Testing AAA Authentication with ACS – Part 1
Confirming that local authentication on the switch and ACS is working after you finished your configuration perform the following:Run the "test" command on the switch
sw1#test aaa group tacacs+ ro PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
sw1#test aaa group tacacs+ admin99 PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.
Even though the second attempt was rejected it still confirms that ACS rejected the request and is fully operational.
Step 1. Lets have a look at the ACS server. Once logged in navigate to "Monitoring and Reports" and click "Launch Monitoring and Report Viewer"
Step 2. A new window pops up. Navigate to "Reports", "Catalog", and click "AAA Protocols".
Step 3. On the right pain under reports click "TACACS Authentication. As you can see the first 2 entries correlate to what was seen on the switch. A pass and a fail.
Step 4. Lets look at some more details by clicking the magnifying glass under details. Lets look at the authentication that passed. As you can see there is alot of details. The big thing here is the "Status"
Step 5. Lets look Continue reading
MPLS LDP-IGP Synchronization
This post represents the solution and explanation for quiz-8. Adding a new link into the MPLS cloud created an outage for the customer. Read to understand how LDP-IGP Synchronization might help.
Firewalls: Expensive, Broken Routers
In a previous post on IPS, I made a fairly negative comment on the value that you get from enterprise firewalls in the modern environment. At the time, I said that I was just going leave that comment hanging and see what happened. Well, precisely no one challenged me on it, which means either everybody […]
Author information
The post Firewalls: Expensive, Broken Routers appeared first on Packet Pushers Podcast and was written by Neil Anderson.
Using IP SLA Delay Feature to Safely Monitor Lossy Links
IP SLA is a great feature if you want to add some automation and intelligence into the network. SLA is no SDN/OpenFlow, but it can be very useful. It can also take down a network. Let’s say you are using DMVPN for a number of spoke locations in your network. You have a primary Internet […]
Author information
The post Using IP SLA Delay Feature to Safely Monitor Lossy Links appeared first on Packet Pushers Podcast and was written by Charles Galler.
Compiling Firmware for Opengear ACM5000
Opengear gave me two ACM5000 units as a part of my attendance at Network Field Day 4 in October of last year. The gift has not influenced my opinion of the company nor their product: I continue to think they're a bunch of amazingly clever people, and that they make the best out-of-band access equipment on the market. I recommend them without hesitation nor reservation.I've been waiting anxiously for the release of the Custom Development Kit (CDK) based on release 3.6 code, and it's finally out. The README that comes with the CDK is a bit dated, and not super easy to follow, so I'm sharing my notes on rolling custom firmware here.
I started with Ubuntu 12.04.2 Server i386 installed inside VMware Fusion on my MacBook. I pretty much took the defaults, allowing VMware to manage the install for me (how cool is this feature?)
Remote Access
Pretty soon I was looking at an Ubuntu login prompt in the VMware console, I logged in and then did:
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install openssh-server
ifconfig eth0
Downloads
Now I could log in via SSH, so I was done Continue reading
Weird NX-OS stuff
Some weird NX-OS stuff!
For enabling 'FEX' feature on the Nexus 7K switches, following steps are required:
config t
vdc Production
install feature-set fex
feature-set fex
Wonder why FEX cannot be enabled by entering feature fex or feature-set fex on the switch.
When you do a 'show feature', FEX shows up as disabled. On a 'show feature-set', FEX shows up as enabled.
After configuring an interface as a fex-fabric mode,
Cisco developed two commands on NX-OS to do the same thing. Define a hostname for the switch. 'switchname' and 'hostname'.
No feedback really required here. Boring post. I could just delete it. Naah I'll keep it. Peace m/.
Nexus 7000 vPC configuration
vPC configuration on a pair of NX7K switches
For a pair of Nexus 7009 switches running NX-OS 6.0(4), configuring vPC (virtual Port Channel) was an easy breezy task. In a few minutes and less than 15 commands, the two switches stood up as a vPC pair. There are 3 non default VDCs and each VDC has its own vPC domain, vpc peer-links and vpc peer-keepalive links. Cisco recommends each VDC has its own unique vPC domain ID. The port-channel ID need not be unique across the VDCs. Also, vPC will not work if port-channel members are interfaces allocated to separate VDCs.
On the CLI, switch to the non default VDC.
Each feature needs to be enabled on individual VDCs. Simply enabling it on the admin VDC does not propagate the features to the non default VDCs. For vPC, we need link aggregation control protocol for port-channel load-balancing (LACP) and the vPC feature.
feature lacp
feature vpc
The two switches need to exchange heartbeats to maintain a vPC role over the vPC keep alive links. Cisco recommends this traffic must be isolated to a VRF. If we do not specify a VRF for the keep alive link, by default Continue reading
VPN-IPSEC
Its been a while but I am going to try to post weekly.Here is a sample configuration for IPSEC VPN between in 2 routers.
Note: 172.16.1.X/32 are loopback interfaces.
