Friday, July 21, 2017

EIGRP - summarization - part 1

Today I would like to play with EIGRP, check its recommended designs, settings, etc. Below you can see a diagram:




I have a standard configuration (named version) on all of them:

router eigrp TEST1
 !
 address-family ipv4 unicast autonomous-system 100
 !
 topology base
 exit-af-topology
 network 10.1.0.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
 
There are three topics I plan to go through in this and 2 next posts:
1) link failures without summarization
2) link failures with summarization
3) link failures with an EIGRP stub routing feature
Let's start from the basic principals and then we move on.
In stable network we should see 'hello' packets sent every 5 seconds:



R1#debug eigrp packets all
 (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Jul 20 22:54:20.426: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Jul 20 22:54:20.426: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jul 20 22:54:20.466: EIGRP: Received HELLO on Fa1/0 - paklen 20 nbr 10.1.0.6
*Jul 20 22:54:20.466: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jul 20 22:54:21.134: EIGRP: Received HELLO on Fa0/0 - paklen 20 nbr 10.0.0.3
*Jul 20 22:54:21.134: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
*Jul 20 22:54:22.286: EIGRP: Sending HELLO on Fa1/0 - paklen 20
*Jul 20 22:54:22.286: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#
*Jul 20 22:54:23.558: EIGRP: Received HELLO on Fa0/0 - paklen 20 nbr 10.0.0.2
*Jul 20 22:54:23.558: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#no
*Jul 20 22:54:24.846: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Jul 20 22:54:24.846: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jul 20 22:54:25.358: EIGRP: Received HELLO on Fa1/0 - paklen 20 nbr 10.1.0.6
*Jul 20 22:54:25.358: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
 
The hellos are sent to multicast address 224.0.0.10:



Hello packet doesn't contain too much information but there are some important values which are needed to establish neighborship:
 
 
 
K- values have to match on all routers and by default K1 and K3 are enabled. They are: bandwidth and delay, respectively. Let's see what happens when we change one value on R1:


 On R1 K1 value is 0:

R1#sh run | s eigrp
router eigrp TEST1
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 10.0.0.0 0.0.0.255
network 10.1.0.0 0.0.0.255
metric weights 0 0 0 1 0 0 0
exit-address-family
R1#


 
 
Link Failures without summarization.

Without any summarization the routing table has 21 entries:

R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 + - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 21 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.2/32 is directly connected, FastEthernet0/0
D 10.1.0.0/24 [90/153600] via 10.0.0.1, 00:00:13, FastEthernet0/0
D 10.1.1.0/24 [90/154240] via 10.0.0.1, 00:00:12, FastEthernet0/0
D 10.1.2.0/24 [90/154240] via 10.0.0.1, 00:00:12, FastEthernet0/0
D 10.1.3.0/24 [90/154240] via 10.0.0.1, 00:00:12, FastEthernet0/0
D 10.1.4.0/24 [90/154240] via 10.0.0.1, 00:00:12, FastEthernet0/0
D 10.1.5.0/24 [90/154240] via 10.0.0.1, 00:00:12, FastEthernet0/0
C 10.2.0.0/24 is directly connected, FastEthernet1/0
L 10.2.0.2/32 is directly connected, FastEthernet1/0
D 10.2.1.0/24 [90/103040] via 10.2.0.4, 00:00:40, FastEthernet1/0
D 10.2.2.0/24 [90/103040] via 10.2.0.4, 00:00:40, FastEthernet1/0
D 10.2.3.0/24 [90/103040] via 10.2.0.4, 00:00:40, FastEthernet1/0
D 10.2.4.0/24 [90/103040] via 10.2.0.4, 00:00:40, FastEthernet1/0
D 10.2.5.0/24 [90/103040] via 10.2.0.4, 00:00:40, FastEthernet1/0
D 10.3.0.0/24 [90/153600] via 10.0.0.3, 00:29:54, FastEthernet0/0
D 10.3.1.0/24 [90/154240] via 10.0.0.3, 00:29:54, FastEthernet0/0
D 10.3.2.0/24 [90/154240] via 10.0.0.3, 00:29:54, FastEthernet0/0
D 10.3.3.0/24 [90/154240] via 10.0.0.3, 00:29:54, FastEthernet0/0
D 10.3.4.0/24 [90/154240] via 10.0.0.3, 00:29:54, FastEthernet0/0
D 10.3.5.0/24 [90/154240] via 10.0.0.3, 00:29:54, FastEthernet0/0
R2#


I shutdown an interface Loop5 on R3 to see how EIGRP deals with missing access to 10.3.5.0/24 network.

