alcatron.net

Cisco has finally got their act together and released a x64 version of their VPN client to be used on Vista/Windows 7. About Time!…I just tested it and works well The following is available:

vpnclient-winx64-msi-5.0.07.0290-k9.exe
Release Date: 13/Apr/2010
VPN Client Software for x86 64-bit version of Vista/Windows 7 - Microsoft Installer
Size: 4898.00 KB  (5015552 bytes)

And the x86 as well of course:

vpnclient-win-msi-5.0.07.0290-k9.exe
Release Date: 13/Apr/2010
VPN Client Software for x86 32-bit version of XP/Vista/Windows 7 - Microsoft Installer
Size: 7814.00 KB  (8001536 bytes)

They would probably kill me if I mirrored it on here, im sure you guys can grab a copy of it from somewhere

Tech

Hey everyone, welcome to 2010

In the last week I managed to score myself a Cisco Aironet Series 1140 access point. Now it is standalone since its only going to be used for a single AP setup without any wireless controllers.

The model which I got is the - AIR-AP1142N-N-K9 and also I had to get with it a powersupply AIR-PWR-B=.

As taken from the cisco website..

“The Cisco® Aironet® 1140 Series Access Point is a business-ready, indoor access point designed for simple deployment and energy efficiency. The 1140 Series is a dual-band (a/g/n), 802.11n access point with integrated antennas. It can be ordered in a controller-based* (lightweight) or Standalone (autonomous) version. “

I must say im quite impressed by this AP, the performance and features make it really outstanding. The access point is “Made in the USA” so none of that made in china stuff..

A show version from the console:

Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(21a)JA1, RELEASE
SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 16-Sep-09 18:09 by prod_rel_team

ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA, RELEASE SOFTWARE
(fc4)

cisco AIR-AP1142N-N-K9     (PowerPC405ex) processor (revision A0) with 98294K/32
768K bytes of memory.
Processor board ID FTX1350S0AG
PowerPC405ex CPU at 586Mhz, revision number 0×147E
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radio(s)

The access point is configurable by console and by a webpage interface. I must say the webpage interface is quite easy to use, and so is the AP.

I have taken some screenshots of the webpage interface below, and some shots of the AP. It gets a 10/10 from me, and of course the AP is nicely connected to that 2960G switch (click on images to make them larger)

Tech

Well well, it seems cisco has updated their Cisco 877 IOS with version 15!!

Latest IOSes on their site:
ADVANCED ENTERPRISE SERVICES
c870-adventerprisek9-mz.150-1.XA.bin
Release Date: 27/Oct/2009
Size: 23984.26 KB (24559880 bytes)
Minimum Memory: DRAM:128 MB Flash:28 MB

ADVANCED IP SERVICES
c870-advipservicesk9-mz.150-1.XA.bin
Release Date: 27/Oct/2009
Size: 23680.82 KB (24249152 bytes)
Minimum Memory: DRAM:128 MB Flash:28 MB

ADVANCED SECURITY
c870-advsecurityk9-mz.150-1.XA.bin
Release Date: 27/Oct/2009
Size: 20300.32 KB (20787520 bytes)
Minimum Memory: DRAM:128 MB Flash:24 MB

Just beware when you load these on, to watch out for the memory/flash requirements!

Also along with the new IOS versions, they have also released a recent DSL controller firmware, however no readme file yet for it!

Latest firmware:
adsl_alc_20190_4.0.018.bin
Description ADSL firmware version 4.0.18
Size 977.49 KB (1000952 bytes)

Will attempt to test the IOS/Firmware and see how they go, if anyone else has tested these please comment, and let us know how they are

Cisco 877

Netdisco 1.0 has been released, probably the best network management tool of all your routers/switches in the enterprise

This brings many new features including improved Vlan searching, graphical network mapping, and device type discovery including IP phones and wireless clients.

