Friday, March 29, 2013

The BGP neighbor Command Caveat

On this IOS 12.3 image, one mistyped neighbor address (33.33.33.333, which is not a valid IPv4 address) leaves the parser rejecting every later, correctly typed neighbor ... remote-as command with "% Create the peer-group first", even after leaving and re-entering router bgp; the rejections only stop once the parser cache is cleared with no parser cache.

Router#sh ver | in IOS
IOS (tm) 3600 Software (C3620-I-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router bgp 100
Router(config-router)#neighbor 22.22.22.22 remote-as 200
Router(config-router)#neighbor 33.33.33.333 remote-as 300
% Create the peer-group first
Router(config-router)#
Router(config-router)#neighbor 33.33.33.33 remote-as 300
% Create the peer-group first
Router(config-router)#
Router(config-router)#exit
Router(config)#
Router(config)#router bgp 100
Router(config-router)#neighbor 44.44.44.44 remote-as 400
% Create the peer-group first
Router(config-router)#
Router(config-router)#exit
Router(config)#no parser cache
Router(config)#
Router(config)#router bgp 100
Router(config-router)#neighbor 33.33.33.33 remote-as 300
Router(config-router)#neighbor 44.44.44.44 remote-as 400
Router(config-router)#


Tuesday, January 1, 2013

Overlapping Address Translation


RT1 and RT2 both use the same 172.16.1.0/24 subnet on their LAN side, so neither side can reach the other's hosts by their real addresses.
RT1 is configured to perform twice NAT, translating both the source and the destination address of every packet it forwards between the two sides.
PC1 sees ServerA as 11.0.0.2 (outside local), while ServerA sees PC1 as 10.0.0.2 (inside global).

RT1 configuration:
!
ip route 11.0.0.0 255.255.255.0 200.0.0.2
!
interface Serial0/0
 ip nat outside
!
interface FastEthernet1/0
 ip nat inside
!
ip nat inside source static network 172.16.1.0 10.0.0.0 /24
ip nat outside source static network 172.16.1.0 11.0.0.0 /24
!

RT2 configuration:
!
ip route 10.0.0.0 255.255.255.0 200.0.0.1
!
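
As an added illustration (not part of the post), the Python below models RT1's two static network rules and walks a packet from PC1 to ServerA and back, so the four address columns of the NAT table can be read off directly. It assumes these are the only NAT rules and does not model IOS's order of routing versus translation; the function names are this example's own.

```python
import ipaddress

# RT1's two static network rules, from the post's configuration:
#   ip nat inside source static network 172.16.1.0 10.0.0.0 /24
#   ip nat outside source static network 172.16.1.0 11.0.0.0 /24
# Assumption: these are the only NAT rules on RT1.
INSIDE_LOCAL   = ipaddress.ip_network("172.16.1.0/24")   # PC1's real addresses
INSIDE_GLOBAL  = ipaddress.ip_network("10.0.0.0/24")     # how RT2's side sees them
OUTSIDE_GLOBAL = ipaddress.ip_network("172.16.1.0/24")   # ServerA's real addresses
OUTSIDE_LOCAL  = ipaddress.ip_network("11.0.0.0/24")     # how PC1's side sees them

def _map(addr, src_net, dst_net):
    """Rewrite addr from src_net into dst_net keeping the host bits; None if no match."""
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        return None
    return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

def translate(src, dst, direction):
    """Rewrite the (src, dst) pair of one packet crossing RT1.

    "in->out": received on the ip nat inside interface (FastEthernet1/0)
        src: inside local  -> inside global    dst: outside local -> outside global
    "out->in": received on the ip nat outside interface (Serial0/0)
        src: outside global -> outside local   dst: inside global -> inside local
    Addresses that match no rule pass through unchanged.
    """
    if direction == "in->out":
        return (_map(src, INSIDE_LOCAL, INSIDE_GLOBAL) or src,
                _map(dst, OUTSIDE_LOCAL, OUTSIDE_GLOBAL) or dst)
    if direction == "out->in":
        return (_map(src, OUTSIDE_GLOBAL, OUTSIDE_LOCAL) or src,
                _map(dst, INSIDE_GLOBAL, INSIDE_LOCAL) or dst)
    raise ValueError(direction)

def round_trip(src, dst):
    """A request from the inside and its reply: returns ((src, dst) as seen on the
    outside wire, (src, dst) of the reply as delivered back to the inside host)."""
    wire = translate(src, dst, "in->out")
    # The outside host answers by swapping the addresses it saw, exactly as RT2's
    # debug shows: "echo reply sent, src 172.16.1.1, dst 10.0.0.1".
    reply = translate(wire[1], wire[0], "out->in")
    return wire, reply

if __name__ == "__main__":
    print(round_trip("172.16.1.2", "11.0.0.2"))   # PC1 -> ServerA and back
```

The reply tuple ("11.0.0.2", "172.16.1.2") is what PC1's debug output shows it answering, which is why the two overlapping 172.16.1.0/24 networks never collide on either LAN.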

Below shows the command output and ICMP debug messages when RT1 pings RT2's 172.16.1.1 (which appears to RT1 as 11.0.0.1), sourcing the ping from its own address 172.16.1.1.
RT1#ping 11.0.0.1 source 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/52 ms
RT1#
--------------------------------------------------------------------------------
RT2#debug ip icmp
ICMP packet debugging is on
RT2#
*Mar  1 00:05:12: ICMP: echo reply sent, src 172.16.1.1, dst 10.0.0.1
*Mar  1 00:05:12: ICMP: echo reply sent, src 172.16.1.1, dst 10.0.0.1
*Mar  1 00:05:12: ICMP: echo reply sent, src 172.16.1.1, dst 10.0.0.1
*Mar  1 00:05:12: ICMP: echo reply sent, src 172.16.1.1, dst 10.0.0.1
*Mar  1 00:05:12: ICMP: echo reply sent, src 172.16.1.1, dst 10.0.0.1
RT2#

Below shows the command output and ICMP debug messages when ServerA pings PC1.
ServerA#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/48 ms
ServerA#
--------------------------------------------------------------------------------
PC1#debug ip icmp
ICMP packet debugging is on
PC1#
*Mar  1 00:05:06: ICMP: echo reply sent, src 172.16.1.2, dst 11.0.0.2
*Mar  1 00:05:06: ICMP: echo reply sent, src 172.16.1.2, dst 11.0.0.2
*Mar  1 00:05:06: ICMP: echo reply sent, src 172.16.1.2, dst 11.0.0.2
*Mar  1 00:05:06: ICMP: echo reply sent, src 172.16.1.2, dst 11.0.0.2
*Mar  1 00:05:06: ICMP: echo reply sent, src 172.16.1.2, dst 11.0.0.2
PC1#

Below shows the IP NAT translation table on RT1 after the ICMP ping operations above.
RT1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.0.0.1           172.16.1.1         ---                ---
--- 10.0.0.2           172.16.1.2         ---                ---
--- ---                ---                11.0.0.1           172.16.1.1
--- ---                ---                11.0.0.2           172.16.1.2
--- 10.0.0.2           172.16.1.2         11.0.0.2           172.16.1.2
icmp 10.0.0.1:1        172.16.1.1:1       11.0.0.1:1         172.16.1.1:1

Subnet translation:
Inside global   Inside local    Outside local   Outside global /prefix
10.0.0.0        172.16.1.0      ---             ---             /24
---             ---             11.0.0.0        172.16.1.0      /24
RT1#
Note: The icmp entry (10.0.0.1:1 <-> 11.0.0.1:1) was created only by the ping that RT1 itself sourced from 172.16.1.1 to 11.0.0.1; ServerA's ping to PC1 produced only the address-level entries for 172.16.1.2, with no per-protocol entry.

Monday, October 22, 2012

Cisco DCNM Listening to Dynamic / Random TCP Port

Problem Scenario:
The Cisco DCNM-LAN client shows the error message "Connectivity to the Server is lost" and becomes unusable 3 minutes and 40 seconds after a successful login to the DCNM-LAN client.

The DCNM server has been hardened so that its iptables firewall only allows connections to the TCP ports documented in the Cisco DCNM Installation and Licensing Guide, Release 5.x, listed below.


Root Cause:


Solution:

Sunday, October 14, 2012

Cisco IOS TCP Ports 2002, 4002, 6002, and 9002

A Cisco 2900 Series router with only the following basic configuration was found answering TCP connection attempts (replying SYN-ACK to the SYN) on TCP ports 2002, 4002, 6002, and 9002.

Router#sh ver
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.2(1)T3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 23:18 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)

Router uptime is 2 minutes
System returned to ROM by reload at 08:12:30 UTC Thu Oct 11 2012
System restarted at 08:14:25 UTC Thu Oct 11 2012
System image file is "flash0:c2951-universalk9-mz.SPA.152-1.T3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2951/K9 (revision 1.1) with 487424K/36864K bytes of memory.
Processor board ID FGL160812PW
3 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2951/K9          FGL160812PW



Technology Package License Information for Module:'c2951'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            None          None           None
data          None          None           None

Configuration register is 0x2102

Router#
Router#sh inv
NAME: "CISCO2951/K9 chassis", DESCR: "CISCO2951/K9 chassis"
PID: CISCO2951/K9      , VID: V05 , SN: FGL160812PW

NAME: "C2921/C2951 AC Power Supply", DESCR: "C2921/C2951 AC Power Supply"
PID: PWR-2921-51-AC    , VID: V03 , SN: DCA1552K1QG


Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int gi0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
Oct 11 08:17:14.899: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Oct 11 08:17:19.351: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
Oct 11 08:17:20.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
Router(config-if)#
Router(config-if)#line vty 0 4
Router(config-line)#password cisco123
Router(config-line)#exit
Router(config)#enable secret cisco123
Router(config)#
Router(config)#banner motd ^
Enter TEXT message.  End with the character '^'.
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
^
Router(config)#
Router(config)#end
Router#

Below shows that the router appeared to be listening only on TCP port 23 (Telnet).
While the Nmap slow comprehensive scan was running, however, it accepted connections on TCP ports 2002, 4002, 6002, and 9002 (the foreign port is 53 on every row because that Zenmap profile sends its probes from source port 53, -g 53).

Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:23                         *:0                   Telnet   LISTEN

Router#
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                      *:4002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                      *:6002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                        *:23              192.168.1.1:53                   Telnet ESTABLIS
 tcp                      *:9002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                      *:2002              192.168.1.1:53            TCP Protocols ESTABLIS

Router#
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:23                         *:0                   Telnet   LISTEN

Router#
A while after the scan finished, the same command again showed only TCP port 23 listening: the four service-module ports never appear as LISTEN sockets and are only visible while a connection to them is established.
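
As an added check (not part of the post), the Python below parses show control-plane host open-ports output and flags any TCP port, listening or established, that is outside an expected set. The sample text is the post's own second capture, embedded here as constructed input; EXPECTED_TCP_PORTS is an assumption for the example. Because the service-module ports only ever show up as established connections, an audit that looks for LISTEN rows alone would never see them.

```python
import re

# Constructed sample: the post's own "show control-plane host open-ports" capture,
# taken while the Nmap scan had connections open to the service-module ports.
SAMPLE = """\
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                      *:4002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                      *:6002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                        *:23              192.168.1.1:53                   Telnet ESTABLIS
 tcp                      *:9002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                      *:2002              192.168.1.1:53            TCP Protocols ESTABLIS
"""

# One table row: protocol, local addr:port, foreign addr:port, service name (may
# contain spaces), state. IOS truncates ESTABLISHED to "ESTABLIS" in this table.
ROW = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<service>.+?)\s+(?P<state>LISTEN|ESTABLIS\S*)\s*$"
)

# Assumption for this example: the only control-plane TCP services the router
# should expose are SSH and Telnet.
EXPECTED_TCP_PORTS = {22, 23}

def parse_open_ports(text):
    """Turn the command output into a list of dicts, one per socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "proto": m.group("proto"),
            "port": int(m.group("local").rsplit(":", 1)[1]),
            "foreign": m.group("foreign"),
            "service": m.group("service").strip(),
            "state": m.group("state"),
        })
    return rows

def unexpected_ports(text, expected=EXPECTED_TCP_PORTS):
    """TCP ports seen in any state (LISTEN or established) that are not expected.
    Established rows matter: the service-module ports never appear as LISTEN."""
    return sorted({r["port"] for r in parse_open_ports(text)
                   if r["proto"] == "tcp" and r["port"] not in expected})

def peers_on_unexpected_ports(text, expected=EXPECTED_TCP_PORTS):
    """Which remote hosts were connected to the unexpected ports: {port: {ip, ...}}."""
    bad = set(unexpected_ports(text, expected))
    peers = {}
    for r in parse_open_ports(text):
        if r["port"] in bad and r["state"].startswith("ESTABLIS"):
            peers.setdefault(r["port"], set()).add(r["foreign"].rsplit(":", 1)[0])
    return peers

if __name__ == "__main__":
    print("unexpected:", unexpected_ports(SAMPLE))
    print("peers:", peers_on_unexpected_ports(SAMPLE))
```

Run it over captures collected from a fleet of routers (one command output per device) and anything other than an empty list points at a line, module or service that the hardening baseline did not account for.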

Below shows the Nmap / Zenmap slow comprehensive scan results.

Below shows the screen of the Windows Command Prompt upon telneting to TCP port 23.

Below shows the screen of the Windows Command Prompt upon telneting to TCP ports 2002, 6002, and 9002.

Below shows the screen of the Windows Command Prompt upon telneting to TCP port 4002.


The root cause is the Embedded Service Engine (ESE) on the Cisco ISR G2 routers (more info here). Its console is attached to async line 2, and line 2 accepts every transport (transport input all, shown below), so the router also answers on the reverse-connection ports derived from that line number: 2000 + 2 for Telnet, which the service-module ... session command itself uses ("Trying 192.168.1.2, 2002"), plus the 4000 + 2, 6000 + 2 and 9000 + 2 variants. These ports never show as LISTEN sockets and are only visible while a connection to them is established.
Router#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY              -    -      -    -    -     0      2    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     4      0    0/0      -
    644  644 VTY              -    -      -    -    -     1      0    0/0      -
    645  645 VTY              -    -      -    -    -     0      0    0/0      -
    646  646 VTY              -    -      -    -    -     0      0    0/0      -
    647  647 VTY              -    -      -    -    -     0      0    0/0      -
    648  648 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support:
3-643

Router#
Router#service-module ?
  Embedded-Service-Engine  cisco embedded service engine module

Router#service-module Embedded-Service-Engine 0/0 ?
  heartbeat-reset  Enable/disable Heartbeat failure to reset Service Module
  install          Install an application
  log              history of logs
  password-reset   Password reset of Service Module
  reload           Reload service module
  reset            Hardware reset of Service Module
  session          Service module session
  shutdown         Shutdown service module
  statistics       Service Module Statistics
  status           Service Module Information
  uninstall        Uninstall an application

Router#service-module Embedded-Service-Engine 0/0 session
IP address needs to be configured on interface Embedded-Service-Engine0/0
Router#
Router#sh run | sec Embedded
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int Embedded-Service-Engine0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
% 192.168.1.0 overlaps with GigabitEthernet0/0
% 192.168.1.0 overlaps with GigabitEthernet0/0
Router(config-if)#no shutdown
% 192.168.1.0 overlaps with GigabitEthernet0/0
Embedded-Service-Engine0/0: incorrect IP address assignment
Router(config-if)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ... Open

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Router#disco 1
Closing connection to 192.168.1.2 [confirm]
Router#
Router#sh run | sec line 2
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
Router#


Solution #1: Disable every inbound transport on line 2 (transport input none). Not recommended, because it also breaks the service-module session command, and with it access to the service module for troubleshooting and maintenance.
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line 2
Router(config-line)#transport input none
Router(config-line)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ...
% Connection refused by remote host

Router#


Solution #2: Apply an access-class to line 2 so that only specific hosts or IP subnets can reach the service module. Here access-list 10 permits only 192.168.1.2, the router's own GigabitEthernet0/0 address, so sessions originated on the router itself still work while every other host is refused.
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 10 permit 192.168.1.2
Router(config)#line 2
Router(config-line)#access-class 10 in
Router(config-line)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ... Open

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Router#disco 1
Closing connection to 192.168.1.2 [confirm]
Router#

Tuesday, October 9, 2012

Ncat HTTP Proxy

[root@localhost Downloads]# uname -a
Linux localhost.localdomain 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost Downloads]# 
[root@localhost Downloads]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@localhost Downloads]# 
[root@localhost Downloads]# ls -l
total 892
-rw-r--r--. 1 root root 909460 Oct  9 15:37 ncat-6.01-1.x86_64.rpm
[root@localhost Downloads]# 
[root@localhost Downloads]# rpm -vhU ncat-6.01-1.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:ncat                   ########################################### [100%]
[root@localhost Downloads]# 
[root@localhost Downloads]# which ncat
/usr/bin/ncat
[root@localhost Downloads]# 
[root@localhost Downloads]# netstat -an | grep 8080
[root@localhost Downloads]# 
[root@localhost Downloads]# ncat -l 8080 --proxy-type http &
[1] 28406
[root@localhost Downloads]# 
[root@localhost Downloads]# ps -ef | grep ncat
root     28064     1  0 15:38 ?        00:00:01 gedit /root/Desktop/ncat
root     28406 27911  0 15:46 pts/0    00:00:00 ncat -l 8080 --proxy-type http
root     28408 27911  0 15:46 pts/0    00:00:00 grep ncat
[root@localhost Downloads]# 
[root@localhost Downloads]# netstat -an | grep 8080
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      
tcp        0      0 :::8080                     :::*                        LISTEN      
[root@localhost Downloads]# 
[root@localhost Downloads]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BC:40:01  
          inet addr:192.168.18.101  Bcast:192.168.18.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febc:4001/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13042 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2924825 (2.7 MiB)  TX bytes:761972 (744.1 KiB)

[root@localhost Downloads]# 



[root@localhost Downloads]# netstat -an | grep 8080
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.18.101:8080         192.168.18.1:5929           ESTABLISHED 
tcp        0      0 192.168.18.101:8080         192.168.18.1:5927           TIME_WAIT   
tcp        0      0 :::8080                     :::*                        LISTEN      
[root@localhost Downloads]# 
[root@localhost Downloads]# ps -ef | grep ncat
root     28064     1  0 15:38 ?        00:00:01 gedit /root/Desktop/ncat
root     28406 27911  0 15:46 pts/0    00:00:00 ncat -l 8080 --proxy-type http
root     28424 27911  0 15:47 pts/0    00:00:00 grep ncat
[root@localhost Downloads]# 

Note: Make sure that the Linux iptables firewall is disabled or permits TCP/8080. Started this way, ncat binds 0.0.0.0:8080 and :::8080 and accepts CONNECT requests from anyone who can reach the host, i.e. an open proxy; outside an isolated lab restrict the clients with --allow <host or network> and/or require credentials with --proxy-auth <user:pass>.
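
To make concrete what an HTTP proxy of this kind does and why the two hardening options matter, here is an added Python example (not ncat's code and not part of the post): a minimal CONNECT proxy with a client allowlist and optional Basic proxy authentication, plus a client that tunnels through it to a constructed echo service on loopback. ALLOWED_CLIENTS and CREDENTIALS are hypothetical policy knobs standing in for --allow and --proxy-auth.

```python
import base64
import socket
import threading

# Hypothetical policy for this example, standing in for ncat's --allow (client
# allowlist) and --proxy-auth (credentials the client must present).
ALLOWED_CLIENTS = {"127.0.0.1"}
CREDENTIALS = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then shut both sides of the tunnel down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def _handle(client, peer, require_auth):
    """Serve one CONNECT request: allowlist, optional Basic auth, then relay bytes."""
    with client:
        if peer[0] not in ALLOWED_CLIENTS:
            client.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
            return
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = client.recv(4096)
            if not chunk:
                return
            raw += chunk
        lines = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace").split("\r\n")
        parts = lines[0].split(" ")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
        if len(parts) < 2 or parts[0] != "CONNECT" or ":" not in parts[1]:
            client.sendall(b"HTTP/1.0 405 Method Not Allowed\r\n\r\n")
            return
        if require_auth and headers.get("proxy-authorization") != CREDENTIALS:
            client.sendall(b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                           b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
            return
        host, port = parts[1].rsplit(":", 1)
        upstream = socket.create_connection((host, int(port)))
        try:
            client.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
            _pump(client, upstream)          # returns when the client hangs up
        finally:
            upstream.close()

def _serve(handler):
    """Accept loop on an ephemeral loopback port; returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handler, args=(conn, addr), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_proxy(require_auth=True):
    return _serve(lambda c, a: _handle(c, a, require_auth))

def start_echo_service():
    """Constructed origin server: echoes whatever arrives, so the tunnel is testable."""
    return _serve(lambda c, a: (_pump(c, c), c.close()))

def connect_via_proxy(proxy_port, host, port, auth=None, payload=b"ping"):
    """Client side: CONNECT host:port through the proxy; returns (status, echoed bytes)."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if auth:
        req += "Proxy-Authorization: Basic " + base64.b64encode(auth.encode()).decode() + "\r\n"
    req += "\r\n"
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(req.encode())
        resp = b""
        while b"\r\n\r\n" not in resp:
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
        status = int(resp.split(b" ", 2)[1]) if resp.startswith(b"HTTP/") else 0
        if status != 200:
            return status, b""
        s.sendall(payload)
        return status, s.recv(4096)

def demo():
    """Locked-down proxy vs. open proxy, both on loopback; returns the three outcomes."""
    echo = start_echo_service()
    locked, wide_open = start_proxy(require_auth=True), start_proxy(require_auth=False)
    return (connect_via_proxy(locked, "127.0.0.1", echo)[0],
            connect_via_proxy(locked, "127.0.0.1", echo, auth="alice:s3cret"),
            connect_via_proxy(wide_open, "127.0.0.1", echo))
```

The third outcome is the situation the ncat command line above creates on every interface: any reachable client gets a 200 and a raw TCP tunnel to whatever host and port it names, which is why the allowlist or the credential check should be in place before the listener is exposed beyond a lab.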

Monday, October 8, 2012

Setup Wireshark on Red Hat Enterprise Linux 5.8

Before:

[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.18-308.el5 #1 SMP Fri Jan 27 17:21:15 EST 2012 i686 i686 i386 GNU/Linux
[root@localhost ~]#
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
[root@localhost ~]#
[root@localhost ~]# ls -l
total 14204
-rw------- 1 root root     1360 Oct  8 18:45 anaconda-ks.cfg
drwxr-xr-x 2 root root     4096 Oct  8 18:49 Desktop
-rw-r--r-- 1 root root    30662 Oct  8 18:45 install.log
-rw-r--r-- 1 root root     3672 Oct  8 18:44 install.log.syslog
-rw-r--r-- 1 root root  2540456 Oct  8 18:52 libsmi-0.4.5-2.el5.i386.rpm
-rw-r--r-- 1 root root 11212515 Oct  8 18:52 wireshark-1.0.15-1.el5_6.4.i386.rpm
-rw-r--r-- 1 root root   687015 Oct  8 18:52 wireshark-gnome-1.0.15-1.el5_6.4.i386.rpm
[root@localhost ~]#
[root@localhost ~]# rpm -vhU libsmi-0.4.5-2.el5.i386.rpm
warning: libsmi-0.4.5-2.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:libsmi                 ########################################### [100%]
[root@localhost ~]#
[root@localhost ~]# rpm -vhU wireshark-1.0.15-1.el5_6.4.i386.rpm
warning: wireshark-1.0.15-1.el5_6.4.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:wireshark              ########################################### [100%]
[root@localhost ~]#
[root@localhost ~]# rpm -vhU wireshark-gnome-1.0.15-1.el5_6.4.i386.rpm
warning: wireshark-gnome-1.0.15-1.el5_6.4.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:wireshark-gnome        ########################################### [100%]
[root@localhost ~]#

Note that each rpm -vhU above warned "Header V3 DSA signature: NOKEY, key ID 37017186": the packages are signed, but the signing key is not in the RPM keyring, so rpm installed them without verifying the signature. Import the vendor's key first (rpm --import <keyfile>) and check each package with rpm -K <package.rpm> before installing, so that a package with a bad or missing signature shows up as NOT OK instead of being installed with a warning.

After:

Thursday, September 27, 2012

BlueCoat Director Telnet Client

sh-3.2# uname -a
Linux director 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux
sh-3.2#
sh-3.2# cat /etc/redhat-release
Director release 6
sh-3.2#
sh-3.2# which ssh
/usr/bin/ssh
sh-3.2#
sh-3.2# ssh -v
OpenSSH_5.8p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
sh-3.2#
sh-3.2# which telnet
which: no telnet in (/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin)
sh-3.2#
sh-3.2# ftp 192.168.18.1
Connected to 192.168.18.1 (192.168.18.1).
220 3Com 3CDaemon FTP Server Version 2.0
Name (192.168.18.1:admin): anonymous
331 User name ok, need password
Password:
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
227 Entering passive mode (192,168,18,1,17,104)
125 Using existing data connection
drwxrwxrwx 1 owner group         0 Aug 09 16:49 .
drwxrwxrwx 1 owner group         0 Aug 09 16:49 ..
-rwxrwxrwx 1 owner group     58061 Sep 27 00:36 telnet-0.17-39.el5.i386.rpm
226 Closing data connection
ftp>
ftp> get telnet-0.17-39.el5.i386.rpm
local: telnet-0.17-39.el5.i386.rpm remote: telnet-0.17-39.el5.i386.rpm
227 Entering passive mode (192,168,18,1,17,105)
125 Using existing data connection
226 Closing data connection; File transfer successful.
58061 bytes received in 0.00341 secs (1.7e+04 Kbytes/sec)
ftp> bye
221 Service closing control connection
sh-3.2#
sh-3.2# rpm -vhU telnet-0.17-39.el5.i386.rpm
Preparing...                ########################################### [100%]
   1:telnet                 ########################################### [100%]
sh-3.2#
sh-3.2# which telnet
/usr/bin/telnet
sh-3.2#

Monday, September 3, 2012

NX-OS 6.x + nmap UDP Port 1434 open|filtered

Problem Description:
An nmap 6.01 scan of a Nexus 7000 running NX-OS 6.0(4) reports UDP port 1434 as open|filtered.


Problem Analysis:
The packet capture shows that the Nexus 7000 never replies to any packet destined to UDP port 1434.

However, it answers a packet destined to UDP port 1433 with an ICMP Port Unreachable message.

UDP Port 1433 is MS SQL Server.
UDP Port 1434 is MS SQL Monitor.
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


Solutions:
nmap reports a UDP port as closed only when the target answers the probe with an ICMP Port Unreachable; silence is reported as open|filtered, because an open service that ignores the probe and a filtered port look the same from outside. That is exactly the difference the Nexus exposes between 1433 and 1434. Disabling ICMP unreachables with the no ip unreachables interface subcommand (a very common Cisco IOS hardening command) is not sufficient on NX-OS: as the show ip interface output below reports, it leaves "IP icmp unreachables (except port): disabled" next to "IP icmp port-unreachable: enabled", so the no ip port-unreachable interface subcommand is also needed. After that, every unused UDP port on the interface looks like 1434 did, and the scanner learns nothing from the difference. The trade-off is that UDP-based traceroute toward the switch depends on that Port Unreachable from the final hop and will no longer complete.
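
To see the distinction nmap draws, here is an added Python example (not from the post) that classifies a UDP port from plain sockets the way nmap -sU does, against services constructed on loopback for the example. It assumes a Linux host, where the kernel reports a received ICMP Port Unreachable on a connected UDP socket as ECONNREFUSED; the silent service plays the role of the Nexus on 1434, the unbound port plays 1433 while port-unreachable is still enabled.

```python
import socket
import threading

def udp_probe(host, port, timeout=1.0, payload=b"\x00"):
    """Send one datagram and classify the port the way nmap -sU does.

    ICMP Port Unreachable received -> "closed"  (assumption: Linux raises
                                                 ECONNREFUSED on the connected socket)
    a datagram comes back          -> "open"
    silence until the timeout      -> "open|filtered" (an open service that ignored
                                                 the probe and a filter look alike)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(65535)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()

def scan(host, ports, timeout=1.0):
    """Probe each port once; returns {port: state}."""
    return {p: udp_probe(host, p, timeout) for p in ports}

def start_udp_service(reply):
    """Constructed target on 127.0.0.1. reply=True answers every datagram (an
    ordinary UDP service); reply=False swallows them, as the Nexus did on 1434.
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def loop():
        while True:
            try:
                data, peer = srv.recvfrom(65535)
            except OSError:
                return
            if reply:
                srv.sendto(b"ack:" + data, peer)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def unbound_udp_port():
    """A port nothing listens on: the kernel answers probes with ICMP Port
    Unreachable, as the Nexus did for 1433 while port-unreachable was enabled."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    targets = {"silent": start_udp_service(reply=False),
               "answering": start_udp_service(reply=True),
               "closed": unbound_udp_port()}
    for name, port in targets.items():
        print(f"{name:9} {port:5} -> {udp_probe('127.0.0.1', port)}")
```

With no ip port-unreachable applied on the switch, the "closed" case collapses into "open|filtered" for every unused port, which is the whole point of the change: the scanner is left with one uniform answer instead of a fingerprint.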

n7010# sh ip int vlan 3
IP Interface Status for VRF "default"(1)
Vlan3, Interface status: protocol-up/link-up/admin-up, iod: 3,
  IP address: 192.168.1.1, IP subnet: 192.168.1.0/24
  IP broadcast address: 255.255.255.255
  IP multicast groups locally joined:
      224.0.0.9  224.0.0.2
  IP MTU: 1500 bytes (using link MTU)
  IP primary address route-preference: 0, tag: 0
  IP proxy ARP : disabled
  IP Local Proxy ARP : disabled
  IP multicast routing: disabled
  IP icmp redirects: disabled
  IP directed-broadcast: disabled
  IP icmp unreachables (except port): disabled
  IP icmp port-unreachable: enabled
  IP unicast reverse path forwarding: none
  IP load sharing: per-packet
  IP interface statistics last reset: never
  IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets    : 139718/1314121/1507/138211/0
    Unicast bytes      : 15147448/245546562/225076/14922372/0
    Multicast packets  : 333941/5486628/0/333941/5484138
    Multicast bytes    : 125711410/424427396/0/125711410/424218414
    Broadcast packets  : 0/0/0/0/0
    Broadcast bytes    : 0/0/0/0/0
    Labeled packets    : 0/0/0/0/0
    Labeled bytes      : 0/0/0/0/0
  WCCP Redirect outbound: disabled
  WCCP Redirect inbound: disabled
  WCCP Redirect exclude: disabled
n7010#
n7010# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
n7010(config)# int vlan 3
n7010(config-if)# no ip port-unreachable
n7010(config-if)#
n7010#
n7010# sh ip int vlan 3
IP Interface Status for VRF "default"(1)
Vlan3, Interface status: protocol-up/link-up/admin-up, iod: 3,
  IP address: 192.168.1.1, IP subnet: 192.168.1.0/24
  IP broadcast address: 255.255.255.255
  IP multicast groups locally joined:
      224.0.0.9  224.0.0.2
  IP MTU: 1500 bytes (using link MTU)
  IP primary address route-preference: 0, tag: 0
  IP proxy ARP : disabled
  IP Local Proxy ARP : disabled
  IP multicast routing: disabled
  IP icmp redirects: disabled
  IP directed-broadcast: disabled
  IP icmp unreachables (except port): disabled
  IP icmp port-unreachable: disabled
  IP unicast reverse path forwarding: none
  IP load sharing: per-packet
  IP interface statistics last reset: never
  IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets    : 140024/1315515/1507/138517/0
    Unicast bytes      : 15188844/245681590/225076/14963768/0
    Multicast packets  : 333952/5486963/0/333952/5484473
    Multicast bytes    : 125712400/424451506/0/125712400/424242524
    Broadcast packets  : 0/0/0/0/0
    Broadcast bytes    : 0/0/0/0/0
    Labeled packets    : 0/0/0/0/0
    Labeled bytes      : 0/0/0/0/0
  WCCP Redirect outbound: disabled
  WCCP Redirect inbound: disabled
  WCCP Redirect exclude: disabled
n7010#

Finally...