Over at www.networking-forum.com, Infinite is studying for his CCIE. I an attempt to cover everything down to the last detail, He has shared his experience with Lock-and-Key security. This is achieved with access-lists.
As he mentions, unsure of it’s Enterprise application but nonetheless an important feature of the IOS software.
Enjoy the link. I thoroughly support this community. Great people and very knowledgable.
References
Get on this one. Handy resource for home labbing or pushing your skills further.
I am currently working on a new Blog Post involving Ultramarines, Dark Angels and Space Wolves combining together against the forces of Chaos. With the different Chapters involved it will require the use of redistribution to create 3-way communication amongst the hosts.
Stay Tuned my Brothers.
Frame Relay. Important Topic within the network world. I am a little overwhelmed with its operational modes, especially surrounding OSPF and Frame Relay. I am getting there but it is definitely slowing my progress down. Had hoped to be into Route Redistribution/Manipulation and making head way into BGP.
Anyone found a good way to help remember Frame Relay concepts?
Today we go through the example of Thunder Hawk Down. Apologies for the slow reply. I had my engagement party on Saturday night and found myself busy getting ready last week.
Just recapping on the objectives.
Objectives
Step 1
Configure Router Hostnames and Line Console Parameters
Here under each router I configure the Hostname to allow for identification of devices. Under line con 0 I configure no exec-timeout. This means my console session will no log out. This is great for GNS3 as idle-pc values stop working and my CPU maxes to 100%. Never use no exec-timeout in a production environment. Logging synchronous stops console messages from interrupting you whilst you type.
HQ
hostname HQ
line con 0
no exec-timeout
logging synchronous
MainGate
hostname MainGate
line con 0
no exec-timeout
logging synchronous
Icebane
hostname Icebane
line con 0
no exec-timeout
logging synchronous
Step 2
Configure Interface IP addresses and Loopbacks
Here I have configured the IP addresses according to the scheme. I have added descriptions to help identify links. The ip ospf network point-to-point command advertises the proper subnet mask into the routing table.
HQ
int s0/0
desc Link to Main Gate
clock rate 64000
ip add 10.137.88.5 255.255.255.252no shut
MainGate
int s0/0
desc Link from HQ
ip add 10.137.88.6 255.255.255.252
no shut
int s0/1
ip add 10.137.88.1 255.255.255.252
desc Link to Crash Site
clock rate 64000
no shut
exit
int lo100
ip add 192.168.100.1 255.255.255.252
ip ospf network point-to-point
int lo200
ip add 192.168.100.5 255.255.255.252
ip ospf network point-to-point
int lo300
ip add 192.168.100.9 255.255.255.252
ip ospf network point-to-point
int lo400
ip add 192.168.100.13 255.255.255.252
ip ospf network point-to-point
Icebane
int s0/1
ip add 10.137.88.2 255.255.255.252
desc Link from Main Gate
ip ospf message-digest-key 1 md5 spacewolf
no shut
exit
int lo100
ip add 172.16.16.1 255.255.255.0
ip ospf network point-to-point
int lo101
ip add 172.16.17.1 255.255.255.0
ip ospf network point-to-point
int lo102
ip add 172.16.18.1 255.255.255.0
ip ospf network point-to-point
int lo103
ip add 172.16.19.1 255.255.255.0
ip ospf network point-to-point
int lo104
ip add 172.16.20.1 255.255.255.0
ip ospf network point-to-point
Confirm links are up and up with show ip int br.
MainGate
MainGate(config-router)#do show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Serial0/0 10.137.88.6 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/1 10.137.88.1 YES manual up up
Loopback100 192.168.100.1 YES manual up up
Loopback200 192.168.100.5 YES manual up up
Loopback300 192.168.100.9 YES manual up up
Loopback400 192.168.100.13 YES manual up up
Step 3
Initiate the OSPF Process on the routers. Confirm configuration.
HQ
router ospf 1
router-id 1.1.1.1
network 10.137.88.0 0.0.0.255 area 0
MainGate
router ospf 1
router-id 2.2.2.2network 10.137.88.0 0.0.0.3 area 252
network 10.137.88.4 0.0.0.3 area 0
network 192.168.100.0 0.0.0.255 area 252
Icebane
router ospf 1
router-id 3.3.3.3
network 10.137.88.0 0.0.0.3 area 252
network 172.16.16.0 0.0.7.255 area 164
It is important to set the router-id. This comes in handy for a number of things such. Reading outputs and confirming changes in the OSPF process. In our case, we need it set for the Virtual Link to re-establish communication to the Icebane.
Step 4
Configure OSPF Virtual Link between Icebane and MainGate. Communication must be authenticated.
