Thursday, August 18, 2011

Cisco AnyConnect in standalone mode

During the preparation for the Cisco 642-637 exam I was trying to put an SSL VPN (webvpn) lab together, in thick-client standalone mode, so I installed the latest version of the Cisco AnyConnect client (2.5) and was trying to connect to a router directly with it, without a web browser. It did not want to work. After approximately 3-4 hours of troubleshooting I found the problem: the IOS was old...

Here it is:
http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml#Spprtdvcs

Q. Is AnyConnect supported on Cisco IOS® devices?
A. Yes.

As of Cisco IOS Software Release 12.4(15)T in browser-initiated mode only as per the Release 12.4T New Security Features Notes.

As of Cisco IOS Software Release 12.4(20)T, standalone mode is also supported.

And that's the point. I think it could be mentioned in more places. I upgraded the IOS to a suitable version, and it started to work immediately. Hurray! The configuration:

ip local pool MYPOOL 166.1.1.1 166.1.1.10
!
! Gateway: the TLS listener the AnyConnect client connects to (port 443), with
! plain HTTP on port 80 redirected to it. The trustpoint is a self-signed
! certificate, which is fine for a lab; the client will warn about it on every
! connection, so a production gateway should use a CA-issued certificate.
webvpn gateway MYWEBVPNGW
 hostname R13
 ip address 13.3.0.1 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-4279256517
 logging enable
 inservice
 !
! The AnyConnect (SVC) client package the router hands out to clients
webvpn install svc disk0:/webvpn/svc.pkg sequence 1
 !
webvpn context MY-CONTEXT
 ssl authenticate verify all
 !
 !
 ! Policy for tunnel (svc) users: addresses come from MYPOOL, the client stays
 ! installed after disconnect, and the split tunnel sends only 13.0.0.0/8 through
 ! the VPN; everything else bypasses it.
 policy group PG
   functions svc-enabled
   svc address-pool "MYPOOL"
   svc keep-client-installed
   svc split include 13.0.0.0 255.0.0.0
 default-group-policy PG
 ! WEBLOGIN is an AAA login list defined elsewhere (aaa authentication login WEBLOGIN ...)
 aaa authentication list WEBLOGIN
 gateway MYWEBVPNGW
 max-users 10
 inservice
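The hours of troubleshooting above came down to the two release thresholds quoted from the Cisco Q&A, so the obvious check is to compare the router's IOS version against them before even installing the client. The following Python is an added example, not code from the original post or from Cisco: it pulls the version field out of "show version" output and classifies AnyConnect support as browser-only, standalone or unsupported. The sample "show version" line is constructed, and treating the 15.x trains that succeeded 12.4T as newer than 12.4(20)T is an assumption of the example.

```python
import re

# Matches the version field of an IOS "show version" banner, e.g. "Version 12.4(24)T"
# or "Version 12.4(15)T9": major.minor(release)[train][rebuild].
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)")

# Constructed sample, not a capture from the lab router.
SAMPLE_SHOW_VERSION = (
    "Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), "
    "Version 12.4(24)T, RELEASE SOFTWARE (fc1)"
)


def parse_ios_version(show_version_text):
    """Return (major, minor, release, train, rebuild), or None when no version line is present."""
    m = VERSION_RE.search(show_version_text)
    if not m:
        return None
    major, minor, release, train, rebuild = m.groups()
    return (int(major), int(minor), int(release), train, int(rebuild) if rebuild else 0)


def anyconnect_support(show_version_text):
    """Classify AnyConnect support for an IOS router from its "show version" output.

    Thresholds are the ones quoted from the Cisco Q&A in the post:
      12.4(15)T up to 12.4(19)T -> "browser-only"  (browser-initiated mode only)
      12.4(20)T and later T     -> "standalone"    (thick client without a browser)
    Anything else in 12.x (mainline 12.4 without the T train, older releases, special
    trains) is reported as "unsupported". Assumption of this example: the 15.x trains
    that succeeded 12.4T are treated as newer than 12.4(20)T.
    """
    version = parse_ios_version(show_version_text)
    if version is None:
        return "unknown"
    major, minor, release, train, _rebuild = version
    if major >= 15:
        return "standalone"
    if (major, minor) == (12, 4) and train == "T":
        if release >= 20:
            return "standalone"
        if release >= 15:
            return "browser-only"
    return "unsupported"


if __name__ == "__main__":
    print(parse_ios_version(SAMPLE_SHOW_VERSION), anyconnect_support(SAMPLE_SHOW_VERSION))
```

Paste the first line of the router's "show version" into anyconnect_support(); "browser-only" means the client must be launched from the webvpn portal page, "unsupported" means the image needs to be upgraded first.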

Monday, August 8, 2011

switchport protected

If you have an older switch which does not support private VLANs, an alternative is the protected port. It behaves roughly like the isolated port of a private VLAN: a protected port does not forward any traffic (unicast, multicast or broadcast) to another protected port on the same switch, while protected and unprotected ports can still talk to each other.

So if you want the PCs in a VLAN not to see each other at L2, set their ports to protected mode and leave the router's (default gateway) port unchanged. Every PC then reaches the router, but not the other PCs. Traffic between two protected ports can only get through a Layer 3 device, so if the gateway must not relay it either (local proxy ARP enabled on the router's interface, for instance, would let it answer ARP for the isolated hosts and route between them), block it with an ACL on the gateway as well.

Of course, this only works within a single switch: the protected flag is not carried across trunks, so two protected ports on different switches can still communicate with each other.


Switch(config)# interface GigabitEthernet0/4
Switch(config-if)# switchport protected

Switch#show interface GigabitEthernet0/4 switchport
Name: Gi0/4
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
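Checking one interface at a time, as above, does not tell you whether the VLAN is actually isolated: one forgotten unprotected host port can reach every protected port. The following Python is an added example and not code from the post: it parses the full "show interfaces switchport" output into per-interface records and lists the access ports in a VLAN that are still unprotected and are not the gateway port. The sample output is constructed (four ports in VLAN 10, Gi0/4 as the port towards the router), and the port names, VLAN number and gateway port are assumptions.

```python
import re

# Constructed "show interfaces switchport" output, not a capture from a real switch:
# four access ports in VLAN 10, two of them protected, Gi0/4 leading to the router.
SAMPLE_SHOW_SWITCHPORT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)
Protected: false
Unknown unicast blocked: disabled

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Protected: true
Unknown unicast blocked: disabled

Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Protected: true

Name: Gi0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Protected: false
"""


def parse_switchports(text):
    """Split the output into per-interface blocks (each starts with "Name:") and keep the
    fields the audit needs: {name: {"vlan": int or None, "mode": str, "protected": bool}}."""
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            ports[current] = {"vlan": None, "mode": "", "protected": False}
        elif current is None:
            continue
        elif line.startswith("Access Mode VLAN:"):
            m = re.search(r"VLAN:\s*(\d+)", line)
            ports[current]["vlan"] = int(m.group(1)) if m else None
        elif line.startswith("Operational Mode:"):
            ports[current]["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Protected:"):
            ports[current]["protected"] = line.split(":", 1)[1].strip().lower() == "true"
    return ports


def unprotected_host_ports(ports, vlan, gateway_ports):
    """Access ports in `vlan` that are neither protected nor a gateway port.

    Protected ports cannot reach each other, but every one of them can reach an
    unprotected port, so each port in this list is a host that can still talk to every
    other host in the VLAN at layer 2. An empty list means the VLAN is isolated as
    intended."""
    return sorted(
        name
        for name, p in ports.items()
        if p["vlan"] == vlan
        and p["mode"] == "static access"
        and not p["protected"]
        and name not in gateway_ports
    )


if __name__ == "__main__":
    table = parse_switchports(SAMPLE_SHOW_SWITCHPORT)
    print("still unprotected in VLAN 10:", unprotected_host_ports(table, 10, {"Gi0/4"}))
```

Feed it the output of "show interfaces switchport" for the whole switch; the gateway port set should contain the port (or trunk) that leads to the router, which is the one port that must stay unprotected.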

Wednesday, August 3, 2011

ISIS default route redistribution

I ran into the following problem: the default route is not redistributed from BGP into IS-IS during the redistribution process. It turned out that this is normal:

http://cisco.biz/en/US/docs/ios/11_3/np1/configuration/guide/1cisis.html#wp17563

"
You can force a default route into an IS-IS routing domain. Whenever you specifically configure redistribution of routes into an IS-IS routing domain, the Cisco IOS software does not, by default, redistribute the default route into the IS-IS routing domain. The following feature allows you to force the boundary router to redistribute the default route or generate a default route into its L2 LSP. You can use a route-map to conditionally advertise the default route, depending on the existence of another route in the router's routing table.

To generate a default route, perform the following task in router configuration mode:

Task                                                    Command

Force a default route into the IS-IS routing domain.    default-information originate [route-map map-name]
"

So we need a route-map to generate a default route conditionally. I did the following:

ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0

ip access-list standard LOCAL-BGP-NEXTHOP
 permit *the eBGP peer's IP address (the default route's next hop)*

route-map ISIS-DEFAULT-INFORMATION-ORIGINATE permit 10
 match ip address prefix-list DEFAULT-ROUTE
 match ip next-hop LOCAL-BGP-NEXTHOP

router isis
 default-information originate route-map ISIS-DEFAULT-INFORMATION-ORIGINATE

The router generates the default route only if 0.0.0.0/0 is already in its routing table and the next hop of that route is the address permitted in LOCAL-BGP-NEXTHOP, i.e. its own eBGP peer. The backup router will not generate one, because the next hop of the default route it holds is not its eBGP neighbour. If the primary router loses its eBGP session, the default route leaves its routing table and the default is withdrawn from its L2 LSP as well, so the rest of the IS-IS domain does not keep sending traffic to a router that has lost its exit. To verify, "show ip route 0.0.0.0" shows whether the default is present and with which next hop, and "show isis database detail" on a neighbour shows whether the default has appeared in the originating router's L2 LSP.
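The conditional part is where this can go wrong, so the following Python is an added example (not the post's code and not an IOS feature) that models how the single permit clause of the route-map is evaluated against a routing table: the route has to match the prefix-list entry, and "permit 0.0.0.0/0" without "le" matches only the default route itself, not every route as "permit 0.0.0.0/0 le 32" would; and the route's next hop has to be permitted by the standard ACL. It runs the check against constructed routing tables for a primary and a backup router; the addresses are documentation-range placeholders and the two-router topology is an assumption.

```python
import ipaddress

# Constructed routing tables, not taken from the post. The primary router learned the
# default from its eBGP peer 203.0.113.1; the backup holds the same default via iBGP with
# the primary's loopback 192.0.2.1 as next hop. Addresses are documentation-range placeholders.
EBGP_PEER = "203.0.113.1"
PRIMARY_RIB = [("0.0.0.0/0", "203.0.113.1"), ("10.0.0.0/8", "192.0.2.2")]
BACKUP_RIB = [("0.0.0.0/0", "192.0.2.1"), ("10.0.0.0/8", "192.0.2.2")]


def prefix_list_matches(entry, route, ge=None, le=None):
    """IOS prefix-list semantics for one entry.

    Without ge/le the prefix length must match exactly, so `permit 0.0.0.0/0` matches only
    the default route; `permit 0.0.0.0/0 le 32` would match every route in the table.
    With ge but no le the upper bound is 32; with le but no ge the lower bound is the
    entry's own length."""
    net = ipaddress.ip_network(entry)
    r = ipaddress.ip_network(route)
    if not r.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= r.prefixlen <= hi


def route_map_permits(rib, prefix_entry, nexthop_acl, ge=None, le=None):
    """Evaluate the permit clause of ISIS-DEFAULT-INFORMATION-ORIGINATE against a RIB.

    Both match statements of a clause must be true for the same route: the prefix matches
    the prefix-list entry and the next hop is permitted by the standard ACL. Returns the
    routes that satisfy the clause."""
    return [(p, nh) for p, nh in rib
            if prefix_list_matches(prefix_entry, p, ge, le) and nh in nexthop_acl]


def originates_default(rib, ebgp_peer=EBGP_PEER):
    """True when default-information originate would inject 0.0.0.0/0 into the L2 LSP."""
    return bool(route_map_permits(rib, "0.0.0.0/0", {ebgp_peer}))


if __name__ == "__main__":
    print("primary originates:", originates_default(PRIMARY_RIB))
    print("backup originates: ", originates_default(BACKUP_RIB))
    # eBGP session down on the primary: the default disappears and so does the origination
    print("primary without eBGP default:", originates_default(PRIMARY_RIB[1:]))
```

The third call shows the failure mode the route-map is there for: once the eBGP-learned default is gone from the primary's table, nothing matches and the default is no longer originated, while the backup never matches at all because its next hop is the primary, not the eBGP peer.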