I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN. We set it up and it seemed to work fine. Then it was noticed that is a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (The tunnel interface remained line up/protocol down). We recreated the problem in our lab and it consistently failed. We moved the tunnel to an IOS router and that wasn’t affected.
It was eventually revealed that apparently, PBR is handled differently in IOS-XE and IOS routers.
The problem occurs when a route-map is attached to an interface with only a “set” operation and no “match” (When there is no match specified there is an implicit “match any any”) OR when a match “any any” is used. Read more…
Here’s a tip to become alerted when an interface is down (in this case a VPN tunnel). The script can be adapted to look for any pattern in the syslog and send a triggered email message:
event manager environment _ifDown_rcpt somebody@somewhere.com
event manager session cli username “admin”
event manager applet MailOnIfDown
event syslog occurs 1 pattern “%LINEPROTO-5-UPDOWN.* Tunnel” period 1
action 1.0 mail server “smtp-server@somewhere.com” to “$_ifDown_rcpt” from “router-hostname@somewhere.com” subject “DON’T PANIC – Tunnel Changed State!” body “$_syslog_msg”
!
end
Read more…
This recipe describes a simple method to send DHCP bindings from a Cisco router to a remote TFTP server running on Windows. A batch file renanes and date-stamps the file and another batch file removes the archived files after a retention period:
EEM SCRIPT ON CISCO ROUTER:
(Note: the cron entry sends the file every 5 minutes)
event manager session cli username “your_username” (NOTE: this is required if tacacs+ is running on the router)
event manager applet copy-dhcp-bindings
event timer cron cron-entry “*/5 * * * * ”
action 0.5 cli command “enable”
action 1.0 cli command “show ip dhcp binding | redirect tftp://[ip_address]/bindings.txt”
!
end Read more…
This recipe describes how to use SNMP to determine the traffic offered and drop rate for a QoS policy configured on a Cisco router.
The steps here describe which OIDs to interrogate in the CISCO-CLASS-BASED-QOS-MIB
STEP 1:
Get the SNMP ifIndex for the interface where the QoS policy is attached:
CiscoRouter#sh snmp mib ifmib ifindex | i GigabitEthernet0/1
GigabitEthernet0/1: Ifindex = 22
(or by using SNMP):
root@Linux# snmpwalk -v2c -c communityname 10.0.200.12 1.3.6.1.2.1.2.2 | grep -i GigabitEthernet0/1
RFC1213-MIB::ifDescr.22 = STRING: “GigabitEthernet0/1” Read more…
To locate a VM Host on a Cisco switch, enable the sending of CDP (Cisco Discovery Protocol) packets on the VMWare host, the syntax is:
# esxcli network vswitch standard set –c both –v vSwitch# (Note: Replace # with the vSwitch number)
In ESXCLI 5.1, you can now retrieve additional network statistics at a physical NIC (vmnic), on a per VLAN (portgroup) which needs to be configured and on a per VM port (vNIC). Here is a quick diagram to help you visualize where you can retrieve network statistics: Read more…
IOS:
show snmp mib ifmib ifindex
IOS XR:
show snmp interface Read more…
First implemented by the National Security Agency (NSA) in 1993, the Secure Hashing Algorithm (SHA) is used by certification authorities such as Verisign and Thawte to sign certificates and Certificate Revocation Lists. SHA is used to generate unique hash values from files.
This is the SHA-1 hash fingerprint from the bbc.co.uk website:
root@raspberrypi:/# echo | openssl s_client -connect bbc.co.uk:443 2>/dev/null | openssl x509 -fingerprint -noout
SHA1 Fingerprint=EA:D2:F2:79:18:A0:CD:2B:10:3B:12:01:CF:B1:9E:CC:AF:0F:28:0C
SHA versions:
- SHA0 Obsoleted
- SHA1 Currently the most widely implemented
- SHA2 Stronger than SHA-1 due to longer hash (SHA224, SHA256, SHA384 and SHA512)
As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates. Google began phasing out trust in SHA-1 certificates in November 2014. Read more…
show run | i ^interface|^_ip address
! Gives you the every line in your running config that starts with (that’s what the ^ is all about) “interface” or ” ip address”, essentially giving you all of your interface IP’s in an IOS-pastable format. The underscore represents a space. Useful for displaying IP addresses with their associated masks and interfaces. Read more…
nMap uses a list of “default” applications in the nmap services file, used to list services running on scanned open ports. To see the “real” application execute nMap using the “-sV” option. Read more…
Following on from the brief personal aide-memoir: OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use this as a CA, to sign other certificates. This is because the term “Self signed certificate” is really incorrect, the proper phrase ought to be “Being your own Certificate Authority”, (or CA)
– You have the “root key”
– And you can “sign” other certificates
Read more…