Powered by Blogger.
Home » All posts

Syslogs Part III

Posted by Unknown Thursday, May 30, 2013 0 comments

Now we are going to configure our SYSLOG server and will enable the router to send logs, upto severity level 7, to our SYSLOG server:




Great, now we can see the log messages coming to our SYSLOG server:






Isn't it interesting, that all the changes, critical warnings are available to you on a nice looking NMS interface. Such things are really useful in a Network Operations Center. This NMS can also be configured to send email to a group in case some warning arrives that match to our define thresholds. The kiwi SYSLOG manager is another good tool to monitor the log messages on an NMS. We will end our discussion by showing you all the stored logs in buffer on R1 by issuing the following command:






As can bee seen, all the log messages of our router are stored in the router buffer, we can track the history of any critical issue/outage and other many things from these SYSLOGS. 


General: IOS Routing Protocols Poster

Posted by Unknown Wednesday, May 29, 2013 0 comments
I came across an amazing poster on one of the brilliant computer networking blog (www.packetlife.com).

A little intro about Jeremy Stretch:

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

PS: All credit goes to Jeremy Stretch, i am just sharing this poster for a broader audience and helping the aspiring network engineers!




Download link for the poster:

http://www.mediafire.com/view/vhu4wcuwwpfblxd/IOS_Interior_Routing_Protocols-Posters.pdf



General: The Importance of Watching the Wire - Packet Life

Posted by Unknown Tuesday, May 28, 2013 0 comments
I came across an interesting problem today that I think serves as an excellent example of why packet analysis is such a critical skill for network engineers.
A few days ago, the internal network belonging to one of my employer's customers was compromised by a malicious party. Since the customer had connectivity into our network by way of a VPN tunnel and we didn't want to knowingly expose ourselves or other customers to the threat, we saw fit to temporarily sever the VPN while the breach was tended to by another party. We also upgraded the site's core switch to better support a feature useful in the analysis of the breach.
Shortly thereafter, we began receiving reports of problems with Internet connectivity from the site. Everything was reachable, it was just... slow. And worse, the issue seemed not to have any uniform effect: One person experiencing the issue might sit next to someone else who was completely immune and who noticed no difference from the day before. This of course made troubleshooting frustrating, to say the least.
First we tried reversing the firmware upgrade on the core switch, as it was reasonable to suspect we may have encountered some obscure bug, but this was quickly revealed to be a red herring as the issue persisted. On-site engineers verified that they could still reach everything (excluding of course our internal resources which were no longer reachable as a result of severing the VPN) and speed tests showed mostly normal results. There was no correlation between affected users and any access switch, VLAN, or IP subnet. We also confirmed about seventeen times that Internet traffic was in fact traveling from end hosts through the firewall directly to the Internet, with no proxy or caching servers in between.
Frustrated with the lack of progress in isolating the issue, I asked for a packet capture to be performed at the site. The testing procedure was as follows:
  • Open a web browser
  • Navigate to about:blank (this ensures that the test begins with a clean slate and guards against any rogue HTTP requests resulting from leaving the prior page)
  • Start a promiscuous packet capture in Wireshark
  • Navigate to packetlife.net and wait for the page to completely load
  • Stop and save the capture.
My motivation for choosing packetlife.net as the test target was more than mere vanity. When you load a major web site like yahoo.com or cnn.com, you're actually generating a huge number of HTTP requests under the hood for content from a dozen or so sources (content delivery networks, embedded advertisements, etc.). By using a simple, familiar site I knew what sort and number of HTTP requests to expect, which makes the job of analyzing each packet in the capture a good deal easier.
After quickly sanity-checking the packet capture to ensure that the test was completed as as designed, my first step was to isolate the initial TCP session triggered by the web request. A quick way to do this if you know the IP address of the remote server is to apply a display filter showing only traffic to or from that IP:
ip.addr==174.143.213.184
Then, right-click on the first TCP packet (the one with only the SYN flag set) and select "Follow TCP Stream". This will apply a new display filter showing only packets which belong to that TCP session. (It will also generate a new dialog showing the contents of the HTTP request, which in many cases can be quite handy but wasn't of interest at this time.)
I reviewed the TCP exchange and everything appeared normal, until I noticed the packet timestamps. After the initial three-way TCP handshake (SYN, SYN/ACK, ACK) completed, there was a delay of about five seconds before the HTTP GET request was transmitted (between packets #32 and #101 in the figure below). Under normal conditions, there should be practically zero delay between the handshake completion and the initial HTTP request, so I knew I was on to something.



