Thursday, July 30, 2009

PPPOE and L2TP Multihop VPDN

There are many different technologies in broadband access networks, including DSL, cable, Ethernet, wireless, etc. PPPoE is the one commonly used with ADSL by ISPs. L2TP is one of the most widely used protocols in broadband networks; operators and broadband access providers commonly use it to extend their network to an ISP on a wholesale basis.

Below are the basic concepts and the configuration needed to implement them. The lab uses Windows XP on the PC as the PPPoE client, a Cisco 2600 as the LAC (vpn-server), a 7200 as the LNS (isg-dev2), and a second 7200 as LNS-2 (isg2-jtpd), which terminates the PPP session from the PC.



The PC connects over PPPoE with a username in the @imm.com domain. vpn-server accepts the PPPoE request and forwards the PPP session over L2TP to the LNS (ISG-DEV2), selecting the tunnel by domain. The LNS then forwards the PPP session over L2TP multihop to LNS-2, selecting the tunnel by the multihop LAC hostname. LNS-2 terminates the PPP session and assigns the user an IP address.




DIAGRAM :





CONFIGURATION :

1. pppoe :

VPN-SERVER#

!
vpdn-group pppoe
accept-dialin
protocol pppoe
virtual-template 15
lcp renegotiation always
!


2. VPDN Tunnel Switching :

VPN-SERVER#
!
vpdn search-order domain
!
vpdn-group 1
request-dialin
protocol l2tp
domain imm.com
initiate-to ip 11.0.0.1
local name lac
no source vpdn-template
l2tp tunnel password peditea
!

ISGDEV2#

vpdn-group multihop-in
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname lac
local name lns-multi
l2tp tunnel password 0 peditea

3. VPDN MULTIHOP (L2TP)

ISGDEV2#
!
vpdn multihop
vpdn search-order multihop-hostname
!
vpdn-group multihop
request-dialin
protocol l2tp
multihop hostname lac
initiate-to ip 192.168.89.6
local name lns-multi
l2tp tunnel password 0 peditea
!

ISG-JTPD#
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname lns-multi
local name lns-server
l2tp tunnel password 0 peditea
!
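As an added example (not part of the original post and not Cisco code), the following Python models the tunnel-switching decisions the three boxes above make: the LAC picks its request-dialin group by the username's domain, each LNS matches an accept-dialin group by the peer's hostname and compares the tunnel password, and an LNS with vpdn multihop re-originates the session by the hostname of the LAC it came from. The mapping of initiate-to addresses to devices is an assumption taken from the diagram.

```python
# Constructed model of the tunnel-switching path in the lab above: the dicts
# mirror the vpdn-groups on the page.  ADDRESS_TO_DEVICE (which box answers at
# each initiate-to address) is an assumption; none of this is IOS code.
DEVICES = {
    "vpn-server": {"multihop": False, "groups": [
        {"name": "1", "type": "request-dialin", "domain": "imm.com",
         "initiate_to": "11.0.0.1", "local_name": "lac", "password": "peditea"}]},
    "isgdev2": {"multihop": True, "groups": [
        {"name": "multihop-in", "type": "accept-dialin", "terminate_from": "lac",
         "local_name": "lns-multi", "password": "peditea"},
        {"name": "multihop", "type": "request-dialin", "multihop_hostname": "lac",
         "initiate_to": "192.168.89.6", "local_name": "lns-multi", "password": "peditea"}]},
    "isg-jtpd": {"multihop": False, "groups": [
        {"name": "1", "type": "accept-dialin", "terminate_from": "lns-multi",
         "local_name": "lns-server", "password": "peditea"}]},
}
ADDRESS_TO_DEVICE = {"11.0.0.1": "isgdev2", "192.168.89.6": "isg-jtpd"}


def _find(device, **match):
    """First vpdn-group on `device` whose keys all equal the given values, else None."""
    for g in DEVICES[device]["groups"]:
        if all(g.get(k) == v for k, v in match.items()):
            return g
    return None


def resolve_path(username):
    """Return the (device, vpdn-group) hops a PPP session for `username` takes,
    ending at the LNS that terminates it.  Raises ValueError where the real
    tunnel setup would fail: no group for the domain, no accept-dialin group
    for the peer's hostname, or a tunnel password mismatch."""
    domain = username.rsplit("@", 1)[1] if "@" in username else ""
    out = _find("vpn-server", type="request-dialin", domain=domain)  # search-order domain
    if out is None:
        raise ValueError(f"vpn-server: no vpdn-group for domain '{domain}'")
    path = [("vpn-server", out["name"])]
    while True:
        peer = ADDRESS_TO_DEVICE[out["initiate_to"]]
        inbound = _find(peer, type="accept-dialin", terminate_from=out["local_name"])
        if inbound is None:
            raise ValueError(f"{peer}: no accept-dialin group for hostname '{out['local_name']}'")
        if inbound["password"] != out["password"]:
            raise ValueError(f"{peer}: l2tp tunnel password mismatch with {out['local_name']}")
        path.append((peer, inbound["name"]))
        # With 'vpdn multihop' and search-order multihop-hostname, an LNS
        # re-originates the session by the hostname of the LAC it came from.
        nxt = (_find(peer, type="request-dialin", multihop_hostname=out["local_name"])
               if DEVICES[peer]["multihop"] else None)
        if nxt is None:
            return path                # this LNS terminates the PPP session
        path.append((peer, nxt["name"]))
        out = nxt


def describe(username):
    """One-line summary of the path, or the reason the session would fail."""
    try:
        return " -> ".join(f"{dev}:{grp}" for dev, grp in resolve_path(username))
    except ValueError as err:
        return "FAIL: " + str(err)
```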

VERIFYING :



VPN_SERVER#sh vpdn

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  RemID  Remote Name  State  Remote Address  Port  Sessions  VPDN Group
3402   65399  lns-multi    est    11.0.0.1        1701  1         1

LocID  RemID  TunID  Intf         Username      State  Last Chg  Uniq ID
964    33172  3402   SSS Circuit  -imm@imm.com  est    00:00:14  344


ISGDEV2#sh vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 2

LocTunID  RemTunID  Remote Name  State  Remote Address  Sessn Count  L2TP Class/VPDN Group
30787     61466     lns-server   est    192.168.89.6    1            multihop
65399     3402      lac          est    11.0.0.2        1            multihop-in


ISG2-JTPD#sh vpdn

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  RemID  Remote Name  State  Remote Address  Port  Sessions  L2TP Class/VPDN Group
61466  30787  lns-multi    est    192.168.89.3    1701  1         1

LocID  RemID  TunID  Username, Intf/Vcid, Circuit  State  Last Chg  Uniq ID
8      10696  61466  -imm@imm.com, Vi3             est    00:01:03  491


Reference : http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_understanding_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1049344

Wednesday, July 29, 2009

Point-to-Point Protocol over Ethernet - using windows & cisco

PPPoE is a network protocol for encapsulating PPP frames in Ethernet. It is one of the dial technologies, alongside PPTP and L2TP. It is usually used in ADSL networks: the subscriber connects to the Internet provider using their credentials (username and password). PPPoE works at layer 2, while PPTP works at layer 3.

What I want to show you is the basic configuration using Windows as a PPPoE client and a Cisco 2600 as the PPPoE server.

Here is the diagram :

-----------------------------------------------------------------------------------------------------------------


-----------------------------------------------------------------------------------------------------------------

1. Create Virtual-Template :

VPN_SERVER(config)# interface Virtual-Template1
VPN_SERVER(config-if)# ip unnumbered FastEthernet0/1.81
VPN_SERVER(config-if)# ip tcp adjust-mss 1460

2. Enable VPDN and create the vpdn-group :


VPN_SERVER(config)# vpdn enable
VPN_SERVER(config)# vpdn-group pppoe
VPN_SERVER(config-vpdn)# accept-dialin
VPN_SERVER(config-vpdn-acc-in)# protocol pppoe
VPN_SERVER(config-vpdn-acc-in)# virtual-template 1
VPN_SERVER(config-vpdn-acc-in)# exit
VPN_SERVER(config-vpdn)# lcp renegotiation always

3. Configure authentication & ip address pool :

Enable AAA and method-list :

VPN_SERVER(config)# aaa new-model
VPN_SERVER(config)# aaa authentication ppp default local
VPN_SERVER(config)# aaa authorization network default local

Create Username :

VPN_SERVER(config)# username fadly password 0 cisco

Create Ip pool :

VPN_SERVER(config)# ip local pool vpn_sce 192.168.100.1 192.168.100.100

Enable ppp authentication and assign pool :

VPN_SERVER(config)# interface Virtual-Template1
VPN_SERVER(config-if)# peer default ip address pool vpn_sce
VPN_SERVER(config-if)# ppp authentication pap chap

4. Enable PPPoE on the interface :

VPN_SERVER(config)# interface FastEthernet0/0
VPN_SERVER(config-if)# ip address 172.16.0.11 255.255.128.0 secondary
VPN_SERVER(config-if)# pppoe enable

5. Create the PPPoE client and dial from Windows XP :

6. Verify the PPPoE session :

VPN_SERVER#sh user
    Line       User       Host(s)              Idle       Location
*  66 vty 0    fadly      idle                 00:00:00   172.16.0.134

  Interface    User               Mode         Idle     Peer Address
  Vi1.1        fadly              PPPoE        00:00:00 192.168.100.5

VPN_SERVER#


VPN_SERVER#sh vpdn

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Session Information
UID   SID   RemMAC           OIntf   Intf    Session
            LocMAC                   VASt    state
278   841   0090.f55d.6dbc   Fa0/0   Vi1.1   CNCT_PTA
            000d.bd6c.3fc0           UP


VPN_SERVER#

VPN_SERVER#sh sss session
Current SSS Information: Total sessions 1

Uniq ID Type State Service Identifier Last Chg
278 PPPoE/PPP connected Local Term fadly 00:04:18


It is very straightforward :)



Tuesday, July 28, 2009

Basic PIX firewall configuration

This is the basic PIX firewall configuration and the concept behind it.

A firewall is a networking device that protects a private network from unauthorized Internet users. The PIX models the inside (private) network and the outside (Internet) by assigning each interface a security level: the outside interface has security level 0 and the inside interface has security level 100. By default, traffic arriving on a lower security level interface is not allowed to pass to a higher security level interface. The rule can be modified with access lists to let traffic flow from the outside interface to the inside interface.


Diagram :



Basic Configuration

1. Set the hostname :

pixfirewall# configure terminal
pixfirewall(config)#hostname pix-jtpd


2. Set the password :

Login password :
pix-jtpd(config)# password cisco

Enable password :
pix-jtpd(config)# enable password cisco

3. Verify the security levels :

pix-jtpd# show nameif
Interface Name Security
Ethernet0 outside 0
Ethernet1 inside 100
pix-jtpd#

4. Set ip address :

interface Ethernet0
nameif outside
security-level 0
ip address 192.168.78.182 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.78.186 255.255.255.252

Verify interface ip address :

pix-jtpd# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.78.182 YES manual up up
Ethernet1 192.168.78.186 YES manual up up
pix-jtpd#

Ping back to back ip address :

pix-jtpd# ping 192.168.78.181
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.181, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pix-jtpd# ping 192.168.78.185
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.185, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pix-jtpd#

5. Configure default route

pix-jtpd(config)# route outside 0.0.0.0 0.0.0.0 192.168.78.181 1

pix-jtpd# show ip route
C 192.168.78.180 255.255.255.252 is directly connected, outside
C 192.168.78.184 255.255.255.252 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.78.181, outside
pix-jtpd#

6. Configure NAT and define the subscriber network :

a. Set ip address to name :
pix-jtpd(config)# name 192.168.32.0 subscriber

b. Set subscriber route :
route inside chat-subs 255.255.255.0 192.168.78.185 1

c. Setting nat :
inside network :
pix-jtpd(config)# nat (inside) 1 chat-subs 255.255.255.0
pix-jtpd(config)# nat (inside) 1 192.168.78.184 255.255.255.252

global network :
global (outside) 1 192.168.78.188 netmask 255.255.255.255

NOTE : a route towards the global (outside) address must also be configured on the PE.

d. Verify that NAT is working :

pix-jtpd# sh xlate
94 in use, 3299 most used
PAT Global 192.168.78.188(1095) Local 192.168.32.30(2182)
PAT Global 192.168.78.188(1053) Local 192.168.32.30(59266)
PAT Global 192.168.78.188(1052) Local 192.168.32.30(65524)
PAT Global 192.168.78.188(1051) Local 192.168.32.30(50954)

7. Making Rule / Access-list

Setting ACL :

pix-jtpd(config)# access-list acl_grp extended permit icmp any any
pix-jtpd(config)# access-list acl_grp extended permit tcp any any
pix-jtpd(config)# access-list acl_grp extended permit ip any any

Apply to the interface :

pix-jtpd(config)# access-group acl_grp in interface outside
pix-jtpd(config)# access-group acl_grp in interface inside
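The ACL in step 7 ends with permit ip any any and is applied inbound on outside, which overrides the default lower-to-higher block described at the top of this post. As an added example (not from the original post and not PIX code), the Python below models how a flow is judged against the security levels and an inbound access-group, and contrasts the page's ACL with a constructed tighter one; NAT, xlate requirements and stateful return traffic are deliberately left out of the model.

```python
import ipaddress


class Pix:
    """Constructed model of the PIX default rule (higher security level may reach
    lower, not the reverse) and of an inbound access-group overriding it."""

    def __init__(self, levels):
        self.levels = dict(levels)   # interface name -> security level
        self.acls = {}               # acl name -> [(action, proto, src_net, dst_net)]
        self.bound = {}              # interface name -> acl applied inbound

    def configure(self, line):
        t = line.split()
        if t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            self.acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            self.bound[t[4]] = t[1]
        else:
            raise ValueError("unsupported line: " + line)

    def allowed(self, ingress, egress, proto, src, dst):
        """Would a packet entering `ingress` and leaving `egress` be forwarded?"""
        acl = self.bound.get(ingress)
        if acl is None:              # no ACL: only the security-level rule applies
            return self.levels[ingress] > self.levels[egress]
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, p, sn, dn in self.acls[acl]:
            if p in ("ip", proto) and s in sn and d in dn:
                return action == "permit"   # first matching entry wins
        return False                        # implicit deny at the end of the ACL


def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def build(lines):
    pix = Pix({"outside": 0, "inside": 100})   # levels from 'show nameif' above
    for line in lines:
        pix.configure(line)
    return pix


# The ACL exactly as configured on the page.
PAGE_ACL = [
    "access-list acl_grp extended permit icmp any any",
    "access-list acl_grp extended permit tcp any any",
    "access-list acl_grp extended permit ip any any",
    "access-group acl_grp in interface outside",
    "access-group acl_grp in interface inside",
]
# Constructed alternative: from outside, only ICMP towards the subscriber network.
TIGHT_ACL = [
    "access-list acl_out extended permit icmp any 192.168.32.0 255.255.255.0",
    "access-group acl_out in interface outside",
]
```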

Have a good try :D

Dhcp Fixed Address

Some hosts require a fixed IP address, for example web servers and printers. A host that needs a fixed address is mapped to its MAC address. This is a sample DHCP server configuration :

root@fadly-desktop:~# vi /etc/dhcp3/dhcpd.conf

host fadly {
hardware ethernet 00:90:F5:5D:6D:BC;
fixed-address 192.168.78.206;
}

subnet 192.168.78.204 netmask 255.255.255.252 {
option broadcast-address 192.168.78.207;
option routers 192.168.78.205;
option subnet-mask 255.255.255.252;
}

# DNS server handed to clients; domain-name takes a quoted text string, so the option meant here is domain-name-servers
option domain-name-servers 202.155.0.10;

Friday, July 17, 2009

Cisco - Linux Dhcp-relay setting

This is the configuration of a Cisco router as DHCP relay and a Linux host as DHCP server.

Diagram :
----------------------------------------------------------------------------------------------------------------------------------------


----------------------------------------------------------------------------------------------------------------------------------------

1. Interface configuration :

!
interface GigabitEthernet0/0.11
description ### Test Internet ###
encapsulation dot1Q 11
ip dhcp relay information trusted
ip dhcp relay information option vpn-id none
ip vrf forwarding vpn_internet
ip address 192.168.78.201 255.255.255.252
ip helper-address 192.168.78.198
end

----------------------------------------------------------------------------------------------------------------------------------------

Config note :

ip dhcp relay information trusted

Usage Guidelines

By default, if the gateway address is set to all zeros in the DHCP packet and the relay information option is already present in the packet, the Cisco IOS DHCP relay agent will discard the packet. If the ip dhcp relay information trusted command is configured on an interface, the Cisco IOS DHCP relay agent will not discard the packet even if the gateway address is set to all zeros. Instead, the received DHCPDISCOVER or DHCPREQUEST messages will be forwarded to the addresses configured by the ip helper-address command as in normal DHCP relay operation.


ip dhcp relay information option vpn-id


To enable the system to insert VPN suboptions into the DHCP relay agent information option in forwarded BOOTREQUEST messages to a DHCP server and set the gateway address to the outgoing interface toward the DHCP server, use the ip dhcp relay information option vpn-id command in interface configuration mode. To remove the configuration, use the no form of this command.


Reference : http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_dhc2.html#wp1012293

2. Edit dhcp configuration :

root@desktop:# vi /etc/dhcp3/dhcpd.conf

ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

#authoritative;

log-facility local7;

option subnet-mask 255.255.255.252;
option broadcast-address 192.168.78.203;
option routers 192.168.78.201;

subnet 192.168.78.200 netmask 255.255.255.252 {
range 192.168.78.202;
}


3. Check the log :

Jul 15 18:17:22 -desktop dhcpd: DHCPDISCOVER from 00:0a:e4:36:03:a0 via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPOFFER on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPREQUEST for 192.168.78.202 (192.168.78.198) from 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPACK on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:25 -desktop dhcpd: DHCPREQUEST for 192.168.78.202 from 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via eth1
Jul 15 18:17:25 -desktop dhcpd: DHCPACK on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via eth1
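As an added example (not part of the original post), this Python script parses dhcpd log lines like the ones above, reconstructs the DISCOVER/OFFER/REQUEST/ACK exchange per client MAC, and flags a lease that is outside the relayed subnet or that arrived via a relay other than the router's 192.168.78.201 interface. The six lines from the page are embedded as the sample; the seventh line is a constructed rogue case.

```python
import ipaddress
import re

# Constructed sample: the six dhcpd lines from the page plus one made-up line
# for a second client that is acknowledged an address outside the subnet.
SAMPLE_LOG = """\
Jul 15 18:17:22 -desktop dhcpd: DHCPDISCOVER from 00:0a:e4:36:03:a0 via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPOFFER on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPREQUEST for 192.168.78.202 (192.168.78.198) from 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPACK on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:25 -desktop dhcpd: DHCPREQUEST for 192.168.78.202 from 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via eth1
Jul 15 18:17:25 -desktop dhcpd: DHCPACK on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via eth1
Jul 15 18:20:01 -desktop dhcpd: DHCPACK on 10.9.9.9 to 00:11:22:33:44:55 (ROGUE-HOST) via 192.168.78.201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: (?P<msg>DHCP[A-Z]+) (?P<body>.*) via (?P<via>\S+)$")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")
IP_RE = re.compile(r"\b(?:on|for) (\d+\.\d+\.\d+\.\d+)")


def parse(log):
    """Yield (ts, msg, mac, ip, via) per dhcpd line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac = MAC_RE.search(m["body"])
        ip = IP_RE.search(m["body"])
        yield (m["ts"], m["msg"], mac.group(1) if mac else None,
               ip.group(1) if ip else None, m["via"])


def audit(log, subnet="192.168.78.200/30", relay="192.168.78.201"):
    """Group the exchange per client MAC and flag leases that do not fit the
    relay design: an acknowledged address outside `subnet`, or a relayed packet
    whose giaddr ('via <ip>') is not the configured relay interface."""
    net = ipaddress.ip_network(subnet)
    clients = {}
    for ts, msg, mac, ip, via in parse(log):
        c = clients.setdefault(mac, {"messages": [], "ip": None, "relayed": False, "problems": []})
        c["messages"].append(msg)
        if via[0].isdigit():                 # giaddr present: packet came through a relay
            c["relayed"] = True
            if via != relay:
                c["problems"].append(f"unexpected relay {via}")
        if msg == "DHCPACK":
            c["ip"] = ip
            if ipaddress.ip_address(ip) not in net:
                c["problems"].append(f"lease {ip} outside {subnet}")
    dora = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]
    for c in clients.values():
        c["full_dora"] = c["messages"][:4] == dora   # initial exchange seen in order
    return clients
```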

Have a good try.. :)

Wednesday, July 15, 2009

Dynamips Dynagen Tutorial

(First) : Download dynagen at http://dynagen.org

Go to the download menu; you will be redirected to http://sourceforge.net
Under Dynagen source / Linux, click dynagen-0.11.0.tar.gz
Point your mouse at the direct link, right-click and copy the link location : http://downloads.sourceforge.net/sourceforge/dyna-gen/dynagen-0.11.0.tar.gz?use_mirror=nchc

Download from Linux terminal :
root@desktop:~# wget http://downloads.sourceforge.net/sourceforge/dyna-gen/dynagen-0.11.0.tar.gz?use_mirror=nchc


(Second) : Create directory & extract tarball

Create Directory : root@desktop:~# mkdir /home/dynamips
Move source file to dynamips folder : root@desktop:~# mv dynagen-0.11.0.tar.gz /home/dynamips
Extract tarball : root@desktop:~# tar zxvf dynagen-0.11.0.tar.gz
Go to folder : root@desktop:~# cd /home/dynamips/dynagen-0.11.0
Check README file :root@desktop:/home/dynamips/dynagen-0.11.0#more README.txt
----------------------------------------------------------------------------------------------------------------------------------------

This version of Dynagen requires at least version 0.2.8-RC1 of Dynamips

----------------------------------------------------------------------------------------------------------------------------------------

(Third) : Download the dynamips release that matches the dynagen requirement

Go to http://www.ipflow.utc.fr/blog/
point your mouse to this link 0.2.8-RC2 binary for Linux x86 platforms, right click and copy link location
http://www.ipflow.utc.fr/dynamips/dynamips-0.2.8-RC2-x86.bin

Download from Linux terminal :
root@desktop:/home/dynamips/dynagen-0.11.0# wget http://www.ipflow.utc.fr/dynamips/dynamips-0.2.8-RC2-x86.bin

Make the binary executable :
root@desktop:/home/dynamips/dynagen-0.11.0# chmod 777 dynamips-0.2.8-RC2-x86.bin


(Fourth) : Create Symlink (Symbolic link)
Go to folder : cd /usr/bin
symlink using alias for dynamips program : /usr/bin# ln -s /home/dynamips/dynagen-0.11.0/dynamips-0.2.8-RC2-x86.bin dynamips
symlink using alias for dynagen program : /usr/bin# ln -s /home/dynamips/dynagen-0.11.0/dynagen dynagen


(Fifth) : Download, Extract & Copy IOS image
Download IOS (I will not tell you how to get the IOS)
Extract the IOS image so the router boots faster than with a zipped image
Create directory to store IOS :
root@desktop:/home/dynamips/dynagen-0.11.0# mkdir Images
navigate to folder : cd Images
copy IOS file : cp /home/C7200-K9.BIN C7200-K9.BIN

(Sixth) : Running Sample Lab
Go to the sample lab directory : root@desktop:~# cd /home/dynamips/dynagen-0.11.0/sample_labs/simple1
Edit simple1.net : vi simple1.net
----------------------------------------------------------------------------------------------------------------------------------------
[localhost]

[[7200]]
# image = \Program Files\Dynamips\images\c7200-jk9o3s-mz.124-7a.image
# On Linux / Unix use forward slashes:
image = /home/dynamips/dynagen-0.11.0/Images/C7200-K9.BIN
npe = npe-400
ram = 160

[[ROUTER R1]]
s1/0 = R2 s1/0

[[router R2]]
# No need to specify an adapter here, it is taken care of
# by the interface specification under Router R1


# R1 s1/0 ----- R2 s1/0

----------------------------------------------------------------------------------------------------------------------------------------

(Seventh) : Run dynamips instance 7200 in background (&)

root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# dynamips -H 7200 &
[1] 7267
root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# Cisco Router Simulation Platform (version 0.2.8-RC2-x86)
Copyright (c) 2005-2007 Christophe Fillot.
Build date: Oct 2 2008 01:17:18

ILT: loaded table "mips64j" from cache.
ILT: loaded table "mips64e" from cache.
ILT: loaded table "ppc32j" from cache.
ILT: loaded table "ppc32e" from cache.
Hypervisor TCP control server started (port 7200).


(Eighth) : Run Dynagen simple1.net
root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1#dynagen simple1.net

Dynagen management console for Dynamips and Pemuwrapper 0.11.0
Copyright (c) 2005-2007 Greg Anuzelli, contributions Pavel Skovajsa

=> list
Name Type State Server Console
R1 7200 running localhost:7200 2000
R2 7200 running localhost:7200 2001
=>

(Ninth) : Access / Telnet R1 & R2

----------------------------------------------------------------------------------------------------------------------------------------
root@desktop:~# telnet localhost 2000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connected to Dynamips VM "R1" (ID 0, type c7200) - Console port

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int serial 1/0
R1(config-if)#no shutdown

----------------------------------------------------------------------------------------------------------------------------------------

root@desktop:~# telnet localhost 2001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connected to Dynamips VM "R2" (ID 1, type c7200) - Console port

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int serial 1/0
R2(config-if)#no shutdown

----------------------------------------------------------------------------------------------------------------------------------------

R1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Ser 1/0            15          R     7206VXR   Ser 1/0

----------------------------------------------------------------------------------------------------------------------------------------

R2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
R1 Ser 1/0 158 R 7206VXR Ser 1/0

----------------------------------------------------------------------------------------------------------------------------------------
Set ip address :

R1(config)#int ser 1/0
R1(config-if)#ip add 10.1.0.1 255.255.255.0

R2(config)#int ser 1/0
R2(config-if)#ip add 10.1.0.2 255.255.255.0
R2(config-if)#

Ping : R1 to R2

R1#ping 10.1.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

(Tenth) : Turn off the router, Stop dynagen and dynamips

Turn off the router :

=>
=> stop R1
C7200 'R1': stopping simulation.
100-VM 'R1' stopped
=> stop R2
100-VM 'R2' stopped
C7200 'R2': stopping simulation.
=>

Stop Dynagen simple1.net

Exit dynagen :
=> exit
Exiting...
Shutdown in progress...
Shutdown completed

Stop dynamips :

root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# ps -ax |grep dynamips
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
7267 pts/0 Sl 39:08 dynamips -H 7200
7699 pts/0 R+ 0:00 grep dynamips

root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# kill -9 7267


To reduce the CPU load on your PC, set the idle-pc value. The idle-pc value depends on the IOS image; to obtain it, use these steps :

=> idlepc get R1
Please wait while gathering statistics...

Please wait while gathering statistics...
Done. Suggested idling PC:
0x608c5bc8 (count=48)
0x608c5bcc (count=35)
0x608463cc (count=59)
0x60847050 (count=71)
Restart the emulator with "--idle-pc=0x608c5bc8" (for example)
1: 0x608c5bc8 [48]
2: 0x608c5bcc [35]
* 3: 0x608463cc [59]
4: 0x60847050 [71]


Edit simple1.net : vi simple1.net


[localhost]

[[7200]]
# image = \Program Files\Dynamips\images\c7200-jk9o3s-mz.124-7a.image
# On Linux / Unix use forward slashes:
image = /home/dynamips/dynagen-0.11.0/Images/C7200-K9.BIN
npe = npe-400
ram = 160
idlepc = 0x608463cc

Save file

simple1#dynagen simple1.net

=> idlepc show R1
R1 has an idlepc value of: 0x608463cc
=> idlepc show R2
R2 has an idlepc value of: 0x608463cc
=>

Have a good try ;)

Here is a useful link on dynamips and dynagen from iementor :
http://www.iementor.com/Introduction_to_Dynamips.pdf