Cisco: SSH enable | disable | reconfigure tutorial

One of the most widely used methods for remote access today is the SSH protocol. Even though most network engineers say there is nothing complicated about enabling, disabling or reconfiguring SSH, my experience has shown that it can get really messy if you do the steps in the wrong order.

One situation I see very often: after a network engineer (administrator, beginner...) reconfigures SSH or the hostname / domain-name on a Cisco router, they report that SSH is not working anymore, with errors like "key missing" or "key not matching" or other errors relating to the RSA keys. In almost 90% of the cases this was due to the wrong order of operations during the SSH reconfiguration.

Let's say that we have working SSH access, and then we have to change the hostname and domain-name of the Cisco device. As you know, SSH relies on an RSA key pair, and that key pair is named after the hostname and domain-name of the device at the moment the keys are generated. The most common sequence is that the network person changes the hostname and domain-name, then deletes the old keys and generates new ones. This is the happy case, and on some routers and IOS platforms it works. But there is the worst case, when the person in charge changes the domain-name and the hostname and then expects SSH to work like before. It does not!

Please check the tutorial below for the correct order of operations when enabling, disabling or reconfiguring SSH on a Cisco device. For this tutorial I will use two point-to-point connected routers, R0 and R1. I will enable SSH on R1 and then connect to it from R0.
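As an added example (not the tutorial itself, and not copied from the original page), here is the order of operations on R1 that respects the dependency described above: hostname and domain-name first, then the key pair, then the SSH server and the vty lines. The domain name lab.local, the 10.0.0.0/30 addressing between R0 and R1, and the admin account are assumptions for illustration.

```cisco
! R1: enable (or rebuild) SSH in the order the RSA key pair depends on.
! The key pair is named <hostname>.<domain-name> when it is generated,
! so both values must be final BEFORE "crypto key generate rsa".
hostname R1
ip domain-name lab.local
!
! When reconfiguring after a rename, remove the old pair first, so that
! exactly one pair exists and it carries the new name. IOS asks for
! confirmation on zeroize; answer "yes".
crypto key zeroize rsa
crypto key generate rsa modulus 2048
!
! Server settings: v2 only, short idle timeout, few retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Assumed local account used for the login.
username admin privilege 15 secret S3cret-Example
!
line vty 0 4
 login local
 transport input ssh
!
! Verification on R1 (exec mode):
!   show crypto key mypubkey rsa   -> key name R1.lab.local, 2048 bits
!   show ip ssh                    -> "SSH Enabled - version 2.0"
!
! Test from R0 (R0 10.0.0.1/30, R1 10.0.0.2/30, assumed addressing):
!   R0# ssh -l admin 10.0.0.2
!
! To disable SSH: "crypto key zeroize rsa" removes the pair and the
! server stops; "transport input none" on the vty lines closes the door
! completely. Re-enable with the same steps, in the same order.
```

Because the host key changes every time the pair is regenerated, every client that cached the old key (OpenSSH known_hosts, terminal-emulator host databases) must drop the stale entry before it will connect again; that is the usual source of the "key not matching" reports mentioned above.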


Cisco: Spoof detection

Spoofing is a kind of network attack that compromises your network security with the intention of capturing traffic, which enables an attacker to get access to confidential data. Usually a spoofing attack is associated with IP spoofing, which means that the source IP of a packet arriving at your device has been deliberately changed. For example, let's assume that you have a plain HTTP session with a mail server and you want to log in to your mail account. You send the initial TCP connection to the real IP of the mail server. If at this moment an attacker can intercept the traffic and reply to your machine with a fake source IP (pretending to be the IP address of the mail server), then the following packets (including the ones carrying your login/password) end up with the attacker, provided the attacker sits on the path or has redirected your traffic towards their machine.

The spoof detection configuration on Cisco is very simple (at least the methods that I know), but I decided to put it here in case somebody needs it. We have two routers connected with a crossover cable, as we need an IP address on the interface and the interface to be up in order to do the "show ..." verification.

Please see the tutorial below:
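The method shown here is unicast Reverse Path Forwarding (uRPF), which is the built-in Cisco IOS check for source-address spoofing; it is an added example and an assumption on my part, not a copy of the tutorial's own configuration. The interface name and the 10.0.0.0/30 addressing are assumed.

```cisco
! R1: unicast RPF on the link towards R0.
! Strict mode drops any packet whose source address is not routed back
! out the interface it arrived on, i.e. a source that cannot legitimately
! come from this direction. uRPF needs CEF.
ip cef
!
interface FastEthernet0/0
 description link to R0
 ip address 10.0.0.2 255.255.255.252
 ip verify unicast source reachable-via rx
 no shutdown
!
! Loose mode ("reachable-via any") only requires that SOME route to the
! source exists. Use it where routing is asymmetric (multi-homed edges),
! because strict mode would drop legitimate traffic there.
!
! Verification (exec mode):
!   show ip interface FastEthernet0/0 | include verif
!     -> "IP verify source reachable-via RX" and the verification drop count
!   show ip traffic | include RPF
!     -> the "unicast RPF" counter in the Drop line grows on spoofed packets
!
! Lab test from R0 (assumed): send traffic with a source address that R1
! does not route via Fa0/0, e.g. with "ping 10.0.0.2 source Loopback0"
! while Loopback0 is unknown to R1; the drop counter should increase.
```

Note that uRPF only catches sources that are wrong for the interface they arrive on; a spoofed address that belongs to the same subnet behind that interface passes the check, so it complements, rather than replaces, ingress ACLs at the network edge.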

Cisco: How-to limit HTTP traffic on weekdays during working hours

Some time ago a person asked me to limit HTTP traffic to 256 kbit/s on weekdays from 8:00 to 16:00, to limit "the fun" in the office while others are working. In theory I'm against this type of policy, because if you have a team of network engineers who need to access cisco.com at the same time for information and for things like IOS downloads, this will take a lot of time. Of course, if you see that productivity is going down because 80% of the traffic goes to YouTube (nothing against them, just picked randomly), then such measures are welcome.

Since the discussion above is beyond the scope of this tutorial and represents only a personal opinion, let me tell you what I'll show in the tutorial below. On Fa0/0 (the outside connection) we will limit the HTTP responses sent out to 256 kbps from Monday to Friday between 8:00 and 16:00.

Please see the tutorial below:
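An added example of the policy described above (my own configuration, not the tutorial's): a time-based ACL selects HTTP responses (TCP source port 80) only during the working-hours window, and a MQC policer applied outbound on Fa0/0 limits them to 256 kbit/s. The NTP server address 192.0.2.10, the time zone and the object names are assumptions.

```cisco
! A time-based ACL is only as good as the router clock. Set the time zone
! and sync to NTP, otherwise the window may never open (or never close).
clock timezone CET 1
ntp server 192.0.2.10
!
time-range WORKHOURS
 periodic weekdays 8:00 to 16:00
!
! HTTP responses = TCP segments whose SOURCE port is 80. Outside the
! time range the entry is inactive and nothing matches.
ip access-list extended HTTP-RESPONSES
 permit tcp any eq www any time-range WORKHOURS
!
class-map match-all CM-HTTP
 match access-group name HTTP-RESPONSES
!
! Police to 256 000 bit/s; traffic above the rate is dropped.
policy-map PM-LIMIT-HTTP
 class CM-HTTP
  police 256000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy output PM-LIMIT-HTTP
!
! Verification:
!   show clock                                  -> correct local time
!   show time-range WORKHOURS                   -> whether the range is active now
!   show policy-map interface FastEthernet0/0   -> conformed / exceeded counters
```

Two caveats a practitioner should keep in mind: the policy only sees plain HTTP on port 80, so sites that redirect to HTTPS (443) are not limited at all, and if the responses actually flow in the other direction on your topology, the `service-policy` must be applied `input` instead of `output` (or on the LAN-facing interface).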

Cisco: Multilink PPP over Frame Relay (MLPoFR)

In this tutorial I want to show something that is not used very much these days, or at least not every day, but which can be tricky if you don't know how to approach this type of configuration. I assume that you know the basics of PPP, Frame Relay and Multilink. I will give a short summary here but will not go into details:

PPP, or Point-to-Point Protocol, is used to establish a direct connection between two network points. It can provide authentication, encryption (privacy) and compression.
FR, or Frame Relay, is a telecommunication service used mostly on the WAN side towards your provider or carrier; it relies on frames, identified by DLCIs, for data transmission.
Multilink (MLP) bundles two or more channels / circuits into one logical link, to improve bandwidth and resilience.

Here we will use these three technologies to create something called MLPoFR. For security we will use authentication. Please download the topology here. Be aware that you cannot actually see the two links in the topology (a GNS3 limitation), but trust me, the links are there. To make things quicker, R1 in the topology is preconfigured.

Please see the tutorial below:
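As an added example (not the tutorial's configuration, and not the preconfigured R1 from the topology), this is what the non-preconfigured side of an MLPoFR bundle looks like: each Frame Relay PVC carries PPP through a virtual template, and the two PPP sessions are bundled by Multilink PPP into one logical interface that holds the IP address and terminates CHAP. The hostname R2, the DLCIs 201 and 211, the serial interface names, the 10.12.12.0/24 addressing and the CHAP secret are assumptions.

```cisco
! R2: two Frame Relay PVCs -> two PPP links -> one Multilink bundle.
!
! CHAP peer entry: R1 must have the mirror "username R2 password ..."
! with the SAME secret.
username R1 password 0 MLP-secret-example
!
! The bundle interface carries the Layer 3 address.
interface Multilink1
 ip address 10.12.12.2 255.255.255.0
 ppp multilink
 ppp multilink group 1
!
! Every PPP session cloned from this template joins bundle 1.
! Authentication belongs here, because CHAP runs per member link.
interface Virtual-Template1
 no ip address
 ppp authentication chap
 ppp multilink
 ppp multilink group 1
!
! Physical links: Frame Relay encapsulation, PPP over the DLCI.
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay interface-dlci 201 ppp Virtual-Template1
 no shutdown
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 frame-relay interface-dlci 211 ppp Virtual-Template1
 no shutdown
!
! Verification:
!   show ppp multilink            -> Multilink1 with 2 member links (Virtual-Access)
!   show interfaces Multilink1    -> "line protocol is up"
!   show frame-relay pvc          -> both DLCIs ACTIVE
!   debug ppp authentication      -> CHAP challenge / response / success (lab only)
```

Keep CHAP rather than PAP here: PAP sends the secret in clear text on every link establishment, while CHAP only exchanges a challenge and an MD5 response, so a sniffer on the carrier side learns nothing usable. If the bundle comes up with only one member, check that both virtual-access interfaces show the same `ppp multilink group` and that the PVC for the second DLCI is active.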

Cisco: Deny false routing information injection into the OSPF domain

In a well controlled environment, false routing information should not reach your OSPF domain, as the network engineers take care of what is and is not advertised into OSPF. But there are cases when you have to deal with third-party companies somehow, and you want to be sure that nothing is injected into your domain by mistake. This can also be a task in the CCIE R&S lab exam.

And since I said this can be an exam task, let's add a "DO NOT USE" rule: we have to accomplish the task above without using the command "ip ospf authentication message-digest". Download the topology here. R1 in the topology is pre-configured. The OSPF timers have been reconfigured to a hello interval of 1 second and a dead interval of 5 seconds, so we don't wait "forever" for the adjacency to be rebuilt.

Please see the tutorial below:
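An added example of one way to meet the constraint (my own configuration, not the tutorial's solution): with message-digest forbidden, the remaining OSPF tools are simple (plain-text) password authentication on the link towards the third party, plus `passive-interface default` so no adjacency can form where none is expected. The hostname R2, Serial0/0, the 10.1.12.0/24 addressing, the router ID and the key are assumptions; the 1 s / 5 s timers are the ones the page states.

```cisco
! R2: link towards the third party. R1 (pre-configured on the page)
! must carry the same authentication type and key, or the adjacency
! drops within the 5 s dead interval.
interface Serial0/0
 ip address 10.1.12.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key s3cr3t-example
 ip ospf hello-interval 1
 ip ospf dead-interval 5
!
router ospf 1
 router-id 2.2.2.2
 network 10.1.12.0 0.0.0.255 area 0
 ! no hellos, and therefore no neighbors, on interfaces not listed below
 passive-interface default
 no passive-interface Serial0/0
!
! Verification:
!   show ip ospf interface Serial0/0  -> "Simple password authentication enabled"
!   show ip ospf neighbor             -> FULL with the right key; change the key on
!                                        one side and the neighbor disappears in 5 s
!   debug ip ospf adj                 -> "Mismatch Authentication type" / key errors (lab only)
```

Two caveats: first, the plain-text key travels in every hello, so this only stops accidental peering, not an attacker who can sniff the link; outside the exam constraint, message-digest authentication is the minimum. Second, an OSPF `distribute-list ... in` is not a substitute: it filters what enters the local routing table, but the LSAs still enter the link-state database and are flooded to the rest of the area.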