
Wednesday, May 29, 2013

How do you allow only SSH version 2 with aes256-cbc hmac-sha1 on an IOS router?

We have a requirement on my IOS router running the latest version of IOS 12.4T.

We would like to configure the router so that it only accepts SSH version 2 connections with aes256-cbc hmac-sha1. Every other SSH connection, such as aes192-cbc hmac-sha1 or hmac-md5, will fail.

We can get this to work on a Unix/Linux box in less than 10 seconds. However, we are not able to get this to work on IOS routers.

Unfortunately this functionality is not yet available on Cisco IOS (as of 5-29-2013).

Restricting it to only SSH version 2 is possible. To use only SSH v2, you have to fix the version with the "ip ssh version" configuration command. Without doing so, clients can connect with either SSH v1 or v2. SSH v1 uses 3DES while SSH v2 uses AES.

See Cisco's document "Configuring Secure Shell on Routers and Switches Running Cisco IOS" for more information.

There isn't a way to restrict the encryption protocol in IOS.
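As an added example (not code from the original post or from Cisco), here is a small Python audit that checks a saved running-config for the one thing IOS can enforce here, the pinned SSH version, and reports when the version is left unset (both v1 and v2 accepted) or pinned to v1. It goes a little beyond the post by also flagging vty lines whose transport input still allows telnet; it deliberately does not try to check ciphers or MACs, since 12.4T has no command to restrict them. The config text is constructed, not captured from a real router.

```python
"""Audit an IOS running-config for the SSH settings discussed above.

Added example; not from the original post. It checks that the SSH version is
pinned with "ip ssh version 2" and, as a related hardening item not in the
post, that vty lines accept only SSH ("transport input ssh"). It does NOT try
to check cipher or MAC restrictions, because 12.4T has no command for that.
"""
import re

# Constructed sample config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
ip domain-name example.net
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
"""

# Same config with the SSH version pinned and telnet removed from vty 0 4.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ip ssh time-out 60", "ip ssh time-out 60\nip ssh version 2"
).replace("transport input telnet ssh", "transport input ssh")


def ssh_version(config):
    """Return '1', '2', or None when no 'ip ssh version' line pins the version
    (IOS then accepts both v1 and v2 clients)."""
    m = re.search(r"^ip ssh version (1|2)\s*$", config, re.MULTILINE)
    return m.group(1) if m else None


def vty_transports(config):
    """Map each 'line vty ...' block to the set of protocols its transport input allows."""
    result = {}
    current = None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            result[current] = set()
        elif current and line.startswith(" "):  # sub-mode command under the line block
            m = re.match(r"\s+transport input (.+)$", line)
            if m:
                result[current] = set(m.group(1).split())
        else:  # any non-indented line ends the line block
            current = None
    return result


def audit_ssh(config):
    """Return a list of findings; an empty list means the config matches policy."""
    findings = []
    version = ssh_version(config)
    if version is None:
        findings.append("SSH version not pinned: router accepts v1 and v2 (add 'ip ssh version 2')")
    elif version == "1":
        findings.append("SSH pinned to version 1 (change to 'ip ssh version 2')")
    for block, protocols in vty_transports(config).items():
        if protocols & {"telnet", "all"}:
            findings.append(f"{block}: allows {' '.join(sorted(protocols))}; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg) or ["OK"])
```

Running it on the constructed config reports two findings (version not pinned, telnet on vty 0 4); the hardened variant passes. Cipher and MAC policy still has to be enforced on the client side, as the post notes.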


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Monday, May 20, 2013

How many configurable static routes can you have on a Catalyst 3750-X?

With LAN Base, Cisco throws in capability for a very small number of static routes. They do this with their 2960 series Layer 2 switches as well. Like Antonios says, the switch needs to be set to an appropriate SDM template to access this limited routing capability. I think the default 3750-X template is the one you need.

With IP Base and above, you are opening up the switch's standard static routing capability. There will be some static route limit, but it's going to be very, very high, i.e. nothing like 16.

Both IP Base and IP Services licenses have the same templates but different features. See Cisco's "Cisco IOS Software Packaging and Licensing" document for the details.

The C3750-X uses templates to optimize its operation, so you can select whichever template is best for your environment. Static routes are unicast routes. Check the Cisco documentation for how many unicast routes each template supports.

The data sheet for the LAN Base feature set is available on Cisco's site (Cisco login required).



"dsl operating-mode auto" not supported on 15.1(4)M5

We are moving from 877 12.4(15) to 887VA-M 15.1(4)M5. In the old configuration we have:

interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!

In the new router/IOS, the command "dsl operating-mode ...." isn't supported under interface ATM0. Has the syntax changed?

Please note that some of the configuration for the 887 has moved into the VDSL controller:

!
controller vdsl 0
operating mode auto
!

See the Cisco documentation on "Configuring VDSL Mode".




Friday, May 17, 2013

How many licenses do we need for two 6500s with Sup2Ts running VSS?

Also, what does the license state "Active, Not in Use" mean? It seems contradictory.

show license feature shows Enabled: no. What does that mean? What features are turned on using MACSec_Encryption?

Router#sh license all
License Store: Primary License Storage
StoreIndex: 0   Feature: MACSec_Encryption                 Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
Router#sh license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled
MACSec_Encryption        yes          no          no             no 
Router#

No license is required for running VSS with Sup2T and IOS 15.0SY.

The MACsec license is only needed if you are doing encryption for the VSL.

License State: Active, Not in Use
and
show license feature shows Enabled: no.
This means MACsec is not configured, so the license was not activated.




Wednesday, May 15, 2013

"Show logging" clock 1 hour out on the routers

Why would our routers' clock be fine (NTP), but if we do a show logging, the log timestamps are 1 hour behind?

Clock is 4pm
Show logging is 3pm

If a router is configured to get the time from a Network Time Protocol (NTP) server, the times in the router's log entries may differ from the time on the system clock if the [localtime] option is not in the service timestamps log command. In the example below, the router gets its time from an NTP server and the service timestamps log datetime command is issued. The show clock command displays a time of 14:12:26, yet when a configuration change is made immediately after the show clock command, the log message shows a time of 21:12:28:

clock timezone PST -8
clock summer-time PDT recurring
service timestamps debug datetime
service timestamps log datetime
logging buffered 16000 debugging
ntp clock-period 17179272
ntp server 161.181.92.152

router#show clock
14:12:26.312 PDT Thu Apr 27 2000
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#exit
router#
Apr 27 21:12:28: %SYS-5-CONFIG_I: Configured from console by vty0

Resolution
Add the [localtime] option to the service timestamps log command. For example, if the current configuration is service timestamps log datetime, issue this global configuration command:
router(config)#service timestamps log datetime localtime
router(config)#^Z (ctrl z to exit)
router#write mem

The times should now be synchronized between the system clock and the log message timestamps.
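An added example (not from the original post) in Python: given the router's "show clock" output and a log line captured at about the same moment, it works out the offset the log is running at (7 hours in the Cisco example above, 1 hour in the question) and rewrites the buffered log lines so their timestamps match the clock, which is what you need when pulling logs off such a router into an incident timeline. It also checks whether the service timestamps log line already carries localtime. The show clock reading and the first log line are the ones from the post; the second log line is constructed.

```python
"""Normalise IOS log timestamps that were written without 'localtime'.

Added example, not from the original post. Without the localtime keyword the
router stamps syslog in UTC while 'show clock' shows local time. Given a
'show clock' reading and a log line captured around the same moment, this
works out the offset and rewrites the log timestamps so they line up with
the clock. It also checks whether the config already has the fix.
"""
import re
from datetime import datetime, timedelta

# Values from the post's example, plus one constructed log line.
SHOW_CLOCK = "14:12:26.312 PDT Thu Apr 27 2000"
LOG_LINES = [
    "Apr 27 21:12:28: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Apr 27 21:40:05: %SYS-5-CONFIG_I: Configured from console by vty1",  # constructed
]
CONFIG_BEFORE = "service timestamps log datetime\n"
CONFIG_AFTER = "service timestamps log datetime localtime\n"

_CLOCK_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d+ (\S+) \w{3} (\w{3}) +(\d+) (\d{4})$")
_LOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d{2}:\d{2}:\d{2}): (.*)$")


def parse_show_clock(text):
    """Return (naive local datetime, timezone abbreviation) from 'show clock' output."""
    m = _CLOCK_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised show clock output: {text!r}")
    hms, tz, mon, day, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S"), tz


def parse_log_line(line, year):
    """Split a 'Mon DD HH:MM:SS: message' log line into (datetime, message).
    The log line carries no year, so the caller supplies it from the clock."""
    m = _LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    mon, day, hms, msg = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S"), msg


def detect_offset(clock_text, log_line):
    """Offset (log time minus clock time) rounded to the nearest 15 minutes, so the
    few seconds between issuing 'show clock' and the log entry do not matter."""
    clock, _ = parse_show_clock(clock_text)
    logged, _ = parse_log_line(log_line, clock.year)
    raw = (logged - clock).total_seconds()
    return timedelta(seconds=round(raw / 900) * 900)


def normalise(clock_text, lines):
    """Rewrite each log line's timestamp into the router's local time, using the
    first line to measure the offset."""
    offset = detect_offset(clock_text, lines[0])
    clock, tz = parse_show_clock(clock_text)
    out = []
    for line in lines:
        logged, msg = parse_log_line(line, clock.year)
        local = logged - offset
        out.append(f"{local.strftime('%b %d %H:%M:%S')} {tz}: {msg}")
    return out


def has_localtime(config):
    """True if 'service timestamps log ... localtime' is present (the fix)."""
    return re.search(r"^service timestamps log .*\blocaltime\b", config, re.MULTILINE) is not None


if __name__ == "__main__":
    print("offset:", detect_offset(SHOW_CLOCK, LOG_LINES[0]))
    for line in normalise(SHOW_CLOCK, LOG_LINES):
        print(line)
    print("fix present before/after:", has_localtime(CONFIG_BEFORE), has_localtime(CONFIG_AFTER))
```

The offset is rounded to 15-minute steps rather than whole hours so that half-hour and 45-minute time zones are handled too. Once the router itself has localtime configured, the detected offset drops to zero and the lines pass through unchanged.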


Wednesday, May 1, 2013

MPLS Route Distinguisher in L2VPN compared to L3VPN connections

With L3VPN we have 2 MPLS labels: the top label for communicating between the PE and the PE (most likely the loopback IPs of these routers), and the MPLS VPN (inner) label, which consists of the IP prefix + the route distinguisher so MPLS knows how to differentiate the same routes from multiple customers.

Unfortunately now our confusion starts: with L2VPN connections you also have route distinguishers, but why do we have them there? For instance, with Juniper you have a remote site ID 1 which is communicating with remote site ID 2, and we do nothing with prefixes at all. So if I say this RD is used for making every L2VPN connection in the cloud unique, is this a correct way of saying it?


The inner label in L3VPN is not related to the route distinguisher.

The VPNv4 prefix is formed by prepending the RD to the original 32-bit IPv4 prefix.

The route distinguisher makes the prefix unique in the signalling plane, allowing discrimination between overlapping prefixes in different VRFs/VPNs.

The inner label is an attribute of the VPNv4 NLRI and is part of the forwarding plane: the sending PE node tells all the potential peers what inner label it expects to receive when traffic is sent to this specific NLRI.

In Juniper, L2VPN signalling is done with MP-BGP using a different address family, the l2vpn address family.
This is called Kompella L2VPN after the name of its inventor.

As you have guessed, also in this case the RD assumes the role of identifying the site. If you look at the l2vpn MP-BGP route you will see the site-id at the end of the composite prefix.

We could say that in L2VPN the prefix is indeed the site id prepended by some other information including the RD.
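To make the distinction above concrete, here is an added Python example (not from the original post or from any vendor code) that encodes a labeled VPN-IPv4 NLRI as in RFC 4364 and a Kompella L2VPN NLRI as in RFC 6624. It shows that two customers announcing the same 10.1.0.0/24 produce different VPNv4 routes because the RD is prepended, that changing only the inner label does not change which route it is, and that the L2VPN NLRI carries the RD together with a site ID rather than a prefix. The ASN, prefixes, labels and site numbers are constructed; the L2VPN encoding omits the optional TLVs.

```python
"""Encode VPNv4 (RFC 4364) and Kompella L2VPN (RFC 6624) BGP NLRIs to show the
two roles discussed above: the RD makes overlapping prefixes unique in the
signalling plane, the inner label is a separate forwarding attribute, and in
L2VPN the RD travels with a site ID rather than an IP prefix.

Added example, not from the original post; field layouts follow the RFCs, and
the sample ASN, prefixes, labels and site IDs are constructed.
"""
import ipaddress
import struct


def encode_rd(asn, assigned):
    """Type 0 RD (ASN:nn): 2-byte type, 2-byte ASN, 4-byte assigned number = 8 bytes."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_label(label, bottom_of_stack=True):
    """3-byte MPLS label entry: 20-bit label, 3 EXP bits (zero), 1 bottom-of-stack bit."""
    return ((label << 4) | int(bottom_of_stack)).to_bytes(3, "big")


def vpnv4_nlri(label, rd, prefix):
    """Labeled VPN-IPv4 NLRI: length in bits (label + RD + prefix), label, RD, prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    plen = net.prefixlen
    prefix_octets = net.network_address.packed[:(plen + 7) // 8]
    return bytes([24 + 64 + plen]) + encode_label(label) + rd + prefix_octets


def decode_vpnv4(nlri):
    """Return (label, 'ASN:nn', 'a.b.c.d/len') from a labeled VPN-IPv4 NLRI."""
    plen = nlri[0] - 24 - 64
    label = int.from_bytes(nlri[1:4], "big") >> 4
    _, asn, assigned = struct.unpack("!HHI", nlri[4:12])
    nbytes = (plen + 7) // 8
    addr = nlri[12:12 + nbytes] + b"\x00" * (4 - nbytes)
    return label, f"{asn}:{assigned}", f"{ipaddress.IPv4Address(addr)}/{plen}"


def vpnv4_route_key(nlri):
    """What distinguishes one VPNv4 route from another: RD + prefix, not the label."""
    _, rd, prefix = decode_vpnv4(nlri)
    return f"{rd}:{prefix}"


def l2vpn_nlri(rd, site_id, block_offset, block_size, label_base):
    """Kompella L2VPN NLRI (RFC 6624 section 3.2.2): 2-byte length, RD, CE/site ID,
    label block offset, label block size, 3-byte label base (optional TLVs omitted)."""
    body = (rd + struct.pack("!HHH", site_id, block_offset, block_size)
            + label_base.to_bytes(3, "big"))
    return struct.pack("!H", len(body)) + body


def decode_l2vpn(nlri):
    """Return ('ASN:nn', site_id, block_offset, block_size, label_base)."""
    _, asn, assigned = struct.unpack("!HHI", nlri[2:10])
    site_id, offset, size = struct.unpack("!HHH", nlri[10:16])
    return f"{asn}:{assigned}", site_id, offset, size, int.from_bytes(nlri[16:19], "big")


if __name__ == "__main__":
    # Two customers announce the same 10.1.0.0/24; different RDs keep the routes apart.
    a = vpnv4_nlri(16, encode_rd(65000, 1), "10.1.0.0/24")
    b = vpnv4_nlri(17, encode_rd(65000, 2), "10.1.0.0/24")
    print(vpnv4_route_key(a), a.hex())
    print(vpnv4_route_key(b), b.hex())
    # In L2VPN the RD is combined with a site ID, not an IP prefix.
    s = l2vpn_nlri(encode_rd(65000, 1), 1, 0, 8, 800000)
    print(decode_l2vpn(s), s.hex())
```

In the VPNv4 case the label sits in front of the RD and prefix inside the NLRI, but it never takes part in telling routes apart: only the RD plus prefix does. In the L2VPN case the same 8-byte RD is followed by the site ID, which is the "site-id at the end of the composite prefix" the answer refers to.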


