badly connected

Static routes

Floating static routes

A floating static route is a static route that the router uses to back up a dynamic route. You must configure a floating static route with a higher administrative distance than the dynamic route that it backs up.
When the primary route is lost the floating static route will be used.

For example, if 10.66.0.1/32 is learned by OSPF (AD 110), a floating static route with AD 111 is installed only when the OSPF route disappears:
ip route 10.66.0.1 255.255.255.255 10.66.0.2 111 name Floating-static

 

Static routes in the routing table

ip route 1.1.1.1 255.255.255.255 FastEthernet0/1

This route stays in the routing table as long as Fa0/1 is up.

 


However if you specify an IP address as next-hop, the static route will stay in the routing table as long as the next-hop IP is reachable:

static.PNG

ip route 2.2.2.2 255.255.255.255 10.66.0.6

Even if the link between P-03 and P-02 goes down, the 10.66.0.6 next-hop IP will be reachable via P-01, so the static route to 2.2.2.2 will work.

 


If you specify both an exit interface and a next-hop IP, and the exit interface goes down, the static route is removed from the routing table even if the next-hop IP is still reachable another way.

ip route 2.2.2.2 255.255.255.255 FastEthernet0/0 10.66.0.6

 

iBGP vs eBGP

The main difference

eBGP exchanges routes with other autonomous systems (your uplinks), while iBGP distributes those routes within your own AS.

iBGP does not modify any BGP attributes! This includes the next-hop, which is why you need either an IGP that can reach the eBGP next-hop or next-hop-self.
Note: using an IGP is the best practice!

iBGP

Since iBGP does not modify the AS-Path (the primary loop-prevention mechanism in BGP), it needs some additional rules:

BGP split horizon
“Never advertise a route you received via iBGP to another iBGP peer.”

ibgp.png

This means that you must have a full mesh between your iBGP neighbors. Fortunately, an iBGP neighborship can be formed between devices that are not directly connected:

ibgp-2.PNG

 

eBGP

eBGP does modify BGP attributes, for example the next-hop IP.
However, PE-01 will not know how to reach 10.0.0.2, for example. To resolve this the routers run an IGP and PE-03 advertises the 10.0.0.0/30 network. The IGP is also necessary to build the iBGP session between two iBGP peers that are not directly connected.

mpls-example.PNG

 

LWAP to Autonomous

Tested with: Cisco 1242AG E K9

In Lightweight Access Point mode you are not able to configure the AP locally.
You can, however, configure an IP address (temporarily!):

capwap ap ip address 10.0.0.1 255.0.0.0

 

To switch from LWAP to Autonomous mode you have to load an Autonomous IOS image, which you can do with TFTP.

When the AP is in ROMMON mode it uses 10.0.0.1 as its default IP address, so if you give the TFTP server an address such as 10.0.0.2 the AP will be able to download the IOS image from it.

There are two ways to do this:

Method 1

Connect the AP and the TFTP server with a patch cable, then hold the MODE button and plug in the AC adapter. Release the MODE button when the LED is solid red (or purple).
In this case the AP will try to download and boot the IOS image through TFTP:

image_recovery: Download default IOS tar image tftp://255.255.255.255/c1240-k9w7-tar.default

Make sure that you have the right IOS name.

Method 2

Unplug the Ethernet cable, then hold the MODE button and plug in the AC adapter. Release the MODE button when the LED is solid red (or purple).

The AP will boot into ROMMON mode. Connect the AP to the TFTP server then execute the following commands:

ether_init
tftp_init
tar -xtract tftp://10.0.0.2/c1240-k9w7-tar.123-8.JA2.rar flash:
boot flash:/c1240-k9w7-mx.123-8.JA2/c1240-k9w7-mx.123-8.JA2

With this method you don't need to worry about the default IOS image name.

 

After booting the IOS, don’t forget to configure the boot system!

Bridge Virtual Interface (BVI) vs Switch Virtual Interface (SVI)

Source: https://supportforums.cisco.com/discussion/12043896/bvi-what-it-and-what-are-its-uses

A BVI is in fact quite similar to an SVI (interface Vlan). You can define a software bridging between various ports of a router, similar to switching between various ports on a switch. If the ports on a switch belong to the same VLAN and the switch is capable of multilayer switching, you can create an interface Vlan for that VLAN and allow the hosts in that VLAN to use the IP address of the interface Vlan as their default gateway.

The same goes for interface BVI – Bridged Virtual Interface. When configuring software bridging, you define a group of interfaces that are bridged – the router performs bridging (i.e. software-based switching) of frames between all member ports of a bridge group, in essence forming a single broadcast domain – an IP subnet. If the devices in the common bridge group want to access other IP networks, they need a gateway, so you create an associated interface BVI that is also a part of the bridge group, and devices in the bridge group then use the IP address of the BVI interface as their gateway.

For example, imagine a router with two FastEthernet interfaces:

bridge irb
!
interface FastEthernet0/0
 no ip address
 no shutdown
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 no shutdown
 bridge-group 1
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
bridge 1 route ip

This configuration would make your router basically behave as a 2-port “switch” on its Fa0/0 and Fa0/1 interfaces, and devices connected to these ports would use 10.0.0.1 as their default gateway to other networks.

You rarely configure bridging exactly this way these days, as switches are orders of magnitude faster and have way more ports. Still, there are situations where you need to bridge two interfaces, taking packets out of frames of one technology and putting them into frames of a different technology, without routing them, just repackaging but still carrying them between interfaces. This is often done in, say, DSL if the router is configured to act in bridge mode – take IP packets coming to Ethernet interface and simply repackage them into PPP or ATM+AAL5 cells on the DSL WAN port (and vice versa).

Route map

As in the case of ACLs, route maps also have an implicit deny at the end. Be careful!

Multiple “match” statements

When you add multiple “match” statements to a single route-map sequence they are combined with AND.
So all of the “match” statements need to match before the “set” statement is applied to a given route.

Multiple match parameters

You can also add multiple parameters for a match statement for example:

route-map TEST permit 10
 match ip address ACL_1  ACL_2  ACL_3

In this case the ACLs will use OR logic:
match ip address ACL_1  OR  ACL_2  OR  ACL_3
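An evaluator for the route-map semantics described in this section (sequences tried in order, AND between match statements, OR between parameters of one match, implicit deny at the end). This is an added example, not IOS code or anything from the original page; the ACL contents, route-map sequences and sample routes are constructed.

```python
"""Route-map evaluator: AND across match lines, OR across a line's parameters,
implicit deny when no sequence matches. Constructed example, not IOS code."""
import ipaddress

# Constructed standard ACLs: name -> permitted networks (implicit deny at the end).
ACLS = {
    "ACL_1": [ipaddress.IPv4Network("10.0.0.0/8")],
    "ACL_2": [ipaddress.IPv4Network("172.16.0.0/12")],
    "ACL_3": [ipaddress.IPv4Network("192.168.0.0/16")],
}


def acl_permits(acl_name: str, prefix: ipaddress.IPv4Network) -> bool:
    """A route matches a standard ACL when its network address is permitted."""
    return any(prefix.network_address in net for net in ACLS[acl_name])


def clause_matches(clause: tuple, route: dict) -> bool:
    """One 'match' line. Its parameters are ORed, as in
    'match ip address ACL_1 ACL_2 ACL_3'."""
    kind, params = clause
    if kind == "ip address":
        return any(acl_permits(acl, route["prefix"]) for acl in params)
    if kind == "metric":
        return route.get("metric") in params
    raise ValueError(f"unsupported match type {kind!r}")


def evaluate(route_map: list, route: dict) -> tuple:
    """Return ('permit', modified_route, seq) or ('deny', None, seq);
    seq is None when the implicit deny at the end of the route-map applied."""
    for entry in route_map:
        # Several match lines in one sequence are ANDed; no match lines = match all.
        if all(clause_matches(c, route) for c in entry.get("match", [])):
            if entry["action"] == "deny":
                return "deny", None, entry["seq"]
            return "permit", {**route, **entry.get("set", {})}, entry["seq"]
    return "deny", None, None  # implicit deny, exactly like an ACL


# Constructed route-map in the style of the page's 'route-map TEST permit 10'.
ROUTE_MAP = [
    {"seq": 10, "action": "permit",
     "match": [("ip address", ["ACL_2", "ACL_3"])],            # ACL_2 OR ACL_3
     "set": {"local-preference": 200}},
    {"seq": 20, "action": "permit",
     "match": [("ip address", ["ACL_1"]), ("metric", [100])],  # ACL_1 AND metric 100
     "set": {"metric": 50}},
]


def make_route(prefix: str, metric: int) -> dict:
    return {"prefix": ipaddress.IPv4Network(prefix), "metric": metric}


def demo() -> dict:
    """Constructed routes run through ROUTE_MAP."""
    return {
        "acl2_route": evaluate(ROUTE_MAP, make_route("172.16.5.0/24", 10)),
        "acl1_metric_100": evaluate(ROUTE_MAP, make_route("10.1.0.0/16", 100)),
        # ACL_1 matches but metric does not: the AND fails, so implicit deny
        "acl1_metric_20": evaluate(ROUTE_MAP, make_route("10.1.0.0/16", 20)),
        "unlisted": evaluate(ROUTE_MAP, make_route("198.51.100.0/24", 10)),
    }
```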

 

Multicast

  • Source IP is a simple unicast IP
  • Destination IP is a multicast group
  • IP addressing
    • Class D
    • 224.0.0.0 – 239.255.255.255
    • No subnetting!
  • There are sub-ranges (not subnets) within this class D:
    • 224.0.0.0/24 – Local Network Control Block (Routing Protocols)
      • Operate within a link-local scope
      • TTL of 1 or 2
      • e.g. 224.0.0.5 and 224.0.0.6 for OSPF
    • 232.0.0.0/8 – Source-Specific Multicast Block
      • for multicast streams whose sources are already known
    • 239.0.0.0/8 – Organization-Local Scope (Private IPs)
      • Should be limited to use within an AS

Routing Protocol Authentication

Authentication Methods

  • How does plain text authentication work in case of routing updates?
    • The routing updates carry a key and a key number. (If a routing protocol does not support multiple keys, the key number is 0.)
    • The other router receives the key and compares it with its own.
    • If the keys and key numbers match, it accepts the update.
  • Which routing protocols support plain text authentication?
    • RIPv2, OSPFv2, IS-IS
  • How does Hashing authentication work in case of routing updates?
    • A hashing algorithm is run on a routing update using the configured key. The result is added to the end of the routing update.
    • The neighbor runs the hashing algorithm on the received update together with its local key, which produces a hash digest.
    • If the created hash digest matches with the received hash digest then the router accepts the update.
  • What is a key chain? What are its advantages?
    • It is a collection of keys, each identified by an associated key ID.
    • Each key can be configured to be used in a specified time window = time-based key chain.
  • How do you configure time-based key chain?
    • key chain R1KEYCHAIN
        key 1
           key-string Cisco  // password of key 1
           accept-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
           send-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
        key 2
           key-string Juniper
           accept-lifetime 01:00:00 April 1 2014 infinite
           send-lifetime 01:00:00 April 1 2014 infinite

EIGRP Authentication

  • What packets are authenticated when EIGRP authentication is active?
    • All EIGRP messages.
    • The routers use the same preshared key (PSK) and generate an MD5 digest for each EIGRP message based on the PSK.
  • What kind of security does EIGRP authentication give?
    • It helps to prevent DoS attacks.
    • Other devices (non-neighbors) can still read the EIGRP messages,
    • however they cannot form a neighborship.
  • How do you configure EIGRP for IPv4 authentication? 
    • key chain R1KEYS
        key 1
           key-string DRIZZT
        key 2
           key-string GERALT
      !
      interface Fa0/0
        ip authentication mode eigrp 1 md5
        ip authentication key-chain eigrp 1 R1KEYS
    • ip authentication mode eigrp ASN md5
      ip authentication key-chain eigrp ASN  name-of-keychain
    • Note: in this example key 2 will never be used; if key 1 does not match, key 2 is not checked. Multiple keys are useful when you also configure lifetimes.
  • How do you configure EIGRP for IPv6 authentication?

    • key chain R1KEYS
        key 1
           key-string DRIZZT
      !
      interface Fa0/0
        ipv6 eigrp 1
        ipv6 authentication mode eigrp 1 md5
        ipv6 authentication key-chain eigrp 1 R1KEYS
    • ipv6 authentication mode eigrp ASN md5
      ipv6 authentication key-chain eigrp ASN  name-of-keychain 
  • How do you configure named EIGRP authentication? 
    • key chain R1KEYS
        key 1
           key-string DRIZZT
      !
      router eigrp EIGRP-DEMO
      !
        address-family ipv4 unicast autonomous-system 2
        !
        af-interface Fa0/0
          authentication mode md5
          authentication key-chain R1KEYS
        exit-af-interface
        !
        network 0.0.0.0
      exit-address-family

OSPF Authentication

  • What packets are authenticated when OSPF authentication is active?
    • As in the case of EIGRP, all OSPF messages are checked.
  • What type of authentications exist in OSPF?
    • Type 0 = no authentication
    • Type 1 = plain text authentication (OSPFv3 does not support it)
    • Type 2 = Hashing authentication
  • Where and how can you configure plain text authentication?
    • You can configure it either on an interface or for a whole OSPF area
    • !R1
      interface Fa0/0
        ip address 10.0.0.1 255.255.255.0
        ip ospf authentication-key KEYLIME
      !
      router ospf 1
        area 0 authentication  // enables authentication on an area
      
      !R2
      interface Fa0/0
        ip address 10.0.0.2 255.255.255.0
        ip ospf authentication   // enable authentication on an individual interface
        ip ospf authentication-key KEYLIME
      
      
  • What is the difference between plain text and MD5 authentication in OSPF?
    • The MD5 hash is calculated using the key-string (up to 16 characters) and the key ID
    • You can have a separate key for each interface
  • How do you configure MD5 authentication?
    • !R1
      interface Fa0/0
        ip address 10.0.0.1 255.255.255.0
        ip ospf message-digest-key 1 md5 KEYLIME
      !
      router ospf 1
        area 0 authentication message-digest //enable MD5 auth for all area 0
        network 0.0.0.0 255.255.255.255 area 0
      
      !R2
      interface Fa0/0
        ip address 10.0.0.2 255.255.255.0
        ip ospf authentication message-digest //enable MD5 auth for interface
        ip ospf message-digest-key 1 md5 KEYLIME
      !
      router ospf 1
        network 0.0.0.0 255.255.255.255 area 0
  • How do you verify which type of authentication is used on the interface?
    • show ip ospf interface interface-id
  • How does OSPFv3 authentication work?
    • OSPFv3 relies on IPsec: either authentication only, or Encapsulating Security Payload (ESP) for authentication and encryption:
      ipv6 ospf authentication = authentication only
      ipv6 ospf encryption = authentication and encryption using ESP
  • How do you configure OSPFv3 authentication?
    • !R1
      interface Fa0/0
        ipv6 address 2002::1/64
        ipv6 ospf 2 area 0
      !
      ipv6 router ospf 2
        router-id 1.1.1.1
        area 0 authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
      
      
      !R2
      interface Fa0/0
        ipv6 address 2002::2/64
        ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
        ipv6 ospf 2 area 0
      !
      ipv6 router ospf 2
        router-id 2.2.2.2
    • As with the previous configurations, OSPFv3 security can be configured either under the interface or under the router ospf section:
      area area-number authentication ipsec spi security-policy-index md5/sha1 0/7 key-string

      ipv6 ospf authentication ipsec spi security-policy-index md5/sha1 0/7 key-string

  • How can you verify OSPFv3 authentication?
    • show crypto ipsec sa interface interface-id
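A model of the hashing authentication described under “Authentication Methods” above, using the OSPFv2 MD5 scheme from the configuration examples (RFC 2328 Appendix D): the sender appends MD5(packet || key) to the packet, the receiver selects the key by key ID, recomputes and compares, and rejects packets whose cryptographic sequence number goes backwards. This is an added example, not Cisco's implementation or code from the page; the packet bodies and router IDs are constructed, and only the key-string KEYLIME is taken from the configs above.

```python
"""OSPFv2 cryptographic (MD5) authentication model, RFC 2328 Appendix D.
Constructed example, not Cisco's implementation."""
import hashlib
import hmac
import struct

HDR_LEN = 24          # OSPFv2 header size
DIGEST_LEN = 16       # MD5 digest appended after the packet
AUTYPE_CRYPTO = 2     # AuType 2 = cryptographic authentication


def pad_key(key: bytes) -> bytes:
    """key-string is at most 16 characters; shorter keys are zero-padded to 16 bytes."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key-string is limited to 16 characters")
    return key.ljust(16, b"\x00")


def build_packet(router_id: bytes, body: bytes, key_id: int, seq: int) -> bytes:
    """OSPFv2 header (version 2, type 1 = Hello, area 0) with AuType 2. With crypto
    auth the checksum is 0 and the 64-bit auth field carries 0x0000, key id,
    auth data length (16) and the cryptographic sequence number."""
    length = HDR_LEN + len(body)
    hdr = struct.pack("!BBH4s4sHHHBBI", 2, 1, length, router_id, b"\x00" * 4,
                      0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    return hdr + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender: MD5 over packet || padded key, appended after the packet
    (the digest is not counted in the header's length field)."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire: bytes, keychain: dict, last_seq: dict):
    """Receiver: select the key by key id, recompute and compare the digest, then
    require a non-decreasing sequence number per neighbor (anti-replay)."""
    if len(wire) < HDR_LEN + DIGEST_LEN:
        return False, "packet too short"
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    length, = struct.unpack("!H", packet[2:4])
    router_id = packet[4:8]
    autype, = struct.unpack("!H", packet[14:16])
    key_id, auth_len = packet[18], packet[19]
    seq, = struct.unpack("!I", packet[20:24])
    if length != len(packet) or autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "malformed header"
    key = keychain.get(key_id)
    if key is None:
        return False, f"no key with id {key_id}"
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if seq < last_seq.get(router_id, 0):
        return False, "sequence number went backwards (replay?)"
    last_seq[router_id] = seq
    return True, "accepted"


def demo() -> dict:
    """Run the failure modes on constructed Hello packets from router-id 1.1.1.1."""
    r1 = bytes([1, 1, 1, 1])
    keys = {1: b"KEYLIME"}                       # receiver's message-digest-key 1
    body = b"\xff\xff\xff\x00\x00\x0a\x02\x01"   # constructed Hello body fragment
    state: dict = {}
    results = {}
    good = sign(build_packet(r1, body, 1, 100), b"KEYLIME")
    results["good"] = verify(good, keys, state)
    # Overwrite bytes in the body: the digest no longer matches.
    tampered = good[:HDR_LEN] + b"\x00\x00\x00\x00" + good[HDR_LEN + 4:]
    results["tampered"] = verify(tampered, keys, state)
    results["wrong_key"] = verify(sign(build_packet(r1, body, 1, 101), b"KEYLINE"), keys, state)
    results["unknown_id"] = verify(sign(build_packet(r1, body, 2, 102), b"KEYLIME"), keys, state)
    results["newer"] = verify(sign(build_packet(r1, body, 1, 101), b"KEYLIME"), keys, state)
    results["replay"] = verify(good, keys, state)  # seq 100 after 101 is rejected
    return results
```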

BGP Authentication

  • What is the difference between IGP and BGP security?
    • Because BGP neighbors are explicitly configured there is less exposure to threats than with IGPs, but the existing TCP session can still be hijacked.
  • What type of security does BGP use?
    • There is no plain text or SHA authentication, only MD5!!
  • How do you configure IPv4 BGP authentication?
    • neighbor neighbor-IP password key-string 
  • How do you configure IPv6 BGP authentication?
    • neighbor neighbor-IPv6 password key-string

Fundamental Router Security Concepts

Access Control Lists

  • How do you configure a time-based ACL?
    • time-range TIMER
         periodic weekdays 8:00 to 16:30
      !
      access-list 100 permit tcp any host 192.168.0.1  eq 80 time-range TIMER
      !
      interface Fa0/0
         ip access-group 100 in
    • You can set “periodic” or “absolute” time.
  • What problem might occur when configuring an IPv6 ACL with, e.g., OSPF?
    • The traffic filter needs to permit the link-local addresses, or else the OSPF neighborship will fail.

Management Plane Security

  • How do you configure SSH?
    • hostname name
      ip domain-name name
      username name privilege 15 secret password
      crypto key generate rsa modulus size-of-modulus
      !
      line vty number
       transport input ssh
       login local
  • What is “enable secret password“? How is it encrypted?
    • It is used to give the engineer full access on a router. The password appears in a router’s running config as a SHA-256 hash value.
    • In the running config “enable secret 4 … ” means SHA-256 and “enable secret 5 …” means MD5 hash (which is not as secure).
  • If both “enable password pass” and “enable secret pass” are configured, which one will be used? Why?
    • You will be prompted for the enable secret password. The “enable password” command still exists only for backward compatibility.
  • What is the difference between the following 2 commands?
      username paul privilege 15 secret cisco
      username david secret cisco

    • When paul logs in to the router he will be in privileged mode. David needs to use the “enable” command to reach privileged mode.
  • What needs to be known about line passwords? How do you configure them?
    • They are stored in clear text by default. When “service password-encryption” is enabled they are obfuscated with Type 7 encryption, which can be easily decrypted.
    • line console 0
         password cisco
         login
  • What are the login states under lines?
    • no login = does not ask for a password, simply lets you in
    • login = uses the password configured on the line
    • login local = asks for configured username/password
  • What is uRPF?
    • Unicast Reverse Path Forwarding can help block packets with a spoofed source IP address. uRPF checks the source IP of a packet arriving on an interface and determines whether that address is reachable based on the FIB. (It checks incoming packets only.)
  • What modes does uRPF have?
    • Strict (rx): Source IP address must be reachable  (based on FIB)  and reply must leave on the interface where the original packet arrived.
    • Loose (any): Source IP address must be reachable (based on FIB).
    • VRF: Like Loose mode but overlapping IP addresses can be used because of VRFs.
  • What are the dangers of Strict uRPF?
    • In case of asymmetric routing legitimate packets will be dropped.
  • What if there is no exact match for the source IP in the FIB?
    • by default uRPF will drop the packet
    • if “allow-default” is enabled it will forward the packet
    • an ACL can be added to the uRPF, so when  uRPF fails (using FIB) it will check whether the IP is allowed in the ACL
  • How do you configure uRPF?
    urpf.PNG

    • interface Fa1/0
         ip address 192.168.1.1 255.255.255.0
         ip verify unicast source reachable-via rx
      interface Serial2/0
         ip address 172.16.0.1 255.255.255.252
         ip verify unicast source reachable-via any allow-default
    • rx = Strict mode – source is reachable via interface on which packet was received
      any = Loose mode – source is reachable via any interface
      allow-default  = default route can match an IP
  • How do you verify whether uRPF is enabled on an interface?
    • show cef interface interface-id
  • What is the meaning of AAA?
    • Authentication: this service checks the user’s credentials (login).
    • Authorization: this service determines what the user is allowed to do.
    • Accounting: this service collects and stores information about a user: logins, commands used, etc.
  • How do you configure AAA for authenticating remote logins?
    • aaa new-model    //enables AAA
      aaa authentication login ADMIN group tacacs+ local
      !
      username kevin secret cisco
      !
      tacacs server CISCO-ACS
        address ipv4 192.168.0.40
        key cisco
      !
      line vty 0 4
        login authentication ADMIN
    • The second line defines the method list named ADMIN, which attempts to perform authentication through a TACACS+ server. If the TACACS+ server is unreachable, the local keyword allows the device to perform authentication using the local user database (kevin).
  • How do you configure AAA fallback?
    • You can use the “local” parameter on the AAA command. If the TACACS server is not reachable the router will use local authentication.
  • What are the main differences between TACACS+ and RADIUS?
    • TACACS+
      • TCP port 49
      • support 15 privilege levels
      • encrypts the entire body of the packet
      • basic accounting features
      • cisco proprietary
      • heavy-weight protocol consuming more resources
      • mainly used for Device Administration
      • separates authentication and authorization
    • RADIUS
      • UDP port 1812
      • robust accounting features
      • encrypts only the password
      • supports authentication and authorization functions
  • How do you configure IOS local AAA?
    • MISSING
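A simulation of the uRPF decision described in the uRPF questions above (strict “rx” vs loose “any” mode, the allow-default option and the fallback ACL), run against a small FIB that mirrors the page's Fa1/0 / Serial2/0 configuration. This is an added example, not IOS code or code from the page; the FIB entries and sample source addresses are constructed.

```python
"""uRPF decision model: strict (rx) vs loose (any), allow-default, fallback ACL.
Constructed example, not IOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_ifaces: frozenset   # interfaces this prefix is reachable through (ECMP-aware)


def route_for(fib, ip):
    """Longest-prefix match in the FIB; None when nothing matches."""
    hits = [r for r in fib if ip in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(fib, in_iface, src, mode="rx", allow_default=False, acl=()):
    """Return ('forward' | 'drop', reason). mode 'rx' = strict: the source must be
    reachable out of the interface the packet arrived on; 'any' = loose: reachable
    via any interface. A default route only satisfies the check with allow_default.
    acl: networks permitted when the FIB check fails (the trailing ACL on
    'ip verify unicast source reachable-via ...')."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    ip = ipaddress.IPv4Address(src)
    route = route_for(fib, ip)
    usable = route is not None and (route.prefix.prefixlen > 0 or allow_default)
    if usable and (mode == "any" or in_iface in route.out_ifaces):
        return "forward", f"{src} reachable via {sorted(route.out_ifaces)} ({mode})"
    if any(ip in net for net in acl):
        return "forward", f"{src} failed uRPF but is permitted by the fallback ACL"
    if route is None:
        why = "no FIB entry for the source"
    elif not usable:
        why = "only the default route matches and allow-default is off"
    else:
        why = f"best path is via {sorted(route.out_ifaces)}, not {in_iface} (asymmetric or spoofed)"
    return "drop", f"{src}: {why}"


# Constructed FIB: LAN on Fa1/0, upstream (and default) on Serial2/0.
FIB = (
    Route(ipaddress.IPv4Network("192.168.1.0/24"), frozenset({"Fa1/0"})),
    Route(ipaddress.IPv4Network("172.16.0.0/30"), frozenset({"Serial2/0"})),
    Route(ipaddress.IPv4Network("10.0.0.0/8"), frozenset({"Serial2/0"})),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), frozenset({"Serial2/0"})),
)


def demo() -> dict:
    """Fa1/0 runs strict mode, Serial2/0 loose with allow-default, as on the page."""
    fallback = ipaddress.IPv4Network("203.0.113.0/24")
    return {
        "lan_ok": urpf_check(FIB, "Fa1/0", "192.168.1.50", "rx"),
        # 10.x is only reachable via Serial2/0: dropped on Fa1/0 whether spoofed or
        # a legitimate host behind an asymmetric path
        "lan_spoofed": urpf_check(FIB, "Fa1/0", "10.1.1.1", "rx"),
        "wan_loose": urpf_check(FIB, "Serial2/0", "10.1.1.1", "any", allow_default=True),
        "wan_default_ok": urpf_check(FIB, "Serial2/0", "198.51.100.7", "any", allow_default=True),
        "wan_default_denied": urpf_check(FIB, "Serial2/0", "198.51.100.7", "any"),
        "acl_fallback": urpf_check(FIB, "Fa1/0", "203.0.113.5", "rx", acl=(fallback,)),
    }
```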

SNMP

  • What is an SNMP Manager?
    • The manager runs a network management application. It is sometimes referred to as the NMS.
  • What is an SNMP Agent?
    • A piece of software which runs on the managed device.
  • What is the MIB?
    • Management Information Base: Information about the device’s resources and activity is defined by a series of objects.
  • What type of SNMP messages do you know?
    snmp-messages.PNG

    • GET: Retrieves information from a managed device.
    • SET: Sets a variable in a managed device or triggers an action on it.
    • Trap: The managed device sends a message to an NMS which can notify the SNMP manager about an event.
  • What kind of security exist on SNMPv1 and SNMPv2?
    • They use a community string to grant read-only or read-write access. This is considered weak.
  • How do you configure SNMPv2?
    • snmp-server community DRIZZT ro 10
      snmp-server community GERALT rw 10
      !
      access-list 10 permit host 10.0.0.1
  • What is the difference between SNMP traps and informs?
    • TRAP: send a notification to the manager that something happened
    • INFORM: sends a notification and waits for an acknowledgement from the manager. It keeps resending until an acknowledgement is received.
  • How do you configure SNMPv3?
    • ip access-list standard SNMPV3-ACL
        permit 10.1.1.0 0.0.0.255
      !
      snmp-server view OPS sysUpTime included
      snmp-server view OPS ifOperStatus included
      
      snmp-server group MY-GROUP v3 priv read OPS write OPS access SNMPV3-ACL
      snmp-server user ADMIN MY-GROUP v3 auth sha SNMP-Secret1 priv aes 256 SNMP-Secret2
      !
      snmp-server enable traps
      !
      snmp-server host 10.1.1.254 traps version 3 priv ADMIN cpu
      snmp-server ifindex persist
  • What type of security models exist (SNMP)?
    • noAuthNoPriv: (no authentication, no privacy) This level uses a username for authentication but no encryption
    • authNoPriv: Authentication using Hash Message Authentication Code (HMAC) with MD5 or SHA-1. No encryption.
    • authPriv: HMAC authentication with encryption
    snmp-security.PNG
  • What if there is no read view defined? What if there is no write view defined?
    • When no read view: everything is readable
    • When no write view: nothing can be modified
  • What is the function of the snmp-server manager command?
    • To enable the device to send and receive SNMP requests and responses.

NTP

  • What is a stratum value?
    • It is used by NTP and indicates the believability of a time source.
    • Stratum ranges from 0 to 15; the lower the better. It works like a hop count.
  • What are the 4 modes in which NTP can propagate time?
    • Server (or NTP master): Can be configured using ntp master stratum global command.
    • Client: Synchronizes its time with the NTP server.  ntp server IP
    • Peers: This is called symmetric mode. Peers exchange time synchronization information. This is often used between two or more servers operating as mutually redundant group. ntp peer IP
    • Broadcast/multicast: The NTP server provides one-way time announcements to receptive clients. Client config: (interface) ntp broadcast client
  • How do you configure NTP broadcast?
    • !Server
      interface Fa0/0
        ip addr 10.0.0.1 255.255.255.0
        ntp broadcast
      ntp server 192.168.88.1
      
      !Client
      interface Fa0/0
        ip addr 10.0.0.2 255.255.255.0
        ntp broadcast client
  • How do you configure NTP multicast?
    • !Server
      ip multicast-routing
      !
      interface Fa0/0
        ip addr 10.0.0.1 255.255.255.0
        ip pim dense-mode
        ntp multicast 239.5.5.5
      
      !Client
      ip multicast-routing
      !
      interface Fa0/0
        ip addr 10.0.0.2 255.255.255.0
        ip pim dense-mode
        ntp multicast client 239.5.5.5
  • What are the differences between NTPv3 and NTPv4?
    • NTPv4 supports IPv6
    • NTPv4 uses multicast instead of broadcast
    • improved security
  • What does the following command means?
    ntp access-group serve 10

    • The NTP server only serves the devices which are defined in ACL 10.
  • How do you configure authenticated NTP?
    • !Server
        ntp authentication-key key-id md5 key
        ntp authenticate
        ntp trusted-key key-id
        ntp master stratum-number 
      
      !Client
        ntp authentication-key key-id md5 key
        ntp authenticate
        ntp trusted-key key-id
        ntp server ip-address-of-ntp-server key key-id 
    • The key and key-id must match on the Client and Server.
  • How do you verify NTP?
    • show ntp associations detail
    • show ntp status
  • What is SNTP?
    • SNTP cannot provide time service (master) to other systems
    • Also it does not provide complex filtering and statistical mechanism as NTP
    • SNTP and NTP cannot coexist on a device as they use the same port
  • How do you configure SNTP?
    • The same way as NTP only instead of “ntp..” you use the command “sntp..”

Logging

  • How can you enhance logging?
    • By increasing the logging history (logging buffer) and using time stamps.
  • How do you configure timestamps to logging?
    • (global) service timestamps log datetime
  • What is a core dump?
    • It is a file containing a process’s address space (memory) at the moment the process terminates unexpectedly, used to identify the cause of the crash. It is useful for crash analysis when a device crashes without warning.
    • It is not recommended to do a core dump when the router is in operation.
  • How does debug condition work?
    • It only shows debug messages which relates to the condition parameter:
      ie.: debug condition interface Fa0/0
             debug ip RIP

      Only those RIP messages will appear which are related to Fa0/0
  • How do you apply an ACL to a debug command?
    • e.g. debug ip packet acl-number
  • How do you turn on local logging?
    • logging buffered severity-number
  • What kind of message logging types exist?
    • message logging
  • What level does “logging console warning” command use?
    • level 4,3,2,1,0  =  warning, error, critical, alert, emergencies
