Friday, December 17, 2010

Generate DNS Import from Solarwinds Orion NCM

It's nice to have entries in your internal DNS for router interface names; it makes stuff like traceroute a whole lot easier to read. Many small-to-mid-size companies use Solarwinds products for network management.

This perl script takes the output that you get from using Solarwinds Network Configuration Manager to run the "show ip interface brief | exclude unassigned" command on a group of Cisco IOS devices and massages it into a format that looks like this:

hostname-interfaceName-interfaceNumber a.b.c.d

where a.b.c.d is the IP address assigned to the interface. This format is suitable for import into many DNS servers.

This code doesn't attempt to abbreviate interface names at all, but it could easily be modified to do so.

I run this on Windows using Cygwin and it works fine. The only caveat is that you need to have the dig command installed.

# takes output from a Solarwinds Orion NCM command script
# that runs "show ip interface brief | exclude unassigned"
# and produces a "hostname IP" output for import into DNS
# this makes traceroutes more readable
# usage: ./ < inputfile.txt
# inputfile.txt will look like this
# when produced by Orion NCM 6.x:
#  (
# Interface   IP-Address      OK? Method Status Protocol   
# Loopback0    YES NVRAM  up     up     
# Vlan163    YES NVRAM  up     up     
# Vlan165    YES NVRAM  up     up  
while (<>){
    chomp; # remove newline characters

# find the line with the hostname in it by searching

# for the "(" character
if ($_=~/\(/) {

    # split that line on the . character
    @hostnameFields = split /\./,$_;
    # hostname is the first element before the first .


# identify lines with "up" in them to remove garbage
if ($_=~/\s+up\s+/) {

    #split the good lines into space-separated fields
    @fields=split  /\s+/,$_;
    #find RFC1918-like addresses only
    if ($fields[1]=~/^10\.|172\.|192\./){
        # skip IP addresses that are already in DNS
          unless (`dig -x $fields[1] +short`) {
          #substitute - for / and : in dns names
          #print in "hostname-interface ipaddr" format
          print "$hostname-$fields[0] $fields[1]\n";    

Monday, December 6, 2010

Encrypted GRE Tunnel with ASA for Encryption Offload

I have a requirement to connect two internal routers over a high-speed, 3rd party, non-Internet network. The two routers need to run EIGRP with each other. We want to encrypt the link, but the routers don't support IPSec in their current configuration. Purchasing IPSec acceleration hardware for them is expensive, but we happen to have two ASAs in inventory that aren't currently in production.

The simplest solution for this is to connect the two routers with a GRE tunnel, then use the ASAs to encrypt the GRE traffic.

While I've worked with ASAs quite a bit as stateful packet filters and as remote access VPN headends, it's been a really long time since I've used one in a point-to-point VPN. I thought I'd blog about the lab proof-of-concept so that I don't forget everything about the configuration.

My lab topology looks like this:


R4 and R5 have a standard GRE tunnel configured between them, running EIGRP to advertise their loopbacks. The tunnel destination is statically routed.

On R4:

interface Loopback0
ip address

interface FastEthernet0/0
description link to ASA1
ip address

interface Tunnel50
description GRE tunnel to R5, will be encrypted by ASA1

ip address
tunnel source FastEthernet0/0
tunnel destination

ip route

router eigrp 1


On R5:

interface Loopback0
ip address

interface FastEthernet0/0

description link to ASA2

ip address


interface Tunnel50

description GRE tunnel to R4, will be encrypted by ASA2

ip address
tunnel source FastEthernet0/0

tunnel destination

router eigrp 1



no auto-summary

[Note: the difference in the EIGRP configs isn't a mistake. The lab routers are running two different images, one of which has auto-summary disabled by default. The other has it enabled by default, so I had to explicitly turn it off.]

This is a pretty standard GRE configuration that is used all the time to make a virtual point-to-point circuit across any other network. I'm intentionally leaving out the MTU complications for now.

