NTP – Network Time Protocol

Categories Cisco, Route, Switch

NTP is a layer 3 protocol. NTP is used to keep proper time, which is critical in networks. Making sure all network devices are synchronized to the same time helps with management. Networking devices use time for several reasons:

  • Logging output
  • Debugging output
  • User ‘show’ commands
  • Network management/Reporting tools
  • Certificates – if the time is incorrect, your certificates can appear expired or not yet valid

Where do we get the time?

  • All devices have an internal system clock.
  • Most are battery backed and keep the time/date across a reload.
  • Devices with battery-backed system clocks can also distribute this information to remote devices via NTP.

Sources Of Time

  • Manual configuration, i.e. the clock set command
  • NTP
  • SNTP
  • VINES

NTP

  • IETF Standard – RFC 1305 and RFC 5905
  • UDP port 123 (source and destination)
  • NTP nodes obtain time from an authoritative source:
    -Atomic clock
    -GPS
    -Radio
    -Other network devices

NTP Device Roles

  • Client – Device that periodically polls a server for time/calendar information.
  • Server – Provides the information to the client.
  • Stratum 1 – Most accurate clock
  • Stratum 2 – Time server that is one hop away from a stratum-1 device, and so on
  • The default stratum for an ntp master is 8.
  • When using authentication, the clients authenticate the server (the server does not authenticate clients).

IOS Configuration (server aka Master)

clock set hour:minute:seconds day month year
conf t
ntp master [1-15]

IOS Configuration (Client)

conf t
ntp server x.x.x.x

IOS Server Authentication Config

ntp authentication-key 1 md5 something
ntp trusted-key 1

IOS Client Authentication Config

ntp authentication-key 1 md5 something
ntp trusted-key 1
ntp authenticate
ntp server x.x.x.x key 1
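The client-side authentication above works because each NTP message can carry a key ID and an MD5 digest computed over the 48-byte NTP header with the shared key prepended (RFC 5905, the same symmetric-key scheme the ntp authentication-key md5 command configures). The Python below is an added example, not code from the original post or from Cisco: it builds a server reply, appends the authenticator, and performs the receiver-side check that ntp authenticate plus ntp trusted-key represent (unknown key ID, wrong key, missing MAC and a tampered header are all rejected). The key value, stratum and timestamp are constructed.

```python
"""Build and verify NTP packets carrying the RFC 5905 MD5 authenticator.

Added example (not from the original page). Models the symmetric-key
authentication enabled by 'ntp authentication-key <id> md5 <key>' and
'ntp authenticate': sender appends key ID + MD5(key || header), receiver
recomputes the digest with its own copy of the trusted key.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
HEADER_LEN = 48                # fixed NTP header; MAC (4 + 16 bytes) follows it
MAC_LEN = 20


def ntp_timestamp(unix_seconds):
    """Convert Unix time to the 64-bit NTP fixed-point timestamp (32.32)."""
    ntp_seconds = unix_seconds + NTP_EPOCH_OFFSET
    whole = int(ntp_seconds)
    frac = int((ntp_seconds - whole) * (1 << 32))
    return (whole << 32) | frac


def build_header(mode, stratum, unix_seconds, version=4):
    """Assemble a minimal 48-byte NTP header (LI=0, local reference clock)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode   # mode 3 = client, 4 = server
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    ref_id = b"LOCL"
    ts = ntp_timestamp(unix_seconds)
    # Timestamp order in the header: reference, origin, receive, transmit.
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + struct.pack("!II", root_delay, root_dispersion)
            + ref_id
            + struct.pack("!QQQQ", ts, 0, 0, ts))


def parse_header(packet):
    """Pull the fields a 'show ntp status' style check cares about."""
    li_vn_mode, stratum = packet[0], packet[1]
    transmit = struct.unpack("!Q", packet[40:48])[0]
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "transmit_unix": (transmit >> 32) - NTP_EPOCH_OFFSET,
    }


def append_md5_authenticator(header, key_id, key):
    """Sender side: append key ID (4 bytes) and MD5(key || header) (16 bytes)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_md5_authenticator(packet, trusted_keys):
    """Receiver side, mirroring 'ntp authenticate' + 'ntp trusted-key'.

    trusted_keys maps key ID -> key bytes. Anything that is not a correctly
    authenticated packet returns False and must not be used as a time source.
    """
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                       # no MAC, or wrong MAC size
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                       # key ID is not in the trusted-key list
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison


if __name__ == "__main__":
    key_db = {1: b"something"}             # constructed key, matches the IOS example
    reply = append_md5_authenticator(build_header(4, 2, 1615648439), 1, key_db[1])
    print(parse_header(reply))
    print("authenticated:", verify_md5_authenticator(reply, key_db))
    print("authenticated with wrong key:", verify_md5_authenticator(reply, {1: b"wrong"}))
```

Note that MD5 here is a keyed integrity check, not encryption: it proves the reply came from a holder of the shared key and was not modified in transit, which is the property that matters for a time source feeding your logs and certificate validation.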

Verification

show ntp status
show ntp associations
show ntp stat | i in sync

Look for the asterisk next to the peer, and for "clock is synced" or "synchronized" references.

show ntp associations detail will show "authenticated" for an authenticated peer.

BGP Practice Lab

Categories Cisco, Route

NOTE: THIS LAB IS NOT COMPLETE. IT IS SET UP SO BGP GOES DOWN DUE TO AN ISSUE WITH KEEPALIVES. EVERY 3 MINUTES BGP WILL GO DOWN AND THEN THE DYNAMIC ROUTING PROTOCOL WILL TAKE OVER. AFTER THIS BGP WILL COME UP AGAIN FOR ANOTHER 3 MINUTES AND KEEP REPEATING. THIS IS AN EXAMPLE OF WHY YOU USE STATIC ROUTING ACROSS EXTERNAL PEERS. THERE ARE OTHER SOLUTIONS... FIND THEM!

  • BGP’s primary purpose is to interconnect autonomous systems.
  • Autonomous system (ASN) – A network or group of networks under the same administration's control with a common routing policy.
  • BGP is the glue that holds the internet together!
  • BGP is designed to carry large amounts of routes.
  • BGP removes the strain of carrying large numbers of routes from IGPs.
  • In ISP speak these are 'customer routes'.
  • External and internal BGP use different policies.
  • iBGP is not able to replace IGPs. iBGP is meant to work alongside an IGP to create an efficient network.

External BGP

  • External peers must be directly connected.
  • By default eBGP packets are sent with a TTL of 1.
  • Time-to-live (TTL) tells a router whether a packet has been in the network too long: each hop decrements it by 1, and a packet whose TTL reaches 0 is discarded.
  • This prevents peering over long paths from occurring.
  • TTL security is used to make sure neighbors are really directly connected. Instead of TTL 1, the sender uses a TTL of 255, so the receiver can reject packets that have crossed more hops than expected. This must be enabled on both peers (routers).

BGP Configuration Categories

  • Configuration consists of two categories.
  • Session commands tell BGP how to create the session.
  • Session commands can be global or per address family (apply to all address families or just one).
  • Policy commands control the routes.
  • Policy commands are ALWAYS per address family.

Internal Peering

  • No requirement for direct connectivity when doing iBGP.

Huh?

  • After the configuration has been completed and we have verified that R2's and R4's loopbacks are being advertised to one another, we check the BGP table and find something interesting.
  • RIB-failure!!?? Normally failure is never a good thing, but in this case it tells us we have an internal route that is not being added to our routing table.
  • We check whether there is a better route for our destination and see that the route is also being learned via OSPF, which has a lower administrative distance than iBGP – thus OSPF wins and installs the route.

vIOS1 Configuration

vIOS1#sh runn
 Building configuration…
 Current configuration : 3589 bytes
 !
 ! Last configuration change at 15:13:59 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS1
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.1 255.255.255.255
  ip ospf 1 area 0
 !
 interface GigabitEthernet0/0
  ip address 192.168.69.1 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 192.168.26.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 !
 router eigrp 69
  network 192.168.0.0
  network 192.168.69.0
 !
 router ospf 1
 !
 router bgp 600
  bgp log-neighbor-changes
  neighbor 192.168.0.2 remote-as 900
  neighbor 192.168.0.2 ebgp-multihop 255
  neighbor 192.168.0.2 update-source Loopback0
  neighbor 192.168.0.4 remote-as 600
  neighbor 192.168.0.4 update-source Loopback0
  !
  address-family ipv4
   neighbor 192.168.0.2 activate
   neighbor 192.168.0.2 send-community
   neighbor 192.168.0.4 activate
   neighbor 192.168.0.4 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server
 !

vIOS2 Configuration

vIOS2#sh runn
 Building configuration…
 Current configuration : 3368 bytes
 !
 ! Last configuration change at 15:19:15 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS2
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.2 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.69.2 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 !
 router eigrp 69
  network 192.168.0.0
  network 192.168.69.0
 !
 router bgp 900
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 600
  neighbor 192.168.0.1 ebgp-multihop 255
  !
  address-family ipv4
   network 192.168.0.2 mask 255.255.255.255
   neighbor 192.168.0.1 activate
   neighbor 192.168.0.1 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server

vIOS4 Configuration

vIOS4#sh runn
 Building configuration…
 Current configuration : 3363 bytes
 !
 ! Last configuration change at 15:18:58 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS4
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.4 255.255.255.255
  ip ospf 1 area 0
 !
 interface GigabitEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 192.168.26.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
 !
 router bgp 600
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 600
  neighbor 192.168.0.1 update-source Loopback0
  !
  address-family ipv4
   network 192.168.0.4 mask 255.255.255.255
   neighbor 192.168.0.1 activate
   neighbor 192.168.0.1 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server

Cisco Switch Configuration for ISE

Categories Cisco, ISE, Switch

Switch Configuration

  • Example configuration used
conf t
 radius server ISE_RADIUS
 address ipv4 10.0.30.40 auth-port 1645 acct-port 1646
 key Temp1234!@#$
 exit
 aaa group server radius ISE
 server name ISE_RADIUS
 ip radius source-interface vlan 30
 exit
 aaa authentication dot1x default group ISE
 aaa authorization network default group ISE
 aaa authorization exec default group ISE local if-authenticated
 aaa accounting update periodic 3
 aaa accounting dot1x default start-stop group ISE
 aaa server radius dynamic-author
 client 10.0.30.40 server-key Temp1234!@#$
 radius-server attribute 6 on-for-login-auth
 radius-server attribute 8 include-in-access-req
 radius-server attribute 25 access-request include
 end

Explanation

  • Explain commands

ISE Configuration

  • Add in the name, description, IP address, Device profile, Model name, Software version.
  • Enable the RADIUS Authentication Settings and input the shared secret then submit to add the switch in.
  • To verify after you click on submit you will now see the device listed under the Network Devices section.

Authorization Profile

Policy Set

Verification

  • On the switch you can issue:
show cdp neighbor
show authentication session
show aaa server
  • On ISE GUI you can review the live session and logs under the RADIUS section in Operations:

Troubleshooting

  • No authentication sessions are showing on the network device.
  • Run an authentication test using the network device and review the logs in ISE.
  • Verify the aaa server configuration
test aaa group radius test-user test-password new-code
  • In ISE GUI:

Verify NTP is matching for Logs

  • Verify the NTP server matches on all devices.
    Cisco Switch:

ISE Server:

Napalm and Cisco IOS

Categories Automation, Cisco, Devnet, Python
Napalm

Copy and pasta into a text file and name it CHANGES.cfg:

vlan 999
name BLACKHOLE
default int ra fa 1/0/10 - 20
int ra fa 1/0/10 - 20
sw mo acc
sw acc vlan 999
vlan 120
name TEST

Copy and pasta into a text file and name it whatever you like with a .py Python extension:

from napalm import get_network_driver

# Open a NAPALM session to the switch using the IOS driver
driver = get_network_driver('ios')
c3750 = driver('10.0.10.24', 'lab', 'lab')
c3750.open()

print('Accessing..')
# Stage CHANGES.cfg as a merge candidate; nothing is applied yet
c3750.load_merge_candidate(filename='CHANGES.cfg')

print('Comparing Config Changes to Current Running Configuration.')
diffs = c3750.compare_config()
if len(diffs) > 0:
    print(diffs)
    print('Saving Config..')
    # One commit applies the candidate and saves it; a second commit is not needed
    c3750.commit_config()
    print('Config Saved..')
else:
    print('No changes needed.')
    c3750.discard_config()

c3750.close()
print('Connection Closed..')
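The script above commits whenever compare_config() returns anything at all. A practitioner pushing changes unattended usually wants one more gate: look at what the diff adds and removes before committing it. The following is an added example, not code from the original post or from the NAPALM project; it parses the +/- lines that compare_config() returns for IOS and refuses an automatic commit when a change weakens logging, AAA, SSH, time sources or port security. The deny patterns and the two sample diffs are constructed for illustration.

```python
"""Review a NAPALM compare_config() diff before committing it.

Added example (not part of the original post or of NAPALM). The policy
patterns and sample diffs are constructed; adapt them to your own change
policy before using this in front of a real commit.
"""
import re

# Constructed policy: lines that must never be ADDED without a human looking.
DENY_ADDED = [re.compile(p) for p in (
    r"^no aaa ",
    r"^no ip ssh",
    r"^no logging ",
    r"^no service password-encryption",
    r"^username \S+ privilege 15",
)]

# Constructed policy: existing lines that must never be REMOVED unattended.
PROTECTED_REMOVED = [re.compile(p) for p in (
    r"^aaa ",
    r"^ip ssh",
    r"^logging ",
    r"^ntp (server|authenticate)",
    r"^switchport port-security",
)]


def parse_diff(diff_text):
    """Split diff text into (added, removed) command lists, ignoring +++/--- headers."""
    added, removed = [], []
    for line in diff_text.splitlines():
        if line.startswith("+++") or line.startswith("---"):
            continue
        if line.startswith("+"):
            added.append(line[1:].strip())
        elif line.startswith("-"):
            removed.append(line[1:].strip())
    return added, removed


def review_diff(diff_text):
    """Return a list of human-readable findings; empty means nothing policy-relevant."""
    added, removed = parse_diff(diff_text)
    findings = []
    for line in added:
        if any(p.search(line) for p in DENY_ADDED):
            findings.append(f"added: {line}")
    for line in removed:
        if any(p.search(line) for p in PROTECTED_REMOVED):
            findings.append(f"removed: {line}")
    return findings


def safe_to_commit(diff_text):
    """True only when there is a non-empty diff with no policy findings."""
    return bool(diff_text.strip()) and not review_diff(diff_text)


# Constructed sample: what compare_config() might return for the CHANGES.cfg above.
SAMPLE_DIFF = """\
+vlan 999
+ name BLACKHOLE
+vlan 120
+ name TEST
+interface range FastEthernet1/0/10 - 20
+ switchport mode access
+ switchport access vlan 999
"""

# Constructed sample that also drops NTP authentication and a syslog destination.
RISKY_DIFF = SAMPLE_DIFF + "-ntp authenticate\n+no logging host 10.0.10.5\n"

if __name__ == "__main__":
    for name, diff in (("SAMPLE_DIFF", SAMPLE_DIFF), ("RISKY_DIFF", RISKY_DIFF)):
        print(name, "safe_to_commit:", safe_to_commit(diff), review_diff(diff))
```

To use it in the script above, replace the `if len(diffs) > 0:` branch with `if safe_to_commit(diffs):` and call `c3750.discard_config()` (printing `review_diff(diffs)`) in the else branch, so a flagged change is left for a human to approve rather than silently committed.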

Netmiko: Configure multiple devices with multiple commands (Cisco IOS)

Categories Automation, Cisco, Devnet
Automation

Create a script and save it as config.py.
Create a text file with your IOS script inside – this example is named c3750_lab_design.

Save the file in the same folder path where you save the script.

Example of Cisco IOS Script:

vtp mode transparent
spanning-tree mode rapid-pvst
udld enable
errdisable recovery cause all
port-channel load-balance src-dst-ip
ip name-server 10.0.10.3
no ip http server
no ip http secure-server

snmp-server community python1 RO
snmp-server community python2 RW

ntp server 0.us.pool.ntp.org

clock timezone CST -6
clock summer-time CST recurring
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

vlan 10
name Data
vlan 11
name Voice
vlan 12
name Test

interface vlan 1
description In-band Management

ip default-gateway 10.0.10.1
ip dhcp snooping vlan 100,101

no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 10
spanning-tree portfast bpduguard default

interface range Fa 1/0/1 - 20
switchport
switchport access vlan 10
switchport voice vlan 11
switchport host
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source

interface range Fa 1/0/21 - 48
switch tr en do
switchport mode trunk
end
wr

Configure multiple Cisco IOS devices with Netmiko

Categories Automation, Cisco, Devnet
Automation


Copy pasta the script and save it as config.py:

from netmiko import ConnectHandler

# One dictionary per device; Netmiko uses these as ConnectHandler arguments
c3750_s1 = {
    'device_type': 'cisco_ios',
    'ip': '10.0.10.24',
    'username': 'lab',
    'password': 'lab'
}

c3750_s2 = {
    'device_type': 'cisco_ios',
    'ip': '10.0.10.25',
    'username': 'lab',
    'password': 'lab'
}

c3750_s3 = {
    'device_type': 'cisco_ios',
    'ip': '10.0.10.26',
    'username': 'lab',
    'password': 'lab'
}

all_devices = [c3750_s1, c3750_s2, c3750_s3]

for device in all_devices:
    net_connect = ConnectHandler(**device)
    # Create VLANs 2 through 20 on this device
    for n in range(2, 21):
        print("Creating VLAN " + str(n))
        config_commands = ['vlan ' + str(n), 'name Python_VLAN' + str(n)]
        output = net_connect.send_config_set(config_commands)
        print(output)
    net_connect.disconnect()

Execute the script and then check the devices for configuration changes.
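The loop above builds the same two-line config set for every VLAN and pushes it with hard-coded credentials. As an added example (not from the original post or from the Netmiko project), here is the same bulk-VLAN job restructured so the command builder can be tested without a switch, so VLAN IDs a Catalyst will refuse (0, 4095 and the reserved 1002-1005 range) are rejected before anything is sent, and so the username and password come from environment variables instead of the script. The device IPs, the NET_USER/NET_PASS variable names and the push_vlans helper are assumptions of this example.

```python
"""Bulk VLAN creation with Netmiko, split into testable pieces.

Added example, not from the original post or from Netmiko. Credentials are
read from the environment; IPs and helper names are constructed.
"""
import os

# FDDI / Token Ring defaults that Catalyst IOS will not let you create
RESERVED_VLANS = {1002, 1003, 1004, 1005}


def vlan_commands(vlan_id, name_prefix="Python_VLAN"):
    """Return the two-line config set that creates and names one VLAN."""
    if not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN {vlan_id} is outside 1-4094")
    if vlan_id in RESERVED_VLANS:
        raise ValueError(f"VLAN {vlan_id} is reserved on Catalyst switches")
    return [f"vlan {vlan_id}", f"name {name_prefix}{vlan_id}"]


def bulk_vlan_commands(vlan_ids, name_prefix="Python_VLAN"):
    """Flatten many VLANs into one list so each device gets a single send_config_set()."""
    commands = []
    for vid in vlan_ids:
        commands.extend(vlan_commands(vid, name_prefix))
    return commands


def build_inventory(ips, username_var="NET_USER", password_var="NET_PASS"):
    """Build Netmiko device dicts; the credentials come from the environment."""
    username = os.environ.get(username_var)
    password = os.environ.get(password_var)
    if not username or not password:
        raise RuntimeError(f"set {username_var} and {password_var} before running")
    return [{"device_type": "cisco_ios", "ip": ip,
             "username": username, "password": password} for ip in ips]


def push_vlans(devices, vlan_ids, connect=None):
    """Push one config set per device and return {ip: output}.

    'connect' defaults to netmiko.ConnectHandler; the parameter exists so the
    logic can be exercised with a fake connection in tests.
    """
    if connect is None:
        from netmiko import ConnectHandler   # lazy import: builders run without Netmiko
        connect = ConnectHandler
    commands = bulk_vlan_commands(vlan_ids)  # validate everything before touching a device
    results = {}
    for device in devices:
        conn = connect(**device)
        try:
            results[device["ip"]] = conn.send_config_set(commands)
        finally:
            conn.disconnect()
    return results


if __name__ == "__main__":
    inventory = build_inventory(["10.0.10.24", "10.0.10.25", "10.0.10.26"])
    for ip, output in push_vlans(inventory, range(2, 21)).items():
        print(ip)
        print(output)
```

Run it with `NET_USER=lab NET_PASS=lab python config.py`; because validation happens in bulk_vlan_commands before the first SSH session is opened, a bad VLAN ID fails the whole job instead of leaving some switches half configured.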

Netmiko SSH Script to Cisco 3750 Switch

Categories Automation, Cisco, Devnet
Automation

Open your favorite editor and copy pasta:

from netmiko import ConnectHandler

c3750 = {
    'device_type': 'cisco_ios',
    'ip': '10.0.10.24',
    'username': 'lab',
    'password': 'lab'
}

net_connect = ConnectHandler(**c3750)
output = net_connect.send_command('show ip int brief')
print(output)

# Push a small config set and echo the switch's response
config_commands = ['int loop 0', 'ip address 1.1.1.1 255.255.255.0']
output = net_connect.send_config_set(config_commands)
print(output)

# Create VLANs 2 through 20
for n in range(2, 21):
    print("Creating VLAN " + str(n))
    config_commands = ['vlan ' + str(n), 'name Python_VLAN' + str(n)]
    output = net_connect.send_config_set(config_commands)
    print(output)

net_connect.disconnect()

Save the file as config.py and execute the script:
python config.py

If we check on our switch we can see that our script has created the new VLANs.

Setting Up SSH On A Cisco Switch

Categories Cisco
ssh

Create a username with proper credentials. Enable SSH on VTY lines 0 – 4. Set up a domain name and generate a crypto key (the domain name is required before the RSA key can be generated). Then save the configuration.

enable
conf t
username lab pass lab
username lab priv 15

line vty 0 4
login local
transport input all

ip domain-name ge.local
crypto key gene rsa
2048

end
wr

Create an IP address for management if the device does not have a physical management port:

interface vlan 1
ip add 10.0.10.24 255.255.255.0
no shut

Verify the management interface is up:

Verify SSH access from remote device:

SSH to Cisco Switch

Factory Resetting a Cisco Switch

Categories Cisco
Cisco 3750 Mode Button

Steps to reset a Cisco Switch (we’re using a Cisco 3750v2 for this example). The 3750v2 is a great labbing switch – I used this model for my CCNP.

It should be noted that a better way to do this would be renaming the config.text on the flash. From the switch: prompt:

  • rename flash:config.text flash:config.old

Scenario: You need access to an IOS device and are locked out. You have physical access to the device and don’t care about the previous config – you need a vanilla config.

On Windows I really like using MobaXterm; this application is packed with a ton of features! Check it out: https://mobaxterm.mobatek.net/download.html

Forgot username and password
  • Power off the device.
  • Hold down the Mode button and plug the power back into the device.
  • Wait 20 seconds and release the Mode button.
Switch Prompt
  • Initialize the flash and list the directory contents:
  • flash_init
  • dir flash:
Flash Contents

Next delete the vlan.dat and config.text.

  • del vlan.dat
  • del config.text
deleting vlan.dat and config.text

Issue boot command to reboot the device:

  • boot
Cisco boot command

Success – A Vanilla’d Device