Friday, August 31, 2012

Perl Extracting matches

So /\d+/ and /(\d+)/ will still match as many digits as possible, but in the latter case the matched digits are remembered in a special variable so they can be back-referenced later.

Programming Perl


Extracting matches

The grouping metacharacters () also allow the extraction of the parts of a string that matched. For each grouping, the part that matched inside goes into the special variables $1, $2, etc. They can be used just as ordinary variables:

    # extract hours, minutes, seconds
    $time =~ /(\d\d):(\d\d):(\d\d)/; # match hh:mm:ss format
    $hours = $1;
    $minutes = $2;
    $seconds = $3;
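The same extraction as an added example, written in Python rather than Perl so that the examples on this page share one language (this is not code from perlrequick). It adds the two checks a practitioner wants around a capture: a failed match must be detected before the groups are read, and the captured digits must be range-checked, since a group only extracts text and never validates it. The sample strings are constructed.

```python
import re

# Three capture groups, the same shape as the Perl /(\d\d):(\d\d):(\d\d)/ above
TIME_RE = re.compile(r"(\d\d):(\d\d):(\d\d)")

def extract_time(text):
    """Return (hours, minutes, seconds) as ints, or None when nothing usable matched.

    Capturing only pulls the digits out; it does not check that they form a real
    clock time, so the ranges are validated after extraction.
    """
    m = TIME_RE.search(text)
    if m is None:                 # no match: there are no groups to read
        return None
    hours, minutes, seconds = (int(g) for g in m.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        return None               # digits matched, but not a valid hh:mm:ss
    return hours, minutes, seconds

if __name__ == "__main__":
    # Constructed inputs: a valid time, an out-of-range time, and no time at all
    for sample in ("boot at 16:43:18 local", "uptime 99:99:99", "no time here"):
        print(repr(sample), "->", extract_time(sample))
```

The explicit `None` check matters more in Perl than it looks: when a later match fails, $1, $2 and $3 keep the values from the last successful match, so reading them without testing the match result silently reuses stale data.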

http://perldoc.perl.org/perlrequick.html

Monday, August 27, 2012

AnyConnect VPN Client on IOS Router with IOS Zone Based Policy Firewall Configuration Example



In Cisco IOS® Software Release 12.4(20)T and later, a virtual interface SSLVPN-VIF0 was introduced for AnyConnect VPN client connections. But, this SSLVPN-VIF0 interface is an internal interface, which does not support user configurations. This created a problem with AnyConnect VPN and Zone Based Policy Firewall since with the firewall, traffic can only flow between two interfaces when both interfaces belong to security zones. Since the user cannot configure the SSLVPN-VIF0 interface to make it a zone member, VPN client traffic terminated on the Cisco IOS WebVPN gateway after decryption cannot be forwarded to any other interface belonging to a security zone. The symptom of this problem can be seen with this log message reported by the firewall:
*Mar  4 16:43:18.251: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.12:0 192.168.10.1:0 due to One of the interfaces not being cfged for zoning with ip ident 0
This issue was later addressed in newer software releases of Cisco IOS. With the new code, the user can assign a security zone to a virtual-template interface that is referenced under the WebVPN context, which associates a security zone with the WebVPN context.

 AnyConnect VPN Client on IOS Router with IOS Zone Based Policy Firewall Configuration Example

code:

interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security inside
 !
!
 
Note: reload the router after the change.  
Cisco SSL-VPN LAN Access with Zone Based Policy Firewall 

Monday, August 20, 2012

Automatically back up your router config

There are many ways to automatically back up a router config:

1. SNMP poll from a server
How To Copy Configurations To and From Cisco Devices Using SNMP

2. Use TCL/Expect script from a server
Script to backup Cisco Device Config

3. EEM/Kron policy list on a router
Daily backup

4. Using archive IOS command
How to use archive command to save configuration


I think #4 is the easiest one; all you need is an FTP server.

877wr1(config)#archive
877wr1(config-archive)#time-period
877wr1(config-archive)#write-memory
877wr1(config-archive)#path ftp://192.168.1.110/backup/$h

!! $h expands to the router's hostname

877wr1(config-archive)#?
Archive configuration commands:
  default       Set a command to its defaults
  exit          Exit from archive configuration mode
  log           Logging commands
  maximum       maximum number of backup copies !! the maximum is 14
  no            Negate a command or set its defaults
  path          path for backups
  rollback      Rollback parameters
  time-period   Period of time in minutes to automatically archive the running-config
  write-memory  Enable automatic backup generation during write memory

877wr1#sh archive
The maximum archive configurations allowed is 14.
The next archive file will be named ftp://192.168.1.110/backup/877wr1-1
 Archive #  Name
   1        ftp://192.168.1.110/backup/877wr1-0 <- Most Recent

Friday, August 17, 2012

ESMTP The AUTH Command

The AUTH command is an ESMTP command (SMTP service extension) that is used to authenticate the client to the server. The AUTH command sends the client's username and password to the e-mail server. AUTH is combined with a keyword such as PLAIN, LOGIN, CRAM-MD5 or DIGEST-MD5 (e.g. AUTH LOGIN) to choose an authentication mechanism. The mechanism determines how the login is performed and which level of security is used.

The AUTH LOGIN exchange is shown below.

S: 220 smtp.server.com Simple Mail Transfer Service Ready
C: EHLO client.example.com
S: 250-smtp.server.com Hello client.example.com
S: 250-SIZE 1000000
S: 250 AUTH LOGIN PLAIN CRAM-MD5
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: adlxdkej  <<<<<<<<<<<<<<< base64-encoded username
S: 334 UGFzc3dvcmQ6
C: lkujsefxlj  <<<<<<<<<<<<<<< base64-encoded password
S: 235 2.7.0 Authentication successful
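As an added example (not part of the quoted article), the Python below reproduces both sides of the exchange above: it decodes the server's 334 challenges, encodes the client's replies, and also builds and parses the single-line AUTH PLAIN form (RFC 4616) that the EHLO reply advertises. The credentials in the sample are constructed.

```python
import base64

def decode_auth_login_challenge(line):
    """Decode the base64 text after a 334 reply, e.g. '334 VXNlcm5hbWU6' -> 'Username:'."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not an AUTH continuation reply: " + line)
    return base64.b64decode(payload).decode("ascii")

def encode_auth_login_reply(value):
    """What the client sends back to each challenge: plain base64 of the username or password."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def encode_auth_plain(username, password, authzid=""):
    """AUTH PLAIN packs authzid NUL authcid NUL password into one base64 blob (RFC 4616)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(blob):
    """Split an AUTH PLAIN blob back into (authzid, authcid, password); reject malformed input."""
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return tuple(p.decode("utf-8") for p in parts)

if __name__ == "__main__":
    # Constructed transcript; 'alice' / 's3cret' are made-up credentials
    print(decode_auth_login_challenge("334 VXNlcm5hbWU6"))   # Username:
    print(decode_auth_login_challenge("334 UGFzc3dvcmQ6"))   # Password:
    print("C:", encode_auth_login_reply("alice"))
    blob = encode_auth_plain("alice", "s3cret")
    print("AUTH PLAIN", blob, "->", decode_auth_plain(blob))
```

Decoding the challenges makes the security property plain: LOGIN and PLAIN only base64-encode the credentials, they do not encrypt them, so anyone who can read the TCP stream recovers the password with one decode. That is why servers should advertise these mechanisms only after STARTTLS, and why a capture showing `AUTH LOGIN` on a cleartext session is worth an alert.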


The AUTH Command 

Difference Between LOOKUP Function and VLOOKUP in Excel

The vector syntax for LOOKUP looks for a matching value in a range of cells (vertical or horizontal) and returns the value in the matching vector position of the second supplied range. It is similar to VLOOKUP and HLOOKUP; however, it is limited to a single row or column to hold results.

VLOOKUP looks for a matching value in the first column of a range of cells and returns the value from the same row in the column of the range you specify. The range can have multiple columns. LOOKUP would have only one column to choose from.

To describe the difference, I would say LOOKUP has a single column or row range to hold the lookup values, and a single column or row range to hold the return values. The return range does not need to be adjacent to the lookup range, but can be. VLOOKUP can have multiple columns, the first being the lookup column. The other columns hold the result values and are chosen by the column parameter. The VLOOKUP function uses a single multi-cell range.

What's the difference between LOOKUP function and VLOOKUP in Excel?

Thursday, August 16, 2012

Hybrid Access Layer Design

Below is an interesting LAN switching solution, which covers layer two and layer three requirement.

Hybrid Access Layer Design

Encryption & Cryptographic Hash Function

Encryption

Data Encryption Standard (DES): key size 56 bits

Triple Data Encryption Algorithm (TDEA or Triple DEA): key sizes 168, 112 or 56 bits

Advanced Encryption Standard (AES): key sizes 128, 192 or 256 bits

RSA: key sizes 1,024 to 4,096 bits

RC4: key sizes 40–2,048 bits



Cryptographic hash function

MD5 Message-Digest Algorithm: digest size 128 bits

SHA-1: digest size 160 bits

A cryptographic hash function is a hash function, that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded is often called the "message," and the hash value is sometimes called the message digest or simply digest.
The ideal cryptographic hash function has four main or significant properties:
  • it is easy to compute the hash value for any given message
  • it is infeasible to generate a message that has a given hash
  • it is infeasible to modify a message without changing the hash
  • it is infeasible to find two different messages with the same hash
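The following Python is an added illustration (not from the quoted text) that uses the standard hashlib module to confirm the digest sizes listed above and to demonstrate the property that any change to the message changes the digest: it flips a single input bit and counts how many digest bits differ. The sample message is constructed.

```python
import hashlib

def digest_bits(algorithm):
    """Digest size in bits for a hashlib algorithm name, e.g. 'md5' -> 128, 'sha1' -> 160."""
    return hashlib.new(algorithm).digest_size * 8

def digest_hex(algorithm, message):
    """Hex digest of a message; the first of the four properties: easy to compute."""
    return hashlib.new(algorithm, message).hexdigest()

def flip_bit(data, bit_index):
    """Return a copy of data with one bit flipped (a minimal 'modification' of the message)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def differing_bits(algorithm, message, bit_index=0):
    """Count how many digest bits change when a single message bit is flipped."""
    a = int.from_bytes(hashlib.new(algorithm, message).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, flip_bit(message, bit_index)).digest(), "big")
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    msg = b"The quick brown fox"   # constructed sample message
    for alg in ("md5", "sha1", "sha256"):
        print(alg, digest_bits(alg), "bits:", digest_hex(alg, msg))
        print("  digest bits changed after flipping one input bit:", differing_bits(alg, msg))
```

Roughly half of the digest bits change for a one-bit input change, which is what "with very high probability" above means in practice. The fourth property, collision resistance, no longer holds for MD5 or SHA-1: practical collisions have been demonstrated for both, so new designs should use SHA-2 or SHA-3 and treat MD5 and SHA-1 digests as integrity hints rather than security controls.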

Internet Key Exchange

Architecture

Most IPsec implementations consist of an IKE daemon that runs in user space and an IPsec stack in the kernel that processes the actual IP packets.
User-space daemons have easy access to mass storage containing configuration information, such as the IPsec endpoint addresses, keys and certificates, as required. Kernel modules, on the other hand, can process packets efficiently and with minimum overhead—which is important for performance reasons.
The IKE protocol uses UDP packets, usually on port 500, and generally requires 4-6 packets with 2-3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. For instance, this could be an AES key, information identifying the IP endpoints and ports that are to be protected, as well as what type of IPsec tunnel has been created. The IPsec stack, in turn, intercepts the relevant IP packets if and where appropriate and performs encryption/decryption as required. Implementations vary on how the interception of the packets is done—for example, some use virtual devices, others take a slice out of the firewall, etc.

IKE Phases

IKE consists of two phases: phase 1 and phase 2.[10]
IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA).[11] The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption.[12] Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.[10]
During IKE phase 2, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).[13] Phase 2 operates only in Quick Mode.[10]

The ISAKMP security association negotiated during Phase 1 includes the negotiation of the following attributes used for subsequent negotiations:

    An encryption algorithm to be used, such as the Data Encryption Standard (DES).

    A hash algorithm (MD5 or SHA, as used by AH or ESP).

    An authentication method, such as authentication using previously shared keys.

    A Diffie-Hellman group. Diffie and Hellman were two pioneers in the industry who invented public-key cryptography. In this method, instead of encrypting and decrypting with the same key, data is encrypted using a public key knowable to anyone, and decrypted using a private key that is kept secret. A Diffie-Hellman group defines the attributes of how to perform this type of cryptography. Four predefined groups derived from OAKLEY are specified in IKE and provision is allowed for defining new groups as well.
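To show the one step of Phase 1 that the text describes in most detail, here is an added Python example (not from the quoted articles) of the Diffie-Hellman exchange between the two IKE peers: each side sends only its public value, and both derive the same shared secret, which then keys the encryption and hash algorithms negotiated in the same phase. The prime and generator are toy values chosen for illustration; real IKE uses the much larger MODP groups defined in RFC 2409 and RFC 3526, and the authentication step (pre-shared key or signatures) is not shown.

```python
import secrets

# Toy parameters (constructed, for illustration only): a Mersenne prime and a generator.
# Real IKE groups use the RFC 2409 / RFC 3526 MODP primes, which are far larger.
P = 2**127 - 1
G = 5

def dh_keypair(p=P, g=G):
    """Pick a private exponent and compute the public value g^priv mod p sent to the peer."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p-2
    return priv, pow(g, priv, p)

def dh_shared(priv, peer_public, p=P):
    """Derive the shared secret from our exponent and the peer's public value."""
    if not 1 < peer_public < p - 1:              # reject degenerate values 0, 1 and p-1
        raise ValueError("invalid peer public value")
    return pow(peer_public, priv, p)

def phase1_exchange():
    """Simulate both peers; only the public values cross the wire, the secrets stay local."""
    init_priv, init_pub = dh_keypair()           # initiator -> responder: init_pub
    resp_priv, resp_pub = dh_keypair()           # responder -> initiator: resp_pub
    secret_initiator = dh_shared(init_priv, resp_pub)
    secret_responder = dh_shared(resp_priv, init_pub)
    return secret_initiator, secret_responder

if __name__ == "__main__":
    a, b = phase1_exchange()
    print("initiator secret:", hex(a))
    print("responder secret:", hex(b))
    print("both sides agree:", a == b)
```

The check on the peer's public value is the detail worth keeping: accepting 0, 1 or p-1 lets the other side force the shared secret to a trivial value, and real implementations reject them for the same reason.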


Internet Key Exchange
IPSec Key Exchange (IKE)  

Tuesday, August 14, 2012

Spanning Tree Protocol priorities

Spanning Tree Protocol (STP) is vital for detecting loops within a switched network. Spanning tree works by designating a common reference point (the root bridge) and systematically building a loop-free tree from the root to all other bridges. All redundant paths remain blocked unless a designated link fails.

Spanning Tree Protocol operation

Select a root bridge.

Determine the least cost paths to the root bridge.

Disable all other root paths.

Modifications in case of ties.


In summary, the sequence of events to determine the best received BPDU (which is your best path to the root) is
  1. Lowest root bridge ID - Determines the root bridge
  2. Lowest cost to the root bridge - Favors the upstream switch with the least cost to root
  3. Lowest sender bridge ID - Serves as a tie breaker if multiple upstream switches have equal cost to root
  4. Lowest sender port ID - Serves as a tie breaker if a switch has multiple (non-Etherchannel) links to a single upstream switch

Bridge ID = priority (16 bits) + MAC address (48 bits); the default bridge priority is 32768.

Port ID = priority (4 bits) + interface number (12 bits); the default port priority is 128.
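As an added example (not from the linked articles), the Python below encodes the four-step comparison listed above as a sort key and uses it to pick the best received BPDU, i.e. the root port, from a constructed set of candidates. Bridge IDs and port IDs are built exactly as defined above: priority plus MAC, and 4-bit priority plus 12-bit port number. All switch names, MACs and port names are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeId:
    priority: int   # 16-bit priority field, default 32768
    mac: str        # 48-bit MAC address, e.g. "00:00:0c:bb:bb:01"

    def key(self):
        # Comparison order is priority first, then the MAC as a 48-bit integer
        return (self.priority, int(self.mac.replace(":", ""), 16))

@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId    # the bridge the sender believes is root
    root_cost: int       # sender's path cost to that root
    sender_id: BridgeId  # bridge ID of the sender
    sender_port_id: int  # 16-bit port ID of the sending port
    received_on: str     # local port the BPDU arrived on (constructed label)

def port_id(priority=128, number=1):
    """Build a 16-bit port ID: 4-bit priority (multiples of 16, 0..240) + 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240 or not 0 < number < 4096:
        raise ValueError("priority must be a multiple of 16 in 0..240, number 1..4095")
    return priority | number

def bpdu_key(b):
    """Tuple in the order the text lists: root ID, cost to root, sender ID, sender port ID. Lower wins."""
    return (b.root_id.key(), b.root_cost, b.sender_id.key(), b.sender_port_id)

def best_bpdu(bpdus):
    """The superior BPDU; the port it arrived on becomes this switch's root port."""
    return min(bpdus, key=bpdu_key)

# Constructed sample: one root bridge, two upstream switches, four BPDUs received here
ROOT = BridgeId(4096, "00:00:0c:aa:aa:01")
SW_A = BridgeId(32768, "00:00:0c:bb:bb:01")
SW_B = BridgeId(32768, "00:00:0c:cc:cc:01")
SAMPLE = [
    Bpdu(ROOT, 19, SW_B, port_id(128, 3), "Fa0/3"),  # same cost as SW_A, but SW_B has the higher MAC
    Bpdu(ROOT, 19, SW_A, port_id(128, 2), "Fa0/2"),  # same sender as Fa0/1; loses on port ID
    Bpdu(ROOT, 19, SW_A, port_id(128, 1), "Fa0/1"),  # lowest port ID from the lowest sender: root port
    Bpdu(ROOT, 38, SW_A, port_id(128, 4), "Fa0/4"),  # higher cost, eliminated at step 2
]

if __name__ == "__main__":
    for b in sorted(SAMPLE, key=bpdu_key):
        print(b.received_on, bpdu_key(b))
    print("root port:", best_bpdu(SAMPLE).received_on)
```

Because the comparison is a plain tuple ordering, the same key also tells you why a rogue switch announcing a low priority wins the root election outright (step 1 decides before cost is even considered), which is the case that BPDU guard and root guard exist to catch.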

Data rate and STP path cost

The table below shows the default cost of an interface for a given data rate.
Data rate      STP cost (802.1D-1998)    RSTP cost (802.1D-2004 / 802.1w)
4 Mbit/s       250                       5,000,000
10 Mbit/s      100                       2,000,000
16 Mbit/s      62                        1,250,000
100 Mbit/s     19                        200,000
1 Gbit/s       4                         20,000
2 Gbit/s       3                         10,000
10 Gbit/s      2                         2,000

http://en.wikipedia.org/wiki/Spanning_Tree_Protocol
http://packetlife.net/blog/2008/may/5/spanning-tree-protocol-priorities/
http://www.cisco.com/warp/public/473/spanning_tree1.swf

Monday, August 13, 2012

TCL + Cisco IOS + Kron

Task: perform a scheduled system health check on a Cisco router and e-mail the result automatically.

In the sendmail.tcl script, use the statements below to save the output of Cisco IOS show commands into the mail body:

set show_clock [exec {show clock}]
set show_ip_interfaces [exec {show interface summary}]

append body "\n" "$show_clock"
append body "\n" "$show_ip_interfaces"

Configuring the router with the Tcl ios_config command

And then you can schedule task using kron

kron occurrence sendmail in 1 oneshot
kron policy-list sendmail
 cli tclsh sendmail.tcl

Cisco Kron +TCL

Friday, August 10, 2012

MAC of Switch and Router

Switch has a base MAC address and different MAC for every interface

MAC addresses should be unique on each network. They can be the same in different networks, i.e. the MAC address / Layer 2 information changes with each hop.
1]
"Every interface of the router has the same MAC"
This is correct behaviour, as each interface of the router will be connected to a different network, so it is highly unlikely that a MAC address clash would take place.

2]
In the case of a switch, "it shows a different MAC for every port"
This is also correct, as switches can be used at Layer 3 as well as in a Layer 2 environment, and MAC addresses might clash within the same network. Consider cases like SVI/VLAN interfaces, routed interfaces or plain Layer 2 interfaces. So a unique MAC is required on each interface.



A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00.




There are three types of BPDUs:
  • Configuration BPDU (CBPDU), used for Spanning Tree computation
  • Topology Change Notification (TCN) BPDU, used to announce changes in the network topology
  • Topology Change Notification Acknowledgment (TCA)
BPDUs are exchanged regularly (every 2 seconds by default) and enable switches to keep track of network changes and to start and stop forwarding at ports as required.



HWIC-2FE and HWIC-4ESW Q&A

Q. What are the 1- and 2-port Fast Ethernet HWICs?
A. The Cisco® 1- and 2-Port Fast Ethernet High-Speed WAN Interface Cards (HWICs) are singlewide interface cards, available as a 1-port HWIC (HWIC-1FE) and as a 2-port HWIC (HWIC-2FE), that provide Cisco modular and integrated services routers with additional Layer 3 routed ports.


Q. Are there features not supported on the Fast Ethernet HWICs?
A. Yes. Features specifically not supported include Cisco Inter-Switch Link (ISL) trunking, Connectivity Fault Management (CFM), flow control, and online insertion and removal (OIR, hot-swappable).


Q. Can these interfaces be used as switch ports?
A. No, these are native Layer 3 interfaces, designed for routing. They can be configured to bridge using the router CPU. There is no switching application-specific integrated circuit (ASIC), nor are switching features supported.
Cisco 1- and 2-port Fast Ethernet High-Speed


Q. What are the 4- and 9-port Cisco® EtherSwitch® high-speed WAN interface cards (HWICs)?
A. The 4- and 9-port Cisco EtherSwitch HWICs are modular HWICs that provide line-rate Layer 2 switching across Ethernet ports using Cisco IOS® Catalyst® Software.

Q. Can I assign each switch port to a unique VLAN? If so, are there any limitations?
A. Each switch port can be assigned to its own VLAN, effectively providing four additional routed ports. However, there are serious performance and feature limitations to doing this. The VLAN interfaces are truly Layer 3 switching interfaces and are treated uniquely among interface types on the router. Many features are NOT supported or tested on these interfaces, including Point-to-Point Protocol over Ethernet (PPPOE) termination, Layer 2 Tunneling Protocol Version 3 (L2TPv3) termination, MAC address assignment, Layer 3 QoS, and others. You should carefully test any desired feature and solution prior to deploying it.

Q. What is the connection speed to the router backplane of the EtherSwitch HWICs?
A. The 4-port HWIC connects to the backplane with a maximum throughput of 100 Mbps, while the 9-port HWIC can support a maximum bandwidth of 200 Mbps. Actual performance will depend on many factors, including performance of the hosting router, other services configured on the hosting router, and the type of traffic stream being generated.

Q. What is intra-chassis stacking?
A. Intra-chassis stacking is defined as the ability to have multiple Cisco EtherSwitch HWICs connected with any two Cisco EtherSwitch ports in the same router. An example of intra-chassis stacking is placing two Cisco EtherSwitch HWICs in the same router connected together through any four ports on the HWICs.
Intra-chassis stacking is limited to two HWICs in any router. The HWICs must be connected externally using the Fast Ethernet interfaces and a crossover cable. Intra-chassis stacking allows all the Fast Ethernet interfaces on the two HWICs to participate in the same Layer 2 domain.

Q. What is the maximum number of VLANs supported for the Cisco EtherSwitch HWICs?
A. Both Cisco EtherSwitch HWICs support up to 15 VLANs on the Cisco Integrated Services Routers

Q. Is online insertion and removal (OIR) supported for the Cisco EtherSwitch HWICs?
A. The HWIC architecture does NOT support the OIR specification. OIR for the 4- and 9-port HWICs is not supported on the Cisco Integrated Services Routers.
Cisco EtherSwitch 4- and 9-Port High-Speed WAN Interface Cards

Q. What is a Cisco® Enhanced High-Speed WAN Interface Card (EHWIC)?
A. The Cisco High-Speed WAN Interface Card (EHWIC) is an updated and enhanced version of the current HWIC for the Cisco Integrated Services Router Generation 2 (ISR G2). The EHWIC offers greater speeds (up to 800 Mbps bidirectionally) and higher port density than the current WIC. It also has a third row of pins for increased power to the cards, as well as support for Enhanced Power over Ethernet (EPoE) with up to 20 watts per port. Furthermore, the EHWICs have a connection to the traditional router CPU and the new Multi-Gigabit Fabric (MGF) backplane. EHWICs are available in single-wide and double-wide form factors.
Cisco Enhanced High-Speed WAN Interface Cards

Overview of Cisco Interface Cards for Cisco Access Routers

Wednesday, August 8, 2012

Cisco Integrated Services Routers Generation 2 (ISR G2)

Cisco Integrated Services Routers Generation 2


Platform list:
Cisco 3900 Series
Cisco 2900 Series
Cisco 1900 Series
Cisco 890, 880, 860 Series
http://www.cisco.com/en/US/prod/collateral/routers/ps10538/aag_c45_556315.pdf
Cisco Integrated Services Routers Generation 2


Software Activation Terminology and Details
Universal Image
Each 1900, 2900 and 3900 system is loaded with a universal Cisco IOS image. Universal IOS image contains all Cisco IOS features. The level of Cisco IOS functionality available is determined by the combination of one or more licenses installed on the device.
There will be two versions of universal images supported on the next generation ISRs.
1. Universal images with the "universalk9" designation in the image name: This universal image offers all the Cisco IOS features including strong crypto features such as VPN payload, Secure UC etc.
2. Universal images with the "universalk9_npe" designation in the image name: The robust licensing encryption solution provided by Cisco Software Activation satisfies requirements for the export of encryption capabilities. However, some countries have import requirements that require that the device does not support any strong crypto functionality such as VPN payload etc. in any form. To satisfy the import requirements of those countries, this universal image does not support any strong payload encryption such as VPN payload, secure voice etc. This image supports threat defense features through the SECNPE-K9 license.
Unique Device Identifier (UDI)
The Unique Device Identifier is made up of two components: the Product ID (PID) and Serial Number (SN). Serial Number is an 11 digit number which uniquely identifies a device. The Product ID identifies the type of device. This information can be found using the "show license UDI" command on the router CLI. This information is also present on a pull-out label tray found on the device. You may have to remove "V01" that follows the PID. eg. use only "CISCO2921/K9", instead of "CISCO2921/K9 V01".

Q. What tunnel count and performance throughput are available on the Cisco ISR G2 routers with the SECK9 license?
A. The SEC-K9 permanent licenses apply to the Cisco 1900, 2900, and 3900 ISR G2 platforms; these licenses limit all encrypted tunnel counts to 225 tunnels maximum for IP Security (IPsec), Secure Sockets Layer VPN (SSLVPN), a secure time-division multiplexing (TDM) gateway, and secure Cisco Unified Border Element (CUBE) and 1000 tunnels for Transport Layer Security (TLS) sessions.
The SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. This requirement applies for the Cisco 1900, 2900, and 3900 ISR G2 platforms.
 








TCP MSS Adjustment


When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.
The PPP over Ethernet (PPPoE) standard supports a MTU of only 1492 bytes. The disparity between the host and PPPoE MTU size can cause the router in between the host and the server to drop 1500-byte packets and terminate TCP sessions over the PPPoE network. Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work.
The ip tcp adjust-mss command helps prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN packets.
The ip tcp adjust-mss command is effective only for TCP connections passing through the router.
In most cases, the optimum value for the max-segment-size argument is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.
If you are configuring the ip mtu command on the same interface as the ip tcp adjust-mss command, it is recommended that you use the following commands and values:
ip tcp adjust-mss 1452
ip mtu 1492
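To make concrete what ip tcp adjust-mss does to a passing SYN, here is an added Python example (not Cisco code) that parses a TCP options field, rewrites an MSS option that exceeds the configured ceiling, and checks the 1452-byte arithmetic above for a PPPoE link. The SYN options bytes are constructed.

```python
import struct

EOL, NOP, MSS_KIND = 0, 1, 2

def parse_tcp_options(opts):
    """Split a TCP options field into (kind, payload) pairs; EOL and NOP carry no length byte."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break                                   # rest is padding
        if kind == NOP:
            out.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def adjust_mss(opts, max_mss):
    """Rewrite the MSS option if it exceeds max_mss; return (new_options, mss_written or None)."""
    rebuilt, written = bytearray(), None
    for kind, payload in parse_tcp_options(opts):
        if kind == NOP:
            rebuilt.append(NOP)
            continue
        if kind == MSS_KIND and len(payload) == 2:
            mss = struct.unpack("!H", payload)[0]
            if mss > max_mss:
                payload, written = struct.pack("!H", max_mss), max_mss
        rebuilt += bytes([kind, 2 + len(payload)]) + payload
    while len(rebuilt) % 4:                         # keep the header 32-bit aligned
        rebuilt.append(EOL)
    return bytes(rebuilt), written

def mss_for_link(mtu, encap_overhead=0):
    """MSS that keeps a full segment within the link: MTU minus 20-byte IP, 20-byte TCP and any encapsulation."""
    return mtu - 20 - 20 - encap_overhead

# Constructed SYN options: MSS 1460, NOP, window scale 7, NOP, NOP, SACK permitted
SYN_OPTS = bytes.fromhex("020405b40103030701010402")

if __name__ == "__main__":
    print("PPPoE MSS from 1492 MTU:", mss_for_link(1492))
    print("same via 1500 - 8-byte PPPoE header:", mss_for_link(1500, 8))
    new, written = adjust_mss(SYN_OPTS, 1452)
    print("options before:", SYN_OPTS.hex(), "after:", new.hex(), "MSS written:", written)
```

The rewrite touches only the SYN, which is why the text says the command affects connections passing through the router: an existing session never renegotiates MSS, so the clamp must be in place before the three-way handshake, and a session that already hangs on 1500-byte packets has to be restarted.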

Monday, August 6, 2012

Tunnel Mode SSL VPN

interface Loopback252
 description Cisco SSL VPN Client for WebVPN
 ip address 192.168.4.1 255.255.255.0

interface Virtual-Template2
 ip unnumbered Loopback252
 ip nat inside
 ip virtual-reassembly
!

ip local pool ILP_WVPN_CLIENT 192.168.4.100 192.168.4.105

webvpn gateway ssl-gw1
 hostname webvpn1
 ip interface Dialer0 port 443
 ssl trustpoint SSL
 inservice
 !
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
 !

webvpn context vpn1
 title "Welcome"
 secondary-color black
 title-color black
 ssl authenticate verify all
 !

policy group vpn1
   functions svc-enabled
   svc address-pool "ILP_WVPN_CLIENT"
   svc default-domain "cisco.com"
   svc keep-client-installed
   svc split exclude local-lans
   ! the domain below will be resolved by the tunnel DNS
   svc split dns "yourLocalDomain.com"
   ! exclude your local network
   svc split exclude 10.0.0.0 255.0.0.0
   svc dns-server primary 192.168.4.1
   svc dns-server secondary 8.8.8.8
 virtual-template 2
 default-group-policy vpn1
 gateway ssl-gw1
 inservice
!
end

P.S. The statements "svc split exclude" and "svc split include" can NOT be used at the same time.

SSL VPN
SSL VPN in IOS 12.4T
Cisco SSL VPN Configuration ( easy / simple example )
Cisco IOS SSL VPN Policy Groups
AnyConnect VPN Client on IOS Router with IOS Zone Based Policy Firewall Configuration Example
Configuring Cisco SSL VPN AnyConnect (WebVPN) on Cisco IOS Routers

Thursday, August 2, 2012

Using FVRF and IVRF in DMVPN

Using FVRF and IVRF in DMVPN


1. OVERVIEW
This document provides configuration guidance for users of Cisco® Dynamic Multipoint VPN (DMVPN) technology on Cisco IOS® IPSec routers. The Cisco 7600 Series platform is an exception because it does not support FVRF. The IVRF configuration described below shall work on the Cisco 7600 Series and the Cisco Catalyst® 6500 Series as well. The testing was performed on Cisco 1841 integrated services routers running Cisco IOS Software Release 12.3(11)T3. The objective of the testing was to configure and test interaction of DMVPN with Front VRF (FVRF) as well as internal VRF (IVRF).
Advantage: The advantage of using an FVRF is primarily to carve out a separate routing table from the global routing table (where tunnel interface exists). The advantage of using an IVRF is to define a private space to hold the DMVPN and private network information. Both these configurations provide extra security from anyone trying to attack the router from the Internet by separating out routing information. These VRF configurations can be used on both DMVPN hub and spoke.
What is the configuration difference? In case of FVRF, the tunnel destination lookup needs to be done in FVRF. Secondly, since the Internet-facing interface is in a VRF, the ISAKMP key lookup is also done in the VRF. As for using IVRF, the tunnel, private subnets, and routing protocol need to be defined in the IVRF space. The tunnel destination and ISAKMP key are looked up in global space for this scenario.

Wednesday, August 1, 2012

DOS batch ping multiple hosts script

DOS batch ping multiple hosts script

Name: batchping.bat

You also need myhosts.txt, which should contain the IP addresses of the hosts that you want to ping, one per line; the results are written to batchping.log.

---script begin---
@echo off
del /Q batchping.log
for /f %%i in (myhosts.txt) do call :pingit %%i

:pingit
if "%1"=="" goto END
ping -n 1 %1 >nul
if errorlevel 1 goto FAIL
echo %1 - is good >> batchping.log
goto END

:FAIL
echo %1 - is not pingable >> batchping.log

:END

---script end---

http://forums.hexus.net/networking-broadband/116568-dos-windows-ping-utility-multiple-hosts.html
http://www.krishnababug.com/2009/09/ping-mutiple-ips-bat-file.html