Here's the interface configuration for ASA1:

interface Ethernet0/2
description link to R4
nameif inside
security-level 100

ip address

interface Ethernet0/1

description link to ASA2 representing 3rd party network
nameif outside
security-level 0
ip address

and here's the same configuration from ASA2:

interface Ethernet0/2
description link to R5
nameif inside
security-level 100
ip address

interface Ethernet0/1

description link to ASA1 representing 3rd party network
nameif outside
security-level 0

ip address

Next, we need to configure IPSec on the ASAs. This is pretty similar to doing the same thing on a IOS router, with a couple of differences:
crypto ipsec transform-set ESP_3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map P2P_CRYPTO_CM 10 match address R5_PHYSICAL

crypto map P2P_CRYPTO_CM 10 set peer

crypto map P2P_CRYPTO_CM 10 set transform-set ESP_3DES

crypto map P2P_CRYPTO_CM interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
access-list R5_PHYSICAL extended permit ip host host

When I first set this up, I forgot the unfamiliar crypto isakmp enable outside command, and it took me a few minutes of looking at debugs to figure out why the ASA was dropping the IKE Phase 1 packets.

The other part that's different from the IOS configuration is the presence of a "tunnel-group" that defines the tunnel type and the IKE pre-shared key:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *****

I also needed to turn off NAT control so that the ASA wouldn't drop packets without a pre-defined NAT translation:

no nat-control

The configuration on the other ASA is identical, except that the crypto ACL and peer addresses are reversed, just like they would be in an IOS configuration.

Thursday, December 2, 2010

Detecting a Transparent Proxy with Wireshark/Tshark

Recently I got pulled into a debate between two colleagues who were troubleshooting a problem where some users could access a website over SSL, and others couldn't. One person was arguing that the problem was caused by client misconfiguration, and the other was arguing that it wasn't. Following my mantra "when in doubt, capture packets", we captured some traffic and had a look. I'm not going to go through the entire troubleshooting process; rather I'm going to focus on what was ultimately causing the problem. Here's the packet sequence, output from Tshark with some of the TCP details removed to make it fit:

921 13.795492 -> TCP 50306 > https [SYN]
926 13.837731 -> TCP https > 50306 [SYN, ACK]
927 13.837753 -> TCP 50306 > https [ACK]
928 13.838086 -> SSL Client Hello
932 13.840253 -> TCP https > 50306 [RST]
943 13.879563 -> TCP https > 50306 [ACK]
944 13.879588 -> TCP 50306 > https [RST]
945 13.880052 -> TCP https > 50306 [RST]
946 13.881491 -> TLSv1 Server Hello
947 13.881513 -> TCP 50306 > https [RST]
948 13.881535 -> TLSv1 Certificate, Server Hello Done
949 13.881545 -> TCP 50306 > https [RST]
950 13.881554 -> TCP https > 50306 [RST]
953 13.882063 -> TCP https > 50306 [RST]

The key thing to note here is the delta between the SYN and SYN/ACK: about 42ms. When I was viewing this in Wireshark I set a packet time reference on packet #921, using the "Ctrl T" keyboard shortcut; this makes it easier to see the delta values.

I then set another time reference on packet 931, the TLSv1 Client Hello. Immediately following this, less than 1 millisecond later, we see a RST come back from the server. Red flag! Since we already established the probable latency between the hosts as ~42ms using the SYN - SYN/ACK pair, this is extremely suspicious.

A few packets later, we see a TLSv1 Server Hello message inbound, AFTER the RST. The delta? Approximately 42ms, exactly what we'd expect.

I immediately inferred from this that a transparent proxy content filter was spoofing the RST due to something that it deemed to be objectionable content, and for whatever reason it wasn't notifying the user.

I talked to the administrator for the content filter, and indeed, a policy had been incorrectly applied to some users that blocked the content in question.

Another win for packet capture.

Thursday, November 18, 2010

playing with VLAN-based QoS

A friend of mine brought up an interesting question yesterday:

Will the "mls qos vlan-based" command mark packets if the packets aren't routed by the SVI where the service policy is applied?

I had never even considered this before, so I guessed "no" before reading the docs. Then I set it up in the lab, and the answer (superficially) still seemed to be "no". Then, however, I executed the old RTFM maneuver: the docs made it sound like the answer should be "yes". So I thought I'd have a closer look. Here are the details.

The test topology looks like this:


  • R5 & R6 are 2800 series routers.
  • Switch1 and Switch2 are 3560s.
  • Cat3750, unsurprisingly, is a Catalyst 3750, and the subject of the test.

All of the inter-switch links are 802.1q trunks, and the two routers are connected to access ports in VLAN 6.

  • R5's interface IP address is, with a loopback of
  • R6's interface IP address is, with a loopback of
  • R5 and R6 are running OSPF on all interfaces and are neighbors when the test begins.