A sense of urgency has frenzied the Orks. We must securely re-establish contact with our brethren. A quick set of commands will allow connectivity to the downed bird.
HQ
int s0/0
ip ospf message-digest-key 1 md5 spacewolf
router ospf 1
area 0 authentication message-digest
MainGate
int s0/0
ip ospf message-digest-key 1 md5 spacewolfint s0/1
ip ospf message-digest-key 1 md5 spacewolfrouter ospf 1
area 0 authentication message-digest
area 252 authentication message-digest
area 252 virtual-link 3.3.3.3 message-digest-key 1 md5 spacewolf
Icebane
int s0/1
ip ospf message-digest-key 1 md5 spacewolf
router ospf 1
area 0 authentication message-digest
area 164 authentication message-digest
area 252 authentication message-digest
area 252 virtual-link 2.2.2.2 message-digest-key 1 md5 spacewolf
It is extremely important to set this up correctly. Under the OSPF process you must enable area-wide authentication. This is done on each other. In the case of MainGate there is an interface in each area. This means the command must be entered for each area the BDR sits in.
This is demonstrated by the area 0 and area 252 commands.
MD5 must be configured area wide then on the virtual links. The Virtual Links authentication type must match the area authentication type. In this case we need a secure link so we are going to use Message-Digest.
Area 252 virtual-link 3.3.3.3 command on the MainGatec creates the virtual link. On Icebane, it must be configred as 252 virtual-link 2.2.2.2. The reason Icebane uses area 252 is that the virtual link must be configured with the area that it traverses to reach Area 0.
Adding on the message-digest-key 1 md5 spacewolf ensures that the md5 authentication is used on the virtual link. The number 1 stipulates the key #, md5 the type, and the passkey of spacewolf. The passkey is case sensitive.
Under each interface the command ip ospf message-digest-key 1 md5 spacewolf command must be issued. This specifies md5 authentication using key 1 and the type of auth as md5. The use of the passkey spacewolf is used here.
You can confirm the status of the virtual link by issuing the following
MainGate# show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 252, via interface Serial0/1, Cost of using 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
Youngest key id is 1
The second line states that OSPF_VL0 (the virtual link we set up) to 3.3.3.3 (Icebane) is up. The second last line shows MD5 is being used and the key number 1 which we set to use the passkey of spacewolf is being used.
Step 5
Verify
Now some show commands
Icebane(config-router)#do show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static routeGateway of last resort is not set
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.20.0 is directly connected, Loopback104
C 172.16.16.0 is directly connected, Loopback100
C 172.16.17.0 is directly connected, Loopback101
C 172.16.18.0 is directly connected, Loopback102
C 172.16.19.0 is directly connected, Loopback103
10.0.0.0/30 is subnetted, 2 subnets
C 10.137.88.0 is directly connected, Serial0/1
O 10.137.88.4 [110/128] via 10.137.88.1, 00:09:10, Serial0/1
192.168.100.0/24 is variably subnetted, 4 subnets, 2 masks
O 192.168.100.12/30 [110/65] via 10.137.88.1, 00:09:40, Serial0/1
O 192.168.100.8/30 [110/65] via 10.137.88.1, 00:09:40, Serial0/1
O 192.168.100.4/30 [110/65] via 10.137.88.1, 00:09:40, Serial0/1
O 192.168.100.1/32 [110/65] via 10.137.88.1, 00:09:41, Serial0/1
Voila! Connection to area 0 and 252. This is show by the connection to 10.137.88.4 network (Serial link from HQ to MainGate). A quick ping to confirm.
Icebane(config-router)#do ping 10.137.88.5
Sending 5, 100-byte ICMP Echos to 10.137.88.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/53/88 ms
“Icebane, Icebane, this is Brother Commander Longfang do you copy? We are closing on your position. Hold tight. Over”
A foul stench permeated the air. Blood, Bile and bullet casings were scattered amongst the green tide. The surging sea of Greenskins had been calmed to a pool of death. The sight before the Space Wolves was enough to turn the most seasoned warriors bowels to water. Yet, they moved onwards with a sense of loss setting in.
“Co…Comm…Darius” a meek voice called out in amongst the sea of Orks “Thank you”. It was Captain Jelk of the 2nd Heavy Division. He had been severely injured and desperately required a medic. With communications restored, a Thunderhawk with the Clans Apothecaries arrived on site within minutes and plucked the stranded and injured troops to safety.
Darius surveyed the scene. He muttered to no one in particular, “On the wings of darkness do these Orks ride. Something else gives hast to their passage. Praise Russ that we find them soon.”
Again, another great book of the day. Help bridge the New word old world divide with SIP Trunking. This book in the VoIP series is one for the collection.
- By Christina Hattingh, Darryl Sladden, ATM Zakaria Swapan
- Published by Cisco Press.
