telnet vrf default ipv4 server max-servers 10
username test password test
domain name rit.com
commit
crypto key generate rsa general-keys
The name for the keys will be: the_default
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [1024]:
Generating RSA keys ...
Done w/ crypto generate keypair
[OK]
control-plane
management-plane
inband
interface all
allow SSH
allow Telnet
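The MPP block above allows SSH and Telnet inband on every interface, which is fine for a lab and not for anything else. The following Python is an added example written for this page (not code from the original post or from Cisco); it parses a control-plane / management-plane block out of a saved running-config and flags the three things a reviewer would push back on: cleartext management protocols, allow statements with no peer restriction, and "interface all" scoping. The weak sample is the post's own block; the hardened sample, its "allow SSH peer" plus "address ipv4 <prefix>" form, the interface name and the peer prefix are assumptions made for illustration.

```python
"""Audit an IOS XR Management Plane Protection (MPP) block.

Added example for this page, not code from the original post.  It parses
the indented control-plane / management-plane hierarchy from a saved
running-config and reports the settings a reviewer would want changed.
The "allow <proto> peer" + "address ipv4 <prefix>" form in the hardened
sample is assumed from IOS XR MPP syntax; the interface name and the peer
prefix are made up for illustration.
"""
from typing import Dict, List

# Constructed sample: the block configured in the post (SSH and Telnet, any peer, all interfaces).
WEAK_MPP = """\
control-plane
 management-plane
  inband
   interface all
    allow SSH
    allow Telnet
   !
  !
 !
!
"""

# Constructed sample: Telnet removed, scoped to one interface and one peer prefix (assumed values).
HARDENED_MPP = """\
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow SSH peer
     address ipv4 10.2.3.0/24
    !
   !
  !
 !
!
"""

# Management protocols MPP can allow that carry credentials or configuration in cleartext.
CLEARTEXT = {"telnet", "tftp", "http"}


def parse_mpp(config_text: str) -> List[Dict]:
    """Return one entry per 'allow' line: plane, interface, protocol and any peer prefixes."""
    entries: List[Dict] = []
    plane = interface = None
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line in ("inband", "out-of-band"):
            plane, interface, current = line, None, None
        elif line.startswith("interface "):
            interface, current = line.split(None, 1)[1], None
        elif line.startswith("allow "):
            proto = line.split()[1].lower()
            current = {"plane": plane, "interface": interface, "protocol": proto, "peers": []}
            entries.append(current)
        elif line.startswith("address ") and current is not None:
            # 'address ipv4 10.2.3.0/24' under an 'allow <proto> peer' submode
            current["peers"].append(line.split()[2])
    return entries


def audit_mpp(config_text: str) -> List[str]:
    """Findings a practitioner would want fixed before the block goes to production."""
    findings = []
    for e in parse_mpp(config_text):
        where = f"{e['plane']}/{e['interface']}"
        proto = e["protocol"]
        if proto in CLEARTEXT:
            findings.append(f"{where}: {proto} carries credentials in cleartext; remove it and use SSH")
        if not e["peers"]:
            findings.append(f"{where}: {proto} allowed from any source; add 'peer' with an address restriction")
        if e["interface"] == "all":
            findings.append(f"{where}: {proto} allowed on every interface; scope it to the management interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MPP), ("hardened", HARDENED_MPP)):
        print(f"{name}: {len(audit_mpp(cfg))} finding(s)")
        for finding in audit_mpp(cfg):
            print("  -", finding)
```

Run it against a saved running-config and the weak block produces five findings (two for SSH, three for Telnet) while the hardened block produces none. The parser only understands the MPP hierarchy; anything else in the config is ignored.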
Now it's time to test Telnet and SSH access. We'll test Telnet first and then SSH. Two lab shortcuts are worth noting before copying this anywhere real: the RSA key prompt above defaulted to a 1024-bit modulus, which should be at least 2048 bits outside a lab, and Telnet sends the username and password in cleartext, so it is enabled here only to show that MPP permits it.
R2#telnet 172.16.100.11
Trying 172.16.100.11 ... Open
IMPORTANT: READ CAREFULLY
Welcome to the Demo Version of Cisco IOS XRv (the "Software").
The Software is subject to and governed by the terms and conditions
of the End User License Agreement and the Supplemental End User
License Agreement accompanying the product, made available at the
time of your order, or posted on the Cisco website at
www.cisco.com/go/terms (collectively, the "Agreement").
As set forth more fully in the Agreement, use of the Software is
strictly limited to internal use in a non-production environment
solely for demonstration and evaluation purposes. Downloading,
installing, or using the Software constitutes acceptance of the
Agreement, and you are binding yourself and the business entity
that you represent to the Agreement. If you do not agree to all
of the terms of the Agreement, then Cisco is unwilling to license
the Software to you and (a) you may not download, install or use the
Software, and (b) you may return the Software as more fully set forth
in the Agreement.
Please login with any configured user/password, or cisco/cisco
User Access Verification
Username: test
Password:
RP/0/0/CPU0:XR1#
Telnet works!
RP/0/0/CPU0:Feb 28 23:57:38.765 : cinetd[159]: %SECURITY-MPP-6-MSG_INFO : Updated Management Plane configuration for service: telnet
Let's test SSH to make sure it works as well.
R2#ssh -l test 172.16.100.11
IMPORTANT: READ CAREFULLY
Welcome to the Demo Version of Cisco IOS XRv (the "Software").
The Software is subject to and governed by the terms and conditions
of the End User License Agreement and the Supplemental End User
License Agreement accompanying the product, made available at the
time of your order, or posted on the Cisco website at
www.cisco.com/go/terms (collectively, the "Agreement").
As set forth more fully in the Agreement, use of the Software is
strictly limited to internal use in a non-production environment
solely for demonstration and evaluation purposes. Downloading,
installing, or using the Software constitutes acceptance of the
Agreement, and you are binding yourself and the business entity
that you represent to the Agreement. If you do not agree to all
of the terms of the Agreement, then Cisco is unwilling to license
the Software to you and (a) you may not download, install or use the
Software, and (b) you may return the Software as more fully set forth
in the Agreement.
Please login with any configured user/password, or cisco/cisco
Password:
RP/0/0/CPU0:XR1#
RP/0/0/CPU0:XR1(config-mpp-inband)#RP/0/0/CPU0:Feb 28 23:57:38.765 : SSHD_[1135]: %SECURITY-MPP-6-MSG_INFO : Updated Management Plane configuration for service: ssh
RP/0/0/CPU0:XR1(config-mpp-inband)#RP/0/0/CPU0:Feb 28 23:58:00.003 : exec[65830]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'test' from '10.2.3.2' on 'vty0'
RP/0/0/CPU0:Mar 1 00:01:50.598 : exec[65830]: %SECURITY-LOGIN-6-CLOSE : User 'test' logged out
Wednesday, February 28, 2018
Tuesday, February 27, 2018
CCIE SPv4 - LISP or Locator ID Separation Protocol
LISP, the Locator/ID Separation Protocol, is an interesting technology designed to decouple an endpoint's identity from the location where the endpoint sits. Normal routing, like you're probably used to working with, is destination based: a subnet block is assigned to a site and then subnetted further as needed. From the other sites' perspective the site block is typically the longest match, until routing gets inside the site, where the longest match eventually becomes a /32 or host route. The key point is that the rest of the network sees the endpoint as part of a location or site. LISP is designed to allow an endpoint to be moved between sites without the endpoint's IP information changing. We won't be demoing VM mobility; we will be demoing the core operation of LISP.
LISP has many individual components that enable it to work. The following is a list of components that make up LISP and what they do.
EID - Endpoint ID, this is the server’s IP address
RLOC - Routing Locator, this is the router’s interface IP address
M-DB - Mapping Database, this is the association between the EID and the RLOC
MS - Map Server, this holds the EID to the RLOC mappings, similar to DNS in operation
MR - Map Resolver, this is used to respond to map-request messages
MS/MR - combined MR and MS on the same device. If the MR and MS are on different devices, the ALT mechanism is used to communicate between the MR and MS
iTR - Ingress Tunnel Router, this asks the Map Resolver for the EID to RLOC mapping and encapsulates packets in LISP (over UDP).
eTR - Egress Tunnel Router, this decapsulates LISP and forwards the packet to the destination. It also registers the EID/RLOC mapping with the Map Server.
xTR - Combines the eTR and iTR on the same device.
In the topology above, R1 will be the MR/MS handling both IPv4 and IPv6. R5-R8 are customer endpoints that will use LISP to achieve reachability. A default route for IPv4 and IPv6 on each customer device provides connectivity to the core of the network. The loopbacks of the customer devices are not advertised; they use LISP encapsulation to achieve reachability. We will configure the customer devices first and then the MR/MS. The key thing to remember is that the customer devices only need to be able to reach the MR/MS; how they reach it is irrelevant. Note also that each site gets its own key (key R5 on the ETR, matched by authentication-key R5 under site R5 on the MS): that key is what stops one site from registering, and thereby hijacking, another site's EID prefix.
We'll test reachability to R1.
R5#ping 10.1.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
R5#ping 2001:1:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/10 ms
R5
router lisp
eid-table default instance-id 1
database-mapping 172.16.100.5/32 IPv4-interface GigabitEthernet1.35 priority 10 weight 10
database-mapping FC00:100::5/128 IPv6-interface GigabitEthernet1.35 priority 10 weight 10
ipv4 itr map-resolver 10.1.3.1
ipv4 itr
ipv4 etr map-server 10.1.3.1 key R5
ipv4 etr
ipv6 itr map-resolver 2001:1:3::1
ipv6 itr
ipv6 etr map-server 2001:1:3::1 key R5
ipv6 etr
exit
R6
router lisp
eid-table default instance-id 1
database-mapping 172.16.100.6/32 IPv4-interface GigabitEthernet1.613 priority 10 weight 10
database-mapping FC00:100::6/128 IPv6-interface GigabitEthernet1.613 priority 10 weight 10
ipv4 itr map-resolver 10.1.3.1
ipv4 itr
ipv4 etr map-server 10.1.3.1 key R6
ipv4 etr
ipv6 itr map-resolver 2001:1:3::1
ipv6 itr
ipv6 etr map-server 2001:1:3::1 key R6
ipv6 etr
exit
R7
router lisp
eid-table default instance-id 1
database-mapping 172.16.100.7/32 IPv4-interface GigabitEthernet1.147 priority 10 weight 10
database-mapping FC00:100::7/128 IPv6-interface GigabitEthernet1.147 priority 10 weight 10
ipv4 itr map-resolver 10.1.3.1
ipv4 itr
ipv4 etr map-server 10.1.3.1 key R7
ipv4 etr
ipv6 itr map-resolver 2001:1:3::1
ipv6 itr
ipv6 etr map-server 2001:1:3::1 key R7
ipv6 etr
exit
R8
router lisp
eid-table default instance-id 1
database-mapping 172.16.100.8/32 IPv4-interface GigabitEthernet1.48 priority 10 weight 10
database-mapping FC00:100::8/128 IPv6-interface GigabitEthernet1.48 priority 10 weight 10
ipv4 itr map-resolver 10.1.3.1
ipv4 itr
ipv4 etr map-server 10.1.3.1 key R8
ipv4 etr
ipv6 itr map-resolver 2001:1:3::1
ipv6 itr
ipv6 etr map-server 2001:1:3::1 key R8
ipv6 etr
exit
We'll configure the MR/MS on R1 and then test reachability.
router lisp
site R5
authentication-key R5
eid-prefix instance-id 1 172.16.100.5/32
eid-prefix instance-id 1 FC00:100::5/128
exit
!
site R6
authentication-key R6
eid-prefix instance-id 1 172.16.100.6/32
eid-prefix instance-id 1 FC00:100::6/128
exit
!
site R7
authentication-key R7
eid-prefix instance-id 1 172.16.100.7/32
eid-prefix instance-id 1 FC00:100::7/128
exit
!
site R8
authentication-key R8
eid-prefix instance-id 1 172.16.100.8/32
eid-prefix instance-id 1 FC00:100::8/128
exit
!
ipv4 map-server
ipv4 map-resolver
ipv6 map-server
ipv6 map-resolver
exit
Now that we have configured everything, there are a couple of debugs we can enable to verify that LISP is indeed working.
debug lisp control-plane map-server-map-request
debug lisp control-plane map-server-registration
I apply these debugs on R5 and R1. We'll kick off pings from R5's loopback to R8's loopback. Expect the first packet or two to be lost while the iTR resolves the mapping; that is the map-request/map-reply round trip, not a fault.
R5#ping 172.16.100.8 source lo0 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.100.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.5
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 31/50/85 ms
R1 MR/MS Debug output
*Feb 27 20:39:57.608: LISP: Received map request for IID 1 172.16.100.8/32, source_eid IID 1 172.16.100.5, ITR-RLOCs: 10.3.5.5 2001:3:5::5, records 1, nonce 0x7A8E686A-0x4DBE7E22
*Feb 27 20:39:57.608: LISP-0: MS EID IID 1 prefix 172.16.100.8/32 site R8, Forwarding map request to ETR RLOC 10.4.8.8.
*Feb 27 20:39:59.718: LISP: Processing received Encap-Control(8) message on GigabitEthernet1.111 from 10.4.8.8:4342 to 10.1.3.1:4342
*Feb 27 20:39:59.718: LISP: Processing received Map-Request(1) message on GigabitEthernet1.111 from 172.16.100.5:4342 to 172.16.100.5:4342
*Feb 27 20:39:59.718: LISP: Received map request for IID 1 172.16.100.5/32, source_eid IID 1 172.16.100.8, ITR-RLOCs: 10.4.8.8 2001:4:8::8, records 1, nonce 0x2201BAFC-0x8C9419A4
*Feb 27 20:39:59.718: LISP-0: MS EID IID 1 prefix 172.16.100.5/32 site R5, Forwarding map request to ETR RLOC 10.3.5.5.
*Feb 27 20:40:05.821: LISP: Processing received Map-Register(3) message on GigabitEthernet1.13 from 10.3.5.5:4342 to 10.1.3.1:4342
*Feb 27 20:40:05.821: LISP: Processing Map-Register no proxy, map-notify, no merge, no security, no mobile-node, not to-RTR, no fast-map-register, no EID-notify, ID-included, 1 record, nonce 0x7512519E-0x955C6AEB, key-id 1, auth-data-len 20, hash-function sha1, xTR-ID 0xAF71BB66-0x921F3EDE-0x29EA8B9A-0x981D5175, site-ID unspecified
*Feb 27 20:40:05.821: LISP: Processing Map-Register mapping record for IID 1 172.16.100.5/32, ttl 1440, action none, authoritative, 1 locator
10.3.5.5 pri/wei=10/10 LpR
*Feb 27 20:40:05.821: LISP-0: MS registration IID 1 prefix 172.16.100.5/32 10.3.5.5 site R5, Updating.
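The Map-Register line above is the security-relevant part of the exchange: key-id 1, auth-data-len 20 and hash-function sha1 say the ETR signed the whole message with the site key (key R5 on the ETR, authentication-key R5 under site R5 on the MS), and the MS accepts the registration for 172.16.100.5/32 only because the HMAC verifies with the key of the site that owns that prefix. The following Python is an added example written for this page, not code from the post or from Cisco. It builds and verifies a Map-Register using the RFC 6830 header and record layout with HMAC-SHA-1 computed over the message with the Authentication Data field zeroed, and a site table that mirrors R1's configuration. Cisco's exact bytes are not shown on the page, so the encoding is an RFC-based reconstruction for IPv4 only; the nonce is the one from the debug line.

```python
"""LISP Map-Register authentication (RFC 6830 layout), as an added example.

Not code from the post or from Cisco.  The ETR signs the whole Map-Register
with the site key (HMAC-SHA-1, key-id 1, 20-byte digest as in the debug),
and the Map-Server checks it with the key of the site that owns the EID
prefix being registered.  Record encoding follows the RFC 6830 record and
locator layout for IPv4 only; Cisco's exact bytes are not shown on the page.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional, Set, Tuple

MAP_REGISTER = 3        # message type
KEY_ID_HMAC_SHA1 = 1    # "key-id 1 ... hash-function sha1" in the debug
AUTH_LEN = 20           # "auth-data-len 20": the full SHA-1 output
HDR = "!I8sHH"          # type/P/M/count word, nonce, key-id, auth-data-len
HDR_LEN = struct.calcsize(HDR)
REC_LEN = 28            # fixed-size IPv4 record with one IPv4 locator

# Mirrors the "site" blocks on R1: site name -> (authentication-key, EID prefixes it may register)
SITES: Dict[str, Tuple[bytes, Set[str]]] = {
    "R5": (b"R5", {"172.16.100.5/32"}),
    "R6": (b"R6", {"172.16.100.6/32"}),
    "R7": (b"R7", {"172.16.100.7/32"}),
    "R8": (b"R8", {"172.16.100.8/32"}),
}


def encode_record(eid_prefix: str, rloc: str, ttl: int = 1440, priority: int = 10, weight: int = 10) -> bytes:
    """One EID-to-RLOC record: TTL, 1 locator, mask, ACT=none with A=1, map-version 0, AFI 1, EID, locator."""
    net = ipaddress.ip_network(eid_prefix)
    rec = struct.pack("!IBBBBHH", ttl, 1, net.prefixlen, 0x10, 0x00, 0, 1) + net.network_address.packed
    # priority/weight, multicast priority/weight, flags L=1 p=0 R=1 (the "LpR" in the debug), AFI 1, RLOC
    rec += struct.pack("!BBBBHH", priority, weight, priority, weight, 0b101, 1) + ipaddress.ip_address(rloc).packed
    return rec


def decode_record_eid(record: bytes) -> str:
    """Pull the EID prefix back out of a record so the MS can find the owning site."""
    _ttl, _count, mask, _act, _rsv, _ver, afi = struct.unpack("!IBBBBHH", record[:12])
    if afi != 1:
        raise ValueError("only IPv4 EIDs are handled in this example")
    return f"{ipaddress.ip_address(record[12:16])}/{mask}"


def build_map_register(key: bytes, record: bytes, nonce: bytes) -> bytes:
    """ETR side. M bit set asks for a Map-Notify, P bit clear (the debug shows 'no proxy, map-notify')."""
    first_word = (MAP_REGISTER << 28) | (1 << 8) | 1      # type 3, M=1, record count 1
    header = struct.pack(HDR, first_word, nonce, KEY_ID_HMAC_SHA1, AUTH_LEN)
    # MAC over the entire message with the Authentication Data field zeroed
    mac = hmac.new(key, header + bytes(AUTH_LEN) + record, hashlib.sha1).digest()
    return header + mac + record


def verify_map_register(msg: bytes, key: bytes) -> bool:
    """Recompute the HMAC with the given key and compare in constant time."""
    if len(msg) < HDR_LEN + AUTH_LEN:
        return False
    first_word, _nonce, key_id, auth_len = struct.unpack(HDR, msg[:HDR_LEN])
    if first_word >> 28 != MAP_REGISTER or key_id != KEY_ID_HMAC_SHA1 or auth_len != AUTH_LEN:
        return False
    received = msg[HDR_LEN:HDR_LEN + AUTH_LEN]
    zeroed = msg[:HDR_LEN] + bytes(AUTH_LEN) + msg[HDR_LEN + AUTH_LEN:]
    expected = hmac.new(key, zeroed, hashlib.sha1).digest()
    return hmac.compare_digest(received, expected)


def map_server_process(msg: bytes, sites: Dict[str, Tuple[bytes, Set[str]]]) -> Optional[str]:
    """MS side: accept only if the EID belongs to a configured site AND the HMAC verifies with that site's key."""
    if len(msg) < HDR_LEN + AUTH_LEN + REC_LEN:
        return None
    eid = decode_record_eid(msg[HDR_LEN + AUTH_LEN:])
    for name, (key, prefixes) in sites.items():
        if eid in prefixes:
            return name if verify_map_register(msg, key) else None
    return None   # unknown EID prefix: no site to check against


if __name__ == "__main__":
    nonce = bytes.fromhex("7512519E955C6AEB")   # the nonce from the debug line
    good = build_map_register(b"R5", encode_record("172.16.100.5/32", "10.3.5.5"), nonce)
    print("R5 registering its own EID:", map_server_process(good, SITES))
    # an xTR that only knows site R6's key trying to take over R5's EID
    forged = build_map_register(b"R6", encode_record("172.16.100.5/32", "10.6.13.6"), nonce)
    print("R6 key used for R5's EID:", map_server_process(forged, SITES))
```

The forged registration is the case the per-site key exists for: an xTR holding only site R6's key cannot register R5's /32 and pull its traffic to a different RLOC, which would be possible if every site shared one key. Keys like "R5" are fine for a lab but trivially guessable; use long random keys in production.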
R5#show ip route 172.16.100.6
% Subnet not in table
You can see that there isn't an exact route for R6's loopback.
R5#sh ip cef 172.16.100.6
172.16.100.6/32
nexthop 10.3.5.3 GigabitEthernet1.35
We can see that there is a CEF entry for R6's loopback, covered by the default route, with outgoing interface G1.35. However, there is no indication in this summary that LISP is used; the internal view shows it.
R5#sh ip cef 172.16.100.6 internal
172.16.100.6/32, epoch 2, flags [sc, lisp elig, defrt], refcnt 6, per-destination sharing
sources: LISP, IPL
feature space:
Broker: linked, distributed at 1st priority
subblocks:
SC owned,sourced: LISP remote EID - locator status bits 0x00000001
LISP remote EID: 192 packets 18297 bytes fwd action encap
LISP source path list
path list 7FBED44A9A30, 3 locks, per-destination, flags 0x49 [shble, rif, hwcn]
ifnums:
LISP0.1(14): 10.6.13.6
1 path
path 7FBED44C7178, share 10/10, type attached nexthop, for IPv4
nexthop 10.6.13.6 LISP0.1, IP midchain out of LISP0.1, addr 10.6.13.6 7FBED44B0E10
1 output chain
chain[0]: IP midchain out of LISP0.1, addr 10.6.13.6 7FBED44B0E10
IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
Dependent covered prefix type LISP, cover 0.0.0.0/0
2 IPL sources [active source]
Dependent covered prefix type inherit, cover 0.0.0.0/0
ifnums:
GigabitEthernet1.35(11): 10.3.5.3
path list 7FBED44A9D50, 2 locks, per-destination, flags 0x69 [shble, rif, rcrsv, hwcn]
path 7FBEC1DE5238, share 1/1, type recursive, for IPv4, flags [dsnt-src-via, cef-intnl]
recursive via 0.0.0.0/0<nh:172.16.100.6>[IPv4:Default], fib 7FBEC93DEDE8, 1 terminal fib, v4:Default:0.0.0.0/0
path list 7FBED408A5B0, 3 locks, per-destination, flags 0x69 [shble, rif, rcrsv, hwcn]
path 7FBEC1DE5970, share 1/1, type recursive, for IPv4
recursive via 10.3.5.3[IPv4:Default], fib 7FBEC1DE4B20, 1 terminal fib, v4:Default:10.3.5.3/32
path list 7FBED408A470, 2 locks, per-destination, flags 0x49 [shble, rif, hwcn]
path 7FBEC1DE5820, share 1/1, type adjacency prefix, for IPv4
attached to GigabitEthernet1.35, IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
output chain:
LISP eligibility check 0x7FBED44C31F8 for IPv4:Default, 4 locks
<L> PushCounter(LISP:172.16.100.6/32) 7FBED44C2E30
IP midchain out of LISP0.1, addr 10.6.13.6 7FBED44B0E10
IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
<N> IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
As you can see from the capture, the ping from R5 to R6 over IPv6 is encapsulated in LISP, which is itself carried in UDP. The encapsulation is really ICMPv6 inside IPv6 inside LISP inside UDP inside IPv6, with the outer IPv6 header addressed from RLOC to RLOC.
R5#ping fc00:100::6 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:100::6, timeout is 2 seconds:
Packet sent with a source address of FC00:100::5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 51/54/58 ms
Thanks for stopping by!
Rob Riker, CCIE #50693
Thursday, September 21, 2017
CCNA Security - L2 Security - Port Security
In this post we will be taking a look at Port Security as it pertains to the CCNA Security 210-260 IINS blueprint.
Port Security, as the name of the feature states, is security of the port. It limits the number of MAC addresses that can be learned on a port and how they are learned. By default there is no port security enabled on a Cisco Catalyst switch; it first has to be enabled, and then the different attributes can be configured.
Operationally, whenever a switch port receives a frame, the source MAC address of that frame (often an ARP or gratuitous ARP at first, but any frame will do) is stored in the CAM table. This table holds the binding between MAC and port, so whenever traffic is forwarded, the CAM table is referenced for the destination MAC to determine which port to forward the traffic out of. That covers why a MAC address is needed. Why would we ever need a feature to control how many MAC addresses can be learned?
A practical example would be a conference room wall jack with an unmanaged switch plugged into it. If the wall jack port is an access port, multiple MAC addresses can be learned on that port. This may be acceptable for some networks but not others. Port Security can be used to limit how many MAC addresses are learned and how they are learned, and then to apply enforcement if a violation occurs. Depending on the violation mode, re-enabling the port may be required.
To enable Port Security, use the following commands. Caveat: the port must be a static access (or static trunk) port; the command is rejected on a port left in dynamic (DTP) mode:
SW1(config-if)#switchport port-security
Command rejected: GigabitEthernet0/0 is a dynamic port.
interface GigabitEthernet0/0
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky ca01.133c.0000
switchport port-security
Step 1 is to make the port a static access port.
Step 2 is to enable the port-security feature under the interface.
Step 3 is to choose the MAC learning mechanism; in this case we used "sticky".
Do this on every interface you want the feature on. With "sticky", the learned MAC address is written into the running configuration as a static secure entry (the second sticky line above is that learned entry). Remember to save the configuration: otherwise the sticky addresses are lost on reload and re-learned from whatever happens to be plugged in at that point.
interface range g0/0 - 3
switchport mode access
switchport port-security mac-address sticky
switchport port-security
SW1#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 ca01.133c.0000 STATIC Gi0/0
1 ca02.05f8.0000 STATIC Gi0/1
1 ca03.13e8.0000 STATIC Gi0/2
1 ca04.0cb4.0000 STATIC Gi0/3
Total Mac Addresses for this criterion: 4
Since we enabled port security with sticky learning on the interfaces listed above, the dynamically learned MAC addresses are stored as STATIC entries in the MAC address table.
SW1#sh run | in interface|ca
interface GigabitEthernet0/0
switchport port-security mac-address sticky ca01.133c.0000
interface GigabitEthernet0/1
switchport port-security mac-address sticky ca02.05f8.0000
interface GigabitEthernet0/2
switchport port-security mac-address sticky ca03.13e8.0000
interface GigabitEthernet0/3
switchport port-security mac-address sticky ca04.0cb4.0000
So now that we have it enabled and ports have learned MACs, let's verify everything.
SW1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/0 1 1 0 Shutdown
Gi0/1 1 1 0 Shutdown
Gi0/2 1 1 0 Shutdown
Gi0/3 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
This output lists, per port, the maximum number of secure addresses, the current count, the violation count and the violation action. Shutdown is the default action.
SW1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 ca01.133c.0000 SecureSticky Gi0/0 -
1 ca02.05f8.0000 SecureSticky Gi0/1 -
1 ca03.13e8.0000 SecureSticky Gi0/2 -
1 ca04.0cb4.0000 SecureSticky Gi0/3 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
This output lists the addresses learned, the method they were learned by and the port they were learned in on.
SW1#show port-security address forbidden
----------------------------------
Globally Forbidden MAC Addresses
----------------------------------
-----------------------------------------
No of Global Forbidden Addresses : 0
-------------------------------------
Forbidden Mac Addresses
------------------------------------------
Mac Address Ports
----------- -----
-----------------------------------------
Total Forbidden Addresses in System : 0
This output identifies any MACs that are not allowed to be learned by the switch.
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : ca01.133c.0000:1
Security Violation Count : 0
This output shows the details of a given interface, G0/0 here, and the specifics of the port security implementation.
This port has port security enabled.
The status Secure-up means port security is active and the port is operationally up.
The violation mode is Shutdown, meaning that if a violation occurs the port is shut down and placed in err-disabled state.
The maximum number of MAC addresses that can be learned on this interface is 1, which is the default once port security is enabled.
Total MAC Addresses is how many secure MACs are currently held for the port.
Configured MAC Addresses counts entries that were manually entered at the port level.
Sticky MAC Addresses is what our deployment uses, and we have 1.
Last Source Address:Vlan shows the most recent source MAC seen on the port and the VLAN it was seen in.
What happens when there is a violation?
R1(config-if)#mac-address 0000.0000.0001
R1(config-if)#do sh int f0/0 | in bia
Hardware is DEC21140, address is 0000.0000.0001 (bia ca01.133c.0000)
We configure a new MAC on the F0/0 interface of R1. Any traffic generated by this router on this interface will now be sourced from MAC 0000.0000.0001, which will cause a violation: SW1 has already learned a different sticky MAC on G0/0, the burned-in address (BIA) shown in parentheses, and the maximum is 1.
*Sep 22 00:21:21.865: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Sep 22 00:21:21.873: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/0.
*Sep 22 00:21:22.866: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Sep 22 00:21:23.868: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
This output shows that a new MAC address was seen on G0/0, which is a violation; the enforcement is to shut the port down and place it in err-disabled state.
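Those four console lines are the signal a SOC would alert on. The following Python is an added example for this page (not the post's own code or any Cisco tool) that runs detection logic over syslog lines: it pairs the PSECURE_VIOLATION message with the PM-4-ERR_DISABLE logged for the same port, normalises the short and long interface names the two messages use (Gi0/0 versus GigabitEthernet0/0), lists the ports now stuck in err-disabled, and flags the same MAC tripping more than one port, which is what a device being moved from jack to jack, or a spoofed address being tried around the room, looks like. The first four sample lines are copied from the post; the remaining lines are constructed.

```python
"""Detection over Cisco port-security syslog, as an added example for this page.

Not code from the original post or from Cisco.  It parses the two messages
port security emits in shutdown mode, joins them per port, and reports:
  - which ports are now err-disabled and need a shut/no shut or errdisable
    recovery,
  - violations on ports that stayed up (restrict mode, or already recovered),
  - MAC addresses that caused violations on more than one port.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Sample input: the first four lines are the ones shown in the post; the rest
# are constructed (same MAC tripping a second port, then a different MAC on a
# port that does not get err-disabled).
SAMPLE_LOG = """\
*Sep 22 00:21:21.865: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Sep 22 00:21:21.873: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/0.
*Sep 22 00:21:22.866: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Sep 22 00:21:23.868: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
*Sep 22 00:31:02.101: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/2, putting Gi0/2 in err-disable state
*Sep 22 00:31:02.109: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/2.
*Sep 22 00:35:40.500: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.00aa on port GigabitEthernet0/3.
"""

# Cisco abbreviates interface names in some messages and spells them out in others.
IFACE_ALIASES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}

TS_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+):")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")


def canon(port: str) -> str:
    """Expand Gi0/0 to GigabitEthernet0/0 so the two message formats join on one key."""
    m = re.match(r"([A-Za-z]+)(\d.*)$", port)
    if not m:
        return port
    return IFACE_ALIASES.get(m.group(1), m.group(1)) + m.group(2)


def analyze(log_text: str) -> Dict:
    """Walk the log once, then correlate violations with err-disable events per port and per MAC."""
    violations: List[Dict] = []
    err_disabled = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        v = VIOLATION_RE.search(line)
        if v:
            ts = TS_RE.match(line)
            violations.append({"ts": ts.group("ts") if ts else "",
                               "port": canon(v.group("port")), "mac": v.group("mac").lower()})
            continue
        e = ERRDISABLE_RE.search(line)
        if e:
            err_disabled.add(canon(e.group("port")))
    by_port: Dict[str, List[str]] = defaultdict(list)
    by_mac: Dict[str, set] = defaultdict(set)
    for v in violations:
        by_port[v["port"]].append(v["mac"])
        by_mac[v["mac"]].add(v["port"])
    return {
        "violations": violations,
        "err_disabled": sorted(err_disabled),
        "still_up": sorted(set(by_port) - err_disabled),
        "by_port": dict(by_port),
        "roaming_macs": {mac: sorted(ports) for mac, ports in by_mac.items() if len(ports) > 1},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for v in report["violations"]:
        print(f"{v['ts']} violation on {v['port']} by {v['mac']}")
    print("err-disabled, need shut/no shut or errdisable recovery:", report["err_disabled"])
    print("violations on ports still up:", report["still_up"])
    print("same MAC on more than one port:", report["roaming_macs"])
```

Feed it the switch's syslog export (or a syslog collector's output for the switch) rather than the console; the regexes are anchored on the message mnemonics, so the timestamp format in front can vary.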
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0001:1
Security Violation Count : 1
The port is now Secure-shutdown and cannot be used until it is recovered.
SW1#sh int status
Port Name Status Vlan Duplex Speed Type
Gi0/0 err-disabled 1 auto auto unknown
To fix this we remove the manually configured MAC on R1, then shutdown and no shutdown G0/0 on SW1. Clearing the cause first matters: if the spoofed MAC is still in use, the port goes straight back to err-disabled as soon as it comes up. In production you would typically also enable automatic recovery with errdisable recovery cause psecure-violation, which brings the port back after the recovery interval (300 seconds by default) without an operator having to bounce it.
R1(config-if)#no mac-address 0000.0000.0001
R1(config-if)#do sh int f0/0 | in bia
Hardware is DEC21140, address is ca01.133c.0000 (bia ca01.133c.0000)
SW1(config)#int g0/0
SW1(config-if)#shut
SW1(config-if)#
*Sep 22 00:26:59.642: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
SW1(config-if)#no shut
*Sep 22 00:27:06.441: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Sep 22 00:27:07.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
We can now see that the interface has recovered and the Last Source Address field is empty, since no frame has been seen on the port yet. We can generate some traffic from R1 to populate that field.
R1(config-if)#do ping 10.10.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/69/144 ms
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : ca01.133c.0000:1
Security Violation Count : 0
Now the field is populated and all is well.
Thanks for stopping by!
Rob Riker, CCIE #50693
Port Security as the name of the feature states, is security of the port. It limits the number of MAC address that can be learned and how they are learned. By default there is no port security enabled on a Cisco Catalyst switch. It first has to be enabled and then the different attributes that can be configured can be applied.
Operationally whenever a switch port learns a MAC address, whether through normal ARP or Gratuitous ARP, the MAC address is stored in the CAM table. This table builds a binding for the MAC to Port, so whenever traffic is forwarded and the MAC address is the destination MAC, the CAM table is referenced to determine which port forward the traffic out of. This covers why a MAC address is needed. Why would we ever needed to enable a feature to control how many MAC addresses could be learned?
A practical deployment would be a conference room switchport that has a switch plugged into one of the wall jacks. If the wall jack port is an access port, then multiple MAC addresses could be learned in on that port. This maybe acceptable for some networks but not others. Port Security could be used to limit how many MAC addresses are learned and how they are learned. Then apply some enforcement if a violation occurs. Depending on the violation, re-enabling a port maybe required.
To enable Port Security use the following commands: - Caveat, the port must be static Access
SW1(config-if)#switchport port-security
Command rejected: GigabitEthernet0/0 is a dynamic port.
interface GigabitEthernet0/0
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky ca01.133c.0000
switchport port-security
Step 1 is enable the port as an access port.
Step 2 is enable the port-security feature under the interface
Step 3 is enable the MAC address learning mechanism, in this case we used "sticky"
Do this on all the interfaces that you want to enable this feature on, if enabled with the "sticky" feature, the learned MAC address will be treated as a "static" MAC entry.
interface range g0/0 - 3
switchport mode access
switchport port-security mac-address sticky
switchport port-security
SW1#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 ca01.133c.0000 STATIC Gi0/0
1 ca02.05f8.0000 STATIC Gi0/1
1 ca03.13e8.0000 STATIC Gi0/2
1 ca04.0cb4.0000 STATIC Gi0/3
Total Mac Addresses for this criterion: 4
Since we enabled the port security feature on the interfaces listed above, the learned MAC addresses are learned and stored as static MACs.
SW1#sh run | in interface|ca
interface GigabitEthernet0/0
switchport port-security mac-address sticky ca01.133c.0000
interface GigabitEthernet0/1
switchport port-security mac-address sticky ca02.05f8.0000
interface GigabitEthernet0/2
switchport port-security mac-address sticky ca03.13e8.0000
interface GigabitEthernet0/3
switchport port-security mac-address sticky ca04.0cb4.0000
So now that we have it enabled and ports have learned MACs, let's verify everything.
SW1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/0 1 1 0 Shutdown
Gi0/1 1 1 0 Shutdown
Gi0/2 1 1 0 Shutdown
Gi0/3 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
This output lists the MAC addresses that have been learned and how many have been learned.
SW1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 ca01.133c.0000 SecureSticky Gi0/0 -
1 ca02.05f8.0000 SecureSticky Gi0/1 -
1 ca03.13e8.0000 SecureSticky Gi0/2 -
1 ca04.0cb4.0000 SecureSticky Gi0/3 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
This output lists the addresses learned, the method they were learned by and the port they were learned in on.
SW1#show port-security address forbidden
----------------------------------
Globally Forbidden MAC Addresses
----------------------------------
-----------------------------------------
No of Global Forbidden Addresses : 0
-------------------------------------
Forbidden Mac Addresses
------------------------------------------
Mac Address Ports
----------- -----
-----------------------------------------
Total Forbidden Addresses in System : 0
This output identifies any MACs that are not allowed to be learned by the switch.
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : ca01.133c.0000:1
Security Violation Count : 0
This output shows the details of a given interface, G0/0 here, and the specifics of the port security implementation.
This port has port security enabled.
The status is secure-up meaning that port is security and operationally up.
The violation mode is shutdown meaning that if a violation were to occur, the port would be shutdown.
The total amount of MAC addresses that can be learned in on this interface is 1 which is the configured default once port security is enabled.
The total MAC address is how many MACs have been learned.
Configured MAC addresses is if you manually entered a MAC at the port level.
Sticky MAC addresses is our deployment and we have 1.
The Last Source Address:VLAN, this shows the MAC learned in on the port and the VLAN that port is currently in.
What happens when there is a violation?
R1(config-if)#mac-address 0000.0000.0001
R1(config-if)#do sh int f0/0 | in bia
Hardware is DEC21140, address is 0000.0000.0001 (bia ca01.133c.0000)
We configure a new MAC on the F0/0 interface of R1. Any traffic that is generated by this router on this interface will be seen with MAC 0000.0000.0001, which will cause an issue. The issue is SW1 on G0/0 has learned a different MAC, the BIA address in (Parenthesis).
*Sep 22 00:21:21.865: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Sep 22 00:21:21.873: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/0.
*Sep 22 00:21:22.866: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Sep 22 00:21:23.868: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
This output show that a new MAC address was learned in on G0/0 and is a violation, the violation enforcement is to shutdown the port and place the port into err-disable mode.
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0001:1
Security Violation Count : 1
The port is now secure-shutdown. It can not be used currently.
SW1#sh int status
Port Name Status Vlan Duplex Speed Type
Gi0/0 err-disabled 1 auto auto unknown
To fix this issue we will have to remove the manually configured MAC on R1, shutdown and then no shutdown the G0/0 interface on SW1.
R1(config-if)#no mac-address 0000.0000.0001
R1(config-if)#do sh int f0/0 | in bia
Hardware is DEC21140, address is ca01.133c.0000 (bia ca01.133c.0000)
SW1(config)#int g0/0
SW1(config-if)#shut
SW1(config-if)#
*Sep 22 00:26:59.642: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
SW1(config-if)#no shut
*Sep 22 00:27:06.441: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Sep 22 00:27:07.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
We can now see that the interface has recovered and that no MAC information (the Last Source Address field) has been learned yet. We can generate some traffic from R1 to populate that field.
R1(config-if)#do ping 10.10.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/69/144 ms
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : ca01.133c.0000:1
Security Violation Count : 0
Now the field is populated and all is well.
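The recovery procedure above is driven by two things an operator reads by hand: the PSECURE_VIOLATION syslog and the "Port Status" / "Last Source Address" fields of show port-security. The following is an added example (not from the original post) that parses constructed copies of both, identifies the offending MAC and port, and reports whether the port is err-disabled and needs the shut / no shut recovery.

```python
import re

# Constructed sample lines modelled on the SW1 syslog and show output above (not captured from the lab).
SYSLOG = """\
*Sep 22 00:21:21.873: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/0.
*Sep 22 00:21:23.868: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
"""
SHOW_PSEC = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0001:1
Security Violation Count : 1
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")

def violations(syslog):
    """Return (mac, port) for every port-security violation message in the log."""
    found = []
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m["mac"], m["port"]))
    return found

def parse_show_port_security(text):
    """Turn the 'key : value' lines of show port-security interface into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess(fields):
    """Classify the port and say what the operator has to do next."""
    status = fields.get("Port Status", "")
    count = int(fields.get("Security Violation Count", "0"))
    offender = fields.get("Last Source Address:Vlan", "").split(":")[0]
    if status == "Secure-shutdown":
        action = "remove the offending MAC from the host, then shut / no shut the port"
        return {"state": "err-disabled", "offender": offender, "count": count, "action": action}
    if count:
        return {"state": "up-with-history", "offender": offender, "count": count, "action": "review"}
    return {"state": "healthy", "offender": offender, "count": count, "action": None}
```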
Thanks for stopping by!
Rob Riker, CCIE #50693
Monday, July 24, 2017
Security - IOS to IOS Site to Site VPN with Crypto Maps and Pre Shared Keys
I'm back in the saddle again, and this time it is with security. My job role has changed: I now do more security, pre-sales and implementation. As a Solutions Integration Architect, I design and deploy solutions for customers. Because of the role and focus shift, security is where I spend my time now. I currently have a CCNA Security that I earned back in 2013; it's dated, and I'm beginning the process of upgrading it to the current standard, 210-260 IINS. I won't take the exam, but I will re-learn what I have forgotten and add to what I didn't already know.
IOS to IOS site-to-site VPNs with crypto maps secured with pre-shared keys are a very common solution used today by companies all over the world. In the grand scheme of things they are very simple to configure and verify. Our demonstration will consist of 2 CSR1000v's and 2 Windows 7 Pro VMs running in ESXi 6.0. The goal is to set up a VPN on the CSRs to allow the 2 Windows 7 VMs to communicate with each other. Sec-PC1 and Sec-PC4 will be our test devices. I already have this solution working; I will be copying and pasting the working configurations here. R1 and R4 do have reachability with each other, but I will prove this works with a couple of ping/traceroute outputs.
R1#ping 10.2.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms
R4#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/20 ms
Since we will be using IKEv1/ISAKMP with pre-shared-keys, the configuration will be relatively basic.
R1's configuration
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco address 10.2.4.4
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
crypto map CMAP 1 ipsec-isakmp
set peer 10.2.4.4
set transform-set TSET
match address ACL
crypto map CMAP
!
ip access-list extended ACL
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
!
interface GigabitEthernet1.11
crypto map CMAP
R4's configuration
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.10
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
crypto map CMAP 1 ipsec-isakmp
set peer 10.1.1.10
set transform-set TSET
match address ACL
crypto map CMAP
!
ip access-list extended ACL
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet1.24
encapsulation dot1Q 24
ip address 10.2.4.4 255.255.255.0
crypto map CMAP
Let's break down the crypto, access-list and crypto map configuration and understand what is happening. The "isakmp" policy is the "phase 1" portion of the VPN. It is configured identically on each VPN endpoint, and those settings are used to prove that the endpoints are who they say they are; this is essentially the "control plane" for the VPN. The ISAKMP policy lists the "policies" each endpoint must agree on, and if no agreement is found, Phase 1 fails. The "isakmp key" is the pre-shared secret both VPN peers hold and use to authenticate each other: "key cisco" is the secret itself, and the address is the remote end of the VPN.
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.10
This portion is the "phase 2" part of the crypto configuration, or the data plane. It identifies the encryption protocol used to protect the data.
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
The access-list called ACL is also referred to as the "proxy ACL", which basically means that any traffic matched by this ACL will be encrypted and sent over the VPN. It is required in order to match interesting traffic; it is a data-plane filter. The remote end swaps the source and destination, so 192.168.4.0/24 and 192.168.1.0/24 are reversed so that return traffic is matched appropriately.
ip access-list extended ACL
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
The crypto map is what "glues" all of this together. It is identified by ipsec-isakmp, sets the remote VPN peer, identifies the encryption protocol (the transform set) and uses the ACL to identify which traffic is to be encrypted.
crypto map CMAP 1 ipsec-isakmp
set peer 10.1.1.10
set transform-set TSET
match address ACL
Now we have to apply the crypto map to the outgoing interface. A crypto map can be applied to many outside interfaces; in this case only one is needed. Once it is applied, a syslog message is generated indicating that ISAKMP is now enabled.
interface GigabitEthernet1.24
crypto map CMAP
R4(config-subif)#crypto map CMAP
R4(config-subif)#exit
R4(config)#i
.Jul 24 01:05:17.161: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
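Everything the walkthrough above says must line up between the two routers (matching phase 1 policy, matching transform set, a pre-shared key whose address is the crypto map peer, and a proxy ACL that is the mirror image of the remote one) can be checked before the tunnel is ever brought up. The following is an added example, not code from the original post: it parses constructed copies of the R1 and R4 snippets above and lists each mismatch that would stop Phase 1, Phase 2 or proxy-ACL matching.

```python
# Constructed configs modelled on the R1 and R4 snippets above, trimmed to the lines the check reads.
R1 = """\
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.2.4.4
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto map CMAP 1 ipsec-isakmp
 set peer 10.2.4.4
ip access-list extended ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
# R4 mirrors R1: swap the peer address and reverse the proxy ACL, as the page's R4 config does.
R4 = R1.replace("10.2.4.4", "10.1.1.10").replace(
    "192.168.1.0 0.0.0.255 192.168.4.0", "192.168.4.0 0.0.0.255 192.168.1.0")

def parse(cfg):
    """Extract the phase 1 policy, PSK peer, transform set, map peer and proxy ACL entries."""
    p = {"policy": {}, "acl": set(), "transform": (), "key_peer": None, "map_peer": None}
    for raw in cfg.splitlines():
        words = raw.split()
        if words and words[0] in ("encr", "hash", "authentication", "group"):
            p["policy"][words[0]] = words[1]          # phase 1 attributes that must agree
        elif raw.startswith("crypto isakmp key "):
            p["key_peer"] = words[-1]                 # address the PSK is bound to
        elif raw.startswith("crypto ipsec transform-set "):
            p["transform"] = tuple(words[4:])         # phase 2 protocols
        elif words[:2] == ["set", "peer"]:
            p["map_peer"] = words[2]
        elif words[:2] == ["permit", "ip"]:
            p["acl"].add(tuple(words[2:6]))           # (src, src-wc, dst, dst-wc)
    return p

def check_pair(a, b):
    """List the mismatches that would break phase 1, phase 2 or proxy-ACL matching."""
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("isakmp policy attributes differ: phase 1 will not agree")
    if a["transform"] != b["transform"]:
        problems.append("transform-sets differ: phase 2 will not agree")
    for side in (a, b):
        if side["key_peer"] != side["map_peer"]:
            problems.append("isakmp key address does not match the crypto map peer")
    # The remote proxy ACL must be the local one with source and destination swapped.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}
    if a["acl"] != mirrored:
        problems.append("proxy ACLs are not mirror images: return traffic will not match")
    return problems
```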
Now, the reason you have read this far: is it actually working? Here is how to verify Phase 1 and Phase 2. The Phase 1 output shows that R1 and R4 have an active "QM_IDLE" connection, QM being Quick Mode: the ISAKMP SA is authenticated and can be used for subsequent Quick Mode (Phase 2) exchanges. This indicates that the bidirectional ISAKMP connection is up and the VPN endpoints have successfully authenticated each other.
Phase 1
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.1.10 10.2.4.4 QM_IDLE 1004 ACTIVE
Phase 2 is the actual data plane. The lines to look for are the #pkts encrypt and #pkts decrypt counters; both incrementing indicates that the two unidirectional SAs are sending and receiving traffic.
Phase 2
R4#show crypto ipsec sa
interface: GigabitEthernet1.24
Crypto map tag: CMAP, local addr 10.2.4.4
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.1.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 259105, #pkts encrypt: 259105, #pkts digest: 259105
#pkts decaps: 244184, #pkts decrypt: 244184, #pkts verify: 244184
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.2.4.4, remote crypto endpt.: 10.1.1.10
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.24
current outbound spi: 0x14644456(342115414)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x9935538F(2570408847)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2047, flow_id: CSR:47, sibling_flags FFFFFFFF80000048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607554/1027)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x14644456(342115414)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2048, flow_id: CSR:48, sibling_flags FFFFFFFF80000048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607309/1027)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Proof from the Windows 7 VMs
This is from Sec-PC1 RDPd into Sec-PC4 where Sec-PC4 is pinging Sec-PC1 repeatedly.
This is from Sec-PC1 ping Sec-PC4 repeatedly.
Thanks for stopping by!
Rob Riker, CCIE #50693, CCNA Security
Sunday, February 5, 2017
CCIE SPv4 - MPLS Traffic Engineering - Directing Traffic to the TE Tunnel - Static Routing
Software versions:
IOS XE 15.5
IOS XR 5.3
The topology for this demo:
In this post, we will begin taking customer traffic and mapping it to the TE tunnel. There are several options available, so we'll take the first option, which you have seen in previous posts: static routing. It is super simple to implement and relatively easy to verify, and we'll take a look at both IOS and IOS XR for all of our examples.
Static routing for TE tunnels is the simplest option: effectively you are telling the TE headend how to reach the remote PE. R3 will be sending traffic to XR1; remember that TE tunnels are unidirectional in nature. I am reusing TE tunnels from previous posts in this and future ones, so I won't focus on tunnel creation but on steering traffic over the tunnel. The tunnel we want to use is up and operational.
mpls traffic-eng lsp attributes DUAL_COLOR
affinity 0x11 mask 0x11
interface Tunnel3
ip unnumbered Loopback0
tunnel mode mpls traffic-eng
tunnel destination 192.168.1.11
tunnel mpls traffic-eng path-option 3 dynamic attributes DUAL_COLOR
ip route 192.168.1.13 255.255.255.255 Tunnel3
R3#show mpls traffic-eng tunnels tunnel 3
Name: R3_t3 (Tunnel3) Destination: 192.168.1.11
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 3, type dynamic (Basis for Setup, path weight 2)
!
RSVP Path Info:
My Address: 10.14.3.3
Explicit Route: 10.14.3.14 10.11.14.14 10.11.14.11 192.168.1.11
As we can see, the tunnel is up and working, pointing to XR1 in this case.
R3#sh ip route 192.168.1.11
Routing entry for 192.168.1.11/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
directly connected, via Tunnel3
Route metric is 0, traffic share count is 1
Since we have configured a static route to steer traffic over the TE tunnel, we have an exit interface of Tunnel 3.
R3#sh ip cef 192.168.1.11 detail
192.168.1.11/32, epoch 2, flags [attached], per-destination sharing
local label info: global/30
3 RR sources [non-eos indirection, heavily shared]
attached to Tunnel3
We see that the CEF table has allocated a global label of 30 and an exit of Tunnel3.
R3#sh mpls forwarding-table labels 30 detail
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
30 Pop Label 192.168.1.11/32 0 Tu3 point2point
MAC/Encaps=18/22, MRU=1500, Label Stack{24011}, via Gi1.143
000C29769933000C290626448100008F8847 05DCB000
No output feature configured
Per-destination load-sharing, slots: 0 2 4 6 8 10 12 14
The transport label we'll use is 24011 to get to XR4. We'll do an MPLS traceroute to see if the core is correct.
R3#traceroute mpls traffic-eng tunnel 3
Type escape sequence to abort.
0 10.14.3.3 MRU 1500 [Labels: 24011 Exp: 0]
L 1 10.14.3.14 MRU 1500 [Labels: implicit-null Exp: 0] 9 ms
! 2 10.11.14.11 8 ms
The core trace looks good. Let's verify from R8 to R12.
R8#sh ip route vrf BGP 12.12.12.12
Routing Table: BGP
Routing entry for 12.12.12.12/32
Known via "bgp 8", distance 20, metric 0
Tag 50693, type external
Last update from 83.0.0.3 00:00:12 ago
Routing Descriptor Blocks:
* 83.0.0.3, from 83.0.0.3, 00:00:12 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 50693
MPLS label: none
We can see that normal BGP route propagation is working as expected. We see a route to R12's lo12121212 in R8's VRF BGP RIB.
R8#traceroute vrf BGP 12.12.12.12 source 8.8.8.8
Type escape sequence to abort.
Tracing the route to 12.12.12.12
VRF info: (vrf in name/id, vrf out name/id)
1 83.0.0.3 3 msec 1 msec 0 msec
2 10.14.3.14 [MPLS: Labels 24011/24027 Exp 0] 8 msec 5 msec 6 msec
3 10.11.14.11 [MPLS: Label 24027 Exp 0] 5 msec 17 msec 20 msec
4 112.0.0.12 24 msec * 10 msec
Seeing label 24011 as the transport label shows us that the TE tunnel is being used.
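The verification above is a manual correlation: the Label Stack in the headend's LFIB entry for the tunnel (24011) must show up as the outer label at the first MPLS hop of the customer traceroute. The following is an added example (not from the original post) that performs that correlation on constructed copies of R3's LFIB entry and R8's VRF traceroute; the output formats are assumed to match the IOS XE output shown above.

```python
import re

# Constructed output modelled on R3's LFIB entry for label 30 and R8's VRF traceroute above.
LFIB = """\
30 Pop Label 192.168.1.11/32 0 Tu3 point2point
 MAC/Encaps=18/22, MRU=1500, Label Stack{24011}, via Gi1.143
"""
TRACE = """\
 1 83.0.0.3 3 msec 1 msec 0 msec
 2 10.14.3.14 [MPLS: Labels 24011/24027 Exp 0] 8 msec 5 msec 6 msec
 3 10.11.14.11 [MPLS: Label 24027 Exp 0] 5 msec 17 msec 20 msec
 4 112.0.0.12 24 msec * 10 msec
"""

# hop number, hop address, optional "[MPLS: Labels a/b Exp n]" block (outer label first)
HOP_RE = re.compile(r"\s*(\d+)\s+(\S+)(?:.*\[MPLS: Labels? ([\d/]+) Exp \d+\])?")

def tunnel_transport_label(lfib):
    """Return (outgoing physical interface, label stack) from the TE tunnel's LFIB entry."""
    m = re.search(r"Label Stack\{([\d ]+)\}, via (\S+)", lfib)
    if not m:
        raise ValueError("no label stack found in LFIB output")
    return m[2], [int(x) for x in m[1].split()]

def trace_labels(trace):
    """Map hop number -> (router address, [labels]) for every traceroute hop."""
    hops = {}
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if m:
            labels = [int(x) for x in m[3].split("/")] if m[3] else []
            hops[int(m[1])] = (m[2], labels)
    return hops

def uses_te_tunnel(lfib, trace):
    """True when some hop carries the tunnel's transport label as its outer label."""
    transport = tunnel_transport_label(lfib)[1][0]
    return any(labels and labels[0] == transport for _, labels in trace_labels(trace).values())
```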
Thanks for stopping by!
Rob Riker, CCIE #50693