Wednesday, April 1, 2009

AD Group Mapping Across Different Domain Forests using ACS-AD

When you have different domain forests, are implementing wireless across them and want to bind SSIDs to their respective domains, the following points need to be taken care of:
1) A two-way trust needs to be formed between all the domains.
2) The Windows Remote Agent needs to be installed on one member server machine in any of the domains.
3) If there is a firewall between the domains, the following ports need to be open.
Here is the port list for Active Directory communication:
TCP ports: 88, 135, 136, 139, 389, 445, 1025, 1026
UDP ports: 88, 123, 137, 389; ICMP
4) Link for what needs to be configured on the member server machine on which the Windows Remote Agent is installed:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp299851
5) The member server on which the Remote Agent is installed should be logged in with a user that has Domain Admin privileges.
6) See the 'Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration' link for the configuration:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Saturday, March 21, 2009

802.11n Supporting Setting on Wireless LAN Controller

802.11n is activated on a Cisco WLC or WiSM only when the WPA2 setting is selected. If you select the WPA+WPA2 setting, you get only 802.11a/b/g, even though your access point supports 802.11n (for example the Cisco 1252 access point).


By Sachin

Friday, August 17, 2007

PIX URL filtering

PIX/ASA are capable of doing advanced protocol inspection, and this applies to all the popular protocols. In this post, I am giving an example of URL filtering using advanced HTTP inspection with regular expressions.

Though the ASA has the option of a CSC module to do the same, the CSC module has no provision for creating multiple profiles for different sets of users. The only differences between the ASA/PIX method and the CSC method (as far as the HTTP functionality goes) are the blocking of websites based on site content classifications, which are updated regularly from the internet, and the custom message that the CSC module can show to the user when it blocks a website.

Below is an example wherein all users in the 'INSIDE' network should be able to access only 'GOOGLE' and all its services but not any other website. (Please note that it can also be done the other way round, i.e., by blocking certain websites and allowing all others.)
*************************************
regex allow_google ".*google.*"

class-map inside
 match any

class-map type inspect http match-all url_filter
 match not request header host regex allow_google

policy-map type inspect http url_filter
 parameters
 class url_filter
  drop-connection log

policy-map inside
 class inside
  inspect http url_filter

service-policy inside interface inside
************************************
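The policy above drops any HTTP request whose Host header does not match the allow_google regex. The following Python check is an added example, not part of the original post, that emulates that decision against a few constructed Host header values; it assumes the ASA regex engine agrees with Python's re module on these simple constructs, and the anchored pattern ALLOW_GOOGLE_ANCHORED is an assumed alternative, not something the post uses. Running it shows that the post's unanchored ".*google.*" also allows any host that merely contains the string "google", which is why an allow-list regex should normally be anchored to the domain it is meant to permit.

```python
import re

# Constructed example: emulate the 'match not request header host regex allow_google'
# check from the post against sample Host header values. The ASA regex engine is
# assumed to agree with Python's re on these simple constructs.

# The pattern used in the post (matches "google" anywhere in the header value)
ALLOW_GOOGLE_POST = r".*google.*"

# Assumed alternative: anchored so that only google.com and its subdomains pass
ALLOW_GOOGLE_ANCHORED = r"^([a-z0-9-]+\.)*google\.com$"


def host_allowed(host_header, allow_regex):
    """Return True when the Host header value satisfies the allow regex.

    With 'match not request header host regex X' under a match-all class and
    'drop-connection log', a request is dropped exactly when this returns False.
    """
    # Lower-case the value and drop any ':port' suffix (e.g. 'host:8080') so the
    # comparison is made on the host name alone.
    host = host_header.strip().lower().split(":")[0]
    # 'regex' on the ASA searches the header value, so use re.search, not fullmatch
    return re.search(allow_regex, host) is not None


def would_drop(host_header, allow_regex):
    """Mirror the policy action: True means drop-connection would fire."""
    return not host_allowed(host_header, allow_regex)


# Constructed sample Host header values, not taken from any real traffic
SAMPLE_HOSTS = [
    "www.google.com",
    "mail.google.com",
    "www.google.com:8080",
    "example.org",
    "google.example.org",  # contains 'google' but is not a Google host
]


def evaluate(allow_regex):
    """Map each sample host to whether the policy would drop it."""
    return {h: would_drop(h, allow_regex) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, pattern in (("post pattern", ALLOW_GOOGLE_POST),
                          ("anchored pattern", ALLOW_GOOGLE_ANCHORED)):
        print(f"{name}: {pattern}")
        for host, dropped in evaluate(pattern).items():
            print(f"  {host:<22} {'DROP' if dropped else 'allow'}")
```

The same host list run through both patterns makes the difference visible in one screen: the post's pattern allows google.example.org, the anchored one drops it, and both still allow the real Google hosts, including one carrying a port suffix.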

I feel it should be possible to port snort rules into PIX/ASA using regular expressions. Probably, the next post may have an example.

happy tweaking....


Wednesday, May 30, 2007

Issues with RSTP Interoperability and Backward Compatibility

As per Cisco, RSTP is backward compatible with STP (802.1D). All the Cisco documents specify that an RSTP-enabled port will fall back to STP when connected to an STP-enabled network.

In most cases this is true: RSTP is backward compatible with STP.

http://www.cisco.com/univercd/cc/td/doc/product/metro/me3400/12225seg/3400scg/swstp.htm#wp1166519

But there is a rider to this generalized statement. RSTP is a lot faster than STP: the typical convergence time of RSTP is less than 3 seconds, while that of STP is about 50 seconds, assuming that no proprietary Cisco enhancements are used.

The rider is that RSTP and STP work perfectly together only IF RSTP is used in the core while STP is used in the access layer. Any other combination of RSTP and STP would be a disaster: if done any other way, an STP loop would be induced into the network.

The above link gives a recommendation. I quote:
"When a network contains switches running rapid PVST+ and switches running PVST+, we recommend that the rapid-PVST+ switches and PVST+ switches be configured for different spanning-tree instances."

I have faced problems personally in RSTP-STP interoperability.

If there is a need to convert a network from STP to RSTP, I would suggest that the core is converted to RSTP first, then the distribution and then the access layer. (Although this methodology is not entirely tested.)

Monday, May 7, 2007

TCL Snippet for Cisco Routers

You might come across a situation where you have to configure etherchannel across multiple line-card modules of a Cisco 6500 switch. Manually configuring a large number of port pairs across multiple modules could be very time-consuming and monotonous.

Well, here comes the solution, with the help of the Tcl interpreter built into Cisco IOS (select models only).

Following is an example wherein the ports of the 48-port 10/100 Ethernet modules in slots 2 and 3 are configured for etherchannel.

Traditional Method

configure terminal
interface fastethernet 2/1
channel-group 1 mode on
interface fastethernet 3/1
channel-group 1 mode on
interface fastethernet 2/2
channel-group 2 mode on
interface fastethernet 3/2
channel-group 2 mode on
...and so on.

Smart Method using TCL

tclsh
# Pair port N of slot 2 with port N of slot 3 in channel-group N, for N = 1..48
set i 1
while {$i < 49} {
    ios_config "interface fastethernet 2/$i" "channel-group $i mode on"
    ios_config "interface fastethernet 3/$i" "channel-group $i mode on"
    incr i
}

Hope this helps. Suggestions and Feedback, welcome. Will come up with more in the future, so watch this space.
Sridhar.

Power of Tera Term

Tera Term is easily one of the most powerful free terminal emulation programs that I have come across, and its power lies in its scripting language, TTL. Of course, it is not as extensive and capability-rich as Perl, but for a non-programmer, a browse through a single help file on the TTL language is all it takes to create wonderful scripts that could make his/her life easier in maintaining huge networks.

The capabilities are limitless and if you could find better ways of enhancing the following script, please come forward and do your bit.

The purpose of the script is for terminal configuration of repetitive commands in multiple terminal enabled devices at once but sequentially without human intervention.

The other purpose of the script is to fetch terminal information from multiple terminal enabled devices at once but sequentially without human intervention.

The script is primarily designed for working with Cisco devices which can be configured using terminal emulation and which have a Command Line Interface (CLI).

The execution of the script requires Tera Term Software installed on the user’s computer. The Tera Term software can be downloaded from the following URL:

http://hp.vector.co.jp/authors/VA002416/teraterm.html

The procedure for execution of the script is as follows:

  • Download Tera Term from the above-mentioned URL.
  • Unzip the downloaded file and execute the Setup.exe file.
  • Install the software in a destination of your choice.
  • Copy the script provided below into the Tera Term directory.
  • The script has the extension .TTL and can be opened in Notepad.
  • Open the file in Notepad and change the variable ‘dirname’ in the script to reflect your Tera Term directory.
  • Make two text files in the directory specified by the variable ‘dirname’ with the following names:
      ip.txt
      commands.txt
  • Make sure you have telnet access to all the devices you would like to configure.
  • Open the ip.txt file and enter the IP addresses of all the devices from which the configuration needs to be fetched or to which it needs to be pushed. Place only one IP address per line.
  • Open the commands.txt file and enter the commands for configuration, or the commands for fetching configuration from the devices. Please note that the commands need to be compatible with all the devices entered in the ip.txt file. Put in the commands in the sequential order in which you would configure the device under normal circumstances. For example:
      terminal length 0
      show running-config
      config t
      enable secret cisco
      exit
      terminal length 24
      write memory
  • Please place only the commands that are required after authentication is done. By default the script expects a device prompt (which can be customized easily) after authentication. You may change it at any point of time.
  • Execute the file ttpmacro.exe present in the Tera Term directory and select the macro with the ‘.ttl’ extension.
  • Enter the username for logging into the devices and press OK. Please note that the username and password prompts appear only once; the same username and password are used to log in to all the devices.
  • Enter the password in the Password Prompt dialog box and press OK.
  • For the Enable Password Authentication prompt, click Yes if you have enable password authentication configured on at least some of the devices, or click No if you don’t have an enable password configured on any of the devices.
  • If Yes, provide the enable password used to log in to all the devices. The password is assumed to be common to all the devices.
  • For the Logging dialog box, click Yes if you want to log the output or No if you don’t.
  • If Yes, enter the directory in which the logs have to be placed. For example, if the directory is ‘C:\logs’ then enter it in the following format:
      c:\logs\
  • Please note that the trailing ‘\’ is important after you enter the directory path and name.
  • Sit back and relax, as the commands entered in the commands.txt file are executed on every device entered in ip.txt.

P.S.: While fetching configuration from any device such as a Cisco router or switch, please make sure to set the terminal length to zero so that the device prompt appears immediately after the execution of the command.

Please give your feedback to make it better.
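Because the macro reads ip.txt and commands.txt blindly, a malformed line in either file only shows up once a session has already been opened on a device. The following pre-flight check is an added example, not part of the original post or of the TTL script, that validates both files before ttpmacro.exe is run: every line of ip.txt must be a single valid IP address, and in commands.txt any "show" command must come after "terminal length 0", as the P.S. above advises. The two sample file contents are constructed for the example; the functions check_ip_list and check_command_list are assumed names and not part of Tera Term.

```python
import ipaddress
from pathlib import Path

# Constructed sample contents for the two input files the TTL macro expects.
# The third address is deliberately invalid.
SAMPLE_IP_TXT = """10.0.0.1
10.0.0.2
10.0.0.300
"""

# Constructed sample: 'show running-config' is placed before 'terminal length 0'
# on purpose, which is the ordering mistake the P.S. warns about.
SAMPLE_COMMANDS_TXT = """show running-config
terminal length 0
config t
enable secret cisco
exit
terminal length 24
write memory
"""


def check_ip_list(text):
    """Return a list of problems found in ip.txt content (one address per line)."""
    problems = []
    lines = text.splitlines()
    if not lines:
        problems.append("ip.txt is empty")
    for n, line in enumerate(lines, 1):
        value = line.strip()
        if not value:
            # The macro does 'filereadln' then 'connect ip', so a blank line
            # becomes an attempt to connect to an empty host name.
            problems.append(f"line {n}: blank line (the macro would try to connect to '')")
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"line {n}: '{value}' is not a valid IP address")
    return problems


def check_command_list(text):
    """Return problems in commands.txt: paging must be off before any show command."""
    problems = []
    lines = [line.strip() for line in text.splitlines()]
    if not any(lines):
        problems.append("commands.txt is empty")
    paging_off = False
    for n, cmd in enumerate(lines, 1):
        if not cmd:
            continue
        low = cmd.lower()
        if low.startswith("terminal length 0"):
            paging_off = True
        elif low.startswith("terminal length"):
            # Any other terminal length turns paging back on
            paging_off = False
        elif low.startswith("show") and not paging_off:
            problems.append(f"line {n}: '{cmd}' runs before 'terminal length 0'; "
                            "paged output would stall the macro's prompt wait")
    return problems


def check_files(ip_path, commands_path):
    """Validate the two real files on disk and return every problem found."""
    return (check_ip_list(Path(ip_path).read_text())
            + check_command_list(Path(commands_path).read_text()))


if __name__ == "__main__":
    # Run the checks on the constructed samples; pass real paths to check_files()
    # to validate the files in the Tera Term directory before starting ttpmacro.exe.
    for problem in check_ip_list(SAMPLE_IP_TXT) + check_command_list(SAMPLE_COMMANDS_TXT):
        print("problem:", problem)
```

Run against the samples it reports exactly two problems, the invalid address and the mis-ordered show command; an empty result from check_files() on the real ip.txt and commands.txt means the files are safe to hand to the macro.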



Below is the script for use with Tera Term. Just copy & paste the below code in a notepad and save it with a TTL extension.

;#######################################################
;Version 3.2 (Untested Beta Version)
;Created on 25/03/2007
;For Tera Term Macro Use Only
;Created originally for Cisco Switch & Routers.
;Customizable script, please feel free to edit it.(In fact you have to edit it)
;For usage, execute ttpmacro.exe and select this script
;Write all the ip addresses in sequential order in a file by the name of 'ip.txt'
;Write all the commands in sequential order in a file by the name of 'commands.txt'
;and place the text files in the directory as set by the 'setdir' keyword.
;Complaints and suggestions for improvement welcome.
;Please feel free to take it to the next level and share it with others.
;#######################################################

;######################################################
;Main Script
;######################################################

timeout = 5
dirname = 'E:\Program Files\TTERMPRO313'
setdir dirname
fileopen addressfile 'ip.txt' 0
inputbox 'Username:' 'Username Prompt'
Username = inputstr
passwordbox 'Password:' 'Password Prompt'
Password = inputstr
;Initialise Enable so that 'sendln Enable' in the enabler never hits an undefined variable
Enable = ''
yesnobox 'Is enable password authentication required?' 'Enable Password Question'
if result=0 then
goto jumper1
endif
passwordbox 'Enable Password:' 'Enable Password Prompt'
Enable = inputstr
:jumper1
yesnobox 'Would you like to log the output?' 'Logging'
Logger = result
if Logger = 0 then
goto looper1
endif
inputbox 'Directory path & name followed by \' 'Logging Directory'
loggerpath = inputstr
dirmaker = 'cmd /C md '
strconcat dirmaker loggerpath
exec dirmaker

:looper1
;One IP address per line; a non-zero result from filereadln means end of file
filereadln addressfile ip
if result goto fclose1
connect ip
if result = 1 then
goto fclose1
endif
;result: 0 = timeout, 1 = 'Username:', 2 = 'Password:', 3 = '>' (already logged in), 4 = 'login:'
wait 'Username:' 'Password:' '>' 'login:'
if result = 0 then
call terminator
goto looper1
elseif result = 1 then
goto jumper4
elseif result = 2 then
goto jumper5
elseif result = 3 then
call enabler
call commander
call terminator
goto looper1
elseif result = 4 then
goto jumper4
endif
:jumper4
sendln Username
wait 'Password:'
:jumper5
sendln Password
if Logger = 0 then
goto jumper2
endif
loggerfile = loggerpath
strconcat loggerfile ip
logopen loggerfile 0 0
loggerfile = ''
:jumper2
;result: 0 = timeout, 1 = privileged prompt '#', 2 = user prompt '>'
wait '#' '>'
if result = 0 then
call terminator
elseif result = 1 then
call commander
call terminator
elseif result = 2 then
call enabler
call commander
call terminator
endif
goto looper1
:fclose1
fileclose addressfile
closett
end

;################################################
;Enabler is a sub-routine which provides enable password authentication.
;################################################

:enabler
setdir dirname
sendln 'enable'
wait 'Password:'
sendln Enable
return

;#####################################
;Commander is a sub-routine which executes the
;commands placed in 'commands.txt' file
;#####################################

:commander
setdir dirname
fileopen commandfile 'commands.txt' 0
:looper2
filereadln commandfile statement
if result goto fclose2
sendln statement
wait '#' '>'
if result = 2 then
goto fclose2
endif
goto looper2
:fclose2
fileclose commandfile
return

;###########################################
;Terminator is a sub-routine which provides terminal closure and
;passing the control to the main sub-routine for loop completion.
;###########################################

:terminator
beep
if Logger = 0 then
goto jumper3
endif
logclose
:jumper3
closett
return

;###########################################