Date

Log

Lessons

12/13

Security configuration using TACACS+

1.        Installed and ran TACACS server in PC.

2.        Configured cisco router to use TACACS server for authenticating users(both console and vty) for the default class.

3.        Added a new user “venu” and password “vijai” in TACACS server

4.        Verified functionality by logging through both console and vty.

5.        That was the end of the very nice journey which I thoroughly enjoyed (no yawning in class)

Cisco configuration:

aaa new-model

aaa authentication login default tacacs+ enable

…

…

tacacs-server host 10.5.1.1

tacacs-server key eecs888

Effect of using “local” mode of authentication:

        When we donot have any authentication server configured we can use “local” authentication and configure additional users using “newuser” command in global mode.

12/11

Route Dampening in cisco:

G4’s router announces 10.4.0.0/16 its private network between its PC-zebra and cisco router(Ref topology)

G5’s cisco router(Matrix) receives the above route through EBGP session from G4’s router.

Matrix is configured to dampen the route 10.4.0.0

Functionality verified by flapping the G4’s router interface to 10.4.0.0/16 network and using flap statistics

Cisco configuration:

router bgp 65005

 no synchronization

 bgp dampening route-map DAMPENROUTE 

 redistribute connected

 neighbor EXTERNALPEERS peer-group

 neighbor EXTERNALPEERS password eecs888

 neighbor 10.5.1.1 remote-as 65005

 neighbor 10.100.48.2 remote-as 65008

 neighbor 10.100.48.2 peer-group EXTERNALPEERS

 neighbor 10.100.64.1 remote-as 65004

 neighbor 10.100.64.1 peer-group EXTERNALPEERS

 neighbor 10.100.80.2 remote-as 65007

 neighbor 10.100.80.2 peer-group EXTERNALPEERS

 no auto-summary

!

ip classless

!

access-list 50 permit 10.4.0.0 0.0.0.0

route-map DAMPENROUTE permit 10

 match ip address 50

 set dampening 15 1000 2000 45

1.        A default penalty of 1000 is added for every flap. 

2.        Maximum suppress duration should be greater than the half-time

12/6

Route Reflectors:

 Scenario:

Tested with routers in G4 and G5

Matrix is configured as RR and Fire, G4’s router, G4’s zebra configured as RR clients.

OSPF within AS65005 which included Matrix, Fire, G4’s cisco, G4’s zebra.

Client to client reflection is enabled.

Fire configured with static route 10.200.0.0/16 and is exported into BGP using network command

The route 10.200.0.0/16 gets into BGP tables of G4’s cisco and G4’s zebra.

(Test done with help from Group4)

Cisco configuration:

router bgp 65005

no synchronization

 redistribute connected

 neighbor CLUSTERPEERS peer-group

 neighbor CLUSTERPEERS remote-as 65005

 neighbor CLUSTERPEERS route-reflector-client

 neighbor 10.5.1.1 peer-group CLUSTERPEERS

 neighbor 10.100.64.1 peer-group CLUSTERPEERS

 neighbor 10.4.0.1 peer-group CLUSTERPEERS

 no auto-summary

Lessons:

No need to use a separate cluster-id.  The router-id itself will be taken as cluster-id.  It gives a consistent view of the router.

12/4

Policy Routing:

Scenario:

   Matrix has EBGP peering with G4, G7, G8’s ciscos

   Fire has EBGP peering with G7, G8’s zebras

   All Group4’s traffic to other groups should transit through Group5’s AS 65005 and enters Group5’s AS through Matrix.

Goal:

   Traffic from G4 to destinations in G7, G6’s AS should exit through Matrix (cisco)

   Traffic from G4 to destinations in G1, G2, G3, G8 should exit through Fire (zebra)

Solution:

   In Matrix on interface to Group4 configure policy routing to set appropriate nexthop.

