• Rollback configuration
• Restore configuration in case of a broken router

There are two ways to backup: manually (using write command each time that you would save running configuration) or automatically (using software like Ciscoworks, HP OpenView, … ).

In this tutorial, I would explain a different method to backup configuration: the archive command.

Introduced into Cisco IOS Release 12.3(4)T, the archive command permits to save a copy of the current running configuration to different path: ftp, http, https, rcp, scp, tftp servers. Moreover the archive command has other features, but in this article I would use only two of these:

• time-period: it sets the time increment for automatically saving an archive file of the current running configuration in the Cisco IOS configuration archive.
• write-memory: it enable automatic backup generation during write memory; for instance, when I use the ‘write’ command the archive command will be invoked automatically.

Example: Implement and test archive command

Suppose to have a network (192.168.217.0/24) with an FTP-Server (.1). It is required to save the running configuration to the FTP-Server each day (1440 minutes). The FTP-Server has an FTP account with username: cisco and password: lab.

First of all, it is required access to the archive configuration mode:

Ciscozine(config)#archive

Now it is possible define the destination path. In this example, I use the FTP protocol to send the running configuration; the name ‘$h’ instructs the system to use the router hostname when naming the archived configuration (in this case $h is equal to Ciscozine).

Ciscozine(config-archive)#path ftp://cisco:lab@192.168.217.1/$h

To instruct the router to save the configuration each day (1440 minutes) and to enable automatic backup generation when write memory command is typed, use:

Ciscozine(config-archive)#time-period 1440
Ciscozine(config-archive)#write-memory

To see how many configurations are been saved use the command ’show archive’:

Ciscozine#sh archive
The next archive file will be named
                      ftp://cisco:lab@192.168.217.1/Ciscozine-17
Archive #  Name
0       ftp://cisco:lab@192.168.217.1/Ciscozine-15
1       ftp://cisco:lab@192.168.217.1/Ciscozine-16 <- Most Recent
2       ftp://cisco:lab@192.168.217.1/Ciscozine-2
3       ftp://cisco:lab@192.168.217.1/Ciscozine-3
4       ftp://cisco:lab@192.168.217.1/Ciscozine-4
5       ftp://cisco:lab@192.168.217.1/Ciscozine-5
6       ftp://cisco:lab@192.168.217.1/Ciscozine-6
7       ftp://cisco:lab@192.168.217.1/Ciscozine-7
8       ftp://cisco:lab@192.168.217.1/Ciscozine-8
9       ftp://cisco:lab@192.168.217.1/Ciscozine-9
10       ftp://cisco:lab@192.168.217.1/Ciscozine-10
11       ftp://cisco:lab@192.168.217.1/Ciscozine-11
12       ftp://cisco:lab@192.168.217.1/Ciscozine-12
13       ftp://cisco:lab@192.168.217.1/Ciscozine-13
14       ftp://cisco:lab@192.168.217.1/Ciscozine-14
Ciscozine#

To display the differences between two config files use the ’show archive config differences’; for instance, to find the differences between the startup-config and the ‘Ciscozine-8′ file, type:

NEW-CISCOZINE#show archive config differences nvram:startup-config
    ftp://cisco:lab@192.168.217.1/Ciscozine-8
Loading Ciscozine-8 !
[OK - 717/4096 bytes]

Contextual Config Diffs:
+hostname Ciscozine

-hostname NEW-CISCOZINE
NEW-CISCOZINE#

As you can see, there are two differences: the hostname saved in the startup-configuration file (NEW-CISCOZINE) is different from the Ciscozine-8 file (Ciscozine).

Remember: If the router is reloaded, the system will restart to save the configuration with the counter equal to one (for example Ciscozine-1). So the previous configurations will be overwritten!

References: http://www.cisco.com/…/cfrgt_01.html#wp1094403

© Fabio Semperboni for CiscoZine, 2010. | Permalink | One comment
Post tags: Advanced configuration, Archive, Video

After the upgrading, I have tried to downlad an ISO image but the speed was very low (about 300KB/s and not 700KB/s). Mhhh this is strange! I have begun the troubleshooting but no error, no warning message. So I have reset my current configuration, but nothing… no real improvement.

Fortunately my better friend (google hihihi) help me and I have found how to fix the ‘download speed’: define manually the ‘clockrate’ into the atm interface!

Ciscozine(config-if)#clock rate aal5 ?
        1000000
        1300000
        1600000
        2000000
        2600000 (default)
        3200000
        4000000
        5300000
        7000000

  <1000000-7000000>  clock rates in bits per second,
                     choose one from above

Ciscozine(config-if)#

In fact, if you don’t define the clock rate command into the atm interface, the IOS set to 2600000 this parameter. To force it, use the command ‘clock rate aal5′; in my case I use the command ‘clock rate aal5 7000000′.

Below the download speed test guarantee the bandwith improvement.

Without clock rate command

With clock rate command

That’s all! I hope this tutorial can help you!

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: ADSL, Advanced configuration, Tips

The router is typically segmented into three planes of operation, each with a clearly identified objective:

• the data plane allows the ability to forward data packets
• the control plane allows the ability to route data correctly
• the management plane allows the ability to manage network elements.

