Sunday, April 14, 2013

BGP Timers




BGP peers exchange timer parameters during session initiation and use 3 types of timers:

Keepalive - Frequency (in seconds) with which the Cisco IOS software sends keepalive messages to its peer. The default is 60 seconds. The range is from 0 to 65535.

Holdtime - Interval (in seconds) after not receiving a keepalive message that the software declares a peer dead. The default is 180 seconds. The range is from 0 to 65535.

Min-holdtime - (Optional) Interval (in seconds) specifying the minimum acceptable hold-time from a BGP neighbor. The minimum acceptable hold-time must be less than, or equal to, the interval specified in the holdtime argument. The range is from 0 to 65535.

This is the topology I used:



Both peers exchange the timer parameters using the OPEN message. Here we can see the OPEN message sent by R1 to R3:



Note that only the holdtime timer is announced.

Now I have configured the following command on R1:

R1(config-router)#neighbor 10.1.13.3  timers 3 9

The result:

R1 will send a keepalive message to R3 every 3 seconds.

R3 will wait 3 seconds for the next keepalive; if none arrives, it will wait 9 seconds before declaring neighbor R1 down.

The holdtime timer is the only setting that matters: it tells the other side how long to wait without receiving a keepalive message before declaring the neighbor down.

The min-holdtime timer is the lowest value that the BGP peer will accept as a holdtime, but the value of this timer should be less than or equal to the holdtime configured for the peer.

For example:

R1(config-router)#neighbor 10.1.13.3  timers 10 60 60

The result:

R1 will send a keepalive message every 10 seconds.

R3 will wait 10 seconds for the next keepalive; if none arrives, it will wait 60 seconds before declaring neighbor R1 down.

R3 will also have to send a holdtime with a value of 60 seconds or less.

If R3 sends a holdtime value greater than 60 seconds, we will get a notification error in the terminal:

*Mar  1 02:30:03.747: %BGP-3-NOTIFICATION: sent to neighbor 10.1.13.3 2/6 (unacceptable hold time) 0 bytes

or in Wireshark:
 

Timer parameters can be configured globally on the BGP process for all neighbors, or on a per-neighbor basis, which overrides the global configuration.
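The hold-time exchange described above, as an added example (not from the original post and not Cisco's code): it parses a BGP OPEN, shows that the hold time is the only timer the message carries, and applies the RFC 4271 rules, where the smaller hold time wins and a value of 1 or 2 seconds draws NOTIFICATION 2/6. The AS number, the router ID and the keepalive cap of one third of the negotiated hold time are assumptions.

```python
import struct

MARKER = b"\xff" * 16
OPEN = 1
ERR_OPEN, SUB_BAD_HOLD = 2, 6   # "2/6 (unacceptable hold time)" in the log above


def build_open(my_as, hold_time, router_id):
    """Constructed sample: a BGP-4 OPEN with no optional parameters."""
    rid = bytes(int(o) for o in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, rid, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def parse_open(msg):
    """Return the fixed OPEN fields. There is no keepalive field to read."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("not a BGP OPEN: bad marker or truncated")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN or length != len(msg):
        raise ValueError("not a BGP OPEN: wrong type or length")
    version, my_as, hold, rid, _optlen = struct.unpack("!BHH4sB", msg[19:29])
    return {"version": version, "as": my_as, "hold_time": hold,
            "router_id": ".".join(str(b) for b in rid)}


def negotiate(local_hold, local_keepalive, peer_open):
    """Apply the RFC 4271 hold-time rules to a received OPEN.

    Returns ("established", hold, keepalive) or ("notification", 2, 6).
    """
    peer_hold = parse_open(peer_open)["hold_time"]
    # Hold times of 1 or 2 seconds must be rejected; 0 disables the timers.
    if peer_hold in (1, 2):
        return ("notification", ERR_OPEN, SUB_BAD_HOLD)
    hold = min(local_hold, peer_hold)       # the smaller value wins
    if hold == 0:
        return ("established", 0, 0)        # no keepalives, no hold timer
    # Assumption: keepalive is capped at one third of the negotiated hold time.
    return ("established", hold, min(local_keepalive, hold // 3))


if __name__ == "__main__":
    # Constructed input: R1 after "timers 3 9", seen by R3 on defaults 60/180.
    r1_open = build_open(65000, 9, "10.1.13.1")
    print(parse_open(r1_open))
    print(negotiate(180, 60, r1_open))
```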








Wednesday, April 10, 2013

Cisco 7 password recovery on IOS



If we encounter a situation where we need to reveal a Cisco type 7 password but we don’t have access to the internet (sounds like science fiction!) or to a utility that does that, we can use Cisco IOS itself to reveal the password.

Let’s say we logged in to R1 and, as we can see, there is a password on the BGP peer to R2:

R1#sh run | s bgp
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 65002
 neighbor 2.2.2.2 password 7 106D000A061843595F
 no auto-summary

In order to reveal the password, follow these steps:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#key chain decrypt
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 106D000A061843595F
R1(config-keychain-key)#end

Note that in the key-string we start with 7, followed by the encoded password copied from the BGP peer password.

Now, to see the password, type:

R1#show key chain decrypt
Key-chain decrypt:
    key 1 -- text "Cisco123"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

The password is “Cisco123”.

SecureCRT chat window



Using the SecureCRT chat window allows us to send a command, or multiple commands, to multiple hosts at once. In this way we can save a lot of time and keystrokes.

For example, here I opened a SecureCRT window with 3 routers organized in tabs:



Now let’s open the chat window by clicking View in the menu bar and then clicking Chat Window:



Now right-click on the chat window and choose Send Chat to All Sessions:



Now we can type a command in the chat window, and after pressing Enter it will be applied to all routers in the window:



In order to type more than one command, use the CTRL+ENTER combination to jump to a new line:



The chat window also has a history buffer, so we can use the up and down arrows to scroll through the history.