Category Archives: Cisco

DMVPN with Linux

Ever since I discovered DMVPN in 2004/5 I have thought it a very intelligent combination of IPsec, GRE and NHRP. Many thanks to the guys at Cisco, Christoph, Frederick and all the others.

This week I discovered “opennhrp” on SourceForge.

It took me a minute or two to get a VM with Debian up and the needed tools installed.

I used VMware with a bridged Ethernet interface for testing, installed the Debian 4.0 netinstall ISO and upgraded to sid/testing, so I got kernel version 2.6.26-1-686.

Then I downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. You have to install some libs and tools to build ipsec-tools, like kernel headers and so on :-) and then do the usual configure and make.

Then I built opennhrp; everything worked without a problem up to here.

Next I configured racoon, ipsec-tools and opennhrp like this:

   /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   spdflush;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

   /etc/racoon/racoon.conf 
   path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 5;
      }
   }
   sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;
   }

   /etc/racoon/psk.txt
   10.2.0.90 1234

   /etc/opennhrp/opennhrp.conf
   interface gre1
      map 172.255.255.1/24 10.2.0.90 register cisco
      cisco-authentication 1234
      shortcut

Now get the tunnel up:

   ip tunnel add gre1 mode gre key 1234 ttl 64
   ip addr add 172.255.255.2/24 dev gre1
   ip tunnel change gre1 local 10.0.81.115
   ip link set gre1 up

Now it's time for the other side.

We are using a Cisco 1812 running c181x-advsecurityk9-mz.124-15.T7.bin.

   crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 5
   !
   crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
      mode transport
   !
   crypto ipsec profile Profile3
      set transform-set TRANSFORMSET_3
   !
   interface Tunnel888
      ip address 172.255.255.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      ip flow ingress
      ip nhrp authentication 1234
      ip nhrp map multicast dynamic
      ip nhrp network-id 10064
      ip nhrp holdtime 360
      ip nhrp max-send 200 every 10
      ip route-cache same-interface
      ip tcp adjust-mss 1350
      load-interval 30
      tunnel source 10.2.0.90
      tunnel mode gre multipoint
      tunnel key 1234
      tunnel protection ipsec profile Profile3

and voilà

   Router# sh dmvpn interface tunnel 888
   Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
   Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
   Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
           N - NATed, L - Local, X - No Socket
           # Ent --> Number of NHRP entries with same NBMA peer

   Tunnel888, Type:Hub, NHRP Peers:1,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
    ----- --------------- --------------- ----- -------- -----
        1 10.0.81.115     172.255.255.2      UP    never     D
   Router# ping 172.255.255.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

This looks great :-)
Many thanks Timo for doing such impressive work. I like Cisco for their impressive boxes, and I also like open-source software.

— edit February 15, 2009 at 12:09 am —

After a while I found no packets traveling; the NHRP registration had gone on the Cisco side, maybe because the holdtimers differ, so I added “holding-time 360” to opennhrp.conf. An opennhrpctl purge fixed the problem.
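As an added example (not from the post, and not part of opennhrp or IOS), here is a small Python script that cross-checks the Linux spoke side against the IOS hub side shown above: GRE tunnel key, NHRP authentication string, the hub's NBMA and tunnel addresses, the tunnel subnet, and the NHRP holdtime that the follow-up edit found has to be matched with a `holding-time` in opennhrp.conf. The parsers are ad hoc regexes written for these two listings, not a general IOS or opennhrp parser; the constants reuse the values from the post, and `OPENNHRP_CONF_FIXED` is the same opennhrp.conf with the holding-time added.

```python
import ipaddress
import re

# Constructed sample input: the values below are the ones that appear in the
# post's own listings (Linux spoke 172.255.255.2 / 10.0.81.115, IOS hub
# 172.255.255.1 / 10.2.0.90). OPENNHRP_CONF_FIXED adds the holding-time that
# the follow-up edit mentions.
OPENNHRP_CONF = """\
interface gre1
   map 172.255.255.1/24 10.2.0.90 register cisco
   cisco-authentication 1234
   shortcut
"""
OPENNHRP_CONF_FIXED = OPENNHRP_CONF + "   holding-time 360\n"

LINUX_TUNNEL_CMDS = """\
ip tunnel add gre1 mode gre key 1234 ttl 64
ip addr add 172.255.255.2/24 dev gre1
ip tunnel change gre1 local 10.0.81.115
ip link set gre1 up
"""

IOS_TUNNEL_CONF = """\
interface Tunnel888
   ip address 172.255.255.1 255.255.255.0
   ip nhrp authentication 1234
   ip nhrp network-id 10064
   ip nhrp holdtime 360
   tunnel source 10.2.0.90
   tunnel mode gre multipoint
   tunnel key 1234
   tunnel protection ipsec profile Profile3
"""


def _grab(pattern, text):
    """First capture group of pattern in text (multiline), or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def parse_spoke(opennhrp_conf, tunnel_cmds):
    """Spoke-side parameters from opennhrp.conf and the ip(8) commands."""
    hub_tunnel, hub_nbma = re.search(
        r"^\s*map\s+(\S+?)/\d+\s+(\S+)\s+register", opennhrp_conf, re.MULTILINE).groups()
    return {
        "tunnel_key": _grab(r"^ip tunnel add \S+ .*\bkey (\d+)", tunnel_cmds),
        "tunnel_addr": ipaddress.ip_interface(_grab(r"^ip addr add (\S+) dev", tunnel_cmds)),
        "nhrp_auth": _grab(r"^\s*cisco-authentication (\S+)", opennhrp_conf),
        "holding_time": _grab(r"^\s*holding-time (\d+)", opennhrp_conf),
        "hub_tunnel_addr": ipaddress.ip_address(hub_tunnel),
        "hub_nbma": ipaddress.ip_address(hub_nbma),
    }


def parse_hub(ios_conf):
    """Hub-side parameters from the IOS 'interface Tunnel' block."""
    m = re.search(r"^\s*ip address (\S+) (\S+)", ios_conf, re.MULTILINE)
    return {
        "tunnel_key": _grab(r"^\s*tunnel key (\d+)", ios_conf),
        "tunnel_addr": ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"),
        "nhrp_auth": _grab(r"^\s*ip nhrp authentication (\S+)", ios_conf),
        "holdtime": _grab(r"^\s*ip nhrp holdtime (\d+)", ios_conf),
        "nbma": ipaddress.ip_address(_grab(r"^\s*tunnel source (\S+)", ios_conf)),
    }


def check(spoke, hub):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    findings = []
    if spoke["tunnel_key"] != hub["tunnel_key"]:
        findings.append(f"GRE key differs: spoke {spoke['tunnel_key']}, hub {hub['tunnel_key']}")
    if spoke["nhrp_auth"] != hub["nhrp_auth"]:
        findings.append("NHRP authentication string differs")
    if spoke["hub_nbma"] != hub["nbma"]:
        findings.append(f"spoke maps hub NBMA {spoke['hub_nbma']}, hub tunnel source is {hub['nbma']}")
    if spoke["hub_tunnel_addr"] != hub["tunnel_addr"].ip:
        findings.append("spoke's map entry does not point at the hub's tunnel address")
    if spoke["tunnel_addr"].network != hub["tunnel_addr"].network:
        findings.append("tunnel addresses are not in the same subnet")
    if spoke["holding_time"] is None:
        findings.append(f"opennhrp.conf has no holding-time; hub uses holdtime {hub['holdtime']}")
    elif spoke["holding_time"] != hub["holdtime"]:
        findings.append(f"holding-time {spoke['holding_time']} differs from hub holdtime {hub['holdtime']}")
    return findings


if __name__ == "__main__":
    hub = parse_hub(IOS_TUNNEL_CONF)
    for name, conf in (("as posted", OPENNHRP_CONF), ("with holding-time", OPENNHRP_CONF_FIXED)):
        print(name, check(parse_spoke(conf, LINUX_TUNNEL_CMDS), hub) or ["ok"])
```

Run as posted, the only finding is the missing holding-time; with the line from the edit added, the check comes back clean. The IPsec phase 1/phase 2 parameters (3DES, SHA1, group 5, PSK, transport mode) are not compared here, but the same pattern extends to the racoon proposal and the IOS isakmp policy.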

Cisco Visio Icons

Recently I was asked to give a presentation about the network design we had developed for our key project. My company had decided to unify the computing infrastructure and client environment for all related companies.

So I will give a presentation on the Cisco WAAS platform on Tuesday next week, and I needed up-to-date Visio stencils for it. I found them here: http://www.cisco.com/web/about/ac50/ac47/2.html .

Cisco IOS CLI Modes

Mode                             Prompt                      Command entered at this prompt
EXEC Prompt                      Router>                     enable
Privileged EXEC Prompt           Router#                     configure terminal
Global Configuration Mode        Router(config)#             interface FastEthernet0/0

Configuration Modes
Interface Configuration Mode     Router(config-if)#          interface FastEthernet 0/0.1
SubInterface Configuration Mode  Router(config-subif)#       line console 0
Line Configuration Mode          Router(config-line)#
Controller Configuration Mode    Router(config-controller)#  router rip
Router Configuration Mode        Router(config-router)#      end

Packet capture on the WAAS

Recently I discovered that you can capture packets on the WAAS.

tcpdump is installed on the WAE, and you can use it for sniffing in the usual way.

# tcpdump -s 0 -w /local1/out.pcap
# copy disk ftp a.x.y.z / out.pcap /local1/out.pcap
# delfile /local1/out.pcap

The rest is then normal work for Wireshark.

I knew it, my routers are telephones

Well well, I knew it, my routers are telephones. Or maybe not. After we had loaded the 12.4.15T7 IOS release on our central DMVPN routers, we saw a massive increase in memory used by the CDP process. A debug of the CDP events produced the following log messages:

Jan 19 12:12:51.513 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco 1721
Jan 19 12:12:51.517 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco 1812
Jan 19 12:12:52.141 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco C836

Funny, let's see what that means :-)
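The following is an added example, not something from the post: a small Python parser for the CDP-EV debug lines quoted above that aggregates the lookups per interface and per platform, counts how many of them target platforms that are not phones at all (a simple "IP Phone" substring heuristic, my assumption), and finds the busiest second. The sample log is constructed: the three lines from the post (with the anonymised `a.b.x.y` kept) plus two made-up lines, whose interface, address and platform string are assumptions, so that the aggregation has something to show.

```python
import re
from collections import Counter

# Constructed sample input: the three lines quoted in the post, plus two
# made-up lines (FastEthernet0, a.b.x.z, the phone platform string) that do
# not come from the post.
CDP_DEBUG = """\
Jan 19 12:12:51.513 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco 1721
Jan 19 12:12:51.517 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco 1812
Jan 19 12:12:52.141 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco C836
Jan 19 12:12:52.300 UTC: CDP-EV: Lookup for ip phone with idb= Tunnel105 ip= a.b.x.y mac= 0000.0000.0000 platform= Cisco 1812
Jan 19 12:12:52.900 UTC: CDP-EV: Lookup for ip phone with idb= FastEthernet0 ip= a.b.x.z mac= 0011.2233.4455 platform= Cisco IP Phone 7960
"""

# IOS timestamp, timezone, then the fixed CDP-EV message with its key= value fields.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d)\.(?P<ms>\d{3}) \S+: "
    r"CDP-EV: Lookup for ip phone with idb= (?P<idb>\S+) ip= (?P<ip>\S+) "
    r"mac= (?P<mac>\S+) platform= (?P<platform>.+)$")


def parse(log):
    """Return one dict per CDP-EV lookup line; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate the lookups: per interface, per platform, lookups that hit
    non-phone platforms (heuristic: platform string lacks 'IP Phone'),
    lookups with an all-zero MAC, and the busiest one-second window."""
    per_idb = Counter(e["idb"] for e in events)
    per_platform = Counter(e["platform"] for e in events)
    non_phone = sum(1 for e in events if "IP Phone" not in e["platform"])
    zero_mac = sum(1 for e in events if e["mac"] == "0000.0000.0000")
    per_second = Counter(e["hms"] for e in events)
    busiest = per_second.most_common(1)[0] if per_second else (None, 0)
    return {
        "total": len(events),
        "per_idb": per_idb,
        "per_platform": per_platform,
        "non_phone": non_phone,
        "zero_mac": zero_mac,
        "busiest_second": busiest,
    }


if __name__ == "__main__":
    summary = summarize(parse(CDP_DEBUG))
    print(f"{summary['total']} lookups, {summary['non_phone']} for non-phone platforms,"
          f" {summary['zero_mac']} with all-zero MAC")
    for idb, n in summary["per_idb"].most_common():
        print(f"  {idb}: {n}")
    print("busiest second:", summary["busiest_second"])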


Cisco WAAS with an IOS router

The configuration on an IOS router is analogous to the configuration on the switches, so I won't repeat it here.

On the WAAS the redirection is not configured statically but negotiated via WCCP.

wccp router-list 1 10.2.0.145
wccp tcp-promiscuous router-list-num 1
wccp version 2
egress-method negotiated-return intercept-method wccp

If you feel this helps a bit, or maybe not, please leave a comment.

Cisco WAE and 3560

Hi
Hm, what is so easy on the routers can drive you to despair on the switch.

So first update the switch to 12.2(46)SE IP Services
and change the SDM template to IP routing.
SDM here stands for Switch Database Manager; with it you can optimize the 3560 switches for different deployment scenarios.
conf t
sdm prefer routing
end
write
reload

After the reload we then have the following settings:
switch#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K

Then configure WCCPv2 on the switch as follows:
ip wccp 61 redirect-list acl-wccp-61
ip wccp 62 redirect-list acl-wccp-62
!
interface FastEthernet0/21
description Switch wave
no switchport
ip address 10.0.136.9 255.255.255.248
no ip proxy-arp
!
interface Vlan 1
description LAN
no switchport
ip address 10.0.136.1 255.255.255.248
ip wccp 61 redirect in
!
interface FastEthernet0/24
description WAN
no switchport
ip address 10.0.134.81 255.255.255.0
ip wccp 62 redirect in
!
ip access-list extended acl-wccp-61
permit tcp 10.0.0.0 0.0.255.255 10.0.136.0 0.0.0.255
permit tcp 10.0.0.0 0.0.255.255 10.0.137.0 0.0.0.255
deny ip any any
ip access-list extended acl-wccp-62
permit tcp 10.0.136.0 0.0.0.255 10.0.0.0 0.0.255.255
permit tcp 10.0.137.0 0.0.0.255 10.0.0.0 0.0.255.255
deny ip any any
!

On the WAVE or WAE, configure WCCPv2 as follows:
interface GigabitEthernet 1/0
ip address 10.0.136.10 255.255.255.248
!
ip default-gateway 10.0.136.9
!
wccp router-list 1 10.0.136.9
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp version 2

Then have fun with the WAVE:
switch#sh ip wccp 61 detail
Load for five secs: 5%/0%; one minute: 7%; five minutes: 6%
Time source is NTP, 14:40:49.402 UTC Thu Jan 15 2009

WCCP Client ID: 10.0.136.10
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:53:54
Assignment: MASK

Mask  SrcAddr    DstAddr    SrcPort DstPort
----  -------    -------    ------- -------
0000: 0x00001741 0x00000000 0x0000  0x0000

Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
----- -------    -------    ------- ------- -----
0000: 0x00000000 0x00000000 0x0000  0x0000  0x0A00880A (10.0.136.10)
... output omitted ...
0063: 0x00001741 0x00000000 0x0000  0x0000  0x0A00880A (10.0.136.10)
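The show output above is easier to read once you see where the 64 rows come from. As an added example (not from the post, and not Cisco's or the WAE's code), the Python below works through the mask assignment: the source-address mask 0x00001741 has six bits set, so every source address falls into one of 2^6 = 64 buckets, and with a single WAE all 64 buckets point at 10.0.136.10. The mask value and the WAE address come from the output; the second engine address used to show a split, the round-robin distribution (the real one is chosen by the designated WAE) and the row enumeration (mask bits read as a counter, lowest bit first, which reproduces the 0000 → 0x00000000 and 0063 → 0x00001741 end rows) are my assumptions.

```python
import ipaddress

# Constructed from the post's "sh ip wccp 61 detail" output: the WAE chose a
# mask on the source address of 0x00001741 and there is one cache engine,
# 10.0.136.10. A second engine address used below is made up.
SRC_MASK = 0x00001741
CACHE_ENGINES = ["10.0.136.10"]


def mask_bits(mask):
    """Positions (bit 0 = least significant) of the set bits in the mask."""
    return [i for i in range(32) if mask >> i & 1]


def bucket_count(mask):
    """A k-bit mask yields 2**k buckets: six bits in 0x1741 give rows 0000..0063."""
    return 1 << len(mask_bits(mask))


def bucket_index(addr, mask):
    """Dense bucket number of an address: the address bits the mask selects,
    read as a k-bit counter with the lowest mask bit first (assumed ordering)."""
    a = int(ipaddress.IPv4Address(addr))
    index = 0
    for n, bit in enumerate(mask_bits(mask)):
        if a >> bit & 1:
            index |= 1 << n
    return index


def bucket_value(index, mask):
    """Expand a bucket number back to the 32-bit pattern shown in the Value column."""
    value = 0
    for n, bit in enumerate(mask_bits(mask)):
        if index >> n & 1:
            value |= 1 << bit
    return value


def assignment_table(mask, engines):
    """Bucket pattern -> cache engine. Round-robin is an assumption; the real
    distribution is decided by the designated WAE, this shows the table's shape."""
    return {bucket_value(i, mask): engines[i % len(engines)]
            for i in range(bucket_count(mask))}


def engine_for_source(src, mask, engines):
    """Which engine receives a flow from src: look up the masked source address."""
    table = assignment_table(mask, engines)
    return table[int(ipaddress.IPv4Address(src)) & mask]


def render_table(mask, engines):
    """Lines in the style of the 'Value' table of the show output (src mask only)."""
    lines = ["Value SrcAddr    CE-IP"]
    for i, (value, ce) in enumerate(sorted(assignment_table(mask, engines).items())):
        lines.append(f"{i:04d}: 0x{value:08X} {ce}")
    return lines


if __name__ == "__main__":
    print(f"mask bits {mask_bits(SRC_MASK)} -> {bucket_count(SRC_MASK)} buckets")
    rows = render_table(SRC_MASK, CACHE_ENGINES)
    for line in rows[:3] + ["..."] + rows[-1:]:
        print(line)
    two = ["10.0.136.10", "10.0.136.11"]   # second address is made up
    print("10.0.136.5 ->", engine_for_source("10.0.136.5", SRC_MASK, two))
```

The useful consequence for a deployment with more than one WAE is visible in `engine_for_source`: only the six masked bits of the client address decide which WAE a flow lands on, so clients whose addresses differ only in other bits always share a WAE.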

IPTV with T-Home

To get IPTV running with a Cisco router, an IGMP proxy has to be configured on the Cisco. The following configuration is derived from the Cisco documentation; the timers may still need adjusting. Since I don't have a VDSL connection myself, this is still a bit of theory.

--- snip ---
ip multicast-routing
ip igmp snooping
!
interface Vlan1
  ip pim sparse-dense-mode
  ip igmp helper-address udl Dialer 2
  ip igmp version 3
  ip igmp mroute-proxy Dialer 2
!
interface Dialer 2
  ip pim sparse-dense-mode
  ip igmp version 3
  ip igmp unidirectional-link
!
--- snip ---

Cisco Customizing IGMP

Please don't forget to adjust the firewall rules as well:

--- snip ---
ip access-list extended OUTSIDE
  9 permit ip any 224.0.0.0 15.255.255.255
--- snip ---

Alternatively, the following configuration should also work.

--- snip ---
ip access-list extended OUTSIDE
  7 permit ip 217.0.119.0 0.0.0.255 224.0.0.0 15.255.255.255
  8 permit ip 193.158.35.0 0.0.0.255 224.0.0.0 15.255.255.255
--- snip ---
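To see what the two OUTSIDE variants actually let through, here is an added Python example (not from the post or from Cisco) that evaluates IOS wildcard-mask ACL entries the way the router does: first match wins, and an ACL ends in an implicit deny. The two ACL texts are the ones above; the test packets (a stream to 239.0.0.42 from a Telekom source range versus from an unrelated documentation address) are constructed here. With the `any` variant every multicast source is accepted, with the second variant only the two listed /24s are.

```python
import ipaddress

# Constructed from the two OUTSIDE ACL variants shown above; the packets
# tested in __main__ are made up (198.51.100.7 is a documentation address).
ACL_ANY_SOURCE = """\
ip access-list extended OUTSIDE
  9 permit ip any 224.0.0.0 15.255.255.255
"""

ACL_TELEKOM_SOURCES = """\
ip access-list extended OUTSIDE
  7 permit ip 217.0.119.0 0.0.0.255 224.0.0.0 15.255.255.255
  8 permit ip 193.158.35.0 0.0.0.255 224.0.0.0 15.255.255.255
"""


def _addr_spec(tok, i):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') at tok[i].
    Returns ((base, wildcard), next index) with both as 32-bit ints."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_acl(text):
    """Entries of an extended ACL as (action, protocol, src_spec, dst_spec)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":          # 'ip access-list extended NAME' header
            continue
        if tok[0].isdigit():                    # optional sequence number
            tok = tok[1:]
        action, proto = tok[0], tok[1]
        src, i = _addr_spec(tok, 2)
        dst, _ = _addr_spec(tok, i)
        entries.append((action, proto, src, dst))
    return entries


def _matches(addr, spec):
    """Wildcard match: bits set in the wildcard are ignored, the rest must equal."""
    base, wildcard = spec
    keep = ~wildcard & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def evaluate(entries, src, dst, proto="ip"):
    """First matching entry decides; the ACL ends in an implicit deny, as on IOS."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, p, sspec, dspec in entries:
        if p != "ip" and p != proto:            # 'ip' entries cover every protocol
            continue
        if _matches(s, sspec) and _matches(d, dspec):
            return action
    return "deny"


if __name__ == "__main__":
    for src in ("217.0.119.15", "198.51.100.7"):
        for name, text in (("any source", ACL_ANY_SOURCE),
                           ("Telekom sources only", ACL_TELEKOM_SOURCES)):
            print(f"{src} -> 239.0.0.42/udp, {name}: "
                  f"{evaluate(parse_acl(text), src, '239.0.0.42', 'udp')}")
```

The wildcard 15.255.255.255 on 224.0.0.0 leaves only the top four bits of the first octet significant, which is exactly the 224.0.0.0/4 multicast range; a unicast destination is denied by both variants because neither has a matching permit before the implicit deny.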

For testing I chose the following setup:

As the Telekom router

Cisco 1712

--- snip ---
ip multicast-routing
!
interface FastEthernet 0
  description to Customer
  ip address 192.168.2.2 255.255.255.0
  ip pim sparse-dense-mode
!
interface Ethernet 0
  description to IPTV Server
  ip address 192.168.4.1 255.255.255.0
  ip pim sparse-dense-mode
!
--- snip ---

As the home router

Cisco 1812

--- snip ---
ip multicast-routing
ip igmp snooping
!
interface Vlan 1
  description IPTV Client
  ip address 192.168.200.1 255.255.255.0
  ip igmp helper-address udl Vlan 2
  ip igmp version 3
  ip igmp mroute-proxy Vlan 2
  ip pim sparse-dense-mode
!
interface Vlan 2
  description to Internet
  ip address 192.168.2.1 255.255.255.0
  ip igmp version 3
  ip pim sparse-dense-mode
  ip igmp unidirectional-link
!
--- snip ---

As the IPTV server

Apple MacBook 13″
OS X 10.5.6
VLC 0.9.8

To start the stream I used the “Netzwerk Streaming Assistent” (VLC's streaming wizard). The stream parameters are “UDP Multicast”, 239.0.0.42, TTL 10 and of course a video ;-)

An IBM ThinkCentre R51 or so, with Windows and VLC 0.9.8 installed, served as the multicast receiver.