Sunday, April 30, 2017

Why & How to Configure Basic DHCP Snooping?

DHCP Snooping is a security configuration which can be done in switches to mitigate Rouge DHCP attacks. These type of attacks are performed by hackers to spoof DHCP information to carry out man in the middle attacks. Because DHCP is the server which tells hosts about the default gateway, DNS etc attackers can change the traffic flow to go through a bogus gateway which they can capture packets.

To stop this, you can configure DHCP Snooping (DHCP Inspection) to accept the DHCP server packets (Offer, Ack etc) only from trusted ports. In the diagram, you can see the DHCP server (trusted) which is connected to the CORE, and the Rouge DHCP (untrusted) which is connected to the SW.

When you configure DHCP Snooping in a switch, all ports become untrusted. You have to configure the trusted ports manually on the ports where the packets from the trusted DHCP server are receiving. In this topology, they are e0/0 of CORE & e0/0 of SW.

I am using IOS 15.2 & here are the basic essential commands to configure snooping..

Assuming VLANs and trunks are configured correctly;
(Here I have only VLAN 1)


CORE(config)#ip dhcp snooping
CORE(config)#ip dhcp snooping vlan 1
CORE(config)#int e0/0
CORE(config-if)#ip dhcp snooping trust

SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 1
SW(config)#no ip dhcp snooping information option
SW(config)#int e0/0
SW(config-if)#ip dhcp snooping trust

You can also rate limit the incoming DHCP requests coming from DHCP clients per second by issuing additional commands too which will help to prevent DHCP Exhaustion Attacks..
The above commands will get DHCP snooping working basically..

By default, SW will insert DHCP Option 82 into all DHCP packets it receives from the client. Also by default, CORE will drop those packets as soon as it receives them. A switch with DHCP Snooping enabled will drop packets on untrusted ports that contain Option 82 or have a non-zero giaddr (e.g. 0.0.0.0). This is what is seen in debug on CORE when SW sends a DHCPDISCOVER out port e0/0.

Remember that port e0/1 on CORE is an untrusted port for DHCP Snooping, so it drops the packets by default because Option 82 exists. That traffic never makes it to CORE.

The Option 82 helps to deliver the DHCP messages only to the client for which they are intended. It is turned on by default. The way it does it is using The Circuit ID that identifies the port to which the client is connected (the VLAN and the physical port location in a switch) & The Remote ID that identifies the access switch to which the client is connected (by the MAC address of the switch)

To overcome this problem, you can enter the following command on global configuration mode of CORE to allow option 82;
CORE(config)#ip dhcp snooping information option allow-untrusted

And also if you want to allow option 82 in your network and if the DHCP server is a Cisco device (if CORE switch is the DHCP server in this topology), you will have to enter following command on the DHCP server to identify option 82.
CORE(config)#ip dhcp relay information trust-all

Or you can do in on specific interface only by allowing the following command,
CORE(config-if)#ip dhcp relay information trusted

Or you can simply stop SW from inserting option 82 by entering the following command in global configuration mode of SW;
SW(config)#no ip dhcp snooping information option

That's what I have done in the above topology because it is the easiest solution.

If you are just connecting only a one switch to connect both the client PC and the DHCP server (in same broadcast domain) this is not an issue..

Note:
Dropping DHCP server packets is not the only thing DHCP Snooping does.
Inspecting the DHCP client traffic on untrusted ports and verifies it with the mac address table and dropping the traffic if it is not matching is another thing DHCP Snooping does automatically..

Preventive Actions If a Rouge DHCP detected??

Most of the time this can happen accidentally because of an ADSL router etc. In a case like that, you will get a complain from users that they receive a different IP range which causes a communication failure. What you must do is just issue a ipconfig /all in command prompt in Windows PC and see the DHCP server IP and then issue an arp -a to find the mac address of the DHCP server and trace to the port it is connected via the switch command prompt and shut it down..
If you have configured DHCP snooping correctly this won't be an issue..

Saturday, April 22, 2017

Setup PAC Manager on Trusty (Ubuntu 14.04) - Free Alternative to SecureCRT

If you are going to use Linux and free software you will need a SSH client like SecureCRT to access your network devices remotely. SecureCRT is a widely used industrial SSH client but it is not free. Of course you can use the Linux terminal itself but you will face limitations like session management etc. Here is the free solution, PAC Manager.  Actually it is more advanced than SecureCRT..