(The delta time column in the screenshot was added to the default column set to show the difference in seconds between each packet and the one displayed immediately before it.)
One important clue to note is that the delay here is almost exactly five seconds; a round number to us humans. This suggests that some process triggered by or in parallel with the TCP connection is intelligently timing out at five seconds, at which point the HTTP request proceeds.
I clear the display filter and begin sifting through the packets which were captured between the establishment of the TCP session and the first HTTP request. Most of it is ambient noise. There's nothing terribly interesting except for a few unanswered TCP requests from the local host to a remote server that used to be accessible via the VPN tunnel we disconnected earlier. The requests were destined for port 5274; a quick google of the port number yielded no clues. But the answer finally clicked when I looked up the destination IP address: It was a Trend Micro antivirus server.
What does an antivirus application have to do with Internet connectivity? One of the services provided by Trend Micro and countless other AV products is the ability to filter URLs and block access from the local machine to questionable web sites. As I understand it (and I could be wrong, as we're well outside my area of expertise now), the client software hijacks the web browser's HTTP request and sends the URL to a central server which compares it against a blacklist. In this scenario, that server is no longer accessible, and the connection attempt times out after - you guessed it - five seconds. The client then "fails open," meaning that the HTTP request is allowed to continue despite receiving no response from the filtering server. (In hindsight, a big red error page complaining about AV software issues would have all but eliminated our time spent troubleshooting.)
Five seconds may not seem like a substantial amount of time, but remember how I mentioned earlier that large sites tend to pull content from myriad sources just to render a single page? If several of those request are being hijacked and delayed one after another, the cumulative delay can quickly grow to the point where angry phone calls are placed. This explanation also reveals why some users were immune to the issue: They were using an alternate antivirus product, or didn't have the URL filtering feature enabled.
Fortunately, the resolution for this issue ended up being trivial to implement. But how long do you suppose troubleshooting might have gone on had we not taken the time to inspect the wire directly? Hone your packet analysis skills well, as the investment will quickly pay off.

(This great piece of writing has been copied from as awesome blog about computer networking: http://packetlife.net/blog/2013/apr/3/importance-watching-wire/)

Syslogs Part II

Posted by Unknown Saturday, May 25, 2013 0 comments

SYSLOG server Configuration in GNS3:

We are going to configured R1 in GNS3, and using the WhatsUp Gold SYSLOG manager to collect all the logging information from R1. WhatsUP gold SYSLOG manager is a free tool and you can download it after a brief registration on WhatsUP Gold website.  






















We are using below mentioned topology for our LAB:























First of all, we enable logging severity level 7 on our router (R1):

R1(config)#Logging console 7

This will enable all sorts of logging on the router. Now let's store all this logging information in our logging buffer:

R1(config)#Logging buffered 7

It's better to specify logging buffer size too. Okay, one other thing, I would like to show you here , is the logging options available on Cisco routers:






















( more stuff will be coming soon :) ) 


MY CCNA Lab GNS3 files

Posted by Unknown Thursday, May 23, 2013 0 comments
Please use below mentioned link to download my CCNA lab GNS3 topology files, that i have created to practice anything related to CCNA.

http://www.mediafire.com/download/r3aidauhxoidxh5/CCNA_LAB.rar

Mostly i have used C2691. Only for IPv6 practice i have used Cisco7206VXR (as i was having enough RAM and processing power on my new laptop :) ) The Lab topology is as follow:



Download C2691 image for GNS3 from :

Default SIP-to-SS7 ISUP Cause Codes

Posted by Unknown Monday, April 29, 2013 0 comments
Hello Guys, today i am going to share a very informative chart with you. Most of you, who are in VoIP or Telecommunications field, they would know how helpful this chart is. Most of the time, we VoIP engineers need this chart to dig different sort of problem in VoIP/ Telecom Network. This chart is the property of http://www.dialogic.com

Please feel free to let me know your questions and confusions.

Default SIP-to-SS7 ISUP Cause Codes


ISUP Cause Value
SIP Response
Normal event
1 – unallocated number
404 Not Found
2 – no route to network
404 Not Found
3 – no route to destination
404 Not Found
16 –  normal call clearing
--- (*)
17 – user busy
486 Busy here
18 – no user responding
408 Request Timeout
19 – no answer from the user
480 Temporarily unavailable
20 – subscriber absent
480 Temporarily unavailable
21 – call rejected
403 Forbidden (+)
22 – number changed (s/ o diagnostic)
410 Gone
22 – number changed ( w/ diagnostic)
301 Moved permanently
23 – redirection to new destination
 410 Gone
26 – non-selected user clearing
404 Not Found (=)
27 – destination out of order
502 Bad Gateway
28 – address incomplete
484 Address incomplete
29 – facility rejected
510 Not implemented
31 – normal unspecified
480 Temporarily unavailable Resource unavailable
34 – no circuit available
503 Service unavailable
38 – network out of order
503 Service unavailable
41 – temporary failure
503 Service unavailable
42 – switching equipment congestion
503 Service unavailable
47 – resource unavailable
 503 Service unavailable Service or option not available
55 – incoming calls barred within CUG
403 Forbidden
57 – bearer capability not authorized
403 Forbidden
58 – bearer capability not presently available
503 Service unavailable
65 – bearer capability not implemented
488 Not Acceptable here
70 – Only restricted digital information bearer capability is available (National use)
488 Not Acceptable here
79 – service or option not implemented
501 Not implemented
Invalid message

