Day #25 – Boy! Was I wrong! :)


It’s been a day of revelations :) . One major lesson I learnt was that there’s a HUUUGE difference between knowing the technology and labbing it! Boy, oh boy!

Before I list my activities for the day, I want to point you to an interesting and VERY helpful document -> Cisco Guide to Harden Cisco IOS Devices. It’s very useful and it covers many of the topics under the CCIE-sec v3 blueprint for this particular section, so I would suggest reading through it once (or maybe even twice :) ).

Right! Today I did the Control Plane and Management Plane Security lab from INE Vol 1, and I feel really good about the challenges I faced and the stuff I learnt in the process. Here’s what I learnt.

  • If the task asks you to limit all “non-IP” traffic to some bandwidth, create a policy-map whose “class-default” class specifies the limit, and apply it under the “CEF exception” subinterface, because that’s where all the non-IP traffic goes.
  • On a subinterface we can configure one service policy of each type, i.e. one general policy, one of type port-filter, one of type queue-threshold, etc.
  • DON’T FORGET TO CONFIGURE THE BURST SIZE in the police rate command. What happened is that there was a task where I had to police the amount of non-IP traffic traversing the router to a rate of 100 pps. So what I did was enter this command under the policy-map configuration – “#police rate 100 pps conform-action transmit exceed-action drop” – and I assumed that the other parameters like burst rate, interval, etc. would be assigned some non-zero default values.
    • After configuring this, I noticed that the reachability between the routers on either side of the policing router was down. They couldn’t ping each other. After some investigation, I noticed that the ARP requests for the next hop’s MAC were getting eaten by the “police rate” command.
    • It also said that the packet rate allowed was 100 and the burst size was 0. This was a big surprise to me. The burst rate did not get a default value based on the police rate value (like the “police” command does).
    • So I went into the config once again and set the burst rate to 10. As soon as I did this, the network was up and running again.
    • What I wanted to enforce here is that, though it’s common to assume that some fields get default values, it’s VERY VERY important to know exactly what values will be assigned to them in order to avoid such configuration errors.
  • Selective packet discard ( SPD )
    • This is an awesome feature that I found in the workbook.
    • It is a queue-management technique for input interface queuing.
    • Every interface has an input FIFO queue (the hold queue).
    • There are 3 queues in total on the input interface:
      • SPD extended headroom -> priority queuing; highest priority among all the queues. L2 keepalives and IGP packets go in here.
      • SPD headroom -> priority queuing, lower priority; if packets don’t have space in the extended headroom they go in here. BGP packets go here.
      • Hold queue (the output FIFO queue) -> lowest priority; packets arriving here are processed FIFO. All IP packets go here by default.
    • By implementing the 2 additional queues, SPD can prioritize traffic coming into the interface and avoids the scenario where important traffic arriving on an interface gets dropped because the hold queue is full of low-priority traffic.
    • SPD also gives special treatment to malformed packets (packets that need the router to generate ICMP responses). All these packets head to the hold queue.
    • SPD has 2 modes of operation:
      • normal
        • it places the malformed packets in the hold queue. If the queue size grows above the maximum threshold, the packets are dropped in a random fashion.
      • aggressive
        • the malformed packets are dropped as soon as the hold queue grows above the minimum threshold. Instead of a random drop, it does an unconditional drop here.
  • Use the “hold-queue” command in interface config to set the size of the hold queue.
  • When the task asks you to only allow telnet traffic without using ACLs, all we need to do is “transport input telnet” on the vty lines; that should do the trick.
  • If you want IOS to not start a telnet session for every random (unknown) command entered in exec mode, use “transport preferred none” on the line where you want to enable it. Otherwise, by default, if we enter some random word in exec mode, IOS will try to telnet to that name.
    • #line vty 0 4
    • #transport preferred none
  • Rotary groups
    • Rotary groups are an interesting concept. They are used to allow a protocol to run on a port other than its standard port. Ex: we can configure telnet to run on port 2001.
    • A simple config to make telnet run on aux port 2001 is as follows:
      • (config)#ip telnet port 2000 rotary 1
      • What this does is tell IOS that telnet is now assigned to rotary group “1”, and the starting port address is async port 2000.
      • That means telnet will now also run on port “2000 + rotary group number” = 2000 + 1 = 2001.
  • When we need to enable traps for every interface’s up/down status:
    • #snmp-server enable traps snmp linkdown linkup
  • If we want to exclude an interface from this:
    • #interface fa0/0
    • #no snmp trap link-status
  • SNMP v3
    • replaces the old community-based authentication system.
    • provides communication privacy using encryption.
    • the new concepts:
      • user
      • group
        • defines what access rights a set of users have
        • the policy is defined by associating a read, write or notify view with the group.
        • if a group is defined without a read view, all objects are available to read (implicit permit).
        • but if a write or notify view is not defined, no write access is granted and no objects can send notifications to members of the group.
      • security level
        • authentication and/or encryption
        • 3 levels:
          • noAuthNoPriv – keyword “noauth”
          • authNoPriv – “auth”
          • authPriv – “priv”
    • SNMP v1 and v2 only support noAuthNoPriv; if SNMPv3 uses noAuthNoPriv, then the username serves as the community string.
    • passwords and encryption keys are set on a per-user basis.
    • SNMPv3 does not send passwords in clear text, but instead uses MD5- or SHA1-based hashed authentication.
    • for encryption: DES, 3DES and AES keys are supported.
    • NOTE: SNMPv3 users do not appear in the running config for security reasons.
  • NOTE: “snmp-server ifindex persist” makes sure the interface index stays after reconnect.. read properly.
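To tie the day’s lessons together, here is one IOS configuration that I have added as an example; it is not from the INE workbook or from Cisco’s hardening guide. It covers the non-IP policer on the CEF-exception subinterface with the burst set explicitly, the hold queue size, the telnet-only VTY lines with “transport preferred none”, the link-status traps with one interface excluded, and an SNMPv3 view/group/user at the “priv” level. The names (CPP-NONIP, V3-RO, V3-RW, NMS-GROUP, nmsuser), the password and key strings, the 200-packet hold queue and the interface numbers are made up for illustration; 100 pps and burst 10 are the values from the task above, and reading “burst 10” as 10 packets is my assumption.

```ios
! Added example configuration (not the workbook's or Cisco's). All names,
! keys and interface numbers below are made up; 100 pps / burst 10 come
! from the task described in the post.
!
! 1. Limit non-IP traffic to 100 pps on the CEF-exception path. The burst is
!    given explicitly: when it is omitted from "police rate" it stays at 0,
!    which starved ARP and broke next-hop reachability in the lab.
policy-map CPP-NONIP
 class class-default
  police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
!
control-plane cef-exception
 service-policy input CPP-NONIP
!
! 2. Size of the interface input hold queue (the queue SPD manages).
!    200 packets is an example value, not a recommendation.
interface FastEthernet0/0
 hold-queue 200 in
!
! 3. Management plane: telnet only on the VTYs, and no implicit telnet when
!    a mistyped word is entered at the exec prompt.
line vty 0 4
 transport input telnet
 transport preferred none
!
! 4. Link up/down traps for every interface, with one interface opted out.
snmp-server enable traps snmp linkdown linkup
interface FastEthernet0/1
 no snmp trap link-status
!
! 5. SNMPv3: explicit read and write views, a group that requires
!    authentication and encryption ("priv"), and a user that carries its
!    own SHA auth password and AES-128 privacy key. The "snmp-server user"
!    line is accepted but will not be shown in "show running-config".
snmp-server view V3-RO iso included
snmp-server view V3-RW iso included
snmp-server group NMS-GROUP v3 priv read V3-RO write V3-RW
snmp-server user nmsuser NMS-GROUP v3 auth sha AuthPassw0rd priv aes 128 PrivKey0123
!
! 6. Keep ifIndex values stable across reloads so the NMS's interface
!    references and trap varbinds keep pointing at the same interfaces.
snmp-server ifindex persist
```

After applying the policer, “show policy-map control-plane cef-exception” is the place to confirm that both the configured rate and a non-zero burst appear, which is exactly the check that would have caught the burst-0 surprise before the neighbours lost ARP.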

It’s been an intense and very interesting day. I wish I could learn so much every day :)

Cheers,

TacACK
