
Cisco Spanning Tree Scalability

January 12th, 2012 | No Comments

A colleague (Twitter: @Toonieh) mentioned spanning-tree scalability in a Cisco network. He had an article about this matter; all the credit for this post goes to him. I found the article on the internet and post it here to be able to find it quickly.

In a Layer 2 looped topology design, spanning tree processing instances are created on each interface for each active VLAN. These logical instances are used by the spanning tree process in processing the spanning tree-related packets for each VLAN. These instances are referred to as active logical ports and virtual ports. Both active logical ports and virtual ports are important values to consider in spanning tree designs because they affect STP convergence time and stability. These values are usually only of concern on the aggregation layer switches because they typically have a larger number of trunks and VLANs configured than other layers in the data center topology.

Click here for the original article

Cisco ASA – Reset TCP connection

August 22nd, 2011 | No Comments

“Normal” TCP applications use a three-way handshake to establish a session. After the data has been sent, the session is closed. Some legacy applications don’t always close a TCP session. They keep the session open, even when it has been idle for a long time (2+ hours). When the session is idle and a client wants to send data, the client sends a PSH packet followed by the new data. Both stations use the original session information to maintain the connection.

This behavior is problematic when components like firewalls are along the path between the two clients. A Cisco ASA firewall, for example, automatically flushes a TCP session when it has been idle for 1 hour. When the clients start sending data after an idle period of 1 hour, starting with a PSH segment, the firewall no longer recognizes the session and drops the traffic. Both clients need to flush / restart their TCP session to establish a new, valid session through the firewall.

The Cisco ASA firewall has the option to change the default idle timers and even to send a reset (RST) to both clients when the idle timer expires. The Reset bit in TCP is designed to allow a client to abort / terminate the TCP session with another client. This forces both clients to establish a new session, which is learned and maintained by the firewall. This prevents a session from getting dropped in the firewall when it’s idle for more than one hour.

To configure a TCP reset you need to specify the “interesting” traffic for a reset through an access-list and specify the reset parameters via a policy-map, as shown below.

access-list reset_tcp extended permit ip 192.168.10.0 255.255.255.0 host 10.10.10.205
!
class-map cm_reset_tcp
match access-list reset_tcp
!
policy-map global_policy
class cm_reset_tcp
set connection timeout idle 0:15:00 reset

The configuration snippet resets a connection between the network 192.168.10.0/24 and the host 10.10.10.205 when it has been idle for 15 minutes. The sessions are initiated by the remote network. You can view the connection parameters with the show conn command.

fw01# show conn address 192.168.10.2 address 10.10.10.205 detail
TCP DMZ:192.168.10.2/31731 Inside:10.10.10.205/4000,
flags UIOB, idle 3m11s, uptime 51m56s, timeout 15m0s, bytes 165157

The output shows the configured idle timeout of 15 minutes, the current idle time and the uptime of the connection.
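As an added example (not part of the original post), here is a small Python parser for the two-line-per-connection output of show conn detail, of the kind shown above. It converts the ASA duration strings to seconds and reports the connections whose idle time is within a minute of the configured timeout, i.e. the ones the firewall is about to tear down (and, with the reset keyword on the policy, reset). The sample output is constructed for the example; only the first connection is modelled on the line in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'show conn ... detail' lines in the post;
# the second and third connections are made up to exercise the check.
SAMPLE_SHOW_CONN = """\
TCP DMZ:192.168.10.2/31731 Inside:10.10.10.205/4000,
flags UIOB, idle 3m11s, uptime 51m56s, timeout 15m0s, bytes 165157
TCP DMZ:192.168.10.7/40211 Inside:10.10.10.205/4000,
flags UIOB, idle 14m02s, uptime 2h03m, timeout 15m0s, bytes 9912
UDP DMZ:192.168.10.9/5060 Inside:10.10.10.50/5060,
flags -, idle 0s, uptime 5m10s, timeout 2m0s, bytes 300
"""

# ASA durations look like "3m11s", "2h03m" or "0s": each unit is optional, order h, m, s.
_DURATION = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

# First line of each connection: protocol, then <interface>:<ip>/<port> for both ends.
_CONN = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+)\s+"
    r"(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+),?$"
)


@dataclass
class Conn:
    proto: str
    src: str       # "<interface>:<ip>/<port>"
    dst: str
    flags: str
    idle: int      # seconds
    uptime: int    # seconds
    timeout: int   # seconds, the configured idle timeout
    bytes: int


def parse_duration(text):
    """Convert an ASA duration string such as '3m11s' or '2h03m' to seconds."""
    m = _DURATION.match(text)
    if not text or not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_show_conn(text):
    """Parse the two-line-per-connection output of 'show conn detail'.
    Lines that are neither an address line nor a 'flags' line are ignored."""
    conns, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CONN.match(line)
        if m:
            header = m  # remember the address line; the detail line follows
            continue
        if line.startswith("flags") and header is not None:
            # "flags UIOB, idle 3m11s, uptime 51m56s, timeout 15m0s, bytes 165157"
            fields = dict(item.partition(" ")[::2] for item in line.split(", "))
            conns.append(Conn(
                proto=header["proto"],
                src=f"{header['src_if']}:{header['src']}/{header['sport']}",
                dst=f"{header['dst_if']}:{header['dst']}/{header['dport']}",
                flags=fields["flags"],
                idle=parse_duration(fields["idle"]),
                uptime=parse_duration(fields["uptime"]),
                timeout=parse_duration(fields["timeout"]),
                bytes=int(fields["bytes"]),
            ))
            header = None
    return conns


def expiring_soon(conns, within_seconds=60):
    """Connections whose idle time is within `within_seconds` of the configured
    idle timeout: these are the ones the ASA is about to drop (or reset)."""
    return [c for c in conns if c.timeout - c.idle <= within_seconds]


if __name__ == "__main__":
    for c in expiring_soon(parse_show_conn(SAMPLE_SHOW_CONN)):
        print(f"{c.proto} {c.src} -> {c.dst}: idle {c.idle}s of {c.timeout}s")
```

Run it against a pasted show conn detail capture to see which long-lived application sessions are about to hit the policy's idle timer; in the constructed sample only the second connection (idle 14m02s of 15m0s) is reported.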

Cisco 888G with KPN 3G connection

August 4th, 2011 | No Comments

Something I don’t see and don’t do very often is the configuration of a router with a 3G connection, so this blog post is meant to help me when configuring future connections. For today’s configuration I am using the Dutch carrier KPN to establish the 3G connection. As hardware I am using a Cisco 888G router with a PCEX-3G-HSPA-G module. The most difficult part of the configuration is retrieving the correct provider information. For this KPN connection the following credentials are used:

- APN name: fastinternet
- PPP CHAP username: <empty>
- PPP CHAP password: <empty>
- DNS: ns1.kpn-gprs.nl (62.133.126.28) & ns2.kpn-gprs.nl (62.133.126.29)

Don’t forget to use the above DNS servers when using a 3G connection from KPN. All other DNS servers, including Google’s DNS servers, won’t work.

The SIM card is locked by default with a PIN code, so I first needed to unlock the SIM card. Unlocking the SIM is done with the following command:

router#cellular 0 gsm sim unlock <pin code>

The next thing to do is to create a GSM modem profile. With modem profiles you can configure different profiles with different APN, authentication, username and password combinations. For my connection I only need to specify the APN name, as shown below:

router#cellular 0 gsm profile create 1 fastinternet

Another important step is the configuration of a chat-script. The chat-script defines the Attention Dial Tone (ATDT) commands sent to the modem when the dialer is initiated. For GSM connections, the script always has the following syntax:

router(config)#chat-script <script name> "" "ATDT*99*<modem profile number>#" TIMEOUT <timeout value> CONNECT

Getting back to my configuration I configured the following chat-script:

router(config)#chat-script gsm-chat-script "" "ATDT*99*1#" TIMEOUT 30 "CONNECT"

Next you need to configure regular dial-on-demand routing (DDR) for the cellular interface. My cellular interface is used as the primary internet connection, so I included the necessary NAT statements on the interfaces.

interface Cellular0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer pool-member 1
async mode interactive

!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string gsm-chat-script
dialer persistent
ppp chap hostname <APN name>
ppp chap password 0 <provider password>
ppp ipcp dns request
no cdp enable

!
dialer-list 1 protocol ip permit

The last two steps are the configuration of a default route and the line configuration. I configure a regular default route with the Dialer1 interface as next-hop interface. The line configuration includes the following commands for the KPN connection.

line 3
script dialer gsm-chat-script
modem InOut
no exec
rxspeed 7200000
txspeed 5760000

That’s it. Just configure a routed or VLAN interface, add some NAT and ACL statements and you are ready to go. You can use the various

show cellular 0 <commands>

commands for troubleshooting or information about your connection.
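The same chat-script name and dialer pool number have to agree across the chat-script, the Cellular0 and Dialer1 interfaces and the line, and the modem profile number dialled in the ATDT string has to be one that was actually created. As an added example (not from the post or from Cisco), the Python below cross-checks those references in a running-config fragment. The config text is constructed after the post's configuration; the set of created modem profiles is passed in separately because cellular 0 gsm profile create is an exec command that does not appear in the running config.

```python
import re

# Constructed running-config fragment, modelled on the post's configuration
# (not copied from a real device).
GOOD_CONFIG = """\
chat-script gsm-chat-script "" "ATDT*99*1#" TIMEOUT 30 "CONNECT"
!
interface Cellular0
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 async mode interactive
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string gsm-chat-script
 dialer persistent
!
dialer-list 1 protocol ip permit
!
line 3
 script dialer gsm-chat-script
 modem InOut
 no exec
"""

# Same fragment with two typos of the kind that leave the dialer silently dead.
BAD_CONFIG = (GOOD_CONFIG
              .replace("dialer string gsm-chat-script", "dialer string gsm-chat")
              .replace("dialer pool-member 1", "dialer pool-member 2"))

# chat-script <name> "" "ATDT*99*<profile>#" ...
_CHAT = re.compile(r'^chat-script (\S+) "" "ATDT\*99\*(\d+)#"')


def blocks(config_text):
    """Split an IOS config into its '!'-separated blocks (lists of stripped lines)."""
    out, cur = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        out.append(cur)
    return out


def lint_ddr_config(config_text, created_profiles):
    """Cross-check the names and numbers that must agree between the chat-script,
    the Cellular/Dialer interfaces and the line. `created_profiles` is the set of
    modem profile numbers created with 'cellular 0 gsm profile create' (taken from
    'show cellular 0 profile', which is assumed here). Returns a list of findings;
    an empty list means every reference resolves."""
    chat_scripts, pools, members, string_refs, line_refs = {}, {}, {}, {}, {}
    for block in blocks(config_text):
        head = block[0]
        if m := _CHAT.match(head):
            chat_scripts[m[1]] = int(m[2])
        elif head.startswith("interface "):
            ifname = head.split()[1]
            for cmd in block[1:]:
                words = cmd.split()
                if cmd.startswith("dialer pool-member "):
                    members[ifname] = int(words[2])
                elif cmd.startswith("dialer pool "):
                    pools[int(words[2])] = ifname
                elif cmd.startswith("dialer string "):
                    string_refs[ifname] = words[2]
        elif head.startswith("line "):
            for cmd in block[1:]:
                if cmd.startswith("script dialer "):
                    line_refs[head] = cmd.split()[2]

    findings = []
    for where, name in list(string_refs.items()) + list(line_refs.items()):
        if name not in chat_scripts:
            findings.append(f"{where}: chat-script '{name}' is referenced but not defined")
    for name, profile in chat_scripts.items():
        if profile not in created_profiles:
            findings.append(f"chat-script '{name}': dials modem profile {profile}, which has not been created")
    for ifname, pool in members.items():
        if pool not in pools:
            findings.append(f"{ifname}: dialer pool-member {pool} has no matching 'dialer pool {pool}' on a Dialer interface")
    return findings


if __name__ == "__main__":
    print("good:", lint_ddr_config(GOOD_CONFIG, {1}))
    print("bad: ", lint_ddr_config(BAD_CONFIG, {1}))
```

The good fragment produces no findings; the bad one reports the undefined chat-script on Dialer1 and the orphaned pool member on Cellular0, and running the good fragment with an empty profile set reports that modem profile 1 was never created.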

Cisco ASA – Full recovery

May 24th, 2011 | No Comments

While trying to perform a password recovery on a Cisco ASA, I noticed that the password recovery feature was disabled on the appliance. Without the password recovery feature enabled you can still recover the Cisco ASA, but the file system will be wiped completely.

During the boot of the Cisco ASA you need to press ESC to enter ROMMON, and you will receive the following warning.

WARNING:  Password recovery and ROMMON command line access has been
disabled by your security policy.  Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be downloaded via ROMMON.

Erase all file systems? y/n [n]: y

Permanently erase Disk0: and Disk1:? y/n [n]: y

All data on disk0: will be erased, after which you gain access to the ROMMON of the appliance. To perform the full recovery you need to enter the following commands:

rommon #0> interface <interface id>
rommon #1> address <IP address>
rommon #2> file <image name>
rommon #3> server <IP address TFTP server>
rommon #4> tftp

The new image will be loaded onto the Cisco ASA appliance and the appliance will boot with its default configuration. After the Cisco ASA has booted you have to format disk0:. If you issue the show disk0: command before the format, you will notice that there is no free space on the disk. After the format you need to upload the appropriate ASA and ASDM images.

Be aware that after performing a full recovery the previous VPN-3DES-AES activation keys and other licenses will be lost. You can get a new activation key at http://www.cisco.com/go/license.

Juniper SSG to Cisco ASA VPN with overlapping subnets

March 29th, 2011 | No Comments

I needed to configure a site-to-site VPN connection between a Juniper SSG firewall and a Cisco ASA firewall. The configuration of a VPN connection is very straightforward, but this time the networks behind the firewalls overlap.

I have configured the Cisco ASA multiple times in such a scenario, but the configuration of the Juniper SSG was new to me. I found a good article in the Juniper Knowledge Base that helped me configure the VPN connection on the Juniper SSG firewall. The “tricky” part is the configuration of the MIPs on the tunnel interface and the policy from the VPN network to the Trust network.

The only difference in my configuration is the definition of proxy IDs within the VPN profile configuration. My scenario involves multiple subnets behind the Juniper SSG firewall and behind the Cisco ASA firewall. For every combination of subnets (Security Association) you have to configure a separate tunnel interface and VPN profile.
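As an added example (not part of the post, and not Juniper's or Cisco's code), the Python below does the planning step that precedes that configuration: it finds which local/remote subnet pairs overlap and therefore need a translated address (a MIP on the SSG tunnel interface), and then enumerates the proxy-ID pairs, one per subnet combination, checking that the translated subnets no longer collide with anything on the remote side. The subnets and the MIP mapping are constructed for the example.

```python
import ipaddress
from itertools import product


def to_networks(cidrs):
    """Parse CIDR strings strictly, so a host bit set in a 'subnet' is an error."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlapping_pairs(local_cidrs, remote_cidrs):
    """(local, remote) subnet pairs that share address space. Traffic between such
    a pair cannot go through the tunnel as-is: one side has to be translated
    (a MIP on the SSG tunnel interface, NAT on the ASA)."""
    return [(str(loc), str(rem))
            for loc, rem in product(to_networks(local_cidrs), to_networks(remote_cidrs))
            if loc.overlaps(rem)]


def proxy_id_plan(local_cidrs, remote_cidrs, translations):
    """One (local, remote) proxy-ID pair per subnet combination, i.e. one SA and,
    on the SSG, one tunnel interface plus VPN profile each. `translations` maps a
    real local subnet to the translated (MIP) subnet that is presented to the
    peer; a translated subnet that still overlaps the remote side is rejected."""
    remote = to_networks(remote_cidrs)
    plan = []
    for local in to_networks(local_cidrs):
        presented = ipaddress.ip_network(translations.get(str(local), str(local)))
        for rem in remote:
            if presented.overlaps(rem):
                raise ValueError(f"{presented} (for {local}) still overlaps remote {rem}")
            plan.append((str(presented), str(rem)))
    return plan


# Constructed example: both sites use 10.1.0.0/24, so the local copy is presented
# to the peer as 172.16.1.0/24 via a MIP; the other subnets are tunnelled as-is.
LOCAL = ["10.1.0.0/24", "10.2.0.0/24"]
REMOTE = ["10.1.0.0/24", "10.3.0.0/24"]
MIPS = {"10.1.0.0/24": "172.16.1.0/24"}

if __name__ == "__main__":
    print("overlapping:", overlapping_pairs(LOCAL, REMOTE))
    for proxy_local, proxy_remote in proxy_id_plan(LOCAL, REMOTE, MIPS):
        print(f"SA: local {proxy_local} <-> remote {proxy_remote}")
```

With two subnets on each side the plan lists four proxy-ID pairs, which is the number of tunnel interfaces and VPN profiles the SSG needs; leaving the MIP mapping empty makes proxy_id_plan raise, since 10.1.0.0/24 would then be proposed against itself.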