Monday 28 September 2015

Scheduling a reload of a router using cron

Maybe you have a dodgy router in the fleet, or a memory leak on one of them. This little snippet as bought me some time in some situations. Scheduling a reload is very simple. The below will reload the router every night at midnight.

event manager applet daily-reload
 event timer cron name daily-reload cron-entry "0 0 * * *"
 action 1.0 syslog msg "Automated Reload Triggered"
 action 1.1 reload

Friday 18 September 2015

Configuring IPv6 Prefix Delegation on a Cisco router for Ethernet or Dialer interfaces

This post shows an example of how to configure IPv6 on Ethernet or Dialer delivered services. This might come in handy if you want to configure IPv6 on Telstra TBiz on the NBN or pretty much any IPv6 delivered service.

So let's say for example, your ISP has given you a PD (Prefix Delegation) of 2001:1111:2222:333::/56 and you'd like to give a couple of your attached VLAN's onsite their own /64 subnets for eating up the new IPv6 space in the internet.

It's actually pretty easy to do, but you're going to have to forget everything you ever knew about IPv4 because the game has changed slightly.

Firstly, let's pick up that nice new prefix delegation your ISP has given you. Login, enable and go to configuration terminal. Let's enable ipv6 routing and cisco express forwarding (cef).

router(config)# ipv6 cef
router(config)# ipv6 unicast-routing

First things first, the best thing to do is make a new IPv6 ACL to keep all the script kiddies out of your network. Everything on IPv6 is publicly routable. Goodbye NAT and sitting safely behind private IP addresses. This is no more. Once you're IPv6 configured, everything on your local LAN sits on the public internet, so security is a big player. Let's create an ACL to allow things to happen.

router(config)# ipv6 access-list IPV6-IN
router(config-ipv6-acl)# permit icmp any any
router(config-ipv6-acl)# permit tcp any any established
router(config-ipv6-acl)# permit udp any any eq 546

Note the udp port 546. This is used for autoconfiguration and will need to be allowed for your ISP to give you a prefix delegation. Once we have our new ACL, we're ready to configure our first interface.

Type in the interface facing your ISP. In this example, it's GigabitEthernet0/0. I'll assume you already have all the normal IPv4 things in here, so I won't show them in the below example.

I recommend that you configure a "link-local" address. It is normally generated from the interface's MAC address, however if you're using any subinterfaces or using port-channels, you can get duplicate link-local addresses and IPv6 simply won't work. For our internet facing interface, we'll give it a link-local address on FE80::1.

router(config)# interface GigabitEthernet0/0
router(config-if)# ! configure a link-local address
router(config-if)# ipv6 address FE80::1 link-local
router(config-if)# ! assign the first /64 of our new prefix delegation
router(config-if)# ipv6 address IPV6-PD ::1/64
router(config-if)# ! enable ipv6 on the interface
router(config-if)# ipv6 enable
router(config-if)# ! enable the router to find the default route
router(config-if)# ipv6 nd autoconfig default-route
router(config-if)# ! enable the DHCP client and assign a name of IPV6-PD to your prefix delegation
router(config-if)# ipv6 dhcp client pd IPV6-PD
router(config-if)# ! Assign our ACL to the interface
router(config-if)# ipv6 traffic-filter IPV6-IN in

Now is a good time to check whether or not you have received your prefix delegation. Because IPv6 is new, it's not uncommon for ISP's to stuff it up.

router# sh ipv6 dhcp int


It should output what your assigned prefix is. If this is all good, then carry on. Otherwise, something isn't right with your ISP.

In this example, I have two VLAN's which I want to divide up the next two /64's to. VLAN 2 is on GigabitEthernet0/1.2 and VLAN 3 is on GigabitEthernet0/1.3

Unfortunately there is an issue with how Windows processes ICMPv6 Router Advertisements (RA's) within its NDIS drivers. It's an issue which has long plagued many network administrators, and a quick Google search will show you that.

What happens is, for example you have two VLAN's, one is a General use VLAN and another might be for VOIP. Frames are tagged on the VOIP VLAN for example. If you want to enable IPv6 for both VLAN's, Windows (in its wisdom) will untag the RA frame from the router and pass it through to the operating system. What you essentially end up with is a Windows client with an IPv6 address and gateway on the tagged VLAN as well as the untagged causing weird disconnection issues with Windows clients.

There is a workaround, but it involves some hackery which the router will complain about, but I'll show you how here. What you need to do is set the same Link-Local address on each subinterface. This includes things like port-channels. To do this however, you'll need to disable a feature called Duplicate Address Detection, or "DAD" for short.

Under configuration terminal, type the following:

router(config)# ipv6 nd dad time 1

This makes duplicate address detections only last 1ms. Otherwise if it see's the same Link-Local address configured on different interfaces, it'll disable IPv6 on that interface.

