CCIE Pursuit Blog

June 10, 2009

Core Knowledge Question of the Day: 10 June 2009

Which Cisco-proprietary STP feature detects indirect failures in the core of the backbone?

Highlight for answer: BackboneFast.


June 9, 2009

Core Knowledge Question of the Day: 09 June 2009

The Dynamic ARP Inspection and IP Source Guard features both require which additional feature to be configured?

Highlight for answer:  DHCP Snooping must be enabled.  Both Dynamic ARP Inspection and IP Source Guard rely on the DHCP Snooping database.

June 8, 2009

Core Knowledge Question of the Day: 08 June 2009

Given the output below, how long will it take for a MAC address to age out?

Rack1SW1(config-if)#do sh port-security int f0/4
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:1
Security Violation Count   : 0

Highlight for answer: By setting ‘switchport port-security aging’ to 0 (the default), aging is disabled and the MAC address will never age out.

August 17, 2008

Internetwork Expert Volume II: Lab 8 – Section 8

Section 8 – Security – 7 Points

8.1 Router Hardening

Configure r5 to:

Drop all source-routed packets
Disable proxy-arp and CDP support on the connections to BB2 and BB3
Drop all HTTP and telnet sessions destined for 174.x.0.0/16 and 150.x.0.0/16 from BB2 or BB3
Drop all inbound echo requests coming from BB2 or BB3

In the real lab I would just eat the 3 points rather than mess with connections to the backbone routers.  But this task is pretty easy so I gave it a shot.

The first requirement:

ip source-route
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route command in global configuration mode.

r5(config)#no ip source-route

The second one:

r5(config-subif)#no cdp en
r5(config-subif)#no ip proxy-arp

And the rest (the list below still has to be applied inbound on the subinterfaces facing BB2 and BB3 before it drops anything; that step is not shown here):

r5(config)#ip access-list ex TASK_8_1
r5(config-ext-nacl)#deny tcp any 174.1.0.0 0.0.255.255 eq www
r5(config-ext-nacl)#deny tcp any 174.1.0.0 0.0.255.255 eq telnet
r5(config-ext-nacl)#deny tcp any 150.1.0.0 0.0.255.255 eq www
r5(config-ext-nacl)#deny tcp any 150.1.0.0 0.0.255.255 eq telnet
r5(config-ext-nacl)#deny icmp any any echo
r5(config-ext-nacl)#permit ip any any

8.2 Traffic Filtering

Drop all traffic from BB2 to BB3 and vice versa on r5 but do not use any access-lists to do this.

We can police inbound, but how to match on the destination without an ACL?

r5(config)#class-map TASK_8_2
r5(config-cmap)#match ?
  destination-address  Destination address
  input-interface      Select an input interface to match

r5(config-cmap)#match destination-address ?
  mac  MAC address

That will not work:

r5(config-cmap)#do sh int f0/1.52 | i bia
  Hardware is AmdFE, address is 0011.93b0.7521(bia 0011.93b0.7521)
r5(config-cmap)#do sh int f0/1.53 | i bia
  Hardware is AmdFE, address is 0011.93b0.7521(bia 0011.93b0.7521)
r5(config-cmap)#do sh int f0/1 | i bia
  Hardware is AmdFE, address is 0011.93b0.7521(bia 0011.93b0.7521)

Let’s check out the input-interface:

r5(config-cmap)#match input-interface fa0/1.52
                                           ^
% Invalid input detected at ‘^’ marker.

r5(config-cmap)#match input-interface fa0/1

Okay, so I can match on the interface, but only the physical interface (which makes sense). 

r5(config-cmap)#policy-map TASK_8_2
r5(config-pmap)#class TASK_8_2
r5(config-pmap-c)#drop

r5(config-pmap-c)#int fa0/1.52
r5(config-subif)#service-policy out TASK_8_2
r5(config-subif)#int fa0/1.53
r5(config-subif)#service-policy out TASK_8_2

8.3 Traffic Filtering

Open the filter you just configured to allow SMTP from 192.10.1.100 to 204.12.1.0/24

r5(config)#ip access-list ex TASK_8_3_FROM_SERVER
r5(config-ext-nacl)#permit tcp host 192.10.1.100 eq smtp 204.12.10.0 0.0.0.255
r5(config)#ip access-list ex TASK_8_3_TO_SERVER
r5(config-ext-nacl)#perm tcp 204.12.10.0 0.0.0.255 host 192.10.1.100 eq smtp

r5(config)#class-map TASK_8_3_FROM_SERVER
r5(config-cmap)#match access-group name TASK_8_3_FROM_SERVER

r5(config-cmap)#class-map TASK_8_3_TO_SERVER
r5(config-cmap)#match access name TASK_8_3_TO_SERVER

Because I did not create separate policy-maps per backbone router, I had to go back and do that:

r5(config-cmap)#policy-map OUT_TO_BB2
r5(config-pmap)# class TASK_8_3_FROM_SERVER
r5(config-pmap-c)# class TASK_8_2
r5(config-pmap-c)#   drop

r5(config-pmap-c)#policy-map OUT_TO_BB3
r5(config-pmap)# class TASK_8_3_TO_SERVER
r5(config-pmap-c)# class TASK_8_2
r5(config-pmap-c)#   drop

Then I had to go in and remove the old class and policy maps and add the new service-policies:

r5(config)#int fa0/1.52
r5(config-subif)#service-policy out OUT_TO_BB2
r5(config-subif)#int fa0/1.53
r5(config-subif)#service-policy out OUT_TO_BB3

IE went with a few less lines of configuration by using a ‘match not’ statement.

August 13, 2008

Internetwork Expert Volume II: Lab 12 – Section 9

Section 9 – Security – 3 Points

9.1 Traffic Filtering

Allow telnet access to r6 only from an NMS at 129.16.46.100.  Log all attempts from unauthorized devices.

Let’s start with our ACL – remember that we need to add an explicit deny statement for logging:

Rack16R6(config)#ip access-list ex TASK_9_1
Rack16R6(config-ext-nacl)#perm tcp host 129.16.46.100 any eq 23
Rack16R6(config-ext-nacl)#deny tcp any any eq 23 log

Now just apply this to the vty lines:

Rack16R6(config-ext-nacl)#line vty 0 4
Rack16R6(config-line)#access-class TASK_9_1 in

Verify:

Rack16R4#telnet 150.16.6.6
Trying 150.16.6.6 …
% Connection refused by remote host

Rack16R6#sh log | b Log Buffer
Log Buffer (4096 bytes):

Aug 13 14:17:37.053: %SYS-5-CONFIG_I: Configured from console by console
Aug 13 14:17:42.285: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 129.16.46.4(43572) -> 0.0.0.0(23), 1 packet
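The %SEC-6-IPACCESSLOGP line above is what the explicit ‘deny … log’ entry buys you: every unauthorized telnet attempt shows up in the buffer with the source address and port. The parser below is an added example (not code from the blog or from Cisco) that pulls those fields out of the log line on the page and reports denied attempts from anything other than the authorized NMS. The regex assumes the timestamp format shown on the page, and the third sample line is constructed to show a later summary message.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# IOS %SEC-6-IPACCESSLOGP message (TCP/UDP access-list logging with ports).
# Timestamp prefix assumed to look like "Aug 13 14:17:42.285:" as on the page.
LOGP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:.]+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

@dataclass(frozen=True)
class AclLogEvent:
    timestamp: str
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int

def parse_ipaccesslogp(line: str) -> Optional[AclLogEvent]:
    """Return the parsed event, or None for any other syslog line."""
    m = LOGP_RE.match(line.strip())
    if not m:
        return None
    return AclLogEvent(m["ts"], m["acl"], m["action"], m["proto"],
                       m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                       int(m["count"]))

def unauthorized_vty_attempts(lines: Iterable[str], acl_name: str,
                              allowed_sources: Set[str]) -> List[Tuple[str, int, int]]:
    """(src, dport, packet count) for each denied attempt logged by acl_name whose
    source is not one of the authorized NMS addresses."""
    hits = []
    for line in lines:
        ev = parse_ipaccesslogp(line)
        if ev is None or ev.acl != acl_name or ev.action != "denied":
            continue
        if ev.src in allowed_sources:
            continue
        hits.append((ev.src, ev.dport, ev.count))
    return hits

# First two lines are the buffer from the page; the third is constructed to show
# the periodic summary IOS logs for repeated hits.
SAMPLE_LOG = [
    "Aug 13 14:17:37.053: %SYS-5-CONFIG_I: Configured from console by console",
    "Aug 13 14:17:42.285: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 129.16.46.4(43572) -> 0.0.0.0(23), 1 packet",
    "Aug 13 14:22:42.301: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 129.16.46.4(43573) -> 0.0.0.0(23), 3 packets",
]

if __name__ == "__main__":
    for src, dport, count in unauthorized_vty_attempts(SAMPLE_LOG, "TASK_9_1", {"129.16.46.100"}):
        print(f"unauthorized telnet from {src} to port {dport}: {count} packet(s)")
```

Note that the destination shows as 0.0.0.0 because the list is applied with access-class on the vty lines rather than to an interface, so the parser keys on source, list name and action rather than on the destination.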

August 10, 2008

Internetwork Expert Volume II: Lab 5 – Section 8

Section 8 – Security – 6 Points

8.1 Traffic Filtering

Allow ICMP, UDP, and TCP traffic originated from inside the network to go out to and back from r4 to BB3.  We also need to allow r4 to ping and telnet to BB3.  That’s going to need a reflexive ACL. Filter everything else except the routing protocols (RIP and BGP) between r4 and BB3.

This is 3 points that I would definitely skip in the lab.  Breaking connectivity to a backbone device could end up costing you $1500.  🙂

r4(config)#ip access-l ex IN_FROM_BB3
r4(config-ext-nacl)#perm icmp any any echo-reply
r4(config-ext-nacl)#perm tcp any eq telnet any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections  
r4(config-ext-nacl)#perm tcp any eq telnet any established
4(config-ext-nacl)#permit tcp any any eq bgp
r4(config-ext-nacl)#permit tcp any eq bgp any  <- I usually forget this 😦
r4(config-ext-nacl)#permit udp any any eq rip
r4(config-ext-nacl)#evaluate REFLEXIVE

r4(config-ext-nacl)#ip access-list ex OUT_TO_BB3
r4(config-ext-nacl)#perm tcp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm udp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm icmp any any reflect REFLEXIVE

r4(config-ext-nacl)#int fa0/0
r4(config-if)#ip access-group IN_FROM_BB3 in
r4(config-if)#ip access-group OUT_TO_BB3 out

This is the first time that I’ve actually seen an “A” on a traceroute:

bb3#trace 150.1.3.3

Type escape sequence to abort.
Tracing the route to 150.1.3.3

  1 204.12.1.4 !A  *  !A

A = Administratively unreachable.  Usually, this output means that an access list is blocking traffic.
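To see why the static echo-reply and ‘established’ lines are needed on top of the reflexive entries, and why BB3’s traceroute comes back !A, here is an added Python model of the two ACLs above (example code, not from the blog or from IOS). It walks constructed flows through OUT_TO_BB3 and IN_FROM_BB3 in the order the lines appear on the page. The inside host 150.1.3.3 and r4’s 204.12.1.4 come from the traceroute; BB3’s address 204.12.1.254 and the port numbers are assumed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # ignored for icmp
    dport: int = 0
    icmp_type: Optional[str] = None   # "echo" / "echo-reply" for icmp
    established: bool = False         # tcp ACK or RST bit set

Key = Tuple[str, str, str, int, int]

class ReflexiveList:
    """Temporary mirrored entries created by 'reflect NAME' and consulted by 'evaluate NAME'."""
    def __init__(self, timeout_s: int = 300):
        self.timeout_s = timeout_s
        self.entries: Dict[Key, float] = {}

    def reflect(self, pkt: Packet, now: float) -> None:
        # The mirror entry swaps src/dst and sport/dport so only the return flow matches.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout_s

    def evaluate(self, pkt: Packet, now: float) -> bool:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:              # entry aged out, remove it
            del self.entries[key]
            return False
        return True

R4_FA00 = "204.12.1.4"                # r4 toward BB3 (from the traceroute on the page)

def out_to_bb3(pkt: Packet, refl: ReflexiveList, now: float, router_originated: bool = False) -> str:
    """OUT_TO_BB3 as applied with 'ip access-group OUT_TO_BB3 out'."""
    if router_originated:
        # IOS does not pass locally generated packets through an outbound ACL,
        # so r4's own pings and telnets never create a reflexive entry.
        return "permit"
    if pkt.proto in ("tcp", "udp", "icmp"):   # permit <proto> any any reflect REFLEXIVE
        refl.reflect(pkt, now)
        return "permit"
    return "deny"                             # implicit deny

def in_from_bb3(pkt: Packet, refl: ReflexiveList, now: float) -> str:
    """IN_FROM_BB3, evaluated top-down in the order shown on the page."""
    if pkt.proto == "icmp" and pkt.icmp_type == "echo-reply":
        return "permit"                                   # r4's own pings come back
    if pkt.proto == "tcp" and pkt.sport == 23 and pkt.established:
        return "permit"                                   # r4's own telnet sessions
    if pkt.proto == "tcp" and pkt.dport == 179:
        return "permit"                                   # permit tcp any any eq bgp
    if pkt.proto == "tcp" and pkt.sport == 179:
        return "permit"                                   # permit tcp any eq bgp any
    if pkt.proto == "udp" and pkt.dport == 520:
        return "permit"                                   # permit udp any any eq rip
    if refl.evaluate(pkt, now):
        return "permit"                                   # evaluate REFLEXIVE
    return "deny"                                         # implicit deny

def scenario() -> Dict[str, str]:
    """Run constructed flows through both ACLs and return each verdict."""
    refl = ReflexiveList(timeout_s=300)
    host = "150.1.3.3"          # inside host (address from the traceroute on the page)
    bb3 = "204.12.1.254"        # assumed address for BB3
    r: Dict[str, str] = {}
    # 1. inside host opens TCP/80 to BB3: permitted out, mirror entry created, reply allowed in
    r["inside_syn_out"] = out_to_bb3(Packet("tcp", host, bb3, 40000, 80), refl, now=0)
    reply = Packet("tcp", bb3, host, 80, 40000, established=True)
    r["reply_in"] = in_from_bb3(reply, refl, now=1)
    # 2. the same reply after the reflexive timeout (300 s) has expired
    r["reply_in_late"] = in_from_bb3(reply, refl, now=301)
    # 3. BB3's traceroute probe (UDP, high port) has no mirror entry: dropped, hence the !A
    r["traceroute_probe_in"] = in_from_bb3(Packet("udp", bb3, host, 45000, 33434), refl, now=2)
    # 4. r4 telnets to BB3 itself: bypasses the outbound ACL, so the reply relies on the static line
    out_to_bb3(Packet("tcp", R4_FA00, bb3, 50000, 23), refl, now=3, router_originated=True)
    r["r4_telnet_reply"] = in_from_bb3(Packet("tcp", bb3, R4_FA00, 23, 50000, established=True), refl, now=4)
    # 5. routing protocols are permitted regardless of state
    r["bgp_in"] = in_from_bb3(Packet("tcp", bb3, R4_FA00, 179, 43210), refl, now=5)
    r["rip_in"] = in_from_bb3(Packet("udp", bb3, "224.0.0.9", 520, 520), refl, now=6)
    return r

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:22s} {verdict}")
```

Case 4 is the one that trips people up: because the router’s own traffic is not evaluated by the outbound list, nothing reflects it, and without the ‘permit tcp any eq telnet any established’ and ‘permit icmp any any echo-reply’ lines r4’s own telnet and ping to BB3 would fail even though the reflexive ACL is in place.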

8.2 DoS Prevention

“…configure r1 and r6 to not receive any ICMP echo request sourced from the 205.90.31.0/24 network inbound on their interfaces attached to VLAN 162.”
“Do not apply any configuration on either r1 or r6 to accomplish this.”

r1 and r6 connect to BB2 on an Ethernet connection.  If we can’t configure r1 or r6 then we need to configure the switch port connected to BB2 (sw2 fa0/24).

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Sweet.  So I set up my ACL:

sw2(config)#do sh run | i 182
access-list 182 permit tcp 205.90.31.0 0.0.0.255 192.10.1.0 0.0.0.255

and then I tried to enable TCP Intercept:

sw2(config)#ip tcp intercept list 182
                   ^
% Invalid input detected at ‘^’ marker.

sw2(config)#ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size

Great.  This is not available on the 3560.

Ummm…it turns out that I needed to read the tasks closer.  I keyed in on DoS prevention and forgot that I was just supposed to filter ICMP echo requests.  🙂

Starting over – this looks like a simple VACL task.  Just drop ICMP echo requests from a specific network for VLAN 162.

Configuring VLAN Maps

First match the traffic that we want to drop (VACLs use logic similar to route-maps):

sw2(config)#access-list 182 permit icmp 205.90.31.0 0.0.0.255 any echo

Now build the VACL:

sw2(config)#vlan access-map TASK_8_2
sw2(config-access-map)#match ip add 182
sw2(config-access-map)#action drop

Remember to include a statement to forward all other traffic:

sw2(config)#vlan access-map TASK_8_2 1000
sw2(config-access-map)#action forward

Now just add the VACL to the VLAN with the ‘vlan filter’ command. Don’t do this:

sw2(config)#flanfilter TASK_8_2 vlan-list 162
% Unrecognized command

It’s sad that the IOS does not know about the tasty dessert that is flan, but the IOS does not get out much.  🙂

sw2(config)#vlan filter TASK_8_2 vlan-list 162

sw2#sh vlan access-map
Vlan access-map “TASK_8_2”  10
  Match clauses:
    ip  address: 182
  Action:
    drop
Vlan access-map “TASK_8_2”  1000
  Match clauses:
  Action:
    forward

sw2#sh vlan filter
VLAN Map TASK_8_2 is filtering VLANs:
  162
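The reason the ‘action forward’ sequence at 1000 matters is that a VLAN map works like a route-map: sequences are tried in order, the first one whose match clause selects the packet decides, and a packet that matches no sequence is dropped. The model below is an added example (not code from the blog or from IOS) that evaluates the TASK_8_2 map both with and without the forward sequence. ACL 182 is the one configured above, written in CIDR form; the sample host addresses on VLAN 162 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Pkt:
    proto: str                     # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None

@dataclass(frozen=True)
class Ace:
    """One line of a numbered IP ACL such as 182 (CIDR instead of wildcard masks)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str
    dst: str
    icmp_type: Optional[str] = None

def ace_matches(ace: Ace, pkt: Pkt) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst):
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type

def acl_selects(acl: List[Ace], pkt: Pkt) -> bool:
    """Inside a 'match ip address' clause the ACL only selects traffic: a permit ACE means
    the sequence matches, a deny ACE or no match means fall through to the next sequence."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

@dataclass
class VaclSeq:
    seq: int
    action: str                         # "drop" or "forward"
    match: Optional[List[Ace]] = None   # no match clause = matches all traffic

def vacl_verdict(vlan_map: List[VaclSeq], pkt: Pkt) -> str:
    """First matching sequence wins; a packet that matches no sequence is dropped."""
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match is None or acl_selects(entry.match, pkt):
            return entry.action
    return "drop"

# access-list 182 permit icmp 205.90.31.0 0.0.0.255 any echo
ACL_182 = [Ace("permit", "icmp", "205.90.31.0/24", "0.0.0.0/0", icmp_type="echo")]

# The map as it stood with only the 'action drop' sequence configured.
TASK_8_2_WITHOUT_FORWARD = [VaclSeq(10, "drop", ACL_182)]
# The finished map, with sequence 1000 forwarding everything else.
TASK_8_2 = TASK_8_2_WITHOUT_FORWARD + [VaclSeq(1000, "forward")]

def verdicts(vlan_map: List[VaclSeq]) -> Dict[str, str]:
    """Constructed sample packets on VLAN 162 (host addresses are made up)."""
    samples = {
        "echo_from_205":       Pkt("icmp", "205.90.31.7", "192.10.1.1", "echo"),
        "echo_reply_from_205": Pkt("icmp", "205.90.31.7", "192.10.1.1", "echo-reply"),
        "echo_from_elsewhere": Pkt("icmp", "192.10.1.254", "192.10.1.1", "echo"),
        "tcp_from_205":        Pkt("tcp", "205.90.31.7", "192.10.1.1"),
    }
    return {name: vacl_verdict(vlan_map, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    print("without forward:", verdicts(TASK_8_2_WITHOUT_FORWARD))
    print("with forward:   ", verdicts(TASK_8_2))
```

Without sequence 1000 every packet on VLAN 162 that is not an echo request from 205.90.31.0/24 falls off the end of the map and is dropped, which would take the VLAN down rather than just filter the pings; with it, only the echo requests are dropped.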

August 2, 2008

Internetwork Expert Volume II: Lab 3 – Section 9

Section 9 – Security – 6 Points

9.1  Traffic Filtering

“Configure r6 so that it only allows TCP, UDP, and ICMP traffic in from BB1 if it was originated from behind R6.”

“Ensure that users behind r6 can still traceroute to hosts beyond the Frame Relay cloud.”

Confusing wording, but I think that it means that you need to filter traffic from BB1 so that it only allows TCP, UDP, and ICMP responses from devices behind r6 – but not r6.  This sounds like a reflexive ACL.

This is the type of task that I would probably skip in the actual lab.  I really don’t want to fuck up my connection to a backbone router to get 3 points in Security.  There’s an excellent breakdown for this task.  I’d still skip it though.  🙂

9.2 DOS Prevention

Argh!!!  I am SO weak in Security.

“…configure r4 to send a TCP reset to the webserver (136.1.4.100) for any TCP sessions that fail to reach the established state after 15 seconds.”

All I’m sure of in this task is that I’m going to be configuring fa0/0 on r4.

A quick look through the 12.4 Security Configuration Guide yields this document:

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

It looks like I need an ACL for traffic to the server:

r4(config)#access-list 192 perm tcp any host 136.1.4.100

Then it’s just a matter of picking the correct configuration items:

r4(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before
                      clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode

The task asks us to send a TCP reset, so that decides the TCP intercept mode that we will use:

The TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.

In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with an SYN-ACK, then waits for an ACK from the client. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within 30 seconds (configurable with the ip tcp intercept watch-timeout command), the software sends a Reset to the server to clear up its state.

r4(config)#ip tcp intercept mode ?
  intercept  Intercept connections
  watch      Watch connections

r4(config)#do sh run | i list 192|ip tcp
ip tcp intercept list 192
ip tcp intercept watch-timeout 15
ip tcp intercept mode watch
!
access-list 192 permit tcp any host 136.1.4.100
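Watch mode is easy to misread as “the router proxies the handshake”; it does not. It lets the SYN through, starts a timer per watched connection, and only acts when the handshake has not completed within the watch-timeout. The following is an added Python model of that behaviour for the configuration above (example code, not from the blog or from IOS): connections to 136.1.4.100 selected by list 192 are watched, and any that are still half-open after 15 seconds get a reset sent toward the server. Client addresses and ports are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVER = "136.1.4.100"        # access-list 192 permit tcp any host 136.1.4.100
WATCH_TIMEOUT = 15.0          # ip tcp intercept watch-timeout 15

ConnKey = Tuple[str, int, str, int]   # client ip, client port, server ip, server port

@dataclass
class Watched:
    syn_seen_at: float
    established: bool = False

@dataclass
class TcpInterceptWatch:
    """Passive 'ip tcp intercept mode watch': SYNs pass, the router times them and
    sends the server an RST for any that never reach the established state."""
    timeout_s: float = WATCH_TIMEOUT
    table: Dict[ConnKey, Watched] = field(default_factory=dict)
    resets_sent: List[Tuple[ConnKey, float]] = field(default_factory=list)

    @staticmethod
    def selected_by_list_192(src: str, dst: str) -> bool:
        # Only sessions to the web server (either direction) are watched.
        return dst == SERVER or src == SERVER

    def on_segment(self, now: float, src: str, sport: int, dst: str, dport: int, flags: str) -> None:
        if not self.selected_by_list_192(src, dst):
            return
        if dst == SERVER and "S" in flags and "A" not in flags:
            # Client SYN toward the server: start watching this connection.
            self.table[(src, sport, dst, dport)] = Watched(syn_seen_at=now)
        elif dst == SERVER and "A" in flags and "S" not in flags:
            # Client's final ACK completes the three-way handshake.
            key = (src, sport, dst, dport)
            if key in self.table:
                self.table[key].established = True
        self.sweep(now)

    def sweep(self, now: float) -> None:
        """Timer pass: forget completed connections, reset stale half-open ones."""
        for key, state in list(self.table.items()):
            if state.established:
                del self.table[key]
            elif now - state.syn_seen_at >= self.timeout_s:
                self.resets_sent.append((key, now))   # RST toward the server clears its state
                del self.table[key]

def scenario() -> Dict[str, object]:
    w = TcpInterceptWatch()
    # A legitimate client completes its handshake within a second.
    w.on_segment(0.0, "10.0.0.5", 40001, SERVER, 80, "S")
    w.on_segment(0.5, SERVER, 80, "10.0.0.5", 40001, "SA")
    w.on_segment(1.0, "10.0.0.5", 40001, SERVER, 80, "A")
    # A SYN whose sender never answers the server's SYN-ACK (e.g. a spoofed source).
    w.on_segment(2.0, "198.51.100.9", 1234, SERVER, 80, "S")
    # A SYN to a different host is not selected by list 192 and is never watched.
    w.on_segment(3.0, "10.0.0.6", 40002, "136.1.4.200", 80, "S")
    w.sweep(16.9)                       # 14.9 s old: still inside the 15 s window
    before = len(w.resets_sent)
    w.sweep(17.0)                       # 15.0 s old: reset sent to the server
    return {
        "resets_before_timeout": before,
        "resets_after_timeout": len(w.resets_sent),
        "reset_target": w.resets_sent[0][0] if w.resets_sent else None,
        "still_watched": len(w.table),
    }

if __name__ == "__main__":
    print(scenario())
```

The practical consequence of picking watch mode over intercept mode is that the server, not the router, absorbs the half-open connections for up to 15 seconds; intercept mode would keep them off the server entirely but at the cost of the router answering every SYN itself.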

April 11, 2008

IPexpert: Free IPexpert vLectures In May and June

IPexpert have a slew of free CCIE vLecture Seminars scheduled for May and June in a number of different CCIE tracks:

CCIE vLecture Seminar Series

Our vLecture Seminar Series offers focused online discussions led by the renowned CCIE-certified instructors at IPexpert. Each seminar will concentrate on a specific topic related to CCIE preparation, including individual protocols and technologies listed on the lab blueprint, as well as test-taking strategies!

You may now register for any of the following vLectures:

May 01 4:00 PM EST  
Topic: VPN Troubleshooting
Track: Security

May 10 11:00 AM EST  
Topic: IPMA
Track: Voice

May 27 5:00 PM EST  
Topic: WAN QoS
Track: Voice

May 29 6:00 PM EST  
Topic: ATM Operations and Configuration
Track: Service Provider

Jun 03 3:00 PM EST  
Topic: Troubleshooting on the CCIE Lab
Track: R&S

Jun 17 3:00 PM EST  
Topic: Multicast – Anycast RP
Track: R&S

Jun 24 8:00 PM EST  
Topic: Digit Manipulation on CallManager 4.1(3) & CME 3.3
Track: Voice

Jun 30 8:00 PM EST  
Topic: PPPoE Operations
Track: Service Provider

Click here to register for any of the available vLectures.
If you have any questions, contact a Training Advisor for assistance.

April 5, 2008

Internetwork Expert Volume II: Lab 6 – Section 8

Security – 6 Points

8.1 BPDU Filtering

Configure sw1 and sw2 to filter all DECnet spanning-tree BPDUs in VLAN 363

I figured that I would find this under the spanning-tree commands, but I was way off.  You need to use a VACL to filter this traffic:

mac access-list extended NO_DEC_BPDU
 permit any any dec-spanning
!
vlan access-map NO_DEC_BPDU 10
 action drop
 match mac address NO_DEC_BPDU
vlan access-map NO_DEC_BPDU 20
 action forward
!
vlan filter NO_DEC_BPDU vlan-list 363

sw1#sh vlan filter vlan 363
Vlan 363 has filter NO_DEC_BPDU.

sw1#sh vlan access-map
Vlan access-map “NO_DEC_BPDU”  10
  Match clauses:
    mac address: NO_DEC_BPDU
  Action:
    drop
Vlan access-map “NO_DEC_BPDU”  20
  Match clauses:
  Action:
    forward

sw1#sh vlan filter access-map NO_DEC_BPDU
VLAN Map NO_DEC_BPDU is filtering VLANs:
  363

VLAN 363 is not present on sw1 and sw2  🙂

sw1#sh vlan id 363
VLAN id 363 not found in current VLAN database

sw2#sh vlan id 363
VLAN id 363 not found in current VLAN database

Task 8.1 BPDU Filtering

8.2 Traffic Filtering

Hosts must authenticate to r2 before they are allowed to telnet to sw1.  Use one user/password combination to allow access to sw1 and another to grant access to r2’s CLI.

This is a task that IE is fond of.  We just used a VACL, so why not use a DACL.  🙂

r2(config)#ip access-list extended DYNAMIC
% Invalid access list name.

IOS would not let me use the word, “dynamic” as the name of my extended access-list.

Invalid access list name.

I think that Cisco IOS blocks creating access-lists with the name “dynamic”; this is due to introducing the new dynamic access-list starting from release 12.3(7)T.  Also a new show command was introduced, “show ip access-list dynamic”, starting from the above release, so to avoid any conflicts the IOS blocks access lists with the name “dynamic”.

Dynamic access is used for more security purposes; if you are interested in it, you can go to the following link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm

Oh well, IOS likes BOOBIES though….who doesn’t?  🙂

r2(config)#ip access-list extended BOOBIES
r2(config-ext-nacl)#dynamic PERMIT_TELNET perm tcp any any eq telnet


January 24, 2008

IPexpert: Free IPexpert vLecture Today – Layer 2 Tunneling Techniques

I completely forgot about IPexpert’s series of free vLectures.  They have been running one free vLecture per week since the beginning of the year.  I will be viewing today’s lecture (as much as I can while at work).  Here is the remaining schedule of vLectures:

Jan 31 3:00 PM EST  Online 
Instructor: Marvin Greenlee
Topic: DMVPN
Track: Security

Feb 07 3:00 PM EST  Online 
Instructor: Marvin Greenlee
Topic: Basic Multicast Design/Operations
Track: R&S

Feb 12 3:00 PM EST  Online 
Instructor: Vik Malhi
Topic: CUE
Track: Voice

Feb 28 3:00 PM EST  Online 
Instructor: Mark Snow
Topic: IPSec Basics
Track: Security

Mar 13 3:00 PM EST  Online 
Instructor: Scott Morris
Topic: Spanning-Tree
Track: R&S

Mar 20 3:00 PM EST  Online 
Instructor: Marvin Greenlee
Topic: IPv6
Track: R&S

Mar 27 3:00 PM EST  Online 
Instructor: Vik Malhi
Topic: SRST
Track: Voice