Full VMware image, and Source files availble from http://sourceforge.net/projects/netdisco/files/

More info http://www.netdisco.org/

News

I researched some more information how to tighten the 877 against security attacks, and usually on your dialer interface you might have this..

ip access-group 101 in

then a access list for incoming traffic via access-group 101 might look like this..

access-list 101 permit ip any any

However with having this set, means icmp, port attacks, or any other type of probing could be spoofed to gain access to your network. I have implemented the following access list filter to stop that from occuring, by blocking any internal LAN ranges from the wan side coming in via the dialer interface, and other type of bogus attacks.

access-list 101 deny   icmp any any echo                (blocks wan pings)
access-list 101 deny   tcp any any eq 139     (blocks port 139 netbios attacks used for ms fileshares)
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any  (blocks internal lan range)
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any (blocks internal lan range)
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any (blocks internal lan range)
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any  (blocks localhost spoofs)
access-list 101 deny   ip 50.0.0.0 0.255.255.255 any   (blocks unused 50.* address space which attackers may spoof)
access-list 101 deny   ip 100.0.0.0 0.255.255.255 any   (blocks unused 100.* address space which attackers may spoof)
access-list 101 deny   ip 101.0.0.0 0.255.255.255 any (blocks unused 101.* address space which attackers may spoof)
access-list 101 deny   ip host 255.255.255.255 any (blocks spoofing from this address)
access-list 101 deny   ip host 0.0.0.0 any (blocks spoofing from this address)
access-list 101 permit ip any any  (permits all other traffic)

Now once you have this in place, how do you know if you are actually getting hits from any of these rules, and if the 877 is dropping the packets if the acl matches?

There is one nice command to show that data…(need to be in priviliged mode)

cisco877#show access-lists
Extended IP access list 101
10 deny icmp any any echo (30 matches)  <30 hits on blocking wan ping from outside sources
20 deny tcp any any eq 139 log
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 127.0.0.0 0.255.255.255 any
70 deny ip 50.0.0.0 0.255.255.255 any log
80 deny ip 100.0.0.0 0.255.255.255 any log
90 deny ip 101.0.0.0 0.255.255.255 any log
100 deny ip host 255.255.255.255 any
110 deny ip host 0.0.0.0 any
120 permit ip any any (2954091 matches) <<lots of hits being allowed in from other sources not in access list (normal ip traffic flow)

Hopefully this is useful to someone wishing to implement a bit more security to their 877 setup

Any questions post your comments.

Cisco 877

Well the new switch just arrived here are some pics. Looks quite nice, little bit bigger than your usual 8 port switch, but it runs nice and quiet

When it came to configuring individual ports, following website prooved very useful:
http://www.itsyourip.com/cisco/how-to-enable-spanning-tree-portfast-in-cisco-catalyst-switch-ios/

With gigabit connectivity you can enable jumbo ports in global config:

system mtu jumbo 9000

Then by issuing “show system mtu”

System MTU size is 1500 bytes
System Jumbo MTU size is 9000 bytes
Routing MTU size is 1500 bytes

Also note on Port GigabitEthernet 0/6 i decided not to use the portfast/bpduguard since the Cisco 877 is plugged into it, and that has a switch. Portfast is only recommended on single devices etc.

Current config I have running:

Current configuration : 3531 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2960G
!
boot-start-marker
boot-end-marker
!
enable secret yourpasshere
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
switchport mode access
!
interface GigabitEthernet0/7
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!

interface GigabitEthernet0/8
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Vlan1
ip address 10.108.1.9 255.255.255.224
no ip route-cache
control-plane
!
!
line con 0
login

line vty 0 4
access-class 102 in
login
line vty 5 15
no login
!
end

Tech

Well i just ordered a new cisco switch - CISCO WS-C2960G-8TC-L

To be used for home purposes of course and experimenting So far I have the 877 as the ADSL type modem, also got a Cisco Pix501 used as a firewall for a wireless network I connect into, and im just missing a cisco switch now

I also have to one day write a small writeup on how a pix501 can be configured in between networks.

When i get the 2960G will post photos/config etc

Tech

Need to setup a 877 with an external ADSL modem in bridged mode? Maybe you have another modem which can sync/be more stable than the cisco and you wish to purely use the 877 as a router.

Following commands should help set it up..

