Category Archives: Cisco

Authenticating Cisco VoIP Phones via Dot1x

If anyone has attempted to authenticate Cisco VoIP phones via Dot1x and Microsoft Network Policy Server, then you know there are a few small issues. First, the username that the phones send to the RADIUS server exceeds the length allowed by Windows. Secondly, it is not a straightforward setup to get the phones to properly authenticate.

First, in Windows Server 2008 Microsoft removed support for EAP-MD5 authentication. However, you can re-add this support to NPS by modifying the registry according to Microsoft KB922574.

Because phones are the exception to my normal RADIUS policies, I used a separate Connection Request Policy for VoIP phones. I created one with the condition to match UserName = “CP-*”. This should ensure that this policy only applies to Cisco phones (because all their usernames start with CP-).

Next we need to shorten the username which the phone sends so that we can match it to a valid Windows Domain Account. To do this we use the separate VoIP Connection Request Policy. Under Settings > Attributes we need to override the User-Name attribute using a find and replace. For example, we find “CP-7975G-” and replace it with “” (an empty string). This removes the first part of the username and leaves us with the “SEP…” username. A separate find-and-replace rule has to be configured for every model of Cisco phone which needs to be authenticated, since the model name is part of the prefix.

Finally we need to configure the authentication methods. Under Settings > Authentication Methods we want to Override Network Policy Authentication Settings. We add the EAP Type “MD5-Challenge” and then check Encrypted Authentication (CHAP). This allows us to use a single Network Policy and override it only when necessary using our VoIP Connection Request Policy.

The only thing left to do is ensure that a Windows Domain Account is created with “Store password using reversible encryption” enabled (EAP-MD5 needs the clear-text password on the server side). Then enter the account password as the MD5 shared secret on the phone, turn Dot1x on the port and you’re good to go. If you’re using a Cisco switch, ensure you have dual-host authentication enabled so you can also authenticate a computer hanging off the phone.

If you need a little help troubleshooting NPS and can’t find events in the Windows Event Viewer, open a Command Prompt with “Run as administrator” and type: auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable. NPS logs then appear under Event Viewer > Custom Views > Server Roles > Network Policy Server.
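The switch side of the setup above, as an added example that is not part of the original post. It assumes NPS at 192.0.2.10, data VLAN 10, voice VLAN 20 and a phone on GigabitEthernet0/1, and takes the post’s “dual-host authentication” to mean IOS multi-domain host mode.

```cisco
! Added example, not the post's own config. Assumed values: NPS at 192.0.2.10,
! data VLAN 10, voice VLAN 20, phone on GigabitEthernet0/1.
! The RADIUS secret is a placeholder; the phone's MD5 secret is set on the phone.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-NPS-SHARED-SECRET
! Enable 802.1X globally; without this the interface commands have no effect.
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Multi-domain host mode: one voice device and one data device are authenticated
 ! separately on the same port, so the PC behind the phone needs its own identity.
 ! The phone only lands in the voice domain if NPS returns the Cisco AV-pair
 ! "device-traffic-class=voice" in its Access-Accept.
 ! (Older IOS uses "dot1x host-mode multi-domain" and "dot1x port-control auto".)
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Checks after the phone reboots:
! show authentication sessions interface GigabitEthernet0/1
! show dot1x interface GigabitEthernet0/1 details
```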

CLI Shortcuts

In my attempt to become a CLI wizard I felt like I needed to gain a little more speed and control when I’m at the command line. Holding down arrow keys or the backspace key is really a time waster, and not very accurate. So I dug around a little and found these shortcut combos. I’ve tested them in PuTTY on both a Cisco and Juniper device.

Move to Beginning of Line
Ctrl+a

Move to End of Line
Ctrl+e

Move Forward a Word
Alt+f

Move Backward a Word
Alt+b

Delete a Line (On Cisco, Only Worked From End of Line)
Ctrl+x or Ctrl+u

Delete a Character (Under Cursor)
Ctrl+d

Delete Word Forward (In Front of Cursor)
Alt+d or Esc+d

Delete Word Backwards (Behind Cursor)
Ctrl+w or Alt+Backspace

Clear Line From Cursor Forward
Ctrl+k

Link Aggregation Showdown – Juniper, Cisco, VMware

A friend and I got into a discussion regarding supported link aggregation methods between VMware and various networking vendors. As I was trying to inform him of the differences, I was sure to do my research and I thought I would share.

He was using Cisco switches and wanted to run LACP because he thought that Cisco’s EtherChannel did not have any negotiation protocol unless you used LACP. He then thought that VMware would support LACP, since it is an open standard after all. We have both been bitten by misconfigured link aggregations when connecting to VMware. It turns out he was wrong on both fronts. First of all, VMware only supports static configuration for link aggregation (NIC teaming, as they call it). Secondly, Cisco’s EtherChannel does support negotiation using PAgP (Cisco proprietary), if configured to do so. I just wanted to point this out for future reference. So I put together a quick cheat sheet for him to use when building link aggregation bundles across vendors.

Static Link Aggregation:
VMware – Configure the port group NIC teaming to “Route Based on IP Hash”
Cisco – (on each member interface)

channel-group # mode on

Juniper – (on each member interface)

set interfaces <name> ether-options 802.3ad ae#

Link Aggregation Negotiation (LACP):
VMware – Not Supported
Cisco – (on each member interface)

channel-group # mode active

Juniper – The Static Configuration +

set interfaces ae# aggregated-ether-options lacp active

Link Aggregation Negotiation (PAgP):
VMware – Not Supported
Cisco – (on each member interface)

channel-group # mode desirable

Juniper – Not Supported

There are also passive configuration options for both LACP and PAgP; however, I prefer to always statically define my port roles. These are also not complete configs for either Cisco or Juniper; I merely wanted to point out the differences in the commands between the vendors.

OSPF Quick Notes

OSPFv2 – RFC2328
OSPFv3 – RFC5340
Opaque LSA Option – RFC2370

All OSPF Routers Multicast Address – 224.0.0.5
All OSPF DRs Multicast Address – 224.0.0.6

OSPF Packet Types

  • Type 1 – Hello – Used to discover & maintain neighbors
  • Type 2 – DBD – (Database Description) Used in the adjacency formation process to exchange LSA headers
  • Type 3 – LSR – (Link State Request) Used when LSDB becomes stale or is missing an LSA
  • Type 4 – LSU – (Link State Update) Contains LSAs
  • Type 5 – LSAck – (Link State Acknowledgement) Acknowledges LSAs
    *An individual link-state acknowledgment packet can contain an acknowledgment for a single link-state update packet or for multiple link-state update packets. – JNCIS-ENT Routing Study Guide

OSPF Adjacency States

  • Down – Initial state, waiting for start event
  • Init – Hello sent but bidirectional communication not established
  • 2Way – Hello received, bidirectional communication established
  • ExStart – Routers negotiate who is in charge of LSDB sync
  • Exchange – Exchange LSA headers, if missing data send LSR
  • Full – LSDBs fully sync’d

OSPF Router Types

  • DR – Designated Router – Represent multiple routers on a broadcast link
  • DR forms Full adjacencies with all DROthers and the BDR
  • BDR – Backup Designated Router
  • BDR forms Full adjacencies with the DR and all DROthers, does not advertise learned link state info
  • DROther – Other routers on a broadcast link
  • DROthers form 2Way adjacencies with each other
  • ABR – Area Border Router – Router with links to at least 2 different areas
  • ASBR – Autonomous System Boundary Router – Injects information from outside the OSPF AS
  • Backbone Router – Any router with a link to the Backbone Area
  • Internal Router – Any router with all links in the same area

OSPF Area Types
*Multiple areas are used to shrink LSDB size and isolate troubles

  • Backbone Area (Area 0) – Distributes routes between different areas
  • Stub Area – No Type 4 (ASBR Summary) or Type 5 (AS External) LSAs are flooded, ABR floods a default route
  • Totally Stubby Area – Receives only default route (No Type 3, 4, or 5)
  • Not-So-Stubby-Area – Can receive and leak external routes in area, but external routes from other areas are not flooded (No Type 4 & 5)
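The area types above as they appear in an IOS configuration, as an added example that is not part of the original notes. It assumes one ABR bordering area 0 and three non-backbone areas, with constructed 10.x.0.0/16 addressing.

```cisco
! Added example, not from the post: one ABR bordering area 0 and three areas
! configured as the restricted area types listed above. Addressing is constructed.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.255.255 area 0
 network 10.1.0.0 0.0.255.255 area 1
 network 10.2.0.0 0.0.255.255 area 2
 network 10.3.0.0 0.0.255.255 area 3
 ! Stub: Type 4 and Type 5 LSAs stop at this ABR, which originates a
 ! Type 3 default route into the area instead.
 area 1 stub
 ! Totally stubby: "no-summary" (ABR-only keyword) also suppresses Type 3 LSAs,
 ! so routers inside area 2 see nothing but the default route.
 area 2 stub no-summary
 ! NSSA: an ASBR inside area 3 may originate Type 7 LSAs, which this ABR
 ! translates to Type 5; Type 4/5 LSAs from other areas still stay out.
 area 3 nssa
!
! Every router inside area 1 and 2 must carry the matching "area N stub"
! statement (and area 3 routers "area 3 nssa"): the stub/NSSA capability is
! carried in the Hello options field, and on a mismatch the Hello is rejected,
! so the neighbor never reaches 2Way (see the adjacency states above).
!
! Checks:
! show ip ospf            -> each area with its stub/NSSA setting
! show ip ospf neighbor   -> state FULL toward the ABR
! show ip ospf database   -> no Type 5 entries in a stub area's LSDB
```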

OSPF Route Types

  • External – Redistributed from other protocols (LSA Type 5 & 7)
  • Inter-Area – (Summary Routes) Originate from other areas (LSA Type 3 & 4)
  • Intra-Area – (Internal Routes) Originate within same area (LSA Type 1 & 2)

OSPF LSA Types

  • Type 1 – Router – Intra-Area Adjacencies (DROther to DR)
  • Type 2 – Network – Describe Broadcast Segment (DR to DROthers)
  • Type 3 – Summary – Area Summary Sent by ABR to other areas
    *OSPFv3 – Inter-Area-Prefix-LSA
    • As re-injected into other areas LSA type doesn’t change
  • Type 4 – ASBR Summary – ASBR Description Sent by ABR to other areas
    *OSPFv3 – Inter-Area-Router-LSA
    • As re-injected into other areas LSA type doesn’t change
  • Type 5 – AS-External – Sent by ASBR describing prefixes from other protocols
    *OSPFv3 – AS-External-LSA
    • As re-injected into other areas LSA type doesn’t change
  • Type 6 – Used by Multicast OSPF, deprecated in OSPFv3
  • Type 7 – NSSA External – Sent by ASBRs in NSSAs
    • Translated to Type 5 LSA by NSSA ABR
  • Type 8 – External Attributes (Intended to mimic capability of iBGP)
    *OSPFv3 – Link-LSA
  • Type 9 – Opaque LSA (Link Scope)
    *OSPFv3 – Intra-Area-Prefix-LSA
  • Type 10 – Opaque LSA (Area Scope)
  • Type 11 – Opaque LSA (AS Scope)

What is QFabric?

Yesterday Juniper released another piece to the Project Stratus puzzle. Project Stratus is Juniper’s attempt at a 3-2-1 process of flattening the data center hierarchy model. They introduced the new QFX3500 switch, and the concept of QFabric. As always, Twitter went crazy. I did enjoy the back and forth, it was educational listening to different perspectives from people much smarter than myself. A small debate broke out whether or not Juniper’s QFabric was different from Cisco’s FabricPath. I’m writing this article to hopefully entice some other opinions or blog replies. I’m sure not an expert, but I’m going to do my best to explain what I think the differences are. I’m not going to say one is better than the other, but to myself they do appear different.

Hardware

The QFX3500 is a 1U 48-port 10GE switch, fully L2/L3 capable. This box seems similar to the Cisco Nexus 5548 switch. Not much to get excited about here; it was about time Juniper released something comparable.

Is there a major difference? I’m thinking no.

The Design, Stratus, QFabric

Project Stratus is supposed to consist of the QFX3500s linked back to a large chassis switch, which has yet to be released, using Juniper’s new QSFP+ ports. This is supposed to yield an extension of the control plane (packets are processed once at ingress to the “fabric”) and a single point of management. This concept sounds to me like how the Nexus 7000 can now support Nexus 2000s hanging off of it. I see two differences here: 1. Cisco does it with standard SFP+ ports (I made the mistake of not researching the standard QSFP+ ports Juniper uses), and 2. the Nexus 2000 is little more than a dumb line card and does not do any packet processing. I’m not sure whether the way the Stratus/QFX3500 uplink works differs much from the Nexus 7k/2k uplink (i.e. fex-fabric ports vs. Juniper’s yet-to-be-released config info); I plan on doing some more research into that.

Is there a major difference? I think a few small details, but the design is quite similar.

FabricPath = QFabric?

According to Cisco, FabricPath “brings the stability and scalability of routing to Layer 2.” FabricPath is more of a L2 domain control innovation, or a stop-gap to TRILL/SPB, than a control plane extension. However, if you look at the FEX Fabric that links Nexus 5k>2k or 7k>2k, that is a more accurate comparison to QFabric. With FEX Fabric and QFabric, the packet is processed once and forwarded directly to its destination. FabricPath still relies on multiple switch hops to operate. I think Juniper looks at it from the view that if the network operates like one giant switch fabric, then there are no multiple hops and therefore no need for TRILL/SPB.

Is FabricPath = QFabric? I don’t think so. But it does sound similar to Cisco’s FEX Fabric.

Vaporware?

Yes. Juniper has only released the QFX3500 switch, which today can be used as a standard 10GE ToR switch. For Project Stratus to come together they still have to release their director chassis switch which will then use QFabric to interconnect the QFX3500s.

Final Thoughts

First I’m a little disappointed in Juniper for being so vague. If I hadn’t already talked to our Juniper reps about this release, I think I would be even more confused. Is QFabric similar to FabricPath? I still don’t think so, but I’m open to being educated. Is QFabric revolutionary? At first I thought it was, but after seeing the Twitter-discussion, I’m not so sure now. Please feel free to reply/inform/complain, I’m on Twitter @robertjuric.

IOS – VLAN Access Lists

So we all know how to filter traffic as it passes between VLANs or between L3 interfaces using standard ACLs. But what do we do about filtering traffic within a VLAN? Say we want to isolate a single host by disallowing it to communicate with other hosts in the same subnet? Enter the VACL. The switch TCAM performs the VACL matching and action as packets are switched within the VLAN or routed to or from a different VLAN. There is no need to specify an inbound or outbound direction. VACLs are configured as VLAN access maps, much like a route map.

You first have to configure the VACL:

Switch(config)# vlan access-map <map-name> [sequence-number]

The access-map entries are processed in sequence-number order, and the first entry that matches decides the action. Each entry can have one or more match conditions followed by an action:

Switch(config-access-map)# match ip address {acl-number | acl-name}
Switch(config-access-map)# match mac address <acl-name>
Switch(config-access-map)# action {drop | forward [capture] | redirect <port>}

The next step is to apply the VACL to the VLAN:

Switch(config)# vlan filter <map-name> vlan-list <vlan-list>

You are able to apply the VACL to multiple VLANs using the vlan-list. Note that an IP packet which matches none of the entries in the map is dropped, so a final entry with no match condition and “action forward” is needed unless you intend to drop everything else.
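The single-host isolation described at the top of this post, as an added example that is not part of the original. All addresses are constructed: the host is 10.1.10.50 in VLAN 10, its peers are 10.1.10.0/24, and the gateway is 10.1.10.1.

```cisco
! Added example, not the post's config: keep host 10.1.10.50 in VLAN 10 from
! talking to its peers in 10.1.10.0/24 while leaving its path to the gateway
! 10.1.10.1 (and so to other subnets) intact. Addresses are constructed.
!
! In a VACL, "permit" in the referenced ACL means "this packet matches the
! clause"; a "deny" means "not matched here, go on to the next sequence".
ip access-list extended HOST-TO-GATEWAY
 permit ip host 10.1.10.50 host 10.1.10.1
 permit ip host 10.1.10.1 host 10.1.10.50
!
ip access-list extended HOST-TO-PEERS
 permit ip host 10.1.10.50 10.1.10.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 host 10.1.10.50
!
! Sequences are evaluated lowest first; the first match decides, so the
! gateway exception must come before the broader drop entry.
vlan access-map ISOLATE-HOST 10
 match ip address HOST-TO-GATEWAY
 action forward
vlan access-map ISOLATE-HOST 20
 match ip address HOST-TO-PEERS
 action drop
! IP packets that match no clause are dropped, so a final entry with no match
! statement is needed to forward everything else (traffic to other subnets
! has a destination outside 10.1.10.0/24 and never matches HOST-TO-PEERS).
vlan access-map ISOLATE-HOST 30
 action forward
!
vlan filter ISOLATE-HOST vlan-list 10
!
! Checks:
! show vlan access-map ISOLATE-HOST
! show vlan filter
```

Non-IP frames such as ARP are not evaluated by an ip match clause and are forwarded, which is why the host can still resolve the gateway’s MAC address.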

This has been a quick and dirty look at VACLs, another tool for your toolbox.

HWIC-3G-CDMA-V Notes

I deployed our first 3G-enabled router on the Verizon network last week. Configuring the CDMA HWIC is similar to configuring the GSM one, except for the fact that I had to activate the modem first. With the GSM HWIC I was able to insert an already active SIM card and start running. The CDMA HWIC does not use a SIM card and has to use either OTA (Over The Air) or manual activation. To activate the CDMA modem I first ran ‘show cellular 0/0/0 radio’ to verify I had a signal and ‘show cellular 0/0/0 network’ to discover the SID (System ID) and the NID (Network ID) of the network. The command to perform manual activation is:

cellular slot/wic_slot/port cdma activate manual mdn msid sid nid msl

For the MDN and MSID I used the 10-digit telephone number. The SID and NID can be found in the output of ‘show cellular 0/0/0 network’, and for the MSL I just used ‘0’.

Once activation was complete I was ready to roll. One thing I noticed was that when I tried to run the chat script to reduce network attach time, the script failed out. I have not had any problems with network attach times with this CDMA HWIC. Also, because of my newly learned EasyVPN skills, no static IP addresses or static IP tunnels were necessary to get this site online. I have to say that coupled with EasyVPN, this is starting to become a more easily deployable solution. I hope that the 3G technology can meet our business needs, as it would provide much greater flexibility.

Edit/Update 7/27/2010:

I just attempted to activate another HWIC-3G-CDMA-V, but on a new IOS version, and I found out the command has changed somewhat. I was running Adv. Security 15.0(1)M2. The command was:

cellular 0/0/0 activate manual mdn msid msl

Again, the MDN and the MSID are basically the 10-digit mobile number, and I used ‘0’ for the Verizon MSL.

HWIC-3G-GSM – Network Attach Time

As of last week I now have two 3G cellular-enabled routers running two different plants. One painful issue we experienced with our first installation was the long network attach time, or the time for the HWIC to get a signal. In the case of a power outage or router reload, the time for the card to find a signal again was painfully slow. After a few incidents and much research I finally found a note in the Cisco documentation stating that for North American installs you should run a one-time CHAT script to narrow the network search range to North American bands only. I experimented with this CHAT script on my second install and saw a major improvement. I then went back and ran the script on my first installation with the same results. I feel that it is safe now to add to my list of documentation.

For the initial configuration notes see my original post here.

(config#) chat-script prl "" "at" TIMEOUT 5 "OK" AT!ENTERCND="A710" TIMEOUT 5 "OK" AT!CUSTOM="PRLREGION",02 TIMEOUT 5 "OK" "AT!RESET"

(config#) int cellular 0/0/0
(config-if#) shutdown
(config-if#) exit

(config#) debug chat

(config#) start-chat prl 0/0/0

(config#) int cellular 0/0/0
(config-if#) no shutdown
(config-if#) exit

The first part of this snippet creates the script. We then shut down the cellular interface and turn on CHAT debugging so we can verify that the script is applied successfully. Run the script and, after verification, bring the interface back up. Be sure to do a ‘no debug all’ to turn off debugging.

Feel free to leave any feedback in the comments.

STP Configuration

This is a brief overview of the commands necessary to properly set up STP.

1. Set STP Mode
(config)# spanning-tree mode rapid-pvst

2. Influence STP Topology – Specify Root and Secondary Switches
(config)# spanning-tree vlan vlan-id root primary
Tells the switch to pick a priority value, for the specified VLAN, that will force the switch to become the root switch. The same command can be given as ‘root secondary’ to specify the backup switch. You can also use the spanning-tree vlan <vlan-id> priority <#> command to modify the base priority; however, it is preferred to specify the root switch.

3. Influence STP Topology – Influence RP Selection
If you have two links to the root switch, port cost will decide which becomes the root port. Since port cost is by default based on bandwidth, when there is a tie it is decided by the lowest MAC address. You can influence this decision by manually lowering the port cost on the port you would like to be used as the root port:
(config-if)# spanning-tree vlan <vlan-id> cost <#>

*When setting the root switch or port costs you can either use the ‘vlan <vlan-id>’ keyword or omit it and apply the changes to all VLANs.

4. Enable Other Features
On switch ports that will only be used as access ports it is best to configure PortFast and BPDU Guard:
(config-if)# spanning-tree portfast
(config-if)# spanning-tree bpduguard enable
You can also specify BPDU guard to be on by default any time PortFast is enabled with the global command:
(config)# spanning-tree portfast bpduguard default
When BPDU guard sees a BPDU on the port it will err-disable the port until you manually reset it. To have the port re-enable itself, use errdisable recovery:
(config)# errdisable recovery cause bpduguard
The default recovery timeout is 300 seconds; you can modify this setting with:
(config)# errdisable recovery interval <###>

Below are some default settings and the commands to modify them:

Setting         Default                          Commands
Bridge ID       Priority + MAC                   spanning-tree vlan <vlan-id> root {primary | secondary}
                                                 spanning-tree vlan <vlan-id> priority <priority>
Interface Cost  100Mbps=19, 1Gbps=4, 10Gbps=2    spanning-tree vlan <vlan-id> cost <cost>
PortFast        Disabled                         spanning-tree portfast
BPDU Guard      Disabled                         spanning-tree bpduguard enable

To alleviate some of the need for STP, but still retain high availability on port failure, you can configure ports in EtherChannels by adding multiple interfaces to a port channel:
(config-if)# channel-group <group#> mode on

And finally some helpful debug and show commands:
show spanning-tree vlan <vlan-id>
show spanning-tree summary totals
show etherchannel <#> summary
debug spanning-tree events

Feel free to comment any suggestions or corrections!

STP Notes Continued

STP, RSTP, PVST+, RPVST

STP (802.1d) – Spanning Tree Protocol – Covered Here

RSTP (802.1w) – Rapid STP
Improves convergence times by reducing waiting times when reacting to changes in topology. Renames the port states to Discarding, Learning, and Forwarding. Implements a feature to characterize connectivity methods called either Link-type (Switch-to-Switch) or Edge-type (Switch-to-Device). Adds additional port roles to include Root Port, Designated Port, Alternate Port (like a backup RP), Backup Port (when 2 links exist in the same collision domain), and Disabled Port (shutdown ports). In RSTP, instead of waiting to forward Hello BPDUs from the root switch, switches independently generate Hello BPDUs.

PVST+, PVRST or RPVST
Allows creation of a spanning tree for each VLAN. By doing so you are able to load-balance VLANs across trunks by setting different port costs for the different VLAN spanning trees. The ability to create separate spanning trees for each VLAN is made possible by extending the Bridge ID. As I noted earlier, the Bridge ID is made up of a priority and the MAC address. PVST and RPVST go a step further and split the priority field into a smaller priority field and a System ID field which holds the VLAN ID. This creates a different BID for each VLAN.