Thursday, March 31, 2016

Traffic Policing and bandwidth management

There may be times when a single workstation or server (or several of them) uses a large amount of bandwidth on a particular interface, or when you simply need to control the overall flow of ingress or egress traffic on an interface to reduce the load on the router's CPU.  If the router's CPU sits near 100% sustained utilization, it can interfere with other functions such as routing protocols and neighbour relationships, causing routes to flap, which leads to other headaches.

As an example, one of my network implementations at a branch office consists of 2 Cisco routers and a multi-layer switch.  The routers and the switch use EIGRP to build neighbour relationships with each other on the LAN to assist the switch with route selection.  The route via the primary router is preferred using EIGRP metrics.  I also use the secondary router as the primary (via HSRP) for internet browsing, just to keep web traffic segregated from the corporate VPN traffic on a separate device.
Occasionally I run into an issue where a single user or a server starts to generate large amounts of traffic during office hours, causing the CPU on the primary router to spike and causing slowness on the WAN link of this router.  This causes the EIGRP relationship between the router and the switch to flap, causing the switch to dump its routing table and insert the routes from the secondary router, only to re-insert the routes from the primary moments later.
I use traffic policing to rate-limit the overall traffic flow into the LAN interface on the primary router to approx. 50Mbps.  I worked this figure out simply by experimenting to find the highest amount of encrypted traffic that the router can process while keeping the CPU usage low enough for the routes to NOT flap.

Here is how this is done:


Step 1:  Create an ACL to identify the traffic that should be controlled.  In my case it's ALL traffic inbound on the router's inside interface (LAN).  This can be configured for specific IPs as well.

access-list 10 permit any


Step 2:  Configure the inside interface on the router with rate-limiting based on the ACL.

interface gig0/1
rate-limit input access-group 10 50000000 25000 25000 conform-action transmit exceed-action drop


By using the above configuration, I am able to control the flow of traffic as mentioned above.
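To see what the numbers in the rate-limit command mean in practice, here is an added example (my own illustration, not Cisco code and not part of the original configuration) that models the CAR policer as a token bucket: 50000000 is the committed rate in bits per second, and 25000/25000 are the normal and maximum burst sizes in bytes.  Because the two burst values are equal there is no extended-burst borrowing, so a single bucket reproduces the conform/exceed decision.  The packet streams it polices are constructed sample data.

```python
"""Token-bucket model of the CAR policer used in this post.

Added illustration, not Cisco code. It reproduces the conform/exceed decision that
  rate-limit input access-group 10 50000000 25000 25000 conform-action transmit exceed-action drop
implies when burst-normal equals burst-max (no extended burst), and runs it over
constructed packet streams.
"""

SCALE = 1_000_000  # tokens are kept in microbits so every step is exact integer arithmetic


class CarPolicer:
    """Single-rate, single-bucket policer: rate in bits/s, bucket depth in bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.capacity = burst_bytes * 8 * SCALE
        self.tokens = self.capacity  # the bucket starts full
        self.last_us = None

    def offer(self, now_us: int, size_bytes: int) -> str:
        """Decide conform ('transmit') or exceed ('drop') for one packet."""
        if self.last_us is not None:
            # refill: rate_bps bits per second == rate_bps microbits per microsecond
            self.tokens = min(self.capacity, self.tokens + self.rate_bps * (now_us - self.last_us))
        self.last_us = now_us
        cost = size_bytes * 8 * SCALE
        if cost <= self.tokens:
            self.tokens -= cost
            return "transmit"  # conform-action transmit
        return "drop"          # exceed-action drop; no tokens are consumed


def police(packets, rate_bps=50_000_000, burst_bytes=25_000) -> dict:
    """Run a list of (timestamp_us, size_bytes) through the policer and return counters."""
    policer = CarPolicer(rate_bps, burst_bytes)
    stats = {"transmit": 0, "drop": 0, "transmit_bytes": 0}
    for ts_us, size in packets:
        action = policer.offer(ts_us, size)
        stats[action] += 1
        if action == "transmit":
            stats["transmit_bytes"] += size
    return stats


def constructed_stream(pps: int, size_bytes: int, seconds: int) -> list:
    """Constructed sample traffic: evenly spaced packets of a single size."""
    interval_us = SCALE // pps
    return [(i * interval_us, size_bytes) for i in range(pps * seconds)]


if __name__ == "__main__":
    # 1500-byte packets at 10,000 pps is 120 Mbps offered load against the 50 Mbps policer
    flood = police(constructed_stream(pps=10_000, size_bytes=1500, seconds=1))
    print("flood:", flood, "->", flood["transmit_bytes"] * 8 / 1e6, "Mbps forwarded")
    # 3,000 pps of 1500-byte packets (36 Mbps) stays under the rate and is never dropped
    print("well-behaved:", police(constructed_stream(pps=3_000, size_bytes=1500, seconds=1)))
```

Running it shows the 120 Mbps flood being cut to roughly 50 Mbps (4182 of 10000 packets transmitted; the small overshoot is the initial 25000-byte burst the full bucket allows), while the 36 Mbps stream passes untouched.  Raising burst-normal lets a longer spike through before drops start, which is the knob to turn if short bursts of legitimate traffic are being clipped.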


Monday, March 28, 2016

Blocking P2P file sharing with Bittorrent

P2P file sharing is a nightmare for any network/security administrator.  Bittorrent apps are extremely "sneaky" in the sense that they get around most security measures by using random TCP ports.  They can also be used to download content that may be harmful to the enterprise, such as malware or copyright-protected material.  If an employee uses a bittorrent app and downloads copyright-protected media from the internet, it is the company that is held liable and may be penalized for the content downloaded.  I have used various methods to block this type of traffic, such as ACLs, layer 7 inspection on the firewalls and NBAR discovery; however, none of these were able to block such traffic 100% of the time.
Cisco came up with NBAR2, or Next Generation NBAR, which uses advanced classification techniques to detect such traffic.  Using the steps below, I have been able to kill P2P (Bittorrent) traffic right in its path 99.9% of the time.

Requirements:
1.  IOS software version 15.4(3)M3 or newer
2.  Latest NBAR2 package from Cisco that matches the IOS

     IOS used for this document: c3900e-universalk9-mz.SPA.154-3.M3.bin
     NBAR2 package name: pp-adv-isrg2-154-3.M2-20-14.0.0.pack

STEP 1: Upgrade the router IOS to the latest version as stated above
STEP 2: Upload the NBAR2 package to the router's flash
STEP 3: Install the NBAR2 package:

ip nbar protocol-pack flash0:pp-adv-isrg2-154-3.M2-20-14.0.0.pack

Confirm the correct NBAR package is now installed with the following command:

show ip nbar protocol-pack active

Active Protocol Pack:
Name:                            Advanced Protocol Pack
Version:                         14.0
Publisher:                       Cisco Systems Inc.
NBAR Engine Version:             20
Creation Time:                   Wed Mar 25 13:17:24 UTC 2015
File:                            flash0:pp-adv-isrg2-154-3.M2-20-14.0.0.pack
State:                           Active
             
STEP 4: Create a class-map to identify P2P traffic

class-map match-any P2P-PROTOCOLS
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol bittorrent
 match protocol irc
 match protocol bittorrent-networking
 match protocol encrypted-bittorrent

The last two matches, bittorrent-networking and encrypted-bittorrent, are VERY IMPORTANT.

STEP 5: Create a policy-map for the above class-map

policy-map P2P-DROP
 class P2P-PROTOCOLS
  drop

STEP 6: Apply the above policy-map and NBAR protocol discovery to the LAN interface of the router

interface GigabitEthernet0/1
 ip nbar protocol-discovery
 service-policy input P2P-DROP


Peer to Peer file sharing was successfully blocked following this configuration.




Show commands:

show ip nbar protocol-discovery
show ip nbar protocol-discovery interface <interface>
show policy-map interface <interface>
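As an added example (mine, not Cisco's tooling and not part of the original post), the following Python parses the show ip nbar protocol-pack active output from step 3 and checks that the active pack is consistent: state Active, the expected engine version, and a filename whose engine and version fields agree with what the router reports.  The field layout of the pack filename is inferred from the single pack name in this post and is an assumption, not a documented Cisco naming rule.

```python
import re

# Constructed copy of the `show ip nbar protocol-pack active` output shown in
# this post; it is the sample input for the parser below.
SAMPLE_OUTPUT = """\
Active Protocol Pack:
Name:                            Advanced Protocol Pack
Version:                         14.0
Publisher:                       Cisco Systems Inc.
NBAR Engine Version:             20
Creation Time:                   Wed Mar 25 13:17:24 UTC 2015
File:                            flash0:pp-adv-isrg2-154-3.M2-20-14.0.0.pack
State:                           Active
"""

# Field layout inferred from the one pack name on this page
# (pp-adv-<platform>-<ios>-<engine>-<version>.pack); an assumption, not a Cisco spec.
PACK_NAME_RE = re.compile(
    r"pp-adv-(?P<platform>[^-]+)-(?P<ios>\d+-\d+\.M\d+)-(?P<engine>\d+)-(?P<version>[\d.]+)\.pack$"
)


def parse_protocol_pack(output: str) -> dict:
    """Turn the key/value lines of the show output into a dict.

    Only the first colon separates key from value, so 'Creation Time: Wed Mar 25 13:17:24'
    and 'File: flash0:pp-...' keep their embedded colons intact.
    """
    info = {}
    for line in output.splitlines():
        stripped = line.strip()
        if ":" not in stripped or stripped.endswith(":"):
            continue  # skips the 'Active Protocol Pack:' banner and blank lines
        key, value = stripped.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def parse_pack_filename(path: str) -> dict:
    """Split 'flash0:pp-adv-isrg2-154-3.M2-20-14.0.0.pack' into platform/ios/engine/version."""
    name = path.split(":", 1)[-1]  # drop the 'flash0:' filesystem prefix if present
    match = PACK_NAME_RE.search(name)
    if not match:
        raise ValueError(f"unrecognised protocol pack name: {name!r}")
    return match.groupdict()


def check_protocol_pack(output: str, expected_engine: str = "20") -> list:
    """Return a list of problems; an empty list means the active pack looks consistent."""
    info = parse_protocol_pack(output)
    problems = []
    if info.get("State") != "Active":
        problems.append(f"pack state is {info.get('State')!r}, expected 'Active'")
    reported_engine = info.get("NBAR Engine Version")
    if reported_engine != expected_engine:
        problems.append(f"engine version {reported_engine!r} != expected {expected_engine!r}")
    if "File" not in info:
        problems.append("no File field in output")
        return problems
    fields = parse_pack_filename(info["File"])
    if fields["engine"] != reported_engine:
        problems.append("engine version in filename does not match the reported engine")
    if not fields["version"].startswith(info.get("Version", "?")):
        problems.append("pack version in filename does not match the reported version")
    return problems


if __name__ == "__main__":
    print(parse_pack_filename(parse_protocol_pack(SAMPLE_OUTPUT)["File"]))
    print("problems:", check_protocol_pack(SAMPLE_OUTPUT))
```

Pasting the live output of the show command into this check after an upgrade confirms the pack really took effect; an empty problem list for the output above means the classification in steps 4 to 6 is running against the pack you intended.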




Cellular EHWIC reboot without rebooting the router

Enhanced High-speed WAN Interface Cards (EHWICs) provide backup connectivity to a Cisco router when the regular high-speed service fails.  With the advancement in cellular technology (LTE/4G), more and more businesses are starting to use EHWICs for their primary WAN connectivity.  LTE can provide bandwidth in excess of 100Mbps, making this an extremely attractive solution.

At times you may need to reset the modem.  This can be done either by rebooting the router (which may not be desirable) or simply by using the commands below to reboot the modem alone.


service internal
test cellular 0/0/0 modem-power-cycle


Sunday, March 27, 2016

Configuring a Cisco router to act as a DHCP server on the LAN


Typically, an enterprise's LAN may contain one or more dedicated DHCP servers to serve IP addresses on one or more subnets.  These servers may also serve as domain controllers and provide DNS for the LAN.  Sometimes at a smaller branch office location, there may not be a dedicated DHCP server.  You can use your Cisco router running IOS to act as the DHCP server at such locations.

Setting up a DHCP server on the router is fairly straightforward: you define a name for the DHCP pool, specify the network and mask for the subnet you are providing DHCP services for, and specify the default gateway for the DHCP scope, the DNS servers and, optionally, lease times etc.
You can also reserve addresses by excluding a range from the pool.  The router will skip the excluded range of IPs when assigning IP addresses on the LAN.


ip dhcp excluded-address 10.10.10.2 10.10.10.50
!
ip dhcp pool local-pool
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server <IP-Address>
!
interface GigabitEthernet0/1
desc LAN
ip address 10.10.10.1 255.255.255.0
no shutdown
!


The above configuration reserves the IPs ranging from 10.10.10.2 to 10.10.10.50 by excluding them from the pool
(10.10.10.1 is the IP address assigned to the router's LAN interface, so it is automatically skipped).
The DHCP pool called local-pool is configured to assign IPs on subnet 10.10.10.0 with a /24 mask.
The router's LAN interface is set up as the default gateway for the subnet.
The DNS server is set; you can set this to any servers of your choice.
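As an added example (not part of the original post and not Cisco software), the following Python parses the DHCP configuration above with the standard ipaddress module and works out exactly which addresses the pool can hand out, applying the two rules described above: excluded ranges are skipped, and so is the router's own interface address.  The dns-server value 10.10.10.53 stands in for the <IP-Address> placeholder and is constructed.

```python
import ipaddress

# Constructed copy of the config from this post, with a made-up DNS server
# (10.10.10.53) in place of the <IP-Address> placeholder.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.10.10.2 10.10.10.50
!
ip dhcp pool local-pool
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.53
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
"""


def parse_dhcp_config(config: str) -> dict:
    """Pull the pool network, excluded ranges, gateway and interface addresses out of the config."""
    parsed = {"network": None, "excluded": set(), "interface_ips": set(), "gateway": None}
    for raw in config.splitlines():
        parts = raw.split()  # split() also strips the IOS sub-mode indentation
        if parts[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.IPv4Address(parts[3])
            # the command accepts a single address or a low/high range
            high = ipaddress.IPv4Address(parts[4]) if len(parts) > 4 else low
            parsed["excluded"].update(ipaddress.IPv4Address(n) for n in range(int(low), int(high) + 1))
        elif parts[:1] == ["network"]:
            parsed["network"] = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
        elif parts[:1] == ["default-router"]:
            parsed["gateway"] = ipaddress.IPv4Address(parts[1])
        elif parts[:2] == ["ip", "address"]:
            parsed["interface_ips"].add(ipaddress.IPv4Address(parts[2]))
    return parsed


def assignable_addresses(config: str) -> list:
    """Addresses the pool can lease: subnet hosts minus exclusions and the router's own IPs."""
    p = parse_dhcp_config(config)
    return [a for a in p["network"].hosts()
            if a not in p["excluded"] and a not in p["interface_ips"]]


def pool_summary(config: str) -> dict:
    """First/last leasable address, pool size, and whether the gateway lives in the subnet."""
    p = parse_dhcp_config(config)
    addrs = assignable_addresses(config)
    return {
        "first": str(addrs[0]),
        "last": str(addrs[-1]),
        "count": len(addrs),
        "gateway_in_subnet": p["gateway"] in p["network"],
    }


if __name__ == "__main__":
    print(pool_summary(SAMPLE_CONFIG))
```

For the configuration above this yields 204 leasable addresses, 10.10.10.51 through 10.10.10.254, which is the number of clients the scope can actually serve once the reserved block and the gateway are taken out.  The same function is a quick sanity check before adding a second excluded range: if the count drops to zero or the gateway falls outside the network, the pool is misconfigured.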

Also note, if you have more than one subnet on the network for which you want to set up separate DHCP scopes, you may have to create a trunk between the router's LAN interface and the switch.  This can be achieved using the Router on a Stick solution.

Wednesday, March 23, 2016

IOS recovery on an embedded AP in a Cisco router if the AP is in rommon - Applies to AP801


Sometimes, if you lose network connectivity in the middle of an AP IOS upgrade on a Cisco router with an embedded WAP, the flash on the AP itself may get corrupted.  This will cause the AP to boot into ROMMON with no access to flash0:.
You can issue the format flash0: command to format the flash.  Once that's done, follow the steps below to load IOS onto the embedded AP.


Embedded AP is connected internally with the host router via an internal console and an internal switchport (wlan-gig0/0)

1. Ensure the AP is clean and does not contain any bootloader configuration commands by issuing the below command on the host router:
service-module wlan-ap0 reset bootloader
**ABOVE COMMAND WILL RELOAD THE AP AND BRING IT BACK TO ROMMON**

2. Assign a static IP to the AP
set IP_ADDR 172.18.1.3
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 172.18.1.45  (Host router's BVI IP address)

3. On the host router, create a bridge interface and assign a static IP in the same subnet to the BVI interface:

 bridge irb
 bridge 1 protocol ieee
 bridge 1 route ip

int gig0/0
no ip address
bridge-group 1

int vlan 1
no ip address
bridge-group 1

int bvi1
ip add 172.18.1.45 255.255.255.0

NOTE: You will need to assign IP UNNUMBERED to interface wlan-ap0.  I used ip unnumbered bvi1 command on the interface.


4. On the AP, issue below commands

ether_init
tftp_init
flash_init

Now issue the below command to download the IOS from a TFTP server.  Ensure you have connectivity with the TFTP server.

tar -xtract tftp://172.18.1.50/<AP-IOS.tar> flash:


AP should now load the new IOS.  This may take a while.  Once complete, issue the BOOT command to reload the AP with the new IOS.


About Me

Hello everyone, welcome to my blog. This is my first time writing one and I am super excited to get started! I hope you will enjoy this journey with me and hopefully come upon some useful tips that may help you with your own projects.  I also welcome any edits or corrections, so please feel free to write to me directly and I will include your edits with proper credit.
In this first article I will talk briefly about myself, followed by the idea and my reason for starting this journey.  So without further ado, let's get started.
As you have likely guessed from the title, my name is Ricky. I am currently working for a firm as a Senior Network Administrator in the Greater Toronto Area. I have been in the field of networking for more than 10 years. I started out as a Junior Network Engineer for a very well known Canadian retail corporation. Prior to that I graduated with Honours from Sheridan Community College with an Advanced Diploma in Systems Analyst.  I have been around computers all my life and it was just natural for me to follow my passion into the field of Information Technology.  I acquired my first Cisco certification, CCNA in Routing & Switching, back in 2011.  This was followed by a CCNA Security and CCNA Wireless soon after.  I find that my work requires me to learn not one or two skills but a variety of them all at the same time, and more.  Over the last several years, I have learned many skills and tricks simply by hands-on experience, not taught by any courses.  It is these skills that I will try to share with you on this blog, with the hope that someone may find something useful in solving any issues that may come up on their own networks.