Monday, February 22, 2010

BSCI - EIGRP - #sh ip eigrp neigbors cmd

A common question when reviewing the output of the #sh ip eigrp neighbors cmd is 'What on earth does 'H' stand for??'

Well, here it is......

H (handle): A number used internally by the Cisco IOS software to track a neighbor. It records the order in which the neighbors were learned.

 So there you have it...still no clearer why the word Handle was used but at least you now know what it means :o)

Starting the BSCI

Today sees me start the BSCI course at my local Cisco Networking Academy.

I'll be doing more lab work in GNS3, I've already made a good start with my notes covering off EIGRP, and I'll be going over both Jeremy Cioara's CBT Nuggets videos and Chris Bryant's Train Signal videos.

Fingers crossed, here we go...

Friday, February 19, 2010

Upgrade your Cisco PIX 525 firewall

Following on from the Cisco Advisory posted here on the 18th feb I thought it would be a good time to cover off exactly how you went about performing the upgrade. This article relates to upgrading a Cisco PIX 525 firewall however the process is similar for Cisco ASA devices too.

Install Notes:
  • If you have a pair, one with 'Fail over License' and the other with unrestricted license (in #sh ver) apply the upgrade to the FailOver node first. If you loose the node then you still have your unrestricted node for use. Otherwise if it goes wrong for what ever reason your Fail Over License' device will reboot every 24 hours
  •  The article states to connect to the Outside interface. You can infact connect to any available interface you choose not just the Outside if thats easier.
  • If you are conducting a minor release upgrade you can perform the procedure on both firewalls at the same time. TFTP transfer the image file then reboot the firewalls together. Conduct your post install checks and you should be good to go.
  • Cisco DTE adapter 
  • Console cable   
  • Ethernet cable (crossover ideally)
  • A tftp sever application such as SolarWinds TFTP Server  
  • Passwords for your device
  • Pix724-30.bin file (or which ever file it is you are upgrading to)
    • Connect the console cable to the Primary F/W via the Cisco DTE adapter
    • Open HyperTerminal - COM1;9600;8;none;1;none
    • Log on the 1st F/W using your password details
    • Do #sh fail - to check which is the active node
    • Do #sh ver - copy the Serial Number/Running Active Key to a file and save for future reference should things go bad
    • Do #sh run and copy your running in to notepad as a precaution 
    • Power down the Secondary node - this is because you can't have a fail over pair with differing OS versions when performing an upgrade to a major release e.g 6.3 to 7.2.4
    • Next do #sh ip - and check for the 'Outside' IP address
    • Pick a suitable IP from the same scope and apply it to the LAN connection on the laptop - eg
    • Connect the Laptop to the 'Outside' port on the F/W - DON'T forget to reconnect the 'Outside' cable once done!
    • Back to HyperTerminal  do #ping - to check the F/W can communicate with the laptop (if it doesn't, check the arp - #sh arp and #clear arp and try again)
    • Start tftp32 on the laptop
    • Change the 'Current Directory' in the TFTP server or make a note of the path to the folder with your pix724-30.bin file in it
    • Back to HyperTerminal, do #copy tftp:// flash - This will copy the upgrade OS to flash memory
    • Do #write mem - to commit the changes
    • Once done do #reload
    • Once back up log back in and check that it is the active node (#sh fail), check the OS version (#sh ver), check to see active connections (#sh conn), check the vpn settings (#sh crypto - if applicable)
    • Once you are satisfied its complete power down the primary F/W and power up the secondary F/W
    • Run through the steps again
    • Once complete power up the Primary F/W and reload the secondary F/W at the same time
    • Log in to the Primary F/W and do #sh fail - check that it’s the active node, if it isn't restart the secondary F/W again
    • Log in to the secondary F/W and check it is the secondary node - you should get a synching message whilst you log on.
    • Finally go through the checks again and make sure you are happy
     Post Upgrade tasks:
    •  If you run any VPN's through the firewall test these as applicable
    • Advise any other teams/engineers your upgrade has been successful
    • Enjoy a well earned cup of your favourite brew :o)

    Monday, February 15, 2010

    Using Cisco SDM in GNS3

    One of the great things about GNS3 is that you can practice your labs using real IOS images. The same goes for Cisco SDM. Tasks such as configuring GRE over IPSec tunnels or applying IOS Firewall can be made so much easier via the Cisco SDM.

    In this entry I'm going to show you how I configured my laptop to access the Cisco SDM within my GNS3 lab.

    This lab assumes you are using a Windows XP system, you use IE, and your Java version is  jre-1_5_0_09-windows-i586-p.exe (other versions of JRE may be fine but this is what works for me).

    1) Configure a loopback interface on your laptop.
    The first task is to configure a loopback interface. To do this go to:
    • Start - Settings - Control Panel - Add Hardware
    • Select Next when the wizard starts and then 'Yes, I have already connected the hardware', select Next
    • You are presented with a list of currently installed devices, scroll to the bottom and choose 'Add a new hardware device', select Next
    • Check the button for 'Intsall the hardware that I manually select from a list' and select Next
    • Select 'Network Adapters' and then select Next
    • On the next screen choose 'Microsoft' from the left column and then 'Microsoft Loopback Adapter' from the right column, select Next and then Next again to install.
    2)  Create your lab
    Build your lab and make sure that you install an FE-TX interface on the router/firewall you'd like the laptop to connect to. Save the lab and close it.

    3) Make a note of the Loopback hardware address
    Go to the directory for GNS e.g.) C:\Program Files\GNS3 and locate the file 'Network device list.cmd'
    Run this and make a note of the output for the new loopback address you set up in point 1 e.g)
     Name      : Local Area Connection 2
    Desciption: Microsoft Loopback driver
    N.B - copy the equivilent output that I've marked in Bold

    4) Insert the output for your Loopback interface in to your lab
    • Navigate to the saved location for your lab and and right click on the file e.g) then select edit network file (if prompted for an application choose Notepad).
    • Locate the device you wish to add your Loopback connection to and insert the interface address like the example below:  [[ROUTER R3]]
              model = 3620
              console = 2003
              slot0 = NM-4T
              s0/0 = R2 s0/1
              slot1 = NM-1FE-TX
              f1/0 = NIO_gen_eth:\Device\NPF_{19DB09AF-0DC2-43C6-B9B7-69A0E722FA45}
              x = 108.0
              y = 19.0
    • Save this.
    5) Open GNS3 and open the Lab you have just added your loopback interface. 
    • If correctly configured you should now see a cloud marked something like C0 or C1 connecting to your FE interface on the router you choose to assign the connection to.
    •  Assign IP addresses on the same subnet to both the loopback interface on your windows XP system and the FE-TX interface on your network device.
    • Ping the IP addresses from either side and you should have connectivity. If you don't, trouble shoot accordingly

    Now you have a functioning connection into your lab you can do many things. For example download and install Cisco SDM launcher for PC and then enter the internal IP address for the router in your lab you'd like to connect to.

    You can also set up a syslog server. Install Kiwi Syslog Server and then configure your network devices to send logging information to the IP address assigned to your loopback interface.

    You might want to install a RADIUS server on your XP system and then foward all RADIUS authentication requests to your loop back adapter.

    These are just some examples of what you can do once you have your Loopback configure. Enjoy!