Tuesday, December 9, 2008

Popular DOC-CD

Where the $%#@ is it? Some Popular DOC-CD Locations

Hello faithful blog readers. We all know there are some real treasures in the DOC-CD that can help dramatically in the lab exam. Here are some of our readers' favorites. Thanks to my friend Ruhann over in South Africa for the post idea!

All navigation begins from http://www.cisco.com/web/psa/products/tsd_products_support_configure.html

I. Bridging and Switching

II. IP IGP Routing

III. BGP

a. Best Path Selection

Cisco IOS Software - 12.2 S Family - 12.2 SB - C.G. - Cisco IOS IP Configuration Guide, Release 12.2 - Part 2: IP Routing Protocols - Configuring BGP - How BGP Selects Paths

b. Regular Expressions

Cisco IOS Software - 12.4 Family - 12.4 Mainline - C.G. - Cisco IOS Terminal Services Configuration Guide, Release 12.4 - Appendixes - Regular Expressions

IV. IP and IOS Features

a. NTP

Cisco IOS Software - 12.4 Family - 12.4 Mainline - C.G. - Cisco IOS Network Management Configuration Guide, Release 12.4 - Performing Basic System Management - Setting Time and Calendar Services

V. IP Multicast

VI. QoS

a. RTP Port Range

Cisco IOS Software - 12.4 Family - 12.4 Mainline - Reference Guides - Command References - Cisco IOS Quality of Service Solutions Command Reference - frame-relay ip rtp priority

VII. Security

a. ACL Favorites

Security - Firewall Appliances - Cisco ASA 5500 Series Adaptive Security Appliances - C.G. - Cisco Security Appliance Command Line Configuration Guide, Version 8.0 - Reference - Addresses, Protocols, and Ports

b. Regular Expression

Cisco IOS Software - 12.4 Family - 12.4 Mainline - C.G. - Cisco IOS Configuration Fundamentals Configuration Guide - Part 1: Using the Cisco IOS Command-Line Interface - Understanding Regular Expressions


** Common ports: http://packetlife.net/cheatsheets/#reference

Wednesday, December 3, 2008

Debug output collection

Useful command for logging on console from IE.

When you work with a remote rack through an access server (e.g. a 25xx) whose async lines are connected to the console ports of the pod's routers, you effectively have only one terminal window open. With Ctrl-Shift-6 followed by x you can quickly switch between terminal lines; however, if you need to watch debug output on one line while doing something on another, you run into difficulties.

For example, when you enable debug crypto isakmp on one router and then switch to the other router to generate packets with ping, you may lose some of the debug output while switching back to the original router. Two obvious ways to resolve this exist: open multiple terminal windows, or use the logging buffered command to collect the debug output in the logging buffer (and read it back with show logging). The third, less well-known way is to use the service telnet-zeroidle command on the access server.

What this command does is advertise a TCP receive window of zero for idle (currently non-active) connections. How does that help? When a TCP sender is told that the other side's receive window is zero, it stops sending and buffers the data until the other side opens the window again. Since every session from an access server is effectively a reverse-telnet connection to the access server itself, advertising a zero window makes the access server buffer the router's console output (e.g. from debug commands) until that session becomes active again. In effect, with service telnet-zeroidle enabled you can start debug crypto isakmp on one router, switch to the other, type ping x.x.x.x, then get back to the original router and collect all the debug output at once, without any loss. Just make sure that your debug output fits in the TCP transmit buffer (output beyond that can still be dropped), and don't be surprised by the flood of output when you return to an idle connection.
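The access-server side of the setup described above, as an added example that is not part of the original post: the loopback address, the line range and the host aliases are assumptions, the only line that matters for the technique is service telnet-zeroidle.

```ios
! Access server (assumed: Loopback0 10.0.0.1, pod consoles on async lines 1 and 2).
! Idle reverse-telnet sessions advertise a zero TCP window, so console output
! from a pod router is held by the access server until that session is resumed.
service telnet-zeroidle
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Reverse-telnet aliases: async line N is reached on TCP port 2000+N
ip host R1 2001 10.0.0.1
ip host R2 2002 10.0.0.1
!
line 1 2
 no exec
 transport input all
 stopbits 1
```

Workflow from the access-server exec: type R1 to open the first console, enter debug crypto isakmp, press Ctrl-Shift-6 then x to drop back, type R2 and run the ping, then resume the first session with its number from show sessions; the buffered debug output arrives in one burst. The hold only lasts while the session is idle and only up to the size of the TCP transmit buffer, so for long debug runs keep logging buffered on the pod router as well.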

Thursday, November 27, 2008

IPsec VPN High Availability with HSRP


This is the IOS feature that lets IPsec peer on an HSRP virtual address, giving the VPN network a redundant IPsec peer.
Some notes for this topic:
- HSRP is only supported on Ethernet and some L2 ATM encapsulations, such as LANE.
- In a test on 12.4, recovery time of the VPN connection differed between the two peers. Recovery from the secondary router (the previous standby) is faster. The preempt delay time has no effect on it.
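A minimal configuration for the feature, added here as an example rather than taken from the post or from Cisco documentation: the crypto map is bound to the HSRP group with the redundancy keyword, so IKE and IPsec use the virtual address 203.0.113.1 as the local peer and follow it to whichever router is active. All addresses, names and the pre-shared key placeholder are assumptions.

```ios
! Identical on both HA routers except the physical interface address
! (203.0.113.2 here, 203.0.113.3 and default priority on the other one).
! The remote peer 192.0.2.1 must point at the virtual IP 203.0.113.1,
! and both HA routers need the same pre-shared key for that peer.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME address 192.0.2.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-ACL
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HSRP
 standby 1 track FastEthernet0/1
 ! bind the crypto map to the HSRP group: SAs are built from the virtual IP
 crypto map VPN redundancy VPN-HSRP
```

This is stateless failover: the newly active router has no copy of the old SAs, so IKE and IPsec are renegotiated after the switch, which is what the recovery-time note above is measuring. Enabling ISAKMP keepalives/DPD on the remote peer (crypto isakmp keepalive 10 3) lets it tear down the dead SAs promptly instead of waiting for them to expire.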

Tuesday, November 25, 2008

IEEE bridge-group in Zone-based FW



Here is a solution for configuring a transparent firewall policy for traffic across a bridge group.

Two or more interfaces are configured in an IEEE bridge group and route to other subnets via the Bridge Virtual Interface (BVI). The transparent firewall policy applies only to traffic crossing the bridge, not to traffic that leaves the bridge group via the BVI.

Configure the policy-map to inspect X Windows traffic (a user-defined port map, since the example uses TCP 6900-6910):
conf t
ip port-map user-Xwindows port tcp from 6900 to 6910
!
class-map type inspect match-any Xwindows-class
 match protocol user-Xwindows
!
policy-map type inspect servers-clients-policy
 class type inspect Xwindows-class
  inspect
!

Configure the bridge, the zones and the zone pair that applies the policy, then assign the bridged interfaces to zones:

conf t
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
zone security clients
zone security servers
zone security private
!
! Without a zone pair the inspect policy is never applied and inter-zone
! traffic between clients and servers is dropped by default.
zone-pair security clients-servers source clients destination servers
 service-policy type inspect servers-clients-policy
!
interface vlan 1
 bridge-group 1
 zone-member security clients
!
interface vlan 2
 bridge-group 1
 zone-member security servers

Configure the BVI interface and make it a member of its own zone; routed traffic entering or leaving the bridge group through the BVI is then governed by zone pairs involving that zone, not by the transparent policy above.

!
interface bvi1
 zone-member security private

Sunday, August 3, 2008

Cisco IOS SSL VPN note

I just found that the CSD application in IOS SSL VPN needs a special link to configure CSD policies. There's no way to configure it via the CLI.
Log in to "https://gateway_addr/csd_admin.html" to start the policy admin; the username is "admin" and the password is the enable password or enable secret of the router.
By default, the CSD policies deny all services enabled by SSL VPN.

WebVPN user name = phuc ; IP address = 47.1.1.2 ; context = SSLVPN
No of connections: 0
Created 00:06:40, Last-used 00:05:36
CSD secure desktop Disabled
CSD cache cleaner Disabled
CSD Session Policy
CSD Web Browsing Disabled
CSD Port Forwarding Disabled
CSD Full Tunneling Disabled
CSD File Access Disabled
User Policy Parameters
Framed IPv4 address = 255.255.255.255
Group name = SSL-Policy
Group Policy Parameters
banner = "This is default Policy Group"
url list name = "Internal"
url list name = "DMZ"
idle timeout = 3600 sec
session timeout = 43200 sec
port forward name = "Portlist"
nbns list name = "NBNS-SRV"
functions =
file-access
file-browse
file-entry
svc-enabled

citrix disabled
address pool name = "SSL-Pool"
default domain = "ccie.edu"
home page = "http://win2003/certsrv/mscep"


Cisco Secure Desktop (CSD) extends the security of SSL VPN technology. CSD provides a separate partition on a user’s workstation for session activity. This vault area is encrypted during sessions and completely removed at the end of an SSL VPN session.

Saturday, August 2, 2008

Radius server and Cisco IOS 12.4-15(T)

I had this experience after some time: I got a problem between this IOS and the ACS RADIUS server, while ACS TACACS+ still had no issue. The communication always got a response of failed decrypt.

Aug 2 07:45:05.173: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Aug 2 07:45:05.173: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 2 07:45:05.173: RADIUS(00000000): Config NAS IP: 172.16.45.5
Aug 2 07:45:05.177: RADIUS(00000000): sending
Aug 2 07:45:05.181: RADIUS(00000000): Send Access-Request to 192.168.1.219:1645 id 1645/11, len 50
Aug 2 07:45:05.181: RADIUS: authenticator 34 A3 1C B8 15 6E 99 72 - D1 78 5D C5 60 0B DE CF
Aug 2 07:45:05.181: RADIUS: User-Name [1] 6 "phuc"
Aug 2 07:45:05.181: RADIUS: User-Password [2] 18 *
Aug 2 07:45:05.181: RADIUS: NAS-IP-Address [4] 6 172.16.45.5
Aug 2 07:45:05.197: RADIUS: Received from id 1645/11 192.168.1.219:1645, Access-Reject, len 32
Aug 2 07:45:05.201: RADIUS: authenticator 81 12 BD 60 C8 C8 FE 77 - 8A D6 8F 84 0E 8E 99 AD
Aug 2 07:45:05.205: RADIUS: Reply-Message [18] 12
Aug 2 07:45:05.205: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
Aug 2 07:45:05.205: RADIUS: response-authenticator decrypt fail, pak len 32
Aug 2 07:45:05.205: RADIUS: packet dump: 030B00208112BD60C8C8FE778AD68F840E8E99AD120C52656A65637465640A0D
Aug 2 07:45:05.217: RADIUS: expected digest: FFFFFFD012FFFFFFE42CFFFFFFECFFFFFFFA2EFFFFFF8105FFFFFFC5FFFFFF9DFFFFFFE8FFFFFFEDFFFFFFA4FFFFFF9B13
Aug 2 07:45:05.225: RADIUS: response authen: FFFFFF8112FFFFFFBD60FFFFFFC8FFFFFFC8FFFFFFFE77FFFFFF8AFFFFFFD6FFFFFF8FFFFFFF840EFFFFFF8EFFFFFF99FFFFFFAD
Aug 2 07:45:05.237: RADIUS: request authen: 34A31CB8156E9972D1785DC5600BDECF
Aug 2 07:45:05.241: RADIUS: Response (11) failed decrypt
Aug 2 07:45:10.089: RADIUS: Retransmit to (192.168.1.219:1645,1646) for id 1645/11
Aug 2 07:45:10.109: RADIUS: Received from id 1645/11 192.168.1.219:1645, Access-Reject, len 32
Aug 2 07:45:10.113: RADIUS: authenticator 81 12 BD 60 C8 C8 FE 77 - 8A D6 8F 84 0E 8E 99 AD
Aug 2 07:45:10.117: RADIUS: Reply-Message [18] 12
Aug 2 07:45:10.121: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]



I had to configure the AAA server on the routers with the "non-standard" keyword, e.g.:
"radius-server host 192.168.1.219 auth-port 1645 acct-port 1646 non-standard key shasta"

Everything works fine after that. There's no problem like that with the IOS 12.4-10 mainline version.
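What the router is complaining about in the debug above is the Response Authenticator. Per RFC 2865 the server sets the 16-byte authenticator of every reply to MD5(Code + ID + Length + RequestAuthenticator + Attributes + SharedSecret), and the NAS recomputes that value with its own copy of the secret before trusting the reply, so "response-authenticator decrypt fail" means the reply is well-formed but was not produced with the secret this router holds; the shared secret, and the server's idea of which NAS address it is talking to, are the first things to check. The script below is an added example (Python 3), not part of the original post and not Cisco code: it parses the Access-Reject from the packet dump above, undoes the sign extension in the router's "expected digest" and "response authen" lines (each byte >= 0x80 is printed as FFFFFFxx, so the "response authen" line decodes to exactly the authenticator in the packet), and runs the same check on a constructed exchange with the right secret, a wrong secret, and a reply altered in transit. The secret in use when the debug was captured is not stated in the post; "shasta" is taken from the radius-server host line, so page_reject_verifies() only tells you whether that was it.

```python
"""RADIUS Response Authenticator check (added example, not from the original post)."""
import hashlib
import hmac
import os
import struct

# Copied from the RADIUS debug output above.
ACCESS_REJECT_HEX = "030B00208112BD60C8C8FE778AD68F840E8E99AD120C52656A65637465640A0D"
REQUEST_AUTH_HEX = "34A31CB8156E9972D1785DC5600BDECF"
IOS_EXPECTED_DIGEST = "FFFFFFD012FFFFFFE42CFFFFFFECFFFFFFFA2EFFFFFF8105FFFFFFC5FFFFFF9DFFFFFFE8FFFFFFEDFFFFFFA4FFFFFF9B13"
IOS_RESPONSE_AUTHEN = "FFFFFF8112FFFFFFBD60FFFFFFC8FFFFFFC8FFFFFFFE77FFFFFF8AFFFFFFD6FFFFFF8FFFFFFF840EFFFFFF8EFFFFFF99FFFFFFAD"

CODE_ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18


def decode_ios_digest(text: str) -> bytes:
    """Undo the sign extension in the IOS debug lines: a byte >= 0x80 is printed
    as FFFFFFxx (a signed char widened to int), a byte < 0x80 as plain xx."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith("FFFFFF", i):
            out.append(int(text[i + 6:i + 8], 16))
            i += 8
        else:
            out.append(int(text[i:i + 2], 16))
            i += 2
    return bytes(out)


def parse_radius(pkt: bytes) -> dict:
    """Header fields plus a list of (type, value) attributes (RFC 2865 section 3)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field %d != %d bytes received" % (length, len(pkt)))
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": pkt[4:20], "attrs": attrs}


def expected_response_auth(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()


def response_auth_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a NAS performs before trusting a reply (constant-time compare)."""
    return hmac.compare_digest(reply[4:20], expected_response_auth(reply, request_auth, secret))


def build_reply(code: int, ident: int, attrs, request_auth: bytes, secret: bytes) -> bytes:
    """Build a server reply carrying a correct Response Authenticator."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def page_reject_verifies(secret: bytes = b"shasta") -> bool:
    """Re-run the router's check on the captured Access-Reject. The secret in use
    when the debug was taken is not stated, so this only says whether `secret` was it."""
    return response_auth_ok(bytes.fromhex(ACCESS_REJECT_HEX),
                            bytes.fromhex(REQUEST_AUTH_HEX), secret)


def demo_roundtrip(secret: bytes = b"shasta") -> dict:
    """Constructed exchange: a reply signed with the right secret verifies; the same
    reply checked with the wrong secret, or altered in transit, does not."""
    request_auth = os.urandom(16)
    reply = build_reply(CODE_ACCESS_REJECT, 11, [(ATTR_REPLY_MESSAGE, b"Rejected\n\r")],
                        request_auth, secret)
    tampered = reply[:-10] + b"Accepted\n\r"  # same length, different Reply-Message
    return {
        "good": response_auth_ok(reply, request_auth, secret),
        "wrong_secret": response_auth_ok(reply, request_auth, b"not-shasta"),
        "tampered": response_auth_ok(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    pkt = parse_radius(bytes.fromhex(ACCESS_REJECT_HEX))
    print("captured reply:", pkt)
    print("router's expected digest:", decode_ios_digest(IOS_EXPECTED_DIGEST).hex())
    print("authenticator in packet :", decode_ios_digest(IOS_RESPONSE_AUTHEN).hex())
    print("verifies with 'shasta'  :", page_reject_verifies())
    print("constructed exchange    :", demo_roundtrip())
```

Note that the Access-Reject itself is not encrypted; only User-Password in the request is obfuscated with the secret, and the reply is merely authenticated. An attacker on the path who does not know the secret can still forge an Access-Reject that the NAS will discard, but a matching secret on both sides is also the only thing that stops a forged Access-Accept, which is why the check is worth keeping even when it is the thing getting in your way.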

Tuesday, July 29, 2008

Iperf bandwidth performance measurement

The tool is nice for those who don't have the chance to work with expensive tools from Spirent or Adtech. I heard about it from the 6200networks blog.

Iperf was developed by NLANR/DAST as a modern alternative for measuring maximum TCP and UDP bandwidth performance. Iperf allows the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, datagram loss.