*Jul 21 14:04:07.287: EIGRP: Received UPDATE on Fa0/0 - paklen 44 nbr 10.2.0.2
*Jul 21 14:04:07.287: AS 100, Flags 0x0:(NULL), Seq 227/35 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jul 21 14:04:07.291: {type = 602, length = 44}
*Jul 21 14:04:07.295: {vector = {afi = 1, tid = 0}
*Jul 21 14:04:07.295: {routerid = 10.3.5.5
*Jul 21 14:04:07.299: {offset = 0, priority = 0, reliability = 255, load = 1,
*Jul 21 14:04:07.299: mt
R4#u = {1500:[00, 05, DC]), hopcount = 2,
*Jul 21 14:04:07.299: delay = 281474976710655, bw = 100000,
*Jul 21 14:04:07.303: reserved = 00, opaque_flags = 00}
*Jul 21 14:04:07.303: {nh:00000000}
*Jul 21 14:04:07.307: {180A0305}
*Jul 21 14:04:07.311: }
*Jul 21 14:04:07.311: EIGRP: Enqueueing ACK on Fa0/0 - paklen 0 nbr 10.2.0.2 tid 0
*Jul 21 14:04:07.311: Ack seq 227 iidbQ un/rely 0/0 peerQ un/rely 1/0 route: 10.3.5.0/24
*Jul 21 14:04:07.319: EIGRP: Sending ACK on Fa0/0 - paklen 0 nbr 10.2.0.2 tid 0
*Jul 21 14:04:07.319: AS 100, Flags 0x0:(NULL), Seq 0/227 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
*Jul 21 14:04:07.323: EIGRP: Enqueueing QUERY on Fa0/0 - paklen 0 tid 0 iidbQ un/rely 0/1 serno 129-129
*Jul 21 14:04:07.327: EIGRP: Sending QUERY on Fa0/0 - paklen 44 tid 0
*Jul 21 14:04:07.327: AS 100, Flags 0x0:(NULL), Seq 38/0 interfaceQ 0/0 iidbQ un/rely 0/0 serno 129-129
*Jul 21 14:04:07.327: {type = 602, len
R4#gth = 44}
*Jul 21 14:04:07.327: {vector = {afi = 1, tid = 0}
*Jul 21 14:04:07.327: {routerid = 10.3.5.5
*Jul 21 14:04:07.327: {offset = 0, priority = 0, reliability = 255, load = 1,
*Jul 21 14:04:07.327: mtu = {1500:[00, 05, DC]), hopcount = 2,
*Jul 21 14:04:07.327: delay = 281474976710655, bw = 100000,
*Jul 21 14:04:07.327: reserved = 00, opaque_flags = 04}
*Jul 21 14:04:07.327: {nh:00000000}
*Jul 21 14:04:07.327: {180A0305}
*Jul 21 14:04:07.327: }
*Jul 21 14:04:07.339: EIGRP: Received ACK on Fa0/0 - paklen 0 nbr 10.2.0.2
*Jul 21 14:04:07.339: AS 100, Flags 0x0:(NULL), Seq 0/38 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Jul 21 14:04:07.339: EIGRP: FastEthernet0/0 multicast flow blocking cleared
*Jul 21 14:04:07.379: EIGRP: Received REPLY on Fa0/0 - paklen 44 nbr 10.2.0.2
*Jul 21 14:04:07.379: AS 100, Flags 0x0:(NULL), Seq 229/38 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ
R4# un/rely 0/0
*Jul 21 14:04:07.383: {type = 602, length = 44}
*Jul 21 14:04:07.383: {vector = {afi = 1, tid = 0}
*Jul 21 14:04:07.383: {routerid = 10.3.5.5
*Jul 21 14:04:07.383: {offset = 0, priority = 0, reliability = 255, load = 1,
*Jul 21 14:04:07.383: mtu = {1500:[00, 05, DC]), hopcount = 2,
*Jul 21 14:04:07.383: delay = 281474976710655, bw = 100000,
*Jul 21 14:04:07.383: reserved = 00, opaque_flags = 00}
*Jul 21 14:04:07.383: {nh:00000000}
*Jul 21 14:04:07.383: {180A0305}
*Jul 21 14:04:07.383: }


As you can see R4 received update that network 10.3.5.0/24 is not accessible and then R4 sent query asking R2 about any alternative path to this network. In queries and replies there is a delay value = 281474976710655, what is interpreted by wireshark as ‘infinity’:





 
 
As you can see the network is pretty noisy. Now if any network is down behind R5, all devices receive update about it, despite there is no backup path. With more devices and bigger routing tables the number of updates would be huge. We can fix it by enabling summarization to limit number of information exchanged between routers. I will continue the topic in the next post.

