I read that you could get the CCIE Service Provider in a month with a CCIE Routing and Switching background. And this is exactly what I want to do next: get the CCIE SP in a month! Service Provider is good to get since it is very useful for the CCDE Practical Exam which is my next goal. Currently there are only 3 CCDEs, so my goal is to be among the first 100 people.
Service Provider Lab blue print can be found here: http://www.cisco.com/web/learning/le3/ccie/sp/lab_exam_blueprint.html
Some good information on the SP lab from the Cisco Learning Network
Friday, March 27, 2009
Friday, March 13, 2009
Code Red
Code Red Example
i. Marking traffic
Router(config)#class−map match−any http−hacks
Router(config−cmap)#match protocol http url "*default.ida*"
Router(config−cmap)#match protocol http url "*cmd.exe*"
Router(config−cmap)#match protocol http url "*root.exe*"
Router(config)#policy−map mark−inbound−http−hacks
Router(config−pmap)#class http−hacks
Router(config−pmap−c)#set ip dscp 1
Router(config)#interface serial 0/0
Router(config−if)#service−policy input mark−inbound−http−hacks
ii. ACL to drop traffic
Router(config)#access−list 105 deny ip any any dscp 1
Router(config)#access−list 105 permit ip any any
Router(config)#interface ethernet 0/1
Router(config−if)#ip access−group 105 out
iii. PBR to drop traffic
Router(config)#access−list 106 permit ip any any dscp 1
Router(config)#route−map null_policy_route 10
Router(config−route−map)#match ip address 106
Router(config−route−map)#set interface Null0
Router(config)#interface serial 0/0
Router(config−if)#ip policy route−map null_policy_route
iv. Class-Based Policing to drop traffic
Router(config)#policy−map drop−inbound−http−hacks
Router(config−pmap)#class http−hacks
Router(config−pmap−c)#police 1000000 31250 31250
conform−action drop exceed−action drop violate−action drop
Router(config)#interface serial 0/0
Router(config−if)#service−policy input drop−inbound−http−hacks
i. Marking traffic
Router(config)#class−map match−any http−hacks
Router(config−cmap)#match protocol http url "*default.ida*"
Router(config−cmap)#match protocol http url "*cmd.exe*"
Router(config−cmap)#match protocol http url "*root.exe*"
Router(config)#policy−map mark−inbound−http−hacks
Router(config−pmap)#class http−hacks
Router(config−pmap−c)#set ip dscp 1
Router(config)#interface serial 0/0
Router(config−if)#service−policy input mark−inbound−http−hacks
ii. ACL to drop traffic
Router(config)#access−list 105 deny ip any any dscp 1
Router(config)#access−list 105 permit ip any any
Router(config)#interface ethernet 0/1
Router(config−if)#ip access−group 105 out
iii. PBR to drop traffic
Router(config)#access−list 106 permit ip any any dscp 1
Router(config)#route−map null_policy_route 10
Router(config−route−map)#match ip address 106
Router(config−route−map)#set interface Null0
Router(config)#interface serial 0/0
Router(config−if)#ip policy route−map null_policy_route
iv. Class-Based Policing to drop traffic
Router(config)#policy−map drop−inbound−http−hacks
Router(config−pmap)#class http−hacks
Router(config−pmap−c)#police 1000000 31250 31250
conform−action drop exceed−action drop violate−action drop
Router(config)#interface serial 0/0
Router(config−if)#service−policy input drop−inbound−http−hacks
ASA Cut-Through Proxy
From the notes given to me by Rob Chee...
Configure authentication using TACACS+
Aaa-server RAD protocol tacacs
Aaa-server RAD (outside) host 192.168.137.10
Key cisco
Configure login prompt:
auth-prompt prompt Enter Your Authentication
auth-prompt accept You are Good
auth-prompt reject Goodbye
Through traffic authentication – This is the default mechanism for authentication. When a user attempts to access a HTTP, HTTPS, FTP, or telnet resource behind the PIX, the PIX redirects users to an authentication page if the traffic matches the cut-through proxy ACL.
Using Telnet
Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 23
Access-list AUTH permit tcp any host 192.l68.137.2 eq 23
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
Using Encryption for HTTP
Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 80
Access-list AUTH permit tcp any host 192.l68.137.2 eq 80
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
Aaa authentication secure-http-client
Using HTTPS
Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 443
Access-list AUTH permit tcp any host 192.l68.137.2 eq 443
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
The authentication listener mechanism is the recommended method of authentication. With the basic configuration, a user must access a specific URL on the PIX to authenticate. Since it relies on accessing a URL, only the HTTP and HTTPS authentication methods are supported for this mechanism.
Static (inside,outside) 192.1681.137.2 10.100.100.2
aaa authentication match AUTH outside RAD
aaa accounting match AUTH outside RAD
aaa authentication listener HTTPS outside port HTTPS redirect
aaa authentication listener HTTP outside port HTTP redirect
Authenticate against a virtual IP address, configured on the PIX, through HTTP, HTTPS, and Telnet by redirecting to the virtual IP address when they try to access a resource, through the PIX, that matches the cut-through proxy ACL.
Virtual HTTP 192.168.137.20
Virtual Telnet 192.168.137.20
Static (inside,outside) 192.168.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.20 eq 80
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 80
Access-list AUTH permit tcp any host 192.168.137.20 eq 80
Access-list AUTH permit tcp any host 192.168.137.2 eq 80
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RADIUS
! If secure authentication to the PIX is required
Aaa authentication secure-HTTP-client
With RADIUS, authentication and authorization are bound together. This means that verifying authentication and providing authorization are handled during the same negotiation when a user logs in. It also means that no further authorization privileges can be granted after the login.
When RADIUS is used for PIX cut-through proxy, the ACS server provides downloadable ACLs as authorization. This downloadable ACL becomes a temporary ACL that is created on the PIX with a dynamically created name. This ACL can be viewed with “show access-list” after successful authentication. Below is an example of this.
access-list #ACSACL#-IP-cutthroughproxy-47b78823; 3 elements (dynamic)
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 1 extended permit tcp any host 192.168.137.2 eq telnet (hitcnt=0) 0x78ea2fad
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 2 extended permit tcp any host 192.168.137.2 eq www (hitcnt=0) 0x4519be9a
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 3 extended permit tcp any host 192.168.137.2 eq https (hitcnt=5) 0x0c281b01
RADIUS Downloadable ACL Authorization
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius-acct host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1812 host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1813 host 192.168.137.8
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
access-group OUTSIDE in interface outside per-user-override
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.137.10
key cisco
aaa authentication match AUTH outside RADIUS
aaa accounting match AUTH outside RADIUS
aaa authentication listener HTTPS outside port HTTPS redirect
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out
TACACS+ Authorization
access-list OUTSIDE extended permit tcp host 192.168.137.10 eq tacacs host 192.168.137.8
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
access-group OUTSIDE in interface outside
aaa-server TAC protocol tacacs
aaa-server TAC (outside) host 192.168.137.10
key cisco
aaa authentication match AUTH outside TAC
aaa authorization match AUTH outside TAC
aaa accounting match AUTH outside TAC
aaa authentication listener HTTPS outside port HTTPS redirect
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out
Configure authentication using TACACS+Aaa-server RAD protocol tacacs
Aaa-server RAD (outside) host 192.168.137.10
Key cisco
Configure login prompt:
auth-prompt prompt Enter Your Authentication
auth-prompt accept You are Good
auth-prompt reject Goodbye
Through traffic authentication – This is the default mechanism for authentication. When a user attempts to access a HTTP, HTTPS, FTP, or telnet resource behind the PIX, the PIX redirects users to an authentication page if the traffic matches the cut-through proxy ACL.
Using Telnet
Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 23
Access-list AUTH permit tcp any host 192.l68.137.2 eq 23
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
Using Encryption for HTTP
Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 80
Access-list AUTH permit tcp any host 192.l68.137.2 eq 80
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
Aaa authentication secure-http-client
Using HTTPS
Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 443
Access-list AUTH permit tcp any host 192.l68.137.2 eq 443
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
The authentication listener mechanism is the recommended method of authentication. With the basic configuration, a user must access a specific URL on the PIX to authenticate. Since it relies on accessing a URL, only the HTTP and HTTPS authentication methods are supported for this mechanism.
Static (inside,outside) 192.1681.137.2 10.100.100.2
aaa authentication match AUTH outside RAD
aaa accounting match AUTH outside RAD
aaa authentication listener HTTPS outside port HTTPS redirect
aaa authentication listener HTTP outside port HTTP redirect
Authenticate against a virtual IP address, configured on the PIX, through HTTP, HTTPS, and Telnet by redirecting to the virtual IP address when they try to access a resource, through the PIX, that matches the cut-through proxy ACL.
Virtual HTTP 192.168.137.20
Virtual Telnet 192.168.137.20
Static (inside,outside) 192.168.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.20 eq 80
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 80
Access-list AUTH permit tcp any host 192.168.137.20 eq 80
Access-list AUTH permit tcp any host 192.168.137.2 eq 80
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RADIUS
! If secure authentication to the PIX is required
Aaa authentication secure-HTTP-client
With RADIUS, authentication and authorization are bound together. This means that verifying authentication and providing authorization are handled during the same negotiation when a user logs in. It also means that no further authorization privileges can be granted after the login.
When RADIUS is used for PIX cut-through proxy, the ACS server provides downloadable ACLs as authorization. This downloadable ACL becomes a temporary ACL that is created on the PIX with a dynamically created name. This ACL can be viewed with “show access-list” after successful authentication. Below is an example of this.
access-list #ACSACL#-IP-cutthroughproxy-47b78823; 3 elements (dynamic)
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 1 extended permit tcp any host 192.168.137.2 eq telnet (hitcnt=0) 0x78ea2fad
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 2 extended permit tcp any host 192.168.137.2 eq www (hitcnt=0) 0x4519be9a
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 3 extended permit tcp any host 192.168.137.2 eq https (hitcnt=5) 0x0c281b01
RADIUS Downloadable ACL Authorization
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius-acct host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1812 host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1813 host 192.168.137.8
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
access-group OUTSIDE in interface outside per-user-override
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.137.10
key cisco
aaa authentication match AUTH outside RADIUS
aaa accounting match AUTH outside RADIUS
aaa authentication listener HTTPS outside port HTTPS redirect
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out
TACACS+ Authorization
access-list OUTSIDE extended permit tcp host 192.168.137.10 eq tacacs host 192.168.137.8
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
access-group OUTSIDE in interface outside
aaa-server TAC protocol tacacs
aaa-server TAC (outside) host 192.168.137.10
key cisco
aaa authentication match AUTH outside TAC
aaa authorization match AUTH outside TAC
aaa accounting match AUTH outside TAC
aaa authentication listener HTTPS outside port HTTPS redirect
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out
Thursday, March 5, 2009
PPTP
http://www.cisco.com/en/US/tech/tk82/tk36/technologies_configuration_example09186a00801e51e2.shtml
Server Side 880W Router:
vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
!
ip local pool netcraftsmen 192.168.1.1 - 192.168.1.10
!
interface virtual-template 1
encapsulation ppp
peer default ip address pool netcraftsmen
ip unnumbered FastEthernet4
ppp encrypt mppe auto
ppp authentication pap chap
Server Side 880W Router:
vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
!
ip local pool netcraftsmen 192.168.1.1 - 192.168.1.10
!
interface virtual-template 1
encapsulation ppp
peer default ip address pool netcraftsmen
ip unnumbered FastEthernet4
ppp encrypt mppe auto
ppp authentication pap chap
Tuesday, March 3, 2009
Remote Trigger Black Hole Filtering
Cisco has a real good document on this: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf
It is a technique used to drop bad packets before they get into the network: used for DDOS attack mitigation.
interface Null0
no ip unreachables
!When packet is dropped, an Internet Control Message Protocol (ICMP) unreachable message is !sent back to the source. So it is recommended that ICMP unreachable message is disabled.
!
router bgp 65535
neighbor IBGP peer-group
neighbor IBGP remote-as 701
neighbor IBGP send-community
neighbor IBGP update-source Loopback0
neighbor 1.1.1.1 peer-group IBGP
neighbor 2.2.2.2 peer-group IBGP
!
redistribute static route-map STATIC_TO_BGP
!
! A /32 route used as next-hop to “drop” the packets configured on all routers.
!
ip route 192.0.2.1 255.255.255.255 null0
!
! Route-map to signal RTHB information.
!
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1
!
route-map STATIC_TO_BGP deny 20
When we know that some server, for example 10.10.10.10, under attack, we would put in the blackhole route on the trigger router and propagate to all edge routers which would drop packets at the edge of the network.
!
ip route 10.10.10.10 255.255.255.255 null0 tag 100
Back scatter analysis could be use to trace back the source of the DDOS attack.
Remove the no ip unreachable from the null0 interface on all the edge routers.
Then from the "sinkhole" router:
Add new route-map entry, to propagate self-originated "interesting" routes.
!
route-map STATIC_TO_BGP permit 15
match tag 200
set local-preference 200
set origin igp
set community no-export
!
ip route 20.0.0.0 255.0.0.0 Null0 tag 200
!Network 20.0.0.0/8 is suspected to be the source of the attack. All ICMP unreachable !messages from the edge routers will be diverted to the sinkhole router for analysis.
!
ip access-list extended UNREACHABLES
permit icmp any any unreachable log
permit ip any any
!
interface WAN
ip access-group UNREACHABLES in
If the rate is big, you might not be able to see all logging line. To tune the ACL too log every hit:
ip access-list log-update threshold 1
It is a technique used to drop bad packets before they get into the network: used for DDOS attack mitigation.
interface Null0no ip unreachables
!When packet is dropped, an Internet Control Message Protocol (ICMP) unreachable message is !sent back to the source. So it is recommended that ICMP unreachable message is disabled.
!
router bgp 65535
neighbor IBGP peer-group
neighbor IBGP remote-as 701
neighbor IBGP send-community
neighbor IBGP update-source Loopback0
neighbor 1.1.1.1 peer-group IBGP
neighbor 2.2.2.2 peer-group IBGP
!
redistribute static route-map STATIC_TO_BGP
!
! A /32 route used as next-hop to “drop” the packets configured on all routers.
!
ip route 192.0.2.1 255.255.255.255 null0
!
! Route-map to signal RTHB information.
!
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1
!
route-map STATIC_TO_BGP deny 20
When we know that some server, for example 10.10.10.10, under attack, we would put in the blackhole route on the trigger router and propagate to all edge routers which would drop packets at the edge of the network.
!
ip route 10.10.10.10 255.255.255.255 null0 tag 100
Back scatter analysis could be use to trace back the source of the DDOS attack.
Remove the no ip unreachable from the null0 interface on all the edge routers.
Then from the "sinkhole" router:
Add new route-map entry, to propagate self-originated "interesting" routes.
!
route-map STATIC_TO_BGP permit 15
match tag 200
set local-preference 200
set origin igp
set community no-export
!
ip route 20.0.0.0 255.0.0.0 Null0 tag 200
!Network 20.0.0.0/8 is suspected to be the source of the attack. All ICMP unreachable !messages from the edge routers will be diverted to the sinkhole router for analysis.
!
ip access-list extended UNREACHABLES
permit icmp any any unreachable log
permit ip any any
!
interface WAN
ip access-group UNREACHABLES in
If the rate is big, you might not be able to see all logging line. To tune the ACL too log every hit:
ip access-list log-update threshold 1
Subscribe to:
Posts (Atom)
