
Cisco Dual Wan Fail-Over using SLA Tracking July 3, 2009

Posted by daakeung in Cisco, IT.
Maintaining a highly available connection is critical in any modern network infrastructure. Some sites have internet access via multiple ISPs.
In most cases the ISPs will not peer with the customer via any routing protocol, so customers are left to set up fail-over with static routes.
There are two types of failure:
  1. Physical: the router detects that one of its interfaces is down and invalidates any route whose next hop is reached through it, so traffic moves to another valid route with a higher metric.
  2. Logical: the router's interface is up, but somewhere along the path it has to take to reach the destination connectivity is unavailable.
A basic floating static route (a second default route with a higher metric) will not fail over on a logical failure, because the primary route stays in the routing table as long as the interface is up.
Using IP SLA tracking, we can accomplish this.
Consider the following diagram and configuration:
Cisco Dual WAN

Cisco IOS used: c181x-adventerprisek9-mz.124-24.T

! Identify the SLA.
ip sla 10

! Set up the IP address to ping, in this case a yahoo.com IP.
icmp-echo 69.147.114.224

! Set how long in milliseconds to wait for a reply.
timeout 1000

! Repeat rate in seconds.
frequency 3

! Start SLA 10 from now to forever.
ip sla schedule 10 life forever start-time now

! Set up track 10 to follow SLA 10 for reachability.
track 10 ip sla 10 reachability

! Host route for the probe target, so the reachability test always leaves via the primary link.
ip route 69.147.114.224 255.255.255.255 10.0.0.1

! Set up the primary default route with the track 10 parameter.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10

! Set up the fail-over default route with a higher metric (administrative distance 20).
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20
Depending on your configuration, you will need to set up NAT on both WAN interfaces.


Cisco OSPF and Windows RRAS OSPF May 24, 2009

Posted by daakeung in Cisco, IT, Microsoft.

I’ve been battling with getting Windows RRAS OSPF and Cisco IOS OSPF to become neighbours for the past few days.

If you turn on OSPF debugging in Windows and the following shows up:

Rejected an OSPF packet from x.x.x.x to 224.0.0.5 because the OSPF data length in the OSPF header was 48 but the length calculated from the IP Header fields was 60.

You should disable LLS (link-local signaling) under the OSPF process on the Cisco IOS side:

router ospf 100
 no capability lls
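The length mismatch in that RRAS message is exactly what an LLS data block looks like on the wire: IOS appends the block after the OSPF packet, so the OSPF header length (48) is shorter than the IP payload (60). The following is an added example, not code from the original post: it builds a constructed OSPFv2 Hello with the 12-byte LLS block defined in RFC 5613 (LLS checksum, LLS length in 32-bit words, and one Extended Options TLV) and shows how a parser can tell an LLS trailer apart from a genuinely malformed packet by checking the L-bit in the Hello options and the LLS length field.

```python
import struct

OSPF_HEADER_LEN = 24
LLS_OPTION_BIT = 0x10  # L-bit in the OSPF options field announces an LLS block (RFC 5613)


def build_hello_with_lls():
    """Constructed sample packet (not a capture): OSPFv2 Hello, one neighbor, plus LLS."""
    hello_body = struct.pack(
        "!4sHBBI4s4s4s",
        bytes([255, 255, 255, 0]),  # network mask
        10,                         # hello interval
        0x02 | LLS_OPTION_BIT,      # options: E-bit plus L-bit
        1,                          # router priority
        40,                         # router dead interval
        bytes([10, 0, 0, 1]),       # designated router
        bytes([10, 0, 0, 2]),       # backup designated router
        bytes([10, 0, 0, 2]),       # one neighbor router ID
    )
    ospf_len = OSPF_HEADER_LEN + len(hello_body)  # 24 + 24 = 48, as in the RRAS message
    header = struct.pack(
        "!BBH4s4sHH8s",
        2, 1, ospf_len,             # version 2, type 1 (Hello), packet length
        bytes([10, 0, 0, 1]),       # router ID
        bytes(4),                   # area 0.0.0.0
        0, 0, bytes(8),             # checksum (left 0 here), AuType null, authentication
    )
    # LLS block: checksum, length in 32-bit words (3 = 12 bytes), Extended Options TLV
    lls = struct.pack("!HHHHI", 0, 3, 1, 4, 0x00000001)
    return header + hello_body + lls


def diagnose(ip_payload):
    """Compare the OSPF header length with the IP payload length, as RRAS does."""
    _version, ptype, ospf_len = struct.unpack("!BBH", ip_payload[:4])
    trailing = len(ip_payload) - ospf_len
    result = {
        "ospf_length": ospf_len,
        "ip_payload_length": len(ip_payload),
        "trailing_bytes": trailing,
        "lls_block": False,
    }
    if trailing <= 0:
        return result
    # Hello options byte sits after the 24-byte header, 4-byte mask and 2-byte interval.
    options = ip_payload[OSPF_HEADER_LEN + 6] if ptype == 1 else None
    block = ip_payload[ospf_len:]
    if len(block) >= 4:
        lls_words = struct.unpack("!H", block[2:4])[0]
        if lls_words * 4 == trailing and (options is None or options & LLS_OPTION_BIT):
            result["lls_block"] = True
    return result


if __name__ == "__main__":
    print(diagnose(build_hello_with_lls()))
```

Disabling `capability lls` on the IOS side removes the trailer, so the two lengths agree again and RRAS accepts the Hello; nothing about the OSPF packet itself was wrong.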

Also, if you are running ISA Server with RRAS, you should disable “block fragmentation”.

For more information:

http://technet.microsoft.com/en-us/library/cc302678.aspx#NetworkAndRoutingIssues

http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_c1g.html#wp1036468

Using Cisco IOS to determine Serial Number May 8, 2009

Posted by daakeung in Cisco, IT.

Have any of you ever had to find out the S/N of a remote Cisco IOS device?

You can issue the following IOS command:

show inventory

This produces the PID (the model number of the device) along with the serial number of the chassis and any modules, which is useful when auditing your network.
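Collected across many devices, that output is only useful if it can be parsed and compared against an asset register. The following is an added example, not from the original post: it parses the NAME/DESCR and PID/VID/SN line pairs that `show inventory` prints and flags serial numbers that are not in a known-asset list. The sample output and the serial numbers in it are constructed placeholders, not real device data.

```python
import re

# Constructed sample of "show inventory" output; PIDs and serials are placeholders.
SAMPLE_SHOW_INVENTORY = """\
NAME: "1811 chassis", DESCR: "1811 chassis"
PID: CISCO1811/K9      , VID: V04 , SN: EXAMPLESN0001

NAME: "FastEthernet0", DESCR: "Onboard FastEthernet"
PID: MODULE-EXAMPLE    , VID:     , SN:
"""

ENTRY_RE = re.compile(
    r'NAME:\s*"(?P<name>[^"]*)",\s*DESCR:\s*"(?P<descr>[^"]*)"\s*\n'
    r'PID:\s*(?P<pid>\S*)\s*,\s*VID:\s*(?P<vid>\S*)\s*,\s*SN:\s*(?P<sn>\S*)'
)


def parse_show_inventory(text):
    """Return one dict per inventory entry (name, descr, pid, vid, sn)."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def chassis_serial(entries):
    """The serial that identifies the device: first entry named 'chassis' with a non-empty SN."""
    for entry in entries:
        if "chassis" in entry["name"].lower() and entry["sn"]:
            return entry["sn"]
    return None


def unknown_serials(entries, asset_register):
    """Serials present on the device but missing from the asset register (empty SNs ignored)."""
    return sorted({e["sn"] for e in entries if e["sn"] and e["sn"] not in asset_register})


if __name__ == "__main__":
    inventory = parse_show_inventory(SAMPLE_SHOW_INVENTORY)
    print(chassis_serial(inventory))
    print(unknown_serials(inventory, {"SOMEOTHERSN"}))
```

Empty SN fields are common for onboard ports and are skipped deliberately; only components that actually report a serial are compared against the register.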

Setting up onboard Dialout v.92 modem on cisco 1811 April 9, 2009

Posted by daakeung in Cisco, IT.

I’ve trawled the internet looking for ways to configure the V.92 modem on a Cisco 1811, and have managed to paste together pieces to make a dial-up connection from the router. Please note this configuration will not work with the AUX port.

interface Async1
no ip address
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive

!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer remote-name ***ISP NAME***
dialer idle-timeout 2000
dialer string ***NUMBER***
dialer hold-queue 10
dialer-group 1
no peer default ip address
ppp authentication pap chap callin
ppp chap hostname ***USERNAME***
ppp chap password 0 ***PASSWORD***
!

! Modify access-list 123 to mark the interesting traffic that brings up the dial-up connection.
access-list 123 permit ip any any
dialer-list 1 protocol ip list 123

Enabling SSH on cisco IOS March 12, 2009

Posted by daakeung in Cisco.

As many of you know, Telnet is insecure for configuring remote devices: anyone who can intercept the traffic can read it in plain text.

The secure alternative is SSH.

SSH encrypts your commands as well as the usernames and passwords.

To configure SSH on Cisco IOS, first define a hostname and domain name (both are needed to name the RSA key pair):

Router(config)#hostname test
test(config)#ip domain name akeung.com

Define a local account:

test(config)# username darryl password test

Enable AAA new-model:

test(config)#aaa new-model

Generate the RSA key pair:

test(config)#crypto key generate rsa
The name for the keys will be: test.akeung.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

Set SSH to version 2:

test(config)#ip ssh version 2

Set the SSH authentication retries:

test(config)#ip ssh authentication-retries 3

And finally, change the VTY line transport from Telnet to SSH:

test(config)#line vty 0 4
test(config-line)#transport input ssh
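Each of those steps leaves a line in the running configuration, so the result can be audited offline before the change window closes. The following is an added example, not part of the original post: it checks a saved `show running-config` text for the global settings above and, for every `line vty` block, for a `transport input ssh` that excludes Telnet. Both configuration snippets are constructed for the example; the key size chosen during `crypto key generate rsa` is not recorded in the configuration text, so it is outside what this check can see.

```python
# Constructed "before" configuration: Telnet still reachable, nothing SSH-related set.
CONSTRUCTED_CONFIG_BEFORE = """\
hostname test
!
line vty 0 4
 password test
 login
!
end
"""

# Constructed "after" configuration following the steps in the post.
CONSTRUCTED_CONFIG_AFTER = """\
hostname test
ip domain name akeung.com
aaa new-model
ip ssh version 2
ip ssh authentication-retries 3
!
line vty 0 4
 transport input ssh
!
end
"""


def vty_blocks(config):
    """Collect each 'line vty' section with its indented sub-commands."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = {"header": line.strip(), "lines": []}
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current["lines"].append(line.strip())
        else:
            current = None  # any non-indented line ends the section
    return blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    if not any(l.startswith(("ip domain name", "ip domain-name")) for l in global_lines):
        findings.append("no domain name configured; RSA key pair cannot be generated for SSH")
    if "aaa new-model" not in global_lines:
        findings.append("aaa new-model missing")
    if "ip ssh version 2" not in global_lines:
        findings.append("ip ssh version 2 not set; the router may still negotiate SSHv1")
    blocks = vty_blocks(config)
    if not blocks:
        findings.append("no line vty section found")
    for block in blocks:
        transports = [l for l in block["lines"] if l.startswith("transport input")]
        if not transports:
            findings.append(f'{block["header"]}: no explicit transport input; platform default applies and may permit Telnet')
        elif transports[-1] != "transport input ssh":
            findings.append(f'{block["header"]}: "{transports[-1]}" still permits a non-SSH transport')
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONSTRUCTED_CONFIG_BEFORE), ("after", CONSTRUCTED_CONFIG_AFTER)):
        print(name, audit_ssh(cfg) or "OK")
```

The last `transport input` in a block wins because IOS keeps only the most recent setting; a block that ends with `transport input telnet ssh` is reported even if an earlier line said `ssh` only.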


Using an access list on a Cisco Device which has an interface configured for dhcp April 29, 2008

Posted by daakeung in Cisco.

Came across this one today at work while securing one of my routers.

If you intend to secure your Cisco device using an access-list on the WAN interface but still need the WAN interface to receive a DHCP address, your access-list should look something like this:

permit udp any eq bootps any eq bootpc
permit udp any eq bootps any eq bootps
deny ip any any

Always end your wan port access-list by locking everything else off.
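To see why the first line matters, it helps to run a few packets through the list. The following is an added example, not from the original post: a toy first-match ACL evaluator (supports only `any` addresses and `eq` port matches, with the implicit deny at the end) applied to the three entries above. A DHCP OFFER or ACK from a server arrives from UDP port 67 (bootps) to port 68 (bootpc), which the first line permits; a packet to port 68 from some other source port, or an inbound Telnet attempt, is denied.

```python
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# The access-list from the post, as text lines.
ACL_FROM_POST = [
    "permit udp any eq bootps any eq bootpc",
    "permit udp any eq bootps any eq bootps",
    "deny ip any any",
]


def _take_addr_port(tokens):
    """Consume one address ('any' only in this toy) and an optional 'eq <port>'."""
    addr = tokens.pop(0)
    if addr != "any":
        raise ValueError("toy evaluator supports only 'any' addresses")
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
    return addr, port


def parse_ace(line):
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    _src, sport = _take_addr_port(rest)
    _dst, dport = _take_addr_port(rest)
    return {"action": action, "proto": proto, "sport": sport, "dport": dport}


def evaluate(acl_lines, proto, sport, dport):
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


if __name__ == "__main__":
    print("DHCP OFFER 67->68:", evaluate(ACL_FROM_POST, "udp", 67, 68))
    print("Telnet to router:  ", evaluate(ACL_FROM_POST, "tcp", 40000, 23))
```

Note that a DHCP ACL written with `eq bootpc` on the destination alone would also accept UDP from any source port; pinning the source to bootps is what keeps the hole as narrow as the client actually needs.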

Cisco Password Recovery April 19, 2008

Posted by daakeung in Cisco, IT.

Here’s a list I came across of recovery procedures for Cisco devices:

http://www.cisco.com/warp/public/474/index.shtml

GT&T Woes : Losing connectivity after couple seconds with public dhcp reservation from GT&T April 9, 2008

Posted by daakeung in Cisco.

here we go again……..sigh……..why why why why, but why……lol.
A company I work for has been trying to set up a VPN connection over DSL for quite some time now (close to 2 years). Apparently, the way GT&T assigns a static public IP address to the DSL line is by DHCP reservation, which has to be matched to your MAC address. Putting all this gibberish aside: when you get the lease, IP connectivity works for a few seconds and then drops. Keep in mind we are using a Cisco 1811 router.

When performing a debug dhcp, the lease time shows as:

*Mar 31 17:58:54.307: DHCP: SRequest placed lease len option: 0

This looked strange, so I called them up and they said that leases last for 30 mins.

So I manually configured the interface as follows:

interface FastEthernet0
 ip dhcp client lease 0 0 30
 ip address dhcp
 duplex auto
 speed auto

I released and renewed the lease, and the debug dhcp output was:

*Mar 31 18:02:33.859: DHCP: SRequest placed lease len option: 1800

So far connectivity has stayed up and hasn’t fallen off (as yet).

Hope this has been helpful.