So Now You’re Back. From Outer Space.

Oooh. Shiny. Cisco UCS Chassis

Oooh… Shiny. Cisco UCS Chassis.

Hello again. It’s been almost a year since I last posted here. What have I been doing?

I’ve been working my arse off at a job I love. It’s been a good year, business-wise. With a seemingly endless stream of projects, I ruthlessly rearranged my priorities and applied better time management. Billed 25% more than the previous year. Had a lot of fun growing my customer base and deploying interesting new equipment.

And, since it *IS* the Caribbean, there was a certain amount of lounging about on pristine beaches with bottles of rum, I will not lie. But with judicious scheduling, the hangovers do not overlap with customer deployments. (Or, if they do, there is a nice cold server room to sit in with just the sympathetic command line blinking back at you.)

To those readers who were kind enough to comment on my posts and who messaged me, thank you so very much. I really appreciate your feedback.

Posted in v4vendetta | 3 Responses

Cisco Router – Configuring NTP Client and Server

Doc: Great Scott! Jennifer could conceivably encounter her future self! The consequences of that could be disastrous!
Marty: Doc, what do you mean?
Doc: I foresee two possibilities. One, coming face to face with herself 30 years older would put her into shock and she’d simply pass out. Or two, the encounter could create a time paradox, the results of which could cause a chain reaction that would unravel the very fabric of the space time continuum, and destroy the entire universe! Granted, that’s a worse case scenario. The destruction might in fact be very localized, limited to merely our own galaxy.
Marty: Well, that’s a relief.

– Back to the Future Part II
– Robert Zemeckis and Bob Gale

NTP Server and NTP client

NTP Server and NTP client

Configuring a Cisco router as an NTP Client

To view the system time on a router, use the show clock detail command:

Marty>
Marty>en
Marty#show clock detail
*00:00:50.151 UTC Mon Mar 1 1993
No time source

The asterisk in front of the time indicates that the time value is not authoritative. A time of March 1 1993 is the default time value when you turn on a router that has neither NTP configured, nor a manually-configured time.

So let’s set up Marty as an NTP client with the ntp server command:

Marty#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Marty(config)#ntp server 8.8.8.1

To view the NTP associations, use show ntp associations command:

Marty#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~8.8.8.1          0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

No ref clock and reach(ability) value of 0 usually means the NTP server is not responding to our NTP client. We have not set up an NTP server yet, so that’s probably why the NTP client isn’t getting a response.

To view more details about the NTP associations, use the show ntp associations detail command:

Marty#show ntp associations detail
8.8.8.1 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
xmt time AF3BD180.285DEA34 (00:04:16.157 UTC Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Yep, “insane” and “invalid” and a ref time of 1900 means our NTP server has not responded. The clock on the NTP client has not changed, even though it now says that its time source is NTP. And there is an asterisk before the time value, indicating that the time is not authoritative:

Marty#show clock detail
*00:02:16.051 UTC Mon Mar 1 1993
Time source is NTP

Now let’s switch over to the NTP server and set it up.

Configuring a Cisco router as an NTP Server

On the router that is going to be our NTP master, the out put from show clock detail shows that it is using a user-configured time:

DocBrown#show clock detail
22:08:45.951 PST Thu Nov 12 2015
Time source is user configuration

To make it an NTP master server, use the ntp master command.

DocBrown(config)#ntp master

Verifying the connection from the NTP Client

Now let’s go back to our NTP client and see if it has picked up the time from the NTP master:

Marty#show clock
*00:03:52.959 UTC Mon Mar 1 1993
Marty#show ntp asso d
8.8.8.1 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
xmt time AF3BD180.285DEA34 (00:04:16.157 UTC Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

No joy. the NTP client is still stuck in 1993. Maybe the NTP server is unreachable?

Marty#ping 8.8.8.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Marty#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  88.88.88.2      YES NVRAM  up                    up
Serial0                    unassigned      YES NVRAM  administratively down down

The NTP server does not respond to my ping. Oh for fecks sake, I have configured the NTP client with the wrong IP address for the NTP server. Of course it cannot get a time if it is trying to contact the wrong IP address. So let’s change the NTP client to use the correct IP address:

Marty#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Marty(config)#no ntp server 8.8.8.1
Marty(config)#ntp server 88.88.88.1
Marty(config)#exit
Marty#ping 88.88.88.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 88.88.88.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/12/28 ms

Now the NTP client is configured with the correct IP address for the NTP server. So let’s check its clock:

Marty#show clock detail
06:13:06.605 UTC Fri Nov 13 2015
Time source is NTP

Yep, Marty has picked up the time from Doc Brown. And there is no longer an asterisk in front of the time value, meaning that the time on Marty is now authoritative.

