
Configuring a VTP domain on Cisco switches

3/15/2015

VTP domains allow you to manage all of your VLANs from a central switch. This can be a great tool if you are dealing with a large number of VLANs spread out over multiple switches. There are a couple of issues that you must be careful of when you implement a VTP domain, which I will go over shortly.

The first requirement is to make sure that your trunks between switches are up and working.

C3750-Payment#show interface trunk

And the output should look something like:

C3750-Payment#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa2/0/48    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa2/0/48    1-4094

Port        Vlans allowed and active in management domain
Fa2/0/48    1-2,4,6,8,10,12,16-37,102-103,256-258

Port        Vlans in spanning tree forwarding state and not pruned
Fa2/0/48    1-2,4,6,8,10,12,16-37,102-103,256-258


If no ports are listed as trunks, that needs to be fixed before proceeding. Now that we know the switches are communicating, we can look at the current VTP configuration.

C3750-Payment#show vtp status

And you should get:

C3750-Payment#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x18 0x17 0xE9 0x22 0x49 0x96 0x0C 0x7E
Configuration last modified by 10.10.10.20 at 3-1-93 00:03:25

If the VTP Operating Mode is not "Transparent" on all of the switches, set it to transparent on each one to prevent problems later.

C3750-Payment(config)#vtp mode transparent

This will reset the Configuration Revision to 0. It is very important that all switches have the configuration revision reset!

Now, on the switch that you want to be the VTP server, set the domain and password, and then change it to server mode.

C3750-Payment(config)#vtp domain Test
VTP domain Test modified
C3750-Payment(config)#vtp password Testpassword
C3750-Payment(config)#vtp mode server
Setting the device to VTP SERVER mode

Make sure all of the VLANs that you need are on this switch. Once they are, set up the other switches as clients.

C3750-Client(config)#vtp domain Test
Changing VTP domain name from NULL to Test
C3750-Client(config)#vtp password Testpassword
C3750-Client(config)#vtp mode client
Setting device to VTP CLIENT mode

Check the VTP status on the client to confirm the mode has changed and the VLANs have been learned from the server.

C3750-Client#show vtp status
VTP Version : 2
Configuration Revision : 62
Maximum VLANs supported locally : 1005
Number of existing VLANs : 38
VTP Operating Mode : Client
VTP Domain Name : Test
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xCD 0x9D 0xFF 0xC3 0x6F 0x63 0x5F 0xF5
Configuration last modified by 10.10.10.2 at 10-16-07 22:16:43
C3750-Client#show vlan

Everything is now configured. VLAN additions can now be made on the switch that is in server mode, and they will be propagated down to all of the clients.

Adding a switch to an already established VTP domain is basically the same; just make sure to set the switch to transparent mode first. For more details, see Adding a Cisco switch to a VTP domain.

Adding a Cisco switch to a VTP domain

3/15/2015

Adding a switch to a VTP domain is fairly easy to do, but if done incorrectly it can bring down a whole network. Fortunately I have not had this happen to me, but I have heard horror stories. There are a few simple steps to take to make sure everything stays running smoothly.

The very first step, as soon as you are ready to put a new switch on a network and join it to the domain, is to make sure that the VTP mode is set to transparent. Setting the mode to transparent ensures that the "Configuration Revision" is set to 0. If the switch has been used in a lab and has VLANs configured and a configuration revision that is higher than the domain server's, it will overwrite the server and propagate all of its VLANs across the network, even if the switch being added is in client mode.


This is directly taken from Cisco’s website:

A recently added switch can cause problems in the network. It can be a switch that was previously used in the lab, and a good VTP domain name was entered. The switch was configured as a VTP client and was connected to the rest of the network. Then, you brought the trunk link up to the rest of the network. In just a few seconds, the whole network can go down.

If the configuration revision number of the switch that you inserted is higher than the configuration revision number of the VTP domain, it propagates its VLAN database through the VTP domain.

This occurs whether the switch is a VTP client or a VTP server. A VTP client can erase VLAN information on a VTP server. You can tell this has occurred when many of the ports in your network go into the Inactive state but continue to assign to a nonexistent VLAN.


To make sure this does not happen, set the VTP mode to transparent before you connect the switch to the network.


C3750-Client(config)#vtp mode transparent
C3750-Client(config)#exit
C3750-Client#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x18 0x17 0xE9 0x22 0x49 0x96 0x0C 0x7E
Configuration last modified by 10.10.10.20 at 3-1-93 00:03:25

Now that this switch won't overwrite the server, configure the VTP domain and password, and then change the mode to client.


C3750-Client(config)#vtp domain Test
Changing VTP domain name from NULL to Test
C3750-Client(config)#vtp password Testpassword
C3750-Client(config)#vtp mode client
Setting device to VTP CLIENT mode

Show the VTP status to confirm.


C3750-Client#show vtp status
VTP Version : 2
Configuration Revision : 62
Maximum VLANs supported locally : 1005
Number of existing VLANs : 38
VTP Operating Mode : Client
VTP Domain Name : Test
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xCD 0x9D 0xFF 0xC3 0x6F 0x63 0x5F 0xF5
Configuration last modified by 10.10.10.2 at 10-16-07 22:16:43

Then run show vlan and check the output to make sure all the VLANs have propagated.


C3750-Client#show vlan

The only rule you really need when adding switches is to make sure the switch is in TRANSPARENT mode first.
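Both posts above come down to two checks: before a switch is trunked in, its mode must be Transparent (revision 0), and after it is joined, its mode, domain and revision must match the server. The script below is an added example, not code from the posts; it parses "show vtp status" text in the form shown above and applies those two checks. The two status blocks embedded in it are constructed samples (the "Lab" domain name and the domain revision of 40 passed to the pre-check are assumed values); in practice you would paste in the output of the real switch.

```python
import re

# Constructed sample: "show vtp status" from a switch that was used in a lab.
# It is still in Client mode, in another domain, with a high revision, which
# is exactly the kind of switch the posts above warn about.
LAB_SWITCH_STATUS = """\
VTP Version : 2
Configuration Revision : 62
Maximum VLANs supported locally : 1005
Number of existing VLANs : 38
VTP Operating Mode : Client
VTP Domain Name : Lab
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xCD 0x9D 0xFF 0xC3 0x6F 0x63 0x5F 0xF5
Configuration last modified by 10.10.10.2 at 10-16-07 22:16:43
"""

# Constructed sample: the same switch after "vtp mode transparent".
PREPARED_SWITCH_STATUS = """\
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x18 0x17 0xE9 0x22 0x49 0x96 0x0C 0x7E
Configuration last modified by 10.10.10.20 at 3-1-93 00:03:25
"""

# One "Key : Value" line; the key is everything up to the first colon.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_vtp_status(text):
    """Return the fields of 'show vtp status' as a dict of stripped strings."""
    status = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            status[m.group("key")] = m.group("value").strip()
    return status


def precheck_before_connecting(status, domain_revision):
    """Reasons a switch must NOT yet be trunked into the domain (empty = safe).

    A switch whose configuration revision is higher than the domain's replaces
    the server's VLAN database, client or not, so the switch has to be in
    Transparent mode (which resets the revision to 0) before it is connected.
    """
    problems = []
    mode = status.get("VTP Operating Mode", "")
    revision = int(status.get("Configuration Revision", "0"))
    if mode.lower() != "transparent":
        problems.append("mode is %s: set 'vtp mode transparent' first" % (mode or "unknown"))
    if revision != 0:
        problems.append("configuration revision is %d, not 0" % revision)
    if revision > domain_revision:
        problems.append("revision %d is higher than the domain's %d: connecting now "
                        "would overwrite the server's VLAN database" % (revision, domain_revision))
    return problems


def verify_after_join(status, domain, server_revision):
    """Reasons a client has not synchronised with the server (empty = in sync)."""
    problems = []
    if status.get("VTP Operating Mode", "").lower() != "client":
        problems.append("mode is not Client")
    if status.get("VTP Domain Name", "") != domain:
        problems.append("domain name is %r, expected %r"
                        % (status.get("VTP Domain Name", ""), domain))
    if int(status.get("Configuration Revision", "0")) != server_revision:
        problems.append("revision does not match the server's %d" % server_revision)
    return problems


if __name__ == "__main__":
    # The production domain's current revision (40) is an assumed value.
    for name, text in (("lab switch", LAB_SWITCH_STATUS),
                       ("prepared switch", PREPARED_SWITCH_STATUS)):
        problems = precheck_before_connecting(parse_vtp_status(text), domain_revision=40)
        print("%s: %s" % (name, "safe to connect" if not problems else "; ".join(problems)))
```

The pre-check reports all three problems for the lab switch (mode, non-zero revision, revision above the domain's) and nothing for the prepared one; after the join, verify_after_join on the client's fresh "show vtp status" should come back empty.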

Configure SSH Access on an ASA

3/15/2015

If you have recently tried to set up SSH access on a new ASA, it might not have worked the way you wanted. That is because the RSA keys need to be generated first. To do that:

asa(config)# crypto key generate rsa
INFO: The name for the keys will be: 
Keypair generation process begin. Please wait…

And then configure SSH to be allowed from the inside interface:


ssh 0.0.0.0 0.0.0.0 inside

Now you will be able to log in using the default username and password of pix/cisco, or you can configure AAA and set up your own usernames. Doing this will make the pix username no longer work for SSH.

First, a username needs to be created:


username cisco password c1sc0

And then configure AAA:


aaa authentication ssh console LOCAL

Done!

MSS Exceeded Workaround

3/15/2015

After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.

I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:

Dropping TCP packet from outside: to inside: , reason: MSS exceeded, MSS 1260, data 1460

Apparently, this is a new security feature in the 7.0+ code for the ASA. Normally, the client and server exchange their MSS (Maximum Segment Size) while establishing the TCP connection. Once this occurs, neither the client nor the server should send a segment larger than its peer's MSS. However, some HTTP servers ignore the MSS and send packets that are too large, which the ASA then drops.

The workaround for this is to allow the firewall to pass the packets whose data exceeds the MSS. Let's say the IP of the server causing the problems is 192.168.10.9. First, create an access-list for any host accessing that server.

access-list MSS_Exceeded_ACL permit tcp any host 192.168.10.9

Then create a class map that matches it, and a tcp-map that allows packets exceeding the MSS.

class-map MSS_Exceeded_MAP
match access-list MSS_Exceeded_ACL
exit
tcp-map mss-map
exceeded mss allow

Create the policy map.


policy-map MSS_Exceeded_MAP
class MSS_Exceeded_MAP
set connection advanced-options mss-map

Apply the map to the outside interface.

service-policy MSS_Exceeded_MAP interface outside

If there is more than one site, just add the additional sites to the MSS_Exceeded_ACL access list, or change it to allow all sites.


access-list MSS_Exceeded_ACL permit tcp any any

For more information about MSS and logging these events, check out the document from Cisco.
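Before widening the ACL to "any any", it is worth knowing which servers are actually triggering the drops. The script below is an added example, not part of the post: it parses ASA syslog lines of the shape quoted above, counts the "MSS exceeded" drops per sending host, and renders the workaround config from the post with one ACL entry per offending server. The log lines are constructed samples (the addresses are documentation ranges); the "%ASA-4-419001" message id prefix is an assumption from memory of the ASA syslog format and is not something the post states.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the message quoted in the
# post (the post elided the addresses). The message id prefix is assumed.
SAMPLE_LOG = """\
%ASA-4-419001: Dropping TCP packet from outside:192.168.10.9/80 to inside:10.10.10.25/52110, reason: MSS exceeded, MSS 1260, data 1460
%ASA-4-419001: Dropping TCP packet from outside:192.168.10.9/80 to inside:10.10.10.31/49822, reason: MSS exceeded, MSS 1260, data 1460
%ASA-4-419001: Dropping TCP packet from outside:192.168.10.9/443 to inside:10.10.10.25/52111, reason: MSS exceeded, MSS 1260, data 1380
%ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/80 to inside:10.10.10.40/51002, reason: MSS exceeded, MSS 1260, data 1460
%ASA-6-302014: Teardown TCP connection 4112 for outside:192.168.10.9/80 to inside:10.10.10.25/52109 duration 0:00:05 bytes 2201 TCP FINs
"""

# Matches only the "MSS exceeded" drop message; everything else is ignored.
MSS_RE = re.compile(
    r"Dropping TCP packet from (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+), reason: MSS exceeded, "
    r"MSS (?P<mss>\d+), data (?P<data>\d+)")


def parse_mss_drops(log_text):
    """Return one dict per 'MSS exceeded' drop found in the log text."""
    drops = []
    for line in log_text.splitlines():
        m = MSS_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "mss", "data"):
                d[key] = int(d[key])
            drops.append(d)
    return drops


def offending_servers(drops, min_drops=2):
    """Drops per sending host, keeping only hosts seen at least min_drops times.

    The threshold keeps a single stray oversized segment from earning a
    server a permanent exception.
    """
    counts = Counter(d["src"] for d in drops)
    return {ip: n for ip, n in counts.items() if n >= min_drops}


def largest_excess(drops):
    """How far over the negotiated MSS the worst segment was, in bytes."""
    return max(d["data"] - d["mss"] for d in drops) if drops else 0


def build_workaround(servers, acl="MSS_Exceeded_ACL", tcp_map="mss-map",
                     policy="MSS_Exceeded_MAP", interface="outside"):
    """Render the post's ASA config with one ACL entry per offending server."""
    lines = ["access-list %s permit tcp any host %s" % (acl, ip) for ip in sorted(servers)]
    lines += [
        "class-map %s" % policy,
        " match access-list %s" % acl,
        "tcp-map %s" % tcp_map,
        " exceeded mss allow",
        "policy-map %s" % policy,
        " class %s" % policy,
        "  set connection advanced-options %s" % tcp_map,
        "service-policy %s interface %s" % (policy, interface),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOG)
    servers = offending_servers(drops)
    print("%d drops, worst segment %d bytes over MSS" % (len(drops), largest_excess(drops)))
    print(build_workaround(servers))
```

On the sample, 192.168.10.9 is the only host that clears the threshold, so the generated ACL stays scoped to that one server rather than opening the exception to every site.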

Unable to download NAT policy for ACE

3/15/2015

I was working on an ASA config and ran into an interesting error. I needed to not perform NAT on the traffic from the inside LAN to the DMZ. I configured an access-list:

access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.48.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0

And then specified to not perform NAT:

nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0

I then needed to add another line to the InsideNoNAT_ACL, and that is where I received the error.

(config)#access-list InsideNoNAT_ACL extended permit ip 10.0.0.0 255.0.0.0 172.31.3.0 255.255.255.0
Unable to download NAT policy for ACE

All this error message is saying is that the new line was added to the access-list but was not added to the active NAT table. Upon doing some searching, I read in several places that a reboot fixed the problem. While this is true, it is not necessary. All that needs to be done is to remove and reapply the nat statement.

(config)#no nat (inside) 0 access-list InsideNoNAT_ACL
(config)#nat (inside) 0 access-list InsideNoNAT_ACL

This rebuilds the NAT rules and applies all rules in the ACL. Much better than a reload!

Cisco ASA and ICMP Configurations

3/15/2015

As I am sure many of you who have ever worked with a Cisco firewall know, ICMP is not allowed through the firewall by default. If you are just configuring the device, this can make it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.


The easiest way to allow higher security level interfaces to ping/trace route to lower security level interfaces is to configure ICMP in the global inspection policy. This will allow ICMP without having to put in access lists.

This is the default inspection policy on the ASA.

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

To add ICMP to this policy:

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp

To allow ping and trace route from the internet into the DMZ/internal networks, an access-list will need to be created to allow the traffic, as well as NATs to map from the public IP to the internal IP address.

access-list OUTSIDE_IN_ACL permit icmp any any echo

To configure the NAT (this is for versions of ASA before 8.3):

static (dmz,outside) PUBLIC_IP DMZ_IP netmask 255.255.255.255

Of course, you will need to have a static mapping for every server you want to have reachable from the internet.

Author: James Kane, Bit Plumber


© JK Logic, LLC | All Rights Reserved