“no ip bootp server” vs “ip dhcp bootp ignore”

October 20, 2008 at 4:12 pm | Posted in Blogroll, IOS services | 1 Comment

Are there any differences between these two commands?

no ip bootp server
ip dhcp bootp ignore

From the command reference, it looks like the latter is just a newer command that replaces the previous legacy one.

For this sort of new-command introduction, no matter which form I type (e.g. for IP SLA, RTR, SAA), I would expect the config to appear in IOS in the newest format.

However, when I type the old command “no ip bootp server” in IOS, it appears exactly as I typed it, and not as the newer command “ip dhcp bootp ignore”, as I would expect.

Cisco IOS IP Addressing Services Command Reference

ip dhcp bootp ignore

To enable a Dynamic Host Configuration Protocol (DHCP) server to selectively ignore and not reply to received Bootstrap Protocol (BOOTP) request packets, use the ip dhcp bootp ignore command in global configuration mode. To return to the default behavior, use the no form of this command.

ip dhcp bootp ignore
Usage Guidelines
A DHCP server can forward ignored BOOTP request packets to another DHCP server if the ip helper-address command is configured on the incoming interface. If the ip helper-address command is not configured, the router will drop the received BOOTP request.

Cisco IOS Configuration Fundamentals Command Reference

ip bootp server

To enable the Bootstrap Protocol (BOOTP) service on your routing device, use the ip bootp server command in global configuration mode. To disable BOOTP services, use the no form of the command.

ip bootp server
no ip bootp server

12.2(8)T  The ip dhcp bootp ignore command was introduced.

Usage Guidelines

By default, the BOOTP service is enabled. When disabled, the no ip bootp server command will appear in the configuration file.

The integrated Dynamic Host Configuration Protocol (DHCP) server was introduced in Cisco IOS Release 12.0(1)T. Because DHCP is based on BOOTP, both of these services share the “well-known” UDP server port of 67 (per RFC 951, RFC 1534, and RFC 2131; the client port is 68). To disable DHCP services (DHCP relay and DHCP server), use the no service dhcp command. To disable BOOTP services (in releases 12.2(8)T and later), but leave DHCP services enabled, use the ip dhcp bootp ignore command.

If both the BOOTP server and DHCP server are disabled, “ICMP port unreachable” messages will be sent in response to incoming requests on port 67, and the original incoming packet will be discarded. If DHCP is enabled, using the no ip bootp server command by itself will not stop the router from listening on UDP port 67.

Examples

In the following example, BOOTP and DHCP services are disabled on the router:

Router(config)# no ip bootp server 
Router(config)# no service dhcp
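The reason a DHCP server can "selectively ignore" BOOTP is that both protocols arrive on UDP/67 with the same RFC 951 fixed header, and the only reliable tell is in the options area: every DHCP message carries option 53 (DHCP Message Type) after the magic cookie (RFC 2131), while a BOOTP client may carry the cookie with vendor extensions (RFC 1534) but never option 53. The following classifier is an added example written for this page, not Cisco code and not the post's own; the packets it builds and all helper names are constructed for the example.

```python
"""Tell plain BOOTP requests from DHCP requests on UDP port 67.

Added example, not from the post or Cisco. Packets and helper names
are this example's own constructions.
"""
import struct

BOOTREQUEST = 1
FIXED_HEADER_LEN = 236                 # op through file fields (RFC 951)
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # 99.130.83.99 (RFC 1497 / RFC 2132)
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def parse_options(area: bytes) -> dict:
    """Parse the TLV option area that follows the magic cookie."""
    opts = {}
    i = 0
    while i < len(area):
        tag = area[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END or i + 1 >= len(area):
            break                      # end marker, or truncated option header
        length = area[i + 1]
        opts[tag] = area[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_port67_request(payload: bytes) -> str:
    """Return 'dhcp', 'bootp' or 'invalid' for a request seen on UDP/67."""
    if len(payload) < FIXED_HEADER_LEN or payload[0] != BOOTREQUEST:
        return "invalid"
    vend = payload[FIXED_HEADER_LEN:]
    # The cookie alone is not enough (RFC 1534 BOOTP clients may send it);
    # option 53 is what RFC 2131 requires in every DHCP message.
    if vend.startswith(MAGIC_COOKIE) and OPT_MSG_TYPE in parse_options(vend[4:]):
        return "dhcp"
    return "bootp"


def build_request(chaddr: bytes, vend: bytes) -> bytes:
    """Construct a minimal BOOTREQUEST (constructed sample, not a captured packet)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0,            # op, htype=Ethernet, hlen, hops
                         0x12345678, 0, 0x8000,           # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + vend


CLIENT_MAC = bytes.fromhex("0000c0ffee01")               # constructed
# DHCPDISCOVER: cookie + option 53 (type 1) + end, padded to the 64-byte area
DHCP_DISCOVER = build_request(
    CLIENT_MAC, MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, OPT_END]).ljust(60, b"\0"))
# Legacy BOOTP: vendor area left empty
BOOTP_LEGACY = build_request(CLIENT_MAC, b"\0" * 64)
# BOOTP with RFC 1534 vendor extensions: cookie + host-name option (12), no option 53
BOOTP_WITH_COOKIE = build_request(
    CLIENT_MAC, MAGIC_COOKIE + bytes([12, 2]) + b"r1" + bytes([OPT_END]))

SAMPLES = {"dhcp discover": DHCP_DISCOVER,
           "bootp legacy": BOOTP_LEGACY,
           "bootp with cookie": BOOTP_WITH_COOKIE}


def classify_samples() -> dict:
    return {name: classify_port67_request(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} -> {verdict}")
```

A router with `ip dhcp bootp ignore` would drop (or, with `ip helper-address`, forward) the two "bootp" samples and still serve the DHCPDISCOVER; `no service dhcp` closes port 67 for all three.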

Configuring MAC Address Notification Traps

September 30, 2008 at 11:06 am | Posted in IOS services, Switching | Leave a comment

MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.

It looks like MAC address logging can NOT be sent to a syslog server!

DOC CD Navigation

  • Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEE
  • Administering the Switch
  • Managing the MAC Address Table
  • Configuring MAC Address Notification Traps

Example:

Switch(config)# snmp-server host 172.20.10.10 traps private
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
Switch(config)# interface fastethernet0/4
Switch(config-if)# snmp trap mac-notification added

Configuring DNS on Cisco IOS routers

September 6, 2008 at 11:56 pm | Posted in IOS services | Leave a comment

Configuration

Client R1#
----------

ip name-server 2.2.2.2
! ip domain-lookup is enabled by default
ip domain-lookup

Server R2#
----------

ip dns server
! ip domain-lookup is enabled by default
ip domain-lookup

ip host R2 2.2.2.2
ip host R1 1.1.1.1
! We can point to another DNS server
ip name-server 61.8.8.8

! but DO NOT point name-server to itself
! NO ip name-server 2.2.2.2

Verification

R1#ping R2

Translating "R2"...domain server (2.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R1#
*Apr  7 11:35:07.163: Domain: query for R2 type 1 to 2.2.2.2
*Apr  7 11:35:07.195: DOM: dom2cache: hostname is R2, RR type=1, class=1, ttl=1, n=4Reply received ok

R2#debug domain
Domain Name System debugging is on
R2#
*Apr  7 02:18:27.683: DNS: Incoming UDP query (id#2)
*Apr  7 02:18:27.683: DNS: Type 1 DNS query (id#2) for host ‘R2’ from 12.0.0.1(58198)
*Apr  7 02:18:27.683: DNS: Query for my own hostname: R2
*Apr  7 02:18:27.683: DNS: Spoofing reply to query (id#2)
*Apr  7 02:18:27.683: DNS: Finished processing query (id#2) in 0.004 secs

REPRODUCE ROUTER CRASH

Router may crash if we configure it as a DNS server, and also point “ip name-server” to itself.

R2#c
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip name-server 2.2.2.2
R2(config)#
R2#
R2#
R2#

!
! R2 successfully serves the DNS queries
! for valid hostnames (when "ping R2" is issued on the R1 router)

R1#ping R2

Translating "R2"...domain server (2.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

*Apr  7 11:35:58.539: Domain: query for R2 type 1 to 2.2.2.2
*Apr  7 11:35:58.571: DOM: dom2cache: hostname is R2, RR type=1, class=1, ttl=1, n=4Reply received ok

R2#
*Apr  7 02:19:19.059: DNS: Incoming UDP query (id#3)
*Apr  7 02:19:19.059: DNS: Type 1 DNS query (id#3) for host ‘R2’ from 12.0.0.1(54174)
*Apr  7 02:19:19.059: DNS: Query for my own hostname: R2
*Apr  7 02:19:19.059: DNS: Spoofing reply to query (id#3)
*Apr  7 02:19:19.059: DNS: Finished processing query (id#3) in 0.000 secs
R2#
R2#

! R2 crashes when "ping R3" is issued on the R1 router

R1#ping R3

Translating "R3"...domain server (2.2.2.2)
*Apr  7 11:36:22.991: Domain: query for R3 type 1 to 2.2.2.2
% Unrecognized host or address, or protocol not running.

timed out

*Apr  7 11:36:55.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to down
*Apr  7 11:36:55.459: %OSPF-5-ADJCHG: Process 1, Nbr 12.0.0.2 on Serial0/1 from FULL to DOWN, Neighbor Down: Interface down or detached

! As R2 cannot resolve an IP for hostname R3, it tries to forward the query to
! the next DNS server, whose IP address is itself, and the request keeps
! looping within R2.

R2#

DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
DNS: Type 1 DNS query (id#4) for host ‘R3’ from 2.2.2.2(53)
DNS: Re-sending DNS query (type 1, id#4) to 2.2.2.2
DNS: Incoming UDP query (id#4)
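The crash above comes from one specific combination: `ip dns server` (the router answers queries) plus an `ip name-server` that is one of the router's own addresses (unresolvable names get forwarded back to itself). That is easy to lint for before the config is pushed. The checker below is an added example written for this page, not the post's own; the sample config is constructed (modelled on R2 above, with a `hostname` line and an interface stanza assumed) and the helper names are this example's own.

```python
"""Lint an IOS config for the DNS self-forwarding loop reproduced above.

Added example, not from the post. Sample config is constructed; helper
names are this example's own.
"""
import re

ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE_ADDR_RE = re.compile(rf"^\s*ip address ({ADDR}) {ADDR}")
HOST_RE = re.compile(rf"^\s*ip host (\S+) ((?:{ADDR}\s*)+)$")
NAME_SERVER_RE = re.compile(rf"^\s*ip name-server ((?:{ADDR}\s*)+)$")
HOSTNAME_RE = re.compile(r"^\s*hostname (\S+)\s*$")
DNS_SERVER_RE = re.compile(r"^\s*ip dns server\s*$")


def parse_config(text):
    """Collect the few facts the check needs from an IOS running-config."""
    facts = {"hostname": None, "dns_server": False, "iface_addrs": set(),
             "hosts": {}, "name_servers": []}
    for line in text.splitlines():
        if DNS_SERVER_RE.match(line):
            facts["dns_server"] = True
        elif (m := HOSTNAME_RE.match(line)):
            facts["hostname"] = m.group(1)
        elif (m := IFACE_ADDR_RE.match(line)):
            facts["iface_addrs"].add(m.group(1))
        elif (m := HOST_RE.match(line)):
            facts["hosts"].setdefault(m.group(1), set()).update(m.group(2).split())
        elif (m := NAME_SERVER_RE.match(line)):
            facts["name_servers"].extend(m.group(1).split())   # several addresses per line allowed
    return facts


def own_addresses(facts):
    """Interface addresses plus any 'ip host' entries for the router's own hostname."""
    own = set(facts["iface_addrs"])
    if facts["hostname"]:
        own |= facts["hosts"].get(facts["hostname"], set())
    return own


def find_self_forwarding(text):
    """Return name-server addresses that would make the router forward queries to itself.

    Only reported when 'ip dns server' is configured: that is the case in which the
    router both answers and forwards, which is what loops in the debug output above.
    """
    facts = parse_config(text)
    if not facts["dns_server"]:
        return []
    own = own_addresses(facts)
    return [ns for ns in facts["name_servers"] if ns in own]


# Constructed sample modelled on R2 above; the hostname line and the
# interface stanza are assumptions, the rest mirrors the post's snippet.
R2_CONFIG = """\
hostname R2
!
interface Serial0/1
 ip address 12.0.0.2 255.255.255.0
!
ip dns server
ip domain-lookup
ip host R2 2.2.2.2
ip host R1 1.1.1.1
ip name-server 61.8.8.8
ip name-server 2.2.2.2
"""

if __name__ == "__main__":
    for ns in find_self_forwarding(R2_CONFIG):
        print(f"ip name-server {ns} points back at this router while ip dns server is enabled")
```

The check deliberately stays quiet when `ip dns server` is absent: a router that only acts as a client and lists itself as a name server fails lookups but does not enter the forwarding loop shown in the debug output.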

Active FTP vs Passive FTP

September 2, 2008 at 1:39 pm | Posted in IOS services | 2 Comments

Resource: Active FTP vs. Passive FTP, a Definitive Explanation

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server’s command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client’s specified data port from its local data port, which is port 20.

From the server-side firewall’s standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
  • FTP server’s port 20 to ports > 1023 (Server initiates data connection to client’s data port)
  • FTP server’s port 20 from ports > 1023 (Client sends ACKs to server’s data port)

This is a problem from a firewall perspective, because the server actively opens a connection to the client's port N+1. It also cannot work through PAT, where a NAT table entry has to be created by traffic from the inside before return traffic is allowed in.

Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
  • FTP server’s ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server’s ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client’s data port)

As an FTP client, routers work in passive mode by default. To enable active mode, we need to configure:

R5(config)#no ip ftp passive
R5(config)#do sh run | in ftp
no ip ftp passive
R5(config)#do copy ftp://150.1.4.1/test.txt null:

The FTP server feature is no longer supported in newer IOS releases for security reasons. In older IOS, the FTP server can be enabled with the following config.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip http server
R1(config)#ftp-server enable
R1(config)#ftp-server topdir flash:

Below are ACLs to allow active and passive FTP traffic:

ip access-list extended FROM_OUTSIDE
! Active FTP
permit tcp any host 150.1.4.1 range ftp-data ftp 
! Passive FTP
permit tcp any host 150.1.4.1 eq ftp
permit tcp any host 150.1.4.1 range 1023 65535
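The reason the passive ACL has to open the whole high-port range is that the data endpoint is negotiated in-band: the client's PORT command and the server's 227 reply to PASV both carry h1,h2,h3,h4,p1,p2 with the port encoded as p1*256 + p2, and only a firewall that parses the control channel (an FTP ALG) can open a single port instead. The decoder below is an added example written for this page, not code from the post or the article it cites; all sample strings and helper names are constructed.

```python
"""Decode the endpoints that active and passive FTP exchange in-band.

Added example, not from the post or the cited article. Sample strings
and helper names are constructed for this example.
"""
import re

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\(" + _SIX + r"\)")


def _decode(groups):
    """Turn the six decimal fields into (host, port), rejecting out-of-range bytes."""
    vals = [int(g) for g in groups]
    if max(vals) > 255:
        raise ValueError("field exceeds one byte")
    host = ".".join(str(v) for v in vals[:4])
    port = vals[4] * 256 + vals[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_port_command(line):
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' names the client's data port (N+1)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def parse_pasv_reply(line, expect_host=None):
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' names port P.

    With expect_host set, a reply advertising a host other than the control-channel
    peer is rejected, the conservative choice for a client or ALG behind a firewall.
    """
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = _decode(m.groups())
    if expect_host is not None and host != expect_host:
        raise ValueError(f"PASV host {host} differs from control peer {expect_host}")
    return host, port


def encode_port(host, port):
    """Build the PORT argument for a client data port (the N+1 in the text)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def active_data_flow(port_cmd, server_ip):
    """Active mode: the server opens the data connection from port 20 to the PORT endpoint."""
    client_ip, client_port = parse_port_command(port_cmd)
    return {"src": (server_ip, 20), "dst": (client_ip, client_port)}


def passive_data_flow(pasv_reply, client_ip, client_port, server_ip=None):
    """Passive mode: the client opens the data connection from N+1 to the advertised endpoint."""
    srv_ip, srv_port = parse_pasv_reply(pasv_reply, expect_host=server_ip)
    return {"src": (client_ip, client_port), "dst": (srv_ip, srv_port)}


if __name__ == "__main__":
    print(active_data_flow("PORT 192,168,1,10,4,1", "150.1.4.1"))
    print(passive_data_flow("227 Entering Passive Mode (150,1,4,1,195,80).",
                            "192.168.1.10", 1025, server_ip="150.1.4.1"))
```

The two `*_data_flow` results are exactly the flows the ACL lines above have to admit: `ftp-data` (20) outbound from the server in active mode, and a server port above 1023 inbound in passive mode.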


Enhanced Object Tracking – Boolean Operator

August 21, 2008 at 5:38 pm | Posted in IOS services | Leave a comment

Object tracking supports boolean operators (and / or), which let us build a compound tracked object for more complex tracking tasks.

Scenario example:

Configure the router in such a way that if 12.0.0.1 is not reachable, AND route 123.0.0.0/8 is lost, the router should change HSRP status from active to standby.

Configuration:

R1#
ip sla monitor 50
type pathEcho protocol ipIcmpEcho 12.0.0.2 source-ipaddr 12.0.0.1
timeout 200
frequency 3
ip sla monitor schedule 50 start-time now

track 50 rtr 50

track 100 ip route 123.0.0.0 255.0.0.0 reachability

track 200 list boolean or
object 50
object 100

interface FastEthernet0/0
ip address 10.1.0.21 255.255.0.0
speed 100
full-duplex
standby 1 ip 10.1.0.1
standby 1 priority 110
standby 1 preempt
standby 1 track 200 decrement 50

Verification

R1#sh ip sla monitor operational-state 50
Entry number: 50
Modification time: 16:20:11.891 UTC Thu Aug 21 2008
Number of Octets Used by this Entry: 53816
Number of operations attempted: 11
Number of operations skipped: 0
Current seconds left in Life: 3567
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 120
Latest operation start time: 16:20:41.915 UTC Thu Aug 21 2008
Latest operation return code: OK

R1#sh track 50
Track 50
Response Time Reporter 50 state
State is Up
1 change, last change 00:00:14
Latest operation return code: OK
Latest RTT (millisecs) 68

R1#sh track 100
Track 100
IP route 123.0.0.0 255.0.0.0 reachability
Reachability is Down (no route)
1 change, last change 00:00:15
First-hop interface is unknown

R1#sh track 200
Track 200
List boolean or
Boolean OR is Up
2 changes, last change 00:00:37
object 50 Up
object 100 Down

Server Load Balancing

August 21, 2008 at 4:56 pm | Posted in IOS services | Leave a comment

Server load balancing basics:

  • IOS Server Load Balancing hides multiple physical machines behind a single virtual IP address, extending NAT logic.
  • Weight can be assigned to individual servers in order to influence load-balancing ratio
  • Sticky connections allow all connections from one client to the same server for consistency
  • Other features such as synguard, caching, fail/unfail detection, etc.

Configuration example:

Rack1R3#sb
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                129.1.3.3       YES NVRAM  up                    down
Serial1/0                  129.1.13.3      YES NVRAM  up                    up
Serial1/1                  129.1.23.3      YES NVRAM  up                    up
Loopback0                  150.1.3.3       YES NVRAM  up                    up

Rack1R3#
ip slb serverfarm SERVERS
predictor leastconns
bindid 1
real 129.1.3.100
weight 16
maxconns 500
inservice
real 129.1.3.101
weight 32
maxconns 1000
inservice
!
ip slb vserver WEB
virtual 150.1.3.100 tcp www
serverfarm SERVERS
idle 1800
synguard 1000
inservice
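To see what the `weight`, `maxconns` and `predictor leastconns` settings above do to traffic, here is a small model of the serverfarm, with sticky client mapping added as well. It is an added example written for this page, not Cisco code and not the post's own: the reals mirror `serverfarm SERVERS` (129.1.3.100 weight 16 maxconns 500, 129.1.3.101 weight 32 maxconns 1000), the selection rule (fewest active connections per unit of weight) is the usual definition of a weighted least-connections predictor, and the tie-break rule, sticky behaviour and client addresses are this example's own assumptions, not a claim about IOS internals.

```python
"""Model of a server farm: weighted least-connections selection, a maxconns
ceiling and sticky client mapping.

Added example, not Cisco code. Tie-break and sticky behaviour are this
model's own choices; client addresses are constructed.
"""
from dataclasses import dataclass


@dataclass
class Real:
    ip: str
    weight: int
    maxconns: int
    inservice: bool = True
    conns: int = 0

    def load(self):
        """Active connections normalised by weight: the predictor's sort key."""
        return self.conns / self.weight

    def available(self):
        return self.inservice and self.conns < self.maxconns


class ServerFarm:
    def __init__(self, reals, sticky=False):
        self.reals = {r.ip: r for r in reals}
        self.sticky = sticky
        self.sticky_map = {}            # client ip -> real ip

    def select(self, client_ip):
        """Pick a real for a new connection from client_ip; None if the farm is full."""
        if self.sticky:
            pinned = self.reals.get(self.sticky_map.get(client_ip))
            if pinned is not None and pinned.available():
                pinned.conns += 1
                return pinned.ip
        candidates = [r for r in self.reals.values() if r.available()]
        if not candidates:
            return None
        # lowest load wins; ties go to the lowest address (tie-break is this model's choice)
        best = min(candidates, key=lambda r: (r.load(), r.ip))
        best.conns += 1
        if self.sticky:
            self.sticky_map[client_ip] = best.ip
        return best.ip

    def release(self, real_ip):
        """A connection to real_ip has closed."""
        self.reals[real_ip].conns -= 1


def build_farm(sticky=False):
    """The serverfarm SERVERS from the post, as model objects."""
    return ServerFarm([Real("129.1.3.100", weight=16, maxconns=500),
                       Real("129.1.3.101", weight=32, maxconns=1000)], sticky=sticky)


def distribution(n, sticky=False):
    """Hand n connections from n distinct clients to the farm and count where they land."""
    farm = build_farm(sticky)
    counts = {ip: 0 for ip in farm.reals}
    for i in range(n):
        counts[farm.select(f"10.0.{i // 256}.{i % 256}")] += 1     # constructed clients
    return counts


if __name__ == "__main__":
    print(distribution(30))     # weights 16:32 give a 1:2 split
```

With no connections released, the 16:32 weights settle into a steady 1:2 split; once a real reaches its `maxconns` it is skipped, and a sticky client keeps returning to its first real even when the other one is less loaded.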

Doc CD navigation

  • Cisco IOS IP Application Services Configuration Guide, Release 12.4
  • Cisco IOS Server Load Balancing

Logging MAC addresses

August 17, 2008 at 11:44 am | Posted in IOS services | 4 Comments

Lab 11 Task 1.6.

  • A recent security breach which involved the compromising of the company’s future business plans was tracked down to a notebook computer that was located in VLAN 28 with a MAC address of 0001.02ac.9ab2. After checking the MAC address tables of SW1 and SW2 you have determined that the notebook computer is not currently plugged into the network.
  • In order to help track down this device in the future configure SW2 to notify the network management station at 187.X.3.100 whenever a new MAC address is learned in VLAN 28.
  • The network management server will be expecting community-string to be CISCOTRAP.

Solution
SW2:
interface FastEthernet0/24
snmp trap mac-notification added
!
snmp-server enable traps MAC-Notification
snmp-server host 187.1.3.100 CISCOTRAP MAC-Notification
mac-address-table notification

Task 1.6 Breakdown
To enable SNMP trapping when a MAC address is added or removed from the CAM table, issue the global configuration commands mac-address-table notification and snmp-server enable traps MAC-Notification. Then, these traps are selectively enabled on a per-interface basis by issuing the snmp trap mac-notifications interface level command. These traps are then forwarded to an NMS station located at 187.1.3.100 using the community string CISCOTRAP.

Task 1.6 Verification

Verify SNMP MAC Address logging configuration:
Rack1SW2#clear mac-address-table dynamic interface fa0/24
Rack1SW2#show mac-address-table notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1 secs
Number of MAC Addresses Added : 1
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 1
Maximum Number of entries configured in History Table : 1
Current History Table Length : 1
MAC Notification Traps are Enabled
History Table contents
----------------------
History Index 0, Entry Timestamp 348747, Despatch Timestamp 348747
MAC Changed Message :
Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
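Since the earlier post found that MAC notifications cannot be sent to syslog, the practical way to act on them without an NMS is to poll the history table and match it against a watch list. The parser below is an added example for this post and the "Configuring MAC Address Notification Traps" post above; it is not from the workbook or Cisco. It reads the "History Table contents" block in the format shown above and reports Added events for watched MACs, here the notebook's 0001.02ac.9ab2 in VLAN 28. The sample output is constructed following that format, and the assumption that one history entry can carry several Operation lines is this example's own.

```python
"""Parse "show mac-address-table notification" history and alert on watched MACs.

Added example, not from the workbook or Cisco. Sample output is constructed
in the format shown on the page; helper names are this example's own.
"""
import re

INDEX_RE = re.compile(r"^History Index (\d+), Entry Timestamp (\d+), Despatch Timestamp (\d+)")
OP_RE = re.compile(r"^Operation: (Added|Removed) Vlan: (\d+) MAC Addr: "
                   r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) Dot1dBasePort: (\d+)")


def parse_history(text):
    """Return a list of history entries, each with its list of MAC changes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = INDEX_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "entry_ts": int(m.group(2)),
                       "dispatch_ts": int(m.group(3)), "changes": []}
            entries.append(current)
            continue
        m = OP_RE.match(line)
        if m and current is not None:
            current["changes"].append({"op": m.group(1), "vlan": int(m.group(2)),
                                       "mac": m.group(3).lower(), "port": int(m.group(4))})
    return entries


def find_watched(entries, watchlist, vlan=None):
    """Report Added events for watched MACs (optionally restricted to one VLAN)."""
    watch = {m.lower() for m in watchlist}
    hits = []
    for entry in entries:
        for c in entry["changes"]:
            if c["op"] == "Added" and c["mac"] in watch and (vlan is None or c["vlan"] == vlan):
                hits.append({"index": entry["index"], "timestamp": entry["entry_ts"], **c})
    return hits


# Constructed sample in the format of the show output above (assumes an
# entry may list several Operation lines when the trap interval bundles them).
SAMPLE_OUTPUT = """\
MAC Notification Feature is Enabled on the switch
History Table contents
----------------------
History Index 0, Entry Timestamp 348747, Despatch Timestamp 348747
MAC Changed Message :
Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
History Index 1, Entry Timestamp 351120, Despatch Timestamp 351120
MAC Changed Message :
Operation: Added Vlan: 28 MAC Addr: 0001.02AC.9AB2 Dot1dBasePort: 24
Operation: Removed Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
"""

WATCHLIST = {"0001.02ac.9ab2"}      # the notebook from the task


def alerts():
    return find_watched(parse_history(SAMPLE_OUTPUT), WATCHLIST, vlan=28)


if __name__ == "__main__":
    for hit in alerts():
        print(f"ALERT: watched MAC {hit['mac']} seen in VLAN {hit['vlan']} on port "
              f"{hit['port']} (history index {hit['index']}, timestamp {hit['timestamp']})")
```

MAC addresses are normalised to lower case before comparison, since the show output and a hand-typed watch list rarely agree on case; `history-size` on the switch bounds how far back a poll can see, so the poll interval has to be shorter than the time it takes to fill the table.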

Logging all changes made to a router

August 16, 2008 at 3:54 pm | Posted in Blogroll, IOS services | Leave a comment

The task is to configure the router to log all changes made to the running configuration and to send the logs to a syslog server. If the syslog server is not available, log the changes locally, keeping a maximum of 500 entries.

RSRack1R6#
archive
log config
logging enable
logging size 500
notify syslog
logging 187.1.5.155

! Testing: enter a command, then remove it afterward
ip dhcp excluded-address 1.1.1.1 1.1.1.100
no ip dhcp excluded-address 1.1.1.1 1.1.1.100

RSRack1R6#sh archive log config all
idx   sess           user@line      Logged command
1     1        console@console  |  logging enable
2     1        console@console  |  logging size 500
3     1        console@console  |  notify syslog
4     1        console@console  |  exit
5     1        console@console  |   exit
6     1        console@console  |logging 187.1.5.155
7     2        console@console  |ip dhcp excluded-address 1.1.1.1 1.1.1.100
8     3        console@console  |no ip dhcp excluded-address 1.1.1.1 1.1.1.100
Doc CD Navigation

  • Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4
  • Part 8: Managing Configuration Files
  • Configuration Change Notification and Logging
  • Configuration Examples for the Configuration Change Notification and Logging Feature

TCL script to check end to end reachability

August 10, 2008 at 1:15 pm | Posted in Blogroll, IOS services | Leave a comment

TCL is a great tool to check full reachability. Below is a simple script to check end to end connectivity:

tclsh
foreach i {
150.1.1.1
192.10.1.1
141.1.123.1
}  {ping $i}

However, for a large network with many IPs to check, the output of this ping script can be hard to read. An "improved" version is below, which only prints the IP address for successful pings, so the unreachable ones really stand out.

tclsh
proc ping-igp {} {
  foreach i {
    150.1.1.1
    192.10.1.1
    141.1.123.1
  } {
    # "ping <ip> timeout 1" is run as an IOS command; "!!!" in its output means success
    if { [regexp "!!!" [exec "ping $i timeout 1"]] } { puts "$i" } else { puts "$i  failed" }
  }
}

To invoke this script, just type ping-igp under the TCL shell prompt. The output is something like:

150.1.1.1
192.10.1.1 — failed
141.1.123.1

How to enter ‘?’ as a part of password

August 9, 2008 at 2:12 pm | Posted in Blogroll, IOS services | Leave a comment

You can use Ctrl-V or Esc Q to tell the system to accept the following keystroke as a user-configured command entry (rather than as an editing command).

For example, to enter the following command in IOS

username cisco password c?sco

we need to type (without space in the password):

username cisco password c Ctrl-v ?sco      or
username cisco password c Esc-q ?sco

Doc CD Navigation

  • Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4
  • Part 1: Using the Cisco IOS Command-Line Interface (CLI)
  • Using the Cisco IOS Command-Line Interface
  • Using CLI Editing Features and Shortcuts
  • Designating a Keystroke as a Command Entry

Designating a Keystroke as a Command Entry

You can configure the system to recognize a particular keystroke (key combination or sequence) as a command alias. In other words, you can set a keystroke as a shortcut for executing a command. To enable the system to interpret a keystroke as a command, use either of the following key combinations before entering the command sequence:

Keystrokes            Purpose
Ctrl-V or Esc, Q      Configures the system to accept the following keystroke as a user-configured command entry (rather than as an editing command).

