The watchful eye of EEM

Posted on February 23, 2012 by admin

EEM is an amazing thing. It’s flexibility and power can really help us out in times of need, even when we accidentally shut down a port that can kill our connection to a router or switch.

Let’s say I want to make sure that in the event of a port getting shut down, we want to bring it straight back up to minimise downtime and make sure that we can get to the switch.
Continue reading →

ASA – Limit Internet usage during peak times

Posted on February 14, 2012 by admin

Who’s actually got the time to find who is wasting precious bandwidth?

We can stop hosts from wasting resources by policing traffic.

Continue reading →

EIGRP over GRE tunnels, over IPSEC VPN

Posted on February 8, 2012 by admin

This is a fairly strange lab, well strange in that it’s a band-aid solution.

Firstly, here are the list of restrictions and requirements:

Routers R2 and R3 are managed. You cannot modify their configuration and the service provider will not allow you to run routing protocols on their routers. They encrypt all traffic between your sites over an IPSEC VPN. They could also have used another device, such as an ASA. The key here is that there is no support for GRE tunnels, though the traffic is required to be encrypted.
The site on the right hand side love trying new things out. They have just added router R5 into the mix and before they put a server in place connected to it’s fa0/1 interface, they have created a loopback adapter to verify connectivity between sites.
The addressing design isn’t complete for R5′s new network yet, so it has been suggested that a dynamic routing protocol is used to minimise administrative overhead at the site on the left hand side.
Client 1 needs to be able to talk to Client 2.
Client 1 needs to be able to talk to 172.31.254.9 (the loopback on R5)

Continue reading →

Multicast over GRE tunnels

Posted on February 6, 2012 by admin

Here’s a common scenario:

You have R1 at your site, R5 at your remote site and you need multicast traffic flowing between them.

The routers in the light blue area are to be considered as routers that are out of your control, you cannot enable multicast routing at all.

So how do we do it:

Get everything talking. Make sure that R1 can talk to R5′s loopback of 9.9.9.9.
Create a tunnel on R1 and R5.
Enable multicast routing on R1 and R5.
Enable PIM on R1 and R5′s tunnel interfaces.
Confirm!

Continue reading →

VRF-Lite route leaking with MP-BGP and a little PBR

Posted on January 25, 2012 by admin

Here’s a fairly simple example of route leaking.

Goals:

lo0 and lo1 on R1 should be associated with their respective VRF’s.
VRF red and blue should leak routes between both of their routing tables.
lo0 should be able to speak to R2, even though the route for R2 will be in the global routing table, so we need to leak from global to VRF.

Continue reading →

ASA 8.4 Easy Static NAT

Posted on January 23, 2012 by admin

There are plenty of sites that go into depth for this topic so much better than I will here, but I’d like to share this tidbit:

Let’s assume that you wish to allow port 22/tcp from the Internet to one of your hosts.

You can simply do the following:
object network SSHServer host 192.168.1.1 nat (inside,outside) static interface service tcp 22 22

Then just amend your ACL that is applied to the outside interface as normal, such as:
access-list 101 extended permit tcp any any eq 22

I know a lot of people balk at the idea of NAT without ASDM on ASA 8.4, though I find it to be simpler to work with than NAT on older ASA images.

OSPF Authentication

Posted on January 23, 2012 by admin

This quick lab is about securing areas in OSPF.

The requirements:

Area 0 should not use any kind of authentication.
Area 1 should use authentication with participating routers using the key: “s3cure”.
Plain text (or simple) authentication should not be used, you’ll need to use MD5.

The video will begin with all routers using no authentication, we’ll then add it.

Continue reading →

Cisco ASA on BT Infinity

Posted on January 19, 2012 by admin

If you want to use a Cisco ASA on a BT Infinity connection, connect the ASA to the OpenReach box then configure the ASA to
interface Vlan2 nameif outside security-level 0 pppoe client vpdn group BTINFINITY ip address pppoe setroute ! vpdn group BTINFINITY request dialout pppoe vpdn group BTINFINITY localname bthomehub@btbroadband.com vpdn group BTINFINITY ppp authentication chap vpdn username bthomehub@btbroadband.com password ***** store-local

The password specified as ***** can be changed to anything.

Cisco ASA – Clearing IPSEC SA’s

Posted on January 19, 2012 by admin

This is something that comes up fairly often, with VPN amendments and if things don’t sort themselves out, sometimes you have to step in.
Continue reading →

Can an IP address really have 0 in the fourth octet?

Posted on January 19, 2012 by admin

I get asked this fairly often and it’s always a good question to give to someone who is learning how to subnet.

Continue reading →

netwrx.co.uk

Networking labs, examples and such.

The watchful eye of EEM

ASA – Limit Internet usage during peak times

EIGRP over GRE tunnels, over IPSEC VPN

Multicast over GRE tunnels

VRF-Lite route leaking with MP-BGP and a little PBR

ASA 8.4 Easy Static NAT

OSPF Authentication

Cisco ASA on BT Infinity

Cisco ASA – Clearing IPSEC SA’s

Can an IP address really have 0 in the fourth octet?