87 – user not member of CUG
403 Forbidden
88 – incompatible destination
503 Service unavailable


102 – Call Setup Time-out Failure
504 Gateway timeout
111 – Protocol Error  Unspecified
500 Server internal error Interworking
127 – Internal Error - interworking unspecified
500 Server internal error



500 – Server internal error (default)







(*) ISDN Cause 16 will usually result in a BYE or CANCEL
(+) If the cause location is ‘user’ than the 6xx code could be given rather than the 4xx code. the cause value received in the H.225.0 message is unknown in ISUP, the unspecified cause value of the class is sent.
(=) ANSI procedure

SIP Status Code to ISDN Cause Code Mapping


Response received Cause value in the REL

400 –  Bad Request 41 – Temporary failure
401 –  Unauthorized 21 – Call rejected (*)
402 –  Payment required 21 – Call rejected
403 –  Forbidden 21 – Call rejected
404 –  Not Found 1   – Unallocated number
405 –  Method not allowed 63 –  Service or option unavailable
406 – Not acceptable 79 – Service/option not implemented (+)
407 – Proxy authentication required 21 – Call rejected (*)
408 – Request timeout 102 – Recovery on timer expiry
410 – Gone 22  –  Number changed (w/o diagnostic)
413 – Request Entity too long 127 – Interworking (+)
414 – Request –URI too long 127 – Interworking (+)
415 – Unsupported media type 79 – Service/option not implemented (+)
416 – Unsupported URI Scheme 127 – Interworking (+)
402 – Bad extension 127 – Interworking (+)
421 – Extension Required 127 – Interworking (+)
423 – Interval Too Brief 127 – Interworking (+)
480 – Temporarily unavailable 18 – No user responding
481 – Call/Transaction Does not Exist 41 – Temporary Failure
482 – Loop Detected 25 – Exchange – routing error
483 – Too many hops 25 – Exchange – routing error
484 – Address incomplete 28 – Invalid Number Format (+)
485 – Ambiguous 1 – Unallocated number
486 – Busy here 17 – User Busy
487 – Request Terminated --- (no mapping)
488 – Not Acceptable here --- by warning header
500 – Server internal error 41 – Temporary Failure
501 – Not implemented 79 – Not implemented, unspecified
502 – Bad gateway 38 – Network out of order
503 – Service unavailable 41 – Temporary Failure
504 – Service time-out 102 – Recovery on timer expiry
505 – Version Not supported 127 – Interworking (+)
513 – Message Too Large 127 – Interworking (+)
600 – Busy everywhere 17 – User busy
603 – Decline 21 – Call rejected
604 – Does not exist anywhere 1 – Unallocated number
606 – Not acceptable --- by warning header

SYSLOGs

Posted by Unknown Sunday, April 28, 2013 0 comments

SYSLOG or system logging is one of many interesting concepts in Cisco world. Log messages monitoring and audit is one of the main parts of a network engineer life. Log messages are displayed in real time on the route, once we make some changes in the network, or if any issue happens to our network devices. We can also send these log messages from the router to a centralized NMS for monitoring in a Network Operations Center.  IOS can log messages to :

  • Console
  • Monitor (VTY, AUX) usually enabled via terminal monitor command in global config mode.
  • Buffer
  • Trap (SYSLOG) to send logs to an NMS


One important thing to understand is the concept of logging levels. Logging levels simply specify the type of log messages we want to send to our desired logging buffer/terminal/server.  Different logging levels can be set via logging console command:



Let understand severity level concept:


Severity level 3 means 0, 1 , 2, 3 ( severity level  0/1/2/3 enabled), and the router will send all corresponding severity level log messages to our desired destinations.
If we don’t want to mention the severity level # , we can specifity the name of the logging severity, for which we want the router to send all updates, for example if we want to send all Critical Condition logs, we can enable it via the following command :

R1(config)#logging console critical

The severity level command comes in handy, when we want to enable different types of logging in one go. 

