Just another Cisco blog
Archive for January, 2010
Cisco IOS Firewall Tutorial
Jan 25th
A while ago a friend asked me for a write up on IOS Firewall/CBAC. At the time I hadn’t felt like writing about it as I don’t use it much, but I recently had to configure it, so I thought I may as well take a break from Juniper posts and do the article.
The IOS Firewall uses CBAC (Context-Based Access Control) to inspect traffic flows at the upper layers. CBAC inspects the outgoing traffic while maintaining stateful information for each session. It then opens pinholes in the firewall/incoming ACL to allow the appropriate return traffic back in. Something I forgot to point out: CBAC can be very CPU intensive, depending on your traffic. Keep that in mind and do some testing before deploying it on your network. Here’s the topology:

We have our router running IOS firewall, its WAN connection is on Fa0/1 out to the internet, and its LAN connection is on Fa0/0, which connects to some servers and workstations. Let’s configure the firewall:
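The post breaks off before the configuration, so here is an added example (written for this page, not the author's own config) of the CBAC setup described above: inspection applied outbound on Fa0/1, a deny-all ACL inbound, and CBAC's dynamic entries letting return traffic through. The LAN subnet 192.168.1.0/24, the WAN address 203.0.113.2, and the names LAN-OUT and WAN-IN are assumed.

```cisco
! Assumed for this example: Fa0/0 = LAN 192.168.1.0/24, Fa0/1 = WAN (203.0.113.2 is a
! documentation-range placeholder). Rule name LAN-OUT and ACL name WAN-IN are constructed.
!
! Inspection rule. CBAC tracks each outbound session for these protocols and opens a
! temporary return pinhole. Generic tcp/udp/icmp cover most traffic; ftp is listed
! separately so the secondary data channel is tracked as well.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
ip inspect name LAN-OUT ftp
!
! Log session open/close events so the pinholes CBAC creates can be audited.
ip inspect audit-trail
!
! Inbound ACL on the WAN side: nothing is permitted statically. Return traffic for
! inspected sessions matches the dynamic entries CBAC inserts ahead of this deny.
! (The stateless alternative, "permit tcp any any established", would accept any
! packet with ACK/RST set and track no session, which is why inspection is used here.)
ip access-list extended WAN-IN
 deny ip any any
!
interface FastEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
! Verification after a host on the LAN opens a connection outbound:
!   show ip inspect sessions   - lists the tracked sessions
!   show ip inspect config     - confirms the rule and timeouts
!   show ip access-lists WAN-IN - shows the dynamic permit entries CBAC added
```

With the audit trail on, each session open and close is logged, which is the quickest way to confirm the pinholes are being created and torn down as expected.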
Who’s A JNCIA-ER?
Jan 21st
I am!
Last week I decided to put the CCIE on hold for a while due to the new troubleshooting section. I feel like I could use another year or so of experience under my belt before trying to tackle that monster. I’ve been meaning to sit the CCDA exam for a few weeks now, but haven’t really gotten motivated enough to do it. Then I started tinkering with Juniper…
I went through the Fast Track stuff and did the pre-assessment last Sunday to get the 50% off. On a whim, I decided to do some studying and see how bad the test is; with the 50% off it’s only ~$60, so it wouldn’t upset me too bad if I failed.
Basic JUNOS Configuration
Jan 20th
Today we’ll go over a very basic JUNOS configuration: we will configure the hostname, a user account, IP addresses and a default route. The purpose of this article is to provide a look and feel for JUNOS.
First let’s login and take care of the basics:
root> configure
[edit]
root# set system host-name Olive1
[edit]
root# set system login user colby class super-user authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
This is a simple config: we enter configuration mode, set the hostname of the router, then configure a user named “colby” in the “super-user” class. “Super-user” is a pre-defined class in JUNOS; this class has full control of the router.
Anyone familiar with IOS can see that this is pretty different. The commands all start with “set” and they can be quite a bit longer. Let’s take a look at the hierarchical view of what we just did:
system {
    host-name Olive1;
    login {
        user colby {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$IKhmMCbo$XNAWMDS"; ## SECRET-DATA
            }
        }
    }
}
Definitely not what I’m used to, but not so bad. Now we’ll configure the same thing with multiple commands from the hierarchy:
JUNOS First Impressions
Jan 18th
I’ve decided to jump head-first into JUNOS. My short(ish) term goal is to find a position with a service provider. I’ve read that Juniper owns a very significant portion of the SP core, so any exposure to JUNOS can only be a good thing (or so I hope). JUNOS is (obviously) very different from IOS. This is mainly about my experience as an IOS guy starting out with JUNOS.
Likes
- JUNOS is modular, which means more process separation and stability.
- JUNOS has fewer versions (no ipbase, advanced enterprise, etc.).
- Commit feature – This allows you to input multiple commands before making them active.
- Rollback feature – JUNOS saves the last 50 committed configs, allowing you to revert to an old config.
- Command completion is a little better in JUNOS; you can use spacebar or tab. It will also pick up things that IOS wouldn’t, like user-set variables in the config.
Great Perl Script
Jan 15th
Jason from SYN/ACK Networks did a write up on his Perl script (rtrcommander) which helps when you need to modify a large number of routers quickly. I figured I’d post it here so I’ll never lose it; hopefully some of you guys will find it useful as well.
Check out his post for a good explanation. Here’s the script itself:
#!/usr/bin/perl
#
# This file is part of Mr. Audit.
#
# Mr. Audit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Mr. Audit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Foobar. If not, see <http://www.gnu.org/licenses/>.
#
###################################################################################
#
# This script gets the configs for every device in the audit database.
# The configs are used by other scripts for the automated audit.
#
# Mr. Audit was written by Jason Rowley - jrowley<at>convergedinnovations<dot>com
#
# This script is version 2.00
# Last updated September 17, 2009 @ 18:14 EST
#
###################################################################################
use strict;
use warnings;
use Net::Telnet::Cisco;
use Getopt::Std;
use IO::Prompt;
use FileHandle;

### variables
#my $DEBUG = "true";
my $DEBUG = "false";
my $VERSION = "2.0";
my $logfile = "";
my $combined = 0;        # 1 when -l is given: all router output goes to one file
my $username = "";
my $password = "";
my $host = "";
my %opt = ();            # parsed command-line options

### arrays
my @routerlist = ();     # one hostname/IP per line, from the -r file
my @commandlist = ();    # one CLI command per line, from the -c file

###
### Begin main
###
init();
getrtrs();
getcmds();
foreach (@routerlist)
{
    chomp($_);
    next if /^\s*$/;     # skip blank lines in the router list
    $host = $_;
    print "\nHOSTNAME: $host\n";
    openrtr();
    sendcmds();
    closertr();
}
exit;

###
### Initializes stuff
###
sub init
{
    usage() unless $ARGV[0];
    my $opt_string = 'hu:p:r:c:l:';
    getopts( "$opt_string", \%opt ) or usage();
    usage() if $opt{h};
    if (!$opt{u})
    {
        $username = prompt("username: ");
        chomp($username);
    }
    else
    {
        $username = $opt{u};
    }
    if (!$opt{p})
    {
        ### got username, prompt for password (echoed as '*')
        $password = prompt("password: ", -e => '*');
        chomp($password);
    }
    else
    {
        ### a password given with -p is visible to other users in the process list;
        ### the prompt above is the safer choice on shared hosts
        $password = $opt{p};
    }
    if (!$opt{r})
    {
        print "Missing router list\n";
        usage();
        exit;
    }
    if (!$opt{c})
    {
        print "Missing command file\n";
        usage();
        exit;
    }
    if ($opt{l})
    {
        $logfile = $opt{l};
        $combined = 1;
    }
}

###
### Displays help
###
sub usage
{
    print STDERR << "EOF";
New and Improved Router Commander $VERSION
Usage:
$0 [-h] -u <username> [-p <password>] -r <rtrlist> -c <cmdlist> [-l <loglocation>]
-h : prints this message
-u : username
-p : password - if not specified, will be prompted
-r : file containing list of routers
-c : file containing commands to run
-l : file where we should log to; defaults to "ipaddress.log"
Examples:
rtrcmd -u username -p password -r routerlist -c commandlist
rtrcmd -u username -r routerlist -c commandlist -l mycombinedlogfile.txt
EOF
    exit;
}

###
### Get routers
###
sub getrtrs
{
    my $rf = $opt{r};
    open(my $rf_fh, '<', $rf) or die "Cannot open router list $rf: $!";
    @routerlist = <$rf_fh>;
    close($rf_fh);
}

###
### Get commands
###
sub getcmds
{
    my $cf = $opt{c};
    open(my $cf_fh, '<', $cf) or die "Cannot open command file $cf: $!";
    @commandlist = <$cf_fh>;
    close($cf_fh);
}

###
### Send commands
###
sub sendcmds
{
    foreach (@commandlist)
    {
        chomp($_);
        next if /^\s*$/;     # skip blank lines in the command file
        print "Sending: $_\n";
        my @temp = $::OPENRTR->cmd("$_");
        if ($combined == 1)
        {
            ### combined mode: append this router's output to the single log file
            open(my $log, '>>', $logfile) or die "Cannot open log file $logfile: $!";
            print $log @temp;
            close($log);
        }
        ### otherwise Input_log (set in openrtr) already captures the session to $host.log
    }
}

###
### Open a Telnet session to $host and log in
###
sub openrtr
{
    ### Per-router Input_log files are only needed when there is no combined log.
    my %args = (Host => $host, Errmode => "return");
    $args{Input_log} = "$host.log" unless $combined == 1;

    $::OPENRTR = Net::Telnet::Cisco->new(%args);
    unless ($::OPENRTR)
    {
        print "Could not connect to $host\n";
        exit;
    }
    unless ($::OPENRTR->login($username, $password))
    {
        print "Invalid username or password while trying $host\n";
        $::OPENRTR->close;
        exit;
    }
    ### disable paging so long output is not interrupted by --More-- prompts
    my @temp = $::OPENRTR->cmd("term len 0");
}

sub closertr
{
    $::OPENRTR->close;
}