Cisco configuration:

//only configuration stuff related to policy routing is logged here

interface Ethernet 3/1

 ip address 10.100.64.2 255.255.255.0

 no ip directed-broadcast

 ip policy route-map POLICYROUTE

…

…

access-list 10 permit 192.168.1.144 0.0.0.15

access-list 11 permit 192.168.1.64 0.0.0.15

access-list 12 permit 10.1.1.0 0.0.0.255

access-list 13 permit 10.2.1.0 0.0.0.255

access-list 20 permit 192.168.1.128 0.0.0.15

access-list 21 permit 192.168.1.112 0.0.0.15

!

route-map POLICYROUTE permit 10

 match ip address 10 11 12 13

 set ip next-hop 10.5.1.1

!

!

route-map POLICYROUTE permit 11

 match ip address 20 21

 set ip next-hop 10.100.48.2

!

Lessons:

Policy route configuration is pretty easier than it looks at first glance. 

Able to use source only map also.

11/27

Policy:

         Prefer defaults through Firewall

         Prefer local link for adjacent group’s internal network

         Prefer routes to non adjacent group’s internal networks through Firewall

         Use Cisco – Cisco connection as Primary, zebra-zebra connection as backup to reach adjacent groups networks for local link.

Solution:

1. Accept all routes from firewall and set LocalPref 500 for default and 50 for rest of the routes

Zebra router

2.  Accept default from adjacent AS’s and set LocalPref to 300 (so that default from firewall is preferred)

3. only routes originated by adjacent AS’s from the adjacent groups routers(AS path filter) and set Local_Pref of 300

Cisco router

4. Accept default from adjacent AS’s cisco and set LocalPref to 400(so that it is inferior to one from firewall but superior to default through zebra from adjacent group’s zebra)

5. Accept only routes originated by adjacent AS’s from adjacent groups cisco and set local_pref to 400(so that Cisco-Cisco connection will be primary)

Look at the Configs for zebra and cisco for above policy

Able to effectively implement the (primary/bkup, default/partial – with adjacent groups router) and (default preference – between firewall and adjacent groups router.)

11/22

<Thank Giving Break>

11/20

BGP Defaults

Receive default route 0/0 and set local-pref for route from 192.168.1.1(firewall) to 500 and from 10.100.80.2(Group 7’s router) to 100, and confirm functionality by verifying that default from firewall is accepted.

Configs:

Group5-PC-zebra BGPD:

….

neighbor 192.168.1.1 route-map DEFAULT in

….

access-list DEFACCESS permit 0.0.0.0/0 exact-match

!

route-map DEFAULT permit 10

 match ip address DEFACCESS

 set local-preference 500

Group5-Cisco-Router

….

neighbor EXTERNALPEERS route-map DEFAULTROUTE in

neighbor 10.100.80.2 peer-group EXTERNALPEERS

…..

access-list 21 permit 0.0.0.0

route-map DEFAULTROUTE permit 10

 match ip address 21

 set local-preference 100

!

route-map DEFAULTROUTE permit 11

 match ip address any

Observation:

Group5-Cisco-Router

*  0.0.0.0          10.100.80.2                   100      0 65007 65000 i

*>i                 192.168.1.1                   500      0 65000 i

LocalPref can be manipulated using route-maps on incoming bgp updates.

11/15

BGP aggregate-address summary-only

     Generate an aggregate for aggregating 10.100.64.0/24. 10.100.80.0/24, 10.100.96.0/24 as 10.100.64.0/18

aggregate-address 10.100.64.0 255.255.192.0 summary-only

      Confirmed functionality by checking the bgp table

*> 10.100.64.0/18   0.0.0.0                            32768 I

BGP aggregate-address with a more specific route

     Generate the same aggregate while allowing the more specific route of 10.100.80.0/24

access-list 10 deny   10.100.80.0 0.0.0.255

access-list 10 permit any

route-map LEAKSUM permit 10

 match ip address 10

aggregate-address 10.100.64.0 255.255.192.0 suppress-map LEAKSUM

      Confirmed functionality by checking bgp table

s  10.100.64.0/24   10.100.64.1              0             0        65004 i

s>                                   0.0.0.0                  0         32768   ?

