Test network services

This container has been tested with IOS / NXOS and ACI.

Test syslog

You can verify that logs are received with syslog-ng. This service listens on the default port, udp/514.

The configuration in /etc/syslog-ng/syslog-ng.conf writes the external logs to the following file: /var/log/remote-syslog.log

# Extract of syslog-ng.conf

# Listen for remote logs on tcp/514 and udp/514 (all addresses)
source s_net {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# Write everything received from the network to one file
destination d_net { file("/var/log/remote-syslog.log"); };
log { source(s_net); destination(d_net); };

Logs can be viewed with the following command:

root@89944db0da60:~# tailf /var/log/remote-syslog.log
Apr 15 06:50:51 10.0.100.46 2019 Apr 15 06:50:48 UTC: %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet1/1 is down(Config change)
Apr 15 06:50:52 10.0.100.46 2019 Apr 15 06:50:49 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/1 is down (Administratively down)
Apr 15 06:50:55 10.0.100.46 2019 Apr 15 06:50:52 UTC: last message repeated 1 time
Apr 15 11:57:59 10.255.0.2 %LOG_LOCAL7-4-SYSTEM_MSG [F1186][raised][config-failure][warning][sys/phys-[eth1/35]/fault-F1186] Port configuration failure.                                   Reason: 2                                   Failed Config: l1:PhysIfspeed_failed_flag
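To check the receiver end to end you need two things: a way to send a test datagram to udp/514 from outside the container, and a way to read back what syslog-ng wrote. The following Python script is an added example (not part of the container or the original page): it builds an RFC 3164 datagram, and it parses lines in the layout shown above (receiver timestamp, source address, device payload) to pull out the Cisco %FACILITY-SEVERITY-MNEMONIC tag, which is what a detection rule keys on. The sample lines are constructed from the log extract above; the target address 127.0.0.1 and the tag TEST-5-PROBE are assumptions. Lines without a tag (such as "last message repeated 1 time") are kept but get no severity.

```python
import re
import socket
from datetime import datetime

# Constructed sample lines in the layout syslog-ng writes to /var/log/remote-syslog.log:
# receiver timestamp, source address, then the device's own payload.
SAMPLE_LINES = [
    "Apr 15 06:50:51 10.0.100.46 2019 Apr 15 06:50:48 UTC: %ETHPORT-5-IF_DOWN_CFG_CHANGE: "
    "Interface Ethernet1/1 is down(Config change)",
    "Apr 15 06:50:55 10.0.100.46 2019 Apr 15 06:50:52 UTC: last message repeated 1 time",
    "Apr 15 11:57:59 10.255.0.2 %LOG_LOCAL7-4-SYSTEM_MSG [F1186][raised][config-failure][warning]"
    "[sys/phys-[eth1/35]/fault-F1186] Port configuration failure.",
]

# "Mon DD HH:MM:SS <source> <payload>" as written by the file() destination.
LINE_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<source>\S+)\s(?P<payload>.*)$"
)
# Cisco message tag %FACILITY-SEVERITY-MNEMONIC; severity runs from 0 (emergency) to 7 (debug).
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)")


def parse_line(line):
    """Split one remote-syslog.log line; tag fields stay None when the payload has no %TAG."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"received": m.group("received"), "source": m.group("source"),
           "payload": m.group("payload"), "facility": None, "severity": None, "mnemonic": None}
    tag = TAG_RE.search(rec["payload"])
    if tag:
        rec["facility"] = tag.group("facility")
        rec["severity"] = int(tag.group("severity"))
        rec["mnemonic"] = tag.group("mnemonic")
    return rec


def warnings_and_worse(lines, max_severity=4):
    """Return (source, mnemonic) for every tagged line at warning (4) or a more severe level."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["severity"] is not None and rec["severity"] <= max_severity:
            hits.append((rec["source"], rec["mnemonic"]))
    return hits


def build_syslog_message(facility, severity, hostname, tag, text, ts=None):
    """RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss host tag: text, with PRI = facility * 8 + severity."""
    ts = ts or datetime.now()
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}: {text}".encode()


def send_test_message(target, port=514, message=None):
    """Send one datagram to the container's udp/514; it should then appear in remote-syslog.log."""
    # facility 23 is local7, severity 5 is notice; the tag name is an assumption
    message = message or build_syslog_message(23, 5, "lab-test", "TEST-5-PROBE", "syslog-ng reachability probe")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (target, port))
    return message


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["source"], rec["facility"], rec["severity"], rec["mnemonic"])
    print(warnings_and_worse(SAMPLE_LINES))
    # The container address is an assumption; replace it with the Docker host running the image.
    send_test_message("127.0.0.1")
```

After running it against the container, tailing /var/log/remote-syslog.log should show a line from the sending host tagged %TEST-5-PROBE; if it does not, check that port 514/udp is published in docker-compose.yml and that no host firewall drops the datagram.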

Test snmptrap

snmptrapd is used to receive SNMP traps. The logs are written to the file /var/log/snmptrapd.log.

The configuration files are /etc/snmp/snmptrapd.conf and /etc/default/snmptrapd.

The configured community is "public". You can change it in /etc/snmp/snmptrapd.conf, or disable community authorization with "disableAuthorization yes" (snmptrapd then logs traps sent with any community).

Example:


Agent Address: 0.0.0.0
Agent Hostname: nxos - UDP: [10.0.100.46]:59353->[172.21.0.2]:162
Date: 6:50:57 15-4
Enterprise OID: .
EngineID:
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v2c, community nxos
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
iso.3.6.1.2.1.1.3.0 = Timeticks: (16384794) 1 day, 21:30:47.94
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.2.1.17.0.2
iso.3.6.1.4.1.9.9.46.1.3.1.1.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.31.1.1.1.1.436207616 = STRING: "Ethernet1/1"


Agent Address: 0.0.0.0
Agent Hostname: nxos - UDP: [10.0.100.46]:59353->[172.21.0.2]:162
Date: 6:51:6 15-4
Enterprise OID: .
EngineID:
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v2c, community nxos
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
iso.3.6.1.2.1.1.3.0 = Timeticks: (16385696) 1 day, 21:30:56.96
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.43.2.0.2
iso.3.6.1.4.1.9.9.43.1.1.1.0 = Timeticks: (16384764) 1 day, 21:30:47.64
iso.3.6.1.4.1.9.9.43.1.1.6.1.6.7117 = INTEGER: 3
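To test the receiver without a switch at hand you can craft the same kind of trap yourself. The following Python script is an added example (not part of the container or the original page): it BER-encodes an SNMPv2c coldStart trap with the two mandatory varbinds (sysUpTime.0 and snmpTrapOID.0, the same OIDs as in the dump above), sends it to udp/162, and also parses the message header back, which makes the security point visible: in SNMPv1/v2c the community string travels in clear text, so it is an access label, not a secret. The receiver address 127.0.0.1 is an assumption; the community "public" and the uptime value are taken from the page.

```python
import socket

SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"        # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, mandatory second varbind
COLD_START = "1.3.6.1.6.3.1.1.5.1"         # coldStart, the trap type seen in the dump above


def ber_length(n):
    """BER length octets: short form below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def encode_int(value, tag=0x02):
    """Non-negative INTEGER (or TimeTicks with tag 0x43): minimal length, leading 0x00 if the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative values are used here")
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_varbind(oid, encoded_value):
    return tlv(0x30, encode_oid(oid) + encoded_value)


def build_trap_v2c(community, uptime_ticks, trap_oid, extra_varbinds=(), request_id=1):
    """SNMPv2-Trap-PDU (context tag 7 -> 0xA7) inside Message { version=1 (v2c), community, pdu }."""
    varbinds = [
        encode_varbind(SYS_UPTIME_0, encode_int(uptime_ticks, tag=0x43)),
        encode_varbind(SNMP_TRAP_OID_0, encode_oid(trap_oid)),
    ]
    varbinds += [encode_varbind(oid, value) for oid, value in extra_varbinds]
    pdu = tlv(0xA7, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects truncated input instead of reading past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """Return (version, community, pdu_tag); the community is readable by anyone on the path."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode(), pdu_tag


def send_trap(packet, receiver, port=162):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, (receiver, port))


if __name__ == "__main__":
    pkt = build_trap_v2c("public", 16384794, COLD_START)
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_header(pkt))
    send_trap(pkt, "127.0.0.1")  # receiver address is an assumption
```

With the default snmptrapd.conf only the configured community is accepted, so a trap built with another community string is a quick way to confirm that "disableAuthorization yes" is not in effect: it must not show up in /var/log/snmptrapd.log.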


Test tacacs+

tacacs+ is used to test Authentication, Authorization and Accounting (AAA). The configuration is in the file /etc/tacacs/tac_plus.conf.

We use the following package: http://www.shrubbery.net/tac_plus/

The current configuration is the following:

  • Tacacs key: cisco1234
  • User: user1 / cisco1234
  • Rights: admin

The log files are the following:

  • For accounting: /var/log/tacacs/tac_plus.acct
  • For authentication: /var/log/tac_plus.log

Test radius

We use freeradius with the following files:

  • radiusd.conf
  • clients.conf
  • users

The logs are in the directory /var/log/freeradius/.

Example entry in the users file for IOS/NXOS and ACI:

user1   Cleartext-Password := "cisco1234"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Cisco-AVPair += "shell:domains=all/admin/"
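A RADIUS test from the host side means sending a real Access-Request for user1 to udp/1812 and reading the reply code. The following Python script is an added example (not part of the container or the original page). It hides the PAP password the way RFC 2865 section 5.2 prescribes (MD5 of the shared secret and the request authenticator, XORed block by block), adds a Message-Authenticator (RFC 2869, HMAC-MD5 over the whole packet) so the server can reject packets from anyone who does not know the secret, and verifies that attribute on the receiving side. The credentials user1 / cisco1234 come from the page; the shared secret "lab-shared-secret", the NAS address and the server address 127.0.0.1 are assumptions (the page does not show clients.conf).

```python
import hashlib
import hmac
import os
import socket
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_MESSAGE_AUTHENTICATOR = 6, 80
SERVICE_TYPE_NAS_PROMPT = 7   # numeric value of NAS-Prompt-User from the users entry above


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def attribute(attr_type, value):
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip="127.0.0.1", identifier=0, authenticator=None):
    """PAP Access-Request with a Message-Authenticator computed over the packet (placeholder zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)))
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret.encode(), header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Return [(type, value), ...]; refuses attribute lengths that would loop or overrun."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed; False if absent or wrong."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def send_and_classify(packet, server="127.0.0.1", port=1812, timeout=3.0):
    """Send to the container's udp/1812 and name the reply: 2 Access-Accept, 3 Access-Reject."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        reply, _ = s.recvfrom(4096)
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    pkt = build_access_request("user1", "cisco1234", "lab-shared-secret")  # secret is an assumption
    print(len(pkt), "bytes; Message-Authenticator valid:", verify_message_authenticator(pkt, "lab-shared-secret"))
    print(send_and_classify(pkt))
```

Note what the round trip shows: the User-Password attribute is only obfuscated with MD5 keyed by the shared secret, so the strength of the secret is what protects cisco1234 on the wire, and a server that does not insist on Message-Authenticator accepts any packet whose password decodes, whoever built it. The accept/reject decision itself is visible in /var/log/freeradius/ on the container side.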

Docker-compose file

docker-compose.yml

version: "3"
services:
  network-test:
    image: zednetwork/network-test:latest
    ports:
      - "49:49"
      - "162:162/udp"
      - "514:514/udp"
      - "1812:1812/udp"
      - "1813:1813/udp"
    tty: true
    stdin_open: true

To download the container:

docker pull zednetwork/network-test:latest

To enter the container:

docker exec -it <container_ID> /bin/bash

Cisco IOS shell

Enable shell

Enable the Linux-like shell processing in configuration mode:

router(config)#shell processing full

Show the shell environment

router#sh shell environment
# Environment Variables:
# User Environment Variables:
?=1
# Global Environment Variables:
# Builtin Environment Variables:
PATH=CLI%Userfunctions%Builtins%SYSTEM
# Environment Functions:

# User Environment Functions:

# Global Environment Functions:

# Builtin Environment Functions:

Function namespace: DEFAULT
((              evaluate a numeric test expression


Function namespace: DEFAULT
[[              evaluate a logical test expression


Function namespace: DEFAULT
cat             output data from a pipe or file to the terminal


Function namespace: DEFAULT
cut             edit piped output


Function namespace: DEFAULT
echo            echo arguments to the terminal


Function namespace: DEFAULT
false           return false in while or if expressions, and set the result


Function namespace: DEFAULT
fetch           return values from the configuration database


Function namespace: DEFAULT
grep            search for regular expressions in piped output or files


Function namespace: DEFAULT
head            print the first lines in the input


Function namespace: DEFAULT
interface       print interfaces that match the argument


Function namespace: DEFAULT
let             evaluate a numeric expression, and set the result


Function namespace: DEFAULT
man             print information for builtins


Function namespace: DEFAULT
more            page piped output to the terminal


Function namespace: DEFAULT
nl              number the lines in the input


Function namespace: DEFAULT
null            ignore the input


Function namespace: DEFAULT
printf          output formatted data to the terminal


Function namespace: DEFAULT
read            read input into variables


Function namespace: DEFAULT
set_oper        set operational values


Function namespace: DEFAULT
sleep           pause execution of the terminal


Function namespace: DEFAULT
sort            sort the input


Function namespace: DEFAULT
tail            print the tail of the input


Function namespace: DEFAULT
true            return true in while or if expressions, and set the result


Function namespace: DEFAULT
uname           print system information


Function namespace: DEFAULT
wc              count lines, words, and chars

Example

router#sh int desc | grep up
Et0/0                          up             up
Et0/1                          up             up
Lo0                            up             up
NV0                            up             up
Tu0                            up             up

router#sh int desc | grep up | wc -l
4

Configure Route Leaking Between Global and VRF Routing with PBR

Diagram

Interface to Internet

interface Ethernet0/0
 description Outside
 ip vrf forwarding INTERNET
 ip address 192.0.0.1 255.255.255.252

Interface Inside in the GRT (Global Routing Table)

interface Ethernet0/1
 description Inside
 ip address 192.168.1.254 255.255.255.0

Leaking the default route from the global table to the Internet interface in the VRF

ip route 0.0.0.0 0.0.0.0 Ethernet0/0 192.0.0.2

NAT configuration

ip nat inside source list NAT interface Ethernet0/0 overload
access-list NAT permit 192.168.1.0 0.0.0.255

PBR configuration (return traffic arriving on the VRF interface is sent back to the global table)

ip prefix-list PREF seq 5 permit 192.168.1.0/24
!
route-map PBR permit 10
 match ip address 101
 set global
!
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
interface Ethernet0/0
 ip policy route-map PBR

Verification

Router#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.0.0.1:7        192.168.1.1:7      8.8.8.8:7          8.8.8.8:7

Router#sh ip policy
Interface      Route map
Ethernet0/0    PBR

Router#sh route-map
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    global
  Policy routing matches: 25 packets, 2850 bytes


BGP multipath with RR

The idea is for the clients to receive more than one path, not only the best path calculated by the RR.

All routers are connected to the RR.

Extract of the configuration on the RR:

router bgp 65000
 bgp router-id 10.1.1.1
 bgp log-neighbor-changes
 bgp additional-paths select best 2
 bgp additional-paths send
 neighbor IBGP peer-group
 neighbor IBGP remote-as 65000
 neighbor IBGP update-source Loopback0
 neighbor IBGP route-reflector-client
 neighbor IBGP advertise additional-paths best 2
 maximum-paths ibgp 2

The RR installs up to two paths and advertises the additional paths on the same session.

Extract of the configuration on one BGP client:

router bgp 65000
 bgp router-id 10.1.1.2
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65000
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 10.1.1.1 next-hop-self
 neighbor 10.1.1.1 additional-paths receive
 maximum-paths ibgp 2

The client installs up to two paths and can receive more than one path from the same neighbor.

More information:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-additional-paths.html

OSPF Router-ID lookup

By default, OSPF displays the Router-ID as an IP address.

It is possible to change this behaviour and display a name instead.

Before:

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.31.31        0   FULL/  -        00:00:39    10.0.99.2       Ethernet0/1
10.0.130.130      0   FULL/  -        00:00:36    10.0.10.2       Ethernet0/2

After:

ip host R3 10.0.130.130
ip host R2 10.0.31.31
!
ip ospf name-lookup

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
R2                0   FULL/  -        00:00:38    10.0.99.2       Ethernet0/1
R3                0   FULL/  -        00:00:36    10.0.10.2       Ethernet0/2

Of course, the router-id must be fixed (configured statically) so that the host-name mapping stays valid.