Archive for February 2nd, 2010

T-47 | Control Plane security (REVISITED)

Hello!

Yesterday, as the title suggests, I revisited the Control Plane Security Vol 1 labs. I'd worked through this lab earlier and had posted an article about it; please refer to that article for the technical details I found back then. Here I'll make a quick list of the other interesting things I encountered yesterday while doing the labs :)

  • There was a task which focused on Control Plane Protection. The task asked for the HTTP traffic headed to the host subinterface to be rate-limited.
    • So I tried this configuration to match the traffic:
      • #class-map HTTP_RATE
        • #match protocol http
      • #policy-map HTTP_RATE
        • #class HTTP_RATE
          • #police……<bla>
    • But when I applied this to the host subinterface using the "service-policy" command, it gave me an error saying that an unknown type of traffic was being classified under the class-map, and therefore the policy-map couldn't be applied to the host subinterface.
    • To get around this, I tried another way of configuring the same thing, i.e. matching HTTP packets: I created an ACL and referenced it under the class-map.
      • #access-list 101 permit tcp any any eq www
      • #class-map HTTP_RATE
        • #match access-group 101
    • This worked just fine! Although this behaviour was weird, I tried it many times, and every time I got the same error message for the first configuration method.
    • This may just be a point to note: if you get similar errors in the lab, don't panic; try other ways of matching the traffic. The class-maps that can be attached to the control-plane host subinterface support only a limited set of match criteria (an ACL via "match access-group", IP DSCP/precedence, and "match protocol arp"), so the NBAR-style "match protocol http" is rejected while the ACL-based match is accepted.
  • BGP TTL Security
    • This is such an awesome concept! :) I discovered it yesterday thanks to Ryan and the DocCD.
    • I was on Google Wave (live-blogging my lab) when Ryan wrote a small summary of what TTL security achieves and how it applies to situations where eBGP peers are multiple hops apart.
    • Here's what Ryan wrote:

    BGP Generic TTL Security Mechanism.

    Internal BGP (iBGP) – these are neighbors connected within the same AS. By default, these neighbors can be reached over as many hops as it takes (well, I guess 255).

    External BGP (eBGP). By default, you can only reach a neighbor being 1 hop away. Anymore hops and you would have to use the following command (most common)

    #neighbor x.x.x.x ebgp-multihop (0-255).

    This command will connect to a neighbor up to the specified number of hops away.

    For example, if we used neighbor x.x.x.x ebgp-multihop 10, then the neighbor can be 2 hops away or 9, anything lower than 10.

    Another command exists to disable this TTL check as well.

    #neighbor x.x.x.x disable-connected-check

    This won’t even check the number of hops an external neighbor is and will allow them to connect without issue.

    Now the TTL Security Mechanism is used when you want to connect to a neighbor that must be a certain number of hops away.

    So for example, we know we have a neighbor that is 3 hops away and we are sourcing our peerings off of a loopback address to the loopback of our BGP neighbor, then we would be 5 hops away. We could use TTL security to tell the BGP process that the neighbor must be 5 hops away, no more and no less.

    • I also found a great DocCD link for this task . You can find it HERE.
    • Point to NOTE: if the eBGP peering doesn't adhere to the configured TTL-security hop count, the eBGP neighbor goes into the "ECN Disabled" state. If the hop count between the peers is less than the configured count, the session still reaches the "ESTABLISHED" state. That is expected: "ttl-security hops N" accepts any packet whose incoming TTL is at least 255 - N, so a peer that is closer than N hops always passes the check; only packets that have travelled more than N hops (for example, spoofed ones from outside the expected path) are dropped.
  • I found THIS to be a great resource for many “routing-protocol” related configurations.
  • SELECTIVE PACKET DISCARD (or, as we call it with love, SPD)
    • I blogged about this feature when I did the same lab earlier, but there are some additional details which I noticed this time!
    • WARNING: when I labbed this, these commands weren't in the context-sensitive help, i.e. we had to remember the commands verbatim and type them out. KEEP THIS IN MIND!
    • HERE’s the DocCD link for this.
    • Crazy fact to remember: IGP takes precedence over BGP (external) here. Apparently, internal routes are more important than external routes.
  • SNMP trap v/s SNMP Inform
    • I didn't know the difference till yesterday. Thanks to THIS document :) (In short: a trap is sent once and never acknowledged, whereas an inform is acknowledged by the manager and retransmitted until that acknowledgement arrives.)
  • Remember, to rate-limit the ICMP traffic that PMTUD depends on, look at the ICMP "fragmentation needed" unreachables generated for packets that arrive with the DF bit set to "1"; in IOS that is the "df" keyword of "ip icmp rate-limit unreachable".
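As an added example (not the post's own config and not taken from the lab workbook), here are the four items above put together as one IOS configuration: the ACL-based host-subinterface policy from the Control Plane Protection task, the TTL-security peering from the BGP item, the hidden SPD commands, and the PMTUD-related ICMP rate limit. The ACL number, class/policy names, AS numbers, addresses, police rates and SPD thresholds are assumptions chosen for illustration; the "show" commands at the end are the ones to use to confirm the result.

```ios
! Added example, not the lab's or the post's own config. Names, addresses,
! AS numbers, rates and thresholds are assumptions chosen for illustration.
!
! --- 1. Control-plane host subinterface: rate-limit HTTP aimed at the router ---
! NBAR-style "match protocol http" is not accepted in a class-map attached to
! the host subinterface; classify with an ACL instead, as the post found.
access-list 101 permit tcp any any eq www
!
class-map match-all HTTP_RATE
 match access-group 101
!
policy-map HOST_POLICY
 class HTTP_RATE
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane host
 service-policy input HOST_POLICY
!
! --- 2. eBGP peering, loopback to loopback, peer assumed 5 hops away ---
! "ebgp-multihop 5" only raises our outgoing TTL; any incoming TTL is accepted.
! "ttl-security hops 5" additionally drops packets that arrive with a TTL
! below 255 - 5 = 250, so a packet spoofed from further away never reaches
! the BGP process. The two keywords are mutually exclusive on one neighbor.
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 192.0.2.2 ttl-security hops 5
!
! --- 3. Rate-limit the ICMP unreachables that PMTUD depends on ---
! Packets with DF set that exceed the outgoing MTU trigger a "fragmentation
! needed" unreachable; the df keyword limits those replies to one per 500 ms.
ip icmp rate-limit unreachable df 500
!
! --- 4. Selective Packet Discard (not offered by "?" on the IOS used in the lab) ---
ip spd mode aggressive
ip spd queue min-threshold 73
ip spd queue max-threshold 74
!
! Checks (the lab rarely lets you generate the traffic, so read these instead):
! show policy-map control-plane host   - conform/exceed counters for HTTP_RATE
! show ip bgp neighbors 192.0.2.2      - minimum incoming TTL the session requires
! show ip spd                          - SPD mode and queue thresholds
```

The police rate and burst are placeholders; in a real task use the values the question gives. The BGP section assumes the peer really is five hops away when sourced from the loopbacks: if it is closer, the session still establishes (the check is "at least 250", not "exactly 250"); if it is further, the neighbor never comes up.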

Well, that's about it for the lab. :) Tomorrow I'm going to be doing the Advanced Mitigation labs! Join me on Google Wave at 10:30 PM IST.

Another thing to look out for is that most of the configuration tasks can't actually be tested in the lab, so I would suggest paying attention to the "show" commands and learning to decipher what they mean. That could make the difference between an almost-complete configuration and an award-winning one. :) This is something which I am learning :)

Cheers and have a great day!

TacACK
