Monday, April 4, 2011

Cisco Best Practice - Turn off http, telnet and enable https, ssh

ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
transport input ssh

Configuring Cisco EtherChannel Load Balancing Method

- Use source and destination IP address when calculating which link to send traffic across

Switch(config)#port-channel load-balance src-dst-ip

Unidirectional Link Detection (UDLD) Cisco Switch Configuration

- Unidirectional links can cause problems such as spanning-tree loops, black holes, and non-deterministic forwarding
- Unidirectional Link Detection (UDLD) detects a Unidirectional link and disables the interface

Switch(config)#udld enable

Rapid Per-VLAN Spanning-Tree (PVST+) Cisco Switch Configuration

- Instance of RSTP per VLAN
- Improves detection of indirect failures over classic spanning tree (802.1D)
- Even if the network doesn't have any layer 2 loops, you should still enable spanning tree for protection against unexpected layer 2 loops

Switch(config)#spanning-tree mode rapid-pvst

Virtual Trunk Protocol (VTP) Cisco Switch Configuration Best Practices

Virtual Trunk Protocol (VTP) allows you to configure a VLAN on one switch and have it propagate to all the other switches in the network. Cisco Best Practice is to not use VTP because of the potential issues it can cause and to put the switch in transparent mode.

Switch(config)#vtp mode transparent

Enable Stateful Switchover (SSO) on Cisco Switch Supervisor Modules

Stateful Switchover (SSO) synchronizes process and configuration information between supervisor modules to enable a fast transparent failover.

Router(config)# redundancy
Router(config-red)# mode sso
Router(config-red)# end
Router# show redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 5

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up

client count = 29
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 1
keep_alive threshold = 18
RF debug mask = 0x0
Router#

Set Cisco Stack Master Placement in Switch Stack

- Multiple Catalyst 2960-S or 3750-X switches configured in stack
- One switch in stack (Master Switch) controls operation of stack
- When there are 3 or more switches in the stack, configure the switch that does not have uplinks as the master switch

Set Stack Master Switch:
switch [switch number] priority 15

Ensure original master MAC address remains stack MAC address after failure:
stack-mac persistent timer 0

Sunday, April 3, 2011

Configure QoS Rate Limiting and Priority Queuing Cisco ASA/PIX Firewall

Note: Only packets with normal priority can be policed. Packets with high priority are not policed.

- Maximum rate for tcp_traffic class is 56,000 bits/second, maximum burst size is 10,500 bytes/second
- Traffic in the voice class has no policed maximum speed or burst rate because it belongs to a priority class
- Priority queue on interface outside queue-limit is 2048 packets, and tx-ring-limit is 256 packets

hostname(config)#access-list tcp_traffic permit tcp any any
hostname(config)#class-map tcp_traffic
hostname(config-cmap)#match access-list tcp_traffic

hostname(config)#class-map voice
hostname(config-cmap)#match dscp ef

hostname(config)#policy-map qos
hostname(config-pmap)#class tcp_traffic
hostname(config-pmap-c)#police output 56000 10500
hostname(config-pmap-c)#class voice
hostname(config-pmap-c)#priority

hostname(config)#service-policy qos interface outside

hostname(config)#priority-queue outside
hostname(config-priority-queue)#queue-limit 2048
hostname(config-priority-queue)#tx-ring-limit 256

Configuring Loopback Interfaces on a Cisco Router

- Primarily used for troubleshooting, router management, and protocol enhancement

router(config)#interface loopback0
router(config-if)#

The "Do" Command on a Cisco Router

The "do" command allows you to run "show" commands while in config mode so that you don't have to exit back to privileged mode to check your work when you are configuring a router.

Example:

router(config)#do show interface f0/1

router(config-if)#do show run

Saturday, April 2, 2011

Netgear WNDR3700 Dual Band Wireless-N Gigabit Router default login username password

Default IP address: 192.168.1.1
Default username: "admin"
Default password: "password"

D-Link DIR-655 Xtreme N Gigabit Router default login username password

Default IP address: 192.168.0.1
Default username: "admin"
Default password: Blank

Cisco Linksys e3000 High Performance Wireless-N Router default login username password

Default IP address: 192.168.1.1
Default username: Blank
Default password: "admin"

Buffalo NFiniti WZR-HP-G300NH default login username password

Default IP address: 192.168.11.1
Username and password: Set on first access

Belkin N600 HD default login username password

Default IP address: 192.168.1.1
Default username and password: None

2-Wire 2701HGV-B (AT&T) default login username password

Default IP address: 192.168.1.25
Default username: None
Default password: Printed on the bottom of the modem

Dynamic Multipoint VPN (DMVPN) Cisco Router Configuration Example

How to Configure Dynamic Multipoint VPN (DMVPN) on a Cisco Router:

DMVPN uses a hub and spoke configuration to build site-to-site VPNs with a full mesh topology. I often use DMVPN as a backup solution for MPLS.

DMVPN Hub Router Configuration:

ip vrf INET-PUBLIC
rd 65512:1

interface GigabitEthernet0/0/4
ip vrf forwarding INET-PUBLIC
ip address 10.4.32.33 255.255.255.248
no shutdown
!
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 10.4.32.35

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC

interface Tunnel10
bandwidth 10000
ip address 10.4.34.1 255.255.254.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 200 35
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 200
tunnel source GigabitEthernet0/0/3
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE

DMVPN Spoke Router Configuration:

ip vrf INET-PUBLIC
rd 65512:1

interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC
ip address dhcp
ip access-group ACL-INET-PUBLIC in
no shutdown

ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit icmp any any echo
permit icmp any any echo-reply
permit udp any any eq bootpc

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
!
crypto isakmp keepalive 30 5
!
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC


interface Tunnel10
bandwidth 1500
ip address 10.4.34.201 255.255.254.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp map multicast 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip tcp adjust-mss 1360
ip summary-address eigrp 200 10.5.40.0 255.255.248.0
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE
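An added consistency check (not part of the original post or any Cisco tool) for the hub and spoke Tunnel10 blocks above: the NHRP network-id, NHRP authentication string, MTU, MSS clamp, tunnel mode and IPsec profile must agree on both ends, and the spoke's NHS must be the hub's tunnel address. The two blocks are constructed copies of the post's values, trimmed to the lines that are compared.

```python
# Constructed copies of the two Tunnel10 blocks from the post, trimmed to the lines compared.
HUB_TUNNEL = """\
interface Tunnel10
 ip address 10.4.34.1 255.255.254.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp network-id 101
 ip tcp adjust-mss 1360
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
"""
SPOKE_TUNNEL = """\
interface Tunnel10
 ip address 10.4.34.201 255.255.254.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 10.4.34.1 172.16.130.1
 ip nhrp network-id 101
 ip nhrp nhs 10.4.34.1
 ip tcp adjust-mss 1360
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
"""

# Commands whose arguments must be identical on hub and spoke for the tunnel to come up.
MUST_MATCH = ("ip nhrp authentication", "ip nhrp network-id", "ip mtu",
              "ip tcp adjust-mss", "tunnel mode", "tunnel protection ipsec profile")
EXTRA = ("ip address", "ip nhrp nhs")

def tunnel_settings(block):
    """Map each command prefix to its argument string, e.g. 'ip nhrp network-id' -> '101'."""
    settings = {}
    for raw in block.splitlines()[1:]:  # skip the 'interface Tunnel10' header
        line = raw.strip()
        for key in MUST_MATCH + EXTRA:
            if line.startswith(key + " "):
                settings[key] = line[len(key) + 1:]
    return settings

def dmvpn_mismatches(hub, spoke):
    """Return a list of problems; an empty list means the spoke is consistent with the hub."""
    h, s = tunnel_settings(hub), tunnel_settings(spoke)
    problems = [f"{k}: hub={h.get(k)!r} spoke={s.get(k)!r}" for k in MUST_MATCH if h.get(k) != s.get(k)]
    hub_ip = h["ip address"].split()[0]
    if s.get("ip nhrp nhs") != hub_ip:
        problems.append(f"spoke NHS {s.get('ip nhrp nhs')} is not the hub tunnel address {hub_ip}")
    return problems
```

The check covers the tunnel interfaces only; the keyring, ISAKMP policy and transform set still have to match separately.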

Friday, April 1, 2011

Configure IP Multicast Routing on Cisco Router

Rendezvous Point Routers (two):

ip multicast-routing
!
interface Loopback0
ip pim sparse-mode
!
interface Loopback1
ip address 10.4.40.252 255.255.255.255
ip pim sparse-mode
!
interface Port-Channel1
ip pim sparse-mode
!
interface GigabitEthernet0/0/4
ip pim sparse-mode
!
ip pim rp-address 10.4.40.252 10
access-list 10 permit 239.1.0.0 0.0.255.255

Other Routers:

ip multicast-routing
!
interface Loopback0
ip pim sparse-mode
!
interface Port-Channel1
ip pim sparse-mode
!
interface GigabitEthernet0/0/4
ip pim sparse-mode
!
ip pim rp-address 10.4.40.252 10
ip pim register-source Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255

- The access-list limits the network size the RP is responsible for.
- IP PIM sparse-mode (Protocol Independent Multicast) is enabled on all interfaces.
- Rendezvous Point (RP) should be placed close to IP Multicast sources in core.
- Two or more RPs are configured with the same IP address on loopback interfaces.

Configure SNMP on Cisco Router

snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
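An added audit script (not part of the original posts) that reads a running-config as text and flags departures from the April 4 best-practice post above (SSH version 2 forced, HTTP off, HTTPS on, vty transport input restricted to ssh) and from this SNMP post (read-write communities, and communities with no access-list). The sample config is constructed and deliberately mixes compliant and non-compliant lines.

```python
"""Audit a running-config for the management-plane settings these posts prescribe."""
import re

# Constructed sample config (not from the page); it mixes compliant and non-compliant lines.
SAMPLE_CONFIG = """\
ip ssh version 2
ip http server
no ip http secure-server
snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server community ops-ro RO 10
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", re.M)

def vty_blocks(config):
    """Group the indented child lines of each 'line vty' block under its header."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and header:
            blocks[header].append(raw.strip())
        else:
            header = raw if raw.startswith("line vty") else None
            if header:
                blocks[header] = []
    return blocks

def audit(config):
    """Return a list of findings; an empty list means the config passes every check."""
    findings, lines = [], config.splitlines()
    if "ip ssh version 2" not in lines:
        findings.append("ssh: version 2 not forced (SSHv1 fallback possible)")
    if "ip http server" in lines:
        findings.append("http: cleartext HTTP server enabled")
    if "ip http secure-server" not in lines:
        findings.append("http: HTTPS server not enabled")
    for header, children in vty_blocks(config).items():
        if "transport input ssh" not in children:
            findings.append(f"{header}: transport input not restricted to ssh")
    for community, mode, acl in SNMP_RE.findall(config):
        if mode == "RW":
            findings.append(f"snmp: read-write community '{community}' configured")
        if not acl:
            findings.append(f"snmp: community '{community}' not restricted by an access-list")
    return findings
```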

Thursday, March 31, 2011

QoS Hierarchical Class-Based Weighted Fair Queuing Cisco Router Configuration Example

HCBWFQ QoS Configuration Example on a Cisco Router:

This is an example of a QoS policy where the connection to the service provider is Ethernet and the contracted bandwidth is 20 Mbps. This requires the use of a parent policy which then references a subordinate (child) policy.

class-map match-any VOICE
match dscp ef
!
class-map match-any INTERACTIVE-VIDEO
match dscp cs4 af41
!
class-map match-any CRITICAL-DATA
match dscp af31 cs3
!
class-map match-any DATA
match ip dscp af21
!
class-map match-any SCAVENGER
match ip dscp af11 cs1
!
class-map match-any NETWORK-CRITICAL
match ip dscp cs6 cs2
!
class-map match-any BGP-ROUTING
match protocol bgp

policy-map MARK-BGP
class BGP-ROUTING
set dscp cs6

policy-map WAN
class VOICE
priority percent 10
class INTERACTIVE-VIDEO
priority percent 23
class CRITICAL-DATA
bandwidth percent 15
random-detect dscp-based
class DATA
bandwidth percent 19
random-detect dscp-based
class SCAVENGER
bandwidth percent 5
class NETWORK-CRITICAL
bandwidth percent 3
service-policy MARK-BGP
class class-default
bandwidth percent 25
random-detect

policy-map WAN-INTERFACE-G0/0
class class-default
shape average 20000000
service-policy WAN

interface GigabitEthernet0/0
service-policy output WAN-INTERFACE-G0/0
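A worked calculation, added here and not part of the original post, of what the parent shaper leaves for each child class: the child policy's "percent" values are taken against the parent's shape rate, so with "shape average 20000000" the two priority classes together get 33 percent (6.6 Mbps) and the percentages must not exceed 100. The policy-map text is a constructed copy of the post's two policy-maps, trimmed to the lines the calculation needs.

```python
import re
# The two policy-maps from the post, trimmed to the lines the calculation needs (constructed copy).
POLICY_TEXT = """\
policy-map WAN
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
 class DATA
  bandwidth percent 19
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
policy-map WAN-INTERFACE-G0/0
 class class-default
  shape average 20000000
  service-policy WAN
"""

def parse_policy_maps(text):
    """Return {policy: {class: {kind, percent, shape, child}}} parsed from policy-map text."""
    policies, pol, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            pol, cls = line.split()[1], None
            policies[pol] = {}
        elif line.startswith("class "):
            cls = line.split()[1]
            policies[pol][cls] = {"kind": None, "percent": None, "shape": None, "child": None}
        elif m := re.match(r"(priority|bandwidth) percent (\d+)$", line):
            policies[pol][cls].update(kind=m[1], percent=int(m[2]))
        elif m := re.match(r"(shape average|service-policy) (\S+)$", line):
            policies[pol][cls]["shape" if m[1] == "shape average" else "child"] = m[2]
    return policies

def percent_budget(policies, policy):
    """Total percent reserved in a policy; LLQ and CBWFQ classes draw on the same 100%."""
    return sum(c["percent"] or 0 for c in policies[policy].values())

def class_rates(policies, parent):
    """Bits per second guaranteed to each child class, taking the parent shape rate as 100%."""
    p = policies[parent]["class-default"]
    return {n: int(p["shape"]) * c["percent"] // 100 for n, c in policies[p["child"]].items() if c["percent"] is not None}
```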

IPv6 Quick Facts

- Successor of IPv4
- 128-bit long addresses
- Customer usually gets a /64 subnet
- No need for NAT anymore
- No Broadcasts
- No ARP
- Stateless Address Configuration without DHCP
- Improved Multicast
- Easy IP Renumbering
- Minimum MTU Size is 1280
- Mobile IPv6
- Mandatory IPsec support
- Extension Headers
- Jumbograms up to 4 GiB

To get a good idea of how many more IPs there are with IPv6 vs IPv4, imagine that if the IPv4 address space were the size of a golf ball, then the IPv6 address space would be the size of the Sun!

Cisco Router EIGRP Configuration Example

This example configures EIGRP between a Cisco Router and Cisco LAN Distribution or Core Switch.

BGP routes are redistributed into EIGRP with a default metric (only bandwidth and delay are used for the metric calculation).

Cisco Router:

router eigrp 100
default-metric 100000 100 255 1 1500
network 10.4.0.0 0.0.255.255
redistribute bgp 65511
passive-interface default
no passive-interface Port-channel1
! router-id is the Loopback0 address
eigrp router-id 10.4.128.241
no auto-summary

Cisco Switch:

router eigrp 100
network 10.4.0.0 0.0.255.255
passive-interface default
no passive-interface TenGigabitEthernet1/1/1
no passive-interface TenGigabitEthernet2/1/1
no passive-interface Port-channel1
! router-id is the Loopback0 address
eigrp router-id 10.4.32.240
no auto-summary

Cisco Router BGP Configuration Example

You will need to use BGP to connect to most MPLS carriers or if you have two Internet providers and want to multi-home.

(Note: private ASN range is 64512 to 65534)

In this example eBGP is configured to the provider (192.168.3.2), EIGRP is redistributed into BGP, and iBGP is configured between the two customer routers (10.4.32.241 and .242).

router bgp 65511
no synchronization
! router-id is the Loopback0 address
bgp router-id 10.4.32.241
bgp log-neighbor-changes
! propagate default route
network 0.0.0.0
! advertise customer-to-provider network
network 192.168.3.0 mask 255.255.255.252
! redistribute EIGRP into BGP
redistribute eigrp 100
neighbor 10.4.32.242 remote-as 65511
neighbor 10.4.32.242 update-source Loopback0
neighbor 10.4.32.242 next-hop-self
neighbor 192.168.3.2 remote-as 65401
no auto-summary

Configure Layer 3 port-channel (EtherChannel) between Cisco Router and Switch

Router:

interface Port-channel1
ip address 10.4.4.2 255.255.255.252
!
interface GigabitEthernet0/0/0
no ip address
channel-group 1
no shutdown
!
interface GigabitEthernet0/0/1
no ip address
channel-group 1
no shutdown

Switch:

interface Port-channel1
no switchport
ip address 10.4.4.1 255.255.255.252
!
interface GigabitEthernet1/0/3
no switchport
no ip address
channel-group 1 mode on
no shutdown
!
interface GigabitEthernet2/0/3
no switchport
no ip address
channel-group 1 mode on
no shutdown

Configure AAA Tacacs+ Authentication on Cisco Router

enable secret network1engineer
service password-encryption
username admin password network1engineer

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

tacacs-server host 192.168.1.5
tacacs-server key gheigeiegih

ip tacacs source-interface Loopback0

Configure NTP on Cisco Router

Configure NTP to synchronize to a local NTP server in the network. The local server then references an outside source. One of the outside sources I use is pool.ntp.org.

ntp server 10.10.10.48
ntp source Loopback0
!
clock timezone PST -8
clock summer-time PDT recurring
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

Cisco Anyconnect VPN Premium vs Essentials Licensing Explained

I recently contacted Cisco to ask a few questions about the differences between the Anyconnect Premium License vs the Essentials License.

The main thing that the Essentials License does not offer is clientless access and Cisco Secure Desktop.

Here is the detailed info:

I found out that you CAN still web deploy the client with the Essentials License. So if someone connects to your outside ASA interface via a web browser they will be able to download the client.