The vast majority of packets handled by a router travel through the router by way of the forwarding plane, or data plane. However, the system’s route processor must handle certain packets, such as routing protocols, keepalives, packets destined to the local IP addresses of the router, and packets from management protocols and other interactive access protocols, such as Telnet and Secure Shell (SSH) Protocol. This type of traffic is often referred to as control plane traffic.

Packet overloads on a router’s control plane can slow down routing processes and, as a result, degrade network service levels and user productivity. One cause for an overburdened router control plane is a router making inefficient use of shared CPU and memory resources. The same result can occur if reconnaissance or denial-of-service (DoS) attacks appear on the control plane, or if a routing protocol otherwise misbehaves.

For example, if a high volume of rogue packets generated by a virus or worm is presented to the control plane, the router will spend an excessive amount of time processing and discarding unnecessary traffic. This can eventually overwhelm the route processor, which is responsible for handling router control plane functions, and possibly bring router processes to a halt.

Following is an overview of several Cisco IOS Software security features that protect the control plane of networking devices.

• Receive Access Control Lists: Receive Access Controls Lists (rACLs) are designed to protect the route processor on high-end routers from unnecessary traffic that could potentially affect system performance.
  The rACL feature uses standard or extended ACLs that control the traffic sent by the various line cards to the route processor on distributed architectures such as Cisco 12000 Series Routers. An rACL does not apply to transit traffic.
• Control Plane Policing: The control plane policing (CoPP) feature significantly improves upon the rACL feature. Whereas rACLs allow the configuration of basic “permit” and “deny” filters for traffic destined to the router CPU, the CPP feature extends this by allowing users to configure a quality of service (QoS) filter that can also “rate-limit” this traffic.
• Control Plane Protection: Cisco Control Plane Protection (CPPr) extends the CPP feature by enabling classification of the control plane traffic based on packet destination and information provided by the forwarding plane, allowing appropriate throttling for each category of packet.

In this article I will explain the control plane policing (CoPP), a feature introduced with release 12.2(18)S.

The CoPP feature protects the control plane of Cisco IOS Software-based routers and switches against many attacks, including reconnaissance and denial-of-service (DoS) attacks. In this manner, the control plane can maintain packet forwarding and protocol state despite an attack or heavy load on the router or switch.

CoPP provides the following benefits:

• Protection against DoS attacks at infrastructure routers and switches
• QoS control for packets that are destined to the control plane of Cisco routers or switches
• Ease of configuration for control plane policies
• Better platform reliability and availability

Example: Implement and test CoPP feature
Suppose to have a network (192.168.144.0/24) with two routers (.252 and .253) and an untrusted PC (.100). It is required to protect Ciscozine1 control plane from ICMP flood attack.

Ciscozine2 (the trusted host) can forward ICMP packets to the control plane without constraint, while all remaining ICMP packets will be policed at the specified rate.

To test the CoPP feature, I use the ping command, with a size of 1250byte. As you can see, all ICMP packets sent by Ciscozine2 are received, while some ICMP packets from the Untrusted_pc are lost due to the control plane policing feature.

To display the configuration and statistics for a traffic class or all traffic classes in the policy maps attached to the control plane for aggregate or distributed control plane services, use the show policy-map control-plane command in privileged EXEC mode.

Ciscozine1#show policy-map control-plane
 Control Plane

  Service-policy input: control-plane-policing-test

    Class-map: block-untrusted-icmp (match-all)
      5246 packets, 3764458 bytes
      5 minute offered rate 10000 bps, drop rate 6000 bps
      Match: access-group 100
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 3536 packets, 1386530 bytes; actions:
          transmit
        exceeded 1710 packets, 2377928 bytes; actions:
          drop
        conformed 4000 bps, exceed 6000 bps

    Class-map: class-default (match-any)
      1478 packets, 132467 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Ciscozine1#

Ciscozine1 (partial) configuration:
Ciscozine1#
!
hostname Ciscozine1
!
class-map match-all block-untrusted-icmp
 match access-group 100
!
!
policy-map control-plane-policing-test
 class block-untrusted-icmp
    police 8000 conform-action transmit  exceed-action drop
!
interface FastEthernet0/0
 ip address 192.168.144.252 255.255.255.0
 duplex auto
 speed auto
!
access-list 100 deny   icmp host 192.168.144.253 any
access-list 100 permit icmp any any
!
control-plane
 service-policy input control-plane-policing-test


References:

• http://www.cisco.com/…/gtrtlimt.html
• http://www.cisco.com/…/prod_white_paper0900aecd805ffde8.html
• http://www.cisco.com/…/prod_presentation0900aecd80313fee.pdf

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: Advanced configuration, DOS, QOS, Secure a router, Video

The OSPF protocol is based on link-state technology, which is a departure from the Bellman-Ford vector based algorithms used in traditional Internet routing protocols such as RIP. OSPF has introduced new concepts such as authentication of routing updates, Variable Length Subnet Masks (VLSM), route summarization, and so forth.

