Archive for July, 2015

Hosting Web Site in DMZ in ASA-GNS3

Posted: July 31, 2015 in CISCO

This is an extension of this article: we'll add a DMZ interface and a web server in the DMZ zone, then configure NAT and an access list so that clients on the internet can reach the web site in the DMZ network.

 

 


 

 

The only change on router R1 is one additional entry for network 10.2.2.0 in the EIGRP configuration.

R2:

interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
duplex auto
speed auto
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
!
router eigrp 20
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary

 

ASA config:

I added an IP address to the DMZ interface (g2), set its security level to 70 and added network 192.168.12.0 to the EIGRP configuration:

ciscoasa(config)# int g2
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# nameif dmz            !the NAT rule below refers to the interface by this name
ciscoasa(config-if)# security-level 70

ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network 192.168.12.0 255.255.255.0

 

Configure a network object for the DMZ server; this object will be used to translate the web server's address to an outside address using static NAT (the translated address will be 209.165.200.227, an "imagined" public IP address):

ciscoasa(config)# object network web-server
ciscoasa(config-network-object)# host 192.168.12.10
ciscoasa(config-network-object)# nat (dmz,outside) static 209.165.200.227

Create an access list that permits any IP protocol from anywhere (any) to the web server (192.168.12.10). Because traffic flows from the outside interface to the dmz interface, it enters (IN) the outside interface on its way to the DMZ:

ciscoasa(config)#access-list 102 extended permit ip any host 192.168.12.10
ciscoasa(config)#access-group 102 in interface outside

Ping the web server's "public" IP (209.165.200.227) from client1 and check the translation table:

ciscoasa# sh xlate
3 in use, 3 most used
Flags: D – DNS, i – dynamic, r – portmap, s – static, I – identity , T – twice
NAT from dmz:192.168.12.10 to outside:209.165.200.227
flags s idle 0:00:19 timeout 0:00:00

As we can see, pings from the outside (client1) to the web server in the DMZ (209.165.200.227) are now translated (static entry, flag s).

From client1, browse to the IP address we set in the NAT rule (209.165.200.227):


To allow ping between hosts behind the inside interface and the web server in the DMZ zone, and vice versa:

ciscoasa(config)#access-list 105 extended permit ip host 192.168.12.10 192.168.2.0 255.255.255.0
ciscoasa(config)# access-group 105 in interface dmz


Cisco ASA (Adaptive Security Appliance) is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. An ASA can be used as a security solution for both small and large networks.

By default, the ASA doesn't allow ICMP from the inside to the outside interface.

The inside interface is connected to the internal network, and the outside interface to the public network.

Interfaces have associated security levels: a numeric value from 0 to 100 that the ASA uses to control traffic flow. Traffic is permitted from interfaces with higher security levels to interfaces with lower security levels, but not the opposite; to permit traffic from a lower security level to a higher one we use access lists. The default security level for an outside interface is 0, and for an inside interface it is 100. If we need to publish services to the internet, we use another interface named DMZ (demilitarized zone), with a default security level of 50.
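As an added illustration (my own Python, not the page's or Cisco's code), here is a small model of the first-packet decision just described: with no ACL on the ingress interface the security levels decide, while an applied inbound ACL replaces that default with its own permits and an implicit deny. It replays the page's cases (outside to the DMZ web server via ACL 102, inside to dmz with no ACL, dmz to inside via ACL 105) plus one the page does not discuss, the web server starting a connection to the internet after ACL 105 is applied; interface names, levels and ACEs are the page's, the sample host addresses 203.0.113.5 and 192.168.2.5 are constructed, and the wildcard_to_mask helper is there because the page stresses that the ASA takes real netmasks, not IOS wildcards.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Interface security levels used on the page: outside 0, inside 100, dmz 70.
SECURITY_LEVELS = {"outside": 0, "inside": 100, "dmz": 70}


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse an ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (a real netmask)."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def wildcard_to_mask(wildcard: str) -> str:
    """Convert an IOS wildcard mask (0.0.0.255) to the real netmask an ASA expects (255.255.255.0)."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


@dataclass(frozen=True)
class Ace:
    """One extended ACE: permit <proto> <src> <dst> [icmp-type]. Deny entries are omitted for brevity."""
    proto: str                       # "ip" (any protocol) or a specific one such as "icmp", "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... or None for any type


@dataclass
class Asa:
    # access-group <acl> in interface <name>: the ACL is checked on traffic ENTERING that interface.
    inbound_acls: dict = field(default_factory=dict)

    def permits(self, ingress: str, egress: str, proto: str, src: str, dst: str,
                icmp_type: Optional[str] = None) -> bool:
        """Stateless model of the first-packet decision (no connection table, so the return
        traffic of an established connection is not modelled). ACLs match the real, untranslated
        address, which is why the page's ACL 102 names 192.168.12.10 and not 209.165.200.227."""
        acl = self.inbound_acls.get(ingress)
        if acl is None:
            # No ACL on the ingress interface: a higher level may initiate to a lower one, never the reverse.
            return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
        # An applied ACL replaces the level-based default entirely and ends with an implicit deny.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in acl:
            if ace.proto not in ("ip", proto):
                continue
            if s in ace.src and d in ace.dst and ace.icmp_type in (None, icmp_type):
                return True
        return False


def page_config() -> Asa:
    """The two ACLs from the DMZ post, applied where the page applies them."""
    asa = Asa()
    # access-list 102 extended permit ip any host 192.168.12.10 / access-group 102 in interface outside
    asa.inbound_acls["outside"] = [Ace("ip", net("any"), net("host 192.168.12.10"))]
    # access-list 105 extended permit ip host 192.168.12.10 192.168.2.0 255.255.255.0 / in interface dmz
    asa.inbound_acls["dmz"] = [Ace("ip", net("host 192.168.12.10"), net("192.168.2.0 255.255.255.0"))]
    return asa


def walk_page_cases() -> dict:
    """Replay the flows discussed on the page plus one it does not mention (dmz -> outside).
    203.0.113.5 is a constructed internet host, 192.168.2.5 a constructed inside host."""
    asa = page_config()
    return {
        "outside->web server (ACL 102)": asa.permits("outside", "dmz", "icmp", "203.0.113.5", "192.168.12.10", "echo"),
        "outside->other dmz host": asa.permits("outside", "dmz", "icmp", "203.0.113.5", "192.168.12.11", "echo"),
        "inside->dmz (100 > 70, no ACL)": asa.permits("inside", "dmz", "icmp", "192.168.2.5", "192.168.12.10", "echo"),
        "dmz->inside (ACL 105)": asa.permits("dmz", "inside", "icmp", "192.168.12.10", "192.168.2.5", "echo"),
        # Caveat: once ACL 105 is applied, the server can no longer start connections to the internet,
        # even though dmz (70) is above outside (0); an extra permit entry would be needed.
        "dmz->internet after ACL 105": asa.permits("dmz", "outside", "tcp", "192.168.12.10", "203.0.113.5"),
    }
```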


In this example the inside interface has the IP address 192.168.2.2 and the outside interface 209.165.200.226. We'll configure the ASA to allow ping from client1 to the internet, and we'll also configure NAT on the ASA so that when the client accesses the internet, from the outside perspective the traffic appears to come from the ASA's outside interface.

R1 configuration

See https://zarzyc.wordpress.com/2014/09/04/connecting-the-gns3-to-real-network-device/ for connecting GNS3 router to the internet

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside
R1(config-if)#int s1/0
R1(config-if)#ip address 10.1.1.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip nat inside
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1  !DG for my laptop physical NIC
R1(config)#router eigrp 20
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#redistribute static  !advertise route to the internet to all EIGRP neighbors
R1(config)#access-list 3 permit 192.168.3.0 0.0.0.255   !network where client resides
R1(config)#access-list 4 permit 209.165.200.0 0.0.0.255 !asa outside network
R1(config)#access-list 5 permit 192.168.2.0 0.0.0.255   !asa inside network
R1(config)#ip nat inside source list 3 interface FastEthernet0/0 overload !nat rules
R1(config)#ip nat inside source list 4 interface FastEthernet0/0 overload
R1(config)#ip nat inside source list 5 interface FastEthernet0/0 overload

 R2 config

interface Serial1/0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
router eigrp 20 
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary

ASA config

!interface to the internet

ciscoasa# config t
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# nameif outside

!interface to the inside network

ciscoasa# config t
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address 192.168.2.2 255.255.255.0
ciscoasa(config-if)# nameif inside

!for the ASA we must use a real network mask, not a wildcard mask
ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network 209.165.200.0 255.255.255.0
ciscoasa(config-router)# network 192.168.2.0 255.255.255.0
ciscoasa(config-router)# no auto-summary

!create an access list to allow traffic from "inside" (192.168.3.0) to the internet (any);
!unlike Cisco routers and switches, ASA access lists use real network masks

ciscoasa(config)#access-list 102 extended permit icmp 192.168.3.0 255.255.255.0 any echo
!the echo reply comes from the location we pinged (any), so we allow ICMP replies from the internet
!(any) to our internal "inside" network (192.168.3.0):
ciscoasa(config)#access-list 102 extended permit icmp any 192.168.3.0 255.255.255.0 echo-reply
!apply this ACL to traffic entering (IN) the outside interface, i.e. the replies arriving from the internet
ciscoasa(config)#access-group 102 in interface outside

IN and OUT directions can be confusing :), for a better explanation see http://www.virtxpert.com/ins-outs-of-cisco-asa-acls/

Alternatively, we can use the Modular Policy Framework (MPF) to enable ICMP traffic: with ICMP inspection the ASA tracks each echo request and lets only the matching reply back in, so no echo-reply ACL entry is needed.

A class map identifies the traffic to which we want to apply actions (we created a class map named icmp-traffic; any name can be used):

ciscoasa(config)# class-map icmp-traffic

The default class map is called default-inspection-traffic. The "default_inspection_traffic" match covers all traffic predefined for various protocols, among them ICMP.

ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
access-list                 Match an Access List
any                         Match any packet
default-inspection-traffic  Match default inspection traffic:
ctiqbe----tcp--2748      dns-------udp--53
ftp-------tcp--21        gtp-------udp--2123,3386
h323-h225-tcp--1720      h323-ras--udp--1718-1719
http------tcp--80        icmp------icmp
ils-------tcp--389       ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514       rtsp------tcp--554
sip-------tcp--5060      sip-------udp--5060
skinny----tcp--2000      smtp------tcp--25
sqlnet----tcp--1521      tftp------udp--69
waas------tcp--1-65535   xdmcp-----udp--177
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group

ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit

Associate actions with the previously created class map by creating a policy map named my-policy that inspects ICMP traffic:

ciscoasa(config)# policy-map my-policy
ciscoasa(config-pmap)# class icmp-traffic
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit

Finally,assign policy map to outside interface

ciscoasa(config)# service-policy my-policy interface outside

To summarize:

class-map:identifies the traffic (icmp in our case,defined in default-inspection-traffic)

policy-map:action to take on traffic specified in class map (inspect icmp)

service-policy:where to apply actions specified in policy map (outside interface)

Enable icmp debugging on ASA:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1

Ping 8.8.8.8 from the client and observe the debugging output:


On R1,see NAT table:

R1#sh ip nat translations
Pro Inside global                          Inside local                      Outside local                Outside global
tcp 192.168.137.63:1202       192.168.3.10:1202        2.22.213.235:80        2.22.213.235:80

From the inside perspective, traffic originates from the client.

Configuring NAT in ASA firewall

Create object network for internal network (192.168.3.0) named mynetwork:

ciscoasa(config)# object network mynetwork
ciscoasa(config-network-object)# subnet 192.168.3.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

This creates a NAT rule for traffic sourced from devices on the inside (192.168.3.0) going to the outside: the source address of the inside network is translated to the address of the ASA's outside interface (209.165.200.226). Ping the internet again from client1 and observe the NAT translation table:

Pro Inside global                          Inside local                      Outside local            Outside global

icmp 192.168.137.63:10785   209.165.200.226:10785   8.8.8.8:10785         8.8.8.8:10785

Traffic from client1 (192.168.3.10) now appears to come from the ASA's outside interface.

A VPN (Virtual Private Network) provides a secure method of transmitting data over a public network (the internet). A site-to-site VPN provides a secure tunnel between different networks.

In this example we will configure a site-to-site VPN between the R2 and R3 routers.


Configure connectivity in our network.

ISP configuration:

ISP(config)#router eigrp 20
ISP(config-router)#network 10.1.1.0 0.0.0.255
ISP(config-router)#network 10.2.2.0 0.0.0.255
ISP(config-router)#no auto-summary

R2:

R2(config)#router eigrp 20
R2(config-router)#network 10.1.1.0 0.0.0.255
R2(config-router)#network 192.168.10.0 0.0.0.255
R2(config-router)#no auto-summary

R3:

R3(config)#router eigrp 20
R3(config-router)#network 10.2.2.0 0.0.0.255
R3(config-router)#network 192.168.30.0 0.0.0.255
R3(config-router)#no auto-summary

For the clients I used routers:

client1(config)#router eigrp 20
client1(config-router)#network 192.168.10.0 0.0.0.255
client1(config-router)#no auto-summary

client2(config)#router eigrp 20
client2(config-router)#network 192.168.30.0 0.0.0.255
client2(config-router)#no auto-summary

Configure ISAKMP policy on R2 and R3

Routers R2 and R3 first need to negotiate the Internet Key Exchange (IKE) Phase 1 tunnel. IKEv1 has two modes, main and aggressive; main mode is considered more secure. The IKE Phase 1 tunnel is established between R2 and R3. It doesn't forward user packets; it protects the management traffic related to the VPN between the two routers (R2 and R3 in our case).

When R2 and R3 negotiate the IKE Phase 1 tunnel, they need to agree upon the following:

Hash algorithm: Message Digest 5 (MD5) or Secure Hash Algorithm (SHA).
Encryption algorithm: Data Encryption Standard (DES) (weak), Triple DES (3DES) or Advanced Encryption Standard (AES).
Diffie-Hellman (DH) group: the modulus size (length of the key) to use for the DH key exchange. Group 1 uses 768 bits, group 2 uses 1024 and group 5 uses 1536. DH is used to generate the shared secret (symmetric keys) that the two VPN peers use with symmetric algorithms such as AES. The DH exchange itself is asymmetric, and the resulting keys are symmetric.
Authentication method: used for verifying the identity of the VPN peer on the other side of the tunnel, either a pre-shared key (PSK), which serves only for authentication, or RSA signatures (which leverage the public keys contained in digital certificates).
Lifetime: how long this IKE Phase 1 tunnel should be active (default 3600 seconds). A shorter lifetime is considered more secure.

Now we need to configure the policy on R2 and R3, i.e. configure the 5 items above:

R2(config)#crypto isakmp policy 10 !10 is arbitrary
R2(config-isakmp)#authentication ?
pre-share  Pre-Shared Key
rsa-encr   Rivest-Shamir-Adleman Encryption
rsa-sig    Rivest-Shamir-Adleman Signature

R2(config-isakmp)#authentication pre-share !we'll use pre-shared key
R2(config-isakmp)#encryption ?
3des  Three key triple DES
aes   AES - Advanced Encryption Standard.
des   DES - Data Encryption Standard (56 bit keys).

R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash ?
md5  Message Digest 5
sha  Secure Hash Standard
R2(config-isakmp)#hash sha
R2(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

R2(config-isakmp)#group 5
R2(config-isakmp)#lifetime ?
    lifetime in seconds

R2(config-isakmp)#lifetime 3600
R2(config-isakmp)#end

The same must be configured on R3 (note that this transcript uses encryption aes 256, while R2 above was given encryption aes, which means 128-bit AES; for the two policies to match, both peers must specify the same key length):

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share !authentication
R3(config-isakmp)#encryption aes 256       !encryption
R3(config-isakmp)#hash sha                 !hash algorithm
R3(config-isakmp)#group 5                  !DH group
R3(config-isakmp)#lifetime 3600            !lifetime

Show isakmp policy:

R3(config)#do sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Pre-Shared Key
Diffie-Hellman group:   #5 (1536 bit)
lifetime:               3600 seconds, no volume limit
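To make the matching rule checkable, here is an added Python model (not the page's or Cisco's code) of how IKEv1 Phase 1 policies are compared: every attribute except lifetime must be identical, and the initiator's lifetime must not exceed the responder's. It replays the page's policies exactly as typed, where R2 uses encryption aes (128-bit) and R3 encryption aes 256, and then the corrected pair; the key-length meanings and the IOS built-in default policies mentioned in the comments are facts about IOS, everything else comes from the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}  # modulus sizes as listed on the page


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str        # "des", "3des" or "aes"
    key_bits: int          # 56 for des, 168 for 3des, 128/192/256 for aes ("encryption aes" alone = 128)
    hash: str              # "md5" or "sha"
    authentication: str    # "pre-share", "rsa-sig" or "rsa-encr"
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds; the IOS default


def differing_parameters(a: IsakmpPolicy, b: IsakmpPolicy) -> List[str]:
    """Names of the attributes that must be identical for two policies to match (lifetime excluded)."""
    return [name for name in ("encryption", "key_bits", "hash", "authentication", "group")
            if getattr(a, name) != getattr(b, name)]


def negotiate(initiator: List[IsakmpPolicy], responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """IKEv1 Phase 1 proposal selection as IOS performs it: the initiator offers its policies in
    priority order and the responder accepts the first one that matches one of its own policies.
    Lifetime is the one attribute that may differ: the responder accepts an offer whose lifetime
    is <= its own, and the shorter value is used. Returns (initiator prio, responder prio, lifetime)
    or None. Newer IOS releases also carry built-in default policies (priority 65507 and up) that
    can rescue a mismatch; they are deliberately left out so the mismatch stays visible."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for own in sorted(responder, key=lambda p: p.priority):
            if not differing_parameters(offer, own) and offer.lifetime <= own.lifetime:
                return (offer.priority, own.priority, min(offer.lifetime, own.lifetime))
    return None


# Policies as typed on the page: R2 ran "encryption aes" (128-bit), R3 ran "encryption aes 256".
R2_POLICY_10 = IsakmpPolicy(10, "aes", 128, "sha", "pre-share", 5, 3600)
R3_POLICY_10 = IsakmpPolicy(10, "aes", 256, "sha", "pre-share", 5, 3600)


def page_as_typed() -> Optional[Tuple[int, int, int]]:
    """R2 initiates toward R3 with the policies exactly as the page shows them."""
    return negotiate([R2_POLICY_10], [R3_POLICY_10])


def page_corrected() -> Optional[Tuple[int, int, int]]:
    """Same exchange after R2's policy is changed to 'encryption aes 256' to match R3."""
    r2 = IsakmpPolicy(10, "aes", 256, "sha", "pre-share", 5, 3600)
    return negotiate([r2], [R3_POLICY_10])


def dh_strength(policy: IsakmpPolicy) -> int:
    """Modulus size of the policy's DH group, per the page's table (group 5 -> 1536 bits)."""
    return DH_GROUP_BITS[policy.group]
```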

We used pre-shared keys as the authentication method, so now we must set the key and the IP address of the remote VPN endpoint:

On R2 we set R3's s1/1 interface address (10.2.2.1), and on R3 R2's s1/0 interface address (10.1.1.1).

R2(config)#crypto isakmp key mykey address 10.2.2.1
R3(config)#crypto isakmp key mykey address 10.1.1.1

Configure the transform set

The routers need to negotiate one more configuration parameter in order to form a security association (a set of security properties agreed by the communicating hosts). That parameter is the transform set; it is used to create the IKE Phase 2 tunnel, which encrypts the actual data between R2 and R3.

R2(config)#crypto ipsec transform-set 10 ?
ah-md5-hmac   AH-HMAC-MD5 transform
ah-sha-hmac   AH-HMAC-SHA transform
comp-lzs      IP Compression using the LZS compression algorithm
esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes       ESP transform using AES cipher
esp-des       ESP transform using DES cipher (56 bits)
esp-md5-hmac  ESP transform using HMAC-MD5 auth
esp-null      ESP transform w/o cipher
esp-seal      ESP transform using SEAL cipher (160 bits)
esp-sha-hmac  ESP transform using HMAC-SHA auth

R2(config)#crypto ipsec transform-set 10 esp-aes 256 ?
ah-md5-hmac   AH-HMAC-MD5 transform
ah-sha-hmac   AH-HMAC-SHA transform
comp-lzs      IP Compression using the LZS compression algorithm
esp-md5-hmac  ESP transform using HMAC-MD5 auth
esp-sha-hmac  ESP transform using HMAC-SHA auth
<cr>

! transform set named myset: ESP encryption esp-aes 256, authentication esp-sha-hmac
R2(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
R3(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac

Defining the traffic which needs to be encrypted

We need to encrypt traffic between the network behind R2 (192.168.10.0) and the network behind R3 (192.168.30.0), so we use extended ACLs (an extended ACL is placed close to the source):

R2(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R3(config)#access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

 

Creating the crypto map

A crypto map associates the traffic defined in the ACL (ACL 101) with the VPN peer.

Create a crypto map named mymap with sequence number 10 (arbitrary), define the access list, and set the peer and transform set:

R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101                  !ACL 101
R2(config-crypto-map)#set peer 10.2.2.1                  !R3's interface
R2(config-crypto-map)#set transform-set myset            !the transform set created earlier

R3(config)#crypto map mymap 10 ipsec-isakmp
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set transform-set myset
R3(config-crypto-map)#exit

Apply crypto maps to R2 and R3’s interfaces

R2#config t
R2(config)#int s1/0
R2(config-if)#crypto map mymap
R2(config-if)#
*Mar  1 01:56:41.887: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#config t
R3(config)#int s1/1
R3(config-if)#crypto map mymap
R3(config-if)#
*Mar  1 01:53:11.379: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3#sh crypto ipsec transform-set
Transform set 10: { esp-256-aes esp-sha-hmac  }
will negotiate = { Tunnel,  },


R3#show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map mymap:
Serial1/1

From client1 ping client2:

client1#ping 192.168.30.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.11, timeout is 2 seconds:
!!!!!

Capture traffic between client1 and the f0/0 interface of R2, and between the f0/0 interface of R3 and client2; as you can see, the traffic is not encrypted.


Now capture traffic between R2 and R3:


Traffic is encrypted (ESP) when it leaves R2's s1/0 interface and is decrypted by R3, so it appears in clear text again on R3's f0/0 interface.

InterVLAN routing on Layer 3 Switch

Posted: July 28, 2015 in CISCO

VLANs divide one broadcast domain into multiple broadcast domains, which are isolated, so packets must be routed in order to pass between them. This is known as inter-VLAN routing. On Catalyst switches it is accomplished by creating Layer 3 interfaces (switch virtual interfaces, SVIs). VLANs are useful in situations where you need the functionality of multiple parallel physical networks but you'd rather not spend the money on additional hardware.

In this example we will create 2 VLANs on a multilayer switch and route traffic between them and the internet.


Add 10.10.10.10/24 address to R1 f0/0 interface and create route to the internet

R1(config)#int fa0/0
R1(config-if)#ip address 10.10.10.10 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

192.168.1.1 is the default gateway of my internet connection. For how to connect GNS3 routers to the internet see

https://zarzyc.wordpress.com/2014/09/04/connecting-the-gns3-to-real-network-device/

Configure switch

SW(config)#int f1/0
SW(config-if)#no switchport                              !makes the interface Layer 3 capable
SW(config-if)#ip address 10.10.10.20 255.255.255.0      !interface to R1's f0/0 interface
SW(config-if)#exit
SW(config)#ip routing                                    !enable IP routing
SW(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.10          !default route to the internet
SW(config)#int vlan 2
SW(config-if)#ip add 20.20.20.10 255.255.255.0          !IP address for VLAN2 (gateway for clients in VLAN2)
SW(config-if)#no shut
SW(config-if)#exit
SW(config)#int vlan 3
SW(config-if)#ip add 30.30.30.10 255.255.255.0          !IP address for VLAN3 (gateway for clients in VLAN3)
SW(config-if)#no shut
SW(config-if)#exit
SW(config)#int f1/2
SW(config-if)#switchport access vlan 2                   !configure f1/2 to carry traffic for VLAN2
SW(config-if)#int f1/1
SW(config-if)#switchport access vlan 3                   !configure f1/1 to carry traffic for VLAN3

Advertise VLANs routes on both router R1 and switch (I used OSPF routing protocol)

SW(config)#router ospf 20
SW(config-router)#network 10.10.10.0 0.0.0.255 area 0
SW(config-router)#network 20.20.20.0 0.0.0.255 area 0
SW(config-router)#network 30.30.30.0 0.0.0.255 area 0   !VLAN3 is 30.30.30.0/24 (the original typed 30.20.20.0)

R1(config)#router ospf 20
R1(config-router)#network 10.10.10.0 0.0.0.255 area 0
R1(config-router)#network 20.20.20.0 0.0.0.255 area 0
R1(config-router)#network 30.30.30.0 0.0.0.255 area 0

Configure client1's IP address with an address in the 20.20.20.0 range, mask 255.255.255.0 and 20.20.20.10 as the default gateway, and client2 with an address in the 30.30.30.0 range, mask 255.255.255.0 and 30.30.30.10 as the default gateway.

For the clients and the switch to access the internet we need to configure NAT on R1. I explained NAT configuration in one of my previous posts, so I won't go into details here.

R1(config)#int f0/1
R1(config-if)#ip nat outside
R1(config-if)#int f0/0
R1(config-if)#ip nat inside
R1(config)#access-list 1 permit 10.10.10.0 0.0.0.255
R1(config)#access-list 2 permit 20.20.20.0 0.0.0.255
R1(config)#access-list 3 permit 30.30.30.0 0.0.0.255
R1(config)#ip nat inside source list 1 int f0/1 overload
R1(config)#ip nat inside source list 2 int f0/1 overload
R1(config)#ip nat inside source list 3 int f0/1 overload   !list 3 (VLAN3); the original repeated list 2 here

You should be able to ping hosts in both VLANs and the internet.


VLAN Trunking Protocol

Posted: July 27, 2015 in CISCO

The VLAN Trunking Protocol (VTP) is a protocol to create, manage and maintain a network with many interconnected switches. It can add, delete and rename VLANs from a central switch (called the server) without the need to manually configure every switch. Changes made on one switch, the server, are propagated to the other switches (configured as client switches). By default, a switch is set to server mode.

In this example I added two switches; one will be in server mode and the other in client mode.


Let’s configure switch named server:

Set the VTP domain and password. A VTP domain is one switch or several interconnected switches sharing the same VTP information. A switch can be configured in only one VTP domain. Switches in different VTP domains do not share information.

Switch#configure terminal
Switch(config)#hostname server
server(config)#vtp domain mydomain
Changing VTP domain name from NULL to mydomain
server(config)#vtp password 1234
Setting device VLAN database password to 1234

I set the domain to mydomain and the password to 1234. The same password must be set on all switches in the VTP domain.

server(config)#do sh vtp status

VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x09 0xC6 0x71 0xCE 0x32 0x0D 0x6A 0xA1
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Pay attention to the revision number. It indicates the revision level of a VTP packet. When you make changes to the VLAN database (add/delete VLANs), this number increments. This information is used to determine whether received information is more recent than the current version. At this moment we haven't added any VLAN, so the revision number is currently 0.

This switch will propagate changes to the other ones, and that's why it's set to server mode (the default). If you need to change the mode, use the vtp mode command in configuration mode:

server(config)#vtp mode ?
client Set the device to client mode.  ! in client mode we cannot modify vlans,only receive info from server switch
server Set the device to server mode.
transparent Set the device to transparent mode.

VTP transparent switches do not participate in VTP: a transparent switch doesn't advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but it does forward VTP advertisements to other switches.

Let's test the above statements.

Create some VLANs on the server switch:

server(config)#vlan 2
server(config-vlan)#vlan 3
server(config-vlan)#vlan 4
server(config-vlan)#vlan 5

server(config-vlan)#do sh vtp stat

VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

Note that the revision number has changed from 0 to 4. In order for our client switch to receive changes from the server switch, we must set the domain, password and mode on the client switch:

client#config t
client(config)#vtp domain mydomain
Changing VTP domain name from NULL to mydomain
client(config)#vtp password 1234
Setting device VLAN database password to 1234
client(config)#vtp mode client
Setting device to VTP CLIENT mode.

We need to configure the port on the server switch as a trunk port in order to transfer VLAN data. On the client switch we don't need to configure the port as a trunk because by default the port is set to dynamic auto (this mode makes the interface able to convert the link to a trunk; it becomes a trunk interface if the neighboring interface is set to trunk or desirable mode).

client#sh int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto

On the server switch configure the Fa0/1 port as a trunk and allow the VLANs we created in the previous step:

server#config t
server(config)#int fa0/1
server(config-if)#switchport mode trunk
server(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
server(config-if)#switchport trunk allowed vlan 2-4

Switch to the client switch and observe the changes:

client#sh vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x69 0x04 0x82 0x5B 0x12 0x01 0x0C 0xD2
Configuration last modified by 0.0.0.0 at 3-1-93 00:59:53

Note that revision number has changed from 0 (default) to 4 and number of VLAN’s increased from 5 (default) to 9

See the available VLANs:

client#sh vlan

2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active

As you can see, all changes have propagated from the server to the client switch.

Adding transparent switch to current topology

We'll now add another switch, set its VTP domain, password and mode (transparent), configure the port connected to the client switch as a trunk port (to pass VLAN info) and allow the VLANs configured on the server switch (2-5).


Switch#configure terminal
Switch(config)#hostname transparent
transparent(config)#vtp domain mydomain
Changing VTP domain name from NULL to mydomain
transparent(config)#vtp password 1234
Setting device VLAN database password to 1234
transparent(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
transparent(config)#int fa0/2
transparent(config-if)#switchport mode trunk
transparent(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
transparent(config-if)#switchport trunk allowed vlan 2-5

Because this switch is in transparent mode, changes from the client switch won't be applied to it (its revision and VLAN numbers stay at the default values):

transparent(config-if)#do sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x09 0xC6 0x71 0xCE 0x32 0x0D 0x6A 0xA1
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Add another switch (switch1, configured below with hostname client1), set it to client mode and connect it to the transparent switch.

Set the VTP domain, password and mode (client), configure the port connected to the transparent switch (fa0/1) as a trunk, and allow VLANs 2-5.


Switch#configure terminal
Switch(config)#hostname client1
client1(config)#vtp domain mydomain
Changing VTP domain name from NULL to mydomain
client1(config)#vtp password 1234
Setting device VLAN database password to 1234
client1(config)#vtp mode client
Setting device to VTP CLIENT mode.
client1(config)#int fa0/1
client1(config-if)#switchport mode trunk
client1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
client1(config-if)#switchport trunk allowed vlan 2-5
client1(config-if)#do sh vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x69 0x04 0x82 0x5B 0x12 0x01 0x0C 0xD2
Configuration last modified by 0.0.0.0 at 3-1-93 00:59:53
client1(config-if)#do sh vlan
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active

Although the client1 switch is directly connected to the transparent switch (which itself holds no VTP info from the server switch), the transparent switch passed all VTP information on to client1.

Simulating failure of the server switch

What will happen if the server switch goes down and we put a new switch in its place? Will its settings override the existing clients' VTP settings, or will the VTP info from the client propagate to the new server switch?

While it is still disconnected, configure the new server switch:

Switch#config t
Switch(config)#hostname new_server
new_server(config)#int fa0/1
new_server(config-if)#switchport mode trunk
new_server(config-if)#switchport trunk allowed vlan 2-4
new_server(config-if)#do vtp domain mydomain
Changing VTP domain name from NULL to mydomain
new_server(config-if)# do vtp password 1234
Setting device VLAN database password to 1234
new_server(config-if)# do vtp mode server
Device mode already VTP SERVER.
new_server(config-if)#do sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x09 0xC6 0x71 0xCE 0x32 0x0D 0x6A 0xA1
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

At this moment, before connecting this switch to the client switch, new_server has revision number 0, lower than the client switch's revision number (4). When we connect new_server to the network, the client switch notices that it has a higher revision number than new_server and propagates its VTP data to new_server. The same rule works the other way: a switch joining the domain with a higher revision number overwrites the VLAN database of every other switch, client or server, so a reused switch should have its revision reset to 0 (for example by changing its VTP domain name or putting it in transparent mode) before it is connected.


new_server(config)#do sh vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 255
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x69 0x04 0x82 0x5B 0x12 0x01 0x0C 0xD2
Configuration last modified by 0.0.0.0 at 3-1-93 00:59:53
Local updater ID is 0.0.0.0 (no valid interface found)
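The revision election demonstrated above, replayed in an added Python simulation (not the page's code and not the real VTP packet format): a switch applies an advertisement only if the domain and password digest match and the revision is higher, and a transparent switch only forwards. It reproduces the page's chain (server, client, transparent, client1, then new_server) and the case the page does not show, a switch arriving with a higher revision and only the default VLANs; switch names, domain and password are the page's, the digest is a constructed stand-in for VTP's MD5.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}  # the "5 existing VLANs" of an untouched switch


def _digest(password: str, vlans: Set[int]) -> str:
    """Constructed stand-in for VTP's MD5 over the secret and the VLAN database (not the wire format)."""
    payload = password + "|" + ",".join(str(v) for v in sorted(vlans))
    return hashlib.md5(payload.encode()).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: set(DEFAULT_VLANS))

    def add_vlan(self, vid: int) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created in client mode")
        if vid not in self.vlans:
            self.vlans.add(vid)
            if self.mode == "server":
                self.revision += 1        # each change on a server bumps the configuration revision

    def advertisement(self) -> Dict:
        return {"domain": self.domain, "revision": self.revision,
                "vlans": set(self.vlans), "md5": _digest(self.password, self.vlans)}

    def receive(self, adv: Dict) -> str:
        """What the switch does with an advertisement: 'forwarded', 'ignored' or 'applied'."""
        if self.mode == "transparent":
            return "forwarded"              # relayed over trunks, never applied locally
        if adv["domain"] != self.domain or adv["md5"] != _digest(self.password, adv["vlans"]):
            return "ignored"                # wrong domain or password: the digest does not verify
        if adv["revision"] > self.revision:
            self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
            return "applied"                # the newer database wins, whatever the sender's mode
        return "ignored"                    # same or older revision


def flood(adv: Dict, path: List[VtpSwitch]) -> List[Tuple[str, str]]:
    """Deliver one advertisement along a chain of trunk-connected switches; every switch,
    including one that ignores or merely forwards it, passes it on to the next."""
    return [(sw.name, sw.receive(adv)) for sw in path]


def page_scenarios() -> Dict[str, Tuple[int, int]]:
    """Server creates VLANs 2-5, the domain syncs, then a fresh new_server (revision 0) joins."""
    server = VtpSwitch("server", "server", "mydomain", "1234")
    client = VtpSwitch("client", "client", "mydomain", "1234")
    transparent = VtpSwitch("transparent", "transparent", "mydomain", "1234")
    client1 = VtpSwitch("client1", "client", "mydomain", "1234")
    for vid in (2, 3, 4, 5):
        server.add_vlan(vid)
    flood(server.advertisement(), [client, transparent, client1])
    new_server = VtpSwitch("new_server", "server", "mydomain", "1234")
    flood(client.advertisement(), [new_server])   # the client's revision 4 beats the new server's 0
    return {sw.name: (sw.revision, len(sw.vlans))
            for sw in (server, client, transparent, client1, new_server)}


def higher_revision_wipes_domain() -> Tuple[str, int, List[int]]:
    """The caveat: a switch arriving with a HIGHER revision but only default VLANs overwrites the
    synced client and deletes VLANs 2-5, while a wrong password is rejected whatever its revision."""
    server = VtpSwitch("server", "server", "mydomain", "1234")
    client = VtpSwitch("client", "client", "mydomain", "1234")
    for vid in (2, 3, 4, 5):
        server.add_vlan(vid)
    flood(server.advertisement(), [client])
    wrong_pw = VtpSwitch("wrong_pw", "server", "mydomain", "guess", revision=9)
    rejected = flood(wrong_pw.advertisement(), [client])[0][1]
    stray = VtpSwitch("stray", "server", "mydomain", "1234", revision=7)   # a reused switch, never reset
    flood(stray.advertisement(), [client])
    return rejected, client.revision, sorted(client.vlans)
```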

DHCP snooping is a security feature that filters untrusted DHCP messages. An untrusted message is one received from outside, for example from a rogue DHCP server; such messages can cause traffic attacks within your network, make the network malfunction or even put it under an attacker's control.

GNS3 doesn't support the ip dhcp snooping command. Packet Tracer 6.1 does, but has no support for debug ip dhcp snooping packet, so the best way to see DHCP snooping in action is to get hold of a real CISCO switch.


If you have no access to physical equipment, Packet Tracer will be just fine. As DHCP server you can use a Linux or Windows DHCP server, or a CISCO router or multilayer switch.

Configure DHCP_SERVER with IP address 192.168.1.1 and a pool named mypool:

DHCP_SERVER#config t
DHCP_SERVER(config)#int gig0/0
DHCP_SERVER(config-if)#ip address 192.168.1.1 255.255.255.0
DHCP_SERVER(config-if)#no shut
DHCP_SERVER(config-if)#exit
DHCP_SERVER(config)#ip dhcp excluded-address 192.168.1.1
DHCP_SERVER(config)#ip dhcp excluded-address 192.168.1.2
DHCP_SERVER(config)#ip dhcp pool mypool
DHCP_SERVER(dhcp-config)#network 192.168.1.0 255.255.255.0
DHCP_SERVER(dhcp-config)#exit

Obtain an IP address on the client:

CLIENT#config t
CLIENT(config)#int fa0/0
CLIENT(config-if)#ip address dhcp
*Mar  1 00:43:44.131: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.3, mask 255.255.255.0, hostname CLIENT

Configure the “rogue” DHCP server:

ROGUE_DHCP#config t
ROGUE_DHCP(config)#int gig0/0
ROGUE_DHCP(config-if)#ip address 192.168.1.2 255.255.255.0
ROGUE_DHCP(config-if)#no shut
ROGUE_DHCP(config-if)#exit
ROGUE_DHCP(config)#ip dhcp excluded-address 192.168.1.1
ROGUE_DHCP(config)#ip dhcp excluded-address 192.168.1.2
ROGUE_DHCP(config)#ip dhcp pool roguepool
ROGUE_DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
ROGUE_DHCP(dhcp-config)#exit

Disable the gig0/0 interface on the “real” DHCP server (DHCP_SERVER) and try to obtain an IP address on the client again:

CLIENT(config-if)#ip address dhcp
*Mar  1 00:43:44.131: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.3, mask 255.255.255.0, hostname CLIENT
ROGUE_DHCP(config)#do sh ip dhcp bind
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.1.3      0001.9670.5601          --

As you can see, the client got its address from the ROGUE_DHCP server.


Preventing rogue DHCP servers with DHCP snooping

To allow only the legitimate DHCP server to hand out IP addresses, we need to configure the switch:

Switch#config t
Switch(config)#ip dhcp snooping vlan 1 !I have only vlan 1 configured
Switch(config)#no ip dhcp snooping information option

We enabled DHCP snooping on VLAN 1. All ports are now “untrusted” by default, so no port will pass DHCP server replies until we mark it trusted. On a physical Catalyst switch, DHCP snooping must also be enabled globally with ip dhcp snooping; the show output below reports it as enabled.

no ip dhcp snooping information option

By default the switch inserts option 82 into DHCP request packets before forwarding them to the DHCP server. The DHCP server assigns IP addresses based on the option 82 parameters and sends its replies to the address in the giaddr field. When the switch forwards a DHCP packet with option 82 information it does not change the giaddr field to a non-zero value; it stays 0.0.0.0, and a DHCP server that expects a packet carrying option 82 to have a non-zero giaddr notices that it is zero and rejects the packet. To avoid this behaviour, we set no ip dhcp snooping information option.
Switch port fa0/2 is connected to our “legitimate” DHCP server, so we configure that port as “trusted”:

Switch#config t
Switch(config)#int fa0/2
Switch(config-if)#ip dhcp snooping trust

The client gets its address through switch port fa0/1. For security reasons we also limit the number of DHCP packets that can be received per second on that port; if the rate exceeds the configured value, the traffic is dropped. We configured 10 DHCP packets per second.

Switch(config-if)#int fa0/1
Switch(config-if)#ip dhcp snooping limit rate 10

Switch(config-if)#do sh ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0001.96C9.0480 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            no         no              10
  Custom circuit-ids:
FastEthernet0/2            yes        yes             unlimited

Disable the gig0/0 interface on the real DHCP_SERVER again, enable DHCP snooping debugging and try to assign an IP address to the client:
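As an added example (not the article's code), here is a Python model of the checks an untrusted port applies under DHCP snooping, as listed in the show ip dhcp snooping output above: server messages, chaddr against the source MAC, giaddr and option 82, and the per-port rate limit. The DHCP payloads, MAC addresses and port names are constructed for the test and the packet builder is a minimal BOOTP layout, not a capture from the lab.

```python
import struct
from collections import defaultdict

# Added example (not the article's code): the DHCP snooping checks listed in the
# "show ip dhcp snooping" output above, applied to constructed DHCP payloads.
FMT = "!BBBBIHH12s4s16s"          # BOOTP header through chaddr (44 bytes); 12s = ciaddr/yiaddr/siaddr
SERVER_MSGS = {2, 5, 6}           # DHCPOFFER, DHCPACK, DHCPNAK: only servers send these

def build_dhcp(op, chaddr, giaddr, msg_type, option82=None):
    """Constructed minimal BOOTP/DHCP payload (RFC 2131 layout), not a lab capture."""
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(FMT, op, 1, 6, 0, 0x1234, 0, 0, b"\0" * 12,
                      bytes(int(x) for x in giaddr.split(".")), mac)
    opts = b"\x63\x82\x53\x63" + bytes([53, 1, msg_type])      # magic cookie + message type
    if option82 is not None:
        opts += bytes([82, len(option82)]) + option82
    return hdr + b"\0" * 192 + opts + b"\xff"                   # 192 zero bytes: empty sname/file

def parse_dhcp(data):
    f = struct.unpack(FMT, data[:44])
    opts, i = {}, 44 + 192 + 4        # options start after sname/file and the magic cookie
    while i < len(data) and data[i] != 0xff:
        if data[i] == 0:               # pad option has no length byte
            i += 1
            continue
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return {"giaddr": ".".join(map(str, f[8])),
            "chaddr": ":".join(f"{b:02x}" for b in f[9][:6]), "opts": opts}

class SnoopingSwitch:
    def __init__(self, trusted, rate_limit):
        self.trusted, self.rate_limit = set(trusted), rate_limit   # rate_limit: {port: pps}
        self.count = defaultdict(int)                             # (port, second) -> packets

    def filter(self, port, src_mac, data, t=0.0):
        # Returns "forward" or a drop reason; t is the arrival time in seconds.
        self.count[port, int(t)] += 1
        if self.count[port, int(t)] > self.rate_limit.get(port, float("inf")):
            return "drop: rate limit exceeded"      # IOS also err-disables the port here
        if port in self.trusted:
            return "forward"                        # trusted ports skip the content checks
        p = parse_dhcp(data)
        if p["opts"].get(53, b"\0")[0] in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if p["chaddr"] != src_mac.lower():
            return "drop: chaddr does not match source MAC"
        if p["giaddr"] != "0.0.0.0" or 82 in p["opts"]:
            return "drop: relay fields (giaddr/option 82) on untrusted port"
        return "forward"
```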

In this article we'll simulate external access to our web site hosted on the internal network.


When a client on the internet types 10.10.10.2 into a web browser (or the hostname associated with that address), he/she will be redirected to the web site hosted on the web server with IP 192.168.5.10.

In this article I described NAT terminology, so I won't describe the following commands:

Configure the R2 s2/0 interface as NAT outside and f0/0 as NAT inside:

R2#
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config-if)#int s2/0
R2(config-if)#ip nat outside

R2(config-if)#int f0/0
R2(config-if)#ip nat inside

Add a default route to the “Internet” and enable NAT debugging:

R2(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.1
R2(config)#do deb
R2(config)#do debug ip nat
IP NAT debugging is on

Configure static NAT so that 192.168.5.10 (the private IP address of the web server) appears to originate from the “Internet” address 10.10.10.2 (the public IP of R2's s2/0 interface), and so that traffic arriving for 10.10.10.2 (the public IP) is translated back to 192.168.5.10:

R2(config)#ip nat inside source static 192.168.5.10 10.10.10.2

Switch now to R1 and configure a default static route (so that we can ping from the internet to R2 and from R2 to the internet):

R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2

On the client, add an entry in the hosts file to map mysite.com to the 10.10.20.2 IP address (R2 s2/0 interface):


Open a web browser and access the web site:


R2(config)#
*Mar  1 02:26:24.687: NAT*: s=192.168.81.10, d=10.10.10.2->192.168.5.10 [17032]

As you can see, the request from the client (192.168.81.10) is destined to 10.10.10.2 (R2's s2/0 interface) and is forwarded to 192.168.5.10 (the web server's IP address).