*> 10.100.64.0/18     0.0.0.0                              32768   i

*  10.100.80.0/24   10.100.80.2             0             0        65007 i

*>                                0.0.0.0                    0         32768   ?

s> 10.100.96.0/24   10.100.80.2           0             0        65007 I

Set no-export community attribute in the above leaked route.

access-list 11 permit 10.100.80.0 0.0.0.255

route-map COMM-SET permit 10

 match ip address 11

 set community -34799596 no-export

route-map COMM-SET permit 11

 match ip address any

neighbor 10.100.48.2 send-community

neighbor 10.100.48.2 route-map COMM-SET out

     Confirmed functionality by checking bgp table in Router8, Router3

Router 8

BGP routing table entry for 10.100.80.0/24

    10.100.48.1 from 10.100.48.1 (10.100.80.1)

      Origin incomplete, metric 0, localpref 100, valid, external, best, ref 2

      Community: -34799596 no-export

Options with aggregate:

summary-only – advertises only the aggregate

suppress-map – to suppress a subset of specific routes which form the aggregate

advertise-map – to select a set of routes which form this aggregate

attribute-map – to modify attributes of the resulting aggregated route.

11/13

BGP access lists

      Set up the Local_Pref for updates originated by HeadEnd Firewall (192.168.1.0/28, 129.237.80.0/21)

ip as-path access-list 5 permit ^65000_

route-map FWPREFER permit 10

          match as-path 5

          set local-preference 400

neighbor 192.168.1.1 route-map FWPREFER in

1.        Local_pref can be set using BGP policy on any E-BGP routes received.

2.        Understood BGP decision process.

11/8

BGP access lists

       Understanding configuration of access lists.

       Objective to behave as transit AS only to adjacent Ass

1.        Configure access lists in G5-PC, G5-R so that both of them will accept updates with ASPATH length <= 1 with setting up rules on incoming BGP updates from each of the neighbors.

ip as-path access-list 3 permit ^6500.$

ip as-path access-list 4 deny ^.+$

route-map BGPACCEPT permit 10

            match as-path 3 4

neighbor 10.100.48.2 route-map BGPACCEPT in

2.        Confirmed right behavior by verifying that G3,2,1 are not reachable from G7.

1.        access-lists, prefix-lists are most fundamental form of address or information mathching

2.        One or more access lists can be tagged as a route-map rule

3.        Multiple route-maps go into a filter rule.

11/6

BGP configuration contind.

       Understanding synchronization (with IGP) problems

       Tested with (G5-PC ßIBGPà G5-R,  G5-R ßEBGPà G4-R)

      Objective was to get the route 10.4.0.0/16 announced by G4-R installed in G5-PC with

1.        synchronization disabled in bgp

2.        IGP enabled between I-BGP peers

3.        With static route for the NextHop in routing update.

OSPF testing to announce the external links to other AS through IGP (10.100.64.0/24)

1         BGP will not advertise a update received from I-BGP peer unless the nexthop address in the update can be reached via an update from IGP or a static route.

2         Though G5-PC has reachability information to reach 10.100.64.0/24 through I-BGP update, it cannot be used for NextHop resolution for another update received from I-BGP peer.

3         Discrepancy in cisco, zebra behavior.  In zebra I-BGP updates for connected routes from G5-R get installed in G5-PC.  In cisco the I-BGP update for connected routes from G5-PC doesn’t get installed in G5-R. 

4         For exporting DMZ links in the OSPF area

a.        Zebra:  just say redistribute connected and the link 192.168.1.0/28 will be exported as AS-External LSA.

b.       Cisco:  Need to specifically say that 10.100.64.0.24 is in Area 5.

c.        The behavior didn’t change even with Area ID 0.

11/2

BGP configuration contind.

        Configured IBGP peering between “Matrix” and “Fire”(G5’s PC)

        Stuck with problem of I-BGP peer not installing the routes learned from other I-BGP peer

        Stuck with another problem of not able to export BGP routes into OSPF and vice versa.