In the second part of this article, i will discuss the practical implementation of SysLog in GNS3.


SNMP: Simple Network Management Protocol

Posted by Unknown Saturday, April 27, 2013 1 comment

SNMP: Simple Network Management Protocol

SNMP is used for monitoring of network devices, collects logs and health statistics of different device nodes. SNMP data can be collected on a centralized NMS (Network Management System), the collected data can be plotted for a better representation of the overall network health. SNMP collects all of its data via SNMP Pooling and SNMP traps. Some famous SNMP supported NMSs are IBM Tivoli, PRTG and MRTG grapher. Many free SNMP based software is also available in the open source community.

Quick Facts about SNMP:
  • SNMP Poll uses UDP 161
  • SNMP Trap uses UDP 162
  • SNMPv3 allows username authentication and packet encryption
  • SNMP Inform requires packet acknowledgement, while SNMP Trap does not
  • SNMP versions: SNMPv1, SNMPv2c & SNMPv3
SNMP Configuration in GNS3

Suppose, we are setting in a NOC (Network Operations Center). Our network is up and running, our task is to configure an SNMP based NMS to monitor our Core Network Router (R1), which is critical for our network operations. We are using a very popular NMS, known as PRTG (Packet router traffic Grapher). PRTG is a very popular used NMS, very good, efficient and excellent graphical interface, which gives us a very remarkable view of our critical network elements.

The simple flow of the topology is as follows:

A 2691 router is connected to a cloud (in GNS3, Cloud is used to connect the router to our PC physical interface). PRTG NMS has been configured on PC1 (local host). The topology is given below:


The IPs used:

  • Fast Ethernet 0/0 ( R1) : 192.168.0.99/24
  • NMS PC1 IP : 192.168.0.100/24
SNMP enabled via the following commands on R1:

We need to configure a community string (community string is a sort of snmp password) for our snmp server on the router, in our case as we are using community string “PRTG” (using PRTG as the community string for simplicity):

snmp-server community PRTG RW

Above command, simply means that we have enabled PRTG as a password for our snmp-server. You need to use this password while configuring the SNMP settings on your NMS, in our case its PRTG. In the next step we are going to set our SNMP server host address:











Host means our SNMP server IP address, in our case it is: 192.168.0.101/24.

And you can also select which version of SNMP you want to use by:











We have done our configuration on PRTG server and have enabled the monitoring of Fast Ethernet 0/0 interface of R1. The NMS output can be shown as:



In the above example we have configured our NMS to monitor R1 Health and R1 Fast Ethernet 0/0 interface status. The sample outputs from NMS are:




Some more amazing graphs:



All the logs related to our above simple network are maintained:




SNMP Packets:

To check SNMP in action, we can use: debug snmp packets command. The sample debug output for above network is:




SNMP is the most interesting topic to study and configure, you can download many propriety and open source SNMP based NMS tools from internet to experiment with.

Shah Hussain (c) 






Changes made to ICND1 and ICND2 Exams

Posted by Unknown Monday, April 1, 2013 0 comments

List of Changes in ICND1 and ICND2 exams


A comprehensive analysis of changes made to ICND1 and ICND2 exams. Please follow these guidelines, if you are going to prepare for your ICND1 and ICND2 exams.

Changes in ICND1:


Candidates who currently have a CCENT or have passed 640-820 ICND1 exam and would like to pursue a CCNA Routing and Switching certification using the 200-101 ICND2 exam or any of the other Associate-level exams, the following shows content that has been added to the new curriculum and exam for 100-101 ICND1. Candidates are  encouraged to gain the knowledge difference before attempting to take the Associate-level exams.

Topics Removed from the ICND1 Exam: 

• Securing the Network 
• Understanding the Challenges of Shared LANs 
• Solving Network Challenges with Switched LAN Technologies 
• Wireless LANs 
• Using Cisco SDM 
• Configuring Serial Encapsulation 
• Enabling RIP 

Topics Added to the ICND1 Exam: 

• Implementing VLSM 
• Scaling the Network with NAT and PAT 
• Managing Traffic Using ACLs 
• Implementing VLANs and Trunks 
• Routing Between VLANs 
• Implementing single area OSPF 
• Introducing Basic IPv6 
• Understanding IPv6 
• Configuring IPv6 Routing 


Changes in ICND2:


Candidates who currently have a CCNA Routing and Switching certification and are preparing to recertify, should be made aware that the 200-101 ICND2 exam has been redesigned. Candidates are encouraged to review the topic modifications before attempting to take the 200-101 ICND2 exam.

