ISRs without Flexible NetFlow:


Firstly, let's create an ACL for our Solarwinds server:


ip access-list standard Solarwinds
  permit host 192.168.0.55
!

Now we can enable SNMP:

snmp-server community public RO Solarwinds
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

Now to enable NetFlow:

ip flow-export version 9
ip flow-export destination 192.168.0.55 2055

Choose which interface to monitor traffic on, for both ingress and egress. In this case I'm picking Gi0/0:

interface GigabitEthernet0/0
  ip flow ingress
  ip flow egress
!

To check if all is working as expected, you can type the following command:


sh ip cache flow

If you just want to use NetFlow locally without exporting to a collector, simply negate the "ip flow-export" commands.

For ASA Firewalls:


This process is a bit more complicated on a Cisco ASA firewall than the router configurations above.

Firstly we name our Solarwinds Server:

name 192.168.0.55 Solarwinds

Enable SNMP:

snmp-server host dmz Solarwinds community public
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

Now to enable NetFlow. First we create an ACL for the traffic you wish to monitor, typically everything:

access-list netflow-export extended permit ip any any

Now we set the Netflow parameters:

flow-export destination <output interface name> Solarwinds 2055
flow-export template timeout-rate 3
flow-export delay flow-create 10

Configure our Netflow Classes:

class-map netflow-export-class
 match access-list netflow-export
!

Configure our Policies:

policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination Solarwinds
!

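What the collector on 192.168.0.55 has to do with the UDP/2055 stream the router and ASA sections above configure: an added example (not from the post and not Solarwinds code) that decodes a NetFlow v9 export carrying exactly the fields NETFLOW_RECORD collects. The sample packet is constructed inline so it runs offline; the field type numbers are the standard v9 ones from RFC 3954.

```python
import socket
import struct
# NetFlow v9 field types (RFC 3954) for the fields NETFLOW_RECORD collects.
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 7: "src_port",
               8: "src_addr", 10: "input_if", 11: "dst_port", 12: "dst_addr", 14: "output_if"}

def decode_field(ftype, raw):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one v9 export packet. Template FlowSets (id 0) go into `templates`, a dict
    the caller keeps across packets (routers resend templates only periodically)."""
    version = struct.unpack_from(">H", packet, 0)[0]
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    records, off = [], 20  # 20-byte header: version, count, uptime, secs, seq, source id
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from(">HH", packet, off)
        if set_len < 4:
            break  # malformed FlowSet header; stop rather than loop forever
        body, pos = packet[off + 4:off + set_len], 0
        if set_id == 0:  # template: template id, field count, then (type, length) pairs
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from(">HH", body, pos)
                templates[tid] = [struct.unpack_from(">HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif set_id in templates:  # data FlowSet: fixed-size records, then padding
            fields = templates[set_id]
            rec_len = sum(flen for _t, flen in fields)
            while pos + rec_len <= len(body):
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
                pos += rec_len
        off += set_len
    return records

def build_sample():
    """Constructed export (not a real router capture): one template for the
    NETFLOW_RECORD fields, then one data record for a TCP/443 flow."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (14, 2), (1, 4), (2, 4)]
    tmpl = struct.pack(">HH", 256, len(fields)) + b"".join(struct.pack(">HH", *f) for f in fields)
    rec = (socket.inet_aton("10.1.1.10") + socket.inet_aton("10.2.2.20")
           + struct.pack(">HHBBHHII", 51000, 443, 6, 0, 1, 2, 4096, 12))
    rec += b"\x00" * (-(4 + len(rec)) % 4)  # pad the data FlowSet to a 4-byte boundary
    return (struct.pack(">HHIIII", 9, 2, 1000, 1378540800, 1, 0)
            + struct.pack(">HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack(">HH", 256, 4 + len(rec)) + rec)
```

A data FlowSet that arrives before its template is skipped, which is why a freshly started collector shows nothing until the router's next template refresh.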

The simplest way to set up a Cisco router for Australian ADSL using PPPoA

This tutorial assumes that you are using an ISP which supports PPPoA. Bigpond and Telstra Internet Direct support this.

In this example I am configuring a Cisco 2811 with an HWIC-1ADSL card in slot 0. This gives it an interface of "atm0/0/0".


interface ATM0/0/0
 description ADSL Physical Interface
 no ip address
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!

Next we can configure our Dialer interface. This is used to initiate authentication to your ISP.

interface Dialer0
 description ADSL Dialer Interface
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname username@bigpond.com
 ppp chap password your_password
!

Now we can configure our internal LAN interface:

interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!

Create a standard ACL ready for NAT:

ip access-list standard LAN
  permit 192.168.0.0 0.0.0.255
!

Allow NAT for the above ACL:

ip nat inside source list LAN interface Dialer0 overload

Finally we set our default route out of the Dialer0 interface:

ip route 0.0.0.0 0.0.0.0 Dialer0

Now with any luck you should have a working internet connection.

To configure DNS and DHCP services on the router please refer to my blog about enabling DHCP and DNS services.

Setting up DHCP and DNS services on Cisco Routers


In this blog I will explain how to set up a DHCP and DNS server on your Cisco router.

The network subnet is as follows:

Network Address: 192.168.0.0
Subnet Mask: 255.255.255.0
Router: 192.168.0.1
Dynamic Range: 192.168.0.10 - 192.168.0.254
ISP DNS Server: 8.8.8.8
Subnet Domain Name: mylan.local

These commands specify the DNS server and local domain to the router:


ip domain name mylan.local
ip name-server 8.8.8.8

This command enables the Cisco DNS service:

ip dns server


Before we create our DHCP pool, we should specify which IPs are not to be assigned dynamically, in this case 192.168.0.1 to 192.168.0.9:

ip dhcp excluded-address 192.168.0.1 192.168.0.9

Now we specify our DHCP Pool:

ip dhcp pool MyLAN
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.1
   domain-name mylan.local
   lease 7
!

You may now wish to give certain hosts a fixed IP address. You can do this by creating another DHCP pool for each such host:

ip dhcp pool MyLaptop
   host 192.168.0.10 255.255.255.0
   client-identifier 0100.0430.52c7.88
!

Note: The client identifier is NOT the MAC address of the client. The easiest way to find the client identifier is to connect the machine to the network and wait for it to be assigned an IP by the router.

In enable mode, type in:

show ip dhcp binding

Match the client identifier with the IP address you were dynamically assigned then create your static pool like the one mentioned above.
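For most Ethernet clients the identifier the router shows is the DHCP hardware-type byte 01 followed by the six-byte MAC, which is why it is two hex digits longer than the MAC itself. The helper below is an added example (not from the post): it builds that form from a MAC, looks it up in "show ip dhcp binding" output, and renders the static pool shown above. The binding output is constructed sample text; a client that sends a non-standard identifier will not be found this way, and the binding table remains the source of truth.

```python
import re

def mac_to_client_id(mac):
    """IOS-style client-identifier for an Ethernet client: hardware type 01 followed
    by the 6-byte MAC, written in dotted groups of four hex digits. Assumes the
    client sends the standard type-01 identifier; others must be read from the router."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("expected a 6-byte MAC address, got %r" % mac)
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def client_id_to_mac(client_id):
    """Inverse of the above; only valid for type-01 identifiers."""
    raw = client_id.replace(".", "").lower()
    if len(raw) != 14 or not raw.startswith("01"):
        raise ValueError("not a type-01 Ethernet client-identifier: %r" % client_id)
    return ":".join(raw[i:i + 2] for i in range(2, 14, 2))

def parse_bindings(output):
    """Extract (ip, client-id) pairs from 'show ip dhcp binding' output."""
    pairs = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{2,4})+)\b", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def find_binding(output, mac):
    """Return the (ip, client-id) of the host with this MAC, or None if it has no lease."""
    wanted = mac_to_client_id(mac)
    return next((pair for pair in parse_bindings(output) if pair[1] == wanted), None)

def static_pool_config(name, ip, mask, client_id):
    """Render the per-host pool shown above for the identifier found."""
    return "\n".join(["ip dhcp pool %s" % name, "   host %s %s" % (ip, mask),
                      "   client-identifier %s" % client_id, "!"])

# Constructed sample output (not from a real router), in the layout IOS prints.
SAMPLE_BINDINGS = """\
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.0.10        0100.0430.52c7.88       Jun 10 2013 09:12 AM    Automatic
192.168.0.11        0100.1122.3344.55       Jun 10 2013 09:40 AM    Automatic
"""

if __name__ == "__main__":
    ip, cid = find_binding(SAMPLE_BINDINGS, "00:04:30:52:c7:88")
    print(static_pool_config("MyLaptop", ip, "255.255.255.0", cid))
```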