Cisco: How-to get notifications for IP SLA monitor using EEM

In a previous post I explained how to configure a basic IP SLA monitor for checking the round-trip time between two Cisco routers. Because in the comments of that post I was asked how you can get e-mail notifications for an IP SLA monitor, I have decided to write another post to extend this topic a little.

To accomplish e-mail notification for IP SLA monitors we will use Embedded Event Manager (EEM) and some SNMP knowledge. Cisco IOS EEM is a powerful device and system management technology integrated into specific Cisco switches and routers. EEM gives us the ability to customize Cisco IOS behavior based on network events as they happen.

EEM will use an SNMP event to report anomalies regarding the RTT threshold value. For SNMP to work we need to know an object name and the OID associated with it. In my example I will use the SNMP object name rttMonCtrlOperOverThresholdOccurred (OID: 1.3.6.1.4.1.9.9.42.1.2.9.1.7). On the Cisco website you can find more about this SNMP object, and I advise you to read it before going on with this tutorial.

Below you have a basic example of how to get an e-mail notification when the RTT threshold of the IP SLA monitor is reached. You can find more examples on Ivan Pepelnjak’s blog: blog.ioshints.info. It’s a good idea to check them as well.
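The applet below is an added example, not the configuration from the post or the video: it polls the OID named above for IP SLA operation 1 and sends one mail per threshold breach. The SLA operation, the SMTP relay 192.0.2.25 and the mail addresses are assumptions.

```cisco
! Added example (not from the post). Assumed: IP SLA operation 1 on R2
! probing R3, SMTP relay 192.0.2.25, mailbox noc@example.com.
ip sla 1
 icmp-echo 10.0.23.3 source-ip 10.0.23.2
 threshold 100
 frequency 10
ip sla schedule 1 life forever start-time now
!
! rttMonCtrlOperOverThresholdOccurred is indexed by the SLA operation
! number, so the row for operation 1 is the post's OID followed by ".1".
! It is a TruthValue: 1 = true (RTT exceeded the threshold), 2 = false.
! entry-op/entry-val fire the applet when the value becomes 1; exit-op/
! exit-val re-arm it only after the value returns to 2, so one breach
! produces one mail instead of one mail per poll interval.
event manager applet IPSLA-1-RTT-THRESHOLD
 event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.7.1 get-type exact entry-op eq entry-val 1 exit-op eq exit-val 2 poll-interval 30
 action 1.0 syslog priority warnings msg "IP SLA 1: RTT over threshold (value $_snmp_oid_val)"
 action 2.0 mail server "192.0.2.25" to "noc@example.com" from "r2@example.com" subject "R2: IP SLA 1 RTT over threshold" body "At $_event_pub_time IP SLA 1 on R2 reported RTT above the configured threshold. OID $_snmp_oid value $_snmp_oid_val."
!
! Check that the applet is registered and whether it has fired:
! show event manager policy registered
! show event manager history events
```

The router must be able to reach the SMTP relay, and the relay must accept mail from the router's address, otherwise the syslog line is the only trace of the event.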

The topology remains the same as in the previous post about IP SLA. You can check it here. Please click below to check the tutorial:

IP SLA EEM

If you cannot check the tutorial above, please read this text file, as it contains all the information from the video presentation.

Cisco: 6 best practice security tips for BGP

As we all know, in today’s digital communication world there is a very big possibility that your network is or was a target for malicious activity. BGP is one of the most targeted routing protocols when we are talking about network attacks. Why? This is quite simple. BGP is your connection to the exterior world (peer networks, the Internet and everything outside your LAN/MAN), so it is somehow normal for it to be the main target of the conducted attacks. In the case of WWW, DNS or e-mail services we can say that maybe an attack was not made intentionally (e.g. a user got infected with some trojan/malware/botnet tool that is attacking random destinations), but in the case of BGP you can be 90% sure that this is an intentionally conducted attack. The main scope of a BGP attack is to flood the network with false information (e.g. false network prefixes), in this way trying to direct interesting traffic to special destinations where it can be sniffed and decoded.

I will present here the 6 tips that I use the most to protect BGP against malicious information. They are really easy to implement if you have a basic idea of how to configure BGP, but they can save you hours of troubleshooting and investigation.

1. Limit the maximum number of prefixes that you learn from a BGP peer, to avoid overloading your machine.
2. Deny updates that include a private AS number in the AS path (64512 – 65535).
3. Use ACLs on your external interface to permit inbound/outbound BGP packets only between your defined source and destination.
4. Limit the TTL in BGP packets so that communication is possible only with next-hop peers.
5. Use a password to authenticate peer neighbors.
6. Limit the maximum length of the AS path.

Here I would also like to mention, not necessarily as a security tip but more as a best practice: enable logging whenever possible. This can help you observe strange behavior that occurs on your machines while you are not around them.
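The following R2 configuration is an added example, not the post's own, that applies the 6 tips and the logging advice on one eBGP session. It assumes R2 is AS 64496 at 10.0.23.2 and R3 is AS 64497 at 10.0.23.3 on Serial0/0 (documentation AS numbers); R3 needs the mirror-image configuration.

```cisco
! Added example (not from the post). Assumed: R2 is AS 64496 at 10.0.23.2,
! R3 is AS 64497 at 10.0.23.3, link on Serial0/0; R3 mirrors this config.
!
! Tip 3: on the external interface, allow BGP (TCP 179) only between the
! two peer addresses, log any other BGP attempt, leave other traffic alone.
ip access-list extended BGP-PEER-IN
 permit tcp host 10.0.23.3 host 10.0.23.2 eq bgp
 permit tcp host 10.0.23.3 eq bgp host 10.0.23.2
 deny   tcp any any eq bgp log
 deny   tcp any eq bgp any log
 permit ip any any
!
interface Serial0/0
 ip address 10.0.23.2 255.255.255.252
 ip access-group BGP-PEER-IN in
!
! Tip 2: reject any update whose AS_PATH contains a private AS number.
! IOS regex has no {n} quantifier, so 64512-65535 is spelled out.
ip as-path access-list 10 deny _(6451[2-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 10 permit .*
!
route-map FROM-R3 permit 10
 match as-path 10
!
router bgp 64496
 ! logging: not a security tip as such, but the post recommends it
 bgp log-neighbor-changes
 ! Tip 6: drop updates whose AS_PATH is longer than 20 AS numbers
 bgp maxas-limit 20
 neighbor 10.0.23.3 remote-as 64497
 ! Tip 5: TCP MD5 on the session; replace the placeholder on both routers
 neighbor 10.0.23.3 password CHANGE-ME-SHARED-SECRET
 ! Tip 4: GTSM - only a directly connected peer (one hop) can talk to
 ! this session; configure on both sides, incompatible with ebgp-multihop
 neighbor 10.0.23.3 ttl-security hops 1
 ! Tip 2: apply the private-AS filter inbound
 neighbor 10.0.23.3 route-map FROM-R3 in
 ! Tip 1: at most 100 prefixes, warn at 80%, tear down and retry after 5 min
 neighbor 10.0.23.3 maximum-prefix 100 80 restart 5
!
! show ip bgp neighbors 10.0.23.3 | include prefix|TTL|MD5
! show ip access-lists BGP-PEER-IN
```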

There is no topology present for this tutorial, but we will assume that we have a point-to-point serial connection between 2 routers, R2 (10.0.23.2) and R3 (10.0.23.3). Please click the image below to view the tutorial:

BGP Security tips

If for some reason the tutorial above is not available to you, please check this text file, which presents in text mode everything needed to implement the BGP security tips presented above.

Cisco: OSPFv3 point-to-point network configuration

In the previous post I explained some basic stuff about IPv6 and how to configure IPv6 addresses on Cisco interfaces. Following this subject, I now want to explain how you can configure unicast dynamic routing protocols for IPv6 networks. Just like IPv4, the v6 generation of IP supports routing protocols like OSPF, RIP and EIGRP; only their names have been adapted to the v6 generation, meaning OSPFv3, RIPng and EIGRP for IPv6.

From the routing protocols above I chose OSPFv3 for today, because it is quite easy to understand and, why not, it is one of my preferred routing protocols. OSPFv2 and OSPFv3 share the same key concepts, so if you understand the version for IPv4 you will have no problems understanding the one for IPv6. However, you should understand the most significant differences as well:
— to enable OSPFv3 you use interface subcommands, compared with the “network” statement under the “router ospf” process in OSPFv2
— if there are multiple IPv6 addresses configured on an OSPFv3-enabled interface, OSPFv3 advertises all the related networks
— the OSPFv3 router-id (RID) has to be set in order to enable the routing protocol; it can be set automatically, like in OSPFv2, or manually
— OSPFv3 uses an IPv4 address for the RID; if no IPv4 address is present on the router to be used as RID, then the OSPFv3 process cannot choose its RID
— OSPFv3 does not natively provide authentication like OSPFv2 does; for OSPFv3, the IPv6 structure covers this with its internal support for AH and ESP.
That’s about enough for you to configure basic OSPFv3 routing. If you are interested in more details about OSPFv3, you can check the OSPFv3 documentation by Jeff Doyle and Jennifer Carroll on NetworkWorld.com.
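A minimal point-to-point OSPFv3 configuration for two routers, added here as an example and not taken from the post or the video. The link prefix 2001:DB8:0:12::/64, the interface names and the router IDs are assumptions; the RIDs are set by hand because, as noted above, a router without an IPv4 address cannot pick one.

```cisco
! Added example (not from the post). Assumed: R1 and R2 share the link
! 2001:DB8:0:12::/64 on FastEthernet0/0; RIDs 1.1.1.1 and 2.2.2.2.
!
! --- R1 ---
ipv6 unicast-routing
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::1/64
 ! OSPFv3 is enabled per interface, not with a "network" statement
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
 ! Optional, relies on IPsec AH as described above (crypto image needed);
 ! spi and the 32-hex-digit key are placeholders and must match on R2:
 ! ipv6 ospf authentication ipsec spi 256 md5 0123456789ABCDEF0123456789ABCDEF
!
! --- R2 ---
ipv6 unicast-routing
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::2/64
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
!
! Verify on either router: one neighbour in FULL state and no DR/BDR,
! because the interface type is point-to-point.
! show ipv6 ospf neighbor
! show ipv6 ospf interface FastEthernet0/0
! show ipv6 route ospf
```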

I will use the same topology as in the previous post. You can check the IPv6 configuration of the routers here. Please click below to see the tutorial:

OSPFv3 p2p network configuration

If for some reason the tutorial above is not available to you, please check this text file, which presents in text mode everything needed to enable an OSPFv3 point-to-point network configuration between 2 Cisco devices.

Cisco: IPv6 basics and configuration how-to

Today I had to deal with IPv6 configuration for my CCIE preparation and I decided to write a small tutorial about the basics of IPv6. First of all, IPv6 is not more complicated than IPv4, it just looks like it is. Second, and this is my personal opinion, I think that as long as IPv4 is on the market and things like NAT can overcome the problem of IP addresses being exhausted, IPv6 will not be implemented on a large scale. Let’s be honest, I’m more comfortable in a discussion saying that I had a problem with the IP address 192.168.100.100 than saying 2001:128:1F:633:207:85FF:FE80:71B8 (IPv6).

But what we like and what we have to know as network engineers are two different stories. For this reason I thought that some information about IPv6, how to configure it and how to test a point-to-point connection on a Cisco device would not hurt anyone.

Some essential points about IPv6 (if you want more, there is a lot of information on the Internet):
- uses 128 bits compared with 32 bits (IPv4)
- IPv6 addresses are represented in hexadecimal rather than decimal
- uses colon-separated fields of 16 bits rather than 8-bit fields separated by decimal points
An IPv6 address can be written in different formats. Let’s take:
2001:0001:0000:0000:00A1:0CC0:01AB:397A
this can look like:
2001:1:0:0:A1:CC0:1AB:397A – leading zeros in each 16-bit group can be eliminated
2001:0001::00A1:0CC0:01AB:397A – two or more consecutive 16-bit “0000” groups can be written as :: (double colon), once in the IPv6 address
2001:1::A1:CC0:1AB:397A – the simplest form of writing the IPv6 address
A small but very important hint. Take care of the following common mistake when you write IPv6 addresses in short format. Let’s say that we have 2001:0000:0000:0000:00A1:0000:0000:397A and you want to write it in short format using the rule that 2 or more “0000” groups can be written as ::, and you write 2001::A1::397A. This is wrong, because afterwards nobody and no device will know where there were 2 groups of zeros and where 3. Taking the wrong format and expanding it back to the long format, you could just as well write 2001:0000:0000:00A1:0000:0000:0000:397A, and the mistake is obvious.
There are more types of IPv6 addresses, which you can find in the table below:
IPv6 address types

There are 3 ways in which you can assign an IPv6 address to a Cisco device:
- manual = just like in IPv4
- stateful autoconfiguration = you use a DHCP server that assigns an IPv6 address to the interface
- stateless autoconfiguration = the interface ID of the IPv6 address is configured locally by the host to be globally unique, using the EUI-64 procedure

In short, the EUI-64 procedure is used to autoconfigure the last 64 bits of the 128-bit IPv6 address, which is the interface ID portion. The EUI-64 method takes the MAC address of the interface (48 bits), which is unique, and derives the interface ID (64 bits) from it. You’ll probably ask how 48 bits become 64 bits. EUI-64 inserts a 16-bit value equal to FFFE in the middle of the MAC address and sets the universal/local bit (the 7th bit) to indicate global scope. More clearly, let’s say that the interface has the MAC address 00:07:88:80:71:b9; when IPv6 applies the EUI-64 method this becomes 0207:88FF:FE80:71b9 (last 64 bits = interface ID).

After this short piece of information (trust me, it is short compared to detailed books) I hope that things look a little clearer to you regarding IPv6 and you understood that this is not an IT network monster of any kind. Let me show you a small example of how you can configure Cisco interfaces for IPv6 connectivity. Routing and more advanced stuff maybe in a future post.

For this tutorial I will use the same topology as in the previous post (please have a look at it here), but the IPv6 configuration will only focus on the LAN side, the connection between R1 and R2. There is already a working IPv4 link between these 2 devices. Please click below to see the example:
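The configuration below is an added example, not the one from the post or the video: R1 gets its host part through EUI-64 from the MAC address used in the explanation above, R2 gets a manual address, and a ping verifies the link. The prefix 2001:DB8:0:12::/64 and the interface names are assumptions.

```cisco
! Added example (not from the post). Assumed: R1 and R2 are connected on
! FastEthernet0/0 and share 2001:DB8:0:12::/64; R1's interface MAC is
! 0007.8880.71b9, the MAC from the EUI-64 explanation.
!
! --- R1: stateless, host part built with EUI-64 ---
interface FastEthernet0/0
 ! EUI-64: 00:07:88:80:71:b9 -> FFFE inserted in the middle, 7th bit of
 ! the first byte set (00 -> 02) -> interface ID 0207:88FF:FE80:71B9.
 ! The interface therefore gets 2001:DB8:0:12:207:88FF:FE80:71B9/64 and
 ! the link-local address FE80::207:88FF:FE80:71B9.
 ipv6 address 2001:DB8:0:12::/64 eui-64
 no shutdown
!
! --- R2: manual, just like in IPv4 ---
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::2/64
 no shutdown
!
! Verify from R2 (the IPv4 link is untouched; both run in parallel):
! show ipv6 interface brief
! ping ipv6 2001:DB8:0:12:207:88FF:FE80:71B9
! ping ipv6 FE80::207:88FF:FE80:71B9   (link-local: IOS prompts for the output interface)
```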

IPv6 Cisco interface config

If for some reason the tutorial above is not available to you, please check this text file, which consists of the configuration needed to enable IPv6 connectivity between 2 Cisco devices.

Cisco: Engineer’s trick to avoid suboptimal path

In the previous post I explained what the difference is between an optimal and a suboptimal path and how to avoid the use of such a not-so-good path in your routed environment. There I also presented the so-called “dirty trick” you can use to force the routing protocol to choose the path that you want, based on modifying the administrative distance.

As I said, there is another way (for sure more than one) to do it, using a more elegant approach that is safer from the networking point of view in a complex routing environment. I will use the same topology as in the previous post, to give you the possibility to compare the 2 methods presented and to choose the one that you understand better and that fits your needs. There are also other ways to do it; please feel free to discuss them in the comments section, and maybe I will present them here in a future post.

We will achieve the desired result by setting a community on R1 for the advertised network 192.168.82.1 and dropping the prefixes marked with that community on R2. Please be aware that for this method to work you have to allow the BGP peers to send the community list, with the command “neighbor xx.xx.xx.xx send-community …” under the “router bgp xxx” process.
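The two-router configuration below is an added example and not the post's own: R1 tags the prefix with a community on the way out, R2 rejects anything carrying that tag on the way in. Assumed: R1 is AS 64496 at 10.0.12.1, R2 is AS 64497 at 10.0.12.2, the post's 192.168.82.1 is treated as the prefix 192.168.82.0/24, and the community value 64496:82 is an arbitrary marker.

```cisco
! Added example (not from the post). Assumed: R1 = AS 64496 / 10.0.12.1,
! R2 = AS 64497 / 10.0.12.2, prefix 192.168.82.0/24, community 64496:82.
!
! --- R1: tag the prefix when advertising it to R2 ---
ip bgp-community new-format
ip prefix-list NET-82 seq 5 permit 192.168.82.0/24
!
route-map TO-R2 permit 10
 match ip address prefix-list NET-82
 set community 64496:82
route-map TO-R2 permit 20
!
router bgp 64496
 network 192.168.82.0 mask 255.255.255.0
 neighbor 10.0.12.2 remote-as 64497
 ! without send-community the tag is stripped before the update leaves R1
 neighbor 10.0.12.2 send-community
 neighbor 10.0.12.2 route-map TO-R2 out
!
! --- R2: drop every prefix that carries the marker community ---
ip bgp-community new-format
ip community-list standard DROP-82 permit 64496:82
!
route-map FROM-R1 deny 10
 match community DROP-82
route-map FROM-R1 permit 20
!
router bgp 64497
 neighbor 10.0.12.1 remote-as 64496
 neighbor 10.0.12.1 route-map FROM-R1 in
!
! Apply the new policy without resetting the session, then verify on R2:
! clear ip bgp 10.0.12.1 soft in
! show ip bgp 192.168.82.0   -> no path via 10.0.12.1 is installed
! show ip bgp neighbors 10.0.12.1 received-routes   (needs soft-reconfiguration inbound)
```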

Please see the example by clicking the image below:

Optimal path engineer trick