
NetworkJutsu

Networking & Security Services | San Francisco Bay Area


Blog

Enable IPv6 on Cisco Catalyst 3560

10/08/2011 By Andrew Roderos 3 Comments


When you’re building a Cisco home lab, make sure to buy switches and/or routers that satisfy the requirements of the track you’re currently studying for. You may also want to future-proof your home lab for other Cisco tracks. Future-proofing was one of the reasons I didn’t buy an 1841 for my lab and bought a 2801 instead: 1841s will not satisfy the requirements of the Voice track, which is one of the Cisco tracks I would like to learn more about. Anyway, CCNP R&S (Routing and Switching) and CCIE R&S require you to know IPv6. While the CCNP does not specifically require running IPv6 on the 3560, it will most likely be used in the CCIE lab exam. I do know that the INE materials require you to enable IPv6 on the Catalyst 3560 to practice and master the topic.

By default, Catalyst 3560s do not allow you to turn on IPv6 without changing the SDM (Switching Database Manager) template. I did not know this before, so when I tried it on my Catalyst 3560, I got the following:

3560(config)#ipv6 ?
% Unrecognized command

I wasn’t expecting that error, so I went to Cisco’s website and started practicing how to use the Cisco DOC CD, the only resource available during the CCIE lab exam. Luckily, I was able to find the instructions on how to do it. If you want more information, please visit this configuration guide.

Without further ado, here’s a tutorial on how to enable IPv6 on Catalyst 3560.

3560(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
3560(config)#do wr mem
Building configuration...
[OK]
3560#reload

To verify that SDM has been changed:

3560#sho sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
 number of unicast mac addresses:                  2K
 number of IPv4 IGMP groups + multicast routes:    1K
 number of IPv4 unicast routes:                    3K
   number of directly-connected IPv4 hosts:        2K
   number of indirect IPv4 routes:                 1K
 number of IPv6 multicast groups:                  1K
 number of directly-connected IPv6 addresses:      2K
 number of indirect IPv6 unicast routes:           1K
 number of IPv4 policy based routing aces:         0
 number of IPv4/MAC qos aces:                      0.5K
 number of IPv4/MAC security aces:                 1K
 number of IPv6 policy based routing aces:         0
 number of IPv6 qos aces:                          0.5K
 number of IPv6 security aces:                     0.5K

To verify that IPv6 can now be issued:

3560(config)#ipv6 ?
 access-list      Configure access lists
 cef              Cisco Express Forwarding for IPv6
 dhcp             Configure IPv6 DHCP
 general-prefix   Configure a general IPv6 prefix
 hop-limit        Configure hop count limit
 host             Configure static hostnames
 icmp             Configure ICMP parameters
 local            Specify local options
 mld              Global MLD Snooping enable for Catalyst Vlans
 neighbor         Neighbor
 prefix-list      Build a prefix list
 route            Configure static routes
 router           Enable an IPV6 routing process
 source-route     Process packets with source routing header options
 unicast-routing  Enable unicast routing

To enable IPv6, issue the command below:

3560(config)#ipv6 unicast-routing

It is pretty easy to configure, but if you didn’t know anything about SDM, you would probably blame the IOS version that is installed. I certainly did.

I hope this helps and thank you for reading!

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.


Filed Under: Routing Tagged With: Cisco, IOS

show ip flow top-talkers

10/05/2011 By Andrew Roderos 7 Comments


Who is hogging your precious WAN bandwidth? That’s probably one of the questions on your mind when you receive an alert that a certain WAN link has reached its full capacity. Well, you’re in luck. Newer Cisco IOS releases allow you to enable NetFlow and Top Talkers, which gives you the ability to see who the current top talkers in your network are. I really believe that the commands I am about to show you should be part of your standard configuration on routers.

To enable Top Talkers, issue these commands:

ip flow-top-talkers
 top 10
 sort-by bytes

Enabling Top Talkers is not enough; you also need to enable NetFlow on an interface. According to Cisco, if the router is running a Cisco IOS release prior to 12.2(14)S, 12.0(22)S, or 12.2(15)T, the command used to enable NetFlow on an interface is ip route-cache flow. If the router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later, the command used to enable NetFlow on an interface is ip flow ingress. However, I’ve used ip route-cache flow on a router running Cisco IOS 15.0 and it worked just fine. Try the first one before using the latter. I have not tried it yet, but you may need to use ip flow egress as well if ip route-cache flow does not work.

In this scenario, I enabled NetFlow on Serial0/2/0.

configure terminal
interface Serial0/2/0
 ip route-cache flow

Once you are done configuring NetFlow on the interface, you can issue:

Router#sh ip flow top-talkers
SrcIf    SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/2/0  10.1.1.33    Fa0/0 10.2.2.9     06 050E 1BC7  2156K
Se0/2/0  10.1.1.140   Fa0/0 10.2.2.78    06 0A26 10C0  1629K
Se0/2/0  10.1.1.144   Fa0/0 10.2.2.55    06 0A26 0CA6  1352K
Se0/2/0  10.1.1.120   Fa0/0 10.2.2.77    06 0A26 05E8   535K
Se0/2/0  10.1.1.106   Fa0/0 10.2.2.86    06 0A26 086A   361K
Se0/2/0  10.1.1.131   Fa0/0 10.2.2.90    06 0A26 0A7A   135K
Se0/2/0  10.1.1.112   Fa0/0 10.2.2.80    06 0A26 0C28   109K
Se0/2/0  10.1.1.137   Fa0/0 10.2.2.80    06 0A26 0D95    75K
Se0/2/0  10.1.1.142   Fa0/0 10.2.2.82    06 0A26 120B    71K
Se0/2/0  10.1.1.116   Fa0/0 10.2.2.83    06 0A26 0922    47K
10 of 10 top talkers shown. 30 flows processed.
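To turn that output into something you can act on, here is an added Python example (not from the post) that parses the show ip flow top-talkers table above, decodes the hex protocol and port columns, expands the abbreviated byte counters and aggregates traffic per source or destination host. The sample output is the post’s own table embedded as a constructed string; treating the K/M/G suffix as powers of 1000 is an assumption about how IOS abbreviates the counter.

```python
import re
from collections import defaultdict

# Constructed sample: the "show ip flow top-talkers" output from the post,
# embedded as a string so the parser runs offline.
SAMPLE_OUTPUT = """\
Router#sh ip flow top-talkers
SrcIf    SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/2/0  10.1.1.33    Fa0/0 10.2.2.9     06 050E 1BC7  2156K
Se0/2/0  10.1.1.140   Fa0/0 10.2.2.78    06 0A26 10C0  1629K
Se0/2/0  10.1.1.144   Fa0/0 10.2.2.55    06 0A26 0CA6  1352K
Se0/2/0  10.1.1.120   Fa0/0 10.2.2.77    06 0A26 05E8   535K
Se0/2/0  10.1.1.106   Fa0/0 10.2.2.86    06 0A26 086A   361K
Se0/2/0  10.1.1.131   Fa0/0 10.2.2.90    06 0A26 0A7A   135K
Se0/2/0  10.1.1.112   Fa0/0 10.2.2.80    06 0A26 0C28   109K
Se0/2/0  10.1.1.137   Fa0/0 10.2.2.80    06 0A26 0D95    75K
Se0/2/0  10.1.1.142   Fa0/0 10.2.2.82    06 0A26 120B    71K
Se0/2/0  10.1.1.116   Fa0/0 10.2.2.83    06 0A26 0922    47K
10 of 10 top talkers shown. 30 flows processed.
"""

# One flow line: interface, IPv4, interface, IPv4, hex protocol, two hex ports, byte count.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<src_port>[0-9A-Fa-f]{4})\s+"
    r"(?P<dst_port>[0-9A-Fa-f]{4})\s+(?P<bytes>\d+[KMG]?)\s*$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# IOS abbreviates the byte counter; K/M/G are taken as powers of 1000 (assumption).
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


def parse_bytes(text):
    """Expand an abbreviated counter such as '2156K' into an integer byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad byte count: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_top_talkers(output):
    """Return one dict per flow line, with protocol and ports decoded from hex."""
    flows = []
    for line in output.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # prompt, header and trailer lines are skipped
        proto = int(m["proto"], 16)
        flows.append({
            "src_if": m["src_if"], "src_ip": m["src_ip"],
            "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "src_port": int(m["src_port"], 16),
            "dst_port": int(m["dst_port"], 16),
            "bytes": parse_bytes(m["bytes"]),
        })
    return flows


def top_hosts(flows, key="src_ip", n=3):
    """Sum bytes per host (key is 'src_ip' or 'dst_ip') and return the n largest."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def share_of_total(flows, key, host):
    """Percentage of all listed bytes attributable to one host, rounded to 0.1."""
    total = sum(f["bytes"] for f in flows)
    own = sum(f["bytes"] for f in flows if f[key] == host)
    return round(100.0 * own / total, 1) if total else 0.0


if __name__ == "__main__":
    flows = parse_top_talkers(SAMPLE_OUTPUT)
    for host, b in top_hosts(flows, "src_ip"):
        print(f"{host:15} {b / 1e6:6.2f} MB  {share_of_total(flows, 'src_ip', host):5.1f}%")
```

The protocol and port columns in this output are hex: 06 is TCP, 050E is port 1294 and 0A26 is port 2598. Summing the byte column per host rather than reading the rows one by one shows whether one machine or many are behind the congestion; in the sample, the first source alone accounts for a third of the listed bytes, and 10.2.2.80 appears as the destination of two separate flows.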

I really think this is a great tool to have in your routers. It will basically help you identify who is congesting your WAN link. I’ve seen scenarios where Security (Loss Prevention) guys like to see what’s going on in a remote branch, and they use their little PC to remotely view the security cameras inside the remote branch. In some environments that’s a no-no, especially if mission-critical applications are being affected. If QoS (Quality of Service) was designed and implemented correctly, then you shouldn’t have to worry about Security guys viewing and streaming recorded video, because the mission-critical applications should have guaranteed bandwidth when there’s congestion.

I hope this has been helpful and thank you for reading!

Reference

NetFlow MIB and Top Talkers



Filed Under: General Tagged With: Cisco, IOS

CCIE R&S v4 Home Lab

10/03/2011 By Andrew Roderos 5 Comments


Update: New home lab for CCIE R&S v5.

As you may know, I am studying for the CCIE written and lab exams. To help with my CCIE studies, I have decided to build my own CCIE home lab. Sure, you can rent CCIE racks, and there are tons of them out there. However, you don’t get the convenience of being able to turn it on and off at your own time. Another alternative to having a rack is building a GNS3 or Dynamips server to run Cisco IOS. It is a very inexpensive way to study for the CCIE, and it works great for other people. While Cisco uses IOU (IOS on Unix) in the troubleshooting section, they’re not running any emulators for the configuration section. That said, configuring routers and switches on real gear will mimic the same results. Other CCIE aspirants will disagree with this logic; however, I’ve met people and read forum members’ posts who have the same reasoning as I do. Besides, I started building my home lab back in 2005 when I first entered the Cisco Network Academy Program (CNAP). I added more routers and switches to my home lab when I studied for my CCNP exams, so a few more routers and switches here and there wouldn’t be such a big deal. Though, it did cost me a lot of money.

Internetwork Expert (INE) was my first choice for CCIE lab preparation. At the time I decided that I was going to pursue the CCIE, it was the most talked about CCIE training vendor, and all the talk was positive. It probably still is, but I haven’t had a chance to visit and read the forums lately. That said, I decided to build my lab as close as possible to what they use for their CCIE workbooks, since they have a specific topology for them. Fortunately, the hardware specifications and topology for the CCIE workbooks are open to the public and can be found here. As mentioned earlier, I started building my home lab back in my CCNA days. That said, the gear is quite different compared to INE’s specs. Having different equipment turned out to be a challenge because the interfaces are different. I find myself trying to figure out which interface is which when I am doing labs. That said, I created my own topology with the right interfaces so I can at least save some time when I am labbing.

CCIE Home Lab

I think I should stop talking now and give you an idea of what my CCIE home lab looks like. Here’s the list of my CCIE home lab equipment:

Device             | Platform  | DRAM  | Flash | WIC(s)      | Software
-------------------|-----------|-------|-------|-------------|------------------------------------------
Backbone 1 (BB1)   | 2620XM    | 128MB | 48MB  | 1 x NM-8A/S | Advanced Enterprise Services 12.4(18)A
Backbone 2 (BB2)   | 2520      | 16MB  | 16MB  | N/A         | 12.2(15)T17
Backbone 3 (BB3)   | 2520      | 16MB  | 16MB  | N/A         | 12.2(15)T17
Router 1 (R1)      | 2620XM    | 128MB | 48MB  | 1 x WIC-2T  | Advanced Enterprise Services 12.4(18)A
Router 2 (R2)      | 2620XM    | 128MB | 48MB  | 1 x WIC-2T  | Advanced Enterprise Services 12.4(18)A
Router 3 (R3)      | 2620XM    | 128MB | 48MB  | 2 x WIC-2T  | Advanced Enterprise Services 12.4(18)A
Router 4 (R4)      | 2801      | 256MB | 64MB  | 1 x WIC-2T  | Advanced Enterprise Services 12.4(24)T4
Router 5 (R5)      | 2801      | 256MB | 64MB  | 1 x WIC-2T  | Advanced Enterprise Services 12.4(24)T4
Router 6 (R6)      | 2801      | 384MB | 128MB | 1 x WIC-2T  | Advanced Enterprise Services 12.4(24)T4
Switch 1 (SW1)     | 3560-24TS | 128MB | 32MB  | N/A         | Enhanced Multilayer Image (EMI) 12.2(44)SE
Switch 2 (SW2)     | 3560-48TS | 128MB | 32MB  | N/A         | Enhanced Multilayer Image (EMI) 12.2(44)SE
Switch 3 (SW3)     | 3550-48TS | 64MB  | 16MB  | N/A         | Enhanced Multilayer Image (EMI) 12.2(25)SEC2
Switch 4 (SW4)     | 3550-48TS | 64MB  | 16MB  | N/A         | Enhanced Multilayer Image (EMI) 12.2(25)SEC2
Terminal Server    | 2511      | 16MB  | 16MB  | N/A         | 12.2(15)T17

The image below is the picture of my home lab without the cables.

The image below is the Frame Relay topology.

The image below is the Ethernet connectivity topology.

I hope I can inspire more network engineers to pursue Cisco’s highly coveted and prestigious CCIE Routing & Switching certification. It will take a lot of your time and money, but it will all be worth it once you get your own five-digit number! Heck, just studying for the exam will make you a better network engineer.



Filed Under: General Tagged With: CCIE, Cisco, Home Lab

How to configure tac_plus (TACACS+ daemon) on Ubuntu Server

10/01/2011 By Andrew Roderos 9 Comments


In this blog post, I will cover how to build and configure TACACS+ on Ubuntu Server using tac_plus. While this is an old blog post, the instructions covered here are still valid on Ubuntu Server 16.04 LTS. I highly recommend that you integrate two-factor authentication (2FA) as well, which is covered here.

If you are looking for an alternative to Cisco Secure Access Control Server (ACS) and how to implement it, then you came to the right place. Since you are looking for an alternative, I think it is safe to assume that you’ve seen the price tag of Cisco Secure ACS (now EoS/EoL; its functionality is now in Cisco ISE) and think it’s too expensive for your network. My quote was $17K. A lot of companies do not have a budget for something like that. The Great Recession also didn’t help, since a lot more companies are tightening their belts, especially on IT projects, and that’s nothing new.

Related: Adding Two-Factor Authentication (2FA) to TACACS+ running on Ubuntu 16.04

Having said all of that, how can network engineers harden networking devices in a way that is also cost efficient? Well, let’s thank Cisco for that, for releasing the source code of TACACS+ back in the day, and of course the open source community. The source can still be downloaded from Cisco’s FTP site. Cisco has not updated this source code for probably more than a decade, but the open source community has made changes to it, so its features may be better than those of the original source. However, if you’re just looking for simple AAA (Authentication, Authorization, Accounting), then tac_plus will be fine. This is actually one of the topics in a Cisco Press book called Network Administrators Survival Guide.

Tac_plus is a TACACS+ daemon for Linux that is based on the original Cisco TACACS+ source code.

Security is paramount to any organization, so hardening the organization’s networking devices adds a layer to the organization’s security. A security enthusiast once told me that security is more effective when deployed in several layers. By deploying security in layers, organizations can mitigate security risks. Cisco Secure ACS can add a layer to the organization’s security by providing AAA. The appliance or software serves as a NAS (Network Access Server) and supports two security protocols, RADIUS (Remote Access Dial-In User Service) and TACACS (Terminal Access Controller Access Control Server).

Related: Deploying TACACS+ on a Docker container

The main difference between the two protocols is how they encrypt the packet. RADIUS only encrypts the password; the rest is unencrypted, so the username, authorized services, and accounting can be captured. On the other hand, TACACS+ encrypts the entire packet, which is more secure. If you are tasked with deploying AAA in your organization, make sure that you opt for the TACACS+ implementation and not RADIUS.

This article will talk about how to deploy TACACS+ using the publicly available source code from Cisco. Without further delay, here’s the tutorial on how to implement TACACS+.

What’s needed

In this tutorial, you will need the following:

  • Know how to download, install, and update the latest Ubuntu Linux (the latest at the time of writing is Ubuntu 11.04, preferably Server Edition).
  • Know how to use the VI editor or any text editor in a Linux environment.
  • Physical machine(s) or virtual machine(s).
  • 6GB of hard drive space is more than enough. Though, if you’re concerned about keeping tons of accounting logs, feel free to increase the size.
  • 256MB of RAM should be enough. Start small and monitor your memory usage.

Instructions

Below are the steps in successfully implementing TACACS+ to your routers and switches.

Download, Install and Update

Download, install and update Ubuntu 11.04 Server Edition on your machine(s). While one machine is enough, I suggest deploying two for backup. If getting another physical/virtual machine is an issue, then do not worry about it. A backup user account will be created in this tutorial, so when TACACS+ is not available, network administrators/technicians/engineers can still authenticate and issue commands.

Download and install TACACS+. To download TACACS+, issue the command below:

sudo apt-get install tacacs+

Edit tac_plus Configuration File

Once installed, you’re now ready to edit the tac_plus configuration file. I will try to break down the configuration file to explain what it does.

Use the VI editor to edit the configuration file. Feel free to use nano or any other text editor available.

admin@ubuntu:~$ vi /etc/tacacs+/tac_plus.conf

The default location of the TACACS+ accounting log is /var/log/tac_plus.acct. Feel free to change this to your liking. However, I suggest you restrict the read and write permissions using chmod, so that only certain users or groups are allowed to edit or view the file.

accounting file = /var/log/tac_plus.acct

Define TACACS+ Key

Define your TACACS+ key here. Remember this key since it will be used later on your AAA configuration.

key = tacacskey123

User Accounts And Groups

In this section, I will create three user accounts and assign them to their proper group.

#*************************
#***USERS ACCOUNTS HERE***
#*************************
user = NetworkEngineer1 {
        member = Network_Engineers
}
user = FieldTech1 {
        member = Field_Techs
}
user = Manager1 {
        member = Managers
}

In this tutorial, I will not use the built-in DES encryption of the TACACS+ daemon, because DES was cracked back in the late 90s. I will use Linux’s default authentication and incorporate it into tac_plus.conf.

This section will create the groups, specify their authentication method (in this case /etc/passwd, i.e. Linux user authentication), and define which commands the groups are authorized to use.

Network engineers have all commands available to them. The default service = permit parameter tells the TACACS+ daemon that all commands are allowed for this group. The login = file /etc/passwd parameter tells the daemon to look for a matching user account and password in that file; if they match, the account is allowed to log in to the router or switch. The enable = file /etc/passwd parameter tells the daemon to match the user account’s password the same way; if it matches, the user is allowed to enter privileged EXEC mode, also known as enable mode.

#*************************
#***   GROUPS HERE     ***
#*************************
group = Network_Engineers {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
}

Permissions

Field Technicians, on the other hand, have a default service = deny parameter, which tells the daemon that, apart from user EXEC commands, nothing is allowed unless it is explicitly permitted. Having said that, you will need to permit the commands that they’re allowed to use. service = exec with priv-lvl = 2 allows us to give a higher privilege than an ordinary user. We do not want to give this group privilege level 15, meaning the same level as the network engineers. I will not explain all the parameters here since I believe they’re pretty much self-explanatory for an IT professional who knows Cisco IOS.

group = Field_Techs {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = exec {
        priv-lvl = 2
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = do {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit terminal
        }
        cmd = interface {
                permit .*
        }
        cmd = shutdown {
                permit .*
        }
        cmd = no {
                permit shutdown
        }
        cmd = speed {
                permit .*
        }
        cmd = duplex {
                permit .*
        }
        cmd = write {
                permit memory
        }
        cmd = copy {
                permit running-config
        }
}
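To see how the cmd blocks above actually gate a command, here is an added Python example (not the daemon’s code and not part of the post) that models tac_plus command authorization for the Field_Techs group: the first word of the command selects the cmd block, the rest of the line is matched against each permit/deny pattern in order, and a command with no cmd block falls back to default service. Python’s re module stands in for the daemon’s POSIX regex engine; the unanchored matching and the deny-when-no-pattern-matches rule are my understanding of tac_plus and should be verified against the version you deploy; FIELD_TECHS_ANCHORED is a hypothetical hardened variant of the page’s rules, not something the post configures.

```python
import re

# Constructed: the Field_Techs rules from the tutorial, transcribed into Python data.
# Each cmd block is an ordered list of (action, regex) entries, as in tac_plus.conf.
FIELD_TECHS = {
    "default_service": "deny",
    "cmds": {
        "enable":    [("permit", r".*")],
        "show":      [("permit", r".*")],
        "do":        [("permit", r".*")],
        "exit":      [("permit", r".*")],
        "configure": [("permit", r"terminal")],
        "interface": [("permit", r".*")],
        "shutdown":  [("permit", r".*")],
        "no":        [("permit", r"shutdown")],
        "speed":     [("permit", r".*")],
        "duplex":    [("permit", r".*")],
        "write":     [("permit", r"memory")],
        "copy":      [("permit", r"running-config")],
    },
}

# Hypothetical hardened variant (assumption, not from the post): every argument
# pattern that names a specific word is anchored with ^ and $.
FIELD_TECHS_ANCHORED = {
    "default_service": "deny",
    "cmds": {
        **FIELD_TECHS["cmds"],
        "configure": [("permit", r"^terminal$")],
        "no":        [("permit", r"^shutdown$")],
        "write":     [("permit", r"^memory$")],
        "copy":      [("permit", r"^running-config startup-config$")],
    },
}


def authorize(group, command):
    """Model of tac_plus command authorization (assumption about the daemon):
    the first word selects the cmd block; the remaining words are matched against
    each pattern in order with an unanchored regex search and the first match
    decides; a block where nothing matches denies; no block at all falls back to
    the group's default service."""
    words = command.split()
    if not words:
        return False
    name, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(name)
    if rules is None:
        return group["default_service"] == "permit"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False


def unanchored_patterns(group):
    """Review helper: list argument patterns that are neither the catch-all '.*'
    nor anchored, since an unanchored word matches anywhere in the argument string."""
    found = []
    for name, rules in group["cmds"].items():
        for _action, pattern in rules:
            if pattern == r".*":
                continue
            if not (pattern.startswith("^") and pattern.endswith("$")):
                found.append((name, pattern))
    return found


if __name__ == "__main__":
    samples = [
        "configure terminal", "no shutdown", "no ip address 10.0.0.1 255.255.255.0",
        "write memory", "write erase", "copy running-config startup-config",
        "copy startup-config running-config", "copy running-config tftp:", "reload",
    ]
    for cmd in samples:
        print(f"{cmd:40} original={authorize(FIELD_TECHS, cmd)!s:5} "
              f"anchored={authorize(FIELD_TECHS_ANCHORED, cmd)}")
    print("patterns worth reviewing:", unanchored_patterns(FIELD_TECHS))
```

The point worth checking in your own config is the unanchored patterns: permit running-config under cmd = copy also matches copy startup-config running-config and copy running-config tftp:, which is more than a field technician needs for saving the configuration. Anchoring the argument pattern restricts the match to exactly the intended form (in tac_plus.conf a pattern containing a space has to be quoted, e.g. permit "^running-config startup-config$"), and unanchored_patterns() lists the entries to look at.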

Managers are given access as well; however, the only privileged EXEC mode command allowed is show running-config. Feel free to add more commands as necessary for your boss and/or your boss’s boss.

group = Managers {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = exec {
        priv-lvl = 2
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
}

Creating a test user account and group might be a good idea, so you can test the things that have been added to this configuration. This particular test user will only have a cleartext password.

user = test {
        member = Test_Group
}
group = Test_Group {
        default service = deny
        # cleartext password, test account only
        login = cleartext password1
        enable = cleartext password1
        service = exec {
                priv-lvl = 2
        }
}

Restart tac_plus Daemon

Most of the time in a Linux/Unix environment, you need to restart the daemon before your configuration takes effect.

admin@ubuntu:~$ sudo /etc/init.d/tacacs_plus restart
password for admin:
 * Restarting TACACS+ authentication daemon tacacs+                      [ OK ]
admin@ubuntu:~$

User Accounts

It is now time to create the user account under Linux.

admin@ubuntu:~$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
The home directory `/home/test' already exists.  Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y

Change Password

For the password, please use the organization’s standard on default passwords. Always remind the users to change their password when they first log in. To change the password, have the user issue the command below.

test@ubuntu:~$ passwd
Changing password for test.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

If I am showing you how to add a Linux user account, then I should show you how to remove an account as well, since all organizations lose good and/or bad employees all the time. Not deleting an account is a big no-no and obviously a huge security risk.

admin@ubuntu:~$ sudo deluser test
password for admin:
Removing user `test' ...
Warning: group `test' has no more members.
Done.

Changing IP Address

When you first install Ubuntu, it uses DHCP, and that’s not a great idea for a server (at the time of writing). You will need to change the IP configuration on this server so you can specify the IP of the TACACS+ server(s) on routers and switches.

admin@ubuntu:~$ sudo vi /etc/network/interfaces

Look for the following:

# The primary network interface
auto eth0
iface eth0 inet dhcp

Once found, change it to something similar:

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.10.100
        netmask 255.255.255.0
        network 192.168.10.0
        broadcast 192.168.10.255
        gateway 192.168.10.254

Again, if you change something, the service needs to be restarted.

admin@ubuntu:~$ sudo /etc/init.d/networking restart
 * Reconfiguring network interfaces...                                   [ OK ]
admin@ubuntu:~$

If you chose to have two TACACS+ servers and you used a VM, then you don’t need to do a whole lot. Just clone your TACACS+ VM, change the hostname and IP address and you’re done. Make sure your two TACACS+ VMs are not on the same physical host, so your implementation is fault tolerant.

Cisco Configuration

How to configure AAA on Cisco routers and switches is covered here, and how to configure AAA on Cisco ASA is covered here. To create an ACL on tac_plus, please see this post.

Final Words

TACACS+ is now ready to go. Congratulations, you just accomplished one part of hardening your organization’s networking devices!

Do not be afraid of Linux. There are a lot of freebies out there that can help your organization save money on network tools, etc. Being free, it won’t be as fancy as the paid software, but it will get the job done.

I hope this tutorial has been helpful and thank you for reading!


You might also like to read

TACACS+ (tac_plus daemon) ACL
Adding two-factor authentication (2FA) to TACACS+
How to configure AAA on Cisco router/switches
Enabling AAA on Cisco ASA

Reference

TACACS+ and RADIUS Comparison

Want to learn more about AAA?

AAA Identity Management Security



Filed Under: Linux, Security Tagged With: AAA, Network Security, tac_plus, TACACS+, Ubuntu

How to configure AAA on Cisco router/switches

10/01/2011 By Andrew Roderos Leave a Comment


I talked about tac_plus here, which covers how to build and configure a TACACS+ server. In this blog post, I will cover how to configure AAA on Cisco routers and switches to work in conjunction with the tac_plus setup covered in the previous post.

Backup Local Account

I think the first important step before enabling AAA on Cisco routers and switches is to create a backup local account. One could also configure the device to just use the enable secret as a way to log in, but I personally prefer the local account.

username backup password strongpassword

Pointing Cisco device to TACACS+ server

Once the local user account is configured, you also need to point your networking devices to the TACACS+ server.

tacacs-server host 192.168.10.100
tacacs-server host 192.168.10.101
!
tacacs-server directed-request
tacacs-server key tacacskey123

Configuring AAA

Now you’re going to configure AAA on our networking devices. Start by enabling AAA in global configuration mode:

aaa new-model

These two lines enable the authentication part and tell our networking devices to use TACACS+ first, before the local account. Should both of your TACACS+ servers go down, the local user account is allowed to be used.

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

These commands enable command authorization for the user or group. In some TACACS+ implementations you do not need aaa authorization commands 0 default group tacacs+ none, but for our implementation we’re going to include it.

aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands

These commands will start recording what commands are being issued on our networking devices. If you do not have a tool for tracking configuration changes like RANCID, then this can be a valuable tool to see what was done. However, reading the accounting log on the TACACS+ server is messy. I suggest you implement RANCID if the organization does not have tools like AlterPoint Network Authority or SolarWinds Network Configuration Manager.

aaa accounting update newinfo periodic 5
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group tacacs+
aaa session-id common

Now we need to pick a source interface for talking to our TACACS+ server. There are scenarios where our routers and/or multilayer switches have two or more links going to our data center, so using a loopback is always a good idea. For layer two switches, the management VLAN interface will be just fine.

ip tacacs source-interface loopback0

Congratulations, you just accomplished one part of hardening your organization’s networking devices!


You might also like to read

How to configure tac_plus (TACACS+ daemon) on Ubuntu Server
TACACS+ (tac_plus daemon) ACL
Adding two-factor authentication (2FA) to TACACS+

Want to learn more about AAA?

AAA Identity Management Security



Filed Under: Security Tagged With: AAA, Cisco, IOS, Network Security, tac_plus, TACACS+



Copyright © 2011–2023 · NetworkJutsu · All Rights Reserved · Privacy Policy · Terms of Use