An OSPF network can be divided into sub-domains called areas. An area is a logical collection of OSPF networks, routers, and links that have the same area identification. A router within an area must maintain a topological database for the area to which it belongs. The router doesn’t have detailed information about network topology outside of its area, thereby reducing the size of its database.

All areas in an OSPF autonomous system must be physically connected to the backbone area (area 0). In some cases where this physical connection is not possible, you can use a virtual link to connect to the backbone through a non-backbone area. You can also use virtual links to connect two parts of a partitioned backbone through a non-backbone area. The area through which you configure the virtual link, known as a transit area, must have full routing information. The transit area cannot be a stub area.

Example:
Suppose to manage a network running an OSPF process. The network has three areas: area0 (the backbone), area2 and area3.

The area0 has four networks:

• 1.0.0.0/24

• 1.0.1.0/24

• 1.0.2.0/24

• 1.0.3.0/24

The area2 has two networks:

• 2.0.0.0/24

• 2.0.1.0/24

The area3 is connected to the area0 via area2 and it has two networks:

• 3.0.0.0/24

• 3.0.1.0/24

In this example, we must configure three routers: Ciscozine1, Ciscozine2 and Ciscozine3. Ciscozine1 belongs to Area0 and Area2, Ciscozine2 belongs to Area2. Ciscozine3 belongs to Area2 and Area3, but due to OSPF constraint (all areas in an OSPF autonomous system must be physically connected to the backbone area), the Ciscozine3 router requires a Virtual-link.

Tips:

• For convenience, the networks 1.0.0.0/22 and 3.0.0.0/23 will be defined using loopback interfaces.
• To advertises the loopback subnet as the actual subnet configured on loopbacks, the “ip ospf network point-to-point” command is configured under loopbacks.
• Router ID: It’s a 32-bit number assigned to each router running the OSPF protocol. This number uniquely identifies the router within an Autonomous System. RID is the highest logical (loopback) IP address configured on a router, if no logical/loopback IP address is set then the Router uses the highest IP address configured on its active interfaces. In this example, to have more control, I have chose to define statically the RID using the “router-id” command

Below, the router configurations based on four steps:

1. Interface configuration
2. Test connectivity
3. OSPF configuration
4. Virtual Link

The three (partial) router configurations:

Ciscozine1#
!
interface Loopback0
 ip address 1.0.0.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback1
 ip address 1.0.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 1.0.2.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback3
 ip address 1.0.3.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 description Link-to-Ciscozine2
 ip address 2.0.0.1 255.255.255.0
!
router ospf 1
 router-id 1.0.0.1
 area 2 virtual-link 3.0.0.1
 network 1.0.0.0 0.0.3.255 area 0
 network 2.0.0.0 0.0.0.255 area 2

 

Ciscozine2#
!
interface FastEthernet0/0
 description Link-to-Ciscozine1
 ip address 2.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 description Link-to-Ciscozine3
 ip address 2.0.1.1 255.255.255.0
!
router ospf 1
 router-id 2.0.0.2
 network 2.0.0.0 0.0.1.255 area 2

Ciscozine3#
!
interface Loopback0
 ip address 3.0.0.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback1
 ip address 3.0.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 description Link-to-Ciscozine2
 ip address 2.0.1.2 255.255.255.0
!
router ospf 1
 router-id 3.0.0.1
 area 2 virtual-link 1.0.0.1
 network 2.0.1.0 0.0.0.255 area 2
 network 3.0.0.0 0.0.1.255 area 3

Remember: To display parameters about and the current state of OSPF virtual links, use the “show ip ospf virtual-links” command in EXEC mode.

Note: You can also build a generic routing encapsulation (GRE) tunnel between two routers and put the tunnel in Area 0. The main differences between a GRE tunnel and a virtual link are:

References:

• http://www.cisco.com/…/support_sub-protocol_home.html

• http://www.cisco.com/…/configuration_example09186a00801ec9ee.shtml

• http://www.cisco.com/…/configuration_example09186a00800946bd.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: Advanced configuration, OSPF, Routing, Video

But if you would do it, there is a pretty trick : it’s the “test crash” command, an hidden IOS command. This can help you if you are lucky enough to have the real crash exactly like one of those you can test with “test crash” command.

Below, the test crash menu:

Ciscozine#test crash
WARNING: Command selections marked with '(crash router)' will crash
         router when issued. However a selection 'C' will need to
         be issued IMMEDIATELY before these selections to enable them.
Type the number for the selected crash:
--------------------------------------
 1  (crash router) Bus Error, due to invalid address access
 2  (crash router) Bus Error, due to parity error in Main memory
 3  (crash router) Bus Error, due to parity error in I/O memory
 4  (crash router) Address Error, due to fetching code from odd address
 5  (crash router) Jump to zero
 6  (crash router) Software forced crash
 7  (crash router) Illegal read of address zero
 8  (crash router) Divide by zero
 9  (crash router) Corrupt memory
 C  Enable crash router selection marked with (crash router)
 R  (crash router) User enter read bus error address
 U  (crash router) User enter write bus error address
 W  (crash router) Software watchdog timeout (*** Watch Dog Timeout ***)
 w  (crash router) Process watchdog timeout (SYS-2-WATCHDOG)
 d  Disable crashinfo collection
 e  Enable crashinfo collection
 i  Display contents of current crashinfo flash file
 m  Write crashinfo on crashinfo RAM
 n  Change crashinfo flash file name
 q  Exit crash menu
 s  Save crashinfo to current crashinfo flash file
 c  Close current crashinfo flash file
 t  Write crashinfo on console TTY
 x  Exit crash menu
?