- Series: Networking Technology: IP Communications.
- Pages: 360
The first complete guide to planning, evaluating, and implementing high-value SIP trunking solutions Most large enterprises have switched to IP telephony, and service provider backbone networks have largely converted to VoIP transport. But there’s a key missing link: most businesses still connect to their service providers via old-fashioned, inflexible TDM trunks.
http://www.ciscopress.com/deals
Up next, the answers to Thunder Hawk Down.
Ciscopress.com offer the book of the day. Digital copies of their books for $9.99. Massively reduced, these e-books come personalized with your name. 
For the past couple of days, the CCNP ROUTE 642-902 OCF has been up for sale. Good price for a good book. Great for the iPad or Laptop.
The sickening screech of scraping metal roared up the embankment on the horizon. Blood curdling screams of terror. brought home the stark reality of the situation. Thunder Hawk Icebane succumbed to Ork Rokkit Fire. “Brother Commander Darius Longfang, deploy the links and secure the channels. We need to re-establish contact with the Icebane.” a voice crackled down the vox caster. As the Wolves pushed their advance, the Orks proved to be a endless green tide of destruction. It was only a matter of time before Icebane was overwhelmed and the survivors of the crash surrounded and killed. Communication must be made to inform them that help was on its way.
Objectives
I will post the answers shortly.
Simple. Sign it. http://etherealmind.com/cisco-ios-petition-reloaded/
We the undersigned ask Cisco to consider our petition for an open and usable IOS Emulator for learning, study and training.
We are the people who are learning about Data networking and Cisco IOS software. As students and practitioners, we need to learn theory and knowledge and then to take that knowledge and practice on Cisco IOS software.
We want to be able to practice that knowledge, and demonstrate our competence. We know that you are considering the value. This petition is to show our need for this solution. Wendel Odom discusses the possibility Cisco Considers IOS for Certifcation Self Study and we are calling for Cisco to make an option available.
This experience and knowledge we gain gives us the capability to make the most of Cisco equipment for our employers, your customers. We help drive the best return on investment, and keep the network performing in the way that your customers expect.
We can test configurations prior to making and be better prepared. We can develop more complex configurations than would otherwise be possible, and not blame the equipment afterwards.
We resolve problems more quickly, we make better designs and we have greater confidence in our work. We raise less support cases (and reduce your costs) by being to perform our own testing and validation.
Whether we are resellers, consultants, students or just interested in learning, we all need an practical method to access IOS and practice.
Therefore, we are asking Cisco Systems to make a version of IOS available for educational and testing purposes.
Grimnar’s Black Fangs. Magingald IV.
<<<.//TRNMSN.SEC.CH.412-a.\\>>>
…buffering…
“The importance of security is paramount, Brother Captain. You must implement the right type of Authentication on our OSPF links. Our secure channels must stay open while we are besieged or all will be lost. The heretics will attempt to compromise your network and you must strengthen our defenses. Praise the Emperor and see you on the other side. Fang Leader Grimnar out”
OSPF authentication is setup under the interface. The command ip ospf authentication enables clear text authentication. Next command specifies the key, in this case cisco. The neighbors with expire due to authentication mismatch.
Now the same is configured on the opposite link and the neighbors agree on authentication and establish a neighbor relationship.
The command show ip ospf interface serial 0/0 shows that Simple password authentication is enabled.
Dangers lurk from beyond the void. If heretics manage to infiltrate the network a simple packet capture could be all that stops them from joining the OSPF process and tampering with your links. This capture of a OSPF hello packet shows the Auth Type: Simple Password. Also shows the Auth Data: cisco captured from the Hex information. 636973636f000000 translates into cisco. This is bad and a major security flaw that Fang Leader Grimnar wanted addressed.
The ip ospf authentication message-digest command initiates MD5 hashing on the pass key.
The passkey of cisco is set below with the ip ospf message-digest-key 1 md5 cisco
This is replicated on the other end of the link. The link expires and then comes back online using the MD5 key.
Above is verification of the implementation of the MD5 key.
Show above is the packet capture of the MD5 key in use. Before it had the plain text key of cisco clearly visible. Now there is Auth Type : Cryptographic which states cryptography is being used. Auth Data this time is hashed. No easy password extraction this time.
Here is the show running config of the router. Look there. Although we are using MD5 authentication out password is still visible. If the heretics broke into our config our Chapters passwords would be compromised.
This command will hash and ‘hide’ the passwords we using throughout our routers. Any password stored in clear text will be hashed.
As mentioned prior, the clear text passwords are now stored in a more secure fashion.
As our landing party has made it’s beachhead we now have established secure communication between our landing craft and the landing zone. Well done Brothers. This day is for the Emperor.
Networking 40,000 