Archive for March, 2008
Default Route via DHCP on an ASA 5505
Mar 22nd
I finally got my ASA 5505 up and running at the house, but I ran into a little problem — the box wouldn’t add the DHCP-provided default route into its routing table. That one threw me for a loop since the box is made for SOHOs, but it makes sense in some corporate, lazy way.
I got an IP from the DHCPD on the 5505, but I couldn’t get to the Internet. I checked the console, and it had an IP from the provider, so I checked ACLs; those were fine. I looked at the log and found this.
%ASA-6-110002: Failed to locate egress interface for UDP from inside:x.x.x.x/1028 to y.y.y.y/53
I had no clue what this really meant until I checked the routing table; there was no default route at all. For some reason, the ASA 5505 was ignoring the default route from the DHCP server upstream. The fix? Assuming your outside interface is VLAN 1, just do this.
interface Vlan1
ip address dhcp setroute
The box will go out and get the DHCP default route by itself, so no need to shut/no shut.
Configuring GLBP
Mar 21st
Believe it or not, I got a request for an article on how to configure GLBP. I’m as shocked as you are, so here it goes.
The Gateway Load Balancing Protocol (GLBP) is another Cisco-proprietary protocol for providing highly-available gateways on a network…but there’s a twist. GLBP, as you can figure out from the name, load-balances the traffic going through the participating routers. With HSRP and VRRP, one host is the active peer and handles all the traffic until it dies, then another peer takes over. With GLBP, all the routers accept traffic.
The key is the virtual MAC address. When you configure a router to use GLBP, it discovers all the other routers configured for GLBP, and an election is held. The winner is called the Active Virtual Gateway (AVG) and assigns virtual MAC addresses to all the members in the group (called Active Virtual Forwarders or AVFs). When a host on the network ARPs for the virtual IP, the AVG answers the request with one of the virtual MAC addresses of the AVFs. The next ARP request gets another virtual MAC, etc. Do this a few times, and the hosts are the network are splitting their traffic among all the AVFs.
Config time!
GLBP0(config)#interface f0/0
GLBP0(config-if)#ip address 192.168.0.10 255.255.255.0
GLBP0(config-if)#glbp 0 ip 192.168.0.1

GLBP1(config)#interface f0/0
GLBP1(config-if)#ip address 192.168.0.11 255.255.255.0
GLBP1(config-if)#glbp 0 ip 192.168.0.1

GLBP2(config)#interface f0/0
GLBP2(config-if)#ip address 192.168.0.12 255.255.255.0
GLBP2(config-if)#glbp 0 ip 192.168.0.1
Very simple. This sets the IP on f0/0 of three routers and enables GLBP group 0 for the IP 192.168.0.1. The group number, 0 in this case, is the same as in HSRP; you can have more than one instance of GLBP on an interface, so you have to tell it what settings go with what group.
After a few seconds of yelling at each other, the routers will have decided who the active and backup AVGs are, who the AVFs are, and what the virtual MACs for the AVFs are. After convergence, you can run the show glbp brief command to see what the status is.
GLBP0#sh glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       0    -   100 Listen   192.168.0.1     192.168.0.12    192.168.0.11
Fa0/0       0    1   -   Listen   0007.b400.0001  192.168.0.12    -
Fa0/0       0    2   -   Active   0007.b400.0002  local           -
Fa0/0       0    3   -   Listen   0007.b400.0003  192.168.0.11    -
In our example, the IP 192.168.0.12 is the AVG (GLBP2), with 192.168.0.11 being the backup AVG (GLBP1). You can also see that three virtual MACs have been assigned: 0007.b400.0001 through 0007.b400.0003.
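As an added example (this is not code from the post), here is a small Python parser for the show glbp brief output above, plus a health check of the kind you would run from a monitoring script: it pulls out the AVG, the backup AVG and the forwarder-to-virtual-MAC mapping, and flags a group with no standby AVG, fewer than two forwarders, or a virtual MAC that does not follow the 0007.b400.xxyy (group, forwarder) pattern. The second, degraded output is constructed so the check has something to fire on.

```python
from dataclasses import dataclass, field

# The 'show glbp brief' output from the post above, laid out as the router prints it.
SHOW_GLBP_BRIEF = """\
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       0    -   100 Listen   192.168.0.1     192.168.0.12    192.168.0.11
Fa0/0       0    1   -   Listen   0007.b400.0001  192.168.0.12    -
Fa0/0       0    2   -   Active   0007.b400.0002  local           -
Fa0/0       0    3   -   Listen   0007.b400.0003  192.168.0.11    -
"""

# Constructed output for a group that has lost its backup AVG (not from the post).
DEGRADED_OUTPUT = """\
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       0    -   100 Active   192.168.0.1     local           -
Fa0/0       0    1   -   Active   0007.b400.0001  local           -
"""


@dataclass
class GlbpGroup:
    interface: str
    group: int
    virtual_ip: str = ""
    avg: str = ""            # Active Virtual Gateway ('local' if it is this router)
    standby_avg: str = ""    # backup AVG, or '-' if there is none
    avg_state: str = ""      # this router's own state for the gateway role
    # forwarder number -> (virtual MAC, router owning it, this router's state for it)
    forwarders: dict = field(default_factory=dict)


def parse_show_glbp_brief(text):
    """Turn 'show glbp brief' into GlbpGroup objects, one per (interface, group)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have eight fields; the gateway row has Fwd '-', forwarder rows a number.
        if len(parts) != 8 or parts[0] == "Interface":
            continue
        iface, grp, fwd, _pri, state, addr, active, standby = parts
        g = groups.setdefault((iface, int(grp)), GlbpGroup(iface, int(grp)))
        if fwd == "-":
            g.virtual_ip, g.avg, g.standby_avg, g.avg_state = addr, active, standby, state
        else:
            g.forwarders[int(fwd)] = (addr, active, state)
    return list(groups.values())


def health_check(g):
    """Return a list of problems a network engineer would want flagged."""
    issues = []
    if g.standby_avg == "-":
        issues.append("no standby AVG: losing the AVG stops ARP replies for the virtual IP")
    if len(g.forwarders) < 2:
        issues.append("fewer than two forwarders: nothing to load-balance or fail over to")
    for fwd, (vmac, owner, _state) in sorted(g.forwarders.items()):
        # GLBP virtual MACs are 0007.b400.xxyy with xx = group and yy = forwarder number.
        expected = f"0007.b400.{g.group:02x}{fwd:02x}"
        if vmac != expected:
            issues.append(f"forwarder {fwd} has MAC {vmac}, expected {expected}")
        if owner == "-":
            issues.append(f"forwarder {fwd} has no owner")
    return issues


if __name__ == "__main__":
    for sample in (SHOW_GLBP_BRIEF, DEGRADED_OUTPUT):
        for group in parse_show_glbp_brief(sample):
            print(group.interface, group.group, group.virtual_ip, "AVG:", group.avg,
                  "standby:", group.standby_avg, "issues:", health_check(group) or "none")
```

The parser keys on field count rather than column positions, so it survives the slightly different spacing you get when an address is longer; feed it the real output of show glbp brief from each router in the group and compare the AVG and forwarder ownership they report.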
Those are the basics, but there are a few more things worth mentioning that you should look at on your own.
- By default, the load-balancing method is round robin, but you can set the GLBP balancing method to weighted, which uses configured weights on each router to determine who’s next in line for ARP replies. Use the load-balancing and weighting directives.
- You can set priorities for each router to better control which one becomes the AVG and backup AVG with the priority directive.
- You can have GLBP track objects just as you do with HSRP. Use the weighting track configuration to do so.
- You can put passwords on the GLBP group to protect yourself from random routers trying to participate and hose things up. Look at authentication.
- By default, a higher priority router won’t overthrow a lower one to become the AVG. You can turn this feature on with the preempt directive.
Trunking on a Catalyst Switch
Mar 21st
If you didn’t know already, trunks are connections between switches that carry traffic for all VLANs. They allow you to have, say, VLAN 10 and VLAN 20 on two switches appear as the same network. Unless you’re a really small shop, you’ve already dealt with trunks, so there’s no need for an introduction.
Let’s say we have a Catalyst 2950 switch with multiple VLANs connected to another 2950 configured with those same VLANs. We’ll say we have VLANs 10, 20, and 30 and that the switches are connected to port F0/24 of each switch. First, let’s turn on the trunk.
interface F0/24
switchport trunk encapsulation dot1q
switchport mode trunk
Quite easy there. With this configuration on each switch, the connection between them will carry traffic for all VLANs. The encapsulation directive tells the switches to use the IEEE standard 802.1Q for the trunk, which is VLAN tagging. Cisco has its own trunk encapsulation called ISL, but that’s not compatible with non-Cisco gear. If you have a mix of switches, just use the dot1q encapsulation so you don’t hurt yourself later.
A note on the word “encapsulation” here. Dot1q does not actually encapsulate; it adds 4 bytes to the frame header that marks the VLAN the frame is for. ISL, however, does encapsulate; it takes the whole frame, shoves it into an ISL frame, and sends it on. Since Cisco’s preferred method for a trunk is an encapsulation method, we have the directive “encapsulation” in the configs.
At this point, all VLANs are being carried across the trunk, but what if you want to use multiple trunks and send different traffic across each one? For example, let’s say that you want to have VLAN 10 traffic use a second trunk while the other VLANs use our original trunk. To do that, you get into pruning.
interface F0/24
…
switchport trunk allowed vlan 20,30

interface F0/23
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10
The switchport trunk allowed vlan directive says that only traffic on VLANs 20 and 30 are allowed across F0/24 and only VLAN 10 across F0/23. I use this type of setup to give high-bandwidth VLANs (like VLANs for backups) their own trunk so they won’t eat all the bandwidth of the other VLANs. To use the terminology, F0/24 is pruned to VLANs 20 and 30, while F0/23 is pruned to VLAN 10.
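As an added example (not code from the post), here is a Python audit of the pruning described above. It expands IOS VLAN lists (including ranges such as 20-30), works out which VLANs each trunk carries, and reports VLANs that no trunk carries or that more than one trunk carries, which would defeat the one-trunk-per-VLAN separation set up above. The configs are constructed; the second one deliberately forgets the allowed-vlan line on F0/23.

```python
# Constructed trunk config in the style of the post: F0/24 carries VLANs 20 and 30,
# F0/23 carries VLAN 10.
TRUNK_CONFIG = """\
interface F0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,30
interface F0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
"""

# Constructed: the same, but F0/23 was never pruned, so it still carries everything.
UNPRUNED_CONFIG = """\
interface F0/24
 switchport mode trunk
 switchport trunk allowed vlan 20,30
interface F0/23
 switchport mode trunk
"""

ALL_VLANS = frozenset(range(1, 4095))   # IOS default for a trunk with no allowed-vlan line


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of VLAN ids."""
    spec = spec.replace(" ", "")
    if spec in ("", "none"):
        return set()
    if spec == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_vlans(config):
    """Map each trunk interface to the VLANs it carries. The 'add', 'remove' and
    'except' forms of the allowed-vlan command are not modelled here."""
    trunks, allowed, iface = [], {}, None
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "interface":
            iface = p[1]
        elif p[:3] == ["switchport", "mode", "trunk"]:
            trunks.append(iface)
        elif p[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            allowed[iface] = parse_vlan_list("".join(p[4:]))
    return {i: allowed.get(i, set(ALL_VLANS)) for i in trunks}


def audit_trunks(config, vlans_in_use):
    """Report VLANs in use that no trunk carries, and VLANs carried by more than one
    trunk (which defeats the per-VLAN separation the post sets up)."""
    carried = trunk_vlans(config)
    uncarried, shared = set(), {}
    for v in sorted(vlans_in_use):
        where = sorted(i for i, s in carried.items() if v in s)
        if not where:
            uncarried.add(v)
        elif len(where) > 1:
            shared[v] = where
    return {"uncarried": uncarried, "shared": shared}


if __name__ == "__main__":
    print("pruned:  ", audit_trunks(TRUNK_CONFIG, {10, 20, 30}))
    print("unpruned:", audit_trunks(UNPRUNED_CONFIG, {10, 20, 30}))
```

A trunk with no allowed-vlan line carries every VLAN, which is why the audit treats a missing line as "all"; the second config shows that one forgotten line puts VLANs 20 and 30 back on both trunks, and the backup VLAN you meant to isolate is right back on the busy link.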
I also want to mention that the word trunking is used differently across different platforms. We have a nearly-totally Cisco LAN, and trunks are the connections that carry all VLANs as described. On other LAN gear, trunking is actually the act of combining port, links, cables, whatever, together to form a single logical connection (Cisco calls this EtherChannel). VLAN tagging is what other manufacturers call a Cisco trunk. It makes sense if you remember that 802.1Q simply tags the frame.
HSRP vs. GLBP
Mar 18th
HSRP (Hot Standby Router Protocol) is a Cisco-proprietary method for supplying a highly-available gateway for hosts to use. GLBP (Gateway Load Balancing Protocol) does the same thing. So, what’s the difference?
HSRP works on layer 3 and provides a standby IP address for hosts on that network to use as their gateway (or other routers to use as a next-hop for a route). Two or more routers are configured with the standby IP on a broadcast interface (usually an Ethernet of some kind), and a passive election is held to determine the active router. This router answers ARP requests for the standby IP with a virtual MAC address, so every host that sends packets to the standby IP winds up sending it to the active router. If the active router dies, another election is held, and a new king is crowned who answers for the virtual MAC; the hosts never know anything happened.
GLBP is a little different and runs on layer 2. Instead of one router taking all the traffic all the time, GLBP provides a mechanism to load-balance the standby IP. I’m sure you figured that out by the name, though. When configured, GLBP provides a standby IP just as HSRP does, but it also provides multiple virtual MAC addresses. When a host on the connected network sends an ARP request, one of the routers answers with the virtual MAC address. The next time a host ARPs, a different router answers with a different virtual MAC address. After all is said and done in our perfect world, you have an equal number of hosts sending traffic to each router doing GLBP via the virtual MACs (this never pans out due to the way machines ARP). If a router dies, one of the other participating routers takes over for that virtual MAC, and the host is none the wiser.
If you’re having problems deciding which one to use, it really all boils down to how many hosts you have on that particular network that you want to be HA. For example, if I had a network that only had two routers as the gateway and a single firewall, I’d use HSRP; there would only be the one firewall ARPing and sending traffic to the standby IP, so you’d wind up using only one router anyway. If you have a network with a thousand hosts on it (say a web farm), then go with GLBP to balance the traffic across your routers.
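To make the ARP-rotation and failover behaviour concrete, here is a toy model of a GLBP group in Python. It is an added illustration, not Cisco's algorithm and not code from either post. It covers the round-robin rotation described in the GLBP article, the weighted method its bullet list mentions (modelled here as smooth weighted round robin, an assumption), and the failover this section describes, where the surviving routers take over a dead router's virtual MAC while hosts keep the MAC they cached. The virtual MAC pattern and the takeover order are assumptions noted in the comments.

```python
import itertools
from collections import Counter


class GlbpSim:
    """Toy model of one GLBP group: an AVG handing out virtual MACs, AVFs owning them.
    Added illustration only; the selection and takeover rules are assumptions."""

    def __init__(self, routers, method="round-robin", weights=None):
        self.routers = list(routers)
        self.alive = set(routers)
        self.method = method
        # Assumption: equal weights unless the caller supplies them (the 'weighting' directive).
        self.weights = dict(weights or {r: 1 for r in routers})
        # Assumption: vMACs follow the 0007.b400.00xx pattern seen in 'show glbp brief'.
        self.owner = {f"0007.b400.00{i:02x}": r for i, r in enumerate(self.routers, start=1)}
        self._cycle = itertools.cycle(list(self.owner))
        self._credit = Counter()

    def answer_arp(self):
        """The AVG's reply to one ARP request for the virtual IP: a virtual MAC."""
        if self.method == "round-robin":
            return next(self._cycle)
        # 'weighted': smooth weighted round robin, so each AVF's share of replies is
        # proportional to its weight (assumption: Cisco's exact selection rule may differ).
        total = 0
        for vmac, router in self.owner.items():
            self._credit[vmac] += self.weights[router]
            total += self.weights[router]
        best = min(self.owner, key=lambda m: (-self._credit[m], m))
        self._credit[best] -= total
        return best

    def fail(self, router):
        """A router dies: another live router takes over its virtual MAC(s).
        Assumption: the first surviving router in configuration order takes over."""
        self.alive.discard(router)
        takeover = next(r for r in self.routers if r in self.alive)
        for vmac, r in self.owner.items():
            if r == router:
                self.owner[vmac] = takeover


def build_arp_caches(group, hosts):
    """Each host ARPs once for the virtual IP and caches the reply."""
    return {h: group.answer_arp() for h in hosts}


def frames_per_router(group, arp_caches):
    """Where each host's frames land right now, given the MAC it cached."""
    return dict(Counter(group.owner[vmac] for vmac in arp_caches.values()))


if __name__ == "__main__":
    g = GlbpSim(["GLBP0", "GLBP1", "GLBP2"])
    caches = build_arp_caches(g, [f"host{i}" for i in range(12)])
    print("round robin:      ", frames_per_router(g, caches))
    g.fail("GLBP2")
    print("after GLBP2 dies: ", frames_per_router(g, caches))
    w = GlbpSim(["GLBP0", "GLBP1", "GLBP2"], method="weighted",
                weights={"GLBP0": 2, "GLBP1": 1, "GLBP2": 1})
    print("weighted 2:1:1:   ", frames_per_router(w, build_arp_caches(w, range(8))))
```

The model has every host ARP exactly once, which is the "perfect world" case; real hosts re-ARP on their own schedules, which is why the split is never exactly even in practice. Notice that after a failure the hosts that cached the dead router's MAC never re-ARP and still get service, because the MAC now belongs to a surviving router.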
GRE Tunnels and Encryption
Mar 18th
GRE tunnels rock. They are interfaces on a router that are used to “connect” to another router somewhere on your LAN, your WAN, the Internet, wherever. The most popular use for them is for router-to-router VPNs.
I’ll let my friend Josh from blindhog.net show you how to do it. He’s got a video on how to configure the tunnels, and another on how to set it up for VPN.
Resetting Sections of the Config
Mar 18th
I was configuring a switch the other day and realized I had configured a trunk on the wrong port. God, I hate that. Instead of dumping the configuration for the port and doing a “no” on each line, I used the default command.
Switch(config)#default interface G0/1
This resets the configuration on interface G0/1 to how it was when Cisco shipped it to you. Much better than killing all the lines of the configuration one-at-a-time, eh?
Default can be used for all sorts of stuff, too. You can reset the configuration for CDP, AAA, NTP…pretty much anything. It can come in handy if you want to reset just one part of the config without touching everything else you’ve configured on the box.
AFOL-KE and Above.net
Mar 17th
It looks like there was another bad BGP announcement over the weekend. This time, a 24-bit network belonging to the country of Kenya was being advertised by Above.net. The heart of the problem is the same as it was with the YouTube problem a few weeks ago: someone who wasn’t authoritative for a network began advertising routes to that network.
While this issue didn’t have nearly the impact that the YouTube incident had, just ask the people in Kenya who were offline for several hours while things were broken. It’s just another item to add to your list of reasons that BGP needs to be fixed.
NAT on a PIX/ASA
Mar 13th
NATting sucks and can be confusing. I’m sure everyone agrees with that, but you have to use it at times. On a PIX/ASA, it’s easy to configure a simple setup, but it can be super-complicated in larger networks. In a simple lab, we have set up an ASA with inside and outside interfaces, with the inside as your internal network and the outside as the Internet.
The NAT setup here is easy.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
This NATs everyone on the inside (0.0.0.0 with a mask of 0.0.0.0, or 0/0) to the IP of the outside interface (overload in the IOS world). The nat command says who gets NATted; the global command says what they get NATted to. Notice the number “1” in both commands; this is the NAT group and allows you some flexibility in your NAT strategy. In essence, if you match a nat line with a “1” in it, you’ll be matched to a “1” on the global list.
What if you add a DMZ interface and don’t want to NAT when your inside network talks to it? That, my friend, is a little more complicated. We’ll assume your internal network is 10.0.0.0/24 and your DMZ is 192.168.0.0/24.
access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
That was painful, but what did it do? That’s a very good question.
We have multiple nat lines on the inside, so the firewall starts at the top and works its way down (there are exceptions). The first nat line has a group of 0, which is very special. If you match group 0, you are not NATted at all, and your connection is passed as-is with no changes. In our second example, you match if the ACL matches, so, if you’re going from the inside network to the DMZ, you won’t be NATted. If your connection didn’t match this line (like you’re downloading porn from the Internet), the firewall goes to the next line, which says to NAT everyone to group 1 just as we did in the first example.
Another twist here is the “nat (dmz) 1 0.0.0.0 0.0.0.0” line. This says that anything from the DMZ is NATted to group 1 just as the inside traffic is.
So, if the inside network connects to the DMZ, it doesn’t get NATted. If the inside goes to the Internet, it gets NATted to the outside IP of the firewall. If the DMZ connects to the Internet, it gets NATted to the outside IP as well, but what if the DMZ connects to the inside? That’s another story.
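As an added example (not the firewall's code and not from the post), here is a Python model of the top-down nat evaluation just described. It parses the second example's lines, walks the nat statements for the source interface in order, treats group 0 as identity, and otherwise looks for a global with the same group on the egress interface. The outside address is an assumption (the post never gives one), and the model assumes nat-control behaviour, where a nat match with no matching global on the egress interface means no translation, which is how the DMZ-to-inside case the post leaves open comes out here.

```python
import ipaddress

# Constructed config mirroring the post's inside/DMZ example.
PIX_CONFIG = """\
access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# Assumption: the post never states the outside address; this is a documentation prefix.
INTERFACE_IP = {"outside": "203.0.113.2"}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix_nat(text):
    """Collect access-lists (ip permits only), nat lines in order, and global pools."""
    acls, nats, globals_ = {}, [], {}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            acls.setdefault(p[1], []).append((_net(p[4], p[5]), _net(p[6], p[7])))
        elif p[0] == "nat":
            rule = {"iface": p[1].strip("()"), "group": int(p[2])}
            if p[3] == "access-list":
                rule["acl"] = p[4]
            else:
                rule["net"] = _net(p[3], p[4])
            nats.append(rule)   # order matters: the firewall evaluates top-down
        elif p[0] == "global":
            globals_[(p[1].strip("()"), int(p[2]))] = p[3]
    return acls, nats, globals_


def translate(cfg, src_iface, src, dst_iface, dst):
    """Return the source address as seen on dst_iface, or None if no translation exists.
    Assumption: nat-control behaviour, where a nat match with no global of the same
    group on the egress interface means the connection gets no translation."""
    acls, nats, globals_ = cfg
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in nats:
        if rule["iface"] != src_iface:
            continue
        if "acl" in rule:
            matched = any(src_ip in s and dst_ip in d for s, d in acls.get(rule["acl"], []))
        else:
            matched = src_ip in rule["net"]
        if not matched:
            continue
        if rule["group"] == 0:
            return str(src_ip)          # identity NAT: passed through unchanged
        pool = globals_.get((dst_iface, rule["group"]))
        if pool is None:
            return None                 # no global for this group on the egress interface
        return INTERFACE_IP[dst_iface] if pool == "interface" else pool
    return None


if __name__ == "__main__":
    cfg = parse_pix_nat(PIX_CONFIG)
    for path in (("inside", "10.0.0.5", "dmz", "192.168.0.9"),
                 ("inside", "10.0.0.5", "outside", "198.51.100.7"),
                 ("dmz", "192.168.0.9", "outside", "198.51.100.7"),
                 ("dmz", "192.168.0.9", "inside", "10.0.0.5")):
        print(path, "->", translate(cfg, *path))
```

The first three paths come out exactly as the post describes: untouched to the DMZ, the outside interface address toward the Internet from either side. The fourth, DMZ to inside, matches nat (dmz) 1 but finds no global (inside) 1, so the model returns None; that is the case the post leaves for another story, and it is the reason a DMZ host that needs to reach inside needs its own nat 0 or static entry before it works.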
Commenting Access-lists
Mar 12th
There’s a very-overlooked feature of access-lists — the remark. Yes, this is very basic, but it’s worth mentioning, as it has saved me anguish time and time again.
I use remarks to document each line of an ACL (on IOS, PIX, FWSM, ASA, etc.) so that when I go back later, I actually know what I did. They’re simple to use, and, I promise you, you’ll thank yourself for using it when the CTO asks why access to TCP/80 is open from the Internet to the development server.
Easy to use.
access-list 101 remark This line allows access from the Internet to the development server. See ticket 1234
access-list 101 permit tcp any host 1.2.3.4 eq 80
Now, when you get asked the inevitable question, you can look at the line and know to check ticket 1234 for more information. The remark is just a string, so you can put what you want. I like to put source and destination hostnames, protocol/port, ticket number, and date/time the line was entered for reference like this.
access-list 2001 remark *** I’net — HTTP -> dev.example.com, Ticket 1234, 12Mar2008-0853 ***
It works with the ip access-list command as well.
ip access-list extended INBOUND
remark *** I’net — HTTP -> dev.example.com, Ticket 1234, 12Mar2008-0853 ***
It might be a good idea to use a remark to document what the ACL itself does. For example, on a firewall with 28974 interfaces, you might want to do something like this.
access-list DMZ1_OUT remark This ACL allows traffic out of the DMZ interface
access-list DMZ1_OUT remark *** ….
access-list DMZ1_OUT permit …
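Since the value of remarks is that the next person can find the ticket, here is an added Python linter (not from the post) that enforces the habit: it walks classic access-list lines and ip access-list blocks, flags any permit or deny entry that is not preceded by a remark for the same ACL, and flags entries whose remark cites no ticket number. The ACL text is constructed for the example, and the ticket pattern (Ticket 1234) is an assumption you would adapt to your own ticketing system.

```python
import re

# Constructed ACL text in the style of the post; nothing here is a real site's policy.
ACL_TEXT = """\
access-list 2001 remark *** I'net -- HTTP -> dev.example.com, Ticket 1234, 12Mar2008-0853 ***
access-list 2001 permit tcp any host 1.2.3.4 eq 80
access-list 2001 permit tcp any host 1.2.3.5 eq 22
ip access-list extended INBOUND
 remark *** Vendor VPN -> mgmt.example.com ***
 permit tcp 198.51.100.0 0.0.0.255 host 1.2.3.6 eq 443
 deny ip any any log
"""

# Assumption: tickets are referenced as 'Ticket 1234' (case-insensitive, '#' optional).
TICKET_RE = re.compile(r"\bticket\s*#?\s*\d+", re.I)


def lint_acl_remarks(text):
    """Flag permit/deny entries with no remark, and remarks that cite no ticket.
    Returns a list of (line number, ACL name, message)."""
    findings = []
    named_acl = None     # inside an 'ip access-list ...' block, its name
    pending = None       # (acl, remark text) that will document the next entry
    for lineno, raw in enumerate(text.splitlines(), 1):
        p = raw.split()
        if not p:
            continue
        if p[:2] == ["ip", "access-list"]:
            named_acl, pending = p[3], None   # new block: remarks don't carry over
            continue
        if p[0] == "access-list":
            acl, words = p[1], p[2:]          # classic numbered/named syntax
        elif named_acl and p[0] in ("remark", "permit", "deny"):
            acl, words = named_acl, p         # indented line inside an ip access-list block
        else:
            continue
        if words[0] == "remark":
            pending = (acl, " ".join(words[1:]))
            continue
        entry = " ".join(words)
        if pending is None or pending[0] != acl:
            findings.append((lineno, acl, f"no remark documents: {entry}"))
        elif not TICKET_RE.search(pending[1]):
            findings.append((lineno, acl, f"remark cites no ticket: {pending[1]}"))
        pending = None   # each entry needs its own remark
    return findings


if __name__ == "__main__":
    for lineno, acl, message in lint_acl_remarks(ACL_TEXT):
        print(f"line {lineno} (ACL {acl}): {message}")
```

Run it over a show running-config capture before a change window and you get the list of entries nobody will be able to explain when the CTO asks. A remark is consumed by the entry that follows it, so a header remark describing the whole ACL does not count as documentation for its first line; put the per-line remark after it, as the DMZ1_OUT example above does.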
Wireless Headsets
Mar 5th
We all have these at our desks. Not the Bluetooth ones for your phone (we could talk about that for a while), but the 900MHz headsets that your company gave you for those long and annoying calls with the boss. These things rock, but they are oh-so insecure.
A coworker who fields support calls has one, and we decided to see how far we could go with these. We were shocked to discover that he could field a call 2 full stories downstairs from his desk. I was able to take mine 1 story away without even a single bit of static in it. I’m sure I could have taken it farther, but construction kept me from going any farther.
So, what, you say? The [tag]headsets[/tag] can only talk to their own base station, right? Well, yeah, but that doesn’t really mean much. The correct question to ask is whether or not the data is encrypted, and the answer is no. Let’s do the math, then:
No Encryption + Long Range = DANGER!
Check out this article from Steve Stasiukonis of Secure Network Technologies, Inc. Steve, an auditor by trade, describes how he gathered confidential information by listening in on wireless headsets in an office and then used that information to gain access to the building for three days!
The moral of the story: Protect your data — no matter what kind of data it is.
The second moral: Assume everything is insecure unless demonstrated to be secure.