Friday, June 18, 2010

Configuring your Home Gateway for Qtel ADSL

As a network engineer in Qatar, I frequently get asked by people to help them configure their home ADSL gateways (Linksys, SpeedTouch, Netgear, D-Link, etc.). Qtel usually provides a Thomson TG585 ADSL Gateway, but sometimes people opt for a different ADSL Gateway to get more features for their home network. Configuring an ADSL gateway can turn out to be a somewhat complicated matter for a non-techie, and you will need to know the right values to configure your Gateway so that your ADSL connection works. You could always call the Qtel helpline, 111, to get the right parameters for configuring your home ADSL. Different brands of ADSL gateways have different configuration web interfaces; I will be using a Linksys WAG200G to explain the configuration. The ADSL Gateway device can be accessed by typing the Gateway IP address into your browser's URL bar (e.g., http://192.168.1.254, which varies from device to device) after connecting the gateway to your PC via an Ethernet cable.

VC Settings

  • Encapsulation: Qtel uses both PPPoE and PPPoA encapsulation; which one applies depends on the settings of the local DSLAM to which your home is connected. You can get this information from Qtel, or if you are not sure you can try both settings; it should work in one of these modes. On a Linksys WAG200G Gateway select RFC 2516 PPPoE or RFC 2364 PPPoA from the drop-down list.

  • Multiplexing: Select the VC radio button. ADSL/ATM links operate using Virtual Circuits (VC) for traffic flow.

  • QoS Type: Select VBR from the drop-down list. Qtel uses the Variable Bit Rate (VBR) traffic class, which provides QoS. More specifically the non-real-time variant is used, so you might have to configure vbr-nrt on some gateways.

  • PCR Rate: Peak Cell Rate is a traffic parameter which sets the maximum allowed data rate on an ATM connection. This can be in kbps or cps (cells per second). On the Linksys WAG200G Gateway configure PCR as 2358 cps.

  • SCR Rate: Sustainable Cell Rate is a traffic parameter which limits the average data rate on an ATM connection. This can be in kbps or cps (cells per second). Cells may be dropped if the SCR is violated. On the Linksys WAG200G Gateway configure SCR as 2358 cps (cells per second).

Note: Usually service providers give the PCR and SCR values in kbps, which you might have to convert to cps if your gateway takes these values in cps. Since an ATM cell is 53 bytes, i.e., 424 bits, convert the kbps value to bits per second and divide by 424 to get the value in cps, e.g.: 1000 kbps = 1000000/424 = 2358 cps (rounded down to a whole number).

  • Autodetect: Select Enable radio button if you want the Gateway to automatically detect the Virtual Circuit VPI and VCI values. Select Disable if you want to enter the Virtual Circuit values manually.

  • Virtual Circuit: Qtel uses the Virtual Circuit 8/35, where the VPI is 8 and the VCI is 35. Enter this if you have set Autodetect to Disable. The Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) together identify the virtual circuit used by the connection.

  • DSL Modulation: Select ADSL2+ from the drop-down list.


PPPoE Settings

  • Username: the username is usually a 'p' or 's' followed by your ADSL telephone number, e.g.: p4765432. This information can be obtained from Qtel.

  • Password: the default password is qatar12. If you are not sure what your password is, call Qtel on 111 from your ADSL telephone line and ask Qtel to reset your password, which will then be qatar12.

Network Address Server Settings (DHCP)


  • DHCP Server: Select the Enable radio button, so that DHCP is enabled and all connected PCs can automatically get an IP address.

  • Static DNS1: 212.77.192.59, this is a Qtel DNS server

  • Static DNS2: 212.77.192.60, this is another Qtel DNS server

Static DNS should be enabled so that the connected PCs know where to resolve domain names. DNS resolves website URLs to their IP addresses and is crucial for your internet to work. If your Gateway requires NAT configuration, go ahead and do it; NAT translates between your single public IP address and the multiple private IP addresses on your home network.

This is the basic configuration for the ADSL to work. The rest of the configuration is optional and dependent on user requirements.

Monday, June 7, 2010

Implementing Wake-on-LAN in a Cisco Network

Wake-on-LAN or WoL is a clever way of turning on a computer or a group of computers by sending a broadcast Magic Frame over the LAN. The magic frame is sent by a WoL Server, which runs an application that generates it. The computer can be woken up from sleep, standby, hibernation and shutdown as long as the power cable is connected and some power is reserved to keep the network card partly on. The magic packet contains 6 bytes of all ones (0xFF) followed by sixteen repetitions of the target computer's 48-bit MAC address. It is typically sent as a UDP datagram on port 1, 7 or 9. A magic packet can originate from the same LAN, over a VPN, or even from the internet if properly routed.
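The layout above (6 bytes of 0xFF, then the MAC sixteen times) is easy to check by hand. The following is an added example of my own, not code from the original post: it builds a magic packet for a given MAC, recognises one inside a UDP payload, and runs that check over a few constructed datagrams so you can see which host is sending wake-ups and to which MACs. The MAC addresses and the non-magic payload are made up; the source 10.11.1.254 and the directed broadcast 10.10.255.255 reuse the addresses from the configuration further down.

```python
# Added example (not from the original post): build and recognise WoL magic packets.

SYNC_STREAM = b"\xff" * 6          # 6 bytes of all ones that open every magic packet
MAC_REPEATS = 16                   # the target MAC follows, repeated 16 times


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet payload for a MAC like '00:11:22:33:44:55'."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("a MAC address is 48 bits (6 bytes)")
    return SYNC_STREAM + mac_bytes * MAC_REPEATS


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload carries a
    well-formed magic packet, otherwise None.  The sync stream may sit
    anywhere in the payload, and trailing bytes (e.g. a SecureOn password)
    are tolerated."""
    start = payload.find(SYNC_STREAM)
    if start < 0:
        return None
    body = payload[start + len(SYNC_STREAM):]
    if len(body) < 6 * MAC_REPEATS:
        return None
    mac = body[:6]
    if body[:6 * MAC_REPEATS] != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed UDP datagrams as (src_ip, dst_ip, dst_port, payload).  The WoL
# server 10.11.1.254 and the broadcast 10.10.255.255 match the post's config;
# the MACs and the bogus payload are made up.
SAMPLE_DATAGRAMS = [
    ("10.11.1.254", "10.10.255.255", 7, build_magic_packet("00:11:22:33:44:55")),
    ("10.10.1.23", "10.10.255.255", 7, b"this is not a magic packet"),
    ("10.11.1.254", "10.10.255.255", 9, build_magic_packet("aa-bb-cc-dd-ee-ff") + b"\x00" * 6),
]


def find_wol_frames(datagrams):
    """Pick the magic packets out of a list of datagrams, returning
    (src_ip, dst_ip, dst_port, target_mac) so you can verify that only the
    WoL server is sending them and see which hosts are being woken."""
    hits = []
    for src, dst, dport, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is not None:
            hits.append((src, dst, dport, mac))
    return hits


if __name__ == "__main__":
    for hit in find_wol_frames(SAMPLE_DATAGRAMS):
        print("WoL %s -> %s udp/%d wakes %s" % hit)
```

The same parse_magic_packet check works on payloads pulled from a packet capture on the WoL VLAN, which is a quick way to confirm that the helper-address relay below is actually delivering the frames and that nothing other than the WoL server is generating them.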

For WoL to work the computer must support Wake-on-LAN, which is implemented on the motherboard and hence usually enabled via the BIOS. Some operating systems can also control Wake-on-LAN behaviour. Recent laptops with the latest Intel chipsets also allow waking the machine over wireless, called Wake-on-Wireless-LAN (WoWLAN).

If the WoL Server and the computer to be woken up are on the same LAN, i.e., in the same broadcast domain, no configuration is needed, as the WoL Server will broadcast the Magic packet to all the devices in the LAN. If your computers are on a different VLAN from the one the WoL Server is sitting on, then you need to use the ip helper-address command on the VLAN interface (or on the server-facing Layer 3 interface) of the switch. The ip helper-address command tells the router interface that it will be receiving a UDP broadcast from a directly connected client and that it should repackage it as either a directed broadcast to a specific subnet or a unicast to a specific machine.

int fa 1/0/48
description --- Connected to WoL Server ---
switchport mode access
switchport access vlan 20
!
! ip helper-address is a Layer 3 interface command and is not accepted on a
! Layer 2 access port, so it goes on the SVI of the WoL Server's VLAN.
! The SVI address 10.11.1.1/24 is assumed for this example.
int vlan 20
description --- WoL Server VLAN ---
ip address 10.11.1.1 255.255.255.0
ip helper-address 10.10.255.255

The ip helper-address command helps in forwarding UDP broadcasts. By default only a small number of application ports (like DHCP, TACACS, etc.) are forwarded. Therefore you will need to use the ip forward-protocol global command to specify exactly which types of broadcast packets you would like to have forwarded.

ip forward-protocol udp 7

The ip directed-broadcast command should be applied to the VLAN interface that is expected to receive the directed broadcast from the WoL Server (assuming IP address 10.11.1.254 for the WoL Server in the example below). You should be cautious when ip directed-broadcast is applied on any interface, because an incoming unicast packet with a broadcast destination address will explode into a broadcast once it reaches the interface. For security reasons the ip directed-broadcast command is usually advised to be used with an access-list, so that only the WoL Server can send a directed broadcast to the VLAN; using it without one could make your Cisco devices a target for Smurf and Denial of Service attacks, or even let your network be used as an amplifier for Smurf attacks against other networks.

access-list 10 permit 10.11.1.254

int vlan 30
description --- Connected to PCs ---
ip address 10.10.1.1 255.255.0.0
ip directed-broadcast 10

Some WoL Servers are smart enough to send directed broadcasts themselves; then you only have to configure ip directed-broadcast on the VLAN connected to the target PC. Some WoL Servers can also unicast magic packets to a specific Layer 3 IP address, which makes it possible to execute Wake-on-LAN from an external network like the Internet.

Also note that Cisco VMPS and WoL cannot work together on Cisco devices: according to VMPS an unused port does not belong to any VLAN while the PC is inactive, and hence no Magic packets can reach the PC's port.

Sunday, May 30, 2010

Enabling NetFlow on a Cisco Catalyst 6500 Switch

NetFlow can be enabled on Catalyst 6500 switches with a Supervisor Engine 32, RSP 720 or Supervisor Engine 720. The NetFlow cache on the Multilayer Switch Feature Card (MSFC) captures statistics for flows routed in software, and the NetFlow cache on the Policy Feature Card (PFC) captures statistics for flows routed in hardware. Configuring NetFlow neither disrupts traffic nor disables the configured interface.

To start, first install NetFlow Analyzer (or a similar tool) on your PC so that your PC becomes a NetFlow Collector. Note the port number (e.g.: 9996) used by your NetFlow Analyzer application. With the data obtained, NetFlow Collectors can generate reports and statistics of the traffic flowing through the switch or router.

Next, on the Catalyst 6500, enable NetFlow on both the MSFC and the PFC so that the switch can send NetFlow information to the NetFlow Collector. You also need to configure NetFlow Data Export (NDE) on the switch in order to export the NetFlow statistics to the NetFlow Collector. Assuming the NetFlow Collector IP address is 172.16.16.1, the following configuration has to be made:

ip flow-export destination 172.16.16.1 9996
ip flow-export source Loopback 0
ip flow-export version 5

To avoid spikes in the traffic report, use the ip flow-cache timeout active N command (where N can be from 1 to 60 minutes). The default is 30 minutes, which can lead to spikes in your traffic report. It is important to set this value to 1 minute to generate alerts and view troubleshooting data.

ip flow-cache timeout active 1

On the interfaces that need to be monitored, enter the ip route-cache command. Enabling ip route-cache on the interface enables NetFlow on the MSFC. On the 6500 with the 12.2SXH release, NetFlow is enabled on a Layer 3 interface using the ip flow ingress command on the interface.

To enable NetFlow & NDE for Layer 2:

interface vlan 10
ip route-cache
!
interface GigabitEthernet 1/1
ip route-cache

To enable NetFlow on the PFC, enter the mls netflow command, and to configure the flow mask on the PFC, configure mls flow ip interface-full. Apply the ip flow ingress layer2-switched vlan 10,20 command to enable NetFlow and NDE for Layer 2-switched traffic (ingress-bridged traffic) on the PFC. Note that NetFlow does not show statistics for traffic that stays within the same VLAN, and hence it cannot be configured on a Layer 2 interface.

Once configured, the interfaces in the NetFlow tool will be shown as an ifindex instead of the actual interface name. To obtain the actual interface names the NetFlow tool has to pull them from the switch's SNMP MIB values, therefore you will have to configure SNMP on the NetFlow Collector as well as on the Catalyst 6500 switch.

access-list 99 permit 172.16.16.1
!
snmp-server group GRPName v3 auth
snmp-server user snmp_username GRPName v3 auth md5 user_authpwd
snmp-server user snmp_username GRPName remote 172.16.16.1 v3 auth md5 user_authpwd access 99
snmp-server host 172.16.16.1 traps version 3 auth snmp_username
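To make the export side concrete: with ip flow-export version 5 the switch sends plain UDP datagrams to the collector, each a 24-byte header followed by up to 30 fixed 48-byte flow records, and the input/output fields in every record are exactly the SNMP ifIndex values mentioned above. The following is an added example of my own (not code from the original post or from NetFlow Analyzer) that encodes a v5 datagram from a couple of constructed flows, decodes it again with the length checks a collector should do, and maps ifIndex to interface names the way a collector does after polling the switch over SNMP. The collector address 172.16.16.1 and the interface names Vlan10 and GigabitEthernet1/1 come from the post; the ifIndex numbers and flow values are made up.

```python
import socket
import struct

# NetFlow v5 wire layouts, big-endian: 24-byte header, 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
             "dOctets", "first", "last", "srcport", "dstport", "pad1",
             "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
             "dst_mask", "pad2")


def build_v5_export(flows, sequence, uptime_ms=0, unix_secs=0):
    """Encode 1..30 flow dicts into one v5 export datagram, i.e. what the
    switch sends to the collector on UDP 9996."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
            socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f["input"], f["output"], f["dPkts"], f["dOctets"],
            f["first"], f["last"], f["srcport"], f["dstport"],
            0, f.get("tcp_flags", 0), f["prot"], f.get("tos", 0),
            f.get("src_as", 0), f.get("dst_as", 0),
            f.get("src_mask", 0), f.get("dst_mask", 0), 0)
        for f in flows)
    return header + body


def parse_v5_export(datagram):
    """Decode a v5 datagram; raises ValueError on a wrong version or a
    record count that does not match the payload length."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match payload length" % count)
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(V5_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    # low 14 bits of the sampling field are the interval, the top 2 bits the mode
    return {"sequence": seq, "sys_uptime_ms": uptime,
            "sampling_interval": sampling & 0x3FFF, "flows": flows}


def octets_by_input_interface(flows, ifindex_names):
    """Sum bytes per ingress interface, turning the record's SNMP ifIndex
    into a name; unknown indexes stay as 'ifindex N' like in a raw report."""
    totals = {}
    for f in flows:
        name = ifindex_names.get(f["input"], "ifindex %d" % f["input"])
        totals[name] = totals.get(name, 0) + f["dOctets"]
    return totals


# Constructed sample data (ifIndex numbers and flow values are made up).
IFINDEX_NAMES = {3: "Vlan10", 10: "GigabitEthernet1/1"}
SAMPLE_FLOWS = [
    {"srcaddr": "10.0.0.5", "dstaddr": "172.16.16.1", "input": 3, "output": 10,
     "dPkts": 10, "dOctets": 1500, "first": 1000, "last": 2000,
     "srcport": 40000, "dstport": 9996, "prot": 17},
    {"srcaddr": "10.0.0.7", "dstaddr": "10.0.0.5", "input": 10, "output": 3,
     "dPkts": 3, "dOctets": 200, "first": 1500, "last": 1800,
     "srcport": 443, "dstport": 51000, "prot": 6, "tcp_flags": 0x18},
]
SAMPLE_EXPORT = build_v5_export(SAMPLE_FLOWS, sequence=1, uptime_ms=60000)

if __name__ == "__main__":
    parsed = parse_v5_export(SAMPLE_EXPORT)
    for f in parsed["flows"]:
        print(f["srcaddr"], f["srcport"], "->", f["dstaddr"], f["dstport"],
              "proto", f["prot"], "bytes", f["dOctets"])
    print(octets_by_input_interface(parsed["flows"], IFINDEX_NAMES))
```

The length check against the header's record count matters on a real collector: exports are unauthenticated UDP, so anything listening on 9996 must treat the count field as untrusted rather than indexing blindly into the payload.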

Monday, May 24, 2010

Decrypting Cisco Device Login Passwords

If your router or switch has been globally configured with the service password-encryption command, the passwords in the configuration will be shown encrypted (type 7) for secrecy. In dire cases we would like to retrieve such a password, and that is when this procedure using the key chain command can be of great help. For this to work you have to be already logged into the device whose password you are decrypting, and you must have the authorization to execute these commands.

Key chains are typically used in the EIGRP and RIPv2 routing protocols for authentication. A key chain can have a number of keys, and each key has a key string associated with it.

Switch(config)#key chain CRACK
Switch(config-keychain)#do sh run | inc Admin
username Admin privilege 15 password 7 107E290A1600421908
Switch(config-keychain)#key 1
Switch(config-keychain-key)#key-string 7 107E290A1600421908
Switch(config-keychain-key)#exit
Switch#sh key chain CRACK
Key-chain CRACK:
key 1 -- text "P@ssw0rd"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

You can also decrypt the enable, line vty and console passwords using this method. However, this method cannot be used to decrypt passwords which have been configured using the secret command (e.g.: enable secret password or username username secret password), as those are stored as the more secure MD5 hash. Considering the security implications, it is advised to apply the enable secret password command and to use TACACS+ or RADIUS for authentication. Using Cisco ACS you can block non-privileged administrators from using the key chain command.
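Since the lesson here is that anything stored with password (type 7 or plaintext type 0) is recoverable by any admin who can run these commands, a practical follow-up is to audit configurations for such entries. The following is an added example of my own, not code from the original post: it walks a running-config and reports every username, enable and line password that is stored reversibly, plus a missing enable secret, with the replacement the post recommends. The sample config is constructed; the Admin line reuses the type 7 string shown above, and the other type 7 strings are placeholder hex values.

```python
import re

# Constructed sample running-config (not from any real device).  The Admin
# line is the one from the post; the other hex strings are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
username Admin privilege 15 password 7 107E290A1600421908
username ops privilege 15 secret 5 $1$EXAMPLE$placeholderhash
enable password 7 0A1B2C3D4E5F
line con 0
 password 7 0F1E2D3C4B5A
line vty 0 4
 password cisco
 login
"""

# 'password [type] value' at the end of a line; the type digit is optional
PASSWORD_RE = re.compile(r"\bpassword\s+(?:(\d)\s+)?(\S+)\s*$")


def recommended_fix(line):
    if line.startswith("username "):
        return "store it with 'username NAME secret PASSWORD'"
    if line.startswith("enable password"):
        return "replace with 'enable secret PASSWORD'"
    return "use AAA login authentication (TACACS+/RADIUS) or 'login local' with secret-based users"


def audit_password_storage(config_text):
    """Return a list of findings for reversible (type 7) or plaintext (type 0)
    passwords on username, enable and line entries, and for a missing
    enable secret.  Password values are redacted in the report."""
    findings = []
    has_enable_secret = False
    section = None                     # current top-level stanza, e.g. 'line vty 0 4'
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[:1] == " "
        if not indented:
            section = line
        if line.startswith("enable secret"):
            has_enable_secret = True
            continue
        if " secret " in " " + line + " ":
            continue                   # one-way hash, nothing to flag
        in_line_block = indented and section is not None and section.startswith("line ")
        if not (line.startswith("username ") or line.startswith("enable password") or in_line_block):
            continue
        m = PASSWORD_RE.search(line)
        if not m:
            continue
        type_code = m.group(1)
        if type_code == "7":
            kind = "type 7 (reversible)"
        elif type_code in (None, "0"):
            kind = "type 0 (plaintext)"
        else:
            continue                   # other types are not the 'password' keyword's concern
        shown = line.replace(m.group(2), "<redacted>")
        where = shown if not indented else section + " / " + shown
        findings.append({"line": lineno, "where": where, "kind": kind,
                         "fix": recommended_fix(line)})
    if not has_enable_secret:
        findings.append({"line": None, "where": "global", "kind": "no enable secret",
                         "fix": "add 'enable secret PASSWORD' so the enable password is stored as a one-way hash"})
    return findings


if __name__ == "__main__":
    for f in audit_password_storage(SAMPLE_CONFIG):
        print("line %s: %s [%s] -> %s" % (f["line"], f["where"], f["kind"], f["fix"]))
```

Running it over the sample flags the Admin user, the enable password, both line passwords and the absent enable secret; a config that uses only secret entries produces no findings.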

Monday, March 1, 2010

Obtaining the pre-shared key used for VPN on an ASA

Usually the pre-shared key for a VPN configuration is encrypted and is only shown as a * when you do a show run.

tunnel-group USERVPN ipsec-attributes
pre-shared-key *

If you want to see the pre-shared key that has been configured on an ASA, type:

more system:running-config