Tag Archives: Cisco

Netios

I just released an alpha release of a little tool that may help network administrators with a large park of Cisco routers or switches :

Netios is a little tool aimed to help network administrators to administrate a large number of Cisco network devices.
Providing it with a list of equipments, it connects within SSH to remotly apply IOS commands.

It can automatically :

retrieve and export in a CSV file the list of local users

update the local user, the enable password

change NTP settings

execute a file of customed IOS commands

retrieve configuration files

It can read the targets from the command line or from a text file.

Its primary goal is to improve the security by making it easier to renew regularly the local password of these equipments, but it can do more convenient things (and I will continue to work to add more of them).

Check there (tools page) for more details and a download link.

Cisco configuration buffer full

I got this weired message while trying to save a configuration :


#wr mem
Building configuration...
% Warning: Saving this config to nvram may corrupt any network management or security files stored at the end of nvram.
Continue? [no]: no
% Configuration buffer full, can't add command:
************************************************************************

Looks scary at first, but normally it should be solved with a single command :


# configure terminal
(config-ter)# service compress-config
(config-ter)# end
# write mem

I guess that there are little chances the issue remains after that, but if so, well, you may be in trouble…

Netflow on MLS switches

I had some trouble today at office with monitoring flows going through a MLS switch.

The Nfsen collector was working well for our routers, but I came to realize there were something definitely wrong with the traffic going through a Cisco 6500 switch.

The traffic reported was way below the real one.

After some research, what I suspected was confirmed by this documentation from Cisco.

Some more steps are required to make Netflow report flow processed by the switching module.

Otherwise, as only the first packet is routed and the following ones are switched by CEF, Netflow will only see the first packet at layer 3.

That explains why the reported traffic was ridicoulously small.

So, where on routers the following commands are enough :

(config)# ip cef
(config)# ip flow-export version 5
(config)# ip flow-export destination 192.168.1.1 1234
(config)# interface fa 1
(config-if)# ip route-cache flow

On MLS switches (like 6500 or 7200), add :

(config)# mls netflow
(config)# mls nde sender
(config)# mls aging long 64
(config)# mls flow ip full

The commands are described there. Unfortunately, as often with Cisco, they may vary depending on the IOS version your are running.

IOS : Configuration buffer full, can’t add command

This error message suddenly showed up on one of my router when I tried to save its running configuration.

service compress-config allowed me to workaround this buffer problem :

router#wr mem
Building configuration...

% Warning: Saving this config to nvram may corrupt any network management or security files stored at the end of nvram.
Continue? [no]: no
% Configuration buffer full, can't add command:
************************************************************************

%Aborting Save. Compress the config.[OK]
router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#service compress-config
router(config)#exit
router#wr mem
Building configuration...
Compressed configuration from 21787 bytes to 7991 bytes[OK]

Connecting your GNS3 labs to the real network

There is a nice video tutorial to get your GNS3 lab connected to your physical network.

However, it requires you to use a real network card with a fixed IP for doing that. This is not really handy if, llike me, you use GNS3 on a laptop whose connectivity is frequently switching between cable and wireless, and on different subnets.

I started to look for something more convenient like a virtual interface.

I first thought about declaring a virtual IP on eth0, but no way : briding is layer 2 (based on MAC address), you can’t add eth0:0 to a bridge.

Then I found the very handy dummy interface.

Load the module :

% sudo modprobe dummy
% lsmod | grep dummy
dummy                   3192  0
% ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr AE:89:91:BD:61:87
BROADCAST NOARP  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

To have the module loaded at boot time, do :

In debian :

% echo dummy >> /etc/modules

In openSUSE, edit this line in /etc/sysconfig/kernel :

MODULES_LOADED_ON_BOOT="dummy"

Then, you could go on with the tutorial linked above, replacing eth0 with dummy0, or use the script I made :

#!/bin/sh

/bin/tunctl -t tap0
/sbin/ifconfig tap0 0.0.0.0 promisc up
/sbin/ifconfig dummy0 0.0.0.0 promisc up
/sbin/brctl addbr br0
/sbin/brctl addif br0 tap0
/sbin/brctl addif br0 dummy0
/sbin/ifconfig br0 10.10.10.99/24 up
/path/to/GNS3-0.6-src/gns3

You may also insert this line if you want to interconnect your lab network with your other networks (it activates kernel’s IP forwarding) :

echo 1 > /proc/sys/net/ipv4/ip_forward

I saved it /usr/local/bin/gns and created a pretty shortcut for the application browser of Gnome :

% cat /usr/share/applications/gns3.desktop
[Desktop Entry]
X-SuSE-translate=true
Encoding=UTF-8
Name=gns3
GenericName=Cisco routers emulator
Exec=/usr/local/bin/gns-start
Terminal=false
Type=Application
X-KDE-SubstituteUID=true
Icon=gnome-window-manager
Categories=GNOME;Network;

This shortcut will prompt you for the root password (unfortunately, when dealing with tap interface, GNS3 requires root access – security could be tighten with SELinux or AppArmor) and launch GNS3 with most of the network stuff prepared.

Just in case you want to clear that all quickly, there is the gns-stop script :

#!/bin/sh
ifconfig br0 down
brctl delif br0 tap0
brctl delif br0 eth0
brctl delbr br0
tunctl -d tap0

Practicing Cisco networking with GNS3 and Dynamips

GNS3 and Dynamips put together give a nice open-source and free alternative to emulate a network with IOS routers. Dynampis is an emulator of Cisco 7200 router, while GNS3 provides a nice graphical environment to design your network and use the virtual routers.

I sometimes use Boson Netsim, which is not only non-free but not so reliable.

However, as I just started to use GNS3 and Dynamips, I don’t know it so well yet and won’t compare any further the two solutions.

On this page, I am just summarizing the few steps to set it up on your Linux system.

First, set up the prerequisite :

$ aptitude install python-qt4

Now, go to gns3.net and download the source code for Linux (direct link).

You may extract the archive in your local application folder :

$ wget http://pfe.epitech.net/frs/download.php/819/GNS3-0.5-src.tar.gz
$ tar -xzvf GNS3-0.5-src.tar.gz -C /opt

Then, you need the dynamips binary from the dynamips blog (direct links for x86 or amd64 platforms).
The file must be executable.

$ wget http://www.ipflow.utc.fr/dynamips/dynamips-0.2.8-RC2-amd64.bin
$ chmod u+x dynamips*.bin
$ mv dynamips-0.2.8-RC2-amd64.bin /opt

Now, start GNS3 :

$ /opt/GNS3-0.5-src/gns3

In the edit menu, select preferences and go the dynamips section.

Just browse to the dynamips binary you dowloaded, to fill the value of the executable path field.

Still from the edit menu, select IOS images and hypervisors. There, you have to add all the IOS images you want to use, one after another. Normally, the default settings for each file loaded are suitable.

Back to the main window, you can drag and drop routers and link them, creating the topology you wish.

For now, just add one router. Right click on it and select start to start it up. Right click again and select console.

Enjoy ! Of course, I strongly recommand that you start reading further from this page.

Resources :

http://www.ipflow.utc.fr/blog/
http://www.gns3.net/
http://www.blindhog.net/tutorials/gns3-linux-install/gns3-linux-install.html

Phocean.net

Computer Security Blog