Be the root user..
sudo su

Enter following commands..
wget -q -O - http://archive.getdeb.net/getdeb-archive.key | sudo apt-key add -

sh -c 'echo "deb http://archive.getdeb.net/ubuntu trusty-getdeb apps" >> /etc/apt/sources.list.d/getdeb.list'

Update the packages list..
apt-get update

Install the PAC Manager..
apt-get install pac

If a dependency problem occurred,
apt-get install -f

Now open the app..





















Click on New Connection & give the ip address and the username, pw.. Save and Close.























Now click on the session name and you will log in..


Installing TeamViewer on Trusty (Ubuntu 14.04)

Download the TeamViewer from their website through your web browser and you can install it via GUI.. My preferred method is to use the CLI..

Be the root 1st..
sudo su

Download TeamViewer 10 from here

Navigate to the directory where it is downloaded and Install the package..
dpkg -i teamviewer-10-0-36281-multi-ubu.deb

If the installation process stopped due to a dependencies problem enter the following command..
apt-get install -f 


Add a Device in Cacti with SNMP v2c & Monitoring

If you want to install Cacti on Trusty (Ubuntu 14.04) workstation, please refer this & if you want to how to add Monitor plugin please refer this.

I am  going to add a Cisco Router..

Log in to Cacti and go to Console -> Devices

Click Add at the upper right side corner..

Now Fill the blanks as following.. (click on the image to view in full size)
























Give the IP address of the Host name..
Tick Monitor Host..
Select ICMP Ping as Downed Device Detection & ICMP Ping as Ping Method..
Select Version 2 as SNMP version..
Give your Community String to SNMP Community..
Hit Save..

Now let's see the router side configuration..

Give the Community String with read-only rights..
R(config)#snmp-server community TEST r0

To allow SNMP traps to be sent to Cacti..
R(config)#snmp-server enable traps
R(config)#snmp-server host <ip address of Cacti> version 2c TEST

Friday, April 21, 2017

Add Monitor Plugin to Cacti on Trusty (Ubuntu 14.04)

Monitor plugin lets you to view the up/down status of your hosts at a glance.. It will sound an alarm when the devices go down using icmp pings or snmp up time..

If you want to install Cacti on Trusty workstation, please refer this.

Be the root user 1st..
sudo su

Get the plugin..
wget "http://docs.cacti.net/_media/plugin:monitor-v1.3-1.tgz"

Rename the downloaded file..
mv plugin\:monitor-v1.3-1.tgz monitor-v1.3-1.tgz

Move the file to the plugins folder..
cp monitor-v1.3-1.tgz /usr/share/cacti/site/plugins

Change the directory to the plugins folder..
cd /usr/share/cacti/site/plugins

Unzip the folder..
tar -zvxf monitor-v1.3-1.tgz

Everything done so far is shown in the following capture...























Now log in to Cacti and go to Console -> Plugin Management
You will see something like below..


You can see the blue icon in actions column.. Click on it



















A new green icon will appear..
Click on it, it will turn to a red icon..



Now the plugin is added.. You will see a new tab for the plugin next to Console & Graphs..

Install Cacti on Trusty (Ubuntu 14.04)

Recently I was trying to create a free Network Administration Workstation for enterprises for a project. If it should be free of course Linux and Free software comes in handy. Also this machine should work 24/7 for years, so for this workstation, I tried with CentOS-07, Ubuntu 16.04, Ubuntu 14.04 aka Trusty.

From the above three, Trusty ends up winning. It was the easiest OS to install packages for this application. So this post is about installing the RRD-Tool (Round Robin Database Tool) Cacti which collects time series data such as network bandwidth, temperature, CPU load of network devices and which is used to monitor up/down status of devices/links with SNMP and which can act as a Syslog server too.. This is the 1st step of creating the Free Network Administration Workstation..

Download the Ubuntu 14.04 desktop from here and install it.
Don't upgrade the system to latest Ubuntu version..

