Thursday, January 31, 2013

Cisco Multicast Security - IOS Base


A must-read on multicast security. One thing I really like about this article is the illustrations provided. Most documents talk about these feature sets but never illustrate how they work, and for me personally the pictures help in grasping these topics.

http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html

Monday, January 28, 2013

Reverse Engineering - DHCP & NetFlow


More often than not, you will be required to reverse engineer environments that are undocumented. I have been tasked with swapping out another 6509 for a 6509E and adding a secondary 6509E for redundancy.
Two of the items I discovered that were unique to this environment were DHCP configurations someone had put in but never documented, and NetFlow that was running but never being exported. That was also against policy for this environment.
You will learn a lot while reverse engineering. Take for example this DHCP configuration; I have always implemented what was shown to me in Cisco books and never to the extent of what I found. Another important lesson is to know what dependencies one configuration has on another; this is how things break if you don't over-analyze. I obviously masked some of the items due to security concerns, and these two configurations have no dependency on each other.


DHCP CONFIG:

ip dhcp pool AP
   host 10.200.10.58 255.255.255.0
   client-identifier 0100.c0b7.2d38.07
   bootfile config.ini
   default-router 10.200.10.254
   domain-name joel.com
   option 150 ip 10.200.10.102
   lease 7

! Second manual binding. IOS keeps one 'host' binding per pool and re-entering
! 'ip dhcp pool AP' would modify the first pool, so the second pool must carry
! its own name; 'AP-2' is a placeholder for the masked original.
ip dhcp pool AP-2
   host 10.200.10.59 255.255.255.0
   client-identifier 0100.c0b7.2d37.c3
   bootfile config.ini
   default-router 10.200.10.254
   domain-name joel.com
   option 150 ip 10.200.10.102
   lease 7

Document I used to figure out what was going on with this configuration:
http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rddhcp.html#wp1018363

Verification:

6509E#show ip dhcp binding
IP address       Client-ID/              Lease expiration   Type
                 Hardware address
10.200.10.58     0100.c0b7.2d38.07       Infinite           Manual
10.200.10.59     0100.c0b7.2d37.c3       Infinite           Manual

NetFlow Config:

6509E#show running-config | include netflow
mls netflow interface
6509E#show run int vlan 30
Building configuration...
Current configuration : 174 bytes
!
interface Vlan30
 description AP
 ip address 10.200.10.254 255.255.255.0
 ip flow ingress
end

Document I used to figure out what was going on with this configuration:
http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html#wp1012875

Verification:

6509E#show ip cache flow
-------------------------------------------------------------------------------
Displaying software-switched flow entries on the MSFC in Module 6:
IP packet size distribution (98171M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .174 .019 .012 .007 .013 .054 .007 .002 .003 .004 .001 .016 .000 .000
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .080 .073 .523 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  534 active, 3562 inactive, 2284418974 added
  2945144932 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33992 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     1685390      0.3         1    47      0.7       0.8      14.3
TCP-FTP        1258810      0.2         1    51      0.5       0.5      12.0
TCP-FTPD        282755      0.0         1    48      0.0       0.0      14.4
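The two finds above (manual DHCP bindings nobody documented, and NetFlow collected on an SVI but never exported) are exactly the kind of thing a script can pull out of a running-config before a chassis swap. The following is an added example, not code from the original post: it parses a constructed running-config that mimics the snippets above (the pool addresses and Vlan30 lines are copied from the post; the second pool name, the export-destination line in the test and everything else are made up for the demo) and reports static bindings plus any interface collecting flows without an `ip flow-export destination`.

```python
"""Audit an IOS running-config for undocumented DHCP manual bindings and
for NetFlow that is collected but never exported.

Added example; not from the original post. SAMPLE_CONFIG is constructed
to resemble the 6509E snippets in the post, not a real device dump.
"""
import re

SAMPLE_CONFIG = """\
!
ip dhcp pool AP
   host 10.200.10.58 255.255.255.0
   client-identifier 0100.c0b7.2d38.07
   bootfile config.ini
   default-router 10.200.10.254
   option 150 ip 10.200.10.102
   lease 7
!
ip dhcp pool AP-2
   host 10.200.10.59 255.255.255.0
   client-identifier 0100.c0b7.2d37.c3
   default-router 10.200.10.254
   lease 7
!
mls netflow interface
!
interface Vlan30
 description AP
 ip address 10.200.10.254 255.255.255.0
 ip flow ingress
!
interface Vlan40
 description USERS
 ip address 10.200.40.254 255.255.255.0
!
end
"""

FLOW_COLLECTION_CMDS = ("ip flow ingress", "ip flow egress", "ip route-cache flow")


def parse_blocks(config):
    """Split an IOS config into (header, [child lines]) blocks.

    A block starts at a non-indented line and collects the indented lines
    that follow it; '!' separators and the trailing 'end' are skipped.
    """
    blocks = []
    header, children = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!") or line == "end":
            continue
        if line[0].isspace():
            if header is not None:
                children.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, children))
        header, children = line, []
    if header is not None:
        blocks.append((header, children))
    return blocks


def manual_dhcp_bindings(config):
    """Return {pool: {'host': ip, 'client_id': id}} for pools that pin one
    address to one client with 'host' instead of handing out a 'network' range."""
    found = {}
    for header, children in parse_blocks(config):
        m = re.match(r"ip dhcp pool (\S+)$", header)
        if not m:
            continue
        entry = {}
        for child in children:
            if child.startswith("host "):
                entry["host"] = child.split()[1]
            elif child.startswith("client-identifier "):
                entry["client_id"] = child.split()[1]
        if "host" in entry:
            found[m.group(1)] = entry
    return found


def netflow_audit(config):
    """Return (interfaces collecting flows, whether an exporter is configured).

    Collection without 'ip flow-export destination' means the flow data is
    only ever visible in 'show ip cache flow' on the box itself.
    """
    blocks = parse_blocks(config)
    collecting = [
        header.split()[1]
        for header, children in blocks
        if header.startswith("interface ")
        and any(c in FLOW_COLLECTION_CMDS for c in children)
    ]
    exporter = any(h.startswith("ip flow-export destination") for h, _ in blocks)
    return collecting, exporter


def report(config):
    """Human-readable summary of what the two audits found."""
    bindings = manual_dhcp_bindings(config)
    collecting, exporter = netflow_audit(config)
    lines = [f"manual DHCP bindings: {len(bindings)}"]
    for pool, entry in bindings.items():
        lines.append(f"  pool {pool}: {entry.get('host')} <- {entry.get('client_id')}")
    lines.append(f"NetFlow collected on: {', '.join(collecting) or 'none'}")
    if collecting and not exporter:
        lines.append("  WARNING: flows collected but no 'ip flow-export destination'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` saved to a file and the WARNING line is the policy finding from the post; if the device does export, the destination line is found as a top-level block and the warning disappears.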

Sunday, January 27, 2013

Vlan Access-Map and mac address access-list


How do you prevent intra-VLAN communication? If you want to prevent inter-VLAN communication, you create a RACL and apply it to the L3 interface. But when you want to prevent intra-VLAN communication, you need a VACL. I will demonstrate how to create a VACL and apply it, and additionally how you can filter down to the MAC address of a host rather than the IP address.

We will use Figure 1 to visualize the configuration; once done, we will have completed the following actions.

1. Prevent PC1 from talking to PC2
2. Prevent PC1 from talking to PC3
3. Allow all other communication between hosts
4. Apply the VACL to VLAN 100

Figure 1

Configuration:

access-list 100 permit ip host 192.168.100.1 host 192.168.100.2
!
mac access-list extended macfilter
permit host 4055.39a8.101f host 4055.39a8.103f
!
vlan access-map Vlan_100_Filter 10
action drop
match ip address 100
!
vlan access-map Vlan_100_Filter 20
action drop
match mac address macfilter
!
vlan access-map Vlan_100_Filter 30
action forward
!
vlan filter Vlan_100_Filter vlan-list 100

Verification:

Cisco_4948E_01#show vlan filter
VLAN Map Vlan_100_Filter is filtering VLANs:
  100
Cisco_4948E_01#show vlan access-map Vlan_100_Filter
Vlan access-map "Vlan_100_Filter"  10
  Match clauses:
    ip  address: 100
  Action:
    drop
Vlan access-map "Vlan_100_Filter"  20
  Match clauses:
    mac address: macfilter
  Action:
    drop
Vlan access-map "Vlan_100_Filter"  30
  Match clauses:
  Action:
    forward

Cisco_4948E_01#show ip access-lists 100
Extended IP access list 100
    10 permit ip host 192.168.100.1 host 192.168.100.2
Cisco_4948E_01#show access-list macfilter
Extended MAC access list macfilter
    permit host 4055.39a8.101f host 4055.39a8.103f

I could have just filtered based on the IP addresses of the hosts rather than creating a MAC ACL, but I wanted to demonstrate the feature. I have not seen it widely deployed.
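To see why the map above needs its sequence-30 forward clause, and what it does and does not block, here is an added example (not code from the post) that re-implements the evaluation semantics of a VLAN access-map in plain Python: clauses are tried in sequence order, the first match wins, a clause with no match statement matches everything, and a frame that matches nothing is dropped. PC1's and PC3's MACs and PC1's and PC2's IPs come from the post's ACLs; PC2's MAC and PC3's IP are assumptions for the demo. Two caveats the simulation makes visible: the IP ACE is one-directional, so a PC2-sourced frame to PC1 is forwarded, and the MAC clause is applied here to every frame, whereas on some Catalyst platforms a MAC ACL referenced from a VLAN map is only evaluated against non-IP frames, so check the platform's configuration guide before relying on a MAC match to separate IP hosts.

```python
"""Simulate how a Catalyst VLAN access-map evaluates a frame.

Added example, not from the original post: it models the Vlan_100_Filter
map from the post (sequence order, first match wins, implicit drop at the
end) so the filtering logic can be checked before it is pushed to a switch.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None for a non-IP frame such as ARP
    dst_ip: Optional[str] = None


def ip_acl_matches(aces, frame):
    """'permit' ACEs of an extended IP ACL; in a VLAN map a permit hit means 'match'."""
    if frame.src_ip is None:
        return False
    return any(frame.src_ip == s and frame.dst_ip == d for s, d in aces)


def mac_acl_matches(aces, frame):
    """'permit host A host B' ACEs of a MAC ACL, applied here to every frame."""
    return any(frame.src_mac == s and frame.dst_mac == d for s, d in aces)


@dataclass
class VlanAccessMap:
    # each clause is (sequence, action, matcher); matcher None = no match statement
    clauses: list = field(default_factory=list)

    def add(self, seq, action, matcher=None):
        self.clauses.append((seq, action, matcher))
        self.clauses.sort(key=lambda c: c[0])

    def evaluate(self, frame):
        """Return ('forward' | 'drop', sequence that decided, or None for the implicit drop)."""
        for seq, action, matcher in self.clauses:
            if matcher is None or matcher(frame):
                return action, seq
        return "drop", None   # nothing matched: the VLAN map drops the frame


# --- the post's configuration, expressed as data ---
PC1, PC2, PC3 = "192.168.100.1", "192.168.100.2", "192.168.100.3"   # PC3 IP assumed
MAC1, MAC3 = "4055.39a8.101f", "4055.39a8.103f"                      # from the MAC ACL
MAC2 = "4055.39a8.102f"                                              # assumed

acl_100 = [(PC1, PC2)]        # access-list 100 permit ip host PC1 host PC2
macfilter = [(MAC1, MAC3)]    # mac access-list extended macfilter: permit host MAC1 host MAC3

vlan_100_filter = VlanAccessMap()
vlan_100_filter.add(10, "drop", lambda f: ip_acl_matches(acl_100, f))
vlan_100_filter.add(20, "drop", lambda f: mac_acl_matches(macfilter, f))
vlan_100_filter.add(30, "forward")   # without this, everything else is dropped


def decide(frame, vmap=vlan_100_filter):
    return vmap.evaluate(frame)


if __name__ == "__main__":
    cases = {
        "PC1->PC2 IP  ": Frame(MAC1, MAC2, PC1, PC2),
        "PC1->PC3 IP  ": Frame(MAC1, MAC3, PC1, PC3),
        "PC2->PC3 IP  ": Frame(MAC2, MAC3, PC2, PC3),
        "PC2->PC1 IP  ": Frame(MAC2, MAC1, PC2, PC1),   # reverse direction is not filtered
        "PC1->PC3 ARP ": Frame(MAC1, MAC3),
    }
    for name, frame in cases.items():
        print(name, "->", decide(frame))
    # Same map minus the forward clause: the implicit deny bites every other host.
    strict = VlanAccessMap()
    strict.add(10, "drop", lambda f: ip_acl_matches(acl_100, f))
    print("PC2->PC3 without seq 30 ->", decide(Frame(MAC2, MAC3, PC2, PC3), strict))
```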

Thursday, January 17, 2013

Cisco 6509E Redundant Mode VS Combined Mode


Today, while setting up a spare chassis to be used only for burning in cards, I noticed something I had never run into. Two out of the eight modules I had loaded into the chassis were showing a status of PwrDeny (see Example 1.1). We can correct this by installing higher-wattage power supplies or by changing the power mode from redundant to combined. I would personally prefer to install the higher-wattage power supplies, but due to circumstances out of my control, I ended up changing the power mode to combined. Pros and cons are below as well.

Redundant Mode:
When running in Redundant Mode, each power supply provides approximately 50% of its capacity to the chassis. In the event of a failure, the unaffected power supply then provides 100% of its capacity and an alert is generated. As there was enough power for the chassis ahead of time, there is no interruption to service in this configuration. This is also the default and recommended way to configure power supplies.

Combined Mode:
In combined mode, each power supply provides approximately 83% of its capacity to the chassis. This allows for greater utilization of the power supplies and potentially increased PoE densities.

Source: http://en.wikipedia.org/wiki/Catalyst_6500

Example 1.1

6509E_BURN_IN#show mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     XXXXXXXXXXXX
  2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      XXXXXXXXXXXX
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     XXXXXXXXXXXX
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     XXXXXXXXXXXX
  5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        XXXXXXXXXXXX
  6    5  Supervisor Engine 720 10GE (Hot)       VS-S720-10G        XXXXXXXXXXXX
  7   16  CEF720 16 port 10GE                    WS-X6716-10GE      XXXXXXXXXXXX
  8   16  CEF720 16 port 10GE                    WS-X6716-10GE      XXXXXXXXXXXX

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0023.5e7f.4ac0 to 0023.5e7f.4aef   3.0   12.2(18r)S1  12.2(33)SXI6 Ok
  2  001e.f7f8.21e8 to 001e.f7f8.21ef   1.4   12.2(18r)S1  12.2(33)SXI6 Ok
  3  0012.4376.c1d0 to 0012.4376.c1ff   2.1   Unknown      Unknown      PwrDeny
  4  0021.55df.1ed0 to 0021.55df.1eff   2.8   12.2(18r)S1  12.2(33)SXI6 Ok
  5  0025.84bf.7b08 to 0025.84bf.7b0f   3.1   8.5(3)       12.2(33)SXI6 Ok
  6  001e.4a7e.e468 to 001e.4a7e.e46f   3.1   8.5(3)       12.2(33)SXI6 Ok
  7  e05f.b974.a680 to e05f.b974.a68f   1.0   12.2(18r)S1  12.2(33)SXI6 Ok
  8  e05f.b974.a860 to e05f.b974.a86f   1.0   Unknown      Unknown      PwrDeny

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Distributed Forwarding Card WS-F6700-DFC3B     SAL12437YGQ  4.7    Ok
  2  Distributed Forwarding Card WS-F6700-DFC3C     SAL1223SNM7  1.0    Ok
  3  Centralized Forwarding Card WS-F6700-CFC       SAD0843019H  2.0    PwrDeny
  4  Distributed Forwarding Card WS-F6700-DFC3B     SAL1219Q4TH  4.6    Ok
  5  Policy Feature Card 3       VS-F6K-PFC3C       SAL1407B9EV  1.1    Ok
  5  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL1407BJ77  2.1    Ok
  6  Policy Feature Card 3       VS-F6K-PFC3C       SAL1408BN6M  1.1    Ok
  6  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL1407BFWL  2.1    Ok
  7  Distributed Forwarding Card WS-F6700-DFC3C     SAL15139YZ9  1.4    Ok
  8  Distributed Forwarding Card WS-F6700-DFC3C     SAL1513A3BP  1.4    PwrDeny

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Not Applicable
  4  Pass
  5  Pass
  6  Pass
  7  Pass
  8  Not Applicable

Confirming The Current Mode:
6509E_BURN_IN#show power redundancy-mode
system power redundancy mode = redundant


Changing The Power Mode:
6509E_BURN_IN(config)#power redundancy-mode combined
6509E_BURN_IN(config)#
6509E_BURN_IN(config)#end
!
6509E_BURN_IN#show power redundancy-mode
system power redundancy mode = combined

Monday, January 14, 2013

Capturing 802.11 Frames in Wireshark

Figured I would pass this along. I started reading chapter 15 in the CCNP SWITCH certification guide, Integrating Wireless LANs. While reading the first few pages, I quickly wanted to get a sniffer out and check out all of the 802.11 frame specifications it references.

Some examples are DIFS (duration timer) and the random backoff timer. I decided to fire up Wireshark, but the frames kept appearing as 802.3 (Ethernet) frames. These are known as "fake" Ethernet headers. Unfortunately, with the current Wi-Fi card installed in my laptop, I won't be able to sniff 802.11 traffic.

Per Wireshark:
Without any interaction, capturing on WLANs may capture only user data packets with "fake" Ethernet headers. In this case, you won't see any 802.11 management or control packets at all, and the 802.11 packet headers are "translated" by the network driver to "fake" Ethernet packet headers.

http://wiki.wireshark.org/CaptureSetup/WLAN

You can also download an 802.11 capture and learn how to read it by following this document.

http://www.cse.ust.hk/~muppala/csit5610/labs/Wireshark_labs/Wireshark_802_11.pdf
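The quickest way to tell whether a saved capture has real 802.11 frames or the driver-"faked" Ethernet frames described above is the link-layer type field in the pcap file's global header: type 1 is Ethernet, 105 is raw 802.11 and 127 is 802.11 with a radiotap header. This is an added example, not code from the post or the Wireshark wiki; the two 24-byte headers it inspects are constructed in memory so it runs offline, and check_capture() is a small wrapper of my own for pointing it at a real file.

```python
"""Classify a pcap capture by its link-layer header type.

Added example, not from the original post. Reads only the 24-byte libpcap
global header, which is enough to know whether 802.11 management/control
frames can be present at all.
"""
import struct

# Link-layer header types from the libpcap/tcpdump registry.
DLT_EN10MB = 1               # Ethernet: what the post's laptop produced
DLT_IEEE802_11 = 105         # raw 802.11 frames, management/control included
DLT_IEEE802_11_RADIO = 127   # 802.11 frames preceded by a radiotap header

LINKTYPE_NAMES = {
    DLT_EN10MB: "Ethernet (802.3): 802.11 headers were replaced by the driver",
    DLT_IEEE802_11: "802.11: management and control frames are visible",
    DLT_IEEE802_11_RADIO: "802.11 + radiotap: frames plus radio metadata (channel, signal)",
}

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond and nanosecond timestamp variants


def parse_global_header(data):
    """Return (linktype, struct endianness prefix) from a pcap global header.

    The magic number is stored in the writer's byte order, so try both
    orders; pcapng files (block type 0x0A0D0D0A) and random data are rejected.
    """
    if len(data) < 24:
        raise ValueError("not a pcap file: header too short")
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    _magic, _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24]
    )
    return linktype, endian


def describe(linktype):
    return LINKTYPE_NAMES.get(linktype, f"link type {linktype} (see the tcpdump linktype registry)")


def has_wireless_headers(data):
    """True when the capture can contain 802.11 management/control frames."""
    linktype, _ = parse_global_header(data)
    return linktype in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO)


def make_header(linktype, endian="<"):
    """Build a constructed 24-byte pcap global header (version 2.4, snaplen 65535)."""
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def check_capture(path):
    """Hypothetical helper: classify a pcap file on disk by its global header."""
    with open(path, "rb") as fh:
        return describe(parse_global_header(fh.read(24))[0])


# Constructed sample headers, not real captures.
FAKE_ETHERNET_CAPTURE = make_header(DLT_EN10MB)                  # what the post saw
MONITOR_MODE_CAPTURE = make_header(DLT_IEEE802_11_RADIO, ">")   # big-endian writer

if __name__ == "__main__":
    for name, hdr in (("laptop capture", FAKE_ETHERNET_CAPTURE),
                      ("monitor-mode capture", MONITOR_MODE_CAPTURE)):
        linktype, _ = parse_global_header(hdr)
        print(f"{name}: {describe(linktype)}")
```

If a capture reports type 1, no amount of display filtering in Wireshark will reveal beacons, probes or the DIFS/backoff timing the post was after; the driver never delivered those frames.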

Sunday, January 6, 2013

Keeping Current as a Network Engineer & Working your way to becoming a Network Architect

Keeping Current:
It's crucial to always stay current in any industry you work in. You want to be the one bringing new ideas to the table and possibly offering new solutions to the common problems companies face. Some of the websites I follow to keep myself current in the networking and data center industries are below.

http://www.datacenterknowledge.com/
 
http://www.networkworld.com/topics/lan-wan.html

Certifications are also a great way to keep current and enhance your skill sets.

Working your way to becoming a Network Architect:
My long-term goal is to become a Network Architect, and I have found that reading a ton of white papers along with test results from third-party vendors is going to greatly help me achieve this goal. Cisco puts out some great white papers on proven design guides that I highly recommend anyone read. The following link is a perfect example, and yes, I read the entire white paper along with others.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html

This has helped me tremendously in designing better networks and with my CCNP studies. Cisco also has another great resource, the Cisco Validated Design Program. Check out the following link; it has design guides for pretty much every type of network. These are tried and proven design guides from true industry experts.

http://www.cisco.com/en/US/netsol/ns741/networking_solutions_program_home.html

Reading benchmark or test results is another great way to gain a key understanding of how to evaluate a product before you buy it and what to look for in new hardware. I follow this website, and a majority of vendors put third-party evaluation results on their own websites.

http://www.networktest.com/

9 Common Spanning Tree Mistakes

Great read on common STP mistakes. The article is from 2013.

http://www.networkworld.com/community/blog/9-common-spanning-tree-mistakes?

Thursday, January 3, 2013

Interface-Range Command on Non Contiguous Ports

Ever needed to make changes to multiple interfaces that are not within the same range? I know I have, and I always wondered how to update interfaces that were not sequentially ordered. Here is how.

We need to create a macro and then invoke it before we apply our changes.

Creating the macro:

Cisco_4948E_01#config t
Cisco_4948E_01(config)#define interface-range joel GigabitEthernet1/20 , GigabitEthernet1/22 , GigabitEthernet1/24

Invoking the macro (this puts us into interface-range configuration mode):

Cisco_4948E_01(config)#interface range macro joel
Cisco_4948E_01(config-if-range)#
Cisco_4948E_01(config-if-range)#description macro-test

Verification that our changes were successful:

Cisco_4948E_01#show interfaces description | include macro-test
Gi1/20                         down           down     macro-test
Gi1/22                         down           down     macro-test
Gi1/24                         down           down     macro-test
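When the member list is longer than three ports, it is worth generating the `define interface-range` line from a list and checking the `show interfaces description` output programmatically rather than by eye. This is an added example, not code from the post: the command text mirrors the post's syntax (members separated by " , ") and the show output is a constructed sample in which one member deliberately lacks the description, so the check has something to report. The abbreviation table and the status regex cover the port types and status words seen on this kind of switch; extend them for other platforms.

```python
"""Generate an interface-range macro and verify it from show output.

Added example, not from the original post. SAMPLE_SHOW is constructed
to look like 'show interfaces description' on the post's 4948E.
"""
import re

MACRO_NAME = "joel"   # from the post
MEMBERS = ["GigabitEthernet1/20", "GigabitEthernet1/22", "GigabitEthernet1/24"]

# Long-to-short interface names as 'show interfaces description' prints them.
_SHORT = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}

# Interface, Status (may be the two-word 'admin down'), Protocol, Description.
_ROW = re.compile(r"^(\S+)\s+(admin down|up|down|deleted)\s+(up|down)\s*(.*?)\s*$")

SAMPLE_SHOW = """\
Interface                      Status         Protocol Description
Gi1/1                          admin down     down     uplink-spare
Gi1/20                         down           down     macro-test
Gi1/22                         down           down     macro-test
Gi1/24                         down           down
"""


def define_macro_commands(name, members, description):
    """Return the config-mode lines that define the macro, enter it and set a description."""
    if not members:
        raise ValueError("macro needs at least one interface")
    return [
        "define interface-range {} {}".format(name, " , ".join(members)),
        "interface range macro {}".format(name),
        " description {}".format(description),
    ]


def short_name(ifname):
    """GigabitEthernet1/20 -> Gi1/20; unknown types are passed through unchanged."""
    m = re.match(r"([A-Za-z]+)(\S+)$", ifname)
    if not m:
        raise ValueError(f"unrecognised interface name: {ifname}")
    return _SHORT.get(m.group(1), m.group(1)) + m.group(2)


def parse_interface_descriptions(show_output):
    """Parse 'show interfaces description' into {name: (status, protocol, description)}."""
    rows = {}
    for line in show_output.splitlines():
        m = _ROW.match(line)
        if m:   # the header line does not match the status alternatives and is skipped
            rows[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return rows


def verify_macro(show_output, members, description):
    """Return (members carrying the description, members that do not)."""
    rows = parse_interface_descriptions(show_output)
    ok, missing = [], []
    for member in members:
        row = rows.get(short_name(member))
        (ok if row and row[2] == description else missing).append(member)
    return ok, missing


if __name__ == "__main__":
    for cmd in define_macro_commands(MACRO_NAME, MEMBERS, "macro-test"):
        print(cmd)
    good, bad = verify_macro(SAMPLE_SHOW, MEMBERS, "macro-test")
    print("configured:", good)
    print("missing   :", bad)
```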