Archive for category Network Basics

Getting Cisco Netflow to work on Solarwinds

I don't have the details as to which version of IOS does what; we just call it the "new netflow", where you separately specify the exporter, the monitor, etc. Its usefulness comes from its ability to be specific, and it puts to bed once and for all the whole "is it version 5 or 9 NetFlow?" question, since you have control over it.

Here is a basic setup that uses UDP 2055 for Solarwinds instead of the standard 9991.

flow record NF-Record1
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect transport tcp flags
     collect routing forwarding-status
     collect interface output
     collect counter packets long
     collect counter bytes long
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
!
flow exporter NF-Export1
     destination aaa.bbb.ccc.ddd   <-- IP Address of collector/Solarwinds system
     source Loopback0
     transport udp 2055
     template data timeout 60
!
flow monitor NF-Monitor1
     record NF-Record1
     exporter NF-Export1
     cache timeout inactive 30
     cache timeout active 60
     cache entries 1000
!
interface Gig x/xxx   <-- the interface to be monitored
  ip flow monitor NF-Monitor1 input

I added additional collection stats to the flow record out of habit; it's worth investigating what other flags and packet fields you're interested in.

To view the exporter settings, run:

show flow exporter
4500-Switch#sho flow exporter 
Flow Exporter NF-Export1:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: aaa.bbb.ccc.ddd
    Source IP address:      eee.fff.ggg.hhh
    Source Interface:       Loopback0
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            56118
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used

To switch between NetFlow Version 5 and 9, issue export-protocol netflow-v5 or export-protocol netflow-v9 from within the exporter config, as seen below via command completion:

4500-Switch(config)#flow exporter NF-Export1
4500-Switch(config-flow-exporter)#export-protocol ?
  netflow-v5  NetFlow Version 5
  netflow-v9  NetFlow Version 9
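A collector-side check for what the exporter above actually sends: this added example (not Cisco or SolarWinds code) decodes a NetFlow v9 packet containing a template and a data flowset built from the NF-Record1 "match" fields, and rejects anything that is not version 9. The field type numbers are the standard v9 ones from RFC 3954; the packet bytes are constructed here.

```python
import socket
import struct

# Field type IDs from the NetFlow v9 spec (RFC 3954) for the "match" fields
# of NF-Record1 above; collect fields are left out to keep the example short.
FIELD_NAMES = {4: "protocol", 8: "src_addr", 12: "dst_addr",
               7: "src_port", 11: "dst_port", 10: "input_snmp"}

def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads, everything else an integer."""
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_netflow_v9(data):
    """Return (header, flows) for one export packet; raises ValueError on a
    non-v9 packet (e.g. an exporter left on netflow-v5)."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    templates, flows, pos = {}, [], 20
    while pos + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[pos:pos + 4])
        if fs_len < 4:                        # malformed flowset, stop parsing
            break
        body = data[pos + 4:pos + fs_len]
        if fs_id == 0:                        # template flowset: learn field layout
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i])
                              for i in range(nfields)]
        elif fs_id in templates:              # data flowset for a template we know
            fields = templates[fs_id]
            rec_len, off = sum(flen for _, flen in fields), 0
            while off + rec_len <= len(body):  # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"type{ftype}")] = decode_field(ftype, body[off:off + flen])
                    off += flen
                flows.append(rec)
        pos += fs_len
    return {"count": count, "sys_uptime": uptime, "unix_secs": secs,
            "sequence": seq, "source_id": source_id}, flows

def sample_packet():
    """Constructed export packet: template 256 plus one TCP flow record."""
    hdr = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    fields = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (bytes([6]) + socket.inet_aton("10.1.1.5") + socket.inet_aton("10.2.2.9")
           + struct.pack("!HHH", 44321, 443, 3))
    pad = b"\x00" * ((-len(rec)) % 4)         # flowsets are padded to 4 bytes
    return (hdr + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec) + len(pad)) + rec + pad)
```

Feed it the payload of a datagram received on UDP 2055 to confirm the exporter is on v9 and that the template fields match what the flow record was meant to carry.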


Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall such as a Cisco ASA, I could only get one address to respond from offsite.

The first problem was solved by going to DSLReports.com: you have to call Verizon and convince them to instant message the group that runs the ONTs (the termination that is onsite) to set the MAC filter to 5.

After that only one IP address worked per device. I could ping each one from the other, but Verizon-served traffic could not see me. A quick tcpdump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal: the ASA ignores the ARP request and the Verizon gateway never binds the MAC to the translated IP addresses. This means that inbound static addresses didn't work, and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug; the Alcatel equipment was partially to blame, and I would imagine that the (non-professional) "firewall" that comes with the account had been modified to respond to an ARP request from 0.0.0.0. They projected it would be fixed in Q1 of the next year... that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it were responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely; all it took was a Linux system and the Perl script below. I don't believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower-layer traffic can using the ethertype command, but ARPs get absorbed. I haven't tried proxy-arp to see if it relays the bogus advertisement, as it breaks so many rules of paranoia that I doubt the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMware stack and am running a virtual Linux machine for the sole purpose of "poisoning" the ARP table. The FIOS service itself screams, though we wouldn't ever consider using their DNS; but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
# Sends an unsolicited ARP reply to the Verizon gateway every 30 seconds so
# that it binds the additional static address to our firewall's MAC.
use strict;
use warnings;
use Net::ARP;

for (;;) {
    Net::ARP::send_packet(
        'eth0',               # device to send on
        '98.109.50.1',        # Verizon gateway, not really 0.0.0.0 of course
        '98.109.50.36',       # address that we want Verizon to respond to
        '00:1E:EC:9F:DB:67',  # source MAC: MAC of our address
        '00:1d:70:26:cc:53',  # destination MAC address for the ARP
        'reply'               # ARP operation
    );
    print "packet sent\n";
    sleep(30);
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e 'install Net::ARP'


Migrating from Cisco Pix to Cisco ASA

One of the most notable differences between Cisco ASA devices and Cisco Pix devices to be aware of is that the ASA devices don't support the PPTP protocol (think of it as sanity catching up with your organization), and that the ASA5505 doesn't support EzVPN server mode. While these may sound trivial, suddenly changing the way employees connect can feel like a cultural issue.

Another difference, and one I wouldn't have guessed until I saw it on a customer system, is that capitalization alone is not enough to distinguish names on the ASA: you cannot assign Test1 to an IP address and TEST1 to a different address, they are the same reference. Again, think of it as sanity enforcement; your organization should not be using the Caps Lock key as an address discriminator. The PDM "name" function is not supported at all, and a handful of other warnings appear when importing.

There is a utility from Cisco available to assist in importing; alas, I have never used it because I like to know exactly what is changing. Yes, this can be a big job when working with 20,000 lines of configuration, but the last job I did of that size was 100% successful, not just 99%, due to understanding the details of each conversion issue. My process is to reflect the changes back into the source and then re-import until there is a completely clean import.

VPN organization is also very different: there are tunnel groups, isakmp definitions and group policies, and these require an understanding of the intent and the security policies behind your VPN rules.

For those needing help with converting from Pix to ASA, you may want to get an expert involved, especially to understand the impact on security policy; after all, the firewall device is meant to be the implementation of a security policy, it should not be the security policy itself.

For help in migrating or configuring Cisco ASA security appliances or VPN connectivity and architecture email security @ idsbusiness.com

I also recommend a follow-up security scan if ever there is any doubt; one should be done periodically anyway, so post-conversion is an ideal time.

Bil Herd
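The "fix the source and re-import until clean" loop above can be front-loaded with a lint pass. This added example (not Cisco's migration utility) scans a Pix configuration for name entries that differ only in case, which the ASA collapses into one reference, and for the vpdn/PPTP lines the ASA will not accept. The config excerpt is constructed; the regexes assume the standard `name <ip> <name>` and `vpdn ...` line forms.

```python
import re
from collections import defaultdict

# Constructed sample excerpt of a PIX config showing the problems discussed.
SAMPLE_PIX_CONFIG = """\
name 10.1.1.10 Test1
name 10.1.1.20 TEST1
name 10.1.2.5 mailhost
access-list outside_in permit tcp any host mailhost eq 25
vpdn group pptp-grp accept dialin pptp
vpdn enable outside
"""

def find_case_collisions(config):
    """Return {lowercase name: [(name as written, ip), ...]} for 'name'
    entries that become the same reference once case is ignored."""
    seen = defaultdict(list)
    for m in re.finditer(r"^name\s+(\S+)\s+(\S+)", config, re.M):
        ip, name = m.group(1), m.group(2)
        seen[name.lower()].append((name, ip))
    return {k: v for k, v in seen.items() if len(v) > 1}

def find_unsupported_lines(config):
    """Return lines that configure PPTP (vpdn), which the ASA does not support."""
    patterns = [r"^vpdn\b", r"\bpptp\b"]
    return [line for line in config.splitlines()
            if any(re.search(p, line, re.I) for p in patterns)]

def lint(config):
    """Collect human-readable findings to resolve in the source config."""
    findings = []
    for key, entries in find_case_collisions(config).items():
        names = ", ".join(f"{n} ({ip})" for n, ip in entries)
        findings.append(f"name collision on ASA (case-insensitive '{key}'): {names}")
    for line in find_unsupported_lines(config):
        findings.append(f"unsupported on ASA: {line}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_PIX_CONFIG):
        print(finding)
```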


Trunking on Home and Small Office Switches

I bought a couple of the Cisco/Linksys SLM200x series gig switches (SLM2005, SLM2008) for under $100 each. I wasn't going to pay hundreds of dollars to get an IOS switch like I am used to, plus the IOS stuff is still 10/100 for the bulk of the ports.

I was real happy to see the "Enable Jumbo Frames" check-box; I started to suspect that I could use one wire to connect two networks while keeping them separate. Jumbo frames means a packet that is 4 bytes bigger than a standard Ethernet packet can still get through.

What's 4 bytes bigger? A packet that has been tagged with 802.1Q trunking protocol headers. What's interesting about 802.1Q is that the native VLAN is still the normal size; I suspect there is a lot of equipment out there that works because the native packet makes it through and the trunked packets appear too alien to get any further. Cisco's trunking protocol, Inter-Switch Link (ISL), encapsulates every VLAN and means that you can't be flipping and trunking the interconnects between two switches without running to each side of the connection or being very careful in the order you do things.

In my case I have a business VLAN I wanted separate from a test VLAN, and then on top of that I had VoIP. To do trunking I made sure the native VLANs lined up on both ends and then selected a 2nd VLAN on both sides of the link between the two switches using the VLAN selector in the web-based configuration. I checked "allow jumbo frames" and for good measure I disabled the egress filters that select tagged packets, even though there was a setting for "all" packets.

Now you can break out a single port by making it just a member of the 2nd VLAN. In my case I spent $20 for a new gig Intel Ethernet card for the desktop and brought the trunk right into the desktop. Again I made the native VLAN line up and selected the next VLAN. My system now shows a total of three connectoids in Windows: one for the natural interface and one for each VLAN. I get IP addresses and DNS from 2 DHCP servers on two separate networks.

Oh yeah, you have to reboot the switches after doing this much to them; I suspect that they need to build some forwarding tables from scratch.

Other nice things about the SLM series, other than that they are manageable in general: there are several ways to set up QoS, port-based or by traffic type, and you can modify the priority mechanism a little or go to strict priority. Just setting the port my phone was plugged into to be a high-priority port yielded the first 98% of the results I was looking for using strict priority.

They also do port monitoring for sniffing and have a full multi-VLAN Spanning Tree implementation including PortFast. The device is sold as a Light Managed switch, but for SOHO it's as managed as I needed, especially VLANs at gig speeds; I am cutting down on a few cables by sharing.
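To make the "4 bytes bigger" point concrete, here is an added example (not code from the post or from Cisco/Linksys) that builds the same full-size frame untagged (native VLAN) and with an 802.1Q tag, parses the tag back out, and reports whether a switch that enforces the 1518-byte untagged maximum would discard it. The MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED_FRAME = 1518   # 14-byte header + 1500-byte payload + 4-byte FCS

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet frame; vlan=None means untagged (native VLAN)."""
    hdr = dst + src
    if vlan is not None:                       # insert the 4-byte 802.1Q tag
        tci = (pcp << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload + b"\x00" * 4  # FCS placeholder

def parse_frame(frame):
    """Return the VLAN id (None if untagged), priority, inner ethertype, length,
    and whether a switch limited to 1518-byte frames would discard it."""
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan = pcp = None
    if etype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan, pcp = tci & 0x0FFF, tci >> 13
        etype = struct.unpack("!H", frame[16:18])[0]
    return {"vlan": vlan, "pcp": pcp, "ethertype": etype, "length": len(frame),
            "dropped_at_1518": len(frame) > MAX_UNTAGGED_FRAME}

DST = bytes.fromhex("001122334455")   # constructed MAC addresses
SRC = bytes.fromhex("66778899aabb")

def compare_native_and_tagged(payload_len=1500):
    """Same IPv4 payload sent untagged (native VLAN) and tagged (VLAN 20, PCP 5)."""
    payload = b"\xaa" * payload_len
    native = parse_frame(build_frame(DST, SRC, 0x0800, payload))
    tagged = parse_frame(build_frame(DST, SRC, 0x0800, payload, vlan=20, pcp=5))
    return native, tagged
```

With a full 1500-byte payload the native frame is exactly 1518 bytes and passes, while the tagged copy is 1522 bytes and needs the switch to accept oversized frames.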


Blocking ICMP

This is old news, real old, but I still run across it from time to time. Customers block ICMP in their firewall or other places.

Internet Control Message Protocol is more than just ping (I remember the early Macs didn't implement ICMP, or at least echo/ping, in their IP stack).

ICMP, among other things, tells equipment up and down the line a few interesting things, not least when they need to fragment a packet into smaller packets. Symptoms range from telnet or web works and email or FTP don't, some of the time. In short, to the casual observer (known as a user), it is one more thing that works randomly.

Nowadays it's more important than ever, with the proliferation of VPNs, to get your fragging done as thoroughly as possible, before the packet gets sucked into the VPN terminus. Why? You can't fragment an encrypted packet; in fact it's not even TCP (IP Protocol type 9) anymore, it is type 50/ESP or type 47/GRE, and because it's encrypted you really can't bust it into smaller parts and calculate checksums, etc.

Exchange clients don't work on all workstations across VPNs? There were various versions of MS patches that appeared to break the MTU discovery mechanism that says to use smaller packets.
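The ICMP message the MTU discovery mechanism depends on is "destination unreachable, fragmentation needed" (type 3, code 4), which a firewall blocking all ICMP silently drops. This added example (not part of the original post) builds and decodes one, verifies its checksum, pulls out the next-hop MTU and the protocol of the datagram that was dropped, and derives the TCP MSS that would fit; the inner IPv4 header and addresses are constructed.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu, original_header_and_8):
    """ICMP type 3 code 4: type, code, checksum, unused(2), next-hop MTU(2),
    followed by the dropped datagram's IP header + first 8 payload bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_header_and_8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_frag_needed(pkt):
    """Return (next_hop_mtu, inner IP protocol, inner destination) or raise."""
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _, mtu = struct.unpack("!BBHHH", pkt[:8])
    if (itype, code) != (3, 4):
        raise ValueError(f"not fragmentation-needed: type {itype} code {code}")
    inner = pkt[8:]
    proto = inner[9]                           # protocol byte of the inner IPv4 header
    dst = ".".join(str(b) for b in inner[16:20])
    return mtu, proto, dst

def tcp_mss_for_mtu(mtu):
    """Largest TCP MSS that fits an IPv4 path MTU (20-byte IP + 20-byte TCP)."""
    return mtu - 40

# Constructed inner IPv4 header (DF set, protocol 6 = TCP) plus 8 bytes of TCP.
INNER = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]))
         + struct.pack("!HHI", 51000, 443, 1))
```

If the inner protocol comes back as 50 (ESP) or 47 (GRE) the message reached the far side of the tunnel too late to help, which is the situation the post describes.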
