
Policy-based routing in a nutshell

October 13th, 2010

Lately I received some questions about routing decisions and how to influence the routing decisions via access control lists. The following example shows a simple configuration for policy-based routing. The example uses the following logical setup:

I configured two routers and connected each router to two PVCs on the same ATM interface, with one subnet per location. All normal traffic is routed through PVC #1, but all traffic to or from the servers in the picture should be routed through PVC #2.

The top router has SVI VLAN 1 configured and connected to the inside LAN. The first step in configuring policy-based routing is defining which traffic should be routed over PVC #2, so I configured the following access-list.

ip access-list extended acl-pbr
permit ip 10.10.10.0 0.0.0.255 host 192.168.1.100
permit ip host 192.168.1.100 10.10.10.0 0.0.0.255

Next you need to configure a route-map with a “match” statement and configure the appropriate “set” conditions.

route-map rm-pbr permit 10
match ip address acl-pbr
set ip next-hop <PVC #2 IP address>

The last step is applying the configured route-map to the correct interface. As stated before, we are using SVI VLAN 1.

interface Vlan1
ip address 10.10.10.254 255.255.255.0
ip policy route-map rm-pbr

As you can see, configuring policy-based routing is very simple, and yet very powerful.

One issue arises when testing policy-based routing from the router itself. By default, locally generated packets are not inspected by outgoing access-lists, so the route-map applied to the interface is never consulted for them. To have local packets re-enter the router and be policy-routed, you have to issue the ip local policy route-map <rm-name> command.

Cisco Virtual Com

July 28th, 2010

It took some time, but Cisco has started to migrate from the blue RJ-45 based console cable to a USB based console cable. The latest types of routers and switches are equipped with both types of connection or only with the USB connection, like the new IBM blade switches.

The picture below shows the console ports on a Cisco 2921 router.

Sorry for the bad quality, I guess I will never be a good paparazzo. You can see the USB and the RJ-45 connection. To use the USB connection you need to install the Cisco Virtual Com software. The software can be downloaded from the Cisco Download Center, as shown below.

The installation process for Windows-based workstations is

Configure VPN client on IOS router

February 10th, 2010

One way to remotely access a network is using the Cisco VPN client. Nowadays more and more SSL VPN implementations are being done, and Cisco has stopped development of its VPN client and is pushing the Cisco AnyConnect client instead.

Still, the Cisco VPN client is often used to gain remote access to a network. The Cisco VPN client supports:

  • Windows XP, Vista (x86/32-bit only) and Windows 7 (x86/32-bit only);
  • Linux (Intel);
  • Mac OS X 10.4 & 10.5;
  • Solaris UltraSparc (32 and 64-bit);

The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewalls and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all IP addresses and credentials used are chosen randomly and don't represent a real configuration). I used the setup from the picture below:


The configuration uses the local database to authenticate users and split-tunneling is configured to only encrypt traffic destined for the LAN network. With split-tunneling enabled you still can access all local resources and the internet.

! AAA: authenticate VPN users (xauth) and authorize the client group against the local database
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! local user account used for xauth (credentials are random, see above)
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
! ISAKMP (phase 1) policy negotiated with the VPN client
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! group settings pushed to the client: pre-shared key, DNS servers, domain,
! address pool and the split-tunnel network list (acl 110)
crypto isakmp client configuration group booches-vpn-client
key pr3sh@r3dk3y
dns 192.168.1.10 192.168.1.11
domain booches.local
pool vpnpool
acl 110
netmask 255.255.255.0
!
! IPsec (phase 2) transform set
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
!
! dynamic crypto map: the client's peer address is not known in advance;
! reverse-route injects a route for the connected client's pool address
crypto dynamic-map dynamicmap 10
set transform-set vpn-ts-set
reverse-route
!
! bind xauth, group authorization and address assignment to the crypto map
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
!
! outside (internet) interface: NAT outside and the crypto map
interface FastEthernet0/0
ip address 83.137.194.62 255.255.255.240
ip nat outside
crypto map client-vpn-map
!
! inside LAN
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
! addresses handed out to connecting VPN clients
ip local pool vpnpool 10.10.1.1 10.10.1.254
!
! overload NAT for the LAN; acl 100 exempts LAN-to-VPN-client traffic from NAT so it is encrypted instead
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! split-tunnel list: only traffic between the LAN and the VPN clients goes through the tunnel
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
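Both configurations above (the policy-based routing post and this VPN client template) hinge on how IOS evaluates an extended access-list: first match wins, wildcard-mask bits are "don't care", and an implicit deny sits at the end. The following script is an added example, not code from the original posts or from Cisco; it is a minimal ACL evaluator that applies the PBR ACL from the first post (the next-hop addresses for PVC #1 and PVC #2 are constructed placeholders, since the post leaves the PVC #2 address as <PVC #2 IP address>) and then uses the same evaluator on acl 100 and acl 110 from this template to show which LAN flows are NATed and which are sent through the tunnel, including what breaks if the NAT exemption line is left out.

```python
import ipaddress

# --- minimal IOS extended-ACL evaluator (plain 'ip' entries only) ---------------

def _operand(tokens, i):
    """Parse one address operand starting at tokens[i]:
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard mask).
    Returns ((address_int, wildcard_int), index_of_next_token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries, either in named form
    ('ip access-list extended NAME' followed by its entries) or numbered form
    ('access-list N permit ...'). Returns a list of (action, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":      # blank line or the named-ACL header
            continue
        if tokens[0] == "access-list":           # numbered form: drop 'access-list N'
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("only plain 'ip' entries are supported: " + line)
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        aces.append((action, src, dst))
    return aces


def _hit(addr, operand):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wild = operand
    care = ~wild & 0xFFFFFFFF
    return addr & care == base & care


def acl_permits(aces, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, so, do in aces:
        if _hit(s, so) and _hit(d, do):
            return action == "permit"
    return False


# --- 1. policy-based routing: route-map rm-pbr applied to interface Vlan1 -------

PBR_ACL = """
ip access-list extended acl-pbr
permit ip 10.10.10.0 0.0.0.255 host 192.168.1.100
permit ip host 192.168.1.100 10.10.10.0 0.0.0.255
"""
PVC1_NEXT_HOP = "10.255.0.1"   # constructed: stands for the normal path (PVC #1)
PVC2_NEXT_HOP = "10.255.0.2"   # constructed: the post's '<PVC #2 IP address>' placeholder


def pbr_next_hop(src, dst, locally_generated=False, local_policy=False):
    """Next hop a packet gets under 'ip policy route-map rm-pbr' on Vlan1.
    An ACL match applies 'set ip next-hop' (PVC #2); anything else follows the
    routing table (PVC #1). Packets the router generates itself bypass the
    interface policy unless 'ip local policy route-map rm-pbr' is configured too."""
    if locally_generated and not local_policy:
        return PVC1_NEXT_HOP
    if acl_permits(parse_acl(PBR_ACL), src, dst):
        return PVC2_NEXT_HOP
    return PVC1_NEXT_HOP


# --- 2. VPN client: NAT exemption (acl 100) and split-tunnel list (acl 110) -----

NAT_ACL = """
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""
SPLIT_TUNNEL_ACL = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
"""
# constructed: the NAT ACL with the exemption line left out, to show the failure mode
NAT_ACL_NO_EXEMPTION = "access-list 100 permit ip 192.168.1.0 0.0.0.255 any"


def classify_lan_flow(src, dst, nat_acl=NAT_ACL):
    """For a packet from the LAN leaving via FastEthernet0/0: 'natted' says whether
    the overload NAT rewrites its source; 'tunneled' says whether it falls inside the
    split-tunnel network list (acl 110) that the router pushes to the client.
    A flow that is both natted and tunneled is broken: the client expects the LAN
    source address, not the router's outside address."""
    natted = acl_permits(parse_acl(nat_acl), src, dst)
    tunneled = acl_permits(parse_acl(SPLIT_TUNNEL_ACL), src, dst)
    return {"natted": natted, "tunneled": tunneled}


if __name__ == "__main__":
    print(pbr_next_hop("10.10.10.5", "192.168.1.100"))                      # PVC #2
    print(pbr_next_hop("10.10.10.5", "192.168.1.101"))                      # PVC #1
    print(pbr_next_hop("10.10.10.254", "192.168.1.100", locally_generated=True))
    print(classify_lan_flow("192.168.1.20", "10.10.1.7"))
    print(classify_lan_flow("192.168.1.20", "10.10.1.7", NAT_ACL_NO_EXEMPTION))
```

The last call is the check worth keeping around: without the deny line at the top of acl 100, LAN-to-client traffic is both NATed and in the tunnel scope, which is exactly the "VPN connects but I cannot reach the LAN" symptom. Order matters because evaluation stops at the first match, so the exemption has to precede the permit ... any.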

Cisco router: determine amount of memory/flash

January 22nd, 2010

Somebody asked me how he could determine the amount of DRAM and flash memory on a Cisco router. I always thought that everybody would know how to find this information, but since this isn't the case, I will tell you how you can determine the values.

You use the show version command to retrieve the requested information. Below you see example output of the command on a Cisco 876 router.

Router#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 876 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ121160T5
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

The first highlighted line (the "... with 118784K/12288K bytes of memory" line) tells you how much Dynamic RAM (DRAM) and Packet memory are installed in your router. Some types of routers have separate DRAM and Packet memory; on those you only need to look at the first number. Other platforms carve Packet memory out of DRAM, and the IOS memory requirements take this into account, so on those you have to add both numbers to find the real amount of DRAM available on your router (from a memory requirement point of view).

The second highlighted line (the "... bytes of processor board System flash" line) tells you how much flash memory is installed in your router. This amount can also be determined with the command show flash:.

Router#show flash:
24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

2  -rwx    18934284   Mar 1 2002 01:33:35 +01:00  c870-advipservicesk9-mz.124-15.T6.bin

23482368 bytes total (4542464 bytes free)
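Reading these values by eye is easy for one router; for an inventory or an upgrade check you want to parse them. The script below is an added example (not code from the post) that extracts the DRAM, Packet memory, NVRAM and flash figures from the show version lines above and the file list and free space from show flash:, then applies the rule from the post: on a platform that carves Packet memory out of DRAM, the figure to compare against an image's memory requirement is the sum of both numbers. The sample text is copied from the post's output; the 128 MB / 24 MB requirement used in the check is a constructed example value, not a figure from the post.

```python
import re

# Relevant lines of the post's 'show version' and 'show flash:' output (Cisco 876).
SHOW_VERSION = """\
Cisco 876 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ121160T5
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
"""

SHOW_FLASH = """\
24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

2  -rwx    18934284   Mar 1 2002 01:33:35 +01:00  c870-advipservicesk9-mz.124-15.T6.bin

23482368 bytes total (4542464 bytes free)
"""


def parse_memory(show_version):
    """Extract DRAM, Packet memory, NVRAM and flash sizes (in KB and MB) from 'show version'."""
    mem = re.search(r"with (\d+)K/(\d+)K bytes of memory", show_version)
    nvram = re.search(r"(\d+)K bytes of non-volatile configuration memory", show_version)
    flash = re.search(r"(\d+)K bytes of processor board System flash", show_version)
    if not (mem and nvram and flash):
        raise ValueError("unexpected show version format")
    dram_k, packet_k = int(mem.group(1)), int(mem.group(2))
    flash_k = int(flash.group(1))
    return {
        "dram_k": dram_k,
        "packet_k": packet_k,
        "total_dram_k": dram_k + packet_k,          # what counts on 'shared' platforms
        "total_dram_mb": (dram_k + packet_k) // 1024,
        "nvram_k": int(nvram.group(1)),
        "flash_k": flash_k,
        "flash_mb": flash_k // 1024,
    }


def parse_flash(show_flash):
    """Parse the file list and the 'bytes total (bytes free)' line of 'show flash:'."""
    files = [
        (m.group(2), int(m.group(1)))
        for m in re.finditer(r"^\s*\d+\s+[-drwx]+\s+(\d+)\s+.+?\s+(\S+)\s*$",
                             show_flash, re.MULTILINE)
    ]
    tot = re.search(r"(\d+) bytes total \((\d+) bytes free\)", show_flash)
    if not tot:
        raise ValueError("unexpected show flash format")
    total, free = int(tot.group(1)), int(tot.group(2))
    return {"files": files, "total_bytes": total, "free_bytes": free,
            "used_bytes": total - free}


def meets_memory_requirement(mem, required_dram_mb, required_flash_mb,
                             packet_memory_separate=False):
    """Compare parsed figures with an image's DRAM/flash requirement.
    packet_memory_separate=True models a platform whose Packet memory is its own
    pool, where only the first number counts; False models the 876-style platform
    where Packet memory is carved out of DRAM and both numbers are added."""
    dram_mb = (mem["dram_k"] if packet_memory_separate else mem["total_dram_k"]) // 1024
    return dram_mb >= required_dram_mb and mem["flash_mb"] >= required_flash_mb


if __name__ == "__main__":
    m = parse_memory(SHOW_VERSION)
    print(m)                                        # total_dram_mb 128, flash_mb 24
    print(parse_flash(SHOW_FLASH))
    # constructed requirement: 128 MB DRAM / 24 MB flash
    print(meets_memory_requirement(m, 128, 24))     # True: 118784K + 12288K = 128 MB
    print(meets_memory_requirement(m, 128, 24, packet_memory_separate=True))  # False: 116 MB
```

The two results of the last check are the whole point of the post: 118784K on its own is 116 MB and would fail a 128 MB requirement, while 118784K + 12288K is exactly 128 MB. Which of the two you must use depends on the platform, so know how your router allocates Packet memory before comparing against Cisco's stated requirement.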

I can imagine why somebody doesn't know where to look, because show version actually gives you a lot of information. So I hope this post helps all of you who don't know where to look.

Cisco IOS 15 licensing

January 15th, 2010

I just read an interesting article about the new licensing on Cisco hardware, especially after the End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.4.

In short the article tells the following:

IOS 12.4 is replaced by IOS 15. IOS 15 is a single software package for the hardware platform that you are using. You have one image with all the features, and there's no need to copy multiple images for different feature sets. By default you can use all the base features, and you need a license key to use the Advanced IP feature set.

This licensing can be compared to the licensing of a Cisco PIX, ASA or IPS. Maybe this will be hard for some of you, especially in situations where you replace a broken hardware component (License Transfer Between Two Working Devices).

So pay attention and take some time to dig into the new developments in Cisco IOS 15 licensing.