Wednesday, 5 August 2020

SNMPv3 config on Cisco routers/Switches

   
1) Create an access list that permits only the SNMP management servers (the hosts allowed to poll the device).

access-list 10 permit 10.10.10.10
access-list 10 permit 10.10.10.11
access-list 10 permit 10.10.10.12

Every SNMP server must be permitted in this ACL; any other source is dropped by the implicit deny at the end of the list.

2) Now create the SNMPv3 group with the command below (security level auth, bound to ACL 10).

snmp-server group GROUP1 v3 auth access 10

3) Create the SNMPv3 user in the group "GROUP1" (MD5 authentication, AES-128 privacy).

snmp-server user SNMP_USER GROUP1 v3 auth md5 PASSWORD-AUTH priv aes 128 PASSWORD2-PRIV

GROUP1, SNMP_USER, PASSWORD-AUTH and PASSWORD2-PRIV (shown in bold in the original) are placeholders; replace them with your own values.

Monday, 3 August 2020

Enable Password vs Enable Secret command on cisco routers/switches

We all know that the enable password is used to move from user EXEC mode to privileged EXEC mode.

The enable password command stores the password in the configuration in unencrypted (clear-text) form, whereas the enable secret command stores it hashed with the MD5 algorithm.

The enable secret command is always recommended.

When both are configured, the enable secret takes precedence over the enable password.
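As an added example (not part of either post above, and not Cisco's own tooling), a small Python audit that reads a Cisco IOS configuration excerpt and flags the points the two posts make: SNMPv3 groups without an access ACL or configured with noauth, SNMPv3 users without priv or auth, leftover v1/v2c community strings, and an enable password that is still present next to the enable secret. The configuration text is constructed for illustration and the enable secret hash in it is a placeholder. Note that IOS does not display snmp-server user lines in show running-config, so in practice those lines come from show snmp user or from the commands as they were entered.

```python
import re
from typing import List

# Constructed sample of a running-config excerpt (not from a real device).
# The enable secret value is a placeholder, not a real MD5 digest.
SAMPLE_CONFIG = """\
enable password cisco123
enable secret 5 $1$PLCH$placeholder-not-a-real-hash
access-list 10 permit 10.10.10.10
access-list 10 permit 10.10.10.11
snmp-server group GROUP1 v3 priv access 10
snmp-server group LEGACY v3 noauth
snmp-server user SNMP_USER GROUP1 v3 auth sha AUTHPASS priv aes 128 PRIVPASS
snmp-server user OLDUSER LEGACY v3 auth md5 AUTHPASS
snmp-server community public RO
"""

# snmp-server group <name> v3 {noauth|auth|priv} [read v] [write v] [notify v] [access acl]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(?P<rest>.*)$")
# snmp-server user <name> <group> v3 [auth {md5|sha} pw] [priv {des|3des|aes 128|...} pw]
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b(?P<rest>.*)$")
# The access keyword is followed by an ACL number or name (or "ipv6 <name>").
ACL_RE = re.compile(r"\baccess (?:ipv6 \S+ )?\S+")


def audit_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    has_secret = False
    has_enable_password = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("enable secret"):
            has_secret = True
        elif line.startswith("enable password"):
            # Clear text, or reversible type 7 if service password-encryption is on.
            has_enable_password = True
        elif line.startswith("snmp-server community"):
            findings.append(f"v1/v2c community string configured: {line}")
        elif (m := GROUP_RE.match(line)):
            name, level, rest = m.group(1), m.group(2), m.group("rest")
            if level == "noauth":
                findings.append(f"group {name}: noauth allows unauthenticated requests")
            if not ACL_RE.search(rest):
                findings.append(f"group {name}: no 'access' ACL, any source may query it")
        elif (m := USER_RE.match(line)):
            name, group, rest = m.group(1), m.group(2), m.group("rest")
            if " auth " not in rest:
                findings.append(f"user {name} (group {group}): no auth, requests are not authenticated")
            if " priv " not in rest:
                findings.append(f"user {name} (group {group}): no priv, SNMP payload travels in clear")
    # The secret wins when both exist, but the clear-text password still leaks.
    if has_enable_password and has_secret:
        findings.append("enable password is set but ignored (enable secret takes precedence); remove it")
    elif has_enable_password:
        findings.append("only enable password is set; replace it with enable secret")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the audit reports the LEGACY group twice (noauth and no ACL), OLDUSER for missing priv, the public community string, and the redundant enable password; GROUP1 and SNMP_USER, configured as the first post describes, produce no finding.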

Thursday, 18 June 2020

uRPF and its modes: Strict vs Loose

Unicast Reverse Path Forwarding (Unicast RPF) is a security feature that addresses attacks using spoofed source addresses. It is recommended on the Layer 3 interfaces of routers: the router verifies the reachability of the source address of each incoming packet and drops the packet if the source address is not valid.

Unicast RPF works in one of the modes below:

1. Strict mode: the router performs two checks:

    A. The router looks up the source address of the packet in the routing table and drops the packet if no route to the source address is present.
    B. The router makes sure the source of the incoming packet is reachable through the same interface the packet arrived on. It drops the packet if the source address is learned via a different interface than the one the packet came in on (as happens with asymmetric routing).

Command:-

int eth1/1
ip verify unicast reverse-path    --<<< Old command but still available on some platforms
      or
ip verify unicast source reachable-via rx

2. Loose mode (default mode): the router only makes sure that a route for the source address is present in the routing table; the ingress interface is not checked.

int eth1/1
ip verify unicast source reachable-via any

Note:- The matching criteria above do not apply to the default route: traffic whose source address matches only the default route is dropped. The "allow-default" keyword changes this behaviour so that traffic is allowed when the source address matches only the default route.
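To make the strict/loose/allow-default decision concrete, here is an added Python simulation of the uRPF check (illustration written for this page, not Cisco code; the routing table, interface names and packets are constructed). It does a longest-prefix lookup of the source address, then applies the mode rules described above: no route means drop, a match on the 0.0.0.0/0 route counts only with allow-default, and strict mode additionally requires that the best route point back out the ingress interface.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, interface the prefix is reached through).
# 10.1.5.0/24 is deliberately reached via eth1/2 although its parent 10.1.0.0/16
# is via eth1/1, to show how asymmetric routing trips strict mode.
ROUTING_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth1/3"),
    ("10.1.0.0/16", "eth1/1"),
    ("10.2.0.0/16", "eth1/2"),
    ("10.1.5.0/24", "eth1/2"),
]


def lookup(src: str, table=ROUTING_TABLE) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match for src; returns (prefix, interface) or None if unrouted."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src: str, ingress: str, mode: str, allow_default: bool = False,
               table=ROUTING_TABLE) -> Tuple[bool, str]:
    """Decide whether a packet from src arriving on ingress passes uRPF.

    mode is "strict" (reachable-via rx) or "loose" (reachable-via any);
    allow_default models the allow-default keyword.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = lookup(src, table)
    if match is None:
        return False, "drop: no route for source address"
    net, iface = match
    # A match on 0.0.0.0/0 alone does not count unless allow-default is set.
    if net.prefixlen == 0 and not allow_default:
        return False, "drop: source matches only the default route"
    # Strict mode: the best route must point back out the ingress interface.
    if mode == "strict" and iface != ingress:
        return False, f"drop: best route via {iface}, packet arrived on {ingress}"
    return True, f"accept: source covered by {net} via {iface}"


if __name__ == "__main__":
    cases = [
        ("10.1.2.3", "eth1/1", "strict", False),   # symmetric path, accepted
        ("10.1.5.9", "eth1/1", "strict", False),   # asymmetric path, strict drops
        ("10.1.5.9", "eth1/1", "loose", False),    # loose only needs a route
        ("192.0.2.7", "eth1/1", "loose", False),   # default route only, dropped
        ("192.0.2.7", "eth1/1", "loose", True),    # allow-default lets it through
    ]
    for src, ingress, mode, allow in cases:
        ok, why = urpf_check(src, ingress, mode, allow)
        print(f"{src:<10} on {ingress} {mode:<6} allow-default={allow!s:<5} -> {why}")
```

The asymmetric case is the one to watch operationally: 10.1.5.9 is a perfectly valid source, yet strict mode on eth1/1 drops it because the more specific route points at eth1/2. That is why loose mode is the usual choice on interfaces where return traffic may take another path.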






Wednesday, 17 June 2020

BGP: x.x.x.x Active open failed - no route to peer, open active delayed 9216ms (35000ms max, 60% jitter)




I was working on an issue and got the above logs while debugging BGP on a Cisco router.

Below are the two things to check to resolve such issues.

1. A specific route to the BGP neighbor's IP address. The BGP session depends on it, and a default route is not enough (hence "no route to peer").

2. eBGP multihop. Make sure ebgp-multihop is configured on the neighbor when forming an eBGP session between routers that are not directly connected.

Monday, 2 March 2020

Cisco Traditional Vs Smart Licensing

Below are a few important differences between Cisco traditional licensing and the new Smart Licensing.

Traditional (node-locked) licensing vs Smart (dynamic) licensing:

1. Traditional: Manual, individual license procurement and installation.
   Smart: The device initiates a call home and requests the licenses it needs.

2. Traditional: Node-locked licenses - the license is associated with a specific device.
   Smart: Pooled licenses - licenses are company account-specific and can be used with any compatible device in your company. You can activate or deactivate different types of licenses on a device without installing a license file on it.

3. Traditional: No common install base location to view licenses purchased or software usage trends.
   Smart: Licenses are stored securely on Cisco servers and are accessible at all times.

4. Traditional: No easy means to transfer licenses from one device to another.
   Smart: Licenses can be moved between product instances without a license transfer. This greatly simplifies reassignment of a software license as part of the Return Material Authorization (RMA) process.

5. Traditional: Limited visibility into all software licenses being used in the network; licenses are tracked only on a per-node basis.
   Smart: Complete view of all Smart Software Licenses used in the network, through a consolidated usage report of software licenses and devices in one easy-to-use portal.

Tuesday, 18 February 2020

Friday, 14 February 2020

ISR 4331/4531 features in Evaluation mode


Below are the features available in Evaluation mode (output of show license feature).

#sh license feature

Feature name      Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9            yes          yes         no            no       yes
uck9              yes          yes         no            no       yes
securityk9        yes          yes         no            yes      yes
ipbasek9          no           no          no            yes      no
cme-srst          yes          yes         no            no       yes
hseck9            yes          no          no            yes      no
throughput        yes          yes         no            no       yes
internal_service  yes          no          no            no       no

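As an added example (not from the post and not a Cisco tool), a Python parser for the show license feature table above, together with two derived views that are useful when tracking evaluation timers. The embedded text is the table from this post; the interpretation of the flags is an assumption of this example: a feature with Enabled=yes and Evaluation=yes is taken to be running on the evaluation entitlement, and RightToUse=yes with Enabled=no as an RTU package that has not been activated yet.

```python
from typing import Dict, List

# The show license feature output from the post above (ISR 4331 sample).
SHOW_LICENSE_FEATURE = """\
Feature name Enforcement Evaluation Subscription Enabled  RightToUse
appxk9         yes          yes         no         no     yes
uck9           yes          yes         no         no     yes
securityk9     yes          yes         no         yes    yes
ipbasek9       no           no          no         yes    no
cme-srst       yes          yes         no         no     yes
hseck9         yes          no          no         yes    no
throughput     yes          yes         no         no     yes
internal_service yes        no          no         no       no
"""


def parse_license_features(output: str) -> Dict[str, Dict[str, bool]]:
    """Parse the whitespace-aligned table into {feature: {column: bool}}."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0].split()
    # The first column header is two words ("Feature name"); the yes/no columns follow.
    columns = header[2:]
    features: Dict[str, Dict[str, bool]] = {}
    for line in lines[1:]:
        parts = line.split()
        name, flags = parts[0], parts[1:]
        if len(flags) != len(columns):
            raise ValueError(f"unexpected number of columns in line: {line!r}")
        features[name] = {col: flag.lower() == "yes" for col, flag in zip(columns, flags)}
    return features


def enabled_on_evaluation(features: Dict[str, Dict[str, bool]]) -> List[str]:
    """Enabled features running on the evaluation entitlement (assumption: Enabled and Evaluation both yes)."""
    return [name for name, f in features.items() if f["Enabled"] and f["Evaluation"]]


def rtu_available_but_off(features: Dict[str, Dict[str, bool]]) -> List[str]:
    """Features with a Right-To-Use entitlement that are not enabled yet."""
    return [name for name, f in features.items() if f["RightToUse"] and not f["Enabled"]]


if __name__ == "__main__":
    feats = parse_license_features(SHOW_LICENSE_FEATURE)
    print("enabled on evaluation:", enabled_on_evaluation(feats))
    print("RTU available but off:", rtu_available_but_off(feats))
```

On the sample table this reports securityk9 as the only enabled feature still on evaluation, and appxk9, uck9, cme-srst and throughput as RTU packages that could be activated with the procedure below.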

How to enable the RTU package on ISR 4331/4531

config t
license accept end user agreement
yes
exit
license right-to-use move appxk9
config t
license boot level appxk9
end
wr mem

How to enable the evaluation license

license feature appxk9