Cisco : MACsec (Media Access Control Security)

This describes how to enable MACsec (Media Access Control Security) encryption between two Catalyst switches. MACsec, IEEE 802.1AE, is the standard for authenticating and encrypting Ethernet frames at the data link layer on a hop-by-hop basis. The keys are negotiated either by Cisco's SAP (TrustSec manual mode, first example below) or by the standard MKA protocol (IEEE 802.1X-2010) from a pre-shared CAK (second example).

Configuring MACsec with SAP (TrustSec manual mode)

interface TenGigabitEthernet1/0/48
 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt null no-encap

The PMK shown is clearly not random; use a random 64-character hex value, identical on both ends. The mode-list is ordered by preference, so as written the link will fall back to integrity-only (null) or to no MACsec at all (no-encap) if the peer cannot do encryption. If encryption is mandatory, list only gcm-encrypt so the link fails closed instead.

Below is an example config for MACsec with AES-256 encryption, using MKA with a pre-shared CAK. The same key chain and policy must be configured on both switches. It was tested on a 3650-12X48UZ running IOS-XE 16.3.2. Replace the key-string with a fresh random value each time you use this: for aes-256-cmac it must be exactly 64 hexadecimal characters (256 bits), as in the example, and it is the shared secret for the link, so treat it like a password rather than reusing the one below. The key id (1234 here) is the CKN and is what show mka session displays, padded to 64 hex characters. Both switches can use the same key-server priority; the lower value wins and a tie is broken by the lower MAC address (SCI).

key chain mka_keychain macsec
 key 1234
  cryptographic-algorithm aes-256-cmac
  key-string 7586258746587645873490731985370957385753195709435175415784768466
  lifetime local 00:00:00 Jan 1 2000 infinite
!
mka policy mka_policy_256
 key-server priority 2
 macsec-cipher-suite gcm-aes-256
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 macsec network-link
 mka policy mka_policy_256
 mka pre-shared-key key-chain mka_keychain

Check that the MKA session is up and Secured. The sample output below was captured on Te1/0/48 with a policy named test, not the Gi1/0/1 / mka_policy_256 example above; note the CKN column shows the key id 1234 padded out to 64 hex characters.

Switch#sh mka session
Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0
====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
Te1/0/48       00f6.6389.8b30/0037 test             NO                YES
55             00fe.c8d4.44b0/0037 1                Secured           1234000000000000000000000000000000000000000000000000000000000000

Verify MACsec is enabled on the interface and that the negotiated cipher is GCM-AES-256. Replay protect with a window of 0 means frames must arrive strictly in order, which is what you want on a point-to-point switch link:

Switch#sh macsec int ten1/0/48

MACsec is enabled
   Replay protect : enabled
   Replay window : 0
   Include SCI : yes
   Use ES Enable : no
   Use SCB Enable : no
   Admin Pt2Pt MAC : forceTrue(1)
   Pt2Pt MAC Operational : no
   Cipher : GCM-AES-256
   Confidentiality Offset : 0
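As an added example (not part of the original post, and not Cisco's code): a small Python helper for the two things this post asks you to do by hand. It generates a correctly sized random CAK and refuses a key-string of the wrong length or with non-hex characters, renders the key chain / policy / interface block above for one switch, and parses show mka session output so a script can assert that every session is Secured, has a peer and carries the expected CKN. The interface name and key id passed in are placeholder values; the Secured sample is the output shown above, and the Pending sample is constructed to show the negative case.

```python
import re
import secrets

# Hex length of the CAK (the key-string) for each MKA key-chain algorithm:
# 128-bit and 256-bit keys respectively.
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}


def generate_cak(algorithm="aes-256-cmac"):
    """Return a fresh random CAK of the right length, from the OS CSPRNG."""
    return secrets.token_hex(CAK_HEX_LEN[algorithm] // 2)


def validate_cak(cak, algorithm="aes-256-cmac"):
    """Reject a key-string that is the wrong size for the algorithm or not hex."""
    want = CAK_HEX_LEN[algorithm]
    if len(cak) != want:
        raise ValueError(f"{algorithm} needs {want} hex characters, got {len(cak)}")
    if not re.fullmatch(r"[0-9a-fA-F]+", cak):
        raise ValueError("CAK must contain hexadecimal digits only")
    return True


def render_mka_config(interface, ckn, cak, algorithm="aes-256-cmac",
                      key_chain="mka_keychain", policy="mka_policy_256",
                      key_server_priority=2):
    """Emit the key chain / MKA policy / interface block from the post for one switch."""
    validate_cak(cak, algorithm)
    cipher = "gcm-aes-256" if algorithm == "aes-256-cmac" else "gcm-aes-128"
    return f"""key chain {key_chain} macsec
 key {ckn}
  cryptographic-algorithm {algorithm}
  key-string {cak}
  lifetime local 00:00:00 Jan 1 2000 infinite
mka policy {policy}
 key-server priority {key_server_priority}
 macsec-cipher-suite {cipher}
interface {interface}
 switchport mode trunk
 macsec network-link
 mka policy {policy}
 mka pre-shared-key key-chain {key_chain}"""


def parse_mka_sessions(output):
    """Parse 'show mka session' into one dict per session (each session is two text rows)."""
    lines = [ln.rstrip() for ln in output.splitlines()]
    seps = [i for i, ln in enumerate(lines) if ln.startswith("====")]
    if len(seps) < 2:            # no table at all (empty or unexpected output)
        return []
    rows = [ln.split() for ln in lines[seps[1] + 1:] if ln.strip()]
    sessions = []
    for first, second in zip(rows[0::2], rows[1::2]):
        if len(first) < 5 or len(second) < 5:
            continue
        sessions.append({
            "interface": first[0], "local_txsci": first[1], "policy": first[2],
            "inherited": first[3] == "YES", "key_server": first[4] == "YES",
            "port_id": second[0], "peer_rxsci": second[1],
            "peers": int(second[2]), "status": second[3], "ckn": second[4].lower(),
        })
    return sessions


def all_sessions_secured(output, expected_ckn=None):
    """True only if every session is Secured with a peer and, if given, the expected CKN.

    IOS-XE displays the key id right-padded with zeros, so the expected id is padded
    to the displayed width before comparing.
    """
    sessions = parse_mka_sessions(output)
    if not sessions:
        return False
    for s in sessions:
        if s["status"] != "Secured" or s["peers"] < 1:
            return False
        if expected_ckn and s["ckn"] != expected_ckn.lower().ljust(len(s["ckn"]), "0"):
            return False
    return True


MKA_HEADER = """\
====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
"""
# Sample rows copied from the post: one Secured session on Te1/0/48.
SAMPLE_SECURED = "Total MKA Sessions....... 1\n" + MKA_HEADER + """\
Te1/0/48       00f6.6389.8b30/0037 test             NO                YES
55             00fe.c8d4.44b0/0037 1                Secured           1234000000000000000000000000000000000000000000000000000000000000
"""
# Constructed sample (not from the post): the same link not yet Secured, with no peer.
SAMPLE_PENDING = "Total MKA Sessions....... 1\n" + MKA_HEADER + """\
Te1/0/48       00f6.6389.8b30/0037 test             NO                YES
55             00fe.c8d4.44b0/0037 0                Pending           1234000000000000000000000000000000000000000000000000000000000000
"""
```

Feed the same key-string through render_mka_config on both switches. A session that stays out of Secured with zero peers after both sides are configured usually means the CAK, CKN or cipher suite differs between the two ends.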

Solarwinds : Download “Set” Command backup for Palo Alto

Download “Set” Command backup for Palo Alto

Settings > All Settings > NCM Settings > Advanced > Device Templates > search for ‘Palo Alto’ > select ‘PaloAlto5050’ > click Copy > change the Template Name to ‘PaloAlto5050 – Set’ > remove the existing XML and paste in the XML below > click Save

<Configuration-Management Device="Palo Alto" SystemOID="1.3.6.1.4.1.25461.2.3">
  <Commands>
    <Command Name="RESET" Value="set cli pager off${CRLF}set cli config-output-format set${CRLF}configure" RegEx="#" />
    <Command Name="EnterConfigMode" Value="" />
    <Command Name="ExitConfigMode" Value="exit" />
    <Command Name="Startup" Value="saved running-configuration" />
    <Command Name="Running" Value="" />
    <Command Name="DownloadConfig" Value="show ${ConfigType}" />
    <Command Name="UploadConfig" Value="" />
    <Command Name="DownloadConfigIndirect" Value="" />
    <Command Name="SaveConfig" Value="commit" />
    <Command Name="Version" Value="show" />
  </Commands>
</Configuration-Management>


Change the Template being used on the Palo Alto Nodes

Settings > Manage Nodes > Palo Alto > Select All > Edit Properties > tick Communication > select Device Template ‘PaloAlto5050 – Set’ > Submit.

Solarwinds : Add/Edit Node

Add Device

Settings > Manage Nodes  > Add Node > Follow the Wizard.

Edit Node

Find Device > Edit Node > NCM Properties

Downloaded configurations are normally stored under: \SolarWinds\Orion\NCM\Config-Archive

Data Centre : Post DC Move Unracking

We moved our company internal Data Centre to a COLO Facility 2 weeks ago, here is what is left. Before and After Pictures, as well as a photo of the “Boneyard”. A pretty good haul for E-Wasting:

2x Cisco 6909s

3x Cisco 6513s

8x Cisco ASAs

2x Brocade Loadbalancers

4x Cisco 2900 Routers

2x Cisco Nexus 5k

1x Cisco Wireless LAN Controller


Palo Alto : Enable IPv6 and Create Default Route

To Enable IPv6 on the Firewall

Web GUI

IPv6 firewalling is enabled under Device > Setup > Session:

*** You may have to restart your Firewall for IPv6 to be enabled.

On the CLI

> configure

# set deviceconfig setting session ipv6-firewalling [yes|no]

# commit

Here is the interface configuration I used:

Don’t forget to add a rule in your security policy that allows your new IPv6 interface to talk to your gateway.

Add Default Route

You will also have to add a default route under Network > Virtual Routers > Default > Static Routes > IPv6

The IPv6 default route is ::/0; the next hop is your upstream gateway's IPv6 address (global or link-local) on the egress interface.
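As an added example (not from the original post, and not Palo Alto's own tooling): a small Python helper that produces the CLI equivalent of the steps above in PAN-OS set format, and refuses a next hop that is not on-link. The interface name, prefix and gateway used are placeholder values; the set-command syntax is my reading of PAN-OS set format (the same format the NCM template above downloads) and should be checked against `show` output on your version.

```python
import ipaddress


def plan_ipv6_default_route(interface, interface_prefix, next_hop,
                            vrouter="default", route_name="default-v6"):
    """Build PAN-OS 'set' commands that enable IPv6 on a layer3 interface and add ::/0.

    Before emitting anything it checks that the next hop is actually on-link:
    either link-local (fe80::/10) or inside the interface's own prefix. A next hop
    outside both commits fine but the route never resolves, which is a common
    reason for "IPv6 is enabled but nothing passes".
    """
    iface = ipaddress.IPv6Interface(interface_prefix)
    gw = ipaddress.IPv6Address(next_hop)
    if gw == iface.ip:
        raise ValueError("next hop is the firewall's own interface address")
    if not (gw.is_link_local or gw in iface.network):
        raise ValueError(f"{gw} is neither link-local nor inside {iface.network}; "
                         "the default route would never resolve")
    # Assumed PAN-OS set syntax (not taken from the post); verify on your release.
    route = f"set network virtual-router {vrouter} routing-table ipv6 static-route {route_name}"
    return [
        "set deviceconfig setting session ipv6-firewalling yes",
        f"set network interface ethernet {interface} layer3 ipv6 enabled yes",
        f"set network interface ethernet {interface} layer3 ipv6 address "
        f"{iface.with_prefixlen} enable-on-interface yes",
        f"{route} destination ::/0",
        f"{route} interface {interface}",   # needed so a link-local next hop resolves
        f"{route} nexthop ipv6-address {gw}",
        "commit",
    ]


if __name__ == "__main__":
    # Placeholder addressing (documentation prefix), not a real deployment.
    for cmd in plan_ipv6_default_route("ethernet1/1", "2001:db8:1::2/64", "2001:db8:1::1"):
        print(cmd)
```

Paste the output into configure mode on the firewall, or keep the function in whatever provisioning script you already use; the on-link check is the part worth keeping even if you type the commands by hand.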

Network Utilities : SuperPutty Setup

I only use SuperPutty with GNS3, here is how.

  • GNS3 as of 1.5.2 doesn’t include the latest version, so download it from here:
  • Start SuperPutty, which will present you with the configuration options. Set the following:
    • YOU MUST USE THE PUTTY PROVIDED WITH GNS3. If you don’t, you’ll receive “unknown option -wt” errors when opening consoles from GNS3 with SuperPutty
    • putty.exe location (required): C:\Program Files\GNS3\putty.exe
      • Or wherever GNS3 is installed
    • Click the “Advanced” tab > check “Only allow single instance of SuperPutty to run”
  • Set the other options however you like
  • In GNS3, open Edit > Preferences > General > Console applications tab
  • Change the console application for telnet and serial to use SuperPutty
  • If you want to keep the same colour scheme used by the regular PuTTY console, add "-gns3 5 -skin 4" at the end, i.e.
    • c:\dropbox\apps\superputty\SuperPutty.exe -telnet "%h -P %p -wt \"%d\" -gns3 5 -skin 4"

GNS3 : Install and Configure

This install is intended for running IOU/IOL images on the GNS3 VM, because that is now the preferred way of running IOS in GNS3.

Pre-Requisites:

  1. Install VMware Workstation Player
    http://www.vmware.com/products/player/playerpro-evaluation.html
  2. Install VMware VIX API
    https://www.vmware.com/support/developer/vix-api/
  3. Install Wireshark
    https://www.wireshark.org/download.html
    Install WinPCAP provided by Wireshark


Install GNS3:

  1. Install GNS3
    https://www.gns3.com/software/download
  2. Install only the following components (the installer screenshot is not reproduced here): deselect Dynamips, QEMU, VPCS, Cpulimit and SuperPutty.

We don’t need Dynamips/QEMU/VPCS/Cpulimit because we’ll be running everything off the GNS3 VM server. We don’t install SuperPutty from here because it’s not the latest version and the first thing it does when you open it is bug you about upgrading. Setup instructions for it are below.

Install Loopback Adapter

  1. Open an Admin Command Prompt and run:

cd "c:\Program Files\gns3"

loopback-manager.cmd

  2. Install a new Loopback interface (reboot required)
  3. Reboot
  4. Rename the new Loopback adapter to “Loopback”
  5. Assign it an IP address


Setup GNS3 VM:

  1. Download the GNS3 VM version that matches the installed GNS3 version
    https://github.com/GNS3/gns3-gui/releases
  2. Import the VM and keep the defaults
  3. Add a 3rd Network Adapter in Bridged mode, connected to the Loopback adapter (Microsoft KM-TEST Loopback Adapter)
  4. Power on the VM
  5. SSH into the VM using gns3/gns3 for the credentials (this is the well-known default; change it if the VM is reachable from anything other than your own host)
    1. Sudo to root and run the following:
      echo '127.0.0.127 xml.cisco.com' >> /etc/hosts
  6. Leave the VM powered on, we’re done with it for now
  7. Open an Administrator command prompt
  8. cd into the GNS3 install directory and run the following:
    1. IMPORTANT: On my work laptop, adding the additional interfaces broke network connectivity to the VM. I have no idea why, but after I reinstalled VMware Workstation, which uninstalled all the adapters, I was able to connect to the VM again. On the work laptop I’m running without the additional adapters and it seems fine so far.
    2. vmnet-manager.cmd
    3. Select option 1, which will add vmnet interfaces 2 to 19 (this can take a while, please be patient)
    4. If it looks like this process has hung, follow step 2 in the URL below to add the adapters
      https://www.gns3.com/support/docs/how-to-use-vmware-player-in-gns3


Configure GNS3 to use the GNS3 VM server:

  1. Open up GNS3
  2. Goto Edit > Preferences

    Be sure to leave “Start VM in headless mode” unchecked.  I ran into issues where the VM would not automatically startup when opening GNS3 and also cause the GNS3 process to linger when closing out of it.
  3. Disable “Use of the local server” for Dynamips and QEMU.  We’ll use the GNS3 VM instead for running those processes.

[Screenshot: Preferences sidebar (Packet capture, VPCS, Dynamips, IOS routers); Dynamips > General settings with “Use the local server” unchecked and the Path to Dynamips field]

Create the L2/L3 IOU Devices:

  1. Goto Edit > Preferences
  2. Set the iourc file to use with the license (IOU devices need a license to run)
  3. Create the L2 image:
  4. Create the L3 image:

Add Device Image

New appliance template > Add an IOU device > Run the IOU device on the GNS3 VM > New Image > Browse


i86bi-linux-l2-ipbasek9-15.1e.bin – IOU-L2

i86bi-linux-l3-adventerprisek9-15.4.2T.bin – IOU-L3


Operational Notes:

  • Sometimes a restart of all the routers/switches are required when new links are created between devices.  Even though the line protocols show as up, I’ve found a restart is required for traffic to actually pass through them.


If you want to use SuperPutty as the SSH client for GNS3 click this link:
SuperPutty with GNS3