So here's what we do....

router(config)# interface GigabitEthernet0/1.2
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 2
router(config-subif)# ipv6 address FE80::2 link-local
router(config-subif)# ! Delegate the second /64 increment to this VLAN
router(config-subif)# ipv6 address IPV6-PD ::2:0:0:0:1/64
router(config-subif)# ! enable IPv6 on this interface
router(config-subif)# ipv6 enable
router(config-subif)# !
router(config-subif)# interface GigabitEthernet0/1.3
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 3 as well
router(config-subif)# ipv6 address FE80::2 link-local
router(config-subif)# ! Delegate the third /64 increment in this VLAN
router(config-subif)# ipv6 address IPV6-PD ::3:0:0:0:1/64
router(config-subif)# ! enable IPv6 on this interface
router(config-subif)# ipv6 enable

You may be wondering by this point. What about a static default route? Well the good news is, you don't need one. It is learned from your ISP by the "ipv6 nd autoconfig default-route" command we entered earlier on your Internet facing interface.

Everything should now be good to go. A refresh of your local LAN adapter should mean you receive an IPv6 address. Yup, you don't even need to configure DHCP! Your clients will learn their IP's off the router. Pretty cool huh?

Note: Some Dialer interfaces fail to refresh their Prefix Delegations after the Dialer interface comes back up. Perhaps it's ADSL and it performs a resync, forcing the Dialer interface to reauthenticate.

The below is a workaround for the problem. I have not had this issue, however if you do, this could come in handy. Thanks to Internode for this gem.

event manager applet MONITOR-IPV6-DHCP-APP
 event syslog pattern "DIALER-6-BIND"
 action 1.0 cli command "enable"
 ! Replace the Dialer interface with the correct number...
 action 1.1 cli command "clear ipv6 dhcp client Dialer1"
 action 2.0 syslog priority debugging msg "Refreshed IPv6 DHCP PD lease (Dialer rebind)"
!

Saturday 7 September 2013

Configuring Conditional DNS forwarding on a Cisco router

For whatever reason, you may wish to use your Cisco router as a primary DNS server. If you're stuck in a situation where you need to send certain DNS domain names to different DNS servers then this post is for you!

Firstly we must set our default DNS servers:

ip name-server 203.50.2.71
ip name-server 139.130.4.4

Secondly, now we need to configure our different DNS servers as "views"

ip dns view default
 dns forwarder 203.50.2.71
 dns forwarder 139.130.4.4

ip dns view internal_dns
 dns forwarder 192.168.0.10
 dns forwarder 192.168.0.11

Now we match our DNS views into a "view-list"

ip dns view-list conditional
! give the internal_dns view a priority of 10 and bind it to name-group 1
 view internal_dns 10
  restrict name-group 1
! give the default view a highest priority
 view default 99

Define the domains you wish to forward internally by "name-list"

ip dns name-list 1 permit 10\.IN-ADDR
ip dns name-list 1 permit .*.LOCAL

Enable the DNS server to the view-group "conditional"

ip dns server view-group conditional

Lastly, enable the DNS server

ip dns server

Sunday 30 June 2013

Capturing Packets from a Cisco Router for Wireshark pcap

In case you wish to troubleshoot issues and view specific packet flow traversing your routers, you will need a tftp server setup so that you can export your captures.

I use tftpd64 or tftpd32. It's a nice free, simple tftp daemon that runs on Windows: http://www.jounin.net/tftpd32.html

In this example, my tftp server is on 10.0.0.55.

First off, we need to create an access-list the matches the traffic you wish to capture. I am wanting to capture traffic traversing my router, destined to and from 32.55.55.32

Router(config)# access-list 140 permit ip host 32.55.55.32 any
Router(config)# access-list 140 permit ip any host 32.55.55.32

This ACL will capture all traffic to and from this IP address.

Next we need to enable the Cisco packet monitoring service:

Router# monitor capture buffer holdpackets

Now we can filter the monitored traffic by filtering it through our access-list:

Router# monitor capture buffer holdpackets filter access-list 140

Now for some tweaks so that we actually get complete packet data for inspection in Wireshark

Router# monitor capture buffer holdpackets size 10240 max-size 9500

Now we need to name our particular packet capture. I have called mine "testcap"

Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets

Now we can start our capture!

Router# monitor capture point start testcap

Once you think you have acquired enough packets, to stop the capture, type:

Router# monitor capture point stop testcap

Now you can export your data to your tftp server by typing in the following command. You can then open the .pcap file in Wireshark for viewing

Router# monitor capture buffer holdpackets export tftp://10.0.0.55/testcap.pcap

Once uploaded you can clear your capture buffer by typing the following:

Router# no monitor capture buffer holdpackets

Router# no monitor capture point ip cef testcap all both

To check if there are any current captures or parameters configured, you can use the following command:

Router# sh monitor capture point all

Wednesday 19 June 2013

Example of CBWFQ QoS and Shaping

Shaping to 30mbps Maximum:

ip access-list extended ShapeMe
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip any 172.16.0.0 0.0.0.255
!
class-map match-any ShapeMe
match access-group name ShapeMe
!
policy-map ShapeMe
class ShapeMe
shape average 30m
! Will shape at 30mbps maximum
!
int g0/0
service-policy output ShapeMe
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces


Priority for SQL Traffic?


ip access-list extended SQL
 permit tcp 10.113.32.0 0.0.3.255 10.113.176.0 0.0.3.255 range 1433 1434
 permit tcp 10.113.176.0 0.0.3.255 10.113.32.0 0.0.3.255 range 1433 1434

class-map match-any SQL
match access-group name SQL

policy-map SQL
class SQL
priority 1024
! Guarantees 1mbps at all times

int g0/0
service-policy output SQL
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces

What is I just want to shape traffic by the interface that it enters? Eg an internet or WAN interface?

