Category: Cisco

            • Show Interface Reference

              router#sh int Serial3/0/23:0

              Serial3/0/23:0 is up, line protocol is up
              Hardware is PA-MC-2T3+
              Description: SDA Freight Data Corporation T1 CIR/CT3 (sdafda)75hcre000944-001
              Internet address is 207.199.99.137/30
              MTU 1500 bytes, BW 256 Kbit, DLY 20000 usec, rely 255/255, load 1/255
              Encapsulation PPP, crc 16, loopback not set
              Keepalive set (10 sec)
              LCP Open
              Open: IPCP, CDPCP
              Last input 00:00:03, output 00:01:08, output hang never
              Last clearing of "show interface" counters never
              Input queue: 0/75/0 (size/max/drops); Total output drops: 0
              Queueing strategy: weighted fair
              Output queue: 0/1000/64/0 (size/max total/threshold/drops)
              Conversations 0/1/256 (active/max active/max total)
              Reserved Conversations 0/0 (allocated/max allocated)
              5 minute input rate 0 bits/sec, 0 packets/sec
              5 minute output rate 0 bits/sec, 0 packets/sec
              20950 packets input, 1992090 bytes, 0 no buffer
              Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
              1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort
              31524 packets output, 10804297 bytes, 0 underruns
              0 output errors, 0 collisions, 0 interface resets
              0 output buffer failures, 0 output buffers swapped out
              0 carrier transitions no alarm present
              Timeslot(s) Used: 1-4, subrate: 256Kb/s, transmit delay is 0 flags
              non-inverted data
              

              Interface and Line Protocol Status
              (line state, possible causes, and suggested actions)

              Serial x is up, line protocol is up
              This status indicates that the interface is functioning properly.

              Serial x is down, line protocol is down
              This status indicates that the router is not sensing a carrier detect (CD) signal.

              Possible Causes:

              -Telephone company problem
              -Faulty or incorrect cabling
              -Hardware failure

              Suggested Actions:

              -Check the LEDs on the CSU/DSU to see if the CD light is active.
              -Verify that the cables are connected properly.
              -Reset your equipment.
              -Contact your leased-line provider.
              -Replace faulty equipment.

              Serial x is up, line protocol is down

              Possible Causes:

              -Local or remote router misconfigured.
              -Keepalives not being sent by the remote router.
              -Leased-line or other carrier service problems, such as noisy lines or a faulty switch.
              -Timing problem on the cable, possibly caused by the CSU/DSU not being set correctly.
              -Failed local or remote CSU/DSU.
              -Router failure.

              Serial x is up, line protocol is up (looped)

              Possible Causes:

              -A loop exists in the circuit. Contact your leased-line provider or the owner of the remote router to remove the loop.

              Serial x is administratively down, line protocol is down

              Possible Causes:

              -Router configuration includes the shutdown interface configuration command.
              -Duplicate IP address.

              Hardware
              This field describes the type of hardware that the interface is connected to. In this case, this Serial interface is part of a channelized T3.
              Description
              This field is simply used by the network administrator to describe the interface. It has no bearing on connectivity.
              Internet address
              This is the IP address and subnet mask assigned to the interface in question. In this case, the IP address is 207.199.99.137 and it has a subnet mask of 255.255.255.252.
              MTU, BW, DLY, rely, and load

              * MTU – Maximum Transmission Unit. By default, this is 1500 bytes, which is the largest packet that can be sent through the interface before the packet is fragmented.
              * BW – Bandwidth. This field is defined by the network administrator and has no actual effect on the bandwidth of a line. It is simply used for describing the load on a specific interface.
              * DLY – Delay. Amount of delay in microseconds. I do not have any more information on this at this time.
              * rely – Reliability. Reliability of the interface as a fraction of 255 (255/255 is 100% reliability), calculated as an exponential average over five minutes (default).
              * load – Load Average. Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over five minutes (default).

              Encapsulation and Loopback

              * Encapsulation is the type of data-link encapsulation. This is commonly PPP, HDLC (Cisco’s proprietary PPP), Frame Relay, or ATM.
              * Loopback specifies whether the loopback bit is set in the D channel signalling.

              Last input

              * The last input is the number of hours, minutes, and seconds since the last packet was successfully received by an interface. This is useful for determining when a dead interface failed.
              * The last output is the number of hours, minutes, and seconds since the last packet was successfully transmitted by an interface. This is useful for determining when a dead interface failed.
              * The output hang is the number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long.

              Last clearing

              This shows the elapsed time, in seconds, since the last clearing of the interface counters that will be described in a later section on counters.
              Output queue, input queue, drops

              Number of packets in the output and input queues. Each number is followed by a slash, the maximum size of the queue, and the number of packets dropped because the queue was full. Output drops occur when the output media cannot accept frames and the output queue reaches its maximum value, at which point packets are dropped. Output drops do not necessarily indicate a problem, since an explorer frame being dropped because it has already travelled on a particular ring also increments the output drops counter. Incrementing input drops, on the other hand, can be serious and should be looked into carefully. Input drops can be caused by insufficient system buffers; see the 0 no buffer counter in the show interfaces output above. An incrementing no buffer counter in the show interfaces output may correlate with an incrementing misses counter in the show buffers output, in which case the appropriate buffer pool may need to be tuned.
              5 minute input/output rate

              Average number of bits and packets received and transmitted per second in the last five minutes.
              Counters

              * Packets input – Total number of error-free packets received.
              * Broadcasts – Total number of broadcast or multicast packets received.
              * Runts – Number of packets discarded because they are smaller than the medium’s minimum packet size.
              * Giants – Number of packets that are discarded because they exceed the medium’s maximum packet size.
              * Throttle – This counter indicates the number of times the input buffers of an interface have been cleaned because they have not been serviced fast enough or they are overwhelmed. Typically, an explorer storm can cause the throttles counter to increment. It’s important to note that every time you have a throttle, all the packets in the input queue get dropped. This causes very slow performance and may also disrupt existing sessions.
              * Parity – Number of parity errors on the HSSI.
              * RX Disabled – Indicates inability to get a buffer when accessing a packet.
              * Input Errors – Sum of all errors that prevented the receipt of datagrams. This may not balance with the sum of the enumerated input errors, because some datagrams may have more than one error and others may have errors that do not fall into any of the specific categories.
              * CRC – Cyclic redundancy checksum generated mismatch. CRC errors also are reported when a far-end abort occurs and when the idle flag pattern is corrupted. This makes it possible to get CRC errors even when there is no data traffic.
              * Frame – Number of packets received incorrectly having a CRC error and a noninteger number of octets.
              * Overrun – Number of times the serial receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver’s ability to handle the data.
              * Ignored – Number of received packets ignored by the interface because the interface hardware ran low on internal buffers.
              * Abort – Number of packets whose receipt was aborted.
              * Bytes – Total number of bytes, including data and MAC encapsulation, transmitted by the system.
              * Underruns – Number of times that the far-end router’s transmitter has been running faster than the near-end router’s receiver can handle. This may never happen (be reported) on some interfaces.
              * Congestion Drop – Number of messages discarded because the output queue on an interface grew too long.
              * Output Errors – Sum of all errors that prevented the final transmission. This may not balance with the sum of the enumerated output errors, because some datagrams may have more than one error and others may have errors that do not fall into any of the specific categories.
              * Interface Resets – Number of times an interface has been completely reset.
              * Restarts – Number of times the controller was restarted because of errors.
              * Carrier Transitions – Number of times the carrier detect signal of a serial interface has changed state.
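
              As an added example (not part of the original reference), the following Python script parses the status line and the counters of the output above into a dict and maps them onto the line-state table and the counter descriptions. The SAMPLE string is a trimmed copy of the output shown at the top of the page; the regexes, the findings text and the choice of which counters are worth a look are this example's own, and the findings are starting points for troubleshooting rather than a verdict.

```python
import re

# Constructed sample: the "show interface" output from the reference above,
# trimmed to the lines this parser reads.
SAMPLE = """\
Serial3/0/23:0 is up, line protocol is up
  Hardware is PA-MC-2T3+
  MTU 1500 bytes, BW 256 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, crc 16, loopback not set
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  20950 packets input, 1992090 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort
  31524 packets output, 10804297 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 carrier transitions no alarm present
"""

# One regex per line of interest; named groups become keys of the parsed dict.
PATTERNS = [
    re.compile(r"^(?P<name>\S+) is (?P<admin>up|down|administratively down), "
               r"line protocol is (?P<proto>up|down)(?: \((?P<flag>looped)\))?", re.M),
    re.compile(r"rely (?P<rely>\d+)/255, load (?P<load>\d+)/255"),
    re.compile(r"Input queue: (?P<in_size>\d+)/(?P<in_max>\d+)/(?P<in_drops>\d+)"
               r".*?Total output drops: (?P<out_drops>\d+)"),
    re.compile(r"Received (?P<broadcasts>\d+) broadcasts, (?P<runts>\d+) runts, "
               r"(?P<giants>\d+) giants, (?P<throttles>\d+) throttles"),
    re.compile(r"(?P<input_errors>\d+) input errors, (?P<crc>\d+) CRC, "
               r"(?P<frame>\d+) frame, (?P<overrun>\d+) overrun, "
               r"(?P<ignored>\d+) ignored, (?P<abort>\d+) abort"),
    re.compile(r"(?P<output_errors>\d+) output errors, (?P<collisions>\d+) collisions, "
               r"(?P<resets>\d+) interface resets"),
    re.compile(r"(?P<carrier_transitions>\d+) carrier transitions"),
]


def parse_show_interface(text):
    """Return a dict of the status words and counters found in one interface's output."""
    stats = {}
    for pat in PATTERNS:
        m = pat.search(text)
        if m:
            for key, val in m.groupdict().items():
                stats[key] = int(val) if val is not None and val.isdigit() else val
    return stats


# Counters whose non-zero value is worth a look, with the note from the list above.
COUNTER_NOTES = [
    ("input_errors", "input errors"),
    ("crc", "CRC errors (line noise, or a far-end abort)"),
    ("abort", "aborted receptions"),
    ("throttles", "throttles (whole input queue flushed each time)"),
    ("in_drops", "input queue drops (check system buffers)"),
    ("carrier_transitions", "carrier transitions (line flapping)"),
    ("resets", "interface resets"),
]


def diagnose(stats):
    """Map the parsed fields onto the line-state table and counter notes above.

    Returns a list of short findings; an empty list means nothing to chase.
    """
    findings = []
    admin, proto, flag = stats.get("admin"), stats.get("proto"), stats.get("flag")
    if admin == "administratively down":
        findings.append("admin down: 'shutdown' is configured (or a duplicate IP address)")
    elif admin == "down" and proto == "down":
        findings.append("down/down: no carrier detect; check cabling, the CSU/DSU CD LED, the provider")
    elif admin == "up" and proto == "down":
        findings.append("up/down: router misconfiguration, missing keepalives, clocking, or a CSU/DSU or line fault")
    elif flag == "looped":
        findings.append("up/up (looped): a loop exists in the circuit; have the provider remove it")
    if stats.get("rely", 255) < 255:
        findings.append("reliability %d/255: the interface is seeing errors" % stats["rely"])
    for key, note in COUNTER_NOTES:
        if stats.get(key, 0) > 0:
            findings.append("%s: %d" % (note, stats[key]))
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_show_interface(SAMPLE)):
        print(line)
```

              Run against the sample, the script reports the one input error and the one abort; run against a "down, line protocol is down" status line it points at the carrier-detect checks from the table. Feed it the output of a real interface one at a time (the status regex is anchored to the first line of each interface's block).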


            • Cisco IPIP Tunnels

              Linux (192.168.2.1):

              /sbin/ip tunnel add tunl1 mode ipip remote 192.168.1.1
              /sbin/ifconfig tunl1 192.168.3.2 pointopoint 192.168.3.1 netmask 255.255.255.252 mtu 1500

              Cisco (192.168.1.1):

              interface Tunnel0
              ip address 192.168.3.1 255.255.255.252
              ip mtu 1500
              tunnel source 192.168.1.1
              tunnel destination 192.168.2.1
              tunnel mode ipip
            • Cisco OSPF over GRE tunnel

              Components Used

              -Cisco 7206VXR (NPE200) Router
              -Debian 2.6.8-1-386

              Network MAP

              The idea of this setup is to see the network behind the 7200 router from the Linux server using OSPF.

              1. Private network: 172.20.0.0/16
              2. The Cisco router has several VLANs, but I'll use only 172.20.6.252/32 (it is the default GW for workstations). Its real IP is *.*.*.130/32
              3. Firewall: the firewall blocks incoming connections from any “outside” host.
              4. GRE tunnel: I've chosen 172.19.0.0/24 (Linux will be 172.19.0.3 and Cisco will use 172.19.0.2)
              5. The Linux server has *.*.*.131/32 on eth1, and its default GW is *.*.*.129/32
              6. My workstation has various IPs.

              == Checking connectivity ==

              linux:~# ping *.*.*.130 -i.1
              PING *.*.*.130 (*.*.*.130) 56(84) bytes of data.
              64 bytes from *.*.*.130: icmp_seq=10 ttl=248 time=58.9 ms
              64 bytes from *.*.*.130: icmp_seq=11 ttl=248 time=58.5 ms
              64 bytes from *.*.*.130: icmp_seq=12 ttl=248 time=58.5 ms
              64 bytes from *.*.*.130: icmp_seq=13 ttl=248 time=81.3 ms
              
              linux:~# telnet *.*.*.130
              Trying *.*.*.130...
              telnet: Unable to connect to remote host: Connection refused
              

              So, as you can see, the firewall is blocking connections.

              == ACLs ==

              #(config) access-list 101 permit gre any any
              #(config) access-list 101 permit gre host 172.19.0.2 host 172.19.0.3

              Note that the first entry already permits GRE from any source to any destination, so the narrower host entry beneath it can never match. To confine the tunnel to its two endpoints, keep only a host-to-host entry that names the public endpoint addresses (the tunnel's outer source and destination); 172.19.0.2 and 172.19.0.3 are the inner tunnel addresses and never appear in the outer IP header that the ACL inspects.
              

              == Configure Tunnel interface Cisco ==

              linux:~ # telnet *.*.*.130
              Trying *.*.*.130...
              
              Connected to *.*.*.130.
              
              Escape character is '^]'.
              
              Username: xxx
              Password:
              
              >en
              Password:
              #
              cisco(config)#int tun0
              cisco(config-if)#ip address 172.19.0.2 255.255.255.0
              cisco(config-if)#no ip redirects
              cisco(config-if)#ip nat inside
              cisco(config-if)#tunnel source FastEthernet2/0.50
              cisco(config-if)#tunnel destination LinuxServer
              cisco(config-if)#exit
              cisco(config)#ip route 172.19.0.0 255.255.255.0 Tunnel0
              

              == Linux server ==

              /etc/network/interfaces

              iface tun0 inet static
              address 172.19.0.3
              netmask 255.255.255.0
              broadcast 172.19.0.255
              up ifconfig tun0 multicast
              pre-up iptunnel add tun0 mode gre local *.*.*.131 remote *.130 ttl 255
              pointopoint 172.19.0.2
              post-down iptunnel del tun0
              

              linux:~# /etc/init.d/networking restart

              linux:~# ifconfig tun0
              tun0 Link encap:UNSPEC HWaddr D0-31-73-83-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:172.19.0.3 P-t-P:172.19.0.3 Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
              RX packets:22 errors:0 dropped:0 overruns:0 frame:0
              TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1928 (1.8 KiB) TX bytes:2456 (2.3 KiB)
              
              linux:~# ip tun s
              sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
              gre0: gre/ip remote any local any ttl inherit nopmtudisc
              tun0: gre/ip remote *.*.*.130 local *.*.*.131 ttl 255
              

              == Debug ==

              linux:~# ping -i.1 172.19.0.2
              PING 172.19.0.2 (172.19.0.2) 56(84) bytes of data.
              64 bytes from 172.19.0.2: icmp_seq=1 ttl=255 time=59.6 ms
              64 bytes from 172.19.0.2: icmp_seq=2 ttl=255 time=67.9 ms
              64 bytes from 172.19.0.2: icmp_seq=3 ttl=255 time=60.9 ms
              64 bytes from 172.19.0.2: icmp_seq=4 ttl=255 time=59.6 ms
              64 bytes from 172.19.0.2: icmp_seq=5 ttl=255 time=61.9 ms
              
              cisco# ping 172.19.0.3
              
              Type escape sequence to abort.
              Sending 5, 100-byte ICMP Echos to 172.19.0.3, timeout is 2 seconds:
              !!!!!
              Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/64 ms
              cisco#
              

              So now we have our tunnel up and running.

              == Configuring OSPF ==

              [http://en.wikipedia.org/wiki/Open_Shortest_Path_First]
              [http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm]

              === Cisco ===

              cisco#sh running-config | begin router
              router ospf 100
              log-adjacency-changes
              area 1 range 172.19.0.0 255.255.255.0
              area 2 range 172.20.0.0 255.255.0.0
              redistribute static subnets route-map internal-routes
              network 172.19.0.0 0.0.0.255 area 1
              network 172.20.0.0 0.0.255.255 area 2
              network 172.22.209.208 0.0.0.15 area 2
              network 172.22.209.224 0.0.0.31 area 2
              network 172.31.254.114 0.0.0.0 area 0
              network 172.31.254.122 0.0.0.0 area 0
              network 172.31.254.208 0.0.0.7 area 0
              network 172.31.254.240 0.0.0.7 area 0
              network 172.31.255.0 0.0.0.255 area 0
              network 192.168.120.0 0.0.0.255 area 2
              

              === Linux ===

              '''zebra.conf'''

              hostname Linux
              password qwerty
              enable password qwerty
              !
              interface eth1
              !
              interface tun0
              multicast
              
              
              '''ospfd.conf'''
              
              hostname Linux
              password st0ne
              enable password passwd
              log file /var/log/quagga/ospf.log
              !
              interface tun0
              no ip ospf authentication-key
              ip ospf network point-to-point
              !
              router ospf
              ospf router-id 172.19.0.3
              area 1 range 172.19.0.0/24
              network 172.19.0.0/24 area 1
              network 172.20.0.0/16 area 2
              !
              line vty
              access-class permit-connect-only-locals
              exec-timeout 0 0
              !
              
              linux:~# /usr/lib/quagga/zebra -f /etc/zebra.conf &
              linux:~# /usr/lib/quagga/ospfd -f /etc/ospfd.conf &
              linux:~# ip r l
              172.16.19.42 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
              192.168.100.3 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
              192.168.131.3 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
              192.168.132.60 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
              172.16.19.45 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
              

              So we've started receiving routes. Now we can “see” the whole network behind the Cisco router.

              == Debugging ==

              cisco# sh ip ospf neighbor
              .........
              172.19.0.3 1 FULL/ - 00:00:30 172.19.0.3 Tunnel0
              
              cisco# sh protocols tun0
              Tunnel0 is up, line protocol is up
              Internet address is 172.19.0.2/24
              


              cisco# sh ip ospf
              Routing Process "ospf 100" with ID 172.31.255.228 and Domain ID 0.0.0.100
              Supports only single TOS(TOS0) routes
              Supports opaque LSA
              It is an area border and autonomous system boundary router
              Redistributing External Routes from,
              static, includes subnets in redistribution
              SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
              Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
              Number of external LSA 673. Checksum Sum 0x14FAA2D
              Number of opaque AS LSA 0. Checksum Sum 0x0
              Number of DCbitless external and opaque AS LSA 0
              Number of DoNotAge external and opaque AS LSA 0
              Number of areas in this router is 3. 3 normal 0 stub 0 nssa
              External flood list length 0
              Area BACKBONE(0)
              Number of interfaces in this area is 17
              Area has no authentication
              SPF algorithm executed 90578 times
              Area ranges are
              Number of LSA 900. Checksum Sum 0x1BB4B9D
              Number of opaque link LSA 0. Checksum Sum 0x0
              Number of DCbitless LSA 1
              Number of indication LSA 1
              Number of DoNotAge LSA 0
              Flood list length 0
              Area 1
              Number of interfaces in this area is 1
              Area has no authentication
              SPF algorithm executed 4 times
              Area ranges are
              172.19.0.0/24 Active(11111) Advertise
              Number of LSA 189. Checksum Sum 0x590BCE
              Number of opaque link LSA 0. Checksum Sum 0x0
              Number of DCbitless LSA 1
              Number of indication LSA 0
              Number of DoNotAge LSA 0
              Flood list length 0
              Area 2
              Number of interfaces in this area is 12
              Area has no authentication
              SPF algorithm executed 831 times
              Area ranges are
              172.20.0.0/16 Active(1) Advertise
              Number of LSA 840. Checksum Sum 0x1BBCA35
              Number of opaque link LSA 0. Checksum Sum 0x0
              Number of DCbitless LSA 4294861955
              Number of indication LSA 4294861953
              Number of DoNotAge LSA 0
              Flood list length 0
              
              linux:~#!telnet
              telnet localhost 2604
              Trying 127.0.0.1...
              Connected to localhost.
              Escape character is '^]'.
              
              Hello, this is Quagga (version 0.98.3).
              Copyright 1996-2005 Kunihiro Ishiguro, et al.
              
              User Access Verification
              
              Password:
              Password:
              > en
              Password:
              # sho ip ospf interfa
              eth0 is down
              OSPF not enabled on this interface
              eth1 is up
              OSPF not enabled on this interface
              eth2 is down
              OSPF not enabled on this interface
              gre0 is down
              OSPF not enabled on this interface
              lo is up
              OSPF not enabled on this interface
              sit0 is down
              OSPF not enabled on this interface
              tun0 is up
              Internet Address 172.19.0.3/24, Peer 172.19.0.2, Area 0.0.0.1
              Router ID 172.19.0.3, Network Type POINTOPOINT, Cost: 10
              Transmit Delay is 1 sec, State Point-To-Point, Priority 1
              No designated router on this network
              No backup designated router on this network
              Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
              Hello due in 00:00:08
              Neighbor Count is 1, Adjacent neighbor count is 1
              
              # sho ip ospf neigh
              
              Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
              172.31.255.228 1 Full/DROther 00:00:36 172.19.0.2 tun0:172.19.0.3 0 0 0
              

              Another way, without configuring ospfd, is to use iproute2 policy routing. Let's say you want to SSH to a server behind the Cisco router:

              linux:~# echo 201 ssh >> /etc/iproute2/rt_tables
              linux:~# /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
              linux:~# /sbin/ip route add default via 172.19.0.2 dev tun0 table ssh
              linux:~# /sbin/ip rule add fwmark 2 table ssh
              linux:~# /sbin/ip route flush cache

              (The name registered in rt_tables must be the same one, ssh, that the route and rule commands refer to.)
              
            • Cisco Netflow to detect infected hosts

              Using IOS with NetFlow Enabled to Detect Infected Hosts

              Netflow is a technology for obtaining traffic flow information across a network and can help identify infected hosts. Netflow must be enabled on an interface with the command ip route-cache flow. The following example shows infected hosts attempting to infect random systems on a destination port of 445, which shows in the output as the hexadecimal string 01BD. Other ports used by worm and bot variants are 7778 which is hexadecimal 1E62, 8888 which is hexadecimal 22B8, 8594 which is hexadecimal 2192, 8563 which is hexadecimal 0890, 33333 which is hexadecimal 8235, 11173 which is hexadecimal 2BA5, 8080 which is hexadecimal 1F90, 6667 which is hexadecimal 1A0B, and 69 which is hexadecimal 0045.

              The destination port 445 output is most useful at the network edge. Within the network where legitimate connections are using port 445, the other listed ports may be used to correlate the port 445 data and identify infected hosts.

              Router>show ip cache flow | include 01BD
              
              SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
              
              Fa2/0 XX.XX.XX.242 Fa1/0 XX.XX.XX.119 06 0B88 01BD 1
              Fa2/0 XX.XX.XX.242 Fa1/0 XX.XX.XX.169 06 0BF8 01BD 1
              Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.63 06 0E80 01BD 1
              Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.111 06 0CB0 01BD 1
              Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.95 06 0CA0 01BD 1
              Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.79 06 0C90 01BD 1
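
              As an added example, not part of the original page, the following Python script parses lines in the “show ip cache flow” layout above, converts the hexadecimal port columns back to decimal, and flags sources that reach many distinct destinations on one of the ports named in the text. The sample lines and their addresses are constructed (RFC 5737 documentation ranges), the port list follows the text above, and the threshold of three distinct destinations is an assumption to tune for your network.

```python
from collections import defaultdict

# Ports named in the text above, in decimal. The hex form that
# "show ip cache flow" prints is derived from them by port_hex().
WATCHED_PORTS = {
    445: "SMB (worm propagation)",
    7778: "worm/bot variant", 8888: "worm/bot variant", 8594: "worm/bot variant",
    33333: "worm/bot variant", 11173: "worm/bot variant",
    8080: "HTTP alternate", 6667: "IRC (bot control channel)", 69: "TFTP",
}


def port_hex(port):
    """Render a decimal port the way 'show ip cache flow' prints it, e.g. 445 -> '01BD'."""
    return "%04X" % port


# Constructed sample in the "show ip cache flow" layout shown above; addresses
# are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa2/0         192.0.2.242     Fa1/0         198.51.100.119  06 0B88 01BD     1
Fa2/0         192.0.2.242     Fa1/0         198.51.100.169  06 0BF8 01BD     1
Fa2/0         192.0.2.204     Fa1/0         198.51.100.63   06 0E80 01BD     1
Fa2/0         192.0.2.204     Fa1/0         198.51.100.111  06 0CB0 01BD     1
Fa2/0         192.0.2.204     Fa1/0         198.51.100.95   06 0CA0 01BD     1
Fa2/0         192.0.2.204     Fa1/0         198.51.100.79   06 0C90 01BD     1
Fa2/0         192.0.2.204     Fa1/0         198.51.100.7    06 0C91 1A0B     3
Fa2/0         192.0.2.10      Fa1/0         198.51.100.5    06 C2A1 0050   120
"""


def parse_flows(text):
    """Parse flow lines into dicts with protocol and ports converted to integers."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":      # skip the header and anything else
            continue
        flows.append({
            "src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
            "proto": int(f[4], 16), "sport": int(f[5], 16), "dport": int(f[6], 16),
            "pkts": int(f[7]),
        })
    return flows


def suspect_sources(flows, min_targets=3):
    """Return {src: {dport: distinct_destinations}} for sources that reach at
    least `min_targets` distinct destinations on one watched port.

    Single-packet flows to many different hosts on the same port are the
    fan-out of a host probing random systems, which is what the text above
    describes; a legitimate client talks to a few servers repeatedly.
    """
    fanout = defaultdict(lambda: defaultdict(set))
    for fl in flows:
        if fl["dport"] in WATCHED_PORTS:
            fanout[fl["src"]][fl["dport"]].add(fl["dst"])
    report = {}
    for src, ports in fanout.items():
        hits = {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= min_targets}
        if hits:
            report[src] = hits
    return report


if __name__ == "__main__":
    for src, hits in suspect_sources(parse_flows(SAMPLE)).items():
        for port, n in hits.items():
            print("%s -> %d distinct hosts on port %d (%s, hex %s)"
                  % (src, n, port, WATCHED_PORTS[port], port_hex(port)))
```

              On the sample, only 192.0.2.204 is reported (four distinct hosts on port 445); the source with two port-445 flows stays below the threshold, and the busy port-80 client is never considered. Paste the raw output of show ip cache flow into SAMPLE, or read it from a file, and lower min_targets if your edge sees little port-445 traffic.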
              
            • Why would you disable ‘ip routing’ on a router?

              When you issue the command ‘no ip routing’ on a router, it disables the router's ability to forward packets from one interface to another, which is the primary function of a router. When you do that, the router becomes something similar to a standard host/PC. That is why the ‘ip default-gateway’ command comes into play: that command then serves the function of the default gateway as configured on a PC.

              So if you want your router to actually route packets, then don’t disable IP routing.

              There are a couple of cases where you could safely disable IP routing on a router (but when you do so, it’s not correct to refer to the box as a router anymore):
              - when you use the ‘router’ purely as a frame-relay switch
              - when you use the ‘router’ purely as an ethernet bridge
              - when using X25 routing

              Default route, or gateway of last resort:
              ip default-gateway – only if ip routing is disabled (default gw linux style)
              ip default-network – if ip routing is disabled – router considers routes to that network for installation as the gateway of last resort on the router.
              ip route 0.0.0.0 0.0.0.0 – set gateway of last resort.

              ip route 0.0.0.0 next-hop //supposed to be used for an L3 box (router)
              ip default-gateway next-hop //supposed to be used for an L2 box (switch)

            • IP GRE Cisco Linux

              Creating Tunnel interface on Cisco

              interface Tunnel0
              ip address 172.19.2.2 255.255.255.0
              tunnel source IP_ADDR
              tunnel destination IP_ADDR
              ip nat inside

              interface FastEthernet3/0
              ip address IP_ADDR 255.255.255.252
              ip nat outside
              no ip mroute-cache
              load-interval 30
              duplex full

              Adding routes

              ip route 172.19.3.0 255.255.255.0 tunnel0

              ip access-list standard Ips
              permit 172.19.2.2
              permit 172.19.3.3

              route-map VPN permit 10
              match ip address Ips

              Configuring NAT

              ip nat inside source route-map VPN interface FastEthernet3/0 overload
              ip nat inside source static tcp 172.19.3.3 2200 fas3/0_ip_addr 7200 extendable

              !!! ip nat outside must be on the external interface where internet comes !!!

              Linux Tunnel

              [root@fastline ~]# ip tun add tun0 mode gre local LOCAL remote REMOTE ttl 255
              [root@fastline ~]# ip add add 172.19.3.3 dev tun0
              [root@fastline ~]# ip link set tun0 up
              [root@fastline ~]# ip r a 172.19.2.0/24 dev tun0
              [root@fastline ~]# echo "201 tun" >> /etc/iproute2/rt_tables
              [root@fastline ~]# ip rule add from 172.19.3.3 lookup tun
              [root@fastline ~]# ip route add default via 172.19.2.2 table tun
              [root@fastline ~]# /sbin/ip route flush cache

              This way all traffic from 172.19.3.3 will be forwarded to 172.19.2.2.

              ip r a 66.197.0.0/24 dev tun0 (traffic to this network will go via the tunnel)

              Forwarding Traffic
              Forward specific traffic:

              [root@fastline ~]# iptables -A PREROUTING -t mangle -p tcp --dport 22 -j MARK --set-mark 0x22
              [root@fastline ~]# iptables -t mangle -L -v
              Chain PREROUTING (policy ACCEPT 28 packets, 346K bytes)
              pkts bytes target prot opt in out source destination
              1 40 MARK tcp -- any any anywhere anywhere tcp dpt:ssh MARK set 0x22

              [root@fastline ~]# ip rule add fwmark 0x22 lookup tun
              [root@fastline ~]# ip route add default via 172.19.2.2 table tun