Quick & Dirty: Cisco Modern Router (ISR, ASR) Software Upgrades

Hello World!

Just a quick post today, and my usual apology for not posting more frequently.

If, like me, you find yourself doing ISR IOS XE upgrades, you realize that although it can be a quick process there is always room for improvement.

Today, while upgrading 15+ ISR 4451 CUBE routers, I decided to quickly “notepad script” my upgrade commands. For reference I am using an SFTP server for this upgrade but the plan works for FTP or TFTP if you wish.

My quick and dirty notepad script looks like this…

copy sftp: bootflash:
! (for Enter)

A quick copy and paste and the process has started. Once the copy is successful, a second quick and dirty script will change the boot path and then reboot your router.

config t
boot system bootflash:IOSXEFileName
wr mem

There is nothing special here, and there are far more elegant solutions but this works for me and hopefully it can work for you!


Ubiquiti USG: Quick & Easy Remote Access VPN

Hello World!

When I decided to purchase and install a Ubiquiti USG-3P security appliance, which you can read about here, one of the determining factors was that I could configure VPN service for remote connectivity. As I use Dynamic DNS (DynDns) with the USG (read about that here), I have a reliable VPN url that is always available.

Whenever you put “Quick & Easy” in the title of anything, the expectation is that the process is not difficult and does not take all day. Ubiquiti has made the process very simple, I’ll outline the steps below.

Step 1.  Configure the local Radius server

This first step is located under the Settings -> Services -> RADIUS -> Server   within the Unifi Controller software. Turn it on and set your Secret and you are good to go!

Step 2. Configure your Radius (VPN) User

This second step is located under the Settings -> Services -> RADIUS -> Users   within the Unifi Controller software. Turn it on and set your Password and you are good to go! Notice I left the VLAN blank. If I was using the USG as a switched Layer 3 device this would need to be filled in. As it stands my USG is basically running as a transparent firewall.

Step 3. Build your VPN Network (VPN Profile)

This third and final step (on the UBNT side) is located within the Settings section under Networks. You will create a new network and select Remote User VPN as the purpose. In my case I selected an L2TP  Server, you could select PPTP as well, but L2TP works for my purposes. You’ll then configure your Pre-Shared Key (PSK) and define your VPN subnet. I recommend making this network small and keeping it on a network convention dissimilar from your internal networks. Configure your Name (DNS) server(s) and other options and then select your Radius profile. In my case the simple Default profile was all I needed. Within the Radius profile configuration you could add an external Radius server if you have one in place currently. If that is the case the first two steps are not necessary.  The MS-CHAP v2 requirement is checked by default and you should use it for security.

At this point, we are done with our Ubiquiti configuration! That means it is time to move on to the client side. In my case that means Windows 10. There are L2TP/PPTP configuration guides out there for Mac and Linux as well but since I am using Windows, that is what I’ll cover.

Step 1. Go to the VPN Configuration Screen

In the image below you’ll see the VPN configuration screen that is under Settings -> Network & Internet -> VPN from here you can Add a VPN Connection. Once your connection is added you’ll see it in the list (as shown below) and also in the network status icon on your Windows taskbar (Windows 10).

Step 2. Configure the VPN Profile

Configuring the VPN profile for Windows 10 is very straightforward. You’ll need the public address of your USG (or your Dynamic DNS url) and you’ll need the Pre-Shared Key (PSK). You’ll also need (optionally) your username and password. If you don’t enter your username and password (shown in the image below) you’ll be prompted every time you connect.

Step 3. Connect

To connect to your VPN in Windows 10, select the network status icon in the task bar (usually a computer screen for wired or a wireless signal graph for wireless) and click on the VPN connection at the top of the box.

If you entered your username and password into the configuration page you should not be prompted for them, if you did not, you will need to enter them when prompted. Once connected, you’ll see the status above.

When I show my connection status I can see the VPN settings that I configured earlier (shown below).

In closing, this really is a quick and easy process. If you need easy and reliable remote access it is definitely something to consider. Also worth considering is that we are doing this configuration with PSKs and not with certificates. There are security considerations to take into account here.  With all of that said, I would 100% choose this option over users accessing systems remotely via the questionable applications that exist in the software client remote access space today.

I hope this helps someone! Questions? Comments? Post them below.


When Good VTP Goes Bad

Just a quickie tonight folks…

I am expanding my network and relocating my servers and other “noisy” hardware to my basement. The cooling value of the dry subterranean environment is great but in all honesty I’m trying to keep my better half happy and my office is not a great place for network gear and servers apparently.

With this relocation I am expanding my switching infrastructure from my core 3560G to include a 2960G as well. The addition of this switch gives me the opportunity to play with VTP or the VLAN Trunking Protocol.

VTP is a Layer 2 protocol that allows you to configure all of your VLANs on the “server” and then feed them down to the “clients”. VTP is a proprietary Cisco protocol and for large, diverse networks it may not be the best option but for me it works, at least it was supposed to.

I say supposed to, because I configured it, using version 2 and nothing happened. Below are my configurations…

CORE-3560G-01(config-vlan)#do show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SPRNET
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 000a.b8d3.0400
Configuration last modified by at 8-22-16 01:52:57
Local updater ID is on interface Vl1 (lowest numbered VLAN interface found)
Preferred interface name is gig0/49

Feature VLAN:
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 23
Configuration Revision            : 0
MD5 digest                        : 0x85 0x94 0x36 0x46 0xC1 0xCE 0xE0 0xD0          
                                    0x87 0x0A 0xF2 0xD4 0x24 0xD0 0xF8 0xD2
BASEMENT-2960G-01#show vtp sta
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SPRNET
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.594c.b180
Configuration last modified by at 3-15-93 06:29:46

Feature VLAN:
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 255
Number of existing VLANs          : 5
Configuration Revision            : 0
MD5 digest                        : 0x7D 0x73 0xB1 0x19 0x35 0xDC 0xE2 0xA8
                                    0x3A 0x07 0xE0 0xBF 0x92 0xFA 0x53 0x2A

As you can see everything looks like it should work. My passwords match and my domain matches but still no joy. After banging my head on my desk to figure this out, I see the below error message at the bottom of my client’s VTP status.

*** MD5 digest checksum mismatch on trunk: Gi0/21 ***

What is this error? What does it mean?

What it means is that the key exchange between the VTP server and client is incorrect and thus no one talks. What it also means is that I am hitting a long running bug. See the Cisco forum post here

If you read that post, you’ll find the fix, but here it is for your reference.

Basically, you need to make your server regenerate its MD5 Checksum value. Once that value is regenerated, VTP messages are exchanged between the server and client(s) and VLAN joy is had by all. To regenerate this value, simply create a new Layer 2 Vlan.  A simple fix for a complex problem. For those of you that want to upgrade code to solve the problem, good luck, Cisco hasn’t fixed this bug in over 20 revisions of IOS software.

I hope this has helped someone, thank you for reading.