How to apply ACL in cisco ios for ipv4 and ipv6
Posted by Anbu on Monday, February 18, 2013
Problem:
How to apply ACL in cisco ios for ipv4 and ipv6
Solution:
IPv4 and IPv6 Access Control Lists In Cisco IOS
What are Access Control Lists?
ACLs are simple rule sets. They can be used to filter network traffic, filter routing updates, match packets for other features, and much more. The most common and basic use is to restrict management traffic to your router by applying one to the vty lines.
Access control lists are identified by a number or by a text name; each number or name refers to one specific access control list.
There are several “classes” of Access Control Lists, the most common ones are
IP Standard Access List
List numbers 1-99, can only define source or destination, not source and destination.
IP Extended Access List
List numbers 100-199, can define both source and destination as well as port and protocol numbers.
Okay, I understand... but how do I configure it?
An IP standard access control list with two entries is configured like this:
Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#10 permit 192.168.1.0 0.0.0.255
To apply this inbound on an interface, just use
Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in
The alternative way to define an access list number 5 with two entries is
Router#conf t
Router(config)#access-list 5 permit 192.168.0.0 0.0.0.255
Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
Router(config)#
To apply this one inbound on a line interface
Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in
Nice, now I have a lot of ACLs configured in my network for all the IPv4 traffic, mon ami! But IPv6 traffic still seems to flow straight through. I thought you said you were going to make sense of all this in the end?
Yeah, I know I promised that, and as long as you understand the IPv4 basics you will understand IPv6 pretty well. You will need to understand basic IPv6 subnetting theory to be able to filter subnets (obviously); if anyone wants me to write an article about it, just leave a comment and I will get on to it ASAP. Once you learn that, you will see that IPv6 access control lists are pretty much the same as for IPv4.
Anyway, I take it for granted that you understand IPv6 subnetting by now, so I will get right on to the configuration. An example of an IPv6 access list in Cisco IOS follows:
Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit 3ffe:200::/32 any
Router(config-ipv6-acl)#permit 3ffe:201::/32 any
To verify the access list, look at this:
Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:201::/32 any sequence 20
Router#
To apply this IPv6 Access Control List to an interface, just do as follows
Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in
To apply this IPv6 access control list to a line
Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in
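As an added example (not code from the post), this Python evaluator shows how IOS applies the lists above: standard ACL entries are matched with wildcard masks (a 1 bit means "don't care"), IPv6 entries with prefix lengths, first match wins, and an implicit deny ends every list. The helper names and the sample entries are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    network: int     # IPv4 source as an integer
    wildcard: int    # Cisco wildcard mask: a 1 bit means "don't care"


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len):
    """Cisco wildcard for an IPv4 /prefix_len: the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def parse_entry(line):
    """Accepts 'access-list 5 permit A W', the sequenced '5 permit A W', 'permit host A' and 'permit any'."""
    parts = line.split()
    if "remark" in parts:
        return None
    idx = next((i for i, tok in enumerate(parts) if tok in ("permit", "deny")), None)
    if idx is None:
        raise ValueError(f"no permit/deny in {line!r}")
    action, rest = parts[idx], parts[idx + 1:]
    if rest[0] == "any":
        return Entry(action, 0, 0xFFFFFFFF)
    if rest[0] == "host":
        return Entry(action, _int(rest[1]), 0)
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # IOS treats a bare address as a host
    return Entry(action, _int(rest[0]), _int(wildcard))


def parse_standard_acl(lines):
    return [e for e in (parse_entry(line) for line in lines) if e is not None]


def matches(entry, addr):
    care = ~entry.wildcard & 0xFFFFFFFF        # bits that must equal the entry's network
    return (_int(addr) & care) == (entry.network & care)


def evaluate(entries, addr):
    """First match wins, and IOS ends every ACL with an implicit 'deny any'."""
    for entry in entries:
        if matches(entry, addr):
            return entry.action
    return "deny"


def evaluate_ipv6(entries, addr):
    """IPv6 ACLs use prefix lengths instead of wildcards; same first-match rule and implicit deny
    (IOS additionally permits neighbor discovery implicitly before that deny)."""
    a = ipaddress.IPv6Address(addr)
    for action, prefix in entries:
        if prefix == "any" or a in ipaddress.IPv6Network(prefix):
            return action
    return "deny"


# The post's access-list 5 and its IPv6 list, as constructed input.
ACL_5 = parse_standard_acl([
    "access-list 5 permit 192.168.0.0 0.0.0.255",
    "access-list 5 permit 192.168.1.0 0.0.0.255",
])
MYFIREWALL_V6 = [("permit", "3ffe:200::/32"), ("permit", "3ffe:201::/32")]
```

Note that `0.0.0.255` only covers a /24: an entry `10.0.0.0 0.0.0.255` permits 10.0.0.5 but not 10.1.0.5, whereas `0.255.255.255` covers the whole 10.0.0.0/8.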
How to secure a cisco network
Posted by Anbu on
Problem:
How to secure a cisco network
Solution:
1. Reverse Path Forwarding
When you enable Reverse Path Forwarding (RPF) on an interface, the router looks up the source address of each incoming packet in the FIB/CEF table and checks that the route back to that source points out the interface on which the packet arrived. This drops packets with spoofed source addresses.
Reverse path forwarding is configured like this:
Router#configure terminal
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#ip verify unicast reverse-path
2. Silence that port
A lot of networks leak sensitive information on their switchports. An access port facing an untrusted device should be kept as silent as possible:
Switch#configure terminal
Switch(config)#interface GigabitEthernet0/16
Switch(config-if)#no cdp enable
Switch(config-if)#spanning-tree bpdufilter enable
Switch(config-if)#no keepalive
This suppresses CDP (Cisco Discovery Protocol), spanning-tree BPDUs and Ethernet keepalives on that interface. Keep in mind that bpdufilter also makes the port ignore incoming BPDUs, so use it only on ports where another switch should never be connected.
3. Configure AAA and ACLs for secure VTY access
VTYs are, for example, the telnet connections on a Cisco device. To configure who is allowed to access your switch via telnet, do this:
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 80 permit 10.0.0.0 0.255.255.255
Switch(config)#access-list 80 permit 192.168.0.0 0.0.255.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 80 in
Switch(config-line)#end
Switch#
This limits VTY access to 10.0.0.0/8 and 192.168.0.0/16. The mask is a Cisco wildcard mask (the inverse of a subnet mask); trouble figuring them out? Try the wildcard cheat.
If you want separate users (which will show up in the logs) instead of the plain line password prompt, you can configure AAA like this:
Switch#configure terminal
Switch(config)#username cisco secret mypassword
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#line vty 0 15
Switch(config-line)#login authentication default
Switch(config-line)#^Z
Switch#
4. Encrypt passwords in Configuration
Do you see this in your configuration?
Switch#show run | include ^username
username admin password 0 mysecret
To enable encryption of passwords just configure
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#end
*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console
Switch#show run | include ^username
username admin password 7 060B1632494D1B1C11
This gives Cisco Type 7 encryption (which, I am sorry to say, is very crackable; it is a reversible encoding, not a hash), but it is at least something.
I like to use 'secret' instead of 'password', which puts MD5 hashes in the configuration file instead. I am not sure of the exact difference, but it seems to give me what I want.
5. More secure routing protocols with passive-interface default
A passive interface is an interface that neither sends nor receives routing information. Passive-interface default is supported by all routing protocols and is quick to configure:
router routing-protocol
passive-interface default
no passive-interface interface
Passive-interface default makes all interfaces passive, and no passive-interface re-activates a single interface. A more real-life configuration example follows.
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastEthernet 0/2
Router(config-router)#^Z
Router#
*Mar 4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by console
This will ensure that OSPF traffic is only exchanged on fastEthernet 0/2.
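Added here as an example that is not from the post: a small Python auditor that checks a running-config excerpt for the hardening items from sections 2 to 5 above (silent access ports, VTY access-class and AAA, reversible type 0/7 passwords, passive-interface default). The config text and the `$1$placeholder...` hash are constructed for the example, and the function names are my own.

```python
import re

# Constructed running-config excerpt (not from the post); some hardening items are deliberately missing.
SAMPLE_CONFIG = """\
hostname Switch
username admin password 0 mysecret
username ops secret 5 $1$placeholder$hashgoeshere
!
interface GigabitEthernet0/16
 switchport mode access
 no cdp enable
!
interface GigabitEthernet0/17
 switchport mode access
!
router ospf 1
 passive-interface default
 no passive-interface fastEthernet 0/2
!
line vty 0 15
 login
"""


def parse_blocks(config):
    """Split an IOS config into its global lines and {block header: [indented lines]}."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' and blank lines end the current block
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            globals_.append(current)
    return globals_, blocks


def audit(config):
    """Return one finding per missing or weak item; an empty list means all checks passed."""
    globals_, blocks = parse_blocks(config)
    findings = []
    for line in globals_:
        m = re.match(r"username (\S+) password (0|7) ", line)
        if m:   # type 0 is cleartext, type 7 is reversible; only 'secret' stores a hash
            findings.append(f"username {m[1]}: type {m[2]} password is reversible, use 'secret'")
    if "service password-encryption" not in globals_:
        findings.append("global: service password-encryption not set")
    if "aaa new-model" not in globals_:
        findings.append("global: aaa new-model not set, VTY logins are not per-user")
    for header, body in blocks.items():
        if header.startswith("interface ") and "switchport mode access" in body:
            for want in ("no cdp enable", "spanning-tree bpdufilter enable"):
                if want not in body:
                    findings.append(f"{header}: missing '{want}'")
        elif header.startswith("line vty"):
            if not any(item.startswith("access-class ") for item in body):
                findings.append(f"{header}: no access-class, VTY reachable from any source")
        elif header.startswith("router "):
            if "passive-interface default" not in body:
                findings.append(f"{header}: passive-interface default not set")
    return findings
```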
How to Locate the Cisco Switchport of a Server based on IP Address
Posted by Anbu on Sunday, February 17, 2013
Problem:
How to Locate the Cisco Switchport of a Server based on IP Address
Solution:
Locating computers or servers is a task I do often, and this is a tutorial on how I do it.
I have mentioned the do command, and mentioned it again in my 5 Magic Cisco Tips and Tricks article.
I am now going to give you more of a tutorial!
Locating a machine on switch port in a larger Cisco network
If you only have the IP address, just run this command:
show ip route *ipaddress*
The router will now tell you which interface this subnet is connected to.
In a usual setting you might have routed a larger block of addresses to, for example, a routing switch.
If this is the case, you will need to follow layer 3 further down to that switch/router.
When you have found the device on which the IP address is directly connected, issue this command to look up the MAC address in the ARP table:
show ip arp | include *ipaddress*
This outputs the MAC address for this IP address, which you can use with this command:
show mac address-table | include *macaddress*
You will now see which port this hardware address is connected to.
In case you have another switch connected, you will need to run the show mac address-table command on that switch as well.
You can often identify switches by running show mac address-table interface *port*.
If this gives a long list of MAC addresses with type DYNAMIC, it is probably a switch.
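The lookup chain above (IP to MAC via the ARP table, MAC to port via the MAC address table, then the "many dynamic MACs means a downstream switch" heuristic), as an added Python example that is not from the post. The two command outputs are constructed in the shape IOS prints them, and the function names are my own.

```python
import re

# Constructed output modelled on 'show ip arp' and 'show mac address-table' (not from the post).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0019.aabb.0001  ARPA   Vlan200
Internet  10.0.0.2                5   001b.53b1.ffff  ARPA   Vlan200
Internet  10.0.0.50              12   0050.56aa.1234  ARPA   Vlan200
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    001b.53b1.ffff    DYNAMIC     Gi0/19
 200    0050.56aa.1234    DYNAMIC     Gi0/24
 200    0050.56aa.5678    DYNAMIC     Gi0/24
 200    0050.56aa.9abc    DYNAMIC     Gi0/24
 200    0050.56aa.def0    DYNAMIC     Gi0/24
"""

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>[0-9a-f.]{14})\s+ARPA\s+(?P<intf>\S+)", re.M)
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f.]{14})\s+(?P<type>\S+)\s+(?P<port>\S+)", re.M)


def arp_lookup(arp_output, ip):
    """IP -> MAC from 'show ip arp'; None means this router has no ARP entry (wrong L3 hop)."""
    for m in ARP_RE.finditer(arp_output):
        if m["ip"] == ip:
            return m["mac"]
    return None


def mac_table(mac_output):
    """Rows of 'show mac address-table' as (vlan, mac, type, port); header lines are skipped."""
    return [(m["vlan"], m["mac"], m["type"], m["port"]) for m in MAC_RE.finditer(mac_output)]


def port_for_mac(mac_output, mac):
    for _vlan, entry, _typ, port in mac_table(mac_output):
        if entry == mac:
            return port
    return None


def looks_like_switch(mac_output, port, threshold=3):
    """The post's heuristic: many DYNAMIC MACs behind one port usually means another switch."""
    dynamic = [row for row in mac_table(mac_output) if row[3] == port and row[2].upper() == "DYNAMIC"]
    return len(dynamic) >= threshold


def locate(arp_output, mac_output, ip):
    """Chain the two lookups; None when the IP is unknown to this router."""
    mac = arp_lookup(arp_output, ip)
    if mac is None:
        return None
    port = port_for_mac(mac_output, mac)
    if port is None:   # e.g. the switch's own SVI address, which has no port behind it
        return {"mac": mac, "port": None, "downstream_switch": False}
    return {"mac": mac, "port": port, "downstream_switch": looks_like_switch(mac_output, port)}
```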
How to give security to switch ports in cisco
Posted by Anbu on
Problem:
How to give security to switch ports in cisco
Solution:
Someone connecting to your network can cause serious damage if you are sloppy with security.
Port-security
Port security on switches is very flexible. First, show the status of port security:
Switch#show port-security interface Gi0/19
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001b.53b1.ffff:20
Security Violation Count : 181
Port security is disabled, and the violation mode is shutdown, which means the port will be shut down if port security is tripped. There are
Let us limit this port to one MAC address and, if we see more than one, shut the port down.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int gi 0/19
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security
Switch(config-if)#
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
Switch(config-if)#
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
Switch(config-if)#
11:31:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down
What happened here? First we limited the port to a maximum of one MAC address, then we configured that if this is violated the port should be shut down. Finally we turned on port-security.
As you can see, the port immediately went into an errdisable state because of a security violation.
Storm-control
Storm control can be used to limit the amount of broadcast, unicast or multicast traffic on a port.
To show the status of storm control
Switch#show storm-control gigabitEthernet 0/19
Interface Filter State Upper Lower Current
——— ————- ———– ———– ———-
Switch#
A typical broadcast storm can look like this
Switch#show interface gigabitEthernet 0/19 | i rate
Queueing strategy: fifo
5 minute input rate 106111000 bits/sec, 207129 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Switch#
I have over 100 Mbit/s of input traffic and no output. I can apply storm-control so that it shuts down the port if the amount of broadcast traffic reaches 100 Mbit/s.
Switch#conf t
Switch(config)#interface gigabitEthernet 0/19
Switch(config-if)#storm-control action shutdown
Switch(config-if)#storm-control broadcast level bps 100000000
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state
2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
2d10h: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down
The interface went straight into errdisable due to the huge amount of broadcast traffic we were receiving.
You can also get the status of storm control
Switch#show storm-control
Interface Filter State Upper Lower Current
——— ————- ———– ———– ———-
Gi0/19 Link Down 100m bps 100m bps 0 bps
These are two great techniques of securing your network ports, just tune them to your preference and they will bring you a lot of good.
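Both features only help if someone notices when they fire. As an added example (not code from the post), this Python parser runs over syslog lines of the kind shown above and reports, per interface, which protection tripped and which MAC caused a port-security violation. The sample lines are constructed from the post's output; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the syslog output shown in the post.
SAMPLE_LOG = [
    "11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state",
    "11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.",
    "11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down",
    "2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state",
    "2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.",
    "*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console",
]

# IOS syslog header: %FACILITY-SEVERITY-MNEMONIC: message
HEADER = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)")
ERR_DISABLE = re.compile(r"^(?P<cause>\S+) error detected on (?P<intf>\S+), putting")
PSECURE = re.compile(r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<intf>[^\s.]+)")
STORM = re.compile(r"A packet storm was detected on (?P<intf>[^\s.]+)\.")

LONG_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_name(intf):
    """Normalise 'GigabitEthernet0/19' and 'Gi0/19' to the same key."""
    for long, short in LONG_NAMES.items():
        if intf.startswith(long):
            return short + intf[len(long):]
    return intf


def parse_event(line):
    """Return a dict for the port-protection events of interest, None for anything else."""
    m = HEADER.search(line)
    if not m:
        return None
    mnemonic, msg = m["mnemonic"], m["msg"]
    if mnemonic == "ERR_DISABLE":
        d = ERR_DISABLE.match(msg)
        return {"event": "err-disable", "cause": d["cause"], "interface": short_name(d["intf"])} if d else None
    if mnemonic == "PSECURE_VIOLATION":
        d = PSECURE.search(msg)
        return {"event": "port-security", "mac": d["mac"], "interface": short_name(d["intf"])} if d else None
    if m["facility"] == "STORM_CONTROL" and mnemonic == "SHUTDOWN":
        d = STORM.search(msg)
        return {"event": "storm-control", "interface": short_name(d["intf"])} if d else None
    return None


def summarize(lines):
    """Per interface: which err-disable causes fired, and which MACs tripped port-security."""
    report = defaultdict(lambda: {"causes": [], "macs": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = report[ev["interface"]]
        if ev["event"] == "err-disable" and ev["cause"] not in entry["causes"]:
            entry["causes"].append(ev["cause"])
        elif ev["event"] == "storm-control" and "storm-control" not in entry["causes"]:
            entry["causes"].append("storm-control")
        elif ev["event"] == "port-security":
            entry["macs"].append(ev["mac"])
    return dict(report)
```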
Configuring a trunk link between a cisco switch and linux
Posted by Anbu on
Problem:
How to configure a trunk link between a cisco switch and linux
Solution:
Sometimes you want to test configuration settings, and Linux is a good environment for these kinds of tests.
To configure a trunk between a Cisco switch and a Linux machine you first have to do the trunk configuration on the Cisco switch:
switch(config)# int Gi 1/0/1
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
switch(config-if)# int vlan 200
switch(config-if)# ip address 10.0.0.1 255.255.255.0
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)#
Then the linux configuration for an interface eth0:
linux# /sbin/modprobe 8021q
linux# /sbin/vconfig add eth0 200
linux# /sbin/ifconfig eth0.200 10.0.0.2 netmask 255.255.255.0 up
linux# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.17 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.698 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.716 ms
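What the `encapsulation dot1q` and `8021q` settings above actually agree on is a four-byte tag inserted after the source MAC. As an added example that is not from the post, this Python code builds a constructed frame tagged for VLAN 200 (as eth0.200 would send it) and parses tagged and untagged frames back; the source MAC is borrowed from the post's port-security output and the function names are my own.

```python
import struct

TPID_8021Q = 0x8100        # ethertype value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Constructed 802.1Q frame: dst(6) src(6) TPID(2) TCI(2) inner ethertype(2) payload.
    This is the tag the 8021q module inserts when eth0.200 transmits on VLAN 200."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    tci = (pcp << 13) | vlan_id          # PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for an untagged frame,
    which a trunk port assigns to its native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


# Constructed sample: a broadcast from the MAC seen in the post's port-security output, on VLAN 200.
SRC_MAC = bytes.fromhex("001b53b1ffff")
BCAST = b"\xff" * 6
PAYLOAD = bytes(20)
TAGGED = build_tagged_frame(BCAST, SRC_MAC, 200, ETHERTYPE_IPV4, PAYLOAD)
UNTAGGED = BCAST + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD
```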