Archive

Archive for May, 2011

Generate traffic with traceroute

May 28, 2011 6 comments

I found a very useful trick when practicing the INE labs: how to generate
traffic with traceroute. I've used telnet lots of times to generate TCP
traffic to different ports, but what if we want to generate UDP traffic instead?
We can use traceroute to our advantage, because its probes are UDP datagrams
sent to a destination port that we choose.

The topology is the one I’ve been using for my last posts with two routers
connected by a FastEthernet link.

First we create an access-list on R1 that will deny UDP on ports 9 and 19
(discard and chargen) but allow everything else.

We will confirm connectivity by doing a ping and then a telnet.

The traffic is passing successfully. Let's check the access-list on R1.

We have matches in the ACL (the permit line), now let's generate traffic with traceroute.
We will type traceroute without arguments and then answer the prompts for the extended options.

The important thing here is of course to change the port to something other
than the default, 33434, so that the probe hits one of the denied ports. The !A
in the output means "administratively prohibited": R1's ACL denied the probe and
sent back an ICMP unreachable (type 3, code 13), which traceroute reports as !A.
Let's confirm this by looking at the ACL on R1.

And that is how you generate traffic with traceroute. Together with telnet
(which sends a TCP SYN to whatever port number you give after the address) and
extended ping for ICMP, we can simulate most of the TCP or UDP traffic we need.
This gives us an advantage in the lab: we can test our ACLs and confirm they
match what we think they match instead of trusting the configuration by eye.
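The whole exchange written out, as an added example rather than the screenshots from the original post: the ACL on R1, the extended traceroute from R2 with the probe port changed, and the check on R1. The addresses 10.0.0.1 (R1) and 10.0.0.2 (R2), the interface and ACL names and the match counters are assumptions; the probe count is set to 1 so that exactly one probe, to port 9, is sent.

```cisco
! R1: deny UDP 9 (discard) and 19 (chargen) inbound on the link to R2,
! permit everything else. Names and addresses are assumed, not from the post.
ip access-list extended UDP_TEST
 deny   udp any any eq 9
 deny   udp any any eq 19
 permit ip any any
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group UDP_TEST in

! R2: extended traceroute. Only the probe count and the port are changed
! from their defaults; the port is the one the ACL on R1 should deny.
R2#traceroute
Protocol [ip]:
Target IP address: 10.0.0.1
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]: 1
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]: 9
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.0.0.1

  1 10.0.0.1 !A

! R1: the deny line for port 9 now has a match (IOS shows the well-known
! port names in the output). The !A above was the ICMP administratively
! prohibited message R1 generated when the ACL dropped the probe.
R1#show ip access-lists UDP_TEST
Extended IP access list UDP_TEST
    10 deny udp any any eq discard (1 match)
    20 deny udp any any eq chargen
    30 permit ip any any (12 matches)

! The TCP counterpart: a SYN to port 80 on R1. Nothing listens there, so
! the connection is refused, but the ACL counters still show the attempt.
R2#telnet 10.0.0.1 80
Trying 10.0.0.1, 80 ...
% Connection refused by remote host
```

Two things to keep in mind when reading the result. If R1 has no ip unreachables configured on the interface, the denied probe is dropped silently and traceroute prints * instead of !A, so the ACL counters are the reliable check, not the traceroute symbol. And ICMP unreachables are rate limited by default (ip icmp rate-limit unreachable), so with several probes in a row some of them can show * even though every one was denied.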


RMON – Remote MONitoring

May 27, 2011 Leave a comment

RMON stands for Remote Monitoring. It is an extension to SNMP
that lets us enable event notifications when certain thresholds
are met. We can monitor the performance of interfaces or the CPU
and everything that has an OID in the SNMP MIB. We might want to
check for a high CPU utilization or the number of errors on an
interface.

When we monitor different parameters we can either look for
absolute values or delta values. An absolute value could be that
when the CPU hits 80% an alarm is sent. A delta value is the difference
between two consecutive samples: if the number of errors on an interface
increases by more than 10 packets between two samples, send an alarm.

There is not much configuration needed to set up RMON. We need to
configure alarms and events. When we configure the alarm we
set the values to look for and the number of the event that we want to
trigger when a threshold is crossed. The event will log the alarm
to syslog and/or send an SNMP trap when it is triggered.

We will use a very simple topology with two routers and a
FastEthernet link connecting them.

We want to monitor the change (delta) in octets in on the
FastEthernet interface. The value that corresponds to octets
in is ifInOctets. We can see all the available parameters that
we can monitor with the show snmp mib command. This list is
huge and it may freeze your session for a while when you
scroll through it.

We need to find what ID our interface has so we can monitor it.
We can find this ID with the show snmp mib ifmib ifindex command.

We can see that the FastEthernet0/0 interface has an ID of 1.

We now have everything that we need to set up RMON. We start by
configuring an alarm. If the number of octets has increased by
less than 20000 since the previous sample, the falling threshold fires
and an alarm will be sent; if it has increased by more than 40000, the
rising threshold fires and an alarm will also be sent.

You can see that we received a message directly because of the falling
threshold. The number 1 in rmon alarm 1 is an ID that identifies the
alarm. The number 30 is the sample interval. We check this value every
30 seconds. The number 1 after the rising- and falling-threshold is
what event to trigger.

We can check the parameters that we have configured with show rmon alarms
and show rmon events.

Now let's see if we can trigger the rising threshold. We need to generate
some traffic. We will do this with ping and a timeout of 0.

Has the event been triggered?

Yes it has. We can see the last value reported with the show rmon
alarms command. The rising threshold was triggered and later, when
we stopped sending traffic, the falling threshold was also met. Note that
RMON alarms have hysteresis: after a rising event, another rising event is
not generated until the value has crossed the falling threshold again (and
vice versa), so a sustained burst gives one alarm, not one per sample. The
log messages are sent to the console. If we also want to keep them in the
router's log buffer (in RAM, viewable with show logging) we need to use the
logging buffered command.

Now you know how to configure RMON. RMON is very flexible and can
monitor a lot of different values.
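The configuration described above written out in full, as an added example and not the exact commands from the original post: one event that logs and traps, and one delta alarm on ifInOctets for ifIndex 1 (FastEthernet0/0 on this router) with the post's 30-second interval and 20000/40000 thresholds. The SNMP community string, the trap receiver address and the owner strings are assumptions.

```cisco
! Where traps go. Community and host are assumed values; do not leave a
! default community such as "public" on a router that sends traps across
! a network you do not fully control.
snmp-server community STUDYLAB RO
snmp-server host 192.168.0.100 traps STUDYLAB
!
! Keep ifIndex values stable across reloads; otherwise "ifInOctets.1" can
! silently point at a different interface after the next reboot.
snmp-server ifindex persist
!
! Event 1: write a syslog message and send a trap when fired.
rmon event 1 log trap STUDYLAB description "ifInOctets delta threshold" owner config
!
! Alarm 1: sample ifInOctets.1 every 30 s, compare the delta between two
! samples, fire event 1 above 40000 (rising) and below 20000 (falling).
rmon alarm 1 ifInOctets.1 30 delta rising-threshold 40000 1 falling-threshold 20000 1 owner config
!
! Keep the log messages in the buffer so they can be read with "show logging".
logging buffered 16384 informational
!
! Verification: the configured alarm with its last sampled value, and the
! event with the time it last fired.
R1#show rmon alarms
R1#show rmon events
```

The alarm only ever fires event 1, so one event is enough for both directions; the log text tells you whether the rising or the falling threshold was crossed. If the thresholds should react differently (trap on rising, log only on falling), define a second event and reference its number after falling-threshold.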

Categories: CCIE, SNMP

Lock and key ACL

May 26, 2011 3 comments

The lock and key ACL is one of those features you're not sure how to use in
production, but it is viable for the CCIE lab. Lock and key is a form of dynamic
ACL: a user has to authenticate to the router (the key) before a temporary permit
entry is activated in the ACL. Only one dynamic entry is supported per ACL.

We will be looking at a very simple topology with 3 routers. R2 will act as a
firewall for traffic coming from R1 going to R3. We will create an ACL that
denies telnet to R3’s loopback but allows everything else. We will run OSPF for
reachability but configuring it is out of scope for this post.

This is the topology.

All 3 routers have been configured with transit links and a
loopback address of 1.1.1.1, 2.2.2.2 or 3.3.3.3. All the magic
will occur on R2.

First we verify that we have reachability from R1 to R3 through
ICMP and telnet.

Reachability is good. Now we will start configuring the dynamic ACL on R2.

Let's see if we can telnet from R1.

As expected we can telnet to the Fa0/0 interface but not the loopback.

Now we need to create a user on R2 that will unlock the dynamic
ACE on R2. We also need to use the autocommand feature.

Now we have created the user and enabled the autocommand feature.
The autocommand will execute a command when the user logs in. The
access-enable command is what activates the dynamic ACE in the ACL.
We also need to enable local login on the VTY lines on R2, otherwise the
login is never tied to the username and the autocommand never runs.

Now we will login to R2 from R1 and see if we can telnet to R3.

After authenticating we get kicked out and the ACE has now been activated. We can now
telnet to R3’s loopback.

Let's look at the ACL on R2.

You can see that there is a dynamic entry allowing us to telnet to the loopback of R3.
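The complete R2 side of this, as an added example and not the configuration from the original post's screenshots. The interface name, the username and password, and the timeouts are assumptions; 3.3.3.3 is R3's loopback from the post.

```cisco
! R2: inbound on the interface facing R1. The dynamic entry is the
! template; nothing matches it until access-enable creates a temporary
! entry from it. "timeout 10" is the absolute lifetime in minutes.
ip access-list extended LOCK_KEY
 dynamic TELNET_R3 timeout 10 permit tcp any host 3.3.3.3 eq telnet
 deny   tcp any host 3.3.3.3 eq telnet
 permit ip any any
!
interface FastEthernet0/0
 ip access-group LOCK_KEY in
!
! The key: a local user whose only job is to run access-enable.
! "host" replaces "any" in the temporary entry with the address the user
! logged in from; without it the entry opens for every source address.
! "timeout 5" is the idle timeout in minutes.
username LOCKKEY secret LabOnlyPassword
username LOCKKEY autocommand access-enable host timeout 5
!
! login local is required so the autocommand is tied to the username.
line vty 0 4
 login local
!
! After R1 has logged in as LOCKKEY (the session closes by itself once the
! autocommand has run), the temporary entry is visible under the dynamic
! line together with its remaining lifetime:
R2#show ip access-lists LOCK_KEY
!
! Revoke the access before the timeouts expire, e.g. when the test is done:
R2#clear access-template LOCK_KEY TELNET_R3 any any
```

Two practical notes. The key travels over the same path the ACL protects, so with telnet it is sent in clear text; if the platform supports it, restrict the VTY lines to SSH (transport input ssh) so the authentication does not leak the password to anyone on the R1 to R2 link. And the permit ip any any at the bottom is what lets R1 reach R2's VTY in the first place; if the ACL is tightened, a line permitting TCP 22 or 23 to R2's own address has to stay.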

So, summarizing: lock and key is a cool feature that is not very usable in real life but a
good tool to have on your lab exam.

You can download the configs, both initial and final and the .net file from here.
Don’t forget to set image dir and working dir.

Categories: CCIE, Security

Transport preferred none

May 18, 2011 Leave a comment

Have you ever mistyped a command and the router thinks you want to telnet
to another device? Sure you have, and so have I. The most common solution is
to turn off name lookups.

no ip domain-lookup

This will tell the router not to use DNS for looking up names, so the
mistyped command fails immediately instead of hanging on a lookup. However,
if you need to have DNS enabled we can't use this solution, and there is a
cleaner way of doing it.

line vty 0 4
transport preferred none

By default telnet is the preferred transport, so when you mistype the router
tries to telnet to the "name" you typed. If we set it to none the router
won't try to telnet on a mistyped command and you can keep DNS enabled, which
is the best of both worlds. The setting is per line, so apply it to the console
and aux lines as well if you use them. If you want to telnet to another device
you have to type telnet 1.1.1.1 instead of just 1.1.1.1, but that is a small
price to pay.

Categories: Useful commands

Filtering traffic with a route-map

May 18, 2011 4 comments

This post describes how to filter packets with a route-map. I have never used
a route-map for the sole purpose of filtering packets before. I ran into this
while doing a vol2 lab and the task was to filter ICMP packets coming in
on a frame-relay interface and out on VLAN 162. The packets should only
be filtered if they were between 100 and 200 bytes long. The topology is
the same as in my previous post.

My first thought was to use MQC to accomplish this but we were not allowed
to do so. We were not allowed to use FPM either. That only leaves us with
a route-map. Often policy routing is not allowed in the CCIE lab unless
specified but in this case it is our only option.

First we create an ACL that matches all ICMP. All configuration is applied to R6.

ip access-list extended ICMP
permit icmp any any

Then we create the route-map and do some matches.

route-map DROP permit 10
 match ip address ICMP
 match interface FastEthernet0/0
 match length 100 200
 set interface Null0
!
interface Serial0/0/0.1
 ip policy route-map DROP

The packets have to match all three criteria: the ACL ICMP (meaning it is an
ICMP packet), a length between 100 and 200 bytes, and an outgoing interface of
FastEthernet 0/0, meaning the VLAN 162 subnet. We apply the policy to the
S0/0/0.1 interface, which is the frame-relay interface, so it is evaluated on
packets arriving there. Remember that traffic destined to the router is not
affected by this policy, only transit traffic will be affected (packets the
router itself generates are not either; those would need ip local policy).
This means that packets won't be dropped if we try to ping R6.

Let's confirm that the policy is working. We turn on policy debugging on R6.

Rack24R6#debug ip policy
Policy routing debugging is on

RS.22.24.BB1>ping
Protocol [ip]:
Target IP address: 192.10.24.1
Repeat count [5]:
Datagram size [100]: 50
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 50-byte ICMP Echos to 192.10.24.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/32 ms
RS.22.24.BB1>ping
Protocol [ip]:
Target IP address: 192.10.24.1
Repeat count [5]:
Datagram size [100]: 150
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 150-byte ICMP Echos to 192.10.24.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RS.22.24.BB1>

The testing is done from BB1. You can see that when the packets are only 50 bytes long
no dropping is occurring. If we use a size of 150 bytes the packets are being dropped.
The policy is working, let's look at the debug output on R6.

Rack24R6#
May 14 14:23:41.110: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 50, FIB policy rejected(no match) - normal forwarding
May 14 14:23:41.130: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 50, FIB policy rejected(no match) - normal forwarding
May 14 14:23:41.162: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 50, FIB policy rejected(no match) - normal forwarding
May 14 14:23:41.202: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 50, FIB policy rejected(no match) - normal forwarding
May 14 14:23:41.222: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 50, FIB policy rejected(no match) - normal forwarding
Rack24R6#
May 14 14:24:02.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, FIB policy match
May 14 14:24:02.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, PBR Counted
May 14 14:24:02.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1 (Null0), len 150, FIB policy routed(drop)
Rack24R6#
May 14 14:24:04.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, FIB policy match
May 14 14:24:04.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, PBR Counted
May 14 14:24:04.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1 (Null0), len 150, FIB policy routed(drop)
Rack24R6#
May 14 14:24:06.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, FIB policy match
May 14 14:24:06.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, PBR Counted
May 14 14:24:06.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1 (Null0), len 150, FIB policy routed(drop)
Rack24R6#
May 14 14:24:08.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, FIB policy match
May 14 14:24:08.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, PBR Counted
May 14 14:24:08.058: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1 (Null0), len 150, FIB policy routed(drop)
Rack24R6#
May 14 14:24:10.062: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, FIB policy match
May 14 14:24:10.062: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1, len 150, PBR Counted
May 14 14:24:10.062: IP: s=54.24.1.254 (Serial0/0/0.1), d=192.10.24.1 (Null0), len 150, FIB policy routed(drop)

The first five packets don’t match the policy so they use normal forwarding. The next five
packets are being dropped. We can also see this with show route-map.

Rack24R6#sh route-map
route-map DROP, permit, sequence 10
Match clauses:
ip address (access-lists): ICMP
interface FastEthernet0/0
length 100 200
Set clauses:
interface Null0
Policy routing matches: 15 packets, 1810 bytes

And this is how flexible route-maps are, we can use them to modify metrics, redistribute and
even filter traffic.

Categories: CCIE, Security

Filtering traffic with VLAN access maps

May 18, 2011 6 comments

While doing a vol2 lab I got stumped by one of the tasks in the lab.
The task was to filter ICMP packets coming from the backbone destined
to a network on the internal routers. The topology looks like this.

We need to filter ICMP packets from BB2 but we may not apply this on
R1 and/or R6. We are of course not allowed to make any changes in the
backbone either. So what is left? We have an Ethernet segment connecting
the routers together; they are all connected to a switch. This means
that we can apply a VLAN filter (a VACL). A VACL is evaluated for every
packet bridged or routed within the VLAN, including traffic between two
hosts in the same VLAN, which a router ACL never sees because that
traffic never crosses a routed interface. For traffic crossing network
boundaries we can use regular ACLs, but they won't work for intra-VLAN
traffic.

The configuration is pretty straight forward and has a lot of resemblance
to a route-map. First we create a VLAN access-map.

Rack24SW2(config)#vlan access-map ICMP_FILTER 10
Rack24SW2(config-access-map)#action drop
Rack24SW2(config-access-map)#match ip address 100
Rack24SW2(config-access-map)#exit
Rack24SW2(config)#vlan access-map ICMP_FILTER 20
Rack24SW2(config-access-map)#action forward
Rack24SW2(config-access-map)#exit

We want to drop traffic when there is a match in access-list 100. If there is
not a match permit the traffic.

Then we create the access-list.

Rack24SW2(config)#access-list 100 permit icmp 205.90.31.0 0.0.0.255 any echo

The 205.90.31.0/24 network is one of the backbone networks but the addressing is
not what’s important here.

Then we need to apply the filter to the VLANs that should be filtered.

Rack24SW2(config)#vlan filter ICMP_FILTER vlan-list 162

We have a few show commands that will show us what filters are in use.

Rack24SW2#show vlan filter
VLAN Map ICMP_FILTER is filtering VLANs:
162

Rack24SW2#show vlan filter vlan 162
Vlan 162 has filter ICMP_FILTER.

Rack24SW2#show vlan filter access-map ICMP_FILTER
VLAN Map ICMP_FILTER is filtering VLANs:
162

In this configuration we permitted the traffic that should be dropped in an ACL. Could we
have done the reverse? An alternate solution is to use an action of forward and then
deny the ICMP traffic in the ACL. Let's look at this.

Rack24SW2(config)#vlan access-map ICMP_FILTER 10
Rack24SW2(config-access-map)#action forward
Rack24SW2(config-access-map)#match ip address 100
Rack24SW2(config-access-map)#exit
Rack24SW2(config)#vlan access-map ICMP_FILTER 20
Rack24SW2(config-access-map)#action drop
Rack24SW2(config-access-map)#exit

The logic is reversed here. We forward only certain traffic and drop the rest. We also
need to modify ACL 100.

Rack24SW2(config)#access-list 100 deny icmp 205.90.31.0 0.0.0.255 any echo
Rack24SW2(config)#access-list 100 permit ip any any

ICMP from 205.90.31.0 will be denied and all other IP allowed; should work like a charm, right?
And it might, for a while... There's a pitfall in this configuration: we have allowed
all IP, but there is one other quite important protocol used on Ethernet segments. We
use it when we know the IP address of a host but need to find out its MAC address. Yes,
it is ARP. An IP ACL only ever matches IP packets, so ARP never matches sequence 10 and
falls through to sequence 20, which drops it (the same goes for any other non-IP protocol
on the VLAN). Some traffic might still get through while there are entries in the ARP
cache, but as soon as they time out there will be a problem. If we need to allow ARP we
can do that by creating a MAC access-list and matching it in a forward clause before the
final drop.

Rack24SW2(config)#mac access-list extended PERMIT_ARP
Rack24SW2(config-ext-macl)#permit any any 0x806 0x0
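The reversed design with the ARP fix actually attached, as an added example (the original post defines the MAC access-list but stops before using it). The sequence number 15 for the new clause is an assumption; everything else reuses the names from the post.

```cisco
! IP traffic: deny ICMP echo from the backbone network, permit the rest.
! A packet hitting the "deny" does not match clause 10 and falls through.
access-list 100 deny   icmp 205.90.31.0 0.0.0.255 any echo
access-list 100 permit ip any any
!
! Non-IP traffic we must keep: ARP (EtherType 0x806).
mac access-list extended PERMIT_ARP
 permit any any 0x806 0x0
!
vlan access-map ICMP_FILTER 10
 match ip address 100
 action forward
!
! New clause: MAC ACL matches apply to non-IP frames, so ARP is forwarded
! here instead of reaching the catch-all drop below.
vlan access-map ICMP_FILTER 15
 match mac address PERMIT_ARP
 action forward
!
! Everything not forwarded above (backbone ICMP echo, any other non-IP
! protocol) is dropped.
vlan access-map ICMP_FILTER 20
 action drop
!
vlan filter ICMP_FILTER vlan-list 162
!
! Verification: clause order, matches and actions.
Rack24SW2#show vlan access-map ICMP_FILTER
Rack24SW2#show vlan filter vlan 162
```

The trade-off is the same as with any default-drop design: anything you forgot about (other non-IP protocols that must cross the VLAN) stops working when the map is applied, so check with the show commands and a quick ping sweep from each router right after configuring the filter, not an hour later when the ARP caches have expired.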

So now you know how to filter traffic within a VLAN. There is almost always more than
one solution but we need to be careful when thinking through alternate solutions.

Categories: CCIE, Security

Drastically decreasing CPU load in Dynamips

May 16, 2011 68 comments

Running Dynamips takes a lot of CPU and memory and running a full CCIE topology on
a Windows machine can be tough. I do a lot of studying on my commute to my job
and I run some smaller labs but I have not been able to run a full topology on
my laptop until now.

I came across a post on IEOC (Internetwork Experts forum) on how to
dramatically decrease CPU usage. Original credit goes to Journeyofanetworkengineer.

There is a value called idlemax which is related to the famous idle-PC value.
There is not much information on what this value does. According to Greg
at Hacki forum idlemax specifies how many times the address that the idle-PC
value references is used before going to sleep. The default value is 1500.

I’m not sure about the magic behind this, maybe someone with more expertise
in Dynamips can explain this but lowering this value dramatically decreases
the CPU usage.

I was able to run the full INE topology at 20-40% CPU load on my Core2 duo
@ 2.13 GHz and 4 GB RAM. Without idlemax applied my CPU runs at close to
100% load.

This is before idlemax.

This is after idlemax.

This is what a hypervisor entry looks like in the .net file.

[localhost:7200]
udp = 10000
workingdir = C:\GNS3\Working
 [[3725]]
  image = C:\GNS3\IOS\c3725-adventerprisek9-mz.124-15.T10.extracted.bin
  ram = 128
  ghostios = True
  idlepc = 0x614ac21c
  idlemax = 100

We will need four entries like this, each with a unique port for localhost and a unique UDP port.
You can download my complete .net file here if you need it for reference.

If you use this tip please post in comments how much your CPU was decreased and if you
have any stability issues when running it at 100.

Categories: CCIE, Dynamips