
Posts

Showing posts from 2010

CCIE-LAB-ASA

1) To see the ASA as a hop during traceroute you need to decrement the TTL in the default class of the global policy (the ASA keyword is decrement-ttl):

policy-map global_policy
 class class-default
  set connection decrement-ttl

2) interface: port-channel & redundant
a) port-channel - active-active mode (a port-channel on the switch is required)
b) redundant - active/passive mode (default settings on the switch are enough because only one port is active)

3) traceroute
linux/cisco version:
a) the router sends a UDP packet to port 33434 -> sent to the destination with TTL 1 (3 times)
b) ICMP time-exceeded comes back <- because TTL reached 0
c) UDP to port 33437 -> sent with the TTL incremented by 1 (TTL = 2)
d) and so on until it reaches the destination
e) the destination sends ICMP port unreachable
windows version:
a) ICMP echo request ->
b) ICMP time exceeded <-
c) and so on
d) ICMP echo reply

4) global access-list
Starting with code 8.3(1), you can also apply one IPv4 and one IPv6 ACL globally, configured with the command

CCIE-IOS-NAT

1) static NAT
a) the same inside address is allowed in more than one NAT statement:

ip nat inside source static 136.1.128.9 136.1.19.250 extendable
ip nat inside source static 136.1.128.9 136.1.99.250 extendable

b)

ip nat inside source static tcp 136.1.128.9 80 interface GigabitEthernet0/1.123 8080

c)

access-list 100 permit ip any 136.1.19.0 0.0.0.255
access-list 150 deny ip any 136.1.19.0 0.0.0.255
access-list 150 permit ip any 136.1.0.0 0.0.255.255
access-list 190 permit ip any 150.1.0.0 0.0.255.255
route-map VLAN19_SUBNET permit 10
 match ip address 100
!
route-map ALL_SUBNET permit 10
 match ip address 150
!
route-map LOOPBACK_SUBNET permit 10
 match ip address 190

ip nat inside source static 150.1.9.9 136.1.99.100 route-map VLAN19_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.150 route-map ALL_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.190 rou

CCIE-LAB-WLC

1) A TACACS+ user can be an admin on the WLC, but the 'shell profile' needs to have one attribute: role1=ALL (double check that there is no space!!!!)

Authorization Result {
 Type = Authorization;
 Author-Reply-Status = PassAdd;
 AVPair = role1=ALL;
}

2) A RADIUS user can be an admin on the WLC, but the user needs to have the following attributes:

IETF Service-Type attributes:
 NAS Prompt for readonly
 Administrative for readwrite
 Callback Administrative for lobbyadmin

3) adding a new admin user on the WLC:

config mgmtuser add testuser testpAss1 read-write

4) you can have different rogue rules for malicious and trusted networks:

(Cisco Controller) > show rogue rule summary
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        KNOWN                   Enabled  Friendly      All   0
2        UNKNOWN                 Enable

CCIE-LAB-ROUTING

1) RIP
a) neighbor - unicast only
b) passive-interface (stops sending, still receives)
c) distribute-list - prefix-list -> deny first and then permit 0.0.0.0/0 le 32
d) authentication (clear text or MD5) - on IOS you need a key-chain, on the ASA you just provide the password inline with the key_id (which must match)

2) OSPF v2
a) clear text or MD5
b) you can authenticate per interface or per area
c)

3) OSPF v3
a) you can authenticate and encrypt (available on some IOS versions)

4) EIGRP
a) only MD5
b) key-chain

5) BGP
a) TCP MD5 authentication is available
b) when passing a firewall you need to add a policy: disable sequence number randomization and allow TCP option 19 (range 19 19) to pass

tcp-map BGP
 tcp-options range 19 19 allow
!
set connection random-sequence-number disable
set connection advanced-options BGP

CCIE-LAB-QOS

Control Plane Policy

1) control-plane host
a) service-policy input

!
class-map match-all UDP-FLOOD
 match access-group 101
!
policy-map UDP-FLOOD-PM
 class UDP-FLOOD
  police rate 16000 bps conform-action drop
!
control-plane
 service-policy input UDP-FLOOD-PM
!

b) service-policy type queue-threshold input - only for some protocols:

R2(config-cmap)# match protocol ?
  bgp     Border Gateway Protocol
  dns     Domain Name Server lookup
  ftp     File Transfer Protocol
  http    World Wide Web traffic
  igmp    Internet Group Management Protocol
  snmp    Simple Network Management Protocol
  ssh     Secure Shell Protocol
  syslog  Syslog Server
  telnet  Telnet
  tftp    Trivial File Transfer Protocol
R2(config-cmap)#

class-map type queue-threshold HTTP-CM
 match protocol http
!
policy-map type queue-threshold HTTP-PM
 class HTTP-CM
  queue-limit 10

c) service-policy

CCIE-LAB-RTBH

I - DESTINATION BASED

ATTACKER:
R1:
router rip
 version 2
 no auto-summary
 network 136.1.0.0
 network 150.1.0.0

TRIGGER:
R2:
router rip
 version 2
 no auto-summary
 network 136.1.0.0
 network 150.1.0.0
!
router bgp 23
 neighbor 136.1.23.3 remote-as 23
 neighbor 136.1.23.3 send-community
 redistribute static route-map STATIC_TO_BGP
!
route-map STATIC_TO_BGP permit 10
 match tag 23
 set local-preference 200
 set origin igp
 set community no-export
 set ip next-hop 192.0.2.1
!
ip route 192.0.2.1 255.255.255.255 Null0

When the attack starts, add the static route below (with the IP of the destination - the local server); the tag makes it match the route-map and gets it advertised with the Null0 next-hop:

ip route 10.1.0.100 255.255.255.255 Null0 tag 23

EDGE:
R3:
router rip
 version 2
 no auto-summary
 network 136.1.0.0
 network 150.1.0.0
 network 10.0.0.0
!
router bgp 23
 neighbor 136.1.23.2 remote-as 23
!
ip route 192.0.2.1 255.255.255.255 Null0
!
interface

CCIE-LAB-SECURITY

1) secure management plane:

control-plane host
 management-interface fa0/0 allow https ssh

R2#sh management-interface
Management interface FastEthernet0/0
        Protocol        Packets processed
             ftp                        0
            http                        0
           https                        0
             ssh                        0
            tftp                        0
            snmp                        0
            beep                        0
          telnet                        0
             tl1                        0
R2#

2) access-list (IOS):

R3(config)# ip access-list extended TEST123
R3(config-ext-nacl)# den
R3(config-ext-nacl)# deny ip a
R3(config-ext-nacl)# deny ip any a
R3(config-ext-nacl)# deny ip any any ?
  dscp       Match packets with given dscp value
  fragments  Check non-initial fragments
  log        Log matches against this entry
  log-input  Log matches against this entry, including input interface