Monitor
In order to report on something, you have to monitor it.
Logging
- Stored in the router’s random access memory (RAM)
- RAM is cleared when the router is rebooted or powered off
Local logging buffer
- Only a fixed amount of RAM is allocated to the buffer
- Once it is full, the oldest messages are overwritten
- Not persistent (rebooting or powering off loses it)
Syslog
- Mechanism to send logs to an external syslog server
- Logs are stored safely outside the router
Customer request:
- The log buffer on R7 fills too quickly. Increase the logging buffer size to 8192 bytes
- Reduce the size of the log by disabling milliseconds in the timestamps
### Current status
R7#show logging
R7#show logging | i Log Buffer
### Enlarge the buffer and drop the msec field from the timestamps
R7(config)#logging buffered 8192
R7(config)#service timestamps log datetime
Network Time Protocol(NTP)
Server
- Acts as the master clock (on IOS, ntp master with no stratum argument advertises stratum 8)
- Listens for requests from clients
Clients
- Request time directly from the server
NTP Broadcast
Server
- Acts as the master clock
- Sends NTP broadcasts
Clients
- Passively listen for NTP broadcasts
- Without NTP authentication, any host on the segment can broadcast time to them
Customer request:
- Configure R7 to act as an NTP server
- Configure R2 to get its time only from R7
### Server/client method
R7(config)#ntp master
R7#show ntp status
R2(config)#ntp server 10.0.27.7
R2#show ntp status
### Broadcast method
R7(config)#int fa0/0
R7(config-if)#ntp broadcast
R2(config)#int fa1/0
R2(config-if)#ntp broadcast client
Simple Network Management Protocol (SNMP)
Agent
- Runs on the device to be monitored
Notification host
- Receives notifications from the agent
SNMP Version 2c
- Uses a community string as its only credential
- Insecure: the community string is sent in cleartext, and there is no encryption
- Notifications are traps (informs are also available in v2c)
SNMP Version 3
- Provides authentication and encryption
- Uses a username
- Notifications can be traps or informs (informs are acknowledged by the host)
SNMP Traps
- Are not acknowledged by the host (fire and forget)
- Sent over UDP 162
SNMP Informs
- Are acknowledged by the host
- Also sent over UDP 162, and retransmitted by the agent until acknowledged
SNMPv3 Authentication and Encryption
- Authentication is called AUTH
- Encryption is called PRIV
- The resulting security levels are noAuthNoPriv, authNoPriv and authPriv
Customer request
- Configure R2 to send all possible SNMP traps to 192.168.78.12
- Use the community string “Cisco”
### Community strings are case-sensitive, so "Cisco" must be typed exactly as requested
R2(config)#snmp-server host 192.168.78.12 traps version 2c Cisco
R2(config)#snmp-server enable traps
### Verify setting
R2#show snmp host
NetFlow
- NetFlow tracks the number of bytes and packets used by each flow
NetFlow Versions
- Version 5 (can monitor only ingress)
- Version 9 (can monitor both ingress and egress)
Customer request:
- Configure NetFlow on R3 to monitor only ingress flows on subinterface S2/0.302
- Export to 192.168.168.168 on port 5858
- Use a NetFlow version that supports monitoring egress flows
R3(config)#ip flow-export version 9
R3(config)#ip flow-export destination 192.168.168.168 5858
R3(config)#int s2/0.302
R3(config-subif)#ip flow ingress
### Verify setting
R3#show ip flow export
R3#show ip cache flow
Flow Sampling
- NetFlow monitors all flows by default (can result in high bandwidth and CPU utilization)
- Sampling rates are expressed as 1 out of N packets, e.g. 1 out of 10 or 1 out of 100
- NetFlow samples packets, not flows
- Traffic sampled can be ingress, egress or both
- Monitoring of all flows on the interface must be disabled first
Customer request:
- Reconfigure NetFlow on R3 to monitor only 1% of ingress flows
R3(config)#flow-sampler-map FSM_1_PERCENT
R3(config-sampler)#mode random one-out-of 100
R3(config-sampler)#int s2/0.302
R3(config-subif)#no ip flow ingress
R3(config-subif)#flow-sampler FSM_1_PERCENT
### Verify setting
R3#show flow-sampler
R2#ping 4.4.4.4 repeat 100
IOS Security
Customer request:
- On R1, create a user account “admin” with credentials “cisco”
- The user should have unrestricted access to the router
- Enable any local user to login to R1 via SSH from 4.4.4.4 only
R1(config)#username admin privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#access-class 104 in
### Create the required access-list 104 (access-class only evaluates the source address)
R1(config)#access-list 104 permit tcp 4.4.4.4 0.0.0.0 any eq 22
### Verify connectivity from R4, sourcing the session from 4.4.4.4
R4(config)#ip ssh source-interface loopback 0
R4#ssh -l admin 1.1.1.1
Setup SSH
R1(config)#ip domain-name xyz.com
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
A 1024-bit modulus is weak by current standards: use 2048 bits where the platform allows it, and restrict the router to SSH version 2.
IPv6 Traffic Filters
IPv4 ACL
- Named or numbered
- Do not contain implicit permit statements (only the implicit deny at the end)
IPv6 ACL
- Named only
- Contain two implicit permit statements for neighbor discovery
- You must explicitly allow link-local addresses when whitelisting: routing protocol hellos (OSPFv3, EIGRP for IPv6, RIPng) and router advertisements are sourced from link-local addresses
Implicit statements in IPv6 ACLs
- Do not implicitly permit router advertisement and router solicitation messages, only NA and NS
- An explicit deny ipv6 any any placed in the list shadows these two entries, so ND breaks unless they are re-added above it
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Customer request:
- Configure traffic filtering on R1’s Serial2/1 interface to permit traffic only from 2001:db8:14::4
- Perform any other tasks as necessary to ensure existing IPv6 routing is not affected
R1(config)#ipv6 access-list ONLYR4
R1(config-ipv6-acl)#permit 2001:db8:14::4/128 any log
### Apply access-list to int S2/1
R1(config)#int S2/1
R1(config-if)#ipv6 traffic-filter ONLYR4 in
### Verify access-list (match counters show what is being permitted and denied)
R1#show ipv6 access-list
### Add link-local address of R4 so routing protocol traffic from R4 is still permitted
R1(config)#ipv6 access-list ONLYR4
R1(config-ipv6-acl)#permit fe80::14:4/128 any
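The evaluation order above (explicit entries, then the two implicit ND permits, then the implicit deny) is what makes the link-local entry necessary. The following is an added Python model of that order, not code from the original notes or from IOS; the lab addresses 2001:db8:14::4 and fe80::14:4 are taken from the request, while the multicast destinations, the OSPFv3 hello and the other hosts are constructed for illustration.

```python
"""Cisco-style IPv6 ACL evaluation, modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ipv6" matches any protocol
    src: str                       # prefix or "any"
    dst: str                       # prefix or "any"
    icmp_type: Optional[str] = None  # e.g. "nd-na", "nd-ns", "router-advertisement"


# The entries IOS appends to every IPv6 ACL, in this order
IMPLICIT = [
    Entry("permit", "icmp", "any", "any", "nd-na"),
    Entry("permit", "icmp", "any", "any", "nd-ns"),
    Entry("deny", "ipv6", "any", "any"),
]


def _match_addr(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def evaluate(acl, src, dst, proto, icmp_type=None):
    """Return the action of the first matching entry, as IOS does (first match wins)."""
    for e in acl + IMPLICIT:
        if e.proto not in ("ipv6", proto):
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        if _match_addr(e.src, src) and _match_addr(e.dst, dst):
            return e.action
    return "deny"  # not reached: IMPLICIT always ends with deny ipv6 any any


# ONLYR4 as first written (global address only) ...
onlyr4_v1 = [Entry("permit", "ipv6", "2001:db8:14::4/128", "any")]
# ... and after adding R4's link-local address
onlyr4_v2 = onlyr4_v1 + [Entry("permit", "ipv6", "fe80::14:4/128", "any")]


def check_routing_impact(acl):
    """Which packets from R4 get through? Destinations and protocols are constructed:
    ff02::5 is the OSPFv3 all-routers group, ff02::1 all-nodes, ff02::1:ff00:1 a
    solicited-node group."""
    return {
        "ospfv3_hello_from_link_local": evaluate(acl, "fe80::14:4", "ff02::5", "ospf"),
        "nd_ns_from_link_local": evaluate(acl, "fe80::14:4", "ff02::1:ff00:1", "icmp", "nd-ns"),
        "router_advertisement": evaluate(acl, "fe80::14:4", "ff02::1", "icmp", "router-advertisement"),
        "data_from_global": evaluate(acl, "2001:db8:14::4", "2001:db8:1::1", "tcp"),
        "data_from_other_host": evaluate(acl, "2001:db8:14::9", "2001:db8:1::1", "tcp"),
    }


if __name__ == "__main__":
    for name, acl in (("global only", onlyr4_v1), ("global + link-local", onlyr4_v2)):
        print(name, check_routing_impact(acl))
```

With only the global address permitted, NS from R4 still passes (implicit nd-ns), but the OSPFv3 hello and the router advertisement hit the implicit deny; the link-local entry is what restores them.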
IPv6 Flow Labels
- Random value of up to 20 bits (the size of the flow label field)
- Changes every minute
- Can be used to detect spoofing
Configuring a Router to Set the Flow Label
Sets the flow label on packets of 1280 bytes or larger (1280 bytes is the minimum IPv6 MTU)
R12(config)#ipv6 flowset
Unicast Reverse Path Forwarding (uRPF)
uRPF detects spoofed packets by checking:
- Receiving interface
- Source address
- FIB entry for source prefix
uRPF Mode
- Strict
- Loose
- VRF
uRPF (Strict Mode)
- The router drops the packet if the FIB entry for the source address does not point back out the receiving interface
- E.g. a packet from 1.2.3.4 comes in on Serial2/1 but the FIB shows 1.2.3.4 reachable via Ethernet0/0. The packet will be dropped.
- Breaks legitimate traffic where routing is asymmetric, so it belongs on edges with a single path (e.g. customer-facing interfaces)
uRPF (Loose Mode)
- The router drops the packet if it has no route to the source prefix in the FIB
- As long as some route back to the source exists via any interface, the packet is allowed
- In both modes the default route is ignored for the check unless the allow-default keyword is added; with allow-default, loose mode passes almost everything
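To make the strict/loose difference concrete, here is an added Python model of the check (not code from the original notes or from IOS). The FIB, the interface names and the 1.2.3.0/24 and 10.0.0.0/8 prefixes are constructed; only 1.2.3.4, Serial2/1, Ethernet0/0 and the lab's 4.4.4.4 and 6.6.6.6 addresses come from the text. It also shows the allow-default behaviour described above.

```python
"""Strict and loose uRPF decision logic, modelled in Python (added example)."""
import ipaddress

# Constructed FIB: prefix -> outgoing interface. A real FIB also carries the
# next hop; only the interface matters for the uRPF check.
FIB = {
    ipaddress.ip_network("4.4.4.4/32"): "Serial2/1",
    ipaddress.ip_network("1.2.3.0/24"): "Ethernet0/0",
    ipaddress.ip_network("10.0.0.0/8"): "Ethernet0/0",
    ipaddress.ip_network("0.0.0.0/0"): "Serial2/0",
}


def lookup(src, fib=FIB, allow_default=False):
    """Longest-prefix match for the source address.

    Without allow_default a match on 0.0.0.0/0 does not count, mirroring IOS,
    where uRPF ignores the default route unless allow-default is configured.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if addr not in prefix:
            continue
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, iface)
    return best


def urpf_check(src, in_iface, mode="strict", fib=FIB, allow_default=False):
    """Return True if a packet from src arriving on in_iface passes the check.

    strict: the FIB entry for the source must point back out in_iface
    loose:  any usable FIB entry for the source is enough
    """
    match = lookup(src, fib, allow_default)
    if match is None:
        return False  # no route to the source: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return match[1] == in_iface
    raise ValueError(f"unknown uRPF mode: {mode}")


if __name__ == "__main__":
    # The case from the notes: 1.2.3.4 arrives on Serial2/1 but is routed via Ethernet0/0
    print("strict:", urpf_check("1.2.3.4", "Serial2/1", "strict"))
    print("loose: ", urpf_check("1.2.3.4", "Serial2/1", "loose"))
    # 6.6.6.6 is covered only by the default route: dropped even in loose mode
    print("loose, default only:", urpf_check("6.6.6.6", "Serial2/1", "loose"))
    print("loose, allow-default:", urpf_check("6.6.6.6", "Serial2/1", "loose", allow_default=True))
```

The spoof test later in these notes (pinging from 6.6.6.6, an address R5 has no route to) corresponds to the default-route-only case here: it is dropped by strict mode, and would be dropped by loose mode as well.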
Customer request:
- Configure strict mode uRPF on R5’s Ethernet 0/0 interface
R5(config)#int Fa0/0
R5(config-if)#ip verify unicast source reachable-via rx
### Spoof a packet and test uRPF strict mode (R5 has a route to 4.4.4.4 but none to 6.6.6.6)
R4#ping 5.5.5.5 source 4.4.4.4
R4(config)#int loopback 6
R4(config-if)#ip address 6.6.6.6 255.255.255.255
R4#ping 5.5.5.5 source 6.6.6.6
### Verify uRPF (the drop counter should increase after the spoofed ping)
R5#show ip int fa0/0 | b verify
R5#show ip traffic | i RPF
Network Address Translation (NAT)
RFC 1918 private address ranges (the usual inside local addresses):
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
Static NAT
- Translates a single local IP address to a global IP address
- One-to-one mapping of local to global
Customer request:
- On R2 create a static NAT mapping between R2’s 10.0.23.2 & R7’s 10.0.27.7 address
### Inside interface
R2(config)#int fa1/0
R2(config-if)#ip nat inside
### Outside interface
R2(config-if)#int fa0/1
R2(config-if)#ip nat outside
### Translate inside local 10.0.27.7 to inside global 10.0.23.2
R2(config)#ip nat inside source static 10.0.27.7 10.0.23.2
### Verify setting
R2#show ip nat translations
Further verification (on R3, watch for ICMP arriving with the translated source 10.0.23.2)
R3(config)#ip access-list extended 107
R3(config-ext-nacl)#permit icmp 10.0.23.2 0.0.0.0 10.0.23.3 0.0.0.0
R3#debug ip packet 107
Dynamic NAT (never seen in real world)
- Performs dynamic, temporary one-to-one mappings
- Pulls inside global addresses from a pool
- Once the pool is exhausted, further inside hosts get no inside global address and their traffic is dropped
- Existing translations stay in the table and are not overwritten until they time out (the default dynamic translation timeout is 24 hours)
Customer request:
- Reconfigure R2 to dynamically map any 7.7.7.0/24 inside local addresses to the following inside global addresses
- 2.0.0.1/29
- 2.0.0.2/29
- 2.0.0.3/29
- Do not change the inside and outside interfaces
### Create inside local addresses on R7
R7(config)#int loopback 8
R7(config-if)#ip address 7.7.7.8 255.255.255.255
R7(config-if)#int loopback 9
R7(config-if)#ip address 7.7.7.9 255.255.255.255
R7(config-if)#int loopback 10
R7(config-if)#ip address 7.7.7.10 255.255.255.255
### Create inside global addresses on R2
R2(config)#int loopback 201
R2(config-if)#ip address 2.0.0.1 255.255.255.255
R2(config-if)#int loopback 202
R2(config-if)#ip address 2.0.0.2 255.255.255.255
R2(config-if)#int loopback 203
R2(config-if)#ip address 2.0.0.3 255.255.255.255
### Create NAT pool and ACL (netmask 255.255.255.248 is the /29 from the request)
R2(config)#ip nat pool R2NAT 2.0.0.1 2.0.0.3 netmask 255.255.255.248
R2(config)#ip nat inside source list 1 pool R2NAT
R2(config)#access-list 1 permit 7.7.7.0 0.0.0.255
### Test and verify (the fourth source has no free pool address and should fail)
R7#ping 3.3.3.3
R7#ping 3.3.3.3 source loopback 8
R7#ping 3.3.3.3 source loopback 9
R7#ping 3.3.3.3 source loopback 10
R2#show ip nat translations
Additional information
R2(config)#no ip nat pool R2NAT
%Pool R2NAT in use, cannot destroy
R2#clear ip nat translation *
### Existing translations must be cleared before a pool can be removed or edited
Overloading NAT with Port Address Translation (PAT)
Customer Request:
- Reconfigure R2 to perform port address translation using 10.0.23.2 as the inside global address
- Use ACL 1 for the inside source list
R2(config)#access-list 1 permit 7.7.7.0 0.0.0.255
### The named interface must hold 10.0.23.2; overload is what turns this into PAT
R2(config)#ip nat inside source list 1 interface fa0/0.203 overload
PAT overload with a Global Pool
The overload keyword allows multiple inside local hosts to hide behind a smaller number of global addresses; the source port is rewritten to keep the sessions apart
R2(config)#ip nat pool R2NAT 2.0.0.1 2.0.0.3 netmask 255.255.255.248
R2(config)#ip nat inside source list 1 pool R2NAT overload
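The three NAT variants covered above (static one-to-one, dynamic from a pool with exhaustion, and PAT overload) differ only in how the translation table is filled. The following Python model of that table is an added example, not code from the original notes or from IOS. The pool 2.0.0.1-2.0.0.3, the inside hosts 7.7.7.8-10, the static pair 10.0.27.7/10.0.23.2 and the 24-hour-until-cleared behaviour follow the lab; a fourth inside host 7.7.7.11, the source ports and the PAT port range starting at 1024 are constructed.

```python
"""Static NAT, dynamic NAT from a pool, and PAT overload as a translation table."""
import itertools


class NatTable:
    def __init__(self, pool=None, overload=False, static=None):
        self.pool = list(pool or [])            # inside global addresses
        self.overload = overload                # PAT: rewrite ports, reuse addresses
        self.static = dict(static or {})        # inside local -> inside global (one-to-one)
        self.translations = {}                  # (local ip, local port) -> (global ip, global port)
        self._pat_ports = itertools.count(1024)  # constructed start of the PAT port space

    def _free_global(self):
        """First pool address not already held by an existing translation."""
        used = {g for g, _ in self.translations.values()}
        return next((ip for ip in self.pool if ip not in used), None)

    def _existing_global(self, local_ip):
        """Dynamic NAT is per host: a second flow from the same host reuses its address."""
        return next((g for (l, _), (g, _) in self.translations.items() if l == local_ip), None)

    def translate(self, local_ip, local_port):
        """Return (inside global ip, port) for an outbound packet, or None when the
        pool is exhausted (the router drops the packet rather than translating it)."""
        key = (local_ip, local_port)
        if key in self.translations:
            return self.translations[key]
        if local_ip in self.static:
            entry = (self.static[local_ip], local_port)
        elif self.overload:
            # This model always uses the first pool address; IOS moves to the next
            # address only when the first one runs out of ports.
            entry = (self.pool[0], next(self._pat_ports))
        else:
            gip = self._existing_global(local_ip) or self._free_global()
            if gip is None:
                return None
            entry = (gip, local_port)
        self.translations[key] = entry
        return entry

    def clear(self):
        """Equivalent of 'clear ip nat translation *': frees every pool address."""
        self.translations.clear()


def run_lab():
    """Replay the three customer requests from the notes against the model."""
    static = NatTable(static={"10.0.27.7": "10.0.23.2"})
    dyn = NatTable(pool=["2.0.0.1", "2.0.0.2", "2.0.0.3"])
    pat = NatTable(pool=["10.0.23.2"], overload=True)
    hosts = (8, 9, 10, 11)  # 7.7.7.11 is a constructed fourth host
    return {
        "static": static.translate("10.0.27.7", 40000),
        # four hosts against a three-address pool: the fourth gets None
        "dynamic": [dyn.translate(f"7.7.7.{h}", 40000 + h) for h in hosts],
        # the same four hosts behind one address: all succeed, ports tell them apart
        "pat": [pat.translate(f"7.7.7.{h}", 40000 + h) for h in hosts],
    }


if __name__ == "__main__":
    for name, result in run_lab().items():
        print(name, result)
```

The dynamic case is the one that surprises people in the lab: the fourth ping source fails not because of an ACL but because no pool address is free, and it stays that way until the earlier translations expire or are cleared.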