17. November 2012 · Cisco ASA 5500 Dual ISP Connection [Failback] · Categories: Cisco

Starting from version 7.2(1), the Cisco ASA 5500 series firewall supports Dual-ISP operation. You can connect two interfaces of the firewall to two different ISPs and use the “SLA Monitor” feature (SLA = Service Level Monitoring) to monitor the link to the primary ISP; if that link fails, traffic is routed to the backup ISP.

[Figure: ASA 5500 dual ISP connection]

Assume that the Primary ISP (ISP-1) has assigned to us the public IP address 100.100.100.1 with gateway 100.100.100.2. Also, the Backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, then traffic should be redirected to the Backup ISP. We can configure an SLA monitor service which will be checking every 30 seconds (using a ping echo request) the availability of the primary Gateway IP address (100.100.100.2). If there is no response in 20000 milliseconds (20 sec), then the default route will be redirected to the Backup ISP. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 20000
asa5500(config-sla-monitor-echo)# frequency 30
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254

Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs, the first one with name ‘outside’ (security level 0) and the second one with name ‘backup-isp’ (security level 1).
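To make the interaction between the SLA probe, the track object and the two default routes concrete, here is an added Python model of the failover and failback behaviour (example code, not ASA code and not part of the original post). It assumes that a single failed probe brings track 1 down and a single successful probe brings it back up; the probe results fed in are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    gateway: str
    distance: int                 # administrative distance (1 beats 254)
    track: Optional[int] = None   # track object the route depends on, if any


# Constructed to mirror the two default routes in the post.
ROUTES = [
    StaticRoute("outside", "100.100.100.2", 1, track=1),
    StaticRoute("backup-isp", "200.200.200.2", 254),
]


def probe_ok(rtt_ms: Optional[float], timeout_ms: int = 20000) -> bool:
    """One ipIcmpEcho probe toward the primary gateway: None means no reply,
    and a reply that arrives after the timeout counts as a failure too."""
    return rtt_ms is not None and rtt_ms <= timeout_ms


def active_default_route(routes, track_state):
    """Pick the installed default route: among the routes whose track object
    is up (or that have none), the one with the lowest administrative distance."""
    usable = [r for r in routes if r.track is None or track_state.get(r.track, True)]
    return min(usable, key=lambda r: r.distance)


def simulate(probe_rtts, timeout_ms=20000, routes=ROUTES):
    """Feed one probe result per 30-second SLA cycle through the reachability
    track and return the egress interface in use after each cycle."""
    egress = []
    for rtt in probe_rtts:
        track_state = {1: probe_ok(rtt, timeout_ms)}   # "track 1 rtr 100 reachability"
        egress.append(active_default_route(routes, track_state).interface)
    return egress


if __name__ == "__main__":
    # Two good probes, two lost probes (failover), then recovery (failback).
    print(simulate([12, 15, None, None, 9]))
```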

12. August 2012 · Anyconnect without the portal? · Categories: Cisco

In ASDM go to Remote Access VPN > Network Client Access > Group Policies, select the group policy you would like to change and click Edit. In the group policy screen click More Options, then uncheck Clientless SSL VPN and make sure SSL VPN Client is checked. Apply the change.

After this change users will hit the SSL VPN web page, log in, and then be connected with the AnyConnect client. The credentials from the SSL login web page are passed through to the AnyConnect client. If AnyConnect was not installed, it will be after the login.

07. August 2012 · Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance · Categories: Cisco

To recover passwords for the ASA, perform the following steps:

Step 1 Connect to the ASA console port according to the instructions in the “Accessing the Appliance Command-Line Interface” section.

Step 2 Power off the ASA, and then power it on.

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

Step 4 To update the configuration register value, enter the following command:

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM…

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

rommon #1> confreg


21. July 2012 · Keep SecureCRT Synchronized Between Computers with Dropbox · Categories: Cisco

Anyone who has ever used SecureCRT as their SSH client knows how easy, powerful and convenient it is to use. However, one of the biggest problems with SecureCRT is keeping your saved sessions in sync across multiple desktops, laptops, etc. If you change jobs, switch between a laptop and a desktop, or between a work computer and a home computer, you have to copy the config folder or manually recreate every saved session on each computer. It can be a big hassle.

Well, today we have a great solution for instantly syncing all of your session information across as many computers as you need, and it will even sync with any new computers you buy in the future.

The trick to solving this issue is to store your VanDyke config folder in a Dropbox folder!

What is Dropbox? Dropbox is a free cloud storage service that allows you to privately store and access any files you want, up to 2 GB.

So here’s how it works.

18. July 2012 · How To Calculate OSPF Cost · Categories: Cisco

As a CCNA / CCNP candidate you are expected to understand how to set and interpret the OSPF cost function on your Cisco devices.

During your career as a Cisco network engineer you will have to deal with setting and manipulating the OSPF costs on an interface.

OSPF uses a metric called “Cost” to calculate the metric of a path. The cost is cumulative: each link along the path adds its own cost to the total.

By default the cost is based on the bandwidth of the interface: the higher the interface bandwidth, the lower the cost associated with that interface. To see the cost assigned to any given interface that is participating in OSPF, issue the following command:

Router# show ip ospf interface

The output of this command shows the cost currently assigned to the interface. The cost is calculated by dividing a value known as the “auto-cost reference-bandwidth” by the bandwidth of the interface. The auto-cost reference-bandwidth is an integer used to produce a consistent metric across OSPF and defaults to 100,000,000. The cost is calculated as follows:

Cost = 100,000,000 / BW
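An added example (not from the post) that applies this formula to several interface speeds the way Cisco IOS does: integer division, with any result below 1 raised to 1. It also shows the practical consequence of the default reference bandwidth, namely that every interface of 100 Mbps or faster ends up with cost 1, and how the table changes when the reference bandwidth is raised with `auto-cost reference-bandwidth` (value in Mbps); the interface list is constructed.

```python
# Default auto-cost reference-bandwidth: 100,000,000 bps (100 Mbps).
REFERENCE_BW_BPS = 100_000_000


def ospf_cost(interface_bw_bps: int, reference_bw_bps: int = REFERENCE_BW_BPS) -> int:
    """Cost = reference bandwidth / interface bandwidth, truncated to an
    integer; IOS never assigns a cost lower than 1."""
    cost = reference_bw_bps // interface_bw_bps
    return max(cost, 1)


def mbps(n: int) -> int:
    """Convert Mbps (the unit of 'auto-cost reference-bandwidth') to bps."""
    return n * 1_000_000


# Constructed sample of common interface speeds in bits per second.
INTERFACES = {
    "Serial0/0 (T1)": 1_544_000,
    "Ethernet0": 10_000_000,
    "FastEthernet0/0": 100_000_000,
    "GigabitEthernet0/1": 1_000_000_000,
    "TenGigabitEthernet1/1": 10_000_000_000,
}


def cost_table(interfaces=INTERFACES, reference_bw_bps: int = REFERENCE_BW_BPS) -> dict:
    """Cost of every interface under a given reference bandwidth."""
    return {name: ospf_cost(bw, reference_bw_bps) for name, bw in interfaces.items()}


def indistinguishable(interfaces=INTERFACES, reference_bw_bps: int = REFERENCE_BW_BPS) -> list:
    """Interfaces that all collapse to the minimum cost of 1, i.e. links
    OSPF can no longer tell apart when choosing a path."""
    return [name for name, cost in cost_table(interfaces, reference_bw_bps).items() if cost == 1]


if __name__ == "__main__":
    print(cost_table())                                  # FE, GE and 10GE all cost 1
    print(cost_table(reference_bw_bps=mbps(100_000)))    # after 'auto-cost reference-bandwidth 100000'
```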

18. July 2012 · OSPF Special Area Types · Categories: Cisco

18. July 2012 · Calculating EIGRP Metric · Categories: Cisco

The IGRP metric for a path to a destination is calculated by the following rather complex formula:

IGRP Metric for the path =
[K1 * (B) + (K2 * (B))/(256-(Load)) + K3*(D)] * [K5/((Reliability) + K4)]

where:

K1, K2, K3, K4, K5: all are constants. Default values are: K1=K3=1, K2=K4=K5=0
(B) = 10,000,000 / (Smallest bandwidth in kilobits, along the path)
(Load): Outgoing interface load at this router, measured from integer 1 (0%) to 255 (100%)
(D) = Sum of outgoing interface delays along the path, starting from this router, in microseconds, then divided by 10
(Reliability): Outgoing interface reliability at this router, measured from integer 1 (0%) to 255 (100%)

When we fill K1 to K5 constants with default values into the formula, it becomes very simple:

IGRP Metric for the path = (B) + (D)

Wait, what about EIGRP metric? EIGRP metric is just equal to the calculated IGRP metric value multiplied by 256.

EIGRP Metric for the path = 256 * (IGRP Metric for the path)

Of course, after the router calculates the metric values of all candidate paths to the destination, it chooses the path with the smallest metric value to put in its routing table.

18. July 2012 · Concepts of Spanning Tree Protocol · Categories: Cisco

18. July 2012 · OSPF Stub Areas · Categories: Cisco

OSPF Stub Areas

OSPF stub areas limit the parts of the network into which specific LSAs are allowed. The idea is that an OSPF router must process every LSA it receives, which takes a certain amount of processor and memory resources. By limiting the types of LSAs that can reach specific areas, the devices within these stub areas do not have to be as powerful, yet they still retain reachability to the rest of the OSPF network.

There are three main types of OSPF stub areas:

  • Stub Areas
  • Totally Stubby Areas
  • Not So Stubby Areas

Stub Areas

An area that is configured as a stub is able to receive all types (as discussed above) of LSA except an LSA Type 5. Any routes that are destined for external networks are forwarded using a default route that is injected into the network in place of the LSA Type 5.

Totally Stubby Areas

Like a stub area, a totally stubby area cannot receive LSA Type 5 packets. In addition, it cannot receive LSA Type 3 packets that carry network advertisements (not external) from other areas. Again, like a stub area, all traffic destined for these networks (both internal networks outside the area and external networks) follows a default route that is injected in place of both the LSA Type 3 and Type 5.

Not So Stubby Areas (NSSA)

A NSSA is almost exactly the same as a normal stub area but allows an ASBR (Autonomous System Boundary Router) to exist within the area. With a typical stub area, it is not possible to locate an ASBR inside the area as LSA type 5 packets are not allowed. A NSSA gets around this by using an LSA Type 7 packet in place of the LSA Type 5 packet within the NSSA; once this traffic from the ASBR exits the NSSA it is converted to an LSA Type 5 for transmission to the rest of the OSPF network.

18. July 2012 · LSA types defined in OSPF · Categories: Cisco

The LSA types defined in OSPF are as follows:

  • Type 1 – Router LSA – the router announces its presence and lists the links to other routers or networks in the same area, together with the metrics to them. Type 1 LSAs are flooded across their own area only. The link-state ID of the type 1 LSA is the originating router ID.
  • Type 2 – Network LSA – the designated router (DR) on a broadcast segment (e.g. Ethernet) lists which routers are joined together by the segment. Type 2 LSAs are flooded across their own area only. The link-state ID of the type 2 LSA is the IP interface address of the DR.
  • Type 3 – Summary LSA – an Area Border Router (ABR) takes information it has learned on one of its attached areas and it can summarize it (but not by default) before sending it out on other areas it is connected to. This summarization helps provide scalability by removing detailed topology information for other areas, because their routing information is summarized into just an address prefix and metric. The summarization process can also be configured to remove a lot of detailed address prefixes and replace them with a single summary prefix, also helping scalability. The link-state ID is the destination network number for type 3 LSAs.
  • Type 4 – ASBR-Summary LSA – this is needed because Type 5 External LSAs are flooded to all areas and the detailed next-hop information may not be available in those other areas. This is solved by an Area Border Router flooding the information for the router (i.e. the Autonomous System Boundary Router) where the type 5 originated. The link-state ID is the router ID of the described ASBR for type 4 LSAs.
  • Type 5 – External LSA – these LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas (except stub areas). For “External Type 1” LSAs routing decisions are made by adding the OSPF metric to get to the ASBR and the external metric from there on, while for “External Type 2” LSAs only the external metric is used. The link-state ID of the type 5 LSA is the external network number.
  • Type 6 – Group Membership LSA (only supported on a few routers) – this was defined for Multicast extensions to OSPF (MOSPF)[1], a multicast OSPF routing protocol which was not in general use. MOSPF has been deprecated since OSPFv3[2] and is not currently used. It may be reassigned in the future.
  • Type 7 – Routers in a Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network.
  • Type 8 – A link-local only LSA for OSPFv3. A Type 8 LSA is used to give information about link-local addresses and a list of IPv6 addresses on the link. In OSPFv2, however, the Type 8 was originally intended to be used as a so-called External-Attributes-LSA for transit autonomous systems where OSPFv2 could replace the internal Border Gateway Protocol (iBGP). In these networks, the BGP destinations would be carried in LSA Type 5 while their BGP attributes would be inserted into LSA Type 8. Most OSPFv2 implementations never supported this feature.
  • Type 9 – a link-local “opaque” LSA (defined by RFC2370) in OSPFv2 and the Intra-Area-Prefix LSA in OSPFv3. It is the OSPFv3 LSA that contains prefixes for stub and transit networks in the link-state ID.
  • Type 10 – an area-local “opaque” LSA as defined by RFC2370. Opaque LSAs contain information which should be flooded by other routers even if the router is not able to understand the extended information itself. Typically type 10 LSAs are used for traffic engineering extensions to OSPF, flooding extra information about links beyond just their metric, such as link bandwidth and color.
  • Type 11 – an AS “opaque” LSA defined by RFC 5250, which is flooded everywhere except stub areas. This is the opaque equivalent of the type 5 external LSA.[3]

The opaque LSAs, types 9, 10, and 11, are designated for upgrades to OSPF for application-specific purposes. For example, OSPF-TE has traffic engineering extensions to be used by RSVP-TE in Multiprotocol Label Switching (MPLS). Opaque LSAs are used to flood link color and bandwidth information. Standard LSDB flooding mechanisms are used for distribution of opaque LSAs. Each of the three types has a different flooding scope.

For all types of LSAs, there are 20-byte LSA headers. One of the fields of the LSA header is the link-state ID.