Sunday 11 July 2010

MPLS the Superior WAN

Just when you thought fast switching was the best layer 3 could be..... a new player added a new layer: fixed-length labels that can be switched in hardware like a layer 2 address, sitting on top of routable layer 3 addressing. Welcome to layer 2.5. I know it's not new now but it's still awesome. The challenge given to me was to add MPLS VPN technology to an existing network in order to provide secure links between four different sites. The initial network design is as below.
The objectives are:
1: Provide two separate VPN links between Finance - Payroll and Research - Labs
2: Further secure the Finance - Payroll link with IPsec
3: Users are currently using the network so equipment cannot be removed (equipment may be added).

I love MPLS, it's such a dream to work with and simple to understand. To make this work there are a few changes I implemented.

1: With PE1 where it is at the moment, two separate links are needed, which means two VRFs on two interfaces. They would have to be set up on HQ and then carried to PE1 to be put into MP-BGP, which could be done with sub-interfaces and multi-VRF (VRF-Lite) on HQ, but that seems more work than needed. Instead I pushed the MPLS cloud up to the HQ router so the VRFs are kept in their separate instances from there.

2: The IPsec problem: with the Finance segment hanging directly off the HQ router, the IPsec tunnel would use the outbound interface towards the P router, but since that segment's routing has moved from the global table into the VRF and MP-BGP, the outbound interface has no idea about the networks behind it and cannot bring up the tunnel. My solution was simply to put another router in for Finance, so that its outbound interface learns about the other side through MP-BGP and the fun may commence.


My new design can be seen in Fig 2 above.

Protocols: In the cloud all MPLS interfaces run OSPF in area 0. This link-state protocol has been used for its low administrative overhead and fast convergence on topology changes; when nothing changes only periodic hellos flow between neighbours, and each LSA is re-flooded every 30 minutes to confirm it is still valid.

MP-BGP (the VPNv4 address family) carries the VRF routes between the PE routers so that each VPN's sites can communicate while staying isolated from the others.

RIP has been used for all departments except Research; don't worry, it's version 2, to allow for my VLSM subnetting scheme. It has been used because they are stub networks and don't need an advanced protocol. The RIP routes are redistributed into BGP inside the VRF, and a default route is sent back to the departments as it's their only way out anyway.

Research hangs directly off the HQ interface, so its connected route needs to be redistributed into BGP.
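The HQ-side configuration that the protocol choices above add up to, written out here as an added example (it is not the configuration from the original post). The interface names, AS number, route distinguishers, route targets and addresses are assumed; the PE at the Payroll/Labs end is taken to be reachable at the loopback 10.255.0.2.

```cisco
! --- Core: OSPF area 0 for loopbacks and links, LDP on the MPLS-facing interface ---
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Serial0/0
 description towards P router
 ip address 10.0.12.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 network 10.255.0.1 0.0.0.0 area 0
!
! --- Two VRFs with distinct route targets: neither imports the other's routes ---
ip vrf FINANCE
 rd 65000:1
 route-target both 65000:1
!
ip vrf RESEARCH
 rd 65000:2
 route-target both 65000:2
!
interface FastEthernet0/0
 description link to the added Finance router
 ip vrf forwarding FINANCE
 ip address 172.16.1.1 255.255.255.252
!
interface FastEthernet0/1
 description Research LAN (directly connected)
 ip vrf forwarding RESEARCH
 ip address 172.16.2.1 255.255.255.0
!
! --- MP-BGP to the far PE (iBGP), VPNv4 carries the VRF routes ---
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 address-family ipv4 vrf FINANCE
  redistribute rip
 exit-address-family
 address-family ipv4 vrf RESEARCH
  redistribute connected
 exit-address-family
!
! --- RIPv2 towards the Finance stub: BGP routes in, a default route out ---
router rip
 version 2
 address-family ipv4 vrf FINANCE
  network 172.16.0.0
  redistribute bgp 65000 metric 3
  default-information originate
  no auto-summary
 exit-address-family
```

The isolation check worth doing once it is up: `show ip route vrf FINANCE` should list the Payroll prefixes learned via BGP and `show ip route vrf RESEARCH` should not, since the two VRFs share no route target. `show ip bgp vpnv4 all` and `show mpls forwarding-table` confirm the labels are being exchanged and installed.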

BASIC SECURITY:
Security measures should be implemented on the routers to stop them being accessed by anyone who isn't supposed to.

MOTD - This is important as it displays a warning to anyone attempting to gain access, stating who owns the network and that only authorised users may use it. It may be a deterrent, and if you are able to trace and prosecute someone who accessed your network illegally it shows you did all you could to tell them they shouldn't have been there. Don't put "welcome" in it, and don't leak the device model or IOS version.

Enable secret - This is the password needed to get from user EXEC to privileged EXEC. Using enable secret instead of enable password stores a salted MD5 hash (type 5) of the password rather than the clear text, so it cannot be read from a show run or by someone peering over your shoulder. Note that service password-encryption only applies a reversible type 7 encoding to the other line passwords, which hides them from a glance but not from anyone who gets a copy of the config, and even a type 5 hash can be cracked offline, so the config itself is sensitive.

Console password - There needs to be a login on the console port so that anybody who gains physical access to the equipment can't get in without a password. Bear in mind that console access also allows password recovery, so this only slows down someone who is already standing in front of the rack.

VTY login - The vty lines 0 - 4 used for remote access need a login. They should only allow SSH version 2 connections, as Telnet is susceptible to sniffing because it sends everything, including the password, in plain text. As extra protection an access list was put on the vty lines (access-class) to only allow certain IP addresses to establish a connection.

CDP - This protocol is very useful for troubleshooting a network as it gives information about directly connected neighbours. When enabled it sends this information out of all ports, and anyone with a packet sniffer on the segment picks up IP addresses, hostnames, platform, IOS version and port names. It should be disabled on LAN and other user-facing interfaces with the no cdp enable command on the interface (or globally with no cdp run where nothing relies on it).
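The five measures above collected into one IOS configuration, as an added example rather than the config from the original post. The hostname, domain name, management subnet, interface name and passphrases are made up for illustration.

```cisco
! Added example: basic hardening of an IOS router (all names and addresses assumed)
hostname HQ
ip domain-name lab.example.com
!
! Banner: ownership and authorised-use warning, no "welcome", no model or version
banner motd ^
This equipment is the property of Example Ltd.
Unauthorised access is prohibited. Sessions are monitored and logged.
^
!
! Hashed (type 5, salted MD5) secrets for enable and the local admin user
enable secret Us3-a-l0ng-phrase-here
username netadmin secret An0ther-l0ng-phrase
! Only obscures any remaining line passwords (reversible type 7)
service password-encryption
!
! Console: require a local login and drop idle sessions after 5 minutes
line console 0
 login local
 exec-timeout 5 0
!
! SSH version 2 only; the RSA key must exist before the SSH server starts
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may reach the VTY lines; refused attempts are logged
ip access-list standard MGMT-HOSTS
 permit 192.168.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 5 0
!
! CDP off on the user-facing LAN port, left running on the core links
interface FastEthernet0/1
 description Finance LAN
 no cdp enable
```

To check it took: `show ip ssh` should report version 2.0, `show running-config | include secret` should show `$1$` hashes rather than clear text, and a Telnet attempt from the management subnet should be refused by the `transport input ssh` line. On IOS releases that support it, `enable algorithm-type scrypt secret` gives a stronger type 9 hash than the MD5 type 5 used here.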

stay dramatic,

marty

Thursday 25 March 2010

wi-spy with my little eye

Inherent weakness in WiFi
The greatest thing about WiFi (802.11) is that it's...... wireless, data magically propagating through the air to tie network devices together. The problem with these waves moving through the air is that anyone who stands in their way can hear them.

Management frames are sent in the clear at the lowest basic rate (1 Mb/s on 802.11b/g) so that every device can decode them. Put your wireless card into monitor mode and Wireshark will show you all the beacons from APs and the probe requests from clients. Your MAC address is visible in these frames, which means your identity is not necessarily secret.

If you have previously associated with a range of APs, then when you turn wireless on in Windows the first thing it does is probe to see who's there and whether an AP it has connected to before is available, and yes, it sends those network names for Mr Hack-in-a-Box to see. The big risk is that if Mr Hack knows your computer wants to connect to "home", he can set up a rogue AP with the SSID "home", sit near you giving it the strongest signal, and your machine will move onto the rogue AP. If the attacker also provides a route to the Internet, which is highly likely, you wouldn't even know you'd changed connections! Now all your data and transactions can be looked at and saved, yum yum yum. This is easiest when "home" is an open network; if the remembered profile is WPA/WPA2 the rogue AP also has to know that network's key before the client will complete the association.

Lets play a game
Why don't we use the fact that your wireless gives out its identity for a game of wireless hide and seek? Get a gaggle of friends to come over with their wireless devices, log their MAC addresses and tell them to go and hide around the city centre. Run a laptop in monitor mode with Wireshark or airodump-ng, something that can record the frames. Write a simple C program that reads through the captured frames, looks for the logged MAC addresses and makes a noise when it finds one. Now run around town and wait for a beep! The RSSI can be used to narrow the search. Happy hunting.
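The sniffing side of that game, and the probe-request leak described two paragraphs up, as an added example in Python rather than C (this is not code from the original post). It decodes the radiotap header and the 802.11 management header of frames captured in monitor mode, pulls the source MAC, SSID and RSSI out of probe requests and beacons, beeps on a watch list and tallies which remembered networks each client is shouting about. The frames in SAMPLE_FRAMES are constructed inline; the MAC addresses, SSIDs and signal levels are made up.

```python
"""Added example: spot watched MACs and leaked SSIDs in monitor-mode 802.11
management frames.  Everything below is constructed for the demo; on a real
capture you would feed each radiotap-encapsulated frame (pcap link type 127)
to hunt() / probed_ssids() instead of SAMPLE_FRAMES."""
import struct

# Radiotap present-bits we decode: bit -> (size, alignment).  Fields appear in
# bit order, each aligned to its natural size relative to the header start.
# We stop at the first bit we don't know, since later offsets would be wrong.
_RADIOTAP_FIELDS = {
    0: (8, 8),  # TSFT
    1: (1, 1),  # Flags
    2: (1, 1),  # Rate (units of 500 kb/s)
    3: (4, 2),  # Channel: frequency + flags
    4: (2, 2),  # FHSS
    5: (1, 1),  # dBm antenna signal (the RSSI we want)
    6: (1, 1),  # dBm antenna noise
    7: (2, 2),  # Lock quality
}

def parse_radiotap(pkt):
    """Return (header_length, rssi_dbm or None) for a radiotap-prefixed frame."""
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or length > len(pkt):
        raise ValueError("not a radiotap header")
    offset = 8
    ext = present
    while ext & (1 << 31):            # extended present words precede the data
        ext = struct.unpack_from("<I", pkt, offset)[0]
        offset += 4
    rssi = None
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in _RADIOTAP_FIELDS:
            break
        size, align = _RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) // align * align
        if bit == 5:
            rssi = struct.unpack_from("<b", pkt, offset)[0]
        offset += size
    return length, rssi

_MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}

def _mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_mgmt_frame(pkt):
    """Decode one management frame; returns None for data/control frames."""
    hdr_len, rssi = parse_radiotap(pkt)
    f = pkt[hdr_len:]
    fc = f[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0:                    # 0 = management
        return None
    addr1, addr2, addr3 = f[4:10], f[10:16], f[16:22]
    body = f[24:]
    if subtype in (5, 8):             # beacon/probe-response carry 12 fixed
        body = body[12:]              # bytes: timestamp, interval, capabilities
    ssid = None
    i = 0
    while i + 2 <= len(body):         # walk the tagged parameters
        tag, ln = body[i], body[i + 1]
        if tag == 0:                  # tag 0 is the SSID (empty = wildcard)
            ssid = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
            break
        i += 2 + ln
    return {"type": _MGMT_SUBTYPES.get(subtype, "mgmt-%d" % subtype),
            "src": _mac(addr2), "dst": _mac(addr1), "bssid": _mac(addr3),
            "ssid": ssid, "rssi": rssi}

def hunt(frames, watch_list):
    """Frames sent by a watched MAC, strongest signal first (the 'beep')."""
    watch = {m.lower() for m in watch_list}
    hits = [h for h in map(parse_mgmt_frame, frames) if h and h["src"] in watch]
    hits.sort(key=lambda h: -999 if h["rssi"] is None else h["rssi"], reverse=True)
    return hits

def probed_ssids(frames):
    """Remembered networks each client reveals in probe requests (rogue-AP bait)."""
    out = {}
    for info in map(parse_mgmt_frame, frames):
        if info and info["type"] == "probe-request" and info["ssid"]:
            out.setdefault(info["src"], set()).add(info["ssid"])
    return out

# ---- constructed sample capture (made-up MACs, SSIDs and signal levels) ----
def _radiotap(rssi):
    present = (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)   # Flags,Rate,Channel,dBm
    body = struct.pack("<BB", 0x00, 0x02)                 # flags, 1 Mb/s
    body += struct.pack("<HH", 2412, 0x00a0)              # channel 1, 2 GHz CCK
    body += struct.pack("<b", rssi)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body

def _mgmt(subtype, a1, a2, a3, body):
    return struct.pack("<BB", subtype << 4, 0) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

def _tag(tag, data):
    return bytes([tag, len(data)]) + data

BCAST = b"\xff" * 6
FRIEND = bytes.fromhex("001122334455")      # a friend's laptop
STRANGER = bytes.fromhex("66778899aabb")
AP = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [
    _radiotap(-41) + _mgmt(4, BCAST, FRIEND, BCAST, _tag(0, b"home") + _tag(1, b"\x82\x84\x8b\x96")),
    _radiotap(-70) + _mgmt(8, BCAST, AP, AP, b"\x00" * 8 + struct.pack("<HH", 100, 0x0431) + _tag(0, b"cafe-free")),
    _radiotap(-55) + _mgmt(4, BCAST, STRANGER, BCAST, _tag(0, b"")),   # wildcard probe
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FRAMES, ["00:11:22:33:44:55"]):
        print("BEEP %(src)s %(type)s ssid=%(ssid)r rssi=%(rssi)d dBm" % hit)
    print(probed_ssids(SAMPLE_FRAMES))
```

Only the first present word of radiotap is decoded and only the eight oldest fields, which is enough for the RSSI; a frame whose driver puts an unknown field before the signal byte simply reports rssi None rather than a wrong number.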


The same technique could be used for any wireless goods that may have been stolen, assuming you know the MAC, it's powered on, and it's not 300 miles away having been swapped for some trainers.

Does anyone still use WEP!?
I would really like some feedback, leave a comment, let me embrace your views. Why is WEP still around? Its security is as good as a padlock with the combination written on the back. When looking for wireless signal in various places I keep seeing it pop up, often with a default SSID. A few manufacturers and ISPs will give you an AP that is set up with WEP and the key written on the side so that average Joe can plug it in and away they go; brilliant, it works, they're happy. The other use I see is often hotels, where you either pay for the key or it's given to you and you pay to go through a tunnel.

WEP is weak: it hands out the IV in the clear in every packet, and as the IV is only 24 bits it's only a matter of time until the same one is used again. Two packets under the same IV share an RC4 keystream, so XORing them cancels the keystream and leaves the XOR of the two plaintexts, and one known packet (an ARP request, say) then exposes the other. Worse, the way the IV is simply prepended to the key is what the statistical attacks in aircrack-ng exploit to recover the key itself from a modest number of captured IVs.

I went to visit a relative and noticed, as part of a security audit, that he was using WEP (128-bit). I tried to explain the weaknesses in this method and demonstrated how easy it is to crack.
  1. Booted up BackTrack from USB (1 minute)
  2. Used airmon-ng to put the card into monitor mode, airodump-ng to capture data, aireplay-ng to generate data, aircrack-ng to crack the key (30 seconds)
  3. Aircrack-ng looked at ~8000 IVs and gave me the WEP key (1 minute on the dot)
  4. Put the key in and started using his wifi
All security can be broken given the resources and time; the crucial decision is deciding what level of security is reasonable. I use WPA2-PSK, which can be cracked, but it could take a year, and I could make it my policy to change the PSK monthly; I may not even live in the same house in a year.
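An added example (not from the original post) that puts numbers on the 24-bit IV problem and shows what an IV repeat actually gives away. RC4 and the WEP keying (RC4 key = IV || root key, IV sent in the clear) are the real thing; the key and the two packets are constructed for the demo, and the CRC-32 ICV that WEP appends is omitted because it plays no part in the keystream reuse. Note that the ~8000-IV key recovery in the steps above comes from aircrack-ng's statistical attack on RC4's key schedule, not from waiting for a collision; this block demonstrates the simpler reuse problem only.

```python
"""Added example: the birthday bound on WEP's 24-bit IV, and keystream reuse
when an IV repeats.  Key and packets are made up; the WEP ICV is omitted."""

IV_SPACE = 2 ** 24                      # WEP IVs are 24 bits

def packets_until_iv_collision(probability):
    """Smallest number of packets after which P(some IV repeats) >= probability,
    assuming IVs are chosen uniformly at random.  (Cards that count the IV up
    from zero repeat even sooner after every reset.)"""
    p_no_repeat = 1.0
    n = 0
    while 1.0 - p_no_repeat < probability:
        p_no_repeat *= 1.0 - n / IV_SPACE   # packet n+1 must avoid the n IVs used
        n += 1
    return n

def rc4(key, data):
    """Plain RC4: key-scheduling algorithm, then the keystream generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv, root_key, plaintext):
    """WEP per-packet keying: RC4 key = IV || root key, IV transmitted in clear."""
    assert len(iv) == 3 and len(root_key) in (5, 13)   # 40- or 104-bit WEP
    return iv + rc4(iv + root_key, plaintext)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def recover_from_iv_reuse(packet_a, packet_b, known_plaintext_a):
    """Same IV => same keystream, so C_a XOR C_b = P_a XOR P_b.  Knowing P_a
    therefore yields P_b (up to the shorter length).  Returns None if the IVs
    differ, because then there is no shared keystream to cancel."""
    if packet_a[:3] != packet_b[:3]:
        return None
    keystream = xor(packet_a[3:], known_plaintext_a)
    return xor(packet_b[3:], keystream)

# Constructed demo data.  ARP and DHCP frames are the classic source of known
# plaintext on a WEP network; the LLC/SNAP header below is what they start with.
DEMO_KEY = bytes.fromhex("0123456789abcdef0123456789")   # made-up 104-bit key
DEMO_IV = bytes.fromhex("3fa21c")
PLAIN_A = b"\xaa\xaa\x03\x00\x00\x00\x08\x06 ARP request...."   # known to attacker
PLAIN_B = b"\xaa\xaa\x03\x00\x00\x00\x08\x00 GET /admin HTTP"   # the secret
PKT_A = wep_encrypt(DEMO_IV, DEMO_KEY, PLAIN_A)
PKT_B = wep_encrypt(DEMO_IV, DEMO_KEY, PLAIN_B)           # same IV reused

if __name__ == "__main__":
    print("50%% chance of an IV repeat after %d packets" % packets_until_iv_collision(0.5))
    print("recovered:", recover_from_iv_reuse(PKT_A, PKT_B, PLAIN_A))
```

A busy access point pushes a few thousand packets a minute, so the 50% mark is reached in well under an hour without any help from aireplay-ng; the root key never needs to be known to read the second packet.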

Tip top tips - I'm sure nobody does, but don't leave defaults on. It's reckless and an insult to professionals.

Monday 22 March 2010

Queue them up, push them out

The latest lab expedition is to configure Class-Based Weighted Fair Queuing (CBWFQ) to give voice and HTTP traffic different treatment. The way to test it is to host a website at one end of a low-bandwidth link with two pictures on it; HTTP traffic can be matched on keywords in the URL, so the class maps are able to distinguish LEFT from RIGHT and give each a different bandwidth. The bandwidth allotted per class is a minimum guarantee that only bites during congestion, not a cap: the classes still use the full link, sharing whatever is unused in proportion to their configured bandwidths. To get the web server ready you need to do a few things.

1) Grab a picture with a decent size (500k - 1M)
Here is one I prepared earlier for you to download.
ADDITIONAL - I have just tried to download the image from within the lab and pictures are getting blocked by admin!
SOLUTION - Go through a proxy, or go and ask admin if they will stop filtering pictures.
SECURITY - The content filter mentioned above happily gives out the information "powered by draytek". Know of any exploits for them....?

2) Make a copy of the image and name it right.jpg; the original should be left.jpg

3) Copy this simple HTML into Notepad, save it as index.html in the Apache htdocs folder and drop the two pictures into the folder as well


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>CBWFQ + LLQ </title>
<style type="text/css">
*{width:100%}
.picleft { float:left; width:45%; border-right:#FF0000 20px solid; margin-right:20px}
.picright { float:left; width:45%; border-left:#0000FF 20px solid}
</style>
</head>
<body>
<h1 align="center">Let the race begin!</h1>
<div class="picleft">
<img src="left.jpg" />
</div>
<div class="picright">
<img src="right.jpg" />
</div>
</body>
</html>


4) Sit back and enjoy watching an image crawl onto the screen just like the good old days
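The router side of the race, as an added example rather than the lab configuration from the original post: a CBWFQ policy with a low-latency (priority) queue for voice and two keyword-matched HTTP classes with different guarantees. The interface, link rate, class bandwidths and the assumption that voice is already marked DSCP EF are all made up for illustration.

```cisco
! Added example: CBWFQ + LLQ for the LEFT/RIGHT picture race (names/rates assumed)
! Matching on the HTTP URL uses NBAR, which requires CEF.
ip cef
!
class-map match-all VOICE
 match ip dscp ef
class-map match-all LEFT
 match protocol http url "*left.jpg*"
class-map match-all RIGHT
 match protocol http url "*right.jpg*"
!
policy-map RACE
 ! strict priority queue, policed to 64 kb/s when the link is congested
 class VOICE
  priority 64
 ! bandwidth = guaranteed minimum under congestion, not a ceiling;
 ! LEFT and RIGHT share any idle capacity in a 3:1 ratio
 class LEFT
  bandwidth 96
 class RIGHT
  bandwidth 32
 class class-default
  fair-queue
!
interface Serial0/0
 ! 64 + 96 + 32 = 192 kb/s, exactly the default 75% reservable on a 256 kb/s link
 bandwidth 256
 service-policy output RACE
```

While the pictures load, `show policy-map interface Serial0/0` shows the offered rate, queue depth and drops per class, which is how you confirm that RIGHT is being starved to about a quarter of LEFT rather than simply losing a coin toss. If the sum of priority and bandwidth exceeds 75% of the interface bandwidth, IOS refuses the service-policy unless max-reserved-bandwidth is raised.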
Bonus video
180's on the new ramp
GO

Saturday 13 March 2010

Save The Switch, Save The Lab

In Cisco land (the networks lab) it's a common sight to see the suicidal blink of a switch's STAT light as it whimpers in ROM monitor mode after a brutal assault from a student trying to do something too advanced. Maybe that's a bit cruel; the lab equipment is on 24/7 getting copy run start and reloads constantly throughout the day and the flash is taking a beating. The most common sight I've seen is the IOS image disappearing or becoming corrupt. There were some switches I had seen sitting in ROM mode for weeks missing an IOS without a tech fixing them, so I took things into my own hands and fixed two 2960s. Let me dispense this information now.....

From ROM monitor mode you first need to initialise the flash file system and load the helper:

switch: flash_init
switch: load_helper

Now you have access to more commands and can look around the flash:

switch: dir flash:

(example output)
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c3550-i5q3l2-mz-121-0.0.53
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
17 -rwx 27 Mar 01 1993 22:30:57 env_vars
5 -rwx 90 Mar 01 1993 22:30:57 system_env_vars
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat

The IOS .bin file lives inside the directory at the top of the listing; you can attempt to boot it manually:

switch: boot flash:c3550-i5q3l2-mz-121-0.0.53/c3550-i5q3l2-mz-121-0.0.53.bin


If it returns a boot error then you know the image file is corrupt and you need to put a new one on. In my case when I looked into the flash directory there wasn't even an image file there, which leads me to believe a student put the wrong command in when trying to delete a file....

Retrieve an IOS image from Cisco, or do what I did: since there are many of the same switches in the lab, TFTP one off a working switch. Set up a TFTP server and connect it to the working switch in VLAN 1, give the switch an IP address on VLAN 1 in the same segment as the TFTP server, then copy from the flash TO the TFTP server (192.168.1.1 is the server address here):

swalive# copy flash:c3550-i5q3l2-mz-121-0.0.53/c3550-i5q3l2-mz-121-0.0.53.bin tftp://192.168.1.1/c3550-i5q3l2-mz-121-0.0.53.bin

OK, the image is acquired; now we need to get it onto the broken switch. We're going to use HyperTerminal to send the file through the console using XMODEM. This command says copy from xmodem TO flash:

switch: copy xmodem: flash:c3550-i5q3l2-mz-121-0.0.53/c3550-i5q3l2-mz-121-0.0.53.bin

In HyperTerminal go to the Transfer menu at the top and select Send File, choose the XMODEM protocol and point it at the image file you acquired. This needs to be done sharpish or the switch will time out. The transfer will take a while since you're limited by the speed of your console connection; the 4.8MB IOS I transferred took 1hr40, so ~8400b/s even though it was a 9600 connection......

All is sorted; issue the magic command to revive the almighty:

switch: boot

For me this was not the end! Once booted I found that it had been given an enable secret. No worries, I'll try the usual suspects: cisco, Cisco, class, password, pass... slightly annoying.... how about iamatoolforlockingthisciscoswitchdownwithanonuniformpass. Damn, I can't get in. What next, you ask? Let's get it back into ROM mode and change the config.text file.

Power-cycle the switch while holding the mode button for a few seconds until the LED flashes, and it will drop into ROM monitor mode.

switch: flash_init
switch: load_helper
switch: dir flash:        (you will see there is a file called config.text)
switch: rename flash:config.text flash:config.old
switch: boot

The switch looks for its startup config, config.text, and, unable to find it, boots a fresh instance with no config. You can either copy flash:config.old running-config and change the password, or start from scratch. This is also the security lesson: anyone with console access and the mode button can do exactly this, so the enable secret protects against remote and casual access only, and the racks need locking.

Tip: To speed up the XMODEM copy, increase the baud rate:
switch: set BAUD 115200
Restart the HyperTerminal session to match. Once finished, change it back:
switch: unset BAUD

Additional:

This Sunday I spent the weekend airsofting in a field near Durham, using initiative and tactics to win the game and keep the team and myself alive. It was a really fun game and I was one of two medics looking after 15 team members, which proved very tiresome. In the first game I was using a kind of distance vector protocol, periodically running around checking everyone was OK while they provided covering fire. However this proved inefficient..... see where I'm going with this? I then moved onto a link state algorithm, reconverging the team upon shouts of MEDIC!! Some routes were blocked, so I had a chat with a node who had built up a full topology of the field via his comms and legged it through the lowest cost path. There was a problem with my gun making a horrible whirring sound, so I took it apart at home to be inspected. This is what the gun should look like and what the faulty part should look like:

And this is what they look like now. You can see the barrel just peeking out of the sad bag. The piston's teeth have completely vanished, resulting in a complete fail. There should be a soft rubber cushion on the end but it has evaporated! There is no sign of it. Rebuild when I get some free time.

Thursday 11 March 2010

New Tech In The House

Two new items in the household, one for joy/pain the other for recording joy/pain.

On the left is my friend Chebs' mountainboard, which is used for the sport we are both passionate about. It is a large off-road skateboard, a snowboard for grass. We regularly go mountainboarding around our local area doing freestyle, cruising the parks or jumping in the skate park. Last Sunday we went to a mountainboard site that had a race track, drops and jumps; it was epic fun. For further information on this go to chebsite, where all our fun is documented.

On the right is the GoPro HD Hero, as seen on The Gadget Show, tested down a bobsled run and coming out best of the lot. It can do 1080p, it has a wide-angle lens offering 170° of view and, my favourite, it can shoot video at 60fps so you can have some seriously good slow-motion footage! It has been strapped to the mountainboard and used as a helmet cam; it's in a sealed waterproof case. We have had some lovely shots using this, slowing down our 180 jumps and tricks. However it is an expensive toy, but it saves me taking out my DSLR to get good pics.

In the beginning

So what happens here? This is my personal blog, where I will take you on an adventure of mystery, revelations and, in some cases, telnet into my shenanigans. I will be focusing on my network labs, telling you what I've been configuring, why, and the results; what new tech is out there and how it can be applied. Upcoming blogs for your eyes!

  • my massive MPLS lab
build a good-size MPLS cloud (8 Cisco 2811s?) with redundant paths
observe LDP, label pushing, swapping and popping, PHP
experiment with the EXP field
MPLS on layer 3 switches
  • QoS extraordinaire
QoS is a fascinating subject......... it is. There are layer 2 and 3 CoS and ToS fields to play with, queueing techniques, bandwidth considerations, VoIP codecs, VAD (voice activity detection: when there is silence no data needs to be sent), playout delay, header compression and a zillion other VoIP things.
  • The almighty campus network
I love working on layer 3 switches; they are a remarkable building block. It's a switch, which means lots of ports, lots of bandwidth and a massive backplane; it can logically separate segments with VLANs and aggregate links together! Then they go and stick a 'router' inside it. Applaud the amazing switch that can route at wire speed, plus all the other router functions.
  • security
No matter what I do I'm always on the defensive, looking at security problems and solutions. I will put my white trilby on and get the friendly neighbourhood BackTrack distribution out to aid the pursuit of backdoors.
That is just a sneak preview of things to come. This blog is open for comments; I want to hear what you think about what I'm doing, what you have done, or general feedback.

martyn