To generate a Cisco crash, type “C” to enable Cisco crash feature. Then select the crash type that you would generate.

How Cisco test crash command works?

In this example, I have selected the “s” option to save crashinfo to the flash. The file will be named like: crashinfo_YYYYMMDD-hhmmss, where:

• YYYY is the year, like 2009
• MM is the month, like 06
• DD is the day, like 18
• hh are the hours, like 15
• mm are the minutes, like 03
• ss are the seconds, like 34

As you can see, the file saved on the flash memory (due a Software forced crash, option #6) could be read with the command “more”. Remember that it is not easy understand the crashinfo file…

© Fabio Semperboni for CiscoZine, 2009. | Permalink | One comment
Post tags: Advanced configuration, Hidden commands, Video

When creating passwords, keep these rules in mind:

• Make passwords lengthy
• Passwords should combine letters, numbers, and symbols. Passwords should not use dictionary words
• Change passwords as often as possible

Strong passwords are the primary defense against unauthorized access to your router. The best way to manage passwords is to maintain them on an AAA server, but not all people can have/manage a AAA server.

Cisco provides a number of enhanced features that allow you to increase the security of your passwords.

For the basic configuration read this article.

Protecting Line Access
Resctrict the AUX, VTY and console access with a password or with a username/password.

The simplest configuration to protect is:
Enables password checking at login

login

Sets the password

password my_password

Note: Administrators sometimes use auxiliary ports to remotely configure and monitor the router using a dial-up modem connection. If you want to turn off the EXEC process for the aux port, use the no exec command within the auxiliary line configuration mode.

service password-encryption
All Cisco router passwords are, by default, stored in plaintext form within the router configuration (see the running-config or startup-config …). Cisco permits to “hide” these password with a proprietary Cisco algorithm based on a Vigenere cipher. To encrypt system password use:

service password-encryption

For instance, if you set an “enable password ciscozine” without this feature the password in your running-config is in plaintext:

enable password ciscozine

but if you enable service password-encryption command, the password is hidden:

enable password 7 02050D4808091528424B

Remember: When you remove the service password-encryption command with the no form, the command does not decrypt the passwords.
Remember:Vigenere cipher is not a SECURE crypto algorithm; in fact you can find many software to decrypt this type of password. This method is not as safe as MD5, which is used with the enable secret command, but prevents casual discovery of the router line-level passwords.

Use MD5
Use MD5  hash function where it is possible; for instance:

• enable secret command is more secure than enable passwordcommand, because it use MD5 algorithm for hash the passsword.
• username my_user secret my_passwordis more secure than username my_user password my_password, because it use MD5 algorithm for hash the passsword.

Timeout
By default, an administrative interface (TTY, AUX, ….) stays active (and logged on) for ten minutes after the last session activity. A better choise is to limit the time to three minutes.
To adjust this timer to 2 minutes and 30 seconds:

exec-timeout 2 30

Remember: Setting the exec-timeout value to zero means that there will be no timeout and the session will stay active for an unlimited time. Do not set the value to zero.

Protecting against dictionary attack
Cisco has implemented many features to procted router/swtich against dictionary attack; there are many ways to protect:

• security password min-length
  From Cisco IOS Release 12.3(1) and later it is possible to define a minimum password length (default is Six characters). This command affects user passwords, enable passwords and secrets, and line passwords that users create after the command is executed. Existing router passwords remain unaffected.

For instance, if you would set a minimum password length of 8 characters:

security password min-length 8

If you insert a password that not respect the lenght an error message is displayed:

Password too short - must be at least 8 characters. Password not configured.

• security authentication failure rate
  From Cisco IOS Release 12.3(1) and later, it it possible to configure the number of allowable unsuccessful login attempts. The security authentication failure-rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command ensures that there are not any continuous failures to access the router.

After the 15-second delay has passed, the user can continue to attempt to log in to the router.

The following example shows how to configure your router to generate a syslog message after five failed login attempts (a 15-second delay timer starts after the number of login failed is reached):

security authentication failure rate 5 log

• login block for
  Another helpful command to block dictionary attack is the login block forcommand. This command permits to block for ‘x’ seconds after ‘y’ login are tried within ‘z’ seconds. See below to understand how the command works.

