1) secure management plane:
control-plane host
management-interface fa0/0 allow https ssh
R2#sh management-interface
Management interface FastEthernet0/0
Protocol Packets processed
ftp 0
http 0
https 0
ssh 0
tftp 0
snmp 0
beep 0
telnet 0
tl1 0
R2#
2) access-list (IOS):
R3(config)#ip access-list extended TEST123
R3(config-ext-nacl)#den
R3(config-ext-nacl)#deny ip a
R3(config-ext-nacl)#deny ip any a
R3(config-ext-nacl)#deny ip any any ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
<cr>
R3(config-ext-nacl)#deny ip any any fra
R3(config-ext-nacl)#deny ip any any fragments ?
dscp Match packets with given dscp value
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
<cr>
R3(config-ext-nacl)#deny ip any any tt
R3(config-ext-nacl)#deny ip any any ttl ?
eq Match only packets on a given TTL number
gt Match only packets with a greater TTL number
lt Match only packets with a lower TTL number
neq Match only packets not on a given TTL number
range Match only packets in the range of TTLs
R3(config-ext-nacl)#deny ip any any opt
R3(config-ext-nacl)#deny ip any any option ?
<0-255> IP Options value
add-ext Match packets with Address Extension Option (147)
any-options Match packets with ANY Option
com-security Match packets with Commercial Security Option (134)
dps Match packets with Dynamic Packet State Option (151)
encode Match packets with Encode Option (15)
eool Match packets with End of Options (0)
ext-ip Match packets with Extended IP Option (145)
ext-security Match packets with Extended Security Option (133)
finn Match packets with Experimental Flow Control Option (205)
imitd Match packets with IMI Traffic Desriptor Option (144)
lsr Match packets with Loose Source Route Option (131)
mtup Match packets with MTU Probe Option (11)
mtur Match packets with MTU Reply Option (12)
no-op Match packets with No Operation Option (1)
nsapa Match packets with NSAP Addresses Option (150)
record-route Match packets with Record Route Option (7)
router-alert Match packets with Router Alert Option (148)
sdb Match packets with Selective Directed Broadcast Option (149)
security Match packets with Basic Security Option (130)
ssr Match packets with Strict Source Routing Option (137)
stream-id Match packets with Stream ID Option (136)
timestamp Match packets with Time Stamp Option (68)
traceroute Match packets with Trace Route Option (82)
ump Match packets with Upstream Multicast Packet Option (152)
visa Match packets with Experimental Access Control Option (142)
zsu Match packets with Experimental Measurement Option (10)
R3(config-ext-nacl)#deny ip any any option
3) icmp techniques to reduce the risk of icmp-related attacks (IOS):
Device(config)# no ip source-route
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# no ip unreachables
Device(config-if)# no ip redirects
Device(config-if)# no ip mask-reply
more info: IP Application Services Configuration Guide, Cisco IOS Release 15M&T
4) L2 - Dynamic Trunking Protocol (DTP)
interface range FastEthernet1/0/1 - 2
switchport nonegotiate
5) L2 - Switch Port Security
interface FastEthernet1/0/1
switchport voice vlan 100
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan voice
switchport port-security maximum 1 vlan access
switchport port-security violation protect
switchport port-security aging time 10
switchport port-security aging type inactivity
!
errdisable recovery cause psecure-violation
errdisable recovery interval 180
6) L2 - Storm Control
interface FastEthernet1/0/2
storm-control broadcast level bps 10m
storm-control action trap
!
!
interface FastEthernet1/0/3
storm-control unicast level 1
storm-control action trap
!
!
snmp-server enable traps storm-control trap-rate 60
snmp-server host 136.1.13.33 traps version 2c cisco
7) L2 - Protected Ports
Protected ports in the same VLAN are not able to communicate with each other:
interface range FastEthernet1/0/13 , FastEthernet1/0/15
switchport mode access
switchport access vlan 13
switchport protected
no shutdown
!
8) L2 - Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
9) L2 - Private Vlan
VTP v3 supports Private VLANs.
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 502
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 503
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan association 501-503
Switch(config-vlan)# end
Switch# show vlan private-vlan
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/22
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 20 501
Switch(config-if)# end
Switch# show interfaces gigabitethernet1/0/22 switchport
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 add 501-503
Switch(config-if)# end
10) L2 - MAC access list
block non-IP traffic except ARP:
SW1:
!
mac access-list extended PERMIT_ARP
permit any any 0x806 0x0
!
interface FastEthernet1/0/1
mac access-group PERMIT_ARP in
The ethertype mask functions the same way as a wildcard mask from IP access-lists, where a bit of zero means match and a bit of one means don’t care.
11) L2 - VLAN ACL
SW2:
mac access-list extended PERMIT_LAYER2
permit any any lsap 0x4242 0x0
permit any any 0x010B 0x0
permit any any 0x806 0x0
permit any any lsap 0xAAAA 0x0
!
ip access-list extended DENY_TELNET
permit tcp any any eq 23
!
ip access-list extended PERMIT_IP
permit ip any any
!
vlan access-map VLAN23 10
match mac address PERMIT_LAYER2
action forward
vlan access-map VLAN23 20
match ip address DENY_TELNET
action drop
vlan access-map VLAN23 30
match ip address PERMIT_IP
action forward
!
vlan filter VLAN23 vlan-list 23
The following protocols use 802.2 SNAP encapsulation with the SNAP Protocol ID values listed below:
VTP: 0x2003
CDP: 0x2000
DTP: 0x2004
UDLD: 0x0111
All SNAP-encapsulated packets can be matched using an LSAP value of 0xAAAA.
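The matching rules described above, modelled in Python as an added example (not the page's or Cisco's code): an entry's ethertype or LSAP value is compared under the wildcard-mask rule, the first matching entry wins, and a frame that matches nothing hits the implicit deny. The frame model and sample frames are constructed here; the page's 0x010B entry is left out of the model.

```python
"""Model of Cisco IOS MAC ACL matching for the PERMIT_ARP and PERMIT_LAYER2
lists above. Added example, not from the page or Cisco IOS; the frame model
and the sample frames are constructed here."""
from dataclasses import dataclass
from typing import List, Optional

# A type/length field of 0x0600 or more is an Ethernet II type; a smaller
# value is an 802.3 length, and an LLC header (DSAP, SSAP) follows it.
ETHERNET_II_MIN_TYPE = 0x0600


@dataclass(frozen=True)
class Frame:
    type_or_len: int
    dsap: Optional[int] = None  # LLC DSAP, 802.3 frames only
    ssap: Optional[int] = None  # LLC SSAP, 802.3 frames only

    @property
    def ethertype(self) -> Optional[int]:
        return self.type_or_len if self.type_or_len >= ETHERNET_II_MIN_TYPE else None

    @property
    def lsap(self) -> Optional[int]:
        """DSAP and SSAP as one 16-bit value, which is what 'lsap 0x4242' matches."""
        if self.ethertype is not None or self.dsap is None or self.ssap is None:
            return None
        return (self.dsap << 8) | self.ssap


def wildcard_match(value: int, pattern: int, mask: int) -> bool:
    """Cisco wildcard semantics: a mask bit of 0 must match, a mask bit of 1 is don't care."""
    return (value & ~mask) == (pattern & ~mask)


@dataclass(frozen=True)
class MacAclEntry:
    action: str  # "permit" or "deny"
    kind: str    # "ethertype" or "lsap"
    value: int
    mask: int = 0x0  # 0x0 means every bit of the value must match

    def matches(self, frame: Frame) -> bool:
        field = frame.ethertype if self.kind == "ethertype" else frame.lsap
        return field is not None and wildcard_match(field, self.value, self.mask)


def evaluate(acl: List[MacAclEntry], frame: Frame) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(frame):
            return entry.action
    return "deny"


# mac access-list extended PERMIT_ARP (from the page)
PERMIT_ARP = [MacAclEntry("permit", "ethertype", 0x0806)]

# mac access-list extended PERMIT_LAYER2 (from the page, 0x010B entry omitted)
PERMIT_LAYER2 = [
    MacAclEntry("permit", "lsap", 0x4242),       # 802.2 LLC, e.g. IEEE STP
    MacAclEntry("permit", "ethertype", 0x0806),  # ARP
    MacAclEntry("permit", "lsap", 0xAAAA),       # every SNAP-encapsulated frame
]

# Constructed sample frames
ARP_FRAME = Frame(type_or_len=0x0806)
IPV4_FRAME = Frame(type_or_len=0x0800)
STP_FRAME = Frame(type_or_len=38, dsap=0x42, ssap=0x42)
SNAP_FRAME = Frame(type_or_len=100, dsap=0xAA, ssap=0xAA)  # CDP/VTP/DTP/UDLD style


def demo() -> dict:
    """MAC ACL verdict for each sample frame. In the VLAN access-map, an IPv4
    frame that the MAC list does not permit is still evaluated by the later
    'match ip address' sequences; this model only reports the MAC ACL verdict."""
    return {
        "PERMIT_ARP/arp": evaluate(PERMIT_ARP, ARP_FRAME),
        "PERMIT_ARP/ipv4": evaluate(PERMIT_ARP, IPV4_FRAME),
        "PERMIT_LAYER2/stp": evaluate(PERMIT_LAYER2, STP_FRAME),
        "PERMIT_LAYER2/snap": evaluate(PERMIT_LAYER2, SNAP_FRAME),
        "PERMIT_LAYER2/ipv4": evaluate(PERMIT_LAYER2, IPV4_FRAME),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22} {action}")
    # A non-zero mask widens the match: 0x0800 with mask 0x00FF also matches 0x0806
    print("0x0806 vs 0x0800/0x00FF:", wildcard_match(0x0806, 0x0800, 0x00FF))
```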
12) L2 - STP BPDU Guard
MP-SW#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 16 16
---------------------- -------- --------- -------- ---------- ----------
1 vlan 0 0 0 16 16
MP-SW#
BPDU Guard can be enabled at the interface level using the command spanning-tree bpduguard enable, in which case it's applied unconditionally to the port. BPDU Guard can be enabled globally using the command spanning-tree portfast bpduguard default, in which case it's applied only to portfast-enabled ports, also called Edge Ports. Note that if you enable portfast (access or trunk) on a port and that port receives a BPDU, it leaves the portfast-enabled state and starts negotiating its STP state, so the global form of this feature is conditional.
SW2:
interface FastEthernet1/0/3
spanning-tree bpduguard enable
!
!
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
errdisable recovery cause bpduguard
errdisable recovery interval 300
or per interface:
interface FastEthernet1/0/3
spanning-tree portfast
!
spanning-tree portfast bpduguard default
!
or only globally:
!
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
MP-SW#sh spanning-tree interface fa1/0/17 detail
Port 19 (FastEthernet1/0/17) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.19.
Designated root has priority 32768, address 000a.4138.4dc0
Designated bridge has priority 32769, address e8ba.7091.9d00
Designated port id is 128.19, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 66617, received 0
MP-SW#
13) L2 - STP BPDU Filter
BPDU Filter has different behavior, depending on how it’s enabled:
-When configured at the interface level, BPDU Filter unconditionally drops all inbound BPDUs and does not send BPDUs out the interface.
interface FastEthernet1/0/1
spanning-tree bpdufilter enable
-When configured at global level, it sends out exactly 11 BPDUs on all portfast-enabled interfaces, and if no BPDU is received within this interval it stops sending BPDUs; however, if a BPDU is received inbound on the interface at any time after, it is accepted and STP port state negotiation starts, so BPDU Filter becomes inactive.
spanning-tree portfast bpdufilter default
14) L2 - STP Guard Root
Preventing a switch connected to this port from becoming the root switch:
SW2:
!
interface FastEthernet1/0/20
spanning-tree guard root
15) L2 - STP Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
You can enable this feature by using the spanning-tree loopguard default global configuration command.
When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.
SW1:
!
spanning-tree loopguard default
16) L2 - DHCP - snooping
DHCP Snooping is a security feature that inspects DHCP packets sent from or destined to hosts in an attached VLAN, and is therefore a switch function. With snooping configured, the switch enforces DHCP packet flow integrity and protects the network from DHCP-based attacks, regardless of its role in the DHCP process: it can be the DHCP server, the DHCP Layer 3 relay agent, or have no role in the DHCP end-to-end flow (acting as a Layer 2 switch for the VLAN).
SW1:
ip dhcp snooping
ip dhcp snooping vlan 23
ip dhcp snooping database flash:/VLAN23_DHCP.txt
ip dhcp snooping database write-delay 30
!
interface FastEthernet1/0/12
ip dhcp snooping limit rate 15 <--- DHCP client
!
interface FastEthernet1/0/2
ip dhcp snooping trust <--- DHCP server
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
interface FastEthernet1/0/12
switchport mode access
switchport access vlan 23
spanning-tree portfast
no shutdown
R2:
!
ip dhcp relay information trust-all
!
ip dhcp pool VLAN23
network 136.1.23.0 /24
To protect DHCP and limit the number of allocated IPs, you can add port security on the client port:
SW1:
!
interface FastEthernet1/0/12
switchport port-security
17) L2 - Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that fixes some well-known weaknesses in the ARP protocol. Generally, ARP operation on an Ethernet segment allows any host to spoof a MAC address for any IP address on the segment. These attacks, commonly known as Man-in-the-Middle (MITM) attacks, cannot be prevented by using only port-security, access-lists, or other well-known security features. DAI is used to prevent ARP poisoning attacks.
For a non-DHCP environment:
SW1:
arp access-list DAI_VLAN23
permit ip host 136.1.23.2 mac host d867.d9e0.bbc0 log
permit ip host 136.1.23.3 mac host 001e.f779.4771 log
!
ip arp inspection filter DAI_VLAN23 vlan 23
!
ip arp inspection vlan 23
ip arp inspection vlan 23 logging acl-match matchlog
ip arp inspection vlan 23 logging dhcp-bindings all
ip arp inspection vlan 23 logging arp-probe
ip arp inspection log-buffer entries 10
ip arp inspection validate src-mac dst-mac ip
Example of a DAI log message:
*Mar 1 17:39:29.515: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/4, vlan 1.([04c5.a43f.d6d0/10.0.0.10/e8b7.4842.4c58/10.0.0.1/17:39:28 UTC Mon Mar 1 1993])
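The checks that the DAI_VLAN23 filter and `ip arp inspection validate src-mac dst-mac ip` apply, modelled in Python as an added example (not the page's or Cisco's code): header/body MAC consistency, invalid IP addresses, then the sender IP/MAC pair against the static bindings. The ARP packets are constructed here.

```python
"""Model of the checks Dynamic ARP Inspection applies on VLAN 23 with the
arp access-list DAI_VLAN23 and 'validate src-mac dst-mac ip' from the page.
Added example, not from the page or Cisco IOS; packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2

# Static bindings from arp access-list DAI_VLAN23 (IP -> MAC)
DAI_VLAN23 = {
    "136.1.23.2": "d867.d9e0.bbc0",
    "136.1.23.3": "001e.f779.4771",
}


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def invalid_ip(ip: str) -> bool:
    """Addresses DAI never expects in an ARP body: 0.0.0.0, broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def inspect(pkt: ArpPacket, bindings: Dict[str, str] = DAI_VLAN23) -> Tuple[str, str]:
    """Return ('permit'|'deny', reason) for one ARP packet on an untrusted port."""
    # validate src-mac: Ethernet source must equal the ARP sender MAC (requests and replies)
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "deny", "src-mac mismatch"
    # validate dst-mac: Ethernet destination must equal the ARP target MAC (replies only)
    if pkt.opcode == ARP_REPLY and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "deny", "dst-mac mismatch"
    # validate ip: sender IP is checked always, target IP only in replies
    if invalid_ip(pkt.sender_ip) or (pkt.opcode == ARP_REPLY and invalid_ip(pkt.target_ip)):
        return "deny", "invalid ip"
    # ARP ACL filter: the sender IP/MAC pair must be an allowed binding (implicit deny)
    if bindings.get(pkt.sender_ip, "").lower() != pkt.sender_mac.lower():
        return "deny", "no matching binding"
    return "permit", "binding ok"


# Constructed sample packets (VLAN 23 hosts from the page's bindings)
SAMPLES = {
    "good reply": ArpPacket("d867.d9e0.bbc0", "001e.f779.4771", ARP_REPLY,
                            "d867.d9e0.bbc0", "136.1.23.2", "001e.f779.4771", "136.1.23.3"),
    # Claims 136.1.23.2 with a MAC that is not in the binding table
    "spoofed binding": ArpPacket("0000.dead.beef", "001e.f779.4771", ARP_REPLY,
                                 "0000.dead.beef", "136.1.23.2", "001e.f779.4771", "136.1.23.3"),
    # Ethernet source differs from the ARP sender MAC
    "header mismatch": ArpPacket("0000.dead.beef", "ffff.ffff.ffff", ARP_REQUEST,
                                 "d867.d9e0.bbc0", "136.1.23.2", "0000.0000.0000", "136.1.23.3"),
    # Sender IP 0.0.0.0 (an ARP probe) fails 'validate ip'
    "zero sender": ArpPacket("001e.f779.4771", "ffff.ffff.ffff", ARP_REQUEST,
                             "001e.f779.4771", "0.0.0.0", "0000.0000.0000", "136.1.23.3"),
}


def demo() -> Dict[str, Tuple[str, str]]:
    return {name: inspect(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:16} {action:6} {reason}")
```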
18) L2 - IP Source Guard
IP Source Guard works much like DHCP Snooping combined with Dynamic ARP Inspection.
SW1:
interface FastEthernet1/0/2
ip verify source port-security
switchport port-security
ip dhcp snooping trust
!
interface range FastEthernet1/0/9 - 10
switchport mode access
switchport access vlan 23
ip verify source port-security
switchport port-security
no shutdown
!
!
ip dhcp snooping
ip dhcp snooping vlan 23
Example:
MP-SW#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
--------- ----------- ----------- --------------- ----------------- ---- ---
Fa1/0/4 ip-mac active deny-all deny-all 1
Fa1/0/13 ip-mac active 10.0.0.6 04:C5:A4:3F:D6:D0 1 disabled
MP-SW#
19) L3 - Preventing ICMP attack - ACL
You have to use a named ACL to see all the ICMP message-type options:
SW2:
ip access-list extended ICMP_ATTACK
permit icmp 172.1.114.0 0.0.0.255 any echo
permit icmp 172.1.114.0 0.0.0.255 any echo-reply
permit icmp 172.1.114.0 0.0.0.255 any ttl-exceeded
permit icmp 172.1.114.0 0.0.0.255 any port-unreachable
permit icmp 172.1.114.0 0.0.0.255 any packet-too-big
permit icmp 172.1.114.0 0.0.0.255 any source-quench
deny icmp 172.1.114.0 0.0.0.255 any
permit ip any any
!
interface Vlan213
ip access-group ICMP_ATTACK in
ASA3:
icmp permit any echo-reply OUTSIDE
20) L3 - Preventing ICMP attack - NBAR
Network-Based Application Recognition (NBAR) includes a feature called Protocol Discovery. Protocol Discovery provides an easy way to discover the application protocols that are operating on an interface. When you configure NBAR, the first task is to enable Protocol Discovery.
R3:
class-map match-all ICMP
match protocol icmp
!
policy-map ICMP
class ICMP
drop
!
!Note that NBAR classification engine needs to be enabled at the interface level for NBAR traffic policies to be matched.
!
interface FastEthernet0/1.23
ip nbar protocol-discovery
service-policy output ICMP
21) L3 - Preventing ICMP attack - Policing
In my example:
Ensure that the burst size is large enough to accommodate normal and excess burst durations of 200 ms and 300 ms at a rate of 128 Kbps.
Bc = (128000 * 0.2) / 8 = 3200 bytes; Be = (128000 * 0.3) / 8 = 4800 bytes
R3:
ip access-list extended ICMP_ATTACK
permit icmp any any echo-reply
!
class-map ICMP_ATTACK
match access-group name ICMP_ATTACK
!
policy-map POLICE_VLAN13
class ICMP_ATTACK
police 128000 3200 4800 conform-action set-prec-transmit 1 exceed-action set-prec-transmit 0 violate-action drop
!
interface FastEthernet0/1.13
service-policy input POLICE_VLAN13
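The burst sizing from the paragraph above, plus a token-bucket model of what the police statement does with a burst of echo-replies, as an added example (not the page's or Cisco's code). The bucket model follows RFC 2697 (committed bucket Bc, excess bucket Be, both refilled at the CIR), which is an approximation of IOS behaviour, and the packet burst is constructed.

```python
"""Burst sizing and a single-rate, three-colour token-bucket model of the
'police 128000 3200 4800' statement from the page. Added example, not from
the page or Cisco IOS; RFC 2697-style buckets, constructed packet burst."""
from typing import List, Tuple


def burst_sizes(rate_bps: int, bc_ms: int, be_ms: int) -> Tuple[int, int]:
    """Bc and Be in bytes, as on the page: bytes = rate * seconds / 8."""
    bc = rate_bps * bc_ms // 1000 // 8
    be = rate_bps * be_ms // 1000 // 8
    return bc, be


# Actions from the page's POLICE_VLAN13 policy-map
ACTIONS = {
    "conform": "set-prec-transmit 1",
    "exceed": "set-prec-transmit 0",
    "violate": "drop",
}


class SingleRatePolicer:
    """Committed bucket of Bc bytes and excess bucket of Be bytes; tokens earned
    at the CIR fill the committed bucket first and overflow into the excess one."""

    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int):
        self.cir_bytes_per_s = cir_bps / 8.0
        self.bc = bc_bytes
        self.be = be_bytes
        self.tc = float(bc_bytes)   # committed tokens, bucket starts full
        self.te = float(be_bytes)   # excess tokens, bucket starts full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        earned = (now - self.last) * self.cir_bytes_per_s
        self.last = now
        to_committed = min(earned, self.bc - self.tc)
        self.tc += to_committed
        self.te = min(self.be, self.te + (earned - to_committed))

    def police(self, now: float, size: int) -> str:
        """Colour one packet of 'size' bytes arriving at time 'now' (seconds)."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


def simulate(policer: SingleRatePolicer, packets: List[Tuple[float, int]]) -> List[str]:
    """packets: (arrival time in seconds, size in bytes), in arrival order."""
    return [policer.police(t, size) for t, size in packets]


def demo() -> List[str]:
    bc, be = burst_sizes(128000, 200, 300)          # (3200, 4800) as on the page
    policer = SingleRatePolicer(128000, bc, be)
    # Constructed burst: eight 1000-byte echo-replies at t=0, one more 100 ms later.
    # 3 fit in Bc, 4 in Be, the 8th is dropped; 100 ms at 16 kB/s refills 1600 bytes.
    burst = [(0.0, 1000)] * 8 + [(0.1, 1000)]
    return simulate(policer, burst)


if __name__ == "__main__":
    for i, colour in enumerate(demo(), 1):
        print(f"packet {i}: {colour:8} -> {ACTIONS[colour]}")
```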
22) L3 - Preventing ICMP attack - MPF
ASA4:
access-list ICMP_VLAN143 extended permit icmp any 172.1.143.0 255.255.255.0 echo
!
class-map ICMP_VLAN143
match access-list ICMP_VLAN143
!
policy-map ICMP_VLAN143
class ICMP_VLAN143
police output 128000
!
service-policy ICMP_VLAN143 interface OUTSIDE
23) L3 - Preventing TCP attack - ACL
R3:
ip access-list extended TCP_ESTABLISHED
permit tcp any any established
deny tcp any any
permit ip any any
!
interface FastEthernet0/1.13
ip access-group TCP_ESTABLISHED in
24) L3 - Preventing TCP attack - Policing
Drop SYN packets when they exceed 16 Kbps (SYN flood mitigation):
R3:
ip access-list extended SYN_VLAN13
permit tcp any 136.1.13.0 0.0.0.255 syn
!
class-map SYN_VLAN13
match access-group name SYN_VLAN13
!
policy-map SYN_VLAN13
class SYN_VLAN13
police 16000 conform-action transmit exceed-action drop violate-action drop
!
interface FastEthernet0/0.133
service-policy input SYN_VLAN13
25) L3 - Preventing TCP attack - CBAC
R3:
ip inspect tcp block-non-session
ip inspect tcp synwait-time 10
ip inspect tcp max-incomplete host 50 block-time 5
ip inspect log drop-pkt
!
ip inspect name CBAC_VLAN13 tcp
ip inspect name CBAC_VLAN13 udp
!
interface FastEthernet0/1.13
ip inspect CBAC_VLAN13 in
26) L3 - Preventing TCP attack - CAR
R2:
ip access-list extended 100
deny tcp any any established
permit tcp any any
!
interface GigabitEthernet0/0
rate-limit input access-group 100 64000 8000 16000 conform-action transmit exceed-action drop
27) L3 - Preventing application attack - MPF
ASA3:
regex REG_cisco "^cisco.*"
regex REG_c100 "^c100.*"
regex REG_c200 "^c200.*"
!
class-map type regex match-any FTP_REGEX
match regex REG_cisco
match regex REG_c100
match regex REG_c200
!
class-map type inspect ftp match-all FTP_COMMAND
match request-command dele
!
policy-map type inspect ftp FTP_INSPECT
parameters
mask-banner
mask-syst-reply
match filename regex class FTP_REGEX
reset
class FTP_COMMAND
reset
!
!
!
class-map FTP_PORT
match port tcp eq 21
!
policy-map VLAN133
class FTP_PORT
inspect ftp strict FTP_INSPECT
!
service-policy VLAN133 interface OUTSIDE
28) L3 - IP Spoofing Attacks- uRPF
R3:
access-list 101 deny ip any any log
!
interface FastEthernet0/1.13
ip verify unicast source reachable-via rx 101
29) L3 - Fragments Attack - ACL
R2:
ip access-list extended ICMP_FRAGMENTS
deny icmp any any fragments
permit ip any any
!
interface GigabitEthernet0/0
ip access-group ICMP_FRAGMENTS in
30) L3 - RFC 1918
R3:
ip access-list extended RFC1918
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
permit ip any any
!
ip access-list log-update threshold 1
ip access-list logging hash-generation
!
interface FastEthernet0/1.23
ip access-group RFC1918 in
31) L3 - RFC 2827
RFC 2827 defines ingress filtering based on your internally assigned IPv4 address space, to provide a basic form of anti-spoofing protection.
R3:
ip access-list extended RFC2827_IN
deny ip 136.1.0.0 0.255.255.255 any log RFC2827_IN_LINE1
permit ip any any
!
ip access-list extended RFC2827_OUT
permit ip 136.1.0.0 0.255.255.255 any
deny ip any any log RFC2827_OUT_LINE2
!
interface FastEthernet0/0.143
ip access-group RFC2827_IN in
ip access-group RFC2827_OUT out
!
ip access-list log-update threshold 1
32) L3 - RFC 3330
RFC 3330
0.0.0.0/8
10.0.0.0/8
14.0.0.0/8
24.0.0.0/8
39.0.0.0/8
127.0.0.0/8
128.0.0.0/16
169.254.0.0/16
172.16.0.0/12
191.255.0.0/16
192.0.0.0/24
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15
223.255.255.0/24
224.0.0.0/4
240.0.0.0/4
RFC 5735
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
255.255.255.255/32
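The RFC 1918, RFC 2827 and RFC 5735 source-address filters from the sections above, combined into one ingress/egress decision in Python as an added example (not the page's or Cisco's code). The internal space is taken from the page's ACLs (136.1.0.0 with wildcard 0.255.255.255); combining the three lists on one interface and the sample sources are constructed here.

```python
"""Model of the RFC 1918, RFC 2827 and RFC 5735 source filters from the page,
combined into one ingress and one egress decision. Added example, not from the
page or Cisco IOS; the combination and the sample packets are constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Internal space as the page's ACLs express it: 136.1.0.0 with wildcard 0.255.255.255
INTERNAL = ipaddress.ip_network("136.1.0.0/0.255.255.255", strict=False)

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Special-use prefixes listed under RFC 5735 on the page
RFC5735 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "255.255.255.255/32",
)]


def first_match(addr, prefixes: Iterable) -> Optional[ipaddress.IPv4Network]:
    return next((p for p in prefixes if addr in p), None)


def ingress_decision(src: str) -> Tuple[str, str]:
    """Packet arriving from outside: RFC2827_IN first, then the bogon lists."""
    addr = ipaddress.ip_address(src)
    if addr in INTERNAL:
        return "deny", "RFC2827_IN: internal source arriving from outside"
    hit = first_match(addr, RFC1918) or first_match(addr, RFC5735)
    if hit is not None:
        return "deny", f"bogon source {hit}"
    return "permit", "ok"


def egress_decision(src: str) -> Tuple[str, str]:
    """Packet leaving towards the outside: RFC2827_OUT permits only our own space."""
    addr = ipaddress.ip_address(src)
    if addr in INTERNAL:
        return "permit", "ok"
    return "deny", "RFC2827_OUT: source not in internal space"


# Constructed sample sources (documentation ranges and the page's own prefix)
INGRESS_SAMPLES = ["136.1.13.5", "10.1.2.3", "203.0.113.9", "203.0.114.1"]
EGRESS_SAMPLES = ["136.1.23.2", "192.0.2.5"]


def demo() -> List[Tuple[str, str, str, str]]:
    rows = [("in", s, *ingress_decision(s)) for s in INGRESS_SAMPLES]
    rows += [("out", s, *egress_decision(s)) for s in EGRESS_SAMPLES]
    return rows


if __name__ == "__main__":
    for direction, src, action, reason in demo():
        print(f"{direction:3} {src:15} {action:6} {reason}")
```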
32) L3 - IOS - TCP Intercept
R3:
ip access-list extended TCP_INTERCEPT
permit ip any 136.1.13.0 0.0.0.255
!
ip tcp intercept list TCP_INTERCEPT
!
ip tcp intercept drop-mode random
ip tcp intercept connection-timeout 30
ip tcp intercept one-minute low 30 high 60
ip tcp intercept max-incomplete low 80 high 100
33) L3 - IOS - TCP Intercept - watched mode
R3:
ip access-list extended TCP_INTERCEPT
permit ip any 136.1.13.0 0.0.0.255
!
!
ip tcp intercept list TCP_INTERCEPT
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
34) L3 - ASA - TCP Intercept
ASA3:
class-map type management TELNET
match port tcp eq telnet
!
policy-map TELNET
class TELNET
set connection embryonic-conn-max 10
!
service-policy TELNET interface INSIDE
!
class-map TCP_INTERCEPT
match any
!
policy-map global_policy
class TCP_INTERCEPT
set connection embryonic-conn-max 15 per-client-embryonic-max 1
35) L3 - IOS - NBAR traffic classification
R3:
class-map match-all EXTENSION
match protocol http url *.bin|*.exe|*.com
!
policy-map DROP
class EXTENSION
drop
!
!Note that NBAR protocol classification engine needs to be enabled at the interface level separately.
!
interface FastEthernet0/0.143
ip nbar protocol-discovery
service-policy output DROP
36) L3 - IPv6 - RA Guard
Configure IPv6 RA Guard on SW3 for all current and future hosts in VLAN 11. Allow R4's FE80::4 link-local address to send RA messages but only for 2001::/64 prefix. R6 should not be affected by the above configurations. Configure R5 for SLAAC.
SW3:
ipv6 prefix-list RA_PREFIX permit 2001::/64
!
ipv6 access-list RA_SOURCE
permit ipv6 host FE80::4 any
!
ipv6 nd raguard policy HOST_INSPECT
device-role host
!
ipv6 nd raguard policy HOST_NON_INSPECT
trusted-port
!
ipv6 nd raguard policy ROUTER
device-role router
match ra prefix-list RA_PREFIX
match ipv6 access-list RA_SOURCE
!
vlan configuration 11
ipv6 nd raguard attach-policy HOST_INSPECT
!
interface GigabitEthernet1/0/1
ipv6 nd raguard attach-policy ROUTER
!
interface GigabitEthernet1/0/3
ipv6 nd raguard attach-policy HOST_NON_INSPECT
R5:
interface FastEthernet0/0
ipv6 address autoconfig default
To protect the infrastructure from spoofed RA messages, a feature named IPv6 RA Guard can be configured on the layer2/layer3 switch where hosts and routers are attached. Basically you would want to restrict/drop receiving router type NDP messages (like router advertisements and redirects) on ports where hosts are connected. You can configure three types of RA Guard policies:
a) host, where all inbound NDP messages are inspected and router type messages are dropped; this is the default state of a policy.
b) router, where all inbound NDP messages are inspected but router type messages are allowed; optionally, you can restrict for which prefixes RA messages are allowed (achieved via prefix-list filtering) and which sources are allowed to send ICMPv6 Type 133, 134, and 137 (achieved via access-lists matching on link-local addresses).
c) trust, where all inbound NDP messages are allowed and not inspected.
The RA Guard policies can be applied at the VLAN level or port level; if both are enabled, the port-level policy will take precedence over the VLAN-wide-level policy. In most real-life cases, it is faster to deploy a host policy at VLAN level and router/trust policy at port level, because there will be few router/trusted ports. To enable a Cisco router for SLAAC, the interface-level command ipv6 address autoconfig is used. The interface-level command ipv6 enable is used when you want the router to autoconfigure itself with just a link-local address on the interface (which does not require SLAAC).
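The three policy roles and the port-over-VLAN precedence described above, modelled in Python as an added example (not the page's or Cisco's code) using the SW3 policies from this section. The NDP message model and the port-to-policy table are constructed; R5's port is not on the page and is assumed here to be Gi1/0/5 with no port-level policy.

```python
"""Model of RA Guard policy roles (host, router, trust) and of port-level over
VLAN-level precedence, using SW3's policies from the page. Added example, not
from the page or Cisco IOS; message model and R5's port are assumptions."""
from dataclasses import dataclass
from typing import Tuple
import ipaddress

# Router type NDP messages that a host policy drops (ICMPv6 types from the page)
ROUTER_TYPE_MESSAGES = {134: "router advertisement", 137: "redirect"}


@dataclass(frozen=True)
class RaGuardPolicy:
    name: str
    role: str = "host"          # "host" (default), "router" or "trust"
    prefix_list: tuple = ()     # exact prefixes an RA may advertise (router role)
    source_acl: tuple = ()      # link-local sources allowed to send router messages


@dataclass(frozen=True)
class NdpMessage:
    icmp_type: int
    source: str
    prefixes: tuple = ()        # prefixes carried by an RA


# SW3's policies from the page
HOST_INSPECT = RaGuardPolicy("HOST_INSPECT", role="host")
HOST_NON_INSPECT = RaGuardPolicy("HOST_NON_INSPECT", role="trust")
ROUTER = RaGuardPolicy("ROUTER", role="router",
                       prefix_list=("2001::/64",), source_acl=("FE80::4",))

VLAN11_POLICY = HOST_INSPECT                                     # vlan configuration 11
PORT_POLICIES = {"Gi1/0/1": ROUTER, "Gi1/0/3": HOST_NON_INSPECT}  # R4 and R6 ports
# R5's port is assumed to be Gi1/0/5 and carries no port-level policy.


def effective_policy(port: str) -> RaGuardPolicy:
    """A port-level policy takes precedence over the VLAN-level policy."""
    return PORT_POLICIES.get(port, VLAN11_POLICY)


def decide(policy: RaGuardPolicy, msg: NdpMessage) -> Tuple[str, str]:
    if policy.role == "trust":
        return "forward", f"{policy.name}: trusted port, not inspected"
    if msg.icmp_type not in ROUTER_TYPE_MESSAGES:
        return "forward", f"{policy.name}: host message"
    kind = ROUTER_TYPE_MESSAGES[msg.icmp_type]
    if policy.role == "host":
        return "drop", f"{policy.name}: {kind} on a host port"
    # router role: optional source and prefix restrictions
    if policy.source_acl:
        allowed_sources = {ipaddress.ip_address(a) for a in policy.source_acl}
        if ipaddress.ip_address(msg.source) not in allowed_sources:
            return "drop", f"{policy.name}: source {msg.source} not in access-list"
    if msg.icmp_type == 134 and policy.prefix_list:
        allowed = {ipaddress.ip_network(p) for p in policy.prefix_list}
        bad = [p for p in msg.prefixes if ipaddress.ip_network(p) not in allowed]
        if bad:
            return "drop", f"{policy.name}: prefix {bad[0]} not in prefix-list"
    return "forward", f"{policy.name}: {kind} allowed"


def port_decision(port: str, msg: NdpMessage) -> Tuple[str, str]:
    return decide(effective_policy(port), msg)


if __name__ == "__main__":
    cases = [
        ("Gi1/0/1", NdpMessage(134, "FE80::4", ("2001::/64",))),        # R4, allowed
        ("Gi1/0/1", NdpMessage(134, "FE80::4", ("2001:db8:1::/64",))),  # wrong prefix
        ("Gi1/0/1", NdpMessage(134, "FE80::5", ("2001::/64",))),        # wrong source
        ("Gi1/0/3", NdpMessage(134, "FE80::6", ("2001:db8:6::/64",))),  # R6, trusted
        ("Gi1/0/5", NdpMessage(134, "FE80::5", ("2001::/64",))),        # RA from a host
        ("Gi1/0/5", NdpMessage(133, "FE80::5")),                        # RS from a host
    ]
    for port, msg in cases:
        action, reason = port_decision(port, msg)
        print(f"{port:8} type {msg.icmp_type} from {msg.source:9} {action:8} {reason}")
```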
37) L3 - IPv6 - DHCPv6 Guard
Configure IPv6 DHCPv6 Guard on SW3 for all current and future hosts in VLAN 11. Allow R4's FE80::4 link-local address to act as DHCP server but only for 2001::/64 prefix. R6 should not be affected by the above configurations. Activate DHCPv6 server on R4 for 2001::/64 subnet; assign the domain inelab.local and the DNS server 2001::4 with maximum lifetime. Configure R5 to receive an IPv6 address via DHCPv6.
DHCPv6 Guard achieves almost the same thing for IPv6 as DHCP snooping does for IPv4. It blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. It lacks the advanced functionalities of deep DHCP packet inspection to prevent DHCP starvation attacks, but this problem is solved with IPv6 snooping, with which you can limit the number of IPv6 addresses that a neighbor can use; it also does not support rate-limiting DHCPv6 clients by the number of requests.
CISCO Doc - IOS 15s (only!!!!)
SW3:
ipv6 prefix-list DHCP_SCOPE permit 2001::/64 le 128
!
ipv6 access-list DHCP_SOURCE
permit ipv6 host FE80::4 any
!
!
ipv6 dhcp guard policy DHCP_SERVER
device-role server
match server access-list DHCP_SOURCE
match reply prefix-list DHCP_SCOPE
!
ipv6 dhcp guard policy DHCP_CLIENT_INSPECT
device-role client
!
ipv6 dhcp guard policy DHCP_CLIENT_NON_INSPECT
trusted-port
!
vlan configuration 11
ipv6 dhcp guard attach-policy DHCP_CLIENT_INSPECT
!
interface GigabitEthernet1/0/1
ipv6 dhcp guard attach-policy DHCP_SERVER
!
interface GigabitEthernet1/0/3
ipv6 dhcp guard attach-policy DHCP_CLIENT_NON_INSPECT
R4:
ipv6 dhcp pool VLAN11
address prefix 2001::/64 lifetime infinite infinite
link-address 2001::4/64
dns-server 2001::4
domain-name inelab.local
!
interface FastEthernet0/0
ipv6 dhcp server VLAN11
R5:
interface FastEthernet0/0
ipv6 address dhcp
ipv6 enable
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6f-15-s-book/ip6-dhcpv6-guard.html