Friday, July 1, 2016

F5 Lab Guide Set Up

----------------------------------------------------------------------------------------------
F5 Lab Guide Set Up
----------------------------------------------------------------------------------------------



I have to learn and practice iRules. That's why I decided to set up my lab. Below you can find my notes. For some of you it may be easy but I wanted to be clear enough even for people with basic computer/network skills.
----------------------------------------------------------------------------------------------



Required components:

1)VMware Player

2)BIG-IP: BIGIP-11.3.0.39.0-scsi.ova

  https://f5.com/products/trials/product-trials

  You have to select 1 option, register and generate license which will be sent by email (you have to start downloading).

3)Application servers (min 2) - Centos 64-bit (minimal ISO):

  http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1511.iso

4) Client server

  http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1511.iso

----------------------------------------------------------------------------------------------

Install steps:

1) install VMware Player

   Once you install VMware check what subnet is allocated for your VM interfaces (may be different from what I have):


Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::fcb8:569:6ada:d9cc%50
   IPv4 Address. . . . . . . . . . . : 192.168.80.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c884:6070:5f40:e90d%51
   IPv4 Address. . . . . . . . . . . : 192.168.174.1                  
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :



2) install BIG-IP package

 a) Home->Create a New Virtual Machine and click Import
 b) Accept license and wait couple of minutes
 c) Before you start VM change network settings:
    - select your new VM and click 'Edit virtual machine settings'
    - you should be in the 'Hardware' tab and find 'Network Adapter' (you should have 4)
    - select 1st one (management access) and set: Custom: VMnet8 (NAT)
    - select 2nd one (client interface) and set: Custom: VMnet1 (Host-only)
    - select 3rd one (server interface) and set: Custom: VMnet2
    - click OK

3) install (2x) Linux server (Centos)

 a) Home->Create a New Virtual Machine
 b) Select 2nd option: Installer disc image (iso) and select your image, then click Next
 c) Change default name to Server1/Server2 (just example), then click Next
 d) Akcept Disk settings and click Next
 e) Review settings and click Finish
 f) Select 1st option "Install CentOS 7"
 g) Select desired languge theme and click Continue
 h) Select Date&Time and select your timezone
 i) Select Installation Destination, review it and click 'Done' (top-left corner)
 j) You may change network settings (optional, we will change it during setup)
 k) Click Begin Installation
 l) Select and set a Root Password and click 'Done' (top-left corner)
 m) Wait couple of minutes - installation in progress...
 n) Click Reboot


----------------------------------------------------------------------------------------------

Set-up steps:


*****************************************************************
how to use vi editor:

- once you type: vi filename
- before you can edit you have to type ':i' to enter edit mode
- once you finish click 'Esc' and you will be back in read mode
- to save file: ':w'
- to exit file: ':q'
- to save and exit: ':wq'
*****************************************************************


1) Application server1

  a) set a static IP (you can also do it during installation): 


     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      please check what is your interface name by:
          ls /etc/sysconfig/network-scripts/
     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


     vi /etc/sysconfig/network-scripts/ifcfg-eno16777736

     You need to change following parameters here:

     -BOOTPROTO="static"
    
     and add 3 new:

     -IPADDR=192.168.175.133
     -NETMASK=255.255.255.0
     -GATEWAY=192.168.175.110

   b) add a default gateway

      vi /etc/sysconfig/network-scripts/route-eno16777736

      default 192.168.175.110 dev eno16777736

   c) Web Application  (answer always 'Y')

      - install following packages:

      yum groupinstall "Web Server"
      yum install httpd
      yum install php
      yum install php php-mysql

      - set up Apache:

      vi /etc/httpd/conf/httpd.conf

      Find: #ServerName www.example.com:80 and add below:

      ServerName localhost

      - restart httpd service:

      service httpd restart

      or you can also restart your machine:

      shutdown -r now

    d) add a test webpage (otherwise you will see only 'welcome' page from Apache')

      cd /var/www
      vi index.html

      and add "Server1 IP address 192.168.175.133"

      so once you hit this server you will know on which one you are.


