PacketPundit
all things packets and internetworks
Apr 15th
I was asked by someone, “Why don’t you just add the static route pointing out the ethernet interface?” I explained that with a static route created this way the router would have to ARP for each destination address, which would (a) add the delay needed to complete the ARP and (b) generate an excess of ARP traffic.
To show the effects, let’s lab this up.
The topology is a simple two-router setup, where R2 has 10 loopbacks created to simulate end hosts on different networks.

Loopbacks are 100.1.1.1, 100.2.2.2, 100.3.3.3, etc.
Now, let’s create a static default route pointing out the interface to R2.
R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0
After this is created, ping all the addresses. It can be seen that an ARP is done for each address (the first ICMP echo times out).
R1#ping 100.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.10.10.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/41/68 ms
Look at the ARP table to verify.
R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.12.1               -   c200.0b68.0000  ARPA   FastEthernet0/0
Internet  10.1.12.2               6   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.1.1.1               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.2.2.2               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.3.3.3               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.4.4.4               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.5.5.5               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.6.6.6               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.7.7.7               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.8.8.8               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.9.9.9               0   c201.0b68.0000  ARPA   FastEthernet0/0
Internet  100.10.10.10            0   c201.0b68.0000  ARPA   FastEthernet0/0
Clear the ARP table, and add the static route with the next-hop address instead of the interface.
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.12.2
Ping the loopbacks again and a difference can be seen. None of the loopbacks had the first ICMP message time out (except perhaps the first one pinged, if the entire ARP cache was cleared).
R1#ping 100.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/41/68 ms
Also, there is only one dynamic ARP entry in the table.
R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.12.1               -   c200.0b68.0000  ARPA   FastEthernet0/0
Internet  10.1.12.2               0   c201.0b68.0000  ARPA   FastEthernet0/0
The above output is taken after pinging all 10 networks. See the difference?
There is still one small problem with setting up a static route this way. Since the next hop is an IP address, the router must still find an exit interface for it. Therefore, for each packet to 10.1.12.2 the following recursive lookup is done.
R1#show ip route 10.1.12.2
Routing entry for 10.1.12.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0
      Route metric is 0, traffic share count is 1
That is one extra step we can eliminate by specifying both the interface and the next-hop address on the same line.
R1(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/0 10.1.12.2
Here you have both the next-hop address and the interface, so route recursion does not have to be done.
Apr 11th
I have found myself in a couple of situations where I would like to know what the encrypted password is for a user in the show run (PPP authentication fails, for example). Or, let’s say one is in the CCIE lab, and NTP authentication is failing, with a restriction that you cannot change one side of the connection. This restriction prevents one from deleting both ends and re-adding them. In the example below, the password for username BILLY will be decrypted. The same works for any encryption type 7. Let’s see the username in question.
MLS-1-1#show run | i username BILLY
username BILLY password 7 106C263B
From this output we have the encrypted password. Put this value into a key chain.
MLS-1-1#conf t
MLS-1-1(config)#key chain DECRYPT
MLS-1-1(config-keychain)#key 1
MLS-1-1(config-keychain-key)#key-string ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
MLS-1-1(config-keychain-key)#key-string 7 106C263B
MLS-1-1(config-keychain-key)#
For the key-string, be sure to enter 7 in front of the encrypted output.
Now, all that needs to be done is to view the key chain.
MLS-1-1#show key chain DECRYPT
Key-chain DECRYPT:
    key 1 -- text "BOB"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
Now we know the password is BOB.
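The same weakness, as a config audit you can run offline. This is an added example, not part of the original post: it finds every type 7 string in a running-config dump and shows the plaintext using the fixed XOR key that IOS itself ships with, which is exactly why the router could hand BOB back above. The sample config is constructed; the BILLY line, the key-string value and the decoded BOB are from the post, the ALICE line and its placeholder hash are made up.

```python
import re

# Cisco's fixed type 7 XOR key. It is built into IOS, so "7" is reversible
# obfuscation, not encryption: anyone with the config has the plaintext.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with the key byte at position (seed + index)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")

# Where IOS stores type 7 secrets: user/line passwords, key-chain key-strings
# and NTP/routing md5 keys, all in the form "<keyword> 7 <hex>".
TYPE7_LINE = re.compile(r"\b(password|key-string|md5)\s+7\s+([0-9A-Fa-f]{4,})\b")

def audit_config(config_text: str) -> list[dict]:
    """Return one finding per type 7 secret in a running-config dump."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = TYPE7_LINE.search(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "config": line.strip(),
            "plaintext": decode_type7(m.group(2)),
            "advice": "reversible type 7: rotate it and store as a secret (type 8/9) where IOS allows",
        })
    return findings

# Constructed sample config (hypothetical). The BILLY and key-string lines are
# the ones from the post; the ALICE entry carries an obvious placeholder hash.
SAMPLE_CONFIG = """\
hostname MLS-1-1
username BILLY password 7 106C263B
username ALICE secret 9 $9$PLACEHOLDER-NOT-A-REAL-HASH
key chain DECRYPT
 key 1
  key-string 7 106C263B
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['config']} -> {f['plaintext']!r} ({f['advice']})")
```

Type 8/9 (and `secret 5`) entries are not matched and not reversible, so they produce no finding; only the two type 7 lines are reported.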