Thursday, July 26, 2012

Private VLANs de-constructed in 50 words!


Private VLANs can be de-constructed into 3 types of ports:

"P" ports
"C" ports
"I" ports

Promiscuous "P" ports - no restrictions
Community "C" ports - can talk to other "C" ports in the same community, and to "P" ports
Isolated "I" ports - can only talk to "P" ports
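The three rules above are easy to state and easy to get wrong when auditing a port list, so here is a small Python model of them. This is an added example, not Cisco code or anything from the original post: it encodes only the forwarding rules stated above (promiscuous, community, isolated), and the port names and community names in SAMPLE_PORTS are constructed.

```python
"""Reachability model for the three Private VLAN port types (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # "P" (promiscuous), "C" (community) or "I" (isolated)
    community: Optional[str] = None  # only meaningful for "C" ports


def can_talk(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be forwarded to dst under PVLAN rules."""
    for p in (src, dst):
        if p.kind not in ("P", "C", "I"):
            raise ValueError(f"{p.name}: port kind must be P, C or I")
    # Promiscuous ports have no restrictions in either direction.
    if src.kind == "P" or dst.kind == "P":
        return True
    # Community ports reach other members of the same community only.
    if src.kind == "C" and dst.kind == "C":
        return src.community == dst.community
    # Anything left involves an isolated port or two different communities: dropped.
    return False


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """Map each port name to the sorted names of the other ports it can reach."""
    return {
        p.name: sorted(q.name for q in ports if q is not p and can_talk(p, q))
        for p in ports
    }


def is_symmetric(ports: List[Port]) -> bool:
    """PVLAN forwarding is symmetric; use this as a sanity check on a port list."""
    return all(can_talk(a, b) == can_talk(b, a) for a in ports for b in ports)


# Constructed sample: one promiscuous uplink, two communities, two isolated hosts.
SAMPLE_PORTS = [
    Port("Gi0/1", "P"),
    Port("Gi0/2", "C", "web"),
    Port("Gi0/3", "C", "web"),
    Port("Gi0/4", "C", "db"),
    Port("Gi0/5", "I"),
    Port("Gi0/6", "I"),
]

if __name__ == "__main__":
    for name, peers in reachability(SAMPLE_PORTS).items():
        print(f"{name}: {', '.join(peers) or '(nothing)'}")
```

Running it prints, for each port, exactly the set of ports it can exchange frames with; an isolated host ends up with only the promiscuous uplink, which is the property PVLANs are deployed for.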


Phone Proxy with ASA 8.2

The ASA 8.2 Phone Proxy feature allows the security appliance to proxy the Certificate Authority function on behalf of the CUCM.  This allows phones registering from the outside to contact the ASA, which then proxies the connection to the CUCM.  The “media termination point” feature, along with the Certificate Trust List (CTL) on the ASA, ensures that media streams are encrypted (SRTP).

Because the “Phone Proxy” ASA is separate from the “Internet ASA” at Securiosity Companies, “outside NAT” had to be implemented to ensure that phone-to-CUCM traffic was not asymmetrically routed.  Please review the ASA configuration below for the specific details of this solution.

We have also modified a service policy to inspect SIP, and the policy is attached to the “outside” interface.

The only ACL entry relaxed here is TFTP traffic to the CUCM’s translated address on the “outside” address of the ASA.


Trustpoints for the MIC (Manufacturing Installed Certificate) on 7941 and 7961 phones

crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
 enrollment terminal
 crl configure


Phone-Proxy configuration

tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
!
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 192.168.2.227
! the following entry is optional (only needed for phones using CAPF with an LSC)
 record-entry capf trustpoint capf_trustpoint address 192.168.2.227
 no shutdown
!
media-termination mymta
 address 208.87.143.229 interface outside
 address 172.18.0.182 interface inside
!
phone-proxy ASA-phone-proxy
 media-termination mymta
 tftp-server address 172.18.2.26 interface inside
 tls-proxy ASA-tls-proxy
 ctl-file ctl_phoneproxy_file
 no disable service-settings

FW basic configuration (ACLs and NAT)

! public address of TFTP server
static (inside,outside) 192.168.2.227 172.18.2.26 netmask 255.255.255.255
!
! the only ACL entry required (TFTP runs over UDP/69, not TCP)
access-list outside permit udp any host 192.168.2.227 eq tftp
!
object-group type service CUCM-PROXY-PORTS
 service-object tcp 2443
 service-object tcp 5061
 service-object tcp 3804
 service-object udp tftp
 service-object udp range 1024 65535
!
access-list phone-proxy-traffic permit object-group CUCM-PROXY-PORTS any host 192.168.2.227 
!
! Outside NAT forces return traffic from the CUCM back through ASA-PP
! Without it, traffic from the CUCM would follow the default (0.0.0.0/0) route to the Internet, causing asymmetric routing
nat (outside) 555 access-list phone-proxy-traffic outside
global (inside) 555 interface
!
class-map sec_sip
 match port tcp eq 5061
class-map sec_sccp
 match port tcp eq 2443
!
!
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy ASA-phone-proxy 
 class sec_sip
  inspect sip phone-proxy ASA-phone-proxy 
!
service-policy voice_policy interface outside
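Several addresses in the configuration above have to agree with each other: the CTL file's cucm-tftp entry must carry the translated address of the phone-proxy tftp-server, the outside ACL must permit UDP/tftp to that same address, and the outside-NAT ACL must match it too. The following Python script checks those relationships. It is an added example, not Cisco tooling or anything from the original post; ASA_CONFIG is the page's configuration pasted in as sample input, and the parser only understands the handful of line formats used here.

```python
"""Consistency checks for the ASA 8.2 Phone Proxy configuration (added example)."""
import re
from typing import Dict, List

# Sample input: the relevant lines of the configuration shown on the page.
ASA_CONFIG = """
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 192.168.2.227
 record-entry capf trustpoint capf_trustpoint address 192.168.2.227
 no shutdown
phone-proxy ASA-phone-proxy
 media-termination mymta
 tftp-server address 172.18.2.26 interface inside
 tls-proxy ASA-tls-proxy
 ctl-file ctl_phoneproxy_file
static (inside,outside) 192.168.2.227 172.18.2.26 netmask 255.255.255.255
access-list outside permit udp any host 192.168.2.227 eq tftp
object-group type service CUCM-PROXY-PORTS
 service-object udp tftp
access-list phone-proxy-traffic permit object-group CUCM-PROXY-PORTS any host 192.168.2.227
nat (outside) 555 access-list phone-proxy-traffic outside
global (inside) 555 interface
"""


def parse(config: str) -> Dict:
    """Extract the values the checks need from the ASA 8.2 line formats used above."""
    facts: Dict = {"static": {}, "acl": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:                                   # translated (outside) <- real (inside)
            facts["static"][m.group(2)] = m.group(1)
            continue
        m = re.match(r"record-entry cucm-tftp .* address (\S+)", line)
        if m:
            facts["ctl_tftp"] = m.group(1)
            continue
        m = re.match(r"tftp-server address (\S+) interface", line)
        if m:
            facts["tftp_real"] = m.group(1)
            continue
        # protocol is either "udp"/"tcp" or "object-group NAME"
        m = re.match(r"access-list (\S+) permit (\S+(?: \S+)?) any host (\S+)(?: eq (\S+))?", line)
        if m:
            facts["acl"].append({"name": m.group(1), "proto": m.group(2),
                                 "host": m.group(3), "port": m.group(4)})
            continue
        m = re.match(r"nat \(outside\) \d+ access-list (\S+) outside", line)
        if m:
            facts["outside_nat_acl"] = m.group(1)
    return facts


def check(config: str) -> List[str]:
    """Return the problems found; an empty list means the addresses agree."""
    f = parse(config)
    problems: List[str] = []
    translated = f["static"].get(f.get("tftp_real"))
    if translated is None:
        return ["no static translation found for the phone-proxy tftp-server"]
    if f.get("ctl_tftp") != translated:
        problems.append("CTL cucm-tftp address does not match the translated TFTP address")
    if not any(a["proto"] == "udp" and a["port"] == "tftp" and a["host"] == translated
               for a in f["acl"]):
        problems.append("outside ACL does not permit UDP/tftp to the translated TFTP address")
    nat_acl = [a for a in f["acl"] if a["name"] == f.get("outside_nat_acl")]
    if not nat_acl or any(a["host"] != translated for a in nat_acl):
        problems.append("outside-NAT ACL does not match the translated TFTP address")
    return problems


if __name__ == "__main__":
    print(check(ASA_CONFIG) or "configuration is consistent")
```

The check deliberately insists on UDP for the TFTP entry: a TCP rule in that position looks plausible in a config review but never matches the phone's TFTP request, and the symptom is phones that cannot download their configuration through the proxy.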


Cisco UCS: Tracking layer-2 paths


Basic tenets of the network design:
Dual Nexus 7018s in the access layer
Dual UCS 6100 fabric interconnects
ESXi 5.0 - hosts are dual attached to the A and B sides of the fabric

We are tracking down an IP address in VLAN 301.

Note the MAC address tables on the Nexus 7018s, the UCS 6100s (A & B), and the Nexus 1000V; the following steps illustrate the well-known method of following the MAC address from one table to the next:

Nexus-7018-01# show ip arp vlan 301
IP ARP Table
Total number of entries: 2
Address         Age       MAC Address     Interface
192.168.247.66   00:06:57  0026.980c.76c1  Vlan301
192.168.247.70   00:01:18  0050.8888.6238  Vlan301


Nexus-7018-01# show mac address-table vlan 301
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
G 301      0026.980c.9bc1    static       -       F    F  sup-eth1(R)
* 301      0010.18a5.d9e0    dynamic   120        F    F  Po1
* 301      0026.980c.76c1    dynamic   450        F    F  Eth12/3
* 301      0050.8888.6237    dynamic   90         F    F  Eth12/3
* 301      0050.8888.6238    dynamic   90         F    F  Eth12/3 -> trunk to Nexus-7018-02
* 301      0050.8888.6239    dynamic   120        F    F  Eth12/7
* 301      547f.ee33.eb55    dynamic   120        F    F  Eth12/3
* 301      547f.ee35.cd95    dynamic   120        F    F  Eth12/7

Here we check the L2 adjacency table on Nexus-7018-02:

Nexus-7018-02# show mac address-table vlan 301
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
...
* 301      0050.8888.6238    dynamic   90         F    F  Eth12/7 -> UCS6100 - UCS-6100-01 -A 
...

SSH to the UCS 6100s first, then use "connect nxos" to enter the NX-OS-like CLI directly on the fabric interconnect.

UCS-6100-01-B(nxos)# show mac address-table vlan 301
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY    Ports
---------+-----------------+--------+---------+------+----+------------------
* 301      0050.8888.6239    dynamic   20         F    F  Veth934

The MAC address does not appear on Fabric B; we could have skipped this step and gone directly to Fabric A based on the CDP information on Nexus-7018-02.

UCS-6100-01-A(nxos)# show mac address-table vlan 301
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY    Ports
---------+-----------------+--------+---------+------+----+------------------
* 301      0050.8888.6237    dynamic   0          F    F  Veth957
* 301      0050.8888.6238    dynamic   0          F    F  Veth961 -> MAC address learnt here; note the matching Veth on the Nexus 1000V a few steps below…

We now check the mac-address table on the Nexus 1000V:

n1k-lab01# show mac address-table vlan 301
VLAN      MAC Address       Type    Age       Port                           Mod
---------+-----------------+-------+---------+------------------------------+---
...
301       0050.8888.6238    static  0         Veth20                         -> this reveals the MAC address on the VM guest
...


This leads us to Veth20 - we check the Nexus 1000V again:

n1k-lab01# show interface virtual pinning module 6

------------------------------------------------------
Veth      Pinned        Associated PO List of
          Sub Group id  interface     Eth interface(s)
------------------------------------------------------
Veth17    0             Po4           Eth6/1
Veth19    1             Po4           Eth6/2
Veth20    2             Po4           Eth6/3 -> this indicates VEM 4 connected over Po4
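The walk above is the same lookup repeated on each device: find the MAC in `show mac address-table`, note the port, move to whatever is cabled to that port. The following Python script automates that walk over saved command output. It is an added example, not Cisco tooling or anything from the original post: OUTPUTS holds constructed excerpts in the two column layouts quoted above (Nexus 7018/UCS 6100 and Nexus 1000V), and LINKS is a constructed map of which neighbour each port leads to, the information the post takes from CDP and the cabling.

```python
"""Follow a MAC address hop by hop through saved 'show mac address-table' output (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts, matching the column layouts quoted above.
OUTPUTS: Dict[str, str] = {
    "Nexus-7018-01": """
* 301      0026.980c.76c1    dynamic   450        F    F  Eth12/3
* 301      0050.8888.6238    dynamic   90         F    F  Eth12/3
* 301      0050.8888.6239    dynamic   120        F    F  Eth12/7
""",
    "Nexus-7018-02": """
* 301      0050.8888.6238    dynamic   90         F    F  Eth12/7
""",
    "UCS-6100-01-A": """
* 301      0050.8888.6237    dynamic   0          F    F  Veth957
* 301      0050.8888.6238    dynamic   0          F    F  Veth961
""",
    "n1k-lab01": """
301       0050.8888.6238    static  0         Veth20                         -
""",
}

# Constructed: (device, port) -> neighbour reached through that port (from CDP / cabling).
LINKS: Dict[Tuple[str, str], str] = {
    ("Nexus-7018-01", "Eth12/3"): "Nexus-7018-02",
    ("Nexus-7018-02", "Eth12/7"): "UCS-6100-01-A",
    ("UCS-6100-01-A", "Veth961"): "n1k-lab01",
}

# One pattern for both layouts: optional '*'/'G'/'+' flag, VLAN, MAC, type, age,
# the optional 'Secure NTFY' columns of the 7018/6100 layout, then the port name.
ENTRY = re.compile(
    r"^(?:[*G+]\s+)?(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<age>\S+)\s+(?:[FT]\s+[FT]\s+)?(?P<port>\S+)"
)


def lookup(output: str, vlan: int, mac: str) -> Optional[str]:
    """Return the port a MAC was learnt on in one device's table, or None if absent."""
    for line in output.splitlines():
        m = ENTRY.match(line.strip())
        if m and int(m.group("vlan")) == vlan and m.group("mac") == mac.lower():
            return m.group("port")
    return None


def trace(start: str, vlan: int, mac: str,
          outputs: Dict[str, str] = OUTPUTS,
          links: Dict[Tuple[str, str], str] = LINKS) -> List[Tuple[str, str]]:
    """Walk from `start` until the MAC lands on a port with no known neighbour.

    Returns the (device, port) hops in order; the last hop is either the
    access port (here the Nexus 1000V Veth) or the point where the MAC was lost."""
    hops: List[Tuple[str, str]] = []
    device: Optional[str] = start
    seen = set()
    while device and device not in seen:
        seen.add(device)                        # guard against a looping link map
        port = lookup(outputs.get(device, ""), vlan, mac)
        if port is None:
            break                               # MAC not present on this device
        hops.append((device, port))
        device = links.get((device, port))      # None once we reach the edge
    return hops


if __name__ == "__main__":
    for dev, port in trace("Nexus-7018-01", 301, "0050.8888.6238"):
        print(f"{dev}: {port}")
```

For the MAC followed in the post the walk ends on n1k-lab01 Veth20, the same answer the manual procedure reached; a MAC whose port has no LINKS entry stops after one hop, which is how you notice a gap in the neighbour map rather than a missing table entry.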

How to manually pin traffic:

n1k-lab01(config-if)# where
  conf; interface Vethernet20      admin@n1k-lab01
n1k-lab01(config-if)# pinning ?
  id  Configure sub-group ID for pinning

n1k-lab01(config-if)# pinning id ?
    Enter sub-group ID

n1k-lab01(config-if)# pinning id 1