Archive for August, 2010

What can my interface do? – Show interface capabilities

August 29, 2010

Want an easy way to find out what speeds your interface supports? Or which trunk encapsulations it supports? Then show interface capabilities is the command you want. Let's look at a sample output:

Switch#sh int gi0/1 capabilities
Model: WS-C3560X-24
Type: 10/100/1000BaseTX
Speed: 10,100,1000,auto
Duplex: half,full,auto
Trunk encap. type: 802.1Q,ISL
Trunk mode: on,off,desirable,nonegotiate
Channel: yes
Broadcast suppression: percentage(0-100)
Flowcontrol: rx-(off,on,desired),tx-(none)
Fast Start: yes
QoS scheduling: rx-(not configurable on per port basis),
tx-(4q3t) (3t: Two configurable values and one fixed.)
CoS rewrite: yes
ToS rewrite: yes
UDLD: yes
Inline power: no
SPAN: source/destination
PortSecure: yes
Dot1x: yes

This shows that the port is gigabit capable (the gigabitethernet name kind of gives that away), but also that the speed can be set to 10, 100 or 1000; some gigabit ports are fixed speed. It supports both 802.1Q and ISL, Cisco's proprietary trunking method. The port supports storm control and rewriting of the CoS and ToS headers, and we have four egress queues for QoS with three thresholds, two of them configurable. We can use SPAN and the port can be a source or a destination. We also have support for 802.1X. So this command gives a brief and concise overview of all the features the interface supports. I will post some other useful commands later on as well.

CCIE – 2 years from now

August 27, 2010

My plan is to do the CCIE two years from now. I plan on doing the written in late 2010 or early 2011 and after that prepare for about a year for the lab. Many people do like 1/3 reading and 2/3 labs but I think I will be closer to 50/50. My goal is to know the theory so well that doing the labs is not that difficult since it’s just an extension of the theory. We will see if my plan holds up 🙂 I also now have an OK from work to go for it, which is nice. Right now I have too much work to do any studying there but we will see what happens later on. At least I know I will get the support I need. I’ve done about 50 hours of reading so far and I think I will need at least 300 hours reading and some basic labs on that before taking the written. Doing the whole preparation will probably take more than 1000 hours.

Categories: Announcement

Using Cisco ASA with dual ISPs

August 22, 2010

It's getting more common to use dual ISPs since most companies nowadays depend on a functioning network and Internet connection. In this scenario we will use a leased line as the primary connection; it won't be encrypted since it is a private point-to-point link. The second connection is a VPN tunnel over the Internet. This is what our network looks like:

We will use a function called sla monitor to achieve this. Let's start with the interface config:

interface Ethernet0/0
nameif OUTSIDE-LEASED
security-level 50
ip address
interface Ethernet0/1
nameif OUTSIDE-INTERNET
security-level 0
ip address
interface Ethernet0/2
nameif INSIDE
security-level 100
ip address

We have three interfaces: security level 100 for INSIDE, 50 for the leased line and 0 for the Internet connection. We need access-lists to allow traffic in on both OUTSIDE interfaces:

access-list OUTSIDE_IN extended permit ip
access-list VPN_TRAFFIC extended permit ip

The access-list VPN_TRAFFIC is for defining “interesting” traffic to trigger the VPN tunnel. Apply the access-lists to the relevant interfaces:

access-group OUTSIDE_IN in interface OUTSIDE-LEASED
access-group OUTSIDE_IN in interface OUTSIDE-INTERNET

We need routing for the inside network at the other end:

route OUTSIDE-LEASED 1 track 1

The track 1 keyword means that the static route is tracked and withdrawn if the tracked object goes down. The backup route is a floating static route with an administrative distance of 254, which is only installed once the tracked route is gone. This is the config that relates to the tracking:

sla monitor 1
type echo protocol ipIcmpEcho interface OUTSIDE-LEASED
num-packets 5
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

We send 5 ICMP echo packets, 5 seconds apart, to the other end of the leased line. Only one successful reply is needed to stay on the primary line. If you want different behaviour you could set num-packets to 1 or whatever value suits your topology. This is the configuration that relates to the VPN tunnel; if you don't need VPN just leave it out:

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address VPN_TRAFFIC
crypto map VPN-MAP 1 set peer
crypto map VPN-MAP 1 set transform-set 3DES-SHA
crypto map VPN-MAP interface OUTSIDE-INTERNET
crypto isakmp enable OUTSIDE-INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key secret
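To see how the tracked route, the floating static and the num-packets setting interact, here is an added example (not from the post and not ASA code) that models the failover logic in Python. It assumes the behaviour described above: the track is up when at least one of the num-packets probes is answered, and a tracked route is only installed while its track is up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed model (constructed for this example, not ASA code): an SLA echo
# operation sends num-packets probes each cycle, the tracked object is
# reachable when at least one probe is answered, and a "track <n>" static
# route stays installed only while its track is up. The untracked floating
# static route (AD 254) is only chosen when the tracked route is gone.

@dataclass
class SlaEcho:
    num_packets: int = 5   # "num-packets 5" from the config above
    frequency: int = 5     # "frequency 5": seconds between probe cycles

    def reachable(self, replies: List[bool]) -> bool:
        """One cycle: True if any of the num_packets probes got a reply."""
        return any(replies[: self.num_packets])

@dataclass
class StaticRoute:
    interface: str
    distance: int
    track: Optional[int] = None  # None means an untracked (floating) route

# The two default routes from the post: tracked primary and floating backup.
ROUTES = [
    StaticRoute("OUTSIDE-LEASED", 1, track=1),
    StaticRoute("OUTSIDE-INTERNET", 254),
]

def select_route(routes: List[StaticRoute], tracks: Dict[int, bool]) -> Optional[str]:
    """Install routes whose track is up (or untracked); prefer the lowest AD."""
    installed = [r for r in routes if r.track is None or tracks.get(r.track, False)]
    return min(installed, key=lambda r: r.distance).interface if installed else None

def active_path(replies: List[bool], sla: SlaEcho = SlaEcho()) -> Optional[str]:
    """Interface used after one probe cycle with the given echo replies."""
    return select_route(ROUTES, {1: sla.reachable(replies)})

def failover_timeline(cycles: List[List[bool]], sla: SlaEcho = SlaEcho()):
    """Return (seconds, interface) for every cycle where the path changes."""
    events, current = [], None
    for i, replies in enumerate(cycles):
        path = active_path(replies, sla)
        if path != current:
            events.append((i * sla.frequency, path))
            current = path
    return events
```

With num-packets 1 a single lost probe already fails the track, which is why the post uses 5 to ride out occasional packet loss.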

Categories: Security

Upgrading the license on a Cisco 3560/3750

August 19, 2010

With the newer switches like the 3560-X it is possible to run a universal IOS image that supports different feature sets, LAN Base, IP Base and IP Services, where IP Services is the most feature-rich version. I did an upgrade from LAN Base to IP Base and thought it would be a good idea to show how it's done.

The universal image has a name like c3560e-universalk9-mz.122-53.SE2.bin. To get the licenses you need to register the Product Activation Key (PAK) that you receive after ordering the license. You also need to know the product number and the serial number of the device the license is for. The product number can be, for example, WS-C3560X-24T-L; the serial number is a string of letters and numbers, and so is the PAK number.

When the registration is done you will receive a .lic file, which is a combination of the PAK number, a date and some other numbers. You need to upload this file to the switch. I used FTP to upload the file:

copy ftp://user:password@ flash:
Accessing ftp://user:password@…
Loading filename.lic !
[OK – 1152/4096 bytes]
1152 bytes copied in 0.092 secs (12522 bytes/sec)

The file is now in flash. Next we need to install the license; the syntax is license install:

Switch#license install flash:filename.lic
Installing licenses from “flash:filename.lic”
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install

The license is now installed, but the switch must be rebooted before it becomes active. A message like this is also logged to the console:

*Mar 1 00:07:42.279: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560x Next reboot level = ipbase and License = ipbase
*Mar 1 00:07:42.539: %LICENSE-6-INSTALL: Feature ipbase 1.0 was installed in this device. UDI=WS-C3560X-24T-L:$PAKNR StoreIndex=1:Primary License Storage

After the reboot we can use show license to see what licenses are installed:

Switch#sh license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted

We can see here that there is an IP Services license available for evaluation if we need to do that. And that is how licensing works.
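If you need to confirm the result on more than one switch after an upgrade, here is an added example (not from the post) that parses show license output into records and reports which feature level is actually in use and which evaluation licenses are present. The sample output is constructed from the listing above, not captured from the post's switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the "show license" output above;
# not a capture from the post's switch.
SAMPLE_SHOW_LICENSE = """\
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
"""

INDEX_RE = re.compile(r"^Index\s+(\d+)\s+Feature:\s+(\S+)")

def parse_show_license(text: str) -> List[Dict[str, str]]:
    """Turn show license output into one dict per Index block."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INDEX_RE.match(line)
        if m:
            entries.append({"index": m.group(1), "feature": m.group(2)})
        elif ":" in line and entries:
            key, value = line.split(":", 1)
            entries[-1][key.strip().lower().replace(" ", "_")] = value.strip()
    return entries

def license_states(entry: Dict[str, str]) -> List[str]:
    """Split an 'Active, In Use' style state field into its tokens."""
    return [s.strip() for s in entry.get("license_state", "").split(",")]

def feature_in_use(entries: List[Dict[str, str]]) -> str:
    """The feature level the switch is actually running after the reboot."""
    for e in entries:
        if "In Use" in license_states(e):   # exact token, not "Not in Use"
            return e["feature"]
    return ""

def evaluation_features(entries: List[Dict[str, str]]) -> List[Tuple[str, bool]]:
    """Evaluation licenses present, paired with whether the EULA was accepted."""
    return [(e["feature"], "EULA not accepted" not in license_states(e))
            for e in entries if e.get("license_type") == "Evaluation"]
```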

Categories: Other

Transferring files with FTP (Cisco ASA)

August 16, 2010

Trivial File Transfer Protocol (TFTP) has long been the natural choice for transferring files to a Cisco device, but it has some weaknesses:

  • It's not reliable, since it doesn't use TCP
  • Since it's not using TCP, every packet has to be acknowledged before the next one can be sent
  • No support for encryption of the traffic
  • It takes a long time to transfer large files

So why do we still use TFTP? Mostly because it's simple to set up and we are used to it. File Transfer Protocol (FTP) overcomes most of the weaknesses of TFTP: it is reliable because it uses TCP for transport, several packets can be sent before an acknowledgement is needed, and it is much faster. It is not encrypted either, but if that is a must, Secure Copy (SCP) can be used.

Transferring a file from an FTP server to a Cisco ASA is very easy. First you need an FTP server; I use Quick 'n Easy FTP Server Lite. This is the syntax to transfer a file:

copy ftp://user:password@serverip/filename disk0:

Replace user and password with the real username and password; serverip is the IP address of the FTP server, filename is the name of the file to transfer, and disk0: is the destination for the file. I did some upgrades of ASAs last week and I was shocked how much faster it is than TFTP, so I highly recommend you start using it.

Categories: Other, Security

CCIE certification guide

August 14, 2010

I’m trying to read as much as I can and I’m almost halfway through the certification guide. It’s a good read so far and knowing that Narbik has checked the content means it’s good technical quality. It doesn’t go very deep into all areas because then the book would be 5000 pages instead of 1000 but it gives you a good feeling for what you need to study and I would imagine that this book would be essential for anyone going after the IE. When I’m done with this I’ll probably go with the Doyle books next.

Categories: Books

Caveats with new Java versions for Cisco ASA

August 13, 2010

I recently upgraded some ASA firewalls to version 8.3(2) and ASDM 6.3(2). ASDM relies on JAVA to work. I had JAVA 1.6.0(20) installed on my Windows 7 laptop but ASDM would not work with this version. What's strange and very lame is that when you try to connect to the firewall with ASDM and the JAVA version is not OK, nothing happens. The page just times out, no error message or anything. So you start to think that you have configured something wrong, but no, you haven't. I had to downgrade to 1.6.0 to get it to work. Surely Cisco could output an error message or a tool for testing if your JAVA is OK. Rant over… 🙂

Categories: Security