The following example shows how block login access for 120 seconds after 5 failed login attempts within 30 seconds:

login block-for 120 attempts 5 within 30

Remember:All login attempts made via Telnet, SSH, and HTTP are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

• login quiet-mode access-class
  It is possible to define an ACL to permit login attempts when the login access is blocked by the login block-for or by the security authentication failure rate command. It can be useful in emergency situation.

login quiet-mode access-class 101

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

The following logging message is generated after the router switches to quiet-mode:

00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds,
[user:ciscozine] [Source:192.168.10.10] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23
UTC Wed Apr 15 2009

The following logging message is generated after the router switches from quiet mode back to normal mode:

00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at
16:22:23 UTC Wed Apr 15 2009

• login delay
  From Cisco IOS Release 12.3(4)T and later, it is possbile to define the time between successive login attempts. If this command is not enabled, a login delay of one second is automatically enforced after the login block-for command is applied to the router configuration.For instance, if I would define a delay of 10 seconds, use this command:

login delay 10

Logging login requests
It is possible logging failure/success login requests:

• login on-success
  Generates logging messages for successful login attempts. For example:

  00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:ciscozine] [Source:192.168.10.10]
  [localport:23] at 16:30:40 UTC Wed Apr 15 2009

• login on-failure
  Generates logging messages for failed login attempts. For example:

  00:03:34:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:ciscozine] [Source:192.168.10.10]
  [localport:23] [Reason:Invalid login] at 16:32:12 UTC Wed Apr 15 2009

To check login enforcement settings use the “show login” command.

Disable password recovery
Cisco permits to recover password during the reload system. This scenario presents a potential security breach because anyone who gains physical access to the router console port can enter ROMMON, reset the enable secret password, and discover the router configuration.

For this reason, it is possible disable password recovery procedure. To do it use the “hidden” command “no service password-recovery”.

When you configure the router, disabling password recovery feature, you see this message:

ciscozine(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: yes
ciscozine(config)#

When the no service password-recovery command is configured, you see this message during boot up:

System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1998 by Cisco Systems, Inc.
C3600 processor with 65536 Kbytes of main memory
Main memory is configured to 64 bit mode with parity enabled

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x10ce394
Self decompressing the image : #########################################################
########################################################################################
#######################################################################    [OK]

Remember: If a router is configured with the no service password-recovery command, this disables all access to the ROMMON. If there is no valid Cisco IOS software image in the Flash memory of the router, the user is not able to use the ROMMON XMODEM command in order to load a new Flash image. In order to fix the router, you must get a new Cisco IOS software image on a Flash SIMM, or on a PCMCIA card, for example on the 3600 Series Routers.

References:

• http://www.cisco.com/…/sec_login_enhance.html
• http://www.cisco.com/…/configuration_example09186a00801d8113.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: Advanced configuration, Secure a router, Tips

See below to understand BPDU attack:

In this example the Ciscozine1 switch is elected Root Bridge due to the lower MAC-address (suppose that all the switches have the same priority).

What happen if an attacker (in this instance a laptop) spoof a BPDU with a lower priority?

The attacker (red laptop) will be the new root bridge and the spanning-tree topology change. See the figure:

With this new topology, Ciscozine3 and Ciscozine4 use only Ciscozine1 to switch packets, while Ciscozine2 is not used by the access switches (Ciscozine3 and Ciscozine4)!
Moreover the election of the attacker as root causes the Gigabit Ethernet link that connects the two core switches (Ciscozine1 and Ciscozine2) to block, causing suboptimal network.

Note: The administrator can set the root bridge priority to zero in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of 0 and a lower MAC address.
Note: The temporary introduction and subsequent removal of STP devices with low (0) bridge priority cause a permanent STP recalculation.

How can I protect myself against BPDU spoof attack?
Cisco has implemented three different solutions: BPDU Guard, BPDU Filtering and Root Guard.

BPDU Guard
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.

You can enable or disable STP PortFast BPDU guard on a global basis, which affects all ports that have PortFast configured. By default, STP BPDU guard is disabled.

To enable BPDU guard globally on the switch, use this command:

Ciscozine3(config)#spanning-tree portfast bpduguard default

To enable PortFast BPDU guard on a specific switch port, use this command:

Ciscozine3(config)#spanning-tree bpduguard enable

Use the following command to verify the BPDU configuration:

Ciscozine3#show spanning-tree summary totals

The STP PortFast BPDU guard was introduced in Cisco IOS Software Release 12.1.

Note: STP PortFast BPDU guard is not available for the Catalyst 8500 series, 2948G-L3, or 4908G-L3 switches.
Note: You must manually reenable the port that is put into errdisable state or configure errdisable-timeout. 

BPDU Filterning
When configured globally, PortFast BPDU filtering applies to all operational PortFast ports. Ports in an operational PortFast state are supposed to be connected to hosts, that typically drop BPDUs. If an operational PortFast port receives a BPDU, it immediately loses its operational PortFast status. In that case, PortFast BPDU filtering is disabled on this port and STP resumes sending BPDUs on this port.

PortFast BPDU filtering can also be configured on a per-port basis. When PortFast BPDU filtering is explicitly configured on a port, it does not send any BPDUs and drops all BPDUs it receives.

To enable PortFast BPDU filtering globally on the switch, use this command:

Ciscozine3(config)#spanning-tree portfast bpdufilter default

To enable PortFast BPDU filtering on a specific switch port, use this command:

Ciscozine3(config-if)#spanning-tree bpdufilter enable

To verify the configuration on the switch, use this command:

Ciscozine3#show spanning-tree summary

The STP PortFast BPDU filtering was introduced in Cisco IOS Software Release 12.1(13)E.

