
Sunday, June 28, 2020

Linux is essential for networking in the future because of the rise of network automation and evolving concepts. I am writing this post as a reference for basic Linux commands and their outputs, which you will come across in a Linux CLI / Bash environment.

Most people like to use an Ubuntu VM on top of VMware on their Windows PCs; I like to use the Ubuntu app from the Windows 10 App Store for my networking work.

This app saves both my RAM and my time: I just open it like the Windows command prompt and perform Linux tasks right away.


Switch User / Switch User to root
su <username>
su - or sudo su

You will have to give the password of the user you are switching to.

Installing a Package
apt install

You can add -y at the end of the command to answer Yes to any prompt that appears during installation.

Uninstalling a Package
apt purge

If you specify a wildcard name, e.g. apt purge *impacket*, it will remove everything matching impacket.

Go back and forth between directories
cd .. and cd <directory>

If the directory is not inside the directory you are currently in, give its full path starting with '/' before the directory name.

Listing items in a directory
ls

See all files in long listing format with read/write capabilities
ls -la
Entries starting with a dot (.) are hidden files.

Let's analyze the permissions notation of the 1st row.

The letter sequence drwxr-xr-x stands for permissions.
d means a directory; for a file it will be -
After d, the next letters are grouped into 3-letter groups.
In the above example, the 1st group is 'rwx', the 2nd group 'r-x' and the 3rd group 'r-x'.

Within each 3-letter group the 1st letter is always r = read, the 2nd letter is always w = write and the 3rd letter is x = execute. If a particular right is not set, it is shown as a dash -

1st group 'rwx' is for the file / directory owner
2nd group 'r-x' is for the group owner
3rd group 'r-x' is for all others

In the above example, the group owner can read and execute but cannot write.

Note:-
When you try to execute Python scripts etc. in networking, they must have execute rights.

Setting permissions on a file or folder
chmod
chmod 777 will make the file rwx for everyone, while chmod 755 will permit read and execute access for everyone and additionally write access for the owner of the file.

chmod +x new.text will make the file executable for everyone
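To make the mapping between the ls -la permission string and the chmod octal modes above concrete, here is a small Python script (an added example, not part of the original post) that decodes a mode string such as drwxr-xr-x into owner/group/other rights and the octal number, converts an octal mode back to the symbolic form, and flags world-writable entries in a listing. The listing it scans is constructed sample output, not output from the post.

```python
"""Decode the permission column of `ls -la` and relate it to chmod octal modes."""
from __future__ import annotations

from dataclasses import dataclass

# First character of the ls mode string -> file type.
FILE_TYPES = {
    "-": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "named pipe", "s": "socket",
}


@dataclass(frozen=True)
class Triplet:
    """One rwx group: owner, group owner, or all others."""
    read: bool
    write: bool
    execute: bool

    def octal_digit(self) -> int:
        return (4 if self.read else 0) + (2 if self.write else 0) + (1 if self.execute else 0)

    def describe(self) -> str:
        names = [n for n, on in (("read", self.read), ("write", self.write),
                                 ("execute", self.execute)) if on]
        return " + ".join(names) if names else "no access"


def _parse_triplet(chars: str) -> Triplet:
    r, w, x = chars
    # setuid/setgid ('s'/'S') and sticky ('t'/'T') share the execute slot;
    # lowercase means the execute bit is also set, uppercase means it is not.
    if r not in "r-" or w not in "w-" or x not in "x-sStT":
        raise ValueError(f"bad permission triplet: {chars!r}")
    return Triplet(r == "r", w == "w", x in "xst")


def parse_mode(mode: str) -> dict[str, object]:
    """Turn e.g. 'drwxr-xr-x' into its type, per-class rights and octal value."""
    if len(mode) < 10 or mode[0] not in FILE_TYPES:
        raise ValueError(f"bad mode string: {mode!r}")
    owner, group, other = (_parse_triplet(mode[1:4]), _parse_triplet(mode[4:7]),
                           _parse_triplet(mode[7:10]))
    return {
        "type": FILE_TYPES[mode[0]],
        "owner": owner.describe(),
        "group": group.describe(),
        "other": other.describe(),
        "octal": f"{owner.octal_digit()}{group.octal_digit()}{other.octal_digit()}",
        "world_writable": other.write,
    }


def octal_to_symbolic(octal: str) -> str:
    """Reverse direction: the mode that 'chmod 755' sets, shown as ls prints it."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError(f"bad octal mode: {octal!r}")
    out = []
    for digit in octal:
        n = int(digit)
        out.append(("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-"))
    return "".join(out)


def world_writable_entries(listing: str) -> list[str]:
    """Names of entries in an `ls -la` listing that anyone on the box can modify."""
    hits = []
    for line in listing.splitlines():
        parts = line.split(None, 8)  # mode, links, owner, group, size, month, day, time, name
        if len(parts) < 9 or parts[0] == "total":
            continue
        if parse_mode(parts[0])["world_writable"]:
            hits.append(parts[8])
    return hits


# Constructed sample listing (not real output from the post).
SAMPLE_LISTING = """\
total 16
drwxr-xr-x 2 user user 4096 Jun 28 10:00 .
drwxr-xr-x 5 user user 4096 Jun 28 09:58 ..
-rw-r--r-- 1 user user   12 Jun 28 10:00 .hidden
-rwxrwxrwx 1 user user  220 Jun 28 10:01 new.text
-rwxr-xr-x 1 user user 1034 Jun 28 10:02 script.py"""

if __name__ == "__main__":
    for name, mode in (("directory", "drwxr-xr-x"), ("new.text", "-rwxrwxrwx")):
        print(name, parse_mode(mode))
    print("chmod 755 ->", octal_to_symbolic("755"))
    print("world-writable:", world_writable_entries(SAMPLE_LISTING))
```

The world-writable check is the one to keep in mind when reaching for chmod 777: it is the quickest way to make a script runnable, but it also lets every other account on the machine rewrite it before you run it.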

Create a directory
mkdir

Remove an empty directory
rmdir

Remove a non empty directory
rm -rf

Create a new text file with a text
echo

View a text file content on CLI
cat
You can also view the content in a text editor like nano using the nano new.text command.

Copy a file or a folder
cp

The following command will rename the file at the destination as it copies..

Moving a file or folder
mv

You can see the file is gone from the original location..

Remove a file
rm

Find a file
locate
Newly created files or folders may not be found by this command until you run the updatedb command.

View Interface Configuration
ifconfig
For wireless interfaces and their configuration, we can use iwconfig.

Network Troubleshooting Commands

ping <ip address>

traceroute <ip address>

arp -a

View all open ports and what is connected to them
netstat -ano

View Routing Table
route

View command history
history

You can use grep to find a matching command in command history.
Ex:- history | grep ping

Clone a Git Repository 
git clone <github link>

Start / Stop Service
service ssh start
service ssh stop

The above commands will start and stop the ssh service.

You can view the manual / get help for any command using man <command>.

Tuesday, June 23, 2020

Inter-VRF routing can be achieved by several methods. Following are 6 ways you can do it. There may be other methods, but most commonly you will see one of the following in your network.

1. Using static routes
2. Using route maps
3. Import - Export Policies plus Multi-Protocol BGP
4. Connecting two interfaces which belong to two VRFs
5. Pointing traffic to a Firewall
6. Inter VRF Tunneling

Go here to know how to do inter VRF routing using static routes.
Go here to know how to do inter VRF routing using route maps.
Go here to know how to do inter VRF routing using import export policies.

In this post I am doing it using GRE tunnels. The advantages of this method are that global-to-VRF connectivity is easy to achieve even inside a single router, and that dynamic routing can be configured between VRFs.

First, let's configure 2 Loopbacks in the global table for underlay routing.. (you can use existing interfaces for this too)

interface Loopback1
 ip address 1.1.1.1 255.255.255.255

interface Loopback2
 ip address 2.2.2.2 255.255.255.255

Now let's create 2 Tunnel interfaces for overlay routing..

interface Tunnel1
 ip vrf forwarding ONE
 ip address 10.10.10.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 2.2.2.2

interface Tunnel2
 ip vrf forwarding TWO
 ip address 10.10.10.2 255.255.255.252
 tunnel source Loopback2
 tunnel destination 1.1.1.1

Now the 3 routing tables (global, ONE, TWO) look like the following..

As you can see, VRF ONE and VRF TWO each have a tunnel interface in the same connected subnet (10.10.10.0/30), so you can add static routes or dynamic routing between them as per your requirement.

In the routing tables you can see there are 2 more Loopback interfaces which each belong to a specific VRF..

Loopback 100 = 100.1.1.1/24 vrf ONE
Loopback 200 = 200.1.1.1/24 vrf TWO

I added these to test the route leaking..
As an example, let's say we want to ping Loopback 200, which is in VRF TWO, from VRF ONE.

I will add a static route,

ip route vrf ONE 200.1.1.1 255.255.255.255 10.10.10.2

See, that was enough. Now how about pinging with Loopback 100 as the source?

Well, it fails, because there is no route for the returning traffic..
Let's fix it by adding another static route..

ip route vrf TWO 100.1.1.1 255.255.255.255 10.10.10.1
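The two-step outcome above (the forward route alone is enough when the ping is sourced from the tunnel address, but a VRF-only loopback needs a return route in the other VRF) can be reproduced with a small per-VRF routing model. This is an added Python example, not router code and not part of the original post; the interface names and addresses are the post's, while the Router and Vrf classes and the one-level next-hop resolution are simplifying assumptions.

```python
"""A tiny per-VRF routing model: each VRF has its own table, so a leaked route
must exist in both directions before a ping sourced from a VRF-only interface works."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: IPv4 | None = None  # None = connected route


@dataclass
class Vrf:
    name: str
    routes: list[Route] = field(default_factory=list)

    def lookup(self, dst: IPv4) -> Route | None:
        """Longest-prefix match against this VRF's table only."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def resolves(self, dst: IPv4) -> bool:
        """True if dst is routable: connected, or static with a next hop that is
        itself reachable via a connected route (one level of recursion; a simplification)."""
        route = self.lookup(dst)
        if route is None:
            return False
        if route.next_hop is None:
            return True
        via = self.lookup(route.next_hop)
        return via is not None and via.next_hop is None


class Router:
    def __init__(self) -> None:
        self.vrfs: dict[str, Vrf] = {}
        self.owner: dict[IPv4, str] = {}  # local interface address -> VRF name

    def interface(self, vrf: str, name: str, addr: str) -> None:
        """Models 'ip vrf forwarding <vrf>' plus 'ip address' on an interface."""
        ip = ipaddress.ip_interface(addr)
        table = self.vrfs.setdefault(vrf, Vrf(vrf))
        table.routes.append(Route(ip.network, name))
        self.owner[ip.ip] = vrf

    def static(self, vrf: str, prefix: str, next_hop: str) -> None:
        """Models 'ip route vrf <vrf> <prefix> <mask> <next-hop>'."""
        table = self.vrfs.setdefault(vrf, Vrf(vrf))
        nh = ipaddress.ip_address(next_hop)
        egress = table.lookup(nh)
        table.routes.append(Route(ipaddress.ip_network(prefix),
                                  egress.interface if egress else "unresolved", nh))

    def ping(self, vrf: str, src: str, dst: str) -> tuple[bool, bool]:
        """(forward_ok, return_ok) for an echo sourced from src inside vrf towards
        dst, a local address that belongs to some (possibly other) VRF."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        forward = self.vrfs[vrf].resolves(d)
        dst_vrf = self.owner.get(d)
        back = dst_vrf is not None and self.vrfs[dst_vrf].resolves(s)
        return forward, back


def build_router() -> Router:
    """Interfaces from the post: the tunnels in ONE/TWO plus the two VRF-only loopbacks."""
    r = Router()
    r.interface("ONE", "Tunnel1", "10.10.10.1/30")
    r.interface("ONE", "Loopback100", "100.1.1.1/24")
    r.interface("TWO", "Tunnel2", "10.10.10.2/30")
    r.interface("TWO", "Loopback200", "200.1.1.1/24")
    return r


def demo() -> dict[str, tuple[bool, bool]]:
    r = build_router()
    r.static("ONE", "200.1.1.1/32", "10.10.10.2")  # the first leaked route
    results = {
        "from Tunnel1": r.ping("ONE", "10.10.10.1", "200.1.1.1"),
        "from Loopback100": r.ping("ONE", "100.1.1.1", "200.1.1.1"),
    }
    r.static("TWO", "100.1.1.1/32", "10.10.10.1")  # the return route
    results["from Loopback100 after fix"] = r.ping("ONE", "100.1.1.1", "200.1.1.1")
    return results


if __name__ == "__main__":
    for case, (fwd, back) in demo().items():
        print(f"{case:28} forward={fwd} return={back}")
```

The model makes the failure mode explicit: reachability is checked per table, so a leaked /32 in ONE says nothing about what TWO knows, and the ping from Loopback 100 only succeeds once TWO has its own route back to 100.1.1.1.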

Now let's see how dynamic routing can be configured for this. Let's remove the above static routes and use OSPF to leak routes.

Following commands will enable OSPF in interfaces,

interface Loopback100
 ip ospf 1 area 0

interface Loopback200
 ip ospf 2 area 0

or you can use the following format too..

router ospf 1 vrf ONE
 network 10.10.10.1 0.0.0.0 area 0
 network 100.1.1.1 0.0.0.0 area 0
router ospf 2 vrf TWO
 network 10.10.10.2 0.0.0.0 area 0
 network 200.1.1.1 0.0.0.0 area 0

You can see the neighbors are up and the routes are leaked via OSPF..

Saturday, June 20, 2020

If you want to learn how we did this on the old Cisco ACS servers, click on the following link..

Configure Users & Add AAA Clients to TACACS Server

Also, to configure network devices as TACACS clients, please refer to the following posts..

Configuring AAA on Cisco Routers / Switches for TACACS Users
Configuring AAA on Cisco ASA for TACACS Users

Evolution of the ACS

Actually, the basis of the oldest method was to configure Shared Profile Components and bind them to User Profiles/Groups. Then it was developed to the extent that we could configure Policy Elements and bind them to User Profiles/Groups.

Now ISE is here to replace the old ACS servers. It is more flexible because ISE uses a rich set of policy elements and uses them to implement policies that permit or deny authorization based on conditions.

Let's get started with a typical practical example..

Let's say there are 2 types of users who access network devices of a company. They are Admin users and Help Desk users. Both Admin and Help Desk users must be able to issue any command in L2 Devices. Admin users should be allowed to issue any command in L3 Devices too while Help Desk users must not be able to configure Layer 3 devices.

To fulfill this requirement, the following tasks should be performed on ISE.

1. Create 2 User Groups (Admin_Users, Helpdesk_Users)
2. Create 2 Users and assign them to 2 User Groups (Bob, Sally)
3. Create a Shell Profile (CiscoHigh)
4. Create 2 Command Sets (ALL Commands, Deny Some Config)
5. Create 2 Device Groups (LAN,WAN)
6. Create 2 Network Devices (L2-Switch, L3-Router)
7. Create a Device Admin Policy Set with 2 Authorization Policies

Prerequisites

First of all, the following 2 prerequisites must be met.

1. Have a Device Admin License
Administration > System > Licensing

A quantity of 1 license is enough per ISE, which means you need only 1 Device Admin license to run the ACS service on ISE.

2. Enable Device Admin Service
Administration > System > Deployment

Configuration

1. Create 2 User Groups
Go to Work Centers > Device Administration > User Identity Groups > +Add

2. Create 2 Users and assign them to 2 User Groups
Go to Work Centers > Device Administration > Identities > +Add

I am only giving the Login Password and the User Group for each user.
Bob is the Admin User and Sally is the Help Desk User.

3. Create a Shell Profile
Go to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles > +Add

I am creating a single Shell Profile for both user types because the command restriction is done in the Command Sets configuration. Since all users should generally have access to privilege level 15 commands, this is the approach.

I name this Shell Profile as CiscoHigh.

4. Create 2 Command Sets
Go to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets > +Add

The first Command Set is to permit all commands, so I just need to tick the "Permit any command that is not listed below" check box and leave the command list empty.

The next Command Set is to deny some commands.
I named the 1st one ALL Commands and the second one Deny Some Config..

5. Create 2 Device Groups
Go to Work Centers > Device Administration > Network Resources > Network Device Groups > +Add

6. Create 2 Network Devices
Go to Work Centers > Device Administration > Network Resources > Network Devices > +Add

Both devices are added in the same way..

7. Create a Device Admin Policy Set with 2 Authorization Policies
Go to Work Centers > Device Administration > Device Admin Policy Sets > +Add

Let's create a Policy Set named TACACS.
Click on the + mark under Conditions. I am configuring this main Policy Set condition on the Network Access UserName attribute (username equal to TACACS User), so that the Policy Set is only used for a username in the Network Access section.

After hitting Use, the Policy Set will be shown like the following.. I am selecting Default Device Admin as the allowed protocols, which permits TACACS, RADIUS etc. by default.

Now click on the > to go inside the Policy Set for the further configuration..

The 1st thing to configure is the Authentication Policy. When you expand it, you can see a Default Policy is there and truly there is nothing much to do here. So I am just selecting Internal Users as the Identity Store and moving on to the Authorization Policy.

The Authorization Policy is the one which does the real work. According to the requirement, we can use granular logic with AND, OR etc. to implement the policy. The following snap shows how I addressed the requirement.
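As an added illustration (not ISE code and not part of the original post), the following Python model evaluates the same requirement: identity groups, network device groups, two command sets and three ordered authorization rules. The users, groups, device names, shell profile and command-set names are taken from the post; the rule order and the assumption that Deny Some Config blocks the configure command are mine, since the post shows the denied commands only in a screenshot.

```python
"""Model of the ISE device-admin authorization flow built in the post:
which user, on which device group, gets which shell profile and command set,
and whether a given command line is then permitted."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CommandRule:
    grant: str              # "PERMIT" or "DENY"
    command: str            # command keyword, e.g. "configure"
    arguments: str = ".*"   # regex the remaining arguments must fully match


@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool   # the "Permit any command that is not listed below" tick box
    rules: list[CommandRule] = field(default_factory=list)

    def allows(self, command_line: str) -> bool:
        word, _, args = command_line.strip().partition(" ")
        for rule in self.rules:  # first listed rule that matches decides
            if rule.command == word and re.fullmatch(rule.arguments, args):
                return rule.grant == "PERMIT"
        return self.permit_unlisted


@dataclass(frozen=True)
class AuthzRule:
    name: str
    user_group: str
    device_group: str | None  # None = matches any device group
    shell_profile: str
    command_set: str


# Identities and device groups exactly as named in the post.
USER_GROUPS = {"Bob": "Admin_Users", "Sally": "Helpdesk_Users"}
DEVICE_GROUPS = {"L2-Switch": "LAN", "L3-Router": "WAN"}

COMMAND_SETS = {
    "ALL Commands": CommandSet("ALL Commands", permit_unlisted=True),
    # Assumption: "Deny Some Config" blocks entering configuration mode and
    # leaves every other command permitted.
    "Deny Some Config": CommandSet("Deny Some Config", permit_unlisted=True,
                                   rules=[CommandRule("DENY", "configure")]),
}

# Ordered as in the policy set; ISE evaluates top-down and uses the first match.
AUTHZ_RULES = [
    AuthzRule("Admins", "Admin_Users", None, "CiscoHigh", "ALL Commands"),
    AuthzRule("Helpdesk-LAN", "Helpdesk_Users", "LAN", "CiscoHigh", "ALL Commands"),
    AuthzRule("Helpdesk-WAN", "Helpdesk_Users", "WAN", "CiscoHigh", "Deny Some Config"),
]


def match_rule(user: str, device: str) -> AuthzRule | None:
    """Find the first authorization rule whose conditions match user and device."""
    group = USER_GROUPS.get(user)
    dgroup = DEVICE_GROUPS.get(device)
    if group is None or dgroup is None:
        return None
    for rule in AUTHZ_RULES:
        if rule.user_group == group and rule.device_group in (None, dgroup):
            return rule
    return None


def authorize_command(user: str, device: str, command_line: str) -> bool:
    """Per-command authorization: no matching rule means an implicit deny."""
    rule = match_rule(user, device)
    if rule is None:
        return False
    return COMMAND_SETS[rule.command_set].allows(command_line)


if __name__ == "__main__":
    for user, device, cmd in (("Bob", "L3-Router", "configure terminal"),
                              ("Sally", "L2-Switch", "configure terminal"),
                              ("Sally", "L3-Router", "configure terminal"),
                              ("Sally", "L3-Router", "show ip route")):
        print(f"{user:6} {device:10} {cmd!r:22} -> {authorize_command(user, device, cmd)}")
```

The implicit deny at the end of match_rule mirrors what the Command Accounting report later lets you verify: any user or device that falls through every rule gets nothing, which is the safer default for device administration.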

You can go to Work Centers > Device Administration > Reports to view reports. Here is a snapshot of Command Accounting.

Note:-

The main thing to keep in mind is the distinction between the Authentication Policy and the Authorization Policy inside a Policy Set.

Authentication Policies

Authentication policies define the protocols that Cisco ISE uses to communicate with the network devices, and the identity sources that it uses for authentication.

An Authentication Policy consists of the following:

1. Network Access Service
An allowed protocols service to choose the protocols that handle the initial request and protocol negotiation, or a proxy service that proxies requests to an external RADIUS server for processing.
2. Identity Source
An identity source or an identity source sequence to be used for authentication.

Authorization Policies

Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy and network access is authorized accordingly.

Monday, June 8, 2020

Before reading this post, you may need to go through the following post to understand how basic inter-VRF routing is done with static routes.

Inter VRF Routing using Simple Static Routes

Imagine a situation like the following where you may need to perform a NAT operation across VRFs.

Domain Based NAT is where we use inside and outside domains on interfaces.
Domainless NAT is where we simply enable NAT on interfaces.
Here the example considers the e0/0 interface as inside and the e0/1 interface as outside.

If we use Domain Based NAT, the following is the way to configure the domains.

R2(config)#interface Ethernet0/0
R2(config-if)#ip nat inside

R2(config)#interface Ethernet0/1
R2(config-if)#ip nat outside

If we use Domainless NAT, the following is the way to enable NAT on the interfaces.

R2(config)#interface Ethernet0/0
R2(config-if)#ip nat enable

R2(config)#interface Ethernet0/1
R2(config-if)#ip nat enable

Let's place a route from VRF-1 to VRF-2. We'll take a default route for the sake of simplicity..

R2(config)#ip route vrf VRF-1 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.1.1

Static NAT

Let's take a static NAT example first. The following is the required NAT command for Domain Based NAT.

R2(config)#ip nat inside source static 192.168.1.1 172.16.1.2 vrf VRF-1

This will perform a 1-to-1 NAT which translates 192.168.1.1 to 172.16.1.2 and vice versa, and routes correctly from R1 to R3. But pings from R3 to R1 will fail because VRF-2 does not have a route to VRF-1. So if the following command is entered, the traffic will pass both ways with translation.

R2(config)#ip route vrf VRF-2 0.0.0.0 0.0.0.0 Ethernet0/0 192.168.1.1

Note that NAT is not really needed if you only want to route traffic between the VRFs without address translation; those 2 routes alone will do that..

If the scenario is Domainless, only the inside keyword is removed from the NAT line, like the following.

R2(config)#ip nat source static 192.168.1.1 172.16.1.2 vrf VRF-1

Dynamic NAT

The following commands will perform dynamic NAT in Domain Based NAT.

R2(config)#access-list 10 permit any

R2(config)#ip nat pool DYNAMIC 172.16.1.2 172.16.1.2 prefix-length 24
R2(config)#ip nat inside source list 10 pool DYNAMIC vrf VRF-1

The access list is there to capture the traffic, and the NAT command is extended with the source VRF and bound to the specified pool to perform dynamic NAT here.

If the scenario is Domainless, only the inside keyword is removed from the NAT line, like the following.

R2(config)#ip nat source list 10 pool DYNAMIC vrf VRF-1

Dynamic PAT

The following commands will perform dynamic PAT in Domain Based NAT.

R2(config)#access-list 10 permit any

R2(config)#ip nat inside source list 10 interface Ethernet0/1 vrf VRF-1 overload

The access list is there to capture the traffic, and the NAT command is extended with the source VRF and the overload keyword to perform PAT here.

If the scenario is Domainless, only the inside keyword is removed from the NAT line, like the following.

R2(config)#ip nat source list 10 interface Ethernet0/1 vrf VRF-1 overload

Note:-
If the traffic is going from the global default VRF to a configured VRF and you are using Domain Based NAT, you will need to configure a route-map that sets the returning traffic to the global VRF and apply it to the configured VRF interface. Otherwise the replies will not come back..

Let's configure a PAT for this..

R2(config)#access-list 10 permit any

R2(config)#ip nat inside source list 10 interface Ethernet0/1 overload

R2(config)#route-map BACK permit 10
R2(config-route-map)#match ip address 10
R2(config-route-map)#set global

R2(config)#interface Ethernet0/1
R2(config-if)#ip policy route-map BACK

If the source is coming from a configured VRF and goes to the global default VRF, a route map is not needed. Note that the route map is also not required with Domainless NAT. The following will be the NAT configuration for Domainless NAT.

R2(config)#ip nat source list 10 interface ethernet 0/1 overload

Sunday, June 7, 2020

Inter-VRF routing can be achieved by several methods. Following are 6 ways you can do it. There may be other methods, but most commonly you will see one of the following in your network.

1. Using static routes
2. Using route maps
3. Import - Export Policies plus Multi-Protocol BGP
4. Connecting two interfaces which belong to two VRFs
5. Pointing traffic to a Firewall
6. Inter VRF Tunneling

Go here to know how to do inter VRF routing using route maps.
Go here to know how to do inter VRF routing using import export policies.
Go here to know how to do inter VRF tunneling.

In this post I am doing it using simple static routes, which is the simplest method.

Adding the following 2 routes to R2 will do it.

ip route vrf VRF-1 172.16.1.0 255.255.255.0 Ethernet0/1 172.16.1.1
ip route vrf VRF-2 192.168.1.0 255.255.255.0 Ethernet0/0 192.168.1.1

If you are leaking routes between VRFs, you must always specify a next hop, and it cannot be the same router which does the inter-VRF routing.

If one of the VRFs is the default (global) VRF, the commands will be like the following..

ip route 192.168.1.0 255.255.255.0 Ethernet0/0 192.168.1.1
ip route vrf VRF-1 172.16.1.0 255.255.255.0 Ethernet0/1 172.16.1.1

Note that in this situation, pings originating from the default VRF of R2 to VRF-1 will fail if the source is not specified in the command.

The reason for this is that ping 192.168.1.1 will be sourced from 192.168.1.2, which is not in the default VRF.

But traffic from R1 to R3 will flow without issue.

If one of the VRFs is the default VRF, you don't need to specify the next hop for the route. But if you do not specify the next hop, you need to remove the source address from the ping command when you ping your own interface that is not in the default VRF.

If the commands are like the following;

ip route 192.168.1.0 255.255.255.0 Ethernet0/0
ip route vrf VRF-1 172.16.1.0 255.255.255.0 Ethernet0/1 172.16.1.1

the result will be like in the below captures..