Monday, March 9, 2015

CheckPoint cluster failover

To force a failover on a CheckPoint HA cluster, run the following command on the currently active cluster member:

cphaprob -d fail -s problem -t 0 register

Verify that the active member has changed:

cphaprob stat

and

cphaprob -i list

To return the failed member to service:

cphaprob -d fail -s ok report

cphaprob -d fail unregister

Microsoft Windows NAP for Cisco WLC management access

Configuring a Cisco WLC to use RADIUS (Microsoft NAP) for management access.
In the following example I’m using Microsoft Windows Server 2008 (the steps are the same on Windows Server 2012) as the NAP (Network Access Policy) server that authenticates users for management access to the Cisco WLC.

First let’s configure the WLC as a RADIUS client:

Open the NAP console

Press the ‘+’ sign next to RADIUS Clients and Servers

Right click on RADIUS Clients and select New

Type in the name of the WLC in Friendly name

Type in the WLC IP address

Select Manual shared secret, type in the desired shared secret and confirm it



Click on the Advanced tab and select RADIUS Standard; to finish, click OK



Now let’s configure the Policy:

Open the NAP console

Press the ‘+’ sign next to Policies and select Network Policies

Right click on Network Policies and select New



The New Network Policy wizard will appear; type in the policy name



Click next

Click on Windows Groups and add the required group

Click Add, select NAS Identifier and enter the WLC hostname



Click next

Select Access granted and click next



Uncheck all, select only Unencrypted authentication (PAP, SPAP) and click Next



Under Constraints we can choose an idle timeout or day and time restrictions, or we can just click Next


Under RADIUS Attributes -> Standard, remove Framed-Protocol and change Service-Type to Administrative.


Click on Encryption, uncheck all and check only No encryption.
Click Next and then Finish.


Now let’s configure the NAP as a RADIUS server on the WLC

Log in to the WLC

Click on Security->RADIUS->Authentication and click New

Type in the NAP IP address

Type in the shared secret and confirm it

Make sure the Management checkbox is checked
Click Apply



Select Security->Priority Order->Management User, add RADIUS to Order Used for Authentication and make sure it comes before LOCAL

Click Apply


That’s it. Log out from the WLC and log in again with your domain account.
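The exchange the steps above set up, as an added Python example that is not part of the original post and is neither Cisco's nor Microsoft's code: the WLC sends an Access-Request carrying a PAP-hidden User-Password and its NAS-Identifier (the policy condition), and NPS answers with an Access-Accept carrying Service-Type Administrative (6). The shared secret, user name, NAS identifier and request authenticator are made-up values, build_access_accept is a constructed stand-in for the NPS reply, and no UDP socket is opened. It shows why the "Unencrypted authentication (PAP)" choice matters (the password is only XORed with an MD5 keystream derived from the shared secret, per RFC 2865 section 5.2) and how a client should verify the Response Authenticator before honouring the Service-Type it receives.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, NAS_IDENTIFIER = 1, 2, 6, 32
SERVICE_TYPE_ADMINISTRATIVE = 6  # the value the NPS policy above hands back to the WLC

def pap_hide(password, secret, authenticator, decrypt=False):
    # RFC 2865 section 5.2: XOR with an MD5(secret + previous ciphertext block) keystream, 16 bytes at a time
    data = password if decrypt else password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if decrypt else block)  # chaining always uses the ciphertext block
    return out.rstrip(b"\x00") if decrypt else out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_id, authenticator):
    # What the WLC sends for a management login; NAS-Identifier is the condition the policy matches on
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, pap_hide(password, secret, authenticator))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(ident, request_authenticator, secret, service_type):
    # Constructed stand-in for the NPS reply; Response Authenticator per RFC 2865 section 3
    attrs = attr(SERVICE_TYPE, struct.pack("!I", service_type))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(kind, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs

def grants_admin(response, request_authenticator, secret):
    # Trust the reply only if its authenticator proves it came from a server holding the shared secret
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if response[0] != ACCESS_ACCEPT or not hmac.compare_digest(expected, response[4:20]):
        return False
    return struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE) in parse_attrs(response).get(SERVICE_TYPE, [])
```

A reply with Service-Type Login-User (1) or NAS-Prompt (7) is rejected by grants_admin, which mirrors the WLC treating only Administrative as a management login.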

Sunday, March 8, 2015

VRF-Lite for management interface

How to configure a management interface on a WAN edge router.

Create a VRF-Lite instance for management purposes:

ip vrf MGMT
rd 1:1

Assign the required interface to this VRF:

interface GigabitEthernet0/2
description MGMT-INTF
ip vrf forwarding MGMT
ip address 10.1.0.10 255.255.255.0
load-interval 30
speed auto
duplex auto

Configure a default route for this VRF:

ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.0.1

FTP settings for downloading/uploading files to the router:

ip ftp source-interface GigabitEthernet0/2
ip ftp username cisco
ip ftp password cisco

Management access for the VTY lines:

ip access-list standard ACL_MGMT_ACCESS
permit 10.1.0.0 0.0.0.255
deny   any log
!
line vty 0 15
access-class ACL_MGMT_ACCESS in vrf-also
exec-timeout 5 0
logging synchronous
transport input ssh

Note the vrf-also keyword: without it, VTY connections arriving through interfaces that belong to a VRF are refused, so it is required for this ACL to admit sessions from any VRF, including MGMT.

NTP configuration:

ntp authentication-key 1 md5 013C10578F020123890C 7
ntp authenticate
ntp trusted-key 1
ntp source GigabitEthernet0/2
ntp server vrf MGMT 10.1.0.1 maxpoll 6 minpoll 4 version 2

And the RADIUS configuration:

radius server RADIUS
address ipv4 10.5.0.45 auth-port 1812 acct-port 1813
timeout 2
retransmit 2
key 7 013C10578F0201238
!
ip radius source-interface GigabitEthernet0/2 vrf MGMT


Thursday, March 5, 2015

DM-VPN VRF aware


Network Topology:

R7 is the hub and R10 is the spoke; both routers establish their tunnel using Loopback0 as the source IP.

R7 and R10 use VRF-Lite in front of the SP.

R7 [Hub] relevant configuration:

ip vrf LOCALSP
 rd 7:7
!
crypto keyring CCIE vrf LOCALSP
  local-address Loopback0
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-DMVPN
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
   local-address Loopback0
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set MYSET
 set isakmp-profile ISAKMP-DMVPN
!
!
interface Loopback0
 ip vrf forwarding LOCALSP
 ip address 7.7.7.7 255.255.255.255
!
!
interface Tunnel1
 ip vrf forwarding LOCALSP
 ip address 172.16.0.7 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPN
!
router bgp 65003
 bgp log-neighbor-changes
 neighbor 10.1.78.8 remote-as 65002
 !
 address-family ipv4 vrf LOCALSP
  network 7.7.7.7 mask 255.255.255.255
  neighbor 10.1.117.11 remote-as 65001
  neighbor 10.1.117.11 activate
 exit-address-family

R10 [Spoke] relevant configuration:

ip vrf LOCALSP
 rd 10:10
!
crypto keyring CCIE vrf LOCALSP
  local-address Loopback0
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-DMVPN
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
   local-address Loopback0
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set MYSET
 set isakmp-profile ISAKMP-DMVPN
!
interface Loopback0
 ip vrf forwarding LOCALSP
 ip address 10.10.10.10 255.255.255.255
!
interface Tunnel1
 ip vrf forwarding LOCALSP
 ip address 172.16.0.10 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.7 nbma 7.7.7.7 multicast
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/1
 ip vrf forwarding LOCALSP
 ip address 10.1.104.10 255.255.255.0
 duplex auto
 speed auto
!
router bgp 65004
 bgp log-neighbor-changes
 neighbor 10.1.109.9 remote-as 65002
 !
 address-family ipv4 vrf LOCALSP
  network 10.10.10.10 mask 255.255.255.255
  neighbor 10.1.104.4 remote-as 65001
  neighbor 10.1.104.4 activate
 exit-address-family

Notes:
- The interface toward the SP is configured under the VRF, so the BGP neighbor toward the SP must also be configured under the VRF address family.
- The tunnel interface must be VRF aware (tunnel vrf), so that the GRE/IPsec packets are sourced from and routed in the VRF.
- The keyring is configured for the specific VRF.
- The identity match under the ISAKMP profile is also scoped to the specific VRF.
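An added Python example, not from the blog, that serves both the VRF-Lite management post and the DM-VPN post above: a small lint over a running-config that flags VRF names referenced but never defined (a VRF defined as MGMT but referenced as MANAGEMENT, for instance) and tunnels whose tunnel vrf does not match the VRF of their tunnel source interface, which is the first thing to check when a VRF-aware DMVPN tunnel never comes up. SAMPLE is a constructed extract modelled on the two posts, not the routers' real configs, and the regexes cover only the command forms that appear on this page.

```python
import re
# Constructed sample distilled from the two posts above (not the blog's full configs): it plants an
# undefined VRF MANAGEMENT and a Tunnel2 whose source interface is not in the VRF named by 'tunnel vrf'
SAMPLE = """\
ip vrf MGMT
ip vrf LOCALSP
crypto keyring CCIE vrf LOCALSP
crypto isakmp profile ISAKMP-DMVPN
 vrf LOCALSP
 match identity address 0.0.0.0 LOCALSP
interface GigabitEthernet0/2
 ip vrf forwarding MGMT
interface Loopback0
 ip vrf forwarding LOCALSP
interface Tunnel1
 tunnel source Loopback0
 tunnel vrf LOCALSP
interface Tunnel2
 tunnel source GigabitEthernet0/2
 tunnel vrf LOCALSP
ip radius source-interface GigabitEthernet0/2 vrf MANAGEMENT
"""
DEF_RE = re.compile(r"^(?:ip vrf|vrf definition) (\S+)$")
REF_RE = re.compile(r"^ip vrf forwarding (\S+)|^(?:ip route|ntp server|address-family ipv4) vrf (\S+)|\bvrf (\S+)$")
IDENT_RE = re.compile(r"^match identity address .*?(\S+)$")  # a trailing non-numeric token names the VRF
def lint_vrfs(config):
    """Report VRFs referenced but never defined, and tunnels whose 'tunnel vrf' differs from the VRF of their 'tunnel source' interface."""
    defined, refs, iface_vrf, tun_src, tun_vrf, iface = set(), [], {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":                                   # an unindented command opens a new block
            iface = line.split()[1] if line.startswith("interface ") else None
        if iface and line.startswith("ip vrf forwarding "): iface_vrf[iface] = line.split()[-1]
        if iface and line.startswith("tunnel source "): tun_src[iface] = line.split()[-1]
        if iface and line.startswith("tunnel vrf "): tun_vrf[iface] = line.split()[-1]
        d, r, i = DEF_RE.match(line), REF_RE.search(line), IDENT_RE.match(line)
        if d:
            defined.add(d.group(1))
        elif r:
            refs.append((next(g for g in r.groups() if g), line))
        elif i and not re.fullmatch(r"[\d.]+", i.group(1)):   # 'match identity address A.B.C.D' alone names no VRF
            refs.append((i.group(1), line))
    findings = [f"undefined VRF {v!r} in: {ln}" for v, ln in refs if v not in defined]
    for tun, src in tun_src.items():
        if iface_vrf.get(src) != tun_vrf.get(tun):          # None on both sides means global table, which is fine
            findings.append(f"{tun}: tunnel vrf {tun_vrf.get(tun)} but source {src} is in VRF {iface_vrf.get(src)}")
    return findings
```

The vrf-also keyword on an access-class line is deliberately not treated as a VRF reference, so the VTY ACL from the management post passes clean.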