Remember: Explicit configuration of PortFast BPDU filtering on a port not connected to a host station can result in bridging loops. The port ignores any incoming BPDUs and changes to the forwarding state. This does not occur when PortFast BPDU filtering is enabled globally.

BPDU Root guard
The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

To enable Root Guard on a specific switch port, use this command:

Ciscozine3(config-if)#spanning-tree rootguard

Root guard is available in Cisco IOS Software Release 12.0(5)XU and later. The Catalyst 2950 series switches support the root guard feature in Cisco IOS Software Release 12.0(5.2)WC(1) and later. The Catalyst 3550 series switches support the root guard feature in Cisco IOS Software Release 12.1(4)EA1 and later.

Note: You must manually reenable the port that is put into errdisable state or configure errdisable-timeout. 

Conclusion: In my opinion, BPDU Guard control BPDU spoof attack much better than BPDU Filtering. As a matter of fact, BPDU Guard block immediately the port at the reception of BPDUs, whereas BPDU Filtering only disable portfast feature.
The root guard feature partially restricts this type of attack; in fact an attacker will not be the root bridge, but it could take part of the spanning-tree instance.

For these reasons, a good solution to block BPDU spoof attack is to enable BPDU Guard control at all fastethernet ports used to connect laptop/PC/Server, while enable root guard feature on the ports used to connect switches.

References: 

• http://www.cisco.com/…/technologies_tech_note09186a008009482f.shtml
• http://www.cisco.com/…/guide/stp_enha.html#wp1033403
• http://www.cisco.com/…/technologies_tech_note09186a00800ae96b.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | 2 comments
Post tags: Advanced configuration, DOS, Secure a router, Spanning-Tree

The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. A malicious user could then use a packet sniffer running in promiscuous mode to capture sensitive data from other computers, which would not be accessible were the switch operating normally.

Cisco gives you an opportunity to set up protection against this attack with limiting and/or hardwiring some MAC addresses to a dedicated port.

Understand the MAC flooding attack
Suppose to have a switch with 3 PC: PC A, PC B and PC C; in normal situation, when PC A sends a packet to PC B, PC C does not view packet sent between PC A and PC B.

This because the 3 PC are connected to a switch and NOT to a hub.

Under MAC flooding attack, the switch behaviour is different. During the MAC flooding attack, the attacker (in this instance PC C) floods the switch with packets, each with different source MAC address.

If the Content Addressable Memory (the memory where the MAC addresses are stored) is full, the switch works like an hub; so, if the PC A sends a packet to PC B, the packet will be received to PC C too.

Protecting against MAC flooding attack
Cisco has implemented a feature, called switchport port-security, to protect against this type of attack. You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.

There are three types of secure MAC addresses:

• Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
• Dynamic secure MAC addresses: These are dynamically learned, stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts.

Remember: A secure port can have from 1 to 132 associated secure addresses. The total number of available secure addresses on the switch is 1024.

When the maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the address table attempts to access the interface a security violation occurs.

The switch can react to a security violation in three different ways:

• protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
• restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

Example: Limit to ten MAC addresses, two of which are statics (aaaa.aaaa.aaaa, bbbb.bbbb.bbbb), on FastEthernet 0/1 port. The violation required is “restricted”.

Ciscozine# conf t
Ciscozine(config)# interface fastethernet0/1
Ciscozine(config-if)# switchport mode access
Ciscozine(config-if)# switchport port-security
Ciscozine(config-if)# switchport port-security maximum 10
Ciscozine(config-if)# switchport port-security violation restrict
Ciscozine(config-if)# switchport port-security mac-address aaaa.aaaa.aaaa
Ciscozine(config-if)# switchport port-security mac-address bbbb.bbbb.bbbb

switchport mode access: The port-security works only on access port,  so define it.
switchport port-security: Enable port security on the interface.
switchport port-security maximum 10: Sets the maximum number of secure MAC addresses for the interface to 10.
switchport port-security violation restrict: It defines to “restrict” the violation mode.
switchport port-security mac-address aaaa.aaaa.aaaa: Define the static MAC address; remember that if you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Useful commands to displaying traffic control status and configuration are:

• show interfaces [interface-id] switchport: Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings.
• show port-security [interface interface-id]: Displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.
• show port-security [interface interface-id] address: Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.

Remember: you can enable port security on a interface only if the port is not configured as one of these:

• Trunk ports: If you try to enable port security on a trunk port, an error message appears, and port security is not enabled. If you try to change the mode of a secure port to trunk, the port mode is not changed.
• Dynamic port: A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable port security on a dynamic port, an error message appears, and port security is not enabled. If you try to change the mode of a secure port to dynamic, the port mode is not changed.
• Dynamic-access port: If you try to enable port security on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and port security is not enabled. If you try to change a secure port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
• EtherChannel porT: Before enabling port security on the port, you must first remove it from the EtherChannel. If you try to enable port security on an EtherChannel or on an active port in an EtherChannel, an error message appears, and port security is not enabled. If you enable port security on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
• 802.1X port: You cannot configure an 802.1X port as a secure port. If you try to enable port security on an 802.1X port, an error message appears, and port security is not enabled. If you try to change a secure port to an 802.1X port, an error message appears, and the 802.1X settings are not changed.
• Switch Port Analyzer (SPAN) destination port: You can enable port security on a port that is a SPAN destination port; however, port security is disabled until the port is removed as a SPAN destination. You can enable port security on a SPAN source port.

