IOS

A collection of 27 posts

CCIE

EIGRP Filtering (GNS3 lab)

In this GNS3 lab we're looking as the various options on how we can filter updates between EIGRP speakers and then how that affects the traffic flow (as EIGRP is a distance vector protocol we can filter updates :))This is just a lab to look at the different methods of

CCIE

6to4 Tunnelling (GNS3 Lab)

This is a quick lab to look over how 6to4 tunnelling can be implemented using GNS3 1.3 and 3725 (running c3725-adventerprisek9-mz124-15.image). The topology will be as below but the important part if the colouring of the network segments and noticing the middle/core is purely IPv4 only! Our

CCIE

DMVPN setup with PSK (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub

Cisco

jun2acl (Juniper to Cisco ACL Script)

Recently we've needed to migrate an inherited environment  away from Juniper Junos and onto Cisco IOS. As part of this a lot (!) of old an quite nasty firewall filter config needed to be converted to Cisco ACL style. Unfortunately (maybe for a good reason???) there doesnt already seem to be

CCIE

EIGRP (Named vs Legacy)

Just a quick look over the basic differences with the newer style of EIGRP config. It really is quite a bit nicer (more logcal?) layout in the config with things like authentication moving under the eigrp config so its easy to see related config under one section of show run

BGP

BGP RTBH setup using exaBGP

In this post I'll describe a basic setup using Cisco IOS, IOS XR and exaBGP that will function as a BGP remotely triggered blackhole (RTBH) allowing you to null route any source/destination prefix. The example topology will be as below: exaBGP by a very nice man called Thomas Mangin

Cisco

Generate DSCP marked pings

Today it was useful to confirm a switch was passing DSCP marked packets as expected and handling 'ef' marked packets. To do this on a cisco switch we can use the extended ping feature and set the Type of Service (ToS) to a decimal value that is equivalent to the

Cisco

SNMP ACL (after community check?!)

Not my usual kind of post of "how to do ...blah" but something I'd come across yesterday that was a little interesting/annoying/silly. Best practice dictates you apply an ACL to your SNMP config so only configured hosts can poll a router/switch even if the community is known.

Cisco

Connectivity problems to a NAT'd host via a VPN on Cisco IOS

Problem where a client on one side of a VPN tunnel cannot communicate with another host on the other side that has a static nat entry. The host 10.0.0.2 is a mail and web server (tcp/25 & tcp/80) that provides these services to hosts on the

Cisco

Show "free" (not used for a while) ports on Cisco switch with one command

Reasonably common task I come accross is to find free ports on switches (ports that havent been used for sometime). Sometimes its very easy where you can use an NMS or similar to give you a pretty output to show ports and their last input/output. However in my experience

Android

OpenVPN server on Fedora 16 connecting Cyanogenmod (7.1) Android phone [bridged]

I have already posted about openVPN on Ubuntu  but the config for Fedora is a little different so here's a updated post. I did the following setup using * Cyanogenmod 7.1 * OpenVPN 2.2 * Samsung Glaxy S 2 * Cisco 1800 router * Fedora 16 server I've used this quite a lot

CCNP Security

Cisco IOS Certificate Server set-up and client enrolment (GNS3 Lab)

A quick step by step overview of how to configure the certificate server on a Cisco IOS device. The certificate server functionality was added in version 12.3(4). It is only available in in security images or higher. We can use this functionality to provide scalable authentication for VPN

Cisco

Cisco (type 7) password decryption and encryption with Perl

I've often seen password decryption tools for the Cisco (type 7) passwords and wondered how they worked. To learn more about that and Perl I thought I'd give it a go :) The short story is it just seems to XOR each character against a value in an array. I'm sure

ASA

Cisco pipe options and some regex examples

Just a quick post about using the pipe (|) command on Cisco devices to help format the output of any command. Add the pipe to any show command then ? can show the available options. Below is from a 6500. 6509#show run | ? append Append redirected output to URL (URLs supporting append

Cisco

Display the specific port used in an etherchannel for given src/dst info

Etherchannel on Cisco switches uses a hashing algorithm to determine which interface within the bundle to send the data over i.e. The port choice is deterministic and will always be the same unless ports are added to the bundle or the hashing algorithm is changed. It also means that

640-553 CCNA Security

Role Based CLI access to Cisco IOS using Views

Just having a play around with role based access and "views". Not a feature I've used much in production. Below we will configure a view that only allows the use of the show interface commands. Then we will configure a use that when logging in via telnet or ssh will

Android

Setting up OpenVPN for Android phone (NAT & ZBFW on Cisco 1801)

I've been looking to get a decent "native" VPN setup on my android phone for a while. There doesn't seem to be native support for IPSEC VPNs terminating on Cisco routers. Long request topic for it [here] although ASA8.4(1) supposedly has support I haven't had a chance to

Cisco

IOS ping with rotating data pattern/payload

Came across an interesting problem where depending on the ping payload the loss would vary quite a bit when being sent over a WAN link. Pings using windows machines were seeing higher loss than from linux boxes. It turns out windows uses a rotation from A-W for its ping payload

640-553 CCNA Security

Simple Zone Based IOS Firewall (GNS3 Lab)

Just a post about the basic config and options of Cisco IOS zone based firewall using the Topology below Grab the initial configs and GNS3 .net file [HERE]. From the initial configs all interfaces have connectivity to each other. First off lets configure the zones and assign each interface to

640-553 CCNA Security

Steps to configure an IPSEC site to site VPN on a Cisco IOS device (GNS3 Lab)

Just some short notes on basic IOS vpns using the topology below as an example. All the configuration examples are for the router Lefty. Grab the GNS3 .net file and initial configs [HERE] if you want to try. The following five steps need to configured in order to create an

ASIC

ASIC to port mapping

Just a couple of commands to show the ASIC/port mapping on most cisco switches. show interfaces capabilities module Is used on smaller switches e.g. 3750 m00nie-C3750#show platform pm if-numbers interface gid gpn lpn port slot unit slun port-type lpn-idb gpn-idb ---------------------------------------------------------------------- Gi1/0/1 1 1 1

aaa

Password-less ssh login using pki to Cisco IOS

A cool feature in IOS I recently came across was the ability to configure SSH login using PKI. As far as I can see this feture was added in version 15.0 Already assuming the basic SSH server is running on the IOS device here's how we add the ability

642-691 BGP+MPLS

BGP Route Reflectors (GNS3 lab)

One problem of having a large number of routers running IBGP with each other in a full mesh is the volume of IBGP connections needed. The formula to see the number of connections needed for a full IBGP mesh is n(n-1)/2 so  with 20 routers we would end

642-691 BGP+MPLS

Changing MED value in BGP (GNS3 lab)

BGP Multiexit Discriminator (MED or MULTI_EXIT_DISC) is an optional nontransative attribute (Type code Value 4). It is usually used to exchange info about a preferred to external BGP neighbours. MED is passed between ASs unlike LOCAL_PREF but each time it is passed to another new AS it

annoying

Stop your Cisco device interrupting your typing

One annoying "feature" of Cisco devices is that they often output info when your typing into the console making you loose your place and unable to see what you are typing in. Router(config)#host m00nies-router m00nies-router(config)#^Z m00nies-router#sho *Aug 20 09:46:38.867: %SYS-5-CONFIG_I: Configured