Category Archives: Cisco

Using a PFX formatted certificate on Cisco IOS

Rather than converting from pfx to pem format, why not just use a pfx?

A pfx (PKCS#12) file is binary, so it cannot be pasted into a terminal session the way a PEM certificate can; if you can transfer the file to the router over FTP instead, the whole thing becomes much simpler :-)

The pfx must contain the private key, the router's own certificate and the full CA chain, and it must be protected by a passphrase, which IOS needs on the import command. Bear in mind that FTP carries the login and the file in cleartext, so that passphrase is all that protects the private key in transit; do the transfer on a network you trust, or use SCP where your image supports it.

conf t
ip ftp username <ftp username>
ip ftp password <ftp password>
end
copy ftp flash:

At the prompts, enter the FTP server name or address, the source file name (the pfx) and the destination file name on flash:

conf t
crypto pki trustpoint <trustpoint name>
fqdn <f.q.d.n>
subject-name cn=<f.q.d.n>
revocation-check crl
rsakeypair <trustpoint name>
exit
crypto pki import <trustpoint name> pkcs12 flash:<certificate.pfx> <passphrase>
exit
wri mem

The first argument to crypto pki import is the trustpoint name, not the file name; the key pair and the certificates in the pfx are attached to that trustpoint, and the passphrase is typed in cleartext on the same line.

To confirm that the trustpoint is now populated and the chain is valid:

show crypto pki trustpoints status

show crypto pki certificates <trustpoint name> lists the router and CA certificates themselves, which is the quickest way to check that the whole chain came across with the key.
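Before the pfx goes anywhere near the router it is worth building it correctly and checking what it contains. The script below is an added example, not part of the original post: it assembles a PKCS#12 bundle from a key, a certificate and a CA chain with openssl, then checks that the bundle holds a private key plus at least two certificates (leaf and CA) and that the leaf verifies against the CA. It assumes openssl is installed; the CA, key and certificate it uses are throwaway material generated on the spot, and the file names and passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a PKCS#12 (.pfx) bundle
# containing the private key, the router certificate and the CA chain,
# protected by a passphrase, and check it before copying it to flash:.
# Assumes openssl is installed. Key material is generated here for the
# demonstration; replace it with your real key, certificate and chain.
set -eu

# Constructed test material: a throwaway CA and a router certificate it signs.
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=router.example.com" \
        -keyout "$dir/router.key" -out "$dir/router.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/router.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/router.pem" >/dev/null 2>&1
}

# build_pfx KEY CERT CHAIN OUT PASSPHRASE
# -certfile pulls the CA chain into the bundle. The PBE/MAC options pin the
# older SHA1/3DES algorithms: OpenSSL 3 defaults to AES-256/PBKDF2 bundles,
# which older IOS releases may refuse to import.
build_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
        -passout "pass:$5" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# cert_count PFX PASSPHRASE -> number of certificates in the bundle
cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# has_private_key PFX PASSPHRASE -> 0 if the bundle carries a private key
has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# chain_ok LEAF CA -> 0 if the leaf certificate verifies against the CA
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# bundle_ok PFX PASSPHRASE -> 0 only if the import would be useful: a key,
# the leaf and at least one CA certificate are all present.
bundle_ok() {
    has_private_key "$1" "$2" && [ "$(cert_count "$1" "$2")" -ge 2 ]
}

demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    chain_ok "$work/router.pem" "$work/ca.pem"
    build_pfx "$work/router.key" "$work/router.pem" "$work/ca.pem" \
        "$work/router.pfx" 'SuperSecretPassword'
    if bundle_ok "$work/router.pfx" 'SuperSecretPassword'; then
        echo "router.pfx: key + $(cert_count "$work/router.pfx" SuperSecretPassword) certificates, ready to copy to flash:"
    else
        echo "router.pfx is incomplete" >&2
        exit 1
    fi
    rm -rf "$work"
}

demo
```

A bundle that passes these checks but still fails to import is usually an algorithm problem rather than a content problem, which is why the script pins the legacy PBE settings; a wrong passphrase shows up as zero certificates, because openssl cannot open the bundle at all.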

IPv4 DDNS on Cisco for dns.he.net

As dyndns.com has reduced the capabilities of their free service, I looked around for other free providers of Dynamic DNS service.

After testing several, I decided to move my DNS hosting to Hurricane Electric as they include Dynamic DNS service with their free service (for up to 50 domains), and it removes the requirement to use CNAMEs as with the dyndns.com free service.

The configuration below is for IPv4 dynamic addressing as provided by most Internet Service Providers on xDSL or cable (broadband) connections, using the free DNS and DDNS service provided by dns.he.net.

It has been tested on a Cisco 1812 running c181x-advipservicesk9-mz.151-4.M4.bin on a BT FTTC connection, which uses PPPoE over VDSL with a dynamic address on the PPPoE interface. It has also been tested on a Cisco 877 running c870-advipservicesk9-mz.151-4.M4.bin on several other UK ADSL and ADSL2+ connections.

It does not cover changing the IPv4 termination address for a he.net IPv6 Tunnel.

In Global mode

ip ddns update method <method-name>
 HTTP
  add http://<f.q.d.n>:<password>@ipv4.dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>

Then on the dynamic addressed interface (usually Dialer 1)

 ip ddns update hostname <f.q.d.n>
 ip ddns update <method-name> host ipv4.dyn.dns.he.net

<method-name> The name you want to give the DDNS update method; I usually use dyn.he.net
<f.q.d.n> The fully qualified domain name that is configured for Dynamic DNS on the dns.he.net control panel
<password> The DDNS key set for that name on the dns.he.net control panel. It is a per-record key rather than your account password, so use the one generated for the record: it sits in cleartext in the running configuration and is sent over plain HTTP, so treat it as exposed and keep it limited to that one record
<h> An internal Cisco IOS variable for the hostname, taken from the ip ddns update hostname line on the interface
<a> An internal Cisco IOS variable for the dynamic address on the interface

<h> and <a> are typed literally, angle brackets included; IOS substitutes the values when it sends the update.

Presuming that the method name is dyn.he.net, the dynamic hostname being used is router.domain.com and the password is SuperSecretPassword, the completed configuration commands should look something like this:

In Global mode

ip ddns update method dyn.he.net
 HTTP
  add http://router.domain.com:SuperSecretPassword@ipv4.dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>

Then on the dynamic addressed interface (usually Dialer 1)

ip ddns update hostname router.domain.com
ip ddns update dyn.he.net host ipv4.dyn.dns.he.net

It is not possible to copy and paste all of the config directly into a console session, because the line that begins with "add" contains a question mark and IOS treats ? as a request for context help.

To enter a literal question mark in IOS, press and hold Ctrl, press V, release both keys, then press ?
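The router's "add" URL is nothing more than a dyndns2-style HTTP GET with the hostname and key as HTTP Basic credentials, so the same update can be tried from a workstation before the key is committed to the config. The script below is an added example, not part of the original post: it builds the exact URL the router would send, checks that the key contains none of the characters that would break the user:password@host form of that URL, sends the update with curl, and interprets the reply words (good, nochg, badauth) that he.net returns. It assumes curl is installed; the hostname, key and address are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the dns.he.net update
# that the router's "add http://..." line performs, so a DDNS key can be
# checked off-box before it goes into the IOS config.
# Assumes curl is installed. Hostname, key and address are placeholders.
set -eu

HE_HOST=ipv4.dyn.dns.he.net

# key_is_url_safe KEY -> 0 if KEY contains none of the characters that would
# break the user:password@host form of the IOS "add" URL (IOS does no escaping).
key_is_url_safe() {
    case $1 in
        *' '*|*'/'*|*':'*|*'@'*|*'?'*|*'&'*|*'#'*|*'%'*) return 1 ;;
    esac
    return 0
}

# build_update_url FQDN KEY IP -> the URL exactly as the router would send it,
# with the <h> and <a> variables already substituted
build_update_url() {
    printf 'http://%s:%s@%s/nic/update?hostname=%s&myip=%s\n' "$1" "$2" "$HE_HOST" "$1" "$3"
}

# classify_response BODY -> updated | unchanged | badauth | other
# "good <ip>" means the record was changed, "nochg <ip>" that it already held
# that address, "badauth" that the hostname/key pair was rejected.
classify_response() {
    case $1 in
        good|'good '*)   echo updated ;;
        nochg|'nochg '*) echo unchanged ;;
        badauth*)        echo badauth ;;
        *)               echo other ;;
    esac
}

# send_update FQDN KEY IP -> the raw reply body. The user:password@ part of the
# router's URL becomes an HTTP Basic Authorization header on the wire; curl's
# --user does the same, and keeps the key out of the process list's URL.
send_update() {
    curl -sS --user "$1:$2" "http://$HE_HOST/nic/update?hostname=$1&myip=$3"
}

# Usage: ./he-ddns.sh <fqdn> <key> <ip>   (no arguments: build the URL only)
if [ $# -eq 3 ]; then
    key_is_url_safe "$2" || { echo "key contains characters that break the IOS URL form" >&2; exit 1; }
    echo "router would send: $(build_update_url "$1" "$2" "$3")"
    reply=$(send_update "$1" "$2" "$3")
    echo "reply: $reply -> $(classify_response "$reply")"
fi
```

Run it once with the real hostname and key: a reply of badauth means the key or the record name is wrong and no amount of router configuration will help, while nochg confirms the credentials work even though the address did not need changing. Because the key travels over plain HTTP either way, run this from the same network the router sits on rather than from somewhere you would not want the key seen.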

Achieving an MTU of 1500 on BT FTTC

The BT FTTC service uses PPPoE as its mode of connection via the VDSL modem.

Although the default Ethernet MTU is 1500, PPPoE takes 8 bytes out of every frame for its own headers (a 6-byte PPPoE header and a 2-byte PPP protocol field), which reduces the IP MTU on the connection to 1492.

There are some devices, such as the Vodafone SureSignal (a 3G femtocell), that have an embedded IPsec client which will not connect over a link with an MTU below 1500. Other applications, such as the Cisco AnyConnect client, can also have issues with an MTU below 1500.

There is, however, a method to increase the MTU to 1500, documented in RFC 4638: raise the MTU on the Ethernet interface carrying the PPPoE session to 1508 (so-called "baby jumbo frames"), and have the PPPoE client negotiate a PPP MTU of 1500 using the PPP-Max-Payload tag. The BT FTTC service supports this, as do modern Cisco routers such as the ISR 1812, which lets you run an MTU of 1500 over the connection. Both ends have to agree: if the access concentrator does not accept the tag, the session falls back to 1492, and the VDSL modem in between must pass 1508-byte frames for this to work.

To enable this method, there are two extra commands to add on the physical interface that you are using for the PPPoE connection.

The first part is to set the interface to use baby jumbo frames

mtu 1508

The second part is to set the PPPoE client to negotiate an MTU of 1500 as per RFC 4638

pppoe-client ppp-max-payload 1500

A complete interface config would look something along the lines of

interface FastEthernet0
 description BT FTTC PPPoE
 mtu 1508
 no ip address
 ip access-group FastEthernet0 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1500
 no cdp enable

The Dialer interface does not need to be changed, and neither do any internal interfaces.

With these changes you should have an MTU of 1500 over the connection, and devices or applications that had issues with an MTU of 1492 should no longer be affected. To confirm it from the router, ping a remote address with a 1500-byte packet and the DF bit set (ping <address> size 1500 df-bit): the ping only succeeds if the full 1500 bytes leave the Dialer unfragmented, so a failure means the negotiation fell back to 1492.
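Confirming the result from a host behind the router is the other half of the check, since that is where the IPsec and AnyConnect clients run. The script below is an added example, not part of the original post: it carries the 1500/1492/1508 arithmetic above through in code and finds the largest DF-marked packet a path will carry by binary-searching ping payload sizes, which is exactly the number the 1492 problem devices trip over. It assumes Linux iputils ping (-M do sets the DF bit, -s sets the ICMP payload); the target address is a placeholder, and with no argument it runs the search against a constructed 1492-byte path so the logic can be seen without a network.

```shell
#!/bin/sh
# Added example (not from the original post): measure the largest unfragmented
# IPv4 packet a path carries, to confirm 1500 end to end after the change.
# Assumes Linux iputils ping (-M do = set DF, -s = ICMP payload size).
# The target address used in the offline demo is a placeholder.
set -eu

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header

# pppoe_mtu ETHERNET_MTU -> the IP MTU left after the 6-byte PPPoE header and
# 2-byte PPP protocol field (1500 -> 1492, 1508 -> 1500)
pppoe_mtu() { echo $(( $1 - 8 )); }

# payload_for_mtu MTU -> ICMP payload size that makes a packet of exactly MTU bytes
payload_for_mtu() { echo $(( $1 - IP_ICMP_OVERHEAD )); }

# mtu_for_payload PAYLOAD -> the packet size a given ICMP payload produces
mtu_for_payload() { echo $(( $1 + IP_ICMP_OVERHEAD )); }

# fits TARGET PAYLOAD -> 0 if one DF-marked ping of that payload gets through
fits() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# largest_payload TARGET LOW HIGH PROBE -> the largest payload between LOW and
# HIGH for which "PROBE TARGET payload" succeeds; LOW is assumed to fit.
largest_payload() {
    target=$1; lo=$2; hi=$3; probe=$4
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$target" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    # the upper bound itself may fit, e.g. when it is exactly the path MTU
    if "$probe" "$target" "$hi"; then echo "$hi"; else echo "$lo"; fi
}

# fake_probe: a constructed path with a 1492-byte MTU, for the offline demo
fake_probe() { [ "$(mtu_for_payload "$2")" -le 1492 ]; }

# Usage: ./pmtu.sh <target>    (no argument: offline demo against fake_probe)
if [ $# -ge 1 ]; then
    best=$(largest_payload "$1" 500 "$(payload_for_mtu 1508)" fits)
    echo "path MTU to $1: $(mtu_for_payload "$best")"
else
    best=$(largest_payload 198.51.100.1 500 "$(payload_for_mtu 1508)" fake_probe)
    echo "offline demo: path MTU $(mtu_for_payload "$best") (a plain 1492 PPPoE link)"
fi
```

Before the change the search should stop at a 1464-byte payload (1492 bytes on the wire); after it, at 1472 (1500 bytes). The upper bound is deliberately 1508 so that a LAN that passes baby jumbo frames is not mistaken for the path itself.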