
Posts

Showing posts from January, 2015

Traceroute - Cisco, Linux, and Windows versions

In today's post I'd like to analyze the different versions of traceroute on three platforms. You need to know exactly which protocols and packet types are used when you want to permit them on your firewall.

1) Cisco version

I'm going to traceroute from R17 to R18. This is what I captured on R17's interface. Let me explain what we see: R17 sends a UDP packet with ttl=1 to discover the device one hop away. R16 decrements the ttl by 1, sees that ttl=0, and sends back an ICMP 'time exceeded' packet:

-> udp - dst port: 33434, ttl = 1
<- icmp - time exceeded (due to ttl = 0) - type 11, code 0 - ttl = 255
-> udp - dst port: 33435, ttl = 1
<- icmp - time exceeded (due to ttl = 0) - type 11, code 0 - ttl = 255
-> udp - dst port: 33436, ttl = 1
<- icmp - time exceeded (due to ttl = 0) - type 11, code 0 - ttl = 255

After three repeats R17 increases the ttl by 1 and sends the next three packets. R15 receives them, decrease
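The exchange described above, turned into a firewall check, as an added example that is not code from the original post: the packet list is constructed to mirror the first two hops of the R17 capture (UDP probes to incrementing destination ports starting at 33434, answered by ICMP type 11 code 0), the code groups the probes per hop, flags probes that got no reply, and derives the IOS extended-ACL entries needed to let a UDP traceroute through. The port span of 100 and the "any" source/destination are assumptions for the example; the port-unreachable entry covers the final hop, which the two-hop excerpt does not show.

```python
# Added example: not code from the original post. Models the post's R17
# capture as constructed packet records, groups probes per hop and derives
# the IOS extended-ACL entries a firewall on the path needs for UDP traceroute.

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

TRACEROUTE_BASE_PORT = 33434   # first UDP destination port used by IOS/Linux traceroute
TRACEROUTE_PORT_SPAN = 100     # 30 hops x 3 probes needs 90 ports; permit a round 100 (assumption)
ICMP_TIME_EXCEEDED = 11        # type 11, code 0: TTL expired in transit


@dataclass(frozen=True)
class Packet:
    direction: str                   # "->" sent by the tracing router, "<-" received by it
    proto: str                       # "udp" or "icmp"
    ttl: int
    dst_port: Optional[int] = None   # UDP only
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: Optional[int] = None  # ICMP only


# Constructed capture: three probes per TTL, each answered by a time-exceeded.
# Reply TTL is 255 from the first hop and 254 from the second (one router in between).
CAPTURE: List[Packet] = [
    Packet("->", "udp", 1, dst_port=33434),
    Packet("<-", "icmp", 255, icmp_type=11, icmp_code=0),
    Packet("->", "udp", 1, dst_port=33435),
    Packet("<-", "icmp", 255, icmp_type=11, icmp_code=0),
    Packet("->", "udp", 1, dst_port=33436),
    Packet("<-", "icmp", 255, icmp_type=11, icmp_code=0),
    Packet("->", "udp", 2, dst_port=33437),
    Packet("<-", "icmp", 254, icmp_type=11, icmp_code=0),
    Packet("->", "udp", 2, dst_port=33438),
    Packet("<-", "icmp", 254, icmp_type=11, icmp_code=0),
    Packet("->", "udp", 2, dst_port=33439),
    Packet("<-", "icmp", 254, icmp_type=11, icmp_code=0),
]


def is_traceroute_probe(p: Packet) -> bool:
    """UDP probe aimed at the traceroute destination port range."""
    return (p.direction == "->" and p.proto == "udp" and p.dst_port is not None
            and TRACEROUTE_BASE_PORT <= p.dst_port < TRACEROUTE_BASE_PORT + TRACEROUTE_PORT_SPAN)


def is_hop_reply(p: Packet) -> bool:
    """ICMP time-exceeded (type 11, code 0) sent back by an intermediate hop."""
    return (p.direction == "<-" and p.proto == "icmp"
            and p.icmp_type == ICMP_TIME_EXCEEDED and p.icmp_code == 0)


def probes_per_hop(packets: List[Packet]) -> Dict[int, List[int]]:
    """Map probe TTL -> destination ports used, i.e. the three probes sent per hop."""
    hops: Dict[int, List[int]] = defaultdict(list)
    for p in packets:
        if is_traceroute_probe(p):
            hops[p.ttl].append(p.dst_port)
    return dict(hops)


def unanswered_probes(packets: List[Packet]) -> int:
    """Probes without a time-exceeded reply (a hop that drops or filters ICMP)."""
    return sum(is_traceroute_probe(p) for p in packets) - sum(is_hop_reply(p) for p in packets)


def acl_for_traceroute(packets: List[Packet], src: str = "any", dst: str = "any") -> List[str]:
    """IOS extended-ACL lines permitting what the capture shows, plus the final-hop reply."""
    last_port = TRACEROUTE_BASE_PORT + TRACEROUTE_PORT_SPAN - 1
    lines = []
    if any(is_traceroute_probe(p) for p in packets):
        # outbound probes from the tracing router
        lines.append(f"permit udp {src} {dst} range {TRACEROUTE_BASE_PORT} {last_port}")
    if any(is_hop_reply(p) for p in packets):
        # replies come from every router along the path, so the source stays "any"
        lines.append(f"permit icmp any {src} time-exceeded")
    # Not visible in the two-hop excerpt: the final destination answers the probe
    # to a closed UDP port with ICMP type 3 code 3, which is what ends the trace.
    lines.append(f"permit icmp {dst} {src} port-unreachable")
    return lines


if __name__ == "__main__":
    for ttl, ports in sorted(probes_per_hop(CAPTURE).items()):
        print(f"ttl={ttl}: probes to udp ports {ports}")
    print(f"unanswered probes: {unanswered_probes(CAPTURE)}")
    print("\n".join(acl_for_traceroute(CAPTURE)))
```

The time-exceeded entry is deliberately not restricted to the destination's address: every router on the path originates one, and a firewall that only permits ICMP from the final destination will show those hops as `* * *`.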

Proxy ARP

In today's post I would like to look closer at one feature: proxy ARP. On Cisco routers it is enabled by default, and I think it's worth writing about its possible pros and cons. To be on the same page, a few words about ARP (Address Resolution Protocol). ARP resolves IP addresses to MAC (physical) addresses. When we want to send a packet to a host with a known IP address, we first need to know its MAC address, or the MAC address of the next hop. This is where ARP does its job. Let's look at the diagram below. Assume that R1 has never contacted R3, and I'm going to check its ARP table:

R1#sh ip arp
Protocol  Address   Age (min)  Hardware Addr   Type  Interface
Internet  10.0.0.1  -          ca00.18c4.0008  ARPA  FastEthernet0/0
R1#

As you can see, I have only one entry, with the IP and MAC of the local interface. Before I ping R3 I enable debugging to see what's happening behind the scenes.

R1#debug arp
ARP packet debugging is on
R1#
R1#pin
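The proxy ARP behaviour the post introduces, simulated as an added example (not code from the original post): a router answers an ARP request for an address that is not on the receiving interface's subnet with its own MAC, provided it has a route to that address out a different interface. The 10.0.0.1 / ca00.18c4.0008 pair on FastEthernet0/0 is taken from the post's ARP table; the second interface, the two hosts and the deliberately wrong /8 mask are constructed for the example. Running it with proxy ARP on and off shows the trade-off: a misconfigured host keeps working only because the router speaks for every routed destination.

```python
# Added example: not code from the original post. Simulates the default Cisco
# proxy ARP decision and a host with a wrong subnet mask that depends on it.
# Only directly connected routes are modelled.

import ipaddress
from typing import Dict, Optional, Tuple


class Router:
    def __init__(self, interfaces: Dict[str, Tuple[str, str]], proxy_arp: bool = True):
        # interfaces: name -> (address/prefix, MAC); each interface adds a connected route
        self.interfaces = {name: (ipaddress.ip_interface(cidr), mac)
                           for name, (cidr, mac) in interfaces.items()}
        self.proxy_arp = proxy_arp   # IOS default is on; 'no ip proxy-arp' turns it off

    def route_lookup(self, target: ipaddress.IPv4Address) -> Optional[str]:
        """Egress interface for target, or None if no connected route covers it."""
        for name, (addr, _mac) in self.interfaces.items():
            if target in addr.network:
                return name
        return None

    def arp_reply(self, in_iface: str, target_ip: str) -> Optional[str]:
        """MAC to put in the ARP reply, or None when the router stays silent."""
        target = ipaddress.ip_address(target_ip)
        addr, mac = self.interfaces[in_iface]
        if target == addr.ip:
            return mac                           # ordinary ARP for the router's own address
        out = self.route_lookup(target)
        if out is None or out == in_iface:
            return None                          # unknown target, or it lives on this subnet
        return mac if self.proxy_arp else None   # proxy reply: "send it to me"


class Host:
    def __init__(self, cidr: str, gateway: str, router: Router, in_iface: str):
        self.addr = ipaddress.ip_interface(cidr)    # the mask may be wrong; that is the point
        self.gateway = ipaddress.ip_address(gateway)
        self.router, self.in_iface = router, in_iface

    def resolve(self, dst_ip: str) -> Optional[str]:
        """MAC the host will frame the packet to, or None if its ARP request goes unanswered."""
        dst = ipaddress.ip_address(dst_ip)
        # A host ARPs directly for anything it believes is local, else for its gateway.
        arp_for = dst if dst in self.addr.network else self.gateway
        return self.router.arp_reply(self.in_iface, str(arp_for))


def demo(proxy_arp: bool) -> Dict[str, Optional[str]]:
    """Resolve 10.0.1.5 (behind Fa0/1) from two hosts on Fa0/0, one with a wrong /8 mask."""
    r1 = Router({"FastEthernet0/0": ("10.0.0.1/24", "ca00.18c4.0008"),   # from the post
                 "FastEthernet0/1": ("10.0.1.1/24", "ca00.18c4.0009")},  # constructed
                proxy_arp=proxy_arp)
    good = Host("10.0.0.10/24", "10.0.0.1", r1, "FastEthernet0/0")
    bad = Host("10.0.0.11/8", "10.0.0.1", r1, "FastEthernet0/0")   # thinks 10/8 is local
    return {"correct mask": good.resolve("10.0.1.5"),
            "wrong /8 mask": bad.resolve("10.0.1.5")}


if __name__ == "__main__":
    for state in (True, False):
        print(f"proxy arp {'on ' if state else 'off'}: {demo(state)}")
```

With proxy ARP on, both hosts get the router's MAC and traffic flows, so the /8 mistake is invisible; with `no ip proxy-arp` on the interface, the misconfigured host's ARP for 10.0.1.5 gets no answer and the error surfaces. The same mechanism means the router's MAC ends up in ARP caches for addresses it does not own, which is worth keeping in mind when reading ARP tables during troubleshooting.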

Zone-Based Policy Firewall High Availability

Today I'm going to present how to implement high availability for ZBPF. Below you can see the scenario I'm working on. As you can see, I have two routers (R1 and R2) which currently operate separately. From R4 we can reach R5 via R1 and R2:

R4#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      4.0.0.0/8 is variably subnetted, 2 subnets