The first of May, Cisco has revealed that its Nexus 9000 fabric switches have a critical flaw that could allow anyone to remotely connect to a vulnerable device using Secure Shell (SSH) and control it with root user privileges. Discovered and reported by Oliver Matula of ERNW Enno Rey Netzwerke in cooperation with ERNW Research, the issue is the presence of a default SSH key pair in all devices could be exploited by an attacker by opening an SSH connection via IPv6 to a targeted device (IPv4 is not vulnerable). Tracked as CVE-2019-1804 and featuring a CVSS score of 9.8, […]

In the last article, I explained how to configure DMVPN phase3, but what are the most useful commands to troubleshoot this type of network architecture? Five are the main group of commands used to troubleshoot a DMVPN topology: show dmvpn […] show ip nhrp […] show ip eigrp […] show crypto […] The “show dmvpn” and “show ip nhrp” commands permit to obtain the state of the tunnels. On hub router, all tunnels are dynamic (D attribute) because it waits the registration from spokes routers (“ip nhrp map multicast dynamic”).

In a previous article, I explained what is and how it works DMVPN technology. In this article you see how to configure DMVPN phase3. This phase allows spokes to build a spoke-to-spoke tunnel and to overcomes the phase2 restriction using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. The phase3 configuration is based by 4 steps: Define Tunnel interface (mandatory) Define NHRP (mandatory) Define EIGRP Process (mandatory) Define IPSEC Profile (optional) In this example, there are 3 routers: one hub (Ciscozine) and two spokes.

In an old post, dated 2011, I explained various types of VPN technologies. In seven years several things have changed: SHA1 is deprecated, des and 3des are no more used for security issues, but some VPN technologies are still used with protocols more secure (SHA256, AES, …). In this article, I explain how DMVPN works and what are the key components of it. Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users.

At the end of March, Cisco published a stack-based buffer overflow vulnerability in Smart Install Client code. This vulnerability enables an attacker to remotely execute arbitrary code without authentication. So it allows getting full control over a vulnerable network equipment. Cisco Smart Install is a “plug-and-play” configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches. The feature allows a customer to ship a Cisco switch to any location, install it in the network, and power it on without additional configuration requirements. The Smart Install feature incorporates no authentication by design.

Few days ago, Cisco published a critical advisor with a score of 10/10 about ASA and Firepower devices. The vulnerability known as CVE-2018-0101 and discovered by Cedric Halbronn, Senior Researcher at NCC Group is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. This vulnerability allows the attacker to see all of the data passing through the system and provides them with administrative privileges, enabling them to remotely […]

The Enhanced Interior Gateway Routing Protocol can be configured using either the classic mode or the named mode. The classic mode is the old way of configuring EIGRP. In classic mode, EIGRP configurations are scattered across the router mode and the interface mode. The named mode is the new way of configuring EIGRP; this mode allows EIGRP configurations to be entered in a hierarchical manner under the router mode. Each named mode configuration can have multiple address families and autonomous system number combinations. In the named mode, you can have similar configurations across IPv4 and IPv6.

WPA2 (Wi-Fi Protected Access 2) is a network security technology commonly used on Wi-Fi wireless networks. It’s an upgrade from the original WPA technology, which was designed as a replacement for the older and much less secure WEP. WPA2 is used on all certified Wi-Fi hardware since 2006 and is based on the IEEE 802.11i technology standard for data encryption. Yesterday, researchers Mathy Vanhoef and Frank Piessens, from the University of Leuven, has officially published a series of vulnerabilities that target the session establishment and management process in WPA(1/2)-PSK and WPA(1/2)-Enterprise. I say “officially” because the first notification by this […]

Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many route filtering commands. The most notable and important difference is that a prefix-list allows you to filter networks based on their subnet mask. ACLs used in distribute list filter networks only by network addresses but they do not perform matching on subnet mask; in other words, for an ACL used in distribute list, the networks 192.168.100.0/24 and 192.168.100.0/28 are indistinguishable. Moreover, the prefix-list also allows you to specify networks in much more natural format that ACLs.

In one of my last job activities, the customer has requested to reinstall the Cisco ISE appliance (SNS-3495). The first option, a DVD reader, is not feasible due the large ISO image file; in fact, the Cisco ISE Software Version 2.2.0 full installation iso file requires more or less 8Gb. So, how can we install the software? There are two options: Using an USB pendrive(al least 16Gb) Using the Cisco Integrated Management Interface (CIMC)