

Showing posts from January, 2010


1) to see the ASA as a hop during traceroute you need to:

policy-map global_policy
 class class-default
  set connection decrement-ttl
2) interface: port-channel & redundant

a) port channel - active/active mode (a port channel on the switch is required)

b) redundant - active/passive mode (default settings on the switch, because only one port is active)

3) traceroute

linux/cisco version:
a) router sends a udp packet to port 33434 -> sent to the destination with ttl 1 (3 times)
b) icmp time-exceeded <- because the ttl reached 0
c) udp to port 33437 -> sent with the ttl incremented by 1 (ttl=2)
d) and so on till it reaches the destination
e) destination sends icmp port unreachable

windows version:
a) icmp echo request ->
b) icmp time exceeded <-
c) and so on
d) icmp echo reply <-
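The two probe styles above, and the ASA point from item 1 (a hop that does not decrement TTL never appears in the output), modelled in Python. This is an added example, not code from the blog: the path, addresses and hop behaviour are constructed, and the "network" is a list of hops rather than real sockets, so it runs offline.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

BASE_PORT = 33434      # first UDP destination port used by Linux/Cisco traceroute
PROBES_PER_TTL = 3     # three probes per TTL value; the port goes up by one per probe


@dataclass
class Hop:
    addr: str
    decrements_ttl: bool = True   # an ASA without 'set connection decrement-ttl' leaves TTL alone


@dataclass
class Reply:
    src: str       # address the reply came from
    kind: str      # "time-exceeded", "port-unreachable" or "echo-reply"


def forward(path: List[Hop], ttl: int, proto: str) -> Reply:
    """Model one probe crossing the path (constructed network model, not a real socket).

    Each hop before the destination decrements TTL unless configured not to; the hop
    that drives TTL to 0 answers with ICMP time-exceeded.  The destination answers a
    UDP probe with ICMP port-unreachable and an ICMP echo request with an echo reply.
    """
    for hop in path[:-1]:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return Reply(hop.addr, "time-exceeded")
    dest = path[-1]
    return Reply(dest.addr, "port-unreachable" if proto == "udp" else "echo-reply")


def traceroute(path: List[Hop], style: str = "linux") -> List[Tuple[int, Optional[int], str, str]]:
    """Run the probe loop and return one row per TTL:
    (ttl, UDP port of the first probe for that TTL or None for ICMP, responder, reply kind)."""
    proto = "udp" if style == "linux" else "icmp"
    rows = []
    port = BASE_PORT
    ttl = 1
    while True:
        first_port = port if proto == "udp" else None
        for _ in range(PROBES_PER_TTL):
            reply = forward(path, ttl, proto)
            if proto == "udp":
                port += 1          # 33434, 33435, 33436 for ttl 1; 33437 starts ttl 2
        rows.append((ttl, first_port, reply.src, reply.kind))
        if reply.kind != "time-exceeded":
            return rows
        ttl += 1


def enable_asa_decrement(path: List[Hop]) -> List[Hop]:
    """Return a copy of the path where every hop decrements TTL
    (the effect of 'set connection decrement-ttl' on the ASA)."""
    return [Hop(h.addr, True) for h in path]


# Constructed sample path: router, ASA with default settings, router, destination.
SAMPLE_PATH = [
    Hop("10.0.0.1"),
    Hop("10.0.1.1", decrements_ttl=False),
    Hop("10.0.2.1"),
    Hop("192.0.2.10"),
]

if __name__ == "__main__":
    for style in ("linux", "windows"):
        print(style)
        for ttl, port, src, kind in traceroute(SAMPLE_PATH, style):
            print(f"  ttl={ttl} port={port} {src} {kind}")
    print("with decrement-ttl on the ASA")
    for ttl, port, src, kind in traceroute(enable_asa_decrement(SAMPLE_PATH)):
        print(f"  ttl={ttl} port={port} {src} {kind}")
```

With the ASA left at its default the run shows three hops and the firewall is simply absent; after `enable_asa_decrement` it appears as the second hop, which is what the `set connection decrement-ttl` line in item 1 achieves on a real box.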
4) global access-list

Starting with code 8.3(1), you can also apply one IPv4 and one IPv6 ACL globally, configured with the command access-group global; the global access-list is always interpreted as an inbound ACL. When the global ACL…


1) static NAT
a) alllow on more than one nat statement:

ip nat inside source static 136.1.128.9 136.1.19.250 extendable
ip nat inside source static 136.1.128.9 136.1.99.250 extendable
ip nat inside source static tcp
access-list 100 permit ip any
access-list 150 deny ip any
access-list 150 permit ip any
access-list 190 permit ip any
!
route-map VLAN19_SUBNET permit 10
 match ip address 100
!
route-map ALL_SUBNET permit 10
 match ip address 150
!
route-map LOOPBACK_SUBNET permit 10
 match ip address 190
!
ip nat inside source static 150.1.9.9 136.1.99.100 route-map VLAN19_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.150 route-map ALL_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.190 route-map LOOPBACK_SUBNET reversible
Without the keyword ‘reversible’ it translates all traffic without checking the source.

ip nat log translations…


1) a tacacs user can be an admin on the WLC, but the ‘shell profile’ needs to have one attribute: role1=ALL (double check that there is no space!!!!)

2) a radius user can be an admin on the WLC, but the user needs to have the following attributes:
IETF Service-Type attribute:
- NAS Prompt for read-only
- Administrative for read-write
- Callback Administrative for lobby admin
3) adding a new admin user on WLC:
config mgmtuser add testuser testpAss1 read-write
4) you can have different rules for malicious and trusted networks:
(Cisco Controller) >show rogue rule summary

Priority  Rule Name  State    Type       Match  Hit Count
--------  ---------  -------  ---------  -----  ---------
1         KNOWN      Enabled  Friendly   All    0
2         UNKNOWN    Enabled  Malicious  Any    0
(Cisco Controller) >
5) you can manually add (by MAC address) which APs are trusted:
(CiscoController)>show auth-list Authorize MIC APs against AAA ....…


1) RIP

a) neighbor - only unicast
b) passive-interface (stops sending, still receives)
c) distribute-list - prefix -> deny first and then permit le 32
d) authentication (clear or MD5) - on IOS you need a key-chain, on ASA you just provide the password inline with the key_id (which must match)

2) OSPF v2

a) clear text or MD5
b) you can authenticate per interface or per area
c)

3) OSPF v3

a) you can authenticate and encrypt (available on some IOS’)


a) only MD5
b) key_chain

5) BGP

a) authentication (tcp) MD5 available
b) passing through a firewall you need to add a policy: disable sequence number randomization and allow tcp option 19 (range 19 19) to pass
tcp-map BGP
 tcp-options range 19 19 allow
!
 set connection random-sequence-number disable
 set connection advanced-options BGP
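The firewall point in b) is that the BGP MD5 signature travels as TCP option kind 19 (RFC 2385), and a firewall that clears options it has not been told to allow silently breaks the session. The following added example (not code from the blog or from Cisco) builds a constructed BGP SYN with a kind-19 option, parses the TCP option list defensively, and emulates what a tcp-map allow range does to it. The set of always-allowed option kinds, the dummy digest and the "remove the option and rewrite the data offset" behaviour are assumptions of the model, not a description of the ASA's exact rewrite.

```python
import struct
from typing import List, Tuple

TCP_OPT_EOL, TCP_OPT_NOP = 0, 1
TCP_OPT_MD5 = 19          # RFC 2385 TCP MD5 signature option carried by BGP sessions
# Option kinds the model passes even without a tcp-map entry (MSS, window scale,
# SACK-permitted, timestamp). This allow-set is an assumption of the example.
ALWAYS_ALLOWED = {2, 3, 4, 8}


def build_tcp_segment(sport: int, dport: int, options: bytes) -> bytes:
    """Build a 20-byte TCP header plus options (no payload); constructed for the example."""
    options += b"\x00" * ((-len(options)) % 4)        # pad with EOL to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    base = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       data_offset << 4, 0x02, 65535, 0, 0)  # seq, ack, offset, SYN, window, csum, urg
    return base + options


def parse_tcp_options(segment: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option list; raises ValueError on a malformed length instead of over-reading."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def has_tcp_md5_option(segment: bytes) -> bool:
    return any(kind == TCP_OPT_MD5 for kind, _ in parse_tcp_options(segment))


def apply_tcp_map(segment: bytes, allowed_ranges: List[Tuple[int, int]]) -> bytes:
    """Emulate the effect of a tcp-map: options that are always allowed or fall inside a
    'tcp-options range lo hi allow' entry stay; every other option is removed and the
    data offset is rewritten (a simplification of what the firewall really does)."""
    kept = bytearray()
    for kind, data in parse_tcp_options(segment):
        if kind == TCP_OPT_NOP:
            kept.append(TCP_OPT_NOP)
        elif kind in ALWAYS_ALLOWED or any(lo <= kind <= hi for lo, hi in allowed_ranges):
            kept += bytes([kind, len(data) + 2]) + data
    kept += b"\x00" * ((-len(kept)) % 4)
    header = bytearray(segment[:20])
    header[12] = (((20 + len(kept)) // 4) << 4) | (header[12] & 0x0F)
    return bytes(header) + bytes(kept)


# Constructed BGP SYN: MSS 1460, two NOPs, then a kind-19 option with a dummy 16-byte digest.
DUMMY_DIGEST = bytes(range(16))
BGP_OPTIONS = struct.pack("!BBH", 2, 4, 1460) + b"\x01\x01" + bytes([TCP_OPT_MD5, 18]) + DUMMY_DIGEST
SAMPLE_SEGMENT = build_tcp_segment(40000, 179, BGP_OPTIONS)

if __name__ == "__main__":
    print("kinds:", [k for k, _ in parse_tcp_options(SAMPLE_SEGMENT)])
    print("MD5 option survives default map:", has_tcp_md5_option(apply_tcp_map(SAMPLE_SEGMENT, [])))
    print("MD5 option survives 'range 19 19 allow':", has_tcp_md5_option(apply_tcp_map(SAMPLE_SEGMENT, [(19, 19)])))
```

Run against the constructed SYN, the default map strips kind 19 and the peer would see an unsigned segment; with `[(19, 19)]` the segment comes out byte-for-byte unchanged, which is the `tcp-options range 19 19 allow` line above. The parser also refuses an option whose declared length runs past the header, the usual way hand-rolled option walkers over-read.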


Control Plane Policy

1) control-plane host

a) service-policy input
!
class-map match-all UDP-FLOOD
 match access-group 101
!
policy-map UDP-FLOOD-PM
 class UDP-FLOOD
  police rate 16000 bps conform-action drop
!
control-plane
 service-policy input UDP-FLOOD-PM
!
b) service-policy type queue-threshold input

only for some protocols:
R2(config-cmap)#match protocol ?
  bgp     Border Gateway Protocol
  dns     Domain Name Server lookup
  ftp     File Transfer Protocol
  http    World Wide Web traffic
  igmp    Internet Group Management Protocol
  snmp    Simple Network Management Protocol
  ssh     Secure Shell Protocol
  syslog  Syslog Server
  telnet  Telnet
  tftp    Trivial File Transfer Protocol
R2(config-cmap)#

class-map type queue-threshold HTTP-CM
 match protocol http
!
policy-map type queue-threshold HTTP-PM
 class HTTP-CM
  queue-limit 10
c) service-policy type port-filter input
class-map type port-filter TASK1-1-closed-ports
 match closed-ports
!
policy-map type port-filter TASK1-1-closed-ports-PM
 cl…
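The three control-plane host policies above (an ACL-driven policer, a per-protocol queue-threshold and a closed-ports port-filter) side by side in a small Python model of the router's control plane. This is an added example, not the blog's or Cisco's code: the listening ports, the body of access-list 101 (the page does not show it), the port-to-protocol mapping, the "all packets arrive within one second" policer bucket and the order in which the three policies are evaluated are all constructed assumptions. It contrasts the page's `conform-action drop` policer with a variant that only drops the excess.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ports the router is assumed to be listening on (constructed for this example).
OPEN_PORTS = {22, 53, 80, 179}
# Port-to-protocol names in the spirit of 'match protocol' (constructed subset).
PORT_PROTOCOL = {22: "ssh", 53: "dns", 80: "http", 179: "bgp"}
# Per-protocol queue-limit of the queue-threshold policy (page: http queue-limit 10).
QUEUE_LIMITS = {"http": 10}


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int
    size: int    # bytes


@dataclass
class Policer:
    """Single-rate policer modelled on 'police rate <bps> bps'. The bucket holds one
    second's worth of bytes and is not refilled, i.e. all packets are assumed to
    arrive within one second (a simplification made for the example)."""
    rate_bps: int
    conform_action: str = "transmit"
    exceed_action: str = "drop"
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.rate_bps // 8

    def act(self, pkt: Packet) -> str:
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return self.conform_action
        return self.exceed_action


def matches_acl_101(pkt: Packet) -> bool:
    """Assumed body of access-list 101: every UDP packet addressed to the router.
    The page does not show the ACL, so this is a constructed stand-in."""
    return pkt.proto == "udp"


def port_filter_drops(pkt: Packet) -> bool:
    """'match closed-ports': packets to a port nothing is listening on."""
    return pkt.dport not in OPEN_PORTS


def control_plane_host(packets: List[Packet], policer: Policer) -> Dict[str, int]:
    """Apply port-filter, queue-threshold and the policer in that order (the order is
    an assumption of the model) and count the outcome of each packet."""
    stats: Dict[str, int] = {}
    queued: Dict[str, int] = {}
    for pkt in packets:
        if port_filter_drops(pkt):
            outcome = "port-filter drop"
        else:
            proto_name = PORT_PROTOCOL.get(pkt.dport, "other")
            queued[proto_name] = queued.get(proto_name, 0) + 1
            if queued[proto_name] > QUEUE_LIMITS.get(proto_name, float("inf")):
                outcome = "queue-threshold drop"
            elif matches_acl_101(pkt):
                outcome = "police " + policer.act(pkt)
            else:
                outcome = "transmit"
        stats[outcome] = stats.get(outcome, 0) + 1
    return stats


# Constructed traffic: 3 telnet attempts, 15 http requests, 20 UDP packets of 1000 bytes to port 53.
SAMPLE_TRAFFIC = (
    [Packet("tcp", 23, 60)] * 3
    + [Packet("tcp", 80, 100)] * 15
    + [Packet("udp", 53, 1000)] * 20
)


def page_policy() -> Dict[str, int]:
    """The page's policer: 16000 bps with conform-action drop, so every ACL-101 match is dropped."""
    return control_plane_host(SAMPLE_TRAFFIC, Policer(16000, conform_action="drop"))


def rate_limit_policy() -> Dict[str, int]:
    """Same rate, but conforming traffic is transmitted and only the excess is dropped."""
    return control_plane_host(SAMPLE_TRAFFIC, Policer(16000, conform_action="transmit"))


if __name__ == "__main__":
    print("page policy      :", page_policy())
    print("rate-limit policy:", rate_limit_policy())
```

The telnet attempts never reach a policer because the port-filter sees no listener on 23; the eleventh and later http packets hit the queue-limit of 10; and the 20 UDP packets are all dropped under the page's `conform-action drop`, whereas the rate-limiting variant lets 2000 bytes (two packets) through and drops the other 18.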



R1:
router rip
 version 2
 no auto-summary
 network
 network

R2:
router rip
 version 2
 no auto-summary
 network
 network
!
router bgp 23
 neighbor remote-as 23
 neighbor send-community
 redistribute static route-map STATIC_TO_BGP
!
route-map STATIC_TO_BGP permit 10
 match tag 23
 set local-preference 200
 set origin igp
 set community no-export
 set ip next-hop
!
ip route

when the attack starts, add the acl below (with the IP of the destination, the local server):
ip route tag 23

R3:
router rip
 version 2
 no auto-summary
 network
 network
 network
!
router bgp 23
 neighbor remote-as 23
!
ip route
!
interface Null0
 no ip unreachables


when the attack starts, add the acl below (with the source IP of the attacker):
ip route tag 23


1) secure management plane:

control-plane host
 management-interface fa0/0 allow https ssh

R2#sh management-interface
Management interface FastEthernet0/0
 Protocol        Packets processed
   ftp                   0
   http                  0
   https                 0
   ssh                   0
   tftp                  0
   snmp                  0
   beep                  0
   telnet                0
   tl1                   0
R2#
2) access-list (IOS):
R3(config)#ip access-list extended TEST123
R3(config-ext-nacl)#den
R3(config-ext-nacl)#deny ip a
R3(config-ext-nacl)#deny ip any a
R3(config-ext-nacl)#deny ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  …