Wednesday, 31 August 2016

ASA Clustering Architecture

One cluster member is elected Master and the other devices are Slaves. The first unit to join the cluster, or the unit with the best configured priority value, becomes the Master unit. The Master device handles all configuration and management and owns the VIP for the cluster. A new Master is elected only if the current Master goes down.
The devices use a Cluster Control Link (CCL) for intra-cluster communication (the cluster backplane). Each device must have at least one hardware interface dedicated to this, and the recommended design is an EtherChannel. The CCL is used for the Master election, configuration replication, health monitoring and state replication. Each cluster link needs its own IP address on the same subnet.
There are two supported data interface modes.
Spanned Etherchannel – Layer 2

  • Group one or more interfaces per unit into an EtherChannel that spans all units in the cluster.
  • The EtherChannel aggregates the traffic across all the available active interfaces in the channel.
  • This is the recommended design.
  • All units use the same VIP and MAC address.
  • Supports MCEC (VSS, vPC etc.).

Individual Mode – Layer 3

  • Each device has a separate IP address on each data interface.
  • Uses dynamic routing to load-balance traffic (think ECMP).
  • EtherChannels are local to each member.
  • Interface IPs are assigned from pools configured on the Master unit.

In individual mode, each device maintains its own routing adjacency. The disadvantage of this is slower convergence and higher processor utilization, because each unit maintains its own routing table. In spanned EtherChannel mode, only the Master ASA runs dynamic routing; the routing and ARP tables are synchronized to the slave devices.
How the ASA manages connections
When a connection is forwarded to a member of the cluster via load balancing, that unit owns both directions of the connection. If any of that connection's packets arrive at a different unit, they are forwarded to the owner device over the cluster control link. Because of this, symmetric load-balancing is recommended: it is required for both directions of a flow to arrive at the same unit, and for flows to be distributed evenly between the ASAs.
For each connection there is also a device that acts as the director. The director handles look-up requests from forwarders and also maintains the connection state to serve as a backup if the owner fails. When the owner receives a new connection, it chooses a director based on a hash algorithm and sends a message to the director to register the new connection.

Monday, 29 August 2016

Cisco ASA 5545-X with Firepower Complete Initial Setup

Download the ASA SFR system software from
Download the boot image to the device.
Download the boot image to your workstation
Copy Boot Image to ASA Flash


ASA# copy http://<HTTP_SERVER>/asasfr-5500x-boot-5.3.1-152.img disk0:/asasfr-5500x-boot-5.3.1-152.img

Configure SFR module

ASA# sw-module module sfr recover configure image disk0:/file_path

Example below:

ASA# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img

Load the ASA SFR boot image using the command below:

ASA# sw-module module sfr recover boot

Initial Configuration
Note: The default username is admin, and the default password is Admin123.
Example below:

ASA# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123
Enter the setup command in order to configure the system so that you can install the system software package:

asasfr-boot> setup
Provide the following settings:
  • Host name
  • Network address
  • DNS information
  • NTP information
System Software Installation
Enter the system install command:

asasfr-boot> system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of the .pkg file.

Example below:

asasfr-boot> system install http://<HTTP_SERVER>/asasfr-sys-5.3.1-152.pkg

Package Detail
        Description: Cisco ASA-FirePOWER 5.3.1-152 System Install
        Requires reboot: Yes

Do you want to continue with upgrade? [y]: y

Starting upgrade process ...
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
(press Enter)

Broadcast message from root (ttyS1) (Mon Jun 23 09:28:38 2014):
The system is going down for reboot NOW!
Console session with module sfr terminated.

System Software Configuration
Configure the Firepower Software
Complete these steps in order to configure the Firepower software:
1. Open a session to the ASA SFR module.

ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:
2. Log in with the username admin and the password Sourcefire.
3. Complete the system configuration as prompted.

Register Device with Management Server

Using the Command Line Interface (CLI)

1. Connect to the CLI of the device that you want to register with FireSIGHT Management Center. This device can be any FirePOWER appliance, NGIPS Virtual appliance, or an ASA running FirePOWER services.
Note: If you are using an ASA with FirePOWER services as a managed device, you can open a console session to the module from the ASA CLI. If the ASA is running in multiple context mode, session from the system execution space.
2. Log in with the username admin or another username that has the CLI configuration (Administrator) access level.
3. At the prompt, register the device to a FireSIGHT Management Center using the configure manager add command.
Note: A unique alphanumeric registration key is always required to register a device to a FireSIGHT Management Center. This is a simple key that you specify, and is not the same as a license key.
The command has the following syntax:
> configure manager add <hostname | IPv4_address | IPv6_address | DONTRESOLVE> reg_key <nat_id>
In the above syntax,
  • <hostname | IPv4_address | IPv6_address | DONTRESOLVE> specifies either the fully qualified host name or the IP address of the FireSIGHT Management Center. If the FireSIGHT Management Center is not directly addressable, use DONTRESOLVE.
  • reg_key is a unique alphanumeric registration key required to register a device to the FireSIGHT Management Center.
  • nat_id is an optional alphanumeric string used during the registration process between the FireSIGHT Management Center and the device. It is required if the hostname is set to DONTRESOLVE.
In most cases, you must provide the FireSIGHT Management Center's hostname or the IP address along with the registration key, for example:
> configure manager add DC_IP_Address my_reg_key
However, if the device and the FireSIGHT Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
> configure manager add DONTRESOLVE my_reg_key my_nat_id
In the following example, there is no NAT boundary between the FireSIGHT Management Center and the managed device, and 123456 is used as the registration key:
> configure manager add DC_IP_Address 123456
Manager successfully configured.

Add a Device to the FireSIGHT Management Center

1. Log into the web user interface of the Management Center. Click the Devices tab at the top of the page.

2. Click Add, which is located at the top right. A drop-down list appears. Click Add Device. A window pops up in the middle of the screen requesting the device information.

3. In the Host field, enter the IP address of the device.

4. In the Registration Key field, enter the one-time registration key that you specified earlier.

5. Set the rest of the options to your preference. If you used a NAT ID, click on Advanced to expand it and enter the same NAT ID in the Unique NAT ID field.

6. Click Register. You should now be able to manage your device from the FireSIGHT Management Center.

Nexus VPC Datacenter Architecture

I came across two different architectures for Nexus vPC data center deployment:

1. Single Homed
2. Dual Homed

Single Homed


Redundant teaming configurations from the servers to the fabric extenders.

Dual Homed

Here there are a few disadvantages as well:


  • Port configuration should match on both switches (5K FEX)
  • Complex design

Out of the two designs, I would recommend the single-homed design.

Friday, 26 August 2016

Cisco 5555 with Firepower Module

How to Redirect Traffic to the SFR Module

Log in to each context if you have multiple contexts
(perform this procedure within each security context).
Here we are redirecting all traffic to the SFR module; customize the access-list if you want to exclude some traffic.
ASA(config)# access-list sfr_redirect extended permit ip any any
ASA(config)# class-map sfr
ASA(config-cmap)# match access-list sfr_redirect
ASA(config)# policy-map global_policy
ASA(config-pmap)# class sfr
ASA(config-pmap-c)# sfr fail-open

Thursday, 25 August 2016

RANCID with WebSVN and Centos ( for Configuration Backups)

Install Rancid
# yum install rancid
1. Edit /etc/rancid/rancid.conf
# vi /etc/rancid/rancid.conf
2. Find this line in rancid.conf:
#LIST_OF_GROUPS="sl joebobisp"
Underneath it add the following line. Here we add the group SWITCHES, into which we add all of our network switches:
LIST_OF_GROUPS="SWITCHES"; export LIST_OF_GROUPS
We want to use Subversion for our version control system rather than CVS, so find the line with the parameter RCSSYS:
RCSSYS=cvs; export RCSSYS
and change it to:
RCSSYS=svn; export RCSSYS
Then find the line with CVSROOT and change it to:
CVSROOT=$BASEDIR/svn; export CVSROOT
Note the lowercase "svn". Now save and exit the file.
3. Change to the rancid user:
# su -s /bin/bash rancid
Check that you are now the rancid user:
$ id
4. Create /var/rancid/.cloginrc. Replace <ip> with the device IP address; you can use "*" wildcards if you want to use the same login method for a large number of devices, for example 10.1.*.*.
$ vi /var/rancid/.cloginrc
add user <ip> ssh_username
add password <ip> ssh_user_pass enable_pass
add method <ip> {ssh|telnet}
$ chown rancid:rancid /var/rancid/.cloginrc
$ chmod 600 /var/rancid/.cloginrc
5. Test the login to a router of your group:
$ /usr/libexec/rancid/clogin <ip>
[After successful execution, you will be logged in to the router in enable mode]
6. Initialize the SVN repository for rancid:
$ /usr/libexec/rancid/rancid-cvs
7. Create the router.db file. Here SWITCHES is the group we created.
$ vi /var/rancid/SWITCHES/router.db
Add one entry per device, replacing ip with the actual device IP address.
8. Run rancid!
$ /usr/libexec/rancid/rancid-run
9. Look at the configs. The backed-up configs are saved in /var/rancid/<GROUP_NAME>/configs, one file per device.
$ cd /var/rancid/SWITCHES/configs
$ ls -l
10. Check the rancid log files:
$ cd /var/log/rancid
$ ls -ll
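As an added example (not part of the original post), the script below builds the two per-group files from a constructed device list and checks the two things that commonly break a first rancid-run: .cloginrc must be mode 600 (clogin refuses a world-readable credentials file), and router.db must use the field separator of the installed RANCID major version (":" in 2.x, ";" in 3.x). The base directory, device addresses and credential placeholders are assumptions.

```shell
#!/bin/sh
# Added example: generate .cloginrc and router.db for one RANCID group and
# verify them before rancid-run is scheduled. Not the original post's code.
set -eu

# Constructed sample inventory, "ip type" per line (assumed addresses).
DEVICES='10.1.1.10 cisco
10.1.1.11 cisco
10.1.2.20 cisco-nx'

# write_cloginrc BASEDIR : create a minimal .cloginrc readable only by its owner.
# The credentials are placeholders; the real file holds device login secrets,
# which is why the restrictive mode matters.
write_cloginrc() {
    dir=$1
    ( umask 077                          # created 600; never world-readable
      cat > "$dir/.cloginrc" <<'EOF'
add user     10.1.*.*  <ssh_username>
add password 10.1.*.*  <ssh_user_pass> <enable_pass>
add method   10.1.*.*  ssh
EOF
    )
    chmod 600 "$dir/.cloginrc"
}

# write_routerdb BASEDIR GROUP MAJORVER : emit "ip<sep>type<sep>up" lines,
# choosing the separator for the RANCID major version (assumption: 2.x ':' / 3.x ';').
write_routerdb() {
    dir=$1; group=$2; major=$3
    if [ "$major" -ge 3 ]; then sep=';'; else sep=':'; fi
    mkdir -p "$dir/$group"
    printf '%s\n' "$DEVICES" | while read -r ip type; do
        [ -n "$ip" ] || continue
        printf '%s%s%s%sup\n' "$ip" "$sep" "$type" "$sep"
    done > "$dir/$group/router.db"
}

# check_cloginrc BASEDIR : succeed only if the file is exactly owner read/write.
# Uses ls rather than stat so it works on GNU and BSD userlands alike.
check_cloginrc() {
    perms=$(ls -l "$1/.cloginrc" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# count_devices BASEDIR GROUP : number of "up" devices rancid-run will poll.
count_devices() {
    grep -c 'up$' "$1/$2/router.db"
}
```

Point BASEDIR at /var/rancid and run the functions as the rancid user; the generated router.db can then be diffed against what rancid-run actually polled in /var/log/rancid.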
Email Alert Configuration
1. Edit /etc/rancid/rancid.conf
Add this to the /etc/aliases file (the aliases have to be named rancid-admin-<group listed in rancid.conf> and rancid-<group listed in rancid.conf>). Replace "" with the email address of your choice.
# Groups for rancid
rancid-admin-all: ""
rancid-all: ""
Save the file and run
CRON Schedule
1. For automated backups you can set up a cron schedule. Note that the cron job needs to be configured as the rancid user.
# su -s /bin/bash rancid
$ crontab -e
# m h dom mon dow command
0 0 * * * /usr/libexec/rancid/rancid-run
Install WebSVN
# yum install websvn
1. Fix permissions. The web server must be able to read the SVN (Subversion) folder:
# chgrp -R apache /var/rancid/svn
# chmod g+w -R /var/rancid/svn
2. Change ownership of the web files:
# chown apache:apache /usr/share/websvn
3. Add the following virtual host entry to your Apache configuration file /etc/httpd/conf.d/websvn.conf:
Alias /websvn /usr/share/websvn
<Directory /usr/share/websvn/>
  DirectoryIndex index.php
  Options FollowSymLinks MultiViews
  Order allow,deny
  Allow from all
  <IfModule mod_php4.c>
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
  </IfModule>
</Directory>
5. Reload Apache and try to browse to WebSVN at http://<ip_address>/websvn.
Check that you can access WebSVN.
6. Now we add the RANCID repository. Edit the WebSVN configuration file:
# vi /usr/share/websvn/include/config.php
// Local repositories (without and with optional group):
$config->addRepository('BDNOG', 'file:///var/rancid/svn/');