First, I set up a QoS policy on the 3750 that would make packets distinguishable from each other:

ip access-list extended ALL
permit ip any any
class-map match-any FOO
match access-group name ALL
policy-map IN-MARKING
class FOO
set ip dscp cs2
class class-default
set dscp cs1

Then I applied the policy-map to an unrouted SVI for VLAN 6:

interface Vlan6
no ip address
service-policy input IN-MARKING

Then I set R6's access port for VLAN-based QoS:

interface FastEthernet1/0/2
switchport access vlan 6
switchport mode access
mls qos vlan-based
spanning-tree portfast

Since all traffic should be marked as CS2, the OSPF hello packets being exchanged between R5 and R6 should get marked immediately if the policy is working, but I also generated some ICMP and telnet traffic just for good measure.

My superficial, pre-RTFM diagnosis, said it wasn't working:

c3750#sh policy-map interface

Service-policy input: IN-MARKING

Class-map: FOO (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ALL
0 packets, 0 bytes
5 minute rate 0 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
0 packets, 0 bytes
5 minute rate 0 bps

After my RTFM episode, I started wondering if the packets were getting marked anyway, but not counted by the switch. Idecided to try applying a service policy on R5 that would have rather dramatic effects if the packets were in fact marked:

class-map match-any CM_CS2
match ip dscp cs2
policy-map PM_DROP_CS2
class CM_CS2


R5(config)#int f0/0
R5(config-if)#service-policy input PM_DROP_CS2
*Nov 18 15:37:18.097: %OSPF-5-ADJCHG: Process 1, Nbr on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

R5#sh policy-map interface f0/0 input class CM_CS2

Service-policy input: PM_DROP_CS2

Class-map: CM_CS2 (match-any)
20 packets, 1880 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs2 (16)
20 packets, 1880 bytes
5 minute rate 0 bps

So... in conclusion: the "mls qos vlan-based" command does indeed work for service policies applied to interfaces that don't route packets for the VLAN... essentially, the command causes the access port to inherit the QoS policy applied to the SVI, and the SVI doesn't count them. This does actually make sense, but it took working through the lab to make my brain process it correctly.

Thursday, October 28, 2010

Links to Network World Blog Posts

Last spring I wrote a series of guest blog posts on Network World, so I thought I'd link them here for future reference:

IOS Output Filters
More IOS Output Filters
Finding IP Addresses
NetFlow Part 1
NetFlow Part 2
NetFlow Part 3
When in Doubt, Capture Packets

Monday, September 27, 2010

Counting Regex Matches on Catalyst Switches

As an old-time Unix/Linux guy, I’ve been wanting the IOS equivalent of the “wc -l” command for oh, about a million years now. Juniper has had this in JunOS for quite some time, via their “count” command. In Unix/Linux shell environments, “wc -l” counts the number of lines in the input. This is very useful for things like counting the number of unused ports on a switch. Until recently, I was stuck with using SSH one-liners to pipe IOS commands through a shell filter, like this:

$ ssh 'sh int status | i not|disa' | wc -l

In English: this executes the command “show interface status | include not|disa” via SSH on the remote device, which returns all the lines that are in either the “notconnected” or “disabled” status. Then it feeds those lines to the “wc -l” command, which counts the lines.

A couple of months ago, however, I noticed that recent versions of IOS for the Catalyst access switches (3560/3750, and probably the 2960--I haven’t tested the latter) have a “count” filter:

Switch#sh int status | count ?
LINE Regular Expression

Switch#sh int status | count not|disa
Number of lines which match regexp = 19

Anyway, nothing particularly groundbreaking here, just a nice feature that’s long overdue--I hope it gets ported into other IOS images as well.

Friday, July 2, 2010

Cisco Live 2010

This was my 6th consecutive year at CiscoLive (formerly known as Networkers), and as always I had a great time. I thought I'd write down a few brief thoughts on my sessions and other experiences this year.

802.1x 8-Hour Techtorial
This was the first time I've done a "techtorial" (Cisco's term for a 4 or 8 hour expanded seminar that costs extra) since 2006, and it was probably the best one I've done. All of the presenters were excellent, and they did a great job of keeping the class engaged by switching frequently between lecture and live demonstrations by three different instructors. They also included a real-world case study, presented by the actual customer involved (a large Canadian university). Cisco has a tendency to make up artificial case studies (or anonymize them to the point of making them pointless), so it was great to see a live customer on stage, presenting the entire implementation process, warts and all.

