Sunday 25 August 2019

SSH Configuration Examples in Cisco (IOS, IOS-XE, NX-OS, IOS-XR) and Juniper (JunOS)



Here are the configuration examples, where:
192.168.100.100 = Jumphost IP (the only IP allowed to SSH into the device)

Note that a Junos firewall filter ends with an implicit discard, so a filter such as PROTECT-ENGINE must also accept the other traffic the routing engine needs (or the terms below must be added to an existing filter) before it is applied to lo0.

Juniper

system {
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 5;
        }
    }
}

policy-options {
    prefix-list ALLOWED-IP {
        192.168.100.100/32;
    }
}

firewall {
    family inet {
        filter PROTECT-ENGINE {
            term PERMIT-SSH {
                from {
                    source-prefix-list {
                        ALLOWED-IP;
                    }
                    protocol tcp;
                    port ssh;
                }
                then {
                    count PERMIT-SSH;
                    accept;
                }
            }
            term DENY-SSH {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count DENY-SSH;
                    discard;
                }
            }
        }
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-ENGINE;
                }
            }
        }
    }
}

Set format:
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5

set policy-options prefix-list ALLOWED-IP 192.168.100.100/32

set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from port ssh
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then count PERMIT-SSH
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then accept

set firewall family inet filter PROTECT-ENGINE term DENY-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term DENY-SSH from destination-port ssh
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then count DENY-SSH
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then discard

set interfaces lo0 unit 0 family inet filter input PROTECT-ENGINE


Cisco:

Prerequisites for configuring SSH on Cisco devices include SSH key generation; please refer to the Cisco official documentation.
command: crypto key generate rsa

Preferably generate an RSA key of at least 2048 bits; if that is not possible, use no fewer than 1024 bits.

IOS:
ip ssh version 2
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 password 7 01234ABC
 login authentication VTY
 transport input ssh

access-list 101 permit tcp host 192.168.100.100 any eq 22


IOS-XE:
ip ssh version 2
login quiet-mode access-class SSH-ACL
ip access-list extended SSH-ACL
 permit tcp host 192.168.100.100 any eq 22
 deny   tcp any any eq 22

line vty 0 4
 access-class SSH-ACL in
 exec-timeout 5 0
 password 7 01234ABCDEF
 login authentication VTY
 transport input ssh


NEXUS OS:
feature ssh
interface mgmt0
  vrf member management
  ip access-group acl_101 in

ip access-list acl_101
  10 permit tcp 192.168.100.100/32 any eq 22
  20 deny ip any any log


IOS-XR:
ssh client source-interface Loopback0
ssh server v2
!
line template VTYTEMPLATE
 secret 5 $encryptedlocalpass
 users group root-system
 users group cisco-support
 accounting exec VTY
 accounting commands VTY
 authorization exec VTY
 authorization commands VTY
 login authentication VTY
 exec-timeout 5 0
 access-class ingress SSH-VTY
 transport input ssh
!
vty-pool default 0 4 line-template VTYTEMPLATE

or (simpler):
line default
 secret 5 $encryptedlocalpass
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-VTY
 session-timeout 5
 transport input ssh
!
ipv4 access-list SSH-VTY
 10 permit tcp host 192.168.100.100 any eq ssh
 20 deny ipv4 any any log
!
control-plane
 management-plane
  inband
   interface all
    allow SSH peer
     address ipv4 192.168.100.100
    !
   !
  !
 !
!
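As an added example (not from the original post), here is a small Python audit that checks an IOS-style configuration for the vty hardening points shown above: SSH v2 enabled, transport limited to SSH, an idle exec-timeout, and an access-class whose permit entries are scoped to the jumphost. The embedded config text is the IOS snippet from this page; the function and dictionary key names are this example's own.

```python
import re

# Test input: the IOS SSH snippet from this page, embedded so the audit runs offline.
IOS_CONFIG = """\
ip ssh version 2
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 password 7 01234ABC
 login authentication VTY
 transport input ssh
!
access-list 101 permit tcp host 192.168.100.100 any eq 22
"""

JUMPHOST = "192.168.100.100"


def vty_blocks(config):
    """Yield (header, [child lines]) for every 'line vty ...' block in the config."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def acl_permits_only_host(config, acl, host):
    """True if numbered ACL `acl` has permit entries and every one is scoped to `host`."""
    pattern = r"^access-list %s permit (.*)$" % re.escape(acl)
    permits = re.findall(pattern, config, re.M)
    return bool(permits) and all("host %s" % host in p for p in permits)


def audit_vty(config, jumphost=JUMPHOST):
    """Return findings per vty line; every value is True on a hardened device."""
    findings = {"ssh_v2": "ip ssh version 2" in config.splitlines()}
    for header, body in vty_blocks(config):
        acl = next((b.split()[1] for b in body if b.startswith("access-class")), None)
        findings[header] = {
            "transport_ssh_only": "transport input ssh" in body,
            # 'exec-timeout 0 0' disables the idle timeout entirely
            "exec_timeout_set": any(b.startswith("exec-timeout") and b != "exec-timeout 0 0"
                                    for b in body),
            "access_class_present": acl is not None,
            "acl_scoped_to_jumphost": acl is not None
                                      and acl_permits_only_host(config, acl, jumphost),
        }
    return findings


if __name__ == "__main__":
    for key, value in audit_vty(IOS_CONFIG).items():
        print(key, value)
```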

TACACS+ (AAA) Configuration in Juniper and Cisco (IOS-XR, IOS-XE, IOS, NX-OS)

Configuring Juniper and Cisco devices to authenticate (and also authorize and account) against a TACACS+ server.

10.10.10.10 = TACACS+ AAA server
20.20.20.2 = Loopback IP (source address for TACACS+ traffic)

Juniper:

system {
    host-name JUNIPER-ROUTER1;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.10 {
            secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
            single-connection;
            source-address 20.20.20.2;
        }
    }
    accounting {
        events interactive-commands;
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
                        single-connection;
                        source-address 20.20.20.2;
                    }
                }
            }
        }
    }
}

firewall {
    family inet {
        filter FIREWALL-RE {
            /* TRUSTED TACACS */
            term TACACS-ACL {
                from {
                    source-address {
                        10.10.10.10/32;
                        20.20.20.2/32;
                    }
                    protocol tcp;
                    port tacacs;
                }
                then {
                    count TACACS-ACL;
                    accept;
                }
            }
        }
    }
}

In set format:

set system host-name JUNIPER-ROUTER1
set system authentication-order tacplus
set system authentication-order password
set system root-authentication encrypted-password "$r00tp44sw0rdh3r3/1"
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"
set system accounting destination tacplus server 10.10.10.10 single-connection
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2


set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 20.20.20.2/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then count TACACS-ACL
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept



Cisco:

IOS:

aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 10.10.10.10 single-connection
tacacs-server key 7 1234567890
ip tacacs source-interface Loopback0


IOS-XE:
aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs server TACACS-SERVER
 address ipv4 10.10.10.10
 key 7 1234567890

ip tacacs source-interface Loopback0


NEXUS OS:
feature tacacs+
tacacs-server host 10.10.10.10 key 7 "tacacs_pass"
aaa group server tacacs+ tacacs
    server 10.10.10.10
ip tacacs source-interface mgmt0
tacacs+ distribute

aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs


IOS-XR:
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands VTY start-stop group tacacs+
aaa authorization exec VTY group tacacs+ none
aaa authorization commands VTY group tacacs+ none
aaa authentication login VTY group tacacs+ line local

tacacs source-interface Loopback0 vrf default
tacacs-server host 10.10.10.10 port 49
 key 7 1234567890123456789

Static Route Configuration Examples in Cisco (IOS-XR) and Juniper for BGP aggregated prefix advertisements


To advertise aggregated routes (and default routes) via BGP, the prefix must exist in the routing table; that is rule #1. If the summarized routes (e.g. a /16) do not exist and only smaller subnets are learned via the IGP (e.g. OSPF or IS-IS), configure a static route for the summary with a discard next hop (Null0 on Cisco, discard on Juniper).

Juniper:

routing-options {
    graceful-restart;
    rib inet6.0 {
        static {
            route fd41:c8be:2153:f400::/64 discard;
            route ::0/0 {
                discard;
                no-install;
            }
        }
    }
    static {
        route 172.16.0.0/16 discard;
        route 0.0.0.0/0 {
            discard;
            no-install;
        }
    }
}

In display set format:

set routing-options graceful-restart
set routing-options rib inet6.0 static route fd41:c8be:2153:f400::/64 discard
set routing-options rib inet6.0 static route ::0/0 discard
set routing-options rib inet6.0 static route ::0/0 no-install

set routing-options static route 172.16.0.0/16 discard
set routing-options static route 0.0.0.0/0 discard
set routing-options static route 0.0.0.0/0 no-install


Cisco (IOS-XR):

router static
 address-family ipv4 unicast
  0.0.0.0/0 Null0
  172.16.0.0/16 Null0
 !
 address-family ipv6 unicast
  ::/0 Null0
  fd41:c8be:2153:f400::/64 Null0
 !
!

In formal:
router static address-family ipv4 unicast 172.16.0.0/16 Null0
router static address-family ipv4 unicast 0.0.0.0/0 Null0
router static address-family ipv6 unicast ::/0 Null0
router static address-family ipv6 unicast fd41:c8be:2153:f400::/64 Null0
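Rule #1 above can be checked before a change window. The following Python is an added example (not from the original post) that, given the prefixes listed in BGP network statements and a simplified RIB listing, reports which prefixes lack an exact-match route and so would not be advertised, and which more-specifics the IGP holds inside them. The RIB lines are constructed sample data in a "prefix protocol" format of this example's own, not real router output.

```python
import ipaddress

# Constructed sample RIB ("prefix protocol"): only IGP-learned routes exist, as in
# the scenario above, before any discard/Null0 static is added.
RIB_BEFORE = [
    "172.16.1.0/24 ospf",
    "172.16.2.0/24 ospf",
    "10.1.0.0/16 isis",
    "fd41:c8be:2153:f401::/64 isis",
]

# The same RIB after the discard/Null0 statics from this page are configured.
RIB_AFTER = RIB_BEFORE + [
    "172.16.0.0/16 static",
    "0.0.0.0/0 static",
    "fd41:c8be:2153:f400::/64 static",
    "::/0 static",
]

# Prefixes the BGP 'network' statements are meant to originate.
ORIGINATED = ["172.16.0.0/16", "0.0.0.0/0", "fd41:c8be:2153:f400::/64", "::/0"]


def parse_rib(lines):
    """Map each prefix to the protocol that installed it."""
    rib = {}
    for line in lines:
        prefix, proto = line.split()
        rib[ipaddress.ip_network(prefix)] = proto
    return rib


def origination_check(network_statements, rib_lines):
    """For every prefix to be originated, report whether an exact-match route
    exists (BGP will advertise it) and list the more-specific routes inside it.
    An aggregate that merely covers more-specifics is NOT advertised."""
    rib = parse_rib(rib_lines)
    report = {}
    for stmt in network_statements:
        net = ipaddress.ip_network(stmt)
        more_specific = sorted(str(p) for p in rib
                               if p.version == net.version and p != net and p.subnet_of(net))
        report[stmt] = {
            "advertised": net in rib,
            "protocol": rib.get(net),
            "more_specifics": more_specific,
        }
    return report


def missing_statics(network_statements, rib_lines):
    """Prefixes that still need a 'static route ... discard' / '... Null0' entry."""
    return [p for p, r in origination_check(network_statements, rib_lines).items()
            if not r["advertised"]]


if __name__ == "__main__":
    print("needs static before:", missing_statics(ORIGINATED, RIB_BEFORE))
    print("needs static after:", missing_statics(ORIGINATED, RIB_AFTER))
```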


Originating BGP advertisements and BGP community tagging (Juniper and Cisco (IOS-XR) configuration)

BGP route origination can be configured on any router that has an iBGP peering. Here is a sample configuration for originating BGP routes and tagging them with a community on Cisco and Juniper.

Assume these are the summarized prefixes you want to advertise via BGP:
111.111.0.0/16
222.222.0.0/16


Juniper:

routing-options {
    graceful-restart;
    router-id 1.1.1.1;
    autonomous-system 11111;
}

protocols {
    bgp {
        group RR-IBGP {
            type internal;
            description RR-IPv4;
            local-address 192.168.100.6;
            family inet {
                unicast;
            }
            authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"; ## SECRET-DATA
            export bgp-statement;
            neighbor 192.168.100.5 {
                description "iBGP to Route Reflector";
            }
        }
    }
}

policy-options {
    policy-statement bgp-statement {
        term SITE1 {
            from {
                route-filter 111.111.0.0/16 exact;
                route-filter 222.222.0.0/16 exact;
            }
            then {
                community add SITE1;
                accept;
            }
        }
    }
    community SITE1 members 12345:111;
}


In display set:
set routing-options graceful-restart
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 11111

set protocols bgp group RR-IBGP type internal
set protocols bgp group RR-IBGP description RR-IPv4
set protocols bgp group RR-IBGP local-address 192.168.100.6
set protocols bgp group RR-IBGP family inet unicast
set protocols bgp group RR-IBGP authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"
set protocols bgp group RR-IBGP export bgp-statement
set protocols bgp group RR-IBGP neighbor 192.168.100.5 description "iBGP to Route Reflector"

set policy-options policy-statement bgp-statement term SITE1 from route-filter 111.111.0.0/16 exact
set policy-options policy-statement bgp-statement term SITE1 from route-filter 222.222.0.0/16 exact
set policy-options policy-statement bgp-statement term SITE1 then community add SITE1
set policy-options policy-statement bgp-statement term SITE1 then accept

set policy-options community SITE1 members 12345:111


Cisco (IOS-XR):

prefix-set SITE1
  111.111.0.0/16,
  222.222.0.0/16
end-set

route-policy bgp-statement
  if destination in SITE1 then
    set community (12345:111)
  endif
end-policy

router bgp 11111
 nsr
 bgp router-id 1.1.1.1
 bgp graceful-restart
 address-family ipv4 unicast
  network 111.111.0.0/16
  network 222.222.0.0/16
 !
 neighbor-group RR-IBG
  remote-as 11111
  password encrypted 2185073C7B74154C
  description RR IBGP GROUP IPV4
  update-source Loopback0
  address-family ipv4 unicast
   soft-reconfiguration inbound
  !
 !
 neighbor 192.168.100.5
  use neighbor-group RR-IBG
  description RR-IPv4
  address-family ipv4 unicast
   route-policy iBGP-policy-in in
   route-policy bgp-statement out
  !
 !
!

Note that an IOS-XR route-policy drops every route it does not explicitly pass (a matching set counts as a pass), so bgp-statement as written advertises only the two SITE1 prefixes to the route reflector. This differs from the Juniper policy-statement above, where routes not matched by term SITE1 fall through to the default BGP export policy.


In formal:

prefix-set SITE1
  111.111.0.0/16,
  222.222.0.0/16
end-set

route-policy bgp-statement
  if destination in SITE1 then
    set community (12345:111)
  endif
end-policy


router bgp 11111 nsr
router bgp 11111 bgp router-id 1.1.1.1
router bgp 11111 bgp graceful-restart
router bgp 11111 address-family ipv4 unicast
router bgp 11111 address-family ipv4 unicast network 111.111.0.0/16
router bgp 11111 address-family ipv4 unicast network 222.222.0.0/16
router bgp 11111 neighbor-group RR-IBG
router bgp 11111 neighbor-group RR-IBG remote-as 11111
router bgp 11111 neighbor-group RR-IBG password encrypted 2185073C7B74154C
router bgp 11111 neighbor-group RR-IBG description RR IBGP GROUP IPV4
router bgp 11111 neighbor-group RR-IBG update-source Loopback0
router bgp 11111 neighbor-group RR-IBG address-family ipv4 unicast
router bgp 11111 neighbor-group RR-IBG address-family ipv4 unicast soft-reconfiguration inbound
router bgp 11111 neighbor 192.168.100.5
router bgp 11111 neighbor 192.168.100.5 use neighbor-group RR-IBG
router bgp 11111 neighbor 192.168.100.5 description RR-IPv4
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast route-policy iBGP-policy-in in
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast route-policy bgp-statement out

Tuesday 20 August 2019

Fixing IOU Keygen Error (Running IOS on Linux in EVE-NG)

If you keep getting the following error when generating the license key for IOL (IOS On Linux, also called IOU or IOS On Unix) in EVE-NG:

darwin@eve-ng:/$ cd /opt/unetlab/addons/iol/bin

darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51
Traceback (most recent call last):
  File "./keygen.py", line 18, in <module>
    md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
struct.error: 'i' format requires -2147483648 <= number <= 2147483647

Step 1: Modify the Python script, changing the struct format from i (signed 32-bit) to L (unsigned 32-bit); an ioukey such as 0xbada0e51 is above the signed range, which is what the traceback reports.
From: md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
To:   md5input=iouPad1 + iouPad2 + struct.pack('!L', ioukey) + iouPad1

Run again:
darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51

Add the following text to ~/.iourc:
[license]
eve-ng = f2630dfba88daedd;

You can disable the phone home feature with something like:
 echo '127.0.0.127 xml.cisco.com' >> /etc/hosts

Step 2: Enter the license key in the "iourc" file:
vi iourc

[license]
eve-ng = f2630dfba88daedd;


Step 3: Test IOL

darwin@eve-ng:/opt/unetlab/addons/iol/bin$ LD_LIBRARY_PATH=/opt/unetlab/addons/iol/lib /opt/unetlab/addons/iol/bin/i86bi-linux-l3-adventerprisek9-15.4.2T.bin 1
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers.  To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706


Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(2)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 27-Mar-14 01:08 by prod_rel_team


This product contains cryptographic features and is subject to United
--omitted lines --

Configuring Port Monitoring in Cisco Catalyst 4948 (via network optical tap)


SPAN mirrors received or transmitted (or both) traffic on one or more source ports to a destination port for analysis.
A copy of the packets received or sent by the source interfaces is sent to the destination interface.

Prerequisites:

You need to understand how an optical tap works; here is some useful background (credit to the owners):
Link: https://community.fs.com/blog/do-you-know-about-optical-tap-test-access-point-cassettes.html

https://en.wikipedia.org/wiki/Network_tap#/media/File:Optical-tap-schema-wiki.gif

Setup:
Cisco Catalyst 4948
2 Routers connected via Optical Tap

Network Diagram:

Step 1: Connect the links physically as per the diagram above. Connect a UTP cable from the switch to the PC's Ethernet port.

Step 2: Configure the 4948 switch
Cisco 4948 Configuration:
4948#conf t
interface TenGigabitEthernet1/49
 description 10GE Conn to Router1 (via optical tap)
 switchport access vlan 100
 switchport mode access
 ip access-group dhcp-traffic in
 load-interval 30
 udld port disable
 no cdp enable
 no shutdown
!
interface TenGigabitEthernet1/50
 description 10GE Conn to Switch1 (via optical tap)
 switchport access vlan 200
 switchport mode access
 ip access-group dhcp-traffic in
 udld port disable
 no cdp enable
 no shutdown

interface GigabitEthernet1/47
 description GE Connection to RemoteServer
 load-interval 30
 spanning-tree bpdufilter enable
 no shutdown

monitor session 15 source interface Te1/49 - 50
monitor session 15 destination interface Gi1/47
monitor session 15 filter packet-type good rx
monitor session 15 filter ip access-group dhcp-traffic


[Optional]
If you want to capture only certain traffic, e.g. DHCP, configure an ACL and apply it on the interfaces and the monitor session accordingly (the ACL below also passes DNS):
ip access-list extended dhcp-traffic
 permit udp any eq domain any
 permit udp any any eq domain
 permit udp any range bootps bootpc any range bootps bootpc
 deny   ip any any


Step 3: Verify the configuration and traffic. The destination port status should be "monitoring".

4948-Switch#show monitor session all
Session 15
----------
Type                   : Local Session
Source Ports           :
    Both               : Te1/49-52
Destination Ports      : Gi1/47
    Encapsulation      : Native
          Ingress      : Disabled
         Learning : Disabled
Filter Pkt Type        :
    RX Only       : Good
IP Access-group        : dhcp-traffic


4948-Switch#show int gi1/47
GigabitEthernet1/47 is up, line protocol is down (monitoring)
  Hardware is Gigabit Ethernet Port, address is 649e.f3ec.0b6e (bia 649e.f3ec.0b6e)
  Description: GE Connection to RemoteServer
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is on, output flow-control is on
  Auto-MDIX on (operational: on)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

Step 4: Once traffic is confirmed, open a packet analyzer such as Wireshark or tcpdump on the PC.
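Step 4 is simpler when the capture filter on the PC matches the ACL the switch applies to the SPAN session. The following Python is an added example (not from the original post) that translates an IOS extended ACL of the kind shown above into an equivalent tcpdump/BPF expression; it goes slightly beyond the page's ACL by handling host address specs and tcp entries as well, and treats a trailing deny ip any any as BPF's implicit drop. The dhcp-traffic ACL is copied from this page as the embedded input; the helper names are this example's own.

```python
# Input: the dhcp-traffic ACL from this page, embedded so the example runs offline.
ACL_TEXT = """\
ip access-list extended dhcp-traffic
 permit udp any eq domain any
 permit udp any any eq domain
 permit udp any range bootps bootpc any range bootps bootpc
 deny   ip any any
"""

# IOS port keywords used on this page, mapped to numeric ports for BPF.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_endpoint(tokens, i):
    """Consume 'any' | 'host A.B.C.D' plus an optional 'eq P' | 'range P Q'.
    Returns (host_or_None, bpf_port_clause_or_None, next_index)."""
    if tokens[i] == "any":
        host, i = None, i + 1
    elif tokens[i] == "host":
        host, i = tokens[i + 1], i + 2
    else:
        raise ValueError("unsupported address spec: %s" % tokens[i])
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = "port %d" % _port(tokens[i + 1]), i + 2
    elif i < len(tokens) and tokens[i] == "range":
        port, i = "portrange %d-%d" % (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return host, port, i


def acl_to_bpf(acl_text):
    """Translate permit entries into one BPF expression. Only a trailing
    'deny ip any any' is accepted, because BPF cannot express ordered denies."""
    clauses = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                          # header line or blank
        if tokens[0] == "deny":
            if tokens[1:] != ["ip", "any", "any"]:
                raise ValueError("cannot translate ordered deny: " + line.strip())
            continue                          # implicit in BPF: unmatched packets drop
        proto = tokens[1]
        src, sport, i = _parse_endpoint(tokens, 2)
        dst, dport, i = _parse_endpoint(tokens, i)
        parts = [] if proto == "ip" else [proto]
        if src:
            parts.append("src host " + src)
        if sport:
            parts.append("src " + sport)
        if dst:
            parts.append("dst host " + dst)
        if dport:
            parts.append("dst " + dport)
        clauses.append("(" + " and ".join(parts or ["ip"]) + ")")
    return " or ".join(clauses)


if __name__ == "__main__":
    print(acl_to_bpf(ACL_TEXT))
```

The printed expression can be passed directly to tcpdump as its filter argument.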

Monday 19 August 2019

Isolating IGP (OSPF & ISIS) traffic by increasing Metric in IOS-XR routers

@OSPF

Set the max-metric in OSPF and OSPFv3 in IOS-XR devices:

RP/0/RSP0/CPU0:IOS-XR(config)#router ospf 65555
 max-metric router-lsa external-lsa
 !
router ospfv3 65555
 stub-router router-lsa v6-bit
  always

Save the changes:
RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify:
show ospf database

@ISIS

Set the IS-IS overload bit, which steers transit traffic away from the router in the same way:

router isis XXXX
 set-overload-bit

Save the changes:
RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify:
show isis database