Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

IS-IS tuning

Written by Arnaud

Here is a sample IS-IS configuration for Cisco routers. This example is a level-2-only area (comparable to the backbone area 0 in OSPF).

Note: loopback addresses are (or should be) always configured with a /32 netmask.
It's good practice to dedicate a contiguous range to all your loopback addresses; most of the time this range is the first one of your supernet (i.e. your "big" network allocation), or the one containing a zero.

Let's begin by creating a loopback interface and announcing its IP in IS-IS (in this example we use the first /24 of our "big" range for loopbacks):

interface Loopback100
 ip address 10.0.0.1 255.255.255.255
 ip router isis

We configure the physical interface, announce the connected range in IS-IS and lower the hello interval to 1 second:

interface gi0/0/0
 ip address 10.10.10.8 255.255.255.252
 ip router isis
 isis network point-to-point
 isis metric 20 level-2
 isis hello-interval 1

And finally the configuration of the protocol itself:
router isis
 log-adjacency-changes
 no hello padding
 spf-interval 1 1 100
 lsp-gen-interval 1 1 100
 is-type level-2-only
 metric-style wide level-2
 net 49.0000.0000.0008.00
 passive-interface loopback 100

Each node in IS-IS must have a different "net" (its identifier); it's good practice to begin it with 49 and end it with 00 (see the links below).
It is really important to lower spf-interval to get faster convergence (~1 s); lsp-gen-interval helps too, but only a little compared to spf-interval.
Padding is useless (come on, MTU 9000 for everybody!), so we disable it. And we never need to generate hello packets on the loopback interface, hence the passive-interface.
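Added example (my code, not from the post): a small Python checker for the "net" rules above. It splits a NET into area, system ID and NSEL, flags an AFI other than 49 or an NSEL other than 00, and finds system IDs shared by two routers. The router names and NETs are constructed, and the loopback-derived system ID helper is a common convention that the post itself does not use.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: one NET per router, as configured with "net ..." under "router isis".
# rtr-c reuses rtr-a's system ID, which is the misconfiguration the check should catch.
ROUTER_NETS = {
    "rtr-a": "49.0000.0000.0008.00",
    "rtr-b": "49.0000.0000.0009.00",
    "rtr-c": "49.0000.0000.0008.00",
}

# NET = area (AFI byte plus zero or more 4-hex-digit groups) . system ID (3 x 4 hex) . NSEL
NET_RE = re.compile(
    r"^(?P<area>[0-9a-f]{2}(?:\.[0-9a-f]{4})*)"
    r"\.(?P<sysid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\.(?P<nsel>[0-9a-f]{2})$", re.I)

def parse_net(net):
    """Split a NET into (area, system_id, nsel); raise ValueError if malformed."""
    m = NET_RE.match(net.strip())
    if not m:
        raise ValueError(f"malformed NET: {net!r}")
    return m.group("area").lower(), m.group("sysid").lower(), m.group("nsel").lower()

def check_net(net):
    """Return the list of problems with one NET (empty means it follows the post's advice)."""
    area, _sysid, nsel = parse_net(net)
    problems = []
    if not area.startswith("49"):
        problems.append("AFI is not 49 (the private, locally administered AFI)")
    if nsel != "00":
        problems.append("NSEL is not 00 (a router's NET must end with 00)")
    return problems

def duplicate_system_ids(nets):
    """Map each system ID shared by more than one router to the routers using it."""
    owners = {}
    for router, net in nets.items():
        owners.setdefault(parse_net(net)[1], []).append(router)
    return {sysid: routers for sysid, routers in owners.items() if len(routers) > 1}

def system_id_from_loopback(ip):
    """Widely used convention (an assumption, not what the post does): derive the system ID
    from the loopback address by zero-padding each octet, e.g. 10.0.0.1 -> 0100.0000.0001."""
    digits = "".join(f"{octet:03d}" for octet in IPv4Address(ip).packed)
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"
```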

Here are a few commands that are really important for troubleshooting:
sh isis neighbors
sh isis database
sh isis topology
sh ip route isis

And if you need to announce/originate a default route (make sure your router actually knows how to reach "THE Internet", otherwise you have just created a blackhole):
router isis
 default-information originate always

I definitely recommend reading:
https://rekrowten.wordpress.com/2014/01/27/learn-is-is-spf-prc-and-lsp-timers-optimisation-part-17/
and, if you have a lot of time and some Juniper knowledge, this wonderful post:
https://inetzero.com/isis-training-and-junos-configuratio/


Switch CAM, TCAM and SDM

Written by Arnaud

Cisco Catalyst switches use CAM and TCAM to store MAC addresses, ACL and QoS tables in order to achieve wire-speed switching: they are ASICs that search the entire memory in one operation.

The CAM (Content Addressable Memory) stores MAC addresses, VLANs and port assignments. During a lookup, the CAM returns the address where the data is stored (the inverse of regular RAM). It is used on L2 switches.
The TCAM (Ternary Content Addressable Memory) is used on L3 switches to store the routing table (it also stores ACL and QoS information). During a lookup, the key is a network and mask, and the result can be a next hop, or an action (permit or deny) for an ACL.

A very well explained and detailed post: https://supportforums.cisco.com/document/60831/cam-vs-tcam

To see the CAM and its usage (these commands were used on a 3750):

show mac address-table dynamic
show mac address-table count

To see TCAM usage :

show platform tcam utilization 

To see routes that couldn't be inserted into the TCAM:

show platform ip unicast counts

To view the number of route entries for each protocol :

show ip route summary


If you find a high number of prefixes not in the TCAM together with a high TCAM usage, you should consider changing the SDM (Switch Database Management) template.

To see the currently used SDM template:

show sdm prefer

To see another SDM template:

show sdm prefer dual-ipv4-and-ipv6 routing

To apply a new SDM template (it only takes effect after the reload):

conf t
 sdm prefer dual-ipv4-and-ipv6 routing
reload

In the worst case, when the TCAM is full, "ip cef" is deactivated and switching is done by the CPU.
To see CPU usage:
show processes cpu history
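Added example, not part of the post: a Python parser for the output of "show platform tcam utilization" that turns each region into mask and value utilization percentages and applies the rule of thumb above (high route-region usage plus prefixes that did not fit means look at another SDM template). The sample output is constructed in the layout of a 3750, and the function names are mine.

```python
import re

# Constructed sample in the layout of "show platform tcam utilization" on a 3750
# (column widths are illustrative; the parser keys on the max/max and used/used pairs).
SAMPLE_TCAM = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       784/6272        21/82
 IPv4 IGMP groups + multicast routes:         144/1152        6/26
 IPv4 unicast directly-connected routes:      784/6272        21/82
 IPv4 unicast indirectly-connected routes:    272/2176        270/2150
 IPv4 policy based routing aces:               0/0             0/0
 IPv4 qos aces:                               768/768         37/37
 IPv4 security aces:                          1024/1024       8/8
"""

ROW_RE = re.compile(
    r"^\s*(?P<name>[^:]+):\s+(?P<max_m>\d+)/(?P<max_v>\d+)\s+(?P<used_m>\d+)/(?P<used_v>\d+)\s*$")

def pct(used, maximum):
    """Utilization in percent; a region with no capacity at all (0/0) is reported as 0."""
    return round(100.0 * used / maximum, 1) if maximum else 0.0

def parse_tcam_utilization(text):
    """Return {region: {"masks": pct, "values": pct}} for every TCAM region in the output."""
    usage = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            usage[m.group("name").strip()] = {
                "masks": pct(int(m.group("used_m")), int(m.group("max_m"))),
                "values": pct(int(m.group("used_v")), int(m.group("max_v"))),
            }
    return usage

def regions_over(text, threshold=90.0):
    """Regions whose mask OR value utilization exceeds the threshold.
    Masks are checked too: a region can run out of masks well before it runs out of values."""
    return sorted(name for name, u in parse_tcam_utilization(text).items()
                  if u["masks"] > threshold or u["values"] > threshold)

def sdm_change_advised(tcam_text, prefixes_not_in_tcam, threshold=90.0):
    """The post's rule of thumb: a hot route region plus prefixes that did not fit
    (the count from "show platform ip unicast counts") means look at another SDM template."""
    hot = regions_over(tcam_text, threshold)
    return prefixes_not_in_tcam > 0 and any("routes" in region for region in hot)
```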

CEF (Cisco Express Forwarding) is a forwarding model in which all routing information is put into the FIB (Forwarding Information Base). The FIB stores IP routing information (prefixes and next hops); in addition to the FIB, CEF uses adjacency tables to store Layer 2 addressing information.


Sources: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/... and http://www.ciscopress.com/articles/article.asp?p=425816&seqNum=2


L2 ACL / MAC ACL vs Port Security

Written by Arnaud

Cisco devices can filter MAC addresses inbound with port security or with ACLs, but remember that ACLs are checked in hardware by the ASICs on the ports, whereas port security is checked in software (and can cause big trouble in restrict/protect mode when many violations occur):

---Port-security on cat 6500---

In this example we allow 100 MAC addresses on this trunk port, but only 2 specific MACs on VLAN 4 (interface config mode):

 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 2 vlan 4
 switchport port-security mac-address 0000.1111.2222 vlan 4
 switchport port-security mac-address 0000.1111.3333 vlan 4

By default, if the maximum number of MAC addresses is reached, the port is shut down; you can automatically re-enable the port after a period of time with (global config mode):
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

You can also choose other actions when a port violation occurs (interface config mode):

switchport port-security violation { protect | restrict | shutdown }
protect : Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict : Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown : Shuts down the port if there is a security violation.

---MAC ACL on Cat6500---
We have to define the MAC ACL first; as you can see, we can match per VLAN (global config mode):

mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any 

NB: MAC filtering can match on many protocols/options.

And apply it on the interface:
 mac access-group MY-ACL in


Enable SSH && disable telnet

Written by Arnaud

Telnet is "bad". This is how to enable SSH and disable telnet login; by the way, we only want SSH v2, as v1 is vulnerable to several attacks.
When asked, choose at least 1024 bits for the key.

hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
 transport input ssh

Remember to add an ACL; this is always a good thing:

access-list 99 permit 192.0.2.0 0.0.0.255
ipv6 access-list ACL-RESTRICTED-IN
 permit ipv6 2001:db8::/32 any

line vty 0 15
 access-class 99 in
 ipv6 access-class ACL-RESTRICTED-IN in

When you create your ACL, remember it's even better to only accept logins from your own network.

Source, with a nice explanation of the banners: http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/...

Oh, by the way: if you use clogin/rancid to log into your equipment, make sure your MOTD does not contain any '#', or the auto-enable won't work...
I told you: MOTD (with #) + SSH + clogin = no auto-enable.
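Added example (my code, not the post's): a small Python audit of an IOS config against the checklist of this post, i.e. "ip ssh version 2" present, ssh-only transport on every vty, an access-class on every vty, and no '#' in the MOTD because of the clogin problem above. The config excerpt and the function names are constructed for the example.

```python
# Constructed IOS config excerpt (not from a real device): vty 5-15 still accepts telnet
# and has no access-class, and the MOTD contains a '#', which breaks clogin's auto-enable.
SAMPLE_CONFIG = """\
ip domain-name mydomain.tld
banner motd ^C
Authorized access only - ref ticket #1234
^C
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 99 in
line vty 5 15
 transport input telnet ssh
"""

def parse_ios(config):
    """Tiny IOS parser: top-level commands, 'line vty' sections with their sub-commands,
    and banners (text between the delimiter on the 'banner' line and its repetition)."""
    lines, top, vtys, banners, i = config.splitlines(), [], {}, {}, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("banner "):
            kind, delim, body = line.split()[1], line.split()[2], []
            i += 1
            while i < len(lines) and delim not in lines[i]:
                body.append(lines[i]); i += 1
            banners[kind] = "\n".join(body)        # i now sits on the closing delimiter
        elif line.startswith("line vty"):
            vtys[line], i = [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                vtys[line].append(lines[i].strip()); i += 1
            continue
        else:
            top.append(line.strip())
        i += 1
    return top, vtys, banners

def audit_vty(config):
    """Findings against the post's checklist; an empty list means the config passes."""
    top, vtys, banners = parse_ios(config)
    findings = []
    if "ip ssh version 2" not in top:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may still be negotiated")
    for name, subs in vtys.items():
        transports = [s.split()[2:] for s in subs if s.startswith("transport input")]
        if not transports or any(set(t) != {"ssh"} for t in transports):
            findings.append(f"{name}: transport input is not ssh-only")
        if not any(s.startswith("access-class ") for s in subs):
            findings.append(f"{name}: no access-class, logins accepted from any source")
    if "#" in banners.get("motd", ""):
        findings.append("banner motd: contains '#', clogin/rancid auto-enable will not work")
    return findings
```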


Vlan Shaping

Written by Arnaud

conf t
  mls qos

  class-map match-any vlan123
   match vlan 123

  policy-map ratelimit
   class vlan123
   ! police to 1 Gbit/s: traffic within the CIR is transmitted, excess is dropped
   police cir 1000000000
   conform-action transmit
   exceed-action drop

  int gi0/1
    service-policy input ratelimit

Limit user access (views)

Written by Arnaud

Restrict the ssh and telnet exec commands to privilege level 15 (admin):

privilege exec level 15 ssh
privilege exec level 15 telnet

Create a view for a user:

enable view
conf t
  parser view readonly
    secret 5 ???
    commands exec include show vlan
    commands exec include show
    exit
  username test view readonly password 0 ????

Sources:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html#wp1058080
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html#topic2


Configuring Netflow

Written by Arnaud

Old style:

interface Gi0/1
 ip flow ingress

ip flow-export source Gi0/2
ip flow-export destination 192.168.0.2 2055

New style:

interface Gi0/1
 ip route-cache flow sampled
 ip route-cache distributed

ip flow-export version 5
ip flow-export destination 192.168.0.2 2055
ip flow-sampling-mode packet-interval 100

Or even, with a sampler map:
flow-sampler-map SAMPLER
 mode random one-out-of 100

ip flow-export version 5
ip flow-export destination 192.168.0.2 2055

interface Gi0/1
 flow-sampler SAMPLER

Debug:
show ip flow sampling
sh ip flow export
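Added example, not from the post: a Python decoder for the NetFlow v5 datagrams that the configurations above export to 192.168.0.2:2055, including the sampling mode/interval header field that "ip flow-sampling-mode packet-interval 100" sets. The datagram is constructed in code, not captured from a router, and the function names are mine.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by up to 30 fixed 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Decode one v5 export datagram (what the collector on UDP 2055 receives)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    # sampling_interval field: top 2 bits = sampling mode, low 14 bits = 1-in-N interval
    mode, interval = samp >> 14, samp & 0x3FFF
    flows = []
    for n in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + n * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[13], "tcp_flags": f[12],
            "packets": f[5], "bytes": f[6],
            # with "packet-interval 100" each exported count stands for roughly 100x the traffic
            "est_bytes": f[6] * (interval or 1),
        })
    return {"sequence": seq, "sampling_mode": mode, "sampling_interval": interval, "flows": flows}

def build_sample_datagram():
    """Constructed export from a 1-in-100 packet-sampled exporter with two flows (not a capture)."""
    header = HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, (1 << 14) | 100)
    https = RECORD.pack(IPv4Address("10.0.0.1").packed, IPv4Address("192.0.2.10").packed,
                        bytes(4), 1, 2, 10, 1500, 1000, 2000, 40000, 443, 0, 0x18, 6, 0,
                        0, 0, 24, 24, 0)
    dns = RECORD.pack(IPv4Address("10.0.0.2").packed, IPv4Address("192.0.2.20").packed,
                      bytes(4), 1, 2, 3, 300, 1100, 1200, 53, 53, 0, 0, 17, 0,
                      0, 0, 24, 24, 0)
    return header + https + dns
```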


Logging

Written by Arnaud

You can check your logs in the buffer:

#show logging

By default the buffer is 4k (approx. 60 lines); you can change it with:

(config)#logging buffered 23456

Disable logging to the console:

(config)#no logging console

Exclude specific messages from the buffer (with a discriminator):

(config)#logging discriminator nologthr msg-body drops string_or_regexp_to_match 
(config)#logging buffered discriminator nologthr

To keep only notifications (level 5) and more important logs:

(config)#logging buffered 40960 notifications

Add a proper time format to your logs:
(config)#service timestamps log datetime localtime show-timezone

Log when someone fails (or succeeds) to log in:

(config)#login on-failure log
(config)#login on-success log