Reference: Special addresses

This page serves as a reference guide for special addresses used in networking.

MAC Addresses

| Pattern | Purpose | Usage |
|---|---|---|
| 00:00:0C:07:AC:[XX] | HSRP v1 IPv4 | Last two nibbles are the HSRP group |
| 00:00:0C:9F:F[X:XX] | HSRP v2 IPv4 | Last three nibbles are the HSRP Group |
| 00:05:73:A0:0[X:XX] | HSRP v2 IPv6 | Last three nibbles are the HSRP Group |
| 00:00:5E:00:01:[XX] | VRRP IPv4 | Last two nibbles are the Virtual Router ID |
| 00:00:5E:00:02:[XX] | VRRP IPv6 | Last two nibbles are the Virtual Router ID |
| 00:07:B4:00:[XX]:[YY] | GLBP | Last octet is GLBP group [XX] followed by the AVF number [YY] |
| 00:23:04:EE:BE:[XX] | VPC System-mac | Last two nibbles is the VPC Domain ID |
| 01:80:C2:00:00:00 | STP BPDU | Destination MAC for BPDUs |
| 01:00:0C:CC:CC:CD | Cisco PVSTP BPDU | Destination MAC for BPDUs |
| 01:80:C2:00:00:02 | IEEE Std 802.3 Slow Protocols multicast address | Used for LACP etc |
| 01:00:0C:CC:CC:CC | Multicast MAC for Cisco services | Used for PAgP/CDP/VTP |


Fault: Unresponsive UI when putting EVE-NG behind an NGINX reverse proxy

For the purposes of this article I’m making an assumption that the reader has already completed all of the steps required to place EVE-NG behind an NGINX reverse proxy. Using the default settings this can cause the EVE-NG HTML5 GUI to act in an unpredictable manner and at times appear to act like there is extreme latency and jitter on the connection.

This same effect can often be seen on other reverse proxy-like applications and can affect other web applications that rely on real-time or near real-time communications. Most notably, Cisco AnyConnect’s Web SSL VPN appears to suffer from this effect, although it can be observed to come and go. There is no resolution for Cisco AnyConnect as the configuration options to resolve the root cause are not available to us.

Root cause: The cause of this behaviour is that NGINX will buffer the traffic to the EVE-NG server and therefore to the Apache Guacamole instance behind EVE-NG. While this makes for an efficient proxy, it prevents connections to Apache Guacamole from being made correctly and causes sessions to time out. This will eventually exhaust all available sessions and prevent users from connecting.

Resolution: Disable proxy buffering in your proxy.conf on the NGINX server.

This solution may be suitable for other reverse proxies and SSL Web VPNs if the options are configurable. This is the required configuration to be added to the location section of the config file:

proxy_buffering off;

The below is the full required config for the location section of the reverse proxy configuration should it be required for reference:

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass https://INTERNALIP:443;
    # Pass responses straight through instead of buffering them
    proxy_buffering off;
}


Guide: How to get experience of Palo Alto without physical kit

When studying for the Palo Alto PCNSA exam I had formal training and experience with the PA firewalls themselves. That said, not all of the PA firewalls I supported used all of the features required for the exam and so self study was essential. Now that I’m beginning my studies for PCNSE I’ve discovered that this not only requires experience of PanOS on the firewalls but also experience of Panorama.

This guide will discuss the options available to someone studying for PCNSA or PCNSE to get some hands-on training before sitting the exams.

Palo Alto Learning Centre

Palo Alto have an education page explaining the certification process and what resources are available to help you study. The most useful of these is the Learning Centre. The Learning Centre provides access to some training courses and training materials, however what you get access to depends on your or your company’s relationship with Palo Alto. Palo Alto partners also get additional learning resources and courses such as EDU-110. As part of these training courses there are virtual labs available that give access to the physical kit, however these courses won’t be available for everyone.

Virtual Appliance / EVE-NG

The Palo Alto firewall can be deployed as a virtual appliance in most hypervisors. Even in production these virtual appliances can be utilised. The VM Series appliances can be deployed without being licensed or registered in an ‘evaluation’ type state. This allows us to configure and get used to the GUI/CLI but comes with some major drawbacks. The ‘secret sauce’ of Palo Alto firewalls relies heavily on its cloud-connected features. These features require licenses. Another drawback is that without the base/throughput license on a Palo Alto firewall we don’t get the monitor logs, which makes troubleshooting much more difficult. That said, for PCNSA/PCNSE this is a fantastic way to get hands on a real device without any physical hardware. I particularly recommend using EVE-NG to run the PA virtual images in.

EVE-NG is a clientless multi-vendor network emulation platform. Similar to GNS3, it allows us to virtualise a variety of network devices including but not limited to Cisco switches/routers/firewalls and Palo Alto firewalls. This can run on bare metal or on any hypervisor as a VM. It also provides a full HTML5 GUI for interaction, meaning that only a web browser is required to use it. It’s very easy to set up and build custom topologies. There is a free and a professional edition.

EVE-NG Basic topology of 2 x Palo Alto VMs, 1 Layer 3 switch and a docker client of Firefox

The professional edition costs about £108/$112 per year (at time of writing) for individuals and is definitely worth it if you’re studying for Cisco or Palo Alto certifications. The professional edition provides ‘docker’ based images for things like web browsers and Wireshark, which makes connecting to the GUI on the Palo Alto firewalls much easier, and it also allows for interfaces to be connected/disconnected while the devices are switched on.

Example of the EVE-NG Docker Firefox node and CLI via the HTML5 GUI

AWS / Amazon Web Services

As I alluded to earlier, the secret sauce for Palo Alto comes from its cloud-based features such as Wildfire/PanDB URL lookups and APP-ID services. These all require licenses to function and so for study the cost of a dedicated device (even with NFR/LAB licenses) may be too high for an individual. Another issue is the requirement for PCNSE candidates to have experience of Panorama as this also requires licensing for the Firewall.

This is where Amazon Web Services comes in. AWS allows us to spin up virtual Palo Alto firewalls or Panorama in an EC2 instance and to pay by the hour for the use of the devices. As well as the EC2 compute/S3 Storage cost for these we also pay a small fee which covers the licensing and subscriptions for the various advanced features. As we only want this for non-production purposes we can lower the EC2 instance’s resources to the lowest possible to reduce the cost of running.

AWS has the following options for Palo Alto in its marketplace:

VM-Series Next-Generation Firewall Bundle 1 – From $0.87 per hour

  • Palo Alto VM Series firewall
  • Threat Prevention (IDS/IPS) subscription
  • Premium Support
  • Panorama subscription

VM-Series Next-Generation Firewall Bundle 2 – From $1.14 per hour

  • Palo Alto VM Series firewall
  • Threat Prevention (IDS/IPS) subscription
  • PanDB URL filtering subscription
  • Wildfire
  • Global Protect & DNS filtering subscriptions
  • Premium Support
  • Panorama subscription

Palo Alto Networks Panorama – From $0.19 per hour

  • The Panorama server is slightly different in that the license is applied to the firewall so there are only compute costs.

Other virtual machines can also be spun up in AWS and integrated into your topologies for testing. While this method isn’t free it provides a low cost alternative to an NFR (Not for resale) or Lab licensed device. This allows an individual to have access to the full range of Palo Alto capabilities for a small fee. If this were for a team or company I’d suggest getting the NFR or Lab licensed physical kit as this would be cheaper and more effective in the long run.

I intend to put together a guide on building a PCNSE study environment in AWS at a later date.


Fault: Why does my DNS lookup return my own internal IP Address?

If you’re doing an NSLOOKUP for a DNS name that resolves to your router’s public IPv4 address you may find that the result returned from any external DNS server will resolve to your client’s internal IP address. If you have an internal DNS server that is forwarding queries to an external DNS server then you may see the DNS server’s IP address when querying.

Scenario: You have a server internally which you’re NATing from your outside interface on your Cisco router to an internal IP address. You run a dynamic DNS client to map WWW.YOURDOMAIN.COM to your public IP. Your clients on the LAN also use this router to get internet access using PAT/NAT Overload. You want to verify that the DNS entry has propagated to Google DNS so you perform an NSLOOKUP to 8.8.8.8 or 8.8.4.4.

nslookup WWW.YOURDOMAIN.COM 8.8.8.8
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: WWW.YOURDOMAIN.COM
Address: 192.168.0.10

But if you try an online DNS check tool like MX Toolbox it will return the correct result or if you get someone else to try for you to the same External DNS server they get the correct result.

Investigation: Let’s confirm what we appear to be seeing. To do this we will capture the DNS queries for an external website (www.google.com) and one to an entry mapped to my external IP (testdns.kierandrain.com).

Query from 10.100.5.22 to 8.8.8.8 requesting the ip for www.google.com

So we can see the reply to our query here and it has resolved www.google.com to 172.214.169.36 correctly. Next we’ll test for testdns.kierandrain.com which is currently mapped to the public IP of my Cisco router.

Query from 10.100.5.22 to 8.8.8.8 requesting the ip for dnstest.kierandrain.com

So we can see this time that 8.8.8.8 appears to have returned the IP address of the querying host. So why did 8.8.8.8 return the incorrect result and how did Google know what the local IP address was to return that in the query? As far as 8.8.8.8 was concerned the request came from my public IP and my client was using NAT to contact 8.8.8.8.

Problem Statement: In short, any internal queries where the result’s IP matches the router’s outside interface are somehow modified to return the querying host’s IP address. The same issue doesn’t affect IPv6 traffic.

Root cause: You might suspect that this behaviour of the external IP being mapped to an internal one looks suspiciously like a NAT issue, but since NAT only affects the Layer 3 and Layer 4 information on the packets and we see application layer changes then surely this couldn’t be the case. Could it?

The culprit here is a feature known as ALG – Application Layer Gateway. This isn’t specific to Cisco however it does come enabled on all Cisco routers. ALG is intended to support traffic flows where NAT is being performed by changing application layer data on a packet to reflect the changes performed by NAT. This can however cause problems like the scenario above and particularly for SIP and VoIP traffic where the changes can actually cause the packets to become malformed.

As there’s nothing in our router configuration to tell us this is enabled you will need to use the all keyword when trying to view the configuration.

Router#show run all | i ip nat service
ip nat service all-algs

As you can see all ALG services are currently enabled by default. To get a detailed view of the ALG subservices we can run the following command.

router(config)#ip nat service ?
H225              H323-H225 protocol
all-algs          Enable all NAT ALGs
dns               DNS protocol
dns-reset-tl      Reset dns cname ttl value
dns-v6            dns v6 packet processing
ftp               ftp protocol
fullrange         allocate all available port of 1024 to 65535
gatekeeper        Gatekeeper protocol
ipsec-esp         ipsec esp packet processing options
ldap              LDAP protocol
list              Specify access list describing global addresses
modify-in-progress Packet processing options when config is being modified and/or cleared
msrpc             MS-RPC protocol
netbios-dgm       NetBios datagram protocol
netbios-ns        NetBios name protocol
netbios-ssn       NetBios session protocol
pptp              PPTP protocol
ras               H323-RAS protocol
rcmd              RCMD protocol
rtsp              RTSP protocol
sip               SIP protocol
skinny            skinny protocol
sunrpc            SUNRPC protocol
tftp              TFTP protocol

Resolution: To resolve this issue we simply disable the NAT ALG service for DNS by issuing the No command for the service. Note we must do this for tcp and udp separately.

! Most modern IOS/IOSXE will disable the service using these commands
!
Router(config)#no ip nat service dns tcp
Router(config)#no ip nat service dns udp

! Some older IOS devices use the following format
!
Router(config)#no ip nat service alg udp dns
Router(config)#no ip nat service alg tcp dns

Now that this service is disabled the DNS lookup data will not be inspected/changed and so lookups will return the correct IP address for a client behind NAT.
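
A check for the symptom described above, as an added example that is not part of the original post: it parses a raw DNS response and flags RFC 1918 addresses in answers that claim to come from a public resolver. The sample responses are constructed inline (203.0.113.10 is a documentation address) and all function names are hypothetical.

```python
import ipaddress
import struct

# RFC 1918 ranges. ipaddress.is_private is not used because it also
# matches documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(address):
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def build_a_response(name, address, txid=0x1234, ttl=60):
    """Constructed sample: a DNS response with one question and one A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # type A, class IN
    # The answer name is a compression pointer to offset 12 (the question name).
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(address).packed)
    return header + question + answer


def _read_name(msg, offset):
    """Return (name, next_offset), following compression pointers with a loop guard."""
    labels, jumps, resume = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def a_records(msg):
    """Return [(name, address)] for every A record in the answer section."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                             # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and len(rdata) == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def suspicious_answers(msg, resolver):
    """Private addresses in a reply from a public resolver suggest on-path rewriting."""
    if in_rfc1918(resolver):
        return []        # an internal resolver may legitimately answer with internal IPs
    return [(n, a) for n, a in a_records(msg) if in_rfc1918(a)]


if __name__ == "__main__":
    rewritten = build_a_response("WWW.YOURDOMAIN.COM", "192.168.0.10")
    untouched = build_a_response("WWW.YOURDOMAIN.COM", "203.0.113.10")
    print(suspicious_answers(rewritten, "8.8.8.8"))
    print(suspicious_answers(untouched, "8.8.8.8"))
```

Run against captured responses before and after disabling the DNS ALG, the flagged list should go from containing the internal address to empty.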


Tip: Force Cisco device to sync to NTP server

If NTP is unable to synchronise on a Cisco switch or router you may resolve the root cause and the device will still not be synchronised when we check. This is because the device will wait until the next polling interval to try again. Normally we can wait however in instances where we need to update a number of devices this process can be time consuming.

Device# Show ntp associations
address ref clock st when poll reach delay offset disp
~195.219.205.9 .INIT. 16 - 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

To force the sync simply remove the NTP configuration for that peer and re-add it. On the addition of the peer the initial sync is immediate.

Device#conf t
Device(config)#no ntp server 195.219.205.9
Device(config)#ntp server 195.219.205.9

And now when we check it will have immediately been synchronised.

address ref clock st when poll reach delay offset disp
+~195.219.205.9 195.219.14.21 2 31 64 1 15.958 3.940 188.52


Reference: Higher or lower preferred?

This will be a dynamic document to document all the scenarios where it’s not clear which is better; A higher value or a lower value?

I have noticed that as a general rule, for layer 2 technologies a lower value is preferred and for layer 3 a higher value is preferred. The purpose of this post is to keep a list so I can see if this rule holds out or is proven wrong on some occasions.

Cisco

| Value | Default Value | Preferred value |
|---|---|---|
| HSRP Priority | 100 | Higher |
| BGP Local-preference | 100 | Higher |
| BGP Weight (Cisco) | 0 | Higher |
| BGP MED | 0 | Lower |
| Spanning-tree bridge ID | 32768 | Lower |
| Router ID auto selection | IP Address [1] | Higher |

[1] The highest active configured IP on a loopback is preferred. If there are no loopbacks then the highest IP address on an active interface is chosen next.

Palo Alto

| Value | Default Value | Preferred value |
|---|---|---|
| HA Device Priority | 100 | Lower [2] |

[2] The Palo Alto documentation covers this in a very confusing manner. It states that the device with the highest device priority is chosen as the active. It goes on to say that a lower integer value means the device has a higher priority.


Reference: Networking Mnemonics

The following is a list of networking Mnemonics which I have either created, been told about or read about as a method of remembering various aspects of networking as part of my study. This list will be updated as time goes on:

The OSI Model

| OSI Layer | Mnemonic | OSI Layer description |
|---|---|---|
| 1 | People | Physical |
| 2 | Don’t | Data-link |
| 3 | Need | Network |
| 4 | Those | Transport |
| 5 | Stupid | Session |
| 6 | Packets | Presentation |
| 7 | Anyway | Application |

The OSI Model (Alternative)
Please Do Not Take Sales Peoples Advice

EIGRP K Values

| K Value | Mnemonic | K Value Description |
|---|---|---|
| K1 | Big | Bandwidth |
| K2 | Latencies | Load |
| K3 | Don’t | Delay |
| K4 | Really | Reliability |
| K5 | Matter | MTU |

Bear in mind that the Cisco format for entering the metric is as follows

metric [Bandwidth] [Delay] [Reliability] [Load] [MTU]
Metric 100 0 255 1 1500

Always remember that delay is in units of 10 microseconds and so a value of 10 is actually equal to 100 microseconds of delay.

OSPF LSA Types

| LSA Type | Mnemonic | LSA Description |
|---|---|---|
| Type 1 | Right | Router LSA |
| Type 2 | Now | Network LSA |
| Type 3 | Some | Summary LSA |
| Type 4 | Argue | ASBR Summary LSA |
| Type 5 | As [1] | ASBR External LSA |
| Type 6 | Good | Group Membership LSA |
| Type 7 | Network | NSSA LSA |
| Type 8 | Engineers | External Attributes |
| Type 9 | Look | Link Scope Opaque |
| Type 10 | Always | Area Scope Opaque |
| Type 11 | Aside | AS Scope Opaque |

[1] Think of AS path to remember external

Cisco BGP Attributes (NB: Not yet completed)

| BGP Metric | Mnemonic | Preference | Significance | Requirement |
|---|---|---|---|---|
| Weight | | Highest | Local | |
| Local Preference | | Highest | Local AS | |
| Local originated | | Local originated | Local | |
| AS Path | | Shortest | Global | |
| MED | | Lower | Global | |
| External | | eBGP > iBGP | | |
| IGP cost | | Lowest | | |
| eBGP Peering | | Oldest | | |
| Router ID | | Lowest | | |

BGP attributes are evaluated from the top down. Preference is which value is better than another value and significance is whether that property carries to other ASes, is local to the AS or is local to the device. Compatibility is whether something is vendor proprietary.

Syslog Severity levels

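| Syslog level | Mnemonic | Syslog Level description |
|---|---|---|
| 0 | Everyone | Emergency |
| 1 | Always | Alert |
| 2 | Complains | Critical |
| 3 | Even | Error |
| 4 | When | Warning |
| 5 | Nothing | Notification |
| 6 | Is | Informational |
| 7 | Different | Debugging |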


Guide: Using KeePass – The Basics

What is KeePass?

KeePass is a free and open-source password manager. The application allows for usernames, passwords and other information such as strings and files to be stored in a secure database. Where KeePass differs from many commercial solutions for password management is that it stores these in a single encrypted file rather than utilising any storage in the cloud. This credential database is secured using a master password.

Why use KeePass?

It is best practice to use a unique username and/or password for each service we create credentials for. This practice prevents a scenario whereby if one service is compromised (e.g. Email) that the same credentials are compromised by virtue of being used for other services (e.g. Online banking). It is also good practice to pick a strong password which would be infeasible for a computer to crack. The problem is that doing this gives an unreasonable amount of credentials to memorise. KeePass allows for the storage of credentials and creation of cryptographically secure passwords meaning that we need only remember the master password. It is also free and open source and so open to scrutiny and comes at zero cost.

I personally use KeePass because I’m too forgetful to remember all of these usernames and passwords and too lazy to manually type them in.

Getting started with KeePass

As stated before KeePass stores the passwords in a database file. If you have multiple devices you may need access to this file from multiple locations. To achieve this you can store the KeePass file on cloud storage such as Google Drive, OneDrive, Dropbox or iCloud.

KeePass Clients

As KeePass is free and open-source there are multiple clients across the different platforms. These are the clients I have used and can personally recommend. Simply install the applications to get started.

Creating the KeePass database

Inside the application choose to create a new database. You’ll then be prompted for the login credentials.

Ensure that you set a strong password as this will protect all of your other passwords. You can also use a key file to provide additional security. Another option is to use your computer’s login account in place of the authentication. I do not recommend this approach due to the extra risks involved.

In addition to the default settings I recommend making the KeePass database stronger by using the key transformation options. This makes checking the password more computationally difficult, so each guess takes longer. Before this is enabled we can see how long a guess would take:

This means a computer could guess 500 passwords per second if it were to try to brute force the password. By selecting 1 second delay it will modify the key transformation such that it takes much longer.

This now means a computer could guess less than 1 password per second and is therefore more resistant to brute forcing. The rest of the default settings are good enough.

There are a number of options in the settings to change how KeePass operates; Things like whether or not it opens on startup, minimizes to the tray or the start menu or default usernames for entries. These are largely personal preference however I’d recommend setting the following options.

Enable “Enter Master key on secure desktop”. This option uses the secure desktop (like when UAC dims the screen when asking for an admin prompt) when entering your password thereby preventing applications from intercepting the key strokes. The other option I recommend changing is the autotype features.

I personally recommend using F4 for Global Autotype and Control + Alt + P for the Autotype selected entry. The auto type feature is something I’ll explore in a later blog post.

Once the KeePass file is created and saved it’s just a matter of pointing whatever client you use to the file wherever the file is and enter the master password.


Guide: Configuring a Cisco router for BT Ultrafast Broadband (FTTP)

Disclaimer: In no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this guide. Please ensure you read the full disclaimer before proceeding. By proceeding you confirm you have read and agree to these terms.

PLEASE READ BEFORE CONTINUING:

If you are a home user; Reconsider using Cisco as a manufacturer for your router. Caution should be taken when considering buying a second hand router. This is due to the new requirement for Cisco Smart licensing which makes it almost impossible to get the correct licenses and support applied to your router if you purchased it second hand.

As Infinity broadband (FTTC/Fibre to the Cabinet) has been commonplace for several years there are a number of documents out there describing how to configure a Cisco router for this service. Ultrafast fibre broadband is a new product offered by BT and as such there isn’t a huge amount of information available as it relates to Cisco, however BT have produced SIN documents (Suppliers’ Information Notes) to describe the FTTP product just as they have done for the FTTC product. As I moved to Ultrafast broadband when it was available and run a Cisco network at home I have attempted to work out how to configure a Cisco router for this service and documented it for others.

If you’re confident with Cisco configuration you may choose to skip to the configuration only guide here.

The BT SINs discussed below can all be found here:
https://www.openreach.co.uk/orpg/home/helpandsupport/sins/sins.do

In order to make things simpler I will break each element into the following segments:

  • Step 1 – Choosing the right router
  • Step 2 – Understanding how FTTP is delivered
  • Step 3 – Initial configuration of the FTTP
  • Step 4 – Configuration of IPv6
  • Step 5 – Security hardening of the router
  • Step 6 – (Optional) BT TV and Multicast

Step 1 – Choosing the right router

For FTTC the most popular Cisco VDSL routers were Cisco 880s and 890s. These are hybrid router/switch devices that aren’t quite a router and aren’t quite a layer 3 switch. The Cisco 880 series (e.g. Cisco C887VA) has a limited throughput capability and when certain features are enabled like NAT, Context Based Access Control (CBAC) or VPN tunnels the performance will restrict throughput to around 20-25mbit/s. The Cisco 890 series (e.g. Cisco C897VA) provides more capability however in the same scenario the throughput could be limited to around 130-140 mbit/s.

The speeds offered in the BT Ultrafast broadband range far exceed this and so throughput becomes an issue. In my opinion there are three possible solutions:

Solution 1: Offload the features which are most CPU intensive (NAT and CBAC) to another device (like a pfSense firewall) and route all your traffic through it instead or use pfSense in place of the router entirely.

Solution 2: Use a more capable dedicated Cisco router such as an ISR4000 since a VDSL interface is no longer required.

Solution 3: Use a Cisco 1100 Series ISR. These are the routers designed to replace the Cisco 897 which are now end of sale. I have gone for this option and will be using a Cisco ISR C1111-8P.

Step 2 – Understanding how FTTP is delivered

In order to provide FTTP a fiber must be run from your local fiber enabled cabinet to your home. Usually this involves the ‘removal’ of your current analogue phoneline. In many cases the analogue line will be used as a fish wire to pull the new fiber line into your premises.

The fibre will be terminated into an ONT (Optical Network Termination). This unit used to comprise of two elements. The ONT and the battery backup. It would appear that BT no longer provide the battery backup.

The fiber is terminated into the ONT and the ethernet cable to our router will come from this. It requires a standard plug socket. On my ONT enclosure there is a gap where the battery backup would have gone. The ONT also has a BT plug for a telephone, however the normal BT Master socket / NTE5 is still in place and wired for use and so I don’t know if the ONT provides any usable phone connection for now. This also means that you could potentially revert back to FTTC.

The same PPPoE configuration is required for FTTP as was required for FTTC. The dialer interfaces are configured identically.

With FTTC traffic was sent in two ways: data traffic was sent via VLAN 101 and all other traffic (multicast etc) was sent untagged. This is particularly troublesome for BT TV which relies on the multicast traffic for its services. On the FTTC broadband it was recommended that the interface with the BT TV be bridged to the WAN interface. In FTTP however all traffic is untagged which presents us with a problem for IPTV. This is explored further in step 6. Although the SIN makes reference to a VLAN tag being allocated on a per customer basis, I saw no VLAN tags when I ran a Wireshark capture of the WAN connection and so I can only assume the ONT strips these tags off before presenting to us.

The speed promises of Ultrafast can be a little confusing to understand as it will come with a “Guaranteed minimum speed” and a much faster maximum speed. I’m guessing that this is because in practice we have a few different ‘levels’ of bandwidth available. BT SIN506 describes the various ‘levels’ and the behaviour that goes along with them. I suspect that the current consumer offerings from BT relate to one of these and the ‘guarantees’ are the prioritised rate plus the committed burst size:

Click here to go to BT SIN 506

The table under 2.1.6 of the above document shows various product specifications with a peak rate (e.g. the advertised max rate for Ultrafast) and the prioritised rate (e.g. the minimum speed guarantee rate). To achieve this the service will police to the committed information rate (prioritised) and burst up to the peak information rate. We don’t need to worry about this table as this is the shaping which is occurring from the provider to us.

For the traffic originating from our router (Upstream) the BT SIN has the following to say:

CPs can (optionally) prioritise upstream traffic from the CPE to the ONT by marking their traffic with IEEE 802.1p markings in a VLAN. The GEA-FTTP service supports four upstream queues that are served in strict priority order

Source: BT SIN506 – Fibre to the Premises (FTTP) Generic Ethernet Access, Service and Interface Description

And here lies the problem with our ability to prioritise our upstream traffic. As the CoS marking is done on the VLAN tag and we know the ONT strips off the VLAN tag there is no mechanism for tagging the traffic as it leaves our router. If the service was ordered by a business there may be a mechanism by virtue of utilising the VLAN tagging.

As an optional step you might consider shaping the upload of your router to try to avoid TCP global synchronisation issues with your FTTP service. I say this is optional because it’s extremely unlikely for you to cause issues unless you’re maxing out the upload speeds.

Step 3 – Initial configuration of the FTTP

The first step in our configuration will be to configure the PPPoE connection so we can authenticate with the provider’s network. To do this we create a dialer interface with the required parameters and apply it to our WAN interface. With BT connections in general the username and password are largely superficial. With Cisco however we must at least supply a username and password or the router won’t initiate the PPP session.
If you have a business connection the details below might work but using the supplied credentials is essential if you want to ensure you have the correct static IPs available. This configuration adjusts the MTU values, enables CHAP authentication, and requests an IP address and a default route.

interface Dialer0
  ip address negotiated
  encapsulation ppp
  ip tcp adjust-mss 1452
  ! Pool number must match pppoe-client dial-pool-number on the WAN interface
  dialer pool 1
  no cdp enable
  ppp mtu adaptive
  ppp authentication chap callin
  ppp chap hostname bthomehub@btbroadband.com
  ppp chap password DoesntMatter
  ppp ipcp dns request
  ppp ipcp route default

Now we want to apply the configuration to secure our device:

Now we need to apply NAT overload (PAT) to allow internet access out. First we create an ACL to define the networks that require internet access and then we add the NAT rule and then apply NAT to the interfaces. The vlan is the subnet or subnets you want to provide internet access for.

ip access-list standard Internet-Permitted
  remark == Permit NAT for Internet Access ==
  permit <network id> <Wildcard mask>

ip nat inside source list Internet-Permitted interface Dialer0 overload

interface Dialer0
  ip nat outside
interface vlan X
  ip nat inside

The final step is to patch the BT ONT to your WAN port and configure the port to use the dialer interface.

interface GigabitEthernet0/0/0
  description WAN - FTTP Uplink
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  negotiation auto
  no cdp enable
  pppoe enable group global
  pppoe-client dial-pool-number 1
  no mop enabled

Before you patch the WAN interface you’ll want to complete step 4 (optional) and step 5 to ensure that your device is properly secured.

Step 4 – Configuration of IPv6

BT provide a /56 subnet for IPv6. What this means is that we have 256 /64 subnets to allocate. The prefix that BT allocate is dynamic just like the IPv4 address and so could change on reboot. The method used to allocate IPv6 addresses to clients is called stateless DHCPv6. Once you have defined your subnet for a network utilising the prefix learned from BT clients use SLAAC to learn of the prefix using NDP and our router will reply with the prefix in a router advertisement. SLAAC requires a /64 in order to perform the autoconfiguration. The client then auto configures the host portion of the IP address. The final step is for DHCPv6 to be used to supply DNS servers to the IPv6 clients.

First we enable IPv6 unicast routing. We can also enable source-route, which allows an IPv6 packet to define its route, however this is only for diagnostics and can be left out; source routing is normally kept disabled on an internet-facing router. We then set a default route for IPv6 to the dialer interface (this isn’t learned like the IPv4 route) and define a DHCP pool to hand out the DNS servers for clients.

ipv6 source-route
ipv6 unicast-routing
ipv6 route ::/0 Dialer0
ipv6 dhcp pool IPv6
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844

These two DNS servers are the IPv6 equivalent of Google’s 8.8.8.8 and 8.8.4.4, so you can change these for whichever provider you prefer. We then configure the dialer interface to enable IPv6, request a prefix from BT and configure an IPv6 address based on that prefix.

interface Dialer0
 ipv6 address PREFIX-V6 ::1/64
 ipv6 enable
 ipv6 dhcp client pd PREFIX-V6 rapid-commit

Rapid commit here just makes the request a much shorter two-step process. We then need to configure our VLANs to enable IPv6 and advertise the prefix for users to autoconfigure. We also need to ensure DNS servers are handed to IPv6 clients.

interface vlan x
 ipv6 address PREFIX-V6 ::<x>:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6

PREFIX-V6 tells the interface to use the prefix we learned from BT (the /56) as the base of the /64 address. Set the <x> element to any number between 1 and 255 (0 was used for our dialer interface) and this will define separate /64 subnets. The other-config flag lets the clients know they can use DHCPv6 to receive additional configuration, and the server command directs the clients to the DHCP pool we created above. Now we are done: the router will learn its IPv6 prefix from BT, and each client will learn its /64 subnet via NDP and autoconfigure using SLAAC. They will also get their DNS servers from DHCPv6.
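How the learned prefix and the ::<x>:0:0:0:1/64 suffix combine, as an added example that is not part of the original guide. The delegated /56 is a constructed documentation prefix and the function names are this example's own; because <x> is read as hexadecimal in an IPv6 address, the example rejects any value above ff rather than assuming how the router resolves an overlap with the delegated bits.

```python
import ipaddress

# Constructed stand-in for the /56 BT delegates (documentation range).
DELEGATED = "2001:db8:1234:ab00::/56"


def general_prefix_address(delegated, suffix):
    """Form the interface address from a delegated prefix and an IOS-style
    suffix such as '::1:0:0:0:1/64' (prefix bits from the ISP, rest from us)."""
    pd = ipaddress.IPv6Network(delegated)
    sfx = ipaddress.IPv6Interface(suffix)
    if sfx.network.prefixlen < pd.prefixlen:
        raise ValueError("interface prefix is shorter than the delegation")
    # Any suffix bit above the delegation's host part would collide with
    # the bits the ISP owns, e.g. a subnet id that needs more than 8 bits.
    if int(sfx.ip) & ~int(pd.hostmask):
        raise ValueError(f"{suffix} does not fit inside {delegated}")
    combined = int(pd.network_address) | int(sfx.ip)
    return ipaddress.IPv6Interface((combined, sfx.network.prefixlen))


def vlan_address(delegated, subnet_id):
    """Address for 'ipv6 address PREFIX-V6 ::<x>:0:0:0:1/64' with x = subnet_id."""
    return general_prefix_address(delegated, f"::{subnet_id:x}:0:0:0:1/64")


def available_subnets(delegated):
    """Number of /64 networks contained in the delegation."""
    pd = ipaddress.IPv6Network(delegated)
    return 2 ** (64 - pd.prefixlen)


if __name__ == "__main__":
    print("dialer :", general_prefix_address(DELEGATED, "::1/64"))
    for x in (0x1, 0x2, 0xff):
        print(f"vlan {x:#x}:", vlan_address(DELEGATED, x))
    print("subnets:", available_subnets(DELEGATED))
    try:
        # 255 typed as decimal is read as hex 0x255 and needs 10 bits
        general_prefix_address(DELEGATED, "::255:0:0:0:1/64")
    except ValueError as err:
        print("rejected:", err)
```
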

NOTE: IPv6 heavily relies on ICMP and so the security section will permit this.

Step 5 – Security hardening of the router

Cisco have included a feature called ‘Auto Secure’ for their routers for some time. The feature will ask a series of questions and recommend security configuration based on the answers. I always recommend this as a starting point. Auto secure should be run when all other configuration is done but the internet has yet to be patched in. You may be asked other questions such as whether or not SNMP is used but the output below shows a sample:

FTTP-ROUTER#auto secure
                 --- AutoSecure Configuration ---
 *** AutoSecure configuration enhances the security of
 the router, but it will not make it absolutely resistant
 to all security attacks ***
 AutoSecure will modify the configuration of your device.
 All configuration changes will be shown. For a detailed
 explanation of how the configuration changes enhance security
 and any possible side effects, please refer to Cisco.com for
 Autosecure documentation.
 At any prompt you may enter '?' for help.
 Use ctrl-c to abort this session at any prompt.
 Gathering information about the router for AutoSecure
 Is this router connected to internet? [no]: yes
 Enter the number of interfaces facing the internet [1]: 1
 Interface                  IP-Address      OK? Method Status                Protocol
 GigabitEthernet0/0         unassigned      YES NVRAM  up                    up
 GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
 GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
 GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down
 Enter the interface name that is facing the internet: GigabitEthernet0/0
 Securing Management plane services…
 Disabling service finger
 Disabling service pad
 Disabling udp & tcp small servers
 Enabling service password encryption
 Enabling service tcp-keepalives-in
 Enabling service tcp-keepalives-out
 Disabling the cdp protocol
 Disabling the bootp server
 Disabling the http server
 Disabling the finger service
 Disabling source routing
 Disabling gratuitous arp
 Here is a sample Security Banner to be shown
 at every access to device. Modify it to suit your
 enterprise requirements.
 Authorized Access only
   This system is the property of So-&-So-Enterprise.
   UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
   You must have explicit permission to access this
   device. All activities performed on this device
   are logged. Any violations of access policy will result
   in disciplinary action.
 Enter the security banner {Put the banner between
 k and k, where k is any character}:
 k BANNER k
 Enable secret is either not configured or
  is the same as the enable password
 Enter the new enable secret:
 Confirm the enable secret :
 Enter the new enable password:
 Confirm the enable password:
 Configuration of local user database
 Enter the username: username
 Enter the password:
 % Invalid Password length - must contain 6 to 25 characters. Password configuration failed
 Enter the password:
 Confirm the password:
 Configuring AAA local authentication
 Configuring console, Aux and vty lines for
 local authentication, exec-timeout, transport
 Securing device against Login Attacks
 Configure the following parameters
 Blocking Period when Login Attack detected: 360
 Maximum Login failures with the device: 5
 Maximum time period for crossing the failed login attempts: 30
 Configure SSH server? [yes]: yes
 Enter the domain-name: domain.name
 Configuring interface specific AutoSecure services
 Disabling the following ip services on all interfaces:
 no ip redirects
  no ip proxy-arp
  no ip unreachables
  no ip directed-broadcast
  no ip mask-reply
 Disabling mop on Ethernet interfaces
 Securing Forwarding plane services…
 Enabling unicast rpf on all interfaces connected
 to internet
 Configure CBAC Firewall feature? [yes/no]: yes
 This is the configuration generated:
 no service finger
 no service pad
 no service udp-small-servers
 no service tcp-small-servers
 service password-encryption
 service tcp-keepalives-in
 service tcp-keepalives-out
 no cdp run
 no ip bootp server
 no ip http server
 no ip finger
 no ip source-route
 no ip gratuitous-arps
 no ip identd
 banner motd ^C BANNER ^C
 security passwords min-length 6
 security authentication failure rate 10 log
 enable secret 5 $1$VXT6$geedAyQQ8K9M82NkM7Gfa/
 enable password 7 06160E325F1D5D4C
 username username password 7 095C4F1A0A5445415F
 aaa new-model
 aaa authentication login local_auth local
 line console 0
  login authentication local_auth
  exec-timeout 5 0
  transport output telnet
 line aux 0
  login authentication local_auth
  exec-timeout 10 0
  transport output telnet
 line vty 0 4
  login authentication local_auth
  transport input telnet
 line tty 1
  login authentication local_auth
  exec-timeout 15 0
 login block-for 360 attempts 5 within 30
 ip domain-name domain.name
 crypto key generate rsa general-keys modulus 1024
 ip ssh time-out 60
 ip ssh authentication-retries 2
 line vty 0 4
  transport input ssh telnet
 service timestamps debug datetime msec localtime show-timezone
 service timestamps log datetime msec localtime show-timezone
 logging facility local2
 logging trap debugging
 service sequence-numbers
 logging console critical
 logging buffered
 interface GigabitEthernet0/0
  no ip redirects
  no ip proxy-arp
  no ip unreachables
  no ip directed-broadcast
  no ip mask-reply
  no mop enabled
 interface GigabitEthernet0/1
  no ip redirects
  no ip proxy-arp
  no ip unreachables
  no ip directed-broadcast
  no ip mask-reply
  no mop enabled
 interface GigabitEthernet0/2
  no ip redirects
  no ip proxy-arp
  no ip unreachables
  no ip directed-broadcast
  no ip mask-reply
  no mop enabled
 interface GigabitEthernet0/3
  no ip redirects
  no ip proxy-arp
  no ip unreachables
  no ip directed-broadcast
  no ip mask-reply
  no mop enabled
 access-list 100 permit udp any any eq bootpc
 interface GigabitEthernet0/0
  ip verify unicast source reachable-via rx allow-default 100
 ip inspect audit-trail
 ip inspect dns-timeout 7
 ip inspect tcp idle-time 14400
 ip inspect udp idle-time 1800
 ip inspect name autosec_inspect ftp timeout 3600
 ip inspect name autosec_inspect http timeout 3600
 ip inspect name autosec_inspect rcmd timeout 3600
 ip inspect name autosec_inspect realaudio timeout 3600
 ip inspect name autosec_inspect smtp timeout 3600
 ip inspect name autosec_inspect tftp timeout 30
 ip inspect name autosec_inspect udp timeout 15
 ip inspect name autosec_inspect tcp timeout 3600
 ip access-list extended autosec_firewall_acl
  permit udp any any eq bootpc
  deny ip any any
 interface GigabitEthernet0/0
  ip inspect autosec_inspect out
  ip access-group autosec_firewall_acl in
 end

 Apply this configuration to running-config? [yes]:

The problem we will have with this on a modern Cisco router is that in later IOS versions it will still try to apply the CBAC rules even though they’ve been deprecated or completely removed. Zone-based firewalls should be used instead. It’s important to remember that zone-based firewalls don’t apply to system traffic such as SSH, SNMP or NTP, and so these need to be locked down with ACLs. The following is a basic zone-based setup to get you started. It’s worth noting that ICMP is used heavily for IPv6 and you may need to permit it.

ipv6 access-list ICMPv6-in
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit icmp any any no-route
 permit icmp any any packet-too-big
 permit icmp any any hop-limit
 permit icmp any any header
 permit icmp any any next-header
 permit icmp any any parameter-option
 permit icmp any any time-exceeded
 deny ipv6 any any

ipv6 access-list ICMPv6-out
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit ipv6 any any

class-map type inspect match-any ICMPv6-inbound
 match access-group name ICMPv6-in
class-map type inspect match-any ICMPv6-outbound
 match access-group name ICMPv6-out

class-map type inspect match-any IP-outbound
 match protocol udp
 match protocol tcp

class-map type inspect match-any ICMPv4-outbound
 match protocol icmp

policy-map type inspect ToInternet
 class type inspect IP-outbound
  inspect
 class type inspect ICMPv6-outbound
  pass
 class type inspect ICMPv4-outbound
  inspect
 class class-default
  drop

policy-map type inspect FromInternet
 class type inspect ICMPv6-inbound
  pass
 class class-default
  drop

zone security inside
zone security outside
zone-pair security inside-->outside source inside destination outside
 service-policy type inspect ToInternet
zone-pair security outside-->inside source outside destination inside
 service-policy type inspect FromInternet

interface dialer 0
 zone-member security outside

interface vlan x
 zone-member security inside

This config creates two zones: inside and outside. It allows access out to the internet and reflexive traffic back. Remember to add all your VLANs to a zone, because by default if two interfaces are in different zones but have no zone pairing, their communications will not be permitted. ICMP is a major component of IPv6, and so this configuration permits ICMP inbound for IPv6.

Once you’re confident in the security of the router, i.e. you have this config completed, have NTP/SNMP/SSH secured with ACLs and your zones configured, you can now patch the WAN interface and start using your FTTP broadband.
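A check to run over the saved configuration before patching the WAN, as an added example that is not part of the original guide. It looks for routed interfaces left out of a zone, zones in use without a zone-pair towards the internet, and vty lines that are not limited to SSH with an access-class; the sample configuration is constructed, and the function names and the default WAN zone name of outside are this example's assumptions.

```python
import re

# Constructed sample in "show running-config" layout (not the guide's config).
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone security BTTV
zone-pair security inside-->outside source inside destination outside
 service-policy type inspect ToInternet
!
interface Dialer0
 ip address negotiated
 zone-member security outside
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
interface Vlan66
 ip address 172.16.0.1 255.255.255.252
 zone-member security BTTV
!
line vty 0 4
 transport input ssh telnet
"""


def parse_blocks(config):
    """Group indented sub-commands under their unindented parent line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks


def audit(config, wan_zone="outside"):
    """Return findings for zone membership, zone pairs and vty access."""
    blocks, findings, in_use = parse_blocks(config), [], set()
    zones = {h.split()[2] for h in blocks if h.startswith("zone security ")}
    pairs = set()
    for h in blocks:
        m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", h)
        if m:
            pairs.add(m.groups())
    for header, cmds in blocks.items():
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            routed = any(re.match(r"ip(v6)? address ", c) for c in cmds)
            zone = [c.split()[2] for c in cmds if c.startswith("zone-member security ")]
            if routed and not zone:
                findings.append(f"{name}: routed interface is not in any zone")
            elif zone and zone[-1] not in zones:
                findings.append(f"{name}: zone {zone[-1]} is not defined")
            in_use.update(zone[-1:])
        elif header.startswith("line vty "):
            transport = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
            if not transport or transport[-1] != ["ssh"]:
                findings.append(f"{header}: transport input is not limited to ssh")
            if not any(re.match(r"access-class \S+ in", c) for c in cmds):
                findings.append(f"{header}: no inbound access-class")
    for zone in sorted(in_use - {wan_zone}):
        if (zone, wan_zone) not in pairs:
            findings.append(f"zone {zone}: no zone-pair towards {wan_zone}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The parser relies on the indentation that a saved or displayed running configuration has, so it should be fed that output rather than hand-typed commands.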

Step 6 – (Optional) BT TV and Multicast

This part is probably the most frustrating element of dealing with Cisco and the FTTP service. As far as I’m aware there is no way to have a Cisco router function correctly for multicast due to the nature of how BT TV / Youview is delivered. I have however found a very hacky workaround to at least get the BT TV to work.

Your BT TV / Youview set top box will send an IGMPv3 Join message in order to join a multicast stream for whatever IPTV channel you try to visit. The problem is that this IGMP Join message needs to be sent out the WAN interface on your router and not be encapsulated in PPPoE. The following section from a BT SIN explains the behaviour:

3.2.2.1 IGMP encapsulation
IGMP messages intended for the Openreach Multicast service must be sent as IGMP over IP.
IGMP messages sent as IGMPoPPPoE will be passed through transparently to the CP and will not be acted on by Openreach.
In the case of GEA-FTTP and GEA-FTTC with a white Openreach modem IGMP messages can be tagged with VLAN ID 0 (zero) by the CPE in order to set a preferred 802.1p value upstream. A VLAN tag with an ID of 0 will be removed by the ONT and white Openreach modem but the 802.1p value will be used to ensure the desired upstream scheduling of the IGMP messages on to the PON and VDSL line respectively.

BT SIN 503 – Generic Ethernet Access Multicast, Service & Interface Description

Unfortunately for us, Cisco has no method available to forward an IGMP join received on a VLAN directly out of a specified interface, thereby avoiding the PPPoE encapsulation. As a result it is not possible to configure a Cisco router natively to deal with this setup. With FTTC the story is different because the data is encapsulated in VLAN 101. This allows us to bridge the VLAN carrying the IPTV with the WAN interface and to configure the PPPoE on the VLAN 101 encapsulated sub-interface. With FTTP this isn’t an option as all frames are sent through untagged. As a result the only option available is to physically bridge your connection to the ONT with your router’s WAN interface, the IPTV set top box and the interface where the set top box would normally connect to your switch. Hypothetically this bridging shouldn’t lead to any extra risk, but just in case I’d suggest putting the IPTV VLAN in a separate security zone.


First we create a new security zone and permit it the same access we have given our inside policy. Creating a new zone ensures the IPTV box can’t communicate with our home network but can reach the internet.

zone security BTTV

zone-pair security BTTV-->outside source BTTV destination outside
 service-policy type inspect ToInternet

zone-pair security outside-->BTTV source outside destination BTTV
 service-policy type inspect FromInternet

Then we create a VLAN for the IPTV box and an interface vlan. Create this as a /30 as you will only have the SVI and the IPTV box. We assign it to this security zone.

vlan 66
 name BTTV
 no shutdown

interface vlan 66
 description BT Youview IPTV
 ip address x.x.x.x 255.255.255.252
 ip nat inside
 zone-member security BTTV
 no shutdown

As it stands the IPTV box is isolated but has internet access. It still has no ability to join the multicast streams. Now we need to connect these devices to a dumb switch to bridge the WAN and IPTV box. By doing this, the IGMP joins that our IPTV box tries to send out will be sent toward the WAN without being encapsulated in PPPoE, and therefore the multicast channels will work.

NOTE: Some switches are smarter than others and this can be a problem. The switch I used and can confirm works is a Netgear GS305.

1 The BT ONT
2 The WAN port of the ISR (Gi0/0/0 above)
3 The LAN port for the IPTV VLAN (Gi0/1/0 above)
4 The Youview IPTV box

In addition to the configuration, the following settings are required on the Youview box.

IP Address:      x.x.x.x
Subnet mask:     255.255.255.252
Gateway:         x.x.x.x
Primary DNS:     62.6.40.178   
Secondary DNS:   62.6.40.162

Where the IP address is the one configured for your IPTV VLAN and the DNS server is one of the BT DNS servers. I’ve chosen two of these but you can choose any two from the following list; it just needs to be a BT DNS server:

62.6.40.178
62.6.40.162 
194.72.9.38
194.72.9.34
194.72.0.98
194.72.0.114
194.74.65.68
194.74.65.69 

Final checks

For some reason the BT wholesale speed tester completely gets the speed for this service wrong. Try any other online speed testing website and ensure the speeds are as expected. If you want to see close to the full 330mbit you need to be directly connected to the LAN and be using the internet at an off peak time. That said I regularly see 220mbit during peak times through a Cisco switch and BT Powerline adapter.

If you want to test the IPv6 connectivity I recommend using https://ipv6-test.com/

This will show a number of metrics for your IPv6 connectivity. You should get the full 20/20 for this test. If ICMP shows as filtered you may have to permit ICMPv6 through your client’s firewall (e.g. Windows Firewall).


Guide: Configuring a Cisco router for BT Ultrafast Broadband (FTTP) – Configuration Only

Disclaimer: In no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this guide. Please ensure you read the full disclaimer before proceeding. By proceeding you confirm you have read and agree to these terms.

PLEASE READ BEFORE CONTINUING:

If you are a home user, reconsider using Cisco as the manufacturer for your router. I cannot recommend Cisco at this time if you’re buying a second-hand router. This is due to the new requirement for Cisco Smart licensing, which makes it almost impossible to get the correct licenses and support applied to your router if you purchased it second hand.

This is the configuration only guide for configuring a Cisco C1100 series ISR for BT Ultrafast 2 Broadband including IPv6 and BT TV / Youview. The purpose of this post is to list the commands required to configure the device to be used as a reference. The full guide with the commands explained can be found here.

For reference, VLAN 1 represents any internal VLANs you have and VLAN 2 represents the Youview IPTV VLAN. Interface GigabitEthernet0/1/0 represents where the Youview box is patched. This is not a complete list of commands required to configure the device, just the relevant commands.

Configuration:

 ip dhcp excluded-address 192.168.1.1
 !
 ip dhcp pool VL1_LAN
  network 192.168.1.0 255.255.255.0
  dns-server 8.8.8.8 8.8.4.4
  default-router 192.168.1.1
  lease 0 8
 !
 ipv6 source-route
 ipv6 unicast-routing
 ipv6 dhcp pool IPv6
  dns-server 2001:4860:4860::8888
  dns-server 2001:4860:4860::8844
 !
 no cdp run
 !
 class-map type inspect match-any ICMPv6-inbound
   match access-group name ICMPv6-in
  class-map type inspect match-any ICMPv6-outbound
   match access-group name ICMPv6-out
 !
  class-map type inspect match-any IP-outbound
   match protocol udp
   match protocol tcp
 !
  class-map type inspect match-any ICMPv4-outbound
   match protocol icmp
 !
  policy-map type inspect ToInternet
   class type inspect IP-outbound
    inspect
   class type inspect ICMPv6-outbound
    pass
   class type inspect ICMPv4-outbound
    inspect
   class class-default
    drop
 !
  policy-map type inspect FromInternet
   class type inspect ICMPv6-inbound
    pass
   class class-default
    drop
 !
 zone security inside
 zone security outside
 zone security BTTV
 zone-pair security BTTV-->outside source BTTV destination outside
  service-policy type inspect ToInternet
 zone-pair security inside-->outside source inside destination outside
  service-policy type inspect ToInternet
 zone-pair security outside-->BTTV source outside destination BTTV
  service-policy type inspect FromInternet
 zone-pair security outside-->inside source outside destination inside
  service-policy type inspect FromInternet
 !
 interface GigabitEthernet0/0/0
  description WAN - FTTP Uplink
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  zone-member security outside
  negotiation auto
  no cdp enable
  pppoe enable group global
  pppoe-client dial-pool-number 1
  no mop enabled
 !
 interface Vlan1
  description VLAN1 LAN
  ip address 192.168.1.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  zone-member security inside
  ipv6 address IP-V6 ::1:0:0:0:1/64
  ipv6 enable
  ipv6 nd other-config-flag
  ipv6 dhcp server IPv6
  no mop enabled
 !
 interface Vlan2
  description VLAN2 Youview
  ip address 172.16.0.1 255.255.255.252
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  zone-member security BTTV
  no mop enabled
 !
 interface GigabitEthernet0/1/0
  description BT TV connection
  switchport access vlan 2
  switchport mode access
  no cdp enable
  spanning-tree portfast
 !
 interface Dialer1
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  zone-member security outside
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  no cdp enable
  ipv6 address IP-V6 ::1/64
  ipv6 enable
  ipv6 dhcp client pd IP-V6 rapid-commit
  ppp mtu adaptive
  ppp authentication chap callin
  ppp chap hostname bthomehub@btbroadband.com
  ppp chap password 7 030A541F140A3059471B1C01
  ppp ipcp dns request
  ppp ipcp route default
 !
 ip nat inside source list Internet-Permitted interface Dialer1 overload
 ip forward-protocol nd
 !
 ip access-list standard Internet-Permitted
  remark == Permit NAT for Internet Access ==
  permit 192.168.1.0 0.0.0.255
  permit 172.16.0.0 0.0.0.3
 ip access-list standard NTP
  remark == Permit NTP clients == 
  permit 10.0.0.0 0.255.255.255
  deny   any
 ip access-list standard SNMPv3
  remark == Permit SNMP monitor == 
  permit 192.168.0.0 0.0.0.255
  deny   any
 ip access-list standard SSH
  remark == Permit SSH access == 
  permit 192.168.0.0 0.0.0.255
  deny   any
 !
 ipv6 route ::/0 Dialer1
 !
 ipv6 access-list ICMPv6-in
  permit icmp any any echo-reply
  permit icmp any any echo-request
  permit icmp any any no-route
  permit icmp any any packet-too-big
  permit icmp any any hop-limit
  permit icmp any any header
  permit icmp any any next-header
  permit icmp any any parameter-option
  permit icmp any any time-exceeded
  deny ipv6 any any
 !
 ipv6 access-list ICMPv6-out
  permit icmp any any nd-na
  permit icmp any any nd-ns
  permit ipv6 any any
 !
 line vty 0 4
  access-class SSH in
  transport input ssh
 line vty 5 15
  access-class SSH in
  transport input ssh
 !
 ntp source Dialer1
 ntp access-group query-only NTP
 ntp master 2
 ntp server 194.80.204.184
 ntp server 195.219.205.9
 ntp server 178.62.250.107
 ntp server 178.79.155.116 prefer
 !
 !
 !
 !
 !
 end

In addition to the configuration, the following settings are required on the Youview box.

IP Address:      172.16.0.2
Subnet mask:     255.255.255.252
Gateway:         172.16.0.1
Primary DNS:     62.6.40.178   
Secondary DNS:   62.6.40.162 

You will also need to physically bridge the following interfaces with a dumb switch that won’t interfere with the traffic flow:

1 The BT ONT
2 The WAN port of the ISR (Gi0/0/0 above)
3 The LAN port for the IPTV VLAN (Gi0/1/0 above)
4 The Youview IPTV box

I can confirm that a Netgear GS305 works for this purpose.
