GNS 3 Tutorial - configuring Static VRRP over Cisco router and testing it

Hi all,
I was working on 7200 routers for an HSRP and VRRP implementation and thought, why not write an article about it. I will be covering static VRRP over Cisco routers in GNS3 and will show you how to test it. You can also read my basic GNS3 tutorial on Cisco routers if you wish:

GNS 3 Tutorial – Basic Router password Configuration

A bit about VRRP from Cisco Documentation.
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.
In layman's terms, it lets another router take over the gateway role when a router or link fails or flaps. I have left some advanced parts out of this tutorial; it is meant for those who have a general idea of the Cisco CLI and want to learn how to configure fault-tolerant VRRP on Cisco routers.

Here is the GNS3 topology I will be using for this tutorial


Now, fire up GNS3 and start by configuring all the routers. Click the console button in the title bar to start a PuTTY terminal. The first step is to configure telnet on router R3.

(PS: I have kept the passwords simple for the sake of simplicity; don't make a habit of this in a real deployment.)

Router R3
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0
Router(config-line)#password r3
Router(config-line)#login
Router(config-line)#exit
Once done, let's assign IP addresses to R3's interfaces.
Router(config)#int s0/0
Router(config-if)#ip add
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config)#int s0/1
Router(config-if)#ip address 2.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#exit
Router(config)#
So far, router R3 has been configured. Do the same for the others, making sure R4 and R5 get LAN IPs in the same subnet.

Router R4
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0
Router(config-line)#password r4
Router(config-line)#login
Router(config-line)#exit
and the interface IPs:
Router(config)#int s0/0
Router(config-if)#ip add
Router(config-if)#ip address 1.1.1.2 255.255.255.252
Router(config-if)#no sh
Router(config)#int e1/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#exit
Router(config)#
Router R5
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0
Router(config-line)#password r5
Router(config-line)#login
Router(config-line)#exit
and the interface IPs:
Router(config)#int s0/0
Router(config-if)#ip add
Router(config-if)#ip address 2.1.1.2 255.255.255.252
Router(config-if)#no sh
Router(config)#int e1/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#exit
Router(config)#
Once done, it's time to add static routes. After that, ping every LAN and WAN address from every router just to be sure.

Router R3

Router(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.2
Router(config)#ip route 192.168.1.0 255.255.255.0 2.1.1.2 20
Router R4
Router(config)#ip route 2.1.1.0 255.255.255.0 192.168.1.2 20
Router(config)#ip route 2.1.1.0 255.255.255.0 1.1.1.1
Router R5
Router(config)#ip route 1.1.1.0 255.255.255.0 2.1.1.1 20
Router(config)#ip route 1.1.1.0 255.255.255.0 192.168.1.1
If the pings fail, you have probably misconfigured something.
Run "sh ip route" on each router to check the configuration.

Router 3
Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/30 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial0/0
     2.0.0.0/30 is subnetted, 1 subnets
C       2.1.1.0 is directly connected, Serial0/1
S    192.168.1.0/24 [1/0] via 1.1.1.2
Router R4 
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/30 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
S       2.1.1.0 [1/0] via 192.168.1.2
                [1/0] via 1.1.1.1
C    192.168.1.0/24 is directly connected, Ethernet1/0
Router R5
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
S       1.1.1.0 [1/0] via 192.168.1.1
     2.0.0.0/30 is subnetted, 1 subnets
C       2.1.1.0 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, Ethernet1/0

Up to here the basic configuration is done. Now we will configure VRRP on R4's Ethernet interface.

Now, in very simple terms:

  1. We will track an interface (by giving it a track ID); if it goes down, the router changes state. In this case it is the serial link from R3 to R4 (serial 0/0 on R4).
  2. We will create a group of routers (here R4 and R5),
  3. assign a group ID to them (which is "1", by the way),
  4. and create a virtual gateway on both routers, which stays up even if one router goes down (that is why we gave both routers IPs from the same LAN).
  5. Then we select one of them as the Master router and the other as the Backup (R4 as Master, R5 as Backup) and assign priorities (higher wins; the default is 100; R4 gets 200, R5 keeps the default).
  6. We specify a decrement value that is subtracted from the priority when the tracked interface fails, which with preemption lets the router with the higher priority take over; here the decrement is 110. When the serial link from R3 to R4 fails, 110 is subtracted from 200, so R5's priority of 100 is higher than R4's 90 and R5 becomes the Master.
  7. Test it :)


Router R4
Assign a track ID to the serial interface that R4 will monitor:
Router(config)#track 1 interface serial 0/0 line-protocol
Router(config-track)#exit
Then configure VRRP on the Ethernet interface:
Router(config)#int e1/0
Router(config-if)#vrrp 1 ip 192.168.1.3
Router(config-if)#vrrp 1 priority 200
Router(config-if)#vrrp 1 preempt
Router(config-if)#vrrp 1 track 1 decrement 110
Router(config-if)#exit
The resulting state shown by "sh vrrp" will be:
Ethernet1/0 - Group 1
  State is Master
  Virtual IP address is 192.168.1.3
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 200
    Track object 1 state Up decrement 110
  Master Router is 192.168.1.1 (local), priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.218 sec
Now we need to configure VRRP on Router R5.

Router 5
Not much to do here except enable VRRP and preemption:
Router(config)#int e1/0
Router(config-if)#vrrp 1 ip 192.168.1.3
Router(config-if)#vrrp 1 preempt
Router(config-if)#exit
The resulting state of Router R5 will be:
Ethernet1/0 - Group 1
  State is Backup
  Virtual IP address is 192.168.1.3
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 192.168.1.1, priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.201 sec)
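Before testing, here is an added example (not part of the original post, and not Cisco's code) that works through what the two routers are exchanging: it builds and parses a VRRPv2 advertisement as described in RFC 3768, derives the virtual MAC shown in the "sh vrrp" output, and models the election above, including the tracked-interface decrement. The group, priorities, decrement and addresses are the ones from this tutorial; the packet bytes are constructed.

```python
import struct
import ipaddress

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a packet whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Construct a VRRPv2 advertisement (version 2, type 1, no authentication) with a valid checksum."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + b"\x00" * 8  # auth data
    return head[:6] + struct.pack("!H", inet_checksum(head + body)) + body

def parse_advert(pkt: bytes) -> dict:
    """Parse an advertisement and verify it; raises ValueError on malformed or corrupted input."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, auth, adv, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0xF != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 16 + 4 * count or inet_checksum(pkt) != 0:
        raise ValueError("truncated packet or bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth, "adver_int": adv, "vips": vips}

def is_valid_advert(pkt: bytes) -> bool:
    """Convenience check used when filtering captured advertisements."""
    try:
        parse_advert(pkt)
        return True
    except ValueError:
        return False

def virtual_mac(vrid: int) -> str:
    """IANA-reserved VRRP virtual MAC 00-00-5E-00-01-{VRID}, in Cisco dotted notation."""
    return "0000.5e00.01%02x" % vrid

def effective_priority(priority: int, decrement: int = 0, track_up: bool = True) -> int:
    """Priority after 'vrrp N track T decrement D' is applied; floor of 1 since 0 is reserved."""
    return priority if track_up else max(priority - decrement, 1)

def elect_master(routers: dict) -> str:
    """routers maps name -> (effective priority, interface IP); highest priority wins, ties go to the higher IP."""
    return max(routers, key=lambda n: (routers[n][0], ipaddress.IPv4Address(routers[n][1])))

if __name__ == "__main__":
    advert = build_advert(1, 200, ["192.168.1.3"])  # constructed: what R4 sends for group 1
    print(parse_advert(advert), virtual_mac(1))
    print(elect_master({"R4": (effective_priority(200, 110, False), "192.168.1.1"),
                        "R5": (effective_priority(100), "192.168.1.2")}))
```

The decrement only lowers R4's own priority; R5 wins the election purely because 100 is then greater than 90, which is why the backup router needs no tracking configuration of its own.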
Congrats :) you have configured VRRP on your routers. To check whether it is working, first traceroute to the 192.168.1.0 LAN from Router R3:
Router#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 1.1.1.2 56 msec 88 msec *
It is going through our primary router :) Now telnet from Router R3 to the virtual gateway:
Router#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification
Password:
Router>

If the password that gets you in is r4, then it is configured correctly so far. Now let's shut down the primary serial interface on Router R3:

Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int s0/0
Router(config-if)#sh
Router(config-if)#exit
Router(config)#
*Mar  1 00:57:27.927: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar  1 00:57:28.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Router(config)#exit
Router#
*Mar  1 00:57:38.483: %SYS-5-CONFIG_I: Configured from console by console
Router#
Good, now ping the virtual gateway:
Router#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/49/80 ms
It is working fine. Now traceroute to the 192.168.1.0 LAN from Router R3 again:
Router#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
  1 2.1.1.2 64 msec 68 msec 64 msec
  2 192.168.1.1 44 msec 68 msec *
:)) That works too. Now finally we log in to the virtual gateway from Router R3, which should now land us on Router R5, and check the VRRP state by running the "sh vrrp" command:
Router#
Router#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification
Password:
Router>sh vrrp
Ethernet1/0 - Group 1
  State is Master
  Virtual IP address is 192.168.1.3
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 192.168.1.2 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
It works :) as Router R5 is the Master for now. Now disconnect from Router R5, bring the serial interface on Router R3 back up, log in to the virtual gateway again and check the VRRP state with "sh vrrp":
Router#exit
[Connection to 192.168.1.3 closed by foreign host]
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int s0/0
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#
*Mar  1 01:08:41.739: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 01:08:42.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to upexit
Router#
*Mar  1 01:08:46.955: %SYS-5-CONFIG_I: Configured from console by console
Router#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification
Password:
Router>sh vrrp
Ethernet1/0 - Group 1
  State is Master
  Virtual IP address is 192.168.1.3
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 200
    Track object 1 state Up decrement 110
  Master Router is 192.168.1.1 (local), priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.218 sec
Router>
Excellent. VRRP is fully working, as Router R4 is again the Master :)
Congrats, you have successfully configured VRRP with static routing on Cisco routers and tested it for fault tolerance.

till then

Stay Gold :))

by Rishabh Dangwal · 3

BSNL router hacking and possibility of running custom code over it


Hi all,
I am sorry I have been inactive due to my job; I actually got free this weekend and there we go, I was at home. At home I have a BSNL connection, and for those who don't know what BSNL is, it's the AT&T of India: bad service, too many blank spots and connections which flap/drop/disconnect like there is no tomorrow. Worse, I was on my Android, trying to get the latest of the CyanogenMod nightlies. I was frustrated by the services of BSNL. Hence I decided to mess with the router itself.

The BSNL router on closer inspection is manufactured by SemIndia and distributed by ITI. It follows the track of using firmware of different routers (Broadcom to be specific; BCM6338 stands for Broadcom router firmware version 96338, deployed in US Robotics ones and some other popular routers). Mine is a DNA-A211-1, one of the most popular ones in India.



and then it's just configured accordingly with respect to the ISP. This time I left the network part, as I do it all the time in my office with Cisco, and focused more on the router and firmware itself.


Warning:
I am not responsible for your router getting trashed, growing wings and trying to kill you. Try at your own risk; I am not responsible for your stupidity.


I didn't have a PC (trashed due to burnt RAM), so I had to do everything on my Android; pardon the small screen area and understand my plight. Telnetted into the router.
(PS: screencaps from Android may be a bit distorted as the ShootMe app was not working properly over nightly #120)




The first step was to find out what was in it, so I typed the usual help.



Lots of commands :) I ran swversion to get the version and see what this was up to.
With some hunting, I came to know that the "sh" command runs on my router; ran it and voila, the familiar interface of BusyBox snaps in.



Great, now that's worth something. My Android has it too :)) Seeing the version made me tick; it was running an older version of BusyBox. For those who don't know what BusyBox is, it's a multi-call binary. Tried ls, but it didn't work, hence tried echo *, which listed everything :)



Bingo. Tried cat /etc/passwd and there we go again.




After that, I thought why not check what the other directories have. Got into CVS and got information regarding CVS and pserver; the noteworthy one is the credentials of pserver:



pserver:sunila@192.168.128.19:/home/cvsroot

Not much of interest as they are of a private LAN; googled to find it was configured by Sunil A, an employee at SIEMIndia. Again, opened Repository:



SemIndia/Engineering/Products/ADSL2Plus/Integ_Source/targets/fs.src

Maybe a private repo at SIEM. Nevertheless,

moved on to /etc.



Lots of directories here. As a rule of thumb I opened default.cfg.



Generic stuff, but what caught my eye was this:

<ppp_conId1 userName="multiplay" password="bXVsdGlwbGF5"

This might come in handy (use your creativity :)) ). But then I thought, why not access the router from the web interface. I did it.
Went to Management and downloaded the backupsettings.conf file,




opened it and there we go,



I was not able to find the above credentials in it, hence I came to the conclusion that they must be of a somewhat higher privilege level.
Moving on, I thought why not try to create an arbitrary file. Tried
echo 'rishrockz' >> rdx

in every directory (I was not able to determine the file permissions as this version of BusyBox doesn't have ls or stat). Finally came to know that /var is writable. Tried creating a file there:
echo 'rishrockz' >> rdx
The file was created : )))))
and then
cat /var/rdx

: ))))
Congrats, you have run/done it :) )
Now I thought why not upgrade BusyBox/upgrade the firmware/upload scripts to the router; tried tftp

Didn't work. Then I checked if the tftp daemon was running as a service; it was. Yet somehow I was not able to run it. :(

Strange. I thought, forget it (small screen keyboard and Android research limitation -> frustration). Well, next time I will be thinking of cross-compiling programs (http://people.debian.org/~debacle/cross/) and copying them over using echo (once I get a PC). I have got some nice ideas and will be deploying them.
In the meantime, for those who are wondering what this machine has, here is the bootup log.

  1. Observation 1 - code can be run on the router, but files must be copied using echo (-ne with the append option) or tftp. Since BusyBox is there, we can easily insert a kernel module to be run.
  2. Observation 2 - the webs directory has a lot of HTML files, maybe manipulable for XSS attacks (I didn't cover it as it's not my domain; some better guys can do it).
  3. Observation 3 - private CVS credentials of the SemIndia pserver. Insider attack? :D Kidding. pserver is already quite insecure, but since I have seen a lot of organisations using stock/easily guessable passwords for their outer routers/firewalls/VPN servers, it's not a tough nut to crack.
  4. Observation 4 (most important) - BSNL SUCKS!


Till then .. Stay Gold

-
Rishabh Dangwal


by Rishabh Dangwal · 21