Marty#sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~88.88.88.1       127.127.7.1       8     4    64  377     7.0   12.34     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Marty#sh ntp associations detail
88.88.88.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time D9EFFDD5.E89DD4AA (06:12:37.908 UTC Fri Nov 13 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 3.571
delay 6.97 msec, offset 12.3388 msec, dispersion 0.06
precision 2**18, version 3
org time D9EFFDFA.3E4C8002 (06:13:14.243 UTC Fri Nov 13 2015)
rcv time D9EFFDFA.3C089F3E (06:13:14.234 UTC Fri Nov 13 2015)
xmt time D9EFFDFA.3A316B5A (06:13:14.227 UTC Fri Nov 13 2015)
filtdelay =     7.03    6.97    6.97    6.96    7.03    6.99    7.00    7.03
filtoffset =   12.37   12.34   12.37   12.36   12.39   12.39   12.40   12.41
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12

One more thing. Marty is displaying time in UTC, whereas DocBrown is configured for PST. Not a problem if the two routers are in different timezones, but it makes for easier for log analysis if all the devices on a network are set to the same timezone. During, or after an incident, you’re looking for a picture of what is happening (or, has happened) on the network. You want to check logs on different machines, and it makes for easier correlation of this-happened-then-that-happened if you do not have to mentally adjust the timestamps on different devices.

So, let’s move Marty to PST as well.

Marty(config)#clock timezone PST -8 
Marty(config)#exit
Marty#show clock detail
22:27:48.883 PST Thu Nov 12 2015
Time source is NTP

Additional Information:

clock set command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

clock timezone command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

show clock command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

Posted in geek, mecha, v4vendetta | Tagged , , | 2 Responses

Cisco Router – Configuring Time Manually

Marty: You’re not gonna believe this. We have to go back to 1955
Doc: I don’t believe it!
Marty: That’s right, Doc. November 12th, 1955.
Doc: Unbelievable that Old Biff could’ve chosen that particular date. It could mean that that point in time inherently contains some sort of cosmic significance, almost as if it were the temporal junction point of the entire space-time continuum. On the other hand, it could just be an amazing coincidence.

– Back to the Future Part II
– Robert Zemeckis and Bob Gale

To view the system time on a router, use the show clock command:

DocBrown>en
Password:
DocBrown#show clock
*04:53:21.590 UTC Wed Mar 1 1993

The asterisk in front of the time indicates that the time value is not authoritative. A time of March 1 1993 is the default time value when you turn on a router that has neither NTP configured, nor a manually-configured time.

A show clock detail confirms that no time source has been configured:

DocBrown>en
Password:
DocBrown#show clock detail
*04:55:06.999 UTC Wed Mar 1 1993
No time source

To set up the system time manually, use clock timezone (to set the timezone) and the clock set (to set the time). Configure the timezone before you configure the time because any change from the default UTC timezone will also alter the system time, and you’ll have to reconfigure the time again. So, save a step and do the timezone first:

DocBrown#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DocBrown(config)#clock timezone PST -8
DocBrown(config)#exit

DocBrown#clock set 22:04:00 12 November 1955
                                        ^
% Invalid input detected at '^' marker.

DocBrown#clock set 22:04:00 12 November ?
    Year

DocBrown#clock set 22:04:00 12 November 2015

Doc Brown cannot go back to 1965 because the acceptable range of values for year is 1993 to 2035. So, let’s send him to 2015 instead.

To verify, use the show clock command:

DocBrown#show clock
22:04:05.311 PST Thu Nov 12 2015

The asterisk in front of the time is gone now, indicating that the time value is authoritative.

Now show clock detail shows that it is a user-configured time:

DocBrown#sh clock detail
22:48:59.047 PST Thu Nov 12 2015
Time source is user configuration

Additional Information:

clock set command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

clock timezone command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

show clock command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

Posted in geek, mecha, v4vendetta | Tagged , , , , | 6 Responses

Cisco ASA – 802.1q VLAN Tagging

The Cisco ASA supports 802.1q tagging, which inserts a tag into the original Ethernet frame. The 802.1q tag contains 4 fields:

  1. TPID (Tag Protocol Identifier)
  2. 16-bit field. A value of 0x8100 identifies the frame as an IEEE 802.1q-tagged frame.

  3. Priority
  4. 3-bit field describing the frame priority level. Value can range from 0 to 7.

  5. CFI (Canonical Format Indicator)
  6. 1-bit field. If the value is 1, the MAC address is in noncanonical format. If the value is 0, the MAC address is in canonical format.

  7. VID (VLAN Identifier)
  8. T2-bit field, identifying the VLAN to which the frame belongs. Value can range from 0 to 4095.

802.1q Tag Inserted into an Ethernet Frame

802.1q Tag Inserted into an Ethernet Frame

Configuration Example

On my Cisco ASA 5520, I’ve set up the GigabitEthernet0/1 interface with a generic setup (name and IP address). I’ve created two subinterfaces off GigabitEthernet0/1: GigabitEthernet0/1.10 which belongs to VLAN 10, and GigabitEthernet0/1.20 which belongs to VLAN 20. I’ve given the subinterfaces new MAC addresses with the mac-address command. The show run interface coughs up this information:

ciscoasa# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.30.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 mac-address 1010.1010.1010
 vlan 10
 nameif SubnetTen
 security-level 100
 ip address 10.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 mac-address 2020.2020.2020
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

I have a packet sniffer (Wireshark) snuffling up the packets coming out of the GigabitEthernet0/1 interface. It will also capture packets originating from the two subinterfaces.

