CCNP 300-101 Route (Security)

Monitor

In order to report on something, you have to monitor it.

Logging

  • Stored in the router’s random access memory (RAM)
  • RAM is cleared when the router is rebooted or powered off

Local Logging buffer

  • Only so much is allocated to logging
  • The oldest information will be overwritten
  • Not persistent (rebooting or powering off will lose it)

Syslog

  • Mechanism to send logs to an external syslog server
  • Logs are stored safely outside the router

Customer request:

  • The log buffer on R7 fills too quickly. Increase the logging buffer size to 8192 bytes
  • Reduce the size of the log by disabling milliseconds in the timestamps
### Current status
R1#show logging
R1#show logging | i Log Buffer
### Apply the requested changes
R7(config)#logging buffered 8192
R7(config)#service timestamps log datetime

Network Time Protocol (NTP)

Server

  • Acts as the master clock
  • Listens for connections from clients

Clients

  • Request time directly from the server

NTP Broadcast

Server

  • Acts as the master clock
  • Sends NTP broadcasts

Clients

  • Passively listen for NTP broadcasts

Customer request:

  • Configure R7 to act as an NTP server
  • Configure R2 to get its time only from R7
### Client/server method
R7(config)#ntp master
R7#show ntp status

R2(config)#ntp server 10.0.27.7
R2#show ntp status
### Broadcast method
R7(config)#int fa0/0
R7(config-if)#ntp broadcast

R2(config)#int fa1/0
R2(config-if)#ntp broadcast client

Simple Network Management Protocol (SNMP)

Agent

  • Runs on the device to be monitored

Notification host

  • Receives notifications from the agent

SNMP Version 2c

  • Uses a community string
  • Insecure
  • Notifications are called Traps

SNMP Version 3

  • Provides authentication and encryption
  • Uses a username
  • Notifications are called informs (acknowledged by the host)

SNMP Traps

  • Are not acknowledged by the host
  • Sent over UDP 162

SNMP Informs

  • Are acknowledged by the host

SNMPv3 Authentication and Encryption

  • Authentication is called AUTH
  • Encryption is called PRIV

Customer request

  • Configure R2 to send all possible SNMP traps to 192.168.78.12
  • Use the community string “Cisco”
R2(config)#snmp-server host 192.168.78.12 traps version 2c Cisco
R2(config)#snmp-server enable traps
### Verify setting
R2#show snmp host

NetFlow

  • NetFlow tracks the number of bytes and packets used by each flow

NetFlow Versions

  • Version 5 (Can monitor only ingress)
  • Version 9 (Can monitor both ingress & egress)

Customer request:

  • Configure NetFlow on R3 to monitor only ingress flows on subinterface S2/0.302
  • Export to 192.168.168.168 on port 5858
  • Use a NetFlow version that supports monitoring egress flows
R3(config)#ip flow-export version 9
R3(config)#ip flow-export destination 192.168.168.168 5858
R3(config)#int s2/0.302
R3(config-if)#ip flow ingress
### verify setting
R3#show ip flow export
R3#show ip cache flow

Flow Sampling

  • NetFlow monitors all flows by default (can result in high bandwidth & CPU utilization)
  • NetFlow samples packets, not flows
  • e.g. 1 out of 10 packets
  • e.g. 1 out of 100 packets
  • Traffic sampled can be ingress, egress or both
  • Monitoring of all flows must be disabled first

Customer request:

  • Reconfigure NetFlow on R3 to monitor only 1% of ingress flows
R3(config)#flow-sampler-map FSM_1_PERCENT
R3(config-sampler)#mode random one-out-of 100
R3(config-sampler)#int s2/0.302
R3(config-if)#no ip flow ingress
R3(config-if)#flow-sampler FSM_1_PERCENT
### verify setting
R3#show flow-sampler
R2#ping 4.4.4.4 repeat 100
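The flow-sampler-map above switches R3 from counting every packet to keeping one random packet out of every hundred. The following Python is an added example, not part of these notes and not Cisco code: it builds a toy NetFlow cache keyed on the 5-tuple, models "random one-out-of N" sampling as picking one packet per window of N, and then scales the sampled counters back up the way a collector would. All packets are constructed; the flow names and functions are mine.

```python
"""Added example, not from the original notes: a toy NetFlow cache that counts
bytes and packets per flow, plus a 'random one-out-of N' packet sampler that
models the flow-sampler-map on this page. All packets below are constructed."""
import random
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int  # bytes on the wire


FlowKey = Tuple[str, str, str, int, int]


def flow_key(pkt: Packet) -> FlowKey:
    """A flow is identified by the 5-tuple; every packet sharing it is the same flow."""
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


def aggregate_flows(packets: List[Packet]) -> Dict[FlowKey, Dict[str, int]]:
    """Unsampled 'ip flow ingress': every packet updates its flow's counters."""
    flows: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        rec = flows[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += pkt.length
    return dict(flows)


def sample_one_out_of(packets: List[Packet], n: int, seed: int = 0) -> List[Packet]:
    """'mode random one-out-of N' as modelled here: from each window of N packets
    one packet is picked at random. Sampling works on packets, not flows, so a
    flow shorter than N packets may be missed entirely or over-counted."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    chosen = []
    for start in range(0, len(packets), n):
        window = packets[start:start + n]
        chosen.append(window[rng.randrange(len(window))])
    return chosen


def estimate_from_sample(sampled: List[Packet], n: int) -> Dict[FlowKey, Dict[str, int]]:
    """A collector scales sampled counters by N to estimate the real totals."""
    return {k: {"packets": v["packets"] * n, "bytes": v["bytes"] * n}
            for k, v in aggregate_flows(sampled).items()}


def build_traffic() -> List[Packet]:
    """Constructed traffic: a 1000-packet ICMP flow (like the 'ping ... repeat'
    in the notes, only longer) followed by a 5-packet SSH flow."""
    pings = [Packet("10.0.23.2", "4.4.4.4", "icmp", 0, 0, 100) for _ in range(1000)]
    ssh = [Packet("4.4.4.4", "1.1.1.1", "tcp", 40000, 22, 60) for _ in range(5)]
    return pings + ssh


PING_FLOW: FlowKey = ("10.0.23.2", "4.4.4.4", "icmp", 0, 0)
SSH_FLOW: FlowKey = ("4.4.4.4", "1.1.1.1", "tcp", 40000, 22)

if __name__ == "__main__":
    traffic = build_traffic()
    full = aggregate_flows(traffic)
    sampled = sample_one_out_of(traffic, 100)
    est = estimate_from_sample(sampled, 100)
    print("exact   :", full[PING_FLOW], full[SSH_FLOW])
    print("sampled :", len(sampled), "of", len(traffic), "packets kept")
    print("estimate:", est[PING_FLOW], est.get(SSH_FLOW))
```

Running it shows why the notes stress that NetFlow samples packets rather than flows: the long ping flow is estimated accurately (10 samples scaled by 100 gives 1000 packets), but the 5-packet SSH flow, which happens to land alone in the last window, is reported as 100 packets. Short flows are the ones whose counts you cannot trust when sampling is on.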

IOS Security

Customer request:

  • On R1, create a user account “admin” with credentials “cisco”
  • The user should have unrestricted access to the router
  • Enable any local user to login to R1 via SSH from 4.4.4.4 only
R1(config)#username admin privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#access-class 104 in
### Create the required access-list 104
R1(config)#access-list 104 permit tcp 4.4.4.4 0.0.0.0 any eq 22
### Verify connectivity
R4(config)#ip ssh source-interface loopback 0
R4#ssh -l admin 1.1.1.1

Setup SSH

R1(config)#ip domain-name xyz.com
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024

IPv6 Traffic Filters

IPv4 ACL

  • Named or numbered
  • Do not contain implicit permit statements

IPv6 ACL

  • Named only
  • Contain two implicit permit statements for neighbor discovery
  • You must explicitly allow link-local addresses when whitelisting

Implicit Statements in IPv6 ACLs

  • The two implicit permit statements only cover neighbor advertisement and neighbor solicitation
  • They do not implicitly permit router advertisement and router solicitation messages
permit icmp any any nd-na
permit icmp any any nd-ns

Customer request:

  • Configure traffic filtering on R1’s Serial2/1 interface to permit traffic only from 2001:db8:14::4
  • Perform any other tasks as necessary to ensure existing IPv6 routing is not affected
R1(config)#ipv6 access-list ONLYR4
R1(config-ipv6-acl)#permit 2001:db8:14::4/128 any log

### Apply access-list to int S2/1
R1(config)#int S2/1
R1(config-if)#ipv6 traffic-filter ONLYR4 in

### Verify access-list
R1#show ipv6 access-list

### Add Link-local address of R4
R1(config)#ipv6 access-list ONLYR4
R1(config-ipv6-acl)#permit fe80::14:4/128 any
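The implicit entries explain why the first version of ONLYR4 breaks routing and why the link-local line has to be added. The following Python is an added example, not from these notes and not Cisco code: a small IPv6 ACL evaluator that appends the two implicit nd-na/nd-ns permits and the implicit deny to whatever is configured, then runs four constructed packets through ONLYR4 before and after the link-local entry. The addresses, ICMPv6 types and packet names are test data I made up around the prefixes in the notes.

```python
"""Added example, not from the notes: an IPv6 ACL evaluator that models the two
implicit neighbor-discovery permits and the implicit deny that IOS appends to
every IPv6 ACL, to show why link-local sources still need an explicit entry.
Addresses and ICMPv6 types below are constructed test data."""
import ipaddress
from typing import List, NamedTuple, Optional

# ICMPv6 neighbor-discovery message types (RFC 4861)
ND_RS, ND_RA, ND_NS, ND_NA = 133, 134, 135, 136


class Ace(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "any", "icmp", "tcp", ...
    src: str                    # IPv6 prefix or "any"
    dst: str
    icmp_type: Optional[int] = None


class Pkt(NamedTuple):
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None


# What IOS adds to the end of every IPv6 ACL: the page's two implicit permits, then deny
IMPLICIT = [
    Ace("permit", "icmp", "any", "any", ND_NA),   # permit icmp any any nd-na
    Ace("permit", "icmp", "any", "any", ND_NS),   # permit icmp any any nd-ns
    Ace("deny", "any", "any", "any"),             # implicit deny
]


def _addr_match(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def ace_matches(ace: Ace, pkt: Pkt) -> bool:
    if ace.proto != "any" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Pkt) -> str:
    """First matching entry wins; configured entries are checked before the implicit ones."""
    for ace in acl + IMPLICIT:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # not reachable: the implicit deny matches everything


# ONLYR4 as first configured in the notes, and after the link-local entry is added
ONLYR4 = [Ace("permit", "any", "2001:db8:14::4/128", "any")]
ONLYR4_FIXED = ONLYR4 + [Ace("permit", "any", "fe80::14:4/128", "any")]

# Constructed packets arriving inbound on the filtered interface
SAMPLES = {
    "r4_global": Pkt("tcp", "2001:db8:14::4", "2001:db8:1::1"),        # wanted traffic
    "other_host": Pkt("tcp", "2001:db8:14::9", "2001:db8:1::1"),       # should be blocked
    "r4_ns": Pkt("icmp", "fe80::14:4", "ff02::1:ff00:1", ND_NS),       # neighbor solicitation
    "r4_ra": Pkt("icmp", "fe80::14:4", "ff02::1", ND_RA),              # router advertisement
}


def decisions(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("before link-local entry:", decisions(ONLYR4))
    print("after link-local entry: ", decisions(ONLYR4_FIXED))
```

With only the global /128 entry, the neighbor solicitation from R4's link-local address still passes (implicit nd-ns), but its router advertisement is dropped by the implicit deny, which is exactly the kind of control-plane traffic that quietly breaks when an IPv6 filter is applied. Adding the fe80::14:4/128 permit, as the notes do, restores it.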

IPv6 Flow Labels

  • Random value up to 20 bits
  • Changes every minute
  • Can be used to detect spoofing

Configuring a Router to Set the Flow Label

Sets the flow label on packets greater than 1280 bytes (minimum IPv6 path MTU)

R12(config)#ipv6 flowset

Unicast Reverse Path Forwarding (uRPF)

uRPF detects spoofed packets by checking:

  • Receiving interface
  • Source address
  • FIB entry for source prefix

uRPF Mode

  • Strict
  • Loose
  • VRF

uRPF (Strict Mode)

  • The router drops the packet if the source address and interface do not match a FIB entry
  • E.g. a packet from 1.2.3.4 comes in on Serial2/1 but the FIB shows 1.2.3.4 reachable via Ethernet0/0. The packet will be dropped.

uRPF (Loose Mode)

  • The router drops the packet if it has no route to the source prefix in the FIB
  • As long as it has some route back to the source on any of its interfaces, packets are allowed

Customer request:

  • Configure strict mode uRPF on R5’s Ethernet 0/0 interface
R5(config)#int Fa0/0
R5(config-if)#ip verify unicast source reachable-via rx
### Spoof packet and test uRPF strict mode
R4#ping 5.5.5.5 source 4.4.4.4
R4(config)#int loopback 6
R4(config-if)#ip address 6.6.6.6 255.255.255.255
R4#ping 5.5.5.5 source 6.6.6.6
### Verify uRPF
R5#show ip int fa0/0 | b verify
R5#show ip traffic | i RPF
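The difference between the strict and loose checks, and why the 6.6.6.6 ping above is dropped, is easiest to see as a lookup on the source address. The following Python is an added example, not from these notes and not Cisco code: it models the uRPF decision against a constructed FIB, including the page's Serial2/1 versus Ethernet0/0 example and the spoofed 6.6.6.6 source. The FIB entries, interface names and the allow_default flag (modelled on the IOS allow-default keyword) are my assumptions for the demo.

```python
"""Added example, not from the notes: a model of the per-packet uRPF decision
(strict, loose, and the effect of a default route) using a constructed FIB."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, outgoing interface)

# Constructed FIB for the demo; the first entry is the page's own example
CONSTRUCTED_FIB: List[Route] = [
    ("1.2.3.0/24", "Ethernet0/0"),   # 1.2.3.4 is reachable via Ethernet0/0
    ("4.4.4.4/32", "Serial2/1"),     # R4's loopback, learned across the serial link
    ("10.0.45.0/24", "Serial2/1"),
]


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the FIB lookup uRPF performs on the *source* address."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(fib: List[Route], src: str, in_iface: str,
               mode: str = "strict", allow_default: bool = False) -> str:
    """Return 'forward' or 'drop'.
    strict  ('reachable-via rx'):  the best route to the source must point back out
                                   the interface the packet arrived on.
    loose   ('reachable-via any'): any route to the source is enough.
    A default route satisfies neither unless allow_default is set (IOS allow-default)."""
    route = lookup(fib, src)
    if route is None:
        return "drop"                       # no route to the source at all
    prefix, iface = route
    if ipaddress.ip_network(prefix).prefixlen == 0 and not allow_default:
        return "drop"                       # only the default route matched
    if mode == "loose":
        return "forward"
    return "forward" if iface == in_iface else "drop"


def demo() -> dict:
    """Runs the page's scenarios: the 1.2.3.4 example, R4's real source, and the
    spoofed 6.6.6.6 source, with and without a default route in the FIB."""
    fib = CONSTRUCTED_FIB
    with_default = fib + [("0.0.0.0/0", "Ethernet0/0")]
    return {
        "page_example_strict": urpf_check(fib, "1.2.3.4", "Serial2/1"),
        "page_example_loose": urpf_check(fib, "1.2.3.4", "Serial2/1", "loose"),
        "legit_r4_strict": urpf_check(fib, "4.4.4.4", "Serial2/1"),
        "spoofed_6666_strict": urpf_check(fib, "6.6.6.6", "Serial2/1"),
        "spoofed_6666_loose": urpf_check(fib, "6.6.6.6", "Serial2/1", "loose"),
        "spoofed_6666_loose_default": urpf_check(with_default, "6.6.6.6", "Serial2/1", "loose"),
        "spoofed_6666_loose_allow_default": urpf_check(with_default, "6.6.6.6", "Serial2/1",
                                                       "loose", allow_default=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

The last two cases are the practical caveat: on a router that carries a default route, loose mode only keeps dropping unroutable sources because the default route is ignored by the check; turning on allow-default makes loose mode pass everything, which is rarely what was intended.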

Network Address Translation (NAT)

Private address ranges (RFC 1918):

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

Static NAT

  • Translates a single local IP address to a global IP address
  • One-to-one mapping of local to global

Customer request:

  • On R2 create a static NAT mapping between R2’s 10.0.23.2 & R7’s 10.0.27.7 address

### INSIDE
R2(config)#int fa1/0
R2(config-if)#ip nat inside

### OUTSIDE
R2(config-if)#int fa0/1
R2(config-if)#ip nat outside

### Translate inside local (10.0.27.7) to inside global (10.0.23.2)
R2(config)#ip nat inside source static 10.0.27.7 10.0.23.2

### Verify setting
R2#show ip nat translations

Further verification

R3(config)#ip access-list extended 107
R3(config-ext-nacl)#permit icmp 10.0.23.2 0.0.0.0 10.0.23.3 0.0.0.0
R3#debug ip packet 107

Dynamic NAT (never seen in real world)

  • Performs dynamic temporary one-to-one mapping
  • Pulls inside global addresses from a pool
  • Once the address pool is exhausted, no more inside hosts will be allocated to an inside global address
  • Existing translations remain in place and do not get overwritten until they expire (the default timeout is 24 hours)

Customer request:

  • Reconfigure R2 to dynamically map any 7.7.7.0/24 inside local addresses to the following inside global addresses
  • 2.0.0.1/29
  • 2.0.0.2/29
  • 2.0.0.3/29
  • Do not change the inside and outside interfaces
### Create inside local addresses
R7(config)#int loopback 8
R7(config-if)#ip address 7.7.7.8 255.255.255.255
R7(config-if)#int loopback 9
R7(config-if)#ip address 7.7.7.9 255.255.255.255
R7(config-if)#int loopback 10
R7(config-if)#ip address 7.7.7.10 255.255.255.255

### Create inside global addresses
R2(config)#int loopback 201
R2(config-if)#ip address 2.0.0.1 255.255.255.255
R2(config-if)#int loopback 202
R2(config-if)#ip address 2.0.0.2 255.255.255.255
R2(config-if)#int loopback 203
R2(config-if)#ip address 2.0.0.3 255.255.255.255

### Create NAT POOL and ACL
R2(config)#ip nat pool R2NAT 2.0.0.1 2.0.0.3 netmask 255.255.255.248
R2(config)#ip nat inside source list 1 pool R2NAT
R2(config)#access-list 1 permit 7.7.7.0 0.0.0.255
### Test & Verify
R7#ping 3.3.3.3
R7#ping 3.3.3.3 source loopback 8
R7#ping 3.3.3.3 source loopback 9
R7#ping 3.3.3.3 source loopback 10
R2#show ip nat translations

Additional information

R2(config)#no ip nat pool R2NAT
%Pool R2NAT in use, cannot destroy
R2#clear ip nat translation *
### Existing translations must be cleared before the pool can be removed or edited

Overloading NAT with Port Address Translation (PAT)

Customer Request:

  • Reconfigure R2 to perform port address translation using 10.0.23.2 as the inside global address
  • Use ACL 1 for the inside source list
R2(config)#access-list 1 permit 7.7.7.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface fa0/0.203 overload

PAT overload with a Global Pool

The overload keyword allows multiple inside local hosts to hide behind a smaller number of global addresses

R2(config)#ip nat pool R2NAT 2.0.0.1 2.0.0.3 netmask 255.255.255.248
R2(config)#ip nat inside source list 1 pool R2NAT overload
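The three NAT forms on this page (static one-to-one, dynamic one-to-one from a pool, and PAT overload), plus the "Pool in use, cannot destroy" error, come down to how the translation table is filled. The following Python is an added example, not from these notes and not Cisco code: a toy translation table that walks through the same lab addresses (10.0.27.7 to 10.0.23.2, the 7.7.7.0/24 hosts, the 2.0.0.1 to 2.0.0.3 pool). The class, its method names and the port-allocation rule are my simplification, not IOS behaviour in detail.

```python
"""Added example, not from the notes: a toy NAT translation table covering
static one-to-one NAT, dynamic NAT from a pool that can run out, and PAT
overload sharing one global address by port. Addresses come from the notes'
lab; the allocation rules are a simplification for the demo."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class NatTable:
    def __init__(self) -> None:
        self.static: Dict[str, str] = {}        # inside local -> inside global
        self.dynamic: Dict[str, str] = {}       # inside local -> inside global (from pool)
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (local, port) -> (global, port)
        self.pool: List[str] = []
        self.next_port = 1024                   # constructed starting port for remapped sessions

    def add_static(self, local: str, glob: str) -> None:
        """ip nat inside source static LOCAL GLOBAL"""
        self.static[local] = glob

    def set_pool(self, first: str, last: str) -> None:
        """ip nat pool NAME FIRST LAST netmask ..."""
        a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]

    def remove_pool(self) -> None:
        """no ip nat pool NAME: refused while any translation still uses the pool"""
        if self.dynamic:
            raise RuntimeError("Pool in use, cannot destroy")
        self.pool = []

    def translate_dynamic(self, local: str) -> Optional[str]:
        """Dynamic NAT: hand out a free pool address; None once the pool is exhausted."""
        if local in self.dynamic:
            return self.dynamic[local]
        in_use = set(self.dynamic.values())
        for g in self.pool:
            if g not in in_use:
                self.dynamic[local] = g
                return g
        return None

    def translate_pat(self, local: str, port: int, glob: str) -> Tuple[str, int]:
        """PAT overload: many locals share one global, told apart by source port.
        The original port is kept if it is free on the global address, else a new one is picked."""
        key = (local, port)
        if key not in self.pat:
            used = {gp for (g, gp) in self.pat.values() if g == glob}
            gport = port if port not in used else self._free_port(used)
            self.pat[key] = (glob, gport)
        return self.pat[key]

    def _free_port(self, used: set) -> int:
        while self.next_port in used:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def clear(self) -> None:
        """clear ip nat translation *"""
        self.dynamic.clear()
        self.pat.clear()


def demo() -> dict:
    nat = NatTable()
    nat.add_static("10.0.27.7", "10.0.23.2")          # static NAT from the notes
    nat.set_pool("2.0.0.1", "2.0.0.3")                # pool R2NAT
    out = {"static": nat.static["10.0.27.7"]}
    # four inside hosts against a three-address pool: the fourth gets nothing
    out["dynamic"] = [nat.translate_dynamic(f"7.7.7.{i}") for i in (8, 9, 10, 11)]
    try:
        nat.remove_pool()
        out["remove_while_in_use"] = "removed"
    except RuntimeError as err:
        out["remove_while_in_use"] = str(err)
    nat.clear()                                        # clear ip nat translation *
    out["after_clear"] = nat.translate_dynamic("7.7.7.11")
    # PAT overload: all four hosts behind 10.0.23.2, separated by port
    out["pat"] = [nat.translate_pat(f"7.7.7.{i}", 40000, "10.0.23.2") for i in (8, 9, 10, 11)]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The dynamic run shows the pool-exhaustion bullet from the notes (the fourth host gets None until something is cleared), the remove_pool call reproduces the "Pool R2NAT in use" refusal, and the PAT run shows why one global address is enough once the source port becomes part of the key.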
