Author Archives: ACR 2014

About ACR 2014

Network Enthusiast

vManage Web Certificate Installation

Another post-installation task is installing the vManage web server certificate, which clears the browser's invalid-certificate warning shown when you open the GUI.

Go to Administration > Settings > Web Server Certificate

a. Generate CSR

b. Certificate installation: have the CSR signed by your CA, then paste the signed certificate back into the same Web Server Certificate dialog and install it.

Note: the certificate only takes effect after the vManage server is rebooted, so confirm that the installation completed before you reboot.

To reboot go to Maintenance > Device Reboot > vManage

Reference: https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Configuration/Generate_Web_Server_Certificate


Viptela Web Interface

vManage Web Interface Options/Role

I. Dashboard

II. Monitor

III. Configuration

IV. Tools

V. Maintenance

VI. Administration

a. Settings


Organization name – Set during post-installation; it must match exactly on every device in the SD-WAN deployment, since it is part of the identity carried in each device certificate.
vBond – The vBond address (IP or DNS name) that devices contact for authentication, using the default port (12346).
Email Notification – Alarm notification by email; specify the SMTP server and other mail details.
Controller Certificate Authorization – Selects how controller certificates are signed; there are three methods (described under Post Installation below).
WAN Edge Cloud Certificate Authorization – How certificates are issued to vEdge Cloud routers (default method shown).
Web Server Certificate – TLS certificate for the vManage GUI (see vManage Web Certificate Installation above).
Enforce Software Version (ZTP) – Forces devices that join through ZTP to run the software version you select from the repository.
Banner – Login banner displayed on the vManage GUI.
Reverse Proxy – Enables the reverse proxy function.
Statistics Settings – Enable/disable statistics collection per type (all enabled by default).
CloudExpress – Enables the CloudExpress features.
vAnalytics – Enables/launches vAnalytics.
Client Session Timeout – Disabled by default; sets how long an idle GUI session stays logged in. Enable it: an admin session that never expires is a standing risk.
Data Stream – Disabled by default; when enabled vManage can pull data from WAN edges for packet capture, log collection and speed tests.
Tenancy Mode – Single tenant (default) or multi-tenant.
     Note: once you switch to multi-tenant you cannot switch back.
Statistics Configuration – How often vManage collects device statistics (minimum 5 minutes).
Maintenance window – Schedule a maintenance window for major changes.
Identity Provider settings – Disabled by default; configure it to use a SAML single sign-on provider for GUI logins.
Statistics Database Configuration – Set the database space allocated to each statistics type.
Google Map API key – Key used to render device locations on the map in the GUI.
Software Install Timeout – How long vManage waits for a software install to complete before terminating it (default 60 minutes).
IPS Signature Update –

VII. Analytics

Viptela Controller Configuration

Viptela Lab – Topology


I . vManage Initial Configuration(CLI)

vmanage# conf t
Entering configuration mode terminal
vmanage(config)# system
vmanage(config-system)# host-name LAB-VMANAGE1
vmanage(config-system)# system-ip 1.1.255.11
vmanage(config-system)# site-id 255
vmanage(config-system)# organization-name "2019_VIPLAB"
vmanage(config-system)# ntp server 1.1.0.1 prefer vpn 0
vmanage(config-server-1.1.0.1)# exit
vmanage(config-ntp)# exit
vmanage(config-system)# clock timezone America/Los_Angeles
vmanage(config-system)# vbond 1.1.0.12

! The configuration is held in the candidate configuration and does not take effect until commit.

vmanage(config-system)# show configuration
system
host-name LAB-VMANAGE1
system-ip 1.1.255.11
site-id 255
organization-name 2019_VIPLAB
clock timezone America/Los_Angeles
vbond 1.1.0.12
ntp
server 1.1.0.1
version 4
prefer
exit
!
vmanage(config-system)# commit
Commit complete.

II. Interface Configuration(CLI)

LAB-VMANAGE1# conf t
Entering configuration mode terminal
LAB-VMANAGE1(config)# vpn 0
LAB-VMANAGE1(config-vpn-0)# ip route 0.0.0.0/0 1.1.0.1
LAB-VMANAGE1(config-vpn-0)# interface eth0
LAB-VMANAGE1(config-interface-eth0)# ip address 1.1.0.11/24
LAB-VMANAGE1(config-interface-eth0)# no shut
LAB-VMANAGE1(config-interface-eth0)# commit

Note: VPN 512 is the other reserved VPN, used for out-of-band management access (the equivalent of a dedicated management interface on a Cisco router); VPN 0 is the transport VPN configured here.

LAB-VMANAGE1# request nms all status 
NMS application server
Enabled: true
Status: waiting
NMS configuration database
Enabled: true
Status: running PID:6831 for 107s
NMS coordination server
Enabled: true
Status: running PID:6844 for 107s
NMS messaging server
Enabled: true
Status: running PID:8542 for 89s
NMS statistics database
Enabled: true
Status: running PID:2355 for 138s
NMS data collection agent
Enabled: true
Status: not running
NMS cloud agent
Enabled: true
Status: running PID:268 for 155s
NMS container manager
Enabled: false
Status: not running
NMS SDAVC proxy
Enabled: true
Status: running PID:363 for 155s

III. Post Installation(GUI)

1008guilab

Log In to a Device for the First Time
Enter a URL in the format https://ip-address:8443, where 8443 is the port number used by the vManage NMS.

a. Set Organization name and vBond address (default port)
Administration > Settings

b. Controller Certificate Authorization
When the controllers come up they authenticate each other with certificates, so each controller first has to obtain a signed certificate.

Ways to issue certificates to controllers
1. Symantec Automated – vManage generates a CSR on the controller's behalf and submits it automatically to the Symantec-hosted CA, where it is approved and signed under Cisco support's control. This needs Internet access from vManage.

2. Symantec Manual – Same CA, but every step is manual: generate the CSR, submit it on the Symantec website (it still has to be approved by the Cisco team), then install the signed certificate by hand. Use this when vManage has no Internet access.

3. Enterprise root certificate – You take certificate signing into your own hands with your own root CA. The process is like Symantec Manual, except that you must also install your root CA chain on every device so they trust it, instead of relying on the Symantec root that is built in.

IV. vBond Initial Configuration(CLI)

The vBond runs the vEdge image, so you configure system-ip, site-id, organization name etc. just as on a vEdge. The difference is that the vBond service is enabled by adding the local keyword to the vbond command (pointing at its own address).

vedge# conf t
Entering configuration mode terminal
vedge(config)# system 
vedge(config-system)# host-name LAB-VBOND1
vedge(config-system)# system-ip 1.1.255.12
vedge(config-system)# site-id 255
vedge(config-system)# organization-name "2019_VIPLAB"
vedge(config-system)# ntp server 1.1.0.1 prefer vpn 0
vedge(config-server-1.1.0.1)# exit
vedge(config-ntp)# exit
vedge(config-system)# vbond 1.1.0.12 local
vedge(config-system)# 
Uncommitted changes found, commit them? [yes/no/CANCEL] yes
Commit complete.
!
LAB-VBOND1# conf t
Entering configuration mode terminal
LAB-VBOND1(config)# vpn 0
LAB-VBOND1(config-vpn-0)# ip route 0.0.0.0/0 1.1.0.1
LAB-VBOND1(config-vpn-0)# interface ge0/0
LAB-VBOND1(config-interface-ge0/0)# ip address 1.1.0.12/24
LAB-VBOND1(config-interface-ge0/0)# no shut
LAB-VBOND1(config-interface-ge0/0)# no tunnel-interface
LAB-VBOND1(config-interface-ge0/0)# commit
LAB-VBOND1# show interface 
interface vpn 0 interface ge0/0 af-type ipv4
 ip-address        1.1.0.12/24
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         service
 mtu               1500
 hwaddr            50:00:00:03:00:01
 speed-mbps        1000
 duplex            full
 tcp-mss-adjust    1416
 uptime            0:00:03:11
 rx-packets        149
 tx-packets        111
interface vpn 0 interface system af-type ipv4
 ip-address        1.1.255.12/32                 <----- For vManage
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         loopback
 mtu               1500
 hwaddr            00:00:00:00:00:00
 speed-mbps        0
 duplex            full
 tcp-mss-adjust    1416
 uptime            0:00:03:17
 rx-packets        0
 tx-packets        0
interface vpn 512 interface eth0 af-type ipv4
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         service
 mtu               1500
 hwaddr            50:00:00:03:00:00
 speed-mbps        0
 duplex            half
 tcp-mss-adjust    0
 uptime            0:00:03:10
 rx-packets        0
 tx-packets        41

Note: By default the image is just a vEdge Cloud router until you enable vBond with the local keyword. Also, the tunnel interface is enabled by default on the vEdge transport interface. If you plan to register the vBond with vManage over ge0/0 you have to remove it (no tunnel-interface), otherwise registration fails: a tunnel interface only accepts the services listed under allow-service, and by default that does not include the SSH/NETCONF access vManage uses to add the controller. The alternative to disabling the tunnel interface is to keep it and explicitly permit those services (allow-service netconf and allow-service sshd).

V. Adding vBond to vManage (web)
Add the vBond by its management address; as long as the tunnel interface is removed from ge0/0 (see above), vManage can also reach the vBond on its VPN 0 address.

Configuration > Devices > Controllers > Add Controller > vBond

VI. Controller Certificate Installation using OpenSSL (enterprise root CA)

LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++++
...............................+++++
e is 65537 (0x10001)

LAB-VMANAGE1:~$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
> -subj "/C=AU/ST=NSW/L=NSW/O=network-lab/CN=vmanage.lab" \
> -out ROOTCA.pem
LAB-VMANAGE1:~$ exit

LAB-VMANAGE1# request root-cert-chain install /home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ pwd
/home/admin

! Paste the CSR generated by vManage (Configuration > Certificates > Controllers) into a file:
LAB-VMANAGE1:~$ cat > vmanage.csr
-----BEGIN CERTIFICATE REQUEST-----
(base64 body elided)
-----END CERTIFICATE REQUEST-----

LAB-VMANAGE1:~$ ls
ROOTCA.key ROOTCA.pem archive_id_rsa.pub vmanage.csr vmanage_csr

LAB-VMANAGE1:~$ openssl x509 -req -in vmanage.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vmanage.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN=vmanage-bf0c54b2-db8e-400f-a4c7-93bb226ac39a-1.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
LAB-VMANAGE1:~$ ls
ROOTCA.key ROOTCA.pem ROOTCA.srl archive_id_rsa.pub vmanage.crt vmanage.csr vmanage_csr

LAB-VMANAGE1:~$ cat vmanage.crt
-----BEGIN CERTIFICATE-----
(base64 body elided)
-----END CERTIFICATE-----
LAB-VMANAGE1:~$ exit

LAB-VMANAGE1# request certificate install /home/admin/vmanage.crt
Installing certificate via VPN 0
Copying ... /home/admin/vmanage.crt via VPN 0
Same certificate is already installed.
Failed to install the certificate !!

The last message means the device already holds an identical certificate, so there was nothing to change; show certificate installed displays what is currently in place.

Reference: https://codingpackets.com/blog/viptela-control-plane-setup

vBond Certificate installation

! Install the lab root CA chain on the vBond, pulling it from vManage over SCP in VPN 0:
LAB-VBOND1# request root-cert-chain install scp://admin@1.1.0.11:/home/admin/ROOTCA.pem vpn 0
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@1.1.0.11:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added '1.1.0.11' (ECDSA) to the list of known hosts.
viptela 18.4.3

admin@1.1.0.11's password:
ROOTCA.pem 100% 1269 40.2KB/s 00:00
Updating the root certificate chain..
Successfully installed the root certificate chain
### Sign the vBond CSR on vManage with the lab root CA
LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ cat > vbond.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
LAB-VMANAGE1:~$
LAB-VMANAGE1:~$
LAB-VMANAGE1:~$ openssl x509 -req -in vbond.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vbond.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN=vmanage-bf0c54b2-db8e-400f-a4c7-93bb226ac39a-2.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key

LAB-VBOND1# request certificate install scp://admin@1.1.0.11:/home/admin/vbond.crt vpn 0
Installing certificate via VPN 0
Copying ... admin@1.1.0.11:/home/admin/vbond.crt via VPN 0
Warning: Permanently added '1.1.0.11' (ECDSA) to the list of known hosts.
viptela 18.4.3

admin@1.1.0.11's password:
vbond.crt 100% 1314 41.4KB/s 00:00
Error: CSR not generated.. Aborting !
Failed to install the certificate !!
LAB-VBOND1#

The install is refused because the vBond has no CSR of its own: request certificate install only accepts a certificate that corresponds to a CSR generated on that device. Generate the vBond's CSR first (from vManage under Configuration > Certificates > Controllers, or with request csr upload on the vBond CLI), sign that CSR, and install the result. Note also that the subject of vbond.crt above is a vManage identity (CN=vmanage-bf0c54b2-...-2.viptela.com, the same UUID as the vManage CSR), whereas a CSR generated by the vBond carries the vBond's own identity; refusing a certificate issued for another node's key is exactly what this check is for.
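The enterprise root CA flow from sections III.b.3 and VI, as an added example in Python rather than code from the post: it wraps the same openssl commands run in vshell above and adds the two checks to run before request certificate install (the certificate chains to the root installed with request root-cert-chain install, and its public key is the one from the CSR the device generated). The device CSRs, the CN values and the working directory are constructed here so the script runs offline; it assumes the openssl binary is on PATH.

```python
"""Enterprise root CA flow for Viptela controllers (added example, not from the post).

Drives the openssl commands the post runs in vshell (genrsa, req -x509, x509 -req)
and adds the checks worth doing before "request certificate install". The device
CSRs are constructed here; on a real controller the CSR comes from vManage
(Configuration > Certificates) or "request csr upload". Assumes openssl on PATH.
"""
import subprocess
import tempfile
from pathlib import Path

# Subject layout mirrors the one shown in the post's signed certificate.
DEVICE_SUBJECT = "/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN={cn}"


def _openssl(*args: str) -> str:
    """Run one openssl subcommand; raise if it fails, return its stdout."""
    done = subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)
    return done.stdout


def make_root_ca(work: Path) -> Path:
    """The lab root CA: ROOTCA.key / ROOTCA.pem, as in the post."""
    _openssl("genrsa", "-out", str(work / "ROOTCA.key"), "2048")
    _openssl("req", "-x509", "-new", "-nodes", "-key", str(work / "ROOTCA.key"),
             "-sha256", "-days", "1024",
             "-subj", "/C=AU/ST=NSW/L=NSW/O=network-lab/CN=network-lab Root CA",
             "-out", str(work / "ROOTCA.pem"))
    return work / "ROOTCA.pem"


def make_device_csr(work: Path, name: str, cn: str) -> Path:
    """Constructed stand-in for the CSR a controller generates for its own key pair."""
    _openssl("genrsa", "-out", str(work / f"{name}.key"), "2048")
    _openssl("req", "-new", "-key", str(work / f"{name}.key"), "-sha256",
             "-subj", DEVICE_SUBJECT.format(cn=cn), "-out", str(work / f"{name}.csr"))
    return work / f"{name}.csr"


def sign_csr(work: Path, csr: Path, days: int = 500) -> Path:
    """Sign with the lab root, exactly as the post does for vmanage.csr."""
    crt = csr.with_suffix(".crt")
    _openssl("x509", "-req", "-in", str(csr), "-CA", str(work / "ROOTCA.pem"),
             "-CAkey", str(work / "ROOTCA.key"), "-CAcreateserial",
             "-out", str(crt), "-days", str(days), "-sha256")
    return crt


def cert_cn(crt: Path) -> str:
    """Subject CN of a certificate (RFC2253 formatting is stable across OpenSSL versions)."""
    subject = _openssl("x509", "-in", str(crt), "-noout", "-subject", "-nameopt", "RFC2253")
    fields = subject.split("=", 1)[1].strip().split(",")   # "subject=CN=...,O=...,..."
    return next((f[3:] for f in fields if f.startswith("CN=")), "")


def check_before_install(root: Path, csr: Path, crt: Path) -> dict:
    """What to verify before 'request certificate install' on the device:
    the cert chains to the installed root, and it was issued for this device's key."""
    chain_ok = subprocess.run(["openssl", "verify", "-CAfile", str(root), str(crt)],
                              capture_output=True).returncode == 0
    csr_key = _openssl("req", "-in", str(csr), "-noout", "-pubkey")
    crt_key = _openssl("x509", "-in", str(crt), "-noout", "-pubkey")
    return {"chain_ok": chain_ok, "key_matches_csr": csr_key == crt_key, "cn": cert_cn(crt)}


def demo() -> dict:
    """Sign a vManage CSR, then show how a cert for another node's key fails the check."""
    work = Path(tempfile.mkdtemp())
    root = make_root_ca(work)
    vmanage_csr = make_device_csr(work, "vmanage", "vmanage-lab.viptela.com")
    vbond_csr = make_device_csr(work, "vbond", "vbond-lab.viptela.com")
    crt = sign_csr(work, vmanage_csr)
    return {
        "vmanage": check_before_install(root, vmanage_csr, crt),
        # a certificate issued for a different device's CSR: wrong key, wrong CN
        "vbond_with_vmanage_cert": check_before_install(root, vbond_csr, crt),
    }


if __name__ == "__main__":
    print(demo())
```

Run it with python3 and it prints both results; the second entry is what the vBond failure above amounts to: a certificate that chains fine but was issued for a different key pair and carries another node's CN, so it must not be installed on the vBond.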

WIP: Building Viptela Lab on Eve-ng

Work in progress….

Some key points of the Viptela SD-WAN architecture:
Cisco Viptela has the following components
1. vManage (management/NMS)
2. vBond (orchestrator)
3. vSmart (controller)
4. vEdge (WAN edge router)
They connect to each other as an overlay over underlay transports such as MPLS, Internet broadband and LTE/4G. vEdges and vSmarts exchange routes and policy over OMP, and each vEdge transport attachment is identified by a TLOC (system IP, colour, encapsulation) so that peers know where to reach it.

Benefits
1. Cost Reduction
2. Zero touch provision
3. Cloud readiness
4. Control over segregated network
5. Secure VPN-based service readiness – different private clouds and SaaS services can be added or integrated easily

1st run: CPUs: 4, Mem: 24 GB

Set to CPUs: 12, Mem: 24 GB
Issue on vEdge and vManage...

My HP Proliant DL380 G6 (2u)


Due to the limited resources of my lab station (AMD Ryzen 3 with 16 GB), I decided to build a new lab station for Data Center, SD-WAN, virtualization, NetDevOps and cloud practice. The package included 5 extra SAS drives and door-to-door delivery. This server gives me 6 cores/12 threads per CPU, 24 threads in total. It has 18 RAM slots (max), of which I am using 6 with 8 GB each (48 GB in total), and the controller supports RAID 0, 1, 5 and 10.

Specs: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c01714721


Power up the HP ProLiant DL380 G6. After POST you need to configure the RAID (redundant array of independent disks).

I. RAID Configuration

> Press F8 to enter the Option ROM Configuration for Arrays (ORCA). If pressing F8 drops you into the BIOS menu instead, exit and press F8 again.

An "Invalid drive movement" error appeared, probably caused by a stale RAID configuration on the drives, so I cleared the existing RAID configuration and created a new array for the installed drives. Select RAID 5.

Once the RAID configuration was complete, I moved on to the OS/ESXi installation.

II. ESXI Installation

a. Download ESXi 6.7 from the VMware website (registration required).

b. Create a bootable USB drive using Rufus (version 2.7 here).
https://rufus.ie/

c. Connect the USB drive to a server USB port, press F11 for the boot menu and select the USB drive (option 3 here).

d. Read the installation guide for reference:
https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-67-installation-setup-guide.pdf

Once completed you can access the ESXi server through its web management interface. I exported all the virtual machines from my old lab station and imported them into the new ESXi server.


Pending: next I need to convert my physical machine running Ubuntu to OVF. This can be done with VMware vCenter Converter Standalone.

On the old lab station I created a new account with sudo rights and allowed it to run sudo without a password prompt, so the converter can run its commands through sudo. Edit /etc/sudoers with visudo, which checks the syntax before saving, and add one of the following:

visudo or sudo visudo
sudoer ALL=(ALL) NOPASSWD:ALL            # passwordless sudo for everything: convenient, but far too broad to leave in place
%sys ALL=(ALL) NOPASSWD: ALL             # the same, for every member of the sys group
sudoer ALL=(ALL) NOPASSWD: /bin/kill     # least-privilege form: only the listed command runs without a password

Remove the NOPASSWD entry once the conversion is done.
https://linuxize.com/post/how-to-create-a-sudo-user-on-ubuntu/

How to Run ‘sudo’ Command Without Entering a Password in Linux

My New Lab Station:


Network Address Translation (NAT) & Scenario

Configuration Notes:
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define the NAT inside and outside interfaces. Usually the internal network is inside and the external network is outside, but the terms are relative: they are set by where you apply ip nat inside and ip nat outside, not by which network is private.

NAT Overloading
Also called Port Address Translation (PAT), this is a form of dynamic NAT in which a single inside global IP address provides Internet access to all inside hosts, with the sessions told apart by port number. It is used where the number of inside local addresses is greater than the number of inside global addresses.

Clearing Static NAT Entry
clear ip nat translation only removes dynamic entries. A static entry lives in the configuration, so if you no longer need it, remove or edit the ip nat ... static command instead. Trying to clear a static entry produces the error "Translation not dynamic".


NAT Order of Operation:

  1. When a packet arrives on an interface configured as 'ip nat inside':
    • The router first routes on the destination address.
    • If the egress interface is configured 'ip nat outside', the packet is checked against the NAT access-list (interesting traffic) or the static entries.
    • If it matches, the source address is translated before the packet is sent out of the egress interface (route, then translate).
  2. When the return packet arrives on an interface configured as 'ip nat outside':
    • The packet is first matched against the NAT translation table.
    • If a matching entry is found, the destination IP and port are rewritten per the entry, and only then is the packet routed toward the inside (translate, then route).

NAT Terminology:

Inside Local – The address of an inside host as seen from the inside network (e.g. your private LAN address)
Inside Global – The address of an inside host as seen from the outside world (e.g. your public IP on the WAN interface)
Outside Local – The address of an outside host as seen from the inside network (it may be a translated address)
Outside Global – The address of an outside host as seen from the outside world (its real address)

IP NAT OUTSIDE SOURCE STATIC SCENARIO:

  1. Translating an outside host's address so that it appears to the LAN under a different (outside local) address.

Note: On the outside interface translation happens before routing; on the inside interface routing happens before translation.

Configure loopback on R3 and R2, make sure the route is correct on all routers.

R2#sh run int loop 30
interface Loopback30
ip address 171.68.1.1 255.255.255.255

R3#sh run int loop 30
interface Loopback30
ip address 172.16.89.32 255.255.255.255

R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 171.68.1.1 255.255.255.255 192.168.1.1

R1(config)#ip nat outside source static 172.16.89.32 171.68.16.5   ! translates the outside global source 172.16.89.32 to the outside local 171.68.16.5

R5#sh run | sec ip route
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

Results:

R3#ping 171.68.1.1 source loop 30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.68.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.89.32
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

R1#sh ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
---   ---             ---            171.68.16.5     172.16.89.32
icmp  171.68.1.1:0    171.68.1.1:0   171.68.16.5:0   172.16.89.32:0

R1#sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 2, occurred 00:00:26 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 10 Misses: 0
CEF Translated packets: 9, CEF Punted packets: 1
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

2. Overlapping Network

R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 9.9.9.0 255.255.255.0 122.1.1.2
ip route 123.12.12.0 255.255.255.0 192.168.1.1
ip route 171.68.1.1 255.255.255.255 192.168.1.1
R1#sh run | sec ip nat
ip nat outside
ip nat inside
ip nat inside source static 123.12.12.3 8.8.8.1
ip nat inside source static 192.168.1.1 8.8.8.2
ip nat outside source static 123.12.12.1 9.9.9.1
ip nat outside source static 172.16.89.32 9.9.9.2
(the two bare ip nat outside / ip nat inside lines are the interface commands on GigabitEthernet1/0 and GigabitEthernet2/0, shown without their interface headers by | section)

R2#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.254
R2#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.3 255.255.255.255

R3#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 221.0.0.2
R3#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.1 255.255.255.255

R5#sh run | sec ip route
ip route 8.8.8.0 255.255.255.0 122.1.1.1
ip route 123.12.12.0 255.255.255.0 221.0.0.1
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

R3#ping 8.8.8.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/65/76 ms

R2#ping 9.9.9.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/68 ms

Note: when troubleshooting, make sure the routes are correct: every router on the path needs routes for both the local and global forms of the addresses, in both directions.

R1#sh ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            9.9.9.1         123.12.12.1
---  ---             ---            9.9.9.2         172.16.89.32
---  8.8.8.1         123.12.12.3    ---             ---
---  8.8.8.2         192.168.1.1    ---             ---
R1#sh ip nat stat
Total active translations: 4 (4 static, 0 dynamic; 0 extended)
Peak translations: 53, occurred 00:19:08 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 299 Misses: 0
CEF Translated packets: 233, CEF Punted packets: 30
Expired translations: 36
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0
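The order of operations and the four-address terminology above, as an added example that is not part of the post: a small Python model of R1 with the static entries and routes from the overlapping-network scenario. It applies the stated rule, translate-then-route on the outside interface and route-then-translate on the inside interface, and shows why the note about routes matters: once the destination has been translated to an inside-local address, the router needs a route for that address via an inside interface. Only static entries are modelled (no ACL or dynamic pool), and the interface tag on each route is a constructed stand-in for which interface the next hop is reachable through.

```python
"""Cisco NAT order of operations on one router (added example, not from the post).

Models R1 from the overlapping-network scenario with its static NAT entries.
Outside -> inside: translate first, then route on the inside-local destination.
Inside -> outside: route on the outside-local destination first, then translate.
The (prefix, next hop, interface) routing table is a constructed stand-in for
R1's static routes; "inside"/"outside" tags which NAT interface the route exits.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    def __init__(self, routes, inside_static=(), outside_static=()):
        self.routes = [(ip_network(p), nh, ifc) for p, nh, ifc in routes]
        # ip nat inside source static <inside local> <inside global>
        self.inside_l2g = dict(inside_static)
        self.inside_g2l = {g: l for l, g in inside_static}
        # ip nat outside source static <outside global> <outside local>
        self.outside_g2l = dict(outside_static)
        self.outside_l2g = {l: g for g, l in outside_static}

    def lookup(self, dst: str):
        """Longest-prefix match; returns (network, next_hop, interface) or None."""
        hits = [r for r in self.routes if ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def from_inside(self, pkt: Packet):
        """Packet arriving on an 'ip nat inside' interface: route first, then translate."""
        route = self.lookup(pkt.dst)                 # routed on the outside-LOCAL destination
        if route is None or route[2] != "outside":
            return None                              # no route, or not leaving via a NAT outside interface
        out = Packet(src=self.inside_l2g.get(pkt.src, pkt.src),
                     dst=self.outside_l2g.get(pkt.dst, pkt.dst))
        return out, route[1]

    def from_outside(self, pkt: Packet):
        """Packet arriving on an 'ip nat outside' interface: translate first, then route."""
        inner = Packet(src=self.outside_g2l.get(pkt.src, pkt.src),
                       dst=self.inside_g2l.get(pkt.dst, pkt.dst))
        route = self.lookup(inner.dst)               # routed on the inside-LOCAL destination
        if route is None or route[2] != "inside":
            return None                              # translated, but no inside route for it
        return inner, route[1]

    def translations(self):
        """Rows in the column order of 'show ip nat translations': IG, IL, OL, OG."""
        rows = [("---", "---", ol, og) for og, ol in self.outside_g2l.items()]
        rows += [(ig, il, "---", "---") for il, ig in self.inside_l2g.items()]
        return rows


def r1_overlapping() -> NatRouter:
    """R1 from the overlapping-network scenario (routes and NAT entries from the post)."""
    return NatRouter(
        routes=[("0.0.0.0/0", "122.1.1.2", "outside"),
                ("9.9.9.0/24", "122.1.1.2", "outside"),
                ("123.12.12.0/24", "192.168.1.1", "inside"),
                ("171.68.1.1/32", "192.168.1.1", "inside")],
        inside_static=[("123.12.12.3", "8.8.8.1"), ("192.168.1.1", "8.8.8.2")],
        outside_static=[("123.12.12.1", "9.9.9.1"), ("172.16.89.32", "9.9.9.2")],
    )


def round_trip(router: NatRouter, src: str, dst: str):
    """An echo from an outside host and its reply: returns (packet as R2 sees it,
    reply as the outside host sees it), or None if either direction is dropped."""
    inbound = router.from_outside(Packet(src, dst))
    if inbound is None:
        return None
    inner, _ = inbound
    outbound = router.from_inside(Packet(src=inner.dst, dst=inner.src))  # reply swaps addresses
    return None if outbound is None else (inner, outbound[0])


if __name__ == "__main__":
    print(round_trip(r1_overlapping(), "123.12.12.1", "8.8.8.1"))
```

R3's ping sourced from 123.12.12.1 to 8.8.8.1 reaches R2 as 9.9.9.1 to 123.12.12.3, so the two overlapping 123.12.12.0/24 networks never see each other's real addresses, and the reply goes back out as 8.8.8.1 to 123.12.12.1. Drop the 123.12.12.0/24 inside route and the inbound packet is discarded after translation, which is the failure the note above warns about.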

What is CEF Punt?

https://learningnetwork.cisco.com/thread/123503

Troubleshoot/Verify NAT Configuration

1. The command show ip nat translations displays the current NAT assignments, so you can verify that the expected translations exist in the translation table. Before testing, clear any stale dynamic entries that might still be on the router.

2. To view additional details about each translation use:

R1#show ip nat translations verbose

This adds the creation time, last-use time and usage of each translation.

To clear NAT translations use: clear ip nat translation * (dynamic entries only; static entries are removed from the configuration).

Note: show ip nat translations verbose does not work in Packet Tracer.

3. Verify NAT operation by looking at every packet the router translates:

R1#debug ip nat or

R1#debug ip nat detailed

The detailed form describes each packet that was considered for translation and also reports errors such as failure to allocate a global IP address. Debugs on a busy router are expensive; restrict them to interesting traffic (debug ip nat <access-list>) or run them in a maintenance window.

4. The show ip nat statistics command displays:

a) Details of all the active translation entries
b) NAT configuration parameters
c) Number of IP addresses in the pool
d) Total number of assigned IP addresses.

http://academy.delmar.edu/Courses/download/CiscoIOS/NAT_ip_nat_outside_source_static.pdf
https://cciepursuit.wordpress.com/2007/10/07/hits-and-misses-in-ip-nat-statistics/
http://brbccie.blogspot.com/2013/06/everything-nat.html

3 ways to NAT on a Cisco Router


https://learningnetwork.cisco.com/thread/96145

3850 switch – IOS XE upgrade Detailed

By default, the switches are shipped in Install mode.

Bundle mode: the switch/stack boots directly from the .bin file. This is the traditional method: the switch extracts the .bin into RAM and runs from there.

Install mode: the .bin is pre-extracted into flash and the switch/stack boots from the packages.conf file created during the extraction.

Note:
Install mode is the recommended mode of running the switch. Not all features may be available in Bundle mode.

Upgrading a stand-alone switch:
First check what the boot variable points to. For example:
boot flash:cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin

A boot variable that points at the .bin file means the switch boots in Bundle mode. For Install mode it must point at the packages.conf file instead.

Before doing the upgrade, check which mode the switch is currently booted in:
show version | begin Switch Port

Switch  Ports  Model         SW Version  SW Image               Mode
------  -----  -----         ----------  --------               ----
*    1  32     WS-C3850-24T  03.03.01SE  cat3k_caa-universalk9  INSTALL   <-- Install mode

https://community.cisco.com/t5/networking-documents/3850-switch-ios-xe-upgrade-detailed-standalone/ta-p/3138609
https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/c/en/us/td/docs/switches/lan/Denali_16-1/ConfigExamples_Technotes/Config_Examples/Misc/qos/m_install_vs_bundle.html.xml

Cisco 3850 covert from bundle to install mode:
Current mode: BUNDLE MODE

1. dir flash: – the currently running IOS .bin should be visible.
2. Expand the running image into the flash file system:
#software expand running to flash:
This takes the running .bin and expands its contents into flash so the switch can be converted from Bundle to Install mode.

3. Verify the expansion: all .pkg files should be present, along with the essential packages.conf file.
#dir flash:

4. Change the boot variable to point to packages.conf (covers a single switch or every member of a stack):
#boot system switch all flash:packages.conf

5. Verify the boot variable and build:
#show boot

6. wr mem
7. reload
8. show version | begin Switch Port (should now show INSTALL)
9. Remove the old .bin and any unused packages to free flash:
#software clean
#wr mem

Replace a Failed Cisco 3850 Switch in a Stack
I.
1. Connect to the new switch
2. Verify the license level and IOS version, in order to avoid a license mismatch with the stack. To set the level:
#license right-to-use activate ipbase all acceptEULA
3. Restart

II.
On the stack, make sure a new switch comes up with the same software version by enabling auto-upgrade on the active switch:
Master(config)# software auto-upgrade enable
When the new switch is connected it is then upgraded automatically to the stack's version.

III.
Connect the stacking cable and the power of the new switch.

Cisco Catalyst 3850 IOS Upgrade on All Stack Members – Version Mismatch

1. Connect the switches to the stack
2. Verify the license level
3. On master
#request platform software package install auto-upgrade
Auto upgrade has been initiated for the following incompatible switch
4. Reload the new member

Cisco 3850 IOS switch stack 3.x.x to 16.x.x upgrade install mode
1. Make sure there is enough space available in flash:
#software clean
2. Copy the .bin file to the active switch's flash.
3. Once the file is copied, regenerate the RSA key pair used for SSH; the 16.x release notes call for a new key when upgrading from 3.x. Use at least a 2048-bit modulus (1024-bit RSA is below current minimums):
#crypto key generate rsa modulus 2048
4. Begin the software upgrade:
#software install file flash:filename switch verbose new force

new – creates a new packages.conf for the boot process.
force – forces the install across a major release boundary (3.x to 16.x); without it the package compatibility check fails.

Troubleshooting:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/switch_stacks.html
https://community.cisco.com/t5/switching/new-3850-stack-upgrade-problem-3-x-gt-16-x/td-p/3208779
https://community.cisco.com/t5/networking-documents/using-the-auto-upgrade-feature-on-the-cisco-catalyst-3850/ta-p/3140319