R1
Define IKE Phase 1 Policy (ISAKMP)
(config)#crytpo isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2
Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.2
Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0
Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150
Apply Cypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2
Create a route
(config)#ip route 172.16.1.2 255.255.255.255 fas0
R2
Define IKE Phase 1 Policy (ISAKMP)
(config)#crytpo isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2
Define pre-shared key
(config)#crypto isakmp kep 0 $pass@word$ address 192.168.1.1
Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
Create ACL to match interesting Continue reading
IPv6 Next-Hop Best Practices
The concept of a link-local address is new to some, seeing as the term is not widely talked about in IPv4 circles, despite the fact that some folks see them daily. In IPv4, the range 169.254.1.0 through 169.254.254.255 has been reserved for this purpose. You may see this in the “ipconfig” output of a windows host that failed to pull a DHCP address. In IPv6, fe80::/10 is reserved for this purpose, though link-local addresses are always configured with a fe80::/64 prefix.IPv6 Next-Hop Best Practices
The concept of a link-local address is new to some, seeing as the term is not widely talked about in IPv4 circles, despite the fact that some folks see them daily. In IPv4, the range 169.254.1.0 through 169.254.254.255 has been reserved for this purpose. You may see this in the “ipconfig” output of a windows host that failed to pull a DHCP address. In IPv6, fe80::/10 is reserved for this purpose, though link-local addresses are always configured with a fe80::/64 prefix.Surprised by Spam
I attended my first in person meeting of the ISOC Advisory Council this last week — I’m a newly minted co-chair, and already haven’t been participating as much as I should (just like I don’t blog here as much as I should, a situation I’m undertaking to resolve!). We had a long discussion on the […]
Author information
The post Surprised by Spam appeared first on Packet Pushers Podcast and was written by Russ White.
IPv6 Host Networking and Insomnia
I’ve been running IPv6 on my home network for a while. The solution in place has evolved over time, from terminating tunnels to a linux VM using gogo6 all the way to front-ending with a Cisco ISR using Hurricane Electric, the goal has always been the same - to practice what I preach. Running IPv6 at home and REFUSING to turn it off when problems arise is one of the best ways to learn the protocol.IPv6 Host Networking and Insomnia
I’ve been running IPv6 on my home network for a while. The solution in place has evolved over time, from terminating tunnels to a linux VM using gogo6 all the way to front-ending with a Cisco ISR using Hurricane Electric, the goal has always been the same - to practice what I preach. Running IPv6 at home and REFUSING to turn it off when problems arise is one of the best ways to learn the protocol.Juniper PTX3000 – thin is in…
Juniper just launched the PTX3000, which has some nice features – such as being small enough to be installed by one technician, and pushing 0.5Gbps per cubic inch. The thing is, we still can’t work out who is going to buy these things…
Anywhoo, here’s the info on the Juniper website, with a nice side-view so you can marvel at its 10 inches:
Six Things About F5 BIGIP v11 iApps
F5 Networks’ Local Traffic Manager (LTM) is my load balancer – okay, Application Delivery Controller, if you insist – of choice. The LTM platform is as feature-rich and well-supported as they come, with all sorts of customizability as well as the iRule scripting language (a superset of TCL) that lets you do fancy transaction manipulation. […]
Author information
The post Six Things About F5 BIGIP v11 iApps appeared first on Packet Pushers Podcast and was written by Ethan Banks.
Administrative Distance, prefix length, metric… Who is the winner?
The Concept Procedural tasks Result table Conclusion The concept The idea of the lab is to test the RIB best route election criteria of a border router. To do so, four overlapping subnets are configured in different parts of the network and available to a border router through different routing protocols. One of them is […]
Packet Design Acquired by Private Equity Firm; Appoints New CEO
Leader in IP Network Route Analytics Receives Cash Infusion to Accelerate Growth
SANTA CLARA, CA — March 19, 2013 — Packet Design, the leading provider of IP network route analytics software announced today that it has been acquired by Lone Rock Technology Group, an Austin-based private equity firm specializing in enterprise software. S3 Ventures, an early stage venture firm with a focus on information technology and also based in Austin, joins Lone Rock as a major investor in the company. With the deal, Packet Design announced it has appointed Scott Sherwood, a network and systems management industry veteran, as its new CEO.
Since it was founded in 2003, Packet Design has pioneered the complex science of route analytics. Its patented technology provides unique visibility into routing and traffic behavior across the entire cloud. Network managers at hundreds of the largest service providers, mobile operators, cable and broadband providers, enterprises and government agencies spanning five continents rely on the intelligence Packet Design provides to optimize the performance and control of their networks.
“We believe Packet Design’s technology, world-class talent, and marquee customers position it extremely well in a market growing over 12% CAGR, and we are excited by the Continue reading
My Tools for Studying
Anyway, I thought it would be neat to document the tools I'm using today. It'll be interesting to read this in a couple of years to see how things have changed again and maybe it'll give a fellow cert-chaser some ideas for today.