Assign an ethernet interface to where it will use pppoe from, and assign it vlan2

interface FastEthernet3
description External DSL PPPoE
switchport access vlan 2

interface Vlan2
description External DSL PPPoE
no ip address
pppoe enable group global
pppoe-client dial-pool-number 2

setup a Dialer2 interface..

!
interface Dialer2
description connection to External DSL modem
ip address negotiated
ip access-group 101 in
no ip unreachables
ip nat outside
no ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1410
dialer pool 2
dialer idle-timeout 0
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname something@something
ppp chap password something

ip route 0.0.0.0 0.0.0.0 Dialer2

ip nat inside source list 102 interface Dialer2 overload

Cisco 877

c870-advipservicesk9-mz.124-24.T1.bin
Release Date: 23/Jun/2009

c870-advsecurityk9-mz.124-24.T1.bin
Release Date: 23/Jun/2009

Just released from cisco…the T1 might solve the router from crashing and creating a dump file as it did in the T version.

Cisco 877

With my current Cisco 877 configuration running in PPPoA configuration, I noticed that my international file transfer/download performance wasnt up to scratch. Everything locally was quite fast, but when it came to download files from overseas I noticed transfer speeds would go up and down constantly without any consistency in speed. This was the same case with video streaming and constant buffering. At the same time I had a Draytek 2710 and the performance on that was better compared to the Cisco.

I spent a few hours trying to tweak various MTU/TCP MSS ADJUST settings to optimize international bandwidth performance on the Cisco. The Draytek MTU default was 1442, so I figured something on the cisco within the MTU is causing these performance issues. So I investigated and tried so many various settings and in the end, I switched to PPPoE on the Cisco. What I then discovered is, that I do not need the MTU configured on the Cisco at all, and the 877 performs better without the MTU set. All that I changed in my new configuration is adding the command “ip tcp adjust-mss 1405″ on the Dialer1 interface. After this was applied I noticed a dramatic improvement on TCP/FTP transfers from overseas destinations. As well as having  “ip virtual-reassembly” on the vlan1 interface.

I did also try adjusting the mss value to 1442 same as the draytek, however it didnt perform as well, so then i tried decrementing values to try to see what kind of performance it made, and in the end 1405 came out to be very good.

So if you are in the same scenario, and wanting to improve TCP transfers on your cisco, the MSS adjust setting could come in very handy.

When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.

The PPP over Ethernet (PPPoE) standard supports a MTU of only 1492 bytes. The disparity between the host and PPPoE MTU size can cause the router in between the host and the server to drop 1500-byte packets and terminate TCP sessions over the PPPoE network. Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work.

The ip tcp adjust-mss command helps prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN packets.

The ip tcp adjust-mss command is effective only for TCP connections passing through the router.

(Taken from the Cisco website…http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html)

Here is my current PPPoE config, with the optimizations:
(Items in bold are the changes)

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log uptime
service password-encryption
service internal
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
logging console critical
enable secret yoursecretpassword
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time ACST recurring last Sun Oct 2:00 1 Sun Apr 3:00
!
!
dot11 syslog
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip name-server 192.231.203.132
ip name-server 192.231.203.3
!
!
!
username root privilege 15 password yourpasswordhere
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
description — Internode ADSL —
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
dsl bitswap both
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.108.1.2 255.255.255.224
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description connection to ISP PPPoE 8/35 MUX
ip address negotiated
ip access-group 101 in
no ip unreachables
ip nat outside
no ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1405
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username@something.net
ppp chap password yourpasshere

interface Dialer0
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1

access-list 1 permit 10.108.1.0 0.0.0.31
access-list 1 deny   any
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
access-list 102 permit ip 10.108.1.0 0.0.0.31 any
dialer-list 1 protocol ip permit
snmp-server community public RO 1
!
!

line con 0
password youreconsolepassword
login
no modem enable
transport preferred none
stopbits 1
line aux 0
line vty 0 4
session-timeout 240
access-class 102 in
password yourtelnetpassword
login
transport preferred none
!
scheduler max-task-time 5000
sntp server 129.127.40.3
end

Cisco 877