! Since you can only shape on output, not input, in this example I will shape the Upstream and Downstream CIR rate to 100mbps down and 40mbps up. The inbound or internet interface is GigabitEthernet0/1. GigabitEthernet0/0 is the LAN side.

class-map match-any QoS_DOWN
 match input-interface GigabitEthernet0/1

class-map match-any QoS_UP
 match any

policy-map QoS_DOWN
 class QoS_DOWN
  shape average 100m

policy-map QoS_UP
 class QoS_UP
  shape average 40m

interface GigabitEthernet0/0
description LAN Interface
 service-policy output QoS_DOWN

interface GigabitEthernet0/1
description Internet Interface
 service-policy output QoS_UP

Sunday 19 May 2013

Configuration Example for Cisco 857/877W Config for Bigpond or Telstra Internet Direct


This config is straight out of a Cisco 857W router running on Bigpond. It has Wifi enabled with WPA2 AES encription. The Cisco is running IOS version 12.4.


service password-encryption
service internal
!
hostname <hostname>
!
enable secret <your enable password>
!
no aaa new-model
!
dot11 ssid <Your SSID>
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii <Your Wireless Key>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.138 10.0.0.254
!
ip dhcp pool LocalNet
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.138
   domain-name internet.local
   dns-server 10.0.0.138
   lease 365
!
ip cef
ip domain name internet.local
ip name-server <nameserver 1>
ip name-server <nameserver 2>
!
username admin secret <admin password>
!
bridge irb
!
interface ATM0
no shutdown
no ip address
atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
no shutdown
!
interface FastEthernet1
no shutdown
!
interface FastEthernet2
no shutdown
!
interface FastEthernet3
no shutdown
!
interface Dot11Radio0
no shutdown
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid <Your SSID>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
world-mode dot11d country AU both
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip virtual-reassembly
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname <ISP Username>
ppp chap password <ISP Password>
!
interface BVI1
description LAN & WLAN Bridge
ip address 10.0.0.138 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end

Wednesday 15 May 2013

Enabling SNMP and Netflow for Solarwinds NPM and NTA on Cisco ISR, ASR and ASA firewalls

This assumes that your Solarwinds collector and Netflow analyser are on 192.168.0.55.

For Cisco ASR's or ISR's with Flexible Netflow:

Firstly, lets create an ACL for our Solarwinds Server:

ip access-list standard Solarwinds
  permit host 192.168.0.55
!

Now we can enable SNMP:

snmp-server community tceo RO Solarwinds
snmp-server location Mario's Pizza Shop
snmp-server contact Mario Bros

Now to enable NetFlow:

flow record NETFLOW_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW_EXPORT
 destination 192.168.0.55
 transport udp 2055
!
flow monitor NETFLOW_MONITOR
 exporter NETFLOW_EXPORT
 record NETFLOW_RECORD


Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking GigabitEthernet0/0/0

interface GigabitEthernet0/0/0
 ip flow monitor NETFLOW_MONITOR input
 ip flow monitor NETFLOW_MONITOR output
!

To check if all is working as expected, you can type the following command:


sh flow monitor

For Cisco ISR's without Flexible Netflow:


Firstly, lets create an ACL for our Solarwinds Server:


ip access-list standard Solarwinds
  permit host 192.168.0.55
!

Now we can enable SNMP:

snmp-server community public RO Solarwinds
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

Now to enable NetFlow:

ip flow-export version 9
ip flow-export destination 192.168.0.55 2055

Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking Gi0/0

interface GigabitEthernet0/0
  ip flow ingress
  ip flow egress
!

To check if all is working as expected, you can type the following command:


sh ip cache flow

If you just want to use Netflow without the export to a Netflow collector, just negate the "ip flow-export" commands.

For ASA Firewalls:


This process is a bit more complicated on a Cisco ASA firewall that the above Cisco configuration.

Firstly we name our Solarwinds Server:

name 192.168.0.55 Solarwinds

Enable SNMP:

snmp-server host dmz Solarwinds community public
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

Now to enable Netflow - first we create an ACL for what traffic you wish to monitor - typically everything:

access-list netflow-export extended permit ip any any

Now we set the Netflow parameters:

flow-export destination <output interface name> Solarwinds 2055
flow-export template timeout-rate 3
flow-export delay flow-create 10

Configure our Netflow Classes:

class-map netflow-export-class
 match access-list netflow-export
!

Configure our Policies:

policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination Solarwinds
!