References:

• http://en.wikipedia.org/wiki/MAC_flooding
• http://www.cisco.com/…/configuration/guide/swtrafc.html#wp1038501

© Fabio Semperboni for CiscoZine, 2009. | Permalink | 2 comments
Post tags: Advanced configuration, Flooding attack

But what is Cisco Tcl?
The Cisco IOS Tcl shell was designed to allow customers to run Tcl commands directly from the Cisco IOS CLI prompt. Cisco IOS software does contain some subsystems such as Embedded Syslog Manager (ESM) and Interactive Voice Response (IVR) that use Tcl interpreters as part of their implementation. These subsystems have their own proprietary commands and keyword options that are not available in the Tcl shell.

Several methods have been developed for creating and running Tcl scripts within Cisco IOS software. A Tcl shell can be enabled, and Tcl commands can be entered line by line. After Tcl commands are entered, they are sent to a Tcl interpreter. If the commands are recognized as valid Tcl commands, the commands are executed and the results are sent to the tty. If a command is not a recognized Tcl command, it is sent to the Cisco IOS CLI parser. If the command is not a Tcl or Cisco IOS command, two error messages are displayed. A predefined Tcl script can be created outside of Cisco IOS software, transferred to flash or disk memory, and run within Cisco IOS software. It is also possible to create a Tcl script and precompile the code before running it under Cisco IOS software.

Multiple users on the same router can be in Tcl configuration mode at the same time without interference because each Tcl shell session launches a separate interpreter and Tcl server process. The tty interface number served by each Tcl process is represented in the server process name and can be displayed using the show process CLI command.

The Tcl shell can be used to run Cisco IOS CLI EXEC commands within a Tcl script. Using the Tcl shell to run CLI commands allows customers to build menus to guide novice users through tasks, to automate repetitive tasks, and to create custom output for show commands.

To enter in the “Tool Command Language shell” type “tclsh” command, while to exit type “tclquit“.

Remember: errors in Tcl scripts can cause infinite loops in the router

1. A very simple example: Hello world
Copy this function in the Tcl configuration mode

proc test {} {
puts "Hello world!"
}

The result will be:

Ciscozine#tclsh
Ciscozine(tcl)#proc test {} {

+>puts "Hello world!"
+>}

To test the script type “test”:

Ciscozine(tcl)#test
Hello world!

Ciscozine(tcl)#

2. Ping multiple IP addresses
Often during troubleshooting, it is needed to ping some IP addresses to test connectivity; in these situations Tcl could be very useful.

For instance, suppose to ping the first ‘x’ ip address of the 172.16.1.x/24 network. Usually a network administrator must type “ping 172.16.1.1″ then “ping 172.16.1.2″ and so on…, but it could take a long time.

Tcl could help us with a very simple script:

proc ping_net {x} {
 for {set n 1} {$n<=$x} {incr n 1} {
    exec "ping 172.16.1.$n"
 }
}

The result will be:

Ciscozine(tcl)#proc ping_net {x} {
+> for {set n 1} {$n<=$x} {incr n 1} {
+>    exec "ping 172.16.1.$n"
+> }
+>}

To test the first five IP addresses:

Ciscozine(tcl)#ping_net 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Ciscozine(tcl)#

In these 2 simple examples, I have used 3 Tcl command: proc, puts, for.

The proc command creates a new command. The syntax for the proc command is: proc name args body
When proc is evaluated, it creates a new command with name name that takes arguments args. When the procedure name is called, it then runs the code contained in body.

The puts command is used to print “somethings”.

The for command in Tcl takes four arguments; an initialization, a test, an increment, and the body of code to evaluate on each pass through the loop. The syntax for the for command is: for start test next body
During evaluation of the for command, the start code is evaluated once, before any other arguments are evaluated.

You can find more informations about tcl command syntax on http://www.tcl.tk/.

References:

• http://www.cisco.com/…/feature/guide/gt_tcl.html
• http://en.wikipedia.org/wiki/Tcl
• http://forums.cisco.com/eforum/servlet/EEM?page=main

© Fabio Semperboni for CiscoZine, 2008. | Permalink | One comment
Post tags: Advanced configuration, Tcl

If a link within the EtherChannel bundle fails, traffic previously carried over the failed link is carried over the remaining links within the EtherChannel.

There are two protocols used for the link aggregation:

• Cisco’s proprietary Port Aggregation Protocol (PAgP).
• IEEE standard Link Aggregation Protocol (LACP)

PAgP packets are sent between Fast EtherChannel-capable ports to negotiate the forming of a channel. When PAgP identifies matched Ethernet links, it groups the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.

LACP is part of an IEEE specification (802.3ad) that allows several physical ports to be bundled together to form a single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer. It performs a similar function as PAgP with Cisco EtherChannel. Because LACP is an IEEE standard, it can be used to facilitate EtherChannels in mixed-switch environments.

