Tuesday, March 28, 2017

MPLS L3VPN multihomed customer AS override




Topology description:
R3, R4 = provider routers / ISP core network [P]
R1, R5 = provider edge routers [PE]
R6, R7 = customer edge routers [CE]

MPLS runs across the ISP network, from the left-side PE through the P routers in the core to the right-side PE.

The ISP runs OSPF as its IGP, so the PEs' E0/1 interfaces, R3 and R4 all run OSPF to exchange routes.

iBGP runs between R1 and R5 to establish the MP-BGP (VPNv4) session that carries the VPN routes across the ISP's MPLS network.

The iBGP session is established between the Loopback interfaces of R1 and R5.

In this lab I used an eBGP session between the CE and PE routers.

On the PE side we have to configure a VRF toward the CE, since we may have more than one CE using the same IP ranges.
BGP configuration on the PE goes under address-family ipv4 vrf.
BGP configuration on the CE side is the normal kind, in the global routing table.

On the PE, redistribution is only needed when a protocol other than BGP runs between PE and CE;
since we are running eBGP [CE to PE] and iBGP [PE to PE], there is no need to redistribute anything.

On the customer edges [sites] we are running BGP with AS 250 on both CE routers.
When CE [left] sends prefixes to PE [left], the AS_PATH attribute carries AS 250. PE [left] sends the prefixes to PE [right], and PE [right] sends them on to CE [right]. CE [right] then finds its own AS number in the AS_PATH and treats the routes as a loop: BGP's loop-prevention mechanism is to drop any route whose AS_PATH contains the receiving router's own AS [default behaviour]. So what do we do in this case to make the two CE sites reach each other?

There are two ways to do that, plus a related mechanism for multihomed sites:
1. allowas-in  [configured on the CE routers to accept incoming routes that already contain the CE's own AS number]
2. as-override [configured on the PE toward the CE neighbor; the PE replaces the customer's AS number in the AS_PATH with its own AS number]
3. BGP Site of Origin [an extended community that tags routes with the site they came from, so a multihomed site does not accept its own routes back once the AS_PATH check has been relaxed]


Check the configuration below:

PE-LEFT#show run | section router bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 100
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpn
  neighbor 10.0.17.7 remote-as 250
  neighbor 10.0.17.7 activate
  neighbor 10.0.17.7 as-override
 exit-address-family
=========================================

The same goes for the right-side PE:
PE-RIGHT# show run | section router bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpn
  neighbor 10.0.56.6 remote-as 250
  neighbor 10.0.56.6 activate
  neighbor 10.0.56.6 as-override
 exit-address-family
PE-RIGHT#

Now the BGP table on the CE looks like the picture below:

As you can see, the AS_PATH contains 100 100, i.e. the PE's BGP AS number in place of the customer's AS 250.

Reachability check from the right-side CE to the left-side CE:
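The AS_PATH handling described above, as an added example that is not part of the original post: a minimal Python model of the two eBGP hops in the lab, showing the path CE-right receives with and without as-override, and the allowas-in alternative. AS numbers follow the lab; the functions are illustrative, not IOS code.

```python
# Added example (not from the original post): a minimal model of how the
# AS_PATH changes across the L3VPN and why as-override (or allowas-in) is
# needed when both CE sites use the same AS.  AS numbers follow the lab.
CUSTOMER_AS = 250   # both CE routers
PROVIDER_AS = 100   # both PE routers

def ebgp_advertise(as_path, local_as, as_override=False, peer_as=None):
    """AS_PATH a router in local_as sends to an eBGP peer.

    With as-override the router first replaces every occurrence of the
    peer's AS with its own, then prepends its own AS as usual.
    """
    path = list(as_path)
    if as_override:
        path = [local_as if asn == peer_as else asn for asn in path]
    return [local_as] + path

def ebgp_accept(as_path, local_as, allowas_in=0):
    """Loop check on the receiving router.

    Default: reject any path containing our own AS.
    allowas-in N: accept as long as our AS appears at most N times.
    """
    return as_path.count(local_as) <= allowas_in

def l3vpn_path(as_override=False):
    """AS_PATH that CE-right receives for a prefix originated by CE-left.

    The iBGP/VPNv4 hop between the PEs leaves AS_PATH untouched, so only the
    two eBGP hops (CE-left -> PE-left, PE-right -> CE-right) modify it.
    """
    from_ce_left = ebgp_advertise([], CUSTOMER_AS)            # [250]
    return ebgp_advertise(from_ce_left, PROVIDER_AS,
                          as_override=as_override, peer_as=CUSTOMER_AS)

if __name__ == "__main__":
    plain = l3vpn_path()                       # [100, 250]
    overridden = l3vpn_path(as_override=True)  # [100, 100], as in the post
    print("default       ", plain, "accepted by CE-right:",
          ebgp_accept(plain, CUSTOMER_AS))
    print("allowas-in 1  ", plain, "accepted by CE-right:",
          ebgp_accept(plain, CUSTOMER_AS, allowas_in=1))
    print("as-override   ", overridden, "accepted by CE-right:",
          ebgp_accept(overridden, CUSTOMER_AS))
```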



Sunday, January 29, 2017

OSPF LSA types understanding

The most important part of understanding OSPF is getting to know the LSA ("link state advertisement") types.

That understanding should not stop at memorizing the LSA names:

you also need to know how to check each one of them from the command line,

and how every LSA is generated and which router generates it.


So basically, as we learned, OSPF uses a hierarchical design, built around the backbone area 0,

because every area must connect to it in order to reach the other areas.


Other than that, configuring areas hides the routes of one area from the others and limits LSA flooding to a single area,

so the LSA flooding caused by a change inside area 0 stays within area 0 and is not propagated as-is into other areas like area 1 and area 2.


Now getting back to the LSA types, these are the most important ones:
LSA1 (Router LSA) [ generated by every router within the same area; each router announces "I'm in this area" together with its links ]
so LSA1 is generated by all routers, one entry per router link, and flooded within the area so that it also reaches the ABR
LSA2 (Network LSA) [ carries the IP address of the DR interface and the routers attached to that segment, within the same area ]
all routers form OSPF adjacencies with the DR and BDR; an LSA2 is generated only for OSPF network types where a DR is elected, i.e. [ NBMA, broadcast ] networks,
and the DR then sends it to all routers, so it acts like a map used internally between the routers to reach each other.


LSA3 (Summary LSA) [ generated by the Area Border Router, which has a leg in each of two areas; it summarizes the networks advertised by the other area, so the ABR is the point of contact between areas ]

LSA4 (ASBR Summary LSA) [ when an ASBR redistributes routes from EIGRP or RIP into the OSPF domain, the ASBR announces itself in its LSA1 within its area, and the ABR generates an LSA4 into the next area ]
so LSA4 is, in effect, the identifier of the ASBR for routers in other areas.

LSA5 (External LSA) [ external routes that come from another router running RIP, EIGRP or other protocols ]
so when Rx redistributes EIGRP into the OSPF domain, it sends its LSA1 to the ABR of that area, and the LSA5 for the external routes is then generated.

LSA7 (NSSA External LSA) [ used in an NSSA, because an NSSA does not allow LSA5; the external routes are carried as LSA7 and translated back to LSA5 at the border to be allowed into the rest of the OSPF domain ]

All of these LSAs can be seen in the OSPF database using
#show ip ospf database     with its arguments (router, network, summary, asbr-summary, external, nssa-external, self-originate) to find each LSA type, whether self-originated or advertised by other routers.





OK, now how do we filter LSAs?

STUB = no LSA4, no LSA5
TOTALLY STUBBY = no LSA3, 4, 5 (apart from a default route carried as LSA3)
NSSA = no LSA5, but LSA7 is allowed and will be translated back at the border.
TOTALLY NSSA = no LSA3, 4, 5 either; the ABR generates a single LSA3 carrying the default route.





Thursday, November 17, 2016

Changing SSH port for a router

SSH uses port 22 by default.
On a Cisco router you can move it to another port.

Let's say we use port 800.

In this case you need to log in to the router and, in configuration mode, issue:

 ip ssh port 800 rotary 1

This instructs the router's SSH server to accept connections on port 800 (rotary group 1) in addition to the original port 22.

Then tell the VTY lines to use rotary group 1 (and, if not already set, to accept SSH only):

 line vty 0 4
  rotary 1
  transport input ssh

Now you have to prevent the old port 22 from being used for SSH connections, which can be done with an ACL, so let's create an ACL that permits port 800 and denies everything else:

 ip access-list extended SSH
  permit tcp any any eq 800
  deny   ip any any

Then go back under line vty and apply it inbound:

 line vty 0 4
  access-class SSH in

This applies the ACL named SSH to the VTY lines. Do this from the console, or from a session already established on port 800, so that a mistake in the ACL does not lock you out of the router.

You can add more flavours to the ACL, for example restricting the source addresses you want to permit SSH connections from.

Now test connecting with SSH over both ports: you should get "connection refused" on port 22, while the connection on the new port (800) should work.
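A way to script that final check, as an added example that is not part of the original post: it probes both ports and only reports success when port 22 is refused and port 800 answers with an SSH banner. The router address in the block is a placeholder; the port numbers follow the post.

```python
# Added example (not part of the original post): a checker for the end result
# described above, i.e. that the router now refuses SSH on port 22 and answers
# with an SSH banner on port 800.  The router address below is a placeholder.
import socket

OLD_SSH_PORT = 22
NEW_SSH_PORT = 800

def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect to host:port.

    'open'       connected and the peer sent an SSH version banner
    'open-other' connected but no SSH banner (some other service, or silence)
    'refused'    RST received, which is what the access-class ACL produces
    'timeout'    no answer at all (filtered somewhere on the path)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)     # SSH servers send "SSH-2.0-..." first
            except socket.timeout:
                banner = b""
        return "open" if banner.startswith(b"SSH-") else "open-other"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:              # unreachable host, DNS failure, ...
        return f"error: {exc}"

def verify_ssh_move(host, old_port=OLD_SSH_PORT, new_port=NEW_SSH_PORT):
    """(ok, details): ok only if old_port is refused and new_port speaks SSH."""
    result = {"old": probe_tcp(host, old_port), "new": probe_tcp(host, new_port)}
    return result["old"] == "refused" and result["new"] == "open", result

if __name__ == "__main__":
    ok, result = verify_ssh_move("192.0.2.1")   # placeholder router address
    print("OK" if ok else "NOT OK", result)
```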






Sunday, November 6, 2016

QoS studying

I have finally started to study QoS, and since I have zero experience in QoS I spent some time trying to find the best study material.
I got some suggestions to study books like End to End QoS and some other books, which I didn't read because the books start deep-diving from the beginning, so what I did was search YouTube for some videos, and I found Jeremy Cioara's video, which was so good; check the link.
The video, I think, is part of QoS for the CCVP certification, but it's definitely good for the CCIE R/S QoS part as well.


So let me list them down:

Videos
A. Jeremy Cioara  [ CCVP QoS ]
B. Keith Bogart [ INE Introduction to QoS for CCIE R/S]

Books
INE WorkBook [ great labs ]

Websites

Cisco QoS websites
Networklessons.com

Finally, go back to the INE videos by Brian McGahan.


Searching bits and pieces from here and there will do the trick when you are starting with something new. QoS is very important in the CCIE R/S study and exam, and in real networks as well, because your network is always going to have some point of congestion and you need to resolve it with QoS.






Saturday, October 15, 2016

Implementing VRRP on DMZ SWITCHES

Hi All,


Recently my employer asked me to configure a DMZ on the firewall, to be used for any server that has direct internet access, so I implemented the DMZ and we started shifting any server that we think might get attacked into the DMZ, for example DNS, NTP and others.

OK, after the DMZ setup was finished, we started to think about the redundancy of the DMZ switches, which by the way are not Cisco; we use HP in most of our network.


Anyhow, I started to check what options were available to provide HA.

1. stacking
2. HP IRF
3. redundancy protocols [ VRRP ]

Stacking didn't work even though the feature exists on the switch, and after a thorough check I found out that many people on the HP community were suffering from the same issue; they couldn't get it to work.

Anyway, moving on to IRF, which is a good protocol but requires 10G ports to work, while the maximum speed I had was 1Gbps.

So I was left with VRRP to try to get working, and I configured it and it was great. I added tracking for the interface facing the firewall, because if the firewall interface goes down, the firewall will switch to its standby, but the other parts of the DMZ would still see this switch as their gateway; the tracking makes the switch change to standby if its interface facing the firewall is down.


Check the figure below; sorry if you find it not detailed nor organized, but that's what I have right now:



The configurations used are shown below:
[DMZ-SECONDARY]
interface Vlan-interface500
 ip address 172.16.16.249 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 120
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50 

[MAIN-DMZ]
interface Vlan-interface500
 ip address 172.16.16.250 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 150
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50

And the tracking is done as below. One thing to keep in mind: with preemption disabled on both switches, a priority reduction on the master does not by itself move the virtual IP; the backup only takes over when it is allowed to preempt or when the master stops advertising. So test the failover by actually shutting the tracked interface rather than trusting the priority values alone.
[MAIN-DMZ]dis track all 
Track ID: 1
  Status: Positive
  Duration: 34 days 16 hours 4 minutes 32 seconds
  Notification delay: Positive 0, Negative 0 (in seconds)
  Reference object:
    Track interface  :
    Interface status : Inserted
    Interface        : GigabitEthernet1/0/1
    Protocol         : None
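The interaction between tracking and preemption in the config above, as an added example that is not part of the original post: a small Python model of the VRRP election between the two DMZ switches. Priorities and the "reduced 50" value follow the post's config; the election rules are a simplified reading of RFC 3768, not HP code.

```python
# Added example (not from the original post): a small model of the VRRP
# election between the two DMZ switches, showing what "track 1 reduced 50"
# does to the priorities and why the preempt setting decides whether the
# virtual IP actually moves.  Priorities and the reduce value follow the
# config above; the election rules are a simplified reading of RFC 3768.

def effective_priority(base, tracked_link_up, reduce=50):
    """Priority the switch advertises once its track object is evaluated."""
    return base if tracked_link_up else max(base - reduce, 1)

def elect_master(switches, current_master=None, preempt=True):
    """Return the name of the switch that should own the virtual IP.

    switches: {name: (base_priority, tracked_link_up)}
    With preemption disabled (undo vrrp vrid 1 preempt-mode) the running
    master keeps the role while it is alive, even if a backup now has the
    higher priority; only an initial election picks purely by priority.
    """
    prio = {n: effective_priority(b, up) for n, (b, up) in switches.items()}
    best = max(prio, key=lambda n: (prio[n], n))
    if current_master in prio and not preempt:
        return current_master
    return best

def dmz_scenarios():
    """Master per scenario for the MAIN-DMZ (150) / DMZ-SECONDARY (120) pair."""
    healthy = {"MAIN-DMZ": (150, True), "DMZ-SECONDARY": (120, True)}
    fw_link_down = {"MAIN-DMZ": (150, False), "DMZ-SECONDARY": (120, True)}
    master = elect_master(healthy)
    return {
        "healthy": master,
        "main link down, preempt on": elect_master(fw_link_down, master, True),
        "main link down, preempt off": elect_master(fw_link_down, master, False),
    }

if __name__ == "__main__":
    for name, master in dmz_scenarios().items():
        print(f"{name:30} -> {master}")
```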






Thursday, June 9, 2016

Sending VPN logs to your email

Every VPN connection, whether site-to-site, SSL or remote access, may run into problems that need your troubleshooting and diagnosis.

The process may require CLI access to enable logging and debugging in order to find the problem, and it has to happen at the right time, i.e. while the user is having the problem.

So here I will describe the configuration steps that let you receive the logs from your firewall [ ASA ] at your email account.
That way you can check the logs of failed connections in your inbox, find the error codes and work out the issue from there.


1. Add the source address the emails will be sent from, and the destination address, which would be your email account.
To do that from ASDM:
Configuration > Device Management > Logging > E-Mail Setup
then add the source email address and then the destination email address.

2. Create the event list that will be used to identify the events and severities to be monitored:
Configuration > Device Management > Logging > Event Lists


Add your list, name it, and choose the events you need to be triggered on; in our case we choose, for example: SSL, VPN, Auth.



3. Now you have to enable this list.

Go to Configuration > Device Management > Logging > Logging Filters, choose E-Mail from the logging destinations listed on the page, then click Edit.

Choose the event list you created in the previous step from the drop-down box.
Click OK and Apply, then save the configuration.


You should now receive emails in your inbox for the authentication process of remote-access VPN connections, including any authentication problems, which helps you identify whether there is a problem and how to solve it, depending on the error code and description.

The logs should look something like this:
<165>Jun 09 2016 13:12:00: %ASA-5-713120: Group = HIS_VPN, Username = name, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=a0779307)
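A parser for the log format above, as an added example that is not part of the original post: it splits an ASA syslog line into priority (facility and severity), message id, the "Key = value" fields and the free-text message, so the e-mailed events can be filtered before reading. The first sample line is the one quoted in the post; the second is constructed for illustration.

```python
# Added example (not part of the original post): a parser for ASA syslog
# lines in the format shown above, so the e-mailed events can be sorted by
# severity, message id and VPN group before reading them.  The first sample
# line is the one from the post; the second is constructed for illustration.
import re

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Za-z]+) = (?P<val>[^,]+)")

SAMPLE_LINES = [
    "<165>Jun 09 2016 13:12:00: %ASA-5-713120: Group = HIS_VPN, Username = name, "
    "IP = x.x.x.x, PHASE 2 COMPLETED (msgid=a0779307)",
    # constructed line, not from a real firewall
    "<165>Jun 09 2016 13:15:42: %ASA-5-713120: Group = HIS_VPN, Username = other, "
    "IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=0b1c2d3e)",
]

def parse_asa_line(line):
    """Return a dict for one ASA syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    body = m["body"]
    pairs = list(FIELD_RE.finditer(body))
    # free text after the last "Key = value" pair is the message itself
    message = body[pairs[-1].end():].lstrip(", ") if pairs else body
    return {
        "facility": pri // 8,          # <165> -> 20 (local4)
        "severity": pri % 8,           # <165> -> 5, same digit as %ASA-5-
        "timestamp": m["ts"],
        "msgid": m["msgid"],           # "713120"
        "fields": {p["key"]: p["val"].strip() for p in pairs},
        "message": message,
    }

def filter_events(lines, max_severity=7, msgids=None):
    """Parsed events at or below max_severity (0 = most severe),
    optionally restricted to a set of message ids."""
    out = []
    for line in lines:
        ev = parse_asa_line(line)
        if ev is None or ev["severity"] > max_severity:
            continue
        if msgids is not None and ev["msgid"] not in msgids:
            continue
        out.append(ev)
    return out
```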



Hope this was helpful.




Monday, June 6, 2016

Threat Detection on Cisco ASA Firewall


Threat Detection is a feature that you can enable on the Cisco ASA firewall; we will use an ASA5512-X in our example.

Check the simple topology below:









Enabling threat detection can be done in the CLI using the following commands:


#threat-detection basic-threat   [ enables basic threat detection ]
#threat-detection scanning-threat shun except object-group NOT-ATTACKER   [ enables scanning threat detection and shuns detected attackers, except the hosts in the object group ]
#threat-detection statistics   [ enables advanced threat detection statistics ]
#threat-detection statistics tcp-intercept rate-interval 5 burst-rate 25 average-rate 25   [ statistics for TCP intercept, with its own rate thresholds ]


On ASDM: Configuration > Firewall > Threat Detection



NOT-ATTACKER is an object group that contains the IPs you don't want to end up in the shun list;
they are excepted from the action the firewall takes for the other event triggers.


To check the features enabled by the command #threat-detection statistics [ advanced threat detection ], use the command below:

# show running-config all threat-detection 
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except object-group NOT-ATTACKER
threat-detection statistics access-list
threat-detection statistics host number-of-rate 1
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics tcp-intercept rate-interval 5 burst-rate 25 average-rate 25





Note:
As you probably have some smartphones connecting to your network, you might see threats from inside your network; it's better to add your inside subnets to the exception list, in order not to block any host on your own networks. Keep in mind that hosts in the exception list are never shunned, so an infected internal host has to be caught by other means.

ASA# show object-group id NOT-ATTACKER
object-group network NOT-ATTACKER
 description: this object group contains hosts excluded from shun
 network-object 10.211.0.0 255.255.0.0
 network-object 192.168.200.0 255.255.252.0
 network-object 172.16.16.0 255.255.255.0
 network-object 10.80.90.0 255.255.255.0





Check the statistics below, which show what has been done with events that were considered threats:

ASA# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                 43              42      14             26160
  1-hour ACL  drop:                 45              43       0            163347
  10-min ICMP attk:                  0               0       0                 5
  1-hour ICMP attk:                  0               0       0                29
  10-min SYN attck:                 41              38     471             25067
  1-hour SYN attck:                 42              38      79            151824
  10-min  Scanning:                120             114   52852             72070
  1-hour  Scanning:                123             115   34517            444929
  10-min Bad  pkts:                 34              33       0             20596
  1-hour Bad  pkts:                 35              33       0            128188
  10-min  Firewall:                 78              75       0             47003
  1-hour  Firewall:                 81              77       0            293105
  10-min DoS attck:                  0               0       0               242
  1-hour DoS attck:                  0               0       0              1541
  10-min Interface:                 80             237       2             48218
  1-hour Interface:                 83              79       0            301326
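How the thresholds and the statistics above relate, as an added example that is not part of the original post: a Python script that parses the rate lines from "show running-config all threat-detection" and the rows of "show threat-detection rate", then reports which categories currently exceed their configured average-rate. The sample text is a subset copied from the two outputs; the mapping between the row labels and the configuration keywords is my assumption.

```python
# Added example (not part of the original post): parse the thresholds from
# "show running-config all threat-detection" and the observed rates from
# "show threat-detection rate", then report which categories exceed their
# configured average-rate.  Sample text is a subset of the outputs above.
import re

CONFIG_RE = re.compile(
    r"threat-detection rate (?P<kind>[\w-]+) rate-interval (?P<ival>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)")
STAT_RE = re.compile(
    r"^\s*(?P<win>10-min|1-hour)\s+(?P<label>.+?):\s+(?P<avg>\d+)\s+(?P<cur>\d+)"
    r"\s+(?P<trig>\d+)\s+(?P<total>\d+)\s*$")
WINDOW = {"10-min": 600, "1-hour": 3600}
# row label -> "threat-detection rate" keyword (assumed mapping)
LABEL_TO_KIND = {"ACL drop": "acl-drop", "ICMP attk": "icmp-drop",
                 "SYN attck": "syn-attack", "Scanning": "scanning-threat",
                 "Bad pkts": "bad-packet-drop", "Firewall": "fw-drop",
                 "DoS attck": "dos-drop", "Interface": "interface-drop"}
SAMPLE_CONFIG = """\
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
"""
SAMPLE_STATS = """\
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                 43              42      14             26160
  10-min SYN attck:                 41              38     471             25067
  10-min  Scanning:                120             114   52852             72070
  10-min Interface:                 80             237       2             48218
"""

def parse_thresholds(text):
    """{(kind, rate_interval): (average_rate, burst_rate)}"""
    return {(m["kind"], int(m["ival"])): (int(m["avg"]), int(m["burst"]))
            for m in CONFIG_RE.finditer(text)}

def parse_rates(text):
    """[(kind, rate_interval, average_eps, current_eps, trigger_count)]"""
    rows = []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if not m:
            continue                           # header or unrelated line
        label = " ".join(m["label"].split())   # collapse the padding spaces
        if label in LABEL_TO_KIND:
            rows.append((LABEL_TO_KIND[label], WINDOW[m["win"]],
                         int(m["avg"]), int(m["cur"]), int(m["trig"])))
    return rows

def over_average(thresholds, rates):
    """Rows above average-rate; triggers below it come from the burst-rate."""
    return [(kind, ival, avg, thresholds[(kind, ival)][0], trig)
            for kind, ival, avg, cur, trig in rates
            if (kind, ival) in thresholds and avg > thresholds[(kind, ival)][0]]
```

On the sample rows only scanning-threat is above its average-rate (120 eps against 5), while the ACL-drop and SYN-attack rows show triggers without crossing it, which is the short-window burst-rate firing.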




Samer R. Saleem