LISP - A Next Generation Networking Architecture
I have read a fair bit about LISP over the last couple of years, but this was the first time I've gone to a session on it. Basically, Dino and company are trying to solve three or four of the biggest problems in networking in one fell swoop: 1) global routing table size, 2) certain types of IPv4/IPv6 transport issues, 3) virtual machine mobility, and possibly 4) other mobility problems. I really don't have the background to evaluate a protocol that's designed to solve extremely difficult problems at a global scale, but it was fascinating to see the thought process and design issues involved.

Routed Fast Convergence and High Availability
I have been hearing about this session for years, and it didn't disappoint. I was already familiar with most of the tools discussed, but the devil is in the details, and I came away with a much better understanding of many techniques used to achieve fast convergence in routed networks.

Smart Grid: Developing a Communications Architecture for the Utility of the Future
I didn't intend to visit this session initially, but the speaker was late for my scheduled session, and I had no interest in sitting around waiting for him to show up. This session was happening nearby, and I knew that Bill Parkhurst is something of a network architecture guru, so it was an easy pick. Even though I have absolutely no background in the electrical utility world, this was a very useful session from a general professional development perspective.

Unified HA Network Design: The Evolution of the Next Generation Network
If I could recommend only one session on large-scale network design, this would be it. These guys are working on the largest, most failure-sensitive networks on the planet, and they're giving away what they've learned. What more needs to be said?

Advanced Security Management & Incident Response
This was my second time attending this session (the last time was in 2007), and it was definitely worth attending a second time. I really like operationally-focused sessions (as opposed to product-focused ones), and that's what this one is all about. The presenters are front-line senior incident responders in Cisco's internal security organization, and it's great to see how they deploy Cisco tools and even (gasp) non-Cisco tools to respond to actual security incidents. I really hope they can convince the powers-that-be to let them run this as an expanded, 8-hour techtorial on security operations.

Those are the highlights of my sessions. I didn't attend a single session this year that was actually bad, but those were the ones that stood out the most.

Other thoughts: the meals were above average compared to previous years, except for breakfast. I hate getting to a breakfast and seeing nothing but bread products and some random, lonely looking fruit. The CCIE party was great; probably the best one I've attended. The CCIE NetVet reception with John Chambers was also excellent. My biggest complaint continues to be the ominous warnings about a $100 fee to replace a lost conference badge. I've never lost mine, but this just seems patently ridiculous.

As always, though, simply meeting other networking-focused professionals and renewing friendships with people I've known from previous years was the best part of the show.

Hoping to be back next year!

Wednesday, May 5, 2010

guest blogging

I'm guest blogging on IOS tips and tricks this month at Network World.

Friday, April 16, 2010

Friday, April 9, 2010

Wireshark Network Analysis

For the last week I've been reading Laura Chappell's new book, Wireshark Network Analysis. I pre-ordered the book and was looking forward to it eagerly.

Overall, it's a superb book. First and foremost, I appreciate the fact that the writing has some personality to it. I've really enjoyed the author's footnotes, anecdotes, and humor.

Second, I like the fact that it's exhaustively thorough with both features and examples. There are relatively few cases where the Chappell simply describes a feature without offering an example of how it might be used in practice. Where she does so, the example is obvious enough to be unnecessary.

Particularly good are the examples of practical Wireshark tips and tricks in the protocol-specific sections. As an advanced Wireshark user with a thorough background in the internals of common network protocol operations, I was worried that this would be just another set of explanations of how various protocols work. Those explanations are there, but they are interspersed with many great tips and tricks about how to analyze the protocols more quickly and efficiently with Wireshark. I kept thinking, "why didn't I ever think of using that trick before?"

There is a lot here for both beginning and advanced Wireshark users.

I don't have a lot of criticisms to make: I thought the security sections were interesting, but a little dated. Exotic network and transport layer attacks just aren't all that common anymore; it would have been cool to have seen some analysis of a modern application-layer attack in action.

The other thing I would have liked is a discussion of the Lua scripting-language extensions to Wireshark. There is very little out there on the Internet about this so far, and most of what exists is oriented toward expert-level programmers. I was a bit disappointed to not even find Lua in the index. Still, the book is already huge, and adding a section on scripting might have made it unreasonably long. Maybe a volume 2?

Summary: if you use Wireshark, just buy it. This is an amazingly practical, hands-on book that will make you faster and more productive when analyzing network captures.

Blogging disclaimer: I paid full retail price for the book (and managed to somehow miss all the promo coupons) and am not being compensated in any way for this review.

Monday, January 4, 2010

computer crime and the small/medium business

Good post on the little-known computer crime wave targeting small/medium businesses: