Cisco Easy VPN Router-to-Router

Cisco Easy VPN is not a new technology. Actually it is pretty old, but it is still used by many companies and individuals to connect remote sites and remote workers to the headquarters.

A few days ago I was looking for a simple but still secure way to connect a remote site, and a colleague suggested that I use Easy VPN. It is supposed to be a simple configuration, and it was, once I had solved all the issues that came into play.

First of all, I needed an Easy VPN Router (client) to Router (server) setup. The other method is a client (PC) with software connecting to a Router / PIX / ASA / VPN Concentrator (server). Something like this:

CiscoEasyVPN


The idea is that behind the client router I will have a group of people who need to connect to the headquarters, so I don't want each of them to use a personal VPN connection. In searching for possible configurations, I found this Cisco configuration example. The only issue with that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.

For those who need a quick and secure Easy VPN connection, here is my sample configuration:

EasyVPN-Server

!! We define a new AAA model for authentication and authorization
!! for remote VPN clients
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!! Generic username and password
username cisco password 0 cisco123
!
!! We configure a crypto isakmp policy. The number and encryption are your choice
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!! We add a key and, importantly, the "save-password" command.
!! "save-password" allows the client to save the password in an automatic VPN
!! connection scenario
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!! The IPsec transform set; you can pick a stronger one like esp-aes 256, but
!! for this example this one will work fine
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!! We get everything together in a crypto dynamic map
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!! Add the crypto map on the WAN interface or where your VPN tunnels will terminate
interface x/y
description WAN
crypto map clientmap

EasyVPN-Client

!! On the remote side we define an Easy VPN client
!! connect auto – means it will connect automatically
!! network-extension – connection between remote side LAN and server LAN will
!! not need NAT
!! peer is the VPN server IP address
!! xauth mode has to be local for auto connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.0.2
username cisco password cisco123
xauth userid mode local
!
!! Apply the already defined crypto client to the WAN interface
!! This will automatically be the outside interface, even if you don't
!! add the "outside" keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!
!! Apply it on ALL L3 LAN interfaces that need to communicate over the VPN;
!! here you need to specify the keyword "inside"
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside

To test whether your tunnel is up, issue the following command on the Easy VPN client router:

#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2

As you can see, the Current State shows IPSEC_ACTIVE.

Other commands that will help you check that everything is OK (these can be run on the client or server side):

#show crypto isakmp sa
! Look for the "state" (it has to be QM_IDLE) and
! "status" (it has to be ACTIVE)

#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; the two counter values should be close
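To automate the three checks above, here is an added example (my own Python, not code from the original post or from Cisco) that parses constructed samples of the show output, modelled on the excerpts above, and reports anything that is not in the expected state:

```python
import re
# Constructed sample output, modelled on the post's own "show" excerpts (not from a live router).
EZVPN_OUTPUT = """\
Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2
"""
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id status
192.168.0.2     192.168.0.1     QM_IDLE           1001 ACTIVE
"""
IPSEC_SA_OUTPUT = """\
    #pkts encaps: 1203, #pkts encrypt: 1203, #pkts digest: 1203
    #pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify: 1187
"""

def parse_ezvpn(text):
    """'show crypto ipsec client ezvpn' -> {field: value}; tolerates 'Tunnel name : TEST' spacing."""
    pairs = (re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def parse_isakmp_sa(text):
    """'show crypto isakmp sa' -> list of (dst, src, state, status); the header has no numeric conn-id."""
    pat = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s*$")
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def parse_ipsec_counters(text):
    """'show crypto ipsec sa' -> (encaps, decaps) packet counters."""
    enc, dec = (re.search(rf"#pkts {k}:\s*(\d+)", text) for k in ("encaps", "decaps"))
    return int(enc.group(1)), int(dec.group(1))

def tunnel_health(ezvpn_text, isakmp_text, ipsec_text, tolerance=0.10):
    """Apply the post's three checks; returns a list of problems (empty list means healthy)."""
    problems = []
    ez = parse_ezvpn(ezvpn_text)
    if ez.get("Current State") != "IPSEC_ACTIVE":
        problems.append(f"EzVPN state is {ez.get('Current State')!r}, expected IPSEC_ACTIVE")
    if ez.get("Save Password") != "Allowed":  # needed for 'connect auto' to reconnect unattended
        problems.append("server group lacks save-password; no stored xauth password for connect auto")
    peer = ez.get("Current EzVPN Peer")
    sas = [sa for sa in parse_isakmp_sa(isakmp_text) if peer in sa[:2]]
    if not any(st == "QM_IDLE" and status == "ACTIVE" for _, _, st, status in sas):
        problems.append(f"no ISAKMP SA with peer {peer} in QM_IDLE/ACTIVE")
    encaps, decaps = parse_ipsec_counters(ipsec_text)
    if abs(encaps - decaps) > tolerance * max(encaps, decaps, 1):  # one direction dropping?
        problems.append(f"encaps {encaps} vs decaps {decaps} differ by more than {tolerance:.0%}")
    return problems
```

Feed it the real output of the three commands and an empty list means the tunnel passes all of the checks described above.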

I hope this will help you. If anything is unclear please ask in comments.


Would you do such things to an ISR 819?

Luckily there is a big disclaimer at the beginning of this video. Otherwise I would be tempted to test such things and then plug it in to see if it still starts (at least) and runs.

It’s a nice commercial from Cisco, but to be honest I feel bad for this poor device:


Interface software loop

If you have ever worked in an environment where you have to deal with leased / dedicated lines provided by your SP (service provider), then you know that whenever there is a problem on the line they request, if possible, that you put a loop on the line from one end toward the other end so they can do some measurements. In my experience with SPs, this is a standard approach when they don't know exactly what the problem is with your line or where the issue occurred, especially if they use sub-providers of their own.

Lately I have seen some questions on the Cisco support forums regarding the use of software loops on Ethernet interfaces, so I decided to write a small how-to about the basic configuration of a soft loop on different interfaces.

Controller (E3, T3) soft loop on all channels

configure terminal
! Apply the loop on the controller interface to loop the entire (e.g.) T3 interface (all 28 x T1 channels)
controller t3 3/0
loopback [local | network | remote]

Mandatory parameter:

loopback – place the loop

Optional:

local –  Loops the data back toward the router and sends an AIS signal out toward the network

network –  Loops the data toward the network at the T1 framer

remote – Sends a far-end alarm control (FEAC) request to the remote end requesting that it enter into a network line loopback. FEAC requests (and therefore remote loopbacks) are only possible when the T3 is configured for C-bit framing.

Controller (T3, E3) soft loop on one channel (T1, E1)

If your controller is channelized for T1/E1, you can avoid looping the entire controller and choose to apply the soft loop on only one channel:

configure terminal
! Apply the soft loop under interface configuration rather than controller
interface Serial3/0:1
loopback [local | network {line | payload} | remote {line {fdl {ansi | bellcore} | inband} | payload [fdl] [ansi]}]

Mandatory:

loopback – applies the soft loop

Optional:

local – Loops the router output data back toward the router at the T1 framer and sends an AIS signal out toward the network.

network – Loops the data back toward the network before the T1 framer and automatically sets a local loopback at the HDLC controllers (line), or loops the payload data back toward the network at the T1 framer and automatically sets a local loopback at the HDLC controllers (payload).

remote line fdl – Sends a repeating, 16-bit ESF data link code word; ansi places the CSU into loopback, per the ANSI T1.403 specification; bellcore places the SmartJack into loopback, per the TR-TSY-000312 specification.

remote line inband – Sends a repeating, 5-bit inband pattern (00001) to the remote end requesting that it enter into a network line loopback.

payload – Sends a repeating, 16-bit ESF data link code word to the remote end requesting that it enter into a network payload loopback. Enables the remote payload Facility Data Link (FDL) ANSI bit loopback on the T1 channel. It is rarely necessary to specify the fdl or ansi keywords.

To be honest, I have never used more than the local or network parameters here. The other ones I have added with an explanation, but I never use them.

Serial interfaces (PA-E3 or a PA-T3 port adapter)

configure terminal
! Apply the soft loop on the serial interface
interface Serial3/0
! If the interface is a port on a PA-E3
loopback [dte | local | network {line | payload}]
! If the interface is a port on a PA-T3
loopback [dte | local | network {line | payload} | remote]

Mandatory:

loopback – apply the soft loop

Optional:

dte – Sets the loopback after the LIU toward the terminal.

local – Sets the loopback after going through the framer toward the terminal.

network – Sets the loopback toward the network before going through the framer (line) or after going through the framer (payload).

remote (only T3) – Sends a far-end alarm control (FEAC) to set the remote framer in loopback.

Ethernet interfaces

configure terminal
! Apply the soft loop on an Ethernet interface
interface GigabitEthernet
loopback [driver | mac]

Mandatory:

loopback – apply the loop

Optional (only on Gigabit Interfaces):

driver – apply the loop at the transceiver level

mac – apply the loop at the MAC controller level

You can use the loopback driver and loopback mac interface configuration commands with the 2-Port 10/100/1000 Gigabit Ethernet SPA. These commands do not apply to the 4-Port 10/100 Fast Ethernet SPA. To properly enable an internal loopback, you must disable autonegotiation (under interface configuration, apply no negotiation auto).

Due to different card/router models, IOS versions and specific SP configurations, not all the commands will fit exactly as described above, but at least this is a starting point when you need to enable a soft loop. If you are a beginner you may wonder why I'm calling it a soft loop. This is because it is a software loop, as opposed to a hardware loop, which implies that the wires are physically looped.


Cisco QoS at-a-glance

Stephan, a colleague of mine, found the following documents while digging through multiple pages of Cisco.com. The documents present a nice view of the different QoS approaches and the most important information, somewhat like "cheat sheets". They were helpful to us when we needed to implement QoS in some parts of the network that we administer. I hope they will help you as well.

Maybe you're wondering why I'm adding them here, since the documents are already somewhere on Cisco.com. As you probably know, Cisco has been constantly changing its website in the last months, and a lot of documentation is misplaced in the Cisco.com sitemap. We already had problems finding all the links, so I thought, why not share them here, as they are already public and made by Cisco.

You'll find a Download button under each document for the PDF version, and at the end of this post there is a link to download all the documents in one archive. If somebody needs only one document and has a poor Internet connection, why force them to download the full archive?

Cisco – Campus QoS Design

Cisco – Branch QoS Design

Cisco – IPv6 QoS

Cisco – QoS Best Practices

Cisco – QoS Design for IPsec VPNs

Cisco – QoS Design for MPLS VPN Service Providers

Cisco – Scavenger class – QoS Strategy for DoS Worm Attack Mitigation

Cisco – QoS Design for MPLS VPN Subscribers

Cisco – QoS-Baseline

Cisco – WAN QoS Design

As said in the beginning, if you'd prefer, you can download all the QoS graphs in one archive.

Let me know your opinions on the above approach to QoS from Cisco. Is it accurate? Do you apply it in your organization, whether for Campus, WAN, VPN or even Security?

TCP Slow Start And WAN Optimization Compression

This video looks like a good joke, but to be honest it explains in the simplest way how TCP Slow Start and WAN Optimization work. If you have problems explaining network concepts, then for sure when somebody asks you about TCP Slow Start and WAN Optimization, you'll remember the two guys running with oranges.

Combine the video below with some technical explanation and you can put together a nice presentation: