CCIE Blog

Helping you become a Cisco Certified Internetwork Expert


Welcome to Internetwork Expert's CCIE Blog


Welcome to Internetwork Expert’s CCIE Blog! This site is dedicated to helping you in your pursuit of becoming a Cisco Certified Internetwork Expert in Routing & Switching, Voice, Security, Service Provider, and Storage. Through this blog you can submit questions to our expert instructors, Brian Dennis - Quintuple CCIE #2210, Scott Morris - Quad CCIE #4713, Brian McGahan – Triple CCIE #8593, Petr Lapukhov - Quad CCIE #16379, Anthony Sequeira - CCIE #15626, Marvin Greenlee - Triple CCIE #12237, Keith Barker - Dual CCIE #6783, Mark Snow - Dual CCIE #14073, and Josh Finke - CCIE #25707. Check back daily as this blog will be updated frequently.


January 7th, 2010

CCIE L2 security, a FRAME of reference…

We are putting the final touches on the CCSP bootcamp that is launching soon. (PS, it is going to ROCK! :) ) As I was going through the demos on L2 security, I was reminded that this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.

This blog post is meant to refresh your memory and provide some examples of layer 2 security on the Catalyst switch. We will begin with DHCP snooping.

October 12th, 2009

VRF and IPSec integration with a twist of Transparent IOS. Bob pushes the envelope, one more time…

Bob turned up the volume on his MP3 player. It was difficult to hear his music over the whirring of the humidifiers. He sat down in one of the small chairs in front of a computer with SecureCRT. It was freezing in the data center, and a short-sleeved Bob was hoping for a quick and working solution. It all happened like this:

After his huge success implementing DMVPN and GET VPN overlays (with a lot of help from his INE Blog Buddies), Bob was on a roll. He decided to attempt VRF and IPSec integration as his next challenge.


September 2nd, 2009

Cisco IOS Intrusion Prevention System (IPS) Tier 1 Part 1

Beginning in October 2009, students will be required to demonstrate mastery of the Cisco IOS Intrusion Prevention System (IPS) for the CCIE R/S track. This blog post introduces candidates to this relatively new security feature. Note this series of blog posts will focus on Tier 1 knowledge. This information allows mastery for the Core Knowledge section and builds a foundation for later mastery at the Command Line Interface.

Intrusion Prevention replaces mere Intrusion Detection from previous IOS versions. IDS for the IOS was certainly nice (you get alerted when a security attack is occurring), but obviously, stopping an attack is much more powerful.


August 15th, 2009

CCIE R&S 4.X: Zone-Based Firewall Tier 1

Female Voice: “Don’t tell me which zone’s for stopping and which zone’s for loading!”
Male Voice: “Listen, Betty, don’t start your white zone sh*t again. There is just no stopping in the white zone.” – Airplane 1980

In an earlier blog post, we introduced you to the IOS Zone-Based Firewall from Cisco Systems. You can find that post here if you need it.
This post will walk you through an example of the Zone-Based Firewall at the command line. Here is the simple topology we will use in this example:


August 10th, 2009

VLAN Access Control Lists (VACLs) Tier 1

In this blog post, we will obtain some good solid Tier 1 level knowledge regarding VLAN Access Control Lists, or VACLs. These are often also referred to as VLAN Access Maps or just VLAN Maps, thanks to the syntax used in their creation.

When you want to filter traffic that is moving from one VLAN to another, things are really CCNA-like and friendly :-) We use an Access Control List. In fact, we should elaborate on that term a bit in light of this discussion: we actually use a Router-based Access Control List, or RACL.

But what if we want to filter traffic that is flowing within a VLAN? Oh no, a Router-based Access Control List cannot help us! This is when we turn to the VLAN Access Control List. To help us understand this feature, let us create a topology and a sample scenario. Here is the simple topology:


June 14th, 2009

Understanding Flexible Packet Matching

Flexible Packet Matching is a new feature that allows for granular packet inspection in Cisco IOS routers. Using FPM you can match any string, byte or even bit at any position in the IP (or theoretically non-IP) packet. This may greatly aid in identifying and blocking network attacks that use static patterns found in the attack traffic. This feature has some limitations, though.

a) First, it is completely stateless, i.e. it does not track the state or history of the packet flow. Thus, FPM cannot discover dynamic protocol ports such as those used by H.323 or FTP, nor can it detect patterns split across multiple packets. Essentially, you are allowed to apply inspection on a per-packet basis only.

b) Additionally, you cannot apply FPM to control-plane traffic, as the feature is implemented purely in the CEF switching layer. Fragmented traffic is not reassembled for matching, and the only inspected packet is the initial fragment of the IP packet.

c) IP packets carrying IP options are not matched by FPM either, because they are punted to the route processor.

d) Lastly, this feature inspects only unicast packets and does not apply to MPLS encapsulated packets.

Configuring an FPM filter consists of a few steps.

(1) Loading protocol headers.
(2) Defining a protocol stack.
(3) Defining a traffic filter.
(4) Applying the policy & Verifying

Let’s look at each of these steps in depth.


February 11th, 2009

Security Section of IEWB-RS Vol 1 Ver 5 Now Available!

The Security section of Internetwork Expert’s CCIE Routing & Switching Lab Workbook Volume 1 Version 5.0 is completed and available on the members site. As of now the fully completed and posted sections are Bridging & Switching, Frame Relay, IP Routing, RIP, EIGRP, OSPF, QoS, Security, System Management, and IP Services. BGP, Multicast, and IPv6 remain, and will be incrementally posted next.

The final release of the Security section contains around 35 lab scenarios in approximately 150 pages. The final release consists of the following sections:

January 27th, 2009

Cisco R/S and Security Lab Exam Challenge – DoS Protection

One of my student friends from Cisco RTP suggested a great weekly addition to our blog: a sample task from a Mock Lab to challenge the blog faithful. Cool idea! Love it! So as not to spoil your fun when taking our Mock Labs, these tasks have been written specially so that there is no carryover.

My first installment is a topic that could easily appear on either the R/S Lab or the Security Lab. Enjoy! You are more than welcome to post your suggested solution in the comments. I will wait a week and then post a solution there myself, along with some explanatory text. If you enjoy this new blog installment, you should check out our products, because they are even better! :-)

Here we go!

8.0 Security

8.1 DoS Protection

You are concerned about DoS attacks against a key perimeter router in your company. Configure R1 so that it limits the aggregate rate of ARP traffic toward the route processor to 75 packets per second. Routing control traffic marked with an IP Precedence value of 6 should be limited to 100 packets per second.

2 points

NOTE: The solution and walkthrough are posted in the comments below dated February 6, 2009. Once again, this is a fraction of what you receive in our products!

November 19th, 2008

Access Control Lists (How to Fail a Task without Really Trying)

Hello to all our faithful blog readers, I hope this post finds you very well and enjoying your studies!

Access list tasks are a common CCIE Lab Exam feature, and I wanted to take a moment to show how easy it can be for a candidate to miss one thing or many things in such a task.

Here is the task topology and the task itself. Following that we have the proposed solution from a Mock Student :-)

Can you find the errors in his or her ways?

The Topology

The Task

Security

Traffic Filtering

8.1 Configure a security filter on R3 that will accomplish the following for traffic entering the router from the direction of R2:

  • Allow Telnet from R2 (S0/1) to R1 (Lo1)
  • Allow BGP traffic through the router
  • Allow ICMP ping traffic between R1 (Lo1) and R2 (Lo1)
  • Block any traffic sourced from RFC 1918 addresses – log these violations and include Layer 2 address information

4 points

The Proposed Solution

!
access-list 100 permit tcp host 32.0.1.2 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 22.10.1.2 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 22.10.1.2
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
!
interface Serial1/2
ip access-group 100 in

NOTE: I have posted a solution to this blog in the comments. The solution post date is November 20th, 2008.

November 10th, 2008

Bogons Be Gone!

What in the world is a bogon? It is a source address that should not appear in an IP packet on an interface that faces the public Internet. A very famous example of a bogon address would be the Private IP address space, as defined in RFC 1918. This address space is as follows:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

What would be another example of a bogon address? How about the “link-local” addresses that a system will use to communicate on the local link in the event of DHCP failure. This address space is 169.254.0.0/16.

So bogons consist of special-use addresses and any other portions of the address space that have not been allocated for public use. This list of addresses is not static, and does change over time. These addresses are excellent entries in your filters (access control lists) for interfaces that face the Internet.

What is a convenient place to learn of the bogon addresses you should be most concerned with as a CCIE candidate? Well, it is none other than an RFC. It is RFC 3330. It is an excellent RFC that summarizes many of the other RFCs detailing special-use address space. You can find RFC 3330 here:

http://www.faqs.org/rfcs/rfc3330.html
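As an added example (not from the original post), the following Python turns the bogon prefixes named above into IOS-style `access-list` deny entries with the inverted wildcard masks the ACL syntax expects, and checks candidate source addresses against the same list. The prefix list and sample addresses are constructed for illustration; a real deployment would refresh the list from a maintained source, since the post notes it changes over time.

```python
from ipaddress import ip_address, ip_network

# Constructed bogon list: the RFC 1918 private ranges and the link-local
# range named in the post. Extend it from an up-to-date source in practice.
BOGONS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("169.254.0.0/16"),
]


def wildcard_mask(net):
    """IOS ACLs use an inverted 'wildcard' mask: 0 bits must match, 1 bits are don't-care.
    ipaddress exposes exactly that as the network's hostmask."""
    return str(net.hostmask)


def bogon_acl(number, bogons=BOGONS):
    """Render an ingress ACL: deny and log each bogon source, then permit everything else.
    Order matters: the explicit permit must come last, after the deny lines."""
    lines = [
        f"access-list {number} deny ip {net.network_address} {wildcard_mask(net)} any log"
        for net in bogons
    ]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def is_bogon(src, bogons=BOGONS):
    """True if the source address falls inside any bogon prefix (longest match not needed:
    any hit is a hit)."""
    addr = ip_address(src)
    return any(addr in net for net in bogons)


def classify(sources, bogons=BOGONS):
    """Split a list of observed source addresses into bogon and non-bogon sets,
    the way a defender would triage inbound sources seen on an Internet-facing link."""
    bogon = [s for s in sources if is_bogon(s, bogons)]
    clean = [s for s in sources if not is_bogon(s, bogons)]
    return {"bogon": bogon, "clean": clean}


if __name__ == "__main__":
    for line in bogon_acl(100):
        print(line)
    # Constructed sample sources: two bogons (private, link-local) and one public address.
    print(classify(["10.1.1.5", "169.254.10.1", "203.0.113.7"]))
```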