Archive for the ‘access’ tag
ACLs in IPv6 aren’t that different from what you’re used to dealing with in the IPv4 world. You create a list of denies and permits for use with some other structure like filtering, PBR, and all sorts of other stuff. Let’s take a look at building an ACL and filtering traffic with it.
For those playing at home, here’s the setup I used to generate the configs and get the output.
The first thing you need to know is that all IPv6 ACLs are extended and named. There’s no concept of numbering and using standard list types that include the destination only. This is a good thing in my opinion, and I’ve been doing that in my IPv4 ACLs for many years now. This allows (forces?) you to use descriptive names and very specific entries. Sometimes my entries are too specific, but that’s usually because people don’t include all the requirements. I digress.
Creating an IPv6 ACL is so similar to the way you do it in IPv4 that I don’t even want to mention it. I’ll just give an example that we’ll use in a second. As usual, we’re using IOS on Cisco devices.
ipv6 access-list TRANSIT-ACL
 permit tcp host 2001:DB8:0:1::2 host 2001:DB8::1 eq telnet
 deny ipv6 any any log
No numbers or ACL types means the config is a lot simpler and cleaner. You can see that TRANSIT-ACL is allowing telnet from 2001:db8:0:1::2 to 2001:db8::1 and denying everything else. Of course, it’s also logging the denies to syslog so we know what’s going on. This shouldn’t be foreign to you at all. Note: This is a lab, and we’re just allowing telnet as a demonstration. You should always yell at people who try to use telnet and show them how to use SSH. Just sayin’.
On a tangent, I just realized that I actually typed deny any any log in the last line, and the router took it to mean all IPv6. Cool.
At some point, you’ll want to see what kind of matches you’re getting on the ACL. You can do a show ipv6 access-list or just a show access-list to see them. Of course, if you have any IPv4 ACLs configured, those will be included in the latter, but the IPv6 portion of the output is the same either way.
R2#show access-lists
IPv6 access list TRANSIT-ACL
    permit tcp host 2001:DB8:0:1::2 host 2001:DB8::1 eq telnet (24 matches) sequence 10
    deny ipv6 any any log (19 matches) sequence 20
Here you can see the entries of the ACL and see that it has already been applied somewhere since it has hits. The obvious difference between this output and that of an IPv4 ACL is the sequence number. In the IPv4 world, the sequence comes before the entry (10 permit tcp …). Here, it comes afterwards. I’m not yet sure if this is better or not. I’ll reserve judgement until I get some more experience with it.
If you’ve done ACLs a lot, you can probably tell that this ACL was meant for filtering traffic on an interface. Let’s apply it to F0/1 to do just that.
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter TRANSIT-ACL in
Make note that we use the traffic-filter directive on the interface along with the ACL name and the direction. Simple stuff.
There is a problem here, though. If you remember your extensive IPv6 training, you know that we no longer have the concept of ARP to map layer-3 addresses to layer-2 addresses. To find layer-2 neighbors, IPv6 devices use neighbor discovery (ND), which itself uses ICMPv6, to look for connected devices. Since ICMPv6 is a layer-3 protocol like IP, when you apply this ACL as shown, you’ll not find any new neighbors on F0/1. If a new router has a route to 2001:db8:0:1::1, there’s no way to discover its layer-2 address, and I’ll let you guess how that works out. Not very well. The fix is just to allow ICMPv6 into the interface; the details of that get involved very quickly, so I’ll save them for later.
When one device sends ND packets, it uses its link-local address as the source and the multicast address FF02::1 (the all routers group) as the destination. You can see that in the log from before we fixed our neighbor problem.
*Mar 1 01:10:07.735: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 2 packets
R2#
*Mar 1 01:15:07.739: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 2 packets
R2#
*Mar 1 01:21:07.735: %IPV6-6-ACCESSLOGDP: list TRANSIT-ACL/20 denied icmpv6 FE80::C002:15FF:FE58:0 -> FF02::1 (134/0), 1 packet
This looks pretty standard, but you can see that the message content includes the ACL name followed by the sequence number. Now you can see exactly which entry is denying the traffic instead of having to go through the whole 8482482-line ACL to see what happened. I’m digging that a lot.
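To make the first-match behaviour (and the neighbor-discovery problem it causes) concrete, here is an added Python model of IPv6 ACL evaluation. It is example code written for this page, not IOS code and not from the post. It parses the post’s TRANSIT-ACL, appends the implicit entries IOS places at the end of every IPv6 ACL (permit ND neighbor solicitation and advertisement, then deny all), and shows that an explicit deny ipv6 any any placed above them shadows those ND permits. A second, constructed ACL puts explicit ICMPv6 permits ahead of the deny; the message-type keywords nd-ns, nd-na and router-advertisement are assumed to be the IOS spellings and are not quoted from the post. The sample packets (the permitted telnet session and the type-134 router advertisement from the log) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACLs. ORIGINAL_ACL is the post's TRANSIT-ACL; FIXED_ACL adds
# explicit ICMPv6 permits for neighbor discovery and router advertisements ahead
# of the catch-all deny. The message-type keywords are assumed IOS spellings.
ORIGINAL_ACL = """\
ipv6 access-list TRANSIT-ACL
 permit tcp host 2001:DB8:0:1::2 host 2001:DB8::1 eq telnet
 deny ipv6 any any log
"""
FIXED_ACL = """\
ipv6 access-list TRANSIT-ACL
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-advertisement
 permit tcp host 2001:DB8:0:1::2 host 2001:DB8::1 eq telnet
 deny ipv6 any any log
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}
ICMP_TYPES = {"router-advertisement": 134, "nd-ns": 135, "nd-na": 136}
ANY6 = ipaddress.IPv6Network("::/0")

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMPv6 type number

@dataclass
class Entry:
    seq: Optional[int]               # None marks IOS's implicit trailing entries
    action: str
    proto: str                       # "tcp", "udp", "icmp" or "ipv6"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int]
    icmp_type: Optional[int]
    log: bool

def _addr(tokens):
    # Consume 'any', 'host X' or 'X/len' from the front of the token list.
    tok = tokens.pop(0)
    if tok == "any":
        return ANY6
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)

def parse_acl(text):
    """Parse ACL text into (name, entries), numbering entries 10, 20, ... like IOS."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name = lines[0].split()[-1]
    entries = []
    for i, line in enumerate(lines[1:], start=1):
        tokens = line.split()
        action, proto, tokens = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr(tokens), _addr(tokens)
        dport, icmp_type, log = None, None, False
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":
                port = tokens.pop(0)
                dport = PORT_NAMES.get(port) or int(port)
            elif tok == "log":
                log = True
            elif tok in ICMP_TYPES:
                icmp_type = ICMP_TYPES[tok]
        entries.append(Entry(i * 10, action, proto, src, dst, dport, icmp_type, log))
    # IOS appends implicit entries: permit ND solicitations/advertisements, then deny
    # all. An explicit "deny ipv6 any any" above them shadows the ND permits.
    entries.append(Entry(None, "permit", "icmp", ANY6, ANY6, None, 135, False))
    entries.append(Entry(None, "permit", "icmp", ANY6, ANY6, None, 136, False))
    entries.append(Entry(None, "deny", "ipv6", ANY6, ANY6, None, None, False))
    return name, entries

def _matches(e, pkt):
    proto_ok = e.proto in ("ipv6", pkt.proto) or (e.proto == "icmp" and pkt.proto == "icmpv6")
    return (proto_ok and ipaddress.IPv6Address(pkt.src) in e.src
            and ipaddress.IPv6Address(pkt.dst) in e.dst
            and e.dport in (None, pkt.dport) and e.icmp_type in (None, pkt.icmp_type))

def evaluate(acl_text, pkt):
    """Return (action, sequence, log_line) for the first entry that matches pkt."""
    name, entries = parse_acl(acl_text)
    for e in entries:
        if _matches(e, pkt):
            log_line = None
            if e.log:  # mirrors the %IPV6-6-ACCESSLOGDP "list NAME/SEQ" format
                verb = "denied" if e.action == "deny" else "permitted"
                log_line = f"%IPV6-6-ACCESSLOGDP: list {name}/{e.seq} {verb} {pkt.proto} {pkt.src} -> {pkt.dst}"
            return e.action, e.seq, log_line

# Constructed sample packets: the permitted telnet session, the router advertisement
# (ICMPv6 type 134) seen in the post's log, and a neighbor solicitation (type 135).
TELNET = Packet("tcp", "2001:db8:0:1::2", "2001:db8::1", dport=23)
RA = Packet("icmpv6", "fe80::c002:15ff:fe58:0", "ff02::1", icmp_type=134)
NS = Packet("icmpv6", "fe80::c002:15ff:fe58:0", "ff02::1:ff00:1", icmp_type=135)
```

Calling evaluate(ORIGINAL_ACL, RA) returns ("deny", 20, ...) with a log line naming TRANSIT-ACL/20, the same entry the real log points at; evaluate(ORIGINAL_ACL, NS) is also denied at 20 even though IOS would have permitted it implicitly, which is the shadowing to watch for. Against FIXED_ACL the same packets hit the explicit permits at 30 and 10, and the telnet session still matches at 40. The order matters only in that the ICMPv6 permits must sit above the deny.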
Make sure you check out Packetlife’s post on IPv6 ACLs as well. As always, there’s good stuff going on there.
Here are some more notes from my IIUC studies. As always, corrections requested.
- Broadcasts messages to a group for a one-way communication
- Paging groups are used to limit which phones get the broadcast
- Paging can be unicast or multicast
- Unicast groups limited to 10 members
- Multicast requires mcast support on the network
- Paging configurations can be unicast, multicast, or multiple-group
! Unicast Paging
! When 1044 is dialed, ephone 1 is paged
! Multicast Paging
! When 1045 is dialed, ephone 2 is paged
R1(config-ephone-dn)#paging ip 126.96.36.199 port 2000
! Multiple Group Paging
! When 1046 is dialed, both ephones 1 and 2 are paged
R1(config-ephone-dn)#paging group 44, 45
- There is a limit of 10 DNs in the paging group.
After-hours Call Blocking
- Allows you to configure time ranges and patterns that cannot be called during those ranges
- Three steps
- Define days and/or hours that are considered after-hours
- Specify patterns to be blocked
- Create exemptions
R1(config-telephony)#after-hours day mon 18:00 07:00 <- afterhours = 6pm to 7am
R1(config-telephony)#after-hours day tue 18:00 07:00
R1(config-telephony)#after-hours day wed 18:00 07:00
R1(config-telephony)#after-hours day thu 18:00 07:00
R1(config-telephony)#after-hours day fri 18:00 07:00
R1(config-telephony)#after-hours date Dec 25 00:00 00:00 <- Christmas is after hours
R1(config-telephony)#after-hours block pattern 1 91900....... 7-24 <- Pattern index 1 blocks 900 numbers 7 days/24 hours
R1(config-telephony)#after-hours block pattern 2 91.......... <- Pattern index 2 blocks all long distance after hours
R1(config-telephony)#login timeout 15 clear 18:00 <- Allows logins for entering a PIN for after-hours exemption; times out in 15 minutes and clears at 18:00
R1(config-ephone)#after-hours exempt <- the boss's phone can call anywhere except the 7-24 patterns
R1(config-ephone)#pin 1234 <- Your phone can log in with this PIN for after-hours access
- Phones have to be restarted or reset for the Login key to be enabled.
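As an added example (not from the notes and not CME code), here is a Python model of the three after-hours steps above: define the windows, list the blocked patterns, and carve out exemptions. It reproduces the sample policy from the notes (weekday evenings 18:00 to 07:00, Christmas all day, 900 numbers blocked 7-24, long distance blocked after hours, one exempt phone). Three behaviours are assumptions of this model rather than facts quoted from the notes: a day window whose stop time is earlier than its start runs into the next morning, a date window of 00:00 00:00 covers the whole day, and a dot in a pattern matches exactly one digit with the pattern matched against the full dialed string.

```python
import re
from datetime import datetime
from typing import Optional

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {"jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6,
          "jul": 7, "aug": 8, "sep": 9, "oct": 10, "nov": 11, "dec": 12}

def _minutes(hhmm):
    """'18:00' -> 1080 (minutes after midnight)."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

class AfterHoursPolicy:
    """Model of after-hours blocking: time windows, blocked patterns, exemptions.

    Assumed here (not taken from the notes): a day window with stop < start wraps
    into the next morning, a date window of 00:00 00:00 means the whole day, and
    '.' in a pattern matches one digit against the full dialed string.
    """

    def __init__(self):
        self.day_windows = []    # (weekday, start_min, stop_min)
        self.date_windows = []   # (month, day, start_min, stop_min)
        self.patterns = []       # (index, regex, always) in configuration order
        self.exempt = set()      # ephone identifiers configured "after-hours exempt"

    # after-hours day mon 18:00 07:00
    def add_day(self, day, start, stop):
        self.day_windows.append((WEEKDAYS[day.lower()], _minutes(start), _minutes(stop)))

    # after-hours date Dec 25 00:00 00:00
    def add_date(self, month, day, start, stop):
        self.date_windows.append((MONTHS[month.lower()], int(day), _minutes(start), _minutes(stop)))

    # after-hours block pattern 1 91900....... 7-24
    def block_pattern(self, index, pattern, always=False):
        regex = re.compile(pattern.replace(".", r"\d") + "$")  # '.' = any single digit
        self.patterns.append((index, regex, always))

    # ephone ... after-hours exempt
    def add_exempt(self, ephone):
        self.exempt.add(ephone)

    def is_after_hours(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        for wd, start, stop in self.day_windows:
            if start < stop:
                if when.weekday() == wd and start <= now < stop:
                    return True
            else:  # window wraps past midnight into the following day
                if when.weekday() == wd and now >= start:
                    return True
                if when.weekday() == (wd + 1) % 7 and now < stop:
                    return True
        for month, day, start, stop in self.date_windows:
            if (when.month, when.day) == (month, day):
                if start == stop == 0 or start <= now < stop:
                    return True
        return False

    def blocking_pattern(self, ephone, dialed, when: datetime) -> Optional[int]:
        """Return the index of the first pattern that blocks this call, or None."""
        for index, regex, always in self.patterns:
            if not regex.match(dialed):
                continue
            if always:  # 7-24 patterns apply all the time and ignore exemptions
                return index
            if self.is_after_hours(when) and ephone not in self.exempt:
                return index
        return None

def build_sample_policy():
    """Constructed policy mirroring the notes: weekday evenings, Christmas, two patterns."""
    p = AfterHoursPolicy()
    for day in ("mon", "tue", "wed", "thu", "fri"):
        p.add_day(day, "18:00", "07:00")
    p.add_date("Dec", 25, "00:00", "00:00")
    p.block_pattern(1, "91900.......", always=True)  # 900 numbers, always blocked
    p.block_pattern(2, "91..........")                # long distance, after hours only
    p.add_exempt("boss")
    return p
```

build_sample_policy().blocking_pattern("ephone1", "912125551234", datetime(2024, 1, 8, 19, 0)) returns 2 on a Monday evening and None at Tuesday noon, while the same call from "boss" returns None at any time; "919005551234" returns 1 for everyone, which is the 7-24 behaviour the notes describe for the boss’s phone.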
- It's important to see who is calling international numbers every day at lunch.
- Call Detail Records (CDRs) record who called what number when for how long plus more stuff.
- CME logs CDRs to the logging buffer, syslog, or both.
- Logging buffers clear when a router loses power, but it may be better than nothing. <- Don't do this ever! Get a syslog server!
R1(config)#logging buffer 512000 <- Set the logging buffer size to 512000 bytes
R1(config)#dial-control-mib retain-timer 120 <- Roll records out in 120 minutes
R1(config)#dial-control-mib max-size 100 <- Only keep last 100 records
- Sending to syslog allows you to keep more records
R1(config)#logging 192.168.0.2 <- Log to this server
- Account codes are used for billing.
- Each department or unit can enter a code that appears in the CDR for use later.
- Users press the Acct key when the call is ringing or connected to enter their code.
Music on Hold
- Do I have to explain what MoH is?
- WAV or AU file in flash
- Files must be G.711 or G.729
- G.711 is recommended since it is of higher quality
- Can be delivered via unicast or multicast
R1(config-telephony)#moh piratedmusic.au <- Plays a local audio file as MoH
R1(config-telephony)#multicast moh 188.8.131.52 port 2001 <- multicast the MoH
Here are some more notes from my IIUC studies. As always, corrections requested.
- Allows users to look up names
- Allows names to show up when dialing or receiving a call
- Most phones have a directory button; some have a menu option for the directory
R1(config-ephone-dn)#name Roger Smith
- Directory entries can be added manually
R1(config-telephony)#directory entry 1 1700 Corporate Fax
R1(config-telephony)#directory entry 2 1701 HR Fax
- By default, sorting is done alphabetically by first name.
- Sorting can be changed
- Can be done by the user or through CLI
- User presses CFwdAll button, enters a number, and #; pressing CFwdAll again cancels forwarding.
- CLI forwarding is more flexible
R1(config-ephone-dn)#call-forward busy 1800
R1(config-ephone-dn)#call-forward noan 1800 timeout 25 <- if no answer after 25 seconds
R1(config-ephone-dn)#call-forward max-length 0 <- disables forwarding
R1(config-ephone-dn)#call-forward max-length 4 <- restricts forwarded number to a length of 4 digits
- H.450.3: A voice gateway redirects the forward to another gateway instead of using the phone as a proxy
- Direct path from originator to destination
- Frees up network resources by keeping path direct
- Keeps latency and jitter down by avoiding long looping paths and a hairpin turn at the phone
- Forwarding patterns can help restrict where calls can be forwarded
R1(config-telephony)#call-forward pattern 1... <- allows forwarding to a 4-digit number starting with 1
- H.450.2: A voice gateway redirects transfers to another gateway instead of using the phone as a proxy.
- The user doing the transfer is dropped from the conversation after transfer is complete.
- Generically, there are two types of transfer.
- Blind: sends the caller to the number blindly
- Consult: allows you to talk to the endpoint before transferring the call
- CME has three types of transfer.
- full-blind: blind transfers using H.450.2 or SIP REFER
- full-consult: consult transfers using H.450.2 or SIP REFER if second line is available; if not, fall back to full-blind
- local-consult: Cisco-proprietary method for full-consult
- Transfer patterns work similarly to forwarding patterns
- Call parking allows a user to retrieve a call from any phone by "parking" the call to an extension.
- The call can be picked up from any phone able to dial that extension.
- Park numbers can be assigned randomly or manually.
R1(config-ephone-dn)#park-slot <- makes this DN a park slot
- Call parking has several options.
- reserved-for dn: Only that DN can use this park-slot
- timeout seconds: Ring the phone that parked the call after that many seconds to remind them of the park
- limit count: After that many timeout intervals, drop the call. Not good for customers.
- notify dn [ only ]: Notify that DN when a timeout is reached
- recall: Sends the call back to the original phone when the timeout is reached
- transfer dn: Sends the call to this DN when the timeout is reached
- alternate dn: If the DN in the transfer command is not available, go here
- retry seconds: Try to transfer again after this many seconds
- The phone must be reset for call parking to take effect.
- Allows users to pick up other ringing phones
- Best to use pickup groups so the sales guys don't pick up support calls by accident
- There are three methods to pickup a call.
- Directed pickup: A user picks up a ringing phone by pressing PickUp followed by the target DN.
- Local group pickup: A user picks up a ringing phone in his pickup group by pressing GPickUp then *.
- Other group pickup: A user picks up a ringing phone in another pickup group by pressing GPickUp then the other group number.
- Technically is a speed dial and auto-answer combination
- Intercom button is pressed, which dials a DN bound to another phone; that phone automatically answers on mute.
- The DNs involved usually (?) can't be dialed.
- e.g., A101
R1(config-ephone-dn)#intercom A98 label "Boss"
R1(config-ephone-dn)#intercom A99 label "Lackey"
- Other options
- barge-in: Places existing calls on hold on the other end and barges in
- no-auto-answer: Rings instead of auto answers
- no-mute: Doesn't mute when auto answering. Can you say spying?
More study notes. Correct if wrong, though I hope I get some of it right since I'm an R&S guy. :$
- switchport mode access: This config makes the port an access port that carries the primary and voice VLAN traffic
- switchport mode trunk: This config makes the port a trunk unconditionally, but it will still send DTP messages
- switchport nonegotiate: This config keeps the port from sending DTP messages.
- switchport mode dynamic auto: If the port receives DTP messages, it will become a trunk. If not, it will be an access port.
- switchport mode dynamic desirable: The port actively sends DTP messages trying to become a trunk. This is the default configuration on a Cisco switch.
Cisco IP Phone Boot Process
- Phone connects to an Ethernet switch and gets power if needed
- Switch tells the phone the correct voice VLAN through CDP
- Phone sends DHCP request for its voice VLAN
- DHCP offer includes the TFTP server from which to download the config
- Phone downloads the config from the TFTP server
- Phone contacts the call processing server as dictated in the config file
DHCP Settings on a Cisco Router or L3 Switch
R1(config)#ip dhcp pool MYPOOL
R1(dhcp-config)#network 192.168.0.0 255.255.255.0
R1(dhcp-config)#option 150 ip 192.168.0.20 <- Tells the phone to download the config from this TFTP server
R1(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.100 <- Don't use these IPs when handing out DHCP
Why should you use NTP for a CME setup?
- Phones display correct time
- Voicemails have the correct time
- CDRs are timestamped accurately
- Router logs are timestamped accurately
- Time-based access works predictably
R1(config)#ntp server 184.108.40.206
R1(config)#clock timezone MYTZ -5 <- Sets the timezone to a zone called MYTZ that's 5 hours behind UTC
I got my CCNP certification library the other day to finally get myself another cert, so I’ve been doing some reading of late. The thing I hate about certs is that, even if you have all the experience in the world, there’s always a whole mess of academic stuff that no one really knows or cares about. One of those things is the Cisco Network Hierarchical Model. This model is purely academic and comes with the caveat that you may or may not need to use it in your situation. In other words, here’s what we recommend, but do what you want to make your network run properly.
This model tells us to configure our network in three layers — the access, distribution, and core layers.
- The access layer is where hosts are connected to the network. This includes your closet switches for your users and any other switches where your servers connect up. This layer is OSI layer-2 only and includes physical segments and VLANs. When I think of this layer, I immediately think of a Catalyst 2950 or 3550.
- The distribution layer aggregates the access layers into a central layer-3 device (a router or L3 switch) for distribution between access devices or up to the core. This is where you lock down access with ACLs. When I think of the distribution layer, I think of a 3750 or 4500.
- The core layer combines your distribution layers at layers 3 and 4 and simply ships data from distribution layer to distribution layer. There’s no access control, so that everything is as speedy as possible. I think of 6500s or 7600s at this layer.
Did you notice that this seems to be LAN-based? You’re not imagining things. This model is for deploying a campus network where every host is in the same building or very close, so Ethernet dominates connectivity. You could apply other technologies, such as OC3s or DS0s on the core, I imagine, but there’s no mention of WANs at all in the model description.
Speaking of WANs, where’s my Internet access? Where’s my HTTP server farm? Where’s my firewall? Where’s my management system? Those questions are left unanswered in this model. This is where the caveat comes into play. You have to be able to place those devices in the network in the most efficient and effective place. Your Internet access will probably be in the core. The server farms, by definition, are just hosts, so you would create another access layer for those. Since you need to firewall those servers off, you’ll put their access layer under their own distribution layer with the firewall at the top for access control. Management is just another access layer, but the distribution layer where that lives isn’t quite as clear.
Like I said, it’s an academic model, so there are no definitive answers for anything, but it has a lot of information in there that you may or may not have considered.