QOS to COS, DSCP or what?

28/11/2012

So, do we use DSCP or CoS?

What are the benefits or issues? Based on my current understanding, DSCP is the way forward when working with Cisco-based infrastructure. If you mark DSCP on the switch (2960+) then it's automatically mapped to its DSCP value as the switch forwards the packet.

When the packet hits the router, unless a specific policy is in place, it is forwarded as is with the markings intact.

If the packet passes through an ASA then, as with the router, it is forwarded intact. If the traffic is part of an IPsec VPN then the ASA will inject the marking into the encrypted packet, and as long as you have a similar trust domain at the far end the marking will be processed end-to-end.


Useful Links

27/11/2012

http://packetlife.net

http://routergod.com

http://blog.ioshints.info

https://helpamunky.wordpress.com

http://www.gns3.com

http://designinglync.blogspot.co.uk/2011/05/lync-dial-plans-and-normalization-rules.html

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


MacBook Pro & USB Serial in Mountain Lion

27/11/2012

I treated myself to a Mac. The trouble is, how do you connect it to a Cisco router or network device?

PuTTY is a Windows application and SecureCRT, as much as I like it, has a price tag. However, if you go through the pain of finding the right drivers, as I did with a Lindy serial-to-USB cable, then connect the cable, open a terminal session and run:

ls /dev/tty.*

the output will be along the lines of:

/dev/tty.Bluetooth-Modem

/dev/tty.PL2003_X6DH4R1

/dev/tty.usbserial


If you use the screen command as shown below:

screen /dev/tty.usbserial


you're pretty much on the console. I will admit that finding the drivers was a pain in the rear: over 2 – 3 hours I had installed about 5 versions before finding one that worked.



Cisco ASA hairpin L-2-L and AnyConnect 8.4(3)

27/11/2012

Cisco AnyConnect was running with a number of people accessing centralised services bi-directionally without any issues. Adding the recommended “ENABLE TRAFFIC BETWEEN TWO OR MORE HOSTS CONNECTED TO THE SAME INTERFACE” should allow a VPN client, either SSL or IPsec, to communicate with a peer connecting via the same method. This should also allow inter-communication with a site connected over a LAN-2-LAN tunnel terminating on the ASA.

However, add a simple NAT exemption statement (no NAT from INSIDE to OUTSIDE) and it breaks the inter-communication. The options are to remove the NAT or add a NAT statement above it. I worked around this by creating a Network_Object_Group and placing a high-level summarised subnet for the SSL clients and all of the LAN-2-LAN sites into it. A NAT statement was then generated with the source interface as OUTSIDE and the destination interface as OUTSIDE, selecting the newly created group for all source and destination translations.

I guess you’d call it a feature . . .


Rancid Ubuntu Install Stage 2.5 – change management

21/11/2012

Rancid has always been one of my favourite network management tools, along with Cacti, SolarWinds, Kiwi CatTools, ManageEngine NetFlow and Cisco ACS. I’ve always known that Rancid has some extra features under the hood to allow for occasional and/or bulk changes. After having a spare 30 minutes, whilst also attempting to keep myself occupied…

Kiwi is out of the window!!!

After digging around the world library (Google), I came across a script a guy had compiled which, in its simplest form, reads a text file for a list of devices, e.g.:

192.168.3.1
192.168.3.2
192.168.3.3

The script then reads a text file for a list of required commands, e.g.:

configure terminal
snmp-server chassis-ID AWESOME-SWITCH
exit
wr me
exit

When the script is run you are prompted for the name of the device list file, which the script looks for in a defined directory. After keying in the file name and pressing ENTER, the script prompts for the change script, again from a defined directory, and again you key in the file name and press ENTER. At this point the script reads the changes, prints them to the console and asks if you wish to proceed, for which you type yes (no speech marks) and press ENTER. Anything more or less than yes and the script bombs out. However, yes being the all-powerful keyword, the script continues and the Rancid server logs in to each device listed and applies the changes. As an additional feature it also writes all of the session output into a log file with a date/time stamp. My next task will be looking at adding the logs to CVS to simplify the audit process.

The folder structure that I created to make this work for me, as identified in the script below, was:

USER@LINUX-SVR:/var/lib/rancid/network-change-scripts$

Create a file in this directory with your changes as they would be entered on the command line, e.g.:

conf t
hostname rancid-changed-me
exit
wr me
exit

USER@LINUX-SVR:/var/lib/rancid/network-change-devices$

Create a file in this directory with your list of hosts, e.g.:

1.1.1.1
2.2.2.2
3.3.3.3

USER@LINUX-SVR:/var/lib/rancid/network-change-logs$

The script writes a timestamped log into this directory each time it is run.

The script looks something like this if the file is called push-config.sh:

USER@LINUX-SVR:/var/lib/rancid/network-change-scripts$ cat push-config.sh

#!/bin/bash
# --- Begin config-push.sh ---
#
# The purpose of this script is to automate configuration changes to a
# large number of devices. The script identifies the device list, as well
# as the change script, and then pushes the changes one by one.
# When the script runs you will be prompted through the process.

CLOGINPATH="/usr/lib/rancid/bin/clogin"
CREDENTIALS="/var/lib/rancid/.cloginrc"
DEVICELISTPATH="/var/lib/rancid/network-change-devices/"
CHANGESCRIPTPATH="/var/lib/rancid/network-change-scripts/"
CHANGELOG="/var/lib/rancid/network-change-logs/changelog-$(date +%T-%d-%m-%Y).log"

clear
echo "=====[ Rancid Config Push Script ]====="
echo ""
echo "Please enter the proposed device list:"
ls "$DEVICELISTPATH"
echo "--------------------------------------"
echo -n "> "
read -r DEVICELIST

if [ -f "$DEVICELISTPATH$DEVICELIST" ]
then
    echo ""
    echo "Device List = \"$DEVICELISTPATH$DEVICELIST\" (confirmed)"
else
    echo ""
    echo "Device list = \"$DEVICELISTPATH$DEVICELIST\" (does not exist!)"
    echo "Aborting..."
    echo ""
    exit 1
fi

echo ""
echo "Please enter name of change script:"
# List the candidate change scripts, hiding this script itself and the device lists
ls "$CHANGESCRIPTPATH" | grep -v '\.sh$' | grep -v "device-lists"
echo "-----------------------------------"
echo -n "> "
read -r CHANGESCRIPT

if [ -f "$CHANGESCRIPTPATH$CHANGESCRIPT" ]
then
    echo ""
    echo "Change Script = \"$CHANGESCRIPTPATH$CHANGESCRIPT\" (confirmed)"
    echo ""
else
    echo "Change Script = \"$CHANGESCRIPTPATH$CHANGESCRIPT\" (does not exist!)"
    echo "Aborting..."
    echo ""
    exit 1
fi

echo "-- Proposed Changes --"
cat "$CHANGESCRIPTPATH$CHANGESCRIPT"
echo "-- Proposed Changes --"
echo ""
echo "Are you sure you want to proceed? If so, type \"yes\":"
echo -n "> "
read -r AREYOUSURE

# Quoted, so an empty answer aborts cleanly instead of producing a test error
if [ "$AREYOUSURE" != "yes" ]
then
    echo ""
    echo "Aborting..."
    echo ""
    exit 1
else
    echo ""
    echo "Implementing Changes..."
    echo ""
fi

# Original one-liner loop, kept for reference:
#for i in $(cat "$DEVICELISTPATH$DEVICELIST")
# do echo "===[ $i ]==="
# $CLOGINPATH -f "$CREDENTIALS" -x "$CHANGESCRIPTPATH$CHANGESCRIPT" "$i"
#done

# Log in to each device in turn with clogin, replay the change script (-x)
# and append the full session output to the timestamped changelog
for DEVICE in $(cat "$DEVICELISTPATH$DEVICELIST")
do
    echo "===[ $DEVICE ]==="
    echo "" >> "$CHANGELOG"
    echo "===[ $DEVICE ]===" >> "$CHANGELOG"
    echo "" >> "$CHANGELOG"
    OUTPUT=$("$CLOGINPATH" -f "$CREDENTIALS" -x "$CHANGESCRIPTPATH$CHANGESCRIPT" "$DEVICE")
    echo "$OUTPUT" >> "$CHANGELOG"
done
# --- end config-push.sh ---

To run the script from a command line in the same directory, use ./config-push.sh
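Two checks I would put in front of the clogin loop, as an added example and not part of the original script: validate every line of the device list before it reaches a command line (the loop above feeds `cat $DEVICELIST` straight to clogin, so a blank, a comment or an entry with shell metacharacters would be passed through as-is), and refuse a change script that carries commands a bulk push is not meant to carry. The directory names are the post's own; the blocked-command pattern is an assumed starting point.

```shell
#!/bin/bash
# Added example: input checks for config-push.sh (not part of the original).
# Directory names follow the post; the pattern in check_change_script is an
# assumed starting list, extend it to suit the environment.

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    local o
    [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do (( 10#$o <= 255 )) || return 1; done
}

# 0 if $1 is a hostname built only from RFC 1123 label characters
# (and contains at least one letter, so a malformed IP is not accepted).
is_hostname() {
    [[ $1 =~ [A-Za-z] ]] &&
    [[ $1 =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$ ]]
}

# Print the accepted devices from file $1 one per line, report every
# rejected line on stderr, and return 1 if anything was rejected.
validate_device_list() {
    local file=$1 line n=0 bad=0
    while IFS= read -r line || [[ -n $line ]]; do
        n=$((n + 1))
        line=${line%$'\r'}                            # tolerate CRLF files
        [[ -z $line || $line == \#* ]] && continue    # blanks and comments
        if is_ipv4 "$line" || is_hostname "$line"; then
            printf '%s\n' "$line"
        else
            printf 'line %d rejected: %q\n' "$n" "$line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# 0 unless the change script contains a command the bulk push is not meant
# to carry (assumed list: reload, erase, format, write erase, no username/aaa).
check_change_script() {
    ! grep -Eiq '^[[:space:]]*(reload|erase|format|write erase|no (username|aaa))' "$1"
}

# Usage in config-push.sh, after the two prompts have been answered:
#   DEVICES=$(validate_device_list "$DEVICELISTPATH$DEVICELIST") || exit 1
#   check_change_script "$CHANGESCRIPTPATH$CHANGESCRIPT" || exit 1
#   for DEVICE in $DEVICES; do ... done
```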


Cisco ASA Capture

10/11/2012

The Cisco ASA capture is one of those tools which I initially hated compared to the old debug packet command. However, as with most things, you get to grips with the features and it delivers more than you first expected. Once you’ve reached enlightenment it's then a slippery slope of despair as it fails, fails and temporarily works. After a few failed attempts and further discussions with peers and colleagues who had little success, I sat down with a workmate and went through each phase of the configuration and worked out a method to achieve a winning result.

In summary, the key component is the access-list. The issue we saw required that we specify the networks as well as the hosts, using deny statements to limit the capture to the individual hosts. If this method was not used then the capture would be empty. Go figure…

Access-list example:

access-list CAPTURE-ACL extended permit ip host 1.1.1.1 any
access-list CAPTURE-ACL extended permit ip host 2.2.2.2 any
access-list CAPTURE-ACL extended permit ip any host 1.1.1.1
access-list CAPTURE-ACL extended permit ip any host 2.2.2.2
access-list CAPTURE-ACL extended deny icmp any any
access-list CAPTURE-ACL extended deny ip 1.0.0.0 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip any 1.0.0.0 255.0.0.0
access-list CAPTURE-ACL extended deny ip 2.0.0.0 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip any 2.0.0.0 255.0.0.0

The next stage is to create the capture. In this example we use a 32 MB circular buffer, which wraps around and overwrites the earliest captured content once it is full (neat trick to follow).

Capture example:

capture WIRE-TRACE access-list CAPTURE-ACL buffer 32000000 interface INSIDE circular-buffer

To view the capture in the console you can issue the “show capture CAPTURE-NAME” command.

If you wish to view the content in a web browser, as if you were accessing the ASDM, it is available via https://<ip address>/capture/<capture name>/

To download the file in .pcap format to open in Wireshark or your favourite packet analyser, use the following URL: https://<ip address>/capture/<capture name>/pcap

And finally, the neat bit...

I remembered reading somewhere about outputting the content from the CLI to a TFTP server. While digging around the Interweb-Library (Google) we came across a script, run from a Linux host as a crontab process, which uses wget to grab the pcap file as a scheduled task. If your throughput is not too great, this ensures that you grab the pcap before it rolls over and overwrites the earlier captured content.

Create a script on your Linux host using touch or your preferred method and add the following line to it:

wget -P /FIREWALL 'https://USER LOGON:PASSWORD LOGON@10.10.10.10/capture/OCC-CAP/pcap' --no-check-certificate

As an example for the crontab, running the script every five minutes:

*/5 * * * * /FIREWALL/grab-capture.sh
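A hardened version of the grab script, added here and not part of the post or the script it describes. It keeps the ASA address, capture name and /FIREWALL directory from the post, and assumes the credentials live in ~/.netrc (which wget reads by default) and that the ASA's certificate has been exported to /FIREWALL/asa-cert.pem so --no-check-certificate is not needed.

```shell
#!/bin/bash
# grab-capture.sh, an added example rather than the post's one-liner.
# Credentials come from ~/.netrc ("machine 10.10.10.10 login USER password
# PASS", mode 600), so they appear in neither the crontab, the process list
# nor the shell history; the ASA certificate is verified against a pinned
# copy; each run writes a timestamped file and checks it really is a pcap.
# ASA, capture name and /FIREWALL are the post's; CA_CERT is assumed.

ASA=10.10.10.10
CAPTURE=OCC-CAP
OUTDIR=/FIREWALL
CA_CERT=/FIREWALL/asa-cert.pem    # assumed: the ASA's exported certificate

# The download URL the post describes, for a given ASA and capture name.
capture_url() {
    printf 'https://%s/capture/%s/pcap' "$1" "$2"
}

# Timestamped destination so successive cron runs never overwrite each other.
output_path() {    # $1 = directory, $2 = capture name, $3 = timestamp
    printf '%s/%s-%s.pcap' "$1" "$2" "$3"
}

# 0 if file $1 starts with a libpcap or pcapng magic number; a login or
# error page saved in place of the capture will not.
is_pcap_file() {
    local magic
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch one copy of the capture; remove the file and fail if it is not a pcap.
fetch_capture() {
    local out
    out=$(output_path "$OUTDIR" "$CAPTURE" "$(date +%Y%m%d-%H%M%S)")
    wget -q --ca-certificate="$CA_CERT" -O "$out" "$(capture_url "$ASA" "$CAPTURE")" \
        || { rm -f "$out"; return 1; }
    if ! is_pcap_file "$out"; then
        echo "$out is not a pcap file, removing it" >&2
        rm -f "$out"
        return 1
    fi
}

# Cron entry:  */5 * * * * /FIREWALL/grab-capture.sh fetch
[[ ${1-} == fetch ]] && fetch_capture
```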