Saturday, 4 May 2013

Cisco Client VPN Configuration


This was set up on a 857W running IOS 12.4-15-T12
A site-to-site VPN is already configured on this router (sequence 1), so the client VPN uses sequence 2 for its ISAKMP policy, dynamic map and crypto map entry.
LAN : 192.168.0.0/24
VPN : 172.16.0.0/24

Phase 1 policy parameters
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2


VPN client address pool
crypto isakmp client configuration address-pool local poolname
ip local pool poolname 172.16.0.1 172.16.0.254


VPN client group
crypto isakmp client configuration group groupname
key psk
pool poolname
acl aclname
crypto isakmp keepalive 300
crypto isakmp xauth timeout 60


Phase 2 policy parameters
crypto ipsec transform-set transform-2 esp-3des esp-sha-hmac
crypto dynamic-map mapname 2
set transform-set transform-2
reverse-route


Crypto map
crypto map mapname client authentication list userlist
crypto map mapname isakmp authorization list groupname
crypto map mapname client configuration address respond
crypto map mapname 2 ipsec-isakmp dynamic mapname
interface external
crypto map mapname


Define the phase 2 proxy ID
ip access-list extended aclname
permit ip 172.16.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any


Exclude the client VPN range from the NAT rule
ip nat inside source list 101 interface external overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any




Cisco Site to Site VPN Configuration


This was set up on a 857W running IOS 12.4-15-T12
There is also a client VPN configured on this router.
Local subnet : 192.168.0.0/24
Remote subnet : 10.10.0.0/16
Peer IP : 5.5.8.8

Phase 1 parameters
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2


Pre-shared key
crypto isakmp key psk address 5.5.8.8 no-xauth

Transform set
crypto ipsec transform-set transform-1 esp-aes esp-sha-hmac

Crypto map
crypto map mapname 1 ipsec-isakmp
set peer 5.5.8.8
set transform-set transform-1
match address aclname


Interesting traffic
ip access-list extended aclname
permit ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255


Remove from NAT rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255

Inbound ACL
interface bridge to internal network
ip access-group aclname2 out
ip access-list extended aclname2
permit udp host 10.10.4.8 192.168.0.1 0.0.0.225
deny ip 10.10.5.0 0.0.0.255 any
permit ip any any
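As an added check (this code is not from the post), a small Python evaluator that applies IOS wildcard-mask semantics to the ACLs in both VPN posts: it confirms which flows ACL 101 exempts from NAT, that every flow the crypto ACL would encrypt is NAT-exempt, and which hosts the inbound entry with wildcard 0.0.0.225 actually covers. The ACL lines are the page's own; the sample flows are constructed.

```python
import ipaddress

# Constructed from the page's own ACLs: NAT ACL 101 after both posts' deny
# lines are in place, the site-to-site crypto ACL, and the inbound ACL.
NAT_ACL_101 = [
    "deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255",
    "deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
]
CRYPTO_ACL = ["permit ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255"]
INBOUND_ACL = [
    "permit udp host 10.10.4.8 192.168.0.1 0.0.0.225",
    "deny ip 10.10.5.0 0.0.0.255 any",
    "permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit means 'don't care'; the mask need not be contiguous."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _spec(tokens, i):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def acl_lookup(acl, src, dst, proto="ip"):
    """First matching entry wins, as in IOS; no match falls through to the implicit deny."""
    for line in acl:
        t = line.split()
        s, i = _spec(t, 2)
        d, _ = _spec(t, i)
        if t[1] in ("ip", proto) and wildcard_match(src, *s) and wildcard_match(dst, *d):
            return t[0], line
    return "deny", "implicit deny"

def is_natted(src, dst):
    """'ip nat inside source list 101 ...' translates a flow only when ACL 101 permits it."""
    return acl_lookup(NAT_ACL_101, src, dst)[0] == "permit"

def nat_exemption_gaps(crypto_acl, nat_acl, flows):
    """Flows the crypto ACL would encrypt but NAT would still translate first; should be empty."""
    return [f for f in flows
            if acl_lookup(crypto_acl, *f)[0] == "permit" and acl_lookup(nat_acl, *f)[0] == "permit"]
```

IOS accepts non-contiguous wildcards, so 192.168.0.1 0.0.0.225 matches only hosts whose last octet is 0, 1, 32, 33, 64, 65 and so on up to 225, not the whole /24; traffic to the other hosts falls through to the later entries.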








Squeezelite on Fedora

I've found squeezelite to be superior to SqueezeSlave, specifically for player synchronisation.
The install is as simple as downloading the (i386) binary from here.

Because I prefer to run this as a service, and because I found no example startup scripts online, I wrote my own.  I'm no expert at this sort of thing, so it may well not work on your machine, but it should be just a case of a few small tweaks.


#!/bin/sh

### BEGIN INIT INFO
# Provides:          squeezelite
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Script to start squeezelite
# Description:       Service script for squeezelite, command line squeezebox player
### END INIT INFO

# Red Hat/Fedora init helpers: daemon, killproc, status
. /etc/init.d/functions

USER=j.doe                              # The user logged in to Gnome, required to use Pulse
NAME=Squeezelite                        # Name of the player
LMS=127.0.0.1                           # IP of the media server
LOG=/var/log/squeezelite.log            # Log file
LOCKFILE="/var/lock/subsys/squeezelite"
RETVAL=0

start() {
        echo -n $"Starting Squeezelite daemon: "
        # -z makes squeezelite daemonise itself, so it must not be backgrounded
        # here as well: with a trailing '&' RETVAL would only ever be the status
        # of the background job, never of squeezelite.
        daemon --user "$USER" squeezelite-i386 -z -f "$LOG" -n "$NAME" "$LMS"
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch "$LOCKFILE"
        return $RETVAL
}

stop() {
        echo -n $"Stopping Squeezelite daemon: "
        killproc squeezelite-i386
        RETVAL=$?                       # capture killproc's status before echo overwrites $?
        echo
        rm -f "$LOCKFILE"
        return $RETVAL
}

restart() {
        stop
        sleep 5
        start
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                restart
                ;;
        status)
                status squeezelite-i386  # same process name killproc uses above
                ;;
        condrestart)
                [ -e "$LOCKFILE" ] && restart
                ;;
        *)
                echo $"Usage: $0 {start|stop|status|restart|condrestart}"
                RETVAL=1
esac

exit $RETVAL


Thursday, 23 August 2012

iPerf

iPerf is a small, open-source command-line tool designed for Linux (and ported to Windows) that is very useful for measuring throughput across a network.

It runs between two machines on the network; its options and features are described on the man page (or via --help on Windows).

One machine acts as the server:
iperf -s
The other machine acts as the client:
iperf -c [server ip]

Some useful options:

-t x : run the test for x seconds (the default is 10)
-P x : the number of parallel transfers to run; more streams will generally increase throughput
-w xKB : the TCP window size; increasing it will generally increase throughput as well

Example:

iperf -c 192.168.0.2 -t 30 -P 10 -w 256KB


Tuesday, 14 August 2012

Cloning Linux VMs


udev ties the original MAC address to eth0, and cloning the VM generates a new MAC, so the stale mapping has to be removed.

  • Edit /etc/udev/rules.d/70-persistent-net.rules so that it contains a single rule naming the interface eth0 with the correct (new) MAC
  • Reboot
  • vi /etc/sysconfig/network-scripts/ifcfg-eth*
    • ONBOOT=yes
    • NM_CONTROLLED=no
    • BOOTPROTO=static
    • IP address etc.
  • Rename ifcfg-eth* to ifcfg-eth0 and ensure its MAC (HWADDR) matches the VMware hardware ID and the MAC in persistent-net.rules
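The rules-file clean-up and the MAC consistency check from the last step, as an added Python example (not from the post); the sample 70-persistent-net.rules content is constructed and the MACs and addresses are placeholders.

```python
import re

# Constructed sample of what a cloned VM leaves behind: udev kept the template's
# eth0 rule (old MAC) and added eth1 for the MAC the hypervisor generated for the clone.
SAMPLE_RULES = """\
# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:11:11:11", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:22:22:22", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
"""
RULE_RE = re.compile(r'ATTR\{address\}=="([0-9a-fA-F:]+)".*NAME="(\w+)"')

def net_rules(text):
    """Return [(mac, name), ...] for every persistent-net rule in the file."""
    return [(m.group(1).lower(), m.group(2)) for m in RULE_RE.finditer(text)]

def rewrite_persistent_net(text, clone_mac):
    """Keep only the rule for the MAC this clone actually has and bind it to eth0.
    In real use clone_mac comes from the VM's hardware settings or
    /sys/class/net/<if>/address; here it is a placeholder."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m is None:
            out.append(line)                      # comments and blank lines pass through
        elif m.group(1).lower() == clone_mac.lower():
            out.append(line[:m.start(2)] + "eth0" + line[m.end(2):])
        # rules for MACs the clone no longer has are dropped
    return "\n".join(out) + "\n"

def render_ifcfg(mac, ipaddr, netmask, gateway):
    """ifcfg-eth0 for a static interface outside NetworkManager, pinned to the clone's MAC."""
    return "\n".join([
        "DEVICE=eth0", "HWADDR=" + mac.lower(), "ONBOOT=yes", "NM_CONTROLLED=no",
        "BOOTPROTO=static", "IPADDR=" + ipaddr, "NETMASK=" + netmask, "GATEWAY=" + gateway,
    ]) + "\n"

def macs_consistent(rules_text, ifcfg_text):
    """The last step's check: exactly one eth0 rule, and its MAC equals HWADDR in ifcfg-eth0."""
    eth0 = [mac for mac, name in net_rules(rules_text) if name == "eth0"]
    hw = re.search(r"^HWADDR=(\S+)$", ifcfg_text, re.M)
    return len(eth0) == 1 and hw is not None and hw.group(1).lower() == eth0[0]
```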

Cisco stack - rebooting/losing the master consequences

In a Cisco StackWise stack, you can have up to 9 switches connected together to create one logical switch. This gives 32Gbps of stack bandwidth, and although the stack is cabled in a ring topology it behaves as one large switch, so STP does not come into play between the members.

A master switch is elected to manage the stack. The election works through several criteria (listed at the bottom of this post), but normally the admin sets a priority so that a chosen switch becomes master under normal circumstances. Boot order is one thing to pay attention to: if another switch boots before your prioritised master, the first switch to boot takes control.

The stack master's MAC address also becomes the overall Stack MAC Address (Bridge ID), which has some consequences (show switch).
If you lose the stack master, or need to reboot it, another switch has to take over, again decided primarily by priority. When this happens, by default the MAC address of the switch taking over becomes the new Stack MAC Address.

If you are using LACP EtherChannels, bear in mind that the LACP System ID (show lacp internal detail) is derived from the Stack MAC Address. If the Stack MAC changes, the LACP System ID changes with it, which forces the EtherChannel(s) to reconverge: the EtherChannels flap and the devices attached to them lose connectivity for the duration. If, for example, a Windows cluster is connected over teamed LACP interfaces, the reconvergence will last long enough for the cluster to fail.

To avoid this, you can instruct the stack not to change the Stack MAC Address when the master goes offline. The global configuration command is:
stack-mac persistent timer 0
A timer of 0 keeps the MAC indefinitely (or until the stack reboots); alternatively you can set a time in minutes, for example 10 minutes, to allow for a reboot of the master.

The only caveat is if you reuse the former master elsewhere in your network, i.e. you took it offline for a reason: the duplicate MAC on the network could result in lost traffic.



Cisco StackWise election process
  1. User priority - The network manager can select a switch to be master.
  2. Hardware and software priority - This defaults to the unit with the most extensive feature set. The Cisco Catalyst 3750 IP Services (IPS) image has the highest priority, followed by Cisco Catalyst 3750 switches with the IP Base software image (IPB). Catalyst 3750-E and Catalyst 3750-X run the Universal image, whose feature set is determined by the purchased license. The "show version" command lists the operating license level for each member of the stack.
  3. Default configuration - If a switch has preexisting configuration information, it will take precedence over switches that have not been configured.
  4. Uptime - The switch that has been running the longest is selected.
  5. MAC address - Each switch reports its MAC address to all its neighbors for comparison. The switch with the lowest MAC address is selected.