Be the root user 1st..
sudo su

Enter the following commands to upgrade the packages..
apt-get update
apt-get upgrade

Install Apache web server, MySQL database, PHP..
apt-get install apache2 mysql-server php5 libapache2-mod-php5


(click on images to view in full size)

Process will halt to ask for a MySQL root password..








Install RRD-Tool..
apt-get -y install rrdtool

Install SNMP..
apt-get -y install snmp snmpd

Install Cacti..
apt-get -y install cacti cacti-spine


Process will halt again to ask for the configuration parameters for the database..

Select apache2..






Hit Yes..











Enter the MySQL root password you gave in a previous step..









Enter a password for cacti to register with the MySQL database..









Start the SNMP service..
/etc/init.d/snmpd start

Now open the web browser and go to the following link..
http://<ip-address of the Trusty machine>/cacti   or
http://127.0.0.1/cacti


Hit Next..














Hit Next..








Hit Finish..

































Enter the username: admin
                password: admin

It will then ask to reset the password..

Now you can give the password you want..


















To speed up the Poller process, select spine from Console -> Cacti Settings -> Poller



















Note:- Do not update the system by update notifications. It will stop your SNMP function.
After the Cacti installation, go to System Settings > Software Updates > Updates and set it to be like the following to stop further unnecessary interrupting updates..


Thursday, April 13, 2017

Put Several Router Interfaces in Same Subnet (BVI Configuration of IOS)

For some network designs, you may need to put 2 or more interfaces on a same router to operate in one subnet. Example situations are redundant high availability links, ip saving (point-to-point links) etc.. You can do this by creating a BVI (Bridge Virtual Interface) in IOS..

VLAN 10 is created in both SW1 & SW2 as the subnet of 192.168.10.0/24 & the interface IPs of SW1 & SW2 for VLAN 10 are 192.168.10.1 & 192.168.10.2 respectively..

VLAN 10 is allowed in the trunk links in between 2 switches and e0/0 port of both switches are access ports for VLAN 10..


Now let's move on with R1's configuration..



1. Enable Integrated Routing & Bridging
R1(config)#bridge irb

2. Specify Spanning Tree Protocol for this BVI
R1(config)#bridge 10 protocol ieee

10 is the BVI number..

3. Specify Protocol to be Routed in this BVI
R1(config)#bridge 10 route ip

4. Configure IP for this BVI
R1(config)#int bvi 10
R1(config-if)#ip address 192.168.10.3 255.255.255.0

When you give an IP to the BVI, it will create a MAC address for that and put it in ARP table..









5. Assign Physical Ports to the BVI
R1(config)#int e0/0
R1(config-if)#bridge-group 10

R1(config)#int e0/1
R1(config-if)#bridge-group 10

BVI configuration is now over.. Even though R1's e0/0 port fails switches can access the router interface from R1's e0/1 port via the same IP..

Configuring HSRP & DHCP to Work Together

If you are going to setup DHCP on HSRP configured switches / routers, here are the things to consider..

Set up is simple.
VLAN 10 - 192.168.10.0/24 is configured in both core switches and both are in same HSRP cluster and the virtual IP is 192.168.10.1 which is the gateway for PCs.

Interface IPs of VLAN 10 for CORE1 & CORE2 are 192.168.10.2 & 192.168.10.3 respectively.

DHCP is to be configured on both switches for VLAN 10.

In a situation like this, you must split the DHCP pool in to 2 portions and you must exclude the 1st portion from the 2nd and the 2nd portion from the 1st.

Let's see why.. In order to see what will happen if not, let's configure and find out..

You can see my DHCP configuration from the following captures. (click on the images to full size)

I have configured DHCP identically on both switches.
Also I have excluded only the interface VLAN IPs & the virtual IP.




Let's power on the PC1 and see what happens. (still PC2 not powered on..)

PC1 has acquired an IP which is 192.168.10.4


Let's see who released the IP..








As you can see, CORE2 is the one who has released the IP..
Let's see who is the active switch in HSRP cluster..







As you can see from the output of CORE2, CORE1 is the active switch. CORE2 is the standby switch but CORE2 was the one who released the IP to PC1.

This means there is no connection of HSRP and DHCP. 1st DHCP server which responded to the DHCP discover packets will be the DHCP server to the client PCs. 

