Section 8 – Security – 6 Points
8.1 Traffic Filtering
Allow ICMP, UDP, and TCP traffic originating inside the network to go out from r4 to BB3 and come back. r4 itself also needs to be able to ping and telnet to BB3. That calls for a reflexive ACL on the outbound side with a matching evaluate statement on the inbound side; and because reflexive entries are only created for transit traffic (packets r4 generates itself never pass through the outbound ACL), r4's own ping and telnet replies need static inbound permits (echo-reply, and telnet with the established keyword). Filter everything else except the routing protocols (RIP and BGP) between r4 and BB3.
This is 3 points that I would definitely skip in the lab. Breaking connectivity to a backbone device could end up costing you $1500. 🙂
r4(config)#ip access-l ex IN_FROM_BB3
r4(config-ext-nacl)#perm icmp any any echo-reply
r4(config-ext-nacl)#perm tcp any eq telnet any ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
r4(config-ext-nacl)#perm tcp any eq telnet any established
r4(config-ext-nacl)#permit tcp any any eq bgp
r4(config-ext-nacl)#permit tcp any eq bgp any <- I usually forget this 😦
r4(config-ext-nacl)#permit udp any any eq rip
r4(config-ext-nacl)#evaluate REFLEXIVE
The evaluate entry is what makes the inbound ACL consult the temporary entries that the outbound reflect creates; without it the return traffic for inside-initiated sessions falls through to the implicit deny.
r4(config-ext-nacl)#ip access-list ex OUT_TO_BB3
r4(config-ext-nacl)#perm tcp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm udp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm icmp any any reflect REFLEXIVE
r4(config-if)#ip access-group IN_FROM_BB3 in
r4(config-if)#ip access-group OUT_TO_BB3 out
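To make the behaviour of that ACL pair concrete, here is a small Python model of it. This is an added illustration, not IOS and not code from the original post: it only imitates enough reflexive-ACL semantics to show why the inbound evaluate matters, why an outside-initiated session is still refused, and why r4's own ping depends on the static echo-reply line (packets the router generates bypass the outbound ACL, so no reflexive entry is created for them). The addresses, ports and the ICMP handling are simplified and constructed for the example.

```python
"""Toy model of the IN_FROM_BB3 / OUT_TO_BB3 pair on r4 (added illustration).

This is not IOS and not code from the original post; it imitates just enough
reflexive-ACL behaviour to show why 'evaluate REFLEXIVE' matters, why an
outside-initiated session is still refused, and why r4's own ping needs the
static echo-reply entry. All addresses and ports are constructed.
"""
from dataclasses import dataclass

INSIDE = "10.1.1.1"     # constructed inside host behind r4
R4 = "192.0.2.2"        # constructed r4 address on the BB3 link
BB3 = "192.0.2.1"       # constructed BB3 address


@dataclass(frozen=True)
class Pkt:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    sport: int                 # for icmp: the ICMP type
    dst: str
    dport: int                 # for icmp: unused, keep 0
    established: bool = False  # TCP with ACK or RST set (IOS 'established')


def _mirror(p: Pkt):
    """Entry the outbound 'reflect' installs for p's return direction."""
    if p.proto == "icmp":
        return ("icmp", p.dst, p.src)               # addresses only (simplified)
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def _key(p: Pkt):
    """How an inbound packet is looked up against those entries."""
    if p.proto == "icmp":
        return ("icmp", p.src, p.dst)
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class R4Filter:
    def __init__(self, evaluate: bool = True):
        self.evaluate = evaluate   # does IN_FROM_BB3 contain 'evaluate REFLEXIVE'?
        self.reflexive = set()     # the temporary entries named REFLEXIVE

    def out_to_bb3(self, p: Pkt, router_generated: bool = False) -> bool:
        """OUT_TO_BB3: permit tcp/udp/icmp any any reflect REFLEXIVE.
        Packets r4 generates itself bypass the outbound ACL, so they
        never create a reflexive entry."""
        if not router_generated:
            self.reflexive.add(_mirror(p))
        return True

    def in_from_bb3(self, p: Pkt) -> bool:
        """IN_FROM_BB3, top to bottom, implicit deny at the end."""
        if p.proto == "icmp" and p.sport == 0:                     # echo-reply
            return True
        if p.proto == "tcp" and p.sport == 23 and p.established:   # telnet established
            return True
        if p.proto == "tcp" and 179 in (p.sport, p.dport):        # bgp
            return True
        if p.proto == "udp" and p.dport == 520:                    # rip
            return True
        if self.evaluate and _key(p) in self.reflexive:            # evaluate REFLEXIVE
            return True
        return False


def inside_http_session(evaluate: bool) -> bool:
    """Inside host opens HTTP to BB3; is the reply let back in?"""
    f = R4Filter(evaluate)
    f.out_to_bb3(Pkt("tcp", INSIDE, 40000, BB3, 80))
    return f.in_from_bb3(Pkt("tcp", BB3, 80, INSIDE, 40000, established=True))


def outside_initiated_http() -> bool:
    """BB3 side opens HTTP towards the inside host: nothing reflected, denied."""
    return R4Filter().in_from_bb3(Pkt("tcp", BB3, 50000, INSIDE, 80))


def r4_ping_bb3() -> bool:
    """r4's own ping: no reflexive entry, only the static echo-reply line helps."""
    f = R4Filter()
    f.out_to_bb3(Pkt("icmp", R4, 8, BB3, 0), router_generated=True)
    return f.in_from_bb3(Pkt("icmp", BB3, 0, R4, 0))


def r4_udp_probe_error_reply() -> bool:
    """r4 sends a UDP probe; the ICMP time-exceeded (type 11) coming back
    matches no static entry and no reflexive entry, so it is dropped."""
    f = R4Filter()
    f.out_to_bb3(Pkt("udp", R4, 33434, BB3, 33434), router_generated=True)
    return f.in_from_bb3(Pkt("icmp", BB3, 11, R4, 0))


if __name__ == "__main__":
    print("inside HTTP with evaluate   :", inside_http_session(True))    # True
    print("inside HTTP without evaluate:", inside_http_session(False))   # False
    print("outside-initiated HTTP      :", outside_initiated_http())     # False
    print("r4 ping reply               :", r4_ping_bb3())                # True
    print("r4 UDP probe ICMP error     :", r4_udp_probe_error_reply())   # False
```

The last scenario is the one to keep in mind when testing from the router itself: a UDP probe that r4 originates gets no reflexive entry, and the ICMP error that answers it is a different protocol from the probe anyway, so the inbound ACL drops it even with evaluate in place.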
This is the first time that I’ve actually seen an “A” on a traceroute:
Type escape sequence to abort.
Tracing the route to 18.104.22.168
1 22.214.171.124 !A * !A
A = Administratively unreachable. The probe was answered with an ICMP destination unreachable, administratively prohibited (type 3, code 13), which a router sends when an access list denies the packet (unless ip unreachables is disabled). So this output usually means an access list is blocking the traffic.
8.2 DoS Prevention
“…configure r1 and r6 to not receive any ICMP echo request sourced from the 126.96.36.199/24 network inbound on their interfaces attached to VLAN 162.”
“Do not apply any configuration on either r1 or r6 to accomplish this.”
r1 and r6 connect to BB2 over Ethernet. If nothing may be configured on r1 or r6, the filtering has to happen on the switch they share with BB2, either as a port ACL on the BB2-facing port (sw2 fa0/24) or as a VLAN map on VLAN 162.
Sweet. So I set up my ACL:
sw2(config)#do sh run | i 182
access-list 182 permit tcp 188.8.131.52 0.0.0.255 184.108.40.206 0.0.0.255
and then I tried to enable TCP Intercept:
sw2(config)#ip tcp intercept list 182
% Invalid input detected at ‘^’ marker.
sw2(config)#ip tcp ?
async-mobility Configure async-mobility
chunk-size TCP chunk size
mss TCP initial maximum segment size
path-mtu-discovery Enable path-MTU discovery on new TCP connections
queuemax Maximum queue of outgoing TCP packets
selective-ack Enable TCP selective-ACK
synwait-time Set time to wait on new TCP connections
timestamp Enable TCP timestamp option
window-size TCP window size
Great. This is not available on the 3560.
Ummm…it turns out that I needed to read the tasks closer. I keyed in on DoS prevention and forgot that I was just supposed to filter ICMP echo requests. 🙂
Starting over – this looks like a simple VACL task: drop ICMP echo requests from one specific network inside VLAN 162.
First match the traffic to drop (a VLAN map works like a route-map: sequenced entries, each with match clauses and an action):
sw2(config)#access-list 182 permit icmp 220.127.116.11 0.0.0.255 any echo
Now build the VACL. A map entry with no explicit action forwards what it matches, so the drop has to be stated:
sw2(config)#vlan access-map TASK_8_2
sw2(config-access-map)#match ip add 182
sw2(config-access-map)#action drop
Remember to include a statement to forward all other traffic. A VLAN map ends in an implicit drop, and an entry with no match clause matches everything, with forward as its default action:
sw2(config)#vlan access-map TASK_8_2 1000
Now just add the VACL to the VLAN with the ‘vlan filter’ command. Don’t do this:
sw2(config)#flanfilter TASK_8_2 vlan-list 162
% Unrecognized command
It’s sad that the IOS does not know about the tasty dessert that is flan, but the IOS does not get out much. 🙂
sw2(config)#vlan filter TASK_8_2 vlan-list 162
sw2#sh vlan access-map
Vlan access-map “TASK_8_2” 10
ip address: 182
Vlan access-map “TASK_8_2” 1000
sw2#sh vlan filter
VLAN Map TASK_8_2 is filtering VLANs:
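The two VLAN-map rules that decide whether TASK_8_2 really does what the task asks are easy to get backwards, so here is a small Python model of them. This is an added illustration, not switch code and not from the original post: it encodes that a map entry without an action defaults to forward, and that a packet matching no entry hits the implicit drop at the end of the map. The source network and the VLAN 162 host addresses are constructed stand-ins (RFC 5737 ranges), and ACL 182 is reduced to the one line the task needs.

```python
"""Toy model of Catalyst VLAN-map (VACL) evaluation (added illustration).

This is not switch code and not from the original post. It models the two
rules that decide whether TASK_8_2 does what the task asks: a map entry with
no 'action' defaults to forward, and a packet matching no entry hits the VLAN
map's implicit drop. Addresses are constructed (RFC 5737 ranges) and stand in
for the task's source network and a VLAN 162 host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Pkt:
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply


@dataclass(frozen=True)
class Acl182:
    """access-list 182 permit icmp <net> 0.0.0.255 any echo"""
    net: str

    def matches(self, p: Pkt) -> bool:
        return (p.proto == "icmp" and p.icmp_type == 8
                and ip_address(p.src) in ip_network(self.net))


@dataclass(frozen=True)
class MapEntry:
    seq: int
    match: Optional[Acl182] = None  # None: no match clause, matches everything
    action: str = "forward"         # IOS default when 'action' is omitted


def vacl_verdict(entries: List[MapEntry], p: Pkt) -> str:
    """Lowest sequence first, first match wins, no match means implicit drop."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.match is None or e.match.matches(p):
            return e.action
    return "drop"


SRC_NET = "198.51.100.0/24"  # constructed stand-in for the task's source /24
ECHO_FROM_SRC = Pkt("icmp", "198.51.100.7", "203.0.113.10", icmp_type=8)
TELNET_FROM_SRC = Pkt("tcp", "198.51.100.7", "203.0.113.10")
ECHO_FROM_ELSEWHERE = Pkt("icmp", "203.0.113.20", "203.0.113.10", icmp_type=8)


def as_typed_without_action() -> str:
    """seq 10 'match ip address 182' with no action line, plus seq 1000."""
    return vacl_verdict([MapEntry(10, Acl182(SRC_NET)), MapEntry(1000)], ECHO_FROM_SRC)


def without_catch_all(p: Pkt) -> str:
    """seq 10 with action drop but no seq 1000: unmatched traffic is dropped."""
    return vacl_verdict([MapEntry(10, Acl182(SRC_NET), "drop")], p)


def correct_map(p: Pkt) -> str:
    """seq 10 drops matching echo requests, seq 1000 forwards everything else."""
    return vacl_verdict([MapEntry(10, Acl182(SRC_NET), "drop"), MapEntry(1000)], p)


if __name__ == "__main__":
    print(as_typed_without_action())            # forward (the echo gets through)
    print(without_catch_all(TELNET_FROM_SRC))   # drop (collateral damage)
    print(correct_map(ECHO_FROM_SRC))           # drop
    print(correct_map(TELNET_FROM_SRC))         # forward
    print(correct_map(ECHO_FROM_ELSEWHERE))     # forward
```

The first two functions are the two ways this task goes wrong: forgetting action drop lets the echo requests through, and forgetting the catch-all entry takes VLAN 162 off the air for everything else, which on a backbone-facing VLAN is the more expensive mistake.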