Minggu, 09 Januari 2011

TTL Security Check

Based on the Generalized TTL Security Mechanism (GTSM, RFC 3682, since obsoleted by RFC 5082), the TTL security check is a security feature that protects BGP peers from multi-hop attacks. It lets you configure the minimum acceptable TTL for the packets exchanged between two eBGP peers. When it is enabled, both peering routers send all of their BGP traffic to each other with a TTL of 255, and each router establishes the peering session only if the other eBGP peer's packets arrive with a TTL equal to or greater than the value derived from the hop count configured for that session. Packets that arrive with a lower TTL are silently discarded. Because a sender cannot set an IPv4 TTL above 255 and every router on the path decrements it by one, the check blocks attackers who sit further away than the configured hop count from injecting packets (for example spoofed TCP resets or SYN floods) into the session. It does nothing against an attacker on the same physical network that connects the two routers, and it does not authenticate the peer, so it complements rather than replaces BGP neighbor authentication.
For example, when the TTL security check is enabled between two directly connected eBGP peers, both routers send their traffic with a TTL of 255, and each accepts only incoming packets with a TTL of 254 or greater. Traffic from any device that is not directly connected has crossed at least one additional router and therefore arrives with a TTL below 254, as shown in Figure 3.
In the example shown in Figure 3, Router A accepts only packets with a TTL of 254 or greater. The attacker cannot start above 255, so regardless of the TTL value the attacker sets, all of the attacker's packets reach Router A with a TTL of less than 254 and are dropped.

In Cisco IOS software, the TTL security check is enabled per peer with the neighbor ttl-security command. The hop count is the number of routers between the two peers; packets from the neighbor are accepted only if their TTL is 255 minus that count or greater:
Router(config)# router bgp as-number
Router(config-router)# neighbor ip-address ttl-security hops hop-count
In this example, the TTL security check is enabled for the 10.1.1.1 eBGP neighbor, which resides two hops away, so packets from it are accepted only with a TTL of 253 or greater. Note that ttl-security cannot be combined with neighbor ebgp-multihop on the same peer; the hop count configured here replaces it:
Router(config)# router bgp 1
Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2
For more information about TTL Security Check, refer to the following URL:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455621.html

Disabling Auto-Negotiated Trunking

By default, the Ethernet ports on Catalyst switches are in an auto-negotiated trunking mode (dynamic auto or dynamic desirable, depending on platform and software release). Auto-negotiated trunking allows switches to negotiate ISL and 802.1Q trunks automatically; the negotiation is handled by the Dynamic Trunking Protocol (DTP). A port in auto mode is willing to convert the link into a trunk, and it becomes a trunk port if the neighboring port is set to trunk or configured in desirable mode. A port configured in desirable mode actively tries to form a trunk and becomes one if the neighboring port is set to trunk, desirable, or auto mode.
While the auto-negotiation of trunks simplifies switch deployment, anything plugged into a negotiable port can speak DTP: an attacker on an access port can negotiate a trunk and then tag frames into any VLAN the switch carries (VLAN hopping). For this reason, auto-negotiated trunking should be disabled on all ports connecting to end users.
In Catalyst OS, auto-negotiated trunking is disabled on a port with the set trunk off command. The default trunk mode is auto, which causes the port to become a trunk port if the neighboring port tries to negotiate a trunk link. The off keyword forces the port to become a nontrunk port and tells the neighboring port to become a nontrunk port as well:
Console> (enable) set trunk mod/ports {on | off | desirable | auto | nonegotiate} [vlans | none] [isl | dot1q | dot10 | lane | negotiate]

This example shows how to disable auto-negotiation on port 2 on module 1:
Console> (enable) set trunk 1/2 off
Port(s) 1/2 trunk mode set to off.
Console> (enable)
For more information on the set trunk command on the Catalyst 6500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/setsy_tr.htm#wp1170006
For more information on the set trunk command on the Catalyst 4500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/command/set_s_z.htm#wp1025473
To disable auto-negotiated trunking in Cisco IOS software, use the switchport mode access command. Setting the port mode to access makes the port a nontrunking, untagged single-VLAN Layer 2 interface that never becomes a trunk, whatever the neighbor sends. Note that an access-mode port still transmits DTP frames announcing itself as nontrunking; to stop the port from speaking DTP at all, add switchport nonegotiate (valid only when the mode is access or trunk):
Switch(config-if)# switchport mode {access | trunk | {dynamic {auto | desirable}} | dot1q-tunnel}
This example shows how to set a port as nontrunking, nontagged single-VLAN Layer 2:
Switch(config)# interface type slot/port
Switch(config-if)# switchport mode access
Switch(config-if)#

For more information on the switchport mode access command on the Catalyst 6500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/s1.htm#wp1022676
For more information on the switchport mode access command on the Catalyst 4500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/cmdref/snmp_vtp.htm#wp1210450
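As an added example (it is not part of the page or of Cisco's documentation), the following Python script audits a running-config for both controls discussed above: eBGP neighbors that lack neighbor ... ttl-security hops, with the TTL floor that each configured hop count enforces, and user-facing switchports that are still negotiable under DTP or that are in access mode without switchport nonegotiate. The configuration text, the ASNs, the addresses and the interface names are constructed for the example; the parser handles only the one-space indentation IOS uses for stanza children.

```python
import re

# Constructed sample running-config (added example, not from the page):
# one hardened user port, two negotiable ones, one access port that still
# speaks DTP, and a BGP process with one protected and one unprotected
# eBGP neighbor plus an iBGP neighbor that GTSM does not apply to.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 description left at the DTP factory default
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode access
!
router bgp 65001
 neighbor 10.1.1.1 remote-as 65002
 neighbor 10.1.1.1 ttl-security hops 2
 neighbor 10.1.2.1 remote-as 65003
 neighbor 10.9.9.9 remote-as 65001
!
end
"""

USER_PORTS = ["FastEthernet0/1", "FastEthernet0/2",
              "FastEthernet0/3", "FastEthernet0/4"]


def parse_sections(config):
    """Split an IOS config into {stanza header: [child commands]}.
    IOS indents a stanza's children by one space; '!' and blank lines are
    separators, and global commands become stanzas with no children."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] == " ":
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.rstrip()
            sections.setdefault(current, [])
    return sections


def gtsm_min_ttl(hops):
    """Lowest TTL accepted for 'ttl-security hops <hops>'. Peers send with
    TTL 255 and each router on the path decrements it by one, so a packet
    that crossed more than <hops> routers is below 255 - hops (hops 1 -> 254)."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1..254")
    return 255 - hops


def audit_bgp(sections):
    """One result per eBGP neighbor: GTSM present (with the TTL floor it
    enforces) or missing. iBGP peers (remote-as == local AS) are skipped."""
    results = []
    for header, body in sections.items():
        m = re.fullmatch(r"router bgp (\d+)", header)
        if not m:
            continue
        local_as, remote_as, ttl_hops = int(m.group(1)), {}, {}
        for cmd in body:
            ra = re.fullmatch(r"neighbor (\S+) remote-as (\d+)", cmd)
            ts = re.fullmatch(r"neighbor (\S+) ttl-security hops (\d+)", cmd)
            if ra:
                remote_as[ra.group(1)] = int(ra.group(2))
            elif ts:
                ttl_hops[ts.group(1)] = int(ts.group(2))
        for peer, asn in sorted(remote_as.items()):
            if asn == local_as:
                continue
            if peer in ttl_hops:
                results.append({"peer": peer, "gtsm": True,
                                "min_ttl": gtsm_min_ttl(ttl_hops[peer])})
            else:  # the hop count must match the real topology (1 = directly connected)
                results.append({"peer": peer, "gtsm": False,
                                "fix": f"neighbor {peer} ttl-security hops <hops>"})
    return results


def audit_switchports(sections, user_ports):
    """DTP status of each user-facing port. 'hardened' requires both
    'switchport mode access' (never becomes a trunk) and
    'switchport nonegotiate' (stops sending DTP frames altogether)."""
    status = {}
    for name in user_ports:
        body = sections.get(f"interface {name}", [])
        modes = [c.split(None, 2)[2] for c in body if c.startswith("switchport mode ")]
        # No explicit mode means the platform default, which is a negotiable
        # dynamic mode (auto or desirable) either way.
        mode = modes[-1] if modes else "dynamic (default)"
        if mode.startswith("dynamic"):
            status[name] = f"negotiable ({mode}); set switchport mode access"
        elif mode == "trunk":
            status[name] = "trunk on a user port; set switchport mode access"
        elif "switchport nonegotiate" not in body:
            status[name] = "access but still sends DTP; add switchport nonegotiate"
        else:
            status[name] = "hardened"
    return status


if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    for r in audit_bgp(cfg):
        print("bgp", r)
    for port, verdict in audit_switchports(cfg, USER_PORTS).items():
        print(port, verdict)
```

To run it against a real device, replace SAMPLE_CONFIG with the output of show running-config and list the access ports in USER_PORTS; the BGP check only tells you that GTSM is missing, because the correct hop count has to come from the topology, not from the configuration file.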

Sabtu, 08 Januari 2011

Troubleshooting Enterprise Networks 1


!------------------------------------------
! R1
!------------------------------------------
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
enable secret 5 ciscoccna
!
ip cef
!
ip dhcp pool Access1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
no ip domain lookup
!
username R3 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY
no shutdown
!
interface FastEthernet0/1
ip address 192.168.11.1 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY
no shutdown
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY
encapsulation frame-relay
clockrate 128000
frame-relay map ip 10.1.1.1 201
frame-relay map ip 10.1.1.2 201 broadcast
no frame-relay inverse-arp
no shutdown
!
interface Serial0/0/1
ip address 10.3.3.1 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY
encapsulation ppp
ppp authentication chap
no shutdown
!
!
router rip
version 2
passive-interface default
network 192.168.10.0
network 192.168.11.0
no auto-summary
!
ip classless
!
no ip http server
!
ip access-list standard Anti-spoofing
permit 192.168.10.0 0.0.0.255
deny any
ip access-list standard VTY
permit 10.0.0.0 0.255.255.255
permit 192.168.10.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.30.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
access-class VTY in
login local
!
end
!------------------------------------------
! R2
!------------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
aaa session-id common
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
key 1
key-string cisco
username ccna password 0 ciscoccna
!
interface Loopback0
description Simulated ISP Connection
ip address 209.165.200.245 255.255.255.224
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
ip access-group TFTP out
ip access-group Anti-spoofing in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
encapsulation frame-relay
no keepalive
frame-relay map ip 10.1.1.1 201 broadcast
no frame-relay inverse-arp
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.0
ip access-group R3-telnet in
ip nat inside
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY
clockrate 128000
!
!
router rip
version 2
passive-interface default
no passive-interface Serial0/0/0
no passive-interface Serial0/0/1
network 10.0.0.0
network 192.168.20.0
default-information originate
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard Anti-spoofing
permit 192.168.20.0 0.0.0.255
deny any
ip access-list standard NAT
permit 10.0.0.0 0.255.255.255
permit 192.168.0.0 0.0.255.255
!
ip access-list extended R3-telnet
deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
permit ip any any
!
ip access-list standard TFTP
permit 192.168.20.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
exec-timeout 15 0
logging synchronous
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 15 0
logging synchronous
login authentication local_auth
transport input telnet
!
end
!------------------------------------------
! R3
!------------------------------------------
no service password-encryption
!
hostname R3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
key 1
key-string cisco
username R1 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/1
no shutdown
!
interface FastEthernet0/1.11
encapsulation dot1Q 11
ip address 192.168.11.3 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip access-group Anti-spoofing in
no snmp trap link-status
!
!
interface Serial0/0/0
ip address 10.3.3.2 255.255.255.252
encapsulation ppp
clockrate 125000
ppp authentication chap
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
!
router rip
version 2
passive-interface default
no passive-interface FastEthernet0/0.11
no passive-interface FastEthernet0/0.30
no passive-interface Serial0/0/0
no passive-interface Serial0/0/1
network 10.0.0.0
network 192.168.11.0
network 192.168.30.0
no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
permit 192.168.30.0 0.0.0.255
deny any
ip access-list standard VTY
permit 10.0.0.0 0.255.255.255
permit 192.168.10.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
exec-timeout 15 0
logging synchronous
line vty 0 4
access-class VTY in
exec-timeout 15 0
logging synchronous
login local
!
end
!-----------------------------------------
! S1
!-----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan10
ip address dhcp
no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password ciscoccna
login
line vty 5 15
no login
!
end
!-----------------------------------------
! S2
!-----------------------------------------
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
switchport trunk native vlan 99
switchport trunk allowed vlan 11,30
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk native vlan 99
switchport trunk allowed vlan 11,30
switchport mode trunk
!
interface range FastEthernet0/5-24
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan11
ip address 192.168.11.2 255.255.255.0
no ip route-cache
!
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
password ciscoccna
login
line vty 5 15
no login
!
end
!-----------------------------------------
! S3
!-----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_troubleshooting
vtp mode server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport trunk allowed vlan 30
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/3
switchport trunk native vlan 99
switchport trunk allowed vlan 11,30
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk native vlan 99
switchport trunk allowed vlan 11,30
switchport mode trunk
!
interface range FastEthernet0/5-24
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
control-plane
!
line con 0
exec-timeout 5 0
logging synchronous
line vty 0 4
password ciscoccna
login
line vty 5 15
no login
!
end