Nov 26

Here is a small task that illustrates how combining a few technologies can result in an interesting solution.

Task:

Configure R1 to send all logging messages to the remote server at the IP address “10.0.0.100”. Ensure secure (non-cleartext) and reliable (acknowledged) information delivery.

DO NOT USE:

1) TCP as the transport protocol.
2) IPsec for encryption.
3) Any tunneling technology.

Recent update: do not use BEEP. This seems to be ruled out by “don’t use TCP”, but it is worth mentioning separately. The solution is supposed to be a “bit” more complicated :)

For simplicity, assume the server to be directly connected to the router via Ethernet. Also, assume the server could be configured in any way to match the router’s configuration.

The first person to find the correct solution will win a $100 Amazon.com gift card. Since tomorrow is a big holiday in the US, we will post the solution and announce the winner around the coming weekend.

Have a nice Thanksgiving!

—-

OK, it looks like I’m getting old after all :) The solution was found a few hours after I made the post! The winner is: Carl Burkland. Congratulaitons! He was the first to post a working solution. I’m disclosing the comments right now, so you can see the other people who came up with correct solutions or bright ideas after Carl. Also, see some explanations and comments below.

R1:
logging history debugging
snmp-server engineID remote 10.0.0.100 ABCD12345678
snmp-server group TRAP v3 priv
snmp-server user TRAP TRAP remote 10.0.0.100 v3 auth sha CISCO priv des56 CISCO
snmp-server enable traps syslog
snmp-server host 10.0.0.100 informs version 3 priv TRAP

The idea is to combine the following features:

1) Syslog history buffer logging.
2) SNMP traps/informs generation based on syslog messages.
3) SNMPv3 DES encryption for traps/informs.
4) Reliable delivery thanks to informs mechanism.
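To see what those four features look like on the wire, here is an added example (not code from this post, from IOS, or from any SNMP server) that parses the outer SNMPv3 envelope (RFC 3412 header plus the RFC 3414 USM security parameters) of a notification and checks the two properties the task asks for: the msgFlags carry authPriv, and the reportable flag is set (a confirmed inform rather than an unacknowledged trap). It also reads the authoritative engine ID, which for an inform must be the server's. The sample messages are constructed inline with a dummy opaque payload standing in for the encrypted scoped PDU; the server engine ID reuses the page's placeholder ABCD12345678 (taken literally as six octets) and the router engine ID is made up.

```python
# Added example (not from the post or IOS): inspect the SNMPv3 envelope of a
# notification to confirm authPriv, inform (acknowledged) delivery and the
# engine ID the keys were localized to. Sample packets are constructed here.

AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04   # RFC 3412 msgFlags
USM_SECURITY_MODEL = 3                                       # RFC 3414
PDU_NAMES = {0xA2: "response", 0xA6: "inform", 0xA7: "trap-v2", 0xA8: "report"}

# --- minimal BER encoder, only used to construct the sample messages ---
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def ber_int(v: int) -> bytes:       # non-negative values only
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_octets(b: bytes) -> bytes:
    return tlv(0x04, b)

def ber_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def build_sample_message(engine_id: bytes, user: bytes, flags: int, pdu_tag: int = 0xA6) -> bytes:
    """Constructed SNMPv3 message. With the priv flag set the scoped PDU is
    replaced by opaque bytes, as an encrypted payload would be; otherwise a
    plaintext scoped PDU (contextEngineID, contextName, empty PDU) is embedded."""
    usm = ber_seq(ber_octets(engine_id), ber_int(7), ber_int(123456), ber_octets(user),
                  ber_octets(b"\x00" * 12), ber_octets(b"\x00" * 8))
    header = ber_seq(ber_int(0x1234), ber_int(1500), ber_octets(bytes([flags])),
                     ber_int(USM_SECURITY_MODEL))
    if flags & PRIV_FLAG:
        data = ber_octets(b"\xAA" * 32)
    else:
        data = ber_seq(ber_octets(engine_id), ber_octets(b""), tlv(pdu_tag, b""))
    return ber_seq(ber_int(3), header, ber_octets(usm), data)

# --- minimal BER reader ---
def read_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes):
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        items.append((tag, value))
    return items

def inspect_message(msg: bytes) -> dict:
    tag, content, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    version, header, sec_params, data = children(content)
    _msg_id, _max_size, flags, sec_model = children(header[1])
    flags = flags[1][0]
    _, usm_content, _ = read_tlv(sec_params[1])   # OCTET STRING wraps the USM SEQUENCE
    usm = children(usm_content)   # engineID, boots, time, user, authParams, privParams
    if data[0] == 0x04:
        pdu = "encrypted"          # privacy in use: PDU type not visible without the key
    else:
        pdu = PDU_NAMES.get(children(data[1])[2][0], "other")
    return {
        "version": int.from_bytes(version[1], "big"),
        "auth": bool(flags & AUTH_FLAG),
        "priv": bool(flags & PRIV_FLAG),
        "reportable": bool(flags & REPORTABLE_FLAG),
        "usm": int.from_bytes(sec_model[1], "big") == USM_SECURITY_MODEL,
        "authoritative_engine_id": usm[0][1].hex(),
        "user": usm[3][1].decode(),
        "pdu": pdu,
    }

def check_notification(msg: bytes, server_engine_id: bytes) -> list:
    """Findings against the task's requirements; an empty list means the
    notification is encrypted, acknowledged and keyed to the server."""
    info = inspect_message(msg)
    findings = []
    if info["version"] != 3 or not info["usm"]:
        findings.append("not SNMPv3/USM")
    if not (info["auth"] and info["priv"]):
        findings.append("not authPriv: the payload is readable on the wire")
    if not info["reportable"]:
        findings.append("reportable flag clear: unacknowledged trap, not an inform")
    if info["authoritative_engine_id"] != server_engine_id.hex().lower():
        findings.append("authoritative engine ID is not the server's: keys were localized "
                        "to another engine (missing 'snmp-server engineID remote'?)")
    return findings

SERVER_ENGINE_ID = bytes.fromhex("ABCD12345678")               # page's placeholder, taken as 6 octets
ROUTER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")   # constructed local engine ID

if __name__ == "__main__":
    inform = build_sample_message(SERVER_ENGINE_ID, b"TRAP", AUTH_FLAG | PRIV_FLAG | REPORTABLE_FLAG)
    trap = build_sample_message(ROUTER_ENGINE_ID, b"TRAP", AUTH_FLAG | PRIV_FLAG, 0xA7)
    print("inform:", check_notification(inform, SERVER_ENGINE_ID))
    print("trap:  ", check_notification(trap, SERVER_ENGINE_ID))
```

Run against a real capture (the UDP/162 datagram payload from the server side), the same checks tell you whether the router is really sending encrypted informs keyed to the server, without needing the server to decrypt anything.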

Of course, using any reliable transport would be too easy ;) . Antonio Soares (and later Sorin CONSTANTINESCU) came up with the idea of using PPPoE with MPPE and the PPP reliable-link feature. While this violates the requirement of not using any tunneling technique (in this case – L2 inside L2), the idea is really good. The only problem is that I never found “reliable” PPP to work, particularly with PPPoE :) It looks like you still need good old LAPB encapsulation on serial interfaces to enforce reliable delivery. There is another protocol called “RBSCP” which you could use across unreliable/long-haul links to improve TCP performance, but this deserves a separate post.

Other people (e.g. NTllect, Lejoe Thomas – see their comments) correctly suggested using SNMPv3 informs, but some did not provide the complete working configuration. The trick is that in order to get SNMPv3 informs working you need to configure a remote engine ID for the remote server and associate the SNMPv3 user with this ID. Without that, the router will not send any informs! You can easily verify whether your configuration is working by doing something like this:

access-list 100 permit udp any any eq 162

R1#debug ip packet 100 dump

Generate some syslog messages and see whether packets are captured.
After that, use the command show snmp pending to see the pending informs (if any).
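The reason the remote engine ID is mandatory is in how USM derives its keys. A user's password is first turned into a master key Ku and then localized as H(Ku || engineID || Ku), where engineID is the ID of the authoritative engine of the exchange. For a trap the sender is authoritative, so the router can localize with its own ID; for an inform the receiver is authoritative, so the router has to localize with the server's engine ID, which it cannot know unless it is configured. The following added example (not code from this post or from IOS) implements the RFC 3414 password-to-key and localization steps and shows that the keys for a trap and for an inform differ. The “maplesyrup” vectors used in the test are the ones from RFC 3414 appendix A.3; the server engine ID reuses the page's placeholder ABCD12345678 (taken literally as six octets, without modelling how IOS pads short engine IDs) and the router engine ID is constructed.

```python
# Added example (not from the post or from IOS): RFC 3414 password-to-key and
# key localization, showing why 'snmp-server engineID remote' is mandatory for
# informs. Engine IDs below are the page's placeholder and a constructed one.
import hashlib

ONE_MIB = 1048576   # RFC 3414 A.2: the password is expanded to 1,048,576 octets

def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku = H(password repeated cyclically to exactly 1 MiB) (RFC 3414 A.2.1 / A.2.2)."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, expanded).digest()

def localize_key(ku: bytes, authoritative_engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key actually used to authenticate or
    encrypt, bound to the authoritative engine of the exchange (RFC 3414 2.6)."""
    return hashlib.new(hash_name, ku + authoritative_engine_id + ku).digest()

def usm_keys(auth_password: bytes, priv_password: bytes,
             authoritative_engine_id: bytes, hash_name: str = "sha1") -> dict:
    """Localized auth and priv keys a sender must hold for this engine. With
    'priv des56' the first 8 octets of the priv key are the DES key and the
    next 8 are the pre-IV (RFC 3414 8.1.1.1)."""
    auth = localize_key(password_to_key(auth_password, hash_name),
                        authoritative_engine_id, hash_name)
    priv = localize_key(password_to_key(priv_password, hash_name),
                        authoritative_engine_id, hash_name)
    return {"auth": auth, "priv": priv, "des_key": priv[:8], "des_pre_iv": priv[8:16]}

SERVER_ENGINE_ID = bytes.fromhex("ABCD12345678")               # page's placeholder, taken as 6 octets
ROUTER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")   # constructed local engine ID

def inform_vs_trap_keys(auth_password: bytes = b"CISCO", priv_password: bytes = b"CISCO") -> dict:
    """Trap: the router (sender) is authoritative, so keys localize to its own ID.
    Inform: the receiver is authoritative, so the router must localize to the
    server's ID, which it only knows if 'snmp-server engineID remote' is set.
    The passwords default to the ones in the post's configuration (auth sha CISCO priv des56 CISCO)."""
    return {
        "trap": usm_keys(auth_password, priv_password, ROUTER_ENGINE_ID),
        "inform": usm_keys(auth_password, priv_password, SERVER_ENGINE_ID),
    }

if __name__ == "__main__":
    k = inform_vs_trap_keys()
    print("trap   auth key:", k["trap"]["auth"].hex())
    print("inform auth key:", k["inform"]["auth"].hex())
    print("same key?", k["trap"]["auth"] == k["inform"]["auth"])
```

The practical consequence for the server side is the same: the receiver must be configured with the same user, passwords and its own engine ID, since it localizes the keys to that ID when it verifies and decrypts the inform, which is the point Lejoe Thomas makes in his comment.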

Overall I’ve seen a bunch of pretty good answers. Thanks a lot to everyone for participating. Congratulations to the winner once again; our sales team will contact you after the holidays! Oh yeah, and next time I will try to come up with more complicated tasks.

About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.




19 Responses to “Brainteaser: IP Services”

 
  1. Andrew Hoyos says:

    BEEP as a transport with TLS would probably fit the bill, although BEEP operates on top of TCP, so I don’t know if that fits your guidelines :)

    logging trap debugging
    logging host 10.0.0.100 transport beep channel 1 tls cipher 128

  2. alan says:

    use snmp informs?

  3. Carl Burkland says:

    Have R1 send the syslog messages as SNMPv3 (UDP) informs. That way the communication is encrypted and acknowledged.

    snmp-server engineID remote 10.0.0.100 8888888888
    snmp-server user MYV3USER MYV3GROUP remote 10.0.0.100 v3 auth md5 CCIERS priv des56 password1234
    snmp-server host 10.0.0.100 inform version 3 priv MYV3USER syslog
    snmp-server enable traps
    logging history inform

  4. ayman azzam says:

    hello to all

    snmp-server enable traps syslog

    snmp-server host 10.0.0.100 informs ver 3 priv r1 syslog

    logging history debugging
    logging history size 4096

  5. Antonio Soares says:

    R1:
    !
    username SERVER password 0 CISCO
    !
    interface FastEthernet0/0
    pppoe enable
    pppoe-client dial-pool-number 1
    !
    interface Dialer1
    ip address 10.0.0.1 255.255.255.0
    encapsulation ppp
    dialer pool 1
    ppp encrypt mppe 128 required
    ppp authentication ms-chap
    !
    logging trap debugging
    logging 10.0.0.100
    !

    SERVER:
    !
    username R1 password 0 CISCO
    !
    bba-group pppoe global
    virtual-template 1
    !
    interface FastEthernet0/0
    pppoe enable group global
    !
    interface Virtual-Template1
    ip address 10.0.0.100 255.255.255.0
    ppp encrypt mppe 128 passive
    ppp authentication ms-chap
    !

  6. NTllect says:

    Rack1R1#sh run | s snmp
    snmp-server group CCIE v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
    snmp-server group IEGROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
    snmp-server enable traps syslog
    snmp-server host 10.0.0.100 version 3 priv CCIE

    Rack1R1#sh run | s logging
    logging trap debugging

  7. Run PPPoE with the logging server. Use the following PPP options:

    1) ppp encrypt mppe 128 required
    2) ppp reliable-link

  8. Lejoe Thomas says:

    I think SNMPv3 will accomplish the goals of sending the logging messages
    1) using UDP
    2) Providing Encryption
    3) Message Integrity (acknowledgment)

    All commands in global configuration mode

    snmp-server engineID local [engine-id string]
    snmp-server group logginggroup v3 auth
    snmp-server user lejoe logginggroup v3 encrypted auth md5 mypassword
    snmp-server host 10.0.0.100 version 3 auth lejoe

    #syslog messages are now sent via snmp

    snmp-server enable traps syslog
    logging history debugging

    Of course you’ll have to configure the username, authentication type, password and engineID in the SNMP server on 10.0.0.100

  9. Tassos says:

    I don’t know if this fits into the category “assume the server could be configured in any way to match the router’s configuration”, but here it goes:

    snmp-server engineID local 0000000000
    snmp-server engineID remote 10.0.0.100 0101010101

    snmp-server group SYSLOG-TRAP-GROUP v3 priv
    snmp-server user SYSLOG-TRAP-USER SYSLOG-TRAP-GROUP remote 10.0.0.100 v3 auth md5 CISCO priv 3des CISCO

    snmp-server host 10.0.0.100 informs version 3 priv SYSLOG-TRAP-USER

    snmp-server enable traps syslog

  10. SSink says:

    This is a nice one! :)

    Damn already answer by Tassos after leaving for lunch.

  11. dinu says:

    Configure syslog to send messages as traps and configure the snmp server as v3 with encryption and to send informs.

  12. alan says:

    I wasn’t as specific, but how cool am I to know the answer based on the question and be the first one! I don’t even get a $1 voucher?

  13. Vladimir Sousa says:

    Hello again,

    Nice Post,

    however, shouldn’t

    snmp-server host 10.0.0.100 traps version 3 priv TRAP

    be:
    snmp-server host 10.0.0.100 informs version 3 priv TRAP
    ?

    Regards,
    Vlad

  14. To: Vladimir Sousa

    Correct, my bad :) Those should be informs, I fixed the solution. Seems like age is taking its tax on me :)

  15. To: alan

    I must admit, that was the quickest reply with the correct solution idea :) However, a good idea by itself does not constitute a solution yet. It may take quite some time for the idea to evolve into a working thing.

    Still, as a fan reader of our blog and a person of insight you deserved a prize too. I’ll talk to our sales team and we’ll figure out an “encouraging” gift for you ;)

  16. alan says:

    woohooo, thanks. look forward to it. :)

  17. Rack009 says:

    “Congratulaitons” should be Congratulations

  18. Cisco_Godfather says:

    @ Rack009

    lol

    This proves the fact that Petr is really getting old :D

  19. NTllect says:

    I think the very complete solution would require

    Rack1R5(config)#$ TRAP remote ABCD12345678 v3 auth sha CISCO priv des56 CISCO
    Translating "ABCD12345678"

    %Illegal Hostname or IP/IPv6 address

    Rack1R5(config)#ip host ABCD12345678 10.0.0.100