Topics Removed from the ICND2 Exam: 

 • Routing Between VLANs 
• Securing the Expanded Network 
• Implementing VLSM 
• Scaling the Network with NAT and PAT 

Topics Added to the ICND2 Exam: 

 • Troubleshooting VLAN Connectivity 
• Understand Spanning Tree Protocol 
• Understand and configure Etherchannel 
• Understand Layer 3 Redundancy Protocols 
• Troubleshooting IPv4 Network Connectivity 
• Troubleshooting IPv6 Network Connectivity 
• Implementing EIGRP 
• Troubleshooting EIGRP 
• Implementing EIGRP for IPv6 
• Multi-area OSPF IPv4 Implementation 
• Understanding and configuring OSPFv3 
• Understanding and configuring clients for SNMP, Syslog and Netflow 
• Managing Cisco devices 
• Understanding and verifying Cisco licensing

Well, please prepare all these topics before appearing for your CCNA/ICND exams.


The Mystery of Network Time Protocol

Posted by Unknown Friday, March 29, 2013 2 comments

NTP : Network Time Protocol Services on CISCO routers.

Time synchronization is very critical on CISCO routers, as without accurate date and time settings, we would not be able to generate any meaningful logs on the routers. Most of the time, all the devices on a network are in synch with famous NTP servers on the internet. All the NTP servers are in synch with some Radio or Atomic Clock. Atomic clock is the defacto standard for time keeping in the world.  Atomic clocks are also used as the primary standard for controlling television broadcast wave frequency and in global positioning systems!

If our network is not connected to the internet, we can define one or two routers/switches on our network as an NTP server. We can also create different NTP peers to create redundancy and to avoid any inaccurate tuning of time.

Some quick facts about NTP:

  • NTP uses UDP as transport protocol
  • Client/Server Protocol ( Client request time from Server)
  • All NTP communication is in UTC (Universal Coordinated Time) or GMT ( Greenwich Mean Time) Format
  • NTP Startum is the value of the number of hops an NTP server is away from Root Servers, Stratum 1 value is the best value. 


In addition to above points, we can enable NTP authentication to avoid any malicious time hack on our account. We can enable NTP authentication on the client, to authenticate the NTP server prior to synchronizing with it. I think we have enough info about NTP and good to go for a small configuration example. Once again, we are using GNS3!

NTP server and Client configuration in GNS3:

In our simple NTP demonstration, we will configure two 2691 routers, one as a Server and the other as a Client. The server router is called the Master router, or in simple words, every router try to get in synch with the Master Router on the network for time keeping. Below mentioned topology is used:


R1: Master Router/NTP Server
R2: Client Router

R1: Fast Ethernet 0/0 ( 192.168.2.1/24) / R2: Fast Ethernet 0/0 ( 192.168.2.2/24)

Just imagine, we traveled via a time machine into the future, 2020, and the task is to configure our NTP servers J

As a starting step we set clock on Master router:



As the time is set, in the next step we designate our R1 as Master by issuing ntp master command:






To confirm , all the values set on our NTP Master router, use below command:











Okay, we are good to go. Now we will configure R2 as our NTP Cleint:













And after an instant, it got synchronized with its master:











We can also check ntp associations detail via:


























The above command, confirm that the originating time and the received time are totally in synchronization.
And the time can be confirmed via simple show clock command once the whole synchronization process is done:

Cient_NTP_Router#show clock detail
13:40:46.290 UTC Wed Jan 1 2020
Time source is NTP


From the above command, it can be seen that for R2, the Time source is NTP J

NTP Authentication:

NTP Authentication is one of the major requirements in production networks, as it avoids any unwanted changed to our routers and switched time clock. It's enabled on the client, to authenticate the server before accepting it as its Master. The configuration needed on the client to enable authentication are:

Cient_NTP_Router(config)#ntp authenticate
Cient_NTP_Router(config)#ntp authentication-key 1 md5 NTPDOMAIN
Cient_NTP_Router(config)#ntp trusted-key 1
Cient_NTP_Router(config)#ntp server 192.168.2.1 key 1


We only need to define the key and md5 hash value (NTPDOMAIN) on our server, which we have defined on our client:

Master_NTP_Router(config)#ntp authentication-key 1 md5 NTPDOMAIN

And that’s it!

NTP Peers: beside the Master router, we can enable other routers as NTP peers with the client routers. NTP peers create a bidirectional sort of NTP settings, in which Peer continuously updates each other time settings. In our above GNS3 topology, we have put another router, R3, as an NTP peer with R2:

































I think, i should stop now, or for the next few weeks, you will dream about NTP!! :) Enjoy.






Copyright © My CISCO Journal . All rights reserved.