Etherchannel Negotiation Protocols

Matrix of Load Balancing Methods
Cisco EtherChannel technology is composed of several Fast Ethernet links and is capable of load balancing traffic across those links. Unicast, broadcast, and multicast traffic is evenly distributed across the links, providing higher performance and redundant parallel paths. When a link fails, traffic is redirected to the remaining links within the channel without user intervention and with minimal packet loss. To define the load-balance method, enter in the global configuration mode and use the command “port-channel load-balance ?” to see the load-distribution method availables.

This matrix consolidates the load balancing methods:

¹ For the 3550 series switch, when source-MAC address forwarding is used, load distribution based on the source and destination IP address is also enabled for routed IP traffic. All routed IP traffic chooses a port based on the source and destination IP address.
² For the 6500 series switches that run Cisco IOS, MPLS layer 2 information can also be used for load balancing MPLS packets.

Example #1: Configuring Layer2 Etherchannel

In this example, the FastEthernet0/0-0/1-0/2 (on Ciscozine_SW1 and Ciscozine_SW2) must belong to vlan 10; it is required to create a Layer2 etherchannel using LACP with desirable mode on Ciscozine_SW1 and passive mode on the Ciscozine_SW2. The configuration is:

Ciscozine_SW1 etherchannel L2 configuration

Ciscozine_SW1# configure terminal
Ciscozine_SW1(config)# interface range fastethernet0/0 -2
Ciscozine_SW1(config-if-range)# switchport mode access
Ciscozine_SW1(config-if-range)# switchport access vlan 10
Ciscozine_SW1(config-if-range)# channel-protocol lacp
Ciscozine_SW1(config-if-range)# channel-group 1 mode active
Ciscozine_SW2 etherchannel L2 configuration

Ciscozine_SW2 etherchannel L2 configuration

Ciscozine_SW2# configure terminal
Ciscozine_SW2(config)# interface range fastethernet0/0 -2
Ciscozine_SW2(config-if-range)# switchport mode access
Ciscozine_SW2(config-if-range)# switchport access vlan 10
Ciscozine_SW1(config-if-range)# channel-protocol lacp
Ciscozine_SW2(config-if-range)# channel-group 1 mode passive

Example #2: Configuring Layer3 Etherchannel

In this example, the FastEthernet0/0-0/1-0/2 (on Ciscozine_SW1 and Ciscozine_SW2) must be aggregated; it is required to create a Layer3 etherchannel using PAgP with desirable mode on Ciscozine_SW1 and auto mode on the Ciscozine_SW2. The configuration is:

Ciscozine_SW1 etherchannel L3 configuration

Ciscozine_SW1# configure terminal
Ciscozine_SW1(config)# interface port-channel 1
Ciscozine_SW1(config-if)# no switchport
Ciscozine_SW1(config-if)# ip address 172.16.1.11 255.255.255.0
Ciscozine_SW1(config-if)# end
Ciscozine_SW1# configure terminal
Ciscozine_SW1(config)# interface range fastethernet0/0 -2
Ciscozine_SW1(config-if-range)# no switchport
Ciscozine_SW1(config-if-range)# no ip address
Ciscozine_SW1(config-if-range)# channel-group 1 mode desirable
Ciscozine_SW1(config-if-range)# end
Ciscozine_SW2 etherchannel L3 configuration

Ciscozine_SW2 etherchannel L3 configuration

Ciscozine_SW2# configure terminal
Ciscozine_SW2(config)# interface port-channel 1
Ciscozine_SW2(config-if)# no switchport
Ciscozine_SW2(config-if)# ip address 172.16.1.12 255.255.255.0
Ciscozine_SW2(config-if)# end
Ciscozine_SW2# configure terminal
Ciscozine_SW2(config)# interface range fastethernet0/0 -2
Ciscozine_SW2(config-if-range)# no switchport
Ciscozine_SW2(config-if-range)# no ip address
Ciscozine_SW2(config-if-range)# channel-group 1 mode auto
Ciscozine_SW2(config-if-range)# end

REMEMBER: The “no switchport” command is required to change interface from layer2 to layer3 mode.

Use the “show etherchannel” command to display port-channel information after configuration and remember to save the configuration!

References:

• Configuring EtherChannels (Catalyst 6500/6000 Switches That Run Cisco IOS Software)
• Configuring Fast EtherChannel and Gigabit EtherChannel (Catalyst 5000 Switches)
• Configuring Fast EtherChannel and Gigabit EtherChannel (Catalyst 4000 Switches That Run CatOS)
• Understanding and Configuring EtherChannel (Catalyst 4000 Switches That Run Cisco IOS Software)
• Creating EtherChannel Port Groups section of Configuring the Switch Ports (Catalyst 2900XL/3500XL Switches)
• Configuring EtherChannel (Catalyst 3550 Switches)
• Understanding the EtherChannel section of Configuring the Switch Ports (Catalyst 2950 Switches)

© Fabio Semperboni for CiscoZine, 2008. | Permalink | No comment
Post tags: Advanced configuration, Etherchannel