
Posts

Showing posts from 2009

Stateful NAT

Stateful NAT allows you to configure routers to synchronise their NAT tables. It is useful where you have redundant gateways and need traffic to keep flowing through the surviving router after a failover. The first thing to set up is the stateful NAT mapping ID, which determines how the routers exchange their NAT information. The synchronisation can run over either UDP or TCP. The redundancy name is referenced again in the HSRP configuration later.

ip nat stateful id 1
 redundancy HSRP_IN
  mapping-id 1
  as-queuing disable
  protocol udp

We now need to create the NAT and HSRP settings on the interfaces. NAT inside and outside are set as usual. Each HSRP group tracks the opposite interface so that its priority is reduced if that interface fails, triggering a failover.

interface FastEthernet0/0
 ip address 10.44.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby ip 10.44.0.1
 standby prio...

Shutting Cisco 3750 Stackwise ports

Today I came across a customer's 3750 switch stack which had a flapping StackWise link. The link was transitioning up/down around 3 times a second and causing massive issues with connectivity and EIGRP routing for the site. Previously I believed that I would need to physically remove the StackWise cable in order to restore service by shutting the flapping link. It seems it is possible to shut the StackWise port from the CLI, although it is done from enable mode rather than configure terminal. The command is:

Switch#switch 1 stack port 1 ?
  disable  Disable stack port
  enable   Enable stack port

The first number (1) is the switch number in the stack and the number after "port" is the StackWise port you want to shut. Make a note of which switch and port you shut, as it will not show up in the config or the show outputs, which could prove tricky when you want to re-enable it. You can determine the status of the ports using the command below but not how ...

Resilient VPN's - Part 1

I have been working on building a resilient VPN architecture for our monitoring network. One of the stipulations was that it was not to use GRE tunnels and must be capable of terminating at any number of peer VPN devices on the customer's network. Routing must work automatically, with no manual intervention required. The problem with plain IPsec tunnels is that first you need some way of knowing whether the tunnel is up. Then you have to adjust the routing on the customer side so that traffic destined for your network exits their network via the router with the currently active IPsec tunnel. This is not an easy task, and it has taken a while to come up with some workable designs to deploy. I have settled on IPsec HA in our datacentre and reverse route injection (RRI) on the customer network to push our subnets into their dynamic routing protocol. I will go through the RRI solution in the next post; for now let's have a look at the IPsec HA configuration. IPSEC HA is available on the ...

WOL over the Internet

If, like me, you have ever wanted to wake up your computers at home from a remote location to grab some files or start some tasks off, then you need Wake on LAN. This technology has been around for a while and basically allows a computer to wake up when it receives a special UDP packet (the "magic packet") which contains six 0xFF bytes followed by 16 copies of its MAC address. Do a search on Wikipedia if you want to learn more about how the technology works. You will also have to ensure that your PC is capable of using WOL and that your OS is set up to allow it. We need some way of broadcasting the WOL packet onto the LAN from the internet. Firstly, add the ip directed-broadcast command to the LAN interface to which your PC is connected. This allows the router to "explode" a unicast packet into a broadcast on your LAN. Directed broadcasts are disabled by default precisely because they let an outsider turn one unicast packet into a LAN-wide broadcast (the classic smurf amplification), so use the command's optional access-list argument to permit only the WOL port from sources you trust rather than enabling it unconditionally. We now need to create a static NAT which will convert your packet from the internet into a broadcast address on the LAN. In this case we are using port 7, but you could use any port of your choice for this. ...
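The packet format described above, as an added example that is not the post's own code: it builds the magic packet, checks a payload the way a NIC does (sync stream followed by 16 identical MAC copies, anywhere in the datagram), works out the directed-broadcast address the router will explode, and can send the packet to the router's public address so the static NAT forwards it. The MAC address, LAN subnet and router address are constructed placeholders, not values from the post.

```python
"""Build, verify and optionally send a Wake-on-LAN magic packet.

Added example, not the original post's code. The MAC address, LAN subnet
and router address used below are made-up illustrations.
"""
import ipaddress
import re
import socket

SYNC = b"\xff" * 6  # the six-byte synchronisation stream that precedes the MAC copies


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or Cisco-style 0011.2233.4455."""
    hexdigits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str) -> bytes:
    """6 bytes of 0xFF followed by the target MAC repeated 16 times: 102 bytes."""
    return SYNC + mac_to_bytes(mac) * 16


def extract_wake_target(payload: bytes):
    """Do what the NIC does: find the sync stream anywhere in the payload and
    require 16 identical MAC copies right after it. Returns the MAC or None."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6 : start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None


def directed_broadcast(lan: str) -> str:
    """The address the router 'explodes' once ip directed-broadcast is enabled."""
    return str(ipaddress.ip_network(lan, strict=False).broadcast_address)


def send_wol(mac: str, target: str, port: int = 7) -> int:
    """Send the packet to `target`: the LAN broadcast address when on the LAN,
    or the router's public address when the static NAT does the translation.
    Returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (target, port))


if __name__ == "__main__":
    example_mac = "00:11:22:33:44:55"          # constructed example MAC
    pkt = build_magic_packet(example_mac)
    print(len(pkt), extract_wake_target(pkt))   # 102 00:11:22:33:44:55
    print(directed_broadcast("192.168.1.10/24"))  # 192.168.1.255
    # send_wol(example_mac, "203.0.113.1", 7)   # hypothetical router public address
```

The verifier function is the interesting half: a NIC does not care what else is in the datagram, so any UDP payload reaching the host that embeds the 102-byte pattern wakes it. That is why the router-side exposure should be limited to one port and trusted sources rather than a blanket directed-broadcast.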

Moving the SSH port on a CISCO router

If you admin your routers over the internet you probably know you should be using SSH. Telnet is sent in clear text and is easily sniffed, and your passwords captured. However, Cisco routers use the standard TCP port 22 for their SSH service. As soon as you open this up to the world and turn on SSH access logging you will start to see hundreds of IPs connecting to your device and running dictionary attacks against you using standard username and password combinations. The majority of these IPs seem to originate from China or Russia, and they find your open port extremely quickly. This is very annoying: it fills up your log files with these attacks and uses up system resources dealing with them. I believe they are simply running scans for any open TCP port 22. For this reason I decided I could cut down the number of attacks by moving the SSH port to a different number. Bear in mind that this only reduces the noise from untargeted scanners; it is not a substitute for restricting the vty lines to your management addresses with an access-class and using strong credentials. One thing you should know before we start is that there is no way to actually change the SSH port number o...

XBOX Live with Cisco NAT

When you connect your XBOX 360 to XBOX Live through a Cisco router you are likely to be told that your NAT type is strict. This is because Cisco routers do not support UPnP like most home routers. To resolve this you will need to configure your router to allow certain ports through and create some static NAT entries. Whilst a lot of games will work quite happily with NAT type strict, you will notice that finding other players for multiplayer matches is very slow. Gears of War 2, however, will simply never find any other players if you have NAT type strict. There are 3 important ports needed for XBOX Live: TCP 3074 (used to connect to XBOX Live and transfer data, i.e. marketplace downloads, new content etc.), UDP 3074, which is used for delay-sensitive traffic (multiplayer game sessions use this port), and UDP 88, which is used for Kerberos (this is how you authenticate to the Microsoft XBOX Live servers). The first thing you need to do is to create a static NAT...

Top Talkers

Ever had slow WAN links and wanted to see exactly who was using up the bandwidth? What you need is the Top Talkers feature. You will first need to turn on NetFlow on the interface in question, like so:

interface serial 0/0
 ip flow egress
 ip flow ingress

Then we enable the top talkers feature:

ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000

The top command defines how many flows you want in the list; in this case we will display the top 20 flows. The sort-by command determines how the flows are ordered. The choices are either bytes or packets. Generally bytes is more useful, as it puts the heaviest flows at the top. Sorting by packets can instead help reveal a host that is sending a lot of small packets. The last command, cache-timeout, specifies how long (in milliseconds; 3600000 is one hour) the list of top talkers remains before being recalculated. The shorter the period, the more system resources it uses. Once you have this configured you can view the top talker list by ...

Setup Netflow Collectors

NetFlow is a great feature which provides detailed information on connection flows passing through your router or switch. You can use the data raw from the IOS CLI or export it to a NetFlow collector for graphing and analysis. There are many free software packages out there for this, and a Google search will point you in the right direction. To get NetFlow up and running you first need to configure the interfaces you want to get the flow data from:

interface serial0/0
 ip flow egress
 ip flow ingress

The egress command turns on NetFlow for transmitted data, whilst ingress covers data arriving on the interface. (On older IOS versions, ip flow ingress was turned on with the command ip route-cache flow.) Now we can configure the NetFlow collector we wish to export the data to:

ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination x.x.x.x 9996

The first command specifies the interface the NetFlow data will be sourced from. NetFlow export is plain UDP with no authentication or encryption, so send it across a management network where possible and have the collector accept port 9996 only from your exporters' source addresses. In this case we are using a loopback int...
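A minimal collector for the version 5 export configured above, added here as an example that is not the post's code or any particular NetFlow package; it also produces the bytes/packets ranking that the Top Talkers post describes, so it serves both posts. It parses the v5 header and 48-byte records, aggregates flows per 5-tuple and ranks them by bytes or packets. The datagram it parses is constructed inline from made-up flows; the listening port 9996 is the one from the post, and the exporter addresses are placeholders.

```python
"""Minimal NetFlow v5 collector with a top-talkers ranking.

Added example, not the original post's code. The flows in SAMPLE are
constructed for the demonstration.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
HEADER = struct.Struct("!HHIIIIBBH")
# v5 record: src, dst, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes).
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram: bytes):
    """Return a list of flow dicts from one export datagram; reject anything
    that is not well-formed v5 so a malformed packet cannot skew the totals."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("count field does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def top_talkers(flows, top=20, sort_by="bytes"):
    """Aggregate by (src, dst, proto, sport, dport) and rank, mirroring the
    router's 'top N' and 'sort-by bytes|packets' settings."""
    if sort_by not in ("bytes", "packets"):
        raise ValueError("sort-by must be 'bytes' or 'packets'")
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["sport"], f["dport"])
        totals[key]["bytes"] += f["bytes"]
        totals[key]["packets"] += f["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1][sort_by], reverse=True)[:top]


def build_v5(records):
    """Construct an export datagram the way a router would (used for the sample)."""
    header = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                    1, 2, pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0,
                    0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in records)
    return header + body


# Constructed sample: (src, dst, proto, sport, dport, packets, bytes).
SAMPLE = build_v5([
    ("10.44.0.10", "198.51.100.5", 6, 51000, 443, 1200, 1_500_000),
    ("10.44.0.11", "198.51.100.9", 17, 5000, 514, 40000, 80_000),
    ("10.44.0.10", "198.51.100.5", 6, 51000, 443, 300, 400_000),
])


def serve(bind="0.0.0.0", port=9996, exporters=("10.44.0.1",)):
    """Listen like a collector; the export is unauthenticated UDP, so drop
    datagrams from anything that is not a known exporter address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            if peer not in exporters:
                continue
            for key, totals in top_talkers(parse_v5(data), top=20):
                print(key, totals)


if __name__ == "__main__":
    for key, totals in top_talkers(parse_v5(SAMPLE), top=20, sort_by="bytes"):
        print(key, totals)
```

Running the sample ranks the two HTTPS records from 10.44.0.10 first by bytes (they merge into one 1.9 MB entry), while sort_by="packets" promotes the syslog sender, which is exactly the small-packet case the Top Talkers post mentions. Note the source-address filter in serve(): because v5 has no authentication, anyone who can reach UDP 9996 can inject flows into your graphs.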

Blocking based on Time of Day Access-Lists

I came across an interesting problem the other day where someone had a 15 GB usage cap on their ADSL during the day but unlimited usage from midnight to 8am. Someone who lived in their house was partial to downloading large files, and they wanted to restrict that until the unlimited usage period. What was required was essentially a class map which matches on both the time of day and the protocols in use. I could then drop traffic by applying a policy-map to an interface. The first thing I did was to create a class-map which would match any of the peer-to-peer protocols, like so:

class-map match-any Peer2Peer
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
 match protocol winmx
 match protocol directconnect

Next I created a time range called OFFPEAK. I made the time range between 08:00 and 23:59, which is the period where the restrictions apply (time ranges are evaluated against the router's own clock, so make sure it is correct, ideally via NTP). time-range OFFPEA...