1.        I-BGP peer changes nexthop to an EBGP route when advertising to another I-BGP peer

2.        Siginificant difference between redistribute and network commands.

10/30

Learned about BGP configuration

        Configured “Matrix” as EBGP peer to Group4,7,8 Routers

        Enabled BGP MD5 authentication with the EBGP peers

1.        EBGP peers need to be directly connected(unless special configuration)

2.        Authentication:

a.        No authentication

b.       MD5 authentication

10/25

Learned about OSPF authentication

        Supported:

        simple password

        MD5 authenticaiton(auth 2)

Configuring OSPF costs:

Topology: 

       Four routers(Matrix, Fire, G4PC, G4Router) connected in a square in Area 4

       Matrix is ABR with one interface connecting to Area 0

       G8PC’s traffic for other areas pass through G4RouteràMatrix--> backbone 

       Changed cost of G4Router à Matrix to be 300

        Verified G4PC’s traffic to other areas pass through FireàMatrixàBackbone

1.        OSPF authentication mechanisms

a.        Message digest keyid table attached per interface

b.       send update with the youngest key

c.        If I dont have a entry with keyid then packets received with that keyid will be rejected

d.       Can have multiple of MD5 keys, but send with youngest key, and match any of the keys in the table for received packets.

e.        auth type 0-6 are the same(can work with another).

f.         Auth 7 doesnt seem to work with any other auth types.

2.        Configuring OSPF interface costs and its effects

10/23

Makeup Class:

Configured OSPF on all the interfaces and verified connectivity all the routers in the lab and head end firewall

Participated in discussion to device a AREA plan for OSPF configuration

Configured OSPF according to the plan and verified correctness through OSPF database

1.        Concept of Backbone area in OSPF

10/18

<FALL BREAK>

10/16

Participated in the process of configuring RIP authentication uniformly for the entire Lab.

Played around with various combinations of OSPF configuration between Fire and Matrix

Both in the same area

Each one in different area with same OSPF processes

Each in different area with separate OSPF processes.

1.        Concept of OSPF areas

10/11

Figured out why the effort to produce routing loop failed

RIPv2 sends triggered updates upon downing a directly connected interface.  So when G8’s interface connectivity to rest of the Lab routers is brought down G8 sends immediate triggered updates to Matrix and Fire.  So there was no chance for routing loop buildup

Got information from Group3 that Routing loops can be created by changing to RIPv1 and making Matrix to send Routing updates at a frequency larger than other two routers in the triangular topology.

The evil route 192.168.1.0/24 figured out to be because of enabling RIP autosummary in a subnet environment.

Configured OSPF between Matrix and Group4 and between Matrix and Fire.

Verified functionality by checking ospf database.

1.        Siginificance of “rip autosummary”

2.        Basic OSPF configuration

3.        OSPF rfc

10/09

Figured out lots of stuff in the weekend (to figure out why boot up failed)

Connection to G8 was down because G8 was misconfigured as 10BaseT instead of AUI (should have figured out earlier)

Understood the boot up sequence for cisco7200 (boot, bootLDR, IOS)

Initially tested with different version of IOS to check whether there is incompatibility between bootLDR and IOS versions.

Figured out Boot LDR image was not compatible with 7200. 

Upgraded the bootLDR image from the boot prompt.

Set environment variables BOOTLDR to the right bootldr image.

Configured RIP on all the router interfaces(pretty simple)

Checked connectivity by pinging to other groups routers.

Problem with evil route 192.168.1.0/24 originated by unknown originator. 

For some reason IOS12.0(8)S doest has command “sh ip rip”.  So wasn’t able to check RIP database.

Configured RIP authentication between Matrix and Fire and then between Matrix and Group8

Tried to create Routing Loop(by disabling Split Horizon) with 3 Routers (Matrix, Fire, G8’s router) in a triangle topology with G8 as the only entry point to rest of the network.  The test failed, couldn’t figure out the reason.

1.        Cisco 7200 boot sequence

2.        Configuration of cisco 7200

3.        “network” command in RIP

4.        RIP rfc

5.        Routing Loops in RIP

a.        Split Horizon

b.       Poisson reverse

c.        Triggered updates

6.        RIP authentication

10/04

Establish connectivity based on new topology(prepared “working” cross over cables for back to back router connectivity)(most time consuming job)

Lots of problems(seems to be):

Every time router bootsup after two failed attempts to load the boot loader

The connection with Group8 to their AUI port is always “down”.

1.        How to make Ethernet cables with RJ45 connectors.

10/02

Got new router Cisco7200 (from worst to best). 