So now let’s generate packets and see what the 802.1q tag looks like. First, let’s generate an untagged packet from the ASA. When I tell the ASA to ping 10.30.1.10, the ASA first does an ARP for the destination.

ciscoasa# ping 10.30.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.1.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

And Wireshark picks up Ethernet frames like the one below, which are untagged since they originate from the GigabitEthernet0/1 interface (which has an IP address of 10.30.1.1 and is therefore the interface used to reach the 10.30.1.0 network):

Untagged Ethernet Frame Captured in Wireshark

Untagged Ethernet Frame Captured in Wireshark

When I tell the ASA to ping 10.30.10.10, the ASA uses the GigabitEthernet0/1.10 interface to ARP for the destination.

ciscoasa# ping 10.30.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.10.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Now Wireshark picks up Ethernet frames like the one below, which originate from MAC address 10:10:10:10:10:10 and are tagged with VLAN 10:

Ethernet Frame Tagged with VLAN 10 Captured in Wireshark

Ethernet Frame Tagged with VLAN 10 Captured in Wireshark

And when I tell the ASA to ping 10.30.20.10:

ciscoasa# ping 10.30.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.20.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

We get frames originating from MAC address 20:20:20:20:20:20 that are tagged with VLAN 20:

Ethernet Frame Tagged with VLAN 20 Captured in Wireshark

Ethernet Frame Tagged with VLAN 20 Captured in Wireshark

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

mac-address command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.

Posted in geek, mecha, v4vendetta | Tagged , , , , , , , , | 2 Responses

Cisco ASA 5520 – Creating Subinterfaces

5:05 p.m. at the courier’s office.

Me and the cabling guys arrive to do the network cutover. We knock on the funny little door where customers pick up their packages. It is a Dutch door, split horizontally at waist-level like a stable door. During business hours, they swing open the upper half of the door, and the whole affair serves as a reception counter for the steady trickle of customers that amble by to collect their packages. At waist-height, just where top and bottom half meet, there is a narrow ledge where you can perch a package, or sign a clipboard. You only ever open the bottom half of the door if you need to walk through it.

But at 5:05 p.m., everyone in the office has buggered off, and it does not matter which half of the door we jiggle. We’re locked out. Our customer (the IT manager for the courier’s office) is running late. Fabulous. Do we wait here, or go find a pub?

The youngest of our cabling guys eyes the open transom above the door speculatively. He hops up on the narrow ledge and hands himself through the open transom with a fluid motion, feet-first. He lands with a soft thud on the other side of the door, and unlocks it from the inside for us, with a flash of gold teeth. I’ve seen David Belle do this move before on TV. The French King of Parkour.

We clap the grinning cabling guy on the shoulder and shuffle through the entryway; a single door frame that actually contains 3 doors.

Why Use Subinterfaces?

On the Cisco ASA 5510 and higher models, you can configure subinterfaces on any physical, redundant or EtherChannel interface. So, a single interface can be divided into multiple logical interfaces, each tagged with a different VLAN ID. An interface (physical, redundant, EtherChannel) with one or more VLAN subinterfaces is automatically configured as an 802.1q trunk.

By using VLANs and subinterfaces, you have the ability to separate traffic that is sharing the same physical interface. Thus, you do not need to add additional physical interfaces.

The number of VLANs per physical interface is limited by licensing. (See licensing requirements for each model here.)

Configuration Example

On my Cisco ASA 5520, I’ve enabled the GigabitEthernet0/1 interface with the no shutdown command, but I have not configured anything else. The show run interface coughs up this information:

ciscoasa(config-if)# sh ru int         
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0 
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only

I’m going to add a subinterface for the 10.30.10.0/24 network on the GigabitEthernet 0/1 interface, and give it a name and IP address:

ciscoasa# con t
ciscoasa(config)# int g 0/1.10
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# nameif SubnetTen
INFO: Security level for "SubnetTen" set to 0 by default.
ciscoasa(config-subif)# ip address 10.30.10.1 255.255.255.0

And I’m adding another subinterface for the 10.30.20.0/24 network:

ciscoasa(config-subif)# int g 0/1.20
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# nameif SubnetTwenty
INFO: Security level for "SubnetTwenty" set to 0 by default.
ciscoasa(config-subif)# ip address 10.30.20.1 255.255.255.0

Now a show run interface command shows that two subinterfaces have been created on the GigabitEthernet 0/1 interface:

ciscoasa(config-subif)# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0 
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif SubnetTen
 security-level 0
 ip address 10.30.10.1 255.255.255.0 
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif    
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.

Posted in geek, mecha, v4vendetta | Tagged , , , , , | 3 Responses