If the next PC got DHCP offers by the CORE1, IP conflict can happen because CORE1 does not know which IPs were released by CORE2. That's why we have to split the dhcp pool in to 2 portions..

Let's power down CORE2 and power up PC2, so that PC2 can only acquire IPs from CORE1..




Now you can see a DHCP address conflict error appeared. CORE1 is offering the 192.168.1.4 IP which is the 1st IP to release without knowing it is used by another PC..
But it will release the next IP available in the pool to the PC2 without much trouble..






You can see the conflicts from show ip dhcp conflict command..

Conclusion:-
Correct DHCP configuration will be like the following for both switches..










Even though this will stop the conflicts for a while, when these switches reboot, they will not know the leased IPs and starts conflicts again though the gateway functions well by HSRP.. So still the best option is to use a dedicated DHCP server cluster..

Tuesday, April 11, 2017

Monitoring & Controlling IP Phones Remotely

Here is a free 3rd party troubleshooting tool which can be used to monitor and take control of a Cisco IP phone remotely. As a network administrator, you will need this to test the functionality of the phones you manage. I got to know about it recently & thought to share how I use this interesting app..

Note:- Only following Cisco IP phone models will be supported..
6921, 6941, 6945, 6961, 7911, 7921, 7925, 7926, 7931, 7937, 7940, 7941, 7942, 7945, 7960, 7961, 7962, 7965, 7970, 7971, 7975, 8961, 9951, 9971

Enable Services
Go to Cisco Unified Serviceability page and go to Tools > Service Activation
Make sure the following services are enabled..
Cisco Call Manager
Cisco TFTP
Cisco CTI Manager
Cisco AXL Web services
Cisco Call Manager SNMP service

SNMP Configuration
Now go to Cisco Unified Serviceability > SNMP V1/V2c > Community String
Select your server from the drop down menu and click find..
Click add new to create a new community string or you can use existing string if available.
If you are creating a new string, select ReadNotifyOnly or ReadOnly from access privileges.
Just remember the string you gave..

Create Application User
Now go to Cisco Unified CM Administration page & go to User Management > Application User
Create a new user with an ID & a password. These settings will be used to log into the app later..
This is where you add phones which you want to control.
Click Find More Phones button in the device information area and select and add phones which you need to control..
After adding any phone, save it.. (click on the images to see in full size)


















Download & Install the App
Go to https://support.singlewire.com/s/software-downloads/a17C0000008Db3aIAC and download the app. It is completely free for everyone.. (singlewire.com)

If you are using Windows 10 like me, may be it will not install properly just by double clicking the .exe file. Instead it will display the error "Installer UI Mode Error"

If so right click and go to Properties > Compatibility & tick and select Run this program in compatibility mode for Windows 7











After installation completes it will ask you to enter the license key. It is in your downloaded folder. Open it..













Configuring & Using the App

Now go to Edit Preferences 1st.
Provide the required fields..
Here is the place you will enter the Community String..




Now you should be able to control the phones you added at the Application User page by just giving the ip address of the phone.

You can get the IP of the phone from CUCM..





Here is a 7945 phone I tested..
When ever you want to take control of a phone, what you should do is to add the phone to application user and give the IP of the phone to the app..

Monday, April 10, 2017

How Proxy Settings in Web Browsers Works?

Normally what a proxy doing is just hiding your identity to the outside world. It can also be used to filter traffic by deep packet inspection. In your enterprise a firewall will do this too. This post is about the proxies we deploy in a server in your LAN which will allow you to access internet via a web browser.

In the 1st capture you can see the normal traffic path to internet from user's PC. What a network administrator does is that he will block all the traffic to internet via an Access List etc and will only allow the proxy server IP to reach out to internet.

So if you hit a ping to a server at internet will be dropped and a trace route will be dropped at 192.168.1.254

So when the LAN user needs to access the internet, network admin will configure proxy settings in your web browser. What he will do actually is he will give the proxy server IP and the port number in advanced settings in web browser. After that the user will be able to browse internet from that web browser only because only those traffic will be directed to the proxy by the PC.

For the internet traffic from the configured web browser will be like in the 2nd capture. The gateway will see they are generating from proxy server it self.

Still pings and trace routes from PC command prompt will be dropped at 192.168.1.254 because those traffic will not be forwarded to the proxy.