2) Application server2

     Repeat the same steps and modify IP address to 192.168.175.134


3) BIG-IP

     Default passwords: GUI admin/admin
                        CLI root/default
   
     https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13148.html


     a) set management IP:

       modify /sys global-settings mgmt-dhcp disabled
  
       create /sys management-ip 192.168.174.100/24

     b)  you can confirm you have correct IP:

        list /sys management-ip

     c) check what is your management route:

        list /sys management-route

     d) set correct default route for management interface:

        modify /sys management-route default gateway 192.168.174.1

     e) set admin password:

        modify auth user admin password XXXXXX

     f) save your settings:

        save /sys config partitions all
    
     g) open CLI (console or ssh)

        ssh 192.168.174.100

        and activate licenses:


       get_dossier -b XXXXX-XXXXX-XXXXX-XXXXX-XXXXXX

       copy that dossier and paste here:  https://secure.f5.com/Infopage/index.jsp

       once you generate license just download it and add to the file: /config/bigip.license

       vi /config/bigip.license

       and paste that license.Reload license:

       reloadlic

       Access WebGUI and finish activation process.


     h) add VLANs (from Web GUI)

        Menu: Network->VLANs: click Add with any name like Vlan1 and allocate physical interfaces 1.1 (untagged)
        Menu: Network->VLANs: click Add with any name like Vlan2 and allocate physical interfaces 1.2 (untagged)

     i) enable physical interfaces:

        Menu: Network->Interfaces, interfaces 1.1 and 1.2 should be enabled now

     j) add Self IPs:

        we should have one IP assigned for server's network and one for client's network:

        Menu:Network->Self IPs->Create:

        Name: serverNetwork
        IP: 192.168.175.110 (default gateway for my servers)
        Netmask: 255.255.255.0
        Vlan: vlan2
        
        Name: ClientNetwork
        IP: 192.168.80.110
        Netmask: 255.255.255.0
        Vlan: vlan1


     k) we are ready now to configure VIP

        - add a new Pool with 2 members: Menu: Local Traffic->Virtual Server->Pools select Add
        - add a new name PoolOfServers (example)
        - select http Healt Monitor
        - fill data of the 1st application server: node name: Server1, Address: 192.168.175.133, Port: 80        
        - click Add in the New Members section
        - repeat the same with 2nd server (192.168.175.134)
        - click Finished
        - add VIP: menu: Local Traffic->Virtual Servers->Virtual Server List and click Create
        - add: Name: VIP-test1, Address: 192.168.80.150, Service Port: 80, HTTP profile: http, default pool: PoolOfServers
        - click Finished
       
 
---------------------------------------------------------------------------------------------

Now you should be able to test the VIP (192.168.80.150) but your client should be in Vmnet1 in my case (192.168.80.0/24)

If you have any problems with understanding or something is unclear just let me know. I'll try to help you.

---------------------------------------------------------------------------------------------

Wednesday, February 3, 2016

IKEv1 aggresive mode

I know that IKEv2 is getting popular but still IKEv1 has a huge presence in production networks. There are many reasons but I’m not going to focus on them. I would rather focus on one issue I see from time to time: ikev1 and an aggressive mode. Just to remind you, there are two modes of ikev1: aggressive and main. The first one is much faster, only three messages are exchanged, but it isn’t secure as the main mode (with six messages). The main problem with the aggressive mode is the first two messages  contain data which may help to perform attack on your VPN.

For this test I set up VPN on ASA with ‘aggressive mode’ enabled:

ciscoasa# sh run crypto
crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
crypto map MAPA 10 match address ACL
crypto map MAPA 10 set peer 192.168.111.128
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface inside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ciscoasa#
ciscoasa# sh run tunnel
tunnel-group 192.168.111.128 type ipsec-l2l
tunnel-group 192.168.111.128 ipsec-attributes
 ikev1 pre-shared-key *****
ciscoasa#

To be 100% sure the aggressive mode is enabled:

ciscoasa(config)# no crypto ikev1 am-disable

There is one tool, quite old but still very useful: ike-scan  



Let’s try to scan my ASA:

 
 

You can use the flag ‘-P’ to see hash of the PSK:



The flag ‘-P’ is valid only with the aggressive mode as the main mode doesn’t reply with hash in 2nd message. You can also save the hash directly to the file (‘-Pfilename.txt), what is useful when you run a script:



 As we can see the file contain the hash:

  
Then we can use another tool (psk-crack) to decode the hash. It took just 10 minutes to find the pre-share-key:



As you can see it didn’t take too much time to find out what is your PSK.  I know my PSK was simple but you can use a dictionary attack on much powerful machine. One lesson from today’s lab: never use the aggressive mode and migrate to PKI if possible.