Sunday, November 13, 2011

About Me

Original (November 2011):

I have received a few e-mails from readers asking me questions about myself and what I do, so I thought I'd write a blog entry about it.

I'm a 27 year old Cisco network engineer living in Australia. I work for a large, multinational company, and have been with them for about seven months now and am thoroughly enjoying myself.

I'm currently studying for the CCNP certification, and once completed, I plan to start studying for the CCIE R&S certification.

In my spare time, when I'm not studying or blogging on here, you can usually find me helping out on internet forums. The one I most frequently visit would be the Whirlpool forums where I post under the name Cisco Freak.

Speaking of which, a Whirlpool thread that I started quite some time ago may be of use to some of you who are studying for Cisco certifications. For those of you who are only interested in the links and not the users' posts in between, I also created a wiki version of the thread.

When I'm not talking Cisco, I'm either playing with custom firmwares, Linux or some other geeky activity. I have put together a brief list of my extra curricular activities below. If you have any questions or need any assistance with anything I have mentioned, please feel free to pop me an e-mail and I'll do all I can to assist.

And finally, when my free time clears up, my next couple of projects will be:
  • A new website that will assist Cisco newcomers to get through the basics and gradually bring them all the way up to dealing with large, complex networks. The first phase of the site has been completed, however, due to my CCNP studies, I have decided to put the site on the back burner for now.
  • I also plan to create a new Network Security blog. I have always had an interest in Network Security and after having read Cyber War: The Next Threat to National Security and What to Do About it (as suggested by the bloggers on Network World), my interest has increased greatly. 

If anyone has any further questions, please feel free to drop me an e-mail or make a comment on this entry and I'll happily respond.

Update: Below are a couple of photos of my home lab.
 


2015 Update:

See this page to find out what I've been up to over the years since this entry was originally posted.

As always, if you have any questions or have a topic that you would like me to discuss, please feel free to post a comment at the bottom of this blog entry, e-mail at myciscolabsblog@gmail.com, or drop me a message on Twitter (@OzNetNerd).

Note: This website is my personal blog. The opinions expressed in this blog are my own and not those of my employer.

Saturday, October 8, 2011

Fast GNS3 Router Bootup

As all Cisco IOS users and Cisco engineers will have seen when booting up a switch or a router, the device decompresses the image file, which is represented by a series of # signs that flood across the screen. While decompressing the image does not take an extremely long time, it can seem like an eternity if you're wanting to get a lab up and running so you can test something quickly. Thankfully, GNS3 allows you to skip the decompression process by decompressing the image beforehand.

All you need to do is open your IOS' .bin file with WinRar. When you do this, you will see another .bin file. Now all you need to do is extract this "new" .bin file and either rename it, or leave it as is. If you decide to do the former you will need to delete the original .bin file (that you opened with WinRar) and give the new .bin the original's name. (Note: The deletion is necessary as you cannot have two files with the same name in the same directory). If you decide to do the latter, you will need to update your GNS3 configuration so that it uses the new image when booting your virtual routers.

If you haven't already guessed, the original .bin is actually a compressed image and the "new" .bin is the decompressed version of that same image. What WinRar does is decompress the image so that GNS3 doesn't have to. This can save a lot of time, especially if you use GNS3 regularly.

Note: It is interesting to see the size difference between the compressed (original) and decompressed ("new") images. In my experience I have found more often than not the original image is almost half the size of the "new" image. It may be worth keeping this in mind, especially if you are running low on hard drive space.
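The same decompression, scripted rather than done by hand in WinRar, as an added example that is not the blog's or GNS3's own code. It assumes (the post does not say so) that a compressed IOS .bin is a self-extracting archive, a loader stub followed by a zip container, which is why WinRar can open it; the sample image it builds is a constructed stand-in, not a real IOS file, and the CRC check and SHA-256 are my additions so the original can be verified and recorded before it is replaced.

```python
"""Pre-decompress a compressed Cisco IOS image for GNS3, the way the post does
with WinRar. Assumption (not stated on the page): the .bin is a loader stub
followed by an ordinary zip container. Added example, not the blog's code."""
import hashlib
import io
import os
import tempfile
import zipfile


def sha256_of(path):
    """Hex SHA-256 of a file, so the original image can be recorded before
    it is deleted or renamed away."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_inner_image(bin_path, out_dir=None):
    """Pull the decompressed image out of a compressed IOS .bin.

    Returns (inner_path, compressed_size, decompressed_size). zipfile
    tolerates data prepended to an archive (the loader stub), so the .bin
    can be opened directly without stripping anything first.
    """
    out_dir = out_dir or os.path.dirname(os.path.abspath(bin_path))
    with zipfile.ZipFile(bin_path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:
            raise ValueError("expected one inner image, found %d" % len(members))
        # CRC-check before trusting the output: a corrupt extract would
        # otherwise be handed to dynamips and boot (or crash) silently.
        bad = zf.testzip()
        if bad is not None:
            raise ValueError("CRC error in archive member %s" % bad)
        info = members[0]
        inner_path = os.path.join(out_dir, os.path.basename(info.filename))
        with zf.open(info) as src, open(inner_path, "wb") as dst:
            for chunk in iter(lambda: src.read(1 << 20), b""):
                dst.write(chunk)
    return inner_path, os.path.getsize(bin_path), os.path.getsize(inner_path)


def build_sample_image(directory, payload=b"IOS" * 100_000):
    """Constructed stand-in for a compressed .bin: a fake loader stub followed
    by a deflated zip holding the 'decompressed' image. Not a real IOS image."""
    stub = b"\x7fELF-FAKE-SELF-EXTRACT-STUB\x00" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("C3725-AD", payload)   # inner name is made up
    path = os.path.join(directory, "c3725-sample-mz.bin")
    with open(path, "wb") as fh:
        fh.write(stub + buf.getvalue())
    return path, payload


def demo():
    """Build the constructed sample, extract it, and return
    (compressed_size, decompressed_size, extracted_bytes_match_payload)."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_path, payload = build_sample_image(tmp)
        inner, before, after = extract_inner_image(bin_path)
        with open(inner, "rb") as fh:
            matches = fh.read() == payload
        return before, after, matches


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bin_path, _ = build_sample_image(tmp)
        print("original sha256:", sha256_of(bin_path))
        inner, before, after = extract_inner_image(bin_path)
        print("%d bytes compressed -> %d bytes decompressed (%s)" % (before, after, inner))
```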


Wednesday, September 28, 2011

Emulating a Multi Layer Switch in GNS3

As most of you know, you can get switch-like capabilities in GNS3 by inserting an NM-16ESW into a compatible router. This is necessary because at present, dynamips is unable to emulate a real switch: Cisco switches use hardware ASICs to perform their duties and unfortunately it is difficult or impossible to emulate these in software.

This is not so bad though as you may find you can get quite a lot done with an NM-16ESW. You can even use it to emulate a multilayer switch, as I will now demonstrate using the following topology:



As you can see by the interface numbers on R1 (f1/0, f1/1 and f1/2), I'm only using the router's NM-16ESW module, not its integrated layer 3 ports.

Using the "no switchport" command on R1's fa1/0 port will turn it into a layer 3 interface, and therefore will allow me to assign an IP address to it:

R1(config)#interface FastEthernet1/0
R1(config-if)# no switchport
R1(config-if)# ip address 10.1.1.1 255.255.255.252


Next, I'll configure VLANs 10 and 20. (Unfortunately the NM-16ESW requires you to use the older "vlan database" command as opposed to the newer "vlan" command that multilayer switches use):

R1#vlan database
R1(vlan)#vlan 10
R1(vlan)#vlan 20
R1(vlan)#apply
R1(vlan)#exit

Now that the VLANs exist, I can create their VLAN interfaces and assign IP addresses to them:

R1(config)#interface Vlan10
R1(config-if)# ip address 10.10.10.1 255.255.255.252
R1(config-if)#interface Vlan20
R1(config-if)# ip address 10.20.20.1 255.255.255.252


I can also assign ports to the VLANs. As per the diagram, port Fa1/1 is to be put in VLAN10 and port Fa1/2 is to be put in VLAN20:

R1(config-if)#interface FastEthernet1/1
R1(config-if)# switchport access vlan 10
R1(config-if)#interface FastEthernet1/2
R1(config-if)# switchport access vlan 20


And that's it for R1 at this stage.

As for the VLAN10, VLAN20 and R2 routers, they all have very simple configurations, as shown below:

VLAN10:

interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1


VLAN20:

interface FastEthernet0/0
 ip address 10.20.20.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.20.20.1


R2:

interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1


One other thing to note is that as the connection between R1 and R2 is layer 3, you could remove the default route from R2's configuration and use a routing protocol such as EIGRP to advertise the accessible routes instead:

R1:

router eigrp 10
 network 10.1.1.1 0.0.0.0
 network 10.10.10.1 0.0.0.0
 network 10.20.20.1 0.0.0.0
 no auto-summary


R2:

router eigrp 10
 network 10.1.1.2 0.0.0.0
 no auto-summary
!
no ip route 0.0.0.0 0.0.0.0 10.1.1.1

After performing the above changes, R2's routing table will look like this:

R2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 3 subnets
D       10.20.20.0 [90/284160] via 10.1.1.1, 00:34:06, FastEthernet0/0
D       10.10.10.0 [90/284160] via 10.1.1.1, 00:36:41, FastEthernet0/0
C       10.1.1.0 is directly connected, FastEthernet0/0




Saturday, September 24, 2011

GNS3 Duplex Mismatch Messages

When Cisco devices are connected to one another and CDP is enabled (which it is by default), if one port is configured as full duplex but the other is configured as half duplex, the two devices will log "duplex mismatch" messages. This can be very helpful in the real world. However, when using GNS3 these messages can appear for no reason at all, and they will constantly reappear. Things get worse when you've got one router connected to two others, as was the case in the example below:

01:43:20.579: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/0 (not half duplex), with R1 FastEthernet0/0 (half duplex).
01:43:20.911: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/1 (not half duplex), with R2 FastEthernet0/0 (half duplex).
01:44:20.839: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/1 (not half duplex), with R2 FastEthernet0/0 (half duplex).
01:45:20.567: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/0 (not half duplex), with R1 FastEthernet0/0 (half duplex).
01:45:20.971: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/1 (not half duplex), with R2 FastEthernet0/0 (half duplex).
01:46:20.607: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/0 (not half duplex), with R1 FastEthernet0/0 (half duplex).
01:46:20.935: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/1 (not half duplex), with R2 FastEthernet0/0 (half duplex).
01:47:20.579: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/0 (not half duplex), with R1 FastEthernet0/0 (half duplex).
01:47:20.983: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/1 (not half duplex), with R2 FastEthernet0/0 (half duplex).

As the duplex mismatch is found through CDP, you could always disable CDP on all of your GNS3 routers to stop these messages appearing. However, this may not be an ideal solution for you, especially if you've got a large lab network. The other alternative is to issue the following command:

R3(config)#no cdp log mismatch duplex

This command stops the log messages appearing, while still leaving CDP enabled.


Friday, September 23, 2011

GNS3 IOS Memory Errors

Update: Please see this page for a fix to this issue.

The other day I decided to upgrade my GNS3 IOS to c3725-adventerprisek9-mz.124-15.T14.bin. All seemed to be going well until I tried to issue the "ip nat inside" command on one of the interfaces...

R1(config)#int fa0/0
R1(config-if)#ip nat inside
% NBAR ERROR: parsing stopped
% NBAR Error : Activation failed due to insufficient dynamic memory
% NBAR Error: Stile could not add protocol node
%NAT: Error activating CNBAR on the interface FastEthernet0/0
*Mar  1 00:00:27.307: %SYS-2-MALLOCFAIL: Memory allocation of 10260 bytes failed from 0x62912920, alignment 0
Pool: Processor  Free: 13696  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "Exec", ipl= 0, pid= 94,  -Traceback= 0x61488C44 0x60015E58 0x6001BDB8 0x6001C410 0x636726CC 0x62912928 0x628F12D8 0x628F6E7C 0x628F25B4 0x628F7104 0x628F25B4 0x628F257C 0x628F4F90 0x628F25B4 0x628F2778 0x62925C0
*Mar  1 00:00:27.311: %NBAR-2-NOMEMORY: No memory available for StILE lmalloc,  -Traceback= 0x61488C44 0x62912944 0x628F12D8 0x628F6E7C 0x628F25B4 0x628F7104 0x628F25B4 0x628F257C 0x628F4F90 0x628F25B4 0x628F2778 0x62925C08 0x6293066C 0x6291D81C 0x6293ABBC 0x6293AF3C
R1(config-if)#
*Mar  1 00:00:27.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Mar  1 00:00:30.263: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory


Things got worse when I tried to issue the "ip nat outside" command on the other interface...

R1(config-if)#int fa0/1
R1(config-if)#ip nat outside
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR ERROR: symbol addition
% NBAR Error : Activation failed due to insufficient dynamic memory
% NBAR Error: Stile could not add protocol node
%NAT: Error activating CNBAR on the interface FastEthernet0/1


Then the router complained some more when I issued the "ip nat inside source" command... 

R1(config-if)#ip nat inside source list TEST int fa0/0
R1(config)#
*Mar  1 00:01:28.651: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x625B21C8, alignment 0
Pool: Processor  Free: 8836  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "Exec", ipl= 0, pid= 94,  -Traceback= 0x61488C44 0x60015E58 0x6001BDB8 0x6001C2C4 0x625B21D0 0x625B3818 0x6254A408 0x62509078 0x625C223C 0x6255B8E0 0x6257DAE8 0x61CDB278 0x61CDB518 0x61C70178 0x61C7596C 0x614D5078
*Mar  1 00:01:28.671: CCE_CP: Can't cce_create_class_group: Can't allocate class group id.


After seeing all this, I got to work trying to resolve the issue. As the log messages clearly say, there is insufficient memory. So I thought I'd just upgrade the memory allocated to the router and all should be well. Unfortunately, all was not well. After increasing the memory and rebooting the router, I received the following error message in the GNS3 Console: 

=> *** Warning: ghostsize is to small for device R1. Increase it with the ghostsize option.

I can only assume that this "ghostsize" option relates to Ghostios, which, according to the GNS3 Quick Start guide is used to: 

"Significantly reduce the amount of real host RAM needed for labs with multiple routers running the same IOS image. With this feature, instead of each virtual router storing an identical copy of IOS in its virtual RAM, the host will allocate one shared region of memory that they will all utilize. So for example, if you are running 10 routers all with the same IOS image, and that image is 60 MB in size you will save 9*60 = 540 MB of real RAM when running your lab. Ghostios is enabled, by default, in GNS3."

A very useful application indeed. However, after an hour or so of searching, I was unable to find any information about the ghostsize option or its syntax, so I had no other option but to return to using my previous IOS, c3725-advipservicesk9-mz.124-4.T8.bin. I know it is old, but it has been reliable and up to this date, has supported all of the features I have needed, so I'm happy to continue using it.

Update: Please see this page for a fix to this issue.


Sunday, September 18, 2011

Connecting Your PC to Your Virtual GNS3 Routers

Update: Please also see my "Virtual Equipment + Physical Equipment = Big Lab" post for more information.

As you already know, GNS3 allows you to create virtual routers on your PC. What some people struggle with is connecting their physical PC to their virtual GNS3 network. In this blog entry, I'll explain how this can be done using GNS3's cloud object.

Note: Before you make any changes to your PC's routing table (as per the instructions below), please make sure you know what you're doing. Changing the routing table may cause you to lose network connectivity to parts of your network. If this happens to you, rebooting your PC should resolve the issue.

Note: Once the PC is connected to the virtual GNS3 network, it will act as if it were connected to a real network. For example, you will be able to use it as a DHCP server, web server, syslog server, packet sniffer, etc., as well as a normal networked PC.

Note: PC Firewall software as well as Malware Prevention software installed on your PC can prevent this process from working. If you find this guide does not work for you, please disable all Firewall and Malware Prevention software and try again. 

1) First, you'll need to install a loopback adapter on your PC.

2) Next, you'll need to fire up GNS3 as an Administrator. To do this, you have to right click on the GNS3 icon, and select "Run as Administrator".

Note: Using an Administrator account is not enough. You still need to follow the above instruction.

3) Once GNS3 has started, locate the "Cloud" node in the "Node Types" panel and drag it in to the workspace.

4) Double click on the "Cloud" node, then, when the new screen opens click on the "NIO Ethernet" tab. At the top of the screen you'll see the "Generic Ethernet NIO (Administrator access required)" dropdown menu.

Click on the dropdown and select the "MS Loopback Adapter" option, then click "OK".

5) Next, create your GNS3 topology the way you normally would. Give a thought to your IP address plan too.

Note: Make sure your IP address plan does not conflict with the network that your physical PC connects to. Failing to do so may prevent your setup from working.

6) Connect the Cloud node to one of the routers in your topology the same way you connect other devices to one another.

Once you have done the above, your GNS3 topology should look like this:




7) As you can see from the example topology above, the physical PC's address is going to be 10.50.50.2. To configure this, in Windows, navigate to the "Manage Network Connections" settings and locate your "MS Loopback Adapter". Configure the adapter with the above mentioned IP address.

8) Your PC will now be connected to the virtual network. This can be confirmed by sending a couple of pings: 

ping 10.50.50.1

Pinging 10.50.50.1 with 32 bytes of data:
Reply from 10.50.50.1: bytes=32 time=63ms TTL=255
Reply from 10.50.50.1: bytes=32 time=62ms TTL=255
Reply from 10.50.50.1: bytes=32 time=32ms TTL=255
Reply from 10.50.50.1: bytes=32 time=50ms TTL=255

Ping statistics for 10.50.50.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 63ms, Average = 51ms


However, pings to all other virtual network subnets will not work at this stage. This is because your PC will be using the default route configured on your physical network card to try to access these networks. To fix this, continue on to Step 9.

9) What you'll need to do now is install a route on your PC, telling it to route traffic destined to virtual networks through your loopback adapter.

For this example you'd need to issue the following command: 

route add 172.16.15.0 mask 255.255.255.0 10.50.50.2 

Note: You will need to add a route for every subnet you are using in your virtual GNS3 network and point it out of your loopback interface.

Once you have done that, your data will be able to flow freely between the virtual network and your physical PC.

And that's it! You're done!

Here is an example of a Syslog server running on the physical PC. It is receiving log messages from both R1 and R2 (10.50.50.1 and 172.16.15.2 respectively):




Update: Please also see my "Virtual Equipment + Physical Equipment = Big Lab" post for more information.

Update: Please see my new website for a step by step guide, including screenshots and network diagrams.


Tuesday, August 30, 2011

URL Redirects using NAT

In my previous post, "Router URL Filtering using NBAR", I explained how it was possible to block users from accessing websites simply by using NBAR, a class-map and a policy-map.

In this post I'll describe how you can redirect your users' web requests instead of simply blocking them. This time we'll use NAT instead of NBAR.

For this example, let's say you'd prefer everyone on your network to use Google instead of Yahoo, so every time someone goes to Yahoo.com, they'll be redirected to Google.com.au.

To do this, you'll need to obtain the web server IP addresses for both Yahoo and Google. This can be done easily enough with a ping: 

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Pinging google.com.au [74.125.237.51] with 32 bytes of data:


Now all we need to do is put these two IP addresses into a single NAT entry and we're done, like so:

ip nat outside source static 98.137.149.56 74.125.237.51

As mentioned in my previous post however, using IP addresses instead of domain names is not ideal, as large websites such as Google, YouTube, etc., use multiple IP addresses for their websites and therefore the above method will not get you a 100% success rate.


Monday, August 29, 2011

Router URL Filtering using NBAR

There are many ways you can block users from accessing websites they shouldn't be, such as firewalls, proxy servers, DNS servers, etc. However, if you have a small setup, chances are you may not have any of these in place already, and you may be reluctant to add another piece of equipment to your network.

This is where your Cisco router can come to the rescue again.

(Note: No matter how small your network is, it is highly recommended that you do use firewall(s) to protect your network, whether they come in the form of software installed on each PC, or CBAC configured on your border router).

Using NBAR and a policy map, you can have your URL filtering set up in a matter of seconds. Here's an example: 

class-map match-any BLOCKED_SITES
 match protocol http host "*facebook*"
 match protocol http host "*youtube*"
!
!
policy-map DROP_TRAFFIC
 class BLOCKED_SITES
   drop
!
interface Dialer1
 service-policy output DROP_TRAFFIC


The configuration is quite self explanatory.

Step 1: You simply create a class-map and use the "match protocol" command to specify the URLs you'd like to block.

(Note: You can use Regular Expressions to match the URL. This is what the asterisks (*) mean in the example strings above).

Step 2: Create a policy-map that tells the router what to do with traffic that matches the criteria set out by the class-map.

Step 3: Apply the policy-map to your Internet facing interface, in the outbound direction.

You can then verify that your configuration is working by issuing the "show policy-map interface dialer 1" command:

Router#show policy-map interface dialer 1
 Dialer1

  Service-policy output: DROP_TRAFFIC

    Class-map: BLOCKED_SITES (match-any)
      36 packets, 44247 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*facebook*"
        10 packets, 8391 bytes
        5 minute rate 0 bps
      Match: protocol http host "*youtube*"
        26 packets, 35856 bytes
        5 minute rate 0 bps
      drop


Unfortunately, URL filtering is not 100% reliable and can be circumvented quite easily; however, it is a good technique to know nevertheless.

Note: Some people feel that using an outbound ACL on your Internet facing interface is sufficient. However, as the ACL statically defines a public IP address, if the website's IP address changes or if the site is load balanced over several IPs, the ACL will not be sufficient. By applying your filter based on the URL, you can be sure that the site will always be blocked so long as it never changes its name.
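A small parser for the show policy-map interface output above, as an added example (not the blog's or Cisco's code), that turns the counters into a structure and runs the checks you would want before trusting the filter: the class exists, its action is drop, every match criterion has hits, and the per-match packet counts add up to the class total. SAMPLE is the output quoted above; the check names are mine.

```python
"""Parse 'show policy-map interface' output and sanity-check an NBAR URL
filter. Added example, not the blog's or Cisco's code. SAMPLE is the output
quoted in the post."""
import re

SAMPLE = """\
Router#show policy-map interface dialer 1
 Dialer1

  Service-policy output: DROP_TRAFFIC

    Class-map: BLOCKED_SITES (match-any)
      36 packets, 44247 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "*facebook*"
        10 packets, 8391 bytes
        5 minute rate 0 bps
      Match: protocol http host "*youtube*"
        26 packets, 35856 bytes
        5 minute rate 0 bps
      drop
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")
# Only whole-line actions; the 'drop rate 0 bps' inside the rate line is not one.
ACTION_RE = re.compile(r"^\s*(drop|police|shape|set\s+\S+.*)\s*$")


def parse_policy_map(text):
    """Return {class_name: {"mode", "packets", "bytes", "matches", "actions"}}.

    The 'N packets, M bytes' line that follows a Class-map header belongs to
    the class; the one that follows a Match: line belongs to that criterion.
    """
    classes = {}
    current = None
    pending = None  # dict that the next packets/bytes line belongs to
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"mode": m.group(2), "packets": None, "bytes": None,
                       "matches": [], "actions": []}
            classes[m.group(1)] = current
            pending = current
            continue
        if current is None:
            continue  # header lines before the first class
        m = MATCH_RE.match(line)
        if m:
            entry = {"criterion": m.group(1), "packets": None, "bytes": None}
            current["matches"].append(entry)
            pending = entry
            continue
        m = COUNT_RE.match(line)
        if m and pending is not None:
            pending["packets"] = int(m.group(1))
            pending["bytes"] = int(m.group(2))
            pending = None
            continue
        m = ACTION_RE.match(line)
        if m:
            current["actions"].append(m.group(1))
    return classes


def check_filter(classes, class_name="BLOCKED_SITES"):
    """Checks a defender wants before trusting the filter: class present,
    action is drop, each criterion has seen traffic, counters are consistent."""
    cls = classes.get(class_name)
    if cls is None:
        return {"present": False}
    per_match = sum(e["packets"] or 0 for e in cls["matches"])
    return {
        "present": True,
        "drops": "drop" in cls["actions"],
        "all_criteria_hit": all((e["packets"] or 0) > 0 for e in cls["matches"]),
        "counters_consistent": per_match == cls["packets"],
    }


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for name, cls in parsed.items():
        print(name, cls["mode"], cls["packets"], "packets", cls["actions"])
        for e in cls["matches"]:
            print("  ", e["criterion"], e["packets"], "packets")
    print(check_filter(parsed))
```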


Subnetting Made Easy - Formula

I covered subnetting in my earlier posts, Subnetting Made Easy, Part 1 and Subnetting Made Easy, Part 2.

In the latter post, I explained how you can use simple additions or subtractions to work out the First Usable Address, the Last Usable Address and the Broadcast Address of a subnet.

As the post was quite long, I thought I should re-post the formulas in case they got lost in the sea of text.

Here they are:

First Address = Network Address + 1
Broadcast Address = Next Network Address - 1
Last Address = Broadcast Address - 1 

If they make no sense to you, please re-read my previous post.


Sunday, August 28, 2011

Subnetting Made Easy, Part 2

In my previous post, "Subnetting Made Easy, Part 1", I demonstrated the method I use to find the Network Address, First Usable Address, Last Usable Address and Broadcast Address when given any IP address and subnet mask. This time I will demonstrate how this process can also be used when dealing with multiple, consecutive subnets.

To make things easier, I'll use the same setup as last time.

As per my previous blog entry, we found that the network address was 195.70.16.156. We also knew that we were only going to be dealing with the fourth octet as this is a /30 address. We then converted this information into binary format and were left with this:

128 64 32 16  8  4 2 1
SN  SN SN SN SN SN H H
1   0  0  1   1  1 1 1

Now, let's get started on the next part. To put a clear division between the Subnet Bits and the Host Bits, what I like to do is put a line between them, like this:

128 64 32 16  8  4  |  2 1
SN  SN SN SN SN SN  |  H H
1   0  0  1   1  1  |  1 1

Now we can clearly see that the last Subnet Bit is 4. This instantly tells us that if we want to create additional, identical subnets, all of the Network Addresses are going to be 4 apart. To help me better explain what I mean, I'll use the below table.

Legend:
N = Network Address
First = First Usable Address
Last = Last Usable Address
B/C = Broadcast Address
|----------------------
| N | First| Last| B/C|
|----------------------
|   |      |     |    |
|----------------------
|   |      |     |    |
|----------------------

Once again, looking at the previous entry, we found the following information:

Network Address: 195.70.16.156
First Usable Address: 195.70.16.157
Last Usable Address: 195.70.16.158
Broadcast Address: 195.70.16.159


When inserted in to the table, it looks like this:

|----------------------
| N | First| Last| B/C|
|----------------------
|156|  157 | 158 | 159|
|----------------------
|   |      |     |    |
|----------------------

Now, as mentioned above, we know that the subnets are going to be 4 apart. This means all we need to do is add 4 to the current network address, e.g. 156 + 4 = 160. Then, to get the next network address after that, we'd do 160 + 4 = 164. And so on. Using this formula, the table now looks like this:

|----------------------
| N | First| Last| B/C|
|----------------------
|156|  157 | 158 | 159|
|----------------------
|160|      |     |    |
|----------------------
|164|      |     |    |
|----------------------
|168|      |     |    |
|----------------------


Now all we need to do is some more basic maths. Using the following formulas, we can fill in the rest of the table:


First Address = Network Address + 1
Broadcast Address = Next Network Address - 1
Last Address = Broadcast Address - 1


There are two things to note here. As you can see, the Last Address formula requires that you first find out what the Broadcast Address is.

The second thing to note is that the "Next Network Address" that the Broadcast Address formula refers to is the network address of the following subnet. For example, as per the table above, if we were working on the network address 195.70.16.160, we know the next network address is 195.70.16.164.

Speaking of which, let's do that now.

Using the above formulas and the 195.70.16.160 Network Address, this is what we end up with:


First Address = 160 + 1 = 161
Broadcast Address = 164 - 1 = 163
Last Address = 163 - 1 = 162

|----------------------
| N | First| Last| B/C|
|----------------------
|156|  157 | 158 | 159|
|----------------------
|160|  161 | 162 | 163|
|----------------------
|164|      |     |    |
|----------------------
|168|      |     |    |
|----------------------

Then if we do the same for the 195.70.16.164 subnet, this is what we'd end up with:

|----------------------
| N | First| Last| B/C|
|----------------------
|156|  157 | 158 | 159|
|----------------------
|160|  161 | 162 | 163|
|----------------------
|164|  165 | 166 | 167|
|----------------------
|168|      |     |    |
|----------------------

I'll leave the 195.70.16.168 network blank so that you can have a try yourself.

Note: You may notice that all of the numbers are simply four higher than one another each time you go down a row. That only works because the block size of a /30 is 4: with a different subnet mask the step would be different (a /29 steps by 8, a /27 by 32), so it is better to stick with the formulas above, which hold for any mask.

Update

Please see my "Subnetting Made Easy, Part 3" post for more information.

As always, if you have any questions or have a topic that you would like me to discuss, please feel free to post a comment at the bottom of this blog entry, e-mail at myciscolabsblog@gmail.com, or drop me a message on Twitter (@OzNetNerd).

Note: This website is my personal blog. The opinions expressed in this blog are my own and not those of my employer.

Saturday, August 27, 2011

Subnetting Made Easy, Part 1

There is a wide range of techniques people use to work out their network, host and broadcast addresses. I prefer to take the binary approach as I find it the quickest and easiest method, and it is never wrong.

Remember, the four most important things to know about a subnet are the following:

Network Address:
First Usable Address:
Last Usable Address:
Broadcast Address:

Let's say for example, we were given the IP address 195.70.16.159 and told that it is in a /30. This is how I'd go about filling in the template above...

First of all, as IP addresses are 32 bits long, and each octet is 8 bits in length, we know that:
  • Bits 1 to 8 are covered in the first octet.
  • Bits 9 to 16 are covered in the second octet.
  • Bits 17 to 24 are covered in the third octet.
  • Bits 25 to 32 are covered in the fourth octet.
So, as a /30 mask is 30 bits long and 30 falls between 25 and 32, we know the subnet/host boundary is in the fourth octet.

Now, because we know bits 25 to 30 are subnet bits (referred to as SN below), we also know that the remaining two bits, 31 and 32, are host bits (referred to as H below). Here is what it looks like when written down:


25 26 27 28 29 30 31 32
SN SN SN SN SN SN H  H
x  x  x  x  x  x  x  x


Now let's replace the bit numbers with their values:


128 64 32 16  8  4 2 1
SN  SN SN SN SN SN H H
x   x  x  x   x  x x x
 

Now, let's replace the x's with the value of the fourth octet in the address, which in this case, is 159.


128 64 32 16  8  4 2 1
SN  SN SN SN SN SN H H
1   0  0  1   1  1 1 1
 

If you are wondering how I came up with the above, it is very simple. Working from left to right, I checked whether each bit value fits into what is left of 159; if it does, that bit is a 1 and I subtract it, otherwise it is a 0 and I move on to the next bit:
  • Subtract 128 from 159, which left me with 31
  • 64 and 32 are both larger than 31, so those two bits are 0
  • I then subtracted 16 from 31, which left me with 15
  • I then subtracted 8 from 15, which left me with 7
  • I then subtracted 4 from 7, which left me with 3
  • I then subtracted 2 from 3, which left me with 1
  • I then subtracted 1 from 1, which left me with 0

Note: While this may sound overly complicated, it is actually very quick and easy to do when doing it on a piece of paper.

Now, to find out the network address, all we do is add together the values of the SN bits that have a 1 underneath them (128 + 16 + 8 + 4 = 156). The H bits are ignored, which is the same as setting them all to 0.

When you put this 156 after the first three octets of the address, we're left with the Network Address 195.70.16.156.

Now, as we know that the first usable address is always the Network Address plus one, all we need to do is perform the following calculation: (156 + 1 = 157).

This gives us a First Usable Address of 195.70.16.157.

Now let's skip the Last Usable Address for a moment and find the Broadcast Address. The broadcast address is the network address with every H bit set to 1, so all we need to do is add the values of all of the H bits together (regardless of whether they are currently a 1 or a 0) and then add this number to the Network Address. (2 + 1 + 156 = 159).

This gives us a Broadcast Address of 195.70.16.159.

And finally, let's work out the last usable address. This process is similar to finding the First Usable Address, however, instead of adding one to the network address, we actually subtract one from the Broadcast Address. (159 - 1 = 158).

This gives us a Last Usable Address of 195.70.16.158.


And there we have it! Our template is complete. For easy reference, here it is again:

Network Address: 195.70.16.156
First Usable Address: 195.70.16.157
Last Usable Address: 195.70.16.158
Broadcast Address: 195.70.16.159
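The whole procedure from Part 1 (splitting the boundary octet into SN and H bits by repeated subtraction) and Part 2 (stepping through consecutive subnets with the three formulas) as one runnable Python script. This is an added example, not code from the original posts; the function names and the extra test addresses (172.16.37.200/27 and 10.1.2.3/20) are my own, chosen to show the same method working for masks other than a /30 and for a boundary that falls in the third octet.

```python
"""Subnet calculator that follows the octet/bit method from the two posts (added example).

Everything is done with the same arithmetic the posts use by hand: split the octet at
the subnet/host boundary, add up the SN bit values for the network address, set every
H bit to 1 for the broadcast, and step by the block size to reach the next subnet.
"""
from typing import Dict, List, Optional

BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(octet: int) -> List[int]:
    """Write one octet as its eight bits, high to low, by repeated subtraction.

    A bit is 1 when its value fits into what is left of the octet, otherwise 0
    (e.g. 159 -> 128 fits, 64 and 32 do not, 16/8/4/2/1 all fit -> 1 0 0 1 1 1 1 1).
    """
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    bits, remaining = [], octet
    for value in BIT_VALUES:
        if remaining >= value:
            bits.append(1)
            remaining -= value
        else:
            bits.append(0)
    return bits


def parse_ipv4(text: str) -> List[int]:
    octets = [int(part) for part in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {text}")
    return octets


def format_ipv4(octets: List[int]) -> str:
    return ".".join(str(o) for o in octets)


def subnet_info(address: str, prefix: int) -> Dict[str, Optional[str]]:
    """Network, first usable, last usable and broadcast address of address/prefix.

    Each octet is handled the way the posts handle the fourth octet of a /30: octets
    fully inside the prefix are copied as-is, the octet containing the boundary is
    split into SN and H bits, and any octet past the boundary is all host bits.
    """
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    network, broadcast = [], []
    for index, octet in enumerate(parse_ipv4(address)):
        sn_bits = min(8, max(0, prefix - 8 * index))   # SN bits that fall in this octet
        bits = octet_to_bits(octet)
        # Network address: add up the SN bit values that are set to 1.
        net = sum(value for value, bit in zip(BIT_VALUES[:sn_bits], bits[:sn_bits]) if bit)
        # Broadcast address: the network address with every H bit set to 1.
        network.append(net)
        broadcast.append(net + sum(BIT_VALUES[sn_bits:]))
    info: Dict[str, Optional[str]] = {
        "network": format_ipv4(network), "broadcast": format_ipv4(broadcast),
        "first": None, "last": None,
    }
    if prefix <= 30:   # a /31 or /32 has no room for network + broadcast + hosts
        info["first"] = format_ipv4(network[:3] + [network[3] + 1])
        info["last"] = format_ipv4(broadcast[:3] + [broadcast[3] - 1])
    return info


def block_size(prefix: int) -> int:
    """Distance between consecutive network addresses: 2 to the power of the host-bit count."""
    return 2 ** (32 - prefix)


def subnet_table(address: str, prefix: int, rows: int) -> List[Dict[str, Optional[str]]]:
    """The table from Part 2: 'rows' consecutive subnets starting at the address's network.

    The step is the block size, which is why "just add 4" only works for a /30.
    """
    start = parse_ipv4(subnet_info(address, prefix)["network"])
    as_int = (start[0] << 24) | (start[1] << 16) | (start[2] << 8) | start[3]
    table = []
    for n in range(rows):
        value = as_int + n * block_size(prefix)
        if value >= 2 ** 32:
            break                                   # ran off the end of the IPv4 space
        octets = [(value >> shift) & 255 for shift in (24, 16, 8, 0)]
        table.append(subnet_info(format_ipv4(octets), prefix))
    return table


if __name__ == "__main__":
    for row in subnet_table("195.70.16.159", 30, 4):
        print(row)
```

Running it prints the four rows of the Part 2 table, including the 195.70.16.168 row left blank there; `subnet_info("172.16.37.200", 27)` gives 172.16.37.192 / .193 / .222 / .223 with a step of 32, which is the case the note in Part 2 warns about.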

For more subnetting information, please see Subnetting Made Easy, Part 2.


Friday, August 26, 2011

Single Public IP NATing to Multiple Hosts


In my previous blog entry, Multiple Public IP NATing to Multiple Hosts, I described how you can use "one to one" NATing to allocate one public IP address per internal host. This is a great solution for those who have multiple public IPs, however, these usually come at an added monthly cost.

An alternative to this method would be to run your services on different port numbers. For example, if you have three web servers, you could run one on port 80, the next on port 8080 and the last one on port 8081. However, some System Administrators do not like forcing their applications to run on non-standard ports and some applications may not even offer you the option.

So how do we fix this issue you ask? Rather than do the port change on the application(s) themselves, you can simply do it on the router itself. This is a great solution because the applications themselves do not need to be changed and you've got a central point of configuration for all of the port changes. Also, should you decide to invest in additional IP addresses later on down the track, you can migrate the server(s) to their new IP address(es) by simply changing a few lines of configuration.

Using the diagram below, I'll describe how you can achieve this:




Using the "ip nat inside source static tcp/udp" command, we can map port 23 (telnet) on each of the LAN hosts (192.168.45.2, 192.168.45.3 and 192.168.45.4) to a different port on the single public IP, 94.56.43.2 (ports 23, 2300 and 2301 respectively).

R1(config)#do sh run | inc ip nat inside source static
ip nat inside source static tcp 192.168.45.2 23 94.56.43.2 23 extendable
ip nat inside source static tcp 192.168.45.3 23 94.56.43.2 2300 extendable
ip nat inside source static tcp 192.168.45.4 23 94.56.43.2 2301 extendable


What this means is that if we try to telnet to:
  • 94.56.43.2 on port 23, we'll connect to 192.168.45.2
  • 94.56.43.2 on port 2300, we'll connect to 192.168.45.3
  • 94.56.43.2 on port 2301, we'll connect to 192.168.45.4
As mentioned above, the beauty of configuring the port changes on the internet router itself (R1) is that we don't need to force telnet to run on different ports on the LAN hosts (R2, R3 and R4). Bear in mind that each static entry makes that port on the inside host reachable from any address on the internet, so if you only want certain sources to get in, you will still need an access list on R1's outside interface.

Let's look at some examples. Here is R1's NAT table before any traffic has been sent: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---


Now I'll initiate some telnet sessions from R5 (our emulated internet host) to 94.56.43.2 and its multiple ports. I'll start with port 23:

R5#telnet 94.56.43.2 23
Trying 94.56.43.2 ... Open


Now let's take a look at the NAT translation table: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    203.43.94.1:42931  203.43.94.1:42931
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---


Now I'll try ports 2300 and 2301: 

R5#telnet 94.56.43.2 2300
Trying 94.56.43.2, 2300 ... Open
R5#
R5#telnet 94.56.43.2 2301
Trying 94.56.43.2, 2301 ... Open


And now let's take another look at the NAT translation table: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 94.56.43.2:23      192.168.45.2:23    ---                ---
tcp 94.56.43.2:2300    192.168.45.3:23    203.43.94.1:23292  203.43.94.1:23292
tcp 94.56.43.2:2300    192.168.45.3:23    ---                ---
tcp 94.56.43.2:2301    192.168.45.4:23    203.43.94.1:49225  203.43.94.1:49225
tcp 94.56.43.2:2301    192.168.45.4:23    ---                ---



Multiple Public IP NATing to Multiple Hosts

I have seen quite a lot of people ask the question, "how do I NAT multiple public IPs to multiple inside hosts?". I think what confuses most people is when they are given two different subnets. As per the diagram below, R1 has a 203.43.94.x address for its internet connection and a separate 94.56.43.x range of public addresses that it maps to its internal hosts (which themselves use 192.168.45.x addresses).

This type of configuration is known as "one to one" NATing. What it does is statically map an internal host's IP address to an external IP address.

Note:  Please also see my Single Public IP NATing to Multiple Hosts post for a similar setup but using only a single public IP address.

As per the diagram below, the mappings are as follows:
  • R2's Private IP is 192.168.45.2 and its public IP is 94.56.43.2
  • R3's Private IP is 192.168.45.3 and its public IP is 94.56.43.3
  • R4's Private IP is 192.168.45.4 and its public IP is 94.56.43.4
With these mappings, all traffic sent from R2 on to the internet will leave with a source IP address of 94.56.43.2. When traffic is sent from R3 on to the internet, its source IP address will be 94.56.43.3, and so on.

The same is true in reverse. For example, when traffic from the internet is sent to 94.56.43.2, it will be sent to the host with the IP address 192.168.45.2 (R2), when traffic from the internet is sent to 94.56.43.3, it will be sent to the host with IP 192.168.45.3 (R3), and so on.




In the above topology, routers R1 through to R4 are used to emulate a LAN, and the connection between R1 and R5 is used to emulate a standard internet connection.

Please note that routers R2 through to R4 can be replaced by any network enabled device(s). I have only used routers in this example as they are the only devices that can be emulated by GNS3.

As you would on any network host (e.g. a PC, laptop, server, etc), routers R2 through to R4 have basic configurations on them - simply an IP address and a default route pointing to R1's fa0/0 interface. Here is an example of the interface configuration:

R2:

R2#sh run int fa0/0
Building configuration...

Current configuration : 97 bytes
!
interface FastEthernet0/0
 ip address 192.168.45.2 255.255.255.0
 duplex auto
 speed auto
 


R5 also has a basic configuration on it, however, in the real world it would be administered by an ISP so I won't delve in to its setup.

Now let's talk about R1. This is where all the magic happens.

Interfaces fa0/0 and fa0/1 are configured the way you'd expect (note the "ip nat inside" and "ip nat outside" commands):

R1:

interface FastEthernet0/0
 ip address 192.168.45.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.43.94.2 255.255.255.252
 ip nat outside


This is a standard setup for any NAT configuration. Now for the special part: 

ip nat inside source static 192.168.45.2 94.56.43.2
ip nat inside source static 192.168.45.3 94.56.43.3
ip nat inside source static 192.168.45.4 94.56.43.4


It's as simple as that! In case you are unfamiliar with the "ip nat inside source static" command, the first IP address is that of the internal host and the second IP address is the public IP address you'd like to map to it. Note that the 94.56.43.x addresses aren't configured on any of R1's interfaces; the static entries alone are enough for R1 to translate packets addressed to them, provided the upstream router (R5 here, your ISP in the real world) routes that range towards R1.

Now let's take a look at R1's NAT table: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 94.56.43.2         192.168.45.2       ---                ---
--- 94.56.43.3         192.168.45.3       ---                ---
--- 94.56.43.4         192.168.45.4       ---                ---


And now let's send some test traffic and see the results. As R5 is used to emulate an internet host, we'll use it to send test data to the internal hosts through their corresponding public IP addresses.

Here is a ping from R5 to R2's public IP, 94.56.43.2: 

R5#ping 94.56.43.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 94.56.43.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/50/96 ms
R5#


And here is the NAT table on R1: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 94.56.43.2:0      192.168.45.2:0     203.43.94.1:0      203.43.94.1:0
--- 94.56.43.2         192.168.45.2       ---                ---
--- 94.56.43.3         192.168.45.3       ---                ---
--- 94.56.43.4         192.168.45.4       ---                ---


And for the next example, we'll telnet from R5 through to R4: 

R5#telnet 94.56.43.4
Trying 94.56.43.4 ... Open


And here is the NAT table on R1: 

R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 94.56.43.2         192.168.45.2       ---                ---
--- 94.56.43.3         192.168.45.3       ---                ---
tcp 94.56.43.4:23      192.168.45.4:23    203.43.94.1:23781  203.43.94.1:23781
--- 94.56.43.4         192.168.45.4       ---                ---
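To show the two NAT posts' behaviour side by side (the per-port entries of "Single Public IP NATing to Multiple Hosts" and the one-to-one entries above), here is a small Python model of static inside-source NAT. It is an added example, not IOS code or anything from the original posts: the StaticEntry/StaticNat names are my own, the config text is copied from the posts, and the packets (R5 at 203.43.94.1 with the ephemeral ports seen in the NAT tables above) are constructed for the demonstration. It also lists what each entry exposes, which is the check you'd want to do before putting these lines on a real internet-facing router.

```python
"""Simulator for Cisco-style static inside-source NAT (added example, not IOS code).

It models only what the two NAT posts show: static one-to-one entries, static per-port
(tcp/udp) entries, rewriting the destination of packets that arrive on the
'ip nat outside' interface, rewriting the source of packets that arrive on the
'ip nat inside' interface, and the rows that appear in 'show ip nat translations'.
Dynamic NAT and PAT overload are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the configuration lines shown in the two posts.
PORT_CONFIG = """
ip nat inside source static tcp 192.168.45.2 23 94.56.43.2 23 extendable
ip nat inside source static tcp 192.168.45.3 23 94.56.43.2 2300 extendable
ip nat inside source static tcp 192.168.45.4 23 94.56.43.2 2301 extendable
"""
ONE_TO_ONE_CONFIG = """
ip nat inside source static 192.168.45.2 94.56.43.2
ip nat inside source static 192.168.45.3 94.56.43.3
ip nat inside source static 192.168.45.4 94.56.43.4
"""

# (proto, src_ip, src_port, dst_ip, dst_port); the port is 0 for ICMP, as IOS shows it.
Packet = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class StaticEntry:
    proto: Optional[str]            # "tcp"/"udp" for per-port entries, None for one-to-one
    inside_local: str
    inside_global: str
    local_port: Optional[int] = None
    global_port: Optional[int] = None


def parse_static_nat(config_text: str) -> List[StaticEntry]:
    """Parse the 'ip nat inside source static ...' lines as printed by 'sh run'."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        rest = parts[5:]
        if rest and rest[0] in ("tcp", "udp"):
            # ... static tcp <local-ip> <local-port> <global-ip> <global-port> [extendable]
            proto, local_ip, local_port, global_ip, global_port = rest[:5]
            entries.append(StaticEntry(proto, local_ip, global_ip, int(local_port), int(global_port)))
        else:
            # ... static <local-ip> <global-ip>
            local_ip, global_ip = rest[:2]
            entries.append(StaticEntry(None, local_ip, global_ip))
    return entries


class StaticNat:
    def __init__(self, entries: List[StaticEntry]) -> None:
        # Per-port entries are more specific, so they are consulted before one-to-one ones.
        self.entries = sorted(entries, key=lambda e: e.proto is None)
        self.translations: List[Tuple[str, ...]] = []   # rows as in 'show ip nat translations'

    def inbound(self, packet: Packet) -> Optional[Packet]:
        """Packet from the internet side: rewrite the destination, or None if no entry matches."""
        proto, src_ip, src_port, dst_ip, dst_port = packet
        for e in self.entries:
            if e.proto is None and e.inside_global == dst_ip:
                new_ip, new_port = e.inside_local, dst_port          # every port is forwarded
            elif e.proto == proto and e.inside_global == dst_ip and e.global_port == dst_port:
                new_ip, new_port = e.inside_local, e.local_port      # only this port is forwarded
            else:
                continue
            # Outside local == outside global because nothing is translated on the outside.
            self.translations.append((proto, f"{dst_ip}:{dst_port}", f"{new_ip}:{new_port}",
                                      f"{src_ip}:{src_port}", f"{src_ip}:{src_port}"))
            return (proto, src_ip, src_port, new_ip, new_port)
        return None   # no static entry for this destination: the packet is not translated

    def outbound(self, packet: Packet) -> Optional[Packet]:
        """Packet from the LAN side: rewrite the source, or None if no entry matches."""
        proto, src_ip, src_port, dst_ip, dst_port = packet
        for e in self.entries:
            if e.proto is None and e.inside_local == src_ip:
                return (proto, e.inside_global, src_port, dst_ip, dst_port)
            if e.proto == proto and e.inside_local == src_ip and e.local_port == src_port:
                return (proto, e.inside_global, e.global_port, dst_ip, dst_port)
        return None   # a per-port entry covers only that port; other traffic from the host is untouched


def exposed_services(entries: List[StaticEntry]) -> List[str]:
    """Audit view: what an internet host can reach through each static entry."""
    lines = []
    for e in entries:
        if e.proto is None:
            lines.append(f"{e.inside_global} -> {e.inside_local} (every protocol and port)")
        else:
            lines.append(f"{e.proto} {e.inside_global}:{e.global_port} -> {e.inside_local}:{e.local_port}")
    return lines


if __name__ == "__main__":
    nat = StaticNat(parse_static_nat(PORT_CONFIG))
    # R5 (203.43.94.1) telnets to 94.56.43.2 port 2300, as in the port-mapping post.
    print(nat.inbound(("tcp", "203.43.94.1", 42931, "94.56.43.2", 2300)))
    print(nat.translations[0])
    for line in exposed_services(parse_static_nat(ONE_TO_ONE_CONFIG)):
        print(line)
```

Two things worth noticing when you run it: a one-to-one entry forwards every protocol and port to the inside host, whereas a per-port entry forwards only that port and translates nothing else from that host (so other outbound traffic from R3 in the port-mapping setup would need a separate dynamic NAT rule, which neither post covers); and neither form restricts which internet sources may connect, which is a job for an access list on the outside interface.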

