Menu Close

Category: Practical – Cisco

IOS XRv – no network interfaces in GNS3

A few words about the setup. We operate a remote GNS3 server setup, where all components (server even clients) are version 2.2.25. The remote server is deployed in a Linux container.

Problem

We operate several IOS XRv 9k appliances that were in default state default during the import process. We notice the following problem. Running small topos with an IOS XRv, once the router is loaded it had no network interfaces.

Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication – simple configuration example for two Cisco routers

This config example shows a Site-to-Site configuration of IPsec VPN established between two Cisco routers. VPN will use IKEv2 protocol with PreSharedKey (PSK) remote-site authentication. Topology simulates a Branch router connected over an ISP to the HQ router. There are several options for how to configure IKEv2. In this example, I’m using the symmetric PSK witch crypto map, where the IKEv2 process is started by identifying interesting traffic using ACL. I’m also not using GRE tunnel for routing interconnection of both sides, instead, simple static default routes are used.

Topology

Configuration runs on GNS3 emulator and I’m using the CSR1000v platform with version 16.12.01a IOS XE as the older ISR platform (7200 15.4 IOS) does not support IKEv2. On real devices, IKEv2 is supported on Cisco ISR Generation 2 (G2) that runs Cisco IOS software version 15.2(4)M or later (for example 29xx ISR), ASA with 8.4.(1) and later (including ASA 5510).

Statefull NAT64 – simple configuration example on Cisco routers

The example shows a simplified configuration of a Statefull NAT64 demo, without DNS64. I instruct the stateful NAT64 router (CSR-1 – CSR100v) to translate IPv6 packets into IPv4 packets (and vice versa) using algorithmic mapping (defined by RFC 6052) of IPv4 addresses of IPv4 routers to and from IPv6 addresses by using manually defined IPv6 prefix 2001:db8::/96). In a similar manner, the IPv6 addresses of IPv6 routes are translated to and from IPv4 addresses.

Topology

R1/R2 run 7200 IOS image., R1 is pure IPv4 router, on the other site, R2 is IPv6 only.

Configuring simple MPLS network

Objective

Create a simple MPLS network and observe partial parts of MPLS functionality. MPLS network consist of four routers, two edge routers - LSE1 and LSE2 whose fastEthernet interfaces are not parts of the MPLS network and two Label Switch Routers - LSR1 and LSR2 interconnected through serial lines.

Topology

Four routers are connected in a chain line topology:

Configruration L2TP over IPsec

Configuration of L2TP over IPsec tunnel connection with Cisco router as a server and MikroTik router as a client.

Configuration of Cisco server

(config)#int loopback 0 
(config-if)#ip address 192.168.1.1 255.255.255.255
(config-if)#exit
(config)#ip local pool l2tp-pool 192.168.1.5 192.168.1.10
(config)#vpdn enable
(config)#vpdn-group l2tp-group
(config-vpdn)#accept-dialin
(config-vpdn-acc-in)#protocol l2tp
(config-vpdn-acc-in)#virtual-template 1
(config-vpdn-acc-in)#exit
(config-vpdn)#no l2tp tunnel authentication
(config-vpdn)#exit
(config)#interface virtual-template 1
(config-if)#ip unnumbered loopback 0
(config-if)#peer default ip address pool l2tp-pool
(config-if)#ppp authentication ms-chap-v2
(config-if)#exit
(config)#crypto isakmp policy 1
(config-isakmp)#encryption aes 256
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 2
(config-isakmp)#lifetime 3600
(config-isakmp)#exit
(config)#crypto isakmp key PRESHARED_KEY address 0.0.0.0 !or peer address 
(config)#crypto ipsec transform-set l2tp-ipsec-transport-esp esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport
(cfg-crypto-trans)#exit
(config)#crypto dynamic-map my-dynamic-map 1
(config-crypto-map)#set nat demux
(config-crypto-map)#set transform-set l2tp-ipsec-transport-esp
(config-crypto-map)#exit
(config)#crypto map my-static-map 1  ipsec-isakmp dynamic my-dynamic-map
(config)#interface fastEthernet 4 ! Your WAN interface
(config-if)#crypto map my-static-map
(config-if)#exit

Now we are able to connect to this router with L2TP/IPsec tunnel.

Port-Mirroring

Port-Mirroring

Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic such as an intrusion detection system, passive probe or real user monitoring (RUM) technology that is used to support application performance management (APM).

In our particular case, the faculty provided us with a Cisco Catalyst 2960 switch. We have configured this switch to mirror all internet-bound data traffic traversing the interface connected to network gateway, to the interface connected to Moloch server. As a result, we can now monitor all inbound and outbound lab traffic.

Switch(config)#monitor session 1 source fa0/1 both  

– This command specifies source interface as fa 0/1. The parameter “both” specifies both directions to be monitored.

Switch(config)#monitor session 1 destination interface fa0/24 

– This command defines the destination interface of mirrored traffic

Port-Mirror

Sources

  • CRZP Komplexný systém pre detekciu útokov a archiváciu dát – Moloch