11/05/2014
vtp mode transparent
!
!
vlan 111
name PVLAN-111-PRIMARY
private-vlan primary
private-vlan association 222,333
!
vlan 222
name PVLAN-222-COMMUNITY
private-vlan community
!
vlan 333
name PVLAN-333-ISOLATED
private-vlan isolated
!
!
interface FastEthernet0/1
Description * * PVLAN-COMMUNITY * *
switchport private-vlan host-association 111 222
switchport mode private-vlan host
!
interface FastEthernet0/2
Description * * PVLAN-COMMUNITY * *
switchport private-vlan host-association 111 222
switchport mode private-vlan host
!
interface FastEthernet0/3
Description * * ISOLATED * *
switchport private-vlan host-association 111 333
switchport mode private-vlan host
!
interface FastEthernet0/4
Description * * PVLAN-PROMISCUOUS * *
switchport private-vlan mapping 111 222,333
switchport mode private-vlan promiscuous
!
#
# show vlan private-vlan
Primary Secondary Type      Ports
------- --------- --------- ------------------------------
111     222       community Fa0/1, Fa0/2, Fa0/3, Fa0/8
111     333       isolated  Fa0/4, Fa0/8
#
#show vlan private-vlan type
Vlan Type
---- ---------
111  primary
222  community
333  isolated
#
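As an added worked example (not code from the original post), the Python below parses the configuration above and works out which ports may exchange frames, which is the quickest way to sanity-check a PVLAN design before it goes in: the community ports reach each other and the promiscuous port, the isolated port reaches only the promiscuous port, and any host port whose secondary VLAN is not associated with the primary is flagged. The parser understands only the vlan and interface lines shown; the port and VLAN numbers are those of the config.

```python
"""Private VLAN reachability checker.

Added example, not code from the original post: it parses the 'vlan' and
'interface' lines of the configuration above and answers "may a frame from
port A be delivered to port B?" using the private-VLAN rules:
  - promiscuous ports reach every secondary VLAN they are mapped to
  - community ports reach their own community and promiscuous ports
  - isolated ports reach promiscuous ports only
It also flags host ports whose secondary VLAN is not associated with the
primary, the usual reason a PVLAN host port passes no traffic at all.
"""
import re

# Constructed input: the post's configuration, trimmed to the lines parsed here.
SAMPLE_CONFIG = """
vlan 111
 private-vlan primary
 private-vlan association 222,333
vlan 222
 private-vlan community
vlan 333
 private-vlan isolated
interface FastEthernet0/1
 switchport private-vlan host-association 111 222
 switchport mode private-vlan host
interface FastEthernet0/2
 switchport private-vlan host-association 111 222
 switchport mode private-vlan host
interface FastEthernet0/3
 switchport private-vlan host-association 111 333
 switchport mode private-vlan host
interface FastEthernet0/4
 switchport private-vlan mapping 111 222,333
 switchport mode private-vlan promiscuous
"""


def _vlan_set(token):
    return {int(v) for v in token.split(",")}


def parse_pvlan(config):
    """Return (vlan_types, associations, ports) from a config fragment.

    vlan_types:   {vlan_id: 'primary' | 'community' | 'isolated'}
    associations: {primary_id: {secondary_id, ...}}
    ports:        {name: {'mode': 'host'|'promiscuous'|None, 'primary': int|None,
                          'secondaries': {int, ...}}}
    """
    vlan_types, associations, ports = {}, {}, {}
    vlan = port = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            vlan, port = int(m.group(1)), None
        elif m := re.match(r"interface (\S+)$", line):
            port, vlan = m.group(1), None
            ports[port] = {"mode": None, "primary": None, "secondaries": set()}
        elif vlan is not None:
            if m := re.match(r"private-vlan (primary|community|isolated)$", line):
                vlan_types[vlan] = m.group(1)
            elif m := re.match(r"private-vlan association ([\d,]+)$", line):
                associations[vlan] = _vlan_set(m.group(1))
        elif port is not None:
            if m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)$", line):
                ports[port]["primary"] = int(m.group(1))
                ports[port]["secondaries"] = _vlan_set(m.group(2))
            elif m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                ports[port]["mode"] = m.group(1)
    return vlan_types, associations, ports


def config_errors(vlan_types, associations, ports):
    """Misconfigurations that leave a port silently dead."""
    errors = []
    for name, p in sorted(ports.items()):
        if p["mode"] is None or p["primary"] is None:
            errors.append(f"{name}: incomplete private-vlan configuration")
            continue
        if vlan_types.get(p["primary"]) != "primary":
            errors.append(f"{name}: VLAN {p['primary']} is not a primary VLAN")
        for sec in sorted(p["secondaries"] - associations.get(p["primary"], set())):
            errors.append(f"{name}: secondary VLAN {sec} is not associated with primary {p['primary']}")
    return errors


def can_talk(vlan_types, ports, a, b):
    """True if the switch will deliver a frame from port a to port b."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False                                   # different primary VLANs never meet
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True                                    # both sit in the primary VLAN itself
    if pa["mode"] == "promiscuous":
        return pb["secondaries"] <= pa["secondaries"]  # host's secondary must be mapped
    if pb["mode"] == "promiscuous":
        return pa["secondaries"] <= pb["secondaries"]
    if len(pa["secondaries"]) != 1 or pa["secondaries"] != pb["secondaries"]:
        return False                                   # different secondaries are separated
    (sec,) = pa["secondaries"]
    return vlan_types.get(sec) == "community"          # isolated hosts never reach each other


def reachability(config):
    """{(src, dst): bool} for every ordered pair of distinct ports."""
    vlan_types, _assoc, ports = parse_pvlan(config)
    names = sorted(ports)
    return {(a, b): can_talk(vlan_types, ports, a, b) for a in names for b in names if a != b}


if __name__ == "__main__":
    for err in config_errors(*parse_pvlan(SAMPLE_CONFIG)) or ["config is consistent"]:
        print(err)
    for (src, dst), ok in reachability(SAMPLE_CONFIG).items():
        print(f"{src:16} -> {dst:16} {'allowed' if ok else 'blocked'}")
```

Note that the matrix is directional only in form: a PVLAN blocks both directions of a disallowed pair, so the two entries for any pair always agree.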
Leave a Comment » | CCNP, Layer2, Layer3, SWITCH, Switching, Uncategorized | Permalink
Posted by swampie51
18/04/2014
The Cisco ASA has a feature that allows granular control of VPN access (in one form or another) based on LDAP group membership. This post comes after working through a number of configurations that either did not work or worked sporadically. The configuration is based on AnyConnect Essentials SSL/IPsec VPN authentication and access. I learnt that when it does not work there are two possibilities:
1) It's configured wrong
2) It's a bug (this caused me 4 hours of head scratching on 8.4(5))
The configured LDAP attribute map is as follows:
ldap attribute-map LDAP-ATTRIB-MAP
map-name memberOf Group-Policy
map-value memberOf CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL GPO-ALLOW
map-name primaryGroupID Group-Policy
map-value primaryGroupID 513 GPO-NOACCESS
The map-value line for “memberOf CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL” maps members of that group to the ASA VPN group policy GPO-ALLOW. To deny everyone else, “primaryGroupID 513” (Domain Users, which every domain account carries by default) maps to the group policy GPO-NOACCESS, a policy that denies the connection (typically by setting vpn-simultaneous-logins 0). Two things to check when it misbehaves: the map-value string must match the DN the directory returns character for character (OU order and spacing included), and a VPN_Admins member also has primaryGroupID 513, so both rules fire for that account; confirm with the debug below that the intended policy wins. The LDAP attribute map is then assigned to the AAA LDAP server group.
Your friend here is the debug console, specifically “debug ldap 255”. In the debug output you can see the LDAP group values being matched to ASA group policies:
memberOf: value = CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL
mapped to Group-Policy: value = GPO-ALLOW
mapped to LDAP-Class: value = GPO-ALLOW
memberOf: value = CN=VPN_Users,OU=VPNUSER,OU=OX14_Users,DC=OX14,DC=LOCAL
mapped to Group-Policy: value = GPO-NOACCESS
mapped to LDAP-Class: value = GPO-NOACCESS
I’ll update this soon with a full point and click ASDM guide.
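Added example, not part of the post or of Cisco's software: a small Python simulation of how the attribute map is applied to what the directory returns for a user, used to spot the two usual causes of "it works sporadically". The memberOf comparison is modelled as an exact string match (an assumption of the simulation), and the user records below are constructed.

```python
"""ASA LDAP attribute-map evaluation, simulated.

Added example, not code from the post or from Cisco. It applies the attribute
map above to the attributes a directory returns for a user and lists the ASA
Group-Policy value each attribute value maps to. Two things it makes visible:
a map-value DN that does not match the directory's string exactly never
matches, and a VPN_Admins member also carries primaryGroupID 513, so both
rules fire for that account. Which of the two policies the ASA then applies is
something to confirm with 'debug ldap 255' on the box; this code only reports
the conflict. The user records are constructed.
"""
import re

ATTRIBUTE_MAP = """
ldap attribute-map LDAP-ATTRIB-MAP
  map-name memberOf Group-Policy
  map-value memberOf CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL GPO-ALLOW
  map-name primaryGroupID Group-Policy
  map-value primaryGroupID 513 GPO-NOACCESS
"""

# Constructed directory results: {ldap attribute: [values]}
ADMIN = {"memberOf": ["CN=VPN_Admins,OU=VPNADMIN,OU=OX14_Users,DC=OX14,DC=LOCAL"],
         "primaryGroupID": ["513"]}
USER = {"memberOf": ["CN=VPN_Users,OU=VPNUSER,OU=OX14_Users,DC=OX14,DC=LOCAL"],
        "primaryGroupID": ["513"]}
# The same map with a stray space typed after the first comma of the DN.
NEAR_MISS_MAP = ATTRIBUTE_MAP.replace("CN=VPN_Admins,OU=", "CN=VPN_Admins, OU=")


def parse_attribute_map(text):
    """Return {ldap_attr: (cisco_attr, {ldap_value: cisco_value})}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"map-name (\S+) (\S+)$", line):
            mapping[m.group(1)] = (m.group(2), {})
        elif m := re.match(r"map-value (\S+) (.+) (\S+)$", line):
            ldap_attr, ldap_value, cisco_value = m.groups()
            mapping.setdefault(ldap_attr, (None, {}))[1][ldap_value] = cisco_value
    return mapping


def evaluate(mapping, user_attrs):
    """List (ldap_attr, ldap_value, cisco_attr, cisco_value) for every value that matches.

    Matching is an exact comparison of the whole string (assumption of this
    simulation); the point is that OU order and stray spaces make it fail.
    """
    hits = []
    for attr, values in user_attrs.items():
        if attr not in mapping:
            continue
        cisco_attr, value_map = mapping[attr]
        for value in values:
            if value in value_map:
                hits.append((attr, value, cisco_attr, value_map[value]))
    return hits


def group_policies(mapping, user_attrs):
    """Distinct Group-Policy results, in the order the attributes are evaluated."""
    result = []
    for _attr, _value, cisco_attr, cisco_value in evaluate(mapping, user_attrs):
        if cisco_attr == "Group-Policy" and cisco_value not in result:
            result.append(cisco_value)
    return result


if __name__ == "__main__":
    mapping = parse_attribute_map(ATTRIBUTE_MAP)
    for label, user in (("admin", ADMIN), ("user", USER)):
        for attr, value, cisco_attr, cisco_value in evaluate(mapping, user):
            print(f"[{label}] {attr}: value = {value}")
            print(f"[{label}]   mapped to {cisco_attr}: value = {cisco_value}")
        policies = group_policies(mapping, user)
        if len(policies) > 1:
            print(f"[{label}] CONFLICT {policies}: verify the winner with debug ldap 255")
    print("near-miss map, admin:", group_policies(parse_attribute_map(NEAR_MISS_MAP), ADMIN))
```

The near-miss case is the one to remember: a map-value typed with a space, or with the OUs in a different order from what the directory returns, silently matches nothing, and the admin then lands on the primaryGroupID rule and gets GPO-NOACCESS.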
Leave a Comment » | Uncategorized | Tagged: ANYCONNECT, ASA, LDAP ATTRIBUTE, VPN | Permalink
Posted by swampie51
31/03/2013
The following link is one I found when investigating the use of 1131AG access points. Positioning on a ceiling is certainly better understood after reviewing this document.
http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.html
Leave a Comment » | About Me, ACE, CCNP, CSM, DMVPN, Firewall, IP SLA, iPAD/iPhone, IPSEC, IUWNE, Layer2, Layer3, Linux, LYNC, Monitoring, Proxy, Rancid, Routing, SWITCH, Switching, Troubleshooting, Uncategorized, VPN, Wireless | Permalink
Posted by swampie51
24/02/2013
Update the 000-default site file with the details below to add basic authentication to the CGI directory.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
order deny,allow
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AuthType Basic
AuthName "CVS REPO"
AuthUserFile /etc/apache2/.htpasswd
AllowOverride All
Require valid-user
</Directory>
The command below creates a new user and leads you through setting a password for that user. The -c flag creates (or overwrites!) the file, so omit it when adding further users, and run it against the same path the AuthUserFile directive uses:
network@S-ABD-RANCID:$ sudo htpasswd -c .htpasswd myuser
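Added example, not from the post: what the Require valid-user block actually does with a request, written out in Python so the two caveats are concrete. The htpasswd content is constructed and uses the {SHA} format written by htpasswd -s (the one scheme the standard library can verify; use -B for bcrypt on a real server), and the header decode shows that Basic credentials sent over plain port 80 are base64, not encrypted.

```python
"""Basic authentication against an htpasswd file.

Added example, not code from the post or from Apache. It does what the
'AuthType Basic' / 'Require valid-user' block does for one request: decode
the Authorization header, look the user up in the htpasswd file and compare
the password against the stored hash. The file below is constructed and uses
the {SHA} scheme of 'htpasswd -s' so it can be verified with hashlib alone;
on a production server prefer bcrypt ('htpasswd -B').
"""
import base64
import hashlib
import hmac

# Constructed htpasswd file: alice / "correct horse", bob / "hunter2"
HTPASSWD = "\n".join([
    "alice:{SHA}" + base64.b64encode(hashlib.sha1(b"correct horse").digest()).decode(),
    "bob:{SHA}" + base64.b64encode(hashlib.sha1(b"hunter2").digest()).decode(),
])


def load_htpasswd(text):
    """{user: stored_hash} from htpasswd file content."""
    users = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, stored = line.split(":", 1)
            users[name] = stored
    return users


def check_password(stored, password):
    """Verify one htpasswd entry; only the {SHA} scheme is implemented here."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], digest)   # constant-time comparison
    raise ValueError("unsupported hash scheme (this example handles {SHA}; prefer bcrypt)")


def authorize(header_value, users):
    """Return the user name if an 'Authorization: Basic ...' value is valid, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    return user if check_password(users[user], password) else None


def basic_header(user, password):
    """The header a browser sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def reveal(header_value):
    """Recover user:password from a captured Basic header, as anyone on the path can."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD)
    hdr = basic_header("bob", "hunter2")
    print("on the wire:", hdr, "->", reveal(hdr))
    print("valid login:", authorize(hdr, users))
    print("wrong password:", authorize(basic_header("bob", "letmein"), users))
```

The reveal() line is the argument for putting this behind TLS: the VirtualHost above listens on port 80, so every request carries the password in a trivially reversible form.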
Posted by swampie51
24/02/2013
To permit ANY packet that arrives through an IPsec tunnel without checking interface ACLs such as OUTSIDE_ACCESS_IN, the following enables IPsec traffic through the ASA without ACL inspection. This is the default on the ASA, so be aware that decrypted VPN traffic bypasses the interface ACLs unless you disable it (no sysopt connection permit-vpn) or restrict what each peer can reach with a vpn-filter in its group policy:
hostname(config)# sysopt connection permit-vpn
Posted by swampie51
24/02/2013
VLAN TRUNKING PROTOCOL (VTP) is designed to ease administration of a large number of switches. It propagates VLAN additions, deletions and renames. A switch can belong to only one VTP domain.
There are 3 versions of VTP and only two of those are commonly used (version 3 originated on CatOS and is available on newer IOS releases). VTP is a method of synchronising the VLAN databases of switches. The term domain is used to identify a cluster/group of switches. If the databases are to be shared then the domain name and any password set must match (not totally true, read below for more details).
VTP advertisements carry the revision number and are sent when a change is made or every 5 minutes. The advertisements are multicast frames and travel only over trunk links.
A summary advertisement is sent out every 300 seconds and whenever a change occurs.
A subset advertisement follows a configuration change and carries the VLAN name, SAID value, type and MTU.
A request is sent by a client switch to obtain up-to-date information.
Each change made to a VLAN increments the revision number. A switch compares revision numbers when it receives an advertisement and overwrites its own VTP database if the peer's revision is higher (potentially changing the VLANs assigned across the domain), then forwards the advertisement to its neighbours. If the switch receives an advertisement with a lower revision it replies with its own advertisement to update that neighbour. The consequence is the classic VTP accident: any switch, server or client, with a matching domain name and password and a higher revision number overwrites the VLAN database of the whole domain the moment it is trunked in. Reset the revision to zero (change the domain name, or set the switch to transparent mode and back) before connecting a switch to a production domain.
The roles are:
SERVER: This is the default; the switch can create, delete and rename VLANs and advertises them to the domain.
CLIENT: Cannot create, delete or rename VLANs locally, but accepts and forwards advertisements. I have seen events where client switches have passed updates on to server peers.
TRANSPARENT: Allows the creation, deletion and renaming of VLANs, but all information remains local. This mode forwards VTP advertisements to its peers without applying them.
show vtp status identifies the version in use, the revision number and the number of VLANs being passed around via VTP.
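Added example (not from the post): a Python model of the revision-number rule above, run through the scenario every switching engineer has seen once, a lab switch with a stale but high revision being trunked into production. The domain, password, switch names and VLANs are constructed.

```python
"""VTP revision propagation, simulated.

Added example, not code from the post. Every switch holds a VLAN database and a
configuration revision; an advertisement with a higher revision in the same
domain (and password) replaces the receiver's database whether the receiver is
a server or a client, and is forwarded on. A lower revision makes the receiver
answer with its own database. Transparent switches relay without applying.
The scenario reproduces the classic accident: a client with a higher revision
is connected and wipes the production VLANs. Names, domain, password and VLANs
are constructed.
"""


class Switch:
    def __init__(self, name, mode, domain, password, revision, vlans):
        self.name, self.mode = name, mode                   # mode: server | client | transparent
        self.domain, self.password = domain, password
        self.revision, self.vlans = revision, dict(vlans)   # vlans: {vlan_id: name}
        self.neighbors = []

    def link(self, other):
        """A trunk between two switches; VTP only travels over trunks."""
        self.neighbors.append(other)
        other.neighbors.append(self)

    def change_vlan(self, vlan_id, name):
        """Edit the local database. Servers bump the revision and advertise."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot edit VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def advertise(self):
        adv = {"domain": self.domain, "password": self.password,
               "revision": self.revision, "vlans": dict(self.vlans)}
        self._forward(adv, seen={self.name})

    def _forward(self, adv, seen):
        for n in self.neighbors:
            if n.name not in seen:
                seen.add(n.name)
                n.receive(adv, seen)

    def receive(self, adv, seen):
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return                                          # other domain or bad password: ignored
        if self.mode == "transparent":
            self._forward(adv, seen)                        # relayed, database untouched
        elif adv["revision"] > self.revision:
            self.revision, self.vlans = adv["revision"], dict(adv["vlans"])
            self._forward(adv, seen)                        # newer database wins and propagates
        elif adv["revision"] < self.revision:
            self.advertise()                                # bring the stale neighbour up to date


PROD_VLANS = {10: "SERVERS", 20: "USERS", 30: "VOICE"}


def build_domain():
    core = Switch("core", "server", "OX14", "s3cret", 10, PROD_VLANS)
    access = Switch("access1", "client", "OX14", "s3cret", 10, PROD_VLANS)
    core.link(access)
    return core, access


def connect_lab_switch(revision):
    """Trunk a lab switch (client mode, only VLAN 1) into access1 and let VTP run."""
    core, access = build_domain()
    lab = Switch("lab", "client", "OX14", "s3cret", revision, {1: "default"})
    access.link(lab)
    lab.advertise()
    return core, access, lab


if __name__ == "__main__":
    core, access, lab = connect_lab_switch(revision=50)
    print("lab switch at revision 50:", core.vlans, "core revision", core.revision)
    core, access, lab = connect_lab_switch(revision=0)
    print("lab switch reset to 0:    ", core.vlans, "core revision", core.revision)
```

Run it and the first line shows the core server holding only VLAN 1 at revision 50, even though the switch that caused it is a client; the second line shows the harmless outcome after the revision was reset first.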
Posted by swampie51
24/02/2013
Q-in-Q carries already-tagged frames across a network by tunnelling them inside a single VLAN. The process adds a second 802.1Q tag to each frame; as the frames traverse the network the infrastructure sees only the outer tag and forwards on that VLAN. Q-in-Q tunnels are usually implemented by service providers to encapsulate a customer's multiple VLANs in a single provider VLAN.
Eg: as a simple example
Customer VLANs 1,2,3,4,5
Service provider VLAN 100
Customer switch trunk, VLANs 1-5 ----> (service provider dot1q-tunnel, VLAN 100) ----> VLANs 1-5
This is enabled on the provider-edge port with:
switchport mode dot1q-tunnel
The port's access VLAN (100 here) becomes the outer tag. The tunnel ports must be configured at both ends of the provider link, and because every frame grows by 4 bytes the provider switches need a system MTU of at least 1504 bytes or the tunnelled frames are dropped as giants.
Posted by swampie51
24/02/2013
ISL: Cisco proprietary; encapsulates the original frame with a 26-byte header and a 4-byte trailer. ISL VLANs are 1-1001.
802.1Q: Open standard; inserts a 4-byte tag into the Ethernet header immediately after the source MAC address. The tag carries the 3-bit 802.1p priority and a 12-bit VLAN ID (0-4095, with 0 and 4095 reserved). The trunk's native VLAN is carried untagged, so keep the native VLAN separate from any VLAN carrying user traffic.
If a mixture of ISL and 802.1Q is in use then VLANs can only be mapped across up to the ISL limit of 1001.
Points to note: if a non-trunking port receives an ISL-encapsulated frame the frame is dropped, because the header and trailer push it over the maximum frame size and it is counted as an error (a giant).
If an 802.1Q frame is received on a non-trunking port then the source and destination MAC addresses are checked and the frame is switched normally at Layer 2.
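Added example serving both this post and the Q-in-Q post above; it is not code from either. The Python builds the 802.1Q tag byte for byte, then pushes and pops the outer Q-in-Q tag the way the provider edge does, so the layout, the priority bits and the 4-byte growth are all visible. MAC addresses and payload are constructed.

```python
"""802.1Q tags and Q-in-Q stacking, byte by byte.

Added example, not code from either post. It shows what the two posts describe:
the 4-byte 802.1Q tag (TPID + TCI) goes directly after the source MAC address,
the 802.1p priority is the top three bits of the TCI and the VLAN ID the low
twelve, and a Q-in-Q tunnel simply pushes a second, outer tag in front of the
customer's tag on ingress and pops it again on egress. MAC addresses and the
payload are constructed.
"""
import struct

TPID_8021Q = 0x8100    # customer (C-)tag; Catalyst dot1q-tunnel uses it for the outer tag too
TPID_8021AD = 0x88A8   # service (S-)tag TPID defined by 802.1ad
ETHERTYPE_IPV4 = 0x0800

DST = bytes.fromhex("ffffffffffff")     # constructed broadcast destination
SRC = bytes.fromhex("0050569a0001")     # constructed source MAC


def tag(tpid, vlan_id, priority=0, dei=0):
    """One 4-byte tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits (0 and 4095 are reserved)")
    tci = (priority & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: (tpid, vlan_id, priority) tuples, outermost first."""
    header = dst + src + b"".join(tag(t, v, p) for t, v, p in tags)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [(tpid, priority, vlan_id), ...], ethertype, payload)."""
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def push_tag(frame, tpid, vlan_id, priority=0):
    """Provider edge on ingress (dot1q-tunnel port): insert the outer tag after the source MAC."""
    return frame[:12] + tag(tpid, vlan_id, priority) + frame[12:]


def pop_tag(frame):
    """Provider edge on egress: strip the outermost tag."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid not in (TPID_8021Q, TPID_8021AD):
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def qinq_roundtrip(customer_vlan, provider_vlan):
    """Customer frame tagged for its own VLAN, carried in the provider VLAN, then restored."""
    customer = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19,
                           tags=[(TPID_8021Q, customer_vlan, 5)])
    tunnelled = push_tag(customer, TPID_8021Q, provider_vlan)
    restored = pop_tag(tunnelled)
    return customer, tunnelled, restored


if __name__ == "__main__":
    customer, tunnelled, restored = qinq_roundtrip(customer_vlan=3, provider_vlan=100)
    print("customer :", customer.hex(" ", 1))
    print("tunnelled:", tunnelled.hex(" ", 1),
          f"(+{len(tunnelled) - len(customer)} bytes: raise the provider MTU)")
    print("tags seen in the provider core:", parse_frame(tunnelled)[2])
    print("restored matches customer:", restored == customer)
```

The parser stops at the first EtherType that is not a TPID, which is exactly what a plain 802.1Q switch does with the tunnelled frame: it reads the outer tag (VLAN 100), forwards on it, and never looks at the customer's VLAN 3 tag underneath.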
Posted by swampie51
24/02/2013
DTP sends out advertisements every 30 seconds, and a port can become a trunk either by configuration or dynamically. A port can be in one of five modes:
ACCESS: A user port in a single VLAN.
TRUNK: The port is an unconditional trunk; it still sends DTP so that a dynamic peer will trunk with it.
NONEGOTIATE: The port is a trunk (or access port) that sends no DTP frames and does not negotiate with any peer.
DYNAMIC DESIRABLE: Actively negotiates with its peer and becomes a trunk if the other end is set to trunk, dynamic desirable or dynamic auto.
DYNAMIC AUTO: Passively waits for DTP from its peer; the peer must be configured as trunk or dynamic desirable for a trunk to form.
The security point: a port left in a dynamic mode (the factory default on Catalyst switches is dynamic auto or dynamic desirable, depending on platform) will form a trunk with anything that sends it DTP, including a host running an attack tool, which then has access to every VLAN. User-facing ports should be set to switchport mode access and switchport nonegotiate.
Posted by swampie51
14/02/2013
Upgrading/downgrading the APs/LAPs can be done, as with most things in networking, in many ways. This method is one of my favourites and allows you to copy the code off an existing LWAP node.
To copy the image off an LWAP node to a TFTP server:
archive upload-sw tftp:///c1130-rcvk9w8-mx.DEFAULT
To download the image onto the device (overwriting the existing image and reloading):
archive download-sw /force-reload /overwrite tftp:///c1130-rcvk9w8-mx.DEFAULT
Posted by swampie51
27/01/2013
Amir Mohammed, Henning Speckels, Nigel Sims, Julian Shead, Alastair Read, Paul Stayt, Jonathan Myers, Aaron Milton-Eldridge, Peter Massey.
Leave a Comment » | About Me, ACE, CCNP, CSM, DMVPN, Firewall, IP SLA, iPAD/iPhone, IPSEC, IUWNE, Layer2, Layer3, Linux, LYNC, Monitoring, Proxy, Rancid, Routing, SWITCH, Switching, Troubleshooting, Uncategorized, VPN, Wireless | Tagged: Oxfordshire County Council - Jan 2013 - Network Team | Permalink
Posted by swampie51
03/01/2013
Follow these steps to reset the password that allows the Admin user access to the ACE module. All it takes is console access to the chassis, which is a good reason to keep the console port physically secured:
1) Connect to the console port of the ACE module in the Catalyst 6500 series switch.
2) Reboot the ACE module from the Catalyst 6500 series CLI:
no power enable module x
power enable module x
3) During the bootup process, press ESC when the “Waiting for 3 seconds to enter setup mode…” message appears on the terminal (see the example below). If you miss the window, let the ACE module finish booting, reboot it again from the Catalyst 6500 series CLI and try again.
4) Setup mode asks whether you want to reset the admin password. Enter y. The “Resetting admin password to factory default” message appears: the ACE module deletes the admin user password from the startup configuration and resets the password to the factory default of admin.
<<abridged>>
Starting lcpfw process…
inserting IPCP klm
Warning: loading /itasca/klm/klm_session.klm will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module klm_session.klm loaded, with warnings
inserting cpu_util klm
create dev node as ‘mknod /dev/cpu_util c 236 0’
getting cpu_util dev major num
making new cpu_util dev node
Session Agent waiting for packets .
Waiting for 3 seconds to enter setup mode…
Entering setup sequence…
Reset Admin password [y/n] (default: n): y
Resetting admin password to factory default…
XR Serial driver version 1.0 (2004-11-08) with no serial options enabled
<<abridged>>
Loading.. Please wait…Done!!!
The boot process then continues as normal and you can log in at the prompt with the default admin password (change it straight away).
Posted by swampie51
29/12/2012
export http_proxy=http://:port
Posted by swampie51
29/12/2012
!
interface Vlan100
ip address 172.16.255.254 255.255.0.0
ip helper-address 172.16.255.250
ip pim sparse-mode
ip policy route-map ROUTE-PROXY-TRAFFIC-POLICY
!
!
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq 443
!
!
access-list 102 permit esp 172.16.1.0 0.0.0.255 any
access-list 102 permit ahp 172.16.1.0 0.0.0.255 any
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 500
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 4500
!
!
!
route-map ROUTE-PROXY-TRAFFIC-POLICY permit 10
match ip address 102
set ip next-hop 172.16.255.253
!
route-map ROUTE-PROXY-TRAFFIC-POLICY permit 50
match ip address 101
set ip next-hop 172.16.255.252
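Added example, not part of the post: a Python evaluator for the policy above, so you can check which next hop a given packet will get before committing the route-map to a production SVI. The packets and the remote address are constructed, and the ESP/AH entries are written in the form IOS accepts (permit esp / permit ahp; a port operator such as eq 50 is only valid for tcp and udp).

```python
"""Policy-based routing lookup, simulated.

Added example, not code from the post. It evaluates the ACLs and route-map
above for a packet and returns the next hop the policy would set, implementing
the IOS behaviour the configuration depends on: wildcard-mask matching,
first-match-wins within an ACL with an implicit deny at the end, route-map
sequences tried in order, and no match meaning the packet is routed normally
by the routing table. The packets are constructed.
"""
import ipaddress
import re

ACL_TEXT = """
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq 443
access-list 102 permit esp 172.16.1.0 0.0.0.255 any
access-list 102 permit ahp 172.16.1.0 0.0.0.255 any
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 500
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 4500
"""
# route-map ROUTE-PROXY-TRAFFIC-POLICY as (sequence, match ip address, set ip next-hop)
ROUTE_MAP = [(10, 102, "172.16.255.253"), (50, 101, "172.16.255.252")]
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}

_ACE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (any|\S+ \S+) (any|\S+ \S+)(?: eq (\S+))?$")


def _addr_spec(token):
    """'any' or 'network wildcard' -> (network_int, wildcard_int)."""
    if token == "any":
        return 0, 0xFFFFFFFF
    net, wild = token.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def _addr_matches(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; the remaining bits must equal the network."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def parse_acls(text):
    """{acl_number: [(action, proto, src_spec, dst_spec, dport_or_None), ...]}."""
    acls = {}
    for line in text.splitlines():
        if m := _ACE.match(line.strip()):
            num, action, proto, src, dst, port = m.groups()
            dport = None if port is None else int(PORT_NAMES.get(port, port))
            acls.setdefault(int(num), []).append((action, proto, _addr_spec(src), _addr_spec(dst), dport))
    return acls


def acl_permits(entries, pkt):
    """First matching entry decides; no matching entry means deny."""
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_addr_matches(pkt["src"], src) and _addr_matches(pkt["dst"], dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False


def policy_next_hop(acls, route_map, pkt):
    """Next hop from the first sequence whose ACL permits pkt; None = normal routing."""
    for _seq, acl, next_hop in route_map:
        if acl_permits(acls.get(acl, []), pkt):
            return next_hop
    return None


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    samples = {
        "http from client": {"proto": "tcp", "src": "172.16.1.20", "dst": "203.0.113.10", "dport": 80},
        "IKE from client": {"proto": "udp", "src": "172.16.1.20", "dst": "203.0.113.10", "dport": 500},
        "ESP from client": {"proto": "esp", "src": "172.16.1.20", "dst": "203.0.113.10"},
        "ssh from client": {"proto": "tcp", "src": "172.16.1.20", "dst": "203.0.113.10", "dport": 22},
        "http from other subnet": {"proto": "tcp", "src": "172.16.2.20", "dst": "203.0.113.10", "dport": 80},
    }
    for label, pkt in samples.items():
        print(f"{label:24} -> {policy_next_hop(acls, ROUTE_MAP, pkt) or 'routing table'}")
```

Two results are worth a second look: only 172.16.1.0/24 is policy-routed even though the SVI carries the whole /16, and anything that is neither web nor IPsec (the ssh sample) falls through to the routing table rather than to the proxy.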
Posted by swampie51
29/12/2012
If you actively use Visio and are as fed up with AutoConnect as I was, this is for you!
To enable or disable AutoConnect in all drawings:
- On the Tools menu, click Options.
- Click the General tab.
- Under Drawing window options, select or clear the Enable AutoConnect check box.
Posted by swampie51
29/12/2012
A banner should be an informational warning/notification and never a welcome to my device; a “welcome” can undermine an unauthorised-access case. I love a good banner and ASCII art, makes it all the more fun. The $(hostname) token at the end is expanded by IOS when the banner is displayed.
banner motd #
_~_
. / ^ -\ .
|\| (o) (o) |/|
|—–.OOOo–U–oOOO.——————|
| |
| * Authorised Access Only * |
| |
|_______________Oooo.__________________|
.oooO ( )
( ) ) /
\ ( (_/
\_)
This host is: $(hostname)
#
!
Posted by swampie51
11/12/2012
Having the need to look at a converged network/telephony strategy with Microsoft LYNC, and a request (not a requirement) for users to be able to access LYNC telephony over a Cisco wireless solution, and thinking a little outside the box, I had got to the point of considering how to run ATM over a lightweight solution.
Along came AVC.. it certainly looks like a great step forward and I can't wait to have an opportunity to play.
http://www.youtube.com/watch?feature=player_detailpage&v=h6ZLSc_lYEg
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf
Posted by swampie51
09/12/2012
I was looking at applying some filters to the ASDM logging viewer the other day and spent 5 minutes adding one of each type just to see what would appear within the configuration. It's pretty straightforward and very similar to Wireshark filters. Nb. the use of a “;” to terminate each filter where multiple filters are applied.
ASA Firewall Filters:
# Only source IP: FILTER:srcIP=172.16.0.50
# Only port 21: FILTER:srcPort=21;
# Source IP and port 21: FILTER:srcIP=172.16.0.50;FILTER:srcPort=21;
# Destination IP: FILTER:dstIP=10.206.164.41;
# Severity Level (4=WARNINGS): FILTER:sev=4;
Posted by swampie51
02/12/2012
One of my earlier posts covered routing NetFlow exports to a collector over IPsec. That method relied on GRE tunnels and loopback interfaces to forward the exports to a central router, which in turn forwarded them on to the collector.
The question of why bother, and not just use a Cisco ASA to terminate the VPN, could be raised, and I guess the requirements and the method of outgoing connectivity will have a say. However, the ASA supports exporting NetFlow over an IPsec tunnel with no funky workarounds. The two key things to remember are:
Define the collector (flow-export destination) on your INSIDE interface
Ensure the collector's address is covered by the crypto ACL (interesting traffic) so the exports go down the tunnel
Posted by swampie51