Participated in discussion how to use the 192.168.x.x, 10.x.x.x space efficiently(no need for efficiency) and decided to use 192.168.x.x space for backbone Ethernet and 10.x.x.x space for connectivity between routers.

Adapt to the new wiring system in the lab

Adapt to the new topology

1.        What a difference between 4000 and 7200

2.        Address space planning

09/27

Played with Rip debugging of events and packets.

Also interesting to know that the RIP routes don’t go away that easily (learned to use “ip route delete *)

Got new ip addressing scheme.

1.        RIP timeout mechanism

09/25

Downloaded and installed zebra 0.92a in Fire.

Configured RIPv2 in Matrix and Fire.

Verified exchange of RIP updates between Matrix and Fire.

Planned to change the router (instead of going ahead and upgrading router memory)

1.        Zebra has separate control interface for each of the protocols and for the zebra process itself.

2.        Configuring RIP(Easiest configuration I have ever seen)

09/20

Lots of problem with IOS 9.1 image.

Configured Ethernet0 interface in Matrix and verified connectivity with Fire(PC).

Not able to get the serial interface connections to other groups working

Figured out that the serial interface module is not working

Installed additional flash memory (2 MB) to take total flash to 4MB

Tried installing 12.0 and figured out that Main memory size is only 4MB whereas requirement is 16MB

1.        How to install additional FLASH to cisco 4000 board

2.        Memory units in Cisco routers

3.        Interface configuration for Cisco routers.

09/18

Iptables implementation of NAT requires kernel > 2.4

Ipchains provide the same functionality (at minimal level) as Iptables.  Ipchains was available with 2.2.9 kernel

Assigned Private address space from 10.x.x.x domain for network between PC and Router.

Configured to translate address from 10.x.x.x(internal network) to 192.168.x.x(external) domain(backbone network) using Ipchains, and checked connectivity with Lab firewall from router.

1.        Settingup NAT

09/13

Continuing with IOS9.1

IOS9.1 doesn’t have

1.        console facility to move between command history

2.        NTP

3.        No IPv6 support

Configured the DNS server for the router to EECS DNS server 129.237.32.1

Divided the allocated address block 192.168.1.80/28 into 3 subblocks of

192.168.1.80/29 – Between (G5-PC, G5-Router)

192.168.1.88/30 – Between (G5-Router, G8 – Router)

192.168.1.92/30 – Between (G5-Router, G3 – Router)

1.        How hard is to work with older IOS image after seeing some one using the latest image

2.        Setting up the DNS server for router.

3.        Subnetting.

09/11

Change PC-Router connectivity through a crossover cable

Downloaded IOS 12 image to PC tftp server from gateway tftp server

Tried settingup IOS12.0 in Router.  Failed because of insufficient flash memory in Cisco 4000 (only 2MB)

Figured out that we can add 2MB additional Flash memory to the router.  Made order for Flash memory through Dr.Evans.

Enabled forwarding in PC and check connectivity from Router to Lab firewall.  Didn’t work because return path not configured in Lab gateway router.

Interesting part is we were able to figure out that the ARP requests are not related back since the Fire wall doesn’t know to whom the ARP request to be sent(using tcpdump on PC’s eth0 interface on backbone).

1.        Back to back Ethernet interfaces has to be connected using cross over cables

2.        Files can be copied in and out of Cisco Routers using TFTP server.

3.        Configuration Register settings

4.        Internals of a router (Main board, Router modules, Flash memories) Hardware.

5.        Concept of step by step debugging of connectivity failure in a LAN using tcpdumps and ARPs

09/06

Established connectivity between PC and Router(AUI port) through switch(substitute for cross over cable)

Setup TFTP server in PC

Got the configuration of router console working

Initial familiarity with router.

1.        AUI port

2.        Settingup TFTP server

3.        Router User Interface Levels

09/04

Verified PC connectivity to Lab Firewall(192.168.1.1) by pinging

Finished setup and control of router console from the host machine(using minicom)

1.        Setting up static route(route add)

2.        Configuring minicom

3.        (Speed 9600 bits per second, 8 databits, 0 parity bits, 1 stop bit, No Flow Control)

4.        The concept of  Router console.

08/28

Debian Linux installation

Debian Linux has very nice “apt-get” utility