MAC address tracking with NMS

Let's assume that I have a port open on my Cisco switch for guest users and I would like to keep track of new mac-addresses that are added to that port and existing mac-addresses that are removed from it.

I have an NMS (Network Management System) capable of receiving SNMP traps, which will send me an e-mail alert whenever one of the above-mentioned situations happens.

For this test I used the following addresses:
– Cisco switch L3 interface from which the SNMP traps will be sent: Lo10, 1.1.1.1 /32
– Cisco switch L2 port where I want to track the mac-address changes: Fa0/10
– NMS IP address: 172.31.82.254
– SNMP community string: Cisco

OK, this is a simple example, but it can be useful in some situations or for Cisco exam preparation.

First, let's bring the Lo10 interface UP and configure the IP address. Please keep in mind that without an L3 interface the SNMP configuration will raise an alarm and the system will not work.

interface Loopback10
 ip address 2.2.2.2 255.255.255.255

Next, I’ll configure the SNMP part:

SW(config)#snmp-server host 172.31.82.254 traps Cisco
SW(config)#snmp-server enable traps mac-notification

Following is the actual configuration for mac-address change notification:

SW(config-if)#snmp trap mac-notification change ?
  added    Enable Mac Address added notification for this port
  removed  Enable Mac Address removed notification for this port

The above lines show the possible options. You can use both if you want notifications for both added and removed mac-addresses, or use either option separately. I used both for this test.

Let’s verify if the configuration is applied correctly:

SW#show mac address-table notification change interface fa0/10
MAC Notification Feature is Disabled on the switch
Interface            MAC Added Trap MAC Removed Trap
---------            -------------- ----------------
FastEthernet0/10     Enabled        Enabled

I find this helpful if you have open ports which require special attention and for some reason you cannot use a technique like dot1x or lock them to a static mac-address.
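One caveat worth checking in the output above: its first line reports the MAC notification feature as Disabled on the switch, and the per-port Enabled/Enabled columns do not override that; on Catalyst IOS the global `mac address-table notification change` command turns it on, and without it no trap leaves the switch. The following Python script is an added example, not code from the post: it assumes the show output is pasted in as a string (the sample below is the post's own output) and that watched ports are given by their full interface names, and it reports anything that would keep a trap from reaching the NMS.

```python
import re

# Constructed sample: the "show mac address-table notification change" output from the post.
SAMPLE_OUTPUT = """\
MAC Notification Feature is Disabled on the switch
Interface            MAC Added Trap MAC Removed Trap
---------            -------------- ----------------
FastEthernet0/10     Enabled        Enabled
"""

GLOBAL_RE = re.compile(r"MAC Notification Feature is (Enabled|Disabled) on the switch")
PORT_RE = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)$")


def parse_notification_status(output):
    """Return {"global": bool|None, "interfaces": {name: {"added": bool, "removed": bool}}}."""
    status = {"global": None, "interfaces": {}}
    for raw in output.splitlines():
        line = raw.strip()
        match = GLOBAL_RE.search(line)
        if match:
            status["global"] = match.group(1) == "Enabled"
            continue
        match = PORT_RE.match(line)
        if match:  # header and dashed rows never match: their columns are not Enabled/Disabled
            status["interfaces"][match.group(1)] = {
                "added": match.group(2) == "Enabled",
                "removed": match.group(3) == "Enabled",
            }
    return status


def find_problems(status, watched_ports):
    """List every reason a MAC added/removed trap for a watched port would not be sent."""
    problems = []
    if status["global"] is None:
        problems.append("global MAC notification state not found in the output")
    elif not status["global"]:
        problems.append("MAC notification is disabled globally; per-port trap settings have no "
                        "effect until 'mac address-table notification change' is configured")
    for port in watched_ports:  # full names, e.g. FastEthernet0/10, as the switch prints them
        cfg = status["interfaces"].get(port)
        if cfg is None:
            problems.append(f"{port}: no per-port notification configured")
        elif not (cfg["added"] and cfg["removed"]):
            problems.append(f"{port}: added={cfg['added']} removed={cfg['removed']}, not both enabled")
    return problems


if __name__ == "__main__":
    parsed = parse_notification_status(SAMPLE_OUTPUT)
    for problem in find_problems(parsed, ["FastEthernet0/10"]):
        print("PROBLEM:", problem)
```

Run it after every change to the notification configuration, or feed it the output collected by the NMS itself; an empty list of problems is the state to expect before relying on the e-mail alert.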


CCIE Home Lab, what to do when your router has too little Flash space for IOS

I already explained in an older post my home lab for CCIE preparation. My BB1-BB3 routers are Cisco 2600 series and the rest, R1-R6, are emulated with Dynamips. The only problem is that one of the C2600s has too little Flash space to hold the required IOS. Memory is sufficient, but Flash is not.

The only workaround I have is to load the IOS image from a TFTP server. I will explain my procedure here; maybe it's useful for somebody else out there.

First, I recently upgraded to Ubuntu 12.04 and for some reason the TFTPD (default tftp server) was not working properly. I found TFTPD-HPA to be a good alternative, so I installed it:

sudo apt-get install tftpd-hpa

After installation you may want to check /etc/default/tftpd-hpa. On my system it looks like this:

# /etc/default/tftpd-hpa
 
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"

The next step is to get an IOS image and copy it under /var/lib/tftpboot. If you need a hint, I'm using c2600-adventerprisek9-mz.124-25d.bin, which needs only a small amount of memory on the Cisco 2600 platform and is enough for testing.

Now we need to get the IOS image on the C2600 using TFTP. Depending on your topology used for CCIE exam practice, this can be done in different ways.

Currently I'm using the workbooks from Micronicstraining (Narbik's workbooks, if this sounds more familiar). Previously I used the ones from Internetwork Expert. The point is that the topology is pretty similar and looks something like this:

[Figure: Narbik's workbook topology (MicronicsTraining)]

My problematic router is BB3. Somehow I need BB3 to communicate with my Ubuntu server, as simply as possible, without changing Ethernet cables all the time.
You noticed in the above diagram that BB3 has an interface on SW1 (Fa0/13) and SW1 has Fa0/1 connected to my Ubuntu server, as explained in this post. What I need is to have Fa0/13 and Fa0/1 on SW1 in the same VLAN for proper communication. Usually I just default the interfaces and then everything is fine.

On the Ubuntu box, I can have an IP address on the physical card (this will not in any way affect the Dynamips emulated router attached to this interface):

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:06:a6:3b
          inet addr:192.168.182.1  Bcast:192.168.182.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:b6ff:fe06:a63b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:14100 (14.1 KB)

By default the BB3 router has an IOS image that fits the Flash size (c2600-i-mz.123-26.bin), and in case the TFTP server is for some reason not reachable, it will boot that image.

The BB3 startup-configuration looks like this:

interface FastEthernet0/0
 ip address 192.168.182.13 255.255.255.0
!
boot system tftp c2600-adventerprisek9-mz.124-25d.bin 192.168.182.1

What you have to remember:
1. Start your TFTP server and ensure that it has the correct IP address on the interface from which you will serve IOS files
2. Start your switch (if you have one between the Cisco router and the TFTP server) and be sure that the interfaces are able to exchange packets (same VLAN, etc.)
3. Start your router

If you missed any of the above steps, you'll see something like this:

%SYS-4-CONFIG_NEWER: Configuration from version 12.4 may not be correctly understood
 Slot is empty or does not support clock participate
 WIC slot is empty or does not support clock participate
%SYS-6-READ_BOOTFILE_FAIL: tftp://192.168.182.1/c2600-adventerprisek9-mz.124-25d.bin File read failed -- Timed out.
 
 Hello from IFS_TYPE_ROM successful type-check
 
%SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
boot of "tftp:c2600-adventerprisek9-mz.124-25d.bin 192.168.182.1" using boot helper "flash:c2600-i-mz.123-26.bin" failed
error returned: File read failed -- Timed out
loadprog: error - on file open
boot: cannot load "tftp:c2600-adventerprisek9-mz.124-25d.bin 192.168.182.1"

and the router will boot your image stored locally on Flash.
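The checklist above can be run through from the Ubuntu side before the router is powered on. The Python script below is an added example, not part of the post or of tftpd-hpa: it parses the /etc/default/tftpd-hpa settings shown earlier (embedded here as a constructed string), verifies that the image is present in the served directory and that the daemon is bound to port 69 on the lab interface, and flags the post's TFTP_ADDRESS="0.0.0.0:69" as a weak setting, since TFTP has no authentication and binding to every interface serves the image to any network the box is attached to. The `directory` parameter and the throw-away image directory are my own additions so the check can run without the real server.

```python
import os
import shlex
import tempfile

# Constructed sample: the /etc/default/tftpd-hpa from the post, pasted in as a string.
SAMPLE_DEFAULTS = """\
# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"
"""

IMAGE = "c2600-adventerprisek9-mz.124-25d.bin"  # the image name used in the post
SERVING_IP = "192.168.182.1"                     # eth1 address on the Ubuntu box, from the post


def parse_defaults(text):
    """Parse the KEY="value" lines of a tftpd-hpa defaults file into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = " ".join(shlex.split(value))  # drops the shell quoting
    return settings


def preflight(settings, image, serving_ip, directory=None):
    """Findings that would make step 1 of the checklist fail or leave the server wide open.

    `directory` (hypothetical parameter) overrides TFTP_DIRECTORY so the check can run
    against a throw-away directory instead of the real /var/lib/tftpboot.
    """
    findings = []
    tftp_dir = directory or settings.get("TFTP_DIRECTORY", "")
    if not os.path.isfile(os.path.join(tftp_dir, image)):
        findings.append(f"{image} not present in {tftp_dir}: the router will time out and boot from flash")
    host, _, port = settings.get("TFTP_ADDRESS", "").rpartition(":")
    if port != "69":
        findings.append(f"daemon listens on port {port or '?'}, but 'boot system tftp' uses port 69")
    if host == "0.0.0.0":
        findings.append(f"daemon listens on every interface; TFTP has no authentication, bind it to {serving_ip}:69")
    elif host != serving_ip:
        findings.append(f"daemon is bound to {host}, not the lab interface {serving_ip}")
    if "--secure" not in settings.get("TFTP_OPTIONS", "").split():
        findings.append("--secure missing: tftpd-hpa will not chroot into the image directory")
    return findings


def run_checklist_demo():
    """Run the checks on the post's settings before and after fixing the bind address (constructed)."""
    settings = parse_defaults(SAMPLE_DEFAULTS)
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, IMAGE), "wb").close()  # empty stand-in for the real image file
        before = preflight(settings, IMAGE, SERVING_IP, directory=tmp)
        fixed = dict(settings, TFTP_ADDRESS=f"{SERVING_IP}:69")
        after = preflight(fixed, IMAGE, SERVING_IP, directory=tmp)
        missing = preflight(fixed, "not-copied.bin", SERVING_IP, directory=tmp)
    return before, after, missing


if __name__ == "__main__":
    before, after, missing = run_checklist_demo()
    print("post's settings:", before)
    print("bound to eth1:  ", after)
    print("image missing:  ", missing)
```

With the post's settings the only finding is the all-interfaces bind; changing TFTP_ADDRESS to 192.168.182.1:69, the address configured on eth1, clears it, while the --secure chroot stays as in the post.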

Instead of doing all this work, which may generate some headaches, I could just buy another router with enough Flash (and memory). Currently I don't want to make this investment, so I'll stick with the above scenario.


[Infographic] The Journey to Cisco Certification Success

I found this great infographic on Pinterest and I felt the need to share it through my blog. Even if not all the information is 100% accurate or complete, it's still a nice view that is worth spending a few minutes to check.


Cisco Menu for Console Server

Let's say that you have a Cisco router that you use as a console server to connect to the devices in your CCIE testing rack. If you want to allow other people to access your rack for training and don't want the hassle of explaining how to connect to the different devices from the console router, then you need a menu for easy access.

We will define a menu on the console server. We'll start by entering configure terminal mode and typing the command menu ?:

Console-Server(config)#menu ?
  WORD  Name of this menu

Looks like we need to define a name for the menu, so I'll name it "CS" and hit another ?:

Console-Server(config)#menu CS ?
  clear-screen  Use termcap database to clear screen
  command       Set menu command
  default       Item number to use for RETURN
  line-mode     require <enter> after typing selection
  options       Set per-item options
  prompt        Set prompt string
  single-space  single-space menu entries on display
  status-line   Display user status at top of screen
  text          Set text of menu line
  title         Set menu title

This command outputs your options for the menu configuration. I will start by clearing the screen after entering the menu CS:

Console-Server(config)#menu CS clear-screen

Next, I want users to know where they are connecting and what the purpose of this console server is, so I will add a title to my menu:

Console-Server(config)#menu CS title ^
Enter TEXT message.  End with the character '^'.
Welcome to FirstDigest.com CCIE Rack
^

We now have a menu with a title, but let's tell users how to use this menu:

Console-Server(config)#menu CS prompt ^
Enter TEXT message.  End with the character '^'.
Choose and option and press Enter:
^

To actually require your user to press Enter, you need to specify this option in your menu:

Console-Server(config)#menu CS line-mode

If you don't add the above option, the option picked from the menu is run automatically without waiting for the Enter key.
We have the menu defined and the necessary information in place. Let's add some functionality to this menu.
First I want to give the user the option to see the IP address he is connected to:

Console-Server(config)#menu CS command 1 sh ip int brief | e una
Console-Server(config)#menu CS text 1 Check the Console Server IP Address  
Console-Server(config)#menu CS option 1 pause

What did I do above? Well, I added the necessary command to check the IP address. This command can be modified to meet your requirements; for me this is enough since I have only one interface with an IP address. The command itself is invisible to the connected user: if you press the key 1 and then Enter, you get the output. Still, we don't want our users to guess what they have to do, so we'll add some text.

The visible choice for your user is added with the "text" option, and my phrase is "Check the Console Server IP Address". Of course this can be customized as you need.

The last option is the "pause" option. If you don't add "pause", your user will see no output, as the command will run in the background and return to the prompt.

Notice that the item number (1 in my case) is the parameter that binds together all the options for this specific menu entry. It will of course be selected with key 1 on your keyboard.

Next, we’ll give the user the option to disconnect from the console server:

Console-Server(config)#menu CS command 2 exit
Console-Server(config)#menu CS text 2 Disconnect from Console Server

Let's add some connections to our Cisco devices in the rack. I will add only a couple of connections, as an example. You can extend and customize these commands as you want:

Console-Server(config)#menu CS command 3 telnet 10.1.1.1 2001
Console-Server(config)#menu CS text 3 Connect to R1
Console-Server(config)#menu CS command 4 telnet 10.1.1.1 2002
Console-Server(config)#menu CS text 4 Connect to R2          
Console-Server(config)#menu CS command 5 telnet 10.1.1.1 2003
Console-Server(config)#menu CS text 5 Connect to R3
.
.
.
.

We have the menu configured now. To check what we configured, I usually do:

Console-Server#sh run | i menu

The menu section is complete, but we need to attach this menu to a user and force this user to use our menu. I will create a user which will run the menu CS as soon as he or she connects to the console router. My user has privilege level 15. If you are concerned with security, you can set another privilege level, but be sure to configure that level to support the commands that you have in your menu. I will also configure another user for my own usage, so that in case something goes wrong I am able to connect remotely and fix the issue. This "Admin" user will not automatically run the menu we just created.

Console-Server(config)#username Tester privilege 15 password tester2012
Console-Server(config)#username Tester autocommand menu CS
Console-Server(config)#username Admin password cisco2012
! I will also enable telnet to test from a remote host
Console-Server(config)#line vty 0 4
Console-Server(config-line)#login local

I will simulate a remote connection to check if everything is working fine:

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
 
 
User Access Verification
 
Username: Tester
Password: 
 
Welcome to FirstDigest.com CCIE Rack
 
 
    1          Check the Console Server IP Address
 
    2          Disconnect from Console Server
 
    3          Connect to R1
 
    4          Connect to R2
 
    5          Connect to R3
 
 
Choose and option and press Enter:

The menu is there. I will try some options to see if it’s working properly:

Choose and option and press Enter:
1
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Choose and option and press Enter:
2
 
[Connection to 10.1.1.1 closed by foreign host]

I recommend that you verify the menu functionality before you go “live”. You can check the menu directly on the Console Server:

Console-Server#menu CS

I hope this short tutorial will help you. If you have questions or something is not clear from my explanation please use the comments and I will try to help you.


IP Prefix-List tricky question

A few days ago I encountered a task in one of the preparation workbooks for the CCIE R&S Lab which was very tricky. The task is not a hard one and does not require extensive knowledge (it could be a CCNP-level question as well), but the way the question is formulated can create confusion. I would appreciate your comments on this topic.

The task states that I have a number of subnets, of which the following are important for our issue:

10.4.1.4/30
10.4.2.8/29
10.4.3.16/28
10.4.4.32/27
10.4.5.64/26
10.4.6.128/25

The other subnets present are something like 10.7.x.x. I add this here just to show that they do not affect the result of this task.

The request is to configure a prefix-list following these rules:

– allow all subnets in 10.4.0.0
– as specific as possible, I should not allow other prefixes
– minimum number of prefix-lists

Considering the above, I took the following to be the correct answer:

ip prefix-list ONE permit 10.4.0.0/21 ge 25 le 30

However the proposed solution was:

ip prefix-list ONE seq 5 permit 10.4.0.0/22 ge 23 le 30
ip prefix-list ONE seq 10 permit 10.4.4.0/22 ge 23 le 28

Both solutions work; nevertheless, which one would be the correct one in the exam?

I asked this question on the GroupStudy List, and Maarten Vervoorn came up with a new proposal:

ip prefix-list ONE seq 5 permit 10.4.0.0/22 ge 28 le 30
ip prefix-list ONE seq 10 permit 10.4.4.0/22 ge 25 le 27

Also a good solution, but is it the best solution? Hard to say. The advice that I got is that if you have such a task in the lab exam, describe the issue to your proctor and explain all the possible solutions, so he or she can see that you fully understand the multiple solutions, and based on the answer pick the best one. I think this is the only way to solve this kind of question. If you have other ideas, I would like to hear them.
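One way to take the guesswork out of "as specific as possible" is to count what each list would actually permit. The Python below is an added example, not from the post, the workbook or the GroupStudy thread: it implements the IOS prefix-list matching rule (the prefix must fall inside the entry's network and its length must lie in the ge/le range, where ge alone means up to /32, le alone means from the entry's own length, and neither means an exact length) and, for each of the three lists, checks that all six task subnets are permitted and counts every prefix the list would permit. The `Entry` class, the `compare` and `permitted_by` helpers and the list labels are my own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Optional

# The six subnets from the task (from the post).
TASK_SUBNETS = [IPv4Network(s) for s in (
    "10.4.1.4/30", "10.4.2.8/29", "10.4.3.16/28",
    "10.4.4.32/27", "10.4.5.64/26", "10.4.6.128/25")]

# The three candidate prefix-lists discussed above, verbatim; the labels are mine.
CANDIDATES = {
    "mine": ["ip prefix-list ONE permit 10.4.0.0/21 ge 25 le 30"],
    "workbook": ["ip prefix-list ONE seq 5 permit 10.4.0.0/22 ge 23 le 30",
                 "ip prefix-list ONE seq 10 permit 10.4.4.0/22 ge 23 le 28"],
    "groupstudy": ["ip prefix-list ONE seq 5 permit 10.4.0.0/22 ge 28 le 30",
                   "ip prefix-list ONE seq 10 permit 10.4.4.0/22 ge 25 le 27"],
}


@dataclass(frozen=True)
class Entry:
    action: str
    network: IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self):
        # IOS semantics: neither -> exact length; ge only -> ge..32; le only -> len..le
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.network.prefixlen
        return lo, hi

    def matches(self, prefix: IPv4Network) -> bool:
        lo, hi = self.length_range()
        return lo <= prefix.prefixlen <= hi and prefix.subnet_of(self.network)


def parse_entry(line: str) -> Entry:
    """Parse one 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge G] [le L]' line."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    ge = le = None
    rest = tokens[idx + 2:]
    for key, value in zip(rest[0::2], rest[1::2]):
        if key == "ge":
            ge = int(value)
        elif key == "le":
            le = int(value)
    return Entry(tokens[idx], IPv4Network(tokens[idx + 1]), ge, le)


def permits(entries, prefix: IPv4Network) -> bool:
    """First matching entry decides; an exhausted list is an implicit deny."""
    for entry in entries:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


def permitted_set(entries):
    """Every prefix the list permits, by enumerating the candidates each entry covers."""
    candidates = set()
    for entry in entries:
        lo, hi = entry.length_range()
        for length in range(max(lo, entry.network.prefixlen), hi + 1):
            candidates.update(entry.network.subnets(new_prefix=length))
    return {p for p in candidates if permits(entries, p)}


def permitted_by(name: str, prefix: str) -> bool:
    """Does candidate list `name` permit the prefix given as a string?"""
    return permits([parse_entry(l) for l in CANDIDATES[name]], IPv4Network(prefix))


def compare(candidates=CANDIDATES, required=TASK_SUBNETS):
    """Per list: does it permit every task subnet, and how many prefixes does it permit in total?"""
    report = {}
    for name, lines in candidates.items():
        entries = [parse_entry(l) for l in lines]
        report[name] = {
            "covers_task": all(permits(entries, s) for s in required),
            "permitted_total": len(permitted_set(entries)),
        }
    return report


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:<11} covers task: {result['covers_task']}  permits {result['permitted_total']} prefixes")
```

All three lists cover the task, but they permit 1008, 636 and 504 prefixes respectively: the workbook answer (ge 23) also admits /23 and /24 prefixes such as 10.4.1.0/24 that the task never asked for, while the GroupStudy version admits the fewest extra prefixes, which is a concrete argument to put to the proctor.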