EEM Script to shut / no shut ATM interface automatically

Tired of DSL lines mysteriously dropping, I knocked together this EEM script to bounce the ATM interface on a Cisco router if it has been down for 1 minute. Known affectionately as the “ATM brown trousers” script 🙂

This is a dirty hack, but sometimes needs must, especially when you’re at the end of a long DSL line that just never settles. One caveat: the applet fires on the track’s transition to down, so if the interface never comes back after the bounce it will not fire again until the line protocol has been up (for the 5 second up delay) and then down for another 60 seconds.

track 1 interface ATM0 line-protocol
delay down 60 up 5

event manager applet atm0-down
event track 1 state down
action 1.0 syslog msg "%ATM-BRWNTRSRS: Interface ATM 0 failed, reset via EEM."
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "interface atm 0"
action 1.4 cli command "shut"
action 1.5 wait 5
action 1.6 cli command "no shut"
action 1.7 cli command "end"
action 1.8 syslog msg "EEM script complete"
action 1.9 wait 60
action 2.0 snmp-trap strdata "%ATM-BRWNTRSRS: Interface ATM 0 failed, reset via EEM."

HOWTO: Prime a Cisco lightweight (CAPWAP) access point

Quick note on how to pre-configure the IP, subnet, gateway and controller IP address on a CAPWAP access point – a 3602 joining a Cisco 5508 WLC in this case.

Handy when you’re sending out a replacement AP to a site that is statically addressed with no sign of a DHCP server; it saves temporarily configuring one on the WLC.

Console in; the default enable password is Cisco.

No need for ‘conf t’, these are entered at the privileged exec prompt:

capwap ap ip address <IP> <mask>
capwap ap ip default-gateway <GW IP>
capwap ap controller ip address <Controller IP>

SSH port forwarding – as a secure proxy

I’ve built a local SSH proxy to secure traffic whilst I update this blog, so I thought I would explain the syntax in a little more detail than in my previous post, SSH Port Forwarding.

The ssh utility in Linux can forward a local port to a remote host in a number of ways. I use the -L option to forward a local port on a proxy host to a remote server, which saves establishing an ssh tunnel from each machine I work from within my network.

The ssh man page explains it like this :

-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.

Simple use of the -L option, as in my previous post, takes a connection made to a port on the local host and presents it as a socket connection opened from the remote host. For example:

ssh -L 8888:127.0.0.1:80 [email protected]

This command takes a connection to port 8888 on my machine’s loopback address (127.0.0.1), tunnels the traffic through the ssh session and presents it from the loopback adapter on the server to the service listening there on port 80, the web server. Worth noting: I could have bound port 80 on my local host instead, but as that is a privileged port (below 1024) it would require root access.

Combining this with autossh (to keep the tunnel alive) and a small caching DNS daemon on my LAN (dnsmasq) that resolves this blog’s name to the internal proxy address, I can tunnel all traffic to my web server securely.
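The -L spec quoted from the man page has a few forms that are easy to get wrong, so here is an added example (not from the original post and not OpenSSH code) that parses the colon form [bind_address:]port:host:hostport, the slash alternative and bracketed IPv6 literals, then reports the two things worth checking before opening a listener: whether the local port is privileged (needs root) and whether the bind address exposes the listener on every interface rather than loopback only. The LocalForward class, parse_local_forward and describe are names chosen for this illustration.

```python
"""Parse and sanity-check an OpenSSH -L local-forward spec.

Added example for illustration only; not part of the original post and not
OpenSSH code. It follows the man page text quoted above: the colon form
[bind_address:]port:host:hostport, the slash form [bind_address/]port/host/hostport
for IPv6, and IPv6 literals written in square brackets.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LocalForward:
    bind_address: Optional[str]   # None: not given, so GatewayPorts decides (loopback by default)
    port: int                     # listening port on the ssh client
    host: str                     # target reached from the remote (server) side
    hostport: int

    @property
    def needs_root(self) -> bool:
        # "Only the superuser can forward privileged ports"
        return self.port < 1024

    @property
    def exposed_to_all_interfaces(self) -> bool:
        # an empty bind address or '*' listens on every interface
        return self.bind_address in ("", "*")

    @property
    def loopback_only(self) -> bool:
        return self.bind_address in ("localhost", "127.0.0.1", "::1")


def _split_keeping_brackets(spec: str, sep: str) -> List[str]:
    """Split on sep, but never inside a [...] IPv6 literal."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return parts


def _unbracket(token: str) -> str:
    return token[1:-1] if token.startswith("[") and token.endswith("]") else token


def parse_local_forward(spec: str) -> LocalForward:
    # The slash form exists so IPv6 addresses can be written without brackets;
    # a '/' never appears in a host or port, so its presence selects that form.
    sep = "/" if "/" in spec else ":"
    parts = _split_keeping_brackets(spec, sep)
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -L spec: {spec!r}")
    if not (port.isdigit() and hostport.isdigit()):
        raise ValueError(f"ports must be numeric in {spec!r}")
    lport, rport = int(port), int(hostport)
    if not (0 < lport < 65536 and 0 < rport < 65536):
        raise ValueError(f"port out of range in {spec!r}")
    return LocalForward(None if bind is None else _unbracket(bind), lport, _unbracket(host), rport)


def describe(spec: str) -> str:
    """One-line verdict of the kind you want before typing the ssh command."""
    f = parse_local_forward(spec)
    # no bind address: assume the client-side GatewayPorts default, i.e. loopback
    where = ("all interfaces" if f.exposed_to_all_interfaces
             else "loopback only" if f.loopback_only or f.bind_address is None
             else f.bind_address)
    root = " (needs root)" if f.needs_root else ""
    return f"listen {where}:{f.port}{root} -> {f.host}:{f.hostport} via the remote host"


if __name__ == "__main__":
    for s in ("8888:127.0.0.1:80", "*:23:127.0.0.1:23", "[::1]:8080:[2001:db8::1]:443"):
        print(describe(s))
```

Run it with the blog’s own spec and you get a loopback-only listener on 8888 pointing at port 80 on the server side; swap in a leading `*:` or an empty bind address and the verdict flips to “all interfaces”, which is the case to avoid on a shared proxy host.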

Network Address Translation – NAT explained

Like it or not, NAT has been with us for some time and is unlikely to go anywhere in the near future, at least not until IPv6 becomes mainstream and even then it will be a slow process.

NAT typically comes in three flavours. Static, dynamic and overloading.

Static NAT is found where a direct mapping between addresses is necessary. An example would be where overlapping address space is an issue, typically when company networks merge or a VPN link is required for remote support.

In the example below, traffic from the host 10.0.0.10 entering fa0/0 and leaving fa0/1 is translated so that it arrives at the destination with a source address of 192.168.1.10. Return traffic crossing the router is destined for 192.168.1.10; the router rewrites the destination back to 10.0.0.10 and forwards it to the original host. Because the mapping is fixed, the same applies to connections initiated from the outside towards 192.168.1.10. This is also known as a 1:1 NAT mapping.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

ip nat inside source static 10.0.0.10 192.168.1.10

Dynamic NAT provides a pool of addresses where no fixed bidirectional relationship between hosts is required. For example, where a sufficient range of publicly routable addresses is available to serve internal hosts requesting resources from the Internet, a dynamic translation may be configured on a border router to service outbound requests from local hosts. This method is becoming less common due to the depletion of public IPv4 address space.

In the example below, traffic from the 10.0.0.0/24 network is dynamically assigned an address between 192.168.1.10 and 192.168.1.19 when crossing the router outbound, and return traffic is translated back according to whichever address the outbound flow was given. You may notice that only ten addresses are available in the pool: once all ten are assigned, the pool is exhausted and further translations fail until existing entries time out. It is also worth noting that this method only works for traffic initiated from the inside, since until then no translation exists in the router’s NAT table for an inbound packet to match.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

access-list 1 permit 10.0.0.0 0.0.0.255

ip nat pool NATPOOL 192.168.1.10 192.168.1.19 prefix-length 24
ip nat inside source list 1 pool NATPOOL

Overloading NAT is most commonly used, especially in the home environment where one public IP address is shared between several hosts on the internal LAN. Overloading, or PAT (Port Address Translation) works in a similar way to dynamic NAT. However, instead of translating internal to external IP addresses the router builds a dynamic mapping of source and destination address / port pairs for each connection. These mappings allow the router to map individual connections to internal hosts using only one external IP address, typically this address is publicly routable.

In the configuration example below, a single public IP address is assigned to fa0/1 and used to service outbound requests from the internal network on fa0/0. The router records the source address and port of each connection initiated from an internal host, and rewrites the packet with the external IP address and a port number chosen by the NAT process. The resulting table maps inside source address/port pairs to outside source address/port pairs, so traffic is forwarded to the remote host with the source address of fa0/1, and return traffic is translated back to the relevant internal host using the same table as it crosses the router.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 178.79.134.87 255.255.255.248

access-list 123 permit ip 10.0.0.0 0.0.0.255 any

ip nat inside source list 123 interface fa0/1 overload
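As an added illustration (not from the original post, and not how IOS implements NAT), the toy model below replays the two dynamic behaviours described above on constructed sample flows: the ten-address pool fails the eleventh inside host once 192.168.1.10 to 192.168.1.19 are all held, while overload/PAT keys its table on inside address/port pairs so two hosts using the same source port still share the single outside address, and an inbound packet with no matching entry is dropped in both modes. The inside network, pool and outside address are the page’s own; the remote hosts are RFC 5737 documentation addresses, and the class and function names are chosen for this example.

```python
"""Toy model of dynamic NAT (address pool) and overload/PAT translation tables.

Added illustration only: not from the original post and not how IOS is
implemented. It replays the behaviours described above on constructed flows,
using the page's 10.0.0.0/24 inside network and 192.168.1.10-19 pool; the
remote hosts are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# A flow as the router sees it: (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


@dataclass
class DynamicNat:
    """Pool NAT: each inside host takes a whole outside address; ports are untouched."""
    inside: IPv4Network
    pool: List[str]                                       # free outside addresses
    table: Dict[str, str] = field(default_factory=dict)   # inside ip -> outside ip

    def outbound(self, flow: Flow) -> Optional[Flow]:
        src, sport, dst, dport = flow
        if IPv4Address(src) not in self.inside:
            return flow                       # not matched by the ACL: forwarded untranslated
        if src not in self.table:
            if not self.pool:
                return None                   # pool exhausted: translation fails, packet dropped
            self.table[src] = self.pool.pop(0)
        return (self.table[src], sport, dst, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        src, sport, dst, dport = flow
        inside = next((i for i, o in self.table.items() if o == dst), None)
        if inside is None:
            return None                       # no entry yet: inbound-initiated traffic is dropped
        return (src, sport, inside, dport)


@dataclass
class Pat:
    """Overload/PAT: one outside address, table keyed on (inside ip, inside port)."""
    inside: IPv4Network
    outside_ip: str
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)    # (ip, port) -> outside port
    reverse: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # outside port -> (ip, port)
    next_port: int = 1024

    def outbound(self, flow: Flow) -> Flow:
        src, sport, dst, dport = flow
        if IPv4Address(src) not in self.inside:
            return flow
        key = (src, sport)
        if key not in self.table:
            # keep the inside source port if it is still free, otherwise pick another
            oport = sport if sport not in self.reverse else self._free_port()
            self.table[key], self.reverse[oport] = oport, key
        return (self.outside_ip, self.table[key], dst, dport)

    def _free_port(self) -> int:
        while self.next_port in self.reverse:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def inbound(self, flow: Flow) -> Optional[Flow]:
        src, sport, dst, dport = flow
        if dst != self.outside_ip or dport not in self.reverse:
            return None                       # nothing in the table for this port: dropped
        in_ip, in_port = self.reverse[dport]
        return (src, sport, in_ip, in_port)


def run_dynamic_nat() -> Dict[str, Optional[Flow]]:
    """Eleven inside hosts each open one flow against the ten-address pool."""
    nat = DynamicNat(IPv4Network("10.0.0.0/24"), [f"192.168.1.{i}" for i in range(10, 20)])
    out: Dict[str, Optional[Flow]] = {}
    for host in range(10, 21):                # 10.0.0.10 .. 10.0.0.20
        src = f"10.0.0.{host}"
        out[src] = nat.outbound((src, 40000, "203.0.113.5", 80))
    out["reply"] = nat.inbound(("203.0.113.5", 80, "192.168.1.10", 40000))       # matches an entry
    out["unsolicited"] = nat.inbound(("203.0.113.5", 80, "192.168.1.25", 40000))  # no entry
    return out


def run_pat() -> Dict[str, object]:
    """Two inside hosts pick the same source port; PAT keeps their flows distinct."""
    pat = Pat(IPv4Network("10.0.0.0/24"), "178.79.134.87")
    a = pat.outbound(("10.0.0.10", 50000, "203.0.113.5", 443))
    b = pat.outbound(("10.0.0.11", 50000, "203.0.113.5", 443))                   # same inside port
    reply_b = pat.inbound(("203.0.113.5", 443, "178.79.134.87", b[1]))
    probe = pat.inbound(("198.51.100.9", 12345, "178.79.134.87", 22))            # no mapping
    return {"a": a, "b": b, "reply_b": reply_b, "probe": probe, "entries": len(pat.table)}
```

The two runs make the trade-off concrete: pool NAT exhausts at host eleven with nothing else in the way, while PAT carries both hosts on one address by renumbering the second one’s source port, and in both cases an inbound packet that matches no table entry (the scan against port 22 in run_pat) never reaches an inside host.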

That’s about it for a basic introduction, in my next post I will cover NAT timeouts and overlapping NAT.

 

FTTC with a Cisco VDSL router

[Note] I’ve recently started a network consultancy business, head over to Optimus Networks to get in touch.

I recently learned that the Cisco 887VA packs a dual technology modem that supports not only ADSL2+ but VDSL2, the technology that supports FTTC (Fibre To The Cabinet), more commonly known as BT Infinity.

Excited at the prospect of removing the Openreach modem from my over-heating cupboard / home comms room, I set about building the config and was surprised to find FTTC very similar in delivery to an Etherflow Etherway: the circuit is delivered with a VLAN tag, in this case 101. Authentication is done via CHAP over PPPoE; see my previous posts on how to get a PPPoE connection established from an Ethernet port on a router or an ASA.

There is no ATM configuration as with ADSL. The VDSL modem is tied to the Ethernet0 interface, which must be bound to a dialer carrying the PPPoE configuration, and since the service arrives tagged, an Ethernet0.101 sub-interface must be configured and bound to the dialer.

Here is the config :

controller VDSL 0 !## TELL THE ROUTER WE WILL BE USING VDSL MODE
operating mode vdsl2 !## FORCE VDSL2 RATHER THAN AUTO, WHICH CAN FALL BACK TO ADSL

interface Ethernet0
no ip address !## NO IP HERE, SEE THE DIALER

interface Ethernet0.101 !## EVERYTHING IS TAGGED IN VLAN 101, SO WE MUST USE A SUB INTERFACE
encapsulation dot1Q 101
pppoe-client dial-pool-number 1

interface ATM0 !## NO NEED FOR THIS
no ip address
shutdown
no atm ilmi-keepalive

interface Dialer0
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname YOUR_LOGIN
ppp chap password 0 YOUR_PASSWORD
ppp ipcp dns request
ppp ipcp route default !## GRAB YOUR 0.0.0.0/0 ROUTE FROM PPPOE

In case of issues or slow performance: I believe the FTTC MSAN equipment will fall back to ADSL2+ mode if required, so if you have any trouble check that you have specified VDSL mode under controller VDSL 0 at the top of the config. Not that I’ve had any issues.

Also, in case you are wondering what speed your line is capable of (BT recently announced 80Mbps downstream for new or renewing customers), the VDSL stats show a good amount of detail, including a headline attainable rate for your line. I was pleasantly surprised:

Router#sh controllers VDSL 0
Attainable Rate: 102056 kbits/s 33192 kbits/s

According to these numbers I’ve lost a whole 2Mbps downstream; a previous reading showed 104Mbps. I wonder if the nice weather we’ve had this week had an effect on the cable? Damn you physics! 😉

Cisco PPP ADSL config – UK ISP

Some standard config for UK ADSL using a Cisco router, again from an 1800. Remember to add NAT config and inbound access control if required.


interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
bandwidth [X]
bandwidth receive [X]
ip address negotiated
ip flow ingress
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname [username]
ppp chap password 0 [password]
ppp ipcp route default
end

FTTC – Cisco PPPoE router config

A sample Fibre To The Cabinet Cisco router config for PPPoE assuming you have the standard BT Openreach modem. Generated from an 1800 series router.

interface FastEthernet0
description FTTC
no ip address
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1

interface Dialer0
ip address negotiated
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp ipcp dns request
ppp ipcp route default

Cisco ASA / BT Fiber To The Cabinet (FTTC) PPPoE config

I’m lucky enough to be in one of the few UK areas to have BT’s latest broadband offering – Fiber To The Cabinet or FTTC.

When the BT Openreach engineer decides to turn up, he will install a Huawei modem which hands off your public IP address (or subnet if you so choose) via PPPoE to your router of preference. Being a networking geek I chose a Cisco ASA 5505 firewall.

Below is a basic command-line config; I’ll get working on some ASDM screenshots soon for those who prefer the GUI (not my thing). Note the MTU size: PPPoE adds 8 bytes of overhead (6 for the PPPoE header, 2 for PPP), so we trim that off the 1500-byte Ethernet standard, leaving 1492. The setroute keyword installs the default route learned over the PPPoE session, since the peer address is not known in advance.

interface Vlan10
nameif outside
security-level 0
pppoe client vpdn group BTFTTC
ip address pppoe setroute
!
mtu outside 1492
!
vpdn group BTFTTC request dialout pppoe
vpdn group BTFTTC localname [email protected]
vpdn group BTFTTC ppp authentication chap
vpdn username [email protected] password *ppp password*