
NetworkJutsu

Networking & Security Services | San Francisco Bay Area


Blog

Recommended EtherChannel Load Balancing

10/26/2011 By Andrew Roderos Leave a Comment

The CCDP ARCH book states that the recommended way to load balance an EtherChannel is to use Layer 4 load balancing.

How to enable Layer 4 load balancing on an EtherChannel:

Switch (config)# port-channel load-balance src-dst-port

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Filed Under: Design Tagged With: Cisco, IOS

Cisco STP Toolkit

10/23/2011 By Andrew Roderos Leave a Comment

STP (Spanning Tree Protocol) is a great invention by Radia Perlman. The protocol was designed to ensure that a Layer 2 Ethernet network is loop-free. “Algorhyme” is a poem by Radia Perlman that pretty much summarizes what STP is. While this is a great invention, it needed some improvements. Say hello to Cisco’s STP Toolkit.

Cisco STP Toolkit is a collection of STP extensions that improve the performance of the original IEEE 802.1D STP algorithm. Here are the extensions included in the STP Toolkit:

  • PortFast – Mostly used on access ports, but can be used on trunk ports. If you choose to enable PortFast on trunk ports, make sure you’re not creating a loop. This extension causes an access port or trunk port to go to the Forwarding STP state immediately, skipping the listening and learning states.
  • UplinkFast – Used in uplink ports to speed up STP convergence after a direct failure.
  • BackboneFast – Speeds up STP convergence after an indirect failure. This extension needs to be enabled on all network devices to take advantage of the feature.
  • Loop Guard – Helps prevent a Layer 2 loop when there is a unidirectional link failure. It prevents an alternate or root port from becoming a designated port if it stops receiving BPDUs; instead, the port transitions to the loop-inconsistent state.
  • Root Guard – Prevents external switches from becoming the root. It is normally enabled on ports connecting to downstream switches. When a superior BPDU is received on an interface where Root Guard is enabled, the switch port transitions to the root-inconsistent state.
  • BPDU Guard – When PortFast is enabled on a port, this STP extension helps prevent bridging loops by transitioning a switch port to err-disabled upon receiving a BPDU.
  • BPDU Filter – This STP extension prevents PortFast-enabled ports from sending and receiving BPDUs – effectively disabling STP at the edge which can lead to bridging loops. This is not a recommended configuration per the authors of CCDP ARCH Self-Study Guide.
  • UDLD (Unidirectional Link Detection) – This STP extension prevents bridging loops by monitoring the fiber optic and/or twisted-pair links and detecting if a one-way or unidirectional communication exists. If it detects a unidirectional communication, it will shut down the interface and there will be a system alert.

Some Cisco documentation includes UDLD and BPDU Filter and some does not. Just for the sake of completeness, I included them both here.

I hope this has been helpful and thank you for reading!


Filed Under: Switching Tagged With: Cisco, IOS

How to enable SSH on Cisco Routers and Switches

10/18/2011 By Andrew Roderos Leave a Comment


UPDATE: Please read my updated post regarding SSH on Cisco IOS.

On my previous blog post, I talked about one of the things a Network Engineer must do to harden Cisco routers and switches. Today, I am adding another one to the list. I will try to keep adding to this list to raise the importance of security.

As the title says, I am going to show you how to enable SSH on Cisco IOS devices. The commands are pretty much the same in almost all IOS versions. If the commands listed here don’t work, use the IOS help menu.

Most people, if not all, know that Telnet sends data in clear text. That means usernames and passwords are up for grabs. Imagine an unauthorized user logging into a company’s Cisco IOS devices, deleting the configuration and rebooting them. When that happens, someone would be let go pretty soon.

To enable SSH on Cisco IOS, the IOS image needs the crypto feature. If the IOS does not support crypto, then you’re out of luck. If you have a SMARTnet contract, I suggest you upgrade the IOS. For legacy hardware, the only choice is to upgrade to newer hardware. Use Cisco Feature Navigator to check whether your IOS supports the crypto feature.

Enabling SSH on Cisco IOS

Without further delay, below are the commands to enable SSH on Cisco IOS. With this method, Cisco IOS requires the user to specify the host name and domain name.

Router(config)#host R1
R1(config)#ip domain name domain.com
R1(config)#crypto key generate rsa general-keys modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 15
R1(config-line)# transport input ssh

Alternatively, a Cisco IOS user can enable SSH without specifying the domain name, as shown below. In this case, I am using a 4096-bit key size for the RSA keys.

R1(config)#crypto key gen rsa modulus 4096 label SSH_KEY
The name for the keys will be: SSH_KEY
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 103 seconds)
R1(config)#
*Dec 15 20:38:36.581: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh rsa keypair-name SSH_KEY
R1(config)#
*Dec 15 20:39:38.227: %SSH-5-DISABLED: SSH 1.99 has been disabled
*Dec 15 20:39:38.228: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh ver 2
R1(config)#line vty 0 15
R1(config-line)#transport input ssh

While the transport input ssh command is not strictly required, it is recommended so that Telnet is disabled altogether. By default, line vty 0 to 15 has transport input all configured, although it is not shown in the running configuration or startup configuration. That means the lines accept either SSH or Telnet.
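The post configures the hardened state by hand. As an added example (not from the original post), the Python script below audits a running configuration for the same points: ip ssh version 2, a domain name or RSA key label, and vty lines that still accept Telnet. The sample configuration is constructed for the example.

```python
import re

# Constructed sample running-config (not from the post): a router whose SSH
# setup is half done, so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname R1
ip domain name domain.com
ip ssh rsa keypair-name SSH_KEY
line vty 0 4
 transport input telnet ssh
line vty 5 15
 exec-timeout 5 0
"""


def vty_transports(config: str) -> dict:
    """Return {'vty 0 4': ['telnet', 'ssh'], ...}. A vty block with no
    transport input line gets ['all'], the IOS default the post describes
    (in effect but not shown in the running configuration)."""
    blocks, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^line (vty \d+ \d+)", line)
        if head:
            current = head.group(1)
            blocks[current] = ["all"]
        elif current and line.startswith(" "):
            t = re.match(r"^\s+transport input (.+)$", line)
            if t:
                blocks[current] = t.group(1).split()
        else:
            current = None  # any other top-level line ends the vty block
    return blocks


def audit_ssh(config: str) -> list:
    """List deviations from the hardened state the post configures."""
    findings = []
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 missing: SSH 1.99 still accepts v1 clients")
    has_domain = re.search(r"^ip domain[ -]name \S+", config, re.M)
    has_label = re.search(r"^ip ssh rsa keypair-name \S+", config, re.M)
    if not (has_domain or has_label):
        findings.append("neither ip domain name nor ip ssh rsa keypair-name set")
    for vty, transports in vty_transports(config).items():
        if "all" in transports or "telnet" in transports:
            findings.append(
                f"line {vty}: transport input {' '.join(transports)} still allows Telnet"
            )
    return findings


if __name__ == "__main__":
    for f in audit_ssh(SAMPLE_CONFIG):
        print(f)
```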

Final Words

Hopefully, this will be included in your standard configuration for all of your Cisco routers and switches. Telnet is considered a security risk, so enabling SSH and disabling Telnet will mitigate that risk on your network.

I hope this has been helpful and thank you for reading!


Filed Under: Security Tagged With: Cisco, IOS, Network Security

Configure Frame Relay Switching on a Cisco router

10/16/2011 By Andrew Roderos Leave a Comment


Whether you are building a CCIE home lab or not, this will help you configure a Cisco router to act as a Frame Relay switch.

To better understand the topology of this particular scenario, I attached a Visio diagram below.

Without further ado, here are the commands to turn your Cisco router to a Frame Relay switch.

FR (config)#frame-relay switching
!
interface serial 1/1
 description R1 to R2 and R1 to R3
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 102 interface serial1/2 201
 frame-relay route 103 interface serial1/3 301
!
interface serial 1/2
 description R2 to R1
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 201 interface serial1/1 102
!
interface serial 1/3
 description R3 to R1
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 301 interface serial 1/1 103
!
end
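Each frame-relay route statement above is one direction of a PVC, so a missing or mistyped counterpart leaves a one-way circuit. As an added example that is not part of the original post, this Python script parses the switch configuration above (embedded as the sample input) and reports any route whose egress interface is not configured or that has no matching return route.

```python
import re

# Frame Relay switch configuration from the post (route lines only), used as
# the sample input. Note the mixed "serial1/2" / "serial 1/1" spellings.
FR_SWITCH_CONFIG = """\
frame-relay switching
!
interface serial 1/1
 frame-relay intf-type dce
 frame-relay route 102 interface serial1/2 201
 frame-relay route 103 interface serial1/3 301
!
interface serial 1/2
 frame-relay intf-type dce
 frame-relay route 201 interface serial1/1 102
!
interface serial 1/3
 frame-relay intf-type dce
 frame-relay route 301 interface serial 1/1 103
!
"""


def norm(ifname: str) -> str:
    """'serial 1/1', 'serial1/1' and 'Serial1/1' all become 'serial1/1'."""
    return re.sub(r"\s+", "", ifname).lower()


def parse_routes(config: str) -> dict:
    """Map (ingress interface, ingress DLCI) -> (egress interface, egress DLCI)."""
    routes, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface\s+(.+)$", line)
        if head:
            current = norm(head.group(1))
            continue
        m = re.match(r"^\s+frame-relay route (\d+) interface (.+?) (\d+)\s*$", line)
        if m and current:
            routes[(current, int(m.group(1)))] = (norm(m.group(2)), int(m.group(3)))
    return routes


def check_routes(config: str) -> list:
    """A route from (A, dlci_a) to (B, dlci_b) needs B to be a configured
    interface and a route from (B, dlci_b) back to (A, dlci_a). Returns the
    ingress legs that fail either test; an empty list means consistent."""
    routes = parse_routes(config)
    configured = {norm(i) for i in re.findall(r"^interface\s+(.+)$", config, re.M)}
    problems = []
    for src, dst in routes.items():
        if dst[0] not in configured:
            problems.append((src, "egress interface %s not configured" % dst[0]))
        elif routes.get(dst) != src:
            problems.append((src, "no return route on %s for DLCI %d" % dst))
    return problems


if __name__ == "__main__":
    print(check_routes(FR_SWITCH_CONFIG) or "all PVC legs are symmetric")
```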

To verify that this configuration works, let’s configure all three routers and ping the IP of the interfaces.

R1 configuration:

R1 (config)#interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.102 point-to-point
 ip address 2.2.2.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial0/0.103 point-to-point
 ip address 3.3.3.1 255.255.255.0
 frame-relay interface-dlci 103
!
end

R2 configuration:

R2 (config)#interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type cisco
!
interface Serial0/0.201 point-to-point
 ip address 2.2.2.2 255.255.255.0
 frame-relay interface-dlci 201
!
end

R3 configuration:

R3 (config)#interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.301 point-to-point
 ip address 3.3.3.3 255.255.255.0
 frame-relay interface-dlci 301
!
end

Ping verification:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/15/44 ms
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/48 ms
R2#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/19/76 ms
R3#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/80 ms

Congratulations, you’ve just configured a Cisco router to act as a Frame Relay switch!

I hope this has been helpful and thank you for reading!


Filed Under: General Tagged With: Cisco, IOS

Network Performance Testing Tool

10/10/2011 By Andrew Roderos Leave a Comment


Knowing the performance of your network, and having tools to measure it, is important. There are a lot of network performance tools out there, and IXIA’s IxChariot is probably the most popular software for network performance testing. It has a lot of features and scripts that help Network Engineers view the performance of their network. I actually know someone who uses it to measure MOS (Mean Opinion Score) and to compare throughput across different WLAN products. Great software comes with a price tag; while I do not have the price list for IxChariot, let’s just assume that the organization you work for does not have the budget to buy such software. Fortunately, there is freeware called Iperf (and its GUI front end, Jperf) that can help with your network performance testing.

Iperf is a free cross-platform network testing tool that lets you create TCP or UDP data streams and measure your network’s throughput. Jperf is basically the same as Iperf, but presented as a GUI (Graphical User Interface) instead of a CLI (Command Line Interface). While a GUI is nice, I don’t really like anything written in Java due to past personal experiences, so I stick with the CLI as long as it is easy to use. I think Iperf is pretty easy to use, thanks to its help output. Being easy to use does not mean I know everything there is to know about it; I am still learning how to use all the command line switches available in this tool. My experience is limited to putting a load on a circuit and/or measuring throughput in a WLAN environment, so feel free to experiment with the tool.

As mentioned, this software is cross-platform, so you can run it on Windows or Linux. If you’re using a Windows box to run Iperf, you can download the file here. If you’re using Linux, then the link above will suffice. Since I am an Ubuntu Server Edition user, I like using apt-get to download and install software. To install Iperf on Ubuntu, type the command below:

admin@ubuntu:~$ sudo apt-get install iperf

Installing Iperf on one machine is just half of it. You need another end-point to measure network performance against. Iperf, IxChariot, and similar tools are client-server software, so there must be two end-points running it, one as a server and the other as a client. In this article, I will show a combination of Linux and Windows as the end-points: Linux running as the server and Windows as the client. This is just a very basic test to measure my throughput at home.

On the server side (Linux), issue the command below:

admin@ubuntu:~$ iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------

On the client side (Windows), issue the command below:

C:\Users\Administrator\Desktop>iperf -c 192.168.0.100 -n 500000M -i 1

Once issued, you should see something like this on the client side:

------------------------------------------------------------
Client connecting to 192.168.1.45, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[376] local 192.168.1.20 port 50740 connected with 192.168.0.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[376]  0.0- 1.0 sec  9.20 MBytes  77.2 Mbits/sec
[376]  1.0- 2.0 sec  9.04 MBytes  75.8 Mbits/sec
[376]  2.0- 3.0 sec  9.78 MBytes  82.1 Mbits/sec
[376]  3.0- 4.0 sec  9.91 MBytes  83.2 Mbits/sec
[376]  4.0- 5.0 sec  9.90 MBytes  83.0 Mbits/sec
[376]  5.0- 6.0 sec  9.28 MBytes  77.9 Mbits/sec
[376]  6.0- 7.0 sec  9.56 MBytes  80.2 Mbits/sec
[376]  7.0- 8.0 sec  9.59 MBytes  80.4 Mbits/sec
[376]  8.0- 9.0 sec  9.60 MBytes  80.5 Mbits/sec
[376]  9.0-10.0 sec  8.56 MBytes  71.8 Mbits/sec
[376]  0.0-11.0 sec   104 MBytes  79.5 Mbits/sec

The command above tells Iperf to send 500,000 megabytes worth of TCP data to the server and report the measurement every second. To learn more about the available options, issue the command below:

C:\Users\Administrator\Desktop>iperf --help
Usage: iperf [-s|-c host] [options]
       iperf [-h|--help] [-v|--version]
Client/Server:
  -f, --format    [kmKM]   format to report: Kbits, Mbits, KBytes, MBytes
  -i, --interval  #        seconds between periodic bandwidth reports
  -l, --len       #[KM]    length of buffer to read or write (default 8 KB)
  -m, --print_mss          print TCP maximum segment size (MTU - TCP/IP header)
  -o, --output    <filename> output the report or error message to this specified file
  -p, --port      #        server port to listen on/connect to
  -u, --udp                use UDP rather than TCP
  -w, --window    #[KM]    TCP window size (socket buffer size)
  -B, --bind      <host>   bind to <host>, an interface or multicast address
  -C, --compatibility      for use with older versions does not sent extra msgs
  -M, --mss       #        set TCP maximum segment size (MTU - 40 bytes)
  -N, --nodelay            set TCP no delay, disabling Nagle's Algorithm
  -V, --IPv6Version        Set the domain to IPv6
Server specific:
  -s, --server             run in server mode
  -U, --single_udp         run in single threaded UDP mode
  -D, --daemon             run the server as a daemon
Client specific:
  -b, --bandwidth #[KM]    for UDP, bandwidth to send at in bits/sec
                           (default 1 Mbit/sec, implies -u)
  -c, --client    <host>   run in client mode, connecting to <host>
  -d, --dualtest           Do a bidirectional test simultaneously
  -n, --num       #[KM]    number of bytes to transmit (instead of -t)
  -r, --tradeoff           Do a bidirectional test individually
  -t, --time      #        time in seconds to transmit for (default 10 secs)
  -F, --fileinput <name>   input the data to be transmitted from a file
  -I, --stdin              input the data to be transmitted from stdin
  -L, --listenport #       port to recieve bidirectional tests back on
  -P, --parallel  #        number of parallel client threads to run
  -T, --ttl       #        time-to-live, for multicast (default 1)
  -Z, --linux-congestion   set TCP congestion control algorithm (Linux only)
Miscellaneous:
  -x, --reportexclude [CDMSV]   exclude C(connection) D(data) M(multicast) S(settings) V(server) reports
  -y, --reportstyle C      report as a Comma-Separated Values
  -h, --help               print this message and quit
  -v, --version            print version information and quit
[KM] Indicates options that support a K or M suffix for kilo- or mega-
The TCP window size option can be set by the environment variable
TCP_WINDOW_SIZE. Most other options can be set by an environment variable
IPERF_<long option name>, such as IPERF_BANDWIDTH.
Report bugs to iperf-users@lists.sourceforge.net
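As an added example (not part of the original post), here is a small Python parser for the interval report format shown in the client output above. It separates the per-second intervals from the final summary line, normalises the bandwidth unit to Mbits/sec, and flags intervals that fall below a throughput floor. The sample input is the client output from the post.

```python
import re

# Interval lines from the client output in the post, used as sample input.
IPERF_OUTPUT = """\
[ ID] Interval       Transfer     Bandwidth
[376]  0.0- 1.0 sec  9.20 MBytes  77.2 Mbits/sec
[376]  1.0- 2.0 sec  9.04 MBytes  75.8 Mbits/sec
[376]  2.0- 3.0 sec  9.78 MBytes  82.1 Mbits/sec
[376]  3.0- 4.0 sec  9.91 MBytes  83.2 Mbits/sec
[376]  4.0- 5.0 sec  9.90 MBytes  83.0 Mbits/sec
[376]  5.0- 6.0 sec  9.28 MBytes  77.9 Mbits/sec
[376]  6.0- 7.0 sec  9.56 MBytes  80.2 Mbits/sec
[376]  7.0- 8.0 sec  9.59 MBytes  80.4 Mbits/sec
[376]  8.0- 9.0 sec  9.60 MBytes  80.5 Mbits/sec
[376]  9.0-10.0 sec  8.56 MBytes  71.8 Mbits/sec
[376]  0.0-11.0 sec   104 MBytes  79.5 Mbits/sec
"""

# Multiplier to bits/sec for the unit prefix iperf prints before "bits/sec".
UNIT = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}
LINE = re.compile(
    r"^\[\s*(\d+)\]\s+([\d.]+)-\s*([\d.]+) sec\s+[\d.]+ \wBytes\s+([\d.]+) ([KMG]?)bits/sec"
)


def parse_report(text: str) -> dict:
    """Return {'intervals': [(start, end, mbps), ...], 'summary': mbps or None}.
    The final line restarts at 0.0 after other intervals; that is the run total."""
    intervals, summary = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, "connected with", or any non-report line
        start, end = float(m.group(2)), float(m.group(3))
        mbps = float(m.group(4)) * (UNIT[m.group(5)] / 1e6)
        if start == 0.0 and intervals:
            summary = mbps
        else:
            intervals.append((start, end, mbps))
    return {"intervals": intervals, "summary": summary}


def throughput_stats(text: str, floor_mbps: float) -> dict:
    """Min/max/mean of the interval rates plus the intervals below floor_mbps."""
    rep = parse_report(text)
    rates = [r for _, _, r in rep["intervals"]]
    return {
        "min": min(rates),
        "max": max(rates),
        "mean": sum(rates) / len(rates),
        "summary": rep["summary"],
        "below_floor": [(s, e) for s, e, r in rep["intervals"] if r < floor_mbps],
    }


if __name__ == "__main__":
    print(throughput_stats(IPERF_OUTPUT, floor_mbps=75.0))
```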

Being freeware, it won’t have all the bells and whistles of the paid equivalents, so expect some disappointments. However, if you’re just looking for basic functionality that is a little more powerful than IXIA’s Qcheck application, then this is definitely the tool you need.

I hope this has been helpful and thank you for reading!


Filed Under: General


Copyright © 2011–2023 · NetworkJutsu · All Rights Reserved · Privacy Policy · Terms of Use