Sunday, 27 May 2012

IOS Based traffic generation with tcp-small-servers

Recently I was watching the INE vSeminar on OER - 7.5 hours of, well, I wouldn't exactly call it joy, but it is certainly enlightening on how performance routing (the current name for optimized edge routing) "works" in an IOS 12.4(15)T environment.   The version number is relevant as that is currently what the CCIE Lab uses; however, based on my own experiences and on the vSeminar, while quite powerful and flexible, it is also kind of fragile while you are developing your configuration.

Anyway, one of the interesting things that came out of it wasn't directly related to OER itself, except that OER needs some traffic flows to take actions upon. Rather than relying purely on pings, Brian demoed a different technique that uses TCP traffic flows: enable "service tcp-small-servers" on the router you would like to generate the traffic from, and telnet to port 19 on it from the router you would like the traffic sent to.


Here's a quick demo with two routers:

R1
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0/0.12 point-to-point
 description R2 S0/0.21
 ip address 10.1.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.12.1 0.0.0.0 area 0
!

R2
hostname R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0/0.21 point-to-point
 description R1 S0/0.12
 ip address 10.1.12.2 255.255.255.0
 frame-relay interface-dlci 201
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.12.2 0.0.0.0 area 0
!

First let's verify connectivity:

R2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Enabling tcp-small-servers enables the chargen service on TCP port 19.  Other services such as echo, discard and daytime are enabled as well, but they aren't so helpful when it comes to traffic generation.


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service tcp-small-servers

We can't see it in the output, but the router is now listening on TCP port 19:

R1(config)#do sh tcp brief all
TCB       Local Address               Foreign Address             (state)
674596C8  *.80                        *.*                         LISTEN
 

R2#telnet 1.1.1.1 chargen /source-interface lo0
Trying 1.1.1.1, 19 ... Open
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
.....

The output on R2 is the chargen service on R1, which will run forever (or at least until the session is closed). On R1 we can see the session is up and running:

R1(config)#do sh tcp brief all
TCB       Local Address               Foreign Address             (state)
665DEFFC  1.1.1.1.19                  2.2.2.2.20844               ESTAB
674596C8  *.80                        *.*                         LISTEN

Let's see how fast R1 is pushing out traffic:

R1(config)#policy-map Monitor
R1(config-pmap)#class class-default
R1(config)#int s0/0.12
R1(config-subif)#service-policy output Monitor
R1(config-subif)#int s0/0
R1(config-if)#load-interval 30

We wait for a short period and see how fast R1 is going:

R1(config-if)#do sh policy-map int s0/0.12 out

 Serial0/0.12

  Service-policy output: Monitor

    Class-map: class-default (match-any)
      10441 packets, 1232016 bytes
      30 second offered rate 56000 bps, drop rate 0 bps
      Match: any

Let's shape the outbound TCP traffic to 32kbps:


R1(config)#ip access-list extended TCP
R1(config-ext-nacl)#permit tcp any any
R1(config-ext-nacl)#class-map TCP
R1(config-cmap)#match access-group name TCP
R1(config-cmap)#policy-map SHAPE_TCP
R1(config-pmap)#class TCP
R1(config-pmap-c)#shape average 32000
R1(config)#int s0/0.12
R1(config-subif)#no service-policy output Monitor
R1(config-subif)#service-policy output SHAPE_TCP

And leave things for a minute or so to see how they are operating:

R1(config-subif)#do sh policy-map int s0/0.12 out

 Serial0/0.12

  Service-policy output: SHAPE_TCP

    Class-map: TCP (match-all)
      3810 packets, 449510 bytes
      30 second offered rate 32000 bps, drop rate 0 bps
      Match: access-group name TCP
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            32000/32000     2000   8000      8000      250       1000

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      26        3784      446442    3740      441320    yes

    Class-map: class-default (match-any)
      28 packets, 3320 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

TCP is adapting to the shaped link bandwidth, giving us a 32kbps stream we can play with elsewhere in our network.


If for whatever reason we found that the typical telnet escape sequence (Control+Shift+6 x) didn't work on R2, we can close the session from R1:

R1(config)#do sh tcp brief all
TCB       Local Address               Foreign Address             (state)
665DEFFC  1.1.1.1.19                  2.2.2.2.20844               ESTAB
674596C8  *.80                        *.*                         LISTEN
R1(config-if)#do clear tcp local 1.1.1.1 19 remote 2.2.2.2 20844
[confirm]
 [OK]
R1(config-subif)#do sh tcp br all
TCB       Local Address               Foreign Address             (state)
674596C8  *.80                        *.*                         LISTEN
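As an added example (not from the original post or from INE), here is the same chargen generator and a throughput measurement written in Python, so the pattern and the measurement can be reproduced without routers. It implements RFC 864 chargen (the 72-character rotating lines seen in the R2 telnet output above) on a loopback port, then connects to it the way "telnet 1.1.1.1 chargen" does, reads for a fixed interval and reports the offered rate in bits per second, the figure the "show policy-map interface" output gives. The host, port, interval and function names are assumptions. Keep in mind that chargen answers any client with an unbounded stream, which is why tcp-small-servers is off by default on IOS and why turning it off again (or restricting who can reach port 19) belongs at the end of a lab like this.

```python
import socket
import threading
import time

# RFC 864 chargen character set: the 95 printable ASCII characters from space (0x20) to '~' (0x7E).
CHARSET = bytes(range(0x20, 0x7F))
LINE_LEN = 72  # each line is 72 characters, rotated one position from the previous line


def chargen_line(n: int) -> bytes:
    """Return the n-th chargen line: 72 characters starting at offset n, then CRLF."""
    start = n % len(CHARSET)
    return (CHARSET * 2)[start:start + LINE_LEN] + b"\r\n"


class ChargenServer:
    """Minimal TCP chargen responder standing in for R1 with 'service tcp-small-servers'.
    Bound to loopback on an ephemeral port (an assumption) so the demo runs offline."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(1)
        self.listener.settimeout(0.2)
        self.port = self.listener.getsockname()[1]
        self.stop = threading.Event()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed by close()
                return
            threading.Thread(target=self._stream, args=(conn,), daemon=True).start()

    def _stream(self, conn: socket.socket):
        # Like the router, keep sending until the client goes away (or the server is stopped).
        n = 0
        try:
            while not self.stop.is_set():
                conn.sendall(chargen_line(n))
                n += 1
        except OSError:
            pass
        finally:
            conn.close()

    def close(self):
        self.stop.set()
        self.listener.close()


def measure_rate(host: str, port: int, seconds: float = 0.5) -> dict:
    """Connect like 'telnet <host> chargen', read for `seconds`, and report the offered rate."""
    head = bytearray()
    total = 0
    with socket.create_connection((host, port)) as s:
        s.settimeout(1.0)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            chunk = s.recv(65536)
            if not chunk:
                break
            total += len(chunk)
            if len(head) < 2 * (LINE_LEN + 2):  # keep the first couple of lines for inspection
                head += chunk
    return {"bytes": total, "bps": int(total * 8 / seconds), "head": bytes(head)}


def looks_like_chargen(data: bytes) -> bool:
    """Sanity check on captured output: the first two lines must be chargen lines 0 and 1."""
    lines = data.split(b"\r\n")
    return len(lines) >= 2 and all(lines[i] == chargen_line(i)[:-2] for i in range(2))


if __name__ == "__main__":
    server = ChargenServer()
    result = measure_rate("127.0.0.1", server.port, 1.0)
    server.close()
    print(result["head"][:LINE_LEN + 2].decode())
    print("offered rate about %d bps over %d bytes" % (result["bps"], result["bytes"]))
```

On loopback the measured rate is whatever the host can push, which is the point: without a shaper in the path, a chargen stream fills the link, exactly as the 56000 bps figure on the serial interface showed before the 32kbps shaper was applied.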

Probably not something useful for the CCIE Lab itself, but for testing QoS in your own environment it may be useful.

Monday, 21 May 2012

Back to Basics

As part of my getting-back-to-basics regime I've been going through Narbik's Advanced Routing and Switching 4.0 Workbooks. To be honest it's not basics, but it's refreshing to go back to something as simple as Ethernet trunking (honestly, DTP isn't something I've given a lot of thought to in a while, and while there was nothing earth shattering, it's good to touch base again) and incrementally reinforce my knowledge.

One of my old favourite commands that I've been using recently is "show ip protocols", which gives such a wealth of information, including timers, authentication key usage and whether protocols are being redistributed.

Last night I went through a rather epic RIP lab that touched 9 routers, and now it's time to jump into EIGRP...

Saturday, 12 May 2012

Switch Port Authentication with 802.1x

Lately I have been playing around with FreeRADIUS and thought it may be interesting to play around with dot1x on switch ports.

The topology I'm using today uses an AAA server, two routers and a switch:

(AAA)eth0---Fa1/0(R1)Fa0/0--Trunk--Fa1/0/1(SW1)Fa1/0/14---Fa1/0(R2)


The link between R1 and SW1 is using a trunk to support multiple VLANs.  VLAN 11 is used for AAA/SW1 connectivity and VLAN 12 for R1/R2 connectivity.


R2 is acting as our end device and is a DHCP client.

Thanks to bridging on R1, AAA (192.168.100.253/24), R1 (BVI1 = 192.168.100.1/24) and SW1 (VLAN11 = 192.168.100.11/24) are all on the same subnet.



Here are our configurations:

R1
hostname R1
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
ip dhcp excluded-address 10.1.12.1
ip dhcp excluded-address 10.1.12.3 10.1.12.254
ip dhcp pool R2
   network 10.1.12.0 255.255.255.0
!
interface FastEthernet0/0
 description SW1 Fa1/0/1
 no ip address
!
interface FastEthernet0/0.11
 description For SW1 to Communicate with AAA
 encapsulation dot1Q 11
 bridge-group 1
!
interface FastEthernet0/0.12
 description To Communicate with R1
 encapsulation dot1Q 12
 ip address 10.1.12.1 255.255.255.0
!
interface FastEthernet1/0
 description To AAA
 no ip address
 bridge-group 1
!

SW1
hostname SW1
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
vlan 11-12,99
ip dhcp excluded-address 99.99.99.99
ip dhcp pool GuestVLAN
   network 99.99.99.0 255.255.255.0
!
!
interface FastEthernet1/0/1
 description R1 Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/14
 description R2 Fa1/0
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 99
 spanning-tree portfast
 shutdown
!
interface Vlan11
 ip address 192.168.100.11 255.255.255.0
!
interface Vlan99
 ip address 99.99.99.99 255.255.255.0
!
radius-server host 192.168.100.253 auth-port 1812 acct-port 1813 key cisco


R2
hostname R2
interface FastEthernet1/0
 description SW1 Fa1/0/14
 ip address dhcp
!

The FreeRADIUS configuration is stock standard except for the two files below:
radius-server:~# cat /etc/freeradius/clients.conf
client 192.168.100.0/24 {
        secret=cisco
        shortname=router
}

radius-server:~# cat /etc/freeradius/users
R2      Cleartext-Password := "R2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 12

Initially R2 has no dot1x configuration on it.  SW1 is set to communicate with the FreeRADIUS server to verify the end device connecting on Fa1/0/14. There are three possible outcomes:
  1. If the end device does not appear to be a dot1x client (supplicant), then after several attempts to see whether the end device really doesn't support dot1x, the switch will place the user into the guest VLAN.
  2. If the end device supports dot1x and authentication fails, the user will not be allowed on the network.
  3. If the end device supports dot1x and authentication succeeds, the AAA server will pass back which VLAN the user should be associated with and the switch will put the user into it.
The current configuration is set up for #1.
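As an added example (not part of the post, and not FreeRADIUS or IOS code), the Python below models those three outcomes: a small parser for the users-file subset shown above, a stand-in for the RADIUS accept/reject decision, and the authenticator's resulting port state, matching the "Authorized By" and "Vlan Policy" fields that "show dot1x" prints. The guest VLAN, username and passwords are those on the page; the function and field names are assumptions. Note what the first outcome means in practice: a device that simply never answers EAPOL ends up in VLAN 99, so that VLAN should carry only what you would give an unauthenticated device.

```python
import hmac
from typing import Dict, Optional, Tuple

# The users file from the post, embedded so the example runs offline (constructed copy).
USERS_FILE = '''R2      Cleartext-Password := "R2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 12
'''


def parse_users(text: str) -> Dict[str, dict]:
    """Parse the subset of the FreeRADIUS 'users' format used on the page:
    a user line with ':=' check items, followed by indented, comma separated reply items.
    This is a simplified parser, not FreeRADIUS's own."""
    users: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":  # column 0: a new entry, "<username> <check items>"
            parts = raw.split(None, 1)
            current = users.setdefault(parts[0], {"check": {}, "reply": {}})
            if len(parts) == 2:
                for item in parts[1].split(","):
                    if ":=" in item:
                        key, value = item.split(":=", 1)
                        current["check"][key.strip()] = value.strip().strip('"')
        else:  # indented: a reply item sent back in the Access-Accept
            if current is None:
                raise ValueError("reply item before any user entry")
            key, value = raw.strip().rstrip(",").split("=", 1)
            current["reply"][key.strip()] = value.strip().strip('"')
    return users


def radius_authenticate(users: Dict[str, dict], username: str, password: str) -> Tuple[str, dict]:
    """Stand-in for the RADIUS server: Access-Accept with the user's reply items, else Access-Reject."""
    entry = users.get(username)
    stored = entry["check"].get("Cleartext-Password", "") if entry else ""
    # constant-time compare, and a missing user takes the same path as a wrong password
    if entry is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return "Access-Reject", {}
    return "Access-Accept", dict(entry["reply"])


def authenticator_outcome(guest_vlan: int, supplicant_seen: bool,
                          radius_result: Optional[Tuple[str, dict]] = None) -> dict:
    """Port state SW1 ends up in for the three cases described in the post."""
    if not supplicant_seen:
        # case 1: no EAPOL answer after the retries, so the port is authorized into the guest VLAN
        return {"port_status": "AUTHORIZED", "authorized_by": "Guest-Vlan", "vlan": guest_vlan}
    code, attrs = radius_result or ("Access-Reject", {})
    if code != "Access-Accept":
        # case 2: EAP Fail, port stays unauthorized (Auth SM State = HELD)
        return {"port_status": "UNAUTHORIZED", "authorized_by": None, "vlan": None}
    # case 3: accepted; a VLAN is applied only when all three tunnel attributes are present
    vlan = attrs.get("Tunnel-Private-Group-ID")
    if attrs.get("Tunnel-Type") == "VLAN" and attrs.get("Tunnel-Medium-Type") == "IEEE-802" and vlan:
        return {"port_status": "AUTHORIZED", "authorized_by": "Authentication Server", "vlan": int(vlan)}
    # accepted without a VLAN assignment: port stays in its configured access VLAN (None here)
    return {"port_status": "AUTHORIZED", "authorized_by": "Authentication Server", "vlan": None}


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    print("no supplicant:", authenticator_outcome(99, False))
    print("R2 / r3      :", authenticator_outcome(99, True, radius_authenticate(users, "R2", "r3")))
    print("R2 / R2      :", authenticator_outcome(99, True, radius_authenticate(users, "R2", "R2")))
```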

Let's start things going:

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int fa1/0/14
SW1(config-if)#no shut
*Mar  1 09:04:43.416: %LINK-3-UPDOWN: Interface FastEthernet1/0/14, changed state to up
SW1(config-if)#do show dot1x int fa1/0/14 detail

Dot1x Info for FastEthernet1/0/14
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Guest-Vlan                = 99

Dot1x Authenticator Client List Empty

Domain                    = DATA
Port Status               = UNAUTHORIZED





Right now SW1 Fa1/0/14 is sending out EAPOL frames and waiting for a response from a supplicant.  After about 90 seconds the switch will have decided that there isn't a supplicant on the other end and will push the end device into the guest VLAN:

*Mar  1 09:06:16.949: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/14, changed state to up




R2#
*Mar  1 02:32:41.847: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet1/0 assigned DHCP address 99.99.99.3, mask 255.255.255.0, hostname R2

We can see that R2 was assigned an IP by SW1 from the GuestVLAN DHCP pool we defined earlier, and that port Fa1/0/14 was put into VLAN 99, the guest VLAN we configured:
 
SW1(config-if)#do sh interfaces fa1/0/14 switchport | i ^Name|^Operational Mode|^Access Mode
Name: Fa1/0/14
Operational Mode: static access
Access Mode VLAN: 99 (VLAN0099)


SW1(config-if)#do sh dot1x int fa1/0/14 details

Dot1x Info for FastEthernet1/0/14
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Guest-Vlan                = 99

Dot1x Authenticator Client List Empty

Domain                    = DATA
Port Status               = AUTHORIZED

Authorized By             = Guest-Vlan
Operational HostMode      = MULTI_HOST
Vlan Policy               = 99

For setup #2 let's turn R2 into an 802.1x supplicant. First we configure our credentials:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#dot1x credentials R2
R2(config-dot1x-creden)#username R2
R2(config-dot1x-creden)#password r3



Now we change the interface to act as a dot1x supplicant and attach the credentials to it:

R2(config-dot1x-creden)#int fa1/0
R2(config-if)#dot1x pae supplicant
R2(config-if)#dot1x credentials R2
R2(config-if)#end

Hmm, as soon as we do this, SW1 pulls down the line protocol and tries to authenticate our supplicant:

SW1#*Mar  1 09:20:03.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/14, changed state to down


SW1#show dot1x interface fa1/0/14 de

Dot1x Info for FastEthernet1/0/14
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Guest-Vlan                = 99

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = c201.08b9.0010

    Auth SM State         = HELD
    Auth BEND SM State    = IDLE
Port Status               = UNAUTHORIZED
Authentication Method     = Dot1x

Let's see what is happening by debugging dot1x events on SW1:

SW1#deb dot1x events
Dot1x events debugging is on
*Mar  1 09:31:13.871: dot1x-ev:Sending create new context event to EAP for c201.08b9.0010
*Mar  1 09:31:13.871: dot1x-ev:FastEthernet1/0/14:Sending EAPOL packet to group PAE address
*Mar  1 09:31:13.871: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar  1 09:31:13.871: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/14
*Mar  1 09:31:13.879: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar  1 09:31:13.879: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar  1 09:31:13.879: EAPOL pak dump rx
*Mar  1 09:31:13.879: EAPOL Version: 0x2  type: 0x0  length: 0x0007
*Mar  1 09:31:13.879: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/14 CODE= 2,TYPE= 1,LEN= 7

*Mar  1 09:31:13.879: dot1x-ev:Received pkt saddr =c201.08b9.0010 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0200.0007
*Mar  1 09:31:13.879: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa1/0/14 is TRUE

*Mar  1 09:31:13.879: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from c201.08b9.0010
*Mar  1 09:31:13.930: dot1x-ev:FastEthernet1/0/14:Sending EAPOL packet to group PAE address
*Mar  1 09:31:13.930: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar  1 09:31:13.930: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/14
*Mar  1 09:31:13.938: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar  1 09:31:13.938: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar  1 09:31:13.938: EAPOL pak dump rx
*Mar  1 09:31:13.938: EAPOL Version: 0x2  type: 0x0  length: 0x0016
*Mar  1 09:31:13.938: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/14 CODE= 2,TYPE= 4,LEN= 22

*Mar  1 09:31:13.938: dot1x-ev:Received pkt saddr =c201.08b9.0010 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0200.0016
*Mar  1 09:31:13.938: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa1/0/14 is TRUE

*Mar  1 09:31:13.938: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from c201.08b9.0010
*Mar  1 09:31:14.962: dot1x-ev:Authorization data for client c201.08b9.0010 has been reset on FastEthernet1/0/14
*Mar  1 09:31:14.962: dot1x-ev:Received an EAP Fail on FastEthernet1/0/14 for mac c201.08b9.0010
*Mar  1 09:31:14.962: dot1x-ev:dot1x_switch_authz_fail: Called for FastEthernet1/0/14 and c201.08b9.0010
*Mar  1 09:31:14.962: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet1/0/14
*Mar  1 09:31:14.962: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa1/0/14
*Mar  1 09:31:14.962: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC c201.08b9.0010 on interface FastEthernet1/0/14
*Mar  1 09:31:14.962: dot1x-ev:dot1x_vlan_assign_authz_fail on interface FastEthernet1/0/14
*Mar  1 09:31:14.962: dot1x-ev:FastEthernet1/0/14:Sending EAPOL packet to group PAE address
*Mar  1 09:31:14.962: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar  1 09:31:14.962: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/14

Looking at the "Received an EAP Fail" line in the debug output above, we can see that our dot1x authorization has failed, quite probably because authentication has not succeeded.

R2#sh run | s ^dot1x
dot1x credentials R2
 username R2
 password 0 r3

Okay, this is due to our password being incorrect. It's a simple fix: we can see what is required by looking at what was configured in the users file for FreeRADIUS, then bounce the interface.
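To make sense of the two EAPOL frames in that debug, here is an added Python decoder (not from the post, and not Cisco or FreeRADIUS code) that rebuilds them and checks the EAP-MD5 response the way the RADIUS server would. The debug lines show EAPOL headers 0200.0007 and 0200.0016 (version 2, type 0 = EAP-Packet, body length 7 and 22) carrying EAP CODE= 2 (Response) of TYPE= 1 (Identity) and TYPE= 4 (MD5-Challenge). A 7-byte Response/Identity is exactly what the identity "R2" produces, and a 22-byte Response/MD5-Challenge is a 16-byte MD5 value with no name field. The challenge bytes and EAP identifiers are constructed, since the debug does not print them, and the server-side check uses EAP-MD5 as defined in RFC 3748, value = MD5(identifier || password || challenge). Verifying the response built with the password r3 against the stored password R2 fails, which is the EAP Fail above.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# EAPOL (802.1X) header: version, packet type, body length. Type 0 = EAP-Packet.
EAPOL_VERSION = 2
EAPOL_EAP_PACKET = 0
# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no type byte
    data: bytes


def parse_eapol(frame: bytes) -> Tuple[int, int, bytes]:
    """Split an EAPOL PDU (what follows Ethertype 0x888e) into (version, type, body)."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return version, ptype, body


def parse_eap(body: bytes) -> EapPacket:
    """Decode the EAP header (code, identifier, length) and, for Request/Response, the type byte."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length != len(body):
        raise ValueError("EAP length field does not match body")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, length, None, b"")
    return EapPacket(code, ident, length, body[4], body[5:])


def describe(pkt: EapPacket) -> str:
    """Same shape as the 'dot1x_auth_queue_event' debug line on the switch."""
    return "CODE= %d,TYPE= %s,LEN= %d" % (pkt.code, pkt.eap_type, pkt.length)


def build_eapol_eap(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value = MD5(identifier || password || challenge) (RFC 3748 5.4, RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_md5_response(pkt: EapPacket, password: bytes, challenge: bytes) -> bool:
    """What the server does with the Response/MD5-Challenge: recompute and compare."""
    if pkt.code != EAP_RESPONSE or pkt.eap_type != EAP_TYPE_MD5_CHALLENGE or not pkt.data:
        return False
    value_size = pkt.data[0]
    value = pkt.data[1:1 + value_size]
    return hmac.compare_digest(value, md5_challenge_value(pkt.identifier, password, challenge))


def supplicant_exchange(identity: bytes, password: bytes, challenge: bytes,
                        id_ident: int = 1, md5_ident: int = 2) -> Tuple[bytes, bytes]:
    """The two frames R2 sends: Response/Identity, then Response/MD5-Challenge.
    Identifiers are chosen by the authenticator per request; the values here are assumed."""
    resp_identity = build_eapol_eap(EAP_RESPONSE, id_ident, EAP_TYPE_IDENTITY, identity)
    value = md5_challenge_value(md5_ident, password, challenge)
    resp_md5 = build_eapol_eap(EAP_RESPONSE, md5_ident, EAP_TYPE_MD5_CHALLENGE,
                               bytes([len(value)]) + value)
    return resp_identity, resp_md5


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; the real one comes from the server's Request
    for pw in (b"r3", b"R2"):
        rid, rmd5 = supplicant_exchange(b"R2", pw, challenge)
        for frame in (rid, rmd5):
            pkt = parse_eap(parse_eapol(frame)[2])
            print(frame[:4].hex(), describe(pkt))
        print("password %r verifies against stored 'R2':" % pw,
              verify_md5_response(parse_eap(parse_eapol(rmd5)[2]), b"R2", challenge))
```

The frames also show why the switch's "debug dot1x events" output is enough to tell the two cases apart: the Identity and MD5-Challenge responses look the same on the wire whether the password is right or not, and only the server's recomputation of the MD5 value decides between EAP Success and EAP Fail.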

Repairing this will give us setup #3:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#dot1x credentials R2
R2(config-dot1x-creden)#password R2
R2(config-dot1x-creden)#int fa1/0
R2(config-if)#shut
R2(config-if)#no shut
R2(config-if)#end
R2#
*Mar  1 03:36:29.863: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 03:36:32.299: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet1/0 assigned DHCP address 10.1.12.2, mask 255.255.255.0, hostname R2




An IP address allocated by R1 certainly indicates that things are now working as desired.

SW1#sh interfaces fa1/0/14 switchport | i ^Name|^Operational Mode|^Access Mode
Name: Fa1/0/14
Operational Mode: static access
Access Mode VLAN: 12 (VLAN0012)
SW1#show dot1x int fa1/0/14 det | b Client List

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = c201.08b9.0010
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 12

We can see that R2 is authorized by our AAA server and the port was pushed into VLAN 12.

R2#ping 10.1.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/20 ms

There are more things that can be done, however this should serve as a reasonable introduction to using dot1x.